Metasploit Auxiliary Module: SHODAN Enumerator

SHODAN is an extremely useful tool for scanning the Internet without having to do any scanning. It provides a search engine for banners and SNMP information that have been harvested from Internet-facing systems. I wrote a couple of scripts to leverage the API but wanted to go further by creating a module for the Metasploit Framework.

The SHODAN Enumerator module (download here) requires two options, APIKEY and QUERY, to work. A third option, OUTFILE, writes the IPs from the search to a file, and advanced options allow the request to be sent through a web proxy. Database support is included: the services information for each IP is populated with the port, protocol, and banner. NOTE: Some systems will require the Ruby json gem to be installed (gem install json).

       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 585 exploits - 301 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r10253 updated today (2010.09.07)

msf > use auxiliary/gather/shodan_enumerator
msf auxiliary(shodan_enumerator) > info

Name: Shodan Enumerator
Version: 0.1
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
John Sawyer - sploitlab.com - mezzendogmail.com

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  APIKEY                    yes       The SHODAN API key
  OUTFILE                   no        A filename to store the list of IPs
  QUERY                     yes       Keywords you want to search for

Description:
This module uses the SHODAN API to query the database and returns
the first 50 IPs. SHODAN accounts are free & output can be sent to a
file for use by another program. Results are also populated into the
services table in the database. NOTE: SHODAN filters (port,
hostname, os, before, after) can be used in queries, but the API
does not allow net and country filters. See "show advanced" for
proxy settings. API: http://www.shodanhq.com/api_doc FILTERS:
http://www.shodanhq.com/help/filters

msf auxiliary(shodan_enumerator) > set APIKEY -=REMOVED=-
APIKEY => -=REMOVED=-

msf auxiliary(shodan_enumerator) > set query schneider etg3021
query => schneider etg3021

msf auxiliary(shodan_enumerator) > run

[*] Running SHODAN query …..
[*] Country Statistics:
[*] France (FR): 1
[*] United Kingdom (GB): 1
[*] Total: 2
[*] IP Results:
[*] 217.37.40.203
[*] 90.94.179.11
[*] Auxiliary module execution completed

msf auxiliary(shodan_enumerator) > set OUTFILE /tmp/cisco-ios
OUTFILE => /tmp/cisco-ios

The QUERY option supports multiple keywords and SHODAN filters, including port, hostname, os, before and after. The API does not support the net and country filters.

msf auxiliary(shodan_enumerator) > set QUERY cisco-ios last-modified after:20/08/2010
QUERY => cisco-ios last-modified after:20/08/2010

msf auxiliary(shodan_enumerator) > run

[*] Running SHODAN query …..
[*] Country Statistics:
[*] United States (US): 61
[*] China (CN): 16
[*] United Kingdom (GB): 14
[*] Mexico (MX): 11
[*] Italy (IT): 11
[*] Total: 264
[*] IP Results:
[*] 194.27.103.224
[*] 201.229.186.145
[*] 64.94.34.254
-=TRIMMED=-
[*] 98.211.245.142
[*] 218.6.24.62
[*] Writing IPs to /tmp/cisco-ios…
[*] Auxiliary module execution completed
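
As an added example (not part of the original post or the module), one defensive use of the OUTFILE list is to check whether any returned address falls inside networks you own. The Ruby code below assumes the file holds one IP per line; the range labels, CIDRs and sample list are constructed from documentation address space.

```ruby
require 'ipaddr'

# Constructed asset inventory (documentation networks), standing in for your own ranges.
OWNED_RANGES = {
  'dmz-web'    => '192.0.2.0/24',
  'branch-vpn' => '198.51.100.64/26'
}.freeze

# Constructed sample of an OUTFILE; assumption: one address per line.
SAMPLE_OUTFILE = <<~LIST
  203.0.113.5
  192.0.2.17
  198.51.100.70
  -=TRIMMED=-
  192.0.2.17
  198.51.100.10
  2001:db8::1
LIST

# Parse the list into unique IPAddr objects; unparseable lines are collected, not fatal.
def parse_ip_list(text)
  seen = {}
  rejected = []
  text.each_line do |line|
    entry = line.strip
    next if entry.empty?
    begin
      ip = IPAddr.new(entry)
      seen[ip.to_s] ||= ip
    rescue IPAddr::Error
      rejected << entry
    end
  end
  [seen.values, rejected]
end

# Return { range label => [ip strings] } for results that sit inside owned ranges.
def owned_exposure(ips, ranges = OWNED_RANGES)
  ranges.each_with_object({}) do |(label, cidr), hits|
    net = IPAddr.new(cidr)
    inside = ips.select { |ip| ip.family == net.family && net.include?(ip) }
    hits[label] = inside.map(&:to_s) unless inside.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  ips, rejected = parse_ip_list(SAMPLE_OUTFILE)
  owned_exposure(ips).each { |label, list| puts "#{label}: #{list.join(', ')}" }
  warn "skipped: #{rejected.inspect}" unless rejected.empty?
end
```

Any hit means a banner from your own address space is indexed and matched the query, which is a prompt to review why that service is Internet-facing.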


~ by John Sawyer on September 7, 2010.

5 Responses to “Metasploit Auxiliary Module: SHODAN Enumerator”

  1. Nice idea, look forward to testing this out!

  2. Now try to incorporate this in a “db_autopwn” style to automatically search metasploit for sploits

  3. Do I put the Guy Fawkes mask on before or after opening a shell?

  4. I entered my API key and it took. Tried to install json and it said something about, well, no. Basically said no. Help

  5. Download Link is broken! Where can I download this module?
