Quick ‘n Dirty Ruby SHODAN API

Here’s some code I threw together last night that mimics the Python code achillean published here to interface with the SHODAN API. The first part defines shodan_query and shodan_host, which can be used to query for a string like VxWorks and dig deeper into a particular IP, respectively. Note: You will need to register with SHODAN and get an API key. Also, you’ll need to install the JSON gem.

Eventually, I plan to turn this into an auxiliary module for Metasploit so you can enter your API key, the IP or search term, and have resulting data stored in a log file or database.

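require 'rubygems'
require 'json'
require 'net/http'
require 'uri'

def shodan_query(query, apikey)
  # Search SHODAN for a string (e.g. 'vxworks') and return the parsed JSON as a hash.
  base_url = "http://www.shodanhq.com/api/search?"
  # URI.encode was removed in Ruby 3.0, so the parameter value is encoded explicitly.
  url = "#{base_url}&q=#{URI.encode_www_form_component(query)}&key=#{apikey}"
  resp = Net::HTTP.get_response(URI.parse(url))
  data = resp.body

  result = JSON.parse(data)

  return result
end

def shodan_host(ip, apikey)
  # Fetch everything SHODAN has recorded for one IP and return the parsed JSON as a hash.
  base_url = "http://www.shodanhq.com/api/host?"
  url = "#{base_url}&ip=#{URI.encode_www_form_component(ip)}&key=#{apikey}"
  resp = Net::HTTP.get_response(URI.parse(url))
  data = resp.body

  result = JSON.parse(data)

  return result
end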

This next part shows them in use within irb. The returned JSON is parsed and stored as a hash that can be printed however you want using pp or yaml.

irb(main):001:0> require 'shodan_api.rb'
=> true
irb(main):002:0> query_results = shodan_query('vxworks', 'my_key')
=> {"matches"=>[{"updated"=>"23.08.2010", "ip"=>"99.166.181.106", "hostnames"=>["adsl-99-166-181-106.dsl.hstntx.sbcglobal.net"], "country"=>"US", "data"=>"HTTP/1.0 200 OK\r\nDate: Mon, 03 Oct 2033 17:10:43 GMT\r\nServer: Jetty/4.2.x (VxWorks/WIND version 2.9 ppc java/1.1-rr-std-b12)\r\nTransfer-Encoding: chunked\r\nContent-Length: 767\r\nLast-Modified: Tue, 19 Jul 2033 14:21:36 GMT\r\n\r\n", "port"=>80}, {"updated"=>"23.08.2010", "ip"=>"72.80.211.164", "hostnames"=>["pool-72-80-211-164.nycmny.east.verizon.net"], "country"=>"US", "data"=>"HTTP/1.0 200 OK\r\nDate: Mon, 23 Aug 2010 01:59:19 GMT\r\nServer: Jetty/4.2.x (VxWorks/WIND version 2.9 ppc java/1.1-rr-std-b12)\r\nTransfer-Encoding: chunked\r\nContent-Length: 767\r\nLast-Modified: Fri, 11 Sep 2009 20:55:48 GMT\r\n\r\n", "port"=>80}, {"updated"=>"23.08.2010", "ip"=>"163.173.92.48", "hostnames"=>["automats9.cnam.fr"], "country"=>"FR", "data"=>"HTTP/1.0 302 Moved Temporarily\r\nDate: Mon, 23 Aug 2010 05:39:32 GMT\r\nServer: Jetty/4.2.x (VxWorks/WIND version 2.9 ppc java/1.1-rr-std-b12)\r\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\r\nSet-Cookie: JSESSIONID=15roktflvbrw3;Path=/\r\nLocation: http://163.173.92.48/web/root/login.xml?path=/web/http/default.html\r\nTransfer-Encoding: chunked\r\n\r\n", "port"=>80}, {"updated"=>"23.08.2010", "ip"=>"149.169.127.198", "hostnames"=>["149-169-127-198.nat.asu.edu"],

irb(main):003:0> host_info = shodan_host('128.104.140.42', 'my_key')
=> {"city"=>"Madison", "ip"=>"128.104.140.42", "data"=>[{"timestamp"=>"21.06.2010", "banner"=>"HTTP/1.0 302 Moved Temporarily\r\nDate: Sun, 20 Jun 2010 19:52:36 GMT\r\nServer: Jetty/4.2.x (VxWorks/WIND version 2.9 ppc java/1.1-rr-std-b12)\r\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\r\nSet-Cookie: JSESSIONID=3tii8gafp66tb;Path=/\r\nLocation: http://128.104.140.42/web/root/login.xml?path=/web/http/default.html\r\nTransfer-Encoding: chunked\r\n\r\n", "port"=>80}, {"timestamp"=>"20.08.2010", "banner"=>"HTTP/1.0 302 Moved Temporarily\r\nDate: Thu, 19 Aug 2010 19:55:24 GMT\r\nServer: Jetty/4.2.x (VxWorks/WIND version 2.9 ppc java/1.1-rr-std-b12)\r\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\r\nSet-Cookie: JSESSIONID=206sonikg4toh;Path=/\r\nLocation: http://128.104.140.42/web/root/login.xml?path=/web/http/default.html\r\nTransfer-Encoding: chunked\r\n\r\n", "port"=>80}, {"timestamp"=>"27.08.2010", "banner"=>"HTTP/1.0 302 Moved Temporarily\r\nDate: Fri, 27 Aug 2010 02:06:55 GMT\r\nServer: Jetty/4.2.x (VxWorks/WIND version 2.9 ppc java/1.1-rr-std-b12)\r\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\r\nSet-Cookie: JSESSIONID=5b9gjbl5drm9t;Path=/\r\nLocation: http://128.104.140.42/web/root/login.xml?path=/web/http/default.html\r\nTransfer-Encoding: chunked\r\n\r\n", "port"=>80}], "hostnames"=>[], "country"=>"United States", "os"=>"F5 BigIP LB 4.1.x (sometimes FreeBSD)"}
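
As an added example (not part of the original post), the hash that shodan_host returns can be reduced to one row per observation, which shows what a host you are responsible for has advertised over time. The sample data is constructed, and parse_banner, summarize_host and server_changes are hypothetical helper names.

```ruby
require 'date'

# Constructed sample shaped like the shodan_host result shown above
# (192.0.2.10 is a documentation address, not a real host).
SAMPLE_HOST = {
  'ip' => '192.0.2.10',
  'data' => [
    { 'timestamp' => '20.08.2010', 'port' => 80,
      'banner' => "HTTP/1.0 302 Moved Temporarily\r\nServer: Jetty/4.2.x (VxWorks/WIND version 2.9 ppc java/1.1-rr-std-b12)\r\nSet-Cookie: JSESSIONID=abc;Path=/\r\n\r\n" },
    { 'timestamp' => '21.06.2010', 'port' => 80,
      'banner' => "HTTP/1.0 200 OK\r\nserver: ExampleHTTPd/1.0\r\n\r\n" },
    { 'timestamp' => '27.08.2010', 'port' => 22,
      'banner' => "SSH-2.0-ExampleSSH_1.0\r\n" }
  ]
}.freeze

# Split one banner into status code and headers; non-HTTP banners
# (e.g. SSH) yield a nil status and no headers instead of raising.
def parse_banner(banner)
  lines = banner.to_s.split(/\r?\n/)
  status = lines.first.to_s[%r{\AHTTP/\d\.\d (\d{3})}, 1]
  return { status: nil, headers: {} } unless status

  headers = {}
  lines.drop(1).each do |line|
    break if line.empty?                 # blank line ends the header block
    name, value = line.split(':', 2)
    headers[name.strip.downcase] = value.strip if value
  end
  { status: status.to_i, headers: headers }
end

# One row per observation, oldest first (timestamps are dd.mm.yyyy).
def summarize_host(host)
  host.fetch('data', []).map do |obs|
    parsed = parse_banner(obs['banner'])
    { date: Date.strptime(obs['timestamp'], '%d.%m.%Y'), port: obs['port'],
      status: parsed[:status], server: parsed[:headers]['server'] }
  end.sort_by { |r| r[:date] }
end

# Dates on which the advertised Server header differs from the previous
# HTTP observation on the same port.
def server_changes(rows)
  rows.select { |r| r[:status] }.group_by { |r| r[:port] }.flat_map do |_, obs|
    obs.each_cons(2).select { |a, b| a[:server] != b[:server] }.map { |_, b| b[:date] }
  end
end
```

Pass the hash from shodan_host straight to summarize_host, then feed the rows to server_changes to list the dates on which the Server header changed.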


~ by John Sawyer on August 31, 2010.
