Metasploit Auxiliary Module: SHODAN Enumerator

SHODAN is an extremely useful tool for scanning the Internet without having to do any scanning. It provides a search engine for banners and SNMP information that have been harvested from Internet-facing systems. I wrote a couple of scripts to leverage the API but wanted to go further by creating a module for the Metasploit Framework.

The SHODAN Enumerator module (download here) requires two options, APIKEY and QUERY, to work. A third option, OUTFILE, writes the IPs from the search to a file, and advanced options allow sending the request through a web proxy. Database support is included: the services information for each IP is populated with the port, protocol, and banner. NOTE: Some systems will require the Ruby json gem to be installed (gem install json).

       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 585 exploits - 301 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r10253 updated today (2010.09.07)

msf > use auxiliary/gather/shodan_enumerator
msf auxiliary(shodan_enumerator) > info

Name: Shodan Enumerator
Version: 0.1
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
John Sawyer – –

Basic options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   OUTFILE                   no        A filename to store the list of IPs
   QUERY                     yes       Keywords you want to search for

This module uses the SHODAN API to query the database and returns
the first 50 IPs. SHODAN accounts are free & output can be sent to a
file for use by another program. Results are also populated into the
services table in the database. NOTE: SHODAN filters (port,
hostname, os, before, after) can be used in queries, but the API
does not allow net and country filters. See “show advanced” for
proxy settings. API: FILTERS:

msf auxiliary(shodan_enumerator) > set APIKEY -=REMOVED=-

msf auxiliary(shodan_enumerator) > set query schneider etg3021
query => schneider etg3021

msf auxiliary(shodan_enumerator) > run

[*] Running SHODAN query …..
[*] Country Statistics:
[*] France (FR): 1
[*] United Kingdom (GB): 1
[*] Total: 2
[*] IP Results:
[*] Auxiliary module execution completed

msf auxiliary(shodan_enumerator) > set OUTFILE /tmp/cisco-ios
OUTFILE => /tmp/cisco-ios

The QUERY option supports multiple keywords and SHODAN filters, including port, hostname, os, before and after. The API does not support the net and country filters.

msf auxiliary(shodan_enumerator) > set QUERY cisco-ios last-modified after:20/08/2010
QUERY => cisco-ios last-modified after:20/08/2010

msf auxiliary(shodan_enumerator) > run

[*] Running SHODAN query …..
[*] Country Statistics:
[*] United States (US): 61
[*] China (CN): 16
[*] United Kingdom (GB): 14
[*] Mexico (MX): 11
[*] Italy (IT): 11
[*] Total: 264
[*] IP Results:
[*] Writing IPs to /tmp/cisco-ios…
[*] Auxiliary module execution completed
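
The filter rules above can be checked locally before a query is sent. This is an added example, not code from the module: the function names, the dd/mm/yyyy date format (inferred from the after:20/08/2010 query above) and the case-insensitive filter matching are assumptions.

```ruby
require 'date'

# Filter names taken from the post: five the API accepts, two it refuses.
SUPPORTED_FILTERS   = %w[port hostname os before after].freeze
UNSUPPORTED_FILTERS = %w[net country].freeze

# Validate one filter value. The dd/mm/yyyy date format is an assumption
# inferred from the post's "after:20/08/2010" example.
def filter_value_errors(name, value)
  case name
  when 'port'
    return [] if value.match?(/\A\d+\z/) && (1..65_535).cover?(value.to_i)
    ["port '#{value}' is not a number between 1 and 65535"]
  when 'before', 'after'
    d, m, y = value.split('/').map(&:to_i)
    return [] if value.match?(%r{\A\d{2}/\d{2}/\d{4}\z}) && Date.valid_date?(y, m, d)
    ["#{name} date '#{value}' is not a valid dd/mm/yyyy date"]
  else
    []
  end
end

# Split a QUERY string into keywords and filters and collect problems.
# Returns { keywords: [...], filters: { name => value }, errors: [...] }.
def check_shodan_query(query)
  result = { keywords: [], filters: {}, errors: [] }
  query.to_s.split.each do |token|
    name, value = token.split(':', 2)
    name = name.to_s.downcase # case-insensitive matching is an assumption
    if value.nil? || !(SUPPORTED_FILTERS + UNSUPPORTED_FILTERS).include?(name)
      result[:keywords] << token # plain keyword, even if it contains ':'
    elsif UNSUPPORTED_FILTERS.include?(name)
      result[:errors] << "filter '#{name}' is not allowed by the API"
    elsif value.empty?
      result[:errors] << "filter '#{name}' has no value"
    elsif (errs = filter_value_errors(name, value)).any?
      result[:errors].concat(errs)
    else
      result[:filters][name] = value
    end
  end
  result[:errors] << 'query is empty' if result.values.all?(&:empty?)
  result
end

# Constructed sample input: the second query from the post.
p check_shodan_query('cisco-ios last-modified after:20/08/2010')
```

An empty errors list means the query uses only keywords and the filters the post lists as supported.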

~ by John Sawyer on September 7, 2010.

5 Responses to “Metasploit Auxiliary Module: SHODAN Enumerator”

  1. Nice idea, look forward to testing this out!

  2. Now try to incorporate this in a “db_autopwn” style to automatically search metasploit for sploits

  3. Do I put the Guy Fawkes mask on before or after opening a shell?

  4. I entered my API key and it took. Tried to install json and it said something about, well, no. Basically said no. Help

  5. Download Link is broken! Where can I download this module?
