Passive DNS recon with Shodan
Use Shodan to get a list of the target’s publicly available servers and devices with their IP addresses, the services running on them, and the ports that are open.
Shodan gathers information about all devices directly connected to the Internet. If a device is directly hooked up to the Internet, Shodan queries it for various publicly available information. You then search that collected information in Shodan, so there is no scanning of the target directly.
Go to www.shodan.io and register if you have not already.
Use the Search box to search for the target.
Scroll through the results.
Choose the Maps tab to see the physical locations of those systems.
Choose one of the red dots representing one of the systems to see the IP address and ports open on that system.
Click the View Details button to view more information about that system.
Investigate all systems on the map belonging to the target.
The basic search filters:
city: find devices in a particular city
country: find devices in a particular country
geo: you can pass it coordinates
hostname: find values that match the hostname
net: search based on an IP or /x CIDR
os: search based on operating system
port: find particular ports that are open
Apache servers in Paris:
Nginx servers in France:
Cisco devices on a particular subnet:
Cleartext Wi-Fi passwords:
Surveillance cameras with username: admin and password: password
Info about MongoDB servers:
"MongoDB Server Information" port:27017 -authentication
FTP servers allowing fully anonymous access:
"220" "230 Login successful." port:21
Android root bridges on port 5555:
"Android Debug Bridge" "Device" port:5555
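The three queries above can also be run offline against banner records for address space you are responsible for, to find your own exposures. This is an added example, not from the original page. It assumes records carrying Shodan's ip_str, port and data banner fields and approximates Shodan's matching with substring tests; the finding names and sample banners are constructed.

```python
import shlex

# The three exposure queries quoted on this page; the finding names are this example's own.
QUERIES = {
    "mongodb-no-auth": '"MongoDB Server Information" port:27017 -authentication',
    "ftp-anonymous": '"220" "230 Login successful." port:21',
    "adb-exposed": '"Android Debug Bridge" "Device" port:5555',
}

def parse_query(query):
    """Split a query into required phrases, excluded terms and an optional port filter."""
    required, excluded, port = [], [], None
    for token in shlex.split(query):  # shlex keeps "quoted phrases" together
        if token.startswith("port:"):
            port = int(token.split(":", 1)[1])
        elif token.startswith("-"):
            excluded.append(token[1:].lower())
        else:
            required.append(token.lower())
    return required, excluded, port

def matches(banner, query):
    """Approximate Shodan matching with case-insensitive substring tests on the banner text."""
    required, excluded, port = parse_query(query)
    if port is not None and banner.get("port") != port:
        return False
    text = banner.get("data", "").lower()
    return all(p in text for p in required) and not any(t in text for t in excluded)

def audit(banners):
    """Return (ip, port, finding) for every banner that matches one of the queries."""
    return [(b["ip_str"], b["port"], name)
            for b in banners for name, q in QUERIES.items() if matches(b, q)]

# Constructed sample banners (documentation addresses), shaped like Shodan banner records.
SAMPLE = [
    {"ip_str": "192.0.2.10", "port": 27017, "data": "MongoDB Server Information\n{\"ok\": 1.0}"},
    {"ip_str": "192.0.2.11", "port": 27017, "data": "MongoDB Server Information\nAuthentication partially enabled"},
    {"ip_str": "192.0.2.12", "port": 21, "data": "220 FTP server ready\n230 Login successful."},
    {"ip_str": "192.0.2.13", "port": 21, "data": "220 FTP server ready\n530 Login incorrect."},
    {"ip_str": "192.0.2.14", "port": 5555, "data": "Android Debug Bridge (ADB):\n  Device: yes"},
    {"ip_str": "192.0.2.15", "port": 443, "data": "HTTP/1.1 200 OK"},
]

if __name__ == "__main__":
    for ip, port, finding in audit(SAMPLE):
        print(f"{ip}:{port} {finding}")
```

The negated term is what separates the two MongoDB records: the second one mentions authentication in its banner and is not reported.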
The Shodan command-line interface (CLI) is a command-line library for the Shodan search engine.
Install with pip:
pip install shodan
Get the private API key from your Shodan account settings and initialize the CLI with it:
shodan init PRIVATE_API_KEY
List the available commands with help:
Usage: shodan [OPTIONS] COMMAND [ARGS]...

Options:
  -h, --help  Show this message and exit.

Commands:
  alert       Manage the network alerts for your account
  convert     Convert the given input data file into a different format.
  count       Returns the number of results for a search
  data        Bulk data access to Shodan
  domain      View all available information for a domain
  download    Download search results and save them in a compressed JSON...
  honeyscore  Check whether the IP is a honeypot or not.
  host        View all available information for an IP address
  info        Shows general information about your account
  init        Initialize the Shodan command-line
  myip        Print your external IP address
  org         Manage your organization's access to Shodan
  parse       Extract information out of compressed JSON files.
  radar       Real-Time Map of some results as Shodan finds them.
  scan        Scan an IP/ netblock using Shodan.
  search      Search the Shodan database
  stats       Provide summary information about a search query
  stream      Stream data in real-time.
  version     Print version of this tool.
Public internet-facing IP address:
Get information on the location, open ports, and owner of an IP:
shodan host xxx.xxx.xxx.xxx