metasploit-framework/modules/auxiliary/gather/shodan_search.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'
require 'net/https'
require 'uri'

class Metasploit4 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Shodan Search',
      'Description' => %q{
        This module uses the Shodan API to search Shodan. Accounts are free
        and an API key is required to used this module. Output from the module
        is displayed to the screen and can be saved to a file or the MSF database.
        NOTE: SHODAN filters (i.e. port, hostname, os, geo, city) can be used in
        queries, but there are limitations when used with a free API key. Please
        see the Shodan site for more information.
        Shodan website: https://www.shodan.io/
        API: https://developer.shodan.io/api
      },
      'Author' =>
        [
          'John H Sawyer <john[at]sploitlab.com>', # InGuardians, Inc.
          'sinn3r'  # Metasploit-fu plus other features
        ],
      'License' => MSF_LICENSE
      )
    )

    deregister_options('RHOST', 'DOMAIN', 'DigestAuthIIS', 'NTLM::SendLM',
      'NTLM::SendNTLM', 'VHOST', 'RPORT', 'NTLM::SendSPN', 'NTLM::UseLMKey',
      'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2')

    register_options(
      [
        OptString.new('SHODAN_APIKEY', [true, 'The SHODAN API key']),
        OptString.new('QUERY', [true, 'Keywords you want to search for']),
        OptString.new('OUTFILE', [false, 'A filename to store the list of IPs']),
        OptBool.new('DATABASE', [false, 'Add search results to the database', false]),
        OptInt.new('MAXPAGE', [true, 'Max amount of pages to collect', 1]),
        OptRegexp.new('REGEX', [true, 'Regex search for a specific IP/City/Country/Hostname', '.*'])

      ], self.class)
  end

  # create our Shodan query function that performs the actual web request
  def shodan_query(query, apikey, page)
    # send our query to Shodan
    uri = URI.parse('https://api.shodan.io/shodan/host/search?query=' +
      Rex::Text.uri_encode(query) + '&key=' + apikey + '&page=' + page.to_s)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true
    request = Net::HTTP::Get.new(uri.request_uri)
    res = http.request(request)

    if res and res.body =~ /<title>401 Unauthorized<\/title>/
      fail_with(Failure::BadConfig, '401 Unauthorized. Your SHODAN_APIKEY is invalid')
    end

    # Check if we can resolve host, got a response,
    # then parse the JSON, and return it
    if res
      results = ActiveSupport::JSON.decode(res.body)
      return results
    else
      return 'server_response_error'
    end
  end

  # save output to file
  def save_output(data)
    ::File.open(datastore['OUTFILE'], 'wb') do |f|
      f.write(data)
      print_status("Saved results in #{datastore['OUTFILE']}")
    end
  end

  # Check to see if api.shodan.io resolves properly
  def shodan_rhost
    @res = Net::DNS::Resolver.new
    dns_query = @res.query('api.shodan.io', 'A')
    if dns_query.answer.length == 0
      print_error('Could not resolve api.shodan.io')
      raise ::Rex::ConnectError('api.shodan.io', '443')
    end
    dns_query.answer[0].to_s.split(/[\s,]+/)[4]
  end

  def run
    # check to ensure api.shodan.io is resolvable
    shodan_rhost

    # create our Shodan request parameters
    query = datastore['QUERY']
    apikey = datastore['SHODAN_APIKEY']
    page = 1
    maxpage = datastore['MAXPAGE']

    # results gets our results from shodan_query
    results = []
    results[page] = shodan_query(query, apikey, page)

    if results[page]['total'].nil? || results[page]['total'] == 0
      print_error('No Results Found!')
    end

    # Determine page count based on total results
    if results[page]['total'] % 100 == 0
      tpages = results[page]['total'] / 100
    else
      tpages = results[page]['total'] / 100 + 1
      maxpage = tpages if datastore['MAXPAGE'] > tpages
    end

    # start printing out our query statistics
    print_status("Total: #{results[page]['total']} on #{tpages} " +
      "pages. Showing: #{maxpage} page(s)")

    # If search results greater than 100, loop & get all results
    print_status('Collecting data, please wait...')
    if results[page]['total'] > 100
      page += 1
      while page <= maxpage
        break if page > datastore['MAXPAGE']
        results[page] = shodan_query(query, apikey, page)
        page += 1
      end
    end

    # Save the results to this table
    tbl = Rex::Ui::Text::Table.new(
      'Header'  => 'Search Results',
      'Indent'  => 1,
      'Columns' => ['IP:Port', 'City', 'Country', 'Hostname']
    )

    # Organize results and put them into the table and database
    p = 1
    regex = datastore['REGEX'] if datastore['REGEX']
    while p <= maxpage
      break if p > maxpage
      results[p]['matches'].each do |host|
        city = host['location']['city'] || 'N/A'
        ip   = host['ip_str'] || 'N/A'
        port = host['port'] || ''
        country = host['location']['country_name'] || 'N/A'
        hostname = host['hostnames'][0]
        data = host['data']

        report_host(:host     => ip,
                    :name     => hostname,
                    :comments => 'Added from Shodan',
                    :info     => host['info']
                    ) if datastore['DATABASE']

        report_service(:host => ip,
                       :port => port,
                       :info => 'Added from Shodan'
                       ) if datastore['DATABASE']

        if ip =~ regex ||
           city =~ regex ||
           country =~ regex ||
           hostname =~ regex ||
           data =~ regex
           # Unfortunately we cannot display the banner properly,
           # because it messes with our output format
           tbl << ["#{ip}:#{port}", city, country, hostname]
        end
      end
      p += 1
    end

    # Show data and maybe save it if needed
    print_line
    print_line("#{tbl}")
    save_output(tbl) if datastore['OUTFILE']
  end
end
Add Shodan Search Module (Feature #5451) 2011-12-05 18:50:21 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add Shodan Search Module (Feature #5451) 2011-12-05 18:50:21 +00:00			`##`

			`require 'msf/core'`
			`require 'rex'`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`require 'net/https'`
			`require 'uri'`
Add Shodan Search Module (Feature #5451) 2011-12-05 18:50:21 +00:00
			`class Metasploit4 < Msf::Auxiliary`

Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::Report`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Shodan Search',`
			`'Description' => %q{`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`This module uses the Shodan API to search Shodan. Accounts are free`
			`and an API key is required to used this module. Output from the module`
			`is displayed to the screen and can be saved to a file or the MSF database.`
			`NOTE: SHODAN filters (i.e. port, hostname, os, geo, city) can be used in`
			`queries, but there are limitations when used with a free API key. Please`
			`see the Shodan site for more information.`
			`Shodan website: https://www.shodan.io/`
			`API: https://developer.shodan.io/api`
Retab modules 2013-08-30 21:28:54 +00:00			`},`
			`'Author' =>`
			`[`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`'John H Sawyer <john[at]sploitlab.com>', # InGuardians, Inc.`
			`'sinn3r' # Metasploit-fu plus other features`
Retab modules 2013-08-30 21:28:54 +00:00			`],`
			`'License' => MSF_LICENSE`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`)`
			`)`
Retab modules 2013-08-30 21:28:54 +00:00
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`deregister_options('RHOST', 'DOMAIN', 'DigestAuthIIS', 'NTLM::SendLM',`
			`'NTLM::SendNTLM', 'VHOST', 'RPORT', 'NTLM::SendSPN', 'NTLM::UseLMKey',`
			`'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2')`
Retab modules 2013-08-30 21:28:54 +00:00
			`register_options(`
			`[`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`OptString.new('SHODAN_APIKEY', [true, 'The SHODAN API key']),`
			`OptString.new('QUERY', [true, 'Keywords you want to search for']),`
			`OptString.new('OUTFILE', [false, 'A filename to store the list of IPs']),`
			`OptBool.new('DATABASE', [false, 'Add search results to the database', false]),`
			`OptInt.new('MAXPAGE', [true, 'Max amount of pages to collect', 1]),`
Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`OptRegexp.new('REGEX', [true, 'Regex search for a specific IP/City/Country/Hostname', '.*'])`

Retab modules 2013-08-30 21:28:54 +00:00			`], self.class)`
			`end`

			`# create our Shodan query function that performs the actual web request`
			`def shodan_query(query, apikey, page)`
			`# send our query to Shodan`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`uri = URI.parse('https://api.shodan.io/shodan/host/search?query=' +`
			`Rex::Text.uri_encode(query) + '&key=' + apikey + '&page=' + page.to_s)`
			`http = Net::HTTP.new(uri.host, uri.port)`
			`http.use_ssl = true`
			`request = Net::HTTP::Get.new(uri.request_uri)`
			`res = http.request(request)`

Add conditions to check healthy shodan results 2014-09-10 16:38:06 +00:00			`if res and res.body =~ /<title>401 Unauthorized<\/title>/`
			`fail_with(Failure::BadConfig, '401 Unauthorized. Your SHODAN_APIKEY is invalid')`
			`end`

Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`# Check if we can resolve host, got a response,`
			`# then parse the JSON, and return it`
			`if res`
Retab modules 2013-08-30 21:28:54 +00:00			`results = ActiveSupport::JSON.decode(res.body)`
			`return results`
			`else`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`return 'server_response_error'`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`end`

Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`# save output to file`
Retab modules 2013-08-30 21:28:54 +00:00			`def save_output(data)`
Committing changes from r7 comments 2014-08-23 04:08:27 +00:00			`::File.open(datastore['OUTFILE'], 'wb') do \|f\|`
			`f.write(data)`
			`print_status("Saved results in #{datastore['OUTFILE']}")`
			`end`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`# Check to see if api.shodan.io resolves properly`
Fix shodan to not muck with datastore 2014-04-15 02:16:40 +00:00			`def shodan_rhost`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`@res = Net::DNS::Resolver.new`
			`dns_query = @res.query('api.shodan.io', 'A')`
Fix shodan to not muck with datastore 2014-04-15 02:16:40 +00:00			`if dns_query.answer.length == 0`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`print_error('Could not resolve api.shodan.io')`
			`raise ::Rex::ConnectError('api.shodan.io', '443')`
Fix shodan to not muck with datastore 2014-04-15 02:16:40 +00:00			`end`
			`dns_query.answer[0].to_s.split(/[\s,]+/)[4]`
			`end`

Retab modules 2013-08-30 21:28:54 +00:00			`def run`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`# check to ensure api.shodan.io is resolvable`
			`shodan_rhost`
Fix shodan to not muck with datastore 2014-04-15 02:16:40 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`# create our Shodan request parameters`
			`query = datastore['QUERY']`
			`apikey = datastore['SHODAN_APIKEY']`
			`page = 1`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`maxpage = datastore['MAXPAGE']`
Retab modules 2013-08-30 21:28:54 +00:00
			`# results gets our results from shodan_query`
			`results = []`
			`results[page] = shodan_query(query, apikey, page)`

Add conditions to check healthy shodan results 2014-09-10 16:38:06 +00:00			`if results[page]['total'].nil? \|\| results[page]['total'] == 0`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`print_error('No Results Found!')`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

			`# Determine page count based on total results`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`if results[page]['total'] % 100 == 0`
			`tpages = results[page]['total'] / 100`
Retab modules 2013-08-30 21:28:54 +00:00			`else`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`tpages = results[page]['total'] / 100 + 1`
			`maxpage = tpages if datastore['MAXPAGE'] > tpages`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

			`# start printing out our query statistics`
Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`print_status("Total: #{results[page]['total']} on #{tpages} " +`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`"pages. Showing: #{maxpage} page(s)")`

			`# If search results greater than 100, loop & get all results`
			`print_status('Collecting data, please wait...')`
			`if results[page]['total'] > 100`
Retab modules 2013-08-30 21:28:54 +00:00			`page += 1`
Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`while page <= maxpage`
Retab modules 2013-08-30 21:28:54 +00:00			`break if page > datastore['MAXPAGE']`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`results[page] = shodan_query(query, apikey, page)`
			`page += 1`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`end`

			`# Save the results to this table`
			`tbl = Rex::Ui::Text::Table.new(`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`'Header' => 'Search Results',`
Retab modules 2013-08-30 21:28:54 +00:00			`'Indent' => 1,`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`'Columns' => ['IP:Port', 'City', 'Country', 'Hostname']`
Retab modules 2013-08-30 21:28:54 +00:00			`)`

Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`# Organize results and put them into the table and database`
Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`p = 1`
			`regex = datastore['REGEX'] if datastore['REGEX']`
			`while p <= maxpage`
			`break if p > maxpage`
			`results[p]['matches'].each do \|host\|`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`city = host['location']['city'] \|\| 'N/A'`
			`ip = host['ip_str'] \|\| 'N/A'`
Retab modules 2013-08-30 21:28:54 +00:00			`port = host['port'] \|\| ''`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`country = host['location']['country_name'] \|\| 'N/A'`
Retab modules 2013-08-30 21:28:54 +00:00			`hostname = host['hostnames'][0]`
			`data = host['data']`

Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`report_host(:host => ip,`
			`:name => hostname,`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`:comments => 'Added from Shodan',`
Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`:info => host['info']`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`) if datastore['DATABASE']`

Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`report_service(:host => ip,`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`:port => port,`
			`:info => 'Added from Shodan'`
			`) if datastore['DATABASE']`

Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`if ip =~ regex \|\|`
			`city =~ regex \|\|`
			`country =~ regex \|\|`
			`hostname =~ regex \|\|`
			`data =~ regex`
Committing changes from r7 comments 2014-08-23 04:08:27 +00:00			`# Unfortunately we cannot display the banner properly,`
			`# because it messes with our output format`
			`tbl << ["#{ip}:#{port}", city, country, hostname]`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`end`
Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`p += 1`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`# Show data and maybe save it if needed`
Committing changes from r7 comments 2014-08-23 04:08:27 +00:00			`print_line`
			`print_line("#{tbl}")`
Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`save_output(tbl) if datastore['OUTFILE']`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Whitespace and File.open binary mode cleanups. Fixes some recent modules: dns_fuzzer, shodan_search, avidphoneticindexer, and win_privs. 2011-12-12 23:31:28 +00:00			`end`