metasploit-framework/modules/auxiliary/gather/shodan_search.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/https'
require 'uri'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Shodan Search',
      'Description' => %q{
        This module uses the Shodan API to search Shodan. Accounts are free
        and an API key is required to use this module. Output from the module
        is displayed to the screen and can be saved to a file or the MSF database.
        NOTE: SHODAN filters (i.e. port, hostname, os, geo, city) can be used in
        queries, but there are limitations when used with a free API key. Please
        see the Shodan site for more information.
        Shodan website: https://www.shodan.io/
        API: https://developer.shodan.io/api
      },
      'Author' =>
        [
          'John H Sawyer <john[at]sploitlab.com>', # InGuardians, Inc.
          'sinn3r'  # Metasploit-fu plus other features
        ],
      'License' => MSF_LICENSE
      )
    )

    deregister_options('RHOST', 'DOMAIN', 'DigestAuthIIS', 'NTLM::SendLM',
      'NTLM::SendNTLM', 'VHOST', 'RPORT', 'NTLM::SendSPN', 'NTLM::UseLMKey',
      'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2')

    register_options(
      [
        OptString.new('SHODAN_APIKEY', [true, 'The SHODAN API key']),
        OptString.new('QUERY', [true, 'Keywords you want to search for']),
        OptString.new('OUTFILE', [false, 'A filename to store the list of IPs']),
        OptBool.new('DATABASE', [false, 'Add search results to the database', false]),
        OptInt.new('MAXPAGE', [true, 'Max amount of pages to collect', 1]),
        OptRegexp.new('REGEX', [true, 'Regex search for a specific IP/City/Country/Hostname', '.*'])

      ])
  end

  # create our Shodan query function that performs the actual web request
  def shodan_query(query, apikey, page)
    # send our query to Shodan
    uri = URI.parse('https://api.shodan.io/shodan/host/search?query=' +
      Rex::Text.uri_encode(query) + '&key=' + apikey + '&page=' + page.to_s)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true
    request = Net::HTTP::Get.new(uri.request_uri)
    res = http.request(request)

    if res and res.body =~ /<title>401 Unauthorized<\/title>/
      fail_with(Failure::BadConfig, '401 Unauthorized. Your SHODAN_APIKEY is invalid')
    end

    # Check if we can resolve host, got a response,
    # then parse the JSON, and return it
    if res
      results = ActiveSupport::JSON.decode(res.body)
      return results
    else
      return 'server_response_error'
    end
  end

  # save output to file
  def save_output(data)
    ::File.open(datastore['OUTFILE'], 'wb') do |f|
      f.write(data)
      print_status("Saved results in #{datastore['OUTFILE']}")
    end
  end

  # Check to see if api.shodan.io resolves properly
  def shodan_resolvable?
    begin
      Rex::Socket.resolv_to_dotted("api.shodan.io")
    rescue RuntimeError, SocketError
      return false
    end

    true
  end

  def run
    # check to ensure api.shodan.io is resolvable
    unless shodan_resolvable?
      print_error("Unable to resolve api.shodan.io")
      return
    end

    # create our Shodan request parameters
    query = datastore['QUERY']
    apikey = datastore['SHODAN_APIKEY']
    page = 1
    maxpage = datastore['MAXPAGE']

    # results gets our results from shodan_query
    results = []
    results[page] = shodan_query(query, apikey, page)

    if results[page]['total'].nil? || results[page]['total'] == 0
      msg = "No results."
      if results[page]['error'].to_s.length > 0
        msg << " Error: #{results[page]['error']}"
      end
      print_error(msg)
      return
    end

    # Determine page count based on total results
    if results[page]['total'] % 100 == 0
      tpages = results[page]['total'] / 100
    else
      tpages = results[page]['total'] / 100 + 1
      maxpage = tpages if datastore['MAXPAGE'] > tpages
    end

    # start printing out our query statistics
    print_status("Total: #{results[page]['total']} on #{tpages} " +
      "pages. Showing: #{maxpage} page(s)")

    # If search results greater than 100, loop & get all results
    print_status('Collecting data, please wait...')
    if results[page]['total'] > 100
      page += 1
      while page <= maxpage
        break if page > datastore['MAXPAGE']
        results[page] = shodan_query(query, apikey, page)
        page += 1
      end
    end

    # Save the results to this table
    tbl = Rex::Text::Table.new(
      'Header'  => 'Search Results',
      'Indent'  => 1,
      'Columns' => ['IP:Port', 'City', 'Country', 'Hostname']
    )

    # Organize results and put them into the table and database
    p = 1
    regex = datastore['REGEX'] if datastore['REGEX']
    while p <= maxpage
      break if p > maxpage
      results[p]['matches'].each do |host|
        city = host['location']['city'] || 'N/A'
        ip   = host['ip_str'] || 'N/A'
        port = host['port'] || ''
        country = host['location']['country_name'] || 'N/A'
        hostname = host['hostnames'][0]
        data = host['data']

        report_host(:host     => ip,
                    :name     => hostname,
                    :comments => 'Added from Shodan',
                    :info     => host['info']
                    ) if datastore['DATABASE']

        report_service(:host => ip,
                       :port => port,
                       :info => 'Added from Shodan'
                       ) if datastore['DATABASE']

        if ip =~ regex ||
           city =~ regex ||
           country =~ regex ||
           hostname =~ regex ||
           data =~ regex
           # Unfortunately we cannot display the banner properly,
           # because it messes with our output format
           tbl << ["#{ip}:#{port}", city, country, hostname]
        end
      end
      p += 1
    end

    # Show data and maybe save it if needed
    print_line
    print_line("#{tbl}")
    save_output(tbl) if datastore['OUTFILE']
  end
end
Add Shodan Search Module (Feature #5451) 2011-12-05 18:50:21 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add Shodan Search Module (Feature #5451) 2011-12-05 18:50:21 +00:00			`##`

Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`require 'net/https'`
			`require 'uri'`
Add Shodan Search Module (Feature #5451) 2011-12-05 18:50:21 +00:00
use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Auxiliary`
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::Report`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Shodan Search',`
			`'Description' => %q{`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`This module uses the Shodan API to search Shodan. Accounts are free`
more updates, 465 more pages to go 2017-08-27 01:01:10 +00:00			`and an API key is required to use this module. Output from the module`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`is displayed to the screen and can be saved to a file or the MSF database.`
			`NOTE: SHODAN filters (i.e. port, hostname, os, geo, city) can be used in`
			`queries, but there are limitations when used with a free API key. Please`
			`see the Shodan site for more information.`
			`Shodan website: https://www.shodan.io/`
			`API: https://developer.shodan.io/api`
Retab modules 2013-08-30 21:28:54 +00:00			`},`
			`'Author' =>`
			`[`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`'John H Sawyer <john[at]sploitlab.com>', # InGuardians, Inc.`
			`'sinn3r' # Metasploit-fu plus other features`
Retab modules 2013-08-30 21:28:54 +00:00			`],`
			`'License' => MSF_LICENSE`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`)`
			`)`
Retab modules 2013-08-30 21:28:54 +00:00
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`deregister_options('RHOST', 'DOMAIN', 'DigestAuthIIS', 'NTLM::SendLM',`
			`'NTLM::SendNTLM', 'VHOST', 'RPORT', 'NTLM::SendSPN', 'NTLM::UseLMKey',`
			`'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2')`
Retab modules 2013-08-30 21:28:54 +00:00
			`register_options(`
			`[`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`OptString.new('SHODAN_APIKEY', [true, 'The SHODAN API key']),`
			`OptString.new('QUERY', [true, 'Keywords you want to search for']),`
			`OptString.new('OUTFILE', [false, 'A filename to store the list of IPs']),`
			`OptBool.new('DATABASE', [false, 'Add search results to the database', false]),`
			`OptInt.new('MAXPAGE', [true, 'Max amount of pages to collect', 1]),`
Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`OptRegexp.new('REGEX', [true, 'Regex search for a specific IP/City/Country/Hostname', '.*'])`

Fix msf/core and self.class msftidy warnings Also fixed rex requires. 2017-05-03 20:42:21 +00:00			`])`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

			`# create our Shodan query function that performs the actual web request`
			`def shodan_query(query, apikey, page)`
			`# send our query to Shodan`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`uri = URI.parse('https://api.shodan.io/shodan/host/search?query=' +`
			`Rex::Text.uri_encode(query) + '&key=' + apikey + '&page=' + page.to_s)`
			`http = Net::HTTP.new(uri.host, uri.port)`
			`http.use_ssl = true`
			`request = Net::HTTP::Get.new(uri.request_uri)`
			`res = http.request(request)`

Add conditions to check healthy shodan results 2014-09-10 16:38:06 +00:00			`if res and res.body =~ /<title>401 Unauthorized<\/title>/`
			`fail_with(Failure::BadConfig, '401 Unauthorized. Your SHODAN_APIKEY is invalid')`
			`end`

Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`# Check if we can resolve host, got a response,`
			`# then parse the JSON, and return it`
			`if res`
Retab modules 2013-08-30 21:28:54 +00:00			`results = ActiveSupport::JSON.decode(res.body)`
			`return results`
			`else`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`return 'server_response_error'`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`end`

Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`# save output to file`
Retab modules 2013-08-30 21:28:54 +00:00			`def save_output(data)`
Committing changes from r7 comments 2014-08-23 04:08:27 +00:00			`::File.open(datastore['OUTFILE'], 'wb') do \|f\|`
			`f.write(data)`
			`print_status("Saved results in #{datastore['OUTFILE']}")`
			`end`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`# Check to see if api.shodan.io resolves properly`
Fix #4764, NameError unitialized constant Net::DNS in shodan_search 2015-02-13 20:21:21 +00:00			`def shodan_resolvable?`
			`begin`
			`Rex::Socket.resolv_to_dotted("api.shodan.io")`
			`rescue RuntimeError, SocketError`
			`return false`
Fix shodan to not muck with datastore 2014-04-15 02:16:40 +00:00			`end`
Fix #4764, NameError unitialized constant Net::DNS in shodan_search 2015-02-13 20:21:21 +00:00
			`true`
Fix shodan to not muck with datastore 2014-04-15 02:16:40 +00:00			`end`

Retab modules 2013-08-30 21:28:54 +00:00			`def run`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`# check to ensure api.shodan.io is resolvable`
Fix #4764, NameError unitialized constant Net::DNS in shodan_search 2015-02-13 20:21:21 +00:00			`unless shodan_resolvable?`
			`print_error("Unable to resolve api.shodan.io")`
			`return`
			`end`
Fix shodan to not muck with datastore 2014-04-15 02:16:40 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`# create our Shodan request parameters`
			`query = datastore['QUERY']`
			`apikey = datastore['SHODAN_APIKEY']`
			`page = 1`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`maxpage = datastore['MAXPAGE']`
Retab modules 2013-08-30 21:28:54 +00:00
			`# results gets our results from shodan_query`
			`results = []`
			`results[page] = shodan_query(query, apikey, page)`

Add conditions to check healthy shodan results 2014-09-10 16:38:06 +00:00			`if results[page]['total'].nil? \|\| results[page]['total'] == 0`
Show errors when no results are found 2015-09-10 21:05:40 +00:00			`msg = "No results."`
			`if results[page]['error'].to_s.length > 0`
			`msg << " Error: #{results[page]['error']}"`
			`end`
			`print_error(msg)`
			`return`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

			`# Determine page count based on total results`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`if results[page]['total'] % 100 == 0`
			`tpages = results[page]['total'] / 100`
Retab modules 2013-08-30 21:28:54 +00:00			`else`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`tpages = results[page]['total'] / 100 + 1`
			`maxpage = tpages if datastore['MAXPAGE'] > tpages`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

			`# start printing out our query statistics`
Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`print_status("Total: #{results[page]['total']} on #{tpages} " +`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`"pages. Showing: #{maxpage} page(s)")`

			`# If search results greater than 100, loop & get all results`
			`print_status('Collecting data, please wait...')`
			`if results[page]['total'] > 100`
Retab modules 2013-08-30 21:28:54 +00:00			`page += 1`
Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`while page <= maxpage`
Retab modules 2013-08-30 21:28:54 +00:00			`break if page > datastore['MAXPAGE']`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`results[page] = shodan_query(query, apikey, page)`
			`page += 1`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`end`

			`# Save the results to this table`
replace old rex::ui::text::table refs everywhere we called the class we have now rewritten it to use the new namespace MS-1875 2016-08-10 18:30:09 +00:00			`tbl = Rex::Text::Table.new(`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`'Header' => 'Search Results',`
Retab modules 2013-08-30 21:28:54 +00:00			`'Indent' => 1,`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`'Columns' => ['IP:Port', 'City', 'Country', 'Hostname']`
Retab modules 2013-08-30 21:28:54 +00:00			`)`

Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`# Organize results and put them into the table and database`
Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`p = 1`
			`regex = datastore['REGEX'] if datastore['REGEX']`
			`while p <= maxpage`
			`break if p > maxpage`
			`results[p]['matches'].each do \|host\|`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`city = host['location']['city'] \|\| 'N/A'`
			`ip = host['ip_str'] \|\| 'N/A'`
Retab modules 2013-08-30 21:28:54 +00:00			`port = host['port'] \|\| ''`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`country = host['location']['country_name'] \|\| 'N/A'`
Retab modules 2013-08-30 21:28:54 +00:00			`hostname = host['hostnames'][0]`
			`data = host['data']`

Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`report_host(:host => ip,`
			`:name => hostname,`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`:comments => 'Added from Shodan',`
Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`:info => host['info']`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`) if datastore['DATABASE']`

Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`report_service(:host => ip,`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`:port => port,`
			`:info => 'Added from Shodan'`
			`) if datastore['DATABASE']`

Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`if ip =~ regex \|\|`
			`city =~ regex \|\|`
			`country =~ regex \|\|`
			`hostname =~ regex \|\|`
			`data =~ regex`
Committing changes from r7 comments 2014-08-23 04:08:27 +00:00			`# Unfortunately we cannot display the banner properly,`
			`# because it messes with our output format`
			`tbl << ["#{ip}:#{port}", city, country, hostname]`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`end`
Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`p += 1`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

Updated shodan_search for new API 2014-08-20 04:48:13 +00:00			`# Show data and maybe save it if needed`
Committing changes from r7 comments 2014-08-23 04:08:27 +00:00			`print_line`
			`print_line("#{tbl}")`
Addressed r7 comments, fixed bug in results loop 2014-09-01 17:43:31 +00:00			`save_output(tbl) if datastore['OUTFILE']`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Whitespace and File.open binary mode cleanups. Fixes some recent modules: dns_fuzzer, shodan_search, avidphoneticindexer, and win_privs. 2011-12-12 23:31:28 +00:00			`end`