Shodan v2

This Integration is part of the Shodan Pack.

Shodan is a search engine for Internet-connected devices. Unlike traditional search engines that index websites, Shodan indexes information about the devices connected to the internet, such as servers, routers, webcams, and other IoT devices.

Configure Shodan v2 in Cortex

Parameter | Description | Required |
---|---|---|
API Key | | False |
Base URL to Shodan API | | True |
Trust any certificate (not secure) | | False |
Use system proxy settings | | False |
Source Reliability | Reliability of the source providing the intelligence data. | False |
The maximum number of events per fetch | | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

search

Searches Shodan using facets to get summary information on properties.

Base Command

search

Input

Argument Name | Description | Required |
---|---|---|
query | The query for searching the database of banners. The search query supports filtering using the "filter:value" format to narrow your search. For example, the query "apache country:DE" returns Apache web servers located in Germany. | Required |
facets | A CSV list of properties on which to get summary information. The search query supports filtering using the "property:count" format to define the number of facets to return for a property. For example, the query "country:100" returns the top 100 countries. | Optional |
page | The page number of the fetched results. Each page contains a maximum of 100 results. Default is 1. | Optional |
return_json | Whether to return a JSON file containing the full search results for further processing. Possible values are: Yes, No. Default is No. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Shodan.Banner.Org | String | The name of the organization to which the IP address space for the searched device is assigned. |
Shodan.Banner.Isp | String | The Internet Service Provider that provides the organization with the IP address space for the searched device. |
Shodan.Banner.Transport | String | The IP address transport protocol used to fetch the summary information. Can be "UDP" or "TCP". |
Shodan.Banner.Asn | String | The Autonomous System Number. For example, "AS4837". |
Shodan.Banner.IP | String | The IP address of the host as a string. |
Shodan.Banner.Port | Number | The port number on which the service is operating. |
Shodan.Banner.Ssl.versions | String | The list of SSL versions that are supported by the server. Unsupported versions are prefixed with a "-". For example, ["TLSv1", "-SSLv2"] means that the server supports TLSv1, but does not support SSLv2. |
Shodan.Banner.Hostnames | String | An array of strings containing all of the host names that have been assigned to the IP address for the searched device. |
Shodan.Banner.Location.City | String | The city in which the searched device is located. |
Shodan.Banner.Location.Longitude | Number | The longitude of the geolocation of the searched device. |
Shodan.Banner.Location.Latitude | Number | The latitude of the geolocation of the searched device. |
Shodan.Banner.Location.Country | String | The country in which the searched device is located. |
Shodan.Banner.Timestamp | Date | The timestamp in UTC format indicating when the banner was fetched from the searched device. |
Shodan.Banner.Domains | String | An array of strings containing the top-level domains for the host names of the searched device. It is a utility property for filtering by a top-level domain instead of a subdomain. It supports handling global top-level domains that have several dots in the domain. For example, "co.uk". |
Shodan.Banner.OS | String | The operating system that powers the searched device. |
Shodan.Banner.Product | String | Name of the software that powers the service. |
Shodan.Banner.Ntlm.OSBuild | String | OS build reported by the service. |
Shodan.Banner.Ntlm.DNSForestName | String | DNS Forest Name reported by the service. |
Shodan.Banner.Ntlm.Timestamp | Number | Timestamp. |
Shodan.Banner.Ntlm.FQDN | String | FQDN. |
Shodan.Banner.Ntlm.NetBIOSDomainName | String | NetBIOS Domain Name. |
Shodan.Banner.Ntlm.NetBIOSComputerName | String | NetBIOS Computer Name. |
Shodan.Banner.Ntlm.TargetRealm | String | Target Realm. |
Shodan.Banner.Ntlm.OS | Unknown | OS. |
Shodan.Banner.Ntlm.DNSDomainName | String | DNS Domain Name. |
Shodan.Banner.Hash | Number | Numeric hash of the "data" property which is helpful for finding other IPs with the exact same information. |
Shodan.Banner.Tags | Unknown | Tag applied by Shodan analysis. |
Shodan.Banner.SslCert.SigAlg | String | Certificate Signature Algorithm. |
Shodan.Banner.SslCert.Issued | Date | Timestamp of the beginning of certificate validity (Not Valid Before). |
Shodan.Banner.SslCert.Expires | Date | Timestamp of the end of certificate validity (Not Valid After). |
Shodan.Banner.SslCert.Version | Number | X.509 Certificate Version. |
Shodan.Banner.SslCert.Serial | Number | Serial Number assigned by the issuer. |
Shodan.Banner.SslCert.Subject.CN | String | Subject Common Name. |
Shodan.Banner.SslCert.Subject.O | String | Subject Organization. |
Shodan.Banner.SslCert.Subject.L | String | Subject Locality or City. |
Shodan.Banner.SslCert.Subject.ST | String | Subject State or Province. |
Shodan.Banner.SslCert.Subject.C | String | Subject Country Name. |
Shodan.Banner.SslCert.Expired | Boolean | Boolean indicating whether the certificate is expired. |
Shodan.Banner.SslCert.Issuer.CN | String | Issuer Certificate Common Name. |
Shodan.Banner.SslCert.Issuer.O | String | Issuer Organization. |
Shodan.Banner.SslCert.Issuer.OU | String | Issuer Organizational Unit. |
Shodan.Banner.SslCert.Issuer.L | String | Issuer Locality or City. |
Shodan.Banner.SslCert.Issuer.ST | String | Issuer State or Province. |
Shodan.Banner.SslCert.Issuer.C | String | Issuer Country Name. |
Shodan.Banner.Data | String | The raw data returned from the service. |
Shodan.Banner.CPE23 | Unknown | CPE information in the 2.3 format. |
Shodan.Banner.Device | String | Device identified by Shodan. |
Shodan.Banner.DeviceType | String | The Device Type identified by Shodan. |
Shodan.Banner.Info | String | Additional information provided by Shodan. |
Shodan.Banner.IPv6 | String | The IPv6 address of the host as a string. |
Shodan.Banner.Link | String | The Link identified by Shodan. |
Shodan.Banner.Platform | String | The Platform identified by Shodan. |
Shodan.Banner.Product | String | The Product identified by Shodan. |

Command Example

!search query="country:HK org:RLL-HK -port:80 -port:443 -port:21 -port:25 has_ssl:false" using-brand=Shodan_v2

Context Example

Human Readable Output

Search results for query "country:HK org:RLL-HK -port:80 -port:443 -port:21 -port:25 has_ssl:false" - page 1, facets: None

IP | Port | Timestamp |
---|---|---|
1.2.3.4 | 5353 | 2021-08-17T03:13:54.617598 |
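
The Shodan.Banner.Ssl.versions convention from the Context Output table (a leading "-" marks an unsupported version), applied to triaging your own exposed services for deprecated protocols and expired certificates. This is an added example, not part of the integration's code; it assumes each Shodan.Banner entry is a nested dict keyed as in the table paths, and the sample entries are constructed.

```python
# Added example: triage TLS posture from Shodan.Banner context entries.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # deprecated protocol versions


def supported_versions(versions):
    """Split Ssl.versions into (supported, unsupported); a leading '-' marks unsupported."""
    if versions is None:
        return set(), set()
    if isinstance(versions, str):  # tolerate a CSV string as well as a list
        versions = versions.split(",")
    supported, unsupported = set(), set()
    for raw in versions:
        v = raw.strip()
        if not v:
            continue
        (unsupported if v.startswith("-") else supported).add(v.lstrip("-"))
    return supported, unsupported


def triage_banner(banner):
    """Return a finding dict for one banner, or None if nothing needs attention."""
    ssl = banner.get("Ssl") or {}        # assumed nesting of Shodan.Banner.Ssl.*
    cert = banner.get("SslCert") or {}   # assumed nesting of Shodan.Banner.SslCert.*
    supported, _ = supported_versions(ssl.get("versions"))
    issues = []
    weak = sorted(supported & DEPRECATED)
    if weak:
        issues.append("deprecated protocols enabled: " + ", ".join(weak))
    if cert.get("Expired") is True:
        issues.append("certificate expired")
    if not issues:
        return None
    return {"IP": banner.get("IP"), "Port": banner.get("Port"), "Issues": issues}


def triage(banners):
    """Keep only the banners that produced a finding."""
    return [f for f in map(triage_banner, banners) if f]


# Constructed sample entries shaped after the Shodan.Banner.* paths (not real scan data).
SAMPLE = [
    {"IP": "192.0.2.10", "Port": 443,
     "Ssl": {"versions": ["TLSv1", "-SSLv2", "TLSv1.2"]}, "SslCert": {"Expired": False}},
    {"IP": "192.0.2.11", "Port": 8443,
     "Ssl": {"versions": ["-TLSv1", "-SSLv3", "TLSv1.2", "TLSv1.3"]}, "SslCert": {"Expired": True}},
    {"IP": "192.0.2.12", "Port": 5353},  # no TLS on this service
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```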

ip

Returns all services that have been found on the IP address of the searched host.

Base Command

ip

Input

Argument Name | Description | Required |
---|---|---|
ip | The IP address of the host. | Required |

Context Output

Path | Type | Description |
---|---|---|
IP.ASN | Unknown | The Autonomous System Number. |
IP.Address | Unknown | The IP address. |
IP.Geo.Country | Unknown | The country of a given IP address. |
IP.Geo.Description | Unknown | The description of the location. |
IP.Geo.Location | Unknown | The latitude and longitude of an IP address. |
IP.Hostname | Unknown | The hostname of the IP address. |
IP.Relationships | Unknown | The relationships between the IP and its CVEs. |
Shodan.IP.Tags | String | The tags associated with the IP address. |
Shodan.IP.Latitude | Number | The latitude of the geolocation of the searched device. |
Shodan.IP.Org | String | The name of the organization to which the IP space for the searched device is assigned. |
Shodan.IP.ASN | String | The Autonomous System Number. For example, "AS4837". |
Shodan.IP.ISP | String | The Internet Service Provider that provides the organization with the IP space for the searched device. |
Shodan.IP.Longitude | Number | The longitude of the geolocation of the searched device. |
Shodan.IP.LastUpdate | Date | The timestamp in UTC format indicating when the banner was fetched from the searched device. |
Shodan.IP.CountryName | String | The country in which the searched device is located. |
Shodan.IP.OS | String | The operating system on which the searched device is running. |
Shodan.IP.Port | Number | The port number on which the service is operating. |
Shodan.IP.Address | String | The IP address of the host as a string. |
Shodan.IP.Vulnerabilities | Unknown | A list of Vulnerabilities. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |

Command Example

!ip ip="8.8.8.8" using-brand="Shodan_v2"

Context Example

Human Readable Output

Shodan details for IP 8.8.8.8

ASN | Country | Hostname | ISP | Location | Ports |
---|---|---|---|---|---|
AS15169 | United States | dns.google | Google LLC | 37.406,-122.078 | 53 |

shodan-search-count

Returns the total number of results that match only the specified query or facet settings. This command does not return host results. This command does not consume query credits.

Base Command

shodan-search-count

Input

Argument Name | Description | Required |
---|---|---|
query | The query for searching the database of banners. The search query supports filtering using the "filter:value" format to narrow your search. For example, the query "apache country:DE" returns Apache web servers located in Germany. | Required |

Context Output

Path | Type | Description |
---|---|---|
Shodan.Search.ResultCount | Number | The number of results matched in the search query. |

Command Example

!shodan-search-count query="country:HK product:Apache"

Context Example

Human Readable Output

498645 results for query "country:HK product:Apache"

shodan-scan-ip

Requests Shodan to crawl a network.

Base Command

shodan-scan-ip

Input

Argument Name | Description | Required |
---|---|---|
ips | A CSV list of IP addresses or netblocks, defined in CIDR notation, for Shodan to crawl. | Required |

Context Output

Path | Type | Description |
---|---|---|
Shodan.Scan.ID | String | The unique ID of the scan. |
Shodan.Scan.Status | String | The status of the scan. |

Command Example

!shodan-scan-ip ips=8.8.8.8

Context Example

Human Readable Output

Scanning results for scan wQEp0bIIEHklpAwa

ID | Status |
---|---|
wQEp0bIIEHklpAwa | PROCESSING |

shodan-scan-internet

Requests Shodan to perform a scan on the specified port and protocol.

Base Command

shodan-scan-internet

Input

Argument Name | Description | Required |
---|---|---|
port | The port for which Shodan crawls the Internet. | Required |
protocol | The name of the protocol used to interrogate the port. | Required |

Context Output

Path | Type | Description |
---|---|---|
Shodan.Scan.ID | String | The ID of the initial scan. |