Welcome to Shodan. Shodan is the Search Engine for the Internet of Everything. Learning and using Shodan can be quite scary at first but as you get used to it, you will discover that it has a lot to offer.

From scanning vulnerabilities of an IP, to finding the geographical location, VPN, ASN, country information, etc., all can be requested using the API call. In this post, I’ll show you how you can use the Shodan API to find relevant information about an IP address. We are using the Shodan API at Ennetix, Inc to find out open ports, vulnerabilities, and other info.

After making an account with Shodan, grab the API key unique to your account and paste it in the code below (shodan.py). This script queries Shodan using your API key and dumps the results into a JSON file.

import shodan
import json
import sys
api = shodan.Shodan(your_api_key)  # private api key
def shodan_fun(IP):
    try:
        ipinfo = api.host(IP)
    except shodan.APIError as e:  # this line is resolved
        ipinfo = {}
    with open("shodan_results.json", 'w') as f:
        json.dump(ipinfo, f, indent=4)
    return ipinfo
shodan_fun(sys.argv[1])

Now you can run the below command to get the info of an IP. Instead of IP, type the IP address you want to query (e.g., 8.8.8.8):

$ python3 shodan.py IP

Example Output

Here are examples of the JSON output you might get from the Shodan API:

Let’s analyse the output:

From the above JSON output, one can see the tags, country_code, hostnames, domains, location, port, and even product info — OpenSSH in this case.

The vulns field shows the vulnerabilities from that IP address. So, the attacker might have leveraged this information to access this server and launch an attack on a different machine using this machine. Shodan also shows open ports for that IP. This information can be leveraged in many ways, one of them being to launch a DDoS attack.

Shodan can show the top 10 or top 100 vulnerabilities across the internet, and if that vulnerability is present in your organization IP then it should be resolved quickly before any attack happens.

Shodan can do much more than the data shown here. This is just the tip of the iceberg. It can show Shodan Trends — historical trends, Shodan Monitor — monitor the network for incoming and outgoing requests. It has a database of blacklisted IP addresses which you can download locally with Enterprise access.

For more information and tutorials, visit https://www.shodan.io/.

This blog post was originally published on Medium.

PS: Brijesh Vora is a grad student at University of California, Davis and was a software engineering intern at Ennetix, a leading provider of AI-powered analytics solutions for deterministic digital operations. This blog post was developed as a part of Ennetix, Inc.

Installing Zeek from Source in Ubuntu

For other Linux variants, check the official documentation.

First, install the dependencies:

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python3 python3-dev swig zlib1g-dev

Clone the Repository:

git clone --recursive https://github.com/zeek/zeek

Build from Source:

./configure
make
make install

By default, the installation is in /usr/local/zeek/ which requires root privileges during make install. You can use the --prefix option to install in other directories. For example, to install in the .local folder in your home directory:

./configure --prefix=/home/yourusername/.local

The configuration and installation process might take a while. If you can run zeek --help, then you’ve installed it successfully.

Installing via Pre-built Binary Source Packages

You can download packages from the official repository according to your OS. For Ubuntu 22.04:

echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
sudo apt update
sudo apt install zeek

Configuring the Runtime Environment

Export the installation path:

export PATH=/usr/local/zeek/bin:$PATH

Running Your First Script

Create your first Zeek script with this simple “Hello World” example:

event zeek_init() {
    print "Hello, World!";
}

event zeek_done() {
    print "Goodbye, World!";
}

Save this as hello.zeek and run it:

zeek hello.zeek

Capturing and Analyzing Network Traffic

Let’s capture some packets and analyze them with Zeek. First, capture some traffic:

sudo tcpdump -s 0 -w get.trace

Run this for about 5 minutes, then press Ctrl+C to stop.

Now create a script to record log files (save as main.zeek):

event zeek_init() {
    Log::create_stream(Conn::LOG, [$columns=Conn::Info, $path="Conn"]);
    local filter: Log::Filter = [$name="conn", $path="conn"];
    Log::add_filter(Conn::LOG, filter);
    Log::remove_filter(Conn::LOG, "default");
}

Analyze the captured traffic:

zeek -C -r get.trace main.zeek

This will generate several log files including conn.log, dns.log, reporter.log, ssl.log, and weird.log. These logs can be inspected for suspicious activity and further analysis.

Next Steps

To learn more about the Zeek scripting language, check out the official tutorial.

Happy Zeeking!

This post was originally published on Medium and has been adapted for this blog.