1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
|
# -*- coding: utf-8 -*-
"""
shodan.client
~~~~~~~~~~~~~
This module implements the Shodan API.
:copyright: (c) 2014- by John Matherly
"""
import time
import requests
import json
from .exception import APIError
from .helpers import api_request, create_facet_string
from .stream import Stream
# Try to disable the SSL warnings in urllib3 since not everybody can install
# C extensions. If you're able to install C extensions you can try to run:
#
# pip install requests[security]
#
# Which will download libraries that offer more full-featured SSL classes
# pylint: disable=E1101
try:
requests.packages.urllib3.disable_warnings()
except Exception:
pass
# Define a basestring type if necessary for Python3 compatibility
try:
basestring
except NameError:
basestring = str
class Shodan:
"""Wrapper around the Shodan REST and Streaming APIs
:param key: The Shodan API key that can be obtained from your account page (https://account.shodan.io)
:type key: str
:ivar exploits: An instance of `shodan.Shodan.Exploits` that provides access to the Exploits REST API.
:ivar stream: An instance of `shodan.Shodan.Stream` that provides access to the Streaming API.
"""
class Data:
def __init__(self, parent):
self.parent = parent
def list_datasets(self):
"""Returns a list of datasets that the user has permission to download.
:returns: A list of objects where every object describes a dataset
"""
return self.parent._request('/shodan/data', {})
def list_files(self, dataset):
"""Returns a list of files that belong to the given dataset.
:returns: A list of objects where each object contains a 'name', 'size', 'timestamp' and 'url'
"""
return self.parent._request('/shodan/data/{}'.format(dataset), {})
class Dns:
def __init__(self, parent):
self.parent = parent
def domain_info(self, domain, history=False, type=None, page=1):
"""Grab the DNS information for a domain.
"""
args = {
'page': page,
}
if history:
args['history'] = history
if type:
args['type'] = type
return self.parent._request('/dns/domain/{}'.format(domain), args)
class Notifier:
def __init__(self, parent):
self.parent = parent
def create(self, provider, args, description=None):
"""Get the settings for the specified notifier that a user has configured.
:param provider: Provider name
:type provider: str
:param args: Provider arguments
:type args: dict
:param description: Human-friendly description of the notifier
:type description: str
:returns: dict -- fields are 'success' and 'id' of the notifier
"""
args['provider'] = provider
if description:
args['description'] = description
return self.parent._request('/notifier', args, method='post')
def edit(self, nid, args):
"""Get the settings for the specified notifier that a user has configured.
:param nid: Notifier ID
:type nid: str
:param args: Provider arguments
:type args: dict
:returns: dict -- fields are 'success' and 'id' of the notifier
"""
return self.parent._request('/notifier/{}'.format(nid), args, method='put')
def get(self, nid):
"""Get the settings for the specified notifier that a user has configured.
:param nid: Notifier ID
:type nid: str
:returns: dict -- object describing the notifier settings
"""
return self.parent._request('/notifier/{}'.format(nid), {})
def list_notifiers(self):
"""Returns a list of notifiers that the user has added.
:returns: A list of notifierse that are available on the account
"""
return self.parent._request('/notifier', {})
def list_providers(self):
"""Returns a list of supported notification providers.
:returns: A list of providers where each object describes a provider
"""
return self.parent._request('/notifier/provider', {})
def remove(self, nid):
"""Delete the provided notifier.
:param nid: Notifier ID
:type nid: str
:returns: dict -- 'success' set to True if action succeeded
"""
return self.parent._request('/notifier/{}'.format(nid), {}, method='delete')
class Tools:
def __init__(self, parent):
self.parent = parent
def myip(self):
"""Get your current IP address as seen from the Internet.
:returns: str -- your IP address
"""
return self.parent._request('/tools/myip', {})
class Exploits:
def __init__(self, parent):
self.parent = parent
def search(self, query, page=1, facets=None):
"""Search the entire Shodan Exploits archive using the same query syntax
as the website.
:param query: The exploit search query; same syntax as website.
:type query: str
:param facets: A list of strings or tuples to get summary information on.
:type facets: str
:param page: The page number to access.
:type page: int
:returns: dict -- a dictionary containing the results of the search.
"""
query_args = {
'query': query,
'page': page,
}
if facets:
query_args['facets'] = create_facet_string(facets)
return self.parent._request('/api/search', query_args, service='exploits')
def count(self, query, facets=None):
"""Search the entire Shodan Exploits archive but only return the total # of results,
not the actual exploits.
:param query: The exploit search query; same syntax as website.
:type query: str
:param facets: A list of strings or tuples to get summary information on.
:type facets: str
:returns: dict -- a dictionary containing the results of the search.
"""
query_args = {
'query': query,
}
if facets:
query_args['facets'] = create_facet_string(facets)
return self.parent._request('/api/count', query_args, service='exploits')
class Labs:
def __init__(self, parent):
self.parent = parent
def honeyscore(self, ip):
"""Calculate the probability of an IP being an ICS honeypot.
:param ip: IP address of the device
:type ip: str
:returns: int -- honeyscore ranging from 0.0 to 1.0
"""
return self.parent._request('/labs/honeyscore/{}'.format(ip), {})
class Organization:
def __init__(self, parent):
self.parent = parent
def add_member(self, user, notify=True):
"""Add the user to the organization.
:param user: username or email address
:type user: str
:param notify: whether or not to send the user an email notification
:type notify: bool
:returns: True if it succeeded and raises an Exception otherwise
"""
return self.parent._request('/org/member/{}'.format(user), {
'notify': notify,
}, method='PUT')['success']
def info(self):
"""Returns general information about the organization the current user is a member of.
"""
return self.parent._request('/org', {})
def remove_member(self, user):
"""Remove the user from the organization.
:param user: username or email address
:type user: str
:returns: True if it succeeded and raises an Exception otherwise
"""
return self.parent._request('/org/member/{}'.format(user), {}, method='DELETE')['success']
def __init__(self, key, proxies=None):
"""Initializes the API object.
:param key: The Shodan API key.
:type key: str
:param proxies: A proxies array for the requests library, e.g. {'https': 'your proxy'}
:type proxies: dict
"""
self.api_key = key
self.base_url = 'https://api.shodan.io'
self.base_exploits_url = 'https://exploits.shodan.io'
self.data = self.Data(self)
self.dns = self.Dns(self)
self.exploits = self.Exploits(self)
self.labs = self.Labs(self)
self.notifier = self.Notifier(self)
self.org = self.Organization(self)
self.tools = self.Tools(self)
self.stream = Stream(key, proxies=proxies)
self._session = requests.Session()
self.api_rate_limit = 1 # Requests per second
self._api_query_time = None
if proxies:
self._session.proxies.update(proxies)
self._session.trust_env = False
def _request(self, function, params, service='shodan', method='get'):
"""General-purpose function to create web requests to SHODAN.
Arguments:
function -- name of the function you want to execute
params -- dictionary of parameters for the function
Returns
A dictionary containing the function's results.
"""
# Add the API key parameter automatically
params['key'] = self.api_key
# Determine the base_url based on which service we're interacting with
base_url = {
'shodan': self.base_url,
'exploits': self.base_exploits_url,
}.get(service, 'shodan')
# Wait for API rate limit
if self._api_query_time is not None and self.api_rate_limit > 0:
while (1.0 / self.api_rate_limit) + self._api_query_time >= time.time():
time.sleep(0.1 / self.api_rate_limit)
# Send the request
try:
method = method.lower()
if method == 'post':
data = self._session.post(base_url + function, params)
elif method == 'put':
data = self._session.put(base_url + function, params=params)
elif method == 'delete':
data = self._session.delete(base_url + function, params=params)
else:
data = self._session.get(base_url + function, params=params)
self._api_query_time = time.time()
except Exception:
raise APIError('Unable to connect to Shodan')
# Check that the API key wasn't rejected
if data.status_code == 401:
try:
# Return the actual error message if the API returned valid JSON
error = data.json()['error']
except Exception as e:
# If the response looks like HTML then it's probably the 401 page that nginx returns
# for 401 responses by default
if data.text.startswith('<'):
error = 'Invalid API key'
else:
# Otherwise lets raise the error message
error = u'{}'.format(e)
raise APIError(error)
elif data.status_code == 403:
raise APIError('Access denied (403 Forbidden)')
elif data.status_code == 502:
raise APIError('Bad Gateway (502)')
# Parse the text into JSON
try:
data = data.json()
except ValueError:
raise APIError('Unable to parse JSON response')
# Raise an exception if an error occurred
if type(data) == dict and 'error' in data:
raise APIError(data['error'])
# Return the data
return data
def count(self, query, facets=None):
"""Returns the total number of search results for the query.
:param query: Search query; identical syntax to the website
:type query: str
:param facets: (optional) A list of properties to get summary information on
:type facets: str
:returns: A dictionary with 1 main property: total. If facets have been provided then another property called "facets" will be available at the top-level of the dictionary. Visit the website for more detailed information.
"""
query_args = {
'query': query,
}
if facets:
query_args['facets'] = create_facet_string(facets)
return self._request('/shodan/host/count', query_args)
def host(self, ips, history=False, minify=False):
"""Get all available information on an IP.
:param ip: IP of the computer
:type ip: str
:param history: (optional) True if you want to grab the historical (non-current) banners for the host, False otherwise.
:type history: bool
:param minify: (optional) True to only return the list of ports and the general host information, no banners, False otherwise.
:type minify: bool
"""
if isinstance(ips, basestring):
ips = [ips]
params = {}
if history:
params['history'] = history
if minify:
params['minify'] = minify
return self._request('/shodan/host/{}'.format(','.join(ips)), params)
def info(self):
"""Returns information about the current API key, such as a list of add-ons
and other features that are enabled for the current user's API plan.
"""
return self._request('/api-info', {})
def ports(self):
"""Get a list of ports that Shodan crawls
:returns: An array containing the ports that Shodan crawls for.
"""
return self._request('/shodan/ports', {})
def protocols(self):
"""Get a list of protocols that the Shodan on-demand scanning API supports.
:returns: A dictionary containing the protocol name and description.
"""
return self._request('/shodan/protocols', {})
def scan(self, ips, force=False):
"""Scan a network using Shodan
:param ips: A list of IPs or netblocks in CIDR notation or an object structured like:
{
"9.9.9.9": [
(443, "https"),
(8080, "http")
],
"1.1.1.0/24": [
(503, "modbus")
]
}
:type ips: str or dict
:param force: Whether or not to force Shodan to re-scan the provided IPs. Only available to enterprise users.
:type force: bool
:returns: A dictionary with a unique ID to check on the scan progress, the number of IPs that will be crawled and how many scan credits are left.
"""
if isinstance(ips, basestring):
ips = [ips]
if isinstance(ips, dict):
networks = json.dumps(ips)
else:
networks = ','.join(ips)
params = {
'ips': networks,
'force': force,
}
return self._request('/shodan/scan', params, method='post')
def scans(self, page=1):
"""Get a list of scans submitted
:param page: Page through the list of scans 100 results at a time
:type page: int
"""
return self._request('/shodan/scans', {
'page': page,
})
def scan_internet(self, port, protocol):
"""Scan a network using Shodan
:param port: The port that should get scanned.
:type port: int
:param port: The name of the protocol as returned by the protocols() method.
:type port: str
:returns: A dictionary with a unique ID to check on the scan progress.
"""
params = {
'port': port,
'protocol': protocol,
}
return self._request('/shodan/scan/internet', params, method='post')
def scan_status(self, scan_id):
"""Get the status information about a previously submitted scan.
:param id: The unique ID for the scan that was submitted
:type id: str
:returns: A dictionary with general information about the scan, including its status in getting processed.
"""
return self._request('/shodan/scan/{}'.format(scan_id), {})
def search(self, query, page=1, limit=None, offset=None, facets=None, minify=True):
"""Search the SHODAN database.
:param query: Search query; identical syntax to the website
:type query: str
:param page: (optional) Page number of the search results
:type page: int
:param limit: (optional) Number of results to return
:type limit: int
:param offset: (optional) Search offset to begin getting results from
:type offset: int
:param facets: (optional) A list of properties to get summary information on
:type facets: str
:param minify: (optional) Whether to minify the banner and only return the important data
:type minify: bool
:returns: A dictionary with 2 main items: matches and total. If facets have been provided then another property called "facets" will be available at the top-level of the dictionary. Visit the website for more detailed information.
"""
args = {
'query': query,
'minify': minify,
}
if limit:
args['limit'] = limit
if offset:
args['offset'] = offset
else:
args['page'] = page
if facets:
args['facets'] = create_facet_string(facets)
return self._request('/shodan/host/search', args)
def search_cursor(self, query, minify=True, retries=5):
"""Search the SHODAN database.
This method returns an iterator that can directly be in a loop. Use it when you want to loop over
all of the results of a search query. But this method doesn't return a "matches" array or the "total"
information. And it also can't be used with facets, it's only use is to iterate over results more
easily.
:param query: Search query; identical syntax to the website
:type query: str
:param minify: (optional) Whether to minify the banner and only return the important data
:type minify: bool
:param retries: (optional) How often to retry the search in case it times out
:type retries: int
:returns: A search cursor that can be used as an iterator/ generator.
"""
page = 1
tries = 0
# Placeholder results object to make the while loop below easier
results = {
'matches': [True],
'total': None,
}
while results['matches']:
try:
results = self.search(query, minify=minify, page=page)
for banner in results['matches']:
try:
yield banner
except GeneratorExit:
return # exit out of the function
page += 1
tries = 0
except Exception:
# We've retried several times but it keeps failing, so lets error out
if tries >= retries:
raise APIError('Retry limit reached ({:d})'.format(retries))
tries += 1
time.sleep(tries) # wait (1 second * retry number) if the search errored out for some reason
def search_facets(self):
"""Returns a list of search facets that can be used to get aggregate information about a search query.
:returns: A list of strings where each is a facet name
"""
return self._request('/shodan/host/search/facets', {})
def search_filters(self):
"""Returns a list of search filters that are available.
:returns: A list of strings where each is a filter name
"""
return self._request('/shodan/host/search/filters', {})
def search_tokens(self, query):
"""Returns information about the search query itself (filters used etc.)
:param query: Search query; identical syntax to the website
:type query: str
:returns: A dictionary with 4 main properties: filters, errors, attributes and string.
"""
query_args = {
'query': query,
}
return self._request('/shodan/host/search/tokens', query_args)
def services(self):
"""Get a list of services that Shodan crawls
:returns: A dictionary containing the ports/ services that Shodan crawls for. The key is the port number and the value is the name of the service.
"""
return self._request('/shodan/services', {})
def queries(self, page=1, sort='timestamp', order='desc'):
"""List the search queries that have been shared by other users.
:param page: Page number to iterate over results; each page contains 10 items
:type page: int
:param sort: Sort the list based on a property. Possible values are: votes, timestamp
:type sort: str
:param order: Whether to sort the list in ascending or descending order. Possible values are: asc, desc
:type order: str
:returns: A list of saved search queries (dictionaries).
"""
args = {
'page': page,
'sort': sort,
'order': order,
}
return self._request('/shodan/query', args)
def queries_search(self, query, page=1):
"""Search the directory of saved search queries in Shodan.
:param query: The search string to look for in the search query
:type query: str
:param page: Page number to iterate over results; each page contains 10 items
:type page: int
:returns: A list of saved search queries (dictionaries).
"""
args = {
'page': page,
'query': query,
}
return self._request('/shodan/query/search', args)
def queries_tags(self, size=10):
"""Search the directory of saved search queries in Shodan.
:param size: The number of tags to return
:type size: int
:returns: A list of tags.
"""
args = {
'size': size,
}
return self._request('/shodan/query/tags', args)
def create_alert(self, name, ip, expires=0):
"""Create a network alert/ private firehose for the specified IP range(s)
:param name: Name of the alert
:type name: str
:param ip: Network range(s) to monitor
:type ip: str OR list of str
:returns: A dict describing the alert
"""
data = {
'name': name,
'filters': {
'ip': ip,
},
'expires': expires,
}
response = api_request(self.api_key, '/shodan/alert', data=data, params={}, method='post',
proxies=self._session.proxies)
return response
def edit_alert(self, aid, ip):
"""Edit the IPs that should be monitored by the alert.
:param aid: Alert ID
:type name: str
:param ip: Network range(s) to monitor
:type ip: str OR list of str
:returns: A dict describing the alert
"""
data = {
'filters': {
'ip': ip,
},
}
response = api_request(self.api_key, '/shodan/alert/{}'.format(aid), data=data, params={}, method='post',
proxies=self._session.proxies)
return response
def alerts(self, aid=None, include_expired=True):
"""List all of the active alerts that the user created."""
if aid:
func = '/shodan/alert/{}/info'.format(aid)
else:
func = '/shodan/alert/info'
response = api_request(self.api_key, func, params={
'include_expired': include_expired,
}, proxies=self._session.proxies)
return response
def delete_alert(self, aid):
"""Delete the alert with the given ID."""
func = '/shodan/alert/{}'.format(aid)
response = api_request(self.api_key, func, params={}, method='delete',
proxies=self._session.proxies)
return response
def alert_triggers(self):
"""Return a list of available triggers that can be enabled for alerts.
:returns: A list of triggers
"""
return self._request('/shodan/alert/triggers', {})
def enable_alert_trigger(self, aid, trigger):
"""Enable the given trigger on the alert."""
return self._request('/shodan/alert/{}/trigger/{}'.format(aid, trigger), {}, method='put')
def disable_alert_trigger(self, aid, trigger):
"""Disable the given trigger on the alert."""
return self._request('/shodan/alert/{}/trigger/{}'.format(aid, trigger), {}, method='delete')
def ignore_alert_trigger_notification(self, aid, trigger, ip, port, vulns=None):
"""Ignore trigger notifications for the provided IP and port."""
# The "vulnerable" and "vulnerable_unverified" triggers let you specify specific vulnerabilities
# to ignore. If a user provides a "vulns" list and specifies on of those triggers then we'll use
# a different API endpoint.
if trigger in ('vulnerable', 'vulnerable_unverified') and vulns and isinstance(vulns, list):
return self._request('/shodan/alert/{}/trigger/{}/ignore/{}:{}/{}'.format(aid, trigger, ip, port, ','.join(vulns)), {}, method='put')
return self._request('/shodan/alert/{}/trigger/{}/ignore/{}:{}'.format(aid, trigger, ip, port), {}, method='put')
def unignore_alert_trigger_notification(self, aid, trigger, ip, port):
"""Re-enable trigger notifications for the provided IP and port"""
return self._request('/shodan/alert/{}/trigger/{}/ignore/{}:{}'.format(aid, trigger, ip, port), {}, method='delete')
def add_alert_notifier(self, aid, nid):
"""Enable the given notifier for an alert that has triggers enabled."""
return self._request('/shodan/alert/{}/notifier/{}'.format(aid, nid), {}, method='put')
def remove_alert_notifier(self, aid, nid):
"""Remove the given notifier for an alert that has triggers enabled."""
return self._request('/shodan/alert/{}/notifier/{}'.format(aid, nid), {}, method='delete')
|
