Shodan se vuelve más simple con el uso de #Shodansploit

Shodan es muy popular para buscar dispositivos vulnerables en Internet. Como Shodan hace ping con todos los dispositivos que están conectados a internet, muestra todos y cada uno de los puertos que están asociados con los dispositivos conectados a Internet. En Shodan podemos encontrar dispositivos como bases de datos, cámaras abiertas, servidores abiertos, barcos y muchos dispositivos que están conectados a través de Internet. Hoy vamos a mostrar la herramienta Shodansploit.

Especialistas en seguridad en redes del Instituto Internacional de Seguridad Cibernética mencionan que Shodansploit puede ser útil en la fase de recopilación de información.

Shodansploit es una herramienta que se utiliza para realizar búsquedas de detalles en su objetivo mediante la interfaz de línea de comandos. Esta herramienta también proporciona búsquedas específicas que son posibles. Shodansploit funciona con Shodan API. Shodansploit funciona según el privilegio de API que tiene. Esta herramienta actúa como una interfaz de línea de comandos de Shodan.

  • Shodansploit se ha probado en Kali Linux 2018.4
  • Para descargar, escriba git clone https://github.com/ismailtasdelen/shodansploit.git
root@kali:/home/iicybersecurity/Downloads# git clone https://github.com/ismailtasdelen/shodansploit.git
Cloning into 'shodansploit'…
remote: Enumerating objects: 51, done.
remote: Counting objects: 100% (51/51), done.
remote: Compressing objects: 100% (46/46), done.
remote: Total 51 (delta 15), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (51/51), done.
  • Escriba cd shodansploit && ls
root@kali:/home/iicybersecurity/Downloads# cd shodansploit/
root@kali:/home/iicybersecurity/Downloads/shodansploit# ls
doc img LICENSE README.md shodansploit.py
  • Escriba chmod u+x shodansploit.py
root@kali:/home/iicybersecurity/Downloads/shodansploit# chmod u+x shodansploit.py
  • Teclee nano shodansploit
  • Introduzca shodan API en la primera instrucción else. Para obtener la API de Shodan, vaya a: https://account.shodan.io. Cree una cuenta, luego ingrese a través de su cuenta
  • Después de iniciar sesión, haga clic en la pestaña Mi cuenta. En esa página puede obtener la API de Shodan. Copie la API de Shodan y péguela en shodansploit.py en la declaración requerida
else:
file = open('api.txt', 'w')
shodan_api = raw_input('[*] Please enter a valid Shodan.io API Key: ')
file.write(shodan_api)
print('[~] File written: ./api.txt')
file.close()
  • Después de agregar Shodan API, escriba python shodansploit.py
  • Si está confundido para ingresar Shodan API en shodansploit code, escriba shodansploit.py y luego ingrese la clave de la API Shodan
root@kali:/home/iicybersecurity/shodansploit# python shodansploit.py
[*] Please enter a valid Shodan.io API Key:
  • Escriba python shodansploit.py
root@kali:/home/iicybersecurity/shodansploit# python shodansploit.py
      _               _                       _       _ _
  ___| |__   ___   __| | __ _ _ __  ___ _ __ | | ___ (_) |_
 / __| '_ \ / _ \ / _` |/ _` | '_ \/ __| '_ \| |/ _ \| | __|
 \__ \ | | | (_) | (_| | (_| | | | \__ \ |_) | | (_) | | |_
 |___/_| |_|\___/ \__,_|\__,_|_| |_|___/ .__/|_|\___/|_|\__|
                                       |_|            v1.1.0
        Author : Ismail Tasdelen
        GitHub : github.com/ismailtasdelen
      Linkedin : linkedin.com/in/ismailtasdelen
       Twitter : twitter.com/ismailtsdln

[1] GET > /shodan/host/{ip}
[2] GET > /shodan/host/count
[3] GET > /shodan/host/search
[4] GET > /shodan/host/search/tokens
[5] GET > /shodan/ports

[6] GET > /shodan/exploit/author
[7] GET > /shodan/exploit/cve
[8] GET > /shodan/exploit/msb
[9] GET > /shodan/exploit/bugtraq-id
[10] GET > /shodan/exploit/osvdb
[11] GET > /shodan/exploit/title
[12] GET > /shodan/exploit/description
[13] GET > /shodan/exploit/date
[14] GET > /shodan/exploit/code
[15] GET > /shodan/exploit/platform
[16] GET > /shodan/exploit/port

[17] GET > /dns/resolve
[18] GET > /dns/reverse
[19] GET > /labs/honeyscore/{ip}

[20] GET > /account/profile
[21] GET > /tools/myip
[22] GET > /tools/httpheaders
[23] GET > /api-info

[24] Exit
  • Escriba <1> y luego escriba <dirección IP> de su objetivo
  • Encontrará los detalles básicos del objetivo
Which option number : 1
Shodan Host Search : 74.50.111.244
{
"area_code": 813,
"asn": "AS29802",
"city": "Tampa",
"country_code": "US",
"country_code3": "USA",
"country_name": "United States",
"data": [
{
"_shodan": {
"crawler": "a3cc14ebb782071aec2032690d4fd1979446a9ab",
"id": "ec4e8de3-02e7-4c2d-bce7-071a1326a11b",
"module": "http",
"options": {},
"ptr": true
},
"asn": "AS29802",
"data": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html; charset=us-ascii\r\nDate: Sat, 02 Feb 2019 18:41:30 GMT\r\nConnection: close\r\nContent-Length: 315\r\n\r\n",
"domains": [
"hvvc.us"
],
"hash": 1275063445,
"hostnames": [
"74-50-111-244.static.hvvc.us"
],
"http": {
"components": {},
"favicon": null,
"host": "74.50.111.244",
"html": "\r\nNot Found
\r\n\r\n
Not Found
\r\n
HTTP Error 404. The requested resource is not found.
\r\n\r\n",
"html_hash": 1489525118,
"location": "/",
"redirects": [],
"robots": null,
"robots_hash": null,
"securitytxt": null,
"securitytxt_hash": null,
"server": null,
"sitemap": null,
"sitemap_hash": null,
"title": "Not Found"
  • Después de ejecutar con 1 y la dirección IP de destino. Shodansploit ha encontrado muchos detalles. Detalles como código de área, código de asn, ciudad
  • Estos detalles se pueden utilizar en ataques de diccionario y otras actividades de hacking
  • Escriba <3> & target <IP address>
Which option number : 3
Shodan Host Search : 162.241.216.11
{
"matches": [
{
"_shodan": {
"crawler": "62861a86c4e4b71dceed5113ce9593b98431f89a",
"id": "e0f7df01-a19f-4aa2-bd90-44433b41cea4",
"module": "https-simple-new",
"options": {},
"ptr": true
},
"asn": "AS20013",
"data": "HTTP/1.1 401 Access Denied\r\nConnection: close\r\nContent-Type: text/html; charset=\"utf-8\"\r\nDate: Sat, 09 Feb 2019 04:57:11 GMT\r\nCache-Control: no-cache, no-store, must-revalidate, private\r\nPragma: no-cache\r\nSet-Cookie: whostmgrrelogin=no; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: whostmgrsession=%3aku20Vju9PIy161cD%2cd1b6a1ec42e7edd4e6362ab95b9012dd; HttpOnly; path=/; port=2087; secure\r\nSet-Cookie: roundcube_sessid=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: roundcube_sessauth=expired; HttpOnly; domain=162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: Horde=expired; HttpOnly; domain=.162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: horde_secret_key=expired; HttpOnly; domain=.162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: Horde=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: Horde=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/horde; port=2087; secure\r\nSet-Cookie: PPA_ID=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: imp_key=expired; HttpOnly; domain=162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: key=expired; HttpOnly; domain=162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/3rdparty/squirrelmail/; port=2087; secure\r\nSet-Cookie: SQMSESSID=expired; HttpOnly; domain=162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: Horde=expired; HttpOnly; domain=.162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087\r\nSet-Cookie: horde_secret_key=expired; HttpOnly; domain=.162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087\r\nCache-Control: no-cache, no-store, must-revalidate, private\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nContent-Length: 36260\r\n\r\n",
"domains": [
"bluehost.com"
],
"hash": 1033132057,
"hostnames": [
"box5331.bluehost.com"
],
"http": {
"components": {},
"favicon": null,
"host": "162.241.216.11",
"html": "\n\n\n\n
\n
\n
\n
\n WHM Login
\n
\n\n
\n
\n
\n\n \n/<em>\n This css is included in the base template in case the css cannot be loaded because of access restrictions\n If this css is updated, please update securitypolicy_header.html.tmpl as well\n</em>/\n.copyright {\n background: url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzNTlwdCIgaGVpZ2h0PSIzMjAiIHZpZXdCb3g9IjAgMCAzNTkgMjQwIj48ZGVmcz48Y2xpcFBhdGggaWQ9ImEiPjxwYXRoIGQ9Ik0xMjMgMGgyMzUuMzd2MjQwSDEyM3ptMCAwIi8+PC9jbGlwUGF0aD48L2RlZnM+PHBhdGggZD0iTTg5LjY5IDU5LjEwMmg2Ny44MDJsLTEwLjUgNDAuMmMtMS42MDUgNS42LTQuNjA1IDEwLjEtOSAxMy41LTQuNDAyIDMuNC05LjUwNCA1LjA5Ni0xNS4zIDUuMDk2aC0zMS41Yy03LjIgMC0xMy41NSAyLjEwMi0xOS4wNSA2LjMtNS41MDUgNC4yLTkuMzUzIDkuOTA0LTExLjU1MiAxNy4xMDMtMS40IDUuNDAzLTEuNTUgMTAuNS0uNDUgMTUuMzAyIDEuMDk4IDQuNzk2IDMuMDQ3IDkuMDUgNS44NTIgMTIuNzUgMi43OTcgMy43MDMgNi40IDYuNjUyIDEwLjc5NyA4Ljg1IDQuMzk3IDIuMiA5L</p>
  • La tercera consulta muestra el html del destino. Esta consulta intenta obtener información resumida de la URL
  • Esta información puede ser considerada en la fase inicial de pentesting. Como solo muestra html de la URL de destino
  • Escriba <5> luego presione enter
Which option number : 5
[
7,
11,
13,
15,
17,
19,
21,
22,
23,
25,
26,
37,
43,
49,
53,
69,
70,
79,
80,
81,
82,
83,
84,
88,
102,
104,
110,
111,
113,
119,
123,
129,
137,
143,
161,
175,
179,
195,
264,
311,
389,
443,
444,
445,
465,
500,
502,
503,
515,
520,
523,
554,
587,
623,
626,
631,
636,
666,
771,
789,
873,
902,
992,
993,
995,
1010,
  • La consulta anterior muestra los puertos que Shodan utiliza en el escaneo. Estos son la lista de puertos que son utilizados por Shodan
  • Escriba <6> y luego escriba <microsoft>
  • Microsoft es el objetivo
  • Esta consulta muestra las vulnerabilidades que están causadas en el objetivo
Which option number : 6
Exploit Author : Microsoft
{
"matches": [
{
"_id": 19361,
"author": "Microsoft",
"code": "source: https://www.securityfocus.com/bid/477/info\r\n\r\n\r\nThis vulnerability could allow a web site viewer to obtain the source code for .asp and similar files if the server's default language (Input Locale) is set to Chinese, Japanese or Korean. How this works is as follows:\r\n\r\nIIS checks the extension of the requested file to see if it needs to do any processing before delivering the information. If the requested extension is not on it's list, it then makes any language-based calculations, and delivers the file. If a single byte is appended to the end of the URL when IIS to set to use one of the double-byte language packs (Chinese, Japanese, or Korean) the language module will strip it as invalid, then look for the file. Since the new URL now points to a valid filename, and IIS has already determined that this transaction requires no processing, the file is simply delivered as is, exposing the source code. \r\n\r\nRequest a URL of a known-good file that requires server processing, then append a hex value between x81 and xfe to the URL. For example: https://myhost/main.asp%81. If your server is vulnerable you will receive back the source code of your .asp file.",
"cve": [],
"date": "1999-06-24T00:00:00+00:00",
"description": "Microsoft IIS 3.0/4.0 - Double Byte Code Page",
"platform": "windows",
"port": 0,
"source": "ExploitDB",
"type": "remote"
},
{
"_id": "exploit/windows/fileformat/adobe_libtiff",
"alias": null,
"arch": "[]",
"author": [
"Microsoft",
"villy villys777@gmail.com",
"jduck jduck@metasploit.com"
],
"bid": [
"38195"
],
  • La consulta anterior muestra las vulnerabilidades en el objetivo. Muestra que el visor del sitio web puede obtener el código fuente del objetivo. La información puede ser útil en otras actividades de hacking.
  • Escriba <13> y escriba <date>
  • Escriba cualquier fecha
Which option number : 13
Exploit Date : 2018/04//13
{
"matches": [
{
"_id": "2018-7559",
"bid": [],
"cve": [
"CVE-2018-7559"
],
"description": "An issue was discovered in OPC UA .NET Standard Stack and Sample Code before GitHub commit 2018-04-12, and OPC UA .NET Legacy Stack and Sample Code before GitHub commit 2018-03-13. A vulnerability in OPC UA applications can allow a remote attacker to determine a Server's private key by sending carefully constructed bad UserIdentityTokens as part of an oracle attack.",
"msb": [],
"osvdb": [],
"source": "CVE"
}
],
"total": 1
}

Después de ejecutar Shodansploit, se muestra la vulnerabilidad que puede permitir al atacante obtener una clave privada enviando tokens al objetivo. La información puede ser útil en la fase inicial de pentesting