New Module: Shodan Ports (InternetDB) #911
Conversation
Thanks for the PR. I'll work on reviewing.
I actually just wrote a much simpler module that uses Shodan's InternetDB API instead of Shodan Proper - no API key required and the only missing data is the "verified" vulnerabilities that you might want to check out - cnnrshd@0d3c828 Haven't written any tests though
TIL about internetdb. I like the idea, especially since it's free and has higher rate limits. I'm about halfway through reviewing this one, so let's leave this PR open, and I'll just modify this one to use internetdb instead. Sound good?
That works for me. InternetDB is only updated weekly, but the use case of passive port scanning implies you don't need entirely accurate results anyway imo.
@cnnrshd thanks for your work on this. The internetdb updates have been made and the tests have been written. I made a few other modifications to the module to ensure it works with both IP_ADDRESS and DNS_NAME and that it only accepts in-scope events. (Your solution of changing the scope distance was clever but dangerous since it would have affected other modules). Please test it out and lmk if you're okay with the changes.
Codecov Report (Attention)

Coverage Diff, dev vs #911:

| | dev | #911 | +/- |
| --- | --- | --- | --- |
| Coverage | 92% | 92% | -0% |
| Files | 297 | 300 | +3 |
| Lines | 18498 | 18604 | +106 |
| Hits | 16989 | 17086 | +97 |
| Misses | 1509 | 1518 | +9 |
Quick question @cnnrshd: when do you consider a vulnerability 'verified'? Is Shodan actually sure about its presence, or is it still purely version based? I was under the impression Shodan data was almost fully version based.
@joostgrunwald Verified comes from Shodan's definition - if you check the source code (I'd direct reference, but I'm on mobile) for this module, I believe I just pull data from a "vulns" key in the internetdb response. This is probably done with version checking, I don't think they do active verification. |
Also it's worth noting that the vulns are tracked by IP address, not hostname. So it's possible something in the past shared that IP address, but has since been replaced. |
@cnnrshd ah yes I checked the source code but thought I might be missing something. Note that there
@joostgrunwald I don't think that the internetdb API differentiates between vulns and verified vulns, but yeah, the wording could be changed. |
@cnnrshd No, you are correct. Even though implementing this would simply be hardcoding the list of verified vulnerabilities and checking against them (the list is that small), I'm not sure how much impact that has, based on the small number of verified vulnerabilities supported.
Agreed we should probably change the wording |
This module checks Shodan's host endpoint to get and report open TCP ports. Additional information includes verified vulnerabilities, unverified vulnerabilities (reported as a FINDING), CPE data, OS data, and DNS information.
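As an added illustration of what the thread above describes (not the module's or BBOT's own code): parsing one InternetDB record into port events and FINDINGs, gating on a scope check so the module never widens scope itself, and carrying the caveat that InternetDB "vulns" are version-based, keyed by IP and refreshed weekly. The JSON sample, the event dict shapes, `in_scope` and `example_scope` are all constructed for this example; resolving a DNS_NAME to its IPs before the lookup is left out.

```python
"""Added example (not the module's code): turn an InternetDB response into
port/vuln findings, the way the PR discussion describes it."""
import ipaddress
import json

# Constructed sample of the JSON that GET https://internetdb.shodan.io/<ip>
# returns (no API key needed). All values here are made up for illustration.
SAMPLE_RESPONSE = json.dumps({
    "ip": "203.0.113.10",
    "ports": [443, 22, 80, 22],
    "cpes": ["cpe:/a:openbsd:openssh:8.2", "cpe:/a:nginx:nginx"],
    "hostnames": ["www.example.com"],
    "tags": ["cloud"],
    "vulns": ["CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"],  # placeholders
})


def parse_internetdb(raw: str, in_scope) -> list[dict]:
    """Return events derived from one InternetDB record.

    ``in_scope`` is a hypothetical predicate standing in for the scan's scope
    check: out-of-scope hosts yield nothing, instead of the module changing
    the scope distance (the concern raised in review). Ports become
    OPEN_TCP_PORT events; each CVE becomes an unverified FINDING whose
    description records why it may not apply (version-based, per-IP data
    that can describe a previous tenant of the address, updated weekly).
    """
    data = json.loads(raw)
    ip = str(ipaddress.ip_address(data["ip"]))  # rejects malformed input
    if not in_scope(ip):
        return []
    events = [{"type": "OPEN_TCP_PORT", "data": f"{ip}:{port}"}
              for port in sorted(set(data.get("ports", [])))]
    for cve in data.get("vulns", []):
        events.append({
            "type": "FINDING",
            "data": {
                "host": ip,
                "description": (f"Shodan InternetDB lists {cve} for {ip} "
                                "(unverified: version-based, keyed by IP, "
                                "refreshed weekly)"),
                "cpes": data.get("cpes", []),
            },
        })
    return events


def example_scope(ip: str) -> bool:
    # Constructed scope: only the TEST-NET-3 range used in the sample above.
    return ipaddress.ip_address(ip) in ipaddress.ip_network("203.0.113.0/24")
```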