steampipe plugin install shodan

Table: shodan_host_service - Query Shodan Host Services using SQL

Shodan is a search engine for internet-connected devices. It provides a wealth of information about hosts, including open ports, protocols, and services. This information is crucial for security researchers, network administrators, and penetration testers to understand the digital footprint of a host.

Table Usage Guide

The shodan_host_service table provides insights into the services running on a specific host within the Shodan search engine. As a security researcher or network administrator, explore service-specific details through this table, including ports, protocols, and product information. Utilize it to uncover information about a host's digital footprint, such as open ports and the services running on them.

Important Notes

  • You must specify the ip in the where clause to query this table.

Examples

List all service information for an IP

Explore which services are associated with a specific IP address. This can be useful for understanding the functionality and potential vulnerabilities of the device or system associated with that IP.

    select
      *
    from
      shodan_host_service
    where
      ip = '8.8.8.8';

SSL certificate details for services

Analyze the settings to understand the SSL certificate details for specific services on a given IP address. This is useful for ensuring secure connections by checking the validity and details of SSL certificates.

Postgres:

    select
      ip,
      port,
      ssl -> 'cert' as ssl_cert
    from
      shodan_host_service
    where
      ip = '140.82.112.4'
      and ssl is not null;

SQLite:

    select
      ip,
      port,
      json_extract(ssl, '$.cert') as ssl_cert
    from
      shodan_host_service
    where
      ip = '140.82.112.4'
      and ssl is not null;
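
To review certificate validity rather than dump the whole certificate object, the individual fields can be pulled out of the ssl column. The query below is an added example, not part of the plugin documentation; it uses Postgres syntax and assumes the ssl JSON follows Shodan's banner layout (cert.subject.CN, cert.issuer.CN, cert.expires, cert.expired and versions are assumed field names).

```sql
-- Added example: per-port certificate summary for one host.
-- Assumed field names inside ssl: cert.subject.CN, cert.issuer.CN,
-- cert.expires, cert.expired, versions.
select
  ip,
  port,
  ssl -> 'cert' -> 'subject' ->> 'CN' as subject_cn,
  ssl -> 'cert' -> 'issuer' ->> 'CN' as issuer_cn,
  -- Expiry as reported in the banner (string value)
  ssl -> 'cert' ->> 'expires' as not_after,
  -- True when the certificate was already expired at crawl time
  (ssl -> 'cert' ->> 'expired')::boolean as expired,
  -- Protocol versions the crawler recorded for the service
  ssl -> 'versions' as tls_versions,
  -- When the banner was fetched; old banners may no longer reflect the host
  timestamp as observed_at
from
  shodan_host_service
where
  ip = '140.82.112.4'
  and ssl is not null
order by
  port;
```

The observed_at column matters when acting on the result: the certificate state is as of the crawl, not as of the query.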

Check Heartbleed status for each service

Determine the Heartbleed vulnerability status for each service on a specific IP address. This can be crucial in identifying potential security risks and taking appropriate measures to mitigate them.

Postgres:

    select
      ip,
      port,
      opts ->> 'heartbleed' as heartbleed
    from
      shodan_host_service
    where
      ip = '140.82.112.4';

SQLite:

    select
      ip,
      port,
      json_extract(opts, '$.heartbleed') as heartbleed
    from
      shodan_host_service
    where
      ip = '140.82.112.4';

Schema for shodan_host_service

| Name | Type | Operators | Description |
|------|------|-----------|-------------|
| _ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
| banners | jsonb | | TODO |
| cassandra | jsonb | | Cassandra database services that allow connections to the client Thrift port (default: 9160/tcp). |
| coap | jsonb | | Devices running CoAP IoT protocol service. |
| cpe | jsonb | | Common Platform Enumeration. |
| db2 | jsonb | | Services running the IBM DB2 DRDA protocol. |
| devicetype | text | | The type of device (webcam, router, etc.). |
| dns | jsonb | | DNS servers that support either UDP or TCP (typically on port 53). |
| docker | jsonb | | Docker services that allow remote connections and don’t have authentication enabled. |
| domains | jsonb | | An array of strings containing the top-level domains for the hostnames of the device. |
| elastic | jsonb | | The elastic property is available in banners that are identified as belonging to an Elastic service. |
| etcd | jsonb | | The etcd service provides a distributed key/value store used by projects such as Kubernetes. Ports that are running the etcd service. |
| ethernet_ip | jsonb | | Devices that complete a handshake in either TCP or UDP for the industrial Ethernet/IP protocol. |
| ftp | jsonb | | FTP services running on the default port 21/TCP. If the FTP service supports STARTTLS then the starttls tag will be added to the list of tags on the banner and it will also have a top-level ssl property which contains the certificate, SSL testing results and more. |
| hash | bigint | | Numeric hash of the data property. |
| hive | jsonb | | Devices running Apache Hive servers on any port that Shodan crawls. |
| http | jsonb | | The banner was generated by a HTTP module (http, https, http-simple-new, https-simple-new) and successfully completed a HTTP handshake. |
| influxdb | jsonb | | Devices running InfluxDB time-series database. |
| info | text | | Miscellaneous information that was extracted about the product. |
| ip | inet | = | The IP address of the host as a string. |
| ipv6 | text | | The IPv6 address of the host as a string. |
| isakmp | jsonb | | VPN services that use the ISAKMP protocol (such as IKE). |
| lantronix | jsonb | | Lantronix devices that are running the configuration service. |
| link | text | | The network link type. Possible values are: "Ethernet or modem", "generic tunnel or VPN", "DSL", "IPIP or SIT", "SLIP", "IPSec or GRE", "VLAN", "jumbo Ethernet", "Google", "GIF", "PPTP", "loopback", "AX.25 radio modem". |
| minecraft | jsonb | | Devices running the Minecraft game server. |
| monero | jsonb | | If the Monero RPC service is enabled and accepting remote connections. Most results are on port 18081, but it can also be available on other ports. |
| mongodb | jsonb | | MongoDB services that support the binary protocol to interact with the database. |
| mqtt | jsonb | | MQTT services that allow remote connections. |
| netbios | jsonb | | Services that run on port 137 and complete a NetBIOS handshake. |
| ntp | jsonb | | NTP daemons supporting at least version 1 or version 2. |
| opts | jsonb | | Contains experimental and supplemental data for the service. This can include the SSL certificate, robots.txt and other raw information that hasn't yet been formalized into the Banner Specification. |
| port | bigint | | Port number that the service is operating on. |
| product | text | | Name of the software running the service. |
| redis | jsonb | | Redis services running on the default port 6379/TCP. |
| rip | jsonb | | Services on port 520 that successfully respond to a RIP request. |
| rsync | jsonb | | rsync service information. |
| shodan | jsonb | | Information about how the banner was generated. It doesn’t store any data about the port/service itself. |
| smb | jsonb | | Services that run on port 445 and support either SMBv1 or SMBv2. |
| snmp | jsonb | | Any banner generated by the snmp module (typically on 161/UDP). |
| ssh | jsonb | | Any service banner where the initial response starts with “SSH” and subsequently completes a SSH handshake. |
| ssl | jsonb | | Services that require SSL (ex. HTTPS) or support upgrading a connection to SSL/TLS (ex. POP3 with STARTTLS). |
| timestamp | timestamp with time zone | | The timestamp for when the banner was fetched from the device. |
| title | text | | Title of the website as extracted from the HTML source. |
| transport | text | | Uptime of the IP (in minutes). |
| uptime | bigint | | Uptime of the IP (in minutes). |
| version | text | | Version of the software running the service. |
| vertx | jsonb | | Devices running the VertX/Edge door controllers. |
| vulns | jsonb | | The vulns property contains information about vulnerabilities that may exist in the service represented by the banner. In general, the Shodan crawlers don’t perform vulnerability testing; as a result, the vulnerabilities stored in vulns are inferred from the banner and haven’t been verified. Availability: Banners where the software/version has been identified and there exist known CVEs for it. |
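
Because the vulns entries are inferred from the banner rather than tested, a triage query should carry the product, version and verification flag alongside each CVE so the finding can be confirmed against the real host. The query below is an added example, not part of the plugin documentation; it uses Postgres syntax and assumes vulns is a JSON object keyed by CVE ID whose values carry cvss and verified fields, as in Shodan's banner layout.

```sql
-- Added example: one row per inferred CVE per service on a host.
-- Assumed shape of vulns: { "<CVE id>": { "cvss": ..., "verified": ... }, ... }
select
  s.ip,
  s.port,
  s.product,
  s.version,
  v.key as cve,
  v.value ->> 'cvss' as cvss,
  -- Treat a missing flag as unverified (banner-inferred only)
  coalesce((v.value ->> 'verified')::boolean, false) as verified,
  s.timestamp as observed_at
from
  shodan_host_service as s,
  -- Guard: jsonb_each raises an error on anything that is not an object
  jsonb_each(
    case
      when jsonb_typeof(s.vulns) = 'object' then s.vulns
      else '{}'::jsonb
    end
  ) as v
where
  s.ip = '140.82.112.4'
order by
  verified desc,
  s.port,
  cve;
```

Rows with verified = false are candidates for confirmation against the installed version, not confirmed findings.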

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- shodan

You can pass the configuration to the command with the --config argument:

steampipe_export_shodan --config '<your_config>' shodan_host_service