Table: shodan_host_service - Query Shodan Host Services using SQL
Shodan is a search engine for internet-connected devices. It provides a wealth of information about hosts, including open ports, protocols, and services. This information is crucial for security researchers, network administrators, and penetration testers to understand the digital footprint of a host.
Table Usage Guide
The shodan_host_service
table provides insights into the services running on a specific host within the Shodan search engine. As a security researcher or network administrator, explore service-specific details through this table, including ports, protocols, and product information. Utilize it to uncover information about a host's digital footprint, such as open ports and the services running on them.
Important Notes
- You must specify the
ip
in thewhere
clause to query this table.
Examples
List all service information for an IP
Explore which services are associated with a specific IP address. This can be useful for understanding the functionality and potential vulnerabilities of the device or system associated with that IP.
select *from shodan_host_servicewhere ip = '8.8.8.8';
select *from shodan_host_servicewhere ip = '8.8.8.8';
SSL certificate details for services
Analyze the settings to understand the SSL certificate details for specific services on a given IP address. This is useful for ensuring secure connections by checking the validity and details of SSL certificates.
select ip, port, ssl -> 'cert' as ssl_certfrom shodan_host_servicewhere ip = '140.82.112.4' and ssl is not null;
select ip, port, json_extract(ssl, '$.cert') as ssl_certfrom shodan_host_servicewhere ip = '140.82.112.4' and ssl is not null;
Check Heartbleed status for each service
Determine the Heartbleed vulnerability status for each service on a specific IP address. This can be crucial in identifying potential security risks and taking appropriate measures to mitigate them.
select ip, port, opts ->> 'heartbleed' as heartbleedfrom shodan_host_servicewhere ip = '140.82.112.4';
select ip, port, json_extract(opts, '$.heartbleed') as heartbleedfrom shodan_host_servicewhere ip = '140.82.112.4';
Schema for shodan_host_service
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
banners | jsonb | TODO | |
cassandra | jsonb | Cassandra database services that allow connections to the client Thrift port (default: 9160/ tcp). | |
coap | jsonb | Devices running CoAP IoT protocol service. | |
cpe | jsonb | Common Platform Enumeration. | |
db2 | jsonb | Services running the IBM DB2 DRDA protocol. | |
devicetype | text | The type of device (webcam, router, etc.). | |
dns | jsonb | DNS servers that support either UDP or TCP (typically on port 53). | |
docker | jsonb | Docker services that allow remote connections and don’t have authentication enabled. | |
domains | jsonb | An array of strings containing the top-level domains for the hostnames of the device. | |
elastic | jsonb | The elastic property is available in banners that are identified as belonging to an Elastic service. | |
etcd | jsonb | The etcd service provides a distributed key/value store used by projects such as Kubernetes. Ports that are running the etcd service. | |
ethernet_ip | jsonb | Devices that complete a handshake in either TCP or UDP for the industrial Ethernet/IP protocol. | |
ftp | jsonb | FTP services running on the default port 21/TCP. If the FTP service supports STARTTLS then the starttls tag will be added to the list of tags on the banner and it will also have a top-level ssl property which contains the certificate, SSL testing results and more. | |
hash | bigint | Numeric hash of the data property. | |
hive | jsonb | Devices running Apache Hive servers on any port that Shodan crawls. | |
http | jsonb | The banner was generated by a HTTP module (http, https, http-simple-new, https-simple-new) and successfully completed a HTTP handshake. | |
influxdb | jsonb | Devices running InfluxDB time-series database. | |
info | text | Miscellaneous information that was extracted about the product. | |
ip | inet | = | The IP address of the host as a string. |
ipv6 | text | The IPv6 address of the host as a string. | |
isakmp | jsonb | VPN services that use the ISAKMP protocol (such as IKE). | |
lantronix | jsonb | Lantronix devices that are running the configuration service. | |
link | text | The network link type. Possible values are: "Ethernet or modem", "generic tunnel or VPN", "DSL", "IPIP or SIT", "SLIP", "IPSec or GRE", "VLAN", "jumbo Ethernet", "Google", "GIF", "PPTP", "loopback", "AX.25 radio modem". | |
minecraft | jsonb | Devices running the Minecraft game server. | |
monero | jsonb | If the Monero RPC service is enabled and accepting remote connections. Most results are on port 18081, but it can also be available on other ports. | |
mongodb | jsonb | MongoDB services that support the binary protocol to interact with the database. | |
mqtt | jsonb | MQTT services that allow remote connections. | |
netbios | jsonb | Services that run on port 137 and complete a NetBIOS handshake. | |
ntp | jsonb | NTP daemons supporting at least version 1 or version 2. | |
opts | jsonb | Contains experimental and supplemental data for the service. This can include the SSL certificate, robots.txt and other raw information that hasn't yet been formalized into the Banner Specification. | |
port | bigint | Port number that the service is operating on. | |
product | text | Name of the software running the service. | |
redis | jsonb | Redis services running on the default port 6379/TCP. | |
rip | jsonb | Services on port 520 that successfully respond to a RIP request. | |
rsync | jsonb | rsync service information. | |
shodan | jsonb | Information about how the banner was generated. It doesn’t store any data about the port/service itself. | |
smb | jsonb | Services that run on port 445 and support either SMBv1 or SMBv2. | |
snmp | jsonb | Any banner generated by the snmp module (typically on 161/UDP). | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
ssh | jsonb | Any service banner where the initial response starts with “SSH” and subsequently completes a SSH handshake. | |
ssl | jsonb | Services that require SSL (ex. HTTPS) or support upgrading a connection to SSL/TLS (ex. POP3 with STARTTLS). | |
timestamp | timestamp with time zone | The timestamp for when the banner was fetched from the device. | |
title | text | Title of the website as extracted from the HTML source. | |
transport | text | Uptime of the IP (in minutes). | |
uptime | bigint | Uptime of the IP (in minutes). | |
version | text | Version of the software running the service. | |
vertx | jsonb | Devices running the VertX/Edge door controllers. | |
vulns | jsonb | The vulns property contains information about vulnerabilities that may exist in the service represented by the banner. In general, the Shodan crawlers don’t perform vulnerability testing as a result the vulnerabilities stored in vulns are inferred from the banner and haven’t been verified. Availability: Banners where the software/version has been identified and there exist known CVEs for it. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- shodan
You can pass the configuration to the command with the --config
argument:
steampipe_export_shodan --config '<your_config>' shodan_host_service