Table: shodan_search - Query Shodan Search Results using SQL
Shodan is a search engine for internet-connected devices. It provides a way to discover devices, where they are located and who is using them. Shodan is used for various purposes including cybersecurity research, software development, and educational research.
Table Usage Guide
The `shodan_search` table provides insights into internet-connected devices as indexed by Shodan. As a cybersecurity analyst, explore device-specific details through this table, including IP addresses, hostnames, and potential vulnerabilities. Use it to uncover information about devices, such as their geographic location, the software they are running, and their exposure to potential cyber threats.
Important Notes
- You must specify the `query` column in the `where` clause to query this table. The value is a Shodan search string (for example `net:`, `org:`, `os:` or `port:` filters) and is the only condition pushed down to the Shodan API; any other condition in the `where` clause is applied by Postgres to the rows Shodan returns.
Examples
List all services for a network range
Explore all the services associated with a specific network range. This is useful for gaining insights into the various operations within a particular network segment, helping to better manage and secure your network infrastructure.
```sql
select * from shodan_search where query = 'net:34.98.0.0/26';
```
Find all Windows XP hosts
Find hosts that Shodan identifies as running Windows XP, an end-of-life operating system that no longer receives security updates. Combine the `os:` filter with `net:` or `org:` to scope the search to your own address space.
```sql
select * from shodan_search where query = 'os:"windows xp"';
```
Find all services for the GitHub organization
Discover all the services associated with a particular organization, in this case, GitHub. This is useful for gaining insights into the various services that an organization utilizes or is associated with.
```sql
select * from shodan_search where query = 'org:"GitHub"';
```
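The examples above all return every column. The following query is an added example, not one from the Steampipe documentation or the shodan plugin itself: it triages a network range by pulling the fields an analyst actually reads out of the `jsonb` columns (country from `location`, the `hostnames` array, and the CVE IDs Shodan inferred from the banner in `vulns`) and keeps only services with at least one inferred CVE. The `net:` range is a constructed sample block, and the `location` key name (`country_code`) and the shape of `vulns` (a JSON object keyed by CVE ID) are assumed from Shodan's banner specification rather than stated on this page.

```sql
-- Added example (not from the Steampipe docs or the shodan plugin).
-- Only the Shodan filter string in `query` is sent to the Shodan API;
-- every other condition here is evaluated by Postgres on the returned rows.
-- The address block below is a constructed sample; substitute your own.
--
-- Assumption: `vulns` is a JSON object keyed by CVE ID (Shodan banner spec).
-- If your plugin version returns an array of CVE strings instead, replace
-- jsonb_object_keys(vulns) with jsonb_array_elements_text(vulns).
select
  host(ip)                               as ip,
  port,
  transport,
  product,
  version,
  location ->> 'country_code'            as country,   -- assumed key name
  -- collapse the hostnames array into one comma-separated string
  (
    select string_agg(h, ', ')
    from jsonb_array_elements_text(hostnames) as h
  )                                      as hostnames,
  -- CVEs Shodan inferred from the banner; unverified, see the vulns column note
  (
    select string_agg(cve, ', ' order by cve)
    from jsonb_object_keys(vulns) as cve
  )                                      as inferred_cves
from
  shodan_search
where
  query = 'net:34.98.0.0/26'
  and vulns is not null           -- applied locally, after the API call
order by
  port,
  ip;
```

Because the `vulns` column is inferred from banner text and never verified by Shodan, treat `inferred_cves` as a prioritisation hint for your own scanning, not as confirmed findings.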
Schema for shodan_search
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
asn | text | | The autonomous system number (ex. AS4837). |
banners | jsonb | | TODO |
cassandra | jsonb | | Cassandra database services that allow connections to the client Thrift port (default: 9160/tcp). |
coap | jsonb | | Devices running the CoAP IoT protocol service. |
cpe | jsonb | | Common Platform Enumeration. |
db2 | jsonb | | Services running the IBM DB2 DRDA protocol. |
devicetype | text | | The type of device (webcam, router, etc.). |
dns | jsonb | | DNS servers that support either UDP or TCP (typically on port 53). |
docker | jsonb | | Docker services that allow remote connections and don't have authentication enabled. |
domains | jsonb | | An array of strings containing the top-level domains for the hostnames of the device. |
elastic | jsonb | | The elastic property is available in banners that are identified as belonging to an Elastic service. |
etcd | jsonb | | The etcd service provides a distributed key/value store used by projects such as Kubernetes. Ports that are running the etcd service. |
ethernet_ip | jsonb | | Devices that complete a handshake in either TCP or UDP for the industrial Ethernet/IP protocol. |
ftp | jsonb | | FTP services running on the default port 21/TCP. If the FTP service supports STARTTLS then the starttls tag will be added to the list of tags on the banner and it will also have a top-level ssl property which contains the certificate, SSL testing results and more. |
hash | bigint | | Numeric hash of the data property. |
hive | jsonb | | Devices running Apache Hive servers on any port that Shodan crawls. |
hostnames | jsonb | | An array of strings containing all of the hostnames that have been assigned to the IP address for this device. |
http | jsonb | | The banner was generated by an HTTP module (http, https, http-simple-new, https-simple-new) and successfully completed an HTTP handshake. |
influxdb | jsonb | | Devices running the InfluxDB time-series database. |
info | text | | Miscellaneous information that was extracted about the product. |
ip | inet | | The IP address of the host. |
ipv6 | text | | The IPv6 address of the host as a string. |
isakmp | jsonb | | VPN services that use the ISAKMP protocol (such as IKE). |
isp | text | | The ISP that is providing the organization with the IP space for this device. Consider this the "parent" of the organization in terms of IP ownership. |
lantronix | jsonb | | Lantronix devices that are running the configuration service. |
link | text | | The network link type. Possible values are: "Ethernet or modem", "generic tunnel or VPN", "DSL", "IPIP or SIT", "SLIP", "IPSec or GRE", "VLAN", "jumbo Ethernet", "Google", "GIF", "PPTP", "loopback", "AX.25 radio modem". |
location | jsonb | | Location of the host. |
minecraft | jsonb | | Devices running the Minecraft game server. |
monero | jsonb | | If the Monero RPC service is enabled and accepting remote connections. Most results are on port 18081, but it can also be available on other ports. |
mongodb | jsonb | | MongoDB services that support the binary protocol to interact with the database. |
mqtt | jsonb | | MQTT services that allow remote connections. |
netbios | jsonb | | Services that run on port 137 and complete a NetBIOS handshake. |
ntp | jsonb | | NTP daemons supporting at least version 1 or version 2. |
org | text | | The name of the organization that is assigned the IP space for this device. |
os | text | | The operating system that powers the device. |
port | bigint | | Port number that the service is operating on. |
ports | jsonb | | Open ports for the IP. |
product | text | | Name of the software running the service. |
query | text | = | Shodan search query string. Required, and the only column pushed down to the Shodan API. |
redis | jsonb | | Redis services running on the default port 6379/TCP. |
rip | jsonb | | Services on port 520 that successfully respond to a RIP request. |
rsync | jsonb | | rsync service information. |
shodan | jsonb | | Information about how the banner was generated. It doesn't store any data about the port/service itself. |
smb | jsonb | | Services that run on port 445 and support either SMBv1 or SMBv2. |
snmp | jsonb | | Any banner generated by the snmp module (typically on 161/UDP). |
ssh | jsonb | | Any service banner where the initial response starts with "SSH" and subsequently completes an SSH handshake. |
ssl | jsonb | | Services that require SSL (ex. HTTPS) or support upgrading a connection to SSL/TLS (ex. POP3 with STARTTLS). |
tags | jsonb | | List of tags that describe the characteristics of the device. |
timestamp | timestamp with time zone | | The timestamp for when the banner was fetched from the device. |
title | text | | Title of the website as extracted from the HTML source. |
transport | text | | Transport protocol of the service (tcp or udp). |
uptime | bigint | | Uptime of the IP (in minutes). |
version | text | | Version of the software running the service. |
vertx | jsonb | | Devices running the VertX/Edge door controllers. |
vulns | jsonb | | The vulns property contains information about vulnerabilities that may exist in the service represented by the banner. The Shodan crawlers don't perform vulnerability testing, so the vulnerabilities stored in vulns are inferred from the banner and haven't been verified. Availability: banners where the software/version has been identified and there exist known CVEs for it. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script. As with any curl-to-shell installer, download and inspect the script before running it:
```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- shodan
```
You can pass the configuration to the command with the --config argument. The configuration string holds the plugin connection settings, including your Shodan API key, so keep it out of shell history and logs:
```sh
steampipe_export_shodan --config '<your_config>' shodan_search
```