
Metasploit

Introduction

This guide explains how to use the Metasploit Framework modules that integrate with the Shodan search engine. These modules let you gather host-specific information and perform broad Shodan searches, all from within the Metasploit console.

Prerequisites

  1. Metasploit Framework Installed: You need to have Metasploit installed on your system.
  2. Shodan API Key: You'll need a Shodan API key. You can get one by signing up on the Shodan website. A free tier is available, but paid plans offer more credits and capabilities.

Usage

This section details how to use specific Shodan-related auxiliary modules.

1. Gathering Host-Specific Open Ports (auxiliary/gather/shodan_host)

Purpose: To show only the open ports of a specific IP address using Shodan.

Key Options:

  • SHODAN_APIKEY: Your Shodan API key. Required.
  • RHOSTS: The target IP address you want to query. Required.
  • Proxies: Proxy chain (e.g., http:host:port,socks5:host:port). Optional.

Step-by-Step Usage:

  1. Load the Module:

    msf6 > use auxiliary/gather/shodan_host
  2. View Options:

    msf6 auxiliary(gather/shodan_host) > show options
  3. Set Required Options:

    msf6 auxiliary(gather/shodan_host) > set SHODAN_APIKEY YOUR_API_KEY_HERE
    msf6 auxiliary(gather/shodan_host) > set RHOSTS TARGET_IP_ADDRESS

    (Replace TARGET_IP_ADDRESS with the actual IP, e.g., 8.8.8.8)

  4. Run the Module:

    msf6 auxiliary(gather/shodan_host) > run

    Result:

    [*] Running module against 8.8.8.8
    [+] 8.8.8.8:443
    [+] 8.8.8.8:53
    [*] Auxiliary module execution completed
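
When the module is run against your own address space, the `[+] IP:PORT` lines it prints can be compared with the ports each host is meant to expose. The following is an added example, not part of Metasploit or of the original guide: the function names, the sample log and the baseline are constructed for illustration, and it assumes the console output was saved as plain text (for instance with msfconsole's `spool` command).

```python
import re
from collections import defaultdict

# Line formats as shown in the shodan_host result above.
HIT = re.compile(r"^\s*\[\+\]\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")
TARGET = re.compile(r"^\s*\[\*\]\s+Running module against\s+(\S+)")

def parse_shodan_host(log_text):
    """Return {ip: set(ports)} from captured shodan_host console output."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        t = TARGET.match(line)
        if t:
            seen[t.group(1)]  # keep hosts for which Shodan lists no ports
            continue
        m = HIT.match(line)
        if m and 0 < int(m.group(2)) <= 65535:
            seen[m.group(1)].add(int(m.group(2)))
    return dict(seen)

def exposure_drift(seen, baseline):
    """Diff the ports Shodan has indexed against the intended exposure."""
    report = {}
    for ip in sorted(set(seen) | set(baseline)):
        found, allowed = seen.get(ip, set()), baseline.get(ip, set())
        unexpected, not_indexed = found - allowed, allowed - found
        if unexpected or not_indexed:
            report[ip] = {"unexpected": sorted(unexpected),
                          "not_indexed": sorted(not_indexed)}
    return report

# Constructed sample output (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
[*] Running module against 192.0.2.10
[+] 192.0.2.10:443
[+] 192.0.2.10:3389
[*] Running module against 198.51.100.7
[+] 198.51.100.7:22
[*] Running module against 203.0.113.5
[*] Auxiliary module execution completed
"""
# Constructed baseline: ports each host is supposed to expose to the internet.
BASELINE = {"192.0.2.10": {80, 443}, "198.51.100.7": {22}, "203.0.113.5": set()}

if __name__ == "__main__":
    for ip, diff in exposure_drift(parse_shodan_host(SAMPLE_LOG), BASELINE).items():
        print(ip, diff)
```

An `unexpected` port is one Shodan has indexed that the baseline does not allow; `not_indexed` only means Shodan has no record of it, not that the port is closed.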

2. Searching Shodan (auxiliary/gather/shodan_search)

This module allows you to perform Shodan searches using Shodan's search query syntax directly from Metasploit. This is how you can "search Shodan" for various devices, services, or vulnerabilities.

Purpose: To find internet-connected devices based on specific search criteria (Shodan dorks).

Key Options:

  • SHODAN_APIKEY: Your Shodan API key. Required.
  • QUERY: The Shodan search query string (e.g., "nginx", "port:22 country:US", "vuln:CVE-2020-0796"). Required.
  • MAXPAGE: (Optional) Maximum number of result pages to retrieve (default is 1). Shodan limits results per page.
  • OUTFILE: (Optional) File to save the search results (often in JSONL - JSON Lines format).
  • REGEX: (Optional) Regex search for a specific IP/City/Country/Hostname.

Step-by-Step Usage:

  1. Load the Module:

    msf6 > use auxiliary/gather/shodan_search
  2. View Options (Crucial for QUERY syntax and other settings):

    msf6 auxiliary(gather/shodan_search) > show options
  3. Set Required Options:

    msf6 auxiliary(gather/shodan_search) > set SHODAN_APIKEY YOUR_API_KEY_HERE
    msf6 auxiliary(gather/shodan_search) > set QUERY "apache country:DE"

    (This example query searches for Apache servers in Germany.)

  4. (Optional) Set Other Options: For example, to save results to a file and get more pages:

    msf6 auxiliary(gather/shodan_search) > set MAXPAGE 5
    msf6 auxiliary(gather/shodan_search) > set OUTFILE /path/to/shodan_search_results.jsonl
  5. Run the Module:

    msf6 auxiliary(gather/shodan_search) > run

    The module will output a list of IPs and associated data matching your query.

    Result:

    [*] Total: 1667113 on 16672 pages. Showing: 5 page(s)
    [*] Collecting data, please wait...
    Search Results
    ==============
    IP:Port              City               Country  Hostname
    -------              ----               -------  --------
    103.147.104.242:80   Frankfurt am Main  Germany  mail.tp3003.mailrcld.com
    116.202.181.235:443  Nürnberg           Germany  rose-plastic.kr
    116.203.112.14:443   Nürnberg           Germany  xibo.smpmedia.net
    116.203.84.229:443   Nürnberg           Germany  static.229.84.203.116.clients.your-server.de

Example: Finding Vulnerable Webcams (Conceptual)

Using shodan_search, you could look for webcams with specific banners:

msf6 auxiliary(gather/shodan_search) > set QUERY has_screenshot:true HTTP
msf6 auxiliary(gather/shodan_search) > run
[*] Total: 38316 on 384 pages. Showing: 1 page(s)
[*] Collecting data, please wait...
Search Results
==============
IP:Port              City         Country             Hostname
-------              ----         -------             --------
107.91.189.76:443    Alpharetta   United States
109.190.32.150:81    Amiens       France              150-32-190-109.dsl.ovh.fr
109.196.131.14:82    Chaykovskiy  Russian Federation
110.4.178.160:12335  Tokyo        Japan               z178160.ppp.asahi-net.or.jp
110.4.178.160:12521  Tokyo        Japan               z178160.ppp.asahi-net.or.jp
110.4.178.160:285    Tokyo        Japan               z178160.ppp.asahi-net.or.jp
110.4.178.160:5227   Tokyo        Japan               z178160.ppp.asahi-net.or.jp