Recon-ng

Introduction

This guide explains how to use Recon-ng framework modules that integrate with the Shodan search engine. These modules allow you to leverage Shodan's vast database of internet-connected devices to discover hosts, netblocks, and other information related to your target, all from within the Recon-ng console.

Prerequisites

  1. Recon-ng Framework Installed: You need to have Recon-ng installed on your system.
  2. Shodan API Key: You'll need a Shodan API key. You can get one by signing up on the Shodan website.

Initial Setup: Adding the API Key

Before using any Shodan modules, you must add your API key to the Recon-ng keystore. This is a one-time setup.

  1. Launch Recon-ng:
    $ recon-ng
  2. Add the key:
    [recon-ng][default] > keys add shodan_api YOUR_API_KEY_HERE
    Result:
    [*] Key 'shodan_api' added.

Available Shodan Modules in Recon-ng

Recon-ng has several modules that leverage the Shodan API to gather information. Here are some of the key modules:

  • recon/companies-multi/shodan_org: Gathers information about companies.
  • recon/domains-hosts/shodan_hostname: Finds hosts related to a domain.
  • recon/hosts-ports/shodan_ip: Discovers open ports and services on a host.
  • recon/locations-pushpins/shodan: Gathers location-based data.
  • recon/netblocks-hosts/shodan_net: Finds hosts within a specific netblock.

To install these modules, use the following:

[recon-ng][default] > marketplace install shodan
[*] Module installed: recon/companies-multi/shodan_org
[*] Module installed: recon/domains-hosts/shodan_hostname
[*] Module installed: recon/hosts-ports/shodan_ip
[*] Module installed: recon/locations-pushpins/shodan
[*] Module installed: recon/netblocks-hosts/shodan_net
[*] Reloading modules...

Usage

This section details how to use specific Shodan-related reconnaissance modules. As a best practice, start by creating a workspace for the session.

[recon-ng][default] > workspaces create example_shodan

1. Finding Hosts by Domain (recon/domains-hosts/shodan_hostname)

This module queries Shodan for hosts that match a given domain name.

  1. Add a domain to the domains table:

    [recon-ng][example_shodan] > db insert domains
    domain (TEXT): medium.com
    notes (TEXT):
    [*] 1 row affected.
  2. Load the Module:

    [recon-ng][example_shodan] > modules load shodan_hostname
  3. Run the Module:

    [recon-ng][example_shodan][shodan_hostname] > run
  4. View the Results:

    [recon-ng][example_shodan][shodan_hostname] > show hosts

2. Finding Hosts by Netblock (recon/netblocks-hosts/shodan_net)

This module allows you to find all hosts that Shodan has cataloged within a specific network range (CIDR notation).

  1. Add a netblock to the netblocks table:

    [recon-ng][example_shodan] > db insert netblocks
    netblock (TEXT): 1.1.1.0/28
    notes (TEXT):
    [*] 1 row affected.
  2. Load the Module:

    [recon-ng][example_shodan] > modules load shodan_net
  3. Run the Module:

    [recon-ng][example_shodan][shodan_net] > run
  4. View the Results:

    [recon-ng][example_shodan][shodan_net] > show hosts
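
Once both modules have run, the hosts table mixes results from the domain search and the netblock search, and a domain search can return addresses outside the ranges you recorded. The following is an added example, not part of Recon-ng or of this guide, that sorts discovered hosts by whether they fall inside the recorded netblocks. It assumes the workspace database is SQLite with `hosts` and `netblocks` tables using the column names shown (an assumption); the helper names and all sample rows are constructed.

```python
import ipaddress
import sqlite3


def build_sample_db():
    """Constructed in-memory stand-in for a workspace database (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE netblocks (netblock TEXT, notes TEXT, module TEXT);
        CREATE TABLE hosts (host TEXT, ip_address TEXT, notes TEXT, module TEXT);
    """)
    db.execute("INSERT INTO netblocks VALUES ('192.0.2.0/28', NULL, 'user_defined')")
    db.executemany("INSERT INTO hosts VALUES (?, ?, NULL, ?)", [
        ("www.example.com", "192.0.2.5", "shodan_hostname"),
        ("cdn.example.com", "198.51.100.20", "shodan_hostname"),  # outside the netblock
        (None, "192.0.2.14", "shodan_net"),
        ("old.example.com", None, "shodan_hostname"),              # no IP recorded
        ("bad.example.com", "not-an-ip", "shodan_hostname"),       # malformed value
    ])
    return db


def classify_hosts(db):
    """Split hosts rows into in_scope, out_of_scope and unresolved buckets."""
    scope = [ipaddress.ip_network(row[0], strict=False)
             for row in db.execute("SELECT netblock FROM netblocks")]
    result = {"in_scope": [], "out_of_scope": [], "unresolved": []}
    query = "SELECT host, ip_address, module FROM hosts ORDER BY rowid"
    for host, ip, module in db.execute(query):
        try:
            addr = ipaddress.ip_address(ip) if ip else None
        except ValueError:
            addr = None  # keep malformed rows visible instead of dropping them
        if addr is None:
            bucket = "unresolved"
        elif any(addr in net for net in scope):
            bucket = "in_scope"
        else:
            bucket = "out_of_scope"
        result[bucket].append((host, ip, module))
    return result


if __name__ == "__main__":
    for bucket, rows in classify_hosts(build_sample_db()).items():
        print(bucket, rows)
```

To run it against a real workspace, pass `classify_hosts` a `sqlite3` connection to that workspace's database file instead of the sample database.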