[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-9f57626f-c37b-4fcb-8c09-a62c3bd6f6cd":3,"$fXm_B_e5UnTSrubt7r_40rwwR3OBFJFpjSgwoRrXLJ1I":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"9f57626f-c37b-4fcb-8c09-a62c3bd6f6cd","shodan-reconnaissance","Provides a systematic methodology for using Shodan as a reconnaissance tool in penetration testing.","cat_life_career","mod_other","sickn33,other","---\nname: shodan-reconnaissance\ndescription: \"Provide systematic methodologies for leveraging Shodan as a reconnaissance tool during penetration testing engagements.\"\nrisk: unknown\nsource: community\nauthor: zebbern\ndate_added: \"2026-02-27\"\n---\n\n# Shodan Reconnaissance and Pentesting\n\n## Purpose\n\nProvide systematic methodologies for leveraging Shodan as a reconnaissance tool during penetration testing engagements. This skill covers the Shodan web interface, command-line interface (CLI), REST API, search filters, on-demand scanning, and network monitoring capabilities for discovering exposed services, vulnerable systems, and IoT devices.\n\n## Inputs \u002F Prerequisites\n\n- **Shodan Account**: Free or paid account at shodan.io\n- **API Key**: Obtained from Shodan account dashboard\n- **Target Information**: IP addresses, domains, or network ranges to investigate\n- **Shodan CLI**: Python-based command-line tool installed\n- **Authorization**: Written permission for reconnaissance on target networks\n\n## Outputs \u002F Deliverables\n\n- **Asset Inventory**: List of discovered hosts, ports, and services\n- **Vulnerability Report**: Identified CVEs and exposed vulnerable services\n- **Banner Data**: Service banners revealing software versions\n- **Network Mapping**: Geographic and organizational distribution of assets\n- **Screenshot Gallery**: Visual reconnaissance of exposed interfaces\n- **Exported Data**: 
JSON\u002FCSV files for further analysis\n\n## Core Workflow\n\n### 1. Setup and Configuration\n\n#### Install Shodan CLI\n```bash\n# Using pip\npip install shodan\n\n# Or easy_install\neasy_install shodan\n\n# On BlackArch\u002FArch Linux\nsudo pacman -S python-shodan\n```\n\n#### Initialize API Key\n```bash\n# Set your API key\nshodan init YOUR_API_KEY\n\n# Verify setup\nshodan info\n# Output: Query credits available: 100\n#         Scan credits available: 100\n```\n\n#### Check Account Status\n```bash\n# View credits and plan info\nshodan info\n\n# Check your external IP\nshodan myip\n\n# Check CLI version\nshodan version\n```\n\n### 2. Basic Host Reconnaissance\n\n#### Query Single Host\n```bash\n# Get all information about an IP\nshodan host 1.1.1.1\n\n# Example output:\n# 1.1.1.1\n# Hostnames: one.one.one.one\n# Country: Australia\n# Organization: Mountain View Communications\n# Number of open ports: 3\n# Ports:\n#   53\u002Fudp\n#   80\u002Ftcp\n#   443\u002Ftcp\n```\n\n#### Check if Host is Honeypot\n```bash\n# Get honeypot probability score\nshodan honeyscore 192.168.1.100\n\n# Output: Not a honeypot\n#         Score: 0.3\n```\n\n### 3. 
Search Queries\n\n#### Basic Search (Free)\n```bash\n# Simple keyword search (no credits consumed)\nshodan search apache\n\n# Specify output fields\nshodan search --fields ip_str,port,os smb\n```\n\n#### Filtered Search (1 Credit)\n```bash\n# Product-specific search\nshodan search product:mongodb\n\n# Search with multiple filters\nshodan search product:nginx country:US city:\"New York\"\n```\n\n#### Count Results\n```bash\n# Get result count without consuming credits\nshodan count openssh\n# Output: 23128\n\nshodan count openssh 7\n# Output: 219\n```\n\n#### Download Results\n```bash\n# Download 1000 results (default)\nshodan download results.json.gz \"apache country:US\"\n\n# Download specific number of results\nshodan download --limit 5000 results.json.gz \"nginx\"\n\n# Download all available results\nshodan download --limit -1 all_results.json.gz \"query\"\n```\n\n#### Parse Downloaded Data\n```bash\n# Extract specific fields from downloaded data\nshodan parse --fields ip_str,port,hostnames results.json.gz\n\n# Filter by specific criteria\nshodan parse --fields location.country_code3,ip_str -f port:22 results.json.gz\n\n# Export to CSV format\nshodan parse --fields ip_str,port,org --separator , results.json.gz > results.csv\n```\n\n### 4. 
Search Filters Reference\n\n#### Network Filters\n```\nip:1.2.3.4                  # Specific IP address\nnet:192.168.0.0\u002F24          # Network range (CIDR)\nhostname:example.com        # Hostname contains\nport:22                     # Specific port\nasn:AS15169                 # Autonomous System Number\n```\n\n#### Geographic Filters\n```\ncountry:US                  # Two-letter country code\ncountry:\"United States\"     # Full country name\ncity:\"San Francisco\"        # City name\nstate:CA                    # State\u002Fregion\npostal:94102                # Postal\u002FZIP code\ngeo:37.7,-122.4             # Lat\u002Flong coordinates\n```\n\n#### Organization Filters\n```\norg:\"Google\"                # Organization name\nisp:\"Comcast\"               # ISP name\n```\n\n#### Service\u002FProduct Filters\n```\nproduct:nginx               # Software product\nversion:1.14.0              # Software version\nos:\"Windows Server 2019\"    # Operating system\nhttp.title:\"Dashboard\"      # HTTP page title\nhttp.html:\"login\"           # HTML content\nhttp.status:200             # HTTP status code\nssl.cert.subject.cn:*.example.com  # SSL certificate\nssl:true                    # Has SSL enabled\n```\n\n#### Vulnerability Filters\n```\nvuln:CVE-2019-0708          # Specific CVE\nhas_vuln:true               # Has any vulnerability\n```\n\n#### Screenshot Filters\n```\nhas_screenshot:true         # Has screenshot available\nscreenshot.label:webcam     # Screenshot type\n```\n\n### 5. 
On-Demand Scanning\n\n#### Submit Scan\n```bash\n# Scan single IP (1 credit per IP)\nshodan scan submit 192.168.1.100\n\n# Scan with verbose output (shows scan ID)\nshodan scan submit --verbose 192.168.1.100\n\n# Scan and save results\nshodan scan submit --filename scan_results.json.gz 192.168.1.100\n```\n\n#### Monitor Scan Status\n```bash\n# List recent scans\nshodan scan list\n\n# Check specific scan status\nshodan scan status SCAN_ID\n\n# Download scan results later\nshodan download --limit -1 results.json.gz scan:SCAN_ID\n```\n\n#### Available Scan Protocols\n```bash\n# List available protocols\u002Fmodules\nshodan scan protocols\n```\n\n### 6. Statistics and Analysis\n\n#### Get Search Statistics\n```bash\n# Default statistics (top 10 countries, orgs)\nshodan stats nginx\n\n# Custom facets\nshodan stats --facets domain,port,asn --limit 5 nginx\n\n# Save to CSV\nshodan stats --facets country,org -O stats.csv apache\n```\n\n### 7. Network Monitoring\n\n#### Setup Alerts (Web Interface)\n```\n1. Navigate to Monitor Dashboard\n2. Add IP, range, or domain to monitor\n3. Configure notification service (email, Slack, webhook)\n4. Select trigger events (new service, vulnerability, etc.)\n5. View dashboard for exposed services\n```\n\n### 8. 
REST API Usage\n\n#### Direct API Calls\n```bash\n# Get API info\ncurl -s \"https:\u002F\u002Fapi.shodan.io\u002Fapi-info?key=YOUR_KEY\" | jq\n\n# Host lookup\ncurl -s \"https:\u002F\u002Fapi.shodan.io\u002Fshodan\u002Fhost\u002F1.1.1.1?key=YOUR_KEY\" | jq\n\n# Search query\ncurl -s \"https:\u002F\u002Fapi.shodan.io\u002Fshodan\u002Fhost\u002Fsearch?key=YOUR_KEY&query=apache\" | jq\n```\n\n#### Python Library\n```python\nimport shodan\n\napi = shodan.Shodan('YOUR_API_KEY')\n\n# Search\nresults = api.search('apache')\nprint(f'Results found: {results[\"total\"]}')\nfor result in results['matches']:\n    print(f'IP: {result[\"ip_str\"]}')\n\n# Host lookup\nhost = api.host('1.1.1.1')\nprint(f'IP: {host[\"ip_str\"]}')\nprint(f'Organization: {host.get(\"org\", \"n\u002Fa\")}')\nfor item in host['data']:\n    print(f'Port: {item[\"port\"]}')\n```\n\n## Quick Reference\n\n### Essential CLI Commands\n\n| Command | Description | Credits |\n|---------|-------------|---------|\n| `shodan init KEY` | Initialize API key | 0 |\n| `shodan info` | Show account info | 0 |\n| `shodan myip` | Show your IP | 0 |\n| `shodan host IP` | Host details | 0 |\n| `shodan count QUERY` | Result count | 0 |\n| `shodan search QUERY` | Basic search | 0* |\n| `shodan download FILE QUERY` | Save results | 1\u002F100 results |\n| `shodan parse FILE` | Extract data | 0 |\n| `shodan stats QUERY` | Statistics | 1 |\n| `shodan scan submit IP` | On-demand scan | 1\u002FIP |\n| `shodan honeyscore IP` | Honeypot check | 0 |\n\n*Filters consume 1 credit per query\n\n### Common Search Queries\n\n| Purpose | Query |\n|---------|-------|\n| Find webcams | `webcam has_screenshot:true` |\n| MongoDB databases | `product:mongodb` |\n| Redis servers | `product:redis` |\n| Elasticsearch | `product:elastic port:9200` |\n| Default passwords | `\"default password\"` |\n| Vulnerable RDP | `port:3389 vuln:CVE-2019-0708` |\n| Industrial systems | `port:502 modbus` |\n| Cisco devices | `product:cisco` |\n| Open VNC | 
`port:5900 authentication disabled` |\n| Exposed FTP | `port:21 anonymous` |\n| WordPress sites | `http.component:wordpress` |\n| Printers | `\"HP-ChaiSOE\" port:80` |\n| Cameras (RTSP) | `port:554 has_screenshot:true` |\n| Jenkins servers | `X-Jenkins port:8080` |\n| Docker APIs | `port:2375 product:docker` |\n\n### Useful Filter Combinations\n\n| Scenario | Query |\n|---------|-------|\n| Target org recon | `org:\"Company Name\"` |\n| Domain enumeration | `hostname:example.com` |\n| Network range scan | `net:192.168.0.0\u002F24` |\n| SSL cert search | `ssl.cert.subject.cn:*.target.com` |\n| Vulnerable servers | `vuln:CVE-2021-44228 country:US` |\n| Exposed admin panels | `http.title:\"admin\" port:443` |\n| Database exposure | `port:3306,5432,27017,6379` |\n\n### Credit System\n\n| Action | Credit Type | Cost |\n|--------|-------------|------|\n| Basic search | Query | 0 (no filters) |\n| Filtered search | Query | 1 |\n| Download 100 results | Query | 1 |\n| Generate report | Query | 1 |\n| Scan 1 IP | Scan | 1 |\n| Network monitoring | Monitored IPs | Depends on plan |\n\n## Constraints and Limitations\n\n### Operational Boundaries\n- Rate limited to 1 request per second\n- Scan results not immediate (asynchronous)\n- Cannot re-scan same IP within 24 hours (non-Enterprise)\n- Free accounts have limited credits\n- Some data requires paid subscription\n\n### Data Freshness\n- Shodan crawls continuously but data may be days\u002Fweeks old\n- On-demand scans provide current data but cost credits\n- Historical data available with paid plans\n\n### Legal Requirements\n- Only perform reconnaissance on authorized targets\n- Passive reconnaissance generally legal but verify jurisdiction\n- Active scanning (scan submit) requires authorization\n- Document all reconnaissance activities\n\n## Examples\n\n### Example 1: Organization Reconnaissance\n```bash\n# Find all hosts belonging to target organization\nshodan search 'org:\"Target Company\"'\n\n# Get statistics on their 
infrastructure\nshodan stats --facets port,product,country 'org:\"Target Company\"'\n\n# Download detailed data\nshodan download target_data.json.gz 'org:\"Target Company\"'\n\n# Parse for specific info\nshodan parse --fields ip_str,port,product target_data.json.gz\n```\n\n### Example 2: Vulnerable Service Discovery\n```bash\n# Find hosts vulnerable to BlueKeep (RDP CVE)\nshodan search 'vuln:CVE-2019-0708 country:US'\n\n# Find exposed Elasticsearch with no auth\nshodan search 'product:elastic port:9200 -authentication'\n\n# Find Log4j vulnerable systems\nshodan search 'vuln:CVE-2021-44228'\n```\n\n### Example 3: IoT Device Discovery\n```bash\n# Find exposed webcams\nshodan search 'webcam has_screenshot:true country:US'\n\n# Find industrial control systems\nshodan search 'port:502 product:modbus'\n\n# Find exposed printers\nshodan search '\"HP-ChaiSOE\" port:80'\n\n# Find smart home devices\nshodan search 'product:nest'\n```\n\n### Example 4: SSL\u002FTLS Certificate Analysis\n```bash\n# Find hosts with specific SSL cert\nshodan search 'ssl.cert.subject.cn:*.example.com'\n\n# Find expired certificates\nshodan search 'ssl.cert.expired:true org:\"Company\"'\n\n# Find self-signed certificates\nshodan search 'ssl.cert.issuer.cn:self-signed'\n```\n\n### Example 5: Python Automation Script\n```python\n#!\u002Fusr\u002Fbin\u002Fenv python3\nimport shodan\nimport json\n\nAPI_KEY = 'YOUR_API_KEY'\napi = shodan.Shodan(API_KEY)\n\ndef recon_organization(org_name):\n    \"\"\"Perform reconnaissance on an organization\"\"\"\n    try:\n        # Search for organization\n        query = f'org:\"{org_name}\"'\n        results = api.search(query)\n        \n        print(f\"[*] Found {results['total']} hosts for {org_name}\")\n        \n        # Collect unique IPs and ports\n        hosts = {}\n        for result in results['matches']:\n            ip = result['ip_str']\n            port = result['port']\n            product = result.get('product', 'unknown')\n            \n        
    if ip not in hosts:\n                hosts[ip] = []\n            # Keep the banner's transport (tcp or udp) so UDP services are not reported as TCP\n            hosts[ip].append({'port': port, 'transport': result.get('transport', 'tcp'), 'product': product})\n        \n        # Output findings\n        for ip, services in hosts.items():\n            print(f\"\\n[+] {ip}\")\n            for svc in services:\n                print(f\"    - {svc['port']}\u002F{svc['transport']} ({svc['product']})\")\n        \n        return hosts\n        \n    except shodan.APIError as e:\n        print(f\"Error: {e}\")\n        return None\n\nif __name__ == '__main__':\n    recon_organization(\"Target Company\")\n```\n\n### Example 6: Network Range Assessment\n```bash\n# Query Shodan's indexed data for a \u002F24 network range\nshodan search 'net:192.168.1.0\u002F24'\n\n# Get port distribution\nshodan stats --facets port 'net:192.168.1.0\u002F24'\n\n# Find specific vulnerabilities in range\nshodan search 'net:192.168.1.0\u002F24 vuln:CVE-2021-44228'\n\n# Export all data for range\nshodan download network_scan.json.gz 'net:192.168.1.0\u002F24'\n```\n\n## Troubleshooting\n\n| Issue | Cause | Solution |\n|-------|-------|----------|\n| No API Key Configured | Key not initialized | Run `shodan init YOUR_API_KEY` then verify with `shodan info` |\n| Query Credits Exhausted | Monthly credits consumed | Use credit-free queries (no filters), wait for reset, or upgrade |\n| Host Recently Crawled | Cannot re-scan IP within 24h | Use `shodan host IP` for existing data, or wait 24 hours |\n| Rate Limit Exceeded | >1 request\u002Fsecond | Add `time.sleep(1)` between API requests |\n| Empty Search Results | Too specific or syntax error | Use quotes for phrases: `'org:\"Company Name\"'`; broaden criteria |\n| Downloaded File Won't Parse | Corrupted or wrong format | Verify with `gunzip -t file.gz`, re-download with `--limit` |\n\n## When to Use\nThis skill is applicable to execute the workflow or actions described in the 
overview.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,80,1436,"2026-05-16 13:40:19",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"Other","other","mdi-page-next-outline","Other types of Skill",5,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"Career Development","career","mdi-briefcase-outline","Interview preparation, resume optimization, career planning",4,575,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"a9832e4b-9fc4-424a-9995-eeb15c5355ce","1.0.0","shodan-reconnaissance.zip",5289,"uploads\u002Fskills\u002F9f57626f-c37b-4fcb-8c09-a62c3bd6f6cd\u002Fshodan-reconnaissance.zip","e1df2163748ac7df8f590df6f96d3fd23312977916c0d5efc5420cea6a8080e1","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":13697}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]