Monitor your public assets via Shodan

Monitor your assets in Shodan

Shodan is a powerful tool for passive reconnaissance. It’s also a great source of information that you can put to good use to monitor your publicly available assets. Shodan acts as a search engine (also see: What is Shodan.io?): whatever is connected to the internet gets indexed by its crawlers.

I wrote a script that takes one parameter (ideally a string) and:

  • Fetches the information that is available at Shodan for your query string;
  • Stores the results in a sqlite database;
  • Whenever something new pops up (this can be either a new host or a new port on an existing host) it will alert you by e-mail;
  • Note that ports that are no longer available are not covered and the script does not monitor service banner changes.

It’s available for download on GitHub at https://github.com/cudeso/tools/tree/master/shodan-asset-monitor
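
The new-host / new-port check described in the list above can be sketched as follows. This is an added example, not the code from the linked repository: the host_ports table, the record_and_diff function and the sample results are assumptions made up for illustration, and only the ip_str and port fields of Shodan search matches are used.

```python
import sqlite3
from collections import defaultdict

# Hypothetical schema for this example; the real script ships its own .sql file.
SCHEMA = """CREATE TABLE IF NOT EXISTS host_ports (
    ip TEXT NOT NULL, port INTEGER NOT NULL,
    first_seen TEXT DEFAULT CURRENT_TIMESTAMP,
    PRIMARY KEY (ip, port))"""

def record_and_diff(conn, matches):
    """Store unseen (ip, port) pairs and return one alert per changed host."""
    conn.execute(SCHEMA)
    seen = defaultdict(set)
    for m in matches:                      # Shodan matches carry ip_str and port
        seen[m["ip_str"]].add(int(m["port"]))
    alerts = []
    for ip in sorted(seen):
        known = {row[0] for row in conn.execute(
            "SELECT port FROM host_ports WHERE ip = ?", (ip,))}
        new_ports = sorted(seen[ip] - known)
        if not new_ports:
            continue                       # nothing new; closed ports are ignored
        alerts.append(("new port" if known else "new host", ip, new_ports))
        conn.executemany("INSERT INTO host_ports (ip, port) VALUES (?, ?)",
                         [(ip, p) for p in new_ports])
    conn.commit()
    return alerts

# Constructed sample data (documentation address ranges), not real Shodan output.
RUN_1 = [{"ip_str": "192.0.2.10", "port": 443},
         {"ip_str": "192.0.2.10", "port": 80},
         {"ip_str": "198.51.100.7", "port": 22}]
# Next day: 3389 appears on a known host, a new host appears, port 22 is gone.
RUN_2 = [{"ip_str": "192.0.2.10", "port": 443},
         {"ip_str": "192.0.2.10", "port": 80},
         {"ip_str": "192.0.2.10", "port": 3389},
         {"ip_str": "203.0.113.5", "port": 8080}]

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")       # use a file path for a real cron job
    for label, run in (("day 1", RUN_1), ("day 2", RUN_2), ("day 3", RUN_2)):
        print(label, record_and_diff(db, run))
```

The second run reports port 3389 on the known host and the new host, but says nothing about the vanished port 22, which mirrors the limitation noted in the list above.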

Configure Shodan Monitor

The configuration is set in the script itself, with these settings:

  • SHODAN_API_KEY : your Shodan API key
  • MAIL_SUBJECT : the subject of the alert email (the asset change gets added to the subject)
  • MAIL_FROM : the email sender
  • MAIL_RCPT : the email receiver
  • MAIL_SMTP : the mail server
  • SQL_LITE_DB : the name of the sqlite db (defaults to shodan-asset-monitor.db)
  • PRINT_PROGRESS : print status to screen when run (disable for cron-jobs)

Cron job

Ideally you run the script from a cron job, for example every day. Set the configuration option PRINT_PROGRESS to False when running from cron.

If you run the script from cron you might have to change SQL_LITE_DB to an absolute path instead of a relative path. This depends on your cron settings.

SQL_LITE_DB="/home/user/shodan-monitor/shodan-asset-monitor.db"

Shodan Python library

You need the Shodan Python library:

sudo pip install shodan

Create sqlite database

Before you can run the script you need to create the sqlite database:

sqlite3 shodan-asset-monitor.db < shodan-asset-monitor.sql

First run

Obviously, when run for the first time it will generate a lot of alerts (all hosts and ports are new). You can disable mail notifications on the first run by adding a second parameter (‘any’ parameter will do, no specific value). You can make that change permanent by setting NOTIFY_MAIL to False. With that setting you are no longer notified by e-mail of changes found in Shodan.

Then run the script:

./shodan-asset-monitor.py belgium.be


The output will indicate if a new asset was found or if an existing host has changed.
