
SANS ISC: Using Shodan Monitoring - Internet Security | DShield SANS ISC InfoSec Forums


Using Shodan Monitoring

Back in March, Shodan started a new service called Shodan Monitor(1). This service notifies you of ports that are open on the network you specify. When you initially set up your network, you enter the CIDR to monitor and then select notification triggers; you will get emails for any of these categories that show up on the specified network. The notification emails include a link to whitelist systems. I'm finding the uncommon ports to be chatty for large networks, and tend to whitelist many of these.

They have a heat map that shows you which hosts have the most open ports. You can hover over them and see which systems have the largest footprint on the Internet.

The initial dashboard shows you the top port breakdown, notable ports, and possible vulnerabilities for the networks you are watching.

While this list could be useful, it gathers these details only from banner information. Web applications have lots of backported patches, which makes this less valuable for web.

While you can and should script this within your organization using Nmap, this is a great way to validate and see what attackers are seeing from outside with little effort. Has anyone found other cool uses of this service yet?

(1) https://monitor.shodan.io/

Tom

55 Posts
ISC Handler
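
The in-house Nmap check the diary recommends, as an added example (not the author's or Shodan's code): it compares two `nmap -oX` results and reports ports that newly opened or closed, skipping whitelisted entries. The XML samples, addresses, whitelist entry and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample scans in `nmap -oX` format (192.0.2.0/24 is a documentation range).
BASELINE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="443"><state state="open"/></port>
</ports></host>
</nmaprun>"""
CURRENT_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="closed"/></port>
<port protocol="tcp" portid="443"><state state="open"/></port>
<port protocol="tcp" portid="8081"><state state="open"/></port>
</ports></host>
<host><address addr="192.0.2.25" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3389"><state state="open"/></port>
</ports></host>
</nmaprun>"""


def open_ports(xml_text):
    """Return the set of (ip, protocol, port) tuples whose state is 'open'."""
    found = set()
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # host record without an IPv4 address
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                found.add((addr.get("addr"), port.get("protocol"), int(port.get("portid"))))
    return found


def diff_exposure(baseline_xml, current_xml, whitelist=frozenset()):
    """Return (newly opened, newly closed) ports; whitelisted entries never alert."""
    old, new = open_ports(baseline_xml), open_ports(current_xml)
    return sorted(new - old - set(whitelist)), sorted(old - new)


if __name__ == "__main__":
    # Hypothetical whitelist entry: a port already reviewed and accepted.
    opened, closed = diff_exposure(BASELINE_XML, CURRENT_XML, {("192.0.2.10", "tcp", 8081)})
    for ip, proto, port in opened:
        print(f"NEW    {ip} {port}/{proto}")
    for ip, proto, port in closed:
        print(f"CLOSED {ip} {port}/{proto}")
```

Feeding it the saved XML from a scheduled external scan and the previous run gives the same "what changed" signal as the notification emails, with the whitelist playing the role of the whitelist link.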
My bean-counters wouldn't spring for it (I didn't even ask them), so I wrote a PowerShell script to query our info via the API and let me know of any differences. Also useful for certificate expiry. Seems to work quite well...
lansalot

20 Posts
Any chance you could share that script in GitHub (or another public repository)?
Anonymous
There are several scripts already available to do this. If you search for "NMAP NDIFF script", you should find several. This is one I tracked down on GIT github.com/rommelfs/…. There is at least one for PowerShell there too.
Tom

55 Posts
ISC Handler
This feature requires a Shodan paid subscription.
Marlon

9 Posts
It's also available to users that have purchased the Shodan Membership which is a one-time payment of $49 (i.e. no subscription required). And it's available for free to academic or law enforcement users.
John Matherly

2 Posts
