Shodan 渗透测试与网络侦察指南：发现暴露服务与物联网设备漏洞

Shodan Reconnaissance and Pentesting by automindtechnologie-jpg/ultimate-skill.md

安装命令

npx skills add https://github.com/automindtechnologie-jpg/ultimate-skill.md --skill 'Shodan Reconnaissance and Pentesting'

命令行工具网络协议分析安全

🇨🇳中文介绍

Shodan 侦察与渗透测试

目的

提供系统化的方法论，以便在渗透测试活动中利用 Shodan 作为侦察工具。本技能涵盖 Shodan 网页界面、命令行界面 (CLI)、REST API、搜索过滤器、按需扫描和网络监控能力，用于发现暴露的服务、易受攻击的系统和物联网设备。

输入 / 先决条件

Shodan 账户 : shodan.io 上的免费或付费账户
API 密钥 : 从 Shodan 账户仪表板获取
目标信息 : 要调查的 IP 地址、域名或网络范围
Shodan CLI : 已安装基于 Python 的命令行工具
授权 : 对目标网络进行侦察的书面许可

输出 / 交付成果

资产清单 : 发现的主机、端口和服务列表
漏洞报告 : 已识别的 CVE 和暴露的易受攻击服务
横幅数据 : 显示软件版本的服务横幅
网络映射 : 资产的地理和组织分布
截图库 : 暴露界面的视觉侦察
导出数据 : 用于进一步分析的 JSON/CSV 文件

核心工作流程

1. 设置与配置

安装 Shodan CLI

# 使用 pip
pip install shodan

# 或使用 easy_install
easy_install shodan

# 在 BlackArch/Arch Linux 上
sudo pacman -S python-shodan

初始化 API 密钥

# 设置你的 API 密钥
shodan init YOUR_API_KEY

# 验证设置
shodan info
# 输出: Query credits available: 100
#         Scan credits available: 100

🇺🇸English

Shodan Reconnaissance and Pentesting

Purpose

Provide systematic methodologies for leveraging Shodan as a reconnaissance tool during penetration testing engagements. This skill covers the Shodan web interface, command-line interface (CLI), REST API, search filters, on-demand scanning, and network monitoring capabilities for discovering exposed services, vulnerable systems, and IoT devices.

Inputs / Prerequisites

Shodan Account : Free or paid account at shodan.io
API Key : Obtained from Shodan account dashboard
Target Information : IP addresses, domains, or network ranges to investigate
Shodan CLI : Python-based command-line tool installed
Authorization : Written permission for reconnaissance on target networks

Outputs / Deliverables

Asset Inventory : List of discovered hosts, ports, and services
Vulnerability Report : Identified CVEs and exposed vulnerable services
Banner Data : Service banners revealing software versions
Network Mapping : Geographic and organizational distribution of assets
Screenshot Gallery : Visual reconnaissance of exposed interfaces
Exported Data : JSON/CSV files for further analysis

Core Workflow

1. Setup and Configuration

Install Shodan CLI

# Using pip
pip install shodan

# Or easy_install
easy_install shodan

# On BlackArch/Arch Linux
sudo pacman -S python-shodan

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

2. 基础主机侦察

# 获取关于一个 IP 的所有信息
shodan host 1.1.1.1

# 示例输出:
# 1.1.1.1
# Hostnames: one.one.one.one
# Country: Australia
# Organization: Mountain View Communications
# Number of open ports: 3
# Ports:
#   53/udp
#   80/tcp
#   443/tcp

检查主机是否为蜜罐

# 获取蜜罐概率分数
shodan honeyscore 192.168.1.100

# 输出: Not a honeypot
#         Score: 0.3

基础搜索 (免费)

# 简单关键词搜索 (不消耗信用额度)
shodan search apache

# 指定输出字段
shodan search --fields ip_str,port,os smb

过滤搜索 (消耗 1 信用额度)

# 特定产品搜索
shodan search product:mongodb

# 使用多个过滤器搜索
shodan search product:nginx country:US city:"New York"

# 获取结果数量而不消耗信用额度
shodan count openssh
# 输出: 23128

shodan count openssh 7
# 输出: 219

# 下载 1000 个结果 (默认)
shodan download results.json.gz "apache country:US"

# 下载指定数量的结果
shodan download --limit 5000 results.json.gz "nginx"

# 下载所有可用结果
shodan download --limit -1 all_results.json.gz "query"

解析下载的数据

# 从下载的数据中提取特定字段
shodan parse --fields ip_str,port,hostnames results.json.gz

# 按特定条件过滤
shodan parse --fields location.country_code3,ip_str -f port:22 results.json.gz

# 导出为 CSV 格式
shodan parse --fields ip_str,port,org --separator , results.json.gz > results.csv

4. 搜索过滤器参考

ip:1.2.3.4                  # 特定 IP 地址
net:192.168.0.0/24          # 网络范围 (CIDR)
hostname:example.com        # 主机名包含
port:22                     # 特定端口
asn:AS15169                 # 自治系统号

country:US                  # 两位字母国家代码
country:"United States"     # 完整国家名称
city:"San Francisco"        # 城市名称
state:CA                    # 州/地区
postal:94102                # 邮政编码
geo:37.7,-122.4             # 经纬度坐标

org:"Google"                # 组织名称
isp:"Comcast"               # ISP 名称

服务/产品过滤器

product:nginx               # 软件产品
version:1.14.0              # 软件版本
os:"Windows Server 2019"    # 操作系统
http.title:"Dashboard"      # HTTP 页面标题
http.html:"login"           # HTML 内容
http.status:200             # HTTP 状态码
ssl.cert.subject.cn:*.example.com  # SSL 证书
ssl:true                    # 启用了 SSL

vuln:CVE-2019-0708          # 特定 CVE
has_vuln:true               # 有任何漏洞

has_screenshot:true         # 有可用的截图
screenshot.label:webcam     # 截图类型

# 扫描单个 IP (每个 IP 消耗 1 信用额度)
shodan scan submit 192.168.1.100

# 使用详细输出扫描 (显示扫描 ID)
shodan scan submit --verbose 192.168.1.100

# 扫描并保存结果
shodan scan submit --filename scan_results.json.gz 192.168.1.100

# 列出最近的扫描
shodan scan list

# 检查特定扫描状态
shodan scan status SCAN_ID

# 稍后下载扫描结果
shodan download --limit -1 results.json.gz scan:SCAN_ID

可用的扫描协议

# 列出可用的协议/模块
shodan scan protocols

获取搜索统计信息

# 默认统计信息 (前 10 个国家、组织)
shodan stats nginx

# 自定义分面
shodan stats --facets domain,port,asn --limit 5 nginx

# 保存到 CSV
shodan stats --facets country,org -O stats.csv apache

设置警报 (网页界面)

1. 导航到监控仪表板
2. 添加要监控的 IP、范围或域名
3. 配置通知服务 (电子邮件、Slack、webhook)
4. 选择触发事件 (新服务、漏洞等)
5. 查看暴露服务的仪表板

# 获取 API 信息
curl -s "https://api.shodan.io/api-info?key=YOUR_KEY" | jq

# 主机查询
curl -s "https://api.shodan.io/shodan/host/1.1.1.1?key=YOUR_KEY" | jq

# 搜索查询
curl -s "https://api.shodan.io/shodan/host/search?key=YOUR_KEY&query=apache" | jq

import shodan

api = shodan.Shodan('YOUR_API_KEY')

# 搜索
results = api.search('apache')
print(f'Results found: {results["total"]}')
for result in results['matches']:
    print(f'IP: {result["ip_str"]}')

# 主机查询
host = api.host('1.1.1.1')
print(f'IP: {host["ip_str"]}')
print(f'Organization: {host.get("org", "n/a")}')
for item in host['data']:
    print(f'Port: {item["port"]}')

命令	描述	信用额度
`shodan init KEY`	初始化 API 密钥	0
`shodan info`	显示账户信息	0
`shodan myip`	显示你的 IP	0
`shodan host IP`	主机详情	0
`shodan count QUERY`	结果数量	0
`shodan search QUERY`	基础搜索	0*
`shodan download FILE QUERY`	保存结果	1/100 个结果
`shodan parse FILE`	提取数据	0
`shodan stats QUERY`	统计信息	1
`shodan scan submit IP`	按需扫描	1/IP
`shodan honeyscore IP`	蜜罐检查	0

*过滤器每查询消耗 1 信用额度

目的	查询
查找网络摄像头	`webcam has_screenshot:true`
MongoDB 数据库	`product:mongodb`
Redis 服务器	`product:redis`
Elasticsearch	`product:elastic port:9200`
默认密码	`"default password"`
易受攻击的 RDP	`port:3389 vuln:CVE-2019-0708`
工业系统	`port:502 modbus`
Cisco 设备	`product:cisco`
开放的 VNC	`port:5900 authentication disabled`
暴露的 FTP	`port:21 anonymous`
WordPress 站点	`http.component:wordpress`
打印机	`"HP-ChaiSOE" port:80`
摄像头 (RTSP)	`port:554 has_screenshot:true`
Jenkins 服务器	`X-Jenkins port:8080`
Docker API	`port:2375 product:docker`

有用的过滤器组合

场景	查询
目标组织侦察	`org:"Company Name"`
域名枚举	`hostname:example.com`
网络范围扫描	`net:192.168.0.0/24`
SSL 证书搜索	`ssl.cert.subject.cn:*.target.com`
易受攻击的服务器	`vuln:CVE-2021-44228 country:US`
暴露的管理面板	`http.title:"admin" port:443`
数据库暴露	`port:3306,5432,27017,6379`

操作	信用额度类型	成本
基础搜索	查询	0 (无过滤器)
过滤搜索	查询	1
下载 100 个结果	查询	1
生成报告	查询	1
扫描 1 个 IP	扫描	1
网络监控	监控的 IP	取决于套餐

速率限制为每秒 1 个请求
扫描结果非即时 (异步)
24 小时内无法重新扫描同一 IP (非企业版)
免费账户信用额度有限
某些数据需要付费订阅

Shodan 持续爬取但数据可能已过时数天/数周
按需扫描提供当前数据但消耗信用额度
历史数据需付费套餐

仅对授权目标执行侦察
被动侦察通常合法但需核实管辖范围
主动扫描 (scan submit) 需要授权
记录所有侦察活动

示例 1: 组织侦察

# 查找属于目标组织的所有主机
shodan search 'org:"Target Company"'

# 获取其基础设施的统计信息
shodan stats --facets port,product,country 'org:"Target Company"'

# 下载详细数据
shodan download target_data.json.gz 'org:"Target Company"'

# 解析特定信息
shodan parse --fields ip_str,port,product target_data.json.gz

示例 2: 易受攻击服务发现

# 查找易受 BlueKeep (RDP CVE) 攻击的主机
shodan search 'vuln:CVE-2019-0708 country:US'

# 查找未认证的暴露 Elasticsearch
shodan search 'product:elastic port:9200 -authentication'

# 查找 Log4j 易受攻击系统
shodan search 'vuln:CVE-2021-44228'

示例 3: 物联网设备发现

# 查找暴露的网络摄像头
shodan search 'webcam has_screenshot:true country:US'

# 查找工业控制系统
shodan search 'port:502 product:modbus'

# 查找暴露的打印机
shodan search '"HP-ChaiSOE" port:80'

# 查找智能家居设备
shodan search 'product:nest'

示例 4: SSL/TLS 证书分析

# 查找具有特定 SSL 证书的主机
shodan search 'ssl.cert.subject.cn:*.example.com'

# 查找过期的证书
shodan search 'ssl.cert.expired:true org:"Company"'

# 查找自签名证书
shodan search 'ssl.cert.issuer.cn:self-signed'

示例 5: Python 自动化脚本

#!/usr/bin/env python3
import shodan
import json

API_KEY = 'YOUR_API_KEY'
api = shodan.Shodan(API_KEY)

def recon_organization(org_name):
    """对组织执行侦察"""
    try:
        # 搜索组织
        query = f'org:"{org_name}"'
        results = api.search(query)
        
        print(f"[*] Found {results['total']} hosts for {org_name}")
        
        # 收集唯一的 IP 和端口
        hosts = {}
        for result in results['matches']:
            ip = result['ip_str']
            port = result['port']
            product = result.get('product', 'unknown')
            
            if ip not in hosts:
                hosts[ip] = []
            hosts[ip].append({'port': port, 'product': product})
        
        # 输出发现结果
        for ip, services in hosts.items():
            print(f"\n[+] {ip}")
            for svc in services:
                print(f"    - {svc['port']}/tcp ({svc['product']})")
        
        return hosts
        
    except shodan.APIError as e:
        print(f"Error: {e}")
        return None

if __name__ == '__main__':
    recon_organization("Target Company")

示例 6: 网络范围评估

# 扫描一个 /24 网络范围
shodan search 'net:192.168.1.0/24'

# 获取端口分布
shodan stats --facets port 'net:192.168.1.0/24'

# 在范围内查找特定漏洞
shodan search 'net:192.168.1.0/24 vuln:CVE-2021-44228'

# 导出范围内的所有数据
shodan download network_scan.json.gz 'net:192.168.1.0/24'

问题	原因	解决方案
未配置 API 密钥	密钥未初始化	运行 `shodan init YOUR_API_KEY`，然后用 `shodan info` 验证
查询信用额度耗尽	月度信用额度已用完	使用免信用额度查询 (无过滤器)，等待重置，或升级套餐
主机最近被爬取过	24 小时内无法重新扫描 IP	使用 `shodan host IP` 获取现有数据，或等待 24 小时
超出速率限制	>1 个请求/秒	在 API 请求之间添加 `time.sleep(1)`
搜索结果为空	条件太具体或语法错误	对短语使用引号: `'org:"Company Name"'`；放宽条件
下载的文件无法解析	损坏或格式错误	用 `gunzip -t file.gz` 验证，用 `--limit` 重新下载

# Set your API key
shodan init YOUR_API_KEY

# Verify setup
shodan info
# Output: Query credits available: 100
#         Scan credits available: 100

Check Account Status

# View credits and plan info
shodan info

# Check your external IP
shodan myip

# Check CLI version
shodan version

2. Basic Host Reconnaissance

# Get all information about an IP
shodan host 1.1.1.1

# Example output:
# 1.1.1.1
# Hostnames: one.one.one.one
# Country: Australia
# Organization: Mountain View Communications
# Number of open ports: 3
# Ports:
#   53/udp
#   80/tcp
#   443/tcp

Check if Host is Honeypot

# Get honeypot probability score
shodan honeyscore 192.168.1.100

# Output: Not a honeypot
#         Score: 0.3

# Simple keyword search (no credits consumed)
shodan search apache

# Specify output fields
shodan search --fields ip_str,port,os smb

Filtered Search (1 Credit)

# Product-specific search
shodan search product:mongodb

# Search with multiple filters
shodan search product:nginx country:US city:"New York"

# Get result count without consuming credits
shodan count openssh
# Output: 23128

shodan count openssh 7
# Output: 219

# Download 1000 results (default)
shodan download results.json.gz "apache country:US"

# Download specific number of results
shodan download --limit 5000 results.json.gz "nginx"

# Download all available results
shodan download --limit -1 all_results.json.gz "query"

Parse Downloaded Data

# Extract specific fields from downloaded data
shodan parse --fields ip_str,port,hostnames results.json.gz

# Filter by specific criteria
shodan parse --fields location.country_code3,ip_str -f port:22 results.json.gz

# Export to CSV format
shodan parse --fields ip_str,port,org --separator , results.json.gz > results.csv

4. Search Filters Reference

ip:1.2.3.4                  # Specific IP address
net:192.168.0.0/24          # Network range (CIDR)
hostname:example.com        # Hostname contains
port:22                     # Specific port
asn:AS15169                 # Autonomous System Number

country:US                  # Two-letter country code
country:"United States"     # Full country name
city:"San Francisco"        # City name
state:CA                    # State/region
postal:94102                # Postal/ZIP code
geo:37.7,-122.4             # Lat/long coordinates

Organization Filters

org:"Google"                # Organization name
isp:"Comcast"               # ISP name

Service/Product Filters

product:nginx               # Software product
version:1.14.0              # Software version
os:"Windows Server 2019"    # Operating system
http.title:"Dashboard"      # HTTP page title
http.html:"login"           # HTML content
http.status:200             # HTTP status code
ssl.cert.subject.cn:*.example.com  # SSL certificate
ssl:true                    # Has SSL enabled

Vulnerability Filters

vuln:CVE-2019-0708          # Specific CVE
has_vuln:true               # Has any vulnerability

has_screenshot:true         # Has screenshot available
screenshot.label:webcam     # Screenshot type

5. On-Demand Scanning

# Scan single IP (1 credit per IP)
shodan scan submit 192.168.1.100

# Scan with verbose output (shows scan ID)
shodan scan submit --verbose 192.168.1.100

# Scan and save results
shodan scan submit --filename scan_results.json.gz 192.168.1.100

# List recent scans
shodan scan list

# Check specific scan status
shodan scan status SCAN_ID

# Download scan results later
shodan download --limit -1 results.json.gz scan:SCAN_ID

Available Scan Protocols

# List available protocols/modules
shodan scan protocols

6. Statistics and Analysis

Get Search Statistics

# Default statistics (top 10 countries, orgs)
shodan stats nginx

# Custom facets
shodan stats --facets domain,port,asn --limit 5 nginx

# Save to CSV
shodan stats --facets country,org -O stats.csv apache

7. Network Monitoring

Setup Alerts (Web Interface)

1. Navigate to Monitor Dashboard
2. Add IP, range, or domain to monitor
3. Configure notification service (email, Slack, webhook)
4. Select trigger events (new service, vulnerability, etc.)
5. View dashboard for exposed services

# Get API info
curl -s "https://api.shodan.io/api-info?key=YOUR_KEY" | jq

# Host lookup
curl -s "https://api.shodan.io/shodan/host/1.1.1.1?key=YOUR_KEY" | jq

# Search query
curl -s "https://api.shodan.io/shodan/host/search?key=YOUR_KEY&query=apache" | jq

import shodan

api = shodan.Shodan('YOUR_API_KEY')

# Search
results = api.search('apache')
print(f'Results found: {results["total"]}')
for result in results['matches']:
    print(f'IP: {result["ip_str"]}')

# Host lookup
host = api.host('1.1.1.1')
print(f'IP: {host["ip_str"]}')
print(f'Organization: {host.get("org", "n/a")}')
for item in host['data']:
    print(f'Port: {item["port"]}')

Essential CLI Commands

Command	Description	Credits
`shodan init KEY`	Initialize API key	0
`shodan info`	Show account info	0
`shodan myip`	Show your IP	0
`shodan host IP`	Host details	0
`shodan count QUERY`	Result count	0
`shodan search QUERY`	Basic search	0*
`shodan download FILE QUERY`	Save results	1/100 results
`shodan parse FILE`	Extract data	0
`shodan stats QUERY`	Statistics	1
`shodan scan submit IP`	On-demand scan	1/IP
`shodan honeyscore IP`	Honeypot check	0

*Filters consume 1 credit per query

Common Search Queries

Purpose	Query
Find webcams	`webcam has_screenshot:true`
MongoDB databases	`product:mongodb`
Redis servers	`product:redis`
Elasticsearch	`product:elastic port:9200`
Default passwords	`"default password"`
Vulnerable RDP	`port:3389 vuln:CVE-2019-0708`
Industrial systems	`port:502 modbus`
Cisco devices	`product:cisco`
Open VNC	`port:5900 authentication disabled`
Exposed FTP	`port:21 anonymous`
WordPress sites	`http.component:wordpress`
Printers	`"HP-ChaiSOE" port:80`
Cameras (RTSP)	`port:554 has_screenshot:true`
Jenkins servers	`X-Jenkins port:8080`
Docker APIs	`port:2375 product:docker`

Useful Filter Combinations

Scenario	Query
Target org recon	`org:"Company Name"`
Domain enumeration	`hostname:example.com`
Network range scan	`net:192.168.0.0/24`
SSL cert search	`ssl.cert.subject.cn:*.target.com`
Vulnerable servers	`vuln:CVE-2021-44228 country:US`
Exposed admin panels	`http.title:"admin" port:443`
Database exposure	`port:3306,5432,27017,6379`

Action	Credit Type	Cost
Basic search	Query	0 (no filters)
Filtered search	Query	1
Download 100 results	Query	1
Generate report	Query	1
Scan 1 IP	Scan	1
Network monitoring	Monitored IPs	Depends on plan

Constraints and Limitations

Operational Boundaries

Rate limited to 1 request per second
Scan results not immediate (asynchronous)
Cannot re-scan same IP within 24 hours (non-Enterprise)
Free accounts have limited credits
Some data requires paid subscription

Shodan crawls continuously but data may be days/weeks old
On-demand scans provide current data but cost credits
Historical data available with paid plans

Only perform reconnaissance on authorized targets
Passive reconnaissance generally legal but verify jurisdiction
Active scanning (scan submit) requires authorization
Document all reconnaissance activities

Example 1: Organization Reconnaissance

# Find all hosts belonging to target organization
shodan search 'org:"Target Company"'

# Get statistics on their infrastructure
shodan stats --facets port,product,country 'org:"Target Company"'

# Download detailed data
shodan download target_data.json.gz 'org:"Target Company"'

# Parse for specific info
shodan parse --fields ip_str,port,product target_data.json.gz

Example 2: Vulnerable Service Discovery

# Find hosts vulnerable to BlueKeep (RDP CVE)
shodan search 'vuln:CVE-2019-0708 country:US'

# Find exposed Elasticsearch with no auth
shodan search 'product:elastic port:9200 -authentication'

# Find Log4j vulnerable systems
shodan search 'vuln:CVE-2021-44228'

Example 3: IoT Device Discovery

# Find exposed webcams
shodan search 'webcam has_screenshot:true country:US'

# Find industrial control systems
shodan search 'port:502 product:modbus'

# Find exposed printers
shodan search '"HP-ChaiSOE" port:80'

# Find smart home devices
shodan search 'product:nest'

Example 4: SSL/TLS Certificate Analysis

# Find hosts with specific SSL cert
shodan search 'ssl.cert.subject.cn:*.example.com'

# Find expired certificates
shodan search 'ssl.cert.expired:true org:"Company"'

# Find self-signed certificates
shodan search 'ssl.cert.issuer.cn:self-signed'

Example 5: Python Automation Script

#!/usr/bin/env python3
import shodan
import json

API_KEY = 'YOUR_API_KEY'
api = shodan.Shodan(API_KEY)

def recon_organization(org_name):
    """Perform reconnaissance on an organization"""
    try:
        # Search for organization
        query = f'org:"{org_name}"'
        results = api.search(query)
        
        print(f"[*] Found {results['total']} hosts for {org_name}")
        
        # Collect unique IPs and ports
        hosts = {}
        for result in results['matches']:
            ip = result['ip_str']
            port = result['port']
            product = result.get('product', 'unknown')
            
            if ip not in hosts:
                hosts[ip] = []
            hosts[ip].append({'port': port, 'product': product})
        
        # Output findings
        for ip, services in hosts.items():
            print(f"\n[+] {ip}")
            for svc in services:
                print(f"    - {svc['port']}/tcp ({svc['product']})")
        
        return hosts
        
    except shodan.APIError as e:
        print(f"Error: {e}")
        return None

if __name__ == '__main__':
    recon_organization("Target Company")

Example 6: Network Range Assessment

# Scan a /24 network range
shodan search 'net:192.168.1.0/24'

# Get port distribution
shodan stats --facets port 'net:192.168.1.0/24'

# Find specific vulnerabilities in range
shodan search 'net:192.168.1.0/24 vuln:CVE-2021-44228'

# Export all data for range
shodan download network_scan.json.gz 'net:192.168.1.0/24'

Issue	Cause	Solution
No API Key Configured	Key not initialized	Run `shodan init YOUR_API_KEY` then verify with `shodan info`
Query Credits Exhausted	Monthly credits consumed	Use credit-free queries (no filters), wait for reset, or upgrade
Host Recently Crawled	Cannot re-scan IP within 24h	Use `shodan host IP` for existing data, or wait 24 hours
Rate Limit Exceeded	>1 request/second	Add `time.sleep(1)` between API requests
Empty Search Results	Too specific or syntax error	Use quotes for phrases: `'org:"Company Name"'`; broaden criteria
Downloaded File Won't Parse	Corrupted or wrong format	Verify with `gunzip -t file.gz`, re-download with `--limit`

xdrop 文件传输脚本：Bun 环境下安全上传下载工具，支持加密分享

24,700 周安装

Shodan 渗透测试与网络侦察指南：发现暴露服务与物联网设备漏洞

🇨🇳中文介绍

Shodan 侦察与渗透测试

目的

输入 / 先决条件

输出 / 交付成果

核心工作流程

1. 设置与配置

安装 Shodan CLI

初始化 API 密钥

🇺🇸English

Shodan Reconnaissance and Pentesting

Purpose

Inputs / Prerequisites

Outputs / Deliverables

Core Workflow

1. Setup and Configuration

Install Shodan CLI

相关 Skills

检查账户状态

2. 基础主机侦察

查询单个主机

检查主机是否为蜜罐

3. 搜索查询

基础搜索 (免费)

过滤搜索 (消耗 1 信用额度)

统计结果数量

下载结果

解析下载的数据

4. 搜索过滤器参考

网络过滤器

地理过滤器

组织过滤器

服务/产品过滤器

漏洞过滤器

截图过滤器

5. 按需扫描

提交扫描

监控扫描状态

可用的扫描协议

6. 统计与分析

获取搜索统计信息

7. 网络监控

设置警报 (网页界面)

8. REST API 使用

直接 API 调用

Python 库

快速参考

基本 CLI 命令

常见搜索查询

有用的过滤器组合

信用额度系统

约束与限制

操作边界

数据新鲜度

法律要求

示例

示例 1: 组织侦察

示例 2: 易受攻击服务发现

示例 3: 物联网设备发现

示例 4: SSL/TLS 证书分析

示例 5: Python 自动化脚本

示例 6: 网络范围评估

故障排除

Initialize API Key

Check Account Status

2. Basic Host Reconnaissance

Query Single Host

Check if Host is Honeypot

3. Search Queries

Basic Search (Free)

Filtered Search (1 Credit)

Count Results

Download Results

Parse Downloaded Data

4. Search Filters Reference

Network Filters

Geographic Filters

Organization Filters

Service/Product Filters