# Shodan
Shodan lets you search for devices that are connected to the Internet.
## Connect Shodan with Devo SOAR
1. Navigate to Automations > Integrations.
2. Search for Shodan.
3. Click Details, then the + icon. Enter the required information in the following fields.
   - Label: Enter a connection name.
   - Reference Values: Define variables here to templatize integration connections and actions. For example, you can use `https://www.{{hostname}}.com`, where `hostname` is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
   - Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
   - Remote Agent: Run this integration using the Devo SOAR Remote Agent.
   - API Key: The API key used to connect to Shodan.
4. After you've entered all the details, click Connect.
## Actions for Shodan
## IP Lookup
Submit an IP to return all services that have been found on the given IP.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :---------- | :------------------------------------------------- | :------- |
| Column Name | Column name from parent table to lookup value for. | Required |
### Output
A JSON object containing multiple rows of result:
- result: Searches devices.
```json
{ "error": "Empty search query" }
```
## Lookup V2
Submit a lookup query to return all services that have been found on the given filter. For example, to search by hostname use `hostname:{comma separated hostnames}`, to search by IP use `{Malicious IP}`, or to search by URL use `url:{URL}`.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :---------- | :------------------------------------------------- | :------- |
| Column Name | Column name from parent table to lookup value for. | Required |
### Output
A JSON object containing multiple rows of result:
- result: Json.
```json
{
  "data": {
    "hostnames": [...],
    "services": [],
    "location": [...],
    "isps": [...],
    "os": [],
    "ports": [...],
    "has_error": false,
    "error": null,
    "ips": [...]
  }
}
```
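The query formats above (`hostname:` list, bare IP, `url:`) and the result layout are easy to get subtly wrong inside a Jinja template, and the `ports` list is most useful when compared against what you expect an asset to expose. The following helper is an added example for this page, not Devo SOAR or Shodan code: it composes a Lookup V2 query string for a given indicator kind, validates the indicator with the standard library, and reduces the action's result (shaped like the output shown above) to the ports that were not expected plus the hostnames. The function names, the `expected_ports` allowlist and the sample result are assumptions constructed for the example.

```python
"""Compose Lookup V2 queries and summarize the action's result.

Added example, not Devo SOAR or Shodan code. Query formats and the
data.hostnames/ports/has_error/error layout follow the page; function
names and the expected-ports allowlist are assumptions for the example.
"""
import ipaddress
from typing import Iterable


def build_lookup_query(kind: str, value) -> str:
    """Return a Lookup V2 query string for an indicator of the given kind."""
    if kind == "hostname":
        names = [value] if isinstance(value, str) else list(value)
        for name in names:
            # Commas separate hostnames and a colon would be read as a filter prefix
            if not name or any(c in name for c in " ,:"):
                raise ValueError(f"invalid hostname: {name!r}")
        return "hostname:" + ",".join(names)
    if kind == "ip":
        # Raises ValueError for anything that is not a valid IPv4/IPv6 literal
        return str(ipaddress.ip_address(value))
    if kind == "url":
        if not value.startswith(("http://", "https://")):
            raise ValueError(f"URL must carry a scheme: {value!r}")
        return f"url:{value}"
    raise ValueError(f"unsupported indicator kind: {kind!r}")


def summarize_lookup(result: dict, expected_ports: Iterable[int] = ()) -> dict:
    """Reduce a Lookup V2 result to what an analyst acts on.

    Surfaces has_error/error first; otherwise returns the ports Shodan found
    that are not in the expected set (exposure drift) and the hostnames.
    """
    data = result.get("data", {})
    if data.get("has_error"):
        return {"ok": False, "error": data.get("error"),
                "unexpected_ports": [], "hostnames": []}
    found = {int(p) for p in data.get("ports", [])}
    unexpected = sorted(found - set(expected_ports))
    return {"ok": True, "error": None, "unexpected_ports": unexpected,
            "hostnames": list(data.get("hostnames", []))}


# Constructed sample result, shaped like the Lookup V2 output on this page
SAMPLE_RESULT = {
    "data": {
        "hostnames": ["mail.example.test"],
        "services": [],
        "location": [],
        "isps": ["Example ISP"],
        "os": [],
        "ports": [25, 443, 3389],
        "has_error": False,
        "error": None,
        "ips": ["192.0.2.10"],
    }
}

if __name__ == "__main__":
    print(build_lookup_query("hostname", ["mail.example.test", "www.example.test"]))
    print(summarize_lookup(SAMPLE_RESULT, expected_ports=[25, 443]))
```

In a playbook the query string would be passed through the Column Name input and the summary's `unexpected_ports` used as the condition for a follow-up task; `has_error` is checked before anything else so an empty-query error is never mistaken for "no exposure".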
## List Ports
This returns a list of the port numbers that the crawlers are looking for.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :-------------- | :----------------------------------------------------- | :------- |
| Explode Results | Explode each result in a separate row. (Default is No) | Optional |
### Output
JSON containing the following items:
```json
{ "has_error": false, "result": [ 7, 11, 13, 15, 17 ], "error": null }
```
## List Protocols
This returns an object containing all the protocols that can be used when launching an Internet scan.
### Input Field
Choose a connection that you have previously created.
### Output
JSON containing the following items:
```json
{
"tibia": "Grab general information from Open Tibia servers",
"ftp": "Grab the FTP banner",
"pop3-ssl": "Grab the secure POP3 welcome message",
"idera": "Grab target system info through Idera uptime agent system",
"tc-b": "Cursory check whether a device is running the TC-B protocol",
"nodata-dtls": "Check whether the service supports DTLS and store whatever is returned",
"omron-tcp": "Gets information about the Omron PLC.",
"etcd": "Etcd cluster information",
"tuya": "Check whether a device supports the Tuya API",
"smtp": "Get basic SMTP server response",
"ikettle": "Check whether the device is a coffee machine/ kettle.",
"statsd-admin": "Gathers statistics from the StatsD service.",
"kerberos": "Checks whether a device is running the Kerberos authentication daemon.",
"ipmi": "Checks whether a device is running IPMI remote management software.",
"hbase-old": "Grab the status page for old, deprecated HBase database software.",
"toshiba-pos": "Grabs device information for the IBM/ Toshiba 4690.",
"bitcoin": "Grabs information about a Bitcoin daemon, including any devices connected to it.",
"bacnet": "Gets various information from a BACnet device.",
"gtp-v1": "Checks whether the device is running a GPRS Tunnel.",
"steam-dedicated-server-rcon": "Checks whether an IP is running as a Steam dedicated game server with remote authentication enabled.",
"lantronix-udp": "Attempts to grab the setup object from a Lantronix device.",
"memcache-udp": "Get general information about the Memcache daemon responding on UDP",
"ntp": "Get a list of IPs that NTP server recently saw and try to get version info.",
"newline-udp": "Connect to a server with UDP and send a newline.",
"auto": "Detect the type of service that runs on the port and send the appropriate request.",
"smtps": "Grab a banner and certificate for SMTPS servers",
"imap": "Get the welcome message of the IMAP server",
"remcos-pro-rat": "Checks whether the device is a C2 for RemCos Pro 2.05",
"whois": "Check whether the port is running WHOIS",
"netmobility": "Checks whether the device is a NetMobility.",
"rdp": "RDP banner grabbing module",
"sip": "Gets the options that the SIP device supports.",
"dns-udp": "Try to determine the version of a DNS server by grabbing version.bind",
"openvpn": "Checks whether the other server runs an OpenVPN that doesnt require TLS auth",
"matrikon-opc": "Checks whether the device is running Matrikon OPC.",
"nanocore-122-rat": "Checks whether the device is a C2 for NanoCore Version 1.2.2.0 Cracked",
"ventrilo": "Gets the detailed status information from a Ventrilo server.",
"libreoffice-impress": "Check whether the LibreOffice Impress Remote Server is enabled",
"tor-versions": "Checks whether the device is running the Tor OR protocol.",
"memcache": "Get general information about the Memcache daemon",
"kamstrup": "Kamstrup Smart Meters",
"hart-ip-udp": "Checks whether the IP is a HART-IP gateway.",
"epmd": "Get a list of Erlang services and the ports they are listening on",
"netbios": "Grab NetBIOS information including the MAC address.",
"afp": "AFP server information grabbing module",
"steam-ihs": "Steam In-Home Streaming protocol",
"nuclear-rat": "Checks whether the device is a C2 for Nuclear RAT.",
"printer-job-language": "Get the current output from the status display on a printer",
"ssh": "Get the SSH banner, its host key and fingerprint",
"upnp": "Collects device information via UPnP.",
"serialnumbered": "Checks for other servers with the same serial number on the local network. AAAAAA is a dummy value.",
"couchdb": "HTTP banner grabbing module",
"gearman": "Gather usage information from a Gearman queue",
"telnet": "Telnet banner grabbing module",
"ldap-udp": "CLDAP banner grabbing module",
"dictionary": "Connects to a dictionary server using the DICT protocol.",
"amqp": "Grab information from an AMQP service",
"rtsp-tcp": "Determine which options the RTSP server allows.",
"idevice": "Connects to an iDevice and grabs the property list.",
"microhard": "Checks whether the device is running Microhard.",
"orcus-rat": "Checks whether the device is a C2 for Gh0st RAT.",
"portmap-udp": "Get a list of processes that are running and their ports.",
"ldaps": "LDAPS banner grabbing module",
"dht": "Gets a list of peers from a DHT node.",
"bittorrent-tracker": "Check whether there is a BitTorrent tracker running.",
"moxa-nport": "Attempts to grab information from Moxna Nport devices.",
"ghost-rat": "Checks whether the device is a C2 for Gh0st RAT.",
"ajp": "Check whether the Tomcat server running AJP protocol",
"telnets": "Telnet wrapped in SSL banner grabbing module",
"apple-airport-admin": "Check whether the device is an Apple AirPort administrative interface.",
"dicom": "Checks whether the DICOM service is running.",
"pcworx": "Gets information about PC Worx device.",
"pcanywhere-status": "Asks the PC Anywhere status daemon for basic information.",
"ethernetip": "Grab information from a device supporting EtherNet/IP over TCP",
"imap-ssl": "Get the welcome message of the secure IMAP server",
"iec-61850": "MMS protocol",
"snmp": "Performs an SNMP walk of the system OID",
"ms-sql-monitor": "Pings an MS-SQL Monitor server",
"nodata-tcp-small": "Connect to a server without sending any data and store whatever it returns.",
"mikrotik-routeros": "Check whether the device operates the Oracle Weblogic T3 protocol",
"quic": "Checks whether a service supports the QUIC HTTP protocol",
"redlion-crimson3": "A fingerprint for the Red Lion HMI devices running CrimsonV3",
"ike": "Checks wheter a device is running a VPN using IKE.",
"java-rmi": "Check whether the device is running Java RMI.",
"rdate": "Get the time from a remote rdate server",
"dhcp": "Send a DHCP INFORM request to learn about the lease information from the DHCP server.",
"https": "HTTPS banner grabbing module",
"mqtt": "Grab a list of recent messages from an MQTT broker.",
"dahua-dvr": "Grab the serial number from a Dahua DVR device.",
"identd": "Check whether the service is running identd",
"melsec-q-tcp": "Get the CPU information from a Mitsubishi Electric Q Series PLC.",
"cassandra": "Get cluster information for the Cassandra database software.",
"tacacs": "Check whether the device supports TACACS+ AAA.",
"teamviewer": "Determine whether a server is running TeamViewer",
"modbus": "Grab the Modbus device information via functions 17 and 43.",
"language-server-protocol": "Checks whether the port is running a language server.",
"automated-tank-gauge": "Get the tank inventory for a gasoline station.",
"gardasoft-vision": "Grabs the version for the Gardasoft controller.",
"postgresql": "Collects system information from the PostgreSQL daemon",
"iscsi": "Determine whether a server is an iSCSI target",
"echo-udp": "Checks whether the device is running echo.",
"natpmp": "Checks whether NAT-PMP is exposed on the device.",
"line-printer-daemon": "Get a list of jobs in the print queue to verify the device is a printer.",
"http-simple-new": "HTTP banner grabber only (no robots, sitemap etc.)",
"plc5": "Checks whether the device is running Poison Ivy.",
"voldemort": "Pings the Voldemort database.",
"udpxy": "Udpxy banner grabbing module",
"unitronics-pcom": "Collects device information for Unitronics PLCs via PCOM protocol.",
"sap-router": "Check whether the SAP Router is active",
"ibm-db2-das": "Grab basic information about the IBM DB2 Database Server.",
"xiaongmai-backdoor": "Detect backdoor in xiaongmai devices.",
"ibm-nje": "Check whether the z/OS Network Job Entry service is running.",
"scpi": "Check for the SCPI protocol used by lab equipment",
"cisco-smi": "Check whether the device supports the Cisco Smart Install feature.",
"ubiquiti-discover": "Grabs information about the Ubiquiti-powered device",
"kafka": "Get information about a Kafka cluster.",
"git": "Check whether git is running.",
"pop3": "Grab the POP3 welcome message",
"flux-led": "Grab the current state from a Flux LED light bulb.",
"checkpoint-hostname": "Get hostnames for the CheckPoint firewall and management station.",
"has_error": false,
"ripple-rtxp": "Grabs the list of peers from an RTXP Ripple daemon.",
"andromouse": "Checks whether the device is running the remote mouse AndroMouse service.",
"iec-104": "Banner grabber for the IEC-104 protocol.",
"dns-tcp": "Try to determine the version of a DNS server by grabbing version.bind",
"error": null,
"hddtemp": "View hard disk information from hddtemp service.",
"oracle-tns": "Check whether the Oracle TNS Listener is running.",
"open-tcp": "Checks whether a port is open and nothing else.",
"teradici-pcoip": "Check whether the device is running Teradici PCoIP Management Console.",
"nodata-tcp-ssl": "Connect to a server using SSL and without sending any data.",
"mumble-server": "Grabs the version information for the Murmur service (Mumble server)",
"realport": "Get the banner for the Digi Realport device",
"lifx": "Check whether there is a BitTorrnt tracker running.",
"newline-tcp": "Connect to a server with TCP and send a newline.",
"rsync": "Get a list of shares from the rsync daemon.",
"nntp": "Get the welcome message of a Network News server",
"njrat": "Determine whether a server is running a njRAT C&C",
"bgp": "Checks whether the device is running BGP.",
"ibm-db2-drda": "Checks for support of the IBM DB2 DRDA protocol.",
"ms-portmap-tcp": "Queries an MSRPC endpoint mapper for a list of mapped services and gathered information.",
"coap": "Check whether the server supports the CoAP protocol",
"minecraft": "Gets the server status information from a Minecraft server",
"knx": "Grabs the description from a KNX service.",
"ike-nat-t": "Checks wheter a device is running a VPN using IKE and NAT traversal.",
"onvif": "Check whether the Onvif camera is operating.",
"qrat": "Determine whether a server is running a QRAT C&C",
"mdns": "Perform a DNS-based service discovery over multicast DNS",
"yahoo-smarttv": "Checks whether the device is running the Yahoo Smart TV device communication service.",
"nodata-tcp": "Connect to a server without sending any data and store whatever it returns.",
"coap-dtls": "Check whether the server supports the CoAP protocol with DTLS",
"beanstalk": "Get general information about the Beanstalk daemon",
"clamav": "Determine whether a server is running ClamAV",
"monero-rpc": "Collect information about the Monero daemon.",
"consul": "Determine wether consul is running & collect relevant info",
"ldap-tcp": "LDAP banner grabbing module",
"insteon-plm": "Checks whether the device is Insteon PLM type",
"kilerrat": "Determine whether a server is running a KilerRAT C&C",
"tor-control": "Checks whether a device is running the Tor control service.",
"rip": "Checks whether the device is running the Routing Information Protocol.",
"proconos": "Gets information about the PLC via the ProConOs protocol.",
"steam-a2s": "Get a list of IPs that NTP server recently saw and try to get version info.",
"poison-ivy-rat": "Checks whether the device is running Poison Ivy.",
"ard": "Query the Apple Remote Desktop service for information about the device",
"portmap-tcp": "Get a list of processes that are running and their ports.",
"dnp3": "A dump of data from a DNP3 outstation",
"zookeeper": "Grab statistical information from a Zookeeper node",
"mysql": "Grabs the version of the running MySQL server",
"ethereum-rpc": "Grabs version information about the Ethereum node.",
"s7": "Communicate using the S7 protocol and grab the device identifications.",
"riak": "Sends a ServerInfo request to Riak",
"ms-sql": "Check whether the MS-SQL database server is running",
"teradici-pcoip-old": "Check whether the device is running Teradici PCoIP Management Console.",
"codesys": "Grab a banner for Codesys daemons",
"redis": "Redis banner grabbing module",
"hifly": "Checks whether the HiFly lighting control is running.",
"mongodb": "Collects system information from the MongoDB daemon.",
"x11": "Connect to X11 w/ no auth and grab the resulting banner.",
"citrix-apps": "This module attempts to query Citrix Metaframe ICA server to obtain a published list of applications.",
"smarter-coffee": "Checks the device status of smart coffee machines.",
"weblogic-t3": "Check whether the device operates the Oracle Weblogic T3 protocol",
"darktrack-rat": "Checks whether the device is a C2 for DarkTrack RAT.",
"http-supermicro": "HTTP banner grabbing module for Supermicro servers",
"hbase": "Grab the status page for HBase database software.",
"crestron": "Checks for other servers with the same serial number on the local network. AAAAAA is a dummy value.",
"pptp": "Connect via PPTP",
"vault": "Determine wether vault is running & collect relevant info",
"vertx-edge": "Checks whether the device is running the VertX/ Edge door controller.",
"general-electric-srtp": "Check whether the GE SRTP service is active on the device.",
"ethernetip-udp": "Grab information from a device supporting EtherNet/IP over UDP",
"http": "HTTP banner grabbing module",
"opc-ua": "Grab a list of nodes from an OPC UA service",
"nanocore-rat": "Checks whether the device is a C2 for NanoCore RAT.",
"munin": "Check whether a Munin node is active and list its plugins",
"blackshades": "Determine whether a server is running a Blackshades C&C",
"wdbrpc": "Checks whehter the WDB agent (used for debugging) is enabled on a VxWorks device.",
"fox": "Grabs a banner for proprietary FOX protocol by Tridium",
"secure-fox": "Grabs a banner for proprietary FOX protocol by Tridium",
"smb": "Grab a list of shares exposed through the Server Message Block service",
"iota-rpc": "Grabs version information about the IOTA node.",
"xmpp": "Sends a hello request to the XMPP daemon",
"melsec-q-udp": "Get the CPU information from a Mitsubishi Electric Q Series PLC.",
"wemo-http": "Connect to a Wemo Link and grab the setup.xml file",
"https-simple-new": "HTTPS banner grabber only (no robots, sitemap etc.)"
}
```
## List Scans
This returns a listing of all the on-demand scans that are currently active on the account.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :-------------- | :----------------------------------------------------- | :------- |
| Explode Results | Explode each result in a separate row. (Default is No) | Optional |
### Output
JSON containing the following items:
```json
[
  {
    "status_check": "2024-04-30T11:13:42.719000",
    "size": 1,
    "credits_left": 655,
    "has_error": false,
    "id": "TEST_ID",
    "error": null,
    "api_key": "TEST_API",
    "status": "PROCESSING",
    "created": "2024-04-30T11:13:42.664000"
  },
  {
    "status_check": "2024-04-30T11:13:42.719000",
    "size": 1,
    "credits_left": 654,
    "has_error": false,
    "id": "TEST_ID",
    "error": null,
    "api_key": "TEST_API",
    "status": "PROCESSING",
    "created": "2024-04-30T11:13:42.664000"
  }
]
```
## Status of Scan
This checks the progress of a previously submitted scan request.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------- | :----------------------------------------------------------------- | :------- |
| Scan ID | [Jinja-templated](doc:jinja-template) text containing the scan ID. | Required |
### Output
JSON containing the following items:
```json
{
  "count": 1,
  "status": "DONE",
  "id": "Mo8W7itcWumiy9Ay",
  "created": "2021-01-26T08:17:43.794000"
}
```
## Scan Network
This is used to request Shodan to crawl a network. Provide either IPs or Services from the optional parameters.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------- | :------------------------------------------------------------------------------------------------------------------------------------------------ | :------- |
| IPs | Jinja-templated text containing the comma-separated list of IPs or netblocks (in CIDR notation) that should get crawled. Example '8.8.8.8,1.1.1.1' | Optional |
| Services | Jinja-templated JSON containing the list of services that should get scanned. Example {"1.1.1.1": [ [53, "dns-udp"], [443, "https"]] } | Optional |
### Output
JSON containing the following items:
```json
{ "count": 1, "credits_left": 65523, "has_error": false, "id": "Test", "error": null }
```
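Both inputs are free text rendered from a template, so a malformed netblock or a protocol name Shodan's crawlers do not know only fails once the scan request is submitted and a credit is spent. The helper below is an added example for this page, not Devo SOAR or Shodan code: it normalizes the IPs input with `ipaddress`, and validates the Services JSON against an allowlist of protocol names, which here is a constructed subset of the List Protocols output shown above. The function names and the `KNOWN_PROTOCOLS` set are assumptions for the example.

```python
"""Build and validate the IPs and Services inputs of the Scan Network action.

Added example, not Devo SOAR or Shodan code. Input formats follow the page:
IPs is a comma-separated list of IPs/netblocks in CIDR notation; Services is
JSON of the form {"ip": [[port, "protocol"], ...]}. KNOWN_PROTOCOLS is a
constructed subset of the List Protocols output; function names are assumptions.
"""
import ipaddress
import json

# Constructed subset of the protocol names returned by List Protocols on this page
KNOWN_PROTOCOLS = {"dns-udp", "https", "http", "ssh", "rdp", "smb", "modbus", "snmp"}


def build_ips_input(targets) -> str:
    """Normalize a list of IPs/netblocks into the comma-separated IPs input."""
    normalized = []
    for target in targets:
        target = target.strip()
        if "/" in target:
            # strict=False accepts host bits set, e.g. 192.0.2.1/24 -> 192.0.2.0/24
            normalized.append(str(ipaddress.ip_network(target, strict=False)))
        else:
            normalized.append(str(ipaddress.ip_address(target)))
    if not normalized:
        raise ValueError("at least one IP or netblock is required")
    return ",".join(normalized)


def build_services_input(services: dict, known=KNOWN_PROTOCOLS) -> str:
    """Validate {ip: [[port, protocol], ...]} and return the JSON string the action takes."""
    out = {}
    for ip, entries in services.items():
        ip = str(ipaddress.ip_address(ip))  # the Services form keys single hosts
        checked = []
        for port, proto in entries:
            if not (isinstance(port, int) and 1 <= port <= 65535):
                raise ValueError(f"bad port {port!r} for {ip}")
            if proto not in known:
                raise ValueError(f"unknown protocol {proto!r} for {ip}:{port}; check List Protocols")
            checked.append([port, proto])
        out[ip] = checked
    return json.dumps(out, separators=(",", ":"))


if __name__ == "__main__":
    print(build_ips_input(["192.0.2.10", " 198.51.100.0/24 "]))
    print(build_services_input({"192.0.2.10": [[53, "dns-udp"], [443, "https"]]}))
```

In practice the allowlist would be filled from a List Protocols call earlier in the playbook rather than hard-coded, so the check tracks whatever the crawlers currently support.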
## Get Alert
This is used to get the information about a specific network alert.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------- | :-------------------------------------------- | :------- |
| Alert ID | Jinja-templated text containing the alert ID. | Required |
### Output
JSON containing the following items:
```json
{
  "notifiers": [],
  "name": "CIDR",
  "expires": 0,
  "size": 16384,
  "has_triggers": true,
  "triggers": {
    "malware": {},
    "open_database": {},
    "iot": {},
    "end_of_life": {},
    "internet_scanner": {},
    "industrial_control_system": {},
    "new_service": {},
    "ssl_expired": {},
    "vulnerable": {}
  },
  "has_error": false,
  "id": "Id",
  "error": null,
  "filters": { "ip": [ "0.0.0.0/18" ] },
  "expiration": null,
  "created": "2023-10-18T12:23:47.205000"
}
```
## Modify Alert
This is used to edit a network alert with a new list of IPs/networks to keep track of.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :------------ | :----------------------------------------------------------------------------------------------------------------- | :------- |
| Alert ID | Jinja-templated text containing the alert ID. | Required |
| Alert Details | Jinja-templated JSON containing the details of the alert to be modified. Example {"filters": {"ip": ["8.8.8.8","1.1.1.1"]}} | Required |
### Output
JSON containing the following items:
```json
{
  "name": "DNS Alert 2902",
  "expires": 0,
  "size": 5,
  "has_triggers": false,
  "triggers": {},
  "has_error": false,
  "id": "ID",
  "error": null,
  "filters": { "ip": [ "8.8.8.8", "1.1.1.1", "2.2.2.2", "3.3.3.3", "4.4.4.4" ] },
  "expiration": null,
  "created": "2024-04-30T11:52:48.108000"
}
```
## List Triggers
This returns a list of all the triggers that can be enabled on network alerts.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :-------------- | :----------------------------------------------------- | :------- |
| Explode Results | Explode each result in a separate row. (Default is No) | Optional |
### Output
JSON containing the following items:
```json
[
  { "name": "any", "description": "Match any service that is discovered", "rule": "*", "has_error": false, "error": null },
  { "name": "industrial_control_system", "description": "Services associated with industrial control systems", "rule": "tag:ics", "has_error": false, "error": null }
]
```
## Disable Trigger
This is used to stop getting notifications for the specified trigger.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------- | :---------------------------------------------------------------------------------------------------------- | :------- |
| Alert ID | Jinja-templated text containing the alert ID. | Required |
| Triggers | Jinja-templated text containing the comma-separated list of trigger names. Example 'new_service,vulnerable' | Required |
### Output
JSON containing the following items:
```json
{ "has_error":false, "success":true, "error":null }
```
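Modify Alert replaces the alert's filter list wholesale, so the usual playbook pattern is Get Alert, merge the change into the current `filters.ip` list, then submit the result as Alert Details; Disable Trigger (and Enable Trigger) take a comma-separated list of names that must match what List Triggers returns. The code below is an added example covering both the Modify Alert and Disable Trigger passages, not Devo SOAR or Shodan code: it derives the Alert Details JSON from a Get Alert result with deduplicated, normalized entries, and builds the Triggers input against the trigger catalogue. The sample alert and `AVAILABLE_TRIGGERS` are constructed from the outputs shown on this page, and the function names are assumptions for the example.

```python
"""Build the Alert Details input (Modify Alert) and the Triggers input
(Disable Trigger) from a Get Alert result.

Added example, not Devo SOAR or Shodan code. Shapes follow the page:
filters.ip on the alert, {"filters": {"ip": [...]}} for Alert Details and
comma-separated trigger names. Sample data is constructed from the outputs
shown on the page; function names are assumptions for the example.
"""
import ipaddress
import json

# Constructed from the Get Alert output on this page
SAMPLE_ALERT = {
    "name": "CIDR",
    "filters": {"ip": ["192.0.2.0/24"]},
    "triggers": {"new_service": {}, "vulnerable": {}},
    "has_error": False,
    "error": None,
}

# Constructed subset of the names returned by List Triggers on this page
AVAILABLE_TRIGGERS = {"any", "industrial_control_system", "new_service", "vulnerable", "malware"}


def _norm(entry: str) -> str:
    """Canonical form of an IP filter entry: bare host, or network in CIDR notation."""
    net = ipaddress.ip_network(entry.strip(), strict=False)
    # The alert outputs on this page list single hosts without a /32 suffix
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def merge_alert_filters(alert: dict, add: list, remove: list = ()) -> str:
    """Return the Alert Details JSON: current IP filters plus `add`, minus `remove`.

    Entries are normalized so "192.0.2.5" and "192.0.2.5/32" cannot both
    survive, and the list is sorted so successive modifications diff cleanly.
    """
    if alert.get("has_error"):
        raise ValueError(f"refusing to modify alert: {alert.get('error')}")
    current = {_norm(e) for e in alert.get("filters", {}).get("ip", [])}
    wanted = (current | {_norm(e) for e in add}) - {_norm(e) for e in remove}
    return json.dumps({"filters": {"ip": sorted(wanted)}}, separators=(",", ":"))


def build_trigger_list(names, available=AVAILABLE_TRIGGERS) -> str:
    """Return the comma-separated Triggers input, rejecting names List Triggers does not offer."""
    unknown = [n for n in names if n not in available]
    if unknown:
        raise ValueError(f"unknown trigger names: {unknown}")
    return ",".join(dict.fromkeys(names))  # deduplicate while keeping order


if __name__ == "__main__":
    print(merge_alert_filters(SAMPLE_ALERT, add=["198.51.100.7/32", "192.0.2.0/24"]))
    print(build_trigger_list(["new_service", "vulnerable", "new_service"]))
```

Because the merge starts from the live Get Alert result rather than from a value stored in the playbook, an IP added to the alert by another analyst in the meantime is preserved instead of silently dropped by the replace.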
## Remove From Whitelist
This is used to start getting notifications again for the specified trigger.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------- | :---------------------------------------------------------------------------------------------------------- | :------- |
| Alert ID | Jinja-templated text containing the alert ID. | Required |
| Triggers | Jinja-templated text containing the comma-separated list of trigger names. Example 'new_service,vulnerable' | Required |
| Services | Jinja-templated text containing the service specified in the format "ip:port". Example '1.1.1.1:53' | Required |
### Output
JSON containing the following items:
```json
{ "has_error":false, "success":true, "error":null }
```
## Remove Notifier
This is used to remove the notification service from the alert. Notifications are only sent if triggers have also been enabled.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :---------- | :----------------------------------------------------------------- | :------- |
| Alert ID | Jinja-templated text containing the alert ID. | Required |
| Notifier ID | Jinja-templated text containing the Notifier ID. Example 'default' | Required |
### Output
JSON containing the following items:
```json
{
  "has_error": false,
  "success": true,
  "error": null
}
```
## Release Notes
### v2.1.1
- Added 17 new actions: List Ports, List Protocols, List Scans, Status of Scan, Scan Network, Create Alert, Get Alert, Delete Alert, Modify Alert, List Alerts, List Triggers, Enable Trigger, Disable Trigger, Add to Whitelist, Remove From Whitelist, Add Notifier and Remove Notifier.
### v2.0.8
- Modified IP Lookup v2 to Lookup v2, to handle generic filter search while maintaining backward compatibility.
### v2.0.0
- Updated architecture to support IO via filesystem.
### v1.1.2
- Added documentation link in the automation library.
### v1.1.1
- New action created which returns valid JSON.