Package Documentation
Storm Package: synapse-shodan
The following Commands are available from this package. This documentation is generated for version 5.4.3 of the package.
Storm Commands
This package implements the following Storm Commands.
shodan.apiinfo
Display Shodan API info for the API key.
Endpoints:
/api-info : Returns information about the API plan belonging to the given API key.
Usage: shodan.apiinfo [options]
Options:
--help : Display the command usage.
The command is accessible to users with one or more of the following permissions:
power-ups.shodan.user
shodan.dns.domain
Use the Shodan API to enrich an inet:fqdn.
Costs 1 query per page. Each page contains 100 results.
Example
// Get dns records for the domain vertex.link and associated subdomains
inet:fqdn=vertex.link | shodan.dns.domain --yield
// Get subdomains for the domain vertex.link
inet:fqdn=vertex.link | shodan.dns.domain | -> inet:fqdn:zone
Endpoints:
/dns/domain/{domain} : Get all the subdomains and other DNS entries for the given domain.
Usage: shodan.dns.domain [options]
Options:
--help : Display the command usage.
--type <type> : The type of DNS records to return. (A MX NS TXT AAAA CNAME).
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node). (default: 100)
--yield : Yield the newly created inet:dns:* nodes.
--no-tags <no_tags> : Construct nodes but do not record tags returned by the Shodan API. (default: False)
Inputs:
inet:fqdn : inet:fqdn nodes
The command is accessible to users with one or more of the following permissions:
power-ups.shodan.spend
power-ups.shodan.user
shodan.enrich
Enrich a node using the Shodan API to get additional context.
NOTE - If you are using a free API key, you will need to specify --no-history.
Example
inet:ipv4=8.8.8.8 | shodan.enrich --asof now
Endpoints:
/shodan/host/{ipaddr} : Returns all services that have been found on the given host IP from the Shodan API.
Usage: shodan.enrich [options]
Options:
--help : Display the command usage.
--asof <asof> : Use cached results dating back this far. Use "--asof now" to disable. (default: -30days)
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node). (default: 100)
--yield : Yield the newly created inet:flow nodes.
--no-tags : Construct nodes but do not record tags returned by the Shodan API.
--no-history : Do not request historical results.
Inputs:
inet:ipv4 : inet:ipv4 nodes
inet:ipv6 : inet:ipv6 nodes
The command is accessible to users with one or more of the following permissions:
power-ups.shodan.user
shodan.search
Populate and link inet:flow nodes by ingesting the results of a Shodan search query.
Costs 1 query per page beyond the first page. Users attempting to query beyond
the first page must have the power-ups.shodan.spend permission. Each page
contains 100 results.
This command will also create an it:exec:query node to represent the
query syntax and link resulting inet:flow nodes to it via -(found)> edges.
Endpoints:
/shodan/host/search : Search Shodan using the same query syntax as the website and use facets to get summary information for different properties.
Usage: shodan.search [options] <query>
Options:
--help : Display the command usage.
--size <size> : Limit the number of results ingested to the given size. (default: 100)
--debug : Show verbose debug output.
--yield : Yield the newly created inet:flow nodes.
--no-tags : Add nodes but do not record tags returned by the Shodan API.
Arguments:
<query> : A query string in Shodan search syntax.
The command is accessible to users with one or more of the following permissions:
power-ups.shodan.user
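An added example (not part of the generated package documentation) of the provenance link described for shodan.search: it runs a search, then walks the found edges in both directions. The netblock 198.51.100.0/24 is a constructed placeholder for a range you are responsible for, and net: is a Shodan search filter.

```storm
// Constructed query: 198.51.100.0/24 is a documentation range standing in
// for an address block you own. --size 100 stays within the first page of
// results, so power-ups.shodan.spend is not needed for this search.
// The yielded inet:flow nodes are walked backwards over the found edge to
// the it:exec:query node that recorded the search.
shodan.search --size 100 --yield "net:198.51.100.0/24"
| <(found)- it:exec:query
| uniq

// Forward direction: from recorded query nodes to the flows they produced.
// This lifts every it:exec:query node in the view, not only Shodan searches.
it:exec:query -(found)> inet:flow
```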
shodan.setup.apikey
Manage the Shodan API key.
Examples
// Set a global Shodan API key
shodan.setup.apikey abcd1234
// Set a Shodan API key for the current user
shodan.setup.apikey --self abcd1234
// Display the API key scope of the current key
shodan.setup.apikey --show-scope
// Display the current API key.
shodan.setup.apikey --show-apikey
// Remove the current global API key.
shodan.setup.apikey --remove
// Remove the per-user API key for the current user.
shodan.setup.apikey --self --remove
Usage: shodan.setup.apikey [options] <apikey>
Options:
--help : Display the command usage.
--self : Set or remove the key as a user variable. If not used, the key is set globally.
--show-scope : Display the API key scope in use (global vs self).
--show-apikey : Display the API key value (requires admin perms or a "self" scope key).
--remove : Remove the configured API key. May be used with --self.
Arguments:
[apikey] : The Shodan API key string.
The command is accessible to users with one or more of the following permissions:
power-ups.shodan.user
shodan.setup.tagprefix
Set the tag prefix used when recording Shodan tags.
The default tag prefix is "rep.shodan" if not specified.
Any tags provided by the Shodan API will be added within the given namespace.
For example, the Shodan tag "foo" would result in "#rep.shodan.foo". Any
characters incompatible with tag names are replaced with "_".
Usage: shodan.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
The command is accessible to users with one or more of the following permissions:
power-ups.shodan.user
Storm Modules
This package does not export any Storm APIs.