User Guide
Synapse-Shodan User Guide
Synapse-Shodan adds new Storm commands to allow you to query the Shodan API using your existing API key.
Getting Started
Check with your Global Admin to enable permissions and find out if you need a personal API key.
Examples
Setting your personal API key
To set-up a personal use API key:
> shodan.setup.apikey --self myapikey
Setting Shodan API key for the current user.
Use shodan.search
command to populate inet:flow
nodes
You may use the shodan.search
command to populate inet:flow
nodes
using Shodan search syntax. In the following example, we will populate
up to 10 inet:flow
nodes based on the search string Microtik
:
> shodan.search --yield --size 2 Microtik
inet:flow=4c3eccf0f242b7fe8616f6f98482c5a2
.created = 2024/12/20 18:15:05.863
:dst = tcp://43.241.140.3:1723
:dst:handshake = Firmware: 1
Hostname: Bhachau Microtik Server
Vendor: MikroTik
:dst:ipv4 = 43.241.140.3
:dst:port = 1723
:dst:proto = tcp
:time = 2021/08/19 05:31:26.780
#rep.shodan.vpn
inet:flow=3455f780b8ac7bf61713733c15505adc
.created = 2024/12/20 18:15:05.920
:dst = tcp://84.47.142.34:1723
:dst:handshake = Firmware: 1
Hostname: microtik
Vendor: MikroTik
:dst:ipv4 = 84.47.142.34
:dst:port = 1723
:dst:proto = tcp
:time = 2021/08/19 05:13:27.977
#rep.shodan.vpn
This will also populate an it:exec:query
node to represent the search
query syntax:
> it:exec:query:text=Microtik +:language=shodan
it:exec:query=642d3fac7df7b234377e13421a342722
.created = 2024/12/20 18:15:05.829
:api:url = https://api.shodan.io/shodan/host/search
:language = shodan
:text = Microtik
:time = 2024/12/20 18:15:05.757
The it:exec:query
node will also be linked to the resulting inet:flow
nodes
via -(found)>
light-weight edges:
> it:exec:query:text=Microtik +:language=shodan -(found)> inet:flow
inet:flow=4c3eccf0f242b7fe8616f6f98482c5a2
.created = 2024/12/20 18:15:05.863
:dst = tcp://43.241.140.3:1723
:dst:handshake = Firmware: 1
Hostname: Bhachau Microtik Server
Vendor: MikroTik
:dst:ipv4 = 43.241.140.3
:dst:port = 1723
:dst:proto = tcp
:time = 2021/08/19 05:31:26.780
#rep.shodan.vpn
inet:flow=3455f780b8ac7bf61713733c15505adc
.created = 2024/12/20 18:15:05.920
:dst = tcp://84.47.142.34:1723
:dst:handshake = Firmware: 1
Hostname: microtik
Vendor: MikroTik
:dst:ipv4 = 84.47.142.34
:dst:port = 1723
:dst:proto = tcp
:time = 2021/08/19 05:13:27.977
#rep.shodan.vpn
For query syntax details, see the Shodan Help Center.
Use of meta:source
nodes
Synapse-Shodan uses a meta:source
node and -(seen)>
light
weight edges to track nodes observed from the Shodan API.
> meta:source=2cb67376db10f495740634c682b98e81
meta:source=2cb67376db10f495740634c682b98e81
.created = 2024/12/20 18:15:05.756
:name = synapse-shodan
Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-Shodan. The following example shows how to filter the results of a query to include only results observed by Synapse-Shodan:
> #cool.tag.lift +{ <(seen)- meta:source=2cb67376db10f495740634c682b98e81 }