If you're looking for a web-based interface for setting up network monitoring then please check out our Shodan Monitor website. It's designed to make it very easy to get started with monitoring your attack surface. If you'd like to control everything via the CLI then you're in the right place. The CLI can do everything the website is able to do - and more!
All of the network monitoring capabilities of the CLI are put behind the alert command. It supports a variety of subcommands and we'll cover most of them here:
Usage: shodan alert [OPTIONS] COMMAND [ARGS]...
Manage the network alerts for your account
Options:
-h, --help Show this message and exit.
Commands:
clear Remove all alerts
create Create a network alert to monitor an external network
disable Disable a trigger for the alert
domain Create a network alert based on a domain name
enable Enable a trigger for the alert
info Show information about a specific alert
list List all the active alerts
remove Remove the specified alert
stats Show summary information about your monitored networks
triggers List the available notification triggers
To create a network monitor/alert use the shodan alert create command:
Usage: shodan alert create [OPTIONS] <name> <netblocks>
Create a network alert to monitor an external network
Options:
-h, --help Show this message and exit.
It's fairly straightforward. Just provide it with a name for the networks that you're going to monitor and then a list of IPs or networks. For example, here we create a network monitor for the IP 154.25.60.42:
$ shodan alert create "My Network" 154.25.60.42
Or you can provide it with a long list of IPs and networks:
$ shodan alert create "Many Networks" 198.20.79.0/24 199.2.60.42 1.1.1.1
The number of IPs/networks that you can monitor depends on your API subscription. Members can monitor up to 16 IPs whereas enterprise customers can monitor the entire Internet.
At this point, you've told Shodan which networks you would like to monitor but you haven't yet told Shodan when you'd like to get notifications. To do so we need to enable triggers.
Triggers are rules that run against any banner collected for your monitored networks and can cause a notification to get sent out. I.e. whenever Shodan finds a service on your IP/network it performs a series of checks and if they match any of your triggers then you get a notification. You can see the list of available triggers by running:
$ shodan alert triggers
We recommend enabling the following triggers: new_service, malware, open_database, iot, vulnerable, ssl_expired, industrial_control_system, internet_scanner.
The most important trigger in the above list is new_service. The new_service trigger fires a notification whenever Shodan finds a service/port on your network that it hasn't seen before. I.e. it lets you know when something in your environment changes. All of the other triggers will send out a notification whenever Shodan finds the service, regardless of whether it has been discovered before or not.
To enable a trigger you need to use the enable subcommand:
$ shodan alert enable -h
Usage: shodan alert enable [OPTIONS] <alert ID> <trigger name>
Enable a trigger for the alert
Options:
-h, --help Show this message and exit.
There are 2 required arguments for the subcommand: the alert ID for the network(s) you're monitoring and a list of trigger names. The trigger names can either be an individual trigger name (ex. new_service) or a comma-separated list of triggers (ex. new_service,malware).
Run the following command to get a list of alerts on your account and their IDs:
$ shodan alert list
You're now ready to enable triggers on your monitored network. Once a trigger has been added to an alert you will start getting notifications to the email address on your Shodan account. Let's add the new_service trigger (assuming your alert ID is 218441SBIEDT4U68):
$ shodan alert enable 218441SBIEDT4U68 new_service
Or you can add the entire list of recommended triggers:
$ shodan alert enable 218441SBIEDT4U68 new_service,malware,open_database,iot,vulnerable,ssl_expired,industrial_control_system,internet_scanner
Nothing changes if you enable the same trigger twice, so we can safely enable new_service again. And now you're done! As Shodan crawls your IPs/networks and finds services you will get notifications based on your configured triggers.
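As an added example that is not part of the Shodan documentation, the following POSIX shell script wraps the enable step above so the recommended triggers can be applied to one alert ID or to a whole list of them, and re-run safely. It assumes the shodan CLI is installed and initialised; the SHODAN variable is the script's own hook for a dry run (SHODAN=echo only prints the commands it would run).

```shell
#!/bin/sh
# Added example, not part of the Shodan docs: enable the recommended triggers
# on one or many existing alerts in a re-runnable way. Assumes the `shodan`
# CLI is installed and initialised; SHODAN can point at a wrapper command
# (SHODAN=echo gives a dry run that only prints the commands).
set -eu

SHODAN="${SHODAN:-shodan}"

# Trigger names recommended in the text, space separated for shell iteration.
RECOMMENDED="new_service malware open_database iot vulnerable ssl_expired industrial_control_system internet_scanner"

# Print the recommended triggers comma-separated, the form `alert enable` takes.
# The subshell keeps the IFS change from leaking into the caller.
recommended_triggers() {
    (set -- $RECOMMENDED; IFS=,; printf '%s\n' "$*")
}

# Exit 0 if the given name is one of the recommended triggers.
is_recommended_trigger() {
    for t in $RECOMMENDED; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# Enable every recommended trigger on one alert. Enabling an already active
# trigger changes nothing, so running this repeatedly is harmless.
enable_recommended() {
    alert_id="${1:-}"
    if [ -z "$alert_id" ]; then
        echo "enable_recommended: alert ID required" >&2
        return 1
    fi
    "$SHODAN" alert enable "$alert_id" "$(recommended_triggers)"
}

# Read alert IDs from stdin (one per line; blank lines and '#' comments are
# skipped) and enable the recommended triggers on each.
enable_recommended_each() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        enable_recommended "$line"
    done
}
```

Feed the IDs printed by shodan alert list into enable_recommended_each to bring every alert on the account up to the recommended trigger set.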
The above works great for IPs/networks that you own, but what about services deployed to the cloud? Or if you have a dynamic IP at home?
So far we've only worked directly with IPs and network ranges but sometimes you don't know them. Or the underlying services are running in the cloud and keep changing periodically. In those cases, you can use the domain-based network monitoring available in Shodan. The basic command to get started is even easier than for regular network monitoring:
$ shodan alert domain -h
Usage: shodan alert domain [OPTIONS] <domain>
Create a network alert based on a domain name
Options:
--triggers TEXT List of triggers to enable
-h, --help Show this message and exit.
Just provide the subcommand with a hostname or domain and that's it! Shodan will find all the subdomains for the domain, grab all their IPs, create a network monitor for them and keep that monitor up to date as the DNS information changes. You can view the information that Shodan currently has available for a domain using the shodan domain command.
There are a few things to consider:
- If you provide a domain (ex. cnn.com) then it will monitor everything under that domain, including subdomains. Shodan continuously performs subdomain enumeration and a variety of other OSINT techniques to discover services that a domain is running.
- If you provide a hostname (ex. www.cnn.com) then Shodan will only monitor that specific subdomain. It will simply create a new alert and make sure it's always synced to the IP of the provided hostname. This is ideal for monitoring dynamic home IPs.
Now that you've configured network monitoring it's time to get a look at what is currently exposed. Notifications help you keep track of changes or fix issues as they appear, but how do you find out the current top 20 ports that are on your network? Or a list of all the verified vulnerabilities? To get that information we will use facets and the shodan alert stats command:
$ shodan alert stats -h
Usage: shodan alert stats [OPTIONS] <facets ...>
Show summary information about your monitored networks
Options:
--limit INTEGER The number of results to return.
-O, --filename TEXT Save the results in a CSV file of the provided name.
-h, --help Show this message and exit.
The Shodan Monitor website generates its dashboard by faceting on port, vuln and vuln.verified. We can get the same information as the dashboard by running the command:
$ shodan alert stats port vuln.verified vuln
By default, the CLI will show you the top 10 values for a facet/property. You can request more values by increasing the limit using the --limit option. For example, let's get a breakdown of the top 100 ports for our monitored networks:
$ shodan alert stats --limit 100 port
For a list of available facets please check out our Facet Analysis page.