If you're looking for a web-based interface for setting up network monitoring then please check out our Shodan Monitor website. It's designed to make it very easy to get started with monitoring your attack surface. If you'd like to control everything via the CLI then you're in the right place. The CLI can do everything the website is able to do - and more!
All of the network monitoring capabilities of the CLI sit behind the alert command. It supports a variety of subcommands and we'll cover most of them here:
Usage: shodan alert [OPTIONS] COMMAND [ARGS]...

  Manage the network alerts for your account

Options:
  -h, --help  Show this message and exit.

Commands:
  clear     Remove all alerts
  create    Create a network alert to monitor an external network
  disable   Disable a trigger for the alert
  domain    Create a network alert based on a domain name
  enable    Enable a trigger for the alert
  info      Show information about a specific alert
  list      List all the active alerts
  remove    Remove the specified alert
  stats     Show summary information about your monitored networks
  triggers  List the available notification triggers
Create a network monitor
To create a network monitor/alert use the shodan alert create command:
Usage: shodan alert create [OPTIONS] <name> <netblocks>

  Create a network alert to monitor an external network

Options:
  -h, --help  Show this message and exit.
It's fairly straightforward. Provide a name for the networks you're going to monitor, followed by a list of IPs or networks. For example, here we create a network monitor for the single IP 22.214.171.124:
shodan alert create "My Network" 22.214.171.124
Or you can provide it with a long list of IPs and networks:
shodan alert create "Many Networks" 126.96.36.199/24 188.8.131.52 184.108.40.206
The number of IPs/networks that you can monitor depends on your API subscription: Members can monitor up to 16 IPs, whereas enterprise customers can monitor the entire Internet.
At this point, you've told Shodan which networks you would like to monitor but you haven't yet told Shodan when you'd like to get notifications. To do so we need to enable triggers.
Triggers are rules that run against every banner collected for your monitored networks and can cause a notification to be sent. Whenever Shodan finds a service on your IP/network it performs a series of checks, and if the banner matches any of your enabled triggers you get a notification. You can see the list of available triggers by running:
shodan alert triggers
We recommend enabling the following triggers: new_service, malware, open_database, iot, vulnerable, ssl_expired, industrial_control_system and internet_scanner.
The most important trigger in that list is new_service. The new_service trigger fires a notification whenever Shodan finds a service/port on your network that it hasn't seen before, i.e. it lets you know when something in your environment changes. All of the other triggers send a notification whenever Shodan finds a matching service, regardless of whether it has been discovered before.
To enable a trigger you need to use the shodan alert enable subcommand:
$ shodan alert enable -h
Usage: shodan alert enable [OPTIONS] <alert ID> <trigger name>

  Enable a trigger for the alert

Options:
  -h, --help  Show this message and exit.
There are 2 required arguments for the subcommand: the alert ID for the network(s) you're monitoring and the trigger(s) to enable. The trigger argument can be either an individual trigger name (ex. new_service) or a comma-separated list of triggers (ex. new_service,malware).
Run the following command to get a list of alerts on your account and their IDs:
shodan alert list
You're now ready to enable triggers on your monitored network. Once a trigger has been added to an alert you will start getting notifications at the email address on your Shodan account. Let's add the new_service trigger (assuming your alert ID is 218441SBIEDT4U68):
shodan alert enable 218441SBIEDT4U68 new_service
Or you can add the entire list of recommended triggers:
shodan alert enable 218441SBIEDT4U68 new_service,malware,open_database,iot,vulnerable,ssl_expired,industrial_control_system,internet_scanner
Nothing changes if you enable the same trigger twice, so it is safe to enable new_service again. And now you're done! As Shodan crawls your IPs/networks and finds services you will get notifications based on your configured triggers.
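As an added example (this is not code from the Shodan CLI or its documentation), the following POSIX shell script wraps the create-and-enable procedure above with the checks a practitioner usually wants before touching the API: it validates the netblocks and adds up how many addresses they cover against the plan's IP budget (the 16-IP Members figure from above is the assumed default), deduplicates the trigger list and rejects names outside the recommended set, and only then runs shodan alert create and enables the triggers on the new alert. The "Alert ID:" output line that it parses from the create command, and the script name monitor.sh, are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Shodan CLI or its docs: a guard-railed wrapper
# around `shodan alert create` + `shodan alert enable`.
# Assumptions (labelled where used): the "Alert ID:" output line, and the trigger
# names below, which are the page's recommended list. Refresh KNOWN_TRIGGERS from
# `shodan alert triggers` if you want to allow others.
set -euf   # -f: no globbing, since user input is word-split on IFS below

KNOWN_TRIGGERS="new_service malware open_database iot vulnerable ssl_expired industrial_control_system internet_scanner"

# is_ipv4 A.B.C.D -> succeeds only for four decimal octets in 0..255 without leading zeros
is_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# netblock_size IP[/PREFIX] -> prints the number of addresses covered (1 for a bare IP)
netblock_size() {
  case $1 in
    */*) ip=${1%%/*}; prefix=${1#*/} ;;
    *)   ip=$1; prefix=32 ;;
  esac
  is_ipv4 "$ip" || return 1
  case $prefix in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  echo $(( 1 << (32 - prefix) ))
}

# monitored_ip_count NETBLOCK... -> prints the total address count; fails on a malformed entry
monitored_ip_count() {
  total=0
  for nb in "$@"; do
    n=$(netblock_size "$nb") || { echo "invalid netblock: $nb" >&2; return 1; }
    total=$(( total + n ))
  done
  echo "$total"
}

# within_budget LIMIT NETBLOCK... -> succeeds if the total fits the plan's IP budget
within_budget() {
  limit=$1; shift
  total=$(monitored_ip_count "$@") || return 1
  [ "$total" -le "$limit" ]
}

# normalize_triggers NAME[,NAME...] -> prints a deduplicated comma-separated list,
# failing on a name not in KNOWN_TRIGGERS (a typo would otherwise only be caught by the API)
normalize_triggers() {
  out=""
  old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
  for t in "$@"; do
    [ -n "$t" ] || continue
    case " $KNOWN_TRIGGERS " in
      *" $t "*) ;;
      *) echo "unknown trigger: $t" >&2; return 1 ;;
    esac
    case ",$out," in
      *",$t,"*) ;;                 # duplicate: enabling twice is a no-op anyway
      *) out=${out:+$out,}$t ;;
    esac
  done
  [ -n "$out" ] || return 1
  echo "$out"
}

# ensure_alert LIMIT NAME TRIGGERS NETBLOCK... -> creates the alert, enables the triggers,
# prints the new alert ID.
# Assumption: `shodan alert create` prints a line of the form "Alert ID: <id>".
ensure_alert() {
  limit=$1; name=$2; wanted=$3; shift 3
  within_budget "$limit" "$@" || { echo "netblocks are malformed or exceed the $limit-IP budget" >&2; return 1; }
  triggers=$(normalize_triggers "$wanted") || return 1
  aid=$(shodan alert create "$name" "$@" | sed -n 's/^Alert ID: *//p')
  [ -n "$aid" ] || { echo "could not read an alert ID from shodan output" >&2; return 1; }
  shodan alert enable "$aid" "$triggers"
  echo "$aid"
}

# Usage: sh monitor.sh 16 "My Network" new_service,malware,vulnerable 203.0.113.0/28 198.51.100.7
if [ "$#" -ge 4 ]; then
  ensure_alert "$@"
fi
```

The budget check matters because a /24 counts as 256 addresses, not one entry, so a list that looks short can still exceed a Members subscription; catching that locally saves a round trip and a half-created alert. The trigger list is deduplicated only for tidiness, since the text above notes that enabling the same trigger twice changes nothing.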
The above works great for IPs/ networks that you own but what about services deployed to the cloud? Or if you have a dynamic IP at home?
Domain-based network monitoring
So far we've only worked directly with IPs and network ranges, but sometimes you don't know them, or the underlying services run in the cloud and their IPs change periodically. In those cases you can use Shodan's domain-based network monitoring. The basic command to get started is even easier than for regular network monitoring:
$ shodan alert domain -h
Usage: shodan alert domain [OPTIONS] <domain>

  Create a network alert based on a domain name

Options:
  --triggers TEXT  List of triggers to enable
  -h, --help       Show this message and exit.
Just provide the subcommand with a hostname or domain and that's it! Shodan will find the subdomains of the domain, resolve their IPs, create a network monitor for them and keep that monitor up to date as the DNS information changes. You can view the information that Shodan currently has for a domain using the shodan domain command.
There are a few things to consider:
- If you provide an apex domain (ex. cnn.com, i.e. the registered domain rather than a hostname under it) then it will monitor everything under that domain, including subdomains. Shodan continuously performs subdomain enumeration and a variety of other OSINT techniques to discover services that a domain is running.
- If you provide a specific hostname (ex. www.cnn.com) then Shodan will only monitor that hostname. It simply creates a new alert and keeps it synced to the IP the hostname resolves to. This is ideal for monitoring dynamic home IPs.
Analyzing your Exposure
Now that you've configured network monitoring it's time to look at what is currently exposed. Notifications help you keep track of changes and fix issues as they appear, but how do you find out the current top 20 ports on your network? Or get a list of all the verified vulnerabilities? To get that information we use facets and the shodan alert stats command:
$ shodan alert stats -h
Usage: shodan alert stats [OPTIONS] <facets ...>

  Show summary information about your monitored networks

Options:
  --limit INTEGER      The number of results to return.
  -O, --filename TEXT  Save the results in a CSV file of the provided name.
  -h, --help           Show this message and exit.
The Shodan Monitor website generates its dashboard by faceting on port, vuln.verified and vuln. We can get the same information as the dashboard by running:
shodan alert stats port vuln.verified vuln
By default the CLI shows you the top 10 values for a facet/property. You can request more values by increasing the limit with the --limit option. For example, let's get a breakdown of the top 100 ports for our monitored networks:
shodan alert stats --limit 100 port
For a list of available facets please check out our Facet Analysis page.