Network Monitoring

If you're looking for a web-based interface for setting up network monitoring then please check out our Shodan Monitor website. It's designed to make it very easy to get started with monitoring your attack surface. If you'd like to control everything via the CLI then you're in the right place. The CLI can do everything the website is able to do - and more!

alert

All of the network monitoring capabilities of the CLI are put behind the alert command. It supports a variety of subcommands and we'll cover most of them here:

Usage: shodan alert [OPTIONS] COMMAND [ARGS]...

  Manage the network alerts for your account

Options:
  -h, --help  Show this message and exit.

Commands:
  clear     Remove all alerts
  create    Create a network alert to monitor an external network
  disable   Disable a trigger for the alert
  domain    Create a network alert based on a domain name
  enable    Enable a trigger for the alert
  info      Show information about a specific alert
  list      List all the active alerts
  remove    Remove the specified alert
  stats     Show summary information about your monitored networks
  triggers  List the available notification triggers
Create a network monitor

To create a network monitor/ alert use the shodan alert create command:

Usage: shodan alert create [OPTIONS] <name> <netblocks>

  Create a network alert to monitor an external network

Options:
  -h, --help  Show this message and exit.

It's fairly straight-forward. Just provide it with a name of the networks that you're going to monitor and then a list of IPs or networks. For example, here we create a network monitor for the IP 154.25.60.42:

$ shodan alert create "My Network" 154.25.60.42

Or you can provide it with a long list of IPs and networks:

$ shodan alert create "Many Networks" 198.20.79.0/24 199.2.60.42 1.1.1.1

The number of IPs/ networks that you can monitor depends on your API subscription. Members can monitor up to 16 IPs whereas enterprise customers can monitor the entire Internet.

At this point, you've told Shodan which networks you would like to monitor but you haven't yet told Shodan when you'd like to get notifications. To do so we need to enable triggers.

Getting Notifications

Triggers are rules that run against any banner collected for your monitored networks and can cause a notification to get sent out. I.e. whenever Shodan finds a service on your IP/ network it performs a series of checks and if they meet any of your triggers then you get a notification. You can see the list of available triggers by running:

$ shodan alert triggers

We recommend enabling the triggers:

  • new_service
  • malware
  • open_database
  • iot
  • vulnerable
  • ssl_expired
  • industrial_control_system
  • internet_scanner

The most important trigger in the above list is new_service. The new_service trigger fires a notification whenever Shodan finds a service/ port on your network that it hasn't seen before. I.e. it lets you know when something in your environment changes. All of the other triggers will send out a notification whenever Shodan finds the service - regardless if it's been discovered before or not.

To enable a trigger you need to use the enable subcommand:

$ shodan alert enable -h
Usage: shodan alert enable [OPTIONS] <alert ID> <trigger name>

  Enable a trigger for the alert

Options:
  -h, --help  Show this message and exit.

There are 2 required arguments for the subcommand: the alert ID for the network(s) you're monitoring and a list of trigger names. The trigger names can either be an individual trigger name (ex. new_service) or a comma-separated list of triggers (ex. new_service,malware).

Run the following command to get a list of alerts on your account and their IDs:

$ shodan alert list

You're now ready to enable triggers on your monitored network. Once a trigger has been added to an alert you will start getting notifications to the email address on your Shodan account. Lets add the new_service trigger (assuming your alert ID is 218441SBIEDT4U68):

$ shodan alert enable 218441SBIEDT4U68 new_service

Or you can add the entire list of recommended triggers:

$ shodan alert enable 218441SBIEDT4U68 new_service,malware,open_database,iot,vulnerable,ssl_expired,industrial_control_system,internet_scanner

Nothing changes if you enable the same trigger twice so we can safely enable new_service again. And now you're done! As Shodan crawls your IPs/ networks and finds services you will get notifications based on your configured triggers.

The above works great for IPs/ networks that you own but what about services deployed to the cloud? Or if you have a dynamic IP at home?

Domain-based network monitoring

So far we've only worked directly with IPs and network ranges but sometimes you don't know them. Or the underlying services are running in the cloud and keep changing periodically. In those cases, you can use the domain-based network monitoring available in Shodan. The basic command to get started is even easier than for regular network monitoring:

$ shodan alert domain -h
Usage: shodan alert domain [OPTIONS] <domain>

  Create a network alert based on a domain name

Options:
  --triggers TEXT  List of triggers to enable
  -h, --help       Show this message and exit.

Just provide the subcommand with a hostname or domain and that's it! Shodan will find all the subdomains for the domain, grab all their IPs, create a network monitor for them and keep that monitor up to date as the DNS information changes. You can view the information that Shodan currently has available for a domain using the shodan domain command.

There are a few things to consider:

  1. If you provide a top-level domain (ex. cnn.com) then it will monitor everything under that domain - including subdomains. Shodan continuously performs subdomain enumeration and a variety of other OSINT techniques to discover services that a domain is running.
  2. If you provide a specific hostname (ex. www.cnn.com) then Shodan will only monitor that specific subdomain. It will simply create a new alert and make sure it's always synced to the IP of the provided hostname. This is ideal for monitoring dynamic home IPs.
Analyzing your Exposure

Now that you've configured network monitoring it's time to get a look at what is currently exposed. Notifications help you keep track of changes or fix issues as they appear but how do you find out the current top 20 ports that are on your network? Or a list of all the verified vulnerabilities? To get that information we will use facets and the shodan alert stats command:

$ shodan alert stats -h
Usage: shodan alert stats [OPTIONS] <facets ...>

  Show summary information about your monitored networks

Options:
  --limit INTEGER      The number of results to return.
  -O, --filename TEXT  Save the results in a CSV file of the provided name.
  -h, --help           Show this message and exit.

The Shodan Monitor website generates its dashboard by faceting on port, vuln and vuln.verified. We can get the same information as the dashboard by running the command:

$ shodan alert stats port vuln.verified vuln

By default, the CLI will show you the top 10 values for a facet/ property. You can request more values by increasing the limit using the --limit option. For example, lets get a breakdown of the top 100 ports for our monitored networks:

$ shodan alert stats --limit 100 port

For a list of available facets please check out our Facet Analysis page.