Steampipe Shodan Plugin

Steampipe lets you query REST APIs as if they were a SQL database, and it lets you JOIN data from different APIs using familiar SQL syntax. In this short guide we'll show how to get set up and use Steampipe with its Shodan plugin.

To get started, follow their instructions to install Steampipe on your operating system of choice:

Install Steampipe

If everything is correctly installed you should be able to run the following command to get the version of the Steampipe command:

~$ steampipe -v
steampipe version 0.7.1

Next we will be installing the Shodan plugin for Steampipe:

~$ steampipe plugin install shodan

Installed plugin: shodan v0.0.1
Documentation:    https://hub.steampipe.io/plugins/turbot/shodan

The final step is to enter your API key, which you can get from your Shodan Account page. By default, the configuration file for the shodan plugin is stored at ~/.steampipe/config/shodan.spc. It should look like this:

connection "shodan" {
  plugin = "shodan"

  # Shodan requires an API key for all requests, but offers a free tier.
  # Sign up on the Shodan website (https://account.shodan.io) to get your free
  # token (it looks like `ZGloRSAl6Tvur9tCTu44NkZIe1i5Cc5U`) and set it:
  #api_key  = "YOUR_API_KEY_HERE"
}

Uncomment the line that begins with api_key and enter your Shodan API key. It should look something like this (replace XXX with your API key):

connection "shodan" {
  plugin = "shodan"

  # Shodan requires an API key for all requests, but offers a free tier.
  # Sign up on the Shodan website (https://account.shodan.io) to get your free
  # token (it looks like `ZGloRSAl6Tvur9tCTu44NkZIe1i5Cc5U`) and set it:
  api_key  = "XXX"
}

And now we can start querying the Shodan API as if it were a SQL table! For example, let's grab everything for the IP 8.8.8.8:

~$ steampipe query "SELECT * FROM shodan_host_service WHERE ip = '8.8.8.8'"
+---------+--------+------+---------------------+------------+----------------+--------+--------+-----------+---------+---------+--------+--------+------------+--------+------------------------------------------------------------------------------------------------------------------------------------------------+--------+------------------------+--------+-----------+--------+--------------------------------------------------------------------------------+--------+---------+--------+-------------+--------+--------+--------+--------+-----------+--------+---------+--------+---------+--------+--------+--------+--------+--------+--------+--------+--------+-----------+----------+--------+------------------------------------------------------------------------+
| ip      | ipv6   | port | timestamp           | hash       | domains        | link   | uptime | transport | product | version | cpe    | title  | devicetype | info   | shodan                                                                                                                                         | vulns  | banners                | ssl    | cassandra | db2    | dns                                                                            | docker | elastic | etcd   | ethernet_ip | ftp    | hive   | http   | isakmp | lantronix | monero | mongodb | mqtt   | netbios | ntp    | redis  | rip    | rsync  | smb    | snmp   | ssh    | vertx  | minecraft | influxdb | coap   | opts                                                                   |
+---------+--------+------+---------------------+------------+----------------+--------+--------+-----------+---------+---------+--------+--------+------------+--------+------------------------------------------------------------------------------------------------------------------------------------------------+--------+------------------------+--------+-----------+--------+--------------------------------------------------------------------------------+--------+---------+--------+-------------+--------+--------+--------+--------+-----------+--------+---------+--------+---------+--------+--------+--------+--------+--------+--------+--------+--------+-----------+----------+--------+------------------------------------------------------------------------+
| 8.8.8.8 | <null> | 53   | 2021-08-05 16:56:13 | -553166942 | ["dns.google"] | <null> | <null> | udp       |         |         | <null> | <null> | <null>     | <null> | {"crawler":"42f86247b760542c0192b61c60405edc5db01d55","id":"d0c6cca6-08ab-449e-9476-d00cf5609bd5","module":"dns-udp","options":{},"ptr":false} | <null> | ["Recursion: enabled"] | <null> | <null>    | <null> | {"recursive":true,"resolver_hostname":null,"resolver_id":null,"software":null} | <null> | <null>  | <null> | <null>      | <null> | <null> | <null> | <null> | <null>    | <null> | <null>  | <null> | <null>  | <null> | <null> | <null> | <null> | <null> | <null> | <null> | <null> | <null>    | <null>   | <null> | {"raw":"34ef818200010000000000000776657273696f6e0462696e640000100003"} |
+---------+--------+------+---------------------+------------+----------------+--------+--------+-----------+---------+---------+--------+--------+------------+--------+------------------------------------------------------------------------------------------------------------------------------------------------+--------+------------------------+--------+-----------+--------+--------------------------------------------------------------------------------+--------+---------+--------+-------------+--------+--------+--------+--------+-----------+--------+---------+--------+---------+--------+--------+--------+--------+--------+--------+--------+--------+-----------+----------+--------+------------------------------------------------------------------------+

That's a bit unruly, so let's just look at a few of the properties:

~$ steampipe query "SELECT ip,port,timestamp,dns FROM shodan_host_service WHERE ip = '8.8.8.8'"
+---------+------+---------------------+--------------------------------------------------------------------------------+
| ip      | port | timestamp           | dns                                                                            |
+---------+------+---------------------+--------------------------------------------------------------------------------+
| 8.8.8.8 | 53   | 2021-08-05 16:56:13 | {"recursive":true,"resolver_hostname":null,"resolver_id":null,"software":null} |
+---------+------+---------------------+--------------------------------------------------------------------------------+

Much better! Now you're ready to start accessing the Shodan API using SQL and JOIN-ing it with other data sources.
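As an added example (not part of the original guide or the plugin's documentation), the query below JOINs a list of your own addresses against shodan_host_service and uses the JSON in the dns column to report which of them Shodan has seen answering as a recursive resolver. The inventory CTE and its owner labels are constructed placeholders, and the ::inet casts assume the plugin exposes ip as an inet column; in practice the CTE would be replaced by a table from another plugin or your asset database.

```sql
-- Constructed inventory: replace these rows with the addresses you are
-- responsible for (or with a table from another Steampipe plugin).
with inventory (owner, ip) as (
  values
    ('page-example', '8.8.8.8'::inet),     -- the IP queried earlier in this guide
    ('placeholder',  '192.0.2.10'::inet)   -- RFC 5737 documentation address
)
select
  i.owner,
  s.ip,
  s.port,
  s.transport,
  s.timestamp,
  -- Pull individual fields out of the JSON shown in the dns column above.
  s.dns ->> 'software' as dns_software
from
  inventory as i
  -- The join supplies the ip value that each Shodan lookup is keyed on.
  join shodan_host_service as s on s.ip = i.ip
where
  s.port = 53
  -- Keep only services whose banner reported "recursive": true.
  and (s.dns ->> 'recursive')::boolean
order by
  s.timestamp desc;
```

Run it by pasting it into the interactive shell that `steampipe query` opens, or by passing it as the quoted argument as in the commands above.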

Additional Information