Open source intelligence tools for pen testing

Private Eye

Automated Searches: Shodan and Nmap

Nmap has supported Shodan lookups for some time: you pass the --script option with the shodan-api script and supply your Shodan key through --script-args:

$ sudo nmap -sn -Pn -n --script shodan-api --script-args shodan-api.apikey=UsYM89GnfM86IP5aodgbTf6voFQL7kae

In a moment, I'll show you how to get your own Shodan key, but first I want to explain the above command. It simply tells Nmap to do a stealth scan using null sessions, not to use ping, and not to do Domain Name System (DNS) resolution. The --script option tells Nmap that you're going to use a script of some sort – in this case, the Shodan API script. The shodan-api.apikey script argument supplies your API key. The command then finishes by specifying the target URL.

The result is much more accurate information about your target. Specifying the Shodan API also means that Shodan, not Nmap, conducts the actual scan; in this way, you are doing an indirect scan, which is much stealthier, and one that is more accurate and informative about the hosts you're scanning. Note, however, that you can only use the Shodan API this way on publicly facing IP addresses, not private ones. By specifying the Shodan API, I was able to gather more information during the Discovery phase (Figure 4), and the resulting scan gives more detailed information about the services on a particular target host. In this case, it reveals port 22 and the specific operating system of the server, Debian 5.

Figure 4: Nmap with an assist from the Shodan API.

Obtaining the Shodan Key

You can obtain the Shodan key by going to the Shodan website [2] and creating an account. Figure 5 shows the Overview screen with an API key and Quick Response (QR) code. You can use either in Nmap and many other applications. (Also see the box titled "Getting a New API Key.")

Figure 5: Example of a Shodan API key.

Getting a New API Key

When necessary – such as when you have shared a screenshot that shows your key and QR code – you can generate a new API key. Simply log in to the Shodan site, go to Settings, and click on the Overview tab. Scroll down and click on the Reset API Key button. The only reason you would not want to do this often is that you might have automated scripts and preprogrammed tools that use the key; obviously, you'll need to update every script and software tool that uses it.
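As an added example (not code from the article), the following shell script wraps the Nmap shodan-api invocation shown above so that the key lives in one owner-only file, passed through Nmap's --script-args-file option instead of on the command line, and so that private, loopback, link-local and CGNAT addresses are dropped before Shodan is queried, since the lookup only works for publicly facing addresses. The function names, the default key file path ~/.config/shodan/nmap-args and the TEST-NET addresses in the usage comment are assumptions of this example; the key line itself is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the ADMIN article: run the Nmap shodan-api
# script with the key loaded from a private file instead of the command
# line, and only against public IPv4 targets.  Function names and the
# default key file path are assumptions of this example.

# Default key file.  Its single line has the same form as the article's
# --script-args value, e.g.  shodan-api.apikey=YOURKEYHERE  (placeholder).
SHODAN_ARGS_FILE="${SHODAN_ARGS_FILE:-$HOME/.config/shodan/nmap-args}"

# Accept the key file only if it is private to the owner and holds the
# argument line Nmap expects.  Resetting the key then means editing this
# one file; no script has to change.
check_key_file() {
    f=$1
    [ -r "$f" ] || { echo "$f: missing or unreadable" >&2; return 1; }
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "$f: readable by group or other, run chmod 600 on it" >&2
        return 1
    fi
    grep -Eq '^shodan-api\.apikey=[^[:space:]]+$' "$f" || {
        echo "$f: expected a single shodan-api.apikey=<key> line" >&2
        return 1
    }
}

# Shodan only indexes publicly routable hosts, so reject private, loopback,
# link-local, CGNAT and multicast/reserved addresses before an API query is
# spent on them.  Returns 0 for a public IPv4 address, 1 otherwise.
is_public_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$1" "$2" "$3" "$4"; do [ "$o" -le 255 ] || return 1; done
    case "$1" in
        0|10|127) return 1 ;;                                   # this-net, RFC 1918, loopback
        169) [ "$2" -eq 254 ] && return 1 ;;                    # link-local
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1 ;;  # 172.16/12
        192) [ "$2" -eq 168 ] && return 1 ;;                    # 192.168/16
        100) [ "$2" -ge 64 ] && [ "$2" -le 127 ] && return 1 ;; # CGNAT 100.64/10
        2[2-5][0-9]) return 1 ;;                                # multicast / reserved
    esac
    return 0
}

# Print only the targets worth sending to Shodan, one per line.
filter_public_targets() {
    for t in "$@"; do
        if is_public_ipv4 "$t"; then
            printf '%s\n' "$t"
        else
            echo "skipping $t: not a public IPv4 address" >&2
        fi
    done
}

# --script-args-file replaces the article's --script-args, so the key never
# shows up in shell history or in the process list.  -sn -Pn -n are the
# article's options: Nmap sends no probes of its own, Shodan supplies the data.
run_shodan_nmap() {
    check_key_file "$SHODAN_ARGS_FILE" || return 1
    targets=$(filter_public_targets "$@")
    [ -n "$targets" ] || { echo "no public IPv4 targets given" >&2; return 1; }
    # shellcheck disable=SC2086  # word-splitting $targets is intended
    nmap -sn -Pn -n --script shodan-api --script-args-file "$SHODAN_ARGS_FILE" $targets
}

# Usage: sh shodan-nmap.sh 203.0.113.10 198.51.100.7  (TEST-NET documentation
# addresses).  Nothing runs when the file is sourced without arguments.
if [ "$#" -gt 0 ]; then
    run_shodan_nmap "$@"
fi
```

Because the key is read from the file and never echoed, resetting it as described in the box above means editing that one file. The article runs Nmap under sudo; with -sn -Pn -n, Nmap itself puts nothing on the wire, so root is not required for this invocation.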

Automated Discovery: Maltego

Maltego (Figure 6) is another tool often used during the pen testing reconnaissance step. Maltego automates the process of discovering network resources. By simply entering common information, such as a DNS domain name or a Twitter handle, you can automate discovery of:

  • All DNS servers, including primary/master and secondary/slave.
  • Email account names. Maltego can discover defined email accounts, thereby quickly giving you the structure of accounts on a server. From here, it is a quick two-step to effective social engineering.
  • Twitter information. Specifying a simple Twitter handle lets you identify conversation threads quickly. By parsing these conversations, you can discover an enormous amount of information about a particular user or set of users.

In Figure 6, Maltego has returned information about a specific network domain.

Figure 6: Results of a Maltego discovery operation.
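The first item in the list above, telling a zone's primary name server apart from its secondaries, can be reproduced from the command line. The script below is an added example, not part of the article or of Maltego: it reads answer-section lines in the format printed by dig +noall +answer and labels each NS record as primary (the MNAME field of the SOA record) or secondary. The function names are assumptions, and the example.com records embedded in it are constructed sample input.

```shell
#!/bin/sh
# Added example, not part of the article or of Maltego: split a domain's
# name servers into the primary (the SOA MNAME) and the secondaries, the
# way Maltego's DNS discovery presents them.  Function names are
# assumptions; the example.com records are constructed sample input.

# Reads answer-section lines (name TTL class type rdata...) on stdin and
# prints "primary <ns>" or "secondary <ns>" for every NS record.  Field 5
# of the SOA line is the MNAME; any NS that is not the MNAME is a secondary
# that transfers the zone from it.  Names are lower-cased so that case
# differences between records do not split one server into two.
classify_nameservers() {
    awk '
        $4 == "SOA" { mname = tolower($5) }
        $4 == "NS"  { ns[tolower($5)] = 1 }
        END {
            if (mname == "")
                print "warning: no SOA record seen, every NS is reported as secondary" > "/dev/stderr"
            for (n in ns) {
                label = (n == mname) ? "primary" : "secondary"
                print label, n
            }
        }
    ' | sort
}

# Live lookup for a real domain (needs dig and network access); the SOA and
# NS answers are concatenated and fed to the classifier.
lookup_nameservers() {
    { dig +noall +answer SOA "$1"; dig +noall +answer NS "$1"; } | classify_nameservers
}

# Constructed sample answers in dig's answer-section layout, with one NS
# deliberately in mixed case.
SAMPLE_ANSWER='example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 86400
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS ns2.example.com.
example.com. 3600 IN NS NS3.Example.com.'

# Runs the classifier over the constructed sample; no network needed.
demo_nameservers() {
    printf '%s\n' "$SAMPLE_ANSWER" | classify_nameservers
}

# Usage: sh nameservers.sh example.org   (live lookup)
#        sh nameservers.sh               (no arguments: nothing runs)
if [ "$#" -gt 0 ]; then
    lookup_nameservers "$1"
fi
```

A zone whose SOA MNAME is not among its NS records (a hidden primary) shows up here as all-secondary output plus the MNAME in the SOA line, which is itself a useful finding during discovery.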
