# THLOP - SHODAN'S DATASET API

In [None]:
import os                                                                    
from pyspark.sql import SparkSession
import pyspark.sql.functions as F

# Note: Make sure to set an environment variable called "TLHOP_DATASETS_PATH" 
# used to define where THLOP's Crawlers store their collected data.

spark = SparkSession.builder\
            .master("local[4]")\
            .config("spark.driver.memory", "10g")\
            .getOrCreate()

In [2]:
from tlhop.datasets import DataSets

ds = DataSets()

In [3]:
ds.list_datasets()

Unnamed: 0,Code name,Description,Type,Downloaded,Size (MB),Last timestamp
0,ACCENTED_WORDS_PT_BR_FILE,List of accented pt-br words,internal,True,4.14,"12/11/2023, 19:42:54"
1,AS_RANK_FILE,CAIDA's AS Rank,external,True,12.56,"09/02/2023, 15:30:32"
2,AS_TYPE_FILE,CAIDA's AS Classification,external,True,2.18,"09/02/2023, 15:31:16"
3,BRAZILIAN_CITIES,Brazil's cities information dataset,external,True,3.07,"09/02/2023, 15:31:16"
4,BRAZILIAN_IPS,Lisf of Range of IPs available in Brazil's Internet,external,True,5.08,"09/02/2023, 15:30:36"
5,BRAZILIAN_RF,Brazilian National Register of Legal Entities - CNPJ,external,True,4555.93,"09/02/2023, 15:30:31"
6,CISA_EXPLOITS,CISA's Known Exploited Vulnerabilities Catalog,external,True,0.34,"09/02/2023, 15:30:39"
7,COLUMNS_MODULE_FILE,Shodan's Module list and their columns frequency,external,True,0.09,"09/02/2023, 15:30:40"
8,ENDOFLIFE,Keep track of various End of Life dates and support lifecycles for various products,external,True,1.96,"09/02/2023, 15:09:39"
9,FIRST_EPSS,FIRST's Exploit Prediction Scoring system (EPSS),external,True,1058.04,"12/06/2023, 11:16:44"


## NVD's CVE Library

In [6]:
ds1 = ds.read_dataset("NVD_CVE_LIB")
ds1.count()

                                                                                

211243

In [7]:
ds1.printSchema()

root
 |-- cve_id: string (nullable = true)
 |-- description: string (nullable = true)
 |-- cvssv2: double (nullable = true)
 |-- cvssv3: double (nullable = true)
 |-- publishedDate: date (nullable = true)
 |-- lastModifiedDate: string (nullable = true)
 |-- baseMetricV2: struct (nullable = true)
 |    |-- acInsufInfo: boolean (nullable = true)
 |    |-- exploitabilityScore: float (nullable = true)
 |    |-- impactScore: float (nullable = true)
 |    |-- obtainAllPrivilege: boolean (nullable = true)
 |    |-- obtainOtherPrivilege: boolean (nullable = true)
 |    |-- obtainUserPrivilege: boolean (nullable = true)
 |    |-- severity: string (nullable = true)
 |    |-- userInteractionRequired: boolean (nullable = true)
 |    |-- cvssV2_accessComplexity: string (nullable = true)
 |    |-- cvssV2_accessVector: string (nullable = true)
 |    |-- cvssV2_authentication: string (nullable = true)
 |    |-- cvssV2_availabilityImpact: string (nullable = true)
 |    |-- cvssV2_baseScore: float (null

In [8]:
ds1.show(5)

+-------------+--------------------+------+------+-------------+-----------------+--------------------+--------------------+--------------------+--------------------+--------------+------------+------------+
|       cve_id|         description|cvssv2|cvssv3|publishedDate| lastModifiedDate|        baseMetricV2|        baseMetricV3|                 cpe|          references|published_year|rank_cvss_v2|rank_cvss_v3|
+-------------+--------------------+------+------+-------------+-----------------+--------------------+--------------------+--------------------+--------------------+--------------+------------+------------+
|CVE-2021-0001|Observable timing...|   2.1|   4.7|   2021-06-09|2021-06-28T18:03Z|{false, 3.9, 2.9,...|{1.0, 3.6, HIGH, ...|cpe:2.3:a:intel:i...|https://www.intel...|          2021|         low|      medium|
|CVE-2021-0002|Improper conditio...|   3.6|   7.1|   2021-08-11|2021-11-30T19:43Z|{false, 3.9, 4.9,...|{1.8, 5.2, LOW, H...|                    |https://www.intel...|  

## CISA's Known Exploited Vulnerabilities Catalog

In [8]:
ds2 = ds.read_dataset("CISA_EXPLOITS")
ds2.count()

916

In [9]:
ds2.printSchema()

root
 |-- cve_id: string (nullable = true)
 |-- vendorProject: string (nullable = true)
 |-- product: string (nullable = true)
 |-- vulnerabilityName: string (nullable = true)
 |-- dateAdded: string (nullable = true)
 |-- shortDescription: string (nullable = true)
 |-- requiredAction: string (nullable = true)
 |-- dueDate: string (nullable = true)
 |-- notes: string (nullable = true)



In [10]:
ds2.show(5)

+--------------+-------------+------------------+--------------------+----------+--------------------+--------------------+----------+-----+
|        cve_id|vendorProject|           product|   vulnerabilityName| dateAdded|    shortDescription|      requiredAction|   dueDate|notes|
+--------------+-------------+------------------+--------------------+----------+--------------------+--------------------+----------+-----+
|CVE-2021-27104|    Accellion|               FTA|Accellion FTA OS ...|2021-11-03|Accellion FTA 9_1...|Apply updates per...|2021-11-17| null|
|CVE-2021-27102|    Accellion|               FTA|Accellion FTA OS ...|2021-11-03|Accellion FTA 9_1...|Apply updates per...|2021-11-17| null|
|CVE-2021-27101|    Accellion|               FTA|Accellion FTA SQL...|2021-11-03|Accellion FTA 9_1...|Apply updates per...|2021-11-17| null|
|CVE-2021-27103|    Accellion|               FTA|Accellion FTA SSR...|2021-11-03|Accellion FTA 9_1...|Apply updates per...|2021-11-17| null|
|CVE-2021-210

## HTTP Status Code List

In [8]:
ds2 = ds.read_dataset("HTTP_STATUS_FILE")
ds2.count()

99

In [9]:
ds2.printSchema()

root
 |-- code: string (nullable = true)
 |-- name: string (nullable = true)
 |-- description: string (nullable = true)
 |-- group: string (nullable = true)
 |-- reference: string (nullable = true)



In [10]:
ds2.show(5)

+----+--------------------+--------------------+--------------------+--------------------+
|code|                name|         description|               group|           reference|
+----+--------------------+--------------------+--------------------+--------------------+
|null|          EMPTY_CODE|                null|                null|                null|
| 100|   100_HTTP_CONTINUE|            Continue|Informational - R...|[RFC9110, Section...|
| 101|101_HTTP_SWITCHIN...| Switching Protocols|Informational - R...|[RFC9110, Section...|
| 102| 102_HTTP_PROCESSING|This code indicat...|Informational - R...|           [RFC2518]|
| 103|103_HTTP_EARLY_HINTS|This status code ...|Informational - R...|           [RFC8297]|
+----+--------------------+--------------------+--------------------+--------------------+
only showing top 5 rows



## UTF-8 Code symbols 

In [25]:
ds3 = ds.read_dataset("UTF8_MAPPING_FILE")
ds3.count()

195

In [26]:
ds3.printSchema()

root
 |-- Expected: string (nullable = true)
 |-- Actual: string (nullable = true)



In [27]:
ds3.show(5)

+--------+------+
|Expected|Actual|
+--------+------+
|       €|   â‚¬|
|       ‚|   â€š|
|       ƒ|    Æ’|
|       „|   â€ž|
|       …|   â€¦|
+--------+------+
only showing top 5 rows



## AS Rank DataSet

In [37]:
ds4 = ds.read_dataset("AS_RANK_FILE")
ds4.count()

                                                                                

107239

In [38]:
ds4.printSchema()

root
 |-- asn: string (nullable = true)
 |-- asnName: string (nullable = true)
 |-- country_iso: string (nullable = true)
 |-- country: string (nullable = true)
 |-- rank: integer (nullable = true)
 |-- organization_name: string (nullable = true)
 |-- organization_id: string (nullable = true)



## AS Type DataSet

In [40]:
ds5 = ds.read_dataset("AS_TYPE_FILE")
ds5.count()

69564

In [41]:
ds5.printSchema()

root
 |-- asn: string (nullable = true)
 |-- class: string (nullable = true)
 |-- type: string (nullable = true)



## Brazil Cities DataSet

In [47]:
ds6 = ds.read_dataset("BRAZILIAN_CITIES")
ds6.count()

                                                                                

5578

In [48]:
ds6.printSchema()

root
 |-- CITY: string (nullable = true)
 |-- STATE: string (nullable = true)
 |-- CAPITAL: string (nullable = true)
 |-- IBGE_RES_POP: string (nullable = true)
 |-- IBGE_RES_POP_BRAS: string (nullable = true)
 |-- IBGE_RES_POP_ESTR: string (nullable = true)
 |-- IBGE_DU: string (nullable = true)
 |-- IBGE_DU_URBAN: string (nullable = true)
 |-- IBGE_DU_RURAL: string (nullable = true)
 |-- IBGE_POP: string (nullable = true)
 |-- IBGE_1: string (nullable = true)
 |-- IBGE_1-4: string (nullable = true)
 |-- IBGE_5-9: string (nullable = true)
 |-- IBGE_10-14: string (nullable = true)
 |-- IBGE_15-59: string (nullable = true)
 |-- IBGE_60+: string (nullable = true)
 |-- IBGE_PLANTED_AREA: string (nullable = true)
 |-- IBGE_CROP_PRODUCTION_$: string (nullable = true)
 |-- IDHM Ranking 2010: string (nullable = true)
 |-- IDHM: string (nullable = true)
 |-- IDHM_Renda: string (nullable = true)
 |-- IDHM_Longevidade: string (nullable = true)
 |-- IDHM_Educacao: string (nullable = true)
 |-- LO

## Mikrotik OS Release Version

In [60]:
ds8 = ds.read_dataset("MIKROTIK_OS")
ds8.count()

22/08/04 09:13:03 WARN CacheManager: Asked to cache already cached data.


351

In [56]:
ds8.printSchema()

root
 |-- deployment: string (nullable = true)
 |-- release: string (nullable = true)
 |-- date: string (nullable = true)



In [57]:
ds8.show(5)

+----------+-------+----------+
|deployment|release|      date|
+----------+-------+----------+
|    Stable| 6.49.4|2022-02-25|
|   Testing| 7.2rc4|2022-02-22|
|    Stable| 6.49.3|2022-02-15|
|    Stable|  7.1.3|2022-02-11|
|    Stable|  7.1.2|2022-02-03|
+----------+-------+----------+
only showing top 5 rows



## Language code (iso 639) mapping list

In [61]:
ds9 = ds.read_dataset("ISO_639_LANGUAGE")
ds9.count()

22/08/04 09:13:11 WARN CacheManager: Asked to cache already cached data.


184

In [62]:
ds9.printSchema()

root
 |-- iso: string (nullable = true)
 |-- language: string (nullable = true)



In [63]:
ds9.show(5)

+---+---------+
|iso| language|
+---+---------+
| ab|   Abkhaz|
| aa|     Afar|
| af|Afrikaans|
| ak|     Akan|
| sq| Albanian|
+---+---------+
only showing top 5 rows



## PT-BR Accented words

In [25]:
ds10 = ds.read_dataset("ACCENTED_WORDS_PT_BR_FILE")
ds10.count()

22/08/08 12:27:05 WARN CacheManager: Asked to cache already cached data.


287883

In [26]:
ds10.printSchema()

root
 |-- word: string (nullable = true)



In [27]:
ds10.show(5)

+----------+
|      word|
+----------+
|oleássemos|
|filóstaque|
|pelotearás|
|calotípico|
|desconvirá|
+----------+
only showing top 5 rows



## PT-BR Dictionary

In [14]:
ds11 = ds.read_dataset("PT_BR_DICTIONARY")
ds11.count()

                                                                                

980279

In [15]:
ds11.printSchema()

root
 |-- word: string (nullable = true)



In [16]:
ds11.show(5)

+----+
|word|
+----+
| Abã|
| Aci|
| Acã|
| Adã|
| Aim|
+----+
only showing top 5 rows



## Federal Revenue of Brazil

In [6]:
ds12 = ds.read_dataset("BRAZILIAN_RF")
ds12.count()

                                                                                

53642858

In [7]:
ds12.printSchema()

root
 |-- cnpj_basico: string (nullable = true)
 |-- identificador_matriz: string (nullable = true)
 |-- nome_fantasia: string (nullable = true)
 |-- situacao_cadastral: string (nullable = true)
 |-- situacao_cadastral_data: date (nullable = true)
 |-- nome_cidade_exterior: string (nullable = true)
 |-- data_inicio_atividade: date (nullable = true)
 |-- cnae_fiscal_principal_cod: string (nullable = true)
 |-- cnae_fiscal_secundaria_cod: string (nullable = true)
 |-- endereço_tipo_logradouro: string (nullable = true)
 |-- endereço_logradouro: string (nullable = true)
 |-- endereço_numero: integer (nullable = true)
 |-- endereço_complemento: string (nullable = true)
 |-- endereço_bairro: string (nullable = true)
 |-- endereço_cep: integer (nullable = true)
 |-- endereço_uf: string (nullable = true)
 |-- contato_ddd1: integer (nullable = true)
 |-- contato_telone1: integer (nullable = true)
 |-- contato_email: string (nullable = true)
 |-- situacao_especial: string (nullable = true)
 |-- 

## FIRST EPSS

In [None]:
ds13 = ds.read_dataset("FIRST_EPSS", check_update=True)
ds13.count()

In [4]:
ds13.show()

+--------------+----------+----+-------------+-------+----------+
|        cve_id|score_date|year|model_version|   epss|percentile|
+--------------+----------+----+-------------+-------+----------+
| CVE-2018-7422|2022-12-07|2022|  v2022.01.01|0.42738|   0.98235|
|CVE-2020-14462|2022-06-25|2022|  v2022.01.01|0.00885|   0.25362|
| CVE-2021-0623|2022-06-14|2022|  v2022.01.01|0.01036|   0.40087|
| CVE-2014-5983|2022-11-03|2022|  v2022.01.01|0.00954|   0.35181|
| CVE-2006-1587|2022-02-16|2022|  v2022.01.01| 0.0095|   0.14008|
| CVE-2020-1447|2022-06-25|2022|  v2022.01.01|0.01875|   0.75787|
| CVE-2007-5999|2022-10-26|2022|  v2022.01.01|0.00986|   0.36328|
| CVE-2014-5984|2022-11-03|2022|  v2022.01.01|0.00954|   0.35181|
|CVE-2022-31626|2022-12-07|2022|  v2022.01.01|0.46725|   0.98496|
|CVE-2020-14470|2022-06-25|2022|  v2022.01.01|0.00885|   0.25362|
| CVE-2021-0624|2022-06-14|2022|  v2022.01.01|0.01036|   0.40087|
| CVE-2014-5985|2022-11-03|2022|  v2022.01.01|0.00954|   0.35181|
| CVE-2006

In [5]:
ds13.groupby("model_version")\
    .agg(F.min("score_date"), 
         F.max("score_date"))\
    .orderBy("model_version")\
    .show()



+-------------+---------------+---------------+
|model_version|min(score_date)|max(score_date)|
+-------------+---------------+---------------+
|  v2021-04-14|     2021-04-14|     2022-02-03|
|  v2022.01.01|     2022-02-04|     2023-03-06|
|  v2023.03.01|     2023-03-07|     2023-12-06|
+-------------+---------------+---------------+



                                                                                

## LACNIC RIR Statistics

In [4]:
ds14 = ds.read_dataset("LACNIC_STATISTICS", check_update=True)
ds14.count()

Last crawling timestamp: 20240130
The current dataset version is the most recent.
The current dataset version is the most recent.


24/01/31 10:23:45 WARN package: Truncated the string representation of a plan since it was too large. This behavior can be adjusted by setting 'spark.sql.debug.maxToStringFields'.
                                                                                

49110601

In [5]:
ds14.show()
#.drop("status").withColumnRenamed("date", "status").withColumnRenamed("date", "status").show()

[Stage 14:>                                                         (0 + 1) / 1]

+--------+-------+----+-----------+-----+--------+---------+------------+------------+------------+------------+
|registry|country|type|       mask|n_ips|    date|   status|start_ip_int|  end_ip_int|crawler_date|crawler_year|
+--------+-------+----+-----------+-----+--------+---------+------------+------------+------------+------------+
|  lacnic|     BR|ipv4| 24.152.0.0| 1024|20200310|allocated|4.12614656E8|4.12615679E8|  2023-08-01|        2023|
|  lacnic|     BR|ipv4| 24.152.4.0| 1024|20200312|allocated| 4.1261568E8|4.12616703E8|  2023-08-01|        2023|
|  lacnic|     BR|ipv4| 24.152.8.0| 1024|20200309|allocated|4.12616704E8|4.12617727E8|  2023-08-01|        2023|
|  lacnic|     BR|ipv4|24.152.12.0| 1024|20200309|allocated|4.12617728E8|4.12618751E8|  2023-08-01|        2023|
|  lacnic|     BR|ipv4|24.152.16.0| 1024|20200312|allocated|4.12618752E8|4.12619775E8|  2023-08-01|        2023|
|  lacnic|     BR|ipv4|24.152.20.0| 1024|20230328|allocated|4.12619776E8|4.12620799E8|  2023-08-

                                                                                

In [10]:
spark.stop()