Create shodan_host.rb #14429

Merged
merged 7 commits into from
Dec 21, 2020

@Natto97 Natto97 commented Nov 25, 2020

Module options (auxiliary/scanner/http/shodan_host):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          80               yes       The target port (TCP)
   SHODAN_APIKEY                   yes       The SHODAN API key
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                           no        HTTP server virtual host

msf6 auxiliary(scanner/http/shodan_host) > reload
[*] Reloading module...
msf6 auxiliary(scanner/http/shodan_host) > run
[-] Auxiliary failed: Msf::OptionValidateError One or more options failed to validate: RHOSTS, SHODAN_APIKEY.
msf6 auxiliary(scanner/http/shodan_host) > set RHOSTS 8.8.8.8
RHOSTS => 8.8.8.8
msf6 auxiliary(scanner/http/shodan_host) > set SHODAN_APIKEY xxxxxx
SHODAN_APIKEY => xxxxxx
msf6 auxiliary(scanner/http/shodan_host) > run
[*] Running module against 8.8.8.8

[+] 8.8.8.8:53
[*] Auxiliary module execution completed

label-actions bot commented Nov 25, 2020

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@gwillcox-r7 gwillcox-r7 added the needs-linting The module needs additional work to pass our automated linting rules label Nov 25, 2020

label-actions bot commented Nov 25, 2020

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

@gwillcox-r7

@Natto97 Any update on creating documentation for this PR and updating the module to fix the issues reported by Travis?

Natto97 commented Dec 14, 2020

@gwillcox-r7 Update file completed #14511

@gwillcox-r7 gwillcox-r7 mentioned this pull request Dec 14, 2020
@gwillcox-r7

@Natto97 You do not need to create a separate PR for the documentation file. I have closed the other PR. Please apply your documentation updates from #14511 to your branch patch-2 instead, and those changes will populate into this PR.

@bcoles bcoles added docs and removed needs-docs labels Dec 15, 2020

Natto97 commented Dec 15, 2020

> @Natto97 Any update on creating documentation for this PR and updating the module to fix the issues reported by Travis?

It has been updated. Is it like this, @gwillcox-r7?

@gwillcox-r7 gwillcox-r7 self-assigned this Dec 21, 2020

gwillcox-r7 commented Dec 21, 2020

Hello @Natto97. So I was just reviewing this module and I noticed that we already have a module in the framework right now that performs very similar functionality to your module, specifically https://github.com/rapid7/metasploit-framework/blob/c0b42ff7a2a1b677aaba6acd7ebeefddcffdf38e/modules/auxiliary/gather/shodan_search.rb.

That being said during my tests I did notice that the module I linked above will not work on free accounts as the ip: filter is a paid filter within shodan.io.

So with all this being said it seems the best option would be to update the module at https://github.com/rapid7/metasploit-framework/blob/c0b42ff7a2a1b677aaba6acd7ebeefddcffdf38e/modules/auxiliary/gather/shodan_search.rb so that it adds a new check to see if the user specified an IP as the search filter and if they did, then adjust the query format to specifically use the new API format to prevent users having to use the paid ip: filter.

This will allow us to still gather the same information without having similar code spread across multiple modules, thereby reducing code duplication.

In essence we will just be expanding upon the existing module to add in some newer features.

bcoles commented Dec 21, 2020

> so that it adds a new check to see if the user specified an IP as the search filter and if they did, then adjust the query format to specifically use the new API format to prevent users having to use the paid ip: filter.

Is there a difference between the host and ip filters? If so, this check sounds like it will introduce unexpected behavior.

gwillcox-r7 commented Dec 21, 2020

> > so that it adds a new check to see if the user specified an IP as the search filter and if they did, then adjust the query format to specifically use the new API format to prevent users having to use the paid ip: filter.

> Is there a difference between the host and ip filters? If so, this check sounds like it will introduce unexpected behavior.

I'm actually not sure if the host filter is a valid filter upon further review. As for the ip: filter allowing hostnames, you are correct in that it does not allow hostnames.

@gwillcox-r7 gwillcox-r7 left a comment

Okay very sorry for the confusion here. So what happened was that we were going to try and merge the changes into https://github.com/rapid7/metasploit-framework/blob/c0b42ff7a2a1b677aaba6acd7ebeefddcffdf38e/modules/auxiliary/gather/shodan_search.rb however after a lot of deliberation and analysis we discovered that module heavily relies on the concept of splitting results by pages, which is a pro feature, and the API this module uses doesn't support that feature. Additionally since that module's code is heavily based around the pages feature, it's hard to refactor the code to support this new API.

Therefore I think it would be better to leave this module as is and if people have questions as to why some factors might be duplicated we can point them to this discussion. Again sorry for this confusion @Natto97.

Below are a few minor things that I found whilst reviewing the module. I'm going to go ahead and fix these up myself. I'm just leaving them here for your records, however don't worry I'll make sure these are fixed and the module will be landed today once all the changes have been applied and retested to make sure everything still works appropriately.

documentation/modules/auxiliary/gather/shodan_host.md (2 review threads, marked outdated)
modules/auxiliary/gather/shodan_host.rb (5 review threads, marked outdated)
…tments to the exploit code to handle some edge cases and fix review comments
@gwillcox-r7 gwillcox-r7 removed the needs-linting The module needs additional work to pass our automated linting rules label Dec 21, 2020
@gwillcox-r7 gwillcox-r7 merged commit 2c66bea into rapid7:master Dec 21, 2020

gwillcox-r7 commented Dec 21, 2020

Release Notes

New module auxiliary/gather/shodan_host has been added, allowing users with a Shodan account to enumerate which ports are publicly accessible on a host or set of hosts using Shodan's API.

@gwillcox-r7 gwillcox-r7 added the rn-modules release notes for new or majorly enhanced modules label Dec 21, 2020
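
The routing check debated in this thread (send a literal IP to the per-host lookup, leave every other term as a search query), as an added Ruby example that is not code from this PR or from Metasploit. The endpoint paths, the `ip_str` and `ports` response fields, the helper names and the sample body are assumptions; none of them appear on this page.

```ruby
require 'ipaddr'
require 'json'

# Assumed Shodan REST paths (not named in the thread): the per-host lookup and
# the search endpoint that takes filters such as ip:.
HOST_LOOKUP = '/shodan/host/%s'.freeze
HOST_SEARCH = '/shodan/host/search'.freeze

# Constructed sample of a host-lookup response body (hypothetical values).
SAMPLE_BODY = '{"ip_str":"8.8.8.8","ports":[53,443,53]}'.freeze

# True only for a single literal IPv4/IPv6 address. Hostnames fail to parse,
# and CIDR ranges are rejected because they do not name one host.
def literal_ip?(term)
  return false if term.include?('/')

  IPAddr.new(term)
  true
rescue IPAddr::Error
  false
end

# Pick the request for a user-supplied term. An optional leading "ip:" is
# stripped before the check. Anything that is not a literal IP is passed
# through unchanged as a search query instead of being silently rewritten,
# which is the unexpected-behaviour concern raised in the review.
def shodan_request(term)
  candidate = term.sub(/\Aip:/, '')
  return { path: format(HOST_LOOKUP, candidate), query: nil } if literal_ip?(candidate)

  { path: HOST_SEARCH, query: term }
end

# Convert a host-lookup body into sorted, de-duplicated "ip:port" strings, the
# form the module prints. Malformed or unexpected bodies yield an empty list.
def exposed_ports(body)
  host = JSON.parse(body)
  return [] unless host.is_a?(Hash)

  Array(host['ports']).map(&:to_i).uniq.sort.map { |port| "#{host['ip_str']}:#{port}" }
rescue JSON::ParserError
  []
end
```
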