Skip to content

romcheckfail/shodan-ip-block-list

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits

README.md

README.md

 
 

sibil.sh

sibil.sh

 
 

Repository files navigation

      "dMMMb   dMP  dMMMMb   dM"
     dMP" VP  amr  dMP'dMP  dMP
     "MMMb   dMP  dMMMMK   dM"
   dP .dMP  dMP  dMP.aMF  dMP
   "MMMP'  dMP  dMMMMP'  dMMMMM"
  Shodan IP Block List (SIBL) v0.2

         - whoisbyip.com -

Requirements:
Shodan CLI - https://cli.shodan.io/
The current list of IPs used by shodan *Optional

Inteded Use: Used to generate a list of IPs used by shodan that scan hosts. The script will start a tcpdump session that will listen for new VNC connections, after starting the dump it will initate a scan request to shodan.io logging the IP address that attempts to connect.

Isnt blocking shodan sticking your head in the sand? Yes, it is if you are exposing equipment to the internet it will be vulnerable blocking shodan does not fix this. However you would not let users run nmap on the inside of your network so why would you let them do it to the outside. Below is a nifty diagaram of how shodan is used by its userbase:

       /\
      /__\ < Actual Infosec
     /    \ 
    /      \
   /        \
  /  ABUSE   \ 
 /            \
/______________\

For this reason I find it would be useful to keep a up to date list of IP addresses or scanners that shodan is using. Plus it is interesting to do.

You just said blocking shodan wont fix my equipment so why would I bother logging IPs? Since the script logs only the IP address that comes from a user iniated scan, you are only blocking the IP addresses that would be used from other users from manually scanning your network using the shodan cli. For a complete list of all IPs see the bottom question.

How can you gaurentee these are shodan IP addresses? Easy shodan wont let you use shodan to check one of its own IPs, the search will either censor out the IP like this: xxx.xxx.xxx.xxx or show you a custom 404 page when you attempt to access the scanner. This tool also uses the host utility to check the dns name of the IP address. The tcpdump is set to run for only 60 seconds and the longest a shodan scan usually takes is 10 seconds. While I have gotten false IPs in my tcpdump they all resolved to chineese scanners looking for open VNC sessions.

Do you have a block list of shodan IPs? Yes they are hosted at romcheckfail.com/URL and whoisbyip.com/URL

About

Used to bait shodan to scan your host, capture the IP address, then add it to a local blocklist.

Resources

Readme
Activity

Stars

29 stars

Watchers

2 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages