Using Shodanhq.com and FeedBurner to keep a public eye on your hosts
Shodan’s net: operator is limited by session cookie. However, Shodan results are available as XML and a few other ways for a fee, and I’m sure the net: operator is revealed through this. The net: operator is NOT available to the free RSS feed, so you shouldn’t expect RSS generated by queries with the net: operator to be able to be read by FeedBurner. In other words: This article doesn’t work, unless you can create your own RSS poller that feeds Shodan with whatever cookie bit it wants (with an HTTP GET). It’s also worth noting that John, from Shodan, got back to me and said he may enable something like leveraging the API key and allow users access to a few net: subnet queries for free. But we’ll wait and see.
Shodan is a search engine that crawls protocol (such as SIP, HTTP, FTP, SSH) headers, and other content and makes it available to users via a web interface and RESTful API.
I decided to look into it this passed weekend while researching Maltego, when I came across some videos of a talk the developers of FOCA gave at DEFCON 18. I think I had seen Shodan previously, but never looked too deeply at it as it seems ripe for grayhattery which I don’t have time to participate in.
Although it’s not a vulnerability scanner, Shodan’s indexed contents will assist you in learning if you are publicly touting information that you may feel should be private. In addition to some of the techniques described in the FOCA talks, you can easily use FeedBurner’s Email subscription feature to get daily digests of Shodan results, since Shodan offers an RSS feed.
Access Shodanhq.com and sign up for an account to gain access to the net: search query operator. To monitor a subnet, enter the search syntax as follows: net:184.108.40.206/24. The results can also be accessed via RSS as: http://www.shodanhq.com/search?feed=1&q=net%3A220.127.116.11%2F24.
You can easily use FeedBurner to receive “daily digests Emails” of updates to an RSS feed:
After signing up for FeedBurner service, you can simply access the main page and input the URL to the RSS feed you wish to subscribe.
http://www.shodanhq.com/search?feed=1&q=externaldomain.com or http://www.shodanhq.com/search?feed=1&q=net%3A18.104.22.168%2F24
In feed management click publicize, then Email Subscriptions on the left side menu, then click Activate. On the following page you will see Subscription Form Code within you will find the subscription link, which you can access, enter your Email and, after receiving the confirmation Email, you will be subscribed to updates.
This is useful, in addition to Google Alerts, to make sure that you are not exposing private information to public.