rtexit-method 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +2 -5
- package/packaged-assets/.agents/skills/rt-active-recon/SKILL.md +767 -0
- package/packaged-assets/.agents/skills/rt-active-recon/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/customize.toml +76 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/customize.toml +67 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/customize.toml +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/SKILL.md +476 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/SKILL.md +1209 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/template.md +62 -0
- package/packaged-assets/.agents/skills/rt-autodoc/SKILL.md +258 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/SKILL.md +1072 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-compliance-mapper/SKILL.md +773 -0
- package/packaged-assets/.agents/skills/rt-create-sead/SKILL.md +74 -0
- package/packaged-assets/.agents/skills/rt-create-sead/template.md +89 -0
- package/packaged-assets/.agents/skills/rt-create-sead/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-credential-access/SKILL.md +756 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/SKILL.md +856 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/SKILL.md +542 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/cvss4-matrix.csv +20 -0
- package/packaged-assets/.agents/skills/rt-data-exfiltration/SKILL.md +784 -0
- package/packaged-assets/.agents/skills/rt-defense-evasion/SKILL.md +987 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/SKILL.md +712 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/template.md +31 -0
- package/packaged-assets/.agents/skills/rt-executive-report/SKILL.md +718 -0
- package/packaged-assets/.agents/skills/rt-executive-report/template.md +38 -0
- package/packaged-assets/.agents/skills/rt-executive-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/SKILL.md +1078 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/ad-checklist.csv +12 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/SKILL.md +1329 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/masvs-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/SKILL.md +1547 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/SKILL.md +1949 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-bec/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/SKILL.md +865 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-azure/SKILL.md +1258 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-gcp/SKILL.md +981 -0
- package/packaged-assets/.agents/skills/rt-exploit-containers/SKILL.md +55 -0
- package/packaged-assets/.agents/skills/rt-exploit-databases/SKILL.md +1374 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-mac/SKILL.md +834 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/SKILL.md +903 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-dotnet/SKILL.md +945 -0
- package/packaged-assets/.agents/skills/rt-exploit-elasticsearch/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/SKILL.md +1023 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/SKILL.md +1576 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/payloads/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-firebase/SKILL.md +54 -0
- package/packaged-assets/.agents/skills/rt-exploit-frameworks/SKILL.md +967 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/SKILL.md +1693 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/SKILL.md +1860 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/payloads/sqlmap-tampers.txt +22 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/SKILL.md +1214 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/SKILL.md +91 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-java/SKILL.md +1009 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/SKILL.md +1327 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-mongodb/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-mssql/SKILL.md +52 -0
- package/packaged-assets/.agents/skills/rt-exploit-mysql/SKILL.md +53 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/SKILL.md +118 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-nodejs/SKILL.md +852 -0
- package/packaged-assets/.agents/skills/rt-exploit-osticket/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/SKILL.md +173 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/templates/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-php/SKILL.md +1119 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-postgresql/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-python/SKILL.md +986 -0
- package/packaged-assets/.agents/skills/rt-exploit-redis/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ruby/SKILL.md +61 -0
- package/packaged-assets/.agents/skills/rt-exploit-scada/SKILL.md +1091 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/SKILL.md +1528 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/payloads.txt +23 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/SKILL.md +121 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/scripts.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/SKILL.md +1902 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/owasp-checklist.csv +14 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-wireless/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/SKILL.md +1565 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/cves.csv +7 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/SKILL.md +1526 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/payloads.txt +18 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-document/SKILL.md +687 -0
- package/packaged-assets/.agents/skills/rt-finding-document/template.md +71 -0
- package/packaged-assets/.agents/skills/rt-finding-document/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/SKILL.md +216 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-help/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-help/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/SKILL.md +639 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/patterns.txt +27 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-kill-chain-map/SKILL.md +393 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/SKILL.md +1032 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/frameworks.csv +10 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/SKILL.md +668 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/tactics.csv +16 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-osint/SKILL.md +775 -0
- package/packaged-assets/.agents/skills/rt-osint/osint-sources.csv +12 -0
- package/packaged-assets/.agents/skills/rt-osint/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-party-mode/SKILL.md +249 -0
- package/packaged-assets/.agents/skills/rt-party-mode/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-persistence/SKILL.md +1146 -0
- package/packaged-assets/.agents/skills/rt-persistence/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-poc-writer/SKILL.md +640 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/SKILL.md +998 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/windows-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/SKILL.md +1027 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/win-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/SKILL.md +665 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/template.md +28 -0
- package/packaged-assets/.agents/skills/rt-risk-matrix/SKILL.md +232 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-scenario-c001/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c002/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-scenario-c003/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c004/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c005/SKILL.md +72 -0
- package/packaged-assets/.agents/skills/rt-scenario-d001/SKILL.md +378 -0
- package/packaged-assets/.agents/skills/rt-scenario-d002/SKILL.md +392 -0
- package/packaged-assets/.agents/skills/rt-scenario-d003/SKILL.md +522 -0
- package/packaged-assets/.agents/skills/rt-scenario-d004/SKILL.md +373 -0
- package/packaged-assets/.agents/skills/rt-scenario-d005/SKILL.md +458 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/scenarios.csv +32 -0
- package/packaged-assets/.agents/skills/rt-scenario-m001/SKILL.md +796 -0
- package/packaged-assets/.agents/skills/rt-scenario-m002/SKILL.md +723 -0
- package/packaged-assets/.agents/skills/rt-scenario-m003/SKILL.md +463 -0
- package/packaged-assets/.agents/skills/rt-scenario-m004/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-m005/SKILL.md +505 -0
- package/packaged-assets/.agents/skills/rt-scenario-n001/SKILL.md +573 -0
- package/packaged-assets/.agents/skills/rt-scenario-n002/SKILL.md +112 -0
- package/packaged-assets/.agents/skills/rt-scenario-n003/SKILL.md +100 -0
- package/packaged-assets/.agents/skills/rt-scenario-n004/SKILL.md +90 -0
- package/packaged-assets/.agents/skills/rt-scenario-n005/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-w001/SKILL.md +635 -0
- package/packaged-assets/.agents/skills/rt-scenario-w002/SKILL.md +612 -0
- package/packaged-assets/.agents/skills/rt-scenario-w003/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-w004/SKILL.md +648 -0
- package/packaged-assets/.agents/skills/rt-scenario-w005/SKILL.md +479 -0
- package/packaged-assets/.agents/skills/rt-scenario-w006/SKILL.md +443 -0
- package/packaged-assets/.agents/skills/rt-scenario-w007/SKILL.md +494 -0
- package/packaged-assets/.agents/skills/rt-scenario-w008/SKILL.md +576 -0
- package/packaged-assets/.agents/skills/rt-scenario-w009/SKILL.md +518 -0
- package/packaged-assets/.agents/skills/rt-scenario-w010/SKILL.md +574 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/SKILL.md +79 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-shodan-recon/SKILL.md +880 -0
- package/packaged-assets/.agents/skills/rt-status/SKILL.md +64 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/SKILL.md +906 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-technical-report/SKILL.md +710 -0
- package/packaged-assets/.agents/skills/rt-technical-report/template.md +41 -0
- package/packaged-assets/.agents/skills/rt-technical-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-threat-model/SKILL.md +59 -0
- package/packaged-assets/.agents/skills/rt-threat-model/template.md +32 -0
- package/packaged-assets/.agents/skills/rt-threat-model/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-timeline/SKILL.md +338 -0
- package/packaged-assets/RTEXIT.md +127 -0
- package/tools/installer/lib/asset-manifest.js +10 -5
- package/tools/installer/lib/copy-assets.js +5 -2
- /package/{_rtexit → packaged-assets/_rtexit}/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/config.user.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/custom/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/autodoc_engine.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/finding_tracker.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_config.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_customization.py +0 -0
- /package/{resources → packaged-assets/resources}/certifications.md +0 -0
- /package/{resources → packaged-assets/resources}/payloads.md +0 -0
- /package/{resources → packaged-assets/resources}/tools.md +0 -0
- /package/{resources → packaged-assets/resources}/wordlists.md +0 -0
- /package/{templates → packaged-assets/templates}/attack-chain-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report.md +0 -0
- /package/{templates → packaged-assets/templates}/finding-template.md +0 -0
- /package/{templates → packaged-assets/templates}/remediation-roadmap.md +0 -0
- /package/{templates → packaged-assets/templates}/sead-template.md +0 -0
- /package/{templates → packaged-assets/templates}/technical-report.md +0 -0
|
@@ -0,0 +1,880 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: rt-shodan-recon
|
|
3
|
+
description: "Internet-wide asset discovery using Shodan, Censys, and FOFA. Use to find exposed services, open databases, network infrastructure, and vulnerable software versions without directly contacting target systems. Passive reconnaissance using internet scan databases. Requires API keys."
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# rt-shodan-recon
|
|
7
|
+
|
|
8
|
+
## Overview
|
|
9
|
+
|
|
10
|
+
This skill performs passive reconnaissance against internet-wide scan databases (Shodan, Censys, FOFA, ZoomEye) to enumerate exposed services, discover shadow IT, identify vulnerable software, and map network infrastructure belonging to the target organization — all without sending a single packet to target systems.
|
|
11
|
+
|
|
12
|
+
**When to use this skill:**
|
|
13
|
+
- Blackbox engagements where stealth is required before active scanning
|
|
14
|
+
- Pre-engagement asset discovery to understand what the client exposes
|
|
15
|
+
- Identifying forgotten internet-facing services outside the client's own inventory
|
|
16
|
+
- Finding exposed databases, admin panels, VPNs, and industrial systems
|
|
17
|
+
- Discovering credential leaks tied to target infrastructure (combined with other OSINT)
|
|
18
|
+
- Building a comprehensive attack surface map prior to exploitation phases
|
|
19
|
+
|
|
20
|
+
**Primary data sources:**
|
|
21
|
+
| Platform | Coverage | Strength |
|
|
22
|
+
|----------|----------|----------|
|
|
23
|
+
| Shodan | IPv4 internet (crawls continuously) | Best CLI, widest adoption, richest filters |
|
|
24
|
+
| Censys | IPv4 + IPv6, TLS cert graph | Superior certificate and TLS data |
|
|
25
|
+
| FOFA | APAC coverage, Chinese infrastructure | Best for targets with Asian presence |
|
|
26
|
+
| ZoomEye | IPv4 + application fingerprinting | Good overlap, alternative data source |
|
|
27
|
+
| BinaryEdge | Real-time scans, risk scoring | Useful for recent exposure events |
|
|
28
|
+
|
|
29
|
+
**API keys required:** Shodan, Censys, FOFA, ZoomEye — store in `~/.config/rtexit/api_keys.env` (see Output section).
|
|
30
|
+
|
|
31
|
+
---
|
|
32
|
+
|
|
33
|
+
## Skill Levels
|
|
34
|
+
|
|
35
|
+
### BEGINNER
|
|
36
|
+
|
|
37
|
+
Understand the basics: search by organization name and ASN, download results, save to output directory.
|
|
38
|
+
|
|
39
|
+
```bash
|
|
40
|
+
# Install Shodan CLI
|
|
41
|
+
pip3 install shodan censys
|
|
42
|
+
|
|
43
|
+
# Configure Shodan with your API key
|
|
44
|
+
shodan init YOUR_SHODAN_API_KEY
|
|
45
|
+
|
|
46
|
+
# Search by organization name — returns all IPs Shodan sees for that org
|
|
47
|
+
shodan search --fields ip_str,port,org,product,version "org:\"Target Corporation\""
|
|
48
|
+
|
|
49
|
+
# Search by domain to find all hosts Shodan has indexed
|
|
50
|
+
shodan search --fields ip_str,port,hostnames,product "hostname:targetcorp.com"
|
|
51
|
+
|
|
52
|
+
# Look up a single IP for all banner data
|
|
53
|
+
shodan host 203.0.113.42
|
|
54
|
+
|
|
55
|
+
# Export results as JSON for autodoc ingestion
|
|
56
|
+
shodan search --fields ip_str,port,org,product,version,ssl.cert.subject.cn \
|
|
57
|
+
"org:\"Target Corporation\"" \
|
|
58
|
+
--limit 1000 \
|
|
59
|
+
> _rtexit-output/docs/reconnaissance/shodan_org_raw.json
|
|
60
|
+
|
|
61
|
+
# Count results before pulling (saves API credits)
|
|
62
|
+
shodan count "org:\"Target Corporation\""
|
|
63
|
+
shodan count "net:203.0.113.0/24"
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
**Beginner checklist:**
|
|
67
|
+
- [ ] Shodan CLI installed and initialized with API key
|
|
68
|
+
- [ ] Org name search completed
|
|
69
|
+
- [ ] Single IP lookups performed for key hosts
|
|
70
|
+
- [ ] Raw results saved to reconnaissance output directory
|
|
71
|
+
|
|
72
|
+
---
|
|
73
|
+
|
|
74
|
+
### INTERMEDIATE
|
|
75
|
+
|
|
76
|
+
Combine multiple search operators, perform ASN and CIDR sweeps, pull certificate data, identify specific vulnerable services.
|
|
77
|
+
|
|
78
|
+
```bash
|
|
79
|
+
# --- ASN Enumeration ---
|
|
80
|
+
# Find the target's ASN first via BGP data
|
|
81
|
+
curl -s "https://api.bgpview.io/search?query_term=targetcorp.com" | python3 -m json.tool
|
|
82
|
+
# Or using whois
|
|
83
|
+
whois -h whois.radb.net -- '-i origin AS12345' | grep ^route
|
|
84
|
+
|
|
85
|
+
# Shodan: search by ASN
|
|
86
|
+
shodan search --fields ip_str,port,product,version,hostnames \
|
|
87
|
+
"asn:AS12345" --limit 5000 \
|
|
88
|
+
> _rtexit-output/docs/reconnaissance/shodan_asn_AS12345.json
|
|
89
|
+
|
|
90
|
+
# Shodan: CIDR range sweep
|
|
91
|
+
shodan search --fields ip_str,port,product,version \
|
|
92
|
+
"net:203.0.113.0/24" \
|
|
93
|
+
> _rtexit-output/docs/reconnaissance/shodan_cidr_203.0.113.json
|
|
94
|
+
|
|
95
|
+
# --- Certificate-Based Discovery (Censys) ---
|
|
96
|
+
# Find all certs issued to *.targetcorp.com — reveals subdomains
|
|
97
|
+
censys search "parsed.names: targetcorp.com" \
|
|
98
|
+
--index certificates \
|
|
99
|
+
--fields parsed.names,parsed.subject_dn,parsed.issuer_dn,parsed.validity \
|
|
100
|
+
> _rtexit-output/docs/reconnaissance/censys_certs_targetcorp.json
|
|
101
|
+
|
|
102
|
+
# Censys hosts with TLS cert matching target org
|
|
103
|
+
censys search "services.tls.certificates.leaf_data.subject.organization: \"Target Corporation\"" \
|
|
104
|
+
--index hosts \
|
|
105
|
+
> _rtexit-output/docs/reconnaissance/censys_hosts_tls.json
|
|
106
|
+
|
|
107
|
+
# --- Find Exposed Services ---
|
|
108
|
+
# RDP exposed to internet
|
|
109
|
+
shodan search --fields ip_str,port,org "org:\"Target Corporation\" port:3389"
|
|
110
|
+
|
|
111
|
+
# VPN appliances (Pulse Secure, Fortinet, Cisco)
|
|
112
|
+
shodan search "org:\"Target Corporation\" product:\"Pulse Secure\""
|
|
113
|
+
shodan search "org:\"Target Corporation\" http.title:\"SSL VPN\""
|
|
114
|
+
shodan search "org:\"Target Corporation\" product:\"FortiGate\""
|
|
115
|
+
|
|
116
|
+
# Exposed databases
|
|
117
|
+
shodan search "org:\"Target Corporation\" product:MongoDB"
|
|
118
|
+
shodan search "org:\"Target Corporation\" product:\"Elasticsearch\""
|
|
119
|
+
shodan search "org:\"Target Corporation\" product:\"Redis\""
|
|
120
|
+
shodan search "org:\"Target Corporation\" port:5432 product:PostgreSQL"
|
|
121
|
+
shodan search "org:\"Target Corporation\" port:1433 product:\"Microsoft SQL Server\""
|
|
122
|
+
|
|
123
|
+
# Industrial control systems / SCADA
|
|
124
|
+
shodan search "org:\"Target Corporation\" tag:ics"
|
|
125
|
+
shodan search "org:\"Target Corporation\" port:102" # Siemens S7
|
|
126
|
+
shodan search "org:\"Target Corporation\" port:502" # Modbus
|
|
127
|
+
|
|
128
|
+
# --- Shodan Facets (aggregated stats without pulling all records) ---
|
|
129
|
+
shodan stats --facets port,product "org:\"Target Corporation\""
|
|
130
|
+
|
|
131
|
+
# --- Pull full host data for a CIDR range ---
|
|
132
|
+
shodan download --limit 10000 targetcorp_net net:203.0.113.0/24
|
|
133
|
+
shodan parse --fields ip_str,port,product,version targetcorp_net.json.gz \
|
|
134
|
+
> _rtexit-output/docs/reconnaissance/shodan_parsed_net.csv
|
|
135
|
+
```
|
|
136
|
+
|
|
137
|
+
**Intermediate checklist:**
|
|
138
|
+
- [ ] ASN identified and all associated IP ranges documented
|
|
139
|
+
- [ ] Certificate data pulled from Censys — new subdomains identified
|
|
140
|
+
- [ ] Key exposed services (RDP, VPN, DB) inventoried
|
|
141
|
+
- [ ] Facets run to understand port/product distribution
|
|
142
|
+
- [ ] Results parsed to CSV for reporting
|
|
143
|
+
|
|
144
|
+
---
|
|
145
|
+
|
|
146
|
+
### ADVANCED
|
|
147
|
+
|
|
148
|
+
Shodan dorks, vulnerability filters, historical data, FOFA queries, Python automation, banner analysis.
|
|
149
|
+
|
|
150
|
+
```bash
|
|
151
|
+
# --- Shodan Dorks for High-Value Targets ---
|
|
152
|
+
|
|
153
|
+
# Admin panels
|
|
154
|
+
shodan search "org:\"Target Corporation\" http.title:\"Admin\""
|
|
155
|
+
shodan search "org:\"Target Corporation\" http.title:\"Dashboard\""
|
|
156
|
+
shodan search "org:\"Target Corporation\" http.title:\"phpMyAdmin\""
|
|
157
|
+
shodan search "org:\"Target Corporation\" http.title:\"Kibana\""
|
|
158
|
+
shodan search "org:\"Target Corporation\" http.title:\"Grafana\""
|
|
159
|
+
|
|
160
|
+
# Default credentials / setup pages
|
|
161
|
+
shodan search "org:\"Target Corporation\" http.title:\"Setup\""
|
|
162
|
+
shodan search "org:\"Target Corporation\" http.title:\"Installation\""
|
|
163
|
+
shodan search "org:\"Target Corporation\" http.title:\"Welcome to nginx\""
|
|
164
|
+
|
|
165
|
+
# Exposed Git repos
|
|
166
|
+
shodan search "org:\"Target Corporation\" http.title:\"Index of /.git\""
|
|
167
|
+
|
|
168
|
+
# Citrix / remote access
|
|
169
|
+
shodan search "org:\"Target Corporation\" http.title:\"Citrix Gateway\""
|
|
170
|
+
shodan search "org:\"Target Corporation\" http.title:\"NetScaler\""
|
|
171
|
+
|
|
172
|
+
# Microsoft Exchange / OWA
|
|
173
|
+
shodan search "org:\"Target Corporation\" http.title:\"Outlook Web App\""
|
|
174
|
+
shodan search "org:\"Target Corporation\" http.title:\"Microsoft Exchange\""
|
|
175
|
+
shodan search "org:\"Target Corporation\" product:\"Microsoft Exchange httpapi\""
|
|
176
|
+
|
|
177
|
+
# JIRA / Confluence (common data exfil targets)
|
|
178
|
+
shodan search "org:\"Target Corporation\" http.title:\"Jira\""
|
|
179
|
+
shodan search "org:\"Target Corporation\" http.title:\"Confluence\""
|
|
180
|
+
|
|
181
|
+
# Exposed S3-style storage proxies
|
|
182
|
+
shodan search "org:\"Target Corporation\" http.title:\"Minio\""
|
|
183
|
+
|
|
184
|
+
# Printers and IoT
|
|
185
|
+
shodan search "org:\"Target Corporation\" http.title:\"Printer\""
|
|
186
|
+
shodan search "org:\"Target Corporation\" port:9100" # Raw printing
|
|
187
|
+
|
|
188
|
+
# --- CVE-based Vulnerability Searches ---
|
|
189
|
+
# Shodan vuln filter (requires Membership or above)
|
|
190
|
+
shodan search "org:\"Target Corporation\" vuln:CVE-2021-44228" # Log4Shell
|
|
191
|
+
shodan search "org:\"Target Corporation\" vuln:CVE-2021-26855" # ProxyLogon Exchange
|
|
192
|
+
shodan search "org:\"Target Corporation\" vuln:CVE-2019-19781" # Citrix ADC
|
|
193
|
+
shodan search "org:\"Target Corporation\" vuln:CVE-2022-26134" # Confluence RCE
|
|
194
|
+
shodan search "org:\"Target Corporation\" vuln:CVE-2023-23397" # Outlook NTLM
|
|
195
|
+
|
|
196
|
+
# --- Historical Data ---
|
|
197
|
+
# Pull historical banners for an IP (shows what was running before)
|
|
198
|
+
shodan host --history 203.0.113.42
|
|
199
|
+
|
|
200
|
+
# --- FOFA Queries ---
|
|
201
|
+
# FOFA syntax differs from Shodan — use domain, title, cert operators
|
|
202
|
+
# FOFA base URL: https://fofa.info/
|
|
203
|
+
# CLI: pip3 install fofa-cli
|
|
204
|
+
fofa search 'domain="targetcorp.com"'
|
|
205
|
+
fofa search 'cert="targetcorp.com" && country="US"'
|
|
206
|
+
fofa search 'org="Target Corporation" && port="3389"'
|
|
207
|
+
fofa search 'title="Target Corporation" && app="Apache"'
|
|
208
|
+
|
|
209
|
+
# Export FOFA results to CSV
|
|
210
|
+
fofa search --fields "ip,port,title,country,city,protocol,server" \
|
|
211
|
+
'cert="targetcorp.com"' \
|
|
212
|
+
--size 1000 \
|
|
213
|
+
--format csv \
|
|
214
|
+
> _rtexit-output/docs/reconnaissance/fofa_cert_targetcorp.csv
|
|
215
|
+
|
|
216
|
+
# --- ZoomEye ---
|
|
217
|
+
# pip3 install zoomeye-sdk
|
|
218
|
+
zoomeye search "org:\"Target Corporation\""
|
|
219
|
+
zoomeye search "hostname:targetcorp.com"
|
|
220
|
+
zoomeye search "site:targetcorp.com +port:22"
|
|
221
|
+
|
|
222
|
+
# --- Censys Advanced ---
|
|
223
|
+
# Find hosts running specific software version
|
|
224
|
+
censys search "services.software.product: \"Apache\" AND services.software.version: \"2.4.49\"" \
|
|
225
|
+
--index hosts
|
|
226
|
+
|
|
227
|
+
# Hosts with expired or self-signed certs (often forgotten/shadow IT)
|
|
228
|
+
censys search "services.tls.certificates.leaf_data.subject.organization: \"Target Corporation\" AND services.tls.certificates.leaf_data.issuer.organization: \"Target Corporation\"" \
|
|
229
|
+
--index hosts
|
|
230
|
+
|
|
231
|
+
# --- BinaryEdge ---
|
|
232
|
+
# pip3 install pybinaryedge
|
|
233
|
+
binaryedge host 203.0.113.42
|
|
234
|
+
binaryedge search "org:\"Target Corporation\""
|
|
235
|
+
binaryedge search "hostname:targetcorp.com" --type services
|
|
236
|
+
```
|
|
237
|
+
|
|
238
|
+
**Advanced checklist:**
|
|
239
|
+
- [ ] All admin panel / login page exposure documented
|
|
240
|
+
- [ ] CVE-specific searches run against all known CVEs in current threat list
|
|
241
|
+
- [ ] Historical data reviewed for recently decommissioned services
|
|
242
|
+
- [ ] FOFA + ZoomEye run to cross-validate Shodan findings
|
|
243
|
+
- [ ] BinaryEdge risk scoring pulled for key IPs
|
|
244
|
+
|
|
245
|
+
---
|
|
246
|
+
|
|
247
|
+
### EXPERT
|
|
248
|
+
|
|
249
|
+
Full automation with Python SDK, bulk ASN/CIDR correlation, integration with RTExit autodoc engine, custom Shodan facet dashboards, continuous monitoring setup.
|
|
250
|
+
|
|
251
|
+
```bash
|
|
252
|
+
# --- Python Shodan SDK Automation ---
|
|
253
|
+
# Save as: scripts/shodan_bulk_recon.py
|
|
254
|
+
```
|
|
255
|
+
|
|
256
|
+
```python
|
|
257
|
+
#!/usr/bin/env python3
|
|
258
|
+
"""
|
|
259
|
+
rt-shodan-recon bulk automation script
|
|
260
|
+
Integrates with RTExit autodoc engine
|
|
261
|
+
Usage: python3 shodan_bulk_recon.py --org "Target Corporation" --asn AS12345 --cidr 203.0.113.0/24
|
|
262
|
+
"""
|
|
263
|
+
|
|
264
|
+
import shodan
|
|
265
|
+
import censys.search
|
|
266
|
+
import json
|
|
267
|
+
import csv
|
|
268
|
+
import argparse
|
|
269
|
+
import os
|
|
270
|
+
import sys
|
|
271
|
+
from datetime import datetime
|
|
272
|
+
from pathlib import Path
|
|
273
|
+
|
|
274
|
+
OUTPUT_BASE = Path("_rtexit-output/docs/reconnaissance")
|
|
275
|
+
SHODAN_API_KEY = os.environ.get("SHODAN_API_KEY")
|
|
276
|
+
CENSYS_API_ID = os.environ.get("CENSYS_API_ID")
|
|
277
|
+
CENSYS_API_SECRET = os.environ.get("CENSYS_API_SECRET")
|
|
278
|
+
|
|
279
|
+
VULN_CVES = [
|
|
280
|
+
"CVE-2021-44228", # Log4Shell
|
|
281
|
+
"CVE-2021-26855", # ProxyLogon
|
|
282
|
+
"CVE-2019-19781", # Citrix ADC
|
|
283
|
+
"CVE-2022-26134", # Confluence RCE
|
|
284
|
+
"CVE-2023-23397", # Outlook NTLM
|
|
285
|
+
"CVE-2022-22965", # Spring4Shell
|
|
286
|
+
"CVE-2021-21985", # VMware vCenter
|
|
287
|
+
"CVE-2020-5902", # F5 BIG-IP
|
|
288
|
+
]
|
|
289
|
+
|
|
290
|
+
HIGH_VALUE_TITLES = [
|
|
291
|
+
"phpMyAdmin", "Kibana", "Grafana", "Admin", "Dashboard",
|
|
292
|
+
"Jira", "Confluence", "NetScaler", "Citrix Gateway",
|
|
293
|
+
"Outlook Web App", "Minio", "GitLab", "Jenkins",
|
|
294
|
+
"SonarQube", "Rancher", "Portainer",
|
|
295
|
+
]
|
|
296
|
+
|
|
297
|
+
|
|
298
|
+
def init_shodan():
|
|
299
|
+
if not SHODAN_API_KEY:
|
|
300
|
+
print("[!] SHODAN_API_KEY not set in environment", file=sys.stderr)
|
|
301
|
+
sys.exit(1)
|
|
302
|
+
return shodan.Shodan(SHODAN_API_KEY)
|
|
303
|
+
|
|
304
|
+
|
|
305
|
+
def shodan_search_paginated(api, query, max_results=1000):
|
|
306
|
+
"""Pull all pages of Shodan results for a query."""
|
|
307
|
+
results = []
|
|
308
|
+
try:
|
|
309
|
+
count = api.count(query)["total"]
|
|
310
|
+
print(f"[*] Shodan: '{query}' -> {count} results (pulling up to {max_results})")
|
|
311
|
+
for result in api.search_cursor(query):
|
|
312
|
+
results.append(result)
|
|
313
|
+
if len(results) >= max_results:
|
|
314
|
+
break
|
|
315
|
+
except shodan.APIError as e:
|
|
316
|
+
print(f"[!] Shodan API error: {e}", file=sys.stderr)
|
|
317
|
+
return results
|
|
318
|
+
|
|
319
|
+
|
|
320
|
+
def run_org_search(api, org_name, output_dir):
|
|
321
|
+
query = f'org:"{org_name}"'
|
|
322
|
+
results = shodan_search_paginated(api, query)
|
|
323
|
+
out_file = output_dir / "shodan_org_full.json"
|
|
324
|
+
with open(out_file, "w") as f:
|
|
325
|
+
json.dump(results, f, indent=2, default=str)
|
|
326
|
+
print(f"[+] Org results saved: {out_file} ({len(results)} hosts)")
|
|
327
|
+
return results
|
|
328
|
+
|
|
329
|
+
|
|
330
|
+
def run_vuln_search(api, org_name, output_dir):
|
|
331
|
+
vuln_hits = {}
|
|
332
|
+
for cve in VULN_CVES:
|
|
333
|
+
query = f'org:"{org_name}" vuln:{cve}'
|
|
334
|
+
results = shodan_search_paginated(api, query, max_results=500)
|
|
335
|
+
if results:
|
|
336
|
+
vuln_hits[cve] = results
|
|
337
|
+
print(f"[!] CRITICAL: {len(results)} host(s) potentially vulnerable to {cve}")
|
|
338
|
+
out_file = output_dir / "shodan_vuln_hits.json"
|
|
339
|
+
with open(out_file, "w") as f:
|
|
340
|
+
json.dump(vuln_hits, f, indent=2, default=str)
|
|
341
|
+
print(f"[+] Vulnerability hits saved: {out_file}")
|
|
342
|
+
return vuln_hits
|
|
343
|
+
|
|
344
|
+
|
|
345
|
+
def run_title_search(api, org_name, output_dir):
|
|
346
|
+
title_hits = {}
|
|
347
|
+
for title in HIGH_VALUE_TITLES:
|
|
348
|
+
query = f'org:"{org_name}" http.title:"{title}"'
|
|
349
|
+
results = shodan_search_paginated(api, query, max_results=200)
|
|
350
|
+
if results:
|
|
351
|
+
title_hits[title] = results
|
|
352
|
+
print(f"[+] Found '{title}' on {len(results)} host(s)")
|
|
353
|
+
out_file = output_dir / "shodan_admin_panels.json"
|
|
354
|
+
with open(out_file, "w") as f:
|
|
355
|
+
json.dump(title_hits, f, indent=2, default=str)
|
|
356
|
+
return title_hits
|
|
357
|
+
|
|
358
|
+
|
|
359
|
+
def generate_summary_csv(org_results, vuln_hits, output_dir):
|
|
360
|
+
"""Generate operator-friendly CSV summary for reporting."""
|
|
361
|
+
rows = []
|
|
362
|
+
for host in org_results:
|
|
363
|
+
ip = host.get("ip_str", "")
|
|
364
|
+
for item in host.get("data", [host]):
|
|
365
|
+
rows.append({
|
|
366
|
+
"ip": ip,
|
|
367
|
+
"port": item.get("port", ""),
|
|
368
|
+
"product": item.get("product", ""),
|
|
369
|
+
"version": item.get("version", ""),
|
|
370
|
+
"org": item.get("org", ""),
|
|
371
|
+
"hostnames": ", ".join(item.get("hostnames", [])),
|
|
372
|
+
"country": item.get("location", {}).get("country_name", ""),
|
|
373
|
+
"city": item.get("location", {}).get("city", ""),
|
|
374
|
+
"cves": ", ".join([c for c, hits in vuln_hits.items()
|
|
375
|
+
if any(h.get("ip_str") == ip for h in hits)]),
|
|
376
|
+
"timestamp": item.get("timestamp", ""),
|
|
377
|
+
})
|
|
378
|
+
out_file = output_dir / "shodan_summary.csv"
|
|
379
|
+
if rows:
|
|
380
|
+
with open(out_file, "w", newline="") as f:
|
|
381
|
+
writer = csv.DictWriter(f, fieldnames=rows[0].keys())
|
|
382
|
+
writer.writeheader()
|
|
383
|
+
writer.writerows(rows)
|
|
384
|
+
print(f"[+] Summary CSV saved: {out_file} ({len(rows)} rows)")
|
|
385
|
+
|
|
386
|
+
|
|
387
|
+
def autodoc_log(output_dir, org_name, host_count, vuln_count):
|
|
388
|
+
"""Write a machine-readable log entry for the RTExit autodoc engine."""
|
|
389
|
+
log_entry = {
|
|
390
|
+
"skill": "rt-shodan-recon",
|
|
391
|
+
"timestamp": datetime.utcnow().isoformat() + "Z",
|
|
392
|
+
"target_org": org_name,
|
|
393
|
+
"hosts_discovered": host_count,
|
|
394
|
+
"vuln_cve_hits": vuln_count,
|
|
395
|
+
"output_files": [
|
|
396
|
+
str(output_dir / "shodan_org_full.json"),
|
|
397
|
+
str(output_dir / "shodan_vuln_hits.json"),
|
|
398
|
+
str(output_dir / "shodan_admin_panels.json"),
|
|
399
|
+
str(output_dir / "shodan_summary.csv"),
|
|
400
|
+
str(output_dir / "censys_certs.json"),
|
|
401
|
+
],
|
|
402
|
+
}
|
|
403
|
+
log_file = output_dir / "shodan_recon_autodoc.json"
|
|
404
|
+
with open(log_file, "w") as f:
|
|
405
|
+
json.dump(log_entry, f, indent=2)
|
|
406
|
+
print(f"[+] Autodoc log written: {log_file}")
|
|
407
|
+
|
|
408
|
+
|
|
409
|
+
def main():
|
|
410
|
+
parser = argparse.ArgumentParser(description="RTExit Shodan Bulk Recon")
|
|
411
|
+
parser.add_argument("--org", required=True, help='Organization name e.g. "Target Corporation"')
|
|
412
|
+
parser.add_argument("--asn", help="ASN number e.g. AS12345")
|
|
413
|
+
parser.add_argument("--cidr", help="CIDR range e.g. 203.0.113.0/24")
|
|
414
|
+
parser.add_argument("--out", default=str(OUTPUT_BASE), help="Output directory")
|
|
415
|
+
args = parser.parse_args()
|
|
416
|
+
|
|
417
|
+
output_dir = Path(args.out)
|
|
418
|
+
output_dir.mkdir(parents=True, exist_ok=True)
|
|
419
|
+
|
|
420
|
+
api = init_shodan()
|
|
421
|
+
|
|
422
|
+
print(f"\n[*] Starting Shodan recon for org: {args.org}")
|
|
423
|
+
org_results = run_org_search(api, args.org, output_dir)
|
|
424
|
+
vuln_hits = run_vuln_search(api, args.org, output_dir)
|
|
425
|
+
run_title_search(api, args.org, output_dir)
|
|
426
|
+
generate_summary_csv(org_results, vuln_hits, output_dir)
|
|
427
|
+
|
|
428
|
+
total_vuln_hosts = sum(len(v) for v in vuln_hits.values())
|
|
429
|
+
autodoc_log(output_dir, args.org, len(org_results), total_vuln_hosts)
|
|
430
|
+
|
|
431
|
+
print(f"\n[*] Recon complete. {len(org_results)} hosts, {total_vuln_hosts} vuln hits.")
|
|
432
|
+
|
|
433
|
+
|
|
434
|
+
if __name__ == "__main__":
|
|
435
|
+
main()
|
|
436
|
+
```
|
|
437
|
+
|
|
438
|
+
```bash
|
|
439
|
+
# Run the automation script
|
|
440
|
+
export SHODAN_API_KEY="your_key_here"
|
|
441
|
+
export CENSYS_API_ID="your_id_here"
|
|
442
|
+
export CENSYS_API_SECRET="your_secret_here"
|
|
443
|
+
|
|
444
|
+
python3 .agents/skills/rt-shodan-recon/scripts/shodan_bulk_recon.py \
|
|
445
|
+
--org "Target Corporation" \
|
|
446
|
+
--asn AS12345 \
|
|
447
|
+
--cidr 203.0.113.0/24
|
|
448
|
+
|
|
449
|
+
# --- Continuous Monitoring (cron-based alert for new exposures) ---
|
|
450
|
+
# Install as cron to detect new services appearing on the internet
|
|
451
|
+
# Requires: pip3 install shodan diffoscope
|
|
452
|
+
|
|
453
|
+
# daily_shodan_monitor.sh
|
|
454
|
+
#!/bin/bash
|
|
455
|
+
DATE=$(date +%Y%m%d)
|
|
456
|
+
PREV_DATE=$(date -d "yesterday" +%Y%m%d)
|
|
457
|
+
ORG="Target Corporation"
|
|
458
|
+
OUT_DIR="_rtexit-output/docs/reconnaissance/monitoring"
|
|
459
|
+
mkdir -p "$OUT_DIR"
|
|
460
|
+
|
|
461
|
+
shodan search --fields ip_str,port,product,version \
|
|
462
|
+
"org:\"$ORG\"" --limit 5000 \
|
|
463
|
+
> "$OUT_DIR/shodan_${DATE}.json"
|
|
464
|
+
|
|
465
|
+
if [ -f "$OUT_DIR/shodan_${PREV_DATE}.json" ]; then
|
|
466
|
+
diff "$OUT_DIR/shodan_${PREV_DATE}.json" "$OUT_DIR/shodan_${DATE}.json" \
|
|
467
|
+
> "$OUT_DIR/delta_${DATE}.diff"
|
|
468
|
+
echo "[*] Delta saved: $OUT_DIR/delta_${DATE}.diff"
|
|
469
|
+
fi
|
|
470
|
+
|
|
471
|
+
# --- Subdomain Discovery via Certificate Transparency + Shodan ---
|
|
472
|
+
# Pull all known certs for the target domain from crt.sh
|
|
473
|
+
curl -s "https://crt.sh/?q=%25.targetcorp.com&output=json" \
|
|
474
|
+
| python3 -c "
|
|
475
|
+
import json,sys
|
|
476
|
+
data = json.load(sys.stdin)
|
|
477
|
+
names = set()
|
|
478
|
+
for cert in data:
|
|
479
|
+
for name in cert.get('name_value','').split('\n'):
|
|
480
|
+
name = name.strip().lstrip('*.')
|
|
481
|
+
if name:
|
|
482
|
+
names.add(name)
|
|
483
|
+
for n in sorted(names):
|
|
484
|
+
print(n)
|
|
485
|
+
" > _rtexit-output/docs/reconnaissance/subdomains_crtsh.txt
|
|
486
|
+
|
|
487
|
+
# Feed discovered subdomains into Shodan
|
|
488
|
+
while IFS= read -r subdomain; do
|
|
489
|
+
shodan search --fields ip_str,port,product \
|
|
490
|
+
"hostname:${subdomain}" >> \
|
|
491
|
+
_rtexit-output/docs/reconnaissance/shodan_subdomains.json
|
|
492
|
+
done < _rtexit-output/docs/reconnaissance/subdomains_crtsh.txt
|
|
493
|
+
|
|
494
|
+
# --- Integrate with RTExit autodoc engine ---
|
|
495
|
+
python3 _rtexit/scripts/autodoc_engine.py log-activity \
|
|
496
|
+
--phase reconnaissance \
|
|
497
|
+
--tool shodan \
|
|
498
|
+
--description "Shodan internet-wide asset discovery completed" \
|
|
499
|
+
--output-file _rtexit-output/docs/reconnaissance/shodan_recon_autodoc.json
|
|
500
|
+
```
|
|
501
|
+
|
|
502
|
+
**Expert checklist:**
|
|
503
|
+
- [ ] Bulk Python automation script executed and results aggregated
|
|
504
|
+
- [ ] CVE vulnerability scan run against all known critical CVEs
|
|
505
|
+
- [ ] Admin panel / high-value title discovery completed
|
|
506
|
+
- [ ] CT log subdomains cross-referenced with Shodan
|
|
507
|
+
- [ ] Continuous monitoring cron configured for duration of engagement
|
|
508
|
+
- [ ] Autodoc engine log entry written for audit trail
|
|
509
|
+
- [ ] Delta diff configured to detect new exposures
|
|
510
|
+
|
|
511
|
+
---
|
|
512
|
+
|
|
513
|
+
## Step-by-Step Engagement Workflow
|
|
514
|
+
|
|
515
|
+
Follow these steps in order at the start of every engagement where external reconnaissance is authorized.
|
|
516
|
+
|
|
517
|
+
### Step 1 — Environment Setup
|
|
518
|
+
|
|
519
|
+
```bash
|
|
520
|
+
# Create output directories
|
|
521
|
+
mkdir -p _rtexit-output/docs/reconnaissance/{shodan,censys,fofa,certs,monitoring}
|
|
522
|
+
|
|
523
|
+
# Install required tools
|
|
524
|
+
pip3 install shodan censys fofa-cli zoomeye-sdk pybinaryedge requests dnspython
|
|
525
|
+
|
|
526
|
+
# Configure API keys (store in env file, never commit to git)
|
|
527
|
+
cat >> ~/.config/rtexit/api_keys.env <<'EOF'
|
|
528
|
+
export SHODAN_API_KEY="YOUR_SHODAN_KEY"
|
|
529
|
+
export CENSYS_API_ID="YOUR_CENSYS_ID"
|
|
530
|
+
export CENSYS_API_SECRET="YOUR_CENSYS_SECRET"
|
|
531
|
+
export FOFA_EMAIL="your@email.com"
|
|
532
|
+
export FOFA_KEY="YOUR_FOFA_KEY"
|
|
533
|
+
export ZOOMEYE_API_KEY="YOUR_ZOOMEYE_KEY"
|
|
534
|
+
export BINARYEDGE_KEY="YOUR_BINARYEDGE_KEY"
|
|
535
|
+
EOF
|
|
536
|
+
|
|
537
|
+
source ~/.config/rtexit/api_keys.env
|
|
538
|
+
|
|
539
|
+
# Initialize Shodan CLI
|
|
540
|
+
shodan init "$SHODAN_API_KEY"
|
|
541
|
+
|
|
542
|
+
# Verify Shodan account plan and remaining query credits
|
|
543
|
+
shodan info
|
|
544
|
+
```
|
|
545
|
+
|
|
546
|
+
### Step 2 — Target Profile Collection
|
|
547
|
+
|
|
548
|
+
```bash
|
|
549
|
+
# Collect all known identifiers for the target
|
|
550
|
+
TARGET_ORG="Target Corporation"
|
|
551
|
+
TARGET_DOMAIN="targetcorp.com"
|
|
552
|
+
TARGET_ASN="AS12345"
|
|
553
|
+
TARGET_CIDR="203.0.113.0/24"
|
|
554
|
+
|
|
555
|
+
# Enumerate all IP ranges owned by the target via ARIN/RIPE/APNIC
|
|
556
|
+
whois -h whois.arin.net "org:TARGETCORP" | grep -E "^(NetRange|CIDR|OrgName)"
|
|
557
|
+
|
|
558
|
+
# BGP prefix lookup
|
|
559
|
+
curl -s "https://api.bgpview.io/asn/${TARGET_ASN}/prefixes" \
|
|
560
|
+
| python3 -c "
|
|
561
|
+
import json,sys
|
|
562
|
+
d = json.load(sys.stdin)
|
|
563
|
+
for p in d.get('data',{}).get('ipv4_prefixes',[]):
|
|
564
|
+
print(p['prefix'], p.get('description',''))
|
|
565
|
+
" > _rtexit-output/docs/reconnaissance/bgp_prefixes.txt
|
|
566
|
+
|
|
567
|
+
cat _rtexit-output/docs/reconnaissance/bgp_prefixes.txt
|
|
568
|
+
```
|
|
569
|
+
|
|
570
|
+
### Step 3 — Shodan Discovery
|
|
571
|
+
|
|
572
|
+
```bash
|
|
573
|
+
# Run all standard searches and save raw results
|
|
574
|
+
TARGET_ORG="Target Corporation"
|
|
575
|
+
OUTDIR="_rtexit-output/docs/reconnaissance/shodan"
|
|
576
|
+
|
|
577
|
+
# Primary org search
|
|
578
|
+
shodan search --fields ip_str,port,org,product,version,hostnames,ssl.cert.subject.cn \
|
|
579
|
+
"org:\"${TARGET_ORG}\"" --limit 10000 \
|
|
580
|
+
> "${OUTDIR}/01_org_search.json"
|
|
581
|
+
|
|
582
|
+
# By domain hostnames
|
|
583
|
+
shodan search --fields ip_str,port,product,version,hostnames \
|
|
584
|
+
"hostname:${TARGET_DOMAIN}" --limit 5000 \
|
|
585
|
+
> "${OUTDIR}/02_hostname_search.json"
|
|
586
|
+
|
|
587
|
+
# By SSL certificate CN
|
|
588
|
+
shodan search --fields ip_str,port,ssl.cert.subject.cn,ssl.cert.issuer.cn \
|
|
589
|
+
"ssl.cert.subject.cn:\"${TARGET_DOMAIN}\"" --limit 5000 \
|
|
590
|
+
> "${OUTDIR}/03_ssl_cert_search.json"
|
|
591
|
+
|
|
592
|
+
# Aggregated stats
|
|
593
|
+
shodan stats --facets port,product,country,org "org:\"${TARGET_ORG}\"" \
|
|
594
|
+
> "${OUTDIR}/04_facets.txt"
|
|
595
|
+
```
|
|
596
|
+
|
|
597
|
+
### Step 4 — Censys Certificate Enumeration
|
|
598
|
+
|
|
599
|
+
```bash
|
|
600
|
+
OUTDIR="_rtexit-output/docs/reconnaissance/censys"
|
|
601
|
+
|
|
602
|
+
# Certificate transparency search
|
|
603
|
+
censys search "parsed.names: ${TARGET_DOMAIN}" \
|
|
604
|
+
--index certificates \
|
|
605
|
+
--fields parsed.names,parsed.subject_dn,parsed.validity.start,parsed.validity.end \
|
|
606
|
+
--max-records 5000 \
|
|
607
|
+
> "${OUTDIR}/01_certs_by_domain.json"
|
|
608
|
+
|
|
609
|
+
# Host enumeration via TLS cert org field
|
|
610
|
+
censys search "services.tls.certificates.leaf_data.subject.organization: \"${TARGET_ORG}\"" \
|
|
611
|
+
--index hosts \
|
|
612
|
+
--fields ip,services.port,services.service_name,services.software \
|
|
613
|
+
> "${OUTDIR}/02_hosts_by_org_tls.json"
|
|
614
|
+
|
|
615
|
+
# Extract unique subdomains from cert data
|
|
616
|
+
python3 -c "
|
|
617
|
+
import json
|
|
618
|
+
with open('${OUTDIR}/01_certs_by_domain.json') as f:
|
|
619
|
+
data = json.load(f)
|
|
620
|
+
names = set()
|
|
621
|
+
for cert in data.get('result',{}).get('hits',[]):
|
|
622
|
+
for name in cert.get('parsed.names',[]):
|
|
623
|
+
names.add(name.lstrip('*.'))
|
|
624
|
+
for n in sorted(names):
|
|
625
|
+
print(n)
|
|
626
|
+
" > _rtexit-output/docs/reconnaissance/certs/unique_subdomains.txt
|
|
627
|
+
|
|
628
|
+
echo "[*] Unique subdomains discovered:"
|
|
629
|
+
wc -l < _rtexit-output/docs/reconnaissance/certs/unique_subdomains.txt
|
|
630
|
+
```
|
|
631
|
+
|
|
632
|
+
### Step 5 — FOFA Cross-Validation
|
|
633
|
+
|
|
634
|
+
```bash
|
|
635
|
+
OUTDIR="_rtexit-output/docs/reconnaissance/fofa"
|
|
636
|
+
|
|
637
|
+
# By certificate
|
|
638
|
+
fofa search --fields "ip,port,title,country,city,protocol,server,cert" \
|
|
639
|
+
"cert=\"${TARGET_DOMAIN}\"" \
|
|
640
|
+
--size 1000 --format json \
|
|
641
|
+
> "${OUTDIR}/01_fofa_cert.json"
|
|
642
|
+
|
|
643
|
+
# By organization
|
|
644
|
+
fofa search --fields "ip,port,title,org,country" \
|
|
645
|
+
"org=\"${TARGET_ORG}\"" \
|
|
646
|
+
--size 1000 --format json \
|
|
647
|
+
> "${OUTDIR}/02_fofa_org.json"
|
|
648
|
+
|
|
649
|
+
# Find Confluence/Jira (common data targets)
|
|
650
|
+
fofa search --fields "ip,port,title,country" \
|
|
651
|
+
"cert=\"${TARGET_DOMAIN}\" && (title=\"Jira\" || title=\"Confluence\")" \
|
|
652
|
+
--format json > "${OUTDIR}/03_fofa_jira_confluence.json"
|
|
653
|
+
```
|
|
654
|
+
|
|
655
|
+
### Step 6 — Vulnerability Assessment
|
|
656
|
+
|
|
657
|
+
```bash
|
|
658
|
+
# Run CVE-targeted Shodan queries
|
|
659
|
+
OUTDIR="_rtexit-output/docs/reconnaissance/shodan"
|
|
660
|
+
CVES=(
|
|
661
|
+
"CVE-2021-44228" "CVE-2021-26855" "CVE-2019-19781"
|
|
662
|
+
"CVE-2022-26134" "CVE-2023-23397" "CVE-2022-22965"
|
|
663
|
+
"CVE-2021-21985" "CVE-2020-5902" "CVE-2021-34473"
|
|
664
|
+
"CVE-2023-20198" "CVE-2024-21762"
|
|
665
|
+
)
|
|
666
|
+
|
|
667
|
+
for CVE in "${CVES[@]}"; do
|
|
668
|
+
COUNT=$(shodan count "org:\"${TARGET_ORG}\" vuln:${CVE}")
|
|
669
|
+
if [ "$COUNT" -gt 0 ]; then
|
|
670
|
+
echo "[CRITICAL] ${CVE}: ${COUNT} host(s) potentially vulnerable"
|
|
671
|
+
shodan search --fields ip_str,port,product,version \
|
|
672
|
+
"org:\"${TARGET_ORG}\" vuln:${CVE}" \
|
|
673
|
+
> "${OUTDIR}/vuln_${CVE}.json"
|
|
674
|
+
fi
|
|
675
|
+
done
|
|
676
|
+
```
|
|
677
|
+
|
|
678
|
+
### Step 7 — Aggregate and Generate Report
|
|
679
|
+
|
|
680
|
+
```bash
|
|
681
|
+
# Run the Python automation script for full aggregation
|
|
682
|
+
python3 .agents/skills/rt-shodan-recon/scripts/shodan_bulk_recon.py \
|
|
683
|
+
--org "${TARGET_ORG}" \
|
|
684
|
+
--asn "${TARGET_ASN}" \
|
|
685
|
+
--out "_rtexit-output/docs/reconnaissance"
|
|
686
|
+
|
|
687
|
+
# Log activity to RTExit autodoc engine
|
|
688
|
+
python3 _rtexit/scripts/autodoc_engine.py log-activity \
|
|
689
|
+
--phase reconnaissance \
|
|
690
|
+
--tool "shodan,censys,fofa" \
|
|
691
|
+
--description "Passive internet-wide asset discovery via scan databases" \
|
|
692
|
+
--output-file _rtexit-output/docs/reconnaissance/shodan_recon_autodoc.json \
|
|
693
|
+
--notes "No packets sent to target — fully passive"
|
|
694
|
+
```
|
|
695
|
+
|
|
696
|
+
### Step 8 — Feed Discovered Assets into Active Recon
|
|
697
|
+
|
|
698
|
+
```bash
|
|
699
|
+
# Extract unique IPs from all Shodan results for nmap (active — confirm in-scope first)
|
|
700
|
+
python3 -c "
|
|
701
|
+
import json, glob
|
|
702
|
+
ips = set()
|
|
703
|
+
for f in glob.glob('_rtexit-output/docs/reconnaissance/shodan/*.json'):
|
|
704
|
+
try:
|
|
705
|
+
with open(f) as fh:
|
|
706
|
+
data = json.load(fh)
|
|
707
|
+
if isinstance(data, list):
|
|
708
|
+
for item in data:
|
|
709
|
+
ip = item.get('ip_str') or item.get('ip')
|
|
710
|
+
if ip: ips.add(ip)
|
|
711
|
+
except: pass
|
|
712
|
+
for ip in sorted(ips):
|
|
713
|
+
print(ip)
|
|
714
|
+
" > _rtexit-output/docs/reconnaissance/all_discovered_ips.txt
|
|
715
|
+
|
|
716
|
+
echo "[*] Total unique IPs discovered: $(wc -l < _rtexit-output/docs/reconnaissance/all_discovered_ips.txt)"
|
|
717
|
+
|
|
718
|
+
# Use discovered subdomains for active DNS resolution
|
|
719
|
+
cat _rtexit-output/docs/reconnaissance/certs/unique_subdomains.txt \
|
|
720
|
+
| dnsx -silent -a -resp \
|
|
721
|
+
> _rtexit-output/docs/reconnaissance/resolved_subdomains.txt
|
|
722
|
+
```
|
|
723
|
+
|
|
724
|
+
---
|
|
725
|
+
|
|
726
|
+
## All Commands Reference
|
|
727
|
+
|
|
728
|
+
| Command | Purpose |
|
|
729
|
+
|---------|---------|
|
|
730
|
+
| `shodan init KEY` | Initialize Shodan CLI with API key |
|
|
731
|
+
| `shodan info` | Show account plan, credits remaining |
|
|
732
|
+
| `shodan count "query"` | Count results without spending query credits |
|
|
733
|
+
| `shodan search "query"` | Search with default output |
|
|
734
|
+
| `shodan search --fields a,b "query"` | Search with selected fields |
|
|
735
|
+
| `shodan search --limit N "query"` | Limit result count |
|
|
736
|
+
| `shodan host IP` | Full banner data for one IP |
|
|
737
|
+
| `shodan host --history IP` | Historical banners for one IP |
|
|
738
|
+
| `shodan stats --facets port,product "query"` | Aggregated statistics |
|
|
739
|
+
| `shodan download FILE "query"` | Download results to gzipped JSON |
|
|
740
|
+
| `shodan parse --fields a,b FILE.json.gz` | Parse downloaded file |
|
|
741
|
+
| `shodan alert create NAME cidr` | Set up continuous monitoring alert |
|
|
742
|
+
| `censys search "query" --index hosts` | Search Censys hosts index |
|
|
743
|
+
| `censys search "query" --index certificates` | Search Censys certs index |
|
|
744
|
+
| `fofa search "query" --format json` | FOFA search with JSON output |
|
|
745
|
+
| `zoomeye search "query"` | ZoomEye search |
|
|
746
|
+
| `binaryedge host IP` | BinaryEdge host lookup |
|
|
747
|
+
|
|
748
|
+
**Shodan Filter Reference:**
|
|
749
|
+
|
|
750
|
+
| Filter | Example | Purpose |
|
|
751
|
+
|--------|---------|---------|
|
|
752
|
+
| `org:` | `org:"Target Corp"` | Organization name in WHOIS |
|
|
753
|
+
| `hostname:` | `hostname:targetcorp.com` | DNS hostname in banner |
|
|
754
|
+
| `net:` | `net:203.0.113.0/24` | CIDR range |
|
|
755
|
+
| `asn:` | `asn:AS12345` | Autonomous System Number |
|
|
756
|
+
| `port:` | `port:3389` | Service port |
|
|
757
|
+
| `product:` | `product:MongoDB` | Product name from banner |
|
|
758
|
+
| `version:` | `version:2.4.49` | Software version |
|
|
759
|
+
| `http.title:` | `http.title:"Admin"` | HTTP page title |
|
|
760
|
+
| `http.html:` | `http.html:"password"` | HTTP page body content |
|
|
761
|
+
| `ssl.cert.subject.cn:` | `ssl.cert.subject.cn:"*.targetcorp.com"` | TLS cert CN field |
|
|
762
|
+
| `vuln:` | `vuln:CVE-2021-44228` | Known CVE (Membership+) |
|
|
763
|
+
| `tag:` | `tag:ics` | Shodan category tag |
|
|
764
|
+
| `country:` | `country:US` | Country code |
|
|
765
|
+
| `city:` | `city:"New York"` | City |
|
|
766
|
+
|
|
767
|
+
---
|
|
768
|
+
|
|
769
|
+
## Tools Referenced
|
|
770
|
+
|
|
771
|
+
| Tool | URL | Install |
|
|
772
|
+
|------|-----|---------|
|
|
773
|
+
| Shodan CLI | https://github.com/achillean/shodan-python | `pip3 install shodan` |
|
|
774
|
+
| Censys Python SDK | https://github.com/censys/censys-python | `pip3 install censys` |
|
|
775
|
+
| FOFA CLI | https://github.com/LubyRuffy/fofa-tools | `pip3 install fofa-cli` |
|
|
776
|
+
| ZoomEye SDK | https://github.com/knownsec/ZoomEye-python | `pip3 install zoomeye-sdk` |
|
|
777
|
+
| BinaryEdge SDK | https://github.com/binaryedge/python-binaryedge | `pip3 install pybinaryedge` |
|
|
778
|
+
| dnsx | https://github.com/projectdiscovery/dnsx | `go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest` |
|
|
779
|
+
| subfinder | https://github.com/projectdiscovery/subfinder | `go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest` |
|
|
780
|
+
| amass | https://github.com/owasp-amass/amass | `go install github.com/owasp-amass/amass/v4/...@master` |
|
|
781
|
+
| httpx | https://github.com/projectdiscovery/httpx | `go install github.com/projectdiscovery/httpx/cmd/httpx@latest` |
|
|
782
|
+
| crt.sh (web) | https://crt.sh | Web UI + API (no key required) |
|
|
783
|
+
| BGPView API | https://bgpview.io/api | REST API (no key required) |
|
|
784
|
+
| ARIN WHOIS | https://search.arin.net | Web + CLI WHOIS |
|
|
785
|
+
|
|
786
|
+
**SecLists references (used in downstream active recon after Shodan discovery):**
|
|
787
|
+
- `/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt` — subdomain brute force
|
|
788
|
+
- `/usr/share/seclists/Discovery/Web-Content/common.txt` — web path discovery
|
|
789
|
+
- `/usr/share/seclists/Passwords/Default-Credentials/default-passwords.csv` — default credential checks
|
|
790
|
+
|
|
791
|
+
---
|
|
792
|
+
|
|
793
|
+
## Output Instructions
|
|
794
|
+
|
|
795
|
+
All output files must be saved in the RTExit standard output tree:
|
|
796
|
+
|
|
797
|
+
```
|
|
798
|
+
_rtexit-output/docs/reconnaissance/
|
|
799
|
+
├── shodan/
|
|
800
|
+
│ ├── 01_org_search.json # Full org search results
|
|
801
|
+
│ ├── 02_hostname_search.json # Hostname-based results
|
|
802
|
+
│ ├── 03_ssl_cert_search.json # SSL cert CN results
|
|
803
|
+
│ ├── 04_facets.txt # Port/product distribution stats
|
|
804
|
+
│ ├── shodan_summary.csv # Operator-friendly CSV for reporting
|
|
805
|
+
│ └── vuln_CVE-XXXX-XXXX.json # Per-CVE vulnerability hits
|
|
806
|
+
├── censys/
|
|
807
|
+
│ ├── 01_certs_by_domain.json # All certs issued to target domain
|
|
808
|
+
│ └── 02_hosts_by_org_tls.json # Hosts with org name in TLS cert
|
|
809
|
+
├── fofa/
|
|
810
|
+
│ ├── 01_fofa_cert.json # FOFA cert-based results
|
|
811
|
+
│ └── 02_fofa_org.json # FOFA org-based results
|
|
812
|
+
├── certs/
|
|
813
|
+
│ └── unique_subdomains.txt # De-duplicated subdomain list from CT logs
|
|
814
|
+
├── monitoring/
|
|
815
|
+
│ ├── shodan_YYYYMMDD.json # Daily snapshots for delta comparison
|
|
816
|
+
│ └── delta_YYYYMMDD.diff # New exposures since previous day
|
|
817
|
+
├── bgp_prefixes.txt # All BGP-announced prefixes for target ASN
|
|
818
|
+
├── subdomains_crtsh.txt # Subdomains from crt.sh CT logs
|
|
819
|
+
├── all_discovered_ips.txt # Aggregated unique IPs for active recon
|
|
820
|
+
├── resolved_subdomains.txt # DNS-resolved subdomains with IPs
|
|
821
|
+
└── shodan_recon_autodoc.json # RTExit autodoc engine activity log
|
|
822
|
+
```
|
|
823
|
+
|
|
824
|
+
**Autodoc engine integration:**
|
|
825
|
+
|
|
826
|
+
```bash
|
|
827
|
+
# The autodoc log entry format for rt-shodan-recon:
|
|
828
|
+
{
|
|
829
|
+
"skill": "rt-shodan-recon",
|
|
830
|
+
"timestamp": "2026-05-31T10:00:00Z",
|
|
831
|
+
"target_org": "Target Corporation",
|
|
832
|
+
"hosts_discovered": 342,
|
|
833
|
+
"vuln_cve_hits": 7,
|
|
834
|
+
"output_files": [...]
|
|
835
|
+
}
|
|
836
|
+
```
|
|
837
|
+
|
|
838
|
+
**Naming conventions:**
|
|
839
|
+
- All files use snake_case
|
|
840
|
+
- CIDR-specific files include the network: `shodan_cidr_203.0.113.json`
|
|
841
|
+
- ASN-specific files include the ASN: `shodan_asn_AS12345.json`
|
|
842
|
+
- Vulnerability files include the CVE: `vuln_CVE-2021-44228.json`
|
|
843
|
+
- Monitoring snapshots include the date: `shodan_20260531.json`
|
|
844
|
+
|
|
845
|
+
---
|
|
846
|
+
|
|
847
|
+
## Operational Security Notes
|
|
848
|
+
|
|
849
|
+
- Shodan, Censys, FOFA queries do NOT contact target systems — all data comes from the scan database's own crawlers
|
|
850
|
+
- Your source IP is never seen by the target when querying these APIs
|
|
851
|
+
- Shodan query logs are stored by Shodan — avoid including operator-identifying strings in queries if OPSEC requires it
|
|
852
|
+
- API keys should be stored in `~/.config/rtexit/api_keys.env` — never commit to source control, never paste into reports
|
|
853
|
+
- Shodan Membership plan is minimum required for `vuln:` filter and full banner data downloads
|
|
854
|
+
- FOFA requires a paid account for bulk exports; free tier limited to 10 results
|
|
855
|
+
- Document all query timestamps in the autodoc log — required for legal chain of custody
|
|
856
|
+
|
|
857
|
+
---
|
|
858
|
+
|
|
859
|
+
## Resources
|
|
860
|
+
|
|
861
|
+
| Resource | URL |
|
|
862
|
+
|----------|-----|
|
|
863
|
+
| Shodan Search Reference | https://www.shodan.io/search/filters |
|
|
864
|
+
| Shodan Dorks Collection | https://github.com/jakejarvis/awesome-shodan-queries |
|
|
865
|
+
| Shodan Python Docs | https://shodan.readthedocs.io |
|
|
866
|
+
| Censys Search Docs | https://search.censys.io/search/help |
|
|
867
|
+
| Censys Python Docs | https://censys-python.readthedocs.io |
|
|
868
|
+
| FOFA Search Syntax | https://en.fofa.info/help |
|
|
869
|
+
| ZoomEye Dorks | https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/ZoomEye%20Dorks.md |
|
|
870
|
+
| Shodan Dorks GitHub | https://github.com/lothos612/shodan |
|
|
871
|
+
| Awesome Shodan | https://github.com/jakejarvis/awesome-shodan-queries |
|
|
872
|
+
| Censys Universal Internet Dataset | https://censys.io/data |
|
|
873
|
+
| BGPView ASN Lookup | https://bgpview.io |
|
|
874
|
+
| crt.sh Certificate Transparency | https://crt.sh |
|
|
875
|
+
| ARIN IP Lookup | https://search.arin.net |
|
|
876
|
+
| RIPE NCC Database | https://apps.db.ripe.net |
|
|
877
|
+
| BinaryEdge Docs | https://docs.binaryedge.io |
|
|
878
|
+
| SecLists DNS Wordlists | https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS |
|
|
879
|
+
| OWASP Amass Docs | https://github.com/owasp-amass/amass/blob/master/doc/user_guide.md |
|
|
880
|
+
| ProjectDiscovery Tools | https://github.com/projectdiscovery |
|