How to: Use ShonyDanza to Find a Target and an Exploit

Shodan is a search engine that collects information on internet-connected devices. It is an incredibly powerful tool for security researchers, penetration testers, hackers, and network defenders.

The ShonyDanza utility makes using Shodan even easier, by providing simple menus, query-building help, and configurable options for the user.

With ShonyDanza, you can:

Obtain IPs based on search criteria
Automatically exclude honeypots from the results
Pre-configure all IP searches to filter on your specified net range(s)
Pre-configure search limits
Use build-a-search to craft searches with easy building blocks
Use stock searches and pre-configure your own stock searches
Check if IPs are known malware C2s
Get host and domain profiles
Scan on-demand
Find exploits
Get total counts for searches and exploits
Automatically save exploit code, IP lists, host profiles, domain profiles, and scan results to directories within ShonyDanza

In this How-To, we will use ShonyDanza to identify a vulnerable target and then find and save an exploit that is suitable for the target. This How-To assumes you are using a Linux system.

Step 1: Install ShonyDanza

Before installing ShonyDanza, install Python3 if you do not already have it.

sudo apt-get install python3

Clone ShonyDanza from GitHub and install the requirements.

git clone github.com/fierceoj/ShonyDanza
cd ShonyDanza
pip3 install -r requirements.txt

Step 2: Configure ShonyDanza

ShonyDanza comes with a config.py file which allows users to set network address ranges for searches, auto-exclude honeypots from results, set search result limits, and add their own search queries to the menu. Navigate to the config.py file.

cd configs
sudo nano config.py

You must include a Shodan API key in order to use the tool, but other changes to the config.py file are optional. For our purposes, we will add an API key (required) and adjust the honeyscore limit to 0.4 to provide extra confidence that we will not get honeypots in our results. I have also reduced the SEARCH_LIMIT to 5 in my own config file for the purposes of the demonstration, but it will work just fine with the default SEARCH_LIMIT as well.

Modify the config file as shown below, replacing 'ADD YOUR API KEY HERE' with your API key (single quotes included).

Note: If you plan to actually run an exploit against one of the vulnerable IPs, I strongly suggest that you also uncomment and add a NET_RANGE containing only IP addresses which you are legally permitted to attack.

#config file for shonydanza searches
#REQUIRED
#shodan account API key
API_KEY = 'ADD YOUR API KEY HERE'
#REQUIRED
#maximum number of results that will be returned per search
#default is 100
SEARCH_LIMIT = 100
#REQUIRED
#IPs exceeding the honeyscore limit will not show up in IP results
#adjust to desired probability to adjust results, or change to 1.0 to include all results
HONEYSCORE_LIMIT = 0.4
#REQUIRED - at least one key: value pair
#stock searches that can be selected from a menu
#add search to the dictionary to automatically add it to your shonydanza menu
STOCK_SEARCHES = {
'ANONYMOUS_FTP':'ftp anonymous ok',
'RDP':'port:3389 has_screenshot:true'
}
#OPTIONAL
#IP or cidr range constraint for searches that return list of IP addresses
#use comma-separated list to designate multiple (e.g. 1.1.1.1,2.2.0.0/16,3.3.3.3,3.3.3.4)
#NET_RANGE = '0.0.0.0/0'

Step 3: Search for IPs

Go back to the ShonyDanza directory and run the tool.

cd ../
python3 shonydanza.py

Choose option 1 from the main menu.

How to: Use ShonyDanza to Find a Target and an Exploit

From the "Get IPs" menu, choose option 4 to use your own Shodan search, or another option if suitable for your purposes. The build-a-search option helps the user build a search using a combination of some of the other search options. In my example, I've selected option 4 to use my own search to look for "200 OK vxworks", which shows systems using VxWorks that return a 200 OK response.

The IP results will print to the screen, and the tool will ask whether you want to save the IP list. In the example below, I've saved the IP list as "vxworks_ips" in the default ip_lists directory within ShonyDanza. IPs are redacted in the screenshot.

Step 4: Get Host Profile

Let's return to the main menu and get a host profile of one of the IPs. Choose one of the IPs from your results and get the host profile using option 5 from the main menu. The host profile will return basic host info, as well as information about each service running on the host (software, version, port, and banner, if available). We see in the example below that Shodan includes some likely vulnerabilities for the host. Not all host profiles will contain a CVE list, but it does not mean the host does not have any vulnerabilities. There are many other clues from the host profile that can help with searching for potential exploits for the target.

The host profile is automatically saved in the host_profiles directory in ShonyDanza, with naming convention xx-xx-xx-xx_profile, where xx represents each octet of the IP address.

Step 5: Find Exploits

Now that we have some ideas of what exploits might be applicable for the target, return to main menu and choose option 8 to go to the find exploits menu. In this example, we'll search for one of the CVEs that was listed in the host profile, so choose option 5 from the Find Exploits menu. We'll also specify that we want a remote exploit type when it prompts us to enter additional Shodan search terms.