Shodan Postman Collection
The Christmas holidays are coming and to those of you who feel like doing something adventurous: there is now a new way to visit the dark caverns of the internet. We created an exciting combination of two existing services that make this trip possible: A Postman collection of all the currently available Shodan API calls. It’s available for download on our github account: https://github.com/bitnesswise/shodan-postman-collection where you will find installation instructions as well.
New to Shodan and/or Postman? Read on …
For a lot of readers Shodan doesn’t need an introduction anymore, but for those that are unfamiliar with it, it is described on their own website as: “the world’s first search engine for Internet-connected devices”. Or, as Wikipedia describes it: “Shodan is a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client. This can be information about the server software, what options the service supports, a welcome message or anything else that the client can find out before interacting with the server.”
This tool might not be as famous as Shodan, but in recent years it has become very popular among developers working with APIs. It started as a browser plugin but has evolved into a very feature rich, standalone tool. It allows you to easily interact with any web API and facilitate all the classic challenges that come with it, such as changing environments, chaining requests, authentication, etc.
The website https://shodan.io offers a way to query the shodan database and contains enough documentation to get you started. The search engine is free, but not all the features are available for those without an account.
After we signed up for a Shodan account and used it more intensively we ran into the limits of the GUI that is offered through the website. The error message suggested we should use the API instead. While there are enough libraries to choose from, setting up a development environment and writing code for all the calls you want to do costs a lot of time. So we turned to Postman instead. Realizing about the benefits it has as an addition to the existing libraries1, we decided to complete the whole collection and make it available on github
- Postman has an easy-to-understand GUI. If you have a little bit of a technical mindset (and we assume you do if you’re interested in using Shodan), then it makes it really easy to talk to an API – even if you’re not a developer. The Readme on the github page explains into detail how to set it up; after that is done, it’s just click-and-play
- You can save important queries (similar to how bookmarks work). Especially when using a combination of many filters this can be very handy.
- You won’t have to consult the documentation for every call you do: every available call is available in the collection and the documentation of each call is available as well from within Postman.
- The API has less limits than the web interface, so it is the recommended way for frequent usage. By using the collection you can start using the API in a couple of minutes instead of having to write (and debug) lots of code to get things working and even more code to make it visually functional – easily spending a couple of days instead of minutes.
- If you’re a developer (working with one of the code libraries), you might sometimes run into situations where a quick check with a GUI can give you just the insight you needed to understand the behaviour of your code better
- It allows you to write tests and define actions based on the outcome.
- You can easily chain requests: Postman allows you to save information from the result-set as variables that can be used in subsequent calls. This can be a time saver when repeating the same sequence of queries.
- Shodan returns a lot of information. When looking for specific data it can become a tedious job scrolling through the response to find what you’re looking for. Using the Visualization Tab in Postman, you can display only that information that matters to you in any way you like using templates. As a bonus: the github collection contains some examples and we created a hack that allows you to save these visualizations as HTML snippets.
Have fun exploring; we hope you enjoy the Collection as much as we do 🙂
1There is also a cli (command line interface) tool available, which at least takes away much of the initial setup needed for working with a library. But it still lacks many of the benefits that the Postman collection offers