├── sibil.sh
└── README.md
/sibil.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# "dMMMb dMP dMMMMb dM"
# dMP" VP amr dMP'dMP dMP
# "MMMb dMP dMMMMK dM"
# dP .dMP dMP dMP.aMF dMP
# "MMMP' dMP dMMMMP' dMMMMM"
# Shodan IP Block List v0.2
#
# - whoisbyip.com -

#Gather your current IP from shodan so you can sanitize the file
#Scan IP may differ depending on if you are running on the same host or not
wanip=$(shodan myip)
echo "External IP is: $wanip"
#Start a TCP dump for 60 seconds and then start the shodan scan on the host
timeout 60 /usr/sbin/tcpdump -ni any port 5901 >> tcpdump.txt &
#Start the shodan scan
sleep 10 ; /usr/local/bin/shodan scan submit "$wanip" >> shodanlogs.txt
date +"%d-%m-%y %T" >> shodanlogs.txt
wait
#Get all the IP addresses out of the generated log
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' tcpdump.txt >> newips.txt
#Remove the localhost IP addresses (whole-line fixed-string match, so the dots are not regex wildcards)
grep -vxF "$wanip" newips.txt >> ShodanIPsOnly.txt
#Note: tail keeps only the last ten lines of the file
tail ShodanIPsOnly.txt >> ShodanIPOnly.lst
#Get the DNS name for each host in the file, one output line per IP
#(an IP without a PTR record gets an empty name instead of shifting the rows below it)
while read -r ip; do
    ptr=$(host "$ip" | grep -Eo ' pointer .*' | head -n 1)
    echo "${ip}${ptr}"
done < ShodanIPsOnly.txt >> final.txt
#Replace the word ' pointer ' with a comma, trim the trailing period
sed -i 's/ pointer /,/g' final.txt
sed 's/\.$//' final.txt >> ShodanIPList.txt
#Remove duplicates from the list of servers
sort ShodanIPList.txt | uniq >> ShodanList.lst
#Make an IP Block or Drop list
sort ShodanIPsOnly.txt | uniq >> IPDropList.lst
#Clean up the worker files leaving just the .lst (named explicitly so unrelated .txt files are kept)
rm -f tcpdump.txt shodanlogs.txt newips.txt ShodanIPsOnly.txt final.txt ShodanIPList.txt
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

"dMMMb dMP dMMMMb dM"
dMP" VP amr dMP'dMP dMP
"MMMb dMP dMMMMK dM"
dP .dMP dMP dMP.aMF dMP
"MMMP' dMP dMMMMP' dMMMMM"
Shodan IP Block List (SIBL) v0.2

- whoisbyip.com -

Requirements:
Shodan CLI - https://cli.shodan.io/
The current list of IPs used by shodan *Optional

Intended Use:
Used to generate a list of IPs used by shodan that scan hosts. The script starts a tcpdump session that listens for new VNC connections; after starting the dump it initiates a scan request to shodan.io and logs the IP address that attempts to connect.
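As an added example (not part of SIBL or the whoisbyip.com project), the following POSIX shell function does the extraction step of sibil.sh more selectively: rather than pulling every dotted quad out of the capture, it keeps only the source address of inbound SYN packets aimed at the VNC port, ignores SYN-ACK replies and connections our own host opens outbound, and deduplicates the result. The capture lines, the addresses (RFC 5737 documentation ranges) and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of SIBL): pull scanner source addresses out of a
# tcpdump capture like the one sibil.sh writes. Only inbound SYNs to the VNC
# port count; SYN-ACKs and our own outbound connections are ignored, and the
# result is deduplicated.
#
# Usage: extract_scanners <own_ip> < tcpdump.txt

extract_scanners() {
    own_ip=$1
    awk -v own="$own_ip" '
        # "IP src.port > dst.port: Flags [S], ..." is a bare SYN, i.e. a new connection attempt
        $2 == "IP" && /Flags \[S\],/ {
            src = $3; dst = $5
            sub(/:$/, "", dst)
            if (dst !~ /\.5901$/) next       # only attempts against our VNC port
            sub(/\.[0-9]+$/, "", src)        # strip the source port, leaving the address
            if (src == own) next             # our own packets are not scanners
            print src
        }' | sort -u
}

# Constructed sample capture (documentation addresses, not real scanner IPs):
# one scanner connecting twice, a second scanner once, our SYN-ACK reply,
# and an outbound VNC connection from our own host that must not be listed.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.5.44321 > 198.51.100.7.5901: Flags [S], seq 1, win 512, length 0
12:00:01.000002 IP 198.51.100.7.5901 > 203.0.113.5.44321: Flags [S.], seq 1, ack 2, win 512, length 0
12:00:01.000003 IP 203.0.113.5.44321 > 198.51.100.7.5901: Flags [.], ack 1, win 512, length 0
12:00:02.000001 IP 203.0.113.9.51000 > 198.51.100.7.5901: Flags [S], seq 1, win 512, length 0
12:00:03.000001 IP 198.51.100.7.40000 > 192.0.2.10.5901: Flags [S], seq 1, win 512, length 0
12:00:04.000001 IP 203.0.113.5.44322 > 198.51.100.7.5901: Flags [S], seq 1, win 512, length 0'

# Returns the scanner list from the sample as one comma-separated line.
demo_scanners() {
    printf '%s\n' "$SAMPLE_CAPTURE" | extract_scanners 198.51.100.7 | paste -sd, -
}

# In place of the grep/sed pair in sibil.sh:
#   extract_scanners "$wanip" < tcpdump.txt >> IPDropList.lst
```

The awk fields assume the classic `tcpdump -n` line layout (`timestamp IP src.port > dst.port: Flags [...]`); newer tcpdump builds can print an interface and direction column after the timestamp when capturing on `any`, in which case the field numbers shift by two and the script needs adjusting.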

Isn't blocking shodan sticking your head in the sand?
Yes, it is. If you are exposing equipment to the internet it will be vulnerable, and blocking shodan does not fix this. However, you would not let users run nmap on the inside of your network, so why would you let them do it to the outside? Below is a nifty diagram of how shodan is used by its userbase:

        /\
       /__\  < Actual Infosec
      /    \
     /      \
    /        \
   /  ABUSE   \
  /            \
 /______________\

For this reason I find it would be useful to keep an up to date list of IP addresses or scanners that shodan is using. Plus it is interesting to do.

You just said blocking shodan won't fix my equipment, so why would I bother logging IPs?
Since the script logs only the IP address that comes from a user-initiated scan, you are only blocking the IP addresses that other users would use to manually scan your network with the shodan CLI. For a complete list of all IPs see the bottom question.

How can you guarantee these are shodan IP addresses?
Easy: shodan won't let you use shodan to check one of its own IPs; the search will either censor out the IP like this:
xxx.xxx.xxx.xxx or show you a custom 404 page when you attempt to access the scanner. This tool also uses the host utility to check the DNS name of the IP address. The tcpdump is set to run for only 60 seconds and the longest a shodan scan usually takes is 10 seconds. While I have gotten false IPs in my tcpdump, they all resolved to Chinese scanners looking for open VNC sessions.

Do you have a block list of shodan IPs?
Yes, they are hosted at romcheckfail.com/URL and whoisbyip.com/URL


--------------------------------------------------------------------------------