Shift Left Join: Using Shodan to test AWS Public IPs


Front Matter

Structured Query Language (SQL): A domain-specific language for working with data and data structures. It is particularly useful for relating (joining) data across entities. SQL is 50 years old and is still the most popular language for data work.

Shodan is a search engine for Internet-connected devices, ranging from Internet-connected cameras to cloud servers.

Steampipe is an open source CLI that uses Postgres Foreign Data Wrappers to instantly query cloud APIs using SQL. The Steampipe plugin for Shodan enables use of SQL to query host metadata, open ports, DNS info and even potential exploit information. This metadata can be made even more powerful when joined with data from other cloud services.

The Objective

Automate checks to find open ports and vulnerabilities for AWS resources.

Step 1: What EC2 instances have public IPs?

Using the Steampipe CLI we can query for AWS EC2 instances with public IPs:

Step 2: Initiate Shodan Scan

To ensure Shodan has the latest information on these instances, we will initiate an on-demand scan using the Shodan CLI. The CLI command uses the format shodan scan submit <ip address>.

We use Steampipe’s --output=csv and --header=false options to produce just a list of IP addresses delimited with newlines:

We can assign that output to a variable and then iteratively call the Shodan CLI:

Step 3: Install and test Shodan plugin

Step 4: Check if Shodan scans are complete

Step 5: Join Shodan and AWS Data

Once all of the scans are complete, we can join our EC2 instance information with the Shodan scan information.
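
One way to write the Step 5 join, as an added example that is not the article's original query. It assumes the Steampipe aws and shodan plugins are installed and configured, and that aws_ec2_instance exposes instance_id, region, instance_state and public_ip_address while shodan_host exposes ip, ports and vulns (confirm with .inspect in the Steampipe shell); the triage column is a hypothetical label added for illustration.

```sql
-- Added example: left join every running EC2 instance that has a public IP
-- to Shodan's view of that IP. Column names are assumptions about the
-- plugin schemas; check them with `.inspect aws_ec2_instance` and
-- `.inspect shodan_host` before relying on the output.
select
  i.instance_id,
  i.region,
  i.public_ip_address,
  s.ports as open_ports,        -- JSON array of ports Shodan observed
  s.vulns as reported_vulns,    -- JSON array of vulnerability ids, if any
  case
    -- The left join keeps instances Shodan returned nothing for, so an
    -- unscanned host is not mistaken for a host with no exposure.
    when s.ip is null then '3-no-shodan-data'
    when jsonb_typeof(s.vulns) = 'array'
         and s.vulns <> '[]'::jsonb then '1-vulns-reported'
    when jsonb_typeof(s.ports) = 'array'
         and s.ports <> '[]'::jsonb then '2-open-ports'
    else '4-nothing-observed'
  end as triage                 -- hypothetical label, sorts worst first
from
  aws_ec2_instance as i
  left join shodan_host as s
    on s.ip = i.public_ip_address
where
  i.public_ip_address is not null
  and i.instance_state = 'running'
order by
  triage,
  i.instance_id;
```

Rows labelled 3-no-shodan-data are the ones to re-check after the on-demand scans from Step 2 finish, since an inner join would silently drop them.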


Other #shiftleftjoin opportunities with Shodan:

What TLS ciphers are enabled on my load balancers?

What elastic IP addresses have open ports?


Thank you Shodan Team!

We think it is incredible to have such a useful service to integrate with for security testing against dynamic cloud environments. A huge shout out to the entire Shodan team for making it accessible via their API.