Focused Shodan organization recon. Give it an org name and/or a domain — it sweeps Shodan through many correlated dorks in parallel, then keeps only the assets that provably belong to your target and drops the noise.
Shodan's normal problem: search org:"Acme" or ssl:acme.com and you get a pile
of unrelated hosts (shared CDNs, other customers, coincidental cert strings).
RootXshodan runs the whole family of dorks, then scores every result by how well
it correlates to your org (hostname / SSL cert / org / ISP / ASN) and throws
away everything that doesn't.
____ _ __ __ _ _
| _ \ ___ ___ | |_ \ \/ /___ | |__ ___ __| | __ _ _ __
| |_) / _ \ / _ \| __| \ // __|| '_ \ / _ \ / _` |/ _` | '_ \
| _ < (_) | (_) | |_ / \\__ \| | | | (_) | (_| | (_| | | | |
|_| \_\___/ \___/ \__| /_/\_\___/|_| |_|\___/ \__,_|\__,_|_| |_|
Only needs requests (already on most systems). The Shodan REST API is called
directly — you do not need the shodan pip package.
pip install -r requirements.txt # just: requestsProvide it any of these ways (checked in order):
python rootxshodan.py -t acme.com --api-key <KEY>
export SHODAN_API_KEY=<KEY> # then just run
python rootxshodan.py --api-key <KEY> --save-key # store to ~/.config/rootxshodan/api_key (chmod 600)Without a key it does a dry run and just prints the dork plan.
# simplest — one domain
python rootxshodan.py -t google.com
# org + domain together (comma ok); go deeper into discovered ASNs
python rootxshodan.py -t "Google inc, google.com" --deep --max-pages 3
# explicit fields + pull full per-host service lists for the top 20 hosts
python rootxshodan.py --org "Acme Corp" --domain acme.com --host-detail 20
# only high-confidence assets (drop medium/low correlation)
python rootxshodan.py -t tesla.com --min-score 3
# keep everything, don't filter (see the raw firehose)
python rootxshodan.py -t acme.com --no-filter- Discovery —
/shodan/host/countwith facets. Maps the org's ASNs, ports, products, CVEs and countries. Costs 0 query credits. - Enumeration — runs all correlated dorks in parallel (rate-limited to
Shodan's 1 req/s), then applies the relevance filter. This is where query
credits are spent (1 per 100 results per dork; tune with
--max-pages). - DNS — pulls the subdomain inventory from Shodan's DNS DB.
- Host detail (optional,
--host-detail N) — full service/vuln list per host for the top N hosts. Costs 0 query credits.
| Category | Dork |
|---|---|
| hostname | hostname:"D" |
| ssl | ssl:"D", ssl.cert.subject.cn:"D", ssl.cert.subject.cn:"*.D" |
| ssl-org | ssl.cert.subject.o:"O" |
| org | org:"O" (+ suffix-stripped variant, e.g. Google inc → Google) |
| http | http.html:"D", http.title:"O" |
| vuln | hostname:"D" has_vuln:true, org:"O" has_vuln:true |
| asn | asn:AS#### for every ASN discovered in phase 1 (with --deep) |
| custom | anything you pass via --dork '...' (repeatable) |
The problem: for a well-known domain, hostnames and reverse-DNS are forgeable.
Anyone can set a PTR record or a self-signed cert to cache.google.com on their
own OVH box — so "hostname matches" is not proof of ownership.
RootXshodan solves this by verifying who each ASN is actually registered to.
During discovery it runs a free asn:ASxxxx count (facet org) per candidate
ASN and keeps only the ones whose registered org matches your target. Forged-PTR
hosts on unrelated networks (OVH, Amazon, Tencent…) get dropped automatically.
Every kept result is then labelled with an ownership tier:
| Ownership | Meaning |
|---|---|
| OWNED | on a verified org-owned ASN and a real hostname/cert match — genuinely the org's own service |
| CLOUD-CUST | on the org's cloud ASN but a customer VM (customer reverse-DNS, e.g. *.googleusercontent.com) or no positive proof — on their network, not operated by them |
| UNVERIFIED | claims the org's hostname/cert but is not on a verified org ASN — forged reverse-DNS / self-signed impostor (usually dropped by the score filter) |
Scoring (tier = HIGH ≥4 / MEDIUM 2–3 / LOW 1; default keep ≥ --min-score 2):
- +3 verified org-owned ASN · trusted cert CN/SAN ∈ your domain
- +2 hostname ∈ your domain on an owned ASN · org / cert-subject-O token match
- +1 hostname ∈ your domain not on an owned ASN (forgeable) · self-signed cert · ISP / http mention
Shared hosting/CDN org names (AWS, Cloudflare, Azure, Akamai…) never count as
proof on their own. Use --owned-only to keep just the OWNED + CLOUD-CUST
assets and drop every unverified impostor.
The terminal report leads with a ★ GENUINELY ORG-OWNED & VULNERABLE section so you immediately see whether any real org asset (not a customer or impostor) is actually exposed.
Terminal report plus four files in rootxshodan-<target>-<date>/:
rootxshodan.json— everything, machine-readablehosts.csv— flat host/service table for spreadsheetsreport.html— self-contained dark-theme dashboardreport.md— markdown report
Sections: summary, ASN/org landscape, host inventory (with confidence),
exposed/interesting services (databases, RDP/VNC, Docker/K8s, IPMI, SMB…),
vulnerabilities (CVEs), leaked internal IPs/hosts (RFC1918 + .internal
/.corp/.local pulled from banners), and the discovered subdomain inventory.
| Flag | Meaning |
|---|---|
--max-pages N |
result pages per dork (100/page, 1 credit/page). Default 1 |
--min-score N |
relevance threshold (default 2). Use 3 for high-confidence only |
--owned-only |
keep only assets on verified org-owned ASNs (drop impostors) |
--max-verify N |
verify ownership of the top N candidate ASNs (default 30) |
--no-filter |
keep ALL results (disable correlation filter) |
--wide |
add the noisy http.html:domain dork (any site embedding the domain) |
--deep |
also sweep every verified org ASN |
--host-detail N |
full service list for top N hosts |
--workers N |
parallel dork workers (default 4) |
--rate S |
min seconds between API calls (default 1.05) |
--dork '...' |
add a raw custom dork (repeatable) |
--no-vuln / --no-dns |
skip those phases (some plans block has_vuln) |
- Respects Shodan's ~1 req/s limit. Parallel workers overlap latency but calls
are serialized by the shared rate limiter — raise
--ratedown cautiously. has_vuln:/vuln:and some facets require a paid Shodan plan; if your plan blocks them the tool logs it and continues.- Authorized use only. For your own assets, bug-bounty programs whose scope covers the target, or engagements with written permission.