Skip to content

Forbiddem/RootXshodan

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 

Repository files navigation

RootXshodan

Focused Shodan organization recon. Give it an org name and/or a domain — it sweeps Shodan through many correlated dorks in parallel, then keeps only the assets that provably belong to your target and drops the noise.

Shodan's normal problem: search org:"Acme" or ssl:acme.com and you get a pile of unrelated hosts (shared CDNs, other customers, coincidental cert strings). RootXshodan runs the whole family of dorks, then scores every result by how well it correlates to your org (hostname / SSL cert / org / ISP / ASN) and throws away everything that doesn't.

  ____             _    __  __     _               _
 |  _ \ ___   ___ | |_  \ \/ /___ | |__   ___   __| | __ _ _ __
 | |_) / _ \ / _ \| __|  \  // __|| '_ \ / _ \ / _` |/ _` | '_ \
 |  _ < (_) | (_) | |_   /  \\__ \| | | | (_) | (_| | (_| | | | |
 |_| \_\___/ \___/ \__| /_/\_\___/|_| |_|\___/ \__,_|\__,_|_| |_|

Install

Only needs requests (already on most systems). The Shodan REST API is called directly — you do not need the shodan pip package.

pip install -r requirements.txt        # just: requests

API key

Provide it any of these ways (checked in order):

python rootxshodan.py -t acme.com --api-key <KEY>
export SHODAN_API_KEY=<KEY>             # then just run
python rootxshodan.py --api-key <KEY> --save-key   # store to ~/.config/rootxshodan/api_key (chmod 600)

Without a key it does a dry run and just prints the dork plan.

Usage

# simplest — one domain
python rootxshodan.py -t google.com

# org + domain together (comma ok); go deeper into discovered ASNs
python rootxshodan.py -t "Google inc, google.com" --deep --max-pages 3

# explicit fields + pull full per-host service lists for the top 20 hosts
python rootxshodan.py --org "Acme Corp" --domain acme.com --host-detail 20

# only high-confidence assets (drop medium/low correlation)
python rootxshodan.py -t tesla.com --min-score 3

# keep everything, don't filter (see the raw firehose)
python rootxshodan.py -t acme.com --no-filter

What it does (4 phases)

  1. Discovery/shodan/host/count with facets. Maps the org's ASNs, ports, products, CVEs and countries. Costs 0 query credits.
  2. Enumeration — runs all correlated dorks in parallel (rate-limited to Shodan's 1 req/s), then applies the relevance filter. This is where query credits are spent (1 per 100 results per dork; tune with --max-pages).
  3. DNS — pulls the subdomain inventory from Shodan's DNS DB.
  4. Host detail (optional, --host-detail N) — full service/vuln list per host for the top N hosts. Costs 0 query credits.

Dorks it runs (per domain D and org O)

Category Dork
hostname hostname:"D"
ssl ssl:"D", ssl.cert.subject.cn:"D", ssl.cert.subject.cn:"*.D"
ssl-org ssl.cert.subject.o:"O"
org org:"O" (+ suffix-stripped variant, e.g. Google incGoogle)
http http.html:"D", http.title:"O"
vuln hostname:"D" has_vuln:true, org:"O" has_vuln:true
asn asn:AS#### for every ASN discovered in phase 1 (with --deep)
custom anything you pass via --dork '...' (repeatable)

Relevance + ASN-ownership verification (the "no fluff" engine)

The problem: for a well-known domain, hostnames and reverse-DNS are forgeable. Anyone can set a PTR record or a self-signed cert to cache.google.com on their own OVH box — so "hostname matches" is not proof of ownership.

RootXshodan solves this by verifying who each ASN is actually registered to. During discovery it runs a free asn:ASxxxx count (facet org) per candidate ASN and keeps only the ones whose registered org matches your target. Forged-PTR hosts on unrelated networks (OVH, Amazon, Tencent…) get dropped automatically.

Every kept result is then labelled with an ownership tier:

Ownership Meaning
OWNED on a verified org-owned ASN and a real hostname/cert match — genuinely the org's own service
CLOUD-CUST on the org's cloud ASN but a customer VM (customer reverse-DNS, e.g. *.googleusercontent.com) or no positive proof — on their network, not operated by them
UNVERIFIED claims the org's hostname/cert but is not on a verified org ASN — forged reverse-DNS / self-signed impostor (usually dropped by the score filter)

Scoring (tier = HIGH ≥4 / MEDIUM 2–3 / LOW 1; default keep ≥ --min-score 2):

  • +3 verified org-owned ASN · trusted cert CN/SAN ∈ your domain
  • +2 hostname ∈ your domain on an owned ASN · org / cert-subject-O token match
  • +1 hostname ∈ your domain not on an owned ASN (forgeable) · self-signed cert · ISP / http mention

Shared hosting/CDN org names (AWS, Cloudflare, Azure, Akamai…) never count as proof on their own. Use --owned-only to keep just the OWNED + CLOUD-CUST assets and drop every unverified impostor.

The terminal report leads with a ★ GENUINELY ORG-OWNED & VULNERABLE section so you immediately see whether any real org asset (not a customer or impostor) is actually exposed.

Output

Terminal report plus four files in rootxshodan-<target>-<date>/:

  • rootxshodan.json — everything, machine-readable
  • hosts.csv — flat host/service table for spreadsheets
  • report.html — self-contained dark-theme dashboard
  • report.md — markdown report

Sections: summary, ASN/org landscape, host inventory (with confidence), exposed/interesting services (databases, RDP/VNC, Docker/K8s, IPMI, SMB…), vulnerabilities (CVEs), leaked internal IPs/hosts (RFC1918 + .internal /.corp/.local pulled from banners), and the discovered subdomain inventory.

Key flags

Flag Meaning
--max-pages N result pages per dork (100/page, 1 credit/page). Default 1
--min-score N relevance threshold (default 2). Use 3 for high-confidence only
--owned-only keep only assets on verified org-owned ASNs (drop impostors)
--max-verify N verify ownership of the top N candidate ASNs (default 30)
--no-filter keep ALL results (disable correlation filter)
--wide add the noisy http.html:domain dork (any site embedding the domain)
--deep also sweep every verified org ASN
--host-detail N full service list for top N hosts
--workers N parallel dork workers (default 4)
--rate S min seconds between API calls (default 1.05)
--dork '...' add a raw custom dork (repeatable)
--no-vuln / --no-dns skip those phases (some plans block has_vuln)

Notes / limits

  • Respects Shodan's ~1 req/s limit. Parallel workers overlap latency but calls are serialized by the shared rate limiter — raise --rate down cautiously.
  • has_vuln: / vuln: and some facets require a paid Shodan plan; if your plan blocks them the tool logs it and continues.
  • Authorized use only. For your own assets, bug-bounty programs whose scope covers the target, or engagements with written permission.

About

Focused Shodan organization recon — verifies ASN ownership and surfaces only real org-owned assets (hosts, services, CVEs, hidden hosts, leaked internal IPs). No fluff.

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages