Shosubgo
Shosubgo is a command-line tool that uses the Shodan API to find subdomains of a given domain. Combines Shodan results with DNS enumeration to discover internet-facing assets and identify exposed services.
Installation
From Source
git clone https://github.com/incogbisquit/shosubgo.git
cd shosubgo
go build
sudo mv shosubgo /usr/local/bin/From Binary
# Download latest release
wget https://github.com/incogbisquit/shosubgo/releases/latest/download/shosubgo-linux-amd64
chmod +x shosubgo-linux-amd64
sudo mv shosubgo-linux-amd64 /usr/local/bin/shosubgoGo Install
go install github.com/incogbisquit/shosubgo@latestVerify Installation
shosubgo -hSetup & Configuration
Shodan API Key
# Get API key from https://shodan.io/
# Free and paid accounts available
export SHODAN_API_KEY="your_shodan_api_key"
# Or set in config
echo "your_api_key" > ~/.shodan_key
# Verify API key works
shodan infoBasic Usage
| Command | Description |
|---|---|
shosubgo -d example.com | Find subdomains |
shosubgo -d example.com -s | Include Shodan results |
shosubgo -d example.com -o results.txt | Save to file |
shosubgo -d example.com -t 10 | Use 10 threads |
shosubgo -d example.com -f domains.txt | Input file |
shosubgo -d example.com -v | Verbose output |
Subdomain Discovery
Basic Enumeration
# Find subdomains with Shodan API
shosubgo -d example.com
# Include Shodan data
shosubgo -d example.com -s
# Verbose output
shosubgo -d example.com -v
# Save results
shosubgo -d example.com -o subdomains.txt
# Count results
shosubgo -d example.com | wc -lAdvanced Options
# Increase threads for faster results
shosubgo -d example.com -t 20
# Specify API key directly
shosubgo -d example.com -a "your_api_key"
# Filter by Shodan port
shosubgo -d example.com -p 443
# Include specific Shodan data
shosubgo -d example.com -s -vMultiple Domains
# From file
shosubgo -f domains.txt
# With output
shosubgo -f domains.txt -o results/
# Per domain
while read domain; do
echo "[*] Processing $domain..."
shosubgo -d $domain -o results_$domain.txt
done < domains.txtOSINT & Reconnaissance
Vulnerability Discovery
#!/bin/bash
# Find exposed services via Shodan
TARGET="example.com"
echo "[*] Finding subdomains with exposed services..."
shosubgo -d $TARGET -s > results.txt
# Analyze results
echo ""
echo "=== Unique Hosts Found ==="
sort -u results.txt | wc -l
# Extract by service type
echo ""
echo "=== SSH Services ==="
grep -i "ssh\|22" results.txt
# Web services
echo ""
echo "=== Web Services ==="
grep -iE "http|443|8080|8443" results.txt
# Database services
echo ""
echo "=== Database Services ==="
grep -iE "mysql|postgres|mongodb|redis" results.txtService Enumeration
#!/bin/bash
# Enumerate services exposed on subdomains
TARGET="example.com"
echo "[*] Discovering exposed services..."
shosubgo -d $TARGET -s -v > services.txt
# Extract IP addresses
echo "=== IP Addresses ==="
grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" services.txt | sort -u
# Extract open ports
echo ""
echo "=== Open Ports ==="
grep -oE ":[0-9]+" services.txt | sed 's/:/:/' | sort -u
# Service banners
echo ""
echo "=== Service Information ==="
grep -iE "(server|banner|version)" services.txtOrganization Asset Discovery
#!/bin/bash
# Complete asset reconnaissance
DOMAIN="example.com"
OUTPUT_DIR="asset_recon"
mkdir -p "$OUTPUT_DIR"
echo "[*] Discovering assets with Shodan..."
shosubgo -d $DOMAIN -s -v > "$OUTPUT_DIR/shodan_results.txt"
# Extract unique hosts
echo "[*] Extracting unique hosts..."
grep -oE "[a-z0-9.-]+\.$DOMAIN" "$OUTPUT_DIR/shodan_results.txt" | sort -u > "$OUTPUT_DIR/subdomains.txt"
# Extract IPs
echo "[*] Extracting IP addresses..."
grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" "$OUTPUT_DIR/shodan_results.txt" | sort -u > "$OUTPUT_DIR/ips.txt"
# Extract services
echo "[*] Identifying services..."
grep -iE "(http|ssh|ftp|smtp|rdp|vnc|sql)" "$OUTPUT_DIR/shodan_results.txt" | sort -u > "$OUTPUT_DIR/services.txt"
# Summary
echo ""
echo "=== Asset Discovery Summary ==="
echo "Subdomains: $(wc -l < $OUTPUT_DIR/subdomains.txt)"
echo "Unique IPs: $(wc -l < $OUTPUT_DIR/ips.txt)"
echo "Services: $(wc -l < $OUTPUT_DIR/services.txt)"Port-Specific Searches
#!/bin/bash
# Find subdomains with specific open ports
DOMAIN="example.com"
# Web servers
echo "=== HTTP (80) ==="
shosubgo -d $DOMAIN -p 80 2>/dev/null
# HTTPS
echo ""
echo "=== HTTPS (443) ==="
shosubgo -d $DOMAIN -p 443 2>/dev/null
# SSH
echo ""
echo "=== SSH (22) ==="
shosubgo -d $DOMAIN -p 22 2>/dev/null
# RDP
echo ""
echo "=== RDP (3389) ==="
shosubgo -d $DOMAIN -p 3389 2>/dev/null
# Databases
echo ""
echo "=== MySQL (3306) ==="
shosubgo -d $DOMAIN -p 3306 2>/dev/nullIntegration with Other Tools
Chain with Curl for Status Checking
#!/bin/bash
# Discover subdomains and check HTTP status
DOMAIN="example.com"
echo "[*] Discovering subdomains..."
shosubgo -d $DOMAIN > subdomains.txt
echo "[*] Checking HTTP status..."
while IFS= read -r subdomain; do
# Try HTTP
status=$(timeout 2 curl -s -o /dev/null -w "%{http_code}" "http://$subdomain" 2>/dev/null)
if [ ! -z "$status" ] && [ "$status" != "000" ]; then
echo "$subdomain: HTTP-$status"
fi
done < subdomains.txt | tee web_services.txtChain with Nmap for Port Scanning
#!/bin/bash
# Discover subdomains and scan ports
DOMAIN="example.com"
echo "[*] Discovering subdomains..."
shosubgo -d $DOMAIN -s > subdomains.txt
# Get unique hosts
HOSTS=$(grep -oE "[a-z0-9.-]+\.$DOMAIN" subdomains.txt | sort -u)
echo "[*] Scanning with nmap..."
echo "$HOSTS" | nmap -iL - -p 22,80,443,3306,5432,8080 -sS --open | tee nmap_results.txtFind Subdomains via IP Reverse Lookup
#!/bin/bash
# Use Shodan to find related IPs
DOMAIN="example.com"
echo "[*] Finding IPs for domain..."
shosubgo -d $DOMAIN -s > shodan_data.txt
# Extract IPs
IPS=$(grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" shodan_data.txt | sort -u)
echo "[*] Found $(echo $IPS | wc -w) unique IPs"
# For each IP, find related domains (if Shodan paid API)
for ip in $IPS; do
echo "IP: $ip"
# This would require additional Shodan API calls
doneFiltering & Analysis
Parse Shodan Results
#!/bin/bash
# Extract useful information from results
RESULTS="shodan_results.txt"
# Extract HTTP servers with interesting headers
echo "=== HTTP Servers ==="
grep -iE "http|web" $RESULTS | head -20
# Extract all software versions mentioned
echo ""
echo "=== Software Detected ==="
grep -iE "server:|version:" $RESULTS | sort -u
# Extract ISP information
echo ""
echo "=== ISP Information ==="
grep -iE "isp:|organization:" $RESULTS | sort -u
# Extract geographic information
echo ""
echo "=== Geographic Info ==="
grep -iE "country:|city:|lat:|longitude:" $RESULTS | sort -uVulnerability Pattern Detection
#!/bin/bash
# Identify potentially vulnerable services
RESULTS="shodan_results.txt"
# Old Apache versions
echo "=== Potentially Vulnerable Apache ==="
grep -iE "apache/2\.[0-2]" $RESULTS
# Outdated IIS
echo ""
echo "=== Outdated IIS ==="
grep -iE "microsoft-iis/[5-7]" $RESULTS
# SSH brute force targets
echo ""
echo "=== SSH Services ==="
grep -i "ssh" $RESULTS
# Exposed services
echo ""
echo "=== Potentially Exposed ==="
grep -iE "mongodb|redis|elasticsearch|mysql" $RESULTSOrganization-Wide Enumeration
Large-Scale Scanning
#!/bin/bash
# Scan multiple organizations
ORGANIZATIONS="target_orgs.txt"
OUTPUT_DIR="org_scans"
mkdir -p "$OUTPUT_DIR"
while read org_domain; do
echo "[*] Scanning $org_domain..."
# Run Shosubgo
timeout 120 shosubgo -d $org_domain -s -v \
> "$OUTPUT_DIR/$org_domain.txt" 2>/dev/null
# Extract stats
subdomains=$(grep -oE "[a-z0-9.-]+\.$org_domain" "$OUTPUT_DIR/$org_domain.txt" | wc -l)
services=$(grep -iE "(http|ssh|ftp|sql)" "$OUTPUT_DIR/$org_domain.txt" | wc -l)
echo " Subdomains: $subdomains, Services: $services"
done < "$ORGANIZATIONS"
echo "[+] Scans complete"Reporting
Generate Report
#!/bin/bash
# Create comprehensive report
DOMAIN="example.com"
REPORT="shosubgo_report_${DOMAIN}_$(date +%Y%m%d).txt"
cat > $REPORT << EOF
=== SHOSUBGO RECONNAISSANCE REPORT ===
Domain: $DOMAIN
Date: $(date)
Tool: shosubgo
API: Shodan
=== SUMMARY ===
EOF
shosubgo -d $DOMAIN -s > temp_results.txt
TOTAL=$(wc -l < temp_results.txt)
UNIQUE=$(sort -u temp_results.txt | wc -l)
cat >> $REPORT << EOF
Total results: $TOTAL
Unique entries: $UNIQUE
=== FINDINGS ===
EOF
cat temp_results.txt >> $REPORT
rm temp_results.txt
echo "[+] Report saved to $REPORT"CSV Export
#!/bin/bash
# Export to CSV
DOMAIN="example.com"
OUTPUT="shosubgo_${DOMAIN}.csv"
echo "subdomain,ip,port,service,version" > $OUTPUT
shosubgo -d $DOMAIN -s | while read line; do
# Parse line (format depends on Shodan response)
# This is a simplified example
subdomain=$(echo "$line" | cut -d'|' -f1)
ip=$(echo "$line" | grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
echo "$subdomain,$ip,,,," >> $OUTPUT
done
echo "[+] Exported to $OUTPUT"Shodan API Usage
Direct API Integration
#!/bin/bash
# Use Shodan API directly for advanced queries
API_KEY=$SHODAN_API_KEY
DOMAIN="example.com"
# Search for specific services
echo "=== Searching Shodan API ==="
curl -s "https://api.shodan.io/shodan/host/search?query=hostname:${DOMAIN}&key=${API_KEY}" | \
jq '.matches[] | {ip: .ip_str, port: .port, org: .org, product: .product}'
# Get IP details
echo ""
echo "=== IP Details ==="
IP="1.2.3.4"
curl -s "https://api.shodan.io/shodan/host/${IP}?key=${API_KEY}" | \
jq '.data[] | {port: .port, product: .product, version: .version}'Best Practices
- Use Shodan API responsibly (respect rate limits)
- Combine with passive techniques (assetfinder, findomain)
- Verify findings before acting on them
- Document all discovered assets
- Keep API key secure (use environment variables)
- Run scans regularly to catch new exposures
- Filter results by relevance
- Cross-reference with other OSINT sources
Troubleshooting
No API Results
# Verify API key
echo $SHODAN_API_KEY
# Test API connectivity
curl -s "https://api.shodan.io/account/profile?key=$SHODAN_API_KEY" | jq '.credits'
# Check domain for Shodan results
# Not all domains have Shodan dataRate Limiting
# Shodan has rate limits based on plan
# Free: 1 query/second
# Paid: higher limits
# Add delays between requests
for domain in $(cat domains.txt); do
shosubgo -d $domain
sleep 2 # Respect rate limits
doneResources
Last updated: 2026-03-30