Cybersecurity : automating Shodan intel research with 2501
Everything connected to internet, with an IP address, is on Shodan. We gave 2501.ai a Shodan API key and played around with it…
.jpg)
Everything connected to internet, with an IP address, is on Shodan. We gave 2501.ai a Shodan API key and played around with it…
Red Team note: this blog post states possibilities of using 2501 CLI for offensive purposes. Please stay within the limit of the law.
The idea of this blog post originate in a past experience of Alex, 2501 co-founder, when he was building a semi-automated samba scraper.
It's important to understand the risks of using automated reconnaissance. They're very real and can have significant impact on your life or running business.
The goal of this experiment is to gather information about possible targets who fit a specific pattern:
In this use case (SMB reconnaissance), we use 2501 and Shodan in order to find a target samba server with possible open credentials (anonymous or guest allowed). After listing the targets we could easily build a script to perform actions on the identified servers.
Once you have access to a server full of documents (accounting / banking / personal stuff / etc.) you can easily download them and encrypt the files on the server to make them unusable for the original user.
Hackers would then sell the decryption key allowing the business to resume its activities.
You can easily find copies of passports, bank receipts, phone invoices, or social security numbers on open servers. Enough to steal the identity of someone, open a bank account in his/her name.
There's plenty other goals to exploit with access with access to such sensitive data. Black hat creativity is without limit....
Shodan is a powerful search engine, but unlike Google, it returns all reachable IP addresses, not just webpages as results.
You can find some surprisingly interesting stuff (we invite you to watch Dan (Viss) Tentler's Defcon showcase for example discoveries on Shodan).
The 2501 CLI is perfect for this particular experiment, so we started by installing, configuring, and connecting Shodan.
"@2501 use shodan CLI to search for 20 SMB servers, you can try to search for shares with interesting target names like accounting etc. Do not use has_smb or fields restrictions, just do a filter on port and free text search on possible names you will find interesting to target. Restrict the search to Canada. Do not connect to the servers, just gather the info via the shodan CLI and report into a CSV file your target discoveries including the IP and a comment about why you selected it. Do one search per name of shares to maximize volumes."
The prompt above allows us to properly brief 2501's agent with the task details, the results we expect, and some hints based on our past knowledge to avoid encountering issues that can lose time.
With all the necessary info covered in the prompt, 2501 starts processing and executing right away. As usual, we get a breakthrough of the sub-tasks and the current step the AI agent is performing.
As you can see in the screenshot below, 2501 provides a CSV file with possible targets, respecting our brief (the output of the previous step when the Agent was crawling Shodan search queries).
General practice would be to now proceed with more investigation into these targets. For example, potential next steps could be to ask 2501 to:
We didn't go any further to avoid crossing any legal lines, but anything was possible from this point.
In an era when cybersecurity threats evolve at breakneck speed, the ability to automate intelligence gathering with precision is no longer a luxury — it’s a necessity.
By integrating Shodan research into 2501’s orchestration framework, you can stay ahead of potential vulnerabilities with minimal manual intervention. With this approach, your business can:
As 2501 pushes the boundaries of AI-driven security solutions, you can expect a future of threat management with smarter, faster, and more proactive systems.
Give your company the power to safeguard their digital assets in an increasingly hostile landscape. And don't leave your machines open to the web...
