This repo houses the code I made to mine various C2/malware IPs from Shodan. Most of the searches used were sourced from Michael Koczwara's and @BushidoToken's (Will's) research (see references below). Huge thanks to the both of them!

• C2's
  • Cobalt Strike
  • Metasploit Framework
  • Covenant
  • Mythic
  • Brute Ratel C4
  • Posh
  • Sliver
  • Deimos
  • PANDA
  • NimPlant C2
  • Havoc C2
• Malware
  • AcidRain Stealer
  • Misha Stealer (AKA Grand Misha)
  • Patriot Stealer
  • RAXNET Bitcoin Stealer
  • Titan Stealer
  • Collector Stealer
  • Mystic Stealer
• Tools
  • Hashcat Cracking Tool
  • BurpSuite
  • PowerSploit
  • XMRig Monero Cryptominer
  • GoPhish

I currently have this script running nightly on a crontab and automatically updating the files in data. There is a backup of the data in backup, this is not touched by the automation and will occassionally be updated manually.

Last Backup: 1/6/2023

However if you want to host a private version, put your Shodan API key in an environment variable called SHODAN_API_KEY

echo SHODAN_API_KEY=API_KEY >> ~/.bashrc
bash
python3 -m pip install -r requirements.txt
python3 tracker.py

• Write scripts to analyze DNS/WHOIS info
• Build automation into the script
• Write script to identify servers with multiple frameworks running
• Track metrics over time

• Hunting C2 with Shodan by Michael Koczwara
• Hunting Cobalt Strike C2 with Shodan by Michael Koczwara
• This tweet
• BushidoToken's OSINT-SearchOperators
• This tweet
• This tweet
• This tweet