Calculation for Shodan API Key Bruteforce (Not really)

I was laying in the bed with my laptop, suddenly i thought about searching something on shodan, i browsed to shodan.io and clicked my account to copy my api key, I don’t know from somewhere my brain started thinking about brute-forcing Shodan's api key to find valid ones, there is one official endpoint to check Shodan’s api key’s information.

https://api.shodan.io/api-info?key=KEYiiSOALSOODNIDEYEOASOEJL

I calculated the length of the api key, It’s 32 Bit long, and It’s a combination of capital and small alphanumeric character.

So let’s calculate if we mix up ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefchjklmnopqrstuvwxyz01234567890 how many combination we got, let’s use a simple formula.

Capital Alphabet + Small Alphabet + Number = 26+26+10 = 62

Now let’s power it with 32 (62)32

(62)32 = 2272657884496751345355241563627544170162852933518655225856

we have more than 2 octodecillion combination to try, now let’s get a idea how many users shodan has.

Shodan says it has 3 million user . and from three million user we get some markable premium and edu users, before getting more inside lets calculate the statics of 89% of fortune 100 company and 5 of the top 6 cloud providers and 1000+ university. Lets break it down.

89% of Fortune 100 is 89 Company as the are the top 89 company of course they will use enterprise access so we got 89 Enterprise account, it’s a probable calculation which can be more. 5 Cloud provider can use one of two Enterprise/Corporate if they use Corporate account could be multiple think each cloud provider has 3 member the Corporate account count will be 15, 1000+ University each university can have more than 6000+ student recent year student’s are getting attracted in cyber security lets think 12% of those student have registered in shodan which is 720000 we get 720000 academic users.

From shodan web site we can guess statics like that.

Enterprise account - 89 + Other Enterprise account 
Corporate Account - 15 + other corporate account
Academic User - 720000 + other university's academic user

Freelancer account costs 69$ there is a big possibility shodan has more freelancer account. and other account and active api key shodan contains are free account.

Let’s guess a probable calculation, in recent CORONA PANDEMIC, i saw many people are registering with edu account and mailing shodan to get free academic membership, from that we can guess it has more academic user than other subscription.

Let’s Guess shodan has 7% Academic user. Now days many security individual are buying freelancer subscription lets guess the number 3%, 0.1% Corporate account and other premium account’s are 4%.

We have total 3000000 Registered users, 14.01% are premium user 85.9% are free user, it could be less or more it’s a probable guess.

Now let’s get to the technical part, shodan accepts 1 requests per second and the con is we can’t use thread here we need to send request frequently after every 1.5 second more 0.5 second delay for not getting rate limited. we have 2272657884496751345355241563627544170162852933518655225856 combination, valid api key count is 3000000 most of these api are free users. the total number of valid api key is 0.00000000000000000000000000000000000000000000000013200403019147373 percent of total combination. if each combination take 1.5 seconds to check it will take 108098630136986299000000000000000000000000000000000.0 Year in word it will take more than one hundred eight quindecillion year. there little much probability to get bunch of valid api key. But it will be a total waste of time if you try to bruteforce there are 0.00000000001% chance to get a premium/membership/academic api key. if you have this much year try this script.

There are more possibility we can think of, this article is not intended to be useful for someone it’s one of stupid though i have noted on my medium.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Joy Ghosh

Joy Ghosh

Security Researchers | Ctf Player | Web-Application Pen-tester | Programmer