nrich: A Tool for Fast IP Enrichment

You have a long list of IPs and quickly want a basic idea of what they're running so that you can:

  • Make sure they're not exposing any unexpected services
  • Filter out VPN IPs from a list of IOCs
  • Prioritize IPs that have possible vulnerabilities

Introducing nrich, a command-line tool to quickly analyze all IPs in a file and see which ones have open ports or vulnerabilities:

https://gitlab.com/shodan-public/nrich

It's difficult to capture with Asciinema just how fast it is but here's a short demonstration:

nrich currently supports 3 output formats:

  • shell (default): a user-friendly view of the information.
  • json: creates a single JSON object containing all the information. Useful if you want to store the results in a separate file that can then be loaded by other tools.
  • ndjson: newline-delimited JSON, which prints a single JSON object for every line. Use this if you want to pipe the results to another tool such as jq.

Behind the scenes, nrich takes advantage of Shodan's new InternetDB API to efficiently look up IPs without requiring an API key. Release builds are available for Windows, macOS and Linux.
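
As an added example (not part of nrich or the original post), here is a small downstream consumer for the ndjson format that triages records against the three goals listed at the top. The field names (`ip`, `ports`, `tags`, `vulns`), the `vpn` tag value, the `EXPECTED_PORTS` allow-list and the sample records are assumptions modelled on InternetDB responses; check them against your own nrich output.

```python
import json
import sys

EXPECTED_PORTS = {80, 443}  # assumption: the services you intend to expose

# Constructed sample records (documentation-range IPs, placeholder CVE ids).
SAMPLE_NDJSON = """\
{"ip": "192.0.2.10", "ports": [80, 443], "tags": [], "vulns": []}
{"ip": "192.0.2.20", "ports": [22, 443, 3389], "tags": [], "vulns": ["CVE-0000-0001"]}
{"ip": "198.51.100.5", "ports": [443, 1194], "tags": ["vpn"], "vulns": []}
not-json garbage line
{"ip": "203.0.113.7", "ports": [443], "tags": [], "vulns": ["CVE-0000-0002", "CVE-0000-0003"]}
"""


def triage(lines, expected_ports=EXPECTED_PORTS):
    """Split ndjson records into VPN IPs, unexpected ports and a vuln-ranked list."""
    vpn, unexpected, vulnerable, skipped = [], {}, [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            ip = rec["ip"]
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1  # count malformed lines rather than aborting the run
            continue
        if "vpn" in (rec.get("tags") or []):
            vpn.append(ip)  # set aside: shared VPN addresses make poor IOCs
            continue
        extra = sorted(set(rec.get("ports") or []) - set(expected_ports))
        if extra:
            unexpected[ip] = extra
        vulns = rec.get("vulns") or []
        if vulns:
            vulnerable.append((ip, len(vulns)))
    vulnerable.sort(key=lambda item: (-item[1], item[0]))  # most findings first
    return {"vpn": vpn, "unexpected": unexpected,
            "vulnerable": vulnerable, "skipped": skipped}


if __name__ == "__main__":
    # Read ndjson from a pipe when present; otherwise fall back to the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_NDJSON.splitlines()
    print(json.dumps(triage(source), indent=2))
```

Pipe nrich's ndjson output into the script's standard input; run with no pipe, it processes the constructed sample instead.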