loading
loading
Recon
Analyze a list of IP addresses and see which ones have open ports and known vulnerabilities through Shodan.
overview
nrich takes a list of IP addresses and enriches them with Shodan-sourced port and vulnerability context so you see what the internet already knows about each host.
It is a fast passive pass: no packets to the target, only lookups against the published dataset, which suits early triage of large IP ranges.
Feed it masscan or cloud inventory output before active scanning so you prioritize hosts that already show interesting ports or known CVEs.
use cases
Feed resolved IPs and let nrich rank them by open ports and known CVEs, so scanner time goes to the hosts that already look exposed.
Run nrich after a resolver or ASN expansion to add ports, hostnames, and tech to bare addresses without touching the targets.
Pull Shodan's recorded CVEs for each IP to flag hosts carrying published issues before any active testing begins.
Emit --output json so each enriched IP lands as a row a later node can filter by port, tech, or CVE for targeted follow-up.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| output | STRING | --output | Output format (shell or json) [default: shell] |
| input | FILE | · | File containing an IP per line. Non-IPs are ignored |
Showing key inputs. nrich exposes 2 inputs in total.
example
# nrich: enrich an IP list with Shodan-derived ports/CVEsnrich ips.txt --output json198.51.100.10 ports=[80,443] cves=[CVE-2021-44228]203.0.113.5 ports=[22,8080] cves=[]192.0.2.8 ports=[443] cves=[CVE-2023-44487]198.51.100.44 ports=[25,465] cves=[]203.0.113.90 ports=[3389] cves=[]192.0.2.50 ports=[80,8443] cves=[CVE-2022-22965]guidance
Reach for nrich when you have a list of IPs and want to know which are exposed before scanning. It queries Shodan passively, so it adds ports, tech, and CVEs without sending traffic. For an active port scan instead, use naabu or masscan.
Full Shodan API client for arbitrary queries. nrich is the focused bulk-enrichment path for an IP list.
Pulls hosts from Shodan, Censys, and FOFA by query. nrich enriches IPs you already have.
Active port scanner. Run it when you need live ports rather than Shodan's recorded view.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A list of IPs feeds nrich, which enriches each with Shodan data and writes the ports, tech, and CVEs as a queryable output.
Facts on this page come from the live Trickest tool library.