by bx0 -=]dbx0.lol[=-
olleak discovers publicly exposed Ollama instances via Shodan, probes every available model with a chat message, and records the results — including response language, token counts, and timing — in a PostgreSQL or SQLite database.
```bash
git clone <repo>
cd olleak
python -m venv venv && source venv/bin/activate
pip install -r requirements.txt
cp .env.example .env
# fill in SHODAN_API_KEY and either POSTGRES_URL or SQLITE_FILE
```

```bash
# Discover IPs from Shodan and store them
python main.py --shodan

# Discover IPs via masscan (no Shodan key needed — requires masscan installed)
python main.py --discover --ranges 0.0.0.0/0
python main.py --discover --ranges 1.0.0.0/8 192.168.0.0/16 --rate 50000

# Probe all stored IPs for live Ollama instances
python main.py --scan

# Skip IPs already scanned in a previous run
python main.py --scan --skip-scanned

# Custom probe message (default: "hi")
python main.py --scan --message "What model are you?"

# Run both phases in sequence
python main.py --shodan --scan

# View the last scan session summary
python main.py --last-session

# View full results for a specific session
python main.py --session <uuid>
```

| Variable | Required | Description |
|---|---|---|
| `SHODAN_API_KEY` | Yes | Shodan API key |
| `POSTGRES_URL` | One of | PostgreSQL connection string |
| `SQLITE_FILE` | One of | Path to SQLite file (created automatically) |
| `SCAN_WORKERS` | No | Concurrent probe threads (default: 50) |
| `PORT_CHECK_TIMEOUT` | No | TCP port check timeout in seconds (default: 3) |
| `HTTP_TIMEOUT` | No | `/api/tags` request timeout in seconds (default: 10) |
| `CHAT_TIMEOUT` | No | `/api/chat` request timeout in seconds (default: 30) |

Phase 1 — --shodan
Streams all Shodan results for `port:11434 html:"Ollama"` using the cursor API, storing each discovered IP with geolocation and org data. Re-running only adds new IPs; duplicates are ignored. Commits every 100 results so progress is preserved on interruption.
Phase 1 (alternative) — --discover
Runs masscan against the specified CIDR ranges on port 11434, then geo-enriches discovered IPs in batches via ip-api.com (free, no API key). Writes to the same `shodan_ips` table. Requires masscan installed (`sudo apt-get install masscan` / `brew install masscan`) and typically root/sudo privileges for raw socket access.
Phase 2 — --scan
For every IP in the database:
- TCP port check on `11434`
- `GET /api/tags` to list available models
- `POST /api/chat` for each model with the configured message
- Records response time, token counts (prompt/completion), internal Ollama timing, and detected response language
Results are written to the database as each probe completes. A scan session row is created at the start so partial runs are never lost.
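
For operators of Ollama hosts, the Phase 2 sequence above (a model listing followed by a chat request per model from the same client) can be looked for in server access logs. The following is an added example, not part of olleak: the GIN-style log line format, the `TRUSTED` networks and the 60-second window are assumptions, and the sample log is constructed.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: GIN-style access log lines; adapt the regex to your own log format.
LINE = re.compile(
    r'\[GIN\] (?P<ts>\d{4}/\d{2}/\d{2} - \d{2}:\d{2}:\d{2}) \|\s*\d{3} \|[^|]*'
    r'\|\s*(?P<ip>[0-9A-Fa-f:.]+) \|\s*(?P<method>[A-Z]+)\s+"(?P<path>[^"]*)"'
)
# Assumption: networks that are allowed to talk to the Ollama API.
TRUSTED = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]
# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE = """\
[GIN] 2024/05/01 - 11:59:50 | 200 |    1.1ms |       10.0.0.5 | GET      "/api/tags"
[GIN] 2024/05/01 - 11:59:52 | 200 |    1.84s |       10.0.0.5 | POST     "/api/chat"
[GIN] 2024/05/01 - 12:00:01 | 200 |    1.2ms |    203.0.113.7 | GET      "/api/tags"
[GIN] 2024/05/01 - 12:00:02 | 200 |    2.31s |    203.0.113.7 | POST     "/api/chat"
[GIN] 2024/05/01 - 12:00:09 | 200 |    4.02s |    203.0.113.7 | POST     "/api/chat"
[GIN] 2024/05/01 - 12:01:00 | 200 |    1.10s |  198.51.100.20 | POST     "/api/chat"
[GIN] 2024/05/01 - 12:02:00 | 200 |    0.9ms |  198.51.100.30 | GET      "/api/tags"
[GIN] 2024/05/01 - 12:09:00 | 200 |    3.40s |  198.51.100.30 | POST     "/api/chat"
"""

def find_probes(lines, window=timedelta(seconds=60)):
    """Map each untrusted client to the number of /api/chat calls that
    followed its own GET /api/tags within `window` (list, then chat)."""
    last_tags, hits = {}, {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        try:
            addr = ip_address(m["ip"])
        except ValueError:  # field matched the regex but is not an IP address
            continue
        if any(addr in net for net in TRUSTED):
            continue
        ts = datetime.strptime(m["ts"], "%Y/%m/%d - %H:%M:%S")
        request = (m["method"], m["path"])
        if request == ("GET", "/api/tags"):
            last_tags[addr] = ts
        elif request == ("POST", "/api/chat") and addr in last_tags:
            if timedelta(0) <= ts - last_tags[addr] <= window:
                hits[str(addr)] = hits.get(str(addr), 0) + 1
    return hits

if __name__ == "__main__":
    for ip, chats in find_probes(SAMPLE.splitlines()).items():
        print(f"{ip}: model listing followed by {chats} chat request(s)")
```

Any hit from outside the trusted networks also means the API on port 11434 is reachable from that network, which is the exposure to close first.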
Works with PostgreSQL (tables created in the olleak schema) or SQLite (local file). Schema is created automatically on first run.
| Table | Description |
|---|---|
| `shodan_ips` | Discovered IPs with location and org metadata |
| `scan_sessions` | One row per `--scan` run with aggregate stats |
| `scan_results` | Per-IP probe outcome linked to a session |
| `model_results` | Per-model chat result with full timing and token data |

All primary keys are UUIDs.