Shodan
What It Is
Shodan continuously scans the internet and indexes banner data from services running on public IPs. Instead of searching web page content (like Google), Shodan searches service banners — the metadata that servers return when you connect to them.
Useful for: discovering exposed services, finding vulnerable software versions, mapping an organization’s external attack surface, and identifying IoT/OT devices.
Web Search Filters
Use at shodan.io. Free tier gives limited results; paid plans unlock full data.
| Filter | Purpose | Example |
|---|---|---|
| `hostname:` | Search by hostname | `hostname:example.com` |
| `ip:` | Specific IP | `ip:10.10.10.1` |
| `net:` | CIDR range | `net:10.10.10.0/24` |
| `port:` | Specific port | `port:3389` |
| `org:` | Organization name | `org:"Amazon"` |
| `os:` | Operating system | `os:"Windows Server 2019"` |
| `product:` | Software/product name | `product:"Apache httpd"` |
| `version:` | Software version | `version:"2.4.49"` |
| `city:` | City location | `city:"London"` |
| `country:` | Country code | `country:"US"` |
| `ssl.cert.subject.cn:` | SSL cert common name | `ssl.cert.subject.cn:example.com` |
| `http.title:` | HTTP page title | `http.title:"Dashboard"` |
| `http.status:` | HTTP status code | `http.status:200` |
| `vuln:` | CVE vulnerability (paid) | `vuln:CVE-2021-44228` |
| `has_screenshot:true` | Has a screenshot | `has_screenshot:true port:3389` |
Combine filters: product:"Apache" port:443 country:"DE"
Common Searches
Exposed databases

```
product:"MongoDB" port:27017 -authentication
product:"Elasticsearch" port:9200
product:"Redis" port:6379
```

Webcams and IoT

```
has_screenshot:true port:554
http.title:"webcam"
"Server: yawcam"
```

RDP and remote access

```
port:3389 "Desktop Protocol"
port:5900 "VNC"
```

Default credentials / admin panels

```
http.title:"admin" http.status:200
http.title:"Dashboard" port:8080
```

```bash
# Install
pip install shodan

# Set API key (from account page)
shodan init YOUR_API_KEY

# Search
shodan search "apache" --limit 10

# Host lookup
shodan host 10.10.10.1

# Count results
shodan count "port:22 country:US"

# Download results for offline analysis
shodan download results.json.gz "product:nginx port:443"
shodan parse results.json.gz --fields ip_str,port,org
```
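For reviewing your own organization's exposure offline, the downloaded export can be summarized per IP. This is an added example, not code from the original page or from Shodan: it assumes the export is gzip-compressed JSON lines whose banners carry the `ip_str` and `port` keys used with `shodan parse --fields` above. `REVIEW_PORTS`, the function names and the sample data are this example's own.

```python
import gzip
import io
import json
from collections import defaultdict

# Ports taken from the "Common Searches" on this page; labels are this example's wording.
REVIEW_PORTS = {
    27017: "MongoDB", 9200: "Elasticsearch", 6379: "Redis",
    3389: "RDP", 5900: "VNC", 554: "RTSP",
}

def load_banners(stream):
    """Yield one banner dict per line of a gzip'd JSON-lines export; skip bad lines."""
    with gzip.open(stream, "rt", encoding="utf-8") as fh:
        for line in fh:
            try:
                yield json.loads(line)
            except json.JSONDecodeError:
                continue  # blank line, truncated download or partial write

def exposure_report(banners):
    """Map each IP to its sorted open ports and the subset that needs review."""
    ports = defaultdict(set)
    for b in banners:
        ip, port = b.get("ip_str"), b.get("port")
        if ip is not None and isinstance(port, int):
            ports[ip].add(port)  # a set collapses repeated scans of one service
    return {
        ip: {"ports": sorted(p), "review": {n: REVIEW_PORTS[n] for n in sorted(p) if n in REVIEW_PORTS}}
        for ip, p in ports.items()
    }

def constructed_export():
    """Constructed sample (documentation addresses), not real Shodan data."""
    rows = [
        {"ip_str": "192.0.2.10", "port": 443, "org": "Example Org", "product": "nginx"},
        {"ip_str": "192.0.2.10", "port": 6379, "org": "Example Org", "product": "Redis"},
        {"ip_str": "192.0.2.22", "port": 3389, "org": "Example Org"},
        {"ip_str": "192.0.2.22", "port": 3389, "org": "Example Org"},  # duplicate scan
    ]
    raw = "\n".join(json.dumps(r) for r in rows) + "\n{broken\n"
    return io.BytesIO(gzip.compress(raw.encode()))

if __name__ == "__main__":
    for ip, info in exposure_report(load_banners(constructed_export())).items():
        print(ip, info["ports"], info["review"])
```

`load_banners` also accepts a file path, so `load_banners("results.json.gz")` reads the file produced by `shodan download`.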