Shodan
Shodan is a search engine for exposed devices and services on the internet. Use it for reconnaissance, vulnerability discovery, and understanding your attack surface.
Installation
Linux/Ubuntu
```bash
# Install via pip
pip3 install shodan
# Install from source
git clone https://github.com/achillean/shodan-python.git
cd shodan-python
python3 setup.py install
# Verify installation (the CLI exposes this as a subcommand, not a --version flag)
shodan version
```
macOS
```bash
# Homebrew
brew install shodan
# Or via pip
pip3 install shodan
```
Windows
```powershell
# Via pip
pip install shodan
# Or download CLI from GitHub releases
```
Basic Configuration
| Command | Description |
|---|---|
| `shodan init <api_key>` | Initialize with your Shodan API key |
| `shodan info` | Display account info and search credits |
| `shodan --help` | Show all available commands |
| `shodan search --help` | Show search command options |
Basic Searches
Simple Queries
```bash
# Search for Apache servers
shodan search "apache"
# Search by country (US)
shodan search "country:US"
# Search for specific port (80 - HTTP)
shodan search "port:80"
# Combine filters
shodan search "apache country:US port:80"
# Search for webcams
shodan search "webcam"
# Find MongoDB instances
shodan search "mongo"
# Find Elasticsearch clusters
shodan search "elasticsearch"
```
Common Filters
| Filter | Example | Description |
|---|---|---|
| `port` | `port:22` | Search by port number |
| `country` | `country:US` | Search by country code |
| `city` | `city:Seattle` | Search by city |
| `org` | `org:Google` | Search by organization |
| `product` | `product:Apache` | Search by product name |
| `version` | `version:2.4.41` | Search by specific version |
| `os` | `os:Linux` | Search by operating system |
| `hostname` | `hostname:example.com` | Search by hostname/domain |
| `net` | `net:192.168.1.0/24` | Search by CIDR range |
Advanced Queries
Security Scanning
```bash
# Find exposed databases
shodan search "mongodb default port"
shodan search "mysql port:3306"
shodan search "postgresql port:5432"
# Find exposed caches/stores
shodan search "redis port:6379"
shodan search "memcached port:11211"
# Find development/debug services
shodan search "jenkins"
shodan search "gitea"
# Find exposed admin panels
shodan search "admin panel"
shodan search "login page"
# Look for IoT devices
shodan search "webcam"
shodan search "DVR"
shodan search "CCTV"
# Printer discovery
shodan search "printer port:9100"
# Router discovery
shodan search "router"
```
Vulnerability Discovery
```bash
# Search for software versions affected by a specific CVE
shodan search "Apache/2.4.1"
# Find outdated software versions
shodan search "IIS/7.5"
# Find hosts by TLS certificate subject (the filter is ssl.cert.subject.cn)
shodan search "ssl.cert.subject.cn:example.com"
# Find weak SSL versions
shodan search "ssl.version:SSLv2"
```
Organization Reconnaissance
```bash
# Find all assets for organization
shodan search "org:CompanyName"
# Find by ASN (Autonomous System Number)
shodan search "asn:AS1234"
# Find by IP range
shodan search "net:192.168.1.0/24"
# Combine with ports
shodan search "org:Google port:22"
```
Detailed Host Information
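```bash
# Get full details for an IP
shodan host 8.8.8.8
# Show services running, one per line (tab-separated)
shodan host --format tsv 8.8.8.8
# Look for specific ports (host takes only an IP, so filter with a search query)
shodan search --fields ip_str,port,product "net:8.8.8.8 port:443"
# Export as JSON (arguments are <filename> <query>; writes results.json.gz)
shodan download --limit 10000 results "port:22"
```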
Download Results
```bash
# Download search results to JSON
# (arguments are <filename> <query>; output is gzip-compressed, one JSON record per line)
shodan download --limit 10000 results "apache country:US"
# Process with jq
gunzip -c results.json.gz | jq '{ip: .ip_str, port: .port, banner: .data}'
# Download, then extract specific fields
shodan download --limit 5000 ssh_servers "port:22"
shodan parse --fields ip_str,port ssh_servers.json.gz
```
API Key Management
```bash
# View current API key info, account status and available search credits
shodan info
# Note: stats summarizes a search query (it requires one); it does not report account status
shodan stats "apache"
```
Automation & Scripting
Python Integration
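```python
#!/usr/bin/env python3
import os

import shodan

# Initialize API. The key is read from the environment instead of being
# hard-coded; the variable name SHODAN_API_KEY is this example's choice.
api = shodan.Shodan(os.environ["SHODAN_API_KEY"])

try:
    # Simple search
    results = api.search('apache')
    # Parse results
    for match in results['matches']:
        print(f"{match['ip_str']}:{match['port']}")
        print(f"Banner: {match['data']}\n")

    # Get host information
    host = api.host('8.8.8.8')
    print(f"IP: {host['ip_str']}")
    print(f"Organization: {host.get('org', 'Unknown')}")
    print(f"Operating System: {host.get('os', 'Unknown')}")
    print(f"ISP: {host.get('isp', 'Unknown')}")
except shodan.APIError as exc:
    # Raised for an invalid key, exhausted credits, or a host with no data
    print(f"Shodan API error: {exc}")
```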
Bash Automation
```bash
#!/bin/bash
# Bulk reconnaissance script
set -euo pipefail
API_KEY="YOUR_API_KEY"
TARGET_ORG="Google"
# Initialize shodan
shodan init "$API_KEY"
# Download results for the organization
# (search prints tab-separated text, so use download to get JSON: results.json.gz, one record per line)
echo "Searching for $TARGET_ORG assets..."
shodan download --limit 10000 results "org:\"$TARGET_ORG\""
# Extract IPs and ports
gunzip -c results.json.gz | jq -r '"\(.ip_str):\(.port)"' > targets.txt
# Count results
echo "Found $(wc -l < targets.txt) services"
# Show top ports
echo "Top ports found:"
gunzip -c results.json.gz | jq -r '.port' | sort | uniq -c | sort -rn | head -10
```
Common Use Cases
Company Recon
```bash
# Find all public-facing infrastructure
shodan search "org:YourCompany"
# Look for weak SSL/TLS
shodan search "org:YourCompany ssl.version:SSLv3"
# Check for exposed services
shodan search "org:YourCompany port:3389"
shodan search "org:YourCompany port:3306"
shodan search "org:YourCompany port:5432"
```
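The checks above can be run in one pass over a single download of your own organization's results instead of one query per port. This is an added example, not part of the original cheat sheet; the port labels, the function names and the reading of `ssl.versions` (a leading `-` marks a version the host does not support) are assumptions of the example, and the sample records are constructed.

```python
import gzip
import json

# Ports taken from the page's queries, plus MongoDB's default (27017); labels are this example's own
RISKY_PORTS = {3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
               6379: "Redis", 11211: "Memcached", 27017: "MongoDB"}
WEAK_TLS = {"SSLv2", "SSLv3"}


def load_banners(path):
    """Yield one banner dict per line of a `shodan download` file (.json.gz, JSON lines)."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        for line in fh:
            if line.strip():
                yield json.loads(line)


def triage(banners):
    """Return sorted (ip, port, reason) findings for exposed services that need review."""
    findings = set()
    for b in banners:
        ip, port = b.get("ip_str"), b.get("port")
        if port in RISKY_PORTS:
            findings.add((ip, port, f"{RISKY_PORTS[port]} reachable from the internet"))
        # Assumption: entries prefixed with "-" are versions the host rejected
        for version in (b.get("ssl") or {}).get("versions") or []:
            if version in WEAK_TLS:
                findings.add((ip, port, f"accepts {version}"))
    return sorted(findings)


# Constructed sample records (documentation address range), shaped like Shodan banners
SAMPLE = [
    {"ip_str": "203.0.113.10", "port": 443,
     "ssl": {"versions": ["TLSv1.2", "SSLv3", "-SSLv2"]}},
    {"ip_str": "203.0.113.11", "port": 3306, "data": "5.7.33-log"},
    {"ip_str": "203.0.113.12", "port": 22, "data": "SSH-2.0-OpenSSH_8.9"},
    {"ip_str": "203.0.113.13", "port": 3389},
]

if __name__ == "__main__":
    # Replace SAMPLE with load_banners("results.json.gz") for a real download
    for ip, port, reason in triage(SAMPLE):
        print(f"{ip}:{port}\t{reason}")
```
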
Security Assessment
```bash
# Find outdated versions in target scope
shodan search "Apache/2.2"
shodan search "IIS/7.0"
# Locate potentially vulnerable services
shodan search "FTP"
shodan search "Telnet"
shodan search "smtp"
# Find test/dev environments
shodan search "test server"
shodan search "development"
shodan search "staging"
```
Threat Intelligence
```bash
# Find botnets or malware infrastructure
shodan search "infected"
# Track spreading vulnerabilities
shodan search "product:Apache version:2.4.49"
# Monitor specific ports for changes
shodan search "port:8080 country:US"
```
Best Practices
Search Efficiency
- Use specific filters to reduce false positives
- Combine multiple criteria for precision
- Start broad, then refine results
- Use appropriate timeouts for large queries
- Monitor API credit usage
Security & Ethics
- Only use on authorized targets
- Respect robots.txt and rate limits
- Document all reconnaissance activities
- Use VPN for privacy
- Never abuse search capabilities
- Follow local laws and regulations
Analysis
- Cross-reference with other OSINT sources
- Verify findings before acting
- Document all findings
- Look for patterns and relationships
- Consider false positives
- Track changes over time
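To track changes over time, keep each download of your own scope and compare the newest snapshot with the previous one. The following is an added example, not part of the original cheat sheet; the function names are hypothetical and the two snapshots are constructed records using Shodan's banner field names (`ip_str`, `port`, `transport`, `product`, `version`).

```python
import json


def services(lines):
    """Map (ip, port, transport) -> "product version" from JSON-lines banner text."""
    seen = {}
    for line in lines:
        if not line.strip():
            continue
        b = json.loads(line)
        key = (b["ip_str"], b["port"], b.get("transport", "tcp"))
        label = " ".join(filter(None, [b.get("product"), b.get("version")]))
        seen[key] = label or "unknown"
    return seen


def diff_snapshots(old_lines, new_lines):
    """Report services that appeared, disappeared, or changed product/version."""
    old, new = services(old_lines), services(new_lines)
    return {
        "opened": sorted(k for k in new if k not in old),
        "closed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k])
                          for k in new if k in old and old[k] != new[k]),
    }


# Constructed snapshots (documentation address range), one JSON record per line
OLD = [
    '{"ip_str": "198.51.100.5", "port": 443, "transport": "tcp", '
    '"product": "Apache httpd", "version": "2.4.41"}',
    '{"ip_str": "198.51.100.5", "port": 21, "transport": "tcp", "product": "vsftpd"}',
]
NEW = [
    '{"ip_str": "198.51.100.5", "port": 443, "transport": "tcp", '
    '"product": "Apache httpd", "version": "2.4.58"}',
    '{"ip_str": "198.51.100.7", "port": 3389, "transport": "tcp"}',
]

if __name__ == "__main__":
    # For real files, pass gzip.open("old.json.gz", "rt") and gzip.open("new.json.gz", "rt")
    for kind, items in diff_snapshots(OLD, NEW).items():
        for item in items:
            print(kind, item)
```
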
Dorks & Advanced Filters
```bash
# Webcams and surveillance
shodan search "webcam"
shodan search "CCTV"
shodan search "rtsp"
# Printers and MFPs
shodan search "printer port:9100"
shodan search "Brother HL-L8360CDW"
# Routers and networking
shodan search "router cisco"
shodan search "gateway"
# Industrial control systems
shodan search "scada"
shodan search "siemens"
shodan search "HVAC"
# Miscellaneous exposed services
shodan search "jenkins login"
shodan search "grafana login"
shodan search "vsphere"
shodan search "kubernetes"
```
Troubleshooting
Common Issues
No API Key Error
```bash
# Initialize with your key
shodan init YOUR_API_KEY
# Verify initialization
shodan info
```
Search Credit Issues
```bash
# Check remaining credits
shodan info
# Free tier has limited searches
# Consider upgrading for more credits
```
Large Result Sets
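```bash
# Download results to analyze locally (arguments are <filename> <query>; writes output.json.gz)
shodan download --limit 10000 output "your_query"
# Process with jq (the file holds one JSON record per line)
gunzip -c output.json.gz | jq -r '.ip_str' | sort -u
```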
Resources
- Official Shodan Website: https://www.shodan.io
- API Documentation: https://developer.shodan.io
- Filter Reference: https://www.shodan.io/search/filters
- Python Library: https://github.com/achillean/shodan-python
- Community Queries: https://www.shodan.io/explore
Last updated: 2025-03-30