What is Shodan?
Shodan is a search engine for devices on the internet. It scans and indexes hosts and their services into a searchable format, and it’s a fantastic resource for pentesters and bug hunters.
If it has a public IP, it can probably be found on Shodan: everything from industrial control systems to internet-enabled tea kettles. A few of the most popular searches include “default password” and “ipcamera”.
It is incredibly useful for searching IP ranges within the scope of your bug bounty or pentest for vulnerable systems.
Free accounts are available, but search results are limited. Unrestricted accounts cost only $45.
Simply search for key terms, or try out a few advanced operators:
| Operator | Description | Example |
|---|---|---|
| city: | find devices in a city | city:"Rio de Janeiro" |
| country: | find devices in a country | country:"BR" |
| geo: | find devices with coordinates | geo:42.9693,-74.1224 |
| hostname: | find devices with specific hostname | hostname:"Gibson" |
| net: | filter on CIDR notation or IP | net:"172.16.255.1/24" |
| os: | filter by operating system | os:FreeBSD |
| port: | devices with a certain port open | port:9001 |
| before: | results pulled before a certain time | before:dd-mm-yyyy or dd/mm/yyyy |
| after: | results pulled after a certain time | after:dd-mm-yyyy or dd/mm/yyyy |
Shodan also supports Google-like booleans (-/+) and quotation restrictions:
os:Debian port:80 "please sign in" +apache -2.2.4
In addition to all this, Shodan also offers exploit search, Shodan maps and radar, a command line tool, and more.
Shodan offers an API which works nicely with many common tools. Maltego, Metasploit, Recon-NG, and others all offer Shodan integration. You can even write your own tools using things like the Python module for Shodan. This makes it easy to integrate Shodan searches into your operations.
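As an added example (not code from the original post), here is one way to use the Python module to audit the exposure of ranges you are authorised to test, combining `net:` with the other operators from the table and discarding any result outside scope. The helper names, the `SHODAN_API_KEY` environment variable and the sample banners are assumptions made for illustration.

```python
import ipaddress
import os

def build_query(cidr, **filters):
    """Compose a Shodan query: net: plus any other operators from the table."""
    net = ipaddress.ip_network(cidr, strict=False)  # raises on a malformed scope entry
    parts = [f'net:"{net}"']
    for op, value in filters.items():
        value = str(value)
        # Quote values that contain spaces, as in city:"Rio de Janeiro"
        parts.append(f'{op}:"{value}"' if " " in value else f"{op}:{value}")
    return " ".join(parts)

def in_scope(matches, scope):
    """Keep only banners whose IP lies inside an authorised range."""
    nets = [ipaddress.ip_network(c, strict=False) for c in scope]
    return [m for m in matches
            if any(ipaddress.ip_address(m["ip_str"]) in n for n in nets)]

def summarise(matches):
    """Map each IP to the sorted list of ports Shodan has indexed for it."""
    exposure = {}
    for m in matches:
        exposure.setdefault(m["ip_str"], set()).add(m["port"])
    return {ip: sorted(ports) for ip, ports in exposure.items()}

def audit(scope, api_key, **filters):
    """Query Shodan once per in-scope range and summarise what is exposed."""
    import shodan  # pip install shodan; imported lazily so the helpers run offline
    api = shodan.Shodan(api_key)
    found = []
    for cidr in scope:
        found += api.search(build_query(cidr, **filters))["matches"]
    return summarise(in_scope(found, scope))

# Constructed scope and banners (documentation address ranges), for offline use
SCOPE = ["192.0.2.0/24"]
SAMPLE = [
    {"ip_str": "192.0.2.10", "port": 9001},
    {"ip_str": "192.0.2.10", "port": 80},
    {"ip_str": "198.51.100.7", "port": 80},  # outside scope, must be dropped
]

if __name__ == "__main__":
    key = os.environ.get("SHODAN_API_KEY")
    print(audit(SCOPE, key, port=9001) if key else summarise(in_scope(SAMPLE, SCOPE)))
```

`build_query` normalises a range written with host bits set, so the table's `172.16.255.1/24` becomes `172.16.255.0/24` in the query.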