What is Shodan?

Shodan is a search engine for devices on the internet. It scans and indexes hosts and their services into a searchable format, and it’s a fantastic resource for pentesters and bug hunters.

If it has a public IP, it can probably be found on Shodan: everything from industrial control systems to internet-enabled tea kettles. A few of the most popular searches include “default password” and “ipcamera”.

It is incredibly useful for searching IP ranges within the scope of your bug bounty or pentest for vulnerable systems.

Free accounts are available, but search results are limited. Unrestricted accounts cost only $45.

Advanced Search

Search for simple key terms, or try out a few advanced operators:

| Filter | Use | Example |
| --- | --- | --- |
| city: | find devices in a city | city:"Rio de Janeiro" |
| country: | find devices in a country | country:"BR" |
| geo: | find devices with coordinates | geo:42.9693,-74.1224 |
| hostname: | find devices with specific hostname | hostname:"Gibson" |
| net: | filter on CIDR notation or IP | net:"172.16.255.1/24" |
| os: | filter by operating system | os:FreeBSD |
| port: | devices with a certain port open | port:9001 |
| before: | results pulled before a certain time | before:dd-mm-yyyy or dd/mm/yyyy |
| after: | results pulled after a certain time | after:dd-mm-yyyy or dd/mm/yyyy |


Shodan also supports Google-like booleans (-/+) and quotation restrictions:

os:Debian port:80 "please sign in" +apache -2.2.4

In addition to all this, Shodan also offers exploit search, Shodan maps and radar, a command line tool, and more.

Tool integration

Shodan offers an API which works nicely with many common tools. Maltego, Metasploit, Recon-NG, and others all offer Shodan integration. You can even write your own tools using things like the Python module for Shodan. This makes it easy to integrate Shodan searches into your operations.
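As an added example (not code from the original post or from Shodan), here is one way to keep searches tied to the IP ranges in your agreed scope: build one query per CIDR block from the filters in the table above, then drop any result that falls outside those blocks before it reaches a report. The helper names and the sample results are assumptions made for illustration; only the search() helper needs the shodan package and an API key.

```python
import ipaddress

# Filters from the table above; "net" is set from the scope list, not by the caller.
ALLOWED_FILTERS = {"city", "country", "geo", "hostname", "os", "port", "before", "after"}

def _quote(value):
    """Quote a value the way the examples above do when it contains spaces."""
    value = str(value)
    if '"' in value:
        raise ValueError("double quotes are not allowed in query values")
    return f'"{value}"' if " " in value else value

def build_queries(scope_cidrs, filters=None, terms=()):
    """Return one Shodan query string per in-scope CIDR block."""
    parts = []
    for name, value in (filters or {}).items():
        if name not in ALLOWED_FILTERS:
            raise ValueError(f"unsupported filter: {name}")
        parts.append(f"{name}:{_quote(value)}")
    parts += [_quote(t) for t in terms]
    queries = []
    for cidr in scope_cidrs:
        # strict=False accepts host bits (172.16.255.1/24) and normalises them.
        net = ipaddress.ip_network(cidr, strict=False)
        queries.append(" ".join([f"net:{net}"] + parts))
    return queries

def in_scope(matches, scope_cidrs):
    """Keep only results whose ip_str falls inside an agreed scope block."""
    nets = [ipaddress.ip_network(c, strict=False) for c in scope_cidrs]
    return [m for m in matches
            if any(ipaddress.ip_address(m["ip_str"]) in n for n in nets)]

def search(api_key, query):
    """Run one query with the official 'shodan' package (pip install shodan)."""
    import shodan  # imported lazily so the helpers above work without it
    return shodan.Shodan(api_key).search(query)["matches"]

# Constructed sample shaped like entries of the API's "matches" list.
SAMPLE_MATCHES = [
    {"ip_str": "172.16.255.10", "port": 80},
    {"ip_str": "10.0.0.5", "port": 80},
]

if __name__ == "__main__":
    scope = ["172.16.255.1/24"]
    for q in build_queries(scope, {"os": "Debian", "port": 80}, ["please sign in"]):
        print(q)
    print(in_scope(SAMPLE_MATCHES, scope))
```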

Also check out similar search engines like Censys.io and good old-fashioned Google Dorks.