Shodan: The Search Engine for Internet-Connected Devices & Exposed Services
NotionWhat is Shodan?
Shodan is a search engine for internet-connected devices. While Google indexes web pages, Shodan indexes everything connected to the internet — servers, webcams, routers, SCADA/ICS systems, IoT devices, databases, printers, traffic lights, and anything else with a public IP address.
Shodan works by continuously scanning the entire IPv4 address space, grabbing banners and metadata from every open port it finds. This data is then searchable through the web interface, CLI, or API.
In OSINT and penetration testing, Shodan is invaluable for attack surface mapping. You can find every internet-facing asset belonging to a target organization, discover exposed databases and admin panels, identify outdated software versions with known vulnerabilities, and detect misconfigured devices — all without sending a single packet to the target.
Legal Notice: Shodan queries publicly available data from its own scans. However, accessing or exploiting any systems you discover without authorization is illegal. Shodan is for reconnaissance and awareness only.
Getting Started
Create a Shodan Account
Sign up at shodan.io. Free accounts can search with limited results. Paid plans ($49/month for Small Business, $69 lifetime for Freelancer) unlock API access, bulk lookups, and advanced filters.
Install the CLI
pip install shodanInitialize with Your API Key
shodan init YOUR_API_KEYOutput:
Successfully initializedCheck Your API Info
shodan infoExpected Output:
Query credits available: 100
Scan credits available: 100
Plan: dev
HTTPS: True
Unlocked: TrueShodan InternetDB (Free, No API Key Required)
The InternetDB is Shodan's free API that provides basic information about any IP address — no authentication needed. This is the fastest way to check an IP.
Query an IP Address
curl -s https://internetdb.shodan.io/8.8.8.8 | python3 -m json.toolReal Output:
{
"cpes": [],
"hostnames": [
"dns.google"
],
"ip": "8.8.8.8",
"ports": [
53,
443
],
"tags": [],
"vulns": []
}Query Cloudflare DNS
curl -s https://internetdb.shodan.io/1.1.1.1 | python3 -m json.toolReal Output:
{
"cpes": [
"cpe:/a:cloudflare:cloudflare"
],
"hostnames": [
"one.one.one.one"
],
"ip": "1.1.1.1",
"ports": [
53,
80,
443,
2053,
2082,
2086,
2087,
2096,
8443
],
"tags": [],
"vulns": []
}Query a CDN-Hosted IP
curl -s https://internetdb.shodan.io/104.18.26.120 | python3 -m json.toolReal Output:
{
"cpes": [
"cpe:/a:cloudflare:cloudflare"
],
"hostnames": [
"docs.code-test.roche.com"
],
"ip": "104.18.26.120",
"ports": [
80,
443,
2052,
2053,
2082,
2083,
2086,
2087,
2096,
8080,
8443,
8880
],
"tags": [
"cdn"
],
"vulns": []
}Batch InternetDB Script
#!/bin/bash
# batch_shodan.sh - Query multiple IPs via InternetDB
for ip in "$@"; do
echo "=== $ip ==="
curl -s "https://internetdb.shodan.io/$ip" | python3 -m json.tool
echo ""
doneUsage: ./batch_shodan.sh 8.8.8.8 1.1.1.1 9.9.9.9
Shodan CLI
Search for Hosts
shodan search apacheExpected Output:
93.184.216.34 80 Apache/2.4.52 (Ubuntu)
104.21.34.56 443 Apache/2.4.54
185.199.108.153 80 Apache/2.4.41 (Ubuntu)
...Get Host Information
shodan host 8.8.8.8Expected Output:
8.8.8.8
Hostnames: dns.google
Country: United States
City: Mountain View
Organization: Google LLC
Updated: 2026-03-05T12:34:56.789012
Number of open ports: 2
Ports:
53/udp DNS
443/tcpCount Results
shodan count apacheOutput:
35482941Download Results in Bulk
shodan download results apache country:US --limit 1000
shodan parse results.json.gz --fields ip_str,port,orgScan a Target (Uses Scan Credits)
shodan scan submit 192.168.1.0/24Shodan Search Filters (Web & CLI)
Shodan's power comes from its search filters. These work in both the web interface and CLI.
Basic Filters
Powerful OSINT Search Queries
Find All Assets for an Organization
org:"Tesla Inc"Find Exposed RDP Servers
port:3389 country:USFind Exposed Databases
product:MongoDB port:27017
product:MySQL port:3306
product:PostgreSQL port:5432
product:Elasticsearch port:9200
product:Redis port:6379Find Exposed Webcams
http.title:"Live View / - AXIS"
http.title:"WV-" "Network Camera"
http.title:"webcamXP"
http.title:"IPCamera"Find Default Credential Pages
http.title:"Login" http.html:"default password"
http.title:"admin" http.html:"password"Find Exposed Admin Panels
http.title:"Dashboard" port:8080
http.title:"phpMyAdmin"
http.title:"Kibana" port:5601
http.title:"Grafana" port:3000
http.title:"Jenkins" port:8080Find Vulnerable Systems by CVE
vuln:CVE-2021-44228
vuln:CVE-2023-23397
vuln:CVE-2021-34473Find SCADA/Industrial Control Systems
port:502 "Schneider Electric"
port:47808 product:BACnet
port:44818 product:"Rockwell Automation"
http.title:"Siemens"Find SSL Certificates by Organization
ssl.cert.subject.cn:"tesla.com"
ssl:"Organization: Tesla Inc"Shodan Python API
Basic IP Lookup
import shodan
api = shodan.Shodan('YOUR_API_KEY')
try:
host = api.host('8.8.8.8')
print(f"IP: {host['ip_str']}")
print(f"Organization: {host.get('org', 'N/A')}")
print(f"OS: {host.get('os', 'N/A')}")
print(f"Ports: {host['ports']}")
for item in host['data']:
print(f" Port {item['port']}: {item.get('product', 'Unknown')}")
except shodan.APIError as e:
print(f"Error: {e}")Search and Export
import shodan
import json
api = shodan.Shodan('YOUR_API_KEY')
results = api.search('org:"Tesla Inc"')
print(f"Total results: {results['total']}")
for result in results['matches']:
print(f"{result['ip_str']}:{result['port']} - {result.get('product', 'N/A')}")
# Save to JSON
with open('tesla_results.json', 'w') as f:
json.dump(results['matches'], f, indent=2)Monitor Your Own Infrastructure
import shodan
api = shodan.Shodan('YOUR_API_KEY')
# Check if your IPs have exposed services
my_ips = ['YOUR.IP.HERE']
for ip in my_ips:
try:
host = api.host(ip)
if host['ports']:
print(f"WARNING: {ip} has {len(host['ports'])} open ports: {host['ports']}")
except shodan.APIError:
print(f"{ip}: No data")Real-World OSINT Workflow
Map a Company's Attack Surface
# Step 1: Find all IPs belonging to the org
shodan search org:"Target Corp" --fields ip_str,port,product --limit 500 > target_assets.txt
# Step 2: Check for vulnerabilities
shodan search org:"Target Corp" vuln:CVE --fields ip_str,port,vulns > target_vulns.txt
# Step 3: Look for exposed services
shodan search org:"Target Corp" port:3389,5900,27017,9200,6379 > target_exposed.txt
# Step 4: Check SSL certificate details
shodan search ssl.cert.subject.cn:"target.com" --fields ip_str,ssl.cert.subject.cn,ssl.cert.expiresQuick IP Assessment Script
#!/bin/bash
# quick_shodan.sh - Assess an IP using free InternetDB + optional API
IP=$1
echo "=== InternetDB (Free) ==="
curl -s "https://internetdb.shodan.io/$IP" | python3 -m json.tool
echo ""
echo "=== Shodan CLI (API key required) ==="
shodan host $IP 2>/dev/null || echo "API key not configured"Shodan Alternatives and Companions
Useful CLI Reference
Summary
Shodan provides a god's-eye view of the internet's attack surface. It's the fastest way to understand what's publicly exposed, from Fortune 500 companies to your own home network. The InternetDB API gives you free, instant IP lookups. The full API and CLI unlock powerful search filters for deep reconnaissance.
Key Takeaways:
- Use InternetDB (
internetdb.shodan.io/IP) for free, instant IP lookups — no API key needed - Use
org:"Company Name"to map an organization's entire internet-facing infrastructure - Use
vuln:CVE-XXXX-XXXXXto find systems vulnerable to specific exploits - Use
port:filters to find exposed databases (27017, 9200), RDP (3389), and admin panels - Use the Python API for automated monitoring of your own infrastructure
- Combine Shodan with Nmap for deeper enumeration of discovered hosts