🚀 CloudSEK has raised $19M Series B1 Round – Powering the Future of Predictive Cybersecurity
Malware Intelligence
mins read

Quickstart Shodan: What is it and how does it work

Quickstart Shodan: What is it and how does it work

July 15, 2020
Green Alert
Last Update posted on
August 21, 2025
Beyond Monitoring: Predictive Digital Risk Protection with CloudSEK

Protect your organization from external threats like data leaks, brand threats, dark web originated threats and more. Schedule a demo today!

Schedule a Demo
Table of Contents
Author(s)
No items found.

 

Rated the best search engine for hackers, Shodan was referred to as the scariest search engine on the internet, back in 2013. While Shodan is similar to Google, in that they are both search engines that use crawlers, it crawls the entire internet to map and index internet-connected IoT devices. To put this into perspective, Google’s crawlers only index a part of the internet that is publicly accessible, the World Wide Web. And although Shodan is infamous for being instrumental in blackhat hacking, in the right hands, this search engine is effective in the process of vulnerability assessment and pen-testing IoT devices. 

In this article we delve into Shodan and its working, and discuss the features that make this search engine useful for pen-testers and bug bounty hunters.

 

What is Shodan?

As mentioned earlier, Shodan (Sentient Hyper-Optimized Data Access Network) is a search engine for devices connected to the internet. Designed and developed by Web Developer John Matherly, this search engine crawls the entire internet, parses the service banners of IoT devices, and indexes them for future searches. It maps and reports any device, such as webcams, smart devices, medical devices, traffic lights, C2 systems of devices, etc., that is connected to the internet and is not secure. 

The service banners of IoT devices contain metadata relevant to the devices, such as:

  • Geo-location
  • Make and model
  • IP address
  • Default username and password
  • Software version

Shodan service banners

 

How does Shodan work?

Upon scanning the entire internet, the search engine sends queries to connected IoT devices for publicly available information related to them. The servers of such devices return their service banners to the user. Shodan also supports customized queries using filters like city, country, hostname, OS, etc. to find out the corresponding details.

 

The Basics

Similar to other search engines, Shodan also utilizes a search box, to which users can enter search terms that adhere to its search query syntax. Moreover, search results can be narrowed down to be as accurate as possible, by making use of quotation marks and other such operators. 

For instance, boolean operators + or — can be used to include or exclude terms in the query.

Shodan basic search

 

Shodan Filters

This search engine only searches for the data property on the IoT devices’ banners. Hence, it employs search filters for refined results. Here are some basic search filters you can use:

  • city: find devices in a particular city
  • country: find devices in a particular country
  • geo: you can pass it coordinates
  • hostname: find values that match the hostname
  • net: search based on an IP or /x CIDR
  • os: search based on operating system
  • port: find particular ports that are open
  • before/after: find results within a timeframe

 

Search examples:

org:”Amazon” ssl:”target”

ssl:”target”

html:”Dashboard Jenkins”

http.component:”jenkins”

http.title:”302 Found”

http.component:”java”

ssl.cert.subject.cn:”target”

hostname:”target”

http.favicon.hash:-335242539

html:”© 2020 target”

product:elastic port:9200

Examples of Shodan filter

 

Continuous Monitoring

This IoT search engine can be used to monitor your networks or products continuously, to help you stay informed of any threats to them. For this, you can make use of the Shodan Command-line Interface (CLI).

  • Use the following command to set up an alert for notifications related to your IP range:

shodan alert create “Bug-Bounty-Target” 198.172.0.0/24

 

  • The following command allows you to create a trigger to send the alert:

shodan alert triggers

 

  • When Shodan detects a malware or a new CVE against your product, get a notification using this:

shodan alert enable {ALERTID} malware

 

Automation

Every new trick boils down to automation these days. Fortunately, with this search engine you can automate various tasks that are within its range of activities. There are the three main ways to automate this search engine:

  • Shodan-API
  • Shodan Python Module
  • Shodan CLI

Check out this handy tool that makes the entire process easier and hassle-free: m4ll0k/Shodanfy.py

 

Conclusion

Although it seems quite perverse, security professionals, researchers, and even government agencies trust Shodan to alert them on unmanaged IoT devices that may present vulnerabilities. Such devices could potentially expose critical data belonging to an enterprise, organization or individual, to attacks. This search engine helps prevent this. By following the methods prescribed above, you can also explore Shodan and monitor and protect your network or product from exploitation. 

Author

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Adversary Intelligence

Major Payment Disruption: Ransomware Strikes Indian Banking Infrastructure

CloudSEK's threat research team has uncovered a ransomware attack disrupting India's banking system, targeting banks and payment providers. Initiated through a misconfigured Jenkins server at Brontoo Technology Solutions, the attack is linked to the RansomEXX group.

Blog Image
Ransomware
November 4, 2023

Underground Marketplace Unveils New Ransomware Offering QBit with Advanced Encryption & Customization

On 23 October 2023, CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations.

Blog Image
Malware
July 28, 2023

Amadey Equipped with AV Disabler drops Redline Stealer

Our researchers have found out The Amadey botnet is now using a new Healer AV disabler to disable Microsoft Defender and infect target systems with Redline stealer.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Malware Intelligence

Quickstart Shodan: What is it and how does it work

Quickstart Shodan: What is it and how does it work
July 15, 2020
min
Table of Content
Example H2

 

Rated the best search engine for hackers, Shodan was referred to as the scariest search engine on the internet, back in 2013. While Shodan is similar to Google, in that they are both search engines that use crawlers, it crawls the entire internet to map and index internet-connected IoT devices. To put this into perspective, Google’s crawlers only index a part of the internet that is publicly accessible, the World Wide Web. And although Shodan is infamous for being instrumental in blackhat hacking, in the right hands, this search engine is effective in the process of vulnerability assessment and pen-testing IoT devices. 

In this article we delve into Shodan and its working, and discuss the features that make this search engine useful for pen-testers and bug bounty hunters.

 

What is Shodan?

As mentioned earlier, Shodan (Sentient Hyper-Optimized Data Access Network) is a search engine for devices connected to the internet. Designed and developed by Web Developer John Matherly, this search engine crawls the entire internet, parses the service banners of IoT devices, and indexes them for future searches. It maps and reports any device, such as webcams, smart devices, medical devices, traffic lights, C2 systems of devices, etc., that is connected to the internet and is not secure. 

The service banners of IoT devices contain metadata relevant to the devices, such as:

  • Geo-location
  • Make and model
  • IP address
  • Default username and password
  • Software version

Shodan service banners

 

How does Shodan work?

Upon scanning the entire internet, the search engine sends queries to connected IoT devices for publicly available information related to them. The servers of such devices return their service banners to the user. Shodan also supports customized queries using filters like city, country, hostname, OS, etc. to find out the corresponding details.

 

The Basics

Similar to other search engines, Shodan also utilizes a search box, to which users can enter search terms that adhere to its search query syntax. Moreover, search results can be narrowed down to be as accurate as possible, by making use of quotation marks and other such operators. 

For instance, boolean operators + or — can be used to include or exclude terms in the query.

Shodan basic search

 

Shodan Filters

This search engine only searches for the data property on the IoT devices’ banners. Hence, it employs search filters for refined results. Here are some basic search filters you can use:

  • city: find devices in a particular city
  • country: find devices in a particular country
  • geo: you can pass it coordinates
  • hostname: find values that match the hostname
  • net: search based on an IP or /x CIDR
  • os: search based on operating system
  • port: find particular ports that are open
  • before/after: find results within a timeframe

 

Search examples:

org:”Amazon” ssl:”target”

ssl:”target”

html:”Dashboard Jenkins”

http.component:”jenkins”

http.title:”302 Found”

http.component:”java”

ssl.cert.subject.cn:”target”

hostname:”target”

http.favicon.hash:-335242539

html:”© 2020 target”

product:elastic port:9200

Examples of Shodan filter

 

Continuous Monitoring

This IoT search engine can be used to monitor your networks or products continuously, to help you stay informed of any threats to them. For this, you can make use of the Shodan Command-line Interface (CLI).

  • Use the following command to set up an alert for notifications related to your IP range:

shodan alert create “Bug-Bounty-Target” 198.172.0.0/24

 

  • The following command allows you to create a trigger to send the alert:

shodan alert triggers

 

  • When Shodan detects a malware or a new CVE against your product, get a notification using this:

shodan alert enable {ALERTID} malware

 

Automation

Every new trick boils down to automation these days. Fortunately, with this search engine you can automate various tasks that are within its range of activities. There are the three main ways to automate this search engine:

  • Shodan-API
  • Shodan Python Module
  • Shodan CLI

Check out this handy tool that makes the entire process easier and hassle-free: m4ll0k/Shodanfy.py

 

Conclusion

Although it seems quite perverse, security professionals, researchers, and even government agencies trust Shodan to alert them on unmanaged IoT devices that may present vulnerabilities. Such devices could potentially expose critical data belonging to an enterprise, organization or individual, to attacks. This search engine helps prevent this. By following the methods prescribed above, you can also explore Shodan and monitor and protect your network or product from exploitation. 

Related Blogs

Malware Intelligence
October 12, 2021
min
The Shang-Chi Malware Campaign: Is your pirated copy of the summer blockbuster laced with a RAT?
Read more
Malware Intelligence
January 7, 2022
min
Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 1)
Read more
Malware Intelligence
February 17, 2022
min
Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 2)
Read more