Shodan is an essential tool for penetration testers, helping uncover exposed devices, vulnerable services, and misconfigurations. This guide covers the key techniques and queries needed to use Shodan effectively in your pentesting process.
Shodan is often called the “search engine for hackers”. Unlike Google, which indexes websites, Shodan indexes internet-connected devices: webcams, routers, industrial control systems, databases, and even unsecured security cameras. This makes it invaluable for penetration testers and other security professionals.
In this guide we will explore how to use Shodan for pentesting: practical search queries, the Shodan CLI, the additional features that come with a paid Shodan account, how to integrate Shodan with bug bounty tools such as Karma v2 and Shosubgo, and features such as the favicon map, the Shodan Internet Exposure Observatory, and Shodan 2000.
Why Shodan Matters for Pentesters
Penetration testing starts with gathering information about exposed services and misconfigured devices. Shodan helps identify publicly reachable systems, the services they run, and the versions and CVEs associated with them, making it an essential reconnaissance tool.
Unlike an active scanner such as Nmap, Shodan continuously scans the internet itself and maintains a searchable database of the banners it collected. This saves time and lets you map a target's attack surface without sending a single packet to it, which matters before authorisation is in place. Keep in mind that every result is a snapshot with a timestamp: verify anything you plan to report with your own in-scope scan, since the service may have changed since Shodan last looked.
Getting Started with Shodan
To use Shodan effectively you need an account. The free account is limited; upgrading (for example to Academic Plus, which is the level used for some of the features shown here) unlocks additional filters and credits, and the higher paid tiers add more still, so choose according to your needs.
If you have an academic (college or university) email address, sign up and log in with it to get the Academic Plus features.
Some Key features of Shodan
- Search Filters — Pinpoint specific devices, services, or vulnerabilities using various filters.
- Banner Information — Collects details like software version, OS, open ports, and metadata.
- Exploit Finder — Shodan Exploits indexes public exploits (Exploit-DB, Metasploit, CVE data) that you can search by product or CVE, and the vuln: filter flags hosts whose banner versions match known CVEs.
- Network Mapping — Maps internet-facing assets for organizations.
- IoT Device Discovery — Detects exposed and misconfigured IoT devices.
Getting Started With Shodan.io
To get started with Shodan.io, sign up for an account and explore its powerful search engine for connected devices. The dashboard allows you to easily search for devices, services, and vulnerabilities worldwide using specific filters.
You can visualize device locations on Maps, view device images, and set up Monitoring for ongoing alerts. Developers can integrate Shodan’s functionality into custom applications via the API.
Below we walk through the dashboard, tab by tab.
1. Shodan:
The main tab is where you start your searches, reach your account, and see general information about Shodan. It is the home page of the platform.
The image below shows how Shodan works.
2. Maps:
Displays a visual representation of the devices Shodan has indexed around the world, so you can see the geographical distribution of the results for a query.
3. Images:
Shows screenshots Shodan captured from devices (webcams, RDP and VNC desktops, web interfaces) during its scans. These are publicly reachable services, and the screenshot is exactly what an anonymous visitor gets.
4. Monitor:
Lets you set up continuous monitoring and alerts for your own domains or IP ranges, so you are notified when a new port opens, a new vulnerability is attached to a host, or a certificate expires.
5. Developer:
Access to Shodan's API documentation and client libraries, and to your API key, so you can drive Shodan from scripts and the CLI.
6. More:
Links to the additional products, services, tools and documentation that do not fit in the primary menu.
7. Explore:
A catalogue of popular and interesting saved searches: trending device types, vulnerabilities, and notable network patterns. A good place to pick up query ideas.
8. Downloads:
The result sets and reports you have exported, ready to download.
9. Pricing:
Shodan's plans, from the free account to the paid tiers with more filters, credits and data access.
10. Search Bar:
At the top of the dashboard; runs searches for devices, services, vulnerabilities, or keywords across Shodan's indexed banners.
11. Account:
The Account Overview shows your Account Level (for example Academic Plus), Display Name, and Email. You can also view and reset your API key and open the Developer Dashboard for API usage details. Change Password and Redeem Gift Code are under Settings. Treat the API key like a password: anyone holding it spends your credits and can see your saved alerts.
Shodan Search Queries for Pentesting
Shodan supports filtered search queries that narrow results down to exactly the hosts you care about. A filter has the form filter:value with no space after the colon (city:"New York", not city: "New York"); values containing spaces must be double-quoted, several values for one filter can be comma-separated (port:22,3389), and a leading minus sign negates a filter (-http.title:"Login"). Anything outside a filter is matched as free text against the banner.
- The filter names below are taken from Shodan's own filter reference, but the explanations and examples were generated using AI, so if one does not work as written, check it against the reference and refine it.
General Filters
all: Matches the term across all indexed banner fields rather than a single one.
Example: all:"admin"
asn: The Autonomous System Number (ASN) announcing the IP address, written with the AS prefix.
Example: asn:AS15169
city: The city the IP address is geolocated to.
Example: city:"New York"
country: The two-letter ISO country code of the IP address.
Example: country:US
cpe: The Common Platform Enumeration (CPE) identifier Shodan assigned to the software or device.
Example: cpe:"cpe:/a:apache:http_server"
device: The type of device Shodan detected.
Example: device:router
geo: A latitude,longitude pair with an optional radius in kilometres.
Example: geo:"40.7128,-74.0060,10"
has_ipv6: Only hosts that Shodan has also seen over IPv6.
Example: has_ipv6:true
has_screenshot: Only results that include a screenshot.
Example: has_screenshot:true
has_ssl: Only services that presented an SSL/TLS certificate.
Example: has_ssl:true
has_vuln: Only hosts that Shodan has tagged with at least one CVE.
Example: has_vuln:true
hash: The numeric hash of the banner text. hash:0 matches empty banners, which is useful for finding ports that answered but returned nothing.
Example: hash:0
hostname: Matches the hostnames Shodan resolved for the IP (reverse DNS). It will not find every asset of a domain, so combine it with ssl.cert.subject.cn and org.
Example: hostname:"example.com"
ip: A single IP address. Private (RFC 1918) addresses never appear in Shodan; the example uses a documentation address.
Example: ip:203.0.113.10
isp: The Internet Service Provider the address is assigned to.
Example: isp:"Comcast"
link: The network link type inferred from the TCP/IP stack fingerprint (for example "Ethernet or modem", "generic tunnel or VPN").
Example: link:"Ethernet or modem"
net: A network range in CIDR notation.
Example: net:203.0.113.0/24
org: The organisation that owns the IP space.
Example: org:"Google"
os: The operating system detected.
Example: os:"Linux"
port: The port the service was found on.
Example: port:80
postal: The postal code of the geolocation.
Example: postal:"10001"
product: The product name Shodan identified from the banner.
Example: product:"Apache httpd"
region: The region (state or province) of the geolocation.
Example: region:"California"
scan: The ID of an on-demand scan you launched through the API or the CLI (shodan scan submit); returns only that scan's results.
Example: scan:<id returned by shodan scan submit>
shodan.module: The Shodan crawler module that produced the banner.
Example: shodan.module:http
state: The state or province (alias of region).
Example: state:"California"
version: The software version parsed from the banner.
Example: version:1.14.0
Screenshots
screenshot.hash: Hash of the screenshot image; copy it from an existing result to find other hosts showing the identical screen (the same default login page, for instance).
Example: screenshot.hash:<hash taken from a result>
screenshot.label: The label Shodan's classifier assigned to the screenshot, such as ics or login.
Example: screenshot.label:ics
Cloud
cloud.provider: The cloud provider Shodan attributes the IP to, using the provider name as Shodan records it.
Example: cloud.provider:"Amazon"
cloud.region: The provider's region identifier.
Example: cloud.region:"us-east-1"
cloud.service: The specific service, where Shodan can tell.
Example: cloud.service:"EC2"
HTTP
http.component: A web technology detected in the response, such as a CMS or JavaScript library (the web server itself is matched with product).
Example: http.component:"WordPress"
http.component_category: The category of a detected component.
Example: http.component_category:"CMS"
http.favicon.hash: MurmurHash3 of the base64-encoded favicon, stored as a signed 32-bit integer. Every host serving the same icon shares the value, which makes it one of the best pivots for finding an organisation's other web assets.
Example: http.favicon.hash:81586312 (the widely published hash of the Jenkins favicon)
http.headers_hash: Numeric hash of the raw response headers; copy it from a result to find servers with identical header sets.
Example: http.headers_hash:<value from a result>
http.html: Text that must appear in the response body.
Example: http.html:"login"
http.html_hash: Numeric hash of the response body, for finding byte-identical pages.
Example: http.html_hash:<value from a result>
http.robots_hash: Numeric hash of the robots.txt file.
Example: http.robots_hash:<value from a result>
http.securitytxt: Matches the contents of the site's security.txt file.
Example: http.securitytxt:"Contact:"
http.status: The HTTP status code of the response.
Example: http.status:200
http.title: Text in the HTML title.
Example: http.title:"Welcome to Example"
http.waf: The name of the web application firewall Shodan detected in front of the site (not a true/false flag).
Example: http.waf:"Cloudflare"
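The favicon hash above is one of the most useful pivots Shodan offers, but the filter is only usable if you can compute the same hash Shodan does for a favicon you downloaded during recon. The following Python is an added example, not code from the original post or from Shodan: it reimplements MurmurHash3 (x86, 32-bit) in pure Python and applies Shodan's convention of hashing the base64-encoded icon (with the line breaks base64.encodebytes inserts) to a signed 32-bit value. The sample_icon bytes and the org name in the usage line are constructed placeholders.

```python
"""Compute Shodan's http.favicon.hash value offline.

Shodan hashes the base64-encoded favicon (as produced by base64.encodebytes,
i.e. 76-character lines with a trailing newline) with MurmurHash3 x86_32,
seed 0, and stores the result as a signed 32-bit integer. MurmurHash3 is
implemented here in pure Python so only the standard library is needed.
"""
import base64
import struct

_C1 = 0xCC9E2D51
_C2 = 0x1B873593
_MASK = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    """Rotate a 32-bit value left by r bits."""
    return ((x << r) | (x >> (32 - r))) & _MASK


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 of data; returns the unsigned 32-bit digest."""
    h1 = seed & _MASK
    nblocks = len(data) // 4
    # Body: every complete 4-byte block, read little-endian.
    for offset in range(0, nblocks * 4, 4):
        k1 = struct.unpack_from("<I", data, offset)[0]
        k1 = (k1 * _C1) & _MASK
        k1 = _rotl32(k1, 15)
        k1 = (k1 * _C2) & _MASK
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & _MASK
    # Tail: the 1-3 bytes left over after the last full block.
    tail = data[nblocks * 4:]
    if tail:
        k1 = 0
        for i, byte in enumerate(tail):
            k1 ^= byte << (8 * i)
        k1 = (k1 * _C1) & _MASK
        k1 = _rotl32(k1, 15)
        k1 = (k1 * _C2) & _MASK
        h1 ^= k1
    # Finalisation: mix in the length and avalanche the bits.
    h1 ^= len(data)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & _MASK
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & _MASK
    h1 ^= h1 >> 16
    return h1


def to_signed32(value: int) -> int:
    """Reinterpret an unsigned 32-bit integer as signed, as Shodan stores it."""
    return value - (1 << 32) if value & 0x80000000 else value


def shodan_favicon_hash(favicon: bytes) -> int:
    """Hash raw favicon bytes exactly as Shodan does for http.favicon.hash."""
    encoded = base64.encodebytes(favicon)
    return to_signed32(murmur3_32(encoded, 0))


def favicon_query(favicon: bytes, scope: str = "") -> str:
    """Build the pivot query; pass org:/net: in scope to stay inside an engagement."""
    query = f"http.favicon.hash:{shodan_favicon_hash(favicon)}"
    return f"{query} {scope}".strip()


if __name__ == "__main__":
    # Constructed stand-in for a favicon.ico fetched during recon (not a real icon).
    sample_icon = bytes([0, 0, 1, 0, 1, 0, 16, 16, 0, 0, 1, 0, 32, 0]) + bytes(range(64))
    print(favicon_query(sample_icon, 'org:"Example Corp"'))  # constructed org name
```

Fetch the icon with any HTTP client, pass the raw bytes to favicon_query, and paste the output into Shodan. Always add an org: or net: term during an engagement: the same favicon is often served by unrelated deployments of the same product, and those hosts are out of scope.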
Bitcoin
These fields come from the peer addresses a Bitcoin node hands out when Shodan speaks the P2P protocol to it.
bitcoin.ip: An IP address that the node listed as a peer.
Example: bitcoin.ip:203.0.113.10
bitcoin.ip_count: Number of peers the node listed.
Example: bitcoin.ip_count:5
bitcoin.port: Port of a listed peer.
Example: bitcoin.port:8333
bitcoin.version: Protocol version number from the node's version message.
Example: bitcoin.version:70015
Restricted (available with the paid API plans)
tag: Tags Shodan attaches to a host based on its services, such as ics, database, vpn, honeypot or self-signed.
Example: tag:ics
vuln: Hosts Shodan has associated with a CVE. The association is made by matching the banner's product and version against vulnerability data, so a hit means "the reported version is affected", not "confirmed exploitable".
Example: vuln:CVE-2021-34527
SNMP
Shodan reads these values over SNMP with the default public community string, so any hit is a device answering unauthenticated SNMP reads from the internet.
snmp.contact: The sysContact value returned by the device.
Example: snmp.contact:"admin@example.com"
snmp.location: The sysLocation value.
Example: snmp.location:"datacenter1"
snmp.name: The sysName value.
Example: snmp.name:"router1"
SSL
ssl: Free-text search across all the SSL/TLS data in a banner, certificate fields included; for a simple yes/no use has_ssl:true.
Example: ssl:"example.com"
ssl.alpn: Protocols the server offered via ALPN (Application-Layer Protocol Negotiation).
Example: ssl.alpn:"h2"
ssl.cert.alg: The certificate's signature algorithm.
Example: ssl.cert.alg:"sha256WithRSAEncryption"
ssl.cert.expired: Whether the certificate had expired when Shodan collected it.
Example: ssl.cert.expired:true
ssl.cert.extension: An X.509 extension present in the certificate.
Example: ssl.cert.extension:"subjectAltName"
ssl.cert.fingerprint: The certificate fingerprint in hex; pivot on it to find every host presenting the same certificate.
Example: ssl.cert.fingerprint:<hex fingerprint from a result>
ssl.cert.issuer.cn: The issuer's common name. This is the intermediate CA's CN, so Let's Encrypt certificates show names such as R3, not "Let's Encrypt".
Example: ssl.cert.issuer.cn:"R3"
ssl.cert.pubkey.bits: Public key length in bits; combine with the type to find weak keys.
Example: ssl.cert.pubkey.bits:1024
ssl.cert.pubkey.type: Public key algorithm.
Example: ssl.cert.pubkey.type:"RSA"
ssl.cert.serial: The certificate serial number.
Example: ssl.cert.serial:<serial from a result>
ssl.cert.subject.cn: The subject's common name.
Example: ssl.cert.subject.cn:"example.com"
ssl.chain_count: Number of certificates in the chain the server sent. A count of 1 on a publicly trusted certificate usually means the intermediates are missing, a common misconfiguration.
Example: ssl.chain_count:1
ssl.cipher.bits: Key length of the negotiated cipher.
Example: ssl.cipher.bits:256
ssl.cipher.name: Name of the negotiated cipher suite.
Example: ssl.cipher.name:"ECDHE-RSA-AES256-GCM-SHA384"
ssl.cipher.version: Protocol version under which the cipher was negotiated.
Example: ssl.cipher.version:"TLSv1.2"
ssl.ja3s: JA3S fingerprint of the server hello, for clustering TLS server implementations.
Example: ssl.ja3s:<32-character hex hash>
ssl.jarm: JARM fingerprint of the server's TLS stack; widely used to hunt for C2 servers that share a framework.
Example: ssl.jarm:<62-character hex fingerprint>
ssl.version: SSL/TLS versions the server accepted during Shodan's scan. Searching for legacy versions is a quick way to find hosts still offering TLS 1.0 or SSLv3.
Example: ssl.version:tlsv1
NTP
These fields come from the NTP monlist (mode 7) response, which lists the server's recent clients. A server that still answers monlist is itself a finding: it is a reflector for NTP amplification DDoS and it leaks who talks to it.
ntp.ip: An IP address that appeared in the server's monlist.
Example: ntp.ip:203.0.113.10
ntp.ip_count: Number of entries in the monlist.
Example: ntp.ip_count:5
ntp.more: Whether the monlist was truncated and more entries exist.
Example: ntp.more:true
ntp.port: Port of a monlist entry.
Example: ntp.port:123
Telnet
Shodan records the option negotiation at the start of a Telnet session; the option names below are matched against those lists.
telnet.do: Options the server asked the client to enable (DO).
Example: telnet.do:"echo"
telnet.dont: Options the server asked the client to disable (DONT).
Example: telnet.dont:"echo"
telnet.option: Any Telnet option that appeared in the negotiation, regardless of direction.
Example: telnet.option:"binary"
telnet.will: Options the server announced it will perform (WILL).
Example: telnet.will:"echo"
telnet.wont: Options the server refused to perform (WONT).
Example: telnet.wont:"echo"
SSH
ssh.hassh: The HASSH fingerprint of the server's key-exchange offer (an MD5 hex string), useful for clustering SSH implementations regardless of what the banner claims.
Example: ssh.hassh:<32-character hex fingerprint>
ssh.type: The host key type.
Example: ssh.type:"ssh-rsa"
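Most failed Shodan queries fail on syntax rather than on the filter: a stray space after the colon, an unquoted value with a space in it, or a misplaced negation. As an added example (not part of the original post or of Shodan's own tooling), the Python below assembles queries from a dictionary so that quoting, comma lists and negation come out right, and normalises a hand-typed query that has spaces after its colons. The filter names and values passed to it are ordinary Shodan filters; nothing else is assumed.

```python
"""Build Shodan search queries that respect Shodan's syntax rules.

Rules encoded here:
  * filter:value with no whitespace after the colon
  * values containing whitespace or colons are double-quoted
  * several values for one filter are comma-separated (port:22,3389)
  * a leading '-' negates a filter (-http.title:"Login")
  * anything outside a filter is matched as free text against the banner
"""
import re
from typing import Iterable, Mapping, Optional, Union

Scalar = Union[str, int, bool]
Value = Union[Scalar, Iterable[Scalar]]


def _fmt(value: Scalar) -> str:
    """Render one value, quoting it when Shodan's parser would otherwise split it."""
    if isinstance(value, bool):  # bool before int: True is an int in Python
        return "true" if value else "false"
    text = str(value)
    if '"' in text:
        raise ValueError("double quotes inside filter values are not supported")
    if text == "" or ":" in text or any(ch.isspace() for ch in text):
        return f'"{text}"'
    return text


def _term(name: str, value: Value, negate: bool = False) -> str:
    """Render a single filter:value term (or filter:v1,v2 for a list of values)."""
    if isinstance(value, (str, int, bool)):
        rendered = _fmt(value)
    else:
        rendered = ",".join(_fmt(v) for v in value)
    return f"{'-' if negate else ''}{name}:{rendered}"


def build_query(filters: Mapping[str, Value],
                exclude: Optional[Mapping[str, Value]] = None,
                keywords: Iterable[str] = ()) -> str:
    """Assemble free-text keywords, positive filters and negated filters."""
    parts = [_fmt(keyword) for keyword in keywords]
    parts += [_term(name, value) for name, value in filters.items()]
    parts += [_term(name, value, negate=True) for name, value in (exclude or {}).items()]
    return " ".join(parts)


# A filter name (optionally negated) followed by a colon and then whitespace.
_SPACE_AFTER_COLON = re.compile(r"(^|\s)(-?[A-Za-z_][\w.]*):\s+")


def normalize_query(query: str) -> str:
    """Repair hand-typed queries of the form `filter: value` (space after the colon).

    Shodan expects the value to follow the colon directly; with whitespace in
    between the filter is not applied the way the author intended.
    """
    return _SPACE_AFTER_COLON.sub(r"\1\2:", query).strip()


if __name__ == "__main__":
    print(build_query({"org": "Google LLC", "port": [80, 443], "country": "US"},
                      exclude={"http.title": "Login"}))
    print(normalize_query('city: "New York" port: 80'))
```

The first call prints org:"Google LLC" port:80,443 country:US -http.title:Login, which is the form Shodan accepts; the second turns the spaced-out query into city:"New York" port:80. Quoted free-text phrases such as "Citrix Applications:" are left untouched by the normaliser because the colon inside the quotes is not followed by whitespace.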
Finding Open Devices
Attackers scan the internet for open ports to find services worth attacking. With Shodan you can find the same exposed devices without sending a packet yourself by searching for specific ports and services. Below are some useful queries (remember: no space after the colon):
port:22 → Lists hosts with SSH open.
port:3389 → Finds RDP servers, a frequent target for brute-force and credential-stuffing attacks.
port:23 country:US → Telnet services in the United States.
port:445 os:Windows → SMB services on Windows machines.
product:"Apache httpd" → Apache HTTP servers (this is the product name as Shodan records it).
Searching for Vulnerable Services
Attackers look for outdated software and misconfigured services. With Shodan, security researchers can search for the same weak spots by product version, CVE, and other indicators. Below are some useful queries for identifying potential risks:
product:nginx version:1.14.0 → nginx servers reporting a specific version.
vuln:CVE-2023-1234 → Hosts whose banner version matches a specific CVE. This filter requires a paid plan, and a match is a version-based inference, not a confirmed vulnerability.
has_ssl:true → Services that presented an SSL/TLS certificate.
http.title:"Login" → Pages whose HTML title contains "Login".
has_screenshot:true → Results that include a screenshot.
Exposed Databases & Cloud Services
Exposed databases and cloud storage are among the most serious findings, since they can hand an attacker sensitive data without any exploit. With Shodan, security professionals can identify misconfigured instances that are publicly reachable. Below are some key queries for detecting them:
MongoDB port:27017 → Open MongoDB instances; when no authentication is required, the banner Shodan collected often already lists the database names.
MySQL port:3306 → MySQL servers listening on the internet.
s3 bucket → A free-text match on banners that mention S3 (for example redirects to S3-hosted content). Shodan does not enumerate bucket names, so use a dedicated bucket-enumeration tool for that.
Redis port:6379 → Open Redis servers; Redis has no password unless one is configured, so these are often fully readable and writable.
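Queries like these return far more hosts than fit in a report, and the real work starts when you export the results. The Python below is an added example (not from the original post or from Shodan) that triages exported banners offline, using only documented banner fields (ip_str, port, http, ssl, vulns). The three banners in SAMPLE_JSONL are constructed, with RFC 5737 documentation addresses and a CVE entry written in by hand to stand in for what Shodan attaches from a version string; shodan download produces this one-banner-per-line JSON format after decompression.

```python
"""Triage exported Shodan banners offline into report-ready findings.

Input is the one-JSON-object-per-line format written by `shodan download`
(after decompression) or a list of banner dicts from the API. Only documented
banner fields are used: ip_str, port, product, version, http, ssl, vulns.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Services that should not be reachable from the internet at all.
EXPOSED_SERVICES = {
    23: "Telnet", 445: "SMB", 3306: "MySQL", 3389: "RDP",
    5432: "PostgreSQL", 6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB",
}
_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    severity: str
    title: str


def triage_banner(banner: Dict) -> List[Finding]:
    """Derive findings from one banner. Everything here is an inference from
    Shodan's snapshot and must be confirmed against the live host in scope."""
    ip = banner.get("ip_str", "?")
    port = int(banner.get("port", 0))
    findings: List[Finding] = []
    if port in EXPOSED_SERVICES:
        findings.append(Finding(ip, port, "high",
                                f"{EXPOSED_SERVICES[port]} reachable from the internet"))
    # Shodan attaches CVEs by matching the banner's version string, not by exploiting.
    vulns = banner.get("vulns") or {}
    for cve in sorted(vulns):
        findings.append(Finding(ip, port, "medium", f"version matches {cve} (unverified)"))
    cert = (banner.get("ssl") or {}).get("cert") or {}
    if cert.get("expired"):
        findings.append(Finding(ip, port, "low", "expired TLS certificate"))
    title = ((banner.get("http") or {}).get("title") or "").strip()
    if "login" in title.lower():
        findings.append(Finding(ip, port, "info", f"login page exposed: {title}"))
    return findings


def triage(banners: Iterable[Dict]) -> List[Finding]:
    """Triage many banners and order the findings by severity, then host."""
    findings = [f for banner in banners for f in triage_banner(banner)]
    return sorted(findings, key=lambda f: (_ORDER[f.severity], f.ip, f.port))


def load_banners(jsonl: str) -> List[Dict]:
    """Parse `shodan download` output: one JSON banner per line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


# Constructed sample in Shodan's banner schema: RFC 5737 documentation addresses,
# and the CVE entry is written in by hand to mimic what Shodan attaches.
SAMPLE_JSONL = "\n".join(json.dumps(b) for b in [
    {"ip_str": "203.0.113.10", "port": 27017, "transport": "tcp", "product": "MongoDB"},
    {"ip_str": "203.0.113.11", "port": 443, "transport": "tcp", "product": "nginx",
     "version": "1.14.0", "http": {"title": "Admin Login", "status": 200},
     "ssl": {"cert": {"expired": True}}, "vulns": {"CVE-2019-9511": {}}},
    {"ip_str": "203.0.113.12", "port": 22, "transport": "tcp", "product": "OpenSSH"},
])

if __name__ == "__main__":
    for finding in triage(load_banners(SAMPLE_JSONL)):
        print(f"[{finding.severity:6}] {finding.ip}:{finding.port} {finding.title}")
```

Run against real exports, the script turns a few thousand banners into a short, ordered list. The severity labels are deliberately conservative: an open database port is high because reachability alone is the finding, while a CVE match stays medium until you have confirmed the version on the live host, since distributions back-port fixes without changing the banner.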
Advanced Filters
Shodan's advanced filters narrow results by time, location, organisation, and network details, which is how you keep a result set inside an engagement's scope. Below are some key advanced filters:
product:"Apache httpd" → Results whose banner identifies a particular product.
before:01/01/2023 → Only banners collected before 1 January 2023 (Shodan expects dd/mm/yyyy).
after:01/06/2023 → Only banners collected after 1 June 2023.
country:IN → Devices geolocated to India.
org:"Google LLC" → Results in address space belonging to a specific organisation.
city:"New York" → Devices geolocated to a specific city.
asn:AS15169 → Results announced by a specific Autonomous System.
isp:Bell → Results in address space assigned by a specific ISP (Internet Service Provider).
product:"Apache httpd" os:"Linux" port:80 country:US → Apache servers on Linux hosts with port 80 open, located in the US. Combining filters like this is how you cut a result set down; add org: or net: to stay inside the systems you are authorised to test.
product:nginx version:1.14.0 → nginx servers reporting version 1.14.0, a version with known CVEs. Confirm with an active check before reporting: a banner version can be spoofed, and Linux distributions back-port security fixes without changing the version string.
Some Searches By Category
1. port:5006,5007 product:mitsubishi [Industrial Control Systems]
2. product:MongoDB [Databases]
3. "Citrix Applications:" port:1604 [Network Infrastructure]
4. product:"Counter-Strike Global Offensive" [Video Games]
[Bonus: More advanced and interesting things will be present in Part 2]
Devices And Services that can be found using Shodan
Shodan is an essential tool for penetration testers, offering the ability to gather in-depth information about internet-facing assets. It can reveal open ports, operating systems, and services on connected devices, helping uncover potential security weaknesses.
Here are some common devices and services that can be found using Shodan:
- VoIP Phones: These devices, when inadequately secured, could allow attackers to eavesdrop on communications or even gain unauthorized network access.
- RDP Services: Shodan is capable of detecting exposed Remote Desktop Protocol (RDP) services, which may be misconfigured, presenting a security risk.
- Industrial Control Systems (ICS): For penetration testers working in industries like manufacturing or utilities, identifying vulnerabilities in ICS devices, such as PLCs (Programmable Logic Controllers), is crucial.
- Printers: Network printers can sometimes be overlooked but may present significant security risks. They can also be used as pivot points within the network.
- Exposed Databases: Shodan can detect databases that are directly accessible online, such as MongoDB or Elasticsearch, which might leak sensitive data if not properly secured.
- Cameras and Webcams: If these devices are improperly configured, they pose serious privacy risks. Discovering and securing them is important in a penetration test.
- Smart Devices: Increasingly common in homes and offices, IoT devices like smart thermostats, lights, and refrigerators often lack robust security, making them an important target for penetration testers.
- Servers: Web, email, database, FTP, DNS, and other types of servers can be found using Shodan, providing a deeper look into potential vulnerabilities that need attention.
- Routers and Switches: These critical network devices can be identified by Shodan, revealing information on open ports and any associated vulnerabilities.
- SMB Services: Shodan helps identify devices using the Server Message Block (SMB) protocol, which may lack proper security configurations or authentication measures.
- Firewalls and IDS/IPS Devices: Analyzing firewalls and intrusion detection/prevention systems is important for understanding a network’s defense mechanisms.
- Devices with Default Credentials: Shodan does not test credentials, but banners and screenshots frequently reveal devices whose login pages or service banners advertise the default username and password, a common weakness in internet-connected devices.
Stay tuned for Shodan for Pentesting: The Ultimate Detailed Guide -Part 2, where we’ll dive deep into the Shodan CLI and explore how to leverage it effectively. We’ll also uncover bug bounty tools that integrate Shodan to enhance your vulnerability assessments. Plus, you’ll get an in-depth look at the Shodan Monitor feature and much more to empower your pentesting arsenal.
Summary
Shodan for Pentesting: The Ultimate Detailed Guide — Part 1 introduces Shodan as a powerful search engine for discovering internet-connected devices, essential for reconnaissance in pentesting. It explains how Shodan collects and indexes data from various devices. The guide covers basic search queries and advanced filtering techniques to pinpoint vulnerable systems. Ethical use and practical pentesting scenarios are also highlighted as a foundation for deeper exploration in subsequent parts.
“Shodan is a hacker’s treasure map — it reveals every hidden digital doorway and unguarded system, turning the vast internet into an open playground of opportunity.”