Shodan for Pentesting: The Ultimate Detailed Guide — Part 2

6 min readFeb 14, 2025

Dive deeper into the world of Shodan as we explore the powerful CLI, integrate bug bounty tools, and uncover the secrets of the Shodan Monitor feature. Enhance your pentesting skills with practical insights and advanced techniques designed to expose hidden vulnerabilities.

Introduction

In Part 1 of Shodan for Pentesting: The Ultimate Detailed Guide, we explored the fundamentals of Shodan, how it collects data, and how pentesters can use its search capabilities for reconnaissance. Now, in Part 2, we take things a step further by diving into Shodan CLI, which allows for more efficient automation and advanced filtering.

We’ll also explore bug bounty tools that integrate Shodan, helping researchers identify vulnerabilities faster. Additionally, we’ll cover the Shodan Monitor feature, which enables security teams to track their attack surface in real-time. Whether you’re a pentester, bug bounty hunter, or security analyst, this guide will equip you with powerful techniques to maximize Shodan’s potential.

Part 1 Link: https://medium.com/@sankalppatil12112001/shodan-for-pentesting-the-ultimate-detailed-guide-part-1-8b618e40acd5

Some specific searches

Before moving to the Shodan cli and other interesting things I would like to provide a few more Shodan GUI search queries that are related to;
1. Cameras
2. Printers
3. Directory listing
4. FTP Access
5. Ransomware Infected Devices [Confirm/check query]
6. Hacker Websites [Defaced or Includes keywords].

product:"Hikvision IP Camera"  --> search Hikvision cameras
product:"Hikvision"

title:"IPCam Client" --> search IPCam Client Webcams

server: GeoHttpServer --> Geovision Webcameras

title:"Avigilon" --> Avigilon Cameras

server: VVTK-HTTP-Server --> Vivotek Cameras

title:"CP Plus" product:"CP Plus" --> CP Plus Cameras

"Android Debug Bridge" "Device" port:5555 --> Find the Android Debug Bridge

"Set-Cookie: mongo-express=" "200 OK" --> Exposed MongoDB Express Web Interfaces

"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab --> Docker Private Registries

printer --> search general printers

port:161 hp --> HP Printers Remote Restart

Server: CANON HTTP Server --> Canon Printer

http 200 server epson -upnp --> HTTP Accessible Epson Printers

title:"syncthru web service" --> Samsung Printers with SyncThru Web Service

port:23 "Password not set" --> Printers with telnet access

ssl:"Xerox Generic Root" --> Xerox Printers with remote access avaiable

http.title:"Index of /" --> Directory listing

"Authentication: disabled" port:445 product:"Samba" --> Access Samba with no Authentication required

"Anonymous access allowed" port:"21" --> Anonymous Access Allowed to FTP

hacked --> Devices with labeled Hacked

HACKED-ROUTER --> search Hacker Routers with this label

http.title:"Hacked by" --> Search websites defaced or includes hacker by

"attention" "encrypted" port:3389 --> Ransomeware Infected devices or demanding for payment

bitcoin has_screenshot:true --> Find Bitcoin related ransomeware with screenshot available

Now that we are done all about the Shodan website we can now focus a little bit on the Shodan cli;

Using Shodan CLI

Shodan also provides a command-line interface (CLI) for efficient searching and automation.

Installing Shodan CLI

pip install shodan
shodan init YOUR_API_KEY

NOTE: You can find the Shodan API key in your account.

Basic & Advanced Shodan CLI Commands

shodan search "port:22" → Searches for open SSH servers.

shodan count "port:3389" → Counts the number of exposed RDP servers.

shodan host 192.168.1.1 → Retrieves details about a specific IP.

shodan scan submit 192.168.1.1/24 → Requests a scan on a subnet.

shodan download results.json.gz "port:80" → Saves search results for offline use

shodan search 'cpe:"cpe:2.3:a:apache:http_server:2.4.41:*:*:*:*:*:*:*"' → Search by a Common Platform Enumeration (CPE) string to find a particular software version

shodan search 'geo:"37.7749,-122.4194,50km"' → Search for devices within a certain radius of geographic coordinates

Download a dataset of hosts that have screenshots available, then pipe it through decompression and JSON processing (e.g., with jq):
shodan download screenshot_results has_screenshot:true
gunzip -c screenshot_results.json.gz | jq '.matches[] | {ip, port, http: .data.http}'

Shodan + Bug Bounty & Pentesting Tools

Karma v2 + Shodan

Karma v2 is an automated subdomain takeover scanner. Combining it with Shodan allows bug bounty hunters to:

Identify subdomains using Shodan searches.
Cross-check subdomains against vulnerable services in Shodan.
Automate takeover detection with Karma v2 after collecting subdomains.

Link: https://github.com/Dheerajmadhukar/karma_v2

Shosubgo + Shodan

Shosubgo is an OSINT tool for discovering subdomains using Shodan. It can be used to:

Extract subdomains directly from Shodan’s indexed data.
Filter results based on open ports and services.
Combine with other enumeration tools for deeper recon.

Example Usage:

./shosubgo_linux -d target.com -s YourAPIKEY
./shosubgo_linux -f file -s YourAPIKEY

This helps bug bounty hunters and pentesters automate subdomain discovery using Shodan’s vast database.

Link: https://github.com/incogbyte/shosubgo

Shodan Monitor for Continuous Threat Detection

Shodan Monitor allows security teams to track their own assets and receive alerts when a new device or vulnerability appears in their organization’s network.

Setting Up Shodan Monitor:

Log into Shodan and navigate to Monitor.
Add your IP ranges or domains.
Configure notifications for any exposure or security issues.

The dashboard will be visible as shown in the image;

We can also manage the assets like adding a network, adding new domains, or adding a new search query, as shown in the image below;

Add domain to monitor any change in ports, ssl certs. expiration, and vulnerabilities.

As shown below I have added a domain for demonstration purpose and in total of 10 IPs related to domain are been monitored and potential vulnerabilities are shown. We can also rescan at our will also the Shodan will be keeping its scan.

We can also edit the domain settings and add or remove the trigger rules as per our needs.

We can also add the CIDR to scan if the target is large and they keep adding new domains, subdomains and more so that we will not be missing anything.

Stay tuned for Shodan for Pentesting: The Ultimate Detailed Guide — Part 3, where we’ll explore Shodan Internet Observatory, revealing global trends in exposed devices. We’ll also dive into Shodan 2000, a curated list of the most scanned services, helping you prioritize targets efficiently. Plus, we’ll uncover the Favicon Map, a powerful way to track devices and technologies using unique favicon hashes. Get ready for advanced Shodan techniques to elevate your pentesting game!

PART 3 Link: https://medium.com/@sankalppatil12112001/shodan-for-pentesting-the-ultimate-detailed-guide-part-3-452f1cd83dec

Summary

Shodan is a powerful asset for pentesters and cybersecurity analysts. Whether you’re conducting reconnaissance, identifying vulnerabilities, or automating security analysis, Shodan provides deep insights into the exposed internet.

If you’re serious about Pentesting, learning to use Shodan effectively is a must! Have you used Shodan for security research? Share your experiences in the comments!

Explore more of our insightful blogs to stay updated on the latest trends in technology and cybersecurity. Dive deep into valuable knowledge and tools to enhance your skills and expertise.