Shodan Search Engine Intro

Chad Warner, published in OSINT TEAM, Mar 28, 2023

Shodan is a search engine for objects connected to the Internet, including servers, routers, websites, databases, cameras, industrial control systems (ICS), network attached storage (NAS), and IoT devices. Shodan indexes service banners (metadata about software running on a device) and makes them searchable. It’s a useful resource for OSINT and CTI.

Shodan sells paid accounts, but you can also register for a free account, which is limited to basic features and 20 results per query.

You can get ideas for what to search for on Shodan’s Explore page. To aid searching, Shodan explains search query fundamentals and provides a filter reference and query examples.

Search filters take the form filtername:value. For example, to see websites that have been defaced and had their title tag set to include the string hacked by, search for http.title:"hacked by". To see machines compromised by ransomware, search for has_screenshot:true encrypted attention.
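The filtername:value form described above, as an added example that is not part of the original article or Shodan's own code: a small Python helper that splits a query into filters and free-text terms, and builds a query for checking your own organization's exposure. The function names and the "Example Corp" value are constructed for illustration; treating typographic quotes (common after copy/paste from a web page) as ASCII quotes is an assumption of this helper.

```python
import re

# One token is either filtername:value or a free-text term; the value or
# term may be bare (no spaces) or wrapped in ASCII double quotes.
_TOKEN = re.compile(
    r'(?:(?P<name>[A-Za-z_][\w.]*):)?(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))'
)


def normalize_quotes(query):
    """Replace typographic double quotes with ASCII ones (helper assumption)."""
    return query.replace("\u201c", '"').replace("\u201d", '"')


def parse_query(query):
    """Split a query into ([(filter, value), ...], [free-text terms])."""
    query = normalize_quotes(query)
    if query.count('"') % 2:
        raise ValueError("unbalanced double quote in query")
    filters, terms = [], []
    for m in _TOKEN.finditer(query):
        quoted = m.group("quoted")
        value = quoted if quoted is not None else m.group("bare")
        if m.group("name"):
            filters.append((m.group("name"), value))
        else:
            terms.append(value)
    return filters, terms


def build_query(filters, terms=()):
    """Render filters and terms as one query, quoting values with spaces."""
    parts = []
    for name, value in filters:
        value = str(value)
        if '"' in value:
            raise ValueError("value may not contain a double quote")
        quoted = re.search(r"\s", value) is not None
        parts.append(f'{name}:"{value}"' if quoted else f"{name}:{value}")
    parts.extend(f'"{t}"' if re.search(r"\s", t) else t for t in terms)
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed input: an organization name used only as a placeholder.
    print(build_query([("org", "Example Corp"), ("port", 443)]))
    print(parse_query("has_screenshot:true encrypted attention"))
```

Parsing a query before sending it makes it easy to log exactly which filters an investigation used and to catch a pasted query whose quotes do not balance.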

When you search, you’ll see a page with the first 10 search results. Each result shows some data, and you can click links to view more info in Shodan, or to go directly to the external resource (be careful!).

Shodan search results for hacked websites

Along the left side, Shodan will display data about the results, such as the following:

  • Total results
  • Top ports
  • Top organizations
  • Top products
  • Top operating systems
  • Top versions

Shodan will show up to 5 lines for each of these categories, with links to view more. Near the top of each search results page is also a View Report link to view a report that includes data such as the following:

  • Countries
  • Ports
  • Organization
  • Vulnerabilities
  • Products
  • Tags
  • Operating Systems
  • Website Titles
  • Web Technologies
  • Protocol Versions
  • SSL/TLS Versions
  • JARM Fingerprints
  • JA3S Fingerprints

Shodan will show up to 5 lines for each of these categories, with links to view more.

Shodan report for hacked websites

Using Shodan for OSINT & CTI

You can use Shodan to find the following, which can be useful for OSINT or CTI investigations:

  • Devices running software vulnerable to particular exploits, by searching by CVE
  • Threat actor infrastructure, including C2 servers and infostealers
  • Compromised devices or websites
  • Devices or websites owned by a particular organization
  • Servers that have served a digital certificate containing a particular URL

Additional Resources

What is Shodan? (PDF)

Shodan Quick Start Reference (PDF)

Searching with Shodan


Web Strategist at OptimWise. Cybersecurity & privacy enthusiast. Bookworm. Fan of Tolkien & LEGO.