Imagine a search engine better than both Google and your mom at scouring the underbelly of … the Net. A search engine that doesn’t do doodles. Gah. I admit it. I suck at writing openings. Today we are going to take a look at – the infamous search engine that is able to uncover the innards of the Net.

What is it?

Shodan is a search engine for finding information on specific Internet connected devices. Like any other search engine it scans the entire Internet. It differs from, say, Google by that it is looking for banners that are returned by various devices – and it let you query that information. This mean you could go to Shodan and lookup webcams, routers, switches, various services and more. For instance, it is possible to map out several SCADA installations widely available on the Internet through Shodan. Just imagine what you would be able to find once Internet of Things really sets in!

Shodan is a great killchain tool for any penetration testers mapping out vulnerable clients without even hitting the target.

How do I use it?

Shodan works just like any other search engine on the Net. Head on over to the main page and enter an arbitrary query. It’s as simple as that. Here’s an example (I’ve redacted the hosts):


Narrowing the search

Sometimes you need to narrow the search result since it may be too broad. Luckily Shodan supports filters. Here’s a quick list

  • city: filter on particular city
  • country: filter on particular country
  • port: filter on ports
  • geo: filter narrowing down passing it coordinates
  • os: filter on operating system
  • hostname: filter based on hostname
  • net: filter on specific IP or /x CIDR
  • before and after: filter within timeframe

The downside is, you must be logged in to do filters. So, head on and create your account and log in!


Any example below are for illustration purposes only and are meant to act as examples only.

Example Query 1

Finding Linux servers in the U.S running FTP:

port:21 country:"US" os:"Linux 3.x"

Example Query 2

Finding Cisco routers running telnetd in Italy:

port:23 country:"IT" product:"Cisco router telnetd"

Closing words

It’s well worth to get to know Shodan since it is a great tool for passive information gathering without even touching the target. I hope this post will trigger you to include it into your killchain.