
Shodan

Shodan is a search engine for internet-connected devices, often called 'Google for IoT'. It indexes information about servers, routers, cameras, industrial systems, and other devices visible on the network, revealing their configuration and potential vulnerabilities.

What is Shodan?

Shodan Definition

Shodan is a specialized internet search engine that indexes devices connected to the internet instead of websites. Founded in 2009 by John Matherly, Shodan scans the internet and collects information about services running on publicly accessible IP addresses, revealing configuration details, service banners, and potential vulnerabilities.

How Does Shodan Work?

Shodan operates differently from traditional search engines:

  1. Scanning - Shodan's crawlers probe the entire IPv4 address space
  2. Banner grabbing - they collect the responses returned by open ports
  3. Parsing - they extract information about services, versions and certificates from those responses
  4. Indexing - the data is stored in a searchable database
  5. Searching - users query the database using filters

What Does Shodan Index?

Devices and Systems

  • Web servers (Apache, Nginx, IIS)
  • Databases (MongoDB, MySQL, Elasticsearch)
  • IP cameras and CCTV systems
  • Routers, switches, firewalls
  • Industrial systems (SCADA, ICS)
  • Network printers
  • IoT devices
  • Admin panels

Service Information

  • Protocol banners
  • Software versions
  • SSL/TLS certificates
  • Service configuration
  • Geolocation
  • ASN (autonomous system) membership

Shodan Search Filters

# Search by country
country:US

# Search by city
city:"New York"

# Search by organization
org:"Example Corp"

# Search by port
port:22

# Search by product
product:nginx

# Search by version
version:1.0

# Search by operating system
os:windows

# Search for vulnerabilities
vuln:CVE-2021-44228

# Search by banner
http.title:"Dashboard"

# Combining filters
country:US port:3389 os:windows

Shodan Applications

Offensive Security

  • Reconnaissance before penetration testing
  • Attack surface identification
  • Finding vulnerable systems
  • Target infrastructure analysis

Defensive Security

  • Monitoring own organization’s exposure
  • Detecting unsecured devices
  • Identifying shadow IT
  • Firewall configuration verification

Security Research

  • Threat trend analysis
  • Vulnerability statistics
  • Malware spread research
  • Botnet analysis

OSINT

  • Gathering information about organizations
  • Infrastructure mapping
  • Security due diligence
  • Competitive analysis

Shodan Monitor

A monitoring service that provides:

  • Infrastructure change tracking
  • New device alerts
  • Vulnerability notifications
  • Security reports

Shodan API

Shodan offers an API enabling:

  • Search automation
  • Security tool integration
  • Building custom applications
  • Scripts and automation
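As an added example of the defensive use described above (monitoring your own organization's exposure through the API), not Shodan's own code: the script below takes a host record in the shape of Shodan's host JSON and reports any port that is not on the firewall allowlist plus any banner that carries a CVE tag. The record is constructed inline, and the field names (ip_str, ports, data[].port, data[].product, data[].vulns) are an assumption based on the Shodan host document format; a real run would fetch the record with the API client and your own key.

```python
"""Check a Shodan host record against an allowlist of expected services.

Added example, not Shodan's code. SAMPLE_HOST is constructed and the field
names are an assumption about Shodan's host JSON layout.
"""
import json

# Constructed sample: what Shodan might report for one of our public IPs.
SAMPLE_HOST = json.loads("""
{
  "ip_str": "203.0.113.10",
  "org": "Example Corp",
  "ports": [22, 443, 3389, 27017],
  "data": [
    {"port": 22, "transport": "tcp", "product": "OpenSSH", "version": "8.9p1"},
    {"port": 443, "transport": "tcp", "product": "nginx", "version": "1.24.0"},
    {"port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol"},
    {"port": 27017, "transport": "tcp", "product": "MongoDB", "version": "4.4.0",
     "vulns": {"CVE-EXAMPLE-0001": {"verified": false}}}
  ]
}
""")

# Ports this host is allowed to expose according to the firewall policy.
EXPECTED_PORTS = {22, 443}


def find_exposure(host, expected_ports):
    """Return one finding per unexpected open port and per CVE tag on a banner."""
    findings = []
    banners = {b["port"]: b for b in host.get("data", [])}
    for port in sorted(host.get("ports", [])):
        banner = banners.get(port, {})
        product = banner.get("product", "unknown")
        if port not in expected_ports:
            findings.append({"ip": host["ip_str"], "port": port,
                             "product": product, "issue": "unexpected-port"})
        # Shodan attaches CVE identifiers it associates with the banner under "vulns".
        for cve in banner.get("vulns", {}):
            findings.append({"ip": host["ip_str"], "port": port,
                             "product": product, "issue": f"vuln:{cve}"})
    return findings


if __name__ == "__main__":
    for f in find_exposure(SAMPLE_HOST, EXPECTED_PORTS):
        print(f"{f['ip']}:{f['port']} {f['product']} -> {f['issue']}")
```

Run on a schedule against every IP in your ranges, the same check becomes a simple shadow-IT and firewall-drift alert.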

Search Examples

Unsecured Databases

product:mongodb port:27017 -authentication

Open Cameras

webcam has_screenshot:true

Industrial Systems

port:502 modbus

Login Panels

http.title:"login" country:US

Using Shodan itself is legal, but what you do with the results matters:

  • Searching alone - legal (public information)
  • Login attempts - require authorization
  • Vulnerability exploitation - illegal without consent
  • Data disclosure - may violate regulations

Responsible Use

  • Use to protect your own infrastructure
  • Report discovered vulnerabilities
  • Don’t use for illegal activities
  • Follow terms of service

Shodan Alternatives

  • Censys - similar search engine focused on certificates
  • Zoomeye - Chinese alternative
  • BinaryEdge - search engine with advanced analysis
  • GreyNoise - focus on scanning traffic
  • Fofa - Chinese IoT search engine

Protection Against Shodan

To limit visibility in Shodan:

  • Minimize public service exposure
  • Use firewalls and access control lists
  • Change default service banners
  • Use VPN for sensitive services
  • Regularly audit public resources

Shodan is a powerful tool for both attackers and defenders - knowledge of its capabilities is essential for every security professional.
