Filter

# search by ASN (Autonomous System Number); the value is written with the AS prefix: asn:AS<number>
ASN:[NUMBER]

# search for product
product:mysql
product:nginx
product:"VNC"

# location
country:"US"
city:"Los Angeles"

# searches for text in screenshot
has_screenshot:true encrypted attention 

# searches for labels
screenshot.label:ics 
screenshot.label:windows

shodan curl

Shoutout to the SANS Internet Storm Center.

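# Every request below carries the API key in the URL query string, so TLS
# certificate verification stays enabled (no -k/--insecure): with verification
# off, anyone able to intercept the connection could read the key.
# %shodan-api-key% and <host_ip> are placeholders to fill in before running;
# a key typed directly on the command line also lands in shell history.

# basic request: everything Shodan has indexed for one IP
curl -s "https://api.shodan.io/shodan/host/<host_ip>?key=%shodan-api-key%"

# get DNS names for a domain
curl -s "https://api.shodan.io/dns/domain/github.com?key=%shodan-api-key%" | jq . | less

# search for SSH on port 22; every filter belongs inside the single "query"
# parameter, joined with "+" (a URL-encoded space). Written as "&port:22" it
# would be sent as a separate URL parameter instead of as part of the query.
curl -s "https://api.shodan.io/shodan/host/search?key=%shodan-api-key%&query=ssh+port:22" | grep \"ip\":

# count hosts with RDP port 3389 open (the count endpoint returns totals only)
curl -s "https://api.shodan.io/shodan/host/count?key=%shodan-api-key%&query=port:3389" | jq .

# count Windows hosts on port 3389 for which a screenshot was captured
# (this is an RDP query, not a webcam search, and returns a total only)
curl -s "https://api.shodan.io/shodan/host/count?key=%shodan-api-key%&query=windows+port:3389+has_screenshot:true" | jq .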

shodan CLI

# initialize: save the API key in the CLI's local configuration
# (<api-key> is a placeholder; a key typed on the command line also ends up in shell history)
shodan init <api-key>

# show your own public IP address
shodan myip

# show what Shodan has indexed for an IP (<ip> is a placeholder)
shodan host <ip>

# count the results for a query without downloading them
shodan count microsoft iis 6.0

# search
shodan search microsoft rdp

# download search results as compressed JSON (limited to 1000 results)
# NOTE: the first argument is the output file name, so this saves the results
# of the query "exchange" to microsoft.json.gz
shodan download microsoft exchange

# download search results as compressed JSON (unlimited: --limit -1 lifts the 1000-result cap)
shodan download --limit -1 microsoft exchange

# convert a downloaded file to csv, xlsx or html
shodan convert microsoft.json.gz csv

Queries

# FTP anonymous login
"220" "230 Login successful." port:21

# search by icon hash (example: Ivanti EPMM)
http.favicon.hash:362091310

# SMB with disabled authentication
"Authentication: disabled" port:445

# telnet logged in as root
"root@" port:23 -login -password -name -Session

# WordPress config files served as readable text (these files can contain database credentials)
http.html:"* The wp-config.php creation script uses this file"

# ssl certificate
ssl:"github"

# html component
http.component:"wordpress"

# ransom notes
html:"We hacked your company successfully" title:"How to Restore Your Files"

source