Shodan
Shodan
Filters
Use the following filters to refine your Shodan searches:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# Search by ASN (Autonomous System Lookup)
ASN:[NUMBER]
# Search for specific products
product:mysql
product:nginx
product:"VNC"
# Filter by location
country:"US"
city:"Los Angeles"
# Search for text in screenshots
has_screenshot:true encrypted attention
# Search using screenshot labels
screenshot.label:ics
screenshot.label:windows
Shodan API with cURL
Shoutout to SANS Internet Storm Center for these examples.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
# Basic request to get host information
curl -s -k "https://api.shodan.io/shodan/host/<host_ip>?key=%shodan-api-key%"
# Get DNS names for a domain
curl -s -k "https://api.shodan.io/dns/domain/github.com?key=%shodan-api-key" | jq | less
# Find open SSH port 22
curl -s -k "https://api.shodan.io/shodan/host/search?key=%shodan-api-key%&query=ssh&port:22" | grep \"ip\":
# Count open RDP ports
curl -s -k "https://api.shodan.io/shodan/host/count?key=%shodan-api-key%&query=port:3389" | jq
# Search for webcams with screenshots
curl -s -k "https://api.shodan.io/shodan/host/count?key=%shodan-api-key%&query=windows+port:3389+has_screenshot:true" | jq
Shodan CLI Commands
Use the Shodan CLI for quick and efficient queries:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# Initialize with your API key
shodan init <api-key>
# Get your public IP
shodan myip
# Get information about a specific IP
shodan host <ip>
# Count occurrences of a query
shodan count microsoft iis 6.0
# Search for specific data
shodan search microsoft rdp
# Download search results to JSON (limited to 1000 results)
shodan download microsoft exchange
# Download search results to JSON (unlimited)
shodan download --limit -1 microsoft exchange
# Convert output to CSV, XLSX, or HTML
shodan convert microsoft.json.gz csv
Query Examples
Here are some useful Shodan queries:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# FTP anonymous login
"220" "230 Login successful." port:21
# Search by icon hash (example: Ivanti EPMM)
http.favicon.hash:362091310
# SMB with disabled authentication
"Authentication: disabled" port:445
# Telnet logged in as root
"root@" port:23 -login -password -name -Session
# WordPress files containing database credentials
http.html:"* The wp-config.php creation script uses this file"
# SSL certificate search
ssl:"github"
# HTML component search
http.component:"wordpress"
# Ransomware notes
html:"We hacked your company successfully" title:"How to Restore Your Files"
Sources
- Cloudflare: What are ASN?
- Find ASN:
- Shodan: Filter Reference
- Shodan: Examples
- GitHub: Awesome Shodan Queries
- SANS: Getting the Most Out of Shodan Searches
- Medium: Exploring the Dark Side of Shodan
- Medium: Exploring the Dark Side of Shodan 2
- Medium: Using Shodan the Better Way
- SANS Internet Storm Center: Shodan’s API For The (Recon) Win!
This post is licensed under CC BY 4.0 by the author.