March 27, 2026
The internet is not just made up of websites. Routers, webcams, industrial control systems, medical devices, smart TVs, and database servers are all connected to the same global network, many of them silently broadcasting their presence to anyone who knows how to look. Shodan is the search engine that lets you look.
Often called "the most dangerous search engine on the internet," Shodan indexes internet-facing devices and services rather than web pages. Security researchers, penetration testers, system administrators, and threat intelligence teams rely on it to understand what is exposed, what is vulnerable, and what attackers can see before they even launch a single exploit. If your organization has public-facing infrastructure and you have never run a Shodan query against it, you are operating blind.
This guide walks through how Shodan works, the commands and filters that make it powerful, and what to do when the results reveal more exposure than you expected.
Shodan was created by John Matherly in 2009. Unlike Google, which crawls HTML content, Shodan crawls the internet by sending connection requests to IP addresses across every port and recording the banners, certificates, and metadata that services return. It does this continuously, giving you a near real-time snapshot of what any given IP address or organization is exposing to the world.
When a web server responds to a request, it returns a banner that may include the server software version, the operating system, open ports, TLS certificate details, and more. Shodan collects all of this and makes it searchable. The result is a database of hundreds of millions of devices and services, each with rich metadata you can filter, sort, and analyze.
This is not hacking. Shodan only collects information that devices voluntarily return in response to standard connection probes. It is the equivalent of knocking on a door and recording what you can see when it opens. The problem is that most organizations have no idea how many doors they have left open.
To get started, create a free account at shodan.io. Free accounts offer limited results per search (up to two pages) and access to basic filters. A paid membership unlocks full results, advanced filters, and API access. For serious security work, the membership is worth it.
Install the Shodan command-line interface using pip:
pip install shodan
Initialize it with your API key:
shodan init YOUR_API_KEY
You can now run queries directly from your terminal, which is faster for bulk lookups and scripting.
Shodan's power comes from its filter syntax. Knowing the right filters turns a vague curiosity into targeted reconnaissance.
org:"Target Organization Name"
This returns all devices indexed under that organization's ASN. It is one of the first queries a penetration tester runs to map an organization's external attack surface.
port:22 org:"Example Corp"
This finds all SSH-accessible devices exposed by a specific organization. Combine it with a banner search to find devices running outdated OpenSSH versions:
port:22 "OpenSSH 5" org:"Example Corp"
country:IN city:Mumbai port:3389
This query finds devices in Mumbai, India that expose RDP (Remote Desktop Protocol). Exposed RDP is one of the most common entry points for ransomware operators.
product:"Apache httpd" version:"2.2"
Apache 2.2 reached end-of-life in 2017 and no longer receives security patches. Finding it exposed on port 80 or 443 is a significant finding in any security assessment.
product:"Microsoft IIS" version:"6.0"
IIS 6.0 is associated with Windows Server 2003. Finding this in the wild is alarming and unfortunately not uncommon.
The following commands represent real-world use cases that security professionals apply during external assessments and threat intelligence gathering.
MongoDB instances that require no authentication have been responsible for some of the largest data leaks in history:
product:"MongoDB" port:27017
To narrow it down to instances that explicitly show no authentication:
"MongoDB Server Information" port:27017 -authentication
Elasticsearch clusters are another frequent source of exposed data:
port:9200 json
product:"Elastic" port:9200
If your organization runs either of these services and they appear in Shodan results, that is a critical finding. Professional penetration testing can help you identify and close these gaps before an attacker does. Redfox Cybersecurity's penetration testing services include full external attack surface mapping as part of every engagement.
SCADA and ICS devices control power grids, water treatment facilities, manufacturing plants, and more. Many were never designed for internet connectivity but end up exposed due to misconfiguration:
port:102 siemens
Port 102 is used by the S7 protocol, associated with Siemens SIMATIC PLCs. Finding these exposed is a critical infrastructure risk.
port:47808
Port 47808 is the default port for BACnet, a protocol used in building automation systems including HVAC, lighting, and access control.
"SCADA" country:US port:502
Port 502 is used by Modbus, one of the oldest industrial communication protocols, still widely deployed and largely unauthenticated.
port:3389 has_screenshot:true
Shodan captures screenshots of VNC and RDP sessions when they are accessible without authentication. This filter returns only those results where a screenshot was captured, meaning the session was fully open.
port:5900 has_screenshot:true
Port 5900 is VNC. Finding open VNC sessions with screenshots is about as close to a ready-made compromise as passive reconnaissance gets.
"default password" port:23
Telnet on port 23 transmitting default credentials in the banner is a combination that has fueled multiple major botnet campaigns including Mirai.
cisco "show version" port:23
This finds Cisco devices exposing their version information over Telnet, often indicating that default or weak credentials are in use.
"Cisco IOS" port:22
While SSH is more secure than Telnet, outdated Cisco IOS versions have known vulnerabilities. Knowing which version is running is the first step in assessing exploitability.
ssl.cert.expired:true port:443
Expired certificates indicate neglected infrastructure. Neglected infrastructure is often unpatched infrastructure.
ssl.cert.subject.cn:"*.example.com"
This finds every host presenting a certificate whose common name matches that wildcard, which surfaces subdomains and is useful for mapping an organization's full web presence.
For security teams managing large estates, the CLI is essential.
Count how many results exist for a query without pulling them all:
shodan count org:"Your Organization"
Pull full results for a query and save them to a file:
shodan search --fields ip_str,port,org,hostnames "product:nginx" > nginx_results.txt
Look up all information Shodan has on a specific IP:
shodan host 8.8.8.8
Scan your own IP ranges directly through Shodan's on-demand scanning (requires credits; the range must be publicly routable, because Shodan's scanners cannot reach private RFC 1918 addresses such as 192.168.0.0/16):
shodan scan submit 203.0.113.0/24
Download historical data on an IP address:
shodan host --history 203.0.113.45
Historical data is particularly valuable during incident response, helping you understand what a compromised host was running before an attacker altered its configuration.
Organizations with mature security programs integrate Shodan into their continuous monitoring workflows. The Python API makes this straightforward:
import shodan

api = shodan.Shodan("YOUR_API_KEY")
try:
    results = api.search('org:"Example Corp" port:3389')
except shodan.APIError as e:
    raise SystemExit(f"Shodan query failed: {e}")

# Each match is one service banner; the 'os' key is absent when Shodan could not identify the OS
for result in results["matches"]:
    print(f"IP: {result['ip_str']} | Port: {result['port']} | OS: {result.get('os', 'Unknown')}")
You can extend this to alert on new findings, track changes over time, and feed data into SIEMs or ticketing systems. Shodan also provides a streaming API for real-time alerts when new devices matching your criteria come online.
If setting up and maintaining this level of monitoring is beyond your current capacity, Redfox Cybersecurity offers managed security services and penetration testing that include continuous external exposure monitoring as part of broader engagements.
Running Shodan queries against your own organization's IP ranges and ASN is one of the highest-value, lowest-cost exercises any security team can perform. The findings typically fall into a few categories.
Developers spin up cloud instances, contractors connect devices to the network, old servers never get decommissioned. Shodan frequently surfaces assets that IT and security teams did not know existed. These orphaned systems are rarely patched and often configured with default credentials.
Many services announce their software version in their banners. This is useful for administrators but equally useful for attackers who can cross-reference version numbers against public vulnerability databases to find exploitable CVEs without touching the target at all.
Database ports exposed to the internet, admin panels accessible without authentication, and management interfaces reachable from anywhere are findings Shodan surfaces constantly. These are not theoretical risks. They are configurations attackers actively scan for around the clock.
Weak TLS configurations, expired certificates, and legacy protocols like SSLv3 and TLS 1.0 still appear regularly in Shodan results. These create both compliance failures and practical exploitation paths.
Shodan is a passive reconnaissance tool. Querying it does not involve accessing any system without authorization. The data Shodan presents was collected by its own crawlers, not by you.
That said, acting on Shodan findings without proper authorization is a different matter entirely. Using Shodan to identify vulnerabilities in systems you do not own or have explicit permission to test crosses into illegal territory under computer fraud laws in most jurisdictions, including the Computer Fraud and Abuse Act in the United States and the Computer Misuse Act in the United Kingdom.
The responsible use of Shodan is to understand your own exposure, conduct authorized security testing, and inform defensive decisions. If you want to test how exploitable your organization's Shodan-visible assets actually are, that work should be done through a structured, authorized penetration test.
Redfox Cybersecurity's penetration testing team specializes in external and internal network assessments, web application testing, red team operations, and cloud security reviews. Every engagement is conducted under a formal scope agreement, ensuring your organization benefits from adversarial testing without the legal or operational risk of unauthorized activity.
Shodan shows you what the internet can see. What you do with that information is where security posture is actually built or neglected.
A responsible workflow looks like this. Run Shodan queries against your organization's IP ranges and ASN. Document every finding, categorized by severity. Immediately remediate critical exposures such as open databases, unauthenticated remote access services, and end-of-life software. Conduct authorized penetration testing to determine exploitability beyond what passive reconnaissance can reveal. Implement continuous monitoring to catch new exposures as they appear.
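To make that workflow concrete, here is an added example (not code from the original post or from Redfox Cybersecurity) that triages Shodan matches for your own ranges by severity, counts them for the report, and flags ip:port pairs that were absent from the previous run, which is also the "alert on new findings" extension mentioned in the API section. The severity rules and port lists are this example's own assumptions derived from the finding categories discussed above; the sample matches and the previous snapshot are constructed; and the nested `ssl.cert.expired` field layout is assumed. For live data, replace SAMPLE_MATCHES with `api.search(...)["matches"]`.

```python
import json
from collections import Counter
from dataclasses import dataclass

# Rules follow the finding categories discussed in the post; the port and
# version lists are this example's assumptions, not a Shodan feature.
UNAUTH_DB_PORTS = {27017: "MongoDB", 9200: "Elasticsearch"}
ICS_PORTS = {102: "Siemens S7", 502: "Modbus", 47808: "BACnet"}
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 23: "Telnet"}
EOL_SOFTWARE = {("Apache httpd", "2.2"), ("Microsoft IIS", "6.0")}


@dataclass
class Finding:
    ip: str
    port: int
    severity: str
    reason: str

    def key(self) -> str:
        return f"{self.ip}:{self.port}"


def classify(match: dict) -> Finding:
    """Map one Shodan match (ip_str, port, product, version, ssl, ...) to a Finding."""
    ip, port = match["ip_str"], int(match["port"])
    product = match.get("product", "")
    version = str(match.get("version", ""))
    if port in UNAUTH_DB_PORTS:
        return Finding(ip, port, "critical", f"{UNAUTH_DB_PORTS[port]} reachable from the internet")
    if port in ICS_PORTS:
        return Finding(ip, port, "critical", f"{ICS_PORTS[port]} industrial protocol exposed")
    for eol_product, eol_major in EOL_SOFTWARE:
        if product == eol_product and version.startswith(eol_major):
            return Finding(ip, port, "critical", f"end-of-life {product} {version}")
    if port in REMOTE_ACCESS_PORTS:
        # Telnet is cleartext; RDP/VNC need an authorised test to confirm auth is enforced
        sev = "critical" if port == 23 else "high"
        return Finding(ip, port, sev, f"{REMOTE_ACCESS_PORTS[port]} remote access exposed")
    # Assumed field layout: certificate data nested under match["ssl"]["cert"]
    if match.get("ssl", {}).get("cert", {}).get("expired"):
        return Finding(ip, port, "medium", "expired TLS certificate, possibly neglected host")
    if product and version:
        return Finding(ip, port, "info", f"version disclosed in banner: {product} {version}")
    return Finding(ip, port, "info", "service visible, no obvious issue")


def summarize(findings):
    """Count findings per severity for the report."""
    return dict(Counter(f.severity for f in findings))


def new_findings(findings, previous_keys):
    """Return findings whose ip:port was not present in the previous snapshot."""
    return [f for f in findings if f.key() not in previous_keys]


def save_snapshot(findings, path):
    """Persist the current ip:port set so the next run can diff against it."""
    with open(path, "w") as fh:
        json.dump(sorted(f.key() for f in findings), fh)


# Constructed sample matches in the shape of api.search(...)["matches"]
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 27017, "product": "MongoDB"},
    {"ip_str": "203.0.113.11", "port": 3389},
    {"ip_str": "203.0.113.12", "port": 443, "product": "Apache httpd", "version": "2.2.34"},
    {"ip_str": "203.0.113.13", "port": 443, "product": "nginx", "ssl": {"cert": {"expired": True}}},
    {"ip_str": "203.0.113.14", "port": 80, "product": "nginx", "version": "1.24.0"},
]
# Constructed previous snapshot: what last week's run recorded
PREVIOUS_SNAPSHOT = {"203.0.113.12:443", "203.0.113.14:80"}

if __name__ == "__main__":
    findings = [classify(m) for m in SAMPLE_MATCHES]
    print("summary:", summarize(findings))
    for f in new_findings(findings, PREVIOUS_SNAPSHOT):
        print(f"NEW  {f.severity:8} {f.key():22} {f.reason}")
    save_snapshot(findings, "shodan_snapshot.json")
```

Run it on a schedule against your organization's org: and net: queries; anything returned by new_findings is what changed since the last run and is the thing worth paging on, while summarize feeds the severity-sorted document the workflow calls for.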
Organizations that treat Shodan as a regular part of their security toolkit consistently present smaller, harder attack surfaces. Those that ignore it are leaving the reconnaissance work entirely to attackers.
Shodan is one of the most powerful and accessible tools available for understanding internet exposure. The commands and filters covered in this guide represent a fraction of what the platform can do, but they are enough to generate significant findings against almost any organization with a meaningful internet presence.
The critical insight Shodan delivers is not that vulnerabilities exist. It is that they are already visible. Attackers are not waiting for a zero-day exploit to find your exposed RDP port or your unauthenticated MongoDB instance. They are running the same queries covered in this guide, right now, at scale.
If your organization has not yet mapped its own exposure through Shodan or engaged a professional team to test what that exposure actually means in practice, that is the most important next step you can take.
Contact Redfox Cybersecurity to schedule a penetration test and find out what attackers see when they look at your infrastructure. The answer is almost always more than you expect.