
Shodan

Search engine for internet-connected devices — banners, certs, screenshots.

$ shodan --help

// what it is

Description

John Matherly's continuously updated index of every IPv4 host on the internet. Each host record includes open ports, service banners, TLS certificate chains, geolocation, ISP, and sometimes a screenshot. A free account gets you 100 results/month; paid plans unlock filters, exports, and the streaming firehose.

// use cases

What people use it for

  • Find internet-exposed Industrial Control Systems
  • Enumerate a target organization's perimeter from public data alone
  • Track exposure of a specific CVE by searching for the affected product and version, e.g. 'product:Apache version:2.2'
  • Pre-flight reconnaissance before active scanning

// commands

The commands you'll type

CLI init

$ shodan init <API_KEY>

Find Apache 2.2 servers in the US

$ shodan search 'apache 2.2 country:US' --limit 100

Host detail

$ shodan host 1.1.1.1

// facts

category: Recon & OSINT
platforms: WEB · LIN · WIN · MAC
license: Freemium
difficulty: Beginner