Shodan is the most dangerous and fascinating search engine on the Internet. While Google crawls web pages looking for content, Shodan scans ports and stores the service banners it gets back (banner grabbing), so what it indexes is devices: servers, webcams, industrial control systems (SCADA), routers, and databases. For the investigator it is the crown jewel of passive reconnaissance: Shodan has already done the scanning, so querying it sends nothing to the target.
Professionals use the CLI (Command Line Interface) and the API to automate tasks and get past the limits of the web interface (manual paging, no scripting, no bulk export).
# Python installation:
pip3 install shodan
# Authentication (API Key from account.shodan.io):
shodan init YOUR_API_KEY_HERE
# Check account status (query/scan credits):
shodan info
Basic operators allow you to segment the Internet by geography or network properties.
# By ASN (Autonomous System Number):
asn:AS3352
# By IP range (CIDR) - Great for corporate perimeter auditing:
net:203.0.113.0/24
# Combined filters (country, organization and port):
country:US org:"Amazon.com" port:443
One of the most powerful OSINT techniques is favicon hashing. Shodan computes a MurmurHash3 value (the same signed 32-bit result that mmh3.hash() returns) over the base64 text of the site's tab icon and exposes it as http.favicon.hash. A product ships the same icon on every install, and a phishing kit copies its target's icon, so one hash finds every instance: clones of a brand's login page, or the admin panels of a given product, across the entire internet.
# Find exposed Spring Boot servers by their favicon hash:
http.favicon.hash:116323821
# Search inside HTML title or body:
http.title:"Dashboard [Jenkins]"
http.html:"defaced by"
# Search by SSL Certificate issuer/subject:
ssl.cert.subject.cn:"*.company.com"
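To make the favicon technique above reproducible, here is an added example (my code, not Shodan's and not from the original page) that derives the number Shodan indexes under http.favicon.hash from an icon's bytes. It implements MurmurHash3 x86_32 in pure Python so no third-party package is needed. The detail that trips people up: Shodan hashes the base64 text produced by codecs.encode(icon, "base64") (76-character lines, each newline-terminated), not the raw bytes and not base64.b64encode() output, which has no newlines and yields a different number. The sample icon bytes are constructed for the demo; fetching a real icon (for example requests.get(url).content) is left to the caller.

```python
import codecs
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_x86_32(data: bytes, seed: int = 0) -> int:
    """Pure-Python MurmurHash3 x86_32, the function behind mmh3.hash().

    Returns a *signed* 32-bit integer, exactly like mmh3.hash(), because that
    signed form (negative values included) is what Shodan stores and matches on.
    """
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    nblocks = len(data) // 4

    # Body: 4-byte little-endian blocks.
    for off in range(0, nblocks * 4, 4):
        k1 = struct.unpack_from("<I", data, off)[0]
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK32

    # Tail: the 1-3 leftover bytes, packed little-endian into k1.
    tail = data[nblocks * 4:]
    if tail:
        k1 = 0
        for i, b in enumerate(tail):
            k1 ^= b << (8 * i)
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1

    # Finalization mix (fmix32).
    h1 ^= len(data)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def shodan_base64(icon: bytes) -> bytes:
    """The exact base64 flavour Shodan hashes: MIME-style, 76-char lines, trailing newline."""
    return codecs.encode(icon, "base64")


def shodan_favicon_hash(icon: bytes) -> int:
    """Reproduce Shodan's http.favicon.hash for the raw bytes of a favicon."""
    return murmur3_x86_32(shodan_base64(icon))


def favicon_dork(icon: bytes) -> str:
    """Build the search filter; a negative hash keeps its minus sign."""
    return f"http.favicon.hash:{shodan_favicon_hash(icon)}"


# Constructed sample: an ICO-style header followed by filler bytes. It is not a
# real product icon, so its hash is only meaningful as a demonstration.
SAMPLE_ICON = bytes.fromhex("0000010001001010000001002000680400001600") + bytes(range(256)) * 4

if __name__ == "__main__":
    print(favicon_dork(SAMPLE_ICON))
```

If you already have the mmh3 extension installed, mmh3.hash(codecs.encode(icon, "base64")) gives the same number; the pure-Python version exists so the result can be checked without it.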
Threat Intelligence has assigned you a critical task: we need to quantify how many Tomcat servers are vulnerable to Log4Shell (CVE-2021-44228) in the United States (US). Construct the exact Shodan dork to obtain this information.
Shodan cross-references the product and version it extracts from a banner (e.g., Apache 2.4.49) with the CVE database and tags the banner with the matching CVEs. This gives an instant list of candidate targets, with one caveat: most tags are inferred from the version string alone, and each entry in a banner's vulns data carries a verified flag that tells you whether Shodan actually checked. Treat unverified tags as leads to confirm, not as proof of exploitability. The vulnerability filters are also not available on every Shodan plan.
# Search for a specific vulnerability (Log4Shell):
vuln:CVE-2021-44228
# Servers tagged with at least one CVE (verified or not):
has_vuln:True port:443 country:US
# Search by specific product and version:
product:"OpenSSH" version:"7.4"
Scrolling results on a terminal screen isn't scalable. OSINT pros download the data once (one query credit per 100 results) and then parse and filter the local file, which costs nothing.
# 1. Download results to a compressed JSON file:
shodan download ftp_servers "port:21 Anonymous access allowed" --limit 1000
# 2. Parse the downloaded file to extract only IPs and ports:
shodan parse --fields ip_str,port ftp_servers.json.gz
# 3. Generate statistics (Facets) without downloading data:
# Top 5 countries with open MongoDB databases?
shodan stats --facets country:5 "port:27017 -auth"
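To show what local post-processing looks like, and to tie the vulnerability section above to the data you actually get back, here is an added example (my code, not the page's and not part of the shodan package) that writes a constructed download file in the same layout `shodan download` produces (gzip-compressed, one JSON banner per line) and then does locally, at zero credits, what `shodan parse --fields`, `shodan stats --facets` and a grep over banner text would do. The six banners, their addresses, organizations and banner strings are invented; the field names (ip_str, port, org, location.country_code, data, and vulns entries with a verified flag) are Shodan's. get_field, build_sample_file and the `where` predicates are my helpers.

```python
import collections
import gzip
import json
import tempfile

# Constructed sample banners. Field names follow Shodan's banner schema;
# every value is made up for this example. Banners with no CVE tags have no
# "vulns" key at all, which is also how real records look.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 21, "org": "Example Hosting",
     "location": {"country_code": "US"},
     "data": "220 FTP server ready.\r\n230 Anonymous access allowed, restrictions apply.\r\n"},
    {"ip_str": "203.0.113.11", "port": 21, "org": "Example Hosting",
     "location": {"country_code": "DE"},
     "data": "220 FTP server ready.\r\n530 Login incorrect.\r\n"},
    {"ip_str": "198.51.100.5", "port": 8080, "org": "Example Cloud",
     "location": {"country_code": "US"},
     "data": "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n",
     "vulns": {"CVE-2021-44228": {"verified": False, "cvss": 10.0}}},
    {"ip_str": "198.51.100.6", "port": 8080, "org": "Example Cloud",
     "location": {"country_code": "US"},
     "data": "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n",
     "vulns": {"CVE-2021-44228": {"verified": True, "cvss": 10.0}}},
    {"ip_str": "192.0.2.7", "port": 21, "org": "Example ISP",
     "location": {"country_code": "FR"},
     "data": "220 FTP server ready.\r\n230 Anonymous access allowed.\r\n"},
    {"ip_str": "192.0.2.8", "port": 27017, "org": "Example Cloud",
     "location": {"country_code": "US"},
     "data": "MongoDB Server Information\r\n{ \"version\": \"4.0.2\" }\r\n"},
]


def write_download(path, banners):
    """Write banners in the on-disk format of `shodan download`: gzip NDJSON."""
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        for banner in banners:
            fh.write(json.dumps(banner) + "\n")


def build_sample_file():
    """Create a temporary .json.gz holding SAMPLE_BANNERS and return its path."""
    tmp = tempfile.NamedTemporaryFile(suffix=".json.gz", delete=False)
    tmp.close()
    write_download(tmp.name, SAMPLE_BANNERS)
    return tmp.name


def iter_banners(path):
    """Stream banners one line at a time; real downloads can run to millions of lines."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line:
                yield json.loads(line)


def get_field(banner, dotted):
    """Resolve a dotted path such as 'location.country_code' (helper of this example)."""
    value = banner
    for part in dotted.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def parse_fields(path, fields, where=None):
    """Local equivalent of `shodan parse --fields a,b`, with an optional filter predicate."""
    return [tuple(get_field(b, f) for f in fields)
            for b in iter_banners(path) if where is None or where(b)]


def facet(path, field, top=5, where=None):
    """Local equivalent of `shodan stats --facets field:top` over the downloaded file."""
    counts = collections.Counter(get_field(b, field)
                                 for b in iter_banners(path) if where is None or where(b))
    return counts.most_common(top)


def vuln_summary(path):
    """Count verified vs. unverified tags per CVE. An unverified tag was inferred from
    a version string; it is a lead to confirm, not evidence the host is exploitable."""
    summary = collections.defaultdict(lambda: {"verified": 0, "unverified": 0})
    for banner in iter_banners(path):
        for cve, info in banner.get("vulns", {}).items():
            summary[cve]["verified" if info.get("verified") else "unverified"] += 1
    return dict(summary)


def anonymous_ftp(banner):
    return banner["port"] == 21 and "Anonymous access allowed" in banner["data"]


if __name__ == "__main__":
    path = build_sample_file()
    print("anonymous FTP:", parse_fields(path, ["ip_str", "port"], where=anonymous_ftp))
    print("top countries:", facet(path, "location.country_code", top=5))
    print("CVE tags:", vuln_summary(path))
```

The same functions work unchanged on a real ftp_servers.json.gz from `shodan download`; only the predicate and the facet field change.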
Blue Teams deploy honeypots (decoy systems) to trap attackers. Shodan's Honeypot Or Not service scores the probability that an IP is such a decoy, so you can drop it from a target list before wasting time on it.
# Honeypot score (1.0 = almost certainly a trap, 0.0 = looks like a real system):
shodan honeyscore 1.2.3.4
import shodan

# The same key `shodan init` stores; keep it out of source control.
api = shodan.Shodan('YOUR_API_KEY')
try:
    # One query credit per page of results; 'total' is the full match count.
    results = api.search('product:"Hikvision" city:"London"')
    print(f"Found: {results['total']}")
except shodan.APIError as e:
    # Raised for a bad key, an exhausted credit balance, or a filter your plan lacks.
    print(f"Error: {e}")