Shodan OSINT Reconnaissance IoT CVE Passive
Basic

Shodan: OSINT & Passive Reconnaissance

Sep 5, 2024

Shodan is the search engine for internet-connected devices. It indexes service banners, software versions, and metadata from millions of hosts worldwide. It's the most powerful passive reconnaissance tool: Shodan's crawlers have already done the scanning, so we send no packets to the target.

1. Shodan CLI Setup

# Install CLI:
pip3 install shodan

# Authenticate with your API key (free account works):
shodan init YOUR_API_KEY

# Check account info:
shodan info

2. Basic Web Searches

# By service banner:
apache
nginx 1.18

# By country:
country:US "webcam"
country:ES apache

# By city:
city:"Madrid" port:22
city:"London" product:MySQL

# By organisation:
org:"Amazon" port:3389
org:"Cloudflare"

# By CIDR range:
net:203.0.113.0/24

# By open port:
port:27017          # Exposed MongoDB
port:9200           # Exposed Elasticsearch
port:6379           # Unauthenticated Redis

3. Advanced Shodan Filters

# Specific CVE in production:
vuln:CVE-2021-44228    # Log4Shell
vuln:CVE-2019-19781    # Citrix ADC
vuln:CVE-2017-0144     # EternalBlue (MS17-010)

# Product + version:
product:"Apache httpd" version:2.4.49   # CVE-2021-41773
product:OpenSSH version:7.4

# ICS/SCADA:
product:Siemens
"Modbus" port:502

# IoT cameras:
product:"Hikvision IP Camera"
"GoAhead-Webs" port:80

# Exposed admin panels:
http.title:"phpMyAdmin"
http.title:"Grafana"
http.title:"Jenkins"
http.title:"Kibana"

# SSL certificates:
ssl:"target.com"
ssl.cert.subject.cn:"*.target.com"

4. Shodan CLI Usage

# Basic search:
shodan search "apache 2.4.49"

# Count results only:
shodan count "port:27017 MongoDB"

# Get IPs only:
shodan search --fields ip_str "port:6379 -auth"

# Get host info:
shodan host 1.2.3.4

# Alerts (paid plan):
shodan alert create "My company" 203.0.113.0/24
shodan alert list

5. Shodan Python API

import shodan
import json

API_KEY = "YOUR_API_KEY"
api = shodan.Shodan(API_KEY)

# Search for exposed MongoDB in the US:
results = api.search('port:27017 country:US')
print(f'Total: {results["total"]}')

for r in results['matches']:
    print(f"IP: {r['ip_str']} | Org: {r.get('org','N/A')}")

# Full host info:
host = api.host("1.2.3.4")
print(json.dumps(host, indent=2, default=str))
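
An added example (not from the original page): triaging the `matches` list that `api.search()` returns for a range you own, flagging the database/RDP/ICS ports and admin-panel titles listed in this article. The sample records are constructed in the shape of Shodan results; `RISKY_PORTS`, `ADMIN_TITLES`, `SAMPLE` and `triage` are names chosen for this example.

```python
import ipaddress

# Ports and panel titles taken from the searches in this article.
RISKY_PORTS = {27017: "MongoDB", 9200: "Elasticsearch", 6379: "Redis",
               5984: "CouchDB", 3389: "RDP", 502: "Modbus"}
ADMIN_TITLES = ("phpMyAdmin", "Grafana", "Jenkins", "Kibana")


def triage(matches, owned_cidr):
    """Return sorted (ip, port, reason) findings for hosts inside owned_cidr."""
    net = ipaddress.ip_network(owned_cidr)
    findings = set()
    for m in matches:
        ip, port = m.get("ip_str"), m.get("port")
        try:
            if ipaddress.ip_address(ip) not in net:
                continue  # never report on address space we do not own
        except ValueError:
            continue  # missing or malformed IP in the record
        if port in RISKY_PORTS:
            findings.add((ip, port, f"{RISKY_PORTS[port]} reachable from the internet"))
        # "http" or its "title" may be absent or None in a record.
        title = (m.get("http") or {}).get("title") or ""
        for panel in ADMIN_TITLES:
            if panel.lower() in title.lower():
                findings.add((ip, port, f"{panel} panel exposed"))
        # "vulns" is keyed by CVE id in search results; iterate the ids only.
        for cve in sorted(m.get("vulns") or {}):
            findings.add((ip, port, f"Shodan vuln tag {cve}"))
    return sorted(findings)


# Constructed sample records (not real scan data), shaped like results["matches"].
SAMPLE = [
    {"ip_str": "203.0.113.10", "port": 27017, "product": "MongoDB"},
    {"ip_str": "203.0.113.20", "port": 443, "http": {"title": "Grafana"}},
    {"ip_str": "203.0.113.30", "port": 80, "http": {"title": None},
     "vulns": {"CVE-2021-41773": {"verified": False}}},
    {"ip_str": "198.51.100.5", "port": 6379},   # outside our range: ignored
    {"ip_str": "203.0.113.40", "port": 22},     # SSH only: nothing flagged
]

if __name__ == "__main__":
    # Live use: matches = api.search("net:203.0.113.0/24")["matches"]
    for ip, port, reason in triage(SAMPLE, "203.0.113.0/24"):
        print(f"{ip}:{port}  {reason}")
```

A vuln tag is inferred from the banner and version, so treat each one as a lead to confirm against the host's actual patch level.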

6. Pentesting-Oriented Searches

# Exposed VPN login panels:
http.title:"Pulse Connect Secure"
http.title:"GlobalProtect"
http.title:"Cisco AnyConnect"

# Databases without authentication:
product:CouchDB port:5984
"Elasticsearch" port:9200

# Old vulnerable versions:
product:"Apache httpd" version:"2.2"
product:OpenSSL version:1.0

# Exposed RDP:
port:3389 os:"Windows Server 2008"

7. Quick Reference Filters

Target               Shodan Filter
MongoDB no auth      port:27017 -"requires auth"
Redis no auth        port:6379 "redis_version" -"requirepass"
Open Elasticsearch   port:9200 json
Log4Shell            vuln:CVE-2021-44228
IP Cameras           product:"Hikvision" port:80
Jenkins no auth      http.title:"Dashboard [Jenkins]" -"Authentication"
phpMyAdmin           http.title:"phpMyAdmin"