Shodan is a search engine, but not for web pages: it indexes the devices and services that run on the internet. Web cameras, routers, industrial controllers, databases, web servers, mail servers, VPN endpoints, smart appliances, ports left open by accident: Shodan finds them, fingerprints them, and lets you query the entire dataset.
For defenders, it's an essential tool for understanding your own attack surface. For researchers, it's a window into how the global internet is actually configured. For attackers, it's a reconnaissance accelerator, which is exactly why defenders need to know what it shows.
What Shodan is
Shodan continuously scans the public IPv4 address space (and now significant chunks of IPv6) on a wide range of TCP and UDP ports. When it finds something responding, it captures the service banner (the metadata the service announces in its initial response) and indexes it. The result is a searchable database of nearly every internet-facing service in existence.
Things Shodan can tell you about an IP address:
- Which ports are open
- What software is listening on each port (and often the version)
- Approximate physical location and the ISP/organization
- Whether the service has any well-known vulnerabilities (matched against the CVE database)
- SSL/TLS certificate metadata and chain
- For some categories of devices: actual content (a webcam thumbnail, a database schema)
How it works under the hood
The high-level pipeline:
- Distributed scanners sweep the internet, connecting briefly to each IP on a rotating set of ports.
- Banner grabbing: the scanner records the first few KB the service sends back. For HTTP that's headers; for SSH it's the version string; for industrial protocols it's whatever the protocol identifies itself with.
- Parsing and enrichment: the banner is parsed, software/version extracted, GeoIP applied, CVE database consulted.
- Indexing: the structured result lands in a searchable database with timestamps so you can see how a host changed over time.
- Continuous rescanning โ large portions of the internet are re-fingerprinted on a rolling basis.
Query basics
Shodan supports free-text search and structured filters. Free text matches against banner content; filters are typed (key:value).
Examples of free-text searches:
- apache (anything with "apache" in the banner)
- "server: nginx" (exact string match; quotes are required for phrases)
- "default password" (devices that announce a default credential in their banner)
Free text is rarely what you want for serious work. Filters are where Shodan becomes powerful.
Useful filters
A non-exhaustive list of filters that come up constantly:
- port:22 (services on a specific port)
- country:US / country:DE (restrict to a country)
- city:"San Francisco" (restrict to a city)
- org:"My Organization" (match by organization: ISP, hosting provider, or corporate name)
- net:198.51.100.0/24 (match a specific IP range, in CIDR notation)
- hostname:.example.com (services with hostnames matching a pattern)
- product:nginx (services Shodan has identified as nginx)
- version:"1.18.0" (a specific version string)
- os:"Windows Server 2019" (operating system fingerprint)
- has_screenshot:true (devices with a captured screenshot, often misconfigured cameras)
- vuln:CVE-2021-44228 (devices Shodan thinks are vulnerable to a specific CVE)
- ssl.cert.subject.cn:"example.com" (TLS certificate subject name match)
- http.title:"Login" (pages with specific title text)
Filters combine with AND by default. Use minus (-) for NOT and parentheses sparingly.
Practical example searches
These are search patterns used in legitimate defensive and research contexts. Run them against your own organization's IP ranges only.
Discover your organization's internet-facing services
net:YOUR.CIDR.HERE/24, replacing the placeholder with a CIDR block you own. The result is an external view of your attack surface, exactly as an attacker would see it.
Find expired or weak TLS certificates
net:YOUR.CIDR/24 ssl.cert.expired:true surfaces certificates that have lapsed. This is a surprisingly common problem at scale.
Find services accidentally exposed
Database ports (port:5432 for Postgres, port:27017 for MongoDB, port:6379 for Redis) on the public internet are a red flag. Run against your own network.
Audit specific software versions
If a critical CVE drops for nginx 1.20.0, product:nginx version:"1.20.0" net:YOUR.CIDR finds your exposure quickly.
Industrial / IoT discovery
port:502 matches Modbus services. port:44818 matches EtherNet/IP. These shouldn't be on the public internet: find them and take them off.
Defender use cases (the right way to use Shodan)
- Continuous attack surface monitoring. Run weekly searches against your CIDR ranges. Anything new is worth investigating.
- Verify firewall changes worked. After tightening a firewall rule, re-scan to confirm the affected ports actually closed externally.
- Shadow IT discovery. Search by your organization's name and TLS cert metadata. Find services running on cloud accounts you didn't know about.
- Vendor and supplier risk. Run searches against suppliers' organizations. If a critical vendor exposes Redis on the public internet, your data may be at risk.
- M&A due diligence. Before acquiring a company, audit their external attack surface.
- Incident response. When a CVE is published for a specific product/version, Shodan tells you which of your assets are affected.
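The weekly monitoring, firewall verification, exposed-database and CVE-response workflows above all reduce to comparing Shodan result snapshots for your own CIDR. The following is an added example (not code from the article or from Shodan's own library) that assumes you have already fetched the `matches` list for a `net:` query with the Shodan API and saved it; the two snapshots here are constructed inline so it runs offline, using Shodan's result field names (ip_str, port, product, version, ssl).

```python
"""Diff two Shodan result snapshots of your own address space."""
import ipaddress

# Ports the article flags as red flags when reachable from the public internet
RISKY_PORTS = {5432: "PostgreSQL", 27017: "MongoDB", 6379: "Redis",
               502: "Modbus", 44818: "EtherNet/IP"}

# Constructed sample data shaped like entries in Shodan's `matches` list
LAST_WEEK = [
    {"ip_str": "198.51.100.10", "port": 443, "product": "nginx", "version": "1.18.0"},
    {"ip_str": "198.51.100.10", "port": 22, "product": "OpenSSH", "version": "8.2"},
    {"ip_str": "198.51.100.20", "port": 3389, "product": "Remote Desktop Protocol"},
]
THIS_WEEK = [
    {"ip_str": "198.51.100.10", "port": 443, "product": "nginx", "version": "1.18.0",
     "ssl": {"cert": {"expired": True}}},
    {"ip_str": "198.51.100.10", "port": 22, "product": "OpenSSH", "version": "8.2"},
    {"ip_str": "198.51.100.30", "port": 6379, "product": "Redis"},
]


def in_scope(matches, cidr):
    """Keep only results inside the CIDR you own; drops noise from broad org: queries."""
    net = ipaddress.ip_network(cidr)
    return [m for m in matches if ipaddress.ip_address(m["ip_str"]) in net]


def services(matches):
    """Index results by (ip, port) so two snapshots can be compared as sets."""
    return {(m["ip_str"], m["port"]): m for m in matches}


def diff_snapshots(old, new, cidr):
    """Report new exposures, ports that closed (firewall change verified),
    risky database/ICS ports, and expired TLS certificates."""
    old_s, new_s = services(in_scope(old, cidr)), services(in_scope(new, cidr))
    return {
        "new": sorted(set(new_s) - set(old_s)),
        "closed": sorted(set(old_s) - set(new_s)),
        "risky": sorted(k for k in new_s if k[1] in RISKY_PORTS),
        "expired_tls": sorted(k for k, m in new_s.items()
                              if m.get("ssl", {}).get("cert", {}).get("expired")),
    }


def version_exposure(matches, product, version):
    """Hosts running a specific product/version: the question a new CVE raises."""
    return sorted((m["ip_str"], m["port"]) for m in matches
                  if m.get("product") == product and m.get("version") == version)
```

In practice the snapshots come from `api.search("net:YOUR.CIDR/24")["matches"]` on successive runs; with paid tiers the same query gives full paging over larger ranges.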
Alternatives and complements
Shodan isn't the only player in this space. Each has slightly different scan cadence and indexing focus:
- Censys: strong on TLS certificate transparency and structured fingerprinting; popular in academic research.
- ZoomEye: China-based, with broader visibility into Asia-Pacific networks.
- BinaryEdge: an emerging player with a strong API.
- FOFA: China-based, with deep industrial protocol coverage.
- Onyphe: France-based, with a threat-intelligence focus.
Most serious researchers run at least two in parallel and reconcile differences.
Ethics and access
Shodan is legal to use; using its findings to gain unauthorized access to systems is not. The line is bright and worth restating:
- Finding an exposed database via Shodan: legal.
- Connecting to it without authorization: a crime.
- Reporting the exposure to the owner: ethical and often appreciated.
- Public disclosure with the owner's name and screenshots: requires careful judgment about responsible disclosure.
Shodan offers a free tier with significant limits and paid tiers for professional use. Educational and academic discounts are available.
For OSINT context broader than Shodan, see our OSINT introduction, Google Dorks, and the broader OSINT toolkit.
- Shodan: official site
- Shodan: help center
- Censys: Censys search
- MITRE CVE: CVE database