SANS Penetration Testing

Getting the Most Out of Shodan Searches

By Joshua Wright and Jeff McJunkin

Shodan is a search engine that takes a distinct departure from most Internet search engines. Instead of searching through content intentionally served up and delivered to web browsers, Shodan allows us to search for Internet-connected devices. Created by John Matherly, Shodan uses distributed scanners throughout the world to randomly select target IP addresses and identify listening TCP and UDP ports. Listening ports are further enumerated to gather protocol banners, web pages, and other service data. All of this data is then added to an enormous, searchable database that describes the "what" of Internet devices.


Shodan's search feature is powerful, allowing us to specify generic terms such as "camera" or even a specific part number such as "WVC80N" and quickly identify the devices that match.



Beyond the web interface, Shodan offers a full-featured API and command-line tools to search and parse the Internet-device results. In this article we'll focus on using the web interface for effective device searches, as well as tips to use Shodan in your next penetration test.

Default Search Behavior

By default, Shodan's website search feature will use a search term as an exact expression in a string match. Shodan does not do incomplete word matching (e.g. "WVC80" will not return matches against "WVC80N"), and will treat multiple words as a logical AND expression. Common words (a, and, by, the, is, on, it) are ignored.

The basic search will perform string matching against server banner information without searching through additional protocol metadata that is also gathered about the discovered devices. The Shodan documentation doesn't disclose exactly what protocol data is used in the default search, but empirical analysis indicates that it includes at least the following:

  • HTTP header information
  • HTTPS header and certificate information
  • Several gaming server banners (Steam's A2S, Minecraft, and more)
  • FTP banners
  • NetBIOS server banner
  • SSH header and server key data
  • Telnet banner
  • SMTP banner
  • NTP banner
  • SIP/VoIP banner
  • DNS server configuration settings
  • And more!


Metadata about a service is not searched by default. That metadata includes:

  • HTML title tag content
  • HTML header and body content
  • Physical location (via IP geolocation)
  • Autonomous System Number (ASN)
  • Internet Service Provider (by name, such as "Verizon Wireless")

Shodan Search Operators

To perform more advanced searches using Shodan, we can apply search operators. Search operators are only available to registered users. It's free to create an account, which will also give you an API key for use with Shodan's command-line tool.

Once you are logged in, you can apply additional search modifiers to focus your search. Search operators include:

  • title: Search the content scraped from the HTML title tag
  • html: Search the full HTML content of the returned page
  • product: Search the name of the software or product identified in the banner
  • net: Search a given netblock (example:
  • version: Search the version of the product
  • port: Search for a specific port or ports
  • os: Search for a specific operating system name
  • country: Search for results in a given country (2-letter code)
  • city: Search for results in a given city

Some filters allow multiple values, such as "postal:97201,97202".

By default, multiple search terms are treated as Boolean AND expressions. You can also negate a particular operator by placing the "!" character at the beginning of it. For example, to search for machines running Outlook Web Access on ports other than 80 and 443, you can combine the title and port operators as follows:

Search query: title:"Outlook Web Access" !port:443,80

Applying Shodan in your Pen Test

It's easy to dismiss Shodan as a tool for opportunistically finding vulnerable devices: an attacker's search engine. However, doing so overlooks the benefits that Shodan can offer you and your customers in a penetration test.

Answering Questions About Similar Vulnerabilities

When putting together a report for a customer, I try to answer the inevitable question "How many others are similarly vulnerable?" Sometimes the question is asked in an attempt to justify a vulnerable configuration as commonplace or industry standard, or defensively, to explain why the customer continues to run Outlook Web Access on an IIS 5.0 server.

Using Shodan, you can quickly use the search criteria described in this article to answer that question. At the time of this writing, there appear to be no fewer than 18 publicly accessible IIS/5.0 servers running Outlook Web Access. Adding this level of detail to a penetration test report can help your customer to better understand the nature of the risk in the context of other similar configurations.

Search query: Microsoft-IIS/4.0 title:"outlook web"

Scoping Targets by Network

Shodan can quickly disclose information about target devices scoped to a specific range of IP addresses. This can be useful for getting a quick understanding of your customer's assets, and the services on those assets, as known to Shodan.

For example, this author's office Internet access uses IP addresses in block through Verizon FIOS. I can ask Shodan how many people with IP addresses in my network also have their routers available for remote authentication and access. Apparently, it's far too many.

Search query: net: unauthorized
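
To make the search semantics concrete, here is an added example (my own code, not from the article and not Shodan's own implementation) that models the behaviour described above: the default search matches whole terms against banner text only, common words are dropped, multiple terms are ANDed, operators such as title:, html:, port:, org: and net: search metadata instead of the banner, comma-separated values match any of the values, and a leading "!" or "-" negates a term. It runs offline against constructed sample records shaped like Shodan's banner JSON (field names such as ip_str, data, http.title and org follow the public API; the values are made up), so it also serves the "how many others are similarly vulnerable" counting and the net: scoping discussed in this section. The matching rules are a simplified assumption for illustration.

```python
"""Offline model of Shodan query semantics (added example, not Shodan's code)."""
import ipaddress
import re

# Common words the article says the default search ignores.
STOP_WORDS = {"a", "and", "by", "the", "is", "on", "it"}

# Constructed sample records in the shape of Shodan's banner JSON.
# Field names follow the public API; every value below is made up.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 80, "org": "Example ISP",
     "data": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n",
     "http": {"title": "Microsoft Outlook Web Access", "html": "<html>owa</html>"}},
    {"ip_str": "203.0.113.22", "port": 8080, "org": "Example ISP",
     "data": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n",
     "http": {"title": "Microsoft Outlook Web Access", "html": "<html>owa</html>"}},
    {"ip_str": "198.51.100.7", "port": 443, "org": "EBAY",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n",
     "http": {"title": "eBay Deals", "html": "(c) eBay Inc. All Rights Reserved"}},
    {"ip_str": "198.51.100.9", "port": 80, "org": "Some Hosting Co",
     "data": "HTTP/1.1 200 OK\r\nServer: Apache\r\n",
     "http": {"title": "eBay Deals", "html": "(c) eBay Inc. All Rights Reserved"}},
    {"ip_str": "203.0.113.40", "port": 80, "org": "Example ISP",
     "data": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"router\"\r\n",
     "http": {"title": "401 Unauthorized", "html": ""}},
]

# One query term: optional "!" or "-" negation, optional "key:", then a
# double-quoted phrase or a bare token.
TOKEN_RE = re.compile(r'(?P<neg>[!-])?(?:(?P<key>\w+):)?(?:"(?P<q>[^"]*)"|(?P<bare>\S+))')


def parse_query(query):
    """Return a list of (negated, key, values) terms; key is None for banner terms."""
    terms = []
    for m in TOKEN_RE.finditer(query):
        value = m.group("q") if m.group("q") is not None else m.group("bare")
        key = m.group("key").lower() if m.group("key") else None
        if key is None and value.lower() in STOP_WORDS:
            continue  # common words are ignored in the default search
        # Operators accept comma-separated alternatives, e.g. port:443,80
        values = value.split(",") if key else [value]
        terms.append((bool(m.group("neg")), key, values))
    return terms


def _contains_term(haystack, needle):
    """Case-insensitive whole-term match: 'WVC80' does not match 'WVC80N'."""
    pattern = r"(?<!\w)" + re.escape(needle) + r"(?!\w)"
    return re.search(pattern, haystack, re.IGNORECASE) is not None


def _field_matches(banner, key, value):
    """Evaluate one operator value against one banner record."""
    http = banner.get("http", {})
    loc = banner.get("location", {})
    if key is None:  # default search: banner text only, no metadata
        return _contains_term(banner.get("data", ""), value)
    if key == "title":
        return _contains_term(http.get("title", ""), value)
    if key == "html":
        return _contains_term(http.get("html", ""), value)
    if key == "port":
        return banner.get("port") == int(value)
    if key == "net":  # CIDR scoping, e.g. net:203.0.113.0/24
        return ipaddress.ip_address(banner["ip_str"]) in ipaddress.ip_network(value, strict=False)
    if key == "org":
        return value.lower() in banner.get("org", "").lower()
    if key == "country":
        return loc.get("country_code", "").upper() == value.upper()
    if key == "city":
        return loc.get("city", "").lower() == value.lower()
    if key in ("product", "version", "os"):
        return str(banner.get(key, "")).lower() == value.lower()
    raise ValueError(f"unsupported operator: {key}")


def matches(banner, query):
    """All terms are ANDed; a multi-value term hits if any value hits; negation inverts."""
    for negated, key, values in parse_query(query):
        hit = any(_field_matches(banner, key, v) for v in values)
        if hit == negated:
            return False
    return True


def search(banners, query):
    return [b for b in banners if matches(b, query)]


def count(banners, query):
    """Answers the report question 'how many others look like this?'."""
    return len(search(banners, query))


if __name__ == "__main__":
    for q in ('title:"Outlook Web Access" !port:443,80',
              'Microsoft-IIS/5.0 title:"outlook web"',
              "net:203.0.113.0/24 unauthorized",
              'title:"eBay Deals" -org:"EBAY"'):
        print(f"{count(SAMPLE_BANNERS, q):>3}  {q}")
```

Running the script prints a count per query; the OWA query with !port:443,80 returns only the host listening on 8080, and the eBay query with -org:"EBAY" returns only the host hosted outside eBay's own registry allocation, which is the "unknown property" case the next section describes.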

Scoping Targets Without IP Ranges

Sometimes the point of contact you are working with to scope your penetration test might not be aware of the company's entire web presence. By searching for identifying features of the website (such as the copyright notice), you may be able to find lesser-known sites for a given organization.

As a penetration tester, identifying targets owned by the organization that it doesn't know about lets you clearly demonstrate your value and usefulness as a security analyst.

For example, a search for html:"eBay Inc. All Rights Reserved" shows a small number of sites (eBay has excluded a lot of their web properties from Shodan) that may not be as well known:

Search query: html:"eBay Inc. All Right Reserved"

If your target is large enough to have Regional Internet Registry allocations (where the WHOIS information reflects the organization name), you can combine negative searches to exclude the known ranges with the html filter (searching for copyright or other unique strings) or the "org" filter.

Search query: title:"eBay Deals" -org:"EBAY"

Shodan and You

Using the power of Shodan and some creative thinking, you can provide additional value to your penetration tests. Use some of these ideas in your next pen test and see if you can find some targets that were supposed to be in scope, but weren't! Above all, have fun discovering new things on the Internet and providing more value to target system personnel.

-Josh Wright and Jeff McJunkin


Posted December 11, 2015 at 5:48 PM


Good article.

Posted February 2, 2016 at 6:14 PM

Tom Wood

While I appreciate the value of such a data aggregation, I'm concerned about the ethics of using, especially in light of Snort's blacklisting of them and the recent revelation of them scanning IPv6 machines that used their NTP servers published through's efforts. Should white hats use what might be described as gray hats' resources?

Posted July 4, 2016 at 4:13 AM


tnx author :X

Posted January 4, 2018 at 5:32 PM

SEO Sheffield

What about other engines like google that use them?