A comprehensive guide to mastering Shodan for reconnaissance, vulnerability research, and security auditing.
Note
Common Ports for IP Cameras
- HTTP: 80, 8080
- HTTPS: 443
- RTSP: 554
- Custom Ports: Vary by manufacturer (e.g., 81, 8888)
- Common Ports: 80, 443
- Search Queries:
title:"AXIS"|product:"Axis"
- Common Ports: 80, 8080
- Search Queries:
title:"DCS-930L"|product:"D-Link"
- Common Ports: 80, 88, 443
- Search Queries:
title:"Foscam"|product:"Foscam"
- Common Ports: 80, 1024
- Search Queries:
title:"Linksys WVC80N"|product:"Linksys"
- Common Ports: 80, 443
- Search Queries:
title:"Panasonic Network Camera"|product:"Panasonic"
- Common Ports: 80, 443
- Search Queries:
title:"Sony Network Camera"|product:"Sony"
- Common Ports: 80, 443
- Search Queries:
title:"TV-IP"|product:"Trendnet"
- Common Ports: 80, 8080
- Search Queries:
title:"TP-Link"|product:"TP-Link"
- Common Ports: 80, 443, 554, 8000, 8080
- Search Queries:
title:"Hikvision"|product:"Hikvision"
- Common Ports: 80, 443
- Search Queries:
title:"Vivotek"|product:"Vivotek"
- Common Ports: 80, 8888
- Search Queries:
title:"AVTech"|product:"AvTech"
- Common Ports: 80, 8080
- Search Queries:
title:"Wansview"|product:"Wansview"
- Common Ports: 80, 443, 554, 8000, 8080, 8081, 8888
- Search Queries:
title:"Dahua"|product:"Dahua"|html:"Dahua"
- Common Ports: 80, 443, 8080, 8443, 7080, 7443
- Search Queries:
title:"UniFi"|product:"Ubiquiti"|"UniFi Video"
- Common Ports: 80, 443, 8080
- Search Queries:
title:"Reolink"|product:"Reolink"|html:"Reolink"
- Common Ports: 80, 443, 8080
- Search Queries:
title:"Wyze"|product:"Wyze"
- Common Ports: 80, 443, 554, 8080, 8443
- Search Queries:
title:"Uniview"|product:"Uniview"
- Common Ports: 80, 8080, 8000
- Search Queries:
title:"Amcrest"|product:"Amcrest"
- Common Ports: 80, 443
- Search Queries:
title:"Lorex"|product:"Lorex"
- Common Ports: 80, 443, 8080
- Search Queries:
title:"Mobotix"|product:"Mobotix"
- Common Ports: 80, 443, 554, 8080
- Search Queries:
title:"Avigilon"|product:"Avigilon"
- Common Ports: 8080
- Search Queries:
title:"GoPro"|product:"GoPro"
- Common Ports: 80, 443, 554
- Search Queries:
title:"FLIR"|product:"FLIR"
Axis Cameras in the United States
title:"AXIS" country:"US"
Foscam Cameras with Screenshots
title:"Foscam" has_screenshot:true
Hikvision Cameras in New York
title:"Hikvision" city:"New York"
TP-Link Cameras on Port 8080
title:"TP-Link" port:8080
Vivotek Cameras Worldwide
title:"Vivotek"
D-Link Cameras on Custom Ports
title:"DCS-930L" port:8080
Dahua Cameras Worldwide
title:"Dahua"
Reolink Cameras in Europe
title:"Reolink" country:"DE" OR country:"GB" OR country:"FR"
UniFi Cameras with Screenshots
"UniFi Video" has_screenshot:true
Amcrest Cameras on Port 8080
title:"Amcrest" port:8080
Dahua Cameras with HTML Interface
html:"Dahua" port:80
Tip
Query Optimization & Best Practices
Master these techniques to write more effective and efficient Shodan queries.
OR Operator (Find Multiple Brands)
title:"Axis" OR title:"Hikvision" OR title:"Dahua"
AND Operator (Combine Filters)
title:"Camera" AND port:8080 AND country:"US"
NOT Operator (Exclude Results)
title:"Camera" NOT "authentication required"
Search by HTTP Header
header:"Server: Boa"
Search by Specific HTTP Status Codes
http.status:200 "admin"
Find Open Web Interfaces
"200 OK" http.title:"Index of"
Search Across Multiple Ports
title:"Camera" (port:80 OR port:8080 OR port:8888)
Combine Product Name with Vulnerable Versions
product:"Apache" "2.2.15"
Find Devices with Outdated Java
java org:*
Find Pages with Specific Keywords
"username" "password" filetype:html
Search for Default Pages
"It works!" "Apache"
Find Administrative Interfaces
title:"Admin" OR title:"Administration"
Find All Devices from a Specific Organization
org:"Company Name"
Search by Autonomous System Number (ASN)
asn:AS12345
Search by IP Range (CIDR Notation)
net:192.168.1.0/24
Find a Specific Service in Multiple Countries
title:"Camera" (country:"US" OR country:"CA" OR country:"MX")
Search Specific Regions for Vulnerable Services
"MongoDB Server Information" port:27017 region:"California"
Find Devices in a City with a Specific Product
product:"Cisco" city:"London"
- Use Specific Queries: More specific queries return faster results
- Avoid Common Keywords Alone: Instead of just port:80, combine with product or title
- Use has_screenshot Filter Sparingly: Screenshots slow down queries
- Limit Geographic Scope: Searching worldwide takes longer; narrow by country when possible
- Use Title/Product Filters: These are indexed and search faster than HTML content
| Filter | Usage | Example |
|---|---|---|
| title: | Search page title | title:"Admin Panel" |
| product: | Search product name | product:"Apache" |
| port: | Search specific port | port:22 |
| country: | Filter by country code | country:"US" |
| city: | Filter by city | city:"New York" |
| region: | Filter by state/region | region:"California" |
| org: | Search by organization | org:"Google" |
| asn: | Search by ASN | asn:AS15169 |
| net: | Search by IP range | net:8.8.8.0/24 |
| geo: | Search by coordinates | geo:"40.7128,-74.0060" |
| vuln: | Search by vulnerability | vuln:heartbleed |
| has_screenshot: | Include/exclude screenshots | has_screenshot:true |
| html: | Search in HTML content | html:"server version" |
| header: | Search HTTP headers | header:"Server: Nginx" |
Important
Common Vulnerabilities and Their Shodan Queries
These queries help identify common vulnerabilities. Always use findings responsibly and with proper authorization.
Heartbleed (CVE-2014-0160)
vuln:heartbleed
OpenSSL CCS Injection (CVE-2014-0224)
vuln:CVE-2014-0224
Shellshock (CVE-2014-6271)
vuln:CVE-2014-6271
EternalBlue (MS17-010)
vuln:ms17-010
FTP with Anonymous Login
"220" "Anonymous FTP login allowed"
Telnet with Default Credentials
"220" "telnet" "default password"
Outdated Apache Servers
"Apache/2.2.15"
Outdated IIS Servers
"Microsoft-IIS/6.0"
Open MongoDB Instances
"MongoDB Server Information" port:27017
ElasticSearch Instances Without Authentication
"200 OK" "elastic indices" port:9200
Open SMB Shares
port:445 "smb" "NT_STATUS_ACCESS_DENIED"
Exposed RDP Services
port:3389
Tip
Combining Vulnerability Queries with Geographic Filters
Narrow down vulnerability searches by location for more targeted research.
EternalBlue in the United States
vuln:ms17-010 country:"US"
Open MongoDB Instances in Germany
"MongoDB Server Information" port:27017 country:"DE"
Shellshock Vulnerable Servers in California
vuln:CVE-2014-6271 region:"California"
Heartbleed Vulnerable Servers in London
vuln:heartbleed city:"London"
Outdated Apache Servers with Screenshots in France
"Apache/2.2.15" country:"FR" has_screenshot:true
Elasticsearch with Screenshots in the UK
"200 OK" "elastic indices" port:9200 country:"GB" has_screenshot:true
FTP Servers with Anonymous Login in Japan
"220" "Anonymous FTP login allowed" country:"JP"
Note
Common Geographic Filters
- Country: country:"<country_code>"
- City: city:"<city_name>"
- Region/State: region:"<region_name>"
- Coordinates: geo:"<latitude>,<longitude>"
Web Servers in the United States
http country:"US"
FTP Servers in Germany
ftp country:"DE"
Telnet Servers in London, UK
telnet city:"London"
RDP Servers in California, USA
rdp region:"California"
MySQL Servers in Paris, France
mysql city:"Paris"
Elasticsearch Instances in Berlin, Germany
"elastic indices" port:9200 city:"Berlin"
SSH Servers in Specific Countries
- United States: ssh country:"US"
- Japan: ssh country:"JP"
HTTP Servers in Specific Cities
- New York: http city:"New York"
- Sydney: http city:"Sydney"
Database Servers in Specific Regions
- California: "database" region:"California"
- Ontario: "database" region:"Ontario"
Specific Services in Coordinated Areas
- Within a 10km radius of New York City: http geo:"40.7128,-74.0060,10"
Apache Servers in Germany with Screenshots
"Apache" country:"DE" has_screenshot:true
Elasticsearch in the UK and Open Ports
"elastic indices" country:"GB" port:9200
FTP Servers in France with Anonymous Login
"FTP" "Anonymous login allowed" country:"FR"
Axis Cameras in the Netherlands
"AXIS" country:"NL"
Hikvision Cameras in Los Angeles
"Hikvision" city:"Los Angeles"
Cisco Devices in California
"cisco" region:"California"
Note
Common Ports
- HTTP: 32400
Plex Media Servers Worldwide
"X-Plex-Protocol" port:32400
Plex Media Servers in the United States
"X-Plex-Protocol" port:32400 country:"US"
Plex Media Servers in Germany with Screenshots
"X-Plex-Protocol" port:32400 country:"DE" has_screenshot:true
Note
Common Ports
- SSH: 22
- HTTP: 80
Raspberry Pi Devices via SSH
"Raspbian" port:22
Raspberry Pi Devices via HTTP
"Raspberry Pi" port:80
Raspberry Pi Devices in the United States
"Raspbian" port:22 country:"US"
Note
Common Ports
- HTTPS: 8006
Proxmox Servers Worldwide
"Proxmox" port:8006
Proxmox Servers in the United States
"Proxmox" port:8006 country:"US"
Proxmox Servers with Screenshots
"Proxmox" port:8006 has_screenshot:true
Note
Common Streaming Protocols & Ports
- MJPEG: 8081, 8082, 8888
- RTSP: 554, 322
- HTTP: 80, 8080
Webcams with MJPEG Streams
"MJPEG Server" port:8081
Devices Streaming Video Content
"Motion JPEG" port:8888
RTSP Protocol Streams
port:554 "rtsp"
Webcams with No Authentication
"200 OK" "webcam" NOT "password"
Note
Common IoT Protocols & Ports
- MQTT: 1883
- CoAP: 5683
- ZigBee: 6100
- Smart Home Hubs: 8080-8090
IoT Devices via MQTT
port:1883
Smart Home Hubs Worldwide
title:"Home" OR title:"Smart" port:8080
MQTT Brokers with Open Connections
"MQTT" port:1883
IoT Devices from Manufacturers
product:"Arduino" OR product:"Raspberry Pi" OR product:"ESP"
Note
Common ICS/SCADA Protocols
- Modbus: 502
- Siemens S7: 102
- Profinet: 34962-34964
- OPC UA: 4840
Modbus Devices
port:502 "Modbus"
Siemens Control Systems
port:102 "Siemens"
Industrial Devices Worldwide
"Siemens" OR "Modbus" OR "PLC"
Note
Common NAS Brands & Ports
- QNAP: 8080, 8443
- Synology: 5000, 5001
- WD MyCloud: 80
QNAP NAS Devices
title:"QNAP" port:8080
Synology NAS Devices
"Synology" port:5000
Western Digital MyCloud
"WD MyCloud" port:80
Open NAS Shares
"NAS" "sharing" has_screenshot:true
Note
Common Database Ports
- MySQL: 3306
- PostgreSQL: 5432
- MongoDB: 27017
- Redis: 6379
- Cassandra: 9042
- Elasticsearch: 9200
Unprotected MongoDB Instances
"MongoDB Server Information" port:27017 -"authentication"
Redis Servers
"redis_version" port:6379
Open PostgreSQL Servers
port:5432 "PostgreSQL"
Elasticsearch Clusters
"elasticsearch" port:9200
MySQL Servers with Default Credentials
"MySQL" port:3306 -"Access denied"
Note
Common Remote Access Ports
- OpenVPN: 1194
- WireGuard: 51820
- IPSec VPN: 500, 4500
- RDP: 3389
- VNC: 5900-5999
OpenVPN Servers
"OpenVPN" port:1194
RDP Services with Screenshots
port:3389 has_screenshot:true
VNC Servers
port:5900 "RFB"
Citrix Servers
"Citrix" port:1494
Note
Common Printer Ports
- HP/Canon/Xerox: 80, 443, 9100 (JetDirect)
- Ricoh: 80, 443, 8080
HP Printers
"HP" port:9100
Canon Printers
title:"Canon" port:80
Xerox Devices
"Xerox" OR "WorkCentre"
Open Printer Interfaces
"printer" port:80 has_screenshot:true
Tip
Pro Tips for Finding Specific Vulnerabilities
Master these techniques for precise vulnerability discovery.
Finding Weak SSL/TLS Configurations
ssl:"OpenSSL/1.0" "weak"
Finding Devices with Exposed Information
"Basic realm" port:80
Finding CVE-Specific Vulnerabilities
"CVE-2021-21315"
Finding Devices by HTTP Response Headers
"X-Powered-By: PHP" port:80
Finding Devices Running Custom Applications
header:"X-Custom-Header"
Geographic Proximity Search
geo:"40.7128,-74.0060" _geo:5000
Note
Shodan CLI Commands
Command-line interface for powerful Shodan interactions.
pip install shodan
shodan init API_KEY
shodan search "apache"
shodan search "title:Camera" --fields ip_str,port,org,country,html
shodan download camera-results "title:Camera"
shodan host 8.8.8.8
shodan stream
shodan count "apache"
Strategy 1: Finding Devices by Vulnerability Chain
product:"Cisco" "privilege" "escalation"
Strategy 2: Finding Default Installation Instances
"default username is" OR "default password is"
Strategy 3: Finding Recently Indexed Devices
"200 OK" updated:>2024-11-01
Strategy 4: Finding Devices with Known CVEs
"Apache/2.4.49" OR "Apache/2.4.50"
Strategy 5: Finding Devices in Critical Infrastructure
"SCADA" OR "HMI" OR "historian"
- Shodan Dorking: Use complex queries to find specific devices
- Censys: Alternative internet scan database
- Shodan Scripts: Official GitHub repository with helpful scripts
- Shodan Maps: Geographic visualization of devices
- Security Research: Use Shodan for vulnerability research
- Threat Intelligence: Monitor for exposed company devices
- Network Discovery: Map your organization's external footprint
- Compliance: Identify devices not in compliance with policies
- Identify vulnerable devices
- Track exploitation of CVEs
- Monitor emerging threats
- Recon targets (with authorization)
- Find internet-facing services
- Identify tech stacks
- Audit exposed services
- Monitor your organization's external presence
- Identify rogue devices
- Monitor brand/product mentions
- Identify misconfigurations
- Track shadow IT
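For the defensive use cases listed above (auditing exposed services, spotting rogue devices and shadow IT), the following is an added example, not code from this guide or from the Shodan project. It assumes results for your own range were saved with `shodan download` using a `net:` query and decompressed to JSON lines; the network range, approved-services list and sample banners are constructed placeholders.

```python
import ipaddress
import json

# Assumptions for this example: your own public range and the services you
# intend to expose. 203.0.113.0/24 is a documentation range used as a stand-in.
OWNED_NETS = ["203.0.113.0/24"]
APPROVED = {("203.0.113.10", 80), ("203.0.113.10", 443)}
# Ports this page associates with remote access, databases, streams and ICS.
SENSITIVE_PORTS = {445: "SMB", 502: "Modbus", 554: "RTSP", 1883: "MQTT",
                   3389: "RDP", 5900: "VNC", 6379: "Redis",
                   9200: "Elasticsearch", 27017: "MongoDB"}

# Constructed banners, one JSON object per line, as in a decompressed
# `shodan download` file. None of these describe a real host.
SAMPLE = """\
{"ip_str": "203.0.113.10", "port": 443, "org": "Example Corp", "product": "nginx"}
{"ip_str": "203.0.113.40", "port": 3389, "org": "Example Corp"}
{"ip_str": "203.0.113.77", "port": 8080, "org": "Example Corp", "product": "Boa"}
{"ip_str": "198.51.100.5", "port": 27017, "org": "Other Org", "product": "MongoDB"}
"""


def audit(jsonl, owned=OWNED_NETS, approved=APPROVED):
    """Return sorted (severity, ip, port, service) for unapproved exposure."""
    nets = [ipaddress.ip_network(n) for n in owned]
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        banner = json.loads(line)
        ip, port = banner["ip_str"], banner["port"]
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            continue  # outside our ranges: not ours to assess
        if (ip, port) in approved:
            continue  # expected, documented service
        if port in SENSITIVE_PORTS:
            findings.append(("high", ip, port, SENSITIVE_PORTS[port]))
        else:
            findings.append(("review", ip, port, banner.get("product") or "unknown"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Anything reported as "high" is a service from the sensitive-port list that nobody approved; "review" entries are unapproved but not on that list.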
Important
Ethical Considerations
- Permission: Always have explicit permission to search and access devices before attempting any kind of access or testing.
- Responsibility: Use the information to help improve security and report vulnerabilities responsibly.
- Legal Compliance: Ensure compliance with all legal regulations and guidelines (CFAA, GDPR, etc.).
- No Malicious Intent: Do not use Shodan searches for illegal activities, unauthorized access, or data theft.
Tip
Best Practices for Reporting Found Issues
Responsible disclosure is essential for ethical security research.
1. Identify the Vulnerability
- Confirm the vulnerability exists
- Document your findings with evidence
- Note the affected systems and versions
2. Find Contact Information
- Look for security.txt file at /.well-known/security.txt
- Check the organization's website for security contacts
- Search for published vulnerability disclosure policies
- Use reverse DNS or whois for contact details
3. Report Responsibly
- Send detailed technical report to security contact
- Provide reasonable timeline for patching (typically 90 days)
- Do not publicly disclose before vendor has patched
- Offer to assist with verification of the fix
4. Document Everything
- Keep records of all communications
- Note dates and responses received
- Track patch releases and updates
| Timeline | Action |
|---|---|
| Day 1 | Discover and confirm vulnerability |
| Day 1 | Contact vendor with details |
| Day 30 | Follow up if no response |
| Day 60 | Consider escalation |
| Day 90 | Coordinate public disclosure after patch |
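For step 2 of the reporting procedure above, this added example (not part of the original guide) parses a security.txt file in the RFC 9116 format and returns the disclosure contacts together with any problems that make them unreliable. The sample file and the vendor.example domain are constructed placeholders, and the function names are this example's own.

```python
from datetime import datetime, timezone

# Constructed security.txt for a placeholder domain, not a real vendor's file.
SAMPLE_SECURITY_TXT = """\
# Constructed example
Contact: mailto:security@vendor.example
Contact: https://vendor.example/report
Expires: 2031-01-01T00:00:00Z
Policy: https://vendor.example/disclosure-policy
"""


def parse_security_txt(text):
    """Map lower-cased field names to their values, in file order."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN PGP SIGNATURE"):
            break  # trailing signature block of a cleartext-signed file
        if not line or line.startswith(("#", "-----")):
            continue  # blank line, comment or armor header
        name, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def disclosure_contacts(text, now=None):
    """Return (contacts, problems); contacts stay in the file's preference order."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    contacts = fields.get("contact", [])
    problems = []
    if not contacts:
        problems.append("no Contact field")
    for uri in contacts:
        if not uri.lower().startswith(("mailto:", "tel:", "https://")):
            problems.append("unexpected contact scheme: " + uri)
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= now:
                problems.append("file expired, contacts may be stale")
        except (ValueError, TypeError):
            problems.append("unparseable Expires value")
    return contacts, problems
```

A non-empty problems list is a cue to fall back to the other contact sources in step 2 before sending the report.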
Note
Pre-Search Checklist
Before conducting any Shodan search, ensure you've covered these items:
- Do you have authorization to perform this search?
- Is your search for legitimate security purposes?
- Have you reviewed the legal implications in your jurisdiction?
- Are you prepared to responsibly disclose any vulnerabilities?
- Have you understood Shodan's Terms of Service?
- Will you report findings to the appropriate parties?
- Over-Broad Searches: Refine queries to reduce false positives
- Ignoring False Positives: Not every result is actually vulnerable
- Unauthorized Testing: Never attempt to access systems without permission
- Public Disclosure: Never publicly disclose before the vendor has patched
- Assuming Ownership: Just because a service is exposed doesn't mean you should access it
- Ignoring Honeypots: Some honeypots are intentionally exposed for research