Information Gathering with Shodan

Shodan

Shodan officially describes itself as a computer search engine (Computer Resource Search Engine). The American John Matherly spent nearly 10 years building it, and it can search nearly all US industrial control systems and systems connected to the network.

Unlike traditional search engines such as Google, which use web crawlers to traverse entire sites, Shodan goes directly into the channels behind the Internet, audits the ports of all types of devices, and never stops looking for every server, camera, printer, router, and other device associated with the Internet. Each month Shodan gathers information around the clock from about 500 million servers.

Shodan only searches for network equipment. Many devices should not be connected to the Internet. However, through the negligence and laziness of local network administrators, they are plugged directly into the same network as ordinary personal computers: car washing machines, temperature controllers, traffic surveillance cameras, heating systems, routers, printers, cameras, servers, and so on. Users can search Shodan for these devices that should not be connected to the Internet and obtain critical information from most unprotected devices to gain control. Hackers can use Shodan to search for numerous servers with weak firewalls, set up backdoors, and turn them into botnets for cyber attacks.

Shodan works well with basic, single-term searches. Here are the basic search filters you can use:

  • city: find devices in a particular city
  • country: find devices in a particular country
  • geo: you can pass it coordinates
  • hostname: find values that match the hostname
  • net: search based on an IP or /x CIDR
  • os: search based on an operating system
  • port: find particular ports that are open
  • before/after: find results within a timeframe

Below is the list of Shodan filters by Javier Olmedo:

General Filters

| Name | Description | Type |
|---|---|---|
| after | Only show results after the given date (dd/mm/yyyy) | string |
| asn | Autonomous system number | string |
| before | Only show results before the given date (dd/mm/yyyy) | string |
| category | Available categories: ics, malware | string |
| city | Name of the city | string |
| country | The 2-letter country code | string |
| geo | Accepts between 2 and 4 parameters. If 2 parameters: latitude, longitude. If 3 parameters: latitude, longitude, range. If 4 parameters: top left latitude, top left longitude, bottom right latitude, bottom right longitude. | string |
| hash | Hash of the data property | integer |
| has_ipv6 | True / False | boolean |
| has_screenshot | True / False | boolean |
| hostname | A full hostname for the device | string |
| ip | Alias for net filter | string |
| isp | ISP managing the netblock | string |
| net | Network range in CIDR notation (ex. 199.4.1.0/24) | string |
| org | The organization assigned the netblock | string |
| os | Operating system | string |
| port | Port number for the service (integer) | string |
| postal | Postal code (US-only) | string |
| product | Name of the software / product providing the banner | string |
| region | Name of the region / state | string |
| state | Alias for region | string |
| version | Version for the product | string |
| vuln | CVE ID for a vulnerability | string |

HTTP Filters

| Name | Description | Type |
|---|---|---|
| http.component | Name of web technology used on the website | string |
| http.component_category | Category of web components used on the website | string |
| http.html | HTML of web banners | string |
| http.html_hash | Hash of the website HTML | integer |
| http.status | Response status code | integer |
| http.title | Title for the web banner's website | string |

NTP Filters

| Name | Description | Type |
|---|---|---|
| ntp.ip | IP addresses returned by monlist | string |
| ntp.ip_count | Number of IPs returned by initial monlist | integer |
| ntp.more | True / False; whether there are more IP addresses to be gathered from monlist | boolean |
| ntp.port | Port used by IP addresses in monlist | integer |

SSL Filters

| Name | Description | Type |
|---|---|---|
| has_ssl | True / False | boolean |
| ssl | Search all SSL data | string |
| ssl.alpn | Application layer protocols such as HTTP/2 ("h2") | string |
| ssl.chain_count | Number of certificates in the chain | integer |
| ssl.version | Possible values: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 | string |
| ssl.cert.alg | Certificate algorithm | string |
| ssl.cert.expired | True / False | boolean |
| ssl.cert.extension | Names of extensions in the certificate | string |
| ssl.cert.serial | Serial number as an integer or hexadecimal string | integer / string |
| ssl.cert.pubkey.bits | Number of bits in the public key | integer |
| ssl.cert.pubkey.type | Public key type | string |
| ssl.cipher.version | SSL version of the preferred cipher | string |
| ssl.cipher.bits | Number of bits in the preferred cipher | integer |
| ssl.cipher.name | Name of the preferred cipher | string |

Telnet Filters

| Name | Description | Type |
|---|---|---|
| telnet.option | Search all the options | string |
| telnet.do | The server requests that the client support these options | string |
| telnet.dont | The server requests that the client not support these options | string |
| telnet.will | The server supports these options | string |
| telnet.wont | The server doesn't support these options | string |
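
The filters in the tables above combine into a single query as space-separated `name:value` pairs. The following Python helper is an added example, not code from the original article or from Shodan: it composes such a query and rejects values that do not match a filter's type, which helps when scripting exposure checks of your own netblock. The `FILTER_TYPES` subset, the function names, and the 203.0.113.0/24 documentation range are assumptions made for illustration.

```python
import ipaddress
import re

# Filter name -> value kind, a subset of the tables above (assumed mapping;
# "cidr", "date" and "geo" are finer-grained checks on string-typed filters,
# and port is validated as an integer port number).
FILTER_TYPES = {
    "net": "cidr", "port": "integer", "country": "string", "city": "string",
    "org": "string", "product": "string", "before": "date", "after": "date",
    "geo": "geo", "has_ssl": "boolean", "has_screenshot": "boolean",
    "ssl.cert.expired": "boolean", "ssl.version": "string",
    "http.status": "integer", "http.title": "string",
}

def format_value(name, value):
    """Validate one filter value against its kind and render it for a query."""
    kind = FILTER_TYPES.get(name)
    if kind is None:
        raise ValueError(f"unknown filter: {name}")
    if kind == "boolean":
        if not isinstance(value, bool):
            raise ValueError(f"{name} expects True or False")
        return "true" if value else "false"
    if kind == "integer":
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{name} expects an integer")
        return str(value)
    if kind == "cidr":
        # Normalises the range and raises ValueError on malformed input.
        return str(ipaddress.ip_network(value, strict=False))
    if kind == "date":
        if not re.fullmatch(r"\d{2}/\d{2}/\d{4}", str(value)):
            raise ValueError(f"{name} expects dd/mm/yyyy")
        return value
    if kind == "geo":
        parts = [str(p) for p in value]
        if not 2 <= len(parts) <= 4:
            raise ValueError("geo accepts between 2 and 4 parameters")
        for p in parts:
            float(p)  # each coordinate or range must be numeric
        return ",".join(parts)
    text = str(value)
    if '"' in text:
        raise ValueError(f"{name} value must not contain a double quote")
    # Values containing whitespace must be quoted to stay one term.
    return f'"{text}"' if re.search(r"\s", text) else text

def build_query(filters):
    """Join validated filters into one space-separated query string."""
    return " ".join(f"{n}:{format_value(n, v)}" for n, v in filters.items())
```

For instance, `build_query({"net": "203.0.113.0/24", "port": 23})` returns `net:203.0.113.0/24 port:23`, a query for Telnet services exposed inside that range.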


Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Malware analyst || Malware Investigator || Reverse Engineering

SC ProDefence SRL - Cyber Security Services