
Updated 8 hours ago

Google indexes what people choose to publish. Shodan indexes what devices accidentally reveal—every server, router, webcam, and industrial controller that answers when a stranger connects. The search engine at shodan.io has been quietly cataloging the Internet's infrastructure since 2009, and what it finds is equal parts fascinating and unsettling.

Shodan doesn't hack anything. It knocks on doors. The disturbing part is how many doors answer.

How Shodan Works

Shodan continuously scans the entire IPv4 address space, connecting to common ports and recording the responses. When your web server responds to a connection with "Apache/2.4.41 (Ubuntu)" it's not being hacked—it's introducing itself, the way it does to every visitor. Shodan just happens to be visiting everything.

For each device that responds, Shodan records:

  • IP address and geolocation
  • Open ports and what services run on them
  • Banner information—the identification strings services broadcast
  • SSL/TLS certificate details
  • HTTP headers, titles, and page content
  • Known vulnerabilities based on version information
  • Historical snapshots showing changes over time

This creates a searchable database of Internet-connected devices. What would take you weeks of scanning happens instantly—Shodan has already done the work.

Searching Shodan

Visit shodan.io and create a free account. The search syntax is straightforward but powerful.

Find specific software:

apache
nginx
openssh

Filter by location:

country:US
city:"San Francisco"
country:DE port:22

Search by port:

port:22          # SSH
port:3389        # Remote Desktop
port:23          # Telnet (yes, still exists)

Target organizations:

org:"Amazon"
org:"Google"
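net:203.0.113.0/24   # a public CIDR block (documentation range shown as a placeholder; private ranges such as 192.168.0.0/16 are not routable and never appear in Shodan)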

Find specific versions:

product:OpenSSH version:7.4
product:nginx version:1.10

The real power comes from combining filters. country:US port:23 os:"Linux" finds Telnet servers running on Linux in the United States—devices using a protocol from 1969 that sends passwords in plain text.

What Shodan Reveals

Shodan makes visible what most people assume is hidden.

Default credentials everywhere. Search for "default password" or http.title:"DVR Login" and you'll find thousands of devices with their factory credentials still active. Shodan doesn't provide passwords, but finding a login page titled "admin/admin" tells you everything you need to know.

Industrial control systems online. The systems controlling power grids, water treatment plants, and manufacturing floors were supposedly air-gapped—disconnected from the Internet. Shodan proves otherwise:

"Siemens, SIMATIC"
port:502          # Modbus protocol
port:102          # Siemens S7

These queries find programmable logic controllers that were never meant to be reachable from a coffee shop in another country. The "air gap" was always a fiction we told ourselves.

Webcams and IoT devices. Millions of cameras, DVRs, and smart devices sit exposed:

"HIKVISION"
product:webcamXP
http.title:"IP Camera"

Many have known vulnerabilities. Many use default credentials. Shodan shows the scale of the problem in a way that abstract warnings never could.

Expired certificates and forgotten servers. Search ssl.cert.expired:true and you'll find servers with expired SSL certificates—often test environments, forgotten deployments, or infrastructure that nobody's maintained in years. Still running. Still answering.

Vulnerability Research

Shodan can search for specific CVEs:

vuln:CVE-2014-0160    # Heartbleed
vuln:CVE-2017-5638    # Apache Struts

This identifies devices that Shodan believes are vulnerable based on version information and banner analysis. It's not proof of exploitability—that requires actual testing—but it shows the landscape of potentially affected systems.

Security researchers use this to understand the scope of vulnerabilities. When a new CVE drops, Shodan shows how many devices might be affected before patches roll out.

Monitoring Your Own Exposure

The most legitimate use of Shodan is finding out what you're accidentally exposing.

org:"Your Company Name"

This shows what anyone researching your organization would find. Surprises here are bad news:

  • Shadow IT—devices someone deployed without approval
  • Forgotten test servers still running
  • Internal services accidentally exposed
  • Development environments with production data

Shodan offers monitoring features that alert you when new devices appear under your organization or IP ranges. This catches unauthorized exposures before attackers find them.
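The self-audit described above can be scripted. The following is an added example, not code from Shodan or from the original page: it compares search matches against an inventory of services you intend to expose and flags the surprises. The sample matches, the 203.0.113.0/24 addresses, the APPROVED inventory and the function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Ports this article singles out as dangerous to expose
RISKY_PORTS = {23: "Telnet", 3389: "Remote Desktop", 502: "Modbus", 102: "Siemens S7"}

# Constructed sample in the shape of Shodan's "matches" list (not real scan data)
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 443, "timestamp": "2024-05-01T08:00:00.000000",
     "ssl": {"cert": {"expired": False}}},
    {"ip_str": "203.0.113.25", "port": 23, "timestamp": "2024-04-28T10:30:00.000000"},
    {"ip_str": "203.0.113.40", "port": 8443, "timestamp": "2024-01-02T00:00:00.000000",
     "ssl": {"cert": {"expired": True}}},
]
# Hypothetical inventory: the (ip, port) pairs you intend to expose
APPROVED = {("203.0.113.10", 443), ("203.0.113.40", 8443)}


def fetch_matches(api_key, query):
    """Fetch live matches with the official client (pip install shodan)."""
    import shodan  # lazy import so the audit below also runs offline
    return shodan.Shodan(api_key).search(query)["matches"]


def audit_exposure(matches, approved, max_age_days=30, now=None):
    """Return one finding per match that is unapproved, risky or has an expired cert."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for m in matches:
        ip, port = m["ip_str"], m["port"]
        reasons = []
        if (ip, port) not in approved:
            reasons.append("not in approved inventory")
        if port in RISKY_PORTS:
            reasons.append(f"{RISKY_PORTS[port]} reachable from the Internet")
        if m.get("ssl", {}).get("cert", {}).get("expired"):
            reasons.append("expired certificate")
        if reasons:
            # Shodan timestamps are UTC; an old sighting may already be fixed
            seen = datetime.fromisoformat(m["timestamp"]).replace(tzinfo=timezone.utc)
            stale = (now - seen).days > max_age_days
            findings.append({"ip": ip, "port": port, "reasons": reasons, "stale": stale})
    return findings


if __name__ == "__main__":
    for f in audit_exposure(SAMPLE_MATCHES, APPROVED):
        print(f)
```

To run it against live data, pass the result of fetch_matches() for your own org: or net: query in place of SAMPLE_MATCHES.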

Certificate Intelligence

SSL certificates contain metadata that reveals infrastructure:

ssl.cert.subject.cn:example.com
ssl.cert.issuer.cn:"Let's Encrypt"

This finds servers using certificates for specific domains, even if DNS records don't point to them. Certificate transparency logs mean you can discover subdomains and infrastructure that organizations thought were hidden.

The API

For programmatic access, Shodan provides an API:

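import os
import shodan

# Read the key from the environment instead of hard-coding it in the script
api = shodan.Shodan(os.environ['SHODAN_API_KEY'])

try:
    results = api.search('apache')
except shodan.APIError as e:
    raise SystemExit(f'Shodan API error: {e}')

# Each match is one service banner; ip_str is the host's IP address
for result in results['matches']:
    print(result['ip_str'])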

This enables automated searches, integration with security tools, and custom monitoring. Free accounts get limited API credits; paid plans unlock more.

The Ethics of Visibility

Shodan raises uncomfortable questions. Is it ethical to make this information so accessible?

The service doesn't hack anything. It connects to public services and records what they voluntarily disclose—the same thing any visitor would see. Shodan just visits systematically and makes the results searchable.

But using Shodan results to access devices you don't own is unauthorized access, illegal in most jurisdictions. The tool is for:

  • Monitoring your own infrastructure
  • Security research and threat intelligence
  • Understanding Internet topology
  • Finding your own accidental exposures

Not for accessing others' devices, regardless of how poorly secured they are.

Reducing Your Shodan Footprint

To prevent your devices from appearing:

Expose only what must be exposed. Administrative interfaces should never face the Internet directly. Use VPNs or IP allowlists.

Use firewalls. Restrict access by source IP. SSH doesn't need to accept connections from everywhere.

Minimize banner information. Configure services to be less chatty about versions and internals. This is security through obscurity—not sufficient alone, but it reduces discoverability.

Monitor yourself. Search Shodan for your IP ranges and organization regularly. Set up alerts for new appearances.
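To check whether banner minimization actually took effect, compare what your services announce before and after hardening. The following is an added example, not part of the original page: the banners are constructed, and the regular expressions are a simple heuristic rather than Shodan's own fingerprinting.

```python
import re

# Product/version tokens such as Apache/2.4.41, PHP/7.4.3 or OpenSSH_8.9p1
VERSION_TOKEN = re.compile(r"([A-Za-z][A-Za-z-]*)[/_](\d+(?:\.\d+)+[\w.-]*)")
# Operating system hints that often ride along in banners
OS_HINT = re.compile(r"\b(ubuntu|debian|centos|red hat|win32|win64)\b", re.I)
# Protocol versions look like product versions but say nothing about software
PROTOCOL_TOKENS = {"HTTP"}

# Constructed banners for one host before hardening ...
BEFORE = {
    "http": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
            "X-Powered-By: PHP/7.4.3\r\n",
    "ssh": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
}
# ... and after: Apache "ServerTokens Prod", PHP "expose_php = Off",
# and "DebianBanner no" in sshd_config (Debian/Ubuntu builds of OpenSSH)
AFTER = {
    "http": "HTTP/1.1 200 OK\r\nServer: Apache\r\n",
    "ssh": "SSH-2.0-OpenSSH_8.9p1",
}


def banner_leaks(banner):
    """Return the software versions and OS hints a banner discloses."""
    versions = [f"{product} {version}"
                for product, version in VERSION_TOKEN.findall(banner)
                if product.upper() not in PROTOCOL_TOKENS]
    os_hints = sorted({hint.lower() for hint in OS_HINT.findall(banner)})
    return {"versions": versions, "os_hints": os_hints}


def report(banners):
    """Map each service name to what its banner gives away."""
    return {service: banner_leaks(text) for service, text in banners.items()}


if __name__ == "__main__":
    print("before:", report(BEFORE))
    print("after: ", report(AFTER))
```

The SSH result still lists the OpenSSH version after hardening, because OpenSSH always sends it in its identification string; for that service the firewall rule is the control that matters.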

Limitations

Shodan isn't omniscient:

  • IPv6 coverage is sparse, because exhaustively scanning that address space is practically impossible
  • Some services block Shodan's known scanning IPs
  • Data is point-in-time; devices change between scans
  • Vulnerability detection based on banners produces false positives
  • Free accounts have significant query limits

Appearing in Shodan doesn't mean a device is exploitable. It means the device answers when strangers knock. Whether that answer reveals something dangerous requires further investigation.
