Shodan is a search engine for internet-exposed systems. Instead of indexing web pages, it indexes services (SSH, HTTP, databases, VPNs, remote admin panels, etc.) and their banners/metadata, which makes it extremely useful for attack surface discovery and continuous exposure monitoring.
This tutorial focuses on authorized, defensive use: mapping what your company exposes to the internet, validating what’s visible, and setting up monitoring so you’re alerted when exposure changes.
Legal / ethical note: Only use Shodan to investigate systems you own or have explicit authorization to assess.
What is Shodan?
Shodan continuously collects service banners from public IPs and indexes them so you can search by:
- Scope (your netblock, domains, org)
- Service/port (e.g., 443/22/3389)
- Product fingerprints (nginx, OpenSSH, Kubernetes, etc.)
- TLS certificate pivots (CN/issuer, etc.)
- HTTP properties (title, status code, WAF, components)
When to use Shodan
Use Shodan when you need to:
- Build an external exposure baseline (“what’s reachable from the internet today?”)
- Detect shadow IT and unexpected services/ports
- Track cloud drift (new hosts, ports, products appearing)
- Support incident triage (confirm if an endpoint is publicly visible)
- Operationalize monitoring with notifications/webhooks
Benefits for security teams
- Fast inventory without running your own scans
- Great pivoting (TLS certs, org, netblocks, hostnames)
- Monitoring-first workflow (alerts when exposure changes)
- Automation-ready via CLI + API
How Shodan works (briefly)
At a high level:
- Shodan collects service banners from internet-facing IPs.
- It extracts fingerprints/metadata (product, protocol, cert details, etc.).
- You query results with keywords + filters (
filter:value). - You can add monitoring and notifications via Shodan Monitor
Key concepts you must know
Banners
A “banner” is what a service reveals during handshake / response metadata. Banners are your proof in reporting.
Filters
Shodan searches are most useful when you combine:
- scope filters (net/domain/org)
- service filters (port, product)
- context filters (http., ssl., etc.)
You can even retrieve the complete list of filters programmatically via the API.
Essential filters cheat sheet
Start with scope, then refine. Keep it simple and repeatable.
| Filter | What it does | Example (with placeholders) | When to use |
|---|---|---|---|
net: | Limits results to your IP/CIDR | net:YOUR_PUBLIC_CIDR | Best baseline scope |
hostname: | Matches hostnames/domains | hostname:"api.YOURDOMAIN.com" / hostname:".YOURDOMAIN.com" | Cloud assets / subdomain pivots |
org: | Matches org label in results | org:"YOUR COMPANY" | Helpful, but not perfect coverage |
port: | Filters by port | port:443 / port:22,3389 | Exposure by service |
product: | Filters by detected product | product:nginx | Quick tech inventory |
ssl.cert.subject.cn: | Matches TLS cert subject CN | ssl.cert.subject.cn:"YOURDOMAIN.com" | Cert pivots / asset discovery |
ssl.cert.issuer.cn: | Matches TLS issuer CN | ssl.cert.issuer.cn:"Let's Encrypt" | Cert hygiene / pivots |
http.title: | Matches page title | http.title:"admin" | Find exposed panels in your scope |
http.status: | Matches HTTP status | http.status:200 | Reduce noise |
http.waf: | Matches WAF detection | http.waf:true | Know where WAF is present (signal) |
ssh.fingerprint: | SSH fingerprint match | ssh.fingerprint:... | Identify duplicate keys / assets (advanced) |
Tip: Don’t memorize everything. If you want the authoritative list, pull filters via API.
Safe Query Pack
Step 0 — Pick ONE scope
Use only one of these as your prefix:
Option A (best):
net:YOUR_PUBLIC_CIDR
Option B (great for cloud / changing IPs):
hostname:".YOURDOMAIN.com"
Option C (useful but less reliable than net/hostname):
org:"YOUR COMPANY"
From here on, every query below assumes you’ll prepend one of the scopes above.
Baseline inventory
It is your “what’s exposed?” snapshot.
SCOPE
SCOPE port:80,443
SCOPE port:22
SCOPE port:3389
SCOPE port:8080,8443
“Oops ports” checklist
Keep this scoped. This is for catching accidental exposures inside your perimeter.
SCOPE port:2375
SCOPE port:9200
SCOPE port:5601
SCOPE port:27017
SCOPE port:6379
SCOPE port:5432
SCOPE port:3306
Admin panels / management surfaces
SCOPE http.title:"admin"
SCOPE http.title:"dashboard"
SCOPE http.title:"login"
SCOPE http.title:"panel"
Tech inventory
SCOPE product:nginx
SCOPE product:apache
SCOPE product:OpenSSH
SCOPE product:kubernetes
TLS certificate pivots
ssl.cert.subject.cn:"YOURDOMAIN.com"
ssl.cert.subject.cn:"*.YOURDOMAIN.com"
ssl.cert.issuer.cn:"Let's Encrypt" SCOPE
Cert pivots are especially useful when your infra is distributed and IP ranges are not stable.
Reduce noise
SCOPE port:443 http.status:200
SCOPE port:443 http.title:"" # sometimes helps reduce junk titles
SCOPE -port:80 -port:443 # find “everything except web”
Shodan CLI
Install + initialize
pip install -U --user shodan
shodan init YOUR_API_KEY
The shodan init step is the official CLI initialization flow.
Run a scoped search
shodan search "net:YOUR_PUBLIC_CIDR port:443"
Inspect a host
shodan host YOUR_PUBLIC_IP
Monitoring your exposure
Network monitoring (CIDR/IP-based)
Shodan supports network monitoring via alerts in CLI and API.
Domain-based monitoring
If your IPs change frequently, use domain-based monitoring:
shodan alert domain yourdomain.com
This is the documented way to track IPs derived from domains/hostnames.
Webhooks / notifications
Shodan Monitor can notify via multiple channels and also supports webhook notifications for developer workflows.
How to report findings
For each exposed service, capture:
- IP + port + protocol
- Product fingerprint (and version if available)
- Banner evidence (headers/cert fields/title/etc.)
- Why it matters (e.g., “internet-exposed management interface”)
- Next action (restrict exposure, require auth, move behind VPN, segmentation, allowlists)
Common mistakes to avoid
- Searching without scope (you’ll drown in noise, and it’s not defensible)
- Treating “vulnerability signals” as confirmed exploitation (use as triage input)
- Using only
org:in cloud-heavy environments (preferhostname:and domain monitoring) - Not operationalizing (no alerting → no ownership → no remediation)
Pro tips
- Always lead with scope (net/hostname).
- Build a baseline once, then let monitoring catch drift.
- Use domain-based monitoring for cloud workloads.
- Route Monitor events to webhooks when you want automation (SIEM/SOAR/Jira).
Conclusion
Shodan becomes truly valuable when you treat it as external exposure observability: establish a baseline, monitor continuously, and convert changes into actionable remediation with evidence and ownership.
Leave a Reply