Early access: New content posts daily — updates are frequent and you may notice work in progress.
OSINTBench
Guides How to Use Shodan: A Beginner's Guide

How to Use Shodan: A Beginner's Guide

A practical introduction to Shodan — what it is, how to search it, and how OSINT investigators and security practitioners use it to research internet-facing infrastructure.

beginner Updated 2026-03-31

Shodan indexes internet infrastructure, devices, ports, software versions. Anything connected to the internet gets catalogued.

You don't use Shodan like Google. Shodan doesn't care about web page content. It catalogues open ports, service banners, and device metadata.

If a device has an internet-facing component — a web server, camera, router, or industrial control system — Shodan's likely seen it.

Getting Started

Getting started with Shodan takes minutes. Go to shodan.io and sign up. The free account includes limited searches, basic API access, and one scan credit.

The free account's limits are reached in about 40 minutes of actual work. For serious OSINT or security work, a membership costs $49/month or $499/year, offering unlimited results, full API access, and monitoring. The API is where this tool earns its rating.

To get started with Shodan, simply launch the platform and enter a domain, such as:

hostname:example.com

This will yield a comprehensive list of every IP address associated with that domain. The information provided includes open ports, services, software versions, SSL certificates, location, organization, and the last scan date. Trying a well-known company's domain can give you insight into their server layout.

Understanding Shodan Results

Each result includes IP address, the server's address. It also includes open ports, which are exposed services, like 80/443 for web, 22 for SSH, and 3389 for RDP. Additionally, the result includes a banner, which is what the service claims, including software name, version numbers, and config details. The result also includes organization, which is who owns the IP range. Finally, it includes location, which is the country, city, approximated.

Banners hide useful intel, such as exact software versions, OS details, SSH host keys, and SSL cert subjects. You can tell a lot from a banner.

Essential Search Filters

Shodan's filters find specific devices, vulnerabilities, and configurations. You search by port, protocol, service, OS version, and even SSL cert details. The query syntax gets complex quickly. For example, ssl.cert.subject.C=US finds devices with US-issued SSL certs. Simple or complex, filters narrow down results. You precision-search; you don't browse. Try combining filters. A search like port:443 ssl.cert.subject.C=US isolates US hosts with open HTTPS ports. The output is a list of IPs, hostnames, and data, with no noise. You can't replicate this with a generic search engine. Shodan's index is custom-built for network exploration.

By Organization

org:"Company Name"

This returns all IPs indexed as belonging to that organization, useful for mapping an organization's internet footprint.

By Hostname

hostname:example.com

This query returns all IPs associated with the specified domain.

By Port

port:3389

This finds devices with the specified port open — in this case, Remote Desktop Protocol.

By Country

country:US port:22

Combine filters to find US-based servers with SSH exposed.

By Software

product:Apache
version:2.4.52

This identifies servers running specific software versions, useful for finding vulnerable systems.

By SSL Certificate

ssl.cert.subject.cn:example.com

This finds servers presenting SSL certificates issued to a specific domain, often revealing subdomains and infrastructure.

By HTTP Title

http.title:"Login" org:"Target Corp"

This query returns login pages associated with a specific organization.

Shodan Dorks — Searches Worth Knowing

Exposed Webcams

The search query port:554 has_screenshot:true can reveal them. Security teams use this to track down internet-connected cameras.

Industrial control systems

port:102 siemens

Exposed MongoDB databases (no auth)

product:MongoDB port:27017

Default credentials — Cisco routers

"cisco" "last login"

Exposed Elasticsearch

port:9200 product:Elasticsearch

Remote Desktop exposed

port:3389 os:Windows

Exposed printers

port:9100 "HP LaserJet"

Find subdomains via SSL certs

ssl.cert.subject.cn:*.example.com

Remember, searching for these results is legal, but accessing the systems you find without authorization is not.

## OSINT Use Cases

### Mapping a Target's Infrastructure

## Recon with Shodan Queries

### Filter by Organization

Start with an organization filter:

org:"Target Company Inc"

This narrows it down to the company name, straight from the registry.

### Domains and Hostnames

Then pivot to their domains:

hostname:targetcompany.com ssl.cert.subject.cn:*.targetcompany.com

The search results show domains and hostnames, including subdomains.

### Infrastructure Insights

These searches map internet-facing infrastructure, showing servers, software versions, cloud providers. Exposed ports are also visible. This provides an asset profile.

### Next Steps

Operators often miss things, such as lingering dev servers. You can find them with targeted queries.

### Finding Historical Data

## Historical Scan Data

Shodan stores scan history. Clicking "View All" on an IP shows past banners.

The scan history can be used for past software states, when a service started or stopped, and pre-patch software versions.

You see what was exposed. Over time, that changes. Banners update. Services go dark.

The timeline can be confirmed. Was a server patched? Or did it fall off the scan list? Details stay in Shodan's logs.

### Investigating an IP Address

(Frontmatter remains unchanged)

If an IP address surfaces in an investigation, Shodan provides context. The context includes IP range ownership, services running, SSL cert details, and domains often listed. Historical data is also available, showing when the IP was last tied to a particular service.

## Tables, Code Blocks, and Links Remain Unchanged

(Remaining content, including tables, code blocks, and links, remains unchanged)

### Identifying Vulnerable Infrastructure

A major CVE drops. You can search Shodan to find vulnerable systems. Security researchers use it to gauge the damage, verify exposure, and focus patching efforts.

## The Shodan CLI

To use Shodan for scripted tasks, you need the Shodan command-line tool.
You can install it via pip with the command:
pip install shodan.
Next, initialize the tool with your API key using:
shodan init YOUR_API_KEY.
This completes the setup for automation.

# Basic search
shodan search 'hostname:example.com'

# Count results
shodan count 'org:"Example Corp"'

# Download full results
shodan download output.json.gz 'org:"Example Corp"'

# Parse downloaded results
shodan parse output.json.gz

The CLI is useful for integrating Shodan into automated reconnaissance workflows.

Shodan Monitoring

Monitoring Alerts

With a paid membership, you get Monitoring, which alerts you to changes, such as new open ports on IPs you monitor, vulnerable software versions, and new IPs in a monitored network range. Alerts help with tracking exposure drift.

What Shodan Doesn't Show

Understanding limitations prevents misinterpretation:

Shodan is not real-time. Scan data can be days, weeks, or months old. You need to verify with live checks for critical assessments.

Shodan doesn't see behind firewalls. It only indexes what's out in the open on the public internet. Internal networks and properly firewalled services don't show up.

Coverage is uneven. Major hosting providers get scanned frequently. Observers of obscure ASNs or recently acquired IP ranges may find stale data.

The free tier has limitations. Search results are limited to two per search. For actual work, a paid account is necessary.

Searching Shodan is legal, you're querying public data.

What's not legal is unauthorized access. Don't log into a router you don't own, don't pull data from someone else's database, don't connect to industrial systems without permission.

Shodan scans the public internet. Devices are indexed if they were reachable.

The data can be used to understand your exposure. Prioritize patching and conduct authorized assessments.

  • Full Shodan review — detailed assessment of capabilities, pricing, and alternatives
  • Best OSINT Tools — where Shodan fits in the broader toolkit
  • SpiderFoot — tool that automates Shodan queries alongside 200+ other sources

Related Guides

Best OSINT GitHub Repositories in 2026

The top GitHub repositories for OSINT — curated lists, automation frameworks, username lookup, email investigation, phone OSINT, and threat intelligence tools. Stars verified April 2026.

beginner

Domain and IP Investigation with OSINT: A Complete Guide

A practical guide to investigating domains and IP addresses using open source tools — covering WHOIS, DNS history, IP geolocation, ASN analysis, and infrastructure pivoting.

intermediate

How to Use SpiderFoot for Automated OSINT Reconnaissance

Step-by-step guide to running SpiderFoot scans, configuring modules, and reading results without alerting your target.

intermediate

Last updated 2026-03-31. Techniques and tools change — verify current capabilities with vendors directly.