How to Use Shodan
Step by Step
Shodan is the world’s most powerful search engine for internet-connected devices. Learn how to use it from scratch — web interface, CLI, advanced filters, Shodan Monitor, and bug bounty integration — with real hands-on examples.
What is Shodan?
Created by John Matherly in 2009, Shodan is often described as “Google for hackers” — but that barely scratches the surface. While Google indexes web page content, Shodan continuously scans the entire IPv4 address space and indexes the metadata of every internet-connected device it finds: servers, routers, webcams, industrial control systems, databases, smart TVs, satellites, and more.
For penetration testers, bug bounty hunters, and security researchers, Shodan is an irreplaceable reconnaissance tool. It allows you to discover exposed assets passively — without sending a single packet to your target — making it ideal even for programs that restrict aggressive scanning.
Shodan itself is a legal and legitimate tool. However, using the information it provides to access systems without authorization is illegal. Always operate within the scope of a bug bounty program or with explicit written permission from the asset owner. This guide is for educational and authorized security testing purposes only.
Step 1 — Create Your Account
Head to shodan.io and register for a free account. A free account gives you limited search results (2 pages max) and access to basic filters. For serious pentesting work, the Membership plan ($49 one-time) is the best value — it unlocks the full CLI, unlimited filters, and API access.
- Free — 2 pages of results per query, basic filters, limited API calls. Good for exploration and learning.
- Membership — Full CLI access, all filters, 1 query credit/month, export results, Shodan Monitor (5 IPs). Best for bug bounty hunters.
- Higher tiers — More API credits, team features, advanced monitoring, bulk data export for professional security teams.
- API key — Available in your dashboard under “Account”. Required for the CLI and all programmatic access. Keep it private.
Step 2 — The Web Interface
Once logged in, the search bar at shodan.io is your starting point.
Type any keyword — a product name, a banner string, a CVE — and Shodan returns every device on the internet that matches.
Your first search
Try typing nginx in the search bar. You will instantly see millions of servers worldwide running Nginx, with their IP address, country, open ports, banner data, and hostnames.
Each result card shows: the IP address, the open ports, the banner (raw response from the service), the country and city, the organization (ISP or company), and detected vulnerabilities (CVEs) if your plan includes them. Click any result to see the full host profile.
Key sections of the dashboard
- Maps — Visualize search results on an interactive world map. Limited to 1,000 results at a time. Zoom in to drill into a specific region.
- Explore — Browse curated searches and the most popular queries from the community. Great for inspiration.
- Images — A gallery of screenshots captured from exposed devices via VNC, RDP, RTSP, webcams, and X Windows. Search with has_screenshot:true.
- Exploits — A search engine that cross-references exposed devices with known CVEs and exploits from multiple databases simultaneously.
- Monitor — Track your own assets in real time. Set alerts when new ports open or services change (covered in depth below).
Step 3 — Master the Search Filters
Raw keyword searches return too many results to be useful. Filters are what make Shodan truly powerful. They follow the syntax filter:value and can be combined freely.
| Filter | Description | Example |
|---|---|---|
| port: | Filter by specific port number | port:22 |
| product: | Filter by software/product name | product:Apache |
| version: | Filter by software version | version:2.4.49 |
| os: | Filter by operating system | os:"Windows Server 2019" |
| country: | Filter by 2-letter country code | country:FR |
| city: | Filter by city name | city:Paris |
| org: | Filter by organization / ISP name | org:"Amazon" |
| hostname: | Filter by hostname or domain | hostname:".gov" |
| net: | Filter by IP range (CIDR) | net:192.168.0.0/24 |
| http.title: | Filter by HTML page title | http.title:"Login" |
| http.status: | Filter by HTTP status code | http.status:200 |
| ssl.cert.subject.cn: | Filter by SSL certificate CN | ssl.cert.subject.cn:"example.com" |
| vuln: | Filter by CVE number (paid) | vuln:CVE-2021-44228 |
| has_screenshot: | Only return hosts with a screenshot | has_screenshot:true |
| before: / after: | Filter by scan date | after:01/01/2024 |
Combining filters — real examples
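The following is an added example, not code from the article: a small Python helper that composes combined queries from the filters in the table above, quoting values that contain spaces (org:"Example Corp"), rendering dates in the dd/mm/yyyy form the before:/after: filters expect, joining several values of one filter with commas (port:22,3389, which Shodan treats as either port), and rejecting a malformed CIDR before a query credit is spent. The organisation name and netblock are constructed placeholders (RFC 5737 documentation addresses); the queries are written from the point of view of auditing address space you are responsible for.

```python
"""Compose Shodan queries from structured filters (added example, not the article's code)."""
import ipaddress
from datetime import date


def _render_value(name, value):
    """Render one value the way the Shodan query parser expects it."""
    if isinstance(value, date):                 # before:/after: use dd/mm/yyyy
        return value.strftime("%d/%m/%Y")
    if isinstance(value, bool):                 # has_screenshot:true, ssl.cert.expired:true
        return "true" if value else "false"
    if isinstance(value, (list, tuple, set)):   # port:22,3389 -> either value matches
        return ",".join(str(v) for v in value)
    if name == "net":                           # fail early on a mistyped CIDR
        return str(ipaddress.ip_network(str(value), strict=False))
    return str(value)


def _term(name, value):
    """Build one filter:value term, quoting values that contain whitespace."""
    text = _render_value(name, value)
    if any(c.isspace() for c in text):          # org:"Example Corp"
        text = '"' + text.replace('"', '\\"') + '"'
    return f"{name}:{text}"


def build_query(keywords="", **filters):
    """Return a query string; filter names use '__' where Shodan uses '.' (http__title)."""
    terms = [keywords.strip()] if keywords.strip() else []
    terms += [_term(n.replace("__", "."), v) for n, v in filters.items()]
    return " ".join(terms)


# Constructed queries for auditing a netblock and org name you own (placeholders).
EXAMPLES = {
    "remote_access_in_my_netblock": build_query(net="203.0.113.0/24", port=[22, 3389]),
    "expired_certs_in_my_org": build_query(org="Example Corp", ssl__cert__expired=True),
    "recent_apache_2449_fr": build_query(product="Apache", version="2.4.49",
                                         country="FR", after=date(2024, 1, 1)),
    "login_pages_on_my_hosts": build_query(net="203.0.113.0/24",
                                           http__title="Login", http__status=200),
}

if __name__ == "__main__":
    for label, query in EXAMPLES.items():
        print(f"{label}: {query}")
```

Each string in EXAMPLES can be pasted into the web search bar or passed to `shodan search` in single quotes, so the double quotes around multi-word values survive the shell.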
Step 4 — Install and Use the Shodan CLI
The Shodan CLI (Command Line Interface) lets you run Shodan queries directly from your terminal, automate searches, and pipe results into other tools. It is a must-have for efficient pentesting workflows.
Installation
```bash
# Install via pip (Python required)
pip3 install shodan
# Initialize with your API key
shodan init YOUR_API_KEY_HERE
# Verify installation
shodan info
# Expected output:
# Query credits available: 100
# Scan credits available: 100
```
Essential CLI commands
```bash
# Simple keyword search (no credits consumed)
shodan search nginx
# Search with filters (consumes 1 query credit)
shodan search "product:Apache country:US port:443"
# Limit results and select specific fields
shodan search --fields ip_str,port,org,hostnames --limit 100 "product:nginx"
# Count total results without displaying them
shodan count "port:22 country:DE"
# Example output:
# 1248392
# Get complete info on a specific IP address
shodan host 8.8.8.8
# Tab-separated output (for scripting; the host command offers pretty or tsv)
shodan host 8.8.8.8 --format tsv
# Resolve a domain to IPs via Shodan DNS
shodan domain example.com
# Get statistics about a search query
shodan stats --facets country,org,port "product:Redis"
# Download results to a file (consumes credits)
shodan download output.json.gz "product:MySQL port:3306"
# Parse the downloaded file
shodan parse --fields ip_str,port,org output.json.gz
# Convert to CSV for spreadsheet analysis
shodan convert output.json.gz output.csv
# Create an alert for an IP range
shodan alert create "My Network" 203.0.113.0/24
# List all active alerts
shodan alert list
# Get triggered notifications
shodan alert info ALERT_ID
```
Step 5 — Shodan Monitor: Watch Your Attack Surface
Shodan Monitor is a real-time tracking feature that continuously watches a set of IP addresses or CIDR ranges and alerts you whenever something changes — a new port opens, a service changes, or a new vulnerability is detected.
This is invaluable both for defenders (monitoring their own infrastructure) and for bug bounty hunters (tracking a target’s new assets as they appear).
Set up a new alert
Go to monitor.shodan.io → click “Add Network” → enter your IP or CIDR range (e.g., 203.0.113.0/24) → give it a name. With the Membership plan you can monitor up to 16 IPs for free.
Configure notification triggers
Click on the alert → go to “Triggers”. You can set alerts for: new open ports, new services, new vulnerabilities (CVEs), SSL certificate changes, new malware detections, or any custom filter.
• Alert when port 22 (SSH) or 3389 (RDP) becomes open
• Alert when a new CVE is detected on your network
• Alert when an SSL certificate expires or changes
• Alert when a new host appears in the monitored range
Connect notifications
Shodan Monitor can send alerts via email, Slack webhook, or via the API. For bug bounty hunters, connecting it to a Slack channel is the most efficient setup — you get notified in real time when a new asset appears.
Step 6 — Shodan for Bug Bounty Recon
Shodan integrates seamlessly into a bug bounty recon workflow. Here is how to use it alongside popular tools to build a comprehensive picture of a target’s attack surface.
Enumerate all assets of a target organization
```bash
# 1. Find all IPs belonging to a target org (quote the whole query so the
#    double quotes reach Shodan; the field is "hostnames", plural)
shodan search --fields ip_str,port,hostnames 'org:"Target Company"'
# 2. Find all subdomains via SSL certificates
shodan search --fields ip_str,port,ssl.cert.subject.cn \
'ssl.cert.subject.cn:"*.targetcompany.com"'
# 3. Find login panels (juicy targets)
shodan search 'org:"Target Company" http.title:"Login"'
# 4. Find exposed admin interfaces
shodan search 'org:"Target Company" http.title:"Admin"'
# 5. Find hosts with expired SSL certs (often forgotten assets)
shodan search 'ssl.cert.expired:true org:"Target Company"'
```
Integration with other recon tools
```bash
# Extract all IPs and pipe into httpx for HTTP probing
shodan search --fields ip_str,port 'org:"Target"' \
| awk '{print $1":"$2}' \
| httpx -silent -status-code -title
# Extract IPs and pipe into nuclei for vulnerability scanning
shodan search --fields ip_str 'org:"Target"' \
| nuclei -t technologies/ -silent
```
```python
#!/usr/bin/env python3
import shodan

API_KEY = "YOUR_API_KEY"
api = shodan.Shodan(API_KEY)

# Search for exposed Jenkins instances (a bad key or exhausted credits raises APIError)
try:
    results = api.search('http.title:"Dashboard [Jenkins]"')
except shodan.APIError as exc:
    raise SystemExit(f"Shodan API error: {exc}")

print(f"Total results: {results['total']}")
for match in results['matches']:
    print(f"{match['ip_str']}:{match['port']} — {match.get('org', 'N/A')}")
```
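As an added example that is not part of the article, the script below takes the other side of the workflow: it reads Shodan banners for address space you are responsible for (either the `matches` list returned by `api.search()` or a `shodan download` file, which is gzip-compressed with one JSON banner per line) and turns them into findings a defender can act on. It folds per-service banners into one record per host, flags hosts missing from your inventory, exposed SSH/RDP ports, reported CVEs and expired certificates, and diffs two snapshots of the same range to reproduce what Shodan Monitor (Step 5) alerts on: new hosts and newly opened ports. The sample banners, the inventory and the CVE id are constructed placeholders (RFC 5737 addresses), not real hosts or a real vulnerability.

```python
"""Offline triage of Shodan banners for your own address space (added example, not the article's code)."""
import gzip
import json
from collections import Counter, defaultdict

# Ports the article suggests alerting on when they open (SSH, RDP).
REMOTE_ADMIN_PORTS = {22, 3389}

# Constructed sample in the shape of api.search()['matches'] entries.
# Addresses are RFC 5737 documentation ranges; the CVE id is a placeholder.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 443, "org": "Example Corp",
     "hostnames": ["www.example.com"], "product": "nginx",
     "ssl": {"cert": {"expired": False}}},
    {"ip_str": "203.0.113.10", "port": 22, "org": "Example Corp",
     "hostnames": ["www.example.com"], "product": "OpenSSH"},
    {"ip_str": "203.0.113.57", "port": 8080, "org": "Example Corp",
     "hostnames": [], "product": "Jenkins",
     "vulns": {"CVE-0000-00000": {"cvss": 9.8}}},
    {"ip_str": "203.0.113.99", "port": 443, "org": "Example Corp",
     "hostnames": ["old.example.com"], "product": "Apache httpd",
     "ssl": {"cert": {"expired": True}}},
]

# What the asset inventory believes exists (constructed).
INVENTORY = {"203.0.113.10"}


def iter_banners(path):
    """Yield banners from a `shodan download` file: gzipped, one JSON object per line."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        for line in fh:
            if line.strip():
                yield json.loads(line)


def summarize(matches, inventory):
    """Fold per-service banners into one record per host."""
    hosts = defaultdict(lambda: {"ports": set(), "hostnames": set(),
                                 "vulns": set(), "expired_cert": False})
    for m in matches:
        h = hosts[m["ip_str"]]
        h["ports"].add(m["port"])
        h["hostnames"].update(m.get("hostnames", []))
        h["vulns"].update(m.get("vulns", {}))          # banner 'vulns' is keyed by CVE id
        if m.get("ssl", {}).get("cert", {}).get("expired"):
            h["expired_cert"] = True
    for ip, h in hosts.items():
        h["known"] = ip in inventory
    return dict(hosts)


def findings(report):
    """Return sorted (ip, reason) pairs that deserve follow-up."""
    out = []
    for ip, h in report.items():
        if not h["known"]:
            out.append((ip, "not in inventory"))
        for port in sorted(h["ports"] & REMOTE_ADMIN_PORTS):
            out.append((ip, f"remote-admin port {port} exposed"))
        if h["vulns"]:
            out.append((ip, "CVEs reported: " + ", ".join(sorted(h["vulns"]))))
        if h["expired_cert"]:
            out.append((ip, "expired TLS certificate"))
    return sorted(out)


def port_histogram(matches):
    """Which ports are exposed how often across the range."""
    return Counter(m["port"] for m in matches)


def diff_snapshots(old_matches, new_matches):
    """What Monitor would alert on between two scans: new hosts and new (ip, port) pairs."""
    old = {(m["ip_str"], m["port"]) for m in old_matches}
    new = {(m["ip_str"], m["port"]) for m in new_matches}
    old_hosts = {ip for ip, _ in old}
    added = sorted(new - old)
    return {"new_hosts": sorted({ip for ip, _ in added} - old_hosts),
            "new_ports": [(ip, port) for ip, port in added if ip in old_hosts]}


if __name__ == "__main__":
    report = summarize(SAMPLE_MATCHES, INVENTORY)
    for ip, reason in findings(report):
        print(f"{ip}: {reason}")
    print(port_histogram(SAMPLE_MATCHES))
    print(diff_snapshots(SAMPLE_MATCHES[:1], SAMPLE_MATCHES))
```

To run it against real data, replace SAMPLE_MATCHES with `list(iter_banners("output.json.gz"))` from a `shodan download` of your own netblock, and keep the previous file around so `diff_snapshots` can compare runs.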
Step 7 — Advanced Techniques
Favicon hash search
Every web application has a favicon. If you hash it (using the MurmurHash algorithm), you can find all servers worldwide running the same application — even if they’ve changed their banners or titles. This is particularly powerful for finding forgotten or hidden instances of a target’s infrastructure.
```python
# Python: compute favicon hash from a URL
import codecs
import mmh3
import requests

response = requests.get("https://target.com/favicon.ico", timeout=10)
response.raise_for_status()
# Shodan hashes the base64 text of the icon (with a line break every 76
# characters, which is what the "base64" codec produces), not the raw bytes
favicon = codecs.encode(response.content, "base64")
hash_value = mmh3.hash(favicon)  # signed 32-bit MurmurHash3, as Shodan stores it
print(f"Favicon hash: {hash_value}")
# Then search Shodan for this hash
# http.favicon.hash:-XXXXXXX
```
```bash
# Example: find all servers with the Grafana favicon
shodan search 'http.favicon.hash:-1028726852'
# Example: find all servers with a specific app favicon
shodan search 'http.favicon.hash:HASH_VALUE org:"Target"'
```
Shodan 2000 — The retro real-time view
Go to 2000.shodan.io to see a live, real-time stream of devices being indexed by Shodan at this very moment. Beyond the aesthetic, it gives you a raw sense of what Shodan is actually scanning and how much data it collects every second.
Internet Exposure Observatory
Available at exposure.shodan.io, this dashboard lets you see the global exposure statistics for any country or technology: how many devices are exposed, on which ports, running which software. Useful for threat intelligence and understanding the attack surface of a sector.
Common Mistakes to Avoid
- Scanning without authorization — finding something on Shodan does not give you permission to connect to it. Always verify scope before taking any action on a target.
- Wasting query credits — simple keyword searches (no filters) don’t consume credits. Save filters for targeted queries. Use `shodan count` before downloading to estimate the result size.
- Ignoring the before/after filters — Shodan data can be weeks old. Use `after:01/01/2024` to ensure your results reflect the current state of a target.
- Forgetting SSL certificate recon — `ssl.cert.subject.cn` and `ssl.cert.subject.org` are among the most powerful filters for discovering all assets linked to a company, including subdomains and IP ranges you’d never find otherwise.
- Not verifying results — Shodan data is a snapshot. Always confirm with active tools (httpx, nmap, etc.) before reporting a vulnerability in a bug bounty context.