What is the Shodan Search Engine?
Internet-connected devices are everywhere. It’s estimated that over 30 billion “Internet of things” or IoT devices are currently active. However, these devices can have security flaws, making them vulnerable to cyber-attacks.
So, how can you check if your IoT device is vulnerable?
You use the Shodan search engine, a one-of-a-kind tool developed for penetration testing and vulnerability analysis. A while ago, mainstream news outlets reported that Shodan is the “scariest search engine,” but that title is somewhat misleading.
That’s why we’ll go into all the details and explain what the Shodan search engine is and what it is not. We’ll discuss its interface, pricing, and, most importantly, what it is used for daily.
- Shodan, a search engine specifically designed to find internet-connected devices, uncovers IoT infrastructure typically invisible to standard search engines, providing an in-depth view of the global internet landscape.
- Leveraging Shodan’s capabilities allows cybersecurity experts to identify unsecured devices, potential network vulnerabilities, and cyber threats, thereby supporting the strengthening of overall internet security.
- Despite its extensive use in ethical cybersecurity, Shodan can be misused by malicious actors for unauthorized access to insecure devices, underlining the importance of robust cybersecurity measures for all internet-connected systems.
IoT Devices Explained
Before going deeper into the uses, benefits, and potential dangers of the Shodan platform, it’s vital to explain what IoT devices are and why there is a dedicated search engine that can scan them.
The term “Internet of Things” was coined in 1999, when the idea of devices with a constant web connection was a part of emerging technologies.
Today, the number of IoT devices is impossible to count because these units represent all physical devices or “things” that exchange data between each other and the internet.
We can categorize these internet-connected devices into several groups:
Consumer IoT – These are devices for regular residential and personal use, like Amazon Echo, baby monitors, home security cameras, and smart home appliances.
Commercial IoT – The most common types include monitoring systems in transportation and healthcare industries.
Industrial Internet of Things (IIoT) – These internet-connected devices comprise the core of industrial control systems. They are used for complex systems, like nuclear power plants, traffic lights, power grids, and many more.
Infrastructure IoT – The primary use of these devices is the implementation of management systems and infrastructure sensors in sprawling cities to upgrade them to “smart cities.”
Military (IoMT) – The application revolves around various types of security measures in the military field, including drones, surveillance robots, and various biometric devices for combat.
Shodan Search Engine – Explained
The name “Shodan” is an acronym for Sentient Hyper-Optimized Data Access Network. Shodan’s creator is John Matherly, a computer scientist who created the search engine in his spare time.
He had an idea to develop the most efficient and straightforward way to track any device connected to the internet. In 2009, he succeeded, and that’s how the “scariest search engine” was created.
Of course, the main purpose of Shodan was never to build an efficient tool for malicious actors who can hack into internet-connected devices.
It was to allow security researchers to detect data leaks, search for software vulnerabilities, and see how many devices are compromised at any given moment on the entire internet.
Often, basic search filters can provide plenty of information that can be used to find specific IP addresses, Cisco devices, and even Apache servers.
It’s vital to differentiate Shodan from search engines like Google, Bing, or Yahoo. These are designed for searching websites and web pages, whereas Shodan searches the entire internet.
That means you can use Shodan to find control servers for malware or find out which version of an operating system is the most popular.
What’s so amazing about Shodan is that it allows users to answer many questions and find vulnerable systems in a particular city or country.
With a quick search, Shodan can gather information about internet-connected devices and index them comprehensively, ranging from small desktop computers to commercially used Cisco devices and even nuclear power plants.
Is Shodan Legal?
We mentioned that Shodan is widely used by security researchers that monitor industrial control systems and detect data leaks, but what about everyone else? Anyone can download and use Shodan, even if they’re not a cyber security expert.
This accessibility is why many assume Shodan is dangerous. If anyone can use it to find devices vulnerable to attacks, it seems that this search engine should not be legal.
However, Shodan is perfectly legal, as its primary purpose is data aggregation that helps improve the safety of IoT devices.
But like anything one might find on the internet, it can be used for different purposes, and Shodan isn’t inherently a malicious tool.
Shodan search results are meant to be used for references, especially by security researchers, but also by anyone who wants to improve their online safety.
Unfortunately, we do know search engines like Shodan come in handy to those who have ulterior motives, and the platform has surely been used for hacking. However, that doesn’t change the fact that Shodan is available to everyone and operates within the law.
What Is Shodan Used For?
We’ve discussed types of IoT devices and emphasized their spread worldwide. Of all existing search engines, Shodan is the one that offers vulnerability scanning with the help of efficient search filters.
But in order to truly understand the power of Shodan, it’s essential to explore the various possibilities this search engine unlocks.
Here’s a full rundown of how you can use Shodan for business and other purposes.
The most common way to use Shodan is to conduct security research and find vulnerable systems. Many devices have full information on their firmware listed on the official login page.
This allows security professionals to look for devices with a simple search query and examine any known vulnerabilities. If they detect potential dangers, they can alert Internet Service Providers and let them know that their network security is compromised.
Also, a security researcher working as an IT manager in a company may use Shodan to look for specific devices the business may plan on purchasing. This gives them the opportunity to check for existing security breaches and determine if they’re worth the investment.
But using Shodan for security purposes is not just for security researchers, but for “civilians” too. Anyone can register on Shodan and look for the connected devices in their home. They may learn that the printer or even their baby monitor has been compromised.
Users can look for and monitor their IP addresses and immediately detect if their device is listed on Shodan. This feature makes Shodan one of the most effective security tools available to a wide population of users.
Many IoT devices contain their brand names and model numbers in the HTTP headers and login pages. This information gives marketers and salespeople the opportunity to explore specific topics.
For example, they may use Shodan to answer the following questions:
How many people are using specific brands and models of smart TVs?
What is the most widely used brand of Wi-Fi routers?
What is the usage of smart thermostats in a specific geographical location?
How many connected devices are running on Android?
With a simple search, marketing experts can perform remarkable data acquisition which can help them improve their practices.
Shodan can assist governments and the private sector with managing existing infrastructure.
Because power grids, power plants, and traffic systems are all connected to the internet, Shodan can tell if any part of the system has had data leaks or is generally vulnerable.
Shodan can even pinpoint specific outdated legacy control systems, prompting for their removal. In terms of infrastructure management, Shodan facilitates important supervisory control.
It’s not only the security researchers in private cyber security companies that use Shodan for valuable data aggregation.
Academic researchers use this search engine to detect network security issues and compromised devices connected to the internet.
They may use this data to understand and predict trends in the security sector and analyze the overall device usage on the internet.
How to Use Shodan?
Whether you believe Shodan is dangerous or merely an incredibly powerful tool for securing IoT devices, it’s helpful to know how to use it.
Compared to the World Wide Web search engines like Google or Bing, Shodan offers more features but has a complicated interface.
Even though there’s a learning curve with Shodan, once you figure out how it works, the possibilities are endless.
Search Query Syntax
To get anywhere with Shodan, it’s essential to master the search query fundamentals or search query syntax. But to understand its importance and purpose, we first have to discuss what type of information Shodan collects.
This search engine essentially aggregates information on devices and the services they provide. The data on these services are stored in banners, and acquiring the stored information is called banner grabbing.
A network security team or a hacker will use banner grabbing to find devices or computer systems running on open ports.
A banner is the fundamental unit of data Shodan collects. A single banner has many properties, and not all of them will be useful to everyone. The following properties provide the most important information about a service a specific IoT device provides:
data – the most important property and the main response from the service
ip_str – the IP address of the IoT device
port – the valid port number of the service
org – the organization that holds the IP space
country_code – the country where the connected device is located
Understanding these properties gives users the basis of the search query syntax. However, by default Shodan only searches the data property, and you can query the other properties using the appropriate search filters. But more on that later.
Shodan’s Main Services
Search engines like Shodan offer users various possibilities for researching vulnerabilities. When navigating Shodan, you can rely on three types of services: the general-purpose search engine, Shodan Maps, and Shodan Images.
These services are designed for different applications, and here’s a little more about how they work and how to use them.
General-Purpose Search Engine
Unsurprisingly, this is the main Shodan service, and it’s where you’ll likely land first if you research Shodan for the first time.
By default, any search query you make will show you data collected in the past 30 days, so the search engine provides an accurate picture of the data at the given moment.
But you can do more than just search. The general-purpose search engine allows you to download data and generate reports.
When users complete a Shodan search, they can also download the data it yielded. You’ll easily find the “Download Results” button on the main page and choose the desired download format. Your options are JSON, CSV, and XML.
However, only the JSON format creates a file with full banner information and relevant metadata collected by Shodan. The data you’ve downloaded moves to the “Downloads” section, easily located on the main page.
Shodan also lets you generate reports based on search queries. These reports contain charts and graphs, providing users with a broader view of the results distributed all over the internet. You’ll find the “Create Report” right next to the “Download Results” button.
You’ll have the option to title your report and receive an email with a link to charts which provide an aggregate overview of a search result.
If the text-based main Shodan website isn’t comprehensive enough, you can explore Shodan Maps. This service shows up to 1,000 results simultaneously.
It also allows you to zoom in and out of specific areas, while adjusting the search query automatically. Users can choose from a variety of map styles which sort the acquired data to your preference.
You can browse all images Shodan collects by using the Shodan Images service. You can search Shodan Images by organization or netblock, but also the types of images collected by the search engine.
There are five different image data sources.
Virtual Network Computing (VNC)
Real-Time Streaming Protocol (RTSP)
Remote Desktop (RDP)
Specific image sources come with particular ports or services and have different banners.
So, if you only want to look for webcam images, you need to make an HTTP search query.
Understanding Shodan Interface
We’ve briefly discussed some of the interface features like “Download Results” and “Create Report.” But there’s a lot more to understand and learn about how to navigate Shodan and its main service.
The “Search” option is the most important feature, and you’ll use it to look for IoT devices by brand or model, by specific IP address, or by device name. However, you can learn a lot with Shodan by browsing its “Explore” feature.
Using Shodan’s Explore Feature
If you’ve never used Shodan before, the “Explore” feature is usually the perfect place to start. You may not have anything specific to search but want to find interesting data.
From the search engine’s main menu, select the “Explore” option and consider browsing the following sections.
Here is where you’ll find organized lists of devices users most commonly search for, and find categories like Industrial Control System, Webcam, Router, Smart TV, and similar.
This section includes the most popular devices in a single list. You may see “webcams” or “surveillance” listed as Top Voted categories, along with the number of entries a single category contains.
The Top Voted section is a shortcut for gathering intelligence as it saves you the time you’d invest in hunting for specific device models or manufacturers.
Top Voted and Recently Shared sections are often referred to as “community queries,” because they represent a joint effort from users to make Shodan easier to use.
Recently Shared is a lot like a “trending” feature on social media platforms, as it contains newly discovered or very popular devices.
Researchers constantly update the Recently Shared section, which allows you to easily see which devices are shared multiple times and what their vulnerabilities are. It’s also crucial to remember that when you share a new device, it becomes public, and everyone can see it.
Shodan: Understanding Search Results
When you search Shodan for a specific device, IP address, or another query, you’ll gain access to different information, but you may only want to focus on some of it. For example, many security experts will focus on examining virtual open ports.
Specific open ports can carry numbers between 1 and 65535. Each port is assigned to a connection, and some ports are used more frequently or have standardized uses. For example, installing operating systems on computers requires open ports for receiving and sending system data over networks.
However, the essential information most Shodan users are looking for is vulnerabilities. If a device is compromised, you’ll see a “Vulnerabilities found” tag and a full list of issues describing what makes the device unsafe to use.
More About Shodan Search Filters
If you want to navigate Shodan efficiently and gain access to the banner properties you need, mastering search filters is essential. Like all search engines, Shodan offers different commands and filters, and you need to enter a single-term search before making your query.
For example, if you want to search devices in a specific city, you’ll enter “city:"Los Angeles"” (no space after the colon, with quotes around a multi-word value) or “port: . You follow the same principle to search for a specific hostname, and even use the “before/after” filter to find results within a specific period.
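The filter syntax described above, modelled locally as an added example (this is not Shodan's code and not part of the original article): it parses a query into free-text terms and filters, then evaluates it against a constructed three-banner JSON export, matching free text against the data property only. The sample banners, the nested `location` layout, the five filters handled and the exact-match comparison are assumptions of this example.

```python
import ipaddress
import json
import shlex

# Constructed sample in the shape of a JSON export (one banner per line).
# Addresses come from documentation ranges; this is not real scan data.
SAMPLE_EXPORT = """\
{"ip_str": "203.0.113.10", "port": 80, "org": "Example Org", "data": "HTTP/1.1 200 OK\\r\\nServer: Apache/2.4.41 (Ubuntu)\\r\\n", "location": {"country_code": "US", "city": "Los Angeles"}}
{"ip_str": "203.0.113.25", "port": 22, "org": "Example Org", "data": "SSH-2.0-OpenSSH_8.2p1", "location": {"country_code": "US", "city": "Los Angeles"}}
{"ip_str": "198.51.100.7", "port": 80, "org": "Other Org", "data": "HTTP/1.1 401 Unauthorized\\r\\nServer: nginx\\r\\n", "location": {"country_code": "DE", "city": "Berlin"}}
"""

FILTERS = {"port", "org", "country", "city", "net"}  # subset modelled here


def parse_query(query):
    """Return (free_text_terms, filters) for a Shodan-style query string."""
    terms, filters = [], {}
    for token in shlex.split(query):  # keeps "quoted values" together
        name, sep, value = token.partition(":")
        if sep and value and name.isalpha():
            filters[name.lower()] = value
        else:
            terms.append(token)
    return terms, filters


def matches(banner, query):
    """Simplified local model: free text hits `data` only, filters hit metadata."""
    terms, filters = parse_query(query)
    unknown = set(filters) - FILTERS
    if unknown:
        raise ValueError(f"unsupported filter(s): {sorted(unknown)}")
    data = (banner.get("data") or "").lower()
    if any(term.lower() not in data for term in terms):
        return False
    location = banner.get("location") or {}
    for name, wanted in filters.items():
        if name == "port":
            port = int(wanted)
            if not 1 <= port <= 65535:  # valid port range
                raise ValueError(f"port out of range: {port}")
            ok = banner.get("port") == port
        elif name == "net":
            network = ipaddress.ip_network(wanted, strict=False)
            ok = ipaddress.ip_address(banner["ip_str"]) in network
        else:
            actual = {"org": banner.get("org"),
                      "country": location.get("country_code"),
                      "city": location.get("city")}[name]
            ok = (actual or "").lower() == wanted.lower()
        if not ok:
            return False
    return True


def search(export_text, query):
    """Return (ip_str, port) for every exported banner the query matches."""
    banners = [json.loads(line) for line in export_text.splitlines() if line.strip()]
    return [(b["ip_str"], b["port"]) for b in banners if matches(b, query)]


if __name__ == "__main__":
    for q in ('city:"Los Angeles" port:22', "apache", '"Example Org"', "net:203.0.113.0/24"):
        print(q, "->", search(SAMPLE_EXPORT, q))
```

The `"Example Org"` query returns nothing because the organization lives in metadata, not in the banner text; `org:"Example Org"` is the filter form that finds it.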
Is Shodan Free?
Whether you need Shodan to find Cisco devices, servers, or webcams, you might be wondering if you need to pay for the service. The answer is yes and no.
You can use Shodan for free to search or explore a few devices, but certain features, like custom searches and advanced tagging, Shodan Maps, and Shodan Images, require a paid subscription. Also, you don’t need to sign a contract with Shodan, and you can cancel the subscription at any time.
But before we go into Shodan plans, prices, and available features, we must discuss the concept of Shodan credits. The amount of access to data and other important properties you can receive with Shodan depends on the credits you have available. There are two types of Shodan credits, query and scan.
You can use query credits to download data through the Shodan main website, command line interface (CLI) or the API. Queries renew every month, and one query allows users to download up to 100 results.
Scan credits renew at the beginning of every month and allow users to request global network scans. One scan credit allows you to scan one IP address.
Shodan Plans Pricing
The Shodan subscription plans differ in number of scans, monitored IPs, and search filters you’ll have available.
Also, the plans are based on usage, not users, and you can share the Shodan API key within a single organization. Here’s what you can expect to pay for Shodan if you want to go beyond basic features.
The most affordable Shodan plan is Membership and will cost you $49 per month. You’ll have access to 100 query and 100 scan credits per month and all search filters except for “tag” and “vuln” (vulnerabilities), and you can keep track of up to 16 monitored IPs.
The Freelancer plan is $69 per month and contains up to 10,000 query credits and up to 5,120 scan credits and monitored IPs. You also get access to all search filters other than “tag” and “vuln.”
Membership and Freelancer are designed to accommodate individual users. But the $359 per month fee for Small Business plan contains up to 200,000 query credits and 65,536 scan credits and monitored IPs per month. All employees have access to all search filters except “tag.”
This is another Shodan plan for businesses and comes with a price of $1,099 per month. Users have unlimited query credits, and up to 327,680 scans and monitored IPs per month. There is also no limitation when it comes to search filters.
Like most subscription-based services, Shodan offers custom solutions for enterprises. The Enterprise plan doesn’t have any limitations in terms of query and scan credits, monitored IPs, search filters and you may even customize the number of users if necessary.
Because Shodan is widely used by academic researchers, universities can have a free upgrade to Membership plan, provided they have an academic email address.
Also, Shodan will provide an even more comprehensive academic upgrade to IT departments in institutions of higher education.
The idea behind this benefit is to allow experts to monitor changes on their network and get notifications whenever an issue comes up. It also allows them to keep their devices up to date in terms of security.
You can integrate Shodan into your personal projects using the Shodan API, but there are a few other integrations available. Shodan allows Arctic Hub integration, a well-known automated platform for cyber security monitoring.
You can also integrate Shodan into Microsoft Azure Sentinel, a cloud-based cyber security platform. Finally, developers and operations engineers can make the most of the Steampipe Shodan plugin.
Real-Life Example of Shodan in Action
If you’re not a cyber security expert, it can be challenging to fully understand the power of Shodan. That’s why it might be helpful to illustrate a real-life situation that exemplifies it.
Back in 2015, a botnet by the name of Encryptor RaaS became known as a tool that allows nefarious actors to launch ransomware campaigns. While they didn’t make much of a splash right away, in 2018 they had close to 2,000 victims and had branded themselves as “fully undetectable.”
But not too long after that, security professionals had found, using Shodan, that Encryptor RaaS servers were left vulnerable and exposed to the internet. Upon identifying where the botnet was hosted, law enforcement agencies were able to bring down the system and force the botnet to cease operation.
Practices That Limit IoT Vulnerabilities
One of the most valuable benefits of learning how Shodan works is that it gives you ideas on how to protect your private network and IoTs. Here are a few useful practices that will keep you protected from exposure and cyber-attacks.
Change your login details. Devices usually come with default login information, which hackers can break into easily. The best solution is to use a reliable password manager to generate and store safe passwords and change your login details frequently.
Reduce the number of devices connected to the internet. You can allow certain devices local-only access to your network, without compromising functionality.
Use a network firewall. Your network should have an adequately configured firewall. It efficiently prevents unauthorized requests to access devices behind it.
Minimize banner information. Many devices contain a large amount of information in their service banners. Users can remove all unnecessary data from banners, thus limiting the information available on search engines like Shodan.
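One way to check the "minimize banner information" practice on a service you operate, as an added example that is not from the original article: it scans banner text for product versions and platform hints in the `Server` and `X-Powered-By` headers and in an SSH identification string. The sample banners are constructed, and the header list is an assumption of this example.

```python
import re

# product/version tokens such as "Apache/2.4.41" or "PHP/7.4.3"
VERSIONED = re.compile(r"[A-Za-z][\w.\-]*/\d[\w.\-]*")
# parenthesised platform hints such as "(Ubuntu)"
PLATFORM = re.compile(r"\(([^)]+)\)")
# SSH identification string: SSH-protoversion-softwareversion [SP comments]
SSH_ID = re.compile(r"^SSH-[\d.]+-(?P<software>\S+)(?: (?P<comment>.+))?$")
# HTTP response headers that commonly carry product and version details
DISCLOSING_HEADERS = ("server", "x-powered-by")

# Constructed banners: the same web server before and after trimming its headers,
# plus an SSH identification string with an optional comment field.
BEFORE = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\n"
AFTER = "HTTP/1.1 200 OK\r\nServer: Apache\r\n"
SSH = "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5"


def audit_banner(data):
    """Return (kind, value) findings for details a banner gives away."""
    findings = []
    for line in data.splitlines():
        line = line.strip()
        ssh = SSH_ID.match(line)
        if ssh:
            # The software field is required by the protocol; the comment is optional.
            findings.append(("ssh-software", ssh["software"]))
            if ssh["comment"]:
                findings.append(("ssh-comment", ssh["comment"]))
            continue
        name, sep, value = line.partition(":")
        header = name.strip().lower()
        if not sep or header not in DISCLOSING_HEADERS:
            continue  # status line or a header this check does not cover
        findings += [(f"{header}-version", v) for v in VERSIONED.findall(value)]
        findings += [(f"{header}-platform", p) for p in PLATFORM.findall(value)]
    return findings


if __name__ == "__main__":
    for label, banner in (("before", BEFORE), ("after", AFTER), ("ssh", SSH)):
        print(label, audit_banner(banner))
```

An empty result for the trimmed banner means the service still answers but no longer states its version or platform in those headers.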
Using Shodan to Protect Your Devices and Network
The above-mentioned measures will lower the risk of your devices and networks becoming vulnerable to attacks.
However, if you truly want to stay on top of online security, using Shodan is the way to go. You’ll likely need to upgrade to a Membership plan at least in order to conduct more comprehensive research, which allows you to see exactly what information Shodan receives from specific IPs.
How to stay safe online:
- Practice Strong Password Hygiene: Use a unique and complex password for each account. A password manager can help generate and store them. In addition, enable two-factor authentication (2FA) whenever available.
- Invest in Your Safety: Buying the best antivirus for Windows 11 is key for your online security. A high-quality antivirus like Norton, McAfee, or Bitdefender will safeguard your PC from various online threats, including malware, ransomware, and spyware.
- Be Wary of Phishing Attempts: Be cautious when receiving suspicious communications that ask for personal information. Legitimate businesses will never ask for sensitive details via email or text. Before clicking on any links, ensure the sender's authenticity.
- Stay Informed. We cover a wide range of cybersecurity topics on our blog. And there are several credible sources offering threat reports and recommendations, such as NIST, CISA, FBI, ENISA, Symantec, Verizon, Cisco, Crowdstrike, and many more.
Author: Tibor Moes
Founder & Chief Editor at SoftwareLab