The Shodan Guide

Posted on June 20, 2025

What Is Shodan?

Shodan is the world’s most powerful search engine for internet-connected devices. It allows you to discover:

  • Exposed webcams
  • Remote desktops (RDP, VNC)
  • Industrial systems (SCADA/ICS)
  • Office printers and phones
  • Databases
  • Admin panels
  • Dev dashboards
  • Anything running online with an open port

Is Using Shodan Legal?

Yes—viewing is legal, but interacting is not. Shodan indexes data that is already publicly exposed to the internet. You can legally search for banners, open ports, and metadata. Attempting to access, modify, or exploit those systems is illegal and unethical.

This guide is for educational, auditing, and cybersecurity research only. Use it responsibly.

Beginner-Level Shodan Queries

Some basic examples of queries include:

nginx             # Finds Nginx web servers
port:80           # Finds HTTP services
country:DE        # Filters results to Germany
org:"testcompany" # Finds assets owned by an organization
os:"windows"      # Filters for Windows machines
title:"login"     # Identifies web login pages

Example combination:

nginx port:80 country:DE

How to Search by Coordinates

Shodan allows geo-based filtering using:

geo:LAT,LONG,RADIUS_KM

Examples:

To find RDP systems in Berlin within 15km:

port:3389 geo:52.5200,13.4050,15

To find IP cameras near Frankfurt:

has_screenshot:true title:camera geo:50.1109,8.6821,20

Most Commonly Exposed Ports and Devices

Here are the most frequently seen ports in Shodan searches:

  • 21 — FTP
  • 22 — SSH
  • 23 — Telnet
  • 80 — HTTP
  • 443 — HTTPS
  • 445 — SMB (Windows shares)
  • 631 — CUPS (Printers)
  • 9100 — Raw Printing (JetDirect)
  • 3389 — RDP (Remote Desktop)
  • 5900 — VNC
  • 5060 — SIP (VoIP)
  • 102 — Siemens S7 ICS
  • 502 — Modbus
  • 27017 — MongoDB
  • 3306 — MySQL
  • 9200 — Elasticsearch
  • 5601 — Kibana dashboards

Examples of Specific Exposed Devices

RDP (Remote Desktop Protocol)

Search for:

port:3389 "Remote Desktop" country:DE

You’ll often find Windows login screens exposed.

VNC Desktops

Search for:

port:5900 has_screenshot:true country:DE

These are frequently left unauthenticated and offer direct access to desktops.

IP Cameras

Search for:

port:554 has_screenshot:true country:ES

You may find public or industrial cameras with full video access.

Network Printers

Search for:

port:631 "printer" country:DE
port:9100 "HP LaserJet"

These interfaces may leak scanned documents or job logs.

VoIP Phones (e.g. Cisco, Yealink)

Search for:

port:5060 "SIP/2.0" country:DE

You may discover admin panels for phone systems with default credentials.

Dev Dashboards (e.g. Grafana, Kibana)

Search for:

title:"Grafana" port:3000 country:DE
title:"Kibana" port:5601

Useful for auditing misconfigured dashboards.

ICS / SCADA Systems

Search for:

port:102 Siemens country:DE
port:502 "modbus"

These are often used to manage critical infrastructure.

Open Databases

Search for:

port:27017 product:MongoDB
port:9200 "name:elasticsearch"

These often contain sensitive data with no authentication.

Find Vulnerable Devices (Shodan Membership Required)

You can search for devices affected by known vulnerabilities using CVEs. Examples include:

vuln:CVE-2023-3519
vuln:CVE-2021-22986

This functionality requires a Shodan account with membership or enterprise access.

Concatenating Queries with Boolean Logic

Use logical operators to combine or exclude elements:

  • AND (implicit): nginx port:80
  • OR: nginx OR apache
  • - (exclude): nginx -country:DE
  • "": Group multi-word phrases like title:"login page"
  • (): Group complex logic like (nginx OR apache) country:DE

Examples:

title:login country:DE -title:cisco
title:grafana geo:50.1109,8.6821,20
title:camera city:Berlin has_screenshot:true
product:MongoDB -org:"Amazon.com"
product:mysql -org:"Amazon.com"

Hacked Devices (Indicators of Compromise)

These often show signs of tampering, defacement, botnets, or malware infections.

Defaced Websites or Pages:

title:"hacked by"
html:"hacked by"
http.title:"hacked"
html:"Your files have been encrypted"

Crypto Miners Exposed:

"XMRig" port:3333
"XMRig" port:4444
title:"Monero Mining"
product:ethminer

Open Indexes / File Browsers

These expose entire file systems or directories due to misconfigured web servers.

title:"Index of /"
http.title:"Index of /"
html:"Index of /"
"Index of /backup"
"Index of /admin"

Examples of juicy targets:

title:"Index of /" country:DE
"Index of /" "config.php"

Bonus: Open Jenkins / Git / Dev Tools

title:"Dashboard [Jenkins]"
title:"Git repository" "Index of /"
title:"phpMyAdmin"
http.favicon.hash:-247388890   # phpMyAdmin

Shodan via the Command-Line Interface (CLI)

Install the Shodan CLI

You need Python and pip installed. Then run:

pip install -U shodan

Initialize with Your API Key

Get your API key from https://account.shodan.io/

Then run:

shodan init YOUR_API_KEY

Run Searches via CLI

Basic search:

shodan search apache

Search in Germany for nginx on port 80:

shodan search nginx country:DE port:80

Display specific fields only:

shodan search --fields ip_str,port,org nginx

Save results to a file:

shodan search nginx --limit 100 --save nginx-servers

Explore Hosts

To get detailed info about a specific IP:

shodan host 8.8.8.8

Bonus: Explore Services

List all available services (ports and protocols) found by Shodan:

shodan services

All the standard queries from the web version also work in the CLI, e.g. port:3389, title:"Index of /", org:test.
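Once results come back, the useful step for an asset owner is triage: which of your own hosts expose the services the port list above flags. The following script is an added example (not code from the original post or from Shodan); it works on the plain dict returned by the official shodan package's search() call, the same package the CLI above installs, so it can run on a constructed sample offline. The risk classification, the SHODAN_API_KEY environment variable and the sample hosts are this example's own assumptions.

```python
"""Triage Shodan search results for an organisation's own assets (added example)."""
import os
from collections import Counter

# Port -> service name, taken from the post's "most commonly exposed ports" list.
PORT_SERVICES = {
    21: "FTP", 22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS",
    445: "SMB", 631: "CUPS", 9100: "JetDirect", 3389: "RDP", 5900: "VNC",
    5060: "SIP", 102: "Siemens S7", 502: "Modbus", 27017: "MongoDB",
    3306: "MySQL", 9200: "Elasticsearch", 5601: "Kibana",
}
# Services that should not face the internet without strong authentication.
# This classification is the example author's assumption, not Shodan's.
HIGH_RISK = {"Telnet", "SMB", "RDP", "VNC", "Siemens S7", "Modbus",
             "MongoDB", "Elasticsearch", "JetDirect"}

def triage(result):
    """Turn a shodan.Shodan.search() result dict into (ip, port, service, risk) rows,
    HIGH-risk rows first, so the asset owner sees what to fix first."""
    rows = []
    for banner in result.get("matches", []):
        port = banner.get("port")
        # Fall back to the banner's product string for ports outside the post's list.
        service = PORT_SERVICES.get(port, banner.get("product") or "unknown")
        risk = "HIGH" if service in HIGH_RISK else "review"
        rows.append((banner.get("ip_str"), port, service, risk))
    return sorted(rows, key=lambda r: (r[3] != "HIGH", r[1] or 0))

def summarize(rows):
    """Count findings per risk level."""
    return Counter(r[3] for r in rows)

def fetch_org_exposure(org, limit=100):
    """Live query of your own org (assumes SHODAN_API_KEY is set); same dict shape as SAMPLE_RESULT."""
    import shodan  # official client from `pip install -U shodan`; imported only when querying
    api = shodan.Shodan(os.environ["SHODAN_API_KEY"])
    return api.search(f'org:"{org}"', limit=limit)

# Constructed sample in the shape of a search() result; TEST-NET addresses, not real hosts.
SAMPLE_RESULT = {"total": 3, "matches": [
    {"ip_str": "192.0.2.10", "port": 3389, "org": "testcompany", "product": "Remote Desktop Protocol"},
    {"ip_str": "192.0.2.11", "port": 443, "org": "testcompany", "product": "nginx"},
    {"ip_str": "192.0.2.12", "port": 27017, "org": "testcompany", "product": "MongoDB"},
]}

if __name__ == "__main__":
    for row in triage(SAMPLE_RESULT):
        print("%-12s %5s %-14s %s" % row)
    print(dict(summarize(triage(SAMPLE_RESULT))))
```

Replace SAMPLE_RESULT with fetch_org_exposure("your org name") to run the same triage against live results for assets you are authorised to audit.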

What You Can Discover with Shodan

  • Remote desktops exposed without authentication
  • IP cameras streaming offices or streets
  • Printers leaking job history and internal data
  • Dev dashboards showing internal metrics
  • VoIP phones with exposed control panels
  • SCADA devices powering critical infrastructure
  • Databases full of user info with no password

Conclusion

Shodan reveals the true attack surface of the internet. It's an essential tool for security researchers, pentesters, red teamers, and IT professionals.

Use it to protect your organization—not to exploit others.

Search, don’t touch. Scan ethically, act responsibly.

Note: While these are some of the most commonly exposed ports and devices, Shodan often reveals surprising services running on uncommon ports. This guide is just a starting point—there’s a lot more out there, and some of it is downright wild. The best way to discover it is to explore and experiment for yourself. Additionally, these are not all the devices exposed on the internet—only the ones that Shodan has indexed.

There are many other tools beyond Shodan that index internet-connected devices and services such as Censys, ZoomEye, GreyNoise, Netlas, Fofa, and BinaryEdge. In upcoming posts, we’ll break each of these down to explore their strengths, differences, and how you can use them for ethical cybersecurity research.

Resources:

https://www.shodan.io/