Shodan: Searching the Internet of Connected Devices

Shodan tutorial for investigators: search exposed services, use filters and facets, read banners, and pivot from IP to organisation without crossing legal lines.



Where Google indexes web pages, Shodan indexes services. Every public-facing server, camera, industrial controller, and mail gateway broadcasts a banner that Shodan records. For an investigator, it is the fastest way to inventory an organisation's externally visible infrastructure.

Who this is for

Intermediate

Security-adjacent OSINT practitioners, journalists investigating infrastructure, and researchers verifying an organisation's digital footprint. You should already be comfortable with DNS and IP basics.

What you'll need

  • A free Shodan account for basic web search; a paid membership unlocks filters that matter for serious work.
  • Shodan CLI (optional): pip install shodan.
  • A second tool for cross-checking: Censys, ZoomEye, or FOFA.

How it works

Shodan runs continuous crawlers that connect to every reachable IPv4 address across common ports (and many uncommon ones), record the initial protocol banner, and parse it. The result is a queryable index of service metadata — not content. Shodan does not log into systems, and neither should you. Searches return what services advertise publicly at handshake time.

Step-by-step walkthrough

  1. Create an account and note your API key. Sign in at https://account.shodan.io/. Copy the API key from your account page. Configure the CLI:

    shodan init YOUR_API_KEY
    
  2. Run a basic organisation search.

    org:"Example Corp"
    

    Shodan's org: filter matches the organisation field from reverse DNS and routing data. It is imprecise — expect false positives from shared hosts.

  3. Narrow by network.

    net:203.0.113.0/24
    

    If you have an ASN for the target:

    asn:AS15169
    

    AS-scoped searches are the most reliable way to map an organisation's real footprint.

  4. Filter by service, port, and product.

    org:"Example Corp" port:443
    org:"Example Corp" product:"Apache httpd"
    org:"Example Corp" http.title:"login"
    

    Combine filters with spaces (implicit AND). Negate with -filter:value.

  5. Read the banner carefully. Each result shows the raw service response. Look for software versions, hostname hints in TLS certificates, cloud provider headers (Server: cloudflare, x-amz-*), and timestamp fields. The TLS SAN list is often the single most useful field — it enumerates every hostname bound to that cert.

  6. Use facets for a sector view.

    shodan stats --facets org,country,port 'country:US product:"RDP" port:3389'
    

    Facets aggregate results by field. This turns a search into a quick demographic of exposure across a sector.

  7. Pivot to the organisation. For every interesting IP, check:

    • Reverse DNS (dig -x <ip>).
    • TLS certificate SAN entries.
    • ASN and routing (whois -h whois.cymru.com " -v <ip>").
    • Censys for an independent view of the same host.

  8. Export responsibly.

    shodan download example-export "org:\"Example Corp\" port:443"
    shodan parse --fields ip_str,port,hostnames,org example-export.json.gz
    

    Exports consume query credits. Pull only what your investigation requires.
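    The banner reading in step 5, the facet view in step 6 and the export parsing in step 8 can all be done offline against the file that shodan download writes (gzipped newline-delimited JSON, one record per line). The following is an added example, not Shodan's own code: it loads a few constructed records, pulls the fields an investigator notes from each banner (Server header, cloud hints, certificate CN and SAN hostnames), counts results per org and port the way facets do, and flags records whose last scan is older than a chosen number of days. The record field names follow the export format; the layout assumed for ssl.cert.extensions (a subjectAltName entry whose data is a comma-separated DNS: list) is an assumption and should be checked against your own export.

```python
"""Offline reading of a Shodan export (added example, not Shodan's own code).

Input is the newline-delimited JSON written by `shodan download`, after
gunzip. The records below are constructed and use documentation ranges.
"""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample export: three records, not real scan data.
# The ssl/cert layout is an assumption about the export format.
SAMPLE_EXPORT = r'''
{"ip_str": "203.0.113.10", "port": 443, "org": "Example Corp", "asn": "AS64496", "hostnames": ["www.example.com"], "timestamp": "2024-01-15T10:22:31.000000", "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Ubuntu)\r\nx-amz-request-id: abc123\r\n\r\n", "ssl": {"cert": {"subject": {"CN": "www.example.com"}, "extensions": [{"name": "subjectAltName", "data": "DNS:www.example.com, DNS:mail.example.com, DNS:vpn.example.com"}]}}}
{"ip_str": "203.0.113.11", "port": 3389, "org": "Example Corp", "asn": "AS64496", "hostnames": [], "timestamp": "2024-03-02T04:05:06.000000", "data": "Remote Desktop Protocol\r\nNTLM Info:\r\n"}
{"ip_str": "198.51.100.7", "port": 443, "org": "Cloud Host LLC", "asn": "AS64497", "hostnames": ["shop.example.net"], "timestamp": "2024-03-03T12:00:00.000000", "data": "HTTP/1.1 302 Found\r\nServer: cloudflare\r\n\r\n"}
'''

SERVER_RE = re.compile(r"^Server:\s*(.+?)\s*$", re.MULTILINE | re.IGNORECASE)
# Substrings that hint the IP belongs to a cloud/CDN provider, not the tenant.
CLOUD_HINTS = ("server: cloudflare", "x-amz-")


def load_export(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def san_hostnames(cert):
    """Assumed layout: a subjectAltName extension with 'DNS:a, DNS:b' data."""
    names = []
    for ext in cert.get("extensions", []):
        if ext.get("name") == "subjectAltName":
            for entry in ext.get("data", "").split(","):
                entry = entry.strip()
                if entry.startswith("DNS:"):
                    names.append(entry[4:])
    return names


def read_banner(rec):
    """Step 5: the fields worth noting from one export record."""
    banner = rec.get("data", "")
    match = SERVER_RE.search(banner)
    cert = rec.get("ssl", {}).get("cert", {})
    return {
        "ip": rec["ip_str"],
        "port": rec["port"],
        "org": rec.get("org"),
        "asn": rec.get("asn"),
        "server": match.group(1) if match else None,
        "cloud_hints": [h for h in CLOUD_HINTS if h in banner.lower()],
        "cn": cert.get("subject", {}).get("CN"),
        # rDNS hostnames and certificate SANs merged: the pivot set for step 7.
        "hostnames": sorted(set(rec.get("hostnames", [])) | set(san_hostnames(cert))),
    }


def facets(records, fields=("org", "port")):
    """Step 6 done locally: number of records per value of each field."""
    return {f: Counter(str(r.get(f)) for r in records) for f in fields}


def stale(records, now_iso, max_days=30):
    """Pitfall: IPs whose last scan is older than max_days relative to now_iso."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    out = []
    for r in records:
        seen = datetime.fromisoformat(r["timestamp"]).replace(tzinfo=timezone.utc)
        if (now - seen).days > max_days:
            out.append(r["ip_str"])
    return out


if __name__ == "__main__":
    recs = load_export(SAMPLE_EXPORT)
    for rec in recs:
        print(read_banner(rec))
    print(facets(recs))
    print("re-verify before citing:", stale(recs, "2024-03-10T00:00:00"))
```

Run it against a real export with `gzip -dc example-export.json.gz` piped into load_export. The merged hostnames list is the input to the step 7 pivot, and anything returned by stale() is a lead to re-check live rather than a fact to publish.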

Common pitfalls

  • Treating Shodan banners as current. Banners are as old as the last scan, often weeks out of date. Verify live state with a polite curl -I before publishing any claim.
  • Over-interpreting org: matches. Many organisations sit on shared or cloud infrastructure where the org: field reflects the cloud provider, not the tenant.
  • Assuming a "login" page means a vulnerability. A management interface being reachable is not the same as it being exploitable.
  • Scanning or probing beyond Shodan's data. Running your own port scans or attempting authentication moves you from passive OSINT into active reconnaissance, which is regulated in many jurisdictions.

Verifying your findings

A Shodan result is a lead. To turn it into evidence, pair the banner screenshot with: the exact query, the result timestamp, the IP and ASN, the reverse DNS, and an independent confirmation from Censys or certificate transparency logs. Document the chain in your source log as described in the analysis phase guide.


Apply this in practice

See infrastructure mapping used alongside WHOIS in the tracking a disinformation network case study. For investigations that combine infrastructure discovery with long-form document analysis, explore the Epstein Revealed investigation series.