Shodan Reconnaissance

• Asset Inventory: List of discovered hosts, ports, and services
• Vulnerability Report: Identified CVEs and exposed vulnerable services
• Banner Data: Service banners revealing software versions
• Network Mapping: Geographic and organizational distribution of assets
• Screenshot Gallery: Visual reconnaissance of exposed interfaces
• Exported Data: JSON/CSV files for further analysis

Core Workflow

1. Setup and Configuration

Install Shodan CLI

# Using pip
pip install shodan

# Or easy_install
easy_install shodan

# On BlackArch/Arch Linux
sudo pacman -S python-shodan

Initialize API Key

# Set your API key
shodan init YOUR_API_KEY

# Verify setup
shodan info
# Output: Query credits available: 100
#         Scan credits available: 100

Check Account Status

# View credits and plan info
shodan info

# Check your external IP
shodan myip

# Check CLI version
shodan version

2. Basic Host Reconnaissance

Query Single Host

# Get all information about an IP
shodan host 1.1.1.1

# Example output:
# 1.1.1.1
# Hostnames: one.one.one.one
# Country: Australia
# Organization: Mountain View Communications
# Number of open ports: 3
# Ports:
#   53/udp
#   80/tcp
#   443/tcp

Check if Host is Honeypot

# Get honeypot probability score
shodan honeyscore 192.168.1.100

# Output: Not a honeypot
#         Score: 0.3

3. Search Queries

Basic Search (Free)

# Simple keyword search (no credits consumed)
shodan search apache

# Specify output fields
shodan search --fields ip_str,port,os smb

Filtered Search (1 Credit)

# Product-specific search
shodan search product:mongodb

# Search with multiple filters
shodan search product:nginx country:US city:"New York"

Count Results

# Get result count without consuming credits
shodan count openssh
# Output: 23128

shodan count openssh 7
# Output: 219

Download Results

# Download 1000 results (default)
shodan download results.json.gz "apache country:US"

# Download specific number of results
shodan download --limit 5000 results.json.gz "nginx"

# Download all available results
shodan download --limit -1 all_results.json.gz "query"

Parse Downloaded Data

# Extract specific fields from downloaded data
shodan parse --fields ip_str,port,hostnames results.json.gz

# Filter by specific criteria
shodan parse --fields location.country_code3,ip_str -f port:22 results.json.gz

# Export to CSV format
shodan parse --fields ip_str,port,org --separator , results.json.gz > results.csv

4. Search Filters Reference

Network Filters