This skill should be used when the user asks to "search for exposed devices on the internet," "perform Shodan reconnaissance," "find vulnerable services using Shodan," "scan IP ranges with Shodan," or "discover IoT devices and open ports." It provides comprehensive guidance for using Shodan's search engine, CLI, and API for penetration testing reconnaissance.
Provide systematic methodologies for leveraging Shodan as a reconnaissance tool during penetration testing engagements. This skill covers the Shodan web interface, command-line interface (CLI), REST API, search filters, on-demand scanning, and network monitoring capabilities for discovering exposed services, vulnerable systems, and IoT devices.
# Using pip
pip install shodan
# Or easy_install
easy_install shodan
# On BlackArch/Arch Linux
sudo pacman -S python-shodan
# Set your API key
shodan init YOUR_API_KEY
# Verify setup
shodan info
# Output: Query credits available: 100
# Scan credits available: 100
# View credits and plan info
shodan info
# Check your external IP
shodan myip
# Check CLI version
shodan version
# Get all information about an IP
shodan host 1.1.1.1
# Example output:
# 1.1.1.1
# Hostnames: one.one.one.one
# Country: Australia
# Organization: Mountain View Communications
# Number of open ports: 3
# Ports:
# 53/udp
# 80/tcp
# 443/tcp
# Get honeypot probability score
shodan honeyscore 192.168.1.100
# Output: Not a honeypot
# Score: 0.3
# Simple keyword search (no credits consumed)
shodan search apache
# Specify output fields
shodan search --fields ip_str,port,os smb
# Product-specific search
shodan search product:mongodb
# Search with multiple filters
shodan search product:nginx country:US city:"New York"
# Get result count without consuming credits
shodan count openssh
# Output: 23128
shodan count openssh 7
# Output: 219
# Download 1000 results (default)
shodan download results.json.gz "apache country:US"
# Download specific number of results
shodan download --limit 5000 results.json.gz "nginx"
# Download all available results
shodan download --limit -1 all_results.json.gz "query"
# Extract specific fields from downloaded data
shodan parse --fields ip_str,port,hostnames results.json.gz
# Filter by specific criteria
shodan parse --fields location.country_code3,ip_str -f port:22 results.json.gz
# Export to CSV format
shodan parse --fields ip_str,port,org --separator , results.json.gz > results.csv