Shodan Query Syntax and Filters

Lesson

Shodan is a powerful tool for searching devices connected to the internet - this includes the Internet of Things as well as traditional web-facing systems like servers and routers. It is commonly used by security researchers, offensive security testers and bug bounty hunters to identify exposed systems which may present security vulnerabilities, or by threat analysts to track infrastructure used by cyber attackers. Shodan also has attack surface management capabilities to help organizations monitor their 'external attack surface' so that they can quickly identify and remediate any cyber security risks from exposed systems.

Shodan works by regularly scanning the internet - for every IP address it captures the data returned by open TCP and UDP ports. This data is commonly referred to as a 'banner' and provides information about what services and protocols are running on the different ports of a system - for example a web server, SSH, or maybe Modbus for a connected industrial control system (ICS). All of this data is parsed and processed, allowing you to search based on the raw banner data or on specific properties like IP address, open ports or product.

When you click through to a Shodan result page, it combines all banners and properties for a given IP address on the 'Regular View' but if you select the 'Raw Data' tab, you can explore the details for the separate results from different UDP and TCP ports. The 'Raw Data' page also lets you copy the result as raw JSON for further analysis in the tool of your choice.

With great power comes great responsibility. Although using Shodan search is likely to be legal in many jurisdictions, you should never use information from Shodan to then interact with any systems identified in a way that the system's owner doesn't intend.

Query Syntax

Running a search with just free text will query the raw banner data. For example, searching for just apache will look for any banners containing the word apache (case-insensitive) anywhere in the banner text.

You can then use Shodan filters to be more specific - these take the format of

filtername:value

If the value you are searching for includes spaces then you need to wrap it in quotes. For example:

product:"Apache Tomcat"

Filters may be network based (such as IP address or open ports) or application based (such as identified application, or HTML content).

Multiple Filters

In Shodan, you can apply multiple different filters simply by including multiple filter:value pairs in your query, separated with a space. Shodan automatically interprets these as being 'ANDed' together. For example, the following query would search for entries which match the IP address '1.1.1.1' AND are returned from port '53'.

ip:1.1.1.1 port:53

Multiple Values

OR

If you want to match on any one of multiple values, you can just comma separate them. For example, the following filter will match banners seen on port 21, 22 OR 443.

port:21,22,443

AND

In some circumstances, you might want to match all of a set of values. In this case, you can specify them as separate filter:value pairs. Note that some filters can't be 'ANDed' together such as locations, ports or IP addresses because a given banner entry can only be in a single location and on a single port and IP address.

The following example would return results with both 'Fox' and 'Search' in the title of a web page.

http.title:"Fox" http.title:"Search"

Negating Conditions

Shodan also lets us negate terms in search queries with a minus (-) in front of the filter:value pair you want to exclude from results (-filter:value).

For example, the following search could help identify OpenSSH servers running on non-standard ports:

OpenSSH -port:22

Combining filters

We can put this together to combine different filters for complex queries which can help narrow down results.

For example, the query below matches FTP (port 21) or SSH (port 22) banners located in Germany (DE) or the US, excluding any in Los Angeles.

port:21,22 country:DE,US -city:"Los Angeles"
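The rules above (space = AND, comma = OR, minus = NOT, quotes around values with spaces, and no ANDing of single-valued filters such as port, IP or location) are mechanical enough to encode. The following is an added example, not Shodan's own tooling: a small query builder that applies those rules and refuses to emit an AND of two port, ip or location filters, which could never match a banner; the filter names and the `SINGLE_VALUED` set are taken from the text above.

```python
import re
from typing import Iterable, Sequence, Tuple, Union

Value = Union[str, int, Sequence[Union[str, int]]]
Filter = Tuple[str, Value]

# A banner has exactly one of each of these, so repeating them as separate
# filter:value pairs (an AND) can never match; alternatives go in one comma list.
SINGLE_VALUED = {"ip", "port", "country", "state", "city"}


def _format_value(value: Union[str, int]) -> str:
    """Quote a value only when it contains whitespace, as the syntax requires."""
    text = str(value)
    return f'"{text}"' if re.search(r"\s", text) else text


def _pair(name: str, values: Value, negate: bool = False) -> str:
    """Render one filter:value pair; a list of values is comma-joined (OR)."""
    if isinstance(values, (str, int)):
        values = [values]
    joined = ",".join(_format_value(v) for v in values)
    return f"{'-' if negate else ''}{name}:{joined}"


def conflicting_filters(filters: Iterable[Filter]) -> list:
    """Names from SINGLE_VALUED that appear more than once (an impossible AND)."""
    counts: dict = {}
    for name, _ in filters:
        counts[name] = counts.get(name, 0) + 1
    return sorted(n for n, c in counts.items() if c > 1 and n in SINGLE_VALUED)


def build_query(text: str = "", filters: Iterable[Filter] = (),
                exclude: Iterable[Filter] = ()) -> str:
    """Compose a Shodan query: free text, then ANDed filters, then -negations."""
    filters = list(filters)
    clash = conflicting_filters(filters)
    if clash:
        raise ValueError(f"cannot AND single-valued filters {clash}; "
                         "put the alternatives in one comma-separated value")
    parts = [text] if text else []
    parts += [_pair(name, value) for name, value in filters]
    parts += [_pair(name, value, negate=True) for name, value in exclude]
    return " ".join(parts)


if __name__ == "__main__":
    # Reproduces the combined query from the text above.
    print(build_query(filters=[("port", [21, 22]), ("country", ["DE", "US"])],
                      exclude=[("city", "Los Angeles")]))
```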

Shodan facets

Certain fields in Shodan results can return information about the category of the device or service based on analysis done behind the scenes.

It's not always obvious which facets/categories are available so you can use Shodan's facet analysis page to see what's out there.

Facet examples to explore:

Filters and Examples

This section gives an overview of some popular filters. You can explore more about the types of data that can be filtered on by looking at Shodan's Datapedia.

Raw Banner Data

Running a search on plain text will simply look for that text in device banners. For example, the following query will return banners with the word 'dropbear'.

dropbear

IP Address

Search for one or more IP addresses with the ip filter.

ip:8.8.8.8
ip:1.1.1.1,8.8.8.8

IP Address Range

The net filter supports search for a network range with CIDR notation:

net:18.9.47.0/24

Hostname

Shodan's hostname filter uses hostnames associated with an IP address based on PTR/reverse DNS lookups.

hostname:"example.com"

Port

Search for one or more open TCP/UDP ports.

port:443
port:22,2222

Location

Shodan geolocates IP addresses to give a rough location - note that this is not usually precise and may sometimes be completely wrong or at least misleading.

You can search at different levels of granularity including country, region, state and city. Country expects a country code.

country:US
state:PA
city:Philadelphia

ASN

An autonomous system number (ASN) is a 16-bit number which uniquely identifies a given 'autonomous system' (AS). An AS is a group of IP networks with a single, clearly defined routing policy.

asn:"AS396982"

Organization

The org filter is used to search on the name of a network owner.

org:google

Products

Shodan has native support for identifying many different 'products' which are popular network services that they've fingerprinted for searching. They can be searched with the product filter and Shodan's Datapedia has a comprehensive list.

The example below will return Cobalt Strike Beacon servers. This query can be used by cyber threat intelligence analysts to track the use of Cobalt Strike which is an offensive command and control (C2) tool.

product:"cobalt strike beacon"

Below are further examples in different categories - to search for them, just use the product filter combined with the given product name product:<product name>.

Malware and C2s

You can use Shodan to hunt other malicious software and command and control servers which they track as products:

You can also use the malware tag: tag:malware.

Databases

Network Infrastructure

Internet of Things (IoT)

HTTP Elements

Where Shodan identifies a web server - a network service which serves HTML over HTTP(S) - it indexes certain properties about the data served. It doesn't crawl the site, so you will only see data for whatever page is served at the root/homepage for a given port on a given IP address (for example index.html).

HTML

You can search for a string seen anywhere within the HTML - a bit like a Google search, but looking only at homepages. For example, this can help find servers associated with particular organizations or running particular web frameworks and platforms.

http.html:joomla

Title

If you want to search for a specific HTML title tag, you can use the http.title filter.

http.title:"Apache2 Ubuntu Default Page: It works"

Component

Shodan runs some processing on web pages to try and fingerprint popular components (such as web frameworks) which are used.

http.component:bootstrap

Lots of components are supported, but some common ones are:

As you explore search results, you will see the breadth of components available - displayed as Web Technologies. You can also use Facets to see the different HTTP components and relative popularity.

Hashes

Shodan also stores hashes for a number of key site elements. A hash is a one-way function which generates a fixed-length output value that is, in practice, unique to each distinct input.

For example, Shodan generates a hash for the favicon of a website (the little image you see on the browser tab). This means that to find all websites that use the same favicon, you can search on the hash value.

http.favicon.hash:-1118725322

This lets you use the hashed property as a pivot point. If you find infrastructure of interest, you can look for all other servers which have an identical property (such as re-using a favicon).

The different site properties which Shodan calculates a hash for are:

There are also a couple of other, non-HTTP hashes that you can search on:

SSL

The complexities of encryption mean that information about how a site handles TLS (or its predecessor, SSL) can be an effective way of profiling or fingerprinting a server. Shodan offers many options, but some of the most common are:


Questions

Test your knowledge with these questions.

No - Shodan estimates location based on IP address but this shouldn't be relied on as accurate geolocation.

HTTP components are popular website tools and libraries which have been fingerprinted by Shodan. They are displayed on results pages as 'Web Technologies'.

The 'net' filter supports search for a network range with CIDR notation: 'net:18.9.47.0/24'
