How to Use Shodan for OSINT Reconnaissance
Most people stumble across Shodan, spend five minutes on it, and walk away thinking it's a fancy port scanner with a web interface. It's not. In the hands of someone who knows what they're doing, Shodan is one of the most powerful passive reconnaissance tools on the planet — capable of surfacing exposed industrial control systems, misconfigured databases, vulnerable routers, and entire corporate attack surfaces without sending a single packet to your target.
This guide is for security professionals, penetration testers, and OSINT investigators who want to move past the basics and use Shodan the way it's actually used in real-world reconnaissance workflows.
What Is Shodan and Why It Matters for OSINT
Shodan is an internet-wide search engine that continuously crawls and indexes internet-connected devices — not web pages. Where Google indexes HTML content, Shodan indexes banners: the raw responses that servers, IoT devices, databases, routers, cameras, and industrial systems send back when probed on open ports.
Every entry in Shodan represents a real device on the real internet, along with its IP, open ports, service banners, SSL certificate details, geolocation, and ASN. That's a staggering amount of intelligence — and it's all passively harvested. You never touch the target. That's what makes it such a clean tool for OSINT reconnaissance.
Before we go further: use Shodan responsibly. Scanning and identifying exposed systems is legal in most jurisdictions when done passively, but actively exploiting anything you find is a different story entirely. Know your legal boundaries and your rules of engagement before you start.
Setting Up Shodan for Serious Recon
The free tier of Shodan gets you through the door, but it's limited — you get a handful of results per query and no access to the full API. For real reconnaissance work, a paid account is worth the investment. The membership unlocks full result sets, advanced filters, vulnerability data, and the API.
Once you have an account, install the Shodan CLI. It's a Python package; installing it and registering your API key takes two commands:
pip install shodan
shodan init YOUR_API_KEY
The CLI is faster for bulk queries and scripting. You'll use it alongside the web interface, depending on what you're hunting.
Mastering Shodan Search Filters
Raw keyword searches in Shodan are a starting point, not an endpoint. The real power comes from filters. These narrow your results to exactly what you're looking for, cutting through millions of irrelevant entries to surface the targets that matter.
Here are the filters you'll use constantly:
- org: — Filter by organization name. org:"Amazon" shows assets registered to Amazon's AS. Useful for mapping a company's cloud footprint.
- net: — Search a specific CIDR range. net:203.0.113.0/24 restricts results to a subnet you're investigating.
- hostname: — Match against reverse DNS entries. hostname:.gov surfaces government-facing assets with open services.
- port: — Filter by open port. Combine this with service-specific keywords to find exposed services fast.
- country: — Limit results by country code. country:BD restricts to Bangladeshi IP space, for example.
- os: — Filter by operating system. os:"Windows XP" in 2025 is a red flag that practically writes its own report.
- ssl.cert.subject.cn: — Match against the Common Name in SSL certificates. This is gold for tracking assets tied to a specific domain across different IP ranges.
- vuln: — Filter by CVE. This requires a paid account but is one of the most direct ways to find exposed vulnerable systems. vuln:CVE-2021-44228 will show you Log4Shell-affected hosts still sitting on the public internet.
Shodan Dorks: Queries That Actually Deliver
Just like Google dorks expose misconfigured web servers, Shodan dorks surface exposed services and devices that should never be public-facing. Here are some of the most practically useful ones:
Exposed Elasticsearch databases:
port:9200 json
Elasticsearch's default config ships with no authentication. Countless databases sit open on port 9200 with their full contents accessible to anyone who asks.
Open MongoDB instances:
port:27017 "MongoDB Server Information"
Legacy deployments with no authentication keep showing up. Shodan indexes the server-information banner, which is itself evidence of the exposure.
Industrial Control Systems (ICS/SCADA):
port:102 "Siemens"
Port 102 carries the Siemens S7 protocol. Finding these on the public internet is a major security finding in critical infrastructure assessments.
Pivoting in Shodan: How Real Investigations Work
Single queries are useful for surface-level recon. Real OSINT reconnaissance is about pivoting — using one data point to uncover the next, building a picture of an entire infrastructure from a handful of initial clues.
Say you're investigating a domain — let's call it target-company.com. You start with a passive DNS lookup to get their IP ranges, then move into Shodan with net: to scope their ASN. You identify a cluster of servers running the same version of nginx with an unusual custom header in the banner. That custom header is a fingerprint. Search Shodan for that exact banner string and suddenly you're not looking at one server — you're looking at their entire fleet.
Using the Shodan API for Scaled Investigations
When you need to process large result sets, the API is essential. Here's a minimal Python snippet to pull targets:
import shodan

api = shodan.Shodan("YOUR_API_KEY")
try:
    # Each match is one indexed banner: an IP/port pair plus its service data.
    results = api.search("org:\"Target Org\" port:443")
    for result in results['matches']:
        print(f"IP: {result['ip_str']} | Port: {result['port']}")
except shodan.APIError as e:
    print(f"Error: {e}")
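Building on the filter list and the API snippet above, here is an added example (not from the original article) that composes filter queries and triages a result set into a per-host exposure inventory, flagging the ports and CVE hits the article calls out. It assumes the match shape the shodan library returns from api.search(); the sample results are constructed so the code runs offline.

```python
"""Shodan result triage (added example, not from the article).

Assumes the shape api.search() returns: a dict whose 'matches' list entries
carry 'ip_str', 'port', 'hostnames' and an optional 'vulns' dict keyed by
CVE id. SAMPLE_RESULTS is constructed so the example runs offline.
"""
from collections import defaultdict

# Services the article singles out as things that should never face the internet.
RISKY_PORTS = {9200: "Elasticsearch", 27017: "MongoDB", 102: "Siemens S7"}

# Constructed stand-in for api.search(...); 'vulns' is how Shodan attaches CVEs.
SAMPLE_RESULTS = {"matches": [
    {"ip_str": "203.0.113.10", "port": 443,
     "hostnames": ["www.target-company.example"], "vulns": {}},
    {"ip_str": "203.0.113.10", "port": 9200,
     "hostnames": ["www.target-company.example"], "vulns": {}},
    {"ip_str": "203.0.113.22", "port": 8080,
     "hostnames": [], "vulns": {"CVE-2021-44228": {"verified": False}}},
]}

def build_query(*keywords, **filters):
    """Compose a query from free keywords and filter=value pairs: underscores
    become dots (ssl_cert_subject_cn -> ssl.cert.subject.cn) and values with
    spaces are quoted, e.g. org:"Target Org"."""
    parts = list(keywords)
    for key, value in filters.items():
        value = str(value)
        if " " in value:
            value = f'"{value}"'
        parts.append(f"{key.replace('_', '.')}:{value}")
    return " ".join(parts)

def triage(results):
    """Group matches by host and flag risky ports plus any attached CVEs."""
    hosts = defaultdict(lambda: {"ports": set(), "hostnames": set(), "findings": []})
    for m in results.get("matches", []):
        host = hosts[m["ip_str"]]
        host["ports"].add(m["port"])
        host["hostnames"].update(m.get("hostnames", []))
        if m["port"] in RISKY_PORTS:
            host["findings"].append(f"{RISKY_PORTS[m['port']]} exposed on {m['port']}")
        for cve in sorted(m.get("vulns") or {}):
            host["findings"].append(f"{cve} on port {m['port']}")
    return {ip: {**h, "ports": sorted(h["ports"])} for ip, h in hosts.items()}

if __name__ == "__main__":
    print(build_query(org="Target Org", port=443))  # org:"Target Org" port:443
    for ip, info in triage(SAMPLE_RESULTS).items():
        print(ip, info["ports"], info["findings"])
```

Swap SAMPLE_RESULTS for a live api.search(build_query(...)) response to turn this into a recurring check on your own organization's footprint.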

Passionate OSINT investigator and cybersecurity professional with over 3 years of experience. Expertise in web penetration testing, background checks, fraud detection, and uncovering digital fingerprints. Providing verified truth in the digital shadows.