How to Use Shodan 2026 — The Hacker’s Search Engine Complete Guide

How do you use Shodan in 2026? Start with what it is: Shodan is the search engine that shows you everything the internet has accidentally left exposed. While Google indexes web pages, Shodan indexes services: every open port, every exposed database, every default-credential camera, every industrial control system, every unsecured API endpoint that any internet-connected device broadcasts when you connect to it. Over 15 billion indexed services. Today you are learning how to search them, filter them, and turn them into the most comprehensive passive recon source available for bug bounty and penetration testing.

🎯 What You’ll Master in This Guide

Understand what Shodan indexes and why it differs fundamentally from Google
Master the most valuable Shodan filters for bug bounty recon
Use Shodan dorks to find exposed admin panels, databases, and vulnerable services
Install and use the Shodan CLI on Kali Linux for automated recon
Set up Shodan alerts for continuous target monitoring

⏱️ 48 min read · 3 exercises


✅ This guide layers from first-principles explanation through advanced dork construction to CLI automation. The Shodan dorks section and CLI integration are the most useful for anyone who already knows the basics but is not yet integrating Shodan into their automated recon pipeline.

Shodan sits at the intersection of the OSINT tools and bug bounty recon methodology. It works at a layer between Maltego’s entity-relationship intelligence and Nmap’s active scanning — passive like Maltego, but focused on service characteristics rather than DNS relationships. For any organisation with internet-facing infrastructure, Shodan often reveals more attack surface than any other single passive source.


What Is Shodan and How It Indexes the Internet

Shodan was created by John Matherly in 2009. It works by continuously scanning the entire internet — all 4.3 billion IPv4 addresses — on common and uncommon ports, recording the service banner that each open port returns. A service banner is the raw response a network service sends when you connect to it before any credentials are supplied: the SSH version string, the HTTP server header, the database version announcement, the industrial control system model number.

This banner data is indexed and made searchable. When you search Shodan for MongoDB server information, you are searching the banners of every internet-facing MongoDB instance that Shodan has observed — including any that expose their databases without authentication. When you search for a specific CVE, Shodan returns every device whose banner contains indicators associated with that vulnerability.

What Shodan Indexes vs What Google Indexes
🌐 GOOGLE
Web page content
HTML text and links
Site titles and meta
Public documents
Does NOT index raw service responses

👁️ SHODAN
Service banners
Open port listings
SSL certificate data
Software versions
Exposed databases, cameras, SCADA

📸 Shodan vs Google indexing model — Google indexes web content; Shodan indexes service banners from every internet-connected device, revealing exposed services that web search cannot find.


Core Shodan Filters — The 10 Most Useful for Security Research

SHODAN FILTERS — COMPLETE REFERENCE
# Organisation filter — find all assets belonging to a company
org:"Target Company Name"
# Port filter — find specific exposed services
port:22 # SSH
port:3389 # RDP
port:27017 # MongoDB (often unauthenticated)
port:6379 # Redis (often unauthenticated)
port:9200 # Elasticsearch (often unauthenticated)
# Product / software filter
product:"Apache httpd"
product:"OpenSSH" version:"7.2"
# HTTP title filter — find specific web interfaces
http.title:"Admin Panel"
http.title:"phpMyAdmin"
http.title:"Kibana"
# Country filter
country:US org:"Target"
# Hostname filter — find by domain name
hostname:target.com
# Vulnerability filter (requires paid account)
vuln:CVE-2021-44228 # Log4Shell — internet-wide
# SSL certificate subject — find all certs for a domain
ssl.cert.subject.cn:target.com

🛠️ EXERCISE 1 — BROWSER (12 MIN · FREE SHODAN ACCOUNT)
Map a Bug Bounty Target’s Attack Surface Using Shodan Filters

⏱️ Time: 12 minutes · shodan.io free account required

Step 1: Go to shodan.io and log in (or create free account)

Step 2: Choose a company from a public bug bounty programme
Search: org:"[Company Name]"
Note: total number of results and top open ports shown

Step 3: Refine — add port filters for interesting services:
org:"[Company Name]" port:8080
org:"[Company Name]" port:8443
org:"[Company Name]" port:3389
Note: any non-standard ports or unexpected services?

Step 4: Search by hostname:
hostname:[company domain]
Compare results to your subfinder/amass subdomain list —
do the IPs match? Any new IPs not in your DNS results?

Step 5: Check SSL certificates:
ssl.cert.subject.cn:[company domain]
This often reveals subdomains covered by wildcard certs

Step 6: Look at any result carefully:
– What software version is running?
– Is there a default credential hint in the banner?
– Does the HTTP title suggest an admin interface?

Step 7: Note any findings that warrant further investigation
within the programme scope for your next testing session

IMPORTANT: Observation only — do not attempt to access any service.

✅ What you just learned: Shodan’s org and hostname filters give you a passive attack surface map in under 5 minutes that would take hours of active Nmap scanning. The SSL certificate filter is particularly powerful — it reveals infrastructure that DNS enumeration misses by correlating certificates to infrastructure. The combination of Shodan results with your subfinder subdomain list creates a comprehensive target inventory before you send a single request.

📸 Screenshot your Shodan org filter results and share in #shodan-recon on Discord.


Shodan Dorks 2026 — Targeted Queries for Bug Bounty Recon

Shodan dorks are pre-built queries combining multiple filters to find specific types of exposed or vulnerable services. These are the queries security researchers use to find the most interesting targets efficiently.

SHODAN DORKS — BUG BOUNTY AND SECURITY RESEARCH 2026
# Find exposed admin panels
http.title:"Admin" http.status:200 org:"Target"
http.title:"Dashboard" port:8080 org:"Target"
# Find Jenkins CI/CD instances (often exposed, often vulnerable)
http.title:"Dashboard [Jenkins]" port:8080
product:"Jenkins" org:"Target"
# Find exposed databases (unauthenticated)
port:27017 "MongoDB" -"authentication"
port:6379 "Redis" -"requirepass"
port:9200 "Elasticsearch" -"authentication"
# Find exposed Kubernetes dashboards
http.title:"Kubernetes Dashboard"
# Find exposed Grafana instances
http.title:"Grafana" http.status:200
# Find exposed Git repositories
http.title:"GitLab" port:80
http.title:"Gitea"
# Target-specific: combine org + service
org:"Target" http.title:"login" -"404"
org:"Target" port:22 product:"OpenSSH" version:"7.2"

🧠 EXERCISE 2 — THINK LIKE A HACKER (8 MIN · NO TOOLS)
Build a Shodan Recon Workflow for a Cloud-Heavy Target Organisation

⏱️ Time: 8 minutes · No tools required

You are targeting a mid-sized SaaS company for a bug bounty programme.
Their main product is a B2B analytics platform. From LinkedIn you know:
– They use AWS (EC2 instances, S3, RDS)
– Their engineering team uses GitHub and Jenkins CI/CD
– They have offices in 3 countries
– Their main domain is company.com

Design a Shodan recon sequence (5–7 queries) that would
map their internet-facing attack surface efficiently.

For each query:
1. Write the exact Shodan filter syntax
2. Explain what specific exposure you are looking for
3. Describe what a “hit” on that query would mean for testing

Consider:
– Which services are highest value for a SaaS company?
– Which services are most likely to be accidentally exposed?
– How would you use the org filter vs hostname filter vs ssl filter?
– What would a Jenkins or Kubernetes hit tell you about their
infrastructure security posture?

✅ Sample query sequence: (1) org:"Company" — baseline inventory. (2) hostname:company.com — match Shodan IPs against DNS. (3) ssl.cert.subject.cn:company.com — cert-revealed infrastructure. (4) org:"Company" port:8080 OR port:8443 — non-standard web services, often dev/staging. (5) org:"Company" http.title:"Jenkins" — CI/CD exposure. (6) org:"Company" port:6379 OR port:27017 — database exposure. (7) org:"Company" product:"Amazon S3" http.status:200 — publicly accessible storage. A Jenkins hit means potential secret exposure and pipeline manipulation. An open MongoDB means immediate Critical data access finding. Building the query sequence before opening Shodan makes your recon structured rather than random.

📸 Share your 5-query Shodan recon sequence in #shodan-recon on Discord.


Organisation Reconnaissance — Mapping a Target’s Full Attack Surface

The most systematic approach to Shodan org recon is to combine the org filter with your ASN (Autonomous System Number) if you can identify it. A company’s ASN covers all IP ranges they own — including ranges that are not obviously linked to the company name in WHOIS records. Find the ASN with tools like bgp.he.net and then use asn:AS12345 in Shodan for complete coverage.

ASN-BASED SHODAN RECON — COMPLETE COVERAGE
# Find a company's ASN via bgp.he.net or Shodan itself
https://bgp.he.net/search?search[search]=Company+Name&commit=Search
# Or from Shodan — org search shows ASN in results
org:"Target Company"
# Note the ASN number (e.g., AS12345) from any result
# Search all infrastructure under that ASN
asn:AS12345
# Combine ASN with service filters
asn:AS12345 port:8443
asn:AS12345 http.title:"login"
asn:AS12345 product:"Jenkins"
# Download all IPs in an ASN to a file (requires Shodan API)
shodan download --limit 1000 asn_results asn:AS12345
shodan parse --fields ip_str asn_results.json.gz | sort -u > asn_ips.txt


Shodan CLI on Kali Linux — Automated Recon Integration

⚡ EXERCISE 3 — KALI TERMINAL (20 MIN)
Install Shodan CLI and Run Your First Automated Recon Query

⏱️ Time: 20 minutes · Kali Linux, Shodan free account

SHODAN CLI SETUP AND FIRST QUERIES
# Step 1: Install Shodan Python library
pip install shodan --break-system-packages
# Step 2: Get your API key from shodan.io/account
# Step 3: Initialise Shodan CLI with your API key
shodan init YOUR_API_KEY_HERE
Successfully initialized
# Step 4: Check your account tier and remaining credits
shodan info
# Step 5: Search for an IP address (your own or a known test host)
shodan host 8.8.8.8
IP: 8.8.8.8 | Organization: Google LLC | Open ports: 53, 443
# Step 6: Search for exposed services (observe only)
shodan search --fields ip_str,port,org "http.title:Dashboard" --limit 5
# Step 7: Check what Shodan knows about your own IP
myip=$(curl -s ifconfig.me)
shodan host $myip
# Step 8: Count results for a query without downloading
shodan count "product:nginx"
shodan count "org:Google"

✅ What you just learned: The Shodan CLI turns any Shodan query into a scriptable tool — you can pipe results into jq, awk, grep, and other tools to build automated recon workflows. The shodan host command is particularly useful for quickly checking what Shodan knows about any IP you discover — it shows open ports, software, and historical data in seconds. Checking your own IP in Step 7 shows you what attackers see when they look at your home or lab network from the internet.

📸 Screenshot your Shodan CLI output showing an IP host result and share in #shodan-recon on Discord. Tag #shodan2026


Shodan vs Censys vs FOFA — Choosing the Right Tool

Shodan is the most well-known internet-wide scanner but it is not the only one. Censys and FOFA index overlapping but distinct subsets of the internet and sometimes surface infrastructure that Shodan misses. Using all three on high-value targets gives the most complete coverage.

Censys (censys.io) has particularly strong TLS/SSL certificate indexing and provides more structured data through its search API. The free tier allows 250 queries per month. For bug bounty, Censys is strongest for certificate discovery: search parsed.names: target.com to find all certificates mentioning your target domain — this reveals infrastructure that neither DNS enumeration nor Shodan certificate search catches. Censys Academic access is free for students.

FOFA (fofa.info) is a Chinese internet intelligence platform that indexes significant infrastructure in Asia-Pacific that Shodan under-represents. For programmes with global infrastructure, FOFA regularly finds assets in APAC regions that Shodan shows as empty. Its query syntax is similar to Shodan and a free tier with limited results is available without registration.

The combined workflow: Run the same org and hostname queries across all three platforms and merge the unique IP results. Feed the merged list into Nmap for service verification. Cross-reference with your subdomain enumeration results. The union of all three scanners produces a near-complete internet-facing asset inventory for any target.
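The cross-referencing step in Exercise 1, the "pipe results into other tools" point of Exercise 3 and the merge-with-DNS workflow above can all be scripted against a `shodan download` export. The following is an added example, not code from the article or from Shodan; it assumes the export is newline-delimited JSON carrying ip_str, port, product and http.title fields, and every record and IP in it is constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed records in the newline-delimited JSON shape `shodan download` writes.
SHODAN_EXPORT = """\
{"ip_str": "203.0.113.10", "port": 443, "product": "nginx", "org": "Example Corp", "http": {"title": "Example Corp"}}
{"ip_str": "203.0.113.10", "port": 22, "product": "OpenSSH", "version": "8.9", "org": "Example Corp"}
{"ip_str": "203.0.113.25", "port": 8080, "product": "Jetty", "org": "Example Corp", "http": {"title": "Dashboard [Jenkins]"}}
{"ip_str": "203.0.113.40", "port": 27017, "product": "MongoDB", "org": "Example Corp"}
"""
# Constructed: IPs that your subfinder/amass subdomain list resolved to.
DNS_RESOLVED_IPS = {"203.0.113.10", "203.0.113.11"}

# Ports the article calls out as often unauthenticated, and title hints for admin/CI UIs.
HIGH_RISK_PORTS = {27017: "MongoDB", 6379: "Redis", 9200: "Elasticsearch"}
ADMIN_TITLE_HINTS = ("jenkins", "kibana", "grafana", "admin", "dashboard")


def load_banners(text):
    """Parse newline-delimited JSON banners, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_inventory(banners):
    """Group services by IP: {ip: {(port, product, http_title), ...}}."""
    inventory = defaultdict(set)
    for banner in banners:
        title = (banner.get("http") or {}).get("title", "")
        inventory[banner["ip_str"]].add((banner["port"], banner.get("product", ""), title))
    return dict(inventory)


def find_shadow_ips(inventory, dns_ips):
    """IPs Shodan attributes to the org that DNS enumeration never saw."""
    return sorted(set(inventory) - set(dns_ips))


def flag_high_risk(inventory):
    """Return (ip, port, reason) for services that warrant priority review."""
    findings = []
    for ip, services in inventory.items():
        for port, product, title in sorted(services):
            if port in HIGH_RISK_PORTS:
                findings.append((ip, port, f"{HIGH_RISK_PORTS[port]} on its default port"))
            elif any(hint in title.lower() for hint in ADMIN_TITLE_HINTS):
                findings.append((ip, port, f"admin-style interface: {title}"))
    return findings


if __name__ == "__main__":
    inv = build_inventory(load_banners(SHODAN_EXPORT))
    for ip in find_shadow_ips(inv, DNS_RESOLVED_IPS):
        print(f"[not in DNS] {ip}")
    for ip, port, reason in flag_high_risk(inv):
        print(f"[review] {ip}:{port} {reason}")
```

Swap SHODAN_EXPORT for the contents of a real `shodan download` file and DNS_RESOLVED_IPS for your resolved subdomain list; the "not in DNS" lines are the shadow-IT candidates the workflow above asks you to look for.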


Shodan Alerts — Continuous Attack Surface Monitoring

Shodan Alerts are a paid feature that notifies you when new devices or services appear in Shodan’s index for a specified IP range or network. For bug bounty hunters, alerts set on a target company’s IP ranges mean you are notified whenever a new asset becomes internet-facing — before other hunters discover it. New assets are often freshly deployed and less hardened than established infrastructure.

To set up an alert: log into shodan.io, click “Monitor” in the navigation, then “Create Network Monitor”. Enter the target IP range (use the ASN-derived range from the org recon section). Choose which port and service changes trigger notifications. The free tier allows monitoring up to 16 IPs. Paid tiers expand this to full netblock monitoring.

🧠 QUICK CHECK — Shodan

You run the Shodan query org:"Target Corp" http.title:"Kibana" and find an internal Kibana dashboard accessible from the internet with no authentication. What is the severity and what data is likely exposed?



📋 Key Shodan Filters — Quick Reference 2026

org:"Company Name"
    Find all indexed assets belonging to an organisation
hostname:domain.com
    Find assets by domain name in banner or reverse DNS
ssl.cert.subject.cn:domain.com
    Find assets by SSL certificate common name
asn:AS12345
    Find all assets under a specific autonomous system number
http.title:"Admin Panel"
    Find exposed admin interfaces by page title
port:27017 -"authentication"
    Find unauthenticated MongoDB instances
shodan host IP
    CLI: get all Shodan data for a specific IP address
shodan init API_KEY
    CLI: configure Shodan API key for command-line use

❓ Frequently Asked Questions

What is Shodan and what makes it different from Google?
Shodan indexes internet-connected device service banners — SSH servers, open databases, cameras, industrial systems. Google indexes web page content. Shodan can find exposed services that have no web presence at all, making it the primary tool for discovering internet-facing attack surface.
Is using Shodan legal?
Searching Shodan is legal — you are querying a database of publicly observable information. What you do with findings matters: accessing any device without authorisation is illegal regardless of how you found it. Shodan is passive reconnaissance — finding something does not grant permission to access it.
What is a Shodan dork?
A Shodan dork combines multiple filters to find specific exposed device types. Examples: http.title:"phpMyAdmin" finds exposed database management interfaces; port:6379 -"requirepass" finds unauthenticated Redis instances. Public dork repositories cover hundreds of device types and vulnerability patterns.
How do I use Shodan for bug bounty recon?
Use org:"Company" for baseline inventory, hostname:domain.com for DNS correlation, ssl.cert.subject.cn for certificate-revealed infrastructure, and service-specific dorks for high-value targets. Cross-reference with subdomain enumeration results — Shodan IPs not in your DNS list may indicate shadow IT or forgotten assets.
Does Shodan require a paid account?
The free account provides 100 results per query and 100 API queries per month — sufficient for targeting individual organisations. The Shodan Freelancer plan ($19/month) increases limits significantly. Academic upgrade is free with an educational email address.
What types of devices can Shodan find?
Any internet-connected device with an accessible service: web servers, SSH/FTP servers, databases (MongoDB, Elasticsearch, Redis), network equipment, IoT devices (cameras, smart home), industrial control systems, VoIP, remote desktop (RDP/VNC), and cloud infrastructure. Over 15 billion indexed services as of 2026.

📚 Further Reading

  • Maltego Tutorial Kali Linux 2026 — Maltego provides entity-relationship OSINT mapping that complements Shodan’s service-banner intelligence — use both together for comprehensive passive recon.
  • Subdomain Enumeration Tools 2026 — The complete subdomain discovery pipeline using Subfinder, Amass, and crt.sh — cross-reference subdomain IPs against your Shodan org results for complete attack surface mapping.
  • OSINT Tools Guide — The complete OSINT tools category covering Shodan, Maltego, SpiderFoot, theHarvester, and every major passive intelligence gathering tool for security research.
  • Shodan Explore — Public Search Queries — The official Shodan community query library featuring thousands of curated dorks for finding specific device types, vulnerable services, and internet-wide vulnerability patterns.
  • Shodan CLI Documentation — Official Shodan command-line interface documentation covering all commands, output formats, and API integration for automated recon pipeline construction.
Mr Elite
Owner, SecurityElites.com
The Shodan search that surprised me most was running an org filter against a large insurance company during an authorised assessment. The scope said “all internet-facing assets.” Shodan found 847 of them. Their own IT team thought they had 200. The discrepancy came from years of acquired subsidiaries, forgotten test environments, and development servers that someone had opened a port on temporarily and then forgotten. Three of those 647 extra assets had no authentication at all — two were Kibana dashboards full of customer claims data, one was a Jenkins server with full access to their main product’s deployment pipeline. The CEO was told about these findings before the report was even written. Shodan found in 30 minutes what years of internal auditing had missed entirely.
