CyberCheatsheets

Shodan Cheat Sheet

Search engine for Internet-connected devices, banners, ports, and exposed services via CLI and web.

Category: Reconnaissance & OSINT
Tags: banners, internet-scan, iot, osint
Updated 2026-06-02

Overview

Shodan indexes banner data from Internet-wide scanning. Use it for external attack surface mapping (open ports, vulnerable services, SSL certs, default creds indicators) without directly scanning—subject to API limits and legal use of data.

Authorized testing only. Query only organizations and IP ranges in scope. Shodan data is third-party—verify findings before reporting; do not access systems without permission.

Install

pip install shodan
shodan init YOUR_API_KEY
shodan --help

Essential commands

Host lookup

shodan host 1.2.3.4

Search (CLI)

shodan search 'hostname:target.example.com' --limit 100

Count results

shodan count 'org:"Target Corp"'

Common workflows

Domain / SSL cert pivot —

shodan search 'ssl.cert.subject.cn:"target.example.com"' --fields ip_str,port,hostnames
shodan domain target.example.com

Download results —

# shodan search has no -o option; download writes gzip-compressed JSON lines to results.json.gz
shodan download --limit 1000 results 'net:203.0.113.0/24'

Exploit / CVE context (metadata only) —

shodan search 'vuln:CVE-2021-44228 country:US' --fields ip_str,port,org

Monitor (account feature) —

shodan alert create "Client External" 203.0.113.0/24
shodan alert list

Parse with jq —

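# search prints columns only; download the full banners, then parse the JSON lines
shodan download results 'hostname:target.example.com'
gunzip -c results.json.gz | jq -r '.ip_str' | sort -u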

Flags: shodan search

'apache country:FR'               Search query (positional)
--limit 100                       Max results
--fields ip_str,port,hostnames    Columns to return
shodan download results 'query'   Write output to file (search has no -o option; creates results.json.gz)

Flags: shodan host

8.8.8.8      Target IP (positional)
--history    Include historical banners

Commands: shodan CLI

shodan count 'query'                          Result count only
shodan domain example.com                     DNS info for domain
shodan download results 'query'               Export large saved search (takes a filename and a query; writes results.json.gz)
shodan init YOUR_API_KEY                      Save API key locally
shodan stats --facets country,port 'query'    Facet statistics

Tips

  • Web UI filters (http.title, product, country, org, asn) map to CLI queries.
  • Free API keys have low credits—cache results and avoid redundant searches.
  • Correlate Shodan ports with your own nmap validation—banners can be stale.
  • For sensitive programs, prefer client-provided asset lists over broad org: searches.
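
Added example (not part of the original cheat sheet): a scope and staleness triage over exported banners, one JSON object per line, so that only in-scope and recently seen ports go forward to your own validation. The banner fields ip_str, port and timestamp are Shodan's; the function name, the 30-day threshold and the sample data are assumptions made for illustration.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample banners, one JSON object per line (not real scan data).
SAMPLE = """\
{"ip_str": "203.0.113.10", "port": 443, "timestamp": "2026-05-30T08:15:00.000000"}
{"ip_str": "203.0.113.10", "port": 8080, "timestamp": "2025-11-02T21:40:00.000000"}
{"ip_str": "198.51.100.7", "port": 22, "timestamp": "2026-05-29T10:00:00.000000"}
"""
SAMPLE_NOW = datetime(2026, 6, 2)  # fixed "current time" so the sample is reproducible


def triage(lines, scope_cidrs, now, max_age_days=30):
    """Sort banners into fresh, stale and out_of_scope lists of (ip, port).

    Assumption: banner timestamps are naive and in the same timezone as `now`.
    """
    scope = [ipaddress.ip_network(c) for c in scope_cidrs]
    buckets = {"fresh": [], "stale": [], "out_of_scope": []}
    for line in lines:
        if not line.strip():
            continue
        banner = json.loads(line)
        ip = ipaddress.ip_address(banner["ip_str"])
        entry = (banner["ip_str"], banner["port"])
        if not any(ip in net for net in scope):
            # Outside the agreed ranges: record it, but do not validate it.
            buckets["out_of_scope"].append(entry)
            continue
        seen = datetime.fromisoformat(banner["timestamp"])
        # Old banners may describe a service that no longer exists.
        key = "stale" if now - seen > timedelta(days=max_age_days) else "fresh"
        buckets[key].append(entry)
    return buckets


if __name__ == "__main__":
    report = triage(SAMPLE.splitlines(), ["203.0.113.0/24"], SAMPLE_NOW)
    for name, entries in report.items():
        print(name, sorted(set(entries)))
```

Stale entries are the ones most likely to disagree with a fresh scan, so re-check them first before anything goes into a report.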
