Shodan

Search engine for internet-connected devices — find exposed services worldwide.

Threat Intelligence | Freemium | Web App | Practiced in lab | SaaS

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain
1 Reconnaissance
2 Weaponization
3 Delivery
4 Exploitation
5 Installation
6 Command & Control
7 Actions on Objectives
Defender — IR Lifecycle
8 Detection / Monitoring
9 Containment & Eradication
10 Post-incident Forensics

Description

Shodan is the search engine for internet-connected devices. It continuously scans the public IPv4/IPv6 space and indexes banners from common services (HTTP, FTP, SSH, RDP, ICS/SCADA protocols, MQTT, MongoDB, RTSP cameras, etc.).

A CySA+ analyst uses Shodan to:

  • Discover shadow IT exposed on the public internet under their organisation's IP space.
  • Pivot during threat-intel work — find every host running a specific banner or self-signed cert.
  • Track exposure of vulnerable services (Heartbleed, Log4j, Exchange ProxyLogon).

Use cases

  • Continuous monitoring of org-owned ASNs for new exposures
  • Adversary-style reconnaissance of acquired companies
  • Tracking global IOC infrastructure

Example

# Filters
org:"Example Corp" port:3389       # exposed RDP under your org
product:Apache version:2.4.49      # CVE-2021-41773 candidates
ssl:"My Internal CA"               # leaked internal certs
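
For the continuous-monitoring use case listed above, the following is an added example (not part of the original page and not Shodan's own code) that compares two snapshots of banner records and reports services that newly appeared on organisation-owned ASNs. The sample records, `OWNED_ASNS`, `HIGH_RISK_PORTS` and the function names are assumptions made for the illustration; the snapshots are assumed to have been exported already as one JSON banner per line.

```python
import json

# Constructed sample data: two snapshots of Shodan-style banner records, one
# JSON object per line. Field names follow Shodan's banner format; every value
# is made up and uses documentation address ranges and private-use ASNs.
BASELINE = """\
{"ip_str": "192.0.2.10", "port": 443, "transport": "tcp", "product": "nginx", "asn": "AS64500"}
{"ip_str": "192.0.2.11", "port": 22, "transport": "tcp", "product": "OpenSSH", "asn": "AS64500"}
"""
CURRENT = """\
{"ip_str": "192.0.2.10", "port": 443, "transport": "tcp", "product": "nginx", "asn": "AS64500"}
{"ip_str": "192.0.2.11", "port": 22, "transport": "tcp", "product": "OpenSSH", "asn": "AS64500"}
{"ip_str": "192.0.2.25", "port": 8080, "transport": "tcp", "product": "Apache httpd", "asn": "AS64500"}
{"ip_str": "192.0.2.40", "port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol", "asn": "AS64500"}
{"ip_str": "198.51.100.7", "port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol", "asn": "AS64511"}
"""

OWNED_ASNS = {"AS64500"}  # assumption: the ASNs your organisation owns
# Services the description names as commonly exposed, keyed by default port.
HIGH_RISK_PORTS = {21: "FTP", 554: "RTSP", 1883: "MQTT", 3389: "RDP", 27017: "MongoDB"}


def load(jsonl):
    """Map (ip, port, transport) -> banner, keeping only owned ASNs."""
    services = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        banner = json.loads(line)
        if banner.get("asn") in OWNED_ASNS:
            key = (banner["ip_str"], banner["port"], banner.get("transport", "tcp"))
            services[key] = banner
    return services


def new_exposures(baseline, current):
    """Services in `current` that were absent from `baseline`, high-risk first."""
    old, new = load(baseline), load(current)
    added = [new[key] for key in new.keys() - old.keys()]
    return sorted(added, key=lambda b: (b["port"] not in HIGH_RISK_PORTS, b["ip_str"], b["port"]))


if __name__ == "__main__":
    for b in new_exposures(BASELINE, CURRENT):
        label = HIGH_RISK_PORTS.get(b["port"], "review")
        print(f'NEW {b["ip_str"]}:{b["port"]}/{b["transport"]} {b["product"]} [{label}]')
```

Keying on IP, port and transport rather than IP alone means a new service on an already-known host is still reported.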