Shodan is a search engine for internet-connected devices that indexes service "banners," HTTP headers, and other metadata across the IPv4 address space to reveal exposed systems and configuration risks. Security teams use it to discover exposed Internet of Things (IoT) devices, identify security flaws, and prioritize remediation. This guide shows how to turn Shodan discovery into outcomes with Bugcrowd, connecting exposure data to external attack surface management and managed pentesting to validate what matters.
IT and security professionals use Shodan to perform reconnaissance on their own systems, as well as to gather intelligence on potential vulnerabilities and threats. Shodan can help security teams identify exposed devices and systems that are at risk of being compromised, and it can be used to search for devices that may have been compromised and are being used as part of a botnet.
In this blog post, we’ll take a closer look at what Shodan is, how it works, and how IT and security professionals can use it to improve their security posture.
Shodan's best-known use is searching for IoT devices such as security cameras, medical instruments, and more recently smart home appliances such as fridges and doorbells. Such devices typically have limited processing power, which leaves little room for security features, and there may be approximately 31 billion of them in use today.
Shodan collects data by probing common ports and recording whatever the service sends back, typically an FTP banner (port 21) or HTTP headers (port 80/443). Those responses become the asset's details (open ports, product, version, country code). You can refine results with Shodan filter attributes like country:US, port:21, or http.title:"Welcome to nginx!". Results roll up by IPv4 address, with hostnames and any IP alias information helping you understand the exposure in context.
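To make the collection and filtering step concrete, here is an added example (written for this post, not Shodan's own code) that turns raw FTP and HTTP responses into asset records and then evaluates Shodan-style filters such as port:21 country:US and http.title:"Welcome to nginx!" against them. The three responses are constructed, and the record layout (ip_str, port, product, version, hostnames, location.country_code, http.title) is modelled on Shodan's banner JSON but should be read as an assumption rather than a full specification; free-text search is not supported, only field filters.

```python
"""Added example for this post (not Shodan's code): turn raw service responses
into banner records shaped like Shodan's results, then evaluate Shodan-style
filters (country:US, port:21, http.title:"Welcome to nginx!") against them.
The responses are constructed; the record field names (ip_str, port, product,
version, hostnames, location.country_code, http.title) follow Shodan's banner
JSON, but treat that layout as an assumption rather than a full specification."""
import re
import shlex
from typing import List

# Constructed crawler output: one raw response per (ip, port), RFC 5737 addresses.
SAMPLE_RESPONSES = [
    {"ip_str": "203.0.113.10", "port": 21, "country_code": "US",
     "hostnames": ["ftp.example.com"],
     "data": "220 ProFTPD 1.3.5e Server (Debian) [::ffff:203.0.113.10]\r\n"},
    {"ip_str": "203.0.113.11", "port": 80, "country_code": "US", "hostnames": [],
     "data": ("HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n"
              "Content-Type: text/html\r\n\r\n"
              "<html><head><title>Welcome to nginx!</title></head></html>")},
    {"ip_str": "198.51.100.7", "port": 21, "country_code": "DE",
     "hostnames": ["files.example.net"], "data": "220 (vsFTPd 3.0.3)\r\n"},
]

# FTP greeting formats we fingerprint: "220 ProFTPD 1.3.5e Server ..." and "220 (vsFTPd 3.0.3)".
FTP_PATTERNS = [
    re.compile(r"^220[ -].*?(ProFTPD) (\S+)"),
    re.compile(r"^220 \((vsFTPd) (\S+)\)"),
]


def parse_banner(resp: dict) -> dict:
    """Build an asset record (open port, product, version, country, hostnames)."""
    rec = {"ip_str": resp["ip_str"], "port": resp["port"],
           "hostnames": resp["hostnames"],
           "location": {"country_code": resp["country_code"]},
           "product": None, "version": None, "http": {}}
    data = resp["data"]
    if data.startswith("HTTP/"):
        head, _, body = data.partition("\r\n\r\n")
        headers = {}
        for line in head.split("\r\n")[1:]:          # skip the status line
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        server = headers.get("server", "")
        if server:                                    # "nginx/1.18.0" -> product, version
            rec["product"], _, version = server.partition("/")
            rec["version"] = version or None
        title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
        rec["http"] = {"title": title.group(1).strip() if title else None,
                       "server": server or None}
    else:
        for pattern in FTP_PATTERNS:
            m = pattern.match(data)
            if m:
                rec["product"], rec["version"] = m.group(1), m.group(2)
                break
    return rec


# Shodan filter name -> dotted path inside a record.
FILTER_FIELDS = {"country": "location.country_code", "port": "port",
                 "http.title": "http.title", "product": "product",
                 "version": "version", "hostname": "hostnames"}


def _lookup(rec: dict, dotted: str):
    cur = rec
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(rec: dict, query: str) -> bool:
    """True if every filter term in the query holds for the record (terms are ANDed;
    a quoted value such as http.title:"Welcome to nginx!" is a single term)."""
    for term in shlex.split(query):
        key, _, value = term.partition(":")
        if key not in FILTER_FIELDS:
            raise ValueError(f"unsupported filter: {key}")
        actual = _lookup(rec, FILTER_FIELDS[key])
        if key == "hostname":                         # substring match on any hostname
            if not any(value.lower() in h.lower() for h in actual):
                return False
        elif key == "port":
            if actual != int(value):
                return False
        elif actual is None or str(actual).lower() != value.lower():
            return False
    return True


def search(query: str, responses=SAMPLE_RESPONSES) -> List[dict]:
    """Local stand-in for a Shodan query over the constructed responses."""
    return [rec for rec in map(parse_banner, responses) if matches(rec, query)]
```

The point of the parser half is that everything Shodan knows about a host is derived from what the host volunteered on connect: a Server header or a 220 greeting is enough to fingerprint product and version, which is exactly why those strings are worth trimming on your own internet-facing services.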
Unfortunately, IoT devices have also caused major security issues, first brought to public attention when one of the largest Distributed Denial of Service (DDoS) attacks on record was carried out by the Mirai botnet, which consisted mostly of compromised IoT devices.
Shodan is not limited to IoT, though: it crawls every internet-connected device it can reach, whether a laptop, server, printer, or anything else with a public IP address. This can prove immensely useful in uncovering poorly configured devices that expose sensitive data.
After you enter a search term, Shodan does not scan the internet on demand; it searches its index of previously collected banners and returns every host that matches your query. It then summarizes the results in a variety of categories, including locations, device types, and operating systems.
Shodan can be used to find all of these things and more. If you have unprotected devices that have recently been connected to the internet, Shodan is a quick way to find them.
Shodan is an excellent source for finding any of your internet-connected devices that run vulnerable software. These devices are often the first to be targeted by attackers, who can use them to launch DDoS attacks or steal sensitive data. By searching for them, enterprise organizations and security teams learn which vulnerable devices need to be secured first.
One of the most prominent and daunting finds with the Shodan search engine was the presence of webcams and security cameras exposed with no authentication. A Wired article in 2013 was among the first to bring this to attention, and 12 years later similar issues persist: while not as prevalent, a quick search still reveals CCTV cameras exposed through Shodan.
In another blog post, we explored how Remote Desktop Protocol (RDP) exposure increased due to COVID-19. RDP is a common way for attackers to enter a network before deploying ransomware. Shodan's own blog reported that 8% of the RDP services on its platform were vulnerable to a common RDP flaw. RDP is not the only vulnerable service, however; others such as Redis, MongoDB, MySQL and SMB are also visible through Shodan, often with no authentication at all.
Shodan complements the other security tools across your stack rather than replacing them, and teams usually pair it with those tools instead of relying on it alone.
When devices are exposed to the internet they become targets of mass, automated attacks. The Mirai botnet mentioned earlier was built from IoT devices exposed with default credentials.
Ransomware has increased significantly in recent years and the trend is continuing. The effectiveness of this type of attack can be attributed to insufficient asset management and a lack of backups in both consumer and professional environments. Exposing devices with weak or misconfigured services further increases the likelihood of a ransomware attack.
While conducting research, we found through Shodan a particularly interesting device that serves as a case study here. The device had databases exposed with no authentication. One of those databases caught our attention, not for the data it stored, but because of its name:
The name READ_ME_TO_RECOVER_YOUR_DATA immediately suggests that this service has already been hit by ransomware and that the database's contents are the ransom note. This is a deeply saddening reality many companies will face if they don't take the appropriate measures to identify their attack surface and update their assets. Individuals can be affected in similar ways, with personal files (such as photos) encrypted in the same indiscriminate and ruthless manner as this database.
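The exposed services listed earlier (RDP, Redis, MongoDB, MySQL, SMB) and the ransom-note database in this case study are the kind of thing a triage rule can pick out of a Shodan export automatically. The following is an added example written for this post, not Shodan's or Bugcrowd's code: it scores Shodan-style records by how dangerous the exposed service is, adds severity for a MongoDB that accepts unauthenticated connections or a Redis that answers INFO without AUTH, and flags database names that look like ransom notes as already compromised. The records are constructed, and the mongodb sub-document (an authentication flag plus a databases list) is an assumption modelled on what Shodan shows for an open MongoDB instance.

```python
"""Added example for this post (not Shodan's or Bugcrowd's code): triage
Shodan-style records for the services discussed above (RDP, Redis, MongoDB,
MySQL, SMB) and flag databases whose names read like ransom notes, e.g.
READ_ME_TO_RECOVER_YOUR_DATA. The records are constructed; the 'mongodb'
sub-document with an 'authentication' flag and a 'databases' list is an
assumption modelled on what Shodan shows for an open MongoDB instance."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample records (RFC 5737 documentation addresses).
RECORDS = [
    {"ip_str": "203.0.113.20", "port": 27017, "product": "MongoDB", "version": "3.6.8",
     "mongodb": {"authentication": False,
                 "databases": [{"name": "admin"},
                               {"name": "READ_ME_TO_RECOVER_YOUR_DATA"}]}},
    {"ip_str": "203.0.113.21", "port": 3389, "product": "Remote Desktop Protocol"},
    {"ip_str": "203.0.113.22", "port": 6379, "product": "Redis key-value store",
     "data": "# Server\r\nredis_version:5.0.7\r\nredis_mode:standalone\r\n"},
    {"ip_str": "203.0.113.23", "port": 443, "product": "nginx"},
    {"ip_str": "203.0.113.24", "port": 445, "product": "Samba"},
]

# Services that should almost never face the internet, with a base severity (1-10).
RISKY_PORTS = {3389: ("RDP", 8), 445: ("SMB", 8), 27017: ("MongoDB", 7),
               6379: ("Redis", 7), 3306: ("MySQL", 6)}

# Database names ransomware actors leave behind after wiping an open instance.
RANSOM_NOTE = re.compile(r"READ[_ ]?ME|RECOVER|RANSOM|RESTORE|WARNING", re.I)


@dataclass
class Finding:
    ip: str
    port: int
    service: str
    severity: int
    reasons: List[str] = field(default_factory=list)


def ransom_note_names(record: dict) -> List[str]:
    """Database names in a MongoDB record that look like ransom notes."""
    dbs = record.get("mongodb", {}).get("databases", [])
    return [db["name"] for db in dbs if RANSOM_NOTE.search(db.get("name", ""))]


def triage(record: dict) -> Optional[Finding]:
    """Return a Finding for a record worth acting on, or None if the port is not risky."""
    port = record["port"]
    if port not in RISKY_PORTS:
        return None
    service, severity = RISKY_PORTS[port]
    finding = Finding(record["ip_str"], port, service, severity,
                      [f"{service} reachable from the internet on port {port}"])
    mongo = record.get("mongodb")
    if mongo is not None and not mongo.get("authentication", True):
        finding.severity += 1
        finding.reasons.append("MongoDB accepts connections without authentication")
    notes = ransom_note_names(record)
    if notes:
        finding.severity += 2
        finding.reasons.append("already compromised: ransom-note database " + ", ".join(notes))
    # An unauthenticated Redis answers INFO with its version block; an exposure
    # record whose banner contains that block therefore implies no AUTH is set.
    if service == "Redis" and "redis_version:" in record.get("data", ""):
        finding.severity += 1
        finding.reasons.append("Redis answered INFO without AUTH")
    finding.severity = min(finding.severity, 10)
    return finding


def prioritize(records: List[dict]) -> List[Finding]:
    """Highest severity first; ties broken by address for a stable worklist."""
    findings = [f for f in map(triage, records) if f is not None]
    return sorted(findings, key=lambda f: (-f.severity, f.ip))
```

The "already compromised" flag matters for response: a host carrying a ransom-note database is an incident, not a hardening ticket, and should go to the incident response process ahead of the merely exposed services.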
Shodan is a fast and easy way to find unprotected devices on the internet, and to discover which of your devices have open ports.
Shodan can also be used to find devices that have recently been connected to the internet. This gives you early warning of an unintended exposure, so you can act before it turns into a breach and data loss.
Shodan is also very accessible. You can easily use it from a desktop, smartphone, or tablet.
It may come as a surprise to some that Shodan is legal and readily usable. Exposing so many devices may seem counterproductive to preventing cybercrime, but Shodan isn't the problem. Shodan simply highlights a larger one: individuals and organizations not being aware of their cyber footprint and attack surface.
Shodan strips away a layer of "security" that has long been debunked: security through obscurity. Given time, attackers will find any exposed service or device, and networks should be secured on that assumption. That said, Shodan does not see every single device connected to the internet.
It can, however, be used to find unprotected devices in your organization that may not be secure and have recently been connected to the internet. With this data, you can act quickly to secure your devices and network against possible attacks.
Shodan is a search engine over publicly accessible devices. It can be used to find unprotected devices and to discover recently connected ones. It does not index every device connected to the internet, however, so not appearing in Shodan is no guarantee that an asset is safe.
Discovery is step one; Bugcrowd helps cybersecurity professionals operationalize it.
Yes. Shodan is a legal, legitimate tool that provides valuable insight into internet-connected devices. It is important, however, to use it responsibly and to stay within ethical and legal boundaries while leveraging its capabilities.
While the information Shodan provides could be exploited by malicious actors, Shodan itself is not a hacking tool: it only records what devices already reveal to anyone who connects to them. Its primary purpose is to improve cybersecurity practices and help organizations secure their networks effectively.
No. Shodan is not only for large enterprises; it can be valuable for organizations of all sizes. Whether you're a small business or a large enterprise, Shodan's capabilities can help you identify vulnerabilities, assess your security posture, and protect your digital assets.
Shodan can flag likely vulnerabilities from the software versions it sees in banners, but it should not be seen as a replacement for a traditional vulnerability scanner: a version match is not proof of exploitability, and Shodan cannot see hosts that are not reachable from the internet. It complements existing vulnerability management processes and can reveal internet-facing devices that scanners pointed only at known assets may miss.
Although Shodan is often associated with IoT devices, it indexes and reports on many other kinds of devices and services connected to the internet. Its scope extends well beyond IoT to a wide range of networked systems.
Shodan was created by John Matherly and is widely used by cybersecurity professionals for exposure discovery and research.
Yes. An API key enables automation via the API or command-line interface, scheduled data downloads, and on‑demand scan request workflows.
An FTP banner is the greeting string a server returns when you connect (e.g., a 220 line naming the product and version). Like HTTP headers, it helps fingerprint software and prioritize risky configurations.
No. Shodan surfaces exposure; penetration testing validates exploitability. Bugcrowd's PTaaS turns exposure into verified, prioritized findings with remediation guidance.
Use filter attributes such as country code (e.g., country:US) and the net: filter for CIDRs (e.g., net:203.0.113.0/24) or individual IPv4 addresses; hostnames and IP alias information add context.
Yes. Shodan's developer tooling includes an API, a Python library, and third-party plugins that fit into CI/CD and asset workflows.
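Putting the API key, the net: scoping filter and the Python library together, here is an added example of the automation workflow described in the last few answers. It is written for this post and is not Shodan's or Bugcrowd's code: it builds a query scoped to your own address blocks, pages through Shodan.search() from the official shodan library, discards any result that falls outside the CIDRs you own (a guard against a typo in the query or an address that has since changed hands), and deduplicates by ip:port. The client is passed in so the loop can be exercised offline against the constructed StubShodan below; a live run needs an API key and network access.

```python
"""Added example for this post (not Shodan's or Bugcrowd's code): a scope-aware
export loop built on the official 'shodan' Python library (pip install shodan).
It pages through Shodan.search() for a query scoped to your own address blocks
with the net: filter, drops any result outside the CIDRs you own, and
deduplicates by ip:port. The client is passed in so the loop can run offline
against the constructed StubShodan; a live run needs an API key (shodan.Shodan(key))."""
import ipaddress
from typing import Iterable, List


def build_query(cidrs: Iterable[str], extra: str = "") -> str:
    """Compose e.g. 'net:203.0.113.0/24 port:3389'; net: accepts comma-separated CIDRs."""
    query = "net:" + ",".join(cidrs)
    return f"{query} {extra}".strip()


def scoped_results(client, query: str, owned_cidrs: Iterable[str],
                   max_pages: int = 10) -> List[dict]:
    """Page through client.search(query, page=n) and keep unique in-scope hits."""
    nets = [ipaddress.ip_network(c) for c in owned_cidrs]
    seen, out, fetched = set(), [], 0
    for page in range(1, max_pages + 1):
        resp = client.search(query, page=page)   # shodan.Shodan.search(query, page=1, ...)
        batch = resp.get("matches", [])
        if not batch:
            break
        fetched += len(batch)
        for m in batch:
            if not any(ipaddress.ip_address(m["ip_str"]) in n for n in nets):
                continue                              # not ours: never act on it
            key = (m["ip_str"], m["port"])
            if key in seen:
                continue
            seen.add(key)
            out.append({"ip": m["ip_str"], "port": m["port"],
                        "product": m.get("product"), "version": m.get("version"),
                        "hostnames": m.get("hostnames", [])})
        if fetched >= resp.get("total", 0):
            break
    return out


# Constructed search results in the shape Shodan returns ('matches' / 'total');
# RFC 5737 addresses, with one out-of-scope host and one duplicate on purpose.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.5", "port": 3389, "product": "Remote Desktop Protocol", "hostnames": []},
    {"ip_str": "203.0.113.9", "port": 3389, "product": "Remote Desktop Protocol", "hostnames": []},
    {"ip_str": "198.51.100.5", "port": 3389, "product": "Remote Desktop Protocol", "hostnames": []},
    {"ip_str": "203.0.113.5", "port": 3389, "product": "Remote Desktop Protocol", "hostnames": []},
    {"ip_str": "203.0.113.40", "port": 3389, "product": "Remote Desktop Protocol",
     "hostnames": ["vpn.example.com"]},
]


class StubShodan:
    """Offline stand-in for shodan.Shodan with the same search() result shape."""
    PAGE_SIZE = 2                                     # the real API returns 100 per page

    def __init__(self, matches: List[dict]):
        self._matches = matches

    def search(self, query: str, page: int = 1, **kwargs) -> dict:
        start = (page - 1) * self.PAGE_SIZE
        return {"total": len(self._matches),
                "matches": self._matches[start:start + self.PAGE_SIZE]}


def live_export(api_key: str, cidrs: List[str], extra: str = "port:3389") -> List[dict]:
    """The same loop against the real service; requires network access and an API key."""
    import shodan  # the official client library
    return scoped_results(shodan.Shodan(api_key), build_query(cidrs, extra), cidrs)


def demo() -> List[dict]:
    """Offline run over the constructed results."""
    cidrs = ["203.0.113.0/24"]
    return scoped_results(StubShodan(SAMPLE_MATCHES), build_query(cidrs, "port:3389"), cidrs)
```

The ownership check is the part worth keeping even if you replace everything else: an export that feeds tickets or a pentest scope must never include hosts that are not yours, so the CIDR list is enforced on the results as well as in the query.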