Shodan for Defenders: Finding Your Own Exposed Infrastructure Before Someone Else Does

Shodan is usually discussed as an offensive tool — the search engine that indexes internet-connected devices and lets researchers find exposed industrial control systems, open databases, and misconfigured services. The defensive use case is equally compelling and less often covered: using Shodan to find what you or your organization has inadvertently exposed before an attacker does.

What Shodan Is Actually Doing

Shodan continuously scans the internet, connecting to IP addresses on common and uncommon ports and recording the service banners and response data it receives. Those responses are indexed into a continuously updated, searchable database of internet-connected devices.

When an attacker uses Shodan to find targets, they are searching this index. When you use Shodan to find your own exposed assets, you are seeing what an attacker would see — including services you did not know were exposed.

The key insight for defensive use: Shodan often knows about your infrastructure before you do, and attackers are searching it continuously.

Setting Up for Defensive Monitoring

Step 1: Identify all IP ranges you are responsible for.

For a home researcher: your home ISP IP (dynamic, but you can still check it), any VPS or cloud instances, and any static IPs on hosted services. Run curl ifconfig.me to get your current external IP.

For an organization: all ASN-assigned IP ranges, cloud provider IP allocations (AWS, Azure, GCP), and any CDN or third-party ranges that serve your content.

Step 2: Search Shodan for your IP ranges.

Basic searches:

net:203.0.113.0/24                   # All services on a CIDR range
net:203.0.113.5                      # A specific IP
org:"Your Company Name"              # All IPs Shodan associates with your org
hostname:yourdomain.com              # Services on your domain's hostnames
ssl.cert.subject.cn:yourdomain.com   # Services presenting your SSL cert

Step 3: Review what Shodan found and assess each finding.

Every open port and service in Shodan’s results represents something you are running that is visible from the internet. For each one:

  • Did you intend to expose this?
  • Is it running a current, patched version?
  • Is it authenticated?
  • Is it supposed to be here at all?

The Findings That Should Alarm You

Databases with no authentication. MongoDB, Elasticsearch, Redis, and CouchDB instances exposed to the internet without authentication have been the source of countless data breach incidents. Shodan has dedicated queries for these:

product:MongoDB port:27017
product:Elasticsearch port:9200
product:Redis port:6379

If Shodan finds these on your IPs, check them immediately. Many default installations of these products bind to all interfaces rather than localhost.

Remote desktop and admin interfaces. RDP (port 3389), VNC (5900-5901), and web admin panels (common on port 8080, 8443, 9090) that are directly internet-exposed are high-value targets for credential attacks.

Old software versions in banners. Shodan captures version strings from service banners. If your SSH server is advertising OpenSSH 7.2 or your web server is serving Apache 2.2, that version information is indexed and searchable by attackers looking for vulnerable versions.

SSL certificate mismatches. Running a domain search on your SSL certificates sometimes surfaces services you have forgotten about — old servers still responding on expired certs, test environments that never got shut down, cloud instances from a previous project.

IoT and management interfaces. Home routers, IP cameras, NAS devices, and similar hardware often run web management interfaces that get exposed accidentally. These devices frequently run outdated firmware with known vulnerabilities.
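To turn the categories above into a repeatable review, here is an added triage routine (not from the original post) that scores each Shodan match against the alarming-finding types. It uses only the per-match fields the search API returns (ip_str, port, product, version); the port tables, the stale-version list and the sample records are constructed assumptions you would replace with your own baseline.

```python
# Added example, not from the original post: triage Shodan matches against
# the risk categories above. Uses only fields the search API returns per match
# (ip_str, port, product, version); the sample records are constructed.

# Ports where an internet-exposed listener is alarming on its own.
DB_PORTS = {27017: "MongoDB", 9200: "Elasticsearch", 6379: "Redis", 5984: "CouchDB"}
ADMIN_PORTS = {3389: "RDP", 5900: "VNC", 5901: "VNC",
               8080: "web admin", 8443: "web admin", 9090: "web admin"}
# Version prefixes you consider stale. Assumption: maintained from your own
# patch baseline; the two entries are the post's illustrations only.
STALE_VERSIONS = {("OpenSSH", "7.2"), ("Apache httpd", "2.2")}


def assess(match):
    """Return a list of findings for one Shodan match (empty if nothing alarming)."""
    findings = []
    port = match.get("port")
    product = match.get("product", "")
    version = match.get("version", "")
    if port in DB_PORTS:
        findings.append(f"{DB_PORTS[port]} port {port} exposed; verify it requires auth")
    if port in ADMIN_PORTS:
        findings.append(f"{ADMIN_PORTS[port]} interface on port {port} reachable from internet")
    for stale_product, stale_version in STALE_VERSIONS:
        if product.startswith(stale_product) and version.startswith(stale_version):
            findings.append(f"outdated version advertised in banner: {product} {version}")
    return findings


def triage(matches):
    """Map 'ip:port' -> findings, keeping only matches that raised at least one."""
    report = {}
    for m in matches:
        hits = assess(m)
        if hits:
            report[f"{m['ip_str']}:{m['port']}"] = hits
    return report


# Constructed matches in the shape of results['matches'] from api.search().
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.5", "port": 27017, "product": "MongoDB", "version": "4.2.1"},
    {"ip_str": "203.0.113.7", "port": 22, "product": "OpenSSH", "version": "7.2p2"},
    {"ip_str": "203.0.113.9", "port": 443, "product": "nginx", "version": "1.24.0"},
    {"ip_str": "203.0.113.12", "port": 3389, "product": "Remote Desktop Protocol"},
]

if __name__ == "__main__":
    for target, hits in sorted(triage(SAMPLE_MATCHES).items()):
        print(target, "->", "; ".join(hits))
```

A clean result from this routine does not mean a service is safe; it only means none of the listed patterns matched, so the four questions in Step 3 still apply to every entry.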

Shodan Monitor for Ongoing Alerting

Shodan Monitor (paid feature, available on Freelancer plan and above) lets you define IP ranges and receive alerts when new services appear, existing services change, or known vulnerabilities are detected on your infrastructure.

For an individual researcher or small organization, setting up Monitor on your external IPs is one of the highest-value security investments available. A new port open on your infrastructure at 3am is exactly the kind of signal you want to know about immediately.

The Query Reference That Actually Matters

Beyond IP-based searches, these Shodan filters are most useful for defenders:

# Find exposed directory listings and specific (possibly vulnerable) software versions
apache http.title:"Index of /"
ssh banner:"OpenSSH_7.2"

# Find exposed admin interfaces
http.title:"phpMyAdmin"
http.title:"pfSense"
http.title:"Webmin"

# Find your domains in SSL certificates (includes subdomains)
ssl.cert.subject.cn:*.yourdomain.com

# Find default install pages by title (unconfigured servers that may still use default settings)
http.title:"Welcome to nginx!"
http.title:"It works!"

# Find cameras
product:"Hikvision" net:YOUR_IP_RANGE

Using the API for Automation

Shodan’s API (included with any paid plan) lets you automate these queries and integrate results into your own tooling:

import shodan

api = shodan.Shodan('YOUR_API_KEY')

# Search your IP range. search() returns one page (up to 100 matches);
# use api.search_cursor(query) to iterate over every result.
try:
    results = api.search('net:203.0.113.0/24')
except shodan.APIError as e:
    raise SystemExit(f"Shodan API error: {e}")

print(f"{results['total']} matches")
for result in results['matches']:
    product = result.get('product', 'Unknown')
    print(f"{result['ip_str']}:{result['port']} - {product}")

Running this on a cron schedule against your IP ranges and diffing against previous results gives you a basic asset discovery and change detection system that catches new exposures automatically.
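The diffing step is the part that actually produces alerts, so here is an added change-detection routine (not from the original post) that compares two saved snapshots of results['matches'] for the same range and reports services that appeared, disappeared or changed version. The snapshot file layout and the two sample runs are constructed assumptions; the cron job would write each run with json.dump and feed the previous and current files to diff_snapshots.

```python
# Added example, not from the original post: change detection between two
# saved Shodan snapshots of the same range. A snapshot is results['matches']
# from api.search('net:...') written to disk by the cron job; the two
# snapshots below are constructed to show each kind of change.
import json


def index_matches(matches):
    """Key each service by ip:port and keep only the fields worth diffing."""
    index = {}
    for m in matches:
        index[f"{m['ip_str']}:{m['port']}"] = {
            "product": m.get("product", "Unknown"),
            "version": m.get("version", ""),
            "transport": m.get("transport", "tcp"),
        }
    return index


def diff_snapshots(previous, current):
    """Return services that are new, removed or changed since the last run."""
    before, after = index_matches(previous), index_matches(current)
    new = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return {"new": new, "removed": removed, "changed": changed}


def load_snapshot(path):
    """Read a snapshot written earlier with json.dump(results['matches'], f)."""
    with open(path) as f:
        return json.load(f)


# Constructed snapshots: SSH was patched, a VNC listener was decommissioned,
# and a Redis listener appeared between the two runs.
PREVIOUS_RUN = [
    {"ip_str": "203.0.113.7", "port": 22, "product": "OpenSSH", "version": "7.2p2"},
    {"ip_str": "203.0.113.8", "port": 5900, "product": "VNC"},
]
CURRENT_RUN = [
    {"ip_str": "203.0.113.7", "port": 22, "product": "OpenSSH", "version": "9.6p1"},
    {"ip_str": "203.0.113.5", "port": 6379, "product": "Redis"},
]

if __name__ == "__main__":
    # The "new" list is what to page on; "changed" catches version drift.
    print(json.dumps(diff_snapshots(PREVIOUS_RUN, CURRENT_RUN), indent=2))
```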

The Mindset Shift

The value of Shodan for defenders is not in using it reactively after an incident — it is in using it proactively to maintain accurate awareness of your exposed surface. The organizations that get breached through Shodan-findable services are almost always organizations that were not running this kind of continuous visibility themselves.

The attacker’s advantage in using Shodan is that they can afford to be patient and systematic across thousands of targets. The defender’s advantage is that they can focus exclusively on their own assets and act on findings immediately. Use that advantage.

