Shodan Filters
CLI commands, search filters and ready-made queries.
Install: sudo pip install shodan, then shodan init <API KEY> (key from your Shodan account).
CLI — Basic Commands
shodan init — Initialize the Shodan command-line.
shodan info — Show general information about your account.
shodan host — View all available information for an IP.
shodan myip — Print your external IP address.
shodan honeyscore — Check whether the IP is a honeypot or not.
shodan org — Manage your organization's access to Shodan.
shodan download — Download search results and save them.
shodan parse — Extract information out of compressed JSON.
shodan domain — View all available information for a domain.
shodan radar — Real-time map of results as Shodan finds them.
shodan data — Bulk data access to Shodan.
shodan scan — Scan an IP / netblock using Shodan.
shodan count — Return the number of results for a search.
shodan search — Search the Shodan database.
shodan convert — Convert an input data file into another format.
shodan stats — Provide summary information about a search.
shodan alert — Manage the network alerts for your account.
shodan stream — Stream data in real-time.
shodan -h — Help.
CLI — Alerts
shodan alert info — Show information about a specific alert.
shodan alert list — List all the active alerts.
shodan alert remove — Remove the specified alert.
shodan alert create — Create a network alert to monitor an external IP.
shodan alert triggers — List the available notification triggers.
shodan alert enable — Enable a trigger for the alert.
shodan alert disable — Disable a trigger for the alert.
shodan alert clear — Remove all alerts.
General Filters
ip, hostname, hash, has_vuln, has_ssl, has_screenshot, has_ipv6, geo, device, cpe, country, city, asn, all, isp, link, net, org, os, port, postal, product, region, scan, shodan.module, state, version
HTTP Filters
http.robots_hash, http.securitytxt, http.status, http.title, http.waf, http.html_hash, http.html, http.headers_hash, http.favicon.hash, http.component_category, http.component
SSL Filters
ssl, ssl.version, ssl.jarm, ssl.ja3s, ssl.cipher.version, ssl.cipher.name, ssl.cipher.bits, ssl.chain_count, ssl.cert.subject.cn, ssl.cert.serial, ssl.cert.pubkey.type, ssl.cert.pubkey.bits, ssl.cert.issuer.cn, ssl.cert.fingerprint, ssl.cert.extension, ssl.cert.expired, ssl.cert.alg, ssl.alpn
SNMP / NTP / Telnet / SSH
snmp.contact, snmp.location, snmp.name, ntp.ip, ntp.ip_count, ntp.more, ntp.port, telnet.do, telnet.dont, telnet.option, telnet.will, telnet.wont, ssh.hassh, ssh.type
Cloud / Bitcoin / Screenshots
(Restricted, higher API plans): tag, vuln
cloud.provider, cloud.region, cloud.service, bitcoin.ip, bitcoin.ip_count, bitcoin.port, bitcoin.version, screenshot.hash, screenshot.label
Databases
Find MongoDB database servers.
mongodb
Find Mongo Express Web GUI.
"Set-Cookie: mongo-express=" "200 OK"
Find MySQL-powered databases.
mysql port:3306
Look up popular ElasticSearch instances.
port:9200 all:"elastic indices"
Look up PostgreSQL databases.
port:5432 PostgreSQL
Exposed Ports
FTP (proftpd, a popular FTP server).
proftpd port:21
FTP servers allowing anonymous logins.
"220" "230 Login successful." port:21
OpenSSH, a popular SSH server.
openssh port:22
Telnet on port 23.
port:23
EXIM-powered mail servers on port 25.
port:25 product:"exim"
Memcached on port 11211 (UDP amplification).
port:"11211" product:"Memcached"
Jenkins (software build entry point).
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
Network Infrastructure
Devices running a specific RouterOS version.
port:8291 os:"MikroTik RouterOS 6.45.9"
Web Servers
Specific version of Apache web server.
product:"Apache httpd" port:"80"
Microsoft IIS websites and servers.
product:"Microsoft IIS httpd"
Nginx-powered websites and servers.
product:"nginx"
Nginx web servers on port 8080.
port:8080 product:"nginx"
Webcams
Outdated and insecure webcam software.
Server: SQ-WEBCAM
Specific vendor software (e.g. Yawcam).
"Server: yawcam" "Mime-Type: text/html"
Industrial Control Systems
Find XZERES Wind Turbines.
title:"xzeres wind"
Electric vehicle chargers on Shodan.
"Server: gSOAP/2.8" "Content-Length: 583"
Remote Desktop / NAS
Open Windows Remote Desktop ports.
remote desktop port:3389
VNC available without authentication.
"authentication disabled" "RFB 003.008"
Samba on port 445, auth disabled.
"Authentication: disabled" port:445
Plex devices.
"X-Plex-Protocol" "200 OK" port:32400
NAS with FTP services running.
"220" "230 Login successful." port:21
Printers / RDP / Misc
HP-powered printers.
"Serial Number:" "Built:" "Server: HP HTTP"
EPSON-powered printers.
"SERVER: EPSON_Linux UPnP" "200 OK"
Xerox printers/copiers via SSL certs.
ssl:"Xerox Generic Root"
Windows RDP password (null bytes).
"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"
Hiring pages.
"X-Recruiting:"
Android Debug Bridge devices.
"Android Debug Bridge" "Device" port:5555
Ethereum miners.
"ETH - Total speed"
Tesla PowerPack charging status.
http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
Compiled from the “Shodan Filters” chart by Hacking Articles (Ignite Technologies); descriptions condensed.