Shodan


Shodan is a search engine designed to help users find specific types of internet-connected computers, servers, and devices (routers, IoT devices). Unlike traditional search engines like Google, which crawl the web for hyperlinks and content, Shodan crawls the entire internet to locate devices and collect information about their services.

In the context of cybersecurity, Shodan is often referred to as "the search engine for hackers" or "the search engine for the Internet of Things (IoT)." It allows security professionals, researchers, and threat actors to discover exposed assets, identify vulnerabilities, and map the global digital infrastructure without ever sending a packet to the target network themselves.

How Shodan Works: The Banner Grabbing Process

Shodan operates by continuously scanning the entire IPv4 address space. It sends connection requests to various ports on every accessible IP address to see what services are running. When a service responds, the first data it sends back, such as a protocol greeting line or a set of HTTP response headers, is recorded as a banner.

A banner typically contains crucial technical details, such as:

  • Server software and version (e.g., Apache 2.4.49).

  • Operating system details.

  • Device configuration information.

  • Default or custom welcome messages.

Shodan indexes this banner data, making it searchable through its web interface or API.
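The following is an added example, not code from Shodan or from this page, showing what "indexing banner data" amounts to in practice: a few records shaped like Shodan's banner JSON (the field names ip_str, port, transport, timestamp, data, product and version are Shodan's; the addresses and banner text are constructed for this example) are parsed into product and version fingerprints and then counted, which is the query a defender runs when a new vulnerability in a specific version lands.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records in the shape of Shodan banner JSON. Only a subset of
# Shodan's fields is used (ip_str, port, transport, timestamp, data, plus the
# product/version fields Shodan fills in when its own parsers recognise the
# service). The addresses and banner text are made up for this example.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 80, "transport": "tcp",
     "timestamp": "2024-05-01T10:00:00",
     "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.49 (Unix)\r\n"
             "Content-Type: text/html\r\n\r\n"},
    {"ip_str": "203.0.113.10", "port": 22, "transport": "tcp",
     "timestamp": "2024-05-01T10:00:05",
     "data": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n"},
    {"ip_str": "203.0.113.11", "port": 21, "transport": "tcp",
     "timestamp": "2024-05-01T10:01:00",
     "data": "220 (vsFTPd 3.0.3)\r\n"},
    {"ip_str": "203.0.113.12", "port": 8080, "transport": "tcp",
     "timestamp": "2024-05-01T10:02:00",
     "product": "Apache Tomcat", "version": "9.0.1",
     "data": "HTTP/1.1 404 \r\nContent-Type: text/html\r\n\r\n"},
]


@dataclass(frozen=True)
class ServiceFingerprint:
    ip: str
    port: int
    protocol: str               # ssh / http / ftp / unknown, inferred from the banner text
    product: Optional[str]
    version: Optional[str]


# Minimal banner grammars for three common protocols; a real inventory carries many more.
_HTTP_SERVER = re.compile(r"^Server:\s*([^\s/]+)(?:/([\w.\-]+))?", re.M)
_SSH_IDENT = re.compile(r"^SSH-[\d.]+-([A-Za-z]+)[_-]([\w.]+)")
_FTP_GREETING = re.compile(r"^220[ -].*?\(?([A-Za-z]+)\s*(\d[\w.]*)\)?")


def fingerprint(record: dict) -> ServiceFingerprint:
    """Turn one banner record into a (protocol, product, version) fingerprint.

    Shodan's own product/version fields win when present; otherwise the raw
    banner text is parsed, which is what Shodan itself does at index time.
    """
    data = record.get("data", "")
    product, version = record.get("product"), record.get("version")
    if data.startswith("SSH-"):
        protocol, match = "ssh", _SSH_IDENT.match(data)
    elif data.startswith("HTTP/"):
        protocol, match = "http", _HTTP_SERVER.search(data)
    elif data.startswith("220"):
        protocol, match = "ftp", _FTP_GREETING.match(data)
    else:
        protocol, match = "unknown", None
    if match and product is None:
        product, version = match.group(1), match.group(2)
    return ServiceFingerprint(record["ip_str"], record["port"], protocol, product, version)


def version_inventory(records) -> dict:
    """Count exposed services by (product, version): the question a defender asks
    when a new vulnerability lands and needs to know how many hosts run that build."""
    counts: dict = {}
    for record in records:
        fp = fingerprint(record)
        key = (fp.product or "unknown", fp.version or "unknown")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for record in SAMPLE_BANNERS:
        print(fingerprint(record))
    print(version_inventory(SAMPLE_BANNERS))
```

The record for port 8080 shows why Shodan's own product and version fields matter: the raw banner carries no Server header, so text parsing alone would leave that Tomcat instance as "unknown".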

Core Capabilities and Use Cases

Shodan provides a unique view of the internet that supports various cybersecurity functions.

  • Attack Surface Management: Organizations use Shodan to monitor their own networks. By searching for their IP ranges, they can discover "Shadow IT"—devices or servers connected to the internet without the security team's knowledge.

  • Vulnerability Research: Researchers can quickly identify how many devices worldwide are running a specific version of vulnerable software. For example, when a new SSL vulnerability is discovered, Shodan can immediately list every indexed server whose banner still reports the vulnerable version, in other words every server that hasn't been patched.

  • IoT Security: It is extensively used to find insecure Internet of Things devices, such as webcams, baby monitors, and smart home appliances, that are exposed to the public internet, often with default passwords.

  • Market Intelligence: Companies use Shodan to track the usage statistics of different technologies, operating systems, and server software across different countries and industries.

Powerful Search Filters

The true power of Shodan lies in its advanced search operators, which allow users to filter results with extreme precision.

  • port: Find devices with specific open ports (e.g., port:22 for SSH or port:3389 for Remote Desktop).

  • os: Filter results by operating system (e.g., os:"Windows 7").

  • org: Search for devices belonging to a specific organization or ISP (e.g., org:"Google").

  • country: Limit searches to a specific country (e.g., country:US).

  • product: Search for specific software or hardware models (e.g., product:"Apache Tomcat").

  • vuln: (Paid feature) Search for devices known to be vulnerable to specific CVEs.

The Role of Shodan in Defensive and Offensive Security

Shodan serves as a critical tool for both sides of the cybersecurity spectrum.

Defensive Security (Blue Team)

Defenders use Shodan for reconnaissance on their own infrastructure. It helps them see their network exactly as an attacker sees it. By setting up monitoring alerts, security teams can be notified immediately if a database or remote access port is accidentally exposed to the public internet.

Offensive Security (Red Team)

Attackers and penetration testers use Shodan to find easy targets. Instead of scanning a target network actively (which generates noise and triggers firewall alerts), a Red Team can passively query Shodan to find vulnerable entry points, open webcams, or unpatched servers to plan their attack vectors.

Frequently Asked Questions About Shodan

Is using Shodan illegal?

No, using Shodan is legal. It simply aggregates publicly available information accessible to anyone connecting to those IP addresses. However, using the information found on Shodan to access, modify, or attack a device without permission is illegal.

How is Shodan different from Google?

Google crawls websites (HTTP/HTTPS) to index content for general users. Shodan crawls IP addresses and ports to index technical information (banners) for technical users. You use Google to find a recipe; you use Shodan to find a web server running a specific version of Linux.

Can Shodan scan my internal network?

No. Shodan only scans publicly accessible devices on the internet. It cannot see devices behind your firewall or on your local private network (LAN) unless you have specifically configured them to be reachable from the outside.

What is Shodan Monitor?

Shodan Monitor is a specialized service that allows organizations to define their network range (IP blocks). Shodan then periodically scans those ranges and alerts the organization if any new ports open or if known vulnerabilities are detected on its perimeter.

Integrating ThreatNG and Shodan for Complete Perimeter Visibility

Combining ThreatNG’s strategic External Attack Surface Management (EASM) with Shodan’s global internet scanning capabilities creates a unified view of an organization’s digital risk. ThreatNG provides the high-fidelity, business-contextualized asset inventory, while Shodan provides the deep technical telemetry of those assets from a global perspective.

Together, they answer the two most critical questions in perimeter security: "What do we own?" (ThreatNG) and "What is the world seeing when they look at it?" (Shodan).

Enhancing External Discovery

Shodan scans the entire internet indiscriminately, but it requires specific search queries to be useful. ThreatNG’s External Discovery acts as the precise targeting system that makes Shodan’s data actionable.

  • Target Scope Definition: ThreatNG performs purely external, unauthenticated discovery to generate a complete map of the organization’s digital footprint, including subsidiaries, brands, and forgotten subdomains. This validated "seed list" of domains and IP addresses is used to query Shodan, ensuring security teams focus on their specific assets rather than getting lost in irrelevant search results.

  • Illuminating Shadow IT: ThreatNG specializes in finding "Shadow IT"—assets like legacy marketing microsites or rogue cloud instances. Once ThreatNG identifies a hostname (e.g., dev-test.legacy-brand.com), Shodan is used to reveal port-level details, including whether that forgotten asset is exposing dangerous services such as Telnet, RDP, or unpatched web servers.

External Assessment and Technical Validation

ThreatNG’s External Assessment modules characterize an asset's "susceptibility" by identifying configuration flaws. Shodan complements this by providing "verification" through its banner-grabbing capabilities.

Web Application Hijack Susceptibility

  • ThreatNG Assessment: The solution analyzes web assets to detect missing security headers, specifically flagging subdomains that lack Content-Security-Policy (CSP), HTTP Strict-Transport-Security (HSTS), or X-Frame-Options.

  • Shodan Validation: Shodan indexes the HTTP headers of every server it scans. Security teams can cross-reference ThreatNG’s findings with Shodan’s historical data to see how long these headers have been missing. Furthermore, Shodan can identify whether a server is running an outdated version of Nginx or Apache, which could make the lack of headers even more dangerous due to known server-level exploits.
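An added example (not ThreatNG's or Shodan's code) of the cross-reference described above: given a host's banner history in the shape of Shodan's per-host records, it parses the HTTP header block of each snapshot and reports, for each required header, when the current gap began and how many days it has been open. The host, dates and headers are constructed for this example; in practice the list would come from Shodan's host history for the IP.

```python
from datetime import datetime

# Headers whose absence ThreatNG's assessment flags (named in the text above).
REQUIRED_HEADERS = ("Content-Security-Policy", "Strict-Transport-Security", "X-Frame-Options")

# Constructed banner history for one host, in the shape of Shodan's per-host
# records (ip_str, port, timestamp, data). Address, dates and headers are made up.
HISTORY = [
    {"ip_str": "203.0.113.20", "port": 443, "timestamp": "2024-01-15T08:00:00",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n"
             "Strict-Transport-Security: max-age=31536000\r\n"
             "X-Frame-Options: DENY\r\n"
             "Content-Security-Policy: default-src 'self'\r\n\r\n"},
    {"ip_str": "203.0.113.20", "port": 443, "timestamp": "2024-03-02T08:00:00",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n"
             "Strict-Transport-Security: max-age=31536000\r\n\r\n"},
    {"ip_str": "203.0.113.20", "port": 443, "timestamp": "2024-05-20T08:00:00",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"},
]


def response_headers(banner: str) -> dict:
    """Parse the header block of a raw HTTP banner into a lower-cased name -> value map."""
    head = banner.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def missing_since(history, required=REQUIRED_HEADERS) -> dict:
    """For each required header, the timestamp of the first snapshot in the
    current unbroken run of absence, or None if the newest snapshot has it."""
    result = {}
    snapshots = sorted(history, key=lambda r: r["timestamp"])
    for header in required:
        since = None
        for snap in snapshots:
            if header.lower() in response_headers(snap["data"]):
                since = None                     # header present again: reset the run
            elif since is None:
                since = snap["timestamp"]
        result[header] = since
    return result


def days_missing(history, now, required=REQUIRED_HEADERS) -> dict:
    """Age in whole days of each gap still open at `now` (datetime or ISO string);
    headers present in the newest snapshot are omitted."""
    now_dt = datetime.fromisoformat(now) if isinstance(now, str) else now
    ages = {}
    for header, since in missing_since(history, required).items():
        if since is not None:
            ages[header] = (now_dt - datetime.fromisoformat(since)).days
    return ages


if __name__ == "__main__":
    print(missing_since(HISTORY))
    print(days_missing(HISTORY, "2024-06-01T08:00:00"))
```

Note that the age is measured from the first snapshot that lacked the header, so it is a lower bound: Shodan's scan cadence, not the server's change history, sets the resolution.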

Subdomain Takeover Susceptibility

  • ThreatNG Assessment: ThreatNG uses DNS enumeration to identify CNAME records pointing to unclaimed third-party services (e.g., AWS S3, Heroku). It cross-references these against a Vendor List to confirm the "dangling" status.

  • Shodan Validation: When a subdomain is dangling, the service provider often serves a specific error page (e.g., "There is no app configured at this address"). Shodan often captures these error messages in its banner history. By checking Shodan, teams can confirm if the subdomain is actively serving the error page, which validates that the takeover is currently exploitable.
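The validation step above, as an added example that is neither ThreatNG's nor Shodan's code: DNS-level "dangling CNAME" findings are combined with Shodan-style banner history so that each subdomain ends up as confirmed dangling (the provider's error page is the latest thing Shodan saw), not dangling (the latest banner serves real content, so the DNS finding is stale), or unverified (no banner on record). Only the Heroku message quoted above comes from the page; the hostnames, the second vendor and its message are constructed.

```python
# Vendor fingerprints: the page text a provider returns for an unclaimed resource.
# The Heroku message is the one quoted in the text above; "acme-pages" is a
# made-up vendor used only to exercise the code.
DANGLING_FINGERPRINTS = {
    "Heroku": "There is no app configured at this address",
    "acme-pages": "No site is configured for this hostname",   # hypothetical vendor
}

# Constructed ThreatNG-style findings: subdomain, its CNAME target, and the vendor
# matched against the vendor list. All hostnames are fictional.
FINDINGS = [
    {"subdomain": "shop.legacy-brand.example", "cname": "old-shop.acme-pages.example", "vendor": "acme-pages"},
    {"subdomain": "app.legacy-brand.example", "cname": "legacy-app.heroku-host.example", "vendor": "Heroku"},
    {"subdomain": "blog.legacy-brand.example", "cname": "blog-cdn.acme-pages.example", "vendor": "acme-pages"},
    {"subdomain": "ftp.legacy-brand.example", "cname": "legacy-ftp.heroku-host.example", "vendor": "Heroku"},
]

# Constructed Shodan-style banner history keyed by hostname, oldest first.
BANNER_HISTORY = {
    "shop.legacy-brand.example": [
        {"timestamp": "2024-04-01T00:00:00", "data": "HTTP/1.1 200 OK\r\n\r\n<html>Welcome to the shop</html>"},
        {"timestamp": "2024-05-15T00:00:00", "data": "HTTP/1.1 404 Not Found\r\n\r\nNo site is configured for this hostname"},
    ],
    "app.legacy-brand.example": [
        {"timestamp": "2024-03-10T00:00:00", "data": "HTTP/1.1 404 Not Found\r\n\r\nThere is no app configured at this address"},
        {"timestamp": "2024-05-10T00:00:00", "data": "HTTP/1.1 404 Not Found\r\n\r\nThere is no app configured at this address"},
    ],
    "blog.legacy-brand.example": [
        {"timestamp": "2024-05-12T00:00:00", "data": "HTTP/1.1 200 OK\r\n\r\n<html>Company blog</html>"},
    ],
    # ftp.legacy-brand.example: Shodan holds no banner for it
}


def classify_takeover(finding: dict, history: list) -> dict:
    """Combine a DNS-level dangling-CNAME finding with Shodan's banner history."""
    fingerprint = DANGLING_FINGERPRINTS.get(finding["vendor"])
    if fingerprint is None:
        return {"status": "unknown-vendor", "error_first_seen": None}
    if not history:
        return {"status": "dangling-unverified", "error_first_seen": None}
    snapshots = sorted(history, key=lambda b: b["timestamp"])
    if fingerprint not in snapshots[-1]["data"]:
        # Latest banner serves real content: stale DNS finding, or the resource was reclaimed.
        return {"status": "not-dangling", "error_first_seen": None}
    # Walk back through the unbroken run of error pages to date the exposure.
    first_seen = snapshots[-1]["timestamp"]
    for snap in reversed(snapshots):
        if fingerprint not in snap["data"]:
            break
        first_seen = snap["timestamp"]
    return {"status": "confirmed-dangling", "error_first_seen": first_seen}


def triage(findings, banner_history) -> dict:
    """Classify every finding; hosts without any Shodan record get an empty history."""
    return {f["subdomain"]: classify_takeover(f, banner_history.get(f["subdomain"], []))
            for f in findings}


if __name__ == "__main__":
    for host, verdict in triage(FINDINGS, BANNER_HISTORY).items():
        print(host, verdict)
```

The "error_first_seen" value is what turns a finding into a remediation priority: a record that has been dangling for months is a different conversation with the asset owner than one that appeared last week.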

Supply Chain & Third-Party Exposure

  • ThreatNG Assessment: ThreatNG maps the third-party SaaS and infrastructure providers connected to the organization (e.g., "This asset is hosted on Azure").

  • Shodan Validation: Shodan provides the "ISP" and "Organization" fields for every IP address. It validates ThreatNG’s mapping by confirming the asset's physical location and hosting provider. If ThreatNG flags a suspicious third-party connection, Shodan can reveal if that third-party IP is also hosting known malware command-and-control structures or has a poor reputation.

Investigation Modules Driving Contextual Analysis

ThreatNG’s investigation modules provide the "Who" and "Why" behind an asset, while Shodan provides the "What."

Technology Stack Investigation

  • ThreatNG Context: This module identifies nearly 4,000 technologies, pinpointing specific versions of CMS platforms, frameworks, and analytics tools (e.g., "Target is running Drupal 7").

  • Shodan Application: Shodan’s search filters allow teams to find every other server on the internet running that same technology configuration. This helps determine if the organization’s specific configuration is a "standard" deployment or a unique "snowflake" that might be easier to fingerprint and attack.

Sensitive Code Exposure

  • ThreatNG Context: Monitors public code repositories for leaks, identifying API Keys and Configuration Files that expose internal IP addresses or staging environments.

  • Shodan Application: If ThreatNG finds a config file leaking an internal IP address (e.g., 192.168.x.x mapped to a public NAT), users can search Shodan for that specific gateway IP to see what ports are open to the outside world. This verifies if the internal leak actually corresponds to an externally accessible path.

Domain Intelligence

  • ThreatNG Context: Analyzes Whois data and registrar details to determine ownership and expiration risk.

  • Shodan Application: Shodan can track the SSL/TLS certificates associated with those domains. If ThreatNG flags a domain as "Expiring Soon," Shodan can confirm if the SSL certificate has already expired, which would cause service outages or trust warnings for users.

Intelligence Repositories (DarCache)

ThreatNG’s DarCache repositories enrich Shodan’s technical findings with threat-centric intelligence.

  • Ransomware Groups: ThreatNG tracks the TTPs (Tactics, Techniques, and Procedures) of ransomware gangs, such as their preference for exploiting exposed RDP (Remote Desktop Protocol) or VPN concentrators. When Shodan identifies an open RDP port (Port 3389) on a corporate asset, ThreatNG correlates this with its ransomware intelligence to elevate the finding from a "Misconfiguration" to a "Critical Ransomware Entry Vector."

  • Vulnerability Intelligence (KEV & EPSS): Shodan often identifies vulnerabilities (CVEs) based on version banners. ThreatNG filters this massive list by applying Known Exploited Vulnerabilities (KEV) data and EPSS scores. This ensures the team ignores the low-risk CVEs found by Shodan and focuses immediately on those ThreatNG confirms are actively being weaponized.
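An added example, not ThreatNG's or Shodan's code, of the two DarCache correlations above: the CVE list Shodan attaches to a host (Shodan's host records carry a vulns map keyed by CVE ID) is re-ranked so that Known Exploited Vulnerabilities come first, then CVEs above an EPSS cut-off, then the backlog, and an exposed RDP port on the same host escalates the host's label the way the ransomware paragraph describes. Every CVE identifier, CVSS value, EPSS score and the KEV membership below is a constructed placeholder, as is the 0.10 EPSS threshold.

```python
from dataclasses import dataclass

# Constructed Shodan-style host record. Shodan attaches a `vulns` map keyed by CVE
# ID when a version banner matches known CVEs. Every CVE ID here is a placeholder
# (not a real identifier) and the cvss values are made up.
HOST = {
    "ip_str": "203.0.113.30",
    "ports": [443, 3389],
    "vulns": {
        "CVE-1900-0001": {"cvss": 9.8},
        "CVE-1900-0002": {"cvss": 5.3},
        "CVE-1900-0003": {"cvss": 7.5},
        "CVE-1900-0004": {"cvss": 4.0},
    },
}

# Placeholders standing in for the KEV catalogue and EPSS feed DarCache would supply.
KEV = {"CVE-1900-0003"}
EPSS = {"CVE-1900-0001": 0.92, "CVE-1900-0002": 0.03, "CVE-1900-0003": 0.41, "CVE-1900-0004": 0.01}
EPSS_THRESHOLD = 0.10            # constructed cut-off; tune to your own risk appetite

# Ports the text above singles out as ransomware entry vectors (3389 = RDP).
ENTRY_VECTOR_PORTS = {3389: "RDP", 23: "Telnet"}

TIER_ORDER = {"P1-known-exploited": 0, "P2-likely-exploited": 1, "P3-backlog": 2}


@dataclass(frozen=True)
class Finding:
    cve: str
    tier: str
    in_kev: bool
    epss: float
    cvss: float


def triage(host: dict, kev: set, epss: dict, threshold: float = EPSS_THRESHOLD) -> list:
    """Rank Shodan's CVE list: KEV first, then high EPSS, then the backlog.
    Within a tier, higher EPSS and then higher CVSS sorts first."""
    findings = []
    for cve, meta in host.get("vulns", {}).items():
        in_kev = cve in kev
        score = epss.get(cve, 0.0)
        if in_kev:
            tier = "P1-known-exploited"
        elif score >= threshold:
            tier = "P2-likely-exploited"
        else:
            tier = "P3-backlog"
        findings.append(Finding(cve, tier, in_kev, score, float(meta.get("cvss", 0.0))))
    findings.sort(key=lambda f: (TIER_ORDER[f.tier], -f.epss, -f.cvss))
    return findings


def entry_vectors(host: dict) -> list:
    """Exposed services that the ransomware TTP intelligence flags as entry vectors."""
    return [f"{ENTRY_VECTOR_PORTS[p]} ({p})" for p in host.get("ports", []) if p in ENTRY_VECTOR_PORTS]


def classify_exposure(host: dict) -> str:
    """Elevate an open entry-vector port from a plain misconfiguration, as the text describes."""
    return "Critical Ransomware Entry Vector" if entry_vectors(host) else "Misconfiguration"


if __name__ == "__main__":
    print(classify_exposure(HOST), entry_vectors(HOST))
    for finding in triage(HOST, KEV, EPSS):
        print(finding)
```

Note that CVSS only breaks ties within a tier: the placeholder CVE with the 9.8 score lands behind the KEV entry with 7.5, which is the whole point of filtering by evidence of exploitation rather than by severity alone.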

Reporting and Continuous Monitoring

The cooperation between ThreatNG and Shodan establishes a persistent feedback loop for security management.

  • Continuous Monitoring Loop: ThreatNG monitors the attack surface 24/7. When it discovers a new asset, it effectively "tasks" Shodan to inspect it. If ThreatNG detects a new marketing subdomain, Shodan is queried to check open ports. If Shodan detects a new high-risk port open (e.g., Database Port 5432), it feeds into the ThreatNG risk model, lowering the organization’s Security Rating.

  • Unified Reporting: Executive reports benefit from the synthesis of data. ThreatNG provides the business impact ("Risk to Brand Reputation"), while Shodan data provides the technical evidence ("Proof of Exposure: Screenshot of Open Webcam"). This satisfies both the C-suite’s need for risk metrics and the engineering team’s need for technical proof.
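As an added example serving both the Shodan Monitor description earlier on this page and the continuous monitoring loop above (it is not ThreatNG's or Shodan Monitor's code), the block below takes a declared network range, diffs two successive Shodan-style snapshots of (ip, port) observations, raises alerts for newly opened ports with extra weight on the ones the text calls high risk, and adjusts a simple rating. The IP ranges, snapshots and the penalty weights are constructed; the rating formula is a stand-in, not ThreatNG's Security Rating model.

```python
import ipaddress

# Constructed scope: the IP blocks the organisation has declared (what Shodan Monitor
# calls the network range, and what ThreatNG's discovery would feed in).
SCOPE = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/28")]

# Ports the text above treats as high risk when newly exposed; the weights are a
# constructed scoring choice, not a ThreatNG or Shodan formula.
HIGH_RISK_PORTS = {3389: "RDP", 5432: "PostgreSQL", 23: "Telnet"}
PENALTY_HIGH_RISK, PENALTY_OTHER = 10, 1

# Constructed (ip, port) observations from two successive Shodan passes.
PREVIOUS_SNAPSHOT = [("203.0.113.10", 443), ("203.0.113.10", 22), ("198.51.100.5", 443)]
CURRENT_SNAPSHOT = [("203.0.113.10", 443), ("203.0.113.10", 22), ("203.0.113.10", 3389),
                    ("198.51.100.5", 443), ("198.51.100.9", 5432), ("192.0.2.77", 23)]


def in_scope(ip: str, scope=SCOPE) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in scope)


def diff_snapshots(previous, current, scope=SCOPE) -> dict:
    """Newly opened and newly closed in-scope services, plus hits outside the scope."""
    prev, cur = set(previous), set(current)
    return {
        "opened": sorted(p for p in cur - prev if in_scope(p[0], scope)),
        "closed": sorted(p for p in prev - cur if in_scope(p[0], scope)),
        # Hits outside the declared range are not ours to act on, but are worth a look:
        # they may reveal a range the scope definition missed.
        "out_of_scope": sorted(p for p in cur if not in_scope(p[0], scope)),
    }


def alerts_for(opened) -> list:
    """One alert per newly opened in-scope port, severity driven by the port table."""
    return [{"ip": ip, "port": port,
             "service": HIGH_RISK_PORTS.get(port, "unclassified"),
             "severity": "high" if port in HIGH_RISK_PORTS else "info"}
            for ip, port in opened]


def security_rating(opened, base=100) -> int:
    """Constructed rating: each newly opened high-risk port costs more than a benign one."""
    rating = base
    for _, port in opened:
        rating -= PENALTY_HIGH_RISK if port in HIGH_RISK_PORTS else PENALTY_OTHER
    return max(rating, 0)


if __name__ == "__main__":
    delta = diff_snapshots(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT)
    for alert in alerts_for(delta["opened"]):
        print(alert)
    print("closed:", delta["closed"], "out of scope:", delta["out_of_scope"])
    print("rating:", security_rating(delta["opened"]))
```

Keeping the out-of-scope bucket separate matters in practice: an alert on an address you do not own is noise, but a cluster of them in one /24 is often the first sign that the scope definition, not Shodan, is wrong.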

Complementary Solutions

ThreatNG and Shodan act as the "Eyes" of the security stack, feeding data into downstream execution systems.

Security Information and Event Management (SIEM)

  • Workflow: ThreatNG defines the authorized asset list. Shodan scans the internet for open ports and banners.

  • Benefit: The SIEM ingests this data to correlate "External View" with "Internal Logs." If Shodan sees a server responding to external queries that the internal firewall logs show as "Blocked," the SIEM can flag a firewall misconfiguration.
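The correlation above, written out as an added example (not ThreatNG's, Shodan's or any SIEM vendor's code): a handful of constructed firewall log lines in a generic key=value syslog style are parsed into a per-destination policy, and each service Shodan reported as answering is checked against it. A destination that the firewall only ever logged as BLOCK yet Shodan reached is flagged as a suspected bypass; one the firewall never logged at all is flagged as a visibility gap, since the asset may not sit behind that firewall. Addresses and log format are constructed.

```python
import re

# Constructed firewall log lines in a generic key=value syslog style (not any
# vendor's real format). The addresses are documentation ranges.
FIREWALL_LOG = """\
2024-05-01T10:00:01 fw01 action=BLOCK src=198.51.100.77 dst=203.0.113.10 dport=3389 proto=tcp
2024-05-01T10:00:02 fw01 action=ALLOW src=198.51.100.77 dst=203.0.113.10 dport=443 proto=tcp
2024-05-01T10:00:03 fw01 action=BLOCK src=198.51.100.78 dst=203.0.113.11 dport=5432 proto=tcp
2024-05-01T10:00:04 fw01 action=ALLOW src=198.51.100.79 dst=203.0.113.10 dport=443 proto=tcp
"""

# Constructed Shodan-style observations: (ip, port) pairs Shodan reported as answering.
SHODAN_SEEN = [("203.0.113.10", 3389), ("203.0.113.10", 443),
               ("203.0.113.11", 5432), ("203.0.113.12", 22)]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_firewall_log(text: str) -> dict:
    """Map (dst, dport) -> set of actions the firewall logged for that destination service."""
    policy = {}
    for line in text.splitlines():
        fields = dict(_KV.findall(line))
        if all(k in fields for k in ("action", "dst", "dport")):
            key = (fields["dst"], int(fields["dport"]))
            policy.setdefault(key, set()).add(fields["action"].upper())
    return policy


def correlate(shodan_seen, policy) -> dict:
    """Classify each externally observed service against what the firewall thinks.

    A BLOCK logged for one source does not prove the service is blocked for
    Shodan's scanners (a NAT, a second path or a source-specific rule may explain
    it), so a mismatch is reported as suspected, for an analyst to confirm.
    """
    verdicts = {}
    for key in shodan_seen:
        actions = policy.get(key)
        if actions is None:
            verdicts[key] = "no-firewall-visibility"     # asset may not sit behind this firewall
        elif "ALLOW" in actions:
            verdicts[key] = "consistent"                 # exposure is intentional, or at least known
        else:
            verdicts[key] = "firewall-bypass-suspected"  # reachable from the internet, only BLOCK logged
    return verdicts


if __name__ == "__main__":
    for service, verdict in correlate(SHODAN_SEEN, parse_firewall_log(FIREWALL_LOG)).items():
        print(service, verdict)
```

In a SIEM this becomes a scheduled rule: the Shodan side is refreshed per monitoring cycle, the firewall side is a rolling window of the ALLOW/BLOCK events, and only the two mismatch verdicts raise a case.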

Vulnerability Management Platforms

  • Workflow: ThreatNG identifies the scope of live assets. Shodan provides a preliminary passive vulnerability scan.

  • Benefit: This pre-validates the target list for active scanners (like Nessus). Instead of scanning the entire IP space, the active scanner is directed only to the IPs that ThreatNG and Shodan have confirmed are live and hosting services, optimizing license usage and network bandwidth.

Frequently Asked Questions

Does ThreatNG scan like Shodan? ThreatNG performs discovery and assessment, but Shodan is a specialized "Internet-wide Scanner." ThreatNG identifies your assets; Shodan tells you what everyone else already knows about them.

How does this help with Zero-Day exploits? When a Zero-Day (like Log4j) hits, Shodan can instantly identify every server reporting the vulnerable version header. ThreatNG identifies which servers belong to you and your subsidiaries, enabling instant remediation triage.

Can ThreatNG detect if Shodan has indexed my sensitive data? Yes. By using ThreatNG to identify your assets and then cross-referencing with Shodan, you can see if sensitive databases or webcams have been inadvertently indexed and made searchable by the public.
