Shodan search guide
Tips and search filters for obtaining host and IP data from Shodan. Users who sign up with
an educational (.ac.uk) address get a free Shodan account. As with any search engine, Shodan works
well with basic, single-term searches, but the real power comes from customized queries.
Here are the basic search filters you can use:
• city: find devices in a particular city, e.g. city:helsinki
• country: find devices in a particular country, e.g. country:GB (no space after the colon)
• geo: you can pass it coordinates
• software types: type in the software and version number to find nodes running it, e.g. iis 5.0
• hostname: find values that match the hostname, e.g. hostname:".ac.uk"
• net: search a network, e.g. net:"86.176.0.0/16"
• net and proto: search based on an IP or a CIDR range together with a protocol term, e.g. NTP net:"130.88.0.0/16"
• os: search based on operating system
• port: find particular ports that are open, e.g. port:445 country:"GB" org:"University"
• before/after: find results within a timeframe, e.g. org:"The University of Manchester" after:"17/5/2017" or ip:141.163.217.160 before:"10/05/2017"
• org: use the organisation name in the search, e.g. org:"FireEye"
• WordPress: http.component:"wordpress" country:"GB" org:"University"
• HTTP component: country:GB org:"Oxford University" http.component:"drupal"
• Product: net:86.176.0.0/16 product:pulse
• vuln: find hosts carrying a vulnerability tag, e.g. vuln:CVE-2021-27065 for vulnerable Microsoft Exchange Server boxes
Other cool searches:
• NTP daemon servers in Helsinki, a method for finding some open NTP servers: ntpd city:helsinki
Further reading:
• https://pen-testing.sans.org/blog/2015/12/08/effective-shodan-searches
Shodan CLI
Installing: pip3 install shodan. You can then set up the Shodan CLI with your API key using "shodan init <>".
Command style: shodan search --fields ip_str,hostnames,transport,port,banner ip:103.21.142.12 after:09/07/2018
Another example: shodan search --fields ip_str,hostnames,transport,port,product,org,banner net:194.80.48.0/20
The Python script below runs a set query from the command line. It was sent to the TI community by cert.at.
#!/usr/bin/env python3
import shodan
import sys

SHODAN_API_KEY = "YOUR-API-KEY"
api = shodan.Shodan(SHODAN_API_KEY)

# Uncomment to take the query from the command line instead of the fixed string
#querystr = sys.argv[1]
querystr = "port:445 country:GB org:University"

# Wrap the request in a try/except block to catch errors
try:
    # Search Shodan
    results = api.search(querystr)

    # Show the results
    print('Results found: %s' % results['total'])
    for result in results['matches']:
        # Only report hosts whose banner advertises SMB version 1
        if 'SMB Version: 1' in result['data']:
            print('IP: %s' % result['ip_str'])
            # These fields are optional in a match, so check before printing
            if 'org' in result:
                print('Organisation: %s' % result['org'])
            if 'os' in result:
                print('OS: %s' % result['os'])
            if 'devicetype' in result:
                print('Devicetype: %s' % result['devicetype'])
            if 'product' in result:
                print('Product: %s' % result['product'])
            if 'info' in result:
                print('Info: %s' % result['info'])
            # Raw banner text
            print(result['data'])
            print('')
except shodan.APIError as e:
    print('Error: %s' % e)
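A query string for querystr can be assembled and checked before it is sent, so that a stray space after a colon, an unquoted multi-word value or a malformed CIDR does not quietly change what is searched. This is an added example, not part of the original page or the cert.at script. The names build_query, _format_value and KNOWN_FILTERS are hypothetical, and the dd/mm/yyyy date format is an assumption taken from the examples on this page.

```python
import ipaddress
import re
from datetime import date

# Filters from the list on this page; anything else is rejected so a typo
# does not silently turn into a free-text banner search.
KNOWN_FILTERS = {"city", "country", "geo", "hostname", "net", "os", "port", "org",
                 "before", "after", "product", "http.component", "vuln", "ip"}


def _format_value(name, value):
    """Validate one filter value and return it as it appears in the query."""
    if name == "net":
        # strict=True rejects a CIDR with host bits set, e.g. 130.88.1.0/16
        return str(ipaddress.ip_network(value, strict=True))
    if name == "ip":
        return str(ipaddress.ip_address(value))
    if name == "port":
        port = int(value)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %r" % (value,))
        return str(port)
    if name == "country":
        # A leading space (as in "country: GB") fails this check
        if not re.fullmatch(r"[A-Za-z]{2}", str(value)):
            raise ValueError("country must be a 2-letter code: %r" % (value,))
        return value.upper()
    if name in ("before", "after"):
        if not isinstance(value, date):
            raise ValueError("%s needs a datetime.date" % name)
        return value.strftime("%d/%m/%Y")  # assumed dd/mm/yyyy, as on this page
    text = str(value).strip()
    if not text or '"' in text:
        raise ValueError("bad value for %s: %r" % (name, value))
    # A value containing whitespace must be quoted to stay one filter value
    return '"%s"' % text if re.search(r"\s", text) else text


def build_query(terms=(), **filters):
    """Join free-text terms and filter:value pairs into one query string."""
    parts = list(terms)
    for name, value in filters.items():
        name = name.replace("_", ".")  # http_component -> http.component
        if name not in KNOWN_FILTERS:
            raise ValueError("unknown filter: %s" % name)
        parts.append("%s:%s" % (name, _format_value(name, value)))
    return " ".join(parts)
```

The returned string can be assigned to querystr in the script above or passed to shodan search on the command line.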