If you are not familiar with Shodan, it is a great search engine to find devices and banners on the internet.  Want to search for ssh servers in China?  See if the United States Navy is running any outdated IIS 5.0 servers?  Find all DNS hostnames for the Ford Motor Corporation?

Shodan can help us find this and much much more.

It’s important to note that Shodan is a passive scanner.  This means that Shodan has already scanned the hosts you are looking for and you are in no way sending data to the devices you are searching for.  This is already in Shodan’s database as it constantly spiders the web, for port numbers, banners, etc.

First, you will need to register with Shodan to create an account.  Once logged in, you can retrieve your API key by clicking the Link in the top right corner of the Shodan webpage.

Registration and API Key:

Second, you will need to install the Shodan command line interface from the link below:

Installation:  https://cli.shodan.io/

Once installed, you can initiate a scan by typing shodan search followed by your search criteria.

Below are some basic search parameters:

Note:  More info on the Shodan CLI

Some Basic Search operators:

title: Search the content of the HTML title tag
html: Search the full HTML content of the web page
net: Search a given netblock (example: 206.22.56.12/24)
product: Search the name of the software or product identified in the banner
version: Search the product version
port: Search for a specific port or ports
os: Search for specific operating system
country: Search for results in a given country (2-letter code)
city: Search for results in a given city

More Field Specifications

Examples:

shodan search --fields ip_str,port,org,hostnames,version apache hostname:navy.mil

shodan search --fields ip_str,port,org, hostname:army.mil

shodan search --fields ip_str,port,org,hostnames org: "Ford Motor Company"

shodan search iis-5.0 hostname:.mil