Skip to content
Shodan Book

Search Query Syntax

To get the most out of Shodan it’s important to understand the query syntax that’s used by the search engine. Before we delve into the actual search query syntax, lets take a look at what you’ll be searching in Shodan:

The Banner

Devices run services and those services are what Shodan collects information about. For example, websites are hosted on devices that run a web service and Shodan would gather information by speaking with that web service. The information for each service is stored in an object called the banner. It is the fundamental unit of data that Shodan gathers and what you’ll be searching for. A simplified banner looks like the following:

{
    "data": "Moxa Nport Device
            Status: Authentication disabled
            Name: NP5232I_4728
            MAC: 00:90:e8:47:10:2d",
    "ip_str": "46.252.132.235",
    "port": 4800,
    "org": "SingTel Mobile",
    "location": {
        "country_code": "SG"
    }
}

The above banner has 5 properties. Note that a real banner will contain many more properties and detailed information about the service. Each property stores a different type of information about the service:

  • data: the main response from the service itself
  • ip_str: IP address of the device
  • port: port number of the service
  • org: the organization that owns this IP space
  • location.country_code: the country where the device is located

By default, only the data property is searched by Shodan. The content of the data property can vary greatly depending on the type of service. For example, here is a typical HTTP banner:

HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Sat, 03 Oct 2015 06:09:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 6466
Connection: keep-alive

The above banner shows that the device is running the nginx web server software with a version of 1.1.19. To show how different the banners can look like, here is a banner for the Siemens S7 industrial control system protocol:

Copyright: Original Siemens Equipment
PLC name: S7_Turbine
Module type: CPU 313C
Unknown (129): Boot Loader           A
Module: 6ES7 313-5BG04-0AB0  v.0.3
Basic Firmware: v.3.3.8
Module name: CPU 313C
Serial number of module: S Q-D9U083642013
Plant identification:
Basic Hardware: 6ES7 313-5BG04-0AB0  v.0.3

The Siemens S7 protocol returns a completely different banner, this time providing information about the firmware, its serial number and a lot of detailed data to describe the device.

You have to decide what type of service you’re interested in when searching in Shodan because the banners vary greatly.

Query Syntax

Lets look again at the simplified banner for Moxa devices:

{
    "data": "Moxa Nport Device
            Status: Authentication disabled
            Name: NP5232I_4728
            MAC: 00:90:e8:47:10:2d",
    "ip_str": "46.252.132.235",
    "port": 4800,
    "org": "SingTel Mobile",
    "location": {
        "country_code": "SG"
    }
}

If you wanted to find more of these Moxa Nport devices then a simple search query would be:

Terminal window
Moxa Nport

However, if you wanted to search for devices on the SingTel Mobile network then a simple search for SingTel Mobile won’t return the expected results. This is because by default, Shodan only searches the data property!

So how do you search those other properties on the banner? How would you ask Shodan to only show Moxa Nport devices located in Singapore?

Search Filters

Search filters are special keywords to tell Shodan that you wish to search specific properties. They take the format of:

filtername:value

Note that there is no space in between the filtername and its value. Using the above example, if you wanted to find devices located in Singapore then you would use the country search filter which accepts as an argument a 2-letter country code:

country:SG

If the value you’re trying to search contains spaces then you need to wrap the value in quotes. The following search query shows devices that are located on the SingTel Mobile network:

org:"SingTel Mobile"

Filters can also be combined to narrow down results even further. For example, here is a search query to find devices located on SingTel Mobile and located in the city of Singapore:

org:"SingTel Mobile" city:Singapore

All search filters accept a comma-separated list of values where each value is OR-ed together. For example, the below searches for MySQL or PostgreSQL services:

product:MySQL,PostgreSQL

And filters for numeric properties allow specifying of ranges. For example, the following searches for SSH services that are running in between ports 1024 and 6000 (exclusive):

ssh port:>1024,<6000

The website has a list of available filters and more examples.