Reduce context-switching for engineers

Self-Hosted AI Code Reviewer

Hexmos LiveReview AI-Powered Code Review
Live Review
AI-Powered Code Review

Shodan Search Filters - Powerful Network Device Search

Master Shodan search filters to find network devices by IP range, port, location, hostname, OS, and dates. Enhance your cybersecurity investigations with precise queries.

Shodan Search Filters

Shodan is a powerful search engine for Internet-connected devices. Mastering its search filters is crucial for cybersecurity professionals, researchers, and network administrators to efficiently locate specific devices and services across the globe. This guide provides an overview of essential Shodan filters to refine your searches.

Shodan Filter Syntax

Shodan queries utilize a simple yet effective syntax. By combining keywords with specific filter prefixes, you can narrow down search results to precisely what you're looking for. Below are some of the most commonly used filters:

IP Range Filtering

To search within a specific block of IP addresses, use the net: filter. This is invaluable for investigating networks you have legitimate access to or for understanding the scope of a particular IP allocation.

net:<ip range>

Port Filtering

Focus your search on devices listening on a particular port with the port: filter. This is useful for identifying specific services, such as web servers (port 80, 443) or SSH servers (port 22).

port:<port>

Location-Based Filtering

Shodan allows you to filter results by geographical location. You can specify a city, country, or even precise coordinates.

city:"<city>"
country:<country_code>
geo:<coords>

Hostname Filtering

If you know or suspect a hostname, you can use the hostname: filter to find devices associated with it.

hostname:<hostname>

Operating System Filtering

Identify devices running a specific operating system using the os: filter. This can be critical for vulnerability assessments and targeted security analysis.

os:<operating system>

Date Filtering

Shodan allows you to search for devices based on when they were last seen or indexed. Use the before: and after: filters with dates in day/month/year or day-month-year format.

before:<date>
after:<date>

Advanced Shodan Usage

Combining these filters allows for highly specific and powerful searches. For instance, you could search for all web servers (port 443) in a particular country that were online within the last week. Understanding these filters is a fundamental skill for anyone leveraging Shodan for security research, threat intelligence, or network inventory.

External Resources

← Back to security cheatsheets All cheatsheets 🙏  Credits & Acknowledgments