steampipe plugin install shodansteampipe plugin install shodan
On This Page
Get Involved

Table: shodan_search

Search the Internet for information about hosts and their services. Please see the examples, a cheat sheet and the filter reference to understand the query options.

Note: A query must be provided in all queries to this table.


List all services for a network range

query = 'net:'

Find all Windows XP hosts

query = 'os:"windows xp"'

Find all services for the GitHub organization

query = 'org:"GitHub"'

.inspect shodan_search

Search the internet for hosts matching the query parameters.

asntextThe autonomous system number (ex. AS4837).
cassandrajsonbCassandra database services that allow connections to the client Thrift port (default: 9160/ tcp).
coapjsonbDevices running CoAP IoT protocol service.
cpejsonbCommon Platform Enumeration.
db2jsonbServices running the IBM DB2 DRDA protocol.
devicetypetextThe type of device (webcam, router, etc.).
dnsjsonbDNS servers that support either UDP or TCP (typically on port 53).
dockerjsonbDocker services that allow remote connections and don’t have authentication enabled.
domainsjsonbAn array of strings containing the top-level domains for the hostnames of the device.
elasticjsonbThe elastic property is available in banners that are identified as belonging to an Elastic service.
etcdjsonbThe etcd service provides a distributed key/value store used by projects such as Kubernetes. Ports that are running the etcd service.
ethernet_ipjsonbDevices that complete a handshake in either TCP or UDP for the industrial Ethernet/IP protocol.
ftpjsonbFTP services running on the default port 21/TCP. If the FTP service supports STARTTLS then the starttls tag will be added to the list of tags on the banner and it will also have a top-level ssl property which contains the certificate, SSL testing results and more.
hashbigintNumeric hash of the data property.
hivejsonbDevices running Apache Hive servers on any port that Shodan crawls.
hostnamesjsonbAn array of strings containing all of the hostnames that have been assigned to the IP address for this device.
httpjsonbThe banner was generated by a HTTP module (http, https, http-simple-new, https-simple-new) and successfully completed a HTTP handshake.
influxdbjsonbDevices running InfluxDB time-series database.
infotextMiscellaneous information that was extracted about the product.
ipinetThe IP address of the host as a string.
ipv6textThe IPv6 address of the host as a string.
isakmpjsonbVPN services that use the ISAKMP protocol (such as IKE).
isptextThe ISP that is providing the organization with the IP space for this device. Consider this the "parent" of the organization in terms of IP ownership.
lantronixjsonbLantronix devices that are running the configuration service.
linktextThe network link type. Possible values are: "Ethernet or modem", "generic tunnel or VPN", "DSL", "IPIP or SIT", "SLIP", "IPSec or GRE", "VLAN", "jumbo Ethernet", "Google", "GIF", "PPTP", "loopback", "AX.25 radio modem".
locationjsonbLocation of the host.
minecraftjsonbDevices running the Minecraft game server.
monerojsonbIf the Monero RPC service is enabled and accepting remote connections. Most results are on port 18081, but it can also be available on other ports.
mongodbjsonbMongoDB services that support the binary protocol to interact with the database.
mqttjsonbMQTT services that allow remote connections.
netbiosjsonbServices that run on port 137 and complete a NetBIOS handshake.
ntpjsonbNTP daemons supporting at least version 1 or version 2.
orgtextThe name of the organization that is assigned the IP space for this device.
ostextThe operating system that powers the device.
portbigintPort number that the service is operating on.
portsjsonbOpen ports for the IP.
producttextName of the software running the service.
querytextQuery string for the exploit search.
redisjsonbRedis services running on the default port 6379/TCP.
ripjsonbServices on port 520 that successfully respond to a RIP request.
rsyncjsonbrsync service information.
shodanjsonbInformation about how the banner was generated. It doesn’t store any data about the port/service itself.
smbjsonbServices that run on port 445 and support either SMBv1 or SMBv2.
snmpjsonbAny banner generated by the snmp module (typically on 161/UDP).
sshjsonbAny service banner where the initial response starts with “SSH” and subsequently completes a SSH handshake.
ssljsonbServices that require SSL (ex. HTTPS) or support upgrading a connection to SSL/TLS (ex. POP3 with STARTTLS).
tagsjsonbList of tags that describe the characteristics of the device.
timestamptimestamp without time zoneThe timestamp for when the banner was fetched from the device.
titletextTitle of the website as extracted from the HTML source.
transporttextUptime of the IP (in minutes).
uptimebigintUptime of the IP (in minutes).
versiontextVersion of the software running the service.
vertxjsonbDevices running the VertX/Edge door controllers.
vulnsjsonbThe vulns property contains information about vulnerabilities that may exist in the service represented by the banner. In general, the Shodan crawlers don’t perform vulnerability testing as a result the vulnerabilities stored in vulns are inferred from the banner and haven’t been verified. Availability: Banners where the software/version has been identified and there exist known CVEs for it.