steampipe plugin install shodan

Table: shodan_search - Query Shodan Search Results using SQL

Shodan is a search engine for internet-connected devices. It provides a way to discover devices, where they are located and who is using them. Shodan is used for various purposes including cybersecurity research, software development, and educational research.

Table Usage Guide

The shodan_search table provides insights into internet-connected devices as indexed by Shodan. As a cybersecurity analyst, explore device-specific details through this table, including IP addresses, hostnames, and potential vulnerabilities. Utilize it to uncover information about devices, such as their geographic location, the software they are running, and their exposure to potential cyber threats.

Important Notes

  • You must specify the query in the where clause to query this table.


List all services for a network range

Explore all the services associated with a specific network range. This is useful for gaining insights into the various operations within a particular network segment, helping to better manage and secure your network infrastructure.

query = 'net:';
Error: SQLite does not support CIDR operations.

Find all Windows XP hosts

Determine the areas in which Windows XP is still being used to understand potential security vulnerabilities and outdated systems in your network.

query = 'os:"windows xp"';
query = 'os:"windows xp"';

Find all services for the GitHub organization

Discover all the services associated with a particular organization, in this case, GitHub. This is useful for gaining insights into the various services that an organization utilizes or is associated with.

query = 'org:"GitHub"';
query = 'org:"GitHub"';

Schema for shodan_search

_ctxjsonbSteampipe context in JSON form, e.g. connection_name.
asntextThe autonomous system number (ex. AS4837).
cassandrajsonbCassandra database services that allow connections to the client Thrift port (default: 9160/ tcp).
coapjsonbDevices running CoAP IoT protocol service.
cpejsonbCommon Platform Enumeration.
db2jsonbServices running the IBM DB2 DRDA protocol.
devicetypetextThe type of device (webcam, router, etc.).
dnsjsonbDNS servers that support either UDP or TCP (typically on port 53).
dockerjsonbDocker services that allow remote connections and don’t have authentication enabled.
domainsjsonbAn array of strings containing the top-level domains for the hostnames of the device.
elasticjsonbThe elastic property is available in banners that are identified as belonging to an Elastic service.
etcdjsonbThe etcd service provides a distributed key/value store used by projects such as Kubernetes. Ports that are running the etcd service.
ethernet_ipjsonbDevices that complete a handshake in either TCP or UDP for the industrial Ethernet/IP protocol.
ftpjsonbFTP services running on the default port 21/TCP. If the FTP service supports STARTTLS then the starttls tag will be added to the list of tags on the banner and it will also have a top-level ssl property which contains the certificate, SSL testing results and more.
hashbigintNumeric hash of the data property.
hivejsonbDevices running Apache Hive servers on any port that Shodan crawls.
hostnamesjsonbAn array of strings containing all of the hostnames that have been assigned to the IP address for this device.
httpjsonbThe banner was generated by a HTTP module (http, https, http-simple-new, https-simple-new) and successfully completed a HTTP handshake.
influxdbjsonbDevices running InfluxDB time-series database.
infotextMiscellaneous information that was extracted about the product.
ipinetThe IP address of the host as a string.
ipv6textThe IPv6 address of the host as a string.
isakmpjsonbVPN services that use the ISAKMP protocol (such as IKE).
isptextThe ISP that is providing the organization with the IP space for this device. Consider this the "parent" of the organization in terms of IP ownership.
lantronixjsonbLantronix devices that are running the configuration service.
linktextThe network link type. Possible values are: "Ethernet or modem", "generic tunnel or VPN", "DSL", "IPIP or SIT", "SLIP", "IPSec or GRE", "VLAN", "jumbo Ethernet", "Google", "GIF", "PPTP", "loopback", "AX.25 radio modem".
locationjsonbLocation of the host.
minecraftjsonbDevices running the Minecraft game server.
monerojsonbIf the Monero RPC service is enabled and accepting remote connections. Most results are on port 18081, but it can also be available on other ports.
mongodbjsonbMongoDB services that support the binary protocol to interact with the database.
mqttjsonbMQTT services that allow remote connections.
netbiosjsonbServices that run on port 137 and complete a NetBIOS handshake.
ntpjsonbNTP daemons supporting at least version 1 or version 2.
orgtextThe name of the organization that is assigned the IP space for this device.
ostextThe operating system that powers the device.
portbigintPort number that the service is operating on.
portsjsonbOpen ports for the IP.
producttextName of the software running the service.
querytext=Query string for the exploit search.
redisjsonbRedis services running on the default port 6379/TCP.
ripjsonbServices on port 520 that successfully respond to a RIP request.
rsyncjsonbrsync service information.
shodanjsonbInformation about how the banner was generated. It doesn’t store any data about the port/service itself.
smbjsonbServices that run on port 445 and support either SMBv1 or SMBv2.
snmpjsonbAny banner generated by the snmp module (typically on 161/UDP).
sshjsonbAny service banner where the initial response starts with “SSH” and subsequently completes a SSH handshake.
ssljsonbServices that require SSL (ex. HTTPS) or support upgrading a connection to SSL/TLS (ex. POP3 with STARTTLS).
tagsjsonbList of tags that describe the characteristics of the device.
timestamptimestamp with time zoneThe timestamp for when the banner was fetched from the device.
titletextTitle of the website as extracted from the HTML source.
transporttextUptime of the IP (in minutes).
uptimebigintUptime of the IP (in minutes).
versiontextVersion of the software running the service.
vertxjsonbDevices running the VertX/Edge door controllers.
vulnsjsonbThe vulns property contains information about vulnerabilities that may exist in the service represented by the banner. In general, the Shodan crawlers don’t perform vulnerability testing as a result the vulnerabilities stored in vulns are inferred from the banner and haven’t been verified. Availability: Banners where the software/version has been identified and there exist known CVEs for it.


This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the script:

/bin/sh -c "$(curl -fsSL" -- shodan

You can pass the configuration to the command with the --config argument:

steampipe_export_shodan --config '<your_config>' shodan_search