Shodan is the search engine for Internet-connected devices. Where Google indexes web pages, Shodan indexes service banners — HTTP headers, TLS certificates, SSH keys, and product fingerprints. For OSINT investigators, that turns a domain or IP into a full map of exposed infrastructure, often revealing systems the owner forgot about.
Why Shodan matters for OSINT
Most reconnaissance tools stop at DNS and web content. Shodan reaches the transport layer: which ports are open, what software answers on each one, and whether the TLS certificate ties back to another asset. That's how you find staging boxes, forgotten IoT devices, and shared infrastructure across seemingly unrelated domains.
Core search operators
Shodan uses key:value filters combined with free-text keywords. The operators below cover about 90% of investigative use cases.
hostname:example.com— devices whose reverse DNS matches the domain.org:"Example Corp"— devices belonging to a specific ASN owner.net:192.0.2.0/24— everything inside a CIDR block.port:22 product:OpenSSH— narrow by port and identified software.ssl:"example.com"— hits whose TLS certificate mentions the domain — great for finding shared origin servers behind a CDN.http.favicon.hash:-123456789— MurmurHash3 of a favicon; unmasks hosts sharing a brand.country:US city:"New York"— geo-scope the query.
Reading a Shodan result
Every hit contains the banner (the raw service response), plus enriched metadata: organization, ASN, hostname, location, and vulnerability flags. Focus on three things:
- Banner text — reveals product name, version, and sometimes internal hostnames.
- TLS certificate — SAN entries expose sibling domains and internal subdomains.
- Vulnerabilities (CVEs) — flagged when the banner matches a known-vulnerable version. Useful for reporting, not for testing.
Pivoting into the BidzzFind workflow
Shodan is strongest when it's not the last stop. A typical chain looks like this:
theHarvester → seed domains, subdomains, and IPs
Shodan → banners, ports, TLS pivots
IntelX → leaks and mentions of the discovered assets
Add your Shodan API key in Settings to let theHarvester include Shodan as a source, then jump into the unified OSINT workflow guide to see the full chain end-to-end.
Ethics and legality
Passive viewing of Shodan results is fine — Shodan only shows publicly reachable services. Actively probing, connecting to, or exploiting those services without written authorization is not. Keep your recon read-only unless you have a scope.
Ready to run recon?
Start with a domain in theHarvester, then jump to Shodan for the deep dive.