🔍

Shodan Search Query Basics

Jul 15, 2025

Overview

This lecture introduces the fundamentals of Shodan's search query syntax, focusing on how to search for specific device data and use filters to target results effectively.

Understanding Shodan Data Structure

  • Devices run services, and Shodan collects information about these services.
  • The main unit of data in Shodan is called a banner.
  • A banner stores data such as service response, IP address, port, organization, and location.
  • Each banner has multiple properties for different information (e.g., data, ip_str, port, org, location).

Banner Examples

  • Banner content varies by service: an HTTP banner may show web server details (e.g., nginx/1.1.19).
  • Industrial protocol banners (e.g., Siemens S7) provide detailed hardware and firmware information.
  • Deciding which service type to search for is important as banner formats differ widely.

Search Syntax Basics

  • By default, Shodan searches only the data property of a banner.
  • A simple keyword search (e.g., "Moxa Nport") searches within the data property.

Search Filters

  • Filters allow searching specific banner properties using the format: filtername:value.
  • There must be no space between the filtername and value.
  • Common filters include country, org, and city.
  • Use quotes for filter values containing spaces, e.g., org:"SingTel Mobile".
  • Filters can be combined to refine searches, e.g., org:"SingTel Mobile" city:Singapore.

Why Filters Matter

  • Filters prevent irrelevant results and help target the correct property (e.g., distinguishing "Apache" software from "Apache Junction" city).
  • Proper filter use ensures accurate and relevant search results in Shodan.

Key Terms & Definitions

  • Banner — The main data object in Shodan containing service information.
  • Filter — A keyword used to direct Shodan to search a specific property.
  • Property — An individual data field within a banner (e.g., data, ip_str).

Action Items / Next Steps

  • Practice using search filters in Shodan to find specific device types or locations.
  • Explore shared search queries on the Shodan website for more examples.

Certainly! Here are some Shodan search queries tailored for hackthissite.org to help you explore devices or services related to that domain or organization for your practice:

Shodan Queries for hackthissite.org

1. Search by Domain Name

Find devices or services mentioning "hackthissite.org" in their banner or metadata:

"hackthissite.org"

2. Search by Organization Name

If hackthissite.org has an associated organization name in Shodan, try:

org:"hackthissite.org"

3. Search by IP Address or Network (if known)

If you know the IP or subnet hosting hackthissite.org, search by IP:

ip:<IP_ADDRESS>

Or subnet:

net:<IP_RANGE>

4. Search for Web Servers on Common Ports

Find web servers related to hackthissite.org on HTTP/HTTPS ports:

"hackthissite.org" (port:80 OR port:443)

5. Search for Specific Software or Services

If you want to find specific web server software used by hackthissite.org:

"hackthissite.org" (product:nginx OR product:Apache)

6. Search for Possible Vulnerabilities

If you want to check for known vulnerabilities related to hackthissite.org’s services (replace CVE with actual IDs):

"hackthissite.org" vuln:CVE-xxxx-xxxx

Tips for Practice

  • Use these queries to explore how services are exposed and what information banners reveal.
  • Combine filters to narrow down results and practice crafting precise queries.
  • Always use Shodan ethically and only on systems you have permission to test.

If you want, I can help you create more specific queries based on any IPs, software, or services you discover related to hackthissite.org!

Certainly! Here are refined Shodan queries combining the IP ranges you provided with relevant keywords related to Queensland Police Service (QPS) and Axon Evidence, designed to help you find precise results:

Combined IP Range + Keywords + Filters Queries

1. Search devices in the IP ranges mentioning QPS or Queensland Police Service

(net:20.36.34.0/24 OR net:20.37.47.0/24) ("QPS" OR "Queensland Police Service")

2. Search devices in the IP ranges mentioning Axon Evidence or QPS Axon Evidence.au

(net:20.36.34.0/24 OR net:20.37.47.0/24) ("Axon Evidence" OR "QPS Axon Evidence.au")

3. Search devices in the IP ranges owned by Queensland Police Service organization

(net:20.36.34.0/24 OR net:20.37.47.0/24) org:"Queensland Police Service"

4. Search HTTPS services in the IP ranges with QPS or Axon keywords

(net:20.36.34.0/24 OR net:20.37.47.0/24) port:443 ("QPS" OR "Axon")

5. Search nginx or Apache servers in the IP ranges owned by Queensland Police Service

(net:20.36.34.0/24 OR net:20.37.47.0/24) org:"Queensland Police Service" (product:nginx OR product:Apache)

6. Search for devices mentioning authentication disabled (possible misconfig) in the IP ranges with QPS or Axon keywords

(net:20.36.34.0/24 OR net:20.37.47.0/24) ("QPS" OR "Axon") "authentication disabled"

How to Use These Queries

  • Paste the query into Shodan’s search bar.
  • Review the results for banners, open ports, and service details.
  • Use the filters on Shodan to sort or export data if needed.

Optional: Add Country Filter for Australia

To further narrow results to Australia, add country:AU:

Example:

(net:20.36.34.0/24 OR net:20.37.47.0/24) ("QPS" OR "Queensland Police Service") country:AU

If you want, I can help you interpret the results or create queries for other IP ranges or keywords!

View note sourcehttps://help.shodan.io/the-basics/search-query-fundamentals