Shodan#
Version: 1.0.1 · Category: Threat Intelligence · Plan: Base+
Shodan is an internet intelligence platform providing real-time device exposure data: open ports, running services, SSL certificates, device banners, and CVE risk scores. It is a core tool for attack surface management and threat investigation.
Tools#
ip_lookup — IP reconnaissance report#
Returns a reconnaissance report for a single target IP, covering:
- Geolocation (country/city/coordinates)
- All open ports and running services
- SSL/TLS certificate chain presented by each service
- Reverse hostnames
- Cloud provider detection (AWS/Azure/GCP, etc.)
- Historical scan records
Example:
Query the Shodan exposure data for IP 185.220.101.1
shodan_search — Internet device search#
Search the Shodan internet device database using advanced filter syntax:
| Parameter | Description |
|---|---|
| query | Search expression (supports the full Shodan filter syntax) |
| max_results | Maximum number of results to return |
Common search syntax (filters are `name:value` pairs separated by spaces; quote a value that contains spaces):
- `port:22 country:CN org:"Amazon"`: hosts with port 22 open, geolocated in China, whose organization string contains Amazon
- `product:nginx vuln:CVE-2021-44228`: hosts running nginx that Shodan has tagged as affected by CVE-2021-44228
- `hostname:.corp.example.com`: hosts whose hostname contains that suffix
- `ssl.cert.subject.cn:*.example.com`: hosts presenting a certificate whose subject CN matches the wildcard pattern
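When queries are generated from IOC lists rather than typed by hand, it pays to validate the filter values (port range, CIDR shape, CVE id format) and to quote them correctly before they reach the API. The following is an added example written for this page, not the connector's code or the official `shodan` client: the filter names are Shodan's public filters, while `build_query`, `parse_query` and `rdp_exposure_query` are this example's own helpers. Quoting is emitted only for values that contain whitespace, so `org:Amazon` is produced for the single-word case.

```python
"""Compose and parse Shodan search expressions.

Added example for this page; it is not the connector's code or the official
shodan client. Filter names (port, country, org, net, vuln, hostname,
ssl.cert.subject.cn) are public Shodan filters; build_query, parse_query and
rdp_exposure_query are this example's own helpers.
"""
import ipaddress
import re
import shlex


def _check_port(value):
    """Reject ports outside 1..65535 before they reach the API."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return str(port)


def _check_net(value):
    """Normalise a CIDR (10.0.0.5/24 -> 10.0.0.0/24) and reject malformed input."""
    return str(ipaddress.ip_network(value, strict=False))


def _check_cve(value):
    """Upper-case a CVE id and reject anything that is not CVE-YYYY-NNNN+."""
    if not re.fullmatch(r"CVE-\d{4}-\d{4,}", value, re.IGNORECASE):
        raise ValueError(f"not a CVE id: {value}")
    return value.upper()


# Only these filters get a validator; any other name is passed through so the
# full Shodan filter syntax stays available.
_VALIDATORS = {"port": _check_port, "net": _check_net, "vuln": _check_cve}


def build_query(*terms):
    """Return a query string from (filter_name, value) pairs.

    Values containing whitespace are double-quoted, e.g. org:"Amazon Data Services".
    """
    parts = []
    for name, value in terms:
        value = str(value).strip()
        if name in _VALIDATORS:
            value = _VALIDATORS[name](value)
        if '"' in value:
            raise ValueError(f"embedded double quote in value for {name}")
        if any(ch.isspace() for ch in value):
            value = f'"{value}"'
        parts.append(f"{name}:{value}")
    return " ".join(parts)


def parse_query(query):
    """Split a query back into (filter_name, value) pairs, honouring quotes."""
    pairs = []
    for token in shlex.split(query):
        name, sep, value = token.partition(":")
        if not sep:
            raise ValueError(f"bare keyword, expected filter:value: {token}")
        pairs.append((name, value))
    return pairs


def rdp_exposure_query(cidr):
    """Workflow step 2: every host in a subnet with RDP reachable from the internet."""
    return build_query(("net", cidr), ("port", 3389))


if __name__ == "__main__":
    print(build_query(("port", "22"), ("country", "CN"), ("org", "Amazon")))
    print(rdp_exposure_query("10.0.0.5/24"))
    print(parse_query('product:nginx vuln:CVE-2021-44228 org:"Amazon Data Services"'))
```

`parse_query` is useful when logging or auditing the queries an automated workflow submits: it splits on the first colon only, so dotted filter names such as `ssl.cert.subject.cn` survive intact.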
dns_lookup — Bulk DNS resolution#
Resolve multiple hostnames to IP addresses in a single call.
reverse_dns_lookup — Bulk reverse DNS#
Bulk reverse-resolve IP addresses to hostnames. Useful for tracing network IOCs back to domain infrastructure.
cve_lookup — CVE detail query#
| Return field | Description |
|---|---|
| CVSS v2/v3 | Common Vulnerability Scoring System base score (v2 and v3) |
| EPSS | Exploit Prediction Scoring System: probability of exploitation activity in the next 30 days, with its percentile |
| KEV status | Whether it is in the CISA Known Exploited Vulnerabilities catalog |
| Ransomware association | Whether used by known ransomware groups |
| Affected CPEs | List of affected standard platforms |
cpe_lookup — CPE identifier search#
Search for CPE (Common Platform Enumeration) identifiers by product name. Run it first to find the identifier that cves_by_product expects.
cves_by_product — Product CVE list#
List all CVEs for a product. Key filter parameters:
| Parameter | Description |
|---|---|
| is_kev: true | Return only CVEs in the CISA KEV catalog (actively exploited) |
| sort_by_epss: true | Sort by EPSS exploitation probability, highest first |
| Date range | Filter by vulnerability disclosure date |
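The three filters combine into a simple triage pipeline: keep only KEV entries, restrict to a disclosure window, then rank by EPSS. The following is an added example written for this page, not connector code: `CveRecord`, `prioritise_cves` and `priority_tier` are this example's own, the records are constructed sample data shaped after the fields the cve_lookup table lists plus a disclosure date, and the `CVE-0000-*` ids are placeholders (year 0000 cannot collide with a real CVE). It also goes one step past the page by adding a tier policy that puts known exploitation (KEV or ransomware use) ahead of any score.

```python
"""Rank a product's CVE list the way cves_by_product's filters do.

Added example for this page, not connector code. The records are constructed
sample data shaped after the fields the cve_lookup table lists (CVSS, EPSS,
KEV status, ransomware association, CPEs) plus a disclosure date; the field
names and the CVE-0000-* ids are placeholders, not Shodan's response schema.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CveRecord:
    cve: str
    cvss: float        # CVSS v3 base score
    epss: float        # EPSS probability, 0..1
    kev: bool          # listed in CISA KEV
    ransomware: bool   # used by known ransomware groups
    published: date    # disclosure date
    cpes: tuple        # affected CPE identifiers


# Constructed sample data for a hypothetical product; values are illustrative.
SAMPLE = (
    CveRecord("CVE-0000-0001", 9.8, 0.92, True, True, date(2021, 12, 10),
              ("cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*",)),
    CveRecord("CVE-0000-0002", 7.5, 0.05, False, False, date(2022, 3, 1),
              ("cpe:2.3:a:example:app:1.1:*:*:*:*:*:*:*",)),
    CveRecord("CVE-0000-0003", 6.5, 0.40, True, False, date(2023, 6, 15),
              ("cpe:2.3:a:example:app:1.2:*:*:*:*:*:*:*",)),
    CveRecord("CVE-0000-0004", 9.1, 0.01, False, False, date(2024, 1, 20),
              ("cpe:2.3:a:example:app:1.3:*:*:*:*:*:*:*",)),
)


def prioritise_cves(records, is_kev=None, sort_by_epss=False, since=None, until=None):
    """Apply the is_kev / sort_by_epss / date-range filters and return CVE ids.

    is_kev=None keeps both KEV and non-KEV entries; since/until are inclusive.
    Without sort_by_epss the input order is preserved.
    """
    kept = [
        r for r in records
        if (is_kev is None or r.kev == is_kev)
        and (since is None or r.published >= since)
        and (until is None or r.published <= until)
    ]
    if sort_by_epss:
        kept.sort(key=lambda r: r.epss, reverse=True)  # stable for ties
    return [r.cve for r in kept]


def priority_tier(record):
    """Example triage policy (this example's own, not a Shodan field).

    Known exploitation (KEV or ransomware use) outranks any score; a high EPSS
    or critical CVSS earns a scheduled fix; everything else is backlog.
    """
    if record.kev or record.ransomware:
        return "patch now"
    if record.epss >= 0.10 or record.cvss >= 9.0:
        return "schedule"
    return "backlog"


if __name__ == "__main__":
    # Equivalent of: cves_by_product ... is_kev:true sort_by_epss:true
    for cve in prioritise_cves(SAMPLE, is_kev=True, sort_by_epss=True):
        print(cve)
    for rec in SAMPLE:
        print(rec.cve, priority_tier(rec))
```

Note that a low CVSS score does not keep a KEV entry out of the top tier: CVE-0000-0003 (CVSS 6.5) outranks CVE-0000-0004 (CVSS 9.1) because the former has been exploited in the wild and the latter has an EPSS of 1%.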
Configuration#
| Item | Description |
|---|---|
| Customer-selected connector | Shodan can be configured only when the connector is enabled for your workspace |
| Bring your own key (BYOK) | Enter your own Shodan API key for direct API access |
!!! info "Getting an API key"
    Register at account.shodan.io. Free keys have search quota limits; paid plans unlock the full Search API.
Investigation workflow#
1. ip_lookup ip:"<suspicious IP>"
→ Identify exposed services and cloud provider
2. shodan_search query:"net:<CIDR> port:3389"
→ Find hosts in a subnet with RDP exposed to the internet
3. reverse_dns_lookup ips:["<IP1>","<IP2>"]
→ Resolve attacker IPs to domain infrastructure
4. cve_lookup cve:"CVE-2021-44228"
→ Review vulnerability: EPSS score, KEV status, ransomware association
5. cves_by_product product:"Apache Log4j" is_kev:true sort_by_epss:true
→ Get a prioritized CVE list sorted by exploitation probability