What Shodan Reveals About Your Infrastructure -- and What Attackers See
Shodan indexes every internet-connected device. Learn what information it exposes about your organisation, how attackers use it, and how to reduce your footprint.
What is Shodan?
Shodan is a search engine for internet-connected devices. Where Google indexes web pages, Shodan indexes services: the banners, TLS certificates and protocol responses it collects from open ports on publicly reachable IP addresses. It probes a broad list of common ports rather than all 65,535, so its view of a host is wide but not exhaustive.
Shodan continuously scans the entire IPv4 address space (and increasingly IPv6) and records what it finds. Security researchers use it to understand the internet's attack surface. Attackers use it to find targets.
The uncomfortable truth: everything Shodan shows about your infrastructure is visible to every attacker on the internet. Shodan just makes it searchable.
What information Shodan collects
When Shodan connects to an open port, it records the service banner -- the response the service sends when a connection is established. This typically includes:
Software and version numbers
Server: Apache/2.4.41 (Ubuntu)
Server: nginx/1.18.0
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
220 mail.yourcompany.com ESMTP Postfix (Ubuntu)
Version numbers are the most valuable piece of information for attackers: the exact version tells them which CVEs are worth trying and which exploit to reach for first. The mapping is not perfect. Distributions such as Ubuntu backport security fixes without changing the upstream version, so a banner of OpenSSH_8.2p1 Ubuntu-4ubuntu0.5 may already be patched against a CVE listed for 8.2p1; attackers will still shortlist the host from it, because the banner is the cheapest signal they have.
Operating system details
Service banners often leak the operating system:
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
Microsoft-IIS/10.0
TLS certificate information
For HTTPS and other TLS-enabled services, Shodan records certificate details including subject names, issuer, expiry dates, and Subject Alternative Names (SANs). The CN and SANs reveal every name the certificate was issued for, which often includes internal hostnames, staging sites and other names you never meant to advertise from that IP address.
Application-specific data
Some services return detailed information:
- HTTP -- response headers, page titles, HTML snippets
- FTP -- welcome banners, sometimes directory listings
- SMTP -- mail server name, supported authentication methods
- MongoDB -- database names, collection counts (if no auth)
- Elasticsearch -- cluster name, index names, document counts
- Redis -- memory usage, connected clients, database size
How to search for your own organisation on Shodan
By IP address
net:203.0.113.0/24
This shows everything Shodan has found in your IP range. The net: filter takes a CIDR range, so cross-check it against your WHOIS and ASN allocations rather than only the addresses you remember owning.
By hostname
hostname:yourcompany.com
This finds any service whose banner or certificate mentions your domain.
By SSL certificate
ssl.cert.subject.cn:yourcompany.com
This finds all servers presenting certificates whose subject CN is your domain, which is useful for discovering forgotten servers and shadow IT. It matches the CN only; to catch names that appear only in the SAN list, also search the broader ssl:"yourcompany.com" filter.
By organisation name
org:"Your Company Name"
Shodan maps IP ranges to organisation names using WHOIS data. This finds infrastructure registered to your company even if you have forgotten about it.
Combine searches
org:"Your Company Name" port:3389
This finds any RDP endpoints in your organisation's IP space -- exactly what a ransomware operator would search for.
Real examples of dangerous Shodan findings
These are common findings that attackers actively search for:
Exposed databases
port:27017 "mongodb"
port:6379 "redis"
port:9200 "elasticsearch"
Exposed, unauthenticated databases are a constant presence on Shodan, and the banner alone often reveals database and index names. See our guide on exposed database ports for why this is critical and how to fix it.
Exposed remote management
port:3389 "Remote Desktop"
port:22 "SSH"
port:5900 "VNC"
Remote management services are the top entry points for ransomware. RDP and SSH should never be directly exposed without proper hardening.
Industrial control systems
port:502 "Modbus"
port:47808 "BACnet"
SCADA and building automation systems are sometimes found on the public internet with no authentication.
Webcams and IoT devices
"Server: webcamXP"
"Server: IP Camera"
Exposed cameras with default credentials are trivially searchable.
Default credentials
"default password" port:80
"admin" "password" http.title:"Login"
Many devices and applications ship with default credentials that are never changed.
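The searches above return one record per host, with a per-port banner list. The following is an added example, not code from the page or from Shodan: it triages records shaped like Shodan's host JSON (ip_str, org, and a data list whose entries carry port, product, version and the raw banner) against the port categories this section lists, and ranks the findings by severity. SAMPLE_HOSTS is constructed for illustration in the RFC 5737 documentation range, and the field names are an assumption about Shodan's schema; pass a saved lookup as a file argument to triage real output.

```python
"""Triage Shodan-style host records for the exposures this article singles out.

Added example, not code from the page or from Shodan. The records mimic the
shape of Shodan's host JSON (ip_str, org, and a 'data' list with one entry per
open port carrying 'port', 'product', 'version' and the raw banner in 'data'),
but SAMPLE_HOSTS is constructed for illustration and the field names are an
assumption about that schema.
"""
import json
import sys

# Ports the article lists as dangerous, with the severity a finding on them gets.
RISK_PORTS = {
    "exposed database": ({27017, 6379, 9200, 3306, 5432}, "critical"),
    "industrial control": ({502, 47808}, "critical"),
    "remote management": ({3389, 22, 5900}, "high"),
}
SEVERITY_RANK = {"critical": 0, "high": 1, "low": 2}

# Constructed sample in the RFC 5737 documentation range (not real hosts).
SAMPLE_HOSTS = [
    {"ip_str": "203.0.113.10", "org": "Your Company Name", "data": [
        {"port": 443, "product": "Apache httpd", "version": "2.4.41",
         "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"},
        {"port": 3389, "product": "Remote Desktop Protocol", "version": None,
         "data": "Remote Desktop Protocol\nNTLM Info: ..."},
    ]},
    {"ip_str": "203.0.113.25", "org": "Your Company Name", "data": [
        {"port": 27017, "product": "MongoDB", "version": "4.4.6",
         "data": "MongoDB Server Information\n..."},
        {"port": 22, "product": "OpenSSH", "version": "8.2p1 Ubuntu-4ubuntu0.5",
         "data": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5"},
    ]},
]


def classify(port, version):
    """Map one banner to (category, severity); None when the article flags nothing."""
    for category, (ports, severity) in RISK_PORTS.items():
        if port in ports:
            return category, severity
    if version:
        # Not a dangerous port, but the banner still hands out a version string.
        return "version disclosure", "low"
    return None


def triage(hosts):
    """Return one finding per flagged banner, most severe first."""
    findings = []
    for host in hosts:
        for banner in host.get("data", []):
            hit = classify(banner.get("port"), banner.get("version"))
            if hit is None:
                continue
            category, severity = hit
            findings.append({
                "ip": host.get("ip_str"),
                "port": banner.get("port"),
                "product": banner.get("product"),
                "version": banner.get("version"),
                "category": category,
                "severity": severity,
            })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["ip"], f["port"]))
    return findings


def summarise(findings):
    """Count findings per category, useful as a trend line over repeated runs."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python triage.py [saved_lookup.json]; one host record or a list of them.
    hosts = SAMPLE_HOSTS
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            loaded = json.load(fh)
        hosts = loaded if isinstance(loaded, list) else [loaded]
    for f in triage(hosts):
        print(f"{f['severity']:8} {f['ip']}:{f['port']:<5} {f['category']:20} "
              f"{f['product'] or '?'} {f['version'] or ''}".rstrip())
```

A finding on a listed port keeps its category even when the banner also leaks a version; the version is carried along in the finding so the patch question can be answered in the same pass.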
How to reduce your Shodan footprint
You cannot remove yourself from Shodan (it scans the public internet, which you are part of). But you can reduce what it finds:
1. Close unnecessary ports
The most effective step. If a service does not need to be internet-facing, firewall it. Review our guide on open ports security for a complete approach.
2. Remove version information from banners
Configure your services to hide version numbers:
# Nginx
server_tokens off;
# Apache
ServerTokens Prod
ServerSignature Off
# SSH - edit /etc/ssh/sshd_config
# The protocol requires the SSH-2.0-OpenSSH_x.y identification string, so the
# upstream version cannot be hidden. The Debian/Ubuntu build appends a distro
# suffix (Ubuntu-4ubuntu0.5); "DebianBanner no" removes it. Beyond that, keep
# OpenSSH patched so the version string does not correspond to an exploitable release.
3. Use non-standard ports (with caveats)
Moving services to non-standard ports (e.g., SSH on port 2222) reduces casual scanning but does not stop Shodan -- it scans common non-standard ports too. Treat this as noise reduction, not security.
4. Implement proper authentication on everything
Ensure every internet-facing service requires authentication. This includes databases, admin panels, monitoring dashboards, and APIs.
5. Keep software updated
If Shodan shows your version number, at least make sure it does not correspond to an exploitable release. Regular patching makes version disclosure less dangerous; note that distribution security updates usually keep the old upstream version string, so check your package's changelog rather than the banner when deciding whether a CVE still applies.
6. Use a CDN or reverse proxy
Placing services behind a CDN (Cloudflare, AWS CloudFront) hides your origin IP. Shodan sees the CDN's IP, not yours. But this only works if the origin is not directly reachable: restrict it to the CDN's published IP ranges at the firewall, and do not let it present a certificate or banner carrying your domain, since an ssl.cert search will find the origin regardless of DNS.
Why banner grabbing matters
Banner grabbing is the first step in targeted exploitation:
- Attacker searches Shodan for your organisation
- Finds Apache/2.4.49 on port 443
- Searches CVE databases for Apache 2.4.49 vulnerabilities
- Finds CVE-2021-41773 (path traversal, CVSS 7.5)
- Launches the exploit with a pre-built tool
The entire process can take minutes. Note how exact the match has to be: CVE-2021-41773 affects only 2.4.49, so the Apache/2.4.41 banner shown earlier would not lead here, and a distribution build with backported fixes may not be exploitable even when the version matches. Every piece of version information you expose still shortens the attacker's time to exploitation, because it tells them where to start looking.
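To see what Shodan and an attacker actually read from a host, connect and parse the banner yourself. The following is an added example, not code from the page: parse_banner() extracts product, version and OS hint from the three banner styles quoted earlier in the article (HTTP Server header, SSH identification string, SMTP 220 greeting), and grab_banner() performs the live connection, speaking first only where the protocol needs a request. SAMPLE_BANNERS is constructed for offline testing and the hostnames in it are not real targets; run it only against hosts you are authorised to test.

```python
"""Grab a service banner the way Shodan does and pull product, version and OS hint out of it.

Added example, not code from the page. parse_banner() handles the three banner
styles quoted in the article (HTTP Server header, SSH identification string,
SMTP 220 greeting); grab_banner() makes the live connection. SAMPLE_BANNERS is
constructed for offline testing; the hostnames in it are not real targets.
"""
import re
import socket
import ssl
import sys

# Constructed banners mirroring the ones quoted in the article.
SAMPLE_BANNERS = {
    "apache": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n",
    "iis": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n\r\n",
    "ssh": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n",
    "smtp": "220 mail.yourcompany.com ESMTP Postfix (Ubuntu)\r\n",
    "quiet": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",  # server_tokens off
}

# "Apache/2.4.41 (Ubuntu)" -> product, optional /version, optional (os hint)
_PRODUCT = re.compile(r"([^/\s]+)(?:/(\S+))?(?:\s*\(([^)]*)\))?")
# "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5" -> protocol, product, version, distro suffix
_SSH = re.compile(r"^SSH-(\d\.\d+)-(\S+?)(?:_(\S+))?(?:\s+(.*))?$")
# "220 mail.example ESMTP Postfix (Ubuntu)" -> hostname, product, os hint
_SMTP = re.compile(r"^220[ -](\S+)\s+(?:ESMTP\s+)?(\S+)(?:\s+\(([^)]*)\))?", re.I)


def parse_banner(raw):
    """Return {"service", "product", "version", "os_hint"} or None if nothing is recognised."""
    first = raw.splitlines()[0] if raw else ""
    if first.startswith("SSH-"):
        m = _SSH.match(first)
        if m:
            return {"service": "ssh", "product": m.group(2), "version": m.group(3), "os_hint": m.group(4)}
    if first.startswith("220"):
        m = _SMTP.match(first)
        if m:
            return {"service": "smtp", "product": m.group(2), "version": None, "os_hint": m.group(3)}
    server = re.search(r"^Server:\s*(.+?)\r?$", raw, re.I | re.M)
    if server:
        m = _PRODUCT.match(server.group(1).strip())
        return {"service": "http", "product": m.group(1), "version": m.group(2), "os_hint": m.group(3)}
    return None  # no version-bearing banner found: what a hardened host should look like


def grab_banner(host, port, timeout=3.0, use_tls=None):
    """Connect, elicit a banner (SSH/SMTP talk first; HTTP needs a request) and return it as text."""
    if use_tls is None:
        use_tls = port in (443, 8443)
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        # We want what the server sends, not a trust decision, so the cert is not verified here.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        if use_tls or port in (80, 8000, 8080):
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return sock.recv(4096).decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage: python banner_grab.py mail.yourcompany.com 25
    target, port = sys.argv[1], int(sys.argv[2])
    raw = grab_banner(target, port)
    print(raw.strip())
    print(parse_banner(raw))
```

Run it against a host before and after applying the banner settings from the hardening section: the HTTP result should go from a parsed product and version to None, while SSH will still report OpenSSH and its upstream version, which is the protocol-required part you cannot remove.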
Shodan vs Censys vs other OSINT tools
Shodan is the most well-known internet scanner, but it is not the only one:
| Tool | Focus | Notes |
|---|---|---|
| Shodan | General internet scanning | Most popular, broadest coverage |
| Censys | TLS certificates, internet-wide scanning | Strong certificate and host analysis |
| ZoomEye | Chinese internet scanner | Large dataset, different perspective |
| BinaryEdge | Risk scoring, internet scanning | Includes risk scores per IP |
| GreyNoise | Identifies mass scanners | Tells you if an IP is a known scanner |
All of these tools show what attackers see. Checking your organisation on multiple platforms gives you the most complete picture.
Setting up Shodan alerts
Shodan offers a monitoring feature that alerts you when new services are detected on your IP ranges:
- Create a Shodan account
- Go to Dashboard > Network Monitor
- Add your IP ranges
- Configure notifications (email, Slack, webhook)
This gives you an early-warning system for newly exposed services, driven by the same scans attackers are reading.
How SurfaceScan helps
SurfaceScan does what Shodan does -- and more -- specifically for your organisation. It continuously discovers and monitors your external attack surface, checking every port, service, and configuration from the attacker's perspective. Unlike Shodan, SurfaceScan is purpose-built for remediation: every finding includes severity ratings, specific remediation steps, and historical tracking so you can measure improvement. It catches exposed databases, open management ports, weak TLS, missing security headers, and every other issue that Shodan would reveal -- before an attacker finds them.
Related articles
Exposed Database Ports: A Critical Security Finding You Must Fix Now
Database ports like MySQL 3306, PostgreSQL 5432, MongoDB 27017, and Redis 6379 exposed to the internet are a critical risk. Learn how to detect and secure them.
Open Ports: Which Ones Are Dangerous and How to Close Them
Not all open ports are a problem, but some should never be exposed to the internet. Learn which ports are dangerous, why, and how to close them safely.
RDP Security: Why Exposed RDP is the #1 Ransomware Entry Point
RDP on port 3389 exposed to the internet is the most common ransomware entry point. Learn why you must never expose RDP directly and what secure alternatives exist.