How do I install Shodan Reconnaissance and Pentesting?

Install Shodan Reconnaissance and Pentesting with a single command: npx mdskills install sickn33/shodan-reconnaissance. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Shodan Reconnaissance and Pentesting?

Shodan Reconnaissance and Pentesting works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Shodan Reconnaissance and Pentesting

Name: Shodan Reconnaissance and Pentesting: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

Testing & QAIntermediate

This skill should be used when the user asks to "search for exposed devices on the internet," "perform Shodan reconnaissance," "find vulnerable services using Shodan," "scan IP ranges with Shodan," or "discover IoT devices and open ports." It provides comprehensive guidance for using Shodan's search engine, CLI, and API for penetration testing reconnaissance.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/shodan-reconnaissance

Fork & Edit

Skill Advisor8.0

Comprehensive pentesting reconnaissance guide with extensive CLI examples and search patterns

+Provides systematic workflow with detailed CLI commands and filter combinations
+Includes practical examples covering organization recon, vulnerability discovery, and IoT scanning
+Documents credit system, rate limits, and legal authorization requirements clearly
-Requests shell execution permissions for commands agents typically don't run directly

SKILL.md

Edit in Browser

1---
2name: Shodan Reconnaissance and Pentesting
3description: This skill should be used when the user asks to "search for exposed devices on the internet," "perform Shodan reconnaissance," "find vulnerable services using Shodan," "scan IP ranges with Shodan," or "discover IoT devices and open ports." It provides comprehensive guidance for using Shodan's search engine, CLI, and API for penetration testing reconnaissance.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# Shodan Reconnaissance and Pentesting
10 
11## Purpose
12 
13Provide systematic methodologies for leveraging Shodan as a reconnaissance tool during penetration testing engagements. This skill covers the Shodan web interface, command-line interface (CLI), REST API, search filters, on-demand scanning, and network monitoring capabilities for discovering exposed services, vulnerable systems, and IoT devices.
14 
15## Inputs / Prerequisites
16 
17- **Shodan Account**: Free or paid account at shodan.io
18- **API Key**: Obtained from Shodan account dashboard
19- **Target Information**: IP addresses, domains, or network ranges to investigate
20- **Shodan CLI**: Python-based command-line tool installed
21- **Authorization**: Written permission for reconnaissance on target networks
22 
23## Outputs / Deliverables
24 
25- **Asset Inventory**: List of discovered hosts, ports, and services
26- **Vulnerability Report**: Identified CVEs and exposed vulnerable services
27- **Banner Data**: Service banners revealing software versions
28- **Network Mapping**: Geographic and organizational distribution of assets
29- **Screenshot Gallery**: Visual reconnaissance of exposed interfaces
30- **Exported Data**: JSON/CSV files for further analysis
31 
32## Core Workflow
33 
34### 1. Setup and Configuration
35 
36#### Install Shodan CLI
37```bash
38# Using pip
39pip install shodan
40 
41# Or easy_install
42easy_install shodan
43 
44# On BlackArch/Arch Linux
45sudo pacman -S python-shodan
46```
47 
48#### Initialize API Key
49```bash
50# Set your API key
51shodan init YOUR_API_KEY
52 
53# Verify setup
54shodan info
55# Output: Query credits available: 100
56#         Scan credits available: 100
57```
58 
59#### Check Account Status
60```bash
61# View credits and plan info
62shodan info
63 
64# Check your external IP
65shodan myip
66 
67# Check CLI version
68shodan version
69```
70 
71### 2. Basic Host Reconnaissance
72 
73#### Query Single Host
74```bash
75# Get all information about an IP
76shodan host 1.1.1.1
77 
78# Example output:
79# 1.1.1.1
80# Hostnames: one.one.one.one
81# Country: Australia
82# Organization: Mountain View Communications
83# Number of open ports: 3
84# Ports:
85#   53/udp
86#   80/tcp
87#   443/tcp
88```
89 
90#### Check if Host is Honeypot
91```bash
92# Get honeypot probability score
93shodan honeyscore 192.168.1.100
94 
95# Output: Not a honeypot
96#         Score: 0.3
97```
98 
99### 3. Search Queries
100 
101#### Basic Search (Free)
102```bash
103# Simple keyword search (no credits consumed)
104shodan search apache
105 
106# Specify output fields
107shodan search --fields ip_str,port,os smb
108```
109 
110#### Filtered Search (1 Credit)
111```bash
112# Product-specific search
113shodan search product:mongodb
114 
115# Search with multiple filters
116shodan search product:nginx country:US city:"New York"
117```
118 
119#### Count Results
120```bash
121# Get result count without consuming credits
122shodan count openssh
123# Output: 23128
124 
125shodan count openssh 7
126# Output: 219
127```
128 
129#### Download Results
130```bash
131# Download 1000 results (default)
132shodan download results.json.gz "apache country:US"
133 
134# Download specific number of results
135shodan download --limit 5000 results.json.gz "nginx"
136 
137# Download all available results
138shodan download --limit -1 all_results.json.gz "query"
139```
140 
141#### Parse Downloaded Data
142```bash
143# Extract specific fields from downloaded data
144shodan parse --fields ip_str,port,hostnames results.json.gz
145 
146# Filter by specific criteria
147shodan parse --fields location.country_code3,ip_str -f port:22 results.json.gz
148 
149# Export to CSV format
150shodan parse --fields ip_str,port,org --separator , results.json.gz > results.csv
151```
152 
153### 4. Search Filters Reference
154 
155#### Network Filters
156```
157ip:1.2.3.4                  # Specific IP address
158net:192.168.0.0/24          # Network range (CIDR)
159hostname:example.com        # Hostname contains
160port:22                     # Specific port
161asn:AS15169                 # Autonomous System Number
162```
163 
164#### Geographic Filters
165```
166country:US                  # Two-letter country code
167country:"United States"     # Full country name
168city:"San Francisco"        # City name
169state:CA                    # State/region
170postal:94102                # Postal/ZIP code
171geo:37.7,-122.4             # Lat/long coordinates
172```
173 
174#### Organization Filters
175```
176org:"Google"                # Organization name
177isp:"Comcast"               # ISP name
178```
179 
180#### Service/Product Filters
181```
182product:nginx               # Software product
183version:1.14.0              # Software version
184os:"Windows Server 2019"    # Operating system
185http.title:"Dashboard"      # HTTP page title
186http.html:"login"           # HTML content
187http.status:200             # HTTP status code
188ssl.cert.subject.cn:*.example.com  # SSL certificate
189ssl:true                    # Has SSL enabled
190```
191 
192#### Vulnerability Filters
193```
194vuln:CVE-2019-0708          # Specific CVE
195has_vuln:true               # Has any vulnerability
196```
197 
198#### Screenshot Filters
199```
200has_screenshot:true         # Has screenshot available
201screenshot.label:webcam     # Screenshot type
202```
203 
204### 5. On-Demand Scanning
205 
206#### Submit Scan
207```bash
208# Scan single IP (1 credit per IP)
209shodan scan submit 192.168.1.100
210 
211# Scan with verbose output (shows scan ID)
212shodan scan submit --verbose 192.168.1.100
213 
214# Scan and save results
215shodan scan submit --filename scan_results.json.gz 192.168.1.100
216```
217 
218#### Monitor Scan Status
219```bash
220# List recent scans
221shodan scan list
222 
223# Check specific scan status
224shodan scan status SCAN_ID
225 
226# Download scan results later
227shodan download --limit -1 results.json.gz scan:SCAN_ID
228```
229 
230#### Available Scan Protocols
231```bash
232# List available protocols/modules
233shodan scan protocols
234```
235 
236### 6. Statistics and Analysis
237 
238#### Get Search Statistics
239```bash
240# Default statistics (top 10 countries, orgs)
241shodan stats nginx
242 
243# Custom facets
244shodan stats --facets domain,port,asn --limit 5 nginx
245 
246# Save to CSV
247shodan stats --facets country,org -O stats.csv apache
248```
249 
250### 7. Network Monitoring
251 
252#### Setup Alerts (Web Interface)
253```
2541. Navigate to Monitor Dashboard
2552. Add IP, range, or domain to monitor
2563. Configure notification service (email, Slack, webhook)
2574. Select trigger events (new service, vulnerability, etc.)
2585. View dashboard for exposed services
259```
260 
261### 8. REST API Usage
262 
263#### Direct API Calls
264```bash
265# Get API info
266curl -s "https://api.shodan.io/api-info?key=YOUR_KEY" | jq
267 
268# Host lookup
269curl -s "https://api.shodan.io/shodan/host/1.1.1.1?key=YOUR_KEY" | jq
270 
271# Search query
272curl -s "https://api.shodan.io/shodan/host/search?key=YOUR_KEY&query=apache" | jq
273```
274 
275#### Python Library
276```python
277import shodan
278 
279api = shodan.Shodan('YOUR_API_KEY')
280 
281# Search
282results = api.search('apache')
283print(f'Results found: {results["total"]}')
284for result in results['matches']:
285    print(f'IP: {result["ip_str"]}')
286 
287# Host lookup
288host = api.host('1.1.1.1')
289print(f'IP: {host["ip_str"]}')
290print(f'Organization: {host.get("org", "n/a")}')
291for item in host['data']:
292    print(f'Port: {item["port"]}')
293```
294 
295## Quick Reference
296 
297### Essential CLI Commands
298 
299| Command | Description | Credits |
300|---------|-------------|---------|
301| `shodan init KEY` | Initialize API key | 0 |
302| `shodan info` | Show account info | 0 |
303| `shodan myip` | Show your IP | 0 |
304| `shodan host IP` | Host details | 0 |
305| `shodan count QUERY` | Result count | 0 |
306| `shodan search QUERY` | Basic search | 0* |
307| `shodan download FILE QUERY` | Save results | 1/100 results |
308| `shodan parse FILE` | Extract data | 0 |
309| `shodan stats QUERY` | Statistics | 1 |
310| `shodan scan submit IP` | On-demand scan | 1/IP |
311| `shodan honeyscore IP` | Honeypot check | 0 |
312 
313*Filters consume 1 credit per query
314 
315### Common Search Queries
316 
317| Purpose | Query |
318|---------|-------|
319| Find webcams | `webcam has_screenshot:true` |
320| MongoDB databases | `product:mongodb` |
321| Redis servers | `product:redis` |
322| Elasticsearch | `product:elastic port:9200` |
323| Default passwords | `"default password"` |
324| Vulnerable RDP | `port:3389 vuln:CVE-2019-0708` |
325| Industrial systems | `port:502 modbus` |
326| Cisco devices | `product:cisco` |
327| Open VNC | `port:5900 authentication disabled` |
328| Exposed FTP | `port:21 anonymous` |
329| WordPress sites | `http.component:wordpress` |
330| Printers | `"HP-ChaiSOE" port:80` |
331| Cameras (RTSP) | `port:554 has_screenshot:true` |
332| Jenkins servers | `X-Jenkins port:8080` |
333| Docker APIs | `port:2375 product:docker` |
334 
335### Useful Filter Combinations
336 
337| Scenario | Query |
338|---------|-------|
339| Target org recon | `org:"Company Name"` |
340| Domain enumeration | `hostname:example.com` |
341| Network range scan | `net:192.168.0.0/24` |
342| SSL cert search | `ssl.cert.subject.cn:*.target.com` |
343| Vulnerable servers | `vuln:CVE-2021-44228 country:US` |
344| Exposed admin panels | `http.title:"admin" port:443` |
345| Database exposure | `port:3306,5432,27017,6379` |
346 
347### Credit System
348 
349| Action | Credit Type | Cost |
350|--------|-------------|------|
351| Basic search | Query | 0 (no filters) |
352| Filtered search | Query | 1 |
353| Download 100 results | Query | 1 |
354| Generate report | Query | 1 |
355| Scan 1 IP | Scan | 1 |
356| Network monitoring | Monitored IPs | Depends on plan |
357 
358## Constraints and Limitations
359 
360### Operational Boundaries
361- Rate limited to 1 request per second
362- Scan results not immediate (asynchronous)
363- Cannot re-scan same IP within 24 hours (non-Enterprise)
364- Free accounts have limited credits
365- Some data requires paid subscription
366 
367### Data Freshness
368- Shodan crawls continuously but data may be days/weeks old
369- On-demand scans provide current data but cost credits
370- Historical data available with paid plans
371 
372### Legal Requirements
373- Only perform reconnaissance on authorized targets
374- Passive reconnaissance generally legal but verify jurisdiction
375- Active scanning (scan submit) requires authorization
376- Document all reconnaissance activities
377 
378## Examples
379 
380### Example 1: Organization Reconnaissance
381```bash
382# Find all hosts belonging to target organization
383shodan search 'org:"Target Company"'
384 
385# Get statistics on their infrastructure
386shodan stats --facets port,product,country 'org:"Target Company"'
387 
388# Download detailed data
389shodan download target_data.json.gz 'org:"Target Company"'
390 
391# Parse for specific info
392shodan parse --fields ip_str,port,product target_data.json.gz
393```
394 
395### Example 2: Vulnerable Service Discovery
396```bash
397# Find hosts vulnerable to BlueKeep (RDP CVE)
398shodan search 'vuln:CVE-2019-0708 country:US'
399 
400# Find exposed Elasticsearch with no auth
401shodan search 'product:elastic port:9200 -authentication'
402 
403# Find Log4j vulnerable systems
404shodan search 'vuln:CVE-2021-44228'
405```
406 
407### Example 3: IoT Device Discovery
408```bash
409# Find exposed webcams
410shodan search 'webcam has_screenshot:true country:US'
411 
412# Find industrial control systems
413shodan search 'port:502 product:modbus'
414 
415# Find exposed printers
416shodan search '"HP-ChaiSOE" port:80'
417 
418# Find smart home devices
419shodan search 'product:nest'
420```
421 
422### Example 4: SSL/TLS Certificate Analysis
423```bash
424# Find hosts with specific SSL cert
425shodan search 'ssl.cert.subject.cn:*.example.com'
426 
427# Find expired certificates
428shodan search 'ssl.cert.expired:true org:"Company"'
429 
430# Find self-signed certificates
431shodan search 'ssl.cert.issuer.cn:self-signed'
432```
433 
434### Example 5: Python Automation Script
435```python
436#!/usr/bin/env python3
437import shodan
438import json
439 
440API_KEY = 'YOUR_API_KEY'
441api = shodan.Shodan(API_KEY)
442 
443def recon_organization(org_name):
444    """Perform reconnaissance on an organization"""
445    try:
446        # Search for organization
447        query = f'org:"{org_name}"'
448        results = api.search(query)
449        
450        print(f"[*] Found {results['total']} hosts for {org_name}")
451        
452        # Collect unique IPs and ports
453        hosts = {}
454        for result in results['matches']:
455            ip = result['ip_str']
456            port = result['port']
457            product = result.get('product', 'unknown')
458            
459            if ip not in hosts:
460                hosts[ip] = []
461            hosts[ip].append({'port': port, 'product': product})
462        
463        # Output findings
464        for ip, services in hosts.items():
465            print(f"\n[+] {ip}")
466            for svc in services:
467                print(f"    - {svc['port']}/tcp ({svc['product']})")
468        
469        return hosts
470        
471    except shodan.APIError as e:
472        print(f"Error: {e}")
473        return None
474 
475if __name__ == '__main__':
476    recon_organization("Target Company")
477```
478 
479### Example 6: Network Range Assessment
480```bash
481# Scan a /24 network range
482shodan search 'net:192.168.1.0/24'
483 
484# Get port distribution
485shodan stats --facets port 'net:192.168.1.0/24'
486 
487# Find specific vulnerabilities in range
488shodan search 'net:192.168.1.0/24 vuln:CVE-2021-44228'
489 
490# Export all data for range
491shodan download network_scan.json.gz 'net:192.168.1.0/24'
492```
493 
494## Troubleshooting
495 
496| Issue | Cause | Solution |
497|-------|-------|----------|
498| No API Key Configured | Key not initialized | Run `shodan init YOUR_API_KEY` then verify with `shodan info` |
499| Query Credits Exhausted | Monthly credits consumed | Use credit-free queries (no filters), wait for reset, or upgrade |
500| Host Recently Crawled | Cannot re-scan IP within 24h | Use `shodan host IP` for existing data, or wait 24 hours |
501| Rate Limit Exceeded | >1 request/second | Add `time.sleep(1)` between API requests |
502| Empty Search Results | Too specific or syntax error | Use quotes for phrases: `'org:"Company Name"'`; broaden criteria |
503| Downloaded File Won't Parse | Corrupted or wrong format | Verify with `gunzip -t file.gz`, re-download with `--limit` |
504

Full transparency — inspect the skill content before installing.