loading
loading
OSINT
Download compressed json.gz banner data from Shodan.
overview
shodan-download runs a Shodan search and saves the full result set to a compressed json.gz file instead of paging through it live. Shodan indexes internet-connected devices and the service banners they return, so the export captures open ports, software versions, TLS certificates, and host metadata for every device that matched your query.
Bulk export is the right call when a query matches thousands of hosts. You spend query credits once, download the archive, and parse it offline as many times as you need, filtering and reshaping records without hitting the API again. The same file doubles as a dated, point-in-time record of how a target's exposure looked.
On Trickest, shodan-download is an OSINT node that takes a Shodan search query and an API key, then writes a file and a folder of results. Snapshot the IP space of a target, then feed the export into parsing and enrichment stages that build a host inventory or flag risky services for triage.
use cases
Download every host matching a Shodan query as json.gz and analyze the whole set offline, with no repeat searches against the API.
Export banner data across a target's IP ranges to map open ports, running software, and TLS certificates over the whole estate.
Save the raw archive once, then run filtering and reformatting stages against the file as often as needed without spending more query credits.
Capture a dated json.gz each run and diff snapshots to catch newly opened ports or services between scans.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| query | STRING | · | Shodan search query built from Shodan filters (net:, port:, product:, org:, country:). |
| api_key | STRING | · | Shodan API key with download privileges; each run spends query credits. |
Showing key inputs. shodan-download exposes 2 inputs in total.
example
# download every host matching a query into exposed.json.gzshodan download exposed "net:198.51.100.0/24 port:443,8443"Search query: net:198.51.100.0/24 port:443,8443Total number of results: 128Query credits left: 96Output file: exposed.json.gz[####################################] 100%# one decoded banner from exposed.json.gz:{"ip_str":"198.51.100.24","port":443,"transport":"tcp","product":"nginx","org":"Example Hosting","hostnames":["web.example.com"]}{"ip_str":"198.51.100.87","port":8443,"transport":"tcp","product":"Apache httpd","version":"2.4.57","org":"Example Hosting"}guidance
Use shodan-download to bulk-export Shodan results as json.gz for offline processing, especially when a query matches many hosts. For interactive search, host lookups, and counts, use shodan-python. To parse the export, pair it with a JSON processing stage.
Full Shodan CLI for live search, host lookup, counts, and stats. Use it interactively rather than for bulk dumps.
DNS and domain history rather than device banners. A different OSINT data source.
Email and username availability. Unrelated to device data but another OSINT building block.
faq
related
Look up DNS records on DNSDumpster.
Look up a host on DNSDumpster.
Find lookalike domains adversaries use for typosquatting, phishing, and brand impersonation.
List all public repositories for valid GitHub usernames.
Look up the real IP of a host starting from its favicon and using Shodan.
Gather email account intelligence from public sources and check it against breach data.
A query feeds shodan-download, which exports the matching banners as json.gz before a parse stage turns them into a host inventory.
Facts on this page come from the live Trickest tool library.