loading
loading
OSINT
Shodan is a search engine for internet-connected devices, where you search for hosts instead of pages.
overview
Shodan indexes the services running on internet-connected devices rather than the pages they serve. Where a web search engine returns websites, Shodan returns the open ports, service banners, software versions, and TLS certificates behind an IP, which makes it a staple source for reconnaissance and threat intelligence. The Python CLI exposes that index as a set of subcommands: search the database, look up a single host, count matches, summarize stats, enumerate a domain, and pull bulk data.
The breadth of the CLI is its strength. One node covers host lookups with optional history, full database search with field and facet control, count-only queries to size a search before spending credits, domain lookups that surface a target's subdomains and IPs, honeyscore checks to flag likely honeypots, and on-demand scanning. Output prints pretty or as TSV with a chosen separator and field list, so results drop cleanly into downstream parsing.
On Trickest, shodan-python is an OSINT node that takes a query or target plus a Shodan API key and writes a file and a folder of results. Reach for it to enrich a target's IP space with service intelligence, confirm what a host exposes, or size a search before committing to a bulk export.
use cases
Run host mode on an IP, with --history when you want past banners, to see every open port, service banner, and certificate Shodan has recorded for it.
Query Shodan for exposed products, ports, or vulnerable software versions, then break the results down with facets and stats to prioritize what matters.
Run domain mode with --details to turn a domain into a list of subdomains and the service inventory behind each resolved IP.
Use count mode to return the number of matches, so you know how large a bulk download will be before spending credits.
Run honeyscore on an IP to estimate whether a host is a honeypot before treating its banners as real infrastructure.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| search-mode | BOOLEAN | search | Search the Shodan database for hosts matching a query. |
| host-mdoe | BOOLEAN | host | View every open port, banner, and certificate for an IP address. |
| domain-mode | BOOLEAN | domain | Look up a domain's subdomains and associated IPs. |
| count-mode | BOOLEAN | count | Return only the number of results for a search. |
| honeyscore-mode | BOOLEAN | honeyscore | Check whether an IP is likely a honeypot. |
| api-key | STRING | · | Shodan API key used to authenticate requests. |
| fields | STRING | --fields | Comma-separated list of properties to output. |
| limit | STRING | --limit | Cap the number of results returned. |
Showing key inputs. shodan-python exposes 50 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| type | STRING | --type | Result type for the query. |
| force | BOOLEAN | --force | Force the operation. |
| limit | STRING | --limit | Limit the number of results returned. |
| facets | STRING | --facets | List of facets to get statistics for. |
| fields | STRING | --fields | List of properties to output. |
| format | STRING | --format | Output format for the host information: pretty or tsv. |
| api-key | STRING | · | Shodan API key used to authenticate requests. |
| history | BOOLEAN | --history | Include historical data in the results. |
| verbose | BOOLEAN | --verbose | Verbose output. |
| data-set | STRING | --dataset | See the available files in the given dataset. |
| filename | STRING | --filename | Save the host information in the given file. |
| no-color | BOOLEAN | --no-color | Disable colors in the output. |
| org-mode | STRING | org | Manage your organization's access to Shodan. |
| data-mode | BOOLEAN | data | Bulk data access to Shodan. |
| host-mdoe | BOOLEAN | host | View all available information for an IP address. |
| scan-mode | BOOLEAN | scan | Scan an IP or netblock using Shodan. |
| separator | STRING | --separator | The separator between the properties of the search results. |
| count-mode | BOOLEAN | count | Return the number of results for a search. |
| parse-mode | BOOLEAN | parse | Extract information out of compressed JSON files. |
| stats-mode | BOOLEAN | stats | Provide summary information about a search query. |
| domain-mode | BOOLEAN | domain | Look up DNS records and subdomains for a domain. |
| domain-name | STRING | · | Domain name to look up in domain mode. |
| search-mode | BOOLEAN | search | Search the Shodan database. |
| silent-mode | STRING | --silent | Do not send a notification to the user. |
| convert-mode | BOOLEAN | convert | Convert the given input data file into a different format. |
| host-mode-ip | STRING | · | IP address to inspect in host mode. |
| org-mode-add | STRING | add | Add a new member to the organization. |
| scan-mode-ip | STRING | · | IP address or netblock to scan. |
| wait-results | STRING | --wait | How long to wait for results to come back. |
| honeyscore-ip | STRING | · | IP address to check whether it is a honeypot. |
| org-mode-info | BOOLEAN | info | Show an overview of the organization. |
| data-mode-list | BOOLEAN | list | List available bulk data files. |
| scan-mode-list | BOOLEAN | list | Show recently launched scans. |
| honeyscore-mode | BOOLEAN | honeyscore | Check whether the IP is a honeypot or not. |
| org-mode-remove | STRING | remove | Remove and downgrade a member. |
| save-information | BOOLEAN | --save | Save the information in a file. |
| scan-mode-status | STRING | status | Check the status of an on-demand scan by SCAN_ID. |
| scan-mode-submit | STRING | submit | Submit an IP or netblock to scan using Shodan. |
| stats-mode-query | STRING | · | Search query to summarize in stats mode. |
| search-mode-query | STRING | · | Search query to run in search mode. |
| count-search-query | STRING | · | Search query to count in count mode. |
| data-mode-download | FILE | download | Dataset to download in bulk data mode. |
| parse-mode-filters | STRING | --filters | Filter the results for specific values using key:value. |
| scan-mode-internet | STRING | internet | Scan the internet for a specific port and protocol using Shodan infrastructure. |
| domain-mode-details | STRING | --details | Look up host information for any IPs in the domain results. |
| parse-mode-filename | FILE | · | JSON file to parse. |
| scan-mode-protocols | STRING | protocols | List the protocols you can scan with using Shodan. |
| convert-mode-filename | FILE | · | Input file to convert. |
| data-mode-search-query | STRING | · | Search query used to select bulk data. |
| convert-mode-output-format | STRING | · | Convert output format, for example kml, csv, geo.json, images, xlsx. |
example
# search the index, cap the results, and print selected fieldsshodan search --limit 25 --fields ip_str,port,org,product 'product:nginx port:443'198.51.100.23 443 Example Networks nginx198.51.100.24 443 Example Networks nginx203.0.113.10 443 Cloud Example BV nginx203.0.113.42 8443 Example Hosting nginx198.51.100.9 443 Example Networks nginx203.0.113.77 443 Example Telecom nginxguidance
Use shodan-python for interactive Shodan work: searching the device index, inspecting a single host, counting matches, or pulling stats. For a one-shot bulk dump of a query to json.gz, use shodan-download instead.
Bulk-exports a query's results to json.gz for offline processing. Use it when you only need the raw dump.
Passive DNS inventory rather than device banners. A complementary OSINT source.
Social-identity OSINT. A different axis from device and service intelligence.
faq
related
Look up DNS records on DNSDumpster.
Look up a host on DNSDumpster.
Find lookalike domains adversaries use for typosquatting, phishing, and brand impersonation.
List all public repositories for valid GitHub usernames.
Look up the real IP of a host starting from its favicon and using Shodan.
Gather email account intelligence from public sources and check it against breach data.
A search query feeds shodan-python, which queries the device index and writes the matching hosts and services as a queryable output.
Facts on this page come from the live Trickest tool library.