Quick Start with Shodan
You may have heard the term threat hunting here and there, but what does it really mean? At its core, threat hunting is the practice of proactively searching for and studying adversary tactics closely enough that we can begin to predict—or at least anticipate—their next move. There’s a method to the madness, and this short guide is designed to kick-start your journey into hunting.
***Note: Be sure to review the Analyst Mindset section before proceeding here.***
Shodan
Shodan is an excellent tool for indexing information about publicly exposed devices and endpoints. It’s often used to uncover potential command-and-control (C2) infrastructure and other malicious servers. Honestly, Shodan’s capabilities are so deep that they could fill an entire college course, so this guide is by no means exhaustive. You can explore it yourself here: Shodan Dashboard.
Shodan also provides a Filter Cheat Sheet, which is a fantastic starting point for learning what to search and how to refine your results. Below, I’ll share a general methodology I use that you can adapt for your own hunts.
1. Start Big: search first from the whole world.
Begin with broad searches to map the global landscape. This could mean filtering by country, port, or operating system.
Example:
- country:VN searches specifically within the country of Vietnam.
- port:80 searches worldwide for devices that have port 80 open.
2. Hone In
Once you identify a service or region of interest, narrow your scope with combined filters.
Example:
- country:VN port:80 searches for open HTTP ports in the country of Vietnam.
- city:Manila port:22 searches for open SSH ports in the city of Manila, Philippines.
3. Collect and Correlate
Now comes the analysis. Cross-reference what you’ve found with other intelligence sources:
- Run suspicious IPs through VirusTotal.
- Look for recurring ISPs or hosting providers.
- Identify patterns in vulnerabilities across a region.
- Compare “last block” numbers on Bitcoin nodes with the public ledger for anomalies.
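The three steps above can be scripted so that the "start big, then hone in" queries are composed consistently and the returned hosts are correlated the same way every time. The following is an added example written for this guide, not code from the guide's authors or from Shodan: `build_query` composes filter strings such as `country:VN port:80` from a whitelist of filter names, and the correlation helpers run over a constructed, simplified batch of results. The record layout (`ip`, `port`, `country`, `isp`, `vulns`, `last_block`) is an assumption for illustration and is not Shodan's real JSON schema; the IPs are from documentation ranges and the CVE strings are placeholders.

```python
"""Added example: compose Shodan filters the way the guide describes (broad
first, then combined) and correlate a batch of results offline.
Hypothetical helper code, not from the guide; the record layout below is a
constructed simplification, not Shodan's own schema."""
from collections import Counter

# Filters the guide uses. Restricting composition to a known set catches a
# typo such as "ip:80" (when "port:80" is meant) before a query is spent.
ALLOWED_FILTERS = {"country", "city", "port", "os", "org", "isp"}


def build_query(**filters):
    """Combine filters into one Shodan query string, e.g. 'country:VN port:80'.
    Keyword order is preserved, so the broad filter can be given first."""
    parts = []
    for key, value in filters.items():
        if key not in ALLOWED_FILTERS:
            raise ValueError(f"unknown Shodan filter: {key}")
        value = str(value)
        # Values containing spaces must be quoted, e.g. city:"Ho Chi Minh City"
        parts.append(f'{key}:"{value}"' if " " in value else f"{key}:{value}")
    return " ".join(parts)


# Constructed sample results (documentation IPs, placeholder CVE ids). Only the
# fields this example needs are present; real Shodan results carry far more.
SAMPLE_RESULTS = [
    {"ip": "192.0.2.10", "port": 80, "country": "VN", "isp": "ExampleNet",
     "vulns": ["CVE-PLACEHOLDER-1"]},
    {"ip": "192.0.2.11", "port": 80, "country": "VN", "isp": "ExampleNet",
     "vulns": ["CVE-PLACEHOLDER-1", "CVE-PLACEHOLDER-2"]},
    {"ip": "192.0.2.12", "port": 22, "country": "VN", "isp": "ExampleNet",
     "vulns": []},
    {"ip": "198.51.100.5", "port": 22, "country": "PH", "isp": "SampleHost",
     "vulns": ["CVE-PLACEHOLDER-2"]},
    {"ip": "198.51.100.6", "port": 8333, "country": "PH", "isp": "OtherISP",
     "vulns": [], "last_block": 850000},
    {"ip": "198.51.100.7", "port": 8333, "country": "PH", "isp": "OtherISP",
     "vulns": [], "last_block": 700000},
]


def recurring_isps(results, min_count=2):
    """Step 3, 'recurring ISPs or hosting providers': ISPs seen at least
    min_count times, most frequent first."""
    counts = Counter(r["isp"] for r in results)
    return [(isp, n) for isp, n in counts.most_common() if n >= min_count]


def vuln_patterns_by_country(results):
    """Step 3, 'patterns in vulnerabilities across a region': per country,
    how many hosts carry each vulnerability id."""
    by_country = {}
    for r in results:
        for vuln in r.get("vulns", []):
            by_country.setdefault(r["country"], Counter())[vuln] += 1
    return {country: dict(c) for country, c in by_country.items()}


def stale_bitcoin_nodes(results, reference_height, tolerance=50):
    """Step 3, 'compare last block with the public ledger': nodes whose
    advertised block height is further than tolerance blocks from the
    ledger height you looked up (reference_height is supplied by the analyst)."""
    return [r["ip"] for r in results
            if "last_block" in r
            and abs(r["last_block"] - reference_height) > tolerance]


if __name__ == "__main__":
    print(build_query(country="VN"))            # step 1: start big
    print(build_query(country="VN", port=80))   # step 2: hone in
    print(recurring_isps(SAMPLE_RESULTS))
    print(vuln_patterns_by_country(SAMPLE_RESULTS))
    print(stale_bitcoin_nodes(SAMPLE_RESULTS, reference_height=850010))
```

The query strings are meant to be pasted into the Shodan dashboard or passed to the Shodan API; the correlation helpers accept whatever list of records you build from the results you export, so long as the field names match the ones assumed here. The "last block" check needs the current ledger height as input, which is the public ledger lookup the guide refers to.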
Avoid tunnel vision. In CTI, one of the biggest pitfalls is “falling in love with your own plan.” It’s tempting to want your theory to be right, but good analysis means remaining skeptical and willing to step back when evidence doesn’t line up.
Our team is currently compiling a Shodan Cheat Sheet with our favorite filters. Feel free to check it out (and add your own) once it’s live!
Here's a helpful resource we've found to help us: https://ia903408.us.archive.org/7/items/shodan-book-extras/shodan/shodan.pdf