Shodan

Shodan is the go-to search engine for devices accessible from the internet. Shodan regularly scans the entire IPv4 address space for systems with open ports and makes their collected information public. You can use Shodan to discover external-facing APIs and get information about your target’s open ports, making it useful if you have only an IP address or organization’s name to work from. Like with Google Dorks, you can search Shodan casually by entering your target’s domain name or IP addresses; alternatively, you can use search parameters like you would when writing Google queries. The following table shows some useful Shodan queries.

Shodan QueriesPurpose

hostname:"targetname.com"

Using hostname will perform a basic Shodan search for your target’s domain name. This should be combined with the following queries to get results specific to your target.

"content-type: application/json"

APIs should have their content-type set to JSON or XML. This query will filter results that respond with JSON.

"content-type: application/xml"

This query will filter results that respond with XML.

"200 OK"

You can add "200 OK" to your search queries to get results that have had successful requests. However, if an API does not accept the format of Shodan’s request, it will likely issue a 300 or 400 response.

"wp-json"

This will search for web applications using the WordPress API.

Last updated