Filters
Much like Google and other search engines, SHODAN also lets you use boolean operators ('+', '-' and '|') to include/ exclude certain terms. By default, every search term has a '+' operator assigned to it.
In addition to boolean operators, there are special filters to narrow down the search results.
General
All filters have the format 'filter:value' and can be added anywhere in the search query.
Notice that there's no space before or after the ':'.
» country
The 'country' filter is used to narrow results down by... country. It's useful for when you want to find computers running in a specific country.
Examples:- Apache servers located in Switzerland: apache country:CH
- Nginx servers located in Germany: nginx country:DE
» hostname
The 'hostname' filter lets you search for hosts that contain the value in their hostname.
Examples:- GWS with 'google' in the hostname: "Server: gws" hostname:google
- Nginx with '.de' in the hostname: nginx hostname:.de
» net
The 'net' filter provides a mechanism for limiting the search results to a specific IP or subnet. It uses CIDR notation to designate the subnet range. Here are a few examples:
Examples:- All data for IP 216.219.143.14: net:216.219.143.14
- All data in the subnet 216.219.143.*: net:216.219.143.0/24
- All data in the subnet 216.219.*: net:216.219.0.0/16
- Apache servers in the subnet 216.*: apache net:216.0.0.0/8
» os
The 'os' filter is used to search for specific operating systems. Common possible values are: windows, linux and cisco.
Examples:- Microsoft-IIS running on Windows 2003: microsoft-iis os:"windows 2003"
- JBoss running on Linux: JBoss os:linux
» port
The 'port' filter is used to narrow the search to specific services. Possible values are: 21, 22, 23 and 80.
Examples:- Look only at the FTP banners for ProFTPd: proftpd port:21
» before/ after
The 'before' and 'after' filters let you search only for data that was collected before or after the given
date. Acceptable date formats are:
day/month/year
day-month-year
- Nginx server banners found before January 18 2010: nginx before:18/01/2010
- Apache servers in Switzerland found between March 22 2010 and June 4 2010: apache country:CH after:22/03/2010 before:4/6/2010
SSL Filters
» cert_version
The 'cert_version' filter lets you refine your search based on the SSL certificate version. Valid numbers are:
- 0: Original
- 1: SSLv2
- 2: SSLv3
- 3: TLSv1
» cert_bits
The 'cert_bits' filter lets you refine your search based on the SSL certificate public key bit length.
» cert_issuer
Filter based on information about the organisation that issued the SSL certificate.
Examples:- Certificates issued by Google: cert_issuer:"google internet authority"
» cert_subject
Filter based on the information about the organisation receiving the SSL certificate.
» cipher_name
Filter based on the accepted ciphers the server allows using the cipher name. Valid cipher names are:
- ADH-AES128-SHA
- ADH-AES256-SHA
- ADH-DES-CBC-SHA
- ADH-DES-CBC3-SHA
- ADH-RC4-MD5
- AES128-SHA
- AES256-SHA
- DES-CBC-MD5
- DES-CBC-SHA
- DES-CBC3-MD5
- DES-CBC3-SHA
- DHE-DSS-AES128-SHA
- DHE-DSS-AES256-SHA
- DHE-RSA-AES128-SHA
- DHE-RSA-AES256-SHA
- EDH-DSS-DES-CBC-SHA
- EDH-DSS-DES-CBC3-SHA
- EDH-RSA-DES-CBC-SHA
- EDH-RSA-DES-CBC3-SHA
- EXP-ADH-DES-CBC-SHA
- EXP-ADH-RC4-MD5
- EXP-DES-CBC-SHA
- EXP-EDH-DSS-DES-CBC-SHA
- EXP-EDH-RSA-DES-CBC-SHA
- EXP-RC2-CBC-MD5
- EXP-RC4-MD5
- NULL-MD5
- NULL-SHA
- RC2-CBC-MD5
- RC4-MD5
- RC4-SHA
» cipher_bits
Filter based on the accepted ciphers the server allows using the cipher bit length. Valid cipher bit lengths are:
- 0, 40, 56, 128, 168, 256
- Servers that support low-bit ciphers: cipher_bits:0,40,56
- Servers that accept NULL ciphers: cipher_bits:0
» cipher_protocol
Filter based on the accepted ciphers the server allows using the cipher protocol. Valid cipher protocols are:
- SSLv2
- SSLv3
- TLSv1
- Servers accepting SSLv2: cipher_protocol:SSLv2