• Register
• Login

• User Guide
• Filter Reference
• Exporting Data
• FAQ
• Videos

Filters

Much like Google and other search engines, SHODAN also lets you use boolean operators ('+', '-' and '|') to include/ exclude certain terms. By default, every search term has a '+' operator assigned to it.

In addition to boolean operators, there are special filters to narrow down the search results.

General

All filters have the format 'filter:value' and can be added anywhere in the search query. Notice that there's no space before or after the ':'.

» city

Use the 'city' filter to find devices located in the given city. It's best combined with the 'country' filter to make sure you get the city in the country you want (city names are not always unique).

Examples:

• Apache servers located in Zürich: apache city:"Zürich"
• Nginx servers located in San Diego, USA: nginx city:"San Diego" country:US

---

» country

The 'country' filter is used to narrow results down by... country. It's useful for when you want to find computers running in a specific country.

Examples:

• Apache servers located in Switzerland: apache country:CH
• Nginx servers located in Germany: nginx country:DE

---

» geo

The 'geo' filter allows you to find devices that are within a certain radius of the given latitude and longitude. The filter accepts either 2 or 3 arguments. The optional third argument is the radius in kilometers within to search for computers (default: 5).

Examples:

• Apache servers near 42.9693,-74.1224: apache geo:42.9693,-74.1224
• Devices within a 50km radius of San Diego (32.8,-117): geo:32.8,-117,50

---

» hostname

The 'hostname' filter lets you search for hosts that contain the value in their hostname.

Examples:

• GWS with 'google' in the hostname: "Server: gws" hostname:google
• Nginx with '.de' in the hostname: nginx hostname:.de

---

» net

The 'net' filter provides a mechanism for limiting the search results to a specific IP or subnet. It uses CIDR notation to designate the subnet range. Here are a few examples:

Examples:

• All data for IP 216.219.143.14: net:216.219.143.14
• All data in the subnet 216.219.143.*: net:216.219.143.0/24
• All data in the subnet 216.219.*: net:216.219.0.0/16
• Apache servers in the subnet 216.*: apache net:216.0.0.0/8

---

» os

The 'os' filter is used to search for specific operating systems. Common possible values are: windows, linux and cisco.

Examples:

• Microsoft-IIS running on Windows 2003: microsoft-iis os:"windows 2003"
• JBoss running on Linux: JBoss os:linux

---

» port

The 'port' filter is used to narrow the search to specific services. Possible values are:

• 21 (FTP)
• 22 (SSH)
• 23 (Telnet)
• 25 (SMTP)
• 80 (HTTP)
• 110 (POP3)
• 119 (NNTP)
• 137 (NetBIOS)
• 143 (IMAP)
• 161 (SNMP)
• 443 (HTTPS)
• 445 (SMB)
• 993 (IMAP + SSL)
• 995 (POP3 + SSL)
• 1023 (Telnet)
• 1900 (UPnP)
• 2323 (Telnet)
• 3306 (MySQL)
• 3389 (RDP)
• 5000 (Synology)
• 5001 (Synology)
• 5432 (PostgreSQL)
• 5560 (Oracle)
• 6379 (Redis)
• 7777 (Oracle)
• 8000 (Qconn)
• 8080 (HTTP)
• 8129 (Snapstream)
• 8443 (HTTPS)
• 9200 (ElasticSearch)
• 11211 (MemCache)
• 27017 (MongoDB)
• 28017 (MongoDB Web)

Examples:

• Look only at the FTP banners for ProFTPd: proftpd port:21

---

» before/ after

The 'before' and 'after' filters let you search only for data that was collected before or after the given date. Acceptable date formats are:

day/month/year
day-month-year

Examples:

• Nginx server banners found before January 18 2010: nginx before:18/01/2010
• Apache servers in Switzerland found between March 22 2010 and June 4 2010: apache country:CH after:22/03/2010 before:4/6/2010

SSL Filters

» cert_version

The 'cert_version' filter lets you refine your search based on the SSL certificate version. Valid numbers are:

• 0: Original
• 1: SSLv2
• 2: SSLv3
• 3: TLSv1

---

» cert_bits

The 'cert_bits' filter lets you refine your search based on the SSL certificate public key bit length.

---

» cert_issuer

Filter based on information about the organisation that issued the SSL certificate.

Examples:

• Certificates issued by Google: cert_issuer:"google internet authority"

---

» cert_subject

Filter based on the information about the organisation receiving the SSL certificate.

---

» cipher_name

Filter based on the accepted ciphers the server allows using the cipher name. Valid cipher names are:

• ADH-AES128-SHA
• ADH-AES256-SHA
• ADH-DES-CBC-SHA
• ADH-DES-CBC3-SHA
• ADH-RC4-MD5
• AES128-SHA
• AES256-SHA
• DES-CBC-MD5
• DES-CBC-SHA
• DES-CBC3-MD5
• DES-CBC3-SHA
• DHE-DSS-AES128-SHA
• DHE-DSS-AES256-SHA
• DHE-RSA-AES128-SHA
• DHE-RSA-AES256-SHA
• EDH-DSS-DES-CBC-SHA
• EDH-DSS-DES-CBC3-SHA
• EDH-RSA-DES-CBC-SHA
• EDH-RSA-DES-CBC3-SHA
• EXP-ADH-DES-CBC-SHA
• EXP-ADH-RC4-MD5
• EXP-DES-CBC-SHA
• EXP-EDH-DSS-DES-CBC-SHA
• EXP-EDH-RSA-DES-CBC-SHA
• EXP-RC2-CBC-MD5
• EXP-RC4-MD5
• NULL-MD5
• NULL-SHA
• RC2-CBC-MD5
• RC4-MD5
• RC4-SHA

---

» cipher_bits

Filter based on the accepted ciphers the server allows using the cipher bit length. Valid cipher bit lengths are:

• 0, 40, 56, 128, 168, 256

Examples:

• Servers that support low-bit ciphers: cipher_bits:0,40,56
• Servers that accept NULL ciphers: cipher_bits:0

---

» cipher_protocol

Filter based on the accepted ciphers the server allows using the cipher protocol. Valid cipher protocols are:

• SSLv2
• SSLv3
• TLSv1

Examples:

• Servers accepting SSLv2: cipher_protocol:SSLv2