shodan_host_search
Search internet-connected devices using Shodan queries to discover hosts, identify services, detect vulnerabilities, and perform security reconnaissance for assets like industrial control systems.
Instructions
Search Shodan for hosts matching a query. Returns detailed information about discovered hosts including IP addresses, ports, services, and vulnerabilities. Use for asset discovery and reconnaissance.
ICS/SCADA Examples:
"port:502 tag:ics" - Modbus industrial control systems
"port:502 Siemens" - Siemens SCADA/PLCs
"port:502 "Schneider Electric"" - Schneider Modbus devices
"port:44818 "Allen-Bradley"" - Rockwell EtherNet/IP
"port:20000 tag:ics" - DNP3 utility SCADA
"port:102 S7" - Siemens S7 PLCs
"port:47808 BACnet" - Building automation
"port:4840 "OPC UA"" - Modern ICS protocol
"port:502 org:"Electric"" - Power infrastructure
"port:502 country:US has_vuln:true" - Vulnerable Modbus in US
Effective Patterns:
Combine filters: "port:502 tag:ics country:US org:"Water""
Use facets for overview: facets="country,org,product"
Start broad, narrow down: "port:502" → "port:502 tag:ics" → "port:502 tag:ics Siemens"
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| query | Yes | Shodan search query. General examples: "apache city:San Francisco", "port:22 country:US", "vuln:CVE-2021-44228". ICS/SCADA: "port:502 tag:ics" (Modbus), "port:20000" (DNP3), "port:44818" (EtherNet/IP), "port:102" (Siemens S7), "port:47808" (BACnet). Combine with org:"", country:, product:"", has_vuln:true | |
| facets | No | Optional comma-separated facets for aggregated results. Common: "country,org,port,product". For ICS: "country,org,product" to see distribution. Use facets to get an overview without burning credits. | |
| page | No | Page number for pagination | 1 |