Corporate Espionage with Shodan

RDP Exposed on the internet

What is Shodan?

There are few sites like it, notably Binary Edge, that scan the entire internet, on our behalf. When I say scanning, it’s a mix of tools we are familiar with such as Nmap, Webscreenshot, etc. However services like Shodan do this 24/7 and make the results searchable through filters and facets. This is powerful from an attackers perspective because the only footprint produced, is the access to Shodan’s web servers.

Hunting for your Target

This really depends on what you are looking to get. Money? “Payback”? Corporate Espionage? Actual Espionage? Lulz? The list goes on and on. But the first step an attacker needs to decide is, what does the end game look like. As defenders, I would HIGHLY encourage you look into creating a threat model, who are you most prevalent threats and what systems/person(s) are they going to target.

Shodan Filters

This is how you are going to get around to narrowing down your search results on Shodan. A comprehensive list can be found here. These are your gateway to scoping down to a particular organization, port, service, etc.

Filters vs Facets

This confused me when I first started using Shodan, so let me break it down Barney style.

Filters and Facets

Searching via Port Number

This is one of the simplest searches you can do on Shodan, and I will make sure you get some results that can result into Incident Response teams getting paged.

port 9200 and 9300 exposure on the internet

Searching for Organizations

There a few ways this can be accomplished, and I will show you the ways I am aware of. Some of these techniques are easy to remember, so require you to visit back here to copy paste the filter :).

Searching for Autonomous Systems
Enumerating Russian Military websites
Enumerating Chinese Military websites
Enumerating Subdomains of

Searching via Favicon Icon

This is the best way to get around WAFs (Web Application Firewalls). Typically, larger sites will host their site behind services like Cloudflare and Fastly. Not only does this speed up their websites, but any attacker looking to DDoS via Domain name, will more than likely fail. However, there is 1 weakness with using services like Cloudflare and Fastly. It does not protect websites from direct attacks.

Finding Exposed SMB and Connecting to them

I just want to reiterate, please only do this if you have permission… This is where shit gets scary.

Blurring out this IP… But you can see what I added to my search.

PWN’ing Databases

SMB is a very lucrative path into a network, and using Linux tools such as grep, find, scp, etc, you can find yourself in some really gnarly parts of a network. Start doing internal recon using Python Responder and Bloodhound… But the juicy bits are in exposed Databases.

Different kinds of Databases and their default port assignments
We have 1 DB with an Index of 2TB, yikes

Webcams and Desktops

This is typically the number 1 question I get when someone is coming to me for Shodan advice. “How can I view webcams?” Please stop, it’s weird… But since it is important for Corporate Espionage, I will show you.


Bonus Content

Who doesn’t like some bonus content? These are nothing but for lulz and I won’t share the search queries for them.

Final Comments

Cybersecurity is a job field as well as something a lot of us fail at. Check out for any exposures on your own IP, check you ASNs and of course… Reach out to Blackburn Security if you are needing a Penetration Test, Vulnerability Management or a report on your organization’s internet footprint. I can be reached at, you can add me on Linkedin or follow me on Twitter @TwutterSupport.



Senior Vulnerability Management Engineer

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store