Google sees the surface of the internet: blogs, news sites, and social media. But the internet is much deeper than that.
There are billions of devices connected to the web: security cameras, industrial control systems, baby monitors, and servers. Google ignores them. Shodan finds them.
Shodan is the “Search Engine for the Internet of Things (IoT).” It allows you to see what devices are connected to the internet in a specific city, or even a specific building.
Here is how to use it to explore the hidden web (and check if your own devices are exposed).
What is Shodan?
Shodan constantly scans the entire internet, knocking on every digital “door” (IP address) to see if anyone answers. If a device answers, Shodan records its name, location, and whether it requires a password.
Warning: Scanning is legal. Logging in is NOT.
- Legal: Using Shodan to find an open webcam and seeing the login page.
- Illegal: Guessing the password (admin/admin) and watching the feed.
- We use Shodan to investigate, not to intrude.
Method 1: The “Open Webcam” Search
One of the most common uses of Shodan is finding security cameras that have been accidentally connected to the public internet.
How to use it:
- Go to Shodan.io (Free account required).
- Type a query into the search bar.
The Search Queries:
- has_screenshot:true webcam (Shows devices that identify as webcams and have a screenshot available).
- webcam city:"London" (Finds webcams specifically in London).
What you see: Shodan often takes a snapshot of what the camera sees. You might see a parking lot, a factory floor, or a living room. This highlights a massive privacy flaw: people plug in cameras without setting a password.
Method 2: The “Infrastructure” Map
Investigators use Shodan to map out the digital footprint of a city or a company. You can see exactly what technology a city is running.
How to use it:
- Search by City: city:"New York" (Shows all connected devices in NYC).
- Search by Organization: org:"Google" (Shows servers owned by Google).
Why it matters: If you are investigating a suspicious server IP you found in an email header, paste that IP into Shodan. It will tell you:
- Where the server is physically located.
- What software it is running.
- If it has any known vulnerabilities (bugs).
Method 3: The “Self-Audit” (Are YOU Exposed?)
This is the most important step. Is your home router or security camera visible to the world?
How to check:
- Find your own public IP address (Google “What is my IP”).
- Paste your IP address into Shodan’s search bar.
The Verdict:
- “404 Not Found”: Good. This means Shodan scanned you and found nothing. Your firewall is working.
- Results Appear: Bad. If Shodan shows details about your router or camera, it means your device is open to the public. You need to close your ports immediately.
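The same self-audit can be scripted so it is easy to repeat after every router or camera change. This is an added example, not part of the original article: it assumes Shodan's free InternetDB endpoint (internetdb.shodan.io) and its ports and vulns fields, and the risky-port labels and the sample record are constructed here for illustration.

```python
import json
import urllib.error
import urllib.request

# Ports a home network should rarely expose; labels are this example's own choices.
RISKY_PORTS = {
    23: "Telnet",
    554: "RTSP (camera stream)",
    3389: "Remote Desktop",
    5900: "VNC",
    7547: "TR-069 router management",
    8080: "alternate HTTP (often an admin panel)",
}

def fetch_record(ip):
    """Look up ip in Shodan's InternetDB; return None on HTTP 404 (no record)."""
    url = f"https://internetdb.shodan.io/{ip}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def audit(record):
    """Turn a record (or None) into a verdict plus a sorted list of findings."""
    if record is None or not record.get("ports"):
        return "not indexed", []
    findings = []
    for port in sorted(record["ports"]):
        label = RISKY_PORTS.get(port, "unclassified service")
        findings.append(f"port {port}: {label}")
    for vuln in sorted(record.get("vulns", [])):
        findings.append(f"known vulnerability reported: {vuln}")
    return "exposed", findings

# Constructed sample record (documentation IP, made-up ports), not real scan data.
SAMPLE = {"ip": "203.0.113.10", "ports": [554, 80, 7547], "vulns": []}

if __name__ == "__main__":
    # For a live check, replace SAMPLE with fetch_record("<your public IP>").
    verdict, findings = audit(SAMPLE)
    print(verdict)
    for line in findings:
        print(" -", line)
```

Every port listed under an "exposed" verdict is one to close or move behind the firewall, then re-check.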
Summary: The Shodan Cheat Sheet
| Query | What it Finds |
|---|---|
| has_screenshot:true | Devices that let Shodan take a picture. |
| city:"Berlin" product:"Apache" | Web servers in Berlin running Apache. |
| net:192.168.1.1 | Scans a specific IP address (replace with target). |
The Bottom Line
The internet has eyes. Shodan proves that “Security through Obscurity” (hoping no one finds you) does not work.
Use Shodan to check your own digital perimeter. If you can find your webcam on Shodan, so can a hacker.
Next Step: If Shodan reveals a suspicious IP address attacking you, cross-reference it with our Website Owner Guide to see if that IP is linked to a known scam domain.
