Shodan CLI — Install, Use, Optimise (2026)

Manish Garg, Associate of (ISC)² · RingSafe
Apr 29, 2026

Command-line client for Shodan, the search engine for internet-connected devices and exposed services.

Use case: OSINT
Difficulty: Beginner
Homepage: https://cli.shodan.io

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

pipx

pipx install shodan

pip

pip install --user shodan

Init API key

shodan init YOUR_API_KEY

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Search by query

shodan search "apache country:IN port:80"

Host details

shodan host 8.8.8.8

Count results without listing

shodan count "apache country:IN"

Save results to JSON

shodan download results "Mongo country:IN"
shodan parse --fields ip_str,port,org results.json.gz

Alert on new exposures

shodan alert create "MyOrg" 1.2.3.4/24

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • Free tier: 100 query credits/month. Membership ($49 one-time) unlocks bulk download and more credits — worth it.
  • --fields dramatically reduces credit consumption — only request what you need.
  • shodan download caches results offline — query against the dump with shodan parse for free.
  • shodan stream is a real-time firehose for monitoring — needs Enterprise tier.
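Working offline against a dump, as described in the shodan download bullet above, can also be done with a short script. This is an added example, not code from the Shodan project or from the original page: it reads a gzip-compressed, one-JSON-banner-per-line file (the layout shodan download writes) and reports which addresses inside your own netblocks appear in it. The sample banners, the 203.0.113.0/24 scope and the function names are constructed for illustration.

```python
import gzip
import ipaddress
import json
import os
import tempfile
from collections import defaultdict

# Constructed sample banners (documentation-range addresses), one JSON object
# per line, using the ip_str / port / org fields named on this page.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 6379, "org": "Example Org"},
    {"ip_str": "203.0.113.10", "port": 6379, "org": "Example Org"},  # repeat crawl
    {"ip_str": "203.0.113.25", "port": 9200, "org": "Example Org"},
    {"ip_str": "198.51.100.7", "port": 80, "org": "Someone Else"},   # out of scope
]

def write_sample_dump(path):
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        for banner in SAMPLE_BANNERS:
            fh.write(json.dumps(banner) + "\n")
        fh.write('{"ip_str": "203.0.113.99", "por\n')  # constructed truncated line

def exposures_in_scope(dump_path, cidrs):
    """Return {ip: sorted ports} for banners that fall inside the given netblocks."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    found = defaultdict(set)
    with gzip.open(dump_path, "rt", encoding="utf-8") as fh:
        for line in fh:
            try:
                banner = json.loads(line)
                ip = ipaddress.ip_address(banner["ip_str"])
                port = int(banner["port"])
            except (ValueError, KeyError, TypeError):
                continue  # skip blank, truncated or malformed records
            if any(ip in net for net in nets):
                found[str(ip)].add(port)
    return {ip: sorted(ports) for ip, ports in found.items()}

def demo():
    # Build the constructed dump in a temp dir and check it against our own scope.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "results.json.gz")
        write_sample_dump(path)
        return exposures_in_scope(path, ["203.0.113.0/24"])

if __name__ == "__main__":
    for ip, ports in sorted(demo().items()):
        print(ip, ports)
```

Point exposures_in_scope at a real dump and the netblocks named in your Statement of Work to get the same per-host summary without spending further credits.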

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • shodan init stores API key in plaintext at ~/.shodan/api_key — treat the workstation as sensitive.
  • Date-based queries (after:2026-04-01) only on paid tiers.
  • shodan host consumes 1 credit per IP — bulk lookups are expensive without download dumps.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • Censys — academic origin, broader X.509 cert data.
  • ZoomEye — China-based, sometimes shows assets others miss.
  • FOFA — particularly strong on East Asian networks.

India context and engagement notes

Indian-stack queries that pay off: port:6379 country:IN (exposed Redis), port:9200 country:IN (Elasticsearch), "X-Powered-By: PHP" country:IN port:8080 (admin panels). Report findings via CERT-In responsible disclosure.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
