Shodan

Goal - Gather first batch of information

Find the target

Check vulnerabilities without making any noise.

</aside>

There are many use cases for shodan, but lets focus on finding information about company.

Filter	Usage	Description
org	org: “Company Name”	Matches the organization or company name.
isp	isp:"Comcast”	Filters results by Internet Service Provider, often associated with the company.
asn	asn:"AS15169”	Filters by the Autonomous System Number (ASN) of the company.
hostname	Matches hostnames associated with a company's domain.	hostname:"example.com"
net	net:"192.168.0.0/24”	Searches within a specific CIDR range (often tied to a company’s IP allocation).
ssl.cert.subject	ssl.cert.subject:"CN=example.com"	Matches SSL certificate subjects (useful for identifying company-issued certificates).
ssl.cert.issuer	Example: ssl.cert.issuer:"Google Trust Services”	Searches for SSL certificates issued by a specific CA or company.

Filter	Usage	Description
product	product:"Cisco ASA”	Searches for specific product names.
device	device:"router”	Filters by device type (e.g., router, webcam, printer).
http.component	http.component:"WordPress”	Filters by specific HTTP components like CMS, frameworks, or servers.
os	os:"Windows Server”	Filters by operating system, which can identify device environments.
port	port:22	Searches devices by port number. Combine with other filters to focus on specific devices.
vuln	vuln:CVE-2021-44228	Searches devices for specific vulnerabilities.
modbus / bacnet / ics	modbus:"coil status”	Industrial-specific protocols for finding SCADA/ICS devices tied to a company.

as example: *org:"Google" http.component:"nginx”*

</aside>

There are many ways to use filters, and I even have not list all of them, so checkout link below: