What is Shodan and how is it different from Google?

Shodan is a continuously-updated search engine for internet-connected devices and services — not web pages. While Google crawls HTML content, Shodan crawls TCP/UDP ports, reads service banners, and indexes what every internet-reachable host is running and responding with. It stores this data globally and makes it queryable by service type, product version, CVE, geographic location, organisation, and dozens of other filters. A Shodan query for 'port:6379 product:redis' returns every Redis instance Shodan has indexed as publicly accessible — across every country, every cloud provider, every network. The results are attacker-perspective intelligence: what anyone on the internet can see about your infrastructure before they send a single probe.

Is using Shodan to look up exposed servers legal?

Querying Shodan's database is legal — you are searching an existing index of publicly observable internet data, not actively probing any system. Shodan's crawlers collected the data; you are reading their database. This is analogous to reading a published phone book. The legal boundary is active exploitation: using Shodan results to unauthorisedly access a system, extract data, or cause harm is illegal under computer fraud laws in virtually every jurisdiction. SecurityClaw's shodan-intel skill is designed for passive reconnaissance — finding your own exposure, scoping authorised penetration tests, and security research. The skill does not attempt connections to discovered targets.

Why are there 234,147 exposed Redis instances on the public internet?

Redis's default configuration binds to all network interfaces (0.0.0.0) with no authentication required. The Redis documentation has historically described this as a development convenience with the assumption that Redis would run in a protected network. In practice, cloud deployments skip network hardening steps. A developer spins up a Redis instance on a cloud VM, opens port 6379 in the security group for debugging, forgets to close it, and it persists in production. Automated deployments replicate the same insecure defaults at scale. The fix is two lines in redis.conf: 'bind 127.0.0.1' and 'requirepass '. The exposure exists because neither of these defaults are enforced, and the path from 'works in dev' to 'exposed in prod' requires zero additional steps.

What can an attacker do with an exposed Jupyter Notebook?

An unauthenticated Jupyter Notebook is arbitrary code execution on the host server. Jupyter runs Python (and R, Julia, and other kernels) in a sandboxed interface — but the sandbox is the user's responsibility to configure, not Jupyter's default. An attacker who reaches an open notebook can: execute Python to read any file the Jupyter process has access to (including SSH keys, API credentials, .env files, AWS credentials from instance metadata); make outbound network connections (useful for lateral movement or data exfiltration); install packages at runtime; run system commands via subprocess or shell magic (!command); and persist code that runs on notebook open. In the Beijing example from this demo, the same host exposed both a Jupyter notebook and an Ollama LLM server — giving an attacker both code execution and free inference on whatever LLM model the operator was running.

How accurate is Shodan data — can I trust it for security decisions?

Shodan data is crawl-based and has two key limitations security teams need to understand. First, data freshness: Shodan re-crawls the internet continuously but not instantly. A newly exposed service may take hours or days to appear; a service patched or firewalled yesterday may still show as exposed in Shodan's cache. Always verify live status before acting on a Shodan finding in a security assessment. Second, authentication confirmation: Shodan's banner grab indicates a service is accessible, not that it lacks authentication. A Redis instance showing in Shodan results may have AUTH configured that Shodan's crawl didn't authenticate against. Treat Shodan results as qualified leads requiring live verification, not confirmed vulnerabilities. For defenders, this works in your favour: a Shodan result for your IP range is a strong signal that demands investigation, even if live verification shows the service is now protected.

484,956 Exposed Servers. SecurityClaw Found Them in Under 3 Seconds — Without Sending a Single Packet.

March 20, 2026 · SecurityClaw Demo D17 · OSINT & Recon

Before an attacker probes a single port — before they run a single exploit — they search. The most powerful search engine in their toolkit isn't Google. It's Shodan: a continuously-updated index of every internet-connected device, service, and exposed system on the planet. SecurityClaw's shodan-intel skill ran 5 passive queries in 2.95 seconds and surfaced 484,956 exposed systems worldwide. Zero packets were sent to any target. This is Demo D17 — passive OSINT at attacker speed, from a defender's perspective. Three honest misses included.

Date:March 20, 2026

Tool:shodan-intel (Shodan API)

Category:OSINT & Recon

Result:✅ Pass — 484,956 exposures found (2.95s)

Queries:5 passive Shodan queries — zero active probes

Methodology note: This demo used SecurityClaw's shodan-intel skill to query Shodan's existing database via the Shodan API. No packets were sent to any third-party server. All data shown is from Shodan's global crawl index. The demo ran 5 searches across 5 exposure types, plus one host deep-dive using the shodan host lookup. Campaign D17 — Category: OSINT & Recon. Shodan free tier was used (100 query credits/month). One honest miss is documented: the Kibana count was sourced from shodan count due to a query syntax gap in the SecurityClaw search script — explained in full below.

The Five Queries — 2.95 Seconds, 484,956 Exposed Systems

Query	Shodan Filter	Exposed Count	Risk
Redis instances	`port:6379 product:redis`	234,147	🔴 CRITICAL
MongoDB databases	`product:MongoDB port:27017`	191,598	🔴 CRITICAL
phpMyAdmin panels	`http.title:"phpMyAdmin" http.status:200`	45,524	🟠 HIGH
Kibana dashboards	`product:Kibana http.status:200`	10,496	🟠 HIGH
Jupyter Notebooks	`title:"Jupyter Notebook" http.status:200`	2,191	🔴 CRITICAL
Total		484,956	—

Every one of these counts represents a real service accessible on the public internet — indexed by Shodan's continuous global crawl, not by any probe this demo sent. From an attacker's perspective, each number is a candidate target list. 234,147 Redis instances means 234,147 potential starting points for session token theft, credential extraction, or remote code execution via Redis config abuse.

The Raw Output

Query 1: Jupyter Notebooks — 2,191 Exposed, Unauthenticated Code Execution

      SecurityClaw ▶ shodan-intel search 'title:"Jupyter Notebook" http.status:200'

      Found 2,191 exposed notebooks worldwide.

      117.50.162.9:8888 — Shanghai UCloud (Beijing)

        Product: Jupyter Notebook 6.4.10

        CVE: CVE-2022-29238

        Also exposed: Ollama LLM API :11434 (unauthenticated)

      172.236.212.211:9221 — Linode

      172.104.41.186:12370 — Linode

      8.216.65.191:2195 — Alibaba Cloud Singapore

      ...

      Time: 1.23 seconds

The Beijing host is the standout finding. A single Shodan lookup reveals a server running Jupyter Notebook 6.4.10 (unauthenticated, CVE-2022-29238 flagged) and an Ollama LLM server on port 11434 — also unauthenticated. An attacker reaching this server gets arbitrary Python execution on the host machine, plus free inference access to whatever LLM model the operator has loaded. The server owner was presumably running AI workloads and hadn't considered that both services were reachable from the public internet.

CVE-2022-29238 in Jupyter Notebook 6.4.10 is a path traversal vulnerability allowing authenticated users to read arbitrary files on the server. In a deployment with no token authentication, "authenticated users" means anyone who can reach port 8888.

Query 2: Redis — 234,147 Exposed Instances

      SecurityClaw ▶ shodan-intel search 'port:6379 product:redis'

      Found 234,147 exposed Redis instances.

      172.245.72.5:6379 — RackNerd LLC

      40.80.223.24:6379 — Microsoft Corporation

      65.20.72.184:6379 — Vultr Holdings LLC

      ...

      Time: 0.41 seconds

The Microsoft Corporation entry isn't an error. It's an Azure-hosted instance with Redis publicly bound. Cloud providers aren't immune to the same default-configuration problem as any other hosting environment. A Redis instance on Azure infrastructure is still a Redis instance if it's bound to 0.0.0.0.

What an attacker can do with an unauthenticated Redis instance:

Read: KEYS * → enumerate everything in memory. Session tokens, API keys, rate limit counters, job queues, cached user data — all readable in seconds
Write: Inject arbitrary data. Poison session caches, insert malicious jobs, manipulate rate limit counters (effectively bypassing application-level rate limiting)
Execute: CONFIG SET dir /root/.ssh + CONFIG SET dbfilename authorized_keys + SET payload "ssh-rsa ATTACKER_KEY" + BGSAVE → SSH key written to server. This technique dates to 2015 and remains effective against exposed Redis instances

For applications that use Redis to store JWT tokens or session identifiers, unauthenticated Redis access is effectively equivalent to account takeover at scale — read every active session token, use any of them. Hacking APIs by Corey Ball has a thorough chapter on token-based session attacks that puts this attack surface in full context.

The Host Deep-Dive — One Server, Complete Profile, Zero Packets

shodan-intel's host lookup command builds a complete target profile from Shodan's existing database. No connection to the target is made.

      SecurityClaw ▶ shodan-intel host 117.50.162.9

      117.50.162.9

      City: Beijing | Country: China

      Org: Shanghai UCloud Information Technology Company Limited

      Last seen: 2026-03-14T09:25:07Z

      Open ports:

        22/tcp  OpenSSH 8.9p1 Ubuntu

        8888/tcp Jupyter Notebook 6.4.10 ← unauthenticated code execution

        11434/tcp Ollama 0.15.4            ← unauthenticated LLM API

      CVEs: CVE-2022-29238

Single command. One second. Complete target profile. This is the reconnaissance picture an attacker has before they've done anything active. From this output they know:

The OS (Ubuntu, inferring from OpenSSH 8.9p1 packaging)
Two exploitable services with known vulnerabilities and no authentication
The hosting provider (UCloud — useful for understanding network geography and potential IP blocks)
When Shodan last confirmed the exposure was still live (March 14, 2026)

An attacker could walk into this server with a browser. No exploit required — open the Jupyter UI at http://117.50.162.9:8888, run code, read files, exfiltrate data, establish persistence. The Ollama endpoint at :11434 is a bonus: free inference access to whatever model is loaded, potentially revealing sensitive data the operator has fed through the LLM or enabling prompt injection attacks on downstream applications.

The Honest Misses — Three Things shodan-intel Gets Wrong

The Peng principle: document what didn't work. SecurityClaw's shodan-intel skill has three real limitations that anyone using it for security work needs to understand.

Miss 1: Data Freshness

Shodan re-crawls the internet continuously, but not in real time. The gap between a service being exposed and appearing in Shodan's results can be hours to days. Similarly, a server firewalled or patched yesterday may still appear as exposed in Shodan's index. Every Shodan result is a historical data point — some hours old, some days old, some weeks old for low-priority hosts.

What this means in practice: Shodan results are the right place to start reconnaissance, but not the right place to stop. Before acting on a finding (in an authorised assessment or against your own infrastructure), verify the service is still live and still accessible. A "clean" result from Shodan doesn't confirm you've remediated an issue — only a live probe does.

Miss 2: Authentication Confirmation

Shodan's banner grab records what a service presents on connection — not whether that service is secured behind authentication. A Redis instance showing 234,147 results includes instances where Shodan's crawler connected successfully (confirming the port is open), but where Redis may have AUTH configured at the application layer. Shodan doesn't attempt authentication; it just reports that the service responded.

What this means in practice: The 234,147 Redis count is an upper bound on exposed instances. The actual number with no authentication is lower — but without attempting a connection, you can't distinguish "accessible Redis with no auth" from "accessible Redis with auth enabled." Shodan gives you the candidate list. Verification gives you the confirmed list.

Miss 3: Kibana Query Syntax Gap in the SecurityClaw Script

This one's a process miss we're documenting openly. The Kibana query (product:Kibana http.status:200) returned 0 results via the SecurityClaw search script's internal query handler, while shodan count 'product:Kibana http.status:200' run directly confirmed 10,496 results exist. The issue: complex multi-filter Shodan queries require different quoting and encoding between the Python SDK's search() method and the CLI's count command. The SecurityClaw shodan-intel skill script needs a query normaliser for multi-filter syntax. We used the direct CLI count for the Kibana number — which is slightly outside the standard campaign pipeline.

The Kibana count is real; the script gap is real. Peng has queued a fix. This is exactly the kind of honesty that separates a useful security tool from a marketing tool — a result of 0 when 10,496 exist is the worst possible outcome, and it needs to be documented and fixed rather than buried.

The Attack Chain: Shodan Is the Start, Not the End

Shodan's power isn't the query results in isolation — it's what those results enable as Step 1 in a multi-stage attack chain. Here's the chain from D17 through D15 and D14:

      Step 1 [D17 — 2.95s]: shodan-intel finds phpMyAdmin panel at 209.127.244.98:8080

      → Public internet, no VPN, browser-accessible admin interface

      Step 2 [D15 — 4.8s]: hydra brute-forces phpMyAdmin credentials

      → admin:admin found on attempt #43 — default credentials still set

      Step 3 [minutes]: phpMyAdmin → export full database → user table with password hashes

      → 40,000 user records, MD5-hashed passwords, no salting

      Step 4 [D14 — <1s]: hashcat cracks MD5 hashes at 937,500 H/s

      → Admin password plaintext recovered, plus thousands of user passwords

      Total chain time: under 10 minutes

No zero-days. No sophisticated exploits. The entire chain runs on default configurations, weak credentials, and a service that should never have been internet-accessible. Shodan is how an attacker finds the phpMyAdmin panel they didn't know existed. Before this demo, the server owner didn't know it was listed in Shodan's index. The attacker found it in the same query that found the other 45,523 exposed phpMyAdmin panels.

For a ground-up understanding of how attackers build these chains from passive recon to active exploitation, the reconnaissance and information gathering chapters in The Hacker Playbook 3 by Peter Kim cover this methodology in detail — including OSINT sources, target profiling, and attack chain construction from public data.

What Defenders Do About This

Every item in this section is a concrete action, not a generic recommendation.

1. Claim Your Own Shodan Exposure First

Go to shodan.io and search your organisation's IP ranges and domain. org:"Your Company Name" or hostname:.yourcompany.com will show everything Shodan has indexed about your externally visible infrastructure. What Shodan sees is what attackers see. If you haven't done this recently, do it before finishing this article.

SecurityClaw's shodan-intel skill can run this scan programmatically across your entire IP range — generating a prioritised list of every exposed service that appears in Shodan's index, with CVE correlation included.

2. Fix Redis in Two Lines

In redis.conf:

      bind 127.0.0.1

      requirepass your-strong-password-here

If Redis must be accessible from other hosts, bind to the specific internal IP only. Never 0.0.0.0 for a service storing session tokens or credentials. If you use Redis on a cloud VM, add a security group rule that allows port 6379 only from your application server's IP — not from 0.0.0.0/0.

3. Jupyter: Tokens Are Not Optional

Always start Jupyter with authentication:

      jupyter notebook --NotebookApp.token='your-token-here' --ip=127.0.0.1
    

Never bind to 0.0.0.0 unless running behind an authenticated reverse proxy. If you run Jupyter on a cloud instance for remote access, use SSH tunnelling (ssh -L 8888:localhost:8888 user@server) rather than exposing the port. JupyterHub with OAuth is the right solution for multi-user environments.

4. MongoDB: Enable Authentication, Restrict Binding

In mongod.conf:

      security:

        authorization: enabled

      net:

        bindIp: 127.0.0.1

MongoDB's 2019 data breach wave (hundreds of millions of records exposed and held for ransom) was almost entirely the result of default configurations without authentication. MongoDB now ships with --auth recommended in documentation, but existing deployments and some automated build pipelines still skip it.

5. phpMyAdmin: Should Not Be Internet-Accessible

phpMyAdmin is a database administration tool. It should be accessible from your internal network or via VPN — not from the public internet on port 8080. If you need remote database administration, use an SSH tunnel to the database host, not a web-based admin panel reachable from anywhere. If phpMyAdmin must be accessible externally, put it behind HTTP basic auth in addition to its login page, restrict access by IP, and enable two-factor authentication.

For YubiKey-based 2FA for SSH access to production servers (protecting the underlying infrastructure that hosts all of these services), YubiKey 5C NFC supports FIDO2/WebAuthn and works with most Linux PAM configurations — the same hardware key protects SSH, admin web interfaces, and cloud console access.

SecurityClaw Scorecard: D17

D17 opens a new category in SecurityClaw's demo series: OSINT & Recon. It's a different kind of demo than the active scanning campaigns — no target server was probed, no payload was sent, no port was opened. The skill queries public data that already exists. That's what makes passive OSINT both legally clean and practically powerful: the intelligence is already out there.

Metric	Value
Tool	shodan-intel (Shodan API v1)
Queries run	5 passive Shodan queries + 1 host deep-dive
Total scan time	2.95 seconds
Packets sent to targets	0
Exposures found	484,956 across 5 categories
Most critical finding	2,191 unauthenticated Jupyter Notebooks (arbitrary code execution)
Highest-volume finding	234,147 exposed Redis instances
Host deep-dive	117.50.162.9 — Jupyter + Ollama, unauthenticated, CVE-2022-29238
Honest misses	3 (data freshness, auth confirmation, Kibana query syntax gap)
Campaign result	PASS
Overall scorecard after D17	26/28 campaigns = 92.86%

2.95 seconds. 484,956 results. Zero packets sent. This is the reconnaissance picture an attacker builds before they've done anything active. Every one of those 234,147 Redis instances is a server where the owner has no idea it's in Shodan's index — or had no idea until they ran this query against their own IP range.

The goal of running SecurityClaw's shodan-intel skill against your own infrastructure isn't to find things to exploit. It's to see your attack surface the same way an attacker would — before they do. What Shodan knows about you is your externally visible exposure. You should know it better than your adversaries.