
Comparative review: Shodan, ZoomEye, Netlas, Censys, FOFA and Criminal IP. Part 1

15.05.2025

Ekaterina Gainullina, Security Vision

 

Introduction


On today's internet, anything connected to the web can be found - if you have the desire and the right tool. Scanners like Shodan, ZoomEye, Netlas, Censys, FOFA and Criminal IP have long gone beyond ‘hacker scanners’ and have become workhorses for cybersecurity specialists, Red Team, SOC analysts and OSINT-enthusiasts. They allow you to literally look into the ‘technical underbelly’ of the internet: finding vulnerable cameras, forgotten databases, unauthorised test servers and industrial equipment accidentally exposed.


In my work at Security Vision, I regularly use these tools to analyse the outer surface of the infrastructure, check configurations, scout for potential vulnerabilities, and just to keep my finger on the pulse of what technologies and services are most actively exposed on the Internet right now. Such services often help to quickly get the right context and complete the picture in incident intelligence or technical forensics.


This article provides a comparison of six of the most popular and useful open host search engines. The features of architecture, query syntax, availability of functions, as well as capabilities of each platform - including API, integrations with other solutions, alerting system, search by certificates, images, etc. - are considered. Special attention is given to practical application examples and data relevance assessment. This is the first part of a series devoted to a comparative review. It examines in detail the capabilities of Shodan and ZoomEye. The next parts will analyse Censys, FOFA, Netlas and Criminal IP.


To give you a general idea right away, below is a summary table with the key features of each platform:


[Summary table: key features of each platform]

  

As you can see, each platform has its own specifics. Let's proceed to a detailed review of each, including examples of use. 


Shodan


General characteristics


Shodan is the most famous Internet device search engine, launched around 2009. Its scanners continuously traverse the entire IPv4 (and partially IPv6) address space and collect data about open ports and services. Over more than a decade, Shodan has amassed a huge database: by some estimates, it processes information on ~500 million devices and services every month. The geography of coverage is global; on the Shodan device map, the US and Europe traditionally lead, as well as major Asian countries (China, Republic of Korea, India, etc.), i.e. regions with the largest number of nodes connected to the Internet. 

 

Indexing depth


Initially, Shodan only scanned popular ports (80, 443, 21, 22, 23, 25, 3389, etc.), but in recent years the list has expanded considerably - as of 2024, Shodan regularly scans about 1237 ports. The main focus is on the most common ones: web (HTTP/HTTPS on 80, 443, as well as 8080, 8443), FTP (21), SSH (22), Telnet (23), SNMP (161), SMTP (25), RDP (3389), SIP (5060), etc. Less popular ports are also present in the scan, though at a lower frequency. The frequency of Shodan updates depends on the demand for the port: for example, port 80 is scanned daily, while rare ports may be scanned once every few weeks. Below is the distribution of the five most common open ports by the number of devices in the Shodan database (estimated based on Shodan and independent research):




Figure 1: Most common open ports (Shodan, number of devices in millions) as of 2024. The dominance of web ports 80 and 443 is notable.


Shodan stores for each found service a so-called banner - service or protocol identifier and related information. All detected open ports and received responses are recorded in the host record. For example, for a web server Shodan saves HTTP headers (Server, Date, Content-Type, etc.) and part of the HTML code of the page; for a TLS service - the certificate; for SSH - protocol parameters (algorithms, keys). Metadata are also automatically assigned: geolocation (country, city) and organisation are determined by IP (GeoIP and WHOIS ASN). Some devices are categorised (tags) by Shodan - e.g. industrial control system, webcam, router, database, etc. - but only corporate subscribers can use the tag: filter. An important feature of Shodan is that it automatically tries to match received banners with known vulnerabilities: the vuln: filter by CVE is available for subscribers. For example, the query vuln:CVE-2019-19781 country:DE will find in Shodan all vulnerable Citrix gateways in Germany, and the list of results next to the banner will contain the corresponding CVEs. In this way, Shodan not only shows which service is responding on a port, but also immediately alerts you to known vulnerable versions.


Interface and search


The Shodan web interface is intuitive. The search bar supports both simple keywords and special filters. By default, a query without filters tries to find a word in the content of any banners. Popular filters are country (country:), city (city:), autonomous system (asn:), organisation (org:), domain name (hostname:), IP or network (net:), port (port:), product name (product:), etc.




The screenshot shows the list of supported Shodan filters grouped by categories (SSL, HTTP, Restricted, etc.). These filters help to refine queries when searching for banners.


For example, the query country:RU port:22 will bring up SSH servers in Russia, and org:"Energy" will bring up devices belonging to organisations with "Energy" in their name. Shodan also recognises individual protocol fields: you can search by HTTP header content (http.title, http.html), SSL certificate fields (ssl.cert.subject), device type (device:), and so on, right up to the presence of a captured screenshot of the remote screen (has_screenshot:true). For example, has_screenshot:true city:London will show the systems (usually VNC/RDP) in London for which Shodan took screenshots of the screen.




A remote desktop screenshot (RDP) automatically captured by Shodan. Such images allow you to instantly evaluate exposed interfaces - from server panels to Windows login screens.


Shodan Images is a kind of gallery of screenshots of device interfaces (cameras, remote desktops, etc.) taken by Shodan; access to it is also limited to paid accounts.


Search results are displayed as a list of IP addresses with a brief summary: country, organisation, open ports and a piece of banner. By clicking on the result, you can see full information about the host: all collected banners, metadata, possible domain names, known vulnerabilities (CVEs) and geolocation on a map. For large customers, Shodan provides additional interfaces, such as Shodan Maps (map view of devices on a world map) and Shodan Trends (statistics on the occurrence of certain technologies over time), which are available on corporate tariffs.


Availability and prices


Without registration, Shodan allows you to perform only a few trial searches. A free account provides basic access: web search with the first 2-3 pages of results and a limited API. For advanced use, a one-time $49 Shodan Membership subscription is available, which permanently (‘lifetime’) increases the limits - up to 1 million search results and a significantly higher daily limit of API requests. It's a one-time payment with no subscription fee - many enthusiasts limit themselves to it, getting enough features. For professional use, there are monthly plans: Freelancer ($69/month), Small Business ($359/month), etc., all the way up to corporate. They give credits for even more requests (from 10 thousand to unlimited), include the possibility of on-demand scanning of your IP (Shodan Scanner), as well as access to such functions as Shodan Monitor (continuous monitoring of your networks) - for example, on the business plan you can monitor in real time up to 16 IP addresses, and on the corporate plan up to /16 networks. In general, Shodan's pricing policy is aimed at different categories: from students and researchers (one-time $49) to large companies (tens of thousands of dollars for full access to data via API).



 

Examples of use


Shodan is widely used to find vulnerable or misconfigured services. A classic case is the detection of open databases or storages. For example, the query ‘MongoDB Server Information’ port:27017 -authentication instantly finds hundreds of unprotected MongoDB instances all over the world (without password) - a similar data leak was once detected by journalists using Shodan.




A search in Shodan using the filter ‘MongoDB Server Information’ port:27017 -authentication reveals thousands of MongoDB instances with open access without authorisation. Such instances often lead to data leaks or ransomware encrypting storage.

 

Another example is searching for industrial SCADA/ICS controllers or city systems: filter product: ‘Niagara AX’ gives Tridium Niagara building system control panels (some may be unprotected).


Shodan is also indispensable for bug bounty and red teaming: you can find video surveillance cameras with a default password (by the header fragment WWW-Authenticate: Basic realm="), printers with an open control panel ("Server: HP HTTP/1.1") or vulnerable VMware vCenter instances (by a unique header and CVE). The flexibility of the Shodan query language allows conditions to be combined to obtain very precise samples. For example, a specialist can create a query that retrieves all Windows servers in a certain country with open RDP and a specific vulnerability, and Shodan will find such hosts in seconds, whereas a manual scan would take days.


Shodan is actively integrated with external tools. There are Shodan plugins for Nmap, Metasploit and Maltego, as well as browser extensions (the Shodan plugin for Firefox highlights information about the current site). The official CLI utility (shodan, written in Python) allows you to search and retrieve data from the terminal. Shodan also maintains the open source InternetDB project, a free API with IP address summaries (e.g. which ports are open) for cases where only a quick answer is needed and a full-fledged search is redundant. All these integrations make Shodan a kind of "platform" for Internet scanning. It is no accident that Shodan is cited in most OSINT and pentesting methodologies as the first tool for quickly assessing an organisation's attack surface.
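One defensive use of the InternetDB summaries mentioned above is to compare what Shodan sees on your own addresses with what you intend to expose. The script below is an added example for this review, not Shodan's or Security Vision's code; only the endpoint URL and the JSON field names (ip, ports, cpes, hostnames, tags, vulns) are taken from the public InternetDB API, while the baseline format, the sample record and the CVE placeholder are constructed.

```python
"""Diff a Shodan InternetDB host summary against an expected-exposure baseline.

Added example for the article; not code from Shodan or Security Vision.
Endpoint and field names follow the public InternetDB API; everything else
(baseline format, sample data) is constructed for illustration.
"""
import json
import urllib.request

INTERNETDB_URL = "https://internetdb.shodan.io/{ip}"


def fetch_internetdb(ip: str, timeout: float = 10.0) -> dict:
    """Live lookup of one IP in InternetDB (network call; not used by the
    offline sample below)."""
    with urllib.request.urlopen(INTERNETDB_URL.format(ip=ip), timeout=timeout) as resp:
        return json.load(resp)


def diff_exposure(record: dict, baseline: dict) -> dict:
    """Compare an InternetDB record with the owner's baseline.

    unexpected_ports: open on the Internet but not in the allow-list
    missing_ports:    allowed (intended to be published) but not observed
    new_cves:         CVEs Shodan associates with the banners that are not
                      already accepted (e.g. mitigated or false positive)
    """
    observed_ports = set(record.get("ports", []))
    allowed_ports = set(baseline.get("allowed_ports", []))
    observed_cves = set(record.get("vulns", []))
    accepted_cves = set(baseline.get("accepted_cves", []))
    return {
        "ip": record.get("ip"),
        "unexpected_ports": sorted(observed_ports - allowed_ports),
        "missing_ports": sorted(allowed_ports - observed_ports),
        "new_cves": sorted(observed_cves - accepted_cves),
        "hostnames": sorted(record.get("hostnames", [])),
        "tags": sorted(record.get("tags", [])),
    }


def severity(diff: dict) -> str:
    """Triage label: unaccepted CVEs outrank unexpected ports, which outrank
    services that have silently disappeared."""
    if diff["new_cves"]:
        return "high"
    if diff["unexpected_ports"]:
        return "medium"
    if diff["missing_ports"]:
        return "low"
    return "ok"


# Constructed sample in the InternetDB response shape (documentation range IP,
# placeholder CVE id); it is not a real observation.
SAMPLE_RECORD = {
    "ip": "203.0.113.10",
    "ports": [22, 80, 443, 3389],
    "cpes": ["cpe:/a:openbsd:openssh"],
    "hostnames": ["www.example.test"],
    "tags": ["cloud"],
    "vulns": ["CVE-PLACEHOLDER-0001"],
}

# Constructed baseline: only the web ports are meant to be reachable.
SAMPLE_BASELINE = {"allowed_ports": [80, 443, 8443], "accepted_cves": []}

if __name__ == "__main__":
    result = diff_exposure(SAMPLE_RECORD, SAMPLE_BASELINE)
    print(json.dumps(result, indent=2))
    print("severity:", severity(result))
```

Run periodically over your public ranges and the same diff doubles as a check that a remediation actually took effect once Shodan re-scans the host.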


ZoomEye: Shodan's Chinese twin brother




ZoomEye Interface. The bottom part displays the most popular queries, including AI applications, dashboards, and open web interfaces. The service allows you to search by hosts and web content.


General characteristics


ZoomEye is the Chinese analogue of Shodan, launched by Knownsec around 2013. The service is positioned as a ‘global cyber-scanning system’ and was initially oriented towards the local community (the interface was in Chinese), but is now also available in English. ZoomEye's approach is slightly different: it divides searches into two types - Host Search and Web Search. Host Search is similar to Shodan (searching devices by IP and their ports), while Web Search allows you to search websites by page content. That is, ZoomEye indexes not only the hosts themselves, but also the web content (HTML) of sites, which brings it closer to traditional web search engines, albeit for a limited set of detected sites.

 

Indexing depth


ZoomEye claims to cover all IPv4 and a significant portion of active IPv6 addresses, as well as domain names. The total number of indexed devices is comparable to Shodan (on the order of hundreds of millions), but there is a nuance: ZoomEye stores historical data on all detected hosts. The default interface shows the total number of results for the entire observation period, so at first glance ZoomEye can produce an order of magnitude more than Shodan. For a fairer comparison of currently active devices, it is recommended to use a time filter (e.g. Past Year).

 

ZoomEye's port scanning is very broad: according to experimental estimates, the service checks about 3828 ports, almost all significant ports up to 65535. This is significantly more than Shodan (1237 ports). However, just like Shodan, ZoomEye updates popular ports (80, 443, etc.) more often, while exotic ports may be scanned less frequently (once every few weeks or months). Nevertheless, this breadth of coverage means that ZoomEye sometimes finds services on rare ports that other scanners have missed. An interesting feature is on-demand scanning: an authorised ZoomEye user can manually request an immediate scan of a specific IP or domain to refresh the data. This is handy if you need to check whether a vulnerability has been closed on a known host: there is no need to wait for a scheduled round, the system will scan the target immediately.


Search language and interface


ZoomEye's query syntax is much like Shodan's, but has its own keywords. For example, app="Apache httpd" && ver="2.4.33" && country="US" in Host Search mode will find all Apache 2.4.33 servers in the US.




A ZoomEye search using the query app="Apache httpd" && ver="2.4.33" && country="US" reveals hosts with an outdated version of the Apache web server exposed in the United States. The results display HTTP headers, IP address, organisation, geography and a map.

 

AND/OR/NOT operators are supported (indicated as + and - before conditions). Popular ZoomEye filters: app (application or server name), ver (software version), port (port number), service (protocol/service - the list corresponds to names from nmap), os (operating system), hostname (domain name found in the banner), site (domain in Web Search mode, for searching the content of sites), headers (search for a fragment in HTTP headers), and others. In Web Search mode, filters title (page title), keywords (keywords in the text), desc (site description) are available.


The ZoomEye interface is available in English and Chinese. In Host Search mode, the results are a list of IPs with brief data: open ports, services, organisation, country. Web Search mode shows a list of URLs with a fragment of the page text. An interesting detail is that each ZoomEye search result has a ‘Vulnerability’ tab, which is unique for such services. This tab lists popular vulnerabilities relevant to the current query or device category.


In fact, ZoomEye is integrated with Seebug's large Chinese exploit database. A user can click on a specific vulnerability from the list and ZoomEye will automatically generate a query showing all hosts potentially vulnerable to it. This is a fast transition from vulnerability information to specific targets, which speeds up threat analysis. This feature is especially useful for reactive searches - for example, when a new vulnerability is released, you can find all vulnerable systems at once.




The screenshot shows the homepage of Seebug, a Chinese platform closely integrated with ZoomEye. New vulnerabilities are published here, including RCE, authentication bypass and other critical issues. The risk level, publication date, description and popularity of the vulnerability are indicated.


Availability and pricing


ZoomEye provides free access with some restrictions. Once registered, a free user can view up to 10,000 results per month and monitor up to 50 IP addresses. This is enough for familiarisation, but a subscription will be required for serious work. ZoomEye's paid plans start at around $70 per month, which gives a quota of ~30,000 results/month and monitoring of 256 IPs. More expensive plans extend these limits.


However, there is an important limitation: even with paid accounts, ZoomEye does not allow exporting more than a certain limit of results (e.g., you can't upload a million records in bulk, there is a threshold in the interface). FOFA compares favourably in this respect (more about it below). In general, ZoomEye's pricing policy is aimed at professionals inside China, many of whom use it in conjunction with Knownsec services (e.g. Seebug vulnerability discussion platform and Pocsuite exploit kit). For external professionals, ZoomEye is valuable as an additional source, especially if data from the Asian region needs to be considered.


Examples of use


ZoomEye, in addition to its general function of finding vulnerable services, is popular for tasks related to finding devices in China and Asia. For example, if Shodan might miss some specific Chinese IoT device or web application, ZoomEye/FOFA is likely to spot it. ZoomEye is also widely used to search for ICS/SCADA systems: it has a filter by device type (for example, you can select SCADA and get a list of known vulnerable control systems).


ZoomEye sometimes finds more open RDP or SMBs on some networks than Shodan, due to its sparser but still extensive scanning of ports 3389, 445, etc. Another case is bug bounty in Asia: when testing security of Asian companies, ZoomEye helps detect their external hosts because it indexes local resources (e.g. .cn domains, Chinese cloud providers) better. In general, ZoomEye should be used in conjunction with Shodan: first search in Shodan (as it is more relevant) and then go through the same queries in ZoomEye - there is a chance to identify historical or rare targets.

 

Conclusion


Today, Shodan and ZoomEye represent some of the major platforms used by cyber intelligence and infrastructure defence practitioners. Each offers a unique approach to indexing open hosts: Shodan relies on relevance and a rich ecosystem of integrations, while ZoomEye stands out for its broad port sampling, historical coverage and built-in linkage to the Seebug vulnerability database.


Practice shows that these tools are most effective when used together. Shodan provides quick access to fresh data, while ZoomEye allows you to identify rare or long-exposed targets, including in the Asian segment of the Internet.


In subsequent parts of the comparative review, the capabilities of other platforms - Censys, FOFA, Netlas and Criminal IP - will be discussed in detail.

 
