June 11, 2026
Shodan: The Search Engine Hackers Don’t Want You to Know About
How I discovered 14,704 exposed SSH servers in Pakistan — in under 5 minutes
Haseeb Bilal
2 min read
Imagine a search engine that doesn't show you websites.
Instead, it shows you cameras, routers, hospital machines, industrial systems, and servers — all directly connected to the internet. Some with no passwords. Some running outdated software with known vulnerabilities. Some belonging to banks, hospitals, and government offices.
That search engine exists. It's called Shodan.
And it's completely legal to use.
What Exactly is Shodan?
Google crawls the web and indexes websites.
Shodan crawls the internet and indexes devices.
Every few minutes, Shodan scans billions of IP addresses across the internet and asks a simple question:
"Is anyone home?"
If a device responds — a server, a camera, a router, a smart TV — Shodan records everything:
- The IP address
- Open ports
- Software version
- Operating system
- Location
- Organization
No hacking involved. It's all publicly available information that your device is already broadcasting to the world.
The scary part? Most people have no idea their devices are doing this.
My First 5 Minutes on Shodan
I recently started learning ethical hacking, and my mentor told me to open Shodan and just look around.
I typed one word:
apache
Millions of results. Web servers running Apache — spread across every country in the world, broadcasting their exact software version to anyone who cares to look.
Then I narrowed it down:
apache country:"PK"
Thousands of Apache servers in Pakistan alone. Each one showing its version number. Each version number potentially matching a known CVE (Common Vulnerabilities and Exposures).
I was sitting at my laptop doing nothing special — and I could see the digital skeleton of an entire country's internet infrastructure.
The 14,704 Number That Shocked Me
Out of curiosity, I searched:
port:22 country:"PK"
Port 22 is SSH — the port that allows remote login to a server.
Results: 14,704 servers in Pakistan with SSH directly exposed to the internet.
Here's the breakdown:
- Karachi: 4,559 exposed SSH servers
- Lahore: 4,284
- Rawalpindi: 1,517
- Islamabad: 996
- Faisalabad: 601
PTCL alone had 1,644 servers exposed.
These aren't necessarily hacked. But every single one of them is a door — and if that door has a weak password, anyone can walk in.
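The fix for the "door with a weak password" problem lives on the server, in sshd_config. The following is an added example (not code from the post): it parses OpenSSH's sshd_config syntax (one directive per line, keyword then value separated by whitespace or "=", "#" comments, first occurrence of a directive wins, directives after a Match line are conditional) and reports the settings that make password guessing against an exposed port 22 worthwhile. SAMPLE_CONFIG and HARDENED_CONFIG are constructed; the defaults used for absent directives are OpenSSH's documented ones.

```python
"""Server-side check for an exposed sshd: is the open door also a weak one?

Added example, not from the post. Defaults below are OpenSSH's documented
defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes,
MaxAuthTries 6). Both config texts are constructed samples.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """
# constructed sshd_config with the usual weak spots
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 10
PasswordAuthentication no   # ignored: sshd keeps the first value it sees
"""

HARDENED_CONFIG = """
# constructed hardened counterpart: keys only, no root, no empty passwords
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
"""

# OpenSSH defaults applied when a directive is absent from the file
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map lowercase directive -> value; first occurrence wins; stop at Match."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break    # everything after Match applies only to matching users/hosts
        settings.setdefault(key, value)          # OpenSSH keeps the first value
    return settings


def audit_sshd_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (directive, effective value, why it matters) for each weak setting."""
    cfg = parse_sshd_config(text)

    def effective(key: str) -> str:
        return cfg.get(key, DEFAULTS[key]).lower()

    findings: List[Tuple[str, str, str]] = []
    if effective("passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication", "yes",
                         "password guessing against port 22 works; use keys"))
    if effective("permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", "yes",
                         "root is directly brute-forceable; set no or prohibit-password"))
    if effective("permitemptypasswords") == "yes":
        findings.append(("PermitEmptyPasswords", "yes",
                         "accounts with empty passwords can log in"))
    if effective("pubkeyauthentication") == "no":
        findings.append(("PubkeyAuthentication", "no",
                         "keys disabled, so passwords are the only option"))
    tries_text = effective("maxauthtries")
    tries = int(tries_text) if tries_text.isdigit() else 6
    if tries > 6:
        findings.append(("MaxAuthTries", str(tries),
                         "more guesses per connection than the default 6"))
    return findings


if __name__ == "__main__":
    # Point this at /etc/ssh/sshd_config on a host you administer.
    for directive, value, why in audit_sshd_config(SAMPLE_CONFIG):
        print(f"{directive} {value}: {why}")
    print("hardened sample:", audit_sshd_config(HARDENED_CONFIG) or "no findings")
```

The parser deliberately stops at the first Match block, because anything below it applies only to the users, groups or source addresses the block names; a fuller check would evaluate those conditions per client.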
I Analyzed a Real Server (Ethically)
I clicked on one result. A Pakistani ISP's server. Within seconds, Shodan gave me:
- IP: 103.147.86.103
- Domain: multicitypk.com
- Open Ports: 22, 53, 80, 3000, 5353
- Apache Version: 2.4.58
- Organization: MultiCity Broad Band Pvt Ltd
This is what a penetration tester does in the Recon Phase — before touching a single thing, they build a complete picture of their target using only public information.
No scanning. No hacking. Just looking.
The Windows Machines That Kept Me Up at Night
The search that disturbed me most:
has_screenshot:true country:"PK"
Shodan automatically takes screenshots of devices that have visual interfaces. I started seeing Windows login screens — Remote Desktop Protocol (RDP) pages — sitting completely open on the internet.
No firewall. No VPN. Just a login screen, exposed to the entire world.
Some of them had known vulnerabilities listed right there on the Shodan page.
These are real machines. Real data. Real people who have no idea.
"Isn't This Illegal?"
This is the first question everyone asks. And the answer is important.
Looking at Shodan results is 100% legal.
Your device is already broadcasting this information publicly. Shodan just organizes it. It's like walking down a street and noticing which shops have their doors open — you're not breaking in, you're just observing.
What IS illegal — and what ethical hackers never do — is actually accessing, scanning, or exploiting a system without written permission from the owner.
This is the line between:
- ✅ Ethical Hacker / Penetration Tester — hired to find vulnerabilities and report them
- ❌ Criminal — exploiting those vulnerabilities without permission
Real pentesters use Shodan to help companies find and fix their exposed systems. Bug bounty programs literally pay you to do exactly this.
The Takeaway
Shodan isn't just a hacker tool. It's a mirror.
It shows organizations what they look like from the outside — what any attacker sees before they even think about launching an attack.
If you're in cybersecurity, learning Shodan is non-negotiable. If you're a developer or sysadmin, running your company's IP through Shodan should be something you do regularly.
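What "running your company's IP through Shodan" looks like in practice, and what Shodan actually records per device (the IP, open ports, software version, organization and location listed earlier), as an added example that is not code from the post: the Shodan host API returns one JSON record per IP, and audit_host() compares that record with the ports you intended to expose, so anything else shows up as a finding. SAMPLE_HOST is a constructed record on a TEST-NET address with a placeholder CVE id, so the script runs offline; fetch_host() is the live path for an address you are responsible for and needs your own API key. Field names follow the Shodan host schema (ip_str, ports, data, org, vulns).

```python
"""Audit what Shodan shows for an address you are responsible for.

Added example, not from the post. GET https://api.shodan.io/shodan/host/{ip}?key=KEY
returns the record; SAMPLE_HOST below is a constructed stand-in in that shape.
"""
import json
import urllib.request
from typing import Any, Dict, List, Set

SAMPLE_HOST: Dict[str, Any] = {
    "ip_str": "203.0.113.10",                 # constructed (TEST-NET-3 address)
    "org": "Example Broadband (constructed)",
    "os": None,
    "country_code": "PK",
    "city": "Karachi",
    "ports": [22, 53, 80, 3000, 3389],
    "data": [   # one banner per service; product/version only when Shodan fingerprinted it
        {"port": 22, "transport": "tcp", "product": "OpenSSH", "version": "8.2p1"},
        {"port": 53, "transport": "udp", "product": "dnsmasq", "version": "2.80"},
        {"port": 80, "transport": "tcp", "product": "Apache httpd", "version": "2.4.58"},
        {"port": 3000, "transport": "tcp"},
        {"port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol"},
    ],
    "vulns": ["CVE-0000-00000"],              # placeholder id, not a real CVE
}


def fetch_host(ip: str, api_key: str) -> Dict[str, Any]:
    """Fetch the live Shodan record for an IP you are authorized to audit."""
    url = f"https://api.shodan.io/shodan/host/{ip}?key={api_key}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def audit_host(host: Dict[str, Any], expected_ports: Set[int]) -> Dict[str, Any]:
    """Compare a host record with the ports you meant to expose."""
    seen: Set[int] = set(host.get("ports", []))
    banners: Dict[int, str] = {}
    for svc in host.get("data", []):
        label = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
        banners[svc["port"]] = f"{svc.get('transport', 'tcp')}/{label or 'unknown service'}"
    # host-level "vulns" is a list of CVE ids (sorted() also works if it is a dict keyed by id)
    vulns = host.get("vulns") or []
    return {
        "ip": host.get("ip_str"),
        "org": host.get("org"),
        "unexpected_ports": sorted(seen - expected_ports),
        "missing_ports": sorted(expected_ports - seen),
        "banners": banners,
        "vulns": sorted(vulns),
    }


def format_report(result: Dict[str, Any]) -> List[str]:
    """Render the audit as lines for a ticket or a scheduled mail."""
    lines = [f"{result['ip']} ({result['org']})"]
    for port in result["unexpected_ports"]:
        lines.append(f"  UNEXPECTED port {port}: {result['banners'].get(port, 'no banner')}")
    for port in result["missing_ports"]:
        lines.append(f"  expected port {port} not seen (firewalled, or not yet rescanned)")
    for cve in result["vulns"]:
        lines.append(f"  Shodan lists {cve}; verify the version and patch")
    if len(lines) == 1:
        lines.append("  nothing outside the allowlist")
    return lines


if __name__ == "__main__":
    # For a live check of your own address: audit_host(fetch_host("203.0.113.10", "YOUR_API_KEY"), {80, 443})
    print("\n".join(format_report(audit_host(SAMPLE_HOST, {80, 443}))))
```

Run on the constructed record with an allowlist of 80 and 443, the report flags 22, 53, 3000 and 3389 as unexpected and notes that 443 was not seen; on a real record, the "missing" line is just as useful, since a port you expect to be open but Shodan cannot see usually means a firewall is doing its job.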
The internet is not as private as we think.
The question isn't whether your systems are visible.
The question is: do you know what's visible?
I'm currently learning ethical hacking and penetration testing. Follow along as I document my journey from beginner to certified pentester.
Next up: Nmap — the tool that goes deeper than Shodan.