May 1, 2026
Shodan Facet Searches That Read Like Threat Intel Poetry
I don’t open Shodan to find answers. I open it to confirm suspicions.
By Aeon Flex, Elriel Assoc. 2133 [NEON MAXIMA]
6 min read
Google is for recipes and stock tickers. Shodan is for autopsies. You don't ask it questions. You biopsy the internet with it and read the tissue samples. The raw search bar is a scalpel — apache will hand you 14 million hosts and tell you to figure it out yourself. Facets are the MRI. They don't just show you what exists. They show you the patterns, the clusters, the systemic failures hiding in plain sight.
If you're still running searches without facet:, you're looking at pixels and calling it a picture.
Why Facets Are the Only Way to Use Shodan Seriously
A search without facets is a body count. A search with facets is a cause of death.
Run port:502, and you'll get a wall of Modbus devices. That's trivia. Run port:502 facet: org, and you get a ranked list of the companies running industrial control systems exposed to the raw internet. Run port:502 facet: org facet: city facet:ssl.version, and you're suddenly holding a map of critical infrastructure, its owners, its locations, and whether it's encrypted with ciphers that were broken before the last election.
Facets don't just filter. They interrogate. They take the internet's monotone confession and force it into verse. The output isn't data. It's a diagnostic report, and the patient is always the entire IPv4 space.
I Thought I Was in Control Until the Logs Said Otherwise *Drift is a real and rather stealthy problem, always lurking in your own data. *
The Grammar You Need Before You Start
Shodan's query syntax is blunt. It has no patience for natural language. Learn the nouns and the filters, or you'll spend your credits on noise.
port: is obvious. port:23 is telnet. port:47808 is BACnet. port:20000 is DNP3. If you know the ports, you know the industry. If you don't, you will after the first hundred results.
product: is fingerprinting. product:"nginx" is a baseline. product:"nginx" facet:http.favicon.hash is profiling. Most nginx servers use the default favicon. The hash for it is -335242539. Fortinet is -1272064736. If you memorize a dozen hashes, you can identify the vendor before the banner even loads. That's not a search. That's digital phrenology.
vuln: is the loaded query. vuln: CVE-2021–44228 facet: org means "show me every organization that hasn't patched Log4Shell, then sort them by who should be most embarrassed." The result isn't a list. It's a subpoena.
ssl.cert.expired: true is for finding the companies driving with expired tags. Add facet: org, and you get a ranked list of operational negligence. Add facet:ssl.version, and you'll see how many are still negotiating TLS 1.0, which is a cryptographic way of saying "we have given up."
has_screenshot: true combined with port:554 or port:37777 is the fastest way to end up staring into a warehouse in Jakarta or a gas station in Ohio. It's not illegal. It's just impolite. And it's indexed.
os:, hostname:, city:, org: — these are the metadata that turn a flat search into a 3D model. A facet on any of them is a cross-section. Stack three, and you have a CAT scan.
Reading the Facet Output Like It Owes You Money
Run this: apache facet: org facet: city facet: os
You get back three tables.
Top Organizations
Amazon.com, Inc. 1,203,112
DigitalOcean, LLC 890,441
Chinanet 774,002
Top Cities
Ashburn 442,091
Singapore 301,884
Beijing 299,002
Top Operating Systems
Unix 2,101,443
Windows 3,112Top Organizations
Amazon.com, Inc. 1,203,112
DigitalOcean, LLC 890,441
Chinanet 774,002
Top Cities
Ashburn 442,091
Singapore 301,884
Beijing 299,002
Top Operating Systems
Unix 2,101,443
Windows 3,112Translation: The modern web is outsourced, centralized in Northern Virginia, and running on Unix systems that predate half the engineers maintaining them. Windows is a rounding error. Ashburn is where the cloud lives, and the cloud is where the misconfigurations breed.
That's one query. Three facets. A complete thesis on infrastructure monoculture.
Now make it mean something. port:445 facet:smb.version.
SMBv1 is the protocol equivalent of taping your house key to the front door. The facet result:
1 98,441
2 412,003
3 1,204,112
1 98,441
2 412,003
3 1,204,112Ninety-eight thousand devices are still advertising SMBv1 in 2026. The EternalBlue patch shipped in 2017. These boxes have survived three administrations, two hardware refresh cycles, and every "zero trust" initiative their companies announced on LinkedIn. They are still online. Still vulnerable. Still indexed.
That's the poetry. Not the number. The fact that the number exists.
Queries That Hit Like Case Files
You don't need a huge list. You need five queries that each tell a story. Here's the starter pack:
1. The Unpatched Hall of Shame
vuln:CVE-2021–44228 facet:org facet:product facet:country
vuln:CVE-2021–44228 facet:org facet:product facet:countryLog4Shell never died. It just got jobs in middle management. This query shows you who is running what, where. The product facet is key — it separates the VMware Horizon installs from the Minecraft servers. Both are bad. One is worse.
2. The Expired Certificate Census
ssl.cert.expired:true port:443 facet:org facet:ssl.issuer
ssl.cert.expired:true port:443 facet:org facet:ssl.issuer
Expired certs are a canary for operational health. If they can't automate cert renewal, what else are they not doing? The ssl.issuer facet tells you if it's Let's Encrypt laziness or enterprise PKI rot.
3. The Industrial Exposure Map
port:102,502,47808 facet:city facet:org
port:102,502,47808 facet:city facet:org
102 is Siemens S7. 502 is Modbus. 47808 is BACnet. This is factories, power, and building automation. The city facet turns it into a map of physical risk. The org facet tells you if it's residential ISPs — and it usually is. The line between "critical infrastructure" and "Comcast DHCP" is thinner than anyone wants to admit.
4. The Favicon Fingerprint Audit
product:”nginx” facet:http.favicon.hash facet:org
product:”nginx” facet:http.favicon.hash facet:org
Default favicons are a signal. Not of vulnerability, but of care. A custom favicon means someone touched the config. A default means it was installed and forgotten. Sort by org and you see which companies have fleets of forgotten nginx proxies. That's your attack surface.
5. The Telnet Graveyard
port:23 facet:ssh.version facet:org
port:23 facet:ssh.version facet:org
If ssh.version even shows up in a port 23 search, something is deeply wrong. But the real value is in the org facet. It's always ISPs, always hotels, always the same three vendors who haven't shipped a firmware update since 2014. This query is how you find the devices that still think the internet is a friendly place.
How to Actually Use This Without Becoming an Incident Report
Step 1: Start with a behavior, not a keyword. Don't search webcam. Search has_screenshot:true port:554. One is a noun. The other is an artifact. Behaviors are harder to fake.
Step 2: Facet until the story appears. One facet is a clue. Two facets are in correlation. Three facets are a case file. product:" MongoDB" Authentication: false facet: org facet: country is not a search. It's a breach report waiting for a timestamp.
Step 3: Read the zeros. The most important facet result is the one that doesn't show up. Run port:22 facet: ssh.version, and if you don't see SSH-1.99 in the list, that's good news. It means someone, somewhere, did their job. Document the absence. Absence is data.
Step 4: Export and pivot. The web UI is for reconnaissance. The CLI is for analysis.
shodan download — limit 20000 exposed_rdp port:3389 has_screenshot:true
shodan parse — fields ip_str,port,org,city — facets org,city exposed_rdp.json.gz
shodan download — limit 20000 exposed_rdp port:3389 has_screenshot:true
shodan parse — fields ip_str,port,org,city — facets org,city exposed_rdp.json.gzNow you have a dataset. Open it in whatever tool you trust. Cross-reference with Censys. Feed it to your own scripts. This is how you build a picture of the internet that your employer would call "unauthorized monitoring," and you call "situational awareness."
Step 5: Don't touch. Scanning is research. Interacting is a crime. If your query returns a login page, you close the tab. You're mapping the terrain, not invading it. The moment you send a packet beyond the banner grab, you're not a researcher. You're evidence.
The Daily Query I Actually Run
I have a cron job. It's not complicated. It's not a secret. It's just a sanity check.
shodan search — fields ip_str,port,org,hostnames \
— facets org:10,city:10,ssl.version:10 \
“ssl.cert.expired:true port:443 -org:\”Shodan\” -org:\”Censys\””
shodan search — fields ip_str,port,org,hostnames \
— facets org:10,city:10,ssl.version:10 \
“ssl.cert.expired:true port:443 -org:\”Shodan\” -org:\”Censys\””
Exclude the scanners so you don't just watch scanners scanning scanners. The output is my morning paper.
Today's top lines:
Top Organizations
Charter Communications 8,112
Comcast Cable 7,901
AT&T Services 6,443
Top SSL Versions
TLSv1.2 19,441
TLSv1.0 2,112
SSLv3 44Top Organizations
Charter Communications 8,112
Comcast Cable 7,901
AT&T Services 6,443
Top SSL Versions
TLSv1.2 19,441
TLSv1.0 2,112
SSLv3 44Forty-four devices are still negotiating SSLv3. That protocol was deprecated in 2015. It's not encryption. It's archaeology. And it's still answering on port 443, attached to real organizations, with real customer data behind it.
That's the point of all this. Not to scare you. Not to flex. To point out that the internet is a place built by people, and people forget, and people get busy, and people assume someone else renewed the cert. Facets make that forgetting visible. They turn entropy into a bar chart.
The 2026 Shodan Dork Bible: Finding Exposed Jenkins, Grafana, and Cameras Big Tech Forgot The 2026 Shodan Dork Bible: Finding Exposed Jenkins, Grafana, and Cameras Big Tech Forgot Shodan stopped being a…
Final Thought: The Internet Is Flat, and Everything Is Touching
Run port:102 facet: org one last time. Port 102 is Siemens S7, the protocol that runs factories, water plants, and power distribution.
The top orgs are not Siemens. They're not utilities. They're Comcast Cable, AT&T Internet Services, Verizon Business.
Residential ISPs. Your home IP is one hop away from infrastructure that can open a valve or drop a grid segment. The boundary between "enterprise," "consumer," and "industrial" is a routing table, not a firewall.
Shodan doesn't create that reality. It just indexes it. Facets don't hack anything. They just refuse to let you pretend it's not there.
If you work a corporate job and IT sees these queries in your history, you'll get a meeting. If legal sees your exports, you'll get a conversation.
But you don't work there. You work here. In the quiet spaces between banners and handshakes. And every day, you can open a terminal, ask the internet a hard question, and get an honest answer.
The only thing unethical is pretending you didn't see it.
If you want to be free, start by building a toolkit your boss would be afraid to understand. Then use it to look at the world as it actually is. Facets first.
If you're running queries like these, you need the rest of the toolkit. Guides below. No tracking. No newsletter. Just commands that work.
The 2026 Shrouded Sentinel Live Dork Deck - 400 Fresh + Effective Shodan Queries That Still Hit… The 2026 Dork Deck - 400 Live Shodan Queries That Still Hitcurated, annotated, and updated monthly. not a dump.Stop…
How To Fake Your iPhone Location Convincingly Be Anywhere But Here - Fake Your iPhone Location Convincinglyno jailbreak. no trace. no "why are you at the…