Shodan and IPInfo
Shodan
Shodan is a search engine for devices connected to the internet. For each IP it returns information about the services it has exposed.
What it returns
```python
from src.tools.shodan_tool import shodan_host_lookup

result = await shodan_host_lookup("185.220.101.34")
```
| Field | Description |
|---|---|
| `ports` | List of open ports |
| `hostnames` | Associated hostnames |
| `domains` | Domains |
| `country_name` | Country |
| `city` | City |
| `org` | Organization |
| `isp` | ISP |
| `asn` | ASN |
| `vulns` | CVEs detected in exposed services |
| `data` | Service banners with detailed information |
Service information
For each open port, Shodan returns the service banner:
```json
{
  "port": 22,
  "transport": "tcp",
  "product": "OpenSSH",
  "version": "8.9p1",
  "data": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6"
}
```
This allows you to identify:
- Software versions (and therefore known vulnerabilities)
- Technologies in use
- Unusual configurations
Detected CVEs
If Shodan detects vulnerable versions, it lists the CVEs:
```
vulns: ["CVE-2023-38408", "CVE-2023-51384"]
```
Free tier
Shodan has a very limited free tier: 100 queries/month. The 24h cache helps, but use this tool selectively.
Use cases in OSINT
- Identify Tor nodes / VPNs (port 9001, 9030)
- Detect C2 servers (non-standard ports with suspicious banners)
- Verify infrastructure of a domain
- Find exposed IoT devices
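To show how the fields above combine during triage, here is an added example (not part of this project's code) that summarizes a host record shaped like the field table. It assumes the lookup result is a plain dict; `triage_host`, `format_report`, `TOR_PORTS` and the sample record are hypothetical names and constructed data.

```python
# Added example: triage a Shodan host record shaped like the field table above.
# Assumption: the result is a plain dict; all names here are hypothetical.
TOR_PORTS = {9001: "Tor ORPort", 9030: "Tor DirPort"}  # default Tor relay ports; a hint, not proof

# Constructed sample record (not real Shodan output).
SAMPLE = {
    "ports": [22, 9001, 9030],
    "org": "Example Hosting",
    "vulns": ["CVE-2023-38408", "CVE-2023-51384"],
    "data": [
        {"port": 22, "transport": "tcp", "product": "OpenSSH", "version": "8.9p1",
         "data": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6"},
        {"port": 9001, "transport": "tcp", "data": ""},
    ],
}


def triage_host(record):
    """Return services, Tor-port hints, CVEs and ports that have no banner."""
    services = []
    for b in record.get("data") or []:
        software = " ".join(filter(None, [b.get("product"), b.get("version")]))
        services.append({"port": b.get("port"), "transport": b.get("transport", "tcp"),
                         "software": software or "unidentified"})
    seen = {s["port"] for s in services if s["port"] is not None}
    ports = sorted(set(record.get("ports") or []) | seen)
    return {
        "services": sorted(services, key=lambda s: s["port"] or 0),
        "tor_hints": [f"{p}/{TOR_PORTS[p]}" for p in ports if p in TOR_PORTS],
        "vulns": sorted(record.get("vulns") or []),
        "ports_without_banner": [p for p in ports if p not in seen],
    }


def format_report(ip, record):
    """Render the triage as text for an analyst's notes."""
    t = triage_host(record)
    lines = [f"[Shodan] {ip} ({record.get('org', 'unknown org')})"]
    lines += [f"  {s['port']}/{s['transport']}: {s['software']}" for s in t["services"]]
    if t["tor_hints"]:
        lines.append("  Tor relay ports open: " + ", ".join(t["tor_hints"]))
    if t["vulns"]:
        lines.append("  CVEs to confirm against banner versions: " + ", ".join(t["vulns"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report("185.220.101.34", SAMPLE))
```

Ports listed in `ports` without a matching entry in `data` end up in `ports_without_banner`, which marks services that still need manual identification.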
IPInfo
IPInfo provides accurate geolocation and network context for IPs.
What it returns
```python
from src.tools.ipinfo import ipinfo_lookup

result = await ipinfo_lookup("185.220.101.34")
```
| Field | Description |
|---|---|
| `ip` | IP queried |
| `hostname` | Reverse hostname (PTR) |
| `city` | City |
| `region` | Region/state |
| `country` | Country code (ISO) |
| `loc` | GPS coordinates |
| `org` | Organization (ASN + name) |
| `postal` | Postal code |
| `timezone` | Time zone |
Advantage over other services
IPInfo has one of the best free tiers: 50,000 requests/month. For most use cases, it is effectively unlimited.
IPInfo’s geolocation is especially accurate for:
- Identifying proxies and VPNs (org usually shows the provider name)
- Detecting shared vs dedicated hosting
- Correlating with geographic patterns of a campaign
Example output
```
[IPInfo] 185.220.101.34
├─ Hostname: tor-exit-nl-01.example.net
├─ City: Amsterdam
├─ Region: North Holland
├─ Country: NL (Netherlands)
├─ Coordinates: 52.3667, 4.9000
├─ Organization: AS53667 Frantech Solutions
└─ Timezone: Europe/Amsterdam
```