Example Search Result
SIPG stands for Shodan IP Grabber. It is a professional command-line tool for searching internet assets via Shodan. SIPG (Shodan IP Grabber) supports API mode and free mode (no API key), with one primary command: search.
- 🔍 Advanced Search: Powerful query syntax with support for all Shodan search filters
- 📊 Rich Output: Beautiful tables and detailed information display
- 💾 Flexible Export: Save results to files in various formats
- ⚡ Rate Limiting: Built-in API rate limiting to respect Shodan's limits
- 🔐 Secure Configuration: Secure API key storage in the user's home directory
- 🌍 Cross-Platform: Works on Windows, macOS, and Linux
- 📈 Progress Tracking: Real-time progress indicators for long searches
- 🎯 Multiple Output Formats: Simple IP lists, detailed results, or formatted tables
- 🆓 No-Key Search Mode: Facet-based collection without API key (
--mode free; default isauto: REST Search when a key is saved, otherwise free) - 🧩 Asset Collection: Use
search --collect(defaultips) with support for comma-separated values likedomains,subdomains - 🧠 Beginner Filter Mode: Build full Shodan queries with
--filter
pip install sipggit clone https://github.com/emptymahbob/sipg.git
cd sipg
pip install -e .- Get your Shodan API key from shodan.io
- Configure SIPG (Shodan IP Grabber) with your API key:
sipg configure# Search for IPs with SSL certificates from Uber
sipg search 'ssl:"Uber Technologies Inc"'
# Search with detailed information
sipg search 'http.server:Apache' --details
# Display results in a table format
sipg search 'port:80' --table
# Save results to a file
sipg search 'country:"United States"' -o results.txt
# Limit results and add delay
sipg search 'product:"nginx"' -m 50 -d 2.0
# Get results from pages 2 to 5 (i.e., results 101-500)
sipg search 'http.server:Apache' --details --start-page 2 --end-page 5
# Save results from pages 5 to 10 to a file
sipg search 'country:"United States"' -o us.txt --start-page 5 --end-page 10
# No-key mode (facet-based)
sipg search 'ssl:"nvidia"' --mode free --silent
# Beginner filter mode
echo "nvidia.com" | sipg search --filter ssl --silent
# Collect domains and subdomains too
sipg search 'ssl:"nvidia"' --mode free --collect all -o assets.txtConfigure your Shodan API key securely.
Arguments:
-k, --api-key TEXT: API key value (prompted securely if omitted).
Search and collect assets with one command.
Options:
-o, --output FILE: Save results to file. If not specified, results are printed to the console.-m, --max-results N: Maximum number of results to return. Default: all available results.-d, --delay SECONDS: Delay (in seconds) between API requests to avoid rate limits.-I, --api-min-interval SECONDS: Minimum spacing betweenapi.shodan.iocalls (0 disables spacing).-D, --details, --detail: Show detailed results with additional information (organization, location, hostnames, etc).-T, --table, --tables: Display results in an expanded formatted table (IP, org, ASN, ISP, transport, domains, product, OS, timestamp, vuln count).--start-page N: Start fetching results from this page (1-based, default: 1).--end-page N: End fetching results at this page (inclusive). If not set, fetches up to the last available page or the maximum number of results.-M, --mode [auto|api|free]:auto(default) uses api if an API key is configured, otherwise free. Use-M freeto force facet/no-key mode even with a key;-M apiforces REST Search (requires a key).-c, --collect TEXT: Choose asset type(s) to collect.- Single values:
ips,domains,subdomains,all - Comma-separated values:
ips,domains,domains,subdomains, etc. - Default:
ips
- Single values:
-f, --filter TEXT: Wrap input asfilter:"value"(example:--filter ssl).-s, --silent: Print raw values only.-O, --output-format [txt|json|csv]: Optional override for--outputformat. If omitted, SIPG (Shodan IP Grabber) auto-detects from file extension (.json,.csv, otherwise.txt).-F, --fields: Comma-separated fields for table/csv schemas. Useportfor search-hit ports per host;portsfor full host ports viaGET /shodan/host/{ip}(example:ip,port,org,asn).--domain-suffix TEXT: For domain/subdomain collection andhostnames/domainscolumns, keep only names ending at a label boundary with this suffix (comma-separated for OR). Example:--domain-suffix milkeeps*.mil, not*.mil.ng.
Quick flag map (common confusion):
-d= delay seconds (float), example:-d 1.0-D= details mode (API detail view)-T= table mode (API detail view)-F= fields list (comma-separated), example:-F ip,port,org-f= filter wrapper, example:-f ssl-c= collect type(s), example:-c domains,subdomains--domain-suffix= suffix filter for domains/subdomains (example:--domain-suffix mil)
How search behaves:
- No
-o: values are printed to console. - With
-o: values are exported to file. Format auto-detects from extension (.json,.csv, otherwise.txt). - Use
-Oonly when you want to override extension-based detection. --detailsand--tableare API-oriented views for rich host records.- In free mode,
--collect ipsstreams IP results progressively. - If you use free mode or
--collectwithout IPs, the tool ignores--details/--tableand shows a warning.
Common mistakes and fixes:
Option '-d' requires an argument:- use
-d <float>, e.g.-d 1.0
- use
Invalid value for '-d' / '--delay':- you likely passed fields to
-d; use-Ffor fields
- you likely passed fields to
--details/--tablewith-M freeand-c ips:- free mode only streams plain IPs; with default
-M autoand a saved key, searches use the REST API, and-D/-Tuse host/search when your key allows it - without a key, you only get the IP list; add a key (
sipg cfg) or pass-M apiexplicitly
- free mode only streams plain IPs; with default
Error: Got unexpected extra argumentafter-Dor-T:-Dand-Tare flags (on/off). They take no value. For columns use-F ip,hostnames,...with-M api -Dor-T
-D/-T/-Fstill show only plain IPs:- you may be in free mode (
-M free) or your key may be denied host/search (seesipg info --probeand the 403 note below). With a key and Search access, SIPG uses the API for rich output. Upgrade/reinstall if behavior seems outdated:pip install -U sipgorpip install -e /path/to/sipg
- you may be in free mode (
sipg infoworks but-D/-Treturns HTTP 403:- api-info and host/search are different endpoints; some plans/keys allow one but not the other. SIPG falls back to free IP streaming when host/search is denied. For full JSON/table, upgrade your Shodan plan or use a key with Search API access.
- Academic membership API key:
- Academic keys are a separate Shodan program; your plan line in
sipg infomay still look generic (e.g.dev) while permissions are set by Shodan. Search (/shodan/host/search) can return 403 even when api-info succeeds, depending on how your Academic access is configured. Check account.shodan.io (API access / documentation for your tier) or contact Shodan if Search should be included. SIPG’s 403 fallback (plain IPs via free mode) still works the same.
- Academic keys are a separate Shodan program; your plan line in
Show all supported field names for search --fields and asset CSV export.
sipg fields
# Machine-readable output for scripts
sipg fields -jSIPG (Shodan IP Grabber) includes short command aliases for faster usage:
s # search
cfg # configure
i # info
ex # examples
cl # clear
fs # fieldsHow output is saved:
- By default, results are printed to the console.
- Use
-o/--outputto save results to a file. - Export format is auto-detected from extension:
.json-> JSON.csv-> CSV- anything else -> TXT
- Use
-O/--output-formatonly if you want to override extension-based format detection. - Saved content follows your
--collectselection:- Default (
--collectomitted):ips - Examples:
-c domains,-c domains,subdomains,-c all
- Default (
- In API detailed mode (
--details/--table), exports include rich host fields; use-F/--fieldsto customize CSV/table schemas. -F ... portshows ports from search matches (merged per IP);-F ... portsloads full host port lists viaGET /shodan/host/{ip}.- Use
--domain-suffixto keep only names ending with specific suffixes (for collection andhostnames/domainstable/CSV fields). - Use
--max-resultsto limit the number of results. - Use
--start-pageand--end-pageto fetch results from a specific page range (each page = 100 results). - Use
--delayto avoid hitting Shodan rate limits (default: 1.0s).
Examples:
# Default behavior (no --collect): IPs only
sipg search 'ssl:"nvidia"'
# Collect domains and subdomains together
sipg search 'ssl:"nvidia"' -c domains,subdomains --mode free
# Save combined assets to CSV
sipg search 'ssl:"nvidia"' -c ips,domains,subdomains -o assets.csv --fields type,value
# Save domains only to JSON (auto-detected from extension)
sipg search 'ssl:"nvidia"' -c domains -o domains.json
# Delay must be a float
sipg search 'ssl:"nvidia"' -c domains,subdomains -d 1.0
# Fields use -F (not -d)
sipg search 'port:443' -M api -T -F ip,hostnames,org,location,port
# Full host ports for each IP (extra host lookups)
sipg search 'port:443' -M api -T -F ip,hostnames,org,ports
# Keep only names ending in .mil (not .mil.ng)
sipg search 'ssl:"nextcloud"' -c domains,subdomains --domain-suffix mil
# Get the first 200 results
sipg search 'ssl:"Uber Technologies Inc"' --max-results 200
# Get results from pages 2 to 5 (i.e., results 101-500)
sipg search 'http.server:Apache' --details --start-page 2 --end-page 5
# Save results from pages 5 to 10 to a file
sipg search 'country:"United States"' -o us.txt --start-page 5 --end-page 10Show information about your Shodan API key and usage (calls GET /api-info — plan and credits, not per-endpoint permissions).
How to know what your key allows
sipg inforeflects account/plan data from Shodan, not a full ACL list for every endpoint.sipg info --proberuns one minimalGET /shodan/host/search(uses 1 query credit) and reports whether Search API access works for rich flags (-D/-T/-F). If this fails with 403 whileapi-infosucceeds, your plan/key may block Search while still showing credits — see Shodan Developer API and your account settings.
Display example search queries.
Clear the stored API key.
sipg s→sipg searchsipg cfg→sipg configuresipg i→sipg infosipg ex→sipg examplessipg cl→sipg clearsipg fs→sipg fields
# SSL certificates
sipg search 'ssl:"Uber Technologies Inc"'
sipg search 'ssl.cert.subject.CN:"*.uber.com"'
# HTTP servers
sipg search 'http.server:Apache'
sipg search 'http.status:200'
# Geographic location
sipg search 'country:"United States"'
sipg search 'city:"New York"'
# Port scanning
sipg search 'port:80'
sipg search 'port:443'
# Products and services
sipg search 'product:"nginx"'
sipg search 'product:"MySQL"'
# Organizations
sipg search 'org:"Amazon"'
sipg search 'org:"Google"'
# Complex queries
sipg search 'ssl:"Uber Technologies Inc" http.status:200'
sipg search 'port:80 -http.title:"Invalid URL"'Official base URL for REST methods: https://api.shodan.io
Full method list and parameters: Shodan Developer API (Search, On-Demand Scanning, Alerts, DNS, etc.).
How SIPG uses it
| Shodan method | SIPG usage |
|---|---|
GET /api-info |
sipg info — plan, credits, query credits |
GET /shodan/host/search |
sipg search with -D / -T / -F (full host JSON, table, column export); sipg info --probe for a one-call access check (1 query credit) |
| (no REST equivalent for “all facet values”) | --mode free — HTML facet pages on www.shodan.io, not the REST Search API |
Non-200 responses include an error message in JSON (see Shodan docs). 403 on host/search while api-info works usually means your key/plan does not allow that Search endpoint — not a SIPG bug.
git clone https://github.com/emptymahbob/sipg.git
cd sipg
pip install -e ".[dev]"pytestblack sipg/mypy sipg/This project is licensed under the MIT License - see the LICENSE file for details.
Contributions are welcome! Please feel free to submit a Pull Request.
- Author: Mahbob Alam (@emptymahbob)
- Email: emptymahbob@gmail.com
- Twitter: https://x.com/emptymahbob
- Issues: https://github.com/emptymahbob/sipg/issues
This tool is for educational and authorized security research purposes only. Always ensure you have proper authorization before scanning any networks or systems. The authors are not responsible for any misuse of this tool.