2 minute read

Discovering devices cover


The present-day internet sees everything from smart toothbrushes, unsecured databases, CCTVs and dirty dishes soaking in a smart kitchen right now .

By 2023 the number of devices connected to the internet will be approximately 29.3 billion. More devices joining the internet with little or no security have become a lucrative target for threat actors.

This article describes a few tools we can use to identify and monitor our devices connected to the internet on a budget.

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. - Sun Tzu

Passive reconnaissance

The first phase of hacking is reconnaissance (recon), where the attacker research and gathers information about a target. Passive reconnaissance collects information about a target without raising alarms; this phase does not directly interact with a target or its network assets.

There are SaaS (Software As A Service Platforms), which provide information gathered from actively scanning the internet (Active Reconnaissance). They are passive recon tools.


Shodan is the world’s first search engine for Internet-connected devices and my favourite tool.

Shodan Dashboard of devices connected to the internet

Shodan allows you to search devices based on various metadata, including but not limited to IP address, CVE (Common Vulnerability Exposure), HTTP banners, and the list go on.

In addition, they do provide network monitoring features where if something pops up in your given IP address space, the service will send you an alert. According to Shodan’s documentation, it scans the entire internet at least once a week. However, their API does provide on-demand scanning if you want to build continuous scanning and alerting.

Shodan pro subscriptions cost 49 $ a month, but they offer 5$/per month pro shodan accounts during the Black Friday sale. If you have a .edu email, they offer the pro account features for free.


Greynoise comes in handy if we want to identify any compromised devices within a specified IP address range.

Greynoise bulk IP address analysis

Greynoise does provide a free community subscription, allowing users to search IP addresses to identify whether they have been compromised and scanning the internet for other machines to infect.

Example Greynoise insights about an infected machine

Active Recon


Nmap is the go-to opensource tool for network discovery and if you want to host your network scanning service. Nmap comes in many flavours.

Nmap can be used to find open-ports, OS fingerprinting and vulnerabilities too.

If you need an excellent place to start on continous network scanning Jeremy Gamblin has written a simple guide on that with alerting.


As defenders, we need to monitor the devices connected to the internet to prevent/identify a breach. We can only defend what we can see !.

Misconfigured and vulnerable devices are the root cause of some of the notable hacks in the past :