1

I've done the legwork and I've struggled to identify how to search with the Shodan CLI, or the web search, just for a specific port and output all the IP addresses that expose this port.

For example in the CLI:

shodan search [port] 

I can't figure that out.

Also in the search bar on the site:

[shodan] port:[port] 

This does not work as expected, possibly because it is pulling false resolvers and I'm looking for a weird port.

4
  • perhaps you could provide an example of what you think is the wrong output (i.e. your claim that it "does not work as expected")?
    – korrigan
    Commented Mar 22, 2018 at 5:24
  • @korrigan shodan.io/search?query=port%3A55555 Take a look at that search. All of the responses are lacking a 55555 port. So I'm doing something wrong.
    Commented Mar 22, 2018 at 14:50
  • 1
    I meant, as part of an edit to your question. Note that your link doesn't work for guest users (not logged in), so consider a form that everyone can see.
    – korrigan
    Commented Mar 22, 2018 at 17:10
  • @korrigan that's great advice. I tried to do so and was greeted with a "must be logged in to use search filters" error, so looks like it will have to be only for those with accounts. Thank you though. Good advice.
    Commented Mar 23, 2018 at 1:02

3 Answers

2

Founder of Shodan here: we crawl a few thousand ports but as you noticed 55555 isn't on that list. The search syntax for what you're trying to do is:

port:55555 

Which means in the CLI you would enter:

shodan search port:55555 

Or to get a count of how many are open:

shodan count port:55555 

For more information about the search syntax please visit:

https://help.shodan.io/the-basics/search-query-fundamentals

If you search for simply "55555" then you are searching for banners where the main data property contains the string "55555". To search in the contents of other properties (ex: port) you need to use a search filter. A list of them is available on the developer website. Check out the /shodan/host/search method:

https://developer.shodan.io/api

1
  • Thank you! I appreciate the clarification. I also appreciate all your hard work bringing visibility to this issue.
    Commented Mar 26, 2018 at 15:38
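
A simplified offline model of the distinction explained in the answer above, added here as an example and not Shodan's code or part of the original posts: a bare term is matched against the banner's `data` text, while `port:` is matched against the `port` property. The banner records are constructed, and `parse_query`, `matches`, `search` and `count` are hypothetical helpers, not Shodan API calls.

```python
# Constructed sample banners (documentation IP ranges). The "port" and "data"
# property names follow the answer; real banners carry many more fields.
BANNERS = [
    {"ip_str": "192.0.2.10", "port": 80,
     "data": "HTTP/1.1 200 OK\r\nX-Request-Id: 55555\r\n"},
    {"ip_str": "192.0.2.11", "port": 22, "data": "SSH-2.0-OpenSSH_7.4"},
    {"ip_str": "192.0.2.12", "port": 55555, "data": "220 service ready"},
    {"ip_str": "192.0.2.13", "port": 443,
     "data": "HTTP/1.1 302 Found\r\nLocation: https://198.51.100.7:55555/\r\n"},
]

def parse_query(query):
    """Split a query into {filter: value} pairs and free-text terms."""
    filters, terms = {}, []
    for token in query.split():
        name, sep, value = token.partition(":")
        if sep and name and value:
            filters[name] = value.strip('"')   # port:"55555" == port:55555
        else:
            terms.append(token.strip('"'))
    return filters, terms

def matches(banner, filters, terms):
    """Filters compare against the named property; terms only against data."""
    for name, value in filters.items():
        if str(banner.get(name)) != value:
            return False
    return all(term in banner["data"] for term in terms)

def search(query, banners=BANNERS):
    filters, terms = parse_query(query)
    return [b["ip_str"] for b in banners if matches(b, filters, terms)]

def count(query, banners=BANNERS):
    return len(search(query, banners))

if __name__ == "__main__":
    for q in ("55555", "port:55555", 'port:"55555"'):
        print(f"{q!r}: count={count(q)} hosts={search(q)}")
```

In this model the bare term returns hosts on ports 80 and 443 whose banner text merely contains the string, which mirrors the mismatch the question describes.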
1

Note: I am assuming here that you have set up the CLI with a working API key, and that you are logged into the website with a valid username/password. The CLI tool should throw an error telling you that you need to run shodan init <api key>.

Shodan Web:

When searching in Shodan I find that more often than not, it is safer to put quotes around the search term. In your case, I found that searching on the shodan.io website for port:"55555" yielded 862 results. The same search without quotes also worked, yielding the same number of results.

Shodan CLI

I'm not very experienced with the CLI, but I found that doing any of the following yielded the same number of results (862):

shodan count port:55555
shodan count port:"55555"
shodan count 'port:55555'
shodan count 'port:"55555"'

But your terms (shodan count 55555) yielded a different, much larger result, presumably because it was searching for "55555" everywhere, rather than just the port.

1
  • Thank you for the help! Yep, I found the same results, most of which don't have the port 55555. I figured out that Shodan doesn't index every port, just some common ones. Thank you again!
    Commented Mar 23, 2018 at 1:18
0

Ok, so I think I have an answer. After scraping around help documentation it appears that Shodan is focused on certain services. It does not appear to do a full port scan of every IP regularly, only specific common ones like telnet, ftp, http, etc.

It does capture more than just those ports through other mechanisms, but it is not a full internet every IP address with every port database. I found this information on a Defcon PowerPoint, but it is also alluded to in the wiki which is more trustworthy:

https://en.wikipedia.org/wiki/Shodan_(website)

"Shodan collects data mostly on web servers (HTTP/HTTPS - port 80, 8080, 443, 8443), as well as FTP (port 21), SSH (port 22), Telnet (port 23), SNMP (port 161), IMAP (port 993), SIP (port 5060),[2] and Real Time Streaming Protocol (RTSP, port 554). The latter can be used to access webcams and their video stream.[3]"
