MITRE ATT&CK Technique
Reconnaissance T1596.005
Description

Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)

Adversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).

Supported Platforms
PRE
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-10-02T17:00:44.586Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may search within public scan databases for '
                'information about victims that can be used during targeting. '
                'Various online services continuously publish the results of '
                'Internet scans/surveys, often harvesting information such as '
                'active IP addresses, hostnames, open ports, certificates, and '
                'even server banners.(Citation: Shodan)\n'
                '\n'
                'Adversaries may search scan databases to gather actionable '
                'information. Threat actors can use online resources and '
                'lookup tools to harvest information from these services. '
                'Adversaries may seek information about their already '
                'identified targets, or use these datasets to discover '
                'opportunities for successful breaches. Information from these '
                'sources may reveal opportunities for other forms of '
                'reconnaissance (ex: [Active '
                'Scanning](https://attack.mitre.org/techniques/T1595) or '
                '[Search Open '
                'Websites/Domains](https://attack.mitre.org/techniques/T1593)), '
                'establishing operational resources (ex: [Develop '
                'Capabilities](https://attack.mitre.org/techniques/T1587) or '
                '[Obtain '
                'Capabilities](https://attack.mitre.org/techniques/T1588)), '
                'and/or initial access (ex: [External Remote '
                'Services](https://attack.mitre.org/techniques/T1133) or '
                '[Exploit Public-Facing '
                'Application](https://attack.mitre.org/techniques/T1190)).',
 'external_references': [{'external_id': 'T1596.005',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1596/005'},
                         {'description': 'Shodan. (n.d.). Shodan. Retrieved '
                                         'October 20, 2020.',
                          'source_name': 'Shodan',
                          'url': 'https://shodan.io'}],
 'id': 'attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'reconnaissance'}],
 'modified': '2025-10-24T17:49:34.076Z',
 'name': 'Scan Databases',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['PRE'],
 'x_mitre_version': '1.0'}
Related Threat Actors (2)
Volt Typhoon
High

APT41
High