Shodan is an online search engine that enables anyone to connect to public or improperly secured devices that allow remote access through the Internet. For example, a zoo might set up an IP camera in one of its enclosures so that anyone in the world can watch the animals through their browser. Shodan would index this connection and enable anyone to search for it. It builds its index by grabbing the service banners that a device sends to a client over certain ports.
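The following added example (not part of the original page) shows a banner grab of the kind described above, run against a listener on the local machine, and then lists what the banner text gives away; the same check tells you what your own devices announce to any client. The sample banner, the `CHECKS` patterns and the function names are constructed for illustration.

```python
import re
import socket
import threading

# Constructed sample banner (not from a real device): many services announce
# product and version to any client that connects.
SAMPLE_BANNER = b"220 ExampleCam FTP server (firmware 1.0.3) ready\r\n"

# Illustrative heuristics for what a banner gives away (assumed patterns).
CHECKS = {
    "version number": re.compile(r"\d+\.\d+(\.\d+)?"),
    "device type": re.compile(r"cam|dvr|router|plc|hvac", re.I),
    "service type": re.compile(r"\b(ftp|ssh|telnet|http|smtp)\b", re.I),
}

def serve_banner_once(banner: bytes) -> int:
    """Start a loopback listener that sends `banner` to one client; return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)        # the service speaks first
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port

def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect and read whatever the service sends first, as an indexer would."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""                  # service waits for the client to speak
    return data.decode("latin-1").strip()

def disclosures(banner: str) -> list[str]:
    """Name each kind of information the banner text reveals."""
    return [label for label, rx in CHECKS.items() if rx.search(banner)]

if __name__ == "__main__":
    text = grab_banner("127.0.0.1", serve_banner_once(SAMPLE_BANNER))
    print(text, "->", disclosures(text))
```

A banner that yields an empty list here still confirms that the port is open; trimming the banner reduces what is indexed, not whether the device is reachable.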
More commonly, however, manufacturers and users of devices follow poor security practices and unwittingly expose their devices to the wider world. For example, someone might purchase an IP camera to use for surveillance at their home or office, and they may fail to change the default user name and password from "admin" and "admin123". Using Shodan, anyone can find and watch the live feed of this camera if it is Internet-connected.
Devices indexed by Shodan include more than just cameras, however. Everything from traffic lights to industrial control systems (ICSs) may have Internet connectivity as part of the Internet of Things (IoT)—and IoT devices are notoriously lax when it comes to security. Some systems may even allow a user full remote control of a device.
Shodan can be useful in the reconnaissance phase of a pen test in a number of ways. If you manage to view the feed of a security camera outside the target organization’s office, you can get a better picture of the premises and its defenses if you plan on conducting a physical test there. If the organization employs control systems for HVAC or industrial equipment, you may be able to control these remotely as part of your attack phase.