https://github.com/lothos612/shodan

### Shodan Dorks by twitter.com/lothos612
Feel free to make suggestions

# Shodan Dorks

# Basic Shodan Filters

### city:

Find devices in a particular city.
`city:"Bangalore"`

### country:

Find devices in a particular country.
`country:"IN"`

### geo:

Find devices by giving geographical coordinates.
`geo:"56.913055,118.250862"`

### Location

`country:us`
`country:ru country:de city:chicago`

### hostname:

Find devices matching the hostname.
`server: "gws" hostname:"google"`
`hostname:example.com -hostname:subdomain.example.com`
`hostname:example.com,example.org`

### net:

Find devices based on an IP address or /x CIDR.
`net:210.214.0.0/16`

### Organization

`org:microsoft`
`org:"United States Department"`

### Autonomous System Number (ASN)

`asn:ASxxxx`

### os:

Find devices based on operating system.
`os:"windows 7"`

### port:

Find devices based on open ports.
`proftpd port:21`

### before/after:

Find devices before or after a given time, or between two times.
`apache after:22/02/2009 before:14/3/2010`

### SSL/TLS Certificates

Self-signed certificates
`ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com`

Expired certificates
`ssl.cert.expired:true`

`ssl.cert.subject.cn:example.com`

### Device Type

`device:firewall`
`device:router`
`device:wap`
`device:webcam`
`device:media`
`device:"broadband router"`
`device:pbx`
`device:printer`
`device:switch`
`device:storage`
`device:specialized`
`device:phone`
`device:"voip"`
`device:"voip phone"`
`device:"voip adaptor"`
`device:"load balancer"`
`device:"print server"`
`device:terminal`
`device:remote`
`device:telecom`
`device:power`
`device:proxy`
`device:pda`
`device:bridge`

### Operating System

`os:"windows 7"`
`os:"windows server 2012"`
`os:"linux 3.x"`

### Product

`product:apache`
`product:nginx`
`product:android`
`product:chromecast`

### Customer Premises Equipment (CPE)

`cpe:apple`
`cpe:microsoft`
`cpe:nginx`
`cpe:cisco`

### Server

`server: nginx`
`server: apache`
`server: microsoft`
`server: cisco-ios`

### ssh fingerprints

`dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0`

# Web

### Pulse Secure

`http.html:/dana-na`

### PEM Certificates

`http.title:"Index of /" http.html:".pem"`

### Tor / Dark Web sites

`onion-location`

# Databases

### MySQL

`"product:MySQL"`
`mysql port:"3306"`

### MongoDB

`"product:MongoDB"`
`mongodb port:27017`

### Fully open MongoDBs

`"MongoDB Server Information { "metrics":"`
`"Set-Cookie: mongo-express=" "200 OK"`
`"MongoDB Server Information" port:27017 -authentication`

### Kibana dashboards without authentication

`kibana content-length:217`

### elastic

`port:9200 json`
`port:"9200" all:elastic`
`port:"9200" all:"elastic indices"`

### Memcached

`"product:Memcached"`

### CouchDB

`"product:CouchDB"`
`port:"5984"+Server: "CouchDB/2.1.0"`

### PostgreSQL

`"port:5432 PostgreSQL"`

### Riak

`"port:8087 Riak"`

### Redis

`"product:Redis"`

### Cassandra

`"product:Cassandra"`

# Industrial Control Systems

### Samsung Electronic Billboards

`"Server: Prismview Player"`

### Gas Station Pump Controllers

`"in-tank inventory" port:10001`

### Fuel Pumps connected to internet:

No auth required to access CLI terminal.
`"privileged command" GET`

### Automatic License Plate Readers

`P372 "ANPR enabled"`

### Traffic Light Controllers / Red Light Cameras

`mikrotik streetlight`

### Voting Machines in the United States

`"voter system serial" country:US`

### Open ATM:

May allow for ATM Access availability
`NCR Port:"161"`

### Telcos Running Cisco Lawful Intercept Wiretaps

`"Cisco IOS" "ADVIPSERVICESK9_LI-M"`

### Prison Pay Phones

`"[2J[H Encartele Confidential"`

### Tesla PowerPack Charging Status

`http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2`

### Electric Vehicle Chargers

`"Server: gSOAP/2.8" "Content-Length: 583"`

### Maritime Satellites

Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!

`"Cobham SATCOM" OR ("Sailor" "VSAT")`

### Submarine Mission Control Dashboards

`title:"Slocum Fleet Mission Control"`

### CAREL PlantVisor Refrigeration Units

`"Server: CarelDataServer" "200 Document follows"`

### Nordex Wind Turbine Farms

`http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"`

### C4 Max Commercial Vehicle GPS Trackers

`"[1m[35mWelcome on console"`

### DICOM Medical X-Ray Machines

Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.

`"DICOM Server Response" port:104`

### GaugeTech Electricity Meters

`"Server: EIG Embedded Web Server" "200 Document follows"`

### Siemens Industrial Automation

`"Siemens, SIMATIC" port:161`

### Siemens HVAC Controllers

`"Server: Microsoft-WinCE" "Content-Length: 12581"`

### Door / Lock Access Controllers

`"HID VertX" port:4070`

### Railroad Management

`"log off" "select the appropriate"`

### Tesla Powerpack charging Status:

Helps to find the charging status of a Tesla PowerPack.
`http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2`

### XZERES Wind Turbine

`title:"xzeres wind"`

### PIPS Automated License Plate Reader

`"html:"PIPS Technology ALPR Processors""`

### Modbus

`"port:502"`

### Niagara Fox

`"port:1911,4911 product:Niagara"`

### GE-SRTP

`"port:18245,18246 product:"general electric""`

### MELSEC-Q

`"port:5006,5007 product:mitsubishi"`

### CODESYS

`"port:2455 operating system"`

### S7

`"port:102"`

### BACnet

`"port:47808"`

### HART-IP

`"port:5094 hart-ip"`

### Omron FINS

`"port:9600 response code"`

### IEC 60870-5-104

`"port:2404 asdu address"`

### DNP3

`"port:20000 source address"`

### EtherNet/IP

`"port:44818"`

### PCWorx

`"port:1962 PLC"`

### Crimson v3.0

`"port:789 product:"Red Lion Controls"`

### ProConOS

`"port:20547 PLC"`

# Remote Desktop

### Unprotected VNC

`"authentication disabled" port:5900,5901`
`"authentication disabled" "RFB 003.008"`

### Windows RDP

99.99% are secured by a secondary Windows login screen.

`"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"`

# C2 Infrastructure

### CobaltStrike Servers

`product:"cobalt strike team server"`
`product:"Cobalt Strike Beacon"`
`ssl.cert.serial:146473198` - default certificate serial number
`ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1`
`ssl:foren.zik`

### Brute Ratel

`http.html_hash:-1957161625`
`product:"Brute Ratel C4"`

### Covenant

`ssl:"Covenant" http.component:"Blazor"`

### Metasploit

`ssl:"MetasploitSelfSignedCA"`

# Network Infrastructure

### Hacked routers:

Routers which got compromised
`hacked-router-help-sos`

### Redis open instances

`product:"Redis key-value store"`

### Citrix:

Find Citrix Gateway.
`title:"citrix gateway"`

### Weave Scope Dashboards

Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.

`title:"Weave Scope" http.favicon.hash:567176827`

### Jenkins CI

`"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"`

### Jenkins:

Jenkins Unrestricted Dashboard
`x-jenkins 200`

### Docker APIs

`"Docker Containers:" port:2375`

### Docker Private Registries

`"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab`

### Pi-hole Open DNS Servers

`"dnsmasq-pi-hole" "Recursion: enabled"`

### DNS Servers with recursion

`"port: 53" Recursion: Enabled`

### Already Logged-In as root via Telnet

`"root@" port:23 -login -password -name -Session`

### Telnet Access:

NO password required for telnet access.
`port:23 console gateway`

### Polycom video-conference system no-auth shell

`"polycom command shell"`

### NPort serial-to-eth / MoCA devices without password

`nport -keyin port:23`

### Android Root Bridges

A tangential result of Google's sloppy fractured update approach. 🙄 More information here.

`"Android Debug Bridge" "Device" port:5555`

### Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords

`Lantronix password port:30718 -secured`

### Citrix Virtual Apps

`"Citrix Applications:" port:1604`

### Cisco Smart Install

Vulnerable (kind of "by design," but especially when exposed).

`"smart install client active"`

### PBX IP Phone Gateways

`PBX "gateway console" -password port:23`

### Polycom Video Conferencing

`http.title:"- Polycom" "Server: lighttpd"`
`"Polycom Command Shell" -failed port:23`

### Telnet Configuration:

`"Polycom Command Shell" -failed port:23`

### Bomgar Help Desk Portal

`"Server: Bomgar" "200 OK"`

### Intel Active Management CVE-2017-5689

`"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995`
`"Active Management Technology"`

### HP iLO 4 CVE-2017-12542

`HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900`

### Lantronix ethernet adapter’s admin interface without password

`"Press Enter for Setup Mode port:9999"`

### Wifi Passwords:

Helps to find the cleartext wifi passwords in Shodan.
`html:"def_wirelesspassword"`

### Misconfigured Wordpress Sites:

The wp-config.php file, if accessible, can expose the database credentials.
`http.html:"* The wp-config.php creation script uses this file"`

# Outlook Web Access:

### Exchange 2007

`"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"`

### Exchange 2010

`"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392`

### Exchange 2013 / 2016

`"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"`

### Lync / Skype for Business

`"X-MS-Server-Fqdn"`

# Network Attached Storage (NAS)

### SMB (Samba) File Shares

Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.

`"Authentication: disabled" port:445`

### Specifically domain controllers:

`"Authentication: disabled" NETLOGON SYSVOL -unix port:445`

### Concerning default network shares of QuickBooks files:

`"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445`

### FTP Servers with Anonymous Login

`"220" "230 Login successful." port:21`

### Iomega / LenovoEMC NAS Drives

`"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"`

### Buffalo TeraStation NAS Drives

`Redirecting sencha port:9000`

### Logitech Media Servers

`"Server: Logitech Media Server" "200 OK"`

### Plex Media Servers

`"X-Plex-Protocol" "200 OK" port:32400`

### Tautulli / PlexPy Dashboards

`"CherryPy/5.1.0" "/home"`

### Home router attached USB

`"IPC$ all storage devices"`

# Webcams

### Generic camera search

`title:camera`

### Webcams with screenshots

`webcam has_screenshot:true`

### D-Link webcams

`"d-Link Internet Camera, 200 OK"`

### Hipcam

`"Hipcam RealServer/V1.0"`

### Yawcams

`"Server: yawcam" "Mime-Type: text/html"`

### webcamXP/webcam7

`("webcam 7" OR "webcamXP") http.component:"mootools" -401`

### Android IP Webcam Server

`"Server: IP Webcam Server" "200 OK"`

### Security DVRs

`html:"DVR_H264 ActiveX"`

### Surveillance Cams:

With username:admin and password: :P
`NETSurveillance uc-httpd`
`Server: uc-httpd 1.0.0`

# Printers & Copiers:

### HP Printers

`"Serial Number:" "Built:" "Server: HP HTTP"`

### Xerox Copiers/Printers

`ssl:"Xerox Generic Root"`

### Epson Printers

`"SERVER: EPSON_Linux UPnP" "200 OK"`

`"Server: EPSON-HTTP" "200 OK"`

### Canon Printers

`"Server: KS_HTTP" "200 OK"`

`"Server: CANON HTTP Server"`

# Home Devices

### Yamaha Stereos

`"Server: AV_Receiver" "HTTP/1.1 406"`

### Apple AirPlay Receivers

Apple TVs, HomePods, etc.

`"\x08_airplay" port:5353`

### Chromecasts / Smart TVs

`"Chromecast:" port:8008`

### Crestron Smart Home Controllers

`"Model: PYNG-HUB"`

# Random Stuff

### Calibre libraries

`"Server: calibre" http.status:200 http.title:calibre`

### OctoPrint 3D Printer Controllers

`title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944`

### Ethereum Miners

`"ETH - Total speed"`

### Apache Directory Listings

Substitute .pem with any extension or a filename like phpinfo.php.

`http.title:"Index of /" http.html:".pem"`

### Misconfigured WordPress

Exposed wp-config.php files containing database credentials.

`http.html:"* The wp-config.php creation script uses this file"`

### Too Many Minecraft Servers

`"Minecraft Server" "protocol 340" port:25565`

### Literally Everything in North Korea

`net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24`