Shodan Dorks

Shodan Dorks by twitter.com/lothos612​

Feel free to make suggestions

Basic Shodan Filters​

city:​

Find devices in a particular city.
city:"Bangalore"

country:​

Find devices in a particular country.
country:"IN"

geo:​

Find devices by giving geographical coordinates.
geo:"56.913055,118.250862"

Location​

country:us
country:ru
country:de
city:chicago

hostname:​

Find devices matching the hostname.
server: "gws" hostname:"google"
hostname:example.com -hostname:subdomain.example.com
hostname:example.com,example.org

net:​

Find devices based on an IP address or /x CIDR.
net:210.214.0.0/16

Organization​

org:microsoft
org:"United States Department"

Autonomous System Number (ASN)​

asn:ASxxxx

os:​

Find devices based on operating system.
os:"windows 7"

port:​

Find devices based on open ports.
proftpd port:21

before/after:​

Find devices seen before, after, or between given dates.
apache after:22/02/2009 before:14/3/2010

SSL/TLS Certificates​

Self-signed certificates
ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com
Expired certificates
ssl.cert.expired:true
ssl.cert.subject.cn:example.com

Device Type​

device:firewall
device:router
device:wap
device:webcam
device:media
device:"broadband router"
device:pbx
device:printer
device:switch
device:storage
device:specialized
device:phone
device:"voip"
device:"voip phone"
device:"voip adaptor"
device:"load balancer"
device:"print server"
device:terminal
device:remote
device:telecom
device:power
device:proxy
device:pda
device:bridge

Operating System​

os:"windows 7"
os:"windows server 2012"
os:"linux 3.x"

Product​

product:apache
product:nginx
product:android
product:chromecast

Customer Premises Equipment (CPE)​

cpe:apple
cpe:microsoft
cpe:nginx
cpe:cisco

Server​

server: nginx
server: apache
server: microsoft
server: cisco-ios

ssh fingerprints​

dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0

Web​

Pulse Secure​

http.html:/dana-na

PEM Certificates​

http.title:"Index of /" http.html:".pem"

Tor / Dark Web sites​

onion-location

Databases​

MySQL​

"product:MySQL"
mysql port:"3306"

MongoDB​

"product:MongoDB"
mongodb port:27017

Fully open MongoDBs​

"MongoDB Server Information { "metrics":"
"Set-Cookie: mongo-express=" "200 OK"
"MongoDB Server Information" port:27017 -authentication

Kibana dashboards without authentication​

kibana content-length:217

elastic​

port:9200 json
port:"9200" all:elastic
port:"9200" all:"elastic indices"

Memcached​

"product:Memcached"

CouchDB​

"product:CouchDB"
port:"5984"+Server: "CouchDB/2.1.0"

PostgreSQL​

"port:5432 PostgreSQL"

Riak​

"port:8087 Riak"

Redis​

"product:Redis"

Cassandra​

"product:Cassandra"

Industrial Control Systems​

Samsung Electronic Billboards​

"Server: Prismview Player"

Gas Station Pump Controllers​

"in-tank inventory" port:10001

Fuel Pumps connected to internet:​

No auth required to access CLI terminal.
"privileged command" GET

Automatic License Plate Readers​

P372 "ANPR enabled"

Traffic Light Controllers / Red Light Cameras​

mikrotik streetlight

Voting Machines in the United States​

"voter system serial" country:US

Open ATM:​

May allow for ATM access availability.
NCR Port:"161"

Telcos Running Cisco Lawful Intercept Wiretaps​

"Cisco IOS" "ADVIPSERVICESK9_LI-M"

Prison Pay Phones​

"[2J[H Encartele Confidential"

Tesla PowerPack Charging Status​

http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2

Electric Vehicle Chargers​

"Server: gSOAP/2.8" "Content-Length: 583"

Maritime Satellites​

Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!
"Cobham SATCOM" OR ("Sailor" "VSAT")

Submarine Mission Control Dashboards​

title:"Slocum Fleet Mission Control"

CAREL PlantVisor Refrigeration Units​

"Server: CarelDataServer" "200 Document follows"

Nordex Wind Turbine Farms​

http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"

C4 Max Commercial Vehicle GPS Trackers​

"[1m[35mWelcome on console"

DICOM Medical X-Ray Machines​

Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.
"DICOM Server Response" port:104

GaugeTech Electricity Meters​

"Server: EIG Embedded Web Server" "200 Document follows"

Siemens Industrial Automation​

"Siemens, SIMATIC" port:161

Siemens HVAC Controllers​

"Server: Microsoft-WinCE" "Content-Length: 12581"

Door / Lock Access Controllers​

"HID VertX" port:4070

Railroad Management​

"log off" "select the appropriate"

Tesla Powerpack charging Status:​

Helps to find the charging status of Tesla Powerpack.
http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2

XZERES Wind Turbine​

title:"xzeres wind"

PIPS Automated License Plate Reader​

"html:"PIPS Technology ALPR Processors""

Modbus​

"port:502"

Niagara Fox​

"port:1911,4911 product:Niagara"

GE-SRTP​

"port:18245,18246 product:"general electric""

MELSEC-Q​

"port:5006,5007 product:mitsubishi"

CODESYS​

"port:2455 operating system"

S7​

"port:102"

BACnet​

"port:47808"

HART-IP​

"port:5094 hart-ip"

Omron FINS​

"port:9600 response code"

IEC 60870-5-104​

"port:2404 asdu address"

DNP3​

"port:20000 source address"

EtherNet/IP​

"port:44818"

PCWorx​

"port:1962 PLC"

Crimson v3.0​

"port:789 product:"Red Lion Controls"

ProConOS​

"port:20547 PLC"

Remote Desktop​

Unprotected VNC​

"authentication disabled" port:5900,5901
"authentication disabled" "RFB 003.008"

Windows RDP​

99.99% are secured by a secondary Windows login screen.
"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"

C2 Infrastructure​

CobaltStrike Servers​

product:"cobalt strike team server"
product:"Cobalt Strike Beacon"
ssl.cert.serial:146473198 - default certificate serial number
ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1
ssl:foren.zik

Brute Ratel​

http.html_hash:-1957161625
product:"Brute Ratel C4"

Covenant​

ssl:"Covenant" http.component:"Blazor"

Metasploit​

ssl:"MetasploitSelfSignedCA"

Network Infrastructure​

Hacked routers:​

Routers which got compromised.
hacked-router-help-sos

Redis open instances​

product:"Redis key-value store"

Citrix:​

Find Citrix Gateway.
title:"citrix gateway"

Weave Scope Dashboards​

Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.
title:"Weave Scope" http.favicon.hash:567176827

Jenkins CI​

"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"

Jenkins:​

Jenkins Unrestricted Dashboard
x-jenkins 200

Docker APIs​

"Docker Containers:" port:2375

Docker Private Registries​

"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab

Pi-hole Open DNS Servers​

"dnsmasq-pi-hole" "Recursion: enabled"

DNS Servers with recursion​

"port: 53" Recursion: Enabled

Already Logged-In as root via Telnet​

"root@" port:23 -login -password -name -Session

Telnet Access:​

No password required for telnet access.
port:23 console gateway

Polycom video-conference system no-auth shell​

"polycom command shell"

NPort serial-to-eth / MoCA devices without password​

nport -keyin port:23

Android Root Bridges​

A tangential result of Google's sloppy fractured update approach. 🙄
"Android Debug Bridge" "Device" port:5555

Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords​

Lantronix password port:30718 -secured

Citrix Virtual Apps​

"Citrix Applications:" port:1604

Cisco Smart Install​

Vulnerable (kind of "by design," but especially when exposed).
"smart install client active"

PBX IP Phone Gateways​

PBX "gateway console" -password port:23

Polycom Video Conferencing​

http.title:"- Polycom" "Server: lighttpd"
"Polycom Command Shell" -failed port:23

Telnet Configuration:​

"Polycom Command Shell" -failed port:23

Bomgar Help Desk Portal​

"Server: Bomgar" "200 OK"

Intel Active Management CVE-2017-5689​

"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995
"Active Management Technology"

HP iLO 4 CVE-2017-12542​

HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900

Lantronix ethernet adapter's admin interface without password​

"Press Enter for Setup Mode port:9999"

Wifi Passwords:​

Helps to find the cleartext wifi passwords in Shodan.
html:"def_wirelesspassword"

Misconfigured Wordpress Sites:​

The wp-config.php, if accessed, can give out the database credentials.
http.html:"* The wp-config.php creation script uses this file"

Outlook Web Access:​

Exchange 2007​

"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"

Exchange 2010​

"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392

Exchange 2013 / 2016​

"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"

Lync / Skype for Business​

"X-MS-Server-Fqdn"

Network Attached Storage (NAS)​

SMB (Samba) File Shares​

Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.
"Authentication: disabled" port:445

Specifically domain controllers:​

"Authentication: disabled" NETLOGON SYSVOL -unix port:445

Concerning default network shares of QuickBooks files:​

"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445

FTP Servers with Anonymous Login​

"220" "230 Login successful." port:21

Iomega / LenovoEMC NAS Drives​

"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"

Buffalo TeraStation NAS Drives​

Redirecting sencha port:9000

Logitech Media Servers​

"Server: Logitech Media Server" "200 OK"

Plex Media Servers​

"X-Plex-Protocol" "200 OK" port:32400

Tautulli / PlexPy Dashboards​

"CherryPy/5.1.0" "/home"

Home router attached USB​

"IPC$ all storage devices"

Webcams​

Generic camera search​

title:camera

Webcams with screenshots​

webcam has_screenshot:true

D-Link webcams​

"d-Link Internet Camera, 200 OK"

Hipcam​

"Hipcam RealServer/V1.0"

Yawcams​

"Server: yawcam" "Mime-Type: text/html"

webcamXP/webcam7​

("webcam 7" OR "webcamXP") http.component:"mootools" -401

Android IP Webcam Server​

"Server: IP Webcam Server" "200 OK"

Security DVRs​

html:"DVR_H264 ActiveX"

Surveillance Cams:​

With username:admin and password: :P
NETSurveillance uc-httpd
Server: uc-httpd 1.0.0

Printers & Copiers:​

HP Printers​

"Serial Number:" "Built:" "Server: HP HTTP"

Xerox Copiers/Printers​

ssl:"Xerox Generic Root"

Epson Printers​

"SERVER: EPSON_Linux UPnP" "200 OK"
"Server: EPSON-HTTP" "200 OK"

Canon Printers​

"Server: KS_HTTP" "200 OK"
"Server: CANON HTTP Server"

Home Devices​

Yamaha Stereos​

"Server: AV_Receiver" "HTTP/1.1 406"

Apple AirPlay Receivers​

Apple TVs, HomePods, etc.
"\x08_airplay" port:5353

Chromecasts / Smart TVs​

"Chromecast:" port:8008

Crestron Smart Home Controllers​

"Model: PYNG-HUB"

Random Stuff​

Calibre libraries​

"Server: calibre" http.status:200 http.title:calibre

OctoPrint 3D Printer Controllers​

title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944

Ethereum Miners

"ETH - Total speed"

Apache Directory Listings​

Substitute .pem with any extension or a filename like phpinfo.php.
http.title:"Index of /" http.html:".pem"

Misconfigured WordPress​

Exposed wp-config.php files containing database credentials.
http.html:"* The wp-config.php creation script uses this file"

Too Many Minecraft Servers​

"Minecraft Server" "protocol 340" port:25565

Literally Everything in North Korea​

net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24
 