IP addresses from subdomains

for i in $(cat subdomains.txt); do dig $i | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | grep -vE "10.*"; done

Search for all leaked keys/secrets using one regex

(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]

Shodan Dorks

Webcam searches

  1. title:camera – general search for anything matching the “camera” keyword.

  2. webcam has_screenshot:true – a general search for any IoT device identified as a webcam that has screenshots available.

  3. has_screenshot:true IP Webcam – another version of the above search, see how the results might differ?

  4. server: webcampxp – webcamXP is one of the most popular and commonly encountered network camera software for Windows OS.

  5. server: “webcam 7” – webcam 7 cameras; not as popular as the above type, but still they are still popular and encountered out there.

  6. title:”blue iris remote view” – webcams identified as belonging to the Blue Iris webcam remote management and monitoring service.

  7. title:”ui3 -“ – UI3 is a HTML5 web interface for Blue Iris mentioned above.

  8. title:”Network Camera VB-M600″ – Canon manufactured megapixel security cameras.

  9. product:”Yawcam webcam viewer httpd” – Yawcam stands for Yet Another WebCAM, free live streaming and webcam software.

  10. title:”IPCam Client” – IPCam Client webcam devices.

  11. server: GeoHttpServer – GeoVision (GeoHttpServer) Webcams, older webcam software with some had well documented vulnerabilities.

  12. server: VVTK-HTTP-Server – Vivotek IP cameras.

  13. title:”Avigilon” – access to the Avigilion brand camera and monitoring devices.

  14. ACTi – various IP camera and video management system products.

  15. WWW-Authenticate: “Merit LILIN Ent. Co., Ltd.” – a UK-based house automation / IP camera provider.

  16. title:”+tm01+” – unsecured Linksys webcams, a lot of them with screenshots.

  17. server: “i-Catcher Console” – another example of an IP-based CCTV system.

  18. Netwave IP Camera Content-Length: 2574 – access to the Netwave make IP cameras.

  19. 200 ok dvr port:”81″ – DVR CCTV cameras accessible via http.

  20. WVC80N – Linksys WVC80N cameras.

Explore further by these tags:




VOIP communication devices

  1. device:”voip” – general search for Voice over IP devices.

  2. device:”voip phone” – more specific search for anything VoIP containing a “phone” keyword.

  3. server: snom – Snom is a VoIP provider with some legacy devices online.

  4. “snom embedded 200 OK” – Snom devices with enabled authentication.

  5. AddPac – an older VoIP provider, nearly exclusively legacy devices.

  6. mcu: tandberg – Tandberg is a hardware manufacturer of multi-point control units for video conferencing.

  7. title:”polycom” – Polycom is another VoIP communication brand.

  8. title:”openstage” – Siemens Openstage brand IP phones.

  9. 39 voip – some more VoIP services, mostly behind login screens

  10. Server: MSOS/2.0 mawebserver/1.1 – VoIP media gateway, commonly used by services such as Patton SN4112 FXO.

Explore further by the VOIP tag:

Database searches

  1. product:MySQL – broad search for MySQL databases.

  2. mongodb port:27017 – MongoDB databases on their default port. Unsecured by default.

  3. “MongoDB Server Information” port:27017 – another variation of the above search.

  4. kibana content-length:217 – Kibana dashboards accessible without authentication.

  5. port:”9200″ all:elastic – Elasticsearch open databases.

  6. port:5432 PostgreSQL – remote connections to PostgreSQL servers.

  7. product:”CouchDB” – Apache CouchDB databases listed.

  8. port:”5984″+Server: “CouchDB/2.1.0” – vulnerable CouchDB where remote code execution may be possible.

Explore further by the DATABASE tag:

Maritime devices

  1. maritime – general search for anything related to maritime devices.

  2. sailor – another wide search, could yield unrelated results!

  3. org:marlink – general search; Marlink is the world’s largest maritime satellite communications provider.

  4. satcom – another maritime satellite communications services provider.

  5. inmarsat – as above, but a slightly less known equipment vendor.

  6. vsat – abbreviation for “very-small-aperture terminal”, a data transmitter / receiver commonly used by maritime vessels.

  7. ECDIS – abbreviation for Electronic Chart Display and Information Systems, used in navigation and autopilot systems.

  8. uhp vsat terminal software -password – satellite network router without a password.

  9. ssl:”Cobham SATCOM” – maritime radio and locations systems.

  10. title:”Slocum Fleet Mission Control” – maritime mission control software.

Explore further by the VSAT tag:

Files & directories

  1. http.title:”Index of /” – open lists of files and directories on various servers.

  2. port:80 title:”Index of /” – slight variation of the above, note how the results might differ.

  3. “220” “230 Login successful.” port:21 – FTP resources potentially accessible without login credentials.

  4. 230 ‘anonymous@’ login ok – anonymous login allowed to FTP resources.

  5. vsftpd 2.3.4 – legacy Linux based FTP service with a widely known security vulnerability

  6. ftp port:”10000″ – Network Data Management Protocol (NDMP), used for backup of network-attached storage (NAS) devices.

  7. “QuickBooks files OverNetwork” -unix port:445 – default settings for sharing QuickBooks files.

  8. filezilla port:”21″ – popular file sharing software Filezilla.

Explore further by these tags:



Legacy Windows operating systems

  1. os:”Windows 5.0″ – Windows 2000; support ended in 2010.

  2. os:”Windows 5.1″ – Windows XP; support ended in 2014.

  3. os:Windows 2003 – Windows Server 2003; support ended in 2015.

  4. os:”Windows Vista”– Windows Vista; support ended in 2017.

  5. os:Windows 2008 – Windows Server 2008; support ended in 2020.

  6. os:”Windows 7″ – Windows 7; support ended in 2020.

  7. os:”Windows 8″ – Windows 8; support ended in 2016.

  8. os:Windows 2011 – Windows Home Server 2011; support ended in 2016.

  9. os:”Windows 8.1″ – Windows 8.1; support ended in 2018.

  10. os:Windows 2012 – Windows Server 2012; support ended in 2018.

Explore further by the WINDOWS tag:

Default / generic credentials

  1. admin 1234 – basic very unsecure credentials.

  2. “default password” – speaks for itself…

  3. test test port:”80″ – generic test credentials over HTTP.

  4. “authentication disabled” “RFB 003.008” – no authentication necessary.

  5. root@” port:23 -login -password -name -Session – accounts already logged in with root privilege over Telnet, port 23.

  6. port:23 console gateway – remote access via Telnet, no password required.

  7. html:”def_wirelesspassword” – default login pages for routers.

  8. “polycom command shell” – possible authentication bypass to Polycom devices.

  9. “authentication disabled” port:5900,5901 – VNC services without authentication.

  10. “server: Bomgar” “200 OK” – Bomgar remote support service.

Explore further by the VNC tag:


  1. printer – general search for printers.

  2. “HP-ChaiSOE” port:”80″ – HP LaserJet printers accessible through HTTP.

  3. title:”syncthru web service” – older Samsung printers, not secured by default.

  4. “Location: /main/main.html” debut – admin pages of Brother printers, not secured.

  5. port:161 hp – HP printers that can be restarted remotely via port 161.

  6. port:23 “Password is not set” – open access via Telnet to printers without set passwords.

  7. “Laser Printer FTP Server” – printers accessible via FTP with anonymous login allowed.

  8. Printer Type: Lexmark – access to control panels for Lexmark make printers.

  9. http 200 server epson -upnp – HTTP accessible Epson printers.

  10. “Server: EPSON-HTTP” “200 OK” – another variation of the above search.

  11. ssl:”Xerox Generic Root” – remote access to Xerox printers.

  12. “Server: CANON HTTP Server” – Canon printer servers through HTTP connection.

Explore further by these tags:




Compromised devices and websites

  1. hacked – general search for the ‘hacked’ label.

  2. “hacked by” – another variation of the above search.

  3. http.title:”Hacked by” – another variation of the same search filter.

  4. http.title:”0wn3d by” – resourced labelled as ‘owned’ by a threat agent, hacker group, etc.

  5. “HACKED-ROUTER” – compromised routers, labelled accordingly.

  6. port:”27017″ “send_bitcoin_to_retrieve_the_data” – databases affected by ransomware, with the ransom demand still associated with them.

  7. bitcoin has_screenshot:true – searches for the ‘bitcoin’ keyword, where a screenshot is present (useful for RDP screens of endpoints infected with ransomware).

  8. port:4444 system32 – compromised legacy operating systems. Port 4444 is the default port for Meterpreter – a Metasploit attack payload with an interactive shell for remote code execution.

  9. “attention”+”encrypted”+port:3389 – ransomware infected RDP services.

  10. “HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD” – compromised hosts with the name changed to that phrase.

  11. “HACKED FTP server” – compromised FTP servers.

Explore further by the HACKED tag:


  1. solar – controls for solar panels and similar solar devices.

  2. “ETH – Total speed” – Ethereum cryptocurrency miners.

  3. http.title:”Nordex Control” – searches for Nordex wind turbine farms.

  4. “DICOM Server Response” port:104 – DICOM medical machinery.

  5. http.title:”Tesla” – anything with the term “Tesla” in the banner.

  6. “in-tank inventory” port:10001 – petrol pumps, including their physical addresses.

  7. http.title:”dashboard” – literally anything labelled ‘dashboard’, with many not accessible due to security by default.

  8. http.title:”control panel” – as above, but whatever is labelled as control panels.

Last updated