Recon: Active

Last updated 2 years ago

IP addresses from subdomains

# Resolve every hostname in subdomains.txt and print its A records, dropping 10.0.0.0/8 addresses.
# dig +short keeps the answer section only, the anchored pattern skips CNAME lines,
# and ^10\. drops only the internal range instead of any address containing "10".
while read -r host; do dig +short "$host" A | grep -oE '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | grep -vE '^10\.'; done < subdomains.txt
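Added example, not from the original cheat sheet: a Python version of the same step that resolves the hosts in subdomains.txt and filters all RFC 1918 and other internal ranges rather than only 10.x, which generalizes the one-liner above. The dig output sample and the example.com hostnames are constructed; no real hosts are queried by the sample.

```python
import ipaddress
import re
import socket

# Loose IPv4 matcher, same idea as the grep in the one-liner above.
IPV4_RE = re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b")
# Ranges never interesting as internet-facing assets. grep -v "10.*" covers only the
# first and, being a substring match, also throws away public addresses that merely
# contain "10", such as 203.0.113.10 or 198.51.100.7.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]

def public_ipv4s(text):
    """Extract IPv4 addresses from resolver output, dropping internal ranges and duplicates."""
    found = []
    for raw in IPV4_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(raw)
        except ValueError:  # e.g. 999.1.1.1 passes the loose regex
            continue
        if any(ip in net for net in INTERNAL) or str(ip) in found:
            continue
        found.append(str(ip))
    return found

def resolve_subdomains(path):
    """Map each hostname listed in `path` to its public IPv4s (this part needs DNS access)."""
    result = {}
    with open(path) as fh:
        for line in fh:
            host = line.strip()
            if not host:
                continue
            try:
                addrs = socket.gethostbyname_ex(host)[2]
            except OSError:  # NXDOMAIN, timeout, etc.
                addrs = []
            result[host] = public_ipv4s("\n".join(addrs))
    return result

# Constructed dig output (no real hosts). The 10.x answer is internal, and the resolver
# line at the bottom is what a plain grep over full dig output also picks up.
SAMPLE_DIG = """\
;; ANSWER SECTION:
dev.example.com.   300 IN A 10.1.2.3
www.example.com.   300 IN A 203.0.113.10
cdn.example.com.   300 IN A 198.51.100.7
;; SERVER: 127.0.0.53#53(127.0.0.53)
"""
```

Run `public_ipv4s(SAMPLE_DIG)` to see the filtering on the sample, or `resolve_subdomains("subdomains.txt")` against a real list.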

Search for all leaked keys/secrets using one regex

(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]
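As an added example (not part of the original page), the following Python script applies a cut-down version of the regex above to a constructed config fragment and masks what it finds. The key alternation is trimmed to a few names so the structure stays readable; the sample lines are made up to show a plain hit, a suffixed key, a false positive and two misses.

```python
import re

# Condensed form of the page's leaked-secret regex: same shape (key name, optional
# suffix, assignment operator, up to 5 filler chars, quoted 8-64 char value), with the
# key alternation cut down to a few names so the structure is readable.
SECRET_RE = re.compile(
    r"(?i)((aws_access_key_id|aws_secret_key|api_key|db_password|client_secret"
    r"|config|credentials)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}"
    r"['\"]([0-9a-zA-Z\-_=]{8,64})['\"]"
)

def mask(value):
    """Keep the first 4 characters so a hit can be triaged without logging the secret."""
    return value[:4] + "*" * (len(value) - 4)

def find_secrets(text):
    """Return (line_no, key_name, masked_value) for every match in `text`."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SECRET_RE.finditer(line):
            hits.append((lineno, m.group(2).lower(), mask(m.group(4))))
    return hits

# Constructed sample resembling a leaked .env file; none of these are real credentials.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "EXAMPLEKEYID1234"
db_password: 'hunter2'
API_KEY_PROD => "abcdefgh1234"
config = "production-eu1"
aws_secret_key = UNQUOTEDEXAMPLEVALUE
"""

# What the sample shows about the regex:
#  - lines 1 and 3 are hits (the key may carry a suffix such as _PROD)
#  - line 2 is missed: the value is shorter than the 8-character floor
#  - line 4 is a false positive: 'config' is in the key list, so any quoted
#    config string matches; expect to tune the list for the code base at hand
#  - line 5 is missed: the value must be quoted
if __name__ == "__main__":
    for lineno, key, masked in find_secrets(SAMPLE):
        print(f"line {lineno}: {key} = {masked}")
```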

Shodan Dorks

Webcam searches

  1. title:camera – general search for anything matching the “camera” keyword.

  2. webcam has_screenshot:true – a general search for any IoT device identified as a webcam that has screenshots available.

  3. has_screenshot:true IP Webcam – another version of the above search; note how the results differ.

  4. server: webcampxp – webcamXP is one of the most popular and commonly encountered network camera software packages for Windows.

  5. server: "webcam 7" – webcam 7 cameras; not as popular as the above type, but still common out there.

  6. title:"blue iris remote view" – webcams identified as belonging to the Blue Iris webcam remote management and monitoring service.

  7. title:"ui3 -" – UI3 is an HTML5 web interface for Blue Iris, mentioned above.

  8. title:"Network Camera VB-M600" – Canon-manufactured megapixel security cameras.

  9. product:"Yawcam webcam viewer httpd" – Yawcam stands for Yet Another WebCAM, free live streaming and webcam software.

  10. title:"IPCam Client" – IPCam Client webcam devices.

  11. server: GeoHttpServer – GeoVision (GeoHttpServer) webcams, older webcam software, some with well-documented vulnerabilities.

  12. server: VVTK-HTTP-Server – Vivotek IP cameras.

  13. title:"Avigilon" – access to Avigilon brand camera and monitoring devices.

  14. ACTi – various IP camera and video management system products.

  15. WWW-Authenticate: "Merit LILIN Ent. Co., Ltd." – a UK-based house automation / IP camera provider.

  16. title:"+tm01+" – unsecured Linksys webcams, many of them with screenshots.

  17. server: "i-Catcher Console" – another example of an IP-based CCTV system.

  18. Netwave IP Camera Content-Length: 2574 – access to Netwave make IP cameras.

  19. 200 ok dvr port:"81" – DVR CCTV cameras accessible via HTTP.

  20. WVC80N – Linksys WVC80N cameras.

Explore further by these tags:

WEBCAM: https://www.shodan.io/explore/tag/webcam
CAM: https://www.shodan.io/explore/tag/cam
CAMERA: https://www.shodan.io/explore/tag/camera

VOIP communication devices

device:"voip" – general search for Voice over IP devices.

device:"voip phone" – more specific search for anything VoIP containing a “phone” keyword.

server: snom – Snom is a VoIP provider with some legacy devices online.

"snom embedded 200 OK" – Snom devices with authentication enabled.

AddPac – an older VoIP provider, nearly exclusively legacy devices.

mcu: tandberg – Tandberg is a hardware manufacturer of multi-point control units for video conferencing.

title:"polycom" – Polycom is another VoIP communication brand.

title:"openstage" – Siemens Openstage brand IP phones.

39 voip – some more VoIP services, mostly behind login screens.

Server: MSOS/2.0 mawebserver/1.1 – VoIP media gateway, commonly used by devices such as the Patton SN4112 FXO.

Explore further by the VOIP tag: https://www.shodan.io/explore/tag/voip

Database searches

product:MySQL – broad search for MySQL databases.

mongodb port:27017 – MongoDB databases on their default port. Unsecured by default.

"MongoDB Server Information" port:27017 – another variation of the above search.

"MongoDB Server Information { "metrics":" – fully open MongoDBs.

"Set-Cookie: mongo-express=" "200 OK" – MongoDB open databases.

kibana content-length:217 – Kibana dashboards accessible without authentication.

port:"9200" all:elastic – Elasticsearch open databases.

port:5432 PostgreSQL – remote connections to PostgreSQL servers.

product:"CouchDB" – Apache CouchDB databases listed.

port:"5984"+Server: "CouchDB/2.1.0" – vulnerable CouchDB where remote code execution may be possible.

Explore further by the DATABASE tag: https://www.shodan.io/explore/tag/database

Maritime devices

maritime – general search for anything related to maritime devices.

sailor – another wide search; could yield unrelated results!

org:marlink – general search; Marlink is the world’s largest maritime satellite communications provider.

satcom – another maritime satellite communications services provider.

inmarsat – as above, but a slightly less known equipment vendor.

vsat – abbreviation for “very-small-aperture terminal”, a data transmitter / receiver commonly used by maritime vessels.

ECDIS – abbreviation for Electronic Chart Display and Information Systems, used in navigation and autopilot systems.

uhp vsat terminal software -password – satellite network router without a password.

ssl:"Cobham SATCOM" – maritime radio and location systems.

title:"Slocum Fleet Mission Control" – maritime mission control software.

Explore further by the VSAT tag: https://www.shodan.io/explore/tag/vsat

Files & directories

http.title:"Index of /" – open lists of files and directories on various servers.

port:80 title:"Index of /" – slight variation of the above; note how the results might differ.

"220" "230 Login successful." port:21 – FTP resources potentially accessible without login credentials.

230 'anonymous@' login ok – anonymous login allowed to FTP resources.

"Anonymous+access+allowed" port:"21" – as above.

vsftpd 2.3.4 – legacy Linux-based FTP service with a widely known security vulnerability.

ftp port:"10000" – Network Data Management Protocol (NDMP), used for backup of network-attached storage (NAS) devices.

"Authentication: disabled" port:445 product:"Samba" – SMB file sharing.

"QuickBooks files OverNetwork" -unix port:445 – default settings for sharing QuickBooks files.

filezilla port:"21" – popular file sharing software FileZilla.

Explore further by these tags:

FTP: https://www.shodan.io/explore/tag/ftp
SMB: https://www.shodan.io/explore/tag/smb

Legacy Windows operating systems

os:"Windows 5.0" – Windows 2000; support ended in 2010.

os:"Windows 5.1" – Windows XP; support ended in 2014.

os:Windows 2003 – Windows Server 2003; support ended in 2015.

os:"Windows Vista" – Windows Vista; support ended in 2017.

os:Windows 2008 – Windows Server 2008; support ended in 2020.

os:"Windows 7" – Windows 7; support ended in 2020.

os:"Windows 8" – Windows 8; support ended in 2016.

os:Windows 2011 – Windows Home Server 2011; support ended in 2016.

os:"Windows 8.1" – Windows 8.1; support ended in 2018.

os:Windows 2012 – Windows Server 2012; support ended in 2018.

Explore further by the WINDOWS tag: https://www.shodan.io/explore/tag/windows

Default / generic credentials

admin 1234 – basic, very insecure credentials.

"default password" – speaks for itself…

test test port:"80" – generic test credentials over HTTP.

"authentication disabled" "RFB 003.008" – no authentication necessary.

"root@" port:23 -login -password -name -Session – accounts already logged in with root privilege over Telnet, port 23.

port:23 console gateway – remote access via Telnet, no password required.

html:"def_wirelesspassword" – default login pages for routers.

"polycom command shell" – possible authentication bypass to Polycom devices.

"authentication disabled" port:5900,5901 – VNC services without authentication.

"server: Bomgar" "200 OK" – Bomgar remote support service.

Explore further by the VNC tag: https://www.shodan.io/explore/tag/vnc

Printers

printer – general search for printers.

"HP-ChaiSOE" port:"80" – HP LaserJet printers accessible through HTTP.

title:"syncthru web service" – older Samsung printers, not secured by default.

"Location: /main/main.html" debut – admin pages of Brother printers, not secured.

port:161 hp – HP printers that can be restarted remotely via port 161.

port:23 "Password is not set" – open access via Telnet to printers without set passwords.

"Laser Printer FTP Server" – printers accessible via FTP with anonymous login allowed.

Printer Type: Lexmark – access to control panels for Lexmark make printers.

http 200 server epson -upnp – HTTP accessible Epson printers.

"Server: EPSON-HTTP" "200 OK" – another variation of the above search.

ssl:"Xerox Generic Root" – remote access to Xerox printers.

"Server: CANON HTTP Server" – Canon printer servers through HTTP connection.

Explore further by these tags:

PRINTER: https://www.shodan.io/explore/tag/printer
PRINTERS: https://www.shodan.io/explore/tag/printers
PRINT SERVER: https://www.shodan.io/explore/tag/print%20server

Compromised devices and websites

hacked – general search for the ‘hacked’ label.

"hacked by" – another variation of the above search.

http.title:"Hacked by" – another variation of the same search filter.

http.title:"0wn3d by" – resources labelled as ‘owned’ by a threat agent, hacker group, etc.

"HACKED-ROUTER" – compromised routers, labelled accordingly.

port:"27017" "send_bitcoin_to_retrieve_the_data" – databases affected by ransomware, with the ransom demand still associated with them.

bitcoin has_screenshot:true – searches for the ‘bitcoin’ keyword where a screenshot is present (useful for RDP screens of endpoints infected with ransomware).

port:4444 system32 – compromised legacy operating systems. Port 4444 is the default port for Meterpreter, a Metasploit attack payload with an interactive shell for remote code execution.

"attention"+"encrypted"+port:3389 – ransomware-infected RDP services.

"HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD" – compromised hosts with the name changed to that phrase.

"HACKED FTP server" – compromised FTP servers.

Explore further by the HACKED tag: https://www.shodan.io/explore/tag/hacked

Miscellaneous

solar – controls for solar panels and similar solar devices.

"ETH – Total speed" – Ethereum cryptocurrency miners.

http.html:"* The wp-config.php creation script uses this file" – misconfigured WordPress websites.

http.title:"Nordex Control" – searches for Nordex wind turbine farms.

"Server: EIG Embedded Web Server" "200 Document follows" – EIG electricity meters.

"DICOM Server Response" port:104 – DICOM medical machinery.

http.title:"Tesla" – anything with the term “Tesla” in the banner.

"in-tank inventory" port:10001 – petrol pumps, including their physical addresses.

http.title:"dashboard" – literally anything labelled ‘dashboard’, with many not accessible due to security by default.

http.title:"control panel" – as above, but for whatever is labelled as a control panel.

Source: https://www.osintme.com/index.php/2021/01/16/ultimate-osint-with-shodan-100-great-shodan-queries/