# Active

Resolve IP addresses from a list of subdomains (one hostname per line in `subdomains.txt`), dropping private 10.0.0.0/8 answers:

```
# +short prints only the answer section, so the resolver line (;; SERVER: 127.0.0.53#53) is never matched; the final grep drops 10.x.x.x only, not any address containing "10"
while read -r sub; do dig +short A "$sub" | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | grep -vE '^10\.'; done < subdomains.txt
```

Search for leaked keys/secrets using a single case-insensitive regex: it matches a known key name, an assignment operator and a quoted value of 8 to 64 characters

```
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]
```
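As an added example (not part of the original page), the regex above run over a constructed config snippet in Python; findings report the key name and line number with the value masked, so a CI or pre-commit scan does not re-leak what it finds. The sample lines are constructed: lines 1, 2 and 5 are flagged, line 3 has a value shorter than 8 characters and line 4 is an unquoted environment-variable reference, so neither matches.

```python
import re

# The page's secrets regex, copied verbatim (case-insensitive via the leading (?i)).
# Groups: 1 = key name plus filler, 2 = the bare key name, 3 = operator, 4 = quoted value.
SECRET_RE = re.compile(
    r"""(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]"""
)

# Constructed sample file (not real credentials). Expected: lines 1, 2 and 5 flagged.
SAMPLE_CONFIG = """\
DB_PASSWORD="s3cr3tP4ssw0rd_2024"
api_key: 'abcd1234efgh5678'
consumer_key = "short"
access_token = ${ACCESS_TOKEN}
aws_secret_key => "AbCdEf0123456789AbCdEf01"
"""


def mask(value: str, keep: int = 4) -> str:
    """Keep only the first few characters so the report itself does not leak the secret."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(text: str) -> list[dict]:
    """Run the regex over every line; return one finding per match with the value masked.

    Group 1 (key name plus any filler the regex consumed) is stripped and lower-cased,
    because the alternation may stop at a prefix such as "aws_secret" and leave "_key"
    in the filler part.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_RE.finditer(line):
            findings.append({
                "line": lineno,
                "key": m.group(1).strip().lower(),
                "masked": mask(m.group(4)),
            })
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['key']} = {f['masked']}")
```

Note that broad alternatives such as `config` and `credentials` make the regex noisy on real repositories, so treat hits as candidates for review, not confirmed leaks.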

## Shodan Dorks

#### Webcam searches

1. [title:camera](https://www.shodan.io/search?query=title%3Acamera) – general search for anything matching the "camera" keyword.
2. [webcam has\_screenshot:true](https://www.shodan.io/search?query=webcam+has_screenshot%3Atrue) – a general search for any IoT device identified as a webcam that has screenshots available.
3. [has\_screenshot:true IP Webcam](https://www.shodan.io/search?query=has_screenshot%3Atrue+IP+Webcam) – another version of the above search; note how the results differ.
4. [server: webcamxp](https://www.shodan.io/search?query=server%3A+webcamxp) – webcamXP is one of the most popular and commonly encountered network camera software packages for Windows.
5. [server: "webcam 7"](https://www.shodan.io/search?query=server%3A+%22webcam+7%22) – webcam 7 cameras; not as popular as the above type, but still commonly encountered.
6. [title:"blue iris remote view"](https://www.shodan.io/search?query=title%3A%22blue+iris+remote+view%22) – webcams identified as belonging to the [Blue Iris](https://blueirissoftware.com/) webcam remote management and monitoring service.
7. [title:"ui3 -"](https://www.shodan.io/search?query=title%3A%22ui3+-%22) – UI3 is an HTML5 web interface for Blue Iris, mentioned above.
8. [title:"Network Camera VB-M600"](https://www.shodan.io/search?query=title%3A%22Network+Camera+VB-M600%22) – Canon-manufactured megapixel security cameras.
9. [product:"Yawcam webcam viewer httpd"](https://www.shodan.io/search?query=product%3A%22Yawcam+webcam+viewer+httpd%22) – Yawcam stands for Yet Another WebCAM, free live streaming and webcam software.
10. [title:"IPCam Client"](https://www.shodan.io/search?query=title%3A%22IPCam+Client%22) – IPCam Client webcam devices.
11. [server: GeoHttpServer](https://www.shodan.io/search?query=Server%3A+GeoHttpServer) – GeoVision (GeoHttpServer) webcams; older webcam software, some versions of which have well-documented vulnerabilities.
12. [server: VVTK-HTTP-Server](https://www.shodan.io/search?query=server%3A+VVTK-HTTP-Server) – Vivotek IP cameras.
13. [title:"Avigilon"](https://www.shodan.io/search?query=title%3A%22Avigilon%22) – Avigilon brand camera and monitoring devices.
14. [ACTi](https://www.shodan.io/search?query=ACTi) – various IP camera and video management system products.
15. [WWW-Authenticate: "Merit LILIN Ent. Co., Ltd."](https://www.shodan.io/search?query=WWW-Authenticate%3A+%22Merit+LILIN+Ent.+Co.%2C+Ltd.%22) – a UK-based house automation / IP camera provider.
16. [title:"+tm01+"](https://www.shodan.io/search?query=title%3A%22%2Btm01%2B%22) – unsecured Linksys webcams, many of them with screenshots.
17. [server: "i-Catcher Console"](https://www.shodan.io/search?query=server%3A+%22i-Catcher+Console%22) – another example of an IP-based CCTV system.
18. [Netwave IP Camera Content-Length: 2574](https://www.shodan.io/search?query=Netwave+IP+Camera+Content-Length%3A+2574) – Netwave make IP cameras.
19. [200 ok dvr port:"81"](https://www.shodan.io/search?query=200+ok+dvr+port%3A%2281%22) – DVR CCTV cameras accessible via HTTP.
20. [WVC80N](https://www.shodan.io/search?query=WVC80N) – Linksys WVC80N cameras.


Explore further by these tags:

WEBCAM: <https://www.shodan.io/explore/tag/webcam>

CAM: <https://www.shodan.io/explore/tag/cam>

CAMERA: <https://www.shodan.io/explore/tag/camera>

<figure><img src="https://www.osintme.com/wp-content/uploads/2020/10/webcam-shodan-search-osint.png" alt=""><figcaption></figcaption></figure>

#### VOIP communication devices

1. [device:"voip"](https://www.shodan.io/search?query=device%3A%22voip%22) – general search for Voice over IP devices.
2. [device:"voip phone"](https://www.shodan.io/search?query=device%3A%22voip+phone%22) – more specific search for anything VoIP containing a "phone" keyword.
3. [server: snom](https://www.shodan.io/search?query=server%3A+snom) – Snom is a VoIP provider with some legacy devices online.
4. ["snom embedded 200 OK"](https://www.shodan.io/search?query=%22snom+embedded+200+OK%22) – Snom devices with authentication enabled.
5. [AddPac](https://www.shodan.io/search?query=AddPac) – an older VoIP provider, nearly exclusively legacy devices.
6. [mcu: tandberg](https://www.shodan.io/search?query=mcu%3A+tandberg) – Tandberg is a hardware manufacturer of multipoint control units for video conferencing.
7. [title:"polycom"](https://www.shodan.io/search?query=title%3A%22polycom%22) – Polycom is another VoIP communication brand.
8. [title:"openstage"](https://www.shodan.io/search?query=title%3A%22openstage%22) – Siemens OpenStage brand IP phones.
9. [39 voip](https://www.shodan.io/search?query=39+voip) – some more VoIP services, mostly behind login screens.
10. [Server: MSOS/2.0 mawebserver/1.1](https://www.shodan.io/search?query=Server%3A+MSOS%2F2.0+mawebserver%2F1.1) – VoIP media gateway, commonly used by devices such as the Patton SN4112 FXO.


Explore further by the VOIP tag: <https://www.shodan.io/explore/tag/voip>

![](https://www.osintme.com/wp-content/uploads/2021/01/Patton-VoIP.png)

#### Database searches

1. [product:MySQL](https://www.shodan.io/search?query=product%3AMySQL) – broad search for MySQL databases.
2. [mongodb port:27017](https://www.shodan.io/search?query=mongodb+port%3A27017) – MongoDB databases on their default port; unsecured by default.
3. ["MongoDB Server Information" port:27017](https://www.shodan.io/search?query=%22MongoDB+Server+Information%22+port%3A27017) – another variation of the above search.
4. ["MongoDB Server Information { "metrics":"](https://www.shodan.io/search?query=%22MongoDB+Server+Information+%7B+++++%22metrics%22%3A%22) – fully open MongoDB instances.
5. ["Set-Cookie: mongo-express=" "200 OK"](https://www.shodan.io/search?query=%22Set-Cookie%3A+mongo-express%3D%22+%22200+OK%22) – MongoDB open databases.
6. [kibana content-length:217](https://www.shodan.io/search?query=kibana+content-length%3A217) – Kibana dashboards accessible without authentication.
7. [port:"9200" all:elastic](https://www.shodan.io/search?query=port%3A%229200%22+all%3Aelastic) – Elasticsearch open databases.
8. [port:5432 PostgreSQL](https://www.shodan.io/search?query=port%3A5432+PostgreSQL) – remote connections to PostgreSQL servers.
9. [product:"CouchDB"](https://www.shodan.io/search?query=product%3A%22CouchDB%22) – Apache CouchDB databases listed.
10. [port:"5984"+Server: "CouchDB/2.1.0"](https://www.shodan.io/search?query=port%3A%225984%22%2BServer%3A+%22CouchDB%2F2.1.0%22) – vulnerable CouchDB versions where remote code execution may be possible.


Explore further by the DATABASE tag: <https://www.shodan.io/explore/tag/database>

![](https://www.osintme.com/wp-content/uploads/2020/10/kibana-shodan-search-osint.png)

#### Maritime devices

1. [maritime](https://www.shodan.io/search?query=maritime) – general search for anything related to maritime devices.
2. [sailor](https://www.shodan.io/search?query=sailor) – another wide search; it could yield unrelated results!
3. [org:marlink](https://www.shodan.io/search?query=org%3Amarlink) – general search; Marlink is the world's largest maritime satellite communications provider.
4. [satcom](https://www.shodan.io/search?query=satcom) – another maritime satellite communications services provider.
5. [inmarsat](https://www.shodan.io/search?query=inmarsat) – as above, but a slightly less well-known equipment vendor.
6. [vsat](https://www.shodan.io/search?query=vsat) – abbreviation for "very-small-aperture terminal", a data transmitter / receiver commonly used by maritime vessels.
7. [ECDIS](https://www.shodan.io/search?query=ECDIS) – abbreviation for Electronic Chart Display and Information System, used in navigation and autopilot systems.
8. [uhp vsat terminal software -password](https://www.shodan.io/search?query=uhp+vsat+terminal+software+-password) – satellite network routers without a password.
9. [ssl:"Cobham SATCOM"](https://www.shodan.io/search?query=ssl%3A%22Cobham+SATCOM%22) – maritime radio and location systems.
10. [title:"Slocum Fleet Mission Control"](https://www.shodan.io/search?query=title%3A%22Slocum+Fleet+Mission+Control%22) – maritime mission control software.


Explore further by the VSAT tag: <https://www.shodan.io/explore/tag/vsat>

#### Files & directories

1. [http.title:"Index of /"](https://www.shodan.io/search?query=http.title%3A%22Index+of+%2F%22) – open listings of files and directories on various servers.
2. [port:80 title:"Index of /"](https://www.shodan.io/search?query=port%3A80+title%3A%22Index+of+%2F%22) – slight variation of the above; note how the results differ.
3. ["220" "230 Login successful." port:21](https://www.shodan.io/search?query=%22220%22+%22230+Login+successful.%22+port%3A21) – FTP resources potentially accessible without login credentials.
4. [230 'anonymous@' login ok](https://www.shodan.io/search?query=230+%27anonymous%40%27+login+ok) – FTP resources that allow anonymous login.
5. ["Anonymous+access+allowed" port:"21"](https://www.shodan.io/search?query=%22Anonymous%2Baccess%2Ballowed%22+port%3A%2221%22) – as above.
6. [vsftpd 2.3.4](https://www.shodan.io/search?query=Vsftpd+2.3.4) – legacy Linux-based FTP service with a widely known security vulnerability.
7. [ftp port:"10000"](https://www.shodan.io/search?query=ftp+port%3A%2210000%22) – Network Data Management Protocol (NDMP), used for backup of network-attached storage (NAS) devices.
8. ["Authentication: disabled" port:445 product:"Samba"](https://www.shodan.io/search?query=%22Authentication%3A+disabled%22+port%3A445+product%3A%22Samba%22) – SMB file sharing with authentication disabled.
9. ["QuickBooks files OverNetwork" -unix port:445](https://www.shodan.io/search?query=%22QuickBooks+files+OverNetwork%22+-unix+port%3A445) – default settings for sharing QuickBooks files.
10. [filezilla port:"21"](https://www.shodan.io/search?query=filezilla+port%3A%2221%22) – the popular file transfer software FileZilla.


Explore further by these tags:

FTP: <https://www.shodan.io/explore/tag/ftp>

SMB: <https://www.shodan.io/explore/tag/smb>

#### Legacy Windows operating systems

1. [os:"Windows 5.0"](https://www.shodan.io/search?query=os%3A%22Windows+5.0%22) – Windows 2000; support ended in 2010.
2. [os:"Windows 5.1"](https://www.shodan.io/search?query=os%3A%22Windows+5.1%22) – Windows XP; support ended in 2014.
3. [os:Windows 2003](https://www.shodan.io/search?query=os%3AWindows+2003) – Windows Server 2003; support ended in 2015.
4. [os:"Windows Vista"](https://www.shodan.io/search?query=os%3A%22Windows+Vista%22) – Windows Vista; support ended in 2017.
5. [os:Windows 2008](https://www.shodan.io/search?query=os%3AWindows+2008) – Windows Server 2008; support ended in 2020.
6. [os:"Windows 7"](https://www.shodan.io/search?query=os%3A%22Windows+7%22) – Windows 7; support ended in 2020.
7. [os:"Windows 8"](https://www.shodan.io/search?query=os%3A%22Windows+8%22) – Windows 8; support ended in 2016.
8. [os:Windows 2011](https://www.shodan.io/search?query=os%3AWindows+2011) – Windows Home Server 2011; support ended in 2016.
9. [os:"Windows 8.1"](https://www.shodan.io/search?query=os%3A%22Windows+8.1%22) – Windows 8.1; support ended in 2018.
10. [os:Windows 2012](https://www.shodan.io/search?query=os%3AWindows+2012) – Windows Server 2012; support ended in 2018.


Explore further by the WINDOWS tag: <https://www.shodan.io/explore/tag/windows>

#### Default / generic credentials

1. [admin 1234](https://www.shodan.io/search?query=admin+1234) – basic, very insecure credentials.
2. ["default password"](https://www.shodan.io/search?query=%22default+password%22) – speaks for itself…
3. [test test port:"80"](https://www.shodan.io/search?query=test+test+port%3A%2280%22) – generic test credentials over HTTP.
4. ["authentication disabled" "RFB 003.008"](https://www.shodan.io/search?query=%22authentication+disabled%22+%22RFB+003.008%22) – no authentication necessary.
5. ["root@" port:23 -login -password -name -Session](https://www.shodan.io/search?query=%22root%40%22+port%3A23+-login+-password+-name+-Session) – accounts already logged in with root privilege over Telnet, port 23.
6. [port:23 console gateway](https://www.shodan.io/search?query=port%3A23+console+gateway) – remote access via Telnet, no password required.
7. [html:"def\_wirelesspassword"](https://www.shodan.io/search?query=html%3A%22def_wirelesspassword%22) – default login pages for routers.
8. ["polycom command shell"](https://www.shodan.io/search?query=%22polycom+command+shell%22) – possible authentication bypass on Polycom devices.
9. ["authentication disabled" port:5900,5901](https://www.shodan.io/search?query=%22authentication+disabled%22+port%3A5900%2C5901) – VNC services without authentication.
10. ["server: Bomgar" "200 OK"](https://www.shodan.io/search?query=%22server%3A+Bomgar%22+%22200+OK%22) – Bomgar remote support service.


Explore further by the VNC tag: <https://www.shodan.io/explore/tag/vnc>

![](https://www.osintme.com/wp-content/uploads/2021/01/Bomgar-remote-not-secure.png)

#### Printers

1. [printer](https://www.shodan.io/search?query=printer) – general search for printers.
2. ["HP-ChaiSOE" port:"80"](https://www.shodan.io/search?query=%22HP-ChaiSOE%22+port%3A%2280%22) – HP LaserJet printers accessible through HTTP.
3. [title:"syncthru web service"](https://www.shodan.io/search?query=title%3A%22syncthru+web+service%22) – older Samsung printers, not secured by default.
4. ["Location: /main/main.html" debut](https://www.shodan.io/search?query=%22Location%3A+%2Fmain%2Fmain.html%22+debut) – admin pages of Brother printers, not secured.
5. [port:161 hp](https://www.shodan.io/search?query=port%3A161+hp) – HP printers that can be restarted remotely via port 161 (SNMP).
6. [port:23 "Password is not set"](https://www.shodan.io/search?query=port%3A23+%22Password+is+not+set%22) – open access via Telnet to printers without a password set.
7. ["Laser Printer FTP Server"](https://www.shodan.io/search?query=%22Laser+Printer+FTP+Server%22) – printers accessible via FTP with anonymous login allowed.
8. [Printer Type: Lexmark](https://www.shodan.io/search?query=Printer+Type%3A+Lexmark) – control panels of Lexmark make printers.
9. [http 200 server epson -upnp](https://www.shodan.io/search?query=http+200+server+epson+-upnp) – HTTP-accessible Epson printers.
10. ["Server: EPSON-HTTP" "200 OK"](https://www.shodan.io/search?query=%22Server%3A+EPSON-HTTP%22+%22200+OK%22) – another variation of the above search.
11. [ssl:"Xerox Generic Root"](https://www.shodan.io/search?query=ssl%3A%22Xerox+Generic+Root%22) – remote access to Xerox printers.
12. ["Server: CANON HTTP Server"](https://www.shodan.io/search?query=%22Server%3A+CANON+HTTP+Server%22) – Canon printer servers over an HTTP connection.


Explore further by these tags:

PRINTER: <https://www.shodan.io/explore/tag/printer>

PRINTERS: <https://www.shodan.io/explore/tag/printers>

PRINT SERVER: <https://www.shodan.io/explore/tag/print%20server>

#### Compromised devices and websites

1. [hacked](https://www.shodan.io/search?query=hacked) – general search for the "hacked" label.
2. ["hacked by"](https://www.shodan.io/search?query=%22hacked+by%22) – another variation of the above search.
3. [http.title:"Hacked by"](https://www.shodan.io/search?query=http.title%3A%22Hacked+by%22) – another variation of the same search filter.
4. [http.title:"0wn3d by"](https://www.shodan.io/search?query=http.title%3A%220wn3d+by%22) – resources labelled as "owned" by a threat actor, hacker group, etc.
5. ["HACKED-ROUTER"](https://www.shodan.io/search?query=%22HACKED-ROUTER%22) – compromised routers, labelled accordingly.
6. [port:"27017" "send\_bitcoin\_to\_retrieve\_the\_data"](https://www.shodan.io/search?query=port%3A%2227017%22+%22send_bitcoin_to_retrieve_the_data%22) – databases affected by ransomware, with the ransom demand still associated with them.
7. [bitcoin has\_screenshot:true](https://www.shodan.io/search?query=bitcoin+has_screenshot%3Atrue) – searches for the "bitcoin" keyword where a screenshot is present (useful for RDP screens of endpoints infected with ransomware).
8. [port:4444 system32](https://www.shodan.io/search?query=port%3A4444+system32) – compromised legacy operating systems. Port 4444 is the default port for Meterpreter, a Metasploit attack payload with an interactive shell for remote code execution.
9. ["attention"+"encrypted"+port:3389](https://www.shodan.io/search?query=%22attention%22%2B%22encrypted%22%2Bport%3A3389) – ransomware-infected RDP services.
10. ["HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD"](https://www.shodan.io/search?query=%22HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD%22) – compromised hosts with the name changed to that phrase.
11. ["HACKED FTP server"](https://www.shodan.io/search?query=%22HACKED+FTP+server%22+) – compromised FTP servers.


Explore further by the HACKED tag: <https://www.shodan.io/explore/tag/hacked>

![](https://www.osintme.com/wp-content/uploads/2021/01/ransomware-osint-shodan.png)

#### Miscellaneous

1. [solar](https://www.shodan.io/search?query=solar) – controls for solar panels and similar solar devices.
2. ["ETH - Total speed"](https://www.shodan.io/search?query=%22ETH+-+Total+speed%22) – Ethereum cryptocurrency miners.
3. [http.html:"\* The wp-config.php creation script uses this file"](https://www.shodan.io/search?query=http.html%3A%22*+The+wp-config.php+creation+script+uses+this+file%22) – misconfigured WordPress websites.
4. [http.title:"Nordex Control"](https://www.shodan.io/search?query=http.title%3A%22Nordex+Control%22) – searches for Nordex wind turbine farms.
5. ["Server: EIG Embedded Web Server" "200 Document follows"](https://www.shodan.io/search?query=%22Server%3A+EIG+Embedded+Web+Server%22+%22200+Document+follows%22) – EIG electricity meters.
6. ["DICOM Server Response" port:104](https://www.shodan.io/search?query=%22DICOM+Server+Response%22+port%3A104) – DICOM medical machinery.
7. [http.title:"Tesla"](https://www.shodan.io/search?query=http.title%3A%22Tesla%22) – anything with the term "Tesla" in the banner.
8. ["in-tank inventory" port:10001](https://www.shodan.io/search?query=%22in-tank+inventory%22+port%3A10001) – petrol pumps, including their physical addresses.
9. [http.title:"dashboard"](https://www.shodan.io/search?query=http.title%3A%22dashboard%22) – literally anything labelled "dashboard"; many are not accessible because they are secured by default.
10. [http.title:"control panel"](https://www.shodan.io/search?query=http.title%3A%22control+panel%22) – as above, but for whatever is labelled as a control panel.

Source: <https://www.osintme.com/index.php/2021/01/16/ultimate-osint-with-shodan-100-great-shodan-queries/>
