Links

Active

IP addresses from subdomains
while read -r d; do dig +short A "$d" | grep -E '^[0-9]+(\.[0-9]+){3}$' | grep -vE '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)'; done < subdomains.txt
The +short flag prints only the answer section, so the resolver's own address in the ";; SERVER:" line is not picked up and CNAME targets are dropped by the IPv4 filter; the last grep excludes all three RFC 1918 ranges, whereas the pattern "10.*" discards every line that merely contains "10".
Search for all leaked keys/secrets using one regex
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]
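As an added example (not part of the original page), the regex above applied with Python's re module to a few constructed configuration fragments. Two limits are worth knowing before relying on it: the value must be quoted and consist of 8 to 64 characters from [A-Za-z0-9_=-], so unquoted env-style assignments, short passwords and AWS secret keys containing "/" or "+" are missed; and the key name must be followed directly by a separator, so the JSON form "key": "value" (closing quote right after the key) is missed too. The sample input includes one of each miss so the behaviour is visible; all values are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List

# The page's one-regex secret finder, copied verbatim. (?i) makes the key names
# case-insensitive; group 1 is the key (plus up to 25 trailing filler chars),
# group 4 is the quoted value.
SECRET_RE = re.compile(
    r"""(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]"""
)


@dataclass
class Hit:
    line_no: int
    key: str
    value: str


def find_secrets(text: str) -> List[Hit]:
    """Run the page's regex over each line and return (line, key, value) hits."""
    hits: List[Hit] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_RE.finditer(line):
            # group 1 greedily absorbs the spaces before the separator; strip them
            hits.append(Hit(n, m.group(1).strip(), m.group(4)))
    return hits


# Constructed sample (placeholder values, nothing real):
#   line 1: matches (quoted, allowed charset, >= 8 chars)
#   line 2: matches (uppercase key; (?i) handles it)
#   line 3: missed, value shorter than 8 characters
#   line 4: missed, AWS-style secret contains "/" which the value class excludes
#   line 5: missed, JSON puts a closing quote between key and separator
#   line 6: missed, value is not quoted
SAMPLE = """\
api_key = "AIzaSyDEXAMPLE0123456789abcdefgh"
DATABASE_PASSWORD: "Tr0ub4dor_and_3"
db_password: 'hunter2'
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"client_secret": "s3cr3t-VALUE_0123456789"
DB_PASSWORD=Password123456
"""

if __name__ == "__main__":
    for h in find_secrets(SAMPLE):
        print(f"line {h.line_no}: {h.key} -> {h.value}")
```

Only lines 1 and 2 are reported; if the misses on lines 3 to 6 matter for a given target, widen the value class (add "/" and "+") or drop the quote requirement, at the cost of more false positives.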

Shodan Dorks

Webcam searches

  1. title:camera – general search for anything matching the "camera" keyword.
  2. webcam has_screenshot:true – any device identified as a webcam that has a screenshot available.
  3. has_screenshot:true IP Webcam – another variant of the above search; compare how the results differ.
  4. server: webcampxp – webcamXP, one of the most widely deployed network camera packages for Windows.
  5. server: "webcam 7" – webcam 7 cameras; less common than webcamXP but still frequently encountered.
  6. title:"blue iris remote view" – cameras behind the Blue Iris remote management and monitoring software.
  7. title:"ui3 -" – UI3 is the HTML5 web interface for Blue Iris.
  8. title:"Network Camera VB-M600" – Canon megapixel security cameras.
  9. product:"Yawcam webcam viewer httpd" – Yawcam (Yet Another WebCAM), free live streaming and webcam software.
  10. title:"IPCam Client" – IPCam Client webcam devices.
  11. server: GeoHttpServer – GeoVision (GeoHttpServer) webcams; older software, some versions of which have well-documented vulnerabilities.
  12. server: VVTK-HTTP-Server – Vivotek IP cameras.
  13. title:"Avigilon" – Avigilon cameras and monitoring devices.
  14. ACTi – various IP camera and video management system products.
  15. WWW-Authenticate: "Merit LILIN Ent. Co., Ltd." – Merit LILIN, a Taiwanese IP camera and home automation vendor.
  16. title:"+tm01+" – unsecured Linksys webcams, many of them with screenshots.
  17. server: "i-Catcher Console" – another IP-based CCTV system.
  18. Netwave IP Camera Content-Length: 2574 – Netwave IP cameras.
  19. 200 ok dvr port:"81" – DVR CCTV systems reachable over HTTP.
  20. WVC80N – Linksys WVC80N cameras.

VOIP communication devices

  1. device:"voip" – general search for Voice over IP devices.
  2. device:"voip phone" – narrower search for VoIP devices carrying the "phone" keyword.
  3. server: snom – Snom is a VoIP phone manufacturer; plenty of its legacy devices are online.
  4. "snom embedded 200 OK" – Snom devices with authentication enabled.
  5. AddPac – an older VoIP equipment vendor; nearly all hits are legacy devices.
  6. mcu: tandberg – Tandberg multipoint control units for video conferencing.
  7. title:"polycom" – Polycom, another VoIP and conferencing brand.
  8. title:"openstage" – Siemens OpenStage IP phones.
  9. 39 voip – more VoIP services, mostly behind login screens.
  10. Server: MSOS/2.0 mawebserver/1.1 – VoIP media gateways such as the Patton SN4112 FXO.
Explore further by the VOIP tag: https://www.shodan.io/explore/tag/voip

Database searches

  1. product:MySQL – broad search for MySQL servers.
  2. mongodb port:27017 – MongoDB on its default port; older releases listened on all interfaces with no authentication enabled by default.
  3. "MongoDB Server Information" port:27017 – another variation of the above search.
  4. "Set-Cookie: mongo-express=" "200 OK" – mongo-express web admin interfaces, which expose the underlying MongoDB databases.
  5. kibana content-length:217 – Kibana dashboards reachable without authentication.
  6. port:"9200" all:elastic – open Elasticsearch instances.
  7. port:5432 PostgreSQL – PostgreSQL servers accepting remote connections.
  8. product:"CouchDB" – Apache CouchDB instances.
  9. port:"5984"+Server: "CouchDB/2.1.0" – CouchDB 2.1.0; releases before 2.1.1 (and 1.x before 1.7.0) are affected by the CVE-2017-12635 admin-creation and CVE-2017-12636 remote code execution chain.
Explore further by the DATABASE tag: https://www.shodan.io/explore/tag/database

Maritime devices

  1. maritime – general search for anything related to maritime devices.
  2. sailor – another wide search; expect unrelated results.
  3. org:marlink – Marlink, one of the largest maritime satellite communications providers.
  4. satcom – generic term for satellite communications; a broad search.
  5. inmarsat – Inmarsat, a satellite operator whose terminals are widely used at sea.
  6. vsat – "very-small-aperture terminal", a satellite data transceiver commonly fitted on vessels.
  7. ECDIS – Electronic Chart Display and Information System, used for navigation and track control.
  8. uhp vsat terminal software -password – UHP satellite network routers without a password.
  9. ssl:"Cobham SATCOM" – Cobham maritime satellite and radio communication equipment.
  10. title:"Slocum Fleet Mission Control" – mission control software for Slocum underwater gliders.
Explore further by the VSAT tag: https://www.shodan.io/explore/tag/vsat

Files & directories

  1. http.title:"Index of /" – open directory listings on web servers.
  2. port:80 title:"Index of /" – slight variation of the above; compare the results.
  3. "220" "230 Login successful." port:21 – FTP servers that accepted a login during the crawl, i.e. potentially usable without credentials.
  4. 230 'anonymous@' login ok – FTP servers that allow anonymous login.
  5. vsftpd 2.3.4 – the vsftpd release whose distributed tarball was backdoored (CVE-2011-2523).
  6. ftp port:"10000" – Network Data Management Protocol (NDMP), used to back up network-attached storage (NAS) devices.
  7. "QuickBooks files OverNetwork" -unix port:445 – default QuickBooks file sharing over SMB.
  8. filezilla port:"21" – FileZilla Server FTP banners.

Legacy Windows operating systems

  1. os:"Windows 5.0" – Windows 2000; support ended in 2010.
  2. os:"Windows 5.1" – Windows XP; support ended in 2014.
  3. os:Windows 2003 – Windows Server 2003; support ended in 2015.
  4. os:"Windows Vista" – Windows Vista; support ended in 2017.
  5. os:Windows 2008 – Windows Server 2008; support ended in 2020.
  6. os:"Windows 7" – Windows 7; support ended in 2020.
  7. os:"Windows 8" – Windows 8; support ended in 2016.
  8. os:Windows 2011 – Windows Home Server 2011; support ended in 2016.
  9. os:"Windows 8.1" – Windows 8.1; mainstream support ended in 2018, extended support in 2023.
  10. os:Windows 2012 – Windows Server 2012; mainstream support ended in 2018, extended support in 2023.
Explore further by the WINDOWS tag: https://www.shodan.io/explore/tag/windows

Default / generic credentials

  1. admin 1234 – banners mentioning the admin / 1234 credential pair.
  2. "default password" – speaks for itself.
  3. test test port:"80" – generic test credentials over HTTP.
  4. "authentication disabled" "RFB 003.008" – VNC servers (RFB 3.8) that require no authentication.
  5. "root@" port:23 -login -password -name -Session – Telnet sessions already logged in as root, with no login prompt in the banner.
  6. port:23 console gateway – Telnet console gateways, no password required.
  7. html:"def_wirelesspassword" – default login pages of routers.
  8. "polycom command shell" – possible authentication bypass on Polycom devices.
  9. "authentication disabled" port:5900,5901 – VNC services without authentication.
  10. "server: Bomgar" "200 OK" – Bomgar remote support appliances.
Explore further by the VNC tag: https://www.shodan.io/explore/tag/vnc
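Shodan's "authentication disabled" note for VNC (dorks 4 and 9 above) is, on the wire, a server whose RFB handshake offers security type 1 ("None"), so any client may connect without a password. As an added example (not from the page, and not Shodan's own code), the parser below reads the server's side of that handshake as a scanner sees it after echoing the version back: the 12-byte ProtocolVersion, then for RFB 3.7+ a one-byte count and list of security types (a count of 0 means the server refused and sent a reason string), or for RFB 3.3 a single big-endian U32 type. The sample byte strings are constructed.

```python
import struct
from typing import Dict, List, Optional

# Security type numbers as registered for RFB (RFC 6143 section 7.1.2 and the IANA registry).
SECURITY_TYPES: Dict[int, str] = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt",
}


def parse_rfb_server_hello(data: bytes) -> dict:
    """Parse the server's ProtocolVersion message and the security message that follows it."""
    if len(data) < 12 or data[:4] != b"RFB " or data[7:8] != b"." or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(data[4:7]), int(data[8:11])
    rest = data[12:]
    reason: Optional[str] = None
    if (major, minor) >= (3, 7):
        # 3.7+: U8 number-of-security-types, then that many U8 type codes.
        # A count of 0 means the connection failed; a U32 length and reason string follow.
        if not rest:
            raise ValueError("truncated security message")
        count = rest[0]
        if count == 0:
            if len(rest) < 5:
                raise ValueError("truncated failure reason")
            (rlen,) = struct.unpack(">I", rest[1:5])
            reason = rest[5:5 + rlen].decode("latin-1", "replace")
            types: List[int] = []
        else:
            types = list(rest[1:1 + count])
            if len(types) != count:
                raise ValueError("truncated security types list")
    else:
        # 3.3: the server chooses a single U32 security type; 0 means failure.
        if len(rest) < 4:
            raise ValueError("truncated security type")
        (t,) = struct.unpack(">I", rest[:4])
        types = [t] if t != 0 else []
    return {"version": (major, minor), "types": types, "reason": reason}


def security_type_names(info: dict) -> List[str]:
    return [SECURITY_TYPES.get(t, f"unknown({t})") for t in info["types"]]


def authentication_disabled(info: dict) -> bool:
    """True when the server offers type 1 (None): this is what the Shodan dork flags."""
    return 1 in info["types"]


# Constructed samples of what a server sends (version line + security message).
SAMPLES = {
    "open_38": b"RFB 003.008\n" + bytes([2, 1, 2]),                        # offers None and VNC auth
    "vncauth_38": b"RFB 003.008\n" + bytes([1, 2]),                        # VNC auth only
    "open_33": b"RFB 003.003\n" + struct.pack(">I", 1),                    # 3.3 server picked None
    "refused_38": b"RFB 003.008\n" + bytes([0]) + struct.pack(">I", 8) + b"Too many",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        info = parse_rfb_server_hello(blob)
        print(name, info["version"], security_type_names(info),
              "auth disabled:", authentication_disabled(info), info["reason"])
```

A server that offers both None and VNC Authentication still counts as open: the client picks the type, so an attacker simply picks None.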

Printers

  1. printer – general search for printers.
  2. "HP-ChaiSOE" port:"80" – HP LaserJet printers reachable over HTTP.
  3. title:"syncthru web service" – older Samsung printers, not secured by default.
  4. "Location: /main/main.html" debut – admin pages of Brother printers, not secured.
  5. port:161 hp – HP printers exposing SNMP; with a writable community string they can be reconfigured or restarted remotely.
  6. port:23 "Password is not set" – printers with Telnet open and no password set.
  7. "Laser Printer FTP Server" – printers accessible via FTP with anonymous login allowed.
  8. Printer Type: Lexmark – control panels of Lexmark printers.
  9. http 200 server epson -upnp – Epson printers reachable over HTTP.
  10. "Server: EPSON-HTTP" "200 OK" – another variation of the above search.
  11. ssl:"Xerox Generic Root" – Xerox printers presenting the vendor's default TLS certificate.
  12. "Server: CANON HTTP Server" – Canon printers' HTTP interface.

Compromised devices and websites

  1. hacked – general search for the 'hacked' label.
  2. "hacked by" – another variation of the above search.
  3. http.title:"Hacked by" – the same search restricted to the HTTP title.
  4. http.title:"0wn3d by" – resources labelled as 'owned' by a threat actor or group.
  5. "HACKED-ROUTER" – compromised routers, labelled accordingly.
  6. port:"27017" "send_bitcoin_to_retrieve_the_data" – MongoDB instances wiped by ransomware, with the ransom note still in place of the data.
  7. bitcoin has_screenshot:true – the 'bitcoin' keyword where a screenshot is present (useful for RDP screens of endpoints displaying a ransom note).
  8. port:4444 system32 – compromised Windows hosts; 4444 is Metasploit's default listener port, so a Windows shell answering there usually means a Meterpreter or bind-shell payload is listening.
  9. "attention"+"encrypted"+port:3389 – RDP services of ransomware-infected hosts.
  10. "HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD" – compromised routers renamed to that phrase by whoever got in.
  11. "HACKED FTP server" – compromised FTP servers.
Explore further by the HACKED tag: https://www.shodan.io/explore/tag/hacked

Miscellaneous

  1. solar – controllers for solar panels and similar solar equipment.
  2. "ETH - Total speed" – Ethereum mining rigs (miner status pages).
  3. http.title:"Nordex Control" – Nordex wind turbine control interfaces.
  4. "DICOM Server Response" port:104 – DICOM medical imaging systems.
  5. http.title:"Tesla" – anything with "Tesla" in the HTTP title.
  6. "in-tank inventory" port:10001 – automatic tank gauges at petrol stations, including their physical addresses.
  7. http.title:"dashboard" – anything titled 'dashboard'; most sit behind a login.
  8. http.title:"control panel" – as above, for anything titled 'control panel'.