> For the complete documentation index, see [llms.txt](https://guide.offsecnewbie.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://guide.offsecnewbie.com/recon/active.md).

# Active

IP addresses from subdomains&#x20;

```
for i in $(cat subdomains.txt); do dig $i | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | grep -vE "10.*"; done
```

Search for all leaked keys/secrets using one regex

```
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]
```

## Shodan Dorks

#### Webcam searches

1. [title:camera](https://www.shodan.io/search?query=title%3Acamera) – general search for anything matching the “camera” keyword.
2. [webcam has\_screenshot:true](https://www.shodan.io/search?query=webcam+has_screenshot%3Atrue) – a general search for any IoT device identified as a webcam that has screenshots available.
3. [has\_screenshot:true IP Webcam](https://www.shodan.io/search?query=has_screenshot%3Atrue+IP+Webcam) – another version of the above search, see how the results might differ?
4. [server: webcampxp](https://www.shodan.io/search?query=server%3A+webcamxp) – webcamXP is one of the most popular and commonly encountered network camera software for Windows OS.&#x20;
5. [server: “webcam 7”](https://www.shodan.io/search?query=server%3A+%22webcam+7%22) – webcam 7 cameras; not as popular as the above type, but still they are still popular and encountered out there.
6. [title:”blue iris remote view”](https://www.shodan.io/search?query=title%3A%22blue+iris+remote+view%22) – webcams identified as belonging to the [Blue Iris](https://blueirissoftware.com/) webcam remote management and monitoring service.
7. [title:”ui3 -“](https://www.shodan.io/search?query=title%3A%22ui3+-%22) – UI3 is a  HTML5 web interface for Blue Iris mentioned above.
8. [title:”Network Camera VB-M600″](https://www.shodan.io/search?query=title%3A%22Network+Camera+VB-M600%22) – Canon manufactured megapixel security cameras.
9. [product:”Yawcam webcam viewer httpd”](https://www.shodan.io/search?query=product%3A%22Yawcam+webcam+viewer+httpd%22) – Yawcam stands for Yet Another WebCAM, free live streaming and webcam software.
10. [title:”IPCam Client”](https://www.shodan.io/search?query=title%3A%22IPCam+Client%22) – IPCam Client webcam devices.
11. [server: GeoHttpServer](https://www.shodan.io/search?query=Server%3A+GeoHttpServer) – GeoVision (GeoHttpServer) Webcams, older webcam software with some had well documented vulnerabilities.
12. [server: VVTK-HTTP-Server](https://www.shodan.io/search?query=server%3A+VVTK-HTTP-Server) – Vivotek IP cameras.
13. [title:”Avigilon”](https://www.shodan.io/search?query=title%3A%22Avigilon%22) – access to the Avigilion brand camera and monitoring devices.
14. [ACTi](https://www.shodan.io/search?query=ACTi) – various IP camera and video management system products.
15. [WWW-Authenticate: “Merit LILIN Ent. Co., Ltd.”](https://www.shodan.io/search?query=WWW-Authenticate%3A+%22Merit+LILIN+Ent.+Co.%2C+Ltd.%22) – a UK-based house automation / IP camera provider.
16. [title:”+tm01+”](https://www.shodan.io/search?query=title%3A%22%2Btm01%2B%22) – unsecured Linksys webcams, a lot of them with screenshots.
17. [server: “i-Catcher Console”](https://www.shodan.io/search?query=server%3A+%22i-Catcher+Console%22) – another example of an IP-based CCTV system.
18. [Netwave IP Camera Content-Length: 2574](https://www.shodan.io/search?query=Netwave+IP+Camera+Content-Length%3A+2574) – access to the Netwave make IP cameras.
19. [200 ok dvr port:”81″](https://www.shodan.io/search?query=200+ok+dvr+port%3A%2281%22) – DVR CCTV cameras accessible via http.
20. [WVC80N](https://www.shodan.io/search?query=WVC80N) – Linksys WVC80N cameras.

&#x20;

Explore further by these tags:

WEBCAM: <https://www.shodan.io/explore/tag/webcam>

CAM: [https://www.shodan.io/explore/tag/cam ](https://www.shodan.io/explore/tag/cam)

CAMERA: <https://www.shodan.io/explore/tag/camera>

<figure><img src="https://www.osintme.com/wp-content/uploads/2020/10/webcam-shodan-search-osint.png" alt=""><figcaption></figcaption></figure>

#### VOIP communication devices

1. [device:”voip”](https://www.shodan.io/search?query=device%3A%22voip%22) – general search for Voice over IP devices.
2. [device:”voip phone”](https://www.shodan.io/search?query=device%3A%22voip+phone%22) – more specific search for anything VoIP containing a “phone” keyword.
3. [server: snom](https://www.shodan.io/search?query=server%3A+snom) – Snom is a VoIP provider with some legacy devices online.
4. [“snom embedded 200 OK”](https://www.shodan.io/search?query=%22snom+embedded+200+OK%22) – Snom devices with enabled authentication.
5. [AddPac](https://www.shodan.io/search?query=AddPac) – an older VoIP provider, nearly exclusively legacy devices.
6. [mcu: tandberg](https://www.shodan.io/search?query=mcu%3A+tandberg) – Tandberg is a hardware manufacturer of multi-point control units for video conferencing.
7. [title:”polycom”](https://www.shodan.io/search?query=title%3A%22polycom%22) – Polycom is another VoIP communication brand.
8. [title:”openstage”](https://www.shodan.io/search?query=title%3A%22openstage%22) – Siemens Openstage brand IP phones.
9. [39 voip](https://www.shodan.io/search?query=39+voip) – some more VoIP services, mostly behind login screens
10. [Server: MSOS/2.0 mawebserver/1.1](https://www.shodan.io/search?query=Server%3A+MSOS%2F2.0+mawebserver%2F1.1) – VoIP media gateway, commonly used by services such as Patton SN4112 FXO.

&#x20;

Explore further by the VOIP tag: <https://www.shodan.io/explore/tag/voip>

![](https://www.osintme.com/wp-content/uploads/2021/01/Patton-VoIP.png)

#### Database searches

1. [product:MySQL](https://www.shodan.io/search?query=product%3AMySQL) – broad search for MySQL databases.
2. [mongodb port:27017](https://www.shodan.io/search?query=mongodb+port%3A27017) – MongoDB databases on their default port. Unsecured by default.
3. [“MongoDB Server Information” port:27017](https://www.shodan.io/search?query=%22MongoDB+Server+Information%22+port%3A27017) – another variation of the above search.
4. [“MongoDB Server Information { “metrics”:”](https://www.shodan.io/search?query=%22MongoDB+Server+Information+%7B+++++%22metrics%22%3A%22) – fully open MongoDBs.
5. [“Set-Cookie: mongo-express=” “200 OK”](https://www.shodan.io/search?query=%22Set-Cookie%3A+mongo-express%3D%22+%22200+OK%22) – MongoDB open databases.
6. [kibana content-length:217](https://www.shodan.io/search?query=kibana+content-length%3A217) – Kibana dashboards accessible without authentication.
7. [port:”9200″ all:elastic](https://www.shodan.io/search?query=port%3A%229200%22+all%3Aelastic) – Elasticsearch open databases.
8. [port:5432 PostgreSQL](https://www.shodan.io/search?query=port%3A5432+PostgreSQL) – remote connections to PostgreSQL servers.
9. [product:”CouchDB”](https://www.shodan.io/search?query=product%3A%22CouchDB%22) – Apache CouchDB databases listed.
10. [port:”5984″+Server: “CouchDB/2.1.0”](https://www.shodan.io/search?query=port%3A%225984%22%2BServer%3A+%22CouchDB%2F2.1.0%22) – vulnerable CouchDB where remote code execution may be possible.

&#x20;

Explore further by the DATABASE tag: [https://www.shodan.io/explore/tag/database ](https://www.shodan.io/explore/tag/database)

![](https://www.osintme.com/wp-content/uploads/2020/10/kibana-shodan-search-osint.png)

#### Maritime devices

1. [maritime](https://www.shodan.io/search?query=maritime) – general search for anything related to maritime devices.
2. [sailor](https://www.shodan.io/search?query=sailor) – another wide search, could yield unrelated results!
3. [org:marlink](https://www.shodan.io/search?query=org%3Amarlink) – general search; Marlink is the world’s largest maritime satellite communications provider.
4. [satcom](https://www.shodan.io/search?query=satcom) – another maritime satellite communications services provider.
5. [inmarsat](https://www.shodan.io/search?query=inmarsat) – as above, but a slightly less known equipment vendor.
6. [vsat](https://www.shodan.io/search?query=vsat) – abbreviation for “very-small-aperture terminal”, a data transmitter / receiver commonly used by maritime vessels.
7. [ECDIS](https://www.shodan.io/search?query=ECDIS) – abbreviation for Electronic Chart Display and Information Systems, used in navigation and autopilot systems.
8. [uhp vsat terminal software -password](https://www.shodan.io/search?query=uhp+vsat+terminal+software+-password) – satellite network router without a password.
9. [ssl:”Cobham SATCOM”](https://www.shodan.io/search?query=ssl%3A%22Cobham+SATCOM%22) – maritime radio and locations systems.
10. [title:”Slocum Fleet Mission Control”](https://www.shodan.io/search?query=title%3A%22Slocum+Fleet+Mission+Control%22) – maritime mission control software.

&#x20;

Explore further by the VSAT tag: <https://www.shodan.io/explore/tag/vsat>

#### Files & directories

1. [http.title:”Index of /”](https://www.shodan.io/search?query=http.title%3A%22Index+of+%2F%22) – open lists of files and directories on various servers.
2. [port:80 title:”Index of /”](https://www.shodan.io/search?query=port%3A80+title%3A%22Index+of+%2F%22) – slight variation of the above, note how the results might differ.
3. [“220” “230 Login successful.” port:21](https://www.shodan.io/search?query=%22220%22+%22230+Login+successful.%22+port%3A21) – FTP resources potentially accessible without login credentials.
4. [230 ‘anonymous@’ login ok](https://www.shodan.io/search?query=230+%27anonymous%40%27+login+ok) – anonymous login allowed to FTP resources.
5. [“Anonymous+access+allowed” port:”21″](https://www.shodan.io/search?query=%22Anonymous%2Baccess%2Ballowed%22+port%3A%2221%22) – as above.
6. [vsftpd 2.3.4](https://www.shodan.io/search?query=Vsftpd+2.3.4) – legacy Linux based FTP service with a widely known security vulnerability
7. [ftp port:”10000″](https://www.shodan.io/search?query=ftp+port%3A%2210000%22) – Network Data Management Protocol (NDMP), used for backup of network-attached storage (NAS) devices.
8. [“Authentication: disabled” port:445 product:”Samba”](https://www.shodan.io/search?query=%22Authentication%3A+disabled%22+port%3A445+product%3A%22Samba%22) – SMB file sharing
9. [“QuickBooks files OverNetwork” -unix port:445](https://www.shodan.io/search?query=%22QuickBooks+files+OverNetwork%22+-unix+port%3A445) – default settings for sharing QuickBooks files.
10. [filezilla port:”21″](https://www.shodan.io/search?query=filezilla+port%3A%2221%22) – popular file sharing software Filezilla.

&#x20;

Explore further by these tags:

FTP: <https://www.shodan.io/explore/tag/ftp>

SMB: [https://www.shodan.io/explore/tag/smb ](https://www.shodan.io/explore/tag/smb)

#### Legacy Windows operating systems

1. [os:”Windows 5.0″](https://www.shodan.io/search?query=os%3A%22Windows+5.0%22) – Windows 2000; support ended in 2010.
2. [os:”Windows 5.1″](https://www.shodan.io/search?query=os%3A%22Windows+5.1%22) – Windows XP; support ended in 2014.
3. [os:Windows 2003](https://www.shodan.io/search?query=os%3AWindows+2003) – Windows Server 2003; support ended in 2015.
4. [os:”Windows Vista”](https://www.shodan.io/search?query=os%3A%22Windows+Vista%22)– Windows Vista; support ended in 2017.
5. [os:Windows 2008](https://www.shodan.io/search?query=os%3AWindows+2008) – Windows Server 2008; support ended in 2020.
6. [os:”Windows 7″](https://www.shodan.io/search?query=os%3A%22Windows+7%22) – Windows 7; support ended in 2020.
7. [os:”Windows 8″](https://www.shodan.io/search?query=os%3A%22Windows+8%22) – Windows 8; support ended in 2016.
8. [os:Windows 2011](https://www.shodan.io/search?query=os%3AWindows+2011) – Windows Home Server 2011; support ended in 2016.
9. [os:”Windows 8.1″](https://www.shodan.io/search?query=os%3A%22Windows+8.1%22) – Windows 8.1; support ended in 2018.
10. [os:Windows 2012](https://www.shodan.io/search?query=os%3AWindows+2012) – Windows Server 2012; support ended in 2018.

&#x20;

Explore further by the WINDOWS tag: <https://www.shodan.io/explore/tag/windows>

#### Default / generic credentials

1. [admin 1234](https://www.shodan.io/search?query=admin+1234) – basic very unsecure credentials.
2. [“default password”](https://www.shodan.io/search?query=%22default+password%22) – speaks for itself…
3. [test test port:”80″](https://www.shodan.io/search?query=test+test+port%3A%2280%22) – generic test credentials over HTTP.
4. [“authentication disabled” “RFB 003.008”](https://www.shodan.io/search?query=%22authentication+disabled%22+%22RFB+003.008%22) – no authentication necessary.
5. “[root@” port:23 -login -password -name -Session](https://www.shodan.io/search?query=%22root%40%22+port%3A23+-login+-password+-name+-Session) – accounts already logged in with root privilege over Telnet, port 23.
6. [port:23 console gateway](https://www.shodan.io/search?query=port%3A23+console+gateway) – remote access via Telnet, no password required.
7. [html:”def\_wirelesspassword”](https://www.shodan.io/search?query=html%3A%22def_wirelesspassword%22) – default login pages for routers.
8. [“polycom command shell”](https://www.shodan.io/search?query=%22polycom+command+shell%22) – possible authentication bypass to Polycom devices.
9. [“authentication disabled” port:5900,5901](https://www.shodan.io/search?query=%22authentication+disabled%22+port%3A5900%2C5901) – VNC services without authentication.
10. [“server: Bomgar” “200 OK”](https://www.shodan.io/search?query=%22server%3A+Bomgar%22+%22200+OK%22) – Bomgar remote support service.

&#x20;

Explore further by the VNC tag: <https://www.shodan.io/explore/tag/vnc>

![](https://www.osintme.com/wp-content/uploads/2021/01/Bomgar-remote-not-secure.png)

#### Printers

1. [printer](https://www.shodan.io/search?query=printer) – general search for printers.
2. [“HP-ChaiSOE” port:”80″](https://www.shodan.io/search?query=%22HP-ChaiSOE%22+port%3A%2280%22) – HP LaserJet printers accessible through HTTP.
3. [title:”syncthru web service”](https://www.shodan.io/search?query=title%3A%22syncthru+web+service%22) – older Samsung printers, not secured by default.
4. [“Location: /main/main.html” debut](https://www.shodan.io/search?query=%22Location%3A+%2Fmain%2Fmain.html%22+debut) – admin pages of Brother printers, not secured.
5. [port:161 hp](https://www.shodan.io/search?query=port%3A161+hp) – HP printers that can be restarted remotely via port 161.
6. [port:23 “Password is not set”](https://www.shodan.io/search?query=port%3A23+%22Password+is+not+set%22) – open access via Telnet to printers without set passwords.
7. [“Laser Printer FTP Server”](https://www.shodan.io/search?query=%22Laser+Printer+FTP+Server%22) – printers accessible via FTP with anonymous login allowed.
8. [Printer Type: Lexmark](https://www.shodan.io/search?query=Printer+Type%3A+Lexmark) – access to control panels for Lexmark make printers.
9. [http 200 server epson -upnp](https://www.shodan.io/search?query=http+200+server+epson+-upnp) – HTTP accessible Epson printers.
10. [“Server: EPSON-HTTP” “200 OK”](https://www.shodan.io/search?query=%22Server%3A+EPSON-HTTP%22+%22200+OK%22) – another variation of the above search.
11. [ssl:”Xerox Generic Root”](https://www.shodan.io/search?query=ssl%3A%22Xerox+Generic+Root%22) – remote access to Xerox printers.
12. [“Server: CANON HTTP Server”](https://www.shodan.io/search?query=%22Server%3A+CANON+HTTP+Server%22) – Canon printer servers through HTTP connection.

&#x20;

Explore further by these tags:

PRINTER: <https://www.shodan.io/explore/tag/printer>

PRINTERS: <https://www.shodan.io/explore/tag/printers>

PRINT SERVER: [https://www.shodan.io/explore/tag/print%20server ](https://www.shodan.io/explore/tag/print%20server)

#### Compromised devices and websites

1. [hacked](https://www.shodan.io/search?query=hacked) – general search for the ‘hacked’ label.
2. [“hacked by”](https://www.shodan.io/search?query=%22hacked+by%22) – another variation of the above search.
3. [http.title:”Hacked by”](https://www.shodan.io/search?query=http.title%3A%22Hacked+by%22) – another variation of the same search filter.
4. [http.title:”0wn3d by”](https://www.shodan.io/search?query=http.title%3A%220wn3d+by%22) – resourced labelled as ‘owned’ by a threat agent, hacker group, etc.
5. [“HACKED-ROUTER”](https://www.shodan.io/search?query=%22HACKED-ROUTER%22) – compromised routers, labelled accordingly.
6. [port:”27017″ “send\_bitcoin\_to\_retrieve\_the\_data”](https://www.shodan.io/search?query=port%3A%2227017%22+%22send_bitcoin_to_retrieve_the_data%22) – databases affected by ransomware, with the ransom demand still associated with them.
7. [bitcoin has\_screenshot:true](https://www.shodan.io/search?query=bitcoin+has_screenshot%3Atrue) – searches for the ‘bitcoin’ keyword, where a screenshot is present (useful for RDP screens of endpoints infected with ransomware).
8. [port:4444 system32](https://www.shodan.io/search?query=port%3A4444+system32) – compromised legacy operating systems. Port 4444 is the default port for Meterpreter – a Metasploit attack payload with an interactive shell for remote code execution.
9. [“attention”+”encrypted”+port:3389](https://www.shodan.io/search?query=%22attention%22%2B%22encrypted%22%2Bport%3A3389) – ransomware infected RDP services.
10. [“HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD”](https://www.shodan.io/search?query=%22HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD%22) – compromised hosts with the name changed to that phrase.
11. [“HACKED FTP server”](https://www.shodan.io/search?query=%22HACKED+FTP+server%22+) – compromised FTP servers.

&#x20;

Explore further by the HACKED tag: [https://www.shodan.io/explore/tag/hacked ](https://www.shodan.io/explore/tag/hacked)

![](https://www.osintme.com/wp-content/uploads/2021/01/ransomware-osint-shodan.png)

#### Miscellaneous

1. [solar](https://www.shodan.io/search?query=solar) – controls for solar panels and similar solar devices.
2. [“ETH – Total speed”](https://www.shodan.io/search?query=%22ETH+-+Total+speed%22) – Ethereum cryptocurrency miners.
3. [http.html:”\* The wp-config.php creation script uses this file”](https://www.shodan.io/search?query=http.html%3A%22*+The+wp-config.php+creation+script+uses+this+file%22) – misconfigured WordPress websites.
4. [http.title:”Nordex Control”](https://www.shodan.io/search?query=http.title%3A%22Nordex+Control%22) – searches for Nordex wind turbine farms.
5. [“Server: EIG Embedded Web Server” “200 Document follows”](https://www.shodan.io/search?query=%22Server%3A+EIG+Embedded+Web+Server%22+%22200+Document+follows%22) – EIG electricity meters.
6. [“DICOM Server Response” port:104](https://www.shodan.io/search?query=%22DICOM+Server+Response%22+port%3A104) – DICOM medical machinery.
7. [http.title:”Tesla”](https://www.shodan.io/search?query=http.title%3A%22Tesla%22) –  anything with the term “Tesla” in the banner.
8. [“in-tank inventory” port:10001](https://www.shodan.io/search?query=%22in-tank+inventory%22+port%3A10001) – petrol pumps, including their physical addresses.
9. [http.title:”dashboard”](https://www.shodan.io/search?query=http.title%3A%22dashboard%22) – literally anything labelled ‘dashboard’, with many not accessible due to security by default.
10. [http.title:”control panel”](https://www.shodan.io/search?query=http.title%3A%22control+panel%22) – as above, but whatever is labelled as control panels.

<https://www.osintme.com/index.php/2021/01/16/ultimate-osint-with-shodan-100-great-shodan-queries/>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://guide.offsecnewbie.com/recon/active.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.