Active

IP addresses from subdomains

for i in $(cat subdomains.txt); do dig $i | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | grep -vE "10.*"; done

Search for all leaked keys/secrets using one regex

(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]

Shodan Dorks

Webcam searches

1. title:camera – general search for anything matching the “camera” keyword.

2. webcam has_screenshot:true – a general search for any IoT device identified as a webcam that has screenshots available.

3. has_screenshot:true IP Webcam – another version of the above search, see how the results might differ?

4. server: webcampxp – webcamXP is one of the most popular and commonly encountered network camera software for Windows OS.

5. server: “webcam 7” – webcam 7 cameras; not as popular as the above type, but still they are still popular and encountered out there.

6. title:”blue iris remote view” – webcams identified as belonging to the Blue Iris webcam remote management and monitoring service.

7. title:”ui3 -“ – UI3 is a HTML5 web interface for Blue Iris mentioned above.

8. title:”Network Camera VB-M600″ – Canon manufactured megapixel security cameras.

9. product:”Yawcam webcam viewer httpd” – Yawcam stands for Yet Another WebCAM, free live streaming and webcam software.

10. title:”IPCam Client” – IPCam Client webcam devices.

11. server: GeoHttpServer – GeoVision (GeoHttpServer) Webcams, older webcam software with some had well documented vulnerabilities.

12. server: VVTK-HTTP-Server – Vivotek IP cameras.

13. title:”Avigilon” – access to the Avigilion brand camera and monitoring devices.

14. ACTi – various IP camera and video management system products.

15. WWW-Authenticate: “Merit LILIN Ent. Co., Ltd.” – a UK-based house automation / IP camera provider.

16. title:”+tm01+” – unsecured Linksys webcams, a lot of them with screenshots.

17. server: “i-Catcher Console” – another example of an IP-based CCTV system.

18. Netwave IP Camera Content-Length: 2574 – access to the Netwave make IP cameras.

19. 200 ok dvr port:”81″ – DVR CCTV cameras accessible via http.

20. WVC80N – Linksys WVC80N cameras.

Explore further by these tags:

WEBCAM: https://www.shodan.io/explore/tag/webcam

CAM: https://www.shodan.io/explore/tag/cam

CAMERA: https://www.shodan.io/explore/tag/camera

VOIP communication devices

1. device:”voip” – general search for Voice over IP devices.

2. device:”voip phone” – more specific search for anything VoIP containing a “phone” keyword.

3. server: snom – Snom is a VoIP provider with some legacy devices online.

4. “snom embedded 200 OK” – Snom devices with enabled authentication.

5. AddPac – an older VoIP provider, nearly exclusively legacy devices.

6. mcu: tandberg – Tandberg is a hardware manufacturer of multi-point control units for video conferencing.

7. title:”polycom” – Polycom is another VoIP communication brand.

8. title:”openstage” – Siemens Openstage brand IP phones.

9. 39 voip – some more VoIP services, mostly behind login screens

10. Server: MSOS/2.0 mawebserver/1.1 – VoIP media gateway, commonly used by services such as Patton SN4112 FXO.

Explore further by the VOIP tag: https://www.shodan.io/explore/tag/voip

Database searches

1. product:MySQL – broad search for MySQL databases.

2. mongodb port:27017 – MongoDB databases on their default port. Unsecured by default.

3. “MongoDB Server Information” port:27017 – another variation of the above search.

4. “MongoDB Server Information { “metrics”:” – fully open MongoDBs.

5. “Set-Cookie: mongo-express=” “200 OK” – MongoDB open databases.

6. kibana content-length:217 – Kibana dashboards accessible without authentication.

7. port:”9200″ all:elastic – Elasticsearch open databases.

8. port:5432 PostgreSQL – remote connections to PostgreSQL servers.

9. product:”CouchDB” – Apache CouchDB databases listed.

10. port:”5984″+Server: “CouchDB/2.1.0” – vulnerable CouchDB where remote code execution may be possible.

Explore further by the DATABASE tag: https://www.shodan.io/explore/tag/database

Maritime devices

1. maritime – general search for anything related to maritime devices.

2. sailor – another wide search, could yield unrelated results!

3. org:marlink – general search; Marlink is the world’s largest maritime satellite communications provider.

4. satcom – another maritime satellite communications services provider.

5. inmarsat – as above, but a slightly less known equipment vendor.

6. vsat – abbreviation for “very-small-aperture terminal”, a data transmitter / receiver commonly used by maritime vessels.

7. ECDIS – abbreviation for Electronic Chart Display and Information Systems, used in navigation and autopilot systems.

8. uhp vsat terminal software -password – satellite network router without a password.

9. ssl:”Cobham SATCOM” – maritime radio and locations systems.

10. title:”Slocum Fleet Mission Control” – maritime mission control software.

Explore further by the VSAT tag: https://www.shodan.io/explore/tag/vsat

Files & directories

1. http.title:”Index of /” – open lists of files and directories on various servers.

2. port:80 title:”Index of /” – slight variation of the above, note how the results might differ.

3. “220” “230 Login successful.” port:21 – FTP resources potentially accessible without login credentials.

4. 230 ‘anonymous@’ login ok – anonymous login allowed to FTP resources.

5. “Anonymous+access+allowed” port:”21″ – as above.

6. vsftpd 2.3.4 – legacy Linux based FTP service with a widely known security vulnerability

7. ftp port:”10000″ – Network Data Management Protocol (NDMP), used for backup of network-attached storage (NAS) devices.

8. “Authentication: disabled” port:445 product:”Samba” – SMB file sharing

9. “QuickBooks files OverNetwork” -unix port:445 – default settings for sharing QuickBooks files.

10. filezilla port:”21″ – popular file sharing software Filezilla.

Explore further by these tags:

FTP: https://www.shodan.io/explore/tag/ftp

SMB: https://www.shodan.io/explore/tag/smb

Legacy Windows operating systems

1. os:”Windows 5.0″ – Windows 2000; support ended in 2010.

2. os:”Windows 5.1″ – Windows XP; support ended in 2014.

3. os:Windows 2003 – Windows Server 2003; support ended in 2015.

4. os:”Windows Vista”– Windows Vista; support ended in 2017.

5. os:Windows 2008 – Windows Server 2008; support ended in 2020.

6. os:”Windows 7″ – Windows 7; support ended in 2020.

7. os:”Windows 8″ – Windows 8; support ended in 2016.

8. os:Windows 2011 – Windows Home Server 2011; support ended in 2016.

9. os:”Windows 8.1″ – Windows 8.1; support ended in 2018.

10. os:Windows 2012 – Windows Server 2012; support ended in 2018.

Explore further by the WINDOWS tag: https://www.shodan.io/explore/tag/windows

Default / generic credentials

1. admin 1234 – basic very unsecure credentials.

2. “default password” – speaks for itself…

3. test test port:”80″ – generic test credentials over HTTP.

4. “authentication disabled” “RFB 003.008” – no authentication necessary.

5. “root@” port:23 -login -password -name -Session – accounts already logged in with root privilege over Telnet, port 23.

6. port:23 console gateway – remote access via Telnet, no password required.

7. html:”def_wirelesspassword” – default login pages for routers.

8. “polycom command shell” – possible authentication bypass to Polycom devices.

9. “authentication disabled” port:5900,5901 – VNC services without authentication.

10. “server: Bomgar” “200 OK” – Bomgar remote support service.

Explore further by the VNC tag: https://www.shodan.io/explore/tag/vnc

Printers

1. printer – general search for printers.

2. “HP-ChaiSOE” port:”80″ – HP LaserJet printers accessible through HTTP.

3. title:”syncthru web service” – older Samsung printers, not secured by default.

4. “Location: /main/main.html” debut – admin pages of Brother printers, not secured.

5. port:161 hp – HP printers that can be restarted remotely via port 161.

6. port:23 “Password is not set” – open access via Telnet to printers without set passwords.

7. “Laser Printer FTP Server” – printers accessible via FTP with anonymous login allowed.

8. Printer Type: Lexmark – access to control panels for Lexmark make printers.

9. http 200 server epson -upnp – HTTP accessible Epson printers.

10. “Server: EPSON-HTTP” “200 OK” – another variation of the above search.

11. ssl:”Xerox Generic Root” – remote access to Xerox printers.

12. “Server: CANON HTTP Server” – Canon printer servers through HTTP connection.

Explore further by these tags:

PRINTER: https://www.shodan.io/explore/tag/printer

PRINTERS: https://www.shodan.io/explore/tag/printers

PRINT SERVER: https://www.shodan.io/explore/tag/print%20server

Compromised devices and websites

1. hacked – general search for the ‘hacked’ label.

2. “hacked by” – another variation of the above search.

3. http.title:”Hacked by” – another variation of the same search filter.

4. http.title:”0wn3d by” – resourced labelled as ‘owned’ by a threat agent, hacker group, etc.

5. “HACKED-ROUTER” – compromised routers, labelled accordingly.

6. port:”27017″ “send_bitcoin_to_retrieve_the_data” – databases affected by ransomware, with the ransom demand still associated with them.

7. bitcoin has_screenshot:true – searches for the ‘bitcoin’ keyword, where a screenshot is present (useful for RDP screens of endpoints infected with ransomware).

8. port:4444 system32 – compromised legacy operating systems. Port 4444 is the default port for Meterpreter – a Metasploit attack payload with an interactive shell for remote code execution.

9. “attention”+”encrypted”+port:3389 – ransomware infected RDP services.

10. “HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD” – compromised hosts with the name changed to that phrase.

11. “HACKED FTP server” – compromised FTP servers.

Explore further by the HACKED tag: https://www.shodan.io/explore/tag/hacked

Miscellaneous

1. solar – controls for solar panels and similar solar devices.

2. “ETH – Total speed” – Ethereum cryptocurrency miners.

3. http.html:”* The wp-config.php creation script uses this file” – misconfigured WordPress websites.

4. http.title:”Nordex Control” – searches for Nordex wind turbine farms.

5. “Server: EIG Embedded Web Server” “200 Document follows” – EIG electricity meters.

6. “DICOM Server Response” port:104 – DICOM medical machinery.

7. http.title:”Tesla” – anything with the term “Tesla” in the banner.

8. “in-tank inventory” port:10001 – petrol pumps, including their physical addresses.

9. http.title:”dashboard” – literally anything labelled ‘dashboard’, with many not accessible due to security by default.

10. http.title:”control panel” – as above, but whatever is labelled as control panels.

https://www.osintme.com/index.php/2021/01/16/ultimate-osint-with-shodan-100-great-shodan-queries/