Active
IP addresses from subdomains
# resolves each host with dig +short, keeps only IPv4 A-record answers (not the resolver's SERVER line or CNAME targets), and drops the 10.0.0.0/8 private range with an anchored pattern so addresses such as 1.10.x.x are not discarded
while read -r host; do dig +short "$host" A | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | grep -vE '^10\.'; done < subdomains.txt
Search for all leaked keys/secrets using one regex
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]
- webcam has_screenshot:true – a general search for any IoT device identified as a webcam that has screenshots available.
- has_screenshot:true IP Webcam – another version of the above search; compare how the results differ.
- server: webcamXP – webcamXP is one of the most popular and commonly encountered network camera software packages for Windows.
- server: "webcam 7" – webcam 7 cameras; not as popular as the above, but still commonly encountered.
- title:"blue iris remote view" – webcams identified as belonging to the Blue Iris webcam remote management and monitoring service.
- product:"Yawcam webcam viewer httpd" – Yawcam stands for Yet Another WebCAM, free live streaming and webcam software.
- server: GeoHttpServer – GeoVision (GeoHttpServer) webcams, older webcam software, some versions of which have well-documented vulnerabilities.

- mcu: tandberg – Tandberg is a hardware manufacturer of multi-point control units (MCUs) for video conferencing.
- Server: MSOS/2.0 mawebserver/1.1 – VoIP media gateway, commonly found on devices such as the Patton SN4112 FXO gateway.

- port:"5984"+Server: "CouchDB/2.1.0" – CouchDB 2.1.0 instances, a version with known vulnerabilities where remote code execution may be possible.

- org:marlink – general search; Marlink is the world's largest maritime satellite communications provider.
- vsat – abbreviation for "very-small-aperture terminal", a satellite data transmitter/receiver commonly used on maritime vessels.
- ECDIS – abbreviation for Electronic Chart Display and Information System, used in navigation and autopilot systems.

- "220" "230 Login successful." port:21 – FTP resources potentially accessible without login credentials.
- ftp port:"10000" – Network Data Management Protocol (NDMP), used for backup of network-attached storage (NAS) devices.

- "[email protected]" port:23 -login -password -name -Session – accounts already logged in with root privilege over Telnet, port 23.

- port:"27017" "send_bitcoin_to_retrieve_the_data" – databases affected by ransomware, with the ransom demand still associated with them.
- bitcoin has_screenshot:true – searches for the 'bitcoin' keyword where a screenshot is present (useful for spotting RDP screens of endpoints infected with ransomware).
- port:4444 system32 – compromised legacy operating systems. Port 4444 is the default port for Meterpreter, a Metasploit attack payload with an interactive shell for remote code execution.
- "HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD" – compromised hosts with their name changed to that phrase.

- http.title:"dashboard" – literally anything labelled 'dashboard', many of which are not accessible due to security by default.