Active
IP addresses from subdomains
Search for all leaked keys/secrets using one regex
Shodan Dorks
Webcam searches
title:camera – general search for anything matching the “camera” keyword.
webcam has_screenshot:true – a general search for any IoT device identified as a webcam that has screenshots available.
has_screenshot:true IP Webcam – another version of the above search, see how the results might differ?
server: webcampxp – webcamXP is one of the most popular and commonly encountered network camera software for Windows OS.
server: “webcam 7” – webcam 7 cameras; not as popular as the above type, but still they are still popular and encountered out there.
title:”blue iris remote view” – webcams identified as belonging to the Blue Iris webcam remote management and monitoring service.
title:”ui3 -“ – UI3 is a HTML5 web interface for Blue Iris mentioned above.
title:”Network Camera VB-M600″ – Canon manufactured megapixel security cameras.
product:”Yawcam webcam viewer httpd” – Yawcam stands for Yet Another WebCAM, free live streaming and webcam software.
title:”IPCam Client” – IPCam Client webcam devices.
server: GeoHttpServer – GeoVision (GeoHttpServer) Webcams, older webcam software with some had well documented vulnerabilities.
server: VVTK-HTTP-Server – Vivotek IP cameras.
title:”Avigilon” – access to the Avigilion brand camera and monitoring devices.
ACTi – various IP camera and video management system products.
WWW-Authenticate: “Merit LILIN Ent. Co., Ltd.” – a UK-based house automation / IP camera provider.
title:”+tm01+” – unsecured Linksys webcams, a lot of them with screenshots.
server: “i-Catcher Console” – another example of an IP-based CCTV system.
Netwave IP Camera Content-Length: 2574 – access to the Netwave make IP cameras.
200 ok dvr port:”81″ – DVR CCTV cameras accessible via http.
WVC80N – Linksys WVC80N cameras.
Explore further by these tags:
WEBCAM: https://www.shodan.io/explore/tag/webcam
CAM: https://www.shodan.io/explore/tag/cam
CAMERA: https://www.shodan.io/explore/tag/camera
VOIP communication devices
device:”voip” – general search for Voice over IP devices.
device:”voip phone” – more specific search for anything VoIP containing a “phone” keyword.
server: snom – Snom is a VoIP provider with some legacy devices online.
“snom embedded 200 OK” – Snom devices with enabled authentication.
AddPac – an older VoIP provider, nearly exclusively legacy devices.
mcu: tandberg – Tandberg is a hardware manufacturer of multi-point control units for video conferencing.
title:”polycom” – Polycom is another VoIP communication brand.
title:”openstage” – Siemens Openstage brand IP phones.
39 voip – some more VoIP services, mostly behind login screens
Server: MSOS/2.0 mawebserver/1.1 – VoIP media gateway, commonly used by services such as Patton SN4112 FXO.
Explore further by the VOIP tag: https://www.shodan.io/explore/tag/voip
Database searches
product:MySQL – broad search for MySQL databases.
mongodb port:27017 – MongoDB databases on their default port. Unsecured by default.
“MongoDB Server Information” port:27017 – another variation of the above search.
“MongoDB Server Information { “metrics”:” – fully open MongoDBs.
“Set-Cookie: mongo-express=” “200 OK” – MongoDB open databases.
kibana content-length:217 – Kibana dashboards accessible without authentication.
port:”9200″ all:elastic – Elasticsearch open databases.
port:5432 PostgreSQL – remote connections to PostgreSQL servers.
product:”CouchDB” – Apache CouchDB databases listed.
port:”5984″+Server: “CouchDB/2.1.0” – vulnerable CouchDB where remote code execution may be possible.
Explore further by the DATABASE tag: https://www.shodan.io/explore/tag/database
Maritime devices
maritime – general search for anything related to maritime devices.
sailor – another wide search, could yield unrelated results!
org:marlink – general search; Marlink is the world’s largest maritime satellite communications provider.
satcom – another maritime satellite communications services provider.
inmarsat – as above, but a slightly less known equipment vendor.
vsat – abbreviation for “very-small-aperture terminal”, a data transmitter / receiver commonly used by maritime vessels.
ECDIS – abbreviation for Electronic Chart Display and Information Systems, used in navigation and autopilot systems.
uhp vsat terminal software -password – satellite network router without a password.
ssl:”Cobham SATCOM” – maritime radio and locations systems.
title:”Slocum Fleet Mission Control” – maritime mission control software.
Explore further by the VSAT tag: https://www.shodan.io/explore/tag/vsat
Files & directories
http.title:”Index of /” – open lists of files and directories on various servers.
port:80 title:”Index of /” – slight variation of the above, note how the results might differ.
“220” “230 Login successful.” port:21 – FTP resources potentially accessible without login credentials.
230 ‘anonymous@’ login ok – anonymous login allowed to FTP resources.
“Anonymous+access+allowed” port:”21″ – as above.
vsftpd 2.3.4 – legacy Linux based FTP service with a widely known security vulnerability
ftp port:”10000″ – Network Data Management Protocol (NDMP), used for backup of network-attached storage (NAS) devices.
“Authentication: disabled” port:445 product:”Samba” – SMB file sharing
“QuickBooks files OverNetwork” -unix port:445 – default settings for sharing QuickBooks files.
filezilla port:”21″ – popular file sharing software Filezilla.
Explore further by these tags:
FTP: https://www.shodan.io/explore/tag/ftp
SMB: https://www.shodan.io/explore/tag/smb
Legacy Windows operating systems
os:”Windows 5.0″ – Windows 2000; support ended in 2010.
os:”Windows 5.1″ – Windows XP; support ended in 2014.
os:Windows 2003 – Windows Server 2003; support ended in 2015.
os:”Windows Vista”– Windows Vista; support ended in 2017.
os:Windows 2008 – Windows Server 2008; support ended in 2020.
os:”Windows 7″ – Windows 7; support ended in 2020.
os:”Windows 8″ – Windows 8; support ended in 2016.
os:Windows 2011 – Windows Home Server 2011; support ended in 2016.
os:”Windows 8.1″ – Windows 8.1; support ended in 2018.
os:Windows 2012 – Windows Server 2012; support ended in 2018.
Explore further by the WINDOWS tag: https://www.shodan.io/explore/tag/windows
Default / generic credentials
admin 1234 – basic very unsecure credentials.
“default password” – speaks for itself…
test test port:”80″ – generic test credentials over HTTP.
“authentication disabled” “RFB 003.008” – no authentication necessary.
“root@” port:23 -login -password -name -Session – accounts already logged in with root privilege over Telnet, port 23.
port:23 console gateway – remote access via Telnet, no password required.
html:”def_wirelesspassword” – default login pages for routers.
“polycom command shell” – possible authentication bypass to Polycom devices.
“authentication disabled” port:5900,5901 – VNC services without authentication.
“server: Bomgar” “200 OK” – Bomgar remote support service.
Explore further by the VNC tag: https://www.shodan.io/explore/tag/vnc
Printers
printer – general search for printers.
“HP-ChaiSOE” port:”80″ – HP LaserJet printers accessible through HTTP.
title:”syncthru web service” – older Samsung printers, not secured by default.
“Location: /main/main.html” debut – admin pages of Brother printers, not secured.
port:161 hp – HP printers that can be restarted remotely via port 161.
port:23 “Password is not set” – open access via Telnet to printers without set passwords.
“Laser Printer FTP Server” – printers accessible via FTP with anonymous login allowed.
Printer Type: Lexmark – access to control panels for Lexmark make printers.
http 200 server epson -upnp – HTTP accessible Epson printers.
“Server: EPSON-HTTP” “200 OK” – another variation of the above search.
ssl:”Xerox Generic Root” – remote access to Xerox printers.
“Server: CANON HTTP Server” – Canon printer servers through HTTP connection.
Explore further by these tags:
PRINTER: https://www.shodan.io/explore/tag/printer
PRINTERS: https://www.shodan.io/explore/tag/printers
PRINT SERVER: https://www.shodan.io/explore/tag/print%20server
Compromised devices and websites
hacked – general search for the ‘hacked’ label.
“hacked by” – another variation of the above search.
http.title:”Hacked by” – another variation of the same search filter.
http.title:”0wn3d by” – resourced labelled as ‘owned’ by a threat agent, hacker group, etc.
“HACKED-ROUTER” – compromised routers, labelled accordingly.
port:”27017″ “send_bitcoin_to_retrieve_the_data” – databases affected by ransomware, with the ransom demand still associated with them.
bitcoin has_screenshot:true – searches for the ‘bitcoin’ keyword, where a screenshot is present (useful for RDP screens of endpoints infected with ransomware).
port:4444 system32 – compromised legacy operating systems. Port 4444 is the default port for Meterpreter – a Metasploit attack payload with an interactive shell for remote code execution.
“attention”+”encrypted”+port:3389 – ransomware infected RDP services.
“HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD” – compromised hosts with the name changed to that phrase.
“HACKED FTP server” – compromised FTP servers.
Explore further by the HACKED tag: https://www.shodan.io/explore/tag/hacked
Miscellaneous
solar – controls for solar panels and similar solar devices.
“ETH – Total speed” – Ethereum cryptocurrency miners.
http.html:”* The wp-config.php creation script uses this file” – misconfigured WordPress websites.
http.title:”Nordex Control” – searches for Nordex wind turbine farms.
“Server: EIG Embedded Web Server” “200 Document follows” – EIG electricity meters.
“DICOM Server Response” port:104 – DICOM medical machinery.
http.title:”Tesla” – anything with the term “Tesla” in the banner.
“in-tank inventory” port:10001 – petrol pumps, including their physical addresses.
http.title:”dashboard” – literally anything labelled ‘dashboard’, with many not accessible due to security by default.
http.title:”control panel” – as above, but whatever is labelled as control panels.
https://www.osintme.com/index.php/2021/01/16/ultimate-osint-with-shodan-100-great-shodan-queries/
Last updated