# Passive OSINT

## Netcraft.com

Finds underlying OS, web server version uptime&#x20;

## Find subdomains

Sometimes SSL is a goldmine of information

```
crt.sh
```

```
#!/bin/bash
# a basic script to pull information from crt and present it
# example ./crt.sh offsecnewbie.com
# author rowbot
if [[ $# -eq 0 ]] ;

then
	echo "Usage: ./crt.sh domain. Also you might have to install jq - 'apt get install jq'"
	exit 1

else

curl -s https://crt.sh/\?q\=\%.$1\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > $1

fi


```

If you can't get jq installed - try this script

```
#!/bin/bash
# a basic script to pull information from crt and present it
# example ./crt.sh offsecnewbie.com
# author rowbot

if [[ $# -eq 0 ]] ;

then
	echo "Usage: ./crt.sh domain"
	exit 1

else

curl -s "https://crt.sh/?q=%.$1" -o rawdata; cat rawdata | grep "<TD>" | grep -vE "style" | cut -d ">" -f 2 | grep -Po '.*(?=....$)' | sort -u | grep -v "*" > $1

fi
```

Compare subdomains found using theHavester with crt.sh script as some will be missing - not all domains have ssl.

```
theHarvester -d offsecnewbie.com -l 500 -b google
```

IP addresses from subdomains

```
for i in $(cat subdomains.txt); do dig $i | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | grep -vE "10.*"; done
```

Use Virustotal to find subdomains

```
https://www.virustotal.com
```

![](https://1508177803-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LSy0aAo8OKT4I-Ahftv%2F-Lld37FJPVUr9P6Bx15p%2F-Lld3EgoxtLpK2IAFQpi%2Fimage.png?alt=media\&token=e28bfaca-97aa-4c54-b25a-8eaa9f1537c0)

Also you can play about with a nice entity diagram

![](https://1508177803-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LSy0aAo8OKT4I-Ahftv%2F-Lld37FJPVUr9P6Bx15p%2F-Lld3ZkH4lqUqZydifNH%2Fimage.png?alt=media\&token=dbd1cf37-4481-4f97-a25b-b5da9ed20814)

## Read

```
https://www.bugcrowd.com/blog/discovering-subdomains/
```

FireFox addon - passive recon

## Google hacking

```
examples here
site:offsecnewbie.com doctype:docx
inurl:/etc/passwd%00 intext:root
also check out doc meta info, ie doc creator, where doc was stored, created with Office 2010, saved on this network share eg its IP address
```

also heck out doc meta info, gives info such as where doc was stored - network share ip address, who created it, what was it created with etc&#x20;

```
https://github.com/ElevenPaths/FOCA
```

## Social Media Search

Search for people on social media

```
/opt/sherlock/sherlock.py
```

## Recon

A giant inventory of recon tools is available via the Skip Tracing Framework

```
https://makensi.es/stf/
```

## Find information about a device that is connected

Create a <https://grabify.link/> and get someone to click on it.

On device go to <https://www.deviceinfo.me/>

## List of OSINT Tools

{% embed url="<https://start.me/p/wMdQMQ/tools>" %}

{% embed url="<https://start.me/p/1kJKR9/commandergirl-s-suggestions>" %}

{% embed url="<https://www.osintme.com/index.php/2021/01/16/ultimate-osint-with-shodan-100-great-shodan-queries>" %}

1. [title:camera](https://www.shodan.io/search?query=title%3Acamera) – general search for anything matching the “camera” keyword.
2. [webcam has\_screenshot:true](https://www.shodan.io/search?query=webcam+has_screenshot%3Atrue) – a general search for any IoT device identified as a webcam that has screenshots available.
3. [has\_screenshot:true IP Webcam](https://www.shodan.io/search?query=has_screenshot%3Atrue+IP+Webcam) – another version of the above search, see how the results might differ?
4. [server: webcampxp](https://www.shodan.io/search?query=server%3A+webcamxp) – webcamXP is one of the most popular and commonly encountered network camera software for Windows OS.&#x20;
5. [server: “webcam 7”](https://www.shodan.io/search?query=server%3A+%22webcam+7%22) – webcam 7 cameras; not as popular as the above type, but still they are still popular and encountered out there.
6. [title:”blue iris remote view”](https://www.shodan.io/search?query=title%3A%22blue+iris+remote+view%22) – webcams identified as belonging to the [Blue Iris](https://blueirissoftware.com/) webcam remote management and monitoring service.
7. [title:”ui3 -“](https://www.shodan.io/search?query=title%3A%22ui3+-%22) – UI3 is a  HTML5 web interface for Blue Iris mentioned above.
8. [title:”Network Camera VB-M600″](https://www.shodan.io/search?query=title%3A%22Network+Camera+VB-M600%22) – Canon manufactured megapixel security cameras.
9. [product:”Yawcam webcam viewer httpd”](https://www.shodan.io/search?query=product%3A%22Yawcam+webcam+viewer+httpd%22) – Yawcam stands for Yet Another WebCAM, free live streaming and webcam software.
10. [title:”IPCam Client”](https://www.shodan.io/search?query=title%3A%22IPCam+Client%22) – IPCam Client webcam devices.
11. [server: GeoHttpServer](https://www.shodan.io/search?query=Server%3A+GeoHttpServer) – GeoVision (GeoHttpServer) Webcams, older webcam software with some had well documented vulnerabilities.
12. [server: VVTK-HTTP-Server](https://www.shodan.io/search?query=server%3A+VVTK-HTTP-Server) – Vivotek IP cameras.
13. [title:”Avigilon”](https://www.shodan.io/search?query=title%3A%22Avigilon%22) – access to the Avigilion brand camera and monitoring devices.
14. [ACTi](https://www.shodan.io/search?query=ACTi) – various IP camera and video management system products.
15. [WWW-Authenticate: “Merit LILIN Ent. Co., Ltd.”](https://www.shodan.io/search?query=WWW-Authenticate%3A+%22Merit+LILIN+Ent.+Co.%2C+Ltd.%22) – a UK-based house automation / IP camera provider.
16. [title:”+tm01+”](https://www.shodan.io/search?query=title%3A%22%2Btm01%2B%22) – unsecured Linksys webcams, a lot of them with screenshots.
17. [server: “i-Catcher Console”](https://www.shodan.io/search?query=server%3A+%22i-Catcher+Console%22) – another example of an IP-based CCTV system.
18. [Netwave IP Camera Content-Length: 2574](https://www.shodan.io/search?query=Netwave+IP+Camera+Content-Length%3A+2574) – access to the Netwave make IP cameras.
19. [200 ok dvr port:”81″](https://www.shodan.io/search?query=200+ok+dvr+port%3A%2281%22) – DVR CCTV cameras accessible via http.
20. [WVC80N](https://www.shodan.io/search?query=WVC80N) – Linksys WVC80N cameras.

&#x20;

Explore further by these tags:

WEBCAM: <https://www.shodan.io/explore/tag/webcam>

CAM: [https://www.shodan.io/explore/tag/cam ](https://www.shodan.io/explore/tag/cam)

CAMERA: <https://www.shodan.io/explore/tag/camera>

#### VOIP communication devices

1. [device:”voip”](https://www.shodan.io/search?query=device%3A%22voip%22) – general search for Voice over IP devices.
2. [device:”voip phone”](https://www.shodan.io/search?query=device%3A%22voip+phone%22) – more specific search for anything VoIP containing a “phone” keyword.
3. [server: snom](https://www.shodan.io/search?query=server%3A+snom) – Snom is a VoIP provider with some legacy devices online.
4. [“snom embedded 200 OK”](https://www.shodan.io/search?query=%22snom+embedded+200+OK%22) – Snom devices with enabled authentication.
5. [AddPac](https://www.shodan.io/search?query=AddPac) – an older VoIP provider, nearly exclusively legacy devices.
6. [mcu: tandberg](https://www.shodan.io/search?query=mcu%3A+tandberg) – Tandberg is a hardware manufacturer of multi-point control units for video conferencing.
7. [title:”polycom”](https://www.shodan.io/search?query=title%3A%22polycom%22) – Polycom is another VoIP communication brand.
8. [title:”openstage”](https://www.shodan.io/search?query=title%3A%22openstage%22) – Siemens Openstage brand IP phones.
9. [39 voip](https://www.shodan.io/search?query=39+voip) – some more VoIP services, mostly behind login screens
10. [Server: MSOS/2.0 mawebserver/1.1](https://www.shodan.io/search?query=Server%3A+MSOS%2F2.0+mawebserver%2F1.1) – VoIP media gateway, commonly used by services such as Patton SN4112 FXO.

#### Database searches

1. [product:MySQL](https://www.shodan.io/search?query=product%3AMySQL) – broad search for MySQL databases.
2. [mongodb port:27017](https://www.shodan.io/search?query=mongodb+port%3A27017) – MongoDB databases on their default port. Unsecured by default.
3. [“MongoDB Server Information” port:27017](https://www.shodan.io/search?query=%22MongoDB+Server+Information%22+port%3A27017) – another variation of the above search.
4. [“MongoDB Server Information { “metrics”:”](https://www.shodan.io/search?query=%22MongoDB+Server+Information+%7B+++++%22metrics%22%3A%22) – fully open MongoDBs.
5. [“Set-Cookie: mongo-express=” “200 OK”](https://www.shodan.io/search?query=%22Set-Cookie%3A+mongo-express%3D%22+%22200+OK%22) – MongoDB open databases.
6. [kibana content-length:217](https://www.shodan.io/search?query=kibana+content-length%3A217) – Kibana dashboards accessible without authentication.
7. [port:”9200″ all:elastic](https://www.shodan.io/search?query=port%3A%229200%22+all%3Aelastic) – Elasticsearch open databases.
8. [port:5432 PostgreSQL](https://www.shodan.io/search?query=port%3A5432+PostgreSQL) – remote connections to PostgreSQL servers.
9. [product:”CouchDB”](https://www.shodan.io/search?query=product%3A%22CouchDB%22) – Apache CouchDB databases listed.
10. [port:”5984″+Server: “CouchDB/2.1.0”](https://www.shodan.io/search?query=port%3A%225984%22%2BServer%3A+%22CouchDB%2F2.1.0%22) – vulnerable CouchDB where remote code execution may be possible.

&#x20;

Explore further by the DATABASE tag: [https://www.shodan.io/explore/tag/database ](https://www.shodan.io/explore/tag/database)Database searches

1. [product:MySQL](https://www.shodan.io/search?query=product%3AMySQL) – broad search for MySQL databases.
2. [mongodb port:27017](https://www.shodan.io/search?query=mongodb+port%3A27017) – MongoDB databases on their default port. Unsecured by default.
3. [“MongoDB Server Information” port:27017](https://www.shodan.io/search?query=%22MongoDB+Server+Information%22+port%3A27017) – another variation of the above search.
4. [“MongoDB Server Information { “metrics”:”](https://www.shodan.io/search?query=%22MongoDB+Server+Information+%7B+++++%22metrics%22%3A%22) – fully open MongoDBs.
5. [“Set-Cookie: mongo-express=” “200 OK”](https://www.shodan.io/search?query=%22Set-Cookie%3A+mongo-express%3D%22+%22200+OK%22) – MongoDB open databases.
6. [kibana content-length:217](https://www.shodan.io/search?query=kibana+content-length%3A217) – Kibana dashboards accessible without authentication.
7. [port:”9200″ all:elastic](https://www.shodan.io/search?query=port%3A%229200%22+all%3Aelastic) – Elasticsearch open databases.
8. [port:5432 PostgreSQL](https://www.shodan.io/search?query=port%3A5432+PostgreSQL) – remote connections to PostgreSQL servers.
9. [product:”CouchDB”](https://www.shodan.io/search?query=product%3A%22CouchDB%22) – Apache CouchDB databases listed.
10. [port:”5984″+Server: “CouchDB/2.1.0”](https://www.shodan.io/search?query=port%3A%225984%22%2BServer%3A+%22CouchDB%2F2.1.0%22) – vulnerable CouchDB where remote code execution may be possible.

&#x20;

Explore further by the DATABASE tag: [https://www.shodan.io/explore/tag/database ](https://www.shodan.io/explore/tag/database)

#### Maritime devices

1. [maritime](https://www.shodan.io/search?query=maritime) – general search for anything related to maritime devices.
2. [sailor](https://www.shodan.io/search?query=sailor) – another wide search, could yield unrelated results!
3. [org:marlink](https://www.shodan.io/search?query=org%3Amarlink) – general search; Marlink is the world’s largest maritime satellite communications provider.
4. [satcom](https://www.shodan.io/search?query=satcom) – another maritime satellite communications services provider.
5. [inmarsat](https://www.shodan.io/search?query=inmarsat) – as above, but a slightly less known equipment vendor.
6. [vsat](https://www.shodan.io/search?query=vsat) – abbreviation for “very-small-aperture terminal”, a data transmitter / receiver commonly used by maritime vessels.
7. [ECDIS](https://www.shodan.io/search?query=ECDIS) – abbreviation for Electronic Chart Display and Information Systems, used in navigation and autopilot systems.
8. [uhp vsat terminal software -password](https://www.shodan.io/search?query=uhp+vsat+terminal+software+-password) – satellite network router without a password.
9. [ssl:”Cobham SATCOM”](https://www.shodan.io/search?query=ssl%3A%22Cobham+SATCOM%22) – maritime radio and locations systems.
10. [title:”Slocum Fleet Mission Control”](https://www.shodan.io/search?query=title%3A%22Slocum+Fleet+Mission+Control%22) – maritime mission control software.

&#x20;

Explore further by the VSAT tag: <https://www.shodan.io/explore/tag/vsat>

#### Files & directories

1. [http.title:”Index of /”](https://www.shodan.io/search?query=http.title%3A%22Index+of+%2F%22) – open lists of files and directories on various servers.
2. [port:80 title:”Index of /”](https://www.shodan.io/search?query=port%3A80+title%3A%22Index+of+%2F%22) – slight variation of the above, note how the results might differ.
3. [“220” “230 Login successful.” port:21](https://www.shodan.io/search?query=%22220%22+%22230+Login+successful.%22+port%3A21) – FTP resources potentially accessible without login credentials.
4. [230 ‘anonymous@’ login ok](https://www.shodan.io/search?query=230+%27anonymous%40%27+login+ok) – anonymous login allowed to FTP resources.
5. [“Anonymous+access+allowed” port:”21″](https://www.shodan.io/search?query=%22Anonymous%2Baccess%2Ballowed%22+port%3A%2221%22) – as above.
6. [vsftpd 2.3.4](https://www.shodan.io/search?query=Vsftpd+2.3.4) – legacy Linux based FTP service with a widely known security vulnerability
7. [ftp port:”10000″](https://www.shodan.io/search?query=ftp+port%3A%2210000%22) – Network Data Management Protocol (NDMP), used for backup of network-attached storage (NAS) devices.
8. [“Authentication: disabled” port:445 product:”Samba”](https://www.shodan.io/search?query=%22Authentication%3A+disabled%22+port%3A445+product%3A%22Samba%22) – SMB file sharing
9. [“QuickBooks files OverNetwork” -unix port:445](https://www.shodan.io/search?query=%22QuickBooks+files+OverNetwork%22+-unix+port%3A445) – default settings for sharing QuickBooks files.
10. [filezilla port:”21″](https://www.shodan.io/search?query=filezilla+port%3A%2221%22) – popular file sharing software Filezilla.

&#x20;

Explore further by these tags:

FTP: <https://www.shodan.io/explore/tag/ftp>

SMB: [https://www.shodan.io/explore/tag/smb ](https://www.shodan.io/explore/tag/smb)

#### Legacy Windows operating systems

1. [os:”Windows 5.0″](https://www.shodan.io/search?query=os%3A%22Windows+5.0%22) – Windows 2000; support ended in 2010.
2. [os:”Windows 5.1″](https://www.shodan.io/search?query=os%3A%22Windows+5.1%22) – Windows XP; support ended in 2014.
3. [os:Windows 2003](https://www.shodan.io/search?query=os%3AWindows+2003) – Windows Server 2003; support ended in 2015.
4. [os:”Windows Vista”](https://www.shodan.io/search?query=os%3A%22Windows+Vista%22)– Windows Vista; support ended in 2017.
5. [os:Windows 2008](https://www.shodan.io/search?query=os%3AWindows+2008) – Windows Server 2008; support ended in 2020.
6. [os:”Windows 7″](https://www.shodan.io/search?query=os%3A%22Windows+7%22) – Windows 7; support ended in 2020.
7. [os:”Windows 8″](https://www.shodan.io/search?query=os%3A%22Windows+8%22) – Windows 8; support ended in 2016.
8. [os:Windows 2011](https://www.shodan.io/search?query=os%3AWindows+2011) – Windows Home Server 2011; support ended in 2016.
9. [os:”Windows 8.1″](https://www.shodan.io/search?query=os%3A%22Windows+8.1%22) – Windows 8.1; support ended in 2018.
10. [os:Windows 2012](https://www.shodan.io/search?query=os%3AWindows+2012) – Windows Server 2012; support ended in 2018.

&#x20;

Explore further by the WINDOWS tag: <https://www.shodan.io/explore/tag/windows>

#### Default / generic credentials

1. [admin 1234](https://www.shodan.io/search?query=admin+1234) – basic very unsecure credentials.
2. [“default password”](https://www.shodan.io/search?query=%22default+password%22) – speaks for itself…
3. [test test port:”80″](https://www.shodan.io/search?query=test+test+port%3A%2280%22) – generic test credentials over HTTP.
4. [“authentication disabled” “RFB 003.008”](https://www.shodan.io/search?query=%22authentication+disabled%22+%22RFB+003.008%22) – no authentication necessary.
5. “[root@” port:23 -login -password -name -Session](https://www.shodan.io/search?query=%22root%40%22+port%3A23+-login+-password+-name+-Session) – accounts already logged in with root privilege over Telnet, port 23.
6. [port:23 console gateway](https://www.shodan.io/search?query=port%3A23+console+gateway) – remote access via Telnet, no password required.
7. [html:”def\_wirelesspassword”](https://www.shodan.io/search?query=html%3A%22def_wirelesspassword%22) – default login pages for routers.
8. [“polycom command shell”](https://www.shodan.io/search?query=%22polycom+command+shell%22) – possible authentication bypass to Polycom devices.
9. [“authentication disabled” port:5900,5901](https://www.shodan.io/search?query=%22authentication+disabled%22+port%3A5900%2C5901) – VNC services without authentication.
10. [“server: Bomgar” “200 OK”](https://www.shodan.io/search?query=%22server%3A+Bomgar%22+%22200+OK%22) – Bomgar remote support service.

&#x20;

Explore further by the VNC tag: <https://www.shodan.io/explore/tag/vnc>

#### Printers

1. [printer](https://www.shodan.io/search?query=printer) – general search for printers.
2. [“HP-ChaiSOE” port:”80″](https://www.shodan.io/search?query=%22HP-ChaiSOE%22+port%3A%2280%22) – HP LaserJet printers accessible through HTTP.
3. [title:”syncthru web service”](https://www.shodan.io/search?query=title%3A%22syncthru+web+service%22) – older Samsung printers, not secured by default.
4. [“Location: /main/main.html” debut](https://www.shodan.io/search?query=%22Location%3A+%2Fmain%2Fmain.html%22+debut) – admin pages of Brother printers, not secured.
5. [port:161 hp](https://www.shodan.io/search?query=port%3A161+hp) – HP printers that can be restarted remotely via port 161.
6. [port:23 “Password is not set”](https://www.shodan.io/search?query=port%3A23+%22Password+is+not+set%22) – open access via Telnet to printers without set passwords.
7. [“Laser Printer FTP Server”](https://www.shodan.io/search?query=%22Laser+Printer+FTP+Server%22) – printers accessible via FTP with anonymous login allowed.
8. [Printer Type: Lexmark](https://www.shodan.io/search?query=Printer+Type%3A+Lexmark) – access to control panels for Lexmark make printers.
9. [http 200 server epson -upnp](https://www.shodan.io/search?query=http+200+server+epson+-upnp) – HTTP accessible Epson printers.
10. [“Server: EPSON-HTTP” “200 OK”](https://www.shodan.io/search?query=%22Server%3A+EPSON-HTTP%22+%22200+OK%22) – another variation of the above search.
11. [ssl:”Xerox Generic Root”](https://www.shodan.io/search?query=ssl%3A%22Xerox+Generic+Root%22) – remote access to Xerox printers.
12. [“Server: CANON HTTP Server”](https://www.shodan.io/search?query=%22Server%3A+CANON+HTTP+Server%22) – Canon printer servers through HTTP connection.

&#x20;

Explore further by these tags:

PRINTER: <https://www.shodan.io/explore/tag/printer>

PRINTERS: <https://www.shodan.io/explore/tag/printers>

PRINT SERVER: [https://www.shodan.io/explore/tag/print%20server ](https://www.shodan.io/explore/tag/print%20server)

#### Compromised devices and websites

1. [hacked](https://www.shodan.io/search?query=hacked) – general search for the ‘hacked’ label.
2. [“hacked by”](https://www.shodan.io/search?query=%22hacked+by%22) – another variation of the above search.
3. [http.title:”Hacked by”](https://www.shodan.io/search?query=http.title%3A%22Hacked+by%22) – another variation of the same search filter.
4. [http.title:”0wn3d by”](https://www.shodan.io/search?query=http.title%3A%220wn3d+by%22) – resourced labelled as ‘owned’ by a threat agent, hacker group, etc.
5. [“HACKED-ROUTER”](https://www.shodan.io/search?query=%22HACKED-ROUTER%22) – compromised routers, labelled accordingly.
6. [port:”27017″ “send\_bitcoin\_to\_retrieve\_the\_data”](https://www.shodan.io/search?query=port%3A%2227017%22+%22send_bitcoin_to_retrieve_the_data%22) – databases affected by ransomware, with the ransom demand still associated with them.
7. [bitcoin has\_screenshot:true](https://www.shodan.io/search?query=bitcoin+has_screenshot%3Atrue) – searches for the ‘bitcoin’ keyword, where a screenshot is present (useful for RDP screens of endpoints infected with ransomware).
8. [port:4444 system32](https://www.shodan.io/search?query=port%3A4444+system32) – compromised legacy operating systems. Port 4444 is the default port for Meterpreter – a Metasploit attack payload with an interactive shell for remote code execution.
9. [“attention”+”encrypted”+port:3389](https://www.shodan.io/search?query=%22attention%22%2B%22encrypted%22%2Bport%3A3389) – ransomware infected RDP services.
10. [“HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD”](https://www.shodan.io/search?query=%22HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD%22) – compromised hosts with the name changed to that phrase.
11. [“HACKED FTP server”](https://www.shodan.io/search?query=%22HACKED+FTP+server%22+) – compromised FTP servers.

&#x20;

Explore further by the HACKED tag: [https://www.shodan.io/explore/tag/hacked ](https://www.shodan.io/explore/tag/hacked)

#### Miscellaneous

1. [solar](https://www.shodan.io/search?query=solar) – controls for solar panels and similar solar devices.
2. [“ETH – Total speed”](https://www.shodan.io/search?query=%22ETH+-+Total+speed%22) – Ethereum cryptocurrency miners.
3. [http.html:”\* The wp-config.php creation script uses this file”](https://www.shodan.io/search?query=http.html%3A%22*+The+wp-config.php+creation+script+uses+this+file%22) – misconfigured WordPress websites.
4. [http.title:”Nordex Control”](https://www.shodan.io/search?query=http.title%3A%22Nordex+Control%22) – searches for Nordex wind turbine farms.
5. [“Server: EIG Embedded Web Server” “200 Document follows”](https://www.shodan.io/search?query=%22Server%3A+EIG+Embedded+Web+Server%22+%22200+Document+follows%22) – EIG electricity meters.
6. [“DICOM Server Response” port:104](https://www.shodan.io/search?query=%22DICOM+Server+Response%22+port%3A104) – DICOM medical machinery.
7. [http.title:”Tesla”](https://www.shodan.io/search?query=http.title%3A%22Tesla%22) –  anything with the term “Tesla” in the banner.
8. [“in-tank inventory” port:10001](https://www.shodan.io/search?query=%22in-tank+inventory%22+port%3A10001) – petrol pumps, including their physical addresses.
9. [http.title:”dashboard”](https://www.shodan.io/search?query=http.title%3A%22dashboard%22) – literally anything labelled ‘dashboard’, with many not accessible due to security by default.
10. [http.title:”control panel”](https://www.shodan.io/search?query=http.title%3A%22control+panel%22) – as above, but whatever is labelled as control panels.

## Favicon - Search in Shodan

<https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv>