Shodan Dorks by twitter.com/lothos612 Feel free to make suggestions From: https://github.com/lothos612/shodan Shodan Dorks Basic Shodan Filters city: Find devices in a particular city. city:"Bangalore" country: Find devices in a particular country. country:"IN" geo: Find devices by giving geographical coordinates. geo:"56.913055,118.250862" Location country:us country:ru country:de city:chicago hostname: Find devices matching the hostname. server: "gws" hostname:"google" hostname:example.com -hostname:subdomain.example.com hostname:example.com,example.org net: Find devices based on an IP address or /x CIDR. net:210.214.0.0/16 Organization org:microsoft org:"United States Department" Autonomous System Number (ASN) asn:ASxxxx os: Find devices based on operating system. os:"windows 7" port: Find devices based on open ports. proftpd port:21 before/after: Find devices before or after between a given time. apache after:22/02/2009 before:14/3/2010 SSL/TLS Certificates Self signed certificates ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com Expired certificates ssl.cert.expired:true ssl.cert.subject.cn:example.com Device Type device:firewall device:router device:wap device:webcam device:media device:"broadband router" device:pbx device:printer device:switch device:storage device:specialized device:phone device:"voip" device:"voip phone" device:"voip adaptor" device:"load balancer" device:"print server" device:terminal device:remote device:telecom device:power device:proxy device:pda device:bridge Operating System os:"windows 7" os:"windows server 2012" os:"linux 3.x" Product product:apache product:nginx product:android product:chromecast Customer Premises Equipment (CPE) cpe:apple cpe:microsoft cpe:nginx cpe:cisco Server server: nginx server: apache server: microsoft server: cisco-ios ssh fingerprints dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0 Web Pulse Secure http.html:/dana-na PEM Certificates http.title:"Index of /" http.html:".pem" Tor / Dark Web sites onion-location Databases MySQL "product:MySQL" mysql port:"3306" MongoDB "product:MongoDB" mongodb port:27017 Fully open MongoDBs "MongoDB Server Information { "metrics":" "Set-Cookie: mongo-express=" "200 OK" "MongoDB Server Information" port:27017 -authentication Kibana dashboards without authentication kibana content-legth:217 elastic port:9200 json port:"9200" all:elastic port:"9200" all:"elastic indices" Memcached "product:Memcached" CouchDB "product:CouchDB" port:"5984"+Server: "CouchDB/2.1.0" PostgreSQL "port:5432 PostgreSQL" Riak "port:8087 Riak" Redis "product:Redis" Cassandra "product:Cassandra" Industrial Control Systems Samsung Electronic Billboards "Server: Prismview Player" Gas Station Pump Controllers "in-tank inventory" port:10001 Fuel Pumps connected to internet: No auth required to access CLI terminal. "privileged command" GET Automatic License Plate Readers P372 "ANPR enabled" Traffic Light Controllers / Red Light Cameras mikrotik streetlight Voting Machines in the United States "voter system serial" country:US Open ATM: May allow for ATM Access availability NCR Port:"161" Telcos Running Cisco Lawful Intercept Wiretaps "Cisco IOS" "ADVIPSERVICESK9_LI-M" Prison Pay Phones "[2J[H Encartele Confidential" Tesla PowerPack Charging Status http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2 Electric Vehicle Chargers "Server: gSOAP/2.8" "Content-Length: 583" Maritime Satellites Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too! "Cobham SATCOM" OR ("Sailor" "VSAT") Submarine Mission Control Dashboards title:"Slocum Fleet Mission Control" CAREL PlantVisor Refrigeration Units "Server: CarelDataServer" "200 Document follows" Nordex Wind Turbine Farms http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)" C4 Max Commercial Vehicle GPS Trackers "[1m[35mWelcome on console" DICOM Medical X-Ray Machines Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet. "DICOM Server Response" port:104 GaugeTech Electricity Meters "Server: EIG Embedded Web Server" "200 Document follows" Siemens Industrial Automation "Siemens, SIMATIC" port:161 Siemens HVAC Controllers "Server: Microsoft-WinCE" "Content-Length: 12581" Door / Lock Access Controllers "HID VertX" port:4070 Railroad Management "log off" "select the appropriate" Tesla Powerpack charging Status: Helps to find the charging status of tesla powerpack. http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2 XZERES Wind Turbine title:"xzeres wind" PIPS Automated License Plate Reader "html:"PIPS Technology ALPR Processors"" Modbus "port:502" Niagara Fox "port:1911,4911 product:Niagara" GE-SRTP "port:18245,18246 product:"general electric"" MELSEC-Q "port:5006,5007 product:mitsubishi" CODESYS "port:2455 operating system" S7 "port:102" BACnet "port:47808" HART-IP "port:5094 hart-ip" Omron FINS "port:9600 response code" IEC 60870-5-104 "port:2404 asdu address" DNP3 "port:20000 source address" EtherNet/IP "port:44818" PCWorx "port:1962 PLC" Crimson v3.0 "port:789 product:"Red Lion Controls" ProConOS "port:20547 PLC" Remote Desktop Unprotected VNC "authentication disabled" port:5900,5901 "authentication disabled" "RFB 003.008" Windows RDP 99.99% are secured by a secondary Windows login screen. "\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00" C2 Infrastructure CobaltStrike Servers product:"cobalt strike team server" product:"Cobalt Strike Beacon" ssl.cert.serial:146473198 - default certificate serial number ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 ssl:foren.zik Brute Ratel http.html_hash:-1957161625 product:"Brute Ratel C4" Covenant ssl:”Covenant” http.component:”Blazor” Metasploit ssl:"MetasploitSelfSignedCA" Network Infrastructure Hacked routers: Routers which got compromised hacked-router-help-sos Redis open instances product:"Redis key-value store" Citrix: Find Citrix Gateway. title:"citrix gateway" Weave Scope Dashboards Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure. title:"Weave Scope" http.favicon.hash:567176827 Jenkins CI "X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard" Jenkins: Jenkins Unrestricted Dashboard x-jenkins 200 Docker APIs "Docker Containers:" port:2375 Docker Private Registries "Docker-Distribution-Api-Version: registry" "200 OK" -gitlab Pi-hole Open DNS Servers "dnsmasq-pi-hole" "Recursion: enabled" DNS Servers with recursion "port: 53" Recursion: Enabled Already Logged-In as root via Telnet "root@" port:23 -login -password -name -Session Telnet Access: NO password required for telnet access. port:23 console gateway Polycom video-conference system no-auth shell "polycom command shell" NPort serial-to-eth / MoCA devices without password nport -keyin port:23 Android Root Bridges A tangential result of Google's sloppy fractured update approach. 🙄 More information here. "Android Debug Bridge" "Device" port:5555 Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords Lantronix password port:30718 -secured Citrix Virtual Apps "Citrix Applications:" port:1604 Cisco Smart Install Vulnerable (kind of "by design," but especially when exposed). "smart install client active" PBX IP Phone Gateways PBX "gateway console" -password port:23 Polycom Video Conferencing http.title:"- Polycom" "Server: lighttpd" "Polycom Command Shell" -failed port:23 Telnet Configuration: "Polycom Command Shell" -failed port:23 Example: Polycom Video Conferencing Bomgar Help Desk Portal "Server: Bomgar" "200 OK" Intel Active Management CVE-2017-5689 "Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995 ”Active Management Technology” HP iLO 4 CVE-2017-12542 HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900 Lantronix ethernet adapter’s admin interface without password "Press Enter for Setup Mode port:9999" Wifi Passwords: Helps to find the cleartext wifi passwords in Shodan. html:"def_wirelesspassword" Misconfigured Wordpress Sites: The wp-config.php if accessed can give out the database credentials. http.html:"* The wp-config.php creation script uses this file" Outlook Web Access: Exchange 2007 "x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0" Exchange 2010 "x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392 Exchange 2013 / 2016 "X-AspNet-Version" http.title:"Outlook" -"x-owa-version" Lync / Skype for Business "X-MS-Server-Fqdn" Network Attached Storage (NAS) SMB (Samba) File Shares Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc. "Authentication: disabled" port:445 Specifically domain controllers: "Authentication: disabled" NETLOGON SYSVOL -unix port:445 Concerning default network shares of QuickBooks files: "Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445 FTP Servers with Anonymous Login "220" "230 Login successful." port:21 Iomega / LenovoEMC NAS Drives "Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In" Buffalo TeraStation NAS Drives Redirecting sencha port:9000 Logitech Media Servers "Server: Logitech Media Server" "200 OK" Example: Logitech Media Servers Plex Media Servers "X-Plex-Protocol" "200 OK" port:32400 Tautulli / PlexPy Dashboards "CherryPy/5.1.0" "/home" Home router attached USB "IPC$ all storage devices" Webcams Generic camera search title:camera Webcams with screenshots webcam has_screenshot:true D-Link webcams "d-Link Internet Camera, 200 OK" Hipcam "Hipcam RealServer/V1.0" Yawcams "Server: yawcam" "Mime-Type: text/html" webcamXP/webcam7 ("webcam 7" OR "webcamXP") http.component:"mootools" -401 Android IP Webcam Server "Server: IP Webcam Server" "200 OK" Security DVRs html:"DVR_H264 ActiveX" Surveillance Cams: With username:admin and password: :P NETSurveillance uc-httpd Server: uc-httpd 1.0.0 Printers & Copiers: HP Printers "Serial Number:" "Built:" "Server: HP HTTP" Xerox Copiers/Printers ssl:"Xerox Generic Root" Epson Printers "SERVER: EPSON_Linux UPnP" "200 OK" "Server: EPSON-HTTP" "200 OK" Canon Printers "Server: KS_HTTP" "200 OK" "Server: CANON HTTP Server" Home Devices Yamaha Stereos "Server: AV_Receiver" "HTTP/1.1 406" Apple AirPlay Receivers Apple TVs, HomePods, etc. "\x08_airplay" port:5353 Chromecasts / Smart TVs "Chromecast:" port:8008 Crestron Smart Home Controllers "Model: PYNG-HUB" Random Stuff Calibre libraries "Server: calibre" http.status:200 http.title:calibre OctoPrint 3D Printer Controllers title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944 Etherium Miners "ETH - Total speed" Apache Directory Listings Substitute .pem with any extension or a filename like phpinfo.php. http.title:"Index of /" http.html:".pem" Misconfigured WordPress Exposed wp-config.php files containing database credentials. http.html:"* The wp-config.php creation script uses this file" Too Many Minecraft Servers "Minecraft Server" "protocol 340" port:25565 Literally Everything in North Korea net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24