Last activity 1727326209

Malin revised this gist 1727326209. Go to revision

1 file changed, 1 insertion

shodan-dorks.txt

@@ -1,5 +1,6 @@
1 1 Shodan Dorks by twitter.com/lothos612
2 2 Feel free to make suggestions
3 + From: https://github.com/lothos612/shodan
3 4
4 5 Shodan Dorks
5 6 Basic Shodan Filters
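Review bot: The new "From:" attribution line is placed between the author credit and the "Feel free to make suggestions" line, which splits the header; moving it directly under the author line (or after "Feel free to make suggestions", before the blank separator) would keep the credit block together. Since the gist will drift from the upstream repository over time, it would also help to record the upstream revision or the date the list was copied next to the URL.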

Malin revised this gist 1727326027. Go to revision

1 file changed, 0 insertions, 0 deletions

shodan-dorks.md renamed to shodan-dorks.txt

File renamed without changes

Malin revised this gist 1727326015. Go to revision

1 file changed, 477 insertions

shodan-dorks.md (file created)

@@ -0,0 +1,477 @@
1 + Shodan Dorks by twitter.com/lothos612
2 + Feel free to make suggestions
3 +
4 + Shodan Dorks
5 + Basic Shodan Filters
6 + city:
7 + Find devices in a particular city. city:"Bangalore"
8 +
9 + country:
10 + Find devices in a particular country. country:"IN"
11 +
12 + geo:
13 + Find devices by giving geographical coordinates. geo:"56.913055,118.250862"
14 +
15 + Location
16 + country:us country:ru country:de city:chicago
17 +
18 + hostname:
19 + Find devices matching the hostname. server: "gws" hostname:"google" hostname:example.com -hostname:subdomain.example.com hostname:example.com,example.org
20 +
21 + net:
22 + Find devices based on an IP address or /x CIDR. net:210.214.0.0/16
23 +
24 + Organization
25 + org:microsoft org:"United States Department"
26 +
27 + Autonomous System Number (ASN)
28 + asn:ASxxxx
29 +
30 + os:
31 + Find devices based on operating system. os:"windows 7"
32 +
33 + port:
34 + Find devices based on open ports. proftpd port:21
35 +
36 + before/after:
37 + Find devices before or after between a given time. apache after:22/02/2009 before:14/3/2010
38 +
39 + SSL/TLS Certificates
40 + Self signed certificates ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com
41 +
42 + Expired certificates ssl.cert.expired:true
43 +
44 + ssl.cert.subject.cn:example.com
45 +
46 + Device Type
47 + device:firewall device:router device:wap device:webcam device:media device:"broadband router" device:pbx device:printer device:switch device:storage device:specialized device:phone device:"voip" device:"voip phone" device:"voip adaptor" device:"load balancer" device:"print server" device:terminal device:remote device:telecom device:power device:proxy device:pda device:bridge
48 +
49 + Operating System
50 + os:"windows 7" os:"windows server 2012" os:"linux 3.x"
51 +
52 + Product
53 + product:apache product:nginx product:android product:chromecast
54 +
55 + Customer Premises Equipment (CPE)
56 + cpe:apple cpe:microsoft cpe:nginx cpe:cisco
57 +
58 + Server
59 + server: nginx server: apache server: microsoft server: cisco-ios
60 +
61 + ssh fingerprints
62 + dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0
63 +
64 + Web
65 + Pulse Secure
66 + http.html:/dana-na
67 +
68 + PEM Certificates
69 + http.title:"Index of /" http.html:".pem"
70 +
71 + Tor / Dark Web sites
72 + onion-location
73 +
74 + Databases
75 + MySQL
76 + "product:MySQL" mysql port:"3306"
77 +
78 + MongoDB
79 + "product:MongoDB" mongodb port:27017
80 +
81 + Fully open MongoDBs
82 + "MongoDB Server Information { "metrics":" "Set-Cookie: mongo-express=" "200 OK" "MongoDB Server Information" port:27017 -authentication
83 +
84 + Kibana dashboards without authentication
85 + kibana content-legth:217
86 +
87 + elastic
88 + port:9200 json port:"9200" all:elastic port:"9200" all:"elastic indices"
89 +
90 + Memcached
91 + "product:Memcached"
92 +
93 + CouchDB
94 + "product:CouchDB" port:"5984"+Server: "CouchDB/2.1.0"
95 +
96 + PostgreSQL
97 + "port:5432 PostgreSQL"
98 +
99 + Riak
100 + "port:8087 Riak"
101 +
102 + Redis
103 + "product:Redis"
104 +
105 + Cassandra
106 + "product:Cassandra"
107 +
108 + Industrial Control Systems
109 + Samsung Electronic Billboards
110 + "Server: Prismview Player"
111 +
112 + Gas Station Pump Controllers
113 + "in-tank inventory" port:10001
114 +
115 + Fuel Pumps connected to internet:
116 + No auth required to access CLI terminal. "privileged command" GET
117 +
118 + Automatic License Plate Readers
119 + P372 "ANPR enabled"
120 +
121 + Traffic Light Controllers / Red Light Cameras
122 + mikrotik streetlight
123 +
124 + Voting Machines in the United States
125 + "voter system serial" country:US
126 +
127 + Open ATM:
128 + May allow for ATM Access availability NCR Port:"161"
129 +
130 + Telcos Running Cisco Lawful Intercept Wiretaps
131 + "Cisco IOS" "ADVIPSERVICESK9_LI-M"
132 +
133 + Prison Pay Phones
134 + "[2J[H Encartele Confidential"
135 +
136 + Tesla PowerPack Charging Status
137 + http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
138 +
139 + Electric Vehicle Chargers
140 + "Server: gSOAP/2.8" "Content-Length: 583"
141 +
142 + Maritime Satellites
143 + Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!
144 +
145 + "Cobham SATCOM" OR ("Sailor" "VSAT")
146 +
147 + Submarine Mission Control Dashboards
148 + title:"Slocum Fleet Mission Control"
149 +
150 + CAREL PlantVisor Refrigeration Units
151 + "Server: CarelDataServer" "200 Document follows"
152 +
153 + Nordex Wind Turbine Farms
154 + http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"
155 +
156 + C4 Max Commercial Vehicle GPS Trackers
157 + "[1m[35mWelcome on console"
158 +
159 + DICOM Medical X-Ray Machines
160 + Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.
161 +
162 + "DICOM Server Response" port:104
163 +
164 + GaugeTech Electricity Meters
165 + "Server: EIG Embedded Web Server" "200 Document follows"
166 +
167 + Siemens Industrial Automation
168 + "Siemens, SIMATIC" port:161
169 +
170 + Siemens HVAC Controllers
171 + "Server: Microsoft-WinCE" "Content-Length: 12581"
172 +
173 + Door / Lock Access Controllers
174 + "HID VertX" port:4070
175 +
176 + Railroad Management
177 + "log off" "select the appropriate"
178 +
179 + Tesla Powerpack charging Status:
180 + Helps to find the charging status of tesla powerpack. http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
181 +
182 + XZERES Wind Turbine
183 + title:"xzeres wind"
184 +
185 + PIPS Automated License Plate Reader
186 + "html:"PIPS Technology ALPR Processors""
187 +
188 + Modbus
189 + "port:502"
190 +
191 + Niagara Fox
192 + "port:1911,4911 product:Niagara"
193 +
194 + GE-SRTP
195 + "port:18245,18246 product:"general electric""
196 +
197 + MELSEC-Q
198 + "port:5006,5007 product:mitsubishi"
199 +
200 + CODESYS
201 + "port:2455 operating system"
202 +
203 + S7
204 + "port:102"
205 +
206 + BACnet
207 + "port:47808"
208 +
209 + HART-IP
210 + "port:5094 hart-ip"
211 +
212 + Omron FINS
213 + "port:9600 response code"
214 +
215 + IEC 60870-5-104
216 + "port:2404 asdu address"
217 +
218 + DNP3
219 + "port:20000 source address"
220 +
221 + EtherNet/IP
222 + "port:44818"
223 +
224 + PCWorx
225 + "port:1962 PLC"
226 +
227 + Crimson v3.0
228 + "port:789 product:"Red Lion Controls"
229 +
230 + ProConOS
231 + "port:20547 PLC"
232 +
233 + Remote Desktop
234 + Unprotected VNC
235 + "authentication disabled" port:5900,5901 "authentication disabled" "RFB 003.008"
236 +
237 + Windows RDP
238 + 99.99% are secured by a secondary Windows login screen.
239 +
240 + "\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"
241 +
242 + C2 Infrastructure
243 + CobaltStrike Servers
244 + product:"cobalt strike team server" product:"Cobalt Strike Beacon" ssl.cert.serial:146473198 - default certificate serial number ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 ssl:foren.zik
245 +
246 + Brute Ratel
247 + http.html_hash:-1957161625 product:"Brute Ratel C4"
248 +
249 + Covenant
250 + ssl:”Covenant” http.component:”Blazor”
251 +
252 + Metasploit
253 + ssl:"MetasploitSelfSignedCA"
254 +
255 + Network Infrastructure
256 + Hacked routers:
257 + Routers which got compromised hacked-router-help-sos
258 +
259 + Redis open instances
260 + product:"Redis key-value store"
261 +
262 + Citrix:
263 + Find Citrix Gateway. title:"citrix gateway"
264 +
265 + Weave Scope Dashboards
266 + Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.
267 +
268 + title:"Weave Scope" http.favicon.hash:567176827
269 +
270 + Jenkins CI
271 + "X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
272 +
273 + Jenkins:
274 + Jenkins Unrestricted Dashboard x-jenkins 200
275 +
276 + Docker APIs
277 + "Docker Containers:" port:2375
278 +
279 + Docker Private Registries
280 + "Docker-Distribution-Api-Version: registry" "200 OK" -gitlab
281 +
282 + Pi-hole Open DNS Servers
283 + "dnsmasq-pi-hole" "Recursion: enabled"
284 +
285 + DNS Servers with recursion
286 + "port: 53" Recursion: Enabled
287 +
288 + Already Logged-In as root via Telnet
289 + "root@" port:23 -login -password -name -Session
290 +
291 + Telnet Access:
292 + NO password required for telnet access. port:23 console gateway
293 +
294 + Polycom video-conference system no-auth shell
295 + "polycom command shell"
296 +
297 + NPort serial-to-eth / MoCA devices without password
298 + nport -keyin port:23
299 +
300 + Android Root Bridges
301 + A tangential result of Google's sloppy fractured update approach. 🙄 More information here.
302 +
303 + "Android Debug Bridge" "Device" port:5555
304 +
305 + Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords
306 + Lantronix password port:30718 -secured
307 +
308 + Citrix Virtual Apps
309 + "Citrix Applications:" port:1604
310 +
311 + Cisco Smart Install
312 + Vulnerable (kind of "by design," but especially when exposed).
313 +
314 + "smart install client active"
315 +
316 + PBX IP Phone Gateways
317 + PBX "gateway console" -password port:23
318 +
319 + Polycom Video Conferencing
320 + http.title:"- Polycom" "Server: lighttpd" "Polycom Command Shell" -failed port:23
321 +
322 + Telnet Configuration:
323 + "Polycom Command Shell" -failed port:23
324 +
325 + Example: Polycom Video Conferencing
326 +
327 + Bomgar Help Desk Portal
328 + "Server: Bomgar" "200 OK"
329 +
330 + Intel Active Management CVE-2017-5689
331 + "Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995 ”Active Management Technology”
332 +
333 + HP iLO 4 CVE-2017-12542
334 + HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900
335 +
336 + Lantronix ethernet adapter’s admin interface without password
337 + "Press Enter for Setup Mode port:9999"
338 +
339 + Wifi Passwords:
340 + Helps to find the cleartext wifi passwords in Shodan. html:"def_wirelesspassword"
341 +
342 + Misconfigured Wordpress Sites:
343 + The wp-config.php if accessed can give out the database credentials. http.html:"* The wp-config.php creation script uses this file"
344 +
345 + Outlook Web Access:
346 + Exchange 2007
347 + "x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"
348 +
349 + Exchange 2010
350 + "x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392
351 +
352 + Exchange 2013 / 2016
353 + "X-AspNet-Version" http.title:"Outlook" -"x-owa-version"
354 +
355 + Lync / Skype for Business
356 + "X-MS-Server-Fqdn"
357 +
358 + Network Attached Storage (NAS)
359 + SMB (Samba) File Shares
360 + Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.
361 +
362 + "Authentication: disabled" port:445
363 +
364 + Specifically domain controllers:
365 + "Authentication: disabled" NETLOGON SYSVOL -unix port:445
366 +
367 + Concerning default network shares of QuickBooks files:
368 + "Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445
369 +
370 + FTP Servers with Anonymous Login
371 + "220" "230 Login successful." port:21
372 +
373 + Iomega / LenovoEMC NAS Drives
374 + "Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"
375 +
376 + Buffalo TeraStation NAS Drives
377 + Redirecting sencha port:9000
378 +
379 + Logitech Media Servers
380 + "Server: Logitech Media Server" "200 OK"
381 +
382 + Example: Logitech Media Servers
383 +
384 + Plex Media Servers
385 + "X-Plex-Protocol" "200 OK" port:32400
386 +
387 + Tautulli / PlexPy Dashboards
388 + "CherryPy/5.1.0" "/home"
389 +
390 + Home router attached USB
391 + "IPC$ all storage devices"
392 +
393 + Webcams
394 + Generic camera search
395 + title:camera
396 +
397 + Webcams with screenshots
398 + webcam has_screenshot:true
399 +
400 + D-Link webcams
401 + "d-Link Internet Camera, 200 OK"
402 +
403 + Hipcam
404 + "Hipcam RealServer/V1.0"
405 +
406 + Yawcams
407 + "Server: yawcam" "Mime-Type: text/html"
408 +
409 + webcamXP/webcam7
410 + ("webcam 7" OR "webcamXP") http.component:"mootools" -401
411 +
412 + Android IP Webcam Server
413 + "Server: IP Webcam Server" "200 OK"
414 +
415 + Security DVRs
416 + html:"DVR_H264 ActiveX"
417 +
418 + Surveillance Cams:
419 + With username:admin and password: :P NETSurveillance uc-httpd Server: uc-httpd 1.0.0
420 +
421 + Printers & Copiers:
422 + HP Printers
423 + "Serial Number:" "Built:" "Server: HP HTTP"
424 +
425 + Xerox Copiers/Printers
426 + ssl:"Xerox Generic Root"
427 +
428 + Epson Printers
429 + "SERVER: EPSON_Linux UPnP" "200 OK"
430 +
431 + "Server: EPSON-HTTP" "200 OK"
432 +
433 + Canon Printers
434 + "Server: KS_HTTP" "200 OK"
435 +
436 + "Server: CANON HTTP Server"
437 +
438 + Home Devices
439 + Yamaha Stereos
440 + "Server: AV_Receiver" "HTTP/1.1 406"
441 +
442 + Apple AirPlay Receivers
443 + Apple TVs, HomePods, etc.
444 +
445 + "\x08_airplay" port:5353
446 +
447 + Chromecasts / Smart TVs
448 + "Chromecast:" port:8008
449 +
450 + Crestron Smart Home Controllers
451 + "Model: PYNG-HUB"
452 +
453 + Random Stuff
454 + Calibre libraries
455 + "Server: calibre" http.status:200 http.title:calibre
456 +
457 + OctoPrint 3D Printer Controllers
458 + title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944
459 +
460 + Etherium Miners
461 + "ETH - Total speed"
462 +
463 + Apache Directory Listings
464 + Substitute .pem with any extension or a filename like phpinfo.php.
465 +
466 + http.title:"Index of /" http.html:".pem"
467 +
468 + Misconfigured WordPress
469 + Exposed wp-config.php files containing database credentials.
470 +
471 + http.html:"* The wp-config.php creation script uses this file"
472 +
473 + Too Many Minecraft Servers
474 + "Minecraft Server" "protocol 340" port:25565
475 +
476 + Literally Everything in North Korea
477 + net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24
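Review bot: Several entries in this file are exact or near duplicates and should be merged so the list has one canonical query per target: "PEM Certificates" (line 69) and "Apache Directory Listings" (line 466) are the same `http.title:"Index of /" http.html:".pem"` query; "Tesla PowerPack Charging Status" (line 137) repeats at line 180; "Misconfigured Wordpress Sites" (line 343) repeats at line 471; "Redis" (line 103) and "Redis open instances" (line 260) overlap; and the Polycom "Command Shell" query appears at lines 295, 320 and 323. The Covenant (line 250) and Intel AMT (line 331) entries use typographic quotes (”…”) instead of ASCII double quotes, so they will not parse as quoted Shodan filters when pasted; the Kibana entry (line 85) has "content-legth" where the HTTP header is spelled "content-length"; and "Etherium" (line 460) should read "Ethereum". Finally, the file mixes bare filter syntax with queries wrapped entirely in quotes (e.g. `"port:502"`, `"product:MySQL"`), which turns the filter into a literal banner string rather than a filter; a note at the top stating which convention is intended would save readers from copying the wrong form.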