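--- a/shodan-dorks.txt
+++ b/shodan-dorks.txt
@@ -1,5 +1,6 @@
 Shodan Dorks by twitter.com/lothos612
 Feel free to make suggestions
+From: https://github.com/lothos612/shodan
 
 Shodan Dorks
 Basic Shodan Filters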
shodan-dorks.md переименован в shodan-dorks.txt
Файл переименован без изменений
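--- /dev/null
+++ b/shodan-dorks.md
@@ -0,0 +1,477 @@
+Shodan Dorks by twitter.com/lothos612
+Feel free to make suggestions
+
+Shodan Dorks
+Basic Shodan Filters
+city:
+Find devices in a particular city. city:"Bangalore"
+
+country:
+Find devices in a particular country. country:"IN"
+
+geo:
+Find devices by giving geographical coordinates. geo:"56.913055,118.250862"
+
+Location
+country:us country:ru country:de city:chicago
+
+hostname:
+Find devices matching the hostname. server: "gws" hostname:"google" hostname:example.com -hostname:subdomain.example.com hostname:example.com,example.org
+
+net:
+Find devices based on an IP address or /x CIDR. net:210.214.0.0/16
+
+Organization
+org:microsoft org:"United States Department"
+
+Autonomous System Number (ASN)
+asn:ASxxxx
+
+os:
+Find devices based on operating system. os:"windows 7"
+
+port:
+Find devices based on open ports. proftpd port:21
+
+before/after:
+Find devices before or after between a given time. apache after:22/02/2009 before:14/3/2010
+
+SSL/TLS Certificates
+Self signed certificates ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com
+
+Expired certificates ssl.cert.expired:true
+
+ssl.cert.subject.cn:example.com
+
+Device Type
+device:firewall device:router device:wap device:webcam device:media device:"broadband router" device:pbx device:printer device:switch device:storage device:specialized device:phone device:"voip" device:"voip phone" device:"voip adaptor" device:"load balancer" device:"print server" device:terminal device:remote device:telecom device:power device:proxy device:pda device:bridge
+
+Operating System
+os:"windows 7" os:"windows server 2012" os:"linux 3.x"
+
+Product
+product:apache product:nginx product:android product:chromecast
+
+Customer Premises Equipment (CPE)
+cpe:apple cpe:microsoft cpe:nginx cpe:cisco
+
+Server
+server: nginx server: apache server: microsoft server: cisco-ios
+
+ssh fingerprints
+dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0
+
+Web
+Pulse Secure
+http.html:/dana-na
+
+PEM Certificates
+http.title:"Index of /" http.html:".pem"
+
+Tor / Dark Web sites
+onion-location
+
+Databases
+MySQL
+"product:MySQL" mysql port:"3306"
+
+MongoDB
+"product:MongoDB" mongodb port:27017
+
+Fully open MongoDBs
+"MongoDB Server Information { "metrics":" "Set-Cookie: mongo-express=" "200 OK" "MongoDB Server Information" port:27017 -authentication
+
+Kibana dashboards without authentication
+kibana content-legth:217
+
+elastic
+port:9200 json port:"9200" all:elastic port:"9200" all:"elastic indices"
+
+Memcached
+"product:Memcached"
+
+CouchDB
+"product:CouchDB" port:"5984"+Server: "CouchDB/2.1.0"
+
+PostgreSQL
+"port:5432 PostgreSQL"
+
+Riak
+"port:8087 Riak"
+
+Redis
+"product:Redis"
+
+Cassandra
+"product:Cassandra"
+
+Industrial Control Systems
+Samsung Electronic Billboards
+"Server: Prismview Player"
+
+Gas Station Pump Controllers
+"in-tank inventory" port:10001
+
+Fuel Pumps connected to internet:
+No auth required to access CLI terminal. "privileged command" GET
+
+Automatic License Plate Readers
+P372 "ANPR enabled"
+
+Traffic Light Controllers / Red Light Cameras
+mikrotik streetlight
+
+Voting Machines in the United States
+"voter system serial" country:US
+
+Open ATM:
+May allow for ATM Access availability NCR Port:"161"
+
+Telcos Running Cisco Lawful Intercept Wiretaps
+"Cisco IOS" "ADVIPSERVICESK9_LI-M"
+
+Prison Pay Phones
+"[2J[H Encartele Confidential"
+
+Tesla PowerPack Charging Status
+http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
+
+Electric Vehicle Chargers
+"Server: gSOAP/2.8" "Content-Length: 583"
+
+Maritime Satellites
+Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!
+
+"Cobham SATCOM" OR ("Sailor" "VSAT")
+
+Submarine Mission Control Dashboards
+title:"Slocum Fleet Mission Control"
+
+CAREL PlantVisor Refrigeration Units
+"Server: CarelDataServer" "200 Document follows"
+
+Nordex Wind Turbine Farms
+http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"
+
+C4 Max Commercial Vehicle GPS Trackers
+"[1m[35mWelcome on console"
+
+DICOM Medical X-Ray Machines
+Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.
+
+"DICOM Server Response" port:104
+
+GaugeTech Electricity Meters
+"Server: EIG Embedded Web Server" "200 Document follows"
+
+Siemens Industrial Automation
+"Siemens, SIMATIC" port:161
+
+Siemens HVAC Controllers
+"Server: Microsoft-WinCE" "Content-Length: 12581"
+
+Door / Lock Access Controllers
+"HID VertX" port:4070
+
+Railroad Management
+"log off" "select the appropriate"
+
+Tesla Powerpack charging Status:
+Helps to find the charging status of tesla powerpack. http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
+
+XZERES Wind Turbine
+title:"xzeres wind"
+
+PIPS Automated License Plate Reader
+"html:"PIPS Technology ALPR Processors""
+
+Modbus
+"port:502"
+
+Niagara Fox
+"port:1911,4911 product:Niagara"
+
+GE-SRTP
+"port:18245,18246 product:"general electric""
+
+MELSEC-Q
+"port:5006,5007 product:mitsubishi"
+
+CODESYS
+"port:2455 operating system"
+
+S7
+"port:102"
+
+BACnet
+"port:47808"
+
+HART-IP
+"port:5094 hart-ip"
+
+Omron FINS
+"port:9600 response code"
+
+IEC 60870-5-104
+"port:2404 asdu address"
+
+DNP3
+"port:20000 source address"
+
+EtherNet/IP
+"port:44818"
+
+PCWorx
+"port:1962 PLC"
+
+Crimson v3.0
+"port:789 product:"Red Lion Controls"
+
+ProConOS
+"port:20547 PLC"
+
+Remote Desktop
+Unprotected VNC
+"authentication disabled" port:5900,5901 "authentication disabled" "RFB 003.008"
+
+Windows RDP
+99.99% are secured by a secondary Windows login screen.
+
+"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"
+
+C2 Infrastructure
+CobaltStrike Servers
+product:"cobalt strike team server" product:"Cobalt Strike Beacon" ssl.cert.serial:146473198 - default certificate serial number ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 ssl:foren.zik
+
+Brute Ratel
+http.html_hash:-1957161625 product:"Brute Ratel C4"
+
+Covenant
+ssl:”Covenant” http.component:”Blazor”
+
+Metasploit
+ssl:"MetasploitSelfSignedCA"
+
+Network Infrastructure
+Hacked routers:
+Routers which got compromised hacked-router-help-sos
+
+Redis open instances
+product:"Redis key-value store"
+
+Citrix:
+Find Citrix Gateway. title:"citrix gateway"
+
+Weave Scope Dashboards
+Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.
+
+title:"Weave Scope" http.favicon.hash:567176827
+
+Jenkins CI
+"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
+
+Jenkins:
+Jenkins Unrestricted Dashboard x-jenkins 200
+
+Docker APIs
+"Docker Containers:" port:2375
+
+Docker Private Registries
+"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab
+
+Pi-hole Open DNS Servers
+"dnsmasq-pi-hole" "Recursion: enabled"
+
+DNS Servers with recursion
+"port: 53" Recursion: Enabled
+
+Already Logged-In as root via Telnet
+"root@" port:23 -login -password -name -Session
+
+Telnet Access:
+NO password required for telnet access. port:23 console gateway
+
+Polycom video-conference system no-auth shell
+"polycom command shell"
+
+NPort serial-to-eth / MoCA devices without password
+nport -keyin port:23
+
+Android Root Bridges
+A tangential result of Google's sloppy fractured update approach. 🙄 More information here.
+
+"Android Debug Bridge" "Device" port:5555
+
+Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords
+Lantronix password port:30718 -secured
+
+Citrix Virtual Apps
+"Citrix Applications:" port:1604
+
+Cisco Smart Install
+Vulnerable (kind of "by design," but especially when exposed).
+
+"smart install client active"
+
+PBX IP Phone Gateways
+PBX "gateway console" -password port:23
+
+Polycom Video Conferencing
+http.title:"- Polycom" "Server: lighttpd" "Polycom Command Shell" -failed port:23
+
+Telnet Configuration:
+"Polycom Command Shell" -failed port:23
+
+Example: Polycom Video Conferencing
+
+Bomgar Help Desk Portal
+"Server: Bomgar" "200 OK"
+
+Intel Active Management CVE-2017-5689
+"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995 ”Active Management Technology”
+
+HP iLO 4 CVE-2017-12542
+HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900
+
+Lantronix ethernet adapter’s admin interface without password
+"Press Enter for Setup Mode port:9999"
+
+Wifi Passwords:
+Helps to find the cleartext wifi passwords in Shodan. html:"def_wirelesspassword"
+
+Misconfigured Wordpress Sites:
+The wp-config.php if accessed can give out the database credentials. http.html:"* The wp-config.php creation script uses this file"
+
+Outlook Web Access:
+Exchange 2007
+"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"
+
+Exchange 2010
+"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392
+
+Exchange 2013 / 2016
+"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"
+
+Lync / Skype for Business
+"X-MS-Server-Fqdn"
+
+Network Attached Storage (NAS)
+SMB (Samba) File Shares
+Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.
+
+"Authentication: disabled" port:445
+
+Specifically domain controllers:
+"Authentication: disabled" NETLOGON SYSVOL -unix port:445
+
+Concerning default network shares of QuickBooks files:
+"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445
+
+FTP Servers with Anonymous Login
+"220" "230 Login successful." port:21
+
+Iomega / LenovoEMC NAS Drives
+"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"
+
+Buffalo TeraStation NAS Drives
+Redirecting sencha port:9000
+
+Logitech Media Servers
+"Server: Logitech Media Server" "200 OK"
+
+Example: Logitech Media Servers
+
+Plex Media Servers
+"X-Plex-Protocol" "200 OK" port:32400
+
+Tautulli / PlexPy Dashboards
+"CherryPy/5.1.0" "/home"
+
+Home router attached USB
+"IPC$ all storage devices"
+
+Webcams
+Generic camera search
+title:camera
+
+Webcams with screenshots
+webcam has_screenshot:true
+
+D-Link webcams
+"d-Link Internet Camera, 200 OK"
+
+Hipcam
+"Hipcam RealServer/V1.0"
+
+Yawcams
+"Server: yawcam" "Mime-Type: text/html"
+
+webcamXP/webcam7
+("webcam 7" OR "webcamXP") http.component:"mootools" -401
+
+Android IP Webcam Server
+"Server: IP Webcam Server" "200 OK"
+
+Security DVRs
+html:"DVR_H264 ActiveX"
+
+Surveillance Cams:
+With username:admin and password: :P NETSurveillance uc-httpd Server: uc-httpd 1.0.0
+
+Printers & Copiers:
+HP Printers
+"Serial Number:" "Built:" "Server: HP HTTP"
+
+Xerox Copiers/Printers
+ssl:"Xerox Generic Root"
+
+Epson Printers
+"SERVER: EPSON_Linux UPnP" "200 OK"
+
+"Server: EPSON-HTTP" "200 OK"
+
+Canon Printers
+"Server: KS_HTTP" "200 OK"
+
+"Server: CANON HTTP Server"
+
+Home Devices
+Yamaha Stereos
+"Server: AV_Receiver" "HTTP/1.1 406"
+
+Apple AirPlay Receivers
+Apple TVs, HomePods, etc.
+
+"\x08_airplay" port:5353
+
+Chromecasts / Smart TVs
+"Chromecast:" port:8008
+
+Crestron Smart Home Controllers
+"Model: PYNG-HUB"
+
+Random Stuff
+Calibre libraries
+"Server: calibre" http.status:200 http.title:calibre
+
+OctoPrint 3D Printer Controllers
+title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944
+
+Etherium Miners
+"ETH - Total speed"
+
+Apache Directory Listings
+Substitute .pem with any extension or a filename like phpinfo.php.
+
+http.title:"Index of /" http.html:".pem"
+
+Misconfigured WordPress
+Exposed wp-config.php files containing database credentials.
+
+http.html:"* The wp-config.php creation script uses this file"
+
+Too Many Minecraft Servers
+"Minecraft Server" "protocol 340" port:25565
+
+Literally Everything in North Korea
+net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24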