# Shodan Dorks ## Basic ### City: Find devices in a particular city. ``` city:"Bangalore" ``` ### Country: Find devices in a particular country. ``` country:"IN" ``` ### Geo: Find devices by giving geographical coordinates. ``` geo:"56.913055,118.250862" ``` ### Location ``` country:us country:ru city:chicago country:ru country:de city:chicago ``` ### Hostname: Find devices matching the hostname. ``` server: "gws" hostname:"google" hostname:example.com hostname:example.com,example.org ``` ### Net: Find devices based on an IP address or /x CIDR. ``` net:210.214.0.0/16 ``` ### Organization ``` org:microsoft org:"United States Department" ``` ### Autonomous System Number (ASN) ``` asn:ASxxxx ``` ### OS: Find devices based on operating system. ``` os:"windows 7" ``` ### Port: Find devices based on open ports. ``` proftpd port:21 ``` ### Before/after: Find devices before or after between a given time. ``` apache after:22/02/2009 before:14/3/2010 ``` ### SSL/TLS Certificates - Self signed certificates ``` ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com ``` - Expired certificates ``` ssl.cert.expired:true ssl.cert.subject.cn:example.com ``` ### Device Type ``` device:firewall device:router device:wap device:webcam device:media device:"broadband router" device:pbx device:printer device:switch device:storage device:specialized device:phone device:"voip phone" device:"voip adaptor" device:"load balancer" device:"print server" device:terminal device:remote device:telecom device:power device:proxy device:pda device:bridge ``` ### Operating System ``` os:"windows 7" os:"windows server 2012" os:"linux 3.x" ``` ### Product ``` product:apache product:nginx product:android product:chromecast ``` ### Customer Premises Equipment (CPE) ``` cpe:apple cpe:microsoft cpe:nginx cpe:cisco ``` ### Server ``` server: nginx server: apache server: microsoft server: cisco-ios ``` ### ssh fingerprints ``` dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0 ``` ## Web ### Pulse Secure ``` http.html:/dana-na ``` ### PEM Certificates ``` http.title:"Index of /" http.html:".pem" ``` ## Databases ### MySQL ``` "product:MySQL" ``` ### MongoDB ``` "product:MongoDB" ``` ### elastic ``` port:9200 json ``` ### Memcached ``` "product:Memcached" ``` ### CouchDB ``` "product:CouchDB" ``` ### PostgreSQL ``` "port:5432 PostgreSQL" ``` ### Riak ``` "port:8087 Riak" ``` ### Redis ``` "product:Redis" ``` ### Cassandra ``` "product:Cassandra" ``` ## Industrial Control Systems ### Samsung Electronic Billboards ``` "Server: Prismview Player" ``` ### Gas Station Pump Controllers ``` "in-tank inventory" port:10001 ``` ### Fuel Pumps connected to internet: No auth required to access CLI terminal. ``` "privileged command" GET ``` ### Automatic License Plate Readers ``` P372 "ANPR enabled" ``` ### Traffic Light Controllers / Red Light Cameras ``` mikrotik streetlight ``` ### Voting Machines in the United States ``` "voter system serial" country:US ``` ### Open ATM: ``` May allow for ATM Access availability NCR Port:"161" ``` ### Telcos Running Cisco Lawful Intercept Wiretaps ``` "Cisco IOS" "ADVIPSERVICESK9_LI-M" ``` ### Prison Pay Phones ``` "[2J[H Encartele Confidential" ``` ### Tesla PowerPack Charging Status ``` http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2 ``` ### Electric Vehicle Chargers ``` "Server: gSOAP/2.8" "Content-Length: 583" ``` ### Maritime Satellites Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too! ``` "Cobham SATCOM" OR ("Sailor" "VSAT") ``` ### Submarine Mission Control Dashboards ``` title:"Slocum Fleet Mission Control" ``` ### CAREL PlantVisor Refrigeration Units ``` "Server: CarelDataServer" "200 Document follows" ``` ### Nordex Wind Turbine Farms ``` http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)" ``` ### C4 Max Commercial Vehicle GPS Trackers ``` "[1m[35mWelcome on console" ``` ### DICOM Medical X-Ray Machines Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet. ``` "DICOM Server Response" port:104 ``` ### GaugeTech Electricity Meters ``` "Server: EIG Embedded Web Server" "200 Document follows" ``` ### Siemens Industrial Automation ``` "Siemens, SIMATIC" port:161 ``` ### Siemens HVAC Controllers ``` "Server: Microsoft-WinCE" "Content-Length: 12581" ``` ### Door / Lock Access Controllers ``` "HID VertX" port:4070 ``` ### Railroad Management ``` "log off" "select the appropriate" ``` ### Tesla Powerpack charging Status: Helps to find the charging status of tesla powerpack. ``` http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2 ``` ### XZERES Wind Turbine ``` title:"xzeres wind" ``` ### PIPS Automated License Plate Reader ``` "html:"PIPS Technology ALPR Processors"" ``` ### Modbus ``` "port:502" ``` ### Niagara Fox ``` "port:1911,4911 product:Niagara" ``` ### GE-SRTP ``` "port:18245,18246 product:"general electric"" ``` ### MELSEC-Q ``` "port:5006,5007 product:mitsubishi" ``` ### CODESYS ``` "port:2455 operating system" ``` ### S7 ``` "port:102" ``` ### BACnet ``` "port:47808" ``` ### HART-IP ``` "port:5094 hart-ip" ``` ### Omron FINS ``` "port:9600 response code" ``` ### IEC 60870-5-104 ``` "port:2404 asdu address" ``` ### DNP3 ``` "port:20000 source address" ``` ### EtherNet/IP ``` "port:44818" ``` ### PCWorx ``` "port:1962 PLC" ``` ### Crimson v3.0 ``` "port:789 product:"Red Lion Controls" ``` ### ProConOS ``` "port:20547 PLC" ``` ## Remote Desktop ### Unprotected VNC ``` "authentication disabled" port:5900,5901 "authentication disabled" "RFB 003.008" ``` ### Windows RDP 99.99% are secured by a secondary Windows login screen. ``` "\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00" ``` ## Network Infrastructure ### Hacked routers: Routers which got compromised ``` hacked-router-help-sos ``` ### Redis open instances ``` product:"Redis key-value store" ``` ### Citrix: Find Citrix Gateway. ``` title:"citrix gateway" ``` ### Weave Scope Dashboards Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure. ``` title:"Weave Scope" http.favicon.hash:567176827 ``` ### MongoDB Older versions were insecure by default. Very scary. ``` "MongoDB Server Information" port:27017 -authentication ``` ### Mongo Express Web GUI Like the infamous phpMyAdmin but for MongoDB. ``` "Set-Cookie: mongo-express=" "200 OK" ``` ### Jenkins CI ``` "X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard" ``` ### Jenkins: Jenkins Unrestricted Dashboard ``` x-jenkins 200 ``` ### Docker APIs ``` "Docker Containers:" port:2375 ``` ### Docker Private Registries ``` "Docker-Distribution-Api-Version: registry" "200 OK" -gitlab ``` ### Pi-hole Open DNS Servers ``` "dnsmasq-pi-hole" "Recursion: enabled" ``` ### Already Logged-In as root via Telnet ``` "root@" port:23 -login -password -name -Session ``` ### Telnet Access: NO password required for telnet access. ``` port:23 console gateway ``` ### Polycom video-conference system no-auth shell ``` "polycom command shell" ``` ### NPort serial-to-eth / MoCA devices without password ``` nport -keyin port:23 ``` ### Android Root Bridges A tangential result of Google's sloppy fractured update approach. ``` "Android Debug Bridge" "Device" port:5555 ``` ### Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords ``` Lantronix password port:30718 -secured ``` ### Citrix Virtual Apps ``` "Citrix Applications:" port:1604 ``` ### Cisco Smart Install Vulnerable (kind of "by design," but especially when exposed). ``` "smart install client active" ``` ### PBX IP Phone Gateways ``` PBX "gateway console" -password port:23 ``` ### Polycom Video Conferencing ``` http.title:"- Polycom" "Server: lighttpd" "Polycom Command Shell" -failed port:23 ``` ### Telnet Configuration: ``` "Polycom Command Shell" -failed port:23 ``` ### Bomgar Help Desk Portal ``` "Server: Bomgar" "200 OK" ``` ### Intel Active Management CVE-2017-5689 ``` "Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995 "Active Management Technology" ``` ### HP iLO 4 CVE-2017-12542 ``` HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900 ``` ### Lantronix ethernet adapter’s admin interface without password ``` "Press Enter for Setup Mode port:9999" ``` ### Wifi Passwords: Helps to find the cleartext wifi passwords in Shodan. ``` html:"def_wirelesspassword" ``` ### Misconfigured Wordpress Sites: The wp-config.php if accessed can give out the database credentials. ``` http.html:"* The wp-config.php creation script uses this file" ``` ## Outlook Web Access: ### Exchange 2007 ``` "x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0" ``` ### Exchange 2010 ``` "x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392 ``` ### Exchange 2013 / 2016 ``` "X-AspNet-Version" http.title:"Outlook" -"x-owa-version" ``` ### Lync / Skype for Business ``` "X-MS-Server-Fqdn" ``` ## Network Attached Storage (NAS) ### SMB (Samba) File Shares Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc. ``` "Authentication: disabled" port:445 ``` ### Specifically domain controllers: ``` "Authentication: disabled" NETLOGON SYSVOL -unix port:445 ``` ### Concerning default network shares of QuickBooks files: ``` "Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445 ``` ### FTP Servers with Anonymous Login ``` "220" "230 Login successful." port:21 ``` ### Iomega / LenovoEMC NAS Drives ``` "Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In" ``` ### Buffalo TeraStation NAS Drives ``` Redirecting sencha port:9000 ``` ### Logitech Media Servers ``` "Server: Logitech Media Server" "200 OK" ``` ### Plex Media Servers ``` "X-Plex-Protocol" "200 OK" port:32400 ``` ### Tautulli / PlexPy Dashboards ``` "CherryPy/5.1.0" "/home" ``` ### Home router attached USB ``` "IPC$ all storage devices" ``` ## Webcams ### D-Link webcams ``` "d-Link Internet Camera, 200 OK" ``` ### Hipcam ``` "Hipcam RealServer/V1.0" ``` ### Yawcams ``` "Server: yawcam" "Mime-Type: text/html" ``` ### webcamXP/webcam7 ``` ("webcam 7" OR "webcamXP") http.component:"mootools" -401 ``` ### Android IP Webcam Server ``` "Server: IP Webcam Server" "200 OK" ``` ### Security DVRs ``` html:"DVR_H264 ActiveX" ``` ### Surveillance Cams: With username:admin and password: :P ``` NETSurveillance uc-httpd Server: uc-httpd 1.0.0 ``` ## Printers & Copiers: ### HP Printers ``` "Serial Number:" "Built:" "Server: HP HTTP" ``` ### Xerox Copiers/Printers ``` ssl:"Xerox Generic Root" ``` ### Epson Printers ``` "SERVER: EPSON_Linux UPnP" "200 OK" "Server: EPSON-HTTP" "200 OK" ``` ### Canon Printers ``` "Server: KS_HTTP" "200 OK" "Server: CANON HTTP Server" ``` ## Home Devices ### Yamaha Stereos ``` "Server: AV_Receiver" "HTTP/1.1 406" ``` ### Apple AirPlay Receivers Apple TVs, HomePods, etc. ``` "\x08_airplay" port:5353 ``` ### Chromecasts / Smart TVs ``` "Chromecast:" port:8008 ``` ### Crestron Smart Home Controllers ``` "Model: PYNG-HUB" ``` ## Random Stuff ### OctoPrint 3D Printer Controllers ``` title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944 ``` ### Etherium Miners ``` "ETH - Total speed" ``` ### Apache Directory Listings Substitute .pem with any extension or a filename like phpinfo.php. ``` http.title:"Index of /" http.html:".pem" ``` ### Misconfigured WordPress Exposed wp-config.php files containing database credentials. ``` http.html:"* The wp-config.php creation script uses this file" ``` ### Too Many Minecraft Servers ``` "Minecraft Server" "protocol 340" port:25565 ``` ### Literally Everything in North Korea ``` net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24 ```