forked from Karanxa/Bug-Bounty-Wordlists
shodan-dorks.txt
# Basic Shodan Filters
### city:
Find devices in a particular city.
`city:"Bangalore"`
### country:
Find devices in a particular country.
`country:"IN"`
### geo:
Find devices by giving geographical coordinates.
`geo:"56.913055,118.250862"`
### Location
`country:us`
`country:ru country:de city:chicago`
### hostname:
Find devices matching the hostname.
`server: "gws" hostname:"google"`
`hostname:example.com -hostname:subdomain.example.com`
`hostname:example.com,example.org`
### net:
Find devices based on an IP address or /x CIDR.
`net:210.214.0.0/16`
### Organization
`org:microsoft`
`org:"United States Department"`
### Autonomous System Number (ASN)
`asn:ASxxxx`
### os:
Find devices based on operating system.
`os:"windows 7"`
### port:
Find devices based on open ports.
`proftpd port:21`
### before/after:
Find devices seen before, after, or between given dates.
`apache after:22/02/2009 before:14/3/2010`
### SSL/TLS Certificates
Self signed certificates
`ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com`
Expired certificates
`ssl.cert.expired:true`
`ssl.cert.subject.cn:example.com`
### Device Type
`device:firewall`
`device:router`
`device:wap`
`device:webcam`
`device:media`
`device:"broadband router"`
`device:pbx`
`device:printer`
`device:switch`
`device:storage`
`device:specialized`
`device:phone`
`device:"voip"`
`device:"voip phone"`
`device:"voip adaptor"`
`device:"load balancer"`
`device:"print server"`
`device:terminal`
`device:remote`
`device:telecom`
`device:power`
`device:proxy`
`device:pda`
`device:bridge`
### Operating System
`os:"windows 7"`
`os:"windows server 2012"`
`os:"linux 3.x"`
### Product
`product:apache`
`product:nginx`
`product:android`
`product:chromecast`
### Customer Premises Equipment (CPE)
`cpe:apple`
`cpe:microsoft`
`cpe:nginx`
`cpe:cisco`
### Server
`server: nginx`
`server: apache`
`server: microsoft`
`server: cisco-ios`
### ssh fingerprints
`dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0`
# Web
### Pulse Secure
`http.html:/dana-na`
### PEM Certificates
`http.title:"Index of /" http.html:".pem"`
# Databases
### MySQL
`"product:MySQL"`
### MongoDB
`"product:MongoDB"`
`mongodb port:27017`
### Fully open MongoDBs
`"MongoDB Server Information { "metrics":"`
`"Set-Cookie: mongo-express=" "200 OK"`
### Kibana dashboards without authentication
`kibana content-length:217`
### elastic
`port:9200 json`
`port:"9200" all:elastic`
### Memcached
`"product:Memcached"`
### CouchDB
`"product:CouchDB"`
`port:"5984"+Server: "CouchDB/2.1.0"`
### PostgreSQL
`"port:5432 PostgreSQL"`
### Riak
`"port:8087 Riak"`
### Redis
`"product:Redis"`
### Cassandra
`"product:Cassandra"`
# Industrial Control Systems
### Samsung Electronic Billboards
`"Server: Prismview Player"`
### Gas Station Pump Controllers
`"in-tank inventory" port:10001`
### Fuel Pumps connected to internet:
No auth required to access CLI terminal.
`"privileged command" GET`
### Automatic License Plate Readers
`P372 "ANPR enabled"`
### Traffic Light Controllers / Red Light Cameras
`mikrotik streetlight`
### Voting Machines in the United States
`"voter system serial" country:US`
### Open ATM:
May allow for ATM Access availability
`NCR Port:"161"`
### Telcos Running Cisco Lawful Intercept Wiretaps
`"Cisco IOS" "ADVIPSERVICESK9_LI-M"`
### Prison Pay Phones
`"[2J[H Encartele Confidential"`
### Tesla PowerPack Charging Status
`http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2`
### Electric Vehicle Chargers
`"Server: gSOAP/2.8" "Content-Length: 583"`
### Maritime Satellites
Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!
`"Cobham SATCOM" OR ("Sailor" "VSAT")`
### Submarine Mission Control Dashboards
`title:"Slocum Fleet Mission Control"`
### CAREL PlantVisor Refrigeration Units
`"Server: CarelDataServer" "200 Document follows"`
### Nordex Wind Turbine Farms
`http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"`
### C4 Max Commercial Vehicle GPS Trackers
`"[1m[35mWelcome on console"`
### DICOM Medical X-Ray Machines
Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.
`"DICOM Server Response" port:104`
### GaugeTech Electricity Meters
`"Server: EIG Embedded Web Server" "200 Document follows"`
### Siemens Industrial Automation
`"Siemens, SIMATIC" port:161`
### Siemens HVAC Controllers
`"Server: Microsoft-WinCE" "Content-Length: 12581"`
### Door / Lock Access Controllers
`"HID VertX" port:4070`
### Railroad Management
`"log off" "select the appropriate"`
### Tesla Powerpack charging Status:
Helps to find the charging status of Tesla PowerPack systems.
`http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2`
### XZERES Wind Turbine
`title:"xzeres wind"`
### PIPS Automated License Plate Reader
`"html:"PIPS Technology ALPR Processors""`
### Modbus
`"port:502"`
### Niagara Fox
`"port:1911,4911 product:Niagara"`
### GE-SRTP
`"port:18245,18246 product:"general electric""`
### MELSEC-Q
`"port:5006,5007 product:mitsubishi"`
### CODESYS
`"port:2455 operating system"`
### S7
`"port:102"`
### BACnet
`"port:47808"`
### HART-IP
`"port:5094 hart-ip"`
### Omron FINS
`"port:9600 response code"`
### IEC 60870-5-104
`"port:2404 asdu address"`
### DNP3
`"port:20000 source address"`
### EtherNet/IP
`"port:44818"`
### PCWorx
`"port:1962 PLC"`
### Crimson v3.0
`"port:789 product:"Red Lion Controls"`
### ProConOS
`"port:20547 PLC"`
# Remote Desktop
### Unprotected VNC
`"authentication disabled" port:5900,5901`
`"authentication disabled" "RFB 003.008"`
### Windows RDP
99.99% are secured by a secondary Windows login screen.
`"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"`
# Network Infrastructure
### CobaltStrike Servers
`product:"cobalt strike team server"`
`ssl.cert.serial:146473198` - default certificate serial number
`ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1`
### Hacked routers:
Routers that have been compromised.
`hacked-router-help-sos`
### Redis open instances
`product:"Redis key-value store"`
### Citrix:
Find Citrix Gateway.
`title:"citrix gateway"`
### Weave Scope Dashboards
Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.
`title:"Weave Scope" http.favicon.hash:567176827`
### MongoDB
Older versions were insecure by default. Very scary.
`"MongoDB Server Information" port:27017 -authentication`
### Mongo Express Web GUI
Like the infamous phpMyAdmin but for MongoDB.
`"Set-Cookie: mongo-express=" "200 OK"`
### Jenkins CI
`"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"`
### Jenkins:
Jenkins Unrestricted Dashboard
`x-jenkins 200`
### Docker APIs
`"Docker Containers:" port:2375`
### Docker Private Registries
`"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab`
### Pi-hole Open DNS Servers
`"dnsmasq-pi-hole" "Recursion: enabled"`
### Already Logged-In as root via Telnet
`"root@" port:23 -login -password -name -Session`
### Telnet Access:
No password required for Telnet access.
`port:23 console gateway`
### Polycom video-conference system no-auth shell
`"polycom command shell"`
### NPort serial-to-eth / MoCA devices without password
`nport -keyin port:23`
### Android Root Bridges
A tangential result of Google's sloppy fractured update approach. 🙄
`"Android Debug Bridge" "Device" port:5555`
### Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords
`Lantronix password port:30718 -secured`
### Citrix Virtual Apps
`"Citrix Applications:" port:1604`
### Cisco Smart Install
Vulnerable (kind of "by design," but especially when exposed).
`"smart install client active"`
### PBX IP Phone Gateways
`PBX "gateway console" -password port:23`
### Polycom Video Conferencing
`http.title:"- Polycom" "Server: lighttpd"`
`"Polycom Command Shell" -failed port:23`
### Telnet Configuration:
`"Polycom Command Shell" -failed port:23`
### Bomgar Help Desk Portal
`"Server: Bomgar" "200 OK"`
### Intel Active Management CVE-2017-5689
`"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995`
`"Active Management Technology"`
### HP iLO 4 CVE-2017-12542
`HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900`
### Lantronix ethernet adapter’s admin interface without password
`"Press Enter for Setup Mode port:9999"`
### Wifi Passwords:
Helps to find the cleartext wifi passwords in Shodan.
`html:"def_wirelesspassword"`
### Misconfigured WordPress Sites:
If wp-config.php is accessible, it can expose the database credentials.
`http.html:"* The wp-config.php creation script uses this file"`
# Outlook Web Access:
### Exchange 2007
`"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"`
### Exchange 2010
`"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392`
### Exchange 2013 / 2016
`"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"`
### Lync / Skype for Business
`"X-MS-Server-Fqdn"`
# Network Attached Storage (NAS)
### SMB (Samba) File Shares
Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.
`"Authentication: disabled" port:445`
### Specifically domain controllers:
`"Authentication: disabled" NETLOGON SYSVOL -unix port:445`
### Concerning default network shares of QuickBooks files:
`"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445`
### FTP Servers with Anonymous Login
`"220" "230 Login successful." port:21`
### Iomega / LenovoEMC NAS Drives
`"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"`
### Buffalo TeraStation NAS Drives
`Redirecting sencha port:9000`
### Logitech Media Servers
`"Server: Logitech Media Server" "200 OK"`
### Plex Media Servers
`"X-Plex-Protocol" "200 OK" port:32400`
### Tautulli / PlexPy Dashboards
`"CherryPy/5.1.0" "/home"`
### Home router attached USB
`"IPC$ all storage devices"`
# Webcams
### Generic camera search
`title:camera`
### Webcams with screenshots
`webcam has_screenshot:true`
### D-Link webcams
`"d-Link Internet Camera, 200 OK"`
### Hipcam
`"Hipcam RealServer/V1.0"`
### Yawcams
`"Server: yawcam" "Mime-Type: text/html"`
### webcamXP/webcam7
`("webcam 7" OR "webcamXP") http.component:"mootools" -401`
### Android IP Webcam Server
`"Server: IP Webcam Server" "200 OK"`
### Security DVRs
`html:"DVR_H264 ActiveX"`
### Surveillance Cams:
With username: admin and password: :P
`NETSurveillance uc-httpd`
`Server: uc-httpd 1.0.0`
# Printers & Copiers:
### HP Printers
`"Serial Number:" "Built:" "Server: HP HTTP"`
### Xerox Copiers/Printers
`ssl:"Xerox Generic Root"`
### Epson Printers
`"SERVER: EPSON_Linux UPnP" "200 OK"`
`"Server: EPSON-HTTP" "200 OK"`
### Canon Printers
`"Server: KS_HTTP" "200 OK"`
`"Server: CANON HTTP Server"`
# Home Devices
### Yamaha Stereos
`"Server: AV_Receiver" "HTTP/1.1 406"`
### Apple AirPlay Receivers
Apple TVs, HomePods, etc.
`"\x08_airplay" port:5353`
### Chromecasts / Smart TVs
`"Chromecast:" port:8008`
### Crestron Smart Home Controllers
`"Model: PYNG-HUB"`
# Random Stuff
### Calibre libraries
`"Server: calibre" http.status:200 http.title:calibre`
### OctoPrint 3D Printer Controllers
`title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944`
### Ethereum Miners
`"ETH - Total speed"`
### Apache Directory Listings
Substitute .pem with any extension or a filename like phpinfo.php.
`http.title:"Index of /" http.html:".pem"`
### Misconfigured WordPress
Exposed wp-config.php files containing database credentials.
`http.html:"* The wp-config.php creation script uses this file"`
### Too Many Minecraft Servers
`"Minecraft Server" "protocol 340" port:25565`
### Literally Everything in North Korea
`net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24`