forked from Karanxa/Bug-Bounty-Wordlists
-
Notifications
You must be signed in to change notification settings - Fork 1
/
shodan-dorks.txt
604 lines (378 loc) · 11.8 KB
/
shodan-dorks.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
# Basic Shodan Filters
### city:
Find devices in a particular city.
`city:"Bangalore"`
### country:
Find devices in a particular country.
`country:"IN"`
### geo:
Find devices by giving geographical coordinates.
`geo:"56.913055,118.250862"`
### Location
`country:us`
`country:ru country:de city:chicago`
### hostname:
Find devices matching the hostname.
`server: "gws" hostname:"google"`
`hostname:example.com -hostname:subdomain.example.com`
`hostname:example.com,example.org`
### net:
Find devices based on an IP address or /x CIDR.
`net:210.214.0.0/16`
### Organization
`org:microsoft`
`org:"United States Department"`
### Autonomous System Number (ASN)
`asn:ASxxxx`
### os:
Find devices based on operating system.
`os:"windows 7"`
### port:
Find devices based on open ports.
`proftpd port:21`
### before/after:
Find devices before or after between a given time.
`apache after:22/02/2009 before:14/3/2010`
### SSL/TLS Certificates
Self signed certificates
`ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com`
Expired certificates
`ssl.cert.expired:true`
`ssl.cert.subject.cn:example.com`
### Device Type
`device:firewall`
`device:router`
`device:wap`
`device:webcam`
`device:media`
`device:"broadband router"`
`device:pbx`
`device:printer`
`device:switch`
`device:storage`
`device:specialized`
`device:phone`
`device:"voip"`
`device:"voip phone"`
`device:"voip adaptor"`
`device:"load balancer"`
`device:"print server"`
`device:terminal`
`device:remote`
`device:telecom`
`device:power`
`device:proxy`
`device:pda`
`device:bridge`
### Operating System
`os:"windows 7"`
`os:"windows server 2012"`
`os:"linux 3.x"`
### Product
`product:apache`
`product:nginx`
`product:android`
`product:chromecast`
### Customer Premises Equipment (CPE)
`cpe:apple`
`cpe:microsoft`
`cpe:nginx`
`cpe:cisco`
### Server
`server: nginx`
`server: apache`
`server: microsoft`
`server: cisco-ios`
### ssh fingerprints
`dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0`
# Web
### Pulse Secure
`http.html:/dana-na`
### PEM Certificates
`http.title:"Index of /" http.html:".pem"`
# Databases
### MySQL
`"product:MySQL"`
### MongoDB
`"product:MongoDB"`
`mongodb port:27017`
### Fully open MongoDBs
`"MongoDB Server Information { "metrics":"`
`"Set-Cookie: mongo-express=" "200 OK"`
### Kibana dashboards without authentication
`kibana content-legth:217`
### elastic
`port:9200 json`
`port:"9200" all:elastic`
### Memcached
`"product:Memcached"`
### CouchDB
`"product:CouchDB"`
`port:"5984"+Server: "CouchDB/2.1.0"`
### PostgreSQL
`"port:5432 PostgreSQL"`
### Riak
`"port:8087 Riak"`
### Redis
`"product:Redis"`
### Cassandra
`"product:Cassandra"`
# Industrial Control Systems
### Samsung Electronic Billboards
`"Server: Prismview Player"`
### Gas Station Pump Controllers
`"in-tank inventory" port:10001`
### Fuel Pumps connected to internet:
No auth required to access CLI terminal.</br>
`"privileged command" GET`
### Automatic License Plate Readers
`P372 "ANPR enabled"`
### Traffic Light Controllers / Red Light Cameras
`mikrotik streetlight`
### Voting Machines in the United States
"voter system serial" country:US
### Open ATM:
May allow for ATM Access availability
`NCR Port:"161"`
### Telcos Running Cisco Lawful Intercept Wiretaps
`"Cisco IOS" "ADVIPSERVICESK9_LI-M"`
### Prison Pay Phones
`"[2J[H Encartele Confidential"`
### Tesla PowerPack Charging Status
`http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2`
### Electric Vehicle Chargers
`"Server: gSOAP/2.8" "Content-Length: 583"`
### Maritime Satellites
Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!
`"Cobham SATCOM" OR ("Sailor" "VSAT")`
### Submarine Mission Control Dashboards
`title:"Slocum Fleet Mission Control"`
### CAREL PlantVisor Refrigeration Units
`"Server: CarelDataServer" "200 Document follows"`
### Nordex Wind Turbine Farms
`http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"`
### C4 Max Commercial Vehicle GPS Trackers
`"[1m[35mWelcome on console"`
### DICOM Medical X-Ray Machines
Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.
`"DICOM Server Response" port:104`
### GaugeTech Electricity Meters
`"Server: EIG Embedded Web Server" "200 Document follows"`
### Siemens Industrial Automation
`"Siemens, SIMATIC" port:161`
### Siemens HVAC Controllers
`"Server: Microsoft-WinCE" "Content-Length: 12581"`
### Door / Lock Access Controllers
`"HID VertX" port:4070`
### Railroad Management
`"log off" "select the appropriate"`
### Tesla Powerpack charging Status:
Helps to find the charging status of tesla powerpack.
`http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2`
### XZERES Wind Turbine
`title:"xzeres wind"`
### PIPS Automated License Plate Reader
`"html:"PIPS Technology ALPR Processors""`
### Modbus
`"port:502"`
### Niagara Fox
`"port:1911,4911 product:Niagara"`
### GE-SRTP
`"port:18245,18246 product:"general electric""`
### MELSEC-Q
`"port:5006,5007 product:mitsubishi"`
### CODESYS
`"port:2455 operating system"`
### S7
`"port:102"`
### BACnet
`"port:47808"`
### HART-IP
`"port:5094 hart-ip"`
### Omron FINS
`"port:9600 response code"`
### IEC 60870-5-104
`"port:2404 asdu address"`
### DNP3
`"port:20000 source address"`
### EtherNet/IP
`"port:44818"`
### PCWorx
`"port:1962 PLC"`
### Crimson v3.0
`"port:789 product:"Red Lion Controls"`
### ProConOS
`"port:20547 PLC"`
# Remote Desktop
### Unprotected VNC
`"authentication disabled" port:5900,5901`
`"authentication disabled" "RFB 003.008"`
### Windows RDP
99.99% are secured by a secondary Windows login screen.
`"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"`
# Network Infrastructure
### CobaltStrike Servers
`product:"cobalt strike team server"`
`ssl.cert.serial:146473198` - default certificate serial number
`ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1`
### Hacked routers:
Routers which got compromised </br>
`hacked-router-help-sos`
### Redis open instances
`product:"Redis key-value store"`
### Citrix:
Find Citrix Gateway.<br/>
`title:"citrix gateway"`
### Weave Scope Dashboards
Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.
`title:"Weave Scope" http.favicon.hash:567176827`
### MongoDB
Older versions were insecure by default. Very scary.
`"MongoDB Server Information" port:27017 -authentication`
### Mongo Express Web GUI
Like the infamous phpMyAdmin but for MongoDB.
`"Set-Cookie: mongo-express=" "200 OK"`
### Jenkins CI
`"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"`
### Jenkins:
Jenkins Unrestricted Dashboard
`x-jenkins 200`
### Docker APIs
`"Docker Containers:" port:2375`
### Docker Private Registries
`"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab`
### Pi-hole Open DNS Servers
`"dnsmasq-pi-hole" "Recursion: enabled"`
### Already Logged-In as root via Telnet
`"root@" port:23 -login -password -name -Session`
### Telnet Access:
NO password required for telnet access. </br>
`port:23 console gateway`
### Polycom video-conference system no-auth shell
`"polycom command shell"`
### NPort serial-to-eth / MoCA devices without password
`nport -keyin port:23`
### Android Root Bridges
A tangential result of Google's sloppy fractured update approach. 🙄 More information here.
`"Android Debug Bridge" "Device" port:5555`
### Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords
`Lantronix password port:30718 -secured`
### Citrix Virtual Apps
`"Citrix Applications:" port:1604`
### Cisco Smart Install
Vulnerable (kind of "by design," but especially when exposed).
`"smart install client active"`
### PBX IP Phone Gateways
`PBX "gateway console" -password port:23`
### Polycom Video Conferencing
`http.title:"- Polycom" "Server: lighttpd"`
`"Polycom Command Shell" -failed port:23`
### Telnet Configuration:
`"Polycom Command Shell" -failed port:23`
Example: Polycom Video Conferencing
### Bomgar Help Desk Portal
`"Server: Bomgar" "200 OK"`
### Intel Active Management CVE-2017-5689
`"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995`
`”Active Management Technology”`
### HP iLO 4 CVE-2017-12542
`HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900`
### Lantronix ethernet adapter’s admin interface without password
`"Press Enter for Setup Mode port:9999"`
### Wifi Passwords:
Helps to find the cleartext wifi passwords in Shodan.
`html:"def_wirelesspassword"`
### Misconfigured Wordpress Sites:
The wp-config.php if accessed can give out the database credentials.
`http.html:"* The wp-config.php creation script uses this file"`
# Outlook Web Access:
### Exchange 2007
`"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"`
### Exchange 2010
`"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392`
### Exchange 2013 / 2016
`"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"`
### Lync / Skype for Business
`"X-MS-Server-Fqdn"`
# Network Attached Storage (NAS)
### SMB (Samba) File Shares
Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.
`"Authentication: disabled" port:445`
### Specifically domain controllers:
`"Authentication: disabled" NETLOGON SYSVOL -unix port:445`
### Concerning default network shares of QuickBooks files:
`"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445`
### FTP Servers with Anonymous Login
`"220" "230 Login successful." port:21`
### Iomega / LenovoEMC NAS Drives
`"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"`
### Buffalo TeraStation NAS Drives
`Redirecting sencha port:9000`
### Logitech Media Servers
`"Server: Logitech Media Server" "200 OK"`
Example: Logitech Media Servers
### Plex Media Servers
`"X-Plex-Protocol" "200 OK" port:32400`
### Tautulli / PlexPy Dashboards
`"CherryPy/5.1.0" "/home"`
### Home router attached USB
`"IPC$ all storage devices"`
# Webcams
### Generic camera search
`title:camera`
### Webcams with screenshots
`webcam has_screenshot:true`
### D-Link webcams
`"d-Link Internet Camera, 200 OK"`
### Hipcam
`"Hipcam RealServer/V1.0"`
### Yawcams
`"Server: yawcam" "Mime-Type: text/html"`
### webcamXP/webcam7
`("webcam 7" OR "webcamXP") http.component:"mootools" -401`
### Android IP Webcam Server
`"Server: IP Webcam Server" "200 OK"`
### Security DVRs
`html:"DVR_H264 ActiveX"`
### Surveillance Cams:
With username:admin and password: :P</br>
`NETSurveillance uc-httpd`
`Server: uc-httpd 1.0.0`
# Printers & Copiers:
### HP Printers
`"Serial Number:" "Built:" "Server: HP HTTP"`
### Xerox Copiers/Printers
`ssl:"Xerox Generic Root"`
### Epson Printers
`"SERVER: EPSON_Linux UPnP" "200 OK"`
`"Server: EPSON-HTTP" "200 OK"`
### Canon Printers
`"Server: KS_HTTP" "200 OK"`
`"Server: CANON HTTP Server"`
# Home Devices
### Yamaha Stereos
`"Server: AV_Receiver" "HTTP/1.1 406"`
### Apple AirPlay Receivers
Apple TVs, HomePods, etc.
`"\x08_airplay" port:5353`
### Chromecasts / Smart TVs
`"Chromecast:" port:8008`
### Crestron Smart Home Controllers
`"Model: PYNG-HUB"`
# Random Stuff
### Calibre libraries
`"Server: calibre" http.status:200 http.title:calibre`
### OctoPrint 3D Printer Controllers
`title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944`
### Etherium Miners
`"ETH - Total speed"`
### Apache Directory Listings
Substitute .pem with any extension or a filename like phpinfo.php.
`http.title:"Index of /" http.html:".pem"`
### Misconfigured WordPress
Exposed wp-config.php files containing database credentials.
`http.html:"* The wp-config.php creation script uses this file"`
### Too Many Minecraft Servers
`"Minecraft Server" "protocol 340" port:25565`
### Literally Everything in North Korea
`net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24`