# Shodan

## Basic Shodan Filters

{% hint style="info" %}
Check the Shodan Guide Book
{% endhint %}

{% file src="/files/hgwuFC4ZJ2BJoxOQpa6k" %}

#### city:

Find devices in a particular city. `city:"Bangalore"`

#### country:

Find devices in a particular country. `country:"IN"`

#### geo:

Find devices by giving geographical coordinates. `geo:"56.913055,118.250862"`

#### Location

`country:us` `country:ru country:de city:chicago`

#### hostname:

Find devices matching the hostname. `server: "gws" hostname:"google"` `hostname:example.com -hostname:subdomain.example.com` `hostname:example.com,example.org`

#### net:

Find devices based on an IP address or /x CIDR. `net:210.214.0.0/16`

#### Organization

`org:microsoft` `org:"United States Department"`

#### Autonomous System Number (ASN)

`asn:ASxxxx`

#### os:

Find devices based on operating system. `os:"windows 7"`

#### port:

Find devices based on open ports. `proftpd port:21`

#### before/after:

Find devices seen before, after, or between given dates. `apache after:22/02/2009 before:14/3/2010`

#### SSL/TLS Certificates

Self-signed certificates `ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com`

Expired certificates `ssl.cert.expired:true`

`ssl.cert.subject.cn:example.com`

#### Device Type

`device:firewall` `device:router` `device:wap` `device:webcam` `device:media` `device:"broadband router"` `device:pbx` `device:printer` `device:switch` `device:storage` `device:specialized` `device:phone` `device:"voip"` `device:"voip phone"` `device:"voip adaptor"` `device:"load balancer"` `device:"print server"` `device:terminal` `device:remote` `device:telecom` `device:power` `device:proxy` `device:pda` `device:bridge`

#### Operating System

`os:"windows 7"` `os:"windows server 2012"` `os:"linux 3.x"`

#### Product

`product:apache` `product:nginx` `product:android` `product:chromecast`

#### Customer Premises Equipment (CPE)

`cpe:apple` `cpe:microsoft` `cpe:nginx` `cpe:cisco`

#### Server

`server: nginx` `server: apache` `server: microsoft` `server: cisco-ios`

#### ssh fingerprints

`dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0`

## Web

#### Pulse Secure

`http.html:/dana-na`

#### PEM Certificates

`http.title:"Index of /" http.html:".pem"`

#### Tor / Dark Web sites

`onion-location`

## Databases

#### MySQL

`"product:MySQL"` `mysql port:"3306"`

#### MongoDB

`"product:MongoDB"` `mongodb port:27017`

#### Fully open MongoDBs

`"MongoDB Server Information { "metrics":"` `"Set-Cookie: mongo-express=" "200 OK"` `"MongoDB Server Information" port:27017 -authentication`

#### Kibana dashboards without authentication

`kibana content-length:217`

#### elastic

`port:9200 json` `port:"9200" all:elastic` `port:"9200" all:"elastic indices"`

#### Memcached

`"product:Memcached"`

#### CouchDB

`"product:CouchDB"` `port:"5984"+Server: "CouchDB/2.1.0"`

#### PostgreSQL

`"port:5432 PostgreSQL"`

#### Riak

`"port:8087 Riak"`

#### Redis

`"product:Redis"`

#### Cassandra

`"product:Cassandra"`

## Industrial Control Systems

#### Samsung Electronic Billboards

`"Server: Prismview Player"`

#### Gas Station Pump Controllers

`"in-tank inventory" port:10001`

#### Fuel Pumps connected to internet:

No auth required to access CLI terminal. `"privileged command" GET`

#### Automatic License Plate Readers

`P372 "ANPR enabled"`

#### Traffic Light Controllers / Red Light Cameras

`mikrotik streetlight`

#### Voting Machines in the United States

`"voter system serial" country:US`

#### Open ATM:

May allow ATM access. `NCR Port:"161"`

#### Telcos Running Cisco Lawful Intercept Wiretaps

`"Cisco IOS" "ADVIPSERVICESK9_LI-M"`

#### Prison Pay Phones

`"[2J[H Encartele Confidential"`

#### Tesla PowerPack Charging Status

`http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2`

#### Electric Vehicle Chargers

`"Server: gSOAP/2.8" "Content-Length: 583"`

#### Maritime Satellites

Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!

`"Cobham SATCOM" OR ("Sailor" "VSAT")`

#### Submarine Mission Control Dashboards

`title:"Slocum Fleet Mission Control"`

#### CAREL PlantVisor Refrigeration Units

`"Server: CarelDataServer" "200 Document follows"`

#### Nordex Wind Turbine Farms

`http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"`

#### C4 Max Commercial Vehicle GPS Trackers

`"[1m[35mWelcome on console"`

#### DICOM Medical X-Ray Machines

Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.

`"DICOM Server Response" port:104`

#### GaugeTech Electricity Meters

`"Server: EIG Embedded Web Server" "200 Document follows"`

#### Siemens Industrial Automation

`"Siemens, SIMATIC" port:161`

#### Siemens HVAC Controllers

`"Server: Microsoft-WinCE" "Content-Length: 12581"`

#### Door / Lock Access Controllers

`"HID VertX" port:4070`

#### Railroad Management

`"log off" "select the appropriate"`

#### Tesla Powerpack charging Status:

Finds the charging status of Tesla PowerPack systems. `http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2`

#### XZERES Wind Turbine

`title:"xzeres wind"`

#### PIPS Automated License Plate Reader

`html:"PIPS Technology ALPR Processors"`

#### Modbus

`"port:502"`

#### Niagara Fox

`"port:1911,4911 product:Niagara"`

#### GE-SRTP

`port:18245,18246 product:"general electric"`

#### MELSEC-Q

`"port:5006,5007 product:mitsubishi"`

#### CODESYS

`"port:2455 operating system"`

#### S7

`"port:102"`

#### BACnet

`"port:47808"`

#### HART-IP

`"port:5094 hart-ip"`

#### Omron FINS

`"port:9600 response code"`

#### IEC 60870-5-104

`"port:2404 asdu address"`

#### DNP3

`"port:20000 source address"`

#### EtherNet/IP

`"port:44818"`

#### PCWorx

`"port:1962 PLC"`

#### Crimson v3.0

`port:789 product:"Red Lion Controls"`

#### ProConOS

`"port:20547 PLC"`

## Remote Desktop

#### Unprotected VNC

`"authentication disabled" port:5900,5901` `"authentication disabled" "RFB 003.008"`

#### Windows RDP

99.99% are secured by a secondary Windows login screen.

`"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"`

## C2 Infrastructure

#### CobaltStrike Servers

`product:"cobalt strike team server"` `product:"Cobalt Strike Beacon"` `ssl.cert.serial:146473198` - default certificate serial number `ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1` `ssl:foren.zik`

#### Brute Ratel

`http.html_hash:-1957161625` `product:"Brute Ratel C4"`

#### Covenant

`ssl:"Covenant" http.component:"Blazor"`

#### Metasploit

`ssl:"MetasploitSelfSignedCA"`

## Network Infrastructure

#### Hacked routers:

Routers which got compromised `hacked-router-help-sos`

#### Redis open instances

`product:"Redis key-value store"`

#### Citrix:

Find Citrix Gateway. `title:"citrix gateway"`

#### Weave Scope Dashboards

Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.

`title:"Weave Scope" http.favicon.hash:567176827`

#### Jenkins CI

`"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"`

#### Jenkins:

Jenkins Unrestricted Dashboard `x-jenkins 200`

#### Docker APIs

`"Docker Containers:" port:2375`

#### Docker Private Registries

`"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab`

#### Pi-hole Open DNS Servers

`"dnsmasq-pi-hole" "Recursion: enabled"`

#### DNS Servers with recursion

`"port: 53" Recursion: Enabled`

#### Already Logged-In as root via Telnet

`"root@" port:23 -login -password -name -Session`

#### Telnet Access:

NO password required for telnet access. `port:23 console gateway`

#### Polycom video-conference system no-auth shell

`"polycom command shell"`

#### NPort serial-to-eth / MoCA devices without password

`nport -keyin port:23`

#### Android Root Bridges

A tangential result of Google's sloppy fractured update approach. 🙄

`"Android Debug Bridge" "Device" port:5555`

#### Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords

`Lantronix password port:30718 -secured`

#### Citrix Virtual Apps

`"Citrix Applications:" port:1604`

#### Cisco Smart Install

Vulnerable (kind of "by design," but especially when exposed).

`"smart install client active"`

#### PBX IP Phone Gateways

`PBX "gateway console" -password port:23`

#### Polycom Video Conferencing

`http.title:"- Polycom" "Server: lighttpd"` `"Polycom Command Shell" -failed port:23`

#### Telnet Configuration:

`"Polycom Command Shell" -failed port:23`

#### Bomgar Help Desk Portal

`"Server: Bomgar" "200 OK"`

#### Intel Active Management CVE-2017-5689

`"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995` `"Active Management Technology"`

#### HP iLO 4 CVE-2017-12542

`HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900`

#### Lantronix ethernet adapter’s admin interface without password

`"Press Enter for Setup Mode" port:9999`

#### Wifi Passwords:

Finds cleartext Wi-Fi passwords indexed by Shodan. `html:"def_wirelesspassword"`

#### Misconfigured Wordpress Sites:

If accessible, wp-config.php can expose the database credentials. `http.html:"* The wp-config.php creation script uses this file"`

## Outlook Web Access:

#### Exchange 2007

`"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"`

#### Exchange 2010

`"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392`

#### Exchange 2013 / 2016

`"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"`

#### Lync / Skype for Business

`"X-MS-Server-Fqdn"`

## Network Attached Storage (NAS)

#### SMB (Samba) File Shares

Produces ~500,000 results; narrow down by adding "Documents" or "Videos", etc.

`"Authentication: disabled" port:445`

#### Specifically domain controllers:

`"Authentication: disabled" NETLOGON SYSVOL -unix port:445`

#### Concerning default network shares of QuickBooks files:

`"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445`

#### FTP Servers with Anonymous Login

`"220" "230 Login successful." port:21`

#### Iomega / LenovoEMC NAS Drives

`"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"`

#### Buffalo TeraStation NAS Drives

`Redirecting sencha port:9000`

#### Logitech Media Servers

`"Server: Logitech Media Server" "200 OK"`

#### Plex Media Servers

`"X-Plex-Protocol" "200 OK" port:32400`

#### Tautulli / PlexPy Dashboards

`"CherryPy/5.1.0" "/home"`

#### Home router attached USB

`"IPC$ all storage devices"`

## Webcams

#### Generic camera search

`title:camera`

#### Webcams with screenshots

`webcam has_screenshot:true`

#### D-Link webcams

`"d-Link Internet Camera, 200 OK"`

#### Hipcam

`"Hipcam RealServer/V1.0"`

#### Yawcams

`"Server: yawcam" "Mime-Type: text/html"`

#### webcamXP/webcam7

`("webcam 7" OR "webcamXP") http.component:"mootools" -401`

#### Android IP Webcam Server

`"Server: IP Webcam Server" "200 OK"`

#### Security DVRs

`html:"DVR_H264 ActiveX"`

#### Surveillance Cams:

With username:admin and password: :P `NETSurveillance uc-httpd` `Server: uc-httpd 1.0.0`

## Printers & Copiers:

#### HP Printers

`"Serial Number:" "Built:" "Server: HP HTTP"`

#### Xerox Copiers/Printers

`ssl:"Xerox Generic Root"`

#### Epson Printers

`"SERVER: EPSON_Linux UPnP" "200 OK"`

`"Server: EPSON-HTTP" "200 OK"`

#### Canon Printers

`"Server: KS_HTTP" "200 OK"`

`"Server: CANON HTTP Server"`

## Home Devices

#### Yamaha Stereos

`"Server: AV_Receiver" "HTTP/1.1 406"`

#### Apple AirPlay Receivers

Apple TVs, HomePods, etc.

`"\x08_airplay" port:5353`

#### Chromecasts / Smart TVs

`"Chromecast:" port:8008`

#### Crestron Smart Home Controllers

`"Model: PYNG-HUB"`

## Random Stuff

#### Calibre libraries

`"Server: calibre" http.status:200 http.title:calibre`

#### OctoPrint 3D Printer Controllers

`title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944`

#### Ethereum Miners

`"ETH - Total speed"`

#### Apache Directory Listings

Substitute .pem with any extension or a filename like phpinfo.php.

`http.title:"Index of /" http.html:".pem"`

#### Misconfigured WordPress

Exposed wp-config.php files containing database credentials.

`http.html:"* The wp-config.php creation script uses this file"`

#### Too Many Minecraft Servers

`"Minecraft Server" "protocol 340" port:25565`

#### Literally Everything in North Korea

`net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24`


