Awesome Shodan Search Queries
Over time, I've collected an assortment of interesting, funny, and depressing search queries to plug into Shodan, the (literal) internet search engine. Some return facepalm-inducing results, while others return serious and/or ancient vulnerabilities in the wild.
<p align="center"> <img src="screenshots/shodan.png" /><br /> <strong><a href="https://account.shodan.io/register">Most search filters require a Shodan account.</a></strong> </p>
You can assume these queries only return unsecured/open instances when possible. For your own legal benefit, do not attempt to log in (even with default passwords) if they aren't! Narrow down results by adding filters like country:US or org:"Harvard University" or hostname:"nasa.gov" to the end.
The world and its devices are quickly becoming more connected through the shiny new Internet of Things Sh*t — and exponentially more dangerous as a result. To that end, I hope this list spreads awareness (and, quite frankly, pant-wetting fear) rather than harm.
And as always, discover and disclose responsibly! 🤓
Table of Contents
- Industrial Control Systems
- Remote Desktop
- Network Infrastructure
- Network Attached Storage (NAS)
- Webcams
- Printers & Copiers
- Home Devices
- Random Stuff
Industrial Control Systems
Samsung Electronic Billboards 🔎 →
"Server: Prismview Player"
<div align="center"><img src="screenshots/billboard3.png" alt="Example: Electronic Billboards" width="500" /></div>
Gas Station Pump Controllers 🔎 →
"in-tank inventory" port:10001
<div align="center"><img src="screenshots/7-11.png" alt="Example: Gas Station Pump Inventories" width="700" /></div>
Automatic License Plate Readers 🔎 →
P372 "ANPR enabled"
<div align="center"><img src="screenshots/plate-reader.png" alt="Example: Automatic License Plate Reader" /></div>
Traffic Light Controllers / Red Light Cameras 🔎 →
mikrotik streetlight
Voting Machines in the United States 🔎 →
"voter system serial" country:US
Telcos Running Cisco Lawful Intercept Wiretaps 🔎 →
"Cisco IOS" "ADVIPSERVICESK9_LI-M"
Wiretapping mechanism outlined by Cisco in RFC 3924:
Lawful intercept is the lawfully authorized interception and monitoring of communications of an intercept subject. The term "intercept subject" [...] refers to the subscriber of a telecommunications service whose communications and/or intercept related information (IRI) has been lawfully authorized to be intercepted and delivered to some agency.
Prison Pay Phones 🔎 →
"[2J[H Encartele Confidential"
Tesla PowerPack Charging Status 🔎 →
http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
<div align="center"><img src="screenshots/tesla.png" alt="Example: Tesla PowerPack Charging Status" /></div>
Electric Vehicle Chargers 🔎 →
"Server: gSOAP/2.8" "Content-Length: 583"
Maritime Satellites 🔎 →
Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!
"Cobham SATCOM" OR ("Sailor" "VSAT")
<div align="center"><img src="screenshots/sailor-vsat.png" alt="Example: Maritime Satellites" width="700" /></div>
Submarine Mission Control Dashboards 🔎 →
title:"Slocum Fleet Mission Control"
CAREL PlantVisor Refrigeration Units 🔎 →
"Server: CarelDataServer" "200 Document follows"
<div align="center"><img src="screenshots/refrigeration.png" alt="Example: CAREL PlantVisor Refrigeration Units" /></div>
Nordex Wind Turbine Farms 🔎 →
http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"
C4 Max Commercial Vehicle GPS Trackers 🔎 →
"[1m[35mWelcome on console"
<div align="center"><img src="screenshots/c4max.png" alt="Example: C4 Max Vehicle GPS" width="780" /></div>
DICOM Medical X-Ray Machines 🔎 →
Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.
"DICOM Server Response" port:104
GaugeTech Electricity Meters 🔎 →
"Server: EIG Embedded Web Server" "200 Document follows"
<div align="center"><img src="screenshots/power-gaugetech.png" alt="Example: GaugeTech Electricity Meters" width="650" /></div>
Siemens Industrial Automation 🔎 →
"Siemens, SIMATIC" port:161
Siemens HVAC Controllers 🔎 →
"Server: Microsoft-WinCE" "Content-Length: 12581"
Door / Lock Access Controllers 🔎 →
"HID VertX" port:4070
Railroad Management 🔎 →
"log off" "select the appropriate"
Remote Desktop
Unprotected VNC 🔎 →
"authentication disabled" "RFB 003.008"
Shodan Images is a great supplementary tool to browse screenshots, by the way! 🔎 →
<p align="center"> <img src="screenshots/vnc.png" alt="Example: Unprotected VNC" /><br /> <em>The first result right now. 😞</em> </p>
Windows RDP 🔎 →
99.99% are secured by a secondary Windows login screen.
"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"
Network Infrastructure
Weave Scope Dashboards 🔎 →
Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.
title:"Weave Scope" http.favicon.hash:567176827
<div align="center"><img src="screenshots/weavescope.png" alt="Example: Weave Scope Dashboards" /></div>
MongoDB 🔎 →
Older versions were insecure by default. Very scary.
"MongoDB Server Information" port:27017 -authentication
<div align="center"><img src="screenshots/mongo.png" alt="Example: MongoDB" width="500" /></div>
Mongo Express Web GUI 🔎 →
Like the infamous phpMyAdmin but for MongoDB.
"Set-Cookie: mongo-express=" "200 OK"
<div align="center"><img src="screenshots/mongo-express.png" alt="Example: Mongo Express GUI" width="700" /></div>
Jenkins CI 🔎 →
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
<div align="center"><img src="screenshots/jenkins.png" alt="Example: Jenkins CI" width="700" /></div>
Docker APIs 🔎 →
"Docker Containers:" port:2375
Docker Private Registries 🔎 →
"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab
Pi-hole Open DNS Servers 🔎 →
"dnsmasq-pi-hole" "Recursion: enabled"
Already Logged-In as root via Telnet 🔎 →
"root@" port:23 -login -password -name -Session
Android Root Bridges 🔎 →
A tangential result of Google's sloppy fractured update approach. 🙄 More information here.
"Android Debug Bridge" "Device" port:5555
Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords 🔎 →
Lantronix password port:30718 -secured
Citrix Virtual Apps 🔎 →
"Citrix Applications:" port:1604
<div align="center"><img src="screenshots/citrix.png" alt="Example: Citrix Virtual Apps" width="700" /></div>
Cisco Smart Install 🔎 →
Vulnerable (kind of "by design," but especially when exposed).
"smart install client active"
PBX IP Phone Gateways 🔎 →
PBX "gateway console" -password port:23
Polycom Video Conferencing 🔎 →
http.title:"- Polycom" "Server: lighttpd"
Telnet Configuration: 🔎 →
"Polycom Command Shell" -failed port:23
<div align="center"><img src="screenshots/polycom.png" alt="Example: Polycom Video Conferencing" /></div>
Bomgar Help Desk Portal 🔎 →
"Server: Bomgar" "200 OK"
Intel Active Management CVE-2017-5689 🔎 →
"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995
HP iLO 4 CVE-2017-12542 🔎 →
HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900
Outlook Web Access:
Exchange 2007 🔎 →
"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"
<div align="center"><img src="screenshots/owa2007.png" alt="Example: OWA for Exchange 2007" width="400" /></div>
Exchange 2010 🔎 →
"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392
<div align="center"><img src="screenshots/owa2010.png" alt="Example: OWA for Exchange 2010" width="400" /></div>
Exchange 2013 / 2016 🔎 →
"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"
<div align="center"><img src="screenshots/owa2013.png" alt="Example: OWA for Exchange 2013/2016" width="500" /></div>
Lync / Skype for Business 🔎 →
"X-MS-Server-Fqdn"
Network Attached Storage (NAS)
SMB (Samba) File Shares 🔎 →
Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.
"Authentication: disabled" port:445
Specifically domain controllers: 🔎 →
"Authentication: disabled" NETLOGON SYSVOL -unix port:445
Concerning default network shares of QuickBooks files: 🔎 →
"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445
FTP Servers with Anonymous Login 🔎 →
"220" "230 Login successful." port:21
Iomega / LenovoEMC NAS Drives 🔎 →
"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"
<div align="center"><img src="screenshots/iomega.png" alt="Example: Iomega / LenovoEMC NAS Drives" width="600" /></div>
Buffalo TeraStation NAS Drives 🔎 →
Redirecting sencha port:9000
<div align="center"><img src="screenshots/buffalo.png" alt="Example: Buffalo TeraStation NAS Drives" width="600" /></div>
Logitech Media Servers 🔎 →
"Server: Logitech Media Server" "200 OK"
<div align="center"><img src="screenshots/logitech.png" alt="Example: Logitech Media Servers" width="500" /></div>
Plex Media Servers 🔎 →
"X-Plex-Protocol" "200 OK" port:32400
Tautulli / PlexPy Dashboards 🔎 →
"CherryPy/5.1.0" "/home"
<div align="center"><img src="screenshots/plexpy.png" alt="Example: PlexPy / Tautulli Dashboards" width="570" /></div>
Webcams
Example images not necessary. 🤦
Yawcams 🔎 →
"Server: yawcam" "Mime-Type: text/html"
webcamXP/webcam7 🔎 →
("webcam 7" OR "webcamXP") http.component:"mootools" -401
Android IP Webcam Server 🔎 →
"Server: IP Webcam Server" "200 OK"
Security DVRs 🔎 →
html:"DVR_H264 ActiveX"
Printers & Copiers:
HP Printers 🔎 →
"Serial Number:" "Built:" "Server: HP HTTP"
<div align="center"><img src="screenshots/hp.png" alt="Example: HP Printers" width="650" /></div>
Xerox Copiers/Printers 🔎 →
ssl:"Xerox Generic Root"
<div align="center"><img src="screenshots/xerox.png" alt="Example: Xerox Copiers/Printers" width="550" /></div>
Epson Printers 🔎 →
"SERVER: EPSON_Linux UPnP" "200 OK"
"Server: EPSON-HTTP" "200 OK"
<div align="center"><img src="screenshots/epson.png" alt="Example: Epson Printers" width="500" /></div>
Canon Printers 🔎 →
"Server: KS_HTTP" "200 OK"
"Server: CANON HTTP Server"
<div align="center"><img src="screenshots/canon.png" alt="Example: Canon Printers" width="500" /></div>
Home Devices
Yamaha Stereos 🔎 →
"Server: AV_Receiver" "HTTP/1.1 406"
<div align="center"><img src="screenshots/yamaha.png" alt="Example: Yamaha Stereos" width="500" /></div>
Apple AirPlay Receivers 🔎 →
Apple TVs, HomePods, etc.
"\x08_airplay" port:5353
Chromecasts / Smart TVs 🔎 →
"Chromecast:" port:8008
Crestron Smart Home Controllers 🔎 →
"Model: PYNG-HUB"
Random Stuff
OctoPrint 3D Printer Controllers 🔎 →
title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944
<div align="center"><img src="screenshots/octoprint.png" alt="Example: OctoPrint 3D Printers" width="740" /></div>
Ethereum Miners 🔎 →
"ETH - Total speed"
<div align="center"><img src="screenshots/eth.png" alt="Example: Ethereum Miners" /></div>
Apache Directory Listings 🔎 →
Substitute .pem with any extension or a filename like phpinfo.php.
http.title:"Index of /" http.html:".pem"
Misconfigured WordPress 🔎 →
Exposed wp-config.php files containing database credentials.
http.html:"* The wp-config.php creation script uses this file"
Too Many Minecraft Servers 🔎 →
"Minecraft Server" "protocol 340" port:25565
Literally Everything in North Korea 🇰🇵 🔎 →
net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24
TCP Quote of the Day 🔎 →
Port 17 (RFC 865) has a bizarre history...
port:17 product:"Windows qotd"
Find a Job Doing This! 👩‍💼 🔎 →
"X-Recruiting:"
If you've found any other juicy Shodan gems, whether it's a search query or a specific example, definitely drop a comment on the blog or open an issue/PR here on GitHub.
Bon voyage, fellow penetrators! 😉
License
To the extent possible under law, Jake Jarvis has waived all copyright and related or neighboring rights to this work.
Mirrored from a blog post at https://jarv.is/notes/shodan-search-queries/.