Awesome-Mirrors
/
awesome-shodan-queries
mirror of https://github.com/jakejarvis/awesome-shodan-queries.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
A collection of interesting, funny, and depressing search queries to plug into shodan.io
2 Commits 1 Branch 0 Tags 4.4 MiB
Markdown 100%
Go to file
Jake Jarvis 561b8ec916
license, contributing guidelines, code of conduct, and awesome-list compliance 		2019-04-25 14:57:23 -04:00
screenshots Initial commit! 2019-04-25 14:06:16 -04:00
code-of-conduct.md license, contributing guidelines, code of conduct, and awesome-list compliance 2019-04-25 14:57:23 -04:00
contributing.md license, contributing guidelines, code of conduct, and awesome-list compliance 2019-04-25 14:57:23 -04:00
license.md license, contributing guidelines, code of conduct, and awesome-list compliance 2019-04-25 14:57:23 -04:00
readme.md license, contributing guidelines, code of conduct, and awesome-list compliance 2019-04-25 14:57:23 -04:00

readme.md

Awesome Shodan Search Queries Awesome

Based on a blog post at https://jarv.is/notes/shodan-search-queries/.

Over time, I've collected an assortment of interesting, funny, and depressing search queries to plug into Shodan, the (literal) internet search engine. Some return facepalm-inducing results, while others return serious and/or ancient vulnerabilities in the wild.

Most search filters require a Shodan account.

You can assume these queries only return unsecured/open instances when possible. For your own legal benefit, do not attempt to login (even with default passwords) if they aren't! Narrow down results by adding filters like country:US or org:"Harvard University" or hostname:"nasa.gov" to the end.

The world and its devices are quickly becoming more connected through the shiny new Internet of Things Sh*t — and exponentially more dangerous as a result. To that end, I hope this list spreads awareness (and, quite frankly, pant-wetting fear) rather than harm.

And as always, discover and disclose responsibly! 😊

Table of Contents

Industrial Control Systems

Samsung Electronic Billboards 

"Server: Prismview Player"

Example: Electronic Billboards

Gas Station Pump Controllers 

"in-tank inventory" port:10001

Example: Gas Station Pump Inventories

Automatic License Plate Readers 

P372 "ANPR enabled"

Traffic Light Controllers / Red Light Cameras 

mikrotik streetlight

Voting Machines in the United States 

"voter system serial" country:US

Prison Pay Phones 

"[2J[H Encartele Confidential"

Tesla PowerPack Charging Status 

http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2

Example: Tesla PowerPack Charging Status

Electric Vehicle Chargers 

"Server: gSOAP/2.8" "Content-Length: 583"

Nordex Wind Turbine Farms 

http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"

C4 Max Commercial Vehicle GPS Trackers 

"[1m[35mWelcome on console"

Example: C4 Max Vehicle GPS

DICOM Medical X-Ray Machines

Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.

"DICOM Server Response" port:104

Siemens Industrial Automation 

"Siemens, SIMATIC" port:161

Siemens HVAC Controllers 

"Server: Microsoft-WinCE" "Content-Length: 12581"

Door / Lock Access Controllers 

"HID VertX" port:4070

Railroad Management 

"log off" "select the appropriate"

Remote Desktop

Unprotected VNC 

"authentication disabled" "RFB 003.008"

Shodan Images is a great supplementary tool to browse screenshots, by the way!

Example: Unprotected VNC

The first result right now. 😞

Windows RDP

99.99% are secured by a secondary Windows login screen.

"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"

Network Infrastructure

MongoDB

Older versions were insecure by default. Very scary.

"MongoDB Server Information" port:27017 -authentication

Example: MongoDB

Jenkins CI 

"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"

Example: Jenkins CI

Docker APIs 

"Docker Containers:" port:2375

Pi-hole Open DNS Servers 

"dnsmasq-pi-hole" "Recursion: enabled"

Already Logged-In as root via Telnet 

"root@" port:23 -login -password -name -Session

Android Root Bridges

A tangential result of Google's dumb fractured update approach. 🙄 More information here.

"Android Debug Bridge" "Device" port:5555

Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords 

Lantronix password port:30718 -secured

Citrix Virtual Apps 

"Citrix Applications:" port:1604

Example: Citrix Virtual Apps

Cisco Smart Install

Vulnerable (kind of "by design," but especially when exposed).

"smart install client active"

PBX IP Phone Gateways 

PBX "gateway console" -password port:23

Polycom Video Conferencing 

http.title:"- Polycom" "Server: lighttpd"

Telnet Configuration: 

"Polycom Command Shell" -failed port:23

Example: Polycom Video Conferencing

Bomgar Help Desk Portal 

"Server: Bomgar" "200 OK"

Intel Active Management CVE-2017-5689 

"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995

HP iLO 4 CVE-2017-12542 

HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" port:1900

Outlook Web Access:

Exchange 2007 

"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"

Example: OWA for Exchange 2007

Exchange 2010 

"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392

Example: OWA for Exchange 2010

Exchange 2013 / 2016 

"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"

Example: OWA for Exchange 2013/2016

Lync / Skype for Business 

"X-MS-Server-Fqdn"

Network Attached Storage (NAS)

SMB (Samba) File Shares

Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.

"Authentication: disabled" port:445

Specifically domain controllers: 

"Authentication: disabled" NETLOGON SYSVOL -unix port:445

Iomega / LenovoEMC NAS Drives 

"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"

Example: Iomega / LenovoEMC NAS Drives

Buffalo TeraStation NAS Drives 

Redirecting sencha port:9000

Example: Buffalo TeraStation NAS Drives

Logitech Media Servers 

"Server: Logitech Media Server" "200 OK"

Example: Logitech Media Servers

Plex Media Servers 

"X-Plex-Protocol" "200 OK" port:32400

Tautulli / PlexPy Dashboards 

"CherryPy/5.1.0" "/home"

Example: PlexPy / Tautulli Dashboards

Webcams

Example images not necessary. 🤦

Yawcams 

"Server: yawcam" "Mime-Type: text/html"

webcamXP/webcam7 

("webcam 7" OR "webcamXP") http.component:"mootools" -401

Android IP Webcam Server 

"Server: IP Webcam Server" "200 OK"

Security DVRs 

html:"DVR_H264 ActiveX"

Printers & Copiers:

HP Printers 

"Serial Number:" "Built:" "Server: HP HTTP"

Example: HP Printers

Xerox Copiers/Printers 

ssl:"Xerox Generic Root"

Example: Xerox Copiers/Printers

Epson Printers 

"SERVER: EPSON_Linux UPnP" "200 OK"

"Server: EPSON-HTTP" "200 OK"

Example: Epson Printers

Canon Printers 

"Server: KS_HTTP" "200 OK"

"Server: CANON HTTP Server"

Example: Canon Printers

Home Devices

Yamaha Stereos 

"Server: AV_Receiver" "HTTP/1.1 406"

Example: Yamaha Stereos

Chromecasts / Smart TVs 

"Chromecast:" port:8008

Crestron Smart Home Controllers 

"Model: PYNG-HUB"

Random Stuff

Etherium Miners 

"ETH - Total speed"

Example: Etherium Miners

Apache Directory Listings

Substitute .pem with any extension or a filename like phpinfo.php.

http.title:"Index of /" http.html:".pem"

Too Many Minecraft Servers 

"Minecraft Server" "protocol 340" port:25565

Literally Everything in North Korea 🇰🇵 

net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24

TCP Quote of the Day

Port 17 (RFC 865) has a bizarre history...

port:17 product:"Windows qotd"

Find a Job Doing This! 👩‍💼 

"X-Recruiting:"

If you've found any other juicy Shodan gems, whether it's a search query or a specific example, definitely drop a comment on the blog or open an issue/PR here on GitHub.

Bon voyage, fellow penetrators! 😉

License

CC0

To the extent possible under law, Jake Jarvis has waived all copyright and related or neighboring rights to this work.