Ultimate OSINT with Shodan: 100+ great Shodan queries

Happy New Year!

We are returning to OSINT after a short hiatus, with a post that I have spent some time working on.

My fondness for Shodan has been obvious, especially since I created the Shodan, OSINT & IoT Devices online course (by the way, it still has 4 seats left available!).

You can experiment with building your own Shodan search queries, or you can take this shortcut and use some of mine.

Each of the 100+ queries has been manually tested and (at the time of writing at least) delivers tangible results.

If you find something else useful that is not covered here, please drop it in the comments below.

Webcam searches

  1. title:camera – general search for anything matching the “camera” keyword.
  2. webcam has_screenshot:true – a general search for any IoT device identified as a webcam that has screenshots available.
  3. has_screenshot:true IP Webcam – another version of the above search; see how the results might differ.
  4. server: webcampxp – webcamXP is one of the most popular and commonly encountered network camera software packages for Windows.
  5. server: "webcam 7" – webcam 7 cameras; not as popular as the above type, but they are still popular and encountered out there.
  6. title:"blue iris remote view" – webcams identified as belonging to the Blue Iris webcam remote management and monitoring service.
  7. title:"ui3 -" – UI3 is an HTML5 web interface for Blue Iris mentioned above.
  8. title:"Network Camera VB-M600" – Canon-manufactured megapixel security cameras.
  9. product:"Yawcam webcam viewer httpd" – Yawcam stands for Yet Another WebCAM, free live streaming and webcam software.
  10. title:"IPCam Client" – IPCam Client webcam devices.
  11. server: GeoHttpServer – GeoVision (GeoHttpServer) webcams, older webcam software, some of which had well-documented vulnerabilities.
  12. server: VVTK-HTTP-Server – Vivotek IP cameras.
  13. title:"Avigilon" – access to the Avigilon brand camera and monitoring devices.
  14. ACTi – various IP camera and video management system products.
  15. WWW-Authenticate: "Merit LILIN Ent. Co., Ltd." – a UK-based house automation / IP camera provider.
  16. title:"+tm01+" – unsecured Linksys webcams, a lot of them with screenshots.
  17. server: "i-Catcher Console" – another example of an IP-based CCTV system.
  18. Netwave IP Camera Content-Length: 2574 – access to the Netwave make IP cameras.
  19. 200 ok dvr port:"81" – DVR CCTV cameras accessible via HTTP.
  20. WVC80N – Linksys WVC80N cameras.

 

Explore further by these tags:

WEBCAM: https://www.shodan.io/explore/tag/webcam

CAM: https://www.shodan.io/explore/tag/cam 

CAMERA: https://www.shodan.io/explore/tag/camera

VOIP communication devices

  1. device:"voip" – general search for Voice over IP devices.
  2. device:"voip phone" – more specific search for anything VoIP containing a “phone” keyword.
  3. server: snom – Snom is a VoIP provider with some legacy devices online.
  4. "snom embedded 200 OK" – Snom devices with enabled authentication.
  5. AddPac – an older VoIP provider, nearly exclusively legacy devices.
  6. mcu: tandberg – Tandberg is a hardware manufacturer of multi-point control units for video conferencing.
  7. title:"polycom" – Polycom is another VoIP communication brand.
  8. title:"openstage" – Siemens Openstage brand IP phones.
  9. 39 voip – some more VoIP services, mostly behind login screens.
  10. Server: MSOS/2.0 mawebserver/1.1 – VoIP media gateway, commonly used by services such as Patton SN4112 FXO.

 

Explore further by the VOIP tag: https://www.shodan.io/explore/tag/voip

Database searches

  1. product:MySQL – broad search for MySQL databases.
  2. mongodb port:27017 – MongoDB databases on their default port. Unsecured by default.
  3. "MongoDB Server Information" port:27017 – another variation of the above search.
  4. "MongoDB Server Information { "metrics":" – fully open MongoDBs.
  5. "Set-Cookie: mongo-express=" "200 OK" – MongoDB open databases.
  6. kibana content-length:217 – Kibana dashboards accessible without authentication.
  7. port:"9200" all:elastic – Elasticsearch open databases.
  8. port:5432 PostgreSQL – remote connections to PostgreSQL servers.
  9. product:"CouchDB" – Apache CouchDB databases listed.
  10. port:"5984"+Server: "CouchDB/2.1.0" – vulnerable CouchDB where remote code execution may be possible.

 

Explore further by the DATABASE tag: https://www.shodan.io/explore/tag/database 

Maritime devices

  1. maritime – general search for anything related to maritime devices.
  2. sailor – another wide search, could yield unrelated results!
  3. org:marlink – general search; Marlink is the world’s largest maritime satellite communications provider.
  4. satcom – another maritime satellite communications services provider.
  5. inmarsat – as above, but a slightly less known equipment vendor.
  6. vsat – abbreviation for “very-small-aperture terminal”, a data transmitter / receiver commonly used by maritime vessels.
  7. ECDIS – abbreviation for Electronic Chart Display and Information Systems, used in navigation and autopilot systems.
  8. uhp vsat terminal software -password – satellite network router without a password.
  9. ssl:"Cobham SATCOM" – maritime radio and locations systems.
  10. title:"Slocum Fleet Mission Control" – maritime mission control software.

 

Explore further by the VSAT tag: https://www.shodan.io/explore/tag/vsat

Files & directories

  1. http.title:"Index of /" – open lists of files and directories on various servers.
  2. port:80 title:"Index of /" – slight variation of the above, note how the results might differ.
  3. "220" "230 Login successful." port:21 – FTP resources potentially accessible without login credentials.
  4. 230 'anonymous@' login ok – anonymous login allowed to FTP resources.
  5. "Anonymous+access+allowed" port:"21" – as above.
  6. vsftpd 2.3.4 – legacy Linux-based FTP service with a widely known security vulnerability.
  7. ftp port:"10000" – Network Data Management Protocol (NDMP), used for backup of network-attached storage (NAS) devices.
  8. "Authentication: disabled" port:445 product:"Samba" – SMB file sharing.
  9. "QuickBooks files OverNetwork" -unix port:445 – default settings for sharing QuickBooks files.
  10. filezilla port:"21" – popular file sharing software FileZilla.

 

Explore further by these tags:

FTP: https://www.shodan.io/explore/tag/ftp

SMB: https://www.shodan.io/explore/tag/smb 

Legacy Windows operating systems

  1. os:"Windows 5.0" – Windows 2000; support ended in 2010.
  2. os:"Windows 5.1" – Windows XP; support ended in 2014.
  3. os:Windows 2003 – Windows Server 2003; support ended in 2015.
  4. os:"Windows Vista" – Windows Vista; support ended in 2017.
  5. os:Windows 2008 – Windows Server 2008; support ended in 2020.
  6. os:"Windows 7" – Windows 7; support ended in 2020.
  7. os:"Windows 8" – Windows 8; support ended in 2016.
  8. os:Windows 2011 – Windows Home Server 2011; support ended in 2016.
  9. os:"Windows 8.1" – Windows 8.1; support ended in 2018.
  10. os:Windows 2012 – Windows Server 2012; support ended in 2018.

 

Explore further by the WINDOWS tag: https://www.shodan.io/explore/tag/windows

Default / generic credentials

  1. admin 1234 – very basic, insecure credentials.
  2. "default password" – speaks for itself…
  3. test test port:"80" – generic test credentials over HTTP.
  4. "authentication disabled" "RFB 003.008" – no authentication necessary.
  5. "root@" port:23 -login -password -name -Session – accounts already logged in with root privileges over Telnet, port 23.
  6. port:23 console gateway – remote access via Telnet, no password required.
  7. html:"def_wirelesspassword" – default login pages for routers.
  8. "polycom command shell" – possible authentication bypass to Polycom devices.
  9. "authentication disabled" port:5900,5901 – VNC services without authentication.
  10. "server: Bomgar" "200 OK" – Bomgar remote support service.

 

Explore further by the VNC tag: https://www.shodan.io/explore/tag/vnc
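
To check hosts you are responsible for against the banner markers these queries rely on, the following added example (not part of the original post) matches locally collected banners against several queries from this page, including the negated terms of the root@ Telnet query. The record layout, the issue labels, the 192.0.2.x sample banners and the case-insensitive substring matching (Shodan itself matches on tokens) are assumptions.

```python
from typing import NamedTuple

class Signature(NamedTuple):
    issue: str
    ports: frozenset
    required: tuple        # every term must appear in the banner
    excluded: tuple = ()   # none may appear (the query's -term filters)

# Terms and ports are copied from queries on this page; issue labels are added here.
SIGNATURES = (
    Signature("VNC without authentication", frozenset({5900, 5901}), ("authentication disabled",)),
    Signature("FTP login succeeded without credentials", frozenset({21}), ("220", "230 Login successful.")),
    Signature("Telnet session already at a root prompt", frozenset({23}),
              ("root@",), ("login", "password", "name", "Session")),
    Signature("Telnet device with no password set", frozenset({23}), ("Password is not set",)),
    Signature("Samba with authentication disabled", frozenset({445}), ("Authentication: disabled",)),
    Signature("MongoDB server info readable", frozenset({27017}), ("MongoDB Server Information",)),
)

def audit(records):
    """Return (host, port, issue) for each banner that matches a signature."""
    findings = []
    for rec in records:
        banner = (rec.get("banner") or "").lower()   # tolerate missing banners
        for sig in SIGNATURES:
            if rec.get("port") not in sig.ports:
                continue
            hit = all(term.lower() in banner for term in sig.required)
            blocked = any(term.lower() in banner for term in sig.excluded)
            if hit and not blocked:
                findings.append((rec["host"], rec["port"], sig.issue))
    return findings

# Constructed sample: banners as they might be collected from your own address space.
SAMPLE = [
    {"host": "192.0.2.10", "port": 5900, "banner": "RFB 003.008\nAuthentication disabled"},
    {"host": "192.0.2.11", "port": 5900, "banner": "RFB 003.008\nSecurity types: VNC Authentication"},
    {"host": "192.0.2.20", "port": 21, "banner": "220 (vsFTPd 3.0.3)\n230 Login successful."},
    {"host": "192.0.2.21", "port": 21, "banner": "220 ProFTPD Server\n530 Login incorrect."},
    {"host": "192.0.2.30", "port": 23, "banner": "root@gateway:~# "},
    {"host": "192.0.2.31", "port": 23, "banner": "Ubuntu 20.04\nrouter login: "},
    {"host": "192.0.2.32", "port": 23, "banner": "Last login by root@console\nPassword: "},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Host 192.0.2.32 contains root@ but is not flagged, because the excluded terms show it is still sitting at a login or password prompt rather than an open shell.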

Printers

  1. printer – general search for printers.
  2. "HP-ChaiSOE" port:"80" – HP LaserJet printers accessible through HTTP.
  3. title:"syncthru web service" – older Samsung printers, not secured by default.
  4. "Location: /main/main.html" debut – admin pages of Brother printers, not secured.
  5. port:161 hp – HP printers that can be restarted remotely via port 161.
  6. port:23 "Password is not set" – open access via Telnet to printers without set passwords.
  7. "Laser Printer FTP Server" – printers accessible via FTP with anonymous login allowed.
  8. Printer Type: Lexmark – access to control panels for Lexmark make printers.
  9. http 200 server epson -upnp – HTTP accessible Epson printers.
  10. "Server: EPSON-HTTP" "200 OK" – another variation of the above search.
  11. ssl:"Xerox Generic Root" – remote access to Xerox printers.
  12. "Server: CANON HTTP Server" – Canon printer servers through HTTP connection.

 

Explore further by these tags:

PRINTER: https://www.shodan.io/explore/tag/printer

PRINTERS: https://www.shodan.io/explore/tag/printers

PRINT SERVER: https://www.shodan.io/explore/tag/print%20server 

Compromised devices and websites

  1. hacked – general search for the ‘hacked’ label.
  2. "hacked by" – another variation of the above search.
  3. http.title:"Hacked by" – another variation of the same search filter.
  4. http.title:"0wn3d by" – resources labelled as ‘owned’ by a threat agent, hacker group, etc.
  5. "HACKED-ROUTER" – compromised routers, labelled accordingly.
  6. port:"27017" "send_bitcoin_to_retrieve_the_data" – databases affected by ransomware, with the ransom demand still associated with them.
  7. bitcoin has_screenshot:true – searches for the ‘bitcoin’ keyword, where a screenshot is present (useful for RDP screens of endpoints infected with ransomware).
  8. port:4444 system32 – compromised legacy operating systems. Port 4444 is the default port for Meterpreter – a Metasploit attack payload with an interactive shell for remote code execution.
  9. "attention"+"encrypted"+port:3389 – ransomware infected RDP services.
  10. "HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD" – compromised hosts with the name changed to that phrase.
  11. "HACKED FTP server" – compromised FTP servers.

 

Explore further by the HACKED tag: https://www.shodan.io/explore/tag/hacked 

Miscellaneous

  1. solar – controls for solar panels and similar solar devices.
  2. "ETH - Total speed" – Ethereum cryptocurrency miners.
  3. http.html:"* The wp-config.php creation script uses this file" – misconfigured WordPress websites.
  4. http.title:"Nordex Control" – searches for Nordex wind turbine farms.
  5. "Server: EIG Embedded Web Server" "200 Document follows" – EIG electricity meters.
  6. "DICOM Server Response" port:104 – DICOM medical machinery.
  7. http.title:"Tesla" – anything with the term “Tesla” in the banner.
  8. "in-tank inventory" port:10001 – petrol pumps, including their physical addresses.
  9. http.title:"dashboard" – literally anything labelled ‘dashboard’, with many not accessible due to security by default.
  10. http.title:"control panel" – as above, but whatever is labelled as control panels.
