Jarvs Blog
Over time, I've collected an assortment of interesting, funny, and depressing search queries to plug into Shodan, the (literal) internet search engine. Some return facepalm-inducing results, while others return serious and/or ancient vulnerabilities in the wild.
Most search filters require a Shodan account.
You can assume these queries only return unsecured/open instances when possible. For your own legal benefit, do not attempt to log in (even with default passwords) if they aren't! Narrow down results by adding filters like country:US, org:"Harvard University", or hostname:"nasa.gov" to the end.
The world and its devices are quickly becoming more connected through the shiny new Internet of Things Sh*t — and exponentially more dangerous as a result. To that end, I hope this list spreads awareness (and, quite frankly, pant-wetting fear) rather than harm.
And as always, discover and disclose responsibly! 🤓
Industrial Control Systems
Samsung Electronic Billboards
"Server: Prismview Player"
Gas Station Pump Controllers
"in-tank inventory" port:10001
Automatic License Plate Readers
Traffic Light Controllers / Red Light Cameras
Voting Machines in the United States
"voter system serial" country:US
"Cisco IOS" "ADVIPSERVICESK9_LI-M"
Wiretapping mechanism outlined by Cisco in RFC 3924:
Lawful intercept is the lawfully authorized interception and monitoring of communications of an intercept subject. The term "intercept subject" [...] refers to the subscriber of a telecommunications service whose communications and/or intercept related information (IRI) has been lawfully authorized to be intercepted and delivered to some agency.
"[2J[H Encartele Confidential"
http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
Electric Vehicle Chargers
"Server: gSOAP/2.8" "Content-Length: 583"
Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!
"Cobham SATCOM" OR ("Sailor" "VSAT")
Submarine Mission Control Dashboards
title:"Slocum Fleet Mission Control"
"Server: CarelDataServer" "200 Document follows"
http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"
C4 Max Commercial Vehicle GPS Trackers
"[1m[35mWelcome on console"
DICOM Medical X-Ray Machines
Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.
"DICOM Server Response" port:104
"Server: EIG Embedded Web Server" "200 Document follows"
Siemens Industrial Automation
"Siemens, SIMATIC" port:161
Siemens HVAC Controllers
"Server: Microsoft-WinCE" "Content-Length: 12581"
Door / Lock Access Controllers
"HID VertX" port:4070
"log off" "select the appropriate"
Remote Desktop
"authentication disabled" "RFB 003.008"
Shodan Images is a great supplementary tool to browse screenshots, by the way!
99.99% are secured by a secondary Windows login screen.
"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"
Network Infrastructure
Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.
title:"Weave Scope" http.favicon.hash:567176827
Older versions were insecure by default. Very scary.
"MongoDB Server Information" port:27017 -authentication
Like the infamous phpMyAdmin but for MongoDB.
"Set-Cookie: mongo-express=" "200 OK"
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
"Docker Containers:" port:2375
Docker Private Registries
"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab
"dnsmasq-pi-hole" "Recursion: enabled"
Already Logged-In as root via Telnet
"root@" port:23 -login -password -name -Session
A tangential result of Google's sloppy, fractured update approach. 🙄
"Android Debug Bridge" "Device" port:5555
Lantronix password port:30718 -secured
"Citrix Applications:" port:1604
Vulnerable (kind of "by design," but especially when exposed).
"smart install client active"
PBX IP Phone Gateways
PBX "gateway console" -password port:23
http.title:"- Polycom" "Server: lighttpd"
Telnet Configuration:
"Polycom Command Shell" -failed port:23
"Server: Bomgar" "200 OK"
"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995
HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900
Outlook Web Access:
"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"
"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392
"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"
Lync / Skype for Business
Network Attached Storage (NAS)
SMB (Samba) File Shares
Produces ~500,000 results... narrow down by adding "Documents" or "Videos", etc.
"Authentication: disabled" port:445
Specifically domain controllers:
"Authentication: disabled" NETLOGON SYSVOL -unix port:445
Concerning default network shares of QuickBooks files:
"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445
FTP Servers with Anonymous Login
"220" "230 Login successful." port:21
Iomega / LenovoEMC NAS Drives
"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"
Buffalo TeraStation NAS Drives
Redirecting sencha port:9000
Logitech Media Servers
"Server: Logitech Media Server" "200 OK"
"X-Plex-Protocol" "200 OK" port:32400
"CherryPy/5.1.0" "/home"
Webcams
Example images not necessary. 🤦
"Server: yawcam" "Mime-Type: text/html"
("webcam 7" OR "webcamXP") http.component:"mootools" -401
Android IP Webcam Server
"Server: IP Webcam Server" "200 OK"
html:"DVR_H264 ActiveX"
Printers & Copiers:
"Serial Number:" "Built:" "Server: HP HTTP"
Xerox Copiers/Printers
ssl:"Xerox Generic Root"
"SERVER: EPSON_Linux UPnP" "200 OK"
"Server: EPSON-HTTP" "200 OK"
"Server: KS_HTTP" "200 OK"
"Server: CANON HTTP Server"
Home Devices
"Server: AV_Receiver" "HTTP/1.1 406"
Apple AirPlay Receivers
Apple TVs, HomePods, etc.
"\x08_airplay" port:5353
Chromecasts / Smart TVs
"Chromecast:" port:8008
Random Stuff
OctoPrint 3D Printer Controllers
title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944
Apache Directory Listings
Substitute .pem with any extension or a filename like phpinfo.php.
http.title:"Index of /" http.html:".pem"
Misconfigured WordPress
Exposed wp-config.php files containing database credentials.
http.html:"* The wp-config.php creation script uses this file"
Too Many Minecraft Servers
"Minecraft Server" "protocol 340" port:25565
Literally Everything in North Korea 🇰🇵
net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24
Port 17 (RFC 865) has a bizarre history...
port:17 product:"Windows qotd"
Find a Job Doing This! 👩💼
If you've found any other juicy Shodan gems, whether it's a search query or a specific example, definitely drop a comment on the blog or open an issue/PR here on GitHub.
Bon voyage, fellow penetrators! 😉
License
To the extent possible under law, Jake Jarvis has waived all copyright and related or neighboring rights to this work.
Mirrored from a blog post at https://jarv.is/notes/shodan-search-queries/.