Skip to content

readme.md

Latest commit

Β 

History

History
1140 lines (667 loc) Β· 29.1 KB

readme.md

File metadata and controls

1140 lines (667 loc) Β· 29.1 KB

Awesome Shodan break the internet

You can assume these queries only return unsecured/open instances when possible. For your own legal benefit, do not attempt to login (even with default passwords) if they aren't! Narrow down results by adding filters like country:US or org:"Harvard University" or hostname:"nasa.gov" to the end.

The world and its devices are quickly becoming more connected through the shiny new Internet of Things Sh*t β€” and exponentially more dangerous as a result. To that end, I hope this list spreads awareness (and, quite frankly, pant-wetting fear) rather than harm.

MikroTik

FTP server (MikroTik 7.19.3) ready
MikroTik RouterOS:
\x05!done%=ret=40a146c20421aa031d27849bc899b5fb\x00 port:8728
RouterOS

companies XD

mbvit

oracle

Oracle-HTTP-Server
Server: Oracle-Application-Server-10g

net app

(NetApp/5.3.1R3)
Server: NetCache appliance

unique telnet etc

*  Welcome to D-Link Print Server  * * Telnet Console *
HiPath 5 Telnet

inventory systems

INVENTORY REPORT  TANK   PRODUCT

"Tanker Network"

inventory systems

"PHP/8.2.28"

version queries

Integrated Operating System.  

Device Model                             ]

Hardware version
V1.1                                  

Firmware version 
V2

Confidential computer software


Software revision WC.16.11.0018
Confidential computer software

The GPON OLT (Optical Line Terminal) is a key component responsible for connecting the Optical Distribution Network (

Device Model     : GPON OLT

just why the uwu of the internet

"uwu" product:"Jellyfin"

abunch of ssh any port you want use it in filter
"uwu"

cpanel

Server: CradlepointHTTPService/1.0.0



### pragma

"Pragma: public" "Pragma: private"

### sip

SIP/2.0 200 OK Via: SIP -4 Call-ID: Accept: application/sdp,

### xiaomi

xiaomi -Unauthorized Xiaomi IoT: -Unauthorized

apache

"Server: Apache/2.4" "200"

proxy


"HTTP/1.0 407 Proxy Authentication Required"
"Proxy-Authenticate:"
"realm="proxy"" -Unauthorized -Bad -Forbidden
"realm=proxy" -Unauthorized -Bad -Forbidden
"realm=login" -Unauthorized -Bad -Forbidden
"proxy"  "CONNECTION: keep-alive" -Unauthorized
Proxy-Authenticate: Basic realm="Invalid proxy credentials or missing IP Authorization."
Proxy-Authenticate: "CONNECTION: keep-alive" -Tinyproxy -Unauthorized
"Proxy-Authenticate: Basic realm=Proxy Manager"
Proxy-Authenticate: Basic realm="Luminati"

open search

"  X-OpenSearch-Version:" "200 OK"

file size

"  Total Size: "

elastic

"  gl-events_"

wazuh security

"   wazuh-alerts"
wazuh
wazuh "HTTP/1.1 200 OK"

Prometheus Node Exporter

"200" product:"Prometheus Node Exporter"

everything open in china

CONNECTION: keep-alive country:"CN"

open chineses cameras ?

DH-NVR  ###closed
DH-NVR CONNECTION: keep-alive

cooling systems

Product Chilling Mode Chilling Glycol Product

water reservoir

ad SUCTION RESERVOIR

ftp test servers

220-test

less honeypots and troll open vnc

"authentication disabled" "RFB 003.008" -FictusVNC -Who -QEMU -HAWK  -fixtux -VeNCrypt -x11

less honeypots and troll open vnc for critical infrastructure


"authentication disabled" "RFB 003.008" -FictusVNC -Who -QEMU -HAWK -fixtux  -VeNCrypt -x11 " Server Name: PanelView VNC Server"

Random accidents and flaws

product:" bandwidth-test server"

Random accidents and flaws

202 Accepted product:"Apache httpd"

PriSmart china

202 Accepted product:"Jetty"

the "201 created" code or response

"201 created"

spotify-connect:

mDNS  mDNS:   services:     41800/tcp spotify-connect:

418 I'm a teapot

418

IMAP4 IMAP4rev ??

"authenticated" -not-authenticated "* CAPABILITY "

WebKredit on windows 10

"authenticated" -not-authenticated "Server: Microsoft-IIS/10.0"

passbolt foss

"authenticated" -not-authenticated product:"nginx"

router telnets

port:23 "welcome"
port:23 " Model:"
port:23 " Please keyin your password:"
port:23 " Firmware version : "
port:23 " Welcome to the Windows CE Telnet Service"
port:23 " Integrated Operating System.   "
port:23 " MiiNePort "
port:23 " MAXFIBER "
port:23 "Welcome To Drcom NOS"
port:23 "Welcome to DZS"
port:23 "zlm60 "
port:23 "Welcome Visiting Huawei Home Gateway"
port:23 "Huawei TERMINAL Multi-service Distribution Module"
port:23 "2006 Huawei Technologies"
port:23 "Welcome to ZXR10 Carrier-Class High-end"
port:23 "CCCC"
port:23 " DASAN Zhone Solutions"
port:23 " help"
port:23 " Available Commands:"
port:23 "Enco control Telnet"
port:23 " AXTEL S.A. de C.V."
port:23 "User Access Verification"
port:23 "CC\r\n\r\n***************************************************************************\r\n*"
port:23 "Cliente:"
port:23 " Telecom Italia"
port:23 "Gaia4"
port:23 " SAS" country:"IT"
port:23 " TiMOS"
port:23 " Esta conectado"
port:23 "(none) login:"
port:23 "kernel" "CentOS "
port:23 "Ingenic linux machine"
port:23 "Windows users "
port:23 "kernel" country:"RU"

GreasySpoon

X-Include: X-Client-IP, X-Authenticated-Groups, X-Authenticated-User, X-Subscriber-Id

Industrial Control Systems

Samsung Electronic Billboards πŸ”Ž β†’

"Server: Prismview Player"
Example: Electronic Billboards

Gas Station Pump Controllers πŸ”Ž β†’

"in-tank inventory" port:10001
Example: Gas Station Pump Inventories

Automatic License Plate Readers πŸ”Ž β†’

P372 "ANPR enabled"
Example: Automatic License Plate Reader

Traffic Light Controllers / Red Light Cameras πŸ”Ž β†’

mikrotik streetlight

the best query so far

"test "

camera's ipv6


port:554 has_ipv6:true "200 ok"

Voting Machines in the United States πŸ”Ž β†’

"voter system serial" country:US

Telcos Running Cisco Lawful Intercept Wiretaps πŸ”Ž β†’

"Cisco IOS" "ADVIPSERVICESK9_LI-M"

Wiretapping mechanism outlined by Cisco in RFC 3924:

Lawful intercept is the lawfully authorized interception and monitoring of communications of an intercept subject. The term "intercept subject" [...] refers to the subscriber of a telecommunications service whose communications and/or intercept related information (IRI) has been lawfully authorized to be intercepted and delivered to some agency.

Prison Pay Phones πŸ”Ž β†’

"[2J[H Encartele Confidential"

Tesla PowerPack Charging Status πŸ”Ž β†’

http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
Example: Tesla PowerPack Charging Status

Electric Vehicle Chargers πŸ”Ž β†’

"Server: gSOAP/2.8" "Content-Length: 583"

Maritime Satellites πŸ”Ž β†’

Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!

"Cobham SATCOM" OR ("Sailor" "VSAT")
Example: Maritime Satellites

Submarine Mission Control Dashboards πŸ”Ž β†’

title:"Slocum Fleet Mission Control"

CAREL PlantVisor Refrigeration Units πŸ”Ž β†’

"Server: CarelDataServer" "200 Document follows"
Example: CAREL PlantVisor Refrigeration Units

Nordex Wind Turbine Farms πŸ”Ž β†’

http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"

C4 Max Commercial Vehicle GPS Trackers πŸ”Ž β†’

"[1m[35mWelcome on console"
Example: C4 Max Vehicle GPS

DICOM Medical X-Ray Machines πŸ”Ž β†’

Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.

"DICOM Server Response" port:104

GaugeTech Electricity Meters πŸ”Ž β†’

"Server: EIG Embedded Web Server" "200 Document follows"
Example: GaugeTech Electricity Meters

Siemens Industrial Automation πŸ”Ž β†’

"Siemens, SIMATIC" port:161

Siemens HVAC Controllers πŸ”Ž β†’

"Server: Microsoft-WinCE" "Content-Length: 12581"

Door / Lock Access Controllers πŸ”Ž β†’

"HID VertX" port:4070

""Name: VertX_EVO_V1000"  "
""EdgeEH400"  "
" door controller:  "
"AXIS A1001 Network Door "

Railroad Management πŸ”Ž β†’

"log off" "select the appropriate"

Remote Desktop

Unprotected VNC πŸ”Ž β†’

"authentication disabled" "RFB 003.008"

Shodan Images is a great supplementary tool to browse screenshots, by the way! πŸ”Ž β†’

Example: Unprotected VNC
The first result right now. 😞

Windows RDP πŸ”Ž β†’

99.99% are secured by a secondary Windows login screen.

"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"

ssh

port:22  "200 ok"

port:22 has_ipv6:true "200 ok"

Network Infrastructure

Weave Scope Dashboards πŸ”Ž β†’

Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.

title:"Weave Scope" http.favicon.hash:567176827
Example: Weave Scope Dashboards

MongoDB πŸ”Ž β†’

Older versions were insecure by default. Very scary.

"MongoDB Server Information" port:27017 -authentication
Example: MongoDB

Mongo Express Web GUI πŸ”Ž β†’

Like the infamous phpMyAdmin but for MongoDB.

"Set-Cookie: mongo-express=" "200 OK"
Example: Mongo Express GUI

Jenkins CI πŸ”Ž β†’

"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
Example: Jenkins CI

Docker APIs πŸ”Ž β†’

"Docker Containers:" port:2375

Docker Private Registries πŸ”Ž β†’

"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab

Pi-hole Open DNS Servers πŸ”Ž β†’

"dnsmasq-pi-hole" "Recursion: enabled"

Already Logged-In as root via Telnet πŸ”Ž β†’

"root@" port:23 -login -password -name -Session

Android Root Bridges πŸ”Ž β†’

A tangential result of Google's sloppy fractured update approach. πŸ™„ More information here.

"Android Debug Bridge" "Device" port:5555

Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords πŸ”Ž β†’

Lantronix password port:30718 -secured

Citrix Virtual Apps πŸ”Ž β†’

"Citrix Applications:" port:1604
Example: Citrix Virtual Apps

Cisco Smart Install πŸ”Ž β†’

Vulnerable (kind of "by design," but especially when exposed).

"smart install client active"

PBX IP Phone Gateways πŸ”Ž β†’

PBX "gateway console" -password port:23

Polycom Video Conferencing πŸ”Ž β†’

http.title:"- Polycom" "Server: lighttpd"

Telnet Configuration: πŸ”Ž β†’

"Polycom Command Shell" -failed port:23
Example: Polycom Video Conferencing

Bomgar Help Desk Portal πŸ”Ž β†’

"Server: Bomgar" "200 OK"

Intel Active Management CVE-2017-5689 πŸ”Ž β†’

"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995

HP iLO 4 CVE-2017-12542 πŸ”Ž β†’

HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900

Outlook Web Access:

Exchange 2007 πŸ”Ž β†’

"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"
Example: OWA for Exchange 2007

Exchange 2010 πŸ”Ž β†’

"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392
Example: OWA for Exchange 2010

Exchange 2013 / 2016 πŸ”Ž β†’

"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"
Example: OWA for Exchange 2013/2016

Lync / Skype for Business πŸ”Ž β†’

"X-MS-Server-Fqdn"

Network Attached Storage (NAS)

SMB (Samba) File Shares πŸ”Ž β†’

Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.

"Authentication: disabled" port:445

Specifically domain controllers: πŸ”Ž β†’

"Authentication: disabled" NETLOGON SYSVOL -unix port:445

Concerning default network shares of QuickBooks files: πŸ”Ž β†’

"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445

FTP Servers with Anonymous Login πŸ”Ž β†’

"220" "230 Login successful." port:21

port:21 "IPv6" "220" "230 Login successful."

port:21 "welcome to the" "220" "230 Login successful."

port:21 "welcome to " "220" "230 Login successful."

port:21 "welcome to asus" "220" "230 Login successful."

port:21 "welcome to tp" "220" "230 Login successful."

port:21 "welcome to my" "220" "230 Login successful."

port:21 "private" "220" "230 Login successful."

port:21 "ext.1" "220" "230 Login successful."

port:21 "ext.3" "220" "230 Login successful."

port:21 "porn" "220" "230 Login successful."

port:21 "you" "220" "230 Login successful."

port:21 " legacy FTP " "220" "230 Login successful."

port:21 "German " "220" "230 Login successful."

port:21 "south africa " "220" "230 Login successful."

port:21 "admin " "220" "230 Login successful."

port:21 " compromised " "220" "230 Login successful."

port:21 " owned " "220" "230 Login successful."

port:21 " y?? " "220" "230 Login successful."

port:21 " database" "220" "230 Login successful."

port:21 " FORBIDDEN " "220" "230 Login successful."

port:21 "  do not " "220" "230 Login successful."

port:21 " live" "220" "230 Login successful."

port:21 " prod " "220" "230 Login successful."

port:21 " test " "220" "230 Login successful."

port:21 " temporary  " "220" "230 Login successful."

port:21 " FileZilla Server " "220" "230 Login successful." 

port:21 " door" "220" "230 Login successful."

port:21 "Computers & Control" "220" "230 Login successful."

port:21 "Computers " "220" "230 Login successful."

port:21 "Welcome to open" "220" "230 Login successful."

port:21 "Welcome to our" "220" "230 Login successful."

port:21 "jap" "220" "230 Login successful."

port:21 " research " "220" "230 Login successful."

port:21 "  storage" "220" "230 Login successful."

port:21 "  archive" "220" "230 Login successful."

port:21 "  To upload an " "220" "230 Login successful."

port:21 "  upload " "220" "230 Login successful."

port:21 " ware " "220" "230 Login successful."

port:21 "/upload " "220" "230 Login successful."

port:21 "/download " "220" "230 Login successful."

port:21 " Foundation " "220" "230 Login successful."

port:21 " /file " "220" "230 Login successful."

port:21 " dna" "220" "230 Login successful."

port:21 "home" "220" "230 Login successful."

port:21 " Control " "220" "230 Login successful."

port:21 " InterNIC " "220" "230 Login successful."

port:21 " /pub/FreeBSD " "220" "230 Login successful."

port:21 " /pub/ " "220" "230 Login successful."

port:21 " pub/CentOS" "220" "230 Login successful."

Iomega / LenovoEMC NAS Drives πŸ”Ž β†’

"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"
Example: Iomega / LenovoEMC NAS Drives

Buffalo TeraStation NAS Drives πŸ”Ž β†’

Redirecting sencha port:9000
Example: Buffalo TeraStation NAS Drives

Logitech Media Servers πŸ”Ž β†’

"Server: Logitech Media Server" "200 OK"
Example: Logitech Media Servers

Plex Media Servers πŸ”Ž β†’

"X-Plex-Protocol" "200 OK" port:32400

Tautulli / PlexPy Dashboards πŸ”Ž β†’

"CherryPy/5.1.0" "/home"
Example: PlexPy / Tautulli Dashboards

Webcams

Example images not necessary. 🀦

Yawcams πŸ”Ž β†’

"Server: yawcam" "Mime-Type: text/html"

webcamXP/webcam7 πŸ”Ž β†’

("webcam 7" OR "webcamXP") http.component:"mootools" -401

Android IP Webcam Server πŸ”Ž β†’

"Server: IP Webcam Server" "200 OK"

Security DVRs πŸ”Ž β†’

html:"DVR_H264 ActiveX"

Printers & Copiers:

HP Printers πŸ”Ž β†’

"Serial Number:" "Built:" "Server: HP HTTP"
Example: HP Printers

Xerox Copiers/Printers πŸ”Ž β†’

ssl:"Xerox Generic Root"
Example: Xerox Copiers/Printers

Epson Printers πŸ”Ž β†’

"SERVER: EPSON_Linux UPnP" "200 OK"

"Server: EPSON-HTTP" "200 OK"
Example: Epson Printers

Canon Printers πŸ”Ž β†’

"Server: KS_HTTP" "200 OK"

"Server: CANON HTTP Server"
Example: Canon Printers

Home Devices

Yamaha Stereos πŸ”Ž β†’

"Server: AV_Receiver" "HTTP/1.1 406"
Example: Yamaha Stereos

Apple AirPlay Receivers πŸ”Ž β†’

Apple TVs, HomePods, etc.

"\x08_airplay" port:5353

Chromecasts / Smart TVs πŸ”Ž β†’

"Chromecast:" port:8008

Crestron Smart Home Controllers πŸ”Ž β†’

"Model: PYNG-HUB"

Random Stuff

OctoPrint 3D Printer Controllers πŸ”Ž β†’

title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944
Example: OctoPrint 3D Printers

Etherium Miners πŸ”Ž β†’

"ETH - Total speed"
Example: Etherium Miners

Apache Directory Listings πŸ”Ž β†’

Substitute .pem with any extension or a filename like phpinfo.php.

http.title:"Index of /" http.html:".pem"

Misconfigured WordPress πŸ”Ž β†’

Exposed wp-config.php files containing database credentials.

http.html:"* The wp-config.php creation script uses this file"

Too Many Minecraft Servers πŸ”Ž β†’

"Minecraft Server" "protocol 340" port:25565

Literally Everything in North Korea πŸ‡°πŸ‡΅ πŸ”Ž β†’

net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24

TCP Quote of the Day πŸ”Ž β†’

Port 17 (RFC 865) has a bizarre history...

port:17 product:"Windows qotd"

Find a Job Doing This! πŸ‘©β€πŸ’Ό πŸ”Ž β†’

"X-Recruiting:"

If you've found any other juicy Shodan gems, whether it's a search query or a specific example, definitely drop a comment on the blog or open an issue/PR here on GitHub.

Bon voyage, fellow penetrators! πŸ˜‰

License

CC0

To the extent possible under law, Jake Jarvis has waived all copyright and related or neighboring rights to this work.

Mirrored from a blog post at https://jarv.is/notes/shodan-search-queries/.