jarv.is/content/notes/shodan-search-queries/index.md

title, date, description, tags, image, draft

title	date	description	tags	image	draft
Fascinating & Frightening Shodan Search Queries (AKA: The Internet of Sh*t)	2019-09-19 09:56:10-0400	I've collected some interesting and scary search queries for Shodan, the internet-of-things search engine. Some return fun results, while others return serious vulnerabilities.	Infosec Pentesting Shodan Internet of Things Dorking	shodan.png	false

Star   Issue

Over time, I've collected an assortment of interesting, funny, and depressing search queries to plug into Shodan, the (literal) internet search engine. Some return facepalm-inducing results, while others return serious and/or ancient vulnerabilities in the wild.

Most search filters require a Shodan account.

You can assume these queries only return unsecured/open instances when possible. For your own legal benefit, do not attempt to login (even with default passwords) if they aren't! Narrow down results by adding filters like country:US or org:"Harvard University" or hostname:"nasa.gov" to the end.

The world and its devices are quickly becoming more connected through the shiny new Internet of Things Sh*t --- and exponentially more dangerous as a result. To that end, I hope this list spreads awareness (and, quite frankly, pant-wetting fear) rather than harm.

And as always, discover and disclose responsibly! 😊

---

Table of Contents:

• Industrial Control Systems
• Remote Desktop
• Network Infrastructure
• Network Attached Storage (NAS)
• Webcams
• Printers & Copiers
• Home Devices
• Random Stuff

---

Industrial Control Systems:

Samsung Electronic Billboards 🔎 →

"Server: Prismview Player"

{{< image src="images/billboard3.png" width="450" alt="Example: Electronic Billboards" >}}

Gas Station Pump Controllers 🔎 →

"in-tank inventory" port:10001

{{< image src="images/7-11.png" width="600" alt="Example: Gas Station Pump Inventories" >}}

Automatic License Plate Readers 🔎 →

P372 "ANPR enabled"

{{< image src="images/plate-reader.png" width="680" alt="Example: Automatic License Plate Reader" >}}

Traffic Light Controllers / Red Light Cameras 🔎 →

mikrotik streetlight

Voting Machines in the United States 🔎 →

"voter system serial" country:US

Telcos Running Cisco Lawful Intercept Wiretaps 🔎 →

"Cisco IOS" "ADVIPSERVICESK9_LI-M"

Wiretapping mechanism outlined by Cisco in RFC 3924:

Lawful intercept is the lawfully authorized interception and monitoring of communications of an intercept subject. The term "intercept subject" [...] refers to the subscriber of a telecommunications service whose communications and/or intercept related information (IRI) has been lawfully authorized to be intercepted and delivered to some agency.

Prison Pay Phones 🔎 →

"[2J[H Encartele Confidential"

Tesla PowerPack Charging Status 🔎 →

http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2

{{< image src="images/tesla.png" alt="Example: Tesla PowerPack Charging Status" >}}

Electric Vehicle Chargers 🔎 →

"Server: gSOAP/2.8" "Content-Length: 583"

Maritime Satellites 🔎 →

Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!

"Cobham SATCOM" OR ("Sailor" "VSAT")

{{< image src="images/sailor-vsat.png" width="700" alt="Example: Maritime Satellites" >}}

Submarine Mission Control Dashboards 🔎 →

title:"Slocum Fleet Mission Control"

CAREL PlantVisor Refrigeration Units 🔎 →

"Server: CarelDataServer" "200 Document follows"

{{< image src="images/refrigeration.png" alt="Example: CAREL PlantVisor Refrigeration Units" >}}

Nordex Wind Turbine Farms 🔎 →

http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"

C4 Max Commercial Vehicle GPS Trackers 🔎 →

"[1m[35mWelcome on console"

{{< image src="images/c4max.png" alt="Example: C4 Max Vehicle GPS" >}}

DICOM Medical X-Ray Machines 🔎 →

Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.

"DICOM Server Response" port:104

GaugeTech Electricity Meters 🔎 →

"Server: EIG Embedded Web Server" "200 Document follows"

{{< image src="images/power-gaugetech.png" width="500" alt="Example: GaugeTech Electricity Meters" >}}

Siemens Industrial Automation 🔎 →

"Siemens, SIMATIC" port:161

Siemens HVAC Controllers 🔎 →

"Server: Microsoft-WinCE" "Content-Length: 12581"

Door / Lock Access Controllers 🔎 →

"HID VertX" port:4070

Railroad Management 🔎 →

"log off" "select the appropriate"

---

Remote Desktop:

Unprotected VNC 🔎 →

"authentication disabled" "RFB 003.008"

Shodan Images is a great supplementary tool to browse screenshots, by the way! 🔎 →

{{< image src="images/vnc.png" alt="Example: Unprotected VNC" caption="The first result right now. 😞" >}}

Windows RDP 🔎 →

99.99% are secured by a secondary Windows login screen.

"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"

---

Network Infrastructure:

MongoDB 🔎 →

Older versions were insecure by default. Very scary.

"MongoDB Server Information" port:27017 -authentication

{{< image src="images/mongo.png" width="500" alt="Example: MongoDB" >}}

Mongo Express Web GUI 🔎 →

Like the infamous phpMyAdmin but for MongoDB.

"Set-Cookie: mongo-express=" "200 OK"

{{< image src="images/mongo-express.png" width="700" alt="Example: Mongo Express GUI" >}}

Jenkins CI 🔎 →

"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"

{{< image src="images/jenkins.png" width="700" alt="Example: Jenkins CI" >}}

Docker APIs 🔎 →

"Docker Containers:" port:2375

Pi-hole Open DNS Servers 🔎 →

"dnsmasq-pi-hole" "Recursion: enabled"

Already Logged-In as root via Telnet 🔎 →

"root@" port:23 -login -password -name -Session

Android Root Bridges 🔎 →

A tangential result of Google's dumb fractured update approach. 🙄 More information here.

"Android Debug Bridge" "Device" port:5555

Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords 🔎 →

Lantronix password port:30718 -secured

Citrix Virtual Apps 🔎 →

"Citrix Applications:" port:1604

{{< image src="images/citrix.png" width="700" alt="Example: Citrix Virtual Apps" >}}

Cisco Smart Install 🔎 →

Vulnerable (kind of "by design," but especially when exposed).

"smart install client active"

PBX IP Phone Gateways 🔎 →

PBX "gateway console" -password port:23

Polycom Video Conferencing 🔎 →

http.title:"- Polycom" "Server: lighttpd"

Telnet Configuration: 🔎 →

"Polycom Command Shell" -failed port:23

{{< image src="images/polycom.png" width="550" alt="Example: Polycom Video Conferencing" >}}

Bomgar Help Desk Portal 🔎 →

"Server: Bomgar" "200 OK"

Intel Active Management CVE-2017-5689 🔎 →

"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995

HP iLO 4 CVE-2017-12542 🔎 →

HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" port:1900

Outlook Web Access:

Exchange 2007 🔎 →

"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"

{{< image src="images/owa2007.png" width="450" alt="Example: OWA for Exchange 2007" >}}

Exchange 2010 🔎 →

"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392

{{< image src="images/owa2010.png" width="450" alt="Example: OWA for Exchange 2010" >}}

Exchange 2013 / 2016 🔎 →

"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"

{{< image src="images/owa2013.png" width="580" alt="Example: OWA for Exchange 2013/2016" >}}

Lync / Skype for Business 🔎 →

"X-MS-Server-Fqdn"

---

Network Attached Storage (NAS):

SMB (Samba) File Shares 🔎 →

Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.

"Authentication: disabled" port:445

Specifically domain controllers: 🔎 →

"Authentication: disabled" NETLOGON SYSVOL -unix port:445

FTP Servers with Anonymous Login 🔎 →

"220" "230 Login successful." port:21

Iomega / LenovoEMC NAS Drives 🔎 →

"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"

{{< image src="images/iomega.png" width="600" alt="Example: Iomega / LenovoEMC NAS Drives" >}}

Buffalo TeraStation NAS Drives 🔎 →

Redirecting sencha port:9000

{{< image src="images/buffalo.png" width="580" alt="Example: Buffalo TeraStation NAS Drives" >}}

Logitech Media Servers 🔎 →

"Server: Logitech Media Server" "200 OK"

{{< image src="images/logitech.png" width="500" alt="Example: Logitech Media Servers" >}}

Plex Media Servers 🔎 →

"X-Plex-Protocol" "200 OK" port:32400

Tautulli / PlexPy Dashboards 🔎 →

"CherryPy/5.1.0" "/home"

{{< image src="images/plexpy.png" width="560" alt="Example: PlexPy / Tautulli Dashboards" >}}

---

Webcams:

Example images not necessary. 🤦

Yawcams 🔎 →

"Server: yawcam" "Mime-Type: text/html"

webcamXP/webcam7 🔎 →

("webcam 7" OR "webcamXP") http.component:"mootools" -401

Android IP Webcam Server 🔎 →

"Server: IP Webcam Server" "200 OK"

Security DVRs 🔎 →

html:"DVR_H264 ActiveX"

---

Printers & Copiers:

HP Printers 🔎 →

"Serial Number:" "Built:" "Server: HP HTTP"

{{< image src="images/hp.png" width="700" alt="Example: HP Printers" >}}

Xerox Copiers/Printers 🔎 →

ssl:"Xerox Generic Root"

{{< image src="images/xerox.png" width="620" alt="Example: Xerox Copiers/Printers" >}}

Epson Printers 🔎 →

"SERVER: EPSON_Linux UPnP" "200 OK"

"Server: EPSON-HTTP" "200 OK"

{{< image src="images/epson.png" width="550" alt="Example: Epson Printers" >}}

Canon Printers 🔎 →

"Server: KS_HTTP" "200 OK"

"Server: CANON HTTP Server"

{{< image src="images/canon.png" width="550" alt="Example: Canon Printers" >}}

---

Home Devices:

Yamaha Stereos 🔎 →

"Server: AV_Receiver" "HTTP/1.1 406"

{{< image src="images/yamaha.png" width="550" alt="Example: Yamaha Stereos" >}}

Apple AirPlay Receivers 🔎 →

Apple TVs, HomePods, etc.

"\x08_airplay" port:5353

Chromecasts / Smart TVs 🔎 →

"Chromecast:" port:8008

Crestron Smart Home Controllers 🔎 →

"Model: PYNG-HUB"

---

Random Stuff:

OctoPrint 3D Printer Controllers 🔎 →

title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944

{{< image src="images/octoprint.png" width="700" alt="Example: OctoPrint 3D Printers" >}}

Etherium Miners 🔎 →

"ETH - Total speed"

{{< image src="images/eth.png" width="800" alt="Example: Etherium Miners" >}}

Apache Directory Listings 🔎 →

Substitute .pem with any extension or a filename like phpinfo.php.

http.title:"Index of /" http.html:".pem"

Too Many Minecraft Servers 🔎 →

"Minecraft Server" "protocol 340" port:25565

Literally Everything in North Korea 🇰🇵 🔎 →

net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24

TCP Quote of the Day 🔎 →

Port 17 (RFC 865) has a bizarre history...

port:17 product:"Windows qotd"

Find a Job Doing This! 👩‍💼 🔎 →

"X-Recruiting:"

---

If you've found any other juicy Shodan gems, whether it's a search query or a specific example, definitely drop a comment below or open an issue/PR on GitHub!

Bon voyage, fellow penetrators! 😉