mirror of https://github.com/jakejarvis/jarv.is.git synced 2025-04-27 13:56:22 -04:00


title: Fascinating & Frightening Shodan Search Queries (AKA: The Internet of Sh*t)
date: 2019-09-19 09:56:10-0400
description: I've collected some interesting and scary search queries for Shodan, the internet-of-things search engine. Some return fun results, while others return serious vulnerabilities.
tags: Infosec, Pentesting, Shodan, Internet of Things, Dorking
image: images/shodan.png
css: h3 a:last-child, h4 a:last-child { background-image: none; padding-bottom: 0; margin-left: 6px; }
draft: false

{{< gh-buttons username="jakejarvis" repo="awesome-shodan-queries" >}}

Over time, I've collected an assortment of interesting, funny, and depressing search queries to plug into Shodan, the (literal) internet search engine. Some return facepalm-inducing results, while others return serious and/or ancient vulnerabilities in the wild.

{{< image src="images/shodan.png" >}}Most search filters require a Shodan account.{{< /image >}}

You can assume these queries only return unsecured/open instances when possible. For your own legal benefit, do not attempt to log in (even with default passwords) if they aren't! Narrow down results by adding filters like country:US or org:"Harvard University" or hostname:"nasa.gov" to the end.

The world and its devices are quickly becoming more connected through the shiny new Internet of Things Sh*t — and exponentially more dangerous as a result. To that end, I hope this list spreads awareness (and, quite frankly, pant-wetting fear) rather than harm.

And as always, discover and disclose responsibly! 😊



Industrial Control Systems

Samsung Electronic Billboards 🔎

"Server: Prismview Player"

{{< image src="images/billboard3.png" width="450" alt="Example: Electronic Billboards" />}}

Gas Station Pump Controllers 🔎

"in-tank inventory" port:10001

{{< image src="images/7-11.png" width="600" alt="Example: Gas Station Pump Inventories" />}}

Automatic License Plate Readers 🔎

P372 "ANPR enabled"

{{< image src="images/plate-reader.png" width="680" alt="Example: Automatic License Plate Reader" />}}

Traffic Light Controllers / Red Light Cameras 🔎

mikrotik streetlight

Voting Machines in the United States 🔎

"voter system serial" country:US

Telcos Running Cisco Lawful Intercept Wiretaps 🔎

"Cisco IOS" "ADVIPSERVICESK9_LI-M"

Wiretapping mechanism outlined by Cisco in RFC 3924:

Lawful intercept is the lawfully authorized interception and monitoring of communications of an intercept subject. The term "intercept subject" [...] refers to the subscriber of a telecommunications service whose communications and/or intercept related information (IRI) has been lawfully authorized to be intercepted and delivered to some agency.

Prison Pay Phones 🔎

"[2J[H Encartele Confidential"

Tesla PowerPack Charging Status 🔎

http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2

{{< image src="images/tesla.png" alt="Example: Tesla PowerPack Charging Status" />}}

Electric Vehicle Chargers 🔎

"Server: gSOAP/2.8" "Content-Length: 583"

Maritime Satellites 🔎

Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!

"Cobham SATCOM" OR ("Sailor" "VSAT")

{{< image src="images/sailor-vsat.png" width="700" alt="Example: Maritime Satellites" />}}

Submarine Mission Control Dashboards 🔎

title:"Slocum Fleet Mission Control"

CAREL PlantVisor Refrigeration Units 🔎

"Server: CarelDataServer" "200 Document follows"

{{< image src="images/refrigeration.png" alt="Example: CAREL PlantVisor Refrigeration Units" />}}

Nordex Wind Turbine Farms 🔎

http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"

C4 Max Commercial Vehicle GPS Trackers 🔎

"[1m[35mWelcome on console"

{{< image src="images/c4max.png" alt="Example: C4 Max Vehicle GPS" />}}

DICOM Medical X-Ray Machines 🔎

Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.

"DICOM Server Response" port:104

GaugeTech Electricity Meters 🔎

"Server: EIG Embedded Web Server" "200 Document follows"

{{< image src="images/power-gaugetech.png" width="500" alt="Example: GaugeTech Electricity Meters" />}}

Siemens Industrial Automation 🔎

"Siemens, SIMATIC" port:161

Siemens HVAC Controllers 🔎

"Server: Microsoft-WinCE" "Content-Length: 12581"

Door / Lock Access Controllers 🔎

"HID VertX" port:4070

Railroad Management 🔎

"log off" "select the appropriate"

Remote Desktop

Unprotected VNC 🔎

"authentication disabled" "RFB 003.008"

Shodan Images is a great supplementary tool to browse screenshots, by the way! 🔎

{{< image src="images/vnc.png" width="500" alt="Example: Unprotected VNC" caption="The first result right now. 😞" />}}

Windows RDP 🔎

99.99% are secured by a secondary Windows login screen.

"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"

Network Infrastructure

Weave Scope Dashboards 🔎

Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.

title:"Weave Scope" http.favicon.hash:567176827

{{< image src="images/weavescope.png" alt="Example: Weave Scope Dashboards" />}}

MongoDB 🔎

Older versions were insecure by default. Very scary.

"MongoDB Server Information" port:27017 -authentication

{{< image src="images/mongo.png" width="500" alt="Example: MongoDB" />}}

Mongo Express Web GUI 🔎

Like the infamous phpMyAdmin but for MongoDB.

"Set-Cookie: mongo-express=" "200 OK"

{{< image src="images/mongo-express.png" width="700" alt="Example: Mongo Express GUI" />}}

Jenkins CI 🔎

"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"

{{< image src="images/jenkins.png" width="700" alt="Example: Jenkins CI" />}}

Docker APIs 🔎

"Docker Containers:" port:2375

Docker Private Registries 🔎

"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab

Pi-hole Open DNS Servers 🔎

"dnsmasq-pi-hole" "Recursion: enabled"

Already Logged-In as root via Telnet 🔎

"root@" port:23 -login -password -name -Session

Android Root Bridges 🔎

A tangential result of Google's dumb fractured update approach. 🙄 More information here.

"Android Debug Bridge" "Device" port:5555

Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords 🔎

Lantronix password port:30718 -secured

Citrix Virtual Apps 🔎

"Citrix Applications:" port:1604

{{< image src="images/citrix.png" width="700" alt="Example: Citrix Virtual Apps" />}}

Cisco Smart Install 🔎

Vulnerable (kind of "by design," but especially when exposed).

"smart install client active"

PBX IP Phone Gateways 🔎

PBX "gateway console" -password port:23

Polycom Video Conferencing 🔎

http.title:"- Polycom" "Server: lighttpd"

Telnet Configuration: 🔎

"Polycom Command Shell" -failed port:23

{{< image src="images/polycom.png" width="550" alt="Example: Polycom Video Conferencing" />}}

Bomgar Help Desk Portal 🔎

"Server: Bomgar" "200 OK"

Intel Active Management CVE-2017-5689 🔎

"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995

HP iLO 4 CVE-2017-12542 🔎

HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900

Outlook Web Access:

Exchange 2007 🔎

"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"

{{< image src="images/owa2007.png" width="450" alt="Example: OWA for Exchange 2007" />}}

Exchange 2010 🔎

"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392

{{< image src="images/owa2010.png" width="450" alt="Example: OWA for Exchange 2010" />}}

Exchange 2013 / 2016 🔎

"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"

{{< image src="images/owa2013.png" width="580" alt="Example: OWA for Exchange 2013/2016" />}}

Lync / Skype for Business 🔎

"X-MS-Server-Fqdn"

Network Attached Storage (NAS)

SMB (Samba) File Shares 🔎

Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.

"Authentication: disabled" port:445

Specifically domain controllers: 🔎

"Authentication: disabled" NETLOGON SYSVOL -unix port:445

Concerning default network shares of QuickBooks files: 🔎

"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445

FTP Servers with Anonymous Login 🔎

"220" "230 Login successful." port:21

Iomega / LenovoEMC NAS Drives 🔎

"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"

{{< image src="images/iomega.png" width="600" alt="Example: Iomega / LenovoEMC NAS Drives" />}}

Buffalo TeraStation NAS Drives 🔎

Redirecting sencha port:9000

{{< image src="images/buffalo.png" width="580" alt="Example: Buffalo TeraStation NAS Drives" />}}

Logitech Media Servers 🔎

"Server: Logitech Media Server" "200 OK"

{{< image src="images/logitech.png" width="500" alt="Example: Logitech Media Servers" />}}

Plex Media Servers 🔎

"X-Plex-Protocol" "200 OK" port:32400

Tautulli / PlexPy Dashboards 🔎

"CherryPy/5.1.0" "/home"

{{< image src="images/plexpy.png" width="560" alt="Example: PlexPy / Tautulli Dashboards" />}}


Webcams

Example images not necessary. 🤦

Yawcams 🔎

"Server: yawcam" "Mime-Type: text/html"

webcamXP/webcam7 🔎

("webcam 7" OR "webcamXP") http.component:"mootools" -401

Android IP Webcam Server 🔎

"Server: IP Webcam Server" "200 OK"

Security DVRs 🔎

html:"DVR_H264 ActiveX"

Printers & Copiers

HP Printers 🔎

"Serial Number:" "Built:" "Server: HP HTTP"

{{< image src="images/hp.png" width="700" alt="Example: HP Printers" />}}

Xerox Copiers/Printers 🔎

ssl:"Xerox Generic Root"

{{< image src="images/xerox.png" width="620" alt="Example: Xerox Copiers/Printers" />}}

Epson Printers 🔎

"SERVER: EPSON_Linux UPnP" "200 OK"
"Server: EPSON-HTTP" "200 OK"

{{< image src="images/epson.png" width="550" alt="Example: Epson Printers" />}}

Canon Printers 🔎

"Server: KS_HTTP" "200 OK"
"Server: CANON HTTP Server"

{{< image src="images/canon.png" width="550" alt="Example: Canon Printers" />}}


Home Devices

Yamaha Stereos 🔎

"Server: AV_Receiver" "HTTP/1.1 406"

{{< image src="images/yamaha.png" width="550" alt="Example: Yamaha Stereos" />}}

Apple AirPlay Receivers 🔎

Apple TVs, HomePods, etc.

"\x08_airplay" port:5353

Chromecasts / Smart TVs 🔎

"Chromecast:" port:8008

Crestron Smart Home Controllers 🔎

"Model: PYNG-HUB"

Random Stuff

OctoPrint 3D Printer Controllers 🔎

title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944

{{< image src="images/octoprint.png" width="700" alt="Example: OctoPrint 3D Printers" />}}

Ethereum Miners 🔎

"ETH - Total speed"

{{< image src="images/eth.png" width="800" alt="Example: Ethereum Miners" />}}

Apache Directory Listings 🔎

Substitute .pem with any extension or a filename like phpinfo.php.

http.title:"Index of /" http.html:".pem"

Misconfigured WordPress 🔎

Exposed wp-config.php files containing database credentials.

http.html:"* The wp-config.php creation script uses this file"

Too Many Minecraft Servers 🔎

"Minecraft Server" "protocol 340" port:25565

Literally Everything in North Korea 🇰🇵 🔎

net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24

TCP Quote of the Day 🔎

Port 17 (RFC 865) has a bizarre history...

port:17 product:"Windows qotd"

Find a Job Doing This! 👩‍💼 🔎

"X-Recruiting:"

If you've found any other juicy Shodan gems, whether it's a search query or a specific example, definitely drop a comment below or open an issue/PR on GitHub!

Bon voyage, fellow penetrators! 😉