Staff Shodan Mega Cheat Sheet

Luckyy Vendetta

Administrator
Luckyy
Staff
Luckyy Rep
1
0
0
Rep
1
Luckyy Vouches
2
0
0
Vouches
2
Posts
315
Likes
29
Bits
800,766
5 YEARS
5 YEARS OF SERVICE
LEVEL 500 XP
🔎 Shodan Mega Cheat Sheet
The most complete list of Shodan dorks, filters, and queries for educational and security research only.​


⚠️ Disclaimer
This is for educational, research, and awareness purposes.
Shodan searches are legal.
Accessing or exploiting exposed systems without permission = illegal hacking.


1️⃣ Basic Syntax
Code: 
keyword
"exact phrase"
-keyword
keyword1 OR keyword2
before:2024-01-01
after:2024-01-01
has_screenshot:true

2️⃣ Common Filters
Code: 
ip:1.2.3.4
net:1.2.3.0/24
port:3389
country:"US"
city:"London"
region:"California"
geo:"40.7128,-74.0060,25"
org:"Google"
isp:"Comcast"
os:"Windows 7"
product:"Apache"
version:"2.4.49"
http.title:"Login"
http.html:"Index of /"
http.component:"WordPress"
http.favicon.hash:-247388890
ssl:"Let's Encrypt"
ssl.cert.subject.cn:"example.com"
ssl.cert.expired:true
vuln:CVE-2021-44228


3️⃣ Common Ports
Code: 
21   FTP
22   SSH
23   Telnet
25   SMTP
53   DNS
80   HTTP
443  HTTPS
445  SMB
1433 MSSQL
1521 Oracle
3306 MySQL
3389 RDP
5432 PostgreSQL
5900 VNC
6379 Redis
8006 Proxmox
8080 HTTP-alt
9200 Elasticsearch
27017 MongoDB
32400 Plex


4️⃣ Web Applications
Code: 
http.title:"phpMyAdmin"
http.component:"WordPress"
http.component:"Drupal"
http.component:"Joomla"
http.title:"Kibana"
http.title:"Grafana"
http.title:"Zabbix"
http.title:"Solr Admin"
http.title:"Confluence"
http.title:"Jira"
http.title:"Redmine"
http.html:".git/config"
http.html:".env"


5️⃣ Databases
Code: 
"MongoDB Server Information" port:27017 -authentication
"200 OK" "elastic indices" port:9200
"redis_version" port:6379
"Welcome" port:5984
"PostgreSQL" port:5432
"mysql_native_password" port:3306
"Starting listening for CQL clients" port:9042
"Set-Cookie: mongo-express=" "200 OK"


6️⃣ Remote Admin Panels
Code: 
http.title:"WHM Login"
http.title:"Plesk"
http.title:"Login to Webmin"
http.title:"Nagios"
"Proxmox" port:8006
http.title:"Citrix Gateway"
http.title:"FortiGate"
http.title:"GlobalProtect Portal"
"OpenVPN" http.title:"Access Server"
http.title:"pfSense"
"HP-iLO"
"Server: iDRAC"
"Server: ATEN"
"APC Management Card"
"Server: Bomgar" "200 OK"


7️⃣ Cloud / DevOps
Code: 
http.title:"Kubernetes Dashboard"
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
"Docker Containers:" port:2375
"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab
title:"Weave Scope" http.favicon.hash:567176827
"etcdserver" "raft" port:2379
"X-Consul-Index"
"Vault" port:8200
"RabbitMQ Management"
"ActiveMQ Console"
"Spark Master at"
"Resourcemanager" port:8088


8️⃣ IoT Devices / Cameras
Code: 
title:"AXIS"
title:"Foscam"
title:"TP-Link"
title:"Hikvision"
title:"Vivotek"
title:"AVTech"
title:"Wansview"
title:"Panasonic Network Camera"
http.title:"DVR_H264 ActiveX"
"Server: yawcam" "Mime-Type: text/html"
("webcam 7" OR "webcamXP") http.component:"mootools" -401
"Server: IP Webcam Server" "200 OK"
http.title:"Synology DiskStation"
"Server: Logitech Media Server" "200 OK"
"X-Plex-Protocol" "200 OK" port:32400
"CherryPy/5.1.0" "/home"
http.title:"Kodi"


9️⃣ ICS / SCADA
Code: 
"Server: Prismview Player"
"in-tank inventory" port:10001
P372 "ANPR enabled"
mikrotik streetlight
"voter system serial" country:US
"Cisco IOS" "ADVIPSERVICESK9_LI-M"
"[2J[H Encartele Confidential"
http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
"Server: gSOAP/2.8" "Content-Length: 583"
"Cobham SATCOM" OR ("Sailor" "VSAT")
title:"Slocum Fleet Mission Control"
"Server: CarelDataServer" "200 Document follows"
http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1"
"[1m[35mWelcome on console"
"DICOM Server Response" port:104
"Server: EIG Embedded Web Server" "200 Document follows"
"Siemens, SIMATIC" port:161
"Server: Microsoft-WinCE" "Content-Length: 12581"
"HID VertX" port:4070
"log off" "select the appropriate"


🔟 Vulnerabilities
Code: 
vuln:ms17-010
vuln:CVE-2014-6271
vuln:heartbleed
vuln:CVE-2019-0708
vuln:CVE-2020-1472
vuln:CVE-2021-34527
vuln:CVE-2021-44228
"Anonymous FTP login allowed"
"220" "230 Login successful." port:21
port:445 "NT_STATUS_ACCESS_DENIED"
"Authentication: disabled" port:445
"Authentication: disabled" NETLOGON SYSVOL -unix port:445
"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445
"Apache/2.2.15"
"Microsoft-IIS/6.0"


1️⃣1️⃣ Printers & Copiers
Code: 
"Serial Number:" "Built:" "Server: HP HTTP"
ssl:"Xerox Generic Root"
"SERVER: EPSON_Linux UPnP" "200 OK"
"Server: EPSON-HTTP" "200 OK"
"Server: KS_HTTP" "200 OK"
"Server: CANON HTTP Server"


1️⃣2️⃣ Home Devices
Code: 
"Server: AV_Receiver" "HTTP/1.1 406"
"\x08_airplay" port:5353
"Chromecast:" port:8008
"Model: PYNG-HUB"
"Android Debug Bridge" "Device" port:5555


1️⃣3️⃣ Gaming Servers
Code: 
"Minecraft Server" "protocol 340" port:25565
"Half-Life" "Server"
"Rust Server"
"ARK Survival Evolved"
"FXServer"


1️⃣4️⃣ Fun / Weird
Code: 
title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944
"ETH - Total speed"
"stratum" "mining"
http.title:"Index of /" http.html:".pem"
http.html:"* The wp-config.php creation script uses this file"
http.title:"phpinfo()" "PHP Version"
port:17 product:"Windows qotd"
"X-Recruiting:"
net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24
 
Last edited:
You must log in or register to reply here.

99

373

461

17

C chrollo
Top