Denizhalil

Shodan Dork Cheat Sheet

What is Shodan?

As the digital landscape continually evolves, understanding and utilizing Shodan, a sophisticated search engine for the Internet of Things, becomes crucial for cybersecurity professionals and enthusiasts alike. This article serves as your comprehensive cheat sheet, offering detailed insights into the various search queries in Shodan. Whether you’re aiming to enhance your network security, conduct research, or simply explore the vast expanse of internet-connected devices, mastering Shodan search queries is an essential skill. Dive into our guide to unlock the full potential of Shodan’s capabilities right from the start.

Why Use Shodan?

Shodan is extensively used for security analysis, network monitoring, and exploring the Internet of Things. It helps in discovering devices such as servers, webcams, and routers that are connected to the internet, and it provides insights into their configuration, software, and vulnerabilities.

General Search Queries
  1. city:"[city name]": Searches for devices in a specific city.
  2. country:"[country code]": Searches for devices in a specific country.
  3. geo:"[latitude],[longitude]": Searches for devices in a specific geographic location.
  4. hostname:"[hostname]": Searches for devices with a specific hostname.
  5. net:"[IP range]": Searches for devices within a specific IP range.
  6. os:"[operating system]": Searches for devices with a specific operating system.
  7. port:"[port number]": Searches for devices with a specific open port.
  8. org:"[organization name]": Searches for devices associated with a specific organization.
  9. isp:"[internet service provider]": Finds devices using a specific internet service provider.
  10. product:"[product name]": Searches for devices using a specific software or hardware product.
  11. version:"[version number]": Looks for devices running a specific version of software or firmware.
  12. has_screenshot:"true": Finds devices with available screenshots.
  13. ssl.cert.subject.cn:"[common name]": Searches for SSL certificates with a specific common name.
  14. http.title:"[title text]": Looks for web pages with a specific title.
  15. http.html:"[html content]": Searches for web pages containing specific HTML content.
  16. http.status:[code]: Finds devices returning a specific HTTP status code.
  17. ssl:"[SSL keyword]": Searches for devices with specific SSL configurations or details.
  18. before:"[date]" / after:"[date]": Searches for devices that were online before or after a specific date.

Specific Applications and Services
  1. product:"[product name]": Searches for devices running a specific product.
  2. version:"[version]": Searches for devices with a specific version number.
  3. webcam: Searches for internet-connected webcams.
  4. "default password": Searches for devices using default passwords.
  5. "server: Apache": Finds servers specifically running the Apache web server.
  6. ftp: Searches for devices with FTP services.
  7. "X-Powered-By: PHP/[version]": Looks for servers running a specific version of PHP.
  8. iis:[version number]: Finds servers running a specific version of Microsoft IIS.
  9. "Server: nginx": Searches for devices running the Nginx server.
  10. "MongoDB Server Information" port:27017: Finds MongoDB databases exposed on the default port.

Security Vulnerabilities and Weaknesses
  1. vuln:"[CVE-ID]": Searches for security vulnerabilities with a specific CVE ID.
  2. "200 OK" ssl: Searches for servers with SSL certificates that return a 200 OK response.
  3. "Server: Apache" -"mod_ssl" -"OpenSSL": Finds Apache servers that might not be using SSL encryption.
  4. ssl.cert.expired:"true": Searches for devices with expired SSL certificates.
  5. "heartbleed" vuln: Looks for vulnerabilities related to the Heartbleed bug.
  6. http.component:"Drupal" vuln:"CVE-2018-7600": Finds Drupal sites vulnerable to a specific CVE.
  7. "Authentication: disabled": Searches for devices with authentication disabled.
  8. http.title:"Index of /": Finds directories with potentially open indexes.
  9. ssl:"TLSv1": Searches for devices using the older TLSv1 protocol.
  10. org:"[organization]" vuln:"[CVE-ID]": Searches for vulnerabilities within a specific organization’s infrastructure.

Example Complex Queries for Shodan
  1. os:"Linux" port:"22" "SSH" country:"JP"
    • Searches for Linux devices in Japan with SSH service running on port 22.
  2. product:"Apache" version:"2.4.7" -"200 OK"
    • Looks for Apache servers running version 2.4.7 that do not return a 200 OK status.
  3. city:"New York" os:"Windows" port:"3389"
    • Finds Windows devices with Remote Desktop Protocol (RDP) enabled in New York City.
  4. net:"192.168.1.0/24" webcam
    • Searches for webcams within the IP range 192.168.1.0 to 192.168.1.255.
  5. org:"Google" ssl.cert.expired:"true"
    • Searches for expired SSL certificates on devices belonging to the organization "Google".
  6. country:"DE" product:"MySQL" version:"5.5" "default password"
    • Searches for MySQL 5.5 servers in Germany whose banner contains the text "default password".
  7. "HTTP/1.1 401 Unauthorized" city:"London" port:"80"
    • Finds devices in London returning a 401 Unauthorized status on HTTP port 80.
  8. "Server: Apache" -"Apache-Coyote" country:"BR"
    • Searches for servers in Brazil running Apache but not Apache-Coyote.
  9. hostname:"*.edu" vuln:"CVE-2019-11510"
    • Finds educational institutions’ hosts vulnerable to CVE-2019-11510.
  10. "IIS/8.0" -"X-Powered-By" net:"205.251.192.0/18"
    • Searches for servers running IIS 8.0 without the "X-Powered-By" header in the specified IP range.
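
The complex queries above combine terms with an implicit AND, negate a term with a leading "-", and match bare or quoted text against the service banner. The following added example (not from the original article, and not Shodan's own implementation) is a simplified local matcher that lets you check which records in your own asset inventory such a query would select. The record field names (ip, port, country, data), the sample banners and the substring matching for generic filters are assumptions.

```python
import ipaddress
import re

# One token = optional "-" (negation), optional "key:" (filter),
# then a quoted or a bare value. Note the ASCII quotes.
TOKEN = re.compile(r'(-?)(?:([\w.]+):)?(?:"([^"]*)"|(\S+))')

# Constructed banner records using documentation IP ranges (not real hosts).
INVENTORY = [
    {"ip": "203.0.113.10", "port": 80, "country": "BR",
     "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.57\r\n"},
    {"ip": "203.0.113.11", "port": 8080, "country": "BR",
     "data": "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"},
    {"ip": "198.51.100.7", "port": 80, "country": "DE",
     "data": "HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/8.0\r\n"
             "X-Powered-By: ASP.NET\r\n"},
    {"ip": "198.51.100.8", "port": 80, "country": "DE",
     "data": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.0\r\n"},
]


def field_matches(key, value, rec):
    """Evaluate one key:value filter against a record."""
    if key == "net":  # CIDR membership
        net = ipaddress.ip_network(value, strict=False)
        return ipaddress.ip_address(rec["ip"]) in net
    if key == "port":  # exact port number
        return str(rec["port"]) == value
    # Simplification: every other filter is a case-insensitive substring test.
    return value.lower() in str(rec.get(key, "")).lower()


def matches(query, rec):
    """True if every term holds (implicit AND); '-' inverts a term."""
    for neg, key, quoted, bare in TOKEN.findall(query):
        value = quoted or bare
        if key:
            hit = field_matches(key, value, rec)
        else:  # free text is searched in the banner only
            hit = value.lower() in rec["data"].lower()
        if hit == bool(neg):
            return False
    return True


def audit(query, inventory=INVENTORY):
    """Return the IPs of inventory records the query would select."""
    return [rec["ip"] for rec in inventory if matches(query, rec)]


if __name__ == "__main__":
    print(audit('"Server: Apache" -"Apache-Coyote" country:"BR"'))
```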

Conclusion

Using Shodan search queries effectively can provide valuable insights into the security and configuration of devices connected to the internet. It’s a powerful tool for cybersecurity professionals, researchers, and enthusiasts alike. Remember to use Shodan responsibly and ethically, as it can expose sensitive information and vulnerabilities.
