Shodan provides a great starting point for researchers performing any information gathering task. By being able to filter data by its location, software version, when it was last seen and much more, Shodan can help researchers target specific research points, making their work easier and more efficient.
Shodan is great for marketing teams and software vendors too, allowing you to filter out different versions of software running on a server. Furthermore, with the location filters available, one can also find the number of instances running in a certain country, city or district.
Shodan employs cybersecurity fingerprinting as a way to find and tag devices, similar to the way human fingerprints identify a person. Various bits of information and services running on an IP address help identify the device running on that IP address.
For example, looking up the issuer of an SSL certificate attached to an IP address can often help identify the manufacturer of the device with which the IP is associated.
Today we will explore the top Shodan dorks to find sensitive data from IoT connected devices.
Most popular Shodan dorks
Thanks to its internet scanning capabilities, and with the numerous data points and filters available in Shodan, knowing a few tricks or “dorks” (like the famous Google Dorks) can help filter and find relevant results for your IP intelligence research.
To begin using Shodan dorks (in a practice known as “Shodan dorking”), you’ll first need to log in (or create an account and log in) to your Shodan account by clicking on the “Login or Register” button on the right-hand side:
After which you can log in to or create your Shodan account.
Keep in mind this list is presented in random order. There’s no Shodan dork more important than any other; they’re merely used for different purposes.
Databases often hold critical bits of information. Exposing them to the public internet, whether for ease of development access or simply due to misconfiguration, can open up a huge security hole.
To find MongoDB database servers which have open authentication over the public internet within Shodan, the following search query can be used:
"MongoDB Server Information" port:27017 -authentication
MongoDB also has a web management application similar to phpMyAdmin called Mongo Express Web GUI, which we can find with the following query:
"Set-Cookie: mongo-express=" "200 OK"
Similarly, to find MySQL-powered databases:
To lookup popular ElasticSearch-powered instances:
port:"9200" all:"elastic indices"
And to look up PostgreSQL databases:
Searching for services running on open ports accessible on the public internet—like FTP servers, SSH servers and others—is possible by using the following queries.
For FTP, querying for proftpd, a popular FTP server:
To look for FTP servers that allow anonymous logins:
"220" "230 Login successful." port:21
To query for OpenSSH, a popular SSH server:
For Telnet, querying for port 23:
To look up EXIM-powered mail servers on port 25:
Memcached, commonly seen on port 11211, has been a major source of UDP amplification attacks leading to huge DDoS attacks. Services running Memcached available on the public internet are often exploited for these attacks:
Jenkins is a popular automated build, deploy and test tool, often the starting point of any software being built for release. It can be found via the following query:
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
DNS servers with recursion enabled can be a huge source of network threats. To find these servers, one can use the query:
"port: 53" Recursion: Enabled
To find devices running a specific version of RouterOS, the operating system that powers routers, switches and other networking equipment from MikroTik, we use the following search query:
port:8291 os:"MikroTik RouterOS 6.45.9"
This allows us to find those switches, routers and other networking gear running an older and possibly vulnerable version of the RouterOS operating system which runs on port number 8291, used for the web management UI.
Shodan makes it possible to find and filter out web server versions as well. For example, we’ll use this to find IPs that host a specific version of the popular web server Apache:
product:"Apache httpd" port:"80"
With the above query, we can find Apache web servers on port 80, the most common port for web servers.
Similarly, to look up Microsoft IIS-powered websites and web servers:
product:"Microsoft IIS httpd"
To look up Nginx-powered websites and web servers:
The above product query can be combined with the “port” option too. For example, if you wish to lookup Nginx-powered web servers on port 8080:
"port: 8080" product:"nginx"
Querying for older and possibly end-of-life operating systems like Windows 7 is also possible in Shodan, by using the following query:
Similarly, to look up specific build versions of Windows 10, the following query can be used, wherein we look up Windows 10 Home edition with build version 19041:
os:"Windows 10 Home 19041"
To filter and find Linux-based devices, the following query can be used:
Filtering by country, city or location
Sometimes the amount of data returned by Shodan is simply too much. To narrow things down, the country or city filter can be applied:
For example, if you wish to filter by country:
To filter by city:
Last but not least, you can even look up via GPS coordinates of a region or city:
This location filter can be combined with other filters as well. For example, if you wish to find Windows 7 devices in the United Kingdom, the following query can be used:
os:"windows 7" country:"UK"
Another advantage of Shodan is that it can be used to find SSL certificates that are expired or self-signed.
To find self-signed certificates, the following query can be used:
To find expired SSL certificates, this query can be used:
Other useful Shodan dorks for IoT device intelligence
Let’s see what else can be found by “Shodan dorking”.
Often left running on the public internet with outdated and insecure software, webcams can be easily compromised. Fortunately, Shodan allows us to filter and find them, with the following query:
Looking further, we can filter out specific software vendors who provide software for webcams, such as Yawcam, with the following query:
"Server: yawcam" "Mime-Type: text/html"
Industrial control systems
Industrial control systems run some of the most complex machinery seen in modern times. With uses ranging from power generation to manufacturing, they span everything from basic temperature sensors to complex machinery that controls a whole plant.
For example, to find XZERES Wind Turbines:
And for Mitsubishi Electric, the MELSEC-Q protocol is commonly used by control system machines/networks:
We can also find electric vehicle chargers on Shodan, with the following query:
"Server: gSOAP/2.8" "Content-Length: 583"
Remote Desktop, commonly known as RDP, is a service used to remotely access Windows-based machines. These devices often run older or out-of-date Windows patches, leaving them exploitable.
To look up open Windows Remote Desktop ports, use:
remote desktop "port:3389"
Looking at the Linux side of things, we commonly see VNC being used. Devices with VNC available without authentication can be found with the following query:
"authentication disabled" "RFB 003.008"
NAS, or network attached storage devices, often carry or hold a lot of data. Leaving them exposed to the public internet without authentication can lead to data theft, data loss and ransomware attacks.
Samba is a popular networking protocol which provides file and print services for Windows-based devices. The following query allows us to find devices running the Samba protocol on port 445 with authentication disabled:
"Authentication: disabled" port:445
For media devices, Plex is a popular media server used to manage photos, movies and music. Plex devices can be found with the following filter:
"X-Plex-Protocol" "200 OK" port:32400
Some NAS devices have FTP-based services running on them. They can be found via the following query:
"220" "230 Login successful." port:21
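The database, FTP, VNC, Samba and DNS dorks above all share one shape: a quoted banner phrase, an optional port filter and an optional negated term. As an added example (not the article's or Shodan's own code), the Python below encodes several of them as rules, renders each rule back into its Shodan query string, and applies the same matching logic offline to a constructed set of records in the shape of a Shodan JSON export, which is how a defender would triage results for their own netblocks; the rule names are hypothetical labels.

```python
"""Triage Shodan-style banner records with rules mirroring this page's dorks."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str                      # finding label (hypothetical naming)
    include: str                   # phrase that must appear in the banner
    port: Optional[int] = None     # Shodan port: filter, if any
    exclude: Optional[str] = None  # negated term: its presence clears the finding

RULES = [  # one Rule per dork from the article: phrase, port, negated term
    Rule("mongodb-no-auth", "MongoDB Server Information", 27017, "authentication"),
    Rule("ftp-anonymous", "230 Login successful.", 21),
    Rule("vnc-no-auth", "authentication disabled"),  # seen on RFB 003.008 banners
    Rule("smb-no-auth", "Authentication: disabled", 445),
    Rule("dns-open-recursion", "Recursion: Enabled", 53),
]

def to_dork(rule: Rule) -> str:
    """Render a rule back into the Shodan search string it came from."""
    parts = [f'"{rule.include}"']
    if rule.port is not None:
        parts.append(f"port:{rule.port}")
    if rule.exclude:
        parts.append(f"-{rule.exclude}")
    return " ".join(parts)

def matches(rule: Rule, record: dict) -> bool:
    """Apply one rule to a record shaped like a Shodan JSON export entry."""
    text = record.get("data", "").lower()
    if rule.port is not None and record.get("port") != rule.port:
        return False
    if rule.include.lower() not in text:
        return False
    return not (rule.exclude and rule.exclude.lower() in text)

def triage(records: list) -> list:
    """Return (ip, port, rule name) for every record that trips a rule."""
    return [(r["ip_str"], r["port"], rule.name)
            for r in records for rule in RULES if matches(rule, r)]

# Constructed sample records (documentation IP range, not real hosts).
SAMPLE = [
    {"ip_str": "192.0.2.10", "port": 27017, "data": "MongoDB Server Information\nversion: 4.0.3"},
    {"ip_str": "192.0.2.11", "port": 27017, "data": "MongoDB Server Information\nauthentication required"},
    {"ip_str": "192.0.2.12", "port": 21, "data": "220 ProFTPD Server ready.\n230 Login successful."},
    {"ip_str": "192.0.2.13", "port": 5900, "data": "RFB 003.008\nauthentication disabled"},
    {"ip_str": "192.0.2.15", "port": 80, "data": "HTTP/1.1 200 OK\nServer: nginx"},
]
```

Running `triage(SAMPLE)` flags only the MongoDB host without the "authentication" term, the anonymous FTP host and the VNC host; the second MongoDB record is cleared by the negated term exactly as the `-authentication` dork would clear it in Shodan.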
Printers and copiers
With nearly all modern printers and copiers having networking capabilities, and some even with WiFi abilities, it’s critical to secure them.
To find HP-powered printers, the following query can be used:
"Serial Number:" "Built:" "Server: HP HTTP"
Similarly, to find EPSON powered printers:
"SERVER: EPSON_Linux UPnP" "200 OK"
Xerox printers and copiers, often seen at workplaces, are easily found via the following query, which pulls identifiable information from their SSL certificates:
ssl:"Xerox Generic Root"
With the available information in the Shodan database growing each day, knowing how to find the exact device type or software you’re looking for is a critical matter. By using filters or “dorks” to find specific results from millions of data points and entries, Shodan makes such work easier and more effective.
Its ability to combine most dorks with each other means Shodan can also be a powerful tool for marketing and software suppliers.
For example, the ability to combine software version filters with location filters gives marketing and software vendors the ability to look up which software or hardware versions sell best in different locations.
Security researchers who work with software and hardware vendors also benefit from this feature, which helps them find outdated and often vulnerable versions of their software accessible on the public internet. This allows them to find and contact users to alert them of possible security concerns.
Stay tuned for the next chapter, where we’ll present our own in-house alternative solution to Shodan.