Shodan Dork Cheat Sheet

The Shodan Dork Cheat Sheet provides a comprehensive list of search queries for finding specific devices and services on the internet. It includes categories such as general search queries, applications and services, device identification, network analysis, IoT devices, security research, and geographic analysis. Users can combine queries to refine their searches based on various parameters like location, operating system, and vulnerabilities.

Uploaded by jhenning0140

Shodan Dork Cheat Sheet

General Search Queries

• city:"[city name]": Devices in a specific city.
• country:"[country code]": Devices in a specified country.
• geo:"[latitude],[longitude]": Geographic location-specific devices.
• hostname:"[hostname]": Devices with a particular hostname.
• net:"[IP range]": Devices within a certain IP range.
• os:"[operating system]": Devices running a specific OS.
• port:"[port number]": Devices open on a specific port.
• org:"[organization name]": Devices related to a certain organization.
• isp:"[ISP name]": Devices using a specific ISP.
• product:"[product name]": Devices with a specific software/hardware.
• version:"[version number]": Devices on a particular software version.
• has_screenshot:"true": Devices with available screenshots.
• ssl.cert.subject.cn:"[common name]": SSL certificates with a specific CN.
• http.title:"[title text]": Web pages with a certain title.
• http.html:"[HTML content]": Web pages containing specific HTML.
• http.status_code:[code]: Devices returning a specific HTTP status code.
• ssl:"[SSL keyword]": Devices with specific SSL configurations/details.
• before:"[date]" / after:"[date]": Devices online before/after a date.
• bitcoin.ip:"[IP address]": Bitcoin nodes by IP.
• ssh.fingerprint:"[fingerprint]": SSH servers with a specific fingerprint.

Applications and Services

• product:"[product name]": Devices running a specific product.
• version:"[version]": Devices with a specific version number.
• webcam: Searches for internet-connected webcams.
• "default password": Devices using default passwords.
• "server: Apache": Finds Apache web servers.
• ftp: Devices with FTP services.
• "X-Powered-By: PHP/[version]": PHP version-specific servers.
• iis:[version number]: Servers running Microsoft IIS.
• "Server: nginx": Devices running Nginx server.
• "MongoDB Server Information" port:27017: MongoDB databases on default port.
• "CCTV": Internet-connected CCTV cameras.
• "PBX VoIP": VoIP PBX systems.
• "Elasticsearch": Elasticsearch servers.
• "OpenSSL": Devices using OpenSSL.
• "SCADA": SCADA systems.
• "VoIP Phone": Internet-connected VoIP phones.

Device and Service Identification

• asn:"[ASN]": Devices associated with a specific ASN.
• http.favicon.hash:[hash]: Web servers with a specific favicon hash.
• ntp.ip:"[IP address]": NTP servers related to a specific IP.
• ssl.cert.issuer.cn:"[issuer CN]": SSL certificates issued by a specific issuer.
• http.component:"[component]": Web applications using specific components.
• http.robotstxt:"[content]": Web servers with specific robots.txt content.
• http.waf:"[WAF name]": Identification of web application firewalls.
• http.xssed:"[keyword]": Web pages marked in XSSed database.
• http.cookie:"[cookie name]": Web servers setting a specific cookie.
• http.useragent:"[user agent]": Devices with a specific user agent.

Network and Infrastructure Analysis

• not ssl: Devices not using SSL.
• metadata:"[keyword]": Searches for devices with specific metadata.
• http.html_hash:[hash]: Identifies web pages with a specific HTML hash.
• netblock:"[owner]": Devices within a netblock owned by a specific entity.
• asn:"[ASN]": Devices associated with a specific ASN.
• http.server_header:"[header content]": Devices with specific server header responses.
• udp: Devices with open UDP ports.
• telnet: Devices accessible via Telnet.

IoT and Connected Devices

• "smart tv": Searches for internet-connected smart TVs.
• "printer" "default password": Printers possibly using default passwords.
• "Raspberry Pi" port:22: Raspberry Pi devices with SSH enabled.
• "thermostat" "wifi": Wi-Fi-enabled thermostats.
• "smart home": Various smart home devices.
• "IP camera" "default login": IP cameras with default login credentials.
• "smart meter": Internet-connected smart meters.
• "home automation": Home automation systems.
• "wearable": Wearable technology devices.

Security and Vulnerability Research

• ssl.cert.serial:"[serial number]": SSL certificates by serial number.
• "Server: Microsoft-HTTPAPI/2.0": Devices running specific Microsoft HTTP services.
• "Cisco IOS" "http auth": Cisco IOS devices with HTTP authentication.
• "default login" "router": Routers with default login credentials.
• "Hadoop NameNode": Hadoop NameNode servers.
• "Apache Struts" vuln: Apache Struts vulnerabilities.
• "Tomcat" admin: Tomcat servers with admin panels.
• "Docker" port:2375: Docker instances on default port.
• vuln:"[CVE-ID]": Searches for vulnerabilities with a specific CVE ID.
• "200 OK" ssl: Servers with SSL certificates returning 200 OK.
• "Server: Apache" -"mod_ssl" -"OpenSSL": Apache servers potentially without SSL encryption.
• ssl.cert.expired:"true": Devices with expired SSL certificates.
• "heartbleed" vuln: Searches for vulnerabilities related to Heartbleed.
• http.component:"Drupal" vuln:"CVE-2018-7600": Drupal sites vulnerable to a specific CVE.
• "Authentication: disabled": Devices with authentication disabled.
• http.title:"Index of /": Directories with potentially open indexes.
• ssl:"TLSv1": Searches for devices using the older TLSv1 protocol.
• org:"[organization]" vuln:"[CVE-ID]": Searches for vulnerabilities within a specific organization.
• "EternalBlue" vuln: Devices vulnerable to EternalBlue.
• "Joomla" vuln: Joomla sites with specific vulnerabilities.
• "WordPress" vuln: WordPress sites with specific vulnerabilities.
• "SQL Injection" vuln: Devices vulnerable to SQL Injection.
• "DDoS" vuln: Devices potentially vulnerable to DDoS attacks.

Geographic and Demographic Analysis

• city:"[city]" os:"[OS]": Devices with a specific OS in a city.
• country:"[country]" product:"[product]": Specific devices in a country.
• region:"[region]": Devices in a specific region.
• postal:"[postal code]": Devices in a specific postal code.
• latitude:"[latitude]" longitude:"[longitude]": Devices at specific coordinates.
• area:"[area code]": Devices in a specific area code.

Combined Queries

• os:"Linux" port:"22" "SSH" country:"JP": Linux devices with SSH in Japan.
• product:"Apache" version:"2.4.7" -"200 OK": Apache servers not returning 200 OK.
• city:"New York" os:"Windows" port:"3389": Windows devices with RDP in New York.
• net:"192.168.1.0/24" webcam: Webcams in the 192.168.1.0/24 IP range.
• org:"Google" ssl cert:"expired": Expired SSL certificates in Google's infrastructure.
• country:"DE" product:"MySQL" version:"5.5" "default password": MySQL databases in Germany.
• "HTTP/1.1 401 Unauthorized" city:"London" port:"80": Unauthorized HTTP responses in London.
• "Server: Apache" -"Apache-Coyote" country:"BR": Apache servers in Brazil.
• hostname:"*.edu" vuln:"CVE-2019-11510": Educational institutions vulnerable to CVE-2019-11510.
• "IIS/8.0" -"X-Powered-By" net:"205.251.192.0/18": IIS 8.0 servers in the specified range.