The Shodan Dork Cheat Sheet provides a comprehensive list of search queries for finding specific devices and services on the internet. It includes categories such as general search queries, applications and services, device identification, network analysis, IoT devices, security research, and geographic analysis. Users can combine queries to refine their searches based on various parameters like location, operating system, and vulnerabilities.
Shodan Dork Cheat Sheet
General Search Queries
city:"[city name]": Devices in a specific city.
country:"[country code]": Devices in a specified country.
geo:"[latitude],[longitude]": Geographic location-specific devices.
hostname:"[hostname]": Devices with a particular hostname.
net:"[IP range]": Devices within a certain IP range.
os:"[operating system]": Devices running a specific OS.
port:"[port number]": Devices open on a specific port.
org:"[organization name]": Devices related to a certain organization.
isp:"[ISP name]": Devices using a specific ISP.
product:"[product name]": Devices with a specific software/hardware.
version:"[version number]": Devices on a particular software version.
has_screenshot:"true": Devices with available screenshots.
ssl.cert.subject.cn:"[common name]": SSL certificates with a specific CN.
http.title:"[title text]": Web pages with a certain title.
http.html:"[HTML content]": Web pages containing specific HTML.
http.status_code:[code]: Devices returning a specific HTTP status code.
ssl:"[SSL keyword]": Devices with specific SSL configurations/details.
before:"[date]" / after:"[date]": Devices online before/after a date.
bitcoin.ip:"[IP address]": Bitcoin nodes by IP.
ssh.fingerprint:"[fingerprint]": SSH servers with a specific fingerprint.

Applications and Services
product:"[product name]": Devices running a specific product.
version:"[version]": Devices with a specific version number.
webcam: Searches for internet-connected webcams.
"default password": Devices using default passwords.
"server: Apache": Finds Apache web servers.
ftp: Devices with FTP services.
"X-Powered-By: PHP/[version]": PHP version-specific servers.
iis:[version number]: Servers running Microsoft IIS.
"Server: nginx": Devices running Nginx server.
"MongoDB Server Information" port:27017: MongoDB databases on default port.
"CCTV": Internet-connected CCTV cameras.
"PBX VoIP": VoIP PBX systems.
"Elasticsearch": Elasticsearch servers.
"OpenSSL": Devices using OpenSSL.
"SCADA": SCADA systems.
"VoIP Phone": Internet-connected VoIP phones.

Device and Service Identification
asn:"[ASN]": Devices associated with a specific ASN.
http.favicon.hash:[hash]: Web servers with a specific favicon hash.
ntp.ip:"[IP address]": NTP servers related to a specific IP.
ssl.cert.issuer.cn:"[issuer CN]": SSL certificates issued by a specific issuer.
http.component:"[component]": Web applications using specific components.
http.robotstxt:"[content]": Web servers with specific robots.txt content.
http.waf:"[WAF name]": Identification of web application firewalls.
http.xssed:"[keyword]": Web pages marked in XSSed database.
http.cookie:"[cookie name]": Web servers setting a specific cookie.
http.useragent:"[user agent]": Devices with a specific user agent.

Network and Infrastructure Analysis
not ssl: Devices not using SSL.
metadata:"[keyword]": Searches for devices with specific metadata.
http.html_hash:[hash]: Identifies web pages with a specific HTML hash.
netblock:"[owner]": Devices within a netblock owned by a specific entity.
asn:"[ASN]": Devices associated with a specific ASN.
http.server_header:"[header content]": Devices with specific server header responses.
udp: Devices with open UDP ports.
telnet: Devices accessible via Telnet.

IoT and Connected Devices
"smart tv": Searches for internet-connected smart TVs.
"printer" "default password": Printers possibly using default passwords.
"Raspberry Pi" port:22: Raspberry Pi devices with SSH enabled.
"thermostat" "wifi": Wi-Fi-enabled thermostats.
"smart home": Various smart home devices.
"IP camera" "default login": IP cameras with default login credentials.
"smart meter": Internet-connected smart meters.
"home automation": Home automation systems.
"wearable": Wearable technology devices.

Security and Vulnerability Research
ssl.cert.serial:"[serial number]": SSL certificates by serial number.
"Server: Microsoft-HTTPAPI/2.0": Devices running specific Microsoft HTTP services.
"Cisco IOS" "http auth": Cisco IOS devices with HTTP authentication.
"default login" "router": Routers with default login credentials.
"Hadoop NameNode": Hadoop NameNode servers.
"Apache Struts" vuln: Apache Struts vulnerabilities.
"Tomcat" admin: Tomcat servers with admin panels.
"Docker" port:2375: Docker instances on default port.
vuln:"[CVE-ID]": Searches for vulnerabilities with a specific CVE ID.
"200 OK" ssl: Servers with SSL certificates returning 200 OK.
"Server: Apache" -"mod_ssl" -"OpenSSL": Apache servers potentially without SSL encryption.
ssl.cert.expired:"true": Devices with expired SSL certificates.
"heartbleed" vuln: Searches for vulnerabilities related to Heartbleed.
http.component:"Drupal" vuln:"CVE-2018-7600": Drupal sites vulnerable to a specific CVE.
"Authentication: disabled": Devices with authentication disabled.
http.title:"Index of /": Directories with potentially open indexes.
ssl:"TLSv1": Searches for devices using the older TLSv1 protocol.
org:"[organization]" vuln:"[CVE-ID]": Searches for vulnerabilities within a specific organization.
"EternalBlue" vuln: Devices vulnerable to EternalBlue.
"Joomla" vuln: Joomla sites with specific vulnerabilities.
"WordPress" vuln: WordPress sites with specific vulnerabilities.
"SQL Injection" vuln: Devices vulnerable to SQL Injection.
"DDoS" vuln: Devices potentially vulnerable to DDoS attacks.

Geographic and Demographic Analysis
city:"[city]" os:"[OS]": Devices with a specific OS in a city.
country:"[country]" product:"[product]": Specific devices in a country.
region:"[region]": Devices in a specific region.
postal:"[postal code]": Devices in a specific postal code.
latitude:"[latitude]" longitude:"[longitude]": Devices at specific coordinates.
area:"[area code]": Devices in a specific area code.

Combined Queries
os:"Linux" port:"22" "SSH" country:"JP": Linux devices with SSH in Japan.
product:"Apache" version:"2.4.7" -"200 OK": Apache servers not returning 200 OK.
city:"New York" os:"Windows" port:"3389": Windows devices with RDP in New York.
net:"192.168.1.0/24" webcam: Webcams in the 192.168.1.0/24 IP range.
org:"Google" ssl cert:"expired": Expired SSL certificates in Google's infrastructure.
country:"DE" product:"MySQL" version:"5.5" "default password": MySQL databases in Germany.
"HTTP/1.1 401 Unauthorized" city:"London" port:"80": Unauthorized HTTP responses in London.
"Server: Apache" -"Apache-Coyote" country:"BR": Apache servers in Brazil.
hostname:"*.edu" vuln:"CVE-2019-11510": Educational institutions vulnerable to CVE-2019-11510.
"IIS/8.0" -"X-Powered-By" net:"205.251.192.0/18": IIS 8.0 servers in the specified range.