Shodan , guide how you can find everything!

Article Metadata

• Category: CTI
• Source article: https://medium.com/@1200km/shodan-guide-how-you-can-find-everything-640f47f41bbe
• Published: 2024-10-24
• Preserved media: 1 image(s), including cover images, screenshots, diagrams, and infographics where present.
• Preserved technical blocks: 0 code/configuration block(s).

Ecosystem Fit

This page mirrors the original Medium article into the 1200km.com Docusaurus ecosystem. The original article flow, images, screenshots, infographics, and technical blocks are preserved from the export.

In this guide, we’ll explore how to navigate Shodan, understand the information it provides, and, most importantly, how to make use of the data you find. From identifying exposed critical infrastructure to locating everyday devices, Shodan opens a window into the connected world. Let’s dive in and learn how to uncover and leverage this powerful resource!

The internet is more than just websites; it’s a vast network of devices, from industrial control systems to home security cameras, all of which can be discovered with the right tools.Shodanis that tool — a powerful search engine for the Internet of Things (IoT). Whether you’re a cyber security professional, researcher, or curious tech enthusiast, Shodan can reveal what devices are exposed to the internet and potentially vulnerable.

About the Author:

I’m Andrey Pautov, a penetration tester and cyber security researcher. My work and research focus on offensive security.

About this guide:

In this guide, I’ll explore many of Shodan’s capabilities, providing a detailed look at what you can uncover. I’ll also include links to my other articles on how to use or exploit the findings you discover, helping you maximize Shodan’s potential in your cybersecurity research.

• Integrating Shodan with HexStrike-AI Using Gemini-CLI ../2025/2025-12-23-integrating-shodan-with-hexstrike-ai-using-gemini-cli-b6f9fcbe8e6e.md

Disclaimer:

This guide is intended for educational purposes only and is aimed at promoting responsible and legal use of Shodan for cybersecurity research. All data, including IP addresses, usernames, and other sensitive information, referenced in this guide were found through open sources that are publicly available on the internet. No systems were harmed or compromised during the creation of this guide.

It is important to note that unauthorized access to systems or networks is illegal and unethical. As the author, I am not responsible for how the information in this guide is used by others. Always ensure you have proper authorization before interacting with any network, device, or system.

What devices can Shodan really find with examples and exploit:

1. Servers and Endpoints with open remote access services

Shodan can locate:

1. FTP (File Transfer Protocol)

• Standard Query:

[port:21](https://www.shodan.io/search?query=port%3A21)

Vulnerable or Misconfigured FTP Servers:

• Anonymous Access Enabled:

[port:21 "230"](https://www.shodan.io/search?query=port%3A21+%22230%22)

[port:21 Login successful](https://www.shodan.io/search?query=port%3A21+Login+successful)

Full explanation about FTP cracking in my other posthere

2. Remote Desktop Protocol (RDP) services

• Standard Query:

[port:3389](https://www.shodan.io/search?query=port%3A3389)

Vulnerable or Misconfigured RDP Services:

• RDP with Screenshot Available or username (potential for exposed sensitive information):

[port:3389 has_screenshot:true](https://www.shodan.io/search?query=port%3A3389+has_screenshot%3Atrue)

[port:3389 "Administrator"](https://www.shodan.io/search?query=port%3A3389+has_screenshot%3Atrue)

Full explanation about RDP cracking in my other posthere

3. Telnet

• Standard Query:

[port:23](https://www.shodan.io/search?query=port%3A23)

Vulnerable or Misconfigured Telnet Services:

• Telnet with Login Prompt (susceptible to brute force attacks):

[port:23 "Login"](https://www.shodan.io/search?query=port%3A23+%22Login%22)

• Telnet Not Requiring Authentication:

Already Logged-In as root via Telnet: ["root@" port:23 -login -password -name -Session](https://www.shodan.io/search?query=%22root%40%22+port%3A23+-login+-password+-name+-Session)

No password for Telnet Access: [port:23 console gateway](https://www.shodan.io/search?query=port%3A23+console+gateway)

Full explanation about Telnet cracking in my other posthere

3. SSH

[port:22](https://www.shodan.io/search?query=port%3A22)

Full explanation about SSH cracking in my other posthere

4. RTSP

• Standard Query:

[port:554](https://www.shodan.io/search?query=port%3A554)

Vulnerable or Misconfigured RTSP Services:

• RTSP with Screenshot Available (can indicate unsecured streams):

[port:554 has_screenshot:true](https://www.shodan.io/search?query=port%3A554+has_screenshot%3Atrue)

• Unauthenticated RTSP Streams:

[port:554 "401 Unauthorized"](https://www.shodan.io/search?query=port%3A554+%22401+Unauthorized%22)

Full explanation about RTSP cracking in my other posthere

5.Web servers

Full explanation about Web Interface cracking in my other posthere

What is Shodan dorks?

“Shodan dorks” refer to the search queries used on the Shodan search engine. Shodan is a tool that scans and indexes devices connected to the internet, ranging from webcams and routers to servers and industrial control systems. Shodan collects data from these devices, such as banners which can contain information about the software and versions running, any services exposed to the internet, and sometimes even the physical location of the device.

Understanding Shodan Dorks

A Shodan dork is essentially a search string that uses specific search syntax to filter through the indexed data collected by Shodan. These dorks can be simple or complex, depending on the user’s familiarity with the syntax and the specific data they are trying to extract. For example:

• Searching for all devices within a specific country:country:"US"

• Finding devices running a specific web server:server:"Apache"

• Locating devices with a specific port open:port:21

Uses of Shodan Dorks

**1. Security Research:**Security professionals use Shodan dorks to find devices that may be vulnerable to exploits, helping to identify and mitigate risks before they can be exploited by malicious actors.

**2. Network Monitoring:**System administrators can use Shodan to monitor the internet exposure of their network and ensure that no unexpected services or devices are publicly accessible.

**3. Educational Purposes:**Educators and students use Shodan for research and learning about the distribution of devices and services across the internet, enhancing their understanding of the global digital infrastructure.

**4. Market Research:**Companies can use Shodan to gauge how widely their products are being used or to find the usage stats of competitors’ products.

Crafting Effective Shodan Dorks

To effectively use Shodan dorks, one must understand the various filters and operators that Shodan supports. This includes geographic filters, service or product filters, and more complex boolean operators that allow for detailed and refined searches. Mastery of these dorks can yield powerful insights and a comprehensive view of the internet’s infrastructure landscape.

In summary, Shodan dorks are powerful tools in the hands of those who know how to use them, allowing for detailed searches and analysis of the devices that make up the internet. However, it’s important to approach this capability responsibly, given the potential security and privacy implications.

Table of Contents

• Cameras

• Industrial Control Systems

• Network Infrastructure

• Files and Directories

• Compromised Devices and Websites

• Miscellaneous

Cameras

General Camera Searches

• General Camera Search: Explore a broad spectrum of cameras connected all over the world.

• Search here

Specific Camera Brands and Features

• Hikvision IP Cameras: Popular in security settings, these cameras have known vulnerabilities.

• Search Hikvision Cameras

• Backdoor exploit details

• IPCam Client Webcams: Frequently used in personal and home security systems.

• Search IPCam Client

• GeoVision Webcams: These older models can still be found in operation today.

• Search GeoVision Webcams

• Avigilon Camera Devices: Known for their high-definition surveillance capabilities.

• Search Avigilon Cameras

• Vivotek IP Cameras: A staple in commercial and residential security systems.

• Search Vivotek Cameras

Vulnerable and Accessible Cameras

• DVR CCTV Cameras: These are often accessible via HTTP and may lack robust security.

• Search DVR CCTV Cameras

• Netwave IP Cameras: Known for specific vulnerabilities related to content length.

• Search Netwave IP Cameras

• Merit LILIN Cameras: This UK-based provider’s cameras can be specifically identified by their authentication headers.

• Search Merit LILIN Cameras

Miscellaneous Camera Queries

• ACTi Cameras: These are various IP camera and video management system products.

• Search ACTi Cameras

• Yawcam Software: Used for webcam viewing and streaming.

• Search Yawcam Webcams

• UI3 for Blue Iris: A popular HTML5 web interface for managing Blue Iris software setups.

• Search UI3 Cameras

• Unsecured Linksys Webcams: Particularly those with the model identifier tm01.

• Search Unsecured Linksys Webcams

Less Common Searches

• Webcams with Screenshots: These offer a direct glimpse through the camera via Shodan’s screenshot feature.

• Search Webcams with Screenshots

• Webcams on webcam 7 and webcamXP: Software-specific searches that reveal cameras using these applications.

• Search webcamXP

• Search webcam 7

• Blue Iris Webcams: These are known for remote viewing capabilities.

• Search Blue Iris Webcams

• Canon Security Cameras: High-end security cameras manufactured by Canon.

• Search Canon VB-M600 Cameras

• i-Catcher Console CCTV Systems: These systems use the i-Catcher console for operations.

• Search i-Catcher CCTV Systems

• Linksys WVC80N Cameras: Specific model of Linksys cameras.

• Search Linksys WVC80N Cameras

Industrial Control Systems

Major Industrial Protocols

• EtherNet/IP: Widely used in factory automation and other industrial environments.

• Search for EtherNet/IP devices

• Siemens S7: A key protocol in automation, known for its robustness and vulnerability in industrial networks.

• Search for Siemens S7 controllers

• Modbus: Essential for SCADA systems and often targeted for its critical role in industrial operations.

• Search for Modbus devices

• BACnet: Used in building management systems, overseeing everything from heating to security systems.

• Search for BACnet devices

Specialized Industrial Searches

• Niagara Fox: Utilized in building automation for managing utilities like heating, ventilation, and air conditioning.

• Search for Niagara Fox devices

• Gas Station Pump Controllers: These devices manage fuel inventory and can be accessed to monitor stock levels.

• Search for gas station pump controllers

• VNC Servers: Remote desktop services that may be unsecured, providing a direct window into operational systems.

• Search for VNC servers with disabled authentication

• Additional VNC Server search

Monitoring and Control Devices

• IEC 60870–5–104: Used primarily in electric power systems for communication between control stations and substations.

• Search for IEC 60870–5–104 devices

• Siemens Industrial Automation: Includes devices used extensively in automated manufacturing processes.

• Search for Siemens industrial automation devices

• Omron FINS: Protocol used for communication between network devices and controllers.

• Search for Omron FINS devices

• DICOM Medical X-Ray Machines: Critical healthcare devices that are often connected to networks for remote diagnostics.

• Search for DICOM X-Ray machines

Miscellaneous Industrial Equipment

• PCWorx: A protocol used by various programmable logic controllers.

• Search for PCWorx devices

• DNP3: Commonly used in utilities for communicating various types of data including telemetry.

• Search for DNP3 devices

• ProConOS: Another PLC-related protocol designed for real-time execution of processes.

• Search for ProConOS devices

• XZERES Wind Turbines: For monitoring and controlling wind energy production.

• Search for XZERES Wind Turbines

• MELSEC-Q: Mitsubishi Electric’s sequence controllers for manufacturing processes.

• Search for MELSEC-Q devices—251 results

Highly Specific and Niche Searches

• Door / Lock Access Controllers: Essential for security management within buildings.

• Search for access controllers

• C4 Max Commercial Vehicle GPS Trackers: Used for tracking and logistics of commercial vehicles.

• Search for GPS trackers

• Nordex Wind Turbine Farms: Controls and monitors wind farms, crucial for sustainable energy management.

• Search for Nordex Control systems

• Electric Vehicle Chargers: Part of the expanding infrastructure for electric vehicles.

• Search for electric vehicle chargers

• GaugeTech Electricity Meters: Devices used to measure and communicate electricity usage.

• Search for GaugeTech meters

Network Infrastructure

Database Technologies

• General MySQL Database Search: Widely used in various applications, MySQL databases are pivotal for data management.

• Search MySQL databases

• Remote PostgreSQL Connections: PostgreSQL is known for its robustness and is used in critical applications requiring reliable data storage.

• Search PostgreSQL connections

• Default MongoDB Instances: MongoDB is popular in modern web applications but often misconfigured for security.

• Search default MongoDB instances

• Search MongoDB server information

• Open Elasticsearch Databases: Elasticsearch is critical for big data and analytics environments, often containing sensitive data.

• Search open Elasticsearch databases

Management and Configuration Interfaces

• Jenkins CI: A popular automation server often used for continuous integration and delivery.

• Search Jenkins CI instances

• Cisco Smart Install: A legacy management protocol that can be exploited if left accessible online.

• Search Cisco Smart Install clients

• Apache CouchDB: A NoSQL database used for web apps that require scalable, flexible data storage.

• Search listed Apache CouchDB

Network Devices and Tools

• Android Debug Bridge: Provides a terminal interface for managing Android devices, often left open unintentionally.

• Search Android Root Bridges

• Polycom Video Conferencing: These devices are crucial for business communications but can expose meetings if misconfigured.

• Search Polycom systems

• Pi-hole Open DNS Servers: DNS servers that block ads at the network level but can be manipulated if exposed.

• Search open Pi-hole DNS servers

Vulnerabilities and Misconfigurations

• Exposed MongoDB Express Web Interfaces: Web interfaces for MongoDB that should not be accessible without authentication.

• Search exposed MongoDB Express interfaces

• Citrix Virtual Apps: Used for remote applications and desktops, these systems can give access to an organization’s internal networks if compromised.

• Search Citrix applications

• PBX IP Phone Gateways: Essential for managing VoIP services, these gateways must be secured against unauthorized access.

• Search PBX gateways

Miscellaneous

• Docker Private Registries: Private Docker registries can contain sensitive images and should be secured.

• Search Docker private registries

• Vulnerable CouchDB Instances: Specifically targeting older or misconfigured CouchDB instances.

• Search vulnerable CouchDB instances

General Printer Searches

• General Printer Search: This query provides a broad view of printers connected across the globe, regardless of brand or type.

• Search general printers—91,880 results

• Brand-Specific Printer Searches

• HP Printers Remote Restart: HP printers are common in both business and personal environments. This search finds devices that may allow remote restart commands.

• Search HP printers with remote restart capability

• Canon Printer HTTP Servers: Canon printers with HTTP servers can often be managed remotely.

• Search Canon printers

• HTTP Accessible Epson Printers: These printers are accessible over HTTP, potentially allowing for unsecured access to the device’s functions.

• Search HTTP accessible Epson printers

Security and Configuration

• Samsung Printers with SyncThru Web Service: Samsung’s SyncThru service helps manage print settings and device configuration.

• Search Samsung printers with SyncThru

• Unsecured Telnet Access to Printers: Printers with unsecured Telnet access can pose significant security risks.

• Search printers with unsecured Telnet access

• Remote Access to Xerox Printers: Xerox printers that support remote access through SSL/TLS.

• Search Xerox printers with remote access

Miscellaneous Printer Searches

• Epson Printers via HTTP Server: This query targets Epson printers specifically offering HTTP services.

• Search Epson printers via HTTP

• Lexmark Printer Control Panels: Access to Lexmark printer control panels can offer insights into the printer’s management.

• Search Lexmark printer control panels

• HP LaserJet Printers via HTTP: Targeting HP LaserJet models that are accessible via HTTP.

• Search HP LaserJet printers

• Brother Printers Admin Interface: These searches target Brother printers with exposed admin interfaces.

• Search Brother printers admin interface

• Printers with FTP Access: Some printers offer FTP services for file transfers, which can be an entry point for security risks.

• Search printers with FTP access

Files and Directories

Exploring Open Directories

• Open Lists of Files and Directories: Discover directories openly indexed on the internet, potentially exposing sensitive files.

• Search open file lists

• Open Lists on Port 80: Specifically focusing on web servers configured to list contents publicly on the default HTTP port.

• Search open lists on port 80

Network File Sharing Vulnerabilities

• Samba Shares with Authentication Disabled: Critical exposures where Samba shares have been configured without any form of authentication.

• Search Samba shares with disabled authentication

• Anonymous Access Allowed FTP: FTP servers that permit anonymous access, potentially allowing anyone to download or upload files.

• Search FTP with anonymous access

• FTP Access Without Credentials: Servers indicating successful logins without the need for credentials.

• Search FTP servers allowing access without credentials

Specific FTP Configurations and Vulnerabilities

• Filezilla FTP: Targeting Filezilla servers, commonly used for file sharing and management.

• Search Filezilla FTP servers

• NDMP on FTP Port 10000: Searching for Network Data Management Protocol services running on a non-standard FTP port.

• Search NDMP services on FTP port 10000

• Vulnerable vsftpd Service: Specifically targets vulnerable versions of the vsftpd server, known for critical security flaws.

• Search vulnerable vsftpd servers

• Miscellaneous File Exposures

• QuickBooks Files Shared Over Network: Focuses on network shares that expose QuickBooks financial data, which could be extremely sensitive.

• Search QuickBooks files over network

• Compromised Devices and Websites

Indicators of Compromise

• General Hacked Label Search— Looks for devices labeled as hacked.

• Ransomware Infected RDP Services — Targets RDP services compromised with ransomware.

Compromised devices and websites

General Search for Hacked Devices

• General Hacked Label Search: A broad search to find devices and systems labeled as “hacked.”

• Search for ‘hacked’ labels

Specific Compromised Systems

• Compromised Legacy Systems on Port 4444: Targets older systems that are often less secure and still operating.

• Search compromised systems on port 4444

• Compromised Routers Labeled HACKED-ROUTER: Specifically looking for routers that have been compromised and labeled as such.

• Search for HACKED-ROUTER

• Search for additional compromised routers

Hacked Website Indicators

• Hacked By in HTTP Title: Websites that have been defaced and include a “Hacked by” message in the HTTP title.

• Search for websites with ‘Hacked by’ in title

• Search for variations of ‘Hacked by’ in title

Specific Types of Compromise

• Compromised Hosts Advertising Default Password: Devices that have been compromised and now display a message about having had a default password.

• Search for devices advertising default passwords

• Compromised FTP Servers: FTP servers that have been hacked, potentially allowing unauthorized access to stored data.

• Search for compromised FTP servers

Ransomware and Malware

• Ransomware Infected RDP Services: Remote desktop services that have been infected with ransomware, often displaying messages demanding payment.

• Search for ransomware-infected RDP services

• Owned By Label in HTTP Title: Another form of website defacement where the title is changed to show ownership by the hacker.

• Search for ‘Owned by’ in HTTP title

Bitcoin and Cryptocurrency Threats

• Bitcoin Ransomware with Screenshot: Specifically targets Bitcoin-related ransomware that includes screenshots, a tactic used to prove control.

• Search for Bitcoin ransomware with screenshots

Miscellaneous

Dashboard and Control Panel Interfaces

• General Dashboard Interfaces: These are common entry points for the administration of various systems and devices.

• Search for general dashboard interfaces

• Control Panel Access Points: Specifically looks for web-based control panels used in network management and system configurations.

• Search for control panel access points

Specific Server Configurations

• Minecraft Servers: Identifies active servers running Minecraft, a popular online game, which can reveal the game’s network infrastructure.

• Search for Minecraft servers

• Tesla-related Interfaces: Searches for network interfaces related to Tesla, which might include charging stations or other Tesla-related technology.

• Search for Tesla-related interfaces

Geographically Specific Searches

• Everything in North Korea: A search designed to uncover any internet-connected devices within specified North Korean IP ranges.

• Search for devices in North Korea

Utility and Infrastructure

• EIG Electricity Meters: These searches target specific utility meters, which can provide insights into the infrastructure and operational technology of utility providers.

• Search for EIG electricity meters

Configuration Vulnerabilities

• Misconfigured WordPress Installations: This query finds WordPress installations that have mistakenly exposed their setup configurations to the public, posing significant security risks.

• Search for misconfigured WordPress installations

Conclusion: The Broad Reach of Shodan

Exploring Shodan has uncovered a wide spectrum of exposed and vulnerable devices, from everyday objects like printers to critical infrastructure like industrial controls. This exploration underscores the vastness of the digital world and the urgent need for enhanced cybersecurity awareness and measures. Shodan not only illuminates the hidden corners of the internet but also highlights the importance of proactive digital hygiene practices. Let this guide inspire you to further explore and secure our interconnected digital landscape, making the internet a safer place for everyone.

1200km@gmail.com