Fascinating & Frightening Shodan Search Queries (AKA: The Internet of Sh*t)
Over time, I’ve collected an assortment of interesting, funny, and depressing search queries to plug into Shodan, the (literal) internet search engine. Some return facepalm-inducing results, while others return serious and/or ancient vulnerabilities in the wild.
You can assume these queries only return unsecured/open instances when possible. For your own legal benefit, do not attempt to login (even with default passwords) if they aren’t! Narrow down results by adding filters like country:US or org:"Harvard University" or hostname:"nasa.gov" to the end.
The world and its devices are quickly becoming more connected through the shiny new Internet of Sh*t — and exponentially more dangerous as a result. To that end, I hope this list spreads awareness (and, quite frankly, pant-wetting fear) rather than harm.
And as always, discover and disclose responsibly! 😊
Industrial Control Systems:
Samsung Electronic Billboards →
"Server: Prismview Player"
Gas Station Pump Controllers →
"in-tank inventory" port:10001
Automatic License Plate Readers →
P372 "ANPR enabled"Traffic Light Controllers / Red Light Cameras →
mikrotik streetlightVoting Machines in the United States →
"voter system serial" country:USPrison Pay Phones →
"[2J[H Encartele Confidential"Tesla PowerPack Charging Status →
http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
Electric Vehicle Chargers →
"Server: gSOAP/2.8" "Content-Length: 583"Nordex Wind Turbine Farms →
http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"C4 Max Commercial Vehicle GPS Trackers →
"[1m[35mWelcome on console"
DICOM Medical X-Ray Machines →
Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.
"DICOM Server Response" port:104Siemens Industrial Automation →
"Siemens, SIMATIC" port:161Siemens HVAC Controllers →
"Server: Microsoft-WinCE" "Content-Length: 12581"Door / Lock Access Controllers →
"HID VertX" port:4070Railroad Management →
"log off" "select the appropriate"Remote Desktop:
Unprotected VNC →
"authentication disabled" "RFB 003.008"Shodan Images is a great supplementary tool to browse screenshots, by the way! →
Windows RDP →
99.99% are secured by a secondary Windows login screen.
"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"Network Infrastructure:
MongoDB →
Older versions were insecure by default. Very scary.
"MongoDB Server Information" port:27017 -authentication
Jenkins CI →
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
Docker APIs →
"Docker Containers:" port:2375Pi-hole Open DNS Servers →
"dnsmasq-pi-hole" "Recursion: enabled"Already Logged-In as root via Telnet →
"root@" port:23 -login -password -name -SessionAndroid Root Bridges →
A tangential result of Google’s dumb fractured update approach. 🙄 More information here.
"Android Debug Bridge" "Device" port:5555Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords →
Lantronix password port:30718 -securedCitrix Virtual Apps →
"Citrix Applications:" port:1604
Cisco Smart Install →
Vulnerable (kind of “by design,” but especially when exposed).
"smart install client active"PBX IP Phone Gateways →
PBX "gateway console" -password port:23Polycom Video Conferencing →
http.title:"- Polycom" "Server: lighttpd"Telnet Configuration: →
"Polycom Command Shell" -failed port:23
Bomgar Help Desk Portal →
"Server: Bomgar" "200 OK"Intel Active Management CVE-2017–5689 →
"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995HP iLO 4 CVE-2017–12542 →
HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" port:1900Outlook Web Access:
Exchange 2007 →
"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"
Exchange 2010 →
"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392
Exchange 2013 / 2016 →
"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"
Lync / Skype for Business →
"X-MS-Server-Fqdn"Network Attached Storage (NAS):
SMB (Samba) File Shares →
Produces ~500,000 results…narrow down by adding “Documents” or “Videos”, etc.
"Authentication: disabled" port:445Specifically domain controllers: →
"Authentication: disabled" NETLOGON SYSVOL -unix port:445Iomega / LenovoEMC NAS Drives →
"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"
Buffalo TeraStation NAS Drives →
Redirecting sencha port:9000
Logitech Media Servers →
"Server: Logitech Media Server" "200 OK"
Plex Media Servers →
"X-Plex-Protocol" "200 OK" port:32400Tautulli / PlexPy Dashboards →
"CherryPy/5.1.0" "/home"
Home Devices:
Yamaha Stereos →
"Server: AV_Receiver" "HTTP/1.1 406"
Apple AirPlay Receivers →
Apple TVs, HomePods, etc.
"\x08_airplay" port:5353Chromecasts / Smart TVs →
"Chromecast:" port:8008Crestron Smart Home Controllers →
"Model: PYNG-HUB"Random Stuff:
OctoPrint 3D Printer Controllers →
title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944
Etherium Miners →
"ETH - Total speed"
Apache Directory Listings →
Substitute .pem with any extension or a filename like phpinfo.php.
http.title:"Index of /" http.html:".pem"Too Many Minecraft Servers →
"Minecraft Server" "protocol 340" port:25565Literally Everything in North Korea 🇰🇵 →
net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24TCP Quote of the Day →
Port 17 (RFC 865) has a bizarre history…
port:17 product:"Windows qotd"Find a Job Doing This! 👩💼 →
"X-Recruiting:"If you’ve found any other juicy Shodan gems, whether it’s a search query or a specific example, definitely drop a response below or open an issue/PR on GitHub!
Bon voyage, fellow penetrators! 😉
Originally published at https://jarv.is on May 4, 2019.
