a curated list of shodan dorks for finding sensitive data in shodan.io
ex : Searching for slack API token on all the scanned websites
http.html:"xoxb-"
- One of the most accurate way of finding services
ex- Find all jenkins server :
http.favicon.hash:81586312
Tip: https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv
ex - Find all grafana dashboards
http.title:"Grafana"
ex - Search all machines vulnerable to 'eternal blue'.
vuln:ms17-010
Search a particular CVE : ex - Services that are vulnerable to Heartbleed
vuln:CVE-2014-0160
Note:This is only available to users of higher API plan
ex - SSH on port 22 or 3333
You can use this to find services on non-standard port.
Like : ssh -port:22
ssh which is not on port 22
ssh port:22,3333
proftpd port:21
ssh -port:22
e.g. Checking for vulnerable win 10 home version
os:"Windows 10 Home 19041"
e.g. All windows 7 machines in India
country:"IN" os:"windows 7"
- Jenkins CI
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
- Docker Private Registries
"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab
- MongoDB mag_right
"MongoDB Server Information" port:27017 -authentication
- FTP Servers with Anonymous Login
"220" "230 Login successful." port:21
- Mongo Express Web GUI
"Set-Cookie: mongo-express=" "200 OK"
ssl.cert.subject.cn:google.com
https://www.shodan.io/host/x.x.x.x
https://www.shodan.io/domain/site.com