Complete Shodan Dork Cheat Sheet
Your Ultimate Guide to Mastering the World's Most Powerful IoT Search Engine
What is Shodan?
Shodan is a specialized search engine that's fundamentally different from Google or Bing. Instead of searching for content, Shodan scans the internet for connected devices including cameras, servers, IoT devices, industrial control systems, and much more.
Unlike traditional search engines, Shodan provides a way to discover which devices are connected to the internet, where they're located, and who is using them. It's an invaluable tool for security researchers, penetration testers, and IT professionals.
Legal Disclaimer: Use Shodan for educational and legal research purposes only. Unauthorized access to systems is illegal in most countries. Always obtain proper authorization before testing systems.
Primary Keywords:
Table of Contents
- Basic Search Filters
- Network & Location Filters
- HTTP/Web Filters
- SSL/TLS Filters
- Advanced Device Filters
- Pro Tips & Combinations
Basic Search Filters
hostname - Search by Hostname
Description: Search for devices based on specific hostname or domain name.
Component Examples:
http.component:"jQuery"
http.component:"Bootstrap"
http.component:"Angular"
http.component:"React"
- Identify technology stack
- Find sites using specific frameworks
- Research technology adoption
http.favicon.hash - Search by Favicon Hash
Description: Find websites with specific favicon (using MurmurHash).
Use Case:
http.favicon.hash:81586312 (pfSense)
- Identify specific applications by favicon
- Find all instances of a platform
- Track web application deployments
SSL/TLS Certificate Filters
ssl - Search SSL Certificates
Description: Search within SSL/TLS certificate information.
SSL Examples:
ssl.cert.issuer.cn:"Let's Encrypt"
ssl.cert.expired:true
ssl.cert.subject.cn:*.google.com
- Find expired certificates
- Identify organizations by certificates
- Track SSL/TLS implementations
ssl.cert.subject.cn - Certificate Common Name
Description: Search by SSL certificate common name.
Common Name Examples:
ssl.cert.subject.cn:"*.cloudflare.com"
ssl.cert.subject.cn:"mail.example.com"
- Find domains with SSL certificates
- Discover wildcard certificates
ssl.cert.issuer.cn - Certificate Issuer
Description: Search by certificate authority/issuer.
Issuer Examples:
ssl.cert.issuer.cn:"GeoTrust"
ssl.cert.issuer.cn:"Comodo"
ssl.cert.issuer.cn:"GlobalSign"
- Find certificates by CA
- Research CA usage statistics
Advanced Device & Service Filters
device - Search by Device Type
Description: Search for specific types of devices.
Device Types:
device:"firewall"
device:"printer"
device:"storage"
device:"camera"
device:"phone"
- Find IoT devices
- Discover network equipment
- Locate specific hardware
has_screenshot - Devices with Screenshots
Description: Find devices where Shodan has captured screenshots.
Screenshot Examples:
has_screenshot:true http.title:"Dashboard"
- Visual verification of services
- Identify visual interfaces
vuln - Search by Vulnerability (CVE)
Description: Find devices with known vulnerabilities.
Vulnerability Examples:
vuln:CVE-2014-0160 (Heartbleed)
vuln:CVE-2021-44228 (Log4Shell)
- Find vulnerable systems
- Security research and testing
- Vulnerability assessment
tag - Search by Service Tag
Description: Search for devices tagged with specific service categories.
Tag Examples:
tag:webcam
tag:industrial
tag:vpn
tag:cloud
- Find categorized services
- Discover IoT devices
before/after - Search by Date
Description: Filter results by scan date.
Date Examples:
ssh after:15/06/2024
product:"MySQL" after:01/01/2024 before:31/12/2024
- Find recently scanned devices
- Track changes over time
hash - Search by Banner Hash
Description: Search for services with identical banner hashes.
Use Case:
- Find identical services
- Identify service fingerprints
Pro Tips for Mastering Shodan
- Combine Multiple Filters: Use multiple filters together for precise results:
country:US port:22 os:"Ubuntu" product:"OpenSSH" - Use Quotation Marks: For exact phrase matching:
http.title:"Admin Panel" - Exclude Results: Use minus sign to exclude terms:
apache -country:US - Wildcard Searches: Use asterisk for wildcards:
hostname:*.edu - Boolean Logic: Use AND, OR, NOT operators for complex queries
- Learn from Examples: Study Shodan's official documentation regularly
- Ethical Usage: Always use Shodan ethically and legally
- Save Searches: Use Shodan's monitor feature to track changes
- Use Filters Wisely: Start broad, then narrow down with filters
- Check Scan Dates: Remember that Shodan data isn't real-time
Advanced Query Combinations
Real-World Examples:
country:US product:"Apache" vuln:CVE-2021-41773
# Locate MongoDB databases without authentication
product:"MongoDB" port:27017 "mongodb server information"
# Find cameras with default credentials
device:"webcam" http.title:"IP Camera" country:US
# Discover Elasticsearch instances
port:9200 product:"Elasticsearch"
# Find exposed RDP servers
port:3389 country:DE has_screenshot:true
# Locate industrial control systems
tag:industrial port:502 country:US
# Find WordPress sites with specific plugin
http.component:"WordPress" http.html:"wp-content/plugins/vulnerable-plugin"
# Discover IoT devices by manufacturer
device:iot org:"Internet of Things Inc"
# Find Jenkins servers
http.title:"Dashboard [Jenkins]" port:8080
# Locate exposed MySQL databases
product:"MySQL" port:3306 -authentication
Security & Legal Guidelines
- Legal Authorization: Always obtain explicit permission before testing systems
- Responsible Disclosure: Report vulnerabilities to appropriate parties
- Know the Law: Understand cybersecurity laws in your jurisdiction
- Ethical Hacking: Use Shodan for legitimate security research only
- Documentation: Keep records of your security research activities
- Data Privacy: Respect privacy and don't access sensitive information
- Education First: Use Shodan as a learning tool for cybersecurity
Useful Resources
- Official Documentation: https://help.shodan.io
- Shodan Filters: https://www.shodan.io/search/filters
- Shodan Academy: Learn advanced techniques
- Community Forum: Connect with other researchers
- Shodan API: Automate your searches
- Shodan CLI: Command-line interface tools
Practical Examples:
hostname:*.edu
hostname:example.org
hostname:*.gov
- Find servers belonging to specific companies
- Explore infrastructure of a specific domain
- Identify subdomains and related services
port - Search by Port Number
Description: Find services running on a specific port number.
Common Ports:
port:443 (HTTPS)
port:22 (SSH)
port:21 (FTP)
port:23 (Telnet)
port:3389 (RDP)
port:3306 (MySQL)
port:5432 (PostgreSQL)
port:27017 (MongoDB)
port:6379 (Redis)
- Discover SSH servers
- Find web services
- Locate database instances
- Identify specific protocols
product - Search by Product/Software
Description: Search for specific software products or services.
Popular Products:
product:"MySQL"
product:"MongoDB"
product:"OpenSSH"
product:"Microsoft IIS"
product:"Cisco IOS"
product:"Apache Tomcat"
product:"WordPress"
- Find specific technologies
- Identify vulnerabilities in specific products
- Research technology usage statistics
version - Search by Version Number
Description: Find specific versions of products or services.
Version Examples:
product:"OpenSSH" version:"7.4"
product:"nginx" version:"1.18.0"
- Find outdated versions with vulnerabilities
- Identify specific versions for testing
- Track version distribution
os - Search by Operating System
Description: Find devices running a specific operating system.
Operating Systems:
os:"Windows Server 2019"
os:"Ubuntu"
os:"CentOS"
os:"FreeBSD"
os:"macOS"
os:"Windows 7"
- Target specific operating systems
- Find OS-specific vulnerabilities
- Research OS distribution statistics
Network & Location Filters
net - Search by Network/IP Range
Description: Search for devices within a specific IP range using CIDR notation.
Network Examples:
net:10.0.0.0/8
net:172.16.0.0/12
net:203.0.113.0/24
- Scan entire networks
- Search corporate IP ranges
- Analyze local networks
country - Search by Country
Description: Filter results by country using two-letter country codes.
Country Codes:
country:GB (United Kingdom)
country:DE (Germany)
country:CN (China)
country:JP (Japan)
country:RU (Russia)
country:BR (Brazil)
- Geographically locate devices
- Study country-specific infrastructure
- Comply with regional regulations
city - Search by City
Description: Search for devices in a specific city.
City Examples:
city:"Tokyo"
city:"Paris"
city:"Singapore"
city:"Dubai"
- Target specific geographic areas
- Analyze local infrastructure
org - Search by Organization
Description: Search for devices belonging to specific organizations.
Organization Examples:
org:"Microsoft"
org:"Digital Ocean"
org:"Cloudflare"
- Find company-owned infrastructure
- Research organizational assets
asn - Search by Autonomous System Number
Description: Search for devices within a specific ASN.
ASN Examples:
asn:AS16509 (Amazon)
asn:AS8075 (Microsoft)
- Find devices by network provider
- Research ISP infrastructure
HTTP/Web Filters
http.title - Search by Page Title
Description: Search for web pages with specific titles.
Title Examples:
http.title:"Login"
http.title:"phpMyAdmin"
http.title:"Admin Panel"
http.title:"Router"
- Find admin panels
- Discover login pages
- Identify specific web applications
http.html - Search in HTML Content
Description: Search for specific text within HTML content.
HTML Search Examples:
http.html:"default password"
http.html:"index of"
- Find specific content in pages
- Discover exposed information
http.status - Search by HTTP Status Code
Description: Filter results by HTTP response status code.
Status Codes:
http.status:401 (Unauthorized)
http.status:403 (Forbidden)
http.status:500 (Server Error)
- Find accessible pages
- Discover authentication pages
http.component - Search by Web Component
Description: Search for specific web technologies or frameworks.
