Shodan Dorks

Advanced search queries for discovering exposed devices, services, databases, cameras, and vulnerable systems.

10 Categories50+ CommandsCopy Ready

Phase 1

Basic Filters

1#1 Filter by country code (2-letter ISO)

country:"SA" OR country:"US" OR country:"IN"

2#2 Filter by city name

city:"Riyadh" OR city:"Dubai" OR city:"London"

3#3 Filter by GPS coordinates (latitude, longitude)

geo:"24.7136, 46.6753"

4#4 Most important for Bug Bounty - filter by organization

org:"Company Name"

5#5 Filter by hostname (wildcard supported)

hostname:"target.com" OR hostname:"*.target.com"

6#6 Filter by port number

port:"80" OR port:"443" OR port:"22" OR port:"3389"

7#7 Filter by product name

product:"Apache" OR product:"nginx" OR product:"Jenkins"

8#8 Filter by operating system

os:"Windows" OR os:"Linux" OR os:"IOS"

9#9 Filter by software version

version:"1.2.3"

10#10 Find SSL certificates with specific CN

ssl.cert.subject.CN:"target.com"

11#11 Only show results with screenshots

has_screenshot:true

Phase 2

Exposed Admin Panels & Dashboards

1#1 Dashboard/Admin panels on port 80

http.title:"Dashboard" OR http.title:"Admin" port:"80"

2#2 Jenkins CI/CD panels

http.title:"Jenkins" OR http.title:"Jenkins"

3#3 Grafana/Kibana monitoring dashboards

http.title:"Grafana" OR http.title:"Kibana"

4#4 phpMyAdmin database management (favicon hash)

http.title:"phpMyAdmin" OR http.favicon.hash:-123456

5#5 Fortinet FortiPortal/FortiGate

http.title:"FortiPortal" OR http.title:"FortiGate"

6#6 Git repository management tools

http.title:"FleetCart" OR http.title:"Forgejo" OR http.title:"Gitea"

7#7 Camera/webcam viewing interfaces

http.title:"IPCam Client" OR http.title:"Live View" port:"80"

8#8 NVR/DVR surveillance systems

http.title:"Blue Iris" OR http.title:"NVR" OR http.title:"DVR"

Phase 3

Databases & Storage

1#1 MongoDB NoSQL database (default port 27017)

product:"MongoDB" port:"27017"

2#2 Redis in-memory data store

product:"Redis"

3#3 MySQL database server

product:"MySQL" port:"3306"

4#4 Elasticsearch search engine

product:"Elasticsearch" port:"9200"

5#5 CouchDB NoSQL database

product:"CouchDB" port:"5984"

6#6 PostgreSQL database

port:5432 "PostgreSQL"

7#7 Redis with authentication disabled

port:"6379" "authentication disabled" (Redis)

8#8 MongoDB with authentication disabled

port:"27017" "authentication disabled" (MongoDB)

9#9 Elasticsearch with exposed info

port:9200 "MongoDB Server Information"

Phase 4

Cameras & IoT Devices

1#1 Hikvision IP cameras

product:"Hikvision IP Camera"

2#2 Webcam/IP camera clients

http.title:"IPCam Client" OR Server:"webcam"

3#3 Live camera view interfaces

http.title:"Live View" OR http.title:"Live View" port:"80"

4#4 Webcam/IoT devices

device:"webcam"

5#5 Blue Iris NVR software

http.title:"Blue Iris" OR http.title:"NVR"

6#6 MJPEG video streams on port 8080

port:"8080" "MJPEG Stream"

7#7 RTSP streaming protocol

port:"554" "RTSP/1.0"

8#8 DVR/NVR surveillance systems

http.title:"DVR" OR http.title:"NVR" port:"80"

Phase 5

Industrial Control Systems (ICS/SCADA)

1#1 Modbus TCP (port 502) - ICS protocol

port:"502" (Modbus)

2#2 EtherNet/IP (port 44818) - Rockwell Automation

port:"44818" (EtherNet/IP)

3#3 DNP3 (port 20000) - Distributed Network Protocol

port:"20000" (DNP3)

4#4 BACnet (port 47808) - Building automation

port:"47808" (BACnet)

5#5 Schneider Electric/Siemens ICS devices

product:"Schneider Electric" OR product:"Siemens"

6#6 Industrial devices on HTTPS

port:"443" "Rockwell" OR "Schneider"

7#7 Filter by ICS tag in Shodan

tag:ics

8#8 Siemens S7 PLC (port 102)

port:"102" "Siemens S7"

Phase 6

Remote Access & Services

1#1 SSH (port 22) - Secure Shell

port:"22" "SSH-2.0"

2#2 Telnet (port 23) - Unencrypted remote access

port:"23" "Telnet" OR "login:"

3#3 RDP (port 3389) - Remote Desktop Protocol

port:"3389" "RDP" OR "NLA"

4#4 VNC (port 5900) - Virtual Network Computing

port:"5900" "RFB" OR "VNC"

5#5 SMTP (port 25) - Email server

port:"25" "SMTP" OR "220"

6#6 NetBIOS/SMB (port 139) - Windows file sharing

port:"139" "NetBIOS" OR "SMB"

7#7 SMB (port 445) - Direct SMB over TCP

port:"445" "SMB" OR "Microsoft-DS"

8#8 PPTP (port 1723) - VPN protocol

port:"1723" "PPTP"

Phase 7

Sensitive Files & Exposed Directories

1#1 Directory listing enabled (Index of /)

http.title:"Index of /"

2#2 Parent directory listing

http.title:"Index of /" "parent directory"

3#3 Exposed SSH private keys in response

http.html:"BEGIN RSA PRIVATE KEY" OR http.html:"BEGIN OPENSSH PRIVATE KEY"

4#4 Environment/config files exposed

http.html:".env" OR http.html:"config.php" OR http.html:"database.yml"

5#5 API keys/secrets in HTTP response

http.html:"api_key" OR http.html:"aws_secret" OR http.html:"password"

6#6 Certificate/key files exposed

http.html:".pem" OR http.html:".crt" OR http.html:".pfx"

7#7 SSH keys in HTML response

http.html:"id_rsa" OR http.html:"id_dsa" OR http.html:"authorized_keys"

8#8 Database/backup/log files exposed

http.html:".sql" OR http.html:".db" OR http.html:".log"

Phase 8

Bug Bounty Specific Recon

1#1 Find exposed directories for target org

org:"targetcompany" http.title:"Index of /"

2#2 Admin panels for specific hostname

hostname:"target.com" http.title:"Dashboard" port:"80" OR port:"443"

3#3 Login pages for target organization

org:"target" port:"80" http.title:"login" OR http.title:"admin"

4#4 Services with auth disabled on subdomains

hostname:"*.target.com" "authentication disabled"

5#5 Bug bounty with screenshots enabled

org:"target" has_screenshot:true port:"80" OR port:"443"

6#6 Expired SSL certificates

hostname:"target.com" ssl.cert.expired:true

7#7 Known CVEs in target's infrastructure

org:"target" vuln:"CVE-2021-XXXX"

Phase 9

Advanced & Powerful Combinations

1#1 Org + Country + Product + Version

org:"target" country:"US" product:"Apache" version:"2.4.49"

2#2 Exclude login/admin from results

hostname:"target.com" http.title:"Index of /" -http.title:"login" -http.title:"admin"

3#3 Parentheses for grouping conditions

port:"80" OR port:"443" (org:"target") AND has_screenshot:true

4#4 Search for specific CVEs (Log4j example)

vuln:CVE-2021-41773 OR vuln:CVE-2021-44228 (Log4j)

5#5 Filter by date range

org:"target" after:"2025-01-01" before:"2026-01-01"

6#6 Find services by favicon hash

http.favicon.hash:-1041246900 (Jenkins favicon)

7#7 Combined: Org + SSL expired + screenshots

org:"target" port:"443" ssl.cert.expired:true has_screenshot:true

Phase 10

Mitigation & Prevention

1Use VPN or IP whitelisting for admin access

#1: Never expose admin panels to the public internet

2Monitor CVE databases for your tech stack

#2: Keep software updated and patched

3Change default credentials, enable 2FA, restrict ports

#3: Use strong authentication and firewalls

4Set up alerts when new services appear in Shodan

#4: Monitor Shodan for your organization

5Configure server to prevent Index of / exposure

#5: Disable directory listing on web servers

6Avoid self-signed or expired certificates

#6: Use SSL/TLS properly with valid certificates

Tools

Tools & Resources

Shodan

Official Shodan search engine

Shodan Dorks List

CoffinXP Shodan Dorks repository

Shodan CLI

Command-line interface for Shodan

Shodan API Documentation

Official API docs for automated queries