Shodan Dorking
One-liner: Using advanced search filters and operators on Shodan.io to discover specific vulnerable devices, services, or misconfigurations across the internet.
What Is It?
Shodan Dorking (similar to Google Dorking) is the technique of crafting targeted search queries on Shodan using filters, operators, and keywords to find:
- Vulnerable systems (CVE exploits)
- Misconfigured devices (default credentials)
- Industrial control systems (SCADA, ICS)
- Exposed databases and cameras
- Specific software versions or banners
The term "dork" refers to a pre-crafted search query that reveals something specific, like all internet-connected printers, or devices vulnerable to EternalBlue.
Why It Matters
For Offensive Security
- Rapid reconnaissance: find vulnerable targets instantly
- CVE exploitation: discover unpatched systems
- IoT hunting: locate exposed cameras, routers, smart devices
- Banner analysis: identify software versions for exploit matching
For Defensive Security
- Attack surface mapping: see what attackers see
- Shadow IT discovery: find forgotten or unauthorized devices
- Vulnerability assessment: identify your exposed services before attackers do
- Compliance validation: ensure nothing sensitive is internet-facing
How It Works
Shodan Filters
Shodan uses filters to narrow down search results:
| Filter | Description | Example |
|---|---|---|
| hostname: | Search by hostname | hostname:example.com |
| port: | Find devices with a specific port open | port:3389 |
| country: | Filter by country code | country:"US" |
| city: | Filter by city | city:"London" |
| os: | Operating system | os:"Windows 7" |
| product: | Software/service name | product:"Apache" |
| vuln: | Known CVE vulnerability | vuln:CVE-2017-0144 |
| asn: | Autonomous System Number | asn:AS15169 |
| org: | Organization name | org:"Google" |
| has_screenshot: | Devices with a web interface screenshot | has_screenshot:true |
| http.favicon.hash: | Favicon hash (fingerprinting) | http.favicon.hash:-1776962843 |
Combining Filters
# Basic search
apache
# Apache in US
apache country:"US"
# Apache version 2.4 on port 8080
product:"Apache" "2.4" port:8080
# MySQL databases in Germany on DigitalOcean
product:"MySQL" country:"DE" org:"DigitalOcean"
# Windows RDP servers
port:3389 os:"Windows"
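The queries above follow one simple grammar: whitespace-separated tokens, each either a `filter:value` pair (the value double-quoted when it contains spaces) or a free-text keyword. The following is an added example, not code from the page or from Shodan, that tokenizes that grammar, rebuilds a query with correct quoting, and sanity-checks the filters a blue team most often mistypes (port ranges, country codes, CIDR blocks, ASNs). The filter names come from the table above and are only a subset of Shodan's full list; the function names, `net:` filter handling and sample queries are assumptions made for this example.

```python
"""Parse, validate and rebuild Shodan search queries (added example)."""
import ipaddress
import re
import shlex

# Filters from the table on this page; extend with any others you use.
# Tokens whose prefix is not listed here are treated as free-text keywords,
# so a dork such as "admin:admin" is kept as a keyword, not a filter.
KNOWN_FILTERS = {
    "hostname", "port", "country", "city", "os", "product", "vuln",
    "asn", "org", "has_screenshot", "http.favicon.hash", "net",
}

FILTER_TOKEN = re.compile(r"^([a-z][a-z0-9_.]*):(.*)$", re.S)


def parse_query(query):
    """Return the query as an ordered list of (filter_name, value) pairs.

    Keywords are returned with filter_name=None. shlex honours double
    quotes, so os:"Windows 7" survives as one token with the quotes removed.
    """
    tokens = []
    for token in shlex.split(query):
        m = FILTER_TOKEN.match(token)
        if m and m.group(1) in KNOWN_FILTERS:
            tokens.append((m.group(1), m.group(2)))
        else:
            tokens.append((None, token))
    return tokens


def _needs_quotes(value):
    return value == "" or any(ch.isspace() or ch == '"' for ch in value)


def build_query(tokens):
    """Rebuild a query string, quoting only where Shodan needs it.

    Filter values are quoted when they contain whitespace; keywords are
    always quoted so that a phrase like "IP Camera" stays one term.
    """
    parts = []
    for name, value in tokens:
        if name is None:
            parts.append(f'"{value}"')
        elif _needs_quotes(value):
            parts.append(f'{name}:"{value}"')
        else:
            parts.append(f"{name}:{value}")
    return " ".join(parts)


def validate(tokens):
    """Return a list of problems; an empty list means the query looks sane."""
    problems = []
    for name, value in tokens:
        if name == "port":
            ports = value.split(",")  # Shodan accepts comma-separated ports
            if not all(p.isdigit() and 1 <= int(p) <= 65535 for p in ports):
                problems.append(f"port {value!r} is not in 1-65535")
        elif name == "country" and not re.fullmatch(r"[A-Za-z]{2}", value):
            problems.append(f"country {value!r} should be a two-letter code such as US")
        elif name == "net":
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                problems.append(f"net {value!r} is not a valid IP or CIDR block")
        elif name == "asn" and not re.fullmatch(r"AS\d+", value):
            problems.append(f"asn {value!r} should look like AS15169")
    return problems


if __name__ == "__main__":
    for q in ('product:"Apache" "2.4" port:8080', 'port:70000 country:"Germany"'):
        tokens = parse_query(q)
        print(build_query(tokens), "->", validate(tokens) or "ok")
```

Running a query through `validate()` before it goes into a monitoring job catches the silent failures (a misspelled country code or an out-of-range port simply returns zero results) that otherwise look like "nothing exposed".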
Famous Shodan Dorks
Ransomware-Infected Machines
has_screenshot:true encrypted attention
Uses OCR (Optical Character Recognition) to find ransomware messages on remote desktops.
Industrial Control Systems (ICS)
screenshot.label:ics
# Or specific ICS vendors
"Siemens" "PLC"
"Schneider Electric"
Vulnerable to EternalBlue (MS17-010)
vuln:MS17-010
Note: vuln: filter requires a premium account.
Exposed Webcams
webcam has_screenshot:true
# Or specific webcam brands
"IP Camera" "DVR"
Default Credentials
"default password"
"admin:admin"
Exposed Databases
# MongoDB
product:"MongoDB"
# Elasticsearch
port:9200 product:"Elasticsearch"
# Redis
product:"Redis"
SolarWinds Supply Chain Attack Detection
http.favicon.hash:-1776962843
Identifies SolarWinds Orion instances by their unique favicon hash.
Misconfigured Cloud Storage
"Index of /" "aws s3"
ICS/SCADA Systems
port:502 Modbus
port:102 Siemens
Detection & Prevention
How to Detect
- You cannot directly detect Shodan scans: they're passive from your perspective
- Monitor for unusual connection patterns across many IPs
- Use threat intel feeds that track Shodan scanner IPs
- Alert on services that shouldn't be internet-facing
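Since a Shodan probe looks like any other internet scan, the practical signal is the pattern rather than the source: one address touching many of your hosts (horizontal) or many ports on one host (vertical) inside a short window. The following is an added example, not code from the page, that applies that rule to denied-connection firewall logs. The log format, field names, thresholds and all addresses (documentation ranges) are constructed for the example; map `parse_line()` to your firewall's real format before use.

```python
"""Flag scan-like connection patterns in firewall logs (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not a real capture): one horizontal RDP sweep,
# one vertical port sweep, and one benign client.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z DROP src=198.51.100.7 dst=203.0.113.10 dport=3389 proto=tcp
2024-05-01T10:00:02Z DROP src=198.51.100.7 dst=203.0.113.11 dport=3389 proto=tcp
2024-05-01T10:00:02Z DROP src=198.51.100.7 dst=203.0.113.12 dport=3389 proto=tcp
2024-05-01T10:00:03Z DROP src=198.51.100.7 dst=203.0.113.13 dport=3389 proto=tcp
2024-05-01T10:00:04Z DROP src=198.51.100.7 dst=203.0.113.14 dport=3389 proto=tcp
2024-05-01T10:00:05Z DROP src=198.51.100.7 dst=203.0.113.15 dport=3389 proto=tcp
2024-05-01T10:00:10Z DROP src=198.51.100.9 dst=203.0.113.20 dport=22 proto=tcp
2024-05-01T10:00:11Z DROP src=198.51.100.9 dst=203.0.113.20 dport=23 proto=tcp
2024-05-01T10:00:11Z DROP src=198.51.100.9 dst=203.0.113.20 dport=80 proto=tcp
2024-05-01T10:00:12Z DROP src=198.51.100.9 dst=203.0.113.20 dport=443 proto=tcp
2024-05-01T10:00:13Z DROP src=198.51.100.9 dst=203.0.113.20 dport=8080 proto=tcp
2024-05-01T10:00:20Z ALLOW src=192.0.2.44 dst=203.0.113.20 dport=443 proto=tcp
2024-05-01T10:30:00Z DROP src=192.0.2.44 dst=203.0.113.21 dport=443 proto=tcp
"""

WINDOW_SECONDS = 60   # assumed sliding window
MIN_TARGETS = 5       # assumed minimum distinct (host, port) pairs per window


def parse_line(line):
    """Parse one '<ts> <action> key=value ...' line into a dict."""
    ts, action, *pairs = line.split()
    fields = dict(item.split("=", 1) for item in pairs)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "action": action,
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
    }


def detect_scans(log_text, window=WINDOW_SECONDS, min_targets=MIN_TARGETS):
    """Return {src: (kind, distinct_targets)} for sources that reach at
    least `min_targets` distinct (dst, dport) pairs within `window` seconds.
    kind is 'horizontal' (many hosts, one port), 'vertical' (one host,
    many ports) or 'mixed'; the largest window per source is reported."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            events[event["src"]].append(event)

    findings = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):            # sliding window over this source
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window:
                start += 1
            targets = {(e["dst"], e["dport"]) for e in evs[start:end + 1]}
            if len(targets) < min_targets:
                continue
            hosts = {dst for dst, _ in targets}
            ports = {port for _, port in targets}
            if len(hosts) > 1 and len(ports) == 1:
                kind = "horizontal"
            elif len(hosts) == 1 and len(ports) > 1:
                kind = "vertical"
            else:
                kind = "mixed"
            if src not in findings or len(targets) > findings[src][1]:
                findings[src] = (kind, len(targets))
    return findings


if __name__ == "__main__":
    for src, (kind, count) in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {kind} scan, {count} distinct targets")
```

A horizontal hit on a single admin port is the shape an internet-wide census leaves behind; the useful follow-up is not to chase the scanner but to check whether the swept port is actually open anywhere in the range, which is exactly what the blue-team queries below answer.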
How to Prevent / Mitigate
- Search yourself first: use Shodan to find your own exposed assets
- Remove unnecessary services: don't expose databases, ICS, or admin panels
- Use Shodan Monitor: get alerts when new services appear on your IP ranges
- Change default credentials: immediately upon deployment
- Update software: patch CVEs that Shodan can detect
- Implement VPN/zero trust: put sensitive services behind authentication
- Hide banners: modify service banners to obscure version information
Blue Team Shodan Usage
# Monitor your organization
org:"Your Company Name"
# Check your ASN
asn:AS[YourNumber]
# Look for your IP ranges
net:203.0.113.0/24
# Find exposed admin panels
org:"Your Company" "admin" "login"
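Once the organisation or netblock query returns results, the work is deciding which exposures are intended and which are not. The following is an added example, not code from the page or from Shodan, that triages host-search results against a simple exposure policy. The records are constructed to have the shape of entries in the `matches` list of a Shodan host search (`ip_str`, `port`, `transport`, `product`, `org`, `hostnames`); the policy, severity ranking, company name and all addresses (documentation ranges) are assumptions for the example.

```python
"""Triage Shodan host-search results against an exposure policy (added example)."""

# Constructed sample results shaped like Shodan 'matches' records (not real hosts).
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.5", "port": 443, "transport": "tcp", "product": "nginx",
     "org": "Example Corp", "hostnames": ["www.example.com"]},
    {"ip_str": "203.0.113.5", "port": 80, "transport": "tcp", "product": "nginx",
     "org": "Example Corp", "hostnames": ["www.example.com"]},
    {"ip_str": "203.0.113.9", "port": 22, "transport": "tcp", "product": "OpenSSH",
     "org": "Example Corp", "hostnames": ["bastion.example.com"]},
    {"ip_str": "203.0.113.17", "port": 22, "transport": "tcp", "product": "OpenSSH",
     "org": "Example Corp", "hostnames": []},
    {"ip_str": "203.0.113.23", "port": 3306, "transport": "tcp", "product": "MySQL",
     "org": "Example Corp", "hostnames": []},
    {"ip_str": "203.0.113.31", "port": 3389, "transport": "tcp",
     "product": "Remote Desktop Protocol", "org": "Example Corp", "hostnames": []},
    {"ip_str": "203.0.113.40", "port": 9200, "transport": "tcp", "product": "Elasticsearch",
     "org": "Example Corp", "hostnames": []},
    {"ip_str": "203.0.113.50", "port": 502, "transport": "tcp", "product": None,
     "org": "Example Corp", "hostnames": []},
]

# Assumed policy: what may face the internet, and from which hosts.
ALLOWED_ANYWHERE = {(80, "tcp"), (443, "tcp")}
ALLOWED_ON_HOSTS = {(22, "tcp"): {"203.0.113.9"}}   # SSH only on the bastion

# Assumed severity by port, following the dork categories on this page.
SEVERITY = {
    3306: ("critical", "database"), 27017: ("critical", "database"),
    9200: ("critical", "database"), 6379: ("critical", "database"),
    502: ("critical", "ICS/SCADA"), 102: ("critical", "ICS/SCADA"),
    3389: ("high", "remote admin"), 22: ("high", "remote admin"),
}
_ORDER = {"critical": 0, "high": 1, "medium": 2}


def triage(matches):
    """Return policy violations sorted by severity, each with the single-host
    query that reproduces the finding on Shodan."""
    findings = []
    for m in matches:
        key = (m["port"], m["transport"])
        if key in ALLOWED_ANYWHERE:
            continue
        if m["ip_str"] in ALLOWED_ON_HOSTS.get(key, set()):
            continue
        severity, category = SEVERITY.get(m["port"], ("medium", "unexpected service"))
        findings.append({
            "ip": m["ip_str"],
            "port": m["port"],
            "product": m.get("product") or "unknown",
            "severity": severity,
            "category": category,
            "query": f'net:{m["ip_str"]} port:{m["port"]}',
        })
    findings.sort(key=lambda f: (_ORDER[f["severity"]], f["ip"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_MATCHES):
        print(f'{f["severity"]:8} {f["category"]:18} {f["ip"]}:{f["port"]} '
              f'({f["product"]})  reproduce with: {f["query"]}')
```

Running this over a fresh export on a schedule, and diffing against the previous run, gives the same "new service appeared" signal that Shodan Monitor provides, with the policy kept in your own hands; a finding on a host that is not in your inventory at all is the shadow-IT case from the defensive list above.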
Interview Angles
Common Questions
- Q: What is Shodan Dorking and how does it differ from Google Dorking?
- A: Shodan Dorking uses search filters on Shodan.io to find exposed devices and services by querying Shodan's database of internet-connected systems. Unlike Google Dorking (which searches web pages), Shodan searches service banners, ports, and device metadata.
- Q: How would you use Shodan during a pentest?
- A: First, I'd search for the target's organization or ASN to map their internet-facing infrastructure. Then use filters like vuln:, product:, and port: to identify potentially vulnerable services. Finally, correlate findings with CVE databases for exploitation.
- Q: What's the ethical/legal concern with Shodan Dorking?
- A: Viewing information on Shodan is legal (it's publicly accessible). However, accessing those systems without authorization is illegal. It's a reconnaissance tool; what you do after finding something determines legality.
STAR Example
Situation: A financial client was concerned about exposed internal systems after a data breach at a competitor.
Task: Identify any internet-facing databases or admin panels belonging to the client.
Action: Used Shodan dorks like org:"[Client Name]" product:"MySQL" and port:3389 org:"[Client Name]". Found 3 exposed MySQL instances and 2 RDP servers with weak passwords.
Result: Client immediately secured the databases and disabled RDP access. Prevented potential breach that could have exposed customer financial data.
Best Practices
- Always have written authorization before accessing discovered systems
- Use Shodan for passive recon only; don't exploit findings without permission
- Document all Shodan queries and results with timestamps
- Combine with CVE databases to assess exploitability
- Use Shodan Monitor for continuous asset discovery
Common Misconceptions
- "Shodan scanning is hacking": querying Shodan is legal. Accessing systems without permission is not.
- "Only hackers use Shodan": security teams, researchers, and companies use it for asset management and vulnerability assessment.
- "Shodan reveals everything": it only shows internet-facing services. Internal networks remain hidden unless exposed.
Related Concepts
- Shodan
- Google Dorking
- Banner Grabbing
- Passive Reconnaissance
- Autonomous System Number (ASN)
- Open Source Intelligence (OSINT)
- Vulnerability Scanning
References
- https://www.shodan.io/explore - Popular Shodan Dorks
- https://github.com/jakejarvis/awesome-shodan-queries - Curated Shodan Dorks
- https://help.shodan.io/the-basics/search-query-fundamentals - Official Shodan Search Guide
- TryHackMe: Shodan.io Room