Look at the SSL certificate name / trade name or company name:
-> ssl:"adam&co,inc" 200
-> http.title:"grafana" 200 (also narrow the results with the org filter)
1. Search for secret API keys publicly exposed on websites:
e.g. searching for Slack API tokens on all scanned websites:
http.html:"xoxb-"
Try other regexes like:
{
  "Slack Token": "(xox[pborsa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})",
  "RSA private key": "-----BEGIN RSA PRIVATE KEY-----",
  "SSH (DSA) private key": "-----BEGIN DSA PRIVATE KEY-----",
  "SSH (EC) private key": "-----BEGIN EC PRIVATE KEY-----",
  "PGP private key block": "-----BEGIN PGP PRIVATE KEY BLOCK-----",
  "AWS API Key": "((?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})",
  "Amazon MWS Auth Token": "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
  "AWS API Key": "AKIA[0-9A-Z]{16}",
  "AWS AppSync GraphQL Key": "da2-[a-z0-9]{26}",
  "Facebook Access Token": "EAACEdEose0cBA[0-9A-Za-z]+",
  "Facebook OAuth": "[fF][aA][cC][eE][bB][oO][oO][kK].*['|\"][0-9a-f]{32}['|\"]",
  "GitHub": "[gG][iI][tT][hH][uU][bB].*['|\"][0-9a-zA-Z]{35,40}['|\"]",
  "Generic API Key": "[aA][pP][iI]_?[kK][eE][yY].*['|\"][0-9a-zA-Z]{32,45}['|\"]",
  "Generic Secret": "[sS][eE][cC][rR][eE][tT].*['|\"][0-9a-zA-Z]{32,45}['|\"]",
  "Google API Key": "AIza[0-9A-Za-z\\-_]{35}",
  "Google Cloud Platform API Key": "AIza[0-9A-Za-z\\-_]{35}",
  "Google Cloud Platform OAuth": "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com",
  "Google Drive API Key": "AIza[0-9A-Za-z\\-_]{35}",
  "Google Drive OAuth": "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com",
  "Google (GCP) Service-account": "\"type\": \"service_account\"",
  "Google Gmail API Key": "AIza[0-9A-Za-z\\-_]{35}",
  "Google Gmail OAuth": "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com",
  "Google OAuth Access Token": "ya29\\.[0-9A-Za-z\\-_]+",
  "Google YouTube API Key": "AIza[0-9A-Za-z\\-_]{35}",
  "Google YouTube OAuth": "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com",
  "Heroku API Key": "[hH][eE][rR][oO][kK][uU].*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}",
  "MailChimp API Key": "[0-9a-f]{32}-us[0-9]{1,2}",
  "Mailgun API Key": "key-[0-9a-zA-Z]{32}",
  "Password in URL": "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]",
  "PayPal Braintree Access Token": "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}",
  "Picatic API Key": "sk_live_[0-9a-z]{32}",
  "Slack Webhook": "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}",
  "Stripe API Key": "sk_live_[0-9a-zA-Z]{24}",
  "Stripe Restricted API Key": "rk_live_[0-9a-zA-Z]{24}",
  "Square Access Token": "sq0atp-[0-9A-Za-z\\-_]{22}",
  "Square OAuth Secret": "sq0csp-[0-9A-Za-z\\-_]{43}",
  "Telegram Bot API Key": "[0-9]+:AA[0-9A-Za-z\\-_]{33}",
  "Twilio API Key": "SK[0-9a-fA-F]{32}",
  "Twitter Access Token": "[tT][wW][iI][tT][tT][eE][rR].*[1-9][0-9]+-[0-9a-zA-Z]{40}",
  "Twitter OAuth": "[tT][wW][iI][tT][tT][eE][rR].*['|\"][0-9a-zA-Z]{35,44}['|\"]"
}
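The same regexes are useful from the other side: to check your own site's HTML for exposed tokens before Shodan indexes them. The following is an added example (not part of the original notes) that runs a subset of the patterns above over a constructed sample page and reports masked hits, so the report itself never re-publishes a secret; the sample tokens are fake and the helper names are assumed.

```python
import re

# Subset of the regex list above, reused as a defensive leak scanner over
# page content you own. Added example; the pattern subset is an assumption.
SECRET_PATTERNS = {
    "Slack Token": r"(xox[pborsa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})",
    "RSA private key": r"-----BEGIN RSA PRIVATE KEY-----",
    "AWS API Key": r"((?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})",
    "Google API Key": r"AIza[0-9A-Za-z\-_]{35}",
    "Generic API Key": r"[aA][pP][iI]_?[kK][eE][yY].*['|\"][0-9a-zA-Z]{32,45}['|\"]",
    "Password in URL": r"[a-zA-Z]{3,10}://[^/\s:@]{3,20}:[^/\s:@]{3,20}@.{1,100}[\"'\s]",
}

COMPILED = {name: re.compile(pat) for name, pat in SECRET_PATTERNS.items()}


def mask(value, keep=4):
    """Keep only a short prefix so a finding can be triaged without leaking it."""
    return value[:keep] + "*" * (len(value) - keep) if len(value) > keep else "*" * len(value)


def scan_html(html):
    """Return (pattern name, masked match) pairs found in the given HTML text."""
    findings = []
    for line in html.splitlines():
        for name, rx in COMPILED.items():
            for m in rx.finditer(line):
                findings.append((name, mask(m.group(0))))
    return findings


# Constructed sample page with fake credentials (not real tokens).
SAMPLE_HTML = """<html><head>
<script>
  var slack = "xoxb-000000000000-000000000000-000000000000-abcdef0123456789abcdef0123456789";
  var aws = "AKIAEXAMPLEEXAMPLE00";
  var api_key = "0123456789abcdef0123456789abcdef0123";
  var repo = "https://deploy:hunter22@git.example.test/app.git";
</script>
</head><body>ok</body></html>"""

if __name__ == "__main__":
    for name, masked in scan_html(SAMPLE_HTML):
        print(f"{name}: {masked}")
```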
2. Search using the favicon hash:
- One of the most accurate ways of finding a given service.
e.g. find all Jenkins servers: http.favicon.hash:81586312
List of favicon hashes: <https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv>
3. Search using the website's title:
e.g. find all Grafana dashboards:
http.title:"Grafana"
4. Search for services vulnerable to a particular CVE:
e.g. search all machines vulnerable to EternalBlue: vuln:ms17-010
or search for a particular CVE ID:
e.g. services that are vulnerable to Heartbleed:
vuln:CVE-2014-0160
Note: the vuln filter is only available on higher-tier Shodan plans.
5. Search for a particular port + service:
e.g. SSH on port 22 or 3333:
ssh port:22,3333
or
proftpd port:21
You can also use this to find services on non-standard ports, e.g.:
ssh -port:22
(SSH that is not on port 22)
6. Search for a particular OS:
e.g. checking for a vulnerable Windows 10 Home build:
os:"Windows 10 Home 19041"
7. Combine filters to generate more targeted results:
e.g. all Windows 7 machines in India:
country:"IN" os:"windows 7"
Another tip by godfather orwa:
Important notes/tricks for Shodan:
To find all information related to *.target.*, you first need to identify the organization's name. You can do this by clicking the lock icon -> connection is secure -> certificate is valid.
Use this dork to find all information related to *.target.*
If you are targeting a specific TLD such as *.target.com, then use this dork as shown below.
Hunting on a huge domain will give you loads of results. To filter unnecessary results like say "Invalid URL", use this dork.
You can check all http titles and other info related to the target at "Facet Analysis". Say if you've found pages with "302 Found" in title when filtering with http.title and want to look at these IPs only, use this dork.
Tip: Sometimes domain names will not be accessible, but their corresponding IPs found in Shodan will give you live pages. In such scenarios, dork for this domain name in Google, Bing, URLScan, Web Archive and more.
If you have got a lot of cached entries for the target domain, check manually if some directory is accessible. Try to understand what sort of error you are getting when accessing certain pages and guess the web server used. Then you can do content discovery on the page.
You can also use status codes like 302, 200, 403 in the dork to find pages corresponding to that. It's interesting to look at pages with 403.
Sometimes you can bypass a WAF by accessing the IP of the page rather than the domain name. Once you have an IP without a WAF, fuzz intelligently.
If you have a Windows app domain like an IIS Web Server page, then dork for more results on this domain in Bing for better results.