Mastering Shodan Search Engine


Ott3rly

InfoSec Write-ups

Let’s explore the depths of Shodan Dorking to level up your security testing. While Google can find many websites, Shodan lets you find everything else: servers, webcams, washing machines, and so on. Imagine that you are a bad guy; it could be a true gold mine! But of course, I do not endorse anything illegal. The main thing I am trying to teach is a method for getting good leads: finding something that is critical for a certain organization, reporting it, and possibly getting a reward or recognition, AKA bounties.

Watch this video in case you are too lazy to read :)

If you have followed my YouTube videos, you know I’ve been doing recon on the Coca-Cola Company. Even before deep diving into Shodan, I highly suggest gathering some information about the company. One of the prerequisites is getting the company name. You could get it via services like crt.sh, by visiting the main website and inspecting its certificate, or by just checking the footer of the main page. For this particular session, I will use “the Coca-Cola Company” as the organization name.

The first keyword I like to use while doing Shodan Dorking is org with the company name. It is very helpful when testing large companies or organizations. In this instance, the Coca-Cola Shodan dork looks like this:

org:"Coca-Cola Company"

Note: Even if you find some results, it doesn’t mean that they actually belong to the company. Every time, before you do anything to a target, you have to validate it.

In this case, there are only 71 results to work with, so I suggest trying the next Shodan dork, ssl:

ssl:"Coca-Cola Company"

If you want to exclude results with 403 or 400 status codes, you can add 200 to the query to get fewer results:

ssl:"Coca-Cola Company" 200

Alternatively, for the SSL check you could try the ssl.cert.subject.CN:"target.com" dork, where target.com is your target's root domain. For this specific case, the Shodan query for the main subdomain looks like this:

ssl.cert.subject.CN:"coca-cola.com"

If you are getting thousands of results, your next goal is to filter them down to only those that are interesting. I usually click on More… near TOP COUNTRIES or TOP PORTS:

You will be redirected to a page where you can filter the results, for example by port:

Another interesting filter is http.title:

Another interesting thing you can do is search by favicon. As you may have noticed, Coca-Cola has its own favicon. When you have a lot of results, you can click on the icon itself and it will be appended to the query as http.favicon.hash:<hash>:

Later you can remove the other filters and check whether you can enumerate more results using just this hash. Another way to find this favicon hash is from the main website itself, using extensions like fav-up.

When it comes to getting ideas, I have multiple favorite places to look. The first one is the Awesome-Dorks repository on GitHub:

It’s pretty useful for Bug Bounty. There are some extra searches, like by header. For example, checking for Jenkins: html:"Dashboard Jenkins" http.component:"jenkins". The html keyword searches inside the page HTML. Not all Shodan dork repos on GitHub are useful, since not all of them are made for bug bounties, but this repository is extremely helpful.

The next thing I also use is checking for Shodan favicon hashes:

Certain products, like Jenkins, have the same favicon hash everywhere. Atlassian has its own hash, and sometimes even multiple different ones.
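To make the favicon trick from the two passages above concrete, here is an added example (my code, not from the original article, Shodan, or fav-up) that reproduces how the http.favicon.hash value is derived, the same way community tools like fav-up do it: MurmurHash3 (32-bit, reported signed) computed over the base64 text of the favicon rather than its raw bytes. The sample favicon bytes are constructed for illustration; point it at a real favicon.ico to get the number you would put after http.favicon.hash:.

```python
import base64

MASK32 = 0xFFFFFFFF

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (Appleby's reference algorithm); returns the unsigned 32-bit digest."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    n_blocks = len(data) // 4
    for i in range(n_blocks):                      # body: 4-byte little-endian blocks
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (k1 * c1) & MASK32
        k1 = ((k1 << 15) | (k1 >> 17)) & MASK32    # rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & MASK32    # rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK32
    tail = data[4 * n_blocks:]                     # tail: 0-3 leftover bytes
    if tail:
        k1 = int.from_bytes(tail, "little")
        k1 = (k1 * c1) & MASK32
        k1 = ((k1 << 15) | (k1 >> 17)) & MASK32
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
    h1 ^= len(data)                                # finalization mix (fmix32)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1

def to_signed32(value: int) -> int:
    """Shodan (like Python's mmh3.hash) reports the digest as a signed 32-bit integer."""
    return value - (1 << 32) if value & 0x80000000 else value

def shodan_favicon_hash(favicon: bytes) -> int:
    # Shodan hashes the base64 *text* of the favicon, wrapped at 76 characters with a trailing
    # newline (exactly what base64.encodebytes / the codecs "base64" codec produce), not the raw bytes.
    return to_signed32(murmur3_32(base64.encodebytes(favicon)))

def favicon_dork(favicon: bytes) -> str:
    """Build the query Shodan appends when you click a favicon in the results list."""
    return f"http.favicon.hash:{shodan_favicon_hash(favicon)}"

# Constructed sample: a fake 16x16 ICO header plus filler bytes; a real favicon.ico would be read from disk.
SAMPLE_FAVICON = bytes.fromhex("00000100010010100000010020006804000016000000") + bytes(range(256)) * 4

if __name__ == "__main__":
    print(favicon_dork(SAMPLE_FAVICON))
```

Because the hash covers the encoded text, wrapping and the trailing newline matter: hashing the raw bytes or an unwrapped base64 string gives a value Shodan will never match.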

Lastly, my favorite way to get ideas for Shodan Dorking is Twitter. I use Google for this, with site:twitter shodan dorks:

If you find this information useful, please share this article on your social media; I will greatly appreciate it! I am active on Twitter, so check out the content I post there daily! If you are interested in video content, check my YouTube. Also, if you want to reach me personally, you can visit my Discord server. Cheers!
