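Using Shodan
city: the city; it appears to accept only English, and it cannot be an abbreviation, e.g. TOKYO, Hong Kong, Seoul...
country: the country or region suffix, e.g. cn, us, jp, tw, br, ph, vn, hk...
hostname: the host name, i.e. the target domain [if the domain is a subdomain, prefix it with a .]
net: the network range, either a single IP or an IP range in CIDR notation
os: the operating system: centOS, win32, red hat, suse, etc...
port: the port: HTTP (80), FTP (21), SSH (22), SNMP (161), SIP (5060), etc...
product: the specific product name, such as the various web servers, database servers, network device names, etc...
Server: the key value of the response header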
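A small linter for the filter syntax listed above, as an added example that is not part of the original page: it splits a query into filter/value pairs and free-text terms and checks the net, port and country values before the query is run. The function names, the two-letter country rule and the sample queries (RFC 5737 documentation ranges) are assumptions made for this example.

```python
import ipaddress
import re

# Filters listed on this page (names compared in lower case).
KNOWN_FILTERS = {"city", "country", "hostname", "net", "os", "port", "product", "server"}
# filter:"quoted value" | filter:bare | "quoted phrase" | bare word
TOKEN = re.compile(r'([\w.]+):"([^"]*)"|([\w.]+):(\S+)|"([^"]*)"|(\S+)')


def parse_query(query):
    """Split a query into ([(filter, value), ...], [free-text terms])."""
    filters, terms = [], []
    for m in TOKEN.finditer(query):
        qk, qv, bk, bv, phrase, word = m.groups()
        if qk or bk:
            filters.append(((qk or bk).lower(), qv if qk else bv))
        else:
            terms.append(phrase if phrase is not None else word)
    return filters, terms


def lint_query(query):
    """Return the problems found in one query's filter values (empty list = clean)."""
    problems = []
    for name, value in parse_query(query)[0]:
        if name not in KNOWN_FILTERS:
            problems.append(f"unknown filter: {name}")
        elif name == "net":
            try:
                iface = ipaddress.ip_interface(value)  # accepts a single IP or CIDR
                if iface.ip != iface.network.network_address:
                    problems.append(f"net {value} has host bits set; the network is {iface.network}")
            except ValueError:
                problems.append(f"net {value} is not an IP or CIDR range")
        elif name == "port":
            if not (re.fullmatch(r"[0-9]{1,5}", value) and 1 <= int(value) <= 65535):
                problems.append(f"port {value} is not in 1-65535")
        elif name == "country" and not re.fullmatch(r"[A-Za-z]{2}", value):
            # Assumption: country codes are two letters, as in the page's examples.
            problems.append(f"country {value} is not a two-letter code")
    return problems


# Constructed sample queries (documentation ranges and a reserved example domain).
SAMPLES = ['os:"linux" port:"22" net:"192.0.2.0/24"',
           'product:"Mysql" net:"198.51.100.77/24" port:"3306"',
           'hostname:".example.org" port:"80800" country:CHN']

if __name__ == "__main__":
    for q in SAMPLES:
        print(q, "->", lint_query(q) or "ok")
```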
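Simple search examples
Collect a specific kind of device in a given city [different types of web servers are used as the example here] by its identifier [collect common software and device identifiers yourself in advance]:
Microsoft-IIS/5.0 city:"TOKYO" (each one can be tried to see whether a shell can be written directly)
Microsoft-IIS/6.0 city:"Seoul" (each one can be tried to see whether direct RCE is possible)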
Microsoft-IIS/7.5 city:"Hong Kong"
apache city:"Nagoya"
Apache/2.2.27 city:"Nagoya"
Tomcat city:"Seoul" (each one can be tried to see whether direct RCE is possible)
cisco city:"Osaka"
tplink city:"nanjing"
Search for a specific operating system version and port:
os:"linux" net:"72.34.62.0/24"
os:"windows" net:"195.40.91.0/24"
Apache city:"Hong Kong" port:"8080" product:"Apache Tomcat/Coyote JSP engine"
Apache city:"Seoul" port:"8080"
hostname:".polyu.edu.hk" os:"windows"
Search for specific types of tools and services in a given country or region (as said before, collect plenty of high-quality tool banners):
product:"tomcat" net:"158.132.18.0/24"
product:"apache" net:"158.132.18.0/24"
product:"iis" net:"158.132.18.0/24"
port:"8080" jboss country:CN
port:"8080" jboss country:IN
Scan for all database servers of a specific kind within a given network range:
product:"Mysql" net:"140.117.13.0/24" port:"3306"
port:"1433" net:"78.131.197.0/24"
port:"5432" net:"77.55.149.0/24"
port:"1521" net:"78.143.192.0/12"
port:"1521" city:"Osaka"
Search for specific remote-management terminal ports:
os:"windows" port:"3389" net:"107.160.1.0/24"
os:"linux" port:"22" net:"107.160.1.0/24"
os:"linux" port:"23" net:"107.160.1.0/24"
os:"linux" port:"23" net:"87.124.0.0/15"
Search for ftp / tftp:
port:"21" net:"107.160.1.0/24"
port:"69" net:"218.242.16.0/24"
Search a city for specific ports, operating systems and online network devices:
city:"Hong Kong" port:"69"
city:"Hong Kong" port:"3389"
city:"Hong Kong" port:"22"
city:"Hong Kong" port:"23"
city:"Hong Kong" port:"3306"
city:"Hong Kong" port:"110"
city:"Hong Kong" os:"windows"
city:"Hong Kong" product:"cisco"
city:"Hong Kong" port:"8080"
Search a given country for specific devices, ports and servers:
port:"23" country:CN
port:"1433" country:CN
port:"3389" country:CN
tplink country:CN
huawei country:CN
netcam country:CN
country:CN net:"115.225.113.0/24" port:"22"
country:CN router
admin login country:HK
hacked by country:HK
Search for default passwords:
"default password" city:"Hong Kong"
country:CN "default password"
Search for exploits [in fact, this is just the content pulled from the exploit sites]:
https://exploits.shodan.io/welcome
Search for various vulnerable cameras:
netcam net:"187.189.82.0/24"
Common default passwords
ACTi: admin/123456 or Admin/123456
Axis (traditional): root/pass
Axis (new): requires password creation during first login
Cisco: No default password, requires creation during first login
Grandstream: admin/admin
IQinVision: root/system
Mobotix: admin/meinsm
Panasonic: admin/12345
Samsung Electronics: root/root or admin/4321
Samsung Techwin (old): admin/1111111
Samsung Techwin (new): admin/4321
Sony: admin/admin
TRENDnet: admin/admin
Toshiba: root/ikwd
Vivotek: root/<blank>
WebcamXP: admin/<blank>