recon / shodan

• devices
  • cisco-ios
  • citrix
  • cyberoam-ssl-vpn
  • f5-big-ip
  • f5-vpn
  • juniper-router
  • k8s
  • metasploit
  • mikrotik
  • oracle-e-business
  • palo-globalprotect
  • pulse-secure
  • rdp
  • sonicwall
  • vmware-esxi
  • zyxel
  • zte
• organization
• services
  • dns
  • docker
  • elasticsearch
  • ftp
  • icmp
  • kerberos
  • kibana
  • ldap
  • mongodb
  • mysql
  • mssql
  • neo4j
  • nfs
  • postgresql
  • rdp
  • smb
  • ssh
  • tcp
  • udp
  • vnc
  • winrm
• sources

devices

cisco-ios

# cisco ios - no password - HTTP return code 200
HTTP/1.0 200 Ok
Last-modififed: Tue, 08 Jun 1999 06:55:45 GMT
# cisco ios - no password - HTTP return code 401
HTTP/1.0 401 Unauthorized
Www-authenticate: Basic realm="level_15 or view_access"
# cisco ios - default password - HTTP return code 401
Www-authenticate: Basic realm="Default password:1234"

citrix

# cve-2023-3519
citrix netscaler
ssl:"*contoso*" http.favicon.hash:-1292923998,-1166125415
ssl:"*contoso*" http.title:"*netscaler*"
ssl:"*contoso*" ja3:""

# basic
http.title:"Citrix Login"
http.title:citrix
http.title:"Endpoint Management - Console - Logon"
Citrix-TransactionId
http.waf:"Citrix NetScaler"

cyberoam-ssl-vpn

ssl.cert.issuer.CN:Cyberoam

f5-big-ip

http.title:"BIG-IP®- Redirect"
http.favicon.hash:-335242539
Server: BigIP

f5-vpn

http.html:"BIG-IP logout"
Server: BigIP

juniper-router

http.title:"Log In - Juniper Web Device Manager"

k8s

ssl.cert.issuer.CN:kubernetes
# k8s API server
ssl.cert.subject.cn:kube-apiserver
ssl.cert.subject.cn:kube-apiserver "200 OK"

metasploit

http.title:Metasploit
http.title:"Metasploit is initializing"
http.title:"Metasploit - Setup and Configuration"

mikrotik

# last update: 20230921
# CVE-2018-7445 / RCE up to 6.38.4
# https://thehackernews.com/2021/12/over-300000-mikrotik-devices-found.html
http.title:"RouterOS router configuration page"
http.title:"Router"
os:"MikroTik"

oracle-e-business

http.title:"E-Business Suite Home Page Redirect"
path=/OA_HTML -http.title:"E-Business Suite"

palo-globalprotect

http.html:"Global Protect"

pulse-secure

product:"Pulse Secure"
http.title:Pulse

rdp

http.html:tdDomainUserNameLabel

sonicwall

http.title:"Policy Jump"
http.title:"SonicWALL - Authentication"

vmware-esxi

http.title:"\" + ID_EESX_Welcome + \""

zyxel

ssl.cert.issuer.CN:ZyXEL

zte

http.title:"F660"
ZTE corp

organization

asn:123456
org:contoso

services

dns

port:53 !HTTP

docker

port:2375 !HTTP
port:5000 !HTTP

elasticsearch

port:9200 !HTTP

ftp

port:21 !HTTP

kerberos

port:88 !HTTP

kibana

port:5601 !HTTP

ldap

port:389 !HTTP

mongodb

port:27017 !HTTP

mysql

port:3306 !HTTP

mssql

port:1433 !HTTP

neo4j

port:1433 !HTTP

nfs

port:2049

postgresql

port:5432 !HTTP

rdp

port:3389 !HTTP

smb

port:445 !HTTP

ssh

port:22,2022,3022,4022,5022,6022,7022,8022,9022,10022,20022,30022,40022,50022,60022 !HTTP

vnc

port:5900 !HTTP

winrm

port:5985,5986 !HTTP

sources

• examples
• filters / github
• fingerprints
• /tool/shodan.png