This Shodan queries list is made out of queries which Threat Hunters use to identify threat landscapes, malware, command and control servers and vulnerable systems. The idea is that by having this list close to you, you will be able to utilize the powerful Shodan search engine more effectively.

In the past I have published Shodan tutorials which describe how you can hunt for Empire and Cobalt Strike C2 servers. These tutorials allow you to hunt for the C2 servers and it also allows you to get a better understanding of how you can perform queries via Shodan. Shodan can also be used to hunt for previously mentioned vulnerabilities, for example, CVE-2018-13379 still hasn’t been patched globally, and by following the Shodan tutorial on CVE-2018-13379, you can actually hunt for impacted systems.

Shodan queries list for threat hunters

The following Shodan queries will certainly provide results that you can use in your daily threat hunting process.

Type	Hunt for	Learn more
C2	Cobalt Strike C2	Go
C2	Posh C2	Go
C2	Deimos C2	Go
C2	Empire C2	Go

The default Shodan queries

Shodan has the following default queries which you can perform. The nice thing about search engines such as Shodan is that you can combine queries, this allows you to filter deeply into the results you are receiving.

In overal, the following main filters can be used in the query:

• general
• http
• ssl
• bitcoin
• ntp
• snmp
• cloud
• telnet
• ssh

General query	Example of the Shodan query
all	https://www.shodan.io/search?query=all:[REPLACE_with_your_Value]
asn	https://www.shodan.io/search?query=asn:[REPLACE_with_your_Value]
city	https://www.shodan.io/search?query=city:[REPLACE_with_your_Value]
country	https://www.shodan.io/search?query=country:[REPLACE_with_your_Value]
cpe	https://www.shodan.io/search?query=cpe:[REPLACE_with_your_Value]
device	https://www.shodan.io/search?query=device:[REPLACE_with_your_Value]
geo	https://www.shodan.io/search?query=geo:[REPLACE_with_your_Value]
has_ipv6	https://www.shodan.io/search?query=has_ipv6:[REPLACE_with_your_Value]
has_screenshot	https://www.shodan.io/search?query=has_screenshot:[REPLACE_with_your_Value]
has_ssl	https://www.shodan.io/search?query=has_ssl:[REPLACE_with_your_Value]
has_vuln	https://www.shodan.io/search?query=has_vuln:[REPLACE_with_your_Value]
hash	https://www.shodan.io/search?query=hash:[REPLACE_with_your_Value]
hostname	https://www.shodan.io/search?query=hostname:[REPLACE_with_your_Value]
ip	https://www.shodan.io/search?query=ip:[REPLACE_with_your_Value]
isp	https://www.shodan.io/search?query=isp:[REPLACE_with_your_Value]
link	https://www.shodan.io/search?query=link:[REPLACE_with_your_Value]
net	https://www.shodan.io/search?query=net:[REPLACE_with_your_Value]
org	https://www.shodan.io/search?query=org:[REPLACE_with_your_Value]
os	https://www.shodan.io/search?query=os:[REPLACE_with_your_Value]
port	https://www.shodan.io/search?query=port:[REPLACE_with_your_Value]
postal	https://www.shodan.io/search?query=postal:[REPLACE_with_your_Value]
product	https://www.shodan.io/search?query=product:[REPLACE_with_your_Value]
region	https://www.shodan.io/search?query=region:[REPLACE_with_your_Value]
scan	https://www.shodan.io/search?query=scan:[REPLACE_with_your_Value]
shodan.module	https://www.shodan.io/search?query=shodan.module:[REPLACE_with_your_Value]
state	https://www.shodan.io/search?query=state:[REPLACE_with_your_Value]
version	https://www.shodan.io/search?query=version:[REPLACE_with_your_Value]

HTTP based queries on Shodan

HTTP query	Example
http.component	https://www.shodan.io/search?query=http.component:[REPLACE_with_your_Value]
http.component_category	https://www.shodan.io/search?query=http.component_category:[REPLACE_with_your_Value]
http.favicon.hash	https://www.shodan.io/search?query=http.favicon.hash:[REPLACE_with_your_Value]
http.headers_hash	https://www.shodan.io/search?query=http.headers_hash:[REPLACE_with_your_Value]
http.html	https://www.shodan.io/search?query=http.html:[REPLACE_with_your_Value]
http.html_hash	https://www.shodan.io/search?query=http.html_hash:[REPLACE_with_your_Value]
http.robots_hash	https://www.shodan.io/search?query=http.robots_hash:[REPLACE_with_your_Value]
http.securitytxt	https://www.shodan.io/search?query=http.securitytxt:[REPLACE_with_your_Value]
http.status	https://www.shodan.io/search?query=http.status:[REPLACE_with_your_Value]
http.title	https://www.shodan.io/search?query=http.title:[REPLACE_with_your_Value]
http.waf	https://www.shodan.io/search?query=http.waf:[REPLACE_with_your_Value]

More queries

SSL query	Example
ssl	https://www.shodan.io/search?query=ssl:[REPLACE_with_your_Value]
ssl.alpn	https://www.shodan.io/search?query=ssl.alpn:[REPLACE_with_your_Value]
ssl.cert.alg	https://www.shodan.io/search?query=ssl.cert.alg:[REPLACE_with_your_Value]
ssl.cert.expired	https://www.shodan.io/search?query=ssl.cert.expired:[REPLACE_with_your_Value]
ssl.cert.extension	https://www.shodan.io/search?query=ssl.cert.extension:[REPLACE_with_your_Value]
ssl.cert.fingerprint	https://www.shodan.io/search?query=ssl.cert.fingerprint:[REPLACE_with_your_Value]
ssl.cert.issuer.cn	https://www.shodan.io/search?query=ssl.cert.issuer.cn:[REPLACE_with_your_Value]
ssl.cert.pubkey.bits	https://www.shodan.io/search?query=ssl.cert.pubkey.bits:[REPLACE_with_your_Value]
ssl.cert.pubkey.type	https://www.shodan.io/search?query=ssl.cert.pubkey.type:[REPLACE_with_your_Value]
ssl.cert.serial	https://www.shodan.io/search?query=ssl.cert.serial:[REPLACE_with_your_Value]
ssl.cert.subject.cn	https://www.shodan.io/search?query=ssl.cert.subject.cn:[REPLACE_with_your_Value]
ssl.chain_count	https://www.shodan.io/search?query=ssl.chain_count:[REPLACE_with_your_Value]
ssl.cipher.bits	https://www.shodan.io/search?query=ssl.cipher.bits:[REPLACE_with_your_Value]
ssl.cipher.name	https://www.shodan.io/search?query=ssl.cipher.name:[REPLACE_with_your_Value]
ssl.cipher.version	https://www.shodan.io/search?query=ssl.cipher.version:[REPLACE_with_your_Value]
ssl.ja3s	https://www.shodan.io/search?query=ssl.ja3s:[REPLACE_with_your_Value]
ssl.jarm	https://www.shodan.io/search?query=ssl.jarm:[REPLACE_with_your_Value]
ssl.version	https://www.shodan.io/search?query=ssl.version:[REPLACE_with_your_Value]

Bitcoin query	Example
bitcoin.ip	https://www.shodan.io/search?query=bitcoin.ip:[REPLACE_with_your_Value]
bitcoin.ip_count	https://www.shodan.io/search?query=bitcoin.ip_count:[REPLACE_with_your_Value]
bitcoin.port	https://www.shodan.io/search?query=bitcoin.port:[REPLACE_with_your_Value]
bitcoin.version	https://www.shodan.io/search?query=bitcoin.version:[REPLACE_with_your_Value]

NTP query	Example
ntp.ip	https://www.shodan.io/search?query=ntp.ip:[REPLACE_with_your_Value]
ntp.ip_count	https://www.shodan.io/search?query=ntp.ip_count:[REPLACE_with_your_Value]
ntp.more	https://www.shodan.io/search?query=ntp.more:[REPLACE_with_your_Value]
ntp.port	https://www.shodan.io/search?query=ntp.port:[REPLACE_with_your_Value]

SNMP query	Example
snmp.contact	https://www.shodan.io/search?query=snmp.contact:[REPLACE_with_your_Value]
snmp.location	https://www.shodan.io/search?query=snmp.location:[REPLACE_with_your_Value]
snmp.name	https://www.shodan.io/search?query=snmp.name:[REPLACE_with_your_Value]

Screenshot query	Example
screenshot.hash	https://www.shodan.io/search?query=screenshot.hash:[REPLACE_with_your_Value]
screenshot.label	https://www.shodan.io/search?query=screenshot.label:[REPLACE_with_your_Value]

Cloud query	Example
cloud.provider	https://www.shodan.io/search?query=cloud.provider:[REPLACE_with_your_Value]
cloud.region	https://www.shodan.io/search?query=cloud.region:[REPLACE_with_your_Value]
cloud.service	https://www.shodan.io/search?query=cloud.service:[REPLACE_with_your_Value]

Telnet query	Example
telnet.do	https://www.shodan.io/search?query=telnet.do:[REPLACE_with_your_Value]
telnet.dont	https://www.shodan.io/search?query=telnet.dont:[REPLACE_with_your_Value]
telnet.option	https://www.shodan.io/search?query=telnet.option:[REPLACE_with_your_Value]
telnet.will	https://www.shodan.io/search?query=telnet.will:[REPLACE_with_your_Value]
telnet.wont	https://www.shodan.io/search?query=telnet.wont:[REPLACE_with_your_Value]

SSH query	Example
ssh.hash	https://www.shodan.io/search?query=ssh.hash:[REPLACE_with_your_Value]
ssh.type	https://www.shodan.io/search?query=ssh.type:[REPLACE_with_your_Value]