This Shodan queries list is made up of queries that threat hunters use to identify threat landscapes, malware, command and control (C2) servers and vulnerable systems. The idea is that by keeping this list close at hand, you will be able to use the powerful Shodan search engine more effectively.
In the past I have published Shodan tutorials that describe how you can hunt for Empire and Cobalt Strike C2 servers. These tutorials let you hunt for the C2 servers and also give you a better understanding of how to build queries in Shodan. Shodan can also be used to hunt for previously mentioned vulnerabilities; for example, CVE-2018-13379 still has not been patched globally, and by following the Shodan tutorial on CVE-2018-13379 you can hunt for impacted systems.
Indexed (open) RDP systems on Shodan
Shodan queries list for threat hunters
The following Shodan queries will certainly provide results that you can use in your daily threat hunting process.
Type  Hunt for          Learn more
C2    Cobalt Strike C2  Go
C2    Posh C2           Go
C2    Deimos C2         Go
C2    Empire C2         Go
The default Shodan queries
Shodan has the following default query filters that you can use. The nice thing about search engines such as Shodan is that you can combine several filters in one query, which lets you narrow the results down step by step.
Shodan screenshot showing query results on the world map
Overall, the following main filter groups can be used in a query: general, http, ssl, bitcoin, ntp, snmp, cloud, telnet, ssh.
General query   Example of the Shodan query
all             https://www.shodan.io/search?query=all:[REPLACE_with_your_Value]
asn             https://www.shodan.io/search?query=asn:[REPLACE_with_your_Value]
city            https://www.shodan.io/search?query=city:[REPLACE_with_your_Value]
country         https://www.shodan.io/search?query=country:[REPLACE_with_your_Value]
cpe             https://www.shodan.io/search?query=cpe:[REPLACE_with_your_Value]
device          https://www.shodan.io/search?query=device:[REPLACE_with_your_Value]
geo             https://www.shodan.io/search?query=geo:[REPLACE_with_your_Value]
has_ipv6        https://www.shodan.io/search?query=has_ipv6:[REPLACE_with_your_Value]
has_screenshot  https://www.shodan.io/search?query=has_screenshot:[REPLACE_with_your_Value]
has_ssl         https://www.shodan.io/search?query=has_ssl:[REPLACE_with_your_Value]
has_vuln        https://www.shodan.io/search?query=has_vuln:[REPLACE_with_your_Value]
hash            https://www.shodan.io/search?query=hash:[REPLACE_with_your_Value]
hostname        https://www.shodan.io/search?query=hostname:[REPLACE_with_your_Value]
ip              https://www.shodan.io/search?query=ip:[REPLACE_with_your_Value]
isp             https://www.shodan.io/search?query=isp:[REPLACE_with_your_Value]
link            https://www.shodan.io/search?query=link:[REPLACE_with_your_Value]
net             https://www.shodan.io/search?query=net:[REPLACE_with_your_Value]
org             https://www.shodan.io/search?query=org:[REPLACE_with_your_Value]
os              https://www.shodan.io/search?query=os:[REPLACE_with_your_Value]
port            https://www.shodan.io/search?query=port:[REPLACE_with_your_Value]
postal          https://www.shodan.io/search?query=postal:[REPLACE_with_your_Value]
product         https://www.shodan.io/search?query=product:[REPLACE_with_your_Value]
region          https://www.shodan.io/search?query=region:[REPLACE_with_your_Value]
scan            https://www.shodan.io/search?query=scan:[REPLACE_with_your_Value]
shodan.module   https://www.shodan.io/search?query=shodan.module:[REPLACE_with_your_Value]
state           https://www.shodan.io/search?query=state:[REPLACE_with_your_Value]
version         https://www.shodan.io/search?query=version:[REPLACE_with_your_Value]
General Shodan queries list
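The tables above give one filter per URL, but in practice you combine several filters in one query, and a mistyped filter name silently becomes a free-text search that returns unrelated results. The script below is an added example (not code from the original post): it builds a query string from the filter names listed on this page, applies Shodan's quoting rules (values containing whitespace go in double quotes, several values for one filter are comma separated), turns the query into a search URL in the same form as the table entries, and parses a saved query back into its filters so hunting notes can be checked against the known filter list. The sample filter values are constructed.

```python
"""Compose and parse Shodan queries from the filters listed on this page.

Added example, not code from the original post. Filter names come from the
general, HTTP and SSL tables on this page; the quoting rules follow Shodan's
query syntax. Sample values are constructed.
"""
import shlex
from urllib.parse import quote

# Filter names taken from the general, HTTP and SSL tables on this page.
KNOWN_FILTERS = {
    "all", "asn", "city", "country", "cpe", "device", "geo", "has_ipv6",
    "has_screenshot", "has_ssl", "has_vuln", "hash", "hostname", "ip", "isp",
    "link", "net", "org", "os", "port", "postal", "product", "region", "scan",
    "shodan.module", "state", "version",
    "http.component", "http.component_category", "http.favicon.hash",
    "http.headers_hash", "http.html", "http.html_hash", "http.robots_hash",
    "http.securitytxt", "http.status", "http.title", "http.waf",
    "ssl", "ssl.alpn", "ssl.cert.alg", "ssl.cert.expired", "ssl.cert.extension",
    "ssl.cert.fingerprint", "ssl.cert.issuer.cn", "ssl.cert.pubkey.bits",
    "ssl.cert.pubkey.type", "ssl.cert.serial", "ssl.cert.subject.cn",
    "ssl.chain_count", "ssl.cipher.bits", "ssl.cipher.name",
    "ssl.cipher.version", "ssl.ja3s", "ssl.jarm", "ssl.version",
}


def format_value(value) -> str:
    """Render one filter value in Shodan syntax."""
    if isinstance(value, bool):                      # has_ssl:true
        return "true" if value else "false"
    if isinstance(value, (list, tuple)):             # port:22,2222
        return ",".join(format_value(v) for v in value)
    text = str(value)
    if any(ch.isspace() for ch in text):             # org:"Example Corp"
        return f'"{text}"'
    return text


def build_query(filters: dict, free_text: str = "") -> str:
    """Combine filters into one query string. Unknown filter names are rejected
    so a typo does not silently turn into a free-text search."""
    unknown = sorted(set(filters) - KNOWN_FILTERS)
    if unknown:
        raise ValueError(f"unknown Shodan filter(s): {', '.join(unknown)}")
    parts = [free_text] if free_text else []
    parts.extend(f"{name}:{format_value(value)}" for name, value in filters.items())
    return " ".join(parts)


def search_url(query: str) -> str:
    """Turn a query into a shodan.io search URL in the form used in the tables."""
    return "https://www.shodan.io/search?query=" + quote(query, safe=":,")


def parse_query(query: str):
    """Split a saved query back into (filters, free_text); shlex handles the
    double-quoted values so 'org:"Example Corp"' stays one token."""
    filters, free = {}, []
    for token in shlex.split(query):
        name, sep, value = token.partition(":")
        if sep and name in KNOWN_FILTERS:
            filters[name] = value
        else:
            free.append(token)
    return filters, " ".join(free)


if __name__ == "__main__":
    # Constructed example: exposed RDP in one country, screenshot available.
    q = build_query({"port": 3389, "country": "NL", "has_screenshot": True})
    print(q)
    print(search_url(q))
    print(parse_query(q))
```

The `KNOWN_FILTERS` set is deliberately limited to what this page lists; extend it from the remaining tables (bitcoin, ntp, snmp, screenshot, cloud, telnet, ssh) in the same way.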
HTTP-based queries on Shodan
HTTP query               Example
http.component           https://www.shodan.io/search?query=http.component:[REPLACE_with_your_Value]
http.component_category  https://www.shodan.io/search?query=http.component_category:[REPLACE_with_your_Value]
http.favicon.hash        https://www.shodan.io/search?query=http.favicon.hash:[REPLACE_with_your_Value]
http.headers_hash        https://www.shodan.io/search?query=http.headers_hash:[REPLACE_with_your_Value]
http.html                https://www.shodan.io/search?query=http.html:[REPLACE_with_your_Value]
http.html_hash           https://www.shodan.io/search?query=http.html_hash:[REPLACE_with_your_Value]
http.robots_hash         https://www.shodan.io/search?query=http.robots_hash:[REPLACE_with_your_Value]
http.securitytxt         https://www.shodan.io/search?query=http.securitytxt:[REPLACE_with_your_Value]
http.status              https://www.shodan.io/search?query=http.status:[REPLACE_with_your_Value]
http.title               https://www.shodan.io/search?query=http.title:[REPLACE_with_your_Value]
http.waf                 https://www.shodan.io/search?query=http.waf:[REPLACE_with_your_Value]
HTTP queries list
More queries
SSL query              Example
ssl                    https://www.shodan.io/search?query=ssl:[REPLACE_with_your_Value]
ssl.alpn               https://www.shodan.io/search?query=ssl.alpn:[REPLACE_with_your_Value]
ssl.cert.alg           https://www.shodan.io/search?query=ssl.cert.alg:[REPLACE_with_your_Value]
ssl.cert.expired       https://www.shodan.io/search?query=ssl.cert.expired:[REPLACE_with_your_Value]
ssl.cert.extension     https://www.shodan.io/search?query=ssl.cert.extension:[REPLACE_with_your_Value]
ssl.cert.fingerprint   https://www.shodan.io/search?query=ssl.cert.fingerprint:[REPLACE_with_your_Value]
ssl.cert.issuer.cn     https://www.shodan.io/search?query=ssl.cert.issuer.cn:[REPLACE_with_your_Value]
ssl.cert.pubkey.bits   https://www.shodan.io/search?query=ssl.cert.pubkey.bits:[REPLACE_with_your_Value]
ssl.cert.pubkey.type   https://www.shodan.io/search?query=ssl.cert.pubkey.type:[REPLACE_with_your_Value]
ssl.cert.serial        https://www.shodan.io/search?query=ssl.cert.serial:[REPLACE_with_your_Value]
ssl.cert.subject.cn    https://www.shodan.io/search?query=ssl.cert.subject.cn:[REPLACE_with_your_Value]
ssl.chain_count        https://www.shodan.io/search?query=ssl.chain_count:[REPLACE_with_your_Value]
ssl.cipher.bits        https://www.shodan.io/search?query=ssl.cipher.bits:[REPLACE_with_your_Value]
ssl.cipher.name        https://www.shodan.io/search?query=ssl.cipher.name:[REPLACE_with_your_Value]
ssl.cipher.version     https://www.shodan.io/search?query=ssl.cipher.version:[REPLACE_with_your_Value]
ssl.ja3s               https://www.shodan.io/search?query=ssl.ja3s:[REPLACE_with_your_Value]
ssl.jarm               https://www.shodan.io/search?query=ssl.jarm:[REPLACE_with_your_Value]
ssl.version            https://www.shodan.io/search?query=ssl.version:[REPLACE_with_your_Value]
SSL queries list
Bitcoin query     Example
bitcoin.ip        https://www.shodan.io/search?query=bitcoin.ip:[REPLACE_with_your_Value]
bitcoin.ip_count  https://www.shodan.io/search?query=bitcoin.ip_count:[REPLACE_with_your_Value]
bitcoin.port      https://www.shodan.io/search?query=bitcoin.port:[REPLACE_with_your_Value]
bitcoin.version   https://www.shodan.io/search?query=bitcoin.version:[REPLACE_with_your_Value]
Bitcoin queries list
NTP query     Example
ntp.ip        https://www.shodan.io/search?query=ntp.ip:[REPLACE_with_your_Value]
ntp.ip_count  https://www.shodan.io/search?query=ntp.ip_count:[REPLACE_with_your_Value]
ntp.more      https://www.shodan.io/search?query=ntp.more:[REPLACE_with_your_Value]
ntp.port      https://www.shodan.io/search?query=ntp.port:[REPLACE_with_your_Value]
NTP queries list
SNMP query     Example
snmp.contact   https://www.shodan.io/search?query=snmp.contact:[REPLACE_with_your_Value]
snmp.location  https://www.shodan.io/search?query=snmp.location:[REPLACE_with_your_Value]
snmp.name      https://www.shodan.io/search?query=snmp.name:[REPLACE_with_your_Value]
SNMP queries list
Screenshot query  Example
screenshot.hash   https://www.shodan.io/search?query=screenshot.hash:[REPLACE_with_your_Value]
screenshot.label  https://www.shodan.io/search?query=screenshot.label:[REPLACE_with_your_Value]
Screenshot queries list
Cloud query     Example
cloud.provider  https://www.shodan.io/search?query=cloud.provider:[REPLACE_with_your_Value]
cloud.region    https://www.shodan.io/search?query=cloud.region:[REPLACE_with_your_Value]
cloud.service   https://www.shodan.io/search?query=cloud.service:[REPLACE_with_your_Value]
Cloud queries list
Telnet query   Example
telnet.do      https://www.shodan.io/search?query=telnet.do:[REPLACE_with_your_Value]
telnet.dont    https://www.shodan.io/search?query=telnet.dont:[REPLACE_with_your_Value]
telnet.option  https://www.shodan.io/search?query=telnet.option:[REPLACE_with_your_Value]
telnet.will    https://www.shodan.io/search?query=telnet.will:[REPLACE_with_your_Value]
telnet.wont    https://www.shodan.io/search?query=telnet.wont:[REPLACE_with_your_Value]
Telnet queries list
SSH query  Example
ssh.hash   https://www.shodan.io/search?query=ssh.hash:[REPLACE_with_your_Value]
ssh.type   https://www.shodan.io/search?query=ssh.type:[REPLACE_with_your_Value]
SSH queries