Shodan queries list for Threat Hunters (2022)

This Shodan queries list collects queries that threat hunters use to map threat landscapes and to identify malware, command-and-control (C2) servers and vulnerable systems. Keeping this list close at hand helps you use the powerful Shodan search engine more effectively.

In the past I have published Shodan tutorials which describe how you can hunt for Empire and Cobalt Strike C2 servers. These tutorials allow you to hunt for the C2 servers and also give you a better understanding of how you can perform queries via Shodan. Shodan can also be used to hunt for previously mentioned vulnerabilities. For example, CVE-2018-13379 still hasn't been patched globally, and by following the Shodan tutorial on CVE-2018-13379, you can actually hunt for impacted systems.

Indexed (open) RDP systems on Shodan

Shodan queries list for threat hunters

The following Shodan queries will certainly provide results that you can use in your daily threat hunting process.

Type  Hunt for          Learn more
C2    Cobalt Strike C2  Go
C2    Posh C2           Go
C2    Deimos C2         Go
C2    Empire C2         Go

Shodan queries list for threat hunters

The default Shodan queries

Shodan has the following default queries which you can perform. The nice thing about search engines such as Shodan is that you can combine queries, which allows you to filter deeply into the results you are receiving.

Shodan screenshot showing query results on the world map
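
As an added example (not from the original post), the Python sketch below combines filters listed on this page into a single query and the matching search URL, here for reviewing your own organisation's exposure. The netblock and organisation name are constructed placeholders, and `term`, `build_query` and `search_url` are hypothetical helper names.

```python
from urllib.parse import quote

# Filter names copied from the tables on this page (a subset; extend as needed).
KNOWN_FILTERS = {
    "asn", "country", "hostname", "net", "org", "port", "product",
    "has_screenshot", "http.title", "http.favicon.hash",
    "ssl.cert.expired", "ssl.cert.subject.cn", "ssl.version", "ssl.jarm",
}
SEARCH_URL = "https://www.shodan.io/search?query="  # URL pattern used on this page


def term(name, value, negate=False):
    """Return one `filter:value` term; a leading '-' excludes matches."""
    if name not in KNOWN_FILTERS:
        raise ValueError(f"unknown filter: {name!r}")
    if isinstance(value, bool):
        text = "true" if value else "false"
    elif isinstance(value, (list, tuple)):
        text = ",".join(str(v) for v in value)  # comma = match any of the values
    else:
        text = str(value)
    if not text or '"' in text:
        # A stray quote would end the quoted value early and change the query.
        raise ValueError(f"unsafe value for {name}: {text!r}")
    if any(c.isspace() for c in text):
        text = f'"{text}"'  # unquoted, words after the space become free-text terms
    return f"{'-' if negate else ''}{name}:{text}"


def build_query(*terms):
    """Space-separated terms are ANDed together by Shodan."""
    return " ".join(terms)


def search_url(query):
    """Percent-encode the whole query for the web search URL."""
    return SEARCH_URL + quote(query, safe="")


# Constructed inventory: documentation netblock and a made-up organisation name.
OWN_NET = "198.51.100.0/24"
OWN_ORG = "Example Corp"

exposed_remote_access = build_query(term("net", OWN_NET), term("port", [23, 3389]))
expired_certs = build_query(
    term("org", OWN_ORG), term("ssl.cert.expired", True), term("port", 443, negate=True)
)

if __name__ == "__main__":
    for q in (exposed_remote_access, expired_certs):
        print(q, "->", search_url(q))
```

Values that come from an asset inventory are rejected if they contain a double quote, because such a value would silently turn one filter into several.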

Overall, the following main filters can be used in the query:

  • general
  • http
  • ssl
  • bitcoin
  • ntp
  • snmp
  • cloud
  • telnet
  • ssh

General query   Example of the Shodan query
all             https://www.shodan.io/search?query=all:[REPLACE_with_your_Value]
asn             https://www.shodan.io/search?query=asn:[REPLACE_with_your_Value]
city            https://www.shodan.io/search?query=city:[REPLACE_with_your_Value]
country         https://www.shodan.io/search?query=country:[REPLACE_with_your_Value]
cpe             https://www.shodan.io/search?query=cpe:[REPLACE_with_your_Value]
device          https://www.shodan.io/search?query=device:[REPLACE_with_your_Value]
geo             https://www.shodan.io/search?query=geo:[REPLACE_with_your_Value]
has_ipv6        https://www.shodan.io/search?query=has_ipv6:[REPLACE_with_your_Value]
has_screenshot  https://www.shodan.io/search?query=has_screenshot:[REPLACE_with_your_Value]
has_ssl         https://www.shodan.io/search?query=has_ssl:[REPLACE_with_your_Value]
has_vuln        https://www.shodan.io/search?query=has_vuln:[REPLACE_with_your_Value]
hash            https://www.shodan.io/search?query=hash:[REPLACE_with_your_Value]
hostname        https://www.shodan.io/search?query=hostname:[REPLACE_with_your_Value]
ip              https://www.shodan.io/search?query=ip:[REPLACE_with_your_Value]
isp             https://www.shodan.io/search?query=isp:[REPLACE_with_your_Value]
link            https://www.shodan.io/search?query=link:[REPLACE_with_your_Value]
net             https://www.shodan.io/search?query=net:[REPLACE_with_your_Value]
org             https://www.shodan.io/search?query=org:[REPLACE_with_your_Value]
os              https://www.shodan.io/search?query=os:[REPLACE_with_your_Value]
port            https://www.shodan.io/search?query=port:[REPLACE_with_your_Value]
postal          https://www.shodan.io/search?query=postal:[REPLACE_with_your_Value]
product         https://www.shodan.io/search?query=product:[REPLACE_with_your_Value]
region          https://www.shodan.io/search?query=region:[REPLACE_with_your_Value]
scan            https://www.shodan.io/search?query=scan:[REPLACE_with_your_Value]
shodan.module   https://www.shodan.io/search?query=shodan.module:[REPLACE_with_your_Value]
state           https://www.shodan.io/search?query=state:[REPLACE_with_your_Value]
version         https://www.shodan.io/search?query=version:[REPLACE_with_your_Value]

General Shodan queries list

HTTP based queries on Shodan

HTTP query               Example
http.component           https://www.shodan.io/search?query=http.component:[REPLACE_with_your_Value]
http.component_category  https://www.shodan.io/search?query=http.component_category:[REPLACE_with_your_Value]
http.favicon.hash        https://www.shodan.io/search?query=http.favicon.hash:[REPLACE_with_your_Value]
http.headers_hash        https://www.shodan.io/search?query=http.headers_hash:[REPLACE_with_your_Value]
http.html                https://www.shodan.io/search?query=http.html:[REPLACE_with_your_Value]
http.html_hash           https://www.shodan.io/search?query=http.html_hash:[REPLACE_with_your_Value]
http.robots_hash         https://www.shodan.io/search?query=http.robots_hash:[REPLACE_with_your_Value]
http.securitytxt         https://www.shodan.io/search?query=http.securitytxt:[REPLACE_with_your_Value]
http.status              https://www.shodan.io/search?query=http.status:[REPLACE_with_your_Value]
http.title               https://www.shodan.io/search?query=http.title:[REPLACE_with_your_Value]
http.waf                 https://www.shodan.io/search?query=http.waf:[REPLACE_with_your_Value]

HTTP queries list

More queries

SSL query             Example
ssl                   https://www.shodan.io/search?query=ssl:[REPLACE_with_your_Value]
ssl.alpn              https://www.shodan.io/search?query=ssl.alpn:[REPLACE_with_your_Value]
ssl.cert.alg          https://www.shodan.io/search?query=ssl.cert.alg:[REPLACE_with_your_Value]
ssl.cert.expired      https://www.shodan.io/search?query=ssl.cert.expired:[REPLACE_with_your_Value]
ssl.cert.extension    https://www.shodan.io/search?query=ssl.cert.extension:[REPLACE_with_your_Value]
ssl.cert.fingerprint  https://www.shodan.io/search?query=ssl.cert.fingerprint:[REPLACE_with_your_Value]
ssl.cert.issuer.cn    https://www.shodan.io/search?query=ssl.cert.issuer.cn:[REPLACE_with_your_Value]
ssl.cert.pubkey.bits  https://www.shodan.io/search?query=ssl.cert.pubkey.bits:[REPLACE_with_your_Value]
ssl.cert.pubkey.type  https://www.shodan.io/search?query=ssl.cert.pubkey.type:[REPLACE_with_your_Value]
ssl.cert.serial       https://www.shodan.io/search?query=ssl.cert.serial:[REPLACE_with_your_Value]
ssl.cert.subject.cn   https://www.shodan.io/search?query=ssl.cert.subject.cn:[REPLACE_with_your_Value]
ssl.chain_count       https://www.shodan.io/search?query=ssl.chain_count:[REPLACE_with_your_Value]
ssl.cipher.bits       https://www.shodan.io/search?query=ssl.cipher.bits:[REPLACE_with_your_Value]
ssl.cipher.name       https://www.shodan.io/search?query=ssl.cipher.name:[REPLACE_with_your_Value]
ssl.cipher.version    https://www.shodan.io/search?query=ssl.cipher.version:[REPLACE_with_your_Value]
ssl.ja3s              https://www.shodan.io/search?query=ssl.ja3s:[REPLACE_with_your_Value]
ssl.jarm              https://www.shodan.io/search?query=ssl.jarm:[REPLACE_with_your_Value]
ssl.version           https://www.shodan.io/search?query=ssl.version:[REPLACE_with_your_Value]

SSL queries list

Bitcoin query     Example
bitcoin.ip        https://www.shodan.io/search?query=bitcoin.ip:[REPLACE_with_your_Value]
bitcoin.ip_count  https://www.shodan.io/search?query=bitcoin.ip_count:[REPLACE_with_your_Value]
bitcoin.port      https://www.shodan.io/search?query=bitcoin.port:[REPLACE_with_your_Value]
bitcoin.version   https://www.shodan.io/search?query=bitcoin.version:[REPLACE_with_your_Value]

Bitcoin queries list

NTP query     Example
ntp.ip        https://www.shodan.io/search?query=ntp.ip:[REPLACE_with_your_Value]
ntp.ip_count  https://www.shodan.io/search?query=ntp.ip_count:[REPLACE_with_your_Value]
ntp.more      https://www.shodan.io/search?query=ntp.more:[REPLACE_with_your_Value]
ntp.port      https://www.shodan.io/search?query=ntp.port:[REPLACE_with_your_Value]

NTP queries list

SNMP query     Example
snmp.contact   https://www.shodan.io/search?query=snmp.contact:[REPLACE_with_your_Value]
snmp.location  https://www.shodan.io/search?query=snmp.location:[REPLACE_with_your_Value]
snmp.name      https://www.shodan.io/search?query=snmp.name:[REPLACE_with_your_Value]

SNMP queries list

Screenshot query  Example
screenshot.hash   https://www.shodan.io/search?query=screenshot.hash:[REPLACE_with_your_Value]
screenshot.label  https://www.shodan.io/search?query=screenshot.label:[REPLACE_with_your_Value]

Screenshot queries list

Cloud query     Example
cloud.provider  https://www.shodan.io/search?query=cloud.provider:[REPLACE_with_your_Value]
cloud.region    https://www.shodan.io/search?query=cloud.region:[REPLACE_with_your_Value]
cloud.service   https://www.shodan.io/search?query=cloud.service:[REPLACE_with_your_Value]

Cloud queries list

Telnet query   Example
telnet.do      https://www.shodan.io/search?query=telnet.do:[REPLACE_with_your_Value]
telnet.dont    https://www.shodan.io/search?query=telnet.dont:[REPLACE_with_your_Value]
telnet.option  https://www.shodan.io/search?query=telnet.option:[REPLACE_with_your_Value]
telnet.will    https://www.shodan.io/search?query=telnet.will:[REPLACE_with_your_Value]
telnet.wont    https://www.shodan.io/search?query=telnet.wont:[REPLACE_with_your_Value]

Telnet queries list

SSH query  Example
ssh.hash   https://www.shodan.io/search?query=ssh.hash:[REPLACE_with_your_Value]
ssh.type   https://www.shodan.io/search?query=ssh.type:[REPLACE_with_your_Value]

SSH queries
