Shodan Dorking

What You Will Learn

  • What Shodan is and how it differs from regular search engines
  • How to write Shodan search queries (dorks)
  • How to find exposed services, expired certificates, and specific software
  • How to compute and use favicon hashes

What Is It?

Shodan is a search engine for internet-connected devices. Unlike Google, which indexes web page content, Shodan indexes banner information from services — open ports, server software, SSL certificates, and device metadata.

Shodan is an essential OSINT tool for recon in bug bounty and penetration testing.

Why It Matters

Shodan can find:

  • Exposed databases (MongoDB, Elasticsearch, Redis) with no authentication
  • Industrial control systems (SCADA, PLCs) accessible from the internet
  • Jenkins, Grafana, and admin panels with default credentials
  • Assets belonging to a target organization that are not in scope yet

Shodan Filters

Favicon Hash

Every website with a favicon (the small icon in the browser tab) can be found using a hash of that favicon. This is powerful for finding all servers running the same software or belonging to the same company.

import mmh3
import requests
import codecs

response = requests.get('https://cybersecurity.wtf/favicon.ico')
favicon = codecs.encode(response.content, "base64")
hash = mmh3.hash(favicon)
print(hash)

Then search Shodan:

http.favicon.hash:<hash>

ASN

Search by Autonomous System Number:

asn:AS12345

CIDR Range

Search for all IPs in a subnet:

net:192.168.1.0/24

Organization

org:microsoft
org:"target company name"

Expired Certificates

Find hosts with expired SSL certificates:

ssl.cert.expired:true

Certificate Common Name (CN)

Find certificates for a specific domain — useful for finding subdomains:

ssl.cert.subject.cn:example.com

WordPress Config Exposure

http.html:"* The wp-config.php creation script uses this file"

Jenkins

Find exposed Jenkins dashboards:

"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
x-jenkins 200
port:27017     # MongoDB
port:6379      # Redis
port:9200      # Elasticsearch
port:5900      # VNC
port:3389      # RDP

Combining Filters

org:target http.title:"admin" port:8080
ssl.cert.subject.cn:*.example.com port:443

Shodan CLI

# Install
pip install shodan

# Initialize
shodan init <API_KEY>

# Search
shodan search org:microsoft port:3389

# Download results
shodan download results.json.gz org:microsoft

# Convert to CSV
shodan convert results.json.gz csv

Practical Bug Bounty Workflow

# 1. Find all IPs for the target organization
shodan search "org:targetname" --fields ip_str,port

# 2. Find subdomains via certificate transparency
shodan search "ssl.cert.subject.cn:*.targetname.com" --fields ssl.cert.subject.cn

# 3. Find exposed admin panels
shodan search 'http.title:"admin panel" org:targetname'

# 4. Find expired certs (potential subdomain takeover)
shodan search 'ssl.cert.expired:true org:targetname'

Resources


This site uses Just the Docs, a documentation theme for Jekyll.