Shodan Dorking: 50+ Dorks To Uncover the Hidden World
Imagine typing a few words into a search bar and instantly accessing traffic lights, baby monitors, or even industrial control systems.
Welcome to Shodan, the “Google for hackers.”
But here’s the twist: you don’t need to be a hacker to use it. Let’s explore how Shodan dorking works, why it’s a cybersecurity wake-up call, and how to protect yourself—with over 50 real-world search examples.
What Is Shodan (And Why Should You Care?)
Shodan isn’t your average search engine. Instead of indexing websites, it scans the internet for devices—routers, cameras, servers, even refrigerators—connected to the web. While this sounds like sci-fi, the scary part is how many of these devices are wide open due to default passwords, outdated software, or misconfigurations.
Shodan dorking uses targeted search queries (similar to “Google dorks”) to find exposed or vulnerable systems. Defenders and ethical hackers use it to identify risks in their own footprint, while malicious actors use the same queries to pick targets. Either way, understanding Shodan is crucial for anyone who cares about digital privacy and security.
50+ Shodan Dork Examples
Below are categorized search queries to help you grasp the sheer variety of exposed devices.
Use these responsibly—always get permission before probing networks.
1. Webcams & Surveillance Systems
`product:"webcam"` – Generic webcams.
`"Camera" http.component:"livecam"` – Live camera feeds.
`has_screenshot:true` – Devices with captured screenshots (creepy, right?).
`port:554` – RTSP streams (often used for IP cameras).
`title:"CCTV"` – CCTV camera interfaces.
`"D-Link Internet Camera"` – Specific D-Link models.
`html:"AXIS Video Server"` – Axis-branded surveillance systems.
2. Industrial Control Systems (ICS/SCADA)
`product:"modbus"` – Modbus industrial protocols.
`port:502` – Default port for Modbus.
`"SCADA"` – Supervisory control and data acquisition systems.
`"Siemens SIMATIC"` – Siemens industrial controllers.
`"Rockwell Automation"` – Rockwell PLCs.
`"HMI login"` – Human-Machine Interface dashboards.
3. Databases Left in the Wild
`port:3306` – MySQL databases.
`port:5432` – PostgreSQL servers.
`"MongoDB Server Information"` – Unsecured MongoDB instances.
`"Elasticsearch"` – Exposed Elasticsearch clusters.
`product:"Redis"` – Redis data stores without authentication.
`"CouchDB" "200 OK"` – Public CouchDB databases.
4. Network Devices (Routers, Printers, etc.)
`"Cisco Router" http.title:"Login"` – Cisco router login pages.
`"Printer" port:9100` – Network-connected printers.
`"HP JetDirect"` – HP printer servers.
`"Ubiquiti" country:"US"` – Ubiquiti devices in the U.S.
`"RouterOS" "MikroTik"` – MikroTik router configurations.
`"DVR Login"` – Digital video recorder panels.
5. IoT Devices Gone Rogue
`"Smart TV" http.component:"lg webos tv"` – LG Smart TVs.
`"Philips Hue"` – Unsecured smart lights.
`"Roku" port:8060` – Roku media players.
`"Sonos"` – Sonos speakers.
`"Xbox"` – Yes, even game consoles.
6. Servers & Services Exposing Data
`"Apache/2.4.49"` – A vulnerable Apache version.
`"nginx" "index of /"` – NGINX servers with directory listing.
`"Welcome to FTP Server"` – Open FTP servers.
`"phpmyadmin" "log in"` – PHPMyAdmin login pages.
`port:22 "SSH-2.0"` – SSH services (look for weak passwords).
`"Oracle WebLogic Server"` – Often-targeted enterprise servers.
7. Medical & Office Equipment
`"hospital" product:"imaging"` – Medical imaging devices.
`"Xerox" "printer"` – Office printers.
`"PACS Server"` – Picture Archiving and Communication Systems.
8. Government & Critical Infrastructure
`org:"Government"` – Devices under government orgs.
`"power plant"` – Self-explanatory (yikes).
`"water treatment"` – SCADA systems for utilities.
9. Fun (But Risky) Finds
`"Tesla Charger"` – Electric vehicle chargers.
`"VNC" "RFB 003.008"` – Virtual Network Computing setups.
`"SQL Server Browser"` – Microsoft SQL servers.
`"Apache Tomcat"` – Often misconfigured Tomcat servers.
`"gitlab" "sign in"` – Exposed GitLab instances.
10. Geolocation-Based Searches
`city:"Tokyo"` – Devices in Tokyo.
`country:"CN" port:80` – Chinese web servers.
`region:"Europe" product:"firewall"` – European firewalls.
`geo:"52.5200,13.4050"` – Berlin-based devices (coordinates).
Bonus: The "Oh No" Category
`"default password"` – Systems admitting to default creds.
`"password" port:21` – FTP servers with “password” in banners.
`"admin" "1234"` – The classic combo.
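The practical defender's question is which of these dorks would surface your own assets. The following is an added example, not part of the original post: a small evaluator for Shodan dork syntax (`filter:value`, `filter:"quoted value"`, and bare `"free text"` matched against the banner, with terms ANDed together) run against a constructed local asset inventory. The inventory records, the field names on them, and the free-text-matches-banner rule are assumptions of this example.

```python
"""Evaluate Shodan-style dorks against a local asset inventory (self-assessment)."""
import re
from typing import Dict, List, Optional, Tuple

# One term is: optional filter name (dots allowed, e.g. http.title) + quoted or bare value.
TOKEN_RE = re.compile(r'(?:(\w+(?:\.\w+)*):)?(?:"([^"]*)"|(\S+))')


def parse_dork(dork: str) -> List[Tuple[Optional[str], str]]:
    """Split a dork into (filter_name, value) terms; filter_name None means free text."""
    return [(m.group(1), m.group(2) if m.group(2) is not None else m.group(3))
            for m in TOKEN_RE.finditer(dork)]


def term_matches(asset: Dict, name: Optional[str], value: str) -> bool:
    """Assumed semantics: free text searches the banner; filters compare their field."""
    if name is None:
        return value.lower() in asset.get("banner", "").lower()
    field = asset.get(name)
    if field is None:
        return False
    if name == "port":                      # exact numeric match
        return str(field) == value
    return value.lower() in str(field).lower()  # case-insensitive substring


def dork_matches(asset: Dict, dork: str) -> bool:
    """Shodan ANDs terms by default: every term must match."""
    return all(term_matches(asset, n, v) for n, v in parse_dork(dork))


def exposed_assets(inventory: List[Dict], dorks: List[str]) -> Dict[str, List[str]]:
    """Map each dork to the ids of inventory assets it would surface."""
    return {d: [a["id"] for a in inventory if dork_matches(a, d)] for d in dorks}


# Constructed sample inventory (hypothetical hosts, not real data).
INVENTORY = [
    {"id": "cam-01", "port": 554, "product": "webcam", "country": "US",
     "banner": "RTSP/1.0 200 OK\nServer: IP Camera"},
    {"id": "plc-02", "port": 502, "product": "modbus", "country": "US",
     "banner": "Modbus/TCP\nUnit ID: 1"},
    {"id": "db-03", "port": 27017, "product": "MongoDB", "country": "US",
     "banner": "MongoDB Server Information\nbuild: 4.4"},
    {"id": "web-04", "port": 443, "product": "nginx", "http.title": "Login",
     "banner": "HTTP/1.1 200 OK\nServer: nginx"},
]
DORKS = ['port:554', 'product:"modbus"', '"MongoDB Server Information"',
         '"nginx" "index of /"', 'port:502 country:"US"']

if __name__ == "__main__":
    for dork, hits in exposed_assets(INVENTORY, DORKS).items():
        print(f"{dork:35} -> {hits}")
```

Feed it your real asset export and the dork list from this post to see which hosts need hardening before someone else finds them.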
For more Shodan dorks, refer to the following GitHub links:
- https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/shodan-dorks.txt
- https://gist.github.com/corrupted-brain/b92c4fa24abb384722f756c9163885c2
- https://github.com/nullfuzz-pentest/shodan-dorks
The Shodan dorks above will help with reconnaissance for OSINT or bug bounty work.
Thank you for reading until the end.