Devices Search Engines

SHODAN - Shodan.io & Shodan2000

Shodan has several powerful yet easy to use filters which prove handy during VA/PT exercises. The usage of filters is usually of the form filter:value.Some of the most common basic filters that you can use in Shodan are as follows.

  • Country: The country filter allows users to search for computers running services in a particular country. The country code is specified as a two-letter word.
  • Usage: cisco country: IN (searches for Cisco devices in the particular country. In this case, it’s India).
  • Host name: This useful option in Shodan lets you find a particular service or the service running in specified hosts or domains.
  • Usage: “Server:IIS” host name: domain name.
  • Net: This filter is used to scan a particular IP address or subnet range. The service name can also be added along with the IP address or subnet.
  • Usage: For scanning an IP address: net: IP).
  • Port: This filter allows you to scan a particular service. For instance, FTP (21), HTTP (80).
  • Usage: Service port number.
  • Operating system (OS): This Shodan filter helps you to identify a service with a required OS. You can use it to find the service running on the particular OS.
  • Usage: Service: OS: OS name.
  • After/before: This option helps or returns the query, changed or unchanged before.
  • Example: apache after: 22/03/2010 before: 4/6/2010.

SOURCE: https://www.computerweekly.com/tip/Shodan-search-engine-for-penetration-tests-How-to

FOFA - Fofa.io

Directly enter the query, search from the title, html content, http header information, url field.

  • Title=”abc” Search for abc from the title. Example: There is a website in Beijing in the title.
  • Header=”abc” Search for abc from the http header. Example: jboss server.
  • Body=”abc” Search for abc from the html body. Example: The body contains Hacked by.
  • Domain=”qq.com” Searches for websites with root domains with qq.com. Example: The root domain name is the website of qq.com.
  • Host=”.gov.cn” Search for .gov.cn from the url, pay attention to the search to use host as the name. Example: government website, education website.
  • Port=”443” Find the corresponding port 443 asset. Example: Find the corresponding 443 port asset.
  • Ip=”” Search the website containing from ip, pay attention to the search to use ip as the name. Example: Query the website with the IP address ; if you want to query the network segment, you can: ip=””, for example, query the C network segment asset with the IP address
  • Protocol=”https” Search for the protocol type (valid when port scanning is enabled). Example: Query https protocol assets.
  • City=”Beijing” Searches for assets in a given city. Example: Search for assets in a given city.
  • Region=”Zhejiang” Searches for assets in a given administrative district. Example: Search for assets in a designated administrative district.
  • Country=”CN” Searches for assets in a specified country (code). Example: Search for assets in a given country (code)
  • Cert=”google” Search for certificates (https or imaps, etc.) with google’s assets. Example: Search for a certificate (https or imaps, etc.) with google assets.
  • Banner=users && protocol=ftp Searches for assets with user text in the FTP protocol. Example: Search for assets with user text in FTP protocol.
  • Type=service Searches all protocol assets and supports subdomain and service. Example: Search all protocol assets.
  • Os=windows Search for Windows assets. Example: Searching for Windows assets.
  • Server==”Microsoft-IIS/7.5” Search for the IIS 7.5 server. Example: Searching for IIS 7.5 server.
  • App=”Hikvision - Video Surveillance” Search for Hikvision devices, more app rules . Example: Searching for Hikvision devices
  • After=”2017” && before=”2017-10-01” Time range search. Example: Time range search , note: after is greater than and equal, before is less than, here after=”2017” is the date is greater than and equal to 2017-01-01 data, and before=”2017-10-01” is Less than 2017-10-01.
  • Asn=”19551” Search for the assets of the specified asn. Example: Search for assets of the specified asn.
  • Org=”Amazon.com, Inc.” searches for assets for a specified org (organization). Example: Search for assets of a specified org (organization).
  • Base_protocol=”udp” Searches for the assets of the specified udp protocol. Example: Search for assets of the specified udp protocol.

Advanced search: you can use parentheses and symbols such as && || !=, such as. Title=”powered by” && title!=discuz. Title!=”powered by” && body=discuz. ( body=”content="WordPress” || (header=”X-Pingback” && header=”/xmlrpc.php” && body=”/wp-includes/”) ) && host=”gov.cn” Added == exact match symbol to speed up the search, such as finding all hosts of qq.com, which can be domain==”qq.com”. For the search syntax of the website software, please refer to: component list.

Precautions: If the query expression has multiple ORs, try to include it with () and it’s time to use your imagination ;) SOURCE: https://fofa.so/

ZOOMEYE - ZoomEye.org

ZoomEye supports both web fingerprint and device banner. Web fingerprints consists of version, frontend framework, web framework, server-side programming language, web container, content management system, database, etc. Device banner includes OS, open ports, geography location, ISP, ASN, etc.

  • For websites using PHP as backend: php.
  • For devices running VxWorks: VxWorks.

Upgrade to geek mood, there are some shortcut key useful. Just try it everywhere.

  • Shift/ Show shortcut manual.
  • Esc Hide shortcut manual.
  • Shift h Back to index.
  • Shift s Advanced Search.

CENSYS - censys.io

By default, Censys performs full-text searches. For example, searching for Dell will find any hosts where the word Dell appears in the record—it won’t limit the search to Dell manufactured devices. However, this is possible by querying specific fields using the follow syntax:

  • Specifying Fields Censys records are structured and allow querying specific fields. For example, you can search for all hosts with a specific HTTP status code with the following query: 80.http.get.status_code: 200. You can view a list of defined fields under the Data Definitions tab or by looking at the details of a host. For example, here are the fields for the Censys web server.
  • Boolean Logic You can compose multiple statements using the terms and, or, not, and parentheses. For example, (“Schneider Electric” or Dell) and By default, all included terms are optional (i.e., executed as an or statement).
  • Networks, Host Names, and Protocols You can search for IP addresses using CIDR notation (e.g., ip: or by specifying a range of addresses: ip:[ TO]. You can search for hosts that serve a particular protocol by searching the protocols field, e.g., protocols: “102/s7”. Inline DNS queries are possible with the following syntax: a:facebook.com and mx:gmail.com
  • Ranges You can search for ranges of numbers using [ and ] for inclusive ranges and { and } for exclusive ranges. For example, 80.http.get.status_code:[200 TO 300]. Dates should be formatted using the following syntax: [2012-01-01 TO 2012-12-31]. One sided limits can also be specified: [2012-01-01 TO *]. Warning! The TO operator must be capitalized.
  • Wildcards and Regular Expressions By default, Censys searches for complete words. In other words, the search Del will not return records that contain the word Dell. Wildcard searches can be run on individual terms, using ? to replace a single character, and * to replace zero or more characters. For example, if you want to search for words that start with Del, you would search for Del*. You can also search using regular expressions, e.g., metadata.manufacturer:/De[ll]/. The full regex syntax is available here.
  • Boosting The boost operator (^) can be used to make one term more relevant than another. For example, metadata.manufacturer: Dell^2 OR “Schneider Electric” places more preference on the Dell keyword.
  • Reserved Characters The following characters must be escaped with a backslash: + - = & || > < ! ( ) { } [ ] ^ “ ~ * ? : \ /.

SOURCE: https://censys.io/ipv4/help

INSECAM - insecam.org

Network live IP video cameras directory Insecam.com

Welcome to Insecam project. The world biggest directory of online surveillance security cameras. Select a country to watch live street, traffic, parking, office, road, beach, earth online webcams. Now you can search live web cams around the world. You can find here Axis, Panasonic, Linksys, Sony, TPLink, Foscam and a lot of other network video cams available online without a password. Mozilla Firefox browser is recommended to watch network cameras. The following actions were made to Insecam for the protection of individual privacy:

  • Only filtered cameras are available now. This way none of the cameras on Insecam invade anybody’s private life.
  • Any private or unethical camera will be removed immediately upon e-mail complaint. Pleaseprovide a direct link to help facilitate the prompt removal of the camera.
  • If you do not want to contact us by e-mail, you can still remove your camera from Insecam. The only thing you need to do is to set the password ofyour camera.
  • You can add your camera to the directory by following next link. It will be available only after adminitrator’s approval.

THINGFUL - thingful.net

A Search Engine for the Internet of Things Find & use open IoT data from around the world.

IntelligenceX - intelx.io

Intelligence X is a search engine and data archive. Intelligence X is an independent European technology company founded in 2018 by Peter Kleissner. The company is based in Prague, Czech Republic. Its mission is to develop and maintain the search engine and data archive. Intelligence X differentiates itself from other search engines in these unique ways: The search works with selectors, i.e. specific search terms such as email addresses, domains, URLs, IPs, CIDRs, Bitcoin addresses, IPFS hashes, etc. It searches in places such as the darknet, document sharing platforms, North Korea and soon more. It keeps a historical data archive of results, similar to how the Wayback Machine from archive.org stores historical copies of websites. Our target customers are companies of all sizes and governments. Contact us for individual plans that match your organizations’ needs. You can use Intelligence X to perform any kind of open source intelligence. We deliver fast, high-quality results and make the deepest parts of the internet accessible with a few clicks. Intelligence X searches billions of selectors in a matter of milliseconds. Combined with our data archive this is a powerful new tool.

IVRE - ivre.rocks

IVRE is an open-source framework for network recon. It relies on open-source well-known tools (Nmap, Zmap, Masscan, Bro and p0f) to gather data (network intelligence), stores it in a database (MongoDB), and provides tools to analyze it. It includes a Web interface aimed at analyzing Nmap scan results (since it relies on a database, it can be much more efficient with huge scans than a tool like Zenmap, the Nmap GUI, for example). IVRE means Instrument de veille sur les réseaux extérieurs, and is French for DRUNK, Dynamic Recon of Unknown NetworKs. It’s free software, and it’s on GitHub!

BINARY EDGE - binaryedge.io

We continuously collect and correlate data from internet accessible devices, allowing organizations to see what is their attack surface and what they are exposing to attackers.

  • Ports and Services Exposure
  • Possible Vulnerabilities
  • Accessible Remote Desktops
  • Invalid SSL Certificates
  • Misconfigured Network Shares
  • Databases We map these digital assets to Organizations to be able to show their Known and Unknown assets.

ONYPHE - onyphe.io

ONYPHE is a search engine for open-source and cyber threat intelligence data collected by crawling various sources available on the Internet or by listening to Internet background noise. ONYPHE does correlate this information with data gathered by performing active Internet scanning for connected devices. It then normalizes information and makes it available via an API and its query language.