Shodan, often referred to as the “search engine for hackers,” allows users to search for devices connected to the internet — from webcams and routers to industrial control systems. While it has legitimate uses, it also reveals the darker side of the internet, exposing vulnerabilities and potential attack vectors for malicious actors.
Here’s a glimpse of some of the threats and warnings you might uncover when exploring Shodan’s dark side.
FTP Servers with Anonymous Login
"230 Login successful" "Anonymous user logged in" port:21
"220-FileZilla Server" "220- vsftpd 3.0.3" port:21Cameras and Unauthenticated Streams
"Server: RTSP/1.0 200 OK" port:554
"Server: DVRDVS-Webs" "200 OK" html:"camera"Unsecured Printers or Admin Panels
html:"HP LaserJet" "200 OK"
"Server: JetDirect" "PORT 9100"Open SMB Shares Without Authentication
"Authentication: disabled" "SMB" port:445Exposed SSH Banners with Weak Configurations
"SSH-2.0-OpenSSH_5" port:22Open cPanel/Webmin Admin Panels
html:"cPanel Login" http.title:"cPanel"
html:"Webmin" port:10000Exposed Remote Desktop Services
"Remote Desktop Protocol" port:3389
"Microsoft Windows XP RDP" port:3389
"Microsoft Terminal Services" "200 OK" port:3389Hacked or Defaced Pages
html:"Hacked by"
"html":"We hacked your company successfully" "title":"How to Restore Your Files"
html:"Your data is encrypted" title:"Ransomware Note"Vulnerable Apache Server Information Disclosure
"Apache/2.4.7" "200 OK"Exposed Docker API
"Docker" "200 OK" port:2375
"Docker" "200 OK" port:2375Exposed Redis Servers Without Passwords
"Redis server is running" port:6379
"Redis" "200 OK" port:6379Elasticsearch Databases Without Authentication
"name" "cluster_name" port:9200
"elasticsearch" "200 OK" port:9200MongoDB Databases Open to Public
"MongoDB Server Information" port:27017
"MongoDB" "200 OK" port:27017VNC Servers Without Authentication
"RFB 003.008" "Authentication: None" port:5900
"RFB 003.003" "VNC password" "protocol version 3.3"Unsecured WordPress Admin Panels
http.html:"/wp-login.php"Exposed Jenkins CI/CD Servers
"X-Jenkins" port:8080
"X-Jenkins" "200 OK" port:8080Routers and IoT Devices with Default Credentials
"Server: MikroTik" "401 Unauthorized"
"Server: Ubiquiti" "200 OK"SMB Information Disclosure for Windows Devices
"smb-os-discovery" port:445Citrix and NetScaler Gateway Login Pages
title:"Citrix Gateway" html:"ns_cookietest"Hadoop and HDFS Data Nodes Exposed
"Hadoop" "200 OK" port:50070Exposed Telnet Services
Weak Credentials
"Welcome to the Telnet service" port:23UPnP Services Exposed
"M-SEARCH" "HTTP/1.1" port:1900Vulnerable HTTP Headers
"X-Powered-By" "PHP/5.6.30" "200 OK"Zerologon Vulnerability
"windows-net" "Zerologon" "200 OK" port:445Vulnerable Web Servers
"Server: Apache/2.2.15 (CentOS)" "200 OK"Exposed JBoss Servers
No Authentication
"X-JBoss-Register" "200 OK" port:8080OpenVPN Configuration or Vulnerable Servers
"OpenVPN" "200 OK" port:1194Exposed SCADA Systems
"SCADA" "200 OK" port:502Exposed SMB Shares
"smb-os-discovery" "200 OK" port:445Default or Weak Web Application Firewalls
Blind SQL Injection
"WAF" "X-SQL" "200 OK"Exposed Shodan-Like Servers with Default Passwords
"Shodan" "200 OK" port:8080Key Takeaway
The Dark Side of Shodan reveals how easily exposed devices can be found by anyone with bad intentions. It underscores the critical importance of securing devices, services, and protocols. What you might consider mundane — such as an open port or a misconfigured service — can be a treasure trove for attackers looking for their next target. Proper network segmentation, up-to-date software, and good security hygiene are essential to minimizing these risks.
