Quartz 🪬

❯

❯

Shodan & Censys Dorking

Shodan & Censys Dorking

Apr 10, 20252 min read

fleeting
recon

Filtering by Organization

Shodan: org:"Intigriti"
Censys: host.autonomous_system.organization:"Intigriti"

Thông qua tên doanh nghiệp hoặc domain được tìm thấy trong chứng chỉ SSL:

Shodan: ssl:"Intigriti" hoặc ssl.cert.subject.CN:"intigriti.com"
Censys: host.services.cert.parsed.subject.organization:"Intigriti" or web.cert.parsed.subject.organization:"Intigriti" hoặc services.tls.certificate.names:"intigriti.com"

Filtering by Autonomous System Number (ASN)

Shodan: asn:AS19551
Censys: host.autonomous_system.asn="19551"

Filtering by HTTP Status Code

Shodan: http.status:200 org:"Intigriti"
Censys: services.http.response.status_code:200 AND autonomous_system.organization: "Intigriti"

Finding More Subdomains Using Favicons

Tìm theo favicon:

Shodan: http.favicon.hash:<favicon_hash>
Censys: services.http.response.favicons.hashes:<favicon_hash>

Finding More Targets with Unique Keywords

Có thể thông qua các từ khóa độc nhất trong response mà chỉ target có, chẳng hạn như:

Các script phân tích (với ID tracking độc nhất chẳng hạn như Google Tag Manager IDs)
Copyright
Tên công ty
Custom response headers
etc

Tìm dựa trên các từ khóa như sau:

Shodan: http.html:"© copyright <company>"
Censys: services.http.response.body:"© copyright <company>"

Filtering by Technologies

Shodan: org:<company> http.component:php
Censys: autonomous_system.organization:"<company>" AND services.software.product:"PHP"

Finding Forgotten Hosts

Tìm thông qua các host có chứng chỉ SSL hết hạn:

Shodan: org:<company> ssl.cert.expired: true
Censys: autonomous_system.organization:"<company>" AND services.tls.certificate.parsed.validity_period.not_after: 2024-11-17

Finding Authentication Panels and Endpoints

Shodan: org:<company> http.title:Login,Log in,Register,Signin, Sign in, Sign up
Censys: autonomous_system.organization:"<company>" AND services.http.response.html_title: {"Login", "Log in", "Register", "Signin", "Sign in", "Sign up"}

Finding Sites with Directory Listings Enabled

Shodan: org:<company> http.title:"Index of"
Censys: autonomous_system.organization:"<company>" AND services.http.response.html_title: "Index of *"

Finding Sites Running on Non-standard HTTP Ports

Shodan: org:<company> http.status:200,404 -port:80 -port:443 -port:8080 -port:8443
Censys: autonomous_system.organization:"<company>" AND services: (service_name: HTTP and not port: {80, 443, 8080, 8443})

Finding Suspicious HTTP Redirects

Shodan: org:<company> http.status:301,302,303
Censys: autonomous_system.organization:"<company>" AND services.http.response.status_code: [300 to 399]

Finding Sites Running Jenkins

Shodan: org:<company> product:jenkins
Censys: autonomous_system.organization:"<company>" AND services.software.vendor: jenkins

Resources

Shodan & Censys for beginners: How to find more vulnerabilities
GitHub - lothos612/shodan: Shodan Dorks

Filtering by Organization
Filtering by Autonomous System Number (ASN)
Filtering by HTTP Status Code
Finding More Subdomains Using Favicons
Finding More Targets with Unique Keywords
Filtering by Technologies
Finding Forgotten Hosts
Finding Authentication Panels and Endpoints
Finding Sites with Directory Listings Enabled
Finding Sites Running on Non-standard HTTP Ports
Finding Suspicious HTTP Redirects
Finding Sites Running Jenkins
Resources

Created with Quartz v4.5.2 © 2025

GitHub
Discord Community