Shodan: Hidden Bug Bounty Tool

What is Shodan?

Shodan is a search engine for Internet-connected devices and a powerful tool for bug hunters. It provides a wealth of information about a target's systems, networks, and online presence, making it an invaluable resource for conducting initial reconnaissance and identifying potential attack surfaces.

Why use it for bug bounties?

This tool allows bug hunters to search for Internet-connected devices, including web servers, routers, and other types of systems. it also provides detailed information about a target's systems, including the operating system, web server software, and programming language.

This information can be used to identify potential attack surfaces and to determine the target's security posture.

How to use it for bug bounties?

Here are a few practical ways to use it:

• Find devices by IP address: It allows you to search for specific IP addresses, which can be useful if you already have a target in mind. For example, you can search for "192.168.1.1" to see if any internet-connected devices use that IP address.
• Find devices by keywords: It also allows you to search for devices based on keywords, such as specific manufacturers, operating systems, or protocols. For example, you can search for "webcam" to find all internet-connected cameras or "IoT" to find all internet-connected devices.
• Filter your results: It provides a number of filters that allow you to refine your search results, including location, operating system, and the web server. For example, you can use the "city" filter to search for devices in a specific city or the "os" filter to search for devices running a specific operating system.
• View device details: It provides detailed information about each device, including the IP address, hostname, operating system, and open ports. This information can be useful for identifying potential attack surfaces and determining the type of device you're dealing with.
• Use the API: It provides an API that allows you to automate your searches and access the information in a programmatic manner. This can be useful if you want to integrate results into your bug-hunting workflow or if you need to search for a large number of devices.

Dorks to utilize in Shodan

"port: 80 country:US" - This dork will find all the devices in the United States that have port 80 open, which is typically used for HTTP 

"port: 22 product: OpenSSH" - This dork will find all the devices that have port 22 open and are running 

"hostname: example.com" - This dork will find all devices that are associated with the domain "example.

"net: 203.0.113.0/24" - This dork will find all the devices within a specific network range, in this case, the IP range of 203.0.113.0/

"title: Login" - This dork will find all devices with a web page that has "Login" in the 

"ssl:/C=US/ST=California/L=Los Angeles/O=Example/OU=Example/CN=example.com" - This dork will find all devices that have a SSL certificate matching the specified 

"http.component: WordPress" - This dork will find all devices running 

"http.favicon.hash:-335242539" - This dork will find all devices with the same favicon hash, which can be useful in identifying related or duplicate 

"os: Windows" - This dork will find all devices running a Windows operating 

"http.html: password" - This dork will find all devices with the word "password" in their HTML.        

Let me know if you find success using Shodan!

(btw I'll post my favorite shodan dorks for bug bounties next week!)

________________________

?? Follow my newsletter for more tips on crushing bug bounties in 2024!

?? Contact me: [email protected]