/osint/ - OSINT

Open source intelligence gathering


Anonymous No. 1768501445038
shodan cheat sheet

### Query Syntax Reference

https://github.com/Daemon-AT4/Shodan_Cheet-Sheet#-query-syntax-reference

| Filter | Usage | Example |
| :---------------: | :-------------------------: | :----------------------: |
| `title:` | Search page title | `title:"Admin Panel"` |
| `product:` | Search product name | `product:"Apache"` |
| `port:` | Search specific port | `port:22` |
| `country:` | Filter by country code | `country:"US"` |
| `city:` | Filter by city | `city:"New York"` |
| `region:` | Filter by state/region | `region:"California"` |
| `org:` | Search by organization | `org:"Google"` |
| `asn:` | Search by ASN | `asn:AS15169` |
| `net:` | Search by IP range | `net:8.8.8.0/24` |
| `geo:` | Search by coordinates | `geo:"40.7128,-74.0060"` |
| `vuln:` | Search by vulnerability | `vuln:heartbleed` |
| `has_screenshot:` | Include/exclude screenshots | `has_screenshot:true` |
| `html:` | Search in HTML content | `html:"server version"` |
| `header:` | Search HTTP headers | `header:"Server: Nginx"` |

"default password"
server has_screenshot:true
hacked
org:"Verizon Business" port:8900(flock_camz)
title:camera
webcam has_screenshot:true
device:"voip"
product:MySQL
"in-tank inventory" port:10001
"Server: Prismview Player"
P372 "ANPR enabled"
mikrotik streetlight
"voter system serial" country:US
"Cisco IOS" "ADVIPSERVICESK9_LI-M"(wire_taps)
"[2J[H Encartele Confidential" (prison_phones)
http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
"Server: gSOAP/2.8" "Content-Length: 583"
"Cobham SATCOM" OR ("Sailor" "VSAT")
title:"Slocum Fleet Mission Control"
"[1m[35mWelcome on console"
"Siemens, SIMATIC" port:161
"Server: Microsoft-WinCE" "Content-Length: 12581"
"HID VertX" port:4070
"authentication disabled" "RFB 003.008"
title:"Weave Scope" http.favicon.hash:567176827
"MongoDB Server Information" port:27017 -authentication
"Set-Cookie: mongo-express=" "200 OK"
"Docker Containers:" port:2375
"dnsmasq-pi-hole" "Recursion: enabled"
"Android Debug Bridge" "Device" port:5555
Lantronix password port:30718 -secured
"Citrix Applications:" port:1604
PBX "gateway console" -password port:23
"Polycom Command Shell" -failed port:23
"Authentication: disabled" port:445
"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445
"Server: Logitech Media Server" "200 OK"

#### **General Search Queries**

Shodan allows users to create queries to locate specific devices, services, or configurations. Here are some of the most widely used queries:

- **city:"[city name]"**: Find devices located in a specific city.
  Example: `city:"New York"` searches for devices in New York City.
- **country:"[country code]"**: Search for devices in a specific country.
  Example: `country:"US"` finds devices in the United States.
- **geo:"[latitude],[longitude]"**: Search for devices at a specific geographical location.
  Example: `geo:"40.7128,-74.0060"` searches around New York City’s coordinates.
- **hostname:"[hostname]"**: Look for devices with a specific hostname.
  Example: `hostname:"example.com"` returns devices hosted under example.com.
- **net:"[IP range]"**: Find devices within a certain IP range.
  Example: `net:"192.168.1.0/24"` finds devices in the IP range 192.168.1.0-192.168.1.255.
- **os:"[operating system]"**: Search for devices running a specific operating system.
  Example: `os:"Windows"` returns devices running Windows.
- **port:"[port number]"**: Find devices with a specific open port.
  Example: `port:22` returns devices with SSH running on port 22.
- **org:"[organization name]"**: Search for devices associated with a particular organization.
  Example: `org:"Google"` finds devices associated with Google.
- **isp:"[ISP name]"**: Search for devices using a specific ISP.
  Example: `isp:"Comcast"` finds devices using Comcast as their ISP.
- **product:"[product name]"**: Find devices running a specific software product.
  Example: `product:"Apache"` returns devices running the Apache web server.
- **version:"[version number]"**: Search for devices running a particular version of software.
  Example: `version:"5.7"` returns devices running MySQL version 5.7.
- **has_screenshot:"true"**: Find devices with available screenshots.
  Example: `has_screenshot:true` returns devices that include a screenshot.
- **ssl.cert.subject.cn:"[common name]"**: Search for SSL certificates with a specific common name.
  Example: `ssl.cert.subject.cn:"example.com"` finds certificates for example.com.
- **http.title:"[title text]"**: Find web pages with a specific title.
  Example: `http.ti
Reply 👍 0 👎 0
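As an added example (not part of the post above or the linked cheat sheet), a small Python tokenizer and builder for the `filter:value` syntax shown in the table and the list: it handles `-` negation, dotted filters such as `http.favicon.hash`, and quoted values containing spaces or colons, and it checks that a query carries a scoping filter (`net:`, `org:`, `asn:`, `hostname:`) before you run it, the habit you want when using these filters to monitor your own exposure. `TOKEN`, `SCOPE_FILTERS` and the function names are my own choices.

```python
import re

# Added example (not from the post or the linked cheat sheet). Grammar covered:
# optional "-" negation, optional "filter:" prefix (letters, digits, "_" and "."
# so dotted filters such as http.favicon.hash work), then a double-quoted value
# or a bare value with no whitespace. OR and parentheses are not interpreted;
# they simply come through as free-text terms.
TOKEN = re.compile(r'(-?)(?:([A-Za-z0-9_.]+):)?(?:"([^"]*)"|([^\s"]+))')

# Filters that pin a search to infrastructure you own (assumed set, my choice).
SCOPE_FILTERS = {"net", "org", "asn", "hostname"}


def parse_query(query):
    """Split a Shodan query into (negated, filter, value) triples.

    filter is None for free-text terms such as "default password".
    """
    if query.count('"') % 2:
        raise ValueError("unbalanced double quote in query")
    terms = []
    for m in TOKEN.finditer(query):
        neg, name, quoted, bare = m.groups()
        terms.append((neg == "-", name, quoted if quoted is not None else bare))
    return terms


def build_query(terms):
    """Serialise triples back into query text, quoting only values that need it."""
    parts = []
    for negated, name, value in terms:
        if '"' in value:
            raise ValueError("a value cannot contain a double quote")
        # Quote when the value is empty, would read as negation, or contains
        # whitespace or a colon (which would otherwise be taken as a filter).
        if value == "" or value.startswith("-") or re.search(r"[\s:]", value):
            value = f'"{value}"'
        parts.append(("-" if negated else "") + (f"{name}:" if name else "") + value)
    return " ".join(parts)


def is_scoped(terms):
    """True when at least one non-negated term restricts the search to your own assets."""
    return any(not neg and name in SCOPE_FILTERS for neg, name, _ in terms)


if __name__ == "__main__":
    for q in ('header:"Server: Nginx" net:8.8.8.0/24', "webcam has_screenshot:true"):
        terms = parse_query(q)
        print(q, "->", terms, "| scoped:", is_scoped(terms))
```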
Anonymous No. 1768238455516
Maigret
Install Maigret (Linux/macOS/Windows)
Option A: Install from GitHub (most common)
git clone https://github.com/soxoj/maigret && cd maigret
python3 -m pip install -r requirements.txt

Maigret requires Python 3.7+.

Option B: Run it without “installing” (still from the repo)

After cloning + requirements:

python3 maigret --help

(That’s how the project demonstrates running it.)

How to use Maigret (the stuff that matters)
1) Basic username scan (show only hits)
python3 maigret --print-found someusername

This is the core workflow shown in the project demo.

2) Try recursive discovery (find related usernames)
python3 maigret --ids --print-found --skip-errors someusername

That example is straight from the demo section.

3) Pro tip

Start with one username, then rerun on any aliases it discovers. Maigret’s strength is correlation across platforms.
Reply 👍 0 👎 0
Anonymous No. 1767807256974
SpiderFoot. It’s a classic “OSINT automation” tool: you point it at a target (domain, IP, name, emai
What it’s for

Building a wide intel graph fast: domains, subdomains, IPs, ports (from public sources), leaked creds mentions, social links, DNS records, tech fingerprints, etc.

Great for pivoting: you start with example.com, then SpiderFoot finds related domains, hosts, emails, and sometimes exposed metadata you didn’t think to search manually.

Best used as an early recon mapper, then you verify findings with targeted tools.

How to use it (practical)
Install

Kali/Ubuntu/Debian-ish:

sudo apt update
sudo apt install spiderfoot

If your repo doesn’t have it, you can run it from source (common approach):

git clone https://github.com/smicallef/spiderfoot.git
cd spiderfoot
python3 -m pip install -r requirements.txt
python3 sf.py -l 127.0.0.1:5001

Start the web UI
spiderfoot -l 127.0.0.1:5001

Then open your browser to:
http://127.0.0.1:5001

Run a scan (web UI way)

Click New Scan

Target: example.com (or IP/email/name/etc.)

Pick scan type:

All (noisy but thorough)

Footprint (good “first pass” for domains)

Passive (safer / less aggressive)

Start scan and watch results populate.

CLI scan (if you prefer terminal)

From the SpiderFoot folder:

python3 sf.py -s example.com -m all -o json > results.json

-s target

-m all modules

-o json output format

(Exact flags can vary slightly by version, but that’s the common pattern.)

What to look for in the output

New domains / subdomains you didn’t know existed (especially dev, stage, old, beta, admin).

DNS + infrastructure links: shared hosting, shared IPs, ASN, name servers.

Email / username hits: patterns that help identify real staff vs. junk data.

Leaky breadcrumbs: paste mentions, document metadata, code repo references, third-party services.

Best practice: “Trust but verify”

SpiderFoot is awesome, but it can produce false positives.

Treat results as leads, not truth.

Verify critical findings with direct checks (DNS resolve, HTTP probe, manual search, etc.).

Common problems + quick fixes

API keys: some modules are much better with keys (Shodan, HaveIBeenPwned, etc.). Without keys, scans still work, just with fewer hits.

Too much noise: don’t run “All” every time. Start with “Footprint” or “Passive.”

Scan feels slow: reduce modules, reduce target scope, or run fewer concurrent requests in settings.
Reply 👍 0 👎 0
Anonymous No. 1767806830509
theHarvester. It’s one of the most common “first-pass” OSINT tools for collecting emails, subdomains
What it’s for

Finding employee email addresses that are publicly indexed (good for building contact maps and spotting patterns like first.last@company.com).

Discovering subdomains and related hosts (useful for recon + expanding your attack surface map in authorized tests).

Getting a quick “OSINT snapshot” before you do deeper enumeration.

How to use it (practical)
Install

Kali/Parrot (usually easiest):

sudo apt update
sudo apt install theharvester

If your distro doesn’t have it or it’s outdated, you can use pip (varies by distro), but apt is the cleanest when available.

Basic run (domain recon)
theHarvester -d example.com -b all

-d = target domain

-b = data source (“backend”). all tries multiple sources.

Use specific sources (more control)
theHarvester -d example.com -b google,bing,duckduckgo

This is often more stable than all if one source rate-limits you.

Limit results (faster, less noisy)
theHarvester -d example.com -b bing -l 200

-l 200 caps how many results it pulls (good for quick runs).

Save output (so you can report it)
theHarvester -d example.com -b all -f example_osint

This saves results to files (HTML/XML/JSON depending on version). Check the created files in your directory.

What you should look for in the output

Emails: patterns, departments, third-party services (e.g., marketing tools) that might indicate other exposed systems.

Hosts/Subdomains: anything interesting like:

dev. / staging. / test. (often softer targets)

old portals: vpn., owa., mail., jira., git., sso.

Repetition across sources: if multiple sources show the same host, it’s more likely real.

Common “why is it not working?” fixes

Rate limiting / captchas: try fewer sources, or run from a clean IP, or use a different backend.

Garbage results: narrow sources and lower -l.

Nothing found: that can be normal—some orgs are just clean, or block indexing.

Ethical line (important)

Only run it against domains you own or have permission to assess. OSINT still counts as recon in most engagement rules.
Reply 👍 1 👎 1
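The "what to look for in the output" checks from the post above, as an added Python example that is not part of the post or of theHarvester: it infers the dominant e-mail naming convention for your domain (dropping third-party addresses), flags hosts whose leftmost label starts with one of the prefixes the post lists, and keeps only hosts that more than one source reported. It works on plain lists of emails and hosts you pull out of theHarvester's saved output, since the file layout differs by version; the sample lists, `WATCH_PREFIXES` and the function names are my own constructions.

```python
from collections import Counter
import re

# Added example, not from the post or theHarvester itself: triage helpers for
# plain lists of emails/hosts taken from its output (file layout varies by
# version, so no file parser is assumed). Prefixes are those the post lists.
WATCH_PREFIXES = ("dev", "staging", "test", "vpn", "owa", "mail", "jira", "git", "sso")

def classify_local_part(local):
    """Label the naming convention of one e-mail local part."""
    if re.fullmatch(r"[a-z]+\.[a-z]+", local):
        return "first.last"
    if re.fullmatch(r"[a-z]+_[a-z]+", local):
        return "first_last"
    if re.fullmatch(r"[a-z]+", local):
        return "single-token"  # jsmith, info, sales: not separable without more data
    return "other"

def naming_convention(emails, domain):
    """Most common convention at `domain`; other domains count as third-party noise."""
    counts = Counter()
    for addr in emails:
        local, _, dom = addr.lower().rpartition("@")
        if dom == domain:
            counts[classify_local_part(local)] += 1
    return counts.most_common(1)[0][0] if counts else None

def flag_hosts(hosts, domain):
    """Hosts under `domain` whose leftmost label starts with a watched prefix."""
    flagged = set()
    for host in hosts:
        host = host.lower().rstrip(".")
        if host.endswith("." + domain):
            label = host[: -len(domain) - 1].split(".")[0]
            if label.startswith(WATCH_PREFIXES):
                flagged.add(host)
    return sorted(flagged)

def corroborated(hits_by_source, minimum=2):
    """Hosts reported by at least `minimum` sources (the post's repetition check)."""
    seen = Counter()
    for hosts in hits_by_source.values():
        seen.update({h.lower().rstrip(".") for h in hosts})
    return sorted(h for h, n in seen.items() if n >= minimum)

# Constructed sample results, not real theHarvester output.
SAMPLE_EMAILS = ["jane.doe@example.com", "John.Smith@example.com", "info@example.com",
                 "hr_team@example.com", "noreply@mailer.example.net"]
SAMPLE_BY_SOURCE = {"bing": ["www.example.com", "dev.example.com", "vpn.example.com"],
                    "duckduckgo": ["www.example.com", "Dev.example.com", "staging.example.com"],
                    "google": ["www.example.com", "vpn.example.com", "cdn.example.com"]}
```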