Skip to content

Web Scanners


  • query ASN via whois:
    • whois -H -h " -v $IP"
  • reverse ip to dns lookup:
  • List of OpenSource WebScanners

(Port) Scanner

  • nmap

    • Common Ports of web applications including non standards:
      • 80,81,82,83,84,85,86,88,90,300,443,444,591,593,631,832,981,1010,1311,1935,2052,2053,2069,2078,2079,2080,2082,2083,2086,2087,2095,2222,2480,3000,3004,3128,3333,3434,4000,4100,4243,4431,4433,4443,4567,4711,4712,4993,5000,5104,5108,5280,5800,6543,7000,7001,7071,7080,7081,7394,7443,7474,7547,8000,8001,8008,8010,8014,8042,8069,8080,8081,8082,8084,8085,8087,8088,8089,8090,8091,8099,8118,8123,8172,8222,8243,8280,8281,8333,8383,8443,8500,8834,8880,8888,8983,9000,9001,9002,9003,9009,9043,9060,9080,9090,9091,9200,9443,9800,9981,9998,9999,10000,10125,10443,12443,16080,18091,18092,20000,20720,28017
  • httpx

      • Supports: URL, Title, Status Code, Content Length, TLS Certificate, CSP Header, Location Header, Web Server, Web Socket, Response Time
    • httpx -l $TARGETS -p $PORTS -o $OUTPUT
  • frogy

    • Using the combination of different subdomain enumeration tools and logic this script tries to identify more subdomains and root domains in recon.
  • OWASP Amass


  • dirb (slow, included with kali)
    • dirb http://$IP/ /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -o $OUTPUT
  • gobuster (fast, not within kali)
    • apt install gobuster
    • gobuster dir --url http://$IP/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -o $OUTPUT
  • ffuf (fastest, not within kali)
    • apt install ffuf
    • ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://$IP/FUZZ -o $OUTPUT

Requires account.




Useful syntax

Get available filter values grouped:

The vuln query is only allowed for academic and paying customers, but one can use the facet view to get the results (more or less) anyway:

  • TODO: writing a script that does a cross-join over these two results gives exact results

  • query by ASN: asn:AS123456

  • query by product: product:mysql
  • results only with screenshot: has_screenshot:"1"
  • domains with same favicon: http.favicon.hash:-1776962843 (favicons map)

available filters (at least): asn, bitcoin.ip, bitcoin.ip_count, bitcoin.port, bitcoin.user_agent, bitcoin.version, city, cloud.provider, cloud.region, cloud.service, country, cpe, device, domain, has_screenshot, hash, http.component, http.component_category, http.favicon.hash, http.html_hash, http.robots_hash, http.status, http.title, http.waf, ip, isp, link,, ntp.ip, ntp.ip_count, ntp.more, ntp.port, org, os, port, postal, product, redis.key, region, rsync.module, screenshot.label,, snmp.location,, ssh.cipher, ssh.fingerprint, ssh.hassh, ssh.mac, ssh.type, ssl.alpn, ssl.cert.alg, ssl.cert.expired, ssl.cert.extension, ssl.cert.fingerprint,, ssl.cert.pubkey.bits, ssl.cert.pubkey.type, ssl.cert.serial,, ssl.chain_count, ssl.cipher.bits,, ssl.cipher.version, ssl.ja3s, ssl.jarm, ssl.version, state, tag,, telnet.dont, telnet.option, telnet.will, telnet.wont, uptime, version, vuln, vuln.verified


Google Dorks

intext:"© 2018 Sony Electronics Inc. All rights reserved"

site:"*" "Sony" intext:login intext:username intext:password ext:ppt intext:password filetype:xls inurl:"email.xls"

c:\Users filetype:pdf c:\Users

allintext:username filetype:log inurl:/proc/self/cwd "index of" "" inurl:admin "" and intext:scheduled for allintitle: restricted filetype:doc site:gov intitle:"Index of" wp-admin inurl:Dashboard.jspa intext:"Atlassian Jira Project Management Software"

Shodan Dorks

Find open web-dir listing: http.title:"Index of /"

Citrix - Find Citrix Gateway. Example: title:"citrix gateway"

Wifi Passwords - Helps to find the cleartext wifi passwords in Shodan. Example: html:"def_wirelesspassword"

Surveillance Cams - With username admin and password. Example: NETSurveillance uc-httpd

Fuel Pumps connected to internet - No auth required to access CLI terminal. Example: "privileged command" GET

Windows RDP Password - But may contain secondary windows auth. Example: "\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"

Mongo DB servers - It may give info about mongo db servers and dashboard. Example: "MongoDB Server Information" port:27017 -authentication

FTP servers allowing anonymous access - Complete Anon access. Example: "220" "230 Login successful." port:21

Jenkins - Jenkins Unrestricted Dashboard. Example: x-jenkins 200

Hacked routers - Routers which got compromised. Example: hacked-router-help-sos

Open ATM - May allow for ATM Access availability. Example: NCR Port:"161"

Telnet Access - NO password required for telnet access. Example: port:23 console gateway

Misconfigured Wordpress Sites - The wp-config.php if accessed can give out the database credentials. Example: http.html:"* The wp-config.php creation script uses this file"

Hiring - Find sites hiring. Example: "X-Recruiting:"

Android Root Bridge - Find android root bridges with port 5555. Example: "Android Debug Bridge" "Device" port:5555

Etherium Miners - Shows the miners running ETH. Example: "ETH - Total speed"

Tesla Powerpack charging Status - Helps to find the charging status of tesla powerpack. Example: http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2

"authentication disabled" "RFB 003.008"

"in-tank inventory" port:10001

P372 "ANPR enabled"

mikrotik streetlight

"[2J[H Encartele Confidential"

Siemens Industrial Automation 🔎 → "Siemens, SIMATIC" port:161

Siemens HVAC Controllers 🔎 → "Server: Microsoft-WinCE" "Content-Length: 12581"

Door / Lock Access Controllers 🔎 → "HID VertX" port:4070

Railroad Management 🔎 → "log off" "select the appropriate"

"MongoDB Server Information" port:27017 -authentication

"Set-Cookie: mongo-express=" "200 OK"

"Citrix Applications:" port:1604

http.title:"- Polycom" "Server: lighttpd"

SMB (Samba) File Shares 🔎 → Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.

"Authentication: disabled" port:445

Specifically domain controllers: 🔎 → "Authentication: disabled" NETLOGON SYSVOL -unix port:445

Concerning default network shares of QuickBooks files: 🔎 → "Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445

"X-Plex-Protocol" "200 OK" port:32400

"Serial Number:" "Built:" "Server: HP HTTP"

"Server: AV_Receiver" "HTTP/1.1 406"

Apple AirPlay Receivers 🔎 → Apple TVs, HomePods, etc. "\x08_airplay" port:5353

Chromecasts / Smart TVs 🔎 → "Chromecast:" port:8008

Crestron Smart Home Controllers 🔎 → "Model: PYNG-HUB"

OctoPrint 3D Printer Controllers 🔎 → title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944

port:5901 authentication disabled