{"id":599,"date":"2026-04-17T15:51:58","date_gmt":"2026-04-17T15:51:58","guid":{"rendered":"https:\/\/quantusintel.group\/osint\/blog\/2026\/04\/17\/the-2026-shodan-dork-bible-finding-exposed-jenkins-grafana-and-cameras-big-tech-forgot\/"},"modified":"2026-04-17T15:51:58","modified_gmt":"2026-04-17T15:51:58","slug":"the-2026-shodan-dork-bible-finding-exposed-jenkins-grafana-and-cameras-big-tech-forgot","status":"publish","type":"post","link":"https:\/\/quantusintel.group\/osint\/blog\/2026\/04\/17\/the-2026-shodan-dork-bible-finding-exposed-jenkins-grafana-and-cameras-big-tech-forgot\/","title":{"rendered":"The 2026 Shodan Dork Bible: Finding Exposed Jenkins, Grafana, and Cameras Big Tech Forgot"},"content":{"rendered":"<figure><img data-opt-id=1297395473  fetchpriority=\"high\" decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/960\/1*-WEVuSAjEIS39qkNxfileg.jpeg\" \/><\/figure>\n<p>Shodan stopped being a novelty around 2014. In 2026 it is infrastructure. While everyone was busy building AI guardrails and compliance dashboards, they left the backdoors open, the build servers unauthenticated, the Grafana instances with default admin, and the cameras still broadcasting to anyone who knows how to\u00a0ask.<\/p>\n<p>I have been crawling this stuff since I was young, taught myself because I wanted to build text-based games and needed the backend, but then did some hacking into my school to change friends\u2019 grades. The pattern never changes. Companies ship, they scale, they forget. Shodan remembers.<\/p>\n<p>This is not a listicle. This is how you actually find the things that still\u00a0matter.<\/p>\n<h3>The Landscape In\u00a02026<\/h3>\n<p>Three things shifted. First, Shodan now indexes over 3.4 million cameras alone, and that is just the ones that say \u201ccamera\u201d in the banner. Second, CI\/CD sprawl means every startup has three Jenkins instances they spun up in 2022 and never patched. 
Third, observability became mandatory, so Grafana is everywhere, often internet-facing because someone wanted to check metrics from\u00a0home.<\/p>\n<p>The filters that work now are boring and precise: product, http.title, http.favicon.hash, ssl, org. The magic is in combining them with what vendors forgot to\u00a0hide.<\/p>\n<h4>Jenkins: the build server that builds you a\u00a0shell<\/h4>\n<p>Jenkins is still the crown jewel because it executes code by design. In April 2025 someone found a Jenkins on Shodan with a reverse shell already waiting. In 2026 we have fresh CVEs: CVE-2026-27099 is a stored XSS in the \u201cMark temporarily offline\u201d field that lets you hijack sessions if you have agent configure permissions. CVE-2026-27100 leaks build info. None of this matters if you cannot find the\u00a0box.<\/p>\n<p><strong>The dork that still returns clean\u00a0hits:<\/strong><\/p>\n<p>\"X-Jenkins\" \"Set-Cookie: JSESSIONID\" http.title:\"Dashboard\"<\/p>\n<p>That query was pulling 1,583 results last time the list refreshed. It works because Jenkins sets that header on every unauthenticated landing page and the title rarely\u00a0changes.<\/p>\n<p>Do not stop there. Big Tech hides in plain sight using org filters.<strong> Intigriti\u2019s guide from last year still\u00a0holds:<\/strong><\/p>\n<p>org:\"target\" product:jenkins<\/p>\n<p>That syntax lets you scope to a single company. Replace target with Netflix, Shopify, whoever. You will find the dev instances they forgot to\u00a0VPN.<\/p>\n<p>For the CVE-2024-23897 args4j crowd, the ones that let you read \/etc\/passwd unauthenticated, you want older banners. Over 45,000 unpatched instances were identified in the wild last year. Filter by version in the\u00a0header:<\/p>\n<p>product:jenkins http.html:\"2.4\" country:US<\/p>\n<p>Then check for the classic login bypass. The smell of these pages is always the same. 
Burnt coffee and cheap cologne from the data center, a login form with no rate limit, the faint hum of a fan in the screenshot.<\/p>\n<p>When you land, do not click build immediately. Look for Script Console at \/script. Look for credentials in environment variables. Look for the cloud agents that have IAM keys. Jenkins does not need an exploit if it is configured by an intern in\u00a02021.<\/p>\n<h4>Grafana: dashboards full of\u00a0secrets<\/h4>\n<p>Grafana went from niche to default. Every Kubernetes cluster ships with it. The problem is that people expose it to the internet with admin\/admin and then connect it to Prometheus, Loki, and their cloud\u00a0billing.<\/p>\n<p><strong><em>The simplest dork is almost insulting:<\/em><\/strong><\/p>\n<p>http.title:\"grafana\"<\/p>\n<p>A researcher wrote it up last year as his starting point for LFI. It works because Grafana\u2019s default title is just \u201cGrafana\u201d. <strong>For more precision:<\/strong><\/p>\n<p>title:\"grafana\" hostname:target<\/p>\n<p><strong><em>That was the exact line from the\u00a0writeup.<\/em><\/strong><\/p>\n<p>In 2026 you want to hunt versions. CVE-2025-2703 was an XSS that lived from 11.1.0 until 11.6.0+security-01. Shodan lets you grep the JavaScript bundle:<\/p>\n<p>http.html:\"Grafana v11.\" 200<\/p>\n<p>Or hunt plugins. The grafanacubism-panel before 0.1.2 had a zoom-link XSS. <strong>Find\u00a0it:<\/strong><\/p>\n<p>http.html:\"cubism\" product:\"grafana\"<\/p>\n<p>The real gold is not RCE, it is data. I have found AWS keys in dashboard variables, Snowflake passwords in data source configs, and internal Okta URLs that leak to unauthenticated viewers. 
Grafana\u2019s API at \/api\/datasources is readable if you have Viewer role, and too many instances give Viewer to anonymous.<\/p>\n<p><strong>Filter for the open\u00a0ones:<\/strong><\/p>\n<p>http.title:\"Grafana\" \"login\" -\"Sign in\"<\/p>\n<p>That negative catches instances where the login button is missing because auth is disabled. You will notice the sharp and sweet smell of fresh JSON, dashboards loading without a prompt, the musk of someone else\u2019s infrastructure mixing with your browser\u00a0cache.<\/p>\n<p><strong>For automation, chain\u00a0it:<\/strong><\/p>\n<p>shodan search --fields ip_str,port,org 'product:\"grafana\" http.status:200' | while read -r ip port org; do curl -s \"http:\/\/$ip:$port\/api\/health\"; done<\/p>\n<p>Health returns version. Version maps to\u00a0exploit.<\/p>\n<h4>Cameras: Big Tech forgot the physical\u00a0layer<\/h4>\n<p>This is where the numbers get stupid. The auto-updating dork list tracked 3,425,376 results for just the word \u201ccamera\u201d. Hikvision alone is over 2.1\u00a0million.<\/p>\n<p><strong>Hikvision is the classic because of the old backdoor. The\u00a0dork:<\/strong><\/p>\n<p>product:\"Hikvision IP Camera\"<\/p>\n<p>Still works in 2026. You get login pages, many with default creds, many with firmware from\u00a02019.<\/p>\n<p>But the interesting stuff is not Hikvision. It is the long tail that facilities teams install and never\u00a0patch.<\/p>\n<p><strong>IPCam Client:<\/strong><\/p>\n<p>title:\"IPCam Client\"<\/p>\n<p>45,275 results last count. These are small business DVRs, often with no password.<\/p>\n<p><strong>GeoVision older\u00a0webcams:<\/strong><\/p>\n<p>server: GeoHttpServer<\/p>\n<p>39,278 results. The banner leaks model and sometimes credentials in the\u00a0401.<\/p>\n<p><strong>ContaCam:<\/strong><\/p>\n<p>title:\"ContaCam\"<\/p>\n<p>30,053 results. 
Windows software that people expose directly.<\/p>\n<p><strong>Vivotek:<\/strong><\/p>\n<p>server: VVTK-HTTP-Server<\/p>\n<p>22,490 results.<\/p>\n<p><strong>Avigilon, which is now Motorola, shows up\u00a0as:<\/strong><\/p>\n<p>title:\"Avigilon\"<\/p>\n<p>17,073 results. Those are enterprise, and when they are open they are usually in a parking garage or a lobby with no\u00a0auth.<\/p>\n<p><strong>For the weird stuff, use screenshots. Shodan renders\u00a0them:<\/strong><\/p>\n<p>webcam has_screenshot:true<\/p>\n<p>90 results with live images. Add country filters to find traffic cams in your\u00a0city.<\/p>\n<p><strong>DVRs on port\u00a081:<\/strong><\/p>\n<p>200 ok dvr port:\"81\"<\/p>\n<p>5,133 results. That port is a tell for cheap Chinese DVRs that multiplex cameras over\u00a0HTTP.<\/p>\n<p><strong>Blue Iris, the software every home lab\u00a0uses:<\/strong><\/p>\n<p>title:\"ui3 -\"<\/p>\n<p><strong>801 results for the HTML5 interface. Or:<\/strong><\/p>\n<p>title:\"blue iris remote view\"<\/p>\n<p>12 results. Small numbers mean high signal. Those 12 are probably someone\u2019s\u00a0house.<\/p>\n<p>The smell here is different. Not data center ozone. It is laundry detergent from a hallway camera, rain on a lens in October with cold biting through a jacket, the faint buzz of a fluorescent light in a storage room at 3am. You can hear background chatter in some feeds, ordinary conversations, just people\u00a0living.<\/p>\n<h4>Chaining: how you go from dork to\u00a0access<\/h4>\n<p>Finding is step one. The bible part is what you do\u00a0next.<\/p>\n<p>For Jenkins, once you have IPs, check for the script console anonymously. <strong>Curl<\/strong>:<\/p>\n<p>curl -s http:\/\/IP:8080\/script<\/p>\n<p>If 200, you have Groovy execution. If 403, try the CLI over WebSocket. The 2026 advisory warned about DNS rebinding via WebSocket CLI. 
That means you can sometimes tunnel through a\u00a0browser.<\/p>\n<p>For Grafana, hit \/api\/org\/users. If it returns JSON without auth, enumerate users, then try default passwords. The SonarQube report on CVE-2025-2703 noted authenticated XSS, but auth is often admin:admin.<\/p>\n<p>For cameras, automate with Shodan CLI and ffmpeg. Grab a screenshot, run face detection, discard parking lots, keep lobbies. The Trend Micro analysis showed Houston and San Jose have the most exposed assets, so start there if you want\u00a0density.<\/p>\n<p>Use favicon hashes to find clones. Jenkins has a consistent favicon. Grafana\u2019s is hash 848442153. <strong>Search<\/strong>:<\/p>\n<p>http.favicon.hash:848442153<\/p>\n<p>That finds Grafana even when they rename the\u00a0title.<\/p>\n<h3>Why Big Tech still\u00a0forgets<\/h3>\n<p>It is not malice. It is sprawl. A team spins up Jenkins for a hackathon in 2023, puts it on a public subnet because VPC peering was slow, adds a DNS record, forgets it. Two years later Shodan indexes it, the certificate renews via Let\u2019s Encrypt, and it looks legitimate.<\/p>\n<p>Same with Grafana. Observability vendors push \u201cshare your dashboard\u201d features. Engineers enable anonymous access to show a client a graph. They never disable\u00a0it.<\/p>\n<p>Cameras are worse because facilities is not IT. The camera installer opens port 80 to \u201ctest remotely\u201d and leaves it. The building gets sold, the IP\u00a0stays.<\/p>\n<p>The auto-updating dork list that I pulled from updates every six hours and removes dead queries. That is the pace you are fighting. Things appear and disappear constantly.<\/p>\n<h3>A working methodology for\u00a02026<\/h3>\n<p>Do not collect dorks. Build a pipeline.<\/p>\n<p><strong><em>1. Start with org. Pick a target. Use product filters for Jenkins, Grafana, and camera vendors.<br \/>2. Enrich with Shodan\u2019s vuln tag. Shodan now tags CVE-2024-23897 and others. 
Search `vuln:CVE-2024-23897 product:jenkins`.<br \/>3. Filter by last seen. Use `last_update:7d` to get fresh hosts.<br \/>4. Screenshot everything. Shodan\u2019s has_screenshot is gold for cameras and login pages.<br \/>5. Correlate. If you find Jenkins and Grafana on the same \/24, it is probably the same company.\u00a0Pivot.<\/em><\/strong><\/p>\n<h4><strong>The dorks that pay rent right\u00a0now:<\/strong><\/h4>\n<p><strong>Jenkins unauth dashboard:<\/strong><br \/>`\"X-Jenkins\" \"Set-Cookie: JSESSIONID\" http.title:\"Dashboard\"`<\/p>\n<p><strong>Grafana open:<\/strong><br \/>`http.title:\"grafana\"`<\/p>\n<p><strong>Hikvision:<\/strong><br \/>`product:\"Hikvision IP Camera\"`<\/p>\n<p><strong>IPCam:<\/strong><br \/>`title:\"IPCam Client\"`<\/p>\n<p><strong>GeoVision:<\/strong><br \/>`server: GeoHttpServer`<\/p>\n<p><strong>Blue Iris UI3:<\/strong><br \/>`title:\"ui3 -\"`<\/p>\n<p>Combine with country, org, asn. The magic is never the dork alone. It is the\u00a0context.<\/p>\n<h3>Closing Remarks<\/h3>\n<p>Shodan is not hacking. It is looking. Big Tech forgot to close the blinds. Jenkins still builds, Grafana still graphs, cameras still watch empty hallways at\u00a02am.<\/p>\n<p>In 2026 the internet is larger but not smarter. The same headers, the same default titles, the same human error. The dorks above are not theoretical. They returned millions of results last week. The Jenkins XSS from February is still unpatched on hundreds of hosts. The Grafana plugin XSS is still in the wild. The cameras still\u00a0stream.<\/p>\n<p>Write your own tooling. Store results. Diff daily. 
The moment something new appears with product:jenkins and no auth, you want to be\u00a0first.<\/p>\n<p><strong><em>Godspeed<\/em><\/strong>.<\/p>\n<hr \/>\n<p><a href=\"https:\/\/osintteam.blog\/the-2026-shodan-dork-bible-finding-exposed-jenkins-grafana-and-cameras-big-tech-forgot-ff1cda90e116\">The 2026 Shodan Dork Bible: Finding Exposed Jenkins, Grafana, and Cameras Big Tech Forgot<\/a> was originally published in <a href=\"https:\/\/osintteam.blog\/\">OSINT Team<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"<p>Shodan stopped being a novelty around 2014. In 2026 it is infrastructure. While everyone was busy building AI guardrails and compliance dashboards, they left the backdoors open, the build servers unauthenticated, the Grafana instances with default admin, and the cameras still broadcasting to anyone who knows how to\u00a0ask. 
I have been crawling this stuff since &#8230; <a title=\"The 2026 Shodan Dork Bible: Finding Exposed Jenkins, Grafana, and Cameras Big Tech Forgot\" class=\"read-more\" href=\"https:\/\/quantusintel.group\/osint\/blog\/2026\/04\/17\/the-2026-shodan-dork-bible-finding-exposed-jenkins-grafana-and-cameras-big-tech-forgot\/\" aria-label=\"Read more about The 2026 Shodan Dork Bible: Finding Exposed Jenkins, Grafana, and Cameras Big Tech Forgot\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":600,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-599","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/599","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/comments?post=599"}],"version-history":[{"count":0,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/599\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media\/600"}],"wp:attachment":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media?parent=599"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/categories?post=599"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/tags?post=599"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}