Censys Search Language
The Censys Search Language is what you use to find host and certificate records that are of interest to you. Queries written in the Censys Search Language provide criteria that a record must meet in order to be returned as a hit.
This guide will introduce query writing with examples that you can follow to see in the Search product.
New: A tool currently in beta uses the natural-language processing of ChatGPT to produce valid query syntax in the Censys Search Language from a plain-English description.
Construct a Query
Full Text Searches
A query that doesn’t specify a field will launch a search across all text-based fields for the word or phrase submitted.
Example:
Query for hosts with any field that contains the term “hello”:
hello
You can search for a multiple-word phrase by surrounding it in double quotes.
Example:
Query for Hosts with any field that contains the phrase “Hello World”:
"hello world"
These searches are not case sensitive. You will see results with any capitalization of the letters in your search term.
Field, Value Searches
Search structured fields for a value stored there. Fields reflect the nested structure of the host schema using dot notation to separate keys.
Find all devices that have a software product with the word "Windows" in it:
services.software.product: Windows
Important: The search above does not limit hits to the exact word specified. A host with "Windows Server 2012 R2" in the server header would also be returned as a result.
If you want to search for an exact match (that is, only the word "Windows" and nothing more), replace the colon between the field name and value with an equals sign (=).
Example:
Find all devices whose software product is parsed as exactly the word "Windows:"
services.software.product=Windows
Wildcard Searches
You can use the asterisk symbol (*) to substitute zero or more unknown characters.
Use the question mark (?) to substitute for exactly one unknown character.
These wildcard symbols are helpful for finding records where you know some part of a value, but not all.
For example, a query that specifies a value of "email" will not return records where the value is "e-mail", since matching is performed on tokenized words.
Search for variations of email using the wildcard:
services.http.response.headers: (key: server and value: e*mail)
Warning: Censys does not support leading wildcard searches (e.g., *windows).
However, since leading wildcards are very desirable for fields containing DNS-style domain names (e.g., the name on a certificate), the search "censys.io" will include results for all subdomains of censys.io by default. To restrict those searches to exactly the name provided, use the equals operator (=).
Boolean Logic Searches
Censys allows the operators and, or, and not, as well as parentheses, to combine search criteria.
OR
Use or to provide multiple options that a record could match in order to be considered a hit.
Example:
Return all hosts located either in the United States or Canada:
location.country: Canada or location.country: "United States"
You can also use a set to shorten what would otherwise be a long or statement.
Example:
Return all hosts whose country is among this set of countries in the Americas:
location.country: {Canada, Chile, Honduras, Mexico, "United States", Uruguay}
AND
Use and to make a search more specific by providing multiple criteria that must match in order for a host to be considered a hit.
Example:
Return hosts with port 443 open (with any service type) and an HTTP service (on any port):
services.port: 443 and services.service_name: HTTP
Important: Search criteria apply to a host or certificate as a whole unless specified otherwise. The query above returns hosts with any service on port 443 and HTTP on any port.
NOT
Use not to exclude hosts with certain characteristics.
Example:
Find hosts running SSH on a non-standard port (i.e., neither 22 nor 2222):
services: (service_name: SSH and not port: {22, 2222})
Nested Searches
Use nested query syntax to apply multiple search criteria to a single object within a list of like objects, instead of to the entity as a whole.
For example, the services record on a host can contain any number of services.
If you want certain criteria to all be true of a single service on a host, you must nest the field/value pairs inside parentheses following the services field name.
Example:
Return hosts that are running an HTTP service on port 8888:
services: (port: 8888 and service_name: HTTP)
Example:
Return hosts with an HTTP service returning a specific Etag header value:
services.http.response.headers: (key: `Etag` and value.headers: `"6001043d.16d"`)
Example:
Return hosts with a service that reports both a Cisco IOS operating system and OpenResty application software:
services: (software.uniform_resource_identifier: `cpe:2.3:a:openresty:openresty:*:*:*:*:*:*:*:*` and software.uniform_resource_identifier: `cpe:2.3:o:cisco:ios:*:*:*:*:*:*:*:*`)
Ranges
Ranges allow you to define a spectrum that a value may fall into in order for the host to be considered a hit. This is useful for numerical values such as dates, version numbers, and even IP addresses.
Example:
Search for certificates submitted to the Cloudflare Nimbus 2023 CT log within a (recent) date range, excluding the first value given:
ct.entries: (key: `cloudflare_nimbus_2023` and value.added_to_ct_at: {2023-06-01 to 2023-07-10])
Example:
Search for online hosts in a non-standard IP address range, including the first and last values given:
ip: [119.167.243.56 to 119.167.243.201]
Censys also supports CIDR notation for IP ranges: an IPv4 or IPv6 address followed by a slash and a decimal number indicating how many leading bits of the address are fixed.
Example:
Search for online hosts whose IPv4 addresses fall between 35.180.0.0 and 35.180.255.255:
ip: 35.180.0.0/16
Quotes
Double Quotes (")
Double quotes are for searching for a phrase instead of a single word. You must wrap whitespace-separated words in double quotes when searching in order for the phrase to be evaluated as a whole. Searches that specify a phrase for a field value are invalid without the double quotes.
Search for hosts (and virtual hosts) whose HTML title contains the phrase "your dashboard":
services.http.response.html_title: "your dashboard"
Backticks (`)
Backticks escape every reserved character in the string they enclose. For example, CPE-formatted software strings use many reserved characters; instead of escaping each one, wrap the whole string in backticks.
Search for hosts whose software CPE identifies Microsoft Windows Server 2012:
services.software.uniform_resource_identifier: `cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:*:*`
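The quoting, set, nested and range rules described in the Boolean Logic, Nested Searches, Ranges and Quotes sections above are easy to get wrong when queries are generated by a script (for example, when monitoring your own address space). The following builder is an added example, not code from Censys or its documentation; it applies those rules to produce query text, and the list of reserved characters it escapes is an assumption of this example rather than the official grammar.

```python
import ipaddress
import re

# Characters this example treats as reserved (an assumption, not the official
# grammar). '*' and '?' are deliberately omitted so they keep working as wildcards;
# values that also contain ':' (such as CPE strings) are wrapped in backticks, which
# escape the whole string literally, as the Backticks section describes.
RESERVED = re.compile(r'[:"`(){}\[\]=]')

def value(v) -> str:
    """Render one value: phrases in double quotes, reserved characters in backticks,
    single plain words as-is. Leading wildcards are rejected because the search
    language does not support them."""
    v = str(v)
    if v.startswith(("*", "?")):
        raise ValueError(f"leading wildcard not supported: {v!r}")
    if re.search(r"\s", v):
        return f'"{v}"'
    if RESERVED.search(v):
        return f"`{v}`"
    return v

def term(field: str, v, exact: bool = False) -> str:
    """field: value (tokenised match) or field=value (exact match)."""
    return f"{field}={value(v)}" if exact else f"{field}: {value(v)}"

def any_of(field: str, values) -> str:
    """Set syntax, a shorthand for a long chain of 'or' on the same field."""
    items = ", ".join(value(v) for v in values)
    return f"{field}: {{{items}}}"

def nested(field: str, *clauses: str) -> str:
    """Apply all clauses to one object inside a list (e.g. one service of a host)."""
    return f"{field}: ({' and '.join(clauses)})"

def range_of(field: str, lo, hi, include_lo: bool = True, include_hi: bool = True) -> str:
    """Range with inclusive [ ] or exclusive { } ends, for dates, versions or IPs."""
    lo_b = "[" if include_lo else "{"
    hi_b = "]" if include_hi else "}"
    return f"{field}: {lo_b}{lo} to {hi}{hi_b}"

def cidr_as_range(cidr: str) -> str:
    """Rewrite an IPv4/IPv6 CIDR block as the equivalent inclusive ip: range."""
    net = ipaddress.ip_network(cidr, strict=True)
    return range_of("ip", net[0], net[-1])

if __name__ == "__main__":
    # SSH on a non-standard port, built from the page's own example pieces.
    print(nested("services", term("service_name", "SSH"), "not " + any_of("port", [22, 2222])))
    print(cidr_as_range("35.180.0.0/16"))
```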