Host Query Examples

Use the tables of example queries in this doc to learn about the Censys Search Language and the searchable data available for hosts.

Examples of Search Language Features

The first table below provides working queries you can use to learn the Censys Search Language for querying hosts.

The first column indicates the Censys Search Language feature showcased in the query, the second column provides a description of the query, and the third column presents the query syntax, which is linked to the results page on search.censys.io.

Search Feature Query Description Link Query

Full Text Search

Search for hosts whose parsed data contains the word hello

Try it

hello

Full Text Search

Search for hosts whose parsed data contains the words hello and world although not necessarily together

Try it

hello world

Full Text Search

Search for hosts whose parsed data contains the phrase hello world

Try it

"hello world"

Field:Value Pairs

Search for hosts with an HTTP service whose HTML title indicates it is exposing a directory

Try it

services.http.response.html_title: "Index of /"

Exact Match Operator

Search for hosts with an HTTP service whose hashed body content indicates that it is a Brute Ratel C4 server

Try it

services.http.response.body_hash="sha1:1a279f5df4103743b823ec2a6a08436fdf63fe30"

Boolean Logic

Search for hosts in the U.S. with any reference to the string "teslamate"

Try it

(teslamate) and location.country=United States

Set Operator

Search for hosts that have any of the following ports open: 22, 23, 24, 25

Try it

services.port: {22, 23, 24, 25}

Boolean Logic

Search for hosts that have no HTTP services

Try it

not services.service_name: HTTP

Boolean Logic

Search for hosts that have at least one non-HTTP service

Try it

services: (not service_name: HTTP)

Wildcards

Search for hosts with at least one service presenting a certificate during a TLS handshake

Try it

services.tls.certificate.fingerprint_sha256: *

Regular Expressions

(Paid users only)

Search for hosts presenting certificates with a name foo1, foo2, foo3…foo100 followed by any value

Try it

services.tls.certificate.names=/foo<1-100>.*/

Ranges

Search for hosts whose IP address falls within the specified range

Try it

ip: [1.12.0.0 to 1.15.255.255]

Ranges

Search for hosts whose location is within a box specified by its geographic coordinates

(TIP: draw a box on this map and open Search with the coordinate ranges populated!)

Try it

location.coordinates.latitude: [31.2221970321032 to 31.596082850911525] and location.coordinates.longitude: [34.16473388671876 to 34.58908081054688]

Nested field queries

Search for hosts running the SSH protocol on ports other than 22 and 2222

Try it

services:(service_name: SSH and not (port: {22, 2222}))

Nested field queries

Search for hosts running Elasticsearch on port 443

Try it

services: (service_name: ELASTICSEARCH and port: 443)

Nested field queries

Search for hosts with a an HTTP service with an open directory list and suspicious file names in their contents

Try it

Examples of Host Attributes

The next table provides working queries you can use to learn about the data model of hosts.

The first column describes the top-level host attribute showcased in the query, the second column provides a description of the query, and the third column presents the query syntax, which is linked to the results page on search.censys.io.

Host Attribute Query Description Link Query