Search 2.0 Example Host Queries
The table below provides working queries you can use to learn the Censys Search Language for querying hosts.
The first column indicates the Censys Search Language feature being showcased, the second column provides a description of the query, and the third column presents the query syntax, which is linked to the results page on search.censys.io.
| Search Feature | Query Description | Query |
| --- | --- | --- |
| Field:Value pairs | Search for hosts with an HTTP service whose HTML title indicates it is exposing a directory | |
| Exact Match Operator | Search for hosts with an HTTP service whose hashed body content indicates that it is a Brute Ratel C4 server | services.http.response.body_hash="sha1:1a279f5df4103743b823ec2a6a08436fdf63fe30" |
| Boolean Logic | Search for hosts in the 23.20.0.0/14 range with any reference to either the phrase "Schneider Electric" or "Dell" | |
| Set Operator | Search for hosts that have any of the following ports open: 22, 23, 24, 25 | |
| Boolean Logic | Search for hosts that have no HTTP services | |
| Boolean Logic | Search for hosts that have at least one non-HTTP service | |
| Wildcards | Search for hosts with at least one service presenting a certificate during a TLS handshake | |
| Full Text Search | Search for hosts whose parsed data contains the word "hello" | |
| Regular Expressions (Paid users only) | Search for hosts presenting certificates with a name foo1, foo2, foo3...foo100 followed by any value | |
| Ranges | Search for hosts whose IP address falls within the specified range | |
| Same Service Operator | Search for hosts running the SSH protocol on ports other than 22 and 2222 | |
| Same Service Operator | Search for hosts running Elasticsearch on port 443 | same_service(services.service_name: ELASTICSEARCH and services.port: 443) |
| Same Service Operator | Search for hosts with an HTTP service with an open directory list and suspicious file names in their contents | |
| Multi-Perspective Scanning | Search for hosts with services that were last observed by Censys Scanners within NTT and TELIA ISPs | services.perspective_id: "PERSPECTIVE_NTT" and services.perspective_id: "PERSPECTIVE_TELIA" |
| Searching Web Servers | Search for hosts with a page title on the HTTP service containing the word "dashboard" | |
| Searching Web Servers | Search for hosts that have an HTTP service that responded with a 500 status code | |
| Searching Web Servers | Search for hosts that have specific HTTP header value pairs | |
| Searching TLS | Search for hosts that have an RDP service that is presenting a certificate | same_service(services.service_name: RDP and services.certificate: *) |
| Searching TLS | Search for hosts with a service using TLSv1.0 encryption | |
| Searching TLS | Search for hosts presenting a certificate with the string "localhost" in the subject_dn | |
| Searching Software | Search for hosts running Microsoft IIS 7.5 | same_service(services.software.vendor: Microsoft and services.software.product: IIS and services.software.version: 7.5) |
| Searching Software with CPE URIs | Search for hosts running Microsoft Exchange | services.software.uniform_resource_identifier: `cpe:2.3:a:microsoft:exchange_server:*:*:*:*:*:*:*:*` |
| Searching CPE Software, OS, Product, Manufacturer | Search for hosts with a service running OpenSSH version 7.6p1 software on Linux version 18.04. | |
| Searching CPE Software, OS, Product, Manufacturer | Search for hosts running a Raspberry Pi product | |
| Searching Location | Search for hosts in Russia | |
| Searching Location | Search for hosts in the Bahamas, excluding Nassau | |

Some of these examples were gathered from community resources like this!