Search 2.0 Example Host Queries
The table below provides working queries you can use to learn the Censys Search Language for querying hosts.
The first column indicates the Censys Search Language feature being showcased, the second column provides a description of the query, and the third column presents the query syntax, which is linked to the results page on search.censys.io.
|
Search Feature |
Query Description |
Query |
|
Field:Value pairs |
Search for hosts with an HTTP service whose body contains the word "powershell.exe" |
|
|
Field:Value pairs, Exact Operator |
Search for hosts with an SNMP service whose reported location is exactly this phrase: "Sitting on the Dock of the Bay" |
service.snmp.oid_system.location="Sitting on the Dock of the Bay" |
|
Boolean Logic |
Search for hosts in the 23.20.0.0/14 range whose services contain either the phrase "Schneider Electric" or "Dell" |
|
|
Set Operator |
Search for hosts that have any of the following ports open: 22, 23, 24, 25 |
|
|
Boolean Logic |
Search for hosts that do not have an HTTP service running |
|
|
Wildcards |
Search for hosts with any service presenting a certificate |
|
|
Full Text Searches and Wildcards |
Search for hosts whose parsed data contains the word "hello" |
|
|
Wildcards and Regular Expressions |
Search for hosts presenting certificates with a name foo1, foo2, foo3...foo100 followed by any value |
|
|
Ranges |
Search for hosts whose IP address falls within the specified range |
|
|
Same Service Operator |
Search for hosts running the SSH protocol on ports other than 22 and 2222 |
same_service(services.service_name: SSH and not (service.port: {22, 2222})) |
|
Same Service Operator |
Search for hosts running Elasticsearch on port 443 |
same_service(service.service_name: ELASTICSEARCH and service.port: 443) |
|
Multi-Perspective Scanning |
Search for hosts with a service that was last observed by Censys Scanners within NTT ISP |
|
|
Multi-Perspective Scanning |
Search for hosts with services that were last observed by Censys Scanners within NTT and TELIA ISPs |
service.perspective_id: "PERSPECTIVE_NTT" and service.perspective_id: "PERSPECTIVE_TELIA" |
|
Searching Web Servers |
Search for hosts with a page title on the HTTP service containing the word "dashboard" |
|
|
Searching Web Servers |
Search for hosts that have an HTTP service that responded with a 500 status code |
|
|
Searching Web Servers |
Search for hosts that have specific HTTP header value pairs |
|
|
Searching TLS |
Search for hosts that have an RDP service that is presenting a certificate |
same_service(services.service_name: RDP and services.certificate: *) |
|
Searching TLS |
Search for hosts with a service using TLSv1.0 encryption |
|
|
Searching TLS |
Search for hosts presenting a certificate with the string "localhost" in the subject_dn |
|
|
Searching Software |
Search for hosts running Microsoft IIS 7.5 |
same_service(services.software.vendor: Microsoft and services.software.product: IIS and services.software.version: 7.5) |
|
Searching Software with CPE URIs |
Search for hosts running Microsoft Exchange |
service.software.uniform_resource_identifier: `cpe:2.3:a:microsoft:exchange_server:*:*:*:*:*:*:*:*` |
|
Searching CPE Software, OS, Product, Manufacturer |
Search for hosts with a service running OpenSSH version 7.6p1 software on Linux version 18.04. |
|
|
Searching CPE Software, OS, Product, Manufacturer |
Search for hosts running a Raspberry Pi product |
|
|
Searching Location |
Search for hosts in Russia |
|
|
Search Location |
Search for hosts in the Bahamas, excluding Nassau |
Need more examples? Check out community resources like this!
Diàtaxis: reference
Comments
0 comments
Article is closed for comments.