Searching Software in Censys Search
Managing risk and enforcing compliance are critical to protecting what you own. This video shows you how to use Censys Search to find and track vendor or provider compliance.
Censys uses the Common Platform Enumeration (CPE) format and the Hershel+ library to categorize software, hardware, and operating systems of hosts and the services running on them.
As a widely adopted, standardized format for representing software, the CPE promotes interoperability between security tools. Censys adopted this format in its host and service schemas.
If you have a CPE-formatted URI
Paste it as the value for services.software.uniform_resource_identifier in the Search bar.
Tip
Wrap your identifier string in backticks (`) to escape all the reserved characters.
If you don’t have a CPE-formatted URI
Search other software fields with friendlier (but still CPE-informed) names and values, like:
- services.software.vendor: Search for things like apple or microsoft.
- services.software.product: Search for things like windows or apache.
- services.software.version: Search for things like 8.0. You probably want to combine this with a value for the product field inside the same_service() operator.
Or look up the CPE URI in the dictionary (an XML file) provided by the National Vulnerability Database.
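Both search approaches above can be generated from a single identifier. The following Python helper is an added example, not Censys code: it assumes the identifier is a CPE 2.3 formatted string, that the backtick escaping from the Tip also applies to the vendor, product, and version fields, and it uses a constructed sample CPE.

```python
import re

# Field names are the ones named on this page.
URI_FIELD = "services.software.uniform_resource_identifier"
FRIENDLY = ("vendor", "product", "version")

# Constructed sample identifier (assumption: CPE 2.3 formatted string).
SAMPLE_CPE = "cpe:2.3:a:apache:http_server:2.4.41:*:*:*:*:*:*:*"


def split_cpe23(cpe):
    """Split a CPE 2.3 string on unescaped colons; return the named parts."""
    parts = re.split(r"(?<!\\):", cpe)
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    # parts[2] is the part (a/o/h), followed by vendor, product, version.
    return dict(zip(("part",) + FRIENDLY, parts[2:6]))


def exact_query(cpe):
    """Query for one exact identifier, wrapped in backticks per the Tip."""
    split_cpe23(cpe)  # validate the shape before building the query
    if "`" in cpe:
        raise ValueError("identifier contains a backtick")
    return "%s: `%s`" % (URI_FIELD, cpe)


def friendly_query(cpe):
    """Query on vendor/product/version, skipping '*' (any) and '-' (NA)."""
    fields = split_cpe23(cpe)
    terms = []
    for name in FRIENDLY:
        raw = fields[name]
        if raw in ("*", "-"):
            continue
        value = re.sub(r"\\(.)", r"\1", raw)  # drop CPE backslash escapes
        # Assumption: backticks escape reserved characters in these fields too.
        terms.append("services.software.%s: `%s`" % (name, value))
    if not terms:
        raise ValueError("no vendor, product, or version to search on")
    joined = " and ".join(terms)
    # same_service() requires all terms to match on one service of a host.
    return "same_service(%s)" % joined if len(terms) > 1 else joined


if __name__ == "__main__":
    print(exact_query(SAMPLE_CPE))
    print(friendly_query(SAMPLE_CPE))
```

The friendly query matches any identifier sharing those three values, so it is broader than the exact URI query.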
If you have a Hershel+ Fingerprint
Paste the ID as a value for services.transport_fingerprint.id in the Search bar.
Software information is kept in 3 places in a host record:
- Host Operating System (operating_system): Censys' best estimate of the host’s operating system.
- Service Software (services.software): The software reported at OSI Layer 7 when connecting to a service on a host.
- Transport Fingerprint (services.transport_fingerprint): The software detected at OSI Layer 4 when connecting to a service on a host.
The Censys best estimate of a host’s operating system is stored at the root level of the host entity in a record called operating_system.
Each field in the record is defined in the Host Operating System with its value type.
This record can be populated from a few software identification methods that Censys employs at different networking layers.
An operating system detected at OSI Layer 7 is preferred over an OSI Layer 4 detection, and the most specific version information is preferred.
Censys considers software and OS reporting on OSI Layer 7 to be the most reliable. Multiple software products, hardware, and operating systems can be detected, so this information is stored in an array called software with other general service information.
Each field in a software record is defined in Service Software with its value type.
Censys uses the Hershel+ algorithm for fingerprinting operating systems at the transport layer (OSI Layer 4). This information, if obtained, is found in service records under the name services.transport_fingerprint.
Each field in the record is defined in the Miscellaneous Service Info with its value type.
Censys retains raw observations with no matching fingerprint in the services.transport_fingerprint.raw field for searching. The services.transport_fingerprint.id field is not present for an unknown fingerprint.
Note
Currently, Censys only tries to obtain transport fingerprints when the transport protocol is TCP, not UDP.