1. Censys
  2. Censys Search
  3. Advanced Searching

Other Articles In This Section

In this article:

Searching Software in Search 2.0

  • Updated

Censys uses the Common Platform Enumeration (CPE) format and the Hershel+ library to categorize software, hardware, and operating systems of hosts and the services running on them.

software-search-ex.png

How to Search for Software

If you have a CPE-formatted URI:

Paste it as the value for services.software.uniform_resource_identifier in the Search bar.

Warning
 Don’t forget to wrap your identifier string in back ticks (`) to escape all of the reserved characters!

If you don’t have a CPE-formatted URI:

Search other software fields with more friendly (but still CPE-informed) names and values, like:

  • services.software.vendor — Search for things like apple or microsoft

  • services.software.product — Search for things like windows or apache

  • services.software.version — Search for things like 8.0 (You’ll probably want to combine this with a value for the product field inside the same_service() operator)

Or look up the CPE URI in the dictionary (an XML file) provided by the National Vulnerabilities Database.

If you have a Hershel+ Fingerprint

Paste the ID as a value for services.transport_fingerprint.id in the Search bar.

Software Fields in Censys Host Records

Software information is kept in three places in a host record:

  • "Host Operating System" (operating_system)— Censys' best estimate of the host’s operating system.

  • "Service Software" (services.software)— The software reported at OSI Layer 7 when connecting to a service on a host.

  • "Transport Fingerprint" (services.transport_fingerprint) — The software detected at OSI Layer 4 when connecting to a service on a host.

Host Operating System Fields

Censys' best estimate of a host’s operating system is stored at the root level of the host entity in a record called operating_system.

Each field in the record is defined in the Host Operating System table with its value type.

This record can be populated from a few software identification methods that Censys employs at different networking layers.

An operating system detected at OSI Layer 7 is preferred over an OSI Layer 4 detection, and the most specific version information will be preferred.

Service Software (L7)

Censys considers software and OS reporting on OSI Layer 7 to be the most reliable. Multiple software products, hardware, and operating systems can be detected, so this information is stored in an array called software with other general service information.

Each field in a software record is defined in Service Software table with its value type.

Transport Fingerprint (L4)

Censys uses the Hershel+ algorithm for fingerprinting operating systems at the transport layer (OSI Layer 4). This information, if obtained, is found in service records under the name services.transport_fingerprint.

Each field in the record is defined in the Miscellaneous Service Info table with its value type.

Censys retains raw observations with no matching fingerprint in the services.transport_fingerprint.raw for searching. The services.transport_fingerprint.id field for an unknown fingerprint will not be present in this case.

Note
 Currently, Censys only attempts to obtain transport fingerprints when the transport protocol is TCP, not UDP.

About Censys' Choice of the CPE Format

As a widely adopted, standardized format for representing software, the Common Platform Enumeration promotes interoperability between security tools, so Censys has adopted this format in its host and service schemas.

 

Diàtaxis: how-to

Related articles

Comments

0 comments

Please sign in to leave a comment.