1. Censys
  2. Censys Attack Surface Management
  3. Foundations of ASM: Inventory Introduction

Other Articles In This Section

See more

In this article:

Asset Inventory Example Queries

  • Updated

General Queries

Find untagged assets:

not tags: *

Try it out

List assets with a tag:

tags: {example, example2}

Try it out

Find all assets with a useful keyword in their name:

web_entity.name: /.*dev.*/ OR certificate.names: /.*dev.*/ OR domain.name: /.*dev.*/ OR storage_bucket.name: /.*dev.*/

Try it out

Host Queries

Find hosts whose IP address is within a range, written using CIDR notation or using initial and terminal values in brackets:

host.ip: 2.255.190.0/24

Try it out

OR

host.ip: {162.142.125.0 to 162.142.125.255]

Try it out

Find SSH services running on non-standard ports:

host.services: (service_name:ssh and not port:{22, 2222})

Try it out

Web Entity Queries

Find web entities that are serving one of the following HTTP applications:

web_entity.instances.service_name: {Elasticsearch, Kubernetes, Prometheus}

Try it out

Find web entities that are redirecting to another location:

web_entity.instances: (not port: 80 and http.response.status_code: [301 to 308])

Try it out

Find web entities that are using a plain HTTP connection.

web_entity.instances: (not port: 80 and extended_service_name: HTTP)

Try it out

Vulnerability & Risk Queries

Jan 2023 (CVE-2023-20025): Remote Code Execution Vulnerability in End-of-Life Cisco Routers:

host.services: (service_name=HTTP and tls.certificates.leaf_data.issuer.organizational_unit: {RV042G,RV016, RV042, RV082}) or host.services.http.response.headers: (key: www_authenticate and value.headers: {'="RV016"', '="RV042"', '="RV042G"', '="RV082"'})

Try it out

Find hacked HTTP servers in your inventory:

host.services.http.response.html_title:"hacked by" or web_entity.instances.http.response.html_title:"hacked by"

Try it out

Identify services with executables presenting in the HTTP body:

host.services.http.response.body: .exe or web_entity.instances.http.response.body: .exe

Try it out

List assets with a recently detected risk:

risks.discovered_at: [2023-02-06 to *]

Try it out

Find potentially unknown assets with severe risks:

risks.severity:{critical, high} and source:"censys scan"

Try it out

Find newly discovered assets with a risk:

association_date: {2023-02-06 to *} and risks: *

Try it out

Find hosts presenting a self-signed certificate:

host.services.tls.certificates.leaf_data.signature.self_signed: true

Try it out

Potential Shadow Cloud

Search for hosts located in data centers outside of sanctioned clouds:

host.ip: * and not host.cloud:{aws, ovh}

Try it out

Search for potentially unknown hosts in major Cloud Providers:

source:"censys scan" and host.cloud: {"Amazon Aws", "Google Cloud", "Microsoft Azure", "Alibaba Cloud", "Soft Layer Technologies Inc.", "Tencent Cloud", "Digital Ocean Inc.", "Hetzner Online", "Verizon Communications Inc.", "Oracle Cloud", "Huawei Cloud Service", "US Signal", "Switch Communications Group LLC", "Internap Corporation", "Tier Point LLC", "American Internet Services", "Arvixe", "Cologix Inc.", "Confluence Networks Inc."}

Try it out

Related articles

Comments

0 comments

Please sign in to leave a comment.