Git Product home page Git Product logo

censys-queries's Introduction

Awesome Censys Queries

Awesome pre-commit.ci status GitHub contributors GitHub Repo stars License Twitter URL

A collection of fascinating and bizarre Censys Search queries.

Censys Search

Contributing

Found an awesome query? Submit it here

Interested in contributing in another way? See the contributing guidelines

Resources

Key

  • ๐Ÿ”Ž โ†’ - This icon will take you to the Censys Search results page for the query.

Table of Contents

Industrial Control Systems

Industrial Control System Protocols ๐Ÿ”Ž โ†’

services.service_name: {BACNET, CODESYS, EIP, FINS, FOX, IEC60870_5_104, S7, MODBUS}

Prismview (Samsung Electronic Billboards) ๐Ÿ”Ž โ†’

services.tls.certificates.leaf_data.subject.common_name: "Prismview" or services.http.response.headers.server: "Prismview Player"
Screenshot Prismview

Gas Station Pump Controllers (ATGs) ๐Ÿ”Ž โ†’

(same_service(port: 10001 and banner: "IN-TANK INVENTORY") or services.service_name: ATG) and services.truncated: false

Pro-Tip: Add services.truncated: false to your query to exclude honeypots (Hosts with 100+ services).

Screenshot ATG

Electric Vehicle Chargers ๐Ÿ”Ž โ†’

same_service(http.response.headers.server: "gSOAP/2.8" and http.response.headers.content_length: 583)

Carel PlantVisor ๐Ÿ”Ž โ†’

services.http.response.html_title: "CAREL Pl@ntVisor"
References

C4 Max Vehicle GPS ๐Ÿ”Ž โ†’

services.banner: "[1m[35mWelcome on console"
References

GaugeTech Electricity Meters ๐Ÿ”Ž โ†’

services.http.response.headers.server: "EIG Embedded Web Server"
Screenshot GaugeTech

XZERES Wind Turbines ๐Ÿ”Ž โ†’

services.http.response.html_title: "XZERES Wind"

Note: This query works best with virtual hosts included.

Screenshot XZERES Wind Turbine

Nordex Wind Turbine Farms ๐Ÿ”Ž โ†’

services.http.response.html_title: "Nordex Control" or services.tls.certificates.leaf_data.issuer.domain_component: "NORDEX-AG"
References

Saferoads VMS Signs ๐Ÿ”Ž โ†’

services.software: (vendor: "Saferoads" and product: "VMS")
References

Internet of Things Devices

Roombas ๐Ÿ”Ž โ†’

services.tls.certificates.leaf_data.issuer.common_name: "Roomba CA"

Mein Automowers ๐Ÿ”Ž โ†’

services.http.response.headers.Www_Authenticate: `Basic realm= "Mein Automower (Robonect Hx+)"`

WinAQMS Environmental Monitor ๐Ÿ”Ž โ†’

services.banner: "WinAQMS Data Server" and services.truncated: false

Emerson Site Supervisor ๐Ÿ”Ž โ†’

services.http.response.html_title: "Emerson Site Supervisor"
Screenshot Emerson
References

Brightsign Digital Sign ๐Ÿ”Ž โ†’

services.http.response.html_title: "'BrightSign®"

Elnet Power Meters ๐Ÿ”Ž โ†’

same_service(services.http.response.headers.Server="CAL1.0" and services.http.response.status_code: 200)
Screenshot Elnet
References

Nethix Wireless Controller ๐Ÿ”Ž โ†’

services.http.response.headers.set_cookie: "NethixSession"
References

Compromised Mikrotik Router ๐Ÿ”Ž โ†’

services.service_name: MIKROTIK_BW and services.pptp.hostname: "HACKED"
References

Security Applications

Cobalt Strike Servers ๐Ÿ”Ž โ†’

services.certificate: {
    "64257fc0fac31c01a5ccd816c73ea86e639260da1604d04db869bb603c2886e6",
    "87f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c"
}
or services.tls.certificates.leaf_data.issuer.common_name: "Major Cobalt Strike"
or services.tls.certificates.leaf_data.subject.common_name: "Major Cobalt Strike"

Metasploit Servers ๐Ÿ”Ž โ†’

services.http.response.html_title: "Metasploit" and (
    services.tls.certificates.leaf_data.subject.organization: "Rapid7"
    or services.tls.certificates.leaf_data.subject.common_name: "MetasploitSelfSignedCA"
)
or services.jarm.fingerprint: {
    "07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d",
    "07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823"
}

Nessus Scanner Servers ๐Ÿ”Ž โ†’

services.http.response.headers.server: "NessusWWW"
or services.tls.certificates.leaf_data.subject.organizational_unit: "Nessus Server"

NTOP Network Analyzers ๐Ÿ”Ž โ†’

services.http.response.html_title: "Welcome to ntopng"
or same_service(
    services.http.response.html_title: "Global Traffic Statistics"
    and services.http.response.headers.server: "ntop/*"
)

Merlin C2 ๐Ÿ”Ž โ†’

services.jarm.fingerprint: "29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38"
References

Mythic C2 ๐Ÿ”Ž โ†’

same_service(port: 7443 and tls.certificates.leaf_data.subject.organization: "Mythic")

Note: When using the same_service operator, the initial services. prefix is optional.

References

Deimos C2 ๐Ÿ”Ž โ†’

services.jarm.fingerprint: "00000000000000000041d00000041d9535d5979f591ae8e547c5e5743e5b64"
References

Covenant C2 ๐Ÿ”Ž โ†’

same_service(
    http.response.body: {"Blazor", "covenant.css"}
    and tls.certificates.leaf_data.issuer.common_name: "Covenant"
)
References

PoshC2 ๐Ÿ”Ž โ†’

same_service(
    services.tls.certificates.leaf_data.subject.common_name="P18055077" and
    services.tls.certificates.leaf_data.subject.province="Minnesota" and
    services.tls.certificates.leaf_data.subject.locality="Minnetonka" and
    services.tls.certificates.leaf_data.subject.organization="Pajfds" and
    services.tls.certificates.leaf_data.subject.organizational_unit="Jethpro"
)
References

Sliver C2 ๐Ÿ”Ž โ†’

same_service(
    services.tls.certificates.leaf_data.pubkey_bit_size: 2048 and
    services.tls.certificates.leaf_data.subject.organization: /(ACME|Partners|Tech|Cloud|Synergy|Test|Debug)? ?(co|llc|inc|corp|ltd)?/ and
    services.jarm.fingerprint: 3fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910 and
    services.tls.certificates.leaf_data.subject.country: US and
    services.tls.certificates.leaf_data.subject.postal_code: /<1001-9999>/
)

Note: This search uses regex and requires a paid account.

Pro-Tip: Try removing JARM to find even more Sliver instances.

References

EvilGinx2 ๐Ÿ”Ž โ†’

services.jarm.fingerprint: "20d14d20d21d20d20c20d14d20d20daddf8a68a1444c74b6dbe09910a511e6"
References

Brute Ratel C4 ๐Ÿ”Ž โ†’

services.http.response.body_hash="sha1:1a279f5df4103743b823ec2a6a08436fdf63fe30"
References

Empire C2 ๐Ÿ”Ž โ†’

same_service(
    services.http.response.body_hash: {"sha1:bc517bf173440dad15b99a051389fadc366d5df2", "sha1:dcb32e6256459d3660fdc90e4c79e95a921841cc"}
    and services.http.response.headers.expires: 0
    and services.http.response.headers.cache_control: "*"
)
References

Raccoon Stealer V2 (RecordBreaker C2) ๐Ÿ”Ž โ†’

services.banner_hashes: "sha256:7987d0c39c4839572ab88c6d82da01395f74e0c31f12d94c58d0e1bed0b0c75c"
References

NimPlant C2 ๐Ÿ”Ž โ†’

services.http.response.headers.Server: "NimPlant C2 Server" or services.http.response.body_hashes: "sha256:636d68bd1bc19d763de95d0a6406f4f77953f9973389857353ac445e2b6fff87"
References

RedGuard ๐Ÿ”Ž โ†’

services.tls.certificates.leaf_data.subject_dn: "C=CN, L=HangZhou, O=Alibaba (China) Technology Co.\\, Ltd., CN=\*.aliyun.com"
References

AsyncRAT ๐Ÿ”Ž โ†’

services.tls.certificates.leaf_data.subject.common_name: "AsyncRAT Server"
References

BitRAT ๐Ÿ”Ž โ†’

services.tls.certificates.leaf_data.subject.common_name: "BitRAT"
References

OrcusRAT ๐Ÿ”Ž โ†’

services.tls.certificates.leaf_data.subject.common_name: {"Orcus Server", "OrcusServerCertificate"}
References

QuasarRAT ๐Ÿ”Ž โ†’

services.tls.certificates.leaf_data.subject.common_name: {"Anony96", "Quasar Server CA"}
References

NanoCore ๐Ÿ”Ž โ†’

services.tls.certificates.leaf_data.subject.common_name: "unk"
References

DcRat ๐Ÿ”Ž โ†’

services.tls.certificates.leaf_data.subject.common_name: "DcRat Server"
References

Deimos C2 ๐Ÿ”Ž โ†’

same_service((services.http.response.html_title="Deimos C2" or services.tls.certificates.leaf_data.subject.organization="Acme Co") and services.port: 8443)
References

Posh C2 ๐Ÿ”Ž โ†’

services.tls.certificates.leaf_data.subject_dn: "C=US, ST=Minnesota, L=Minnetonka, O=Pajfds, OU=Jethpro, CN=P18055077"
References

IcedID Banking Trojan ๐Ÿ”Ž โ†’

services.tls.certificates.leaf_data.subject_dn: "CN=localhost, C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"
References

Gozi Malware ๐Ÿ”Ž โ†’

services.tls.certificates.leaf_data.issuer_dn: "C=XX, ST=1, L=1, O=1, OU=1, CN=\*"
References

Pupy RAT C2 ๐Ÿ”Ž โ†’

same_service(services.http.response.headers.Etag="\"aa3939fc357723135870d5036b12a67097b03309\"" and services.http.response.headers.Server="nginx/1.13.8") or same_service(services.tls.certificates.leaf_data.issuer.organization:/[a-zA-Z]{10}/ and  services.tls.certificates.leaf_data.subject.organization:/[a-zA-Z]{10}/ and services.tls.certificates.leaf_data.subject.organizational_unit="CONTROL")

Note: This search uses regex and requires a paid account.

References

Responder Server ๐Ÿ”Ž โ†’

services.banner="HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/7.5\r\nDate:  <REDACTED>\r\nContent-Type: text/html\r\nWWW-Authenticate: NTLM\r\nContent-Length: 0\r\n"
References

Titan Stealer C2 ๐Ÿ”Ž โ†’

services.http.response.body: "Titan Stealer"
References

Open Directory Listing Host with Suspicious File Names in their Contents ๐Ÿ”Ž โ†’

same_service(
    (services.http.response.html_title:"Index of /" or services.http.response.html_title:"Directory Listing for /")
    and services.http.response.body: /.*?(cve|metasploit|cobaltstrike|sliver|covenant|brc4|brute-ratel|commander-runme|bruteratel|ps2exe|(badger|shellcode|sc|beacon|artifact|payload|teamviewer|anydesk|mimikatz|cs|rclone)\.(exe|ps1|vbs|bin|nupkg)).*/
)

Note: This search uses regex and requires a paid account.

Splunk ๐Ÿ”Ž โ†’

services.software.product: "Splunk"
References

Databases

Exposed CouchDB Servers ๐Ÿ”Ž โ†’

services.http.response.body: '"couchdb": "Welcome"'
References

Dashboards

cAdvisor Dashboards ๐Ÿ”Ž โ†’

same_service(services.http.response.html_title=`cAdvisor - /` and services.http.response.status_code=200 and services.http.request.uri="*/containers/")
References

HashiCorp Consul Dashboards ๐Ÿ”Ž โ†’

same_service(services.http.response.html_title=`Consul by HashiCorp` and services.http.request.uri: "*/ui/")
References

Netdata Dashboards ๐Ÿ”Ž โ†’

same_service(services.http.response.headers.Server="Netdata Embedded HTTP*" and services.http.response.html_title="netdata dashboard")
References

Rancher Dashboards ๐Ÿ”Ž โ†’

same_service(services.http.response.headers.unknown.name: "X-Rancher-Version" and services.http.response.html_title: "Loading&hellip;")

Traefik Dashboards ๐Ÿ”Ž โ†’

same_service(services.http.request.uri: "*/dashboard/" and services.http.response.html_title: "Traefik")
References

Weave Scope ๐Ÿ”Ž โ†’

same_service(services.http.response.html_title: "Weave Scope" and services.http.response.body="*WEAVEWORKS_CSRF*")
References

Game Servers

Counter-Strike: Global Offensive ๐Ÿ”Ž โ†’

same_service(banner: "Counter-Strike: Global Offensive Server" and service_name: VALVE)

Media Servers

Plex Media Server ๐Ÿ”Ž โ†’

services.software.vendor: "Plex"
References

MythWeb ๐Ÿ”Ž โ†’

services.http.request.uri: "mythweb"
Screenshot MythWeb
References

Random Services

Hosts emitting GNSS payloads ๐Ÿ”Ž โ†’

services.banner: "$GPRMC"

Directory Listing ๐Ÿ”Ž โ†’

services.http.response.html_title: "Index of /"

Swagger UI ๐Ÿ”Ž โ†’

services.http.response.html_title: "Swagger UI - "
Screenshot Swagger UI
References

Mongo Express Admin Interface ๐Ÿ”Ž โ†’

services.http.response.html_title: "Home - Mongo Express"
References

shell2http ๐Ÿ”Ž โ†’

services.http.response.html_title: "shell2http"

Busybox Shells ๐Ÿ”Ž โ†’

same_service(services.banner: "Enter 'help' for a list of built-in commands" and services.service_name: TELNET) and services.truncated: false
Screenshot Busybox

Unauthenticated Redis Servers ๐Ÿ”Ž โ†’

services.redis.ping_response: "PONG"

Misconfigured Kubernetes Installations ๐Ÿ”Ž โ†’

services.kubernetes.pod_names: *

Misconfigured WordPress ๐Ÿ”Ž โ†’

services.http.response.body: "The wp-config.php creation script uses this file"

Unconfigured AdGuard ๐Ÿ”Ž โ†’

same_service(services.http.response.html_title: "Setup AdGuard Home" and services.http.request.uri="*/install.html")
References

Prometheus Node Exporters ๐Ÿ”Ž โ†’

same_service(services.http.response.html_title: "node exporter" and services.http.response.body: "/metrics")

VictoriaMetrics Agent ๐Ÿ”Ž โ†’

services.http.response.body: "<h2>vmagent</h2>"
Screenshot vmagent
References

SonarQube ๐Ÿ”Ž โ†’

same_service(http.response.html_title: "SonarQube" and http.response.status_code: 200 and http.response.protocol: "HTTP/1.1")
References

Advanced Queries

IPv6 Hosts ๐Ÿ”Ž โ†’

ip:"2001::/3"

Honeypots Hosts ๐Ÿ”Ž โ†’

services.truncated: true

North Korean Hosts ๐Ÿ”Ž โ†’

location.country: "North Korea"

Hosts that identify as US government or military ๐Ÿ”Ž โ†’

dns.names: *.gov or dns.names: *.mil or name: *.gov or name: *.mil

Services Listening on 53 that are not DNS ๐Ÿ”Ž โ†’

same_service(services.port: 53 and not services.service_name: DNS) and services.truncated: false

Alternative syntax without the services. prefix inside the same_service function:

same_service(port: 53 and not service_name: DNS) and services.truncated: false

Non-Standard Services Listening on Common Ports ๐Ÿ”Ž โ†’

same_service(services.port: {21, 22, 80} and not services.service_name: {HTTP, SSH, FTP, UNKNOWN}) and services.truncated: false

Services Listening on Port 22 that are not SSH ๐Ÿ”Ž โ†’

same_service(services.port: 22 and not services.service_name: {SSH} and not services.banner: {"Connection refused", "SSH-", "Exceeded MaxStartups", "Too many users", "Connection closed by server"}) and services.truncated: false

Services Listening on 80 or 443 that are not HTTP or HTTPS (or UNKNOWN with TLS) ๐Ÿ”Ž โ†’

not same_service(services.port: 443 and services.name: UNKNOWN and services.tls.certificates.leaf_data.subject_dn: *) and same_service(services.port: {80, 443} and not services.service_name: {KUBERNETES, ANYCONNECT, OPENVPN, HTTP} and not services.banner: โ€œHTTP/โ€) and services.truncated: false

Credits

License

CC0

Star History

Star History Chart

censys-queries's People

Contributors

thehappydinoa avatar ycamper avatar pre-commit-ci[bot] avatar imgbotapp avatar dependabot[bot] avatar crosleyzack avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.