Show Menu
Cheatography

Censys Search Cheat Sheet by

A quick reference for writing useful queries to leverage Censys Internet Map data. Try them out at https://search.censys.io/. Check out the Censys data changelog at https://search.censys.io/search/changelog?resources=hosts.

IP Addresses and Subnets

Single IP (supports IPv4 and IPv6)
8.8.8.8 or
ip:8.8.8.8
Subnet by CIDR
ip: "­23.0.0.0/­8"
Subnet by IP Range
ip: [1.12.0.0 to 1.15.2­55.255]
Hostname
dns.na­mes­:"*.z­ip­"
Autonomous System # (ASN)
autono­mou­s_s­yst­em.a­sn­:16509
Autonomous System Name
autono­mou­s_s­yst­em.n­am­e:"A­MAZ­ON-­02"
IPv6 hosts
ip: "­200­1::­/3" or
labels­:ipv6

Ports, Protocols, and Software

Port
servic­es.p­ort:22
servic­es.p­or­t:{­20,­21,22}
Service / Protocol
servic­es.s­er­vic­e_n­ame:SSH
Transport protocol
servic­es.t­ra­nsp­ort­_pr­oto­col:TCP
Software by product and/or vendor
services: (softw­are.ve­ndo­r:"A­pac­he" AND softwa­re.p­ro­duc­t:"H­TTP­D")
Software by URI / CPE
servic­es.s­of­twa­re.cpe =`cpe:­2.3­:o:­mik­rot­ik:­rou­teros::::::::`
Banner grab
servic­es.b­an­ner­:"HT­TP/­"
Device type
servic­es.s­of­tware: (other.ke­y:"D­evi­ce" and other.v­al­ue:­"­Rou­ter­")
Number of open ports on host
servic­e_c­ount: [1 to 20]

Geography

Country
locati­on.c­ou­ntr­y:"U­nited States­"
City
locati­on.c­it­y:"Ann Arbor"
State
locati­on.p­ro­vin­ce:­"­Mic­hig­an"
GPS Coordi­nates
(locat­ion.co­ord­ina­tes.la­tit­ude­=41.85003 AND locati­on.c­oo­rdi­nat­es.l­on­git­ude­=-8­7.6­5005)
Pro tip: Use Map To Censys to draw a box over the geographic area of interest and click “Open in Search” to see hosts in the area

Labels

search by label
labels:
<la­bel­-na­me>
Labels provide broad context about a host or service. Some useful host labels: c2, login-­page, open-dir, ics, networ­k.d­evice, crypto­cur­rency, manage­d-f­ile­-tr­ansfer, ipv6, tarpit, honeypot.

Handy Censys Search CLI JQ filters

List of IP addresses
'.[].ip'
Banners
'.[] | .ip as $ip | .servi­ces[] | [ $ip, .trans­por­t_p­rot­ocol, .port, .servi­ce_­name, .banner ]'
Usage:
censys search <qu­ery> | jq <fi­lte­r>
 

Web Entities (HTTP/S)

HTML Title
servic­es.h­tt­p.r­esp­ons­e.h­tml­_ti­tle­:"da­shb­oar­d"
Response Body - plaintext or hash
servic­es.h­tt­p.r­esp­ons­e.b­ody­:"lo­gin­" or servic­es.h­tt­p.r­esp­ons­e.b­ody­_ha­shes:*
Status code
servic­es.h­tt­p.r­esp­ons­e.s­tat­us_­cod­e=200
Server header
servic­es.h­tt­p.r­esp­ons­e.h­eaders: (key:
Server
and value.h­ea­ders:
nginx
)
Certif­icate Issuer
servic­es.t­ls.ce­rti­fic­ate­s.l­eaf­_da­ta.i­ss­uer.or­gan­iza­tio­n:"Let's Encryp­t"
Certif­icate Subject Common Name
servic­es.t­ls.ce­rti­fic­ate­s.l­eaf­_da­ta.s­ub­jec­t.c­omm­on_­name:
*.hero­kua­pp.com
TLS version
(Highest negotiated version)
servic­es.t­ls.ve­rsi­on_­sel­ect­ed:­"­TLS­v1_­1"
Favicon MD5 Hash
servic­es.h­tt­p.r­esp­ons­e.f­avi­con­s.m­d5_­hash:*
Favicon Shodan Hash (mmh3)
servic­es.h­tt­p.r­esp­ons­e.f­avi­con­s.s­hod­an_­hash:*

Use Case Examples

Hacked web servers
services: (servi­ce_­nam­e:"H­TTP­" and http.r­esp­ons­e.h­tml­_ti­tle­:”h­acked by”)
Hosts serving login pages with port 22 open
servic­es.p­ort:22 and labels:
login-page
Servers in Russia running remote access protocols
locati­on.c­ou­ntr­y:"R­uss­ia" and labels:
remote­-access
Filter out hosts with 100+ ports open
servic­es.t­ru­ncated: false
Compro­mised MikroTik routers
servic­es.s­er­vic­e_name: MIKROT­IK_BW and "­HAC­KED­"
Filter out honeypots and noisy hosts
not labels­:{'­hon­eypot', 'tarpit', 'trunc­ated'}
RDP running on nonsta­ndard ports
services: (servi­ce_­nam­e="R­DP" and NOT port=3389)
Pro tip: Get more results by including virtual hosts -- click the gear icon and toggle Virtual Hosts:
INCLUDE

Certif­icates

Unexpired certif­icates for a specific domain
labels=
unexpired
and names: censys.io
Self-s­igned certif­icates observed in Censys host scans
ever_s­een­_in­_scan: true and labels: "­sel­f-s­ign­ed"
Trusted certs from a specific CA expiring on specific day
parsed.is­sue­r.o­rga­niz­ation: "­Let's Encryp­t" and labels: "­tru­ste­d" and parsed.va­lid­ity­_pe­rio­d.n­ot_­after: 2023-10-13
 

Comments

No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          HTML5 deutsch Cheat Sheet