Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.
Awesome Lists | Featured Topics | Projects
https://github.com/thehappydinoa/awesome-censys-queries

A collection of fascinating and bizarre Censys Search Queries
https://github.com/thehappydinoa/awesome-censys-queries
List: awesome-censys-queries
awesome awesome-list censys censys-dorks dorks ics iot osint queries search security-tools
Last synced: 2 months ago
JSON representation
A collection of fascinating and bizarre Censys Search Queries
Host: GitHub
URL: https://github.com/thehappydinoa/awesome-censys-queries
Owner: thehappydinoa
License: cc0-1.0
Created: 2022-08-16T16:52:05.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2024-05-06T19:28:16.000Z (8 months ago)
Last Synced: 2024-05-19T01:01:11.945Z (7 months ago)
Topics: awesome, awesome-list, censys, censys-dorks, dorks, ics, iot, osint, queries, search, security-tools
Homepage:
Size: 1.77 MB
Stars: 662
Watchers: 17
Forks: 78
Open Issues: 1
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
Awesome Lists containing this project

ultimate-awesome - awesome-censys-queries - A collection of fascinating and bizarre Censys Search Queries . (Other Lists / Monkey C Lists)
awesome-ip-search-engines - Awesome Censys Queries
awesome-ip-search-engines - Awesome Censys Queries
README

        # Awesome Censys Queries

[![Awesome](https://awesome.re/badge.svg)](https://awesome.re)

[![pre-commit.ci status](https://results.pre-commit.ci/badge/github/thehappydinoa/awesome-censys-queries/main.svg)](https://results.pre-commit.ci/latest/github/thehappydinoa/awesome-censys-queries/main)

[![GitHub contributors](https://img.shields.io/github/contributors/thehappydinoa/awesome-censys-queries)](https://github.com/thehappydinoa/awesome-censys-queries/graphs/contributors)

[![GitHub Repo stars](https://img.shields.io/github/stars/thehappydinoa/awesome-censys-queries)](https://github.com/thehappydinoa/awesome-censys-queries/stargazers)

[![License](https://img.shields.io/github/license/thehappydinoa/awesome-censys-queries)](#license)

![Twitter URL](https://img.shields.io/twitter/url?url=https%3A%2F%2Fgithub.com%2Fthehappydinoa%2Fawesome-censys-queries)

A collection of fascinating and bizarre [Censys Search](https://search.censys.io?ref=awesome-censys-queries) queries.



    



## Contributing

Found an awesome query? [Submit it here](https://github.com/thehappydinoa/awesome-censys-queries/issues/new?assignees=thehappydinoa&labels=query+submissions&template=query-submission.md&title=)

Interested in contributing in another way? [See the contributing guidelines](CONTRIBUTING.md)

## Resources

- [Censys Search](https://search.censys.io?ref=awesome-censys-queries)

- [CensysGPT Beta - AI Generated Queries](https://gpt.censys.io?utm_source=github&utm_medium=awesome-censys-queries&utm_campaign=awesome-censys-queries)

## Key

- 🔎 → - This icon will take you to the Censys Search results page for the query.

## Table of Contents

  * [Industrial Control Systems](#industrial-control-systems)

  * [Internet of Things Devices](#internet-of-things-devices)

  * [Security Applications](#security-applications)

  * [Databases](#databases)

  * [Dashboards](#dashboards)

  * [Game Servers](#game-servers)

  * [Media Servers](#media-servers)

  * [Random Services](#random-services)

  * [Advanced Queries](#advanced-queries)

- [Credits](#credits)

- [License](#license)

- [Star History](#star-history)

### Industrial Control Systems

#### Industrial Control System Protocols [🔎 →](https://search.censys.io/search?resource=hosts&q=services.service_name%3A+%7BBACNET%2C+CODESYS%2C+EIP%2C+FINS%2C+FOX%2C+IEC60870_5_104%2C+S7%2C+MODBUS%7D&ref=awesome-censys-queries)

```dsl

services.service_name: {BACNET, CODESYS, EIP, FINS, FOX, IEC60870_5_104, S7, MODBUS}

```

#### Prismview (Samsung Electronic Billboards) [🔎 →](https://search.censys.io/search?resource=hosts&q=services.tls.certificates.leaf_data.subject.common_name%3A+%22Prismview%22+or+services.http.response.headers.server%3A+%22Prismview+Player%22&ref=awesome-censys-queries)

```dsl

services.tls.certificates.leaf_data.subject.common_name: "Prismview" or services.http.response.headers.server: "Prismview Player"

```

    Screenshot

    

#### Gas Station Pump Controllers (ATGs) [🔎 →](https://search.censys.io/search?resource=hosts&q=%28same_service%28port%3A+10001+and+banner%3A+%22IN-TANK+INVENTORY%22%29+or+services.service_name%3A+ATG%29+and+services.truncated%3A+false&ref=awesome-censys-queries)

```dsl

(same_service(port: 10001 and banner: "IN-TANK INVENTORY") or services.service_name: ATG) and services.truncated: false

```

> **Pro-Tip**: Add `services.truncated: false` to your query to exclude honeypots (Hosts with 100+ services).

    Screenshot

    

#### Electric Vehicle Chargers [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service%28http.response.headers.server%3A+%22gSOAP%2F2.8%22+and+http.response.headers.content_length%3A+583%29&ref=awesome-censys-queries)

```dsl

same_service(http.response.headers.server: "gSOAP/2.8" and http.response.headers.content_length: 583)

```

#### Carel PlantVisor [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.html_title%3A+%22CAREL+Pl%40ntVisor%22&ref=awesome-censys-queries)

```dsl

services.http.response.html_title: "CAREL Pl@ntVisor"

```

    References

- 

#### C4 Max Vehicle GPS [🔎 →](https://search.censys.io/search?resource=hosts&q=services.banner%3A+%22%5B1m%5B35mWelcome+on+console%22&ref=awesome-censys-queries)

```dsl

services.banner: "[1m[35mWelcome on console"

```

    References

- 

#### GaugeTech Electricity Meters [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.headers.server%3A+%22EIG+Embedded+Web+Server%22&ref=awesome-censys-queries)

```dsl

services.http.response.headers.server: "EIG Embedded Web Server"

```

    Screenshot

    

#### XZERES Wind Turbines [🔎 →](https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=services.http.response.html_title%3A+%22XZERES+Wind%22&ref=awesome-censys-queries)

```dsl

services.http.response.html_title: "XZERES Wind"

```

> **Note**: This query works best with virtual hosts included.

    Screenshot

    

#### Nordex Wind Turbine Farms [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.html_title%3A+%22Nordex+Control%22+or+services.tls.certificates.leaf_data.issuer.domain_component%3A+%22NORDEX-AG%22&ref=awesome-censys-queries)

```dsl

services.http.response.html_title: "Nordex Control" or services.tls.certificates.leaf_data.issuer.domain_component: "NORDEX-AG"

```

    References

- 

#### Saferoads VMS Signs [🔎 →](https://search.censys.io/search?resource=hosts&q=services.software%3A+%28vendor%3A+%22Saferoads%22+and+product%3A+%22VMS%22%29&ref=awesome-censys-queries)

```dsl

services.software: (vendor: "Saferoads" and product: "VMS")

```

    References

- 

### Internet of Things Devices

#### Roombas [🔎 →](https://search.censys.io/search?resource=hosts&q=services.tls.certificates.leaf_data.issuer.common_name%3A+%22Roomba+CA%22&ref=awesome-censys-queries)

```dsl

services.tls.certificates.leaf_data.issuer.common_name: "Roomba CA"

```

#### Mein Automowers [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.headers.Www_Authenticate%3A+%60Basic+realm%3D+%22Mein+Automower+%28Robonect+Hx%2B%29%22%60&ref=awesome-censys-queries)

```dsl

services.http.response.headers.Www_Authenticate: `Basic realm= "Mein Automower (Robonect Hx+)"`

```

#### WinAQMS Environmental Monitor [🔎 →](https://search.censys.io/search?resource=hosts&q=services.banner%3A+%22WinAQMS+Data+Server%22+and+services.truncated%3A+false&ref=awesome-censys-queries)

```dsl

services.banner: "WinAQMS Data Server" and services.truncated: false

```

#### Emerson Site Supervisor [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.html_title%3A+%22Emerson+Site+Supervisor%22&ref=awesome-censys-queries)

```dsl

services.http.response.html_title: "Emerson Site Supervisor"

```

    Screenshot

    

    References

- 

#### Brightsign Digital Sign [🔎 →](https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&q=services.http.response.html_title%3A+%22%27BrightSign%26reg%3B%22&ref=awesome-censys-queries)

```dsl

services.http.response.html_title: "'BrightSign®"

```

#### Elnet Power Meters [🔎 →](https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&q=same_service%28services.http.response.headers.Server%3D%22CAL1.0%22+and+services.http.response.status_code%3A+200%29&ref=awesome-censys-queries)

```dsl

same_service(services.http.response.headers.Server="CAL1.0" and services.http.response.status_code: 200)

```

    Screenshot

    

    References

- 

#### Nethix Wireless Controller [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.headers.set_cookie%3A+%22NethixSession%22&ref=awesome-censys-queries)

```dsl

services.http.response.headers.set_cookie: "NethixSession"

```

    References

- 

#### Compromised Mikrotik Router [🔎 →](https://search.censys.io/search?resource=hosts&q=services.service_name%3A+MIKROTIK_BW+and+%22hacked%22&ref=awesome-censys-queries)

```dsl

services.service_name: MIKROTIK_BW and services.pptp.hostname: "HACKED"

```

    References

- 

### Security Applications

#### Cobalt Strike Servers [🔎 →](https://search.censys.io/search?resource=hosts&q=services.certificate%3A+%7B%2264257fc0fac31c01a5ccd816c73ea86e639260da1604d04db869bb603c2886e6%22%2C+%2287f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c%22%7D+or+services.tls.certificates.leaf_data.issuer.common_name%3A+%22Major+Cobalt+Strike%22+or+services.tls.certificates.leaf_data.subject.common_name%3A+%22Major+Cobalt+Strike%22+or+services.jarm.fingerprint%3A+%7B%2207d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1%22%2C+%2207d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2%22%7D&ref=awesome-censys-queries)

```dsl

services.certificate: {

    "64257fc0fac31c01a5ccd816c73ea86e639260da1604d04db869bb603c2886e6",

    "87f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c"

}

or services.tls.certificates.leaf_data.issuer.common_name: "Major Cobalt Strike"

or services.tls.certificates.leaf_data.subject.common_name: "Major Cobalt Strike"

```

#### Metasploit Servers [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.html_title%3A+%22Metasploit%22+and+%28services.tls.certificates.leaf_data.subject.organization%3A+%22Rapid7%22+or+services.tls.certificates.leaf_data.subject.common_name%3A+%22MetasploitSelfSignedCA%22%29+or+services.jarm.fingerprint%3A+%7B07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d%2C+07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823%7D&ref=awesome-censys-queries)

```dsl

services.http.response.html_title: "Metasploit" and (

    services.tls.certificates.leaf_data.subject.organization: "Rapid7"

    or services.tls.certificates.leaf_data.subject.common_name: "MetasploitSelfSignedCA"

)

or services.jarm.fingerprint: {

    "07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d",

    "07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823"

}

```

#### Nessus Scanner Servers [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.headers.server%3A+%22NessusWWW%22+or+services.tls.certificates.leaf_data.subject.organizational_unit%3A+%22Nessus+Server%22&ref=awesome-censys-queries)

```dsl

services.http.response.headers.server: "NessusWWW"

or services.tls.certificates.leaf_data.subject.organizational_unit: "Nessus Server"

```

#### NTOP Network Analyzers [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.html_title%3A+%22Welcome+to+ntopng%22+or+same_service%28services.http.response.html_title%3A+%22Global+Traffic+Statistics%22+and+services.http.response.headers.server%3A+%22ntop%2F*%22%29&ref=awesome-censys-queries)

```dsl

services.http.response.html_title: "Welcome to ntopng"

or same_service(

    services.http.response.html_title: "Global Traffic Statistics"

    and services.http.response.headers.server: "ntop/*"

)

```

#### Merlin C2 [🔎 →](https://search.censys.io/search?resource=hosts&q=services.jarm.fingerprint%3A+29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38&ref=awesome-censys-queries)

```dsl

services.jarm.fingerprint: "29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38"

```

    References

- 

#### Mythic C2 [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service%28port%3A+7443+and+tls.certificates.leaf_data.subject.organization%3A+%22Mythic%22%29&ref=awesome-censys-queries)

```dsl

same_service(port: 7443 and tls.certificates.leaf_data.subject.organization: "Mythic")

```

> **Note**: When using the `same_service` operator, the initial `services.` prefix is optional.

    References

- 

- 

#### Deimos C2 [🔎 →](https://search.censys.io/search?resource=hosts&q=services.jarm.fingerprint%3A+00000000000000000041d00000041d9535d5979f591ae8e547c5e5743e5b64&ref=awesome-censys-queries)

```dsl

services.jarm.fingerprint: "00000000000000000041d00000041d9535d5979f591ae8e547c5e5743e5b64"

```

    References

- 

#### Covenant C2 [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service%28http.response.body%3A+{%22Blazor%22,%20%22covenant.css%22}+and+tls.certificates.leaf_data.issuer.common_name%3A+%22Covenant%22%29&ref=awesome-censys-queries)

```dsl

same_service(

    http.response.body: {"Blazor", "covenant.css"}

    and tls.certificates.leaf_data.issuer.common_name: "Covenant"

)

```

    References

- 

#### PoshC2 [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service%28services.tls.certificates.leaf_data.subject.common_name%3D%22P18055077%22%20and%20services.tls.certificates.leaf_data.subject.province%3D%22Minnesota%22%20and%20services.tls.certificates.leaf_data.subject.locality%3D%22Minnetonka%22%20and%20services.tls.certificates.leaf_data.subject.organization%3D%22Pajfds%22%20and%20services.tls.certificates.leaf_data.subject.organizational_unit%3D%22Jethpro%22%29&ref=awesome-censys-queries)

```dsl

same_service(

    services.tls.certificates.leaf_data.subject.common_name="P18055077" and

    services.tls.certificates.leaf_data.subject.province="Minnesota" and

    services.tls.certificates.leaf_data.subject.locality="Minnetonka" and

    services.tls.certificates.leaf_data.subject.organization="Pajfds" and

    services.tls.certificates.leaf_data.subject.organizational_unit="Jethpro"

)

```

    References

- 

#### Sliver C2 [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service%28%20services.tls.certificates.leaf_data.pubkey_bit_size%3A%202048%20and%20services.tls.certificates.leaf_data.subject.organization%3A%20%2F%28ACME%7CPartners%7CTech%7CCloud%7CSynergy%7CTest%7CDebug%29%3F%20%3F%28co%7Cllc%7Cinc%7Ccorp%7Cltd%29%3F%2F%20and%20services.jarm.fingerprint%3A%203fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910%20and%20services.tls.certificates.leaf_data.subject.country%3A%20US%20and%20services.tls.certificates.leaf_data.subject.postal_code%3A%20%2F%3C1001-9999%3E%2F%20%29&ref=awesome-censys-queries)

```dsl

same_service(

    services.tls.certificates.leaf_data.pubkey_bit_size: 2048 and

    services.tls.certificates.leaf_data.subject.organization: /(ACME|Partners|Tech|Cloud|Synergy|Test|Debug)? ?(co|llc|inc|corp|ltd)?/ and

    services.jarm.fingerprint: 3fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910 and

    services.tls.certificates.leaf_data.subject.country: US and

    services.tls.certificates.leaf_data.subject.postal_code: /<1001-9999>/

)

```

> **Note**: This search uses regex and requires a paid account.

>

> **Pro-Tip**: Try removing JARM to find even more Sliver instances.

    References

- 

#### EvilGinx2 [🔎 →](https://search.censys.io/search?resource=hosts&q=services.jarm.fingerprint%3A+20d14d20d21d20d20c20d14d20d20daddf8a68a1444c74b6dbe09910a511e6&ref=awesome-censys-queries)

```dsl

services.jarm.fingerprint: "20d14d20d21d20d20c20d14d20d20daddf8a68a1444c74b6dbe09910a511e6"

```

    References

- 

#### Brute Ratel C4 [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.body_hash%3A+%22sha1%3A1a279f5df4103743b823ec2a6a08436fdf63fe30%22&ref=awesome-censys-queries)

```dsl

services.http.response.body_hash="sha1:1a279f5df4103743b823ec2a6a08436fdf63fe30"

```

    References

- 

#### Empire C2 [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service(services.http.response.body_hash%3A+%7B%22sha1%3Abc517bf173440dad15b99a051389fadc366d5df2%22%2C+%22sha1%3Adcb32e6256459d3660fdc90e4c79e95a921841cc%22%7D+and+services.http.response.headers.expires%3A+0+and+services.http.response.headers.cache_control%3A+%22*%22)&ref=awesome-censys-queries)

```dsl

same_service(

    services.http.response.body_hash: {"sha1:bc517bf173440dad15b99a051389fadc366d5df2", "sha1:dcb32e6256459d3660fdc90e4c79e95a921841cc"}

    and services.http.response.headers.expires: 0

    and services.http.response.headers.cache_control: "*"

)

```

    References

- 

#### Raccoon Stealer V2 (RecordBreaker C2) [🔎 →](https://search.censys.io/search?resource=hosts&q=services.banner_hashes%3A+%22sha256%3A7987d0c39c4839572ab88c6d82da01395f74e0c31f12d94c58d0e1bed0b0c75c%22&ref=awesome-censys-queries)

```dsl

services.banner_hashes: "sha256:7987d0c39c4839572ab88c6d82da01395f74e0c31f12d94c58d0e1bed0b0c75c"

```

    References

- 

#### NimPlant C2 [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.headers.Server:%20%22NimPlant%20C2%20Server%22%20or%20services.http.response.body_hashes:%20%22sha256:636d68bd1bc19d763de95d0a6406f4f77953f9973389857353ac445e2b6fff87%22&ref=awesome-censys-queries)

```dsl

services.http.response.headers.Server: "NimPlant C2 Server" or services.http.response.body_hashes: "sha256:636d68bd1bc19d763de95d0a6406f4f77953f9973389857353ac445e2b6fff87"

```

    References

- 

- 

#### RedGuard [🔎 →](https://search.censys.io/search?resource=hosts&q=services.tls.certificates.leaf_data.subject_dn%3A+%22C%3DCN%2C+L%3DHangZhou%2C+O%3DAlibaba+%28China%29+Technology+Co.%5C%5C%2C+Ltd.%2C+CN%3D%5C*.aliyun.com%22&ref=awesome-censys-queries)

```dsl

services.tls.certificates.leaf_data.subject_dn: "C=CN, L=HangZhou, O=Alibaba (China) Technology Co.\\, Ltd., CN=\*.aliyun.com"

```

    References

- 

- 

#### AsyncRAT [🔎 →](https://search.censys.io/search?resource=hosts&q=services.tls.certificates.leaf_data.subject.common_name%3A+%22AsyncRAT+Server%22&ref=awesome-censys-queries)

```dsl

services.tls.certificates.leaf_data.subject.common_name: "AsyncRAT Server"

```

    References

- 

#### BitRAT [🔎 →](https://search.censys.io/search?resource=hosts&q=services.tls.certificates.leaf_data.subject.common_name%3A+%22BitRAT%22&ref=awesome-censys-queries)

```dsl

services.tls.certificates.leaf_data.subject.common_name: "BitRAT"

```

    References

- 

#### OrcusRAT [🔎 →](https://search.censys.io/search?resource=hosts&q=services.tls.certificates.leaf_data.subject.common_name:%20{%22Orcus%20Server%22,%20%22OrcusServerCertificate%22}&ref=awesome-censys-queries)

```dsl

services.tls.certificates.leaf_data.subject.common_name: {"Orcus Server", "OrcusServerCertificate"}

```

    References

- 

#### QuasarRAT [🔎 →](https://search.censys.io/search?resource=hosts&q=services.tls.certificates.leaf_data.subject.common_name:%20{%22Anony96%22,%20%22Quasar%20Server%20CA%22}&ref=awesome-censys-queries)

```dsl

services.tls.certificates.leaf_data.subject.common_name: {"Anony96", "Quasar Server CA"}

```

    References

- 

#### NanoCore [🔎 →](https://search.censys.io/search?resource=hosts&q=services.tls.certificates.leaf_data.subject.common_name:%20%22unk%22&ref=awesome-censys-queries)

```dsl

services.tls.certificates.leaf_data.subject.common_name: "unk"

```

    References

- 

#### DcRat [🔎 →](https://search.censys.io/search?resource=hosts&q=services.tls.certificates.leaf_data.subject.common_name:%20%22DcRat%20Server%22&ref=awesome-censys-queries)

```dsl

services.tls.certificates.leaf_data.subject.common_name: "DcRat Server"

```

    References

- 

#### Deimos C2 [🔎 →](https://search.censys.io/search?resource=hosts&q=services.tls.certificates.leaf_data.subject_dn%3A+%22C%3DUS%2C+ST%3DMinnesota%2C+L%3DMinnetonka%2C+O%3DPajfds%2C+OU%3DJethpro%2C+CN%3DP18055077%22&ref=awesome-censys-queries)

```dsl

same_service((services.http.response.html_title="Deimos C2" or services.tls.certificates.leaf_data.subject.organization="Acme Co") and services.port: 8443)

```

    References

- 

- 

#### Posh C2 [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service((services.http.response.html_title%3D%22Deimos+C2%22+or+services.tls.certificates.leaf_data.subject.organization%3D%22Acme+Co%22)+and+services.port%3A+8443)&ref=awesome-censys-queries)

```dsl

services.tls.certificates.leaf_data.subject_dn: "C=US, ST=Minnesota, L=Minnetonka, O=Pajfds, OU=Jethpro, CN=P18055077"

```

    References

- 

- 

#### IcedID Banking Trojan [🔎 →](https://search.censys.io/search?resource=hosts&q=services.tls.certificates.leaf_data.subject_dn:%20%22CN=localhost,%20C=AU,%20ST=Some-State,%20O=Internet%20Widgits%20Pty%20Ltd%22&ref=awesome-censys-queries)

```dsl

services.tls.certificates.leaf_data.subject_dn: "CN=localhost, C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"

```

    References

- 

- 

#### Gozi Malware [🔎 →](https://search.censys.io/search?resource=hosts&q=services.tls.certificates.leaf_data.issuer_dn%3A+%22C%3DXX%2C+ST%3D1%2C+L%3D1%2C+O%3D1%2C+OU%3D1%2C+CN%3D%5C*%22&ref=awesome-censys-queries)

```dsl

services.tls.certificates.leaf_data.issuer_dn: "C=XX, ST=1, L=1, O=1, OU=1, CN=\*"

```

    References

- 

#### Pupy RAT C2 [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service%28services.http.response.headers.Etag%3D%22%5C%22aa3939fc357723135870d5036b12a67097b03309%5C%22%22+AND+services.http.response.headers.Server%3D%22nginx%2F1.13.8%22%29+OR+same_service%28services.tls.certificates.leaf_data.issuer.organization%3A%2F%5Ba-zA-Z%5D%7B10%7D%2F+AND++services.tls.certificates.leaf_data.subject.organization%3A%2F%5Ba-zA-Z%5D%7B10%7D%2F+AND+services.tls.certificates.leaf_data.subject.organizational_unit%3D%22CONTROL%22%29&ref=awesome-censys-queries)

```dsl

same_service(services.http.response.headers.Etag="\"aa3939fc357723135870d5036b12a67097b03309\"" and services.http.response.headers.Server="nginx/1.13.8") or same_service(services.tls.certificates.leaf_data.issuer.organization:/[a-zA-Z]{10}/ and  services.tls.certificates.leaf_data.subject.organization:/[a-zA-Z]{10}/ and services.tls.certificates.leaf_data.subject.organizational_unit="CONTROL")

```

> **Note**: This search uses regex and requires a paid account.

    References

- 

#### Responder Server [🔎 →](https://search.censys.io/search?resource=hosts&q=services.banner%3D%22HTTP%2F1.1+401+Unauthorized%5Cr%5CnServer%3A+Microsoft-IIS%2F7.5%5Cr%5CnDate%3A++%3CREDACTED%3E%5Cr%5CnContent-Type%3A+text%2Fhtml%5Cr%5CnWWW-Authenticate%3A+NTLM%5Cr%5CnContent-Length%3A+0%5Cr%5Cn%22&ref=awesome-censys-queries)

```dsl

services.banner="HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/7.5\r\nDate:  \r\nContent-Type: text/html\r\nWWW-Authenticate: NTLM\r\nContent-Length: 0\r\n"

```

    References

- 

- 

#### Titan Stealer C2 [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.body%3A+%22Titan+Stealer%22&ref=awesome-censys-queries)

```dsl

services.http.response.body: "Titan Stealer"

```

    References

- 

#### Open Directory Listing Host with Suspicious File Names in their Contents [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service%28%28services.http.response.html_title%3A%22Index+of+%2F%22+or+services.http.response.html_title%3A%22Directory+Listing+for+%2F%22%29+and+services.http.response.body%3A+%2F.*%3F%28cve%7Cmetasploit%7Ccobaltstrike%7Csliver%7Ccovenant%7Cbrc4%7Cbrute-ratel%7Ccommander-runme%7Cbruteratel%7Cps2exe%7C%28badger%7Cshellcode%7Csc%7Cbeacon%7Cartifact%7Cpayload%7Cteamviewer%7Canydesk%7Cmimikatz%7Ccs%7Crclone%29%5C.%28exe%7Cps1%7Cvbs%7Cbin%7Cnupkg%29%29.*%2F%29&ref=awesome-censys-queries)

```dsl

same_service(

    (services.http.response.html_title:"Index of /" or services.http.response.html_title:"Directory Listing for /")

    and services.http.response.body: /.*?(cve|metasploit|cobaltstrike|sliver|covenant|brc4|brute-ratel|commander-runme|bruteratel|ps2exe|(badger|shellcode|sc|beacon|artifact|payload|teamviewer|anydesk|mimikatz|cs|rclone)\.(exe|ps1|vbs|bin|nupkg)).*/

)

```

> **Note**: This search uses regex and requires a paid account.

#### Splunk [🔎 →](https://search.censys.io/search?resource=hosts&q=services.software.product%3A+%22Splunk%22&ref=awesome-censys-queries)

```dsl

services.software.product: "Splunk"

```

    References

- 

### Databases

#### Exposed CouchDB Servers [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.body%3A+%27%22couchdb%22%3A+%22Welcome%22%27&ref=awesome-censys-queries)

```dsl

services.http.response.body: '"couchdb": "Welcome"'

```

    References

- 

### Dashboards

#### cAdvisor Dashboards [🔎 →](https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=same_service%28services.http.response.html_title%3D%60cAdvisor+-+%2F%60+and+services.http.response.status_code%3D200+and+services.http.request.uri%3D%22*%2Fcontainers%2F%22%29&ref=awesome-censys-queries)

```dsl

same_service(services.http.response.html_title=`cAdvisor - /` and services.http.response.status_code=200 and services.http.request.uri="*/containers/")

```

    References

- 

#### HashiCorp Consul Dashboards [🔎 →](https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=same_service%28services.http.response.html_title%3D%60Consul+by+HashiCorp%60+and+services.http.request.uri%3A+%22*%2Fui%2F%22%29&ref=awesome-censys-queries)

```dsl

same_service(services.http.response.html_title=`Consul by HashiCorp` and services.http.request.uri: "*/ui/")

```

    References

- 

#### Netdata Dashboards [🔎 →](https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=same_service%28services.http.response.headers.Server%3D%22Netdata+Embedded+HTTP*%22+and+services.http.response.html_title%3D%22netdata+dashboard%22%29&ref=awesome-censys-queries)

```dsl

same_service(services.http.response.headers.Server="Netdata Embedded HTTP*" and services.http.response.html_title="netdata dashboard")

```

    References

- 

#### Rancher Dashboards [🔎 →](https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=same_service%28services.http.response.headers.unknown.name%3A+%22X-Rancher-Version%22+and+services.http.response.html_title%3A+%22Loading%26hellip%3B%22%29&ref=awesome-censys-queries)

```dsl

same_service(services.http.response.headers.unknown.name: "X-Rancher-Version" and services.http.response.html_title: "Loading…")

```

#### Traefik Dashboards [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service%28services.http.request.uri%3A+%22*%2Fdashboard%2F%22+and+services.http.response.html_title%3A+%22Traefik%22%29&ref=awesome-censys-queries)

```dsl

same_service(services.http.request.uri: "*/dashboard/" and services.http.response.html_title: "Traefik")

```

    References

- 

#### Weave Scope [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service%28services.http.response.html_title%3A+%22Weave+Scope%22+and+services.http.response.body%3D%22*WEAVEWORKS_CSRF*%22%29&ref=awesome-censys-queries)

```dsl

same_service(services.http.response.html_title: "Weave Scope" and services.http.response.body="*WEAVEWORKS_CSRF*")

```

    References

- 

### Game Servers

#### Counter-Strike Gameservers [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service%28banner%3A+%22Counter-Strike%22+and+service_name%3A+VALVE%29&ref=awesome-censys-queries)

```dsl

same_service(banner: "Counter-Strike" and service_name: VALVE)

```

#### FiveM [🔎 →](https://search.censys.io/search?resource=hosts&q=services%3A+%28port%3A+30120+and+http.response.headers%3A+%28key%3A+"Location"+and+value.headers%3A+"https%3A%2F%2Fcfx.re%2Fjoin%2F*"%29%29&ref=awesome-censys-queries)

```dsl

services: (port: 30120 and http.response.headers: (key: "Location" and value.headers: "https://cfx.re/join/*"))

```

### Media Servers

#### Plex Media Server [🔎 →](https://search.censys.io/search?resource=hosts&q=services.software.vendor%3A+%22Plex%22&ref=awesome-censys-queries)

```dsl

services.software.vendor: "Plex"

```

    References

- 

#### MythWeb [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.request.uri%3A+%22mythweb%22&ref=awesome-censys-queries)

```dsl

services.http.request.uri: "mythweb"

```

    Screenshot

    

    References

- 

### Random Services

#### Hosts emitting GNSS payloads [🔎 →](https://search.censys.io/search?resource=hosts&q=services.banner%3A+%22%24GPRMC%22&ref=awesome-censys-queries)

```dsl

services.banner: "$GPRMC"

```

#### Directory Listing [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.html_title%3A+%22Index+of+%2F%22&ref=awesome-censys-queries)

```dsl

services.http.response.html_title: "Index of /"

```

#### Swagger UI [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.html_title%3A+%22Swagger+UI+-+%22&ref=awesome-censys-queries)

```dsl

services.http.response.html_title: "Swagger UI - "

```

    Screenshot

    

    References

- 

#### Mongo Express Admin Interface [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.html_title%3A+%22Home+-+Mongo+Express%22&ref=awesome-censys-queries)

```dsl

services.http.response.html_title: "Home - Mongo Express"

```

    References

- 

#### shell2http [🔎 →](https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=INCLUDE&q=services.http.response.html_title%3A+%22shell2http%22&ref=awesome-censys-queries)

```dsl

services.http.response.html_title: "shell2http"

```

#### Busybox Shells [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service%28services.banner%3A+%22Enter+%27help%27+for+a+list+of+built-in+commands%22+and+services.service_name%3A+TELNET%29+and+services.truncated%3A+false&ref=awesome-censys-queries)

```dsl

same_service(services.banner: "Enter 'help' for a list of built-in commands" and services.service_name: TELNET) and services.truncated: false

```

    Screenshot

    

#### Unauthenticated Redis Servers [🔎 →](https://search.censys.io/search?resource=hosts&q=services.redis.ping_response%3A+%22PONG%22&ref=awesome-censys-queries)

```dsl

services.redis.ping_response: "PONG"

```

#### Misconfigured Kubernetes Installations [🔎 →](https://search.censys.io/search?resource=hosts&q=services.kubernetes.pod_names%3A+*&ref=awesome-censys-queries)

```dsl

services.kubernetes.pod_names: *

```

#### Misconfigured WordPress [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.body%3A+%22The+wp-config.php+creation+script+uses+this+file%22&ref=awesome-censys-queries)

```dsl

services.http.response.body: "The wp-config.php creation script uses this file"

```

#### Unconfigured AdGuard [🔎 →](https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=same_service%28services.http.response.html_title%3A+%22Setup+AdGuard+Home%22+and+services.http.request.uri%3D%22*%2Finstall.html%22%29&ref=awesome-censys-queries)

```dsl

same_service(services.http.response.html_title: "Setup AdGuard Home" and services.http.request.uri="*/install.html")

```

    References

- 

#### Prometheus Node Exporters [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service%28services.http.response.html_title%3A+%22node+exporter%22+and+services.http.response.body%3A+%22%2Fmetrics%22%29&ref=awesome-censys-queries)

```dsl

same_service(services.http.response.html_title: "node exporter" and services.http.response.body: "/metrics")

```

#### VictoriaMetrics Agent [🔎 →](https://search.censys.io/search?resource=hosts&q=services.http.response.body%3A+%22%3Ch2%3Evmagent%3C%2Fh2%3E%22&ref=awesome-censys-queries)

```dsl

services.http.response.body: "
vmagent"

```

    Screenshot

    

    References

- 

#### SonarQube [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service%28http.response.html_title%3A+%22SonarQube%22+and+http.response.status_code%3A+200+and+http.response.protocol%09%3A+%22HTTP%2F1.1%22%29&ref=awesome-censys-queries)

```dsl

same_service(http.response.html_title: "SonarQube" and http.response.status_code: 200 and http.response.protocol: "HTTP/1.1")

```

    References

- 

### Advanced Queries

#### IPv6 Hosts [🔎 →](https://search.censys.io/search?resource=hosts&q=ip%3A%222001%3A%3A%2F3%22&ref=awesome-censys-queries)

```dsl

ip:"2001::/3"

```

#### Honeypots Hosts [🔎 →](https://search.censys.io/search?resource=hosts&q=services.truncated%3A+true&ref=awesome-censys-queries)

```dsl

services.truncated: true

```

#### North Korean Hosts [🔎 →](https://search.censys.io/search?resource=hosts&q=location.country%3A+%22North+Korea%22&ref=awesome-censys-queries)

```dsl

location.country: "North Korea"

```

#### Hosts that identify as US government or military [🔎 →](https://search.censys.io/search?resource=hosts&q=dns.names%3A+*.gov+or+dns.names%3A+*.mil+or+name%3A+*.gov+or+name%3A+*.mil&ref=awesome-censys-queries)

```dsl

dns.names: *.gov or dns.names: *.mil or name: *.gov or name: *.mil

```

#### Services Listening on 53 that are not DNS [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service%28services.port%3A+53+and+not+services.service_name%3A+DNS%29+and+services.truncated%3A+false&ref=awesome-censys-queries)

```dsl

same_service(services.port: 53 and not services.service_name: DNS) and services.truncated: false

```

> Alternative syntax without the `services.` prefix inside the `same_service` function:

>

> ```dsl

> same_service(port: 53 and not service_name: DNS) and services.truncated: false

> ```

#### Non-Standard Services Listening on Common Ports [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service%28services.port%3A+%7B21%2C+22%2C+80%7D+and+not+services.service_name%3A+%7BHTTP%2C+SSH%2C+FTP%2C+UNKNOWN%7D%29+and+services.truncated%3A+false&ref=awesome-censys-queries)

```dsl

same_service(services.port: {21, 22, 80} and not services.service_name: {HTTP, SSH, FTP, UNKNOWN}) and services.truncated: false

```

#### Services Listening on Port 22 that are not SSH [🔎 →](https://search.censys.io/search?resource=hosts&q=same_service%28not+services.service_name%3A+%7BSSH%7D+and+services.port%3A+22+and+not+services.banner%3A+%7B%22Connection+refused%22%2C+%22SSH-%22%2C+%22Exceeded+MaxStartups%22%2C+%22Too+many+users%22%2C+%22Connection+closed+by+server%22%7D%29+and+services.truncated%3A+false&ref=awesome-censys-queries)

```dsl

same_service(services.port: 22 and not services.service_name: {SSH} and not services.banner: {"Connection refused", "SSH-", "Exceeded MaxStartups", "Too many users", "Connection closed by server"}) and services.truncated: false

```

#### Services Listening on 80 or 443 that are not HTTP or HTTPS (or UNKNOWN with TLS) [🔎 →](https://search.censys.io/search?resource=hosts&q=not+same_service%28services.port%3A+443+and+services.name%3A+UNKNOWN+and+services.tls.certificates.leaf_data.subject_dn%3A+*+%29+and+same_service%28services.port%3A+%7B80%2C+443%7D+and+not+services.service_name%3A+%7BKUBERNETES%2C+ANYCONNECT%2C+OPENVPN%2C+HTTP%7D+and+not+services.banner%3A+%E2%80%9CHTTP%2F%E2%80%9D+%29++and+services.truncated%3A+false&ref=awesome-censys-queries)

```dsl

not same_service(services.port: 443 and services.name: UNKNOWN and services.tls.certificates.leaf_data.subject_dn: *) and same_service(services.port: {80, 443} and not services.service_name: {KUBERNETES, ANYCONNECT, OPENVPN, HTTP} and not services.banner: “HTTP/”) and services.truncated: false

```

## Credits

- [jakejarvis/awesome-shodan-queries](https://github.com/jakejarvis/awesome-shodan-queries)

- [woj-ciech/Kamerka-GUI](https://github.com/woj-ciech/Kamerka-GUI)

- [salesforce/jarm](https://github.com/salesforce/jarm)

- [cedowens/C2-JARM](https://github.com/cedowens/C2-JARM)

- [emilyaustin/censys-resources](https://github.com/emilyaustin/censys-resources)

- [drb-ra](https://github.com/drb-ra)

- [The State of SSL/TLS Certificate Usage in Malware C&C Communications](https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf)

- [Hunting C2 - Michael Koczwara](https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f)

## License

[![CC0](http://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg)](https://creativecommons.org/publicdomain/zero/1.0/)

## Star History

[![Star History Chart](https://api.star-history.com/svg?repos=thehappydinoa/awesome-censys-queries&type=Date)](https://star-history.com/#thehappydinoa/awesome-censys-queries&Date)