访问官网
GithubAwesome Censys Queries
A collection of fascinating and bizarre Censys Search queries.
Contributing
Found an awesome query? Submit it here
Interested in contributing in another way? See the contributing guidelines
Resources
Key
- 🔎 → - This icon will take you to the Censys Search results page for the query.
Table of Contents
- Industrial Control Systems
- Internet of Things Devices
- Security Applications
- Databases
- Dashboards
- Game Servers
- Media Servers
- Random Services
- Advanced Queries
Industrial Control Systems
Industrial Control System Protocols 🔎 →
services.service_name: {BACNET, CODESYS, EIP, FINS, FOX, IEC60870_5_104, S7, MODBUS}
Prismview (Samsung Electronic Billboards) 🔎 →
services.tls.certificates.leaf_data.subject.common_name: "Prismview" or services.http.response.headers.server: "Prismview Player"
Screenshot
Gas Station Pump Controllers (ATGs) 🔎 →
(same_service(port: 10001 and banner: "IN-TANK INVENTORY") or services.service_name: ATG) and services.truncated: false
Pro-Tip: Add
services.truncated: falseto your query to exclude honeypots (Hosts with 100+ services).
Screenshot
Electric Vehicle Chargers 🔎 →
same_service(http.response.headers.server: "gSOAP/2.8" and http.response.headers.content_length: 583)
Carel PlantVisor 🔎 →
services.http.response.html_title: "CAREL Pl@ntVisor"
References
C4 Max Vehicle GPS 🔎 →
services.banner: "[1m[35mWelcome on console"
GaugeTech Electricity Meters 🔎 →
services.http.response.headers.server: "EIG Embedded Web Server"
Screenshot
XZERES Wind Turbines 🔎 →
services.http.response.html_title: "XZERES Wind"
Note: This query works best with virtual hosts included.
Screenshot
Nordex Wind Turbine Farms 🔎 →
services.http.response.html_title: "Nordex Control" or services.tls.certificates.leaf_data.issuer.domain_component: "NORDEX-AG"
Saferoads VMS Signs 🔎 →
services.software: (vendor: "Saferoads" and product: "VMS")
References
Internet of Things Devices
Roombas 🔎 →
services.tls.certificates.leaf_data.issuer.common_name: "Roomba CA"
Mein Automowers 🔎 →
services.http.response.headers.Www_Authenticate: `Basic realm= "Mein Automower (Robonect Hx+)"`
WinAQMS Environmental Monitor 🔎 →
services.banner: "WinAQMS Data Server" and services.truncated: false
Emerson Site Supervisor 🔎 →
services.http.response.html_title: "Emerson Site Supervisor"
Screenshot
Brightsign Digital Sign 🔎 →
services.http.response.html_title: "'BrightSign®"
Elnet Power Meters 🔎 →
same_service(services.http.response.headers.Server="CAL1.0" and services.http.response.status_code: 200)
Screenshot
References
Nethix Wireless Controller 🔎 →
services.http.response.headers.set_cookie: "NethixSession"
References
Compromised Mikrotik Router 🔎 →
services.service_name: MIKROTIK_BW and services.pptp.hostname: "HACKED"
Security Applications
Cobalt Strike Servers 🔎 →
services.certificate: {
"64257fc0fac31c01a5ccd816c73ea86e639260da1604d04db869bb603c2886e6",
"87f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c"
}
or services.tls.certificates.leaf_data.issuer.common_name: "Major Cobalt Strike"
or services.tls.certificates.leaf_data.subject.common_name: "Major Cobalt Strike"
Metasploit Servers 🔎 →
services.http.response.html_title: "Metasploit" and (
services.tls.certificates.leaf_data.subject.organization: "Rapid7"
or services.tls.certificates.leaf_data.subject.common_name: "MetasploitSelfSignedCA"
)
or services.jarm.fingerprint: {
"07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d",
"07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823"
}
Nessus Scanner Servers 🔎 →
services.http.response.headers.server: "NessusWWW"
or services.tls.certificates.leaf_data.subject.organizational_unit: "Nessus Server"
