Awesome Censys Queries

A collection of fascinating and bizarre Censys Search queries.

Contributing

Found an awesome query? Submit it here

Interested in contributing in another way? See the contributing guidelines

Industrial Control Systems
Internet of Things Devices
Security Applications
Databases
Game Servers
Random Services

Industrial Control Systems

Prismview (Samsung Electronic Billboards) →

services.tls.certificates.leaf_data.subject.common_name: "Prismview" or services.http.response.headers.server: "Prismview Player"

Screenshot

Gas Station Pump Controllers (ATGs) →

(same_service(port: 10001 and banner: "IN-TANK INVENTORY")
or services.service_name: ATG) and services.truncated: false

Screenshot

Electric Vehicle Chargers →

same_service(http.response.headers.server: "gSOAP/2.8" and http.response.headers.content_length: 583)

Carel PlantVisor →

services.http.response.html_title: "CAREL Pl@ntVisor"

C4 Max Vehicle GPS →

services.banner: "[1m[35mWelcome on console"

GaugeTech Electricity Meters →

services.http.response.headers.server: "EIG Embedded Web Server"

Screenshot

Internet of Things Devices

Roombas →

services.tls.certificates.leaf_data.issuer.common_name: "Roomba CA"

Mein Automowers →

services.http.response.headers.Www_Authenticate: `Basic realm= "Mein Automower (Robonect Hx+)"`

WinAQMS Environmental Monitor →

services.banner: "WinAQMS Data Server" and services.truncated: false

Emerson Site Supervisor →

services.http.response.html_title: "Emerson Site Supervisor"

Screenshot

Nethix Wireless Controller →

services.http.response.headers.set_cookie: "NethixSession"

Security Applications

Cobalt Strike Servers →

services.certificate: {
    "64257fc0fac31c01a5ccd816c73ea86e639260da1604d04db869bb603c2886e6",
    "87f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c"
}
or services.tls.certificates.leaf_data.issuer.common_name: "Major Cobalt Strike"
or services.tls.certificates.leaf_data.subject.common_name: "Major Cobalt Strike"
or services.jarm.fingerprint: {
    "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1",
    "07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2"
}

Metasploit Servers →

services.http.response.html_title: "Metasploit" and (
    services.tls.certificates.leaf_data.subject.organization: "Rapid7"
    or services.tls.certificates.leaf_data.subject.common_name: "MetasploitSelfSignedCA"
)
or services.jarm.fingerprint: {
    "07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d",
    "07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823"
}

Nessus Scanner Servers →

services.http.response.headers.server: "NessusWWW"
or services.tls.certificates.leaf_data.subject.organizational_unit: "Nessus Server"

NTOP Network Analyzers →

services.http.response.html_title: "Welcome to ntopng"
or same_service(
    services.http.response.html_title: "Global Traffic Statistics"
    and services.http.response.headers.server: "ntop/*"
)

Merlin C2 →

services.jarm.fingerprint: "29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38"

Mythic C2 →

same_service(port: 7443 and tls.certificates.leaf_data.subject.organization: "Mythic")

Note: When using the same_service operator, the initial services. prefix is optional.

Deimos C2 →

services.jarm.fingerprint: "00000000000000000041d00000041d9535d5979f591ae8e547c5e5743e5b64"

Covenant C2 →

same_service(http.response.body: "Blazor" and tls.certificates.leaf_data.issuer.common_name: "Covenant")

EvilGinx2 →

services.jarm.fingerprint: "20d14d20d21d20d20c20d14d20d20daddf8a68a1444c74b6dbe09910a511e6"

Databases

Exposed CouchDB Servers →

services.http.response.body: '"couchdb": "Welcome"'

Game Servers

Counter-Strike: Global Offensive →

same_service(banner: "Counter-Strike: Global Offensive Server" and service_name: VALVE)

Random Services

shell2http →

services.http.response.html_title: "shell2http"

Busybox Shells →

same_service(services.banner: "Enter 'help' for a list of built-in commands" and services.service_name: TELNET) and services.truncated: false

Screenshot

Services Listening on Port 22 that are not SSH →

same_service(
    not services.service_name: {SSH}
    and services.port: 22
    and not services.banner: {"Connection refused", "SSH-", "Exceeded MaxStartups", "Too many users", "Connection closed by server"}
)
and services.truncated: false

Services Listening on 80 or 443 that are not HTTP or HTTPS (or UNKNOWN with TLS) →

not same_service(
    services.port: 443
    and services.name: UNKNOWN
    and services.tls.certificates.leaf_data.subject_dn: *
)
and same_service(
    services.port: {80, 443}
    and not services.service_name: {KUBERNETES, ANYCONNECT, OPENVPN, HTTP}
    and not services.banner: “HTTP/”
)
and services.truncated: false

Services Listening on 53 that are not DNS →

same_service(services.port: 53 and not services.service_name: DNS) and services.truncated: false

Unauthenticated Redis Servers →

services.redis.ping_response: "PONG"

Misconfigured Kubernetes Installations →

services.kubernetes.pod_names: *

Directory Listing →

services.http.response.html_title: "Index of /"

Hosts that identify as US government or military →

dns.names: *.gov or dns.names: *.mil or name: *.gov or name: *.mil

Hosts emitting GNSS payloads →

services.banner: "$GPRMC"

Mongo Express Admin Interface →

services.http.response.html_title: "Home - Mongo Express"

Misconfigured WordPress →

services.http.response.body: "The wp-config.php creation script uses this file"

North Korean Hosts →

location.country: "North Korea"

Honepots Hosts →

services.truncated: true

Traefik Dashboards →

same_service(services.http.request.uri: "*/dashboard/" and services.http.response.html_title: "Traefik")

Weave Scope →

same_service(services.http.response.html_title: "Weave Scope" and services.http.response.body="*WEAVEWORKS_CSRF*")

Prometheus Node Exporters →

same_service(services.http.response.html_title: "node exporter" and services.http.response.body: "/metrics")

VictoriaMetrics VMAgent →

services.http.response.body: "<h2>vmagent</h2>"

SonarQube →

same_service(
    http.response.html_title: "SonarQube"
    and http.response.status_code: 200
    and http.response.protocol: "HTTP/1.1"
)

soufianely / awesome-censys-queries Goto Github PK

awesome-censys-queries's Introduction

Awesome Censys Queries

Contributing

Table of Contents

Industrial Control Systems

Prismview (Samsung Electronic Billboards) →

Gas Station Pump Controllers (ATGs) →

Electric Vehicle Chargers →

GaugeTech Electricity Meters →

Internet of Things Devices

Roombas →

Mein Automowers →

WinAQMS Environmental Monitor →

Security Applications

Cobalt Strike Servers →

Metasploit Servers →

Nessus Scanner Servers →

NTOP Network Analyzers →

Databases

Game Servers

Counter-Strike: Global Offensive →

Random Services

shell2http →

Busybox Shells →

Services Listening on Port 22 that are not SSH →

Services Listening on 80 or 443 that are not HTTP or HTTPS (or UNKNOWN with TLS) →

Services Listening on 53 that are not DNS →

Unauthenticated Redis Servers →

Misconfigured Kubernetes Installations →

Directory Listing →

Hosts that identify as US government or military →

Hosts emitting GNSS payloads →

Misconfigured WordPress →

North Korean Hosts →

Honepots Hosts →

Prometheus Node Exporters →

License

Credits

awesome-censys-queries's People

Contributors

Watchers

Recommend Projects

Recommend Topics

Recommend Org

Jobs