forked from mathis2001/Dorking
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathCensysDorks.txt
224 lines (176 loc) · 6.88 KB
/
CensysDorks.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
##Industrial Control Systems
#Prismview (Samsung Electronic Billboards)
services.tls.certificates.leaf_data.subject.common_name: "Prismview" or services.http.response.headers.server: "Prismview Player"
#Gas Station Pump Controllers (ATGs)
(same_service(port: 10001 and banner: "IN-TANK INVENTORY") or services.service_name: ATG) and services.truncated: false
#Electric Vehicle Chargers
same_service(http.response.headers.server: "gSOAP/2.8" and http.response.headers.content_length: 583)
#Carel PlantVisor
services.http.response.html_title: "CAREL Pl@ntVisor"
#C4 Max Vehicle GPS
services.banner: "[1m[35mWelcome on console"
#GaugeTech Electricity Meters
services.http.response.headers.server: "EIG Embedded Web Server"
#XZERES Wind Turbine
services.http.response.html_title: "XZERES Wind"
#Note: This query works best with virtual hosts included.
##Internet of Things Devices
#Roombas
services.tls.certificates.leaf_data.issuer.common_name: "Roomba CA"
#Mein Automowers
services.http.response.headers.Www_Authenticate: `Basic realm= "Mein Automower (Robonect Hx+)"`
#WinAQMS Environmental Monitor
services.banner: "WinAQMS Data Server" and services.truncated: false
#Emerson Site Supervisor
services.http.response.html_title: "Emerson Site Supervisor"
#Nethix Wireless Controller
services.http.response.headers.set_cookie: "NethixSession"
##Security Applications
#Cobalt Strike Servers
services.certificate: {
"64257fc0fac31c01a5ccd816c73ea86e639260da1604d04db869bb603c2886e6",
"87f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c"
}
or services.tls.certificates.leaf_data.issuer.common_name: "Major Cobalt Strike"
or services.tls.certificates.leaf_data.subject.common_name: "Major Cobalt Strike"
or services.jarm.fingerprint: {
"07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1",
"07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2"
}
#Metasploit Servers
services.http.response.html_title: "Metasploit" and (
services.tls.certificates.leaf_data.subject.organization: "Rapid7"
or services.tls.certificates.leaf_data.subject.common_name: "MetasploitSelfSignedCA"
)
or services.jarm.fingerprint: {
"07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d",
"07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823"
}
#Nessus Scanner Servers
services.http.response.headers.server: "NessusWWW"
or services.tls.certificates.leaf_data.subject.organizational_unit: "Nessus Server"
NTOP Network Analyzers
services.http.response.html_title: "Welcome to ntopng"
or same_service(
services.http.response.html_title: "Global Traffic Statistics"
and services.http.response.headers.server: "ntop/*"
)
#Merlin C2
services.jarm.fingerprint: "29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38"
#Mythic C2
same_service(port: 7443 and tls.certificates.leaf_data.subject.organization: "Mythic")
#Note: When using the same_service operator, the initial services. prefix is optional.
#Deimos C2
services.jarm.fingerprint: "00000000000000000041d00000041d9535d5979f591ae8e547c5e5743e5b64"
#Covenant C2
same_service(
http.response.body: "Blazor"
and tls.certificates.leaf_data.issuer.common_name: "Covenant"
)
#EvilGinx2
services.jarm.fingerprint: "20d14d20d21d20d20c20d14d20d20daddf8a68a1444c74b6dbe09910a511e6"
#Splunk
services.software.product: "Splunk"
##Databases
#Exposed CouchDB Servers
services.http.response.body: '"couchdb": "Welcome"'
##Dashboards
#cAdvisor Dashboards
same_service(
services.http.response.html_title=`cAdvisor - /`
and services.http.response.status_code=200
and services.http.request.uri="*/containers/"
)
#HashiCorp Consul Dashboards
same_service(
services.http.response.html_title=`Consul by HashiCorp`
and services.http.request.uri: "*/ui/"
)
#Netdata Dashboards
same_service(
services.http.response.headers.Server="Netdata Embedded HTTP*"
and services.http.response.html_title="netdata dashboard"
)
#Rancher Dashboards
same_service(
services.http.response.headers.unknown.name: "X-Rancher-Version"
and services.http.response.html_title: "Loading…"
)
#Traefik Dashboards
same_service(
services.http.request.uri: "*/dashboard/"
and services.http.response.html_title: "Traefik"
)
#Weave Scope
same_service(
services.http.response.html_title: "Weave Scope"
and services.http.response.body="*WEAVEWORKS_CSRF*"
)
##Game Servers
#Counter-Strike: Global Offensive
same_service(banner: "Counter-Strike: Global Offensive Server" and service_name: VALVE)
##Media Servers
#Plex Media Server
services.http.response.headers.unknown.name: "X-Plex-Protocol"
##Random Services
#Hosts emitting GNSS payloads
services.banner: "$GPRMC"
#Directory Listing
services.http.response.html_title: "Index of /"
#Swagger UI
services.http.response.html_title: "Swagger UI - "
#Mongo Express Admin Interface
services.http.response.html_title: "Home - Mongo Express"
#shell2http
services.http.response.html_title: "shell2http"
#Busybox Shells
same_service(services.banner: "Enter 'help' for a list of built-in commands" and services.service_name: TELNET) and services.truncated: false
#Unauthenticated Redis Servers
services.redis.ping_response: "PONG"
#Misconfigured Kubernetes Installations
services.kubernetes.pod_names: *
#Misconfigured WordPress
services.http.response.body: "The wp-config.php creation script uses this file"
#Unconfigured AdGuard
same_service(
services.http.response.html_title: "Setup AdGuard Home"
and services.http.request.uri="*/install.html"
)
#Prometheus Node Exporters
same_service(services.http.response.html_title: "node exporter" and services.http.response.body: "/metrics")
#VictoriaMetrics VMAgent
services.http.response.body: "<h2>vmagent</h2>"
#SonarQube
same_service(
http.response.html_title: "SonarQube"
and http.response.status_code: 200
and http.response.protocol: "HTTP/1.1"
)
##Advanced Queries
#Honeypots Hosts
services.truncated: true
#North Korean Hosts
location.country: "North Korea"
#Hosts that identify as US government or military
dns.names: *.gov or dns.names: *.mil or name: *.gov or name: *.mil
#Services Listening on 53 that are not DNS
same_service(services.port: 53 and not services.service_name: DNS) and services.truncated: false
#Services Listening on Port 22 that are not SSH
same_service(
not services.service_name: {SSH}
and services.port: 22
and not services.banner: {"Connection refused", "SSH-", "Exceeded MaxStartups", "Too many users", "Connection closed by server"}
)
and services.truncated: false
#Services Listening on 80 or 443 that are not HTTP or HTTPS (or UNKNOWN with TLS)
not same_service(
services.port: 443
and services.name: UNKNOWN
and services.tls.certificates.leaf_data.subject_dn: *
)
and same_service(
services.port: {80, 443}
and not services.service_name: {KUBERNETES, ANYCONNECT, OPENVPN, HTTP}
and not services.banner: “HTTP/”
)
and services.truncated: false