General Rules
The search scope covers devices (IPv4, IPv6) and websites (domain names).
A bare search string is matched globally as a keyword against content from all protocols, such as HTTP, SSH and FTP.
Search strings are case-insensitive by default and are split into segments before matching.
Use == for exact matching with case sensitivity.
Always use quotation marks for search strings, e.g., "Cisco System". Use backslashes to escape characters if needed, e.g., "a\"b" or portinfo\(\).
Search Logic Operations
= – Search for assets containing the keyword
Example: title="knownsec"
== – Exact match (case-sensitive), supports empty values
Example: title=="knownsec"
|| – Logical OR
Example: service="ssh" || service="http"
&& – Logical AND
Example: device="router" && after="2020-01-01"
!= – Logical NOT
Example: country="US" && subdivisions!="new york"
() – Priority grouping
Example: (country="US" && port!=80) || (country="US" && title!="404 Not Found")
* – Fuzzy search
Example: title="google*"
Geographical Location Search
country="CN" – Search assets by country (use abbreviation or name, e.g. country="china")
subdivisions="beijing" – Search assets by administrative region (input in English)
city="changsha" – Search assets by city (input in English)
Certificate Search
ssl="google" – Search for assets with a given string in the SSL certificate (e.g., product/company name)
ssl.cert.fingerprint="..." – Search by certificate fingerprint
ssl.chain_count=3 – Search assets with a specific SSL chain count
ssl.cert.alg="SHA256-RSA" – Search by certificate signature algorithm
ssl.cert.issuer.cn="pbx.wildix.com" – Search by issuer common name
ssl.cert.pubkey.rsa.bits=2048 – Search by RSA public key bit length
ssl.cert.pubkey.type="RSA" – Search by public key type
ssl.cipher.version="TLSv1.3" – Search by cipher suite version
ssl.version="TLSv1.3" – Search by SSL version
ssl.cert.subject.cn="example.com" – Search by subject common name
ssl.jarm="..." – Search by JARM fingerprint
ssl.ja3s=... – Search by JA3S fingerprint
IP or Domain Name Search
ip="8.8.8.8" – Search for a specific IPv4 address
cidr="52.2.254.36/24" – Search for assets within a C-class IP range
org="Stanford University" – Search for assets belonging to an organization
asn=42893 – Search by ASN
port=80 – Search for assets running on a specific port
domain="baidu.com" – Search for domain or subdomain assets
http.header.server="Nginx" – Search by HTTP server header
http.header.status_code="200" – Search by HTTP status code
http.body="document" – Search by content in HTML body
Fingerprint Search
app="Cisco ASA SSL VPN" – Search for Cisco ASA-SSL-VPN devices
service="ssh" – Search for a specific service (http, ftp, ssh, telnet, etc.)
device="router" – Search by device type (router, switch, storage-misc, etc.)
os="RouterOS" – Search by operating system
industry="government" – Search by industry type
product="Cisco" – Search by product/component information
protocol="TCP" – Search by transport protocol
is_honeypot="True" – Filter honeypot assets
Time Filters
after="2020-01-01" && port="50050" – Search for assets discovered after a specific date
before="2020-01-01" && port="50050" – Search for assets discovered before a specific date
Other Filters
dig="baidu.com 220.181.38.148" – Search for assets containing specific dig results
vul.cve="CVE-2021-44228" – Search for assets affected by a specific CVE
iconhash="f3418a44..." – Search by icon MD5 hash
filehash="0b5ce08..." – Search by file hash (e.g., Gitlab parsed file data)
is_bugbounty=true – Filter assets that are part of a bug bounty program
is_changed=true – Filter assets that changed within the last 7 days
is_new=true – Filter assets newly discovered within the last 7 days
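Added example (not part of the original page and not ZoomEye code): a small Python helper that composes queries according to the quoting, escaping and grouping rules from General Rules and Search Logic Operations, shown building a query for newly seen assets tied to your own domain or certificate. The helper names are hypothetical, example.com is a constructed input, and doubling a literal backslash inside quotes is an assumption the page does not confirm.

```python
# Added example (not ZoomEye code): builds query strings that follow the
# quoting, escaping and grouping rules listed above. Names are hypothetical.
import re

OPERATORS = {"=", "==", "!="}
FIELD_RE = re.compile(r"^[a-z_][a-z0-9_.]*$")  # e.g. ssl.cert.subject.cn

def quote(value):
    # Page rule: always quote strings and backslash-escape a literal quote.
    # Assumption: a literal backslash is escaped by doubling it.
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

def term(field, value, op="="):
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator: {op!r}")
    if not FIELD_RE.match(field):
        raise ValueError(f"suspicious field name: {field!r}")
    if isinstance(value, bool):          # is_new=true (check before int)
        return f"{field}{op}{str(value).lower()}"
    if isinstance(value, int):           # port=80, asn=42893
        return f"{field}{op}{value}"
    return f"{field}{op}{quote(value)}"

def group(separator, parts):
    # The page does not state && / || precedence, so every group with more
    # than one member is parenthesized explicitly.
    parts = [p for p in parts if p]
    if not parts:
        raise ValueError("empty group")
    return parts[0] if len(parts) == 1 else "(" + separator.join(parts) + ")"

def all_of(*parts):
    return group(" && ", parts)

def any_of(*parts):
    return group(" || ", parts)

def new_exposure_query(domain, cert_cn):
    # Assets tied to our own domain or certificate, first seen in the last 7 days.
    return all_of(
        any_of(term("domain", domain), term("ssl.cert.subject.cn", cert_cn)),
        term("is_new", True),
    )

if __name__ == "__main__":
    print(new_exposure_query("example.com", "example.com"))  # constructed input
```

Routing every value through term() keeps a stray quote in an asset name or certificate field from closing the string early and changing the meaning of the rest of the query.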