ZoomEye, a leading cyberspace search engine, has updated its query syntax to provide more precise and flexible search capabilities. This guide consolidates the latest syntax rules from the official documentation, offering cybersecurity professionals a ready reference for asset discovery, attack surface mapping, and threat hunting.
Description
- The search scope covers devices (IPv4, IPv6) and websites (domain names).
- When you enter a search string, the system matches the keywords in "global" mode, covering content from protocols such as HTTP, SSH, FTP, etc. (e.g., HTTP/HTTPS headers, body, SSL certificate, title, and other protocol banners).
- The search string is case-insensitive and is matched after segmentation (the search results page provides a "segmentation" test function). Use == for exact, case-sensitive matching.
- Put search strings in quotation marks, e.g., "Cisco System" or 'Cisco System'.
- If the search string contains quotation marks, escape them with \, e.g., "a\"b".
- If the search string contains brackets, escape them with \, e.g., portinfo\(\).
1. Search Logic Operations
| Search logic | Description | Example | Result |
|---|---|---|---|
| = | Search for assets containing the keyword | title="knownsec" | Websites whose title contains "knownsec" |
| == | Exact match of the keyword (case sensitive); can also search for data with empty values | title=="knownsec" | Assets whose website title is exactly "knownsec" |
| \|\| | Logical "or" | service="ssh" \|\| service="http" | SSH or HTTP data |
| && | Logical "and" | device="router" && after="2020-01-01" | Routers updated after Jan 1, 2020 |
| != | Logical "not" | country="US" && subdivisions!="new york" | Data in the United States excluding New York |
| () | Priority processing (grouping) | (country="US" && port!=80) \|\| (country="US" && title!="404 Not Found") | US assets not on port 80, or US assets whose title is not "404 Not Found" |
| * | Fuzzy search, with * as the wildcard | title="google*" | Assets whose website title contains "google" followed by any characters |
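To make the quoting, escaping and operator rules above concrete, here is a small parser and evaluator for this query syntax. It is an added example for this guide, not ZoomEye's own code or API; it assumes that && binds tighter than || (the docs only say that () sets priority), approximates the documented segmentation matching of = as case-insensitive containment, and runs against two constructed asset records, so saved attack-surface-monitoring queries can be sanity-checked offline before they go into an automation job.

```python
import re
# Tokens: ( ) && || or `name op value`; value is "double"/'single'-quoted or bare (asn=42893).
# `\\.` consumes the backslash escapes the docs require inside values (\" and \( \)).
TOKEN_RE = re.compile(r'\s*(?:(?P<sym>\(|\)|&&|\|\|)|(?P<name>[\w.]+)\s*(?P<op>==|!=|=)\s*'
                      r'(?:"(?P<dq>(?:[^"\\]|\\.)*)"|\'(?P<sq>(?:[^\'\\]|\\.)*)\''
                      r'|(?P<bare>(?:[^\s()&|"\'\\]|\\.)+)))')
def tokenize(query):
    query, pos, toks = query.strip(), 0, []
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m: raise ValueError(f"bad syntax at offset {pos}: {query[pos:pos + 20]!r}")
        pos = m.end()
        if m.group("sym"): toks.append(m.group("sym")); continue
        raw = next(v for v in m.group("dq", "sq", "bare") if v is not None)  # whichever form matched
        toks.append(("filter", m.group("name").lower(), m.group("op"), re.sub(r"\\(.)", r"\1", raw)))
    return toks
def parse(query):  # recursive descent; && assumed to bind tighter than || (docs only say () sets priority)
    toks, pos = tokenize(query), [0]
    def peek(): return toks[pos[0]] if pos[0] < len(toks) else None
    def take(): tok = peek(); pos[0] += 1; return tok
    def factor():
        tok = take()
        if tok == "(":
            node = expr()
            if take() != ")": raise ValueError("missing ')'")
            return node
        if isinstance(tok, tuple): return tok
        raise ValueError(f"expected a filter or '(', got {tok!r}")
    def chain(op, sub):  # left-associative `sub (op sub)*`
        node = sub()
        while peek() == op: take(); node = (op, node, sub())
        return node
    expr = lambda: chain("||", lambda: chain("&&", factor))
    node = expr()
    if peek() is not None: raise ValueError(f"unexpected token {peek()!r}")
    return node
def matches(node, asset):  # evaluate a parsed query against one asset record (field -> string)
    if node[0] == "&&": return matches(node[1], asset) and matches(node[2], asset)
    if node[0] == "||": return matches(node[1], asset) or matches(node[2], asset)
    _, name, op, value = node
    field = str(asset.get(name, ""))
    if op == "==": return field == value  # exact and case-sensitive; the only op that matches an empty field
    # '=' is case-insensitive keyword matching (approximated here as containment), '*' the fuzzy
    # wildcard (title="google*" accepts anything after "google"), and '!=' negates that same test.
    pattern = ".*".join(re.escape(part) for part in value.lower().split("*"))
    return (re.search(pattern, field.lower()) is not None) == (op == "=")
ASSETS = [{"ip": "203.0.113.10", "country": "US", "port": "80", "title": "Google Search"},  # constructed
          {"ip": "203.0.113.11", "country": "US", "port": "443", "title": "404 Not Found"}]  # sample records
def search(query, assets=ASSETS): return [a["ip"] for a in assets if matches(parse(query), a)]
```

An unescaped bracket, e.g. title=portinfo(), is rejected with a ValueError, which is the behaviour the escaping rule above exists to avoid.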
2. Geographical Search
| Filter | Description | Tips |
|---|---|---|
| country="CN" | Search for assets in a country | Enter a country abbreviation or name, e.g. country="china" |
| subdivisions="beijing" | Search for assets in the specified administrative region | Enter the name in English, e.g. subdivisions="beijing" |
| city="changsha" | Search for assets in a city | Enter the name in English, e.g. city="changsha" |
3. Certificate Search
| Filter | Description | Tips |
|---|---|---|
| ssl="google" | Search for assets whose SSL certificate contains the string "google" | Often used to find targets by product name or company name |
| ssl.cert.fingerprint="F3C98F223D82CC41CF83D94671CCC6C69873FABF" | Search for assets by certificate fingerprint | |
| ssl.cert.issuer.cn="pbx.wildix.com" | Search by the common name (CN) of the certificate issuer | |
| ssl.cert.subject.cn="example.com" | Search by the common name (CN) of the certificate subject (holder) | |
| ssl.jarm="29d29d15d29d29d00029d29d29d29dea0f89a2e5fb09e4d8e099befed92cfa" | Search for assets by JARM fingerprint | |
| ssl.ja3s=45094d08156d110d8ee97b204143db14 | Search for assets by JA3S fingerprint | |
4. IP or Domain Name Related Information Search
| Filter | Description | Tips |
|---|---|---|
| ip="8.8.8.8" | Search for assets related to the specified IPv4 address | |
| ip="2600:3c00::f03c:91ff:fefc:574a" | Search for assets related to the specified IPv6 address | |
| cidr="52.2.254.36/24" | Search the class C (/24) range containing the IP | cidr="52.2.254.36/16" is the class B (/16) range of the IP; cidr="52.2.254.36/8" is the class A (/8) range |
| org="Stanford University" | Search for assets of the given organization | Used to locate IP assets of universities, institutions, and large Internet companies |
| isp="China Mobile" | Search for assets of the given network service provider | Can be combined with org data |
| asn=42893 | Search for IP assets in the given ASN (autonomous system number) | |
| port=80 | Search for assets with the given port | Currently does not support searching for targets with several specified ports open at once |
| hostname="google.com" | Search by the hostname of the IP | |
| domain="baidu.com" | Search for domain-related assets | Used to search domain and subdomain data |
| banner="FTP" | Search by protocol message content | Used for searching HTTP response header data |
| http.header="http" | Search by HTTP response header | Used for searching HTTP response header data |
| http.header_hash="27f9973fe57298c3b63919259877a84d" | Search by the hash calculated from the HTTP header | |
| http.header.server="Nginx" | Search by the Server field of the HTTP header | Used for searching the server data in HTTP response headers |
| http.header.version="1.2" | Search by the version number in the HTTP header | |
| http.header.status_code="200" | Search by HTTP response status code | Search for assets with HTTP status code 200 or other codes such as 302, 404, etc. |
| http.body="document" | Search by HTML body | |
| http.body_hash="84a18166fde3ee7e7c974b8d1e7e21b4" | Search by the hash calculated from the HTML body | |
5. Fingerprint Search
| Filter | Description | Tips |
|---|---|---|
| app="Cisco ASA SSL VPN" | Search for Cisco ASA SSL VPN devices | Entering a keyword such as "Cisco" in the search box shows suggestions for related apps |
| service="ssh" | Search for assets running the specified service protocol | Common service protocols include http, ftp, ssh, telnet, etc. (others are listed in the aggregation sidebar of the search results) |
| device="router" | Search for assets of the router device type | Common types include router, switch, storage-misc, etc. (others are listed in the aggregation sidebar of the search results) |
| os="RouterOS" | Search by operating system | Common systems include Linux, Windows, RouterOS, IOS, JUNOS, etc. (others are listed in the aggregation sidebar of the search results) |
| title="Cisco" | Search for data with "Cisco" in the HTML title | |
| industry="government" | Search for assets in the specified industry | Common industry types include technology, energy, finance, manufacturing, etc. (other types can be supplemented with org data) |
| product="Cisco" | Search for assets with "Cisco" in their component information | Supports searching by mainstream asset components |
| protocol="TCP" | Search for assets whose transport protocol is TCP | Common transport protocols include TCP, UDP, TCP6, SCTP |
| is_honeypot="True" | Filter for honeypot assets | |
6. Time-based Search
| Filter | Description | Tips |
|---|---|---|
| after="2020-01-01" && port="50050" | Search for assets updated after Jan 1, 2020 that have port 50050 | Time filters must be combined with other filters |
| before="2020-01-01" && port="50050" | Search for assets updated before Jan 1, 2020 that have port 50050 | Time filters must be combined with other filters |
7. Dig Search
| Filter | Description |
|---|---|
| dig="baidu.com 220.181.38.148" | Search for assets with matching dig (DNS resolution) content |
8. Vulnerability Search
| Filter | Description |
|---|---|
| vul.cve="CVE-2021-44228" | Search for assets related to the given CVE |
9. Iconhash Search
| Filter | Description | Tips |
|---|---|---|
| iconhash="f3418a443e7d841097c714d69ec4bcb8" | Search for assets whose icon has the given MD5 hash | This example searches for assets with the "google" icon |
| iconhash="1941681276" | Search for assets whose icon has the given MMH3 hash | This example searches for assets with the "amazon" icon |
10. Filehash Search
| Filter | Description | Tips |
|---|---|---|
| filehash="0b5ce08db7fb8fffe4e14d05588d49d9" | Search for assets by the hash of their parsed file data | This example searches for assets parsed as "Gitlab" |
11. BugBounty Related
| Filter | Description | Tips |
|---|---|---|
| is_bugbounty=true | Filter for bug bounty assets collected by ZoomEye | |
| bugbounty.source=all | Bug bounty data source | Possible values: "hackerone", "bugcrowd", "intigriti", "yeswehack", "openbugbounty", "all" |
| is_changed=true | Assets changed within the last 7 days | Includes both new and updated assets |
| is_new=true | Assets newly discovered within the last 7 days | |
Conclusion
The new ZoomEye query syntax brings much more flexibility and precision compared to earlier versions. By mastering these filters — ranging from certificates, ports, banners, IP ranges, to CVEs and bug bounty assets — analysts can perform deep reconnaissance and attack surface monitoring more effectively.
ZoomEye continues to evolve, so staying updated with syntax changes is crucial for maximizing its potential in security research and threat intelligence operations.