Hosts search
The hosts search allows you to discover new assets and easily refine your search by clicking on their details (certificate, title, protocol, etc).
Hosts are machines or services exposed on the internet. If you want to retrieve subdomains, you probably want to take a look at the DNS page or use the subdomain enumeration API.
How to build my queries?
First, we recommend you try running the hosts sample query. As you can see, a search query is composed of one or more <field_name>:<value> conditions, such as host:*.example.com. You can always search by exact value (e.g. host:sub.example.com) on all fields, and also use a wildcard (*) in most of them.
If you are interested in a more advanced usage, you can use parentheses to group conditions.
host:*.example.com AND (protocol:"https" OR status_code:"400")
You can use wildcards (*) in almost all fields, e.g. as_number:"564*" AND protocol:http*. Double quotes can be omitted most of the time, except when the value you are looking for contains spaces, e.g. cert_subj_org:"Your Organization" or cert_subj_org:"*Your Organization*".
How many concurrent fields can I use?
The maximum number of fields you can use in your search query is related to your subscription plan. Higher plans can use more fields. It is the same when you use the API.
How is my quota impacted?
When you perform a search request, your quota is impacted. We recommend that you read the dedicated page.
How to speed up my searches?
Search queries usually take a few seconds at most, but they may take longer when they combine multiple fields or use multiple wildcards (*). When possible, narrow your search to a specific domain (e.g. host:*.example.com).
Page results export
You can retrieve the page results as a JSON file. This does not impact your quota as the data is already visible in the web UI.
Which search fields can I use?
| Field name | Description | Examples |
|---|---|---|
| host | The hostname. | host:*.example.com — host:sub.domain.com — host:sub.*.xyz — host:"*anything.com" |
| port | The port. You can also use the < and > operators for this field. | port:80 — port:84* — NOT port:84* AND port:8080 — host:*.example.com AND port<8080 |
| protocol | The protocol (e.g. smtp, dns, http, etc). | protocol:smtp — protocol:http* |
| headers | The response headers. In case of non http(s) protocols, the string returned by the server during the negotiation is used. Searches using this field may be slow and should always be prefixed by host:somevalue (see the example on the right). | host:*.example.com AND headers:"Set-Cookie: PHPSESSID=*; path=*" |
| status_code | The status code returned by the server. | NOT status_code:503 |
| technologies | The detected technologies. | technologies:jquery* — host:*.example.com AND NOT technologies:cloudflare |
| header_server_name | The server name (header) returned by the server. | header_server_name:nginx* AND port:8080 |
| favicon_hash | The murmur3 hash of the favicon. | favicon_hash:"3236809339" |
| status_code_message | The message associated with the status code and returned by the server. | status_code:"403" AND NOT status_code_message:"Forbidden" |
| status_code_range | The status code range (e.g. 200, 300, 400 or 500). | host:*.example.com AND status_code_range:200 |
| title | The web page title. | title:"Node Exporter" |
| cert_subj | The subject of the certificate returned by the server. | cert_subj:*.example.com |
| cert_issuer_cn | The issuer of the certificate returned by the server. | cert_issuer_cn:"Encryption Everywhere *" |
| cert_subj_org | The organization in the certificate subject returned by the server. | cert_subj_org:*some-company-name* |
| resolution | The hostname DNS resolution. Can be an IP address or a CNAME record. | resolution:"*.elb.us-east-1.amazonaws.com" — resolution:"103.21.*" |
| ip_country_code | The country code of the server IP address. | ip_country_code:US — ip_country_code:GE AND protocol:"http" |
| ip_city | The server IP address city (may not be accurate). | ip_city:"New Delhi" |
| ip_state | The server IP address state (may not be accurate). | ip_state:"Ohio" |
| analytics_tags | The web analytics tags detected on the web page. | analytics_tags:* — analytics_tags:some-value |
| as_name | The IP address AS name. | as_name:"TEAMINTERNET-AS*" |
| as_number | The IP address AS number. | NOT as_number:"13335" |
| content_length | The content length of the web server response. You can also use the < and > operators for this field. | host:*.example.com AND content_length<2000 |
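
The quoting, operator and host-prefix rules described on this page can be checked before a query is submitted, for example when monitoring your own organization's exposed hosts. The Python below is an added example, not code from this service: the `term` and `build` helpers and the `max_fields` limit are hypothetical names, it only joins conditions with AND, and counting each condition as one field toward the plan limit is an assumption.

```python
import re

# Field names copied from the table above; only port and content_length
# are documented as accepting the < and > operators.
FIELDS = {"host", "port", "protocol", "headers", "status_code", "technologies",
          "header_server_name", "favicon_hash", "status_code_message",
          "status_code_range", "title", "cert_subj", "cert_issuer_cn",
          "cert_subj_org", "resolution", "ip_country_code", "ip_city",
          "ip_state", "analytics_tags", "as_name", "as_number",
          "content_length"}
RANGE_FIELDS = {"port", "content_length"}


def term(field, value, op=":", negate=False):
    """Render one <field_name>:<value> condition, quoting when required."""
    value = str(value)
    if field not in FIELDS:
        raise ValueError(f"unknown field: {field}")
    if op not in (":", "<", ">") or (op != ":" and field not in RANGE_FIELDS):
        raise ValueError(f"operator {op!r} is not documented for {field}")
    if op != ":" and not value.isdigit():
        raise ValueError("range comparisons need a numeric value")
    if not value or '"' in value:
        # Escaping is not documented on the page, so refuse rather than guess.
        raise ValueError("empty value or embedded double quote")
    if op == ":" and re.search(r"\s", value):
        value = f'"{value}"'  # quotes are required when the value has spaces
    return ("NOT " if negate else "") + f"{field}{op}{value}"


def build(terms, max_fields):
    """AND the conditions together and lint them against the page's advice."""
    # Assumption: every condition counts as one field toward the plan limit.
    if not 0 < len(terms) <= max_fields:
        raise ValueError(f"need 1..{max_fields} conditions, got {len(terms)}")
    # Headers searches should be prefixed by host:, so host conditions go first.
    ordered = sorted(terms, key=lambda t: not t.startswith("host:"))
    warnings = []
    if any(re.match(r"(NOT )?headers:", t) for t in ordered) \
            and not ordered[0].startswith("host:"):
        warnings.append("headers search without a host: condition may be slow")
    if sum(t.count("*") for t in ordered) > 1:
        warnings.append("multiple wildcards may slow the search")
    return " AND ".join(ordered), warnings
```

`build` returns the query string together with a list of warnings, so a caller can decide whether to send a slow query or tighten it first.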