ZoomEye

ZoomEye is a cyberspace search engine focused on discovering vulnerabilities and internet-connected devices. Requires API credentials or web interface access.

Getting Started

Web Interface

Visit https://www.zoomeye.org/
Register free account (limited queries)
Premium account for advanced features

API Key Setup

# Get API key from settings at https://www.zoomeye.org/api
export ZOOMEYE_API_KEY="your_api_key_here"

# Test API access
curl -H "Authorization: JWT $ZOOMEYE_API_KEY" https://api.zoomeye.org/user/info

Basic Search Syntax

Search Type	Syntax	Example
Hostname	`hostname:example.com`	`hostname:github.com`
IP address	`ip:1.2.3.4`	`ip:8.8.8.8`
Port	`port:22`	`port:3306`
Service/Banner	`service:ssh`	`service:apache`
Organization	`org:google`	`org:microsoft`
Country	`country:US`	`country:CN`
Autonomous System	`asn:65001`	`asn:8075`
CIDR range	`ip:10.0.0.0/24`	`ip:192.168.0.0/16`
Keyword	`keyword:admin`	`keyword:jenkins`

Web Interface Queries

Finding Vulnerable Devices

# Exposed Redis instances (port 6379)
port:6379

# Elasticsearch clusters
port:9200 service:elasticsearch

# Exposed Jenkins instances
keyword:jenkins

# Exposed Docker API
port:2375 service:docker

# Exposed Kubernetes dashboard
keyword:kubernetes port:10250

# Exposed MongoDB
port:27017 service:mongodb

# Exposed MySQL
port:3306 service:mysql

# RDP accessible
port:3389

# Exposed Grafana
keyword:grafana port:3000

Organization/ASN Reconnaissance

# Find all devices for organization
org:microsoft

# Find all services in autonomous system
asn:16509  # AWS AS number

# Specific organization and port
org:google port:22

# Organization and country filter
org:amazon country:US

# Devices in specific CIDR (if known)
ip:54.0.0.0/8

Service Enumeration

# Find specific service versions
service:apache version:2.4

# Search for specific application
service:nginx keyword:wordpress

# Find IIS servers
service:iis

# Find Apache Tomcat
service:tomcat

# Specific port with organization
port:8080 org:ibm

Vulnerability-Specific Searches

# Heartbleed-affected OpenSSL versions
service:openssl version:1.0

# Known vulnerable Struts versions
service:tomcat keyword:struts

# Unpatched web servers
service:apache version:2.2

# CVE-related (requires knowing expected signatures)
service:jboss port:8080

# Search for debug/admin interfaces
keyword:admin port:8000
keyword:debug port:8080

API Usage

Search via API

# Get API key first, then make requests

# Basic search
curl -H "Authorization: JWT $ZOOMEYE_API_KEY" \
  "https://api.zoomeye.org/host/search?query=port:22 org:example&page=1"

# Search with filters
curl -H "Authorization: JWT $ZOOMEYE_API_KEY" \
  "https://api.zoomeye.org/host/search?query=port:3306&page=1&facet=os"

# Get device details
curl -H "Authorization: JWT $ZOOMEYE_API_KEY" \
  "https://api.zoomeye.org/host/1.2.3.4"

# Certificate search (Web component)
curl -H "Authorization: JWT $ZOOMEYE_API_KEY" \
  "https://api.zoomeye.org/cert/search?query=example.com&page=1"

Python API Wrapper

#!/usr/bin/env python3
import requests
import json
import os

class ZoomEyeAPI:
    def __init__(self, api_key):
        self.api_key = api_key
        self.base_url = "https://api.zoomeye.org"
        self.headers = {"Authorization": f"JWT {api_key}"}

    def search(self, query, page=1, limit=20):
        """Search for hosts"""
        params = {
            "query": query,
            "page": page,
            "limit": limit
        }
        url = f"{self.base_url}/host/search"
        resp = requests.get(url, headers=self.headers, params=params)
        return resp.json()

    def get_ip_info(self, ip):
        """Get details for specific IP"""
        url = f"{self.base_url}/host/{ip}"
        resp = requests.get(url, headers=self.headers)
        return resp.json()

    def cert_search(self, query, page=1):
        """Search certificates"""
        params = {"query": query, "page": page}
        url = f"{self.base_url}/cert/search"
        resp = requests.get(url, headers=self.headers, params=params)
        return resp.json()

# Usage
api_key = os.getenv("ZOOMEYE_API_KEY")
zee = ZoomEyeAPI(api_key)

# Search for exposed databases
results = zee.search("port:3306 country:US", page=1)
print(json.dumps(results, indent=2))

# Get specific IP details
ip_info = zee.get_ip_info("8.8.8.8")
print(ip_info)

# Search certificates
certs = zee.cert_search("example.com")
print(certs)

Advanced Search Techniques

Dork-Style Queries

# Wide net for insecure services
port:22 keyword:root password

# Exposed admin panels
keyword:admin login password

# Version-specific vulnerabilities
service:apache version:2.0 port:80

# Exposed development tools
keyword:debug keyword:dev port:8000

# Misconfigured cloud instances
org:aws port:22 keyword:ubuntu

# Exposed credentials (be careful with these)
keyword:password port:8080

# Search combining multiple filters
port:3306 service:mysql org:startup country:US

# Find honeypots or testing infrastructure
keyword:honeypot keyword:test

Geolocation Filtering

# Find servers in specific countries
port:22 country:CN

# Multi-country search
port:3389 country:RU

# Exclude countries
port:22 -country:US

# By region
port:443 country:JP

# US organizations globally
org:microsoft -country:US

Advanced Operators

# AND operator (space)
port:22 service:openssh

# OR operator (|)
service:ssh | service:openssh

# Negation (-)
port:22 -country:CN

# Exact match
hostname:"example.com"

# Wildcard
hostname:*.example.com

# IP range
ip:1.2.3.0/24

# CIDR blocks
asn:65001

Reconnaissance Workflows

Target Organization Reconnaissance

#!/bin/bash
# Complete enumeration of target organization

ORG="target-company"
API_KEY=$ZOOMEYE_API_KEY

# Find all visible servers
curl -H "Authorization: JWT $API_KEY" \
  "https://api.zoomeye.org/host/search?query=org:$ORG&limit=100" > org_servers.json

# Find web servers
curl -H "Authorization: JWT $API_KEY" \
  "https://api.zoomeye.org/host/search?query=org:$ORG port:80 port:443" > web_servers.json

# Find mail servers
curl -H "Authorization: JWT $API_KEY" \
  "https://api.zoomeye.org/host/search?query=org:$ORG port:25 port:587" > mail_servers.json

# Find databases
curl -H "Authorization: JWT $API_KEY" \
  "https://api.zoomeye.org/host/search?query=org:$ORG port:3306 port:5432 port:27017" > databases.json

# Find potentially vulnerable services
curl -H "Authorization: JWT $API_KEY" \
  "https://api.zoomeye.org/host/search?query=org:$ORG service:redis" > insecure_services.json

# Extract summary
echo "=== Servers by Port ==="
jq -r '.matches[] | "\(.ip) \(.port) \(.service)"' org_servers.json | sort -u

echo "=== Unique Services ==="
jq -r '.matches[] | .service' org_servers.json | sort | uniq -c

Vulnerability Hunting

#!/bin/bash
# Search for specific vulnerability patterns

API_KEY=$ZOOMEYE_API_KEY

# Search for potentially vulnerable configurations
declare -a VULN_QUERIES=(
  "service:tomcat port:8080"
  "service:jboss port:8080"
  "port:9200 service:elasticsearch"
  "port:6379 service:redis"
  "port:27017 service:mongodb"
  "port:3389 service:rdp country:US"
)

for query in "${VULN_QUERIES[@]}"; do
  echo "Searching: $query"
  curl -H "Authorization: JWT $API_KEY" \
    "https://api.zoomeye.org/host/search?query=${query// /+}" \
    | jq '.matches[0:3] | .[] | "\(.ip) \(.port) \(.service)"' \
    >> vuln_search_results.txt
done

echo "Results saved to vuln_search_results.txt"

ISP/ASN Enumeration

#!/bin/bash
# Enumerate large network blocks

API_KEY=$ZOOMEYE_API_KEY

# Common ASNs (examples)
ASNs=(
  "15169"  # Google
  "16509"  # AWS
  "8075"   # Alibaba
  "45839"  # Tencent
)

for asn in "${ASNs[@]}"; do
  echo "=== Enumerating ASN $asn ==="
  curl -H "Authorization: JWT $API_KEY" \
    "https://api.zoomeye.org/host/search?query=asn:$asn&limit=100&page=1" \
    | jq '.matches[] | {ip: .ip, port: .port, service: .service}' \
    | tee asn_${asn}.json
done

Rate Limiting & Ethics

API Limits

Free tier: 1,000 queries/month
Premium: 10,000-100,000 queries/month
Respect rate limits: ~10 req/sec
Implement delays between requests

import time
import requests

def respectful_search(api_key, query, delay=1):
    """Search with rate limiting"""
    headers = {"Authorization": f"JWT {api_key}"}
    url = "https://api.zoomeye.org/host/search"

    time.sleep(delay)  # Respect rate limits
    response = requests.get(
        url,
        headers=headers,
        params={"query": query}
    )
    return response.json()

Responsible Disclosure

Verify findings before reporting
Contact organizations before public disclosure
Give reasonable time for patching (90 days)
Follow CVSS/CVID guidelines
Never exploit vulnerabilities found

Common Issues

No Results Despite Valid Query

# Query might be too specific or no matches
# Try broader search first
port:3306

# Add limit for pagination
curl -H "Authorization: JWT $API_KEY" \
  "https://api.zoomeye.org/host/search?query=port:3306&limit=100&page=1"

# Check API quota
curl -H "Authorization: JWT $API_KEY" \
  https://api.zoomeye.org/user/info | jq '.plan'

Authentication Failures

# Verify API key
echo $ZOOMEYE_API_KEY

# Test with curl verbose
curl -v -H "Authorization: JWT $ZOOMEYE_API_KEY" \
  https://api.zoomeye.org/user/info

Resources

Last updated: 2026-03-30