What is FOFA?
FOFA is a search engine for global cyberspace mapping belonging to Beijing Huashun Xin’an Technology Co., Ltd.
Through continuous active detection of global Internet assets, more than 4 billion assets and more than 350,000 fingerprint rules have been accumulated, identifying most software and hardware network assets. Asset data supports external presentation and application in various ways and can perform hierarchical portraits of assets based on IP.
URL: https://fofa.info
Result Page
You can click in the left column of the result page to automatically add syntax for data filtering. The classification includes:
Fingerprint Ranking, Type Statistics, Fid Ranking, Year, Country/Region Ranking, Category Ranking, Domain Ranking, IP Statistics, JARM Ranking, Port Ranking, Server Ranking, Protocol Ranking, Operating System Ranking, Title Ranking, Cloud Name Ranking, Certificate Subject Ranking, Certificate Validity Statistics, Asn Ranking, TCP/UDP Statistics, IPV4/IPV6 Statistics.
Asset Result Sample
Please click the “Web body” button to check the asset body.
You can also click the URL to see the page source.
Banner/header see below:
Click the button to see more certificate details.
IP View
Click the “IP View” button; you can see a refined portrait of the asset for this IP address, which includes:
Statistics Table
Click the button in the top right corner to switch. FOFA will statistics the asset in different ways:
Most of the data is directly clickable and automatically searched for syntax recognition.
Other Buttons
The result page has three buttons in the top right.
Collection Rules: You can save your query syntax to your favorite list.
Download Results: Download the result page assets from the website.
Registered user: 1F coin (Maximum of 10,000 results)/time
Member: Free Credit for 100 results/time
Senior Member: Free Credit for 10,000 results/time
Select your field: Default some fields, but you can add or delete them if necessary.
Use API: Search results can be pulled directly using the API, which is very friendly to FOFA engineers.
Query Description
FOFA now has more than 46 syntaxes. You can find the document on the homepage.
If the query keyword has no syntax or filter, it will default to search from HTML, HTTP header, and URL.
For more information, please follow: FOFA Homepage
This page will describe all the logic operators and syntax queries.
Logic Operator example:
Sample 1:
title="powered by" && title!="Discuz"
Description: title matching “powered by” and title mismatching “Discuz”
Sample 2:
body="content=WordPress" || (header="X-Pingback" && header="/xmlrpc.php" && body="/wp-includes/") && host="gov.com"
Description: Body matching “content=WordPress” or (header matching “X-Pingback” and header matching “/xmlrpc.php” and body matching “/wp-includes/”) and host matching “gov.com”
Fingerprint Introduction
Definition
FOFA’s fingerprint rule is an expression composed of one or more query syntaxes, which can also interpret as a chapter name. Click on it to direct you to the chapter you need.
The core capability of fingerprint rules is to help users search for fingerprint rule names without manually collecting asset features when combing assets. In addition, FOFA directly provides the association recommendation function during the search. At the same time, users can create custom rules for use, and the User can make the complex query syntax into a fingerprint rule for direct use.
You can find the fingerprint rule like:
Asset Type
There are two types of assets: Service and Subdomain. One IP address is bound to multiple hosts (host ports), and the content of each host is different.
Service: All protocols are called services. HTTP/HTTPS protocols do not contain HTML source code.
Subdomain: HTTP/HTTPS captured packets containing HTML source code and parsed other fields.
There are three ways to distinguish between two types of assets.
Method 1: You can directly use syntax type to query.
type="service"
type="subdomain"
We can use 80 port as an example:
port="80" && type="service"
port="80" && type="subdomain"
Mehod2: You can find the TYPE STATISTICS on the result page. See the figure below:
- If you did not find it, please click the button ”all”.
Method3: Check whether there is a website text button under each data. If there is a button, this data is a website. If there is no button, this data is a service.
Subdomain Asset
Service Asset
API Reference
An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software interface, that offers a service to other pieces of software. An API specification is a document or standard describing how to build or use such a connection or interface. A computer system that meets this standard is said to implement or expose an API. The term API may refer either to the specification or to the implementation.
For more FOFA API knowledge, please visit: FOFA API Reference
Query Interface:
curl -X GET "https://fofa.info/api/v1/search/all?email=your_email&key=your_key&qbase64=dGl0bGU9ImJpbmci"
Response example:
{
"error": false, // Error or not
"size": 8555, // Total query results
"page": 1, // page number
"mode": "extended",
"query": "title=\"bing\"", // Queries syntax
"results": [
[
"110.78.208.152",
"110.78.208.152",
"80"
],
[
"https://v.sxty.xyz",
"185.183.84.232",
"443"
],
[
"https://ss.summeres.site",
"8.9.11.105",
"443"
],
[
"https://www.bingarticles.info",
"172.67.147.25",
"443"
],
[
"173.249.199.131",
"173.249.199.131",
"80"
],
[
"https://47.87.148.124",
"47.87.148.124",
"443"
],
[
"155.94.140.98",
"155.94.140.98",
"80"
],
[
"50.114.56.7",
"50.114.56.7",
"80"
],
[
"155.94.184.229",
"155.94.184.229",
"80"
],
[
"https://hk.65mai.com",
"149.129.82.155",
"443"
]
]
}
Statistic Aggregation
curl -X GET "https://fofa.info/api/v1/search/stats?fields=title&qbase64=dGl0bGU9IueZvuW6piI%3D&email=your_email&key=your_key"
Response example:
{
"error": false,
"distinct": {
"ip": 41471,
"title": 29743
},
"aggs": {
"countries": [
],
"title": [
{
"count": 19398,
"name": "WordPress on Google Compute Engine – Just another WordPress site"
},
{
"count": 5134,
"name": "Google"
},
{
"count": 657,
"name": "경찰청 폴-안티스파이 3.0 - Google Play 앱"
},
{
"count": 564,
"name": "WordPress Multisite on Google Compute Engine – Just another WordPress site"
},
{
"count": 437,
"name": "Google Translate"
}
]
},
"lastupdatetime": "2022-09-27 17:00:00"
}
HOST Aggregation
curl -X GET "https://fofa.info/api/v1/host/78.48.50.249?email=your-email&key=your-key"
Response example:
{
"error": false,
"host": "78.48.50.249",
"ip": "78.48.50.249",
"asn": 6805,
"org": "Telefonica Germany",
"country_name": "Germany",
"country_code": "DE",
"protocol": [
"sip",
"http",
"https"
],
"port": [
5060,
8089,
7170,
443
],
"category": [
"CMS"
],
"product": [
"Synology-WebStation"
],
"update_time": "2022-05-24 12:00:00"
}
When the detail=true, default will have detail mode, Take cURL as an example:
curl -X GET "https://fofa.info/api/v1/host/78.48.50.249?detail=true&email=your-email&key=your-key"
Response example:
{
"error": false,
"host": "78.48.50.249",
"ip": "78.48.50.249",
"asn": 6805,
"org": "Telefonica Germany",
"country_name": "Germany",
"country_code": "DE",
"ports": [
{
"port": 8089,
"protocol": "http"
},
{
"port": 7170,
"protocol": "http"
},
{
"port": 443,
"protocol": "https",
"products": [
{
"product": "Synology-WebStation",
"category": "Content Management System (CMS)",
"level": 5,
"sort_hard_code": 2
}
]
},
{
"port": 5060,
"protocol": "sip"
}
],
"update_time": "2023-05-24 12:00:00"
}
Please let us know if you have any qestions.
Contact Email: service@baimaohui.net