loading
loading
Network
Quickly discover exposed hosts on the internet using multiple search engines.
overview
uncover queries multiple internet search engines with one CLI so a single hunt expression can return hosts from Censys, Fofa, Quake, and related sources.
JSON output and field selection make it easy to feed IPs or hostnames into httpx or nmap without hand-parsing engine-specific formats.
Use it when you want passive exposure data from search engines rather than scanning the whole internet yourself.
use cases
Query Shodan or Censys for an org's exposed services and pull back the matching ips and ports, all sourced passively from the engines' own data.
Run the same search through Shodan, FOFA, Quake, and ZoomEye in a single node so coverage compounds across each provider's index.
Emit JSONL and choose the ip:port field so a downstream prober or port scanner receives clean, structured targets to confirm.
Set limit, rate-limit, and retry to keep a wide query within each engine's free or paid tier while still covering the surface.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| raw | BOOLEAN | -raw | write raw output as received by the remote api |
| fofa | FILE | -fofa | search query for fofa |
| json | BOOLEAN | -json | write output in JSONL(ines) format |
| field | STRING | -field | field to display in output (ip,port,host) (default "ip:port") |
| limit | STRING | -limit | limit the number of results to return (default 100) |
| quake | FILE | -quake | search query for quake |
| retry | STRING | -retry | number of times to retry a failed request (default 2) |
Showing key inputs. uncover exposes 29 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| raw | BOOLEAN | -raw | write raw output as received by the remote api |
| fofa | FILE | -fofa | search query for fofa |
| json | BOOLEAN | -json | write output in JSONL(ines) format |
| field | STRING | -field | field to display in output (ip,port,host) (default "ip:port") |
| limit | STRING | -limit | limit the number of results to return (default 100) |
| quake | FILE | -quake | search query for quake |
| retry | STRING | -retry | number of times to retry a failed request (default 2) |
| censys | FILE | -censys | search query for censys |
| config | FILE | -config | configuration file |
| engine | STRING | -engine | search engine to query (shodan,shodan-idb,fofa,censys,quake,hunter,zoomeye,netlas,publicwww,criminalip,hunterhow) (default shodan) |
| FILE | search query for google | ||
| hunter | FILE | -hunter | search query for hunter |
| netlas | FILE | -netlas | search query for netlas |
| shodan | FILE | -shodan | search query for shodan |
| silent | BOOLEAN | -silent | show only results in output |
| timeout | STRING | -timeout | timeout in seconds (default 30) |
| verbose | BOOLEAN | -v | show verbose output |
| zoomeye | FILE | -zoomeye | search query for zoomeye |
| no-color | STRING | -no-color | disable colors in output |
| provider | FILE | -provider | provider configuration file |
| hunterhow | FILE | -hunterhow | search query for hunterhow |
| publicwww | FILE | -publicwww | search query for publicwww |
| criminalip | FILE | -criminalip | search query for criminalip |
| query-file | FILE | -query | search query file |
| rate-limit | STRING | -rate-limit | maximum number of http requests to send per second |
| shodan-idb | FILE | -shodan-idb | search query for shodan-idb |
| query-string | STRING | -query | search query string |
| rate-limit-minute | STRING | -rate-limit-minute | maximum number of requests to send per minute |
| awesome-search-queries | STRING | -awesome-search-queries | use awesome search queries to discover exposed assets on the internet (example: -asq 'jira') |
example
# uncover: pull hosts matching an SSL title from multiple enginesuncover -q 'ssl:"example.com"' -censys -fofa -json -limit 50198.51.100.10:443203.0.113.5:8443api.example.com:443dev.example.com:443192.0.2.8:80staging.example.com:443guidance
Use uncover when you want a wide view of exposed hosts without scanning them yourself, by reading search-engine data. It needs API keys for the engines you query. Pair it with a prober like httpx or a port scanner to actively confirm the hosts it surfaces, since the engine data may be stale.
Talks to Shodan directly. uncover fans the same query across many engines at once.
Enriches a list of IPs with Shodan data. uncover discovers the hosts in the first place.
Active port scanner. Run it after uncover to confirm the ports the engines reported.
faq
related
Quickly map an organization's network ranges using ASN information.
Maximize your resolver count by combining the target's DNS servers with public resolvers.
Expand CIDR ranges into a list of IP addresses easily.
Expand CIDR ranges into a list of IP addresses easily, from a file.
Maintain a list of IPv4 DNS servers verified against baseline servers for accurate responses.
Patched dnsvalidator that keeps only IPv4 resolvers verified against baseline servers.
A search query feeds uncover, which pulls matching hosts from internet search engines and passes them to httpx for active confirmation before they land as a queryable output.
Facts on this page come from the live Trickest tool library.