Censys Search Engine Intro
Censys is a search engine for Internet-connected hosts and certificates. It’s similar to Shodan. It’s a useful resource for OSINT and CTI.
Censys sells paid accounts, but you can also register for a free non-commercial account, which is limited to 250 queries/month. You can view some info even without an account.
You can get ideas for what to search for on Hosts Examples and Search 2.0 Example Host Queries. To learn how to construct queries, see Hosts Query Help and Censys Search Language.
Search filters take the form fieldname: value. For example, to see hosts with an HTTP service which have an HTML title indicating that it’s exposing a directory, search services.http.response.html_title: “Index of /”.
When you search, you’ll see a page with the first 25 search results. Each result shows some data, and you can click links to view more info in Censys.
Along the left side, Censys will display host and service filters, including the following:
- Labels (e.g., remote-access, email, file-sharing, database, network-administration)
- Autonomous System
- Location
- Service Names
- Ports
- Software Vendor
- Software Product
Censys will show up to 5 lines for each of these categories, with links to view more. Near the top of each search results page is also a Report link to build a report.
Using Censys for OSINT & CTI
You can use Censys to find the following, which can be useful for OSINT or CTI investigations:
- Hosts with malicious content matching a hash
- History of how a host’s attributes have changed over time
- Hosts running software with a particular vulnerability, by searching by CPE-formatted software URI
- Hosts, certificates, and names connected/related to a particular host, certificate, or name
- Hosts running a specific combination of OS and application
- Hosts with an HTTP service with an open directory list and suspicious file names in their contents
