Censys sells paid accounts, but you can also register for a free non-commercial account, which is limited to 250 queries/month. You can view some info even without an account.
Search filters take the form fieldname: value. For example, to see hosts with an HTTP service which have an HTML title indicating that it’s exposing a directory, search services.http.response.html_title: “Index of /”.
When you search, you’ll see a page with the first 25 search results. Each result shows some data, and you can click links to view more info in Censys.
Along the left side, Censys will display host and service filters, including the following:
- Labels (e.g., remote-access, email, file-sharing, database, network-administration)
- Autonomous System
- Service Names
- Software Vendor
- Software Product
Censys will show up to 5 lines for each of these categories, with links to view more. Near the top of each search results page is also a Report link to build a report.
Using Censys for OSINT & CTI
You can use Censys to find the following, which can be useful for OSINT or CTI investigations:
- Hosts with malicious content matching a hash
- History of how a host’s attributes have changed over time
- Hosts running software with a particular vulnerability, by searching by CPE-formatted software URI
- Hosts, certificates, and names connected/related to a particular host, certificate, or name
- Hosts running a specific combination of OS and application
- Hosts with an HTTP service with an open directory list and suspicious file names in their contents
Hosts - Censys
When no field is specified, Censys attempts a full-text search over all fields. For example, searching for will return…
Censys Search Language
The Censys Search Language is what you use to find hosts that are of interest to you. Queries written in the Censys…
What Is Censys Search Used For?
Censys builds searchable data sets to aid security practitioners in their efforts to make Internet-facing systems-and…