Censys Quick Start Reference Censys - Io

Censys is a search engine that scans the entire internet and indexes data on hosts, services, and web certificates that it discovers. It stores this information in structured fields that can be queried to search for specific details like IP addresses, operating systems, web technologies, SSL/TLS configurations, and more. Censys also indexes WHOIS data and provides examples of common search queries users can perform across its indexed internet data.

CENSYS Quick Start Reference
censys.io
@mdholcomb

What is Censys?

Censys is a publicly available search engine, similar to Shodan but unique in its own right, which scans the entire Internet for a limited number of services and enumerates discovered services by their banner responses, indexes that data and makes it searchable.

Censys stores the information in structured fields which can be queried specifically for enumerating data on hosts, services and (in particular) web certificates.

Be sure to use the ‘Raw Data’ option on any discovered host to see all of the data types Censys has stored.

Censys also indexes WHOIS data which can be viewed from the same menu under “Raw WHOIS”.

IP Addresses & Subnets

Single IP Address – Search for findings on single IP
Example: 52.179.197.205 or ip:52.179.197.205

IP Subnet by CIDR – Search across a specific CIDR
Example: ip:52.179.197.0/24

IP Subnet by Range – Search across a specific range
Example: ip:[216.189.94.1 TO 216.189.94.32]

Hostname – Search on result of a DNS “A” / host entry
Example: a:panerabread.com

Mail Servers – Search on DNS “MX” entries for domain
Example: mx:panerabread.com

Port – Find any instances of active services on a port
Example: ports:21

Service – Search for instances of specific services
Example: protocols:"21/ftp"

Autonomous System Number (ASN) – Search by ASN
Example: autonomous_system.asn:7018

Physical Location

Country – Search by country code
Example: location.country_code:"US"

City – Search by city name
Example: location.city:Paris

State – Search by state name
Example: location.province:"South Carolina"

Zip Code – Search by postal ZIP code
Example: location.postal_code:92127

Geo : Latitude Range – Search GPS coordinates - Latitude
Example: location.latitude:[45.0 TO 59.0]

Geo : Longitude Range – Search GPS coordinates - Longitude
Example: location.longitude:[15.0 TO 18.5]

Operating Systems & Products

Operating System – Search by operating system type
Example: metadata.os:Windows

Product (Web Service) – Search by known product name
Example: 443.https.get.metadata.product:nginx

Manufacturer – Search for known manufacturers
Example: metadata.manufacturer:"Huawei"

Microsoft SMBv1 – Search for instances of SMBv1
Example: 445.smb.banner.smbv1_support:true

Dates & Ranges

Date: After – Search for findings that appear after a date
Example: updated_at:[2018-12-15 TO *]

Date: Before – Search for findings that appear before a date
Example: updated_at:[* TO 2018-12-31]

Date: Range – Search for findings that appear within a range
Example: updated_at:[2018-12-15 TO 2018-12-31]

Web Apps

Page’s Title – Search for text in page’s title
Example: 443.https.get.title:"Index of /ftp"

Page’s HTML Body – Search body of webpage for text string
Example: 443.https.get.body:"XML-RPC server accepts"

Web Technologies – Search for specific web technologies
Example: 443.https.get.metadata.product:php

TLS Version – Determine most recent version supported
Example: 443.https.tls.version:TLSv1.2

SSLv3 – Find instances of SSLv3
Example: 443.https.ssl_3.support:true

Expired Certificates – Search for expired HTTPS certs
Example: 443.https.tls.certificate.parsed.validity.end:[* TO 2018-12-31]

Self-Signed Certificates – Search for self-signed HTTPS certs
Example: 443.https.tls.certificate.parsed.signature.self_signed:true

Invalid Cert Signatures – Find invalid cert signatures
Example: 443.https.tls.certificate.parsed.signature.valid:false

Trusted Certs – Determine trusted certs by browsers
Example: 443.https.tls.validation.browser_trusted:true

Heartbleed – Find potential instances of Heartbleed vuln
Example: 443.https.heartbleed.heartbleed_vulnerable:true

Tags

A list of common tags that I’ve found useful:
bacnet, database, DSL/cable modem, embedded, Heartbleed, industrial control system, known-private-key, modbus, mssql, mysql, network, oracle, postgres, printer, rdp, remote_display, raspberry pi, scada, smb, vnc

A special thank you to the Censys team (@censysio) and the University of Michigan (@UMich)!
By Michael Holcomb (@mdholcomb)
