Censys.io
📝 Overview
What it is: Censys is a specialized search engine and Attack Surface Management (ASM) platform that continuously scans the entire public internet. Unlike Google, which indexes web pages, Censys indexes IP addresses, open ports, software versions, and SSL/TLS certificates. It is heavily used by security teams to discover internet-facing assets and by attackers to find exposed infrastructure.
Target Phase: Reconnaissance (specifically OSINT / Passive Recon)
Operating System: Web-based (SaaS) / Command Line via API
⚙️ Core Capabilities
- Continuous Internet Scanning: It constantly probes the IPv4 address space, keeping a massive, searchable database of what is listening on open ports globally.
- Certificate Transparency Search: One of its most powerful features. Censys parses SSL/TLS certificates, allowing you to search for a company’s domain name and instantly find all their subdomains and associated IP addresses, even if they aren’t publicly advertised.
- Attack Surface Management: Enterprise defense teams use it to find “Shadow IT”—servers, databases, or development environments that employees spun up and forgot about, which are accidentally exposed to the public internet.
- High-Fidelity Fingerprinting: It doesn’t just see that port 22 is open; it grabs the banner to tell you exactly what version of OpenSSH is running on that specific IP.
💻 Common Commands
Note: Most users interact with Censys via the web interface at search.censys.io, but it has a powerful Python CLI tool for automation once you plug in your API keys.
| Command | Description |
|---|---|
| `censys search "example.com"` | Searches the Censys database via the CLI for hosts associated with that domain. |
| `censys search "parsed.names: example.com"` | Queries the certificates index for SSL/TLS certificates issued to that domain; excellent for finding hidden subdomains. |
| `censys search "services.port: 3389"` | Finds hosts globally (or within a specific subnet) that have Remote Desktop (RDP) exposed to the internet. |
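As an added example (not code from Censys or from this note), the script below shows the defensive side of the table: it builds a hosts-index query like `services.port: 3389` scoped to a subnet, then triages a constructed sample of host-search hits against an asset inventory to surface the "Shadow IT" exposures described above. The hit shape (`ip`, `services[].port`, `services[].service_name`), the CIDR syntax on the `ip:` field, and the sample data are assumptions.

```python
"""Triage Censys host-search hits against an asset inventory (added example).

Assumption: hits are shaped like the Censys Search v2 hosts response
(ip, services[].port, services[].service_name). With an API key the same
hits would come from censys.search.CensysHosts().search(query); here a
constructed offline sample is used instead.
"""
import ipaddress
import json

# Services that should not face the public internet unannounced (port -> label).
RISKY_PORTS = {3389: "RDP", 445: "SMB", 5900: "VNC", 9200: "Elasticsearch"}


def build_query(port: int, cidr: str = "") -> str:
    """Build a hosts-index query such as `services.port: 3389`, optionally
    narrowed to a subnet (CIDR on the `ip:` field is an assumption)."""
    query = f"services.port: {port}"
    if cidr:
        ipaddress.ip_network(cidr)  # raises ValueError before we interpolate junk
        query += f" and ip: {cidr}"
    return query


def triage_hits(hits: list, known_assets: set) -> list:
    """One finding per (ip, risky port); IPs absent from inventory are Shadow IT.
    Shadow-IT findings sort first, then by ip and port."""
    findings = []
    for hit in hits:
        ip = hit["ip"]
        for svc in hit.get("services", []):
            port = svc.get("port")
            if port in RISKY_PORTS:
                findings.append({"ip": ip, "port": port, "service": RISKY_PORTS[port],
                                 "shadow_it": ip not in known_assets})
    return sorted(findings, key=lambda f: (not f["shadow_it"], f["ip"], f["port"]))


# Constructed sample response (not real Censys data); documentation-range IPs.
SAMPLE_RESPONSE = json.loads("""
{"result": {"hits": [
  {"ip": "203.0.113.10", "services": [{"port": 443, "service_name": "HTTP"},
                                       {"port": 3389, "service_name": "RDP"}]},
  {"ip": "203.0.113.25", "services": [{"port": 22, "service_name": "SSH"}]},
  {"ip": "203.0.113.77", "services": [{"port": 9200, "service_name": "ELASTICSEARCH"},
                                       {"port": 445, "service_name": "SMB"}]}
]}}""")
KNOWN_ASSETS = {"203.0.113.10", "203.0.113.25"}  # constructed inventory

if __name__ == "__main__":
    print(build_query(3389, "203.0.113.0/24"))
    for f in triage_hits(SAMPLE_RESPONSE["result"]["hits"], KNOWN_ASSETS):
        print(f"{f['ip']}:{f['port']} {f['service']} "
              f"({'SHADOW-IT' if f['shadow_it'] else 'known'})")
```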
⚠️ Notes & Limitations
- Stealth (100% Passive): This is the most crucial concept when comparing Censys to Nikto or Nessus. When you query Censys, you are searching a database that Censys already built. You are never sending a single packet directly to your target. Because of this, it is entirely stealthy and will not trigger the target’s Intrusion Detection System (IDS).
- Limitations: It only sees what is facing the public internet. It cannot see internal corporate networks or assets hidden behind robust firewalls/WAFs that drop scanning packets.
How Censys Fits into Your Pentesting Methodology
Since you are building out your knowledge graph, it is highly useful to link Censys in direct contrast to the tools we just covered:
- Passive Recon (Censys): You start here. You sit at your desk and search the Censys database to find out that your target company has a forgotten, public-facing server at a specific IP address. The target has no idea you are doing this.
- Active Recon (nmap/Nikto): You take that IP address you found on Censys and actively scan it with Nmap to confirm the ports are still open, or Nikto to see if the web server is misconfigured. The target’s firewall logs will see this activity.
- Vulnerability Assessment (Nessus/OpenVAS): Once you have a map of their assets, you point Nessus at that specific server to find out exactly which CVEs (vulnerabilities) it is susceptible to.
🔗 Links & Resources
🏷️ Tags
#Censys #OSINT #PassiveRecon #AttackSurfaceManagement #InformationGathering #geoip