BOOK THIS SPACE FOR AD
ARTICLE ADAfter exploring ZMap in part one, where entire networks can be actively scanned (occasionally drawing some unwanted attention), it’s time to look at a quieter approach. Enter Censys, the internet’s resident snoop that has already scanned the entire web so no one else has to.
With Censys, everything from IP addresses, domain information, and SSL certificate data is neatly cataloged and ready for inspection. It’s like having a complete map of the internet at one’s fingertips, ripe for network exploration without needing to raise alarms or send packets flying across the globe. Whether for vulnerability research, bug bounty programs, or passive reconnaissance, Censys provides a treasure trove of public data that’s just waiting to be utilized by ethical hackers and cybersecurity professionals.
I. What is Censys?
Censys is the ultimate passive scanning tool for cybersecurity researchers, ethical hackers, and bug bounty hunters. While tools like ZMap actively probe the network, Censys takes a different approach by offering a rich database of pre-scanned internet data. From IP addresses to domain information, and even SSL certificates, Censys has already done the heavy lifting, making it a perfect choice for anyone looking to explore without triggering alarms or drawing attention.
Creating a Censys account is free, and it comes with 250 queries per month — plenty to start digging into the vast treasure trove of data. With just a simple query, users can access detailed insights into internet infrastructure and network services.
In a way, Censys is like Harry Potter’s magic wand: the real magic lies in knowing what to say. With the right Censys query, the platform will obediently reveal exactly what is being searched for, whether it’s vulnerable devices, open ports, or insecure services across the web. Just wave the proverbial wand, and the internet’s secrets are laid bare for ethical hackers and cybersecurity experts alike.
Let’s Start with a Real Example — Exploring Apple’s Network
Let’s take Apple’s CIDR block 17.0.0.0/8. This range, associated with Apple, is a goldmine of public-facing infrastructure just waiting to be discovered. Want to double-check? The BGP routing information can be verified at bgp.he.net/AS714#_prefixes.
Using tools like Censys (and without raising a single eyebrow), cybersecurity researchers and ethical hackers can analyze Apple’s public infrastructure, potentially uncovering vulnerabilities or exposed services that need fixing.
Finding Alive IPs from Apple’s CIDR Range
Curious to see which IPs are alive in Apple’s range? Here’s the Censys query:
ip: `17.0.0.0/8`This simple query will return all the alive IPs from Apple’s CIDR block that Censys has already picked up during its internet scans. No need to send even a single packet — just sit back and let the data roll in.
Filtering Only for “200 OK” Responses
Want to be more specific? Just filter out responses with the “200 OK” status code for healthy endpoints. Try this query:
ip: `17.0.0.0/8` and "200 OK"Why hunt for broken servers when the good ones will happily serve up their data?
Searching for Admin Pages (Because Who Doesn’t Love Finding Admin pages?)
Now, if an attacker (or an ethical hacker, of course) wanted to find admin pages, here’s a neat query for that:
ip: `17.0.0.0/8` and "admin"With this, Censys will reveal any pages with “admin” in it, which is usually a sign of a juicy portal just waiting to be found.
Finding Domains with Virtual Hosts
What if the goal is to find domains instead of just raw IPs? Simple. Just search for virtual hosts with this option:
Suddenly, it’s like peeling back a layer of the internet onion.
Hunting for Login Pages
For those obsessed with login pages, this query can help narrow down the search:
(ip: `17.0.0.0/8`) and labels=`login-page`Because, let’s be honest — who doesn’t get excited seeing a “login” prompt?
Other Fun Queries for the Adventurous Explorer
Finding Lodash pages:
(ip: `17.0.0.0/8`) and labels=`lodash`Tracking down Jenkins instances:
(ip: `17.0.0.0/8`) and services.software.vendor=`Jenkins`Hunting for PHP instances (for the good ol’ web vulnerabilities):
(ip: `17.0.0.0/8`) and services.software.product=`PHP`Some Intriguing Keywords to Spice Things Up
For those really looking to impress, here are some fun search queries that can uncover more interesting endpoints:
ip: `17.0.0.0/8` and "config"Filtering for dashboard pages:
ip: `17.0.0.0/8` and "dashboard"Searching for console pages:
ip: `17.0.0.0/8` and "console"Conclusion:
By now, it should be clear that Censys is the quiet, reliable powerhouse in the world of network scanning and ethical hacking. While ZMap might make noise, Censys allows for a stealthy, data-driven approach to uncovering vulnerabilities and exploring internet infrastructure. With 250 free queries per month and a vast pool of pre-scanned internet data, researchers and bug bounty hunters can easily conduct passive reconnaissance, gaining invaluable insights into everything from IP addresses to SSL certificates.
And here’s the thing: the sky is truly the limit. The more an attacker (or ethical hacker) can imagine, the deeper they can go in their reconnaissance efforts. With the right Censys queries, there’s virtually no corner of the internet that can’t be explored — vulnerable devices, open ports, admin pages, and even specific software instances are just a query away. The internet is a goldmine, and Censys is the map. So, go ahead and start imagining, because the more creative the queries, the more hidden gems will be uncovered.
But as always, with great power comes great responsibility — use these insights wisely.
ip: `17.0.0.0/8` and “console” for filtering out console pages
<picture>