provocativo_
back to the arsenal
// arsenal·Recon & OSINTBeginnerFreemium

Censys

Internet-scale scanning platform — Shodan's academic-origin sibling.

Recon & OSINT

$ censys --help

Censys

// what it is

Description

Founded out of University of Michigan's ZMap research in 2015. Indexes every IPv4 host every few days, with first-class certificate transparency integration. Strong API + ability to pivot between hosts and certificates.

// use cases

What people use it for

  • Find every host serving a specific TLS cert (great for misconfig hunting)
  • Track an organization's public exposure over time
  • Pivot from a leaked subdomain to other hosts behind the same cert

// commands

The commands you'll type

Search hosts by org

$ censys search 'services.tls.certificates.leaf_data.subject.organization: "Example Corp"'

View host

$ censys view 1.1.1.1

// facts

category
Recon & OSINT
platforms
WEB · LIN · WIN · MAC
license
Freemium
difficulty
Beginner

// links

// related in Recon & OSINT

Recon & OSINTBeginner

Nmap/en-map/

The Network Mapper — Fyodor's port-scanner and host-discovery framework.

FOSS
LIN·WIN·MAC
open entry →
Recon & OSINTIntermediate

Masscan

Internet-scale TCP port scanner — claims 10M packets/second on the right hardware.

FOSS
LIN·WIN·MAC
open entry →
Recon & OSINTBeginner

Shodan

Search engine for internet-connected devices — banners, certs, screenshots.

Freemium
WEB·LIN·WIN·MAC
open entry →