Censys - Great tool for OSINT gathering!

A great new resource has become available called Censys. https://www.censys.io/

This great resource was created by some guys at the University of Michigan.

Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the internet. You will notice it is similar to Shodan (shodan.io) but, from what I have seen, it looks much more powerful… what a great tool for OSINT gathering!

@danweis is this a tool you have used? Any experience with it?

Yes, Censys has been around for a long time; the last time I used it was probably 5 years or longer ago. At that stage it was comparable with Shodan; it's a service that scans for systems belonging to a target and organisation across a large set of IP addresses. It would be an OK tool for monitoring and identifying rogue systems, but I'd prefer to do the enumeration work manually these days: enumerate DNS, IP ranges, Shodan etc. to determine live targets (and with no price tags attached). :)

@danweis

Can you share some tips with new people on some of the things you do here and how you do them?

I know it will be extremely helpful to others to learn these skills and your tips, since you do this all the time.

First up, leverage sites like robtex and Shodan to identify any systems (IP ranges) they might have. (Remember you are only allowed to scan IPs you have permission to scan :) ) Then perform DNS bruteforcing against the domain(s); you can use tools like dnsrecon & fierce via Kali, or DNSDumpster is also a great service. This will give you a list of assets that a client has externally facing before you move into your active recon (which involves port scanning, banner grabbing etc.).
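
The scope reminder in the post above, as an added example that is not part of the original thread: a check that splits the merged asset list into hosts inside the ranges the client authorised and hosts that must be left alone, before anything moves on to active recon. The scope entries, hostnames and addresses are constructed sample data using documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample scope (documentation ranges, not real targets).
AUTHORISED_SCOPE = ["192.0.2.0/24", "198.51.100.16-198.51.100.31", "2001:db8:10::/48"]

# Constructed sample (hostname, address) pairs merged from passive sources and DNS enumeration.
DISCOVERED = [
    ("www.example.com", "192.0.2.10"),
    ("mail.example.com", "198.51.100.20"),
    ("vpn.example.com", "198.51.100.40"),   # just outside the agreed range
    ("cdn.example.com", "203.0.113.5"),     # third-party hosting
    ("v6.example.com", "2001:db8:10::25"),
    ("WWW.example.com.", "192.0.2.10"),     # duplicate, different spelling
    ("old.example.com", "not-an-ip"),       # unresolved / bad record
]


def parse_scope(entries):
    """Turn CIDRs, single IPs and 'start-end' ranges into a list of networks."""
    networks = []
    for entry in entries:
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
    return networks


def split_by_scope(discovered, scope_entries):
    """Return (in_scope, out_of_scope, invalid) with duplicates removed."""
    networks = parse_scope(scope_entries)
    in_scope, out_of_scope, invalid, seen = [], [], [], set()
    for host, addr in discovered:
        host = host.rstrip(".").lower()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            invalid.append((host, addr))
            continue
        if (host, ip) in seen:
            continue
        seen.add((host, ip))
        # An IPv4 address is never "in" an IPv6 network (and vice versa), so mixed scopes are safe.
        target = in_scope if any(ip in net for net in networks) else out_of_scope
        target.append((host, str(ip)))
    return in_scope, out_of_scope, invalid
```

Hosts that land in the out-of-scope list (shared hosting, CDNs, addresses just past a range boundary) are the ones to raise with the client rather than scan.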