Updated: Apr 6, 2020
Welcome back, my aspiring OSINT cyber warriors!
John Matherly began Shodan in 2009 to collect banner information from nearly early IP address on the planet, put that data into a huge database,and index that data for our use. Shodan has been so successful that it has inspired others to imitate and improve upon it.
Censys.com is a relatively new site (2015) that has sought to improve and benefit upon on the success of Shodan. Unlike Shodan that captures the data in banners, Censys is built upon the Zmap. Zmap is a faster alternative to nmap that can scan the entire 4 billion IPv.4 address space in about one hour This enables it to have an almost real-time update on every IP address.
Shodan is a great source of open-source information on nearly every IP address and port, but Censys allows you to get real-time data and to dig a bit deeper and with more granular detail.
I think Censys takes us to the next level of understanding the attack surface of nearly every system on the planet in something approximating real-time. That makes Censys an incredibly powerful tool to monitor the threat landscape of your company and cyber war landscape of geopolitics.
Let's take a look at Censys.
Open a Free Account on Censys
The first step is to open an account on censys.io. The folks at Censys make it simple and free.
Once you open an account, you can begin use Censys's interface almost instantly.
Like Shodan, you can put in a keyword and Censys will return all the results of that contain that keyword (remember, these are Zmap results and not banners, so your results will likely differ from Shodan).
Here we searched for Hosts that contain "apache" in their results.
Here, we search for "debian".
Of course, you can also see the results for IP address or range of IP addresses such as;
Censys will accept a range of IP addresses in CIDR notation such 84.247.68/24
Censys allows you to use the common Boolean (AND, OR, NO, etc) operators you are accustomed to using in other applications. So, you can find all the Debian servers in Romania by combining the keyword search "debian" with location.country_code:RO with a logical AND.
We can also lookup results for any HOST by simply specifying its IP address in the search field.
Censys displays the data in a table of attributes and values. Of course, the attribute is simply a particular data field specified in that protocol. As you can see below, here we have the multitude of fields in the POP3 protocol.
When we find one interesting field, we can COPY and PASTE it into the search window to find systems with that same attribute.
This can be extremely useful to finding all the other systems that have that same value and/or vulnerability.
To search within a particular parsed field, you can run a regular expression to further narrow your search results. The user-interface (UI) uses Elasticsearch regex syntax (for more on regex see this article).
You are able to run queries within the search bar, such as:
parsed.issuer_dn.raw: /.*localhost\, emailAddress\=webmaster\@localhost.*/
We could use our BOOLEAN operators to add the additional condition that the certificates must be self-signed.
parsed.issuer_dn.raw: /.*localhost\, emailAddress\=webmaster\@localhost.*/ AND tags.raw..'"self-signed"
Using Censys to Find Specific SCADA targets
Censys uses heuristic techniques to categorize hosts into "tags". These tags simply represent hosts that have similar "heuristics". Think of heuristics as "if it walks like duck and quacks like a duck, there is VERY high probability it IS a duck!
But as we know, these types of heuristic systems are prone to some error. Take these results as less than deterministic but with a high probability of being correct.
The figure below shows a list of the most widely found "tags" that Censys identifies on the internet.
We can use these tags to help us find systems that "quack" like a SCADA system. SCADA systems are so distinctively different than other systems when scanned by Zmap scan or nmap, that their probability of being SCADA systems is very high.
We can narrow our search by a multitude of choices, but if we were looking for SCADA systems where the PLC's were manufactured by the German industrial giant, Siemens (their PLC's were the target of the Stuxnet attack on Iran) we could create a search such as;
tags:scada AND metadata.manufacturer:siemens
We can further narrow our search to those found in a particular country such as Germany, using the logical AND and then appending an additional condition of location.country_code and giving it a value of DE.
tags:scada AND metadata.manufacturer:siemens AND location.country_code:DE
One of the features I like best about Censys if the concept of "boosting". This comes in handy if you have two fields where one is far more important than the other. The logical "AND" normally gives equal weight to both terms. In this way, you can relay that one field is more important than the other. Furthermore, this boosting can be weighted.
For instance, if I were looking for systems with the modbus protocol and had a tag of "SCADA", I would probably want to place a lot on more weight on the modbus protocol and less on Censys's SCADA tag. Remember, the tag is developed by heuristics and won't always be correct.
We could convey to Censys this unweighted importance by appending a "^" plus a number registering the weight you want to give to that field.
tags:scada AND protocols:"502/modbus"^3
As you can see in the results above, we were able to retrieve information on sites that are tagged SCADA AND are running the modbus protocol with a heavier emphasis on "modbus".
Shodan is an excellent tool to scan for information in the banner of the web servers connected to the Internet, but Censys is able to augment that data with nearly real-time data from a wide variety of fields gathered via Zmap.
I think Censys takes us to the next level of understanding the attack surface of nearly every system on the planet in nearly real-time. That makes Censys an incredibly powerful too to monitor the threat landscape of your company and cyber war landscape of geopolitics.