Censys Quick Start Guide
This article applies to our legacy Search product. Censys Search 2.0 is now public and an updated version of this article can be found here.
We suggest you begin by prioritizing your goals. Here’s what Censys can help you with:
- What servers at my company are publicly accessible?
- Is my organization exposing any building control systems, security cameras, or printers on the Internet?
- Are any of those servers or devices running vulnerable software?
Impersonation and Phishing Behavior
- Are any websites attempting to impersonate your company in order to phish or mislead users?
- Have we seen this C2 infrastructure previously? What behaviors do we see these known adversaries using and repeating?
Want to get a sense of what you can scan for using Censys?
As you go through these lists, you’ll find a lot of other similar cases and you can begin querying for areas you’re particularly concerned about within your organization or your client’s company and branch out or delve deeper from that starting point.
Our FAQs are also worth a quick read.
Quick and Dirty Tips from the Censys Team:
- Databases, Points of Sale—both Servers and Client devices are some of the most sought-after assets for attackers. (2018 Verizon Data Breach Report)
- Note that if you do find MySQL, FTP, or industrial control systems (think solar panels, HVAC, building control, SCADA controller, power distribution unit) - remember there’s no good reason these devices should be online, as they only open you up to attackers.
- Be sure to specify a field in your query. When you don’t specify a field in your query, you are searching a field called “_all.” The results you get back will include everything we find on the internet, and most results will be irrelevant to you if you don’t utilize this field.
- When a new CVE is published or an attack is brought to light that you fear may affect your organization, run a few queries in Censys to determine if you need to take action (patch, remove, take offline, etc.). The key here, as with all cybersecurity strategies, should be to prevent disaster, rather than having to react after the fact.
-- Example: You read this headline HP printer critical flaws open up organizations to attack when coupled with EternalBlue tool
- Take action: Do a quick, on-the-fly scan for these printers and get a sense of what your attack surface looks like, then apply the patch or take these printers offline, in the event that no patch is yet available.
-- Example: The Oracle critical database vulnerability, which required users to patch immediately to keep their data secure. In this particular case, you might do something like this:
If you click on any of those versions you’ll see a results page with the specific hosts.
Start running your scans today
Real-world scenarios that you can prevent by having visibility into your infrastructure and adversary behaviors and methodologies: