PT0-002 · Chapter 40 of 104 · Objective 2.1

Shodan and Censys for Asset Discovery

This chapter covers Shodan and Censys, two powerful search engines for internet-connected devices. These tools are critical for the Reconnaissance and Enumeration domain of the PT0-002 exam, specifically under Objective 2.1: Given a scenario, conduct passive reconnaissance. Expect approximately 5-10% of exam questions to involve Shodan or Censys, either directly or as part of a broader recon strategy. You will learn how to query these databases, interpret results, and apply findings during a penetration test.

25 min read
Intermediate
Updated May 31, 2026

Shodan and Censys as Global Telescope

Imagine you are a security researcher who wants to find all the unlocked houses in a city. You can't walk down every street and check every door; that would take too long and might get you arrested. Instead, you build a giant telescope that can scan the entire city from a mountaintop. This telescope uses a powerful lens that can see through windows and read the labels on mailboxes. Every day, it takes a picture of every house and records which doors are open, what color the roof is, and whether there's a welcome mat. You then store all this data in a searchable database. When you want to find unlocked houses with red roofs, you query your database: 'door:open AND roof:red'. The database returns a list of addresses.

This is how Shodan and Censys work. They continuously scan the public IPv4 address space (and parts of IPv6) across a large, curated list of TCP and UDP ports, collecting banners: the initial greeting messages that services send. These banners contain information such as the service name, version, and sometimes configuration details. The search engines index this banner data, allowing you to search for specific services, versions, or even default-credential indicators. For example, the Shodan search port:22 "SSH-2.0-OpenSSH_7.4" finds indexed SSH servers whose banner advertises that version.

The key difference between Shodan and Censys is like comparing a telescope that takes snapshots at intervals (Shodan) with one that records more often and in more detail (Censys). Shodan refreshes its data on a schedule measured in days to weeks, while Censys rescans many services more frequently and exposes richer parsed metadata, such as TLS certificate fields and HTTP response headers. Both underpin passive reconnaissance: the scanning is done by the search engine's own infrastructure, so a tester who only queries the database never sends a packet to the target network.

How It Actually Works

What are Shodan and Censys?

Shodan and Censys are search engines that index information about internet-connected devices and services. Unlike Google, which indexes web pages, these tools scan IP addresses and ports to collect banners—the initial data a service sends when a connection is established. This allows penetration testers to discover exposed assets, identify vulnerable software versions, and map an organization's external footprint without sending any traffic to the target (passive reconnaissance).

How They Work: The Scanning Process

Both Shodan and Censys continuously scan the public IPv4 address space (roughly 4.3 billion addresses) across a large, curated set of TCP and UDP ports. Neither probes every one of the 65,535 port numbers; both prioritise ports where services are commonly found and extend the list over time. The scanning process involves:

Sending a probe (e.g., a SYN packet or a complete HTTP request) to each IP:port combination.

Receiving the response banner—this is the initial data the service sends, such as an SSH version string ("SSH-2.0-OpenSSH_7.4") or an HTTP response header ("Server: Apache/2.4.41 (Ubuntu)").

Parsing the banner to extract metadata: service name, version, operating system, SSL certificate details, etc.

Storing this metadata in a searchable database.

Shodan typically updates its data every 1-2 weeks for most services, while Censys scans more frequently—some services are rescanned daily. Both platforms use distributed scanning infrastructure to avoid overwhelming any single network.

Key Components and Search Syntax

Shodan Search Filters

Shodan allows powerful filtering using keywords and operators. Common filters include:

port: – Filter by port number (e.g., port:22)

country: – Filter by two-letter country code (e.g., country:US)

city: – Filter by city name (e.g., city:"San Francisco")

org: – Filter by organization name (e.g., org:"Microsoft")

hostname: – Filter by hostname (e.g., hostname:"example.com")

product: – Filter by product name (e.g., product:"Apache httpd")

version: – Filter by version number (e.g., version:"2.4.49")

os: – Filter by operating system (e.g., os:"Windows 10")

vuln: – Filter by CVE ID (e.g., vuln:CVE-2021-41773); not available on free accounts.

Filters are combined with an implicit AND; prefix a filter with - to negate it, and quote values that contain spaces (org:"Microsoft Corporation"). A filter also accepts comma-separated values, which are ORed (port:22,3389). For example: port:22 country:US -org:"Amazon" finds SSH servers in the US that are not hosted by Amazon.

Censys Search Syntax

Censys uses a query language in which each clause is a field: value pair and clauses are joined with explicit and, or and not operators. Key host fields include (these are the field paths this chapter was written against; Censys has renamed fields between schema versions, so confirm them in the current field reference before relying on a query):

ip – IP address (a CIDR range is accepted)

services.port – Port number

services.service_name – Service name (e.g., "HTTP", "SSH")

services.banner – Raw banner text

services.http.response.html_title – HTML title tag

services.tls.certificate.parsed.subject.common_name – TLS certificate common name

Example queries:

services.service_name: SSH AND services.port: 22 – Finds SSH services on port 22. Drop the port clause to find SSH wherever it listens; that is how non-standard-port deployments turn up.

services.http.response.html_title: "Login" – Finds web pages with "Login" in the title.

Practical Usage for Penetration Testing

Identifying Exposed Assets

Search for your target organization's IP ranges and WHOIS organization name to see what services are exposed. For example: org:"TargetCorp" port:3389 finds RDP services (port 3389) attributed to TargetCorp, and net: does the same for a specific netblock. Because org: relies on WHOIS attribution, it can pull in unrelated tenants of shared hosting; confirm every hit against the agreed scope before reporting it.

Finding Vulnerable Software

Search for banners that advertise a known-vulnerable release. For instance, product:"Apache httpd" version:"2.4.49" returns hosts whose Server header advertises the release affected by the path-traversal flaw CVE-2021-41773. Two caveats: the version string is a lead, not proof, because many distributions backport fixes without changing the advertised version; and a vulnerability in a library that never appears in a banner (Log4j's CVE-2021-44228 is the classic case) cannot be found this way, only by searching for products known to embed the library.

Discovering Default Credentials

Many devices ship with default credentials. Shodan can find devices whose banners or login pages mention default usernames, for example by searching for "default password" or "admin/admin". Such a banner is only evidence that the device may still use the default; actually attempting the login is active testing and must stay inside the authorised scope.

Mapping SSL Certificates

Censys excels at TLS certificate enumeration. You can find hosts presenting certificates issued to a specific organization: services.tls.certificate.parsed.subject.organization: "TargetCorp". The Subject Alternative Names on those certificates frequently expose hostnames (staging, VPN, mail) that no wordlist would have guessed, which is why certificate data is one of the best passive sources of subdomains.
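To show what "mapping certificates" yields once the records are in hand, here is an added example (not Censys code) that works offline over constructed certificate records shaped like a parsed leaf certificate: subject CN, SAN names, issuer CN and notAfter. It uses the placeholder domain targetcorp.com and a fictitious "Example CA" issuer, extracts every hostname under the target domain while rejecting lookalikes, lists the ones the client did not know about, and flags expired or self-signed certificates.

```python
"""Extract target hostnames and certificate hygiene problems from certificate records.

Added example for this chapter; it is not Censys's own code. SAMPLE_CERTS is a
constructed data set mimicking the fields read out of a parsed leaf certificate.
targetcorp.com and "Example CA" are placeholders.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample records (not live data).
SAMPLE_CERTS: List[Dict] = [
    {"subject_cn": "www.targetcorp.com", "issuer_cn": "Example CA",
     "names": ["www.targetcorp.com", "targetcorp.com"], "not_after": "2027-01-15T00:00:00Z"},
    {"subject_cn": "test.targetcorp.com", "issuer_cn": "test.targetcorp.com",  # self-signed, expired
     "names": ["test.targetcorp.com", "dev.targetcorp.com"], "not_after": "2020-06-01T00:00:00Z"},
    {"subject_cn": "*.targetcorp.com", "issuer_cn": "Example CA",
     "names": ["*.targetcorp.com"], "not_after": "2026-11-01T00:00:00Z"},
    {"subject_cn": "targetcorp.com.evil.example", "issuer_cn": "Example CA",  # lookalike, must not match
     "names": ["targetcorp.com.evil.example"], "not_after": "2027-01-01T00:00:00Z"},
    {"subject_cn": "nottargetcorp.com", "issuer_cn": "Example CA",  # lookalike, must not match
     "names": ["nottargetcorp.com"], "not_after": "2027-01-01T00:00:00Z"},
]


def in_domain(name: str, domain: str) -> bool:
    """True when name is the domain itself or a subdomain of it. Wildcard labels are
    stripped first. A plain substring test would accept targetcorp.com.evil.example
    and nottargetcorp.com, so the comparison is done on label boundaries."""
    name = name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def hostnames_for_domain(certs: Sequence[Dict], domain: str) -> List[str]:
    """Every CN and SAN under the target domain, deduplicated and sorted."""
    found = set()
    for cert in certs:
        for name in [cert["subject_cn"], *cert["names"]]:
            if in_domain(name, domain):
                found.add(name.lower())
    return sorted(found)


def new_hostnames(found: Sequence[str], known: Sequence[str]) -> List[str]:
    """Names the client did not list: the forgotten test/dev hosts recon exists to surface."""
    known_set = {k.lower() for k in known}
    return [n for n in found if n not in known_set]


def cert_issues(certs: Sequence[Dict], domain: str,
                now: Optional[datetime] = None) -> List[Tuple[str, str]]:
    """Flag expired and self-signed certificates on hosts in the target domain.
    Self-signed is detected heuristically here as issuer CN == subject CN."""
    now = now or datetime.now(timezone.utc)
    issues = []
    for cert in certs:
        if not any(in_domain(n, domain) for n in cert["names"]):
            continue
        not_after = datetime.strptime(cert["not_after"], "%Y-%m-%dT%H:%M:%SZ")
        if not_after.replace(tzinfo=timezone.utc) < now:
            issues.append((cert["subject_cn"], "expired"))
        if cert["issuer_cn"] == cert["subject_cn"]:
            issues.append((cert["subject_cn"], "self-signed"))
    return issues


def run_sample(domain: str = "targetcorp.com",
               known: Sequence[str] = ("www.targetcorp.com", "targetcorp.com")) -> Dict:
    """Run all three checks over the constructed records with a fixed clock."""
    fixed_now = datetime(2026, 5, 31, tzinfo=timezone.utc)
    found = hostnames_for_domain(SAMPLE_CERTS, domain)
    return {"found": found, "new": new_hostnames(found, known),
            "issues": cert_issues(SAMPLE_CERTS, domain, now=fixed_now)}


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)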

API Usage

Both platforms offer APIs for automated queries. Shodan's API is rate-limited to 1 request per second, and every page of filtered search results consumes a query credit (free accounts get very few, so check your remaining credits with api.info() before scripting a large sweep); Censys allows 250 queries per month on its free tier. Example Shodan API call in Python (install the client with pip install shodan):

import os
import shodan  # pip install shodan
api = shodan.Shodan(os.environ['SHODAN_API_KEY'])  # read the key from the environment; never hard-code it
try:
    results = api.search('port:22 country:US')  # filtered searches consume query credits
    print(results['total'], 'matching hosts; printing the first page')
    for result in results['matches']:
        print(result['ip_str'], result['port'], result.get('product'))
except shodan.APIError as exc:  # bad key, exhausted credits, rate limit
    print('Shodan API error:', exc)

Limitations and Anti-Automation

Both platforms may miss devices that block scanning (e.g., via firewalls or rate-limiting).

Results are not real-time; there is a delay between scanning and data availability.

Shodan's free tier shows only the first 50 results; Censys free tier shows 100 results per query.

Some services cannot be fingerprinted from a generic probe: a virtual host served only for a specific SNI name, a service that requires a client certificate or a login before it reveals anything, or a protocol in which the client must speak first.

Integration with Other Tools

Metasploit: The auxiliary/gather/shodan_search module runs a Shodan query with your API key and can save the returned hosts to the Metasploit database for later modules.

Nmap: Combine Shodan results with Nmap for targeted scanning—first use Shodan to find live hosts, then scan only those.

Maltego: Shodan and Censys transforms allow you to visualize discovered assets.

Exam Relevance

For PT0-002, know the difference between Shodan and Censys: Censys provides richer SSL/TLS certificate data and more frequent scans, while Shodan has a larger historical database and better IoT device coverage. Both are used for passive reconnaissance. Be able to construct effective search queries using filters.

Walk-Through

1

Define Target Scope

Identify the target organization's IP ranges, domain names, and ASN. A WHOIS query on a domain (`whois targetcorp.com`) returns registrar and registrant details, not address space; a WHOIS query on an IP address the organization is known to use (for example `whois 203.0.113.10`, a placeholder address) returns the netblock it belongs to and the owning organization as recorded by the regional registry. Use a BGP looking glass such as bgp.he.net to find the ASN and every prefix it announces. This scope is what you will filter Shodan/Censys results against, so have the client confirm it in writing before you start.

2

Query Shodan for Exposed Services

Using the Shodan search engine, apply filters to narrow results to the target, for example `org:"TargetCorp"` or `net:203.0.113.0/24` (a documentation range standing in for the client's real prefix; private ranges such as 192.168.0.0/16 never appear in Shodan because its scanners only reach public addresses). Examine the results for services on unusual ports, outdated software versions, or default-credential indicators. Shodan displays a summary of open ports, service banners, and location data, along with the timestamp of each observation, which tells you how stale the banner is. Note any findings that may be exploitable, such as SSH servers advertising versions with known vulnerabilities.

3

Query Censys for SSL and HTTP Details

Censys provides deeper TLS certificate information and HTTP response details. Search for the target domain or the scoped netblock, for example `ip: 203.0.113.0/24` (a documentation range standing in for the client's public prefix). Look for certificates issued to the target; their Subject Alternative Names may reveal subdomains or internal hostnames. Also examine HTTP responses for server headers, cookies, and HTML titles that disclose software versions. For example, a server header of `Apache/2.4.49` points at the release affected by the path-traversal flaw CVE-2021-41773. Treat the banner as a lead rather than a result: whether the host is actually exploitable depends on its configuration and on whether the vendor backported a fix without changing the advertised version.

4

Analyze Results for Vulnerabilities

Cross-reference discovered software versions with known vulnerabilities (CVEs). Use Shodan's `vuln:` filter (paid plans) or check manually against databases like NVD. For example, if you find `Apache httpd 2.4.49`, note that this release is affected by CVE-2021-41773, and record it as a candidate to verify during active testing rather than as a confirmed vulnerability, since banner versions can mislead (backported patches, frozen version strings). Also look for default-credential indicators by searching banners for common strings like "admin", "password", or "default". Document all findings, with their evidence, for the penetration test report.

5

Document and Report Findings

Compile the discovered IPs, ports, services, versions, and potential vulnerabilities into a structured report. For each finding, include the evidence (screenshot or banner text) and risk rating. The report should clearly distinguish between passive reconnaissance findings (no traffic sent to target) and active scanning results. This step is crucial for the PT0-002 exam's emphasis on proper documentation and reporting.
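The five steps above come down to filtering a result set against scope and annotating what survives. The following added example (not Shodan's own code) does that offline over constructed records shaped like entries in the `matches` list that shodan.Shodan.search() returns (ip_str, port, product, version, org, hostnames, timestamp). The IPs are documentation ranges, the organisation names are placeholders, and the CVE table contains only the Apache httpd 2.4.49 mapping already cited in this chapter. It drops out-of-scope hosts, flags CDN edge IPs, internet-facing admin services and version-based CVE candidates, and marks banners older than the staleness threshold so the report can say how fresh each piece of evidence is.

```python
"""Triage Shodan search results against scope, offline.

Added example for this chapter; not Shodan's own code. SAMPLE_MATCHES is a
constructed data set mimicking the shape of shodan.Shodan.search()['matches'].
203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are RFC 5737 documentation
ranges; TargetCorp and targetcorp.com are placeholders.
"""
import ipaddress
from datetime import datetime, timezone
from typing import Dict, List, Sequence

# Constructed sample of Shodan-style matches (not live data).
SAMPLE_MATCHES: List[Dict] = [
    {"ip_str": "203.0.113.10", "port": 3389, "transport": "tcp",
     "product": "Remote Desktop Protocol", "version": None, "org": "TargetCorp",
     "hostnames": ["rdp.targetcorp.com"], "timestamp": "2026-05-20T10:00:00.000000"},
    {"ip_str": "203.0.113.20", "port": 80, "transport": "tcp",
     "product": "Apache httpd", "version": "2.4.49", "org": "TargetCorp",
     "hostnames": [], "timestamp": "2026-03-01T00:00:00.000000"},
    {"ip_str": "198.51.100.5", "port": 443, "transport": "tcp",
     "product": "cloudflare", "version": None, "org": "Cloudflare, Inc.",
     "hostnames": ["www.targetcorp.com"], "timestamp": "2026-05-29T08:30:00.000000"},
    {"ip_str": "192.0.2.77", "port": 22, "transport": "tcp",
     "product": "OpenSSH", "version": "7.4", "org": "Unrelated Hosting",
     "hostnames": [], "timestamp": "2026-05-28T00:00:00.000000"},
]

# Services that should not be reachable from the internet (a reporting policy, not an exploit list).
ADMIN_PORTS = {3389: "RDP", 445: "SMB", 23: "Telnet", 5900: "VNC"}

# Banner (product, version) -> CVE leads. Only the mapping this chapter cites.
# A banner is a lead, not proof: distributions backport fixes without bumping the version.
CVE_TABLE = {("Apache httpd", "2.4.49"): ["CVE-2021-41773"]}

# Organisations whose addresses are CDN / reverse-proxy edges rather than the origin host.
CDN_ORGS = ("cloudflare", "akamai", "fastly")


def parse_shodan_timestamp(ts: str) -> datetime:
    """Shodan timestamps look like 2026-05-20T10:00:00.000000 (UTC, no zone suffix)."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {ts}")


def in_netblocks(ip: str, netblocks: Sequence[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(nb, strict=False) for nb in netblocks)


def in_domains(hostnames: Sequence[str], domains: Sequence[str]) -> bool:
    """Label-boundary match, so targetcorp.com.evil.example is not in scope."""
    hosts = [h.lower().rstrip(".") for h in hostnames]
    return any(h == d or h.endswith("." + d) for h in hosts for d in domains)


def triage(matches: Sequence[Dict], netblocks: Sequence[str], domains: Sequence[str],
           now: datetime, max_age_days: int = 30) -> List[Dict]:
    findings = []
    for m in matches:
        by_net = in_netblocks(m["ip_str"], netblocks)
        by_host = in_domains(m.get("hostnames", []), domains)
        if not (by_net or by_host):
            continue  # outside the agreed scope: neither report it nor touch it
        flags = []
        org = (m.get("org") or "").lower()
        if not by_net and any(c in org for c in CDN_ORGS):
            flags.append("cdn-edge")  # CDN address answered; origin server not identified
        if m["port"] in ADMIN_PORTS:
            flags.append("exposed-admin-service:" + ADMIN_PORTS[m["port"]])
        for cve in CVE_TABLE.get((m.get("product"), m.get("version")), []):
            flags.append("cve-candidate:" + cve)
        age = (now - parse_shodan_timestamp(m["timestamp"])).days
        if age > max_age_days:
            flags.append(f"stale-banner:{age}d")  # re-verify actively before relying on it
        findings.append({"ip": m["ip_str"], "port": m["port"], "service": m.get("product"),
                         "version": m.get("version"), "evidence": m["timestamp"], "flags": flags})
    findings.sort(key=lambda f: (ipaddress.ip_address(f["ip"]), f["port"]))
    return findings


def run_sample(now: datetime = datetime(2026, 5, 31, tzinfo=timezone.utc)) -> List[Dict]:
    """Run the triage over the constructed sample with a fixed clock for reproducibility."""
    return triage(SAMPLE_MATCHES, ["203.0.113.0/24"], ["targetcorp.com"], now)


if __name__ == "__main__":
    for f in run_sample():
        print(f["ip"], f["port"], f["service"], f["version"], f["flags"])
```

The 192.0.2.77 host is dropped entirely: it is neither in the netblock nor under the domain, so it never reaches the report, however interesting its banner looks. The Cloudflare address is kept only because a target hostname resolves there, and it is labelled as an edge so nobody mistakes it for the origin server.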

What This Looks Like on the Job

Scenario 1: External Penetration Test for a Financial Institution

A penetration tester is hired to assess the external security of a bank. The tester starts with passive reconnaissance using Shodan. By searching org:"BankCorp", they discover an RDP service on port 3389 that should not be reachable from the internet. Further analysis reveals the server is running Windows Server 2012 R2, which reached end of support in October 2023. The tester also uses Censys to find TLS certificates issued to the bank; the Subject Alternative Names reveal a forgotten subdomain, test.bankcorp.com, hosting a development application. This subdomain is not in scope, so the tester does not touch it, but it is an asset the client was unaware of and belongs in the report. The tester documents these findings and recommends removing the RDP exposure and retiring the test subdomain. On a larger engagement the tester would use Shodan's API to automate the search across multiple IP ranges, but the free web interface sufficed for this small scope.

Scenario 2: IoT Device Discovery for a Healthcare Provider

A healthcare provider wants to ensure no medical devices are directly exposed to the internet. The tester uses Shodan to search for common medical-protocol banners, such as "DICOM" or "HL7". They find a PACS server (Picture Archiving and Communication System) exposed on port 104, the traditional DICOM port (11112 is the other commonly used one). The banner reveals the vendor and version, which has a known vulnerability. The tester also uses Censys to check the TLS certificate on the device's web interface, finding it self-signed and expired. The tester reports the exposure and recommends placing the device behind a VPN. Two practical notes: rather than paging through every host that answers on port 104, the tester narrows the search with the product: filter and a protocol keyword; and because some PACS deployments listen on non-standard ports, a search keyed only on port 104 or on a single banner string can miss them, so the tester also searches on the protocol keyword without a port filter.

Scenario 3: Red Team Engagement for a Tech Company

During a red team exercise, the team uses Shodan and Censys to identify potential entry points. They discover a Jenkins server exposed on port 8080 with a banner advertising version 2.289, a 2021 weekly release that is long out of date and is listed as affected in later Jenkins security advisories. They also find a GitLab instance with an open registration page. The team uses these findings to plan their attack vector, but with caution: Shodan results may be stale, and the Jenkins server might have been patched since the last scan. A more recent Censys observation is a useful second opinion, but only an in-scope active check confirms what is running today. Common mistake: assuming all Shodan results are current. The team always cross-references passive findings with active scanning before acting on them.

How PT0-002 Actually Tests This

What PT0-002 Tests (Objective 2.1)

The exam expects you to know:

The difference between Shodan and Censys: Shodan focuses on service banners and IoT devices; Censys provides richer SSL certificate data and more frequent scans.

How to construct effective search queries using filters like port:, country:, org:, and product:.

That both tools are used for passive reconnaissance—no packets are sent to the target.

The limitations: results are not real-time, free tiers have limited results, and some services may be missed.

Common Wrong Answers and Why

1.

"Shodan is an active reconnaissance tool." This is false because Shodan does not require you to send packets; it queries a pre-existing database. Candidates confuse scanning with querying.

2.

"Censys only scans web servers." Censys scans all ports and services, not just HTTP. Its strength is in SSL/TLS, but it covers all protocols.

3.

"Shodan provides real-time data." Shodan data is typically 1-2 weeks old. Candidates overlook the delay.

4.

"You need to install software to use Shodan." Shodan is a web-based service; no installation is required. The API can be used programmatically, but the web interface is sufficient.

Specific Numbers and Values to Memorize

Shodan free tier: 50 results per query, 1 API query per second.

Censys free tier: 100 results per query, 250 queries per month.

Neither Shodan nor Censys probes all 65,535 ports; each scans a large, curated port list on IPv4 and extends it over time.

Both support IPv4 and limited IPv6.

Edge Cases and Exam Traps

The exam may present a scenario where a target uses a CDN (e.g., Cloudflare). Shodan results will show the CDN's IP, not the origin server. Candidates must understand that Shodan returns the IP that responded to the scan, which may be a reverse proxy.

Both scanners complete the TCP handshake and, for TLS services, the TLS handshake, so a "SYN-only probe" is not why a banner is missing. What neither reliably captures is content that appears only after application-layer interaction: a virtual host served only for a specific SNI name, a service that requires a client certificate, or a protocol in which the client must speak first. Censys's parsed protocol data is generally richer for TLS-fronted services.

The exam might ask which tool is best for finding SSL certificate misconfigurations. The answer is Censys, as it parses certificate details in depth.

How to Eliminate Wrong Answers

If the question asks about "passive reconnaissance", eliminate any answer that involves sending packets or scanning.

If the question mentions "SSL/TLS certificates", lean toward Censys.

If the question mentions "IoT devices" or "industrial control systems", Shodan is more likely the correct choice.

Watch for answers that claim real-time data or unlimited results—these are incorrect.

Key Takeaways

Shodan and Censys are passive reconnaissance tools that query pre-scanned databases—no packets sent to the target.

Shodan is best for IoT/ICS devices and service banners; Censys excels at SSL/TLS certificate data.

Shodan free tier returns 50 results; Censys free tier returns 100 results per query.

Data is not real-time; Shodan updates every 1-2 weeks, Censys more frequently.

Use filters like `port:`, `country:`, `org:`, `product:` to narrow results; filters AND together implicitly, and a leading `-` negates one.

Censys provides deeper HTTP response and certificate parsing than Shodan.

Both scan a large, curated set of TCP/UDP ports (not all 65,535) on IPv4 and limited IPv6.

Results may show CDN IPs, not origin servers—be aware of this limitation.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Shodan

Focuses on service banners and IoT/ICS devices.

Data updated every 1-2 weeks on average.

Free tier: 50 results per query, 1 API query/sec.

Stronger for finding default credentials and vulnerable IoT devices.

Provides a 'vuln' filter for paid users to find CVE-affected devices.

Censys

Excels at SSL/TLS certificate enumeration and analysis.

Scans more frequently—some services daily.

Free tier: 100 results per query, 250 queries/month.

Richer HTTP response details (headers, HTML titles).

Provides raw banner data and parsed certificate fields.

Watch Out for These

Mistake

Shodan and Censys are active scanning tools that send packets to the target.

Correct

They are passive reconnaissance tools. The scanning is done by the service providers, not by the user. The user queries a pre-built database, so no packets are sent to the target during the search.

Mistake

Shodan provides real-time data on all devices.

Correct

Shodan's data is typically 1-2 weeks old. Scans are not continuous for every IP; they are batched. Censys scans more frequently but still not real-time.

Mistake

Censys only indexes web servers (HTTP/HTTPS).

Correct

Censys scans all ports and services. While it is known for SSL/TLS certificate data, it captures banners for any service, including SSH, FTP, and databases.

Mistake

You can use Shodan to find devices behind a firewall.

Correct

Shodan can only find devices that are directly reachable from the internet. If a device is behind a firewall that blocks inbound connections, Shodan will not see it.

Mistake

Shodan and Censys give identical results for the same query.

Correct

Results differ because of different scanning methodologies, update frequencies, and parsing techniques. Censys often has more detailed SSL data, while Shodan has broader IoT coverage.


Frequently Asked Questions

What is the difference between Shodan and Censys?

Shodan and Censys are both search engines for internet-connected devices, but they differ in focus. Shodan specializes in service banners and is particularly strong for IoT and industrial control systems. Censys provides richer SSL/TLS certificate data and more frequent scans. For penetration testing, use Shodan to find exposed services and default credentials, and Censys to analyze certificate misconfigurations and HTTP response details. On the PT0-002 exam, if a question involves SSL certificates, the answer is likely Censys; if it involves IoT or ICS, lean toward Shodan.

Can Shodan be used for active reconnaissance?

No, Shodan is a passive reconnaissance tool. You do not send any packets to the target; you query Shodan's pre-existing database. The scanning is performed by Shodan's infrastructure, not by the user. On the exam, any option that describes Shodan as active scanning is incorrect. Active reconnaissance involves tools like Nmap that send probes directly to the target.

How often does Shodan update its data?

Shodan typically updates its data every 1 to 2 weeks, depending on the service and IP address. Critical services may be scanned more frequently, but there is no real-time guarantee. Censys updates more often, sometimes daily. For the exam, remember that Shodan data is not real-time and may be stale.

What search filters are most useful in Shodan for penetration testing?

The most useful Shodan filters include `port:` (e.g., `port:3389` for RDP), `org:` (e.g., `org:"TargetCorp"`), `net:` (e.g., `net:203.0.113.0/24`, a documentation range standing in for a real netblock), `product:` (e.g., `product:"Apache httpd"`), `version:` (e.g., `version:"2.4.49"`), and `country:` (e.g., `country:US`). For finding vulnerabilities, the `vuln:` filter (paid plans) allows searching by CVE ID. Filters AND together implicitly; prefix one with `-` to negate it (e.g., `-org:"Amazon"`), and quote values that contain spaces.

Does Censys only index web servers?

No, Censys scans all ports and services, not just HTTP/HTTPS. It captures banners for SSH, FTP, databases, and any other TCP/UDP service. However, Censys is particularly known for its deep SSL/TLS certificate analysis. On the exam, do not choose an answer that claims Censys only scans web servers.

How can I use Shodan API in Python?

Install the Shodan Python library with `pip install shodan`. Then, with the key in an environment variable, create a client with `api = shodan.Shodan(os.environ['SHODAN_API_KEY'])`, call `results = api.search('port:22')`, and iterate over `results['matches']`, reading each `result['ip_str']`. The API is rate-limited to 1 request per second, filtered searches consume query credits, and `shodan.APIError` is raised when the key is invalid or the credits run out. The exam may ask about API rate limits or how to automate queries.

What are the limitations of Shodan and Censys?

Key limitations: (1) Data is not real-time; there is a delay. (2) Results may be incomplete if the target blocks scanning or uses a CDN. (3) Free tiers have result limits (50 for Shodan, 100 for Censys). (4) Services that reveal themselves only after application-layer interaction (SNI-specific virtual hosts, client-certificate or login-gated services) may not be fingerprinted correctly. (5) IPv6 coverage is limited. Be aware of these for exam questions about tool limitations.

