Shodan and Censys — Internet Infrastructure OSINT Guide

BLUF

Shodan (John Matherly, 2009) and Censys (University of Michigan research project, 2015; now Censys Inc.) are the two primary internet-wide scanning services that provide OSINT analysts with searchable access to banner data, service fingerprints, TLS/SSL certificates, and device metadata for every publicly accessible internet-connected device and service globally. Where Google indexes web page content, Shodan and Censys index the devices and services themselves: the SSH banner of a Linux server in Tehran, the exposed industrial control system panel in a Belarusian power plant, the certificate transparency log entries for a domain cluster operated by a threat actor, or the JARM TLS fingerprint of a C2 server. These tools transform infrastructure analysis from a target-by-target sequential process into a searchable, queryable database — enabling analysts to pivot from a single IP address to an entire hosting infrastructure, or from a certificate to all domains sharing that certificate, in seconds. Both tools provide free API tiers sufficient for most OSINT analytical workflows; Shodan’s paid tier adds historical data and expanded API access.


Shodan

Core Capabilities

Banner collection: Shodan’s scanning infrastructure probes every IPv4 address across common ports (21, 22, 23, 25, 80, 443, 8080, etc.) and records the response banner — the raw text response from the service. Banners often contain: server software version, operating system, hostname, organization, and country.

Device categories: industrial control systems (ICS/SCADA), routers, webcams, printers, storage systems (exposed S3-equivalent), VPN endpoints, mail servers, databases (MongoDB, Elasticsearch, Redis with no auth).

Search interface: shodan.io/search — query syntax similar to Google advanced operators.

Shodan Search Syntax

Query                                        Description
hostname:example.com                         All services on a specific hostname
ip:192.0.2.0/24                              CIDR range
org:"Rostelcom"                              By organization name (ASN owner)
country:IR                                   By country code
port:22 product:"OpenSSH" version:"7.9"      Specific service version
ssl.cert.subject.cn:*.example.com            SSL certificate subject wildcard
http.title:"Login"                           HTTP page title contains string
has_screenshot:true                          Has a screenshot (useful for exposed web UIs)
net:5.9.0.0/16 port:4444                     Common C2 port on a specific CIDR

Shodan API

import shodan

api = shodan.Shodan('YOUR_API_KEY')

# IP lookup: host() returns the full record for one IP (org, location, open ports)
result = api.host('8.8.8.8')
print(result['org'], result['country_name'])

# Search: each match carries the raw banner text in its 'data' field
results = api.search('org:"Rostelcom" port:22')
for r in results['matches']:
    print(r['ip_str'], r['port'], r.get('data', '')[:100])

# Count: returns only the number of matches and consumes no query credits
count = api.count('port:4444 country:RU')
print(f"Found: {count['total']}")

Free tier: 1 result per search, 100 search credits/month; $49/month Freelancer removes most limits.

Intelligence Applications

C2 infrastructure hunting: common C2 ports (4444, 8080, 9090, 1080) + specific Metasploit/Cobalt Strike JARM TLS fingerprints → identify threat actor infrastructure clusters before formal disclosure.

Exposed ICS/SCADA discovery: search port:502 (Modbus), port:102 (S7comm), port:44818 (EtherNet/IP) + target country → critical infrastructure exposure assessment.

Domain infrastructure mapping: ssl:"target.com" → all SSL certificates naming the target domain → pivot to additional infrastructure.


Censys

Core Capabilities

Certificate transparency integration: Censys integrates CT (Certificate Transparency) logs — the public log of all TLS certificates issued by trusted CAs. Every certificate issued is logged; Censys makes this searchable, enabling discovery of subdomains and infrastructure before DNS propagation.

IPv4 host + X.509 certificate database: Censys scans the IPv4 address space, including port 443 globally, and collects the X.509 certificates presented in TLS handshakes. The resulting database is queryable by certificate fields (CN, SAN, issuer, serial number, fingerprint).

Differences from Shodan: Censys emphasizes certificate transparency and structured protocol parsing; Shodan emphasizes raw banner collection and broader port coverage. Both are complementary — use both for complete infrastructure coverage.

Censys Search Syntax

Search hosts (search.censys.io/hosts):

Query                                                              Description
ip:192.0.2.0/24                                                    CIDR range
services.port:22 AND location.country_code:IR                      Service + country
services.tls.certificate.parsed.subject.common_name:*.example.com  Certificate CN wildcard
services.http.response.headers.server:"nginx/1.18"                 Specific web server version
autonomous_system.name:ROSTELCOM                                   ASN organization

Search certificates (search.censys.io/certificates):

Query                                                                           Description
parsed.subject.common_name:*.malicious-domain.com                               Certificate for domain wildcard
parsed.names:example.com                                                        Any certificate field containing domain
parsed.issuer.organization:"Let's Encrypt" AND parsed.subject.organization:VPN  Let's Encrypt VPN certs
parsed.fingerprint_sha256:ABC123...                                             Specific certificate fingerprint

Censys API

from censys.search import CensysHosts

h = CensysHosts(api_id="YOUR_ID", api_secret="YOUR_SECRET")

# IP lookup: view() returns the current host record for one IP
host = h.view("8.8.8.8")
print(host['autonomous_system']['name'])

# Search: search() yields result pages; each page is a list of host records
query = "services.port:4444 AND location.country_code:RU"
for page in h.search(query, pages=2):
    for hit in page:
        services = hit.get('services', [])
        print(hit['ip'], services[0].get('port') if services else None)

Free tier: 250 queries/month; Researcher tier (application-based) provides expanded access for academic/security research.


JARM TLS Fingerprinting

JARM (Salesforce Security, 2020) is an active TLS fingerprinting technique that identifies the TLS implementation of a server by its response to 10 specifically crafted TLS handshakes. The resulting 62-character hexadecimal hash identifies the TLS library and configuration, enabling identification of specific software stacks.

Intelligence application: known Cobalt Strike, Metasploit, and other C2 frameworks produce distinctive JARM fingerprints. Search for these fingerprints across Shodan/Censys to identify uncategorized instances of the same C2 infrastructure.

import shodan
api = shodan.Shodan('YOUR_API_KEY')
# Search Shodan for the Cobalt Strike default JARM
# Common CS JARM: 07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba37e62256
results = api.search('ssl.jarm:07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba37e62256')
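What a JARM value actually encodes, and why two servers can match exactly or only partly, as an added example that is not from this guide or the JARM project: the layout (ten 3-character probe results, then a 32-character truncated SHA-256 of the server's extensions) and the version-letter scheme follow the published jarm.py; the watch-list fingerprints and test values are constructed, not real product fingerprints.

```python
# JARM layout: 10 probes x (2-char cipher index + 1-char version letter) = 30 chars,
# "000" = the server refused that client hello; then 32 hex chars of a truncated
# SHA-256 over the server's cumulative extensions (certificate data excluded).
# Version letter as produced by jarm.py's version_byte(): "abcdef"[minor byte of 03xx].
VERSION_LETTERS = {"a": "SSLv3", "b": "TLS1.0", "c": "TLS1.1", "d": "TLS1.2", "e": "TLS1.3"}
HEX = set("0123456789abcdef")


def decode_jarm(fp):
    """Split a 62-char JARM into per-probe (cipher index, version) tuples and the extension hash."""
    fp = fp.strip().lower()
    if len(fp) != 62 or set(fp) - HEX:
        raise ValueError("a JARM fingerprint is 62 hex characters")
    probes = []
    for i in range(10):
        block = fp[3 * i:3 * i + 3]
        if block == "000":
            probes.append(None)  # server refused this client hello
        else:
            # 1-based index into JARM's internal cipher list (not reproduced here)
            probes.append((int(block[:2], 16), VERSION_LETTERS.get(block[2], "unknown")))
    return {"probes": probes, "ext_hash": fp[30:]}


def compare_jarm(candidate, known):
    """'exact', 'handshake-only' (same 30-char probe profile, different extension hash)
    or 'none'. A handshake-only match is a weak lead: it usually means the same TLS
    library or configuration, not necessarily the same product."""
    c, k = decode_jarm(candidate), decode_jarm(known)
    if candidate.strip().lower() == known.strip().lower():
        return "exact"
    if c["probes"] == k["probes"]:
        return "handshake-only"
    return "none"


def match_watchlist(candidate, watchlist):
    """Match strength of one observed fingerprint against a {label: jarm} watch-list."""
    return {label: compare_jarm(candidate, fp) for label, fp in watchlist.items()}


if __name__ == "__main__":
    # Constructed fingerprints (not real Cobalt Strike values)
    known = "07d14d16d21d21d00042d41d00041d" + "a" * 32
    print(decode_jarm(known)["probes"][:3])
    print(match_watchlist("07d14d16d21d21d00042d41d00041d" + "b" * 32, {"watch-1": known}))
```

Only exact matches are worth feeding into the ssl.jarm: search above; a handshake-only hit is a reason to look at the host's banner and certificate, not evidence of a C2 framework.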

Investigation Workflow — Domain to Infrastructure Cluster

  1. Seed: target domain suspicious-news.org
  2. Shodan: ssl:"suspicious-news.org" → retrieve all SSL certs naming this domain → note hosting IPs
  3. Censys: parsed.names:suspicious-news.org → same, with CT log coverage → find additional subdomains not in DNS
  4. IP pivot: take the hosting IP → ip:X.X.X.X in Shodan → get full list of domains on same IP → check for infrastructure cluster
  5. Certificate pivot: take the SSL certificate serial number → Censys certificate search → find other domains that share the same certificate (same Subject Alternative Names or same issuer account)
  6. WHOIS pivot: take the registrant email (if not privacy-protected) → passive DNS → find other domains registered with same email
  7. Maltego integration: import identified domains and IPs into Maltego for continued entity expansion
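Steps 2 to 5 of this workflow run offline, as an added example that is not part of this guide: the Shodan ssl:"..." matches and Censys parsed.names:... certificate hits are replaced by constructed, simplified records carrying only the fields the queries above use, so each pivot becomes a filter over pre-fetched data instead of a new ip:/serial query; the WHOIS and Maltego steps are not covered.

```python
# Constructed, simplified stand-ins for Shodan search matches (step 2) and Censys
# certificate records (step 3); not real API output.
SHODAN_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 443, "hostnames": ["suspicious-news.org"],
     "ssl": {"cert": {"subject": {"CN": "suspicious-news.org"}, "serial": 1001}}},
    {"ip_str": "203.0.113.10", "port": 443, "hostnames": ["cdn.other-outlet.net"],
     "ssl": {"cert": {"subject": {"CN": "cdn.other-outlet.net"}, "serial": 1002}}},
    {"ip_str": "198.51.100.7", "port": 8443, "hostnames": [],
     "ssl": {"cert": {"subject": {"CN": "suspicious-news.org"}, "serial": 1001}}},
]
CENSYS_CERTS = [
    {"parsed": {"serial_number": "1001",
                "names": ["suspicious-news.org", "mail.suspicious-news.org", "truth-wire.info"]}},
    {"parsed": {"serial_number": "1002", "names": ["cdn.other-outlet.net"]}},
]


def _cert(match):
    return match.get("ssl", {}).get("cert", {})


def build_cluster(seed, shodan_matches, censys_certs):
    """Steps 2-5 of the workflow over pre-fetched records."""
    domains, ips, serials = {seed}, set(), set()
    # Step 2: Shodan matches naming the seed -> hosting IPs and certificate serials
    for m in shodan_matches:
        if _cert(m).get("subject", {}).get("CN") == seed or seed in m.get("hostnames", []):
            ips.add(m["ip_str"])
            if _cert(m).get("serial") is not None:
                serials.add(str(_cert(m)["serial"]))
    # Step 4: IP pivot -> every name (reverse DNS or cert CN) served from those IPs
    for m in shodan_matches:
        if m["ip_str"] in ips:
            domains.update(m.get("hostnames", []))
            if _cert(m).get("subject", {}).get("CN"):
                domains.add(_cert(m)["subject"]["CN"])
    # Steps 3 and 5: CT data -> all SANs of certs naming the seed or sharing a serial
    for c in censys_certs:
        p = c["parsed"]
        if seed in p["names"] or p["serial_number"] in serials:
            domains.update(p["names"])
            serials.add(p["serial_number"])
    return {"domains": sorted(domains), "ips": sorted(ips), "serials": sorted(serials)}


if __name__ == "__main__":
    print(build_cluster("suspicious-news.org", SHODAN_MATCHES, CENSYS_CERTS))
```

The IP pivot is the noisiest step: on shared hosting or a CDN it pulls unrelated tenants (cdn.other-outlet.net here) into the cluster, so treat IP co-location as a lead to confirm with certificate or WHOIS evidence rather than as attribution.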

Key Connections

Maltego Guide — Shodan/Censys as Maltego Transform data sources
Network Analysis Methodology — infrastructure network construction
Dark Web Methodology — infrastructure analysis applied to dark web hosting
Cyber Threat Intelligence — C2 infrastructure hunting
Attribution — infrastructure attribution chain