2. Installing Tools:
- Install the Censys and Shodan command-line tools using pip:
pip install censys
pip install shodan
Set up the API keys:
- For Censys, run:
censys config
and enter your API ID and secret.
- For Shodan, run:
shodan init YOUR_SHODAN_API_KEY
Using Censys and Shodan for Reconnaissance
Basic Searches:
- Use Censys and Shodan to search for specific IP addresses, domains, or ports.
- Example command:
shodan search apache
Finding New Bugs and CVEs with Censys and Shodan
Identifying Vulnerable Systems:
- Use these tools to find systems running outdated or vulnerable software versions.
- Cross-reference your findings with known CVEs to identify potential targets for bug hunting.
Expanding Your Scope:
- Censys and Shodan can help uncover less-known devices or services that might be overlooked, providing a broader field for finding new vulnerabilities.
Continuous Monitoring:
- Regularly monitor your areas of interest for new devices or changes in existing ones, which can reveal new security holes.
Example: Finding IPs Vulnerable to a Specific CVE (e.g., CVE-2021-44228)
Understand the CVE:
- First, understand what the CVE is about. For instance, CVE-2021-44228 refers to a vulnerability in Apache Log4j, a Java-based logging utility.
Determine Search Criteria:
- Identify unique characteristics or footprints left by the vulnerable software. In this case, you might look for web servers running specific versions of Log4j.
Using Shodan:
- Open the console or use the Shodan website.
- Use a search query that targets the specific characteristics of the vulnerability. For example:
http.title:"Apache" http.html:"Log4j 2.14"
- This query attempts to find Apache servers that might be running the vulnerable Log4j version.
Using Censys:
- Similar to Shodan, use Censys to search for devices running the vulnerable software.
- A search query on Censys might look like:
80.http.get.headers.server: Apache AND 80.http.get.body: "Log4j 2.14"
Analyzing Results:
- The search results from both platforms will provide a list of IP addresses and additional details about each potentially vulnerable server.
- Remember, these results are not definitive proof of vulnerability. They indicate potential targets for further investigation.
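The two points above (results need triage, and your areas of interest should be monitored over time) can be handled with a small script. The following is an added example, not code from the original page or from Censys or Shodan. It assumes the search results have already been exported as records using the Shodan host-result field names (ip_str, port, product, version); Censys results would need to be mapped to the same shape first. The snapshots, the in-scope network (a documentation range) and the minimum-version policy are all constructed for the example. It keeps only hosts inside your own address ranges, reports services that appeared, disappeared or changed between two snapshots, and flags services whose self-reported version is below a patch-policy threshold so they can be verified by hand.

```python
"""Triage and monitoring of Shodan-style search results (added example)."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample snapshots: what two searches scoped to an organization's
# own address space might return on different days. Addresses are from the
# 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, not real hosts.
PREVIOUS_SNAPSHOT = [
    {"ip_str": "203.0.113.10", "port": 443, "product": "Apache httpd", "version": "2.4.54"},
    {"ip_str": "203.0.113.10", "port": 22, "product": "OpenSSH", "version": "8.9p1"},
    {"ip_str": "203.0.113.25", "port": 8080, "product": "Apache Tomcat", "version": "9.0.50"},
]
CURRENT_SNAPSHOT = [
    {"ip_str": "203.0.113.10", "port": 443, "product": "Apache httpd", "version": "2.4.54"},
    {"ip_str": "203.0.113.25", "port": 8080, "product": "Apache Tomcat", "version": "9.0.50"},
    {"ip_str": "203.0.113.25", "port": 8443, "product": "Apache Tomcat", "version": "9.0.50"},  # new port
    {"ip_str": "203.0.113.77", "port": 80, "product": "nginx", "version": "1.18.0"},  # new host
    {"ip_str": "198.51.100.5", "port": 80, "product": "nginx", "version": "1.18.0"},  # not ours
]

# Hypothetical: the address ranges you are authorized to look at (your own assets).
IN_SCOPE = [ipaddress.ip_network("203.0.113.0/24")]

ServiceKey = Tuple[str, int]


def in_scope(record: Dict, networks=IN_SCOPE) -> bool:
    """True only if the record's IP falls inside one of our own networks."""
    try:
        addr = ipaddress.ip_address(record["ip_str"])
    except (KeyError, ValueError):
        return False  # malformed record: never treat it as in scope
    return any(addr in net for net in networks)


def service_key(record: Dict) -> ServiceKey:
    """A service is identified by (ip, port); product/version are attributes."""
    return (record["ip_str"], int(record["port"]))


def diff_snapshots(previous: Iterable[Dict], current: Iterable[Dict],
                   networks=IN_SCOPE) -> Dict[str, List[ServiceKey]]:
    """Report in-scope services that appeared, vanished, or changed banner."""
    prev = {service_key(r): r for r in previous if in_scope(r, networks)}
    cur = {service_key(r): r for r in current if in_scope(r, networks)}

    def banner(r: Dict) -> Tuple[Optional[str], Optional[str]]:
        return (r.get("product"), r.get("version"))

    return {
        "added": sorted(set(cur) - set(prev)),
        "removed": sorted(set(prev) - set(cur)),
        "changed": sorted(k for k in set(cur) & set(prev)
                          if banner(cur[k]) != banner(prev[k])),
    }


def parse_version(version: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Turn a leading dotted-numeric prefix ("9.0.50", "8.9p1") into a tuple.

    Returns None when nothing numeric is present, so the caller can treat an
    unknown version as "needs a look" rather than silently passing it.
    """
    if not version:
        return None
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def outdated_services(records: Iterable[Dict], product_substring: str,
                      minimum_version: str, networks=IN_SCOPE) -> List[ServiceKey]:
    """In-scope services whose banner names the product and reports a version
    below the patch-policy minimum (or no parseable version at all).

    Banner versions are self-reported by the host and can be stale, spoofed
    or backported; this list is a verification queue, not proof of exposure.
    """
    floor = parse_version(minimum_version)
    hits = []
    for r in records:
        if not in_scope(r, networks):
            continue
        if product_substring.lower() not in (r.get("product") or "").lower():
            continue
        seen = parse_version(r.get("version"))
        if seen is None or seen < floor:
            hits.append(service_key(r))
    return sorted(hits)


if __name__ == "__main__":
    print("changes:", diff_snapshots(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT))
    # "9.0.60" is a made-up policy threshold, not a CVE boundary.
    print("tomcat below policy:", outdated_services(CURRENT_SNAPSHOT, "Tomcat", "9.0.60"))
```

In practice the two snapshot lists would be loaded from the JSON you export after each scheduled search, and the diff output is what gets reviewed: a new port or host on your own range is worth a ticket even when no CVE is involved, and anything in the outdated list is confirmed with an authorized scanner or by hand before being called vulnerable.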
Ethical Considerations:
- It’s crucial to remember that scanning and probing networks without permission is illegal in many jurisdictions. Ensure you have proper authorization before investigating further.
Verification:
- If you have permission, you can use vulnerability scanners or manual methods to verify if the identified targets are indeed vulnerable to the CVE in question.
Example in Bug Hunting:
In the context of bug hunting, discovering servers or systems potentially vulnerable to a specific CVE can be the first step in responsibly reporting these vulnerabilities. For instance, you might find a server that is running an outdated, vulnerable version of software and then report this to the server owner or through a bug bounty program.
Conclusion:
Tools like Shodan and Censys are powerful for initial reconnaissance in identifying potentially vulnerable targets. However, they should be used responsibly and legally, with a focus on ethical hacking and responsible disclosure.