Harnessing the Power of Censys and Shodan for Effective Reconnaissance in Bug Hunting


2. Installing Tools:

  • Install the Censys and Shodan command-line tools using pip:
      pip install censys
      pip install shodan

Set up the API keys:

  • For Censys, use the command censys config and enter your API ID and secret.
  • For Shodan, run shodan init YOUR_SHODAN_API_KEY.

Using Censys and Shodan for Reconnaissance

Basic Searches:

  • Use Censys and Shodan to search for specific IP addresses, domains, or ports.
  • Example command:
      shodan search apache

Finding New Bugs and CVEs with Censys and Shodan

  1. Identifying Vulnerable Systems:
    • Use these tools to find systems running outdated or vulnerable software versions.
    • Cross-reference your findings with known CVEs to identify potential targets for bug hunting.
  2. Expanding Your Scope:
    • Censys and Shodan can help uncover lesser-known devices or services that might otherwise be overlooked, providing a broader field for finding new vulnerabilities.
  3. Continuous Monitoring:
    • Regularly monitor your areas of interest for new devices or changes in existing ones, which can reveal new security holes.

Example: Finding IPs Vulnerable to a Specific CVE (e.g., CVE-2021-44228)

  1. Understand the CVE:
    • First, understand what the CVE is about. For instance, CVE-2021-44228 refers to a vulnerability in Apache Log4j, a Java-based logging utility.
  2. Determine Search Criteria:
    • Identify unique characteristics or footprints left by the vulnerable software. In this case, you might look for web servers running specific versions of Log4j.
  3. Using Shodan:
    • Open the console or use the Shodan website.
    • Use a search query that targets the specific characteristics of the vulnerability. For example:
        http.title:"Apache" http.html:"Log4j 2.14"
    • This query attempts to find Apache servers that might be running the vulnerable Log4j version.

Using Censys:

  • Similar to Shodan, use Censys to search for devices running the vulnerable software.
  • A search query on Censys might look like:
      80.http.get.headers.server: Apache AND 80.http.get.body: "Log4j 2.14"

Analyzing Results:

  • The search results from both platforms will provide a list of IP addresses and additional details about each potentially vulnerable server.
  • Remember, these results are not definitive proof of vulnerability. They indicate potential targets for further investigation.

Ethical Considerations:

  • It’s crucial to remember that scanning and probing networks without permission is illegal in many jurisdictions. Ensure you have proper authorization before investigating further.


  • If you have permission, you can use vulnerability scanners or manual methods to verify if the identified targets are indeed vulnerable to the CVE in question.
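
The triage described under Analyzing Results and Ethical Considerations, as an added example that is not part of the original post: it reads exported search records, keeps only hosts inside the ranges you are authorized to test, flags services not seen in an earlier export, and labels every hit as unverified. The sample records, the IN_SCOPE range and the function names are constructed for illustration; the record fields follow the shape of Shodan banner data.

```python
import ipaddress
import json

# Constructed sample records (documentation IP ranges), one JSON object per
# line, using Shodan banner field names: ip_str, port, product, version.
SAMPLE_EXPORT = """\
{"ip_str": "192.0.2.10", "port": 8080, "product": "Apache httpd", "version": "2.4.41"}
{"ip_str": "198.51.100.7", "port": 80, "product": "Apache httpd", "version": "2.4.29"}
{"ip_str": "192.0.2.200", "port": 443, "product": "nginx"}
"""

# Assumption: the ranges covered by your written authorization or programme scope.
IN_SCOPE = ["192.0.2.0/24"]


def load_banners(text):
    """Parse JSON-lines export text into a list of banner dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(banners, scope_cidrs, known_services=frozenset()):
    """Return (in-scope candidates, out-of-scope IPs).

    known_services holds (ip, port) pairs from an earlier export, so that
    newly exposed in-scope services stand out during continuous monitoring.
    """
    networks = [ipaddress.ip_network(c) for c in scope_cidrs]
    candidates, out_of_scope = [], []
    for b in banners:
        addr = ipaddress.ip_address(b["ip_str"])
        if not any(addr in net for net in networks):
            out_of_scope.append(b["ip_str"])  # recorded, never probed
            continue
        software = f'{b.get("product", "unknown")} {b.get("version", "")}'.strip()
        candidates.append({
            "ip": b["ip_str"],
            "port": b["port"],
            "software": software,
            "new": (b["ip_str"], b["port"]) not in known_services,
            "status": "unverified",  # a banner match is not proof of vulnerability
        })
    return candidates, out_of_scope


if __name__ == "__main__":
    previous = {("192.0.2.10", 8080)}  # constructed earlier snapshot
    found, skipped = triage(load_banners(SAMPLE_EXPORT), IN_SCOPE, previous)
    for c in found:
        print(c)
    print("out of scope:", skipped)
```
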

Example in Bug Hunting:

In the context of bug hunting, discovering servers or systems potentially vulnerable to a specific CVE can be the first step in responsibly reporting these vulnerabilities. For instance, you might find a server that is running an outdated, vulnerable version of software and then report this to the server owner or through a bug bounty program.


Tools like Shodan and Censys are powerful for initial reconnaissance in identifying potentially vulnerable targets. However, they should be used responsibly and legally, with a focus on ethical hacking and responsible disclosure.
