CyberCheatsheets

Censys Cheat Sheet

Internet-wide scan data and certificate intelligence for hosts, services, and attack surface research.

Category: Reconnaissance & OSINT | Tags: asm, certificates, internet-scan, osint | Updated 2026-06-02

Overview

Censys (Search / Platform) provides structured data on hosts, certificates, and services from Internet scanning. It is strong for certificate-based subdomain discovery, TLS analysis, and historical exposure, which live scanning alone does not show.

Authorized testing only. Use API credentials under your account’s terms. Only investigate assets within engagement scope.

Install

pip install censys

Legacy Search API v1 style (check your account / docs for v2 Platform API)

censys config
censys --help

Essential commands

Certificate search (v1-style examples; verify against current docs)

censys search "target.example.com" --index certificates

Host search

censys search "services.service_name: HTTP" --index hosts

View host details

censys view 1.2.3.4

Common workflows

Subdomains from certificates:

censys search "parsed.names: target.example.com" --fields parsed.names --index certificates

Exposed services on netblock:

censys search "ip:203.0.113.0/24 and services.port: 445" --index hosts

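Platform API (Python SDK; adapt to your tenant):

from censys.search import CensysHosts

# Uses the API ID and secret stored by `censys config`
h = CensysHosts()
# Each iteration yields one page (a list of host hits)
for page in h.search('dns.names: target.example.com', per_page=100):
    print(page)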

Export for httpx:

censys search 'names: *.target.example.com' --fields ip,dns.names -o censys.json

Flags: censys search

--index hosts                Index: hosts, certificates, etc.
--fields ip,services.port    Limit returned fields
-o results.json              Output file
'services.port: 443'         Search query (positional)

Commands: censys CLI

censys config                          Store API ID and secret
censys view hosts 1.2.3.4              Detailed host record
censys view certificates FINGERPRINT   Detailed certificate record

Reference: Censys Platform API

Platform API / Python SDK    Host and certificate search via REST (v2) when CLI Search 1.x is deprecated

Tips

  • Censys migrated features to Platform API—confirm whether your install uses Search 1.x or Platform 2.x.
  • Certificate pivots often find forgotten subdomains missed by brute force.
  • Validate live exposure with httpx/nmap; historical certs may be expired.
  • Pair with [search.censys.io](https://search.censys.io/) for manual query building.
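
An added example (not from the original page or from Censys) for the "Subdomains from certificates" workflow and the tip about expired historical certificates: it keeps only in-scope hostnames from a certificate export and marks names seen only on expired certificates, so validation with httpx/nmap starts from a clean list. The record shape (`names`, `not_after`) and the sample data are constructed assumptions; map them to the fields in your own export.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the record shape ("names", "not_after") is an assumption
# for illustration; map it to the fields your Censys export actually contains.
SAMPLE_EXPORT = json.dumps([
    {"names": ["target.example.com", "*.dev.target.example.com"],
     "not_after": "2031-01-01T00:00:00Z"},
    {"names": ["old-vpn.target.example.com", "cdn.partner.example.net"],
     "not_after": "2019-05-01T00:00:00Z"},
    {"names": ["nottarget.example.com", "API.Target.Example.com."],
     "not_after": "2031-01-01T00:00:00Z"},
])


def in_scope(name, scope):
    """True only for the scope domain itself or a name under it (dot boundary)."""
    return name == scope or name.endswith("." + scope)


def triage(export_json, scope, now=None):
    """Return {hostname: 'current' | 'expired-only'} for in-scope names."""
    now = now or datetime.now(timezone.utc)
    scope = scope.lower().rstrip(".")
    result = {}
    for record in json.loads(export_json):
        expiry = datetime.fromisoformat(record["not_after"].replace("Z", "+00:00"))
        status = "current" if expiry > now else "expired-only"
        for raw in record.get("names", []):
            name = raw.lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # a wildcard proves the parent zone, not a host
            if not in_scope(name, scope):
                continue  # SAN lists often mix in third-party or lookalike names
            # A name seen on any unexpired certificate stays "current".
            if result.get(name) != "current":
                result[name] = status
    return result


if __name__ == "__main__":
    fixed_now = datetime(2026, 6, 2, tzinfo=timezone.utc)
    hosts = triage(SAMPLE_EXPORT, "target.example.com", fixed_now)
    for host, status in sorted(hosts.items()):
        print(f"{status:13} {host}")
```

Names marked `expired-only` may no longer resolve or serve traffic; treat them as leads to confirm, not as live exposure.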
