  • Shodan
  • Censys
  • VirusTotal
  • Have I Been Pwned

Shodan and Censys are similar, but Shodan focuses on Internet-connected devices and systems, such as servers, routers, webcams, and IoT devices. Censys, on the other hand, focuses on Internet-connected hosts, websites, certificates, and other Internet assets.

Why use them

  • Map what your organisation exposes on the Internet (open ports, old software, admin pages).
  • Find outdated or vulnerable services (e.g., servers still running an old Apache version).
  • Investigate certificates and which hosts share the same TLS cert.
  • Useful for security audits, red‑team recon, incident response, and learning.

Shodan (web UI queries)

  • Find Lighttpd servers:
      product:"lighttpd"
  • Find Apache servers mentioning version 2.4.1:
      "Apache/2.4.1"
  • Find admin pages in South Korea on port 80:
      http.title:"Admin" port:80 country:"KR"
  • Find SSH hosts with screenshots (to inspect web UIs):
      port:22 has_screenshot:true
  • Limit to a company (by organization):
      org:"Example Inc" port:443

How to read Shodan results

  • Each result shows IP, port, and a short banner.
  • Look at the right‑hand Facets panel to see top countries, ports, or ASNs (this quickly shows distribution).
  • Click a host to view detailed info and any screenshot.

Censys (web UI queries)

  • Find hosts using a certificate for example.com:
      services.tls.certificates.leaf_data.names: "example.com"
  • Find HTTP pages containing the word "admin":
      services.http.response.body: "admin"
  • Find hosts with OpenSSH banner:
      services.ssh.banner: "OpenSSH"

How to read Censys results

  • Censys shows parsed fields (cert details, HTTP body, SSL issuer).
  • Use certificate results to find other domains hosted on the same cert — useful for discovering related assets.

Quick beginner workflows (what you might actually do)

  • Check your company: Search org:"Your Company Name" on Shodan → review open ports and top services.
  • Spot outdated software: Search "<software/version>" (e.g., "Apache/2.4.1") → review top countries and hosts to prioritize patching.
  • Certificate pivoting: In Censys search for your domain's cert → list IPs and other domains using the same cert to find forgotten assets.

VirusTotal — file & URL scanning

What it is: Multi‑engine malware/URL scanner and community hub. Useful to check if a file/URL is flagged, and to view community comments.

Use cases

  • Check file hash or URL reputation.
  • See detection ratio across engines and community notes.
  • Hunt for malicious payloads found in public repos or on websites.

Tip: Many OSINT workflows query VirusTotal hashes/URLs to triage suspicious files found during recon.

Have I Been Pwned (HIBP)

What it is: Database of breached accounts. Enter an email (or check via API) to see if it appears in known breaches or paste dumps.

Use cases

  • Check if corporate or personal emails have been compromised.
  • Drive password‑rotation and account hardening policies.

How Security Professionals Actually Use These Tools

Scenario 1: New Security Audit

You're hired to assess a company's security posture. Here's your workflow:

  1. Shodan search: org:"Target Company Inc"
     • Discover 47 IP addresses
     • Notice several still running Apache 2.4.1 (outdated)
     • Find an admin panel accidentally exposed on port 8080

  2. Censys investigation: Search for company's SSL certificate
     • Find 3 forgotten subdomains using the same cert
     • Discover old staging server still running with default credentials

  3. VirusTotal check: Scan the company's download page URLs
     • Confirm legitimate downloads aren't flagged
     • Check file hashes of software they distribute

  4. HIBP monitoring: Check company email domain
     • Find 23 employee emails in recent breaches
     • Recommend immediate password resets

Scenario 2: Incident Response

Your company suffered a breach. You need to understand how attackers saw your infrastructure:

  1. Shodan: View your attack surface as attackers did
  2. Censys: Check if any certificates were compromised or misused
  3. VirusTotal: Search for any malicious files associated with your domains
  4. HIBP: Check if credentials were dumped publicly

Scenario 3: Vulnerability Management

A new critical vulnerability affects Apache 2.4.1:

  1. Shodan: org:"Your Company" "Apache/2.4.1"
  2. Generate list of affected servers
  3. Prioritize patching based on exposure
  4. Verify patches with follow-up scans
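
Steps 2 to 4 of this scenario as an added Python example (not from the original page), working offline on an exported result set for your own organisation. The field names follow Shodan's banner format; the sample records, the product string "Apache httpd", the scoring weights and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample shaped like Shodan banner records (documentation IPs).
SCAN_BEFORE = [
    {"ip_str": "192.0.2.10", "port": 80, "product": "Apache httpd", "version": "2.4.1", "http": {"title": "Welcome"}},
    {"ip_str": "192.0.2.10", "port": 8080, "product": "Apache httpd", "version": "2.4.1", "http": {"title": "Admin Login"}},
    {"ip_str": "192.0.2.10", "port": 22, "product": "OpenSSH", "version": "8.9"},
    {"ip_str": "192.0.2.20", "port": 443, "product": "Apache httpd", "version": "2.4.1", "http": {"title": None}},
    {"ip_str": "192.0.2.30", "port": 443, "product": "Apache httpd", "version": "2.4.58", "http": {"title": "Blog"}},
]
# Constructed follow-up scan: .10 was upgraded, .20 was missed.
SCAN_AFTER = [
    {"ip_str": "192.0.2.10", "port": 80, "product": "Apache httpd", "version": "2.4.58"},
    {"ip_str": "192.0.2.10", "port": 8080, "product": "Apache httpd", "version": "2.4.58"},
    {"ip_str": "192.0.2.20", "port": 443, "product": "Apache httpd", "version": "2.4.1"},
]

def affected(banners, product, version):
    """Step 2: map each IP to the ports whose banner matches product and version.
    A match is a lead, not proof: distributions backport fixes without a version bump."""
    hits = defaultdict(set)
    for b in banners:
        if b.get("product") == product and b.get("version") == version:
            hits[b["ip_str"]].add(b["port"])
    return {ip: sorted(ports) for ip, ports in hits.items()}

def exposure_score(ip, banners, vulnerable_ports):
    """Step 3: rank by exposure. The weights are assumptions; tune them."""
    mine = [b for b in banners if b["ip_str"] == ip]
    score = 10 * len(vulnerable_ports)               # each exposed vulnerable service
    score += 2 * len({b["port"] for b in mine})      # overall open-port count
    titles = [((b.get("http") or {}).get("title") or "").lower() for b in mine]
    if any("admin" in t for t in titles):            # an admin page is reachable
        score += 20
    return score

def prioritize(banners, product, version):
    """Return (score, ip, vulnerable_ports) tuples, highest exposure first."""
    hits = affected(banners, product, version)
    ranked = [(exposure_score(ip, banners, p), ip, p) for ip, p in hits.items()]
    return sorted(ranked, key=lambda r: (-r[0], r[1]))

def still_vulnerable(before, after, product, version):
    """Step 4: hosts flagged before patching that still match afterwards."""
    return sorted(affected(before, product, version).keys() & affected(after, product, version).keys())

if __name__ == "__main__":
    print(prioritize(SCAN_BEFORE, "Apache httpd", "2.4.1"))
    print("unpatched:", still_vulnerable(SCAN_BEFORE, SCAN_AFTER, "Apache httpd", "2.4.1"))
```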

Ethics & operational notes

  • Only scan assets you own or have explicit permission to test. Internet scanning and exploiting are legally sensitive.
  • Use API keys responsibly (rate limits). Paid subscriptions unlock more data and historical trends.
  • When you find credentials or secrets: do not use them — follow responsible disclosure / contact owner.