eliferjunior/censys
.claude/skills/ts-censys/SKILL.md
Censys search engine for internet-connected hosts, TLS certificates, and domains. Use when: certificate transparency monitoring, finding hosts by certificate fingerprint, alternative to Shodan for TLS/SSL analysis, discovering hosts running specific services, or tracking infrastructure changes via cert issuance.
testing
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add eliferjunior/Claude censysInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 1:25 AM20.2s1 file scanned
SKILL.md
- name:
- censys
- description:
- >-
- license:
- Apache-2.0
- compatibility:
- Python 3.9+
- author:
- terminal-skills
- version:
- 1.0.0
- category:
- research
- tags:
- [censys, certificates, tls, attack-surface, recon]
- agents:
- [claude-code, openai-codex, gemini-cli, cursor]
Censys
Overview
Censys continuously scans the entire internet and indexes every reachable host with detailed information about open ports, TLS/SSL certificates, service banners, and configurations. Censys is particularly strong for certificate-based discovery — it indexes certificate transparency logs and lets you pivot from certificate subject names to IP addresses and vice versa. This makes it excellent for finding unknown infrastructure tied to a target organization.
Requires: Censys API key (free account at censys.io gives 250 queries/month).
Instructions
Step 1: Install and configure
pip install censys
import os
from censys.search import CensysHosts, CensysCerts
from censys.common.exceptions import CensysRateLimitExceededException, CensysNotFoundException
import json
import time
# Set credentials via environment variables (recommended)
# export CENSYS_API_ID="your-api-id"
# export CENSYS_API_SECRET="your-api-secret"
# Or pass directly
CENSYS_API_ID = os.getenv("CENSYS_API_ID", "YOUR_API_ID")
CENSYS_API_SECRET = os.getenv("CENSYS_API_SECRET", "YOUR_API_SECRET")
# Initialize clients
h = CensysHosts(api_id=CENSYS_API_ID, api_secret=CENSYS_API_SECRET)
# Check account quota
account = h.account()
print(f"Quota: {account.get('quota', {})}")
Step 2: Search for hosts by query
def search_hosts(query, max_results=100, fields=None):
"""
Search Censys for hosts matching a query.
Common query examples:
- services.tls.certificates.leaf_data.subject.common_name: "example.com"
- services.port: 3389 and autonomous_system.name: "Company"
- services.http.response.html_title: "Dashboard"
- services.service_name: "REDIS" and not ip: "10.0.0.0/8"
"""
if fields is None:
fields = ["ip", "services.port", "services.service_name", "autonomous_system.name",
"autonomous_system.asn", "location.country", "services.tls.certificates.leaf_data.subject.common_name"]
print(f"Searching: {query}")
results = []
try:
for hit in h.search(query, fields=fields, pages=max_results // 100 + 1):
results.append(hit)
if len(results) >= max_results:
break
time.sleep(0.1) # Gentle rate limiting
except CensysRateLimitExceededException:
print("Rate limit reached. Results so far:")
print(f"Found {len(results)} hosts")
for r in results[:20]:
ip = r.get("ip")
services = r.get("services", [])
ports = [str(s.get("port", "?")) for s in services]
asn_name = r.get("autonomous_system", {}).get("name", "N/A")
country = r.get("location", {}).get("country", "N/A")
print(f" {ip:<20} ports: {','.join(ports):<20} {asn_name} ({country})")
return results
# Find hosts serving TLS certs for a domain
search_hosts('services.tls.certificates.leaf_data.subject.common_name: "*.example.com"')
# Find exposed Redis servers
search_hosts('services.service_name: "REDIS"', max_results=50)
# Find hosts in a specific org
search_hosts('autonomous_system.name: "Example Corporation" and services.port: 443')
Step 3: Look up a specific IP address
def lookup_host(ip_address):
"""Get detailed information about a specific IP from Censys."""
try:
host = h.view(ip_address)
print(f"\n=== Censys Host View: {ip_address} ===")
print(f"IP: {host.get('ip')}")
asn = host.get("autonomous_system", {})
print(f"ASN: {asn.get('asn')} — {asn.get('name')} ({asn.get('country_code')})")
loc = host.get("location", {})
print(f"Location: {loc.get('city')}, {loc.get('country')}")
print(f"\nServices:")
for service in host.get("services", []):
port = service.get("port")
svc_name = service.get("service_name", "unknown")
transport = service.get("transport_protocol", "tcp")
banner = service.get("banner", "")[:80]
tls = service.get("tls", {})
cert_cn = ""
if tls:
leaf = tls.get("certificates", {}).get("leaf_data", {})
cert_cn = leaf.get("subject", {}).get("common_name", "")
print(f" {port}/{transport} — {svc_name}", end="")
if cert_cn:
print(f" | cert: {cert_cn}", end="")
if banner:
print(f" | banner: {banner}", end="")
print()
return host
except CensysNotFoundException:
print(f"Host {ip_address} not found in Censys.")
return None
lookup_host("8.8.8.8")
Step 4: Certificate-based discovery
def find_hosts_by_domain_cert(domain, include_subdomains=True):
"""
Find all IP addresses serving TLS certificates for a domain.
This is highly effective for finding unknown/shadow infrastructure.
"""
if include_subdomains:
query = f'services.tls.certificates.leaf_data.names: "{domain}"'
else:
query = f'services.tls.certificates.leaf_data.subject.common_name: "{domain}"'
fields = [
"ip",
"services.port",
"services.tls.certificates.leaf_data.subject.common_name",
"services.tls.certificates.leaf_data.names",
"services.tls.certificates.leaf_data.issuer.common_name",
"autonomous_system.name",
"location.country",
]
print(f"Finding hosts with TLS certs for: {domain}")
results = []
for hit in h.search(query, fields=fields, pages=5):
results.append(hit)
print(f"\n{len(results)} hosts found:\n")
for r in results:
ip = r.get("ip")
asn = r.get("autonomous_system", {}).get("name", "?")
country = r.get("location", {}).get("country", "?")
services = r.get("services", [])
for svc in services:
tls = svc.get("tls", {})
if tls:
leaf = tls.get("certificates", {}).get("leaf_data", {})
cn = leaf.get("subject", {}).get("common_name", "")
names = leaf.get("names", [])
issuer = leaf.get("issuer", {}).get("common_name", "")
port = svc.get("port")
print(f" {ip}:{port} | CN: {cn} | SAN: {names[:3]} | Issuer: {issuer} | {asn} ({country})")
return results
find_hosts_by_domain_cert("example.com")
Step 5: Aggregation queries
def aggregate_query(query, field, num_buckets=10):
"""
Aggregate Censys results to get a distribution overview.
Useful for understanding what products/versions/countries/orgs are common.
"""
result = h.aggregate(query, field, num_buckets=num_buckets)
print(f"\nAggregation: {query}")
print(f"Field: {field}")
print(f"Total matching: {result.get('total', 0):,}")
print(f"\nTop {num_buckets} values:")
for bucket in result.get("buckets", []):
print(f" {bucket['key']:<50} {bucket['count']:>10,}")
# Distribution of countries for Apache servers on port 80
aggregate_query("services.http.response.headers.Server: Apache", "location.country", 15)
# Distribution of services for a specific ASN
aggregate_query("autonomous_system.asn: 15169", "services.service_name", 20)
# TLS version distribution
aggregate_query("services.tls: *", "services.tls.version_selected", 10)
Step 6: Export results to file
def export_hosts_to_json(query, output_file, max_results=500):
"""Export Censys search results to a JSON file for offline analysis."""
print(f"Exporting up to {max_results} hosts for query: {query}")
results = []
for hit in h.search(query, pages=max_results // 100 + 1):
results.append(hit)
if len(results) >= max_results:
break
with open(output_file, "w") as f:
json.dump(results, f, indent=2)
print(f"Exported {len(results)} records to {output_file}")
return results
# Export all exposed Elasticsearch instances
export_hosts_to_json(
'services.service_name: "ELASTICSEARCH" and services.elasticsearch.indices_count > 0',
"exposed_elasticsearch.json",
max_results=200
)
Censys Query Language Reference
| Query | Description |
|-------|-------------|
| services.port: 443 | Hosts with port 443 open |
| services.service_name: "HTTP" | Hosts running HTTP |
| services.tls.certificates.leaf_data.subject.common_name: "*.example.com" | Wildcard cert for domain |
| services.tls.certificates.leaf_data.names: "example.com" | Any cert naming the domain |
| autonomous_system.name: "Amazon" | Hosts in Amazon ASN |
| autonomous_system.asn: 16509 | Hosts in ASN 16509 |
| location.country: "Germany" | Hosts in Germany |
| ip: "8.8.8.0/24" | Hosts in CIDR range |
| services.http.response.html_title: "Kibana" | Exposed Kibana instances |
| labels: "cloud" | Cloud-hosted infrastructure |
Guidelines
- Certificate pivoting: The most powerful Censys use case is pivoting from a known domain → certificate → IPs → more domains. This often reveals shadow IT and forgotten assets.
- Quota management: Free accounts have 250 queries/month. Use aggregation queries to preview result counts before pulling full data.
- Combine with Shodan: Censys and Shodan index different things. Use both for complete coverage. Censys is stronger on TLS/certificate data; Shodan is stronger on IoT and raw service banners.
- Historical data: Censys Search 2.0 does not provide historical data by default. Use the Censys Data platform for historical snapshots.
- SDK vs REST: The Python SDK handles authentication, pagination, and rate limiting automatically. Prefer it over raw REST calls.
Related Skills
eliferjunior/fireworks-ai
development
VerifiedTrustedCommunity
Expert guidance for Fireworks AI, the platform for running open-source LLMs (Llama, Mixtral, Qwen, etc.) with enterprise-grade speed and reliability. Helps developers integrate Fireworks' inference API, fine-tune models, and deploy custom model endpoints with function calling and structured output support.
SKILL.mdUpdated Apr 17, 2026
eliferjunior/firecrawl
development
VerifiedTrustedCommunity
Convert any website into clean, structured data with Firecrawl — API-first web scraping service. Use when someone asks to "turn a website into markdown", "scrape website for LLM", "Firecrawl", "extract website content as clean text", "crawl and convert to structured data", or "scrape website for RAG". Covers single-page scraping, full-site crawling, structured extraction, and LLM-ready output.
SKILL.mdUpdated Apr 16, 2026
eliferjunior/firebase
tools
VerifiedTrustedCommunity
Expert guidance for Firebase, Google's platform for building and scaling web and mobile applications. Helps developers set up authentication, Firestore/Realtime Database, Cloud Functions, hosting, storage, and analytics using Firebase's SDK and CLI.
SKILL.mdUpdated Apr 16, 2026
eliferjunior/file-upload-processor
development
VerifiedTrustedCommunity
When the user needs to build file upload functionality for a web application. Use when the user mentions "file upload," "image upload," "upload endpoint," "multipart upload," "presigned URL," "S3 upload," "file validation," "upload to cloud storage," or "accept user files." Handles upload endpoints, file validation (type, size, magic bytes), cloud storage integration, and upload status tracking. For image/video processing after upload, see media-transcoder.
SKILL.mdUpdated Apr 16, 2026