
Find and analyze any reachable server and device on the internet - rmason
https://censys.io/
======
snowwindwaves
I have the Schneider Unity PLC programming software and was able to connect to
about 12 out of 16 of the PLCs I tried that were shown on Censys. Of the ones
I could connect to, two had 'security' enabled so that I couldn't see the
program, but still could have stopped it from running or downloaded an
entirely new program. 6 PLCs didn't have the program stored in them, so same
situation. 4 PLCs I was able to download the program. One was a hydroelectric
power plant, one was some kind of food factory that used barley, and two were
some kind of pumping stations, one of which had a bunch of logic for
controlling pH and chlorine. The last modified date for all the programs was
in the last 3 years.

None of the programs had any contact information for the programmer or the
company that owned the infrastructure.

It is hard to believe people are still putting their plants straight on the
internet. Anyone can control any of the outputs which then control real
equipment like 200 kV circuit breakers and disconnects, turbines, valves,
conveyors, mixers, pumps, etc. If interlocks are implemented in the software
as opposed to electrically or mechanically then they can be bypassed which
could easily result in equipment damage, injury to personnel, or death.

~~~
buildbuildbuild
PLEASE report this to ICS-CERT immediately. If you want a direct DHS contact
email me. This is not something to sit on, and you can do a great service to
the cybersecurity of our critical infrastructure.

ics-cert@hq.dhs.gov

[https://www.us-cert.gov/report](https://www.us-cert.gov/report)

~~~
snowwindwaves
I'm not American. I do like to travel the United States, but the last thing I
need is to be labelled as a hacker in my profile when I cross the border and
am greeted by the homeland security officers.

DHS can use the Censys search engine and find all the PLCs with open Modbus
ports just as easily as anyone else in the world!

~~~
buildbuildbuild
Report it anonymously. Knowing of vulnerable systems and intentionally NOT
reporting them is also quite a label.

~~~
snowwindwaves
I have no incentive. US-CERT should offer rewards. I'm not worried about
labels on HN but I am concerned about what shows up on officer Wendy's screen
when I want to enter the USA.

------
mholt
Censys has some really great data. If you find this kind of thing important or
useful, I'd invite you to participate in a project happening right now in the
Caddy web server where we're trying to observe the Internet from a server-side
perspective (rather than having clients scan servers) to gain insights and
understanding as to the health of the Web and its clients. We seek to answer
questions like, "What is being advertised in TLS ClientHellos?" and "Which
clients fail to adhere to HSTS?" and "Is this surge of traffic possibly a
rising global botnet or a DDOS attack?" and "How many HTTPS connections are
being intercepted?" (this one builds off work by some of the Censys team) --
with many more (almost 100 questions). This data set will be unique in that it
will be collected from many diverse networks rather than a single
proprietary/corporate network, and will be made available to the public for
research.

I really encourage you to get involved and participate in this project by
submitting feedback, especially if you are a researcher or work in this field.
We're at the early stages of choosing technologies, but we'll need more voices
to refine the ideas and help with the implementation. The more who contribute,
the better. More info: [https://caddy.community/t/the-caddy-telemetry-project/3224?u...](https://caddy.community/t/the-caddy-telemetry-project/3224?u=matt)

~~~
marmaduke
Maybe naive, but is Caddy collecting and reporting info to Censys?

I have a Caddy server which showed up on Censys after searching by subnet.

~~~
mholt
No, I believe Censys is doing client-side scans.

------
ramblenode
"Just like people use popular search engines to find relevant content on the
Internet, Censys allows users to discover the devices, networks, and
infrastructure on the Internet and monitor how it changes over time."

"Censys was created in 2015 at the University of Michigan, by the security
researchers who developed ZMap, the most widely used tool for Internet-wide
scanning. Over the past five years, the team has performed thousands of
Internet-wide scans, consisting of trillions of probes, and has played a
central role in the discovery or analysis of some of the most significant
Internet-scale vulnerabilities: FREAK, Logjam, DROWN, Heartbleed, and the
Mirai botnet."

How does this compare with shodan.io?

~~~
zitterbewegung
Shodan is more like a search engine. This tool is a service that lets you
perform arbitrary queries on the internet from a port. It's like an indexer or
a scraper.

~~~
scandinavian
No, that's not true. This is exactly the same as shodan.

It's just a frontend for their public datasets:
[https://censys.io/data](https://censys.io/data)

------
greyface-
"Requesting Results Removal

If you would like your host to be excluded from the Censys results, you can
block traffic from the following subnets: 141.212.121.0/24 and
141.212.122.0/24. However, we would encourage you to consider whether this
actually accomplishes what you are intending. Internet-wide scanning is
pervasive and others will still find your host even if it's not listed in
Censys. We will not censor specific hosts or certificates from the Censys
results or historical datasets."

If I notify them that they are unauthorized to scan my networks, and they
continue to scan them, have they violated the CFAA?
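
A defender-side example added here, not code from the thread or from Censys: a small log triage script that uses two facts quoted above, the scanner subnets Censys says its probes come from (141.212.121.0/24 and 141.212.122.0/24) and the Modbus TCP port 502 that snowwindwaves' exposed PLCs answer on, to tag firewall log lines worth reviewing. The log line format, the sample lines and the ICS port table are constructed assumptions.

```python
# Added example (not from the thread): tag inbound connections a defender
# would want to review. Two facts come from the thread: Censys publishes the
# subnets its scans originate from, and exposed PLCs answer on Modbus TCP/502.
import ipaddress
import re

# Subnets Censys states its scans originate from (quoted in the thread).
CENSYS_SCANNER_NETS = [ipaddress.ip_network(n) for n in
                       ("141.212.121.0/24", "141.212.122.0/24")]
# Industrial protocol ports that should never be reachable from the internet;
# 502 (Modbus TCP) is the one named in the thread. Assumption: a short table.
ICS_PORTS = {502: "modbus-tcp"}

# Constructed, simplified firewall log format (hypothetical):
# "<ts> ACCEPT|DROP src=<ip> dst=<ip> proto=<proto> dpt=<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) proto=(?P<proto>\S+) dpt=(?P<dpt>\d+)$")

def classify(line):
    """Return the list of tags for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dpt = int(m["dpt"])
    tags = []
    # A hit from the published scanner ranges means the host is being indexed.
    if any(src in net for net in CENSYS_SCANNER_NETS):
        tags.append("censys-scanner")
    # An accepted connection to an ICS port is an exposure regardless of source.
    if m["action"] == "ACCEPT" and dpt in ICS_PORTS:
        tags.append("exposed-" + ICS_PORTS[dpt])
    return tags

def findings(lines):
    """Map line index -> tags, keeping only lines that received at least one tag."""
    out = {}
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            out[i] = tags
    return out

SAMPLE_LOG = [  # constructed sample lines; 203.0.113.5 is the monitored host
    "2017-09-01T10:00:01Z ACCEPT src=141.212.121.17 dst=203.0.113.5 proto=TCP dpt=502",
    "2017-09-01T10:00:02Z ACCEPT src=198.51.100.9 dst=203.0.113.5 proto=TCP dpt=443",
    "2017-09-01T10:00:03Z DROP src=141.212.122.200 dst=203.0.113.5 proto=TCP dpt=22",
    "2017-09-01T10:00:04Z ACCEPT src=198.51.100.77 dst=203.0.113.5 proto=TCP dpt=502",
]

if __name__ == "__main__":
    for i, tags in findings(SAMPLE_LOG).items():
        print(SAMPLE_LOG[i], "->", ", ".join(tags))
```

The last sample line is the case the thread is really about: an accepted Modbus connection from an arbitrary source, which is an exposure whether or not a known scanner ever touched it.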

~~~
throwawayeo5
No, because it’s not against the law to scan servers on the internet. If you
don’t want people to scan listening services, don’t let those services listen
publicly on the internet. If you were to log into the server, though, that
would violate the CFAA.

~~~
greyface-
I know that current caselaw holds that it's not a violation of the CFAA to
portscan in the general case[1]. I'm not asking in the general case; I'm
asking specifically in the case where the scans are regular and ongoing, and
the scanning party has been explicitly given notice that they are
unauthorized.

[1]: [https://nmap.org/book/legal-issues.html](https://nmap.org/book/legal-issues.html)

~~~
pfg
The courts recently ruled on a similar case[1] and came to the conclusion that
it was not a CFAA violation. That said, there's a difference between a public
website such as LinkedIn and a host that just happens to be reachable over the
internet, so I'm not sure it would be fully applicable.

[1]: [https://arstechnica.com/tech-policy/2017/08/court-rejects-li...](https://arstechnica.com/tech-policy/2017/08/court-rejects-linkedin-claim-that-unauthorized-scraping-is-hacking/)

------
zb3
They only scan few ports. Alternatives that scan more ports are: shodan.io,
zoomeye.org and fofa.so

------
matte_black
I'm not a security expert, can someone explain to me how this product is used
and why it's worth $1000 a month (or even more)? What's the alternative?

~~~
gravypod
You can likely take every public IP your organization has, run it through
that, and see what your attack surface looks like. Very useful if you have an
unmanageable and public computer network.

~~~
cm2187
Isn't that something nmap does for free?

~~~
gravypod
Not for WAN, which is where most commercial firewalls will do their magic.

To do this on WAN you need to run zmap, which is considered mean.

~~~
ngharo
Huh. nmap cares not about WAN vs LAN.

~~~
tastythrowaway
You're correct, but I think it's that zmap scans way, way faster than nmap.

------
oh_sigh
Is something like this possible/realistic with IPv6?

~~~
AdamJacobMuller
Yes. It's just harder. masscan can scan at absurd packet rates now.

~~~
blattimwind
A 10 GbE uplink gives you something on the order of a dozen mpps.

2^32 / 10 mpps = 7 minutes.

2^120 / 10 mpps = 4e19 centuries.

~~~
AdamJacobMuller
You're assuming you need to scan the entire IPv4 space, and limiting yourself
to a single 10GbE uplink. Neither of these is required.

------
marmaduke
I searched by subnet and had some false positives and false negatives, and out
of date data. Still, it was a bit unnerving to see the right IPs show up with
the right web servers.

------
elorant
So I tried "web cam" and pretty much every result was from live adult cam
shows. I thought this worked like Shodan but apparently that's not the case.

------
voidmain0001
I tried it, and I'm disappointed that it doesn't include nmap fingerprinting
to determine the OS type. Perhaps that is a paid for feature.

------
amelius
I searched for "scihub", and it tells me it is located in Singapore.

~~~
zyberzero
GeoIP isn't that good. It put two of my machines (located in Frankfurt, DE and
Amsterdam, NL) in the US. They also put my home IP located in Sweden in the
neighbouring country Norway (I have a Norwegian ISP though).

