Originally posted on December 4th, 2019
We’ve recently added a significant amount of data (about 1000 additional ports) that you can use to search for assets on uncommon ports. We call this our Universal Internet Data Set data set, and it gives you more data about more things! Some of the new ports we’re scanning will help you find things like Kibana, Docker, Redis, and ElasticSearch, for example. To get the full list of these new protocols, head over to our technical documentation page.
With the introduction of this data set you can find 35-50% more assets, giving you the broadest real-time view of your entire attack surface, including many assets hidden away on uncommon ports. This broad, global view is critical when you’re trying to defend an organization.
For analysts and threat hunters, more data on more things means you’re getting a more complete global view of threats (like malware and phishing infrastructure), making Censys the best data source for analyzing attacker behavior and gathering intelligence.
Real World Threats Found with This Newly Added Data
Censys customers have made some surprising discoveries of assets hosted on obscure ports that were potentially hosted to hide them from security teams. For example, one team found a remote login system that they were unaware of because it was hidden away on one of these obscure ports. Similarly, another customer found a Command and Control (C2) server hidden away on a port in this data set, which was there purely to launch targeted attacks against them.
The ability to find those hidden threats (and even just services and assets your organization is hosting without your knowledge) gives you a broader, more updated view of your entire attack surface to help you defend and protect your organization.
The Universal Internet Data Set set is one of the information sources we’re using to drive our attack surface discovery, monitoring, and tracking features in our Censys SaaS Platform offering.
What Can I Find in this New Data Set?
These broad, lightweight scans provide additional data from atypical ports, allowing you to better understand the infrastructure you’re analyzing and we’re updating them at least weekly. Our lightweight scanner gathers available banner data, and will complete an HTTP GET or TLS handshake when possible. For each detected IP, this dataset contains:
- Banners, including HTTP responses from a simple GET request if the host is HTTP
- Any TLS certificates presented by the server
Anyone can now view the data we’re collecting from these newly-added ports within the host details pages. What you’ll see is additional data about that particular host, similar to what you see here:
How to Access New Data
All Censys users, including our Pro and (free) Censys Community users, can view this data in the host detail pages. Enterprise users have, full, searchable access to search this data. All Censys SaaS Platform users have access to the data as well. Find more details about how to access this data and what new information you can expect to find via our FAQs page.
The Censys SaaS Platform has the most complete dataset of its kind on the internet powering the product and informing discovery, monitoring and alerting about customers’ attack surfaces.
Find 35-50% More Hosts on 1000+ New Ports
For more detailed information about what ports are included in this data set and how to download the data, visit our technical documentation page.