Resources
Censys identifies 230+ Internet protocols across all 65K ports,
uncovering services and labeling applications that would otherwise go unseen.
Below are protocols and applications within the Internet Map, searchable within our platform.
Apache ActiveMQ is an open-source message broker used to move data between applications and services. Exposed brokers matter because messaging systems can reveal internal workflows, credentials, or command paths between distributed systems.
Android Debug Bridge is a remote management and debugging protocol for Android devices. Reachable debug bridges are high-risk because they can enable shell access, device control, data extraction, or malware deployment.
Apple Filing Protocol is a legacy Apple file-sharing protocol for macOS and classic Mac OS environments. Exposed AFP is useful for finding older Apple file-sharing infrastructure, misplaced Time Machine backups, and NAS services that may lack modern hardening.
Advanced Message Queuing Protocol is a messaging protocol used by applications and distributed systems to exchange operational data. Censys researchers explored how to identify exposed AMQP and MQTT infrastructure, which matters because unauthenticated or unencrypted brokers can expose business-critical message flows.
ANERMA CF-FORTH is an industrial control protocol associated with specialized automation systems. Exposed niche ICS protocols are relevant because they often identify sensitive operational technology assets that should not be reachable from the public Internet.
Cisco AnyConnect is a VPN service used to provide secure remote access into enterprise networks. Exposed VPN infrastructure is important to track because it is frequently targeted for credential attacks, vulnerability exploitation, and initial access.
Apache JServ Protocol is used to connect web servers with Java application servers. Exposed backend connector protocols are security-relevant because they can disclose application internals or enable attacks when misconfigured.
APC UPS Daemon is used to monitor and manage uninterruptible power supply devices. Exposed power-management services can reveal availability-sensitive infrastructure dependencies and may create risk around backup power operations.
Apple AirPort Admin is used to remotely manage Apple AirPort networking devices. Exposed administrative interfaces are useful for identifying unmanaged or legacy network equipment.
Apple Remote Desktop is a remote administration protocol for managing macOS systems. Exposed ARD can indicate remote access paths that attackers may probe for weak credentials, misconfiguration, or unauthorized administration.
Asterisk Manager Interface is a control protocol for managing Asterisk PBX systems. Exposed AMI services can reveal VoIP administration paths and may invite brute force, call-routing abuse, or telephony fraud.
Automated Tank Gauge protocols are used to monitor fuel tanks and related industrial systems. Internet-exposed ATG systems are security-relevant because they can reveal sensitive physical infrastructure, fuel operations, and remote monitoring equipment.
BACnet is a building automation protocol used for HVAC, access control, lighting, and facility systems. Censys researched internet-exposed BACnet systems, making exposed BACnet especially relevant for finding building systems that may lack strong authentication or network isolation.
Beanstalkd is a lightweight work queue protocol for background job processing. Exposed queues can leak application workflows or allow attackers to interfere with job execution.
Border Gateway Protocol is used to exchange routing information between autonomous systems. BGP exposure is relevant because routing infrastructure can reveal network ownership, peering relationships, and internet-scale dependency patterns.
Bitcoin protocol services support peer-to-peer communication across the Bitcoin network. Censys investigated crypto phishing sites that attempted to block security researchers, and exposed Bitcoin nodes help researchers map cryptocurrency infrastructure and investigate nodes tied to abuse, mining, or illicit operations.
BitTorrent tracker services coordinate peers participating in file-sharing swarms. Exposed trackers are useful for understanding distribution infrastructure used for legitimate content, piracy ecosystems, or malware delivery.
BOLT is a graph database protocol commonly associated with Neo4j. Exposed BOLT services can reveal graph-backed applications and may indicate sensitive relationship data is reachable.
Apache Cassandra is a distributed NoSQL database protocol. Exposed Cassandra services matter because internet-facing databases can reveal application data, cluster metadata, and weak authentication posture.
CCSO Nameserver is an older directory lookup protocol. Legacy directory services are useful to researchers because they can expose stale identity or organizational information.
Character Generator Protocol returns arbitrary character streams for testing. Exposed CHARGEN can be abused for reflection attacks and often signals legacy network services.
Checkmk Agent is used to collect host and service monitoring data. Exposed monitoring agents can leak system details, software inventory, and operational context that help attackers profile infrastructure.
Check Point topology services expose network security gateway topology information. These services matter because firewall topology and VPN metadata can aid perimeter reconnaissance.
Chromecast services support discovery and control of Google Cast devices. Exposed media devices can indicate unmanaged consumer technology on networks.
Chrome DevTools exposes remote debugging interfaces for Chromium-based browsers and applications. Internet-exposed DevTools endpoints are high-risk because they can reveal active browser targets, runtime state, and remote control surfaces.
CIMON PLC protocols are used by programmable logic controllers in industrial environments. Exposed PLC services can identify operational systems that should be isolated from the public Internet.
Cisco fingerd is a legacy user information service on Cisco devices. Exposed fingerd services can leak device or user information useful for reconnaissance.
Cisco IP SLA is used to measure network performance from Cisco devices. Exposed IP SLA services can reveal network monitoring infrastructure and device configuration patterns.
Cisco NSI is associated with Cisco network service interfaces. Exposed Cisco management-adjacent services can reveal network device footprint and possible administrative attack surface.
Cisco Smart Install is a management protocol for provisioning Cisco switches. Exposed switch provisioning services have historically created serious network device risk because they can expose management functions on core infrastructure.
Citrix protocols support remote application and desktop access. Exposed Citrix infrastructure matters because remote access systems are frequent targets for exploitation, credential attacks, and initial access.
C-more protocols are associated with industrial HMI systems. Exposed HMI services can reveal operator interfaces connected to physical processes.
C-more HMI identifies human-machine interfaces used in automation environments. Exposed HMI panels are high-value findings because they may provide visibility into industrial operations and process controls.
Constrained Application Protocol is a lightweight protocol for IoT and constrained devices. Exposed CoAP services can reveal device telemetry and control surfaces in IoT environments.
Cobalt Strike is a threat emulation framework commonly abused for post-exploitation command and control. Censys ARC researched ways to find Cobalt Strike infrastructure, making this data valuable for tracking watermarks, beacon behavior, certificates, and related adversary infrastructure.
CODESYS is an automation software platform used with PLCs and industrial controllers. Exposed CODESYS services can reveal programmable control systems and industrial engineering environments.
Crestron CP3 identifies Crestron control processors used in AV and building automation. Exposed control systems can reveal conference rooms, automation infrastructure, and physical-space dependencies.
Crestron DIN-AP2 identifies DIN rail automation controllers. These services matter because building automation systems often sit near sensitive physical operations.
Crestron over IP supports Crestron device communication and control. Exposed Crestron services can reveal unmanaged building control infrastructure.
CPE WAN Management Protocol is used by ISPs to manage customer-premises equipment. Exposed CWMP services can identify routers and broadband devices that may be vulnerable, misconfigured, or remotely managed through TR-069-style workflows.
Daytime Protocol returns the current date and time from a host. Exposed Daytime services are mostly legacy signals but can still aid fingerprinting.
IBM Db2 is an enterprise relational database protocol. Exposed Db2 services can indicate sensitive business data systems reachable from the Internet.
Distributed Computing Environment Remote Procedure Call supports remote procedure calls across Windows and enterprise systems. Exposed DCERPC can reveal Windows service surfaces and lateral movement pathways.
DHCP discovery is used to locate DHCP servers on a network. Internet-visible DHCP responses can reveal misconfigured network infrastructure.
DICOM is used to store and exchange medical imaging data. Censys examined the state of internet-exposed healthcare systems, making exposed DICOM services especially sensitive because they may relate to healthcare systems, imaging workflows, and patient data handling.
DICT is a dictionary server protocol for querying word databases. Exposed DICT services are usually low-value but can still help identify legacy or unusual server configurations.
Digi protocols are associated with Digi industrial and network devices. Exposed Digi services can reveal serial-to-IP gateways or industrial connectivity infrastructure.
Distributed Network Protocol 3 is used in electric utilities and industrial control systems. Exposed DNP3 services can reveal critical infrastructure telemetry and control paths.
Domain Name System resolves names to internet infrastructure. DNS is central to security research because it connects domains, hosts, name servers, and attacker infrastructure over time.
DVR/IP protocols identify digital video recorder services. Exposed DVRs are relevant because camera systems are often unmanaged, internet-facing, and commonly targeted.
Echo Protocol returns received data to the sender. Exposed Echo services are legacy signals that can support fingerprinting and reflection-style abuse.
EtherNet/IP is an industrial protocol used for automation and control systems. Exposed EIP services are important for identifying PLCs, sensors, and manufacturing environments that may be reachable from the public Internet.
Elasticsearch is a search and indexing application used to store and query structured and unstructured data. Exposed Elasticsearch instances are security-relevant because they can reveal sensitive datasets, internal logs, indexes, and cluster metadata.
ELF file detection identifies services returning Linux executable content. This is useful for malware and exposure research when binaries are directly reachable from public services.
Endpoint path data captures non-root web paths such as login pages, admin panels, device portals, and application-specific routes. These paths matter because they reveal web application structure beyond `/`, helping researchers find exposed management pages, vulnerable appliances, shadow applications, and high-value investigation pivots.
Erlang Port Mapper Daemon helps Erlang nodes discover each other. Exposed EPMD can reveal distributed application clusters and sometimes unauthenticated node metadata.
etcd is a distributed key-value store used heavily in cloud-native infrastructure. Exposed etcd can leak secrets, configuration, service discovery data, and Kubernetes-related state.
Ethereum protocol services support peer-to-peer Ethereum node communication. Exposed nodes help researchers map blockchain infrastructure and investigate abuse tied to cryptocurrency ecosystems.
EZVIZ protocols identify connected camera and smart home devices. Exposed camera infrastructure can reveal unmanaged IoT and surveillance systems.
Finger is a legacy protocol for querying user information. Exposed Finger services can leak usernames and system metadata useful for reconnaissance.
FINS is an Omron industrial automation protocol. Exposed FINS services can reveal PLCs and factory automation systems.
Flash Socket Policy services supported legacy Adobe Flash socket connections. Exposed services are mostly legacy indicators but can reveal outdated application infrastructure.
FortiGate identifies Fortinet perimeter firewall and VPN interfaces exposed over HTTP or HTTPS. Exposed FortiGate services are important because they can reveal remote access infrastructure, version details, CVE exposure, and perimeter security misconfigurations.
FortiGuard-related services are associated with Fortinet security infrastructure. Exposed Fortinet services can reveal perimeter security devices and management surfaces.
Fortinet FCM is associated with Fortinet communication services. Exposed Fortinet infrastructure is relevant because security appliances are commonly targeted for exploitation.
Fox is a protocol used by Tridium Niagara building automation systems. Exposed Fox services can reveal building management systems, HVAC, and facility automation.
FreeSWITCH is an open-source telephony platform. Exposed FreeSWITCH services can identify VoIP infrastructure that may be targeted for fraud, unauthorized access, or call-routing abuse.
FRP Server is used by Fast Reverse Proxy for exposing internal services through tunnels. Exposed FRPS infrastructure can reveal tunneling services used for remote access, administration, or abuse.
File Transfer Protocol is a legacy protocol for transferring files between clients and servers. Censys ARC examined internet-facing FTP exposure, making FTP useful for measuring legacy risk, anonymous access, weak encryption, and accidental file exposure.
Gearman is a job server protocol for distributing background work. Exposed Gearman services can reveal application task queues and create opportunities to disrupt processing.
Gemini is a lightweight internet protocol for serving simple documents. Exposed Gemini services are useful for mapping alternative web infrastructure and niche content ecosystems.
GeoVision NVR protocols identify network video recorder systems. Exposed NVRs can reveal surveillance infrastructure and unmanaged physical security systems.
GE SRTP is an industrial protocol used by GE automation controllers. Exposed SRTP services can reveal PLCs and industrial control systems.
Ghost is a publishing platform commonly exposed over web services. Exposed Ghost instances matter because CMS platforms can reveal content infrastructure, software versions, and web application attack surface.
Git protocol services expose repositories for source code transfer. Exposed Git can leak source code, secrets, commit history, and internal development context.
GraphQL is an API query language used to request application data through structured schemas. Exposed GraphQL endpoints matter because introspection and verbose responses can reveal application models, hidden fields, and backend data relationships.
GPRS Tunneling Protocol is used in mobile carrier networks. Exposed GTP services can reveal telecom infrastructure and mobile network control-plane surfaces.
HART is an industrial protocol used with process automation instruments. Exposed HART services can reveal sensors, actuators, and industrial control environments.
hddtemp reports hard drive temperature information over the network. Exposed hddtemp services can leak host hardware details and indicate poorly secured monitoring endpoints.
HID VertX identifies access control systems used for physical security. Exposed access control infrastructure is highly sensitive because it may relate to building entry systems.
Hikvision protocols identify cameras and surveillance devices. Exposed Hikvision devices are important because internet-facing cameras are frequently targeted and often poorly managed.
HL7 is used to exchange healthcare data between clinical systems. Exposed HL7 services are sensitive because they may reveal medical workflows or patient-related system interfaces.
Hypertext Transfer Protocol is the foundation of web communication. HTTP is central to security research because web services expose applications, headers, software, certificates, screenshots, and attacker-controlled infrastructure.
IBM NJE is used for network job entry in mainframe environments. Exposed NJE services can reveal legacy enterprise computing infrastructure.
Internet Content Adaptation Protocol is used by proxies for content inspection and modification. Exposed ICAP services can reveal security gateways, proxy workflows, and data inspection infrastructure.
Ident Protocol maps TCP connections to local users. Exposed Ident can leak user or service metadata useful for reconnaissance.
IEC 60870-5-104 is used for telecontrol in electric power systems. Exposed IEC 104 services can reveal utility and critical infrastructure control networks.
Internet Key Exchange is used to negotiate IPsec VPN security associations. IKE is useful for identifying VPN infrastructure, authentication modes, remote access exposure, and perimeter configuration patterns.
Internet Message Access Protocol is used by clients to retrieve email. Exposed IMAP services matter because mail access is a common credential attack target and can reveal mailbox infrastructure.
imqbrokerd is associated with message broker infrastructure. Exposed brokers can reveal application messaging systems and internal service dependencies.
IOTA protocol services support nodes in the IOTA distributed ledger ecosystem. Exposed IOTA nodes help map cryptocurrency and distributed ledger infrastructure.
Intelligent Platform Management Interface provides out-of-band server management. Censys ARC included IPMI in ICS/OT honeypot research, making exposed IPMI high-risk because it can provide powerful hardware-level administrative access.
Internet Printing Protocol supports network printing. Exposed IPP services matter because printers can reveal device details, queues, and overlooked office infrastructure.
Internet Relay Chat is a real-time chat protocol. IRC remains relevant because it has historically been used for botnet command and control as well as legitimate communities.
IRC bouncers proxy or persist IRC connections for users. Exposed bouncers can reveal chat infrastructure and may be abused for anonymity or persistence.
iSCSI carries block storage traffic over IP networks. Exposed iSCSI can create serious risk because it may provide direct access to raw disks or storage volumes.
Ivanti Avalanche is a device and endpoint management application used to administer mobile and enterprise devices. Exposed Avalanche instances are security-relevant because management consoles can reveal software versions, administrative surfaces, and endpoint fleet infrastructure.
Java Remote Method Invocation supports remote Java object calls. Exposed Java RMI is security-relevant because it has a long history of dangerous deserialization and remote execution risks.
Jenkins is an open-source automation server used for CI/CD pipelines and software delivery workflows. Exposed Jenkins instances matter because jobs, nodes, labels, build history, and weak access controls can expose source code, secrets, and deployment paths.
Apache Kafka is a distributed event streaming protocol. Censys researched unauthenticated message queue exposure, and exposed Kafka brokers can reveal high-volume event pipelines, internal topics, and sensitive operational data.
Kerberos is an authentication protocol used heavily in enterprise identity systems. Exposed Kerberos is useful for identifying domain infrastructure and credential-focused attack paths.
KRPC is used by BitTorrent distributed hash table nodes. Exposed KRPC helps researchers map peer-to-peer infrastructure and content distribution networks.
Kubernetes is a container orchestration platform used to deploy, scale, and manage containerized applications. Censys previously added visibility for exposed Kubernetes components, making this data useful for finding dashboards, API endpoints, roles, versions, and cluster metadata exposed to the Internet.
Layer 2 Tunneling Protocol is used for VPN tunneling. Exposed L2TP services can reveal remote access infrastructure and legacy VPN deployments.
Lightweight Directory Access Protocol is used to query directory services. Exposed LDAP can leak users, groups, naming contexts, and organizational metadata.
Line Printer Daemon protocol supports network printing. Exposed LPD services can reveal legacy printers, queues, and document handling paths.
LSP identifies Lantronix Serial Protocol services. Exposed serial device services can reveal industrial, networking, or embedded systems reachable over IP.
Model Context Protocol is an open protocol that connects AI applications to external tools, resources, and prompts. Exposed MCP servers are security-relevant because tool definitions, resources, prompts, and reachable actions can reveal how AI-enabled systems interact with sensitive data or operational workflows.
Multicast DNS supports local network service discovery. Internet-visible mDNS is valuable for detecting leaked hostnames, device types, and local network details.
MELSEC is a Mitsubishi Electric PLC protocol. Exposed MELSEC services can reveal industrial automation controllers and manufacturing systems.
Memberlist is a gossip-based cluster membership protocol. Exposed memberlist services can reveal distributed system nodes and cluster topology.
Memcached is an in-memory caching protocol. Exposed Memcached is relevant because unauthenticated instances can leak cached data or be abused for amplification.
MikroTik bandwidth test services measure network throughput on MikroTik devices. Exposed services can reveal router infrastructure and may aid device fingerprinting.
MikroTik Winbox is a router management protocol. Exposed Winbox services are security-relevant because router management interfaces are frequent targets.
Minecraft server protocol supports multiplayer game servers. Exposed game servers can still matter to researchers because they reveal hosting patterns, communities, and sometimes abused infrastructure.
Manufacturing Message Specification is an industrial protocol used in automation and utility environments. Exposed MMS services can reveal control systems in critical infrastructure.
Modbus is a widely used industrial control protocol. Censys ARC observed Modbus traffic in ICS/OT honeypot research, making exposed Modbus important because it often lacks authentication and can expose read/write access to physical process state.
Monero P2P supports Monero cryptocurrency node communication. Exposed Monero nodes help map cryptocurrency infrastructure and investigate mining-related abuse.
MongoDB is a document database protocol. Exposed MongoDB services matter because misconfigured databases have repeatedly led to large-scale data exposure.
Message Queuing Telemetry Transport is a lightweight publish-subscribe protocol common in IoT. Censys researchers showed how to find MQTT and AMQP services, making MQTT useful for identifying exposed brokers, weak authentication, and unencrypted device telemetry.
Microsoft Message Queuing is a Windows messaging protocol. Exposed MSMQ services can reveal enterprise application messaging infrastructure and legacy Windows attack surface.
Microsoft SQL Server is a relational database protocol. Exposed MSSQL can reveal enterprise data stores, authentication posture, and database-to-OS abuse paths.
Multistream Select is used in libp2p to negotiate protocols. Exposed services help researchers map peer-to-peer and decentralized application infrastructure.
Murmur is the server component for Mumble voice chat. Exposed Murmur services can identify voice infrastructure and unmanaged collaboration systems.
MySQL is a widely used relational database protocol. Exposed MySQL services often contain sensitive application and customer data.
NAT Port Mapping Protocol allows clients to request port mappings from routers. Exposed NAT-PMP can reveal routers that may allow unintended inbound access.
NATS is a messaging system for cloud-native applications. Censys researched unauthenticated message queue exposure, and exposed NATS services can reveal internal service communication and event-driven architecture.
Network Block Device exposes block storage over a network. Exposed NBD services can create serious risk because they may provide direct access to raw storage.
.NET Binary Formatter is a serialization format associated with .NET applications. Exposed deserialization surfaces matter because unsafe deserialization can lead to serious compromise.
NetBIOS supports legacy Windows name and session services. Exposed NetBIOS can leak hostnames, workgroups, and Windows network information.
Netis protocols identify Netis networking devices. Exposed router services can reveal consumer or small business network equipment.
NFS mountd supports Network File System mount requests. Exposed NFS mount services can reveal shared file systems and create data exposure risk.
NMEA protocols carry navigation and positioning data. Exposed NMEA services can reveal GPS, maritime, or location-related infrastructure.
Network News Transfer Protocol supports Usenet message distribution. Exposed NNTP servers can reveal legacy discussion infrastructure and content distribution services.
Network Time Protocol synchronizes clocks across systems. Exposed NTP matters because time underpins authentication, logging, cryptographic workflows, and incident reconstruction.
Networked Transport of RTCM via Internet Protocol streams GNSS correction data. Exposed NTRIP services can reveal geospatial and precision positioning infrastructure.
Odette FTP is a file transfer protocol used in business-to-business data exchange. Exposed OFTP services can reveal supply chain and enterprise integration workflows.
Ollama is an open-source tool for running large language models locally or on hosted infrastructure. Censys ARC investigated exposed Ollama instances, making this data useful for identifying exposed models, version details, and AI infrastructure that may be unintentionally reachable.
ONVIF is used for discovery and control of IP cameras and physical security devices. Exposed ONVIF services can reveal surveillance infrastructure and unmanaged camera systems.
OPC Unified Architecture is an industrial interoperability protocol. Exposed OPC UA services can reveal industrial systems, telemetry, and automation environments.
Open directories are web-accessible directory listings that expose file and folder metadata without authentication. Censys introduced additional open directory intelligence, making this data useful for finding exposed files, suspicious staging directories, malware hosting, leaked credentials, and adversary tooling.
OpenVPN is a VPN protocol for secure remote access. Exposed OpenVPN services identify remote access infrastructure that attackers may target for credentials or vulnerabilities.
OpenVPN Management Interface controls and monitors OpenVPN instances. Exposed management interfaces are risky because they may reveal or alter VPN state.
Oracle Database protocol supports Oracle relational database services. Exposed Oracle services can identify high-value enterprise data systems and legacy database attack surface.
pcAnywhere is a legacy remote access protocol. Exposed pcAnywhere services are concerning because old remote access products often carry high operational risk.
PCOM is associated with industrial control communications. Exposed PCOM services can reveal automation controllers and operational technology assets.
PC Worx is a Phoenix Contact automation protocol. Exposed PC Worx services can identify PLC programming and industrial control environments.
PgBouncer is a PostgreSQL connection pooler. Exposed PgBouncer services can reveal database infrastructure and potential access paths to PostgreSQL backends.
Pigeonhole is associated with mail filtering and Sieve services. Exposed mail filtering interfaces can reveal email infrastructure and policy-management surfaces.
Printer Job Language is used to control printers. Exposed PJL can reveal printers and may allow unwanted configuration changes or document handling abuse.
Plex Media Server is an application used to host and stream videos, music, and other personal media. Exposed Plex servers are useful for identifying consumer or small-business media infrastructure and may reveal software versions, ownership patterns, or unintended public access.
Post Office Protocol v3 is used to retrieve email from mail servers. Exposed POP3 services matter because mailbox access is a common credential attack target.
poppassd allows users to change mail passwords. Exposed password-changing services can become targets for brute force or account takeover attempts.
Portmap maps RPC program numbers to network services. Exposed portmap can reveal NFS and RPC service inventory useful for reconnaissance.
PostgreSQL is an open-source relational database protocol. Exposed PostgreSQL services are important because they can indicate sensitive data stores and backend application infrastructure.
pprof is a Go profiling interface used to collect runtime performance data such as heap, goroutine, mutex, trace, and CPU profile information. Exposed pprof endpoints are high-risk because they can leak stack traces, runtime internals, and in some cases raw process memory.
Point-to-Point Tunneling Protocol is a legacy VPN protocol. Exposed PPTP often indicates outdated remote access infrastructure.
ProConOS is an industrial runtime used with PLCs. Exposed ProConOS services can reveal control systems connected to physical operations.
PROFINET Context Manager is used in industrial Ethernet automation. Exposed PROFINET services can reveal manufacturing and industrial control environments.
Prometheus is a monitoring and metrics system used to collect application, infrastructure, and service telemetry. Censys researched exposed Prometheus endpoints, making this data useful for finding exposed scrape targets, configuration details, version data, and operational metadata.
Prometheus target data represents individual scrape endpoints and the metrics exposed by monitored services. These targets are security-relevant because metric names, labels, exporters, and scrape metadata can reveal internal services, runtimes, containers, jobs, and application behavior.
Quote of the Day returns a short text quote from a server. Exposed QOTD is a legacy service that can aid fingerprinting or reflection abuse.
Remote Authentication Dial-In User Service provides centralized authentication for network access. Exposed RADIUS services can reveal identity and network access infrastructure.
Remote Console is used to administer game servers and other services. Exposed RCON can allow remote administrative control if authentication is weak.
Remote Date Protocol returns the current system time. Exposed RDATE is mostly legacy but can aid service fingerprinting.
Remote Desktop Protocol provides graphical remote access to Windows systems. Censys ARC has shown that RDP certificates and hostnames can expose cloned Windows infrastructure used in bulletproof hosting, making exposed RDP a major signal for credential risk, ransomware access, and attacker infrastructure.
Digi RealPort provides network access to serial devices. Exposed RealPort services can reveal serial-connected industrial, medical, or embedded equipment.
Redis is an in-memory data store used for caching, queues, and application state. Censys researched exposed Redis databases, making exposed Redis especially important because unauthenticated instances can expose data or enable configuration abuse.
Redline protocol data is associated with adversary investigation visibility. It is relevant to security research because it can help identify infrastructure tied to malware or adversary tooling.
Red Lion Crimson is associated with industrial HMI and automation devices. Exposed Crimson services can reveal operational interfaces and industrial device management.
Red Lion web instances expose web-accessible interfaces for Red Lion industrial devices and automation systems. These endpoints are important for critical infrastructure research because exposed logs, titles, and interface metadata can reveal operational technology assets connected to public networks.
RethinkDB is a distributed document database protocol. Exposed RethinkDB services can reveal application data infrastructure and potential administrative surfaces.
Rifatron protocols identify surveillance and DVR equipment. Exposed Rifatron systems can reveal video infrastructure and unmanaged physical security devices.
Ripple protocol services support XRP Ledger node communication. Exposed Ripple nodes help researchers map cryptocurrency infrastructure.
Routing Information Protocol version 1 exchanges routing information between routers. Exposed RIP can leak routing details and indicate legacy network configurations.
Remote Login is a legacy remote access protocol. Exposed rlogin is risky because it predates modern secure authentication practices.
Apache RocketMQ is a distributed messaging and streaming platform. Exposed RocketMQ brokers can reveal application event flows and create messaging abuse risk.
RouterOS API is used to manage MikroTik routers. Exposed router APIs can provide administrative attack surface on network infrastructure.
Remote Shell is a legacy protocol for executing shell commands remotely. Exposed rsh is high-risk because it lacks modern security protections.
rsync synchronizes files between systems. Exposed rsync services can leak file listings or allow unauthorized data transfer when misconfigured.
Real Time Streaming Protocol controls streaming media sessions. Exposed RTSP commonly identifies cameras, DVRs, and other video streaming devices.
RustDesk heartbeat services support RustDesk remote access infrastructure. Exposed RustDesk components can reveal remote support infrastructure that should be monitored closely.
RustDesk relay services help route remote desktop sessions. Exposed relay infrastructure is relevant because remote access tooling can be used legitimately or abused by attackers.
RustDesk rendezvous services help clients discover and connect to peers. Exposed rendezvous servers can identify remote access infrastructure and possible unmanaged support paths.
Siemens S7 is an industrial protocol used by Siemens PLCs. Censys ARC observed S7comm as the most common protocol in its ICS/OT honeypot research, making exposed S7 services important for identifying high-value automation systems in manufacturing and critical infrastructure.
SAProuter controls network access between SAP systems. Exposed SAP routing services can reveal enterprise application infrastructure and access paths into SAP environments.
3CX Session Border Controller supports 3CX voice infrastructure. Exposed 3CX components matter because VoIP systems are targets for fraud, espionage, and exploitation.
SCADAview identifies industrial automation interfaces and HMIs exposed over web-accessible services. This data is security-relevant because screenshots, titles, and descriptions can reveal process visibility, facility context, and operational technology interfaces that should be tightly controlled.
Microsoft System Center Configuration Manager supports endpoint management. Exposed SCCM-related services can reveal device management infrastructure and administrative reach.
Standard Commands for Programmable Instruments controls test and measurement equipment. Exposed SCPI services can reveal lab, manufacturing, or research equipment.
Sentinel services are associated with licensing or device management systems. Exposed Sentinel services can reveal software licensing infrastructure or unmanaged hosts.
ser2net exposes serial ports over TCP. Exposed ser2net services can reveal serial-connected devices, including industrial or embedded equipment.
Seven Days to Die protocol identifies multiplayer game servers. Exposed game infrastructure can help researchers map hosting behavior and abused commodity servers.
Session Initiation Protocol sets up voice and video communications. Exposed SIP services are relevant because VoIP infrastructure is targeted for fraud, enumeration, and denial of service.
Skinny Client Control Protocol is a Cisco VoIP signaling protocol. Exposed SCCP services can reveal enterprise voice infrastructure.
Service Location Protocol helps systems discover services on a network. Exposed SLP can leak service inventory and has been associated with amplification risk.
Server Message Block supports Windows file sharing and network services. Censys ARC has tracked bulletproof hosting and abused Windows infrastructure, and exposed SMB is highly security-relevant because it has been central to major worms, ransomware, and lateral movement.
Simple Mail Transfer Protocol sends email between servers. Exposed SMTP is important for mapping mail infrastructure and investigating spam, phishing, abuse, and user enumeration risk.
Simple Network Management Protocol monitors and manages network devices. Exposed SNMP can leak device configuration, interfaces, routing details, and operational metadata.
Simple Network Paging Protocol sends messages to pagers. Exposed SNPP services can reveal legacy alerting systems and operational communications.
SOCKS is a proxy protocol for routing client traffic through another server. Censys ARC researched unauthenticated SOCKS proxies, making exposed SOCKS relevant because open proxies can mask traffic origin and support abuse.
SPICE provides remote access to virtual desktop sessions. Exposed SPICE services can reveal virtualization infrastructure and remote console access.
Simple Service Discovery Protocol helps devices discover services using UPnP. Exposed SSDP can leak device information and support reflection abuse.
Secure Shell provides encrypted remote administration. Censys ARC tracked DDoSia command-and-control infrastructure, and exposed SSH is a core security signal because it identifies administrative access surfaces, authentication posture, and potential credential risk.
StatsD receives application and infrastructure metrics. Exposed StatsD services can reveal monitoring pipelines or allow metric pollution.
Steam In-Home Streaming services support Steam game streaming. Exposed services can reveal consumer or entertainment devices on public networks.
Session Traversal Utilities for NAT helps clients discover network address mappings. Exposed STUN services can reveal real-time communication infrastructure and NAT traversal dependencies.
SVR identifies specialized or vendor-specific services. Unknown or niche services matter because they can indicate unmanaged infrastructure that deserves triage.
TACACS+ provides centralized authentication for network devices. Exposed TACACS+ is sensitive because it relates to administrative access for routers, switches, and firewalls.
TeamSpeak is a voice communication protocol. Exposed TeamSpeak servers can reveal collaboration infrastructure and unmanaged community or enterprise voice systems.
TeamViewer enables remote access and support. Exposed TeamViewer infrastructure is relevant because remote support tools can be abused for persistence or unauthorized access.
Telnet provides plaintext remote terminal access. Exposed Telnet is high-risk because credentials and sessions are not encrypted.
Terraria protocol identifies multiplayer game servers. Exposed game servers help map commodity hosting and user-run infrastructure.
Trivial File Transfer Protocol is a simple unauthenticated file transfer protocol. Censys ARC’s FTP exposure brief distinguishes TFTP from FTP and SFTP, making TFTP relevant for finding network-device file transfer paths and risky unauthenticated transfers.
Tibia protocol identifies servers for the Tibia online game. Exposed game services can reveal niche hosting infrastructure and potential abuse staging environments.
Tor Control Protocol manages Tor processes and configuration. Exposed Tor control services are sensitive because they can reveal or alter anonymity infrastructure.
TP-Link Kasa protocols identify smart plugs, bulbs, and IoT devices. Exposed Kasa services can reveal unmanaged smart devices and consumer IoT risk.
Tuya protocols identify smart home and IoT devices using the Tuya ecosystem. Exposed Tuya devices are relevant because they reveal connected physical devices and automation systems.
Ubiquiti protocols identify network devices and management services. Exposed Ubiquiti infrastructure can reveal routers, wireless controllers, and small business networks.
Universal Plug and Play supports device discovery and port mapping. Exposed UPnP can reveal consumer devices or allow unintended network exposure.
Valve protocol services identify Source engine and Steam-related game servers. Exposed Valve services help map gaming infrastructure and commodity hosting environments.
Ventrilo is a voice communication protocol. Exposed Ventrilo servers can reveal legacy voice infrastructure.
Virtual Network Computing provides graphical remote desktop access. Censys has written about finding and monitoring exposed RDP and VNC, making exposed VNC high-risk because weak or absent authentication can expose full interactive desktops.
Votifier is commonly used by Minecraft servers to receive voting notifications. Exposed Votifier services can reveal game server infrastructure and plugin ecosystems.
WDBRPC is a VxWorks debugging and management service. Exposed WDBRPC is sensitive because embedded device debugging interfaces can provide powerful access.
WebLogic T3 is Oracle WebLogic’s proprietary protocol for server communication. Exposed T3 services are important because WebLogic has a long history of remotely exploitable vulnerabilities.
WHOIS provides registration and ownership information for internet resources. WHOIS is useful for connecting domains, networks, registrars, abuse contacts, and infrastructure timelines.
Windows Remote Management supports remote administration over WS-Management. Exposed WinRM is a strong signal of Windows administrative access risk because it can enable remote command execution and PowerShell-based administration.
Web Services Discovery helps devices advertise services on local networks. Internet-visible WS-Discovery can leak device information or support reflection abuse.
X11 provides remote graphical display capabilities for Unix-like systems. Exposed X11 matters because misconfiguration can allow unauthorized access to graphical sessions.
X Display Manager Control Protocol manages remote graphical login sessions. Exposed XDMCP can reveal legacy Unix remote desktop infrastructure.
Extensible Messaging and Presence Protocol supports real-time messaging and presence. Exposed XMPP services can reveal collaboration infrastructure or command-and-control patterns.
Yahoo Smart TV services identify legacy connected TV functionality. Exposed smart TV services can reveal unmanaged consumer devices on public networks.
Zabbix is an infrastructure monitoring platform. Exposed Zabbix services can reveal monitoring systems, host inventories, and operational metadata.
ZeroMQ is a messaging library and protocol pattern for distributed applications. Censys researched unauthenticated message queue exposure, and exposed ZeroMQ services can reveal custom application messaging infrastructure.
Apache ZooKeeper coordinates distributed systems and service state. Exposed ZooKeeper can leak cluster metadata and create risk for cloud-native or distributed applications.
US: +1-888-985-5547
Intl: +1-877-438-9159
connect@censys.com