Hacking Exposed: Leveraging Google Dorks, Shodan, and Censys for Cyber Attacks and the Defense Against Them

Abstract

In recent years, cyberattacks have increased in sophistication, using a variety of tools to exploit vulnerabilities across the global digital landscapes. Among the most commonly used tools at an attacker’s disposal are Google dorks, Shodan, and Censys, which offer unprecedented access to exposed systems, devices, and sensitive data on the World Wide Web. While these tools can be leveraged by professional hackers, they have also empowered “Script Kiddies”, who are low-skill, inexperienced attackers who use readily available exploits and scanning tools without deep technical knowledge. Consequently, cyberattacks targeting critical infrastructure are growing at a rapid rate, driven by the ease with which these solutions can be operated with minimal expertise. This paper explores the potential for cyberattacks enabled by these tools, presenting use cases where these platforms have been used for both offensive and defensive purposes. By examining notable incidents and analyzing potential threats, we outline proactive measures to protect against these emerging risks. In this study, we delve into how these tools have been used offensively by attackers and how they serve defensive functions within cybersecurity. Additionally, we also introduce an automated all-in-one tool designed to consolidate the functionalities of Google dorks, Shodan, and Censys, offering a streamlined solution for vulnerability detection and analysis. Lastly, we propose proactive defense strategies to mitigate exploitation risks associated with such tools, aiming to enhance the resilience of critical digital infrastructure against evolving cyber threats.

1. Introduction

The vast amount of data and devices connected to the Internet today, estimated at over 29.3 billion IoT devices by 2023, poses a significant challenge for cybersecurity experts globally [1]. These connected devices generate massive amounts of data, which are projected to reach 79 zettabytes in 2025, creating an increasingly appealing target for cyber attackers who exploit vulnerabilities in Internet-connected systems [1]. Figure 1 showcases the distribution of detected global cyberattacks by type in 2022 [1,2].

Figure 1. Distribution of detected worldwide cyberattacks by type in 2022.

According to the data, as depicted in Figure 1, in 2022, cyberattacks were dominated by ransomware, which accounted for 68.42% of all detected incidents. Ransomware attacks involve malicious software that encrypts a victim’s files, with hackers demanding a ransom payment for their release. Following ransomware, network breaches made up 18.42% of attacks, where unauthorized access to networks allows attackers to steal data, cause disruptions, or plant further malware. Data exfiltration, representing 3.95%, involves the theft of sensitive data from systems, often targeting confidential or personal information. Closely linked are loaders, which comprised 3.29% of attacks; these are initial malware payloads designed to deliver other harmful software onto a victim’s system, setting the stage for more dangerous attacks. Web shells, at 2.63%, are scripts that provide hackers with a backdoor to control compromised web servers, often used for persistent unauthorized access. Another 2.63% of attacks were data extortion, where attackers steal data and threaten its release unless a ransom is paid, which is distinct from ransomware in that it focuses on the threat of exposure. Lastly, coin miners, though only 0.66% of attacks, are a form of malware that hijacks a victim’s computer resources to mine cryptocurrencies, consuming processing power and energy for the attacker’s benefit. These varied attacks highlight the diverse tactics cybercriminals employ, ranging from direct financial gain to subtle, long-term resource exploitation [2].

In order to execute such a cyberattack, the hacking process typically unfolds in several distinct phases (as depicted in Figure 2), starting with reconnaissance, where attackers gather information about their target to identify potential weaknesses [3,4,5,6]. This stage can involve passive methods, like scanning public websites, or active techniques, such as engaging directly with the target’s systems to collect detailed data [3,4,5,6]. Once sufficient information is obtained, the hacker moves on to the scanning phase, using tools to scan the underlying networks, identify open ports, and detect vulnerabilities in the target’s infrastructure. The aim here is to pinpoint exploitable weaknesses that can be targeted later. Following the scanning phase, the hacker attempts to gain access by exploiting the vulnerabilities discovered. This could involve using malware, exploiting software flaws, or employing tactics, like phishing, to infiltrate the system. If successful, the attacker shifts to maintaining access, ensuring they can repeatedly enter the compromised system without detection. This often involves installing backdoors, rootkits, or trojans that provide persistent access even if the original vulnerability is patched. On the other hand, to avoid detection, the hacker will then work on covering their tracks, removing or modifying any logs, files, or system traces that could reveal their presence. This step is crucial for remaining anonymous and evading cybersecurity defenses. Sometimes, an additional phase, called exfiltration, is included, where the attacker extracts valuable data from the target system. This stage focuses on the covert transfer of sensitive information, which can include personal details, intellectual property, or financial records. Understanding these hacking phases is vital for cybersecurity professionals, as it helps them develop targeted defenses to detect and mitigate each stage of an attack.

Figure 2. Key steps involved in executing a cyberattack.

To execute such cyberattacks, cyber attackers frequently use advanced search engines and network discovery tools, such as Google dorks, Shodan, and Censys, to locate vulnerabilities in such public-facing assets. These tools, initially intended to help researchers and ethical hackers, have been increasingly exploited by “script kiddies”, who are unskilled individuals using automated tools to initiate cyberattacks [1,2].

Whilst executing such cyberattacks, reconnaissance is often considered the most critical phase of a cyberattack because it lays the groundwork for the entire attack operation [1,7,8,9,10]. In this phase, attackers gather as much information as possible about their target to identify vulnerabilities and determine the best attack strategies. Effective reconnaissance maximizes the chances of success in the later stages, such as scanning and gaining access, by minimizing guesswork and focusing efforts on the weakest points of a target. Tools like Google dorks, Shodan, and Censys are particularly powerful in this phase because they provide deep insights into the target’s public-facing infrastructure [11,12,13].

Google dorks allows attackers to use advanced search queries to discover sensitive information, such as exposed login pages, unsecured databases, and misconfigured directories, that are indexed by search engines but are not intended to be public [7,8,9,10,14,15,16,17]. This method can reveal significant vulnerabilities with minimal effort, providing a low-cost and efficient way to gather detailed information. Shodan on the other hand, known as the “search engine for hackers”, scans and indexes Internet-connected devices, including servers, webcams, routers, and industrial control systems [16,17,18,19]. It provides detailed information about the software versions, open ports, and configurations of these devices, allowing attackers to pinpoint weaknesses in IoT systems and critical infrastructure. Similarly, Censys offers comprehensive visibility into the Internet’s infrastructure by indexing devices, certificates, and services, enabling attackers to map a target’s digital footprint with high accuracy [20]. These tools are vital because they automate and expedite the information-gathering process, reducing the need for manual probing and making the reconnaissance phase faster and more effective.

By using such tools, attackers can conduct stealthy and efficient reconnaissance, gathering enough intelligence to craft tailored attacks without triggering alarms or interacting directly with the target, thus avoiding detection. This makes reconnaissance not only the most important phase but the safest and least intrusive stage of a cyberattack, setting the stage for more aggressive tactics to follow.

Google dorks, originally intended for refining search results, enables attackers to uncover sensitive information, like unsecured websites, files, databases, exposed admin panels, and login credentials, by using specific search parameters. In a recent analysis, 43% of organizations admitted having at least one internet-facing vulnerability discoverable via Google dorks, emphasizing the ease of access to critical weaknesses [2,3,8,9,10]. Similarly, Shodan, a search engine for IoT devices, indexes millions of exposed assets, ranging from industrial control systems and servers to unsecured cameras. It is estimated that 58% of IoT devices connected to the Internet are vulnerable to common exploits, making them prime targets for cyberattacks [2,3]. On the other hand, Censys offers a comprehensive view of internet-connected devices and services, highlighting potential weaknesses in system configurations. In 2023, a study found that about 35% of publicly accessible databases could be identified using tools like Shodan and Censys, demonstrating how these platforms can be used for both defensive and malicious purposes [2,3]. Such incidents highlight the critical need for advanced security measures and constant vigilance, as the global cost of cybercrime is expected to reach $10.5 trillion annually in 2025 [5]. Cybersecurity professionals must stay ahead of these threats by continuously monitoring and securing public-facing assets, utilizing the same tools in ethical ways to preempt potential attacks.

Overall, Google dorks, Shodan, and Censys are particularly valued in the reconnaissance phase because they each offer unique capabilities that make information gathering both efficient and comprehensive in a really simple way. Unlike other reconnaissance tools that require direct scanning, potentially alerting the target, Google dorks, Shodan, and Censys extract publicly available data, maintaining a stealthy approach that minimizes detection risk. This combination of visibility, depth, ease of use, and non-intrusive information gathering make these three tools the preferred choice for reconnaissance over other available options and have become popular even among inexperienced cyber criminals. Thus, motivated by the fact that they are becoming common and appealing solutions for offensive cyberattacks, this paper aims to examine the ways in which these tools are misused by cyber criminals, providing an in-depth look at the risks associated with their misuse. Nonetheless, we also explore defensive strategies to mitigate such kinds of attacks. In this regard, the major contributions of this study are as follows:

• Provide a brief overview of Google dorks, Shodan, and Censys, highlighting their functionalities and how they work; also highlight the latest state of the art with their application context and major contributions.
• Explore the potential for cyberattacks enabled by these tools, presenting use cases where these platforms have been used for both offensive and defensive purposes.
• Propose proactive defense strategies to mitigate exploitation risks associated with Google dorks, Shodan, and Censys, aiming to enhance the resilience of critical digital infrastructure against evolving cyber threats.
• Introduce an automated all-in-one tool designed to consolidate the functionalities of Google dorks, Shodan, and Censys, offering a streamlined solution for vulnerability detection and analysis.

The remainder of this study is organized as follows: Section 2 presents a brief overview of Google dorks, Shodan, and Censys, along with a discussion of the script kiddies who frequently use these tools. Section 3 explores use cases where these tools have been employed for offensive exploitation purposes. Section 4 discusses defensive use cases, while Section 5 highlights the development of an automated all-in-one Python-based console application designed to consolidate the functionalities of Google dorks, Shodan, and Censys. Section 6 highlights the defense strategies that can counter cyberattacks facilitated by these tools. Finally, this study concludes with a summary.

2. Background and Overview of Script Kiddies, Google Dorks, Shodan, and Censys

This section aims to provide a concise overview of script kiddies, detailing the tools they commonly use, including Google dorks, Shodan, and Censys. Further, it also highlights the functionalities and applications of these tools and summarizes recent advancements in related research.

2.1. Who Are Script Kiddies?

Script kiddies are inexperienced hackers who use pre-built tools and automated scripts to launch cyberattacks without much technical understanding [3,4,5]. Unlike professional hackers who create unique scripts, malware, or exploits, using specialized expertise, script kiddies employ pre-built tools, scripts, and automated programs created by others. These tools allow them to launch attacks without understanding the complexities of the technology they are exploiting, making it simple to carry out cyber-attacks with little effort [3,4,5]. One distinguishing feature of script kiddies is their excessive dependence on automated tools and pre-existing scripts. Rather than carrying out complex cyberattacks manually, they rely on software and tools that exploit existing weaknesses, such as Google dorks (a popular tool for obtaining information passively), Shodan (used to scan inter-networked devices), Censys (used to scan, monitor, and index devices, systems, and networks connected to the Internet), and Metasploit (used to attack system vulnerabilities) [4,5,6,7]. These tools are generally available on hacker forums, the dark web, or online groups, making them easily accessible to new attackers.

Script kiddies are frequently driven by a need for attention or just the joy of causing a disturbance. Unlike hackers motivated by ideological ideas or financial gain, script kiddies prefer to target high-profile but easily accessible systems, such as social media accounts, unprotected IoT devices, or websites with poor security [4,5,6,7]. On the other hand, because of their poor technical understanding, script kiddies concentrate on easy targets with weak or obsolete security protections that can be easily compromised. While script kiddies may appear to be less hazardous than more experienced hackers, their sheer quantity and frequent, wide targeting can considerably increase risk and create long-term security difficulties for enterprises and individuals [20,21,22,23].

While many script kiddies remain at the novice level, some script kiddies improve their abilities over time and eventually progress to more expert hacking. For some, these first ventures into hacking might serve as a springboard to more advanced cybercriminal actions. Thus, while script kiddies are frequently viewed as low-level risks who use tools that require less expertise, their actions contribute to the greater cybersecurity picture and highlight the importance of effective defenses against all types of attackers, regardless of competence.

2.2. Google Dorks

Google dorks, also known as Google hacking, refers to using advanced search queries to identify hidden or exposed information through the Google search engine [7,8]. For years, professional hackers have used these search strings to discover sensitive data, unsecured databases, and web application vulnerabilities. However, with the publication of dorking techniques on hacker forums and social media, even low-skilled attackers, who are often referred to as script kiddies, can operate such tools with ease.

Johnny Long, a computer security specialist, first unveiled Google dorks in 2002 [7,8]. Google dorks has come a long way since its creation as an obscure approach to one of the most well-known open-source intelligence (OSINT) techniques in the cybersecurity and IT worlds, while also improving search capabilities [8,9,10]. Overall, the use of Google dorks has gradually increased as a result of the community’s important contributions in developing new search strategies and operators. These joint efforts have resulted in more exact search results and assessments, establishing Google dorks as an effective tool for information discovery [7,8,9,10].

Google dorking uses custom queries using sophisticated search operators (particular symbols or phrases) to retrieve focused search results [8]. The custom Google dork query only needs to be put into the Google search field, as showcased in Figure 3 (the dork query searches for directories with “index of” in the title and “passwords” in the text, and it is used to find publicly accessible directories that might contain sensitive password information). To adhere to ethical and privacy guidelines, certain data and specific outcomes have been omitted from the study in order to uphold ethical standards and ensure the protection of privacy.

Figure 3. Example of a Google dork query.

When the Google search engine crawls the web, it indexes numerous aspects of web pages, some of which may not be apparent to normal visitors, whereas Google dorks allows normal users to retrieve this information using sophisticated Google search queries [10,11,12]. While Google dorking is legal and effective for acquiring publicly available data, it must be used carefully and ethically. Attempting to exploit security flaws in website setups or code without authorization violates most websites’ terms of service and may result in legal implications if traced and found.

Security researchers and authorized staff performing penetration testing frequently employ Google dorking to locate particular information or possible vulnerabilities on the Internet by constructing complex search queries. While tools like Google Search Console assist website owners in optimizing their sites for more visibility, Google dorking enables security experts to uncover unintended exposures of sensitive information or security threats [11,12]. Nonetheless, Google dorking is also used as a passive reconnaissance technique during the early step of penetration testing. This approach requires the use of predetermined search words, known as dorks, which are cataloged in sites, such as the Google Hacking database, which has thousands of dorks for a variety of purposes [12].

On the other hand, cybercriminals employ Google dorking as a passive attack approach to find and exploit vulnerabilities in poorly secured websites. Hackers may utilize sophisticated Google dorks to gain access to sensitive information, such as usernames, passwords, and personal identifying information. As a result, it is critical to proceed with caution and avoid employing Google dorks to gain unauthorized access to private or restricted material, since this might have legal ramifications. Table 1 lists 10 widely used Google dork queries and their respective actions.

Table 1. Examples of Google dork queries.

Google Dork Query	Action
filetype:pdf	Searches for specific file types (e.g., PDF). For instance, filetype:pdf confidential finds PDF files containing the word “confidential”
intitle:index of	Locates directory listings indexed by search engines. This is often used to find open directories containing files or folders not meant for public access.
allintext:password filetype:log	Finds log files containing passwords. This dork searches for pages where the entire text includes “password” and specifies .log files.
intext:“ssn” filetype:xls	Locates files that may contain sensitive information, like social security numbers (SSNs), in Excel file formats. This can help find publicly accessible spreadsheets with sensitive data.
intitle:“login” “password”	Finds login pages or files that mention “login” and “password” in the title or content, which might provide insight into potentially unsecured login pages.
inurl:/phpmyadmin	Looks for PhpMyAdmin web interfaces. This can identify exposed database management pages, which are critical if left unprotected.
inurl:edu “login”	Searches for websites on .edu domains that contain the words “login”. This dork searches for school websites that contain student login information.
filetype:txt “email”	Finds text files that contain email addresses
inurl:“.env” “DB_PASSWORD”	Searches for exposed .env files containing database passwords.
inurl:“view/view.shtml”	Searches for publicly accessible IP cameras.

Having provided a brief overview of Google dorks and how it has been used with example queries, Table 2 categorizes the recent relevant research in the domain, highlighting their application context and major contributions.

Table 2. Summarization of recent related state-of-the-art studies.

Reference	Application Context	Major Contributions
[7]	Scam detection	This paper introduces a method for identifying gender from social media text, focusing on challenges like emoticons and special characters to improve scam detection. It leverages tools like Google dorking and web scraping for comprehensive analysis, aiding forensic investigators in understanding scammer profiles and enhancing online safety.
[8]	Security of web applications	The paper addresses the misuse of Web 2.0 technologies through Google dorking. It presents a three-step solution: first, a large-scale analysis of dorks to understand how attackers identify targets; second, a defense mechanism to neutralize URL-based dorks; and third, a method to prevent fingerprinting by using only generic word combinations, thereby protecting web applications effectively.
[9]	Security of content management systems	This paper examines the vulnerabilities of popular content management systems (CMSs), like WordPress and Joomla, which are attractive targets for hackers due to exploitable themes and plugins. It stresses the importance of regular updates, security-focused design, and removing outdated components to protect against cyber threats.
[10]	Employ Natural Language Processing (NLP) to enhance the Google Hacking database.	This paper explores using NLP to enhance the Google Hacking database by converting textual dork values to numerical ASCII, enabling the application of machine learning techniques. The study conducted a seven-step process to enrich the database, and results showed the methodology successfully met its goals, yielding positive outcomes in machine learning evaluations.
[11]	Security of critical infrastructure	The paper analyzes the digital transformation of the fuel and energy market, proposing an ecosystem for major participants while addressing new attack vectors targeting critical infrastructure. It utilizes classical testing theories on Web applications and the Modbus protocol, with penetration testing examples on APCS and supervisory control and data acquisition (SCADA) systems, guided by OWASP standards and customized Google dorks for enhanced security analysis.

2.3. Shodan

Shodan is an Internet search engine designed to index publicly accessible devices connected to the Internet, including webcams, routers, SCADA systems, and IoT devices [13,14,15]. It is often referred to as “The search engine for the IoT”, because it allows users to discover and explore Internet-connected devices worldwide. While Shodan provides valuable insights for security researchers, it has also become a common tool for cyber criminals, including script kiddies, due to its straightforward interface and vast database of exposed systems. Shodan was designed by computer scientist John Matherly as a hobby to track any type of device connected to the Internet [13,14,15].

Shodan’s indexing works by scanning open ports on Internet-connected devices and services, gathering information on their public interfaces rather than focusing on web pages like traditional search engines. Instead of indexing site content, Shodan collects “banners”, the information that services provide in response to requests, which reveal details about the device or software configuration. This process includes scanning for various protocols, such as HTTP, HTTPS, FTP, SSH, Telnet, SNMP, and SIP, allowing Shodan to catalog a wide range of Internet-connected services [13].

Users can leverage Shodan’s filtering tools to search for specific devices within particular geographic regions or by applying other criteria [16,17,18,19,20]. The breadth of Shodan’s reach is extensive and has raised concerns due to its ability to find virtually any device connected to the Internet. As Vice aptly put it, Shodan has been called “The most dangerous search engine in the world”, because it can locate everything from smartphones and refrigerators to security cameras and even nuclear plants, that are exposed online [16,17,18,19,20]. Further, Shodan collects information through the Internet’s public-facing interfaces and compiles it into a searchable database. This data provides insights into not only what devices are online but their configurations, vulnerabilities, and software details.

Overall, Shodan has become a crucial tool in cybersecurity, as it highlights devices that may be inadvertently exposed to the Internet without adequate security. By searching for specific devices or network types, users can uncover systems with weak security settings, default passwords, or outdated firmware. As a result, Shodan is valuable for both security researchers and cyber criminals, who may exploit exposed systems. Ethical hackers and organizations leverage Shodan to identify and address potential risks in their networks proactively, while malicious users might target vulnerable systems for cyberattacks.

One of the key features of Shodan is its ability to filter searches by criteria, such as geographic location, device type, and operating system, allowing users to perform highly targeted scans [21,22,23]. Shodan has both free and paid versions, with the latter offering more advanced tools and access to a broader database of indexed devices. The tool has raised important discussions around the security of IoT devices and the need for improved security standards, as many users are often unaware of the vulnerabilities these devices may introduce. Shodan underscores the growing intersection between cybersecurity and everyday technology, making it both a valuable research tool and a reminder of the importance of safeguarding connected devices. Figure 4 showcases an example of a Shodan query that returns a list of IP addresses for devices running Apache within the specified country. Nonetheless, as shown in Figure 5, to narrow results further, filters can be added specifying open ports (e.g., port 80 for HTTP or port 443 for HTTPS).

Figure 4. Example of a Shodan query that returns a list of IP addresses for devices running Apache within the specified country: United States.

Figure 5. Example of a Shodan query with filtered options.

In order to better understand how Shodan works, Table 3 showcases 10 widely used Shodan queries and their respective actions.

Table 3. Example of Shodan queries.

Shodan Query	Action
http	Shows devices with HTTP servers open on any port (80, 8080, etc.).
port:23	Identifies devices with Telnet service (port 23) open
port:3389	Returns systems with Remote Desktop Protocol enabled on port 3389
http.title:“webcam”	Targets devices labeled as webcams in the HTTP title
“SCADA” port:502	Lists SCADA systems on port 502, often associated with the Modbus protocol, used in industrial applications.
port:21 “230 Login successful”	Targets FTP servers allowing anonymous login, which can be exploited for unauthorized access.
product:Redis “authentication required” false	Finds Redis instances that do not require authentication
port:5060	Targets devices using Session Initiation Protocol on port 5060, commonly found in VoIP systems.
product:OpenSSL version:<1.1.1	Finds systems running vulnerable versions of OpenSSL.
ssl.cert.expired:true	Identifies servers using expired SSL certificates.

Having provided a brief overview of Shodan and how it has been used with example queries, Table 4 categorizes the recent relevant research in the domain, highlighting their application context and major contributions.

Table 4. Summarization of recent related state-of-the-art studies.

Reference	Application Context	Major Contributions
[14]	Passive information gathering	This research examines IoT-related discussions on underground forums, focusing on how hackers use the Shodan search engine for cybercriminal activities. The findings reveal that Shodan is commonly used for passive information gathering, with key applications in remote device control, botnet creation, DDoS attacks, and accessing open databases.
[15]	Security of smart infrastructure	This study explores vulnerabilities in smart buildings, introducing a novel Shodan-based assessment method to identify and evaluate security risks in building systems. The findings highlight primary security concerns and propose a framework to improve smart building resilience through targeted mitigation strategies, enhancing security and safety in interconnected urban spaces.
[16]	Security of smart infrastructure	This paper examines security assessment methods and hardening techniques for IoT infrastructure, focusing on Shodan’s impact on identifying and probing IoT devices. It provides example attacks and an in-depth analysis of device hardening techniques and aims to equip security professionals to tackle emerging IoT security challenges.
[17]	Security of critical infrastructure	This paper examines Shodan’s capabilities in identifying Internet-exposed industrial control systems, which pose significant risks to critical infrastructure security.
[18]	Security of the IoT	As IoT devices become more prevalent, security threats related to IP are increasing, particularly in developing countries like India, where preventing these threats is challenging. This paper provides an overview of Shodan in the Indian context, evaluating various IoT devices and discussing how they can be exploited using the search engine.
[19]	Security of the IoT	This paper investigates Shodan’s use in assessing IoT device vulnerabilities, revealing that many publicly known query terms still expose devices to security risks. The study expands on original Shodan queries to include additional terms for backdoor access, finding persistent vulnerabilities, particularly default or weak passwords, in IoT devices across the US and globally.
[20]	Internet scanning search engines	This paper provides an empirical evaluation of Internet-scanning engines like Censys and Shodan, focusing on result freshness, resource consumption, and operational differences. Preliminary findings show that both engines update device information within 24 h and consume minimal resources, making them valuable tools for the research community.
[21]	Vulnerability detection	The paper introduces ShoBeVODSDT, a tool that uses OSINT and IoT search engines to detect vulnerabilities in open data sources like MySQL, MongoDB, and Redis, assessing their visibility and value to attackers. The tool provides scalable, non-intrusive testing for both rational and NoSQL databases, revealing potential security risks from unprotected data sources accessible outside the organization.
[22]	Security of the IoT/Internet-facing services	This paper introduces ShoVAT, a novel Shodan-based vulnerability assessment tool that enhances Shodan’s capabilities by performing an in-depth analysis of service-specific data, such as service banners, to identify vulnerabilities. ShoVAT uses advanced algorithms and in-memory data structures to accurately reconstruct platform names and extract vulnerabilities from the national vulnerability database, offering automated vulnerability detection, historical analysis, and high accuracy, as demonstrated by experiments on 1501 services across 12 institutions.
[23]	Security of the IoT	This study examines Shodan, a widely used IoT search engine, and its probing behavior on newly connected IPv4 hosts, revealing insights into its scanning algorithms and detection patterns for different network services. Over 331 days, researchers analyzed Shodan’s interaction with traffic traps, identifying both regular and covert crawlers, and proposed mechanisms to shield protected hosts from Shodan’s reach, reducing their exposure to potential threats.
[24]	Security of the IoT	This study presents Shodan as a tool for cybersecurity audits on IoT devices, enabling researchers to identify vulnerabilities from weak security mechanisms and poor configurations without direct scanning. It proposes a use case-based methodology for teaching users to assess and secure IoT devices and includes guidance on automating vulnerability assessments with Shodan scripts, making it a practical introduction to IoT cybersecurity.
[25]	Security of ICSs	This study addresses security concerns for industrial control systems (ICSs), which are increasingly connected to the public Internet, exposing them to potential intrusions. By evaluating ICS communication protocols, the research found that certain ports are more vulnerable due to the nature of their services, though no direct correlation exists between the number of open ports and total vulnerabilities.
[26]	Security of the IoT	This paper explores the security and privacy challenges in the IoT, emphasizing vulnerability scanning of IoT devices in Jordan using Shodan to highlight their susceptibility to attacks. The findings aim to raise awareness among IoT users in Jordan about the security risks to help improve device protection and maintain privacy standards.
[27]	Security of ICSs	This paper investigates the impact of Shodan on ICSs using honeypots and a DFA-SVM recognition model to detect Shodan scans based on traffic features, surpassing traditional IP-reversal methods. Through three months of data analysis, the study examines Shodan’s scanning behavior, including frequency, ports, and protocol preferences, and suggests defensive measures to reduce ICS vulnerabilities to Shodan’s exposure.

2.4. Censys

Censys is a powerful search engine that continuously scans the Internet, mapping out exposed devices, services, and vulnerabilities, making it a valuable resource for cybersecurity professionals [28,29,30]. While similar to Shodan, Censys takes a more analytical approach, allowing users to filter devices based on a range of protocols, configurations, and vulnerabilities. Although intended for security experts, it can also be used by less experienced individuals to identify potentially weak targets over the Internet [30,31,32,33].

Available at censys.io, the platform serves as a critical tool for assessing the attack surface of Internet-connected assets, including IoT and industrial internet of things (IIoT) devices, as well as ICSs. It supports various data ingestion formats (web UI, API, raw data, Google BigQuery), enabling users to integrate its data into any cybersecurity ecosystem, regardless of size [31,32,33,34,35]. Censys also supports integration with prominent vulnerability management tools, logging aggregators, and other scanning systems, allowing seamless incorporation into enterprise security infrastructures [30,31,32,33].

For the users employing Censys for OSINT or cyber threat intelligence (CTI), it offers both free and paid accounts. A free account provides up to 250 queries per month, while a paid account offers more extensive access. Even without an account, users can view some publicly accessible data, as showcased in Figure 6 (the query finds all devices with a software product with the word “Windows” in it) [30,31,32].

Figure 6. Example of a Censys search to find all devices with a software product with the word “Windows” in it.

In order to better understand how Censys works, Table 5 showcases 10 widely used Censys queries and their respective functionalities.

Table 5. Examples of Censys queries.

Censys Query	Action
services.http.title: “webcam”	Finds devices with “webcam” in the HTTP title, typically used to find Internet-connected cameras.
services.port: 3389 AND services.service_name: “rdp”	Identifies devices running RDP on port 3389, which is commonly used for remote access.
services.http.html: “SCADA”	Detects SCADA systems, often used in industrial environments.
services.port: 3306 AND services.service_name: “mysql”	Locates publicly accessible MySQL databases, potentially exposing sensitive data.
services.http.title: “NAS” OR services.http.html: “Network Attached Storage”	Finds NAS devices, which often contain sensitive files and should be secured from public access.
services.port: 6379 AND services.service_name: “redis”	Detects open Redis servers, which may allow unauthorized access and data manipulation.
services.port: 5432 AND services.service_name: “postgresql”	Identifies PostgreSQL databases exposed to the internet, which could risk data breaches.
services.port: 5060 AND services.service_name: “sip”	Finds VOIP servers using the SIP protocol on port 5060, which can be exploited in VOIP attacks.
services.port: 27017 AND services.mongodb.status: “Unauthorized”	Identifies MongoDB databases with no authentication, exposing data publicly.
services.port: 9200 AND services.elasticsearch.version: “*”	Finds open Elasticsearch databases, which may be vulnerable to unauthorized access.

Having provided a brief overview of Censys and how it has been used with example queries, Table 6 categorizes the recent relevant research in the domain, highlighting their application context and major contributions.

Table 6. Summarization of recent related state-of-the-art studies.

Reference	Application Context	Major Contributions
[30]	Vulnerability detection	This paper introduces Censys, a search engine and data processing platform for Internet-wide security research, enabling quick identification of vulnerabilities and device trends through full-text protocol searches and various field queries. By significantly reducing the time and effort for obtaining data on Internet-connected devices, Censys facilitates answering complex security questions and provides valuable insights into global usage patterns.
[31]	Security of Internet connected devices	This study proposes a detection method for Shodan and Censys scans to prevent unauthorized disclosure of IP device information by monitoring and identifying abnormal packet behavior. By combining traditional scan detection methods and using stateful TCP inspection, the approach classifies suspicious activities, such as SYN Scans and Banner Grabbing, helping to block these search engines from indexing vulnerable devices.
[33]	Security of OBE	This study examines the security risks of Internet-facing on-board equipment (OBE) in connected cars, discovering 2532 exposed devices across 27 countries that could serve as entry points for cyberattacks on in-vehicle networks. The findings reveal that most of these devices have vulnerabilities, including outdated software and Telnet access, with some even exposing sensitive information, like GPS location, underscoring the security risks in connected automotive systems.

3. Use Cases of Employment of Google Dorks, Shodan, and Censys for Offensive Exploitation

3.1. Offensive Exploitation Use Cases of Google Dorks

Cybercriminals often leverage Google dorks to exploit vulnerabilities, capitalizing on its simplicity and ease of use [7]. By following online tutorials and pre-built dork queries, they can readily identify unprotected databases, exposed credentials, webcams, and sensitive data [12,13]. Table 7 discusses the major cyber security incidents that happened in recent years, that employed Google dorking techniques.

Table 7. Cyber security incidents that employed Google dorking techniques.

Reference	Incident	How Google Dorks Have Used	Impact of the Incident
[36]	LinkedIn data breach in 2016: LinkedIn faced a significant data breach where information from 167 million accounts, including hashed passwords, was stolen. This breach had initially started with an attack in 2012 but was expanded in 2016 with additional data being sold on the dark web.	In this incident, cyber attackers used Google dorks to locate unsecured databases and leaked login credentials related to LinkedIn. Simple search queries were used to find database backups that had been improperly indexed.	The stolen credentials were later sold on the dark web, making LinkedIn accounts vulnerable to identity theft and account takeovers.
[37]	Adobe’s data breach in 2013: The data breach that endangered Adobe in 2013 exposed 153 million user records, including login credentials and encrypted passwords. Nonetheless, the source code for several Adobe products was also stolen.	Attackers used Google dorks to discover unsecured databases and configuration files containing sensitive information, which helped them to locate files that contained password hints and encryption keys.	This breach emphasized the importance of securing backup files and avoiding indexing sensitive documents. Exposed source code further impacted Adobe’s reputation, as it highlighted weaknesses in its security practices.
[38]	Capital One data breach in 2019: A former Capital One employee exploited a misconfigured firewall, gaining access to the sensitive data of over 100 million individuals.	Google dorks queries were used by attackers and researchers alike to locate exposed S3 buckets and misconfigured cloud databases, that contained Capital One’s sensitive customer information.	This breach led to lawsuits, regulatory scrutiny, and a $80 million fine for Capital One. It also highlighted the importance of securing cloud environments and limiting search engine indexing.
[39]	Facebook data exposure in 2019: Facebook accidentally exposed hundreds of millions of records due to third-party applications improperly storing user data on public cloud servers.	Dorking techniques were used by attackers to locate and access unsecured S3 buckets holding user data.	This incident led to severe privacy concerns and intensified scrutiny of Facebook’s data practices. Eventually, Facebook took measures to restrict data access for third-party applications, but this event emphasized the risks of misconfigurations in cloud storage.

In all these cases, Google dorks amplified the ease with which attackers could find sensitive data. Through simple search engine queries, cyber attackers without advanced skills were able to exploit vulnerabilities that had been indexed publicly. Overall, these incidents underscore the importance of restricting sensitive information.

3.2. Offensive Exploitation Use Cases of Shodan

Cybercriminals often use Shodan to gain unauthorized access to ICSs. Although ICSs were historically insulated from the Internet, many are now online due to remote monitoring needs, making them vulnerable to exploitation by even inexperienced attackers. Table 8 discusses the major cyber security incidents that happened in recent years, that employed Shodan.

Table 8. Cyber security incidents that employed Shodan.

Reference	Incident	How Shodan Used	Impact of the Incident
[40]	USA water treatment plant attack (Oldsmar, Florida, 2021): In February 2021, hackers accessed the water treatment plant in Oldsmar, Florida, and attempted to raise the sodium hydroxide levels in the water supply to dangerous levels. While the intrusion was quickly detected and reversed, it exposed significant vulnerabilities in industrial systems.	Although Shodan was not directly cited in this attack, it has been widely reported that water treatment facilities across the USA have unsecured ICS devices accessible via Shodan searches.	The attack underscored the risks of remote access in critical infrastructure and led to a reevaluation of cybersecurity practices across water treatment facilities nationwide.
[41]	Iranian pipeline attacks: Iran and other Middle Eastern countries have seen frequent attacks targeting ICSs, including pipelines and petrochemical facilities. In many instances, attackers have used Shodan to locate and exploit vulnerable devices connected to critical infrastructure.	Attackers leveraged data retrieved from Shodan to probe and compromise the ICSs, causing disruptions in operations.	These attacks revealed the ease with which ICS devices could be located and exploited using search engines like Shodan, prompting countries to reassess their ICS security protocols.
[42]	Ukrainian power grid attack (2015): The 2015 Ukrainian power grid attack, attributed to a state-sponsored group, led to a massive blackout affecting hundreds of thousands of people. Attackers remotely accessed control systems and shut down power substations across Ukraine.	Shodan was reportedly used by attackers to identify Internet-facing ICS endpoints in Ukraine.	This incident was the first publicly acknowledged power grid attack, drawing attention to the vulnerability of power infrastructure.
[43]	Tesla Powerpack System Exposure (2018): In 2018, a security researcher discovered that several Tesla Powerpack systems, part of the renewable energy infrastructure, were exposed online without authentication. These systems were accessible to unauthorized users who could potentially control energy distribution and monitor performance.	Using Shodan, the researcher found Tesla Powerpack systems with open ports and weak security. A simple Shodan query revealed connected devices that were left exposed on the Internet.	This incident highlighted the risks of poorly configured IoT and ICS devices in the renewable energy sector. Tesla took immediate action to secure exposed systems, but it raised awareness of the need for better security in the IoT-connected energy infrastructure.
[44]	Vulnerable gas stations in the USA (2015): A researcher in 2015 found that numerous gas stations in the United States had unsecured tank monitoring systems exposed online. These systems could be manipulated to shut down pumps or alter fuel levels.	Shodan searches, such as “country: US inurl:/Gascard” or “port:10001” for specific tank monitoring systems, revealed vulnerable devices accessible without authentication.	The discovery led to increased scrutiny of ICS security in the fuel and energy sectors. The US Department of Homeland Security issued guidelines for securing these systems against unauthorized access.

These examples demonstrate how Shodan provides attackers with a powerful tool to search for exposed ICS devices and critical infrastructure. Shodan’s ability to index Internet-connected devices, combined with insufficient security on these systems, has significantly increased the potential for industrial system attacks, underscoring the need for robust security measures in ICS environments.

3.3. Offensive Exploitation Use Cases of Censys

The rise of the IoT has introduced new vulnerabilities, and Censys provides a platform for attackers to identify such weak IoT devices. Cybercriminals exploit default credentials and poor security measures in IoT devices searched through Censys to create large botnets used for DDoS attacks. Table 9 discusses the major cyber security incidents that happened in recent years, that employed Censys.

Table 9. Cyber security incidents that employed Censys.

Reference	Incident	How Google Dorks Have Used	Impact of the Incident
[45]	Mirai botnet attack on IoT devices (2016): The Mirai botnet, one of the most notorious IoT botnets, exploited vulnerabilities in thousands of IoT devices, including IP cameras, routers, and printers, to launch massive DDoS attacks. It caused widespread Internet outages, affecting popular services like Netflix, Twitter, and PayPal.	Censys helped security researchers track exposed IoT devices vulnerable to Mirai’s default username/password combinations. On the other hand, searches like “tags:” “mirai” OR “dvr” OR “ipcam” OR “router” allowed researchers and attackers to locate vulnerable devices with ease.	This attack demonstrated the dangers of insecure IoT devices, as they can be exploited at scale to disrupt major Internet services.
[46]	Research on Medical IoT Device Vulnerabilities (2019): In 2019, security researchers used Censys to investigate vulnerabilities in IoT devices within healthcare facilities, including infusion pumps, heart monitors, and MRI machines. Many devices were found to be exposed online without proper security protections.	Censys allowed researchers to search for devices by protocol and filter results by keywords related to health care. This revealed the presence of medical devices with open ports and outdated firmware, making them vulnerable to cyberattacks.	The findings raised alarms in the healthcare industry, leading to new guidelines for securing medical IoT devices. It underscored the potential risks to patient safety and healthcare service continuity.
[47]	Vulnerable smart home devices exposure (2020): Researchers found that several smart home devices, including smart thermostats, security cameras, and smart locks, were exposed online and vulnerable to attacks. Censys was instrumental in identifying these devices and their specific vulnerabilities.	By using Censys search researchers pinpointed devices that were improperly configured, revealing open ports and weak credentials.	This research highlighted the privacy risks associated with smart home devices. The findings encouraged manufacturers to improve device security and prompted consumers to adopt better security practices for IoT devices.
[48]	Power grid substation exposure (2021): In 2021, researchers discovered that various IoT devices used in power grid substations were accessible online without proper authentication or encryption, potentially allowing attackers to manipulate energy distribution systems.	Censys enabled the discovery of these devices revealing unprotected entry points into the power infrastructure.	This vulnerability raised serious concerns about the security of critical infrastructure. It led to federal mandates and regulations to secure IoT devices in the power sector and improve network monitoring.
[49]	Smart meter hacking in smart cities (2019): Several smart cities deployed Internet-connected meters to monitor energy and water usage. In 2019, researchers discovered that many of these devices were vulnerable to attacks due to weak security settings.	Censys was instrumental in identifying insecure smart meters with searches like “tag:smart-meter” and “service:modbus city:nyc”, revealing devices that were publicly accessible and could potentially be manipulated to disrupt utilities.	This exposure raised concerns about the security of smart city infrastructure. Municipalities started adopting more robust security measures for their IoT deployments to protect against tampering and data breaches.

4. Defensive Use of Google Dorks, Shodan, and Censys

In the context of cybersecurity, Google dorks, Shodan, and Censys are widely known for their offensive capabilities in discovering vulnerabilities across the Internet. However, these tools can also be employed defensively to improve an organization’s security posture by identifying exposed services, vulnerabilities, and misconfigurations before attackers can exploit them, which gives ample time to take precautionary actions. The following subsections briefly outline the defensive uses of each of these tools.

4.1. Google Dorks for Defense

Google dorks involves leveraging advanced search operators to query specific strings that could reveal sensitive information about web servers, applications, and configurations, as earlier mentioned [8,9,10]. In a defensive capacity, security teams can use Google dorks to identify inadvertently exposed data, misconfigured databases, or sensitive files that are publicly accessible on the web, which should be secured [8,9,10].

By regularly monitoring Google dork queries related to their domain, organizations can proactively discover vulnerabilities and eliminate potential attack surfaces before malicious actors exploit them. For instance, searching for exposed login pages, configuration files, or outdated software versions can help identify areas that need immediate attention [8,9,10,11]. On the other hand, Google dorks can be an essential tool for ethical hackers, who use it to audit exposed information and identify misconfigurations before malicious actors can. Regular audits using Google dorks can help prevent accidental data exposure and unauthorized access. For example, as a part of its bug bounty program in 2020, Google encouraged ethical hackers to use Google dorks to discover vulnerabilities in their systems. These efforts led to the early detection of numerous vulnerabilities, preventing them from being exploited by malicious cybercriminals [7,8,9].

4.2. Shodan for Defense

Shodan, a search engine for IoT devices, indexes publicly accessible devices, services, and servers connected to the Internet [18,19,20]. While Shodan is commonly used by attackers to identify vulnerable devices, it can also be leveraged defensively to monitor the organization’s network and the broader Internet for any exposed assets. Security teams can conduct routine Shodan searches for their IP ranges to detect exposed devices or services that may have been left unsecured or misconfigured [19,20,21,22]. For example, a company might use Shodan to identify IoT devices, such as cameras, routers, or ICSs, that are publicly accessible and prone to exploitation. With such insights, they can take corrective actions, such as applying patches, changing default passwords, or even disconnecting unnecessary services [18,19,20]. This proactive approach minimizes the risk of cyber criminals exploiting open devices.

4.3. Censys for Defense

Censys is a powerful search engine designed to provide visibility into the Internet’s infrastructure by scanning and indexing web servers, websites, and IoT devices based on specific properties, such as software versions, encryption protocols, and service banners [30,31]. For cybersecurity professionals, Censys can be used to track changes in an organization’s infrastructure, identify potential vulnerabilities, and assess whether services are running outdated or insecure software, similar to Shodan.

On the other hand, Censys’s ability to scan large portions of the Internet continuously and provide detailed reports about vulnerabilities (such as those listed in the national vulnerability database) makes it an invaluable tool for defense teams [50,51,52,53,54]. By integrating Censys into their regular vulnerability assessment workflows, organizations can gain real-time insights into potential threats and address them before attackers can exploit them. Several universities have incorporated Censys into their cybersecurity programs, teaching students how to secure IoT devices [30,31,32]. This hands-on experience enables them to defend against cyber criminals who rely on publicly accessible IoT devices.

5. Development of Automated Cyber Threat Hunting Tool

After providing a brief overview of Google dorks, Shodan, and Censys, including their exploitation attempts and defensive uses, this section discusses the development of an automated all-in-one tool (Automated Cyber Threat Hunting V1.0) that integrates the functionalities of Google dorks, Shodan, and Censys. This tool offers a comprehensive platform for vulnerability detection and analysis. By automating the manual processes of searching and parsing data from these platforms, it enhances the efficiency of identifying exposed systems, devices, and sensitive information. Integrating these functionalities into a single tool saves time, reduces human error, and makes vulnerability detection more accessible to both cybersecurity professionals and individuals with limited expertise. The tool was developed using Python as a console-based application.

The development of the tool involved several key steps: (1) importing necessary libraries, (2) integrating API keys and secrets from Shodan and Censys, (3) automating data retrieval processes, and (4) consolidating results for streamlined analysis. The tool was refined through iterative testing to ensure accuracy and usability, culminating in its deployment as a Python-based console application.

The main intention behind developing this tool is to demonstrate that Google dorks, Shodan, and Censys can be effectively utilized not only for offensive purposes but as powerful resources for defensive and proactive cybersecurity measures. Integrating these tools into a single platform highlights their potential to enhance vulnerability detection and fortify critical systems against emerging threats.

5.1. Performance Metrics and Scalability Analysis

To evaluate the performance and scalability of the Automated Cyber Threat Hunting Tool V1.0, several metrics were considered:

Performance metrics:

• Response time
  The tool’s efficiency was measured by the average time it takes to retrieve and process results from Google dorks, Shodan, and Censys based on various queries.
• Accuracy
  The precision of the results was evaluated by comparing the tool’s findings with manually verified vulnerabilities and exposed systems.
• Resource utilization
  The tool’s CPU and memory usage were monitored to assess its efficiency during the scanning and data consolidation processes.
• Success rate
  The percentage of successful queries and retrieved results from each platform was tracked to measure the reliability of the tool.

Scalability analysis:

The tool was tested under varying conditions with increasing query volumes and system complexities. The performance was observed when processing queries with many filtration options from platforms like Shodan and Censys.

• Throughput
  The tool was assessed on how many queries it could handle within a given time frame, ensuring it can scale up to support enterprise-level operations.
• API limitations
  The tool’s scalability is also influenced by the API limits imposed by Shodan and Censys, which may impact its ability to handle large-scale data retrieval.

5.2. Tool Workflow and User Interaction

Once the user enters queries for Google dorks, Shodan, and Censys (as shown in Figure 7), the tool validates the input and processes it through its respective modules. For Google dorks, the tool generates a search URL that the user can access directly to view results (as shown in Figure 7). For Shodan and Censys, the tool uses API keys and credentials to securely interact with their services, retrieving data based on the user’s query. The results include details, such as exposed IPs, services, and sensitive information, depending on the platform’s functionality. The tool consolidates and presents these results in a user-friendly format, automating the traditional manual process of searching and parsing data. This allows users to efficiently identify vulnerabilities without needing in-depth expertise in using these platforms.

Figure 7. Automated Cyber Threat Hunting Tool V1.0.

The tool’s significance lies in its ability to streamline the vulnerability scanning process, providing users with a unified solution for detecting critical risks in digital infrastructure. As cyberattacks continue to grow in sophistication, tools like this become essential for proactive defense strategies, which will be discussed in detail in the next section. By automating vulnerability searches and consolidating results, the tool helps users quickly identify potential threats, assess risks, and take immediate action to protect sensitive systems. It empowers cybersecurity teams to respond faster to emerging threats and bolsters the overall resilience of critical infrastructure against evolving cyber risks.

5.3. Limitations

In terms of the limitations of the developed tool, its reliance on API access to Shodan and Censys may affect its functionality if API quotas are exceeded, or access is restricted. The accuracy of the tool’s results relies on the timeliness of the data indexed by these platforms, which may sometimes lag behind real-time updates to exposed systems. While it excels at reconnaissance and vulnerability scanning, the tool does not extend to penetration testing or exploit analysis, limiting its scope of analysis. Furthermore, as with any cybersecurity tool, there is a potential risk of misuse if it falls into unauthorized hands, underscoring the need for ethical usage guidelines. Even though the developed tool simplifies many processes, users still require a fundamental understanding of cybersecurity concepts to interpret the results effectively and take appropriate actions.

6. Proactive Defense Strategies Against Exploitation

In the ever-evolving landscape of cybersecurity, organizations must adopt proactive defense strategies to stay ahead of potential attackers. Unlike reactive defense, which addresses threats after they occur, proactive defense emphasizes the anticipation of attacks, identifying vulnerabilities before exploitation, and taking steps to mitigate risks early. This approach not only improves an organization’s ability to prevent security breaches but strengthens its overall resilience against sophisticated cyber threats. The following lists the proactive defense strategies that can be taken against Google dorks, Shodan, and Censys.

• Vulnerability management and patch management
  One of the fundamental strategies in proactive defense is the identification and management of vulnerabilities in an organization’s systems. Regular vulnerability assessments using tools like Shodan, Censys, and Google dorks can help identify exposed assets, outdated software, and security misconfigurations that may be susceptible to exploitation [2,3,4]. Once vulnerabilities are identified, patch management becomes crucial. This involves applying security patches, updates, and fixes promptly to prevent attackers from exploiting known vulnerabilities. Implementing automated patch management systems can reduce the risk of human error and ensure that updates are applied across the organization in a timely manner, making it more difficult for attackers to exploit known flaws.
• Network segmentation and least privilege access
  Another proactive defense measure is network segmentation, which involves dividing the network into smaller, isolated segments to limit the impact of a breach. If an attacker compromises one segment, they are restricted from moving laterally across the entire network [10,11]. This reduces the potential for exploitation of other critical systems. Additionally, the principle of least privileged access should be enforced, ensuring that users and systems are granted only the minimum permissions necessary to perform their tasks. This minimizes the attack surface and prevents attackers from gaining unauthorized access to sensitive data or critical infrastructure if they breach one part of the system [10,11].
• Continuous monitoring and threat intelligence
  Proactive defense strategies rely heavily on continuous monitoring to detect unusual activities and early indicators of compromise. Security information and event management (SIEM) tools can aggregate and analyze log data from across the network to identify suspicious patterns or signs of an attack in real-time. Threat intelligence services, such as those provided by vendors like FireEye, CrowdStrike, or open-source platforms like MISP, offer actionable insights into emerging threats and known attack methods that can be integrated into security protocols to prepare defenses accordingly [40,41,42,43]. By continuously monitoring the environment and incorporating threat intelligence, organizations can quickly identify and respond to potential attacks, even before they fully materialize [54].
• Red teaming and penetration testing
  Another highly effective proactive strategy is red teaming or penetration testing, where cybersecurity professionals simulate real-world attacks on the organization’s systems to identify vulnerabilities that could be exploited. Unlike traditional security audits, which focus on identifying specific vulnerabilities, red teaming provides a more comprehensive, adversarial approach that simulates the tactics, techniques, and procedures (TTPs) of actual cyber attackers [46,47,48,49,55,56]. This allows organizations to assess how well their defenses hold up against sophisticated attacks and identify weaknesses that may not be apparent through conventional testing. Penetration testing tools, like Metasploit and Nessus, help security teams uncover hidden vulnerabilities and flaws that could be exploited by attackers, providing them with actionable information to strengthen security before an attack occurs [46,47,48,49].
• User awareness and security training
  Human error remains one of the most significant factors in security breaches, making security awareness training a critical component of proactive defense. Organizations should provide ongoing training to employees on recognizing phishing emails, avoiding suspicious links, and adhering to best security practices, such as strong password policies and multi-factor authentication (MFA). Social engineering attacks, such as phishing, remain a major vector for exploitation, and training users to be aware of these tactics is essential in preventing initial access to systems. Regular drills, phishing simulations, and cybersecurity workshops can help build a security-conscious culture, reducing the likelihood of successful exploitation through human vulnerabilities [50,51,52,53].
• Incident response planning and simulation
  Proactive defense also includes having a well-defined incident response plan in place, which outlines the steps to take in the event of a breach. The plan should include procedures for containment, eradication, and recovery, ensuring that teams can respond swiftly to minimize damage. Conducting tabletop exercises and live simulations of cyberattacks can help prepare the response teams for real-world incidents. These exercises can identify gaps in the response plan and improve the organization’s ability to recover quickly from an attack [50,51,52,53].
• Regular vulnerability scanning
  Using Google dorks, Shodan, and Censys proactively allows organizations to stay ahead of potential attackers. By regularly scanning for exposed data and devices, vulnerabilities can be identified and patched before script kiddies or more advanced attackers can exploit them [6,7,8,55].
• Implementation of strong access controls
  Limiting access to sensitive systems through robust access controls is key to minimizing exposure [6,7,8]. This is especially critical in preventing script kiddies from using automated tools to access exposed systems [55,56].
• Encryption and proper configuration
  Encrypting sensitive data and ensuring that devices are properly configured can significantly reduce the risk posed by cybercriminals. Strong encryption protocols make it harder for attackers to exploit exposed vulnerabilities even if they are identified through these tools [6,7,8,9,10,55,56].

7. Conclusions

This paper explored the significant role of tools like Google dorks, Shodan, and Censys in modern cybersecurity, highlighting their dual nature as both assets and threats. These tools, initially designed for ethical purposes, are increasingly exploited by attackers, including low-skilled script kiddies, to locate vulnerabilities and launch sophisticated cyberattacks. Our findings emphasize the growing urgency for cybersecurity professionals to harness these tools defensively to mitigate the risks they pose. In the background and overview, we provided an in-depth analysis of script kiddies and their reliance on automated tools to exploit vulnerabilities in systems. By detailing the functionalities and evolution of Google dorks, Shodan, and Censys, we have demonstrated how these platforms simplify reconnaissance for attackers while offering valuable insights for defensive purposes. The inherent simplicity and accessibility of these tools make them both powerful and dangerous, depending on their application. The use cases section illustrated real-world incidents where these tools have been employed offensively. Google dorks has been instrumental in uncovering sensitive data through advanced search queries, as evidenced by major breaches like LinkedIn and Adobe. Similarly, Shodan has exposed vulnerabilities in critical infrastructure, such as the Ukrainian power grid and Tesla Powerpack systems, raising alarms about industrial system security. Censys has been used to identify weaknesses in IoT devices, with incidents like the Mirai botnet and healthcare IoT vulnerabilities demonstrating the far-reaching impacts of insecure connected devices. By contrast, the defensive applications of these tools were also highlighted. Organizations can use Google dorks to identify misconfigurations and exposed sensitive data, while Shodan and Censys allow for the detection of unsecured IoT devices, misconfigured systems, and outdated software. Employing these tools ethically enables organizations to preemptively address vulnerabilities and strengthen their cybersecurity posture. Nonetheless, with the addition of an automated all-in-one tool integrating these functionalities, we have demonstrated how these platforms can be harnessed for proactive defense. The tool streamlines vulnerability detection, reduces human error, and empowers users to efficiently identify and mitigate threats. By consolidating the capabilities of Google dorks, Shodan, and Censys into a single Python-based application, this development highlights their potential for enhancing critical infrastructure resilience. Ultimately, this work underscores the importance of adopting proactive strategies to address evolving cyber threats. The proactive defense strategies section outlined key measures to mitigate risks, including regular vulnerability scanning, patch management, network segmentation, and continuous monitoring. Emphasis was placed on fostering a culture of cybersecurity through user awareness training, red teaming exercises, and implementing robust incident response plans. These strategies ensure organizations can anticipate and counter potential threats effectively.

In conclusion, Google dorks, Shodan, and Censys exemplify the blurred lines between tools for protection and exploitation. Their widespread availability and powerful capabilities demand vigilant and ethical use. By adopting a proactive and layered defense strategy, organizations can leverage these tools to enhance their resilience against the ever-evolving cyber threat landscape. The findings of this study underline the critical importance of continuous monitoring, awareness, and adaptive defenses in safeguarding digital infrastructures.