Censys is a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet. Details on how Censys is architected and operated are available at About Censys. Instructions on how to use Censys are below.
You can search for records that meet certain criteria (e.g., IPv4 hosts in Germany manufactured by Siemens, or browser trusted certificates for github.com), generate reports on how websites are configured (e.g., what cipher suites are chosen by popular websites?), and track how networks have patched over time.
If you simply search for a word or phrase,
Censys will return any records that contain the phrase. For example, searching
nginx will return any records that contain the word nginx.
220.127.116.11/8 will return all hosts in that
network. Check out some of our example searches.
Censys data is structured and supports more
advanced queries including searching specific fields, specifying ranges of
values, and boolean logic. For example, you can search for hosts with the HTTP
Server Header "Apache" in Germany by running the query
80.http.get.headers.server: Apache and location.country_code: DE.
To facilitate complex questions that can't be expressed in a single search, we also allow researchers to run SQL queries against the raw datasets and historical snapshots. [more information]
Below are a series of example queries:
Hosts in 18.104.22.168/8 and 22.214.171.124/24:
Telnet and FTP hosts in Germany:
Popular websites without browser trusted certificates:
Popular websites that use Apache and support HTTPS:
Mozilla NSS trusted intermediate CAs:
Industrial Control Systems in the United States:
Hosts in ASes that contain word University:
1000–1010th most popular site per Alexa Top Million:
Trusted certificates for Github.com:
By default, Censys performs full-text searches. For example, searching for
Dell will find any hosts where the word Dell appears in the
record—it won't limit the search to Dell manufactured devices. However, this is possible
by querying specific fields using the follow syntax:
Censys records are structured and allow
querying specific fields. For example, you can search for all hosts with a
specific HTTP status code with the following query:
200. You can view a list of defined fields under the Data
Definitions tab or by looking at the details of a host.
For example, here are the fields for the Censys web server.
You can compose multiple statements using the terms
not, and parentheses. For example,
("Schneider Electric" or Dell) and 126.96.36.199/14. By
default, all included terms are optional (i.e., executed as an
Networks, Host Names, and Protocols
You can search for IP
addresses using CIDR notation (e.g.,
ip:188.8.131.52/14) or by specifying a range of addresses:
ip:[184.108.40.206 TO 220.127.116.11]. You can search for
hosts that serve a particular protocol by searching the protocols field, e.g.,
You can search for ranges of numbers using
for inclusive ranges and
} for exclusive
ranges. For example,
80.http.get.status_code:[200 TO 300].
Dates should be formatted using the following syntax:
TO 2012-12-31]. One sided limits can also be specified:
[2012-01-01 TO *]. Warning!
TO operator must be capitalized.
Wildcards and Regular Expressions
By default, Censys searches for complete words. In other words, the search
Del will not return records that contain the word
Wildcard searches can be run on individual terms, using
replace a single character, and
* to replace zero or more
characters. For example, if you want to search for words that start with
Del, you would search for
You can also search using regular expressions, e.g.,
metadata.manufacturer:/De[ll]/. The full regex syntax is available
The boost operator (
^) can be used to
make one term more relevant than another. For example,
metadata.manufacturer: Dell^2 OR "Schneider Electric" places more
preference on the Dell keyword.
The following characters must be escaped with a backslash:
Censys supports generating reports on aggregate statistics within a result
set. For example, you can calculate the breakdown of cipher suites chosen by
IPv4 hosts with browser trusted certificates by searching for
443.https.tls.validation.browser_trusted: true and then
building a report in which you show the breakdown of the
Here are a couple of ideas to get you started:
The search interface only exposes current data and the query syntax is limited. To support more complex analysis and historical queries, Censys exposes daily snapshots of each dataset through Google BigQuery tables. These can be queried through the web interface and API, or imported into existing BigQuery projects.
For example, the following query would show the breakdown of cipher suites that IPv4 hosts with browser trusted certificates chose in December, 2015:
SELECT p443.https.tls.cipher_suite.name, count(ip) FROM ipv4.20150902 WHERE p443.https.tls.validation.browser_trusted=true GROUP BY p443.https.tls.cipher_suite.name;
Or you could download all data about hosts in the 18.104.22.168/16 network by exporting the results from the following query:
SELECT * FROM ipv4.20150902 WHERE ipint > PARSE_IP("22.214.171.124") and ipint < PARSE_IP("126.96.36.199");;
Warning! By default, SQL access is restricted to verified researchers and academic accounts. If you have a project that would benefit from SQL access, don't hesitate to contact us for access!