Censys Overview


Censys is a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet. Details on how Censys is architected and operated are available at About Censys. Instructions on how to use Censys are below.


Censys maintains three datasets through daily ZMap scans of the Internet and by synchronizing with public certificate transparency logs:

You can search for records that meet certain criteria (e.g., IPv4 hosts in Germany manufactured by Siemens, or browser trusted certificates for github.com), generate reports on how websites are configured (e.g., what cipher suites are chosen by popular websites?), and track how networks have patched over time.

We also post all of our raw data, provide programmatic access through a REST API, and publish reports on protocol deployment and the supporting PKI.

Simple Search


If you simply search for a word or phrase, Censys will return any records that contain the phrase. For example, searching for nginx will return any records that contain the word nginx. Searching for 23.0.0.0/8 will return all hosts in that network. Check out some of our example searches.

Advanced Search


Censys data is structured and supports more advanced queries including searching specific fields, specifying ranges of values, and boolean logic. For example, you can search for hosts with the HTTP Server Header "Apache" in Germany by running the query 80.http.get.headers.server: Apache and location.country_code: DE. [more information]

SQL Interface


To facilitate complex questions that can't be expressed in a single search, we also allow researchers to run SQL queries against the raw datasets and historical snapshots. [more information]

Below are a series of example queries:

Hosts in 23.0.0.0/8 and 8.8.8.0/24:


IPv4

Telnet and FTP hosts in Germany:


IPv4

Popular websites without browser trusted certificates:


Websites

Popular websites that use Apache and support HTTPS:


Websites

Mozilla NSS trusted intermediate CAs:


Certificates

Industrial Control Systems in the United States:


IPv4

Hosts in ASes that contain word University:


IPv4

1000–1010th most popular site per Alexa Top Million:


Websites

Trusted certificates for Github.com:


Certificates

By default, Censys performs full-text searches. For example, searching for Dell will find any hosts where the word Dell appears in the record—it won't limit the search to Dell manufactured devices. However, this is possible by querying specific fields using the follow syntax:

Specifying Fields


Censys records are structured and allow querying specific fields. For example, you can search for all hosts with a specific HTTP status code with the following query: 80.http.get.status_code: 200. You can view a list of defined fields under the Data Definitions tab or by looking at the details of a host. For example, here are the fields for the Censys web server.

Boolean Logic


You can compose multiple statements using the terms and, or, not, and parentheses. For example, ("Schneider Electric" or Dell) and 23.20.0.0/14. By default, all included terms are optional (i.e., executed as an or statement).

Networks, Host Names, and Protocols


You can search for IP addresses using CIDR notation (e.g., ip:23.20.0.0/14) or by specifying a range of addresses: ip:[23.20.0.0 TO 23.20.5.34]. You can search for hosts that serve a particular protocol by searching the protocols field, e.g., protocols: "102/s7".

Inline DNS queries are possible with the following syntax: a:facebook.com and mx:gmail.com.

Ranges


You can search for ranges of numbers using [ and ] for inclusive ranges and { and } for exclusive ranges. For example, 80.http.get.status_code:[200 TO 300]. Dates should be formatted using the following syntax: [2012-01-01 TO 2012-12-31]. One sided limits can also be specified: [2012-01-01 TO *]. Warning! The TO operator must be capitalized.

Wildcards and Regular Expressions


By default, Censys searches for complete words. In other words, the search Del will not return records that contain the word Dell. Wildcard searches can be run on individual terms, using ? to replace a single character, and * to replace zero or more characters. For example, if you want to search for words that start with Del, you would search for Del*.

You can also search using regular expressions, e.g., metadata.manufacturer:/De[ll]/. The full regex syntax is available here.

Boosting


The boost operator (^) can be used to make one term more relevant than another. For example, metadata.manufacturer: Dell^2 OR "Schneider Electric" places more preference on the Dell keyword.

Reserved Characters


The following characters must be escaped with a backslash: + - = & || > < ! ( ) { } [ ] ^ " ~ * ? : \ /.

Censys supports generating reports on aggregate statistics within a result set. For example, you can calculate the breakdown of cipher suites chosen by IPv4 hosts with browser trusted certificates by searching for 443.https.tls.validation.browser_trusted: true and then building a report in which you show the breakdown of the 443.https.tls.cipher_suite.name field:



Example Reports


Here are a couple of ideas to get you started:


The search interface only exposes current data and the query syntax is limited. To support more complex analysis and historical queries, Censys exposes daily snapshots of each dataset through Google BigQuery tables. These can be queried through the web interface and API, or imported into existing BigQuery projects.

For example, the following query would show the breakdown of cipher suites that IPv4 hosts with browser trusted certificates chose in December, 2015:

    SELECT p443.https.tls.cipher_suite.name, count(ip) FROM ipv4.20150902
    WHERE p443.https.tls.validation.browser_trusted=true
    GROUP BY p443.https.tls.cipher_suite.name;

Or you could download all data about hosts in the 8.8.0.0/16 network by exporting the results from the following query:

    SELECT * FROM ipv4.20150902
    WHERE ipint > PARSE_IP("8.8.0.0") and ipint < PARSE_IP("8.8.255.255");;

Warning! By default, SQL access is restricted to verified researchers and academic accounts. If you have a project that would benefit from SQL access, don't hesitate to contact us for access!