Censys maintains three datasets through daily ZMap scans of the Internet and by synchronizing with public certificate transparency logs:
You can search for records that meet certain criteria (e.g., IPv4 hosts in Germany manufactured by Siemens, or browser trusted certificates for github.com), generate reports on how websites are configured (e.g., what cipher suites are chosen by popular websites?), and track how networks have patched over time.
We also post all of our raw data, provide programmatic access through a REST API, and publish reports on protocol deployment and the supporting PKI.
Simple Search
If you simply search for a word or phrase,
Censys will return any records that contain the phrase. For example, searching
for nginx
will return any records that contain the word nginx.
Searching for 23.0.0.0/8
will return all hosts in that
network. Check out some of our example searches.
Advanced Search
Censys data is structured and supports more
advanced queries including searching specific fields, specifying ranges of
values, and boolean logic. For example, you can search for hosts with the HTTP
Server Header "Apache" in Germany by running the query
80.http.get.headers.server: Apache and location.country_code: DE
.
[more information]
By default, Censys performs full-text searches. For example, searching for
Dell
will find any hosts where the word Dell appears in the
record—it won't limit the search to Dell manufactured devices. However, this is possible
by querying specific fields using the follow syntax:
Specifying Fields
Censys records are structured and allow
querying specific fields. For example, you can search for all hosts with a
specific HTTP status code with the following query: 80.http.get.status_code:
200
. You can view a list of defined fields under the Data
Definitions tab or by looking at the details of a host.
For example, here are the fields for the Censys certificate.
Boolean Logic
You can compose multiple statements using the terms and
,
or
, not
, and parentheses. For example, ("Schneider Electric" or Dell) and 23.20.0.0/14
. By
default, all included terms are optional (i.e., executed as an or
statement).
Ranges
You can search for ranges of numbers using [
and ]
for inclusive ranges and {
and }
for exclusive
ranges. For example, 80.http.get.status_code:[200 TO 300]
.
Dates should be formatted using the following syntax: [2012-01-01
TO 2012-12-31]
. One sided limits can also be specified:
[2012-01-01 TO *]
. Warning!
The TO
operator must be capitalized.
Wildcards and Regular Expressions
By default, Censys searches for complete words. In other words, the search
Del
will not return records that contain the word Dell
.
Wildcard searches can be run on individual terms, using ?
to
replace a single character, and *
to replace zero or more
characters. For example, if you want to search for words that start with
Del, you would search for Del*
.
You can also search using regular expressions, e.g.,
metadata.manufacturer:/De[ll]/
. The full regex syntax is available
here.
Boosting
The boost operator (^
) can be used to
make one term more relevant than another. For example,
metadata.manufacturer: Dell^2 OR "Schneider Electric"
places more
preference on the Dell keyword.
Reserved Characters
The following characters must be escaped with a backslash:
+
-
=
&
||
>
<
!
(
)
{
}
[
]
^
"
~
*
?
:
\
/
.
Hosts in 23.0.0.0/8 and 8.8.8.0/24:
Telnet and FTP hosts in Germany:
Popular websites without browser trusted certificates:
Popular websites that use Apache and support HTTPS:
Mozilla NSS trusted intermediate CAs:
Industrial Control Systems in the United States:
Hosts in ASes that contain word University:
1000–1010th most popular site per Alexa Top Million:
Trusted certificates for Github.com:
Below are the fields defined in the index.
Query Expansion
Censys expands queries to provide additional functionality. For example, the query a:zmap.io
executes a DNS lookup and expands to ip:141.212.120.90
.
Your query was changed from:
parsed.serial_number: 121426
parsed.serial_number: 121426
If this isn't what you intended, you can run your raw query without expansion.