What is Censys?
Censys was created in 2015 at the University of Michigan, by the security researchers who developed ZMap, the most widely used tool for Internet-wide scanning. So, Censys is a platform that helps information security practitioners discover, monitor, and analyze devices that are accessible from the Internet. Censys regularly probe every public IP address and popular domain names, curate and enrich the resulting data, and make it intelligible through an interactive search engine and API.
What is use of Censys?
Enterprises use Censys to understand their network attack surfaces. CERTs and security researchers use it to discover new threats and assess their global impact. From the creators of ZMap, the leading Internet-wide scanner, censys mission is to make security be driven by data.
How to use Censys?
Censys maintains three datasets through daily ZMap scans of the Internet and by synchronizing with public certificate transparency logs:
You can search for records that meet certain criteria (e.g., IPv4 hosts of google.com, or browser trusted certificates for google.com), generate reports on how websites are configured (e.g., what cipher suites are chosen by popular websites?), and track how networks have patched over time.
1. Simple Search
If you simply search for a word or phrase, Censys will return any records that contain the phrase. For example, searching for google will return any records that contain the word google. Searching for 184.108.40.206/8 will return all hosts in that network. Here are some simple search example -
- Hosts in 220.127.116.11/8 and 18.104.22.168/24
- Telnet and FTP hosts in India
- Popular websites without browser trusted certificates
- Popular websites that use Apache and support HTTPS
- Industrial Control Systems in India
- 100–110th most popular site per Alexa Top Million
- Trusted certificates for google.com
2. Advanced Search
Censys data is structured and supports more advanced queries including searching specific fields, specifying ranges of values, and boolean logic. For example, you can search for hosts with the HTTP Server Header "Apache" in India by running the query
80.http.get.headers.server: Apache and location.country_code: IN.
2.1 Specifying Fields
Censys records are structured and allow querying specific fields. For example, you can search for all hosts with a specific HTTP status code with the following query:
80.http.get.status_code: 200. You can view a list of defined fields under the Data Definitions tab or by looking at the details of a host. For example, here are the fields for one of Google web server.
2.2 Boolean Logic
You can compose multiple statements using the terms
parentheses. For example,
(Jio or BSNL) and 22.214.171.124/14. By default, all included terms are optional (i.e., executed as an or statement).
2.3 Networks, Host Names, and Protocols
You can search for IP addresses using
CIDR notation (e.g.,
ip:126.96.36.199/14) or by specifying a range of addresses:
ip:[188.8.131.52 TO 184.108.40.206]. You can search for hosts that serve a particular protocol by searching the protocols field, e.g.,
protocols: "102/s7". Inline DNS queries are possible with the following syntax:
You can search for ranges of numbers using
] for inclusive ranges and
} for exclusive ranges. For example,
80.http.get.status_code:[200 TO 300]. Dates should be formatted using the following syntax:
[2012-01-01 TO 2012-12-31]. One sided limits can also be specified:
[2012-01-01 TO *].
2.5 Wildcards and Regular Expressions
By default, Censys searches for complete words. In other words, the search BSN will not return records that contain the word BSNL. Wildcard searches can be run on individual terms, using
? to replace a single character, and
* to replace zero or more characters. For example, if you want to search for words that start with BSN, you would search for BSN*. You can also search using regular expressions, e.g., metadata.manufacturer:/BS[ll]/. You can find the full regex syntax here.
The boost operator (
^) can be used to make one term more relevant than another. For example,
metadata.manufacturer: BSNL^2 OR Jio places more preference on the BSNL keyword.
2.7 Reserved Characters
The following characters must be escaped with a backslash:
3. Censys REST API
The Censys REST API provides programmatic access to the same data accessible through the web interface. All API endpoints are hosted at https://censys.io/api/v1/ and require authenticating with HTTP basic auth using the API ID and secret that are shown under My Account. This page also lists the rate limits that apply to your account.
Censys provide the following API endpoints: search, view, report, and data