Censys

Censys provides comprehensive data on internet hosts, certificates, and services. Query via web interface or API for IP reconnaissance, SSL/TLS enumeration, and vulnerability discovery.

Getting Started

Web Interface

• Visit https://censys.io/
• Create free account (limited data)
• Premium account for full dataset and API access

API Setup

# Get API ID and Secret from Settings
export CENSYS_API_ID="your_api_id"
export CENSYS_API_SECRET="your_api_secret"

# Test API connection
curl -u "$CENSYS_API_ID:$CENSYS_API_SECRET" \
  https://censys.io/api/v2/account

# Check query credits
curl -u "$CENSYS_API_ID:$CENSYS_API_SECRET" \
  https://censys.io/api/v2/account | jq '.query_credits'

Basic Search Syntax

IPv4 Search

Query Type	Syntax	Example
Port	80:*	22:*
Service	service: "ssh"	service: "http"
Operating System	os: "Linux"	os: "Windows"
Organization	autonomous_system.organization: "Google"	autonomous_system.organization: "AWS"
Country	location.country_code: "US"	location.country_code: "CN"
Hostname	dns.names: "example.com"	dns.names: google.com
Certificate	tls.certificate.parsed.fingerprint: "..."	Subject name search
Banner	http.get.body: "nginx"	ftp.banner: "vsFTPd"

SSL/TLS Certificate Search

Query Type	Syntax	Example
Domain	dns_names: example.com	dns_names: google.com
Organization	parsed.subject.organization: "Google"	parsed.subject.organization: "Microsoft"
Issuer	parsed.issuer.organization: "Let's Encrypt"	parsed.issuer.organization: "DigiCert"
Expiration	not valid_to: [2024-01-01 TO 2024-12-31]	Date range queries
Self-signed	parsed.self_signed: true	parsed.self_signed: false
Wildcard	parsed.extensions.subject_alt_name.dns_names: *.example.com	Wildcard searches

Web Interface Queries

Finding Exposed Services

# Web servers on uncommon ports
80:* OR 8080:* OR 8000:* OR 3000:*

# SSH accessible
22:*

# Databases exposed
3306:* OR 5432:* OR 27017:* OR 6379:*

# RDP accessible
3389:*

# Elasticsearch exposed
9200:*

# Redis exposed
6379:*

# MongoDB exposed
27017:*

# MySQL accessible
3306:*

# PostgreSQL exposed
5432:*

Organization Reconnaissance

# All hosts for organization
autonomous_system.organization: "Google"

# By country and org
autonomous_system.organization: "Amazon" AND location.country_code: "US"

# Specific ASN
autonomous_system.asn: 15169

# Organization with specific port
autonomous_system.organization: "Microsoft" AND 443:*

# All services for organization
autonomous_system.organization: "Apple" AND service: *

# Websites hosted by organization
autonomous_system.organization: "CloudFlare" AND service: "HTTP"

Port & Service Enumeration

# Common web ports
80:* OR 443:* OR 8080:* OR 8443:*

# SSH servers
22:* AND service: "ssh"

# Specific service version
service: "OpenSSH 7.4"

# Mail servers
25:* OR 587:* OR 993:*

# DNS servers
53:*

# VNC servers
5900:*

# SSH with banner grab
22:* AND ssh.server.banner: *

# Custom services
service: "custom-app"

Vulnerability Hunting

# Outdated OpenSSL
tls.certificate.parsed.fingerprint: * AND tls.version: "TLSv1"

# Unpatched Web Servers
service: "Apache" AND service.banner: "2.2.*"

# Heartbleed-vulnerable (search for old OpenSSL)
service: "OpenSSL" AND tls.version: "TLSv1"

# Weak certificates (MD5)
tls.certificate.parsed.signature_algorithm.name: "md5WithRSAEncryption"

# Self-signed certificates (unusual)
not valid_from: [1970-01-01 TO 2024-12-31] AND self_signed: true

# Expired certificates
valid_to: [2000-01-01 TO 2020-12-31]

# Certificates expiring soon
valid_to: [2024-06-01 TO 2024-12-31]

API Usage

Query IPv4 Hosts

# Basic search
curl -u "$CENSYS_API_ID:$CENSYS_API_SECRET" \
  "https://censys.io/api/v2/hosts/search?q=80:*&per_page=50"

# Search with filters
curl -u "$CENSYS_API_ID:$CENSYS_API_SECRET" \
  "https://censys.io/api/v2/hosts/search?q=22:* AND location.country_code:US&per_page=100"

# Get specific IP details
curl -u "$CENSYS_API_ID:$CENSYS_API_SECRET" \
  "https://censys.io/api/v2/hosts/1.2.3.4"

# Get historical data
curl -u "$CENSYS_API_ID:$CENSYS_API_SECRET" \
  "https://censys.io/api/v2/hosts/1.2.3.4/trace?days=90"

Query Certificates

# Certificate search
curl -u "$CENSYS_API_ID:$CENSYS_API_SECRET" \
  "https://censys.io/api/v2/certificates/search?q=dns_names:example.com&per_page=100"

# Get certificate details
curl -u "$CENSYS_API_ID:$CENSYS_API_SECRET" \
  "https://censys.io/api/v2/certificates/86e2c7e7f8f3d3e4f5f6f7f8"

# Find hosts serving certificate
curl -u "$CENSYS_API_ID:$CENSYS_API_SECRET" \
  "https://censys.io/api/v2/certificates/86e2c7e7f8f3d3e4f5f6f7f8/services"

# Date range certificates
curl -u "$CENSYS_API_ID:$CENSYS_API_SECRET" \
  "https://censys.io/api/v2/certificates/search?q=parsed.validity.start:[2024-01-01 TO 2024-03-30]"

Python API Wrapper

#!/usr/bin/env python3
import requests
import json
import os

class CensysAPI:
    def __init__(self, api_id, api_secret):
        self.api_id = api_id
        self.api_secret = api_secret
        self.base_url = "https://censys.io/api/v2"
        self.auth = (api_id, api_secret)

    def search_ipv4(self, query, per_page=50):
        """Search IPv4 hosts"""
        url = f"{self.base_url}/hosts/search"
        params = {"q": query, "per_page": per_page}
        response = requests.get(url, auth=self.auth, params=params)
        return response.json()

    def get_host(self, ip):
        """Get details for specific IP"""
        url = f"{self.base_url}/hosts/{ip}"
        response = requests.get(url, auth=self.auth)
        return response.json()

    def get_host_history(self, ip, days=90):
        """Get historical data for IP"""
        url = f"{self.base_url}/hosts/{ip}/trace"
        params = {"days": days}
        response = requests.get(url, auth=self.auth, params=params)
        return response.json()

    def search_certificates(self, query, per_page=50):
        """Search SSL/TLS certificates"""
        url = f"{self.base_url}/certificates/search"
        params = {"q": query, "per_page": per_page}
        response = requests.get(url, auth=self.auth, params=params)
        return response.json()

    def get_certificate(self, cert_fingerprint):
        """Get certificate details"""
        url = f"{self.base_url}/certificates/{cert_fingerprint}"
        response = requests.get(url, auth=self.auth)
        return response.json()

    def get_certificate_hosts(self, cert_fingerprint):
        """Find hosts serving certificate"""
        url = f"{self.base_url}/certificates/{cert_fingerprint}/services"
        response = requests.get(url, auth=self.auth)
        return response.json()

# Usage
api_id = os.getenv("CENSYS_API_ID")
api_secret = os.getenv("CENSYS_API_SECRET")
censys = CensysAPI(api_id, api_secret)

# Search for hosts
results = censys.search_ipv4("80:* AND location.country_code:US", per_page=100)
print(json.dumps(results, indent=2))

# Get IP details
ip_data = censys.get_host("1.2.3.4")
print(ip_data)

# Search certificates
cert_results = censys.search_certificates("dns_names:example.com")
print(cert_results)

# Get certificate details
cert_data = censys.get_certificate("86e2c7e7f8f3d3e4f5f6f7f8")
print(cert_data)

Advanced Search Techniques

Reconnaissance Workflows

Domain Intelligence

# Find all hosts for domain (via DNS)
dns.names: example.com

# Get all certificates for domain
dns_names: example.com

# Hosts with MX records
autonomous_system.organization: example AND 25:*

# All services for domain
dns.names: example.com AND service: *

# Subdomain enumeration
dns.names: "*.example.com"

Organization ASN Enumeration

# Find ASN for organization
autonomous_system.organization: "Target Org"

# All hosts in ASN
autonomous_system.asn: 65000

# By country
autonomous_system.asn: 65000 AND location.country_code: US

# With specific ports
autonomous_system.asn: 65000 AND 22:*

Vulnerability Discovery

# Outdated services
service.banner: "Apache/2.2.*"

# Self-signed certs (suspicious)
tls.certificate.parsed.self_signed: true

# Soon-to-expire certificates
valid_to: [2024-09-01 TO 2024-12-31]

# Weak TLS
tls.version: "TLSv1" OR tls.version: "SSLv3"

# Specific vulnerable versions
service.banner: "OpenSSL 1.0.1*"

Large-Scale Enumeration

# All web servers in country
80:* AND location.country_code: US

# All SSH servers in organization
22:* AND autonomous_system.organization: "Google"

# Database servers
3306:* OR 5432:* OR 27017:*

# Uncommon ports (potential misconfigurations)
9000:* OR 9200:* OR 8888:*

# Admin interfaces
80:* AND http.get.body: "admin"

Command-Line Tools

Using censysctl (if available)

# Install censysctl
pip install censysctl

# Configure credentials
censysctl config set api_id $CENSYS_API_ID
censysctl config set api_secret $CENSYS_API_SECRET

# Search hosts
censysctl hosts search "80:*" --limit 100

# Get IP details
censysctl hosts view 1.2.3.4

# Search certificates
censysctl certs search "dns_names:example.com"

Reconnaissance Playbooks

Target Organization Enumeration

#!/bin/bash
# Complete organization reconnaissance

ORG="Target Organization"
API_ID=$CENSYS_API_ID
API_SECRET=$CENSYS_API_SECRET

# Find ASN
echo "Finding ASN for $ORG..."
curl -u "$API_ID:$API_SECRET" \
  "https://censys.io/api/v2/hosts/search?q=autonomous_system.organization:\"$ORG\"&per_page=1" \
  | jq '.results[0].autonomous_system.asn' > asn.txt

ASN=$(cat asn.txt)
echo "ASN: $ASN"

# Enumerate all hosts in ASN
echo "Enumerating ASN $ASN..."
curl -u "$API_ID:$API_SECRET" \
  "https://censys.io/api/v2/hosts/search?q=autonomous_system.asn:$ASN&per_page=500" \
  | jq '.results[] | {ip: .ip, ports: .services[].port}' | tee asn_hosts.json

# Find web servers
curl -u "$API_ID:$API_SECRET" \
  "https://censys.io/api/v2/hosts/search?q=autonomous_system.asn:$ASN AND 80:*&per_page=100" \
  | jq '.results[].ip' > web_servers.txt

# Find SSH
curl -u "$API_ID:$API_SECRET" \
  "https://censys.io/api/v2/hosts/search?q=autonomous_system.asn:$ASN AND 22:*&per_page=100" \
  | jq '.results[].ip' > ssh_servers.txt

echo "Results saved"

SSL/TLS Certificate Enumeration

#!/bin/bash
# Find all certificates and host relationships

DOMAIN="example.com"
API_ID=$CENSYS_API_ID
API_SECRET=$CENSYS_API_SECRET

# Find certificates
echo "Searching certificates for $DOMAIN..."
curl -u "$API_ID:$API_SECRET" \
  "https://censys.io/api/v2/certificates/search?q=dns_names:$DOMAIN&per_page=100" \
  | jq '.results[] | {fingerprint: .fingerprint_sha256, names: .dns_names}' | tee certs.json

# For each certificate, find hosts serving it
while IFS= read -r fingerprint; do
  echo "Finding hosts for cert: $fingerprint"
  curl -u "$API_ID:$API_SECRET" \
    "https://censys.io/api/v2/certificates/$fingerprint/services" \
    | jq '.services[] | {ip: .ip, port: .port}' >> cert_hosts.json
done < <(jq -r '.[] | .fingerprint' certs.json)

Rate Limiting

• Free tier: Limited queries per month
• Premium: Higher quotas
• Check query credits: curl -u "$API_ID:$API_SECRET" https://censys.io/api/v2/account
• Implement delays between requests

import time

def rate_limited_search(censys_obj, query, delay=2):
    """Search with rate limiting"""
    time.sleep(delay)
    return censys_obj.search_ipv4(query)

Common Issues

High Memory Usage on Large Datasets

# Use pagination with per_page limit
curl -u "$API_ID:$API_SECRET" \
  "https://censys.io/api/v2/hosts/search?q=80:*&per_page=50&page=1"

# Process in batches
for page in {1..100}; do
  curl -u "$API_ID:$API_SECRET" \
    "https://censys.io/api/v2/hosts/search?q=80:*&per_page=50&page=$page" \
    | jq '.results[] | .ip' >> ips.txt
  sleep 2  # Rate limiting
done

Resources

• Censys Official Site
• Query Language Docs
• GitHub: Censys Tools
• Community Forum

---

Last updated: 2026-03-30