Skip to content
Breachfolio
CYBERSECURITY · OSINT

Shodan and Censys explained.

Shodan and Censys are search engines for internet-exposed devices — what they index, real query examples, the legal line, OPSEC and free-tier limits.

July 16, 202613 min read

Google indexes what people publish: pages, links, words on a screen. Shodan and Censys index what machines expose: the open ports, running services, software versions, and TLS certificates of devices connected directly to the internet. They are search engines for the infrastructure layer — the routers, servers, webcams, databases, industrial controllers, and forgotten staging boxes that answer when something knocks on a port. If you do OSINT or defend an attack surface, these two are among the first tools you learn, and the pair that most beginners confuse. This article explains what they actually do, how they differ, how to query them with real examples, and where the legal and ethical line sits.

IP addressOpen portsService bannersTLS certificateGeolocation / ASN
What internet-wide scanners index for every exposed host.

Search engines that connect, not crawl

A web crawler like Googlebot follows hyperlinks. It starts on a page, reads the links, follows them, and builds an index of human-readable content. It never opens a raw port or asks a server "what are you running?" — it just requests web pages the way a browser would.

Shodan and Censys work the opposite way. They continuously scan the entire routable IPv4 address space (and a growing slice of IPv6), connecting to common ports — 21, 22, 23, 80, 443, 3389, and thousands more — and recording exactly what answers. They do not care whether a link points to the device. If it has a public IP and a service listening, it eventually shows up in the index. This is the same class of activity as an internet-wide port scan, but done once, centrally, and stored so you can query the results instead of scanning yourself.

The practical consequence: you can learn an enormous amount about internet-facing infrastructure without ever sending a single packet to the target. From your side, a Shodan or Censys search is passive — you are reading a database somebody else already collected.

What a banner is, and why it is the whole game

When you connect to a service, it usually greets you. That greeting — the service type, software name, version, supported options, sometimes a hostname or a login prompt — is called a banner. Grabbing banners at internet scale is the core of what these engines do. Here is what a plain HTTP banner looks like when you fetch it by hand:

$ curl -sI http://example.org
HTTP/1.1 200 OK
Server: nginx/1.24.0            # software + exact version
Date: Wed, 15 Jul 2026 09:14:02 GMT
Content-Type: text/html
X-Powered-By: PHP/8.2.4         # even more version detail leaks here

An SSH service is just as chatty before you ever authenticate:

$ nc example.org 22
SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13   # protocol, product, build, distro

Multiply that across every open port on the internet and you have Shodan and Censys. From a banner alone you can often tell the exact software, its version (and therefore its known vulnerabilities), the operating system, and sometimes the organisation that owns it.

What they index

Both engines store far more than a raw text banner. A typical host record contains:

  • Open ports and services. Which ports answer, and what protocol each speaks (HTTP, SSH, RDP, MQTT, Modbus, and so on).
  • Software and versions. Parsed from banners — nginx 1.24.0, OpenSSH 9.6, MongoDB 7.0 — which maps directly to CVEs.
  • TLS certificates. Subject and issuer, common name (CN) and subject alternative names (SANs), validity dates, and fingerprints. Certificates are a goldmine for pivoting between hosts that share one.
  • HTTP metadata. Page title, response headers, and even a hash of the favicon — a surprisingly reliable way to fingerprint a specific application or admin panel.
  • Geolocation and network ownership. Approximate country and city, plus the ASN and organisation the IP belongs to (see how names, IPs and networks relate in domains vs subdomains).
  • Vulnerability hints. Both tag hosts with likely CVEs based on the version they advertise. This is inference from a banner, not proof of exploitability.
  • Screenshots of exposed web, VNC, and RDP services (Shodan, on paid tiers).

Shodan vs Censys: two philosophies

Shodan (shodan.io)

Created by John Matherly and public since 2009, Shodan is the original "search engine for internet-connected devices." Its personality is device- and protocol-centric. It shines on the weird, non-web corners of the internet: industrial control systems (ICS/SCADA), IoT, VNC, RDP, databases, printers, maritime and building-automation gear. It carries deep historical banner data, a friendly one-line filter syntax, a well-documented API, an official command-line client, and bolt-on products like Shodan Maps, Images, Monitor, and an Exploits index. If your question is "what strange thing is exposed on this network?", Shodan usually gets you there first.

Censys (censys.io)

Censys grew out of academic research at the University of Michigan — the same group behind the ZMap fast-scanner — and went commercial in 2017. Its personality is data- and certificate-centric. It performs frequent full-internet scans, keeps a rigorously structured host schema, and treats TLS certificates as a first-class dataset fed by both its own scans and Certificate Transparency logs. The query language is more verbose but more precise: you filter on explicit nested fields rather than short keywords. Analysts who want clean, structured, certificate-heavy data for attack-surface management tend to prefer Censys.

Neither is strictly "better." Shodan is faster to eyeball and stronger on odd protocols and history; Censys is stronger on structured queries, certificates, and fresh full-scan coverage. Serious researchers use both and cross-check.

Shodan queries you will actually use

Shodan filters are key:value pairs; bare words are full-text banner matches. Note that Shodan uses two-letter country codes (ES, not "Spain"). These examples are framed around inventorying infrastructure you own or are authorised to assess:

product:"Apache httpd" country:"ES" port:443   # Apache on 443, hosted in Spain
http.title:"Login"                             # pages whose <title> contains "Login"
org:"Your Company Ltd"                          # everything Shodan maps to that org
net:203.0.113.0/24                              # a specific CIDR block you own
ssl.cert.subject.cn:"example.com"               # hosts serving a cert with that CN
hostname:example.com                            # banners tied to that hostname
http.favicon.hash:-1234567890                   # every host sharing one favicon
vuln:CVE-2021-44228                             # hosts flagged for a CVE (paid filter)

Combine filters with spaces (implicit AND) and prefix with - to negate. Before running a full search, count is your friend — it returns just the number of matches and is cheap:

$ shodan init YOUR_API_KEY
$ shodan count 'port:443 country:ES'
1893472
$ shodan host 8.8.8.8                            # everything known about one IP
$ shodan search --fields ip_str,port,org 'ssl.cert.subject.cn:"example.com"'

Censys queries

Censys Search uses a structured language with explicit field paths joined by and / or. It accepts country names, and the fields read almost like documentation:

services.service_name: HTTP and location.country: "Spain"
services.port: 443 and services.tls.certificates.leaf_data.subject.common_name: "example.com"
autonomous_system.organization: "Your Company Ltd"
services.software.product: "nginx" and location.country_code: ES
dns.names: example.com and services.service_name: HTTPS

The verbosity is the point: because every attribute lives at a known path, a Censys query is unambiguous and easy to script against the API. The same certificate-pivot idea as Shodan's ssl.cert.subject.cn becomes the explicit services.tls.certificates.leaf_data.subject.common_name.

The command line: shodan and nrich

You do not need the website. The official shodan Python CLI covers search, count, host lookups, and streaming. For quick triage of a list of IPs, Shodan also ships nrich, which queries the free InternetDB service (no paid key required) and prints open ports and known CVEs per IP:

$ cat my-ips.txt
203.0.113.10
203.0.113.42
$ nrich my-ips.txt
203.0.113.10 (host.example.com)
  Ports: 22, 80, 443
  CVEs:  CVE-2023-38408
203.0.113.42
  Ports: 3389
  CVEs:  None found

That single command turns a raw IP list into a first-pass exposure report — ideal for auditing your own ranges.

Legitimate uses, and the legal line

These are mainstream, defensible tools when used for the right things:

  • Know your own attack surface. Search your CIDR blocks, org name, and certificate CN to find shadow IT, forgotten staging servers, exposed databases, and management interfaces you never meant to publish.
  • Threat intelligence. Fingerprint and track adversary infrastructure, C2 panels, and phishing kits by certificate, favicon hash, or banner signature.
  • Research and measurement. Study how a vulnerability spreads or how quickly the internet patches after a disclosure.
  • Investigations. Enrich an IP or domain during an inquiry — this pairs naturally with investigating a suspicious domain and reading WHOIS.

Now the boundary, stated plainly. Querying Shodan or Censys is passive OSINT: you are reading a dataset, not touching the target, and looking at a banner someone chose to expose is not a crime. But the results are addresses of real systems, and what you do next is where the law lives. The moment you connect to a discovered device you do not own, try a default or leaked credential, submit input to probe for flaws, or run an exploit, you have left OSINT and almost certainly broken computer-misuse law — the US Computer Fraud and Abuse Act, the UK Computer Misuse Act, and their equivalents elsewhere. "It was open on Shodan" has never been a defence. Observe, do not interact; document, do not exploit; and only act against systems you own or have explicit, written authorisation to test.

OPSEC and the limits of free plans

Because you query the engines rather than the target, your searches do not appear in the target's logs — but the search provider does log you. Use it accordingly, and mind the free-tier ceilings:

  • Shodan. A free account is required even to use filters, and it caps how much you see. Historically Shodan sells a one-time lifetime membership (often discounted) that unlocks more filters, results, and API query credits; some filters (like vuln:) and screenshots require higher tiers. Watch your API query creditscount spends far fewer than a full search.
  • Censys. A free community tier gives a limited number of queries per month and shallow result pagination, with bulk export and the richer datasets reserved for paid plans.
  • General OPSEC. Research from a dedicated account and, for sensitive work, a separate browser profile or VM behind a VPN. Never turn a search result into an unauthorised connection. If you do need to actively verify a host, do it only inside a signed scope — and remember that active scanning is a different legal posture from querying an index.

Alternatives worth knowing

  • ZoomEye — a device and web-app search engine from Knownsec, historically strong on assets in Asia, with a Shodan-like app:/country: dork syntax and a credit-based free tier.
  • FOFA — a Chinese internet-asset engine known for powerful fingerprint queries over title=, body=, cert=, and domain= fields; excellent for hunting look-alike infrastructure.
  • Netlas — searchable internet-scan data (hosts, certificates, DNS, WHOIS) with an Elasticsearch-style query DSL and a relatively generous free daily allowance.
  • GreyNoise — the odd one out, and the perfect complement. Instead of cataloguing exposed devices, it characterises the scanners. When an IP hits your firewall, GreyNoise tells you whether it is internet "background noise" hammering everyone or something actually targeting you, and its RIOT dataset flags benign common services — a huge cut in false positives during triage.
  • Shodan Exploits and Exploit-DB — once you have a version from a banner, these map it to known exploits and PoCs. Use them to understand and prioritise risk on your own systems, never to attack others.

The engines side by side

EngineFree tier?Strong atQuery style
ShodanYes (limited); one-time paid membership commonIoT, ICS/SCADA, odd protocols, history, exploitsShort key:value filters, e.g. port:443 org:"..."
CensysYes (limited monthly queries)Certificates, structured host data, fresh full scansExplicit field paths, e.g. services.port: 443 and ...
ZoomEyeYes (credit-based)Web apps and assets, strong Asia coverageDorks, e.g. app:"nginx" country:"CN"
NetlasYes (daily allowance)Certificates, DNS/WHOIS, responses in one placeElasticsearch-style DSL, e.g. http.title:"Login"

Tools and resources

The mindset that ties it together is simple. Shodan and Censys do not hack anything; they hold a mirror up to the internet and let you read what is already exposed. That makes them indispensable for defenders auditing their own surface and for researchers mapping the wider one — and it puts the entire ethical weight on the step after the search. Find, understand, and fix what is yours. Never touch what is not.

Frequently asked questions

Is using Shodan legal?
Yes. Searching Shodan (or Censys) is passive OSINT — you are querying a database of banners the engine already collected, not connecting to or attacking any target, so simply looking is legal in the vast majority of jurisdictions. The tools are used every day by defenders, researchers, and academics. The legality changes entirely based on what you do with a result: the moment you connect to a device you do not own, try a credential, probe for flaws, or run an exploit, you cross into unauthorised access and likely break laws such as the US Computer Fraud and Abuse Act or the UK Computer Misuse Act. "It was exposed on Shodan" is not a defence. Observe and document; never interact with systems you are not authorised to test.
Shodan vs Censys — which is better?
Neither is universally better; they have different strengths. Shodan is faster to skim, has a friendlier one-line filter syntax, keeps deep historical data, and is stronger on IoT, industrial control systems, and unusual non-web protocols. Censys has a more rigid but more precise structured query language, excellent TLS-certificate data fed by Certificate Transparency, and frequent full-internet scans that keep coverage fresh. For odd exposed devices and quick eyeballing, reach for Shodan; for structured, certificate-heavy attack-surface work you will script against, reach for Censys. Experienced analysts use both and cross-check, because each occasionally sees a host the other misses.
Is Shodan free?
Partly. You can browse some results and need a free account to use filters at all, but the free tier caps how many results and which filters you can access. Shodan has historically sold a one-time lifetime membership (frequently discounted) that unlocks more filters, screenshots, larger result sets, and API query credits, with higher subscription tiers for heavy or commercial use. Censys offers a similar model: a free community tier with a limited number of monthly queries and shallow pagination, and paid plans for bulk data and the richer datasets. For zero-cost host triage, Shodan's InternetDB and the nrich CLI need no paid key at all.
Can Shodan find my devices, and how do I protect them?
If a device has a public IP with a service listening, Shodan and Censys will eventually index it — no link or exposure on your part is required beyond being reachable. To reduce your footprint: put management interfaces (SSH, RDP, databases, admin panels) behind a VPN or firewall instead of the open internet, close ports you do not need, require authentication everywhere and change default credentials, keep software patched so version banners do not advertise known CVEs, and periodically search your own IP ranges, organisation name, and certificate common names on both engines to catch anything exposed by mistake. Shodan Monitor and Censys attack-surface features can alert you when something new appears.
Shodan vs Nmap — what is the difference?
They answer related questions in opposite ways. Nmap is an active scanner: you point it at targets and it sends packets to them in real time to discover ports, services, and versions — which means it touches the target, appears in their logs, and requires authorisation to be legal against systems you do not own. Shodan is a search engine over data already collected by someone else's continuous internet-wide scanning: querying it sends nothing to the target and is passive from your side. Use Shodan for fast, no-touch reconnaissance and inventory; use Nmap when you have permission and need current, precise, verified results. For how large-scale active scanning itself works, see our Nmap vs Masscan comparison.
What can attackers actually do with Shodan?
Shodan gives an attacker the same passive reconnaissance it gives a defender — a map of exposed services, versions, and likely vulnerabilities across the internet — which is precisely why defenders should use it first. It cannot break into anything on its own; it only reveals what is already reachable. The realistic risk is that it makes finding low-hanging fruit trivial: unpatched software with a known CVE, databases left open without authentication, or default-credentialed devices. The defence is the same list that protects you from anyone: do not expose what does not need exposing, patch so your banners do not advertise old vulnerabilities, authenticate everything, and audit your own attack surface on these engines before someone else does.