Shodan and Censys explained.
Shodan and Censys are search engines for internet-exposed devices — what they index, real query examples, the legal line, OPSEC and free-tier limits.
Google indexes what people publish: pages, links, words on a screen. Shodan and Censys index what machines expose: the open ports, running services, software versions, and TLS certificates of devices connected directly to the internet. They are search engines for the infrastructure layer — the routers, servers, webcams, databases, industrial controllers, and forgotten staging boxes that answer when something knocks on a port. If you do OSINT or defend an attack surface, these two are among the first tools you learn, and the pair that most beginners confuse. This article explains what they actually do, how they differ, how to query them with real examples, and where the legal and ethical line sits.
Search engines that connect, not crawl
A web crawler like Googlebot follows hyperlinks. It starts on a page, reads the links, follows them, and builds an index of human-readable content. It never opens a raw port or asks a server "what are you running?" — it just requests web pages the way a browser would.
Shodan and Censys work the opposite way. They continuously scan the entire routable IPv4 address space (and a growing slice of IPv6), connecting to common ports — 21, 22, 23, 80, 443, 3389, and thousands more — and recording exactly what answers. They do not care whether a link points to the device. If it has a public IP and a service listening, it eventually shows up in the index. This is the same class of activity as an internet-wide port scan, but done once, centrally, and stored so you can query the results instead of scanning yourself.
The practical consequence: you can learn an enormous amount about internet-facing infrastructure without ever sending a single packet to the target. From your side, a Shodan or Censys search is passive — you are reading a database somebody else already collected.
What a banner is, and why it is the whole game
When you connect to a service, it usually greets you. That greeting — the service type, software name, version, supported options, sometimes a hostname or a login prompt — is called a banner. Grabbing banners at internet scale is the core of what these engines do. Here is what a plain HTTP banner looks like when you fetch it by hand:
$ curl -sI http://example.org
HTTP/1.1 200 OK
Server: nginx/1.24.0 # software + exact version
Date: Wed, 15 Jul 2026 09:14:02 GMT
Content-Type: text/html
X-Powered-By: PHP/8.2.4 # even more version detail leaks here
An SSH service is just as chatty before you ever authenticate:
$ nc example.org 22
SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13 # protocol, product, build, distro
Multiply that across every open port on the internet and you have Shodan and Censys. From a banner alone you can often tell the exact software, its version (and therefore its known vulnerabilities), the operating system, and sometimes the organisation that owns it.
What they index
Both engines store far more than a raw text banner. A typical host record contains:
- Open ports and services. Which ports answer, and what protocol each speaks (HTTP, SSH, RDP, MQTT, Modbus, and so on).
- Software and versions. Parsed from banners —
nginx 1.24.0,OpenSSH 9.6,MongoDB 7.0— which maps directly to CVEs. - TLS certificates. Subject and issuer, common name (CN) and subject alternative names (SANs), validity dates, and fingerprints. Certificates are a goldmine for pivoting between hosts that share one.
- HTTP metadata. Page title, response headers, and even a hash of the favicon — a surprisingly reliable way to fingerprint a specific application or admin panel.
- Geolocation and network ownership. Approximate country and city, plus the ASN and organisation the IP belongs to (see how names, IPs and networks relate in domains vs subdomains).
- Vulnerability hints. Both tag hosts with likely CVEs based on the version they advertise. This is inference from a banner, not proof of exploitability.
- Screenshots of exposed web, VNC, and RDP services (Shodan, on paid tiers).
Shodan vs Censys: two philosophies
Shodan (shodan.io)
Created by John Matherly and public since 2009, Shodan is the original "search engine for internet-connected devices." Its personality is device- and protocol-centric. It shines on the weird, non-web corners of the internet: industrial control systems (ICS/SCADA), IoT, VNC, RDP, databases, printers, maritime and building-automation gear. It carries deep historical banner data, a friendly one-line filter syntax, a well-documented API, an official command-line client, and bolt-on products like Shodan Maps, Images, Monitor, and an Exploits index. If your question is "what strange thing is exposed on this network?", Shodan usually gets you there first.
Censys (censys.io)
Censys grew out of academic research at the University of Michigan — the same group behind the ZMap fast-scanner — and went commercial in 2017. Its personality is data- and certificate-centric. It performs frequent full-internet scans, keeps a rigorously structured host schema, and treats TLS certificates as a first-class dataset fed by both its own scans and Certificate Transparency logs. The query language is more verbose but more precise: you filter on explicit nested fields rather than short keywords. Analysts who want clean, structured, certificate-heavy data for attack-surface management tend to prefer Censys.
Neither is strictly "better." Shodan is faster to eyeball and stronger on odd protocols and history; Censys is stronger on structured queries, certificates, and fresh full-scan coverage. Serious researchers use both and cross-check.
Shodan queries you will actually use
Shodan filters are key:value pairs; bare words are full-text banner matches. Note that Shodan uses two-letter country codes (ES, not "Spain"). These examples are framed around inventorying infrastructure you own or are authorised to assess:
product:"Apache httpd" country:"ES" port:443 # Apache on 443, hosted in Spain
http.title:"Login" # pages whose <title> contains "Login"
org:"Your Company Ltd" # everything Shodan maps to that org
net:203.0.113.0/24 # a specific CIDR block you own
ssl.cert.subject.cn:"example.com" # hosts serving a cert with that CN
hostname:example.com # banners tied to that hostname
http.favicon.hash:-1234567890 # every host sharing one favicon
vuln:CVE-2021-44228 # hosts flagged for a CVE (paid filter)
Combine filters with spaces (implicit AND) and prefix with - to negate. Before running a full search, count is your friend — it returns just the number of matches and is cheap:
$ shodan init YOUR_API_KEY
$ shodan count 'port:443 country:ES'
1893472
$ shodan host 8.8.8.8 # everything known about one IP
$ shodan search --fields ip_str,port,org 'ssl.cert.subject.cn:"example.com"'
Censys queries
Censys Search uses a structured language with explicit field paths joined by and / or. It accepts country names, and the fields read almost like documentation:
services.service_name: HTTP and location.country: "Spain"
services.port: 443 and services.tls.certificates.leaf_data.subject.common_name: "example.com"
autonomous_system.organization: "Your Company Ltd"
services.software.product: "nginx" and location.country_code: ES
dns.names: example.com and services.service_name: HTTPS
The verbosity is the point: because every attribute lives at a known path, a Censys query is unambiguous and easy to script against the API. The same certificate-pivot idea as Shodan's ssl.cert.subject.cn becomes the explicit services.tls.certificates.leaf_data.subject.common_name.
The command line: shodan and nrich
You do not need the website. The official shodan Python CLI covers search, count, host lookups, and streaming. For quick triage of a list of IPs, Shodan also ships nrich, which queries the free InternetDB service (no paid key required) and prints open ports and known CVEs per IP:
$ cat my-ips.txt
203.0.113.10
203.0.113.42
$ nrich my-ips.txt
203.0.113.10 (host.example.com)
Ports: 22, 80, 443
CVEs: CVE-2023-38408
203.0.113.42
Ports: 3389
CVEs: None found
That single command turns a raw IP list into a first-pass exposure report — ideal for auditing your own ranges.
Legitimate uses, and the legal line
These are mainstream, defensible tools when used for the right things:
- Know your own attack surface. Search your CIDR blocks, org name, and certificate CN to find shadow IT, forgotten staging servers, exposed databases, and management interfaces you never meant to publish.
- Threat intelligence. Fingerprint and track adversary infrastructure, C2 panels, and phishing kits by certificate, favicon hash, or banner signature.
- Research and measurement. Study how a vulnerability spreads or how quickly the internet patches after a disclosure.
- Investigations. Enrich an IP or domain during an inquiry — this pairs naturally with investigating a suspicious domain and reading WHOIS.
Now the boundary, stated plainly. Querying Shodan or Censys is passive OSINT: you are reading a dataset, not touching the target, and looking at a banner someone chose to expose is not a crime. But the results are addresses of real systems, and what you do next is where the law lives. The moment you connect to a discovered device you do not own, try a default or leaked credential, submit input to probe for flaws, or run an exploit, you have left OSINT and almost certainly broken computer-misuse law — the US Computer Fraud and Abuse Act, the UK Computer Misuse Act, and their equivalents elsewhere. "It was open on Shodan" has never been a defence. Observe, do not interact; document, do not exploit; and only act against systems you own or have explicit, written authorisation to test.
OPSEC and the limits of free plans
Because you query the engines rather than the target, your searches do not appear in the target's logs — but the search provider does log you. Use it accordingly, and mind the free-tier ceilings:
- Shodan. A free account is required even to use filters, and it caps how much you see. Historically Shodan sells a one-time lifetime membership (often discounted) that unlocks more filters, results, and API query credits; some filters (like
vuln:) and screenshots require higher tiers. Watch your API query credits —countspends far fewer than a fullsearch. - Censys. A free community tier gives a limited number of queries per month and shallow result pagination, with bulk export and the richer datasets reserved for paid plans.
- General OPSEC. Research from a dedicated account and, for sensitive work, a separate browser profile or VM behind a VPN. Never turn a search result into an unauthorised connection. If you do need to actively verify a host, do it only inside a signed scope — and remember that active scanning is a different legal posture from querying an index.
Alternatives worth knowing
- ZoomEye — a device and web-app search engine from Knownsec, historically strong on assets in Asia, with a Shodan-like
app:/country:dork syntax and a credit-based free tier. - FOFA — a Chinese internet-asset engine known for powerful fingerprint queries over
title=,body=,cert=, anddomain=fields; excellent for hunting look-alike infrastructure. - Netlas — searchable internet-scan data (hosts, certificates, DNS, WHOIS) with an Elasticsearch-style query DSL and a relatively generous free daily allowance.
- GreyNoise — the odd one out, and the perfect complement. Instead of cataloguing exposed devices, it characterises the scanners. When an IP hits your firewall, GreyNoise tells you whether it is internet "background noise" hammering everyone or something actually targeting you, and its RIOT dataset flags benign common services — a huge cut in false positives during triage.
- Shodan Exploits and Exploit-DB — once you have a version from a banner, these map it to known exploits and PoCs. Use them to understand and prioritise risk on your own systems, never to attack others.
The engines side by side
| Engine | Free tier? | Strong at | Query style |
|---|---|---|---|
| Shodan | Yes (limited); one-time paid membership common | IoT, ICS/SCADA, odd protocols, history, exploits | Short key:value filters, e.g. port:443 org:"..." |
| Censys | Yes (limited monthly queries) | Certificates, structured host data, fresh full scans | Explicit field paths, e.g. services.port: 443 and ... |
| ZoomEye | Yes (credit-based) | Web apps and assets, strong Asia coverage | Dorks, e.g. app:"nginx" country:"CN" |
| Netlas | Yes (daily allowance) | Certificates, DNS/WHOIS, responses in one place | Elasticsearch-style DSL, e.g. http.title:"Login" |
Tools and resources
- Shodan and its search filter reference — the canonical list of every filter.
- Shodan CLI docs and nrich — command-line search and the free InternetDB triage tool.
- Censys Search and its query syntax reference — the full field schema.
- crt.sh — Certificate Transparency search that pairs perfectly with certificate-based pivoting on either engine.
- GreyNoise — separate real threats from mass-scan noise when triaging an IP.
The mindset that ties it together is simple. Shodan and Censys do not hack anything; they hold a mirror up to the internet and let you read what is already exposed. That makes them indispensable for defenders auditing their own surface and for researchers mapping the wider one — and it puts the entire ethical weight on the step after the search. Find, understand, and fix what is yours. Never touch what is not.
