Censys Internet Scanning Introduction
Censys provides the most complete view of the entire public-facing internet. Understanding what we scan helps you understand the data set.
Note
Censys only scans to get information. Censys never tries to log into any service, read any database, or otherwise gain authenticated access to any system.
What Censys scans
Censys continually scans the entire public IPv4 address space across all possible IP and port combinations using automatic protocol detection. The results are the most accurate representation of the Internet’s current state.
Censys also leverages redirects and the Domain Name System to discover and scan in-use IPv6 addresses.
Scan frequency
Discovery means finding a service on an IP/port that was not there the last time we looked. Censys continuously scans for discovery using the following methods.
-
Global scan of popular ports. Censys continually and rapidly scans the whole IPv4 space on over 100 ports with IANA-assigned services.
-
Cloud provider scans. Our accelerated cloud docket contains a list of IPs and common ports for AWS, Azure, and GCP cloud hosting providers. This docket is optimized to hit each item at least one time per day, sometimes more.
Using both the current and historical data from the services found on these dockets and other data in our dataset, we generate dynamic scanning targets on a continual basis.
-
Predictive scanning engine. Using both the current and historical data from the services found via Global and Cloud Provider scans, we generate dynamic scanning targets on a continual basis using the Predictive Scanning engine. The methods described above essentially act as seeds as the input to this engine which can be used to more accurately find and predict the best possible IPs and ports to scan. Predictive scanning accounts for over 40% of all services we find on the Internet today.
- For more information on how Predictive Scanning works, see the Censys blog: Raising the Bar on Internet Coverage: Predictive Scanning Takes The Censys Internet Map to the Next Level.
-
IPv4 Internet scan. Censys continuously scans all 65k ports on the IPv4 Internet with a port walk to gather as much background information as possible across all possible IP and port combinations.
Data refresh cadence for known services
After a service is discovered, Censys prioritizes refreshing the information about that service to ensure it is accurate and up to date.
Every day, the age of each of the ~3 billion services in our data set is checked. Any (unnamed) service with an observation timestamp older than 24 hours is rescanned. With this process, the average age of high-value service data is about 16 hours!
Censys scan methodology
Censys includes multiple global perspectives and sophisticated scanning techniques to produce the richest, most useful data set for the security community.
Global scanning perspectives
Censys peers with and scans from 5 Tier-1 ISPs (NTT, Tata, Hurricane Electric, Telia, Orange) to produce nearly 99% coverage of listening hosts across the globe with enhanced protection against packet drop.
The ISP that Censys scanned any given service from is recorded in the services.perspective
field.
Deep protocol scans
On ports with IANA-assigned protocols, Censys tries to complete a handshake with the assigned protocol (for example, Telnet on port 23). If that fails, we try additional handshakes based on our experience with protocol and port pairings.
Predictive scanning
Predictive scanning provides coverage of 65k ports across all possible IP and port combinations. Predictive scanning enhances the Censys Internet Map. With Predictive scanning, security teams have better visibility into all 65k ports, enabling faster detection of services. Predictive Scanning adds over 107M new services to the nearly 3 billion global Internet services that Censys continuously monitors.
Predictive scanning accounts for over 40% of all services Censys finds on the Internet today.
Predictive scanning typically discovers services such as:
-
Services from the Internet of Things (IoT), which businesses are leveraging for growth but also present high risk due to lagging security standards.
-
Autonomous Systems only run services on non-standard ports that attackers might use to host malicious infrastructure and hide from scanners.
-
A massive proliferation of newer services by vendors like online portals, data analysis tools, and business productivity enhancers. These services are especially popular in hybrid and remote environments that are typically run on high, non-standard ports.
- Attackers may hide services on non-standard ports to try and obfuscate their activities.
Automatic protocol detection
The Censys scanner analyzes every server response to identify its service, even if it’s non-standard for the port, allowing us to uncover the vast majority of services in unexpected places.
For example, if an HTTP request results in an SSH banner, Censys closes the HTTP connection and reattempts an SSH handshake.
Censys can detect many protocols on any port.
Lightweight protocol scans
Some protocols do not have a lot of data to parse and index.
Censys identifies more than 47 lightweight services and collects a banner.
Protocols detected by Censys
Censys can detect and complete scans for over one hundred Layer 7 protocols. The default Layer 4 protocol used by our scanners is TCP. Some protocols, such as DNS, are scanned with UDP. HTTP can be detected over QUIC.
Service names are the most specific service information we have. For example, a generic HTTP service has a service name of HTTP
, while an HTTP service that’s actually an ElasticSearch server has a service name of ELASTICSEARCH
.
Censys also uses an UNKNOWN
fallback, which means that Censys cannot identify the protocol in use by an open service. This can be because the service is not adhering to a protocol (there are many HTTP-like services) or because the protocol is very uncommon and Censys does not yet have a protocol-specific scanner written for it.
The following list provides a limited selection of scanned protocols. It is not a comprehensive list of all protocols scanned and presented in Censys datasets. For complete protocol information, please use the metadata API endpoint.
Protocols that can be detected on any port number at lower cadences in general and higher cadences on specific ports |
Protocols that can be detected on any port number based only on banner scan data |
Protocols that can be detected on any port number |
---|---|---|
ADB | ANDROMOUSE | ACTIVEMQ |
AFP | ATG | AMQP |
APACHE_JRSERV | BITTORENT_TRACKER | ANYCONNECT |
APPLE_AIRPORT_ADMIN | CCSO_NAMERSERVER | BGP |
ARD | CISCO_FINGERD | CASSANDRA |
BACNET | CISCO_SMI | CISCO_IPSLA |
BASIC | DB2 | CKPT_TOPOLOGY |
BEANSTALKD | DIGI | COAP |
BITCOIN | ECHO | CRESTRON_CP3 |
BITTORRENT | FINGERD | CWMP |
BOLT | FORTIGUARD | DARKCOMET |
CHARGEN | FREESWITCH | DCERPC |
CHECKPOINT_TOPOLOGY | GHOST | DHCPDISCOVER |
CHROMECAST | HART | DNS |
CIMON_PLC | IDENT | DTLS |
CITRIX | IMQBROKERD | ELASTICSEARCH |
CLOUD_STORAGE | IRC | ELF_FILE |
CMORE | IRC_BOUNCER | ETCD |
CMORE_HMI | KERBEROS | FTP |
COBALT_STRIKE | MULTISTREAM_SELECT | GEARMAN |
CODESYS | MURMUR | HTTP |
DARKGATE | NETIS | IBMNJE |
DAYTIME | NNTP | IKE |
DICOM | RADIUS | IMAP |
DICT | RCON | IOTA |
DNP3 | SLP | IPP |
DVR_IP | SNPP | ISCSI |
ECHO | SVR | KRPC |
EIP | TERRARIA | KUBERNETES |
EPMD | TUYA | L2TP |
ETHEREUM | VALVE | LDAP |
EZVIZ | VOTIFIER | MINECRAFT |
FINS | WDBRPC | MODBUS |
FORTIGATE | WHOIS | MONGODB |
FORTINET_FCM | WOW | MURMUR |
FOX | XMPP | MYSQL |
GIT | YAHOO_SMART_TV | NMEA |
GRAPHQL | ZABBIX | NTP |
GTP | NTRIP | |
HDDTEMP | PCA | |
HID_VERTX | PGBOUNCER | |
HIKVISION | POP3 | |
HINTER | PPTP | |
HTTP2 | PROMETHEUS | |
ICAP | PROMETHEUS_TARGET | |
IEC60870_5_104 | RDP | |
IPMI | REALPORT | |
IVANTI_AVALANCHE | REDIS | |
JARM | RIFATRON | |
JAVA_RMI | RIPPLE | |
KAFKA | RTSP | |
LPD | SAP_ROUTER | |
LSP | SER2NET | |
MDNS | SEVEN_DAYS_TO_DIE | |
MEMCACHED | SIP | |
MIKROKTIK_BW | SMTP | |
MMS | SNMP | |
MONERO_P2P | SOCKS | |
MONERO_ZEROMQ | SPICE | |
MQTT | SSH | |
MSMQ | TACACS_PLUS | |
MSSQL | TELNET | |
MULTI | UPNP | |
NATPMP | VNC | |
NETBIOS | WEBLOGIC_T3 | |
NFS_MOUNTD | ZEROMQ | |
NIL | ||
ONC_RPC | ||
ONVIF | ||
OPC_UA | ||
OPENVPN | ||
ORACLE | ||
PCWORX | ||
PIGEONHOLE | ||
PJL | ||
POPPASSD | ||
PORTMAP | ||
POSTGRES | ||
PPROF | ||
PRO_CON_OS | ||
QOTD | ||
RDATE | ||
RDP | ||
REDLION_CRIMSON | ||
RETHINKDB | ||
RIPV1 | ||
RLOGIN | ||
ROCKETMQ | ||
RSH | ||
RSYNC | ||
S7 | ||
SCCM | ||
SCPI | ||
SENTINEL | ||
SMP | ||
STATSD | ||
STEAM_IHS | ||
TEAMSPEAK | ||
TFTP | ||
TIBIA | ||
TLS | ||
TORCONTROL | ||
TPLINK_KASA | ||
UBIQUITI | ||
VE_STRP | ||
VENTRILIO | ||
WINRM | ||
WS_DISCOVERY | ||
X11 | ||
XDMCP | ||
ZOOKEEPER |
More information about Censys data collection by protocol category is provided below.
Protocol |
Description |
---|---|
HTTP + HTTPS |
On ports running HTTP(S), we request the root (/) page and follow local HTTP redirects. In addition, Censys performs follow-up requests to identify and classify HTTP applications. |
Databases |
Censys checks for popular database servers. Tip: Censys only scans to get information. Censys never tries to log into any service, read any database, or otherwise gain authenticated access to any system. |
Core Internet Protocols |
On ports running protocols that find and coordinate services on the internet, Censys completes a protocol-specific handshake or collects the banner. |
Internet of Things Protocols |
On ports running message broker protocols, Censys completes an initial protocol-specific handshake with no attempt to authenticate. For (MQTT) services not requiring authentication that are broadcasting messages, Censys may collect a sample of these messages. |
Remote Access Protocols |
On detection of remote access protocols, Censys never attempts to authenticate and never collects any screenshots, even if the functionality is enabled with no credential requirements. |
Mail Protocols |
On ports running common mail protocols, Censys collects banner data and completes a STARTTLS handshake if the server indicates support. |
VoIP Protocols |
On ports running common VoIP protocols, Censys collects banner data and completes a STARTTLS handshake if the server indicates support. |
Network Administration Protocols |
On ports running network administration protocols, Censys completes an initial protocol-specific handshake with no attempt to authenticate. |
File Sharing Protocols |
On ports running file-sharing protocols, Censys completes an initial protocol-specific handshake with no attempt to authenticate. |
Industrial Control (SCADA) Protocols |
On ports running industrial control protocols, Censys completes an initial protocol-specific handshake with no attempt to authenticate. |
Ports scanned by Censys
Censys conducts ongoing Internet-wide scans that cover over 3500 ports as part of its scheduled discovery process. The following table lists some of these ports.
Note: HTTP redirects can lead to scans of ports not explicitly listed here.
TCP |
UDP |
---|---|
2, 21,22, 25, 43, 80, 81, 82, 88 |
17, 19, 53, 69 |
101, 102, 103, 104, 110, 113, 119, 135, 143, 179 |
111, 123, 137, 161, 177 |
222 |
500, 520, 523 |
389 |
1604, 1645 |
427, 443, 445, 465 |
1701 |
501, 502, 503, 554, 587, 591 |
1812 |
623, 631, 636 |
1967 |
771, 788, 789, 790 |
2361, 2362, 2363 |
808, 830, 831, 832, 833, 888 |
3283 |
990, 993, 995 |
3702, 3784 |
1024, 1098, 1099 |
4070 |
1194 |
4500 |
1200, 1201, 1224, 1244 |
4786 |
1311 |
5093, 5094, 5095 |
1433 |
5351, 5353 |
1521 |
5632 |
1723 |
6881 |
1801, 1883 |
6969 |
1911, 1912, 1913, 1961, 1962, 1963 |
17184, 17185, 17186 |
2000, 2003, 2004, 2052,2053, 2077, 2078, 2079, 2080, 2082, 2083, 2086, 2087, 2095, 2096 |
27015, 27036 |
2181 |
27105 |
2222, 2281 |
37810 |
2323, 2375, 2376, 2380 |
53413 |
2403, 2404, 2405, 2443, 2454, 2455 |
64738 |
2628 |
|
2701, 2761, 2762 |
|
3128 |
|
3260, 3299 |
|
3306, 3389, 3390 |
|
4242 |
|
4369 |
|
4433 |
|
4443, 4444 |
|
4567 |
|
4730 |
|
4839, 4840, 4841 |
|
5000, 5060, 5061 |
|
5222 |
|
5432 |
|
5671, 5672, 5683, 5684 |
|
5900, 5901, 5902, 5903, 5938, 5884, 5985, 5986 |
|
6000, 6001, 6002, 6003, 6004, 6005, 6006, 6007, 6008, 6009 |
|
6362, 6379 |
|
6443 |
|
6513 |
|
6667, 6697, 6699 |
|
7001 |
|
7170 |
|
7443 |
|
7547 |
|
8000, 8008, 8010, 8013, 8020, 8080, 8081, 8082, 8085, 8088, 8089, 8090 |
|
8159 |
|
8389 |
|
8443 |
|
8545 |
|
8636 |
|
8880, 8883, 8888 |
|
9000, 9042, 9090 |
|
9142 |
|
9200, 9201 |
|
9300, 9301 |
|
9599 |
|
9600, 9601 |
|
9876 |
|
9999 |
|
10000, 10001, 10002 |
|
10252, 10258, 10259, 10260, 10261 |
|
10443 |
|
11101, 11102, 11103, 11112 |
|
11211 |
|
11300 |
|
14265 |
|
15443 |
|
16992, 16993 |
|
17777, 17778 |
|
18080, 18082, 18084 |
|
18244, 18245, 18246 |
|
18333 |
|
18444 |
|
19999 |
|
20000, 20001 |
|
20201, 20256 |
|
20547, 20548 |
|
22222 |
|
25565 |
|
26257 |
|
27017 |
|
28015, 28080 |
|
30005 |
|
33389 |
|
37215 |
|
40000 |
|
48501, 49502 |
|
50001 |
|
50580 |
|
50805 |
|
50995 |
|
51200 |
|
52200 |
|
58000, 58603 |
|
60000 |
|
61616 |