Oprand CLI Tool Overview

Learn how to use the Oprand command-line interface (CLI) to configure, manage and access your domain impersonation threat data from your terminal.

Getting Started

» opr --help
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
    NAME  opr - OPRAND CLI tool
  AUTHOR  https://oprand.com
──────────────────────────────────────────────────────────────────────
   USAGE  opr [global flags] <command> [command flags] <input>
──────────────────────────────────────────────────────────────────────
 PUBLIC COMMANDS
     asn, a      Get Autonomous System (ASN) information.
                   ‣ By AS number ..... opr asn AS3
                   ‣ By IP address .... opr asn 1.1.1.1
                   ‣ By domain ........ opr asn example.com
                   ‣ By the registrant
                     email's domain ... opr asn @orange.com
                   ‣ Your IP's ASN .... opr asn me
     help, h     Shows this list of commands or help for one command
──────────────────────────────────────────────────────────────────────
 PRIVATE COMMANDS - Requires an oprand.com account
     domains, d  List your verified domains.
     results, r  Fetch your verified domains' scan results.
     config, c   Setup your Oprand API authentication credentials.
──────────────────────────────────────────────────────────────────────
 GLOBAL OPTIONS
     --help, -h     show help
     --version, -v  print the version
──────────────────────────────────────────────────────────────────────
 VERSION  0.0.3 - Commit: 4CA35C2D
 LICENSE  GPL-3.0
──────────────────────────────────────────────────────────────────────
 DISCLAIMER
     We (oprand.com and its authors) assume no liability and are not
     responsible for any misuse or damage caused by this software.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Installing Oprand CLI

You can download our latest release on GitHub: https://github.com/oprand/opr/releases

If you have the Golang compiler on your machine, you can install it with:

go install github.com/oprand/opr/cmd/opr@latest

Authenticate with API Credentials

The opr config command allows you to configure your authentication credentials.

These API credentials are available on your dashboard.

opr config
OPRAND API KEY: 01GW45C1HNX6ZWH3515AA30YXV
OPRAND API SECRET: NzFiYzk5YzRjNzc0MTA5YTBlZTZjODg1M2FkYTM2NTkyYzA0YmNjZQo=
Config file successfully written at `/home/emmett/.config/oprand/credentials.toml`

Possible output if the credentials file already exists:

opr config
WARN: Config file at `/home/emmett/.config/oprand/credentials.toml` already exists.
WARN: Content will be overwritten by new values entered. Press Ctrl+C to keep current values.

You can verify the credentials have been successfully written with:

cat ~/.config/oprand/credentials.toml

This prints your API secret to the terminal.

Global Flags

  • --help, -h: Show help with usage instructions
  • --version, -v: Print the version

ASN

Lookup Methods

Lookup directly by specifying the AS number:

opr asn AS3

Find what ASN an IP belongs to:

opr asn 1.1.1.1

Look up a domain. We will resolve its IP addresses and look for any ASN matching all of them:

opr asn example.com

ASN contact details include email addresses. You can look up any ASN by the domain of the registrant, admin and abuse email address:

opr asn @orange.com

A shortcut to get the ASN in charge of your own current IP:

opr asn me

IPs Under ASN

A common task when performing cybersecurity duties is to know all IP addresses belonging to a single organization. Here is how to get all IP addresses under one ASN:

opr asn --ip AS5

Similarly, all IP addresses under all AS registered with an @amazon.com or @amazonaws.com email address:

opr asn --ip @amazon.com @amazonaws.com

You can also see the CIDR (netblock) for IPv4 and IPv6:

opr asn --cidr @amazon.com @amazonaws.com

Batch queries

Several queries can be specified, regardless of their type:

opr asn AS3 example.com @orange.com 1.1.1.1

You can also have opr read from stdin:

cat queries.txt | opr asn

JSON output

By default the output is human-friendly, showing hierarchical data for each ASN:

opr asn 1.1.1.1

INPUT       1.1.1.1
ASN         13335
HANDLE      AS13335
SOURCE      https://oprand.com/asn/AS13335
NAME        CLOUDFLARENET
STATUS      active
DOMAIN      cloudflare.com
REGISTRY    ARIN (https://rdap.arin.net/registry/autnum/13335)
TYPE        -
DESC        -
COUNTRY     United States
ALLOCATED   2010-07-14 22:35:57 +0000 UTC
UPDATED     2017-02-17 23:04:32 +0000 UTC
REGISTRANT
    HANDLE  CLOUD14
    TYPE    Org
    NAME    Cloudflare, Inc.
    COUNTRY United States
... more data

Use the --json flag to output data in JSON format. See the API documentation for a description of the schema.

opr asn --json 1.1.1.1

Domains

List Verified Domains

A verified domain is the original domain used to generate fuzzed domains.

A fuzzed domain is the result of a fuzzing operation against a verified domain. A fuzzing operation uses a fuzzer. A homoglyph fuzzer swaps some letters in the verified domain with lookalike letters. A tld-swap fuzzer swaps the domain's TLD for another. We operate several fuzzers and combine them all.

You can list your verified domains with the `opr domains` command. Its output indicates whether the domain is currently being monitored for impersonation (active) or not (inactive).

opr domains
DOMAINS:
    * example.com	[active]
    * oprand.com	[active]

INFO: active/inactive indicates whether or not suspicious domains are being checked for this domain.

The domains command accepts the --json and --csv flags.

opr domains --json
opr domains --csv

Scan Results

Human-Friendly Output

By default, scan results are output in a human-friendly format. Here is a sample for one scan result.

opr results kraken.com
krạken.com  fuzzer:homoglyph  scanned:2023-03-05 15:23 (17d ago)
DNS    A          198.51.100.1
       NS         ns29.domaincontrol.com  ns30.domaincontrol.com
WHOIS  REGISTRAR  Wild West Domains, LLC
                  [email protected]  480-624-2505
                  IANA ID: 440
       REGISTRANT

WEB    VALID URL   http://xn--krken-k11b.com
       HTTP BANNER openresty
       HTTP STATUS 200
       HTML TITLE The real kraken exchabge
       LANGUAGE    EN
       CRED. HARVESTER FALSE
       Mention Domain  FALSE
       Mention Brand   FALSE
       Redirect        FALSE
SSL    ISSUER ZeroSSL ECC Domain Secure Site CA, ZeroSSL
       CERT   VALID       TRUE (expires 2023-08-07 23:59:59 +0000 UTC)
              SIGNATURE   ECDSA-SHA384 / 577EEB62 (last 8 char)
              SUBJECT     CN=xn--krken-k11b.com
              ISSUER      CN=ZeroSSL ECC Domain Secure Site CA,O=ZeroSSL,C=AT
    
TOTAL: 626 results
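
The sample above shows the same fuzzed domain in two forms, krạken.com and xn--krken-k11b.com. As an added example (not Oprand's code), the Python below decodes the A-label and classifies a domain seen in mail or proxy logs against a verified domain. The function names are hypothetical, and the skeleton only folds accented Latin letters, not cross-script confusables.

```python
import unicodedata

def to_unicode(domain):
    """Decode every xn-- label (A-label) of a domain to its Unicode form."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed A-label: keep it as seen
        labels.append(label)
    return ".".join(labels)

def skeleton(domain):
    """Strip combining marks so that U+1EA1 (a with dot below) collapses to 'a'."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(domain))
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def classify(candidate, verified):
    """Classify a candidate domain against a lowercase verified domain."""
    uni = to_unicode(candidate)
    if uni == verified:
        return "exact"
    if skeleton(candidate) == verified:
        return "homoglyph"
    # Naive TLD split: treats only the last label as the TLD (so not co.uk).
    if uni.rsplit(".", 1)[0] == verified.rsplit(".", 1)[0]:
        return "tld-swap"
    return "unrelated"

if __name__ == "__main__":
    # Domains below: one from the sample above, the rest constructed.
    for seen in ("xn--krken-k11b.com", "kraken.net", "kraken.com", "example.org"):
        print(f"{seen:22} {to_unicode(seen):14} {classify(seen, 'kraken.com')}")
```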

List as JSON Array

Append the --json flag to return results in JSON format.

opr results --json example.com
{
  [       
    {
      "fuzzer": "homoglyph",
      "domain": "example.com",
      "fuzzed_domain": "xn--exmple-xc8b.com",
      "fuzzed_domain_unicode": "exạmple.com",
      "scanned_at": "2023-03-25T15:50:41.336839+08:00",
      "dns_a": ["198.51.100.1"],
      "dns_aaaa": ["2404:6800:400a:80c::200e"],
      "dns_txt": ["v=spf1 -all"],
      "dns_mx": "smtp.exạmple.com",
      "dns_ns": ["michael.ns.cloudflare.com", "kallie.ns.cloudflare.com"],
      "dns_cname": null,
      "dns_spf": "v=spf1 -all",
      "dns_dmarc": null,
      "dns_dkim": null,
      "whois_created": "2020-10-04T08:54:16Z",
      "whois_updated": "2023-02-15T10:25:58Z",
      "whois_expiring": "2023-10-04T08:54:16Z",
      "whois_abuse_email": "[email protected]",
      "whois_abuse_phone": "+1.6613102107",
      "whois_registrar": "NameCheap, Inc.",
      "whois_registrar_iana_id": "1068",
      "whois_registrant_name": "Emmett Labs",
      "whois_registrant_id": 1242,
      "whois_registrant_address": null,
      "whois_registrant_email": "[email protected]",
      "whois_registrant_country": "US",
      "web_has_http_server": true,
      "web_start_url": "http://xn--exmple-xc8b.com",
      "web_end_url": "https://xn--exmple-xc8b.com",
      "web_redirect_to_domain": false,
      "web_page_contains_domain": true,
      "web_page_contains_brand_name": true,
      "web_has_credential_harvester": true,
      "web_http_status_code": 200,
      "web_html_title": "Welcome to Example.com",
      "banner_http": "Apache",
      "web_lang": "en-US",
      "ssl_issuer_org": "Let's Encrypt",
      "ssl_issuer_country": "US",
      "ssl_issuer_addr": null,
      "ssl_issuer_common_name": "R3",
      "ssl_issuer_rfc_2253_name": "CN=R3,O=Let's Encrypt,C=US",
      "ssl_subject_rfc_2253_name": "CN=xn--exmple-xc8b.com",
      "ssl_cert_not_before": "2023-02-07 14:22:08+00",
      "ssl_cert_not_after": "2023-05-08 14:22:07+00",
      "ssl_cert_sig": "165E637901...37C68D",
      "ssl_cert_sig_alg": "SHA256-RSA"
    },
    ...        
  ],
  "meta": {
    "total": 626
  }
}

To filter specific data points of interest, we recommend using the jq CLI tool.
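
As an alternative to jq for prioritising review, the following added example (not part of the Oprand tooling) ranks result objects by the signals exposed in the JSON fields above. It assumes the array of result objects has already been extracted from the `opr results --json` output; the weights and function names are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample results; field names come from the JSON sample above,
# the values are made up for illustration.
SAMPLE_RESULTS = [
    {"fuzzed_domain": "example.net", "whois_created": "2015-06-10T00:00:00Z",
     "dns_mx": None, "web_has_credential_harvester": False,
     "web_page_contains_brand_name": False, "web_redirect_to_domain": True},
    {"fuzzed_domain": "xn--exmple-xc8b.com", "whois_created": "2023-03-01T08:54:16Z",
     "dns_mx": "smtp.xn--exmple-xc8b.com", "web_has_credential_harvester": True,
     "web_page_contains_brand_name": True, "web_redirect_to_domain": False},
]

# Assumed weights: tune them to your own review process.
def triage(result, now):
    """Return (score, reasons) for one result; higher scores get reviewed first."""
    reasons = []
    if result.get("web_has_credential_harvester"):
        reasons.append((5, "credential harvester detected"))
    if result.get("web_page_contains_brand_name") and not result.get("web_redirect_to_domain"):
        reasons.append((3, "page mentions the brand and does not redirect to it"))
    if result.get("dns_mx"):
        reasons.append((2, "MX record set (domain can receive mail)"))
    created = result.get("whois_created")
    if created:
        age = now - datetime.fromisoformat(created.replace("Z", "+00:00"))
        if age.days < 30:
            reasons.append((2, "registered less than 30 days ago"))
    return sum(w for w, _ in reasons), [text for _, text in reasons]

def rank(results, now=None):
    """Sort results by descending triage score; returns (domain, score, reasons)."""
    now = now or datetime.now(timezone.utc)
    rows = [(r["fuzzed_domain"], *triage(r, now)) for r in results]
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for domain, score, reasons in rank(SAMPLE_RESULTS):
        print(f"{score:>2}  {domain}  {'; '.join(reasons) or '-'}")
```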

CSV Export

Append the --csv flag to return results in CSV format.

opr results --csv example.com

Each key in the JSON output above becomes its own column in the CSV file.

We recommend csvkit to further filter and transform the data.

Commands Reference

asn

opr help asn
NAME:
   OPRAND CLI tool asn - Get Autonomous System information from:
                           * Its AS number (ex: AS3)
                           * Any of its member IPv4 address (ex: 1.1.1.1)
                           * Any domain (ex: oprand.com)
                           * The email address' domain used to register the ASN (ex: @mit.edu)
                           * Or use "me" to get your IP's Autonomous System information

USAGE:
   opr asn [command flags] <as-number | ipv4 | @example.com | example.com | "me">

CATEGORY:
   PUBLIC

OPTIONS:
   --json                           Output results in JSON format (default: false)
   --ip, --ips                      Output only the assignable IPv4 under the ASN (default: false)
   --cidr, --netblocks, --netblock  Output only CIDR (IPv4 and IPv6) under the ASN (default: false)
   --help, -h                       show help

config

opr help config
NAME:
   opr config - Setup your API authentication tokens

USAGE: opr config

domains

opr help domains
NAME:
   opr domains - List verified domains, used to generate fuzzed domains

USAGE:
   opr domains

OPTIONS:
   --csv                    Output results in CSV format (default: false)
   --json                   Output results in JSON format (default: false)

results

opr result
NAME:
   opr result - Fetch all scan results

USAGE:
   opr result [command options] [arguments...]

OPTIONS:
   --csv                    Output results in CSV format (default: false)
   --json                   Output results in JSON format (default: false)
   --query value, -q value  Filter results by type  (accepts multiple inputs)

The --query argument accepts the following values:

  • whois: Return fuzzed domains with a Whois entry
  • whois30d: Return fuzzed domains registered less than 30 days ago
  • whois30d: Return fuzzed domains registered less than 6 months ago
  • http: Return fuzzed domains with an HTTP server
  • mx: Return fuzzed domains with a DNS MX record
  • spf: Return fuzzed domains with a DNS TXT record set for SPF purposes
  • redirect: Return fuzzed domains redirecting to the verified domain
  • ssl: Return fuzzed domains hosting an HTTP server over SSL

You can prefix each value with a hyphen (-) to negate the query.

For instance, to get all scan results with an HTTP server running and MX/SPF DNS records set, but without SSL configured:

opr results --query=http,mx,spf,-ssl example.com

Further Information

Contribute

We welcome issues and pull requests on our GitHub repository:
https://github.com/oprand/opr

License

GNU General Public License v3.0
https://www.gnu.org/licenses/gpl-3.0.en.html
