Oprand CLI Tool Overview
Learn how to use the Oprand command-line interface (CLI) to configure, manage and access your domain impersonation threat data from your terminal.
Getting Started
» opr --help
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
NAME opr - OPRAND CLI tool
AUTHOR https://oprand.com
──────────────────────────────────────────────────────────────────────
USAGE opr [global flags] <command> [command flags] <input>
──────────────────────────────────────────────────────────────────────
PUBLIC COMMANDS
asn, a Get Autonomous System (ASN) information.
‣ By AS number ..... opr asn AS3
‣ By IP address .... opr asn 1.1.1.1
‣ By domain ........ opr asn example.com
‣ By the registrant
email's domain ... opr asn @orange.com
‣ Your IP's ASN .... opr asn me
help, h Shows this list of commands or help for one command
──────────────────────────────────────────────────────────────────────
PRIVATE COMMANDS - Requires an oprand.com account
domains, d List your verified domains.
results, r Fetch your verified domains' scan results.
config, c Setup your Oprand API authentication credentials.
──────────────────────────────────────────────────────────────────────
GLOBAL OPTIONS
--help, -h show help
--version, -v print the version
──────────────────────────────────────────────────────────────────────
VERSION 0.0.3 - Commit: 4CA35C2D
LICENSE GPL-3.0
──────────────────────────────────────────────────────────────────────
DISCLAIMER
We (oprand.com and its authors) assume no liability and are not
responsible for any misuse or damage caused by this software.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Installing Oprand CLI
You can download our latest release on GitHub: https://github.com/oprand/opr/releases
If you have the Golang compiler on your machine, you can install it with:
go install github.com/oprand/opr/cmd/opr@latest
Authenticate with API Credentials
The opr config command allows you to configure your authentication credentials.
These API credentials are available on your dashboard.
opr config
OPRAND API KEY: 01GW45C1HNX6ZWH3515AA30YXV
OPRAND API SECRET: NzFiYzk5YzRjNzc0MTA5YTBlZTZjODg1M2FkYTM2NTkyYzA0YmNjZQo=
Config file successfully written at `/home/emmett/.config/oprand/credentials.toml`
Possible output if the credential file already exists:
opr config
WARN: Config file at `/home/emmett/.config/oprand/credentials.toml` already exists.
WARN: Content will be overwritten by new values entered. Press Ctrl+C to keep current values.
You can verify the credentials have been successfully written with:
cat ~/.config/oprand/credentials.toml
Global Flags
- --help, -h: Show help with usage instructions
- --version, -v: Print the version
ASN
Lookup Methods
Lookup directly by specifying the AS number:
opr asn AS3
Find what ASN an IP belongs to:
opr asn 1.1.1.1
Look up a domain; we will resolve its IP addresses and look for any ASN matching all of them:
opr asn example.com
ASN contact details include email addresses. You can look up any ASN by the domain of the registrant, admin and abuse email address:
opr asn @orange.com
A shortcut to get the ASN in charge of your own current IP:
opr asn me
IPs Under ASN
A common task in security work is enumerating all IP addresses belonging to a single organization. Here is how to get all IP addresses under one ASN:
opr asn --ip AS5
Similarly, to get all IP addresses under every AS registered with an @amazon.com or @amazonaws.com email address:
opr asn --ip @amazon.com @amazonaws.com
You can also see the CIDR (netblock) for IPv4 and IPv6:
opr asn --cidr @amazon.com @amazonaws.com
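An added example (not part of Oprand's documentation or code) of putting the --cidr output to use: the Python below parses a list of netblocks, merges adjacent ranges, and reports which observed source IPs fall inside them. It assumes one CIDR per line, which this page does not specify; the sample netblocks and IPs are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample standing in for `opr asn --cidr ...` output. Assumption:
# one CIDR per line; blank or non-CIDR lines are skipped.
SAMPLE_CIDR_OUTPUT = """\
192.0.2.0/25
192.0.2.128/25

198.51.100.0/24
2001:db8::/32
not-a-cidr
"""

def load_netblocks(text):
    """Parse CIDR lines (IPv4 and IPv6) and merge adjacent/overlapping blocks."""
    v4, v6 = [], []
    for line in text.splitlines():
        token = line.strip()
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # header or other non-CIDR text
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses() rejects mixed versions, so collapse each family alone.
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def find_netblock(ip, netblocks):
    """Return the netblock containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for net in netblocks:
        if net.version == addr.version and addr in net:
            return net
    return None

def partition(ips, netblocks):
    """Split observed IPs into (inside, outside) relative to the organization's blocks."""
    inside, outside = [], []
    for ip in ips:
        (inside if find_netblock(ip, netblocks) else outside).append(ip)
    return inside, outside

if __name__ == "__main__":
    blocks = load_netblocks(SAMPLE_CIDR_OUTPUT)
    # Constructed source IPs, e.g. pulled from a firewall or proxy log.
    print(partition(["192.0.2.200", "203.0.113.9", "2001:db8::1"], blocks))
```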
Batch queries
Several queries can be specified, regardless of their type:
opr asn AS3 example.com @orange.com 1.1.1.1
You can also have opr read from stdin:
cat queries.txt | opr asn
JSON output
By default the output is human-friendly, showing hierarchical data for each ASN:
opr asn 1.1.1.1
INPUT 1.1.1.1
ASN 13335
HANDLE AS13335
SOURCE https://oprand.com/asn/AS13335
NAME CLOUDFLARENET
STATUS active
DOMAIN cloudflare.com
REGISTRY ARIN (https://rdap.arin.net/registry/autnum/13335)
TYPE -
DESC -
COUNTRY United States
ALLOCATED 2010-07-14 22:35:57 +0000 UTC
UPDATED 2017-02-17 23:04:32 +0000 UTC
REGISTRANT
HANDLE CLOUD14
TYPE Org
NAME Cloudflare, Inc.
COUNTRY United States
... more data
Use the --json flag to output data in JSON format. See the API documentation for a description of the schema.
opr asn --json 1.1.1.1
Domains
List Verified Domains
A verified domain is the original domain used to generate fuzzed domains.
A fuzzed domain is the result of a fuzzing operation against a verified domain. A fuzzing operation uses a fuzzer. A homoglyph fuzzer swaps some letters in the verified domain with lookalike letters. Another fuzzer, the tld-swap fuzzer, swaps the domain's TLD for another. We operate several fuzzers, and combine them all.
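To make the two fuzzer types concrete from the detection side, here is an added example (not Oprand's code or algorithm) that classifies a candidate domain against a verified one. It uses the punycode name from the scan-result sample on this page; the small lookalike table is constructed for illustration, and the TLD is assumed to be the last label only.

```python
import unicodedata

# Illustrative lookalike map (constructed; Cyrillic letters that resemble Latin
# ones). A production check would use a fuller confusables table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def to_labels(domain):
    """Split a domain into lowercase Unicode labels, decoding punycode (xn--) ones."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return labels

def skeleton(label):
    """Fold a label to a comparison form: drop diacritics, map known lookalikes."""
    folded = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue  # e.g. the combining dot below left over from U+1EA1
        folded.append(CONFUSABLES.get(ch, ch))
    return "".join(folded)

def classify(candidate, verified):
    """Return 'tld-swap', 'homoglyph' or None for candidate against a verified domain.

    Simplification: the TLD is taken to be the last label only.
    """
    cand, ver = to_labels(candidate), to_labels(verified)
    if cand == ver:
        return None  # the verified domain itself
    if cand[:-1] == ver[:-1]:
        return "tld-swap"  # same name, different last label
    same_tld = cand[-1] == ver[-1]
    if same_tld and [skeleton(l) for l in cand[:-1]] == [skeleton(l) for l in ver[:-1]]:
        return "homoglyph"
    return None

if __name__ == "__main__":
    for name in ("xn--krken-k11b.com", "kraken.net", "kr\u0430ken.com", "example.org"):
        print(name, "->", classify(name, "kraken.com"))
```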
You can list your verified domains with the `opr domains` command. Its output indicates whether the domain is currently being monitored for impersonation (active) or not (inactive).
opr domains
DOMAINS:
* example.com [active]
* oprand.com [active]
INFO: active/inactive indicates whether or not suspicious domains are being checked for this domain.
The domains command accepts the --json and --csv flags.
opr domains --json
opr domains --csv
Scan Results
Human-Friendly Output
By default, scan results are output in a human-friendly format. Here is a sample of one scan result.
opr results kraken.com
krạken.com fuzzer:homoglyph scanned:2023-03-05 15:23 (17d ago)
DNS A 198.51.100.1
NS ns29.domaincontrol.com ns30.domaincontrol.com
WHOIS REGISTRAR Wild West Domains, LLC
[email protected] 480-624-2505
IANA ID: 440
REGISTRANT
WEB VALID URL http://xn--krken-k11b.com
HTTP BANNER openresty
HTTP STATUS 200
HTML TITLE The real kraken exchabge
LANGUAGE EN
CRED. HARVESTER FALSE
Mention Domain FALSE
Mention Brand FALSE
Redirect FALSE
SSL ISSUER ZeroSSL ECC Domain Secure Site CA, ZeroSSL
CERT VALID TRUE (expires 2023-08-07 23:59:59 +0000 UTC)
SIGNATURE ECDSA-SHA384 / 577EEB62 (last 8 char)
SUBJECT CN=xn--krken-k11b.com
ISSUER CN=ZeroSSL ECC Domain Secure Site CA,O=ZeroSSL,C=AT
TOTAL: 626 results
List as JSON Array
Append the --json flag to return results in JSON format.
opr results --json example.com
{
  [
    {
      "fuzzer": "homoglyph",
      "domain": "example.com",
      "fuzzed_domain": "xn--exmple-xc8b.com",
      "fuzzed_domain_unicode": "exạmple.com",
      "scanned_at": "2023-03-25T15:50:41.336839+08:00",
      "dns_a": ["198.51.100.1"],
      "dns_aaaa": ["2404:6800:400a:80c::200e"],
      "dns_txt": ["v=spf1 -all"],
      "dns_mx": "smtp.exạmple.com",
      "dns_ns": ["michael.ns.cloudflare.com", "kallie.ns.cloudflare.com"],
      "dns_cname": null,
      "dns_spf": "v=spf1 -all",
      "dns_dmarc": null,
      "dns_dkim": null,
      "whois_created": "2020-10-04T08:54:16Z",
      "whois_updated": "2023-02-15T10:25:58Z",
      "whois_expiring": "2023-10-04T08:54:16Z",
      "whois_abuse_email": "[email protected]",
      "whois_abuse_phone": "+1.6613102107",
      "whois_registrar": "NameCheap, Inc.",
      "whois_registrar_iana_id": "1068",
      "whois_registrant_name": "Emmett Labs",
      "whois_registrant_id": 1242,
      "whois_registrant_address": null,
      "whois_registrant_email": "[email protected]",
      "whois_registrant_country": "US",
      "web_has_http_server": true,
      "web_start_url": "http://xn--exmple-xc8b.com",
      "web_end_url": "https://xn--exmple-xc8b.com",
      "web_redirect_to_domain": false,
      "web_page_contains_domain": true,
      "web_page_contains_brand_name": true,
      "web_has_credential_harvester": true,
      "web_http_status_code": 200,
      "web_html_title": "Welcome to Example.com",
      "banner_http": "Apache",
      "web_lang": "en-US",
      "ssl_issuer_org": "Let's Encrypt",
      "ssl_issuer_country": "US",
      "ssl_issuer_addr": null,
      "ssl_issuer_common_name": "R3",
      "ssl_issuer_rfc_2253_name": "CN=R3,O=Let's Encrypt,C=US",
      "ssl_subject_rfc_2253_name": "CN=xn--exmple-xc8b.com",
      "ssl_cert_not_before": "2023-02-07 14:22:08+00",
      "ssl_cert_not_after": "2023-05-08 14:22:07+00",
      "ssl_cert_sig": "165E637901...37C68D",
      "ssl_cert_sig_alg": "SHA256-RSA"
    },
    ...
  ],
  "meta": {
    "total": 626
  }
}
To filter for specific data points of interest, we recommend using the jq CLI tool.
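As an added example (not part of Oprand's documentation or code), the same kind of post-processing can be done in Python instead of jq: the code below ranks result records for review using a few of the fields shown in the sample above. It assumes the array of records has already been extracted from the JSON output; the weights, the 30-day window, the threshold and the sample records are constructed for illustration.

```python
from datetime import datetime, timezone

# Field names come from the sample record above. The weights, the 30-day window
# and the threshold are assumptions made for this example, not Oprand's scoring.
WEIGHTS = {"web_has_credential_harvester": 5, "web_page_contains_brand_name": 2,
           "web_page_contains_domain": 1}

def parse_ts(value):
    """Parse an ISO-8601 timestamp such as 2020-10-04T08:54:16Z; None if absent."""
    if not value:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def score(record, now):
    """Return (score, reasons) for one scan-result record."""
    reasons = [key for key in WEIGHTS if record.get(key) is True]
    total = sum(WEIGHTS[key] for key in reasons)
    if record.get("dns_mx"):  # the lookalike can receive mail
        total, reasons = total + 2, reasons + ["dns_mx"]
    created = parse_ts(record.get("whois_created"))
    if created and (now - created).days < 30:  # recently registered
        total, reasons = total + 2, reasons + ["whois_created<30d"]
    if record.get("web_redirect_to_domain"):  # assumption: lower review priority
        total, reasons = total - 3, reasons + ["web_redirect_to_domain"]
    return total, reasons

def triage(records, now=None, threshold=5):
    """Return (score, fuzzed_domain, reasons) at or above threshold, highest first."""
    now = now or datetime.now(timezone.utc)
    hits = []
    for record in records:
        total, reasons = score(record, now)
        if total >= threshold:
            hits.append((total, record.get("fuzzed_domain"), reasons))
    return sorted(hits, key=lambda hit: hit[0], reverse=True)

# Constructed records using a subset of the documented fields.
SAMPLE = [
    {"fuzzed_domain": "lookalike-b.example", "web_page_contains_brand_name": True,
     "web_page_contains_domain": True, "dns_mx": "mx.lookalike-b.example",
     "whois_created": "2023-03-20T00:00:00Z"},
    {"fuzzed_domain": "xn--exmple-xc8b.com", "web_has_credential_harvester": True,
     "web_page_contains_brand_name": True, "web_page_contains_domain": True,
     "dns_mx": "smtp.example.invalid", "whois_created": "2020-10-04T08:54:16Z"},
    {"fuzzed_domain": "lookalike-a.example", "web_redirect_to_domain": True,
     "whois_created": "2023-03-10T00:00:00Z"},
]
```

Calling triage(SAMPLE, now=...) with a fixed timestamp makes the ranking reproducible; omit now to score against the current time.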
CSV Export
Append the --csv flag to return results in CSV format.
opr results --csv example.com
Each key in the JSON output above becomes a separate column in the CSV file.
We recommend csvkit to further filter and transform the data.
Commands Reference
asn
opr help asn
NAME:
OPRAND CLI tool asn - Get Autonomous System information from:
* Its AS number (ex: AS3)
* Any of its member IPv4 address (ex: 1.1.1.1)
* Any domain (ex: oprand.com)
* The email address' domain used to register the ASN (ex: @mit.edu)
* Or use "me" to get your IP's Autonomous System information
USAGE:
opr asn [command flags] <as-number | ipv4 | @example.com | example.com | "me">
CATEGORY:
PUBLIC
OPTIONS:
--json Output results in JSON format (default: false)
--ip, --ips Output only the assignable IPv4 under the ASN (default: false)
--cidr, --netblocks, --netblock Output only CIDR (IPv4 and IPv6) under the ASN (default: false)
--help, -h show help
config
opr help config
NAME:
opr config - Setup your API authentication tokens
USAGE: opr config
domains
opr help domains
NAME:
opr domains - List verified domains, used to generate fuzzed domains
USAGE:
opr domains
OPTIONS:
--csv Output results in CSV format (default: false)
--json Output results in JSON format (default: false)
results
opr result
NAME:
opr result - Fetch all scan results
USAGE:
opr result [command options] [arguments...]
OPTIONS:
--csv Output results in CSV format (default: false)
--json Output results in JSON format (default: false)
--query value, -q value Filter results by type (accepts multiple inputs)
The --query argument accepts the following values:
- whois: Return fuzzed domains with a Whois entry
- whois30d: Return fuzzed domains registered less than 30 days ago
- whois30d: Return fuzzed domains registered less than 6 months ago
- http: Return fuzzed domains with an HTTP server
- mx: Return fuzzed domains with a DNS MX record
- spf: Return fuzzed domains with a DNS TXT record set for SPF purposes
- redirect: Return fuzzed domains redirecting to the verified domain
- ssl: Return fuzzed domains hosting an HTTP server over SSL
You can prefix each value with a hyphen (-) to negate the query.
For instance to get all scan results with an HTTP server running,
their MX/SPF DNS record set, but without SSL configured:
opr results --query=http,mx,spf,-ssl example.com
Further Information
Contribute
We welcome issues and pull requests on our GitHub repository:
https://github.com/oprand/opr
License
GNU General Public License v3.0
https://www.gnu.org/licenses/gpl-3.0.en.html