Skip to content


Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

   Official client to access the ONYPHE API.

   To know more:


  A/ Install all dependencies (Ubuntu/Debian/Kali systems)

  $ sudo apt-get install -y build-essential less cpanminus libreadline-dev coreutils libexpat1-dev phantomjs bsdutils libssl-dev libxml2-dev procps aptitude liblwp-protocol-https-perl perl-doc git

  B/ Install Metabrik and its Repository

  $ sudo cpanm -n Metabrik Metabrik::Repository

  C/ Install this module

  $ git clone onyphe
  $ cd onyphe
  $ perl Makefile.PL
  $ make
  $ make test
  $ sudo make install

  D/ Install client::onyphe Brik

  $ sudo perl -MMetabrik::Core::Context -e 'Metabrik::Core::Context->new_brik_run("brik::tool","install","client::onyphe")'

  E/ Set your API key in the configuration file

  $ echo '<APIKEY>' > ~/.onyphe_rc

  F/ Install custom functions (example: httpshot)

  $ sudo perl -MMetabrik::Core::Context -e 'Metabrik::Core::Context->new_brik_run("brik::tool","install","client::onyphe::function::httpshot")'

  Current list of custom functions:
  - addcount
  - allowlist
  - blocklist
  - count
  - dedup
  - exec
  - expand
  - fields
  - httpshot
  - lookup
  - merge
  - output
  - piechart
  - search
  - splitsubnet
  - top
  - uniq
  - where
  - whois

  G/ Enjoy

  $ onyphe


  # Query profile information (like API endpoints, available categories or remaining credits)
  $ onyphe -user | jq .

  # Query the Simple API
  # See for more APIs

  # Search DNS information for given IP address:
  $ onyphe -simple -category resolver

  # Search data from free text:
  $ onyphe -simple -category datascan 'WD My Cloud'

  # Get a summary of information from an IP address:
  $ onyphe -summary ip

  # Query the Search API (need subscription, see
  # See for more APIs

  # Search for some specific products:
  $ onyphe -search 'category:datascan product:Nginx' | jq .

  # Just display useful information to you:
  $ onyphe -search 'category:datascan product:Nginx -field:ip,port,tls,product,productversion,cpe'

  # Scroll more than just the first page (maximum page is 1,000 to get up to 10,000 results):
  # !!! WARNING: may consume up to 1,000 credits
  $ onyphe -maxpage 1000 -search 'category:datascan protocol:smb tag:smb::compression'

  # Save Mirai threatlist information from yesterday results
  $ onyphe -search 'category:threatlist threatlist:"ONYPHE - botnet/mirai" -dayago:1' > mirai.json

  # Execute a corelation search to return results that match criterias from another query
  # Here, we want to find modbus devices which also have a Web interface.
  # !!! WARNING: may consume up to 11,000 credits.
  $ onyphe -maxpage 1000 -search 'category:datascan protocol:modbus -dayago:1 | search category:datascan protocol:http ip:$ip'

  # Fetch all results
  $ onyphe -export 'category:datascan protocol:mongo' > mongo.json

  # Lookup a list of allowed IP against an input csv to know if they are threats:
  $ cat input.csv
  $ onyphe -export 'category:threatlist -exists:subnet | allowlist input.csv'

  # Display top countries for an organization:
  $ onyphe -export 'category:geoloc organization:"Global Layer B.V." | top country | piechart'

  # Uncloak .onion servers:
  onyphe -apikeepalive 1 -export 'category:onionscan -exists:app.http.bodymd5 | where category:datascan app.http.bodymd5:$app.http.bodymd5 | fields ip,domain,protocol,app.http.bodymd5,classification'

  # Uncloak CloudFlare-hosted servers:
  onyphe -apikeepalive 1 -export 'category:datascan ?organization:CLOUDFLARENET ?geolocus.netname:CLOUDFLARENET -exists:fingerprint.sha1 | search category:datascan !organization:CLOUDFLARENET !geolocus.netname:CLOUDFLARENET fingerprint.sha1:$fingerprint.sha1'

  # Execute a custom script
  # Note: will take the JSON document as input from a file script must read:
  onyphe -search 'product:nginx | exec'


   Copyright (c) 2018-2022, ONYPHE

   You may distribute this module under the terms of The BSD 3-Clause License.
   See LICENSE file in the source distribution archive.