Using the Ronin CLI - Networking

Table of Contents


The ronin-asn command can query the ASN for a given IP:

$ ronin asn -I AS3356 (US) LEVEL3

ASNs can also be searched by number, country-code, name:

ronin asn -n AS3356
ronin asn -C CN
ronin asn -N LEVEL3

The ronin-asn command can also update it’s internal database of ASNs:

ronin asn --update


The ronin ip command can query the system’s external/public IP address:

ronin ip --public

The ronin ip command can also convert an IP address into decimal format:

$ ronin ip --decimal

The ronin ip command can also be passed a text file of IP addresses (one per-line) and convert them into http:// URIs:

ronin ip --file targets.txt --http

Supported formatting options:


The ronin iprange can enumerate over every IP address in the IP CIDR range:

$ ronin iprange

The ronin iprange command also supports nmap-style glob ranges:

$ ronin iprange 10.1-3.0.*

The ronin iprange can enumerate over every IP address between two IP addresses:

$ ronin iprange --start --stop


The ronin netcat command is very similar to the ncat or nc commands, but written in Ruby and with more consistent options.

You can use ronin netcat to connect to a remote port.

ronin netcat -v 80

Listen on a local TCP port:

ronin netcat -v -l 1337

Connect to a remote SSL/TLS service:

ronin netcat -v --ssl 443

Connect to a remote UDP service:

ronin netcat -v -u 1337

Listen on a local UDP port:

ronin netcat -v -u -l 1337

Opens a UNIX socket:

ronin netcat -v --unix /path/to/unix.socket

The --hexdump option will hexdump all data received from a socket:

$ ronin netcat --hexdump 80
GET / HTTP/1.1
User-Agent: Ruby

00000000  48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d  |HTTP/1.1 200 OK.|
00000010  0a 41 67 65 3a 20 32 35 30 38 30 36 0d 0a 43 61  |.Age: 250806..Ca|
00000020  63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6d 61 78  |che-Control: max|
00000030  2d 61 67 65 3d 36 30 34 38 30 30 0d 0a 43 6f 6e  |-age=604800..Con|
00000040  74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f  |tent-Type: text/|
00000050  68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54  |html; charset=UT|


The ronin dns command allows querying DNS records:

ronin dns -t TXT

The ronin dns command can also query multiple records read from a text file:

ronin dns -t TXT -f targets.txt


The ronin host command allows parsing and manipulating host names.

The --enum-tlds option will enumerate over every TLD of the host name. The --registered option will then filter the host names based on which have any DNS records.

$ ronin host --enum-tlds --registered

The --enum-suffix option is similar to --enum-tlds, but enumerates over every public suffix of the host name.

$ ronin host --enum-suffix --registered

The --enum-subdomains option will change the sub-domain part of the host name using a wordlist file.

$ ronin host --enum-subdomains subdomains.txt --has-addresses


The ronin typosquat command by default will enumerate every typo variation of a domain name:

$ ronin typosquat

The --registered option will filter the typosquat domains by which ones have DNS records.

ronin typosquat --registered

The --registered option will filter the typosquat domains by which ones have IP addresses.

ronin typosquat --has-addresses

The --registered option will filter the typosquat domains by which ones do not have any DNS records.

ronin typosquat --unregistered


The ronin email-addr command allows parsing and manipulating email addresses. For example, the ronin email-addr can deobfuscate an obfuscated email address:

$ ronin email-addr --deobfuscate "john [dot] smith [at] example [dot] com"

The ronin email-addr command can also enumerate over every obfuscation of an email address:

$ ronin email-addr --enum-obfuscations
john.smith @
john.smith AT
john.smith at

The ronin email-addr command also supports a --file option for reading email addresses from a file. For example, if you wanted to map a list of email addresses to their domains:

ronin email-addr --file emails.txt --domain


The ronin cert-dump command will request the SSL/TLS certificate of a website and pretty print it’s information.

$ ronin cert-dump
Serial:     16115816404043435608139631424403370993
Version:    2
Not Before: 2023-01-13 00:00:00 UTC
Not After:  2024-02-13 23:59:59 UTC

Public Key:
  Type: RSA
  Public-Key: (2048 bit)
  Exponent: 65537 (0x10001)

  Common Name:
  Organization: Internet Corporation for Assigned Names and Numbers
  Locality:     Los Angeles
  State:        California
  Country:      US
  Alt Names:

  Common Name:  DigiCert TLS RSA SHA256 2020 CA1
  Organization: DigiCert Inc
  Country:      US

The ronin cert-dump command also accepts host:port pairs and files.

ronin cert-dump
ronin cert-dump cert.pem


The ronin cert-grab command will download the SSL/TLS certificate of a SSL/TLS service or a website:

ronin cert-grab
ronin cert-grab

The SSL/TLS certificate will be saved into a file named <domain-name>:<port>.crt.


The ronin cert-gen command allows for quickly generating SSL/TLS certificates. By default it will generate a self-signed certificate.

ronin cert-gen -c -O "Test Co" -U "Test Dept" \
               -L "Test City" -S NY -C US

By default a new RSA key will be generated and saved into key.pem. The destination key file path can be changed using --generate-key, or a pre-existing key can be specified using --key-file.


The ronin http command allows for quickly performing HTTP requests, but with some additional useful features. By default ronin http will perform an HTTP GET request and print syntax highlighted output:

ronin http

The --post option will perform an HTTP POST request and the --header option will add additional raw headers to the request:

ronin http --post --header "Authorization: ..."

The --user-agent option allows quickly changing the User-Agent string to a known common value:

ronin http --post --user-agent chrome-android

The --user-agent-string option allows setting a custom User-Agent string value:

ronin http --post --user-agent-string "..."

The --shell option will spawn an interactive shell with commands for sending HTTP requests to the given website:

$ ronin http --shell> help
  help [COMMAND]                      	Prints the list of commands or additional help
  get PATH[?QUERY] [BODY]             	Performs a GET request
  head PATH[?QUERY]                   	Performs a HEAD request
  patch PATH[?QUERY] [BODY]           	Performs a PATCH request
  post PATH[?QUERY] [BODY]            	Performs a POST request
  put PATH [BODY]                     	Performs a PUT request
  copy PATH DEST                      	Performs a COPY request
  delete PATH[?QUERY]                 	Performs a DELETE request
  lock PATH[?QUERY]                   	Performs a LOCK request
  options PATH[?QUERY]                	Performs a OPTIONS request
  mkcol PATH[?QUERY]                  	Performs a MKCOL request
  move PATH[?QUERY] DEST              	Performs a MOVE request
  propfind PATH[?QUERY]               	Performs a PROPFIND request
  proppatch PATH[?QUERY]              	Performs a PROPPATCH request
  trace PATH[?QUERY]                  	Performs a TRACE request
  unlock PATH[?QUERY]                 	Performs a UNLOCK request
  cd PATH                             	Changes the base URL path
  headers [{set | unset} NAME [VALUE]]	Manages the request headers


The ronin url command provides options for parsing and extracting data from URLs, such as --query-param option which will extract the value of the given query parameter:

ronin url --file urls.txt --query-param id

The ronin url also provides the --status option, which will perform an HTTP request for the URL and return the HTTP status for each URL:

ronin url --file urls.txt --status