
IP Range Enumeration

Resolving Identified Domains/Subdomains

One of the simplest ways to identify an IP address associated with an organization is to take an identified domain or subdomain and perform DNS resolution. To be thorough, look for more than the A or AAAA records you get by running dig {domain} or nslookup {domain} without further options. MX (mail exchange), NS (name server), CNAME, SOA and TXT records (SPF in particular) can also contain IP addresses, networks or hostnames that can be resolved further.

For example, requesting only A records with dig belastingdienst.nl returns a handful of addresses, while requesting every record type with dig any belastingdienst.nl returns several more domains and subdomains to resolve further. Note that many authoritative servers now refuse or minimally answer ANY queries (RFC 8482 allows them to return a single HINFO record instead), so when ANY returns nothing useful, query the types individually, for example dig MX belastingdienst.nl, dig NS belastingdienst.nl and dig TXT belastingdienst.nl.
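The records above are only useful once the IPs and the hostnames still to be resolved are pulled out of them. The following is an added example, not code from the original article: it parses the ANSWER SECTION of captured dig output and separates addresses already resolved (A/AAAA) from targets that need another lookup (MX exchanges, NS and CNAME targets, the SOA primary, SPF include: hosts) and SPF ip4:/ip6: networks. The dig output it works on is constructed for illustration (example.nl, documentation addresses) and is not real data for any domain.

```python
"""Extract IPs and follow-up hostnames from the ANSWER SECTION of `dig` output.

Added example (not from the original article). It works on captured dig text so it
runs offline; SAMPLE_DIG_OUTPUT is constructed and uses documentation addresses.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the format `dig any <domain>` prints its ANSWER SECTION.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
example.nl.        3600  IN  A      192.0.2.10
example.nl.        3600  IN  A      192.0.2.11
example.nl.        3600  IN  AAAA   2001:db8::10
example.nl.        3600  IN  MX     10 mail1.example.nl.
example.nl.        3600  IN  MX     20 mail2.example-hosting.com.
example.nl.        3600  IN  NS     ns1.example.nl.
example.nl.        3600  IN  NS     ns2.example-dns.net.
example.nl.        3600  IN  SOA    ns1.example.nl. hostmaster.example.nl. 2024010101 7200 900 1209600 3600
example.nl.        3600  IN  TXT    "v=spf1 ip4:198.51.100.0/24 include:_spf.example-mail.com -all"
www.example.nl.    300   IN  CNAME  edge.example-cdn.net.
"""

# owner  ttl  IN  type  rdata   (dig separates columns with tabs or spaces)
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$")

def parse_answer_section(dig_output: str) -> List[Tuple[str, str, str]]:
    """Return (owner, type, rdata) for each resource record in the ANSWER SECTION only."""
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):            # any other section header ends the answer section
            in_answer = False
            continue
        if not in_answer or not line.strip():
            continue
        m = RR_LINE.match(line)
        if m:
            records.append((m["name"].rstrip("."), m["type"], m["rdata"].strip()))
    return records

def extract_targets(records) -> Dict[str, Set[str]]:
    """Split records into resolved IPs, hostnames still to resolve, and SPF-declared networks.

    A/AAAA: the address itself.  MX: drop the preference, keep the exchange host.
    NS/CNAME: the target host.  SOA: the primary master (first rdata field).
    TXT with v=spf1: ip4:/ip6: networks and include: hosts, which usually point at mail providers.
    """
    ips, hosts, networks = set(), set(), set()
    for _owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            ips.add(rdata)
        elif rtype == "MX":
            hosts.add(rdata.split()[1].rstrip("."))
        elif rtype in ("NS", "CNAME"):
            hosts.add(rdata.rstrip("."))
        elif rtype == "SOA":
            hosts.add(rdata.split()[0].rstrip("."))
        elif rtype == "TXT" and "v=spf1" in rdata:
            for token in rdata.strip('"').split():
                if token.startswith(("ip4:", "ip6:")):
                    networks.add(token.split(":", 1)[1])
                elif token.startswith("include:"):
                    hosts.add(token.split(":", 1)[1])
    return {"ips": ips, "hosts_to_resolve": hosts, "spf_networks": networks}

if __name__ == "__main__":
    for key, values in extract_targets(parse_answer_section(SAMPLE_DIG_OUTPUT)).items():
        print(key, sorted(values))
```

Feed the real output of dig any {domain} (or the concatenated output of per-type queries) to parse_answer_section and loop: every entry in hosts_to_resolve is itself queried, and the new A/AAAA answers go to the IP list while third-party names (mail, CDN and DNS providers in this sample) are kept separate so they are not attributed to the target.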

Service Metadata Correlation

It is possible to correlate service metadata from internet-scale scans (Shodan, Censys) to identify other systems that look like ones already attributed to the target. Because so many different services can expose metadata, the specifics of the correlation vary; the following example shows what it can look like. It mirrors a real situation from an engagement; for confidentiality, a similar random IP found on Shodan is used instead. We found a domain/subdomain for the client that resolves to the IP 20.168.98.192. Shodan/Censys show that it exposes its hostname both through a certificate and through the RDP NTLM information. The hostname “SP-AZR-TEST01” contains a string (“SP-AZR-”) distinctive enough to search for similar hosts, and searching Shodan/Censys for “SP-AZR-” identifies another system/IP that may be managed by the organization. Treat such a match as a lead rather than an attribution: a short naming prefix can be shared by unrelated organizations, so confirm it against certificate subjects, RIR ownership or other evidence before adding the IP to scope.

Public Breach Databases

Databases published after company breaches contain IP information and are another potential source for identifying IPs associated with a company. It is common for individuals to use their organization’s email address for third-party accounts, such as Facebook, LinkedIn, and others. When these companies experience data breaches, the compromised information sometimes becomes publicly accessible on forums, torrents, and other platforms. The dumps vary, but they typically include usernames, email addresses, hashed passwords, and occasionally plaintext passwords (if they weren’t stored securely), as well as phone numbers, addresses, and the IP addresses the accounts were registered or used from.

By searching these dumps on the domain or other fields, it is possible to identify records containing IP addresses that may correspond to the company’s internet egress (the address employees browse from at the office). The dumps can be downloaded and parsed manually; for example, torrent links to public wordlists are available in this GitHub repository. Alternatively, services like IntelX, Dehashed, and others can be used for automated searches. Below is an example using a Dutch government domain to identify a potentially related IP address, 193.176.224.155. Keep in mind that an IP recorded at registration time may belong to an employee’s home connection or a VPN provider and may be years old, so repeated hits across several accounts of the same domain carry more weight than a single record.


Parsing Dehashed API Output for IPs
# CREDENTIALS holds {email}:{API key}
curl 'https://api.dehashed.com/search?query=domain:minaz.nl' \
-u $CREDENTIALS -H 'Accept: application/json' \
| jq -r '.entries[].ip_address' | sort -u
193.176.224.155
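The curl pipeline above lists the distinct addresses; deciding which of them to chase is the next step. The following is an added example, not code from the original article or from Dehashed: it reads the same JSON shape the pipeline reads (a list of entries with an ip_address field), drops blanks, junk strings and private/bogon space, counts how many accounts share each address, and splits the result by whether the address already falls in a range attributed to the target. The entries are constructed with documentation addresses, not real breach data, and KNOWN_RANGES is a hypothetical stand-in for ranges found through the RIR lookups described later on this page.

```python
"""Aggregate the IP addresses returned by a breach-database search and triage them.

Added example, not code from the original article or from Dehashed. SAMPLE_RESPONSE is
constructed (documentation addresses); KNOWN_RANGES is a hypothetical placeholder for
ranges already attributed to the organisation from RIR inetnum lookups.
"""
import ipaddress
import json
from collections import Counter
from typing import Dict, Iterable, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed stand-in for a Dehashed search response body.
SAMPLE_RESPONSE = json.dumps({
    "entries": [
        {"email": "a.user@example.nl", "ip_address": "203.0.113.17"},
        {"email": "b.user@example.nl", "ip_address": "203.0.113.17"},
        {"email": "c.user@example.nl", "ip_address": "203.0.113.18"},
        {"email": "d.user@example.nl", "ip_address": "10.0.0.5"},        # RFC 1918: leaked from an internal app
        {"email": "e.user@example.nl", "ip_address": "198.51.100.77"},  # single hit: could be a home line
        {"email": "f.user@example.nl", "ip_address": ""},               # breach had no IP column
        {"email": "g.user@example.nl", "ip_address": "not-an-ip"},      # junk, common in dumps
    ]
})

# Address space that can never be an organisation's internet egress. Listed explicitly
# rather than via `ip.is_global` because Python also treats the RFC 5737 documentation
# ranges used in this sample as non-global.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Hypothetical: ranges already attributed to the organisation from RIR inetnum lookups.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def parse_ip_addresses(response_json: str) -> List[IPAddr]:
    """Pull valid, non-bogon addresses out of the entries; blanks and junk strings are skipped."""
    ips: List[IPAddr] = []
    for entry in json.loads(response_json).get("entries", []):
        raw = (entry.get("ip_address") or "").strip()
        if not raw:
            continue
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if not any(ip in net for net in BOGONS):   # version mismatch simply yields False
            ips.append(ip)
    return ips

def triage(ips: Iterable[IPAddr], known_ranges) -> Dict[str, Dict[str, int]]:
    """Count hits per address and split them by whether they fall in ranges already attributed.

    Several accounts of the same domain sharing one address points at a corporate NAT or
    proxy egress; a single hit is more likely an employee's home connection.
    """
    counts = Counter(ips)
    in_known: Dict[str, int] = {}
    candidates: Dict[str, int] = {}
    for ip, n in counts.items():
        bucket = in_known if any(ip in net for net in known_ranges) else candidates
        bucket[str(ip)] = n
    return {"in_known_ranges": in_known, "new_candidates": candidates}

if __name__ == "__main__":
    print(json.dumps(triage(parse_ip_addresses(SAMPLE_RESPONSE), KNOWN_RANGES), indent=2))
```

Addresses in new_candidates are the ones worth a whois/RDAP lookup (next sections): if the range holder turns out to be the target or its hosting provider, the range joins KNOWN_RANGES; if it is a residential ISP, the record is noise.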

Sources

Dehashed Breach Database

Description

Dehashed is a breach database service that allows users to search for compromised credentials, emails, passwords, IP addresses, and other data involved in public data breaches. It supports various queries and can be integrated with API access for automation.

Access Model Paid

Dehashed operates on a subscription-based model, offering the following tiers:

  • Enthusiast Plan: $5.49 for 1 week (7 days)
  • Monthly Plan: $15.49 for 1 month (30 days)
  • Annual Plan: $179.99 for 12 months (365 days)

A subscription is required for API access, and each API credit costs $0.03.

Input Types
  • Domain
  • Email
  • Address
  • Phone Number
  • Username
  • Hashed Password
  • Password
Output Types
  • Domain
  • Email
  • Address
  • Phone Number
  • Username
  • Hashed Password
  • Password
Usage
Dehashed API Call
curl 'https://api.dehashed.com/search?query=domain:{domain}' -u {email}:{API key} -H 'Accept: application/json'
# Supported search query types include email, ip_address, username, password, hashed_password, name.
References

Internet Infrastructure

There are various organizations involved in the infrastructure of the internet, and by querying them it is possible to obtain IP ranges, addresses, emails, phone numbers, and other information associated with an organization.

Internet Registries Background

The global management of IP addresses (the focus here) and domain names relies on a hierarchical structure with the Internet Assigned Numbers Authority (IANA) at the top. IANA oversees several key global resources, including IP address allocation, management of the domain name root zone, and maintenance of protocol registries.

Diagram: IANA delegates address space to the five Regional Internet Registries (APNIC, ARIN, RIPE NCC, LACNIC, AfriNIC); RIRs delegate to National Internet Registries and Local Internet Registries (typically ISPs), which in turn assign to end users.

Regional Internet Registries (RIR)

To effectively manage IP addresses across the world, IANA delegates responsibilities to RIRs. Each RIR is responsible for a specific geographical region and works to allocate and manage IP address blocks, ASNs, and related data for that region. There are five RIRs:

  • African Network Information Centre (AFRINIC)
  • American Registry for Internet Numbers (ARIN)
  • Asia Pacific Network Information Centre (APNIC)
  • Latin America and Caribbean Network Information Centre (LACNIC)
  • Réseaux IP Européens Network Coordination Centre (RIPE NCC)

Internet Registries Map

National Internet Registries (NIRs) and Local Internet Registries (LIRs)

Further delegation of internet number resources, such as IP addresses and ASNs, goes from the RIRs to NIRs and LIRs, which manage distribution at a more local level. NIRs operate within specific countries or regions and manage internet resources within their designated area. LIRs, typically Internet Service Providers (ISPs), large enterprises, or hosting providers, assign or sub-allocate resources directly to end users and smaller networks. As far as I could discern, only APNIC further delegates to NIRs; these are listed below. LACNIC works with some Network Information Centers in Brazil, Mexico, and possibly elsewhere, but they do not appear to function as full NIRs.

APNIC:

  • Indonesia Network Information Centre-Asosiasi Penyelenggara Jasa Internet Indonesia (IDNIC-APJII)
  • China Internet Network Information Center (CNNIC)
  • Japan Network Information Center (JPNIC)
  • Korea Internet & Security Agency (KISA)
  • Taiwan Network Information Center (TWNIC)
  • Vietnam Internet Network Information Center (VNNIC)
  • Indian Registry for Internet Names and Numbers (IRINN)


Internet Routing Background

Internet Routing Registries (IRRs) are databases used to store information related to routing policies and the allocation of IP address prefixes for Autonomous Systems (AS) across the world. They play a role in the Border Gateway Protocol (BGP) and the global routing system by allowing network operators to publish and share routing policies. IRRs are often queried by network operators to build prefix filters and ensure that only valid routes are propagated across the internet.

Autonomous System Number (ASN)

An ASN is a unique identifier assigned to an Autonomous System (AS), a collection of IP networks under the control of a single organization that presents a unified routing policy to the internet. ASNs are used in Border Gateway Protocol (BGP) routing to manage the exchange of reachability information between networks. BGP and autonomous systems are fundamental to how the networks that make up the internet route traffic between each other.

Example

Starting from a domain we can identify the AS where it is hosted and what other ranges originate from that AS. For this example, we start by getting one of the IPs for the Dutch government’s main website with a DNS query using dig.

> dig www.government.nl +short
government.nl.
178.22.85.9
178.22.85.8
178.22.85.10
178.22.85.11

Then using Team Cymru’s whois server we can query the ASN from the IP address.

> whois -h whois.cymru.com " -v 178.22.85.9"
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
41887 | 178.22.85.9 | 178.22.84.0/22 | NL | ripencc | 2010-04-06 | PROLOCATION Prolocation, NL

Using Hurricane Electric’s BGP toolkit (bgp.he.net), IRR Explorer, or one of the RIRs, we can then search the ASN and see the IP ranges that originate from that AS.

From the ASN, its ranges, and what is hosted in them, we can tell that this AS is used for more than just the Dutch government: the AS belongs to Prolocation, a Dutch hosting provider. The next section covers how to narrow ownership below the AS level to find the specific ranges tied to an organization, since many organizations use an AS run by a provider that originates their IP range for them.
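Once more than a handful of IPs have been collected, the single whois lookup above is better done in Team Cymru’s bulk mode: one TCP session to whois.cymru.com port 43 carrying begin / verbose / one IP per line / end returns the same pipe-delimited columns for every address. The following is an added example, not code from the original article or from Team Cymru: it builds that bulk query, parses the response into records, and groups the IPs by originating prefix so that each prefix (not each IP) is what gets checked against the RIRs next. The sample response is constructed; its first two rows repeat the lookup result shown above, the others use documentation addresses and the documentation ASN 64496.

```python
"""Build a Team Cymru bulk whois query and parse the pipe-delimited answer.

Added example, not code from the original article or from Team Cymru. Query and answer
formats are the documented whois.cymru.com bulk mode. SAMPLE_RESPONSE is constructed.
"""
import socket
from collections import defaultdict
from typing import Dict, Iterable, List

CYMRU_HOST, CYMRU_PORT = "whois.cymru.com", 43

def build_bulk_query(ips: Iterable[str]) -> str:
    """`verbose` adds BGP prefix, country, registry and allocation date to the AS columns."""
    return "begin\nverbose\n" + "\n".join(ips) + "\nend\n"

def parse_bulk_response(text: str) -> List[Dict[str, str]]:
    """Turn `AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name` rows into dicts.

    The banner ("Bulk mode; ...") and the column header are skipped. Unrouted addresses
    come back with AS and prefix set to `NA`; they are kept so the caller can see them.
    Rows with another column count (e.g. a non-verbose session) are ignored.
    """
    columns = ["asn", "ip", "prefix", "cc", "registry", "allocated", "as_name"]
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Bulk mode") or line.startswith("AS "):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) == len(columns):
            rows.append(dict(zip(columns, fields)))
    return rows

def group_by_prefix(rows: List[Dict[str, str]]) -> Dict[str, Dict]:
    """Collapse per-IP answers into originating prefixes, the unit to look up in the RIRs."""
    grouped: Dict[str, Dict] = defaultdict(lambda: {"asn": None, "as_name": None, "ips": []})
    for r in rows:
        if r["prefix"] == "NA":
            continue
        g = grouped[r["prefix"]]
        g["asn"], g["as_name"] = r["asn"], r["as_name"]
        g["ips"].append(r["ip"])
    return dict(grouped)

def query_cymru(ips: Iterable[str], timeout: float = 10.0) -> str:
    """Live lookup (needs network); not executed by the offline demo below."""
    with socket.create_connection((CYMRU_HOST, CYMRU_PORT), timeout=timeout) as s:
        s.sendall(build_bulk_query(ips).encode())
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")

# Constructed: first two rows mirror the whois result shown above; the rest use
# documentation addresses and the documentation ASN 64496.
SAMPLE_RESPONSE = """\
Bulk mode; whois.cymru.com [2025-01-01 00:00:00 +0000]
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
41887   | 178.22.85.9      | 178.22.84.0/22      | NL | ripencc  | 2010-04-06 | PROLOCATION Prolocation, NL
41887   | 178.22.85.10     | 178.22.84.0/22      | NL | ripencc  | 2010-04-06 | PROLOCATION Prolocation, NL
64496   | 203.0.113.17     | 203.0.113.0/24      | NL | ripencc  | 2015-06-01 | EXAMPLE-AS Example Org, NL
NA      | 10.0.0.5         | NA                  |    |          |            | NA
"""

if __name__ == "__main__":
    for prefix, info in group_by_prefix(parse_bulk_response(SAMPLE_RESPONSE)).items():
        print(prefix, info["asn"], info["as_name"], info["ips"])
```

Replace SAMPLE_RESPONSE with query_cymru(list_of_ips) for a live run. A prefix that groups several of the target’s IPs under a hosting provider’s AS, as 178.22.84.0/22 does here, is exactly the case where the RIR inetnum data in the next section is needed to find the organization’s own sub-assignment inside the provider’s allocation.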

Identifying IP Ranges

RIRs maintain public databases with whois information on the ownership and allocation of IP addresses, ASNs, and other network resources. Depending on the RIR, these databases can be queried over the WHOIS protocol (TCP port 43), the newer Registration Data Access Protocol (RDAP, JSON over HTTPS), FTP bulk downloads, or web services. For a given IP range they tell you who holds it; this information is public so that abuse and technical issues can be reported. The sources below include more detail on how each can be queried and what is returned.

As mentioned, all RIRs also provide a version of their database over FTP that can then be searched with a tool such as SHADOWSTAR. However, these downloadable datasets omit contact information to comply with privacy regulations. Downloading the supplementary contact data requires specific approval and agreement to an acceptable use policy. RIPE NCC does not provide a supplementary contact dataset at all, so its API is the preferred method of access for that data.
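RDAP is the one interface all five RIRs serve identically, so a single parser covers every region. The following is an added example, not code from the original article or from any RIR: it reduces an RDAP ip network object (RFC 9083) to CIDRs, netname, country and the registrant and abuse contacts carried in the entities’ jCard data, which is what you need to decide whether a range belongs to the target or to its provider. The sample object is constructed with documentation addresses and made-up handles; the live lookup uses the rdap.org redirector, which is assumed here to forward /ip/{address} to the responsible RIR.

```python
"""Parse an RDAP `ip network` response (RFC 9083) into the fields used for range attribution.

Added example, not from the original article or any RIR. SAMPLE_RDAP is constructed
(documentation addresses, made-up handles). rdap.org is assumed as the redirector.
"""
import ipaddress
import json
import urllib.request
from typing import Dict, List, Optional

SAMPLE_RDAP = json.dumps({
    "objectClassName": "ip network",
    "handle": "203.0.113.0 - 203.0.113.255",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.255",
    "ipVersion": "v4",
    "name": "EXAMPLE-GOV-NET",
    "type": "ASSIGNED PA",
    "country": "NL",
    "entities": [
        {"objectClassName": "entity", "handle": "ORG-EXA1-RIPE", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Government Agency"],
                                  ["adr", {}, "text", ["", "", "Example Street 1", "The Hague", "", "2500AA", "NL"]]]]},
        {"objectClassName": "entity", "handle": "EXA-ABUSE", "roles": ["abuse"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Abuse Desk"],
                                  ["email", {}, "text", "abuse@example.nl"]]]},
    ],
})

def vcard_field(entity: Dict, name: str) -> Optional[object]:
    """First value of a jCard property; vcardArray is ['vcard', [[name, params, type, value], ...]]."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == name:
            return prop[3]
    return None

def summarize_ip_network(rdap_json: str) -> Dict:
    """Reduce an `ip network` object to CIDRs plus who is registered and who handles abuse."""
    obj = json.loads(rdap_json)
    if obj.get("objectClassName") != "ip network":
        raise ValueError("not an RDAP ip network object")
    first = ipaddress.ip_address(obj["startAddress"])
    last = ipaddress.ip_address(obj["endAddress"])       # RDAP gives a range, not a CIDR
    contacts: List[Dict] = [{
        "handle": ent.get("handle"),
        "roles": ent.get("roles", []),
        "name": vcard_field(ent, "fn"),
        "email": vcard_field(ent, "email"),
    } for ent in obj.get("entities", [])]
    return {
        "cidrs": [str(n) for n in ipaddress.summarize_address_range(first, last)],
        "netname": obj.get("name"),
        "type": obj.get("type"),
        "country": obj.get("country"),
        "registrant_handles": [c["handle"] for c in contacts if "registrant" in c["roles"]],
        "contacts": contacts,
    }

def fetch_ip_network(ip: str, timeout: float = 10.0) -> Dict:
    """Live lookup via the rdap.org redirector (network required; not run by the demo below)."""
    req = urllib.request.Request(f"https://rdap.org/ip/{ip}",
                                 headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return summarize_ip_network(resp.read().decode())

if __name__ == "__main__":
    print(json.dumps(summarize_ip_network(SAMPLE_RDAP), indent=2))
```

The registrant handle is the pivot: feed it to the RIR’s /entity/{handle} endpoint, and on RIRs that support it the /entities?handle= search, to enumerate sibling ranges held by the same organisation, which is the programmatic form of the RIPE and ARIN click-throughs shown below.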

RIPE Example

If we want to look up IP ranges related to the Dutch government’s National Cyber Security Centre, we can query the RIPE web service, as RIPE NCC assigns ranges in Europe. Go to https://apps.db.ripe.net/db-web-ui/fulltextsearch and perform a full text search with “NCSC-NL” as the keyword. This returns a variety of object types that can then be filtered down to inetnum objects.

ARIN Example

If you are looking for ranges in North America you can query ARIN’s Whois-RWS. It supports more flexible queries than ARIN’s Whois/RDAP search, though neither is as flexible as RIPE’s full text search. At https://whois.arin.net/ui/advanced.jsp we can, for example, search for points of contact with a given email domain.

Searching for any point of contact with a domain of “google.com” (screenshot of the ARIN search form).

The search results contain multiple points of contact (screenshot).

Using the points of contact from the last search shows the organizations associated with them. Alternatively, you could start by searching by organization name (screenshot of a POC record).

The related organizations for the point of contact (screenshot).

Using the related organizations from the list of points of contact you can finally identify the associated networks (screenshot of an Org record).

The related networks for the organization (screenshot).

The following diagram helps to visualize the various registries and the information that can be searched on and returned by each.

Diagram: a domain or subdomain resolves (DNS) to an IP address; an ARIN IP search yields the IP range and its Org handle; Org handle and POC handle searches (by organization name, POC name, mailing address, phone number or email address) lead to Org and POC lookups and from there to the networks held by that Org or POC; a RIPE search yields a RIPE entity and an AFRINIC search an AFRINIC entity.


Sources

AFRINIC

RIR
Description

AFRINIC is the Regional Internet Registry (RIR) for Africa and parts of the Indian Ocean region. It manages the allocation and registration of internet number resources, including IPv4, IPv6, and Autonomous System Numbers (ASNs), in its service region.

Access Model Open

AFRINIC provides access to this information through several services, including:

  • Open Whois: A public whois service at whois.afrinic.net that allows querying for IP address blocks, ASNs, and organization information.
  • Open Whois Web Interface: A public web interface at https://www.afrinic.net/whois-web/public/?lang=en#cli for querying AFRINIC’s WHOIS database.
  • Open RDAP (Registration Data Access Protocol): A public web interface at https://rdap.afrinic.net/rdap that provides structured, machine-readable access to AFRINIC data.
  • Open By Request FTP: Redacted bulk Whois data is available via FTP for general use. Access to non-redacted contact information in bulk is available upon request and requires AFRINIC’s approval based on its terms of service and data privacy concerns as noted at https://afrinic.net/support/whois/bulk.
Input Types
  • First/Last Name
  • Organization Name
  • IP Address
  • ASN
Output Types
  • First/Last Name
  • Organization Name
  • IP Address
  • ASN
  • Phone Number
  • Address
Usage
Whois - Search
whois -h whois.afrinic.net '{ASN|IP address|Organization Name|First Last Name}'
Whois Web Interface - Search
curl 'https://www.afrinic.net/whois-web/public/?lang=en' \
--data 'key={ASN|IP address|Organization Name|First Last Name}&sourceDatabases=afrinic&tabs=on'
RDAP - ASN Lookup
curl https://rdap.afrinic.net/rdap/autnum/{ASN}
RDAP - IP Address Lookup
curl https://rdap.afrinic.net/rdap/ip/{IP Address}
RDAP - Entity Lookup
curl https://rdap.afrinic.net/rdap/entity/{handle}
RDAP - Entity Search by Full Name (Supports Wildcards)
curl https://rdap.afrinic.net/rdap/entities?fn={First Last Name|Organization Name}
RDAP - Entity Search by Handle (Supports Wildcards)
curl https://rdap.afrinic.net/rdap/entities?handle={Search Term}
References

APNIC

RIR
Description

APNIC is the Regional Internet Registry (RIR) for the Asia-Pacific region. It manages the allocation and registration of internet number resources, including IPv4, IPv6, and Autonomous System Numbers (ASNs), in its service region.

Access Model Open

APNIC provides access to this information through several services, including:

  • Open Whois: A public whois service at whois.apnic.net that allows querying for IP address blocks, ASNs, and organization information.
  • Open Whois Web Interface: A public web interface at https://wq.apnic.net/query for querying APNIC’s WHOIS database.
  • Open RDAP (Registration Data Access Protocol): A public web interface at https://rdap.apnic.net that provides structured, machine-readable access to APNIC data.
  • Open By Request FTP: Redacted bulk Whois data is available via FTP for general use. Access to non-redacted contact information in bulk is available upon request and requires APNIC’s approval based on its terms of service and data privacy concerns as noted at https://www.apnic.net/manage-ip/using-whois/bulk-access/.
Input Types
  • First/Last Name
  • Organization Name
  • IP Address
  • ASN
  • Email
Output Types
  • First/Last Name
  • Organization Name
  • IP Address
  • ASN
  • Email
  • Phone Number
  • Address
Usage
Whois - Search
whois -h whois.apnic.net {Entity Handle|Email|First Last Name|IP address|ASN}
Whois Web Interface - Search
curl "https://wq.apnic.net/query?searchtext={Entity Handle|Email|First Last Name|IP address|ASN}"
RDAP - ASN Lookup
curl https://rdap.apnic.net/autnum/{ASN}
RDAP - IP Address Lookup
curl https://rdap.apnic.net/ip/{IP Address}
RDAP - Entity Lookup
curl https://rdap.apnic.net/entity/{handle}
RDAP - Entity Search by Full Name (Supports Wildcards)
curl https://rdap.apnic.net/entities?fn={First Last Name|Organization Name}
RDAP - Entity Search by Handle (Supports Wildcards)
curl https://rdap.apnic.net/entities?handle={Search Term}
References

RIPE

RIR
Description

RIPE is the Regional Internet Registry (RIR) for Europe, the Middle East, and parts of Central Asia. It manages the allocation and registration of internet number resources, including IPv4, IPv6, and Autonomous System Numbers (ASNs), in its service region.

Access Model Open

RIPE provides access to this information through several services, including:

  • Open Whois: A public whois service at whois.ripe.net that allows querying for IP address blocks and ASNs.
  • Open Whois Web Interface: A public web interface at https://apps.db.ripe.net/db-web-ui/fulltextsearch for querying RIPE’s WHOIS database. This interface allows full text search across object attributes and is very flexible.
  • Open Whois API Web Interface: A public API at https://apps.db.ripe.net/db-web-ui/ that allows querying RIPE’s WHOIS database.
  • Open RDAP (Registration Data Access Protocol): A public web interface at https://rdap.db.ripe.net that provides structured, machine-readable access to RIPE data.
  • Open FTP: Bulk Whois data is available via FTP with personal data removed. Unlike the other RIRs, RIPE NCC does not offer unredacted data on approval; even the Near-Real-Time Mirror (NRTM) has personal data redacted, as described at https://docs.db.ripe.net/FAQ/#can-i-download-the-ripe-database.
Input Types
  • First/Last Name
  • Organization Name
  • IP Address
  • ASN
  • Email
  • Phone Number
  • Address
Output Types
  • First/Last Name
  • Organization Name
  • IP Address
  • ASN
  • Email
  • Phone Number
  • Address
Usage
Whois - Search
whois -h whois.ripe.net {Entity Handle|Email|First Last Name|IP address|ASN}
Whois API - Search
curl "https://rest.db.ripe.net/search.json?query-string={query}"
Whois Web Interface - Full Text Search
curl "https://apps.db.ripe.net/db-web-ui/api/rest/fulltextsearch/select?q={query}"
RDAP - ASN Lookup
curl https://rdap.db.ripe.net/autnum/{ASN}
RDAP - IP Address Lookup
curl https://rdap.db.ripe.net/ip/{IP Address}
RDAP - Entity Lookup
curl https://rdap.db.ripe.net/entity/{handle}
RDAP - Entity Search by Full Name
curl https://rdap.db.ripe.net/entities?fn={First Last Name|Organization Name}
RDAP - Entity Search by Handle
curl https://rdap.db.ripe.net/entities?handle={Search Term}
References

ARIN

RIR
Description

ARIN is the Regional Internet Registry (RIR) for North America. It manages the allocation and registration of internet number resources, including IPv4, IPv6, and Autonomous System Numbers (ASNs), in its service region.

Access Model Open

ARIN provides access to this information through several services, including:

  • Open Whois: A public whois service at whois.arin.net that allows querying for IP address blocks and ASNs.
  • Open Whois-RWS (RESTful Web Service): A public web interface that allows querying using more types of search terms than the RDAP alternative. https://whois.arin.net/ui/
  • Open RDAP (Registration Data Access Protocol): A public web interface at https://search.arin.net/rdap/ that provides structured, machine-readable access to ARIN data.
  • Open By Request FTP: Redacted bulk Whois data is available via FTP for general use. Access to non-redacted contact information in bulk is available upon request and requires ARIN’s approval based on its terms of service and data privacy concerns as noted at https://www.arin.net/reference/research/bulkwhois/.
Input Types
  • First/Last Name
  • Domain
  • ASN
  • IP Address
  • Organization Name
Output Types
  • First/Last Name
  • Domain
  • ASN
  • IP Address
  • Organization Name
  • Phone
  • Email
  • Address
Usage
Whois Search by Email (Supports Wildcards)
whois -h whois.arin.net 'z @ {Email}'
Whois Search by Name (Supports Wildcards)
whois -h whois.arin.net 'z @ {Last Name, First|Organization Name}'
# Whois-RWS returns XML by default; add -H 'Accept: application/json' for JSON.
Whois Web Interface - IP Search
curl "https://whois.arin.net/rest/ip/{IP_Address}"
Whois Web Interface - Organization Handle Search (Supports Wildcards)
curl -s "https://whois.arin.net/rest/orgs;name={Org_Name}"
Whois Web Interface - Organization Handle to Networks
curl "https://whois.arin.net/rest/org/{ARIN_Org_Handle}/nets"
Whois Web Interface - Organization Handle to Points of Contact
curl "https://whois.arin.net/rest/org/{ARIN_Org_Handle}/pocs"
Whois Web Interface - Organization Lookup
curl "https://whois.arin.net/rest/org/{ARIN_Org_Handle}"
Whois Web Interface - Point of Contact Handle Search (Supports Wildcards)
curl -s "https://whois.arin.net/rest/pocs;company={Organization_Name}"
curl -s "https://whois.arin.net/rest/pocs;domain={Domain}"
curl -s "https://whois.arin.net/rest/pocs;first={Firstname};last={Lastname}"
Whois Web Interface - Point of Contact Handle to Networks
curl "https://whois.arin.net/rest/poc/{ARIN_POC_Handle}/nets"
Whois Web Interface - Point of Contact Lookup
curl "https://whois.arin.net/rest/poc/{ARIN_POC_Handle}"
RDAP - ASN Lookup
curl https://rdap.arin.net/registry/autnum/{ASN}
RDAP - IP Address Lookup
curl https://rdap.arin.net/registry/ip/{IP Address}
RDAP - Entity Lookup
curl https://rdap.arin.net/registry/entity/{handle}
RDAP - Entity Search by Full Name (Supports Wildcards)
curl https://rdap.arin.net/registry/entities?fn={First Last Name|Organization Name}
RDAP - Entity Search by Handle (Supports Wildcards)
curl https://rdap.arin.net/registry/entities?handle={Search Term}
References

LACNIC

RIR
Description

LACNIC is the Regional Internet Registry (RIR) for Latin America and parts of the Caribbean. It manages the allocation and registration of internet number resources, including IPv4, IPv6, and Autonomous System Numbers (ASNs), in its service region.

Access Model Open

LACNIC provides access to this information through several services, including:

  • Open Whois: A public whois service at whois.lacnic.net that allows querying for IP address blocks and ASNs. It only accepts an entity handle, an IP address, or an AS number as the query.
  • Open Whois Web Interface: A public web interface at https://query.milacnic.lacnic.net/ for querying LACNIC’s WHOIS database.
  • Open RDAP (Registration Data Access Protocol): A public web interface at https://rdap.lacnic.net/rdap/ that provides structured, machine-readable access to LACNIC data.
  • Open By Request FTP: Redacted bulk Whois data is available via FTP for general use. Access to non-redacted contact information in bulk is available upon request and requires LACNIC’s approval based on its terms of service and data privacy concerns as noted at https://www.lacnic.net/2472/2/lacnic/accessing-bulk-whois.
Input Types
  • IP Address
  • ASN
  • Organization Name
  • First/Last Name
Output Types
  • First/Last Name
  • Domain
  • ASN
  • IP Address
  • Organization Name
  • Phone
  • Email
  • Address
Usage
Whois - Search
whois -h whois.lacnic.net {Entity Handle|IP address|ASN}
Whois Web Interface - Entity Search
curl "https://rdap-redirect.lacnic.net/rdap/entity/{Entity Handle}"
Whois Web Interface - Whois Search
curl "https://rdap-redirect.lacnic.net/rdap/whois/{Entity Handle|IP address|ASN}"
RDAP - ASN Lookup
curl https://rdap.lacnic.net/rdap/autnum/{ASN}
RDAP - IP Address Lookup
curl https://rdap.lacnic.net/rdap/ip/{IP Address}
RDAP - Entity Lookup
curl https://rdap.lacnic.net/rdap/entity/{handle}
RDAP - Entity Search by Full Name (Supports Wildcards)
curl https://rdap.lacnic.net/rdap/entities?fn={First Last Name|Organization Name}
RDAP - Entity Search by Handle (Supports Wildcards)
curl https://rdap.lacnic.net/rdap/entities?handle={Search Term}
References

Database Dumps

IRR RIR
Description

These are publicly available database dumps for various Internet Routing Registries (IRR) and Regional Internet Registries (RIR). These databases contain routing information, including prefixes, ASNs, and related data.

Access Model Open

Databases can be accessed and downloaded through publicly available FTP services.

Input Types
  • First/Last Name
  • Domain
  • ASN
  • IP Address
  • Organization Name
  • Phone
  • Email
  • Address
Output Types
  • First/Last Name
  • Domain
  • ASN
  • IP Address
  • Organization Name
  • Phone
  • Email
  • Address
Usage
wget -r ftp://whois.rogerstelecom.net -X /radb/dbase/archive -nc
wget -r ftp://ftp.radb.net -X /radb/dbase/archive -nc
wget -r ftp://ftp.afrinic.net/zones -nc
wget -r ftp://ftp.afrinic.net/dbase -nc
wget -r ftp://ftp.altdb.net -nc
wget -r ftp://ftp.apnic.net/public/zones -nc
wget -r ftp://ftp.apnic.net/apnic/whois/ -nc
wget -r ftp://ftp.apnic.net/public/apnic/dbase/data/ -nc
wget -r ftp://ftp.bgp.net.br -nc
wget -r ftp://ftp.lacnic.net/lacnic/irr/lacnic.db.gz -nc
wget -r ftp://ftp.lacnic.net/pub/zones/ -nc
wget -r ftp://ftp.nestegg.net/irr/ -nc
wget -r ftp://ftp.nic.ad.jp/jpirr/ -nc
wget -r ftp://ftp.panix.com/pub/rrdb -nc
wget -r ftp://ftp.ripe.net/pub/zones/ -nc
wget -r ftp://ftp.ripe.net/ripe/dbase/ -nc
wget -r ftp://irr-mirror.idnic.net -nc
wget -r ftp://irr.bboi.net -nc
wget -r ftp://rr.level3.net -X bmp,pub,sdata -nc
wget -r ftp://rr1.ntt.net/nttcomRR/ -nc
wget -r ftp://whois.gts.net/pub/irrd -nc
wget -r ftp://whois.in.bell.ca -nc
find . -name '*.gz' -exec gunzip -f {} \;
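The downloaded dumps are RPSL text: blank-line-separated objects of attribute: value lines, with inetnum values written as start - end ranges rather than CIDRs. The following is an added example, not code from the original article or from SHADOWSTAR, covering the offline search mentioned in the Identifying IP Ranges section above and the dumps fetched here: it streams a (gzipped) dump such as the RIPE inetnum split file, joins continuation lines, matches a keyword against netname, descr and org, and converts each hit to CIDRs. The sample dump text is constructed with documentation addresses and made-up netnames; it is not real registry data.

```python
"""Search an RIR/IRR RPSL dump (e.g. ripe.db.inetnum from ftp.ripe.net) for an organisation's ranges.

Added example, not code from the original article or from SHADOWSTAR. SAMPLE_DUMP is
constructed (documentation addresses, made-up netnames); file paths are the caller's.
"""
import gzip
import ipaddress
import re
from typing import Dict, Iterable, Iterator, List

SAMPLE_DUMP = """\
inetnum:        203.0.113.0 - 203.0.113.127
netname:        EXAMPLE-GOV-NET
descr:          Example Government Agency, The Hague
country:        NL
org:            ORG-EXA1-RIPE
admin-c:        DUMY-RIPE
status:         ASSIGNED PA
mnt-by:         EXAMPLE-MNT
source:         RIPE # Filtered

inetnum:        198.51.100.0 - 198.51.100.255
netname:        OTHER-HOSTING
descr:          Unrelated hosting customer
                second descr line (continuation)
country:        NL
source:         RIPE # Filtered

inet6num:       2001:db8:4000::/48
netname:        EXAMPLE-GOV-V6
descr:          Example Government Agency IPv6
country:        NL
org:            ORG-EXA1-RIPE
source:         RIPE # Filtered
"""

def iter_objects(lines: Iterable[str]) -> Iterator[Dict[str, List[str]]]:
    """Yield one dict per RPSL object; repeated attributes (e.g. descr) accumulate as lists."""
    obj: Dict[str, List[str]] = {}
    last_key = None
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():                          # blank line terminates an object
            if obj:
                yield obj
            obj, last_key = {}, None
        elif line.startswith(("%", "#")):             # dump banner / comments
            continue
        elif line[0] in " \t+" and last_key:          # RPSL continuation line
            obj[last_key][-1] += " " + line.lstrip(" \t+")
        else:
            key, _, value = line.partition(":")       # first colon only: inet6num values contain colons
            last_key = key.strip()
            obj.setdefault(last_key, []).append(value.strip())
    if obj:
        yield obj

def range_to_cidrs(value: str) -> List[str]:
    """`inetnum` is `first - last`; `inet6num` is already CIDR. Return CIDR strings."""
    if "-" in value:
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        return [str(n) for n in ipaddress.summarize_address_range(first, last)]
    return [str(ipaddress.ip_network(value.strip()))]

def find_ranges(objects: Iterable[Dict[str, List[str]]], keyword: str) -> Dict[str, List[str]]:
    """Map each matching inetnum/inet6num object (by netname) to its CIDRs.

    Matches case-insensitively on netname, descr and org, the same fields the RIPE full
    text search hits. `source: RIPE # Filtered` marks dumps with contact data stripped.
    """
    pattern = re.compile(re.escape(keyword), re.IGNORECASE)
    hits: Dict[str, List[str]] = {}
    for obj in objects:
        rng = obj.get("inetnum") or obj.get("inet6num")
        if not rng:
            continue
        haystack = " ".join(obj.get("netname", []) + obj.get("descr", []) + obj.get("org", []))
        if pattern.search(haystack):
            hits[obj["netname"][0]] = range_to_cidrs(rng[0])
    return hits

def search_dump_file(path: str, keyword: str) -> Dict[str, List[str]]:
    """Stream a gzipped or plain dump from disk; the RIPE inetnum file is hundreds of MB."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="latin-1", errors="replace") as fh:
        return find_ranges(iter_objects(fh), keyword)

if __name__ == "__main__":
    print(find_ranges(iter_objects(SAMPLE_DUMP.splitlines(True)), "example government"))
```

Run search_dump_file on the gunzipped or still-gzipped files the wget commands above fetch (for RIPE, the inetnum and inet6num files under ripe/dbase/); because the public dumps are filtered, matching on an org: handle found earlier via RDAP or whois is more reliable than matching on a name in descr.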
References