Introducing ASNMap: A Golang CLI tool for speedy reconnaissance using ASN data
Table of Contents
- What are ASNs?
- What is ASNMap?
- Go install method
- Download and compile method
- Configuration options
- Output options
- Usage demos
- Get IP ranges from an ASN
- Get the CIDR range that an IP belongs to
- Get CIDR ranges associated with an organization
- Get CIDR ranges associated with a domain name
- Get CIDR ranges associated with multiple domain names
- JSON output
- CSV output
- Conclusion
If you're into hacking, there's a good chance that at least one of ProjectDiscovery's tools has been added to your toolbox over the last couple of years. In all honesty, ProjectDiscovery's tools now make up the majority of my toolbox. For this reason, I get excited when they release something new, and ASNMap is no exception.
What are ASNs?
An Autonomous System (AS) is one or more IP prefixes, typically run by one network operator, with a clearly defined routing policy. An Autonomous System Number (ASN) is the identifier for that Autonomous System.
Many large organizations have their own ASN. ASNs are extremely useful for reconnaissance because they allow us to enumerate IP prefixes owned by that organization.
What is ASNMap?
ASNMap is a brand new CLI tool, written in Golang, for querying Autonomous System data. The data is pulled from https://api.asnmap.sh, which serves data parsed from Frank Denis' legendary IPtoASN database.
Put simply, ASNMap converts:
- Organization names to CIDR ranges
- ASN numbers to CIDR ranges
- IP addresses to CIDR ranges
- Domain names to CIDR ranges
The results can be viewed in JSON, CSV and text formats, so it's easy to pipe the output into other tools.
Installation
There are many ways to install a Golang tool; I'm going to cover two of them in this article. Both of these methods require a Golang installation, which I'll leave as an exercise for the reader.
Go install method
The easiest is simply to run the following command:
go install github.com/projectdiscovery/asnmap/cmd/asnmap@latest
This will compile and install asnmap, then put the binary into your GOBIN folder, which is typically ~/go/bin.
Download and compile method
Another method is to download and compile the code yourself. Run the following command to grab the code from GitHub.
git clone https://github.com/projectdiscovery/asnmap
Then navigate to the right directory, and compile the code:
cd asnmap/cmd/asnmap
go build
Now you can run asnmap!
$ ./asnmap

 ___ _____ __
 / _ | / __/ |/ /_ _ ___ ____
 / __ |_\ \/ / ' \/ _ / _ \
/_/ |_/___/_/|_/_/_/_/\_,_/ .__/
 /_/ v0.0.1

 projectdiscovery.io

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
[FTL] no input defined
Options
The CLI options are split into three sections: input, configuration and output. Here's what they all do:
Input options
These options tell ASNMap what type of data you are feeding it:
- -a or -asn queries an AS number, e.g. -a AS5650
- -i or -ip queries an IP address, e.g. -i 100.19.12.21
- -d or -domain queries a domain name, e.g. -d google.com
- -org queries an organization name, e.g. -org GOOGLE
Several inputs, of different types, can be given in a single command:
asnmap -i 1.1.1.1 -i 1.3.3.7 -org GOOGLE -d facebook.com
Configuration options
- -config lets you specify a configuration file. When you install/run ASNMap for the first time, the default configuration template is generated in ~/.config/asnmap/config.yaml
- -r or -resolvers lets you specify which DNS servers to use when a domain needs to be resolved.
Output options
These options let you specify how you would like to view the data output.
- -j or -json outputs the data in JSON format
- -c or -csv outputs the data in CSV format
- -v enables verbose mode
- -silent suppresses the banner and outputs only the data
- -version displays the version of ASNMap that you're using
- -v6 includes IPv6 CIDR ranges in the CLI output
- -o or -output specifies a filename to write the output to
Usage demos
What would a tool release blog be without some demos?
Get IP ranges from an ASN
$ ./asnmap -silent -a AS394161

8.21.14.0/24
8.45.124.0/24
8.47.24.0/24
8.244.67.0/24
8.244.131.0/24
62.67.197.0/24
199.43.255.0/24
199.66.9.0/24
199.66.10.0/23
199.120.48.0/22
199.120.52.0/23
199.120.56.0/24
205.234.11.0/24
209.133.79.0/24
213.19.141.0/24
213.244.145.0/24
Get the CIDR range that an IP belongs to
$ ./asnmap -silent -i 1.1.1.1
1.1.1.0/24
Get CIDR ranges associated with an organization
$ ./asnmap -silent -org GOOGLE

8.8.4.0/24
8.8.8.0/24
8.35.200.0/21
34.3.3.0/24
34.4.4.0/24
34.96.0.0/20
34.96.32.0/19
34.96.64.0/18
34.98.64.0/18
34.98.136.0/21
34.98.144.0/21
✂️ Snipped for brevity
Get CIDR ranges associated with a domain name
$ ./asnmap -silent -d facebook.com

157.240.4.0/22
157.240.8.0/21
157.240.16.0/20
157.240.32.0/19
157.240.64.0/18
Get CIDR ranges associated with multiple domain names
$ ./asnmap -silent -d facebook.com,twitter.com

157.240.4.0/22
157.240.8.0/21
157.240.16.0/20
157.240.32.0/19
157.240.64.0/18
104.244.40.0/23
104.244.42.0/24
JSON output
$ ./asnmap -a AS394161 -silent -json | jq

{
  "timestamp": "2022-09-22 23:05:26.866957 +1000 AEST",
  "input": "AS394161",
  "as_number": "AS394161",
  "as_name": "TESLA",
  "as_country": "US",
  "as_range": [
    "8.21.14.0/24"
  ]
}
{
  "timestamp": "2022-09-22 23:05:26.867265 +1000 AEST",
  "input": "AS394161",
  "as_number": "AS394161",
  "as_name": "TESLA",
  "as_country": "US",
  "as_range": [
    "8.45.124.0/24"
  ]
}
{
  "timestamp": "2022-09-22 23:05:26.867277 +1000 AEST",
  "input": "AS394161",
  "as_number": "AS394161",
  "as_name": "TESLA",
  "as_country": "US",
  "as_range": [
    "8.47.24.0/24"
  ]
}
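Because asnmap emits one JSON object per line (not a single array), anything downstream has to decode a stream of concatenated objects. The following is an added example of doing that in Go; it is not ProjectDiscovery's code or part of the original post. It embeds the three records shown above as constructed sample input, groups the parsed prefixes by AS number, and answers the question a defender most often has for this data: does a given IP fall inside one of the organization's announced ranges? It assumes Go 1.18 or newer for the net/netip package, and the struct field names are taken from the output above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/netip"
	"strings"
)

// Record mirrors one JSON object emitted by `asnmap -json`
// (field names taken from the output shown in the post).
type Record struct {
	Timestamp string   `json:"timestamp"`
	Input     string   `json:"input"`
	ASNumber  string   `json:"as_number"`
	ASName    string   `json:"as_name"`
	ASCountry string   `json:"as_country"`
	ASRange   []string `json:"as_range"`
}

// sampleJSON is constructed from the three records shown above.
// asnmap prints one object per line rather than a JSON array.
const sampleJSON = `{"timestamp":"2022-09-22 23:05:26.866957 +1000 AEST","input":"AS394161","as_number":"AS394161","as_name":"TESLA","as_country":"US","as_range":["8.21.14.0/24"]}
{"timestamp":"2022-09-22 23:05:26.867265 +1000 AEST","input":"AS394161","as_number":"AS394161","as_name":"TESLA","as_country":"US","as_range":["8.45.124.0/24"]}
{"timestamp":"2022-09-22 23:05:26.867277 +1000 AEST","input":"AS394161","as_number":"AS394161","as_name":"TESLA","as_country":"US","as_range":["8.47.24.0/24"]}
`

// LoadPrefixes decodes a stream of concatenated JSON objects and returns the
// parsed CIDR prefixes grouped by AS number. A malformed prefix is reported
// as an error instead of being silently dropped.
func LoadPrefixes(r io.Reader) (map[string][]netip.Prefix, error) {
	dec := json.NewDecoder(r)
	out := make(map[string][]netip.Prefix)
	for {
		var rec Record
		err := dec.Decode(&rec)
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("decode: %w", err)
		}
		for _, cidr := range rec.ASRange {
			p, err := netip.ParsePrefix(cidr)
			if err != nil {
				return nil, fmt.Errorf("record %q: %w", rec.Input, err)
			}
			// Masked() normalises e.g. 8.21.14.5/24 to 8.21.14.0/24.
			out[rec.ASNumber] = append(out[rec.ASNumber], p.Masked())
		}
	}
	return out, nil
}

// Lookup returns the AS number whose prefix contains ip, or "" when no
// prefix matches or ip is not a valid address.
func Lookup(prefixes map[string][]netip.Prefix, ip string) string {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return ""
	}
	for asn, ps := range prefixes {
		for _, p := range ps {
			if p.Contains(addr) {
				return asn
			}
		}
	}
	return ""
}

func main() {
	prefixes, err := LoadPrefixes(strings.NewReader(sampleJSON))
	if err != nil {
		panic(err)
	}
	for _, ip := range []string{"8.45.124.7", "1.1.1.1"} {
		fmt.Printf("%s -> %q\n", ip, Lookup(prefixes, ip))
	}
}
```

In a real pipeline you would replace strings.NewReader(sampleJSON) with os.Stdin and pipe `asnmap -json` into the program; the decoder loop is the same.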
CSV output
asnmap$ ./asnmap -a AS394161 -silent -csv

timestamp|input|as_number|as_name|as_country|as_range
2022-09-22 23:22:29.881525 +1000 AEST|AS394161|AS394161|TESLA|US|8.21.14.0/24
2022-09-22 23:22:29.881842 +1000 AEST|AS394161|AS394161|TESLA|US|8.45.124.0/24
2022-09-22 23:22:29.881851 +1000 AEST|AS394161|AS394161|TESLA|US|8.47.24.0/24
2022-09-22 23:22:29.881859 +1000 AEST|AS394161|AS394161|TESLA|US|8.244.67.0/24
2022-09-22 23:22:29.881866 +1000 AEST|AS394161|AS394161|TESLA|US|8.244.131.0/24
2022-09-22 23:22:29.881875 +1000 AEST|AS394161|AS394161|TESLA|US|62.67.197.0/24
2022-09-22 23:22:29.881881 +1000 AEST|AS394161|AS394161|TESLA|US|199.43.255.0/24
2022-09-22 23:22:29.881887 +1000 AEST|AS394161|AS394161|TESLA|US|199.66.9.0/24,199.66.10.0/23
2022-09-22 23:22:29.881933 +1000 AEST|AS394161|AS394161|TESLA|US|199.120.48.0/22,199.120.52.0/23
2022-09-22 23:22:29.88196 +1000 AEST|AS394161|AS394161|TESLA|US|199.120.56.0/24
2022-09-22 23:22:29.881967 +1000 AEST|AS394161|AS394161|TESLA|US|205.234.11.0/24
2022-09-22 23:22:29.881976 +1000 AEST|AS394161|AS394161|TESLA|US|209.133.79.0/24
2022-09-22 23:22:29.881982 +1000 AEST|AS394161|AS394161|TESLA|US|213.19.141.0/24
2022-09-22 23:22:29.881988 +1000 AEST|AS394161|AS394161|TESLA|US|213.244.145.0/24
2022-09-22 23:22:29.881994 +1000 AEST|AS394161|AS394161|TESLA|US|2620:137:d000:1::/64
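Two details of the CSV output are easy to trip over: the delimiter is a pipe rather than a comma, and the as_range column can itself hold several comma-separated CIDRs on one row (see the 199.66.x and 199.120.x rows above), while the final row is an IPv6 prefix that the plain text output would have omitted without -v6. The following is an added Go example, not ProjectDiscovery's code or part of the original post, that parses a constructed sample taken from the rows above, locates columns by header name so a column reordering does not silently break it, expands the multi-value as_range field into one prefix per row, and separates the result by address family. It assumes Go 1.18 or newer for net/netip.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"io"
	"net/netip"
	"strings"
)

// sampleCSV is constructed from the rows shown above. Two rows carry
// several comma-separated CIDRs in as_range, and the last row is IPv6.
const sampleCSV = `timestamp|input|as_number|as_name|as_country|as_range
2022-09-22 23:22:29.881525 +1000 AEST|AS394161|AS394161|TESLA|US|8.21.14.0/24
2022-09-22 23:22:29.881887 +1000 AEST|AS394161|AS394161|TESLA|US|199.66.9.0/24,199.66.10.0/23
2022-09-22 23:22:29.881933 +1000 AEST|AS394161|AS394161|TESLA|US|199.120.48.0/22,199.120.52.0/23
2022-09-22 23:22:29.881994 +1000 AEST|AS394161|AS394161|TESLA|US|2620:137:d000:1::/64
`

// Row is one flattened (AS number, prefix) pair.
type Row struct {
	ASNumber string
	Prefix   netip.Prefix
}

// ParseASNMapCSV reads pipe-delimited `asnmap -csv` output, finds the
// as_number and as_range columns by header name, and expands a
// comma-separated as_range value so every returned Row has one prefix.
func ParseASNMapCSV(r io.Reader) ([]Row, error) {
	cr := csv.NewReader(r)
	cr.Comma = '|' // asnmap separates columns with a pipe, not a comma
	header, err := cr.Read()
	if err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	col := make(map[string]int, len(header))
	for i, name := range header {
		col[strings.TrimSpace(name)] = i
	}
	asnIdx, okASN := col["as_number"]
	rangeIdx, okRange := col["as_range"]
	if !okASN || !okRange {
		return nil, fmt.Errorf("missing as_number or as_range column in %v", header)
	}
	var rows []Row
	for {
		rec, err := cr.Read()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		// The as_range field may hold several CIDRs joined by commas.
		for _, cidr := range strings.Split(rec[rangeIdx], ",") {
			p, err := netip.ParsePrefix(strings.TrimSpace(cidr))
			if err != nil {
				return nil, fmt.Errorf("bad prefix %q: %w", cidr, err)
			}
			rows = append(rows, Row{ASNumber: rec[asnIdx], Prefix: p.Masked()})
		}
	}
	return rows, nil
}

// SplitByFamily separates the prefixes into IPv4 and IPv6 string lists,
// which mirrors the -v6 distinction in the CLI's text output.
func SplitByFamily(rows []Row) (v4, v6 []string) {
	for _, r := range rows {
		if r.Prefix.Addr().Is4() {
			v4 = append(v4, r.Prefix.String())
		} else {
			v6 = append(v6, r.Prefix.String())
		}
	}
	return v4, v6
}

func main() {
	rows, err := ParseASNMapCSV(strings.NewReader(sampleCSV))
	if err != nil {
		panic(err)
	}
	v4, v6 := SplitByFamily(rows)
	fmt.Println("IPv4:", v4)
	fmt.Println("IPv6:", v6)
}
```

Naive splitting on commas would break this format, and naive splitting on pipes would miss the packed as_range values; the header-driven lookup plus the inner split handles both.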
Conclusion
Using AS numbers as a recon method is a widely known technique, but the process of gathering this information has always been quite manual and slow. ASNMap allows you to get this information easily, and without leaving the comfort of your terminal 🧑💻🙂.
If this sounds like a useful tool, you should see what else ProjectDiscovery has available for free on their GitHub profile!
- Luke Stephens (@hakluke)