Introducing ASNMap: A Golang CLI tool for speedy reconnaissance using ASN data

If you're into hacking, there's a good chance that at least one of ProjectDiscovery's tools has been added to your toolbox over the last couple of years. In all honesty, ProjectDiscovery's tools now make up the majority of my toolbox. For this reason, I get excited when they release something new, and ASNMap is no exception.

What are ASNs?

An Autonomous System (AS) is one or more IP prefixes, typically run by one network operator, with a clearly defined routing policy. An Autonomous System Number (ASN) is the identifier for that Autonomous System.

Many large organizations have their own ASN. ASNs are extremely useful for reconnaissance because they allow us to enumerate IP prefixes owned by that organization.

What is ASNMap?

ASNMap is a brand new CLI tool, written in Golang, used to query Autonomous System data. The data is pulled from https://api.asnmap.sh, which returns data that is parsed from Frank Denis' legendary IPtoASN database.

Put simply, ASNMap converts:

  • Organization names to CIDR ranges
  • ASN numbers to CIDR ranges
  • IP addresses to CIDR ranges
  • Domain names to CIDR ranges

The results can be viewed in JSON, CSV and text formats, so it's easy to pipe the output into other tools.

Installation

There are many ways to install a Golang tool; I'm going to cover two of them in this article. Both of these methods require a Golang installation, which I'll leave as an exercise for the reader.

Go install method

The easiest method is to run the following command:

cli

go install github.com/projectdiscovery/asnmap/cmd/asnmap@latest


This will compile and install asnmap, placing the binary in your GOBIN folder, which is typically ~/go/bin.

Download and compile method

Another method is to download and compile the code yourself. Run the following command to grab the code from GitHub.

cli

git clone https://github.com/projectdiscovery/asnmap

Then navigate to the right directory, and compile the code:

cli

cd asnmap/cmd/asnmap
go build


Now you can run asnmap!

console

$ ./asnmap

   ___   _____  __              
  / _ | / __/ |/ /_ _  ___ ____ 
 / __ |_\ \/    /  ' \/ _  / _ \
/_/ |_/___/_/|_/_/_/_/\_,_/ .__/
                         /_/    v0.0.1  

		projectdiscovery.io

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
[FTL] no input defined

Options

The CLI options are split into three sections: input, configurations and output. Here's what they all do:

Input options

These options tell ASNMap what type of data you are feeding it:

  • -a or -asn is for querying an AS number, e.g. -a AS5650
  • -i or -ip is for querying an IP address, e.g. -i 100.19.12.21
  • -d or -domain is for querying a domain name, e.g. -d google.com
  • -org is for querying an organization name, e.g. -org GOOGLE

💡 PROTIP: Multiple inputs can be specified, whether they are of the same type or not.

cli

asnmap -i 1.1.1.1 -i 1.3.3.7 -org GOOGLE -d facebook.com

Configuration options

  • -config allows you to specify a configuration file. When you install/run ASNMap for the first time, the default configuration template will be generated in ~/.config/asnmap/config.yaml
  • -r or -resolvers allows you to specify which DNS servers to use when a domain needs to be resolved.

Output options

These options allow you to specify how you would like to view the data output.

  • -j or -json allows you to view the data in JSON format
  • -c or -csv allows you to view the data in CSV format
  • -v enables verbose mode
  • -silent stops the banner from showing, and just outputs the data
  • -version displays the version of ASNMap that you're using
  • -v6 displays the IPv6 CIDR ranges in CLI output
  • -o or -output specifies a filename to write the output to

Usage demos

What would a tool release blog be without some demos?

Get IP ranges from an ASN

bash

$ ./asnmap -silent -a AS394161

8.21.14.0/24
8.45.124.0/24
8.47.24.0/24
8.244.67.0/24
8.244.131.0/24
62.67.197.0/24
199.43.255.0/24
199.66.9.0/24
199.66.10.0/23
199.120.48.0/22
199.120.52.0/23
199.120.56.0/24
205.234.11.0/24
209.133.79.0/24
213.19.141.0/24
213.244.145.0/24

Get the CIDR range that an IP belongs to

cli

$ ./asnmap -silent -i 1.1.1.1
1.1.1.0/24

Get CIDR ranges associated with an organization

cli

./asnmap -silent -org GOOGLE

8.8.4.0/24
8.8.8.0/24
8.35.200.0/21
34.3.3.0/24
34.4.4.0/24
34.96.0.0/20
34.96.32.0/19
34.96.64.0/18
34.98.64.0/18
34.98.136.0/21
34.98.144.0/21
✂️ Snipped for brevity

Get CIDR ranges associated with a domain name

bash

$ ./asnmap -silent -d facebook.com

157.240.4.0/22
157.240.8.0/21
157.240.16.0/20
157.240.32.0/19
157.240.64.0/18

Get CIDR ranges associated with multiple domain names

bash

$ ./asnmap -silent -d facebook.com,twitter.com

157.240.4.0/22
157.240.8.0/21
157.240.16.0/20
157.240.32.0/19
157.240.64.0/18
104.244.40.0/23
104.244.42.0/24

JSON output

💡 Note that the JSON and CSV outputs also contain more details, not just CIDR ranges!

bash

$ ./asnmap -a AS394161 -silent -json | jq

{
  "timestamp": "2022-09-22 23:05:26.866957 +1000 AEST",
  "input": "AS394161",
  "as_number": "AS394161",
  "as_name": "TESLA",
  "as_country": "US",
  "as_range": [
    "8.21.14.0/24"
  ]
}
{
  "timestamp": "2022-09-22 23:05:26.867265 +1000 AEST",
  "input": "AS394161",
  "as_number": "AS394161",
  "as_name": "TESLA",
  "as_country": "US",
  "as_range": [
    "8.45.124.0/24"
  ]
}
{
  "timestamp": "2022-09-22 23:05:26.867277 +1000 AEST",
  "input": "AS394161",
  "as_number": "AS394161",
  "as_name": "TESLA",
  "as_country": "US",
  "as_range": [
    "8.47.24.0/24"
  ]
}
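The JSON output is a stream of separate objects rather than a single array, so it has to be decoded one object at a time. As an added example (not part of the original post or ProjectDiscovery's code), this Go program reads that stream and checks whether an address, say one from your own logs or asset inventory, falls inside the returned ranges. The function names and the sample input are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/netip"
	"strings"
)

// Constructed sample in the shape of the -json output shown above.
const sample = `{"as_number":"AS394161","as_name":"TESLA","as_range":["8.21.14.0/24"]}
{"as_number":"AS394161","as_range":["199.66.9.0/24","199.66.10.0/23","2620:137:d000:1::/64","not-a-cidr"]}`

// ParsePrefixes decodes concatenated JSON objects (one per result, not a JSON
// array) and returns every valid prefix; invalid CIDR strings are skipped.
func ParsePrefixes(r io.Reader) ([]netip.Prefix, error) {
	dec := json.NewDecoder(r)
	var out []netip.Prefix
	for {
		var rec struct{ ASRange []string `json:"as_range"` }
		if err := dec.Decode(&rec); err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err // includes truncated input (io.ErrUnexpectedEOF)
		}
		for _, s := range rec.ASRange {
			if p, err := netip.ParsePrefix(s); err == nil {
				out = append(out, p.Masked())
			}
		}
	}
}

// Covered reports whether ip falls inside any of the prefixes.
func Covered(ip string, prefixes []netip.Prefix) bool {
	addr, _ := netip.ParseAddr(ip) // on error addr is the zero Addr, which no prefix contains
	for _, p := range prefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(ParsePrefixes(strings.NewReader(sample)))
}
```

In practice the reader would be os.Stdin, with the -json output piped straight into the program.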

CSV output

bash

asnmap$ ./asnmap -a AS394161 -silent -csv

timestamp|input|as_number|as_name|as_country|as_range
2022-09-22 23:22:29.881525 +1000 AEST|AS394161|AS394161|TESLA|US|8.21.14.0/24
2022-09-22 23:22:29.881842 +1000 AEST|AS394161|AS394161|TESLA|US|8.45.124.0/24
2022-09-22 23:22:29.881851 +1000 AEST|AS394161|AS394161|TESLA|US|8.47.24.0/24
2022-09-22 23:22:29.881859 +1000 AEST|AS394161|AS394161|TESLA|US|8.244.67.0/24
2022-09-22 23:22:29.881866 +1000 AEST|AS394161|AS394161|TESLA|US|8.244.131.0/24
2022-09-22 23:22:29.881875 +1000 AEST|AS394161|AS394161|TESLA|US|62.67.197.0/24
2022-09-22 23:22:29.881881 +1000 AEST|AS394161|AS394161|TESLA|US|199.43.255.0/24
2022-09-22 23:22:29.881887 +1000 AEST|AS394161|AS394161|TESLA|US|199.66.9.0/24,199.66.10.0/23
2022-09-22 23:22:29.881933 +1000 AEST|AS394161|AS394161|TESLA|US|199.120.48.0/22,199.120.52.0/23
2022-09-22 23:22:29.88196 +1000 AEST|AS394161|AS394161|TESLA|US|199.120.56.0/24
2022-09-22 23:22:29.881967 +1000 AEST|AS394161|AS394161|TESLA|US|205.234.11.0/24
2022-09-22 23:22:29.881976 +1000 AEST|AS394161|AS394161|TESLA|US|209.133.79.0/24
2022-09-22 23:22:29.881982 +1000 AEST|AS394161|AS394161|TESLA|US|213.19.141.0/24
2022-09-22 23:22:29.881988 +1000 AEST|AS394161|AS394161|TESLA|US|213.244.145.0/24
2022-09-22 23:22:29.881994 +1000 AEST|AS394161|AS394161|TESLA|US|2620:137:d000:1::/64

Conclusion

Using AS numbers as a recon method is a widely known technique, but the process of gathering this information has always been quite manual and slow. ASNMap allows you to get this information easily, and without leaving the comfort of your terminal 🧑‍💻🙂.

If this sounds like a useful tool, you should see what else ProjectDiscovery has available for free on their GitHub profile!

- Luke Stephens (@hakluke)
