Perimeter

https://pentest-tools.com/home
https://hackertarget.com/ip-tools/
DNS
- $ nslookup example.com
- Subdomains & AXFR
- AS details
- $ whois example.com
- $ whois 127.0.0.1
- Check for DNS Amplification
CMS, Stack, Vulns
- WhatWeb, Wappalyzer
- Shodan / Censys / SecurityTrails
Google Dorks
- /robots.txt
- /sitemap.xml

Autonomous Systems

https://hackware.ru/?p=9245

Info via IP

dig:

$ dig $(dig -x 127.0.0.1 | grep PTR | tail -n 1 | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}').origin.asn.cymru.com TXT +short

whois:

$ whois -h whois.cymru.com -- '-v 127.0.0.1'
$ whois -h whois.radb.net 127.0.0.1

Info via ASN

whois:

$ whois -h whois.cymru.com -- '-v AS48666'
$ whois -h whois.radb.net AS48666

Search AS

Map IP addresses to AS by origin and netname ignoring potentionally unwanted netname values by keywords:

whois.sh

 #!/bin/bash
 # Usage: whois.sh ip_list.txt

for ip in `cat $1`; do
  WHOIS=`whois $ip`
  ASNUM=`echo $WHOIS | grep -i "origin:" | tr -d ' ' | cut -d ":" -f 2 | tr $'\n' ','`
  NETNAME=`echo $WHOIS | grep -i "netname:" | tr -d ' ' | cut -d ":" -f 2`
  if ! echo "$NETNAME" | grep -iqF -e pppoe -e ipoe; then
    echo "$ASNUM,$NETNAME,$ip"
   fi
done

One-liner providing the input from DivideAndScan:

$ for i in `das -db corp scan -ports all -show -raw | sort -u`; do whois $i | grep -e org-name: -e netname: -e route: -e origin:; echo ---; done

Using ansmap:

$ asnmap -i `das -db corp scan -ports all -show -raw | sort -u | sed -z 's/\n/,/g;s/,$/\n/'` -silent
$ asnmap -d `cat domains.txt | sed -z 's/\n/,/g;s/,$/\n/'` -silent

Difference between as-name, aut-num, origin, netname, etc. may be found on RIPE.

Last updated 2 years ago