IP Address Block Enumeration

[SynJunkie]

I would like to what tools and methods other people may use for IP address block enumeration.  I have used qtrace.pl in the past but i’m not aware of any other tools / websites that may be of use.

I find that in books, articles and websites there is often very little emphasis on clearly identify the network boundaries of the target.

Does anyone have any suggestions?

Thanks

SynJunkie

[BillV]

I guess I’m a bit confused on what you’re looking for. Are you looking for owners of IP blocks? A simple whois command/lookup won’t work?

[SynJunkie]

I find that in general a whois might give me the isp assigned block.  but where i have found a host in a range by using something like Fierce, i want to find the size of that range assigned to the target network..

[RoleReversal]

SynJunkie,

in theory whois should provide the inform you require as BillV states. However not all LIR’s keep the whois database updated to that level despite the rules and regs stating that they should so your mileage may vary.

As an alternative you could try pinging some potential network boundaries, often (not always) I have seen a broadcast IP create multiple ICMP replies to a single request.

[SynJunkie]

Thanks RoleReversal.  That was one of my methods (nmap xxx.xxx.xxx.xxx/24 -sP) and then look for typical boundary type devices such as routers or firewalls.  Obviously this method isn’t that reliable and I was hoping that there was another more reliable option for footprinting the target.

Oh well, worth a try.

Cheers.

Syn

[Anonymous]

It may also be of use to enumerate any DNS hostnames you can find and see where they resolve to. This could help define the size of the network. You can start by trying reverse lookups of the IP addreses you think are in the network. Results for an unexpected domain might indicate you are beyond the network boundaries.

If you can do a zone transfer then check the addresses where the hostnames point to. Check out DNS records such as MX and NS. Using data from separate sources and queries can help build a better understanding and increase your confidence in the results.

Jimbob

[SynJunkie]

Thanks Jimbob.  Again, these are methods I already use.  Maybe I was looking for a tool that does the same as Senseposts qtrace.pl but it doesn’t exist.

Thanks for the reply though.

[Anonymous]

a combination of maltego and fierce should do the trick for you

[slimjim100]

Another thing I do because I am a router guy is to ping and trace route the range you suspect. With ISP’s some times using there own host names you can find smaller subnet ranges with ping times. Host normally have very different reply times than routers and ture network devices. So the wire address and the network broadcast of a smaller network inside a class C IP network can some times be identified by a similar ping time. Also trace route will give you host names. I think it was already stated but reverse DNS also can help ID a smaller subnet range.

my 2 cents 🙂

Brian
aka Slimjim100

[SynJunkie]

The reverse DNS i was well aware ofbut the traceroute and ping method is pretty interesting.  I had thought that traceroute might be useful for certain types of mapping or helping to ID honeynets but your method certainly sounds useful.

Thanks. 🙂

[Author]

Posts