Which methods can I use to identify a company's public network address range(s)?
6 Answers
This depends on some factors. When it's a big company and they own complete subnets, this information is stored in the whois record. You can either use commercial tools which allow you to search a dump of whois records for the company, or look up all publicly available hostnames of that company. You would normally start with the addresses of the web, mail and DNS server(s).
When it comes to small or medium-sized companies, there are in most cases only single hosts that are publicly accessible. In most cases these addresses and servers are rented, or even shared hosting addresses. You can easily figure this out by performing reverse lookups of that address.
To find more hosts assigned to a domain, you can download the latest DNS dump from censys.io (formerly available on scans.io) and then grep it for the domain to find subdomains. You can then also perform a DNS "bruteforce" by prepending commonly used hostnames to the targeted domain name. This can be done with dnsrecon, for example.
Also, there are situations where a subnet is assigned to the hosting company, but the range contains more than one website of that company anyway. To find websites of that company in an IP range you can use a tool like EyeWitness, which will create screenshots of every website in that range. Note: this will not work with virtual hosts when you use the IP address of that web server as the address.
There is no simple way. The company probably has a website, but it may be hosted on premises as well as elsewhere. And even if it is on their premises, it may have a different IP range from the rest of the network.
For example, Microsoft.com's IP address is 104.43.195.251, which is in the range 104.40.0.0 - 104.47.255.255. But if you look for bing.com, it has the IP address 204.79.197.200, which is in the range 204.79.195.0 - 204.79.197.255.
The above ranges can be found using this command: whois $(dig +short microsoft.com | head -1)
which in human terms is basically: 'grab one IP address from microsoft.com and run whois on that'.
The whois info also contains OrgName: Microsoft Corporation, so what if you look for every IP range that is from Microsoft? I don't know how to do that (I'd have to look it up), but such a thing might work for a big company like Microsoft.
However, not every company has their own IP range in the first place. Take a random small business in the neighborhood: they'll probably have a website hosted with a hosting company, which is different from their ISP at the office. In that case it'd be impossible to find their IP address (or range) if they don't have RDNS set, and with RDNS, you'd still have to reverse-lookup millions of addresses.
You can run the command below for each of the registries (RIPE, ARIN, etc.). Example with Asia Pacific (APNIC).
You will get back everything in the database that contains the string you put in.
It is the cheapest and fastest way, and you can build your own code around it.
whois -h whois.apnic.net COMPANYNAME
Example:
whois -h whois.apnic.net Microsoft
or if you wish more focused response
whois -h whois.apnic.net microsoft | grep inetnum
Output:
% Abuse contact for '58.246.69.164 - 58.246.69.167' is 'hqs-ipabuse@chinaunicom.cn'
inetnum: 58.246.69.164 - 58.246.69.167
netname: Microsoft
country: cn
descr: Microsoft (China) Co., Ltd.
admin-c: YR194-AP
tech-c: YR194-AP
status: ASSIGNED NON-PORTABLE
mnt-by: MAINT-CNCGROUP-SH
last-modified: 2008-12-13T14:48:23Z
source: APNIC
This is already covered by other answers along with the challenges and weaknesses of the `whois` approach. Specifically, that it will not work for smaller companies, and you only get a scope of results, when it does work. – schroeder May 17 '19 at 09:18
There are different ways to do it. The generally accepted method is to use the “netblock” information in the WHOIS databases.
The process would be the following for a given company:
- Look up the IP address of one of the company's websites via DNS
- Issue a whois query on this address to identify the "netblock" that this address is a part of (won't work if the website is hosted by a third party like Amazon)
For example, let’s try to find the IP addresses operated by GitHub:
We'll start by looking up the IP address for the GitHub Pages website.
$ host -t a github.io
github.io has address 185.199.109.153
github.io has address 185.199.108.153
github.io has address 185.199.111.153
github.io has address 185.199.110.153
Then pick one of the records and issue a Whois query to find out the whole netblock:
$ whois 185.199.109.153
[...]
inetnum: 185.199.108.0 - 185.199.111.255
netname: US-GITHUB-20170413
country: US
org: ORG-GI58-RIPE
admin-c: GA9828-RIPE
tech-c: NO1444-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-by: us-github-1-mnt
created: 2017-04-13T15:36:35Z
last-modified: 2018-12-14T10:48:39Z
source: RIPE
[...]
We now have a much larger IP address range that contains at least github.io's main web server.
Finding other ranges would require finding more web sites/servers operated by them and reusing the same technique, or obtaining copies of the full Whois databases and looking for every reference to GitHub.
One online service that does that is NetworksDB.io (Disclaimer: I am the owner/developer.)
The online tools can be used for free and there is a free API available for testing. For example, you can see all the public networks and IP addresses owned by Github on this page: https://networksdb.io/ip-addresses-of/github-inc
Even better, fetch the results via the command line:
$ curl -s https://networksdb.io/ip-addresses-of/github-inc | grep 'IP Range' | awk '{print $3" - "$5}' | sort
140.82.112.0 - 140.82.127.255
148.62.46.150 - 148.62.46.151
148.62.46.192 - 148.62.46.199
174.143.3.100 - 174.143.3.103
185.199.108.0 - 185.199.111.255
192.30.252.0 - 192.30.255.255
74.205.116.224 - 74.205.116.239
Try using Domain Dossier, which can provide you with some information about the company's public-facing web server. You can look at the Network Whois record to see if there is a defined CIDR range. This range might give you an idea about the other public-facing servers. You can then run a scan tool to see which of those IPs are in use and are hosting open services. Scanning is never recommended, though.
There are ways, certainly. The first thing you'll want to do is identify the company's ASN, or ASN(s) if they are large enough to have more than one major network. Once you know the ASN, you should be able to find out all of the routes they're advertising.
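As an added example, not code from any of the answers above: the whois netblock procedure in the GitHub answer (resolve a host, whois the address, read the inetnum/NetRange line) and the ASN route lookup in the last answer both return RPSL-style `key: value` objects, and the script below parses both into CIDR prefixes, merges them, and reports which prefix a given address falls in. The whois and IRR text embedded in it is constructed from the formats shown on this page, plus a deliberately non-aligned range in the 203.0.113.0/24 documentation net to show that one registry range can map to several prefixes. AS36459 as the origin ASN and the `-i origin` inverse query against whois.radb.net are assumptions of this example, not facts stated on the page.

```python
"""Turn whois / IRR output into CIDR prefixes (added example, not from the page)."""
import ipaddress

# Constructed sample of `whois <ip>` output: a RIPE-style object (inetnum),
# an ARIN-style object (NetRange) and a non-aligned range in TEST-NET-3.
SAMPLE_WHOIS = """\
% This is the RIPE Database query service.
inetnum:        185.199.108.0 - 185.199.111.255
netname:        US-GITHUB-20170413
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         us-github-1-mnt
source:         RIPE

NetRange:       140.82.112.0 - 140.82.127.255
CIDR:           140.82.112.0/20
OrgName:        GitHub, Inc.

inetnum:        203.0.113.8 - 203.0.113.23
netname:        EXAMPLE-NOT-PREFIX-ALIGNED
source:         RIPE
"""

# Constructed sample of IRR route objects, in the shape returned by an inverse
# query such as `whois -h whois.radb.net -- '-i origin AS36459'` (assumed ASN).
# The AS64496 object is there to show the origin filter dropping it.
SAMPLE_IRR = """\
route:          192.30.252.0/22
origin:         AS36459
source:         RADB

route:          185.199.108.0/22
origin:         AS36459
source:         RADB

route:          198.51.100.0/24
origin:         AS64496
source:         RADB

route:          140.82.112.0/20
origin:         AS36459
source:         RADB
"""


def parse_rpsl(text):
    """Split whois/IRR output into objects: blank-line separated blocks of
    'key: value' lines. '%' and '#' comment lines are skipped. A key that
    repeats inside one object (two mnt-by lines, say) keeps every value."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def ranges_from_whois(text):
    """RIPE 'inetnum' / ARIN 'NetRange' values are 'start - end' ranges, which
    need not align to a single prefix; summarize_address_range splits them."""
    nets = []
    for obj in parse_rpsl(text):
        for key in ("inetnum", "netrange"):
            for value in obj.get(key, []):
                start, _, end = value.partition("-")
                nets.extend(ipaddress.summarize_address_range(
                    ipaddress.ip_address(start.strip()),
                    ipaddress.ip_address(end.strip())))
    return nets


def routes_from_irr(text, origin_asn):
    """Keep route/route6 objects originated by origin_asn. IRR objects are
    operator-declared claims, not proof the prefix is actually announced."""
    wanted = origin_asn.strip().upper()
    nets = []
    for obj in parse_rpsl(text):
        if any(o.upper() == wanted for o in obj.get("origin", [])):
            for key in ("route", "route6"):
                nets.extend(ipaddress.ip_network(v, strict=False) for v in obj.get(key, []))
    return nets


def collapse(nets):
    """Merge duplicate, overlapping and adjacent prefixes, per address family, sorted."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def owning_prefix(nets, ip):
    """Return the prefix containing ip, or None: the check to run before adding
    a discovered host to an in-scope target list."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in n), None)


if __name__ == "__main__":
    found = collapse(ranges_from_whois(SAMPLE_WHOIS) + routes_from_irr(SAMPLE_IRR, "AS36459"))
    for net in found:
        print(net)
    print("185.199.109.153 is in", owning_prefix(found, "185.199.109.153"))
```

In real use, replace the two sample strings with the output of `whois <ip>` and of an IRR query for the ASN, then feed the collapsed list to whatever scope check or scanner you use; the 185.199.108.0/22 prefix appearing in both sources is deduplicated by `collapse`.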