Introducing ASNMap: A Golang CLI tool for speedy reconnaissance using ASN data

If you're into hacking, there's a good chance that at least one of ProjectDiscovery's tools has been added to your toolbox over the last couple of years. In all honesty, ProjectDiscovery's tools now make up the majority of my toolbox. For this reason, I get excited when they release something new, and ASNMap is no exception.

What are ASNs?

An Autonomous System (AS) is one or more IP prefixes, typically run by one network operator, with a clearly defined routing policy. An Autonomous System Number (ASN) is the identifier for that Autonomous System.

Many large organizations have their own ASN. ASNs are extremely useful for reconnaissance because they allow us to enumerate IP prefixes owned by that organization.

What is ASNMap?

ASNMap is a brand new CLI tool, written in Golang, used to query Autonomous System data. The data is pulled from https://api.asnmap.sh, which returns data that is parsed from Frank Denis' legendary IPtoASN database.

Put simply, ASNMap converts:

  • Organization names to CIDR ranges
  • ASN numbers to CIDR ranges
  • IP addresses to CIDR ranges
  • Domain names to CIDR ranges

The results can be viewed in JSON, CSV and text formats, so it's easy to pipe the output into other tools.

Installation

There are many ways to install a Golang tool; I'm going to cover two of them in this article. Both of these methods require a Golang installation, which I'll leave as an exercise for the reader.

Go install method

The easiest method is to simply run the following command:

go install github.com/projectdiscovery/asnmap/cmd/asnmap@latest


This will download and compile asnmap, then put the binary into your GOBIN folder, which is typically ~/go/bin.

Download and compile method

Another method is to download and compile the code yourself. Run the following command to grab the code from GitHub.

git clone https://github.com/projectdiscovery/asnmap

Then navigate to the right directory, and compile the code:

cd asnmap/cmd/asnmap
go build


Now you can run asnmap!

$ ./asnmap

   ___   _____  __              
  / _ | / __/ |/ /_ _  ___ ____ 
 / __ |_\ \/    /  ' \/ _  / _ \
/_/ |_/___/_/|_/_/_/_/\_,_/ .__/
                         /_/    v0.0.1  

		projectdiscovery.io

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
[FTL] no input defined

Options

The CLI options are split into three sections: input, configurations and output. Here's what they all do:

Input options

These options tell ASNMap what type of data you are feeding it:

  • -a or -asn is for querying an AS number, e.g. -a AS5650
  • -i or -ip is for querying an IP address, e.g. -i 100.19.12.21
  • -d or -domain is for querying a domain name, e.g. -d google.com
  • -org is for querying an organization name, e.g. -org GOOGLE

💡 PROTIP: Multiple inputs can be specified, whether they are of the same type or not.

asnmap -i 1.1.1.1 -i 1.3.3.7 -org GOOGLE -d facebook.com

Configuration options

  • -config allows you to specify a configuration file. When you install/run ASNMap for the first time, the default configuration template will be generated in ~/.config/asnmap/config.yaml
  • -r or -resolvers allows you to specify which DNS servers to use when a domain needs to be resolved.

Output options

These options allow you to specify how you would like to view the data output.

  • -j or -json allows you to view the data in JSON format
  • -c or -csv allows you to view the data in CSV format
  • -v enables verbose mode
  • -silent stops the banner from showing, and just outputs the data
  • -version displays the version of ASNMap that you're using
  • -v6 displays the IPv6 CIDR ranges in CLI output
  • -o or -output specifies a filename to write the output to

Usage demos

What would a tool release blog be without some demos?

Get IP ranges from an ASN

$ ./asnmap -silent -a AS394161

8.21.14.0/24
8.45.124.0/24
8.47.24.0/24
8.244.67.0/24
8.244.131.0/24
62.67.197.0/24
199.43.255.0/24
199.66.9.0/24
199.66.10.0/23
199.120.48.0/22
199.120.52.0/23
199.120.56.0/24
205.234.11.0/24
209.133.79.0/24
213.19.141.0/24
213.244.145.0/24

Get the CIDR range that an IP belongs to

$ ./asnmap -silent -i 1.1.1.1
1.1.1.0/24

Get CIDR ranges associated with an organization

$ ./asnmap -silent -org GOOGLE

8.8.4.0/24
8.8.8.0/24
8.35.200.0/21
34.3.3.0/24
34.4.4.0/24
34.96.0.0/20
34.96.32.0/19
34.96.64.0/18
34.98.64.0/18
34.98.136.0/21
34.98.144.0/21
✂️ Snipped for brevity

Get CIDR ranges associated with a domain name

$ ./asnmap -silent -d facebook.com

157.240.4.0/22
157.240.8.0/21
157.240.16.0/20
157.240.32.0/19
157.240.64.0/18

Get CIDR ranges associated with multiple domain names

$ ./asnmap -silent -d facebook.com,twitter.com

157.240.4.0/22
157.240.8.0/21
157.240.16.0/20
157.240.32.0/19
157.240.64.0/18
104.244.40.0/23
104.244.42.0/24

JSON output

💡 Note that the JSON and CSV outputs also contain more details, not just CIDR ranges!

$ ./asnmap -a AS394161 -silent -json | jq

{
  "timestamp": "2022-09-22 23:05:26.866957 +1000 AEST",
  "input": "AS394161",
  "as_number": "AS394161",
  "as_name": "TESLA",
  "as_country": "US",
  "as_range": [
    "8.21.14.0/24"
  ]
}
{
  "timestamp": "2022-09-22 23:05:26.867265 +1000 AEST",
  "input": "AS394161",
  "as_number": "AS394161",
  "as_name": "TESLA",
  "as_country": "US",
  "as_range": [
    "8.45.124.0/24"
  ]
}
{
  "timestamp": "2022-09-22 23:05:26.867277 +1000 AEST",
  "input": "AS394161",
  "as_number": "AS394161",
  "as_name": "TESLA",
  "as_country": "US",
  "as_range": [
    "8.47.24.0/24"
  ]
}

CSV output

asnmap$ ./asnmap -a AS394161 -silent -csv

timestamp|input|as_number|as_name|as_country|as_range
2022-09-22 23:22:29.881525 +1000 AEST|AS394161|AS394161|TESLA|US|8.21.14.0/24
2022-09-22 23:22:29.881842 +1000 AEST|AS394161|AS394161|TESLA|US|8.45.124.0/24
2022-09-22 23:22:29.881851 +1000 AEST|AS394161|AS394161|TESLA|US|8.47.24.0/24
2022-09-22 23:22:29.881859 +1000 AEST|AS394161|AS394161|TESLA|US|8.244.67.0/24
2022-09-22 23:22:29.881866 +1000 AEST|AS394161|AS394161|TESLA|US|8.244.131.0/24
2022-09-22 23:22:29.881875 +1000 AEST|AS394161|AS394161|TESLA|US|62.67.197.0/24
2022-09-22 23:22:29.881881 +1000 AEST|AS394161|AS394161|TESLA|US|199.43.255.0/24
2022-09-22 23:22:29.881887 +1000 AEST|AS394161|AS394161|TESLA|US|199.66.9.0/24,199.66.10.0/23
2022-09-22 23:22:29.881933 +1000 AEST|AS394161|AS394161|TESLA|US|199.120.48.0/22,199.120.52.0/23
2022-09-22 23:22:29.88196 +1000 AEST|AS394161|AS394161|TESLA|US|199.120.56.0/24
2022-09-22 23:22:29.881967 +1000 AEST|AS394161|AS394161|TESLA|US|205.234.11.0/24
2022-09-22 23:22:29.881976 +1000 AEST|AS394161|AS394161|TESLA|US|209.133.79.0/24
2022-09-22 23:22:29.881982 +1000 AEST|AS394161|AS394161|TESLA|US|213.19.141.0/24
2022-09-22 23:22:29.881988 +1000 AEST|AS394161|AS394161|TESLA|US|213.244.145.0/24
2022-09-22 23:22:29.881994 +1000 AEST|AS394161|AS394161|TESLA|US|2620:137:d000:1::/64
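The -csv output above is pipe-delimited, and a single as_range field can hold several comma-separated CIDRs, IPv4 or IPv6. As an added example (not part of the original post or of ASNMap itself), here is a Go parser that turns that output into a validated, de-duplicated prefix inventory per AS number, for instance to maintain a scope list of your own organization's ranges. It assumes the six-column layout shown on this page; the function name ParseCSV is hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// Constructed sample: header plus three rows taken from the -csv demo above.
const sample = `timestamp|input|as_number|as_name|as_country|as_range
2022-09-22 23:22:29.881887 +1000 AEST|AS394161|AS394161|TESLA|US|199.66.9.0/24,199.66.10.0/23
2022-09-22 23:22:29.88196 +1000 AEST|AS394161|AS394161|TESLA|US|199.120.56.0/24
2022-09-22 23:22:29.881994 +1000 AEST|AS394161|AS394161|TESLA|US|2620:137:d000:1::/64`

// ParseCSV (hypothetical helper) groups validated, de-duplicated prefixes by as_number.
func ParseCSV(data string) (map[string][]netip.Prefix, error) {
	out := map[string][]netip.Prefix{}
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(data))
	for n := 1; sc.Scan(); n++ {
		f := strings.Split(strings.TrimSpace(sc.Text()), "|")
		if f[0] == "" || f[0] == "timestamp" {
			continue // blank line or header row
		}
		if len(f) != 6 {
			return nil, fmt.Errorf("line %d: want 6 fields, got %d", n, len(f))
		}
		for _, c := range strings.Split(f[5], ",") { // as_range may hold several CIDRs
			p, err := netip.ParsePrefix(strings.TrimSpace(c))
			if err != nil {
				return nil, fmt.Errorf("line %d: %w", n, err)
			}
			p = p.Masked() // zero the host bits so duplicates compare equal
			if key := f[2] + "|" + p.String(); !seen[key] {
				seen[key] = true
				out[f[2]] = append(out[f[2]], p)
			}
		}
	}
	return out, sc.Err()
}

func main() {
	inv, err := ParseCSV(sample)
	fmt.Println(inv["AS394161"], err)
}
```

Each returned netip.Prefix has a Contains method, so checking whether an address falls inside the inventory is a short loop over the slice.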

Conclusion

Using AS numbers as a recon method is a widely known technique, but the process of gathering this information has always been quite manual and slow. ASNMap allows you to get this information easily, and without leaving the comfort of your terminal 🧑‍💻🙂.

If this sounds like a useful tool, you should see what else ProjectDiscovery has available for free on their GitHub profile!

- Luke Stephens (@hakluke)
