ASN Lookup Tool and Traceroute Server

Container support:

OS support:

Table of contents:

• Description
• Screenshots
• Running the script from a container
• Installation
  • Optional: adding your API tokens to improve functionalities
• Usage (as a command line tool)
• Usage (as a lookup & traceroute server)
• Usage (as a lookup API with JSON output)

---

Description

ASN / RPKI validity / BGP stats / IPv4v6 / Prefix / ASPath / Organization / IP reputation / IP geolocation / IP fingerprinting / Network recon / lookup tool / Web traceroute server.

This script serves the purpose of having a quick OSINT command line tool at disposal when investigating network data, which can come in handy in incident response scenarios as well (with features such as bulk geolocation and threat scoring).

It can be used as a recon tool by querying Shodan for data about any type of target (CIDR blocks/URLs/single IPs/hostnames). This will quickly give the user a complete breakdown about open ports, known vulnerabilities, known software and hardware running on the target, and more - without ever sending a single packet to the target. JSON output of the results, multiple simultaneous targets and IP list file inputs and are also supported. Click here for more information about Shodan scanning mode.

It can also be used as a web-based traceroute server, by running it in listening mode and launching lookups and traces from a local or remote browser (via a bookmarklet or custom search engine) or terminal (via curl, elinks or similar tools). Click here for more information about server mode functionality.

Furthermore, it can serve as a self-hosted lookup API endpoint and output JSON-formatted data while running in both interactive and server mode. Click here for more information about API mode functionality.

Features:

• It will lookup relevant Autonomous System information for any given AS number, including:

  • Organization name and RIR region
  • IXP Presence (Internet Exchange facilities where the AS is present)
  • Global AS rank (derived from the size of its customer cone, number of peering relationships and more)
  • BGP statistics (neighbours count, originated v4/v6 prefix count)
  • BGP incident history (number of BGP hijacks and route leaks involving the target AS in the past 12 months, as a victim or a hijacker)
  • Peering relationships separated by type (upstream/downstream/uncertain), and sorted by observed path count, to give more reliable results (so for instance, the first few upstream peers are most likely to be transits). Furthermore, a recap of transits/peers/customers amount (per latest CAIDA data) is displayed.
  • Announced prefixes aggregated to the most relevant less-specific INET(6)NUM object (actual LIR allocation).

• It will perform an AS path trace (using mtr and retrieving AS data from the results) for single IPs or DNS results, optionally reporting detailed data for each hop, such as RPKI ROA validity, organization/network name, geographic location, etc.

• It will detect IXPs (Internet Exchange Points) traversed during the trace, and highlight them for clarity.

• It will attempt to lookup all relevant abuse contacts for any given IP or prefix.

• It will perform RPKI validity lookups for every possible IP. Data is validated using the RIPEStat RPKI validation API. For path traces, the tool will match each hop's ASN/Prefix pair (retrieved from the Prefix Whois public server) with relevant published RPKI ROAs. In case of origin AS mismatch or unallowed more-specific prefixes, it will warn the user of a potential route leak / BGP hijack along with the offending AS in the path (requires -d option, see below for usage info).

  • Read more about BGP hijacking here.
  • Read more about RPKI here, here, or here.

• It will perform IP geolocation lookups according to the logic described below.

  • geolocation can be performed in bulk mode. See here for more info.
  • the script can also map all IPv4/IPv6 CIDR blocks allocated to any given country, by querying data from Marcel Bischoff's country-ip-blocks repo. See below for more info.

• It will perform IP reputation, noise classification and in-depth threat analysis reporting (especially useful when investigating foreign IPs from log files).

• It will perform IP fingerprinting using Shodan's InternetDB API and report any known vulnerabilities, open ports and services/operating system/hardware pertaining to target IPs and individual trace hops (detailed traces only).

  • Directly querying Shodan for any type of targets (including CIDR blocks) is also possible. More information here about how to use the script as a recon tool.

• It will perform IP type identification (Anycast IP/Mobile network/Proxy host/ISP/Government/Education/Datacenter or hosting provider/IXP prefix, and more) for target IPs and individual trace hops. Broad type classification comes from ip-api, while detailed DC+region and org type identification comes from Ipapi.is

  • It will also identify bogon addresses being traversed and classify them according to the relevant RFC (Private address space/CGN space/Test address/link-local/reserved/etc.)

• It is possible to search by organization name in order to retrieve a list of IPv4/6 network ranges related to a given company. A multiple choice menu will be presented if more than one organization matches the search query.

• It is possible to search for ASNs matching a given name, in order to map the ASNs for a given organization. The list will be enriched by each result's AS rank and useful tags highlighting the highest-ranking ASNs found.

• It is possible to quickly identify the transit/upstream AS network(s) for a given prefix, through analysis of observed BGP updates and ASPATHs.

  • the tool will also inform the user when a prefix is likely coming from a large tier-1 or multihomed network.

• Lookup data can be integrated by third party tools by choosing JSON output and parsing the results externally, turning the script into a lookup API endpoint.

Screenshots for every lookup option are below.

The script uses the following services for data retrieval:

• Team Cymru
• The Prefix WhoIs Project
• [Peeri