ASN Lookup Tool and Traceroute Server

Container support:

OS support:

Description

ASN / RPKI validity / BGP stats / IPv4v6 / Prefix / ASPath / Organization / IP reputation / IP geolocation / IP fingerprinting / Network recon / lookup tool / Web traceroute server.

This script serves the purpose of having a quick OSINT command line tool at disposal when investigating network data, which can come in handy in incident response scenarios as well (with features such as bulk geolocation and threat scoring).

It can be used as a recon tool by querying Shodan for data about any type of target (CIDR blocks/URLs/single IPs/hostnames). This will quickly give the user a complete breakdown about open ports, known vulnerabilities, known software and hardware running on the target, and more - without ever sending a single packet to the target. JSON output of the results, multiple simultaneous targets and IP list file inputs and are also supported. Click here for more information about Shodan scanning mode.

It can also be used as a web-based traceroute server, by running it in listening mode and launching lookups and traces from a local or remote browser (via a bookmarklet or custom search engine) or terminal (via curl, elinks or similar tools). Click here for more information about server mode functionality.

Furthermore, it can serve as a self-hosted lookup API endpoint and output JSON-formatted data while running in both interactive and server mode. Click here for more information about API mode functionality.

Features:

It will lookup relevant Autonomous System information for any given AS number, including:
- Organization name and RIR region
- IXP Presence (Internet Exchange facilities where the AS is present)
- Global AS rank (derived from the size of its customer cone, number of peering relationships and more)
- BGP statistics (neighbours count, originated v4/v6 prefix count)
- BGP incident history (number of BGP hijacks and route leaks involving the target AS in the past 12 months, as a victim or a hijacker)
- Peering relationships separated by type (upstream/downstream/uncertain), and sorted by observed path count, to give more reliable results (so for instance, the first few upstream peers are most likely to be transits). Furthermore, a recap of transits/peers/customers amount (per latest CAIDA data) is displayed.
- Announced prefixes aggregated to the most relevant less-specific INET(6)NUM object (actual LIR allocation).
It will perform an AS path trace (using mtr and retrieving AS data from the results) for single IPs or DNS results, optionally reporting detailed data for each hop, such as RPKI ROA validity, organization/network name, geographic location, etc.
It will detect IXPs (Internet Exchange Points) traversed during the trace, and highlight them for clarity.
It will attempt to lookup all relevant abuse contacts for any given IP or prefix.
It will perform RPKI validity lookups for every possible IP. Data is validated using the RIPEStat RPKI validation API. For path traces, the tool will match each hop's ASN/Prefix pair (retrieved from the Prefix Whois public server) with relevant published RPKI ROAs. In case of origin AS mismatch or unallowed more-specific prefixes, it will warn the user of a potential route leak / BGP hijack along with the offending AS in the path (requires -d option, see below for usage info).
- Read more about BGP hijkacking here.
- Read more about RPKI here, here, or here.
It will perform IP geolocation lookups according to the logic described below.
- geolocation can be performed in bulk mode. See here for more info.
- the script can also map all IPv4/IPv6 CIDR blocks allocated to any given country, by querying data from Marcel Bischoff's country-ip-blocks repo. See below for more info.
It will perform IP reputation, noise classification and in-depth threat analysis reporting (especially useful when investigating foreign IPs from log files).
It will perform IP fingerprinting using Shodan's InternetDB API and report any known vulnerabilities, open ports and services/operating system/hardware pertaining to target IPs and individual trace hops (detailed traces only).
- Directly querying Shodan for any type of targets (including CIDR blocks) is also possible. More informations here about how to use the script as a recon tool.
It will perform IP type identification (Anycast IP/Mobile network/Proxy host/Datacenter or hosting provider/IXP prefix) for target IPs and individual trace hops. Broad type classification comes from ip-api, while detailed DC+region identification comes from incolumitas.com
- It will also identify bogon addresses being traversed and classify them according to the relevant RFC (Private address space/CGN space/Test address/link-local/reserved/etc.)
It is possible to search by organization name in order to retrieve a list of IPv4/6 network ranges related to a given company. A multiple choice menu will be presented if more than one organization matches the search query.
It is possible to search for ASNs matching a given name, in order to map the ASNs for a given organization. The list will be enriched by each result's AS rank and useful tags highlighting the highest-ranking ASNs found.
It is possible to quickly identify the transit/upstream AS network(s) for a given prefix, through analysis of observed BGP updates and ASPATHs.
- the tool will also inform the user when a prefix is likely coming from a large tier-1 or multihomed network.
Lookup data can be integrated by third party tools by choosing JSON output and parsing the results externally, turning the script into a lookup API endpoint.

Screenshots for every lookup option are below.

The script uses the following services for data retrieval:

Team Cymru
The Prefix WhoIs Project
PeeringDB
CAIDA ASRank
ifconfig.co
ipify
ipinfo.io
RIPEStat
RIPE IPmap
ip-api
StopForumSpam
IP Quality Score
Cloudflare Radar
ISC DSHIELD
GreyNoise
Shodan
NIST National Vulnerability Database
Incolumitas.com
RestCountries
Marcel Bischoff's country-ip-blocks repo

It also provides hyperlinks (in server mode) to the following external services when appropriate:

Requires Bash v4.2+. Tested on:

Linux
FreeBSD
Windows (WSL2, Cygwin)
MacOS (thanks Antonio Prado and Alessandro Barisone)

Screenshots

Generic usage

IPv4 lookup with IP type detection (Anycast, Hosting/DC) and classification as good
IPv4 lookup (bad reputation IP) with threat analysis/scoring, CPE/CVE identification and open ports reporting
IP fingerprinting with advanced datacenter+region identification, known vulnerabilities affecting the target and honeypot identification according to Shodan data
IPv6 lookup
Autonomous system number lookup with AS ranking, operational region, BGP stats and incident history, peering and prefix informations
Hostname/URL lookup

AS Path tracing

ASPath trace to www.github.com
ASPath trace traversing both an unannounced PNI prefix (FASTWEB->SWISSCOM at hop 11) and an IXP (SWISSCOM -> RCN through Equinix Ashburn at hop 16)
Detailed ASPath trace to 8.8.8.8 traversing the Milan Internet Exchange (MIX) IXP peering LAN at hop 6

Network search by organization

Organization search for "github"

Shodan scanning

Scanning for Shodan informations for a list of IPs

Country IPv4/IPv6 CIDR mapping

Displaying a list of CIDR blocks allocated to Jamaica

Bulk Geolocation / country stats

Performing bulk extraction, geolocation and stats for IPs from a logfile

Suggested ASNs search

Suggested ASNs (and respective AS rankings) for "google"

Transit/Upstream lookup

A large tier-1 network (COMCAST, AS7922) prefix is reachable through multiple other tier-1 networks like COGENT (AS174), LEVEL3 (AS3356) etc. - likely through settlement-free peering rather than BGP transit: