OSINT

Open Source Intelligence on DNS records – ASN

[Image: ASN of Google]

During a Red Teaming engagement you have to map the external perimeter of the organization. There are several ways to accomplish this, and each of them offers something different in terms of information. OSINT (Open Source Intelligence) on DNS records can be used to identify digital assets and gather useful information before the attack is initiated.

In this blog post we will explore the ways to gather the Autonomous System Numbers (ASN) and the ASN peers of a target. This is the first step not only in discovering the digital assets of our target exposed to the internet, but also in identifying any related domains and IP addresses associated with the targeted organization.

An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain, that presents a common and clearly defined routing policy to the Internet. Each AS is assigned an autonomous system number (ASN), for use in Border Gateway Protocol (BGP) routing. Autonomous System Numbers are assigned to Local Internet Registries (LIRs) and end user organizations by their respective Regional Internet Registries (RIRs), which in turn receive blocks of ASNs for reassignment from the Internet Assigned Numbers Authority (IANA). The IANA also maintains a registry of ASNs which are reserved for private use (and should therefore not be announced to the global Internet).

https://en.wikipedia.org/wiki/Autonomous_system_(Internet)

Retrieve the ASN of a domain

We need to translate our domain name to an IP address and then, using the whois.cymru.com server, retrieve the ASNs of the domain.

Domain to IP address translation
host google.gr
ASN retrieval
whois -h whois.cymru.com " -v 142.250.185.67"
Retrieve basic AS information
whois -h whois.cymru.com " -v AS23028"
Retrieve ASN Peers
whois -h peer.whois.cymru.com " -v 142.250.185.67"

https://team-cymru.com/community-services/

Border Gateway Protocol (BGP)

Border Gateway Protocol (BGP) is the routing protocol for the Internet. It is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet. BGP is classified as a path-vector routing protocol, and it makes routing decisions based on paths, network policies, or rule-sets configured by a network administrator. When someone submits data across the Internet, BGP is responsible for looking at all of the available paths that data could travel and picking the best route, which usually means hopping between autonomous systems. BGP is the protocol that makes the Internet work. It does this by enabling data routing on the Internet. When a user in Singapore loads a website with origin servers in Argentina, BGP is the protocol that enables that communication to happen quickly and efficiently.

https://www.cloudflare.com/learning/security/glossary/what-is-bgp/

https://en.wikipedia.org/wiki/Border_Gateway_Protocol

Domain to IP address translation
host google.gr
Map IP address to BGP Origin ASN (the octets are written in reverse order: 142.250.185.99 becomes 99.185.250.142)
dig +short 99.185.250.142.origin.asn.cymru.com TXT
Map IP address to possible BGP peer ASNs that are one AS hop away from the BGP Origin ASN’s prefix
dig +short 99.185.250.142.peer.asn.cymru.com TXT
Determine the AS description of a given BGP ASN
dig +short AS209.asn.cymru.com TXT

https://team-cymru.com/community-services/
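The DNS-based lookups above follow a fixed pattern: reverse the address, append the Team Cymru zone, and parse a pipe-separated TXT answer. The following Python is an added example (not code from the original post or from Team Cymru) that builds those query names, parses the three answer formats, and wraps the same dig command the post uses; it goes slightly beyond the post by also handling IPv6 addresses through the origin6 zone. The function names and the sample TXT strings are my own constructions.

```python
import ipaddress
import subprocess

CYMRU_ZONE = "asn.cymru.com"

def query_name(target, kind):
    """Build the DNS name for a Team Cymru 'origin', 'peer' or 'asn' TXT lookup.
    IPs are reversed per octet (IPv4) or per nibble (IPv6, which uses origin6)."""
    if kind == "asn":
        return f"AS{str(target).upper().lstrip('AS')}.{CYMRU_ZONE}"  # 'AS209' or 209
    addr = ipaddress.ip_address(target)
    suffix = ".in-addr.arpa" if addr.version == 4 else ".ip6.arpa"
    reversed_addr = addr.reverse_pointer[: -len(suffix)]  # reuse stdlib reversal
    if kind == "origin":
        zone = "origin" if addr.version == 4 else "origin6"
    elif kind == "peer":
        zone = "peer"
    else:
        raise ValueError(f"unknown lookup kind: {kind}")
    return f"{reversed_addr}.{zone}.{CYMRU_ZONE}"

def parse_txt(kind, txt):
    """Split one TXT answer into named fields. 'origin' and 'peer' answers are
    'ASN(s) | prefix | CC | registry | allocated'; 'asn' answers are
    'ASN | CC | registry | allocated | description'. Several ASNs are space-separated."""
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if kind == "asn":
        asn, cc, registry, allocated, description = fields
        return {"asn": int(asn), "country": cc, "registry": registry,
                "allocated": allocated, "description": description}
    asns, prefix, cc, registry, allocated = fields
    return {"asns": [int(a) for a in asns.split()], "prefix": prefix,
            "country": cc, "registry": registry, "allocated": allocated}

def lookup(target, kind):
    """Run the same 'dig +short <name> TXT' as the post and parse every answer line.
    Returns [] when the address is not announced in BGP (dig prints nothing)."""
    out = subprocess.run(["dig", "+short", query_name(target, kind), "TXT"],
                         capture_output=True, text=True, check=False).stdout
    return [parse_txt(kind, line) for line in out.splitlines() if line.strip()]

# Constructed sample answers in the service's TXT format (not real query output).
SAMPLE_ORIGIN = '"15169 | 142.250.0.0/15 | US | arin | 2012-05-24"'
SAMPLE_PEER = '"6453 3356 | 142.250.0.0/15 | US | arin | 2012-05-24"'
SAMPLE_ASN = '"15169 | US | arin | 2000-03-30 | GOOGLE, US"'

if __name__ == "__main__":
    print(query_name("142.250.185.99", "origin"))  # 99.185.250.142.origin.asn.cymru.com
    print(parse_txt("peer", SAMPLE_PEER)["asns"])   # [6453, 3356]
    print(parse_txt("asn", SAMPLE_ASN)["description"])  # GOOGLE, US
```

Only lookup() touches the network; the query-name and parsing functions are what you would feed real dig output into during an engagement.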