In my previous post, I described how I use our ASN API service to get the IP ranges of an ASN and then subsequently summarize those ranges to get an overview of the ASN. It is a super easy and powerful operation that is useful for us in discovering interesting servers for our ProbeNet, and it can be used for threat intelligence, OSINT, and network administration tasks.
However, one thing to point out is that the ASN API comes with a lot of features and is a paid service. Fortunately for us, we have the IP to ASN free database that is updated daily and comes with full accuracy. We only need the ranges of the ASN and not the full suite of data available on the ASN API (like ASN type, ASN country of origin, breakdown of WHOIS record prefixes by ASN, etc.).
Let’s try to replicate the solution for free.
For example, we would like to summarize the ASN AS59895.
Prerequisites
For this we need two things:
Here is the full script
curl -sL "https://ipinfo.io/data/free/asn.csv.gz?token=$token" -o asn.csv.gz;
gunzip *.gz;
grep ",AS59895," asn.csv | ipinfo range2cidr | ipinfo grepip --cidrs-only --ipv4 -o | ipinfo summarize
Script breakdown
Step 1: Downloading the IP to ASN database
curl -sL "https://ipinfo.io/data/free/asn.csv.gz?token=$token" -o asn.csv.gz
This command downloads the IP to ASN (free) database to the current path. Make sure to pass your IPinfo access token here by replacing $token. The downloaded file will be called asn.csv.gz. This is a gzipped CSV file that we will need to unzip.
Step 2: Unzipping the gzipped CSV file
gunzip *.gz
We use the gunzip CLI utility to unzip the .gz compressed file, but you can use any decompression software you like that supports .gz files. The unzipped file will be called asn.csv.
Step 3: Extracting IP data rows for the ASN using grep
grep ",AS59895," asn.csv
Then we grep for the ASN (AS59895). Make sure to include the leading and trailing commas (,AS59895,), as we are running a grep operation on a CSV file and want to match the whole ASN field. This is a trick we often use, and you can find it featured in other posts (1, 2). This will grep the rows for the ASN (AS59895).
Step 4: Converting the IP range to its CIDR format using range2cidr
ipinfo range2cidr
The IP data rows from the grep output contain values in the IP range format (start_ip,end_ip), which is a bit tricky to handle. To make our lives easier, we are going to use the IPinfo CLI’s range2cidr command, which converts IP ranges to their CIDR format (41.77.142.0,41.77.143.255 → 41.77.142.0/23). We are going to summarize these ranges.
Step 5: Extracting the IPv4 networks of the ASN using grepip
ipinfo grepip --cidrs-only --ipv4 --only-matching
So far, we have the IP data rows in their CIDR format for the target ASN (AS59895). However, the data is not clean enough to be passed to our summarize command. Instead of figuring out regex or the cut command, we are going to cheat by grepping these IP address CIDRs with our other IPinfo CLI command, grepip. grepip is one of the most powerful commands in the IPinfo CLI and comes with a ton of features. Here we are using the following features:
- --cidrs-only: Extracts the CIDRs only from plaintext.
- --ipv4 (-4): Extract the IPv4 IP addresses.
- --only-matching (-o): Outputs only the matching text.
Then, the grepip command gives us the IPv4 CIDRs of the ASN.
Step 6: Summarize the networks of the ASN using summarize
ipinfo summarize
Summary
- Total 5120
- Unique 5120
- Anycast 0
- Bogon 0
- Mobile 0
- VPN 517
- Proxy 0
- Hosting 5120
- Tor 0
- Relay 0
Top ASNs
- AS59895 Binary Racks Limited 5120 (100.0%)
Top Usage Types
- Hosting 5120 (100.0%)
Top Routes
- 41.216.187.0/24 (AS59895) 256 (5.0%)
- 41.216.179.0/24 (AS59895) 256 (5.0%)
- 41.215.243.0/24 (AS59895) 256 (5.0%)
- 41.77.143.0/24 (AS59895) 256 (5.0%)
- 41.77.142.0/24 (AS59895) 256 (5.0%)
Top Countries
- United Kingdom 5120 (100.0%)
Top Cities
- London, England, GB 4600 (89.8%)
- Slough, England, GB 512 (10.0%)
- Bournemouth, England, GB 8 (0.2%)
Top Regions
- England, GB 5120 (100.0%)
Top Privacy Services
- AstrillVPN 256 (5.0%)
- VanishedVPN 255 (5.0%)
- Invisible Browsing VPN 1 (0.0%)
Top Domains
- yamanhosting.com 256 (5.0%)
- binaryracks.net 210 (4.1%)
- mubasherhost.com 71 (1.4%)
- binaryracks.com 60 (1.2%)
Now we will summarize the IPv4 CIDRs of the ASN. The summarize command supports up to 500,000 IPs in a single request, so please be aware of CIDR size and IPv6 IPs.
It is that simple. You can create a basic shell script that accepts an ASN and the path to the IP to ASN database and always generates summary reports like this. If you want, I can also write the code for that.
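One way to write such a wrapper, as an added example rather than code from this post or from IPinfo: it validates the ASN argument, matches the ASN field exactly instead of by substring, and checks the IPv4 address count against the 500,000 limit before calling summarize. It assumes the CSV rows begin with start_ip,end_ip,asn; the function names and the script name asn-summary.sh are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: asn.csv rows begin with start_ip,end_ip,asn (ASN is field 3).

SUMMARIZE_LIMIT=500000  # per-request IP limit of `ipinfo summarize`, per the post

# Accept only "AS" followed by digits, so the argument cannot smuggle
# regex or CSV metacharacters into the match.
valid_asn() {
    num=${1#AS}
    [ "$num" != "$1" ] || return 1
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
}

# Print IPv4 rows whose ASN field equals $1 exactly (IPv6 rows contain ':').
asn_ipv4_rows() {
    awk -F, -v asn="$1" '$3 == asn && $1 !~ /:/' "$2"
}

# Number of addresses those rows cover: end - start + 1 per range.
asn_ipv4_count() {
    asn_ipv4_rows "$1" "$2" | awk -F, '
        function ip2int(ip,   o) {
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        { total += ip2int($2) - ip2int($1) + 1 }
        END { printf "%.0f\n", total }'
}

# Validate, check size against the limit, then run the post's pipeline.
asn_summary() {
    valid_asn "$1" || { echo "invalid ASN: $1" >&2; return 2; }
    [ -r "$2" ] || { echo "cannot read database: $2" >&2; return 2; }
    count=$(asn_ipv4_count "$1" "$2")
    [ "$count" -gt 0 ] || { echo "no IPv4 rows for $1" >&2; return 1; }
    [ "$count" -le "$SUMMARIZE_LIMIT" ] || {
        echo "$1 covers $count IPv4 addresses, over the limit" >&2; return 3; }
    asn_ipv4_rows "$1" "$2" | ipinfo range2cidr |
        ipinfo grepip --cidrs-only --ipv4 -o | ipinfo summarize
}

# Usage: sh asn-summary.sh AS59895 asn.csv
if [ "$#" -eq 2 ]; then asn_summary "$1" "$2"; fi
```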
Feel free to ask any questions you have. Thanks for reading.