feat: get Autonomous System (AS) of IP Address

[LucianoHanna]

Is there an existing feature or issue for this?

• I have searched the existing issues

Expected feature

Show ASN of an IP Address

Alternative solutions

No response

Anything else?

No response

[github-actions]

👋 Hi @LucianoHanna,
Issues is only for reporting a bug/feature request. Please read documentation before raising an issue https://rengine.wiki
For very limited support, questions, and discussions, please join reNgine Discord channel: https://discord.gg/azv6fzhNCE
Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.

[LucianoHanna]

Maybe can get this info from httpx, I have never tested how accurate it is.

Or could use some API like BigDataCloud.

[yogeshojha]

@LucianoHanna httpx gives ASN but looks like API key is required. :/

[yogeshojha]

@LucianoHanna I have been thinking about this for a while, where do you think IP - to - asn would be helpful?

And is it that you want ASN info right next to IP?

One use case I can think is to get all domains/hosts associated with ASN during ASN import, this could be a good addition and wont take long time, maybe next immediate release we can have it.

But if its during scan we want to find IP - ASN, this would take a lot of time to develop as we would also want to filter by ASN etc

Would appreciate if you can help me with it.

[ncharron]

I will chime in here but it may have to be tracked into another conversation given the structure I have been trying to work on this for a bit.

A use case is when you target an org (or in charge of attack surface management for the org) you typically get your list of subdomains and then you try and do some OSINT on what ip addresses they own. So there are 2 target types in my opinion, a subdomain and an ip. The reason why they are different is that an org may have some ip addresses that do not necessarily have a domain associated to it.

However at the moment the only way to add an ip address to rengine is through adding it as a target. It becomes quite inefficient and impossible to keep track of if you have to manage say even just a /16. You aren't about to add 65k targets to rengine.

I can see that a way to do this would be to have another entity like a domain, same type of info (especially the whois) to track the owner info and what type of addresses can be targeted for a cidr block. That way you can add a /24 or /16 (or whatever else fits in that regard) as a target and you can run the same set of tools against those hosts.

So the individual ip addresses should show up as entities like a subdomain. That way we can track the open ports and services the same way. Scan Engines might have to be customized for IPs but that can be left as an exercise to the operator to know what they can and cannot run against an ip address.

Essentially I am saying that IP addresses would be a great thing to track but not as a target in rengine but rather as a subdomain while having cidr blocks as targets. You can then have overarching ASN covering different CIDR blocks. Which honestly can act as Organizations in the same way. So the structure is kind of already there but naming conventions would need to be changed :)