Introduction
So far, you have been working with domains and subdomains.
Now we go one layer deeper.
Behind every domain is an IP.
Behind many IPs is an ASN.
If subdomains show you the front doors,
IP and ASN mapping show you the entire building.
This is where recon starts expanding horizontally.
What is ASN (simple explanation)
ASN stands for Autonomous System Number.
It identifies:
- A group of IP ranges (prefixes)
- Operated by a single company or provider
- Routed on the internet under one routing policy
Example:
- Amazon has ASNs
- Cloudflare has ASNs
- Big companies sometimes have their own ASNs
ASN tells you who owns the network behind the app.
Why ASN and IP recon matters
- Subdomains do not show everything
- Many assets exist only on IP level
- Internal tools may not have public DNS
- IP ranges reveal hidden infrastructure
- Helps in discovering:
- Admin panels
- Dev services
- Forgotten apps
This is how you go from one app to full infrastructure visibility.
What you are trying to find
- ASN of the target
- IP ranges linked to that ASN
- Live hosts on those IPs
- Services running on those hosts
- Domains pointing to those IPs
This builds your network-level attack surface.
Tools you will use
- whois – ASN lookup
- amass intel – ASN + IP mapping
- bgp.he.net – ASN and range analysis
- dnsx / httpx – validation
- masscan / nmap – port discovery (careful use)
- Shodan / Censys – passive IP intelligence
- netcat / curl – quick checks
Keep it controlled. Do not scan blindly.
Step-by-step ASN and IP recon workflow
1. Find ASN of the target
Start with a known domain.
whois example.com
Look for:
- NetRange
- OrgName
- Hosting provider
Better approach:
amass intel -d example.com
This may return:
- ASN
- Associated IP ranges
- Related domains
2. Use IP to find ASN
If you already have an IP:
whois 1.2.3.4
Look for:
- ASN
- CIDR block
- Organisation
3. Explore ASN using bgp.he.net
Search ASN on browser:
https://bgp.he.net/ASXXXX
Check:
- Announced prefixes
- IP ranges
- Peers
This shows the full network footprint.
4. Extract IP ranges
From ASN or whois, collect CIDR ranges like:
1.2.3.0/24
5.6.7.0/24
Save them:
echo "1.2.3.0/24" > ip_ranges.txt
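Collecting the ranges by hand works for one lookup, but whois output from several records (ARIN-style NetRange/CIDR/OrgName/OriginAS and RIPE-style inetnum/org-name/origin) is easier to handle with a small parser. The script below is an added example, not part of the original post: it parses a constructed, concatenated whois output (the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation prefixes and AS64496 are placeholders, not a real allocation), turns dash-separated NetRange lines into CIDRs, merges overlapping or adjacent blocks, and writes the result to ip_ranges.txt. One caveat it builds on: the NetRange, OrgName and OriginAS fields come from an IP-address whois (registry data); a whois on a domain name returns registrar records instead, so resolve the domain to an IP first.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample: three whois records concatenated (two ARIN-style,
# one RIPE-style). These are documentation prefixes, not real registry data.
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET-1
OrgName:        Example Corp
OriginAS:       AS64496

NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/25, 198.51.100.128/25
OrgName:        Example Corp
OriginAS:       AS64496

inetnum:        192.0.2.0 - 192.0.2.47
netname:        EXAMPLE-NET-EU
org-name:       Example Corp
origin:         AS64496
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z-]+):\s*(?P<value>.+?)\s*$")
RANGE_RE = re.compile(r"^(\S+)\s*-\s*(\S+)$")


def parse_whois(text: str) -> Dict[str, object]:
    """Extract ASNs, organisation names and IP networks from whois text."""
    asns: Set[str] = set()
    orgs: Set[str] = set()
    networks: List[ipaddress._BaseNetwork] = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").lower(), m.group("value")
        if key in ("originas", "origin"):
            asns.update(v.strip() for v in value.split(","))
        elif key in ("orgname", "org-name"):
            orgs.add(value)
        elif key == "cidr":
            # ARIN may list several CIDRs on one line, comma separated.
            networks.extend(ipaddress.ip_network(v.strip()) for v in value.split(","))
        elif key in ("netrange", "inetnum"):
            # A "first - last" range is not always one CIDR; summarize it.
            r = RANGE_RE.match(value)
            if r:
                first = ipaddress.ip_address(r.group(1))
                last = ipaddress.ip_address(r.group(2))
                networks.extend(ipaddress.summarize_address_range(first, last))
    return {"asns": asns, "orgs": orgs, "networks": networks}


def collapse_ranges(networks) -> List[str]:
    """Merge duplicate, overlapping and adjacent blocks, per IP version."""
    out: List[str] = []
    for version in (4, 6):
        same = [n for n in networks if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out


def write_ranges(path: str, ranges: List[str]) -> None:
    """Write one CIDR per line, the format the later steps expect."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(ranges) + "\n")


if __name__ == "__main__":
    parsed = parse_whois(SAMPLE_WHOIS)
    ranges = collapse_ranges(parsed["networks"])
    print("ASNs:", sorted(parsed["asns"]), "Orgs:", sorted(parsed["orgs"]))
    print("Ranges:", ranges)
    write_ranges("ip_ranges.txt", ranges)
```

Note how the two adjacent /25 blocks collapse into one /24 and the 48-address inetnum becomes a /27 plus a /28; feeding the collapsed list to the next steps avoids scanning the same addresses twice.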
5. Find live hosts in IP range
Use safe and slow scanning.
nmap -sn 1.2.3.0/24
This gives:
- Live IPs
- Reachable hosts
Do not scan aggressively without permission.
6. Port discovery (controlled)
nmap -p 80,443,8080,8443 1.2.3.0/24
Focus only on web ports first.
This helps find:
- Hidden web apps
- Admin panels
- APIs
7. Reverse IP lookup
Find domains pointing to the same IP.
Use tools:
- Shodan
- Censys
- SecurityTrails
Or basic check:
host 1.2.3.4
Then validate via HTTP.
8. HTTP probing of discovered IPs
httpx -l live_ips.txt -title -status-code -silent -o ip_http.txt
This reveals:
- Web services
- Page titles
- Interesting endpoints
How to identify cloud vs owned infrastructure
This is important.
If the IP belongs to:
- AWS
- Azure
- GCP
Then:
- It may be shared
- Not all IPs belong to target
If the ASN belongs to the company itself:
- Higher confidence
- More direct attack surface
Always tag:
- Cloud
- Third-party
- Owned
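The tagging is mechanical once you have range lists, so it is worth scripting. The example below is added here and is not from the original post: it holds a constructed range table (documentation prefixes, not real allocations) in which "owned" ranges would come from the target's own ASN or whois records and "cloud" ranges from the providers' published IP-range feeds, then tags each discovered IP by longest-prefix match. The longest-match rule matters because a company can bring its own block into a cloud provider's larger range; the more specific entry should win.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed range table. In practice: "owned" from the target's whois/ASN,
# "cloud" from provider IP-range feeds, "third-party" from SaaS/CDN vendors.
RANGES: Dict[str, List[str]] = {
    "owned": ["203.0.113.0/24", "198.51.100.64/26", "2001:db8:1::/48"],
    "cloud": ["198.51.100.0/24"],
    "third-party": ["192.0.2.0/24"],
}


def build_index(ranges: Dict[str, List[str]]) -> List[Tuple[ipaddress._BaseNetwork, str]]:
    """Flatten the table into (network, tag) pairs, most specific prefix first."""
    index = [(ipaddress.ip_network(cidr), tag) for tag, cidrs in ranges.items() for cidr in cidrs]
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


def tag_ip(ip: str, index: List[Tuple[ipaddress._BaseNetwork, str]]) -> str:
    """Return the tag of the most specific range containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for network, tag in index:
        # Membership test is False across IP versions, so v4/v6 mixing is safe.
        if addr in network:
            return tag
    return "unknown"


def tag_hosts(ips: List[str], index) -> Dict[str, str]:
    """Tag a list of discovered IPs; unknown ones need manual verification."""
    return {ip: tag_ip(ip, index) for ip in ips}


if __name__ == "__main__":
    # Constructed sample of "live" IPs, as nmap -sn or httpx might have listed them.
    discovered = ["203.0.113.10", "198.51.100.5", "198.51.100.70", "192.0.2.9", "9.9.9.9"]
    for ip, tag in tag_hosts(discovered, build_index(RANGES)).items():
        print(f"{ip:16} {tag}")
```

Keep the tags next to the IPs in your notes: "owned" hosts deserve the closest look, "cloud" and "third-party" hosts need an ownership check before you treat them as in scope, and "unknown" means the range table is incomplete.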
Passive IP intelligence (no scanning)
Use:
- Shodan
- Censys
Search by:
- Domain
- IP
- SSL certificate
Example:
Search:
ssl:"example.com"
This reveals:
- Services
- Ports
- Banners
No active traffic needed.
Linking IPs back to web apps
This is where the value comes from.
For each IP:
- Check HTTP response
- Compare titles
- Look for familiar branding
- Match certificates
Example:
curl -k https://1.2.3.4
If response contains:
- Same HTML
- Same headers
- Same cert
Then it belongs to the target.
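Comparing responses by eye does not scale past a handful of IPs, and a single weak signal (a common Server header) should not count as much as a certificate match. The script below is an added example, not code from the original post: it fingerprints constructed HTTP responses (title, Server header, certificate SHA-256, whitespace-normalised body hash) and scores a candidate IP against the known site. The response dicts, IPs and certificate fingerprints are all made up for the example; in real use you would fill them from the curl or httpx output described above. One caveat to keep from the previous section: a CDN edge IP presents the target's certificate yet belongs to the CDN, so combine a "match" with the cloud/third-party tag before concluding ownership.

```python
import hashlib
import re
from typing import Dict, List

TITLE_RE = re.compile(r"<title>\s*(.*?)\s*</title>", re.IGNORECASE | re.DOTALL)

# Signal weights: a certificate match is strong, a Server header alone is weak.
WEIGHTS = {"cert": 3, "title": 2, "body": 2, "server": 1}

# Constructed reference response, as if fetched from https://example.com.
KNOWN = {
    "headers": {"Server": "nginx", "Content-Type": "text/html"},
    "body": "<html><head><title>Example Corp</title></head><body>Welcome</body></html>",
    "cert_sha256": "0123456789abcdef" * 4,  # constructed placeholder fingerprint
}

# Constructed candidate responses from IPs found during range discovery.
CANDIDATES = {
    # Same cert and content, only whitespace differs: the same app on a bare IP.
    "203.0.113.10": {
        "headers": {"server": "nginx"},
        "body": "<html>\n  <head><title>Example Corp</title></head>\n  <body>Welcome</body>\n</html>",
        "cert_sha256": "0123456789ABCDEF" * 4,
    },
    # Default web server page, plain HTTP: unrelated host in a shared range.
    "198.51.100.20": {
        "headers": {"Server": "nginx"},
        "body": "<html><head><title>Welcome to nginx!</title></head><body></body></html>",
    },
    # Same branding but another stack and cert: worth a manual look.
    "192.0.2.5": {
        "headers": {"Server": "Apache"},
        "body": "<html><head><title>Example Corp</title></head><body><form>Login</form></body></html>",
        "cert_sha256": "fedcba9876543210" * 4,
    },
}


def extract_title(body: str) -> str:
    m = TITLE_RE.search(body)
    return m.group(1).strip() if m else ""


def fingerprint(resp: Dict) -> Dict[str, str]:
    """Reduce a response to comparable signals; header names are case-insensitive."""
    headers = {k.lower(): v for k, v in resp.get("headers", {}).items()}
    body = resp.get("body", "")
    normalised = re.sub(r"\s+", "", body)
    return {
        "title": extract_title(body),
        "server": headers.get("server", ""),
        "cert": resp.get("cert_sha256", "").lower(),
        "body": hashlib.sha256(normalised.encode("utf-8")).hexdigest(),
    }


def matching_signals(reference: Dict, candidate: Dict) -> List[str]:
    """Signals that are present on the reference and identical on the candidate."""
    ref, cand = fingerprint(reference), fingerprint(candidate)
    return [k for k in ("cert", "title", "server", "body") if ref[k] and ref[k] == cand[k]]


def classify(reference: Dict, candidate: Dict) -> str:
    """'match' for strong evidence, 'possible' for a branding hint, else 'no-match'."""
    score = sum(WEIGHTS[s] for s in matching_signals(reference, candidate))
    if score >= 3:
        return "match"
    if score >= 2:
        return "possible"
    return "no-match"


if __name__ == "__main__":
    for ip, resp in CANDIDATES.items():
        print(f"{ip:16} {classify(KNOWN, resp):9} {matching_signals(KNOWN, resp)}")
```

The weights are deliberate: a certificate match on its own is enough, a shared title needs a second signal, and a shared Server header is never enough, which keeps every default nginx host in the range from being attributed to the target.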
Real-world use-cases
- Finding admin panel running directly on IP
- Discovering dev tools not mapped to DNS
- Identifying staging apps via IP scanning
- Finding origin servers exposed behind a CDN (CDN bypass)
- Mapping internal architecture
These are common in real bug bounties.
Mini lab exercise (30–40 minutes)
- Pick a domain you own.
- Find ASN:
amass intel -d yourdomain.com
- Extract one IP range.
- Run host discovery:
nmap -sn your_ip_range
- Probe web services:
httpx -l live_ips.txt -title -status-code -silent
- Open 2–3 IPs in browser and observe differences.
Write notes:
- Which ones look real
- Which ones are noise
Common mistakes and fixes
Mistake: Scanning entire internet ranges
Fix: Stay within scope and permission
Mistake: Treating cloud IPs as owned assets
Fix: Always verify ownership
Mistake: Ignoring IP-level services
Fix: Some apps only exist on IP
Mistake: Over-scanning aggressively
Fix: Keep it slow and controlled
Quick command summary
ASN lookup:
amass intel -d example.com
IP whois:
whois 1.2.3.4
Host discovery:
nmap -sn 1.2.3.0/24
Port scan:
nmap -p 80,443 1.2.3.0/24
HTTP probing:
httpx -l live_ips.txt -title -status-code -silent
What to do after this Part
- Add discovered IP-based hosts to your target list
- Feed them into URL collection
- Run JS analysis
- Check authentication and APIs
- Combine with DNS and subdomain data
Now your recon is not just domain-based.
It is infrastructure-aware.
Next post preview
Part 9 – Live Host Discovery and Safe Network-Level Recon
We will cover:
- Smart host discovery techniques
- Safe scanning strategies
- Avoiding detection and noise
- Prioritising real targets
This builds directly on ASN and IP work.
Closing thought
Domains show you what is visible.
IPs show you what is real.
When you connect both,
you stop guessing and start understanding.
Disclaimer
This content is for educational purposes only. Use it ethically and only against targets you own or have explicit permission to test. Do not use any techniques described here in ways that break laws, platform rules, or third-party rights. If in doubt, stop and get permission.

