Part 8 – ASN, IP Harvesting and Mapping Ranges to Assets

Introduction

So far, you have been working with domains and subdomains.
Now we go one layer deeper.

Behind every domain is an IP.
Behind many IPs is an ASN.

If subdomains show you the front doors,
IP and ASN mapping show you the entire building.

This is where recon starts expanding horizontally.

What is ASN (simple explanation)

ASN stands for Autonomous System Number.

It represents:

A group of IP ranges
Owned by a company or provider
Used to route traffic on the internet

Example:

Amazon has ASNs
Cloudflare has ASNs
Big companies sometimes have their own ASNs

ASN tells you who owns the network behind the app.

Why ASN and IP recon matters

Subdomains do not show everything
Many assets exist only on IP level
Internal tools may not have public DNS
IP ranges reveal hidden infrastructure
Helps in discovering:
- Admin panels
- Dev services
- Forgotten apps

This is how you go from one app to full infrastructure visibility.

What you are trying to find

ASN of the target
IP ranges linked to that ASN
Live hosts on those IPs
Services running on those hosts
Domains pointing to those IPs

This builds your network-level attack surface.

Tools you will use

whois – ASN lookup
amass intel – ASN + IP mapping
bgp.he.net – ASN and range analysis
dnsx / httpx – validation
masscan / nmap – port discovery (careful use)
Shodan / Censys – passive IP intelligence
netcat / curl – quick checks

Keep it controlled. Do not scan blindly.

Step-by-step ASN and IP recon workflow

1. Find ASN of the target

Start with a known domain.

whois example.com

Look for:

NetRange
OrgName
Hosting provider

Better approach:

amass intel -d example.com

This may return:

ASN
Associated IP ranges
Related domains

2. Use IP to find ASN

If you already have IP:

whois 1.2.3.4

Look for:

ASN number
CIDR block
Organisation

3. Explore ASN using bgp.he.net

Search ASN on browser:

https://bgp.he.net/ASXXXX

Check:

Announced prefixes
IP ranges
Peers

This shows full network footprint.

4. Extract IP ranges

From ASN or whois, collect CIDR ranges like:

1.2.3.0/24
5.6.7.0/24

Save them:

echo "1.2.3.0/24" > ip_ranges.txt

5. Find live hosts in IP range

Use safe and slow scanning.

nmap -sn 1.2.3.0/24

This gives:

Live IPs
Reachable hosts

Do not scan aggressively without permission.

6. Port discovery (controlled)

nmap -p 80,443,8080,8443 1.2.3.0/24

Focus only on web ports first.

This helps find:

Hidden web apps
Admin panels
APIs

7. Reverse IP lookup

Find domains pointing to same IP.

Use tools:

Shodan
Censys
SecurityTrails

Or basic check:

host 1.2.3.4

Then validate via HTTP.

8. HTTP probing of discovered IPs

httpx -l live_ips.txt -title -status-code -silent -o ip_http.txt

This reveals:

Web services
Page titles
Interesting endpoints

How to identify cloud vs owned infrastructure

This is important.

If IP belongs to:

AWS
Azure
GCP

Then:

It may be shared
Not all IPs belong to target

If ASN belongs to company:

Higher confidence
More direct attack surface

Always tag:

Cloud
Third-party
Owned

Passive IP intelligence (no scanning)

Use:

Shodan
Censys

Search by:

Domain
IP
SSL certificate

Example:
Search:

ssl:"example.com"

This reveals:

Services
Ports
Banners

No active traffic needed.

Linking IPs back to web apps

This is where value comes.

For each IP:

Check HTTP response
Compare titles
Look for familiar branding
Match certificates

Example:

curl -k https://1.2.3.4

If response contains:

Same HTML
Same headers
Same cert

Then it belongs to target.

Real-world use-cases

Finding admin panel running directly on IP
Discovering dev tools not mapped to DNS
Identifying staging apps via IP scanning
Finding services behind CDN bypass
Mapping internal architecture

These are common in real bug bounties.

Mini lab exercise (30–40 minutes)

Pick a domain you own.
Find ASN:

amass intel -d yourdomain.com

Extract one IP range.
Run host discovery:

nmap -sn your_ip_range

Probe web services:

httpx -l live_ips.txt -title -status-code -silent

Open 2–3 IPs in browser and observe differences.

Write notes:

Which ones look real
Which ones are noise

Common mistakes and fixes

Mistake: Scanning entire internet ranges
Fix: Stay within scope and permission

Mistake: Treating cloud IPs as owned assets
Fix: Always verify ownership

Mistake: Ignoring IP-level services
Fix: Some apps only exist on IP

Mistake: Over-scanning aggressively
Fix: Keep it slow and controlled

Quick command summary

ASN lookup:

amass intel -d example.com

IP whois:

whois 1.2.3.4

Host discovery:

nmap -sn 1.2.3.0/24

Port scan:

nmap -p 80,443 1.2.3.0/24

HTTP probing:

httpx -l live_ips.txt -title -status-code -silent

What to do after this Part

Add discovered IP-based hosts to your target list
Feed them into URL collection
Run JS analysis
Check authentication and APIs
Combine with DNS and subdomain data

Now your recon is not just domain-based.
It is infrastructure-aware.

Next post preview

Part 9 – Live Host Discovery and Safe Network-Level Recon

We will cover:

Smart host discovery techniques
Safe scanning strategies
Avoiding detection and noise
Prioritising real targets

This builds directly on ASN and IP work.

Closing thought

Domains show you what is visible.
IPs show you what is real.

When you connect both,
you stop guessing and start understanding.

Disclaimer

This content is for educational purposes only. Use it ethically and only against targets you own or have explicit permission to test. Do not use any techniques described here in ways that break laws, platform rules, or third-party rights. If in doubt, stop and get permission.

Share the Post:

CyberXsociety