This type of information is especially useful when you’re auditing a company’s network, or when you’re involved in some sort of cybersecurity investigation. Even if you aren’t researching a cybersecurity incident, sometimes you’ll need this information to configure whitelisting rules in your own firewall.
A few weeks ago we wrote about using IP scanner tools to find active hosts within corporate and remote networks. We also published an article about the best port scanners available, which included network discovery information.
While the utilities we mentioned are indeed useful for IP mapping and network discovery, they can fall short when you need to find the complete IP ranges a company owns. That’s the topic we’re exploring today.
How to identify a company’s public network address range
One of the most traditional ways to get the IP address of a company is to use the ping command, which allows you to get the main IP address of the webserver behind the webpage. But that doesn’t give you the full company’s public network address range. It’s only a single isolated IP.
When you need the full IP address ranges owned by a company, there are other terminal-based commands and web-based solutions that can help you. Let’s explore them.
Using WHOIS information
We’ve mentioned the powerful WHOIS command in a lot of our articles. It’s one of the oldest terminal-based commands available, and can help retrieve information from domain names and IP addresses. It’s also of great use when it comes to finding the public network IP ranges of any company.
When the company doesn’t own any network subnets, it may be using collocated hardware, dedicated servers or virtual instances on popular cloud providers. In this case, WHOIS commands might not be as effective as one might hope, and other types of network explorations are needed.
These types of companies are often digital agencies, development teams, or software developers that rely on 3rd party networks.
For these kinds of small companies, one way to detect their public network IP addresses is by using Nmap commands with popular NSE scripts like DNS-brute, or use any other subdomain scanner tool.
However, a faster and simple solution is to use the SecurityTrails IP Explorer feature, which allows you to visualize all DNS dependent records:
- Go to https://securitytrails.com
- Type the domain name of the company you need to investigate
- Explore the results, as shown below:
Here, we found the main IP addresses used by greynoise.com, which belong to network infrastructure provided by Squarespace, Inc. If you click on subdomains, you’ll find other subdomains used, along with each of their IP addresses:
In another scenario, if a company owns complete subnets (often seen in big companies), this IP range information may be stored in WHOIS records, letting you use a simple WHOIS client to retrieve the needed information.
For this purpose, we can use the following syntax:
whois -h whois.apnic.net Microsoft
This will show you all the registered IP ranges on the Asia Pacific RIR that belong to Microsoft. Here’s an output example:
[Querying whois.apnic.net] [whois.apnic.net] % [whois.apnic.net] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html % Information related to '22.214.171.124 - 126.96.36.199' % Abuse contact for '188.8.131.52 - 184.108.40.206' is 'firstname.lastname@example.org' inetnum: 220.127.116.11 - 18.104.22.168 netname: Microsoft country: cn descr: Microsoft (China) Co., Ltd. admin-c: YR194-AP tech-c: YR194-AP status: ASSIGNED NON-PORTABLE mnt-by: MAINT-CNCGROUP-SH last-modified: 2008-12-13T14:48:23Z source: APNIC person: yanling ruan nic-hdl: YR194-AP e-mail: email@example.com address: No.900,Pudong Avenue,ShangHai,China phone: +086-021-61201616 fax-no: +086-021-61201616 country: cn mnt-by: MAINT-CNCGROUP-SH last-modified: 2008-12-15T08:05:03Z source: APNIC
You’ll see a lot of results, including company information, organizational details, country, etc.
Only in Asia, we found around 23 IP ranges owned by Microsoft. Imagine how much you can find in the rest of the world!
This is one of the most classic of methods. However, it’s a manual one and not particularly friendly for non-technical users..
Using a RIR API
If you don’t like using manual commands, and you do have some programming skills, you could interact directly with any of the RIR’s API and run your queries from there.
The five RIRs allow access to their API so you can launch simple queries against any of the global WHOIS databases, letting you access data from specific IP ranges, or by searching strings such as company names.
For example, if you’re using RIPE¹ as one of the major RIRs and you want to explore an IP range, you can launch a simple HTTP request like this:
If you need to explore a company’s data, you can do so by using its name, in the following way:
In both cases, the response will be returned in XML format by default.
You can do the same thing by checking the official API docs for each of the five RIRs. Remember these are free APIs, and there are limits in place for avoiding abuse. Keep that in mind.
What if you could avoid querying RIRs altogether, or query another WHOIS server to get the full IP blocks of any company in the world in just one second?
Brace yourself—such a tool really exists. It’s called SurfaceBrowser™.
SurfaceBrowser™ is our enterprise-grade product built as an attack surface analysis tool. And when it comes to network mapping, it can help you quickly retrieve the total IP blocks for any company in the world.
You can manually type the name of any company in the world, or choose to explore the full intelligence data we have ourselves (including total IP blocks) — from any of the Fortune 500 companies and Top 500 websites according to Alexa:
Here, we launched our test using Amazon as an example. Then, we clicked the IP Blocks option in the left menu, which can yield valuable results in less than a second.
Once you arrive at the results page, you’ll be able to obtain the total IP blocks, summarized by the Regional Registrar. You’ll be given the choice to show records between popular RIRs such as ARIN, RIPE, APNIC², AFRINIC and more. You’ll also be able to visualize IP blocks by subnet size including ranges such as /29, /30, /28, /18, /16, and others.
The results will be displayed showing the IP Block number, IP Count, Unique User Agents, assigned RIR, as well as hostnames and number of hosted domains for each IP range.
From this interface, you’ll be able to jump into specific IP ranges, to fetch real-time information regarding that block, which includes IP Count, Bitmask, Base IP, Broadcast IP, Network Mask, Host Mask, Service Provider, ASN lookup, and Organization.
If you’re also interested in discovering the IP neighbors for this IP range, it’s automatically displayed right below the IP Block information, showing complete stats of Unique User Agents and Hosted sites (a perfect DNS enumeration) for each neighbor range:
Today we learned new ways to get the full IP blocks of any company in the world. Some of them involve manual queries against the top RIRs, while others are fully automated, secure and give you access to all the public network blocks within a second.
Jump to the next level of cybersecurity intelligence data: book a demo with our sales team to test SurfaceBrowser™, our enterprise-grade product that will reveal not only the total IP blocks of any company, but also critical information about DNS records, domain names, open ports and SSL certificates.
¹ https://www.ripe.net/ ² https://whois.apnic.net