
SecurityTrails Blog · Oct 08 · SecurityTrails team

How to Find IP Ranges a Company Owns


Whether you’re an infosec beginner, an intermediate user, or one of the Internet’s most famous hackers, sooner or later you’ll get curious about how to identify a company’s public network address range.

This type of information is especially useful when you’re auditing a company’s network, or when you’re involved in some sort of cybersecurity investigation. Even if you aren’t researching a cybersecurity incident, sometimes you’ll need this information to configure whitelisting rules in your own firewall.

A few weeks ago we wrote about using IP scanner tools to find active hosts within corporate and remote networks. We also published an article about the best port scanners available, which included network discovery information.

While the utilities we mentioned are indeed useful for IP mapping and network discovery, they can fall short when you need to find the complete IP ranges a company owns. That’s the topic we’re exploring today.

How to identify a company’s public network address range

One of the most traditional ways to get the IP address of a company is to use the ping command, which shows you the main IP address of the web server behind the web page. But that doesn’t give you the company’s full public network address range. It’s only a single isolated IP.

When you need the full IP address ranges owned by a company, there are other terminal-based commands and web-based solutions that can help you. Let’s explore them.

Using WHOIS information

We’ve mentioned the powerful WHOIS command in a lot of our articles. It’s one of the oldest terminal-based commands available, and can help retrieve information from domain names and IP addresses. It’s also of great use when it comes to finding the public network IP ranges of any company.

When the company doesn’t own any network subnets, it may be using collocated hardware, dedicated servers or virtual instances on popular cloud providers. In this case, WHOIS commands might not be as effective as one might hope, and other types of network explorations are needed.

These types of companies are often digital agencies, development teams, or software developers that rely on third-party networks.

For these kinds of small companies, one way to detect their public network IP addresses is to use Nmap with popular NSE scripts like dns-brute, or any other subdomain scanner tool.

However, a faster and simpler solution is to use the SecurityTrails IP Explorer feature, which allows you to visualize all DNS-dependent records:

  • Go to https://securitytrails.com
  • Type the domain name of the company you need to investigate
  • Explore the results, as shown below:

SurfaceBrowser search results

Here, we found the main IP addresses used by greynoise.com, which belong to network infrastructure provided by Squarespace, Inc. If you click on subdomains, you’ll find other subdomains used, along with each of their IP addresses:

SurfaceBrowser subdomains results

In another scenario, if a company owns complete subnets (often seen in big companies), this IP range information may be stored in WHOIS records, letting you use a simple WHOIS client to retrieve the needed information.

For this purpose, we can use the following syntax:

whois -h whois.apnic.net Microsoft

This will show you all the IP ranges registered with the Asia Pacific RIR (APNIC) that belong to Microsoft. Here’s an output example:

[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '58.246.69.164 - 58.246.69.167'
% Abuse contact for '58.246.69.164 - 58.246.69.167' is 'hqs-ipabuse@chinaunicom.cn'
inetnum: 58.246.69.164 - 58.246.69.167
netname: Microsoft
country: cn
descr: Microsoft (China) Co., Ltd.
admin-c: YR194-AP
tech-c: YR194-AP
status: ASSIGNED NON-PORTABLE
mnt-by: MAINT-CNCGROUP-SH
last-modified: 2008-12-13T14:48:23Z
source: APNIC
person: yanling ruan
nic-hdl: YR194-AP
e-mail: sh-ipmaster@chinaunicom.cn
address: No.900,Pudong Avenue,ShangHai,China
phone: +086-021-61201616
fax-no: +086-021-61201616
country: cn
mnt-by: MAINT-CNCGROUP-SH
last-modified: 2008-12-15T08:05:03Z
source: APNIC

You’ll see a lot of results, including company information, organizational details, country, etc.

In Asia alone, we found around 23 IP ranges owned by Microsoft. Imagine how much you can find in the rest of the world!

This is one of the most classic methods. However, it’s a manual one and not particularly friendly for non-technical users.
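
As an added example (not from the original article), this Python code parses WHOIS output in the layout shown above, converts each inetnum range to CIDR notation for firewall rules, and flags ranges whose status marks them as provider-assigned, as in the record above maintained by MAINT-CNCGROUP-SH. The second record, its 203.0.113.0/24 range and the function names parse_objects and inetnum_report are constructed for illustration.

```python
import ipaddress

# Constructed sample in the "key: value" layout of the output above; the second
# object (documentation range 203.0.113.0/24) is invented for contrast.
SAMPLE = """\
% Information related to '58.246.69.164 - 58.246.69.167'
inetnum:   58.246.69.164 - 58.246.69.167
netname:   Microsoft
status:    ASSIGNED NON-PORTABLE
mnt-by:    MAINT-CNCGROUP-SH

inetnum:   203.0.113.0 - 203.0.113.255
netname:   EXAMPLE-NET
status:    ALLOCATED PORTABLE
mnt-by:    MAINT-EXAMPLE
"""

def parse_objects(text):
    """Split WHOIS text into blank-line-separated objects, skipping % comments."""
    objects, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last object
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
            current = {}
        elif ":" in line:                      # ignore banner lines without a key
            key, _, value = line.partition(":")
            current.setdefault(key.strip(), []).append(value.strip())
    return objects

def inetnum_report(text):
    """Per inetnum object: CIDR blocks, maintainer, provider-assigned flag."""
    report = []
    for obj in parse_objects(text):
        if "inetnum" not in obj:
            continue
        first, last = (ipaddress.ip_address(p.strip())
                       for p in obj["inetnum"][0].split("-"))
        report.append({
            "cidrs": [str(n) for n in ipaddress.summarize_address_range(first, last)],
            "mnt-by": obj.get("mnt-by", ["?"])[0],
            # NON-PORTABLE: carved out of a provider's block, not held independently
            "provider_assigned": "NON-PORTABLE" in obj.get("status", [""])[0],
        })
    return report

if __name__ == "__main__":
    print(*inetnum_report(SAMPLE), sep="\n")
```

A name match in netname or descr is not proof of ownership, so review the maintainer and status of each record before a range goes into an allowlist.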

Using a RIR API

If you don’t like using manual commands, and you do have some programming skills, you could interact directly with any of the RIRs’ APIs and run your queries from there.

The five RIRs allow access to their APIs so you can launch simple queries against any of the global WHOIS databases, letting you access data from specific IP ranges, or by searching strings such as company names.

For example, if you’re querying RIPE¹, one of the major RIRs, and you want to explore an IP range, you can launch a simple HTTP request like this:

curl 'https://rest.db.ripe.net/ripe/inetnum/193.0.0.0%20-%20193.0.7.255?unfiltered'

If you need to explore a company’s data, you can do so by using its name, in the following way:

curl 'https://rest.db.ripe.net/search?source=ripe&query-string=Microsoft&flags=no-filtering&flags=no-referenced'

In both cases, the response will be returned in XML format by default.

You can do the same thing with the other RIRs by checking the official API docs for each of the five. Remember these are free APIs, and there are limits in place to prevent abuse. Keep that in mind.
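
As an added example (not from the original article), this Python code takes an XML search response, keeps only the inetnum objects, and collapses overlapping or adjacent ranges into the smallest CIDR list, which is the form firewall allowlist rules need. The response body is a constructed sample in the shape of the RIPE XML using documentation addresses, and the names SAMPLE_XML and collapsed_cidrs are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed response shaped like the RIPE REST XML (whois-resources > objects >
# object > attributes > attribute). Values are made up; real responses carry
# more attributes per object.
SAMPLE_XML = """\
<whois-resources>
  <objects>
    <object type="inetnum">
      <attributes>
        <attribute name="inetnum" value="198.51.100.0 - 198.51.100.127"/>
        <attribute name="netname" value="EXAMPLE-A"/>
      </attributes>
    </object>
    <object type="inetnum">
      <attributes>
        <attribute name="inetnum" value="198.51.100.128 - 198.51.100.255"/>
        <attribute name="netname" value="EXAMPLE-B"/>
      </attributes>
    </object>
    <object type="inetnum">
      <attributes>
        <attribute name="inetnum" value="198.51.100.64 - 198.51.100.95"/>
        <attribute name="netname" value="EXAMPLE-A-SUB"/>
      </attributes>
    </object>
    <object type="person">
      <attributes><attribute name="person" value="Constructed Person"/></attributes>
    </object>
  </objects>
</whois-resources>
"""

def collapsed_cidrs(xml_text):
    """Return the minimal CIDR list covering every inetnum object in the response."""
    nets = []
    for obj in ET.fromstring(xml_text).iter("object"):
        if obj.get("type") != "inetnum":
            continue                      # skip person, role, route objects
        for attr in obj.iter("attribute"):
            if attr.get("name") == "inetnum":
                first, last = (ipaddress.ip_address(p.strip())
                               for p in attr.get("value").split("-"))
                nets.extend(ipaddress.summarize_address_range(first, last))
                break                     # one range per object is enough
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    print(collapsed_cidrs(SAMPLE_XML))
```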

Using SurfaceBrowser™

What if you could avoid querying RIRs altogether, or query another WHOIS server to get the full IP blocks of any company in the world in just one second?

Brace yourself—such a tool really exists. It’s called SurfaceBrowser™.

SurfaceBrowser™ is our enterprise-grade product built as an attack surface analysis tool. And when it comes to network mapping, it can help you quickly retrieve the total IP blocks for any company in the world.

You can manually type the name of any company in the world, or choose to explore the full intelligence data we have ourselves (including total IP blocks) — from any of the Fortune 500 companies and Top 500 websites according to Alexa:

SurfaceBrowser explore intelligence data

Here, we launched our test using Amazon as an example. Then, we clicked the IP Blocks option in the left menu, which can yield valuable results in less than a second.

Once you arrive at the results page, you’ll be able to obtain the total IP blocks, summarized by the Regional Registrar. You’ll be given the choice to show records between popular RIRs such as ARIN, RIPE, APNIC², AFRINIC and more. You’ll also be able to visualize IP blocks by subnet size including ranges such as /29, /30, /28, /18, /16, and others.

SurfaceBrowser IP blocks

The results will be displayed showing the IP Block number, IP Count, Unique User Agents, assigned RIR, as well as hostnames and number of hosted domains for each IP range.

SurfaceBrowser IP blocks results

From this interface, you’ll be able to jump into specific IP ranges, to fetch real-time information regarding that block, which includes IP Count, Bitmask, Base IP, Broadcast IP, Network Mask, Host Mask, Service Provider, ASN lookup, and Organization.

SurfaceBrowser specific IP range

If you’re also interested in discovering the IP neighbors for this IP range, they’re automatically displayed right below the IP Block information, showing complete stats of Unique User Agents and Hosted sites (a perfect DNS enumeration) for each neighbor range:

SurfaceBrowser IP range

Today we learned new ways to get the full IP blocks of any company in the world. Some of them involve manual queries against the top RIRs, while others are fully automated, secure and give you access to all the public network blocks within a second.

Jump to the next level of cybersecurity intelligence data: book a demo with our sales team to test SurfaceBrowser™, our enterprise-grade product that will reveal not only the total IP blocks of any company, but also critical information about DNS records, domain names, open ports and SSL certificates.


¹ https://www.ripe.net/
² https://whois.apnic.net