tips

SecurityTrails Blog · Jul 15 · by Esteban Borges

IP Discovery: How to Create a Full IP Map of Your Organization

Reading time: 6 minutes
Listen to this article

IP intelligence involves information gathering on the IP addresses used to provide access to web applications and web services within an organization.

It provides a modern perspective for securing one’s virtual organization, in the same way that an organization’s physical office and assets are secured. And with the increasing frequency and sophistication of internet attacks, the need to secure one’s organization becomes more important every day.

With the rise of IPv6 and the shortage of IPv4, newly deployed services are often seen running dual-stack with both IPv4 and IPv6. However, IPv4 is usually accounted for and firewalled while IPv6 isn’t. This leads to your services being protected over IPv4 but accessible over the public internet for IPv6.

Thus, information gathering leads to asset discovery, which includes various software stacks including web servers, web applications, databases and even physical devices such as IoT devices and much more.

Why IP discovery is important for organizations

With organizations running multiple software stacks and internal teams running different versions of the very same software, it’s important to understand and track what runs where.

Consider the following: often, software is tested on legacy platforms to ensure compatibility for long term support (LTS) software versions. In this scenario it’s imperative to know whether the test platform itself is secure or not, as vulnerabilities can enter into the test platform itself—opening the software being tested to the threat of malicious code injections.

Maintenance is another important aspect to consider. Public internet-facing web applications are frequently set up and left running without maintenance, meaning components of the web application (such as the web server or database) can become out of date, left to run with vulnerabilities present. And these vulnerabilities can be further exploited by attackers to enter your organization’s network.

Simply put, IP reconnaissance is key—to know what service runs under your organization, for maintenance purposes and for security purposes.

IP discovery using Nmap

Nmap is a handy network-mapping tool which can be used from any Linux- or Windows-powered system to map one’s organization. When it comes to mapping larger organizations, however, Nmap does have certain speed- and time-related disadvantages.

Within each of your organization’s IP addresses, Nmap has to “ping” or “probe” each port available to determine whether it is OPEN, FILTERED or CLOSED to access. Multiply this process by 100 or even 1,000 IP addresses, and such a task becomes tedious and time-consuming. And with the rise of IPv6, wherein an organization can easily have 1,000 or 10,000s of IP addresses (with one or more IP addresses allocated to each of the organization’s devices or servers), the effort grows even more daunting.

Nmap is already shipped in most modern Linux distributions, but if you haven’t installed it, check out our Nmap Tutorial Guide, which covers the installation process.

Next, run Nmap to scan a range of IPs, 192.168.0.1 to 192.168.0.100, with the following command,

nmap 192.168.0.1-100

The ultimate “catch” in using Nmap remains that you should already know all of your organization’s IP address assets before starting. Only when all of your organization’s IP addresses have been scanned can you get complete coverage when searching for out-of-date software, misconfigured private services via public networks, and the like.

What about fping?

fping is another handy tool for discovering active hosts within your organization’s IP address space.

Consider the following example:

fping -g -r 1 192.168.0.0/24

With the above command, fping sends 1 ping request to each IP address within the subnet 192.168.0.0/24 (that is, from 192.168.0.1 to 192.168.0.254). All active hosts that reply to the ping request get listed on your terminal.

The catch with using fping is similar to the one with using Nmap: some host devices simply will not reply to ping requests by default (for example, Windows systems and other firewalled devices). This can lead to host devices being missed, which in turn can lead to your organization remaining vulnerable to attackers and a host of common network security threats.

Full IP discovery with SurfaceBrowser™

Let’s look at how you can perform a full IP discovery within your organization now.

Head over to SurfaceBrowser™ at https://securitytrails.com/app/sb.

Enter your organization’s domain name in the search box at the top:

Organization Domain Name

Once on the page, head over to the IP Addresses area

IP Addresses Area

and the IP Addresses dashboard.

IP Addresses Dashboard

Summary By Regional Registrar

This is the first block of information available to you via the SurfaceBrowser™ tool.

Regional Registrar

The regional registrar is often a key piece of information when trying to figure out where an IP address is used. Regional registrars frequently have limitations on which region the IP address can be used; IPs allocated by APNIC can only be used within the Asia and Pacific region, while LACNIC IPs can only be used in South America.

Stats by IP subnet size

The next key piece of information shown is IP subnet size.

IP Subnet

The IP subnet size gives you a count of how many IP subnets are present. Subnets are frequently used on a per-project basis, where a group of IPs will all be used for the same purpose or be attached to the same physical system.

IP Block List

If we scroll down further, we notice the IP Block list.

IP Block list

Now let’s take a look into an IP block:

IP Block Details

Next, we arrive at the IP Block 165.156.0.0/16 information page:

IP Addresses Information Page

Here you see the IP Count, which is the number of IP addresses within this block, along with other information about the IP block.

Most importantly, we see the Organization, which tells us which subdivision of GE this IP block is allocated to—in this case, GE Drive Systems.

If we scroll down further, we find the individual subnets and IP addresses within this large /16 IPv4 block:

Neighboring IP Addresses

Taking a look at the sub-block 165.156.128.0/20,

Neighboring IP Addresses Block

we see the Ports open on this IP block, the hostnames associated with this IP block and an indication the IP block has had Egress network activity.

Clicking on this IP block further gives us more information about the individual IPs and subnets within.

Summary

Using the SecurityTrails SurfaceBrowser™ gives you a clear insight into your organization’s IP assets and the services running on them.

With the rise of IPv6 and dual stack networks, it’s critical to know which addresses are assigned where, in order to deploy firewalls for IPv6-powered devices as well.

Protecting your organization’s web services and web applications begins with knowing and understanding your organization’s IP assets. Only then can you effectively organize and maintain the various pieces of software running on the IP addresses involved.

Esteban Borges Blog Author
ESTEBAN BORGES

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.