IP reconnaissance is often the starting point of any security research or bug hunt. Scanning an IP address leads you to an individual host, and once you have found the host the possibilities open up: from there you may find running services, open ports, databases, unsecured files and much more. Everything begins with finding and scanning the IP address.
Doing this is relatively easy for smaller organizations; looking up the organization's ASN and the prefixes it announces often gives you almost all of its IP addresses. At larger organizations, however, you can find multiple departments running on different network spaces, ASNs and locations, with tens of thousands of IPs between them.
Some larger organizations, such as IBM, Amazon and Ford Motor Company, have a /8 of their own, which is 2^24 or exactly 16,777,216 IPv4 addresses. Scanning for open ports and services on half a million IPs, or even, say, 10,000 IPs (a common size at many larger organizations), is a time-consuming and difficult task.
But not all hope is lost! Tools such as our own SecurityTrails SurfaceBrowser™ scan and gather this information ahead of time, so your security research and IP reconnaissance take seconds rather than days.
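Before touching a scanner it is worth doing the block arithmetic the paragraphs above describe: collapsing the prefixes an organization announces, counting how many addresses that really is, estimating what a naive port scan of them would cost, and checking whether a given IP is in scope at all. The following is an added example written for this article, not code from SurfaceBrowser or from SecurityTrails; the prefix list is constructed and does not describe any real organization's allocations.

```python
"""
Added example (not part of the original article): IP block arithmetic for
scoping reconnaissance. The prefix list below is constructed for the
example and does not describe any real organization's allocations.
"""
import ipaddress

# Constructed sample of prefixes "announced" by a hypothetical organization.
# Overlapping and adjacent blocks are included on purpose to show collapsing.
SAMPLE_PREFIXES = [
    "203.0.113.0/25",
    "203.0.113.128/25",   # adjacent to the first /25 -> collapses into a /24
    "198.51.100.0/24",
    "198.51.100.64/26",   # contained in the /24 above -> redundant
    "192.0.2.0/24",
    "2001:db8::/32",      # IPv6 is counted separately
]


def collapse_prefixes(prefixes):
    """Return the minimal non-overlapping networks covering `prefixes`.
    ipaddress.collapse_addresses() merges adjacent blocks and drops blocks
    contained in another; it needs a single address family per call."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    v4 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4, v6


def address_count(networks):
    """Total number of addresses in a list of (already collapsed) networks."""
    return sum(n.num_addresses for n in networks)


def scan_hours(num_addresses, ports_per_host, probes_per_second):
    """Rough wall-clock estimate for a port scan: one probe per address/port."""
    return num_addresses * ports_per_host / probes_per_second / 3600


def in_scope(ip, networks):
    """Return the network that contains `ip`, or None when it is out of scope."""
    addr = ipaddress.ip_address(ip)
    for n in networks:
        if addr in n:
            return n
    return None


if __name__ == "__main__":
    v4, v6 = collapse_prefixes(SAMPLE_PREFIXES)
    print("IPv4 scope:", [str(n) for n in v4])
    print("IPv6 scope:", [str(n) for n in v6])
    print("IPv4 addresses:", address_count(v4))
    # A /8 is 2**24 addresses. At 1,000 probes/s and 100 ports per host the
    # naive estimate is hundreds of hours, which is why the article warns
    # about the cost of scanning large organizations yourself.
    slash8 = ipaddress.ip_network("10.0.0.0/8").num_addresses
    print("/8 addresses:", slash8, "scan hours:", round(scan_hours(slash8, 100, 1000)))
    print("203.0.113.200 in scope:", in_scope("203.0.113.200", v4))
    print("203.0.114.1 in scope:", in_scope("203.0.114.1", v4))
```

Collapsing first matters for the scope check as well as the count: a bug bounty scope that lists a /26 inside a /24 is one block, not two, and an IP just outside the collapsed set (203.0.114.1 above) must come back as out of scope.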
- How to perform IP reconnaissance for Bug Bounty Hunting
- Looking further into per-IP information with SurfaceBrowser™
- What about IP neighbors?
How to perform IP reconnaissance for Bug Bounty Hunting
Let's see how anyone can perform a complete IP reconnaissance using SurfaceBrowser™, our all-in-one surface analysis tool:
To begin your IP reconnaissance, first head over to your user area and log into your account. Once logged in, click on "Access SurfaceBrowser™" on the left-hand side or load this URL: https://securitytrails.com/app/sb/.
In our example, we'll be looking at the company domain "ge.com".
From the left-hand sidebar, select "IP Blocks" under the "IP Addresses" heading:
Give it a few seconds for SurfaceBrowser™ to generate your report, after which you'll see all the IP addresses associated with the company GE:
As you can see, each IP block is listed along with its IP count, RIR, open ports, hostnames and the apex domains hosted on those addresses.
Looking further into per-IP information with SurfaceBrowser™
Taking the IP 126.96.36.199 as an example, SurfaceBrowser™ shows you a summary of all the available information and lets you jump from one tab to another to discover even more details:
The Domains tab lists the number of domains associated with this IP address, the current/active domains on it, and the past domains (domain history) associated with it.
The Ports History tab lists ports that were open in the past, whether they are still open or have since closed, and when each was last seen open.
The P2P tab lists any peer-to-peer activity which may have occurred on or via this IP address, including data such as date, torrent, category and source.
Open Ports and Software
The Open Ports and Software section lists each open port found on the IP address together with the service or application behind it: web servers such as Nginx, DNS servers such as Unbound, HTTP proxies and more.
Forward and Reverse DNS
This section lists all forward DNS and reverse DNS records and information associated with the IP address.
ASN
This section indicates which autonomous system number (ASN) the IP address belongs to, helping you trace out the associated IP ranges and the network's uplinks/providers.
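One check worth running over the forward and reverse DNS data is forward-confirmed reverse DNS: does the hostname the PTR record claims actually resolve back to the IP? A mismatch usually means a stale or decommissioned name, which is exactly the kind of forgotten host a bug hunter wants to find. The following is an added example written for this article, not SurfaceBrowser code; the PTR and A lookup tables are constructed, and in a real run you would replace them with resolver queries or with the records from the report.

```python
"""
Added example (not part of the original article): forward-confirmed reverse
DNS (FCrDNS) over the forward/reverse DNS data a per-IP report gives you.
The lookup tables are constructed for the example; a real run would replace
them with resolver queries (socket.gethostbyaddr / socket.getaddrinfo) or
with the forward and reverse records shown in the report.
"""

# Constructed reverse DNS (PTR) data: IP -> hostname claimed for that IP.
SAMPLE_PTR = {
    "192.0.2.10": "www.example.com",
    "192.0.2.11": "mail.example.com",
    "192.0.2.12": "legacy.example.net",   # PTR points at a name whose A record moved away
    "192.0.2.13": "shared-host.hosting.example",
    "192.0.2.15": "gone.example.org",     # PTR points at a name with no forward record
}

# Constructed forward DNS (A) data: hostname -> addresses.
SAMPLE_A = {
    "www.example.com": ["192.0.2.10", "192.0.2.20"],
    "mail.example.com": ["192.0.2.11"],
    "legacy.example.net": ["198.51.100.5"],
    "shared-host.hosting.example": ["192.0.2.13"],
}


def fcrdns(ip, ptr_table, a_table):
    """Classify an IP's reverse record.

    Returns (status, ptr_name) where status is one of:
      "confirmed"  - the PTR name resolves back to the IP (forward-confirmed)
      "mismatch"   - the PTR name exists but its A records do not include the IP
      "no-forward" - the PTR name has no forward record at all
      "no-ptr"     - the IP has no reverse record
    "mismatch" and "no-forward" are leads: the PTR name is often a stale or
    decommissioned host that nobody is watching any more.
    """
    name = ptr_table.get(ip)
    if name is None:
        return "no-ptr", None
    forward = a_table.get(name)
    if forward is None:
        return "no-forward", name
    if ip in forward:
        return "confirmed", name
    return "mismatch", name


def audit(ips, ptr_table, a_table):
    """Run the check over a list of IPs and group the results by status."""
    report = {}
    for ip in ips:
        status, name = fcrdns(ip, ptr_table, a_table)
        report.setdefault(status, []).append((ip, name))
    return report


if __name__ == "__main__":
    ips = ["192.0.2.10", "192.0.2.11", "192.0.2.12",
           "192.0.2.13", "192.0.2.14", "192.0.2.15"]
    for status, entries in audit(ips, SAMPLE_PTR, SAMPLE_A).items():
        for ip, name in entries:
            print(f"{ip:15} {status:12} {name or '-'}")
```

Note that a PTR record is set by whoever controls the reverse zone for the block, not by the domain owner, so a "confirmed" result tells you the two parties agree, while "mismatch" tells you only that they once did.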
Latest Seen Certificates
The certificates most recently seen on this IP address are listed here, along with the port each was served on, its location and its validity period. The names in a certificate frequently point you at further hostnames served from the same address.
Combined, the above information gives you a great headstart into gathering information about the IP address in question.
What about IP neighbors?
Sometimes an IP address might not have much to offer, simply because it is well secured or runs nothing of value to the investigation. Its neighbors, on the other hand, might be running services of interest, and finding these IP neighbors is just as easy with the SurfaceBrowser™ tool:
We see the IPs neighboring the one searched for, the organization they belong to, and the hostnames and ports seen open on them.
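To show what "neighbors" means in practice, here is an added example (written for this article, not SurfaceBrowser code) that takes a table of observed hosts, finds the ones in the same /24 as a target, orders them by how close they sit to the target address, and flags the ones exposing admin, database or CI ports. The observation table is constructed; in a real engagement it would come from your own scan results or from an IP neighbors report like the one above.

```python
"""
Added example (not part of the original article): finding the neighbors of
an IP address within its surrounding block. The observation table is
constructed for the example; in practice it comes from a scan or from an
IP-neighbors report such as the one the article describes.
"""
import ipaddress

# Constructed observations: IP -> (hostnames seen, ports seen open).
SAMPLE_HOSTS = {
    "203.0.113.8":   (["vpn.example.com"], [443]),
    "203.0.113.9":   ([], [22]),                              # no hostname, SSH open
    "203.0.113.10":  (["www.example.com"], [80, 443]),         # the well-secured target
    "203.0.113.11":  (["staging.example.com"], [80, 8080]),
    "203.0.113.12":  (["db-backup.example.com"], [22, 5432]),
    "203.0.113.200": (["old-jenkins.example.com"], [8080]),
    "203.0.114.10":  (["other-org.example.net"], [443]),       # different /24, ignored
}


def neighbours(target, hosts, prefixlen=24, max_distance=None):
    """Return observed hosts in the same /prefixlen block as `target`, nearest first.

    Each entry is (distance, ip, hostnames, ports); `distance` is the absolute
    difference of the two integer addresses, so .9 and .11 are both distance 1
    from .10. The target itself is excluded, and `max_distance` optionally
    trims the result to a window around the target.
    """
    t = ipaddress.ip_address(target)
    block = ipaddress.ip_network(f"{t}/{prefixlen}", strict=False)
    found = []
    for ip, (names, ports) in hosts.items():
        a = ipaddress.ip_address(ip)
        if a == t or a not in block:
            continue
        d = abs(int(a) - int(t))
        if max_distance is not None and d > max_distance:
            continue
        found.append((d, int(a), ip, names, ports))   # int(a) breaks distance ties numerically
    return [(d, ip, names, ports) for d, _, ip, names, ports in sorted(found)]


def interesting_ports(entries, watch=(22, 5432, 8080)):
    """Keep only neighbours exposing ports on a watch list: the kind of
    admin, database or CI service that rarely belongs on a public IP."""
    return [e for e in entries if set(e[3]) & set(watch)]


if __name__ == "__main__":
    near = neighbours("203.0.113.10", SAMPLE_HOSTS)
    for d, ip, names, ports in near:
        print(f"+/-{d:<4} {ip:15} {','.join(names) or '-':26} {ports}")
    print("worth a closer look:", [e[1] for e in interesting_ports(near)])
```

Ordering by distance rather than by IP string is deliberate: adjacent addresses in the same block are usually provisioned together, so the hosts nearest the hardened target are the most likely to share its owner and the least likely to have had the same hardening effort.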
As we've shown you, large organizations can have many thousands of IP allocations actively in use across their departments. In such cases, scanning each IP block for live hosts and then scanning each individual IP for open ports is time consuming and often impractical for an individual dealing with organizations like IBM, Amazon and Ford Motor Company, all of whom have their own /8 IPv4 allocations (about 16.8 million addresses each).
Using SecurityTrails SurfaceBrowser™ helps by automatically scanning IP ranges and listing open ports and services running on them, which can speed up your IP reconnaissance tasks significantly.