What is ASN ?

An Autonomous System Number (ASN) is a globally unique identifier used to label autonomous systems (AS), which are large networks or groups of networks operated by a single organization or entity such as Internet Service Providers (ISPs), data centers, large enterprises, or universities. These systems exchange routing information with each other using the Border Gateway Protocol (BGP), a critical part of internet infrastructure.

An autonomous system allows an organization to present a unified routing policy to the rest of the internet. Each AS has a unique ASN that distinguishes it from others, and it operates under a single administrative domain.

ASNs play a crucial role in internet routing. They help direct the flow of internet traffic between different networks, allowing organizations to control how their data is routed and to ensure efficient data transfer. When two autonomous systems exchange routing information, ASNs are used to determine the most efficient path for data to travel across the internet.

Types of ASN

There are two types of ASNs:

• 2-byte ASNs: Range from 1 to 65,535.
• 4-byte ASNs: Range from 65,536 to 4,294,967,295, allowing for more networks.

Why are ASN's Important for Recon

ASNs are invaluable in network reconnaissance as they help identify the IP address ranges that belong to an organization. By determining an organization's ASN, security researchers and penetration testers can map the external network infrastructure and potentially identify services or vulnerabilities that can be exploited. ASNs give insight into the organization’s network structure and help identify public-facing systems that could be entry points for an attack.

Tools for finding ASN Numbers

Several online services and tools allow you to look up ASN information for organizations:

• https://hackertarget.com/as-ip-lookup/
• https://bgp.he.net/ These tools allow you to input an organization’s name or IP address and retrieve its ASN, IP ranges, and associated information.

Enumerating IP Addresses from ASN

One of the best tools for ASN-based IP range enumeration is asnmap, developed by Project Discovery. This tool enables you to quickly gather IP ranges from an ASN. It’s efficient and easy to use, making it a great starting point for network reconnaissance. https://github.com/projectdiscovery/asnmap

asnmap -a <ASN>

Portscanning IP ranges

There are a variety of tools that we can use to do port scans of targets but here we are going to use another tool by project discovery which is called naabu. This is an extrememly fast port scanner which we can use in tandem with the asn enumeration. The specific combined command can be found at the end of the blog. https://github.com/projectdiscovery/naabu

To check for web servers on ASN's IP ranges we can use the command.

echo AS14421 | naabu -p 80,443

(This command might be deprecated, use the command given at the end for enumeration)

Combining asnmap and naabu

 echo <ASN NUM> | asnmap -silent | naabu -silent 

Here each autonomous system number is entered in the echo command which pipes it into asnmap to enumerate the IP ranges and the further pipes it into naabu for port scanning.Remove the '-silent' option to display the output.

echo <ASN NUM> | asnmap -silent | naabu -silent -nmap-cli 'nmap -sV'

This set of commands can be used to run service scan on the IP ranges given by asnmap.

The github repo mentioned below can be used to automate the ASN Recon process to detect webservers and run portscanning on the enumerated IP.

• https://github.com/icarusec/Automated-ASN-Enumeration

ASNs are key to understanding an organization’s network infrastructure. By leveraging tools like asnmap and naabu, you can efficiently enumerate IP ranges and perform port scans to uncover vulnerabilities. This method streamlines network reconnaissance, helping identify attack surfaces more effectively. Always ensure you have proper authorization when using these techniques.