One of the cooler sections in Extreme Exploits covers ways to learn about a target network by looking at routes to those networks. I showed a few ways to use this data two years ago, but here's a more recent example.
Let's say I want to find out more about the organization hosting the Extreme Exploits Web site. First I resolve the hostname to an IP address.
host www.extremeexploits.com
www.extremeexploits.com has address 69.16.147.21
Now I use whois to locate the owner's netblock.
whois 69.16.147.21
Puregig, Inc. PUREGIG1 (NET-69-16-128-0-1)
69.16.128.0 - 69.16.191.255
VOSTROM Holdings, Inc. PUREGIG1-VOSTROM1 (NET-69-16-147-0-1)
69.16.147.0 - 69.16.147.255
# ARIN WHOIS database, last updated 2005-08-14 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Now I telnet to a route server and make queries about this netblock.
route-server.phx1>sh ip bgp 69.16.147.0
BGP routing table entry for 69.16.147.0/24, version 84120350
Bestpath Modifiers: always-compare-med, deterministic-med
Paths: (2 available, best #2)
Not advertised to any peer
22822 11588, (received & used)
67.17.64.89 from 67.17.81.24 (67.17.81.24)
Origin IGP, metric 0, localpref 300, valid, internal
Community: 3549:4044 3549:30840 22822:4012 22822:9120
Originator: 67.17.80.225, Cluster list: 0.0.0.11
22822 11588, (received & used)
67.17.64.89 from 67.17.80.251 (67.17.80.251)
Origin IGP, metric 0, localpref 300, valid, internal, best
Community: 3549:4044 3549:30840 22822:4012 22822:9120
Originator: 67.17.80.225, Cluster list: 0.0.0.11
I learn a few details:
- The autonomous system for this network is truly a /24, as shown by "BGP routing table entry for 69.16.147.0/24"
- The AS number for 69.16.147.0/24 is 11588. Its upstream provider AS is 22822. (AS data is read right-to-left.)
Now I want to find out if any other networks belong to this AS.
route-server.phx1>sh ip bgp regexp _11588$
BGP table version is 97334640, local router ID is 67.17.81.28
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i63.78.12.0/22 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i69.16.128.0/19 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i69.16.147.0/24 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i69.16.187.0/24 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i69.16.191.0/24 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i140.99.96.0/19 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i208.247.17.0 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i209.50.48.0/20 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i209.50.56.0/21 67.17.64.89 0 300 0 22822 11588 i
Network Next Hop Metric LocPrf Weight Path
*>i 67.17.64.89 0 300 0 22822 11588 i
We could then run queries on the new networks to learn more about them, e.g.:
whois 63.78.12.0
UUNET Technologies, Inc. UUNET63 (NET-63-64-0-0-1)
63.64.0.0 - 63.127.255.255
ElDorado Sales, Inc. UU-63-78-12 (NET-63-78-12-0-1)
63.78.12.0 - 63.78.15.255
# ARIN WHOIS database, last updated 2005-08-14 19:10
One final cool tool: Victor has a project called Pwhois that provides prefix query information:
whois -h whois.pwhois.org 69.16.147.21
IP: 69.16.147.21
Origin-AS: 11588
Prefix: 69.16.147.0/24
AS-Path: 3356 11588
Cache-Date: 1122289900
I am a real newbie with this BGP and AS stuff. If anyone wants to comment (Trevor, Nate, etc.) I appreciate it.
0 komentar:
Posting Komentar