#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=8.9.10.0?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange: 8.0.0.0 - 8.255.255.255
CIDR: 8.0.0.0/8
NetName: LVLT-ORG-8-8
NetHandle: NET-8-0-0-0-1
Parent: ()
NetType: Direct Allocation
OriginAS:
Organization: Level 3 Communications, Inc. (LVLT)
RegDate: 1992-12-01
Updated: 2012-02-24
Ref: https://whois.arin.net/rest/net/NET-8-0-0-0-1
When larger blocks are broken up, a whois lookup will tell you not only who owns the
block you are looking up but also what the parent block is and who it came from.
Let’s take another chunk out of the 8.0.0.0–8.255.255.255 range. In Example 3-14, you
can see a subset of that block. This one belongs to Google, as you can see. However,
before the output you see here, you would see the same block as you saw in the earlier
example, where Level 3 Communications owns the complete 8. block.
Example 3-14. whois query showing a child block
# start
NetRange: 8.8.8.0 - 8.8.8.255
CIDR: 8.8.8.0/24
NetName: LVLT-GOGL-8-8-8
NetHandle: NET-8-8-8-0-1
Parent: LVLT-ORG-8-8 (NET-8-0-0-0-1)
NetType: Reallocated
OriginAS:
Organization: Google LLC (GOGL)
RegDate: 2014-03-14
Updated: 2014-03-14
Ref: https://whois.arin.net/rest/net/NET-8-8-8-0-1
OrgName: Google LLC
OrgId: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
98 | Chapter 3: Reconnaissance
Country: US
RegDate: 2000-03-30
Updated: 2017-10-16
Ref: https://whois.arin.net/rest/org/GOGL
OrgTechHandle: ZG39-ARIN
OrgTechName: Google LLC
OrgTechPhone: +1-650-253-0000
OrgTechEmail: arin-contact@google.com
OrgTechRef: https://whois.arin.net/rest/poc/ZG39-ARIN
The way we can use this is to take an IP address we have located, such as a web server
or an email server, and determine who owns the whole block. In some cases, such as
the O’Reilly web server, the block belongs to a service provider, so we won’t be able to
get other targets from that block. However, when you find a block that belongs to a
specific company, you have several target IP addresses. These IP blocks will be useful
later, when we start doing some more active reconnaissance. In the meantime, you
can also use dig or nslookup to find the hostnames that belong to the IP addresses.
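The parent/child relationship in the whois records above can be followed programmatically. The Python code below is an added example, not part of the original text: it parses the two ARIN records shown on this page and walks the Parent handles to report which organization holds the most specific block containing an address and which block it was carved from. The function names and the trimmed SAMPLE text are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the two ARIN records from this page, trimmed to the fields used below.
SAMPLE = """\
NetRange: 8.0.0.0 - 8.255.255.255
CIDR: 8.0.0.0/8
NetName: LVLT-ORG-8-8
NetHandle: NET-8-0-0-0-1
Parent: ()
NetType: Direct Allocation
Organization: Level 3 Communications, Inc. (LVLT)

NetRange: 8.8.8.0 - 8.8.8.255
CIDR: 8.8.8.0/24
NetName: LVLT-GOGL-8-8-8
NetHandle: NET-8-8-8-0-1
Parent: LVLT-ORG-8-8 (NET-8-0-0-0-1)
NetType: Reallocated
Organization: Google LLC (GOGL)
"""

def nets(rec):
    """A CIDR field may list several comma-separated prefixes."""
    return [ipaddress.ip_network(c.strip()) for c in rec["CIDR"].split(",")]

def parse_records(text):
    """Split whois text into one {field: value} dict per network record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in chunk.splitlines() if ":" in l and not l.startswith("#")]
        rec = {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in lines)}
        if "CIDR" in rec and "NetHandle" in rec:
            records.append(rec)
    return records

def ownership_chain(ip, records):
    """Blocks containing ip, most specific first, following Parent handles."""
    addr = ipaddress.ip_address(ip)
    by_handle = {r["NetHandle"]: r for r in records}
    hits = [r for r in records if any(addr in n for n in nets(r))]
    node = max(hits, key=lambda r: max(n.prefixlen for n in nets(r)), default=None)
    chain, seen = [], set()
    while node and node["NetHandle"] not in seen:  # seen guards against loops
        seen.add(node["NetHandle"])
        chain.append((node["CIDR"], node.get("Organization", ""), node.get("NetType", "")))
        match = re.search(r"\((NET-[0-9-]+)\)", node.get("Parent", ""))
        node = by_handle.get(match.group(1)) if match else None
    return chain
```

Calling `ownership_chain("8.8.8.8", parse_records(SAMPLE))` returns the Google /24 first and the Level 3 /8 second, while an address such as 8.9.10.0 that falls only in the parent block returns the /8 alone.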
Finding the hostname from the IP requires the organization to have a reverse zone
configured. To look up the hostname from the IP address, there need to be pointer
records (PTRs) for each IP address in the block that has a hostname associated with
it. Keep in mind, however, that a relationship doesn’t necessarily exist between the
reverse lookup and the forward lookup. If www.foo.com resolves to 1.2.3.42, that
doesn’t mean that 1.2.3.42 necessarily resolves back to www.foo.com. IP addresses may
point to systems that have many purposes and potentially multiple names to match
those purposes.