🌍 Part 2: ASN & IP Discovery
Find network ranges, IP addresses, and infrastructure details
⚠️ Only test domains you own or have permission to test
📌 What is ASN & IP Discovery?
ASN (Autonomous System Number) discovery helps identify all IP ranges owned by an organization. This reveals the entire network infrastructure, including cloud hosts, servers, and internal services.
🔍 Basic ASN Discovery
ASN Lookup
whois -h whois.radb.net -- '-i origin AS12345' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+' | sort -u
List all IPv4 prefixes announced by an ASN (replace AS12345 with the target ASN)
ASNMap
asnmap -d example.com | dnsx -silent -resp-only
Discover IP ranges associated with the domain's ASN and resolve them with dnsx
🎯 Amass Intelligence Gathering
Amass Intel - Organization
amass intel -org "Target Organization Name"
Discover assets by organization name (replace with actual org name)
Amass Intel - CIDR
amass intel -active -cidr 192.168.1.0/24
Discover assets within specific IP range
Amass Intel - ASN
amass intel -active -asn AS12345
Discover assets by ASN number
Amass Intel - Whois
amass intel -whois -d example.com
Find netblocks using whois information
🔌 API-Based IP Discovery
⚠️ These commands require API keys. Sign up for free API keys at each service.
VirusTotal IP Lookup
curl -s "https://www.virustotal.com/vtapi/v2/domain/report?domain=example.com&apikey=YOUR_API_KEY" | jq -r '.resolutions[]?.ip_address' | sort -u
Extract historical IP addresses from VirusTotal
AlienVault OTX
curl -s "https://otx.alienvault.com/api/v1/indicators/hostname/example.com/url_list?limit=500" | jq -r '.url_list[]?.result?.urlworker?.ip // empty' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
Get IP addresses from AlienVault OTX
URLScan.io
curl -s "https://urlscan.io/api/v1/search/?q=domain:example.com&size=10000" | jq -r '.results[]?.page?.ip // empty' | sort -u
Extract IP addresses from URLScan.io scans
🔎 Shodan & Censys
Shodan SSL Search
shodan search ssl.cert.subject.cn:"example.com" 200 --fields ip_str
Find IP addresses using SSL certificate search
Shodan Domain Search
shodan search hostname:example.com --fields ip_str,port,org,hostnames
Search Shodan for all IPs hosting the domain
Censys Search
curl -s -X POST "https://search.censys.io/api/v2/hosts/search" -H "Accept: application/json" -H "Content-Type: application/json" -H "Authorization: Basic YOUR_BASE64_API_ID_AND_SECRET" -d '{"q":"example.com"}'
Censys API v2 host search (the Basic credential is base64 of API_ID:API_SECRET)
📡 DNS-Based Discovery
DNS History
dnsrecon -d example.com -t std,rev,brt
Comprehensive DNS reconnaissance
Reverse DNS Lookup
while read -r ip; do echo "$ip:"; nslookup "$ip" | grep 'name =' | awk '{print $4}'; done < ips.txt
Find domains pointing to IP addresses
📊 IP Range Expansion
Expand CIDR Ranges
prips 192.168.1.0/24 > ips.txt
Generate all IPs from a CIDR range
Mass Scanning IPs
masscan -iL ips.txt -p80,443,8080,8443 --rate=1000 -oJ masscan.json
Fast port scanning of discovered IPs
📈 Processing Results
Merge All IPs
cat *.txt | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u > all_ips.txt
Extract and deduplicate all IP addresses
Port Scan Live Hosts
nmap -iL all_ips.txt -p80,443,8080,8443,22,21,25,3306,5432 --open -oG nmap_results.txt
Nmap scan of discovered IPs
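The merge step above uses grep and sort; as an added example (not from this cheat sheet), the script below does the same consolidation in Python and also applies the "verify IP ownership" tip: it pulls IPv4 addresses and prefixes out of raw tool output, drops values that only look like addresses, and separates the results that fall inside the prefixes you are authorised to test from everything else. The sample output lines and the AUTHORISED range are constructed placeholders.

```python
#!/usr/bin/env python3
"""Merge raw IP discovery output and keep only addresses inside authorised ranges."""
import ipaddress
import re

# Matches dotted-quad IPv4 addresses with an optional /prefix length.
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b')

# Constructed sample: lines in the shape the tools above emit (RADB whois prefix,
# the reverse-lookup loop's "ip:" header, a shodan --fields row, a VirusTotal
# resolution) plus one bogus value that matches the regex but is not an address.
SAMPLE_OUTPUT = """\
203.0.113.0/24
203.0.113.10:
203.0.113.10  443  Example Org  www.example.com
198.51.100.7
999.1.1.1
"""

# Assumption: the prefix you hold written authorisation to test (TEST-NET-3 here).
AUTHORISED = ["203.0.113.0/24"]


def extract_networks(text):
    """Return the set of valid IPv4 networks (single hosts become /32) found in free text."""
    found = set()
    for match in IPV4_RE.findall(text):
        try:
            found.add(ipaddress.ip_network(match, strict=False))
        except ValueError:
            continue  # octet out of range or bad prefix: a regex hit, not an address
    return found


def classify(candidates, authorised):
    """Split networks into those fully contained in an authorised prefix and the rest."""
    scope = [ipaddress.ip_network(p, strict=False) for p in authorised]
    in_scope, out_of_scope = [], []
    for net in sorted(candidates):
        (in_scope if any(net.subnet_of(p) for p in scope) else out_of_scope).append(str(net))
    return in_scope, out_of_scope


def run(text=SAMPLE_OUTPUT, authorised=AUTHORISED):
    """Extract, dedupe and scope-check in one call; returns (in_scope, out_of_scope)."""
    return classify(extract_networks(text), authorised)


if __name__ == "__main__":
    inside, outside = run()
    print("in scope:", " ".join(inside))
    print("out of scope, drop before scanning:", " ".join(outside))
```

Feed it the concatenated tool output (for example `cat *.txt`) and only pass the in-scope list on to masscan or nmap.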
📦 Installation Commands
# Install Go tools
go install -v github.com/projectdiscovery/asnmap/cmd/asnmap@latest
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest
# Install with apt
sudo apt update
sudo apt install amass whois prips masscan nmap dnsrecon -y
# Install Shodan CLI
pip install shodan
shodan init YOUR_API_KEY
💡 Pro Tips
- ✓ Get Shodan API key (free with academic email) for better results
- ✓ Check multiple WHOIS servers for complete information
- ✓ Cloud providers (AWS, Azure, GCP) have their own IP ranges - check their published lists
- ✓ Monitor for new IPs over time as infrastructure changes
- ✓ Always verify IP ownership before testing
📚 Common Cloud ASNs
| Provider | ASN |
|---|---|
| AWS | AS16509, AS14618 |
| Google Cloud | AS15169, AS396982 |
| Cloudflare | AS13335 |
| Microsoft Azure | AS8075, AS12076 |