Routing Enumeration

One of the cooler sections in Extreme Exploits covers ways to learn about a target network by looking at the routes to it. I showed a few ways to use this data two years ago, but here's a more recent example.

Let's say I want to find out more about the organization hosting the Extreme Exploits Web site. First I resolve the hostname to an IP address.

host www.extremeexploits.com
www.extremeexploits.com has address 69.16.147.21

Now I use whois to locate the owner's netblock.

whois 69.16.147.21
Puregig, Inc. PUREGIG1 (NET-69-16-128-0-1)
69.16.128.0 - 69.16.191.255
VOSTROM Holdings, Inc. PUREGIG1-VOSTROM1 (NET-69-16-147-0-1)
69.16.147.0 - 69.16.147.255

# ARIN WHOIS database, last updated 2005-08-14 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Now I telnet to a route server (a router its operator leaves open to anonymous users for read-only show commands) and make queries about this netblock.

route-server.phx1>sh ip bgp 69.16.147.0
BGP routing table entry for 69.16.147.0/24, version 84120350
Bestpath Modifiers: always-compare-med, deterministic-med
Paths: (2 available, best #2)
Not advertised to any peer
22822 11588, (received & used)
67.17.64.89 from 67.17.81.24 (67.17.81.24)
Origin IGP, metric 0, localpref 300, valid, internal
Community: 3549:4044 3549:30840 22822:4012 22822:9120
Originator: 67.17.80.225, Cluster list: 0.0.0.11
22822 11588, (received & used)
67.17.64.89 from 67.17.80.251 (67.17.80.251)
Origin IGP, metric 0, localpref 300, valid, internal, best
Community: 3549:4044 3549:30840 22822:4012 22822:9120
Originator: 67.17.80.225, Cluster list: 0.0.0.11

I learn a few details:

  • The route is announced as a /24, as shown by "BGP routing table entry for 69.16.147.0/24". (It is the prefix that is a /24; an autonomous system has no size. Whether the /19 that whois showed as the parent allocation is also announced is a separate question, answered by the next query.)

  • The AS path is read right to left: the rightmost AS, 11588, originates 69.16.147.0/24, and the AS to its left, 22822, is the neighbour through which this route server's network reaches it, i.e. an upstream provider of AS11588.

  • Both paths are marked "internal" and carry the same Originator and Cluster list, so they are two route-reflector copies of one announcement inside the route server's own AS, not two different upstreams. This vantage point shows one provider; finding the others takes other looking glasses.

Now I want to find out what other networks this AS originates. In the router's regexp, "_" matches a boundary between AS numbers (including the start and end of the path) and "$" anchors to the end of the path, so _11588$ matches every path whose last, i.e. origin, AS is 11588:

route-server.phx1>sh ip bgp regexp _11588$
BGP table version is 97334640, local router ID is 67.17.81.28
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
* i63.78.12.0/22 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i69.16.128.0/19 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i69.16.147.0/24 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i69.16.187.0/24 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i69.16.191.0/24 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i140.99.96.0/19 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i208.247.17.0 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i209.50.48.0/20 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i209.50.56.0/21 67.17.64.89 0 300 0 22822 11588 i
Network Next Hop Metric LocPrf Weight Path
*>i 67.17.64.89 0 300 0 22822 11588 i

Note that 208.247.17.0 is printed without a mask: the router omits the length on a classful prefix, so that entry is a /24. We could then run whois on the new networks to learn more about them, e.g.:

whois 63.78.12.0
UUNET Technologies, Inc. UUNET63 (NET-63-64-0-0-1)
63.64.0.0 - 63.127.255.255
ElDorado Sales, Inc. UU-63-78-12 (NET-63-78-12-0-1)
63.78.12.0 - 63.78.15.255

# ARIN WHOIS database, last updated 2005-08-14 19:10
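
A small parser for the route-server table above, added here as an example; it is not from the post or from Extreme Exploits. It takes the "sh ip bgp regexp" rows as they appear on this page (whitespace collapsed), restores the mask the router omits on classful prefixes such as 208.247.17.0, reads each AS path right to left to get the origin and the upstream, and does the longest-match lookup that shows 69.16.147.21 lives in the /24 and not just the /19. The sample text is constructed from the output above, and the function names are the example's own; the assumption that the Metric, LocPrf and Weight columns are all populated is noted in the code.

```python
import ipaddress
import re

# Constructed sample input: the "sh ip bgp regexp _11588$" table from the post,
# trimmed to four prefixes, with whitespace collapsed as it appears on the page.
# The column header that the router's pager repeats in the middle of long
# output is kept so the parser has to cope with it.
ROUTE_SERVER_OUTPUT = """\
BGP table version is 97334640, local router ID is 67.17.81.28
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
* i63.78.12.0/22 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i69.16.128.0/19 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i69.16.147.0/24 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i208.247.17.0 67.17.64.89 0 300 0 22822 11588 i
Network Next Hop Metric LocPrf Weight Path
*>i 67.17.64.89 0 300 0 22822 11588 i
"""

# Status flags (* > s d h r S) plus the optional iBGP marker "i", which the
# router prints glued to the Network column; everything after them is the row.
_STATUS_RE = re.compile(r"^[*>sdhrS ]{1,2}i?\s*(?P<rest>.*)$")
_IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _classful(network):
    """The router omits the mask on classful prefixes; restore the one it implies."""
    if "/" in network:
        return ipaddress.IPv4Network(network, strict=False)
    first_octet = int(network.split(".")[0])
    bits = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.IPv4Network(f"{network}/{bits}", strict=False)


def parse_bgp_table(text):
    """Return {IPv4Network: [AS path tuple, ...]} for every row of a 'show ip bgp' table.

    Assumption: the Metric, LocPrf and Weight columns are all populated, as they
    are in the output on the page (a blank Metric would shift the columns).
    """
    routes = {}
    current = None
    for line in text.splitlines():
        m = _STATUS_RE.match(line)
        if not m:
            continue                                   # banner and blank lines
        tokens = m.group("rest").split()
        if len(tokens) < 5 or not _IPV4_RE.match(tokens[0].split("/")[0]):
            continue                                   # column header, legend lines
        if _IPV4_RE.match(tokens[1]):                  # row carries the Network column
            current = _classful(tokens[0])
            tokens = tokens[1:]
            routes.setdefault(current, [])
        elif current is None:
            continue                                   # continuation row before any prefix
        # tokens now: next-hop metric locpref weight <AS path ...> origin-code
        routes[current].append(tuple(int(t) for t in tokens[4:-1] if t.isdigit()))
    return routes


def origin_view(routes):
    """Per prefix: the origin AS (rightmost in the path) and the ASes directly to
    its left, i.e. the neighbours through which this vantage point reaches the origin."""
    view = {}
    for prefix, paths in routes.items():
        origins = {p[-1] for p in paths if p}
        upstreams = {p[-2] for p in paths if len(p) >= 2}
        view[prefix] = (origins, upstreams)
    return view


def covering_prefixes(routes, address):
    """Prefixes that contain `address`, most specific first: the /24 wins over the /19."""
    ip = ipaddress.IPv4Address(address)
    return sorted((p for p in routes if ip in p), key=lambda p: p.prefixlen, reverse=True)


if __name__ == "__main__":
    routes = parse_bgp_table(ROUTE_SERVER_OUTPUT)
    for prefix, (origins, upstreams) in origin_view(routes).items():
        print(f"{str(prefix):18} origin {sorted(origins)} via {sorted(upstreams)}")
    print("covering 69.16.147.21:", [str(p) for p in covering_prefixes(routes, "69.16.147.21")])
```

Feed it the saved output of a real session, or of a collector with many external views such as the one the comments mention, and compare the upstream sets across several route servers; a single vantage point will usually show you a single provider.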

One final cool tool: Victor has a project called Pwhois that answers prefix queries over the whois protocol, returning the covering prefix, the origin AS and the AS path as seen from its own collector:

whois -h whois.pwhois.org 69.16.147.21
IP: 69.16.147.21
Origin-AS: 11588
Prefix: 69.16.147.0/24
AS-Path: 3356 11588
Cache-Date: 1122289900

Note that Pwhois reports the path 3356 11588 while the route server saw 22822 11588. Two vantage points, two different neighbours adjacent to AS11588 (most likely two transit providers): querying more than one looking glass is how the full set of upstreams comes out.

I am a real newbie with this BGP and AS stuff. If anyone wants to comment (Trevor, Nate, etc.) I appreciate it.

Comments

Anonymous said…
The route server information can be much more interesting if you query a route server with many more views of the BGP table. route-views.oregon-ix.net is a popular one. You have a better chance of seeing the multiple paths/providers to the destination network.

Regexes are extremely helpful too. _AS####_ may show other networks behind that network.


Querying the AS number at whois.arin.net or whois.ra.net (needs AS#####) can reveal more network information. Also querying the netblock (i.e. whois -h whois.arin.net NET-63-78-12-0-1) can provide contact and delegation information.

May have to hunt for where their prefixes are registered if not at http://www.radb.net/. But many are.

John K
Anonymous said…
An awesome BGP site is http://www.bgp4.as/

Especially the collection of links under
/BGP tools/utilities/software and /BGP/Looking Glasses

I've also found http://www.completewhois.com/
to be very useful.
Anonymous said…
Richard,

One thing you might find helpful is the IRR (Internet Routing Registry) and their RADB (Routing Assets Database). It can be easily accessed by pointing your whois client to whois.radb.net. For instance:


# whois -h whois.radb.net 69.16.147.0
route: 69.16.128.0/19
descr: Puregig, Inc.
origin: AS11588
mnt-by: MAINT-AS11588
changed: shawn@eldosales.com 20040225
source: SAVVIS

route: 69.16.128.0/19
descr: LLNW
origin: AS11588
mnt-by: MAINT-LLNW
changed: bill@limelightnetworks.com 20040327
source: ALTDB

route: 69.16.147.0/24
descr: PH CBS TRANSIT
origin: AS22773
remarks: Change Ticket# 23327
notify: matt.williams@cox.com
notify: thebackbone@cox.com
notify: CCIATL-NOCEngineer@cox.com
mnt-by: CCINET-2-MNT
changed: david.burns@cox.com 20040505
source: LEVEL3

route: 69.16.147.0/24
descr: Proxy-registered route object
origin: AS11588
remarks: auto-generated route object
remarks: this next line gives the robot something to recognize
remarks: L'enfer, c'est les autres
remarks:
remarks: This route object is for a Level 3 customer route
remarks: which is being exported under this origin AS.
remarks:
remarks: This route object was created because no existing
remarks: route object with the same origin was found, and
remarks: since some Level 3 peers filter based on these objects
remarks: this route may be rejected if this object is not created.
remarks:
remarks: Please contact routing@Level3.net if you have any
remarks: questions regarding this object.
mnt-by: LEVEL3-MNT
changed: roy@Level3.net 20050205
source: LEVEL3


You can also then query that same database for information on either the "origin:" or the "mnt-by:"... So you could do:

# whois -h whois.radb.net AS22773
# whois -h whois.radb.net MAINT-AS11588

-Mestizo
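
An added example, not part of Mestizo's comment: a parser for the RPSL objects that whois.radb.net returns, which groups route objects by prefix and flags any prefix registered under more than one origin AS, as 69.16.147.0/24 is above (AS22773 in the Cox-maintained object, AS11588 in the Level 3 proxy object). The sample input is the quoted answer, trimmed of most remarks and notify lines; the function names are the example's own.

```python
import ipaddress

# Constructed sample input: the whois.radb.net answer quoted in the comment,
# trimmed of most remarks/notify lines. Objects are separated by blank lines.
IRR_OUTPUT = """\
route: 69.16.128.0/19
descr: Puregig, Inc.
origin: AS11588
mnt-by: MAINT-AS11588
source: SAVVIS

route: 69.16.128.0/19
descr: LLNW
origin: AS11588
mnt-by: MAINT-LLNW
source: ALTDB

route: 69.16.147.0/24
descr: PH CBS TRANSIT
origin: AS22773
remarks: Change Ticket# 23327
mnt-by: CCINET-2-MNT
source: LEVEL3

route: 69.16.147.0/24
descr: Proxy-registered route object
origin: AS11588
remarks: auto-generated route object
remarks: This route object is for a Level 3 customer route
remarks: which is being exported under this origin AS.
mnt-by: LEVEL3-MNT
source: LEVEL3
"""


def parse_rpsl(text):
    """Split IRR/whois output into objects: one dict per object, attribute -> list of values.
    Repeated attributes (remarks:) accumulate; '#' and '%' server comment lines are dropped."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends an object
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith(("#", "%")):
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def route_objects(objects):
    """Yield (prefix, origin ASN, source registry, is_proxy) for each route object."""
    for obj in objects:
        if "route" not in obj or "origin" not in obj:
            continue
        prefix = ipaddress.IPv4Network(obj["route"][0], strict=False)
        asn = int(obj["origin"][0].upper().removeprefix("AS"))
        blurb = " ".join(obj.get("descr", []) + obj.get("remarks", [])).lower()
        yield prefix, asn, obj.get("source", ["?"])[0], "proxy" in blurb


def origin_conflicts(objects):
    """Prefixes registered under more than one origin AS, mapped to their set of
    (asn, source, is_proxy) registrations. This is the thing to notice above:
    69.16.147.0/24 is claimed by AS22773 and, via a proxy object, by AS11588."""
    by_prefix = {}
    for prefix, asn, source, proxy in route_objects(objects):
        by_prefix.setdefault(prefix, set()).add((asn, source, proxy))
    return {p: regs for p, regs in by_prefix.items() if len({r[0] for r in regs}) > 1}


def irr_origins_for(objects, address):
    """Origin ASes the IRR lists for every prefix covering `address`, most specific first."""
    ip = ipaddress.IPv4Address(address)
    covering = {}
    for prefix, asn, _, _ in route_objects(objects):
        if ip in prefix:
            covering.setdefault(prefix, set()).add(asn)
    ordered = sorted(covering.items(), key=lambda kv: kv[0].prefixlen, reverse=True)
    return [(str(prefix), sorted(asns)) for prefix, asns in ordered]


if __name__ == "__main__":
    objs = parse_rpsl(IRR_OUTPUT)
    for prefix, regs in origin_conflicts(objs).items():
        print(f"{prefix}: conflicting origins {sorted(regs)}")
    print(irr_origins_for(objs, "69.16.147.21"))
```

Conflicting and proxy-registered objects are exactly the entries to chase: an origin AS that no longer shows up in the routing table may be a former provider or a stale object, and either one is a lead on who has handled the netblock. Comparing the IRR origins with what the route server actually announces (AS11588, not AS22773) is the check to run before trusting any single source.
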
Trevor said…
Yeah, what Mestizo said. (He's ex-UU also so he's cheating) :)

Richard: Since "I got nuthin", you should look at this:

http://www.secsup.org/CustomerBlackHole/

Lots of customers get flooded and attacked a lot (shell servers, etc.). Imagine if you had an IP on your network that kept getting flooded... Well you can use the method described at the URL above to black-hole-route your own IPs. By black hole, I mean you can inject routes into your provider's network that cause the IP to die at your provider's ingress points. Kind of a cool "firewall". Not only are you dropping ALL packets to the IP, but the IP is pretty much gone on your ISP's whole AS based on your command.

Of course, your ISP has to have clue to support this. This is helpful to the router engineer as he doesn't have to wake up at 4am to null-route ANOTHER v-host that's under attack.
Anonymous said…
Ahh yes, UUNet... The good ol' days. I'll never forget the time I got Trevor a shiny new TACACS+ login of his very own, and taught him how to log into his very first backbone router. My, how they grow up quick. :)