HardCIDR will query ARIN and a pool of BGP route servers (opens in new tab)

(github.com)

85 pointscrystalPalace9y ago47 comments

47 comments

31 comments · 10 top-level

natch9y ago· 7 in thread

Beware, this script will hose / clobber and then silently clean up (delete) a ton of various different files if files with those names happen to already exist. To see the exact file names you'll have to carefully pick through the script. So obviously? run it in its own directory, which is no guarantee of safety, but should be safer.

If you have a subdirectory where you run it named after your email hostname (such as "example/" for "example.com"), then it will prompt you to "overwrite the contents of the directory" and then, if you accept, it will not only overwrite the contents, it will remove the entire contents with:

    cd $outdir
    rm * 2>/dev/null

There's a slight violation of user expectations here. Removing and replacing the contents isn't quite the same as overwriting the contents. It may be a fine line, but it's better to err on the side of protecting the user's files, not deleting them, when deciding where to come down on that fine line.

And if $outdir is empty or not there, it tries to detect that by first doing a check for -d $outdir, but this won't save the user if $outdir gets moved aside by another process while they are reading the prompt and before the cd happens, leaving them in another directory. Hopefully the user has rm aliased to rm -i but that still won't help since the rm is being run in its own shell in the script.

I know we're not supposed to focus on the negative here on HN. I'm sure the script is awesome for whatever it does. Just be careful out there!

joshka9y ago

You seem to have a good eye for picking up problems in scripts, and enough of an interest to write about it. Have you considered submitting a PR with your suggested changes, or if you don't have time for that, perhaps an issue with your problems?

natch9y ago

No, because the README for this project leaves me having utterly no idea who the audience is, what it is for, why it exists, etc., so I wouldn't feel I have the right background to do a proper PR against it.

CJefferson9y ago

I wish modern OSes made this easier. I would love to have an easy bullrtproof way of saying "give me a temp directory for writing, don't let me write anywhere else, clean up my directory after me".

cheeseprocedure9y ago

Chances are that every system this script runs on has "mktemp," and trapping exit makes it easy to clean up when things are finished.

https://www.mktemp.org/manual.html

http://redsymbol.net/articles/bash-exit-traps/

2 more replies

stuuuuuuuuu9y ago

A good usecase for Docker, maybe? Put the script in a container and let it run wild, then delete the container when it's done.

the84729y ago

on linux the following might work:

    - enter a user and mount namespace
    - mount a tmpfs, e.g. over /tmp
    - remount everything else as readonly

alternatively

    firejail --overlay-tmpfs <command>

LinuxBender9y ago

That is bad. One should always use set -u on scripts that rm any files or perform any destructive actions. One can always unset that if you need to accept args further along in a script to use in a variable.

packetized9y ago· 7 in thread

Oh, this is superfly. Easy way to build your own up-to-date ASN DB, similar to the one from Maxmind. Think: embellishing Apache/Nginx logs with up-to-date information about the IP address of the client, including ASN/OrgId. Useful for identifying snowshoers spreading their footprint across a lot of discontiguous IP addresses in one ASN/Org.

jlgaddis9y ago

If you just want to build your own IP-to-ASN table, you can download dumps of "RIS Raw Data" [0] from RIPE and parse them if you don't yourself run BGP.

I'm a network engineer at an ISP and it's pretty common to use something like this for analyzing traffic network when considering peering sessions, for example. Even if you don't run BGP, you could use it for answering questions like "how much traffic do we send to/receive from Facebook?" and such.

RIPE's RIS dumps are performed every five minutes from more than a dozen different "vantage points" across the Internet.

ARIN used to provide an "originAS" file [1] but it looks like they quit doing that a few years ago. You may be able to find some interesting stuff browsing around /pub on their FTP server, though [2].

[0]: https://www.ripe.net/analyse/internet-measurements/routing-i...

[1]: ftp://ftp.arin.net/pub/originAS/

[2]: ftp://ftp.arin.net/pub/

packetized9y ago

I always forget that this exists - thanks for the reminder.

justinsaccount9y ago

Oh, if that's what you want:

https://iptoasn.com/ https://pypi.python.org/pypi/pyasn

I've been working on tweaking pyasn a bit and building a service around that.

coderholic9y ago

Or if an API works for you, https://ipinfo.io

    $ curl ipinfo.io/8.8.8.8
    {
      "ip": "8.8.8.8",
      "hostname": "google-public-dns-a.google.com",
      "city": "Mountain View",
      "region": "California",
      "country": "US",
      "loc": "37.3860,-122.0840",
      "org": "AS15169 Google Inc.",
      "postal": "94035",
      "phone": "650"
    }

    $ curl ipinfo.io/8.8.8.8/org
    AS15169 Google Inc.

And ASN details are available on the web, eg https://ipinfo.io/AS15169

3 more replies

yusyusyus9y ago

Route server operators would prefer people didn't do something like this against their devices.

packetized9y ago

Agreed, that's why I'd run it against systems I operate that have at least one full view of the DFZ.

lucaspiller9y ago

Is this how Maxmind gets their data?

javajosh9y ago· 2 in thread

Note that this script installs "ipcalc" (or really, whatever is in http://jodies.de/ipcalc-archive/ipcalc-0.41.tar.gz) without user interaction.

I'm generally pretty not okay with scripts that curl | tar things (or apt-get install things, which this does if it's run on a linux) from the interwebs without my explicit consent.

jlgaddis9y ago

That shouldn't be an issue if you don't run it as root.

By running it as root, I'd argue that you did give explicit consent for the script to do anything it wants.

sigjuice9y ago

Sorry, no. The opposite, in fact. A script that demands to run as root on my computer needs to be extremely well mannered.

1 more reply

simplehuman9y ago· 2 in thread

I guess this is on hn because it sounds cool? It's impossible to understand what it is.

finnn9y ago

From the top of the script:

> A tool to enumerate CIDRs by querying RIRs & BGP ASN prefix lookups

> Currently queries: ARIN, RIPE NCC, APNIC, AfriNIC, LACNIC

> Queries are made for the Org name, network handles, org handles, customer handles,

> BGP prefixes, PoCs with target email domain, and 'notify' email address - used by

> some RIRs.

> Note that severl RIRs currently limit query results to 256 or less, so large

> target orgs may not return all results.

> LACNIC only allows query of ASN or IP address bloks & cannot search for Org names

> directly. The entire DB as been downloaded to a separate file for queries to this RIR.

> The file will be periodically updated to maintain accurate information.

> Output saved to two csv files - one for org & one for PoCs

> A txt file is also output with a full list of enumerated CIDRs

> Author: Jason Ashton (@ninewires)

> Created: 09/19/2016

simplehuman9y ago

This might well be Arabic. I have been in the industry for over 10 years and that explanation is meaningless

4 more replies

jauer9y ago· 1 in thread

OK, but what does it do? The README is pretty sparse. Some examples would really help.

Edit: the header from the script is good, toss it into the README for great success.

jlgaddis9y ago

It simplifies the process of finding the IP address blocks allocated/assigned to an organization.

> HardCidr is written by Jason Ashton, Senior Security Consultant at TrustedSec

I'm guessing it was written with pen-testing in mind.

mixologic9y ago· 1 in thread

This might give it some more context: https://www.trustedsec.com/march-2017/classy-inter-domain-ro...

mablap9y ago

It all makes sense now! This is much more pertinent than the code if you don't know much about the subject matter.

TheRealPomax9y ago· 1 in thread

Those are some cool acronyms that I've never heard of. Reading the README does not explain any more. It's quite the mystery how this got to the top-30...

jlgaddis9y ago

Perhaps because some of the people here do know what the acronyms stand for?

popol129y ago

I can't find how to make it work for european companies. For instance, fnac.com doesn't give any result with the -r option. Did I miss something ?

natch9y ago

>The script with no specified options will query ARIN and a pool of BGP route servers.

To what end?

blockfinder9y ago

see also blockfinder:

https://github.com/ioerror/blockfinder

j / k navigate · click thread line to collapse

47 comments

31 comments · 10 top-level

natch9y ago· 7 in thread

    cd $outdir
    rm * 2>/dev/null

I know we're not supposed to focus on the negative here on HN. I'm sure the script is awesome for whatever it does. Just be careful out there!

joshka9y ago

natch9y ago

CJefferson9y ago

I wish modern OSes made this easier. I would love to have an easy bullrtproof way of saying "give me a temp directory for writing, don't let me write anywhere else, clean up my directory after me".

cheeseprocedure9y ago

Chances are that every system this script runs on has "mktemp," and trapping exit makes it easy to clean up when things are finished.

https://www.mktemp.org/manual.html

http://redsymbol.net/articles/bash-exit-traps/

2 more replies

stuuuuuuuuu9y ago

A good usecase for Docker, maybe? Put the script in a container and let it run wild, then delete the container when it's done.

the84729y ago

on linux the following might work:

    - enter a user and mount namespace
    - mount a tmpfs, e.g. over /tmp
    - remount everything else as readonly

alternatively

    firejail --overlay-tmpfs <command>

LinuxBender9y ago

packetized9y ago· 7 in thread

jlgaddis9y ago

If you just want to build your own IP-to-ASN table, you can download dumps of "RIS Raw Data" [0] from RIPE and parse them if you don't yourself run BGP.

RIPE's RIS dumps are performed every five minutes from more than a dozen different "vantage points" across the Internet.

[0]: https://www.ripe.net/analyse/internet-measurements/routing-i...

[1]: ftp://ftp.arin.net/pub/originAS/

[2]: ftp://ftp.arin.net/pub/

packetized9y ago

I always forget that this exists - thanks for the reminder.

justinsaccount9y ago

Oh, if that's what you want:

https://iptoasn.com/ https://pypi.python.org/pypi/pyasn

I've been working on tweaking pyasn a bit and building a service around that.

coderholic9y ago

Or if an API works for you, https://ipinfo.io

    $ curl ipinfo.io/8.8.8.8
    {
      "ip": "8.8.8.8",
      "hostname": "google-public-dns-a.google.com",
      "city": "Mountain View",
      "region": "California",
      "country": "US",
      "loc": "37.3860,-122.0840",
      "org": "AS15169 Google Inc.",
      "postal": "94035",
      "phone": "650"
    }

    $ curl ipinfo.io/8.8.8.8/org
    AS15169 Google Inc.

And ASN details are available on the web, eg https://ipinfo.io/AS15169

3 more replies

yusyusyus9y ago

Route server operators would prefer people didn't do something like this against their devices.

packetized9y ago

Agreed, that's why I'd run it against systems I operate that have at least one full view of the DFZ.

lucaspiller9y ago

Is this how Maxmind gets their data?

javajosh9y ago· 2 in thread

Note that this script installs "ipcalc" (or really, whatever is in http://jodies.de/ipcalc-archive/ipcalc-0.41.tar.gz) without user interaction.

I'm generally pretty not okay with scripts that curl | tar things (or apt-get install things, which this does if it's run on a linux) from the interwebs without my explicit consent.

jlgaddis9y ago

That shouldn't be an issue if you don't run it as root.

By running it as root, I'd argue that you did give explicit consent for the script to do anything it wants.

sigjuice9y ago

Sorry, no. The opposite, in fact. A script that demands to run as root on my computer needs to be extremely well mannered.

1 more reply

simplehuman9y ago· 2 in thread

I guess this is on hn because it sounds cool? It's impossible to understand what it is.

finnn9y ago

From the top of the script:

> A tool to enumerate CIDRs by querying RIRs & BGP ASN prefix lookups

> Currently queries: ARIN, RIPE NCC, APNIC, AfriNIC, LACNIC

> Queries are made for the Org name, network handles, org handles, customer handles,

> BGP prefixes, PoCs with target email domain, and 'notify' email address - used by

> some RIRs.

> Note that severl RIRs currently limit query results to 256 or less, so large

> target orgs may not return all results.

> LACNIC only allows query of ASN or IP address bloks & cannot search for Org names

> directly. The entire DB as been downloaded to a separate file for queries to this RIR.

> The file will be periodically updated to maintain accurate information.

> Output saved to two csv files - one for org & one for PoCs

> A txt file is also output with a full list of enumerated CIDRs

> Author: Jason Ashton (@ninewires)

> Created: 09/19/2016

simplehuman9y ago

This might well be Arabic. I have been in the industry for over 10 years and that explanation is meaningless

4 more replies

jauer9y ago· 1 in thread

OK, but what does it do? The README is pretty sparse. Some examples would really help.

Edit: the header from the script is good, toss it into the README for great success.

jlgaddis9y ago

It simplifies the process of finding the IP address blocks allocated/assigned to an organization.

> HardCidr is written by Jason Ashton, Senior Security Consultant at TrustedSec

I'm guessing it was written with pen-testing in mind.

mixologic9y ago· 1 in thread

This might give it some more context: https://www.trustedsec.com/march-2017/classy-inter-domain-ro...

mablap9y ago

It all makes sense now! This is much more pertinent than the code if you don't know much about the subject matter.

TheRealPomax9y ago· 1 in thread

Those are some cool acronyms that I've never heard of. Reading the README does not explain any more. It's quite the mystery how this got to the top-30...

jlgaddis9y ago

Perhaps because some of the people here do know what the acronyms stand for?

popol129y ago

I can't find how to make it work for european companies. For instance, fnac.com doesn't give any result with the -r option. Did I miss something ?

natch9y ago

>The script with no specified options will query ARIN and a pool of BGP route servers.

To what end?

blockfinder9y ago