File asn-query

Download: http://nmap.org/svn/scripts/asn-query.nse

User Summary

Maps IP addresses to autonomous system (AS) numbers.

The script works by sending DNS TXT queries to a DNS server which in turn queries a third-party service provided by Team Cymru (team-cymru.org) using an in-addr.arpa style zone set up especially for use by Nmap.

The responses to these queries contain both Origin and Peer ASNs and their descriptions, displayed along with the BGP Prefix and Country Code.

The script caches results to reduce the number of queries and should perform a single query for all scanned targets in a BGP Prefix present in Team Cymru's database.

Be aware that any targets against which this script is run will be sent to and potentially recorded by one or more DNS servers and Team Cymru. In addition, your IP address will be sent along with the ASN to a DNS server (your default DNS server, or whichever one you specified with the dns script argument).
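
The query naming and per-prefix caching described above, as an added Python sketch (not the script's own Lua code and not from the Nmap project). It assumes reversed-octet (IPv6: reversed-nibble) labels under the zones listed on this page and a TXT answer laid out as "ASNs | prefix | CC | ..."; the resolver and its answer are constructed, so nothing is sent on the network.

```python
import ipaddress

# Zones from the page's "cymru" table (no IPv6 peer zone is listed there).
ZONES = {("origin", 4): "nmap.asn.cymru.com",
         ("peer", 4): "peer-nmap.asn.cymru.com",
         ("origin", 6): "nmap6.asn.cymru.com"}

def query_name(ip, asn_type="origin"):
    """Name that leaves the scanning host for this target (label order assumed)."""
    addr = ipaddress.ip_address(ip)
    zone = ZONES[(asn_type, addr.version)]
    # reverse_pointer is "52.134.13.64.in-addr.arpa"; drop the two-label suffix.
    labels = addr.reverse_pointer.rsplit(".", 2)[0]
    return f"{labels}.{zone}"

def parse_txt(txt):
    """Parse 'ASNs | prefix | CC | ...' (assumed field order) into a record."""
    fields = [f.strip() for f in txt.strip('"').split("|")]
    if len(fields) < 3:
        raise ValueError(f"unrecognised answer: {txt!r}")
    return {"asns": fields[0].split(),
            "prefix": ipaddress.ip_network(fields[1]),
            "country": fields[2]}

def lookup_all(targets, resolver):
    """Return (results per target, list of query names actually sent)."""
    cache, sent, results = [], [], {}
    for ip in targets:
        addr = ipaddress.ip_address(ip)
        if addr.is_private:            # hostrule: non-private addresses only
            continue
        hits = [r for r in cache if addr in r["prefix"]]
        if not hits:                   # no cached BGP prefix covers this target
            name = query_name(ip)
            sent.append(name)          # this name is visible to the resolver
            hits = [parse_txt(t) for t in resolver(name)]
            cache.extend(hits)
        results[ip] = hits
    return results, sent

# Constructed answer; AS, prefix and country follow the page's sample output,
# REGISTRY and DATE are placeholders for the trailing fields.
SAMPLE = {"52.134.13.64.nmap.asn.cymru.com":
          ["10565 | 64.13.128.0/21 | US | REGISTRY | DATE"]}

def fake_resolver(name):
    return SAMPLE.get(name, [])

if __name__ == "__main__":
    print(lookup_all(["64.13.134.52", "64.13.134.53", "192.168.1.187"], fake_resolver))
```

The list of sent names is what a resolver operator or Team Cymru could log: here one name covers both public targets, and the private address produces no query at all.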

Script Arguments

dns

The address of a recursive nameserver to use (optional).

Example Usage

nmap --script asn-query.nse [--script-args dns=<DNS server>] <target>

Script Output

Host script results:
|  asn-query:
|  BGP: 64.13.128.0/21 | Country: US
|    Origin AS: 10565 SVCOLO-AS - Silicon Valley Colocation, Inc.
|      Peer AS: 3561 6461
|  BGP: 64.13.128.0/18 | Country: US
|    Origin AS: 10565 SVCOLO-AS - Silicon Valley Colocation, Inc.
|_     Peer AS: 174 2914 6461

Requires


categories discovery external safe

author jah, Michael

copyright © Same as Nmap--See http://nmap.org/book/man-legal.html

Action

action (host)

Cached results are checked before sending a query for the target and extracting the relevant information from the response. Mutual exclusion is used so that results can be cached and so a single thread will be active at any time.

Parameters

  • host: Host table.

Return value:

Formatted answers or nil on errors.

Hostrule

hostrule (host)

This script will run for any non-private IP address.

Parameters

  • host:

Functions

asn_description (asn)

Performs an AS Number to AS Description lookup.

check_cache (ip)

Checks whether the target IP address is within any BGP prefixes for which a query has already been performed and returns a pointer to the HOST SCRIPT RESULT displaying the applicable answers.

get_assignment (ip, prefix)

Given an IP address and a prefix length, returns a string representing a valid IP address assignment (size is not checked) which contains the supplied IP address. For example, with ip = "192.168.1.187" and prefix = 24 the return value will be "192.168.1.1-192.168.1.255"

get_prefix_length (range)

Calculates the prefix length for the given IP address range.

ip_to_asn (query)

Performs an IP address to ASN lookup. See http://www.team-cymru.org/Services/ip-to-asn.html#dns.

nice_output (output, combined_records)

Decides what to output based on the content of the supplied parameters and formats it for return by action.

process_answers (records, output, ip)

Processes records which are recognized DNS answers by combining them into unique BGPs before caching them in the registry and returning combined_records. If there aren't any records (No Such Name message or DNS failure) we signal this fact to other threads by using the cache and return with an empty table.

result_recog (answers, asn_type, recs, discoverer_ip)

Extracts fields from the supplied DNS answer sections and generates a records entry for each.

Tables

cymru

Team Cymru zones for rDNS-like queries. The zones are as follows:

  • nmap.asn.cymru.com for IPv4 to Origin AS lookup.
  • peer-nmap.asn.cymru.com for IPv4 to Peer AS lookup.
  • nmap6.asn.cymru.com for IPv6 to Origin AS lookup.



Functions

asn_description (asn)

Performs an AS Number to AS Description lookup.

Parameters

  • asn: String AS number.

Return value:

String description or "".

check_cache (ip)

Checks whether the target IP address is within any BGP prefixes for which a query has already been performed and returns a pointer to the HOST SCRIPT RESULT displaying the applicable answers.

Parameters

  • ip: String representing the target IP address.

Return values:

  1. Boolean true if there are cached answers for the supplied target, otherwise false.
  2. Table containing a string for each answer or nil if there are none.

get_assignment (ip, prefix)

Given an IP address and a prefix length, returns a string representing a valid IP address assignment (size is not checked) which contains the supplied IP address. For example, with ip = "192.168.1.187" and prefix = 24 the return value will be "192.168.1.1-192.168.1.255"

Parameters

  • ip: String representing an IP address.
  • prefix: String or number representing a prefix length. Should be of the same address family as ip.

Return values:

  1. String representing a range of addresses from the first to the last hosts (or nil in case of an error).
  2. nil or error message in case of an error.

get_prefix_length (range)

Calculates the prefix length for the given IP address range.

Parameters

  • range: String representing an IP address range.

Return value:

Number - prefix length of the range.

ip_to_asn (query)

Performs an IP address to ASN lookup. See http://www.team-cymru.org/Services/ip-to-asn.html#dns.

Parameters

  • query: String - PTR-like DNS query.

Return values:

  1. Boolean true for a successful DNS query resulting in an answer, otherwise false.
  2. Table of answers or a string error message.

nice_output (output, combined_records)

Decides what to output based on the content of the supplied parameters and formats it for return by action.

Parameters

  • output: String non-answer message to be returned as is or an empty table.
  • combined_records: Table containing combined records.

Return value:

Formatted nice output string.

process_answers (records, output, ip)

Processes records which are recognized DNS answers by combining them into unique BGPs before caching them in the registry and returning combined_records. If there aren't any records (No Such Name message or DNS failure) we signal this fact to other threads by using the cache and return with an empty table.

Parameters

  • records: Table of recognized answers (may be empty).
  • output: String non-answer message or an empty table.
  • ip: String host.ip.

Return value:

Table containing combined records for the target (or an empty table).

result_recog (answers, asn_type, recs, discoverer_ip)

Extracts fields from the supplied DNS answer sections and generates a records entry for each.

Parameters

  • answers: Table containing string DNS answers.
  • asn_type: String denoting whether the query is for Origin or Peer ASN.
  • recs: Table of existing recognized answers to which to add (refer to the records table inside action).
  • discoverer_ip:

Return value:

Boolean true if successful otherwise false.

