Geographical IP Registries Geographical IP registries such as ARIN, RIPE, and APNIC are a gold mine for scouting: Look up owners of "seed" IPs discovered earlier to learn netblock range, owners, administrators, routing AS Numbers, etc. Then lookup up all netblocks owned by the same company, administrated by the same contacts, etc. Repeat, until you stop finding new IPs Collect phone numbers, office addresses, and emails while you're at it. Decide whether to include corporate siblings, subsidiaries, partnerships, etc. ARIN whois help screens: whois -h whois.arin.net \? whois -h rr.arin.net help