🤗 🕵🏾 🌘 Intelligence with geo2ip and reverse-whois ↙️ 🛢️ 🦓

The reconnaissance of the company's network resources mainly consists in brute-force subdomains with the subsequent resolution of the found network blocks. Then new level 2 domains can be found and the procedure is repeated again. This allows new IP addresses to be found at each iteration.

This method is perhaps the most effective. However, there were situations where the whole / 24 subnet was not found.

Nowadays, another powerful tool has appeared - passive dns, which allows you to do the same as a classic DNS resolution, but using a special API. This can be, for example, "virustotal" or "passive-total". These services record DNS requests and responses that are collected from popular DNS servers. The advantage of this approach is that we don't need brute force. We just enter the IP address and get all known DNS records. Or, conversely, by specifying DNS, we get all the IP addresses that are associated with this name. This approach has an undeniable advantage - we can find old site servers that were resolved earlier. After all, older sites are more likely to contain vulnerabilities.

Despite the techniques described above, there are still several slightly less popular, but still giving results. In this article, we will look at two more intelligence techniques - looking up IP addresses by geographic data (geo2ip) and finding IP addresses by company name (reverse-whois).

Geo2ip

I think many of us know what geoip is. It is used quite often by both developers and administrators. However, geoip is mainly used in the ip -> geo direction. In our case, it is not so interesting. It's funny, but before developing your own solution, not a single library was found that allows you to make requests in the opposite direction geo → ip. Therefore, it was decided to write our own tool, moreover, it is not so difficult to implement it.