Trojan Horse Security offers official testing and certification as a Certified Cyber Hacker (CCH), based upon this syllabus.
DISCOVERING IP RANGES
TROJAN HORSE SECURITY IS TEACHING THESE CONCEPTS FOR EDUCATIONAL PURPOSES ONLY. WE DO NOT CONDONE ILLEGAL HACKING. TROJAN HORSE SECURITY CONSULTANTS ARE HIRED AS ETHICAL HACKERS AT THE REQUEST OF ORGANIZATIONS WITH PERMISSION TO HACK THEIR NETWORKS AND SYSTEMS.
There are many ways to discover the IP ranges owned by a company. Let's go through some of the most common ways to give you an idea.
The easiest way to get started is to run a whois query against the company name. This is done on the command line on your Linux box:
# whois -h whois.arin.net Google
<snip>
GOOGLE (C00975227) ABOV-T324-64-124-112-24-29 (NET-64-124-112-24-1) 64.124.112.24 - 64.124.112.31
GOOGLE (C00975291) ABOV-T324-209-249-73-64-29 (NET-209-249-73-64-1) 209.249.73.64 - 209.249.73.71
GOOGLE (C00976518) ABOV-T324-64-124-229-168-29 (NET-64-124-229-168-1) 64.124.229.168 - 64.124.229.175
GOOGLE (C01039107) UU-65-214-255-96 (NET-65-214-255-96-1) 65.214.255.96 - 65.214.255.111
GOOGLE (C01069311) UU-65-211-194-96-D8 (NET-65-211-194-96-1) 65.211.194.96 - 65.211.194.111
GOOGLE (C01069313) UU-65-223-8-48-D6 (NET-65-223-8-48-1) 65.223.8.48 - 65.223.8.63
Google (C01069315) UU-65-221-133-176-D6 (NET-65-221-133-176-1) 65.221.133.176 - 65.221.133.191
GOOGLE (C01226236) UU-63-84-190-224-D4 (NET-63-84-190-224-1) 63.84.190.224 - 63.84.190.255
Google (C01226466) TWTC-GOOGLE-01 (NET-64-128-207-160-1) 64.128.207.160 - 64.128.207.175
GOOGLE (C01325434) UU-65-196-235-32-D4 (NET-65-196-235-32-1) 65.196.235.32 - 65.196.235.47
Google (C01326476) TWTC-ATLA-C-GOOGLE-0 (NET-66-192-134-32-1) 66.192.134.32 - 66.192.134.47
GOOGLE (C01330493) UU-65-214-112-96-D21 (NET-65-214-112-96-1) 65.214.112.96 - 65.214.112.127
Google (C01791017) GOOGLE (NET-70-90-219-72-1) 70.90.219.72 - 70.90.219.79
Google (C01791073) GOOGLE (NET-70-90-219-48-1) 70.90.219.48 - 70.90.219.55
Google (C02765668) GOOGLE (NET-199-87-241-32-1) 199.87.241.32 - 199.87.241.63
Google (C04633564) C04633564-NET (NET-208-74-177-144-1) 208.74.177.144 - 208.74.177.159
Google (C05412539) ZAYO-IPYX-099410-128-177-174-32-28 (NET-128-177-174-32-1) 128.177.174.32 - 128.177.174.47
As you can see, this revealed many IP ranges for Google.
This will not always return results. Sometimes you need to enter an IP address instead and look up the range it belongs to, which gives you a range owned by your target. You get such an IP address by querying DNS for domain names owned by the target company; this is covered in the Querying DNS lesson. I suggest you take that lesson and then come back here with some IP addresses to play with.
Once you have an IP address, run the following command to find the whole IP subnet it belongs to:
# whois -h whois.arin.net 199.87.241.50
<snip>
NetRange: 199.87.240.0 - 199.87.243.255
CIDR: 199.87.240.0/22
NetName: FNI-BLOCKA
NetHandle: NET-199-87-240-0-1
Parent: NET199 (NET-199-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS22873
Organization: Fiber Networx Inc. (FN)
RegDate: 2011-02-03
Updated: 2012-02-24
Ref: http://whois.arin.net/rest/net/NET-199-87-240-0-1
Here you can see the full subnet range on the first two lines: NetRange gives the start and end addresses, and CIDR gives the same block in prefix notation.
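The two shapes of ARIN output shown above (the per-organization listing of customer ranges, and the single network record with NetRange and CIDR fields) are easy to parse once you have saved them to a file. The following Python script is an added example, not part of the lesson or of the whois tool: it turns the listing into CIDR blocks, cross-checks that a record's CIDR field really covers its NetRange, and tests whether a given address falls inside the record. The sample inputs are constructed from the formats shown in this lesson, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample in the shape of `whois -h whois.arin.net <orgname>` output.
ORG_LISTING = """\
<snip>
GOOGLE (C00975227) ABOV-T324-64-124-112-24-29 (NET-64-124-112-24-1) 64.124.112.24 - 64.124.112.31
Google (C01791017) GOOGLE (NET-70-90-219-72-1) 70.90.219.72 - 70.90.219.79
Google (C02765668) GOOGLE (NET-199-87-241-32-1) 199.87.241.32 - 199.87.241.63
"""

# Constructed sample in the shape of `whois -h whois.arin.net <ip>` output.
NET_RECORD = """\
NetRange:       199.87.240.0 - 199.87.243.255
CIDR:           199.87.240.0/22
NetName:        FNI-BLOCKA
NetHandle:      NET-199-87-240-0-1
OriginAS:       AS22873
Organization:   Fiber Networx Inc. (FN)
Ref:            http://whois.arin.net/rest/net/NET-199-87-240-0-1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One listing line: ORG (CUSTOMER-HANDLE) NETNAME (NET-HANDLE) START - END
LISTING_RE = re.compile(
    r"^(?P<org>.+?)\s+\((?P<customer>C\d+)\)\s+(?P<netname>\S+)\s+"
    r"\((?P<nethandle>NET-[\w-]+)\)\s+(?P<start>" + IPV4 + r")\s+-\s+"
    r"(?P<end>" + IPV4 + r")\s*$"
)


def range_to_cidrs(net_range):
    """Convert 'a.b.c.d - w.x.y.z' into the minimal list of CIDR blocks covering it."""
    start_s, end_s = (s.strip() for s in net_range.split("-", 1))
    start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def parse_org_listing(text):
    """Parse the per-organization listing; lines that do not match (headers, <snip>) are skipped."""
    blocks = []
    for raw in text.splitlines():
        m = LISTING_RE.match(raw.strip())
        if not m:
            continue
        blocks.append({
            "org": m["org"],
            "customer": m["customer"],
            "netname": m["netname"],
            "nethandle": m["nethandle"],
            "cidrs": range_to_cidrs(f"{m['start']} - {m['end']}"),
        })
    return blocks


def all_cidrs(blocks):
    """Flatten a parsed listing into a collapsed, sorted list of CIDR blocks."""
    nets = [ipaddress.ip_network(c) for b in blocks for c in b["cidrs"]]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def parse_net_record(text):
    """Parse the 'Key: value' lines of a single network record into a dict."""
    record = {}
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, value = raw.split(":", 1)  # split once so URLs in values survive
        record[key.strip()] = value.strip()
    return record


def record_cidrs(record):
    """The CIDR field may list several comma-separated blocks; return them all."""
    return [c.strip() for c in record.get("CIDR", "").split(",") if c.strip()]


def cidr_consistent_with_range(record):
    """Cross-check that the CIDR field covers exactly the addresses in NetRange."""
    from_cidr = sorted(ipaddress.ip_network(c) for c in record_cidrs(record))
    from_range = sorted(ipaddress.ip_network(c) for c in range_to_cidrs(record["NetRange"]))
    return from_cidr == from_range


def ip_in_record(ip, record):
    """True if the address falls inside any CIDR block of the record."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in record_cidrs(record))


if __name__ == "__main__":
    blocks = parse_org_listing(ORG_LISTING)
    for b in blocks:
        print(b["nethandle"], ",".join(b["cidrs"]))
    print("collapsed:", all_cidrs(blocks))
    rec = parse_net_record(NET_RECORD)
    print(rec["NetHandle"], record_cidrs(rec), "consistent:", cidr_consistent_with_range(rec))
    print("199.87.241.50 in record:", ip_in_record("199.87.241.50", rec))
```

Two points worth noting when you use output like this. First, the organization-name search matches on the name string, so check the customer and organization fields before treating every returned range as the target's; the lesson's own caveat that the listing is not always comprehensive also means a clean result is not proof that nothing else exists. Second, the NetRange/CIDR cross-check is cheap insurance against a mistyped or hand-edited record when you later compare addresses against the ranges you collected.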
You may also notice from the Ref line that this information can be viewed in a web browser, which is sometimes the simplest way to go. For North American targets, browse to arin.net; the search box in the top right lets you run the same queries. You can also follow the links in the results to find all the ranges owned by the company: click ORGANIZATION > RELATED NETWORKS and you will see these IP ranges. The results are not always comprehensive, and you may need to do some more searching, but with a little work you can find all the IP ranges owned by a company. Now you have some targets!