Getting public IP address ranges for an organization

A small bash script that automates queries to the Qrator Radar public API.

Qrator Radar

The idea is to get the autonomous system (AS) number of an organization by its name and retrieve all related IPv4 prefixes. Why might you need this? For example, to be sure that you scan all of the organization's hosts reachable from the Internet during vulnerability management, penetration testing or bug bounty activity. Obviously, this will not work for smaller organizations that don't have their own AS.

name="Facebook"
# Resolve the organization name to the first matching AS number
as=$(curl -s "https://radar.qrator.net/search?query=$name" | grep -Eo '/as[0-9]+' | grep -Eo '[0-9]+' | head -n 1)
echo "name: $name (as$as)"
# Read the page count from the pager, fetch every page, extract the unique prefixes
curl -s "https://radar.qrator.net/api/prefixes/$as?tab_id=current&page=1" \
  | grep -Eo '(1 \\/ [0-9]*|"pager":")' \
  | awk 'BEGIN{a=1}{if($3==""){print 1}else{while(a<=$3){print a;a++}}}' \
  | xargs -I{} curl -s "https://radar.qrator.net/api/prefixes/$as?tab_id=current&page={}" \
  | grep -Eo '[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\\/[0-9]*' \
  | sed 's|\\/|/|g' | sort -n | uniq
name: Facebook (as32934)
31.13.24.0/21
31.13.64.0/18
31.13.64.0/19
31.13.64.0/24
...
179.60.195.0/24
185.60.216.0/22
185.60.216.0/24
185.60.218.0/24
204.15.20.0/22
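
The listing above contains overlapping prefixes (31.13.64.0/18 already covers 31.13.64.0/19 and 31.13.64.0/24), so the raw list should be validated and collapsed before it is used as a scan scope. The following is an added example, not part of the original post, using Python's standard `ipaddress` module; `SAMPLE`, `normalize_scope` and `in_scope` are hypothetical names, and the last three sample lines are constructed to show rejection.

```python
import ipaddress

# Constructed sample in the format the one-liner prints, plus three lines a
# loose pattern or a bad upstream record could yield (assumed for illustration).
SAMPLE = """\
name: Facebook (as32934)
31.13.24.0/21
31.13.64.0/18
31.13.64.0/19
31.13.64.0/24
185.60.216.0/22
185.60.216.0/24
185.60.218.0/24
204.15.20.0/22
.../
999.1.1.0/24
10.0.0.0/8
"""

def normalize_scope(text):
    """Return (collapsed networks, rejected lines) for a prefix listing."""
    nets, rejected = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("name:"):
            continue  # skip blanks and the "name: ... (asN)" header line
        try:
            net = ipaddress.IPv4Network(line)  # strict: host bits must be zero
        except ValueError:
            rejected.append(line)  # malformed octets, mask, or host bits set
            continue
        if net.is_private:
            rejected.append(line)  # not publicly routable, so not Internet-facing
        else:
            nets.append(net)
    # collapse_addresses drops prefixes covered by a broader one and merges siblings
    return list(ipaddress.collapse_addresses(nets)), rejected

def in_scope(host, nets):
    """True if the address falls inside one of the normalized networks."""
    addr = ipaddress.IPv4Address(host)
    return any(addr in net for net in nets)

if __name__ == "__main__":
    scope, bad = normalize_scope(SAMPLE)
    for net in scope:
        print(net)
    print("addresses:", sum(n.num_addresses for n in scope), "rejected:", bad)
```

Checking a target with `in_scope` before scanning keeps the work inside the ranges that were actually attributed to the organization.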

You can search for one of these ranges on Shodan and get some scan results. This works only for registered users:
net:"185.60.218.0/24"

Shodan Facebook results
