ASN: The OSINT Swiss Army Knife for Network Intelligence Gathering


Hook

An analyst handed a suspicious IP needs four answers at once: who owns it, whether its BGP route is RPKI-valid, what it exposes, and whether it sits in a reputation feed. Getting them usually means four tools and four browser tabs. A single Bash script returns all four from one command in a few seconds. That script is ASN.

Context

Network reconnaissance has traditionally meant stitching together a dozen specialised tools and services. Need to check who an IP belongs to? Fire up WHOIS. Want to know whether a BGP announcement is RPKI-valid? Query RIPEstat. Curious about exposed services? Open Shodan. Each answer lives in its own tab or terminal window, and the analyst does the correlation by hand.

That fragmentation hurts most during incident response, when the same questions arrive together: Who owns this ASN? Is the route origin covered by a valid ROA? What services does the host expose? Does it appear in reputation feeds? Has the route changed recently? ASN exists to answer them in one pass. It wraps Team Cymru's IP-to-ASN mapping service, RIPEstat (routing history and RPKI validation), Shodan scan data and several other public sources in a single command-line interface and returns a correlated report in a few seconds.

Technical Insight

ASN's architecture is deceptively simple: a single Bash script of several thousand lines that issues HTTP and whois queries to public services, parses the answers with jq, and renders the findings as colour-coded terminal output. There is no clever algorithm in it; the value is in knowing which sources to ask, in which order, and how to line their answers up.

One script serves three modes. In CLI mode you hand it an IP, an AS number, a domain or a URL; it fingerprints the input type and queries Team Cymru for the BGP origin, RIPEstat for RPKI status and AS relationships, a geolocation provider and an IP-reputation provider (the upstreams have changed between releases; the project README lists the current ones and which of them need an API key), and Shodan's InternetDB for exposed ports and known CVEs. A condensed lookup looks like this (field names and layout are summarised; the real report is longer):

# Query comprehensive intel on an IP address
$ asn 1.1.1.1

 ╔═══════════════════════════════════════════════════════╗
 ║ ASN lookup for 1.1.1.1                                 ║
 ╚═══════════════════════════════════════════════════════╝

→ ASN:           AS13335
→ Organization:  CLOUDFLARENET
→ BGP Prefix:    1.1.1.0/24
→ Country:       US (United States)
→ RPKI:          ✓ Valid (ROA found, prefix authorized)
→ Reputation:    Clean (AbuseIPDB confidence 0%)
→ Shodan:        53/tcp (DNS), 80/tcp (HTTP), 443/tcp (HTTPS)
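
The input fingerprinting and the Team Cymru parse, as an added example in POSIX sh that is not code from nitefood/asn: classify_target, parse_cymru and field are names chosen here, and the whois reply is constructed in the service's documented verbose layout rather than fetched, so the script runs offline. The real query is `whois -h whois.cymru.com " -v 1.1.1.1"`.

```sh
#!/usr/bin/env sh
# Added example (not code from nitefood/asn): fingerprint a lookup target the
# way a Team Cymru wrapper must, then parse the service's pipe-delimited reply.
# The reply below is constructed, not fetched, so this runs offline.

# Classify a target as url, ipv4, ipv6, asn, domain or unknown. URLs are tested
# first because an IPv6 literal inside a URL would otherwise look like an address.
classify_target() {
  case "$1" in
    http://*|https://*)             echo url ;;
    [0-9]*.[0-9]*.[0-9]*.[0-9]*)   echo ipv4 ;;
    *:*:*)                          echo ipv6 ;;
    [Aa][Ss][0-9]*|[0-9]*)          echo asn ;;
    *.*)                            echo domain ;;
    *)                              echo unknown ;;
  esac
}

# Parse a verbose whois.cymru.com reply (stdin) into key=value lines.
# Real query: whois -h whois.cymru.com " -v 1.1.1.1"
# Columns: AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
# An address with no covering route comes back with NA in the routing columns.
parse_cymru() {
  awk -F'|' '
    NR == 1 && $1 ~ /^AS[ \t]*$/ { next }          # header row
    {
      for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
      print "ip=" $2
      if ($1 == "NA") { print "status=unrouted"; next }
      print "status=routed"
      print "asn=AS" $1
      print "prefix=" $3
      print "cc=" $4
      print "name=" $7
    }'
}

# Pull one key out of parse_cymru output.
field() { grep "^$1=" | cut -d= -f2-; }

# Constructed reply in the service's verbose format (not a live response).
CYMRU_REPLY='AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
13335   | 1.1.1.1          | 1.1.1.0/24          | US | arin     | 2010-07-14 | CLOUDFLARENET, US
NA      | 10.0.0.1         | NA                  | NA | NA       | NA         | NA'

demo() {
  for t in 1.1.1.1 2606:4700:4700::1111 AS13335 https://one.one.one.one/ one.one.one.one; do
    printf '%-28s %s\n' "$t" "$(classify_target "$t")"
  done
  printf '%s\n' "$CYMRU_REPLY" | parse_cymru
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with `demo` as the argument to see the classification table and the parsed rows. The unrouted case matters in practice: RFC 1918 space, bogons and freshly hijacked-then-withdrawn prefixes all come back as NA, and a wrapper that assumes a numeric first column will emit "ASNA".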

The RPKI check shows the correlation at work. For each lookup ASN asks RIPEstat's validator whether the announced (prefix, origin AS) pair is covered by a Route Origin Authorization. The answer has three states: valid (a ROA names this origin and permits this prefix length), invalid (a ROA covers the prefix but the origin differs or the announcement is more specific than the ROA's maxLength, which is the shape of a hijack or a misconfiguration) and unknown (no ROA covers the prefix at all). ASN highlights invalid results in red. Unknown is still common and is not evidence of a hijack on its own; the absence of a ROA only means origin validation cannot say anything. Because the check runs on every lookup, it does not depend on an analyst remembering to do it.
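The decision behind those three states, written out in POSIX sh as an added example rather than code from nitefood/asn or from RIPEstat: rov_status implements RFC 6811 route origin validation for IPv4 against a ROA list. The function names and the ROA set are constructed here; a real ROA set would come from a validator's export (rpki-client, Routinator) or from the RIPEstat API.

```sh
#!/usr/bin/env sh
# Added example (not code from nitefood/asn): RFC 6811 route origin validation
# for IPv4, the decision a validator makes for each (prefix, origin) pair.
# ROAs are constructed lines "prefix maxlength origin".

# Dotted quad -> 32-bit integer.
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Does ROA prefix $1 cover announced prefix $2? Same network bits under the
# ROA's mask, and an announced length no shorter than the ROA's.
covers() {
  roa_len=${1#*/}; ann_len=${2#*/}
  [ "$ann_len" -ge "$roa_len" ] || return 1
  if [ "$roa_len" -eq 0 ]; then return 0; fi
  mask=$(( (4294967295 << (32 - roa_len)) & 4294967295 ))
  [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# rov_status PREFIX ORIGIN, ROAs on stdin -> valid | invalid | unknown.
#   valid:   a covering ROA names this origin and allows this length
#   invalid: covering ROAs exist but none matches (wrong origin, or more
#            specific than maxLength: the usual hijack shapes)
#   unknown: no covering ROA at all; common, and not an alert by itself
rov_status() {
  ann=$1; origin=$2; ann_len=${1#*/}; covered=0
  while read -r roa_prefix roa_max roa_origin; do
    [ -n "$roa_prefix" ] || continue
    covers "$roa_prefix" "$ann" || continue
    covered=1
    if [ "$roa_origin" = "$origin" ] && [ "$ann_len" -le "$roa_max" ]; then
      echo valid; return 0
    fi
  done
  if [ "$covered" -eq 1 ]; then echo invalid; else echo unknown; fi
}

# Constructed ROA set (not a live export).
ROAS='1.1.1.0/24 24 AS13335
1.0.0.0/24 24 AS13335
8.8.8.0/24 24 AS15169'

if [ "${1:-}" = demo ]; then
  for pair in '1.1.1.0/24 AS13335' '1.1.1.0/25 AS13335' '1.1.1.0/24 AS64496' '203.0.113.0/24 AS64496'; do
    printf '%-26s %s\n' "$pair" "$(printf '%s\n' "$ROAS" | rov_status $pair)"
  done
fi
```

Two of the demo cases are the ones that matter in an investigation: 1.1.1.0/25 from the right origin is invalid because the ROA's maxLength is 24, which is how a more-specific hijack is caught, and 1.1.0.0/16 would be unknown because a less-specific announcement is not covered by a /24 ROA. Note what the function cannot see: an attacker who forges a path ending in AS13335 gets valid, because origin validation only ever looks at the last AS in the path.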

Server mode turns ASN into a self-hosted web traceroute, in the spirit of bgp.he.net but with RPKI status and reputation data on every hop. Running asn -l starts a small HTTP listener built on ncat (from the nmap package); a bind address and port can be passed to override the defaults (asn -h lists them). A user enters a destination IP or hostname in the page, the backend runs mtr and enriches each hop with AS, geolocation and security context. No JavaScript framework, no npm packages: Bash emitting HTML with inline CSS.

# Start the lookup and web traceroute server (bind address and port are optional; see asn -h)
$ asn -l

The JSON mode (asn -j) emits the same findings in machine-readable form for SOAR playbooks or dashboards, and is the thing to pipe when another program consumes the output; scraping the coloured terminal report is fragile. Between the terminal report, the server's HTML and the -j JSON, one script serves three kinds of consumer without a framework underneath.

One underappreciated feature is the AS relationship view. Query an AS number rather than an IP and ASN pulls the network's neighbours as seen by BGP collectors, via RIPEstat: its upstream transit providers, its peers and its downstream customers, plus the prefixes it announces. Read together, these show the business relationships between autonomous systems:

# AS relationships and announced prefixes (illustrative counts; they change daily)
$ asn AS15169

→ Upstream Providers:  None observed (no transit; settlement-free peering)
→ Peers:               3,800+ networks
→ Downstream:          120+ customer networks
→ IPv4 Prefixes:       435 announced
→ IPv6 Prefixes:       187 announced

This is useful for reasoning about Internet topology. If traffic to a cloud provider transits an unexpected country, the relationship view shows which transit links make that path possible. Security teams use the same data to identify where a well-placed transit network, or a state that controls one, could observe or redirect traffic.
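How upstream, peer and downstream lists are derived from raw BGP paths, as an added example in POSIX sh that is not code from nitefood/asn or RIPEstat: as_neighbours is a name chosen here, and the paths use documentation ASNs (64496-64511) constructed for the example; real paths would come from a route collector dump.

```sh
#!/usr/bin/env sh
# Added example (not code from nitefood/asn): infer an AS's neighbours from
# collector AS paths, the raw material behind upstream/peer/downstream
# summaries. Paths are constructed with documentation ASNs.

# as_neighbours TARGET, paths on stdin (collector side first, origin last).
# Prints "left ASN count" for neighbours seen between the collector and the
# target (transit providers and peers) and "right ASN count" for neighbours
# the target announces onward (customers). Prepends are collapsed.
as_neighbours() {
  awk -v target="$1" '
    {
      prev = ""
      for (i = 1; i <= NF; i++) {
        if ($i == prev) continue                     # collapse prepends
        if ($i == target && prev != "") left[prev]++
        if (prev == target) right[$i]++
        prev = $i
      }
    }
    END {
      for (a in left)  printf "left %s %d\n", a, left[a]
      for (a in right) printf "right %s %d\n", a, right[a]
    }' | sort
}

# Constructed paths to 64500 and its customers, as several collectors might
# see them (the last one carries a prepend).
PATHS='64496 64500
64497 64500
64496 64500 64510
64498 64500 64510
64498 64500 64500 64511'

if [ "${1:-}" = demo ]; then
  printf '%s\n' "$PATHS" | as_neighbours 64500
fi
```

Path position alone separates "towards the collectors" from "towards the origin"; it does not separate a peer from a paid transit provider, which is why relationship datasets add heuristics (a neighbour that is the only way in from many collectors is almost certainly transit). Treat the left/right split as the input to that reasoning, not its conclusion.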

Dependencies are minimal: bash 4+, curl, jq and whois, with mtr for traceroutes and ncat for server mode; the README lists the handful of other small helpers. No pip install, no npm, no gem. Optional tools that are missing simply switch off their features rather than crashing the script.

Gotcha

ASN's biggest liability is its dependence on third-party APIs, their availability and their rate limits. Every data source can go down, throttle, or change its response format. The Shodan data comes from the keyless InternetDB endpoint, which gives open ports, hostnames, CPEs and CVE IDs but not full banners. Geolocation and reputation providers cap their free tiers (IPinfo's, for example, at 50,000 requests a month) and want API keys beyond that. RIPEstat can serve stale routing data while its caches refresh. If Team Cymru's whois service hiccups, BGP origin lookups fail outright. Nothing is cached between runs, so repeated queries against the same IP keep spending quota.

Bulk work is slow. Targets are processed one at a time from a Bash loop, so hundreds of IPs take minutes where a compiled tool with connection pooling would take seconds. Traceroute mode depends on mtr, which probes with ICMP echo by default; where ICMP is filtered the hops come back blank (if you run mtr yourself, -u for UDP or -T for TCP often fills them in). The RPKI check is origin validation only: it catches a wrong origin AS or a too-specific announcement, but it says nothing about the rest of the path, so an attacker who forges an announcement ending in the legitimate origin AS still shows as valid, and the verdict reflects RIPEstat's view of the RPKI repositories rather than what your own routers validate. It also cannot help if the resource holder's own registry account is compromised and a ROA is issued for the attacker. The tool inherits WHOIS inaccuracies as well: organisations rarely update registry records, so contact details and geolocation hints are often stale.
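The missing persistent cache is easy to add in front of the tool or in front of the underlying API calls. This is an added example in POSIX sh, not code from nitefood/asn: cached_lookup is a name chosen here, it stores one file per target under a cache directory with the fetch time as the first line, and fake_fetch is a constructed stand-in for a network call so the behaviour can be checked offline.

```sh
#!/usr/bin/env sh
# Added example (not code from nitefood/asn): a small on-disk cache with a TTL
# in front of any lookup command, so repeated queries for the same target do
# not spend API quota. fake_fetch is a constructed stand-in for a network call.

CACHE_DIR=${CACHE_DIR:-${TMPDIR:-/tmp}/asn-cache}
CACHE_TTL=${CACHE_TTL:-3600}    # seconds

# cached_lookup NAME TARGET CMD... -> prints the output of "CMD TARGET", served
# from cache while a copy younger than CACHE_TTL exists.
# File layout: first line = epoch of fetch, remaining lines = body.
cached_lookup() {
  name=$1; target=$2; shift 2
  mkdir -p "$CACHE_DIR"
  # cksum keeps arbitrary targets (URLs, IPv6) out of the file name
  file="$CACHE_DIR/$name-$(printf '%s' "$target" | cksum | cut -d' ' -f1)"
  now=$(date +%s)
  if [ -f "$file" ]; then
    stamp=$(head -n 1 "$file")
    if [ $(( now - stamp )) -lt "$CACHE_TTL" ]; then
      tail -n +2 "$file"
      return 0
    fi
  fi
  body=$("$@" "$target") || return 1          # failures are not cached
  { echo "$now"; printf '%s\n' "$body"; } > "$file"
  printf '%s\n' "$body"
}

# Constructed stand-in for a remote query (e.g. Team Cymru); records each call
# so hits and misses are observable.
fake_fetch() {
  echo call >> "$CACHE_DIR/.calls"
  echo "asn=AS13335 target=$1"
}

if [ $# -gt 0 ]; then
  cached_lookup cymru "$1" fake_fetch
fi
```

In real use the last argument would be a function that wraps `whois -h whois.cymru.com` or a curl call to RIPEstat, and the TTL should follow the data: BGP origin and RPKI state can change within minutes during an incident, so an hour is an upper bound, while WHOIS registry data can safely be cached for a day. Failed fetches are deliberately not written, so a transient API outage does not poison the cache.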

Verdict

Use ASN for incident response, OSINT reconnaissance or network troubleshooting where you want BGP context, RPKI status and reputation data in one view: analysts triaging alerts, SOC teams investigating a suspicious IP, network engineers chasing a routing anomaly. A single script plus a handful of standard utilities is easy to drop onto a jump box or an ephemeral investigation VM. Skip it if you need programmatic integration at enterprise scale with guaranteed SLAs (build against the underlying APIs directly), must operate without access to the public databases, or need sub-second answers for real-time monitoring (a lookup takes a few seconds because of the API round trips). It is also the wrong tool for active scanning: everything it does is passive reconnaissance over public data, not port scanning or vulnerability assessment.
