Posts Tagged ‘whois’

HOWTO: Gathering All The Information About An IP Address

Thursday, May 21st, 2009

Would you like to know more about that attacker, or about who the sucker is that is eating all your bandwidth? You can!

The information is spread all around the internet. In this example I will use one of the addresses that ripe.net resolves to.
I am using a Linux system, but there is also an online whois tool that you can use.

$ host ripe.net
ripe.net has address 193.0.19.25
ripe.net has IPv6 address 2001:610:240:11::c100:1319

Now, it is not always like this, because some addresses have their records in ARIN (the North American region) or in one of the other registries around the world, but I will focus on the RIPE database for now.

As we can see, ripe.net resolves to 193.0.19.25. To find out more, do a whois on that IP address.

$ whois 193.0.19.25
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '193.0.18.0 - 193.0.21.255'

inetnum: 193.0.18.0 - 193.0.21.255
netname: RIPE-NCC
descr: RIPE Network Coordination Centre
descr: Amsterdam, Netherlands
remarks: Used for RIPE NCC infrastructure.
country: NL
admin-c: AMR68-RIPE
admin-c: BRD-RIPE
tech-c: OPS4-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-MNT
mnt-lower: RIPE-NCC-MNT
source: RIPE # Filtered

role: RIPE NCC Operations
address: Singel 258
address: 1016 AB Amsterdam
address: The Netherlands
phone: +31 20 535 4444
fax-no: +31 20 535 4445
e-mail: X@ripe.net
admin-c: AMR68-RIPE
admin-c: BRD-RIPE
tech-c: GL7321-RIPE
tech-c: JA47
tech-c: MENN1-RIPE
tech-c: EMIL-RIPE
tech-c: SSIE-RIPE
tech-c: RCO-RIPE
tech-c: APZ-RIPE
tech-c: CNAG-RIPE
tech-c: SMCA-RIPE
tech-c: BOH-RIPE
nic-hdl: OPS4-RIPE
mnt-by: RIPE-NCC-MNT
source: RIPE # Filtered

… output omitted …

% Information related to '193.0.18.0/23AS3333'

route: 193.0.18.0/23
descr: RIPE-NCC
origin: AS3333
mnt-by: RIPE-NCC-MNT
source: RIPE # Filtered

You can see from the whois output that this address is part of the range 193.0.18.0 - 193.0.21.255, which has been assigned to RIPE NCC (status ASSIGNED PI). The matching route object says it lives in the prefix 193.0.18.0/23 with AS3333 as the origin. Keep in mind that a route object is a declaration made by whoever maintains it, not proof of what is actually in the routing table, so the next step is to check.

Check the Real World BGP
We can check whether this is correct by using a looking glass; AS6453 has a public one online.
Choose BGP and enter the IP address 193.0.19.25.
Look for the line "BGP routing table entry for ...": the address turns out to be announced as a /21, a larger aggregate than the /23 in the route object. Do the arithmetic before trusting a prefix you read off a screen, though: 193.0.0.0/21 only covers 193.0.0.0 - 193.0.7.255, so the /21 that contains 193.0.19.25 is 193.0.16.0/21 (193.0.16.0 - 193.0.23.255). Always check that the prefix a looking glass shows actually covers the address you asked about.
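The containment check above is easy to get wrong by eye, so here is an added example (not code from the original post; the helper names ip_to_int, netmask_of, cidr_range and cidr_contains are made up for it) of doing it in plain POSIX sh: converting between the CIDR notation used in route objects and the "first - last" form used in inetnum objects, and testing whether an address really falls inside a prefix. The addresses are the ones from the whois output above, and nothing here touches the network.

```shell
#!/bin/sh
# Added example, not code from the original post. The helper names are my own.
# Pure 32-bit arithmetic in $(( )), no network access, no external tools but tr/printf.

# ip_to_int 193.0.19.25 -> 3238007577 (the address as a 32-bit number)
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3238007577 -> 193.0.19.25
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmask_of 21 -> 4294965248 (0xFFFFF800, the mask of a /21)
netmask_of() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# cidr_range 193.0.16.0/21 -> "193.0.16.0 - 193.0.23.255"
# Route objects use CIDR, inetnum objects use this "first - last" form,
# so this is what you need in order to compare the two.
cidr_range() {
    mask=$(netmask_of "${1#*/}")
    first=$(( $(ip_to_int "${1%/*}") & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip "$first") - $(int_to_ip "$last")"
}

# cidr_contains IP PREFIX: exit status 0 if IP lies inside PREFIX, 1 otherwise.
cidr_contains() {
    mask=$(netmask_of "${2#*/}")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# Demo: the /23 from the route object, the /21 that does not cover the
# address, and the /21 that really does.
for prefix in 193.0.18.0/23 193.0.0.0/21 193.0.16.0/21; do
    if cidr_contains 193.0.19.25 "$prefix"; then hit=yes; else hit=no; fi
    printf '%-15s %-28s contains 193.0.19.25: %s\n' "$prefix" "$(cidr_range "$prefix")" "$hit"
done
```

The same two helpers are handy when an inetnum range and a route prefix disagree: convert both to numbers and you immediately see which one is the aggregate and which one is the more specific.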

We can go further and run an inverse query for every route object with origin AS3333, to see whether the prefix is part of a larger range.

This time I have to ask whois.ripe.net directly: the whois client on Linux picks the right server for a normal object lookup on its own, but it has no way of knowing which server an inverse query belongs to. The "--" ends the client's own option parsing, so "-i origin" is passed through to the server unchanged.

$ whois -h whois.ripe.net -- -i origin AS3333
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '193.0.0.0/21AS3333'

route: 193.0.0.0/21
descr: RIPE-NCC
origin: AS3333
mnt-by: RIPE-NCC-MNT
source: RIPE # Filtered

% Information related to '193.0.12.0/23AS3333'

route: 193.0.12.0/23
descr: RIPE-NCC
descr: Specific range for nameserver operations.
origin: AS3333
mnt-by: RIPE-NCC-MNT
source: RIPE # Filtered

% Information related to '193.0.18.0/23AS3333'

route: 193.0.18.0/23
descr: RIPE-NCC
origin: AS3333
mnt-by: RIPE-NCC-MNT
source: RIPE # Filtered

% Information related to '193.0.20.0/23AS3333'

route: 193.0.20.0/23
descr: RIPE-NCC
origin: AS3333
mnt-by: RIPE-NCC-MNT
source: RIPE # Filtered

There we go: 193.0.0.0/21 has a route object as well. Taken together, these look like pieces of a larger, special /18 (193.0.0.0/18), parts of which are handed out to network operators; according to the remarks in the database, RIPE NCC itself has taken 193.0.0.0/19 for its own network. (And that is just a little of what I gathered in three minutes.)

A whois of the AS Number:

$ whois AS3333
[… output omitted ….]
% Information related to 'AS3333'

aut-num: AS3333
as-name: RIPE-NCC-AS
descr: RIPE Network Coordination Centre
[… output omitted …]

Usually you will also find a reference to an organisation object. To check a prefix, run whois PREFIX | grep ^org, or use egrep to also pick up the type of address space; you will often get a result like this:

$ whois 193.0.0.0/18 | egrep '^(org|status)'
org: ORG-NCC1-RIPE
status: ALLOCATED UNSPECIFIED
organisation: ORG-NCC1-RIPE
org-name: RIPE NCC
org-type: RIR

The org-name is the name of the organisation; the org-type can be, for example:

  1. RIR – Regional Internet Registry (king of the hill [or continent])
  2. LIR – Local Internet Registry (basically an ISP)
  3. OTHER – Other type, for example end users holding PI address space

The status tells you what kind of address space it is; it can be, for example:

  1. ALLOCATED UNSPECIFIED – often legacy address space that was not handed out under the current policies.
  2. ALLOCATED PA – Provider Aggregatable: a larger block allocated to an LIR, which makes assignments (ASSIGNED PA) to its customers out of it.
  3. ALLOCATED PI / ASSIGNED PI – Provider Independent: address space for organisations (often registered as OTHER) that are NOT RIPE NCC members (LIRs) themselves. ALLOCATED PI is the block an LIR received for making such assignments; the end-user assignment itself shows up as ASSIGNED PI, as the RIPE NCC inetnum above does. PI space lets a company multihome and change providers without renumbering, rather than taking an assignment out of a provider's PA block.

I guess you have figured out that you can also run whois on the org handle, 'ORG-NCC1-RIPE'.
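The whole walk-through above boils down to "read a few attributes out of RPSL text, then feed what you found into the next query". As an added example (not code from the original post; the helper names rpsl_attr, rpsl_classes and next_queries are made up for it), the POSIX sh functions below do that parsing with awk over a whois reply on stdin and print the follow-up lookups: the aut-num for every origin AS found, the "-- -i origin" inverse query for that AS, and any org handle. The sample reply at the top is a constructed, trimmed copy of the RIPE output shown earlier, so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post. The helper names are my own.
# Runs offline against the embedded sample; swap the sample for "whois -h whois.ripe.net IP".

# Constructed sample: a trimmed copy of the RIPE reply for 193.0.19.25 shown above.
SAMPLE=$(cat <<'EOF'
% This is the RIPE Whois query server #3.
% Note: This output has been filtered.

% Information related to 193.0.18.0 - 193.0.21.255

inetnum:      193.0.18.0 - 193.0.21.255
netname:      RIPE-NCC
descr:        RIPE Network Coordination Centre
country:      NL
admin-c:      AMR68-RIPE
tech-c:       OPS4-RIPE
status:       ASSIGNED PI
mnt-by:       RIPE-NCC-MNT
source:       RIPE # Filtered

role:         RIPE NCC Operations
nic-hdl:      OPS4-RIPE
source:       RIPE # Filtered

% Information related to 193.0.18.0/23AS3333

route:        193.0.18.0/23
descr:        RIPE-NCC
origin:       AS3333
mnt-by:       RIPE-NCC-MNT
source:       RIPE # Filtered
EOF
)

# rpsl_attr ATTR: print every value of attribute ATTR from RPSL text on stdin.
# Server comments (lines starting with %) and "# Filtered" trailers are dropped.
rpsl_attr() {
    awk -v attr="$1" '
        /^%/ { next }
        $1 == (attr ":") {
            sub(/^[^:]*:[ \t]*/, "")   # strip "attr:" and the padding
            sub(/[ \t]*#.*$/, "")      # strip "# Filtered"-style trailers
            print
        }'
}

# rpsl_classes: print the class (first attribute name) of each object on stdin.
# Objects are separated by blank lines, so the first line after a blank names the class.
rpsl_classes() {
    awk '
        /^%/ { next }
        /^[ \t]*$/ { inobj = 0; next }
        !inobj { sub(/:.*/, ""); print; inobj = 1 }'
}

# next_queries: from a whois reply on stdin, print the follow-up lookups used in
# the post: the aut-num for every origin AS, the inverse query for all route
# objects of that AS (the "--" stops the client from eating "-i"), and any org handle.
next_queries() {
    text=$(cat)
    for as in $(printf '%s\n' "$text" | rpsl_attr origin | sort -u); do
        echo "whois -h whois.ripe.net $as"
        echo "whois -h whois.ripe.net -- -i origin $as"
    done
    for org in $(printf '%s\n' "$text" | rpsl_attr org | sort -u); do
        echo "whois -h whois.ripe.net $org"
    done
}

# Demo on the embedded sample.
echo "objects: $(printf '%s\n' "$SAMPLE" | rpsl_classes | tr '\n' ' ')"
echo "range:   $(printf '%s\n' "$SAMPLE" | rpsl_attr inetnum)"
echo "status:  $(printf '%s\n' "$SAMPLE" | rpsl_attr status)"
echo "route:   $(printf '%s\n' "$SAMPLE" | rpsl_attr route) via $(printf '%s\n' "$SAMPLE" | rpsl_attr origin)"
echo "next:"
printf '%s\n' "$SAMPLE" | next_queries
```

Because the parser keys on the attribute name in column one, it works unchanged on the inverse-query output and on the aut-num and organisation objects too; pipe a real reply in and the second loop will pick up the org: handle the moment the server returns one.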

Let me know if I also should write a tutorial on how to update and perform changes to the RIPE whois database!

8 Great Resources that Every Computer Technician Should Know About

Tuesday, March 3rd, 2009

This post is a must-read for computer technicians, and the resources can be used by amateurs and professionals alike. I hereby share some of my sources of knowledge!

  1. The MAC address vendor search lets you identify the vendor behind a MAC address; it is very helpful when troubleshooting ARP tables. Just enter the first three octets (the OUI), for example 00-00-01, and you will see that it is identified as XEROX.
  2. Ever been on the lookout for a BGP looking glass? Wonder what your network looks like from the Internet? Need to traceroute back to yourself? Thomas Kernen maintains traceroute.org, a public listing of looking glasses and traceroute servers. Alternatively you can use routeviews.org, which also provides an excellent service!
  3. Need Cisco documentation? Cisco's own site can be a very good source of information, at least once you learn to find your way around it. You can find an article on almost every technology in a Cisco box on their website!
  4. Need something to calculate your subnets on the fly? I have an Online IPv4 and IPv6 IP Calculator, and I also made an AJAX version of it, available on ipv6calculator.net, which can be faster to use in some situations.
  5. The RIRs (Regional Internet Registries) can give you information about IP addresses; you can find out almost anything you would like to know about, for example, European address space by querying the RIPE Whois Database.
    Here is a list of the RIRs and their respective Whois databases:

    • RIPE NCC serves Europe, the Middle East and parts of Central Asia
    • ARIN serves the United States, Canada and parts of the Caribbean
    • LACNIC serves Latin America and the Caribbean
    • AfriNIC serves Africa
    • APNIC serves the Asia-Pacific region
    • If you just want to query once, here is a free whois proxy
  6. To monitor your announced BGP prefixes from the outside you can use the service BGPmon, which watches your prefixes and alerts you when the path changes, for example when somebody else starts announcing your address space.
  7. Dynamips is a Cisco emulator; it successfully emulates the Cisco 7200, 3600 (3620, 3640 and 3660), 2691, 3725, 3745 and 2600 platforms. You can use it, for example, to test network scenarios before deploying them!
  8. New software! Fresh meat! Check out freshmeat.net, which has been around forever. New versions of open source projects are announced there, and it is also a browsable catalogue of open source software.

Now it is time for you to do your homework: let me know which sites you find useful or funny in your work, or sites that you use on a daily basis. GO COMMENT!