asnip – ASN Reconnaissance via Domain and IP Mapping
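This article introduces asnip, a lightweight Go tool that takes a target domain or IP address, obtains the AS number (ASN) it belongs to, and automatically retrieves the related CIDR blocks and enumerates their IP addresses. The tool is suited to the red team reconnaissance phase, helping to quickly expand the attack surface and discover potential targets.
2025-9-14 20:15:5 Author: www.darknet.org.uk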

In red team operations, one of the earliest and most valuable tasks is to expand the external attack surface. Autonomous System Numbers (ASNs) provide insight into which IP ranges belong to an organisation. asnip is a lightweight Go tool that automates this process: given a target domain or IP, it identifies the ASN, retrieves the related Classless Inter-Domain Routing (CIDR) blocks, and enumerates them into IP addresses.


Unlike more heavyweight recon frameworks, asnip focuses purely on ASN → CIDR → IP mapping. This makes it fast, simple, and practical for reconnaissance phases where operators need to quickly turn a single known host into a broader network footprint.

Features

  • Domain/IP to ASN mapping: Automatically resolves domains or IPs to their owning ASN.
  • CIDR retrieval: Queries an external API (HackerTarget) to fetch associated CIDR ranges.
  • IP enumeration: Converts CIDR blocks into a list of individual IP addresses.
  • Console output: Optional printing of results alongside file output.
  • Written in Go: Small, portable binary suitable for integration into recon workflows.

Installation

Install directly with Go:

go install github.com/harleo/asnip@latest

Requires a Go environment to be present on the host.

Usage

Usage:
  -t string
        Domain or IP address (Required)
  -p string
        Print results to console

Example

$ asnip -t google.com -p

[?] ASN: "15169" ORG: "GOOGLE, US"
8.8.4.0/24
... snip ...
[.] Writing 616 CIDRs to file...
[.] Converting to IPs...
8.8.8.1
... snip ...
[.] Writing 14725936 IPs to file...
[!] Done.

Attack Scenario

A red team begins reconnaissance on a financial services company. With only the primary domain name in scope, they run:

asnip -t targetbank.com -p

The tool resolves the organization’s ASN and extracts dozens of associated CIDR ranges. Converting these to IPs reveals not just the main web servers, but forgotten legacy mail infrastructure still tied to the company. This expanded list becomes the foundation for further vulnerability scanning and exploitation attempts.

Red Team Relevance

asnip’s simplicity is its strength. It strips ASN reconnaissance down to the essentials: map domains and IPs to ASNs, get the ranges, and convert them to targets. For operators, this reduces time spent manually querying routing databases and ensures coverage of entire network blocks that might otherwise be missed.

Defenders can also benefit by running asnip on their own domains to confirm whether shadow IP ranges or forgotten allocations are still tied to their organisation.
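
One way to act on that defensive check, as an added example that is not part of the original article or of asnip itself: compare the CIDR blocks announced under your ASN with your asset inventory and report any block the inventory does not fully cover. The function names and the sample ranges are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// parsePrefixes parses CIDR strings and normalises each to its network address.
func parsePrefixes(cidrs []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// UntrackedRanges returns announced CIDRs that no inventory entry fully covers.
func UntrackedRanges(announced, inventory []string) ([]string, error) {
	ann, err := parsePrefixes(announced)
	if err != nil {
		return nil, err
	}
	inv, err := parsePrefixes(inventory)
	if err != nil {
		return nil, err
	}
	gaps := []string{}
	for _, p := range ann {
		tracked := false
		for _, k := range inv {
			// k covers p when it is no longer than p and contains p's network address.
			tracked = tracked || (k.Bits() <= p.Bits() && k.Contains(p.Addr()))
		}
		if !tracked {
			gaps = append(gaps, p.String())
		}
	}
	return gaps, nil
}

func main() {
	// Constructed sample data (documentation ranges from RFC 5737 and RFC 3849).
	announced := []string{"192.0.2.0/24", "198.51.100.0/25", "203.0.113.0/24", "2001:db8::/48"}
	inventory := []string{"192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/25"}
	fmt.Println(UntrackedRanges(announced, inventory))
}
```

A block that the inventory covers only in part, such as 203.0.113.0/24 against an inventoried /25, is reported whole, so the unrecorded half gets reviewed.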

Conclusion

asnip is a focused, Go-based tool for ASN reconnaissance. Automating ASN lookups and CIDR expansion enables red teams to move quickly from a single seed host to a comprehensive list of potential targets. For attackers, it means faster surface discovery. For defenders, it highlights the value of monitoring ASN allocations as part of external asset management.

You can read more or download asnip here: https://github.com/harleo/asnip


Source: https://www.darknet.org.uk/2025/09/asnip-asn-reconnaissance-via-domain-and-ip-mapping/