Wednesday, July 2, 2008

Script to identify domains and IP addresses by ASN and CC

I wrote this more than a year ago and it has been tested pretty well. Since Jim over at ISC has released a similar tool, I figured it was time to publish mine.

Usage:
# cat > queries.txt
domain1
domain2
ip3
domain4
ip5
...
^C
# perl finger.pl queries.txt

###### finger.pl ######

#This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.


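# Main entry point.
#
# $ARGV[0] is either the name of an existing file holding one query per
# line, or a single query itself.  A query is an IPv4 address or a domain
# name; anything else is reported as bad input.  Every line returned by
# resolve() / whois() for a query is printed on its own line.
#
# resolve() and whois() hand the query to `dig`, so it is checked here
# against a strict character whitelist before anything is executed: an
# IPv4 address is four dot-separated numbers, and a domain name may contain
# only letters, digits, '.' and '-' and must end in a dot followed by a
# label of one to 63 such characters (the original three regexes expressed
# "dot followed by one to four characters"; longer TLDs are accepted now).
my $IPV4_QUERY_RE   = qr/^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/;
my $DOMAIN_QUERY_RE = qr/^\s*([A-Za-z0-9.-]+\.[A-Za-z0-9-]{1,63})\s*$/;

# Print one line per result of looking up a single query.
#   $query      the raw query text (surrounding whitespace is ignored)
#   $bad_label  prefix printed when the query is neither an IP nor a name
#   $ip_lookup  code ref applied to an IPv4 query: whois() for file input,
#               resolve() for the command-line form (as in the original,
#               where the direct whois() call was commented out there)
sub _lookup_and_print {
    my ($query, $bad_label, $ip_lookup) = @_;
    if (my ($ip) = $query =~ $IPV4_QUERY_RE) {
        print "$_\n" for $ip_lookup->($ip);
    }
    elsif (my ($name) = $query =~ $DOMAIN_QUERY_RE) {
        print "$_\n" for resolve($name);
    }
    else {
        print "$bad_label: $query\n";
    }
    return;
}

die "usage: $0 <queries-file | ip-address | domain>\n" if !@ARGV;

if (-e $ARGV[0]) {
    # File form: one query per line, blank lines skipped.  IPv4 addresses
    # go straight to whois() (no reverse lookup).
    open my $in, '<', $ARGV[0] or die "open $ARGV[0]: $!";
    while (my $line = <$in>) {
        chomp $line;
        next if $line =~ /^\s*$/;
        _lookup_and_print($line, 'BAD INPUT LINE', \&whois);
    }
    close $in;
}
else {
    # Single-query form: IPv4 addresses go through resolve(), which adds
    # the reverse DNS name in front of the whois() data.
    _lookup_and_print($ARGV[0], 'BAD INPUT', \&resolve);
}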


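# Look up a query and return its result lines.
#
#   $domain  an IPv4 address or a host name
#
# For an IPv4 address: the reverse (PTR) name is fetched with `dig -x` and
# each whois() line for the address is prefixed with it; when there is no
# PTR record the prefix is "NO RDNS" (the original silently returned
# nothing in that case, because its "NO RDNS" branch only ran for a blank
# answer line, never for an empty answer list).
# For a host name: every address `dig +short` returns is looked up with
# whois() and prefixed with the name; every other answer (a CNAME target)
# is resolved recursively and its lines are included as they are.
#
# Returns the list of " | "-joined result lines (possibly empty).  Results
# are accumulated in a lexical, so the recursive call no longer clears the
# outer call's list, and dig is started without a shell, so the query text
# is never interpreted as shell syntax.
sub resolve {
    my ($domain) = @_;
    my @results;

    if ($domain =~ /^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/) {
        my $ip = $1;
        # whois() does not depend on the PTR answer, so run it once.
        my @whois_lines = whois($ip);
        my @ptr_names = map { _strip_trailing_dot($_) }
                        grep { !/^\s*$/ } _dig_short('-x', $ip);
        @ptr_names = ('NO RDNS') if !@ptr_names;
        for my $ptr (@ptr_names) {
            push @results, map { join(' | ', $ptr, $_) } @whois_lines;
        }
    }
    else {
        for my $answer (_dig_short($domain)) {
            next if $answer =~ /^\s*$/;
            if ($answer =~ /^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/) {
                my $addr = $1;
                push @results, map { join(' | ', $domain, $_) } whois($addr);
            }
            else {
                # Any non-address answer is the target of a CNAME; follow it.
                push @results, resolve(_strip_trailing_dot($answer));
            }
        }
    }
    return @results;
}

# Run `dig +short @args` without a shell and return its output lines,
# chomped.  Returns an empty list (after a warning) if dig cannot be run.
sub _dig_short {
    my @args = @_;
    open(my $dig, '-|', 'dig', '+short', @args)
        or do { warn "cannot run dig: $!"; return };
    my @lines = <$dig>;
    close $dig;
    chomp @lines;
    return @lines;
}

# Return $name without its trailing '.' (dig prints fully qualified names).
# Replaces the original substr($name, 0, $name - 1), whose numeric use of a
# string only worked because non-numeric strings evaluate to 0.
sub _strip_trailing_dot {
    my ($name) = @_;
    $name =~ s/\.\z//;
    return $name;
}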


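# Look up the origin AS, netblock, country code and AS description of an
# IPv4 address through Team Cymru's DNS-based IP-to-ASN service.
#
#   $ip  dotted-quad IPv4 address (each octet 0..255)
#
# Returns a list of lines, one per AS announcing the address:
#   "<ip> | <netblock> | <cc> | <asn> | <as description>"
# with the same fixed-width ip/netblock/cc/asn fields as the original.
# A malformed address is reported on STDOUT and the single line
# "<ip> | UNKNOWN" is returned.
#
# Everything that reaches a dig command line is either a validated octet or
# an AS number checked to be all digits, and dig is started without a
# shell; the original interpolated the AS number taken from the DNS answer
# straight into a backtick command, so a crafted TXT record could have
# injected shell syntax.
sub whois {
    my ($ip) = @_;

    my @octets = $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    if (@octets != 4 || grep { $_ > 255 } @octets) {
        print "BAD IP ADDRESS: $ip\n";
        return ("$ip | UNKNOWN");
    }

    my @results;
    # The origin zone is queried with the octets in reverse order.
    my $origin_name = join('.', reverse(@octets), 'origin.asn.cymru.com');
    for my $origin (_cymru_txt($origin_name)) {
        # Fields: "<asn(s)> | <netblock> | <cc> | <registry> | <alloc date>"
        my ($as_list, $netblock, $cc) = @{$origin}[0 .. 2];
        # An address announced by several ASes lists them space-separated;
        # produce one output line per AS instead of one broken query.
        for my $asn (split ' ', (defined $as_list ? $as_list : '')) {
            next if $asn !~ /^\d+$/;    # never let unexpected data reach dig
            # Fields: "<asn> | <cc> | <registry> | <alloc date> | <description>"
            my ($as_record) = _cymru_txt("AS$asn.asn.cymru.com");
            my $as_desc = ($as_record && defined $as_record->[4]) ? $as_record->[4] : '';
            push @results, join(' | ',
                sprintf('%15.15s', $ip),
                sprintf('%18.18s', $netblock),
                sprintf('%2.2s',   $cc),
                sprintf('%5.5s',   $asn),
                $as_desc);
        }
    }
    return @results;
}

# Query one TXT name at Team Cymru (`dig +short -t TXT $name`) without a
# shell.  Returns a list of array refs, one per non-blank answer, holding
# the '|'-separated fields with quotes, tabs and field padding removed.
sub _cymru_txt {
    my ($name) = @_;
    open(my $dig, '-|', 'dig', '+short', '-t', 'TXT', $name)
        or do { warn "cannot run dig: $!"; return };
    my @answers = <$dig>;
    close $dig;

    my @records;
    for my $answer (@answers) {
        chomp $answer;
        $answer =~ s/[\t"]//g;
        $answer =~ s/\s\|\s/|/g;
        next if $answer eq '';
        push @records, [ split /\|/, $answer ];
    }
    return @records;
}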
