offensive-tools/recon/asnmap/SKILL.md
ProjectDiscovery tool for mapping IP ranges from ASN data. Given a domain, IP, organization name, or ASN number, returns all associated CIDR ranges. Use during passive recon to discover the full IP space owned by a target organization before port sweeping, and to identify cloud vs. on-prem allocation.
Map an organization's full IP space from ASN data. Feeds directly into masscan/nmap scopes.
```bash
# Domain → ASN → IP ranges
asnmap -d target.com

# IP → ASN → all ranges for that ASN
asnmap -i 1.2.3.4

# Organization name → all ASNs and ranges
asnmap -org "Target Corporation"

# ASN number → CIDR ranges
asnmap -a AS12345

# Output CIDR list for tool consumption
asnmap -d target.com -o cidr_ranges.txt

# Multiple domains
asnmap -d target.com,sub.target.com

# From file
asnmap -list domains.txt -o ranges.txt

# Multiple IPs
asnmap -i 1.2.3.4,5.6.7.8

# Org name (fuzzy match against WHOIS data)
asnmap -org "Target Inc" -json
```
```bash
# Plain CIDR list (default)
asnmap -d target.com
# → 1.2.3.0/24
# → 10.0.0.0/16

# JSON output (includes ASN metadata)
asnmap -d target.com -json

# Silent mode (CIDRs only, no banners)
asnmap -d target.com -silent

# CSV output
asnmap -d target.com -csv
```
```bash
# Full pipeline: domain → CIDRs → masscan port sweep
asnmap -d target.com -silent | masscan --ports 80,443,8080,8443 -iL - --rate 5000

# CIDRs → nmap (small ranges only — use masscan for large ranges)
asnmap -d target.com -silent | nmap -iL - -sV --top-ports 100

# CIDRs → shodan API query
asnmap -d target.com -silent | while read cidr; do
    shodan search "net:$cidr"
done

# Discover all subdomains per IP range (reverse DNS)
asnmap -d target.com -silent | dnsx -resp-only -ptr -o ptr_records.txt
```
Before scanning, filter out CDN and cloud provider IP ranges to avoid wasting time on shared infrastructure.
```bash
# Download cloud provider CIDR lists
curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[].ip_prefix' > aws_ranges.txt
curl -s https://www.gstatic.com/ipranges/cloud.json | jq -r '.prefixes[].ipv4Prefix // empty' > gcp_ranges.txt

# Filter target ranges against cloud provider lists (remove overlaps)
asnmap -d target.com -silent > target_ranges.txt

# Use cdncheck to tag CDN-hosted IPs before scanning
cat target_ips.txt | cdncheck -resp -o cdncheck_results.txt
```
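The overlap-filtering step above is named but not implemented. The following script is an added example, not part of the skill file or the asnmap project: it reads two one-CIDR-per-line lists (the shape `asnmap -silent` and the jq one-liners above emit), tags every target range that falls inside a provider prefix, and splits partially overlapping ranges so only the non-hosted remainder stays in the on-prem list. The sample data in the constants is constructed for the demonstration; swap in the contents of target_ranges.txt and aws_ranges.txt/gcp_ranges.txt.

```python
import ipaddress

# Constructed sample input, one CIDR per line (the shape asnmap -silent and the jq one-liners emit).
TARGET_RANGES = """\
203.0.113.0/24
198.51.100.0/25
192.0.2.0/24
"""
CLOUD_PREFIXES = """\
198.51.100.0/24
192.0.2.128/25
"""

def parse_cidrs(text):
    """Parse one CIDR per line; blank lines and '#' comments are ignored."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def classify(target_text, cloud_text):
    """Split target CIDRs into (on_prem, cloud_hosted) lists of CIDR strings.
    A range that only partly overlaps a provider prefix is split: the hosted
    part is tagged and only the remainder stays in the on-prem list."""
    cloud = parse_cidrs(cloud_text)
    on_prem, cloud_hosted = [], []
    for net in parse_cidrs(target_text):
        remaining = [net]
        for c in cloud:
            nxt = []
            for r in remaining:
                if r.version != c.version:      # subnet_of() rejects mixed v4/v6
                    nxt.append(r)
                elif r.subnet_of(c):            # fully inside a provider prefix
                    cloud_hosted.append(str(r))
                elif c.subnet_of(r):            # provider prefix carves a hole
                    cloud_hosted.append(str(c))
                    nxt.extend(r.address_exclude(c))
                else:
                    nxt.append(r)
            remaining = nxt
        on_prem.extend(str(r) for r in remaining)
    return sorted(on_prem), sorted(cloud_hosted)

if __name__ == "__main__":
    keep, tagged = classify(TARGET_RANGES, CLOUD_PREFIXES)
    print("cloud-hosted:", tagged, "\non-prem:", keep)
```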
Cloud-hosted ranges are valid targets, but:
```bash
# 1. Find all ASNs for a domain
asnmap -d target.com -json | jq '.asn'

# 2. For each ASN, get full CIDR list
asnmap -a AS12345 -silent

# 3. Check if ranges are consistent with WHOIS
whois AS12345

# 4. Look for additional ASNs via BGP neighbors
# Check: https://bgp.he.net/AS12345#_peers

# 5. Cross-reference against Shodan (passive)
shodan search "asn:AS12345" --fields ip_str,port,org
```
Use cdncheck to tag CDN-hosted IPs before active scanning.