Asset Discovery Beyond Domains: ASN, IP Ranges, Acquisitions
Subdomains are only the surface. Walk ASNs, parse IP ranges, and track acquisitions to find the assets other hunters miss on bug bounty targets.
By Arjun Raghavan, Security & Systems Lead, BIPI · January 6, 2023 · 9 min read
Subdomains are a slice, not the pie
If your recon stops at target.com, you are competing with every other hunter on the program. The unique finds live one layer deeper, in IP space the organization owns, in subsidiaries the scope quietly includes, and in cloud accounts nobody mapped.
Start with the ASN
- Look up the org on bgp.he.net to see registered ASNs
- Pull all announced prefixes per ASN, save as CIDR blocks
- Use mapcidr to expand the blocks into IPs when you need them
- Cross-check with whois on a few sampled IPs to confirm ownership
Not every program permits scanning owned IP space directly. Read the policy. When it does, you have a whole new attack surface that domain-based recon never sees.
Reverse DNS and certificate pivots
Run reverse DNS across the ranges. Names you never would have guessed appear. Then pivot through Censys and Shodan certificate searches, filtering on the organization name and on common name patterns. A single self-signed cert with the org name in the subject can hand you a list of forgotten boxes.
Acquisitions are gold
- Read the parent company section of the policy carefully
- Check Crunchbase and the company press page for recent acquisitions
- Search the SEC filings for subsidiaries when the target is public
- Re-run your full subdomain pipeline against each new root domain
Most large Bugcrowd and HackerOne programs include subsidiaries in scope. Most hunters never check. A six-month-old acquisition often still runs on its old infra, with its old bugs, and now sits inside a paying scope.
Cloud account fingerprints
S3 buckets, Azure storage accounts, GCP buckets. Permute the org name and product names against known cloud naming patterns. Tools like cloud_enum and s3scanner are noisy, so run them carefully and only when scope clearly allows.
Putting it on a map
Workflow that scales
- Maintain a YAML file per target with roots, ASNs, and known subsidiaries
- Re-run the pipeline on a schedule and diff against the last run
- Tag every asset with its source so you can prove scope later
- Keep a do-not-touch list for borderline assets pending policy clarification
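The bookkeeping half of that workflow, as an added example that is not from the original post: each discovered asset is classified against the per-target file (roots, ASN prefixes, do-not-touch list) and tagged with the entry that justifies the decision, and two runs are diffed. The target values are constructed placeholders, held in a dict so the script runs without PyYAML.

```python
import ipaddress

# Constructed stand-in for the per-target YAML file (placeholder values, not a real program).
TARGET = {
    "roots": ["example.com", "acquired-example.net"],        # parent + acquisition
    "prefixes": ["192.0.2.0/24", "2001:db8::/32"],            # announced by the org's ASNs
    "do_not_touch": ["legacy.acquired-example.net"],          # pending policy clarification
}


def classify(asset, target=TARGET):
    """Return (status, source) for a hostname or IP.

    status is 'in-scope', 'hold' or 'out-of-scope'; source names the target-file
    entry that justifies it, so the scope argument can be reproduced in a report.
    """
    if asset in target["do_not_touch"]:
        return "hold", "do_not_touch"
    try:
        ip = ipaddress.ip_address(asset)
    except ValueError:
        ip = None
    if ip is not None:
        # Membership test is version-aware: an IPv4 address never matches an IPv6 prefix.
        for cidr in target["prefixes"]:
            if ip in ipaddress.ip_network(cidr):
                return "in-scope", f"asn-prefix:{cidr}"
        return "out-of-scope", "no-matching-prefix"
    for root in target["roots"]:
        # Require a dot boundary so 'notexample.com' does not match root 'example.com'.
        if asset == root or asset.endswith("." + root):
            return "in-scope", f"root:{root}"
    return "out-of-scope", "no-matching-root"


def run(assets, target=TARGET):
    """Classify one run's asset list into {asset: (status, source)}."""
    return {a: classify(a, target) for a in assets}


def diff_runs(previous, current):
    """Compare two runs and report assets that appeared, vanished or changed status."""
    added = {a: current[a] for a in current.keys() - previous.keys()}
    removed = {a: previous[a] for a in previous.keys() - current.keys()}
    changed = {a: (previous[a], current[a])
               for a in previous.keys() & current.keys() if previous[a] != current[a]}
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    last = run(["www.example.com", "192.0.2.10", "legacy.acquired-example.net"])
    now = run(["www.example.com", "198.51.100.5", "api.acquired-example.net"])
    for kind, items in diff_runs(last, now).items():
        print(kind, items)
```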
The hunters who consistently find unique bugs are the ones who treat asset discovery as ongoing research, not a one time scan.
Report what you can defend
Every report you file must include a clean scope justification. When you find a bug on an acquired company's old box, link the press release, link the policy clause, and make the triager's job easy. That single habit is the difference between paid and N/A.