Cyber Pulse Academy

MITRE ATT&CK • Enterprise • Reconnaissance

Gather Victim Network Info: IP Addresses (T1590.005)

Adversaries enumerate a target's public IP allocations, ASN blocks, and BGP routing entries to map the organization's internet-facing attack surface before launching targeted operations.

Tactic: Reconnaissance • Technique: T1590 • Sub-technique: T1590.005
[Interactive widget: Live IP Discovery Simulation. Illustrative only; it animates CIDR ranges being "discovered" with reputation labels, an ASN lookup card (AS64512, "Acme Corporation", 12 prefixes, 47 peers), BGP routing entries with sample AS paths, and a geographic IP distribution chart for a fictional Acme Corp. The addresses shown mix RFC 5737 documentation prefixes, RFC 1918 private ranges (which are never routed on the public internet and would not be found this way) and private-use ASNs (AS64512 onward).]

Why IP Address Discovery Matters

IP addresses are the fundamental identifiers of internet-facing infrastructure: every connection to a public server terminates at one. Every organization that holds its own public address space received it from a Regional Internet Registry (RIR): ARIN (North America), RIPE NCC (Europe, the Middle East and parts of Central Asia), APNIC (Asia-Pacific), LACNIC (Latin America and the Caribbean) and AFRINIC (Africa). Those allocations are public record: anyone can read them through WHOIS or RDAP, see which prefixes are actually announced from public BGP route collectors, and walk reverse DNS over the ranges, all without authentication. An adversary who collects a target's public ranges therefore gets a map of the organization's internet-facing attack surface: every server, cloud instance and network segment directly reachable from the open internet. That map is the operational foundation for the stages that follow, from active scanning and vulnerability exploitation through credential harvesting and lateral-movement planning. One caveat: assets hosted in a cloud provider's or CDN's address space sit under the provider's allocations, not the organization's, and have to be found through DNS, certificate transparency and scanning-platform data instead.

2,200+ cyberattacks per day worldwide (source: DeepStrike Threat Report)
$10.5T projected global cost of cybercrime by 2025 (source: VikingCloud Analysis)
2024: unprecedented levels of active scanning (source: Fortinet Threat Landscape)

Public Records Expose Infrastructure

IP address allocations are inherently public. RIR databases, BGP announcements and DNS records together reveal the address space an organization holds and announces: the blocks, the ASNs that originate them, the upstream providers visible in the AS path, the registry contacts, and (approximately, via registry records and geolocation databases) where the equipment sits. This transparency is what makes internet routing work, and it also hands adversaries a blueprint of every network segment, data center and self-hosted deployment. The same transparency cuts both ways for defenders: the footprint is only as complete as the organization's own inventory, and anything hosted in a provider's address space is announced by the provider and will not appear under the organization's allocations at all.

IP Intelligence Enables Targeted Attacks

Once armed with an IP inventory, attackers cross-reference the addresses against scanning-platform data (service banners and versions), vulnerability databases and historical breach records to find the weakest entry points. They can tell which ranges host legacy systems, which belong to recently acquired subsidiaries with potentially weaker security postures, and which carry the services that matter most for initial access: VPN concentrators, mail servers and remote-access gateways.

Forgotten Assets Create Critical Risk

Large organizations accumulate IP allocations across decades of growth, mergers and technology transitions. Development servers, forgotten test environments, abandoned office networks and decommissioned-but-never-returned ranges persist as shadow infrastructure. Adversaries who map IP ranges carefully often find these orphaned assets, which typically lack current security controls, monitoring and patch management, making them ideal beachheads for establishing persistent access.

Key Terms & Concepts

Simple Definition

IP Addresses (T1590.005) is a sub-technique under MITRE ATT&CK's Reconnaissance tactic where adversaries systematically gather a target organization's public IP addresses and network ranges. Public IP addresses are allocated in blocks (CIDR notation) by Regional Internet Registries and are discoverable through multiple open-source intelligence channels including BGP routing tables, WHOIS registration queries, forward and reverse DNS lookups, certificate transparency logs, and internet scanning platforms like Shodan, Censys, and ZoomEye. Adversaries leverage this intelligence to build comprehensive maps of the target's internet-facing infrastructure, identify network segments associated with different business units or geographic locations, and prioritize IP ranges for subsequent vulnerability scanning and exploitation attempts.

Core Mechanism: Querying public registries and routing data to enumerate all IP ranges assigned to a target, then cross-referencing discovered addresses against vulnerability databases and scanning platforms.

Everyday Analogy

Imagine IP addresses as the street addresses of the internet. Just as a city's planning office maintains a public database mapping every address to its owner and zoning information, internet registries map every IP range to its assigned organization. IP address reconnaissance is like someone visiting city hall and requesting the complete property records for your company: learning exactly how many buildings you occupy, where they are, how large each property is, and which addresses look actively maintained versus abandoned. They can then visit every address in turn, test every door and window, and note which properties have broken locks or vacant lots. The city needs this information to function, but in the wrong hands it becomes a complete guide to targeting every asset you own.

Key Insight: The same public infrastructure that enables global internet connectivity simultaneously provides adversaries with the intelligence needed to plan sophisticated, targeted cyberattacks against specific organizations.
Related terms: CIDR, BGP, ASN, WHOIS, RIR, ARIN, RIPE NCC, APNIC, reverse DNS, Shodan, Censys, RPKI, subnet, netblock, prefix

Real-World Attack Scenario

The following scenario illustrates how IP address reconnaissance (T1590.005) serves as the critical foundation for a devastating supply chain compromise targeting maritime logistics infrastructure.

Before Compromise
Elena Popov, Director of Network Engineering
Oceanic Shipping Lines • Global Maritime Logistics

Oceanic Shipping Lines operated 512 public IP addresses distributed across 8 offices spanning Singapore, Rotterdam, Houston, Lagos, São Paulo, Sydney, Shanghai, and Dubai. Every one of these ranges was discoverable through standard BGP route announcements, publicly accessible reverse DNS records, and passive DNS databases. A state-sponsored APT group spent three months mapping Oceanic's complete IP footprint using Shodan queries, WHOIS lookups against the ARIN, RIPE and APNIC databases, and BGP table analysis through public route collectors. During this reconnaissance phase the attackers found their entry point: a forgotten test server in Oceanic's Singapore office (allocated from the 203.0.113.64/28 subnet) running an outdated Apache Struts installation vulnerable to CVE-2017-5638, a remote code execution flaw triggered by a crafted Content-Type header. The server had been deployed by a former employee for a proof-of-concept project six months earlier and was never decommissioned or enrolled in the organization's vulnerability management program. Exploiting this single forgotten asset, the APT group established persistent access, moved laterally through the corporate network over several weeks, and ultimately compromised the cargo management and manifest systems. For three uninterrupted months the attackers manipulated shipping manifests, redirecting 200 containers valued at $45 million to coordinated theft operations across Southeast Asian ports, before Oceanic's security team detected anomalous network traffic patterns during a routine audit.

After Remediation
Elena's Security Transformation

Following the breach, Elena led a comprehensive overhaul of Oceanic's network visibility and IP management posture. She published RPKI ROAs for every Oceanic prefix and enabled route origin validation (ROV) on the border routers, so that hijacked or mistakenly announced prefixes are rejected by ROV-enforcing networks and Oceanic itself drops invalid routes it receives. Working with the infrastructure team, she reduced public IP exposure by consolidating 70% of public-facing services behind CDN reverse proxies and cloud security gateways, shrinking the directly attackable surface. She deployed continuous IP reputation monitoring integrated with threat intelligence feeds to receive immediate alerts when any Oceanic range appeared in malicious-context databases, botnet reports, or exploit-kit targeting lists. Recognizing the danger of dormant infrastructure, she set up darknet monitoring on all unused and reserved IP space, so that unauthorized traffic or scanning aimed at allocated but inactive addresses is detected. She instituted mandatory quarterly Shodan exposure assessments to identify publicly visible services, open ports, and leaked credentials across every Oceanic range. Finally, she implemented automated IP asset inventory reconciliation, cross-referencing RIR allocation records with internal CMDB data monthly to detect orphaned or forgotten network assets before adversaries could find and exploit them.

How IP Reconnaissance Works

Adversaries follow a methodical, multi-stage process to discover and catalog a target's complete IP infrastructure. Each stage builds upon the previous, progressively refining the attacker's understanding of the target's network topology, geographic distribution, and potential vulnerabilities.

01. WHOIS and RIR Database Enumeration

Attackers query the Regional Internet Registry databases (ARIN, RIPE, APNIC, LACNIC, AFRINIC) over WHOIS or RDAP (its JSON successor) using the target organization's name, known domain names, and parent-company identifiers. The results are complete allocation records: CIDR blocks, netnames, organization and abuse contacts, and allocation dates, which is enough to pivot from one org or contact handle to every other block registered under it. Historical WHOIS snapshots also reveal previously held ranges that may still be partially in use.

Tools: whois, ARIN Whois-RWS API, RIPEstat, RDAP
02. BGP Routing Table Analysis

By examining BGP routing data from public route collectors (RouteViews, RIPE RIS), attackers identify exactly which prefixes the target's ASNs originate right now. This is the operational footprint, and it includes ranges that a WHOIS search by name would miss because of recent transfers, mergers or sub-allocations from a provider. The AS path also names the target's upstream providers and peers. The converse caveat: anything the target hosts in a cloud provider's address space is originated by the provider's ASN and will not show up here.

Tools: BGPStream, RouteViews, RIPE RIS, bgp.he.net
03. DNS and Reverse DNS Enumeration

Subdomain enumeration, zone transfers (AXFR, which only succeeds against the minority of misconfigured name servers that still permit them), and reverse DNS (PTR) lookups across the discovered ranges map addresses to hostnames and services. This phase reveals internal naming conventions, service types (mail, vpn, web, api), geographic indicators, and sensitive hostnames that disclose technology stacks, departmental structures, and development environments. It is also the step that ties cloud-hosted assets, which step 02 cannot see, back to the organization.

Tools: dig, dnscan, Sublist3r, Amass
04. Scanning-Platform Lookups (Shodan/Censys)

Adversaries query internet-wide scanning platforms such as Shodan, Censys, ZoomEye and Fofa for open ports, running services, software versions and exposed protocols across every identified range. The platforms' own scanners generate the traffic, so the attacker sends nothing to the target at this stage and the target's sensors see only the platforms' well-known scanner ranges. The trade-off is freshness: platform data can be days or weeks old, which is why it feeds later active scanning rather than replacing it.

Tools: Shodan, Censys, ZoomEye, Fofa
05. Cross-Referencing and Target Prioritization

Finally, the collected data is aggregated and cross-referenced against vulnerability databases (NVD, Exploit-DB), breach disclosure records, threat intelligence feeds and historical compromise data. Ranges and individual hosts are scored by discovered vulnerabilities, service exposure, geographic location and inferred business criticality. The prioritized list feeds directly into the active scanning (T1595) and exploitation phases that follow.

Tools: NVD, VirusTotal, AbuseIPDB, MITRE ATT&CK
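The five steps above, as an added worked example that is not part of the original page: a Python script that joins RDAP allocation records (step 01), route-collector announcements (step 02) and reverse-DNS answers (step 03) into the kind of prioritized host list step 05 describes. All inputs are constructed sample data for a fictional Acme Corp (RFC 5737 documentation prefixes, private-use ASNs); the RDAP field names are the real RFC 9083 ones, while the RIB line format and the hostname-to-role heuristics are assumptions of this example. It deliberately stops short of step 04, which needs live scanning-platform API access.

```python
"""Aggregate T1590.005 reconnaissance output (RDAP allocations, BGP announcements,
reverse DNS) into a prioritised map of internet-facing hosts. All inputs are
constructed sample data for a fictional "Acme Corp" (RFC 5737 documentation
prefixes, private-use ASNs); none of it is real."""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed: trimmed RDAP "ip network" objects as an RIR RDAP endpoint
# returns them (RFC 9083 fields handle/startAddress/endAddress/name).
RDAP_RESPONSES = [json.dumps(o) for o in (
    {"handle": "NET-203-0-113-0-1", "name": "ACME-CORP-NET",
     "startAddress": "203.0.113.0", "endAddress": "203.0.113.255"},
    {"handle": "NET-198-51-100-0-1", "name": "ACME-EU-NET",
     "startAddress": "198.51.100.0", "endAddress": "198.51.103.255"},
    {"handle": "NET-192-0-2-0-1", "name": "ACME-LEGACY-LAB",   # never announced
     "startAddress": "192.0.2.0", "endAddress": "192.0.2.15"},
)]
# Constructed: "prefix AS_PATH" lines as extracted from a route-collector RIB
# dump; the origin ASN is the last element of the path.
RIB_LINES = """
203.0.113.0/24   174 1299 64512
203.0.113.0/24   3356 6461 64512
198.51.100.0/22  6939 64512
198.51.102.0/23  6939 64513
""".strip().splitlines()
# Constructed: reverse-DNS (PTR) answers for addresses inside those prefixes.
PTR_RECORDS = {
    "203.0.113.10": "www.acme.example", "203.0.113.11": "mail.acme.example",
    "203.0.113.20": "vpn-sgp.acme.example", "198.51.100.5": "api.acme.example",
    "203.0.113.77": "struts-poc-test.acme.example",
    "198.51.102.9": "staging-db.acme-eu.example",
}
# Hostname token -> inferred role (an assumption of this example); first match
# wins, so the highest-signal (non-production) tokens are checked first.
ROLE_PATTERNS = [
    (re.compile(r"\b(dev|test|poc|staging|lab|uat)\b"), "non-production"),
    (re.compile(r"\b(vpn|gw|gateway|ras)\b"), "remote-access"),
    (re.compile(r"\b(mail|mx|smtp|imap)\b"), "mail"),
    (re.compile(r"\b(api|www|web)\b"), "web"),
]
ROLE_PRIORITY = {"non-production": 3, "remote-access": 3, "mail": 2, "web": 1,
                 "unknown": 0}

def parse_rdap(blobs):
    """RDAP ip-network objects -> {network: netname}, ranges summarised to CIDR."""
    allocations = {}
    for blob in blobs:
        obj = json.loads(blob)
        for net in ipaddress.summarize_address_range(
                ipaddress.ip_address(obj["startAddress"]),
                ipaddress.ip_address(obj["endAddress"])):
            allocations[net] = obj.get("name", obj["handle"])
    return allocations

def parse_rib(lines):
    """'prefix AS_PATH' lines -> {network: set of origin ASNs}."""
    origins = defaultdict(set)
    for parts in (line.split() for line in lines):
        if len(parts) >= 2:
            origins[ipaddress.ip_network(parts[0])].add(int(parts[-1]))
    return origins

def classify_host(hostname):
    """Infer a service role from the naming convention leaked by the PTR name."""
    for pattern, role in ROLE_PATTERNS:
        if pattern.search(hostname.lower()):
            return role
    return "unknown"

def build_surface(allocations, origins, ptr_records):
    """Join the three sources per host: the allocation it sits in, the most
    specific BGP announcement covering it and that announcement's origin(s),
    an inferred role and a priority. Highest priority first, then by address."""
    hosts = []
    for ip_str, hostname in ptr_records.items():
        ip = ipaddress.ip_address(ip_str)
        alloc = next((n for n in allocations if ip in n), None)
        announced = max((p for p in origins if ip in p),
                        key=lambda p: p.prefixlen, default=None)
        role = classify_host(hostname)
        hosts.append({
            "ip": ip_str, "hostname": hostname, "role": role,
            "allocation": allocations.get(alloc, "unallocated"),
            "prefix": str(announced) if announced else None,
            "origin_asns": sorted(origins[announced]) if announced else [],
            "priority": ROLE_PRIORITY[role]})
    hosts.sort(key=lambda h: (-h["priority"], ipaddress.ip_address(h["ip"])))
    return hosts

def unannounced_allocations(allocations, origins):
    """Allocated blocks with no announcement covering or inside them: dormant
    space where forgotten hosts tend to live."""
    return sorted(str(a) for a in allocations
                  if not any(p.subnet_of(a) or a.subnet_of(p) for p in origins))

if __name__ == "__main__":
    allocs, rib = parse_rdap(RDAP_RESPONSES), parse_rib(RIB_LINES)
    for h in build_surface(allocs, rib, PTR_RECORDS):
        print(f'P{h["priority"]} {h["ip"]:<14} {h["hostname"]:<30} {h["role"]:<15} '
              f'{h["prefix"]} origin={h["origin_asns"]}')
    print("allocated but not announced:", unannounced_allocations(allocs, rib))
```

Two details worth noticing in the output: the staging database is covered by a more-specific /23 originated by a different ASN than the parent /22, which is exactly the kind of subsidiary or acquisition boundary step 02 exposes, and the legacy /28 is allocated but never announced, so it is the first place to look for dormant hosts.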

Detection Strategies

Detecting IP address reconnaissance is inherently challenging because adversaries primarily query publicly available data sources rather than directly interacting with target systems. However, defenders can employ several analytical techniques to identify when their organization is being actively profiled through IP intelligence gathering.

Monitor WHOIS Query Patterns

WHOIS and RDAP queries go to the RIR, not to you, and RIRs do not generally make per-object query logs available to resource holders, so this signal is weak in practice and should not be relied on. What you can observe is traffic to lookup infrastructure you run yourself: a referral WHOIS or RDAP server for your sub-allocations, and the authoritative name servers for your reverse zones. Treat unusual lookup volume against your blocks as a cue to raise monitoring on those ranges, not as an alert in its own right.

Track BGP Route Anomaly Detection

Subscribe to a BGP monitoring service (RIPE RIS and RouteViews data is the usual source) that alerts on any change to announcements involving your AS numbers and prefixes: unexpected origins, new more-specific announcements, or changes in AS path. These may indicate a hijack, a leak, or preparation for traffic interception. Publish RPKI (Resource Public Key Infrastructure) ROAs for your prefixes so that networks performing route origin validation reject unauthorized announcements of your space, and run validation on your own routers so you do not accept such announcements either.

Analyze Reverse DNS Query Volume

Monitor the authoritative name servers for your in-addr.arpa zones for unusual patterns of reverse DNS (PTR) queries. One client walking an entire /24 in sequence is a strong indicator of IP reconnaissance, whereas scattered PTR lookups are routine (mail servers, log analyzers and security tools all do them). Expect the source you see to be a recursive resolver rather than the scanner itself, so correlate PTR-query spikes with subsequent connection attempts against the same ranges to identify reconnaissance-to-exploitation chains. Keep full query logs for forensic analysis. Rate limiting slows enumeration but does not hide the data, which is equally available from passive-DNS datasets.
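An added detection example, not from the original page: a sliding-window detector run over constructed BIND 9 style query-log lines, flagging a client that walks a /24's PTR names while ignoring a mail relay's scattered lookups. The log format, the 32-addresses-in-60-seconds threshold and the sample addresses are assumptions of this example; tune the threshold to your zone sizes.

```python
"""Detect systematic reverse-DNS (PTR) enumeration of a /24 in authoritative
DNS query logs. The log lines below are constructed to look like BIND 9
query-log entries; they are sample data, not a capture from a real server."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def _line(ts, client, qname, qtype):
    # Constructed line in BIND 9 query-log layout; the trailing address is the
    # server interface that received the query.
    return (f"{ts:%d-%b-%Y %H:%M:%S}.000 client @0x7f3c2a {client}#53011 "
            f"({qname}): query: {qname} IN {qtype} + (203.0.113.53)")

_T0 = datetime(2024, 3, 8, 12, 0, 0)
SAMPLE_LOG = (
    # a scanner walking 203.0.113.1 .. 203.0.113.40, one PTR query per second
    [_line(_T0 + timedelta(seconds=i), "198.51.100.7",
           f"{i}.113.0.203.in-addr.arpa", "PTR") for i in range(1, 41)]
    # benign noise: a mail relay resolving two senders, plus a forward lookup
    + [_line(_T0 + timedelta(seconds=5), "192.0.2.25",
             "25.113.0.203.in-addr.arpa", "PTR"),
       _line(_T0 + timedelta(seconds=30), "192.0.2.25",
             "9.100.51.198.in-addr.arpa", "PTR"),
       _line(_T0 + timedelta(seconds=31), "192.0.2.25",
             "www.acme.example", "A")]
)

def ptr_to_ip(qname):
    """'d.c.b.a.in-addr.arpa' -> 'a.b.c.d'; None for anything that is not a
    complete IPv4 reverse name (partial labels, IPv6, ordinary hostnames)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ValueError:
        return None

def parse_query_log(lines):
    """Return (timestamp, client, qname, qtype) for every line that parses."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            events.append((ts, m["client"], m["qname"], m["qtype"]))
    return events

def detect_ptr_sweeps(events, window_seconds=60, threshold=32):
    """Alert when one client resolves >= threshold distinct addresses of a
    single /24 through PTR queries inside a sliding window; one alert per
    (client, /24). Caveat: behind a recursive resolver, 'client' is the
    resolver, not the scanner."""
    recent = defaultdict(deque)      # (client, /24) -> deque of (ts, ip)
    alerts, alerted = [], set()
    for ts, client, qname, qtype in sorted(events, key=lambda e: e[0]):
        ip = ptr_to_ip(qname) if qtype == "PTR" else None
        if ip is None:
            continue
        block = ipaddress.ip_network(f"{ip}/24", strict=False)
        key = (client, block)
        q = recent[key]
        q.append((ts, ip))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {addr for _, addr in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"client": client, "block": str(block),
                           "distinct": len(distinct),
                           "first_seen": q[0][0], "last_seen": ts})
    return alerts

if __name__ == "__main__":
    for a in detect_ptr_sweeps(parse_query_log(SAMPLE_LOG)):
        print(f'{a["client"]} enumerated {a["distinct"]} PTR names in {a["block"]} '
              f'between {a["first_seen"]:%H:%M:%S} and {a["last_seen"]:%H:%M:%S}')
```

The alert fires at the 32nd distinct address, not at the end of the sweep, so a downstream playbook can start watching the block for connection attempts while the enumeration is still running.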

Certificate Transparency Log Monitoring

Continuously monitor Certificate Transparency logs for certificates issued for your domains or directly for your IP addresses (publicly trusted CAs do issue IP-address certificates after validating control of the address). A certificate you did not request for a name or address you own indicates either CA mis-issuance or that an attacker already controls a host in your ranges and completed validation from it; both enable interception. Remember that CT is also a reconnaissance source: every certificate you obtain publishes its hostnames, which attackers resolve back to addresses in your ranges.

Darknet and Sinkhole Analysis

Deploy unused addresses as darknet sensors that log all incoming traffic without advertising any service. Every darknet sees a constant background of internet-wide scanning, so the signal is not traffic versus no traffic but targeted behaviour: sources that walk your ranges sequentially, probe the same ports on your darknet and on your live hosts, or return shortly after a new service appears. The source, timing and nature of those probes show who is interested in your infrastructure and which techniques they use.

Shodan and Scanning Platform Exposure Tracking

Establish continuous automated monitoring of your IP ranges across Shodan, Censys, ZoomEye, and similar internet scanning platforms. Track new service discoveries, exposed ports, and software version changes over time. Sudden increases in discovered hosts or newly exposed services within your IP ranges may indicate either internal infrastructure changes or adversary-initiated scanning that the scanning platforms have subsequently indexed.

Mitigation Measures

While IP address allocations cannot be made fully private, organizations can significantly reduce their attack surface and limit the intelligence value adversaries gain from IP reconnaissance through proactive management and strategic architecture decisions.


Minimize Public IP Exposure

Consolidate internet-facing services behind CDNs (Cloudflare, Akamai), cloud load balancers and reverse-proxy architectures. Funneling traffic through intermediary infrastructure reduces the number of directly exposed addresses and makes it harder to enumerate the actual servers. This only holds if the origins accept connections solely from the CDN's published egress ranges (or over an authenticated tunnel): an origin that still answers on its own public address is one scanning-platform query or historical-DNS lookup away from being found. Migrate internal applications to VPN or Zero Trust Network Access (ZTNA) models that remove direct internet exposure entirely.


Implement RPKI and BGP Security

Create RPKI (Resource Public Key Infrastructure) ROAs for every prefix you advertise, naming the ASN that originates it and a maxLength equal to the longest prefix you actually announce. Networks that perform route origin validation will then reject announcements of your space from any other origin. Two caveats: the protection depends on other networks validating, not on you alone, and an over-permissive maxLength lets an attacker announce a more-specific prefix with your ASN forged as the origin and still validate. Publish AS0 ROAs for address space you hold but never announce, validate routes on your own border routers, and regularly audit what public route collectors see for your prefixes.
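An added example covering this item and the BGP route anomaly detection strategy above; it is not code from the original page. It implements RFC 6811 route origin validation over a constructed ROA table in the column layout of rpki-client's CSV output, and demonstrates the maxLength pitfall. Prefixes are RFC 5737 documentation space, ASNs are private-use, and the trust-anchor name and expiry values are placeholders.

```python
"""Route Origin Validation (RFC 6811) against a set of RPKI ROAs, including the
maxLength pitfall that lets a forged-origin sub-prefix hijack validate.
The ROA table follows the column layout of rpki-client's CSV output and the
announcements are constructed samples: RFC 5737 documentation prefixes and
private-use ASNs, not real routing data."""
import csv
import io
import ipaddress
from typing import NamedTuple, Union


class Roa(NamedTuple):
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    max_length: int
    asn: int


# Constructed, in the shape of `rpki-client -c` output.
ROA_CSV = """ASN,IP Prefix,Max Length,Trust Anchor,Expires
AS64512,203.0.113.0/24,24,demo-ta,1767225600
AS64512,198.51.100.0/22,24,demo-ta,1767225600
AS0,192.0.2.0/24,24,demo-ta,1767225600
"""

# Constructed (prefix, origin ASN) pairs as seen at a route collector.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64512),   # our own announcement
    ("203.0.113.0/25", 64512),   # more-specific with our ASN forged as origin
    ("198.51.100.0/22", 64513),  # wrong origin
    ("198.51.102.0/23", 64512),  # legitimate de-aggregation within maxLength
    ("192.0.2.0/28", 64515),     # retired block protected by an AS0 ROA
    ("198.18.0.0/15", 64512),    # no ROA at all
]


def load_roas(csv_text):
    """Parse rpki-client style CSV rows into Roa records."""
    return [Roa(ipaddress.ip_network(row["IP Prefix"]), int(row["Max Length"]),
                int(row["ASN"].lstrip("AS")))
            for row in csv.DictReader(io.StringIO(csv_text))]


def rov_state(prefix, origin_asn, roas):
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    A ROA covers the announcement when the announced prefix equals or is more
    specific than the ROA prefix. Valid: some covering ROA names the origin ASN
    and the announced length does not exceed its maxLength. Covered but not
    matched: invalid. An AS0 ROA can never match a real origin, so it marks
    space that nobody may announce (RFC 7607)."""
    prefix = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    if any(r.asn == origin_asn and prefix.prefixlen <= r.max_length
           for r in covering):
        return "valid"
    return "invalid"


def audit(announcements, roas):
    """{(prefix, origin): state} for a batch of announcements."""
    return {(p, asn): rov_state(p, asn, roas) for p, asn in announcements}


def loose_maxlength_demo():
    """Why maxLength should equal the longest prefix you really announce: with
    maxLength 25 the forged-origin /25 above becomes ROV-valid (RFC 9319)."""
    tight = [Roa(ipaddress.ip_network("203.0.113.0/24"), 24, 64512)]
    loose = [Roa(ipaddress.ip_network("203.0.113.0/24"), 25, 64512)]
    return (rov_state("203.0.113.0/25", 64512, tight),
            rov_state("203.0.113.0/25", 64512, loose))


if __name__ == "__main__":
    roas = load_roas(ROA_CSV)
    for (p, asn), state in audit(ANNOUNCEMENTS, roas).items():
        print(f"{p:<18} AS{asn:<6} {state}")
    print("forged-origin /25, tight vs loose maxLength:", loose_maxlength_demo())
```

ROV only looks at the origin ASN and prefix length; it says nothing about the rest of the AS path, which is why a monitoring feed that alerts on path changes is still needed alongside it.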


Conduct Regular IP Exposure Audits

Perform monthly automated assessments of your complete IP footprint using Shodan, Censys, and custom scanning tools. Maintain a current inventory of all allocated, advertised, and actively used IP ranges. Cross-reference this inventory with RIR allocation records to identify orphaned or forgotten blocks. Immediately decommission or secure any discovered shadow infrastructure, test servers, or development environments exposed to the public internet.


Deploy Darknet Monitoring

Allocate unused IP ranges as network telescopes or darknets that receive and log all unsolicited traffic. This provides early warning when adversaries discover and probe your IP ranges, as any traffic to unused addresses indicates reconnaissance or scanning activity. Correlate darknet observations with threat intelligence feeds to identify specific threat actors targeting your organization and their operational patterns.


IP Reputation and Threat Intelligence Integration

Subscribe to IP reputation services and threat intelligence platforms that watch your ranges for appearances in botnet lists, spam blocklists (DNSBLs), malware command-and-control databases and exploit-kit targeting lists, and alert automatically on any reputation change affecting your allocated space. A listing usually means one of two things: a host in your range has been compromised and is being used in secondary attacks, or adversaries have begun actively targeting the range. Either way it warrants a rapid response.


Enforce IP Asset Lifecycle Management

Implement formal processes for requesting, allocating, deploying, and decommissioning IP addresses across the organization. Every IP assignment should be tracked in a centralized asset management database with owner, purpose, location, and expiration information. Conduct quarterly reconciliation between RIR allocations, BGP announcements, DNS records, and the internal asset database to ensure complete visibility and eliminate orphaned IP resources that adversaries could discover and exploit.
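An added worked example of the reconciliation this item describes (it also covers the exposure-audit item above); it is not part of the original page. The four inputs, RIR allocations, BGP announcements, CMDB rows and DNS A records, are constructed for a fictional Acme Corp using RFC 5737 documentation prefixes and private-use ASNs, and their column layouts are assumptions about what your own exports might look like.

```python
"""Reconcile RIR allocations, BGP announcements, the internal CMDB and DNS to
surface orphaned, stale and dangling address space. All four inputs are
constructed sample data for a fictional "Acme Corp"; the column layouts are
assumptions of this example, not any vendor's export format."""
import ipaddress
from datetime import date

# Constructed: prefixes your RIR account holds, with registry netnames.
RIR_ALLOCATIONS = {
    "203.0.113.0/24": "ACME-CORP-NET",
    "198.51.100.0/22": "ACME-EU-NET",
    "192.0.2.0/26": "ACME-LEGACY",
    "192.0.2.64/26": "ACME-LAB-RETIRED",
}
# Constructed: prefixes currently originated by your ASNs at a route collector.
BGP_ANNOUNCEMENTS = {
    "203.0.113.0/24": 64512,
    "198.51.100.0/23": 64512,
    "198.51.102.0/23": 64513,
    "192.0.2.0/28": 64515,
    "192.0.2.128/25": 64513,
}
# Constructed CMDB rows: (prefix, owner, status, review_by ISO date).
CMDB_ROWS = [
    ("203.0.113.0/24", "corp-netops", "active", "2025-06-30"),
    ("198.51.100.0/23", "eu-platform", "active", "2025-01-15"),
    ("192.0.2.0/26", "legacy-lab", "decommissioned", "2023-12-31"),
]
# Constructed: A records from your authoritative zones.
DNS_A_RECORDS = {
    "www.acme.example": "203.0.113.10",
    "staging-db.acme-eu.example": "198.51.102.9",
    "old-poc.acme.example": "192.0.2.7",
    "retired-vpn.acme.example": "192.0.2.70",
}
TODAY = date(2025, 3, 1)   # fixed so the sample run is reproducible


def _most_specific(ip_or_net, candidates):
    """Longest-prefix match of an address or network among candidate networks."""
    if isinstance(ip_or_net, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        hits = [c for c in candidates if ip_or_net in c]
    else:
        hits = [c for c in candidates if ip_or_net.subnet_of(c)]
    return max(hits, key=lambda c: c.prefixlen, default=None)


def reconcile(allocations, announcements, cmdb_rows, dns_records, today):
    """Return sorted (finding, subject, detail) tuples."""
    allocs = {ipaddress.ip_network(p): n for p, n in allocations.items()}
    ann = {ipaddress.ip_network(p): asn for p, asn in announcements.items()}
    cmdb = {ipaddress.ip_network(p): (owner, status, date.fromisoformat(d))
            for p, owner, status, d in cmdb_rows}
    findings = []
    # Allocated space nobody announces: retired on purpose, or forgotten?
    for a, name in allocs.items():
        if not any(p.subnet_of(a) for p in ann):
            findings.append(("ALLOCATED_NOT_ANNOUNCED", str(a), name))
    for p, asn in ann.items():
        # Originated by our ASN but absent from our RIR account: an unrecorded
        # transfer, an acquired subsidiary, or a misconfiguration to explain.
        if _most_specific(p, allocs) is None:
            findings.append(("ANNOUNCED_NOT_ALLOCATED", str(p), f"AS{asn}"))
        record = _most_specific(p, cmdb)
        if record is None:
            findings.append(("ANNOUNCED_NO_OWNER", str(p), f"AS{asn}"))
            continue
        owner, status, review_by = cmdb[record]
        if status != "active":
            findings.append((f"ANNOUNCED_BUT_{status.upper()}", str(p), owner))
        elif review_by < today:
            findings.append(("REVIEW_OVERDUE", str(p), f"{owner} due {review_by}"))
    # DNS names that still point into unannounced or decommissioned space.
    for name, ip_str in dns_records.items():
        ip = ipaddress.ip_address(ip_str)
        if _most_specific(ip, ann) is None:
            findings.append(("DNS_POINTS_TO_UNANNOUNCED", name, ip_str))
            continue
        record = _most_specific(ip, cmdb)
        if record is not None and cmdb[record][1] != "active":
            findings.append((f"DNS_POINTS_TO_{cmdb[record][1].upper()}", name, ip_str))
    return sorted(findings)


def sample_findings():
    return reconcile(RIR_ALLOCATIONS, BGP_ANNOUNCEMENTS, CMDB_ROWS,
                     DNS_A_RECORDS, TODAY)


if __name__ == "__main__":
    for kind, subject, detail in sample_findings():
        print(f"{kind:<30} {subject:<28} {detail}")
```

Run monthly from the same exports, each finding maps to a concrete action: return or re-announce the allocated-but-silent block, find an owner for the orphaned /23, withdraw the decommissioned /28 and delete the DNS names that still point into it.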
