Threat Hunting with ASNmap and TLSx


Combining ASNmap and TLSx gives threat hunters an effective way to uncover and combat phishing attacks, malware campaigns, and scams.


For The Threat Hunters

ASNmap enables threat hunters to map organization network ranges using ASN information. Using ASN-to-CIDR and ORG-to-CIDR lookups, threat hunters can identify the network infrastructure associated with the entities behind these threats. This information aids in proactive monitoring, investigation, and dismantling of phishing, malware, and scam networks.

TLSx complements this effort by providing fast and configurable TLS connections. With customizable cipher suites, SNI, and TLS versions, TLSx lets threat hunters collect and analyze TLS handshake data (certificates, negotiated parameters, fingerprints) from the hosts behind these threats. By leveraging JARM/JA3 TLS fingerprinting and detecting TLS misconfigurations, TLSx helps identify malicious actors and their infrastructure.

Empowered

The combination of ASNmap and TLSx empowers threat hunters to:

  1. Uncover Phishing Campaigns: By mapping CIDR ranges associated with phishing ASNs and analyzing TLS connections, threat hunters can reveal the infrastructure used for phishing attacks, aiding in detection and mitigation efforts.
  2. Detect Malware Campaigns: ASNmap’s network mapping capabilities, along with TLSx’s analysis of TLS connections, enable threat hunters to identify and track malicious infrastructure used for malware command and control (C2) communication, helping disrupt malware campaigns.
  3. Identify Scam Networks: Leveraging ASNmap’s organization mapping and TLSx’s TLS analysis, threat hunters can expose interconnected CIDR ranges and TLS connections associated with scams, facilitating the understanding and dismantling of scam networks.

The combination of ASNmap and TLSx provides threat hunters visibility into the infrastructure behind phishing, malware, and scam activities.

How to install and work with it

The team at ProjectDiscovery.io shared a nice command to map out IP ranges of an ASN and extract linked domain names from them.


Use asnmap and tlsx to map out the IP ranges of an ASN and then extract domain names from their TLS certificates! - ProjectDiscovery.io

ASNmap

ASNmap is a powerful command-line interface (CLI) tool and library designed to swiftly map organization network ranges using Autonomous System Number (ASN) information.

ASNmap project on Github

Key Features:

  • ASN to CIDR Lookup: ASNmap allows you to look up and map CIDR ranges associated with a specific ASN, providing valuable information about an organization’s network infrastructure.
  • ORG to CIDR Lookup: With ASNmap, you can also perform CIDR lookups based on an organization’s name, enabling you to map network ranges related to a particular entity.
  • DNS to CIDR Lookup: The tool supports mapping CIDR ranges based on domain names, giving you insights into the IP address ranges associated with a specific domain.
  • IP to CIDR Lookup: ASNmap enables you to retrieve CIDR information for a given IP address, helping you determine the network range to which an IP belongs.
  • ASN/DNS/IP/ORG input: You can input ASN, DNS, IP, or organization names into ASNmap, providing flexibility in retrieving CIDR mapping information based on different types of input.
  • JSON/CSV/TEXT output: The tool offers multiple output formats, including JSON, CSV, and plain text, allowing you to choose the most convenient format for further analysis or integration with other tools.
  • STD IN/OUT support: ASNmap supports standard input/output streams, enabling seamless integration with other command-line tools and scripts.

TLSx

TLSx project on Github.com

TLSx is a versatile and efficient tool designed specifically for cybersecurity professionals, offering a wide range of features for TLS-based data collection and analysis.

Key Features:

  • Swift and configurable TLS connections: TLSx allows for fast and customizable TLS connections, enabling quick and adaptable data retrieval.
  • Multiple TLS connection modes: The tool offers various modes for establishing TLS connections, giving users the flexibility to choose the most suitable option for their specific needs.
  • Multiple TLS probes: TLSx supports the use of multiple probes, enhancing the accuracy and comprehensiveness of TLS data collection.
  • Automatic TLS fallback for older versions: When a server does not support a newer TLS version, TLSx automatically falls back to an older one, so such hosts are still covered by the collection.
  • Pre-Handshake TLS connection (early termination): This mode closes the connection early in the handshake rather than completing it, which speeds up collection when a full handshake is not needed.
  • Customizable cipher suites, SNI, and TLS versions: Users have the ability to customize and fine-tune their TLS connections by selecting specific cipher suites, Server Name Indications (SNI), and TLS versions.
  • JARM/JA3 TLS fingerprinting: TLSx incorporates JARM and JA3 TLS fingerprinting techniques, providing valuable insights for identifying and classifying TLS connections.
  • Detection of TLS misconfigurations: The tool identifies and reports any misconfigurations within TLS connections, aiding in the detection of potential vulnerabilities.
  • Support for ASN, CIDR, IP, HOST, and URL input: TLSx accepts various input formats, including Autonomous System Numbers (ASN), Classless Inter-Domain Routing (CIDR) notation, IP addresses, hosts, and URLs, facilitating versatile data collection.
  • Flexible output options: TLSx allows for output through standard input/output streams (STD IN/OUT) or in TXT/JSON formats, offering flexibility for further analysis.

Example

You can use the following command to try the combination of the tools (replace [ASN] with the AS number you want to map):

echo [ASN] | asnmap -silent | tlsx -san -cn -silent -resp-only | sort -u
ProjectDiscovery.io showcasing the combination of ASNmap and TLSx tools
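The command above throws away the link between each IP and the names found on its certificate, because `-resp-only` prints only the names. The following added example (mine, not ProjectDiscovery's code) shows how a hunter can keep that link: it takes asnmap's plain-text output (one CIDR per line) and tlsx JSON output (`tlsx -san -cn -json`), extracts and normalizes CN and SAN names, and builds a domain-to-IP inventory, flagging any host whose IP falls outside the mapped ranges. The tlsx field names `ip`, `subject_cn` and `subject_an` are assumed from its JSON output and should be checked against your installed version; the AS number and IP ranges in the sample data are constructed from documentation-reserved values.

```python
"""Join asnmap CIDR output with tlsx JSON output into a domain inventory.

Added example for the asnmap | tlsx pipeline; not part of either project.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample of what `echo AS64496 | asnmap -silent` prints: one CIDR per line.
# AS64496 and these prefixes are reserved for documentation and route nowhere.
ASNMAP_OUTPUT = """203.0.113.0/24
198.51.100.0/24
"""

# Constructed sample of `tlsx -san -cn -json` lines. The field names (ip, port,
# subject_cn, subject_an) are ASSUMED from tlsx's JSON output; verify them locally.
# The last record has an IP outside the mapped ranges on purpose.
TLSX_OUTPUT = """{"ip":"203.0.113.10","port":"443","subject_cn":"login.example.com","subject_an":["login.example.com","*.example.com"]}
{"ip":"203.0.113.11","port":"443","subject_cn":"Mail.Example.COM","subject_an":["mail.example.com"]}
{"ip":"198.51.100.5","port":"443","subject_cn":"cdn.example.net","subject_an":["cdn.example.net","static.example.net"]}
{"ip":"192.0.2.7","port":"443","subject_cn":"stray.example.org","subject_an":[]}
"""


def parse_cidrs(text):
    """Turn asnmap's text output into ip_network objects, skipping blank lines."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]


def normalize_name(name):
    """Lowercase, drop a trailing dot and a leading wildcard label so that
    '*.Example.COM.' and 'example.com' collapse to the same inventory entry."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def extract_names(record):
    """Collect the CN and all SANs from one tlsx JSON record as normalized names."""
    names = set()
    cn = record.get("subject_cn")
    if cn:
        names.add(normalize_name(cn))
    for san in record.get("subject_an") or []:
        names.add(normalize_name(san))
    return names


def build_inventory(asnmap_text, tlsx_text):
    """Return (in_scope, out_of_scope): two dicts mapping domain -> set of IPs.

    in_scope holds names seen on hosts inside the asnmap ranges; out_of_scope
    holds names from hosts that are not in any mapped range (a sign the tlsx
    input did not come from the asnmap output you think it did).
    """
    nets = parse_cidrs(asnmap_text)
    in_scope = defaultdict(set)
    out_of_scope = defaultdict(set)
    for line in tlsx_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ip = ipaddress.ip_address(rec["ip"])
        target = in_scope if any(ip in net for net in nets) else out_of_scope
        for name in extract_names(rec):
            target[name].add(str(ip))
    return dict(in_scope), dict(out_of_scope)


def unique_domains(inventory):
    """Sorted, de-duplicated domain list: the equivalent of the `sort -u` step."""
    return sorted(inventory)


if __name__ == "__main__":
    inside, outside = build_inventory(ASNMAP_OUTPUT, TLSX_OUTPUT)
    for domain in unique_domains(inside):
        print(f"{domain:28} {', '.join(sorted(inside[domain]))}")
    for domain, ips in sorted(outside.items()):
        print(f"OUT OF MAPPED RANGES: {domain} on {', '.join(sorted(ips))}")
```

In a real run, replace the two constants with the contents of the files produced by `echo AS... | asnmap -silent > ranges.txt` and `tlsx -l ranges.txt -san -cn -json > certs.jsonl`; the inventory then tells you which names share infrastructure, which is what the "interconnected CIDR ranges" point above is about.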


Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
