Course: Deep Dive into Open-Source Intelligence
Introduction to RIRs
- [Narrator] While ethical hacking sounds exciting, the only thing that makes you different from cyber criminals is that you have authorization. It's a fine line between being an ethical hacker and breaking the law. A colleague of mine once hacked into a router within the scope and rules of engagement agreed upon by him and his client. After getting access to the router, things weren't making sense, and my colleague called his client to go over his findings. When he read back the IP address for the compromised router, the client apologized, and said he made a typo on the IP address. It quickly dawned on my colleague that he had just hacked into someone else's router and, to make things worse, the compromised router belonged to the US government. Ever since hearing my colleague's story, and how his client's mistake could have sent him to jail for a long time, I've been diligent about double-checking the scope of work during offensive security engagements. One tool I regularly use to verify that IP addresses belong to my clients is Regional Internet Registries, or RIRs for short. RIRs are organizations that manage the allocation and registration of IP addresses within different regions of the world. ARIN has jurisdiction over North America. AFRINIC covers Africa. APNIC is responsible for Asia Pacific. LACNIC serves Latin America and some of the Caribbean islands, and RIPE contains registrations from Europe, the Middle East and Central Asia. RIRs can be used for more than just checking IP addresses given to you by clients. Using an RIR's Whois search function or API integration, you can search by organization name. If your target organization has IP addresses registered under their name, you'll not only get network ranges containing external IP addresses registered to your target, but you'll also get the date of registration, last updated date, and their full address.
If there are no matches found in the RIR you're using to search, you may need to search other registrars in different regions. After searching all five RIRs without any results for your target organization, it may mean one of a few things. First, I've seen companies acquire other businesses or take over internet contracts from other organizations where the internet provider did not update the local RIR with the name change. Second, if your target organization did not purchase a static IP address, or is paying for a low cost internet service, the public IP address being used for your target may be registered under the internet provider's name instead of the target organization. Finally, if the organization is using cloud services or a co-location facility, the IP addresses in use may be registered under the cloud provider or co-location facility's name. While using RIRs as part of your technical reconnaissance can provide new IP address ranges, the physical location of your target and more, don't make the false assumption that IP addresses registered to your target organization are the only IP addresses they use.
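The scope check the narrator describes, as an added example that is not part of the course: it parses constructed ARIN-style Whois text and reports whether each in-scope IP falls in a range registered to the client, to another organization, or to no record at all. The sample records, organization names and the function names `parse_records` and `check_scope` are assumptions made for illustration.

```python
import ipaddress

# Constructed ARIN-style Whois output (documentation ranges, fictitious orgs).
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.127
NetName:        EXAMPLE-CLIENT-NET
OrgName:        Example Client Inc.
RegDate:        2015-03-02
Updated:        2021-07-19

NetRange:       198.51.100.0 - 198.51.100.255
NetName:        OTHER-NET
OrgName:        Unrelated Agency
RegDate:        2009-11-12
Updated:        2019-01-05
"""

def parse_records(text):
    """Split Whois text into records of (list of networks, org name)."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = dict(
            (k.strip(), v.strip())
            for k, v in (ln.split(":", 1) for ln in block.splitlines() if ":" in ln)
        )
        # NetRange is "first - last"; convert it to CIDR networks.
        first, last = (ipaddress.ip_address(p.strip())
                       for p in fields["NetRange"].split(" - "))
        nets = list(ipaddress.summarize_address_range(first, last))
        records.append((nets, fields["OrgName"]))
    return records

def check_scope(scope_ips, records, client_org):
    """Map each scope IP to 'confirmed', 'other-org: <name>' or 'no-record'."""
    results = {}
    for raw in scope_ips:
        ip = ipaddress.ip_address(raw)
        owner = next((org for nets, org in records
                      if any(ip in n for n in nets)), None)
        if owner is None:
            results[raw] = "no-record"
        elif owner.casefold() == client_org.casefold():
            results[raw] = "confirmed"
        else:
            results[raw] = f"other-org: {owner}"
    return results

if __name__ == "__main__":
    scope = ["203.0.113.10", "203.0.113.200", "198.51.100.10"]
    verdicts = check_scope(scope, parse_records(SAMPLE_WHOIS), "Example Client Inc.")
    for ip, verdict in verdicts.items():
        print(f"{ip:16} {verdict}")
```

Anything other than `confirmed` is a reason to go back to the client before testing: it may be a typo in the scope, or an address registered under an internet provider, cloud provider or co-location facility as the narrator describes.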