MSTICPy supports enriching IP address information with data from open source Whois services. Lookups are possible against IPs and ASNs (Autonomous System Numbers).
Whois lookups can be performed against a single IP address or as a bulk lookup against a list or DataFrame column.
The ip_whois function looks up a single IP address and returns the results as a Python dictionary.
>>> from msticpy.iptools import ip_whois
>>> ip_whois("65.55.44.109")
('MICROSOFT-CORP-MSN-AS-BLOCK, US', {'asn': '8075', 'query': '65.55.44.109', 'asn_cidr': '65.52.0.0/14', 'asn_country_code': 'US', 'asn_registry': 'arin', 'asn_date': '2001-02-14', 'asn_description': 'MICROSOFT-CORP-MSN-AS-BLOCK, US', 'nets': [{'cidr': '65.52.0.0/14', 'handle': 'NET-65-52-0-0-1', 'name': 'MICROSOFT-1BLK', 'startAddress': '65.52.0.0', 'endAddress': '65.55.255.255', 'created': None, ...
You can also look up a single IP address using the IpAddress.whois function. This returns results as a pandas DataFrame.
>>> IpAddress.whois(["123.1.2.3", "124.5.6.7"])
If a list of IP addresses (or a pandas Series) is passed to ip_whois, the data is returned as a DataFrame.
This same feature can be accessed using the mp pandas accessor or via the IpAddress.whois pivot function.
Using the mp pandas accessor:
>>> df.mp.whois(ip_column="IPAddress")
Using the whois pivot function:
>>> IpAddress.whois(["123.1.2.3", "124.5.6.7"])
>>> IpAddress.whois(data=df, column="IP")
It is also possible to look up details of the ASN that an IP address belongs to. This is done with the get_asn_from_ip function.
>>> from msticpy.iptools import get_asn_from_ip
>>> get_asn_from_ip("65.55.44.109")
{'AS': '8075', 'IP': '65.55.44.109', 'BGP Prefix': '65.52.0.0/14', 'CC': 'US', 'Registry': 'arin', 'Allocated': '2001-02-14', 'AS Name': 'MICROSOFT-CORP-MSN-AS-BLOCK, US'}
The same function is also accessible via the IpAddress.whois_asn pivot function:
>>> IpAddress.whois_asn("65.55.44.109")
This function accepts a single IP, an iterable of IPs or a DataFrame (in the latter case, specify the DataFrame via the data parameter and the IP column via the column parameter).
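The record returned by get_asn_from_ip carries the BGP prefix, which lets a triage script resolve a batch of alert IPs with one Whois query per prefix instead of one per address. The following is an added example, not part of the MSTICPy documentation or code base: group_by_asn, fake_lookup and the sample record are hypothetical names, and the record shape is assumed to match the output shown above. Non-routable and malformed values are set aside rather than sent to the Whois service.

```python
import ipaddress
from collections import defaultdict

# Constructed sample record, mirroring the get_asn_from_ip output shown above.
SAMPLE_RECORD = {
    "AS": "8075", "IP": "65.55.44.109", "BGP Prefix": "65.52.0.0/14",
    "CC": "US", "Registry": "arin", "Allocated": "2001-02-14",
    "AS Name": "MICROSOFT-CORP-MSN-AS-BLOCK, US",
}
LOOKUP_CALLS = []  # records which IPs actually triggered a lookup


def fake_lookup(ip):
    """Offline stand-in for get_asn_from_ip (hypothetical helper)."""
    LOOKUP_CALLS.append(ip)
    return dict(SAMPLE_RECORD, IP=ip)


def group_by_asn(ips, lookup):
    """Group IPs by ASN, issuing at most one lookup per BGP prefix.

    Returns (groups, skipped): groups maps (AS, AS Name) to a list of IPs;
    skipped holds values that are not valid, globally routable addresses.
    """
    prefixes = []  # [(ip_network, record)] for prefixes already resolved
    groups, skipped = defaultdict(list), []
    for raw in ips:
        try:
            addr = ipaddress.ip_address(str(raw).strip())
        except ValueError:
            skipped.append(raw)  # malformed value from the log source
            continue
        if not addr.is_global:  # private, loopback, link-local, reserved
            skipped.append(raw)
            continue
        record = next((rec for net, rec in prefixes if addr in net), None)
        if record is None:
            record = lookup(str(addr))
            prefix = record.get("BGP Prefix")
            if prefix:
                prefixes.append((ipaddress.ip_network(prefix, strict=False), record))
        groups[(record.get("AS"), record.get("AS Name"))].append(str(addr))
    return dict(groups), skipped


if __name__ == "__main__":
    ips = ["65.55.44.109", "65.52.1.1", "10.0.0.5", "not-an-ip"]
    print(group_by_asn(ips, fake_lookup))
```

With MSTICPy installed, pass get_asn_from_ip in place of fake_lookup.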
You can also look up details of a specific ASN. get_asn_details can be used to get details based on an ASN, along with details of the IP ranges belonging to that ASN.
>>> from msticpy.iptools import get_asn_details
>>> get_asn_details("AS3598")
{'Autonomous Number': 'AS3598', 'AS Name': 'MICROSOFT', 'Description': 'MICROSOFT', 'Contact': 'radb@microsoft.com', 'Last Updated': 'mkasten@microsoft.com 20180125', 'ranges': ['167.220.204.0/22', '157.57.0.0/16', '157.58.0.0/16', '157.58.31.0/24', '157.58.192.0/19', '157.59.0.0/16', ...
It is also possible to search ASNs based on the AS Name. For example, you can search for "Microsoft" to see a list of all ASNs that are associated with Microsoft with get_asns_from_name.
>>> from msticpy.iptools import get_asns_from_name
>>> get_asns_from_name("Microsoft")
{'AS3598': 'MICROSOFT-CORP-AS, US', 'AS5761': 'MICROSOFT-CORP-MSN-AS-SATURN, US', 'AS6182': 'MICROSOFT-CORP-MSN-AS-4, US', 'AS6291': 'MICROSOFT-CORP-MSN-AS, US', 'AS6584': 'MICROSOFT-GP-AS, US', ...