Driftnet API

A comprehensive RESTful JSON API.

IP Registrations

Overview

Driftnet contains comprehensive IP registration data, and makes that data reverse-searchable.

Quick Summary

To get a quick summary of Driftnet's take on the owner/user of an IP address, call the ip/summary endpoint:

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/ip/summary?ip=8.8.8.8' \
  | jq .
{
  "domain": {
    "apex_domain": "dns.google",
    "cidr": "8.8.8.8/32",
    "context": "rdns"
  },
  "entity": {
    "cidr": "8.8.8.0/24",
    "context": "bgpasn",
    "name": "Google LLC"
  }
}

The result contains two sections: domain, which shows the apex domain associated with the IP address, and entity, which shows the name of the owning organization. Both results also show a context which describes why Driftnet has made this association, and the enclosing CIDR block to which this summary applies.

Optionally, we can restrict the summary to one of Driftnet's data sources: whois, bgp, rwhois or rdns. For example,

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/ip/summary?ip=8.8.8.8&restrict=whois' \
  | jq .
{
  "domain": {
    "apex_domain": "google.com",
    "cidr": "8.8.8.0/24",
    "context": "net"
  },
  "entity": {
    "cidr": "8.8.8.0/24",
    "context": "net",
    "name": "Google LLC"
  }
}

Reverse Searching

One of the most powerful features of Driftnet is the ability to reverse-search IP registration data. Reverse searching is often essential for asset discovery.

IP registration reverse search uses the ip/reverse endpoint. The query you'll want to use most often is phrase=:

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/ip/reverse?phrase=virgin+atlantic' \
  | jq .
{
  "page": 0,
  "pages": 1,
  "result_count": 29,
  "results": [
    {
      "cidr": "108.178.189.8/29",
      "contexts": [
        "net"
      ],
      "matches": [
        "VIRGIN ATLANTIC AIRWAYS"
      ]
    },
    ...

Driftnet returns a maximum of 100 results per page. Use the page= parameter to select a particular page number. Page numbering starts at zero. The contexts field tells you how Driftnet made each match.

For more fine-grained control over where the reverse search matches, use the address= and phone= parameters. To search organization names, but allow the terms to occur in any order, use the name= parameter.

Other useful reverse searches are domain:

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/ip/reverse?domain=virginatlantic.com' \
  | jq .

...and email:

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/ip/reverse?email=<email-address>' \
  | jq .

Enclosing Ranges

When reverse-searching, it can be annoying to see IP ranges which are enclosed completely within other results.

For example, if you get a result 8.8.0.0/16, you might not want to also be told about 8.8.8.0/24. If that is the case, set the outer_only=true parameter:

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/ip/reverse?phrase=virgin+atlantic&outer_only=true' \
  | jq .
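The paging rule above (100 results per page, page= starting at zero) and the outer_only behaviour are easy to get wrong in a script, so here is an added Python example (not Driftnet's own code) that walks every page of an ip/reverse query and also applies the enclosing-range filter client-side, which is useful when you want both the full result set and the outer ranges from a single pull. The sample pages are constructed to match the response shape shown above; fetch_live_page is the assumed real call and is not invoked when the module runs offline.

```python
import ipaddress
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

API = "https://api.driftnet.io/v1/ip/reverse"
PAGE_SIZE = 100  # Driftnet returns at most 100 results per page; page numbers start at 0

# Constructed sample pages in the shape of the ip/reverse response on this page.
SAMPLE_PAGES = [
    {"page": 0, "pages": 2, "result_count": 4, "results": [
        {"cidr": "8.8.0.0/16", "contexts": ["net"], "matches": ["EXAMPLE ORG"]},
        {"cidr": "8.8.8.0/24", "contexts": ["net"], "matches": ["EXAMPLE ORG"]},
    ]},
    {"page": 1, "pages": 2, "result_count": 4, "results": [
        {"cidr": "8.8.8.8/32", "contexts": ["rdns"], "matches": ["example.org"]},
        {"cidr": "203.0.113.0/24", "contexts": ["net"], "matches": ["EXAMPLE ORG"]},
    ]},
]


def fetch_sample_page(phrase: str, page: int) -> Dict:
    """Offline stand-in for one GET of ip/reverse?phrase=...&page=... (constructed data)."""
    return SAMPLE_PAGES[page]


def fetch_live_page(phrase: str, page: int, token: str) -> Dict:
    """Assumed real call: same endpoint and Bearer header as the curl examples above."""
    url = API + "?" + urllib.parse.urlencode({"phrase": phrase, "page": page})
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def reverse_search_all(fetch_page: Callable[[str, int], Dict], phrase: str) -> List[Dict]:
    """Follow page= from 0 until the server's 'pages' count is exhausted."""
    results, page = [], 0
    while True:
        body = fetch_page(phrase, page)
        results.extend(body["results"])
        page += 1
        if page >= body["pages"]:
            return results


def drop_enclosed(results: List[Dict]) -> List[Dict]:
    """Client-side outer_only=true: keep ranges not contained in another result's range."""
    nets = [ipaddress.ip_network(r["cidr"], strict=False) for r in results]
    keep = []
    for r, net in zip(results, nets):
        enclosed = any(o != net and net.subnet_of(o) for o in nets if o.version == net.version)
        if not enclosed:
            keep.append(r)
    return keep


def outer_cidrs(phrase: str, fetch_page=fetch_sample_page) -> List[str]:
    return [r["cidr"] for r in drop_enclosed(reverse_search_all(fetch_page, phrase))]
```

To run it against the live API, pass `lambda p, n: fetch_live_page(p, n, token)` as fetch_page.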

IP WHOIS

We can search IP WHOIS data using the ip/whois endpoint.

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/ip/whois?ip=8.8.8.8' \
  | jq .
{
  "net": {
    "cidr": "8.8.8.0/24",
    "name_address": [],
    "net_name": "LVLT-GOGL-8-8-8",
    "created": "2014-03-14T16:52:05.000Z",
    "last_modified": "2014-03-14T16:52:05.349Z",
    "registry": "ARIN"
  },
  "org": {
    "address": [
      "1600 Amphitheatre Parkway",
      "Mountain View",
      "CA",
      "94043",
      "US"
    ],
    "cidr": "8.8.8.0/24",
    "name": "Google LLC",
    "created": "2000-03-30T00:00:00.000Z",
    "last_modified": "2019-10-31T15:45:45.762Z",
    "registry": "ARIN"
  }
}

This endpoint returns information on the net (network block) surrounding the IP, and the org (organization) that is responsible for it.

The API also makes available more detailed information on the points-of-contact associated with the IP address:

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/ip/whois/pocs?ip=8.8.8.8' \
  | jq .
[
  {
    "address": [
      "1600 Amphitheatre Parkway",
      "Mountain View",
      "CA",
      "94043",
      "US"
    ],
    "cidr": "8.8.8.0/24",
    "name": "Google Inc.",
    "types": [
      "org-abuse"
    ],
    "created": "2015-11-06T15:36:35.219Z",
    "emails": [
      "[email protected]"
    ],
    "last_modified": "2022-10-24T08:43:11.730Z",
    "registry": "ARIN"
  },
  ...
]

Notice the types section here: this describes the type, or role, of point-of-contact being reported. Where the same point-of-contact is repeated in multiple roles, this array has multiple entries.

BGP WHOIS

IP WHOIS data shows the registered user of IP space. BGP WHOIS ("pwhois") data is a little different: it first checks the internet's core routing tables to see where traffic for your target IP address is actually routed, and then returns the registration data for the Autonomous System associated with that route.

In other words, BGP WHOIS can tell you who is actually using an IP address, not just who owns it. IP WHOIS and BGP WHOIS each have their advantages, and you'll typically want to check both.

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/ip/pwhois?ip=8.8.8.8' \
  | jq .
{
  "as": {
    "as_name": "GOOGLE",
    "as_number": "AS15169",
    "cidr": "8.8.8.0/24",
    "name_address": [],
    "created": "2000-03-30T00:00:00.000Z",
    "last_modified": "2012-02-24T09:44:34.000Z",
    "registry": "ARIN"
  },
  "org": {
    "address": [
      "1600 Amphitheatre Parkway",
      "Mountain View",
      "CA",
      "94043",
      "US"
    ],
    "as_name": "GOOGLE",
    "as_number": "AS15169",
    "cidr": "8.8.8.0/24",
    "name": "Google LLC",
    "created": "2000-03-30T00:00:00.000Z",
    "last_modified": "2019-10-31T15:45:45.762Z",
    "registry": "ARIN"
  }
}

To get point-of-contact information for BGP WHOIS, call ip/pwhois/pocs, which works in a similar way to ip/whois/pocs:

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/ip/pwhois/pocs?ip=8.8.8.8' \
  | jq .

Both the ip/pwhois and ip/pwhois/pocs endpoints accept an asn= parameter, which can be used to look up registration data by Autonomous System Number.

Referral WHOIS

Referral WHOIS ("rwhois") is ISP-level IP WHOIS data. It can be a little messy compared to the higher-level data, but it can still be useful. You can search it using the ip/rwhois endpoint.

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/ip/rwhois?ip=104.149.7.236' \
  | jq .

DNS PTR records

Driftnet collects reverse DNS records (DNS PTRs) for the entire IPv4 space, and summarizes them. To see the CIDR around a specific IP address, call ip/rdns:

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/ip/rdns?ip=104.149.7.236' \
  | jq .

BGP routes

To find the Autonomous Systems advertising routes to a specific IP address, call ip/routes with the ip parameter set:

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/ip/routes?ip=8.8.8.8' \
  | jq .

To find all routes advertised by a particular AS, use the same endpoint with the asn parameter:

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/ip/routes?asn=AS15169' \
  | jq .