Irpass-Ass is an autonomous system scanner designed to find the AS of the router. It supports the following protocols: IRDP, IGRP, EIGRP, RIPv1, RIPv2, CDP, HSRP and OSPF.
In passive mode (./ass -i eth0), Irpass-Ass just listens to routing protocol packets (such as broadcast and multicast hellos).
In active mode (./ass -i eth0 -A), it tries to discover routers by asking for information. The requests are sent to the appropriate address for each protocol (either broadcast or multicast addresses). If you specify a destination address, it will be used, but it may not be as effective as the defaults.
EIGRP scanning is done differently: while scanning, ASS listens for HELLO packets and then scans the AS directly on the router that advertised itself. You can force EIGRP scanning into the same AS-scan behavior that IGRP uses by giving a destination, or into multicast scanning with the option -M.
For active mode, you can select the protocols you want to scan for. If you don't select any, all are scanned. You select protocols by giving the option -P and any combination of the following characters: IER12, where:
I = IGRP
E = EIGRP
R = IRDP
1 = RIPv1
2 = RIPv2
Usage: ./ass [-v[v[v]]] -i <interface> [-p] [-c] [-A] [-M] [-P IER12] -a <autonomous system start> -b <autonomous system stop> [-S <spoofed source IP>] [-D <destination ip>] [-T <packets per delay>]
Options:
-i <interface>            interface
-v                        verbose
-A                        this sets the scanner into active mode
-P <protocols>            see above (usage: -P EIR12)
-M                        EIGRP systems are scanned using the multicast address and not by HELLO enumeration and direct query
-a <autonomous system>    autonomous system to start from
-b <autonomous system>    autonomous system to stop with
-S <spoofed source IP>    maybe you need this
-D <destination IP>       if you don't specify this, the appropriate address per protocol is used
-p                        don't run in promiscuous mode (bad idea)
-c                        terminate after scanning. This is not recommended, since answers may arrive later and you could see some traffic that did not show up during your scans
-T <packets per delay>    how many packets are sent before waiting some milliseconds (-T 1 is the slowest scan; -T 100 begins to become unreliable)
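Seen from the network being scanned, an active sweep from -a to -b shows up as one source using many AS numbers in a short time, while a real router stays in one or a few. The following is an added example, not part of the tool or its documentation: it assumes each probe carries the tested AS number in the EIGRP fixed header (layout per RFC 7868), ignores the opcode, and uses constructed packets; the function names, window and threshold are hypothetical.

```python
import struct
from collections import defaultdict

# EIGRP fixed header per RFC 7868 (assumed layout): version, opcode, checksum,
# flags, sequence, ack, virtual router ID, autonomous system number (20 bytes).
EIGRP_HDR = struct.Struct("!BBHIIIHH")

def eigrp_as(payload):
    """Return the AS number from an EIGRP payload, or None if it is truncated."""
    if len(payload) < EIGRP_HDR.size:
        return None
    return EIGRP_HDR.unpack_from(payload)[7]

def find_as_sweeps(observations, window=10.0, max_distinct=3):
    """observations: iterable of (timestamp, source_ip, eigrp_payload).
    Returns {source_ip: sorted AS list} for every source that used more than
    max_distinct AS numbers inside any span of `window` seconds."""
    per_source = defaultdict(list)
    for ts, src, payload in observations:
        asn = eigrp_as(payload)
        if asn is not None:              # truncated packets are skipped
            per_source[src].append((ts, asn))
    flagged = {}
    for src, events in per_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({a for _, a in events[start:end + 1]}) > max_distinct:
                flagged[src] = sorted({a for _, a in events})
                break
    return flagged

def _pkt(opcode, asn):
    # Constructed packet: checksum left at zero, not taken from a capture.
    return EIGRP_HDR.pack(2, opcode, 0, 0, 0, 0, 0, asn)

# Constructed sample traffic (documentation address range 192.0.2.0/24).
SAMPLE = (
    [(i * 5.0, "192.0.2.1", _pkt(5, 100)) for i in range(6)]       # one AS only
    + [(20.0 + i * 0.1, "192.0.2.66", _pkt(5, 1 + i)) for i in range(20)]  # AS 1..20 in 2 s
    + [(21.0, "192.0.2.9", b"\x02\x05")]                           # truncated
)

if __name__ == "__main__":
    for src, as_list in find_as_sweeps(SAMPLE).items():
        print(f"{src}: {len(as_list)} distinct AS numbers ({as_list[0]}..{as_list[-1]})")
```

Tune window and max_distinct to the number of routing domains a legitimate router on the segment participates in.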