Finding a companys IP ranges
To place an attack into the right direction you will sooner or later be able to find their oficcially owned IP addresses and webservers.
Below is a list of notes I use to accomplish this task
curl -s http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip | gunzip | cut -d"," -f3 | sed 's/"//g' | sort -u | grep -i [what ever your searching for]
You'll get the AS of your search string)
whois -h whois.radb.net -- '-i origin ASxxxxx' | grep -Eo "([0-9a-f.:]+){4}/[0-9]+"
This will list the IP v4+v6 addresses associated with the AS
Download use ans search the whois databases from:
ftp://ftp.ripe.net/ripe/dbase/
ftp://ftp.apnic.net/apnic/whois/
https://github.com/RIPE-NCC/whois.git