Many unconventional methods of network enumeration go far beyond the traditional whois, ping sweeps, and traceroute. One such method is using Google to find complete or nearly complete Cisco router and switch configuration files as well as other relevant pieces of data, such as MRTG web pages and configs. With some luck, you can even take over a misconfigured router or switch using nothing but your favorite web browser.
Another approach is to query the BGP protocol, either directly or via searching routing registry databases that are very likely to contain useful data about the network range of interest. The easiest way to find all networks that belong to an organization; their addresses, netmasks, and use; links to the outside world; border routers; connected networks; and directions of traffic flow on the Internet is to ask BGP about it. An attacker who plans a traffic rerouting and modification or a DDoS attack will find such information very useful.
As to enumeration of IGPs, unless the network border router is misconfigured, you need to be on the network the protocol runs through and you won't be able to do anything from the Internet. However, there are hacked-in hosts, internal attackers, social engineering, rogue devices, wireless, and other methods; thus there are many cases in which IGP enumeration comes in handy. When performed properly, the investigation of IGP routing provides an attacker with a complete map of the network and a lot of details about the routers involved. No network reconnaissance is better than this.