Wednesday, October 27, 2010

The best tools and methods to track down suspect IP addresses and URLs

There are many reasons why you might need to track down an IP address. You might have discovered a hacking attempt in one of your logs. You might think you have found a spammer that you want to add to a black list. The “why” are as many as are the “how.” Every operating system has different tools for helping you track down an IP address. Compounded with this is that any tool that makes use of an IP address also has different tools for this purpose. So where do you start? What’s the easiest way to find IP addresses and help locate their sources?

I’m assuming you know what an IP address is and what it does, but that’s about it. Much of this information will be common knowledge to the seasoned administrator, but new administrators or support techs might glean some useful information here.

Finding the IP address for a URL

Let’s say whatever application you are using gives you a URL for an address that you want to block or track (for whatever reason). If you need the IP address of that URL there is a very simple way to do that - use ping. Let’s use google.com as an example. To find the IP address of that URL I would open up a command prompt in Windows (launch Terminal in Mac or from the command line in Linux) and type:

ping google.com

From that command you should see something like:

64 bytes from google.com (74.111.159.104): icmp_seq=1 ttl=52 time=29.0 ms

As you can see, the ping tool resolves the URL google.com to an IP address; in this example the address is 74.111.159.104. This can be a bit misleading, because that IP address might be only one of many associated with the domain. You can list all of the IP addresses associated with a URL using the nslookup command like so:

nslookup google.com

The above command should report something similar to:

Non-authoritative answer:
Name:    google.com
Address: 74.111.159.104
Name:    google.com
Address: 74.111.159.105
Name:    google.com
Address: 74.111.159.106
Name:    google.com
Address: 74.111.159.107
Name:    google.com
Address: 74.111.159.108
Name:    google.com
Address: 74.111.159.109

From the above information you should notice that the answers received are non-authoritative, which means they came from your resolver’s cache rather than from a name server that is in charge of (authoritative for) the domain. Let’s use the same tool to find the authoritative name server for the domain. To do this, first issue the command nslookup with no arguments. This will bring you a prompt that looks like:

>

Now set the querytype like so:

> set querytype=soa

and then enter the domain:

> google.com

You will then see output that looks like that shown in Figure A.

Figure A

Now you can see that the name server in charge of the domain google.com (its primary name server, ns1.google.com) is at 216.239.32.10.

Finding the URL for an IP address

If you ping an IP address you will not receive a domain name back. I know, I know…it’s unfair, but it’s the way it goes. So, how can you get the URL from an IP address? Simple: you take advantage of nslookup again, this time giving it the IP address instead of the name. To do this, issue the command:

nslookup 216.239.32.10

And you will see something like:

Non-authoritative answer:
10.32.239.216.in-addr.arpa    name = ns1.google.com.

You instantly know that the IP address is associated with google.com. Of course, you could also just enter the IP address in your web browser and, if that IP address is associated with a web server, you will see the results instantly. If the IP address is not associated with a web server, you will have to do more research.
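The two nslookup directions above (a name to its list of addresses, and an address back to a name) are easy to script once you know how the reverse name is built: the octets of 216.239.32.10 are written backwards and .in-addr.arpa is appended, which is the 10.32.239.216.in-addr.arpa seen in the output. The following Python is an added example, not code from the original article; it constructs sample nslookup output in the shape shown above, parses it offline, and generalises the reverse-name rule to IPv6 (ip6.arpa), which the article does not cover. The live_forward function uses the standard socket module and is only called when the file is run directly, since it needs network access.

```python
import ipaddress
import re
import socket

# Constructed sample: nslookup output for a forward lookup (several A records)
# and for a reverse lookup, in the shape shown in the article.
FORWARD_OUTPUT = """\
Non-authoritative answer:
Name:    google.com
Address: 74.111.159.104
Name:    google.com
Address: 74.111.159.105
Name:    google.com
Address: 74.111.159.106
"""

REVERSE_OUTPUT = """\
Non-authoritative answer:
10.32.239.216.in-addr.arpa    name = ns1.google.com.
"""

# "<reverse name>    name = <host>." as printed by nslookup for a PTR answer
PTR_LINE = re.compile(r"^(?P<arpa>\S+\.arpa)\s+name\s*=\s*(?P<host>\S+?)\.?$")


def reverse_pointer(ip):
    """Name queried by a PTR (reverse) lookup for `ip`.

    IPv4: octets reversed plus '.in-addr.arpa'
          216.239.32.10 -> 10.32.239.216.in-addr.arpa
    IPv6: the 32 hex nibbles reversed plus '.ip6.arpa' (a generalisation
          beyond the article).  The ipaddress module knows both rules.
    """
    return ipaddress.ip_address(ip).reverse_pointer


def parse_forward(output):
    """Collect every 'Address:' line under its preceding 'Name:' line."""
    records = {}
    current = None
    for line in output.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = value
            records.setdefault(current, [])
        elif key == "Address" and current is not None:
            records[current].append(value)
    return records


def parse_reverse(output):
    """Map each in-addr.arpa / ip6.arpa name to the host it points at,
    dropping the trailing dot nslookup prints on fully qualified names."""
    result = {}
    for line in output.splitlines():
        m = PTR_LINE.match(line.strip())
        if m:
            result[m.group("arpa")] = m.group("host")
    return result


def live_forward(hostname):
    """Ask the system resolver for every IPv4 address of `hostname`
    (what `nslookup hostname` lists); needs network access."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({sockaddr[0] for _, _, _, _, sockaddr in infos})


if __name__ == "__main__":
    print(parse_forward(FORWARD_OUTPUT))
    print(parse_reverse(REVERSE_OUTPUT))
    print(reverse_pointer("216.239.32.10"))
    try:
        print(live_forward("google.com"))
    except OSError as exc:  # socket.gaierror when no resolver is reachable
        print("live lookup failed (offline?):", exc)
```

Parsing the text output is what you are reduced to when all you have is a pasted nslookup transcript; when you can query live, getaddrinfo gives you the same list of addresses directly.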

You can find out even more information using the whois command like so:

whois 216.239.32.10

The above command will report something like this:

NetRange:       216.239.32.0 - 216.239.63.255
CIDR:           216.239.32.0/19
OriginAS:
NetName:        GOOGLE
NetHandle:      NET-216-239-32-0-1
Parent:         NET-216-0-0-0-0
NetType:        Direct Allocation
NameServer:     NS2.GOOGLE.COM
NameServer:     NS3.GOOGLE.COM
NameServer:     NS4.GOOGLE.COM
NameServer:     NS1.GOOGLE.COM
RegDate:        2000-11-22
Updated:        2001-05-11
Ref:            http://whois.arin.net/rest/net/NET-216-239-32-0-1
OrgName:        Google Inc.
OrgId:          GOGL
Address:        1600 Amphitheatre Parkway
City:           Mountain View
StateProv:      CA
PostalCode:     94043
Country:        US
RegDate:        2000-03-30
Updated:        2009-08-07
Ref:            http://whois.arin.net/rest/org/GOGL
OrgTechHandle: ZG39-ARIN
OrgTechName:   Google Inc
OrgTechPhone:  +1-650-253-0000
OrgTechEmail:  arin-contact@google.com
OrgTechRef:    http://whois.arin.net/rest/poc/ZG39-ARIN
RTechHandle: ZG39-ARIN
RTechName:   Google Inc
RTechPhone:  +1-650-253-0000
RTechEmail:  arin-contact@google.com
RTechRef:    http://whois.arin.net/rest/poc/ZG39-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html

Now, if you have someone (URL or IP address) attacking you or sending you spam, and you want to discover, block, report, or contact them, you can get the information you need.
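The whois record answers three practical questions: which allocation the address belongs to, who holds it, and whom to contact. The Python below is an added example, not code from the article; it parses a constructed, trimmed copy of the ARIN record above (repeated keys such as NameServer are kept as lists, the empty OriginAS line and the # comment lines are dropped) and uses the ipaddress module to confirm that a suspect address really lies inside the CIDR the record reports, since whois answers for the whole allocation rather than just the address you asked about. OrgAbuseEmail is a real ARIN field that this particular record does not show; it is used only if present.

```python
import ipaddress
from collections import defaultdict

# Constructed from the ARIN record shown above, trimmed to the lines the
# parser needs; a real `whois` reply has the same "Key: value" shape.
WHOIS_OUTPUT = """\
NetRange:       216.239.32.0 - 216.239.63.255
CIDR:           216.239.32.0/19
OriginAS:
NetName:        GOOGLE
NetType:        Direct Allocation
NameServer:     NS2.GOOGLE.COM
NameServer:     NS1.GOOGLE.COM
Ref:            http://whois.arin.net/rest/net/NET-216-239-32-0-1
OrgName:        Google Inc.
OrgId:          GOGL
Country:        US
OrgTechEmail:   arin-contact@google.com
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict of lists (keys such as NameServer
    repeat).  Comment lines, blanks and keys with no value are skipped;
    only the first ':' splits, so URLs in values survive intact."""
    fields = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value:  # "OriginAS:" with nothing after it carries no information
            fields[key.strip()].append(value)
    return dict(fields)


def registered_networks(fields):
    """Every CIDR the record lists, as ip_network objects.  ARIN may put
    several comma-separated prefixes on one CIDR line, so split on commas."""
    nets = []
    for value in fields.get("CIDR", []):
        for prefix in value.split(","):
            nets.append(ipaddress.ip_network(prefix.strip(), strict=False))
    return nets


def owner_of(ip, fields):
    """Check that a suspect address falls inside the record's allocation and
    return the holder plus the contact addresses worth writing to."""
    addr = ipaddress.ip_address(ip)
    inside = any(addr in net for net in registered_networks(fields))
    return {
        "ip": ip,
        "in_range": inside,
        "org": fields.get("OrgName", ["?"])[0],
        "net": fields.get("NetName", ["?"])[0],
        # OrgAbuseEmail is the field ARIN records use for abuse reports; it is
        # absent from the excerpt above, so it contributes nothing here.
        "contact": fields.get("OrgAbuseEmail", []) + fields.get("OrgTechEmail", []),
    }


if __name__ == "__main__":
    record = parse_whois(WHOIS_OUTPUT)
    print(owner_of("216.239.32.10", record))
    print(owner_of("216.239.64.1", record))  # just outside the /19
```

The in_range check matters when you are chasing several addresses from the same log: one whois result can be reused for every address inside its CIDR, and an address that falls outside it needs its own query.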

You have neither an IP nor URL

What if you are sure you’re being attacked, but you have no idea by whom or what? The first place to look is your server’s log files. But if those escape you (you either have no idea where to find them or they don’t give you the information you need), you might need to employ a network monitoring tool. There are plenty of tools available for this task. One of my favorites is Wireshark, a very powerful, open source, cross-platform packet capture tool that can monitor your PC or your entire network. In its capture you will see all traffic that reaches the interface you are capturing on. Should anything look suspicious, you have the IP address, which will then help you gain valuable information.
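For the “start with your server’s log files” step, the hard part is usually pulling the addresses out and deciding which ones are worth looking up. The Python below is an added example, not from the article; it runs over a few constructed log lines (sshd and Apache style, using RFC 5737 documentation addresses, so none of them are real), extracts every valid IPv4 address, drops your own RFC 1918, loopback and link-local hosts, and ranks the rest by number of hits so you know which to run nslookup and whois against. The two-hit threshold is an assumption to tune for your environment.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of a Linux sshd auth log and an
# Apache access log.  203.0.113.x, 198.51.100.x and 192.0.2.x are RFC 5737
# documentation ranges; 192.168.1.20 and 10.0.0.5 stand in for our own hosts.
SAMPLE_LOG = """\
Oct 27 03:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Oct 27 03:14:03 web1 sshd[2201]: Failed password for root from 203.0.113.45 port 51023 ssh2
Oct 27 03:14:05 web1 sshd[2201]: Failed password for admin from 203.0.113.45 port 51024 ssh2
Oct 27 03:15:10 web1 sshd[2210]: Accepted publickey for deploy from 192.168.1.20 port 40112 ssh2
Oct 27 03:16:44 web1 sshd[2215]: Failed password for invalid user oracle from 198.51.100.7 port 33010 ssh2
192.0.2.66 - - [27/Oct/2010:03:17:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512
192.0.2.66 - - [27/Oct/2010:03:17:03 +0000] "GET /admin/ HTTP/1.1" 404 512
10.0.0.5 - - [27/Oct/2010:03:17:09 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Four dotted decimal groups not glued to other digits or dots (so a version
# string like 1.2.3.4.5 or a timestamp never matches).
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Addresses that belong to us rather than to a remote party.  Listed
# explicitly instead of using ipaddress.is_global, because Python also treats
# the RFC 5737 documentation ranges used in the sample as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def extract_ips(text):
    """Every syntactically valid IPv4 address in `text`, in order of
    appearance.  The regex finds candidates; ipaddress rejects impostors
    such as 999.1.1.1."""
    found = []
    for m in IPV4.finditer(text):
        try:
            found.append(str(ipaddress.ip_address(m.group())))
        except ValueError:
            pass
    return found


def is_internal(ip):
    """True for our own private / loopback / link-local hosts."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspects(text, min_hits=2):
    """Count hits per external address and return those at or above the
    threshold, most active first: the list to feed to nslookup and whois."""
    counts = Counter(ip for ip in extract_ips(text) if not is_internal(ip))
    return [(ip, n) for ip, n in counts.most_common() if n >= min_hits]


if __name__ == "__main__":
    for ip, hits in suspects(SAMPLE_LOG):
        print(f"{ip:16} {hits} hits")
```

Counting hits before looking anything up keeps the whois queries down to the handful of addresses that actually matter, and the internal-network filter stops you from wasting time on your own monitoring host or a NAT gateway.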

Sometimes “they” are just too good

There are times when you will be attacked, spammed, spoofed, etc. and you simply will not be able to track down the source. This is an unfortunate truth in the world of a networked computer. And when/if that time comes you will have to do your best to tighten down your security to make sure each and every computer is safe. Just remember, if a computer is attached to the network, no matter what operating system is on it, it is insecure. No machine, no operating system, no firewall, no anti-virus, no anti-malware is perfect.

The most important thing you can do is arm yourself with the tools and knowledge that will allow you to track down an address should you need to. And once you have the address (be it URL or IP address) you can always report the address to your service provider as well as sites like LiveIPMap.

Final thoughts

If you can get the IP address of someone doing nefarious deeds to your system or network you need to have the tools to enable you to gather the information in order to report the suspected address or culprit. Although the most challenging task in this process is actually locating the address, half of the battle is in the information recon. With the tools and methods outlined here, you should have everything you need.
