IP Address OSINT


An IP address is a numerical label assigned to each device on a network that uses the Internet Protocol to communicate. It may be set by a network administrator, handed out automatically (DHCP), or allocated by the ISP for the connection.

An IP address serves two major functions:

  • Network interface identification
  • Location addressing

IP addresses hold probative value in the identification stage of a digital forensic investigation. A 32-bit (IPv4) or 128-bit (IPv6) number, a public IP address identifies an Internet-facing endpoint and is useful in many investigations (network, email, memory). It can reveal information about the connection a user was on during Internet activity. Keep in mind that a public address is not necessarily one device: home routers and mobile carriers (carrier-grade NAT) put many devices behind a single address, and private ranges such as 10.0.0.0/8 or 192.168.0.0/16 found in a log cannot be traced from the outside at all.

How you come across an IP address as the target of an investigation varies widely. Law enforcement may obtain an offender's IP address from an online service provider in response to a subpoena or court order. Any online researcher may come across an IP address while investigating a domain, since every domain that serves content resolves to one or more addresses. A domain resolves to one or a few addresses at a time, but many domains can be hosted on a single IP address (shared hosting, CDNs), which is why the reverse lookups below matter. We now consider the various methods and tools useful in IP address investigations.


ViewDNS Reverse IP

Takes a domain or IP address and performs a reverse IP lookup to list the other domains hosted on the same server. Useful for finding phishing sites or for identifying other sites on the same shared hosting server. On a large shared host or CDN the list says nothing about who operates the sites; it only shows who shares the address.


ViewDNS IP Location

This tool displays geographic information about a supplied IP address including city, country, latitude, longitude and more. A search of 151.139.128.10 revealed the following location.

IP Location Results for 151.139.128.10
==============

City:         Dallas
Zip Code:     75201
Region Code:  TX
Region Name:  Texas
Country Code: US
Country Name: United States
Latitude:     32.7889
Longitude:    -96.8021
GMT Offset:   
DST Offset:   


ViewDNS Port Scan

This web-based port scanner tests whether common ports are open on a server. Useful in determining whether a specific service (e.g. HTTP) is up or down on a specific server. Ports scanned include 21, 22, 23, 25, 80, 110, 139, 143, 443, 445, 1433, 1521, 3306 and 3389. The scan runs from the ViewDNS server, so a port shown as closed may simply be filtered for sources other than the target's own network.


A search of 151.139.128.10 revealed that ports 80 and 443 are open to outside connections.


ViewDNS IP Whois

Displays owner/contact information for a domain name or IP address. Can also be used to determine whether a domain name is registered. A search of 151.139.128.10 returned a record held at RIPE Network Coordination Center, one of the five regional Internet registries, with the public registration details. Note that whois names the organisation the address block is registered to, which is often a hosting or CDN company rather than the end user.


ViewDNS Traceroute

Traces the series of routers that data traverses from the ViewDNS server to the specified domain name or IP address. This identifies the IP addresses of the intermediate systems contacted on the way to the target's address, which occasionally reveals associated networks, routers, and servers. Those additional IP addresses can then be searched for further details. The numbers after each IP address are round-trip times in milliseconds for that hop; a hop that does not answer is shown as asterisks.
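Traceroute output is mostly useful as a list of further addresses to look up, so here is an added example (my own code, not ViewDNS's) that parses the classic Unix traceroute text format and picks out the hops worth sending to whois or reverse DNS. The sample output is constructed; it includes a hop that never answered (shown as asterisks) and the private and carrier-grade NAT hops that a home connection typically shows first, which the filter drops.

```python
import ipaddress
import re

# Constructed traceroute output in the classic Unix format (not from the page). Public addresses are
# RFC 5737 documentation ranges, which this example deliberately treats as routable.
SAMPLE = """traceroute to target.example (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.021 ms  0.954 ms  0.932 ms
 2  100.64.0.1 (100.64.0.1)  9.812 ms  9.790 ms  9.771 ms
 3  * * *
 4  198.51.100.21 (198.51.100.21)  18.312 ms  18.293 ms  18.270 ms
 5  203.0.113.10 (203.0.113.10)  21.004 ms  20.990 ms  20.968 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\))?(.*)$")
RTT_RE = re.compile(r"([\d.]+)\s*ms")
# Local-network and ISP-internal ranges: nothing public will be registered for these.
NOT_WORTH_LOOKING_UP = [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def parse_traceroute(text):
    """One dict per hop; a hop that answered nothing has ip None and three timeouts."""
    hops = []
    for line in text.splitlines()[1:]:        # the first line is the banner
        m = HOP_RE.match(line)
        if not m:
            continue
        number, name, ip, rest = m.groups()
        hops.append({
            "hop": int(number),
            "name": name,
            "ip": ip,
            "rtt_ms": [float(x) for x in RTT_RE.findall(rest)],
            "timeouts": rest.count("*"),
        })
    return hops


def ips_for_lookup(hops):
    """Hop addresses worth sending to whois or reverse DNS: skips silent hops and the private and
    carrier-grade NAT ranges that belong to the local network or the ISP's internal plumbing."""
    out = []
    for h in hops:
        if h["ip"] is None:
            continue
        a = ipaddress.ip_address(h["ip"])
        if not any(a in n for n in NOT_WORTH_LOOKING_UP):
            out.append(h["ip"])
    return out


if __name__ == "__main__":
    for hop in parse_traceroute(SAMPLE):
        print(hop)
    print("look up:", ips_for_lookup(parse_traceroute(SAMPLE)))
```

The same two functions work on output saved from a local traceroute run; only the first line (the banner) is format-specific.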


ViewDNS Reverse DNS

Find the reverse DNS entry (PTR) for a given IP. This is generally the server or host name. Searching my target IP address reveals the following:

Reverse DNS results for 151.139.128.10
==============
10.128.139.151.in-addr.arpa domain name pointer map3.hwcdn.net.
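A PTR record only proves what the operator of the reverse zone chose to publish, so a practitioner normally confirms it forward (forward-confirmed reverse DNS): resolve the PTR name back to addresses and check that the original IP is among them. The following is an added example of that check, my own code rather than anything from ViewDNS. It queries the system resolver by default but accepts substitute lookup functions, and it is shown running against constructed resolver data: the PTR value for 151.139.128.10 is the one from the result above, while the forward records and the second address are made up.

```python
import ipaddress
import socket


def ptr_lookup(ip):
    """PTR query via the system resolver; None when the reverse zone has no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def forward_lookup(hostname):
    """A/AAAA records for a name as a set of address strings (empty when it does not resolve)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()


def fcrdns(ip, ptr=ptr_lookup, forward=forward_lookup):
    """Reverse-then-forward check. 'confirmed' is True only when the PTR name resolves back to ip."""
    addr = ipaddress.ip_address(ip)
    qname = addr.reverse_pointer          # the name actually queried, e.g. 10.128.139.151.in-addr.arpa
    name = ptr(str(addr))
    if name is None:
        return {"query": qname, "ptr": None, "confirmed": False}
    confirmed = addr in {ipaddress.ip_address(a) for a in forward(name)}
    return {"query": qname, "ptr": name, "confirmed": confirmed}


# Constructed resolver data so the example runs offline. Only the PTR value for 151.139.128.10
# comes from the lookup above; its forward record and the second host are invented.
FAKE_PTR = {"151.139.128.10": "map3.hwcdn.net", "198.51.100.9": "mail.bank.example"}
FAKE_FWD = {"map3.hwcdn.net": {"151.139.128.10"}, "mail.bank.example": {"203.0.113.77"}}


def offline_demo(ip):
    return fcrdns(ip, ptr=FAKE_PTR.get, forward=lambda h: FAKE_FWD.get(h, set()))


if __name__ == "__main__":
    print(offline_demo("151.139.128.10"))   # PTR and forward agree
    print(offline_demo("198.51.100.9"))     # PTR claims a bank mail server, forward disagrees
    print(fcrdns("151.139.128.10"))         # live lookup through the system resolver
```

An unconfirmed PTR is not proof of anything malicious (many hosts simply have stale reverse records), but a confirmed one is the only form of reverse DNS that should carry weight in a report.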


Bing IP

Once you have identified an IP address of your target, you can search for websites hosted on that IP address. Bing's ip: operator (for example ip:151.139.128.10) lists the other websites Bing has indexed on that server. If your target is hosted with a large provider, such as GoDaddy, there will not be much intelligence provided: the results only list websites that share a server and are not necessarily associated with each other. If the target hosts the website on an individual web server, this search will display all other websites that the user hosts. This operator works only on Bing. In the original example the results identified every website hosted by a specific local website design company. The direct URL follows.

https://www.bing.com/search?q=ip%3A151.139.128.10


IP Location

IPLocation offers unlimited free IP address searches and queries eight different services within the same set of results. The results are the most detailed I have seen for a free service.


While coordinates are returned for an IP address, they most often point to the Internet Service Provider (ISP), not to the place where the address is being used. Country, region and city are usually accurate; street-level precision is not. If an organisation name is presented in the results, the address is registered to that company. The exception is when an internet service provider is identified, which only means the address belongs to that provider's pool. Most results translate an IP address into a business name, general location, and internet service provider. This can be used to determine whether the IP address a target is using belongs to a business providing free wireless internet, and it can quickly confirm whether a target IP address is associated with a VPN service.


ThatsThem

The previous resources rely on conventional IP address data gleaned from registration records and server scanning; very little of it is sensitive or personal. ThatsThem differs in this regard, as it takes a more invasive approach to collecting data. The service aggregates marketing data from many sources to populate its database, which often includes IP address information collected during an online purchase or website registration. Regardless of the source, the results can be quite beneficial. This tool works best when searching static business IP addresses rather than residential addresses, which change often.


I Know What You Download 

This resource might be the most invasive of all. The service monitors public BitTorrent swarms (torrents are a way to share large files, frequently in violation of copyright) and discloses the files associated with any IP address it has recorded. Searching my own IP address revealed the following.

It identified that the target IP address was downloading the movies shown on May 6 and May 8, 2022. Clicking on a movie title presents every IP address captured that also downloaded the same file. Again, this works best with IP addresses that rarely change, such as those of a business, organization, or public Wi-Fi network. On one occasion, this revealed an employee who was downloading enormous amounts of pornography on his employer's network. He should have used a VPN, which would have masked his online activity. To see the power of this type of service, try searching a known VPN address such as one provided by Private Internet Access (PIA), 173.244.48.163. The direct URL query follows:


https://iknowwhatyoudownload.com/en/peer/?ip=105.112.160.123


Exonerator

If you cannot locate any valuable information about your target IP address using the previous techniques, it is possible that the address was part of the Tor network and there is no relevant data to be located.


The ExoneraTor service maintains a database of IP addresses that have been part of the Tor network. It answers the question whether a Tor relay was running on a given IP address on a given date. A date is required; if your target time frame is unknown, start with the current date. Most IP addresses are either always or never part of the Tor network. For the current set of exit nodes, the Tor Project also publishes a plain-text list at https://check.torproject.org/torbulkexitlist.


Shodan

Shodan is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. General search engines, such as Google and Bing, are great for finding websites; however, they do not search for computers or devices. Shodan indexes "banners", the metadata a service sends back to a client when it connects. This can be information about the server software, the options the service supports, or a welcome message. Devices commonly identified through Shodan include servers, routers, online storage devices, surveillance cameras, webcams, and VOIP systems. Network security professionals use this site to identify exposed services on their own systems. Criminals use it to find devices to attack. To take advantage of Shodan's full search capabilities, you must create a free account; only a name and email address are required. The following shows the result of searching the IP address 70.39.81.131
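To see what both the ViewDNS port scanner above and Shodan's banner indexing actually do on the wire, here is an added example (my own code, not ViewDNS's or Shodan's): a TCP connect() scan over the same port list that also captures whatever each open service says first. Because scanning real hosts is out of scope for a demonstration, demo() starts two local stand-in services with made-up banners and one deliberately closed port, and scans those. Point scan() at a host you are authorised to test for real use.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# The ports the ViewDNS scanner probes, plus 443 (reported open in the example above).
COMMON_PORTS = [21, 22, 23, 25, 80, 110, 139, 143, 443, 445, 1433, 1521, 3306, 3389]


def probe(host, port, timeout=1.0, read=256):
    """TCP connect() probe. Returns (state, banner); the banner is whatever the service sends
    unprompted within the timeout, which is the kind of data Shodan indexes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except (socket.timeout, OSError):
            return "closed/filtered", b""   # refused (closed) and silently dropped (filtered) look alike here
        try:
            banner = s.recv(read)
        except (socket.timeout, OSError):
            banner = b""                    # open but quiet: HTTP and TLS wait for the client to speak first
        return "open", banner.strip()


def scan(host, ports=COMMON_PORTS, timeout=1.0, workers=16):
    """Probe the ports concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(ports, pool.map(lambda p: probe(host, p, timeout), ports)))


def fake_service(banner):
    """Local stand-in for a remote daemon so the example runs offline: accept, send a banner, hang up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                      # listener closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return srv


def demo():
    """Scan two made-up local services and one closed port; returns [(state, banner), ...] in that order."""
    ftp = fake_service(b"220 Example FTP server ready.\r\n")   # constructed banners, not real hosts
    ssh = fake_service(b"SSH-2.0-ExampleSSH_1.0\r\n")
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                           # bound then released: nothing listens here now
    ports = [ftp.getsockname()[1], ssh.getsockname()[1], closed_port]
    result = scan("127.0.0.1", ports, timeout=0.5)
    ftp.close()
    ssh.close()
    return [(state, banner.decode(errors="replace")) for state, banner in (result[p] for p in ports)]


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A connect() scan completes the handshake, so it is visible in the target's logs; that is also why a web service appears "open" with an empty banner, since HTTP says nothing until it receives a request.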




ZoomEye

Developed by the Chinese security company Knownsec Inc., this Shodan competitor provides a similar service, often with different results, so it is worth querying both.


IP2Location

IP2Location™ is a non-intrusive IP geolocation lookup: it returns location data for an address without any involvement of, or permission from, the user behind it. A search of my IP address 105.112.160.93 returned the following information.

{
  "response": "OK",
  "country_code": "NG",
  "country_name": "Nigeria",
  "region_name": "Lagos",
  "city_name": "Lagos",
  "latitude": 6.45306,
  "longitude": 3.39583,
  "zip_code": "102103",
  "time_zone": "+01:00",
  "isp": "Airtel Networks Limited",
  "domain": "airtel.com",
  "net_speed": "DSL",
  "idd_code": "234",
  "area_code": "0704",
  "weather_station_code": "NIXX0012",
  "weather_station_name": "Lagos",
  "mcc": "621",
  "mnc": "20",
  "mobile_brand": "Airtel",
  "elevation": 9,
  "usage_type": "ISP\/MOB",
  "address_type": "Unicast",
  "category": "IAB19-18",
  "category_name": "Internet Technology",
  "geotargeting": { "metro": "-" },
  "continent": {
    "name": "Africa",
    "code": "AF",
    "hemisphere": [ "north", "east" ],
    "translations": { "zh-cn": "\u975e\u6d32" }
  },
  "country": {
    "name": "Nigeria",
    "alpha3_code": "NGA",
    "numeric_code": "566",
    "demonym": "Nigerians",
    "flag": "https:\/\/cdn.ip2location.com\/assets\/img\/flags\/ng.png",
    "capital": "Abuja",
    "total_area": "923768",
    "population": "206139589",
    "currency": { "code": "NGN", "name": "Nigerian Naira", "symbol": "\u20a6" },
    "language": { "code": "EN", "name": "English" },
    "idd_code": "234",
    "tld": "ng",
    "is_eu": false,
    "translations": { "zh-cn": "\u5c3c\u65e5\u5229\u4e9a" }
  },
  "country_groupings": [
    { "acronym": "African Union", "name": "African Union" },
    { "acronym": "Commonwealth of Nations", "name": "Commonwealth of Nations" }
  ],
  "region": { "name": "Lagos", "code": "NG-LA", "translations": { "zh-cn": "\u62c9\u5404\u65af" } },
  "city": { "name": "Lagos", "translations": [] },
  "time_zone_info": {
    "olson": "Africa\/Lagos",
    "current_time": "2022-05-14T21:29:24+01:00",
    "gmt_offset": 3600,
    "is_dst": "no",
    "sunrise": "06:30",
    "sunset": "18:55"
  },
  "credits_consumed": 35
}
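The field that decides how much weight to give a record like this is usage_type, not the coordinates. Here is an added example (my own code, not IP2Location's) that reads the fields that matter and states what kind of address it is. The sample record is the response above trimmed to the keys the code uses; the usage-type codes are the ones IP2Location documents (ISP, MOB, DCH, CDN and so on), and the second record in the usage section is invented.

```python
import json

# The IP2Location response above, trimmed to the keys this example reads (other keys are ignored).
SAMPLE = json.loads("""{
  "response": "OK", "country_code": "NG", "region_name": "Lagos", "city_name": "Lagos",
  "latitude": 6.45306, "longitude": 3.39583, "isp": "Airtel Networks Limited",
  "domain": "airtel.com", "mobile_brand": "Airtel", "usage_type": "ISP\\/MOB"
}""")

# Usage-type codes as documented by IP2Location.
USAGE_TYPES = {
    "COM": "commercial", "ORG": "organization", "GOV": "government", "MIL": "military",
    "EDU": "university/college/school", "LIB": "library", "CDN": "content delivery network",
    "ISP": "fixed-line ISP", "MOB": "mobile ISP", "DCH": "data center/web hosting/transit",
    "SES": "search engine spider", "RSV": "reserved",
}


def triage(rec):
    """Summarise what a geolocation record does and does not tell you about the address."""
    if rec.get("response") != "OK":
        raise ValueError(f"lookup failed: {rec.get('response')!r}")
    codes = [c for c in rec.get("usage_type", "").split("/") if c]
    hosting = bool({"DCH", "CDN"} & set(codes))
    consumer = bool({"ISP", "MOB"} & set(codes))
    if hosting:
        note = "hosting/CDN address: coordinates are the data centre; treat as possible VPN, proxy or shared infrastructure"
    elif "MOB" in codes:
        note = "mobile carrier address: usually shared behind carrier-grade NAT and reassigned often; city-level at best"
    elif consumer:
        note = "consumer ISP address: typically dynamic; coordinates point at the ISP, not the subscriber"
    else:
        note = "organisation-registered address: coordinates may correspond to that organisation's site"
    return {
        "place": f"{rec.get('city_name')}, {rec.get('region_name')}, {rec.get('country_code')}",
        "coordinates": (rec.get("latitude"), rec.get("longitude")),
        "operator": rec.get("isp"),
        "usage": [USAGE_TYPES.get(c, c) for c in codes],
        "shared_or_dynamic": hosting or consumer,
        "note": note,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:18} {value}")
    # Invented hosting record, the shape a VPN exit or cloud server produces.
    print(triage({"response": "OK", "usage_type": "DCH", "city_name": "Dallas", "region_name": "Texas",
                  "country_code": "US", "latitude": 32.7889, "longitude": -96.8021, "isp": "Example Hosting"})["note"])
```

For the record above the verdict is a mobile carrier address in Lagos: the city is probably right, the coordinates are Airtel's, and the address was very likely shared with other subscribers and reassigned soon after.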


IP2Location's email tracer provides a large text box into which an entire email header can be pasted for analysis. The response includes the IP address and location of the sending server; an interactive map of the originating location; the internet service provider; and links to additional information from an IP search. Anyone wanting more information about a suspicious email should start here. Bear in mind that the Received headers below the one added by your own provider's mail server were supplied by the sender and can be forged, so the reliable address is the one your own server recorded.
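The email tracer above reads the Received: headers for you; doing it by hand shows which address in a header chain is actually trustworthy. Here is an added example (my own code, not IP2Location's) that walks the chain in a constructed message: received_hops() lists every hop oldest-first, and originating_ip() returns the client address recorded by the last hop written by a mail server you trust, stopping at the first hop that was not, because every header beneath that point was supplied by the sender and could be forged. The hostnames, addresses and trusted-server set are all made up.

```python
import email
import ipaddress
import re

# Constructed message headers (not a real email). Public addresses are RFC 5737 documentation ranges,
# which this example deliberately treats as routable.
RAW = b"""Received: from mx.example.net (mx.example.net [203.0.113.5])
\tby inbox.example.org with ESMTPS id abc123
\tfor <victim@example.org>; Sat, 14 May 2022 20:29:24 +0000
Received: from [192.168.1.20] (unknown [198.51.100.77])
\tby mx.example.net (Postfix) with ESMTPSA id XYZ
\tfor <victim@example.org>; Sat, 14 May 2022 20:29:20 +0000
Received: from forged.invalid ([10.0.0.9]) by nowhere.invalid; Sat, 14 May 2022 20:29:00 +0000
From: sender@example.net
To: victim@example.org
Subject: test

body
"""

NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F]*:[0-9a-fA-F:]+)")


def public_ips(text):
    """Routable addresses mentioned in text, in order of appearance, duplicates removed."""
    found = []
    for token in IP_RE.findall(text):
        try:
            a = ipaddress.ip_address(token)
        except ValueError:
            continue            # timestamps such as 20:29:24 match the pattern but are not addresses
        if not any(a in n for n in NON_ROUTABLE) and str(a) not in found:
            found.append(str(a))
    return found


def received_hops(raw):
    """The Received: chain oldest-first, as (host that wrote the header, public IPs it mentions)."""
    msg = email.message_from_bytes(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):   # MTAs prepend, so the last header is the oldest
        h = " ".join(hdr.split())
        by = re.search(r"\bby\s+([\w.-]+)", h)
        hops.append((by.group(1).lower() if by else None, public_ips(h)))
    return hops


def originating_ip(raw, trusted_mtas):
    """Walk newest-first through hops written by servers you trust and return the client address
    recorded by the last trusted one. Anything below an untrusted hop may have been forged."""
    candidate = None
    for hdr in email.message_from_bytes(raw).get_all("Received", []):
        h = " ".join(hdr.split())
        by = re.search(r"\bby\s+([\w.-]+)", h)
        if not by or by.group(1).lower() not in trusted_mtas:
            break
        ips = public_ips(h.split(" by ", 1)[0])   # only the "from ..." part: the client this MTA talked to
        if ips:
            candidate = ips[0]
    return candidate


if __name__ == "__main__":
    for hop in received_hops(RAW):
        print(hop)
    print(originating_ip(RAW, {"inbox.example.org", "mx.example.net"}))   # 198.51.100.77
    print(originating_ip(RAW, {"inbox.example.org"}))                     # 203.0.113.5
```

With only your own inbound server trusted, the answer is the relay that delivered the message; trusting that relay too (for instance because it is your own provider's outbound cluster) gets you one hop further back. The bottom header, which names a private address and a host nobody you trust wrote, is exactly the kind of line a tracer that reads the lowest Received: header would be fooled by.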


Obtaining the IP Address of a Target

You may wish to obtain the IP address of your target yourself. This address could be used to confirm the approximate location of the suspect, to give law enforcement the information needed for a court order, or to determine whether multiple email addresses belong to the same suspect.


IP Logger

This technique involves some trickery and contact with the target from a covert account. For this demonstration, assume your target has a Facebook page that he checks regularly. You can send him a private message that includes "bait" in the form of a link. A detailed set of instructions on the site explains the process. The main website presents several options, but only the "URL & Image Shortener" service is explained here.


Link

You can generate a URL that redirects to any website you provide. IP Logger saves the IP address of each user who clicks the link. In the box provided, enter the address you want the target to see after clicking; this could be something generic such as twitter.com. After submitting, you will receive a series of links. This page also serves as the log of visitors, and I recommend documenting it. In an example, I received the following link at the beginning of this list.


https://iplogger.org/2NB947


Clicking this link or typing it into a browser forwards the target to twitter.com. The click records his or her IP address, operating system, and browser details, which, along with the date and time of capture, can be viewed at the log link generated earlier. A URL shortening service such as Bitly (bit.ly) would make the link look less suspicious.


Image

You can provide a digital image to this service, and it will create a tracker out of it for placement on a website, on a forum, or in an email message. I provided an image that is present on this blog at


https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3ERl-uUHz2z6cePizTDip0E6KlH4DV5Wvc6yLIHqHUgDcqAnCZN9G8-tRekJFzl5f_hiQtENu5jx885uZDySbb2Cy24CEc5YCEM6P-Q18ZmsNT7XilRjofCVTKqogU4bJfaINL4nHn9NgECloPIXzZQOC_uTy92TlHs943dxsS1cKbmDaUxpcnkOD/s781/osintemail.JPG.jpg


This presented a page similar to the previous example. I was provided the following link.


https://iplogger.org/3njw44


This link forwards to the image I provided. When the image is loaded, the viewer's IP address, operating system, and browser details are collected and stored on the page that holds the links. Note that many email clients block remote images by default or fetch them through their own proxy servers, so an image tracker sent by email may log the mail provider's address rather than the reader's.


Canary Tokens

Canarytokens is a tool that helps you discover that you've been breached by having attackers announce themselves. A token is a file, URL, API key, or other resource (containing a tracker) that is monitored for access. Once the resource is accessed, an alert notifies the token's owner of that access.


Ultimately, you should familiarize yourself with all options and choose which works best for you.


Always remember that technologies such as VPNs, Tor, and other forms of IP masking may create inaccurate results. Always use caution when sending these types of trackers, and make sure you are not violating any laws or internal policies. Due to the heavy usage of VPNs within the communities in which I investigate, I find these services slowly becoming less useful.


Get Notify

There is a glaring problem with all of these public IP logging services: they are well known and may be blocked by email providers. Gmail typically blocks any domains associated with either IP Logger or Canary Tokens. A tech-savvy target may recognize these tactics, which could jeopardize your investigation. For these reasons, I prefer GetNotify.


GetNotify tracks the opening of email messages and presents the connection information of the target. This service is completely free and does not require Gmail as your email provider. You will need to create an account through the GetNotify website, and you will be limited to five email messages per day. After you have registered the email address you will be using, you can send emails from that account as usual. However, you will need to add ".getnotify.com" after each email recipient. Instead of sending an email message to the valid account of meetjosephmoronwi@programmer.net, you would send the message to the modified address meetjosephmoronwi@programmer.net.getnotify.com. This forces the email message to go through GetNotify's servers, which route the message to the valid address. When your target reads the email message, GetNotify records the user's IP address and geographical location, and notifies you whether your message was viewed for a length of time or deleted right away.

GetNotify works by adding a small invisible tracking image to your outgoing emails. When the recipient opens your message, this image is downloaded from a GetNotify server, so GetNotify knows exactly when your email was opened and notifies you by email that the message was read. You can also view log files within your online account. The tracking image is invisible to the recipient. Optionally, you can specify your own images to be used as tracking images in the preferences section after signing in to GetNotify.com. Your recipient will not see ".getnotify.com" at the end of his or her email address. If you want to send a single email to multiple recipients, add ".getnotify.com" at the end of every email address. The same limitation as with image trackers applies: mail clients that block remote images or fetch them through a proxy will defeat or distort the tracking.


There are countless scenarios that may make these techniques beneficial to your online research. While it might be beneficial to law enforcement, civilians can use it for many different things. Private investigators have used it on dating websites while hunting cheating spouses. Singles have used it to verify that the potential mate they have been chatting with is local and not in another state or country. The possibilities are endless.
