IP Addresses

IP Addresses Investigation Tools

- ViewDNS Reverse IP (viewdns.info/reverseip)

It will display additional domains hosted on an individual IP address.

- ViewDNS IP Location (viewdns.info/iplocation)

This utility cross-references an IP address with publicly available location data connected to the server hosting any domains associated with the IP address.

- ViewDNS Port Scan (viewdns.info/portscan)

This online port scanner looks for common ports that may be open.

- ViewDNS IP Whois (viewdns.info/whois)

Entering an IP address will attempt to identify details about any domain registrations associated with the address.

- ViewDNS IP Traceroute (viewdns.info/traceroute)

This tool identifies the path that ViewDNS took from their servers to the target IP address.

These will occasionally identify associated networks, routers, and servers. The numbers after the IP addresses indicate the number of milliseconds that each "hop" took.

- ViewDNS Reverse DNS (viewdns.info/reversedns)

This simply finds the reverse DNS entry for a given IP.

- Ultra Tools direct IP address query URLs

https://www.ultratools.com/tools/ipWhoisLookupResult?ipAddress=70.39.110.82

https://www.ultratools.com/tools/geoIpResult?ipAddress=70.39.110.82

https://www.ultratools.com/tools/pingResult?hostName=70.39.110.82

- Bing IP (bing.com)

Search for websites hosted on that IP address. This search only works on Bing and must include the "ip:" operator, e.g. ip:54.208.51.71

- IPLocation (iplocation.net)

IPLocation offers unlimited free IP address searches, and queries five unique services within the same search results.

This usually does not identify the exact location where the IP address is being used. The country, region, and city information should be accurate.

Most results translate an IP address into information including business name, general location, and internet service provider. This can be used to determine if the IP address that a target is using belongs to a business providing free wireless internet.

This can also confirm if an IP address is associated with a VPN service.

- That's Them (thatsthem.com/reverse-ip-lookup)

This service, mentioned previously during person, email, and telephone search, collects marketing data from many sources to populate its database.

The result identified a person's name, home address, company, email address, and age range.

This tool will work best when searching static business IP addresses, and not traditional home IP addresses that can change often.

https://thatsthem.com/ip/70.39.110.82

- I Know What You Download (iknowwhatyoudownload.com)

This service monitors online torrents and discloses the files associated with any collected IP addresses.

This will work best with IP addresses that rarely change. It can be used to determine the files being downloaded from a currently connected network.

- Exonerator (metrics.torproject.org/exonerator.html)

Exonerator is a tool that will verify the usage of an IP address on the Tor network. Provide the IP address and a date of usage, and the service will display whether it was used as a Tor connection. While a date is required, you could provide the current date if your target time frame is unknown. Most IP addresses are typically always or never a part of the Tor network.

- Wigle (wigle.net)

Wigle is a crowd-sourced database of wireless access points.

This allows anyone to browse an area for wireless access points or search an address to locate specific devices. Additionally, you can search for either a specific router name or MAC address and locate any matching devices.

You will need to register for a free account.

You can identify the wireless access points in the immediate area of a target's home.

You can identify the router names, which may include potentially sensitive information. It displays wireless router SSIDs. Clicking View and then Search in the upper left of the page presents a detailed query engine. A search of tankers_network, as identified previously in the map view, displays details of the wireless access point.

You could also search by the target's name. This may identify routers that have the target's name within the SSID.

Many internet users will use the same name for their wireless router as they use for their online screen name.

- Shodan (shodan.io)

Use Shodan to locate specific systems near a target location.

Create a free account. The following example will identify how to locate live public surveillance cameras based on location:

"geo:39.55,-111.45 netcam"

For camera discovery and hacking, go to the "Camera Hacking" section.

Shodan Maps (maps.shodan.io) allows you to conduct any of these searches based on location alone.

Shodan Images (images.shodan.io) displays collected webcam captures from open devices.

These two options are premium services and require a modest fee.

Shodan Beta (beta.shodan.io) offers complete details of a specified IP address.

- Zoom Eye (zoomeye.org)

This Shodan competitor provides a similar service, often with unique results.

- Threat Crowd (threatcrowd.org)

Threat Crowd is a system for finding and researching artifacts relating to cyber threats. Searching an IP address can reveal an association to malicious software being spread over the internet. A positive result will display the type of malware, associated domain names, dates of discovery, and any comments by other researchers.

- Censys (censys.io)

IPv6 Specific Investigation Tools

Many providers are switching to IPv6.

While many of the utilities mentioned here are adapting to this input, we should query these types of addresses through designated IPv6 engines.

https://www.ultratools.com/tools/ipv6InfoResult?ipAddress=2001:db8::8a2e:370:7334

https://www.ultratools.com/tools/ping6?ipAddress=2001:db8::8a2e:370:7334

Email Headers

The vast majority of users rely on web-based email such as Gmail or Yahoo. These services do not disclose the IP address of an individual user within the email headers.

The only valuable IP addresses are those of business users who sent emails from a desktop client such as Outlook.

- IP2Location (ip2location.com/free/email-tracer)

Provides a large text box into which an entire email header can be copied for analysis. The response includes the IP address and location of the sender; interactive map identifying the originating location; internet service provider; and links to additional information from an IP search.

- MX Toolbox (mxtoolbox.com/EmailHeaders.aspx)

An alternative to IP2Location for analyzing email headers.
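What these header analyzers do can be reproduced offline. The following is an added example, not code from either service: it walks the Received chain of a pasted header from the sender's side and returns the earliest non-internal IP address. The sample header, host names, and addresses are constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample (RFC 5737 documentation addresses), not a real message.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.25])
\tby inbound.example.org with ESMTPS; Mon, 01 Jan 2024 10:00:05 +0000
Received: from DESKTOP-01 (unknown [203.0.113.77])
\tby mx.example.net with ESMTPSA; Mon, 01 Jan 2024 10:00:02 +0000
Received: from [192.168.1.20] (localhost [127.0.0.1])
\tby DESKTOP-01 with SMTP; Mon, 01 Jan 2024 10:00:00 +0000
From: sender@example.net
To: analyst@example.org
X-Mailer: Microsoft Outlook 16.0

body
"""

# Ranges that never identify a subscriber line. Listed explicitly because
# ipaddress.is_global also rejects the documentation ranges used in SAMPLE.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]
IP_TOKEN = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def received_hops(raw):
    """One list of bracketed IPs per Received header, oldest hop first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        ips = []
        for token in IP_TOKEN.findall(str(value)):
            try:
                ips.append(ipaddress.ip_address(token))
            except ValueError:
                pass  # bracketed text that is not an address
        hops.append(ips)
    return hops

def candidate_origin(raw):
    """Earliest non-internal address in the chain, or None."""
    for ips in received_hops(raw):
        for ip in ips:
            if not any(ip.version == n.version and ip in n for n in INTERNAL):
                return str(ip)
    return None
```

Received lines written before the message reached a server you trust are controlled by the sender, so treat the result as a lead to corroborate. For webmail, the earliest public address is normally the provider's own server.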

Obtaining a Target’s IP Address

We want to know the IP address of the person we are researching, as provided by their internet service provider.

This could be used to verify an approximate location of the person; to provide law enforcement details that would be needed for a court order; or to determine if multiple email addresses belong to the same subject.

- IP Logger (iplogger.org)

This specific technique involves some trickery and the need to contact the target from a covert account.

Link: You can generate a URL which will redirect to any website that you provide. IP Logger will save the IP address of each user who clicked the link. In the box provided, enter any address that you want the target to see when clicking on a link. A URL shortening service such as Bitly (bit.ly) would make the link look less suspicious.

Image: You can provide a digital image to this service, and it will create a tracker out of it for placement onto a website, forum, or email message.

The first link forwards to the image provided. During this process, the IP address, operating system, and browser details are collected and stored on the page that stored the links. The second link could be inserted directly into a web page or email message.

- Canary Tokens (canarytokens.org)

Canary Tokens is the superior option of all. It allows creation of a PDF or DOC file that contains a tracker, and is the most user-friendly of the services.

After choosing a tracking option, it walks you through the process.

https://inteltechniques.com/canary

Always remember that technologies such as VPNs, Tor, and other forms of IP masking may create inaccurate results.

- LinkBait (github.com/AmIJesse/LinkBait)

These public IP logging services are well-known and may be blocked by email providers.

We should rely on self-hosted options. LinkBait includes all files required to host your own IP Logger on your website. You simply need to copy the PHP file into a web-accessible directory on your Apache web server (shared web hosts included) and rename the file to "index.php".

To see what details your computer would submit to this script:

https://inteltechniques.com/logger/

- GetNotify (getnotify.com)

GetNotify tracks the opening of email messages and presents the connection information of the target.

You will need to create an account and you will be limited to five email messages per day. After you have registered the email address you will be using, you can send emails from that account as usual. However, you will need to add ".getnotify.com" after each email recipient. Instead of sending an email message to the valid account of Michael@inteltechniques.com, you would send it to Michael@inteltechniques.com.getnotify.com. This will force the email message to go through Get Notify's servers and route the message to the valid address. When your target reads the email message, Get Notify will track the user's IP address, geographical location, and notify you whether your message was viewed for a length of time or deleted right away.

Get Notify works by adding a small invisible tracking image in your outgoing emails.

You can also view log files within your online account. The tracking image inserted by Get Notify is invisible to the recipient. Optionally, you can specify your own images to be used as tracking images by going to the preferences section after signing in to GetNotify.com. Your recipient will not see ".getnotify.com" at the end of his or her email address. If you want to send a single email to multiple recipients, you should add ".getnotify.com" at the end of every email address.
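From the recipient's side, the invisible tracking image described above can be spotted before a message is rendered. The following is an added example, not code from GetNotify or any other service named here: it flags remote images in an HTML email body that are one pixel in size or hidden by style. The sample HTML and its hosts are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample HTML body; hosts are placeholders, not real tracker URLs.
SAMPLE_HTML = """
<html><body>
<p>Hello,</p>
<img src="https://cdn.example.org/logo.png" width="180" height="60">
<img src="https://tracker.example.net/o/abc123.gif" width="1" height="1">
<img src="https://tracker.example.net/p.png" style="display:none">
<img src="cid:signature01" width="1" height="1">
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixel."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1

class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # Only remote images cause a request (and an IP disclosure) on open;
        # cid: and data: images are carried inside the message itself.
        if urlparse(src).scheme not in ("http", "https"):
            return
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("1x1")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden-style")
        if reasons:
            self.hits.append((src, reasons))

def find_tracking_images(html):
    """Return (src, reasons) for each remote image that looks like a tracker."""
    finder = PixelFinder()
    finder.feed(html)
    return finder.hits
```

A mail client set to block remote images never issues the request, so the sender receives no IP address regardless of what this check finds.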

IntelTechniques IP Addresses Tool

Automates some of the most common IP address searches.

Code in IP.html.
