Networking

The best tools and methods to track down suspect IP addresses and URLs

Jack Wallen provides some basic recon tools and methods for finding IP addresses and URLs that you may need to track down for purposes of blocking, contacting, or satisfying simple curiosity.

There are many reasons why you might need to track down an IP address. You might have discovered a hacking attempt in one of your logs. You might think you have found a spammer that you want to add to a block list. There are as many "whys" as there are "hows": every operating system ships different tools for the job, and every application that handles IP addresses tends to expose them in its own way. So where do you start? What's the easiest way to find an IP address and help locate its source?

I'm assuming you know what an IP address is and what it does, but that's about it. Much of this information will be common knowledge to the seasoned administrator, but new administrators or support techs might glean something useful here.

Finding the IP address for a URL

Let's say whatever application you are using gives you a URL for an address that you want to block or track (for whatever reason). The part you actually need is the host name inside that URL (google.com in http://google.com/), because ping and nslookup resolve names, not full URLs. If you need the IP address of that name there is a very simple way to get it - use ping. Let's use google.com as an example. To find the IP address of that name I would open up a command prompt in Windows (launch Terminal in Mac or from the command line in Linux) and type:

ping google.com

From that command you should see something like:

64 bytes from 74.111.159.104: icmp_seq=1 ttl=52 time=29.0 ms

As you can see, ping resolves the name google.com to an IP address before it sends anything; in this example that address is 74.111.159.104. Two caveats. First, the name resolution happens even when no reply comes back: many hosts and routers drop ICMP echo requests, so "Request timed out" or 100% packet loss does not mean the lookup failed, and the resolved address is still printed in ping's first line ("Pinging google.com [74.111.159.104]" on Windows, "PING google.com (74.111.159.104)" on Linux and Mac). Second, the result can be misleading because that IP address might be only one of many associated with the domain. You can find all of the IP addresses associated with a name using the nslookup command like so:

nslookup google.com

The above command should report something similar to:

Non-authoritative answer:
Name:    google.com
Address: 74.111.159.104
Name:    google.com
Address: 74.111.159.105
Name:    google.com
Address: 74.111.159.106
Name:    google.com
Address: 74.111.159.107
Name:    google.com
Address: 74.111.159.108
Name:    google.com
Address: 74.111.159.109

From the above information you should notice that the answers are marked non-authoritative. That does not mean the addresses are wrong; it means your resolver answered from its cache (or by forwarding the query) rather than from one of google.com's own name servers. Let's use the same tool to find out which server is authoritative for the domain. To do this, first issue the command nslookup with no arguments. This will bring you a prompt that looks like:

>

Now set the querytype like so:

> set querytype=soa

and then enter the domain:

> google.com
You will then see output that looks like that shown in Figure A.

Figure A

The SOA (start of authority) record names the primary name server for google.com, ns1.google.com, and nslookup lists its address as 216.239.32.10. That server, not the web addresses returned above, is the one in charge of the domain's DNS data.

Finding the URL for an IP address

If you ping an IP address you will not receive a domain back. I know, I know...it's unfair, but it's the way it goes. So, how can you get the name from an IP address? Simple, you take advantage of nslookup again, this time giving it the address instead of the name (a reverse, or PTR, lookup). To do this, issue the command:

nslookup 216.239.32.10

And you will see something like:

Non-authoritative answer:
10.32.239.216.in-addr.arpa    name = ns1.google.com.

You instantly know that the IP address has a reverse record pointing into google.com. Treat that as a lead rather than proof: PTR records are published by whoever controls the address block, many addresses have none at all, and the name can be set to anything, so check that the name resolves forward to the same address before you rely on it. Of course you could also just enter the IP address in your web browser and, if that IP address is associated with a web server, you will see the results instantly. If the IP address is not associated with a web server you will have to do more research.
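The forward lookup in the previous section and the reverse lookup in this one, written out as an added Python example (this is not code from the article): it pulls the host name out of a URL, resolves it with a trailing dot so no local DNS search suffix gets appended, computes the in-addr.arpa name that nslookup queries for an address, and adds a forward-confirmation check so a PTR record is not trusted on its own. The resolver calls are parameters that default to the standard socket functions, which is an assumption made so the logic can also be exercised offline with a fake table; the names and addresses in the script's own run are the article's examples.

```python
"""Forward and reverse DNS helpers, with the resolver injectable for testing."""
import ipaddress
import socket
from urllib.parse import urlsplit


def hostname_from_url(url: str) -> str:
    """Pull the host out of a URL; ping/nslookup want a name, not a URL."""
    if "://" not in url:
        url = "//" + url          # urlsplit only fills .hostname when a netloc is present
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host


def forward_lookup(host: str, resolver=socket.getaddrinfo) -> list:
    """Return every address a name resolves to (A and AAAA), in order, without duplicates.

    The name is sent with a trailing dot so the stub resolver treats it as absolute
    and does not append a DNS search suffix from the local network.
    """
    fqdn = host.rstrip(".") + "."
    try:
        answers = resolver(fqdn, None)
    except OSError:               # socket.gaierror: NXDOMAIN, SERVFAIL, no network
        return []
    ips = []
    for _family, _type, _proto, _canon, sockaddr in answers:
        ip = sockaddr[0]
        if ip not in ips:         # getaddrinfo repeats each address per socket type
            ips.append(ip)
    return ips


def reverse_name(ip: str) -> str:
    """The PTR owner name that nslookup/dig query for an address (v4 or v6)."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_lookup(ip: str, resolver=socket.gethostbyaddr):
    """Return the PTR name for ip, or None when the block owner published none."""
    try:
        name, _aliases, _addrs = resolver(ip)
    except OSError:               # socket.herror: no PTR record
        return None
    return name


def forward_confirmed(ip: str, fwd=socket.getaddrinfo, rev=socket.gethostbyaddr) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the same ip.

    Whoever controls the address block writes the PTR record, so a name alone
    proves nothing; the round trip name -> address -> name does.
    """
    name = reverse_lookup(ip, rev)
    return name is not None and ip in forward_lookup(name, fwd)


if __name__ == "__main__":
    host = hostname_from_url("https://google.com/search?q=x")
    print(host, forward_lookup(host))
    print(reverse_name("216.239.32.10"), reverse_lookup("216.239.32.10"))
    print("forward-confirmed:", forward_confirmed("216.239.32.10"))
```

Run it with no arguments to see the live lookups for the article's examples; pass your own resolver functions to the helpers when you want to drive them from a fixture or a captured zone instead of the network.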

You can find out even more information, in particular who was allocated the address block and how to contact them, using the whois command like so (whois ships with Mac and most Linux distributions; Windows does not include one, so install a copy such as the Sysinternals whois tool or use the registry's web lookup at whois.arin.net):

whois 216.239.32.10

The above command will report something like this:

NetRange:       216.239.32.0 - 216.239.63.255
CIDR:           216.239.32.0/19
OriginAS:
NetName:        GOOGLE
NetHandle:      NET-216-239-32-0-1
Parent:         NET-216-0-0-0-0
NetType:        Direct Allocation
NameServer:     NS2.GOOGLE.COM
NameServer:     NS3.GOOGLE.COM
NameServer:     NS4.GOOGLE.COM
NameServer:     NS1.GOOGLE.COM
RegDate:        2000-11-22
Updated:        2001-05-11
Ref:            http://whois.arin.net/rest/net/NET-216-239-32-0-1

OrgName:        Google Inc.
OrgId:          GOGL
Address:        1600 Amphitheatre Parkway
City:           Mountain View
StateProv:      CA
PostalCode:     94043
Country:        US
RegDate:        2000-03-30
Updated:        2009-08-07
Ref:            http://whois.arin.net/rest/org/GOGL

OrgTechHandle: ZG39-ARIN
OrgTechName:   Google Inc
OrgTechPhone:  +1-650-253-0000
OrgTechEmail:  arin-contact@google.com
OrgTechRef:    http://whois.arin.net/rest/poc/ZG39-ARIN

RTechHandle: ZG39-ARIN
RTechName:   Google Inc
RTechPhone:  +1-650-253-0000
RTechEmail:  arin-contact@google.com
RTechRef:    http://whois.arin.net/rest/poc/ZG39-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html

Now, if someone (known to you by either a name or an IP address) is attacking you or sending you spam, and you want to discover, block, report, or contact them, you can get the information you need. When you do report an address, include the exact date, time and time zone of the events from your logs (keep your clocks synchronized with NTP): addresses are reassigned over time, and the block owner can only match a complaint to a customer with an accurate timestamp.
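As an added example (not code from the article), the following Python parses the ARIN-style whois record shown above, embedded here as a constructed, trimmed sample, checks whether a given address falls inside the netblock the record describes, pulls out the contact e-mail addresses, and builds a matching iptables rule. The field names it relies on (NetRange, CIDR, OrgName and the fields ending in Email) are the ones ARIN prints; the iptables command string is an assumption about how you would block on Linux and is not something the article shows.

```python
"""Parse ARIN-style whois output and act on the netblock it describes."""
import ipaddress
import re

# Constructed sample: the ARIN record for 216.239.32.10 as shown in the article, trimmed.
SAMPLE_WHOIS = """\
NetRange:       216.239.32.0 - 216.239.63.255
CIDR:           216.239.32.0/19
NetName:        GOOGLE
NetType:        Direct Allocation
NameServer:     NS1.GOOGLE.COM
OrgName:        Google Inc.
OrgId:          GOGL
Country:        US
OrgTechEmail:   arin-contact@google.com
#
# ARIN WHOIS data and services are subject to the Terms of Use
"""

# "Key:   value"; the key is matched non-greedily so URLs in values keep their colon.
_FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?):\s*(.*)$")


def parse_whois(text: str) -> dict:
    """Return {field: [values...]}; '#'/'%' comment lines and blanks are skipped.

    Values are lists because records repeat fields such as NameServer and RegDate.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%":
            continue
        m = _FIELD.match(line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2).strip())
    return fields


def networks(fields: dict) -> list:
    """CIDR blocks covered by the record.

    ARIN prints 'CIDR:' with one or more comma-separated prefixes; fall back to
    expanding 'NetRange:' when the CIDR line is missing.
    """
    nets = []
    for value in fields.get("CIDR", []):
        for part in value.split(","):
            part = part.strip()
            if part:
                nets.append(ipaddress.ip_network(part, strict=False))
    if not nets:
        for value in fields.get("NetRange", []):
            lo, _, hi = value.partition("-")
            nets.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())))
    return nets


def owner_of(fields: dict, ip: str):
    """(OrgName, containing CIDR) if ip lies inside the record's netblock, else None."""
    addr = ipaddress.ip_address(ip)
    for net in networks(fields):
        if addr in net:
            return fields.get("OrgName", ["?"])[0], str(net)
    return None


def abuse_contacts(fields: dict) -> list:
    """Every e-mail address in the record, de-duplicated, abuse-specific ones first."""
    emails = []
    for key, values in fields.items():
        if key.endswith("Email"):
            for v in values:
                if v not in emails:
                    emails.append(v)
    return sorted(emails, key=lambda e: (0 if "abuse" in e.lower() else 1, e))


def iptables_drop(ip: str, whole_block: bool = False, fields: dict = None) -> str:
    """Rule text (assumed Linux iptables) blocking the address or, if whole_block, its CIDR.

    Blocking an entire allocation also blocks every other customer inside it,
    so the single address is the default.
    """
    target = ip
    if whole_block:
        hit = owner_of(fields or {}, ip)
        if hit is None:
            raise ValueError(f"{ip} is not inside the parsed netblock")
        target = hit[1]
    return f"iptables -I INPUT -s {target} -j DROP"


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print(owner_of(rec, "216.239.32.10"), abuse_contacts(rec))
    print(iptables_drop("216.239.32.10"))
```

Feed it the output of `whois <ip>` on a real record; other registries (RIPE, APNIC) use different field names such as inetnum, so extend the CIDR/NetRange handling before pointing it at their output.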

You have neither an IP nor URL

What if you are sure you're being attacked, but you have no idea by whom or what? The first place to look is your server's log files. But if those escape you (you either have no idea where to find them or they don't give you the information you need), you might need to employ a network monitoring tool. There are plenty of tools available for this task. One of my favorites is Wireshark (www.wireshark.org). This is a very powerful, open source, cross-platform tool that captures the traffic on any interface of the machine it runs on. Keep in mind what that machine can actually see: on a switched network that is only the traffic to and from the capturing host plus broadcast and multicast, so to watch the whole network you need to capture on a hub, on a switch port configured as a mirror (SPAN) port, on a network tap, or on the gateway itself. Should anything look suspicious, you have the IP address that will then help you gain valuable information.
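An added example, not part of the article, for the "look at your log files first" step: a small Python triage script that runs over constructed sshd-style auth log lines (not from any real host), counts failed logins per source address, drops private ranges that whois and PTR lookups cannot tell you anything about, and ranks the remaining addresses so you know which ones to feed into nslookup and whois. The log format, the failure threshold and the ignore list are assumptions to adapt to your own server.

```python
"""Triage a server log for candidate source addresses before looking them up."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of OpenSSH's auth log; not from any real host.
SAMPLE_LOG = """\
Mar  3 09:12:01 web sshd[2111]: Failed password for root from 74.111.159.104 port 51822 ssh2
Mar  3 09:12:03 web sshd[2111]: Failed password for root from 74.111.159.104 port 51823 ssh2
Mar  3 09:12:04 web sshd[2113]: Invalid user admin from 74.111.159.105 port 40011
Mar  3 09:12:05 web sshd[2113]: Failed password for invalid user admin from 74.111.159.105 port 40011 ssh2
Mar  3 09:12:09 web sshd[2120]: Accepted publickey for deploy from 192.168.0.1 port 52000 ssh2
Mar  3 09:12:11 web sshd[2121]: Failed password for root from 74.111.159.104 port 51824 ssh2
Mar  3 09:13:30 web sshd[2130]: Failed password for root from 2001:db8::9 port 33000 ssh2
"""

# Matches the two sshd messages that indicate a failed attempt; captures v4 or v6 source.
FAIL_RE = re.compile(r"(?:Failed password|Invalid user).* from (?P<ip>[0-9a-fA-F.:]+) port \d+")

# Ranges whose owners you cannot look up with whois: assumed RFC 1918 defaults, extend as needed.
DEFAULT_IGNORE = ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")


def failed_logins(text: str) -> Counter:
    """Count failed login lines per source address; successful logins are not counted."""
    counts = Counter()
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def suspects(text: str, threshold: int = 2, ignore=DEFAULT_IGNORE) -> list:
    """(ip, failures) pairs with at least `threshold` failures, most active first.

    Addresses inside any `ignore` network are dropped. Version-mismatched
    comparisons (an IPv6 source against an IPv4 range) are simply False.
    """
    ignored = [ipaddress.ip_network(n) for n in ignore]
    out = []
    for ip, n in failed_logins(text).most_common():
        addr = ipaddress.ip_address(ip)
        if n >= threshold and not any(addr in net for net in ignored):
            out.append((ip, n))
    return out


if __name__ == "__main__":
    for ip, n in suspects(SAMPLE_LOG):
        print(f"{n:4d} failures from {ip}: next run 'nslookup {ip}' and 'whois {ip}'")
```

On a real system point `failed_logins` at the contents of /var/log/auth.log (or the output of `journalctl -u ssh`) and adjust FAIL_RE to the service you are actually watching; the ranking tells you which addresses are worth the manual lookups described above.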

Sometimes "they" are just too good

There are times when you will be attacked, spammed, spoofed, etc. and you simply will not be able to track down the source. Often the address you do find belongs to a compromised machine or an open relay rather than to the attacker, which is one more reason to treat a lookup as a lead rather than an answer. This is an unfortunate truth in the world of networked computers. And when that time comes you will have to do your best to tighten down your security to make sure each and every computer is safe. Just remember: if a computer is attached to the network, no matter what operating system is on it, it is exposed. No machine, no operating system, no firewall, no anti-virus, no anti-malware is perfect.

The most important thing you can do is arm yourself with the tools and knowledge that will allow you to track down an address should you need to. And once you have the address (be it a name or an IP address) you can report it to your service provider, to the abuse contact listed in the whois record, and to sites like LiveIPMap.

Final thoughts

If you can get the IP address of someone doing nefarious deeds to your system or network, you need the tools to gather the information required to report the suspected address or culprit. Finding the address is the most challenging task in this process, but half of the battle is the information recon that follows. With the tools and methods outlined here, you should have everything you need.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

22 comments
seanferd

In lieu of nslookup, anyway. You'll find it on OS X and probably most Linux distros. I'm unsure whether it is included in BSD base installs. But you can get DiG for Windows as well: http://members.shaw.ca/nicholas.fong/dig/ Also, ping and any other ICMP-based utility may fail on the internet, and are intended generally for LAN use anyway. Why? Because of DoS attacks using ICMP packets, many servers/routers do not respond to these. Sort of ironic in context...

Michael Kassner

" From this monitor you will see any and all traffic flowing through your network." In most network topologies this would not be possible. It would require having all network traffic flow through a single device. And that device would have to be a hub or managed switch with an active monitoring port. In most cases (not many hubs used anymore) the only traffic captured is that of the computer with the packet analyzer.

adaviel

When you log the ip address, you need to log the date, time and timezone accurately. Use NTP. When you complain, add this information. IP's change over time.

ernied

1. Not every IP address on the internet is going to respond to pings. In fact, *most* IP addresses will not respond to pings. Use "nslookup" *first*. 2. URLs are useless. This is an assumption that you're trying to look up an IP of something that offers services to the public. 3. If the reason you're trying to do a reverse lookup on an IP address is because that IP address is attacking (or spamming) you, there's about a > 99.9% chance that the person who's attacking you is nowhere near that IP address. See also: botnet, virus, worm, and unsecured wireless routers. This IP address actually belongs to some poor schmuck who hasn't updated his antivirus program (assuming he has one at all) in 2 years because he's not computer savvy. 4. Unless you're planning on submitting the IP address to a database like Spamcop.net or SORBS.net - or more accurately, unless you're planning on creating and maintaining a database like it, because you *can't* submit IPs to these blacklists - then there's no point in trying to do anything but firewall the IP address yourself. That's because the attackers are cycling through the IP addresses of their botnets faster than anyone - even the realtime blacklists - can keep up with. So really, who cares who the IP actually belongs to? Are you going to go knock on their door and ask them to secure their computers (and show them how)?

TobiF

I'd love to have a normal "whois" command under windows. But, which version of Windows are you using, if you have a native "whois" there? Maybe you've installed some kind of utility pack? (i.e. what output do you get from "whois /?" ?)

cqvoip.net

I believe your link to Wireshark is in error. It is linking to wireshark .com ?? However, that does not appear to be the opensource version of wireshark your article is referring to. It appears to me that www.wireshark.org is the correct link address for the opensource version of wireshark. Regards, Jeff - cqvoip.net P.S. Thanks for the useful information in your article.

ultimitloozer

In his example, he was using ping to obtain the IP address of a given domain/machine. The DNS resolution is all that matters in this case and will be performed correctly even if the ICMP packets are dropped by the outgoing router or firewall (most are only dropped incoming while outgoing tend to be allowed). The only piece of the process that needs to function for his example to work is the name resolution. If you really want to pick nits, the command given for nslookup to translate an IP into a URL (should say named machine instead) is wrong. It should be nslookup IP-address not nslookup machine/domain-name.

pgit

You still get some useful information, eg broadcast/multicast traffic, eg ipp or UPnP and other discovery services. I'm guessing IPv6 will obviate a lot of the non-specific traffic we're currently using. Continuous polling looks a lot like a dinosaur in a world where every individual can have a dedicated relationship with every other...

robo_dev

There's a little entry box in the upper right corner of the web page. Simply type the IP address into the box and hit the little > button.

twaynesdomain-22354355019875063839220739305988

Google Whois and you'll find it means web sites that do the lookups for you; it's NOT a program on your computer. This is a very poorly written article and misleading in some areas. Of the many whois/lookup/etc. services available, I find Robtex.com to be the most all inclusive site and it's fast compared to many others. Beware: Some whois sites are simply probing your computer trying to steal information; stick to the mainstream sites. www.whois.com is another one. And there are hundreds more of them around the 'net, some good, some suck, a few very, very useful. The article did another disservice in that it talks about cli commands from the Command Prompt, NOT gui interfaces, but neglects to plainly state that, among many other things.

Ron_007

cool, but NSLOOKUP doesn't do me any good getting IP. All I get back is my router IP, ie:

> set querytype=soa
> google.com
Server:  UnKnown
Address:  192.168.0.1

Non-authoritative answer:
google.com
        primary name server = ns1.google.com
        responsible mail addr = dns-admin.google.com
        serial  = 1431258
        refresh = 7200 (2 hours)
        retry   = 1800 (30 mins)
        expire  = 1209600 (14 days)
        default TTL = 300 (5 mins)
> exit

C:\Users\User>nslookup google.ca
Server:  UnKnown
Address:  192.168.0.1

Non-authoritative answer:
Name:    google.ca
Addresses:  74.125.95.147
          74.125.95.103
          74.125.95.104
          74.125.95.105
          74.125.95.99
          74.125.95.106

C:\Users\User>

Suggestions would be welcome.

eclypse

Well, whois is a program on _my_ computer. In fact, just about any non-Windows OS has it installed by default. Plenty of people were able to figure out how to google it - including you, so this is kind-of a non-issue - especially for the admins or support techs that this is directed toward. "To find the IP address of that URL I would open up a ___command prompt___ in Windows (launch Terminal in Mac or from the command line in Linux) and type:" How is that misleading? How does it not plainly state that you are working from the command line and not a GUI? Or were you just out Jack-bashing this morning? There are several other valid complaints about this article, but they're much less combative and more on point.

TobiF

I've read somewhere, that *nix systems typically have the whois command natively. But in Windows, one would have to install some additional toolkit to get the corresponding command. (One such source is, for instance, Sysinternals.) However, I don't use whois every day, so when I need it, I turn to some web based service. I rather reacted to the article using a non-native windows command without even mentioning it. (This can happen when you "pimp your computer" with different toolkits first thing and then just forget about it. And I guess a simple "whois /?" would have revealed the source of this whois command, which, most probably, does not come as a native part of Windows.)

seanferd

Not sure how you are missing the IP addresses. Your router is your DNS server, so you see that address in that position. If you had internet DNS server addresses configured directly in TCP/IP configuration as opposed to your router address, those would be the IP addresses seen in that position. nslookup = name server lookup, not IP address lookup. If you don't do an SOA query, you see the IP addresses for the domain as shown in your second command result. Second, due to the nature of nslookup, it is best practice to use a trailing dot after the domain name, so that DNS suffixes from your enterprise LAN, or those foisted upon you for whatever unknown reason by your ISP are not appended, rendering the lookup useless. ( nslookup google.ca. ) - Yours did work fine without the dot, but this is worth remembering.

twaynesdomain-22354355019875063839220739305988

Hmm, I wonder if you're thinking of ipconfig? That would read and report your own IP I believe. At any rate, it appears to me that we're syntactically at odds most likely, not fully understanding each other. As for the article presentation, I agree with you; it certainly could have been a lot better and IMO wasn't that useful for any but those familiar with the CLI (Command Line Interface - Command Prompt commands). Cheers,