Jack Wallen provides some basic recon tools and methods for finding IP addresses and URLs that you may need to track down for purposes of blocking, contacting, or satisfying simple curiosity.
There are many reasons why you might need to track down an IP address. You might have discovered a hacking attempt in one of your logs. You might think you have found a spammer that you want to add to a block list. The "whys" are as numerous as the "hows": every operating system ships different tools for the job, and many of the applications that deal with IP addresses bring along tools of their own. So where do you start? What's the easiest way to find IP addresses and help locate their sources?
I'm assuming you know what an IP address is and what it does, but that's about it. Much of this information will be common knowledge to the seasoned administrator, but new administrators or support techs might glean some useful information here.
Finding the IP address for a URL
Let's say whatever application you are using gives you a URL (really a host name, such as google.com) for an address that you want to block or track, for whatever reason. If you need the IP address behind that name there is a very simple way to get it: use ping. Let's use google.com as an example. To find the IP address I would open up a command prompt in Windows (Terminal on a Mac, or a shell on Linux) and type:
ping google.com
From that command you should see something like:
64 bytes from google.com (220.127.116.11): icmp_seq=1 ttl=52 time=29.0 ms
As you can see, ping resolves the name google.com to an IP address before it sends a single packet; in this example the address is 220.127.116.11. If the host drops ICMP echo requests you will get no reply lines at all, but the header line ping prints first ("PING google.com (220.127.116.11) ..." on Linux and macOS, "Pinging google.com [220.127.116.11] ..." on Windows) still shows the address it resolved. This can be a bit misleading, because that IP address may be only one of many associated with the domain: ping simply uses the first address your resolver hands back, and a resolver in another network may hand back a different one. You can list all of the IP addresses associated with a name with the nslookup command, like so:
nslookup google.com
The above command should report something similar to:
Name: google.com Address: 22.214.171.124
Name: google.com Address: 126.96.36.199
Name: google.com Address: 188.8.131.52
Name: google.com Address: 184.108.40.206
Name: google.com Address: 220.127.116.11
Name: google.com Address: 18.104.22.168
From the above information you should notice that the answers are labelled non-authoritative. That does not mean the addresses are wrong, or that none of them is "in charge" of the domain; it means the answer came from your resolver's cache rather than directly from one of the name servers that are authoritative for google.com. Let's use the same tool to find out which server is authoritative for the domain. To do this, first issue the command nslookup with no arguments. This puts you in interactive mode, with a prompt that looks like:
>
Now set the query type like so:
> set querytype=soa
and then enter the domain:
> google.com
You will then see output that looks like that shown in Figure A.
The SOA (start of authority) record names the primary name server for the domain (the origin field) along with the mailbox of the person responsible for it, and nslookup prints that name server's address when it is returned alongside the answer. Now you can see the name server in charge of the domain google.com is ns1.google.com, and the address shown for it in this example is 22.214.171.124.
Finding the URL for an IP address
Pinging an IP address tells you whether it answers, not what name it belongs to. I know, I know...it's unfair, but it's the way it goes. So, how can you get the name from an IP address? Simple, you take advantage of nslookup again, this time handing it the address instead of a name (this is a reverse, or PTR, lookup). For the address of ns1.google.com from the previous section, issue the command:
nslookup 216.239.32.10
And you will see something like:
Non-authoritative answer: 10.32.239.216.in-addr.arpa name = ns1.google.com.
The 10.32.239.216.in-addr.arpa label is simply the address with its four octets reversed; that is how reverse lookups are stored in DNS. From the answer you instantly know that the IP address is associated with google.com. Two caveats: the reverse record is published by whoever controls the address block, so an address may have no PTR record at all, or one that names something unrelated to the site it hosts, and a PTR answer should be confirmed by resolving the returned name forward again and checking that you get the same address back. Of course you could also just enter the IP address in your web browser and, if that IP address is associated with a web server, you will see the results instantly; but browsing to an address that has just attacked you tells its owner your own address and hands your browser whatever that server chooses to serve, so for an address you suspect, stick to the passive lookups. If the IP address is not associated with a web server you will have to do more research.
You can find out who the address is registered to using the whois command like so:
whois 216.239.32.10
The above command will report something like this:
NetRange: 126.96.36.199 - 188.8.131.52
NetType: Direct Allocation
OrgName: Google Inc.
Address: 1600 Amphitheatre Parkway
City: Mountain View
OrgTechName: Google Inc
RTechName: Google Inc
Now, if someone (identified by either a URL or an IP address) is attacking you or sending you spam, and you want to discover who they are, or need to block, report, or contact them, you have the information you need. The whois record is where the technical contact and the full address range (NetRange) live; note that blocking the whole range is a much bigger hammer than blocking the one address, so decide which you actually want before you write the rule.
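Putting the lookups above to work, as an added example that is not from the original article: the Python below parses the kind of output nslookup and whois print, builds the reversed in-addr.arpa name that the reverse lookup queries, and turns a whois NetRange into the CIDR blocks a firewall rule needs. The nslookup and whois samples inside it are constructed (they use RFC 5737 documentation addresses rather than Google's), and the field names it pulls from whois (NetRange, OrgName, OrgAbuseEmail) are the ones ARIN prints; other registries label fields differently, so treat those names as an assumption.

```python
"""Reusable pieces of the nslookup / reverse-lookup / whois routine.

Added example, not code from the original article. The nslookup and
whois samples below are constructed with RFC 5737 documentation
addresses; the whois field names are ARIN's and are an assumption.
"""
import ipaddress
import re

# Constructed sample: what `nslookup example.com` prints on Linux.
NSLOOKUP_OUTPUT = """\
Server:		192.0.2.53
Address:	192.0.2.53#53

Non-authoritative answer:
Name:	example.com
Address: 198.51.100.10
Name:	example.com
Address: 198.51.100.11
Name:	example.com
Address: 2001:db8::10
"""

# Constructed sample: an ARIN-style `whois 198.51.100.10` record.
WHOIS_OUTPUT = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-NET
NetType:        Direct Allocation
OrgName:        Example Networks LLC
Address:        1 Example Way
City:           Anytown
OrgAbuseEmail:  abuse@example.com
OrgTechName:    Example NOC
"""


def addresses_from_nslookup(text):
    """Return every answer address in nslookup output.

    The 'Address:' line under 'Server:' is the resolver itself (it
    carries '#53'), so it is skipped; only answers for the queried
    name are returned, IPv4 and IPv6 alike.
    """
    ips = []
    for line in text.splitlines():
        m = re.match(r"Address:\s*(\S+)$", line)
        if m and "#" not in m.group(1):
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def reverse_name(ip):
    """The name a reverse (PTR) lookup of ip asks for.

    IPv4 octets are reversed under in-addr.arpa (216.239.32.10 becomes
    10.32.239.216.in-addr.arpa); IPv6 nibbles are reversed under ip6.arpa.
    """
    return ipaddress.ip_address(ip).reverse_pointer


def whois_fields(text, wanted=("NetRange", "OrgName", "OrgAbuseEmail")):
    """Pull selected 'Key: value' fields out of whois output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in wanted:
            fields[key] = value.strip()
    return fields


def cidrs_for_netrange(netrange):
    """Convert a whois 'first - last' NetRange into CIDR blocks.

    Ranges are not always aligned to one prefix, so this may return
    several blocks; together they cover exactly the range.
    """
    first, last = (ipaddress.ip_address(p.strip()) for p in netrange.split("-"))
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def in_netrange(ip, netrange):
    """True if ip falls inside the whois NetRange."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs_for_netrange(netrange))


if __name__ == "__main__":
    for ip in addresses_from_nslookup(NSLOOKUP_OUTPUT):
        print(ip, "-> reverse lookup name:", reverse_name(ip))
    info = whois_fields(WHOIS_OUTPUT)
    print(info)
    print("blocks covering NetRange:", cidrs_for_netrange(info["NetRange"]))
```

Run as-is it prints the reverse-lookup names for each resolved address and the CIDR block list for the sample range; the only check tied to the page itself is that 216.239.32.10 reverses to 10.32.239.216.in-addr.arpa, the label that appeared in the nslookup output above.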
You have neither an IP nor URL
What if you are sure you're being attacked, but you have no idea by whom or what? The first place to look is your server's log files: web server access logs, mail logs, and the authentication log all record the source address of every attempt. But if those escape you (you either have no idea where to find them or they don't give you the information you need), you might need to employ a network monitoring tool. There are plenty of tools available for this task. One of my favorites is Wireshark. This is a very powerful, open source, cross-platform tool that captures and decodes traffic. Keep in mind that it only sees what reaches the interface it captures on: on a switched network that means your own PC's traffic, and to watch the entire network you need to capture from a mirror (SPAN) port on the switch or from a network tap. Should anything look suspicious, you have the IP address, which will then help you gain valuable information with the lookups above.
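As an added example (not the article's own code) of the log triage this section starts with: the Python below counts failed SSH logins per source address in the format OpenSSH writes to auth.log, and separates a user who fumbled a password once from a source that hammers many accounts. The log lines are constructed with RFC 5737 documentation addresses, and the threshold of three failures is an assumption to adjust for your environment.

```python
"""Pick candidate attacker addresses out of an SSH authentication log.

Added example, not from the original article. The log lines are
constructed (RFC 5737 addresses) in OpenSSH's auth.log format; the
failure threshold is an assumption.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of auth.log lines.
AUTH_LOG = """\
Mar  3 10:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 10:01:04 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.45 port 51030 ssh2
Mar  3 10:01:05 web1 sshd[2105]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar  3 10:01:07 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.45 port 51050 ssh2
Mar  3 10:02:11 web1 sshd[2110]: Failed password for jwallen from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:19 web1 sshd[2110]: Accepted password for jwallen from 198.51.100.7 port 40022 ssh2
Mar  3 10:03:30 web1 sshd[2120]: Failed password for invalid user pi from 192.0.2.200 port 33001 ssh2
Mar  3 10:03:33 web1 sshd[2121]: Accepted publickey for deploy from 192.0.2.9 port 53100 ssh2
"""

# "invalid user" is present when the account does not exist at all.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")


def summarize(log):
    """Per source IP: failure count, usernames tried, usernames accepted."""
    failures = Counter()
    users_tried = defaultdict(set)
    accepted = defaultdict(set)
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users_tried[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            accepted[ip].add(user)
    return failures, users_tried, accepted


def triage(log, max_failures=3):
    """Map each source IP that failed at least once to a verdict.

    block  - many failures, or several usernames tried, and no success
    watch  - a single failure against one account
    ok     - a few failures and then a successful login (likely a typo)
    review - many failures and then a success: possible brute force that worked
    """
    failures, users_tried, accepted = summarize(log)
    verdicts = {}
    for ip, count in failures.items():
        if ip in accepted:
            verdicts[ip] = "review" if count >= max_failures else "ok"
        elif count >= max_failures or len(users_tried[ip]) >= 2:
            verdicts[ip] = "block"
        else:
            verdicts[ip] = "watch"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(triage(AUTH_LOG).items(), key=lambda kv: kv[1]):
        print(f"{ip:<16} {verdict}")
```

The addresses it marks "block" are the ones to feed into the nslookup and whois steps above; a "review" verdict (failures followed by a success from the same source) deserves a phone call to the account owner before you do anything else.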
Sometimes "they" are just too good
There are times when you will be attacked, spammed, spoofed, etc. and you simply will not be able to track down the source. This is an unfortunate truth in the world of networked computers. And when/if that time comes you will have to do your best to tighten down your security to make sure each and every computer is safe. Just remember, if a computer is attached to the network, no matter what operating system is on it, it is exposed. No machine, no operating system, no firewall, no anti-virus, no anti-malware is perfect.
The most important thing you can do is arm yourself with the tools and knowledge that will allow you to track down an address should you need to. And once you have the address (be it URL or IP address) you can always report it to your service provider as well as to sites like LiveIPMap.
Final thoughts
If you can get the IP address of someone doing nefarious deeds to your system or network, you need the tools that let you gather the information required to report the suspected address or culprit. Although the most challenging task in this process is actually locating the address, half of the battle is the information recon. With the tools and methods outlined here, you should have everything you need.