IP Investigation

From Phoenix Labs Wiki


Investigating IPs before submitting them to Blocklist.org is important: a solid comment makes the moderators' job easier and gets your IP added much more quickly. This page details the common routes of investigation.


Resolving hostnames

If all you have is a hostname (e.g. google.com), the first step is to find out all the IPs associated with it. You can do this by opening a command window and typing nslookup <hostname> in the console:

>nslookup www.google.com

You should be given output similar to this:

>nslookup www.google.com
Server:  vnsc-pri.sys.gtei.net
Address:  4.2.2.1

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  216.239.37.99, 216.239.37.104, 216.239.37.147
Aliases:  www.google.com

Now we have the IPs to investigate: 216.239.37.99, 216.239.37.104, 216.239.37.147.

The WHOIS

Performing a WHOIS is an easy way to see who owns the netblock which contains an IP. There are many WHOIS applications out there, but we will be using the RWhois Web Interface.

Typing 216.239.37.99 into the Query field and submitting should give you a referral like rwhois://rwhois.arin.net:4321/auth-area=0.0.0.0/0. Click it and you will be given the results of our query:

class-name       network
auth-area        0.0.0.0/0
id               NET-216-239-32-0-1.0.0.0.0/0
handle           NET-216-239-32-0-1
ip-network       216.239.32.0/19
ip-network-block 216.239.032.000 - 216.239.063.255
org-name         Google Inc.
street-address   1600 Amphitheatre Parkway
city             Mountain View
state            CA
postal-code      94043
country-code     US
tech-contact     ZG39-ARIN.0.0.0.0/0
created          20001122170000000
updated          20010511070610000

So we found our IPs are all part of one big Google-owned range, 216.239.032.0 - 216.239.063.255.

Reverse DNS

A reverse DNS lookup finds the hostname associated with an IP. This doesn't always work (not every IP has a reverse record), but it may give us a domain to look into. A reverse DNS lookup can be done by opening a command prompt and typing nslookup <ip> in the console:

>nslookup 72.36.170.34

You should be given familiar output:

>nslookup 72.36.170.34
Server:  vnsc-pri.sys.gtei.net
Address:  4.2.2.1

Non-authoritative answer:
Name:    phoenixlabs.org
Address:  72.36.170.34

Now we know 72.36.170.34 is associated with phoenixlabs.org.
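The three lookups above (hostname resolution, the WHOIS netblock, reverse DNS) combined into one check, as an added Python example that is not part of this wiki page: it resolves a hostname, tests each address against the netblock from the WHOIS result, and forward-confirms the reverse DNS name, because a PTR record is set by whoever controls the address space and can claim any domain. The stub records are constructed for offline use; the `live_*` functions use the system resolver.

```python
import ipaddress
import socket

# Constructed stub DNS data so the example runs offline (not real records).
# 198.51.100.7 carries a PTR claiming www.google.com that does not resolve back: a forged entry.
STUB_FORWARD = {
    "www.google.com": ["216.239.37.99", "216.239.37.104", "216.239.37.147"],
    "phoenixlabs.org": ["72.36.170.34"],
}
STUB_REVERSE = {
    "216.239.37.99": "www.google.com",
    "72.36.170.34": "phoenixlabs.org",
    "198.51.100.7": "www.google.com",
}

def stub_forward(name):
    return list(STUB_FORWARD.get(name, []))
def stub_reverse(ip):
    return STUB_REVERSE.get(ip)

def live_forward(name):
    """Forward lookup (the nslookup <hostname> step) via the system resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def live_reverse(ip):
    """PTR lookup (the nslookup <ip> step); None when no reverse record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def in_netblock(ip, block):
    """True when ip lies inside the WHOIS ip-network, e.g. 216.239.32.0/19."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(block, strict=False)

def confirmed_reverse(ip, forward=live_forward, reverse=live_reverse):
    """Reverse-resolve ip, then require the PTR name to forward-resolve back to ip
    (forward-confirmed reverse DNS); an unconfirmed PTR name is only a claim."""
    ptr = reverse(ip)
    return {"ip": ip, "ptr": ptr, "confirmed": ptr is not None and ip in forward(ptr)}

def investigate(hostname, block, forward=live_forward, reverse=live_reverse):
    """Resolve hostname; for each IP record netblock membership and the rDNS check."""
    report = []
    for ip in forward(hostname):
        entry = confirmed_reverse(ip, forward, reverse)
        entry["in_block"] = in_netblock(ip, block)
        report.append(entry)
    return report
```

Call `investigate("www.google.com", "216.239.32.0/19")` without the stub arguments to run it against real DNS.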

Services

If a WHOIS doesn't give enough information, it may be worthwhile to see if services running on that IP can give us anything more.

Finding Services

You can use nmap to find open services:

>nmap -sS -O -A -v phoenixlabs.org

This may take a few minutes to run depending on your connection speed. You will be given a lot of output, but it's the stuff at the end that we want:

>nmap -sS -O -A -v phoenixlabs.org
...
Interesting ports on phoenixlabs.org (72.36.170.34):
(The 1645 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE      VERSION
21/tcp    open     ftp          ProFTPD 1.2.10
22/tcp    open     ssh          OpenSSH 3.8.1p1 Debian-8.sarge.4 (protocol 2.0)
25/tcp    open     smtp         Exim smtpd 4.50
80/tcp    open     http         lighttpd 1.4.5
111/tcp   open     rpcbind       2 (rpc #100000)
113/tcp   open     ident        OpenBSD identd
143/tcp   open     imap         Dovecot imapd
199/tcp   open     smux         Linux SNMP multiplexer
636/tcp   open     status        1 (rpc #100024)
...

So we've got a lot of services open. Many services can be configured to report organization info, so they are a valid source of information. Connecting to all of them is beyond the scope of this document, but you should be able to recognize at least HTTP and FTP.
