25 de out de 2010

The best tools and methods to track down suspect IP addresses and URLs

The best tools and methods to track down suspect IP addresses and URLs: "

There are many reasons why you might need to track down an IP address. You might have discovered a hacking attempt in one of your logs. You might think you have found a spammer that you want to add to a black list. The “why” are as many as are the “how.” Every operating system has different tools for helping you track down an IP address. Compounded with this is that any tool that makes use of an IP address also has different tools for this purpose. So where do you start? What’s the easiest way to find IP addresses and help locate their sources?


I’m assuming you know what an IP address is and what it does, but that’s about it. Much of this information will be common knowledge to the seasoned administrator., but new administrators or support techs might glean some useful information here.


Finding the URL for an IP address


Let’s say whatever application you are using gives you a URL for an address that you want to block or track (for whatever reason). If you need the IP address of that URL there is a very simple way to do that - use ping. Let’s use google.com as an example. To find the IP address of that URL I would open up a command prompt in Windows (launch Terminal in Mac or from the command line in Linux) and type:


ping google.com

From that command you should see something like:


64 bytes from iwanttoblockthis.com 74.125.159.104: icmp_seq=1 ttl=52 time=29.0

As you can see, the ping tool locates the IP address associated with the URL google.com. In this example the address 74.111.159.104. Now this can be a bit misleading because that IP address might be only one address of many associated with the domain. You can find out all of the IP addresses associated with a URL using the nslookup command like so:


nslookup google.com

The above command should report something similar to:


Non-authoritative answer:

Name:    google.com
Address: 74.111.159.104

Name:    google.com
Address: 74.111.159.105

Name:    google.com
Address: 74.111.159.106

Name:    google.com
Address: 74.111.159.107

Name:    google.com
Address: 74.111.159.108

Name:    google.com
Address: 74.111.159.109

From the above information you should notice that the answers received are non-authoritative, which means none of those addresses are in charge of the domain. Let’s use the same tool to find the authoritative address for the domain. To do this ,first issue the command nslookup with no arguments. This will bring you a prompt that looks like:


>

Now set the querytype like so:


> set querytype=soa

and then enter the domain:


> google.com

You will then see output that looks like that shown in Figure A.


Figure A



Now you can see the IP address in charge of the domain google.com com is 216.239.32.10.


Finding the URL for an IP address


If you ping an IP address you will not receive a domain back. I know, I know…it’s unfair, but it’s the way it goes. So, how can you get the URL from an IP address? Simple, you take advantage of nslookup again. To do this, issue the command:


nslookup google.com

And you will see something like:


Non-authoritative answer:
10.32.239.216.in-addr.arpa name = ns1.google.com.

You instantly know that the IP address is associated with google.com. Of course you could also just enter the IP address in your web browser and, if that IP address is associated with a web server, you will see the results instantly. If the IP address is not associated with a web browser you will have to do more research.


You can find out even more information using the whois command like so:


whois  216.239.32.10

The above command will report something like this:


NetRange:       216.239.32.0 - 216.239.63.255
CIDR: 216.239.32.0/19
OriginAS:
NetName: GOOGLE
NetHandle: NET-216-239-32-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS2.GOOGLE.COM
NameServer: NS3.GOOGLE.COM
NameServer: NS4.GOOGLE.COM
NameServer: NS1.GOOGLE.COM
RegDate: 2000-11-22
Updated: 2001-05-11
Ref: http://whois.arin.net/rest/net/NET-216-239-32-0-1
OrgName: Google Inc.
OrgId: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2000-03-30
Updated: 2009-08-07
Ref: http://whois.arin.net/rest/org/GOGL
OrgTechHandle: ZG39-ARIN
OrgTechName: Google Inc
OrgTechPhone: +1-650-253-0000
OrgTechEmail: arin-contact@google.com
OrgTechRef: http://whois.arin.net/rest/poc/ZG39-ARIN
RTechHandle: ZG39-ARIN
RTechName: Google Inc
RTechPhone: +1-650-253-0000
RTechEmail: arin-contact@google.com
RTechRef: http://whois.arin.net/rest/poc/ZG39-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html

Now, if you have someone (either URL or IP address) attacking you or sending you spam that you want to discover, or you need to block, report, or contact them, you can get the information you need.


You have neither an IP nor URL


What if you are sure you’re being attacked, but you have no idea by whom or what. The first place to look is your server’s log files. But if those escape you (you either have no idea where to find them or they don’t give you the information you need), you might need to employ a network monitoring tool. There are plenty of tools available for this task. One of my favorites is Wireshark. This is a very powerful, open source, cross-platform tool that can monitor your PC or your entire network. From this monitor you will see any and all traffic flowing through your network. Should anything look suspicious, you have the IP address that will then help you gain valuable information.


Sometimes “they” are just too good


There are times when you will be attacked, spammed, spoofed, etc. and you simply will not be able to track down the source. This is an unfortunate truth in the world of a networked computer. And when/if that time comes you will have to do your best to tighten down your security to make sure each and every computer is safe. Just remember, if a computer is attached to the network, no matter what operating system is on it, it is insecure. No machine, no operating system, no firewall, no anti-virus, no anti-malware is perfect.


The most important thing you can do is arm yourself with the tools and knowledge that will allow you to track down an address should you need to. And once you have the address (be it URL or IP address) you can always report the address to your service provider as well as sites like LiveIPMap.


Final thoughts

If you can get the IP address of someone doing nefarious deeds to your system or network you need to have the tools to enable you to gather the information in order to report the suspected address or culprit. Although the most challenging task in this process is actually locating the address, half of the battle is in the information recon. With the tools and methods outlined here, you should have everything you need.





"

Nenhum comentário:

Postar um comentário