This article is about how to trace down an IP number. A lot of people find themselves getting harassed in some form or another when they are on the internet. I get asked this question a lot, and quite frankly, the best you can do is trace an IP address down to its block owner, or ISP.
The ISP has records of who their IPs belong to, but they will not disclose this information without a court order or legal action of some type. As a normal user, therefore, you simply CANNOT get a person’s name, address, and phone number from their IP address. Not to mention that if the IP is coming from a company, a school, or some other type of LAN, then chances are that it could be any one of many people behind that IP.
The only way to actually get the origin of the IP beyond its block owner is either by acquiring a lawyer and bringing law enforcement into the picture, or by performing illegal actions like hacking into an ISP to acquire records. That isn’t what we are here to discuss, for we neither promote nor condone illegal activities. Another point: if you are being harassed or attacked, there is a good possibility that the antagonist is using a proxy or something to that effect, and you would not be able to track beyond that source anyways.
With all that said, let us begin on how to track an IP number.
There are many ways in which to acquire an IP address. Some examples include:
2- Firewall logs
3- netstat output of a direct connection (netstat -n)
4- Server logs
Just to name a few. For this article, we will use email as an example.
Let’s say one is being harassed via emails, and they want to find out the IP address the emails are coming from. In order to get the source IP you must analyze the header information. (*note- Sometimes email headers are forged, but we will assume for purposes of this article that they are not. Perhaps I will produce an individual article on forged email headers in the future.)
What is an email header?
In an email, the body (content text) is always preceded by header lines that identify particular routing information of the message, including the sender, recipient, date and subject. Some headers are mandatory, such as the FROM, TO and DATE headers. Others are optional, but very commonly used, such as SUBJECT and CC. Other headers include the sending time stamps and the receiving time stamps of all mail transfer agents that have received and sent the message. In other words, any time a message is transferred from one user to another (i.e. when it is sent or forwarded), the message is date/time stamped by a mail transfer agent (MTA) – a computer program or software agent that facilitates the transfer of email messages from one computer to another. This date/time stamp, like FROM, TO, and SUBJECT, becomes one of the many headers that precede the body of an email.
To really understand what an email header is, you must see one. Here is an example of a full email header. (note: email headers should be read from the bottom up)
Delivered-To: firstname.lastname@example.org
Received: by 10.67.123.15 with SMTP id a15cs304554ugn; Wed, 8 Oct 2008 23:40:04 -0700 (PDT)
Received: by 10.90.28.12 with SMTP id b12mr886461agb.96.1223534403777; Wed, 08 Oct 2008 23:40:03 -0700 (PDT)
Return-Path:
Received: from bosmailout07.eigbox.net (bosmailout07.eigbox.net [126.96.36.199]) by mx.google.com with ESMTP id 7si4980730wrl.22.2008.10.08.23.40.02; Wed, 08 Oct 2008 23:40:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of SRS0=/+PoA5=2Remail@example.com designates 188.8.131.52 as permitted sender) client-ip=184.108.40.206;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of SRS0=/+PoA5=2Rfirstname.lastname@example.org designates 220.127.116.11 as permitted sender) smtp.mail=SRS0=/+PoA5=2Remail@example.com
Received: from bosmailscan22.eigbox.net ([10.20.15.22]) by bosmailout07.eigbox.net with esmtp (Exim) id 1KnpBq-0003rC-9z for firstname.lastname@example.org; Thu, 09 Oct 2008 02:40:02 -0400
Received: from bosimpout01.eigbox.net ([10.20.55.1]) by bosmailscan22.eigbox.net with esmtp (Exim) id 1KnpBq-0001kQ-BG for email@example.com; Thu, 09 Oct 2008 02:40:02 -0400
Received: from bosauthsmtp03.eigbox.net ([10.20.18.3]) by bosimpout01.eigbox.net with NO UCE id QWfq1a00203yW760000000; Thu, 09 Oct 2008 02:39:50 -0400
X-EN-OrigOutIP: 10.20.18.3
X-EN-IMPSID: QWfq1a00203yW760000000
Received: from 253.67-212-36-net.sccoast.net ([18.104.22.168] helo=blah) by bosauthsmtp03.eigbox.net with esmtpa (Exim) id 1KnpBf-0008Mz-BT for firstname.lastname@example.org; Thu, 09 Oct 2008 02:39:51 -0400
From: "user"
To:
Subject: FW: Mail delivery failed: returning message to sender
Date: Thu, 9 Oct 2008 02:39:49 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
X-EN-UserInfo: 49878fe7b8bf42da0775bac78e39a15f:1699f3d7cb7944a0c6fbc035085feb10
X-EN-AuthUser: email@example.com
Sender: "user"
X-EN-OrigIP: 22.214.171.124
X-EN-OrigHost: 253.67-212-36-net.sccoast.net
Here we see the IP of the original sender is 126.96.36.199 (firstname.lastname@example.org)
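The bottom-up reading described above can be automated. The following is an added example, not part of the original article: it walks the Received headers oldest first and returns the first address that is not an internal relay. The sample message is constructed, its hostnames are invented and its addresses come from the documentation ranges; like the article, it assumes the headers are not forged.

```python
import email
import ipaddress
import re

# Networks treated as internal relays (RFC 1918 plus loopback).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: invented hostnames, documentation-range addresses.
SAMPLE = """\
Delivered-To: victim@example.org
Received: from mailout.isp.example (mailout.isp.example [198.51.100.7])
        by mx.example.org with ESMTP id abc123;
        Wed, 08 Oct 2008 23:40:03 -0700 (PDT)
Received: from scan.isp.example ([10.20.15.22])
        by mailout.isp.example with esmtp (Exim) id 1KnpBq;
        Thu, 09 Oct 2008 02:40:02 -0400
Received: from host253.dsl.example ([203.0.113.253] helo=blah)
        by auth.isp.example with esmtpa (Exim) id 1KnpBf;
        Thu, 09 Oct 2008 02:39:51 -0400
From: "user" <user@isp.example>
Subject: test

body
"""

# "from <host> ... [<ipv4>] ... by <host>" inside one Received header.
HOP = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?by\s+(\S+)", re.S)

def hops(raw):
    """Return (from_host, ip, by_host) per Received header, oldest first."""
    msg = email.message_from_string(raw)
    out = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:  # headers such as "Received: by 10.x.x.x" name no sending host
            out.append((m.group(1), ipaddress.ip_address(m.group(2)), m.group(3)))
    return out

def origin(raw):
    """First non-internal address when reading the chain from the bottom up."""
    for host, ip, _ in hops(raw):
        if not any(ip in net for net in INTERNAL):
            return host, str(ip)
    return None
```

Only the Received lines written by mail servers you trust are reliable; everything below them was supplied by the sending side.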
How do I find email headers?
There are different ways to view headers in an email. If you are using a client, such as Microsoft Outlook, then the client itself will have options to enable you to view the headers. An example of this in Outlook would be as follows:
1- Select the message you want to view the headers of.
2- Right click the mouse, select OPTIONS
3- Headers will be displayed within the “Internet Headers” area of a pop-up window.
Since the majority of users simply go to their emails in their browsers, this is what we will concentrate on. I will use a few of the most popular web mail services as an example here. I will use gmail, hotmail (live full version), and yahoo (both old and new yahoo).
Google Mail (GMail)
1- Open the message you want to view the headers of.
2- Click the down arrow next to the “Reply” link in the top right hand corner.
3- Select “Show Original” to open a new window with the full headers
Windows Live Hotmail (Full Version)
*This does not work with Safari on Mac OS X
1- Right click on the message. (From the list of emails)
2- Select “View Source”
3- A new window with the full headers and HTML source of the email will open
Yahoo Mail “New” Version
1- Right click on the message.
2- Select “View Full Headers”
3- A new window with the full headers will open
Yahoo Mail “Classic” Version
1- Click on the message.
2- Click “Full Headers” on the bottom right of the screen
Get IP by Sending Them an Email:
There is no 100% working way of tracking emails mainly because of the limitations of the email protocol. The only option that users have to track emails is to make use of html emails. If the recipient of the email turned them off or uses an advanced spam filter there is no way to track emails. There are basically two options for html messages that allow a user to track if a recipient has opened the email in a mail client.
The first is to add an object to the email that has to be loaded to be displayed. This is usually a 1×1 transparent gif image that is loaded from an external server that records a hit if the user opened the email. A hit is recorded when the image is pulled from the server hosting it. This is the most common form of tracking emails. Users who have configured their email client to display only text messages will not be bothered by the tracking code and the sender will not know if the email has been read. The same is true for antispam software and email servers that filter out code that looks like it was installed for tracking purposes.
The second option is to make the user click on a hyperlink in the email. The web server hosting the link would record that the user clicked on the link and the email sender would know that the email was read. This method has the same limitations that the transparent image method has. The second method has the added disadvantage that the email recipient needs to click on the link to make it count. It could very well be that he reads the email but does not click on that link.
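From the recipient's side, both tracking methods can be spotted in the message source before any remote content is loaded. This added example (not from the original article) scans an HTML body for remote images sized 0 or 1 pixel and for remote links; tracker.example, cdn.example and the sample body are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class RemoteContentFinder(HTMLParser):
    """Collect remote images and links found in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.pixels, self.remote_images, self.links = [], [], []

    @staticmethod
    def _is_remote(url):
        return urlparse(url or "").scheme in ("http", "https")

    @staticmethod
    def _tiny(attrs):
        # Width/height of 0 or 1, given as attributes or in an inline style.
        dims = [attrs.get("width"), attrs.get("height")]
        if any(d is not None and d.strip().rstrip("px") in ("0", "1") for d in dims):
            return True
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return any(s in style for s in ("width:1px", "height:1px", "display:none"))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and self._is_remote(attrs.get("src")):
            bucket = self.pixels if self._tiny(attrs) else self.remote_images
            bucket.append(attrs["src"])
        elif tag == "a" and self._is_remote(attrs.get("href")):
            self.links.append(attrs["href"])

def scan(html):
    """Return remote pixels, other remote images and remote links."""
    finder = RemoteContentFinder()
    finder.feed(html)
    return {"pixels": finder.pixels,
            "remote_images": finder.remote_images,
            "links": finder.links}

# Constructed sample body; the hosts are placeholders.
SAMPLE = """<html><body><p>Hello</p>
<img src="cid:logo@local" width="120" height="40">
<img src="https://tracker.example/o.gif?id=42" width="1" height="1">
<img src="http://cdn.example/banner.png" width="600">
<a href="https://tracker.example/c?id=42">Click here</a>
</body></html>"""
```

An embedded `cid:` image is not reported because it travels inside the message and triggers no request to an external server.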
OK. Now hopefully we have an IP address to track. From our examples above, we’ll use the first IP (188.8.131.52).
You may not be able to get to the specific owner in all cases, but you can find out who owns the block of IP addresses that this address comes from, which is typically the ISP.
The first thing we need to do is resolve the host of the IP in order to determine what the host domain is. There are many good online services to perform this for you. A few good sources are: http://www.dnstools.com/ http://www.webyield.net/domainquery.html.
There is also a great tool by Nir Sofer called IPNetInfo that allows you to paste the whole header into his program. It will automatically parse the text for IP addresses and perform a WHOIS on each IP address it finds, thus making your job 10 times easier/faster.
Also, you can download a number of internet tools to perform these types of queries, or simply use tracert in command prompt.
To do this, open command prompt, and type in this: tracert 184.108.40.206
Here is our output:
Tracing route to 253.67-212-36-net.sccoast.net [220.127.116.11]
over a maximum of 30 hops:
  1     7 ms     5 ms     5 ms  10.125.0.1
  2    15 ms     7 ms     5 ms  18.104.22.168
  3     6 ms    11 ms     9 ms  srp0-0.rlghncj-rtr5.nc.rr.com [22.214.171.124]
  4     7 ms    10 ms    10 ms  pos1-3.rlghnca-rtr2.nc.rr.com [126.96.36.199]
  5    14 ms    13 ms    16 ms  ge-2-3-0.chrlncpop-rtr1.southeast.rr.com [24.93.64.176]
  6    17 ms    15 ms    13 ms  te-3-4.car1.Charlotte1.Level3.net [188.8.131.52]
  7    26 ms    25 ms    25 ms  HORRY-TELEP.car1.Charlotte1.Level3.net [4.71.124.26]
  8    24 ms    27 ms    24 ms  106.207-avail-core.sccoast.net [184.108.40.206]
  9    29 ms    25 ms    25 ms  90.207-core02-et.14.13.sccoast.net [220.127.116.11 0]
 10    30 ms    27 ms    35 ms  81.207-core-rb61.sccoast.net [18.104.22.168]
 11    27 ms    28 ms    26 ms  73.207-core-rb60.sccoast.net [22.214.171.124]
 12     *        *        *     Request timed out.
 13     *        *     73.207-core-rb60.sccoast.net [126.96.36.199]  reports: Destination net unreachable.
Trace complete.
Now we can clearly see in the first line that 188.8.131.52 resolves to 253.67-212-36-net.sccoast.net
If we refer back to our email header, we see that this information is also revealed, thus confirming our query.
Note: “reports: Destination net unreachable” simply means the sender is not online at this time.
So now what? Well we want to find out who and where sccoast.net is. To do this we need to do a whois domain query.
You can go to just about any domain name registrar and perform a whois lookup. Simply google for domain registrars, or for that matter google whois lookup. It’s not that hard now that you know you need a whois query.
Using the service at http://www.webyield.net/domainquery.html, we find out that the whois information is as follows:
Registration Service Provided By: HORRY TELEPHONE COOPERATIVE
Contact: +1.8433698567
Domain Name: SCCOAST.NET
Registrant:
    Horry Telephone Cooperative
    Domain Administrator (email@example.com)
    PO Box 1820
    Conway SC,29526
    US
    Tel. +1.8433698567
    Fax. +1.8433652855
Creation Date: 25-Apr-1995
Expiration Date: 26-Apr-2010
Domain servers in listed order:
    dns1.sccoast.net
    dns2.sccoast.net
Administrative Contact:
    Horry Telephone Cooperative
    Domain Administrator (firstname.lastname@example.org)
    PO Box 1820
    Conway SC,29528
    US
    Tel. +1.8433698567
    Fax. +1.8433650855
Technical Contact:
    Horry Telephone Cooperative
    Domain (email@example.com)
    3480 Hwy 701 North
    Conway SC,29526
    US
    Tel. +1.8433698284
    Fax. +1.8433650300
Billing Contact:
    Horry Telephone Cooperative
    Domain Administrator (firstname.lastname@example.org)
    PO Box 1820
    Conway SC,29528
    US
    Tel. +1.8433698567
    Fax. +1.8433650855
Now we know the name and location of the ISP of our IP address.
We can email the administrator and attempt to social engineer them for information, but unless you’re really good, you will not succeed.
Our best bet at this point is to present our information to a lawyer or a law enforcement official.
Gather any records you may have such as your harassing emails and/or any logs and your query information.
Here is a quick and simple way to obtain a person’s IP address while chatting.
Most chat services, whether it be MSN, Yahoo, IRC, etc., will protect their users from someone being able to get their IP simply from chatting. In other words, if you are chatting with a person and you do a netstat, you are going to get the IP number of the server providing the chat communication, which is essentially useless to you. If you wish to obtain the IP of the person you are chatting with, you must first obtain some type of direct connection with them. The best way to do this is to initiate a file transfer of some type with the user, such as trading pictures. Once you have established this connection, you can perform a netstat and get their IP.
The netstat command comes with several switches, but in order to get the actual numbers, and not hostnames or domain names, you must use the -n switch.
Establish a direct connection, open command prompt, and type: netstat -n
Here is an example of a netstat output:
C:\Users\mani>netstat
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    184.108.40.206:49376   irc-m:6669             ESTABLISHED
  TCP    220.127.116.11:49405   yx-in-f99:http         CLOSE_WAIT
  TCP    18.104.22.168:50326    by1msg3245814:msnp     ESTABLISHED
  TCP    127.0.0.1:14147        Leviathan3:49158       ESTABLISHED
  TCP    127.0.0.1:49158        Leviathan3:14147       ESTABLISHED
C:\Users\mani>
Now below, I have provided the ports used in file transfers by some popular services.
MSN – Both incoming and outgoing TCP connections use the range of ports from 6891 to 6900…
Yahoo – Yahoo! Messenger will automatically search the firewall for an open port, and, if it finds one, use that to connect.
The order in which Yahoo Messenger scans for available ports is:
-All available ports
IRC (dcc) – IRC port ranges are too broad to define, particularly since clients are able to configure specific ports used.
The default listening port for dcc transactions is 59
Website – It’s pretty trivial to set up an IP logging script that will log a person’s IP when they visit your website. Something similar to this PHP, which you can save as log.php and upload to a site that supports PHP. Writing scripts like this is beyond the scope of this tutorial; check google.com for more information on how to set up a website and web scripting languages.
This will create a log.html output in the same directory with an output similar to this:
October 9, 2008, 10:54 am: 22.214.171.124 Hartford,Connecticut,United States
October 9, 2008, 11:20 am: 126.96.36.199 Lincoln,Nebraska,United States
What does this information mean for me?
Well when you initiate a file transfer and you do a netstat to obtain the IP, you can look for the ports used to help determine which IP is the one you are seeking. My suggestion to you is to play with the netstat command while you are using the internet. Each time you open or close a connection, issue a netstat command so that you can start to get a feel for sorting through various connection addresses and learn how to pinpoint said connections.
There are many things to consider when tracking IP addresses, for example proxies and routers. A person hiding behind a router isn’t going to show his real IP but his router IP instead, and a person using a proxy is going to be coming from the proxy.
I hope this has helped someone in learning how to track down an IP address. My intention was to inform the average user who has little to no knowledge on the subject.
Of course, there are much more complex methods known to savvy users on different platforms which involve using a computer to perform these types of functions or queries. Perhaps I will produce a more detailed tutorial on this subject in the future for more advanced users, but as I said before, this is geared for the average user to inform them how to use available online methods.
Here are some useful, related links.
This website has a good deal of online querying tools such as port scanners, traceroute, ping, whois and dns, etc.
Just one of many, many downloadable querying tools available to users.
written by mani, aka codecorrupted, 10/09/2008 – email@example.com
Formatted, pimped and tweaked by firstname.lastname@example.org