..:: MacHacking.net ::..
Article from MacHacking.net Knowledge Base: http://kb.machacking.net
**********
Title: Identifying someone's IP address
Author: DimBulb
Author Contact: marcmeadows100@hotmail.com
**********

Identifying someone's IP address

Via e-mail.

Note: If you are using Hotmail you must set your account options to show the e-mail headers.

Look in the e-mail header for the originating IP. For instance:

    Return-Path:
    Received: from [10.0.1.50] (12-233-168-201.client.attbi.com [12.233.168.201])

In this example the originating IP is a 10.x.x.x number (private subnet) but the routable IP to that subnet is listed as 12.233.168.201. This means that they have a router such as an AirPort Base Station, Linksys, D-Link etc. and they probably have more than one computer behind that router.

If the e-mail originated from a webmail client or AOL it probably will not show the actual IP address of the user that wrote the e-mail.

If you do not have an e-mail from them and you know their e-mail address, set up a bogus Hotmail box and send them an e-mail requesting that they reply.

Via their domain name(s)

Note: Don't bother with this one unless you are sure they host their own web page or e-mail (otherwise, the address you get will probably be for a hosting service or ISP and not for the intended target.)

There are lots of web-based network utilities to perform reverse DNS look-ups; try: http://network-tools.com/

Use the Network Utility that comes with OS X. For instance, assuming that the specific target is "ZZZ Company", run "Network Utility", click the Lookup tab, then under the pop-up for "Select the information to lookup:" select "Internet Address", enter the domain name for the target (such as www.zzzcompany.com) and click the "Lookup" button. Hopefully you will see:

    ;; ANSWER SECTION:
    www.zzzcompany.com. 15M IN A 192.168.1.40

Now repeat the search for mail.zzzcompany.com:

    ;; ANSWER SECTION:
    mail.zzzcompany.com. 15M IN A 192.168.1.40

In this case the web and the e-mail servers are at the same address - this may mean that they are on the same system and therefore not hosted by an ISP (which would typically have separate servers for mail and web.) It could also be that there are two different servers inside the LAN and that the router is port-mapping the services (port 80 for web/http and ports 25/110 for SMTP & POP) to the different computers.

In OS X's Terminal application, type

Code:
    host www.zzzcompany.com

and/or

Code:
    host mail.zzzcompany.com

or

Code:
    dig www.zzzcompany.com

and/or

Code:
    dig www.zzzcompany.com mx

Other methods of identifying someone's IP address.

iVisit
Connect to the iVisit server and join a room or connect with any individual. If in a room, click a user from the "Guest List" window. Now click the small blue triangle at the bottom of that person's window. You should see "Recording prohibited" followed by their IP address and whether they are using the Mac or Windows version of iVisit.

On IRC type

Code:
    /whois

or

Code:
    /dns

Carracho
Option-click the server name in the servers list - the IP is in the top line.

Timbuktu
This is a long shot, but if you know that they use Timbuktu there is a chance that they have set up Timbuktu to use the locator service. You will need to know or guess their e-mail address. Just open Timbuktu and attempt to connect to their e-mail address to find out. If it finds them, use MacSniffer or do netstat -d in Terminal to see the IP address.

BitTorrent
Some BitTorrent web sites keep connection information such as a list of all the IPs seeding or downloading the file. If you know that they downloaded a torrent recently and from which site, their IP may be listed (although you won't know which one they are in the list for certain without further work.) The last three numbers may be obscured, so scan the whole C-block looking for port 548 (assuming that they have sharing on...); for instance, if an IP is 192.168.1.xxx then scan 192.168.1.1 through 192.168.1.255 (although of course 192.168.x.x is reserved for private subnets - you can't actually scan private IP numbers over the internet.)

Web usage
If they have a website, or you know that they frequent a particular website, then look for a web usage page or log of recent visitors' IP addresses. Here is an example page: http://escati.linkopp.net/counter2001/431720.shtml

Also try searching with Google for

    site:thewebsiteyouknowtheyvisit.com intitle:"log"

(or stat, usage, recent, addresses, visitors etc.)

Forum posts
Some forums display the IP address that the poster originated from (if they are using a proxy it won't be right!) If they are using a forum that does show their IP, all you need is to figure out their username. Here is an example page: http://www.wargamesdirectory.com/html/forum/topic.asp?ID=2268&Page=1&txtSearch=

Once you know their username, google for the username to look for other forums where they may use the same name.

Hotline
The Pitbull Pro client actually shows the server IPs in the server list - just ignore the :xxxxx number at the end (which is the Hotline server port number.) If the xxxxx number is not the default 5500 then it may indicate they have more than one computer on a private subnet and thus can't use the default port for each one.

Mass-grabbing IPs from Pitbull Pro: Use Grab (in OS X's Utilities folder) to grab a selection of the screen which is the IP addresses column in Pitbull Pro (then scroll down one screenful and repeat until all IPs are recorded via screenshots. If desired you can filter the server list by typing "mac" in the search box.) Save as TIFF. Open the file in Photoshop and adjust > image size > resolution to 200 dpi. Save the files. Open the resulting TIFF files in OmniPage and OCR. Output is a single text file (from multiple screenshots of Pitbull) listing all the server IPs.

Other programs & Dynamic DNS names
If you can get a direct connection (your IP to their IP without going through a server) for chat, file transfer or gaming with someone, you can get their IP (with netstat -d, or use MacSniffer if the chat program does not display it) but of course they can get your IP that way as well.

If you know their dynamic DNS name just try to connect to it (in anything, even a browser) while monitoring connections with MacSniffer or netstat. While opening the connection, switch to OS X's Terminal app and type:

Code:
    netstat -d

From another machine they use or connect to
Check the Recent Servers or Servers folders of machines they use. Check the logs of machines they connect to - the system log on an OS X machine will show their originating IP. If they have Timbuktu or VNC installed, look at the recent connections or logs for those as well. A server "favorite" will work provided its address was a public one, and the favorite / URL file / shortcut / alias can also be opened in HexEdit to find the actual IP address (or run MacSniffer or netstat -d while you connect.)

Send them an e-mail with a line saying "free music downloads"; the link will actually take them to ANYPLACE that records their IP address (or your own box wherein you have logs of access...)

If you have physical access to their computer or can connect to their LAN (or their wireless LAN) just browse to www.showmyip.com or www.whatismyip.com to see their external (publicly routable) IP address. (If all the addresses on their LAN are public, the one you get by joining their LAN will not be theirs, but you will have the range xxx.xxx.xxx.??? to narrow it down.) (Note, in some cases this may NOT be the proper number for external entry to their systems! In other cases it may be their router address while they have a separate range of public IPs that are totally different numbers.)
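As an added worked example (not part of the original article), here is a small Python script for the e-mail header reading described under "Via e-mail" at the top of the article. It pulls the bracketed addresses out of every Received: header, walks them from the sender's end (each relay prepends its own Received: line, so the header nearest the body is the first hop), and separates an internal RFC 1918 address from the routable address in front of it, which is the same distinction the article draws between 10.0.1.50 and 12.233.168.201. The sample message is constructed for this example: only the attbi Received: line is taken from the article, while the example.invalid hostnames and the upstream relay address 203.0.113.9 (a documentation-range address) are placeholders. It also makes the article's caveat concrete: when a message comes through a webmail provider and no private address is leaked, the internal result is simply None. This is the same triage a mail administrator or incident responder does on a suspicious message.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not a real mail). The bottom Received: line
# reuses the shape shown in the article: a private 10.x.x.x sender behind the
# routable address 12.233.168.201. The upstream relay, its hostnames and the
# address 203.0.113.9 (an RFC 5737 documentation address) are placeholders.
SAMPLE_MESSAGE = """\
Return-Path: <sender@example.invalid>
Received: from mx1.example.invalid ([203.0.113.9])
\tby inbox.example.invalid with ESMTP; Mon, 1 Jan 2024 12:00:01 +0000
Received: from [10.0.1.50] (12-233-168-201.client.attbi.com [12.233.168.201])
\tby mx1.example.invalid with SMTP; Mon, 1 Jan 2024 12:00:00 +0000
From: sender@example.invalid
To: you@example.invalid
Subject: test

hello
"""

# Bracketed dotted-quad addresses inside Received: headers.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Explicit RFC 1918 ranges rather than ipaddress.is_private, so that
# documentation and other special-use ranges are not mistaken for a LAN.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(ip_text):
    """Label an address: 'rfc1918-private' (not routable over the Internet,
    so it is a machine behind a router), 'public' (routable), or
    'special-use' (loopback, link-local, documentation ranges, etc.)."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in RFC1918):
        return "rfc1918-private"
    if ip.is_global:
        return "public"
    return "special-use"


def received_hops(raw_message):
    """Return the bracketed IPs from all Received: headers as strings,
    ordered from the sender's end to the recipient's end. Each MTA prepends
    its own Received: line, so the header nearest the body is the first hop."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        for ip_text in IP_RE.findall(header):
            try:
                ipaddress.ip_address(ip_text)  # drop malformed octets like 999.1.1.1
            except ValueError:
                continue
            hops.append(ip_text)
    return hops


def originating_addresses(raw_message):
    """Return (internal, routable): the first RFC 1918 address seen at the
    sender's end (None if the sender did not leak one, e.g. webmail) and the
    first public address, which is the router or relay the sender was behind."""
    hops = received_hops(raw_message)
    labels = [(ip, classify(ip)) for ip in hops]
    internal = next((ip for ip, lab in labels if lab == "rfc1918-private"), None)
    routable = next((ip for ip, lab in labels if lab == "public"), None)
    return internal, routable


if __name__ == "__main__":
    for ip in received_hops(SAMPLE_MESSAGE):
        print(f"{ip:18} {classify(ip)}")
    print("origin:", originating_addresses(SAMPLE_MESSAGE))
```

Run it directly to print each hop with its label; for the sample message the origin comes back as ("10.0.1.50", "12.233.168.201"). The RFC 1918 check is done against explicit networks rather than ipaddress's is_private so that ranges such as 203.0.113.0/24 are reported as special-use instead of being read as a home LAN.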