Tracking by IP

This video explains how you can use the IP address of a hacker to track their location.
In this video, we’re talking about tracking by IP address. Now as we talked about previously, an IP address, or Internet Protocol address, is a numeric value assigned to a network device. So an IP address can be used for identification and location. So say we have a malicious hacker trying to get on our network. The malicious hacker goes to the server. Say, they’re connecting with, for example. We view this log file, and we may potentially be able to take that IP address and find out the malicious hacker’s identity, his location, his ISP, things of that nature.
So we do need to be careful, because an IP address can be obfuscated by using things like a VPN or proxy. So we do want to be careful about tracking IP addresses. We do need - we should be verifying this information in some manner. And just because you find an IP address and you’re able to track it down, doesn’t always necessarily mean that that’s really the person’s real IP address.
So let’s take a look at a couple of tools here. So this one is called IP2Location. Now IP2Location is a browser-based tool. It’s free, pretty easy to use. We just put the IP address in this lookup field here, so I’m going to type an IP in here, and then you click Lookup.
So once we have this, we can actually just start scrolling down in here. We can see various information. So we can see an IP address. We can see the country the IP address is. We can see the region. We can see in the city. We can see the geolocation. So if I put this in, say, Google Maps, for example, I could actually pull down a satellite map, potentially. We could see the ISP. We could see the local time, the domain, net speed, the IDD and area code, zip code. So there’s a lot of really amazing information here just for my IP address.
So assuming that this IP address is really the person’s actual IP address, then we have a lot of info here. Again, we have the ASN records, when it was last seen.
But again, we do need to be careful because of VPNs and proxies that are potentially being used. So this is one tool, IP2Location. Let’s take a look at another tool here. So this one’s called IPQualityScore. And this one will help detect if it’s a proxy or a VPN. So if we put that same IP address in here, we could run a check on it.
So right off the bat, we could see that there’s RP. Yes, it does match the right country. It has a fraud score of 55. It hasn’t been reported for spam. But a proxy or VPN was detected. And we could verify the information here - Detroit Lakes, Minnesota, Lakes PC Help, LLC. So seeing this information here and seeing this proxy VPN detected, this is probably a VPN provider. This is probably one of the IPs from this ISP Great Lakes, which I’m going to assume is running some sort of VPN here. So running IP through multiple tools has a couple of advantages. One, we could verify the information.
The IP should be giving us the same information, same city, same region, same ISP, and whatnot. If you see a difference, then you need to take a closer look because one of these sites running that ISP has something wrong. So we do want to verify that we do have the right information. The other thing that we want to do is, again, see if that’s a VPN or a proxy address. Again, IPQualityScore is a good site to run that against.
Now another tool we could use is ExoneraTor. And this is part of the Tor network. Now, this one will tell you if it was used from the Tor network. Now if you type the address in here and type the date in here, you can do a search. Now the thing about this is it’s got to be at least 48 hours old. So if you just pull an IP address today, you won’t be able to run it for two more days. That’s essentially how this programme works, though. So you’re going to have to wait 48 hours at least, and then put the data in and then run it.
So once you have everything set, you can click on Search. And then it’ll tell you whether this is a Tor network IP address. So if you scroll down, you can see, nope, negative. Tor did not use this address on this day. But again, if it did, it’s a pretty handy tool to be able to identify that, well, the person is running through the Tor network, meaning either they’re running a Tor browser to do something or they were using the Tor - on your router is something like ghost Tor or proxy chains to do whatever they were doing. But again, it’s just another way to help identify and isolate that.
So wrapping up, IPs can be a useful tool for tracking a malicious attacker. There’s a number of useful tools that we could use to find things like the ISP, location, if a VPN was used, or even if the Tor network was being used for this. We do want to be careful, verify if the IP is a true IP address or a proxy VPN address. And also, personally, I like to run it against several different sources to make sure all that information does match up with each other. So this was about IP addresses. The next video, we’re going to be talking about canary tokens. Thank you for watching. I’ll see you in the next video.

In previous videos, we discussed DNS leaks and what you can do to protect your location data and IP address. In this video, you will learn how to use the same information to try to track someone who is attacking your network. The video will show examples of IP tracking sites so that you can then practice these skills on your own when needed.
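
The cross-check described in the video, sketched as an added example (not part of the course material): it pulls external client addresses out of access-log lines, then compares lookup results recorded from two sources and reports which fields disagree and whether any source flags a proxy or VPN. The log lines, source names and field names are constructed assumptions, not any lookup service's real output format.

```python
import ipaddress
from collections import Counter

# Constructed access-log lines; documentation-range addresses stand in for real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:22 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [12/Mar/2024:10:01:24 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.15 - - [12/Mar/2024:10:02:00 +0000] "GET /health HTTP/1.1" 200 2
198.51.100.23 - - [12/Mar/2024:10:03:41 +0000] "GET / HTTP/1.1" 200 1043
"""

# Internal and loopback ranges: a geolocation lookup on these is meaningless.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed results for one address, as an analyst might record them from two
# lookup sites. Keys are hypothetical; None means the source gave no verdict.
LOOKUPS = {
    "source_a": {"country": "US", "region": "Minnesota", "city": "Detroit Lakes",
                 "isp": "Example ISP LLC", "proxy": None},
    "source_b": {"country": "US", "region": "Minnesota", "city": "Fargo",
                 "isp": "example isp llc", "proxy": True},
}

def external_sources(log_text):
    """Count requests per client IP, skipping internal or unparsable addresses."""
    counts = Counter()
    for line in log_text.splitlines():
        first = line.split(" ", 1)[0]
        try:
            ip = ipaddress.ip_address(first)
        except ValueError:
            continue  # first field is not an IP address
        if any(ip in net for net in INTERNAL):
            continue
        counts[str(ip)] += 1
    return counts

def compare_lookups(lookups, fields=("country", "region", "city", "isp")):
    """Return ({field: {source: value}} for disagreements, proxy_flagged)."""
    mismatches = {}
    for f in fields:
        values = {name: rec.get(f) for name, rec in lookups.items()}
        # Compare case-insensitively so formatting differences are not mismatches.
        if len({str(v).strip().lower() for v in values.values()}) > 1:
            mismatches[f] = values
    proxy = any(rec.get("proxy") is True for rec in lookups.values())
    return mismatches, proxy
```

A mismatch or a proxy flag does not identify anyone; it marks the record as one that needs a closer look before the location is relied on.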

This article is from the free online course Advanced Cyber Security Training: Network Security, created by FutureLearn.