Always wondered what the few steps are to tracking an IP?

UberDave

Platinum Member
Apr 9, 2002
Say I have an IP address that I would like to know who it is, say for harassment or what have you. Can you do it on a personal level, as in from your own computer? Or would you have to contact an ISP, even though you wouldn't know what ISP to go to?

thanks
-Dave
 

Yossarian451

Senior member
Apr 11, 2002
There are just a few steps you can take to find out the owner and/or location. It all depends on what kind of ISP and/or system/firewalls they are running. Many things to start off with:
1. The IP is registered to the IP given a certain range which your ISP buys depending on class A, B or C which they have purchased; this can be traced back to the ISP.
2. You can try to trace it to see what kind of information is available; use simple tracert first or even more advanced programs like NeoTrace (this is a nifty program which basically traces the person's IP to the levels and gives a map to see; there may be better programs but I have used this before. Interestingly, I traced my brother's IP once and actually got exact coordinates and his name off of it, because his computer name was his name, first and last).
3. Look around online and/or call the ISP; if they have a relatively permanent IP like cable, T1, DSL, etc., the ISP may be able to give an actual account for legal purposes.
But if they use dial-up, fat chance; they usually won't, I think, but try anyway. If it is legal, you never know what a techie will be willing to dig up.

These are just some suggestions. Good luck.
 

bobdavis

Junior Member
Feb 25, 2001
Just an addendum to what Yossarian451 said: if you do have a legal reason to get the identity of a person using a particular IP, then the ISP is required to divulge such information to law enforcement, I believe. And, as for whether or not you can find someone's IP who uses dialup, I know that the ISP that I work for has records of what IP each dialup user was using during each call, at least for the past 30 days, so information like this is not necessarily out of the question to obtain.
 

Yossarian451

Senior member
Apr 11, 2002
That is good to know; I wasn't sure how much the dial-up ISP keeps in records. But I knew they must always release information available to them to law enforcement or a judge for a harassment case.
 

J.Zorg

Member
Feb 20, 2000


<< Just an addendum to what Yossarian451 said: if you do have a legal reason to get the identity of a person using a particular IP, then the ISP is required to divulge such information to law enforcement, I believe. And, as for whether or not you can find someone's IP who uses dialup, I know that the ISP that I work for has records of what IP each dialup user was using during each call, at least for the past 30 days, so information like this is not necessarily out of the question to obtain. >>



But in fact most of the ISPs lose their logs due to hardware errors or database problems... ;)
They just don't want to go through all their logs, because nobody pays for the work...
 

antioed

Junior Member
Apr 17, 2002
The quickest tool for determining what IP is from where would be if you have a *NIX box somewhere with a whois server running, or go to http://www.arin.net and run a whois query there. I had an unfortunate situation of harassment after Sept. 11th that the FBI got involved with, which was essentially what we are talking about here. Basically someone was threatening my family from a mobile phone text messaging site. They traced the logs on that website and contacted the ISP who had that IP registered, who in turn divulged that during the time that said messages were sent there was a particular user account associated with that IP and the number they were dialing from. So I guess their uhh... RADIUS servers or whatever have caller ID on them, although I don't know if this is standard to most dial-up ISPs. Cable modem or DSL IP info usually doesn't change much and probably would be even easier to trace back to particular users/equipment. The cable modems that I used to work with were all registered IPs by MAC address, so you could easily determine which IP belonged to which modem where and at what time.
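
Added example, not part of antioed's post: the whois lookup described above, done as a plain port-43 query and then parsed for the owning organisation and its abuse address. The sample reply is constructed (documentation address range, example.net), and the function names are this example's own.

```python
import ipaddress
import socket

# Constructed sample in the "Key: value" layout of an ARIN whois reply.
# All values are made up (documentation address range, example.net).
SAMPLE_REPLY = """\
# constructed sample, not registry data
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
OrgName:        Example ISP
OrgAbuseEmail:  abuse@example.net
"""

def whois_query(ip, server="whois.arin.net", port=43, timeout=10):
    """Plain whois (RFC 3912): send the query and CRLF, read until the server closes."""
    ipaddress.ip_address(ip)  # ValueError for anything that is not an IP literal
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(ip.encode("ascii") + b"\r\n")
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", "replace")

def parse_whois(text):
    """Collect "Key: value" lines into {key: [values]}, skipping comments."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(("#", "%")) or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def abuse_contact(ip, text):
    """Return (org, abuse e-mail) only when the record's NetRange covers ip."""
    addr = ipaddress.ip_address(ip)
    fields = parse_whois(text)
    try:
        first, last = (ipaddress.ip_address(p.strip())
                       for p in fields["NetRange"][0].split(" - "))
    except (KeyError, ValueError):
        return None  # no usable range, e.g. a referral to another registry
    if addr.version != first.version or not first <= addr <= last:
        return None  # record describes a different network
    org = fields.get("OrgName", ["unknown"])[0]
    mail = fields.get("OrgAbuseEmail", [None])[0]
    return org, mail

if __name__ == "__main__":
    print(abuse_contact("192.0.2.77", SAMPLE_REPLY))
```

ARIN only holds records for its own region; for other addresses its reply points to the responsible registry, whose whois server can be passed as `server`.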
 

GoldMember

Banned
Jan 13, 2002
If you use BlackIce firewall by Network Ice, you can get IP, Domain, PC name, and even the MAC addresses in some cases. It works real well in the information area. Here is a little demo:

Black Ice

Now.. don't go and use this person's info that is shown in the pic to be a stupid f**k and mess around with him/her... I used this pic as an educational tool.

So you see.. black ice is good.

You can also go into the DOS prompt and type in netstat -a
to see all incoming connections. Also the tracert that was mentioned above.. it's

tracert (IP) (do this in the run line)

works just like NeoTrace.. just without the GUI that NeoTrace has.

Hope that helps you.. if I think of anything else I'll let you know. Good luck.
 

mrzed

Senior member
Jan 29, 2001
Just wanted to inject a little warning here. Not so much for the veterans who really know what they are doing, but for anyone who passes this by and thinks they might be able to trace some warning they got from Zone Alarm.

My girlfriend was getting harassing phone calls (on her cell of all things) from a guy who was convinced she was hacking into his computer. He assured her he had "traced" her IP to that number, and wanted to know what she was trying to do. Of course he did not believe her when she said "leave me alone I have nothing to do with this" and kept at her for about a week until she reminded him that she had his number too, and would be happy to supply it to the police.

Just know that a little information can be a dangerous thing. Consumer-level tracing services and firewalls are neither reliable nor accurate 100% of the time, and you may not in fact be under attack from a hacker.
 

CTho9305

Elite Member
Jul 26, 2000
make sure you remember that most "personal firewall" programs are overaggressive about reporting hack attacks... they want to make you think you're under "attack" more than you actually are, and they're protecting you.

in actuality, a firewall doesn't protect you from attacks on services you don't run. For most people, a firewall doesn't add any benefit at all, since nothing is running. If you're not running an IIS webserver, incoming connections on port 80 don't really matter. you aren't being protected b/c you aren't vulnerable ;)

disclaimer: there may be situations where you are vulnerable on ports that you aren't listening on, but not that I know of
 

CTho9305

Elite Member
Jul 26, 2000
let's say I wanted to be a good netizen and deal with the people who constantly hit me with nimda/code red...

here is a code red attacker:
<censored>- - [12/Apr/2002:18:44:57 -0500] "GET /default.ida?NNNN<cut out a lot of it>00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 342


<<
C:\Documents and Settings\Chris>tracert <censored>

Tracing route to host<censored>.in-addr.btopenworld.com [censored]
over a maximum of 30 hops:
>>



so I would go to btopenworld.com and report an abuse/file a complaint. if they're a responsible ISP, they will deal with the user. I know at CMU machines that get infected get kicked off the network until they are properly patched.

you could do a similar thing for personal harassment. just make sure you're complaining about the right person.
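
Added example, not part of the post above: pulling Code Red and Nimda probes out of a web server access log and grouping them by source address, with first and last hit converted to UTC, which is the evidence an ISP abuse desk needs to match an IP to one of its users. The log lines are constructed (documentation-range addresses, worm payloads cut out), and the signatures match only the request paths these worms are known for.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" \d{3} \S+$')

# Request shapes of the two worms named in the post (path only, no payload).
SIGNATURES = {
    "Code Red": re.compile(r"^GET /default\.ida\?", re.I),
    "Nimda": re.compile(r"^GET \S*/(?:cmd|root)\.exe", re.I),
}

# Constructed sample log: documentation-range addresses, payloads cut out.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Apr/2002:18:44:57 -0500] "GET /default.ida?NNNNNNNN=a HTTP/1.0" 400 342
198.51.100.7 - - [12/Apr/2002:18:50:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [12/Apr/2002:18:50:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
203.0.113.5 - - [12/Apr/2002:19:01:11 -0500] "GET /index.html HTTP/1.0" 200 1024
192.0.2.10 - - [13/Apr/2002:02:10:30 -0500] "GET /default.ida?NNNNNNNN=a HTTP/1.0" 400 342
"""

def summarize(log_text):
    """Group worm probes by source IP with hit count and first/last time in UTC."""
    report = defaultdict(lambda: {"worms": set(), "hits": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = CLF.match(line.strip())
        if not m:
            continue  # not a well-formed access-log line
        host, stamp, request = m.groups()
        worms = {name for name, rx in SIGNATURES.items() if rx.search(request)}
        if not worms:
            continue  # ordinary traffic
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        entry = report[host]
        entry["worms"] |= worms
        entry["hits"] += 1
        entry["first"] = min(entry["first"] or when, when)
        entry["last"] = max(entry["last"] or when, when)
    return dict(report)

def abuse_lines(report):
    """One evidence line per source address, sorted by address string."""
    return [
        f"{host} {'+'.join(sorted(e['worms']))} hits={e['hits']} "
        f"first={e['first'].isoformat()} last={e['last'].isoformat()}"
        for host, e in sorted(report.items())
    ]

if __name__ == "__main__":
    print("\n".join(abuse_lines(summarize(SAMPLE_LOG))))
```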