Trace an IP Address

Imagine you need to learn something about a website, its host or its network, and all you have so far is the IP address you got by pinging it from cmd or a shell.

We'll cover tracing where the server is situated, which ports are open, OS detection and the topology of the network around the server, among other things. All of this can be obtained from nothing more than an IP address.

Trace where the server is from

There are quite a lot of resources for this; https://www.iplocation.net/ is one example.

Once you open the page you see a single form. Enter the IP address you want to trace and you instantly receive three results, each from a different geolocation database (IP2Location, EurekAPI and DB-IP).

We now know roughly where the server is based. This is not GPS-level precision: these databases map address blocks to a registered location, often the hosting provider's data centre rather than the site operator's office, but it helps quite a lot.

What is running on this server?

Remember that the only thing we know about our hypothetical target is an IP address obtained from a ping. What more can we learn from this number alone?

Quite a lot, as you will see once we dive in.

But like every magician we have a trick up our sleeve. I present you: nmap.

This small, free tool (official page: https://nmap.org/) will open up a whole new world.

The Target field and Scan button belong to Zenmap, the graphical front end bundled with nmap. Enter the IP address (or hostname) in the Target field and hit the “Scan” button. For this article I will only cover the output of the “Intense scan” profile, which runs nmap -T4 -A -v: aggressive timing plus OS detection, version detection, the default NSE scripts and a traceroute. Note that a scan like this is noisy and easily noticed, so only run it against systems you are authorised to test.

Nmap Process

  1. The first step is host discovery, the “ping” mentioned earlier. Nmap does not rely on a plain ICMP echo alone: run with root privileges it also sends a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, so a host that silently drops ICMP is still found.
  2. After host discovery comes the port scan, by default a SYN scan of the 1000 most common TCP ports.

Before version detection has said anything, the port numbers alone allow an educated guess. Mine: 80 is HTTP (Apache, I'd guess, although the port number does not tell you the server software) and 443 is HTTPS; 111 is the rpcbind/portmapper service, which strongly suggests a *nix system; and 5666 is the registered port of NRPE, the Nagios Remote Plugin Executor, which lets a Nagios monitoring server run check plugins on the host. This is nothing more than a guess, but an educated one: knowing which ports are open tells us their most probable usage in an instant, and the later steps of the scan confirm or refute it.

You can look up any port yourself at http://www.speedguide.net/port.php?port=5666; change the port value in the URL to the port you want to know about.

  3. Ports table

Looking further down the output, the ports table (marked in green in the screenshot) confirms the guess: ports 80 and 443 are serving HTTP and HTTPS, and the version column names the server software behind them. For port 443 the ssl-cert script also prints the certificate's subject, issuer, validity period and fingerprints. On other hosts this table will look different, since it depends on what the server is used for.

  4. OS detection
    Next come “Device type”, “OS CPE” and “Aggressive OS guesses”, all of which agree with our reading of port 111: nmap is 93% confident that the OS is Linux with a 2.6 or newer kernel. That percentage is how closely the host's TCP/IP stack behaviour matched a stored fingerprint, so treat guesses well below that figure with suspicion.
  5. Uptime, network distance and miscellaneous data

Nmap also estimates the uptime (derived from TCP timestamps, so it is only an estimate) and reports the network distance: the number of hops the packets crossed on their way to the target, 12 in this case. The “Traceroute” section of the output lists every hop along that path.
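The steps above are what you read off the Zenmap screen. When you save the same scan with -oX, the whole report is available as XML and the reading can be automated. The following is an added example (not code from the original article or from the nmap project) that extracts the open ports, the best OS match, the network distance and the traceroute hops, and separates services that version detection actually confirmed from names that are only a port-table lookup. The XML, the port guess table and all addresses (RFC 5737 documentation ranges) are constructed for the example and mirror the article's findings.

```python
"""Added example: turn nmap XML output (-oX) into the summary the article reads
off the Zenmap screen. Not nmap's own code; the sample XML below is constructed
to mirror the article's findings and uses documentation addresses only."""
import xml.etree.ElementTree as ET

# Static "educated guess" table for the step before version detection runs.
# Constructed for this example; it mirrors the ports the article discusses.
GUESS_TABLE = {
    22: "ssh",
    80: "http",
    111: "rpcbind (sunrpc portmapper, common on Unix-like systems)",
    443: "https",
    5666: "nrpe (Nagios Remote Plugin Executor)",
}


def likely_service(port: int) -> str:
    """What the port number alone suggests, with no packets sent."""
    return GUESS_TABLE.get(port, "unknown")


def parse_nmap_xml(xml_text: str) -> dict:
    """Extract open ports, best OS match, distance and traceroute hops."""
    root = ET.fromstring(xml_text)
    host = root.find("host")
    if host is None:
        raise ValueError("no <host> element: target down, filtered, or scan aborted")
    addr = host.find("address").get("addr")

    open_ports = []
    for p in host.iter("port"):
        state = p.find("state")
        if state is None or state.get("state") != "open":
            continue  # skip closed and filtered entries
        svc = p.find("service")
        open_ports.append({
            "port": int(p.get("portid")),
            "proto": p.get("protocol"),
            "service": None if svc is None else svc.get("name"),
            "product": None if svc is None else svc.get("product"),
            # method="probed" means -sV actually talked to the service;
            # method="table" is only the nmap-services lookup, i.e. a guess.
            "confirmed": svc is not None and svc.get("method") == "probed",
        })

    # Nmap lists several candidates; keep the one with the highest accuracy.
    best = max(host.iter("osmatch"),
               key=lambda m: int(m.get("accuracy", "0")), default=None)
    os_guess = None if best is None else {
        "name": best.get("name"), "accuracy": int(best.get("accuracy"))}

    dist = host.find("distance")
    trace = host.find("trace")
    hops = [] if trace is None else [
        (int(h.get("ttl")), h.get("ipaddr")) for h in trace.findall("hop")]

    return {"address": addr, "open_ports": open_ports, "os_guess": os_guess,
            "distance": None if dist is None else int(dist.get("value")),
            "hops": hops}


def unconfirmed_ports(report: dict) -> list:
    """Open ports whose service name rests on a table lookup only."""
    return [p["port"] for p in report["open_ports"] if not p["confirmed"]]


# Constructed traceroute: 11 intermediate hops in 198.51.100.0/24, target last.
_HOPS = "".join(
    f'<hop ttl="{i}" ipaddr="198.51.100.{i}" rtt="{2.5 * i:.2f}"/>'
    for i in range(1, 12)) + '<hop ttl="12" ipaddr="203.0.113.10" rtt="31.40"/>'

SAMPLE_XML = f"""<nmaprun scanner="nmap" args="nmap -T4 -A -v -oX scan.xml 203.0.113.10" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="203.0.113.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="closed" reason="reset"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" method="probed" conf="10"/></port>
<port protocol="tcp" portid="111"><state state="open" reason="syn-ack"/><service name="rpcbind" version="2-4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" tunnel="ssl" method="probed" conf="10"/></port>
<port protocol="tcp" portid="5666"><state state="open" reason="syn-ack"/><service name="nrpe" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Linux 2.6.32 - 3.10" accuracy="93"><osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="93"><cpe>cpe:/o:linux:linux_kernel:2.6</cpe></osclass></osmatch>
<osmatch name="Linux 3.2 - 4.9" accuracy="90"/></os>
<uptime seconds="1234567" lastboot="Mon Jan  1 00:00:00 2024"/>
<distance value="12"/>
<trace port="443" proto="tcp">{_HOPS}</trace>
</host></nmaprun>"""

if __name__ == "__main__":
    report = parse_nmap_xml(SAMPLE_XML)
    for p in report["open_ports"]:
        tag = "confirmed" if p["confirmed"] else "table lookup only"
        print(f'{p["port"]}/{p["proto"]} {p["service"]} {p["product"] or ""} '
              f'[{tag}] guess: {likely_service(p["port"])}')
    print("OS:", report["os_guess"], "distance:", report["distance"],
          "hops:", len(report["hops"]), "unconfirmed:", unconfirmed_ports(report))
```

The distinction the "confirmed" flag draws is the practical one: in the sample, 5666 is labelled nrpe purely because that is the registered port, exactly the kind of educated guess made earlier, while 80, 111 and 443 were identified by probing. Anything in the unconfirmed list deserves a manual look before you rely on the name.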

We now know that this server runs Linux, has ports 80, 111, 443 and 5666 open, which services are most probably behind them, roughly where the server is located, and what the network path to it looks like. And this is just a glimpse of what nmap can do. We have met nmap and learned how to trace an IP address when an IP address was all we had.