Hi.
You can use the www.samspade.org to identify the owner of the IP address.
Just insert the address there and do a 'whois' search :)
Regards.
----- Original Message -----
From: "Russell Fulton" <r.fulton_at_AUCKLAND.AC.NZ>
To: <INCIDENTS_at_SECURITYFOCUS.COM>
Sent: Monday, January 08, 2001 10:45 PM
Subject: Finding out who owns particular IP addresses
> Moderator: Please use your discretion :)
>
> Greetings All,
> I received this request for clarification about how one
> finds out who 'owns' particular IP addresses. After having spent some
> time composing a response I thought that there might be other neophytes
> on the list who will find this useful.
>
> To the old hands Hit delete now ;-)
>
>
> On Mon, 8 Jan 2001 14:02:31 +0100 "Licher, Ansgar" <A.Licher_at_mbn.de>
> wrote:
>
> > Hi Russell,
> >
> > I read your contribution regarding that stuff about the probable port
> > scanning on port 12345.
> >
> > Since I am not a security expert yet, I am seriously working to increase my
> > knowledge to the max. What I just want to know is, where or how can I
> > resolve, what you were writing about:
> >
> > "Source IPs were all dialup or cable/dsl belonging to major ISPs with a lot
> > in Korea (210.0.0.0/7) as you observed, but also with a sprinkling from
> > big North American providers. "
> >
> > How do you know, that 210.0.0.0/7 is Korea??? Where do you know that several
> > addresses came from major ISPs???
>
> The IP address space is managed by a group of Network Information
> Centres (NICs) with ARIN (American -- I forget exactly what the rest of
> the acronym is) at the top. All the NICs maintain searchable databases
> which you access via whois (most now also have web interfaces too --
> surprise). Unfortunately these databases are not as well coordinated as
> one might hope and to find the owner of a particular address you have
> to search the various whois databases starting with ARIN.
>
> So for 210.96.87.189
>
> bluebottle:~ >whois -h whois.arin.net 210.96.87.189
> Asia Pacific Network Information Center (NETBLK-APNIC-CIDR-BLK)
> These addresses have been further assigned to Asia-Pacific users.
> Contact information can be found in the APNIC database,
> at WHOIS.APNIC.NET or http://www.apnic.net/
> Please do not send spam complaints to APNIC.
>
> Netname: APNIC-CIDR-BLK2
> Netblock: 210.0.0.0 - 211.255.255.255
>
> Coordinator:
> Administrator, System (SA90-ARIN) sysadm_at_APNIC.NET
> +61-7-3367-0490
>
> Domain System inverse mapping provided by:
>
> NS.APNIC.NET 203.37.255.97
> SVC00.APNIC.NET 202.12.28.131
> NS.TELSTRA.NET 203.50.0.137
> NS.RIPE.NET 193.0.0.193
>
> Regional Internet Registry for the Asia-Pacific Region.
>
> *** Use whois -h whois.apnic.net <object> ***
>
> *** or see http://www.apnic.net/db/ for database assistance ***
>
>
> Record last updated on 03-May-2000.
> Database last updated on 8-Jan-2001 06:20:22 EDT.
>
> and we see that 210/7 is allocated to APNIC (Asia Pacific) so we repeat
> the search at apnic.
>
> bluebottle:~ >whois -h whois.apnic.net 210.96.87.189
>
> % Rights restricted by copyright. See
> http://www.apnic.net/db/dbcopyright.html
>
> inetnum: 210.96.0.0 - 210.97.191.255
> netname: KRNIC-KR-14
> descr: National Computerization Agency
> descr: Korea Network Information Center
> country: KR
> admin-c: WK1-AP
> tech-c: SH3-KR
> tech-c: SL40-AP
> remarks: National NIC
> remarks: These addresses have been assigned to organisations in
> KoRea.
> remarks: Further information can be obtained from whois.krnic.net
> mnt-by: MAINT-APNIC-AP
> changed: hostmaster_at_apnic.net 19980521
> changed: apnic-dbm_at_apnic.net 20000216
> source: APNIC
>
> person: Weon Kim
> address: Korea Network Information Center (KRNIC)
> address: **************** Important Notice **********************
> address: KRNIC is the National Internet Registry.
> address: If you want to find detail assignment information
> address: about above IP address, please use "http://whois.nic.or.kr"
> address: *****************************************************
> address: Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-Ku
> address: Seoul, 137-070, Republic of Korea
> phone: +82-2-2186-4500
> fax-no: +82-2-2186-4496
> country: KR
> e-mail: hostmaster_at_nic.or.kr
> nic-hdl: WK1-AP
> mnt-by: MNT-KRNIC-AP
> changed: hostmaster_at_nic.or.kr 20000927
> source: APNIC
>
> person: Sangyong Ha
> address: Korea Network Information Center
> address: National Computerization Agency
> address: 128, Jukjun-lee, Suji-myun, Yongin-gun, Kyonggi-do, Korea
> address: 449-840
> phone: +82 331 289 1674
> fax-no: +82 331 284 2753
> e-mail: syha_at_rs.krnic.net
> nic-hdl: SH3-KR
> notify: hostmaster_at_rs.krnic.net
> mnt-by: MAINT-NULL
> changed: syha_at_rs.krnic.net 19960419
> source: APNIC
>
> person: Seungmin Lee
> address: Korea Network Information Center (KRNIC)
> address: **************** Important Notice **********************
> address: KRNIC is the National Internet Registry
> address: If you want to find detail assignment information
> address: about above IP address, please use ?http://whois.nic.or.kr"
> address: *****************************************************
> address: Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-Ku
> address: Seoul, 137-070, Republic of Korea
> phone: +82-2-2186-4500
> fax-no: +82-2-2186-4496
> country: KR
> e-mail: hostmaster_at_nic.or.kr
> nic-hdl: SL40-AP
> mnt-by: MNT-KRNIC-AP
> changed: hostmaster_at_nic.or.kr 20000928
> source: APNIC
>
> Which tells us that 210.96.0.0/15 is allocated to KRNIC
>
> bluebottle:~ >whois -h whois.nic.or.kr 210.96.87.189
>
> Korea Internet Information Service V1.0 ( created by KRNIC, 1999.6 )
>
> query: 210.96.87.189
>
> # ENGLISH
>
> IP Address : 210.96.87.128-210.96.87.191
> Connect ISP Name : PUBNET
> Connect Date : 98804
> Registration Date : 19980808
> Network Name : CHANGSOO-E
>
> [ Organization Information ]
> Orgnization ID : ORG30441
> Name : Chang-su Elementary School
> State : KYONGGI
> Address : 117-2 Choodong-li Changsu-myun Pochun-gun
> Zip Code : 487-920
>
> [ Admin Contact Information]
> Name : Dongil Lim
> Org Name : Chang-su Elementary School
> State : KYONGGI
> Address : 117-2 Choodong-li Changsu-myun Pochun-gun
> Zip Code : 487-920
> Phone : 0357-33-0009
> Fax : 0357-33-0120
> E-Mail : kgromc_at_soback.kornet.ne.kr
>
> [ Technical Contact Information ]
> Name : Dongil Lim
> Org Name : Chang-su Elementary School
> Address : 117-2 Choodong-li Changsu-myun Pochun-gun
> Zip Code : 487-920
> Phone : 0357-33-0009
> Fax : 0357-33-0120
> E-Mail : kgromc_at_soback.kornet.ne.kr
>
> Now the good folk at geektools.com have automated this process so you
> can:
>
> bluebottle:~ >whois -h whois.geektools.com 210.96.87.189
> Query: 210.96.87.189
> Registry: whois.nic.or.kr
> Results:
>
> Korea Internet Information Service V1.0 ( created by KRNIC, 1999.6 )
>
> query: 210.96.87.189
>
>
> # ENGLISH
>
> IP Address : 210.96.87.128-210.96.87.191
> Connect ISP Name : PUBNET
> Connect Date : 98804
> Registration Date : 19980808
> Network Name : CHANGSOO-E
>
> [ Organization Information ]
> Orgnization ID : ORG30441
> Name : Chang-su Elementary School
> State : KYONGGI
> Address : 117-2 Choodong-li Changsu-myun Pochun-gun
> Zip Code : 487-920
>
> [ Admin Contact Information]
> Name : Dongil Lim
> Org Name : Chang-su Elementary School
> State : KYONGGI
> Address : 117-2 Choodong-li Changsu-myun Pochun-gun
> Zip Code : 487-920
> Phone : 0357-33-0009
> Fax : 0357-33-0120
> E-Mail : kgromc_at_soback.kornet.ne.kr
>
>
> which gets you the information in one go -- most of the time.
> Sometimes it comes unstuck because various NICs are not entirely
> consistent in how they format the entries in their own databases so
> automated tools like the geektools proxy sometimes hit dead ends.
> I know this because I wrote my own recursive whois lookup in perl
> before someone kindly pointed me to geektools. Anyway the point is
> that even with clever tools like those supplied by geektools you still
> need to know how to drill down through the whois databases by hand.
>
> One can also use whois for finding out information about who owns
> domain names, but coverage is much more patchy (I don't think that
> there is a whois server for .nz domain for example). However if you
> give a domain name to whois.geektools.com it will try to find a
> database to search.
>
> As you have no doubt noticed my assertion that 210/7 is Korea was
> inaccurate; it is, in fact, Asia Pacific. I happen to know (from doing
> two or three lookups a day) that large chunks of 210/7 are allocated to
> Korea and that if we get an incident from this range then the odds are
> good that it is Korea. (In fact other parts of 210/7 are allocated to
> many other countries including Japan and China and possibly even New
> Zealand.)
>
>
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland, New Zealand
>
Received on Jan 08 2001