• Support
  • Forums
  • Blogs

Share your moves to investigate an IP address

KyleKatKyleKat

Little green alien
+8
From time to time I find myself having the need to identify an IP address and when it's in the public internet... this can get tricky. More often than not sites like Domain Dossier or WhoIs can point us in the right direction, but was hoping to learn a few tricks from other AlienVault members.

Any recommendations on this would be greatly appreciated!
tracy.dangerblesliedrussellrperlsteinFrontlineCyberSeckatebrewehortonwathsala

Share post:

Best Answers

  • The most popular tools in are office are-

    Virus Total lets you search a url or domain name and shows you a list of programs and there findings on your search. 
    https://www.virustotal.com/

    A in depth whois with IP history.
    https://centralops.net/co/

    Lets you preview the front page of your search, gives you the host, connected host names and URLs and history of the IP.
    http://urlquery.net/
    bleslieKyleKatLBarracoJ4vv4DMontiehorton
  • Answer ✓
    It really depends on what you want to find out and why. In general I find there's little value in identifying malicious IPs.  You typically just find yourself playing an endless game of whack-a-mole or you simply find yourself at an impasse because the attacker is in a country that doesn't play nice with local law enforcement. 

    With that said, it's conceivable that you are observing potentially legitimate traffic and you want to make sure that the source or destination is from a known good source. In these case I am a fan of https://centralops.net/co/domaindossier.aspx (which you already mentioned) and https://geoiptool.com/ for location lookups. This is usually sufficient to identify legitimate traffic. 

    Every once in awhile I find a useful nugget of information on https://pastebin.com/.  Also, don't overlook twitter.  There's a large security community online and there's a chance that someone else has seen what you are looking at. 

    Just my 2¢.  Hope it helps.  


    bleslieKyleKatLBarracoJ4vv4DrperlsteinMontikratoskatebrew
  • Answer ✓
    Learned some tools from previous answers, thanks

    little to add, but I also try to identify websites that have been registered recently, or with recent changes. The idea is that old malicious websites are often already blacklisted and reported, and DNS records that are only days old are very suspicious.

    For that, I use the following tools:

    KyleKatbleslieJ4vv4DLBarraco
«1345

Answers

Sign In or Register to comment.