OSINT Investigation: How to Use IP Address

You've probably heard of IP addresses and even seen them, but never wondered what they are. What seems like just a set of digits is actually the number assigned to your device on the Internet. It consists of numbers from 0 to 255 separated by dots, for example, 195.123.56.78.

In essence, an IP is the identifier of your device at a specific time in a specific location. It can be changed by special programs to make using the Internet safer. The most famous is the VPN, which you have probably used at least once. When you turn it on, you may notice that your location in the search engine changes, which happens because the VPN changes your IP address.

However, not all people use VPNs, especially when it comes to companies. So, the IP address can provide a lot of useful information, including:

  • The IP's host name
  • The ISP and organization's name
  • Location of the device (city or coordinates)
  • Any known services running on that IP
  • The area code for that region
  • Domains hosted at that IP

Nevertheless, it is important to understand that this data is often quite inaccurate as different programs and services only give their best guesses, and companies or individuals can block their IP from being tracked. Still, we will look at some of the methods and tools that are used in OSINT investigations related to IP.

How to find an IP address

Let's start with how to find the IP address because without it we can't do a reverse search.

This is quite simple to do for your own device: check the properties of your Internet connection or use any online service. You can even just google “how to find my IP address” and the answer will be at the very top of the search results.

IP address of a site

You can also find out the IP of someone's site or device using online tools. There are dozens of them, such as DNSLytics, ViewDNS, or SecurityTrails. One of the most popular resources used to be WHOIS. It can still provide a lot of useful information in some cases, but in others it will be useless because of new legal rules and restrictions that companies themselves place on access to information. Still, you can try.

All of these services work in a similar way: you type the URL of the site or domain in the search bar, hit enter, and the site gives you the results. Usually, such services provide information not only on the IP but also on the domains that use these IPs, as well as connection types and other parameters.

Note that there may be several IPs, and they may differ if the company has several offices or tries to hide its location. In this case, you will have to check each IP address.

The IP address of a person

You can also find a person's IP address using social networks and online tools. All approaches that we will describe work with all social networks, but we will take Instagram as an example.

The first option is to use tools that track the IP by username, such as Storyslash. All you need to do is enter the target's username into the search bar, and the app will give you the IP. However, it may be inaccurate or outdated, as people use Instagram in different places from smartphones.

The second option is to use the Command Prompt tool, which is installed on every computer. You need to:

  1. Close all applications on your computer, including background ones, so that the program tracks only Instagram's IP.
  2. Using the desktop app, start a conversation with your target, preferably via video or audio call.
  3. Press Win+R to open the Run dialog and type cmd to open the Command Prompt.
  4. Type in the command netstat -an, and the application will show you all the IPs connected to your Instagram. One of them is the IP of your target.

As you can see, it is not the most accurate method, but it is still effective.

The third option is to use IP loggers such as Grabify. Here you need to be smart and lure the user into opening the link you send them. So, you should:

  • Choose interesting content for the target, such as a funny meme.
  • Enter the meme's link in Grabify, and it will generate a compressed URL that you can use and a tracking code. Copy both.
  • Send the target the compressed link and, when they open it, go back to Grabify and enter the tracking code into the search box on the homepage. The application will show you the person's IP address and other interesting information.

Don't worry: your target won't even notice your trick, as the link you send tracks the IP in seconds and then directs the person to the content.

How to find geolocation with IP address

One of the most popular IP-related queries is geolocation search. Dozens of different resources offer a precise location, including a city and a specific area, and you can use them. But do not think that everything is so simple, since all these services can show different addresses.

For example, if we enter one of the IP addresses that we received in the last search for the bbc.com domain, we will see that:

  • ViewDNS.info gives us the USA with latitude 37.751 and longitude -97.822 (literally the center of Cheney Reservoir in Kansas).
  • Ipgeolocation gives us the US too, but the IP is located in San Francisco, California.
  • BigDataCloud also says that the IP is located in California.
  • IPinsight can't find this address at all.

Of course, if you only need to know the country, checking through several services can be relatively accurate, although not in all cases. However, if you want to find an exact address or at least a city, you need to check the IP more carefully.
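The cross-check described above, as an added example that is not part of the original article: it grades how far several lookup services agree and sets aside answers that are only a country-level fallback point. The provider answers are a constructed sample mirroring the list above, the two Californian coordinate pairs are illustrative values, and the names `assess` and `COUNTRY_FALLBACKS` are hypothetical.

```python
import math
from itertools import combinations

# Coordinates the article quotes for ViewDNS.info. Assumption: a point in the
# middle of a reservoir is a country-level fallback, not a device location.
COUNTRY_FALLBACKS = {"US": (37.751, -97.822)}

# Constructed sample mirroring the four answers above (not real lookups).
SAMPLE = {
    "ViewDNS.info": ("US", 37.751, -97.822),
    "Ipgeolocation": ("US", 37.7749, -122.4194),
    "BigDataCloud": ("US", 37.80, -122.27),
    "IPinsight": None,  # the service returned nothing
}

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def assess(results, city_radius_km=100.0):
    """Grade provider agreement: 'unknown', 'conflict', 'country' or 'city'."""
    answered = {p: r for p, r in results.items() if r is not None}
    countries = {r[0] for r in answered.values()}
    fallback, precise = [], {}
    for provider, (country, lat, lon) in answered.items():
        default = COUNTRY_FALLBACKS.get(country)
        if default and haversine_km((lat, lon), default) < 1.0:
            fallback.append(provider)  # this provider knows the country only
        else:
            precise[provider] = (lat, lon)
    spread = max((haversine_km(a, b)
                  for a, b in combinations(precise.values(), 2)), default=0.0)
    if not countries:
        level = "unknown"
    elif len(countries) > 1:
        level = "conflict"
    elif len(precise) >= 2 and spread <= city_radius_km:
        level = "city"      # at least two independent city-level answers agree
    else:
        level = "country"
    return {"level": level, "spread_km": round(spread, 1), "fallback": fallback,
            "no_answer": [p for p, r in results.items() if r is None]}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A "city" grade only means the services agree with each other; it still needs the traceroute and ping checks that follow.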

In this case, use traceroute first. This tool sends several data packets to the target and traces the path of internet traffic. You need to pay attention to the last or second-to-last result, specifically the part with the abbreviated name of the place, for example, “qc.ca”. This part hints that the IP's likely location is Quebec, Canada.

Next, you need to check this result using “ping,” which sends small requests to the server and waits for a response. This can be done with the KeyCDN service: you enter the IP in the search bar and get the response time for each country where it’s located. The fastest response comes from the country closest to you.

For example, if you are somewhere in Kansas City, and the first response comes from Quebec and then from San Francisco, most likely the IP is located in Quebec. Or, the ping may show that there is no response from Quebec at all, so you can cross it off the checklist and settle on San Francisco.

So, as you can see, searching for a location by IP is not the most reliable practice, but if you have any additional information, it can help.

Other useful data you can get from a reverse IP Search

There are a few more useful things you can find out using a reverse IP Search.

Suspicious domains

If you scan an IP, you can see all the domains that are located on it. Most likely they are owned by the same company or person. If they were created on the same day or even the same hour, they are probably being used for phishing or other illegal activities. Avoid them and don't click on the links they provide.

Sometimes, though, the same IP address is connected to multiple domains or people only because many people use the same device, for example, a school or public library computer used for computer science lessons.
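The creation-time check described above, as an added example that is not part of the original article: it groups the domains found on one IP into bursts in which each domain was created within a chosen window of the previous one, and lists separately the domains whose creation date is unavailable. The domain names and timestamps are constructed, and the function name `registration_bursts` is hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample: domains reported on one IP with their creation times.
# None models a record whose creation date is withheld by the registry.
SAMPLE = [
    ("shop.example", "2019-03-02T10:15:00"),
    ("account-verify.example", "2024-05-11T08:02:00"),
    ("secure-login.example", "2024-05-11T08:19:00"),
    ("billing-update.example", "2024-05-11T08:47:00"),
    ("blog.example", "2021-11-20T16:40:00"),
    ("legacy.example", None),
    ("support-desk.example", "2024-05-11T21:30:00"),
]

def registration_bursts(domains, window=timedelta(hours=1), min_size=3):
    """Return (bursts, unknown).

    A burst is a run of at least min_size domains, ordered by creation time,
    where each one was created no more than `window` after the previous one.
    """
    dated = sorted((datetime.fromisoformat(ts), name)
                   for name, ts in domains if ts)
    unknown = sorted(name for name, ts in domains if not ts)
    bursts, group = [], []
    for ts, name in dated:
        # A gap larger than the window closes the current run.
        if group and ts - group[-1][0] > window:
            if len(group) >= min_size:
                bursts.append([n for _, n in group])
            group = []
        group.append((ts, name))
    if len(group) >= min_size:
        bursts.append([n for _, n in group])
    return bursts, unknown

if __name__ == "__main__":
    for label, win in (("same hour", timedelta(hours=1)),
                       ("same day", timedelta(days=1))):
        bursts, unknown = registration_bursts(SAMPLE, window=win)
        print(label, bursts, "no creation date:", unknown)
```

A burst is a reason to look closer at those domains, not proof of abuse; domains with no creation date cannot be cleared by this check either.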

Sites that belong to one person or company

In the same way, you can check whether the same person or company owns different sites if you have any suspicions. For example, you may feel that an independent news site is putting out too many articles in support of the ideas of one party or ideology.

If the domains of this news site and the official site of the party have the same IP address, most likely the party uses it as a source of propaganda. In this case, other domains associated with the IP may also belong to the party, although you did not even know about it.

Still, all your guesses need to be confirmed by other data, such as email verification, as otherwise you can wrongly accuse a person.

Other OSINT tools for IP address

As you can see, there are a lot of IP-related tools. For example, you can check the reputation of an IP, find a location, or check ports and devices. But they do not always give accurate results if you use them separately. So, it is better to use the OSINT Framework site and try several dozen IP search tools to select your ideal set.

Conclusion

The IP address can be useful in an OSINT investigation as an additional source of information or as a starting point for a search. However, it must be used carefully to find accurate information. To do this, try different services and tools and check your guesses in several ways.