Tutorial: IP Addresses: What are they and how do i find them
Page 1 of 3 123 LastLast
Results 1 to 10 of 28

Thread: Tutorial: IP Addresses: What are they and how do i find them

  1. #1
    Junior Member
    Join Date
    Sep 2001
    Posts
    17

    Tutorial: IP Addresses: What are they and how do i find them

    Over the last few days i have seen a lot of post saying how do i get a IP Address, well basically you can't just pull anybodys ip address you want of the net. So i will explain what a IP address is and how to find them.

    1) IP ADDRESS STRUCTURE
    2) IP AND PORT INFO USING Netstat


    1)IP ADDRESS STRUCTURE:


    Every station on a PSN (packet switched network) that is based on the TCP/IP protocol (your computer is one, for example. Yes, we're referring to a host that is connected to the net) must have an IP address, so it can be identified, and information can be relayed and routed to it in an orderly fashion.

    An IP address consists of a 32 bit logical address. The address is divided into two fields:

    1) The network address:
    Assigned by InterNIC (Internet Network Information Center).
    In fact most ISPs (internet service providers) purchase a number of addresses and assign them individually.

    2) The host address:
    An address that identifies the single nodes throughout the network. It can be assigned by the network manager, by using protocols for it such as DHCP, or the workstation itself.
    [The IP networking protocol is a logically routed protocol, meaning that address 192.43.54.2 will be on the same physical wire as address 192.43.54.3 (of course this is not always true. It depends on the subnet mask of the network, but all of that can fill a text of its own)

    IP address structure:

    ---.---.---.---

    ^ ^
    | |
    network | host

    Every " --- " = 8 bits.
    The first bits ===> network address
    The last bits ===> host address.

    with 8 bits you can present from 0-255 . (binary=(2 to the power of 8)-1)
    Example:
    11000010.01011010.00011111.01001010 (binary)
    194.90.31.74 (decimal)
    IP address CLASSES :
    We can classify IP addreses to 5 groups. You can distinguish them by comparing the "High Order" bits (the first four bits on the
    left of the address):
    type | model | target | MSB |addr.range |bit number| max.stations|
    | | groups | | |net./hosts| |
    ------|--------|--------|-----|--------------|----------|-------------|
    A |N.h.h.h | ALL | 0 | 1.0.0.0 | 24/7 | 16,777,214 |
    | | ACCEPT | | to | | |
    | | HUGE | | 127.0.0.0 | | |
    | | CORPS | | | | |
    -----------------------------------------------------------------------
    |N.N.h.h | TO ALL | 10 | 128.1.00 | 16/14 | 65,543 |
    B | | LARGE | | to | | |
    | | CORPS | | 191.254.00 | | |
    -----------------------------------------------------------------------
    |N.N.N.h |TO ALOT | 110 | 192.0.1.0 | 8/22 | 254 |
    C | |OF | | to | | |
    | |SMALL | | 223.225.254 | | |
    | |CORPS | | | | |
    -----------------------------------------------------------------------
    D | NONE |MULTI-CA|1110 | 224.0.0.0 | NOT FOR | UNKNOWN |
    | |ST ADDR.| | to | USUAL | |
    | |RFC-1112| |239.255.255.255| USE | |
    -----------------------------------------------------------------------
    E | NOT FOR|EXPERIME|1,1,1,1| 240.0.0.0 |NOT FOR| NOT FOR USE|
    | USE |NTAL | | to |USE | |
    | |ADDR. | |254.255.255.255| | |
    -----------------------------------------------------------------------

    N=NETWORK , h=HOST .

    Notice the address range 127.X.X.X.
    These addresses are assigned to internal use to the network device, and are
    used as an application tool only. For example: 127.0.0.1, the most common one,
    is called the loopback address - everything sent here goes directly back to
    you, without even traveling out on the wire.
    Also, some IPs are reserved for VPNs - Virtual Private Networks. These are
    local area networks over wide area networks that use the Internet Protocol to
    communicate, and each computer inside the network is assigned with an IP
    address. So, suppose a certain computer wants to send a data packet to
    another host on the network with the IP 'x', but there's also another host on
    the Internet that has the same IP - what happens now? So this is why you
    cannot use these and other forms of reserved IPs on the Internet.


    Distinguishing different groups:

    You have to compare the first byte on the left in the address as follows:

    Type | First byte | MSB
    | in decimal |
    ----------------------------
    A | 1-127 | 0
    ----------------------------
    B | 128-191 | 10
    ----------------------------
    C | 192-223 | 110
    ----------------------------
    D | 224-239 | 1110
    ----------------------------
    E | 240-254 | 1111
    ----------------------------


    Multicast: (copied from RFC 1112)
    IP multicasting is the transmission of an IP datagram to a "host
    group", a set of zero or more hosts identified by a single IP
    destination address. A multicast datagram is delivered to all
    members of its destination host group with the same "best-efforts"
    reliability as regular unicast IP datagrams, i.e., the datagram is
    not guaranteed to arrive intact at all members of the destination
    group or in the same order relative to other datagrams.

    The membership of a host group is dynamic; that is, hosts may join
    and leave groups at any time. There is no restriction on the
    location or number of members in a host group. A host may be a
    member of more than one group at a time. A host need not be a member
    of a group to send datagrams to it.

    A host group may be permanent or transient. A permanent group has a
    well-known, administratively assigned IP address. It is the address,
    not the membership of the group, that is permanent; at any time a
    permanent group may have any number of members, even zero. Those IP
    multicast addresses that are not reserved for permanent groups are
    available for dynamic assignment to transient groups which exist only
    as long as they have members.

    Internetwork forwarding of IP multicast datagrams(ip packets)is handled by
    "multicast routers" which may be co-resident with, or separate from,
    internet gateways. A host transmits an IP multicast datagram as a
    local network multicast which reaches all immediately-neighboring
    members of the destination host group. If the datagram has an IP
    time-to-live greater than 1, the multicast router(s) attached to the
    local network take responsibility for forwarding it towards all other
    networks that have members of the destination group. On those other
    member networks that are reachable within the IP time-to-live, an
    attached multicast router completes delivery by transmitting the
    datagram(ip packet) as a local multicast.

    *if you donot understand the above do not worry, it is complicated and dry
    but reread it and read it again get a dictionary if it helps.
    Hacking is not easy.

    MSB: Most Significent Bit:
    In set numbers the first number on the left is the most important because it
    holds the highest value as opposed to the LSB=> least significent bit, it
    always holds the the smallest value.

    2)IP and port Info using Netstat

    Use of Netstat

    - (To OPEN Netstat) - To open [Netstat] you must do the following: Click on the
    - [Start] button-->Then click [Programs]--> Then look for [Ms-Dos Prompt].
    Netstat is a very helpful tool that has many uses. I personally use Netstat
    to get IP addresses from other users I'm talking with on ICQ or AIM. Also
    you can use Netstat go moniter your port activity for attackers sending syn
    requests (part of the TCP/IP 3 way handshake) or just to see what ports are
    listening/Established. Look at the example below for the average layout of
    a responce to typing Netstat at the C:\windows\ prompt.
    ~~~~~~~~~~~~~~~~~~~~
    C:\WINDOWS>netstat

    Active Connections

    Proto Local Address Foreign Address State
    TCP pavilion:25872 WARLOCK:1045 ESTABLISHED
    TCP pavilion:25872 sy-as-09-112.free.net.au:3925 ESTABLISHED
    TCP pavilion:31580 WARLOCK:1046 ESTABLISHED
    TCP pavilion:2980 205.188.2.9:5190 ESTABLISHED
    TCP pavilion:3039 24.66.10.101.on.wave.home.com:1031 ESTABLISHED
    ~~~~~~~~~~~~~~~~~~~
    Now look above at the example. You will see [Proto] on the top left. This just
    tells you if the protocal is TCP/UDP etc. Next to the right you will see
    [Local Address] this just tells you the local IP/Hostname:Port open. Then to the
    right once again you will see [Foreign Address] this will give you the persons
    IP/Hostname and port in the format of IP:Port with ":" in between the port and IP.
    And at last you will see [State] Which simply states the STATE of the connection.
    This can be Established if it is connected or waiting connect if its listening.
    Now with this knowledge we will dive into deeper on how to use this for monitering
    and port activity and detecting open ports in use.

    Detecting Open ports

    Now so you are noticeing something funny is going on with your computer? Your cd-rom
    tray is going crazy...Opening and closing when your doing nothing. And you say What the
    phruck is going on..or you realize someones been messing with a trojan on your computer.
    So now your goal is to locate what trojan it is so you can remove it right? Well your right.
    So you goto your ms-dos prompt. Now there are many ways to use Netstat and below is a help
    menu. Look through it.
    ~~~~~~~~~~~~~~~~~~~~
    C:\WINDOWS>netstat ?

    Displays protocol statistics and current TCP/IP network connections.

    NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

    -a Displays all connections and listening ports.
    -e Displays Ethernet statistics. This may be combined with the -s
    option.
    -n Displays addresses and port numbers in numerical form.
    -p proto Shows connections for the protocol specified by proto; proto
    may be TCP or UDP. If used with the -s option to display
    per-protocol statistics, proto may be TCP, UDP, or IP.
    -r Displays the routing table.
    -s Displays per-protocol statistics. By default, statistics are
    shown for TCP, UDP and IP; the -p option may be used to specify
    a subset of the default.
    interval Redisplays selected statistics, pausing interval seconds
    between each display. Press CTRL+C to stop redisplaying
    statistics. If omitted, netstat will print the current
    configuration information once.
    ~~~~~~~~~~~~~~~~~~~~~
    I personally like using (C:\Windows\Netstat -an) Which Displays all connections and
    listening ports in the form of IP instead of Hostname. As you see how i did the command
    Netstat(space)-a(Displays all connections and listening ports.)n(in numerical form)
    Netstat -an -So doing that does TWO of the options at once no need for -a-n. So
    now that you know how to use netstat to view all your connections and listening you
    can search for common ports like 12345(old Netbus Trojan),1243(subseven) etc.

    SYN and ACK


    When you here Syn and Ack(ACKnowledge) you do not think of the communication of packets on
    your system. Well let me tell you what SYN and ACK do.
    [SYN] - SYN in common words is a request for a connection used in the 3-way handshake
    in TCP/IP. Once you send a SYN out for a connection, the target computer will reply with a SYN and ACK. So basically when you see in [State] catagory Syn that means you are sending
    out a request to connect to something.
    [ACK] - Now the ACK is a ACKnowledgement to the request made by a computer that is
    trying to connect to you. Once a Syn is sent to you you need to ACK it, then Send back another syn to the computer requesting connection to confirm the packet sent was correct.

    Using Netstat for ICQ and AIM

    Have you ever wanted to get someones IP address or hostname using [Aol Instant Messanger]
    or [ICQ]? Well your in Luck.
    [AIM] - With AIM you can not ussually find the exact IP address without some trial and error because most of the time it seems to open up all online users on Port
    5190. So Less users online easier it is. So goto Ms-Dos Prompt and type netstat -n here you will see under [Foreign Addresses] a IP:With port 5190. Now one of those IP's connected
    to you with 5190 is going to be your target aim user. Just use trial and error to find out
    is ussually the easiest way.
    [ICQ] - To get a IP using netstat of a ICQ user is easy before talking to the person on ICQ you must open ms-dos prompt and do netstat -n to list all IP's and ports.Write them
    down or copy them somewhere you will remember to look back. Now it's time to find out his
    IP. Message the user witha single message now quickly do Nestat -n. And you will have a new added line of a IP address, just search for the new one on the list under foreign and once you find it you now have your buddys ip.

    Other Uses

    Netstat can be used to get IPs of anything and anyone, as long as there's a direct connection between you and the target (i.e. direct messages, file transfers or ICQ chats in ICQ, DCC (Direct Client Connection) chat and file transfers in IRC etc' etc').

    Tools and Utilities:

    Port scanning: To look for any open ports on a computer:
    - [7th Sphere Port scanner] - (2 mirror sites so if one link doesnt work)
    - http://members.xoom.com/Cryptog/7spereportscan.exe
    - http://members.xoom.com/gohan_3/7spereportscan.exe
    For Communicating better:
    - [ICQ]
    - http://www.icq.com
    - [Aol Instant Messanger]
    - http://www.aol.com

    Chris@zxtech.net
    www.ZXtech.net
    www.XSecurity.org
    Share on Google+

  2. #2
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    boy ZX, where did you cut that one from? Good post too.
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust
    Share on Google+

  3. #3
    Banned
    Join Date
    Sep 2001
    Posts
    12

    Post WOW

    that was some post my friend i'm sure it will help many i actually didn't know about the netstat part for icq or aim
    thankz for the tip
    Share on Google+

  4. #4
    Member
    Join Date
    Sep 2001
    Posts
    50
    Thanks for the very informative post! I learned a lot.
    Share on Google+

  5. #5
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007

    Re: Tutorial: IP Addresses: What are they and how do i find them

    (of course this is not always true. It depends on the subnet mask of the network, but all of that can fill a text of its own)
    I'll start a new thread on that. I have it halfway (re)written already.
    [HvC]Terr: L33T Technical Proficiency
    Share on Google+

  6. #6
    Junior Member
    Join Date
    Jul 2001
    Posts
    5
    Exellent post ZX,

    It took me many hours and many web pages to learn all the stuff you just listed in 1 post.

    Good job.
    Share on Google+

  7. #7
    Junior Member
    Join Date
    Sep 2001
    Posts
    11

    Lightbulb IP's

    Thanks for the Post I learned a lot!
    Share on Google+

  8. #8
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    I spent all that time writing on Subnet Masks and I don't even get a reply. Waah. Boohoo. Poor me. In case it was because nobody noticed, you can go here!
    [HvC]Terr: L33T Technical Proficiency
    Share on Google+

  9. #9
    Senior Member
    Join Date
    Sep 2001
    Posts
    534

    good terr i am with u..pal...

    hey terr my full support is with u...i will post maximum on this thread because i am also very much interested on ips...and this was really a very good informative....post....
    good good ....terr i am with u...
    intruder...
    Share on Google+

  10. #10
    Member
    Join Date
    Oct 2001
    Posts
    64
    Is there anyway to do that for MSN messanger?
    ?

    I get these ppl juming on my MSN once and a while trying to sell me stuff, I want to get there IP's is there any way to do that?

    LB
    Share on Google+

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides