Have you
ever wondered where the physical location
of an IP address is? Maybe you want to know if that proxy server you are using
is actually out of your local legal jurisdiction. Or,
maybe you have the IP address of someone you are corresponding with and want to
make certain they are where they say they are. Or, maybe you are a forensic
investigator tracking down a suspect who wrote a threatening email or hacked
someone's company.
Now
you can find the location of that IP address without a subpoena or search
warrant.
A
company called MaxMind maintains
a database of the location of every IP address on the planet complete with GPS
coordinates, area code, zip code, and country. This database is not in a
typical relational database format, but rather in a flat file. MaxMind charges
a $370 site license and $90/month (or $1360/year) for updates to this database.
Their software has a beautiful front end that makes querying the database easy
enough that even Windows or Mac users can manage.
MaxMind also gives away a free
developers version of this database without any software or tools to read it.
Although slightly less accurate than the commercial version, the price is
certainly right. All we need to find the location of the IP is a program to
read this data.
Two
programmers, Jennifer Ennis and T. Williams, have developed a small Python
script called pygeoip and released it under the GPL license that enables us to
input an IP address and output this critical information.
Step 1: Fire Up Kali & Open
a Terminal
The
first step, of course, is to fire up our our trusty Kali system,
or in this case, any Linux
distribution. Then, open a terminal.
Note: Be cautious of the
formatting below for commands. The formatting of this article will create big
space gaps since it stretches lines out to fit the margins. This is because of
long URLs that try to fit themselves on a separate line. Large spaces equals
just one space, so keep that in mind. Refer to the screenshots to see how they
actually look.
Step 2: Download the Database
Now we need to download the
database from MaxMind, and we can get it by typing the following.
Then we need to unzip it.
kali>
gzip -d GeoLiteCity.dat.gz
Let's
now check that the database is in place by listing the directory.
kali > ls -alh
GeoLiteCity.dat
Step
3: Download & Install Pygeoip
Next, we need to install the Python script to read the
database, pygeoip. We can download it by typing the following.
Then, unzip it.
kali
> unzip pygeoip-0.1.3.zip
We next need to download some
setup tools into the pygeoip directory.
kali
> cd /pygeoip-0.1.3
Let's now move and then build
and install the setup tools.
kali
> mv setuptools-0.6c11-py2.5.egg setuptools-0.7a1-py2.5.egg
kali
> python setup.py build
kali
> python setup.py install
We need to move the database to
the pygeoip directory so that script can access it without having to use the
full path.
kali
> mv GeoLiteCity.dat /pygeoip-0.1.3/GeoLiteCity.dat
Step 4: Query the Database
Now that we have the database in
place and the pygeoip script downloaded and installed, we can begin to query
that database with pygeoip.
First, we need to start a Python
shell.
kali
> python
Then, you will be greeted will
the triple >>> indicating you are now in an interactive python shell.
Let's import the module and instantiate the class.
>>>import
pygeoip
>>>gip = pygeopip.GeoIP('GeoLiteCity.dat')
>>>gip = pygeopip.GeoIP('GeoLiteCity.dat')
Next, we are ready to begin our
query. Let's see where Google is located.
>>>rec
= gip.record_by_addr('64.233.161.99')
>>>for key.val in rec.items():
... print "%s: %s" %(key,val)
...
>>>for key.val in rec.items():
... print "%s: %s" %(key,val)
...
Please note that it is critical
to indent the "print". If not, you will throw an error.
As you can see, we were able to
locate Google's IP in Mountain View, CA at area code 650, postal code 94043,
longitude -122.0574, and latitude 37.4192. Not bad! Now, let's try to locate
the IP of cnn.com.
Once again, the combination of
the database and pygeoip script was able to provide us with key location
information on CNN's IP address.
No comments:
Post a comment