- A collection of methods to learn who the owner of an IP address is.
- The reason for this could be that the IP is being victimised in an attack, is currently compromised, or has security misconfigurations that leave it open to attack.
- These methods are useful for cyber threat intelligence (CTI) analysts performing victim notifications or security researchers working on bug bounty programs.
Note
These methods are free, but some of these services also offer paid accounts with more information, authenticated APIs, and higher rate limits.
Method | Description | Source(s) |
---|---|---|
Passive DNS (pDNS) | Shows historical DNS resolutions for an IP and allows you to identify domains that have pointed to the IP. | ViewDNS.info / VirusTotal / OTX AlienVault / Mnemonic / DNSlytics / subdomainfinder / Validin / SilentPush / Driftnet / SecurityTrails / Rapid7 Project Sonar |
Domain DNS Records | Includes A, PTR, MX, TXT, and CNAME records. PTR records can reveal the hostname; TXT and MX can give clues about the domain’s owner or provider. | ViewDNS.info / CentralOps / DNSlytics / DNSDumpster / VirusTotal / Validin / SilentPush / Driftnet / SecurityTrails / Rapid7 Project Sonar |
IP WHOIS | Queries registrar and network block registration info. Can directly identify the entity or ISP that registered the IP range. | ViewDNS.info / DomainTools / CentralOps / Who.is / IPVOID / VirusTotal / Validin / SilentPush / ZoomEye / SANS ISC |
Open Ports & Running Services | Scanning the IP for accessible ports and services. Banner grabbing can reveal software, versions, and sometimes organization names. | Shodan / FOFA / Censys / Onyphe / Modat / Odin / IPVOID / Driftnet / ZoomEye / Rapid7 Project Sonar |
X509 Certificates | Examine SSL certs served on open HTTPS ports. Certs often contain domains, email addresses, or organization names. | Certificate Search / Certstream / Shodan / Censys / Modat / Odin / Validin / SilentPush / Driftnet / Rapid7 Project Sonar |
Autonomous System Names (ASNs) | ASNs describe ownership of blocks of IP addresses. Helps identify the ISP, hosting provider, or large organization behind a network. | Team Cymru / IPinfo / InfoByIP / IPQS / Shodan / FOFA / Censys / Onyphe / Modat / Odin / IPVOID / Cloudflare Radar / VirusTotal / Driftnet / ZoomEye / SilentPush |
IP Geolocation | Maps IP to approximate physical location. Helps determine country or city, which may assist in narrowing the scope of who the owner is. | MaxMind / IPinfo / InfoByIP / IPQS / Shodan / FOFA / Censys / Onyphe / Odin / IPVOID / Cloudflare Radar / SilentPush |
Border Gateway Protocol (BGP) | BGP announcements tell you who is routing the IP block and confirm the autonomous system or network managing the address. | BGP Hurricane Electric / BGP Tools / Qrator Radar / BGPView |
Content Archives | Archived content of websites hosted on the IP, or screenshots of the services running on it, may show earlier branding, contact info, or domains from before a site changed. | URLscan / Wayback Machine / Shodan / SilentPush / WebPageTest |
Manual Browsing | Visiting the IP directly in a browser can sometimes reveal landing pages, admin panels, or redirect behaviour with company names or logos. | Browserling / ANY.RUN |
Google Dorking | Use advanced search engine operators to find references to the IP in online search engine results that could be used to identify its owner. | Google Dork Examples / VirusTotal |
Code Repositories | Search code repositories for references to the IP, as developers sometimes hardcode IPs in their code and configuration files. | GitHub / BitBucket |
Linked to Tor Nodes, VPNs, or Proxies | A match in lists of Tor, VPN, or proxy nodes suggests the IP is not owned by a specific end user but is part of a privacy or anonymisation network. | TOR Node List / IPQS / Spur / IP2PROXY / Proxycheck.io / SilentPush |
Cloud Storage | Cloud storage buckets may contain config files, logs, build artifacts, or naming conventions that tie back to the IP owner. | GrayHatWarfare / Odin |
IP Behaviours | Honeypot networks and crowdsourced reporting sites can also help discern what an IP is doing, and who owns it, based on its observed interactions with honeypot and victim IPs. | GreyNoise / AbuseIPDB / CrowdSec / Project Honeypot / SANS ISC |
Security TXT Records | Querying the IP directly can reveal a security.txt file at the /.well-known/security.txt or /security.txt path on the host IP. DNS implementations of security.txt also exist; these are published as DNS TXT records. | Browserling / Mxtoolbox / urlscan / security txt / dns security txt |
Cryptocurrency Network Nodes | Lists of IPs used for publicly distributed networks supporting cryptocurrency mining and ledger recording activities. | Bitnodes.io / Ethernodes.org |
Service Provider IP Ranges | Lists of IP addresses reported as belonging to Cloud, CDN, and other service providers. | Cloudflare / Oracle / GitHub / Microsoft Azure / Microsoft 365 / Google Cloud / Amazon Web Services / Fastly / Imperva / Akamai |
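An added example, not part of this list or of any service named in it, that automates three of the free pivots above for a single IP: the PTR record, the originating ASN via Team Cymru's whois service on whois.cymru.com, and the RFC 9116 security.txt contact. It assumes the reply layout of that whois service ("AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name") and that the host serves security.txt at the two paths named above.

```python
import socket
import urllib.request
from urllib.error import URLError

def ptr_lookup(ip):
    """PTR hostname for the IP, or None when no reverse DNS exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def parse_cymru_reply(text):
    """Parse a verbose whois.cymru.com reply (assumed layout: header line, then 'AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name')."""
    rows = [l for l in text.splitlines() if l.strip() and not l.startswith("AS ")]
    fields = [f.strip() for f in rows[0].split("|")] if rows else []
    if len(fields) != 7 or fields[0] == "NA":  # 'NA' means no ASN originates the prefix
        return None
    keys = ("asn", "ip", "prefix", "cc", "registry", "allocated", "as_name")
    return dict(zip(keys, fields))

def cymru_lookup(ip, timeout=5.0):
    """Ask the Team Cymru whois service (TCP 43) which autonomous system originates the IP."""
    with socket.create_connection(("whois.cymru.com", 43), timeout=timeout) as s:
        s.sendall(f" -v {ip}\r\n".encode())
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return parse_cymru_reply(data.decode(errors="replace"))

def parse_security_txt(body):
    """Collect RFC 9116 fields (contact, expires, ...) from a security.txt body, lower-cased keys."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        # skip blanks, comments, PGP armour and anything that is not 'Field: value'
        if not line or line[0] == "#" or line.startswith("-----") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def security_txt_lookup(ip, timeout=5.0):
    """Fetch /.well-known/security.txt (then the legacy /security.txt) from the IP, HTTPS first."""
    for scheme in ("https", "http"):
        for path in ("/.well-known/security.txt", "/security.txt"):
            try:
                with urllib.request.urlopen(f"{scheme}://{ip}{path}", timeout=timeout) as r:
                    return parse_security_txt(r.read().decode(errors="replace"))
            except (URLError, OSError, ValueError):
                continue
    return {}
```

HTTPS to a bare IP will usually fail certificate hostname checks, which is why the loop falls back to plain HTTP; a "contact" value in the result is the owner's own published notification address.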
Warning
These are paid services, typically only available to enterprises or public sector organisations, that provide more information and authenticated APIs.
Method | Description | Source(s) |
---|---|---|
NetFlow | NetFlow captures metadata about traffic flows (source/destination IPs, ports, protocol, timestamps) and can be used to track communication patterns, peer IPs, and usage behavior. Repeated traffic between an IP and a corporate network could indicate ownership. | Team Cymru Pure Signal |
Breach Data | Breach Data includes leaked credentials, config files, and service records from compromised systems and could be used to directly connect an IP to an email address, domain, or username and imply corporate ownership. | SpyCloud / AmIBreached / Intelx / Dehashed / Socradar / Hudsonrock |
Internet Scraping Databases | Internet scraping databases collect, store, and index citations from the darkweb, cybercrime forum posts, messaging services, paste sites, legit news sites, and technical blogs, among other sources. They may have data on IP addresses such as where they were first and last mentioned and in what context. | Recorded Future / Anomali ThreatStream / Intel471 / Flashpoint / Cyble |
- Pivot Atlas - A list of various tools and platforms that enable different types of pivots on different types of data.
- IOC Vetting Sources - A list of various tools and platforms to check the reputation of an IP address.
- ThreatFox - ThreatFox is a platform from abuse.ch and Spamhaus dedicated to sharing indicators of compromise (IOCs) associated with malware, with the infosec community, AV vendors and cyber threat intelligence providers. Upload IOCs and explore the database for valuable intelligence. Use the APIs to seamlessly push and pull signals, and automate bulk queries.
- Thanks to Dan, Conor, and Josh from Team Cymru
- Thanks to Amitai and Ralph from Curated Intel