Route out IP Origin With Free Tools

There is so much information available to us over the internet.  If I want to research something I just open a browser and type in the subject and I am presented with a ton of data.  The same goes for if I want to find a geolocation.  Now you have likely all used google maps etc, however what if I want to find the location of device on the internet?

Today we are going to discuss how to find the geolocation of an IP address.

I wanted to collect various tools that would show me where in the world a public IP address was originating from.  Not all these tools are built equally and some return data that is questionable in its accuracy.

For the research today I have chosen a popular IP address that millions of people access on a daily basis.  I'm not reviewing the tools per se, I want to see what they return as a geolocation and what we can surmise from the findings.

Target: 196.196.193.12 (Find out who this is at the end of the blog)

Head to the end of the blog to see all the coordinates mapped out! You will see my assessment on the findings.  Also I reveal my assumptions on information gathered.

1. Censys.io

This is a clean website that returns the lat/long of a public ip address.  It will also returns port information about the target system.  The simplicity of the website structure leans very well to scraping, so I built a script to do just that.

Above you can see the script source code.  Scrapes like this are nice because at line 10 we only need to go through 2 levels of html tags in order to find the data we want.  It's almost like they designed this site to be scraped.

The script produces the following

Returned value: 53.3338, -6.2488

ASN: 41564 (this is important, if this number changes something is screwy)

2. Ipstack.com

Another tidy little site that puts all of your data in to json format.  With json you can access the data like a dictionary and pull out exactly what you want.  You could integrate this json into a script and produce all the information you need.

Returned: 53.35388946533203,-6.243330001831055

ASN: 41564

[3]

3. IP2location.com

Site with lots of information.  Comes with an API you have to subscribe for.

Interesting it also has a Twitter bot and Slack bot you can access. I'm not entirely sure why the bots are necessary, but hey.

Result: 53.343990, -6.267190

ASN 41564 (This time it is labeld Proxy ASN)

Website states that the IP is located in a data centre

[4]

4. Keycdn tools

Nothing special about the site

Returned value: 53.3338, -6.2488 (curiously exactly the same as censys.io--> coincience?)

ASN: 41564

[5]

5. IPgeolocation.io

The site layout and service is almost exactly like ipstack.  Eerily similar.




Retruned Value: 53.34980,-6.26031

ASN:41564

[6]

6. ipapi.io

Exactly like ipstack and ipgeolocation

Returned Value: 53.333800, -6.248800

ASN: 41564

[6]

7. Ipinfo.io

Returned Value: 53.3331,-6.2489

ASN: 41564

[8]

FINDINGS

I took the coordinates of these 7 ip geolocation tools and plotted them on a map.  As you can see they are reasonably close, however they are still scattered around Dublin. 

1. Through my research I suspect that some "free" ip geolocators are piggy backing off of one another

It would be extremely easy, as they are providing an API and literally coaching you on how to use it in a script.

2. If the coordinates are not 100% accurate why utilize these APIs?  Well if all you want is a general idea of where people are visiting from, then it does the job well.  Imagine you have a website and you want to track how many people visited from outside of your country, this method would be great.

3.Probably not ideal for a detailed APT (Advanced Persistent Threat).  However with the compiled data we can get a slightly better picture of what is going on and potentially make some educated guesses.

Let's make some educated guesses based on the information gathered.  (Keep in mind the sampling is small, only 7 tools.  4 out of the seven land relatively close to one another.  That means that 57% are in relative close proximity.  Had I gone even more crazy with research there is a high probability that this number would increase even marginally.  Let's take a look at the map again at these specific locations.

These four locations land right in between two big online players.  LinkedIn and Amazon.  This is where I take some leaps, I don't have 100% conclusive evidence keep that in mind. 

-Amazon is huge player in the web services hosting business.

-One of our free tools provided evidence that the IP was from a data centre.

-It is very close to the LinkedIn head office, which [LinkedIn] spends $13 million [8] monthly on AWS Services.

-Amzaon has 3 major availability zones located in Ireland [9] [10] which act as fault tolerant hubs for their services. (One being in in Dublin)

-Here is the big assumption I am making.  That the owner of this IP is utilizing AWS (Amazon Web Services).  This may not seem like a big deal until you learn that the company that owns this IP is also one of the biggest Private VPN providers in the world. *look it up ;)

Andrew Campbell

Reference:

[1] https://en.wikipedia.org/wiki/Geolocation

[2] https://censys.io/

[3] https://ipstack.com/

[4] https://www.ip2location.com/demo/196.196.193.12

[5] https://tools.keycdn.com/geo?host=196.196.193.12

[6] https://ipgeolocation.io/ip-location/196.196.193.12

[7] https://ipapi.co/196.196.193.12/

[8] https://ipinfo.io/

[9] https://www.contino.io/insights/whos-using-aws

[9] https://stelligent.com/2014/05/02/list-all-the-availability-zones/

[10] https://aws.amazon.com/about-aws/global-infrastructure/