~ INTERNET PROTOCOL ADDRESSES ~
#####################################################################
Ok, not really a guide, more like a compilation of information,
but as Bruce would say, "I can only show you the path, the rest is up to you".
If you have any questions, find a bad link, or have anything good to add, please post it in the online security discussion forum, thanks..
#####################################################################
For extensive information on IP addresses, Internet protocols and all the other good stuff, try these links first:
Great Online Guide to TCP/IP :
http://www.redbooks.ibm.com/redbooks/GG243376.html
TCP/IP Guide:
http://www.tcpipguide.com/free/index.htm
Complete TCP/IP Resources Guide:
http://www.private.org.il/tcpip_rl.html
Bleeping Computer's Guide: IP Addresses Explained
http://www.bleepingcomputer.com/forums/ind...showtutorial=37
http://www.wbglinks.net/pages/reads/misc/ip.html
http://en.wikipedia.org/wiki/IP_address
http://www.dshield.org/primer.php
#######################################################################
Currently there are two types of Internet Protocol (IP) addresses in active use: IP version 4 (IPv4) and IP version 6 (IPv6). IPv4 was initially deployed on 1 January 1983 and is still the most commonly used version.
[quote]IPv4 addresses are 32-bit numbers often expressed as 4 octets in "dotted decimal" notation (for example, 192.0.32.67). Deployment of the IPv6 protocol began in 1999.
IPv6 addresses are 128-bit numbers and are conventionally expressed using hexadecimal strings (for example, 1080:0:0:0:8:800:200C:417A).[/quote]
Both IPv4 and IPv6 addresses are assigned in a delegated manner.
INTERNET REGISTRY IP ALLOCATION GUIDELINES:
http://www.arin.net/library/guidelines/ipv4.html
http://www.arin.net/library/rfc/rfc2050.txt
Users are assigned IP addresses by Internet service providers (ISPs).
ISPs obtain allocations of IP addresses from a local Internet registry (LIR) or national Internet registry (NIR),
or from their appropriate Regional Internet Registry (RIR):
[quote]APNIC (Asia Pacific Network Information Centre) - Asia/Pacific Region
ARIN (American Registry for Internet Numbers) - North America and Sub-Sahara Africa
LACNIC (Regional Latin-American and Caribbean IP Address Registry) – Latin America and some Caribbean Islands
RIPE NCC (Réseaux IP Européens) - Europe, the Middle East, Central Asia, and African countries located north of the equator[/quote]
The IANA's Role in the Internet:
The IANA serves as a bookkeeper in recording the assignments that are made.
In Internet terminology, the record-keeping service IANA performs is called a registration service, and IANA serves as a registry.
Allocation of IP Addresses:
The IANA maintains a high-level registry of IP addresses. It works with the Regional Internet Registries (RIRs) to distribute the large blocks of IP addresses among the RIRs. There are currently 4 RIRs, distributed around the world:
[quote] APNIC (Asia/Pacific Region), ARIN (North America and Sub-Sahara Africa), LACNIC (Latin America and some Caribbean Islands), and RIPE NCC (Europe, the Middle East, Central Asia, and African countries located north of the equator). (A fifth regional registry is in formation for Africa.)[/quote]
The RIRs are the organizations that actually allocate IP addresses to ISPs.
These allocations are in smaller blocks of addresses.
[quote]Allocate versus Assign
A distinction is made between address allocation and address assignment.
Internet Service Providers (ISP) are allocated address space as described herein, while end-users are assigned address space. ARIN allocates blocks of IP addresses to ISPs for the purpose of subsequent distribution of that space to their customers. An end-user is an organization receiving assignments of IP addresses exclusively for use within the Internet infrastructure they operate, not for sub-delegation of those addresses outside of its organization.[/quote]
The IANA web page "Internet Protocol v4 Address Space" documents how the IPv4 address space is distributed among the RIRs.
INTERNET PROTOCOL V4 ADDRESS SPACE:
- http://www.iana.org/assignments/ipv4-address-space
IANA – Internet assigned numbers authority
http://www.bluetack.co.uk/forums/index.php...?showtopic=1057
The IANA is not an ISP, and it has absolutely no control over the use of any Internet Protocol (IP) addresses except the very few that are directly tied to the iana.org domain name.
http://iana.netnod.se/
Whois searches with “IANA” as the result are either:
[quote]
· Forged IP address (the next "received" line up may be valid)
· On your own network (virus-generated e-mail).
· On an IANA company computer. This is not likely.[/quote]
IANA is the agency that assigns all Internet numbers.
They assign IPs to the Regional Internet Registries (RIRs) to redistribute.
[quote]There are currently 4 RIRs, distributed around the world: APNIC (Asia/Pacific Region), ARIN (North America and Sub-Sahara Africa), LACNIC (Latin America and some Caribbean Islands), and RIPE NCC (Europe, the Middle East, Central Asia, and African countries located north of the equator). (A fifth regional registry is in formation for Africa.) [/quote]
If the address is reported as being from IANA, you should try all 4 RIRs.
An IP address may report as being from IANA if they are:
[quote]"Private Use" IP addresses:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255[/quote]
The above address blocks are reserved for use on private networks, and should never appear in the public Internet. If you see an apparent attack, or spam, coming from one of these address ranges, then either it is coming from your local environment, or the address has been "spoofed".
[quote]"Autoconfiguration" IP Addresses:
169.254.0.0 - 169.254.255.255
Addresses in the range 169.254.0.0 to 169.254.255.255 are used automatically by some PCs and Macs when they are configured to use IP, do not have a static IP Address assigned, and are unable to obtain an IP address using DHCP.
This traffic is intended to be confined to the local network, so the administrator of the local network should look for misconfigured hosts. Some ISPs inadvertently also permit this traffic, so you may also want to contact your ISP.[/quote]
[quote]"Loopback" IP addresses:
127.0.0.0 - 127.255.255.255
Each computer on the Internet uses 127.0.0.0/8 to identify itself, to itself. [/quote]
"Unallocated" IP addresses:
The IPv4 Address Registry and the Whois use the word unallocated (sometimes "reserved") to mean that the addresses are reserved for future allocation. No one should be using these addresses now.
[quote]Multicast IP addresses:
224.0.0.0 - 239.255.255.255
Addresses in the range 224.0.0.0 to 239.255.255.255 are set aside for the special purpose of providing multicast services in the Internet. These addresses are available for any host that wants to participate in multicast, and typically are assigned dynamically.[/quote]
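The special-use blocks listed above are exactly what a defender should check a logged source address against before spending time on whois. The following script is an added example (not from the original post): it encodes those blocks as CIDR prefixes, classifies each source IP from a constructed firewall log, and separates addresses worth a whois lookup from ones that can only be local or spoofed. The log layout (date, time, action, protocol, source IP, destination IP, ports) is an assumption; the page shows no log format.

```python
import ipaddress

# Special-use IPv4 blocks from the list above, as CIDR prefixes:
# 10/8, 172.16/12 and 192.168/16 are the "private use" ranges,
# 169.254/16 is autoconfiguration, 127/8 loopback, 224/4 multicast.
SPECIAL_USE = [
    ("private use", ipaddress.ip_network("10.0.0.0/8")),
    ("private use", ipaddress.ip_network("172.16.0.0/12")),
    ("private use", ipaddress.ip_network("192.168.0.0/16")),
    ("autoconfiguration", ipaddress.ip_network("169.254.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("multicast", ipaddress.ip_network("224.0.0.0/4")),
]

# What a packet with such a source address means, per the text above.
VERDICT = {
    "private use": "must never appear on the public Internet: local origin or spoofed source",
    "autoconfiguration": "host that failed DHCP: look for misconfigured local hosts, then ask the ISP",
    "loopback": "a host talking to itself: cannot come from the Internet, local or spoofed",
    "multicast": "reserved for multicast groups, not a valid unicast source: spoofed or misconfigured",
}


def classify(ip_text):
    """Return (category, verdict); category is 'public' when no block matches."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version != 4:
        return "ipv6", "outside the IPv4 special-use list above"
    for category, block in SPECIAL_USE:
        if addr in block:
            return category, VERDICT[category]
    return "public", None


def triage(log_lines):
    """Split firewall-log source addresses into whois candidates and special-use hits.

    Each line is assumed to look like a Windows firewall log entry:
    'date time action proto src-ip dst-ip src-port dst-port' (an assumed
    layout). Comment lines starting with '#' and malformed lines are skipped.
    """
    lookup = {}   # public source IP -> number of log entries
    flagged = []  # (source IP, category) in order of first appearance
    seen = set()
    for line in log_lines:
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 6:
            continue
        src = fields[4]
        try:
            category, _ = classify(src)
        except ValueError:
            continue  # not an IP address at all
        if category == "public":
            lookup[src] = lookup.get(src, 0) + 1
        elif src not in seen:
            seen.add(src)
            flagged.append((src, category))
    return {"lookup": lookup, "flagged": flagged}


# Constructed sample, not a real capture: our host is 192.168.1.20 and the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public IPs.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2004-04-02 09:12:44 DROP TCP 203.0.113.7 192.168.1.20 3412 135
2004-04-02 09:12:45 DROP TCP 10.0.0.99 192.168.1.20 1033 445
2004-04-02 09:13:02 DROP UDP 169.254.3.8 192.168.1.20 137 137
2004-04-02 09:13:10 DROP TCP 203.0.113.7 192.168.1.20 3413 139
2004-04-02 09:14:00 DROP TCP 198.51.100.23 192.168.1.20 2500 80
2004-04-02 09:14:21 DROP UDP 127.0.0.1 192.168.1.20 1024 53
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for ip, hits in sorted(result["lookup"].items(), key=lambda kv: -kv[1]):
        print(f"look up in the RIR whois servers: {ip} ({hits} entries)")
    for ip, category in result["flagged"]:
        print(f"skip whois: {ip} is {category}; {VERDICT[category]}")
```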
Hints for Finding a Person Responsible for a Given IPv4 Address
Step 1 - :
Look up the IP address in the "whois" servers of all four Regional Internet Registries (RIRs). If one RIR's whois says the IP address is registered to the IANA, make sure you try the other RIRs to verify that they also say the address is registered to the IANA (some of the RIRs' databases may not have caught the latest delegations to other RIRs).
-American Registry for Internet Numbers
ARIN WHOIS Database Search;
- http://www.arin.net/whois/index.html
-APNIC Whois & Search;
Asia Pacific Network Information Centre
- http://www.apnic.net/search/
-RIPE
(Réseaux IP Européens)
- http://www.ripe.net/
- help: http://www.ripe.net/nicdb.html
-LACNIC:
The Latin American and Caribbean Internet Addresses Registry :
- http://lacnic.net/en/index.html
- African Region:
The African Network Information Center (AfriNIC) is the emerging organization that will administer IP allocation for Africa.
Web Site: http://www.afrinic.org
Step 2 - :
If all RIRs list an address as assigned to the IANA, you should check to see if this address is for "Special Use" or if it is "Unallocated" ("Reserved").
[quote]If the address that you are inquiring about does not have contact information in one of the RIRs, is not mentioned in the explanations above, or you have further questions, please send an e-mail to <ip-problems@iana.org> so that they may look into the problem further.[/quote]
--------------------------------------------------------------------------------
Information from IANA’s web pages: <http://www.iana.org/faqs/abuse-faq.htm>
-Whois (.aero, .arpa, .biz, .com, .coop, .edu, .info, .int, .museum, .net, and .org):
- http://www.internic.net/whois.html
#################################################################
What are CIDR netmasks?
[quote](Excerpt from url: http://public.pacbell.net/dedicated/cidr.html ) CIDR is an addressing scheme for the Internet which allows for more efficient allocation of IP addresses than the old Class A, B, and C address scheme.
CIDR Block   Equivalent Class C     IP Addresses   Usable Addresses   Subnet Mask
/32          1/256th of a Class C              1                  1   255.255.255.255
/30          1/64th of a Class C               4                  2   255.255.255.252
/29          1/32nd of a Class C               8                  6   255.255.255.248
/28          1/16th of a Class C              16                 14   255.255.255.240
/27          1/8th of a Class C               32                 30   255.255.255.224
/26          1/4th of a Class C               64                 62   255.255.255.192
/25          1/2 of a Class C                128                126   255.255.255.128
/24          1 Class C                       256                254   255.255.255.0
/23          2 Class C                       512                510   255.255.254.0
/22          4 Class C                     1,024              1,022   255.255.252.0
/21          8 Class C                     2,048              2,046   255.255.248.0
/20          16 Class C                    4,096              4,094   255.255.240.0
/19          32 Class C                    8,192              8,190   255.255.224.0
/18          64 Class C                   16,384             16,382   255.255.192.0
/17          128 Class C                  32,768             32,766   255.255.128.0
/16          256 Class C                  65,536             65,534   255.255.0.0
/15          512 Class C                 131,072            131,070   255.254.0.0
/14          1,024 Class C               262,144            262,142   255.252.0.0
/13          2,048 Class C               524,288            524,286   255.248.0.0
For more detailed technical information on CIDR, check out the following RFCs:
* RFC 1517: Applicability Statement for the Implementation of CIDR
* RFC 1518: An Architecture for IP Address Allocation with CIDR
* RFC 1519: CIDR: An Address Assignment and Aggregation Strategy
* RFC 1520: Exchanging Routing Information Across Provider Boundaries in the CIDR Environment[/quote]
RFCs are available at http://www.rfc-editor.org/rfcsearch.html
=====================================================================
~ BOGONS ~
http://www.cymru.com/Bogons/
Bogons is the name used to describe IP blocks not allocated by IANA and the RIRs to ISPs and organizations, plus all other IP blocks that are reserved for private or special use by RFCs (the term "bogon" comes from the word "bogus", as in bogus IP announcements).
As these IP blocks are not allocated, or are specially reserved, they should not be routable or used on the Internet; however, some of them do appear on the net, primarily used by individuals and organizations that are specifically trying to avoid being identified and are often involved in activities such as DoS attacks, email abuse, hacking and other security problems.
These activities obviously pose a great danger to everyone, and ISPs should try to filter all these bad IP routes; we are trying to help with that by working to create a complete, detailed list of unassigned bogon IPs based on whois data.
Completewhois has developed a system that can track changes for all RIRs (we use the whois databases for ARIN, RIPE and APNIC and allocation statistics data for LACNIC); on a daily basis we produce a new list of allocated and unallocated blocks and check whether any unallocated blocks are in active use on the Internet.
All this data is available in several formats, the most often used ones are below, for all other lists please see BOGONS IP LISTS page:
http://www.completewhois.com/bogons/bogons_info.htm
Also available are listings for a specific /8 only or for RIR regions (ARIN, RIPE, etc.); these you can find in various files in this directory (look for files that start with "activebogons" and "announced").
All currently available BOGONS in >> NETRANGE Format << (example: 10.0.0.0 - 10.255.255.255)
All currently available BOGONS in CIDR Bit Notation format (example: 10.0.0.0/8)
All currently available BOGONS in CIDR Netmask format (example: 10.0.0.0/255.0.0.0)
All currently available BOGONS in Dotted Decimal format (example: 10.0.0.0 255.0.0.0)
http://www.completewhois.com/bogons/bogonips_lists.htm
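The CIDR table above and the four notations the bogon lists are published in (NETRANGE, CIDR bit notation, CIDR netmask, dotted decimal) are all the same arithmetic on a 32-bit address. This added example (not from the original post or from Completewhois) computes any row of the table from a prefix length, parses a block written in any of the four notations, and renders it back in all four; a range that is not a single aligned block is split into the CIDR blocks that cover it exactly.

```python
import ipaddress


def cidr_row(prefix):
    """One row of the CIDR table above for an IPv4 prefix length.

    Returns the block size, usable host addresses, dotted subnet mask and
    the 'equivalent Class C' wording. The table subtracts the network and
    broadcast addresses except for /32; /31 is not in the table, and its
    two usable addresses (RFC 3021 point-to-point links) are an assumption.
    """
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    size = 2 ** (32 - prefix)
    usable = size if prefix >= 31 else size - 2
    mask = str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)
    if prefix == 24:
        class_c = "1 Class C"
    elif prefix > 24:
        class_c = f"1/{2 ** (prefix - 24)} of a Class C"
    else:
        class_c = f"{2 ** (24 - prefix):,} Class C"
    return {"size": size, "usable": usable, "mask": mask, "class_c": class_c}


def parse_block(text):
    """Parse a block in any of the four bogon-list notations into IPv4Network objects.

    NETRANGE '10.0.0.0 - 10.255.255.255', CIDR '10.0.0.0/8',
    CIDR netmask '10.0.0.0/255.0.0.0' and dotted decimal '10.0.0.0 255.0.0.0'.
    A range that is not one aligned block becomes the minimal list of
    CIDR blocks that cover it exactly.
    """
    text = text.strip()
    if " - " in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split(" - ", 1))
        return list(ipaddress.summarize_address_range(first, last))
    if "/" not in text:
        # dotted decimal: 'network mask' -> 'network/mask'
        text = "/".join(text.split())
    # ipaddress accepts either a prefix length or a dotted mask after the slash;
    # strict=True rejects a network address with host bits set.
    return [ipaddress.ip_network(text, strict=True)]


def to_formats(block):
    """Render one IPv4Network in the four notations the bogon lists use."""
    return {
        "netrange": f"{block.network_address} - {block.broadcast_address}",
        "cidr": str(block),
        "netmask": f"{block.network_address}/{block.netmask}",
        "dotted": f"{block.network_address} {block.netmask}",
    }


if __name__ == "__main__":
    print("CIDR   Equivalent Class C     Addresses    Usable   Subnet Mask")
    for p in range(32, 12, -1):
        row = cidr_row(p)
        print(f"/{p:<5} {row['class_c']:<22} {row['size']:>9,} {row['usable']:>9,}   {row['mask']}")
    # constructed range that is not block-aligned: splits into /29 + /30
    for block in parse_block("192.0.2.0 - 192.0.2.11"):
        print(to_formats(block))
```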
Bogus ASN Report
http://www.cymru.com/BGP/asnbogusrep.html
Below is a list of bogon (unallocated) IP blocks that are actively being routed and used on the Internet right now (this list is updated once a day in the morning and reflects announcements at that time) and a list of the networks (ASNs) that are announcing those IPs. You can also find this data in raw CIDR format in this file and in raw text format (the same as the text below) in this text file.
Updated April 2 2004 :
http://www.completewhois.com/bogons/data/d...on-cidr-all.txt
please check these sites for more information:
http://www.apnic.net/stats/bgp/TOTAL/totalbogus.html
Potaroo CIDR Report Announced Bogons - http://bgp.potaroo.net/cidr/#Bogons
Netlantis Announced Bogons List - http://www.netlantis.org/index.html?menu=2...&page=listbogon
Bogon Presentation by Geoff Huston at a RIPE meeting:
http://www.ripe.net/ripe/meetings/ripe-45/...5-eof-geoff.pdf
Bogon Route Servers page maintained by SixXS: http://www.sixxs.net/tools/brs/
and also their bogons information page: http://www.sixxs.net/tools/grh/bogons/
APNIC BGP Statistics (see bogus routes under it) - http://www.apnic.net/stats/bgp/
RFC 3330 "Special-Use IPv4 Addresses" - ftp://ftp.rfc-editor.org/in-notes/rfc3330.txt
Tracking Spoofed IP Addresses
http://www.cymru.com/Documents/tracking-spoofed.html
[quote]Tracking spoofed IP addresses back to the source can be quite a difficult task. For myriad reasons, such as limited router access, attacks of a short duration, and the manual nature of spoofed address tracking, finding the actual generator of the spoofed packets can be very difficult. For this reason, attackers often use the bogon address ranges, where a bogon address range is any unassigned and likely unrouted (by BGP4 in the Internet) netblock.
This includes the RFC1918 addresses as well as a collection of other address spaces, such as 1/8, 169.254/16, and the like.
However, with a certain combination of features enabled on a Cisco router, it is possible to determine the source of the spoofed packets. Further, this can be done without the laborious and CPU intensive task of adding ACLs to filter the spoofed packets[/quote]
XX######################################XX
HIJACKED IPS
XX######################################XX
"Hijacked IP space" refers to IP blocks that are being used without permission by organizations that have no relation to the original organization (or its legal successor) that received the IP block.
In essence it is the stealing of somebody else's IP resources.
http://www.completewhois.com/hijacked/index.htm
http://www.completewhois.com/hijacked/hijacked_qa.htm
http://www.completewhois.com/invalidwhois/index.htm
[quote]Because most organizations actively use their IP blocks, they can easily notice if somebody else begins to use them (and network providers would usually not announce IP space that is already being announced somewhere else), and this would lead to an immediate shutdown of improper IP block announcements. But there are a number of old IP blocks where the organization may not be aware that it has them, and as such the IP block is not used on the Internet; there are also some IP blocks that are "private" (i.e. used only inside the organization on their local network) and are also not announced on the Internet; and then some organizations have too much IP space (the organization may have become smaller or its network more efficient) and are not using the IP space any more. These categories (IP blocks that are not in active use on the Internet) are the most common targets of IP hijackers. [/quote]
Current List of Hijacked IPs:
http://www.completewhois.com/hijacked/hija...ced-details.txt
=================================================================
Well, here's everything you wanted to know about IP ADDRESSES: please READ IT!
http://www.wbglinks.net/pages/reads/misc/ip.html
--------------------------------------------------------------------------------------------------------
Subnet masking:
http://www.ipprimer.com/bitbybit.cfm
Online subnet calculators can make life a little easier:
http://www.bluetack.co.uk/subnet.html
http://www.bluetack.co.uk/range2subnet.html
http://www.ipprimer.com/subnet.cfm
Great IP Subnet Calculators: (very handy).
- http://www.wildpackets.com
- http://www.solarwinds.com
============================
--------------------------------------------------------------------------------------------------------
More good stuff:
http://www.unixhub.com/docs/cisco/ccna.html
============================================================
Reporting network abuse: spamming and hacking:
What you can do with whois, and how much information can you really get?
- http://www.apnic.net/info/faq/abuse/index.html
Sam Spade Library:
- http://www.samspade.org/d/
--------------------------------------------------------------------------------------------------------------
-WHOIS-
(Not all records are maintained or are totally reliable but a good place to start)
It is a protocol used to find information about networks, domains and hosts.
The whois records normally include data on the organizations and the contacts associated with these networks and domains.
To find details about the IP address you are searching for, simply enter it into the text box and click "Search Whois".
[quote]Remember that whois servers are being used and abused. Whois server administrators have responded with limits on how many lookups may be performed per minute, per day, etc.
If your internet connection has a permanent IP, you should be very careful while using public resources like whois servers. Make sure that your IP doesn't find its way into various registrar ban lists.[/quote]
So don't get banned; it makes things a little bit harder.
One good hint is to do DNS lookups from your computer to your ISP's DNS server (with your whois tools),
as they will possibly have cached requests, so that you won't need to look any further.
To find your ISP's DNS server, go to Start > Run > type cmd.exe [XP] or command.exe [98/ME].
In the command prompt type: ipconfig /all; at the bottom it will show your ISP's DNS server IP addresses.
==================================================================
Many operating systems provide a WHOIS utility.
To conduct a query from the command line, the format is:
whois -h hostname identifier e.g. whois -h whois.arin.net <query string>
To obtain a more specific response, you may conduct a search by using certain flags. Many of these flags can be combined to indicate the desired output. Flags must be separated from each other and from the search term by a space. Your results will vary depending on the refinements you apply in your search. Listed below are the flags currently available; you may only use one flag from each flag-type in a query (i.e. one record type, one attribute, etc.).
Query-by-record-type:
To limit your query to a specific record type, include one of the following flags:
n Network address space
a Autonomous systems
p Points of contact
o Organizations
c End-user customers
Query-by-attribute:
To limit your query to a specific record attribute, include one of the following flags:
@ <domain name> Searches for matches by the domain-portion of an e-mail address
! <handle> Searches for matches by handle or ID
. <name> Searches for matches by name
Searches that retrieve a single record will display the full record. Searches that retrieve more than one record will be displayed in list output.
Display flags:
To modify the way that the query results display, include one of the following flags:
+ Shows detailed (aka 'full' output) display for EACH match
- Shows summary only (aka 'list' output), even if single match returned
The + flag cannot be used with the sub-query feature described below.
-----------------------------------------------------------------
How do you find out what IP range a website / company uses:
http://www.bluetack.co.uk/forums/index.php...?showtopic=1067
=----------------------------------------------------------------
Using your firewall logs or connection viewers to gather suspicious IPs is just the start; then the search for information on those IPs begins....
I usually start with a WHOIS search; maybe I will try a few different places if I don't get what I'm looking for. Googling the IP address can sometimes bring up results as well, so never forget to use Google before you go off to other places looking for the information, and spam databases can be helpful too.
Yes, they are a little bit evil; that's why they are so good.
- http://www.google.com/
After the WHOIS, I sometimes choose to do a TRACEROUTE on the IP to get a closer look at the network it belongs to.
- great WHOIS Overview :
- http://navigators.com/whois.html
- great TRACEROUTE Overview:
- http://navigators.com/traceroute.html
-Excellent Online Internet search tools page;
Whois-traceroute-domain name lookups etc
- http://www.samspade.org/
- http://www.dnsstuff.com/
- http://www.completewhois.com/ <- thanks to Redzulu for the link..
- http://www.ratite.com/whois/whois.cgi
- http://combat.uxn.com/
- http://www.network-tools.com/
- http://www.tom-cat.com/lookup.html
IP whois: Dshield also gives you statistics on some attacking ips - if they are very active etc...
- http://www.dshield.org/ipinfo.php?ip=XXX.XXX.XXX.XXX
- http://www.whoisview.com/support/kb/ipwhois.php
-Wildcard searches are recommended fun activities by DDD
(try baytsp* for a good starting point)
- http://ws.arin.net/cgi-bin/whois.pl
-Domain Name Lookup/Whois Page
- http://www.networksolutions.com/cgi-bin/whois/whois
- http://www.traceroute.org/
- http://www.cybergeography.org/atlas/routes.html :Traceroute:visual tracking.
- http://www.geektools.com/traceroute.php
===========================================================
An important aspect of security while connected to the Internet is the ability to view all IP connections to your computer's virtual ports (65535); there are many tools that let you do this, and some are already built into Windows.
Read the Firewall and Trojan protection guides for further security information..
OK, the most simple way to view IP connections to your computer is to use netstat,
which is already a part of all Windows operating systems and ready to be used;
just run it from the command prompt.
(Although I prefer to use TCPView, and you will too!)
For Windows users:
all you need to do is go to START > Run > type: cmd (for XP)
or START > Run > type: command (for Win98).
OK, then type in: netstat ?
That should bring up the list of commands you can use...
and try: netstat -an
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
-a Displays all connections and listening ports.
-e Displays Ethernet statistics. This may be combined with the -s option.
-n Displays addresses and port numbers in numerical form.
-p proto Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
interval Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.
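Reading netstat -an by eye gets old once a machine has more than a handful of sockets. This added example (not from the original post) parses a constructed sample of Windows netstat -an output, builds the host's "open port profile" (every listening TCP/UDP port), reports any listener that is not in an assumed baseline, and lists the remote IPs with established connections, which is the input for the whois steps above. The baseline set and the sample output are assumptions made for the example.

```python
import re

# Constructed sample of Windows 'netstat -an' output (not a real capture).
# Our host is 192.168.1.20; documentation ranges stand in for remote hosts.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1042      203.0.113.7:80         ESTABLISHED
  TCP    192.168.1.20:1043      203.0.113.7:80         TIME_WAIT
  TCP    192.168.1.20:1055      198.51.100.23:6667     ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Listeners this machine is expected to have (assumed baseline for the example):
# RPC endpoint mapper, SMB and the NetBIOS name/datagram services.
BASELINE = {("TCP", 135), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

# proto, local endpoint, foreign endpoint, optional state (UDP lines have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """'192.168.1.20:1042' -> ('192.168.1.20', 1042); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn 'netstat -an' output into a list of endpoint dicts; header lines are skipped.

    UDP sockets carry no state column; they are recorded as LISTENING because
    a bound UDP port accepts datagrams just like a listening TCP port accepts
    connections, which is what matters for the open port profile.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        entries.append({"proto": proto, "local_ip": lhost, "local_port": lport,
                        "remote_ip": rhost, "remote_port": rport,
                        "state": state or ("LISTENING" if proto == "UDP" else "")})
    return entries


def listening_ports(entries):
    """The host's 'open port profile': every (proto, port) that accepts traffic."""
    return {(e["proto"], e["local_port"]) for e in entries if e["state"] == "LISTENING"}


def unexpected_listeners(entries, baseline):
    """Listeners not in the baseline: what a port monitor or trojan may have opened."""
    return listening_ports(entries) - baseline


def remote_peers(entries):
    """Remote IPs with live (ESTABLISHED) connections, with the remote ports used."""
    peers = {}
    for e in entries:
        if e["state"] == "ESTABLISHED":
            peers.setdefault(e["remote_ip"], set()).add(e["remote_port"])
    return peers


if __name__ == "__main__":
    entries = parse_netstat(SAMPLE_NETSTAT)
    print("open port profile:", sorted(listening_ports(entries)))
    print("unexpected listeners:", sorted(unexpected_listeners(entries, BASELINE)))
    for ip, ports in remote_peers(entries).items():
        print(f"whois candidate {ip} (remote ports {sorted(ports)})")
```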
There are DOS utilities like the sniffer INETWATCH and F-PORT that are much better than netstat, so if you like command-line stuff, try them out too... or go all out and get windump and winsnort.
-----------------------------------
----------------
Using Netstat help/INFO:
http://www.computerhope.com/netstat.htm
http://www.hackinthebox.org/article.php?sid=4858
The Art of Interpreting Netstat :
http://www.winnetmag.com/Article/ArticleID...0316/40316.html
Great TCP/IP information page:
http://www.private.org.il/tcpip_rl.html
-------------------------------------------------------------------------------------------------------------------
-Traceroute-
- http://www.freesoft.org/CIE/Topics/54.htm
- http://www.computerhope.com/tracert.htm
A utility that traces a packet from your computer to an Internet host, showing how many hops the packet requires to reach the host and how long each hop takes.
Windows includes a traceroute utility called tracert.
In Windows, you can run tracert by selecting Start->Run…, cmd or command (xp or 9x) and then entering tracert followed by the domain name of the host.
For example:
tracert www.pcwebopedia.com
tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name
Options:
-d Do not resolve addresses to hostnames.
-h maximum_hops Maximum number of hops to search for target.
-j host-list Loose source route along host-list.
-w timeout Wait timeout milliseconds for each reply.
[quote]Traceroute transmits packets with small TTL values. Recall that the TTL (Time To Live) is an IP header field that is designed to prevent packets from running in loops. Every router that handles a packet subtracts one from the packet's TTL. If the TTL reaches zero, the packet has expired and is discarded. Traceroute depends on the common router practice of sending an ICMP Time Exceeded message, documented in RFC 792, back to the sender when this occurs. By using small TTL values which quickly expire, traceroute causes routers along a packet's normal delivery path to generate these ICMP messages which identify the router. A TTL value of one should produce a message from the first router; a TTL value of two generates a message from the second; etc. [/quote]
[quote]``Traceroute'' is a network debugging utility that attempts to trace the path a packet takes through the network - its route. A key word here is ``attempts'' - by no means does traceroute work in all cases. [/quote]
============================================================
Other free tools you can use for monitoring IP connections, besides using a good personal firewall and [not free] TDS-3, include:
Tcpview
Tdimon
Netmon
Netstat viewer
There are probably a hundred and one other tools out there to do the same thing.
Unfortunately some port monitors can supposedly be bad;
read GRC's spin on evil port monitors:
[quote]Spotting an Evil Port Monitor . . .
The rule of thumb is simple: Internet monitors should JUST monitor. They should NOT alter the exterior "open port profile" of your computer as seen from the Internet. Yet monitoring without opening ports is MUCH more difficult and requires system-level programming expertise. The products I mention on the next page are able to do it, and my forthcoming freeware firewall will too, but I'm unaware of any other free software that can. [/quote]
I recommend TCPView for exactly these reasons:
- it's free (unknown, obviously, to Mr. Gibson)
- you can and should be able to block all outbound/inbound connections and still use it without any problem,
solving the evil port monitor problem of exposing your system;
e.g. it should be placed in an untrusted firewall zone and operate normally; it just wants to connect to the DNS port otherwise.
The only program that should have access to the net is your firewall, and all your programs should run their connections through it for basic security.
----------------------------------------------------------------
TCPView
is one of the greatest freeware programs on the net, runs on all window$ versions and will show you:
- detailed listings of all TCP and UDP endpoints on your system,
including the local and remote addresses and state of TCP connections;
- it allows you to close the connections by right click or kill the process, or just get more info on the application.
On Windows NT, 2000 and XP TCPView also reports the name of the process that owns the endpoint.
TCPView provides a more informative and conveniently presented subset of the netstat program that ships with Windows.
http://www.sysinternals.com/ntw2k/source/tcpview.shtml
More excellent free utilities here from Sysinternals.com.
Others worth checking out are:
Process Explorer, Autoruns, TDIMon, Filemon, Portmon, AccessEnum and a whole lot more...
http://www.sysinternals.com/sitemap.shtml
-------------------------------------------------------------------
The following programs also allow you to look up ips using various methods from your own computer:
--------------------------------------------------------------------
The Bluetack Blocklist Manager
is the best freeware IP management tool on the net in my opinion,
many handy internet tools and other good stuff, get it youll like it and you wont need much else.
http://www.bluetack.co.uk/forums/index.php?c=3
=------------------------------------=-------------------------------------=--------------------------=
Sam Spade
Sam Spade is an integrated network query tool for
Windows 95, 98, NT 4.0 & Windows 2000-XP.
It's freeware.
Some things that it does:
ping, nslookup, whois, IP block whois, dig, traceroute,
finger, SMTP VRFY, web browser, keep-alive, DNS zone transfer, SMTP relay check, Usenet cancel check,
website download, website search, email header analysis, email blacklist query, abuse address query,
S-Lang scripting. Very good program!
-----------------------------------------------------------------------------------------------------------------
Whoisview:
WhoisView is a Windows and Mac OS X software tool for finding the owner of an IP block or domain name.
The main feature of WhoisView is its simplicity. Type in a host name or IP address and it will retrieve the ownership information by digging through various authoritative whois servers. WhoisView will find information all other similar tools are unable to or don't bother to locate.
http://www.whoisview.com/products/whoisview/
--------------------------------------------------------------------------------------------------------------------
NS-Batch :
JIM PRICE created this utility to allow host name lookups of lots of IP addresses.
It also lets you interactively look up host name from IP addresses or IP addresses from hostnames.
Just feed it a file with IP addresses in it (of the format 127.0.0.1), and it will dig out the addresses,
look up the hostnames, and create a text file containing:
1) the IP address in hex (useful for sorting)
2) the IP address in dotted-octet format (i.e., 207.43.183.2)
3) the corresponding hostname, (i.e., www.jimprice.com) and
4) the hostname reversed (i.e. com.jimprice.www)
5) additional status information about the lookup (whether or not it worked)
You can then import the text file into your favorite word processor, spreadsheet, or other program, and sort it by IP address or other fields. Also, the program now includes features to probe a subnet (listing all the computers on a given network), and to display your local host's IP address, as well as some amount of flexibility in the output format.
- http://www.jimprice.com/jim-soft.htm#nsbatch
----------------------------------------------------
NeoTrace Express 3.25
NeoTrace Express is a freeware version of the popular NeoTrace tool. This version offers the mapping features of the Professional version and the essential features you need to trace web sites. It's multithreaded, so it's very fast and can simultaneously check multiple hops on the route. It shows the route on a world map with detail on the path taken by your Internet traffic. NeoTrace Express can integrate with Internet Explorer to offer one-click tracing to web sites and URLs.
Features include:
tracing websites and IP addresses
viewing a world map with the results of the trace
viewing the network information associated with the trace destination
http://www.networkingfiles.com/PingFinger/...raceexpress.htm
----------------------------------------------------
uh oh - plain traceroute probes (UDP or ICMP echo) are often dropped by firewalls.
But there is a TCP traceroute option here: - http://michael.toren.net/code/tcptraceroute/
[quote]tcptraceroute is a traceroute implementation using TCP packets.
The more traditional traceroute(8) sends out either UDP or ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets are taking to reach the destination.
The problem is that with the widespread use of firewalls on the modern Internet, many of the packets that traceroute(8) sends out end up being filtered, making it impossible to completely trace the path to the destination. However, in many cases, these firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections on. By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters.
It is worth noting that tcptraceroute never completely establishes a TCP connection with the destination host. If the host is not listening for incoming connections, it will respond with an RST indicating that the port is closed. If the host instead responds with a SYN|ACK, the port is known to be open, and an RST is sent by the kernel tcptraceroute is running on to tear down the connection without completing the three-way handshake.
This is the same half-open scanning technique that nmap uses when passed the -sS flag. [/quote]
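The mechanics in the quote above (a SYN whose TTL rises by one per probe, ICMP time exceeded from each gateway, SYN|ACK or RST from the target, the handshake never completed) as an added Python example. This is not the tcptraceroute source; it is written here to show the packet-level logic. The pure functions build and interpret packets offline against constructed replies; trace() sends real probes and needs raw-socket privilege (root). The source and destination addresses and the ports used in the offline run are assumptions taken from the RFC 5737 documentation ranges, not real hosts.

```python
"""How a TCP SYN traceroute works: a SYN whose TTL rises by one per probe, ICMP
time exceeded from each gateway, SYN|ACK or RST from the target, no handshake
completed. Added example, not the tcptraceroute source. The pure functions run
offline against constructed replies; trace() sends real probes and needs root."""
import select
import socket
import struct
import time

SYN, ACK, RST = 0x02, 0x10, 0x04
ICMP_TIME_EXCEEDED = 11

def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (IP, ICMP and TCP all use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    """20-byte IPv4 header with its checksum filled in; ttl is the hop limit."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def tcp_segment(src, dst, sport, dport, flags):
    """20-byte TCP header; its checksum also covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]

def build_syn_probe(src, dst, sport, dport, ttl):
    """One probe: an IPv4 header whose TTL limits the hop count, carrying a bare SYN."""
    tcp = tcp_segment(src, dst, sport, dport, SYN)
    return ipv4_header(src, dst, socket.IPPROTO_TCP, len(tcp), ttl=ttl, ident=ttl) + tcp

def checksums_ok(packet):
    """True if the IP and TCP checksums verify (a sum that includes the field folds to 0)."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0, socket.IPPROTO_TCP, len(tcp))
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + tcp) == 0

def classify_reply(packet, probe_sport, probe_dport):
    """('hop', router) for ICMP time exceeded quoting our SYN; ('open', host) for SYN|ACK
    (the kernel answers it with RST, so no connection completes); ('closed', host) for
    RST; None if the packet is not a reply to this probe."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto, src, body = packet[9], socket.inet_ntoa(packet[12:16]), packet[ihl:]
    if proto == socket.IPPROTO_ICMP and len(body) >= 8 and body[0] == ICMP_TIME_EXCEEDED:
        inner = body[8:]  # quoted IP header + first 8 bytes of our original segment
        in_ihl = (inner[0] & 0x0F) * 4 if inner else 0
        if (len(inner) >= in_ihl + 4 >= 24 and inner[9] == socket.IPPROTO_TCP
                and struct.unpack("!HH", inner[in_ihl:in_ihl + 4]) == (probe_sport, probe_dport)):
            return ("hop", src)
        return None
    if proto == socket.IPPROTO_TCP and len(body) >= 20:
        if struct.unpack("!HH", body[:4]) != (probe_dport, probe_sport):
            return None
        flags = body[13]
        if flags & (SYN | ACK) == SYN | ACK:
            return ("open", src)
        if flags & RST:
            return ("closed", src)
    return None

def synthetic_reply(kind, responder, probe):
    """Constructed reply for offline use: what a router ('hop') or the target
    ('open' / 'closed') would send back in answer to probe."""
    ihl = (probe[0] & 0x0F) * 4
    src = socket.inet_ntoa(probe[12:16])
    sport, dport = struct.unpack("!HH", probe[ihl:ihl + 4])
    if kind == "hop":
        icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + probe[:ihl + 8]
        icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
        return ipv4_header(responder, src, socket.IPPROTO_ICMP, len(icmp)) + icmp
    tcp = tcp_segment(responder, src, dport, sport, SYN | ACK if kind == "open" else RST)
    return ipv4_header(responder, src, socket.IPPROTO_TCP, len(tcp)) + tcp

def trace(dst, dport=80, sport=40000, max_ttl=30, timeout=2.0):
    """Probe TTL 1..max_ttl, printing each hop, until the target itself answers (root only)."""
    helper = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    helper.connect((dst, dport))
    src = helper.getsockname()[0]  # the local address the kernel would route from
    out = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    listeners = [socket.socket(socket.AF_INET, socket.SOCK_RAW, p)
                 for p in (socket.IPPROTO_ICMP, socket.IPPROTO_TCP)]
    for ttl in range(1, max_ttl + 1):
        out.sendto(build_syn_probe(src, dst, sport, dport, ttl), (dst, 0))
        result, deadline = None, time.time() + timeout
        while result is None and time.time() < deadline:
            ready, _, _ = select.select(listeners, [], [], max(0.0, deadline - time.time()))
            for sock in ready:
                result = result or classify_reply(sock.recv(65535), sport, dport)
        print(ttl, result or "*")
        if result and result[0] != "hop":
            break
```

Because the probe's source port is not bound to any local socket, the kernel answers the target's SYN|ACK with its own RST, which is exactly the half-open behaviour the quote describes. A firewall that admits SYNs to a port the host is listening on will pass the last probe through, which is why this reaches destinations that drop UDP and ICMP echo probes. Matching the quoted ports inside the ICMP error (the "inner" check) is what keeps unrelated time-exceeded messages from being mistaken for hops.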
-------------------------------------------------
3d Traceroute - visual traceroute tool
3d Traceroute is a full blown three dimensional traceroute program that lets you visually monitor internet connectivity. It offers an attractive and fast loading 3D interface as well as optional text results. The 3D graphs can be rotated, zoomed and manipulated in several other ways. You can also record and play back individual traces for detailed investigation. 3d Traceroute also offers statistical displays and keeps track of trace history.
An OpenGL interface is also supported. Very nice tool!
Working with 98, ME, NT, 2K, XP
and if you are lucky, 95, too.
http://www.hlembke.de/prod/3dtraceroute/
FAQ:
http://www.hlembke.de/prod/3dtraceroute/faq.htm
---------------------------------------------------
HYPER TRACE-
AnalogX HyperTrace is a GUI version of traceroute, which shows you the route that information travels from your machine to another machine on the internet. Of course, AnalogX wasn't happy just making a GUI version, HyperTrace is also faster, and not just a little bit; an average of 20-30x faster than before! It displays each hop, machine name, machine response time, and the route TTL.
http://www.analogx.com/contents/download/n...work/htrace.htm
-------------------------------------------------------------------------
XIPL is a small freeware utility for offline retrieval of the country for an IP address or hostname,
viewing the IP address blocks allocated to a given country, and looking up a country by its code or a code by country.
info page:
http://www.irnis.net/soft/xipl/
Download page:
http://www.irnis.net/free.shtml
==============================
--------------------------------------------
~HELP/HISTORY/INFORMATION~
--------------------------------------------
==============================
-American Registry for Internet Numbers
ARIN WHOIS Database Search;
- http://www.arin.net/whois/index.html
-APNIC Whois & Search;
Asia Pacific Network Information Centre
- http://www.apnic.net/search/
-RIPE
(Réseaux IP Européens)
- http://www.ripe.net/
- help: http://www.ripe.net/nicdb.html
-LACNIC:
The Latin American and Caribbean Internet Addresses Registry :
- http://lacnic.net/en/index.html
- African Region
The African Network Information Center (AfriNIC),
is the emerging organization that will administer IP allocation for Africa.
Web Site: http://www.afrinic.org
-Whois (.aero, .arpa, .biz, .com, .coop, .edu, .info, .int, .museum, .net, and .org):
- http://www.internic.net/whois.html
------------------------------------------------------------------
-Look up Ip Blocks
- http://www.networkinformation.com/ip/ipind...ndex/index.html
----------------------------------------
- IANA : Internet Assigned Numbers Authority:
- http://www.iana.org
-The Internet Corporation :
for Assigned Names and Numbers
- http://www.icann.org/
-Internet Authorities and Entities :
- http://www.elfqrin.com/docs/internetentities.html
-Private Internet Addresses :
- http://www.faqs.org/rfcs/rfc1918.html
-How Reverse DNS Works:
- http://www.dnsstuff.com/info/revdns.htm
-Connected: An Internet Encyclopedia
- http://www.freesoft.org/CIE/index.htm
-Internet Protocol Addressing
- http://www.samspade.org/d/ipdns.html
-Guide to reporting IP attacks to an ISP:
- http://www.computer-forums.co.uk/forum/vie...424345ab7d7be75
A good read is this guide to tracing software pirates:
- http://www.cat-soft.com/Tracing.htm
About spam/tracing e-mail & How to avoid spam
- http://www.computer-forums.co.uk/forum/vie...31a991985baf13a
================================================================
- Generic TLDs -
[quote]
In the 1980s, seven gTLDs (.com, .edu, .gov, .int, .mil, .net, and .org) were created.
Domain names may be registered in three of these (.com, .net, and .org) without restriction;
the other four have limited purposes.
Over the next twelve years, various discussions occurred concerning additional gTLDs,
leading to the selection in November 2000 of seven new TLDs for introduction.
These were introduced in 2001 and 2002. Four of the new TLDs (.biz, .info, .name, and .pro) are unsponsored.
The other three new TLDs (.aero, .coop, and .museum) are sponsored.
Generally speaking, an unsponsored TLD operates under policies established by the global Internet community directly through the ICANN process, while a sponsored TLD is a specialized TLD that has a sponsor representing the narrower community that is most affected by the TLD.
The sponsor thus carries out delegated policy-formulation responsibilities over many matters concerning the TLD.
http://www.icann.org/tlds/[/quote]
-----------------------------------------------------------------------------------------
RIPE Network Coordination Centre
Spamming / Hacking / Connectivity Issues
· What is the RIPE NCC?
· Finding the correct database
· Finding contacts for an IP address
What is the RIPE NCC?
[quote]The RIPE NCC is a Regional Internet Registry (RIR).
This means we allocate address space to ISPs and other organisations.
These organisations are responsible for the activities originating from the address space allocated to them.
Since the RIPE NCC is not the organisation using or responsible for activities originating from the address space,
any concerns or responses should be directed to them and not the RIPE NCC.
You are welcome to use the RIPE NCC Whois Database to locate details of IP address registrations
within the RIPE NCC service region.
However, the RIPE Database does not contain information on all IP addresses in the world.
There are four RIRs that allocate IP addresses to organisations in their service regions
and store information about those addresses in a Whois database.[/quote]
Finding the correct database:
To find the correct database containing information on an IP address you should first find the appropriate allocation block.
A list of allocation blocks with the corresponding RIR can be found at:
http://www.iana.org/assignments/ipv4-address-space
For example, if your IP address begins with "193" you should locate this range within the list:
193/8 May 93 RIPE NCC (whois.ripe.net)
In this example you can see that address space beginning with "193" has been allocated to the RIPE NCC
and therefore you should use the RIPE Database (whois.ripe.net) to search for the responsible party.
If the allocated block states "Various Registries" you are required to search all four RIR databases until the contact information is found.
The 4 RIRs (as of this text; AfriNIC, listed above, has since taken over the African region) are:
ARIN, for North America and African countries located south of the equator
(Whois database on 'whois.arin.net'; Web interface available.)
LACNIC, for South America and the Caribbean
(Whois database on 'whois.lacnic.net'; Web interface available.)
RIPE NCC, for Europe, Central Asia, the Middle East and African countries located north of the equator
(Whois database on 'whois.ripe.net'; Web interface available.)
APNIC, for Asia and the Pacific region
(Whois database on 'whois.apnic.net'; Web interface available.)
Finding contacts for an IP address
To find the contacts responsible for address space that originates
within the RIPE NCC service region please use the RIPE Whois Database for example:
Enter the IP address into the Whois search box.
The output will list a number of objects. Firstly an inetnum object:
inetnum: 193.0.0.0 - 193.0.1.255
netname: RIPE-NCC
...
The last objects listed will be person or role objects that detail the persons responsible
for the administration of the IP address. Please check these objects for remarks
on who to send e-mails on spamming, hacking or connectivity issues.
If you are unable to find any remarks please use the e-mail address included within the object.
For example:
[quote]
person: John P.diddy Smith
address: Example LTD
Very High street 12
St.Mery Mead
Essex, UK
phone: +44 1737 892 004
e-mail: john.smith@example.com
nic-hdl: JS9-TEST
mnt-by: EXAMPLE-MNT
remarks: *******************************
remarks: This object is only an example!
remarks: *******************************
changed: john.smith@example.com 20020827
changed: john.smith@example.com 20020828
source: TEST
Please only use the e-mail address specified in the "e-mail" attribute.
Do not send mails to the other e-mail addresses within the objects because
these e-mail addresses are used for specific purposes in the RIPE Database.
Therefore messages may not be directed to the correct party.
Please also be aware that the person listed in the object may be only
an employee of the organisation responsible for the address range
and may not be the individual using the specific IP address.
If you are unsuccessful in locating the responsible contact person,
you may write to ripe-dbm@ripe.net.
We will try to help you find the appropriate contact details.
Please include the IP address that you are researching in your e-mail request. [/quote]
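Putting the two procedures above together (pick the RIR database from the IANA /8 listing, then pull the right contact out of the objects the database returns), here is an added Python example; it is not RIPE NCC code. IANA_SLASH8 is a small hand-copied subset of the IANA ipv4-address-space listing and must be replaced by the full list before you rely on it; SAMPLE_REPLY is constructed in the style of the page's example object and is not real registry data; whois_servers_to_query, parse_whois and abuse_contact are names chosen here.

```python
"""Which RIR database to ask for an IPv4 address, and how to pull the right
contact out of the whois objects it returns. Added example, not RIPE NCC code.
IANA_SLASH8 is a hand-copied subset of the IANA ipv4-address-space listing
(fetch the full list before relying on it); SAMPLE_REPLY is constructed."""
import ipaddress
import re

RIR_SERVERS = ("whois.arin.net", "whois.lacnic.net", "whois.ripe.net", "whois.apnic.net")
VARIOUS = "Various Registries"  # IANA's wording for blocks split across several RIRs

# Constructed subset: first octet -> whois server, copied from the IANA /8 listing.
IANA_SLASH8 = {
    193: "whois.ripe.net",    # 193/8  May 93  RIPE NCC (the example on the page)
    202: "whois.apnic.net",
    200: "whois.lacnic.net",
    24: "whois.arin.net",
    192: VARIOUS,             # illustrative "Various Registries" entry
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def whois_servers_to_query(ip, table=IANA_SLASH8):
    """Servers to search, in order. RFC 1918 space has no public registrant ([]);
    a "Various Registries" block, or one missing from our subset, means all four."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in RFC1918):
        return []
    entry = table.get(int(addr) >> 24)
    return list(RIR_SERVERS) if entry in (None, VARIOUS) else [entry]

def parse_whois(text):
    """Split RPSL-style output into objects (dict attr -> [values], blank-line
    separated). '%'/'#' comment lines are dropped; a line starting with space or '+'
    continues the previous value; repeated attributes such as remarks: keep every value."""
    objects, current, last = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(("%", "#")):
            continue
        if not line.strip():
            if current:
                objects.append(current)
            current, last = {}, None
            continue
        if line[0] in " \t+" and last:
            current[last][-1] = (current[last][-1] + " " + line.lstrip(" \t+")).strip()
            continue
        attr, _, value = line.partition(":")
        last = attr.strip().lower()
        current.setdefault(last, []).append(value.strip())
    if current:
        objects.append(current)
    return objects

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def abuse_contact(objects):
    """Follow the RIPE NCC guidance: a remarks: line in a person/role object that
    names a spam/hacking/abuse address wins; otherwise the object's e-mail: attribute.
    Addresses inside changed: or other bookkeeping attributes are never used."""
    fallback = None
    for obj in objects:
        if next(iter(obj)) not in ("person", "role"):  # first attribute is the object class
            continue
        for remark in obj.get("remarks", []):
            if re.search(r"abuse|spam|hack", remark, re.I):
                found = EMAIL.search(remark)
                if found:
                    return found.group(0), "remarks"
        if fallback is None and obj.get("e-mail"):
            fallback = (obj["e-mail"][0], "e-mail")
    return fallback

def summarize(ip, whois_text):
    """One record per address: where to look, the covering range, and whom to mail."""
    objs = parse_whois(whois_text)
    inet = next((o for o in objs if "inetnum" in o), {})
    return {"ip": ip, "servers": whois_servers_to_query(ip),
            "inetnum": inet.get("inetnum", [None])[0],
            "netname": inet.get("netname", [None])[0],
            "contact": abuse_contact(objs)}

# Constructed reply in the style of the page's example object; not real registry data.
SAMPLE_REPLY = """\
% This is a constructed reply, not the RIPE Database.

inetnum:      193.0.0.0 - 193.0.1.255
netname:      RIPE-NCC
admin-c:      JS9-TEST
changed:      hostmaster@example.com 20020827
source:       TEST

person:       John P.diddy Smith
address:      Example LTD
phone:        +44 1737 892 004
e-mail:       john.smith@example.com
nic-hdl:      JS9-TEST
mnt-by:       EXAMPLE-MNT
remarks:      *******************************
remarks:      This object is only an example!
remarks:      Report spam and hacking to abuse@example.com
remarks:      *******************************
changed:      john.smith@example.com 20020827
source:       TEST
"""
```

The changed: lines in the sample carry e-mail addresses too, which is exactly why the contact selection only ever reads remarks: and e-mail: from person/role objects. Feed the output of a real `whois -h <server> <ip>` to parse_whois; if the reply contains no person or role object, summarize() reports contact None and you fall back to the ripe-dbm@ripe.net route described above.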
=======================================================
Q: What is a domain name?
A: Practically speaking, your domain name (Web address)
is the core of your Internet identity, your online brand.
Your customers will remember this name and use it to find your Web site,
your products or your services.
And since no two parties can ever hold the same domain name (Web address)
simultaneously, your Internet identity is totally unique.
Technically, a domain name (Web address) is an addressing construct
used for identifying and locating computers on the Internet.
While computers use Internet Protocol (IP) numbers to locate each other on the Internet,
people find them hard to remember.
Therefore, domain names (Web addresses) were developed to permit
the use of easily remembered words and phrases to identify Internet addresses.
For example, the domain name (Web address)
networksolutions.com represents Network Solutions Web sites.
When you type networksolutions.com into a Web browser
or send e-mail to someone at networksolutions.com,
the Domain Name System (DNS) trans