New Community Resource: Attribution to IP


Introduction

The Curated Intelligence community has shared a new collection for CTI analysts and others who perform cybersecurity research duties. A new GitHub repository has been created that contains a collection of methods for learning who owns an IP address.

Have you ever wondered "How do I find out who owns an IP address?" or "Who is the owner of these IP addresses?"

IP address ownership is an interesting topic. An analyst or researcher may want to attribute an IP address for several reasons. These include finding out who owns an IP that has been victimised in an attack, is currently compromised, or has security misconfigurations and unpatched vulnerabilities that leave it exposed to attack.

These methods are useful for cyber threat intelligence (CTI) analysts performing victim notifications or security researchers working on bug bounty programs, among other use cases.

The main ways Curated Intelligence analysts noted for finding out who owns an IP address are as follows:
  • Passive DNS (pDNS): Shows historical DNS resolutions for an IP and allows you to identify domains that have pointed to the IP.
  • Domain DNS Records: Includes A, PTR, MX, TXT, and CNAME records. PTR records can reveal the hostname; TXT and MX can give clues about the domain’s owner or provider.
  • IP WHOIS: Queries registrar and network block registration info. Can directly identify the entity or ISP that registered the IP range.
  • Open Ports & Running Services: Scanning the IP for accessible ports and services. Banner grabbing can reveal software, versions, and sometimes organization names.
  • SSL Certificates: Examine SSL certs served on open HTTPS ports. Certs often contain domains, email addresses, or organization names.
  • Autonomous System Numbers (ASNs): ASNs describe ownership of blocks of IP addresses. Helps identify the ISP, hosting provider, or large organization behind a network.
  • IP Geolocation: Maps an IP to an approximate physical location. Helps determine country or city, which may assist in narrowing the scope of who the owner is.
  • Border Gateway Protocol (BGP): BGP announcements tell you who is routing the IP block and confirm the autonomous system or network managing the address.
  • Content Archives: Archived copies of websites hosted on the IP, or screenshots of the services running on it, may show earlier branding, contact info, or domains from before a site changed.
  • Manual Browsing: Visiting the IP directly in a browser can sometimes reveal landing pages, admin panels, or redirect behavior with company names or logos.
  • Google Dorking: Use advanced search operators to find references to the IP online that could be used to identify its owner.
  • Code Repositories: Search code repositories for references to the IP, as developers sometimes hardcode IPs in their code and configuration files.
  • Linked to Tor Nodes, VPNs, or Proxies: Finding the IP in lists of Tor, VPN, or proxy nodes suggests it is not owned by a specific end-user but is part of a privacy or anonymisation network.
  • Cloud Storage: Cloud storage buckets may contain config files, logs, build artifacts, or naming conventions that tie back to the IP owner.
  • IP Behaviours: Honeypot networks can also help discern what an IP is doing and who owns it based on its observed interactions with honeypot IPs.
  • NetFlow: NetFlow captures metadata about traffic flows (source/destination IPs, ports, protocol, timestamps) and can be used to track communication patterns, peer IPs, and usage behavior. Repeated traffic between an IP and a corporate network could indicate ownership.
  • Breach Data: Breach data includes leaked credentials, config files, and service records from compromised systems and could be used to directly connect an IP to an email address, domain, or username and imply corporate ownership.
The repository details various free methods, but paid accounts may be available for some of these services that offer more detailed information, authenticated APIs, and higher rate limits. There are also some notable paid services that are typically only available to enterprises or public sector organisations and provide more information and authenticated APIs.
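As an added illustration of how several of the sources above are combined for one IP (this is example code written for this post, not code from the Attribution to IP repository), the Python script below derives the PTR query name, resolves the announcing ASN by longest-prefix match over a BGP table, takes the WHOIS organisation only when the IP falls inside the record's NetRange, lists pDNS domains newest first, and checks a Tor exit list. All lookup data is constructed sample data embedded inline, using RFC 5737 documentation ranges and private-use ASNs, so it runs offline.

```python
import ipaddress
import re

# Constructed sample data for this example (documentation ranges), not real lookups.
PDNS = [  # (domain, ip, last_seen)
    ("www.example.org", "203.0.113.10", "2024-06-12"),
    ("mail.example.org", "203.0.113.10", "2024-05-01"),
    ("old-site.example.net", "203.0.113.10", "2019-01-03"),
]
# Prefixes seen in BGP announcements: a more specific /24 inside a transit provider's /16.
BGP_TABLE = {"203.0.0.0/16": "AS64496 TRANSIT-EXAMPLE", "203.0.113.0/24": "AS64500 EXAMPLE-ORG"}
TOR_EXITS = {"198.51.100.7"}
WHOIS_TEXT = "NetRange: 203.0.113.0 - 203.0.113.255\nOrgName: Example Org Ltd\nAbuse: abuse@example.org\n"

def ptr_query_name(ip):
    """Reverse-DNS name to query for the PTR record of ip (e.g. 10.113.0.203.in-addr.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer

def origin_asn(ip, table):
    """Longest-prefix match: the most specific announced prefix wins, as in BGP routing."""
    addr, best = ipaddress.ip_address(ip), None
    for cidr, asn in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None

def whois_field(text, key):
    m = re.search(rf"^{key}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None

def whois_org(ip, text):
    """Return (OrgName, Abuse) only if ip lies inside the record's NetRange; otherwise no claim."""
    lo, hi = re.search(r"^NetRange:\s*(\S+) - (\S+)", text, re.MULTILINE).groups()
    addr = ipaddress.ip_address(ip)
    if not (ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)):
        return None, None
    return whois_field(text, "OrgName"), whois_field(text, "Abuse")

def attribute_ip(ip):
    """Combine the sources into one attribution record; pDNS domains sorted newest first."""
    domains = sorted(((seen, dom) for dom, i, seen in PDNS if i == ip), reverse=True)
    org, abuse = whois_org(ip, WHOIS_TEXT)
    return {"ip": ip, "ptr_query": ptr_query_name(ip), "asn": origin_asn(ip, BGP_TABLE),
            "org": org, "abuse_contact": abuse, "domains": [d for _, d in domains],
            "is_tor_exit": ip in TOR_EXITS}

if __name__ == "__main__":
    for key, value in attribute_ip("203.0.113.10").items():
        print(f"{key:14} {value}")
```

The longest-prefix step matters in practice: the covering /16 belongs to the transit provider, while the announced /24 points at the organisation that actually uses the address.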

The GitHub repository for this project is available below: