Welcome back, my tenderfoot hackers!
Have you ever wondered where the physical location of an IP address is? Maybe you want to know if that proxy server you are using is actually out of your local legal jurisdiction. Or, maybe you have the IP address of someone you are corresponding with and want to make certain they are where they say they are. Or, maybe you are a forensic investigator tracking down a suspect who wrote a threatening email or hacked someone's company.
Now you can find the location of that IP address without a subpoena or search warrant.
A company called MaxMind maintains a database of the location of every IP address on the planet complete with GPS coordinates, area code, zip code, and country. This database is not in a typical relational database format, but rather in a flat file. MaxMind charges a $370 site license and $90/month (or $1360/year) for updates to this database. Their software has a beautiful front end that makes querying the database easy enough that even Windows or Mac users can manage.
MaxMind also gives away a free developers version of this database without any software or tools to read it. Although slightly less accurate than the commercial version, the price is certainly right. All we need to find the location of the IP is a program to read this data.
Two programmers, Jennifer Ennis and T. Williams, have developed a small Python script called pygeoip and released it under the GPL license that enables us to input an IP address and output this critical information. I think this tutorial is self-explanatory, but if you want to refresh your Python skills before diving in, take a look at our Python tutorials.
Note: Be cautious of the formatting below for commands. The formatting of this article will create big space gaps since it stretches lines out to fit the margins. This is because of long URLs that try to fit themselves on a separate line. Large spaces equals just one space, so keep that in mind. Refer to the screenshots to see how they actually look.
Now we need to download the database from MaxMind, and we can get it by typing the following.
kali > wget -N -q http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
Then we need to unzip it.
kali> gzip -d GeoLiteCity.dat.gz
Let's now check that the database is in place by listing the directory.
kali > ls -alh GeoLiteCity.dat
Next, we need to install the Python script to read the database, pygeoip. We can download it by typing the following.
Then, unzip it.
kali > unzip pygeoip-0.1.3.zip
We next need to download some setup tools into the pygeoip directory.
kali > cd /pygeoip-0.1.3
Let's now move and then build and install the setup tools.
kali > mv setuptools-0.6c11-py2.5.egg setuptools-0.7a1-py2.5.egg
kali > python setup.py build
kali > python setup.py install
We need to move the database to the pygeoip directory so that script can access it without having to use the full path.
kali > mv GeoLiteCity.dat /pygeoip-0.1.3/GeoLiteCity.dat
Now that we have the database in place and the pygeoip script downloaded and installed, we can begin to query that database with pygeoip.
First, we need to start a Python shell.
kali > python
Then, you will be greeted will the triple >>> indicating you are now in an interactive python shell. Let's import the module and instantiate the class.
>>>gip = pygeopip.GeoIP('GeoLiteCity.dat')
Next, we are ready to begin our query. Let's see where Google is located.
>>>rec = gip.record_by_addr('220.127.116.11')
>>>for key.val in rec.items():
... print "%s: %s" %(key,val)
Please note that it is critical to indent the "print". If not, you will throw an error.
As you can see, we were able to locate Google's IP in Mountain View, CA at area code 650, postal code 94043, longitude -122.0574, and latitude 37.4192. Not bad! Now, let's try to locate the IP of cnn.com.
Once again, the combination of the database and pygeoip script was able to provide us with key location information on CNN's IP address.
This little tool is great for locating any IP address in the world, albeit, it is a bit clunky. Maybe someone here in the Null Byte community with good Python skills would like to write an interactive script with a nice user interface where the user can simply enter the IP and get the record information?
Keep coming back, my tenderfoot hackers, as we continue to explore the tools and techniques of hacking!