Trace IP Address

BrianS

This might be totally out there and a little off topic but maybe someone can help me. A couple days ago, a friend of mine had her laptop stolen. She has AIM on it and she told me that someone with her screen name just signed on at another location. She only used AIM on her laptop and on her work computer so it is kind of obvious that it is the person on her laptop.

Is there any way that you guys know of that you could find the IP address of the person using her laptop and then tracing that in hopes that she could inform local authorities and maybe get it back? I know this is really out there, but any ideas would be great.

Brian
 
Well, to get their IP address through AIM, you'd have to be in a direct connect session. Normally, all the IMs go through AOL's servers and then to the other person, but with direct connect you're directly connected to them, so you can get their IP.

The easiest way, however, would be to get them to click on a link that brings them to some page that logs their IP. Something like this would work:
http://www.imchaos.com/link/

Even if you can't get their IP, just report it to the police. They may be able to get AOL to give them the IP, and plus the police will be able to trace the IP better than you can.
 
This might be totally out there and a little off topic but maybe someone can help me. A couple days ago, a friend of mine had her laptop stolen. She has AIM on it and she told me that someone with her screen name just signed on at another location. She only used AIM on her laptop and on her work computer so it is kind of obvious that it is the person on her laptop.

If her notebook was stolen, and someone signed on under her screen name to AIM BTW, (they are very stupid for doing that) unless they used a proxy with AIM either way, it wasn't the smartest thing to do. ;)

Also, AIM logs all IM sign on & sign off sessions. So he/she who stole it, is now on a log file on one of the AOL servers. (Evidence)



Is there any way that you guys know of that you could find the IP address of the person using her laptop


Sure. Open AIM, start a conversation, then open the command prompt and type

netstat -ano

Look for your IP address in the list, then look next to it, and there will be the culprit's. Also, everything the culprit says can be watched by a packet sniffer (if you have a direct connection, that is) unless he uses some combination of a *proxy/encrypted client* (like GAIM/Trillian).

Another method: set up a webpage/website. A free one from www.dot.tk (that's what I use) works excellently and captures all 'visitors' IP addresses and their system information. www.danasoft.com offers the CODE you can place on your website for doing this.

Another method: send the culprit an email. Social engineering comes to mind here. Have him respond; his IP addy will be in the email headers.

and then tracing that in hopes that she could inform local authorities and maybe get it back?

Once you have their IP address, run it through a WHOIS server http://www.arin.net/whois/ or www.ip2location.com <--- for a visual layout.
Basically you're just querying the IP address to see *WHO* it belongs to.

Once you have this information you can contact the CULPRIT'S ISP and inform them of what's going on from their local authority. More than likely, cops will want the serial number off of the notebook, proof of purchase, a copy of the receipt (for ownership validation, that is), etc.


Cheers, 0X0161
 
That is so much good info right there, but I do have a question. This is what I got by just testing it out so I know what to do when I see her and can do it for her.
 
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.26
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
Ethernet adapter Local Area Connection 3:
Media State . . . . . . . . . . . : Media disconnected
 
C:\Documents and Settings\Brian>netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1164
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:990 0.0.0.0:0 LISTENING 2280
TCP 0.0.0.0:22831 0.0.0.0:0 LISTENING 2488
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING 628
TCP 127.0.0.1:1033 127.0.0.1:1034 ESTABLISHED 2488
TCP 127.0.0.1:1034 127.0.0.1:1033 ESTABLISHED 2488
TCP 127.0.0.1:1036 127.0.0.1:1037 ESTABLISHED 2488
TCP 127.0.0.1:1037 127.0.0.1:1036 ESTABLISHED 2488
TCP 127.0.0.1:1038 127.0.0.1:1039 ESTABLISHED 2488
TCP 127.0.0.1:1039 127.0.0.1:1038 ESTABLISHED 2488
TCP 127.0.0.1:2161 127.0.0.1:2162 ESTABLISHED 4436
TCP 127.0.0.1:2162 127.0.0.1:2161 ESTABLISHED 4436
TCP 127.0.0.1:2163 127.0.0.1:2164 ESTABLISHED 4436
TCP 127.0.0.1:2164 127.0.0.1:2163 ESTABLISHED 4436
TCP 127.0.0.1:5679 0.0.0.0:0 LISTENING 2224
TCP 127.0.0.1:6880 0.0.0.0:0 LISTENING 2488
TCP 127.0.0.1:7438 0.0.0.0:0 LISTENING 2224
TCP 127.0.0.1:10025 0.0.0.0:0 LISTENING 1216
TCP 127.0.0.1:10110 0.0.0.0:0 LISTENING 1216
TCP 127.0.0.1:45100 0.0.0.0:0 LISTENING 2488
TCP 192.168.0.26:139 0.0.0.0:0 LISTENING 4
TCP 192.168.0.26:139 192.168.0.29:2863 ESTABLISHED 4
TCP 192.168.0.26:2601 89.149.169.81:80 CLOSE_WAIT 5620
TCP 192.168.0.26:3015 64.12.24.60:5190 ESTABLISHED 844
TCP 192.168.0.26:3042 205.188.248.144:5190 ESTABLISHED 844
TCP 192.168.0.26:3332 64.12.31.84:5190 ESTABLISHED 844
TCP 192.168.0.26:3343 216.155.193.153:5050 ESTABLISHED 844
TCP 192.168.0.26:3603 72.213.37.59:41975 ESTABLISHED 2488
TCP 192.168.0.26:3641 24.141.21.113:9593 ESTABLISHED 2488
TCP 192.168.0.26:3684 219.94.81.242:51231 ESTABLISHED 2488
TCP 192.168.0.26:3712 83.226.123.191:57408 ESTABLISHED 2488
TCP 192.168.0.26:3735 85.30.227.226:49481 ESTABLISHED 2488
TCP 192.168.0.26:3742 71.71.62.104:19959 ESTABLISHED 2488
TCP 192.168.0.26:3789 218.103.137.163:6000 ESTABLISHED 2488
TCP 192.168.0.26:3803 212.72.109.53:49256 ESTABLISHED 2488
TCP 192.168.0.26:3816 121.45.161.194:54040 ESTABLISHED 2488
TCP 192.168.0.26:3903 85.66.43.86:19363 ESTABLISHED 2488
TCP 192.168.0.26:3918 75.23.135.171:61240 ESTABLISHED 2488
TCP 192.168.0.26:3920 208.120.207.200:58875 ESTABLISHED 2488
TCP 192.168.0.26:3942 60.241.232.46:49956 ESTABLISHED 2488
TCP 192.168.0.26:3946 213.112.112.54:41850 ESTABLISHED 2488
TCP 192.168.0.26:3952 203.206.114.45:59527 ESTABLISHED 2488
TCP 192.168.0.26:3961 24.9.191.207:11233 ESTABLISHED 2488
TCP 192.168.0.26:4006 85.73.67.46:6889 ESTABLISHED 2488
TCP 192.168.0.26:4011 190.48.154.92:32612 ESTABLISHED 2488
TCP 192.168.0.26:4029 74.13.84.205:25365 ESTABLISHED 2488
TCP 192.168.0.26:4035 83.40.221.131:28000 ESTABLISHED 2488
TCP 192.168.0.26:4036 89.129.180.28:60948 FIN_WAIT_1 2488
TCP 192.168.0.26:4052 74.102.151.91:36402 ESTABLISHED 2488
TCP 192.168.0.26:4059 212.68.197.150:52688 ESTABLISHED 2488
TCP 192.168.0.26:4063 220.238.165.101:12658 ESTABLISHED 2488
TCP 192.168.0.26:4064 202.161.23.114:60115 ESTABLISHED 2488
TCP 192.168.0.26:4074 71.114.183.48:19948 ESTABLISHED 2488
TCP 192.168.0.26:4083 68.122.7.191:44222 ESTABLISHED 2488
TCP 192.168.0.26:4100 217.208.27.38:30824 ESTABLISHED 2488
TCP 192.168.0.26:4108 64.86.95.64:80 TIME_WAIT 0
TCP 192.168.0.26:4111 64.233.161.167:80 TIME_WAIT 0
TCP 192.168.0.26:4112 64.86.95.42:80 TIME_WAIT 0
TCP 192.168.0.26:4113 64.86.95.42:80 TIME_WAIT 0
TCP 192.168.0.26:4115 85.178.240.198:42900 ESTABLISHED 2488
TCP 192.168.0.26:4135 64.86.95.64:80 TIME_WAIT 0
TCP 192.168.0.26:4136 64.212.198.162:80 TIME_WAIT 0
 
Tcp 192.168.0.26:4138 80.47.231.191:14457 Last_ack 2488
Tcp 192.168.0.26:4147 81.222.204.157:7486 Established 2488
Tcp 192.168.0.26:4150 80.202.221.141:14807 Established 2488
Tcp 192.168.0.26:4159 83.226.204.215:47711 Established 2488
Tcp 192.168.0.26:4161 83.251.21.32:60608 Established 2488
Tcp 192.168.0.26:4162 82.131.12.44:10788 Established 2488
Tcp 192.168.0.26:4163 58.8.74.11:6882 Established 2488
Tcp 192.168.0.26:4167 91.122.20.114:57237 Established 2488
Tcp 192.168.0.26:4169 194.146.135.196:30364 Established 2488
Tcp 192.168.0.26:4172 89.210.75.168:30000 Established 2488
Tcp 192.168.0.26:4173 83.237.231.224:64927 Established 2488
Tcp 192.168.0.26:4179 89.112.11.227:61541 Established 2488
Tcp 192.168.0.26:4185 190.45.85.26:13279 Established 2488
Tcp 192.168.0.26:4186 85.140.104.141:36597 Established 2488
Tcp 192.168.0.26:4189 216.99.42.147:35490 Established 2488
Tcp 192.168.0.26:4201 201.235.243.215:45081 Last_ack 2488
Tcp 192.168.0.26:4202 75.22.67.7:26054 Established 2488
Tcp 192.168.0.26:4203 68.54.112.159:38341 Established 2488
Tcp 192.168.0.26:4204 219.95.46.116:10145 Established 2488
Tcp 192.168.0.26:4205 24.164.23.100:6881 Established 2488
Tcp 192.168.0.26:4206 81.180.252.9:40195 Established 2488
Tcp 192.168.0.26:4212 88.113.27.13:9090 Established 2488
Tcp 192.168.0.26:4215 162.105.113.168:60893 Established 2488
Tcp 192.168.0.26:4220 80.198.0.179:40337 Established 2488
Tcp 192.168.0.26:4230 70.45.23.133:40340 Established 2488
Tcp 192.168.0.26:4231 74.99.178.179:10753 Established 2488
Tcp 192.168.0.26:4243 82.225.231.79:4662 Established 2488
Tcp 192.168.0.26:4246 82.17.104.41:51402 Established 2488
Tcp 192.168.0.26:4247 85.176.24.94:11478 Established 2488
Tcp 192.168.0.26:4259 72.14.253.95:80 Established 4436
Tcp 192.168.0.26:4262 76.177.109.107:49150 Established 2488
Tcp 192.168.0.26:4265 192.168.0.26:22831 Time_wait 0
Tcp 192.168.0.26:4267 85.235.20.108:9000 Established 2488
Tcp 192.168.0.26:4268 202.151.66.31:26300 Established 2488
Tcp 192.168.0.26:4269 60.48.109.95:49222 Established 2488
Tcp 192.168.0.26:4270 212.52.153.63:61084 Established 2488
Tcp 192.168.0.26:4272 81.20.178.139:63579 Established 2488
Tcp 192.168.0.26:4273 68.227.226.191:35631 Established 2488
Tcp 192.168.0.26:4274 72.131.21.78:51348 Established 2488
Tcp 192.168.0.26:4276 81.154.104.237:46412 Established 2488
Tcp 192.168.0.26:4282 213.93.115.57:55938 Established 2488
Tcp 192.168.0.26:4287 24.2.94.148:24294 Syn_sent 2488
Tcp 192.168.0.26:4291 85.73.185.210:64886 Established 2488
Tcp 192.168.0.26:4292 203.214.107.230:14001 Established 2488
Tcp 192.168.0.26:4293 81.225.223.189:49876 Syn_sent 2488
Tcp 192.168.0.26:4888 172.204.68.251:41916 Established 2488
Udp 0.0.0.0:445 *:* 4
Udp 0.0.0.0:500 *:* 940
Udp 0.0.0.0:1025 *:* 1420
Udp 0.0.0.0:1036 *:* 1672
Udp 0.0.0.0:1059 *:* 1420
Udp 0.0.0.0:1089 *:* 1420
Udp 0.0.0.0:1090 *:* 1420
Udp 0.0.0.0:1345 *:* 1420
Udp 0.0.0.0:1346 *:* 1420
Udp 0.0.0.0:1347 *:* 1420
Udp 0.0.0.0:1348 *:* 1420
Udp 0.0.0.0:4500 *:* 940
Udp 0.0.0.0:16680 *:* 2488
Udp 0.0.0.0:22831 *:* 2488
Udp 127.0.0.1:123 *:* 1284
Udp 127.0.0.1:1033 *:* 1284
Udp 127.0.0.1:1900 *:* 1456
Udp 127.0.0.1:3018 *:* 844
Udp 127.0.0.1:3019 *:* 844
Udp 127.0.0.1:3052 *:* 844
Udp 127.0.0.1:3053 *:* 844
Udp 127.0.0.1:3335 *:* 844
Udp 127.0.0.1:3336 *:* 844
Udp 127.0.0.1:3346 *:* 844
Udp 127.0.0.1:3347 *:* 844
Udp 127.0.0.1:4616 *:* 4436
Udp 192.168.0.26:123 *:* 1284
Udp 192.168.0.26:137 *:* 4
Udp 192.168.0.26:138 *:* 4
Udp 192.168.0.26:1044 *:* 2488
Udp 192.168.0.26:1900 *:* 1456
Udp 192.168.0.26:5353 *:* 5620
 
Sorry, I had to break that up. I did have an AIM conversation active to simulate the situation if we get the chance to try this against the person that stole the laptop.
 
but I do have a question. This is what I got by just testing it out so I know what to do when I see her and can do it for her.

Yes, this is correct: netstat -ano. Do that when you have a direct connection to the person so you can get their info. I'm curious, what is PID 2488 on your machine? A lot of established connections. Are you running LimeWire or another P2P when you issued that command?

Cheers, 0x0161
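
The following is an added example, not part of any post in this thread: a Python sketch that groups `netstat -ano` output by PID (the question asked about PID 2488) and separates a chat client's server links from its other peers. It assumes the AIM client is the process holding connections to port 5190, as PID 844 does in the output above; the sample rows, the documentation-range addresses and port 4443 are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample in `netstat -ano` layout. Remote addresses are
# documentation ranges and port 4443 is made up; none come from the thread.
SAMPLE = """\
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1164
TCP 127.0.0.1:1033 127.0.0.1:1034 ESTABLISHED 2488
TCP 192.168.0.26:139 192.168.0.29:2863 ESTABLISHED 4
TCP 192.168.0.26:3015 192.0.2.10:5190 ESTABLISHED 844
TCP 192.168.0.26:3042 192.0.2.11:5190 ESTABLISHED 844
TCP 192.168.0.26:3350 198.51.100.7:4443 ESTABLISHED 844
Tcp 192.168.0.26:3603 203.0.113.5:41975 Established 2488
Tcp 192.168.0.26:3641 203.0.113.9:9593 Established 2488
TCP 192.168.0.26:4108 203.0.113.20:80 TIME_WAIT 0
UDP 0.0.0.0:445 *:* 4
"""

# Loopback, unspecified and RFC 1918 ranges: never an Internet peer.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/32", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_netstat(text):
    """Return established TCP connections to non-local IPv4 addresses."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # TCP rows have 5 fields; headers and UDP rows (no State) do not.
        if len(f) != 5 or f[0].upper() != "TCP" or f[3].upper() != "ESTABLISHED":
            continue
        host, _, port = f[2].rpartition(":")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:          # e.g. bracketed IPv6, skipped here
            continue
        if not any(addr in net for net in LOCAL_NETS):
            rows.append({"remote": host, "rport": int(port), "pid": int(f[4])})
    return rows

def external_by_pid(rows):
    """Count external established connections per owning PID."""
    return Counter(r["pid"] for r in rows)

def non_server_peers(rows, server_port=5190):
    """Peers of the process that talks to server_port, minus the server links."""
    pids = {r["pid"] for r in rows if r["rport"] == server_port}
    return sorted(f"{r['remote']}:{r['rport']}" for r in rows
                  if r["pid"] in pids and r["rport"] != server_port)
```

On Windows, `tasklist /FI "PID eq 2488"` names the process behind a PID, which settles whether a busy PID is a P2P client rather than the chat program.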
 
And in order to get a direct connection I would have to send them a picture or something besides just talking to them, because normal connections just get routed through AOL's servers and would just return their IP and not the thief's.
 