WEBVTT

00:00:00.000 --> 00:00:06.500 align:middle line:90%


00:00:06.500 --> 00:00:10.790 align:middle line:84%
In this video, we're talking
about tracking by IP address.

00:00:10.790 --> 00:00:12.440 align:middle line:84%
Now as we talked
about previously,

00:00:12.440 --> 00:00:15.350 align:middle line:84%
an IP address, or
Internet Protocol address,

00:00:15.350 --> 00:00:19.350 align:middle line:84%
is a numeric value assigned
to a network device.

00:00:19.350 --> 00:00:24.780 align:middle line:84%
So an IP address can be used
for identification and location.

00:00:24.780 --> 00:00:26.820 align:middle line:84%
So say we have a
malicious hacker trying

00:00:26.820 --> 00:00:28.215 align:middle line:90%
to get on our network.

00:00:28.215 --> 00:00:31.020 align:middle line:84%
The malicious hacker
goes to the server.

00:00:31.020 --> 00:00:36.020 align:middle line:84%
Say, they're connecting with
10.1.20.189, for example.

00:00:36.020 --> 00:00:39.430 align:middle line:84%
We view this log file,
and we may potentially

00:00:39.430 --> 00:00:42.340 align:middle line:84%
be able to take that
IP address and find out

00:00:42.340 --> 00:00:47.740 align:middle line:84%
the malicious hacker's
identity, his location, his ISP,

00:00:47.740 --> 00:00:48.670 align:middle line:90%
things of that nature.

00:00:48.670 --> 00:00:52.390 align:middle line:90%


00:00:52.390 --> 00:00:54.840 align:middle line:84%
So we do need to be
careful, because an IP

00:00:54.840 --> 00:00:57.120 align:middle line:84%
address can be obfuscated
by using things

00:00:57.120 --> 00:00:59.400 align:middle line:90%
like a VPN or proxy.

00:00:59.400 --> 00:01:03.500 align:middle line:84%
So we do want to be careful
about tracking IP addresses.

00:01:03.500 --> 00:01:06.530 align:middle line:84%
We do need - we should be
verifying this information

00:01:06.530 --> 00:01:07.770 align:middle line:90%
in some manner.

00:01:07.770 --> 00:01:11.240 align:middle line:84%
And just because you
find an IP address

00:01:11.240 --> 00:01:13.670 align:middle line:84%
and you're able
to track it down,

00:01:13.670 --> 00:01:16.310 align:middle line:84%
doesn't always necessarily
mean that that's really

00:01:16.310 --> 00:01:18.110 align:middle line:90%
the person's real IP address.

00:01:18.110 --> 00:01:21.980 align:middle line:90%


00:01:21.980 --> 00:01:25.050 align:middle line:84%
So let's take a look at
a couple of tools here.

00:01:25.050 --> 00:01:28.770 align:middle line:84%
So this one is
called IP2Location.

00:01:28.770 --> 00:01:33.520 align:middle line:84%
Now IP2Location is a
browser-based tool.

00:01:33.520 --> 00:01:37.150 align:middle line:90%
It's free, pretty easy to use.

00:01:37.150 --> 00:01:41.190 align:middle line:84%
We just put the IP address
in this lookup field here,

00:01:41.190 --> 00:01:46.080 align:middle line:84%
so I'm going to
type an IP in here,

00:01:46.080 --> 00:01:47.820 align:middle line:90%
and then you click Lookup.

00:01:47.820 --> 00:01:51.910 align:middle line:90%


00:01:51.910 --> 00:01:54.120 align:middle line:84%
So once we have this, we
can actually just start

00:01:54.120 --> 00:01:55.080 align:middle line:90%
scrolling down in here.

00:01:55.080 --> 00:01:58.570 align:middle line:90%
We can see various information.

00:01:58.570 --> 00:02:01.410 align:middle line:90%
So we can see an IP address.

00:02:01.410 --> 00:02:03.610 align:middle line:84%
We can see the country
the IP address is in.

00:02:03.610 --> 00:02:04.780 align:middle line:90%
We can see the region.

00:02:04.780 --> 00:02:05.950 align:middle line:90%
We can see the city.

00:02:05.950 --> 00:02:09.660 align:middle line:90%
We can see the geolocation.

00:02:09.660 --> 00:02:11.700 align:middle line:84%
So if I put this in,
say, Google Maps,

00:02:11.700 --> 00:02:16.260 align:middle line:84%
for example, I could actually
pull down a satellite map,

00:02:16.260 --> 00:02:17.430 align:middle line:90%
potentially.

00:02:17.430 --> 00:02:19.560 align:middle line:90%
We could see the ISP.

00:02:19.560 --> 00:02:25.510 align:middle line:84%
We could see the local time,
the domain, net speed, the IDD

00:02:25.510 --> 00:02:29.570 align:middle line:90%
and area code, zip code.

00:02:29.570 --> 00:02:34.760 align:middle line:84%
So there's a lot of really
amazing information here just

00:02:34.760 --> 00:02:37.880 align:middle line:90%
for my IP address.

00:02:37.880 --> 00:02:41.260 align:middle line:84%
So assuming that this
IP address is really

00:02:41.260 --> 00:02:44.620 align:middle line:84%
the person's actual
IP address, then we

00:02:44.620 --> 00:02:46.150 align:middle line:90%
have a lot of info here.

00:02:46.150 --> 00:02:49.045 align:middle line:84%
Again, we have the ASN
records, when it was last seen.

00:02:49.045 --> 00:02:51.560 align:middle line:90%


00:02:51.560 --> 00:02:53.060 align:middle line:84%
But again, we do
need to be careful

00:02:53.060 --> 00:02:58.870 align:middle line:84%
because of VPNs and proxies
that are potentially being used.

00:02:58.870 --> 00:03:03.420 align:middle line:84%
So this is one
tool, IP2Location.

00:03:03.420 --> 00:03:07.280 align:middle line:84%
Let's take a look at
another tool here.

00:03:07.280 --> 00:03:10.450 align:middle line:84%
So this one's called
IPQualityScore.

00:03:10.450 --> 00:03:15.160 align:middle line:84%
And this one will help detect
if it's a proxy or a VPN.

00:03:15.160 --> 00:03:19.920 align:middle line:84%
So if we put that same
IP address in here,

00:03:19.920 --> 00:03:21.750 align:middle line:90%
we could run a check on it.

00:03:21.750 --> 00:03:25.980 align:middle line:90%


00:03:25.980 --> 00:03:29.690 align:middle line:84%
So right off the bat, we
could see that there's RP.

00:03:29.690 --> 00:03:31.790 align:middle line:84%
Yes, it does match
the right country.

00:03:31.790 --> 00:03:34.220 align:middle line:90%
It has a fraud score of 55.

00:03:34.220 --> 00:03:37.130 align:middle line:84%
It hasn't been
reported for spam.

00:03:37.130 --> 00:03:41.250 align:middle line:90%
But a proxy or VPN was detected.

00:03:41.250 --> 00:03:44.120 align:middle line:84%
And we could verify
the information here -

00:03:44.120 --> 00:03:49.340 align:middle line:84%
Detroit Lakes, Minnesota,
Lakes PC Help, LLC.

00:03:49.340 --> 00:03:51.530 align:middle line:84%
So seeing this information
here and seeing

00:03:51.530 --> 00:03:56.300 align:middle line:84%
this proxy VPN detected, this
is probably a VPN provider.

00:03:56.300 --> 00:03:59.900 align:middle line:84%
This is probably one of
the IPs from this ISP Great

00:03:59.900 --> 00:04:03.650 align:middle line:84%
Lakes, which I'm going to assume
is running some sort of VPN

00:04:03.650 --> 00:04:05.790 align:middle line:90%
here.

00:04:05.790 --> 00:04:09.140 align:middle line:84%
So running an IP through
multiple tools

00:04:09.140 --> 00:04:10.650 align:middle line:90%
has a couple of advantages.

00:04:10.650 --> 00:04:13.620 align:middle line:84%
One, we could verify
the information.

00:04:13.620 --> 00:04:17.750 align:middle line:84%
The IP should be giving us the
same information, same city,

00:04:17.750 --> 00:04:21.769 align:middle line:84%
same region, same
ISP, and whatnot.

00:04:21.769 --> 00:04:24.470 align:middle line:84%
If you see a
difference, then you

00:04:24.470 --> 00:04:28.520 align:middle line:84%
need to take a closer look
because one of these sites

00:04:28.520 --> 00:04:30.840 align:middle line:84%
running that ISP
has something wrong.

00:04:30.840 --> 00:04:34.055 align:middle line:84%
So we do want to verify that we
do have the right information.

00:04:34.055 --> 00:04:35.510 align:middle line:84%
The other thing
that we want to do

00:04:35.510 --> 00:04:39.830 align:middle line:84%
is, again, see if that's
a VPN or a proxy address.

00:04:39.830 --> 00:04:43.880 align:middle line:84%
Again, IPQualityScore is a
good site to run that against.

00:04:43.880 --> 00:04:46.720 align:middle line:90%


00:04:46.720 --> 00:04:50.620 align:middle line:84%
Now another tool we
could use is ExoneraTor.

00:04:50.620 --> 00:04:53.110 align:middle line:84%
And this is part
of the Tor network.

00:04:53.110 --> 00:04:55.600 align:middle line:84%
Now, this one will
tell you if it

00:04:55.600 --> 00:04:57.970 align:middle line:90%
was used from the Tor network.

00:04:57.970 --> 00:05:02.487 align:middle line:84%
Now if you type the address in
here and type the date in here,

00:05:02.487 --> 00:05:03.320 align:middle line:90%
you can do a search.

00:05:03.320 --> 00:05:05.940 align:middle line:84%
Now the thing about
this is it's got

00:05:05.940 --> 00:05:08.200 align:middle line:90%
to be at least 48 hours old.

00:05:08.200 --> 00:05:13.470 align:middle line:84%
So if you just pull
an IP address today,

00:05:13.470 --> 00:05:16.140 align:middle line:84%
you won't be able to run
it for two more days.

00:05:16.140 --> 00:05:19.612 align:middle line:84%
That's essentially how this
programme works, though.

00:05:19.612 --> 00:05:21.570 align:middle line:84%
So you're going to have to
wait 48 hours at least,

00:05:21.570 --> 00:05:24.180 align:middle line:84%
and then put the data
in and then run it.

00:05:24.180 --> 00:05:26.690 align:middle line:90%


00:05:26.690 --> 00:05:31.690 align:middle line:84%
So once you have everything
set, you can click on Search.

00:05:31.690 --> 00:05:35.170 align:middle line:84%
And then it'll tell you whether
this is a Tor network IP

00:05:35.170 --> 00:05:36.830 align:middle line:90%
address.

00:05:36.830 --> 00:05:40.900 align:middle line:84%
So if you scroll down, you
can see, nope, negative.

00:05:40.900 --> 00:05:45.110 align:middle line:84%
Tor did not use this
address on this day.

00:05:45.110 --> 00:05:47.207 align:middle line:84%
But again, if it did,
it's a pretty handy tool

00:05:47.207 --> 00:05:49.540 align:middle line:84%
to be able to identify that,
well, the person is running

00:05:49.540 --> 00:05:53.620 align:middle line:84%
through the Tor network, meaning
either they're running a Tor

00:05:53.620 --> 00:05:59.170 align:middle line:84%
browser to do something or
they were using the Tor -

00:05:59.170 --> 00:06:04.270 align:middle line:84%
on your router is something
like ghost Tor or proxy chains

00:06:04.270 --> 00:06:06.320 align:middle line:90%
to do whatever they were doing.

00:06:06.320 --> 00:06:09.400 align:middle line:84%
But again, it's just another
way to help identify and isolate

00:06:09.400 --> 00:06:11.970 align:middle line:90%
that.

00:06:11.970 --> 00:06:15.470 align:middle line:84%
So wrapping up, IPs can be
a useful tool for tracking

00:06:15.470 --> 00:06:17.043 align:middle line:90%
a malicious attacker.

00:06:17.043 --> 00:06:18.710 align:middle line:84%
There's a number of
useful tools that we

00:06:18.710 --> 00:06:22.250 align:middle line:84%
could use to find things
like the ISP, location,

00:06:22.250 --> 00:06:26.690 align:middle line:84%
if a VPN was used, or even
if the Tor network was

00:06:26.690 --> 00:06:28.550 align:middle line:90%
being used for this.

00:06:28.550 --> 00:06:31.910 align:middle line:84%
We do want to be careful,
verify if the IP is a true IP

00:06:31.910 --> 00:06:34.880 align:middle line:90%
address or a proxy VPN address.

00:06:34.880 --> 00:06:36.680 align:middle line:84%
And also, personally,
I like to run it

00:06:36.680 --> 00:06:39.290 align:middle line:84%
against several
different sources

00:06:39.290 --> 00:06:42.140 align:middle line:84%
to make sure all that
information does match up

00:06:42.140 --> 00:06:45.340 align:middle line:90%
with each other.

00:06:45.340 --> 00:06:46.647 align:middle line:90%
So this was about IP addresses.

00:06:46.647 --> 00:06:49.230 align:middle line:84%
The next video, we're going to
be talking about canary tokens.

00:06:49.230 --> 00:06:50.260 align:middle line:90%
Thank you for watching.

00:06:50.260 --> 00:06:52.310 align:middle line:90%
I'll see you in the next video.

00:06:52.310 --> 00:06:54.000 align:middle line:90%