Finding your external IP address

As I carry out a significant amount of OSInt work I often bump into the problem of needing to enumerate IP addresses. This can include knowing what my own external IP address is. Simply running ifconfig (or ipconfig on Windows) will show my internal addresses but not the internet-facing address of the router. This matters most when trying to ensure that you are hidden from a target: I may connect to a VPN or proxy elsewhere in the world, but how can I be sure that my IP address is actually hidden?

A student on my recent Advanced OSI course related a story of a colleague researching a very dangerous group who suddenly realised that their VPN software had crashed and that their Police IP address was now visible in the target’s logs – not good!

There are loads of tools, especially Firefox plugins, that will report your IP and the IP of the site you are on; WorldIP is a favourite. However, I wanted to write a small program that would monitor my IP and report if it changes. I also wanted to write a tool to do batch lookups of domains and IPs and extract their geolocation information.

I stumbled across freegeoip.net. It is a simple IP lookup site, but with an API. It allows 10,000 lookups per day for free, which is more than enough (for most days!).

To use it, just type this into your browser:

freegeoip.net/csv

and it will return information about your own external IP address into a CSV file. Lovely! The results look like this…

217.42.***.***,GB,United Kingdom,ENG,England,Bristol,BS3,Europe/London,51.43,-2.61,0

You can also specify /xml, /json and /jsonp.

Adding a URL or IP address to the query returns the information about that address…

freegeoip.net/csv/ibm.com

…and it returns…

129.42.38.1,US,United States,NY,New York,Somers,10589,America/New_York,41.33,-73.70,501

or if you specify /xml…

<Response><IP>129.42.38.1</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>Somers</City><ZipCode>10589</ZipCode><TimeZone>America/New_York</TimeZone><Latitude>41.325</Latitude><Longitude>-73.698</Longitude><MetroCode>501</MetroCode></Response>

To do this programmatically, perhaps from a shell script, I can just use wget:

Freegeoip.net from wget

wget freegeoip.net/csv/ibm.com

Using this I can write a simple background tool that monitors my IP address and notifies me of any change. It will also be easy to write a tool that can be pointed at a text file of IPs or domains and returns all the information to me. That will save loads of time.

I’ll post the tools when I’ve done them.
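The two tools described above, written here as an added example in Python 3 (this is not the author's code, which was never posted on this page). It parses the eleven-column /csv format shown in the post, watches for the external IP changing between polls (the VPN-dropped scenario from the course story) and does batch lookups over a list of targets. The HTTP fetch is injected as a callable so the logic runs offline against constructed responses; a real fetcher would be a `urllib.request.urlopen` call to the service. The IP addresses in the samples are from the documentation ranges and are constructed, not real results. Two practical caveats: the freegeoip.net service has since been retired, so the fetcher would need to point at a replacement, and any such query discloses the querying IP to the lookup service itself, over plain HTTP in the wget form above.

```python
import csv
import io
from typing import Callable, Iterable, List, Optional

# Column order of the /csv response, taken from the sample lines in the post.
FIELDS = ("ip", "country_code", "country_name", "region_code", "region_name",
          "city", "zip_code", "time_zone", "latitude", "longitude", "metro_code")


def parse_geoip_csv(line: str) -> dict:
    """Turn one /csv response line into a dict; lat/lon become floats, metro code an int."""
    row = next(csv.reader(io.StringIO(line.strip())))
    if len(row) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {line!r}")
    rec = dict(zip(FIELDS, row))
    rec["latitude"] = float(rec["latitude"])
    rec["longitude"] = float(rec["longitude"])
    rec["metro_code"] = int(rec["metro_code"])
    return rec


class IPMonitor:
    """Tracks the externally visible IP across polls and reports every change.

    `fetch` returns the body of a /csv request for our own address; it is injected
    (assumption) so the monitor can be exercised without network access.
    """

    def __init__(self, fetch: Callable[[], str]):
        self.fetch = fetch
        self.current: Optional[dict] = None
        self.changes: List[str] = []

    def poll(self) -> Optional[str]:
        """Fetch once; return a message if the IP differs from the last poll, else None."""
        rec = parse_geoip_csv(self.fetch())
        if self.current is None:          # first poll establishes the baseline
            self.current = rec
            return None
        if rec["ip"] != self.current["ip"]:
            msg = (f"external IP changed {self.current['ip']} ({self.current['country_code']})"
                   f" -> {rec['ip']} ({rec['country_code']})")
            self.changes.append(msg)
            self.current = rec
            return msg
        return None


def batch_lookup(targets: Iterable[str], fetch: Callable[[str], str]) -> List[dict]:
    """Look up every IP/domain in `targets` via fetch(target); a failure is recorded, not fatal."""
    results = []
    for target in targets:
        try:
            results.append(parse_geoip_csv(fetch(target)))
        except Exception as exc:          # bad response, unknown host, rate limit: keep going
            results.append({"ip": target, "error": str(exc)})
    return results


# Constructed sample responses (documentation-range addresses, not live data).
SAMPLE_VPN = "203.0.113.7,NL,Netherlands,NH,North Holland,Amsterdam,1012,Europe/Amsterdam,52.37,4.90,0"
SAMPLE_HOME = "198.51.100.23,GB,United Kingdom,ENG,England,Bristol,BS3,Europe/London,51.43,-2.61,0"
# The ibm.com line is the one quoted in the post.
SAMPLE_IBM = "129.42.38.1,US,United States,NY,New York,Somers,10589,America/New_York,41.33,-73.70,501"


def demo_monitor() -> List[Optional[str]]:
    """Three polls: VPN up, still up, then the home address leaks through."""
    responses = iter([SAMPLE_VPN, SAMPLE_VPN, SAMPLE_HOME])
    monitor = IPMonitor(lambda: next(responses))
    return [monitor.poll() for _ in range(3)]


def demo_batch() -> List[dict]:
    """Batch lookup over a constructed target list with one unresolvable entry."""
    canned = {"ibm.com": SAMPLE_IBM}
    return batch_lookup(["ibm.com", "no-such-host.invalid"], lambda t: canned[t])


if __name__ == "__main__":
    for event in demo_monitor():
        print(event or "no change")
    for rec in demo_batch():
        print(rec)
```

In a background tool the `poll` call would sit in a loop with a sleep and a notification on a non-None result; the important property is that the baseline is the VPN address, so the alert fires the moment the real address appears.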

Skypeex

This tool stems from the need to extract unencrypted Skype chat from a RAM dump.

It’s a bit old now and needs some work, but people still get good results from it:

1. Run strings against your RAM dump
2. Run the Skypeex tool against the resulting strings file
3. It will carve out all the Skype chat lines it can see, as well as trying to find and extract all the Skype sessions and ‘orphan’ chats that have been created.

It’s interesting to note that the latter process even seems to find the ‘spam’ message sessions that you sometimes receive.

This has been tested on dump files from Windows XP SP2, XP SP3 and 7 with Skype 3.8 through 4.2.

Please do not hesitate to get in touch with ideas and improvements.

Usage:

skypeex26 is designed for use under Python 2.6

For best testing results, have several Skype IM chats with friends and then image your RAM. On a Windows box, use any tool to grab RAM (tested on Win XP SP2/3):

I recommend dumpit from Matthieu Suiche – http://windd.msuiche.net/

Run strings against the RAM image (e.g. a Windows version can be found in the Helix distro)
example: strings c:\ramdump.dd > c:\stringsout.txt

On linux box do:
strings ramdump.dd > stringsout.txt

Script usage –
From a command shell run python skypeex.py, then, when prompted, simply provide the path to the strings output file.

The output files will be written to the folder the script is run from. The output is a CSV file with chats (including headers) and a txt file with extracted Skype sessions and carved orphan chats. Please expect many duplicates and some false positives.

In the CSV file the ‘Timestamp’ column is the date and time of the message in UNIX time. Sorting on this column gives you a timeline of messages. I’m writing a UNIX time decoder but it doesn’t work yet.

The primary message content is in the ‘body_xml’ column.
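The two ends of the workflow above, as an added Python 3 example that is not part of Skypeex: a small strings-style carver that pulls printable ASCII and UTF-16LE runs out of a memory image (Windows process memory holds a lot of UTF-16 text, so the second pass matters), and a timeline builder that sorts carved chat rows on the UNIX ‘Timestamp’ column, decodes it to UTC and drops exact duplicates and rows whose timestamp does not parse, which is where the duplicates and false positives the post warns about get filtered. The memory fragment and the CSV are constructed samples; ‘Timestamp’ and ‘body_xml’ are the column names from the post, the ‘author’ column is an assumption.

```python
import csv
import io
import re
from datetime import datetime, timezone
from typing import Iterator, List, Tuple


def extract_strings(data: bytes, min_len: int = 4) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for printable runs of at least min_len characters.

    ASCII runs are reported first, then UTF-16LE runs, roughly what the Sysinternals
    strings tool does by default over a Windows memory image.
    """
    narrow = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(narrow, data):
        yield m.start(), "ascii", m.group().decode("ascii")
    wide = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    for m in re.finditer(wide, data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def unix_to_iso(ts: int) -> str:
    """Render a UNIX timestamp as an unambiguous UTC string for the timeline."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_timeline(csv_text: str) -> List[Tuple[str, str, str]]:
    """Sort carved chat rows on 'Timestamp'; skip exact duplicates and non-integer timestamps."""
    seen = set()
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ts = int(row["Timestamp"])
        except (KeyError, ValueError, TypeError):
            continue                       # likely a false positive from the carver
        key = (ts, row.get("author") or "", row.get("body_xml") or "")
        if key in seen:
            continue                       # the same message carved from two copies in RAM
        seen.add(key)
        rows.append(key)
    rows.sort(key=lambda r: r[0])          # stable sort on time only
    return [(unix_to_iso(ts), author, body) for ts, author, body in rows]


# Constructed fragment standing in for a memory image (not a real dump).
SAMPLE_DUMP = b"\x00\x01junk\xffhello world\xff" + "chat".encode("utf-16-le") + b"\x00\x00"

# Constructed CSV in the shape the post describes, with one duplicate and one false positive.
SAMPLE_CSV = """Timestamp,author,body_xml
1325376060,bob,hi there
1325376000,alice,hello
1325376000,alice,hello
not-a-time,carol,stray bytes
"""


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE_DUMP):
        print(f"{offset:8d} {encoding:9s} {text}")
    for when, who, body in build_timeline(SAMPLE_CSV):
        print(when, who, body)
```

Run over a real strings output, the carver stage is replaced by the strings file itself and only `build_timeline` is needed; keeping the offset in the carved tuple is still worthwhile, since it lets a finding be located again in the original image.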

ivMeta – iPhone Metadata

It’s an iPhone with metadata in its video files!

ivMeta is a tool designed to extract useful forensic metadata from iPhone video. It was written by Robin Wood from digininja.org (top pen tester) in response to some research I posted about finding useful tags and data inside the iPhone .mov file type. (Read that here)

Usage:

Unzip the zip container and read the readme file. You know, the thing you never read because you can figure it out!

The tool will extract phone make, software version, creation date, GPS data etc.
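To show where that metadata lives in the file, here is an added Python 3 example; it is not ivMeta and not Robin Wood's code, and it makes its own assumptions about the container. A QuickTime .mov is a tree of atoms (4-byte big-endian size, 4-byte type, payload), and the tags the tool lists sit under moov/meta as a ‘keys’ atom naming each key and an ‘ilst’ atom holding the values by 1-based key index, with key names such as com.apple.quicktime.make, .model, .software, .creationdate and .location.ISO6709 (Apple's public QuickTime metadata keys). The code builds a constructed minimal file with only that path (a real recording also carries mdat, mvhd, trak and more), walks the atom tree with bounds checks so a truncated or corrupted file raises rather than reads out of range, and splits the ISO 6709 location string into latitude and longitude. All tag values in the sample are constructed.

```python
import re
import struct
from typing import Dict, Iterator, List, Optional, Tuple


def atom(kind: bytes, payload: bytes) -> bytes:
    """Encode one QuickTime atom: 32-bit big-endian size (header included), 4-byte type, payload."""
    return struct.pack(">I", 8 + len(payload)) + kind + payload


def build_sample_mov(items: Dict[str, str]) -> bytes:
    """Constructed stand-in for an iPhone .mov: ftyp plus moov/meta/{hdlr, keys, ilst}."""
    keys_payload = struct.pack(">II", 0, len(items))          # version/flags, entry count
    ilst_payload = b""
    for index, (key, value) in enumerate(items.items(), start=1):
        keys_payload += atom(b"mdta", key.encode("utf-8"))     # key entry: size, 'mdta' namespace, name
        data = atom(b"data", struct.pack(">II", 1, 0) + value.encode("utf-8"))  # type 1 = UTF-8, locale 0
        ilst_payload += atom(struct.pack(">I", index), data)   # item 'type' field is the 1-based key index
    hdlr = atom(b"hdlr", b"\x00" * 8 + b"mdta" + b"\x00" * 13)
    meta = atom(b"meta", hdlr + atom(b"keys", keys_payload) + atom(b"ilst", ilst_payload))
    return atom(b"ftyp", b"qt  \x00\x00\x00\x00qt  ") + atom(b"moov", meta)


def iter_atoms(buf: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (type, payload) for atoms laid end to end in buf, refusing sizes that overrun it."""
    pos, end = 0, len(buf)
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", buf[pos:pos + 8])
        header = 8
        if size == 1:                                          # 64-bit extended size follows the type
            if pos + 16 > end:
                raise ValueError(f"truncated extended size at offset {pos}")
            size = struct.unpack(">Q", buf[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:                                        # atom extends to the end of its container
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"malformed atom {kind!r} at offset {pos}: size {size}")
        yield kind, buf[pos + header:pos + size]
        pos += size


def find_atom(buf: bytes, path: List[bytes]) -> Optional[bytes]:
    """Walk a container path such as [b'moov', b'meta'] and return the last atom's payload."""
    for want in path:
        for kind, payload in iter_atoms(buf):
            if kind == want:
                buf = payload
                break
        else:
            return None
    return buf


def extract_metadata(mov: bytes) -> Dict[str, object]:
    """Return {key name: value} from moov/meta; UTF-8 values decoded, other types left as bytes."""
    meta = find_atom(mov, [b"moov", b"meta"])
    if meta is None:
        return {}
    if meta[4:8] not in (b"hdlr", b"keys", b"ilst"):          # ISO-BMFF-style meta has version/flags first
        meta = meta[4:]
    keys, ilst = find_atom(meta, [b"keys"]), find_atom(meta, [b"ilst"])
    if keys is None or ilst is None:
        return {}
    names = [name.decode("utf-8", "replace") for ns, name in iter_atoms(keys[8:]) if ns == b"mdta"]
    found: Dict[str, object] = {}
    for index_bytes, item in iter_atoms(ilst):
        index = struct.unpack(">I", index_bytes)[0]
        if not 1 <= index <= len(names):
            continue                                           # dangling index: skip rather than guess
        for kind, data in iter_atoms(item):
            if kind == b"data" and len(data) >= 8:
                type_indicator = struct.unpack(">I", data[:4])[0]
                value = data[8:]
                found[names[index - 1]] = value.decode("utf-8") if type_indicator == 1 else value
    return found


def parse_iso6709(text: str) -> Tuple[float, float]:
    """Split an ISO 6709 string such as '+51.4300-002.6100+010.000/' into (latitude, longitude)."""
    m = re.match(r"([+-]\d+(?:\.\d+)?)([+-]\d+(?:\.\d+)?)", text)
    if not m:
        raise ValueError(f"not an ISO 6709 location: {text!r}")
    return float(m.group(1)), float(m.group(2))


SAMPLE_TAGS = {  # constructed values under Apple's public key names
    "com.apple.quicktime.make": "Apple",
    "com.apple.quicktime.model": "iPhone",
    "com.apple.quicktime.software": "0.0 (constructed)",
    "com.apple.quicktime.creationdate": "2012-01-01T12:00:00+0000",
    "com.apple.quicktime.location.ISO6709": "+51.4300-002.6100+010.000/",
}

if __name__ == "__main__":
    for key, value in extract_metadata(build_sample_mov(SAMPLE_TAGS)).items():
        print(f"{key}: {value}")
```

The same walker works on a file read from disk (`extract_metadata(open(path, "rb").read())`), and the creation date and location are exactly the fields worth checking before a video leaves an investigator's hands, since they travel with the file.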

Drop us a line with any bugs.