Strategic Hacking GEOIP

Fri, 12 Oct 2007 10:52:56 GMT

Not that long time ago, ap and I did a good play around with GEOIP: ip to country, country to ip mappings, geo locating the IP addresses from the Holy See, etc (yep we've done that). Nothing major, really! We find this topic quite interesting and largely educational, especially around the methodologies and tricks that we have developed in order to find the IP ranges/blocks of entire countries.

Although we've build a quite solid database over the time, we are planning to keep it private and use it for research purposes only. However, if you dig deep into some of our public research materials, you should be able to to create a tiny subset of our database by using some of the described techniques and also this bash script.

You can also download a database digest created with the bash script above.

DfcnvtDfcnvt
Now that you have the country of all it's ip address. What about the state in US or perhap the county in state?
DfcnvtDfcnvt
http://www.maxmind.com/app/city
pdppdp
yep, this is the one. although, as I mentioned in the post, the database is not 100% accurate, not to mention the fact that the interesting ranges are simple not even included.
vindicvindic
pdp will you sell this, or make a new service? if you can make more accurate db, then why you dont use it for protection of websites? i will be first in list who will buy it, because is very very usefull
pdppdp
vindic, what do you need this for? I mean Maxmind have a free database you can use for most things that come to mind.
vindicvindic
pdp i have theyr's db, have too bins of cc. i am providing payments services and trying protect us for fraud. i am looking for any way or stuff which can more protect ours customers.
cybergothcybergoth
I'm using ripe.net Europe RIR’s db to extract net blocks for entire country. You can check it at ftp://ftp.ripe.net/pub/stats/ripencc/2007
pdppdp
cybergoth, cool... I need to look at this!
RHWRHW
This is a cool idea. I scanned around for about 10 minutes and found about 5 boxes with open ports. What is the default user/pass for the slingboxes? I can't find any info on their website.
rickyricky
Seems some changes on how the ip database is being held has been made since the last time I ran the script my files come out in the form of
country-11.0.0.0.csv
country-112.63.162.116.csv
country-112.63.162.120.csv
country-112.63.162.148.csv
country-114.0.0.0.csv
country-116.0.0.0.csv
country-116.0.128.0.csv
country-116.0.16.0.csv
country-116.0.24.0.csv
country-116.0.32.0.csv
country-116.0.64.0.csv
country-116.0.64.128.csv
country-116.0.64.192.csv
country-116.0.64.224.csv
country-116.0.64.240.csv
country-116.0.64.64.csv
country-116.0.65.0.csv
If only I had backed them upbefore like I ment to. ./R B
pdppdp
ok, I have to look into this. I think that they have changed the positions of the CSV columns. Just rearrange the columns or better yet modify the script to outline these changes.
RickyRicky
Links seem to be broken on this page for the script an ppt file
pdppdp
yes, there are tones of bugs laying around since we moved. I will fix this now. thanks for the feedback.
pdppdp
all fixed now!
Andrew HortonAndrew Horton
I've published a tool that uses this technique and only just found out about your similar research from a post on the full disclosure mailing list. GeoIPgen is a tool for country to IP resolution written in ruby. It can produce IPs for 1 or a set of countries in ascending or random order, producing unique IPs with low overhead :) It has proved useful when penetration testing to reverse resolve an entire country in order to discover networks or IPs the client forgets to mention. It's available here, http://www.morningstarsecurity.com/research/geoipgen
pagvacpagvac
@Andrew: thank you for sharing your project with us! please keep us up to date with any significant feature additions to GeoIPgen. You might also be interested in taking a look at http://www.country2ip.com/