Since we can now fingerprint incoming connections from our WordPress visitors and even detect proxies (see Springtrap Part 1 if you are interested), we have the means to investigate the connecting party further, should we want more specific information.

Not-ToDo
To get one thing out of the way first:
A process we might not want to start automatically is running a port scan against the IP, for several reasons:
While not considered strictly illegal in a lot of jurisdictions, running an nmap scan without written consent can lead to trouble, such as getting banned or blocked by your ISP, civil lawsuits and certainly unwanted attention. We want to focus on free, easy-to-obtain information, not system exploitation.
ToDo
So first off, we use command-line tools to check whether the IP is part of some known infrastructure. With
dig -x [IP]
we can easily find out if the address resolves to some domain.
If it does, combine that knowledge with what you already know and build a profile of who you’re dealing with. We can get the WHOIS entry of the (sub)domain and see either ISP information or (even better) information about where they might work.
Going a step further we can use IP geolocation to roughly estimate where the request came from. I say “roughly estimate”, because based solely on your IP, all I can do is check it against some frequently updated lookup-tables.
ip2geotools supports both commercial and free/non-commercial databases; the commercial ones require paid API keys to query.
pip install ip2geotools
Using
ip2geotools [IP] -f json -d hostip
you then get the location from the chosen database as JSON output. This turned out to be accurate to 10-50 kilometers in my own testing.
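As an added example (not code from the original post), here is what dig -x actually asks the resolver for, and which logged addresses are not worth asking about: it builds the PTR name for IPv4 and IPv6 addresses and skips non-routable ranges before any lookup. The log lines and addresses are constructed documentation values, not real visitors.

```python
import ipaddress
import re

# Ranges that can never belong to an Internet visitor; looking them up only
# leaks internal names to the resolver (RFC 1918, loopback, link-local,
# CGNAT, IPv6 ULA and link-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
)]

def ptr_name(ip):
    """Build the reverse-lookup name that `dig -x` sends to DNS.
    IPv4: octets reversed under in-addr.arpa; IPv6: all 32 hex nibbles
    of the expanded address reversed under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def is_routable(ip):
    """False for addresses that should be skipped before any lookup."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)

# Leading client address of a common-log-format (Apache/WordPress) line.
LOG_IP = re.compile(r"^(\S+) ")

def plan_lookups(log_lines):
    """Map each logged client IP to its PTR name, or None if not worth asking."""
    plan = {}
    for line in log_lines:
        m = LOG_IP.match(line)
        if not m:
            continue
        ip = m.group(1)
        try:
            plan[ip] = ptr_name(ip) if is_routable(ip) else None
        except ValueError:  # malformed address in the log: skip, don't crash
            continue
    return plan

# Constructed sample log lines (documentation addresses, not real visitors).
SAMPLE_LOG = [
    '203.0.113.42 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8::1 - - [01/Jan/2024:10:00:01 +0000] "GET /feed/ HTTP/1.1" 200 1024',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 2048',
    'not-an-ip - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for ip, name in plan_lookups(SAMPLE_LOG).items():
        print(ip, "->", name or "(skipped)")
```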
We are confining ourselves to IP geolocation because using browser tools like JavaScript on the client side is a bit too intrusive for my taste, and it might (and should) trigger a pop-up in most modern browsers and phones prompting for approval. The general idea is for the target to remain unaware of your “research”.
And yes, making a blog post describing how you’re doing it is not the best way to go about this, but we’re doing this solely for education purposes after all, aren’t we? 😉
Painting a picture
The beauty of this information is how powerful it can be when applied correctly.
Do you maybe know a little more about the individual you are gathering info on? Small things that don’t seem like a big deal? A first name? A nickname? Maybe a phone number?
If you know a first name and, for example, a company whose infrastructure they used to make requests to your website, this would be a great time to open up LinkedIn and see how many people over there share that name. How many, you reckon, might sometimes post private pictures on social media?
Their user agent, which we logged in part one of this project, might tell you what phone they were using when browsing your site. Is that person an Apple user, perhaps?
From my experience, this is a funny way to mess with scammers.
How far you go, after gathering this info, is up to you.