Doxing is the act of finding a person's personal information through research and discovery, often with little to no information to start with. You may have seen doxing in the news, for instance when, not so long ago, the hacker group Anonymous doxed and reported thousands of Twitter accounts related to ISIS. Doxing can be useful for finding the address of a coworker, or simply for investigating people on the internet. The tutorial I will provide to you now will teach you the basics of doxing and how you can protect yourself against malicious people on the internet.
Where to Start...
The thing about doxing that makes it a skill is that you must be prepared for many different situations, as no two people will have their social profiles set up in exactly the same way. You must be prepared to have only a name, email, username, or even just a phone number as a starting point for finding out all of the other information about a person. If you have an email, you are all set: an email is connected to social media (names), work (phone numbers) and accounts (information about the person). If you don't have an email, your basic goal should be to get one, or at least a name. For the sake of this tutorial, I will break up each step for a different scenario.
Usernames
Usernames are extremely difficult to make connections with. If you have a username, you can use some websites that I will provide to see other accounts and profiles connected to that username. These websites are not always correct, so you should check with a couple of them before marking down information about a person.
Social Media
Our social media pages are a huge source of personal information. From a social media page we can identify a person's friends, family, best friends, locations, possibly phone numbers, photos of the person, and even information about the person's work. If you have somebody's social media page as a start, you can find out things like their address easily, even if they are under the age of 18. How? With social media we can find out the person's city as well as some family members. From there we can use some websites I will show later in the tutorial to find addresses. Let's look at a random Facebook page and see what we can find.
Addresses and Phone Numbers
Now this is where we cross the line between the internet and the real world: taking information from the internet and finding out where it is in real life. To find addresses, we will use the name John Smith that we investigated on Facebook. We will use a website called White Pages (whitepages.com) to look up this name and see what addresses are connected to it.
In a doxing attack, hackers might publish someone's:
- Real name
- Telephone number
- Social Security number
- Home address
- Employer
- Credit card numbers
- Bank account numbers
- Personal photographs
- Social media profiles
How does doxing work?
- Running a WHOIS search on a domain name
- Tracking Usernames
- Phishing
- Stalking Social Media
- Checking Government Records
- Google Dorking
- Tracking IP address
- Reverse Mobile phone lookup
- Packet Sniffing
- Data Brokers (Leaked Data)
- Searching the Dark Web
Examples of Doxing
1. Celebrity Doxxing
It’s not uncommon for journalists to find out a celebrity’s personal life information and to publish such gossip on their media platforms. However, doxxing isn’t your regular entertainment news. Here, the hacker publishes the celebrity’s sensitive information such as their payment card info, email address, social security number or phone numbers.
2. Faulty Doxxing
Sometimes, doxxing is done by internet vigilantes who can’t be bothered to properly research or investigate their victims to ensure they have the right person. Instead, they wrongly link people to activities or situations that are unrelated to them. Because of such “faulty” doxing (hence the name), innocent people face:
- reputation loss,
- employment loss,
- harassment,
- physical harm, or
- loss of life.
3. Revenge Doxxing
Sometimes, people use doxing as a means of taking revenge. They publish some of their enemy’s publicly identifying information online to shame them.
4. Swatting Doxxing
Another method of doxing is known as “swatting.” This occurs when a person wrongly accuses someone of a crime and sends police (or a SWAT team, hence “swatting”) to the victim’s address to harass them. Such doxxing can often prove fatal for the victim.
5. Crime Doxxing
While swatting is done for “fun,” some people use doxxing to commit serious crimes like murder. They reveal their enemies’ personal information online and provoke others to harm them. The motive can be personal revenge or showing disagreement with or hatred towards a specific cause, religion, activity or race.
Is Doxing Illegal?
Doxxing is immoral and illegal, and if you are discovered bothering individuals and disclosing their personal information, you could face serious legal consequences, including imprisonment. Detecting and prosecuting these types of crimes is often challenging for law enforcement. In India, doxing or identity theft is punishable under the IT Act 2000.
What is the Legal Way of Doxing?
We can say that Open Source Intelligence is the legal way of Doxing.
Intelligence agencies use OSINT to track events, equipment such as weapons systems, and people. These are the 'targets of interest' (ToIs). Hackers, however, use OSINT to identify technical vulnerabilities as well as human targets for phishing and social engineering attacks. Law firms, lawyers and private investigators can ethically and legally utilize OSINT techniques, especially information found on social media platforms, in legal and litigation intelligence to collect evidence and research about any suspect or potential juror.
Doxing Methods, Tools and Websites
Search by USA phone number
- gofindwho.com — database search
- @SafeCallsBot — free anonymous calls to any phone number with Caller ID spoofing
- PhoneInfoga (https://demo.phoneinfoga.crvx.fr/#/) — determines the type of the number, gives Google dorks for the number, determines the city
- spiderfoot.net (r) — automatic search using a huge number of methods, but can be used in the cloud if registered
- truepeoplesearch.com — will find records about the owners of the phone number
- www.zabasearch.com — will find the name, address, and much more
- truecaller.com (r) — phone book, will find the name and operator of the phone
- intelius.com (https://www.intelius.com/criminal-records/) — search in the criminal database, find the address, places of work, phone numbers and show where the person studied
- account.lampyre.io (t) (r) - the program searches for accounts, passwords and many other data
- @get_kontakt_bot — will show how the number is written in the phone book
- @GetFb_bot — bot finds Facebook
- globfone.com (https://globfone.com/call-phone/) — free anonymous calls to any phone number
- @clerkinfobot — the bot takes the data from the GetContact application and shows how the phone number in the contacts is recorded
- cyberbackgroundchecks.com (https://www.cyberbackgroundchecks.com/phone) — will find all data on a U.S. citizen; access to the site is allowed only from a U.S. IP address
Access recovery
1. ICQ
(https://icq.com/password/ru)
2. Yahoo
(https://login.yahoo.com/?display=login)
3. Steam
(https://help.steampowered.com/ru/wizard/HelpWithLoginInfo/)
4. Twitter
(https://twitter.com/account/begin_password_reset)
5. VK.com
(https://vk.com/restore)
6. Facebook
(https://www.facebook.com/login/identify?ctx=recover)
7. Microsoft
(https://account.live.com/acsr)
8. Instagram
(https://www.instagram.com/accounts/password/reset/)
How to find the domain to which the email address belongs
For example, you only know somebody@g****.***
1. Install the browser extension for Chrome Find+
(https://chrome.google.com/webstore/detail/find%2B-regex-find-in-page/fddffkdncgkkdjobemgbpojjeffmmofb)
2. Open the following lists of sites
- https://github.com/Matchistador/threat/blob/64edd837b611b55083d71f5611ced789b542e6ba/free_email_provider_domains.txt
- https://github.com/Kixiron/Anti-Phish/blob/513cbc16729bead0ba4c2e17ec705cdbe949b928/Anti-Phish/data/alldomains.json
- https://github.com/vidyasagarpanati/opensource-data/blob/0c10f2b764ef8824becb00f5174ab786a22a9e2c/Email%20Domains
- https://github.com/gyankos/graphjoin/blob/1d71a2102c2c95a634d61079a8ab3002b2c467a8/usergenerator/src/main/resources/email.txt
3. Open the extension and enter a regular expression of the form
X\w{A}\.\w{B}$
where X is the first known letter, A is the number of stars in the domain, and B is the number of stars in the top-level domain.
For example, if we know the address somebody@g****.***, the regular expression for it will be g\w{4}\.\w{3}$.
4. Searching the lists with that regular expression from the extension will show you the sites that match the mask of your email address.
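As an added example (not part of the original tutorial), a small Python script that builds the step-3 pattern from a masked address and applies it to a constructed, stand-in provider list. It anchors the pattern at the start of the domain, which the bare `g\w{4}\.\w{3}$` does not, so that `bigmail.com` is not reported as a match for `g****.***`. Run against your own account's recovery hint, it shows how few providers a masked hint actually hides.

```python
import re

# Constructed sample of free e-mail provider domains, standing in for the
# much longer public lists linked in step 2.
SAMPLE_PROVIDERS = [
    "gmail.com", "googlemail.com", "gmx.net", "gmx.de", "bigmail.com",
    "hotmail.com", "outlook.com", "yahoo.com", "icloud.com", "proton.me",
    "mail.ru", "yandex.ru",
]


def mask_to_regex(masked_email: str) -> str:
    """Build the step-3 pattern from a masked address such as somebody@g****.***.

    Known characters are kept literally, each run of '*' becomes \\w{n}, and the
    pattern is anchored at both ends so that it only matches whole domains.
    """
    if "@" not in masked_email:
        raise ValueError("expected a user@domain form")
    domain = masked_email.rsplit("@", 1)[1].strip().lower()
    if not domain:
        raise ValueError("mask has no domain part")
    parts = []
    run = 0  # length of the current run of '*'
    for ch in domain:
        if ch == "*":
            run += 1
            continue
        if run:
            parts.append(r"\w{%d}" % run)
            run = 0
        parts.append(re.escape(ch))
    if run:
        parts.append(r"\w{%d}" % run)
    return "^" + "".join(parts) + "$"


def matching_domains(masked_email: str, domains) -> list:
    """Return the sorted subset of `domains` that fits the masked address."""
    rx = re.compile(mask_to_regex(masked_email))
    return sorted({d.strip().lower() for d in domains if rx.match(d.strip().lower())})


if __name__ == "__main__":
    for mask in ("somebody@g****.***", "someone@h******.***"):
        hits = matching_domains(mask, SAMPLE_PROVIDERS)
        print(f"{mask}: {mask_to_regex(mask)} -> {len(hits)} of "
              f"{len(SAMPLE_PROVIDERS)} providers: {hits}")
```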
Search by Email from Gmail
- haveibeenpwned.com — check in leaked databases
- emailrep.io — find websites where an account has been registered with the email
- dehashed.com — checking mail in leaked databases
- @Smart_SearchBot — find full name, DoB, address and phone number
- intelx.io — multifunctional search engine, the search is also carried out on the darknet
- @mailsearchbot — search in database, gives password partially
- @info_baza_bot — show from what base mail leaked, 2 free scans
- leakedsource.ru — show from what base mail leaked
- mostwantedhf.info — find skype account
- email2phonenumber (https://github.com/martinvigo/email2phonenumber) (t) — automatically collects data from account recovery pages, and finds the phone number
- spiderfoot.net (r) — automatic search using a huge number of methods, tool available in the cloud with registration
- reversegenie.com — find location, first letter of the name and phone numbers
- @last4mailbot — bot will find the last 4 digits of the Sberbank client’s phone number
- searchmy.bio — find instagram account with email in description
- leakprobe.net (https://leakprobe.net/search.php) — it will find nickname and source of leaked database
- recon.secapps.com (https://recon.secapps.com/) — automatic search and mapping of relationships
- @AvinfoBot — find VK account
- account.lampyre.io (https://account.lampyre.io/email-and-phone-lookup) (r) — web version of e-mail search, account search in social networks and messengers
- @EyeGodBot — finds the VK account and finds the lost passwords
- @GetPhone_bot — search in leaked databases
- @StealDetectorBOT — get leaked passwords
- @GetGmail_bot — bot will find the account ID, link to Google Maps and albums, 2 free results and an infinite number of attempts
- scylla.sh — search engine over leak databases; finds passwords, IPs, nicknames and much more. In the search field enter email: followed by the address, for example email:example@gmail.com
- @Quick_OSINT_bot — will find passwords, social networks, logins, phones and much more
- GHunt (https://github.com/mxrch/GHunt) (t) — the tool will get the Google ID, devices and account name, find out which Google services are used, and pull data from the account's reviews on Google Maps
- cyberbackgroundchecks.com (http://www.cyberbackgroundchecks.com/email) — find all U.S. citizen data: phones, address, emails, family and more; access to the site is allowed only from a U.S. IP address
- holehe (https://github.com/megadose/holehe) (t) — the tool checks which sites have accounts registered to the e-mail address you are looking for, searching 30 sources
Search via URL
- https://my.mail.ru/gmail/LOGIN — search for an account on My World; replace LOGIN with the login
- https://filin.mail.ru/pic?email=LOGIN@gmail.com — account picture on mail.ru; replace LOGIN@gmail.com with the Yandex email address
USEFUL OSINT TOOLS
OSINT FRAMEWORK
While OSINT FRAMEWORK isn't a tool to be run on your servers, it's a very useful way to get valuable information by querying free search engines, resources, and tools publicly available on the Internet. It is focused on bringing together the best links to valuable sources of OSINT data.
While this web application was originally created with a focus on IT security, it has evolved over time and today you can get other kinds of information from other industries as well. Most of the websites it uses to query the information are free, but some may require paying a low fee.
CheckUserNames
CheckUserNames is an online OSINT tool that can help you to find usernames across over 170 social networks. This is especially useful if you are running an investigation to determine the usage of the same username on different social networks.
It can be also used to check for brand company names, not only individuals.
HaveIbeenPwned
HaveIbeenPwned can help you to check if your account has been compromised in the past. This site was developed by Troy Hunt, one of the most respected IT security professionals in the market, and it has been serving accurate reports for years.
If you suspect your account has been compromised, or want to check for 3rd party compromises on external accounts, this is the perfect tool. It can track down web compromises from many sources like Gmail, Hotmail and Yahoo accounts, as well as LastFM, Kickstarter, Wordpress.com, Linkedin and many other popular websites.
Once you enter your email address, the results will be displayed.
BeenVerified
BeenVerified is another similar tool that is used when you need to search people on public internet records. It can be pretty useful to get more valuable information about any person in the world when you are conducting an IT security investigation and a target is an unknown person.
Once the search completes, the results page will be displayed with all the people that match the person's name, along with their details, geographic location, phone number, etc. Once found, you can build your own reports.
The amazing thing about BeenVerified is that it also includes information about criminal records and official government information as well.
BeenVerified background reports may include information from multiple databases, bankruptcy records, career history, social media profiles and even online photos.
Censys
Censys is a wonderful search engine used to get the latest and most accurate information about any device connected to the internet, whether servers or domain names.
You will be able to find full geographic and technical details about ports 80 and 443 running on any server, as well as the HTTP/S body content and GET response of the target website, the Chrome TLS handshake, full SSL certificate chain information, and WHOIS information.
Google Dorks
While investigating people or companies, a lot of IT security newbies forget the importance of using traditional search engines for recon and intel gathering.
In this case, GOOGLE DORKS can be your best friend. They have been there since 2002 and can help you a lot in your intel reconnaissance.
Google Dorks are simply ways to query Google against certain information that may be useful for your security investigation.
Search engines index a lot of information about almost anything on the internet, including individuals, companies, and their data.
Some popular operators used to perform Google Dorking:
- Filetype: you can use this dork to find any kind of file type.
- Ext: can help you to find files with specific extensions (e.g. .txt, .log, etc.).
- Intext: performs queries that search for specific text inside any page.
- Intitle: searches for specific words inside the page title.
- Inurl: looks for the given words inside the URL of any website.
Log files aren't supposed to be indexed by search engines, but they often are, and such Google Dorks can surface valuable information from them.
Maltego
Maltego is an amazing tool to track down the footprints of any target you need to match. This piece of software has been developed by Paterva, and it's part of the Kali Linux distribution.
Using Maltego will allow you to launch reconnaissance tests against specific targets.
One of the best things this software includes is what they call 'transforms'. Transforms are available for free in some cases, and in others you will find commercial versions only. They will help you to run different kinds of tests and data integration with external applications.
In order to use Maltego you need to open a free account on their website; after that, you can launch a new machine or run transforms on the target from an existing one. Once you have chosen your transforms, the Maltego app will start running all the transforms from Maltego servers.
Finally, Maltego will show you the results for the specified target, like IP, domains, AS numbers, and much more.
Recon-Ng
Recon-ng comes already built into the Kali Linux distribution and is another great tool used to perform quick and thorough reconnaissance on remote targets.
This web reconnaissance framework was written in Python and includes many modules, convenience functions and interactive help to guide you on how to use it properly.
The simple command-based interface allows you to run common operations like interacting with a database, running web requests, managing API keys or standardizing output content.
Fetching information about any target is pretty easy and can be done within seconds after installing. It includes interesting modules like google_site_web and bing_domain_web that can be used to find valuable information about the target domains.
While some recon-ng modules are pretty passive as they never hit the target network, others can launch interesting stuff right against the remote host.
theHarvester
theHarvester is another great alternative to fetch valuable information about the subdomain names, virtual hosts, open ports and email addresses of any company/website.
This is especially useful when you are in the first steps of a penetration test against your own local network, or against 3rd party authorized networks. Like the previous tools, theHarvester is included in the Kali Linux distro.
theHarvester uses many resources to fetch the data, like PGP key servers, the Bing, Baidu, Yahoo and Google search engines, and also social networks like Linkedin, Twitter and Google Plus.
It can also be used to launch active penetration tests like dictionary-based DNS brute force, rDNS lookups and DNS TLD expansion using dictionary brute force enumeration.
Shodan
Shodan is a network security monitor and search engine focused on the deep web & the internet of things. It was created by John Matherly in 2009 to keep track of publicly accessible computers inside any network.
It is often called the 'search engine for hackers', as it lets you find and explore different kinds of devices connected to a network like servers, routers, webcams, and more.
Shodan is pretty much like Google, but instead of showing you fancy images and rich content / informative websites, it will show you things that are more related to the interest of IT security researchers like SSH, FTP, SNMP, Telnet, RTSP, IMAP and HTTP server banners and public information. Results will be shown ordered by country, operating system, network, and ports.
Shodan users are not only able to reach servers, webcams, and routers. It can be used to scan almost anything that is connected to the internet, including but not limited to traffic lights systems, home heating systems, water park control panels, water plants, nuclear power plants, and much more.
Nmap
Nmap is one of the most popular and widely used security auditing tools; its name means "Network Mapper". It is a free and open source utility used for security auditing and network exploration across local and remote hosts.
Some of the main features include:
- Host detection: Nmap has the ability to identify hosts inside any network that have certain ports open, or that respond to ICMP and TCP packets.
- IP and DNS information detection: including device type, MAC addresses and even reverse DNS names.
- Port detection: Nmap can detect any port open on the target network, and let you know the possible running services on it.
- OS detection: get full OS version detection and hardware specifications of any host connected.
- Version detection: Nmap is also able to get application name and version number.
Unicornscan
Unicornscan is one of the top intel gathering tools for security research. It has also a built-in correlation engine that aims to be efficient, flexible and scalable at the same time.
Main features include:
- Full TCP/IP device/network scan.
- Asynchronous stateless TCP scanning (including all TCP Flags variations).
- Asynchronous TCP banner detection.
- UDP Protocol scanning.
- A/P OS identification.
- Application and component detection.
- Support for SQL relational output.
Foca
FOCA (Fingerprinting Organizations with Collected Archives) is a tool written by ElevenPaths that can be used to scan, analyze, extract and classify information from remote web servers and their hidden information.
FOCA has the ability to analyze and collect valuable data from MS Office suite, OpenOffice and PDF documents, as well as Adobe InDesign, SVG and GIF files. This security tool also works actively with the Google, Bing and DuckDuckGo search engines to collect additional data from those files. Once you have the full file list, it starts extracting information to attempt to identify more valuable data from the files.