Finding Attacker Geolocation [ There was never a good war, or a bad peace ]

Geolocating an IP address




Finding the location of an IP address helps in tracking the origin of an attack. Thanks to Gorjan Petrovski, one of the active members of the Nmap community, who submitted three Nmap NSE scripts that help us find the geolocation of a remote IP address.
The script names are:
  1. ip-geolocation-maxmind
  2. ip-geolocation-ipinfodb
  3. ip-geolocation-geobytes
For the script ip-geolocation-maxmind there is no built-in database, so we need to download the external database from http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz.
  After downloading, unzip it to the Nmap data folder.
  File path: $NMAP_DATA/nselib/data/
  
For ip-geolocation-ipinfodb we need an API key to send requests and get the desired results. We can get the key from http://ipinfodb.com/register.php. I will be using ip-geolocation-ipinfodb because we can make any number of query requests to the service provider. If you have a little experience in writing scripts, you can add your own service provider.


Let's run the command and find the target.





nmap --script ip-geolocation-ipinfodb --script-args ip-geolocation-ipinfodb.apikey=xxxxxxxxxxxxx 50.116.1.xxx

PORT    STATE  SERVICE
22/tcp      closed         ssh
80/tcp       open          http 
113/tcp    closed          ident


Host script results:
ip-geolocation-ipinfodb
| 50.116.1.xxx (Attacker)
|   coordinates (lat,lon): 39.489898681xxx,-74.47730255xxx
|_  state: Targetaddress, Galloway, NJ, USA

Nmap done: 1 IP address (1 host up) scanned in 8.71 seconds
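
To carry these results into incident notes, the host script block above can be parsed into structured records. This is an added example, not part of the original post or of Nmap itself; the sample output, the function name parse_geolocation and the rule that treats 0,0 or out-of-range coordinates as missing data are assumptions.

```python
import re

# Constructed sample in the layout of the output above (documentation IPs, made-up values).
SAMPLE = """\
Host script results:
| ip-geolocation-ipinfodb:
| 203.0.113.7 (host-a.example)
|   coordinates (lat,lon): 39.4899,-74.4773
|_  state: Galloway, NJ, USA

Host script results:
| ip-geolocation-ipinfodb:
| 198.51.100.9
|   coordinates (lat,lon): 0,0
|_  state: -
"""

SCRIPT_RE = re.compile(r"^\|?_?\s*(ip-geolocation-[\w-]+):?\s*$")
HOST_RE = re.compile(r"^\|_?\s*(\d{1,3}(?:\.\d{1,3}){3})(?:\s+\((.*)\))?\s*$")
NUM = r"(-?\d+(?:\.\d+)?)"
COORD_RE = re.compile(r"^\|_?\s+coordinates \(lat,lon\):\s*" + NUM + r",\s*" + NUM + r"\s*$")
PLACE_RE = re.compile(r"^\|_?\s+(\w+):\s*(.+?)\s*$")

def parse_geolocation(nmap_output):
    """Return one dict per geolocated IP found in Nmap normal (stdout / -oN) output."""
    records, script, cur = [], None, None
    for line in nmap_output.splitlines():
        if (m := SCRIPT_RE.match(line)):
            script, cur = m.group(1), None        # start of a geolocation script block
        elif script is None:
            continue                              # port table, banners, etc.
        elif (m := HOST_RE.match(line)):
            cur = {"script": script, "ip": m.group(1), "name": m.group(2),
                   "lat": None, "lon": None, "place": None, "usable": False}
            records.append(cur)
        elif cur and (m := COORD_RE.match(line)):
            lat, lon = float(m.group(1)), float(m.group(2))
            cur["lat"], cur["lon"] = lat, lon
            # Assumption: 0,0 or out-of-range values mean "no data", not a real fix.
            cur["usable"] = abs(lat) <= 90 and abs(lon) <= 180 and (lat, lon) != (0.0, 0.0)
        elif cur and (m := PLACE_RE.match(line)):
            cur["place"] = m.group(2)             # e.g. the "state:" line shown above
        elif not line.startswith("|"):
            script = cur = None                   # left the script's output block
    return records

if __name__ == "__main__":
    for rec in parse_geolocation(SAMPLE):
        print(rec)
```
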
------------------------------------------------------------------------------------------

Thanks for reading. Don't forget to check my previous posts.


