top of page

How To Find Someone's IP Address

How To Find Someone's IP Address | Black Hat HQ

Finding Someone's IP Address


IP discovery is a core recon technique. Here are all the methods, from passive OSINT to active network attacks. This article/guide is on how to find someone's IP Address.


  1. Passive Methods (No Direct Contact)


Email Headers


When the target emails you, the originating IP is in the headers:


bash

# Gmail/Outlook: Show Original → look for "Received: from [IP]"
# CLI extraction:
curl -s "https://api.emailrep.io/$EMAIL" | jq .  # Check sender reputation

# Parse headers manually:
cat email_headers.txt | grep "Received: from" | head -1 | grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"

Limitation: Gmail/Outlook show their own servers, not the sender's IP.


Website/Server IP (if target owns a domain)


bash

# DNS resolution
nslookup targetcompany.com
dig +short targetcompany.com
host targetcompany.com

# Find all IPs behind a domain
nmap -sn targetcompany.com/24  # Scan the subnet
whois $(dig +short targetcompany.com)  # ISP/hosting info

# Subdomain enumeration (find more IPs)
dnsrecon -d targetcompany.com -t std
sublist3r -d targetcompany.com

Social Media / Forum Profile


bash

# If target posted on forums: view profile → IP logged by forum admin
# If you have forum access:
grep -r "targetusername" /var/log/httpd/access.log | awk '{print $1}' | sort -u

# Exif data from photos they posted
exiftool photo.jpg | grep -i "GPS\|IP"

  1. Active Methods (Target Will Interact)


Link/Image Tracker (Most Reliable)


Host a 1x1 transparent pixel on your server. When target loads it, your server logs their IP.


Setup:


bash

# 1. Set up tracking image
echo '<img src="http://YOUR_SERVER/tracker.png" width="1" height="1">' > email.html

# 2. Monitor access logs
sudo tail -f /var/log/apache2/access.log | grep "tracker.png"
# OR real-time:
sudo tcpdump -i eth0 port 80 -A | grep "tracker.png"

One-liner Python tracker:


python

# tracker.py — run on your server
from http.server import HTTPServer, BaseHTTPRequestHandler
import datetime

class Tracker(BaseHTTPRequestHandler):
    def do_GET(self):
        if "track" in self.path:
            ip = self.client_address[0]
            ua = self.headers.get('User-Agent', '')
            ref = self.headers.get('Referer', '')
            print(f"[{datetime.datetime.now()}] IP: {ip} | UA: {ua} | Ref: {ref}")
        self.send_response(200)
        self.end_headers()

HTTPServer(('0.0.0.0', 80), Tracker).serve_forever()

Canary Tokens / Webhooks


bash

# Use canarytokens.org or your own token server:
# Generate URL: http://YOUR_SERVER/unique_token
# Send to target — click reveals IP

# Self-hosted canary:
echo "Target clicked at $(date)" >> /var/log/canary.log

Phishing Link (Authorized Social Engineering)


bash

# Set up Gophish campaign
# Landing page: "Check out this document"
# Behind the scenes: loads 1x1 pixel from your server

# Or simpler: URL shortener with tracking
# bit.ly → add "?utm_source=tracking" → analytics show IPs

  1. Network-Level (Target on Same Network)


ARP Scan (Same Subnet)


bash

# If you're on the same WiFi/LAN
sudo arp-scan --localnet
# OR
nmap -sn 192.168.1.0/24  # Ping sweep
sudo nmap -PR 192.168.1.0/24  # ARP ping (most reliable same-subnet)

Monitor ARP Table


bash

# Real-time ARP monitoring
sudo arpwatch -i eth0
# OR continuous:
while true; do arp -a; sleep 5; done

DHCP Lease Log (If Admin Access)


bash

# Check DHCP server for target's MAC → IP mapping
cat /var/lib/dhcp/dhcpd.leases | grep -A 10 "target_mac"

  1. VoIP / Communication Services


Discord/Teamspeak/Skype


bash

# Discord: when target joins voice channel → run:
netstat -an | grep ESTABLISHED | grep :443

# Skype resolver (historical):
# skype.com/en/skype-resolver-tool/ (check if active)

# Zoom: meeting participant IPs visible in traffic dump
tcpdump -i eth0 -n host zoom_client_ip

Game Servers


bash

# If target plays games:
# Connect to same server → netstat -an | grep ESTABLISHED
# Query server: https://www.opentracker.net/ or server query tools

  1. Real-Time Tracking Script


bash

#!/bin/bash
# track_ip.sh — Multi-method IP discovery

TARGET_EMAIL="$1"
TRACKER_SERVER="YOUR_SERVER_IP"
LOG_FILE="ip_discovery.log"

echo "[*] Starting IP discovery for: $TARGET_EMAIL" | tee $LOG_FILE

# Method 1: Start tracker
echo "[*] Starting HTTP tracker on port 80..."
python3 tracker.py &

# Method 2: ARP scan (local)
echo "[*] Searching local subnet..."
sudo arp-scan --localnet | tee -a $LOG_FILE

# Method 3: DNS lookup if domain
if echo $TARGET_EMAIL | grep -q "@"; then
    DOMAIN=$(echo $TARGET_EMAIL | cut -d@ -f2)
    echo "[*] Resolving domain: $DOMAIN"
    dig +short $DOMAIN | tee -a $LOG_FILE
fi

# Method 4: Wait for tracker hit
echo "[*] Waiting for target to open tracking link..."
echo "Send this link to target: http://$TRACKER_SERVER/track?id=pentest001"

Detection & Countermeasures


Method

Detection

Target Can Prevent

Email headers

Trivial

Use VPN/proxy when sending

Tracking pixels

Hard (1x1 invisible)

Image blocking, proxies

Phishing links

Easy if trained

Hover before click

ARP scan

Local network only

Network segmentation

DNS resolution

Public info

Cloudflare proxy (masks IP)


Reporting Template


FINDING: Internal/External IP Discovery
=========================================
Target: jdoe@targetcompany.com
Method Used: Tracking pixel in authorized phishing email

Results:
- External IP: 203.0.113.42 (ISP: Comcast, City: Springfield)
- Internal IP: 192.168.1.105 (via ARP scan same network)
- Domain IP: 198.51.100.10 (targetcompany.com via dig)

Time to Identify: 3 minutes (tracking pixel)
Accuracy: High

SEVERITY: CVSS 5.3 (Medium)
- External IP exposed user ISP/geolocation
- Internal IP allowed lateral movement assessment

RECOMMENDATIONS:
1. VPN for email access
2. Block image auto-loading in email clients
3. DLP scanning for tracking pixels
4. Network segmentation to limit lateral movement

Quick Reference


Method

Tool

Best For

Time

Tracking pixel

Python HTTP server

Phishing/social engineering

Instant

ARP scan

arp-scan

Same network

2 seconds

DNS resolution

dignslookup

Known domain

1 second

Email headers

Manual parse

Received cold email

2 minutes

Canary token

Any interaction

On click


Enroll In Online Cybersecurity & Hacking Classes/Courses | Black Hat HQ

Comments


bottom of page