How To Find Someone's IP Address
- Biohazard

- 1 day ago
- 4 min read

Finding Someone's IP Address
IP discovery is a core recon technique. Here are all the methods, from passive OSINT to active network attacks. This article/guide is on how to find someone's IP Address.
Passive Methods (No Direct Contact)
Email Headers
When the target emails you, the originating IP is in the headers:
bash
# Gmail/Outlook: Show Original → look for "Received: from [IP]"
# CLI extraction:
curl -s "https://api.emailrep.io/$EMAIL" | jq . # Check sender reputation
# Parse headers manually:
cat email_headers.txt | grep "Received: from" | head -1 | grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
Limitation: Gmail/Outlook show their own servers, not the sender's IP.
Website/Server IP (if target owns a domain)
bash
# DNS resolution
nslookup targetcompany.com
dig +short targetcompany.com
host targetcompany.com
# Find all IPs behind a domain
nmap -sn targetcompany.com/24 # Scan the subnet
whois $(dig +short targetcompany.com) # ISP/hosting info
# Subdomain enumeration (find more IPs)
dnsrecon -d targetcompany.com -t std
sublist3r -d targetcompany.com
Social Media / Forum Profile
bash
# If target posted on forums: view profile → IP logged by forum admin
# If you have forum access:
grep -r "targetusername" /var/log/httpd/access.log | awk '{print $1}' | sort -u
# Exif data from photos they posted
exiftool photo.jpg | grep -i "GPS\|IP"Active Methods (Target Will Interact)
Link/Image Tracker (Most Reliable)
Host a 1x1 transparent pixel on your server. When target loads it, your server logs their IP.
Setup:
bash
# 1. Set up tracking image
echo '<img src="http://YOUR_SERVER/tracker.png" width="1" height="1">' > email.html
# 2. Monitor access logs
sudo tail -f /var/log/apache2/access.log | grep "tracker.png"
# OR real-time:
sudo tcpdump -i eth0 port 80 -A | grep "tracker.png"
One-liner Python tracker:
python
# tracker.py — run on your server
from http.server import HTTPServer, BaseHTTPRequestHandler
import datetime
class Tracker(BaseHTTPRequestHandler):
def do_GET(self):
if "track" in self.path:
ip = self.client_address[0]
ua = self.headers.get('User-Agent', '')
ref = self.headers.get('Referer', '')
print(f"[{datetime.datetime.now()}] IP: {ip} | UA: {ua} | Ref: {ref}")
self.send_response(200)
self.end_headers()
HTTPServer(('0.0.0.0', 80), Tracker).serve_forever()
Canary Tokens / Webhooks
bash
# Use canarytokens.org or your own token server:
# Generate URL: http://YOUR_SERVER/unique_token
# Send to target — click reveals IP
# Self-hosted canary:
echo "Target clicked at $(date)" >> /var/log/canary.log
Phishing Link (Authorized Social Engineering)
bash
# Set up Gophish campaign
# Landing page: "Check out this document"
# Behind the scenes: loads 1x1 pixel from your server
# Or simpler: URL shortener with tracking
# bit.ly → add "?utm_source=tracking" → analytics show IPsNetwork-Level (Target on Same Network)
ARP Scan (Same Subnet)
bash
# If you're on the same WiFi/LAN
sudo arp-scan --localnet
# OR
nmap -sn 192.168.1.0/24 # Ping sweep
sudo nmap -PR 192.168.1.0/24 # ARP ping (most reliable same-subnet)
Monitor ARP Table
bash
# Real-time ARP monitoring
sudo arpwatch -i eth0
# OR continuous:
while true; do arp -a; sleep 5; done
DHCP Lease Log (If Admin Access)
bash
# Check DHCP server for target's MAC → IP mapping
cat /var/lib/dhcp/dhcpd.leases | grep -A 10 "target_mac"VoIP / Communication Services
Discord/Teamspeak/Skype
bash
# Discord: when target joins voice channel → run:
netstat -an | grep ESTABLISHED | grep :443
# Skype resolver (historical):
# skype.com/en/skype-resolver-tool/ (check if active)
# Zoom: meeting participant IPs visible in traffic dump
tcpdump -i eth0 -n host zoom_client_ip
Game Servers
bash
# If target plays games:
# Connect to same server → netstat -an | grep ESTABLISHED
# Query server: https://www.opentracker.net/ or server query toolsReal-Time Tracking Script
bash
#!/bin/bash
# track_ip.sh — Multi-method IP discovery
TARGET_EMAIL="$1"
TRACKER_SERVER="YOUR_SERVER_IP"
LOG_FILE="ip_discovery.log"
echo "[*] Starting IP discovery for: $TARGET_EMAIL" | tee $LOG_FILE
# Method 1: Start tracker
echo "[*] Starting HTTP tracker on port 80..."
python3 tracker.py &
# Method 2: ARP scan (local)
echo "[*] Searching local subnet..."
sudo arp-scan --localnet | tee -a $LOG_FILE
# Method 3: DNS lookup if domain
if echo $TARGET_EMAIL | grep -q "@"; then
DOMAIN=$(echo $TARGET_EMAIL | cut -d@ -f2)
echo "[*] Resolving domain: $DOMAIN"
dig +short $DOMAIN | tee -a $LOG_FILE
fi
# Method 4: Wait for tracker hit
echo "[*] Waiting for target to open tracking link..."
echo "Send this link to target: http://$TRACKER_SERVER/track?id=pentest001"Detection & Countermeasures
Method | Detection | Target Can Prevent |
Email headers | Trivial | Use VPN/proxy when sending |
Tracking pixels | Hard (1x1 invisible) | Image blocking, proxies |
Phishing links | Easy if trained | Hover before click |
ARP scan | Local network only | Network segmentation |
DNS resolution | Public info | Cloudflare proxy (masks IP) |
Reporting Template
FINDING: Internal/External IP Discovery
=========================================
Target: jdoe@targetcompany.com
Method Used: Tracking pixel in authorized phishing email
Results:
- External IP: 203.0.113.42 (ISP: Comcast, City: Springfield)
- Internal IP: 192.168.1.105 (via ARP scan same network)
- Domain IP: 198.51.100.10 (targetcompany.com via dig)
Time to Identify: 3 minutes (tracking pixel)
Accuracy: High
SEVERITY: CVSS 5.3 (Medium)
- External IP exposed user ISP/geolocation
- Internal IP allowed lateral movement assessment
RECOMMENDATIONS:
1. VPN for email access
2. Block image auto-loading in email clients
3. DLP scanning for tracking pixels
4. Network segmentation to limit lateral movementQuick Reference
Method | Tool | Best For | Time |
Tracking pixel | Python HTTP server | Phishing/social engineering | Instant |
ARP scan | arp-scan | Same network | 2 seconds |
DNS resolution | dig, nslookup | Known domain | 1 second |
Email headers | Manual parse | Received cold email | 2 minutes |
Canary token | Any interaction | On click |






Comments