Friday, March 22, 2013

Geographical IP Correlation, a tool!

TL;DR Version: I wrote a tool called GIPC (short for Geographical IP Correlation and pronounced Gypsy) which takes a list of IP address and returns the Geographical information you select based on the MaxMind.com GeoCity Database. Download here (Update, I've moved to SourceForge.com): https://sourceforge.net/projects/jcsocal/files/

Full Version:
As a security analyst, one of the first things I do when confronted with an unknown IP address is attempt to determine its physical location, called GeoLocation or GeoIP. Unfortunately, there is no mathematical calculation to determine the physical location. So, how does this work?

It starts with IANA (Internet Assigned Numbers Authority). IANA is the organization that allocates very large ranges to the RIR (Regional Internet Registries). These registries maintain the allocation of IP addresses for their respective regions. The graphic below shows both name of the registries and the regions they serve.


Source: wikipedia

From here, the RIR assigns blocks of IP addresses to ISPs (Internet Service Providers). The ISPs then assign IP addresses to their customers. It is essentially up to the ISP to provide the location of the demarcation point for that customer. In the even the exact physical location of the end customer is not provided, the ISP's location will be used instead. For the most part the ISP will be within the general vicinity of the actual location usually within 40 kilometers (based on MaxMind's statistics).

GeoLocation database providers typically mine data from WHOIS servers such as ARIN's WHOIS along with their own proprietary methods. Many of these methods are manual. MaxMind.com for instance provides a free database (which is needed for this tool to work) as well as an online demo here: http://www.maxmind.com/en/geoip_demo

With their demo, you can place up to 25 IP addresses in the list and get some decent location information. Below is a sample of the output for the IP 123.123.123.123 a notoriously known bad IP from China.

The above information is awesome, right? It even gives latitude and longitude coordinates to map the location. However, if you try the demo you may notice there is a 25 IP limit. Your may also notice that the data is not given to you in a very usable manner and you will need to copy and paste, as well as fix some formatting if you intended to use this for anything.

The fellows over at MaxMind provided a free copy of their GeoIP City database called GeoLite City which is less accurate. They also offer various APIs to query the information you need based on the IP you provide.  

Now, the lecture ends and the tool begins; enter GIPC (pronounced Gypsy): Geographical IP Correlation

The motivation for this tool was born of necessity. The output from the MaxMind Demo was great, but we don't have time to mess with a 25 IP limit and copy and pasting and then reformatting.

GIPC takes two inputs:
  1. The MaxMind GeoLite City database which you can download here
  2. A text file of IP addresses separated delimited by newlines

You can then toggle the headers on and off as well as the fields you need to display such as:
  • IP Address
  • City
  • Postal Code
  • Region
  • Area Code
  • Metro Code
  • 3 Letter Country Code
  • 2 Letter Country Code
  • Country Name 
  • Latitude
  • Longitude
  • Time Zone Continent
  • DMA Code (Designated Market Area)
Again, the accuracy of the information is dependent on a lot of variables.

The program can then display the results in 3 different ways:
  1. Display the results within the GUI
  2. Export the results to a CSV file
  3. Generate a Google Map html file that displays the aggregate IP count per country in an interactive map using the Google Chart Tool: Geomap Visualization.
Below is an image of the GUI itself:

Below is a sample picture of the google map (not interactive) of what this looks like. Please note that when you run the HTML file, it will connect to Google to fetch the javascript and images.

The GUI was written in Python using Tkinter as part of my personal project to learn how to write GUIs in Python. I compiled this into a Windows 32 bit executable that should run on Windows XP and 7 (I've tested these). I did this to stay in the spirit of the GUI, which with the various libraries that you would need in Python for this to operate smoothly, I could see someone becoming frustrated which isn't the spirit of the GUI; point and click!

Hope this helps,
JC

8 comments:

  1. Link above prompts a 404 from Github

    [https://github.com/JC-SoCal/GIPC/raw/master/GIPC32_1.4.zip] seems to work. I found that by just deleting everything after your user name (./JC-Socal/) and navigating the page. Clicking the Raw button once on the page that won't display it anyway downloads the file.

    ReplyDelete
    Replies
    1. Thanks! I've actually moved to SourceForge now ... https://sourceforge.net/projects/jcsocal/files/

      Delete
  2. P.S. Thank you for publishing this

    ReplyDelete
  3. Since when you host your stuff in Canada (referring to blogspot.ca)! Haha kick ass app JC keep up the crazy work. Im working on FPGA crypto cracking trying my hand at wep then going to move on to some more interesting cryptos like wpa and bluetooth pin cracking.

    ReplyDelete
  4. Thanks g4hsean! Any day you want to write a blog on your work! We need to find some time to get back to that x86 project we started.

    ReplyDelete
  5. Hello.
    What is IP File, and where can I download a list of IP addresses?

    ReplyDelete
  6. Hi dec909. The IP File is a text file with an ip address that you would like to look up on each line. This is a file that you create. You will also need the dat file which you can download and extract here: http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz

    ReplyDelete