# Tools
## nslookup
### Possible information
* IP owner company
* IP purpose
* Website domain from PTR record
Nslookup can provide useful information on an IP when a PTR record is present.
This lookup shows that the IP is allocated to something on the Optus network.
![[CleanShot 2022-10-25 at 10.29.47.png]]
This lookup is a bit more useful in that it implies the IP is statically assigned to an AMNET DSL customer.
![[CleanShot 2022-10-25 at 10.32.38.png]]
## whois
### Possible information
* IP owner company
* Geographical information
Whois provides ownership and assignment information for an IP or range, as well as some geographical information about the allocation.
![[CleanShot 2022-10-25 at 10.39.07 1.png]]
## Routing/Peering Info: RADB and other databases such as APNIC NetOX
### Possible information
* More fine-grained information about the network, such as usage or more detailed network descriptions.
Routing info can show associated networks within a larger network, which can hint at the usage of the IP.
In the example below, the whois information for the queried network shows a description of Optus Internet but doesn't indicate whether it is a retail allocation etc.
![[CleanShot 2022-10-25 at 10.45.36.png]]
We can potentially glean more information by querying RADB (https://www.radb.net/).
![[CleanShot 2022-10-25 at 10.48.36.png]]
## Open Threat Intelligence platforms (OTX/Xforce)
### Possible information
* Threat information
* Geographical information
* IP owner company
* IP history
* Passive DNS
These platforms often track information about an IP using passive DNS (forward resolutions that return this IP), whois history, and information from members of the platform.
Below is an example of a search for a Telstra IP on IBM's X-Force Exchange.
![[CleanShot 2022-10-25 at 10.50.13.png]]
## Google
### Possible information
* Varies
Googling an IP directly can immediately yield the answer you are looking for.
In the example below, the IP may have triggered an alert in a SIEM solution and you've not seen it before.
![[CleanShot 2022-10-25 at 10.52.51.png]]
DO NOT accept results that are not exact matches for the IP as sources of information. Below is an example of a result you should disregard.
![[CleanShot 2022-10-25 at 10.56.39.png]]
# How to Use This
Generally, I would suggest working through each option until you receive a conclusive indication of what you're looking for.
For example, if you were simply looking for the country an IP is assigned to, a WHOIS search is most likely enough. If you were investigating something suspicious, you may lean towards using Google and threat intelligence platforms.
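As an added example (not part of the original note), a small Python helper that parses the nslookup and whois output described above into one triage summary, reads assignment hints such as "static" or "dsl" out of the PTR hostname, and applies the exact-match rule from the Google section; the sample outputs, ISP name and PTR keyword table are constructed for this example.

```python
import re

# Constructed sample outputs (not real lookups); the IP is from the 203.0.113.0/24
# documentation range and the ISP name is invented for this example.
NSLOOKUP_STATIC_DSL = """Non-authoritative answer:
8.113.0.203.in-addr.arpa\tname = 203-0-113-8.static.dsl.example-isp.net.
"""
NSLOOKUP_NO_PTR = "** server can't find 9.113.0.203.in-addr.arpa: NXDOMAIN\n"
WHOIS_EXAMPLE = """netname:        EXAMPLE-ISP-DSL
descr:          Example ISP Pty Ltd
descr:          Static DSL customer pool
country:        AU
"""
# Hostname fragments ISPs commonly put in PTR records; a hint, not proof.
PTR_HINTS = {"static": "static", "dyn": "dynamic", "dsl": "dsl",
             "cable": "cable", "nbn": "nbn", "vps": "hosting"}

def parse_ptr(nslookup_output):
    """Return the PTR hostname from nslookup output, or None when no record exists."""
    if "NXDOMAIN" in nslookup_output:
        return None
    m = re.search(r"name = (\S+?)\.?$", nslookup_output, re.MULTILINE)
    return m.group(1) if m else None

def classify_ptr(hostname):
    """Map keywords in the PTR hostname to assignment hints (e.g. static DSL)."""
    if not hostname:
        return set()
    return {hint for key, hint in PTR_HINTS.items() if key in hostname.lower()}

def parse_whois(whois_output):
    """Parse 'key: value' whois lines; repeated keys such as descr keep every value."""
    fields = {}
    for line in whois_output.splitlines():
        m = re.match(r"^([a-z-]+):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields

def exact_ip_match(text, ip):
    """True only if the IP appears as a whole token: 203.0.113.8 must not match 203.0.113.80."""
    return re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", text) is not None

def triage_ip(ip, nslookup_output, whois_output):
    """Combine PTR and whois findings into one summary for the analyst."""
    ptr = parse_ptr(nslookup_output)
    w = parse_whois(whois_output)
    return {"ip": ip, "ptr": ptr, "hints": sorted(classify_ptr(ptr)),
            "owner": w.get("descr", [None])[0], "country": w.get("country", [None])[0]}
```

Feed it the real `nslookup` and `whois` output for the IP under investigation to get the same summary; the PTR hints only narrow the picture and should be confirmed against the whois description.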