Identifying the ownership of a website

This is a quick step-by-step guide to identifying the coordinates of an Internet web site (IP address, registration data, connectivity and name service provider).

Step 0 Download a copy of the website (if required for investigation purposes)

You can do that with wget (-m mirrors the site recursively, -k rewrites links for local viewing, -K keeps a backup of each rewritten file, -E adds .html extensions), then compress the copy with tar and gzip and keep an md5 hash of the archive:

wget -m -k -K -E webname
tar -cf webname.tar *
gzip webname.tar
(or do the last two steps in one go with tar -czvf webname.tar.gz *)
md5sum webname.tar.gz > webname.tar.gz.md5

Step 1 Obtaining the IP address of the site (e.g. with www.google.com)
Launch an nslookup query (on Linux or Windows) to get the IP address of the site:

$ nslookup www.google.com

An alternative to this command is

$ dig +qr www.google.com

There are many sites providing online nslookup services, e.g.
http://centralops.net/asp/co/NsLookup.vbs.asp
http://www.kloth.net/services/dig.php

If you need the IP address of a name server to query directly, some examples are

142.77.1.1
193.196.32.1
208.07.222.222
129.206.100.126
70.84.161.11

Step 2 Determine the owner of the IP address
Go to the ARIN whois service, enter the IP address from step 1, and you will read something like NetType: Allocated to RIPE NCC. The RIPE NCC is one of five Regional Internet Registries (RIRs) providing Internet resource allocations, registration services and co-ordination activities that support the operation of the Internet globally. Others are AfriNIC, APNIC, LACNIC, RIPE and InterNIC.

Step 3 Obtain the hosting company name
Go to the Internet registry that the previous step signalled as owner of the requested IP range, e.g. http://www.db.ripe.net/whois/, and enter the same IP address. You will get the hosting company.

Step 4 Name service provider
$ dig +qr www.website NS
(ns in lower case will also work; this lists the authoritative name servers for that website)
Search the Internet for information on the name service (company name and contact point).
More on this command:
$ dig +qr www.website MX (tells about the mail server associated with the site)
$ dig +qr www.website A (tells the IP address of the site)
$ dig +qr www.website ANY (provides a subset of the three commands above)

This step tells us which authoritative name servers provide the name for the website (on occasion the name service provider differs from the hosting company).
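The following script is an added example, not part of the original guide: it runs steps 1 to 4 against one hostname and keeps the raw dig and whois output in a report hashed with md5sum, as step 0 does for the mirrored copy. It assumes dig, whois and md5sum are installed; the whois parsing relies on the NetType line quoted in step 2 and on ARIN's ReferralServer line (an assumption about ARIN's output layout), and the sample outputs at the end are constructed, not real captures.

```shell
#!/bin/sh
# Added example: collect a site's coordinates (steps 1-4) into a hashed evidence file.
# Assumes dig, whois and md5sum exist; whois layout follows the "NetType:" line the
# guide quotes plus ARIN's "ReferralServer:" line (assumption about ARIN output).

# Print the answer values of one record type from dig output (+qr or +noall +answer).
# Comment lines start with ';' and are skipped; MX answers carry a priority in $5.
dig_records() {   # $1 = dig output, $2 = type (A, NS, MX)
  printf '%s\n' "$1" | awk -v t="$2" '
    /^;/ { next }
    $3 == "IN" && $4 == t { v = (t == "MX") ? $6 : $5; print v }'
}

# Summarise which registry holds the block, from the ARIN whois text.
whois_registry() {   # $1 = whois output
  printf '%s\n' "$1" | awk '
    /^NetType:/        { sub(/^NetType:[ \t]*/, "");        nt = $0 }
    /^ReferralServer:/ { sub(/^ReferralServer:[ \t]*/, ""); rs = $0 }
    END { s = nt; if (rs != "") s = s " via " rs; print s }'
}

# Live collection: A record -> block owner at ARIN -> NS and MX, then md5 the report.
collect_site() {   # $1 = hostname, e.g. www.example.com
  host=$1; out="$host.coords.txt"
  {
    echo "## $(date -u +%FT%TZ) $host"
    a=$(dig +qr "$host" A); echo "$a"
    for ip in $(dig_records "$a" A); do
      w=$(whois -h whois.arin.net "$ip"); echo "$w"
      echo "## $ip registry: $(whois_registry "$w")"
    done
    dig +qr "$host" NS
    dig +qr "$host" MX
  } > "$out"
  md5sum "$out" > "$out.md5"
  echo "$out"
}

# Constructed sample output (not a real capture) so the parsers can run offline.
SAMPLE_DIG=';; ANSWER SECTION:
www.example.com. 300 IN A 203.0.113.10
www.example.com. 300 IN NS ns1.example.net.
www.example.com. 300 IN MX 10 mail.example.net.'
SAMPLE_WHOIS='NetRange:       203.0.113.0 - 203.0.113.255
NetType:        Allocated to RIPE NCC
ReferralServer: whois://whois.ripe.net'

if [ -n "${1:-}" ]; then collect_site "$1"
else dig_records "$SAMPLE_DIG" NS; whois_registry "$SAMPLE_WHOIS"; fi
```

Run it with a hostname to write hostname.coords.txt and its .md5 beside it; without arguments it only exercises the parsers on the constructed samples.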

N.B. Thanks to Melkiades for his help on this entry.
