IP Addresses Torn Apart By Ankit Fadia ankit@bol.net.in
____________________________________________________________________
 
Every system connected to the Internet or connected to a particular network has 
a unique Internet Protocol Address, or IP Address. Just as in the real world 
every person has his or her own Home Contact Address, similarly every system 
connected to the Internet has its own unique IP Address. Your IP Address is the 
address to which data should be sent to ensure that it reaches your system. The 
IP Address of a system acts as the system's unique identity on the net.
 
One of my earlier manuals described an IP Address in the following words: 
"Like in the real world everyone has got an individual Home Address or 
telephone number so that, that particular individual can be contacted on that 
number or address, similarly all computers connected to the Internet are given a 
unique Internet Protocol or IP address which can be used to contact that 
particular computer."
 
Now, that you know what exactly an IP Address is, let us move on to the 
structure of IP Addresses. 
 
An Internet Address (IP Address) is a 32-bit address or number, which is 
normally written as four decimal numbers (of 8 bits each), each separated from 
the other by a dot (decimal point). This standard is known as the dotted-decimal 
notation. 
 
Example: A Typical IP Address would be as follows: 202.34.12.23
It can be further broken down as: 
                202 representing the first 8-bits.
                34 representing the next 8-bits.
                12 representing the third 8-bits.
                23 representing the fourth 8-bits.
 
Thus when considered together 202.34.12.23 represents 32-bits. So basically we 
can conclude that each decimal number in an IP Address represents 1 byte or 8 
bits. It is important to note that each of these numbers can range from 0 to 
255.
 
There are a huge number of IP Addresses in use in the present day wired age. All 
these IP Addresses have some sort of relation with each other and each 
individual IP Address can reveal a lot of secrets about the Network, of which it 
is a part. Before we move on to that, we need to understand the fact that all IP 
Addresses being used are divided into a number of ranges, which are as follows:
 
                Class           Range
                  A             0.0.0.0 to 127.255.255.255
                  B             128.0.0.0 to 191.255.255.255
                  C             192.0.0.0 to 223.255.255.255
                  D             224.0.0.0 to 239.255.255.255
                  E             240.0.0.0 to 247.255.255.255
 
So, we can easily conclude that one can find out the Class to which an IP 
Address belongs to simply by comparing the numeral before the first decimal of 
the IP Address with the above table. 
 
For Example: In The IP Address 203.43.21.12, the number before the first decimal 
is 203 and the above table tells us that it belongs to Class C of the range of 
IP addresses.
 
The various IP Addresses are divided into the different classes on the basis of 
the structure of their Network or in other words on the basis of what the 
various numbers separated by decimals actually stand for. To understand this, 
let us refer to the following:
 
                Class           Information
                  A             It has the first 8-Bits for Netid and the last 
                                24-bits for Hostid
                  B             It has the first 16-Bits for Netid and the last 
                                16-bits for Hostid
                  C             It has the first 24-Bits for Netid and the last 
                                8-bits for Hostid
                  D             It represents a 32-bit multicast Group ID.
                  E             Currently not being used.
 
The above table will be clearer after reading the following examples:
 
Examples: 
 
If the IP Address 203.45.12.34 is treated as belonging to Class A, the network 
ID is 203 and the host ID is 45.12.34
 
If the same IP Address belonged to Class B, then the network ID would become 
203.45 and the host ID would become 12.34
 
And if it belonged to Class C then the network ID would become 203.45.12 and the 
host ID would become 34.
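 
The two tables above can be combined into a few lines of code. The following is 
an added example, not part of the original manual: it derives the class from the 
leading bits of the first octet (equivalent to the ranges in the first table) 
and splits an address into Netid and Hostid. The function names are chosen for 
this illustration only.

```python
# Leading-bit patterns equivalent to the range table above:
# A = 0-127, B = 128-191, C = 192-223, D = 224-239, E = 240-247.
CLASS_PREFIXES = [("A", "0"), ("B", "10"), ("C", "110"),
                  ("D", "1110"), ("E", "11110")]

# Number of leading octets that form the Netid; D and E have no such split.
NETID_OCTETS = {"A": 1, "B": 2, "C": 3}


def parse_octets(ip):
    """Return the four octets of a dotted-decimal address as integers."""
    parts = ip.split(".")
    ok = len(parts) == 4 and all(
        p.isascii() and p.isdigit() and int(p) <= 255 for p in parts
    )
    if not ok:
        raise ValueError("not a dotted-decimal IP address: %r" % ip)
    return [int(p) for p in parts]


def address_class(ip):
    """Return 'A'..'E' from the leading bits of the first octet."""
    first_octet_bits = format(parse_octets(ip)[0], "08b")
    for name, prefix in CLASS_PREFIXES:
        if first_octet_bits.startswith(prefix):
            return name
    return None  # 248-255 lies outside the range table


def split_classful(ip, cls=None):
    """Return (class, netid, hostid).

    Passing cls forces a class, which reproduces the "if the same IP
    Address belonged to Class B" examples from the text.
    """
    octets = [str(o) for o in parse_octets(ip)]
    cls = cls or address_class(ip)
    n = NETID_OCTETS.get(cls)
    if n is None:
        return cls, None, None
    return cls, ".".join(octets[:n]), ".".join(octets[n:])


def is_loopback(ip):
    """Class A network ID 127 is the loopback interface."""
    return parse_octets(ip)[0] == 127


if __name__ == "__main__":
    for forced in ("A", "B", "C"):
        print(split_classful("203.45.12.34", forced))
    print(address_class("203.43.21.12"), is_loopback("127.0.0.1"))
```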
 
Almost all ISPs prefer to use a Class B Network. If that is the case, then each 
time you log in to your ISP, the first 2 octets of your IP Address would not 
change, while the last two are likely to change. However, even if only the last 
octet changes, and the remaining three remain constant, it is likely that the 
ISP uses Class B addressing. (Subnetting comes in here; it is explained later in 
the manual.)
 
*****************
HACKING TRUTH:  How do you find out the IP Address of your own system? In order 
to get your own IP Address all you have to do is follow the below process:
 
Connect to the Internet.
Launch MSDOS.
Type: netstat -n at the prompt.
 
You will get an output similar to the below:
 
C:\WINDOWS>netstat -n
 
Active Connections
 
  Proto   Local Address          Foreign Address        State
  TCP    203.94.253.183:1025    64.4.13.56:1863        ESTABLISHED
  TCP    203.94.253.183:1031    209.143.242.119:80     ESTABLISHED 
 
The IP Address shown under the Local Address Field denotes the IP address of 
your system.
*****************
 
An IP Address, which belongs to the Class-A addressing system having a network 
ID equal to 127, is referred to as the special address. It is actually known as 
the Loopback Interface. It allows clients and servers on the same system to 
communicate with each other. 
 
The loopback address, which is commonly used, is 127.0.0.1. Almost all systems 
have also given the loopback address the special name localhost.
 
Till now we learnt that an IP Address is a decimal notation of a computer's 
address in the wired world. However, the address of a computer does not have to 
necessarily be in the decimal notation form. We will learn about the various 
forms of an IP Address in the following section.
 
An IP Address does not necessarily have to be represented in the dotted decimal 
form. There is more than a single way in which one can represent an IP Address. 
Some of these are as follows:
 
  Decimal System:  If an IP Address is being represented in the Decimal system, 
  then it means that it is being represented in the Base 10 system. The normal 
  IP Addresses are represented in the Decimal System. Example: 216.115.108.245 
 
  Domain Name System: If an IP Address is being represented in the form of human 
  recognizable characters and names then it is said to be in the form of DNS 
  system. Example: www.yahoo.com 
 
  DWORD Format: DWORD is short for double word. It basically consists of two 
  binary "words" (or lengths) of 16 bits. However, it is almost always 
  represented in the decimal number system i.e. having a base 10. Example: 
  D8736CF5, which when represented in the form of a decimal number system with 
  a Base 10 becomes 3631443189 
 
  Octal System:  If an IP Address is represented in the octal system, then it 
  means that it is being represented in the Base 8. Example: 33034666365 
 
  Hexadecimal System: If an IP Address is represented in the Hexadecimal System, 
  then it is actually being represented in the Base 16 system. 
 
  A Cross Breed: If an IP Address is being represented in a mixture of any two 
  of the above systems, then it is said to be a Cross Breed. 
 
All the examples portrayed above are some form or the other of the same address 
of the same system. What I mean to say by this is that typing any of the 
following in your browser will take you to the same site: www.yahoo.com , 
3631443189, 33034666365 and 216.115.108.245. The Binary form of this address, 
which is 11011000011100110110110011110101 may also work with certain 
applications. 
 
NOTE: Please note that not all of the above work in all browsers. And if you or 
your ISP has a Proxy or a firewall installed then some of the above may not 
work. The author does not hold any responsibility if any of the above fails to 
work.
 
Now that you have seen the various forms in which an IP Address can be 
represented, let us move on to how one can convert the domain name into the 
above different forms. 
 
To understand how the conversion works, let us take www.yahoo.com as the example 
domain. The first step in our quest to represent www.yahoo.com in various forms 
of IPs is to get its normal decimal-dotted IP Address.  One can easily get the 
IP Address of a domain by various methods like WHOIS, netstat, ping, traceroute 
etc.
 
In this manual, I have used ping to get the IP:
 
C:\WINDOWS>ping yahoo.com
 
Pinging yahoo.com [216.115.108.245] with 32 bytes of data:
 
Request timed out.
Request timed out.
Request timed out.
Request timed out.
 
The above output clearly shows that the IP Address of our example target 
system is 216.115.108.245. Now that we have the IP Address, let us move on to 
converting it into other forms.
 
In order to convert a dotted-decimal IP Address into its DWORD equivalent, one 
has to consider each of the numbers separated by dots on its own. So, in 
effect, 216.115.108.245 is broken down into:
 
216.115.108.245=
 
216
115
108
245
 
Now, first one has to convert the above decimals into their hexadecimal 
equivalents. This can easily be done by referring to the below Decimal into 
Hexadecimal chart (or vice versa):
 
 
    0   1   2   3   4   5   6   7   8   9   A   B   C   D   E   F
0  000 001 002 003 004 005 006 007 008 009 010 011 012 013 014 015
1  016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031
2  032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047
3  048 049 050 051 052 053 054 055 056 057 058 059 060 061 062 063
4  064 065 066 067 068 069 070 071 072 073 074 075 076 077 078 079
5  080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095
6  096 097 098 099 100 101 102 103 104 105 106 107 108 109 110 111
7  112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127
8  128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143
9  144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159
A  160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175
B  176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191
C  192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207
D  208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223
E  224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239
F  240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255
 
Thus we get:
 
216=D8
115=73
108=6C
245=F5
 
As a result, 216.115.108.245 = D8736CF5
 
It is important to note that D8736CF5 is the Hex equivalent of our IP and would 
always be an eight-character-long representation. However, as a DWORD value is 
represented in the base-10 system, we also need to convert it into the Decimal 
form. In order to do so, we need to follow the below process:
 
  Click on Start > Programs > Accessories > Calculator. 
  Click on View > Scientific 
  Now, select Hex from the right top corner and type in D8736CF5 in the field. 

  Then click on Dec (Decimal). You will find that the value that you typed in 
  would have changed to: 3631443189. 
 
Thus you now have the DWORD value represented in the Base-10 system.  Typing 
www.yahoo.com or 3631443189 or 216.115.108.245 in your browser would all take 
you to the same site. 
 
For all those of you to whom the above process seems to be extremely cumbersome, 
the following Perl Script does the same thing without the manual calculations:
_____________________________
 
#!/usr/bin/perl
# By Ben H. Originally by neeko.
# Usage: dword.pl [ -q | --quiet ] host/ip
#
 
use strict;
use warnings;
 
my $quiet = 0;
 
# An optional first argument switches off the "name = a.b.c.d =" prefix
if ( @ARGV && $ARGV[0] =~ /^(?:-q|--quiet)$/ ) {
   $quiet = 1;
   shift @ARGV;
}
if ( @ARGV < 1 ) {
   print "Usage: $0 [-q | --quiet] host\n";
   exit 1;
}
my $name = $ARGV[0];
 
# Get the IP, if a hostname is used; gethostbyname() is a Perl built-in
my @host = gethostbyname( $name ) or die "$0: cannot resolve $name\n";
 
# This parses the packed 4-byte result of gethostbyname into numbers
my @ip = unpack( 'C4', $host[4] );
if ( !$quiet ) {
   print "$name = $ip[0].$ip[1].$ip[2].$ip[3] = ";
}
 
# Weight the octets by 256^3, 256^2, 256^1 and 256^0 and add them up
my $dword = 0;
for my $octet (@ip) {
   $dword = $dword * 256 + $octet;
}
print "$dword\n";
exit;
____________________________
 
*******************
HACKING TRUTH: One can arrive at the DWORD in the base-10 value by the following 
mathematical formula too: 
 
IP Address= 216.115.108.245    (Found out Above)
Value of DWORD in Base-10 system: 3631443189 (Calculated) 
 
216 * 256^3 = 216 * 16777216 = 3623878656
115 * 256^2 = 115 * 65536    =    7536640
108 * 256^1 = 108 * 256      =      27648
245 * 256^0 = 245 * 1        =        245
 
Adding the last column we get: 3631443189, which is equal to the DWORD value 
that we calculated earlier.
*****************
 
Without closing the Windows Calculator, one can get the various other forms of 
the same IP Address (216.115.108.245) by simply selecting the corresponding 
number system. 
 
To get the Binary form of the IP Address, one needs to follow the below process:
 
  Click on Start > Programs > Accessories > Calculator. 
  Click on View > Scientific. 
  Now, select Hex from the right top corner and type in D8736CF5 in the field. 

  Then click on Bin (Binary). You will find that the value that you typed in 
  would have changed to: 11011000011100110110110011110101. 
 
Please note that most browsers do not accept IP Addresses in Binary. The only 
way to use them would be by converting them to their Decimal form, which would 
actually be nothing but the DWORD form represented in the base-10 system.
 
To get the Octal form of the IP Address (216.115.108.245), one needs to follow 
the below process:
 
  Click on Start > Programs > Accessories > Calculator. 
  Click on View > Scientific. 
  Now, select Dec and type in the first part of the IP Address i.e. 216. 
  Now, select Oct, this will give you the Octal equivalent (i.e. 330) of the 
  first part of the IP Address. 
  Note this down somewhere and follow the process for all parts of the IP 
  Address. 
 
Thus 216.115.108.245, would become:
 
216=330
115=163
108=154
245=365
 
Now, when you type the Octal equivalent of the IP Address in your browser, you 
have to precede each field with a 0. Thus in our example:
 
http://216.115.108.245 becomes http://0330.0163.0154.0365
 
One could also have used the below chart for the conversion process:
 
 
    0   1   2   3   4   5   6   7   8   9   A   B   C   D   E   F
0  000 001 002 003 004 005 006 007 010 011 012 013 014 015 016 017
1  020 021 022 023 024 025 026 027 030 031 032 033 034 035 036 037
2  040 041 042 043 044 045 046 047 050 051 052 053 054 055 056 057
3  060 061 062 063 064 065 066 067 070 071 072 073 074 075 076 077
4  100 101 102 103 104 105 106 107 110 111 112 113 114 115 116 117
5  120 121 122 123 124 125 126 127 130 131 132 133 134 135 136 137
6  140 141 142 143 144 145 146 147 150 151 152 153 154 155 156 157
7  160 161 162 163 164 165 166 167 170 171 172 173 174 175 176 177
8  200 201 202 203 204 205 206 207 210 211 212 213 214 215 216 217
9  220 221 222 223 224 225 226 227 230 231 232 233 234 235 236 237
A  240 241 242 243 244 245 246 247 250 251 252 253 254 255 256 257
B  260 261 262 263 264 265 266 267 270 271 272 273 274 275 276 277
C  300 301 302 303 304 305 306 307 310 311 312 313 314 315 316 317
D  320 321 322 323 324 325 326 327 330 331 332 333 334 335 336 337
E  340 341 342 343 344 345 346 347 350 351 352 353 354 355 356 357
F  360 361 362 363 364 365 366 367 370 371 372 373 374 375 376 377
 
********************
HACKING TRUTH: In an Octal IP Address there can be any number of zeros preceding 
the numbers, without resulting in a change in the address of the remote system. 
This means that http://0330.0163.0154.0365 can also be written as 
http://000330.000163.000154.000365
*******************
                
Typing www.yahoo.com or 3631443189 or 216.115.108.245 or 
http://0330.0163.0154.0365 in your browser would all take you to the same site.
 
One could also represent an IP address in its Hexadecimal form. Remember the Hex 
value that we obtained while converting 216.115.108.245 into its DWORD 
equivalent? Well, in this case we make use of that same value. We had calculated 
that:
 
216.115.108.245 = D8736CF5
 
Now, when we write an IP Address in Hexadecimal form, then we do so by writing 
the following (Preceding each value with a 0x which denotes that the following 
value is in Hexadecimal):
 
http://0xD8.0x73.0x6C.0xF5
 
The above could also be written as: http://0xD8736CF5
 
Note: Most versions of Netscape do not Support Hexadecimal IP Addresses.
 
Thus, typing www.yahoo.com or 3631443189 or 216.115.108.245 or 
http://0330.0163.0154.0365 or http://0xD8.0x73.0x6C.0xF5 or http://0xD8736CF5 in 
your browser would all take you to the same site.
 
You can create a cross breed by combining any one or more of the above formats. 
However, one has to keep in mind the browser compatibility while doing so. 
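 
Because one address has so many spellings, a URL filter or log search that 
compares hosts as plain strings will miss most of them. The following is an 
added example, not part of the original manual: it reduces the numeric forms 
shown above (DWORD, octal with leading zeros, hex, cross breeds) to dotted 
decimal before comparing. It goes slightly beyond the text by also accepting 
the two- and three-field forms of the classic inet_aton() parsing rules; the 
function names and the sample URL list are constructed for this illustration.

```python
import re
from urllib.parse import urlsplit

_HEX = re.compile(r"0[xX][0-9a-fA-F]+\Z")   # 0xD8, 0xD8736CF5
_OCT = re.compile(r"0[0-7]*\Z")             # 0330, 000330, 0
_DEC = re.compile(r"[1-9][0-9]*\Z")         # 216, 3631443189


def parse_field(text):
    """Return the value of one dot-separated field, or None if not numeric."""
    if _HEX.match(text):
        return int(text, 16)
    if _OCT.match(text):
        return int(text, 8)
    if _DEC.match(text):
        return int(text, 10)
    return None


def canonical_ipv4(host):
    """Return dotted decimal for any numeric spelling of an IP, else None."""
    fields = host.split(".")
    if not 1 <= len(fields) <= 4:
        return None
    values = [parse_field(f) for f in fields]
    if any(v is None for v in values):
        return None
    *leading, last = values
    # Every field but the last is one byte; the last fills the bytes left over.
    if any(v > 0xFF for v in leading):
        return None
    remaining = 4 - len(leading)
    if last >= 256 ** remaining:
        return None
    dword = 0
    for v in leading:
        dword = dword * 256 + v
    dword = dword * 256 ** remaining + last
    return ".".join(str((dword >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def blocked_urls(urls, blocked_ips):
    """Return the URLs whose host is a numeric form of a blocked address."""
    hits = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        if canonical_ipv4(host) in blocked_ips:
            hits.append(url)
    return hits


# Constructed sample: the spellings of 216.115.108.245 used in this manual.
SAMPLE_URLS = [
    "http://216.115.108.245/",
    "http://3631443189/",
    "http://0330.0163.0154.0365/",
    "http://000330.000163.000154.000365/",
    "http://0xD8.0x73.0x6C.0xF5/",
    "http://0xD8736CF5/",
    "http://0xD8.115.0154.245/",     # cross breed
    "http://www.yahoo.com/",         # a name, not a numeric form
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", canonical_ipv4(urlsplit(url).hostname))
```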
 
Obtaining the IP Address of other systems
 
The most common method of getting the IP Address of other systems, is through 
Instant Messaging Software like ICQ, MSN Messenger, Yahoo Messenger, AIM etc. In 
this manual we briefly discuss them all.
 
I Seek You or ICQ is one of the most popular chatting software around. With it 
not only comes easy pastime, but also security concerns. ICQ has an inbuilt IP 
Address Hider, which when enabled is supposedly able to hide your IP from the 
users you are chatting with. However, like most IP Hiding software, this too is 
nowhere near good. You can find out the IP Address of any ICQ user, even if IP 
Hiding has been enabled, by following the below process.
 
1.)      Launch MSDOS and type netstat -n to get a list of already open ports 
and the IPs of the machines with which a connection has been established. Note 
down this list somewhere.
2.)      Now, launch ICQ and send a message to the victim. 
3.)      While you are still chatting, go back to DOS and again give the netstat 
-n command. You will find a new IP signifying a new connection. This would 
be the IP Address of the victim. 
 
This method of obtaining the IP Address of the person with whom you are 
chatting is quite common. However, it works only with ICQ and other select 
Instant Messengers. It certainly does not work with MSN Messenger and Yahoo 
Messenger etc. The main reason behind this is the difference in the working of 
ICQ and MSN Messenger. 
 
Let us assume that your IP Address is xx.xx.xx.xx and your friend's IP Address 
is yy.yy.yy.yy
 
Case I (ICQ):
 
Whenever you start a chat session with your friend in ICQ a direct connection 
between you and your friend is opened by the ICQ software with the help of the 
ICQ server. Thus all messages that you type are sent in the following manner:
 
                xx.xx.xx.xx ------------------ yy.yy.yy.yy
                   (you)                        (friend)
 
And all the messages that your friend types, reach you in the following manner:
 
                yy.yy.yy.yy ------------------ xx.xx.xx.xx
                  (friend)                        (you)
 
Thus a direct connection has been established between your system (xx.xx.xx.xx) 
and your friend's system (yy.yy.yy.yy). As a result, when you give the netstat 
-n command, you can obtain his IP Address.
 
Case II (MSN Messenger):
 
Whenever you start a chat session with your friend in MSN Messenger an indirect 
connection between you and your friend is opened via the MSN Server. Thus all 
messages that you type first go to the MSN server which then forwards them to 
your friend and vice versa. Communication takes place in the following manner:
 
        xx.xx.xx.xx ---------- MSN Server ---------- yy.yy.yy.yy
           (you)                                       (friend)
 
And all the messages that your friend types, reach you in the following manner:
 
        yy.yy.yy.yy ---------- MSN Server ---------- xx.xx.xx.xx
          (friend)                                      (you)
 
Thus, as an indirect connection has been established between your system 
(xx.xx.xx.xx) and your friend's system (yy.yy.yy.yy), giving the netstat -n 
command does not give you your friend's IP, but instead displays the IP address 
of the MSN server.
 
The same is the case for Yahoo Messenger and also some other Messaging Software. 
 
However, even such utilities are vulnerable to giving away the IP Address of the 
target system on issuing the netstat -n command. All one has to do is (Please 
note that I am using MSN Messenger as an example) :
 
  Get the victim to come online. 
  Then use the inbuilt File Transfer Facility to send a file to the victim. 
  When he accepts the file transfer and the transfer starts, launch MSDOS and 
  give the netstat -n command. This will reveal his IP because when files are 
  being transferred, a direct connection exists between you and the victim. That 
  is, there is no mediator MSN Server between you and the victim. 
 
The same will work if you send a Request for a Call and the victim accepts it.
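 
The same before-and-after comparison tells you when your own messaging client 
has opened a direct connection, and therefore shown your address to the other 
side. The following is an added example, not part of the original manual: it 
parses two netstat -n listings and separates new connections to known relay 
servers from new direct ones. The first listing is the sample output shown 
earlier; the added rows, the relay address 192.0.2.10 and the function names are 
constructed for this illustration.

```python
import re

# One connection row of `netstat -n`:
# protocol, local address:port, foreign address:port, state
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\d+\.\d+\.\d+\.\d+):(\d+)"
    r"\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)\s*$"
)


def foreign_endpoints(netstat_output, state="ESTABLISHED"):
    """Return the set of (foreign address, foreign port) in the given state."""
    found = set()
    for line in netstat_output.splitlines():
        m = ROW.match(line)   # headers and blank lines do not match
        if m and m.group(6) == state:
            found.add((m.group(4), int(m.group(5))))
    return found


def new_peers(before, after, relays=()):
    """Classify endpoints that appear only in the second listing.

    "relayed" endpoints belong to a known server (Case II in the text);
    "direct" endpoints are peers that now see your address (Case I).
    """
    fresh = foreign_endpoints(after) - foreign_endpoints(before)
    return {
        "relayed": sorted(e for e in fresh if e[0] in relays),
        "direct": sorted(e for e in fresh if e[0] not in relays),
    }


# Listing taken before the chat session (sample output from this manual).
BEFORE = """
Active Connections

  Proto   Local Address          Foreign Address        State
  TCP    203.94.253.183:1025    64.4.13.56:1863        ESTABLISHED
  TCP    203.94.253.183:1031    209.143.242.119:80     ESTABLISHED
"""

# Constructed listing after a chat and a file transfer have started.
AFTER = BEFORE + """\
  TCP    203.94.253.183:1040    192.0.2.10:1863        ESTABLISHED
  TCP    203.94.253.183:1041    198.51.100.7:6891      ESTABLISHED
  TCP    203.94.253.183:1042    198.51.100.9:80        TIME_WAIT
"""

if __name__ == "__main__":
    print(new_peers(BEFORE, AFTER, relays={"192.0.2.10"}))
```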
 
Besides Instant Messengers, there are some other ways in which one can get 
someone else's IP Address. Say you have a site and want to get the IP Addresses 
of all the people who visit your site, then the following script can be modified 
to create a file which records them all:
 
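<HTML>
<BODY>
<SCRIPT>
 // Relies on the LiveConnect Java bridge of Netscape-era browsers.
 // getLocalHost() is a static method, so it is called without "new".
 var ip = java.net.InetAddress.getLocalHost();
 // toString() yields "hostname/address"; keep the part after the slash.
 var ipStr = String(ip.toString());
 document.writeln(ipStr.substring(ipStr.indexOf("/")+1));
</SCRIPT>
</BODY>
</HTML>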
 
With that we come to the end of the first edition of the IP Addresses Torn Apart 
manual. In the next edition we will go deeper into the secrets of IP Addresses 
and their structures and workings. Hope you liked this manual and do send in 
your comments. Thanks and till next time, take care.
 
 Ankit Fadia
ankit@bol.net.in
http://hackingtruths.box.sk
 


