homepage
Open menu
Go one level top
  • Train and Certify
    Train and Certify

    Immediately apply the skills and techniques learned in SANS courses, ranges, and summits

    • Overview
    • Courses
      • Overview
      • Full Course List
      • By Focus Areas
        • Cloud Security
        • Cyber Defense
        • Cybersecurity and IT Essentials
        • DFIR
        • Industrial Control Systems
        • Offensive Operations
        • Management, Legal, and Audit
      • By Skill Levels
        • New to Cyber
        • Essentials
        • Advanced
        • Expert
      • Training Formats
        • OnDemand
        • In-Person
        • Live Online
      • Course Demos
    • Training Roadmaps
      • Skills Roadmap
      • Focus Area Job Roles
        • Cyber Defence Job Roles
        • Offensive Operations Job Roles
        • DFIR Job Roles
        • Cloud Job Roles
        • ICS Job Roles
        • Leadership Job Roles
      • NICE Framework
        • Security Provisionals
        • Operate and Maintain
        • Oversee and Govern
        • Protect and Defend
        • Analyze
        • Collect and Operate
        • Investigate
        • Industrial Control Systems
    • GIAC Certifications
    • Training Events & Summits
      • Events Overview
      • Event Locations
        • Asia
        • Australia & New Zealand
        • Latin America
        • Mainland Europe
        • Middle East & Africa
        • Scandinavia
        • United Kingdom & Ireland
        • United States & Canada
      • Summits
    • OnDemand
    • Get Started in Cyber
      • Overview
      • Degree and Certificate Programs
      • Scholarships
    • Cyber Ranges
  • Manage Your Team
    Manage Your Team

    Build a world-class cyber team with our workforce development programs

    • Overview
    • Why Work with SANS
    • Group Purchasing
    • Build Your Team
      • Team Development
      • Assessments
      • Private Training
      • Hire Cyber Professionals
      • By Industry
        • Health Care
        • Industrial Control Systems Security
        • Military
    • Leadership Training
  • Security Awareness
    Security Awareness

    Increase your staff’s cyber awareness, help them change their behaviors, and reduce your organizational risk

    • Overview
    • Products & Services
      • Security Awareness Training
        • EndUser Training
        • Phishing Platform
      • Specialized
        • Developer Training
        • ICS Engineer Training
        • NERC CIP Training
        • IT Administrator
      • Risk Assessments
        • Knowledge Assessment
        • Culture Assessment
        • Behavioral Risk Assessment
    • OUCH! Newsletter
    • Career Development
      • Overview
      • Training & Courses
      • Professional Credential
    • Blog
    • Partners
    • Reports & Case Studies
  • Resources
    Resources

    Enhance your skills with access to thousands of free resources, 150+ instructor-developed tools, and the latest cybersecurity news and analysis

    • Overview
    • Webcasts
    • Free Cybersecurity Events
      • Free Events Overview
      • Summits
      • Solutions Forums
      • Community Nights
    • Content
      • Newsletters
        • NewsBites
        • @RISK
        • OUCH! Newsletter
      • Blog
      • Podcasts
      • Summit Presentations
      • Posters & Cheat Sheets
    • Research
      • White Papers
      • Security Policies
    • Tools
    • Focus Areas
      • Cyber Defense
      • Cloud Security
      • Digital Forensics & Incident Response
      • Industrial Control Systems
      • Cyber Security Leadership
      • Offensive Operations
  • Get Involved
    Get Involved

    Help keep the cyber community one step ahead of threats. Join the SANS community or begin your journey of becoming a SANS Certified Instructor today.

    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    About

    Learn more about how SANS empowers and educates current and future cybersecurity practitioners with knowledge and skills

    • SANS
      • Overview
      • Our Founder
      • Awards
    • Instructors
      • Our Instructors
      • Full Instructor List
    • Mission
      • Our Mission
      • Diversity
      • Scholarships
    • Contact
      • Contact Customer Service
      • Contact Sales
      • Press & Media Enquiries
    • Frequent Asked Questions
    • Customer Reviews
    • Press
    • Careers
  • Contact Sales
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. Pen Test Poster: "White Board" - Bash - What's My Public IP Address?
370x370_Matthew-Toussain.jpg
Matthew Toussain

Pen Test Poster: "White Board" - Bash - What's My Public IP Address?

February 2, 2017

Board-Elements

Introduction

After hours of digging, you finally reach your goal and exclaim, "I GOT SHELL!" You brush the dirt off your shoulders and suddenly wonder, "Now what?" Fortunately, if it's a Unix system, we can leverage the rich functionality that comes with Bash in order to move our pentest along whilst maintaining our shadowy veil.

Let's first take a moment to evaluate a few potential use cases. The system's external IP address is often a key piece of information for us to consider. It can help us continually appraise our intrusion campaign to maintain awareness of what systems become compromised so that we remain within the narrow scope of our test. Alternately, we might launch an attack against a DNS name that resolves to multiple host IP addresses on the far end and we need to determine which specific IP address we've compromised in order to leverage that access to move laterally within the target environment. Why not just check the IP address assigned to the network interface? As penetration testers most systems we engage live behind a firewall in a Network Address Translation, or NAT environment. In these situations a system's internal IP address may not accurately reflect how they appear on the Internet. Either way, determining ?where' this box is a solid first step in any post-compromise scenario. Let's look at the some common ways to get this info.

Methods Covered in this Section

curl: 

curl -4 icanhazip.com

wget: 

wget -qO- ifconfig.me/ip

dig: 

dig +short myip.opendns.com @resolver1.opendns.com

telnet: 

telnet myip.gelma.net

telnet + nc: 

nc -vlp 9000
telnet [hostname/IP Address] 9000

telnet web client: 

telnet ipecho.net 80
GET /plain HTTP/1.1
HOST: ipecho.net

ftp:

 echo close | ftp ifcfg.me

PowerShell:

 Invoke-RestMethod http://ipinfo.io/json | Select -exp ip
whatsmyip

So many options...

For a typical user learning their public IP address is often as simple as a Google search for: ?what's my IP'. For us this might also be a viable option however, as pentesters, we're often confronted with terminal access as opposed to a graphical user interface and web browser. It might seem like a limitation, but with Bash, there is no such thing! There are tons of different utilities that can reach out and get the info we're interested in. Let's begin by targeting the simplest and most effective options:

  • IP identification with command line web access utilities
    • curl
    • wget
  • Using DNS to determine our IP address
    • dig

Command Line HTTP External IP Identification

On differentiated Unix type operating systems there are generally two major command line utilities for downloading the content of websites: curl and wget. Depending on which specific flavor is used (e.g. Mac OSX, Ubuntu, etc.), only one or potentially both will be available. For continuity's sake we'll discuss both:

Command Breakdown

curl: 

curl -4 icanhazip.com
whatsmyip
1. curl - Command line tool that can make web request
2. -4 - Option for curl to prefer IPv4 addresses over IPv6 for domain resolution
3. icanhazip.com - Public domain that returns an IP address when queried

Command Breakdown

wget: 

wget -qO- ifconfig.me/ip
whatsmyip

1. wget - Command line tool that can make web request
2. -q - Option for wget to run in quiet mode suppressing status output
3. -O - Option for output - specifies stdout as the output type (O not zero)
4. ifconfig.co/ip - Public domain that returns an IP address when queried

    Occasionally, arbitrary outbound http access is not available. For instance, a network that requires authentication to join could use network access controls (NAC) to redirect all unauthenticated web traffic to a captive portal. Networks using authenticated proxies or whitelisting controls can also provide egress challenges. In these situations outbound DNS traffic is often still required and therefore available. In these cases the dig command has got you covered!

    Command Breakdown

    dig: 

    dig +short myip.opendns.com @resolver1.opendns.com
    whatsmyip
    1. dig - Command line tool for interrogating DNS name servers
    2. +short - Option for dig to provide an abbreviated response
    3. myip.opendns.com - Host to resolve
    4. @resolver1.opendns.com - DNS server to query
    whatsmyip

    But wait, there's more!

    So what if curl, wget, and dig are all unavailable? Perhaps the network is blocking opendns.com, ifconfig.me, and icanhazip.com?

    telnet and ftp can provide alternative, if clunky, solutions. telnet like nc can make TCP connections to any port specified. This can be used to connect to a server owned by you, to connect to a telnet public ip service (port 23), or connect to a web server as a client. telnet has the added benefit of working from Windows systems as well however, the command must be enabled in order to do so. Some ftp servers respond to failed login requests with the IP address that attempted and failed to connect. We can utilize this behavior to determine public IP address as well.

    Command Breakdown

    telnet: telnet myip.gelma.net 

    telnet myip.gelma.net
    GET /plain HTTP/1.1
    HOST: ipecho.net
    whatsmyip_06

    1. telnet myip.gelma.net - Connect to telnet service that responds with Public IP Address

    Command Breakdown

    telnet + nc:

    nc -vlp 9000
    telnet [hostname/IP Address] 9000
    whatsmyip_07
    1. nc -vlp 9000 - Run on your publicly available server to open a listening port
    2. telnet [hostname/IP Address] 9000 - Connect to remote netcat listener

    Netcat prints information on newly established connections to stdout (Connection from X.X.X.X)

    Command Breakdown

    telnet as a web client: telnet ipecho.net 80

    telnet ipecho.net 80
    GET /plain HTTP/1.1
    HOST: ipecho.net
    whatsmyip_08

    1. telnet ipecho.net 80 - Connect to web server with telnet
    2. GET /plain HTTP/1.1 - HTTP Protocol syntax for GET request
    3. HOST: ipecho.net - HTTP Protocol HOST header

    Command Breakdown

    ftp: 

    echo close | ftp ifcfg.me
    whatsmyip_09

    Bonus

    We've beaten the proverbial Linux horse to death, but what about Windows? As a bonus, here's an option in PowerShell: 

    Invoke-RestMethod http://ipinfo.io/json | Select -exp ip

    Conclusion

    There are tons of different ways this task can be accomplished and many different tools at your disposal to do so. If you have a favorite or unique take on determining the public IP address of a Linux system from the command line please share in the comments below!

    Matthew Toussain
    https://twitter.com/0sm0s1z

    Share:
    TwitterLinkedInFacebook
    Copy url Url was copied to clipboard
    Subscribe to SANS Newsletters
    Receive curated news, vulnerabilities, & security awareness tips
    United States
    Canada
    United Kingdom
    Spain
    Belgium
    Denmark
    Norway
    Netherlands
    Australia
    India
    Japan
    Singapore
    Afghanistan
    Aland Islands
    Albania
    Algeria
    American Samoa
    Andorra
    Angola
    Anguilla
    Antarctica
    Antigua and Barbuda
    Argentina
    Armenia
    Aruba
    Austria
    Azerbaijan
    Bahamas
    Bahrain
    Bangladesh
    Barbados
    Belarus
    Belize
    Benin
    Bermuda
    Bhutan
    Bolivia
    Bonaire, Sint Eustatius, and Saba
    Bosnia And Herzegovina
    Botswana
    Bouvet Island
    Brazil
    British Indian Ocean Territory
    Brunei Darussalam
    Bulgaria
    Burkina Faso
    Burundi
    Cambodia
    Cameroon
    Cape Verde
    Cayman Islands
    Central African Republic
    Chad
    Chile
    China
    Christmas Island
    Cocos (Keeling) Islands
    Colombia
    Comoros
    Cook Islands
    Costa Rica
    Croatia (Local Name: Hrvatska)
    Curacao
    Cyprus
    Czech Republic
    Democratic Republic of the Congo
    Djibouti
    Dominica
    Dominican Republic
    East Timor
    East Timor
    Ecuador
    Egypt
    El Salvador
    Equatorial Guinea
    Eritrea
    Estonia
    Ethiopia
    Falkland Islands (Malvinas)
    Faroe Islands
    Fiji
    Finland
    France
    French Guiana
    French Polynesia
    French Southern Territories
    Gabon
    Gambia
    Georgia
    Germany
    Ghana
    Gibraltar
    Greece
    Greenland
    Grenada
    Guadeloupe
    Guam
    Guatemala
    Guernsey
    Guinea
    Guinea-Bissau
    Guyana
    Haiti
    Heard And McDonald Islands
    Honduras
    Hong Kong
    Hungary
    Iceland
    Indonesia
    Iraq
    Ireland
    Isle of Man
    Israel
    Italy
    Jamaica
    Jersey
    Jordan
    Kazakhstan
    Kenya
    Kiribati
    Korea, Republic Of
    Kosovo
    Kuwait
    Kyrgyzstan
    Lao People's Democratic Republic
    Latvia
    Lebanon
    Lesotho
    Liberia
    Liechtenstein
    Lithuania
    Luxembourg
    Macau
    Macedonia
    Madagascar
    Malawi
    Malaysia
    Maldives
    Mali
    Malta
    Marshall Islands
    Martinique
    Mauritania
    Mauritius
    Mayotte
    Mexico
    Micronesia, Federated States Of
    Moldova, Republic Of
    Monaco
    Mongolia
    Montenegro
    Montserrat
    Morocco
    Mozambique
    Myanmar
    Namibia
    Nauru
    Nepal
    Netherlands Antilles
    New Caledonia
    New Zealand
    Nicaragua
    Niger
    Nigeria
    Niue
    Norfolk Island
    Northern Mariana Islands
    Oman
    Pakistan
    Palau
    Palestine
    Panama
    Papua New Guinea
    Paraguay
    Peru
    Philippines
    Pitcairn
    Poland
    Portugal
    Puerto Rico
    Qatar
    Reunion
    Romania
    Russian Federation
    Rwanda
    Saint Bartholemy
    Saint Kitts And Nevis
    Saint Lucia
    Saint Martin
    Saint Vincent And The Grenadines
    Samoa
    San Marino
    Sao Tome And Principe
    Saudi Arabia
    Senegal
    Serbia
    Seychelles
    Sierra Leone
    Sint Maarten
    Slovakia
    Slovenia
    Solomon Islands
    South Africa
    South Georgia and the South Sandwich Islands
    South Sudan
    Sri Lanka
    St. Helena
    St. Pierre And Miquelon
    Suriname
    Svalbard And Jan Mayen Islands
    Swaziland
    Sweden
    Switzerland
    Taiwan
    Tajikistan
    Tanzania
    Thailand
    Togo
    Tokelau
    Tonga
    Trinidad And Tobago
    Tunisia
    Turkey
    Turkmenistan
    Turks And Caicos Islands
    Tuvalu
    Uganda
    Ukraine
    United Arab Emirates
    United States Minor Outlying Islands
    Uruguay
    Uzbekistan
    Vanuatu
    Vatican City
    Venezuela
    Vietnam
    Virgin Islands (British)
    Virgin Islands (U.S.)
    Wallis And Futuna Islands
    Western Sahara
    Yemen
    Yugoslavia
    Zambia
    Zimbabwe

    By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

    Tags:
    • Penetration Testing and Red Teaming

    Related Content

    Blog
    Penetration Testing and Red Teaming, Cybersecurity and IT Essentials
    January 4, 2023
    Cloud Scanning for Vulnerability Discovery
    In this article we'll look at the step-by-step process of scanning a cloud provider's network for target enumeration.
    370x370_Joshua-Wright.jpg
    Joshua Wright
    read more
    Blog
    Untitled_design-43.png
    Digital Forensics and Incident Response, Cybersecurity and IT Essentials, Industrial Control Systems Security, Purple Team, Open-Source Intelligence (OSINT), Penetration Testing and Red Teaming, Cyber Defense, Cloud Security, Security Management, Legal, and Audit
    December 8, 2021
    Good News: SANS Virtual Summits Will Remain FREE for the Community in 2022
    They’re virtual. They’re global. They’re free.
    370x370-person-placeholder.png
    Emily Blades
    read more
    Blog
    Penetration Testing and Red Teaming
    January 17, 2018
    SANS Poster - White Board of Awesome Command Line Kung Fu (PDF Download)
    Imagine you are sitting at your desk and come across a great command line tip that will assist you in your career as an information security professional, so you jot the tip down on a note, post-it, or scrap sheet of paper and tape it to your white board... now imagine you do this all the time...
    SANS Pen Test
    read more
    • Register to Learn
    • Courses
    • Certifications
    • Degree Programs
    • Cyber Ranges
    • Job Tools
    • Security Policy Project
    • Posters & Cheat Sheets
    • White Papers
    • Focus Areas
    • Cyber Defense
    • Cloud Security
    • Cybersecurity Leadership
    • Digital Forensics
    • Industrial Control Systems
    • Offensive Operations
    Subscribe to SANS Newsletters
    Receive curated news, vulnerabilities, & security awareness tips
    United States
    Canada
    United Kingdom
    Spain
    Belgium
    Denmark
    Norway
    Netherlands
    Australia
    India
    Japan
    Singapore
    Afghanistan
    Aland Islands
    Albania
    Algeria
    American Samoa
    Andorra
    Angola
    Anguilla
    Antarctica
    Antigua and Barbuda
    Argentina
    Armenia
    Aruba
    Austria
    Azerbaijan
    Bahamas
    Bahrain
    Bangladesh
    Barbados
    Belarus
    Belize
    Benin
    Bermuda
    Bhutan
    Bolivia
    Bonaire, Sint Eustatius, and Saba
    Bosnia And Herzegovina
    Botswana
    Bouvet Island
    Brazil
    British Indian Ocean Territory
    Brunei Darussalam
    Bulgaria
    Burkina Faso
    Burundi
    Cambodia
    Cameroon
    Cape Verde
    Cayman Islands
    Central African Republic
    Chad
    Chile
    China
    Christmas Island
    Cocos (Keeling) Islands
    Colombia
    Comoros
    Cook Islands
    Costa Rica
    Croatia (Local Name: Hrvatska)
    Curacao
    Cyprus
    Czech Republic
    Democratic Republic of the Congo
    Djibouti
    Dominica
    Dominican Republic
    East Timor
    East Timor
    Ecuador
    Egypt
    El Salvador
    Equatorial Guinea
    Eritrea
    Estonia
    Ethiopia
    Falkland Islands (Malvinas)
    Faroe Islands
    Fiji
    Finland
    France
    French Guiana
    French Polynesia
    French Southern Territories
    Gabon
    Gambia
    Georgia
    Germany
    Ghana
    Gibraltar
    Greece
    Greenland
    Grenada
    Guadeloupe
    Guam
    Guatemala
    Guernsey
    Guinea
    Guinea-Bissau
    Guyana
    Haiti
    Heard And McDonald Islands
    Honduras
    Hong Kong
    Hungary
    Iceland
    Indonesia
    Iraq
    Ireland
    Isle of Man
    Israel
    Italy
    Jamaica
    Jersey
    Jordan
    Kazakhstan
    Kenya
    Kiribati
    Korea, Republic Of
    Kosovo
    Kuwait
    Kyrgyzstan
    Lao People's Democratic Republic
    Latvia
    Lebanon
    Lesotho
    Liberia
    Liechtenstein
    Lithuania
    Luxembourg
    Macau
    Macedonia
    Madagascar
    Malawi
    Malaysia
    Maldives
    Mali
    Malta
    Marshall Islands
    Martinique
    Mauritania
    Mauritius
    Mayotte
    Mexico
    Micronesia, Federated States Of
    Moldova, Republic Of
    Monaco
    Mongolia
    Montenegro
    Montserrat
    Morocco
    Mozambique
    Myanmar
    Namibia
    Nauru
    Nepal
    Netherlands Antilles
    New Caledonia
    New Zealand
    Nicaragua
    Niger
    Nigeria
    Niue
    Norfolk Island
    Northern Mariana Islands
    Oman
    Pakistan
    Palau
    Palestine
    Panama
    Papua New Guinea
    Paraguay
    Peru
    Philippines
    Pitcairn
    Poland
    Portugal
    Puerto Rico
    Qatar
    Reunion
    Romania
    Russian Federation
    Rwanda
    Saint Bartholemy
    Saint Kitts And Nevis
    Saint Lucia
    Saint Martin
    Saint Vincent And The Grenadines
    Samoa
    San Marino
    Sao Tome And Principe
    Saudi Arabia
    Senegal
    Serbia
    Seychelles
    Sierra Leone
    Sint Maarten
    Slovakia
    Slovenia
    Solomon Islands
    South Africa
    South Georgia and the South Sandwich Islands
    South Sudan
    Sri Lanka
    St. Helena
    St. Pierre And Miquelon
    Suriname
    Svalbard And Jan Mayen Islands
    Swaziland
    Sweden
    Switzerland
    Taiwan
    Tajikistan
    Tanzania
    Thailand
    Togo
    Tokelau
    Tonga
    Trinidad And Tobago
    Tunisia
    Turkey
    Turkmenistan
    Turks And Caicos Islands
    Tuvalu
    Uganda
    Ukraine
    United Arab Emirates
    United States Minor Outlying Islands
    Uruguay
    Uzbekistan
    Vanuatu
    Vatican City
    Venezuela
    Vietnam
    Virgin Islands (British)
    Virgin Islands (U.S.)
    Wallis And Futuna Islands
    Western Sahara
    Yemen
    Yugoslavia
    Zambia
    Zimbabwe

    By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
    • © 2023 SANS™ Institute
    • Privacy Policy
    • Contact
    • Careers
    • Twitter
    • Facebook
    • Youtube
    • LinkedIn