Find IM user location via netstat?

Question

I got sent an article today (http://hakerin.com/facebook-user-location-finder-noobs/). With the click-bait title "Facebook User location Finder" Of course I clicked it.

Going through the "article" there is not a lot of details given. And I thought I would try it out.

It basically stated that it was possible to find out the location of a Facebook user that sent you a Facebook message. Specifically, by looking at the IP addresses that appear in the "Foreign Address" column of Netstat. To find the geo-location one has to copy the last added IP address from the list into a IP address lookup tool like http://whatismyipaddress.com/. Then copy the coordinates and use google maps to find the exact location of the person.

After some time getting the preferred Netstat arguments and some filtering with awk netstat -ntpw | awk '{print $5}'. The GEO locations the IP addresses hold are mostly in America some in Ireland and some in the Netherlands. When I enter the coordinates in google maps I get unknown locations.

This is just fake, right? Or did it used to work like this? If so, that would seem very concerning.

I'm not sure if you still can, but at one point you could get somebody's location directly on Facebook messenger just by hovering over the message. I found an old screenshot, but don't know if this functionality still exists - http://www.functionfound.com/wp-content/uploads/2013/01/Fb-seen-and-sent-from-features.jpg — JMK, Oct 19 '17 at 15:55
I did not even try to read the article. I would doubt of any uppercase title or attention-catching expressions ("INCREDIBLE", "HERE IS HOW I DID....", "LOOK AT THIS!") — usr-local-ΕΨΗΕΛΩΝ, Oct 20 '17 at 08:45
@JMK That is/was a consequence of a Facebook application on mobile phones obtaining the GPS location of users, and not from Facebook divulging IP address information. As I noted in my answer, there's not a whole lot of precise information to obtain from an IP address alone because they're not bound to locations. Similarly, there isn't a whole lot of information you can obtain from that image, since GPS units in mobile phones can be made to report false information. — autistic, Nov 14 '17 at 22:34

score 89 · Answer 1 · answered Oct 19 '17 at 14:23

89

That article is wrong and that website in general seems like a very unreliable source for anything.

With the netstat tool, among other stuff, you can see established TCP connections.

When you use Facebook messenger (or any other chat), at least one server is between you and the person on the other side, it's not a peer-to-peer connection. Hence the IP you see using netstat is an IP of a chat server (or whatever other obscure infrastructure, not know to us simple users) that you established connection with.

answered Oct 19 '17 at 14:23

skooog

1,008
7
17

48

Worth mentioning for fun and profit that old services (like ICQ) were indeed peer to peer. Also, if you establish a WebRTC connection you will be able to see the IP of the user using system tools since you have a direct connection. – Benjamin Gruenbaum Oct 19 '17 at 15:21
18

And even if you get the IP address of the user themselves, that often won't tell you much reliable info about their location, depending how their ISP/mobile provider routes things. – TripeHound Oct 19 '17 at 17:19
16

Plus, IP geolocation currently places me at 228 km from where I am located. Yeah I know, 228 km is nothing in the USA, but here it's approximately 1/2 across the country... – Damon Oct 19 '17 at 18:47
5

All that being said, geolocation, even with its laundry list of issues and caveats is better than nothing, and it is possible to narrow down where someone's accessing the internet from. Sometimes you're off by a few hundred kilometers, sometimes you can narrow it down to a precise location. – HopelessN00b Oct 19 '17 at 22:18
4

Obligatory article about geolocation problems: https://splinternews.com/how-an-internet-mapping-glitch-turned-a-random-kansas-f-1793856052. – jpmc26 Oct 19 '17 at 22:25
worth mentioning also, some ISP does not give you public IP, instead they make you as part of their "internal" network, so the IP your partner will see is just your ISP's IP – am05mhz Oct 20 '17 at 08:17
@Damon In a very large fraction of the continental US, a location error of 230km (about 140 miles) in the right direction is enough to put you in the wrong state. Almost all the states are less than 500km/300mi across in at least one direction. For example, Montana is the largest non-coastal state but you're never more than 250km from one of Canada, Idaho and Wyoming. (Restricting to non-coastal since I assume geolocation isn't gonna claim you're in the ocean.) – David Richerby Oct 20 '17 at 10:30
@am05mhz: its always your ISP's IP, if you have no own direct Internet access.... – Zaibis Oct 20 '17 at 11:43
@Zaibis well, in a way, yes, even when you sign for a public IP, technically its still your ISP's IP, the difference when you sign for a public IP is that, the public IP is specifically assigned to you and some ISP even register your city with it – am05mhz Oct 21 '17 at 01:41
1

@DavidRicherby: http://www.datacenterknowledge.com/archives/2017/01/09/microsoft-wants-to-patent-an-underwater-data-center-reef :) – dave_thompson_085 Oct 21 '17 at 07:10
It was fun trying and using awk for the first time. In the end the results show it was bogus, just got me thinking and had to be sure, thank you for you answer. – LoJoe Dec 15 '17 at 08:41

wizzwizz4 · Answer 2 · 2017-10-20T15:47:52.660

In addition to @skooog's answer which states that the IP address that you are detecting is not that of the user:

IP address geolocation is, at least for IPv4, doomed to fail except in specific edge-cases. Many ISPs dynamically allocate IPv4 addresses, meaning that increased precision gained from a user who enables GPS location on their browser or posts geo-tagged images to (e.g.) Facebook is lost once the IP address is re-allocated. This is also complicated by IP-sharing, which happens when addresses are scarce.

However, a side-effect of most ISPs' dynamic allocation systems is that they split both the world and their subnet into regions, which they then assign in a mostly one-to-one relationship. This allows approximations of the user from their IP address, but unlike telephone numbers it is not possible to get a precise location from this.

This is why not even Google can accurately identify the specific location of a user before they have signed into their Google account. The country and region can be attained, but a more precise location requires other techniques (e.g. GPS, SSID-sniffing) which aren't passive and require collaboration with the user's device.

So: even if you did have the user's IP address, it would not tell you "the exact location of the person" - it would tell you their ISP and the centre of their IP range.

Absolutely, and don't even get me started on proxy/VPN connections... — Darren H, Oct 20 '17 at 05:31

score 4 · Answer 3 · answered Oct 20 '17 at 18:40

That article isn't just making unjustified assumptions about the nature of the chat protocol and the accuracy of IP address geolocation. There's also this helpful tip about netstat:

Here, you will have to look out for your friend’s IP address among the hundred other IPs, well, that is simple: The last one in the foreign address column is your friend’s IP since it was the last data packet came in into your web browser.

netstat doesn't order its output that way. And if you did have a way of sorting it to find the most recently active socket... you'd still be assuming that nothing else is active in the background while you're doing this.

It's baloney all the way down.

mootmoot · Answer 4 · 2017-10-19T16:38:50.310

2

No, even Facebook is one of the worst privacy invasion services, it doesn't make the blunder by making Peer to Peer chat: Facebook record the chat contents as well, there is no chance that they will let the opportunities slip away from their hand then giving you a P2P private chat services. Those IP gather definitely belongs to facebook. Using a linux "dig" upon those IP will reveal who is the netblock owner/ISP.

The site is probably a content farm that publishes fake contents, some sort of Blackhat SEO mechanism to boost its website traffic and display tons of junks ads to earn some money.

edited Oct 19 '17 at 16:38

answered Oct 19 '17 at 15:03

mootmoot

2,387
10
16

3

Is peer to peer a blunder though? If I were to phone a landline number, that number is fixed to a location, and a reverse lookup can find me their address. This might be behaviour that you don't want, but I don't think I would call it a security mistake. Typically, you would only chat to people you would want to talk to anyway. Third parties knowing where you are... that would be more of a problem. – Baldrickk Oct 19 '17 at 15:56
4

@Baldrickk It's a blunder for Facebook - they make their money by knowing lots about you and real-time chat is the perfect opportunity to harvest data. – wizzwizz4 Oct 19 '17 at 16:08
Making a peer to peer connection doesn't preclude giving them a copy of the data, it just makes it cost extra bandwidth. But since they aren't paying for the peer to peer bandwidth it might be a win by allowing compressing larger message groups and only having to receive and not send with the central server. – Oct 19 '17 at 17:44
1

Landlines are a bad example to choose for an analogy, given that Baldrickk's presented truths about landlines do not actually hold true nowadays. At least in North America and much of Western Europe, those comforting assumptions about geographic numbers are not valid any more. – JdeBP Oct 20 '17 at 05:27
@notstoreboughtdirt: If the copy to the server was separate from the copy to the recipient, the copy to the server could be blocked separately, too. IN the beginning only geeks would deny Facebook their copy, but very soon there would be browser extensions or similar that make it possible for Joe Average User to stop Facebook's snooping. So yes, making a peer to peer connection does preclude Facebook guaranteeing itself a copy. – Ben Voigt Oct 20 '17 at 14:15
@BenVoigt The OP mentioned article is talking about Facebook messaging services, not other P2P services. – mootmoot Oct 20 '17 at 15:33
@mootmoot: Yes, that's what my comment discusses. Well, actually the proposed variation that the even earlier comments outlined. – Ben Voigt Oct 20 '17 at 15:38

score 2 · Answer 5 · answered Oct 19 '17 at 19:38

So this is just fake right?

Most certainly.

Specifically, by looking at the IP addresses that appear in the "Foreign Address" column of Netstat. To find the geo-location one has to copy the last added IP address from the list into a IP address lookup tool like http://whatismyipaddress.com/. Then copy the coordinates and use google maps to find the exact location of the person.

The IP address you see is the IP address of most probably some Facebook CDN. The coordinates, if they're correct or ever were correct, are/were likely that of a datacentre.

As IP addresses are virtual resources (not tied to any physical location) which might be transferred from location to location, the information you obtain via this process comes from a database which could be out-of-date or inaccurate about the state or even country, and is almost certainly inaccurate about the city that the IP address is being used by.

To confirm, I found ip2c.info, which is another such database you can query (this one supporting IPV6) and they explain this on the front page:

Well it appears IP to country is as good as it gets, most of the time RIR don't even have the right information in their databases, so anyone claiming that they do provide IP to city is probably giving you false information half of the time. My IP location is registered to my ISP and if I perform an IP to city look up on it, I receive the location of the ISP, which is on the other side of the country.

... so whatever you mean by exact location, you and I will likely disagree about. I guess you could say "he's located on precisely the same planet as that Facebook CDN datacentre"...

Find IM user location via netstat?

5 Answers5