I just downloaded Wireshark so that hopefully I can track a scammer's IP address. However, this is harder than I expected (mainly because I have almost no experience with anything dealing with networking). My main problem is that I don't know which of the IP addresses showing up is the scammer's. I was wondering if anybody had any tips or tutorials I could look at to get started.
Before I can help you, I need to know how your system is set up.
Are you using a VM? What are the network adapter settings being used, if you are (bridge, NAT, etc.)?
Where is Wireshark installed? The HOST or the VM?
What applications are being used when the scammer connects to you? LogMeIn, TeamViewer, Supremo?
Some of these applications won't reveal the IP address of the scammer.
Why can't you use NETSTAT -a to find out who is connected to you, instead of Wireshark?
If you are not sure which is the scammer's IP, just go to one of the websites for geo-location based on IP. Example:
https://www.ipfingerprints.com/
If the scammer is not using a VPN, this will give the location of the ISP, so the scammer's location is nearby.
Example: the IP 45.249.80.210 belongs to a Kolkata, India scammer.
@reportingscammers007#67918
I am running a VirtualBox VM and Wireshark is installed on the host computer. I am not sure what network adapter settings I am using (again, I don’t know much about networking).
The applications the scammer uses differ from scammer to scammer, call center to call center. Because of this, I would like to still be able to use Wireshark to find the scammers' IP address.
As for using NETSTAT -a, I have the same problem of not knowing where to look, and which IP is the scammer's IP.
@drwat#67922
The problem with that is that I would have to check way too many IP addresses in order to find which one is the scammer's. If you have seen any videos from people like Jim Browning, you will find that they don't use any website. They use Wireshark by itself to find the IP address and location.
@JohnGolferd#67937 What I believe Jim B. is doing is packet forwarding, which is beyond the scope of what I will be able to help you with over a forum. Essentially, he captures all the packets from the Virtual Machine that the tech support agent is connected to, and then filters out the connections, using software like PfSense.
Regardless, you want to make sure that you don't have any other applications using network activity running on the Virtual Machine, since that will cause unwanted packet capturing.
You will need to make a list of common applications that the scammers use (such as TeamViewer, etc.), because some of those applications will not give you the IP of the scammer. So in those cases, packet capturing is useless.
You also need to consider that Jim B. MAY be using malware/RATs/Trojans to get the IP address of the scammer. I don't condone this method, because where I live, it is illegal.
TLDR: You likely need to reach out to Jim B. to ask what his network topography looks like, and you will need to understand the basics of networking and VirtualBox to implement various settings.
@reportingscammers007#67946
Alright, thank you!
@JohnGolferd#67938 One solution is to use GeoIP. This requires you to download a couple of database files first. An example is available for free at MaxMind (the file format we need for Wireshark is now called "legacy").
The problem John will face is that Wireshark or Netstat will show a lot of IP addresses, and trying to pinpoint which one is the scammer's is the hardest. It's like finding a needle in a haystack… nearly impossible unless you create a multitude of filters to weed out the cruft.
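As an added example, not code posted by anyone in this thread, here is the "weed out the cruft" step from the NETSTAT suggestion above and the last reply, done in a few lines of Python: keep only ESTABLISHED connections, drop peers in private/loopback ranges that can never be the remote party's public address, count what is left, and turn the survivors into a Wireshark display filter so the capture can be narrowed to those hosts. The netstat-style lines and addresses are constructed sample input (documentation ranges), and the port-to-tool hint table is an assumption added for illustration; as the replies above say, a remote-access tool that goes through the vendor's relay shows the relay's address, not the operator's.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of `netstat -n` output (not a real capture).
SAMPLE_NETSTAT = """
Proto  Local Address          Foreign Address        State
TCP    192.168.56.1:49711     192.168.56.101:3389    ESTABLISHED
TCP    192.168.1.20:49722     203.0.113.45:443       ESTABLISHED
TCP    192.168.1.20:49730     203.0.113.45:443       ESTABLISHED
TCP    192.168.1.20:49735     198.51.100.7:5938      ESTABLISHED
TCP    192.168.1.20:49740     198.51.100.7:5938      TIME_WAIT
TCP    127.0.0.1:5939         127.0.0.1:49702        ESTABLISHED
UDP    0.0.0.0:5353           *:*
"""

# Ranges that cannot be the remote party's public address: RFC 1918, loopback,
# link-local. Listed explicitly because the stdlib's is_private also flags the
# documentation ranges (198.51.100.0/24, 203.0.113.0/24) used in the sample above.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Assumed hint table: ports that usually mean "vendor relay, not the operator".
PORT_HINTS = {
    "5938": "TeamViewer (vendor relay; remote address is the relay, not the operator)",
}

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)$")


def split_endpoint(endpoint):
    """Split 'host:port' (or '[v6]:port') into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def established_remote_peers(netstat_text):
    """Return Counter of (remote_host, remote_port) for ESTABLISHED non-local peers."""
    peers = Counter()
    for line in netstat_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or unparseable line
        _proto, _local, foreign, state = m.groups()
        if state != "ESTABLISHED":
            continue
        host, port = split_endpoint(foreign)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # '*' or a hostname; nothing to filter on
        if is_local(addr):
            continue
        peers[(host, port)] += 1
    return peers


def build_wireshark_filter(peers):
    """Display filter matching the surviving peers, busiest host first."""
    hosts = sorted({host for host, _ in peers},
                   key=lambda h: (-sum(c for (hh, _), c in peers.items() if hh == h), h))
    return " || ".join(f"ip.addr == {h}" for h in hosts)


if __name__ == "__main__":
    peers = established_remote_peers(SAMPLE_NETSTAT)
    for (host, port), count in peers.most_common():
        hint = PORT_HINTS.get(port, "no hint")
        print(f"{host}:{port}  connections={count}  {hint}")
    print("Wireshark filter:", build_wireshark_filter(peers))
```

Paste real `netstat -n` output in place of the sample, and apply the printed filter in Wireshark to see only traffic to those hosts; anything in the hint table is a relay and will need the "this application won't reveal the IP" caveat from earlier in the thread.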