
Bugbounty – How to find the owner of IP address

Hi everyone — I’m Shreya. In this post, I’ll explain how to identify the owner or owning organization of an IP address.

When doing bug bounty work, we often use tools like FOFA and Shodan to discover IPs that might belong to the organization we’re targeting. Many times, the program you are submitting to may respond that the IP isn’t owned by them.

While it’s true that identifying the correct owner can be challenging about 10% of the time, in roughly 90% of cases you can accurately determine the rightful owner. Knowing this will help you decide whether or not to submit the bug you’ve found.

Here’s a compact, practical playbook you can use right away to find the organisation/company that “owns” any IPv4/IPv6 address.
Let’s get started.

  1. WHOIS lookup — primary source for allocation and org info.
    Command (Linux/macOS):

        whois 8.8.8.8

    Look for fields like OrgName, NetName, NetRange/CIDR, country, and origin or originAS (sometimes different on ARIN vs RIPE).

    Windows: install Sysinternals whois or use online WHOIS.
  2. Check the originating AS / BGP info — tells you which Autonomous System routes the IP (often company / ISP).
    Use a web tool like https://bgp.he.net/ip/8.8.8.8, or run:

        whois -h whois.radb.net -- '-i origin AS15169'

    (Or visit bgpview.io, bgp.he.net, or bgp.tools and paste the IP.)
  3. Reverse DNS (PTR) — gives a hostname that may reveal the provider/company:

        dig -x 8.8.8.8 +short
        # or
        nslookup 8.8.8.8
  4. Traceroute — useful to see which networks an IP transits (may hint at ISP / company):

        traceroute 8.8.8.8
        # Windows:
        tracert 8.8.8.8
  5. Online IP lookup services — fast summary + useful metadata:
    • ipinfo.io (curl ipinfo.io/8.8.8.8/json)
    • ip-api.com (curl http://ip-api.com/json/8.8.8.8)
    • whois.domaintools.com, bgpview.io, viewdns.info, ARIN/RIPE/APNIC web WHOIS pages
  6. Search SSL certificate / website info (if port 443 responds) — the cert owner can point to the organization:

        openssl s_client -connect 8.8.8.8:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer

    Or use curl with -v to inspect server headers.
  7. Use Internet-wide scanners / archives — Shodan, Censys, ZoomEye show services running on the IP and sometimes organisational tags (requires account):
    • shodan.io, censys.io

Example: interpret WHOIS output (what to look for)

WHOIS snippet might show:

  • OrgName / OrgId — the registered organisation
  • NetRange or CIDR — the IP block assigned
  • NetName — short name for block (e.g., GOOGLE, AKAMAI)
  • country — country of registration
  • origin / originAS — BGP AS number (e.g., AS15169)
  • abuse or tech contact — who to contact for abuse reports

If WHOIS shows a Regional Internet Registry (RIR) like ARIN/RIPE/APNIC, follow the RIR link to get the canonical org record.
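
The field names listed above differ between registries, so here is a small normaliser, added as an example that is not part of the original post. The helper name whois_summary and both sample records are constructed for illustration; the RIPE-style names it maps (inetnum, descr, route, abuse-mailbox) go slightly beyond the fields the post lists.

```shell
#!/bin/sh
# Added example: WHOIS records below are constructed (documentation ranges).
ARIN_SAMPLE='# ARIN-style record
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET
OriginAS:
OrgName:        Example Hosting Inc.
Country:        US
OrgAbuseEmail:  abuse@example.com'

RIPE_SAMPLE='% RIPE-style record
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-EU
descr:          Example EU block
country:        NL
org-name:       Example Networks BV
abuse-mailbox:  abuse@example.net
route:          198.51.100.0/24
origin:         AS64501'

# whois_summary (hypothetical helper): read WHOIS text on stdin and print
# key=value lines under one set of keys, whatever the registry calls them.
whois_summary() {
  awk -F: '
    function pick(label, names,    n, i, a) {
      n = split(names, a, " ")
      for (i = 1; i <= n; i++)
        if (a[i] in val) { print label "=" val[a[i]]; return }
    }
    /^[#%]/ || NF < 2 { next }              # comments, blanks, free text
    {
      k = tolower($1); v = $0
      sub(/^[^:]*:[ \t]*/, "", v)           # value = text after first colon
      if (v != "" && !(k in val)) val[k] = v   # keep first non-empty value
    }
    END {                                   # earlier names take precedence
      pick("org",     "orgname org-name descr")
      pick("netname", "netname")
      pick("range",   "netrange inetnum inet6num")
      pick("prefix",  "cidr route route6")
      pick("asn",     "originas origin")
      pick("country", "country")
      pick("abuse",   "orgabuseemail abuse-mailbox")
    }'
}

printf '%s\n' "$ARIN_SAMPLE" | whois_summary
echo ---
printf '%s\n' "$RIPE_SAMPLE" | whois_summary
```

When no asn= line comes out, as with the empty OriginAS field in the first sample, the origin AS has to come from the BGP lookup in step 2.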


Handy one-liners

WHOIS:

whois 1.2.3.4 | grep -Ei 'org|netname|origin|cidr|abuse|descr'

IP info via curl:

curl -s ipinfo.io/1.2.3.4/json

Get ASN and prefix (using ipinfo):

curl -s ipinfo.io/1.2.3.4/org

The IP I found belongs to Microsoft/Google/Amazon or a similar cloud provider

You might have come across IP addresses where the WHOIS response shows information related to Microsoft, Google, or Amazon. Naturally, you get excited and rush to submit your findings — only to face disappointment when the report gets closed as “Not our IP.”

This usually happens because these companies are major cloud providers with massive pools of IP addresses that are allocated to their customers. The bugs you discover on such IPs typically belong to the customer’s infrastructure, not the cloud provider’s — and since the provider has no control over those assets, these reports are generally closed.

So, the real question is: How do you know whether you’re hunting on a customer-owned IP or a program-owned IP?

Finding this out can sometimes be tricky, and there will be cases where identifying the true owner of an IP just isn’t possible. However, here are a few simple techniques I use to make an informed decision about whether to submit a report:

  • Check the footer of the landing page. If it’s a customer-owned IP, their company name often appears there.
  • Look at the page title. Sometimes, the organization’s name is visible in the title bar.
  • If you find a bug on an IP like 12.13.45.65:8081 and there’s no identifying information, try removing the port number. It may redirect you to the main domain — for example, example.com — revealing the actual owner.

These quick and easy tricks can save you a lot of time when hunting on IPs.
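
The title and redirect checks above can be read straight from a raw HTTP response. The following is an added example, not code from the original post; the helper name owner_hints and the sample response are constructed, and it assumes a single response with a one-line title.

```shell
#!/bin/sh
# Added example: the HTTP response below is constructed for illustration.
RESPONSE_SAMPLE='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://www.example.com/login
Content-Type: text/html

<html><head><title>Example Corp | Sign in</title></head>
<body><footer>(c) Example Corp</footer></body></html>'

# owner_hints (hypothetical helper): read one raw HTTP response (headers,
# blank line, body) on stdin and print the two ownership hints it carries:
# the host a redirect points to and the page title.
owner_hints() {
  awk '
    BEGIN { scheme = "^[A-Za-z][A-Za-z0-9+.-]*://" }
    { sub(/\r$/, "") }                      # tolerate CRLF line endings
    !body && $0 == "" { body = 1; next }    # blank line ends the headers
    !body && tolower($0) ~ /^location:/ {
      v = $0
      sub(/^[^:]*:[ \t]*/, "", v)           # drop the header name
      if (v !~ scheme) next                 # relative redirect: same host
      sub(scheme, "", v)                    # drop the scheme
      sub("[/:?#].*$", "", v)               # drop port, path and query
      if (v != "") print "redirect_host=" v
      next
    }
    body && !seen_title {                   # single-line <title> only
      l = tolower($0)
      s = index(l, "<title>"); e = index(l, "</title>")
      if (s && e > s) {
        print "title=" substr($0, s + 7, e - s - 7)
        seen_title = 1
      }
    }'
}

printf '%s\n' "$RESPONSE_SAMPLE" | owner_hints
```

Output of curl -si for the IP without the port can be piped into the function in place of the sample.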

If you have any other techniques for identifying IP ownership, share them in the comments below — I’d love to learn about them!

That’s all for this post. See you in the next one — until then, happy hunting!

shreyapohekar

I’m Shreya Pohekar, a Security Researcher at Microsoft. I’m passionate about breaking down complex security concepts into simple, relatable stories and sharing my journey through blogging. Writing helps me connect with others in the community, inspire aspiring security professionals, and reflect on the lessons I pick up along the way.
