SANS Penetration Testing

Pen Test Poster: "White Board" - Bash - What's My Public IP Address?

Board Elements_clean_WhatGÇÖs My Public IP address-

By Matthew Toussain, Geoff Pamerleau



After hours of digging, you finally reach your goal and exclaim, "I GOT SHELL!" You brush the dirt off your shoulders and suddenly wonder, "Now what?" Fortunately, if it's a Unix system, we can leverage the rich functionality that comes with Bash in order to move our pentest along whilst maintaining our shadowy veil.

Let's first take a moment to evaluate a few potential use cases. The system's external IP address is often a key piece of information for us to consider. It can help us continually appraise our intrusion campaign to maintain awareness of what systems become compromised so that we remain within the narrow scope of our test. Alternately, we might launch an attack against a DNS name that resolves to multiple host IP addresses on the far end and we need to determine which specific IP address we've compromised in order to leverage that access to move laterally within the target environment. Why not just check the IP address assigned to the network interface? As penetration testers most systems we engage live behind a firewall in a Network Address Translation, or NAT environment. In these situations a system's internal IP address may not accurately reflect how they appear on the Internet. Either way, determining ?where' this box is a solid first step in any post-compromise scenario. Let's look at the some common ways to get this info.


Methods Covered in this Section

curl: curl -4

wget: wget -qO-

dig: dig +short

telnet: telnet

telnet + nc:

nc -vlp 9000
telnet [hostname/IP Address] 9000

telnet web client:

telnet 80
GET /plain HTTP/1.1

ftp: echo close | ftp

PowerShell: Invoke-RestMethod | Select -exp ip



So many options...

For a typical user learning their public IP address is often as simple as a Google search for: ?what's my IP'. For us this might also be a viable option however, as pentesters, we're often confronted with terminal access as opposed to a graphical user interface and web browser. It might seem like a limitation, but with Bash, there is no such thing! There are tons of different utilities that can reach out and get the info we're interested in. Let's begin by targeting the simplest and most effective options:

  • IP identification with command line web access utilities
    • curl
    • wget
  • Using DNS to determine our IP address
    • dig

Command Line HTTP External IP Identification

On differentiated Unix type operating systems there are generally two major command line utilities for downloading the content of websites: curl and wget. Depending on which specific flavor is used (e.g. Mac OSX, Ubuntu, etc.), only one or potentially both will be available. For continuity's sake we'll discuss both:


Command Breakdown

curl: curl -4


1. curl - Command line tool that can make web request
2. -4 - Option for curl to prefer IPv4 addresses over IPv6 for domain resolution
3. - Public domain that returns an IP address when queried


Command Breakdown

wget: wget -qO-


  1. 1. wget - Command line tool that can make web request
  2. 2. -q - Option for wget to run in quiet mode suppressing status output
  3. 3. -O - Option for output - specifies stdout as the output type (O not zero)
  4. 4. - Public domain that returns an IP address when queried

Occasionally, arbitrary outbound http access is not available. For instance, a network that requires authentication to join could use network access controls (NAC) to redirect all unauthenticated web traffic to a captive portal. Networks using authenticated proxies or whitelisting controls can also provide egress challenges. In these situations outbound DNS traffic is often still required and therefore available. In these cases the dig command has got you covered!


Command Breakdown

dig: dig +short


1. dig - Command line tool for interrogating DNS name servers
2. +short - Option for dig to provide an abbreviated response
3. - Host to resolve
4. - DNS server to query



But wait, there's more!

So what if curl, wget, and dig are all unavailable? Perhaps the network is blocking,, and

telnet and ftp can provide alternative, if clunky, solutions. telnet like nc can make TCP connections to any port specified. This can be used to connect to a server owned by you, to connect to a telnet public ip service (port 23), or connect to a web server as a client. telnet has the added benefit of working from Windows systems as well however, the command must be enabled in order to do so. Some ftp servers respond to failed login requests with the IP address that attempted and failed to connect. We can utilize this behavior to determine public IP address as well.


Command Breakdown

telnet: telnet

GET /plain HTTP/1.1


1. telnet - Connect to telnet service that responds with Public IP Address


Command Breakdown

telnet + nc:

nc -vlp 9000
telnet [hostname/IP Address] 9000


1. nc -vlp 9000 - Run on your publicly available server to open a listening port
2. telnet [hostname/IP Address] 9000 - Connect to remote netcat listener

Netcat prints information on newly established connections to stdout (Connection from X.X.X.X)


Command Breakdown

telnet as a web client: telnet 80

telnet 80
GET /plain HTTP/1.1


1. telnet 80 - Connect to web server with telnet
2. GET /plain HTTP/1.1 - HTTP Protocol syntax for GET request
3. HOST: - HTTP Protocol HOST header


ftp: echo close | ftp



We've beaten the proverbial Linux horse to death, but what about Windows? As a bonus, here's an option in PowerShell: Invoke-RestMethod | Select -exp ip



There are tons of different ways this task can be accomplished and many different tools at your disposal to do so. If you have a favorite or unique take on determining the public IP address of a Linux system from the command line please share in the comments below!

Matthew Toussain


Upcoming SANS Special Event - 2018 Holiday Hack Challenge


SANS Holiday Hack Challenge - KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more:
  • Play previous versions from free 24/7/365:

Player Feedback!

  • "On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team." - @mikehodges
  • "#SANSHolidayHack Confession — I have never used python or scapy before. I got started with both today because of this game! Yay!" - @tww2b
  • "Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa" - @dnlongen


Posted February 8, 2017 at 8:49 AM | Permalink | Reply


The actual bash method is missing from the list '
Following uses bash's built-in network redirection to connect to the target host:
$ cat

Posted June 3, 2018 at 9:29 AM | Permalink | Reply


Thanks for the wonderful post information very useful guide, helped me a lot.

Post a Comment


* Indicates a required field.