19

I found a private IP address displayed on a video. What can you learn from a private IP address, if anything at all?

schroeder
Doshik
  • 14
    You can basically learn nothing from the private IP alone. Anybody can own or use such an IP address. – Steffen Ullrich Jul 23 '23 at 14:41
  • 22
    This is a little like asking, "what can you know about a house when you know one pet's name?" – schroeder Jul 23 '23 at 15:32
  • 3
    OP, Does the IP address have four numbers in it, separated by dots? If so, what is the first number? – mti2935 Jul 23 '23 at 15:39
  • 30
    Can we have a reality check here please: do you mean that an IP address that you know is in one of the private (RFC-1918 etc.) ranges, or that a numeric IP address has been displayed which you would normally consider to be private information? – Mark Morgan Lloyd Jul 24 '23 at 10:45
  • What, exactly, do you mean by a "private" address? How is a "private" address different from a normal address? – John Gordon Jul 26 '23 at 13:50
  • Actually, this is kind of like asking what information you can get from knowing that a person lives in house number 10. There are literally millions of houses number 10 in the world because that number can be reused by any street and city on the planet. – slebetman Jul 26 '23 at 18:25

4 Answers

48

Private IP addresses as defined by RFC 1918 (10.0.0.0/8, 172.16.0.0/12 & 192.168.0.0/16) can be used as anyone wishes, so a private IP address alone does not tell much and nothing is definite. However, many use the defaults from their router vendor, so on some occasions that might give a hunch about what kind of network equipment is in use.

Again, none of the following is definite and you would need to cross-check from other sources like the MAC address of the router or its login page. None of this information would be available on a video displaying just the IP address, so you would need access to the network. Still, it is already some start for reconnaissance.

  • 10.0.0.0/24, 192.168.0.0/24, 192.168.1.0/24 & 192.168.2.0/24 are so common that it could be anything.
  • 10.8.0.0/24 suggests it might be an OpenVPN with default configuration.

Where no link to another source is given, the following subnets are based on the articles from TechSpot & Software Testing Help, but ordered by subnets rather than brands. Brands are only listed for delimiting subnets.

| Subnet | Router Brand(s) |
|---|---|
| 10.0.0.0/24 | More than 10 possibilities |
| 10.0.1.0/24 | Apple, WatchGuard Firebox |
| 10.1.1.0/24 | Belkin, D-Link |
| 10.10.1.0/24 | Asus |
| 10.90.90.0/24 | D-Link |
| 172.16.16.0/24 | Sophos Firewall |
| 192.168.0.0/24 | More than 10 possibilities |
| 192.168.1.0/24 | More than 10 possibilities |
| 192.168.2.0/24 | More than 10 possibilities |
| 192.168.3.0/24 | Amped Wireless, Huawei |
| 192.168.4.0/24 | Zoom, Zyxel |
| 192.168.8.0/24 | Eminent, Huawei |
| 192.168.10.0/24 | Motorola, NetComm, Repotec, Trendnet, Zoom, Zyxel |
| 192.168.11.0/24 | Buffalo |
| 192.168.15.0/24 | D-Link, Linksys, Motorola, Sweex |
| 192.168.16.0/24 | Repotec, Linksys |
| 192.168.20.0/24 | Motorola, NetComm |
| 192.168.30.0/24 | Motorola |
| 192.168.42.0/24 | Android (USB Tethering) |
| 192.168.43.0/24 | Android (WiFi Tethering) |
| 192.168.44.0/22 | Android (Bluetooth Tethering) |
| 192.168.48.0/24 | Android (Bluetooth Tethering) |
| 192.168.50.0/24 | Sweex |
| 192.168.55.0/24 | Sweex |
| 192.168.62.0/24 | Motorola |
| 192.168.86.0/24 | Google (only on Techspot article) |
| 192.168.88.0/24 | MikroTik |
| 192.168.100.0/24 | Huawei, Motorola, Thomson, ZTE |
| 192.168.102.0/24 | Motorola |
| 192.168.123.0/24 | LevelOne |
| 192.168.168.0/24 | Sonicwall |
| 192.168.178.0/24 | FRITZ!Box |
| 192.168.251.0/24 | Sweex |
| 192.168.254.0/24 | Actiontec |

The lists are not exhaustive.

Esa Jokinen
  • 1
    192.168.100.1 is the common address for most cable modems, so it's not meaningful. – Barmar Jul 24 '23 at 05:55
  • Thanks for your feedback! I've updated the answer. – Esa Jokinen Jul 24 '23 at 06:05
  • 1
    192.168.178.0/24 is used by FritzBox. – Simon Richter Jul 24 '23 at 08:24
  • 1
    192.168.88.0/24 Mikrotik – fraxinus Jul 24 '23 at 08:55
  • 1
    @Barmar it strongly depends on which brand of modem and/or which ISP. 100 is absolutely not universal. – user253751 Jul 24 '23 at 09:51
  • I have updated the list with more router brands that are now all based on a source. For additions to the list I would prefer a link to a source validating it is a common default configuration. – Esa Jokinen Jul 24 '23 at 10:41
  • 1
    @Barmar: I wasn't able to find a source telling that 192.168.100.0/24 would be used more commonly in cable modems than those from Huawei, Motorola, Thomson & ZTE. – Esa Jokinen Jul 24 '23 at 10:49
  • 1
    @user253751 From ComputerWorld: DSLReports has a list of modems and their private IP addresses. Most modems in their list use 192.168.100.1 but some use 10.0.0.1, 10.1.10.1 or 192.168.0.1. – Barmar Jul 24 '23 at 19:33
  • 1
    @Barmar: The article suggests those aren't the subnets those devices would assign addresses from, but maybe a hidden routed network for the administrative interface. Hence, it might be a bit far from answering this question. – Esa Jokinen Jul 24 '23 at 20:10
  • 3
    True, AFAIK it's the specific address 192.168.100.1, I don't think the entire subnet is used for anything. But if you see that address in the video, it's a good bet it's a cable modem. – Barmar Jul 24 '23 at 20:14
  • While it could be added as a single 192.168.100.1/32 address without the subnet, I think it would be enough and more descriptive to keep it here in the comments. An interesting finding, indeed! – Esa Jokinen Jul 24 '23 at 20:17
13

There's nothing that can be said with certainty, but it does help make assumptions:

  • You can try to deduce the smallest possible subnet: e.g. if you see 10.2.8.7 then one can assume that 10.2.8.1 - 10.2.8.254 might be reachable
  • Seeing an address end in .1 or .254 might indicate the default gateway, and might, with some country or ISP specific info tell you which ISP they have (e.g. in the Netherlands 192.168.178.1 is usually the Fritz!Box gateway, and the ISPs that give Fritz!Boxes here are.. 2? 3? depending on the region even 1)
  • It might help make assumptions about their LAN topology and location (usually where I come from 172.16/12 might be located in an educational institute, 10.x usually used by companies, 192.168.x.x usually personal homes)
Raf
  • 5
    Consider a /24 is not the smallest subnet. It could be a /30, or in some cases a /31, or even a point to point address (though that is unlikely) – Criggie Jul 24 '23 at 22:24
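
An added example, not code from any poster on this page: it classifies an observed IPv4 string against the RFC 1918 blocks, looks up a subset of the default-subnet table from the first answer, and lists the networks the address would fall in for /24, /30 and /31, the prefix lengths raised in the comment above. The function names, result keys and sample addresses are assumptions made for this example.

```python
import ipaddress

# RFC 1918 blocks named in the first answer.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Subset of the default-subnet table from the first answer (hints, not proof).
DEFAULT_HINTS = {
    "10.0.1.0/24": "Apple, WatchGuard Firebox",
    "10.8.0.0/24": "OpenVPN default configuration",
    "172.16.16.0/24": "Sophos Firewall",
    "192.168.43.0/24": "Android (WiFi Tethering)",
    "192.168.88.0/24": "MikroTik",
    "192.168.178.0/24": "FRITZ!Box",
}
# Subnets the answer calls so common that they could be anything.
TOO_COMMON = {"10.0.0.0/24", "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"}


def candidate_networks(addr, prefixes=(24, 30, 31)):
    """Networks the address would sit in for each assumed prefix length."""
    return {p: ipaddress.ip_network(f"{addr}/{p}", strict=False) for p in prefixes}


def describe(text):
    """Return what can be inferred from one observed IPv4 string."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return {"valid": False}          # e.g. an octet above 255
    block = next((n for n in RFC1918 if addr in n), None)
    result = {"valid": True, "rfc1918_block": str(block) if block else None,
              "hint": None, "candidates": {}}
    if block is None:
        return result                    # not an RFC 1918 address
    nets = candidate_networks(addr)
    result["candidates"] = {p: str(n) for p, n in nets.items()}
    slash24 = str(nets[24])
    if slash24 in TOO_COMMON:
        result["hint"] = "too common to suggest anything"
    else:
        result["hint"] = DEFAULT_HINTS.get(slash24)
    return result


if __name__ == "__main__":
    # Constructed sample inputs, including one that is not a valid address.
    for sample in ("192.168.178.1", "10.2.8.7", "10.69.420.1337", "8.8.8.8"):
        print(sample, describe(sample))
```

The same observed address maps to three different networks depending on the assumed prefix length, which is why the /24 guess is only a guess.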
5

You can learn that it's private (not routable on the Internet), that's it.

Artem S. Tashkinov
1

You can assume that if this RFC1918 IPv4 address is used to get to the internet at large, then there is a device somewhere in the path doing NAT.

That NAT device might be the router, and it might be doing DHCP and DNS and NTP services as well.


Or it could be fake info put there in a video for a laugh or a hidden message or "dog whistle". There are some Nazi-related numbers that fit inside the 0-255 range.

Example: My IP could be 10.69.420.1337 (but it isn't)

Criggie