How to find the IP address of a hacker, according to CSI: Cyber

The episode of the television documentary CSI: Cyber which aired on CBS last Wednesday demonstrated an elite trick to obtaining a hacker's IP address: Extract it from the email header.

Here's a screen shot from time code 14:35 that demonstrates the technique.

<meta id="viewport" content="" name="viewport"></m <link href="y/images/favicon.ico" rel="shortcut ic <link href="y/styles.css?s=1382384360" type="text/ <link href="y/mail.css?s=1382384360" type="text/cs <hidden: ip: 951.27.9.840 > < echo;off;>           <!--if lte IE 8><link rel="stylesheet" type="text/ <!--if lte IE 7><link rel="stylesheet" type="text/ <link href="plugins/jqueryui/themes/larry/jquery-u <link href="plugins/jqueryui/themes/larry/ui.js?s=

This technique is so awesome I had to share it.

Comments (50)
  1. I think the it would have been better if the bad guy's IP address were 127.x.x.x or (less obviously) 192.168.x.x or (even less obviously) 203.0.113.x. Then the script kiddies watching the show would go nuts trying to DoS that guy. (Also, that's not an "email header".)

  2. Chris Crowther @ Work says:

    It's not a "screenshot" either, Raymond ;)

  3. Leonardo Herrera says:

    "Television documentary" – heh, that's some subtle humor.

  4. Boris says:

    The Real WTF is that Raymond watched CSI in the first place.

  5. Steve says:

    Say what you will about the Hacker's inability to hide his IP address, but he at least appears to have solved the IPv4 exhaustion problem!

  6. 12BitSlab says:

    Raymond, thanks!  That gave me a smile this morning.

  7. Kevin says:

    But don't you need a "GUI interface" in VB to track an IP address?  Now I'm really confused.

  8. hacker says:

    Come on, we all know that the real way to find someone's IP address is using trace RT:

  9. Jeffrey__ says:

    OMG! There is a hacker on THIS forum.  He's right there!!

    Raymond, how can I get his IP address to stop him?

  10. MacASM says:

    This piece of markup language on red line doesn't make any sense. How hard is ask a programmer to write something that make more sense just to it look like more real?

  11. John Ludlow says:


    Maybe they did, and the real programmer gave them garbage to yank their chain

  12. calamarim says:

    The basic question is "who is Larry?"

  13. Dan Bugglin says:

    Is that Yahoo! Mail source?

    This reminds me of Stargate: The Ark of Truth. At one point, the scientist heroine is inspecting the source code of the evil robots, looking for a weakness as they close in (yeah I know how it sounds, they're pretty good with the psuedoscience though). However, it's pretty clear she's looking at simple JavaScript coded for some website. Fans searched for the code and found pretty quickly discovered the show crew had taken this code from a Canadian bank website (Stargate was made in Toronto, IIRC). So now all I can think of when I watch that scene is that the Replicators are coded in JavaScript.

    @Raymond about the IP I think I read or saw somewhere that they purposefully use bogus IPs to avoid any chance of reporting a real IP who's owner might object (as Josh seemed to be getting at). LAN/localhost IPs would seem to be a safe idea to use but I guess they just want to be SURE there won't be any problems.

  14. David Crowell says:


    When the machines take over, they'll be coded in PERL – and therefore totally unintelligible to us.

  15. Anonymous Cow Herd says:

    Is "last Wednesday" actually last Wednesday, or is it the Wednesday before this entered the queue? (Do non-technical posts get queued?)

  16. John Doe says:

    @The MAZZTer, that makes sense, the 555 of IP addresses, "to protect the innocent."

    Also, looking at random JS, possibly copy-pasted from somewhere else (e.g. a library of some sort), seems like a really good prediction.  I mean, look at how things are evolving, sooner or later, your average watch will be running JS and HTML too, with a F12 button and all (or just pair it with a bluetooth keyboard).

  17. David Totzke says:

    @MacASM – because if they got a programmer to write some code that person would have to be given a writing credit on the show.  

    As to the IP address, you need to think like a lawyer, not a tech.  Names, addresses, all that kind of stuff needs to be cleared through legal.  Not kidding:


    "@the_eye: I noticed in the scene in the "Black Forest" that the Land Rover had German-looking number-plates. Fine so far. Then I noticed that it was a plate that (currently) can't exist since the prefix you used doesn't reference any actual location. Is there a legal reason for this? Triggered by this I was reminded of one of the last Bonds (Quantum of Solace, I think) where there's a scene in Austria and there also, we get Austrian number plates but impossible ones.

    Yep, the same reason we don't use real phone numbers and have to use law books as library books (we'll get to that later).  They're called clearances, one of the most useless, time-consuming elements of film and television producing.  We need to make sure that nothing we do in the show can be connected in any way to anyone alive, lest they sue us for implying … I don't know, that they rent their truck out to world-spanning Librarians.  

    It's one of those petty things you need to do to make sure that just in case, as one lawyer explained it to me,  "you get the craziest client in the world in front of the craziest judge in the world with the craziest jury in the world, you're covered."

  18. OldFart says:

    On a somewhat related note:…/19

  19. M. Dudley says:

    @John Doe:

    RFC5737 (…/rfc5737) actually reserves several IP addresses for documentation that would be analogous the the 555 area code. They are blocks (TEST-NET-1), (TEST-NET-2), and (TEST-NET-3).

  20. TRWTF is using a relative URI for favicon.ico

  21. Thomas Freudenberg says:

    That reminds me of "The Net" starring Sandra Bullock. IP addresses were 75.748.86.91 and 23.75.345.200 (source:…/goofs)

  22. Rob Y says:

    NCIS once coerced their suspect to release the IP of a server… it was in the 192.168 range…

  23. alexx says:



    < echo;off;> <hidden: ip: 951.27.9.840 >

    would have made more sense.

  24. Alan Page says:

    Speaking of Cyber – I grabbed this screenshot from the show a few weeks ago. Apparently real hacking occurs in non-interactive text mode.

  25. ken says:

    That code snippet looks like it came from the open source webmail client roundcube. Larry is the name of the default theme for roundcube. Here's a snippet of the head block for roundcube:

    <link rel="shortcut icon" href="skins/larry/images/favicon.ico"/>

    <link rel="stylesheet" type="text/css" href="skins/larry/styles.min.css?s=1422112954" />

    <link rel="stylesheet" type="text/css" href="skins/larry/mail.min.css?s=1422112954" />

    <!–[if IE 9]><link rel="stylesheet" type="text/css" href="skins/larry/svggradients.min.css?s=1422112954" /><![endif]–>

    <!–[if lte IE 8]><link rel="stylesheet" type="text/css" href="skins/larry/iehacks.min.css?s=1422112954" /><![endif]–>

    <!–[if lte IE 7]><link rel="stylesheet" type="text/css" href="skins/larry/ie7hacks.min.css?s=1422112954" /><![endif]–>

    <link rel="stylesheet" type="text/css" href="plugins/jqueryui/themes/larry/jquery-ui-1.9.2.custom.css?s=1422112953">

    <script type="text/javascript" src="skins/larry/ui.min.js?s=1422112954"></script>

    <style type="text/css">

  26. Cesar says:

    I see a ?s=1382384360 "cache-busting" query string… Decoding as a Unix timestamp, I get 2013-10-21 17:39:20. Not sure what relevance it has.

  27. Alireza says:

    This was classic. I had a good laugh. Thanks for sharing :)

  28. DaveS says:

    I'm sure Larry wears a Leisure Suit :)

  29. Josh says:

    This will just give a bad name to all those honest people on the 951.*.*.* subnet. Bastards.

  30. boogaloo says:

    Everyone knows you find hackers using tracert

  31. boogaloo says:

    No fake computers in tv/movies is as awesome as Terminator, I would post a link but the blog thinks it's spam.

  32. boogaloo says:

    The person who chose the 951.27.9.840 IP address probably knew it was invalid. Similar to how telephone numbers always start 555. Although they could have picked a 127 address.

  33. XPosition says:

    A smart Hacker which using the EBE Algorithm. Never heard from the Eight Bit Extender ?

  34. Matt says:

    Extra kudos to the hackers who managed to squeeze the values 951 and 840 into a byte.

  35. Kirby FC says:

    [# calamarim    The basic question is "who is Larry?"]

    That would be me.  Why is this guy hacking me?

  36. cheong00 says:

    @alexx: Btw,

    <echo off="true"><hidden ip="951.27.9.840" /></echo>

    would have made even more sense.

  37. Sven2 says:

    If they want to be covered from lawsuits, an invalid IP address is probably better than something like 192.168.*.*. Someone might claim that it's an internal IP used by their company and now this TV show published their IP address! From the internal network! It was a big secret and now they might get hacked!

    You never know how technically knowledgeable the judge is.

  38. RobT says:

    I saw this yesterday talking about TV/Film telephone numbers in the UK (also a mention of the same in the US): The 20,000 fake phone numbers…/blogs-magazine-monitor-32348371

  39. boogaloo says:

    @RobT: Saw that too, it's a shame Doctor Who's number doesn't have a recorded message.

  40. Steve says:

    My favourite is Jeff Goldblumm in Independence Day – with one MacBook and about 15 seconds total analysis + coding he manages to not only hack an alien spaceship's OS but find and exploit a vulnerability.

    A whole generation of project managers now think that if Jeff Goldblum can do all that in 15 seconds, we developers are just yanking their chain when we argue it takes days or weeks to get a feature added to one of our systems …

  41. Matt says:

    @Steve: In fairness, it's because aliens don't parameterize their SQL statements, and so all alien spaceships are trivially vulnerable to SQL-injection.

  42. Nick says:

    Be careful with 555 numbers, they can be assigned for real things (555-1212 comes to mind, it's how you get directory services (411) for faraway area codes).…/555_numbers.html

    According to the Wikipedia (since there isn't an obvious link on the Nanpa site for fictional 555 numbers and Wikipedia doesn't cite a source), the fictional number have to be in the format 555-01NN.…/North_American_Numbering_Plan

  43. Erik F says:

    @Matt: It's easy to squeeze those values *into* a byte; getting them out again is another story altogether! ;-)

  44. Mark says:

    Interesting note: the FBI did actually use a Visual Basic GUI to track the killer's IP address…/Study-says-Carnivore-functions-as-intended.aspx

  45. Iain says:

    Speaking of real/fake hacking in movies – I worked on about 50 isolated power station control systems over 12 years, back when we had to dial-up a 33k modem.  We used ssh1 (and then later ssh2).

    In the ear'y 2000's the matrix sequel came out where they hacked and shut-down the power grid using a theoretical ssh1 exploit.  It actually looked like they were running a real "hack" script with real ip addresses (internal of course – 10.x.x.x range).  It was impressive.  We had a good laugh at work… and then double checked we'd replaced ssh1 everywhere!

  46. cheong00 says:

    @Mark: At the other side of the ocean, Taiwanese hackers used command prompt to successfully hack someone's system, despite it repetitively says "Bad command or file name.". :P

  47. Stuart says:

    @Steve – Apple products aren't compatible with any EARTH technology, makes perfect sense that they'd interface seamlessly with something alien.

  48. Alberto says:

    The real hack here is that Raymond posted the entry on 20 Apr 2015 7:00 AM but managed to put the first comment on 19 Apr 2015 11:00 AM. Maybe the MS Research department was successful at last? :)

  49. Erik F says:

    @Alberto: It doesn't sound that surprising to me. I bet that the comment was added before the posting was released (Raymond has a huge queue of postings!) The blog software probably shows the release date, not the creation date, as the "posting date".

    [FRIST! (The reason is that I didn't want to break character in the post, so I put the meta-commentary as the first comment before publishing.) -Raymond]
  50. danb1974 says:

    At least it's better than in the movie "Unthinkable" (if my memory serves me right). Near the end, when they defuse the bomb, camera passes over a screen laptop. If you pause there, you'll see an excel sheet filled with garbage (keyboard pounding in random cells).

Comments are closed.

Skip to main content