Get External IP by watching Youtube videos

Ok, so I was playing around with Fiddler, and EKFiddle and at a certain point I noticed that my external IP was provided back in an URL path from googlevideo.com. I like to always keep in the back of my mind on how to get information back to an (infected) device via ‘legitimate’ sources.

External IP provided back in HTTPS path

Now there have been hundreds of cases where cybercriminals used legitimate environments to control their botnets. In this way, cybercriminals can also retrieve back the external IP by simply waiting for the endpoint to start communicating to googlevideo.com. This is done when you watch a Youtube video.

Limitations

  • Yes, the endpoint has to be infected, and some type of sniffing needs to take place. Could this also be done with the installed sniffer in Google Chrome? Thats something for later 🙂

Pro

  • Small chance that googlevideo.com will get blacklisted or monitored by security solutions.
  • It is actual legitimate traffic