Gaining Network Information
Gaining Network Information Via Whois And Nslookup
An important step in foot printing is to gain information, where possible, about a target’s network. Fortunately, there are plenty of tools available for this purpose, many of which you may already familiar with.
Whois This utility helps you gain information about a domain name, including ownership information, IP information, netblock data, and other information where available. The utility is freely available in Linux and Unix and must be downloaded as a third-party add-on for windows.
Working With Whois
This article will demonstrate how to use the whois command to gain information about a domain. If you are on windows, you will need to download the utility from the following link:
http://technet.microsoft.com/en-us/sysinternals/bb897435.aspx
- Open a command prompt
- At the command prompt, enter Whois <domain name> and press Enter.
At this point you should see a listing of information about the domain you looked up. In practice the information will provide data about the owner of the site as well as information about the DNS servers handling the domain name. You should make note of this information for late use.
Ping Utilizing ICMP, this utility is used to determine not only if a host is reachable, but also if it is up or down.
Nslookup This utility is used to query DNS server and gain information about various parts of the DNS namespace or individual hosts. The name stands for Name Server lookup, which accurately describes its role. On the UNIX and Linux platform the DIG command is used to perform the same function as nslookup.
Working with Nslookup
This article will demonstrates how to use the nslookup command to gain information about DNS:
- At a command prompt, type nslookup, and then press Enter.
- Type server <IP address>, where IP address is the IP address of your external DNS server, and then press Enter.
- Type set type=mx, and then press Enter.
- Type <domain name>, where domain name is the name of your domain, and then press Enter. The MX record for the domain you entered should be displayed.
So what does the result tell you? In this example the server names and IP addresses returned are for the mail servers that process mail for the domain.
If you wish, you can also use the set type command to search for all DNS records for a domain by replacing MS with A. You can also retrieve the start of authority record for a domain by replacing MX with SOA.
Tracert This utility is designed to follow the path of traffic from one point to another, including points in between. The utility provides information on the relative performance and latency between hops. Such information can be useful if a specific victim is targeted because if may reveal network information such as server names and related details. The utility is freely available for all OSs.
There also are many non-command-line versions available of tracert if you find them easier to use. Tools such as visual traceroute and others offer views of the information that may be easier for some.