BISY3006/ISY2003/ISY203 Information Security @ Australian Institute of Higher Education, Sydney
Lab 1
Aim: Study the use of network reconnaissance tools such as WHOIS, dig, traceroute and nslookup to
gather information about networks and domain registrations.
Objectives: To know how to gather information about networks by using different network
reconnaissance tools.
Outcomes: The learner will be able to:
• Understand, identify and analyse a problem, design and implement a solution using
current techniques, skills and tools, and validate that solution, including both its hardware
and software aspects.
• Use network-based tools for network analysis.
Hardware / Software Required: a WHOIS client, plus the dig, traceroute and nslookup commands
(all standard on Linux and macOS; Windows ships nslookup and tracert, its equivalent of traceroute).
Theory:
Whois - whois searches for an object in a WHOIS database. WHOIS (RFC 3912) is a simple query and
response protocol over TCP port 43 that is widely used for querying the databases that record the
registered holders of an Internet resource, such as a domain name or an IP address block, but it is
also used for a wider range of other information. Most modern whois clients try to guess the right
server to ask for the specified object. If no guess can be made, whois connects to
whois.networksolutions.com for NIC handles or whois.arin.net for IPv4 addresses and network names.
Be aware that many registries now redact registrant contact details, so a domain record may show
only the registrar, the name servers and the registration dates.
Examples:
• Obtaining the domain WHOIS record for aih.nsw.edu.au
• Obtaining a WHOIS record by querying an IP address
• Querying WHOIS through a web-based lookup service found via the Google search engine
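The "guess the right server" behaviour described above is really referral following: a client asks a starting server, reads the line that names the next server to ask, and repeats. The following Python client is an added example, not the whois(1) program or any code from this handout. It assumes the referral field names that whois.iana.org ("whois:") and the .com registry ("Registrar WHOIS Server:") print; the CONSTRUCTED_RESPONSES are invented replies so the referral logic can be exercised without network access, and the live lookup in the main block is commented out.

```python
"""Minimal WHOIS client that follows referrals (added example).

WHOIS (RFC 3912) is a plain-text exchange on TCP port 43: the client sends
the query followed by CRLF, the server writes its answer and closes the
connection. Referral field names assumed here: "whois:" as printed by
whois.iana.org and "Registrar WHOIS Server:" as printed by the .com registry.
"""

import re
import socket

IANA = "whois.iana.org"
REFERRAL_RE = re.compile(
    r"^\s*(?:whois|Whois Server|Registrar WHOIS Server):\s*(\S+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def whois_query(server, query, port=43, timeout=10):
    """One raw WHOIS exchange with a live server (needs network access)."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # the server closes the connection when it is done
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def referral_server(response):
    """Name of the next WHOIS server the response points at, or None."""
    match = REFERRAL_RE.search(response)
    return match.group(1).lower().rstrip(".") if match else None


def whois_follow(query, start=IANA, max_hops=4, query_fn=whois_query):
    """Ask `start`, then follow referrals until a server gives none.

    Returns a list of (server, response) in the order they were queried.
    A server that refers back to one already asked ends the chain.
    """
    trail, asked, server = [], set(), start
    while server not in asked and len(trail) < max_hops:
        asked.add(server)
        response = query_fn(server, query)
        trail.append((server, response))
        server = referral_server(response)
        if server is None:
            break
    return trail


# Constructed replies standing in for the real servers: the field layout
# mirrors what IANA and the .com registry print, the values are invented.
CONSTRUCTED_RESPONSES = {
    "whois.iana.org": "domain:      COM\nwhois:       whois.verisign-grs.com\nstatus:      ACTIVE\n",
    "whois.verisign-grs.com": "   Domain Name: EXAMPLE.COM\n   Registrar WHOIS Server: whois.registrar.example\n",
    "whois.registrar.example": "Domain Name: example.com\nRegistrar: Example Registrar\n",
}


def offline_demo(query="example.com"):
    """Run the referral chain against the constructed replies; returns the servers asked."""
    return [s for s, _ in whois_follow(query, query_fn=lambda s, q: CONSTRUCTED_RESPONSES[s])]


if __name__ == "__main__":
    print("offline referral chain:", " -> ".join(offline_demo()))
    # Live lookup (uncomment when connected): starts at IANA, ends at the registrar.
    # for server, text in whois_follow("aih.nsw.edu.au"):
    #     print(f"=== {server} ===\n{text[:400]}")
```

Running whois_follow against a real domain is the same as `whois -h whois.iana.org` followed by hand-typed queries to each server it names; the max_hops and loop check exist because a misconfigured referral can otherwise bounce a client between two servers forever.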
Dig - dig (domain information groper) is a command-line tool that queries DNS servers for
information. It is very helpful for diagnosing problems with where a domain points and is a good
way to verify that a DNS configuration is working. The most basic way to use dig is to specify the
domain we wish to query: dig example.com
Traceroute - Traceroute prints the route that packets take to a network host. It works by
exploiting the Time To Live (TTL) field in the IP header. The TTL is an 8-bit counter that bounds
how many hops a packet may travel: the sender sets an initial value (typically 64, 128 or 255,
depending on the operating system) and every router that forwards the packet decrements it by one.
A router that decrements the TTL to 0 does not forward the packet; it discards it and returns an
ICMP "Time Exceeded" message (type 11) to the source address of the discarded packet. Because
that ICMP message carries the router's own address as its source, the sender learns the address
of the router at which the packet expired.
Traceroute therefore sends probes with TTL 1, then 2, then 3, and so on. The probe with TTL 1
expires at the first router, which identifies itself in its Time Exceeded reply; the probe with
TTL 2 expires at the second router; and so on until a probe reaches the destination host, which
answers the probe itself (with ICMP Port Unreachable for the UDP probes sent by the Unix
traceroute, or an Echo Reply for the ICMP probes sent by Windows tracert). In this way traceroute
incrementally collects the address of every router between the source and the destination. By
default three probes are sent per TTL, which is why each hop shows three round-trip times. A hop
printed as * * * means no reply arrived within the timeout for that TTL; this is common where a
router or firewall rate-limits or suppresses ICMP and does not by itself mean that hop is down.
Example: traceroute example.com
traceroute to example.com (64.13.192.208), 64 hops max, 40 byte packets
 1  72.10.62.1 (72.10.62.1)  1.000 ms  0.739 ms  0.702 ms
 2  10.101.248.1 (10.101.248.1)  0.683 ms  0.385 ms  0.315 ms
 3  10.104.65.161 (10.104.65.161)  0.791 ms  0.703 ms  0.686 ms
 4  10.104.65.161 (10.104.65.161)  0.791 ms  0.703 ms  0.686 ms
 5  10.0.10.33 (10.0.10.33)  2.652 ms  2.260 ms  5.353 ms
 6  acmkokeaig.gs01.gridserver.com (64.13.192.208)  3.384 ms  8.001 ms  2.439 ms
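To make the TTL mechanism concrete, here is an added example (not code from this handout) that simulates it in Python. The path of routers is a constructed in-memory list, not a real network: a real traceroute sends UDP or ICMP probes and needs raw sockets, whereas here a "probe" is just a TTL value walked router by router. One router is set to drop expired probes silently so the * case shows up in the output.

```python
"""Simulation of the TTL mechanism that traceroute relies on (added example)."""

# Constructed path from the probing host to the destination: each entry is
# (router address, whether it answers expired packets with ICMP Time Exceeded).
# The fourth router drops expired probes silently, as a firewall that
# suppresses ICMP would; traceroute prints that hop as "*".
PATH = [
    ("72.10.62.1", True),
    ("10.101.248.1", True),
    ("10.104.65.161", True),
    ("10.0.10.33", False),
]
DESTINATION = "64.13.192.208"


def forward(ttl, path, destination):
    """Carry one probe with the given initial TTL along the path.

    Returns (address that answered or None, kind of answer), where kind is
    "time-exceeded" (a router decremented TTL to 0 and sent ICMP type 11),
    "no-reply" (the router that expired the probe stayed silent) or
    "destination" (the probe reached the end host, which answers itself).
    """
    for router, replies in path:
        ttl -= 1                      # each forwarding router decrements TTL
        if ttl == 0:                  # expired here: discard, never forward
            return (router, "time-exceeded") if replies else (None, "no-reply")
    return destination, "destination"


def traceroute(path, destination, max_hops=64):
    """Probe with TTL 1, 2, 3, ... until the destination itself answers.

    Returns the list of hop addresses in order, with "*" for a silent hop.
    Stops after max_hops probes if the destination never answers.
    """
    hops = []
    for ttl in range(1, max_hops + 1):
        addr, kind = forward(ttl, path, destination)
        hops.append(addr if addr is not None else "*")
        if kind == "destination":
            break
    return hops


if __name__ == "__main__":
    for n, hop in enumerate(traceroute(PATH, DESTINATION), start=1):
        print(f"{n:2d}  {hop}")
```

The simulation shows why a silent hop followed by normal replies is not a fault: the probe with TTL 5 still passes through the silent router and reaches the destination, so only the display for hop 4 is affected.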
Nslookup - The nslookup command queries Internet name servers, either interactively or for a
single lookup. nslookup, which stands for "name server lookup", is a useful tool for finding out
information about a named domain. By default, nslookup translates a domain name to an
IP address (or vice versa). For instance, to find out what the IP address of microsoft.com is,
you could run the command:
nslookup microsoft.com
Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
Name:   microsoft.com
Address: 134.170.185.46
Name:   microsoft.com
Address: 134.170.188.221
Here, 8.8.8.8 is the address of the DNS server our system is configured to use to translate
domain names into IP addresses (in this case Google Public DNS). "#53" indicates that the query
was sent to port 53, the standard port on which name servers accept queries. Below this is the
answer for microsoft.com. The name server returned two A records, 134.170.185.46 and
134.170.188.221, which indicates that microsoft.com uses DNS round robin to distribute load:
when you connect to microsoft.com you may be directed to either address, and your packets are
routed to that server. Note that the answer is marked "Non-authoritative". An answer is
authoritative only when the responding server itself hosts the zone for the domain in question.
A recursive resolver such as 8.8.8.8 instead returns what it cached the last time it obtained the
answer from an authoritative server; the data came from the authority, but because the resolver
is not itself that authority it qualifies the answer as non-authoritative. To obtain an
authoritative answer, send the query directly to one of the domain's own name servers
(nslookup accepts the server as a second argument: nslookup microsoft.com ns1.example.net).
Figure: Using nslookup to enumerate basic MX records
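When nslookup output is collected from many hosts (or in scripts), the interesting facts are the resolver that answered, whether the answer was authoritative, and how many addresses came back for the name. The parser below is an added example, not code from this handout; its SAMPLE text is the microsoft.com output above reconstructed in nslookup's normal layout, and NXDOMAIN_SAMPLE is a constructed example of the "** server can't find" line nslookup prints for a name that does not exist.

```python
"""Parser for the output of a forward nslookup (added example)."""

# Constructed sample: the microsoft.com lookup from the theory section, laid
# out the way nslookup prints it (tabs between label and value).
SAMPLE = """\
Server:\t\t8.8.8.8
Address:\t8.8.8.8#53

Non-authoritative answer:
Name:\tmicrosoft.com
Address: 134.170.185.46
Name:\tmicrosoft.com
Address: 134.170.188.221
"""

# Constructed failure case: a name that does not exist.
NXDOMAIN_SAMPLE = """\
Server:\t\t8.8.8.8
Address:\t8.8.8.8#53

** server can't find nosuch.example: NXDOMAIN
"""


def parse_nslookup(text):
    """Split nslookup output into a dict.

    Keys: server (resolver address), port, authoritative (bool),
    answers (list of (name, address) pairs), error (the ** line, if any).
    """
    out = {"server": None, "port": None, "authoritative": True,
           "answers": [], "error": None}
    expect_server_address = False  # the Address: right after Server: is the resolver's
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Server:"):
            out["server"] = line.split(":", 1)[1].strip()
            expect_server_address = True
        elif line.startswith("Address:") and expect_server_address:
            # resolver address is printed as ip#port
            _addr, _sep, port = line.split(":", 1)[1].strip().partition("#")
            out["port"] = int(port) if port else 53
            expect_server_address = False
        elif line.startswith("Non-authoritative answer"):
            out["authoritative"] = False
        elif line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Address:"):
            out["answers"].append((name, line.split(":", 1)[1].strip()))
        elif line.startswith("**"):
            out["error"] = line.lstrip("* ").strip()
    return out


def addresses_for(parsed, name):
    """All addresses returned for one name; more than one suggests DNS round robin."""
    return [addr for n, addr in parsed["answers"] if n == name]


if __name__ == "__main__":
    parsed = parse_nslookup(SAMPLE)
    print("resolver:", parsed["server"], "port", parsed["port"],
          "authoritative" if parsed["authoritative"] else "non-authoritative")
    print("addresses:", addresses_for(parsed, "microsoft.com"))
    print("error on missing name:", parse_nslookup(NXDOMAIN_SAMPLE)["error"])
```

The `**` line is the case to check first when using nslookup to verify a configuration: NXDOMAIN means the resolver got a definite "no such name", whereas a timeout or SERVFAIL means the resolver could not get an answer at all, which points at connectivity or at the authoritative servers rather than at the record.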
Conclusion:
In this experiment you learned how to take the first steps of an ethical hacking engagement.
Information gathering, in the form of reconnaissance, footprinting and social engineering, is
necessary to learn as much about the target as possible. By following an information-gathering
methodology, ethical hackers can ensure they are not missing any steps or valuable
information. Time spent in the information-gathering phase is well worth it, because it speeds up
the later phases and improves the chances that the exploitation steps succeed.
Questions:
1. How can traceroute be used to identify network problems?
2. What is the WHOIS database?
3. Which command is used for verifying a configuration and troubleshooting problems with it?
4. How do you use nslookup to verify a DNS configuration?
Submit the screenshots of your lab and the answers to the above questions in a single document
file (.doc/.pdf).