I'm going to talk about a few network recon tools. Just the basics for this one. If you're reading this without having read some sort of networking primer you should stop reading and read up on networking first.
Or search on your own until you feel you have the basics down.
This is not an OS-dependent thread, but a unix-type computer is best. You can use a linux livedvd, as I've explained in another post.
There are Windows and Mac alternatives (you'll have to find them for yourself) for all the tools I explain, as well as web-based versions.
Picture the internet like your cell phone. When you want to call Flaw you just scroll to Flaw's name and hit send/call. You don't need to remember that his number is 1-800-BUTT-SMEX. It doesn't matter where he lives or who owns the house he lives in. You couldn't care less which telecom provides his phone service, or how many other lines he has in his house. You just need to know his name.
The same is true with networking. Every day you visit websites knowing only the URL, and nothing more. You send email knowing only the recipient's address. Recon is about peeling that convenience back: turning a name into addresses, servers and the people behind them. Securing a network always begins with good recon, and so does attacking one.
whois
If you have a second-level domain and a top-level domain you can do a whois on it to find out contact information: name(s), address, phone number(s), email(s) and, most importantly, the domain's name servers (DNS). Obviously, the contact details can be forged (or hidden behind a privacy service), but the name servers can't be: the domain has to point at real servers or it won't resolve. Here's the output of a whois on gentoo.org (notice I'm just using an SLD, gentoo, and a TLD, .org):
Code:
fuhq fuhq # whois gentoo.org
NOTICE: Access to .ORG WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the Public Interest Registry
registry database. The data in this record is provided by Public Interest Registry
for informational purposes only, and Public Interest Registry does not guarantee its
accuracy. This service is intended only for query-based access. You agree
that you will use this data only for lawful purposes and that, under no
circumstances will you use this data to: (a) allow, enable, or otherwise
support the transmission by e-mail, telephone, or facsimile of mass
unsolicited, commercial advertising or solicitations to entities other than
the data recipient's own existing customers; or (b) enable high volume,
automated, electronic processes that send queries or data to the systems of
Registry Operator or any ICANN-Accredited Registrar, except as reasonably
necessary to register domain names or modify existing registrations. All
rights reserved. Public Interest Registry reserves the right to modify these terms at any
time. By submitting this query, you agree to abide by this policy.
Domain ID:D10959563-LROR
Domain Name:GENTOO.ORG
Created On:04-Oct-1999 16:08:45 UTC
Last Updated On:28-Dec-2010 02:30:34 UTC
Expiration Date:04-Oct-2017 16:08:45 UTC
Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:CR30586107
Registrant Name:Gentoo Foundation
Registrant Organization:Gentoo Foundation
Registrant Street1:20 First Plaza
Registrant Street2:Ste. 517
Registrant Street3:
Registrant City:Albuquerque
Registrant State/Province:New Mexico
Registrant Postal Code:87102
Registrant Country:US
Registrant Phone:+1.6044175974
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:[email protected]
Admin ID:CR30586109
Admin Name:Gentoo Foundation
Admin Organization:Gentoo Foundation
Admin Street1:20 First Plaza
Admin Street2:Ste. 517
Admin Street3:
Admin City:Albuquerque
Admin State/Province:New Mexico
Admin Postal Code:87102
Admin Country:US
Admin Phone:+1.6044175974
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:[email protected]
Tech ID:CR30586108
Tech Name:Gentoo Foundation
Tech Organization:Gentoo Foundation
Tech Street1:20 First Plaza
Tech Street2:Ste. 517
Tech Street3:
Tech City:Albuquerque
Tech State/Province:New Mexico
Tech Postal Code:87102
Tech Country:US
Tech Phone:+1.6044175974
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:[email protected]
Name Server:NS1.GENTOO.ORG
Name Server:NS2.GENTOO.ORG
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned
Try it out yourself with a few different domains. There are web-based whois lookups too if you don't have the command.
dig
dig stands for domain information groper. It has pretty much replaced nslookup (if you've ever used or heard of it). It comes packaged with just about every linux distro (it's on the linux livedvd mentioned above). For Windows you would have to install the ISC BIND tools to get dig.
There are also web-based dig front ends.
dig will query a DNS server for various records: IP address lookup for a domain name, finding the mail and name servers for a domain, reverse DNS lookups, DNS zone transfers, etc. It's basically the swiss army knife of DNS tools.
I'm going to use narutobase as an example for dig, to show you why you should be eternally grateful to Versuvio for hosting this network for you.
Let's start off with a simple request. All I want is an A record so I can get an IP address:
Code:
fuhq fuhq # dig narutobase.net
; <<>> DiG 9.4.3-P2 <<>> narutobase.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10613
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;narutobase.net. IN A
;; ANSWER SECTION:
narutobase.net. 60 IN A 178.21.21.6
;; AUTHORITY SECTION:
narutobase.net. 900 IN NS ns1.smoved.nl.
narutobase.net. 900 IN NS ns3.smoved.nl.
narutobase.net. 900 IN NS ns2.smoved.nl.
;; Query time: 123 msec
;; SERVER: 68.105.28.12#53(68.105.28.12)
;; WHEN: Thu Dec 30 01:17:49 2010
;; MSG SIZE rcvd: 111
Simply typing dig with the SLD.TLD gives us the A record:
Code:
;; ANSWER SECTION:
narutobase.net. 60 IN A 178.21.21.6
and where it came from (the AUTHORITY section lists the name servers that are authoritative for the zone; the SERVER line further down is just the resolver that answered us):
Code:
;; AUTHORITY SECTION:
narutobase.net. 900 IN NS ns1.smoved.nl.
narutobase.net. 900 IN NS ns3.smoved.nl.
narutobase.net. 900 IN NS ns2.smoved.nl.
If you want to know the mail server(s) for a particular domain you use MX (the number in front of each server is its preference; the lowest is tried first):
Code:
fuhq fuhq # dig MX narutobase.net
; <<>> DiG 9.4.3-P2 <<>> MX narutobase.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51281
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;narutobase.net. IN MX
;; ANSWER SECTION:
narutobase.net. 600 IN MX 30 aspmx5.googlemail.com.
narutobase.net. 600 IN MX 10 aspmx.l.google.com.
narutobase.net. 600 IN MX 20 alt1.aspmx.l.google.com.
narutobase.net. 600 IN MX 20 alt2.aspmx.l.google.com.
narutobase.net. 600 IN MX 30 aspmx2.googlemail.com.
narutobase.net. 600 IN MX 30 aspmx3.googlemail.com.
narutobase.net. 600 IN MX 30 aspmx4.googlemail.com.
;; AUTHORITY SECTION:
narutobase.net. 332 IN NS ns2.smoved.nl.
narutobase.net. 332 IN NS ns1.smoved.nl.
narutobase.net. 332 IN NS ns3.smoved.nl.
;; ADDITIONAL SECTION:
aspmx.l.google.com. 10 IN A 74.125.127.27
aspmx2.googlemail.com. 601 IN A 74.125.43.27
aspmx3.googlemail.com. 86 IN A 72.14.213.27
;; Query time: 146 msec
;; SERVER: 68.105.28.12#53(68.105.28.12)
;; WHEN: Thu Dec 30 01:23:00 2010
;; MSG SIZE rcvd: 322
To get the name servers, NS:
Code:
fuhq fuhq # dig NS narutobase.net
; <<>> DiG 9.4.3-P2 <<>> NS narutobase.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44421
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;narutobase.net. IN NS
;; ANSWER SECTION:
narutobase.net. 600 IN NS ns3.smoved.nl.
narutobase.net. 600 IN NS ns1.smoved.nl.
narutobase.net. 600 IN NS ns2.smoved.nl.
;; Query time: 139 msec
;; SERVER: 68.105.28.12#53(68.105.28.12)
;; WHEN: Thu Dec 30 01:24:07 2010
;; MSG SIZE rcvd: 95
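To see what dig is actually doing in the queries above, here is a small DNS client I wrote for this write-up (an added example: not code from the original post and not dig's own source). It builds the same wire-format query dig sends, decodes the answer including compressed names, and does a transfer over TCP the way dig does for axfr. It uses only the Python standard library. sample_response() is a constructed packet shaped like the A lookup above, so the parser can be exercised offline; udp_query() and axfr() need the network, and the server address you give them is yours to choose (nothing here is hard-coded to the post's servers).

```python
"""What dig does on the wire: build the query, send it, decode the reply.
Added example, not from the original post; standard library only."""
import random
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "AAAA": 28, "AXFR": 252}  # 252 = transfer
TYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """'narutobase.net' -> b'\\x0anarutobase\\x03net\\x00' (length-prefixed labels, zero terminator)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, qtype, txid=None):
    """12-byte header plus one question: the bytes `dig name qtype` sends."""
    txid = random.randrange(0x10000) if txid is None else txid
    flags = 0 if qtype == "AXFR" else 0x0100    # RD (recursion desired) makes no sense for a transfer
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # id, flags, 1 question, no other sections
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)   # type, class IN


def read_name(msg, off):
    """Decode a possibly-compressed name at `off`; return (name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # 2-byte pointer back to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end, jumped, off = (end if jumped else off + 2), True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_rdata(msg, rtype, off, rdlen):
    """Render RDATA for the types the post shows; anything else comes back as hex."""
    raw = msg[off:off + rdlen]
    if rtype == QTYPE["A"]:
        return socket.inet_ntoa(raw)
    if rtype == QTYPE["AAAA"]:
        return socket.inet_ntop(socket.AF_INET6, raw)
    if rtype in (QTYPE["NS"], QTYPE["CNAME"]):
        return read_name(msg, off)[0]           # names inside RDATA may be compressed too
    if rtype == QTYPE["MX"]:
        return "%d %s" % (struct.unpack("!H", raw[:2])[0], read_name(msg, off + 2)[0])
    return raw.hex()


def parse_response(msg):
    """Return (header, records); records cover the answer, authority and additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                         # skip the echoed question
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((owner, TYPE_NAME.get(rtype, str(rtype)), ttl, parse_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "answer": an, "authority": ns, "additional": ar}, records


def udp_query(name, qtype, server, timeout=3.0):
    """`dig @server name qtype` for answers that fit in one UDP datagram."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp = s.recv(4096)
    if resp[:2] != q[:2]:                       # a reply that doesn't echo our id isn't ours
        raise ValueError("transaction id mismatch")
    return parse_response(resp)


def axfr(zone, server, timeout=10.0):
    """`dig @server zone axfr`: over TCP, each message length-prefixed, until the closing SOA."""
    q = build_query(zone, "AXFR")
    records, soa_seen = [], 0
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        rd = s.makefile("rb")
        while soa_seen < 2:                     # a transfer starts and ends with the zone's SOA
            (length,) = struct.unpack("!H", rd.read(2))
            header, recs = parse_response(rd.read(length))
            if header["rcode"] != 0:            # 5 = REFUSED: the server is configured properly
                raise PermissionError("transfer refused, rcode %d" % header["rcode"])
            records += recs
            soa_seen += sum(1 for r in recs if r[1] == "SOA")
    return records


def sample_response():
    """Constructed reply to `dig narutobase.net`: one A answer plus one NS in the authority section."""
    header = struct.pack("!HHHHHH", 10613, 0x8180, 1, 1, 1, 0)   # flags qr rd ra; 1 question/answer/authority
    question = encode_name("narutobase.net") + struct.pack("!HH", QTYPE["A"], 1)
    owner = b"\xc0\x0c"                         # pointer to the name at offset 12 (inside the question)
    answer = owner + struct.pack("!HHIH", QTYPE["A"], 1, 60, 4) + bytes([178, 21, 21, 6])
    ns = encode_name("ns1.smoved.nl")
    return header + question + answer + owner + struct.pack("!HHIH", QTYPE["NS"], 1, 900, len(ns)) + ns
```

Point udp_query("narutobase.net", "MX", "<your resolver>") at a resolver and you get the same records dig prints; axfr("narutobase.net", "<one of its NS hosts>") is the programmatic form of the transfer attempt, and the PermissionError on rcode 5 is what a well-run server should give you. The transaction-id check in udp_query() is not decoration: a reply whose id doesn't match ours was not an answer to our question and gets thrown away, which is the first line of defence against someone stuffing fake answers into your resolver.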
Once you have the NS records for a domain you can sometimes get a zone transfer (AXFR). That's when you query one of the authoritative name servers directly and ask it to hand over everything it has on the zone. Sometimes it works and sometimes it doesn't: transfers exist so secondaries can copy the zone from the primary, and a properly configured server only allows them from those secondaries (in BIND that's the allow-transfer option). When a server answers anyone, as this one does, you get the whole host list in one query, including names you would never have guessed. Note that the query goes to the name server itself (@ns3.smoved.nl), not to your usual resolver:
Code:
fuhq fuhq # dig @ns3.smoved.nl narutobase.net axfr
; <<>> DiG 9.4.3-P2 <<>> @ns3.smoved.nl narutobase.net axfr
; (1 server found)
;; global options: printcmd
narutobase.net. 600 IN SOA ns1.smoved.nl. hostmaster.smoved.nl. 2010120600 10800 3600 604800 3600
narutobase.net. 600 IN NS ns1.smoved.nl.
narutobase.net. 600 IN NS ns2.smoved.nl.
narutobase.net. 600 IN NS ns3.smoved.nl.
*.narutobase.net. 600 IN A 178.21.21.6
www.narutobase.net. 60 IN A 178.21.21.6
narutobase.net. 60 IN A 178.21.21.6
localhost.narutobase.net. 600 IN A 127.0.0.1
images.narutobase.net. 600 IN A 94.23.34.161
webmail.narutobase.net. 600 IN CNAME ghs.google.com.
calendar.narutobase.net. 600 IN CNAME ghs.google.com.
media-01.narutobase.net. 600 IN A 91.205.174.160
media-02.narutobase.net. 600 IN A 94.23.34.161
cdn02.narutobase.net. 60 IN CNAME 3894.voxcdn.com.
img01.narutobase.net. 600 IN A 94.23.34.161
narutobase.net. 600 IN MX 20 alt1.aspmx.l.google.com.
narutobase.net. 600 IN MX 10 aspmx.l.google.com.
narutobase.net. 600 IN MX 20 alt2.aspmx.l.google.com.
narutobase.net. 600 IN MX 30 aspmx2.googlemail.com.
narutobase.net. 600 IN MX 30 aspmx3.googlemail.com.
narutobase.net. 600 IN MX 30 aspmx4.googlemail.com.
narutobase.net. 600 IN MX 30 aspmx5.googlemail.com.
*.narutobase.net. 600 IN AAAA 2a00:1ca8:4::6
narutobase.net. 600 IN AAAA 2a00:1ca8:4::6
www.narutobase.net. 600 IN AAAA 2a00:1ca8:4::6
images.narutobase.net. 600 IN AAAA 2a00:1ca8:4::6
narutobase.net. 600 IN SOA ns1.smoved.nl. hostmaster.smoved.nl. 2010120600 10800 3600 604800 3600
;; Query time: 255 msec
;; SERVER: 81.4.93.201#53(81.4.93.201)
;; WHEN: Thu Dec 30 01:26:40 2010
;; XFR size: 27 records (messages 3, bytes 1333)
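What do you do with a zone once you have it? The script below (an added example, not from the original post) parses dig's AXFR listing and turns it into the two things a recon pass wants: an inventory of which hostnames sit on which addresses, and a list of records worth a second look. ZONE_DUMP is a constructed, abbreviated copy of the transfer above (same record shapes, fewer lines); feed it the full output of dig @ns zone axfr and it works the same way. Standard library only.

```python
"""Turn a zone transfer listing into an inventory and a list of things to look at.
Added example, not from the original post; standard library only."""
import ipaddress
from collections import defaultdict, namedtuple

# Constructed, abbreviated copy of the transfer shown in the post (same record shapes, fewer lines).
ZONE_DUMP = """\
narutobase.net. 600 IN SOA ns1.smoved.nl. hostmaster.smoved.nl. 2010120600 10800 3600 604800 3600
narutobase.net. 600 IN NS ns1.smoved.nl.
narutobase.net. 600 IN NS ns2.smoved.nl.
*.narutobase.net. 600 IN A 178.21.21.6
www.narutobase.net. 60 IN A 178.21.21.6
narutobase.net. 60 IN A 178.21.21.6
localhost.narutobase.net. 600 IN A 127.0.0.1
images.narutobase.net. 600 IN A 94.23.34.161
webmail.narutobase.net. 600 IN CNAME ghs.google.com.
media-01.narutobase.net. 600 IN A 91.205.174.160
cdn02.narutobase.net. 60 IN CNAME 3894.voxcdn.com.
narutobase.net. 600 IN MX 10 aspmx.l.google.com.
narutobase.net. 600 IN AAAA 2a00:1ca8:4::6
;; Query time: 255 msec
"""

Record = namedtuple("Record", "owner ttl rclass rtype rdata")


def parse_zone(text):
    """dig prints one 'owner ttl class type rdata' line per record; lines starting with ';' are chatter."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        owner, ttl, rclass, rtype, rdata = parts
        records.append(Record(owner, int(ttl), rclass, rtype, rdata))
    return records


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def triage(records, zone):
    """Group hosts by address and flag the records that deserve a second look."""
    zone = zone.rstrip(".") + "."
    hosts = defaultdict(list)   # address -> names: the real machine list behind all those hostnames
    report = {"wildcards": [], "non_public": [], "external_cnames": [], "ipv6": [], "serial": None}
    for r in records:
        if r.rtype in ("A", "AAAA"):
            hosts[r.rdata].append(r.owner)
            if not ipaddress.ip_address(r.rdata).is_global:   # loopback / RFC 1918: internal detail leaking out
                report["non_public"].append((r.owner, r.rdata))
            if r.rtype == "AAAA":
                report["ipv6"].append(r.owner)   # the v6 side is often less firewalled than the v4 side
        if r.owner.startswith("*.") and r.owner not in report["wildcards"]:
            report["wildcards"].append(r.owner)  # any made-up subdomain resolves; subdomain guessing is useless
        if r.rtype == "CNAME" and not in_zone(r.rdata, zone):
            report["external_cnames"].append((r.owner, r.rdata))   # third-party dependency: check it is still claimed
        if r.rtype == "SOA" and report["serial"] is None:
            report["serial"] = r.rdata.split()[2]   # YYYYMMDDnn by convention: when the zone last changed
    report["hosts"] = dict(hosts)
    return report


if __name__ == "__main__":
    rep = triage(parse_zone(ZONE_DUMP), "narutobase.net")
    for addr, names in rep["hosts"].items():
        print(addr, " ".join(names))
    for key in ("wildcards", "non_public", "external_cnames", "ipv6", "serial"):
        print(key + ":", rep[key])
```

Read the findings the way a pentester would: the hosts map tells you there are really only a handful of machines behind all those names; the wildcard means every subdomain resolves, so brute-forcing names tells you nothing; the external CNAMEs are services delegated to third parties, and if the third-party side is ever deleted while the CNAME stays, someone else can claim it; localhost in a public zone is harmless but a sign nobody has audited the zone. On the server side the fix for the whole list is the same one mentioned above: restrict transfers to the secondaries.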
And that (above) is why narutobase.net blows away every other Naruto fan site out there. Next time you feel like complaining about something remember that. U_U
There's more to dig, but that's the gist of it. On a unix-type system, type "man dig" to get all the options.
ping
ping is a tool that can tell you if a host is up or down, the round trip time it takes to go from you to them and back again, the TTL on the reply, packets dropped, etc. It sends an ICMP echo request packet and waits for the echo reply, and it can be a useful tool or a headache (or a fun joke if you know how to inject packets). One caveat: no reply doesn't necessarily mean the host is down, since plenty of firewalls simply drop echo requests.
I'm pretty sure you can ping from a DOS prompt in Windows. I know you can't inject packets with Windows though. Mac folks just open a terminal (same as unix users). There are web-based ping utilities as well.
Code:
ping google.com
PING google.com (66.102.7.99) 56(84) bytes of data.
64 bytes from lax04s01-in-f99.1e100.net (66.102.7.99): icmp_seq=1 ttl=54 time=102 ms
64 bytes from lax04s01-in-f99.1e100.net (66.102.7.99): icmp_seq=2 ttl=52 time=102 ms
64 bytes from lax04s01-in-f99.1e100.net (66.102.7.99): icmp_seq=3 ttl=54 time=96.4 ms
64 bytes from lax04s01-in-f99.1e100.net (66.102.7.99): icmp_seq=4 ttl=52 time=121 ms
64 bytes from lax04s01-in-f99.1e100.net (66.102.7.99): icmp_seq=5 ttl=52 time=97.5 ms
^C
--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 96.471/104.033/121.148/8.919 ms
Ctrl-C stops ping, or on unix/linux/Mac OS X you can specify the number of pings (put the -c option before the host name; the BSD ping on a Mac won't accept it afterwards):
Code:
ping -c 5 www.google.com
The stats tell you how many packets were transmitted and how many were received, as well as the times. There's a lot more to ping, but for now that's good enough to know. Be careful you don't keep pinging someone, especially if you're on a fast connection, or they may get a little angry.
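ping's packet is simple enough to build by hand. The code below (an added example, not from the original post) assembles an ICMP echo request exactly as ping does, checksums it, and decodes the echo reply the kernel hands back, pulling out the TTL you see in the output above. Sending needs a raw socket, which on unix means root, so the builder and parser are kept separate from ping_once() and can be tried without privileges; sample_reply() is a constructed packet with made-up addresses. Standard library only.

```python
"""What a ping is on the wire: an ICMP echo request, and how the echo reply is read.
Added example, not from the original post; standard library only."""
import os
import socket
import struct
import time


def icmp_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words; a packet with a correct checksum re-sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident, seq, payload=b"\x00" * 56):
    """Type 8, code 0, checksum, identifier, sequence, payload; ping's default payload is 56 bytes."""
    csum = icmp_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_echo_reply(packet):
    """Decode the raw IPv4 packet a raw socket hands back. None unless it's a valid echo reply (type 0)."""
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length; the TTL is byte 8 of that header
    ttl, icmp = packet[8], packet[ihl:]
    if len(icmp) < 8 or icmp_checksum(icmp) != 0:
        return None
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if itype != 0:
        return None
    return {"ttl": ttl, "ident": ident, "seq": seq, "payload": icmp[8:]}


def ping_once(host, seq=1, timeout=2.0):
    """One request/reply round trip, like `ping -c 1`. Needs a raw socket (root). Returns (ttl, rtt_ms) or None."""
    ident = os.getpid() & 0xFFFF            # ping uses its pid so replies can be told apart from other pings'
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        sent = time.monotonic()
        s.sendto(build_echo_request(ident, seq), (host, 0))
        while True:
            try:
                packet, _ = s.recvfrom(2048)
            except socket.timeout:
                return None                 # dropped, filtered, or host is down: ping can't tell which
            reply = parse_echo_reply(packet)
            if reply and reply["ident"] == ident and reply["seq"] == seq:
                return reply["ttl"], (time.monotonic() - sent) * 1000


def sample_reply(ident, seq, ttl=54):
    """Constructed IPv4 + ICMP echo reply with made-up addresses, as the kernel would deliver it."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0, 0, ttl, 1, 0,
                            socket.inet_aton("66.102.7.99"), socket.inet_aton("192.0.2.10"))
    icmp = struct.pack("!BBHHH", 0, 0, 0, ident, seq) + b"\x00" * 56
    return ip_header + icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
```

The identifier and sequence checks in ping_once() are what let ping match replies to its own requests when several pings (or someone's stray ICMP) are hitting the same host at once; the TTL it reports is whatever is left after the reply has crossed every router on the way back, which is why the values in the output above hop between 52 and 54 as the return path changes.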
The last tool is the best tool.....
nmap
nmap (network mapper) has been around for a long time. It's so badass it's been in 8 movies.
nmap is available for all OSes, but works best on unix types. It's preinstalled on the linux livedvd (above). For this one I'm not going to go through examples; I'm just going to tell you what it does and where to get it. Play around with it and learn it. It's the best tool out there for network recon/exploration. One thing to keep in mind: whois and dig only talk to registries and name servers, but nmap talks to the target itself, so every scan lands in its logs (and possibly in front of its IDS). Scan your own machines, or ones you have permission to test.
From the nmap website:
Code:
Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), and a utility for comparing scan results (Ndiff).
Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in eight movies, including The Matrix Reloaded, Die Hard 4, and The Bourne Ultimatum.
Get it, learn it and use it. You'll be surprised what you can learn.
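nmap's plainest scan, -sT, is a TCP connect scan: complete the three-way handshake on each port, note what the kernel said, and read whatever banner the service volunteers. The code below (an added example: not nmap's code and not from the original post) does exactly that for a list of ports, using nmap's own open/closed/filtered vocabulary. demo_targets() builds a constructed lab on loopback (a listener that greets like an SSH server, and a port known to be closed) so the scan can be run without touching anyone else's machine. Standard library only.

```python
"""What nmap's TCP connect scan (-sT) does: handshake with each port, classify, grab a banner.
Added example, not nmap's code and not from the original post; standard library only."""
import errno
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Full three-way handshake via connect(); states use nmap's vocabulary."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            err = s.connect_ex((host, port))
        except OSError:                     # includes socket.timeout
            return "filtered", ""
        if err == 0:
            banner = b""
            try:
                banner = s.recv(128)        # SSH, SMTP, FTP talk first; HTTP waits for us, so it stays empty
            except OSError:
                pass
            return "open", banner.decode("ascii", "replace").strip()
        if err == errno.ECONNREFUSED:       # RST came back: nothing listening, but the host is there
            return "closed", ""
        return "filtered", ""               # timed out or unreachable: a firewall ate the SYN or the reply


def scan(host, ports, workers=32):
    """Probe the ports concurrently; returns {port: (state, banner)} in port order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p), ports))
    return dict(sorted(zip(ports, states)))


def demo_targets(banner=b"SSH-2.0-OpenSSH_demo\r\n"):
    """Constructed lab on loopback: a listener that greets like sshd, and a port that is known to be closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]

    def serve():                            # answer one connection, then go away
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))              # borrow a free port number, then release it so it is closed
    closed_port = tmp.getsockname()[1]
    tmp.close()
    return open_port, closed_port


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, (state, banner) in scan(target, [21, 22, 25, 53, 80, 110, 143, 443, 3306, 8080]).items():
        print("%5d/tcp  %-9s %s" % (port, state, banner))
```

Run it with a host name on the command line to scan a handful of common ports. Note what a connect scan costs you: every open port gets a full connection, so the service on the other end logs it. nmap's default SYN scan (-sS) stops one step short of completing the handshake, which is why the application never sees it and why it needs raw sockets and root.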
Feel free to post your questions here. Any requests, send me a VM or reply to this thread. Good luck.