Differences

This shows you the differences between two versions of the page.

--- diy:network-recon [2024/06/08 00:59] – Humphrey Boa-Gart
+++ diy:network-recon [2024/08/06 05:48] (current) – external edit 127.0.0.1
@@ Line 3: / Line 3: @@
 So you have decided to investigate a web site. This could be for any of a multitude of reasons, all of which are Irrelevant to the purposes of this article. The point is, this hypothetical site and its staff are asking for it, and you are about to give it to them.
-Lets say this site is [[scanme.nmap.org]]. So where to begin? To even start to do anything, you need to run some basic tools to profile where this site intersects with the rest of the internet, and the real world.
+Lets say this site is, hypothetically, [[http://scanme.nmap.org|scanme.nmap.org]]. So where to begin? Before you can start to do anything (dox, attack, shut down, etc) you first need to run some basic tools. You have to profile where this site intersects with the rest of the internet, and the real world.
-===== IP Addresses =====
+===== Finding IP Addresses & DNS Info =====
-Every machine on the internet has an **IP address**. Every domain name resolves to an IP address. Domain names are only aliases for IP addresses because //whatever.com// is easier to remember than //187.158.173.109//. The inverse is not necessarily true. An IP may have no domain name pointing to it. Also note that several different sites under different domains may share an IP.
+Every machine (or **host**) on the internet has an **IP address**, and every domain name resolves to an IP address. Domain names are only aliases for IP addresses because //whatever.com// is easier to remember than //187.158.173.109//. The inverse is not necessarily true. An IP may have no domain name pointing to it.
-==== Finding IP Addresses ====
+Also note that several different sites under different domains **can share an IP**. Furthermore, different subdomains on the **same domain name** can resolve to //different IP addresses//.
-There are a handful of basic commands in *nix/Windows/MacOS that can reveal a site's IP address.
+There are a handful of basic commands in *nix/Windows/MacOS that can reveal a site's IP address. Note that all of these commands will require [[tools:bash|Terminal]] or [[tools:powershell|PowerShell]].
-===== Old Article Remnants =====
+==== ping ====
-The [[https://addons.mozilla.org/en-US/firefox/addon/590|ShowIP]] Firefox extension displays a site's IP address in the Firefox statusbar, and the extension works on Windows and Linux. Read: If you aren't a macfag, just use it.
+The classic ''ping'' command works on pretty much everyone's machine, without having to install anything. It functions by sending a simple echo request to the IP address or domain name specified, and waiting to receive a reply back. While this command is most useful for diagnosing connection issues, a ping will also reveal the host IP address for a given domain:
-  * nix, OS X
+  $ ping scanme.nmap.org
-januszeal@sumomo ~ $ host www.google.com www.google.com is an alias for www.l.google.com. www.l.google.com has address 74.125.47.99 www.l.google.com has address 74.125.47.103 www.l.google.com has address 74.125.47.104 www.l.google.com has address 74.125.47.147
+With the IP in the response:
-or
+  PING scanme.nmap.org (45.33.32.156) 56(84) bytes of data.
+bytes from scanme.nmap.org (45.33.32.156): icmp_seq=1 ttl=52 time=84.4 ms
+bytes from scanme.nmap.org (45.33.32.156): icmp_seq=2 ttl=52 time=83.6 ms
+bytes from scanme.nmap.org (45.33.32.156): icmp_seq=3 ttl=52 time=89.7 ms
+What if we send a ping to the root domain?
-chance@AMD64:~$ dig www.google.com
+  $ ping nmap.org
+  PING nmap.org (50.116.1.184) 56(84) bytes of data.
+bytes from ack.nmap.org (50.116.1.184): icmp_seq=1 ttl=53 time=84.7 ms
+bytes from ack.nmap.org (50.116.1.184): icmp_seq=2 ttl=53 time=90.6 ms
+bytes from ack.nmap.org (50.116.1.184): icmp_seq=3 ttl=53 time=86.6 ms
-<<>> DiG 9.5.0-P2 <<>> www.google.com
+It reveals that Nmap's home page and ScanMe service run on two separate IP addresses! This is incredibly useful knowledge, for anyone conducting hypothetical attacks on Nmap's servers.
-global options
-printcmd
-Got answer
-->>HEADER<<- opcode
-QUERY, status: NOERROR, id: 48731
-flags
-qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
-QUESTION SECTION
-www.google.com. IN A
-ANSWER SECTION
-www.google.com. 42327 IN CNAME www.l.google.com. www.l.google.com. 94 IN A 209.85.225.103 www.l.google.com. 94 IN A 209.85.225.99 www.l.google.com. 94 IN A 209.85.225.147 www.l.google.com. 94 IN A 209.85.225.104
-Query time
+==== nslookup ====
-msec
-SERVER
-.10.256.1#53(10.10.256.1)
-WHEN
-Tue Mar 24 22:30:27 2009
-MSG SIZE rcvd
-   * Windows
-C:\Documents and Settings\janus zeal>ping www.lulzhost.net
-Pinging www.lulzhost.net [209.62.62.138] with 32 bytes of data:
+Another commonly bundled cross-platform command, ''nslookup'' checks DNS records to find the IP address formally associated with a given domain:
-Reply from 209.62.62.138: bytes=32 time=40ms TTL=50 Reply from 209.62.62.138: bytes=32 time=44ms TTL=50 Reply from 209.62.62.138: bytes=32 time=38ms TTL=50
+  $ nslookup scanme.nmap.org
+  Non-authoritative answer:
+  Name:	scanme.nmap.org
+  Address: 45.33.32.156
+  Name:	scanme.nmap.org
+  Address: 2600:3c01::f03c:91ff:fe18:bb2f
-PINGING A HOST WILL NOT CAUSE ANY KIND OF HARM TO IT, STOP TRYING TO TAKE DOWN SITES BY PINGING THEM YOU FUCKING RETARDS.
+You can also use it to find a hostname associated with a given IP address:
-Hmm... The FireFox extension FoxyFlag may be interesting. It supposedly gives you a site's IP, although when I did on google it gave me 64.233.161.147
+  $ nslookup 45.33.32.156
+.32.33.45.in-addr.arpa	name = scanme.nmap.org.
-   * That is correct, however I find Domain Details to be a better add-on janus zealtalkwat 01:54, 8 July 2008 (UTC)
+[[https://www.cloudns.net/blog/10-most-used-nslookup-commands/|Click here]] to read more ''nslookup'' command examples.
-===== Web hosting =====
+==== host ====
-Every site is being hosted on someone's server. Finding out which company hosts a site is a good way to find out what kind of bandwidth packages they have, etc.
+Sorry Windows users, but this one is for *nix systems (Unix, Linux, BSD, MacOS). The ''host'' command (much like ''nslookup'') is a quick way look up DNS information on domains and IP addresses:
-==== Finding domain name registrar ====
+  $ host scanme.nmap.org
+  scanme.nmap.org has address 45.33.32.156
+  scanme.nmap.org has IPv6 address 2600:3c01::f03c:91ff:fe18:bb2f
+  $ host 45.33.32.156
+.32.33.45.in-addr.arpa domain name pointer scanme.nmap.org.
-  * go here http://whois.domaintools.com/
+Things we already knew. But what if we run ''host'' on the root domain?
-  * Enter the domain name
-  * look for Registrar
-=== *nix based systems ===
+  $ host nmap.org
+  nmap.org has address 50.116.1.184
+  nmap.org has IPv6 address 2600:3c01:e000:3e6::6d4e:7061
+  nmap.org mail is handled by 1 aspmx.l.google.com.
+  nmap.org mail is handled by 5 alt1.aspmx.l.google.com.
+  nmap.org mail is handled by 5 alt2.aspmx.l.google.com.
+  nmap.org mail is handled by 10 aspmx2.googlemail.com.
+  nmap.org mail is handled by 10 aspmx3.googlemail.com.
+  $ host 50.116.1.184
+.1.116.50.in-addr.arpa domain name pointer ack.nmap.org.
-On all *nix based systems it's pretty easy to find out any available details about a domain. That's what the command 'whois' is for. Every domain registrar runs a whois database for the domains it is hosting. Their database usually contains information about the owner of the domain, a technical and an administrative contact including addresses of them (admins doing semi-legal/illegal things may lie on these forms). Some registrars require that the administrative contact is a natural person, not an organization. Some domain owners subscribe to privacy services (such as Domains by Proxy) in which case you will have to try another way to get the information.
+A treasure trove of information. Turns out the Nmap project is using [[https://workspace.google.com|Google Workspace]] to manage their email and who knows what else. Wild!
-Usage example:
+==== dig ====
-  $ whois partyvan.info
+Another popular *nix utility is the ''dig'' command:
-==== Finding host ====
+  $ dig scanme.nmap.org
-Once you have an IP address, you can find out who is hosting a site.
+Which reveals the IP address in the "Answer Section":
-  * go here [[https://www.ripe.net/db/whois.html]]
+  ;; ANSWER SECTION:
-  * enter IP address
+  scanme.nmap.org.	1943	IN	A	45.33.32.156
-  * look for OrgName
-  * ???
+You can force ''dig'' to use specific DNS servers, instead of your local default. For example, to query [[https://quad9.net|Quad9]] about Nmap, you would run:
-  * PROFIT!
+  $ dig @9.9.9.9 scanme.nmap.org
+It can also do reverse DNS lookups:
+  $ dig -x 45.33.32.156
+  ...
+  ;; QUESTION SECTION:
+  ;156.32.33.45.in-addr.arpa.	IN	PTR
+  ;; ANSWER SECTION:
+.32.33.45.in-addr.arpa. 300	IN	PTR	scanme.nmap.org.
+Read more [[https://phoenixnap.com/kb/linux-dig-command-examples|dig command examples]].
+===== WHOIS =====
+[[wp>WHOIS]] is a query and response protocol that is used for querying databases that store an Internet resource's registered users or assignees. These resources include domain names, IP address blocks and autonomous systems, but it is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format.
+WHOIS lookups are a great way to find out more information about a web site or IP address. They can clue you in to who the target uses for a host or domain registrar, geographic locations, and sometimes even the real-world names & addresses of the site owners or administrators. WHOIS lookups are a necessary fundamental skill for  {{tagpage>recon}} and [[tactics:dox|doxxing]].
+==== Domain Information ====
+**WHOIS** lookups are extremely easy to do. That's what the ''whois'' command is for. Every domain registrar runs a WHOIS database for the domains it is hosting. These databases usually contain information about the owner & assigned contacts of the domain, such as email, phone, and street address. Keep in mind that some domain owners will lie about this, which can be grounds for domain suspension, but it is hardly enforced. Some domain owners subscribe to privacy services (such as **Domains by Proxy** or **Withheld for Privacy**) in which case you will have to try another way to get the information.
+''whois'' generally doesn't like being run against subdomains, so you will have to point it at the root domain:
+  $ whois nmap.org
+The lengthy results of this command (which we will not paste here) reveal that Nmap does in fact use one of the aforementioned domain privacy services. It also shows that they use [[https://www.dynadot.com|Dynadot]] as a domain registrar, which in turn points to [[https://linode.com|Linode's nameservers]], revealing two more of their service providers.
+==== More IP Information ====
+''whois'' can be run against IP addresses as well:
+  $ whois 45.33.32.156
+Running ''whois'' against either of Nmap's IP addresses brings up more information about Nmap's host, including the email address to send abuse and DMCA shutdown notices to. (Very exploitable.)
+===== Browser Based Tools =====
+If you don't have access to the command line, there are a handful of sites you can use for DNS & WHOIS lookups in your browser:
+  * [[https://whois.domaintools.com|DomainTools]]
+  * [[https://lookup.icann.org/en|ICANN Lookup]]
+  * [[https://www.whois.com/whois/|Whois.com]]
+  * [[https://nslookup.io|NsLookup.io]]
+===== More Things You Can Do =====
+Congratulations! You have now done the absolute bare minimum it takes to profile a web site. But what to do with this information? There are several directions in which you can proceed:
+  * You can compile the info you found into [[tactics:dox|a dox file]] for the target.
+  * You can [[arms:nmap|run a port scan]] on the host(s) to further profile the server environment(s) of the target.
 {{tag>Tutorials Recon}}

User Tools

Site Tools

Differences