Network Recon 101
So you have decided to investigate a web site. This could be for any of a multitude of reasons, all of which are irrelevant to the purposes of this article. The point is, this hypothetical site and its staff are asking for it, and you are about to give it to them.
Let's say this site is scanme.nmap.org. So where to begin? To even start to do anything, you need to run some basic tools to profile where this site intersects with the rest of the internet, and the real world.
Finding IP Addresses & Other Basic Info
Every machine on the internet has an IP address, and every domain name resolves to an IP address. Domain names are only aliases for IP addresses because whatever.com is easier to remember than 187.158.173.109. The inverse is not necessarily true. An IP may have no domain name pointing to it.
Also note that several different sites under different domains may share an IP. Furthermore, different subdomains on the same domain name may resolve to different IP addresses.
There are a handful of basic commands in *nix/Windows/MacOS that can reveal a site's IP address. Note that all of these commands will require Terminal or PowerShell.
ping
The classic ping command works on pretty much everyone's machine, without having to install anything. It functions by sending an echo request to the IP address or domain name specified, and waiting to receive a reply back. While this command is most useful for diagnosing connection issues, it will also reveal the IP address for a domain:
$ ping scanme.nmap.org
With the IP in the response:
PING scanme.nmap.org (45.33.32.156) 56(84) bytes of data.
64 bytes from scanme.nmap.org (45.33.32.156): icmp_seq=1 ttl=52 time=84.4 ms
64 bytes from scanme.nmap.org (45.33.32.156): icmp_seq=2 ttl=52 time=83.6 ms
64 bytes from scanme.nmap.org (45.33.32.156): icmp_seq=3 ttl=52 time=89.7 ms
What if we send a ping to the root domain?
$ ping nmap.org
PING nmap.org (50.116.1.184) 56(84) bytes of data.
64 bytes from ack.nmap.org (50.116.1.184): icmp_seq=1 ttl=53 time=84.7 ms
64 bytes from ack.nmap.org (50.116.1.184): icmp_seq=2 ttl=53 time=90.6 ms
64 bytes from ack.nmap.org (50.116.1.184): icmp_seq=3 ttl=53 time=86.6 ms
It reveals that Nmap's home page and ScanMe service run on two separate IP addresses! This is incredibly useful knowledge for anyone conducting hypothetical attacks on Nmap's servers.
nslookup
Another commonly bundled cross-platform command, nslookup checks DNS records to find the IP address of a given domain:
$ nslookup scanme.nmap.org
Non-authoritative answer:
Name:    scanme.nmap.org
Address: 45.33.32.156
Name:    scanme.nmap.org
Address: 2600:3c01::f03c:91ff:fe18:bb2f
You can also use it to find a hostname associated with a given IP address:
$ nslookup 45.33.32.156
156.32.33.45.in-addr.arpa name = scanme.nmap.org.
host
Sorry Windows users, but this one is for *nix systems (Unix, Linux, BSD, MacOS). The host command (much like nslookup) is a quick way to look up DNS information on domains and IP addresses:
$ host scanme.nmap.org
scanme.nmap.org has address 45.33.32.156
scanme.nmap.org has IPv6 address 2600:3c01::f03c:91ff:fe18:bb2f
$ host 45.33.32.156
156.32.33.45.in-addr.arpa domain name pointer scanme.nmap.org.
Things we already knew. But what if we run host on the root domain?
$ host nmap.org
nmap.org has address 50.116.1.184
nmap.org has IPv6 address 2600:3c01:e000:3e6::6d4e:7061
nmap.org mail is handled by 1 aspmx.l.google.com.
nmap.org mail is handled by 5 alt1.aspmx.l.google.com.
nmap.org mail is handled by 5 alt2.aspmx.l.google.com.
nmap.org mail is handled by 10 aspmx2.googlemail.com.
nmap.org mail is handled by 10 aspmx3.googlemail.com.
$ host 50.116.1.184
184.1.116.50.in-addr.arpa domain name pointer ack.nmap.org.
A treasure trove of information. Turns out the Nmap project is using Google Workspace to manage their email and who knows what else. Wild!
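The lookups above are easy to eyeball for one name, but the question you actually care about ("does the subdomain live on the same hosts as the root domain, and what does reverse DNS call those hosts?") is worth automating. This is an added example, not code from the original page: it parses the line formats host(1) prints (the sample text below is constructed from the output shown above) and compares a subdomain against its parent.

```python
import re
from collections import defaultdict

# Constructed sample: the host(1) lines this page shows for the two names,
# embedded here so the script runs offline.
HOST_OUTPUT = """\
scanme.nmap.org has address 45.33.32.156
scanme.nmap.org has IPv6 address 2600:3c01::f03c:91ff:fe18:bb2f
nmap.org has address 50.116.1.184
nmap.org has IPv6 address 2600:3c01:e000:3e6::6d4e:7061
nmap.org mail is handled by 1 aspmx.l.google.com.
nmap.org mail is handled by 5 alt1.aspmx.l.google.com.
156.32.33.45.in-addr.arpa domain name pointer scanme.nmap.org.
184.1.116.50.in-addr.arpa domain name pointer ack.nmap.org.
"""

# One pattern per line shape host(1) prints.
LINE_SHAPES = [
    ("A",    re.compile(r"^(\S+) has address (\S+)$")),
    ("AAAA", re.compile(r"^(\S+) has IPv6 address (\S+)$")),
    ("MX",   re.compile(r"^(\S+) mail is handled by (\d+) (\S+)$")),
    ("PTR",  re.compile(r"^(\S+)\.in-addr\.arpa domain name pointer (\S+)$")),
]

def parse_host_output(text):
    """Map each name (or IP, for PTR lines) to {rtype: [values]}."""
    records = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        for rtype, pattern in LINE_SHAPES:
            m = pattern.match(line.strip())
            if not m:
                continue
            if rtype == "PTR":   # 156.32.33.45.in-addr.arpa -> 45.33.32.156
                ip = ".".join(reversed(m.group(1).split(".")))
                records[ip]["PTR"].append(m.group(2).rstrip("."))
            elif rtype == "MX":  # keep the preference so the order is visible
                records[m.group(1)]["MX"].append((int(m.group(2)), m.group(3).rstrip(".")))
            else:
                records[m.group(1)][rtype].append(m.group(2))
            break
    return records

def compare_hosts(records, sub, root):
    """Does the subdomain sit on the parent's hosts, and what does reverse DNS call it?"""
    sub_ips = set(records[sub]["A"]) | set(records[sub]["AAAA"])
    root_ips = set(records[root]["A"]) | set(records[root]["AAAA"])
    return {
        "shared_ips": sorted(sub_ips & root_ips),
        "sub_only_ips": sorted(sub_ips - root_ips),
        "sub_ptr_names": sorted(n for ip in sub_ips for n in records[ip]["PTR"]),
        "root_mx": sorted(records[root]["MX"]),
    }

if __name__ == "__main__":
    print(compare_hosts(parse_host_output(HOST_OUTPUT), "scanme.nmap.org", "nmap.org"))
```

Feed it real output with `host scanme.nmap.org nmap.org 45.33.32.156 50.116.1.184` piped into `parse_host_output` and the report tells you at a glance that the two names share no addresses.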
dig
Of the DNS tools, dig gives the fullest picture: the record types, TTLs, the CNAME chain, and which server actually answered.
chance@AMD64:~$ dig www.google.com

; <<>> DiG 9.5.0-P2 <<>> www.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48731
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com.         42327   IN      CNAME   www.l.google.com.
www.l.google.com.       94      IN      A       209.85.225.103
www.l.google.com.       94      IN      A       209.85.225.99
www.l.google.com.       94      IN      A       209.85.225.147
www.l.google.com.       94      IN      A       209.85.225.104

;; Query time: 2 msec
;; SERVER: 10.10.256.1#53(10.10.256.1)
;; WHEN: Tue Mar 24 22:30:27 2009
;; MSG SIZE  rcvd: 126
Web hosting
Every site is being hosted on someone's server. Finding out which company hosts a site is a good way to find out what kind of bandwidth packages they have, etc.
Finding domain name registrar
- Go to http://whois.domaintools.com/
- Enter the domain name
- Look for Registrar
*nix based systems
On all *nix based systems it's pretty easy to find out any available details about a domain. That's what the command 'whois' is for. Every domain registrar runs a whois database for the domains it is hosting. Their database usually contains information about the owner of the domain and a technical and an administrative contact, including their addresses (admins doing semi-legal/illegal things may lie on these forms). Some registrars require that the administrative contact is a natural person, not an organization. Some domain owners subscribe to privacy services (such as Domains by Proxy), in which case you will have to try another way to get the information.
Usage example:
$ whois partyvan.info
Finding host
Once you have an IP address, you can find out who is hosting a site.
- Enter the IP address (into the same whois lookup, or run whois on it)
- Look for OrgName
- ???
- PROFIT!
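Both whois steps (registrar and contacts for the domain, OrgName for the IP) come back as "Key: value" text, and the one thing you have to notice by hand is whether the registrant is a privacy service, since then the contact data tells you nothing. As an added example (not part of the original page), the parser below extracts those fields and flags that case; the sample whois answers are constructed, not real registry output.

```python
import re

# Constructed sample whois answers (not real registry output) in the
# key/value form registrars and RIRs print, embedded so this runs offline.
DOMAIN_WHOIS = """\
Domain Name: EXAMPLE-TARGET.INFO
Registrar: Example Registrar, LLC
Registrant Organization: Domains By Proxy, LLC
Registrant Email: example-target.info@domainsbyproxy.example
Admin Organization: Domains By Proxy, LLC
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
"""
IP_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-HOSTING-NET
OrgName:        Example Hosting Inc.
OrgId:          EXHOST
Country:        US
"""

# Registrant strings meaning "this contact is a privacy service, not the owner".
PRIVACY_MARKERS = ("domains by proxy", "proxy", "privacy", "redacted")

def whois_fields(text):
    """Parse 'Key: value' lines; repeated keys (e.g. Name Server) become lists."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w /-]*?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip(), []).append(m.group(2))
    return fields

def registrar_report(domain_text):
    """Registrar, name servers, and whether the owner hides behind a proxy."""
    f = whois_fields(domain_text)
    registrant = " ".join(f.get("Registrant Organization", [])).lower()
    return {
        "registrar": f.get("Registrar", [None])[0],
        "behind_privacy_service": any(w in registrant for w in PRIVACY_MARKERS),
        "name_servers": [ns.lower() for ns in f.get("Name Server", [])],
    }

def hosting_org(ip_text):
    """The OrgName step from the list above, plus the netblock it came from."""
    f = whois_fields(ip_text)
    return {"org": f.get("OrgName", [None])[0], "net": f.get("CIDR", [None])[0]}

if __name__ == "__main__":
    print(registrar_report(DOMAIN_WHOIS))
    print(hosting_org(IP_WHOIS))
```

When behind_privacy_service is true, the name servers are usually the next best lead, since they often point at the hosting provider even when the registrant is hidden.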
Find this page online at: https://bestpoint.institute/diy/network-recon