9555 CSS Exp5
Academic Year 2022-23
Practical No: 7
Estimated Time: 03 Hours
Title: Study the use of network reconnaissance tools like Ping, nslookup to gather
information about networks and domain registrars.
Lab Scenario:
An Internet-enabled desktop machine. This lab focuses on gathering data about target systems
using online resources and command-line utilities that query authoritative systems.
Lab Objective:
This lab provides insight into:
● The ping command and how to use it to gather information.
● The nslookup command and how to find the name servers for a domain.
● Analyzing domain and IP address queries to get information on a hostname, an IP address and
the domain registrant using Whois databases.
Lab Environment:
To carry out this lab you need:
● Administrative privileges to run tools.
● TCP/IP settings correctly configured and an accessible DNS server.
● A web browser with an Internet connection.
● An Ubuntu 14.04 machine with internet access and connected to a LAN network.
Lab Tasks:
1. PING
Ping is a computer network administration utility used to test the reachability of a host on an
Internet Protocol (IP) network and to measure the round-trip time for messages sent from the
originating host to a destination computer.
● Now find out the maximum frame size on the network. In the command prompt, type ping
www.certifiedhacker.com -f -l 1500.
● You receive "Packet needs to be fragmented but DF set". This means that the frame is too
large for the network and needs to be fragmented. Since we used the -f switch with the
ping command, the packet was not sent, and the ping command returned this error.
● Now ping again with the frame size reduced to 1300: ping www.certifiedhacker.com -f -l 1300.
● You can see that the maximum packet size is less than 1500 bytes and more than 1300 bytes.
● Try different values until you find the maximum frame size. For instance,
ping www.certifiedhacker.com -f -l 1453 replies with "Packet needs to be fragmented but
DF set" and ping www.certifiedhacker.com -f -l 1452 replies with a successful ping.
● This indicates that 1452 bytes is the maximum frame size on this machine's network.
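The trial-and-error search in the steps above, automated as an added example that is not part of the lab: a binary search between the size that replied (1300) and the size that needed fragmenting (1500), using the lab's -f -l flags on Windows or the iputils equivalent -M do -s on Ubuntu. The probe callback is an assumed interface so that a simulated link can stand in for ping; -l/-s set the ICMP data size, so 28 bytes of IPv4 and ICMP headers are added to get the path MTU.

```python
import subprocess
import sys

def ping_unfragmented(host, size, timeout=2):
    """Send one echo request of `size` data bytes with DF set and report
    whether a reply came back. Windows uses the lab's -f -l flags; Linux
    (iputils ping) uses -M do -s for the same effect."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", str(timeout * 1000),
               "-f", "-l", str(size), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout),
               "-M", "do", "-s", str(size), host]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.returncode == 0 and "needs to be fragmented" not in result.stdout

def find_max_ping_size(probe, low=1300, high=1500):
    """Binary search for the largest data size that `probe` delivers without
    fragmentation. `probe(size)` returns True on a successful ping (an assumed
    interface, so a simulated link can replace the real ping in tests).
    Starts from the lab's bracket: 1300 replied, 1500 needed fragmenting."""
    if not probe(low):
        raise ValueError(f"{low} bytes already needs fragmenting")
    if probe(high):
        return high          # bracket too small: the link accepts the upper bound
    while high - low > 1:    # invariant: probe(low) succeeds, probe(high) fails
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low

def path_mtu(max_data_size):
    """ICMP data bytes plus the 20-byte IPv4 header and 8-byte ICMP header."""
    return max_data_size + 28

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.certifiedhacker.com"
    best = find_max_ping_size(lambda n: ping_unfragmented(host, n))
    print(f"largest unfragmented ping data size: {best} bytes "
          f"(path MTU {path_mtu(best)})")
```

With the lab's numbers the search needs eight probes instead of walking through sizes one by one, and a link that drops 1300-byte pings is reported as an error rather than a bogus result.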
2. NSLOOKUP
The nslookup command is used to query internet name servers interactively for information.
nslookup stands for "name server lookup".
1. nslookup followed by the domain name will display the "A Record" ( IP Address ) of the
domain.
In the above output, "Server" refers to the IP address of the DNS server that answered. The section
below it provides the "A Record" ( IP Address ) of the domain "redhat.com".
The default output of the nslookup command is less cluttered than the default output of the dig
command. Some of you might be more comfortable using the dig command for DNS lookups.
2. Query the MX Record using -query=mx
An MX ( Mail Exchange ) record maps a domain name to a list of mail exchange servers for that
domain. The MX record tells that all mail sent to "@redhat.com" should be routed to a mail
server of that domain.
In the above example, we have 2 MX records for the domain "redhat.com". The number ( 5, 10 )
associated with each MX record indicates the preference of the mail server: the lower the number,
the higher the preference. So when mail is sent to "@redhat.com", the first preference will be
"mx1.redhat.com", then "mx2.redhat.com".
Authoritative Answer vs Non-Authoritative Answer
You may also have noticed the keywords "Authoritative Answer" and "Non-Authoritative Answer" in
the above output.
Any answer that originates from a DNS server which has the complete zone file information
available for the domain is said to be an authoritative answer.
In many cases, DNS servers will not have the complete zone file information available for a
given domain. Instead, they maintain a cache which holds the results of all queries performed in
the past for which they received an authoritative response. When a DNS query arrives, such a server
searches its cache and returns the information available as a "Non-Authoritative Answer".
3. Query the NS Record using -query=ns
An NS ( Name Server ) record maps a domain name to a list of DNS servers authoritative for that
domain. The query outputs the name servers which are associated with the given domain.
4. Query the SOA Record using -query=soa
The SOA ( start of authority ) record provides the authoritative information about the domain: the
e-mail address of the domain admin, the domain serial number, etc.
∙ mail addr – specifies the mail address of the domain admin ( [email protected] )
∙ serial – a revision numbering system. The standard convention is the "YYYYMMDDNN" format
( 2012-07-16 followed by 01; the 01 is incremented if more than one edit takes place on the
same day )
∙ refresh – specifies ( in seconds ) how often the secondary DNS polls the primary to see whether
the serial number has increased. If it has, the secondary makes a new request to copy the new
zone file.
∙ retry – specifies the interval ( in seconds ) at which the secondary retries connecting to the
primary DNS
∙ expire – specifies the time that the secondary DNS will keep the cached zone file as valid
∙ minimum – specifies the time that the secondary DNS should cache the zone file
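An added parser, not from the lab, for the MX, authoritative/non-authoritative and SOA output discussed in the sections above. It runs over constructed sample text in the layout nslookup prints on Linux; the redhat.com values are sample data written for the example, not the result of a real lookup.

```python
import re
from datetime import date

# Constructed sample output (not captured from a live query), laid out the way
# nslookup -query=mx / -query=soa print their answers on Linux.
MX_OUTPUT = """\
Server:\t\t192.168.1.1
Address:\t192.168.1.1#53

Non-authoritative answer:
redhat.com\tmail exchanger = 10 mx2.redhat.com.
redhat.com\tmail exchanger = 5 mx1.redhat.com.
"""

SOA_OUTPUT = """\
Non-authoritative answer:
redhat.com
\torigin = ns1.redhat.com
\tmail addr = noc.redhat.com
\tserial = 2012071601
\trefresh = 300
\tretry = 180
\texpire = 604800
\tminimum = 14400
"""

def is_authoritative(output):
    """Cached answers carry the 'Non-authoritative answer:' header; an answer
    from the zone's own name server (e.g. querying ns1.redhat.com) does not."""
    return "Non-authoritative answer:" not in output

def parse_mx(output):
    """Return (preference, host) pairs, lowest preference first: the order a
    sending mail server tries them. The trailing dot of the FQDN is dropped."""
    found = re.findall(r"mail exchanger = (\d+) (\S+?)\.?$", output, re.M)
    return sorted((int(pref), host) for pref, host in found)

def parse_soa(output):
    """Return the SOA fields as a dict; numeric fields (serial, timers) become ints."""
    fields = {}
    for key, value in re.findall(r"^\s+([a-z ]+?) = (\S+)$", output, re.M):
        fields[key] = int(value) if value.isdigit() else value
    return fields

def decode_serial(serial):
    """Split a YYYYMMDDNN serial into (date, revision); a serial that does not
    follow that convention (e.g. a Unix timestamp) raises ValueError."""
    s = str(serial)
    if len(s) != 10:
        raise ValueError(f"serial {s} does not use the YYYYMMDDNN convention")
    return date(int(s[:4]), int(s[4:6]), int(s[6:8])), int(s[8:])
```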
5. Query all records using -query=any
We can also view all the available DNS records using the -query=any option.
6. Reverse DNS lookup
You can also do a reverse DNS lookup by providing the IP address as the argument to nslookup.
Instead of using the default DNS server for querying, you can also specify a particular name
server to resolve the domain name.
In the above command, we have used ns1.redhat.com as the DNS server. Here you may
notice that we don't get any "Non-authoritative answer:" header, since ns1.redhat.com has all
the zone information of redhat.com.
By default, DNS servers use port number 53. If for any reason the port number has been
changed, we can specify the port number using the -port option.
You can change the default timeout to wait for a reply using -timeout option.
You can turn debugging on or off using the -debug option on the command line.
The debug mode displays the packet information exchanged during the search.
3. Whois databases
Whois is a widely used Internet record listing that contains the details of who owns a domain
name and how to get in touch with them. The contact details can be for either the domain's
registrar or the web hosting company providing space or storage for that specific website.
You can find multiple Whois lookup tools on the Internet - like everything else, the best tool
is the one that meets your needs or requirements. Sometimes we only need a couple of details
so any Whois lookup tool can do the job, but if you are looking for extensive information then
you should try using one with a good historical record.
Here is a short list of Whois lookup tools that you can use; we recommend trying them out and
using the one which you're most comfortable with.
http://who.godaddy.com/
http://whois.domaintools.com/
http://www.whois.net/
http://www.whois.sc/
http://dnsquery.org/
http://www.whoismydomain.eu/
All these tools are free; some of them may offer a subscription or paid plan in order to
get more features or solutions within that website. It's up to you to review whether those features
are helpful for what you want.
In addition to those websites, you can try finding an extension for your preferred web
browser.
Instructions
2. When the page has loaded completely, you will see an interface where you can
insert the domain name or IP address you need information about. [see Image 1]
Image 1. Main interface where you can insert the domain name or IP address. You can either
insert it into the small field at the top right or the large field with the yellow button in the middle.
3. Insert the domain name you want to find information about and press the yellow
"Lookup" button. For the sake of this guide, we are going to use our own domain name as
an example, www.microlancer.com. [see Image 2]
Image 3. Whois record tab with lots of details about the domain name.
If we take a look at the previous screenshot we can see that the Registrant is Envato Pty Ltd
and the Registrar is MarkMonitor.
The registrar is the company or commercial entity which registered the domain name, but that
doesn't necessarily mean that it is the same company currently hosting the website.
So the big question is: if I find my items being illegally distributed on a website, should I
contact the registrar or the web hosting company?
You should contact the registrar to report abuse if you are dealing with a case which
affects the domain name or trademark directly, for example typosquatting or URL hijacking
(e.g. www.microlancers.com).
You should contact the web hosting company to report a copyright infringement or any case
related to illegal use of your copyrighted work or illegal distribution on that specific website.
Remember the correct way to report your copyrighted work is by submitting a DMCA
takedown notice to the web hosting company which is providing storage or space to that
particular website.
You can find a full guide on how to send your own DMCA takedown notice by visiting the
following link: SENDING A DMCA TAKEDOWN NOTICE
So the next question is: how do I know which company is currently hosting the website that
is illegally distributing my items?
Considering the previous screenshot of the “Whois record” tab, if you scroll down to the
bottom of that page, you should be able to see something called “Name Server”.
A name server is a specialised computer/server on the Internet that handles DNS queries from
your local computer; these servers regularly carry the name of the company that
owns them, e.g. ns1.mediatemple.net (MediaTemple owns this server), ns2.godaddy.com
(GoDaddy owns this server).
Unlike the previous examples, these names can look a little more complicated, but there is always a
solution for this problem. Let's move on to step 5.
5. Press the "Server Stats" tab, and you'll see a new screen containing very
helpful information about the server or company providing the storage for that website. We
now have an IP address, ASN, IP location and the status of the domain. [see Image 4]
Image 4. Server Stats tab with additional information about the domain name.
6. In the previous screenshot we already have a clue about which company is hosting the
website: it's Amazon. We can see that by reading the ASN (Autonomous System Number)
line. But we should double check; we don't want to send a mistaken DMCA to Amazon.
Click on the link containing the IP address (54.225.218.100) and we'll get an extensive
report about the hosting company or the server associated with that IP address. [see Image
5]
Image 5. By clicking on the IP Address you can see more details about the company
currently hosting the website.
Congratulations! You now know that you must contact Amazon Web
Services (http://aws.amazon.com/) if you want to report a copyright infringement or illegal
distribution of your work happening on this website.
The purpose of this lab is to help you find more information about the specific company
which is hosting a website infringing your rights. This tool must be used responsibly;
sending a false or wrong report can have legal consequences.
4. tracert
TRACERT (Trace Route) is a command-line utility that you can use to trace the path
that an Internet Protocol (IP) packet takes to its destination.
MY RESULT: