Chapter 14: Network Reconnaissance Tools
Before they can do any real harm to you,
your computers, or your network, hackers have to do their homework. As we point
out several times in this book, information gathering is an essential first step
of a hacker’s attack plan. Although many of the tools throughout this book can
be used to gather important information about a system or network, the tools in
this chapter are fundamental and lay the groundwork for more sophisticated
tools.
Whois/Fwhois
Whois and fwhois are extremely simple but useful tools that query
particular “whois” databases for information about a domain name or an IP
address.
Whois servers are front ends to databases maintained by domain name
registries and registrars and, for address space, by the regional Internet
registries. A whois database can contain a plethora of information, but a
domain record typically holds the registrar, the authoritative name servers,
creation and expiration dates, and contact information, while an IP record
holds the address range, the organization it is allocated to, and that
organization's contacts.
Whois tools are usually installed by default on most Unix
distributions. For Windows systems, many of the port scanning tools discussed in
Chapter 4
include whois querying capabilities, such as NetScanTools and SuperScan.
Implementation
The whois command itself is simple.
The command takes the hostname of a whois server on the command line using a
-h flag. The rest of the command line is the query we
wish to send. The fwhois command (found on Linux
systems) takes the query first, with an optional @whois_server appended to it.
The following two commands are equivalent:

    bash% whois -h whois.alldomains.com yahoo.com

    bash% fwhois yahoo.com@whois.alldomains.com
The default whois server is usually whois.internic.net or
whois.crsnic.net. We can run a whois without specifying
a whois server to get basic information about the domain:

    bash-2.03$ whois yahoo.com

    Whois Server Version 1.3

    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    YAHOO.COM.TW
    YAHOO.COM.SG
    YAHOO.COM.BR
    YAHOO.COM.AU
    YAHOO.COM

    To single out one record, look it up with "xxx", where xxx is one of
    the records displayed above. If the records are the same, look them up
    with "=xxx" to receive a full display for each record.
In this example, we’ve discovered several matches for “yahoo.com.”
To obtain further information, we need to put an equal sign in front of our
target.
    bash-2.03$ whois "=YAHOO.COM"

    Whois Server Version 1.3

    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

       Domain Name: YAHOO.COM
       Registrar: ALLDOMAINS.COM INC.
       Whois Server: whois.alldomains.com
       Referral URL: http://www.alldomains.com
       Name Server: NS1.YAHOO.COM
       Name Server: NS5.YAHOO.COM
       Name Server: NS2.YAHOO.COM
       Name Server: NS3.YAHOO.COM
       Name Server: NS4.YAHOO.COM
       Status: REGISTRAR-LOCK
       Updated Date: 13-may-2003
       Creation Date: 18-jan-1995
       Expiration Date: 19-jan-2012
This tells us the name servers authoritative for the domain and
when the record was last updated, but it doesn't give us information such as
location or contacts. Thankfully, the Whois Server line is a referral to the
registrar's own whois server, which should have this information. So if we try
whois -h whois.alldomains.com yahoo.com, we should receive the same information we
received here, as well as contact and location information:
    Registrant:
       Yahoo! Inc. (DOM-272993)
       701 First Avenue
       Sunnyvale CA 94089
       US

    Domain Name: yahoo.com

    Registrar Name: Alldomains.com
    Registrar Whois: whois.alldomains.com
    Registrar Homepage: http://www.alldomains.com

    Administrative Contact:
       Domain Administrator (NIC-1382062)
       Yahoo! Inc.
       701 First Avenue
       Sunnyvale CA 94089
       US
       domainadmin@yahoo-inc.com
       +1.4083493300 Fax- +1.4083493301

    Technical Contact, Zone Contact:
       Domain Administrator (NIC-1372925)
       Yahoo! Inc.
       701 First Avenue
       Sunnyvale CA 94089
       US
       domainadmin@yahoo-inc.com
       +1.4083493300 Fax- +1.4083493301

    Created on..............: 1995-Jan-18.
    Expires on..............: 2012-Jan-19.
    Record last updated on..: 2003-Apr-07 10:42:46.

    Domain servers in listed order:

    NS4.YAHOO.COM   63.250.206.138
    NS5.YAHOO.COM   216.109.116.17
    NS1.YAHOO.COM   66.218.71.63
    NS2.YAHOO.COM   66.163.169.170
    NS3.YAHOO.COM   217.12.4.104
There’s a lot of information here! And we have e-mail addresses
for both the technical and administrative contacts. Notice, however, that Yahoo!
has been clever and has not put any real people’s names in its list of contacts.
This makes it more difficult for hackers to use social engineering tactics
against them. If a hacker knows the name and address of an organization’s
administrator, he might be able to use that information to coax other members of
the organization into revealing information they normally wouldn’t, either by
masquerading as the administrator or claiming that he’s working for the
administrator.
Is it a good idea to have all this information publicly available?
Well, much of it is necessary to keep the Internet running. And from an
administrative standpoint, if we're being port scanned or attacked by
"somesystem.some_loser.org," this information allows us to contact the SomeLoser
organization and complain. But what if we don't have a hostname in our logs?
What if we have only an IP address? Thankfully, the regional Internet
registries run whois servers that answer IP-based queries; for North American
address space that is ARIN's whois.arin.net:
    bash-2.03$ whois -h whois.arin.net 64.58.76.229

    Cable & Wireless DC2-1 (NET-64-58-64-0-1)       64.58.64.0 - 64.58.95.255
    Yahoo EC17-1-YAHOO1 (NET-64-58-76-0-1)          64.58.76.0 - 64.58.79.255
The entire network block containing this address is owned by Cable
& Wireless, but the smaller network this IP belongs to has been reallocated
to Yahoo!. We can use the network handle in parentheses (in this case
NET-64-58-76-0-1, the more specific of the two) to obtain information about the
organization that owns this IP. To do this, we use the command
whois -h whois.arin.net NET-64-58-76-0-1:
    OrgName:    Yahoo
    OrgID:      YHOO
    Address:    701 First Avenue
    City:       Sunnyvale
    StateProv:  CA
    PostalCode: 94089
    Country:    US

    NetRange:   64.58.76.0 - 64.58.79.255
    CIDR:       64.58.76.0/22
    NetName:    EC17-1-YAHOO1
    NetHandle:  NET-64-58-76-0-1
    Parent:     NET-64-58-64-0-1
    NetType:    Reallocated
    NameServer: NS1.YAHOO.COM
    NameServer: NS2.YAHOO.COM
    NameServer: NS3.YAHOO.COM
    NameServer: NS4.YAHOO.COM
    NameServer: NS5.YAHOO.COM
    Comment:
    RegDate:    2000-12-13
    Updated:    2002-03-29

    TechHandle: NA258-ARIN
    TechName:   Netblock Admin, Netblock
    TechPhone:  +1-408-349-7183
    TechEmail:  netblockadmin@yahoo-inc.com

    OrgTechHandle: NA258-ARIN
    OrgTechName:   Netblock Admin, Netblock
    OrgTechPhone:  +1-408-349-7183
    OrgTechEmail:  netblockadmin@yahoo-inc.com
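The two-step ARIN lookup above (summary listing, then the handle of the most specific block) is easy to get wrong by hand when an address sits under several nested allocations. The following is an added example, not code from the chapter: it parses a summary listing in the format shown above, picks the smallest range that actually contains the address, and cross-checks the CIDR and NetRange fields of the detailed record against each other. The two sample responses are constructed from the 64.58.76.229 output above and are assumptions about the layout; current ARIN output is formatted differently.

```python
"""Pick the most specific ARIN netblock for an address and sanity-check its record.

Added example, not code from the chapter. The sample texts are constructed
from the whois.arin.net output for 64.58.76.229 shown above; the regular
expression is written for that summary layout, which is an assumption."""
import ipaddress
import re

# Constructed sample: summary listing (parent allocation plus reallocated child).
ARIN_LISTING = """\
Cable & Wireless DC2-1 (NET-64-58-64-0-1)       64.58.64.0 - 64.58.95.255
Yahoo EC17-1-YAHOO1 (NET-64-58-76-0-1)          64.58.76.0 - 64.58.79.255
"""

# Constructed sample: abridged detailed record for NET-64-58-76-0-1.
ARIN_DETAIL = """\
OrgName:    Yahoo
OrgID:      YHOO
NetRange:   64.58.76.0 - 64.58.79.255
CIDR:       64.58.76.0/22
NetName:    EC17-1-YAHOO1
NetHandle:  NET-64-58-76-0-1
Parent:     NET-64-58-64-0-1
NetType:    Reallocated
TechEmail:  netblockadmin@yahoo-inc.com
"""

LISTING_RE = re.compile(r"""
    ^(?P<org>.+?)\s+                 # organisation / net name (lazy)
    \((?P<handle>NET-[\w-]+)\)\s+    # ARIN net handle in parentheses
    (?P<first>\d+\.\d+\.\d+\.\d+)\s*-\s*(?P<last>\d+\.\d+\.\d+\.\d+)\s*$
""", re.VERBOSE)


def parse_listing(text):
    """Return [(handle, org, (first_ip, last_ip)), ...] for each listing line."""
    blocks = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:
            rng = (ipaddress.ip_address(m["first"]), ipaddress.ip_address(m["last"]))
            blocks.append((m["handle"], m["org"], rng))
    return blocks


def most_specific_block(text, ip):
    """Handle of the smallest listed range containing ip, or None.

    ARIN lists the parent allocation and every reallocated child that covers
    the address; the smallest containing range is the one whose contacts
    actually administer the host, so that is the handle to re-query."""
    addr = ipaddress.ip_address(ip)
    containing = [b for b in parse_listing(text) if b[2][0] <= addr <= b[2][1]]
    if not containing:
        return None
    handle, _org, _rng = min(containing, key=lambda b: int(b[2][1]) - int(b[2][0]))
    return handle


def parse_detail(text):
    """Turn 'Key: value' lines of a detailed record into a dict (first value wins)."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and key.strip() not in rec:
            rec[key.strip()] = value.strip()
    return rec


def cidr_matches_range(rec):
    """Cross-check that the CIDR field spans exactly the NetRange field."""
    net = ipaddress.ip_network(rec["CIDR"], strict=False)
    first, last = (ipaddress.ip_address(x.strip()) for x in rec["NetRange"].split("-"))
    return net[0] == first and net[-1] == last


if __name__ == "__main__":
    handle = most_specific_block(ARIN_LISTING, "64.58.76.229")
    print("re-query with: whois -h whois.arin.net", handle)
    rec = parse_detail(ARIN_DETAIL)
    print(rec["OrgName"], rec["CIDR"], "CIDR/NetRange consistent:", cidr_matches_range(rec))
```

The containment test is what matters when a listing shows several blocks: the handle you want is the smallest range that still contains the address, not the first line printed.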
Following is a list of popular whois servers and their purposes.
Chances are that if these servers don’t know about your domain name or IP, one
of them will be able to tell you who does.
| Server | Purpose |
|---|---|
| whois.internic.net, whois.crsnic.net | Default whois servers; launching point for many other whois queries |
| whois.publicinterestregistry.net | New whois authority for .org domain names |
| whois.networksolutions.com | Server for customers who registered their domain names with Network Solutions |
| whois.opensrs.net | Another popular domain name registration service |
| whois.alldomains.com | Yet another popular registrar |
| whois.arin.net | Server from the American Registry for Internet Numbers; does IP-based whois queries |
| whois.apnic.net | Server for the Asia Pacific Network Information Center whois database |
| whois.ripe.net | Réseaux IP Européens; handles most of Europe |
| whois.ripn.net | Russian Network Information Center (for .ru and .su) |
| whois.nic.gov | US Government whois server (for .gov) |
| whois.nic.mil | Military (DoD) whois server (for .mil) |
More recent versions of whois are much more sophisticated
than older versions. For one, whois will now try to identify the proper whois
server depending on the target you provide. It does this by using the special
whois-servers.net domain. The DNS entries for this domain are aliases that
point to whois servers. For example, com.whois-servers.net points to whois.crsnic.net,
and org.whois-servers.net points to whois.publicinterestregistry.net. Each
top-level domain (.com, .org, .net, and so on) has an alias that points to the
proper authoritative whois server. This keeps users from having to remember all
of the specific whois server information we just discussed! Additionally, whois
will scan the output it receives from the default whois server looking for a
referral (such as whois.alldomains.com in our yahoo.com example) and
automatically perform the same whois query with the referral server. Whois on
FreeBSD even has command-line arguments to save typing (such as -a as a shortcut for -h whois.arin.net).
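The behaviour this paragraph describes, together with the manual walk-through in the Implementation section (server chosen with -h, the "=" exact-match retry, the Whois Server referral), is a small protocol: connect to TCP port 43, send the query followed by CRLF, read until the server closes. The following is an added example, not code from the chapter or from any whois implementation: a client that derives the start server from the whois-servers.net alias (or uses whois.arin.net for an IP literal), retries with "=" when the registry returns a list of similar names, follows one referral chain, and stops if a referral loops. MAX_HOPS, the canned replies (abridged from the yahoo.com session above) and the canned_query stand-in are assumptions made for the example.

```python
"""Minimal whois client: server from whois-servers.net (ARIN for an IP literal),
TCP/43 exchange (query + CRLF, read to EOF), "=" exact-match retry when the
registry lists several similar names, and "Whois Server:" referral following.
Added example, not code from the chapter; MAX_HOPS and the canned replies at
the bottom (abridged from the yahoo.com session above) are assumptions."""
import ipaddress
import socket
import sys

WHOIS_PORT = 43
MAX_HOPS = 4  # a referral can point back at the registry; bound the chain


def default_server(target):
    """ARIN for an IP literal, otherwise <tld>.whois-servers.net, the alias
    that resolves to the top-level domain's registry whois server."""
    try:
        ipaddress.ip_address(target)
        return "whois.arin.net"
    except ValueError:
        tld = target.rstrip(".").rsplit(".", 1)[-1].lower()
        return f"{tld}.whois-servers.net"


def whois_query(server, query, timeout=10.0):
    """One protocol exchange: send the query terminated by CRLF, then read
    until the server closes; there is no framing beyond EOF."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii", "ignore") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def find_referral(text):
    """Server named on a 'Whois Server:' line, lower-cased, or None."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "whois server" and value.strip():
            return value.strip().lower()
    return None


def is_match_listing(text, target):
    """True when the registry answered with a bare list of similar names
    (YAHOO.COM.TW, YAHOO.COM, ...) instead of a 'Domain Name:' record."""
    lines = [l.strip().upper() for l in text.splitlines() if l.strip()]
    has_record = any(l.startswith("DOMAIN NAME:") for l in lines)
    similar = [l for l in lines if l.startswith(target.upper())]
    return not has_record and len(similar) > 1


def lookup(target, query_fn=whois_query):
    """Return [(server, query, response), ...] for the whole chain.
    query_fn is injectable so the logic can run on canned responses."""
    server, query, seen, transcript = default_server(target), target, set(), []
    for _ in range(MAX_HOPS):
        if server in seen:  # referral loop: stop rather than spin
            break
        seen.add(server)
        text = query_fn(server, query)
        transcript.append((server, query, text))
        if is_match_listing(text, target):
            query = "=" + target.upper()  # single out the exact record
            seen.discard(server)  # re-asking the same server is intended here
            continue
        referral = find_referral(text)
        if not referral or referral == server:
            break
        server, query = referral, target  # the registrar takes the plain name
    return transcript


# Constructed replies, abridged from the chapter's yahoo.com session.
REGISTRY_LISTING = ("Whois Server Version 1.3\n\nYAHOO.COM.TW\nYAHOO.COM.SG\n"
                    "YAHOO.COM\n\nTo single out one record, look it up with \"xxx\".\n")
REGISTRY_RECORD = ("Whois Server Version 1.3\n\n   Domain Name: YAHOO.COM\n"
                   "   Registrar: ALLDOMAINS.COM INC.\n"
                   "   Whois Server: whois.alldomains.com\n"
                   "   Name Server: NS1.YAHOO.COM\n")
REGISTRAR_RECORD = ("Registrant:\n    Yahoo! Inc. (DOM-272993)\n"
                    "Domain Name: yahoo.com\nRegistrar Whois: whois.alldomains.com\n"
                    "Administrative Contact: domainadmin@yahoo-inc.com\n")
CANNED = {
    ("com.whois-servers.net", "yahoo.com"): REGISTRY_LISTING,
    ("com.whois-servers.net", "=YAHOO.COM"): REGISTRY_RECORD,
    ("whois.alldomains.com", "yahoo.com"): REGISTRAR_RECORD,
}


def canned_query(server, query):
    """Offline stand-in for whois_query, keyed on (server, query)."""
    return CANNED[(server, query)]


if __name__ == "__main__":
    # No argument: replay the canned session; with an argument: ask the network.
    target = sys.argv[1] if len(sys.argv) > 1 else "yahoo.com"
    for server, query, text in lookup(target, whois_query if len(sys.argv) > 1 else canned_query):
        print(f"=== {server} <- {query}\n{text}")
```

Two design points are worth noting. Responses are plain text with no agreed structure, so the referral and match-listing heuristics are written against the registry format shown above and will need adjusting for other servers. And because a referral is just a hostname in the reply, the client bounds the chain and refuses to revisit a server, which keeps a misconfigured or hostile referral from sending it round in circles.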