Chapter 14: Network Reconnaissance Tools
One of the precursors to a
targeted attack on your network is the collection of information related to its
footprint, or its points of presence on the Internet. As mentioned several times
in this book, information gathering is an essential first step of a hacker's
attack plan. Although many of the tools throughout this book can be used to
enumerate important information about a system or network, the tools in this
chapter perform fundamental queries and lay the groundwork for more
sophisticated tools. In many cases, these tools gather information from sources
that are not directly associated with the target network. This makes it more
difficult to determine if or when someone is "casing" the network.
WHOIS/FWHOIS
Whois and fwhois are extremely simple but useful tools that
query particular "whois" databases for information about a domain name or an IP
address.
Whois servers are databases maintained by the domain name registries and
registrars and by the regional Internet registries (such as ARIN) that hand out
IP address space. A whois database holds a wealth of information, the most
useful of which is the location, contact information, and name servers for each
domain under its authority, or the owner and address range of each network block.
Whois tools are usually installed by default on most Unix
distributions. Windows users can gain identical functionality through the Cygwin
environment.
Tip
Linux users may find the bw-whois command
(available as an RPM or package for most systems) more useful than the system
whois command.
Implementation
The whois command itself is simple. The command
takes the hostname of a whois server on the command line using a -h
flag. The rest of the command indicates the query we wish to send. The
fwhois command (found on Linux systems) has the query specified first,
with the optional @whois_server specified at the end.
This command,
bash% whois -h whois.alldomains.com yahoo.com
is the same as
bash% fwhois yahoo.com@whois.alldomains.com
The default whois server is usually whois.internic.net or whois.crsnic.net. We can run a whois
without specifying a whois server to get basic information about the domain:
[Paris:~] mike% whois yahoo.com
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic
.net for detailed information.
YAHOO.COM.ZZZZ.DNSW.COM
YAHOO.COM.WANADOODOO.COM
YAHOO.COM.TWIXTEARS.COM
YAHOO.COM.TW
YAHOO.COM.TACTICALBATON.COM
YAHOO.COM.SG
YAHOO.COM.PURRFURRED.COM
YAHOO.COM.OPTIONSCORNER.COM
YAHOO.COM.IS.N0T.AS.1337.AS.SEARCH.GULLI.COM
YAHOO.COM.DALLARIVA.COM
YAHOO.COM.BR
YAHOO.COM.BERKELEYNATURALBEAUTIES.COM
YAHOO.COM.AU
YAHOO.COM
To single out one record, look it up with "xxx", where xxx is one
of the records displayed above. If the records are the same,
look them up with "=xxx" to receive a full display for each record.
>>> Last update of whois database: Fri, 23 Sep 2005 14:02:50 EDT <<<
In this example, we've discovered several matches for "yahoo.com." The
registry returns every record that begins with the string we typed, and most of
these are name-server host records that other registrants have created under
names starting with yahoo.com. To obtain further information about the domain
itself, we need to put an equal sign in front of our target.
[Paris:~] mike% whois =yahoo.com
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic
.net for detailed information.
Domain Name: YAHOO.COM
Registrar: EMARKMONITOR INC. DBA MARKMONITOR
Whois Server: whois.markmonitor.com
Referral URL: http://www.markmonitor.com
Name Server: NS1.YAHOO.COM
Name Server: NS5.YAHOO.COM
Name Server: NS2.YAHOO.COM
Name Server: NS3.YAHOO.COM
Name Server: NS4.YAHOO.COM
Status: REGISTRAR-LOCK
Updated Date: 22-jul-2005
Creation Date: 18-jan-1995
Expiration Date: 19-jan-2012
This tells us the name
servers authoritative for the domain and when the record was last updated, but
it doesn't give us information such as location or contacts. Thankfully, there's
a referral to another whois server that should have this information. So if we
try whois -h whois.markmonitor.com yahoo.com, we should
receive the same information we received here, as well as contact and location
information. The Status line is also worth a glance: REGISTRAR-LOCK means the
registrar will refuse transfer requests for the domain until the lock is lifted,
which is the state you want your own domains in.
Registrant:
Yahoo! Inc.
(DOM-272993)
701 First Avenue Sunnyvale
CA
94089 US
Domain Name: yahoo.com
Registrar Name: Markmonitor.com
Registrar Whois: whois.markmonitor.com
Registrar Homepage: http://www.markmonitor.com
Administrative Contact:
Domain Administrator
(NIC-1382062)
Yahoo! Inc.
701 First Avenue Sunnyvale
CA
94089 US
domainadmin@yahoo-inc.com +1.4083493300 Fax- +1.4083493301
Technical Contact, Zone Contact:
Domain Administrator
(NIC-1372925)
Yahoo! Inc.
701 First Avenue Sunnyvale
CA
94089 US
domainadmin@yahoo-inc.com +1.4083493300 Fax- +1.4083493301
Created on.............. : 1995-Jan-18.
Expires on.............. : 2012-Jan-19.
Record last updated on..: 2005-Aug-11 15:05:12.
Domain servers in listed order:
NS4.YAHOO.COM
NS5.YAHOO.COM
NS1.YAHOO.COM
NS2.YAHOO.COM
NS3.YAHOO.COM
There's a lot of information here! And we have e-mail addresses
for both the technical and administrative contacts. Notice, however, that Yahoo!
has been clever and has not put any real people's names in
its list of contacts. This makes it more difficult for hackers to use social
engineering tactics against them. If a hacker knows the name and address of an
organization's administrator, he might be able to use that information to coax
other members of the organization into revealing information they normally
wouldn't, either by masquerading as the administrator or claiming that he's
working for the administrator.
Is it a good idea to have all this information publicly available?
Well, much of it is necessary to keep the Internet running. From one
perspective, this information enables an administrator to contact someone at an
organization or network from which some port scan or attack has originated. But
what if we don't have a hostname in our logs? We're more likely to only have an
IP address in the logfile. Thankfully, there's a whois server that handles
IP-based queries.
If we're interested in a particular IP address, then we query the
whois.arin.net server. This server maps IP addresses to network blocks.
[Paris:~] mike% whois -h whois.arin.net 66.94.234.13
OrgName: Yahoo!
OrgID: YAOO
Address: 701 First Ave
City: Sunnyvale
StateProv: CA
PostalCode: 94089
Country: US
NetRange: 66.94.224.0 - 66.94.255.255
CIDR: 66.94.224.0/19
NetName: YAHOO-3
NetHandle: NET-66-94-224-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.YAHOO.COM
NameServer: NS2.YAHOO.COM
Comment:
RegDate: 2003-07-17
Updated: 2005-05-20
OrgAbuseHandle: NETWO857-ARIN
OrgAbuseName: Network Abuse
OrgAbusePhone: +1-408-349-3300
OrgAbuseEmail: network-abuse@cc.yahoo-inc.com
OrgTechHandle: NA258-ARIN
OrgTechName: Netblock Admin
OrgTechPhone: +1-408-349-3300
OrgTechEmail: netblockadmin@yahoo-inc.com
We can also look up network block handles to track down ownership.
In the previous example, Yahoo! is listed as the owner of the 66.94.224.0/19
range, which corresponds to the NET-66-94-224-0-1
network block. We could also check out the Parent block, NET-66-0-0-0-0.
[Paris:~] mike% whois -h whois.arin.net NET-66-0-0-0-0
OrgName: American Registry for Internet Numbers
OrgID: ARIN
Address: 3635 Concorde Parkway, Suite 200
City: Chantilly
StateProv: VA
PostalCode: 20151
Country: US
NetRange: 66.0.0.0 - 66.255.255.255
CIDR: 66.0.0.0/8
NetName: NET66
NetHandle: NET-66-0-0-0-0
Parent:
NetType: Allocated to ARIN
NameServer: chia.arin.net
NameServer: dill.arin.net
NameServer: epazote.arin.net
NameServer: figwort.arin.net
NameServer: BASIL.ARIN.NET
NameServer: henna.arin.net
NameServer: indigo.arin.net
Comment:
RegDate: 2000-07-01
Updated: 2004-07-22
OrgNOCHandle: ARINN-ARIN
OrgNOCName: ARIN NOC
OrgNOCPhone: +1-703-227-9840
OrgNOCEmail: noc@arin.net
OrgTechHandle: ARIN-HOSTMASTER
OrgTechName: Registration Services Department
OrgTechPhone: +1-703-227-0660
OrgTechEmail: hostmaster@arin.net
Following is a list of popular whois servers and their purposes.
Chances are that if these servers don't know about your domain name or IP, one
of them will be able to tell you who does.
Server                              Purpose
whois.internic.net,                 Default whois servers; launching point for many other
whois.crsnic.net                    whois queries
whois.publicinterestregistry.net    New whois authority for .org domain names
whois.networksolutions.com          Server for customers who registered their domain names
                                    with Network Solutions
                                    Another popular domain name registration service
                                    Yet another popular registrar
whois.arin.net                      American Registry for Internet Numbers; IP-based whois
                                    queries (North America)
whois.apnic.net                     Asia Pacific Network Information Centre whois database
whois.ripe.net                      Réseaux IP Européens; handles most of Europe
whois.ripn.net                      Russian Network Information Center (for .ru and .su)
whois.nic.gov                       U.S. Government whois server (for .gov)
whois.nic.mil                       Military (U.S. Department of Defense) whois server (for .mil)
More recent versions of whois are much more sophisticated
than older versions. For one, whois will now try to identify the proper whois
server depending on the target you provide. It does this by using the special
whois-servers.net domain. The DNS entries for this domain are actually pointers
(CNAME records) to whois servers. For example, com.whois-servers.net points to
whois.crsnic.net, and org.whois-servers.net points to
whois.publicinterestregistry.net. Each top-level domain (.com, .org, .net, and
so on) has an alias that points to the proper authoritative whois server. This
keeps users from having to remember all of the specific whois server information
we just discussed! Additionally, whois will scan the output it receives from the
default whois server looking for a referral (such as the "Whois Server:
whois.markmonitor.com" line in our yahoo.com example) and automatically perform
the same whois query with the referral server. Whois on FreeBSD even has
command-line arguments to save typing (such as using -a as a shortcut for
-h whois.arin.net). Keep in mind that every server in the chain sees your query
and your source address, and that each server formats its answer differently, so
anything that parses whois output has to tolerate more than one layout.
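The procedure the chapter has just walked through, as an added example rather than code from the book or from the whois/fwhois projects: a small Python client that picks a starting server from the query type (<tld>.whois-servers.net for domain names, whois.arin.net for IP addresses and NET- handles), speaks the whois protocol as RFC 3912 defines it (TCP port 43, one query line plus CRLF, read until the server closes the connection), follows the "Whois Server:" referral the way a modern whois does, and collects the "Key: value" lines. The regular expressions and the server-selection rules are this example's assumptions about what whois servers return, not something the chapter specifies; the canned responses are trimmed from the yahoo.com and 66.94.234.13 output shown above so the script also runs with no network access.

```python
"""Minimal whois client in the shape this chapter describes: pick a server,
send the query over TCP/43 (RFC 3912), follow the "Whois Server:" referral.
Added example, not the whois(1) or fwhois source. whois-servers.net, the
referral line and whois.arin.net come from the chapter; SAMPLE is trimmed
from the chapter's own output so the script also runs offline."""
import ipaddress
import re
import socket

WHOIS_PORT = 43                 # RFC 3912: one query line + CRLF, read until the server closes
ARIN_SERVER = "whois.arin.net"  # IP addresses and NET-... handles, as in the chapter

# Assumed formats: registries say "Whois Server: host", registrars often repeat
# their own name as "Registrar Whois: host" (treated as the end of the chain).
REFERRAL_RE = re.compile(r"^\s*(?:registrar\s+)?whois(?:\s+server)?\s*:\s*([\w.-]+)", re.I | re.M)
# "Key: value" lines; (?!//) keeps "Go to http://..." from being read as a field
FIELD_RE = re.compile(r"^\s*([A-Za-z][\w /-]*?)\s*:\s*(?!//)(.*\S)\s*$")


def parse_fwhois(arg):
    """Split fwhois-style 'query@server' into (query, server or None)."""
    query, sep, server = arg.rpartition("@")
    return (query, server) if sep else (arg, None)


def choose_server(query):
    """Pick the first server the way a modern whois(1) does."""
    q = query.strip().lstrip("=").rstrip(".")
    if q.upper().startswith("NET-"):           # ARIN network-block handle
        return ARIN_SERVER
    try:
        ipaddress.ip_address(q)                # bare IPv4/IPv6 address
        return ARIN_SERVER
    except ValueError:
        pass
    tld = q.rsplit(".", 1)[-1].lower()         # com.whois-servers.net -> .com registry
    return f"{tld}.whois-servers.net"


def find_referral(response, current_server):
    """Referral server named in a response; None if absent or it names the server we asked."""
    m = REFERRAL_RE.search(response)
    if not m:
        return None
    ref = m.group(1).lower().rstrip(".")
    return None if ref == current_server.lower() else ref


def parse_fields(response):
    """Collect 'Key: value' lines; keys such as 'Name Server' repeat, so values are lists."""
    fields = {}
    for line in response.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields


def whois_query(server, query, timeout=10.0):
    """One RFC 3912 exchange over TCP/43 (live network; the offline demo swaps this out)."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as s:
        s.sendall(query.encode("ascii", "ignore") + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def whois(query, server=None, max_hops=3, fetch=whois_query):
    """Query, then follow referrals; returns [(server, response), ...] for every hop."""
    server = server or choose_server(query)
    hops, seen = [], set()
    while server and server not in seen and len(hops) < max_hops:
        seen.add(server)
        response = fetch(server, query)
        hops.append((server, response))
        server = find_referral(response, server)
    return hops


SAMPLE = {  # trimmed from the chapter's output, keyed by the server that produced it
    "com.whois-servers.net": "Whois Server Version 1.3\n   Domain Name: YAHOO.COM\n"
        "   Registrar: EMARKMONITOR INC. DBA MARKMONITOR\n   Whois Server: whois.markmonitor.com\n"
        "   Referral URL: http://www.markmonitor.com\n   Name Server: NS1.YAHOO.COM\n"
        "   Name Server: NS5.YAHOO.COM\n   Status: REGISTRAR-LOCK\n",
    "whois.markmonitor.com": "Registrant:\n    Yahoo! Inc.\nRegistrar Whois: whois.markmonitor.com\n"
        "Administrative Contact:\n    Domain Administrator\n"
        "    domainadmin@yahoo-inc.com +1.4083493300 Fax- +1.4083493301\n",
    "whois.arin.net": "OrgName: Yahoo!\nNetRange: 66.94.224.0 - 66.94.255.255\n"
        "CIDR: 66.94.224.0/19\nNetHandle: NET-66-94-224-0-1\nParent: NET-66-0-0-0-0\n",
}


def offline_lookup(query="=yahoo.com"):
    """Run the referral chain against SAMPLE; returns (servers visited, merged fields)."""
    hops = whois(query, fetch=lambda server, _q: SAMPLE[server])
    merged = {}
    for _, response in hops:
        for key, values in parse_fields(response).items():
            merged.setdefault(key, []).extend(values)
    return [s for s, _ in hops], merged


if __name__ == "__main__":
    for target in ("=yahoo.com", "66.94.234.13"):
        servers, fields = offline_lookup(target)
        print(target, "->", " -> ".join(servers))
        print({k: fields[k] for k in ("Whois Server", "Name Server", "CIDR") if k in fields})
```

Run stand-alone, it shows the two-hop chain (registry, then whois.markmonitor.com) for the domain and the single ARIN hop for the address, all from the canned data; calling whois() with the default fetch=whois_query runs the same logic against live servers. Two design points worth noticing: the chain stops when a server refers back to itself or to one already visited, which is what keeps a badly behaved referral from looping, and the transport is injected so the parsing can be exercised against saved output without touching anyone's network, which is exactly the kind of quiet, off-target information gathering the chapter's introduction warns about.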