Information Security News | Cyber Security | Hacking Tutorial (https://www.securitynewspaper.com/)

Use nslookup for footprinting
https://www.securitynewspaper.com/2018/11/23/use-nslookup-for-footprinting/
Fri, 23 Nov 2018 07:45:10 +0000

WHAT IS DNS (DOMAIN NAME SYSTEM)?

The Domain Name Server, or more precisely the Domain Name System, is a distributed system that lets humans refer to any website by name. Websites are hosted on servers that are reached by IP address, and humans cannot remember IP addresses (numbers) all the time. That is where DNS helps: it maps the IP address of a website to a normal, readable name, so anyone can remember the address of a website, according to ethical hacking professors.

An ethical hacking researcher explains how to use nslookup for ethical hacking activities and how the various DNS queries it supports help in the information gathering phase of analysing a website. DNS acts like an address book for the internet: if you know a particular name but not its IP address, you can look it up in the address book. DNS works the same way.

For instance, if a user visits webimprints.com in a browser, the computer uses DNS to obtain the website's IP address, which is 23.229.216.201.

DNS RECORD TYPES:-

DNS record types are what a DNS editor works with when making changes in a Domain Name Server.

  • A – SHOWS HOST IP ADDRESS
  • MX – SHOWS THE DOMAIN MAIL SERVER
  • CNAME – CANONICAL NAME, POINTS ONE DOMAIN OR SUBDOMAIN TO ANOTHER
  • NS – SHOWS HOST NAME SERVER
  • SRV – SHOWS SERVICE RECORDS
  • PTR – MAPS IP ADDRESS TO HOSTNAME
  • RP – RESPONSIBLE PERSON
  • HINFO – HOST INFORMATION RECORD (CPU AND OS)
  • TXT – TEXT RECORDS

The above DNS record types are the ones commonly used to gather information about a website, ethical hacking consultants mention.

NOW THE NSLOOKUP:-

NSLOOKUP is used to figure out whether DNS records are configured properly or not.

  • To start using NSLOOKUP, first open the COMMAND PROMPT.
  • In Windows, go to the START MENU and type CMD. You will see the COMMAND PROMPT; click CMD.EXE.
  • After opening CMD, type NSLOOKUP in the COMMAND PROMPT as shown in the screenshot below:

  • The first line of the result tells us the

Default Server: Unknown

and the second line the

Address (Default Gateway).

  • The Default Server is Unknown because no reverse lookup zone has been set up for the server's address, as per ethical hacking courses. Normal DNS queries are forward lookups (name to address); a reverse lookup zone does the opposite (address to name). To enable reverse lookup you have to create a PTR record, which maps a name under the in-addr.arpa domain to the actual host name.
  • The Address will be the default gateway provided by your ISP (INTERNET SERVICE PROVIDER).

NOW YOU CAN START WITH THE DNS RECORD TYPES:

DNS RECORD TYPE = A : SHOWS THE ADDRESS RECORD

  • After the above command, type a particular domain name:

webimprints.com

As you can see in the above screenshot, NSLOOKUP shows:

  • The name of the server – webimprints.com
  • After the name, the Address of the server, which is 23.229.216.201.
  • If you type set type=A and press Enter you get the same result as shown in the above image, because by default NSLOOKUP queries the DNS server for type A records.

DNS RECORD TYPE = MX : SHOWS TO DOMAIN MAIL SERVER

  • Type set type=MX and press Enter
  • Now type webimprints.com

In the above screenshot you see the mail servers. These MX records mean that the webimprints.com domain has mail exchange records. An MX (mail exchange) record tells the mail delivery destination for a particular domain, i.e. webimprints.com as shown above.

  • The first two lines show the rDNS (reverse DNS) name of the Google DNS server and the Google DNS server IP address, which is 8.8.8.8.
  • The next 5 lines show 5 MX (mail exchange) records.
  • Each MX record has its own preference value, and lower numbers mean higher preference. So when mail is sent, the MX record with the lowest preference value is used; if that MX host is not reachable, the MX record with the next preference value is used. If two records have the same MX preference value, both MX hosts are used at the same time.
  • If ALT1.ASPMX.L.GOOGLE.COM is down, mail is sent to ALT2.ASPMX.L.GOOGLE.COM.
  • If ALT2.ASPMX.L.GOOGLE.COM is down, mail is sent to ASPMX.L.GOOGLE.COM, and this cycle goes on until the mail is delivered.
  • Each MX target host needs its own A record, e.g. one that resolves ALT1.ASPMX.L.GOOGLE.COM to an IP address.

DNS RECORD TYPE = CNAME : SHOWS CANONICAL NAME

In the above screenshot you see canonical name pointers. A CNAME record means that a name under webimprints.com is an alias for another name.

  • A CNAME (canonical name) record maps a domain or subdomain to a different domain name. For each CNAME record, DNS lookups continue with the target name's own resolution to reach the final answer.
  • When a name is requested, the first DNS lookup finds the CNAME entry and then looks up its target.
  • CNAME records exist so that several domains can share the same canonical name. You should not use a CNAME record for a name that sends or receives email, because mail servers handle such names inconsistently. The target of a CNAME record should itself have a normal A record.

DNS RECORD TYPE = NS : SHOWS HOST NAME SERVER

  • Type set type=NS and press Enter
  • Now type webimprints.com

In the above screenshot you see the host name servers. These are the NS records for the webimprints.com domain, and they show that webimprints.com has 2 DNS host servers.

  • At the root level it is important that trustworthy name servers are configured to respond to queries for a domain name, explain ethical hacking specialists.
  • A nameserver is a server with a DNS package installed on it. A nameserver owned by a web host is typically used to manage the domain names of that host's web hosting customers.
  • Requests are sent to the name servers in random order; if one host does not respond, another host is used.

DNS RECORD TYPE = SRV : SHOWS SERVICE RECORDS

  • Type set type=SRV and press Enter
  • Now type webimprints.com

SRV looks like:-

_service.protocol.webimprints.com SRV 10 0 5060 service.webimprint.com

_service.protocol.webimprints.com SRV 10 0 5020 service.webimprint.com

  • An SRV record matches a specific service that runs on the domain to a target host. In some cases SRV records allow traffic for specific services to be directed to dedicated hosts.
  • An SRV record name is made up of the service name and the transport protocol, followed by the domain name.
  • The priority of both records above is 10 and the weight of both records is 0.

Service    Protocol   Host              Type  Priority  Weight  Port  Target
_service   protocol   webimprints.com   SRV   10        0       5060  service.webimprint.com
_service   protocol   webimprints.com   SRV   10        0       5020  service.webimprint.com

  • Let us break down the whole SRV record:-
    • Service – The service name, preceded by an underscore (_) and followed by a dot (.).
    • Protocol – The transport protocol, also preceded by an underscore (_).
    • Domain – The name of the domain that receives the original traffic.
    • Priority – The number marked in red is used when choosing the target. Setting different priorities lets you define fallback servers for the target service. Lower numbers always have higher priority.
    • Weight – If two records have the same priority, the weight is considered next to choose between them.
    • Port – The TCP/UDP port on which the service is running.
    • Target – The target host name; that host should have an A record so it resolves to an IP address.
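The preference rule from the MX section and the priority/weight rule from the SRV section above, worked through in code. This is an added example, not from the article; the MX record set is constructed in the shape of the article's output and the SRV records in the test are hypothetical.

```python
# Added example (not from the article): how a sending mail server walks MX
# preferences, and how a client orders SRV records by priority and weight.
# The record sets below are constructed; only the Google MX host names
# come from the article's nslookup output.
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class MX:
    preference: int   # lower value = tried first
    exchange: str     # mail host; must itself have an A record


@dataclass(frozen=True)
class SRV:
    priority: int     # lower value = tried first
    weight: int       # share of load among equal-priority records
    port: int
    target: str


# Constructed MX set in the shape of the article's webimprints.com output
MX_RECORDS = [
    MX(10, "ALT1.ASPMX.L.GOOGLE.COM"),
    MX(10, "ALT2.ASPMX.L.GOOGLE.COM"),
    MX(1, "ASPMX.L.GOOGLE.COM"),
    MX(20, "ALT3.ASPMX.L.GOOGLE.COM"),
    MX(20, "ALT4.ASPMX.L.GOOGLE.COM"),
]


def mx_delivery_order(records):
    """Group exchanges by preference, lowest first: hosts in one group
    share the load, the next group is only tried if the whole group fails."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.preference].append(rec.exchange)
    return [sorted(groups[p]) for p in sorted(groups)]


def srv_order(records, rng=None):
    """Order SRV targets as RFC 2782 describes: ascending priority, then a
    weighted random draw inside each priority (weight 0 = little traffic)."""
    rng = rng or random.Random()
    by_prio = defaultdict(list)
    for rec in records:
        by_prio[rec.priority].append(rec)
    ordered = []
    for prio in sorted(by_prio):
        # weight-0 records go first so a draw of 0 lands on them
        pool = sorted(by_prio[prio], key=lambda r: r.weight != 0)
        while pool:
            n = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for pick in pool:          # first record whose running sum >= n
                running += pick.weight
                if running >= n:
                    break
            pool.remove(pick)
            ordered.append((pick.target, pick.port))
    return ordered
```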

DNS RECORD TYPE=PTR : MAP IP ADDRESS TO HOSTNAME

  • Type set type=PTR and press Enter
  • Now type webimprints.com
  • A PTR record allows an rDNS (reverse DNS) query to match an IP address to a domain name. It works the opposite way to an A (address) record. Take for example 2 hosts:
  • For 172.16.0.1:

Type: PTR
Host: 1
Points to: host1.example.com

  • For 172.16.0.2:

Type: PTR
Host: 2
Points to: host2.example.com

The PTR records will be shown in the Control Panel like this:

Host                      Type  Point-To           TTL
1.0.16.172.in-addr.arpa   PTR   host1.example.com  1 Hour
2.0.16.172.in-addr.arpa   PTR   host2.example.com  1 Hour

  • After creating PTR records, always make sure that the hosts they point to have A records. In the above example, host1.example.com should have an A record pointing to 172.16.0.1 and host2.example.com one pointing to 172.16.0.2.
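The reverse-name construction and the A/PTR consistency check from the PTR section, as an added example that is not part of the article. The zone data is constructed from the article's two hosts; the IPv6 branch goes beyond what the article covers.

```python
# Added example (not from the article): build the in-addr.arpa name a PTR
# record lives at, and check the article's caveat that every PTR target has
# a matching A record. The zone data is constructed inline; nothing is
# queried over the network.
import ipaddress


def reverse_name(ip):
    """172.16.0.1 -> '1.0.16.172.in-addr.arpa' (octets reversed).
    IPv6 is handled too (nibbles reversed under ip6.arpa), which goes
    beyond the article's IPv4-only examples."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def address_from_reverse_name(rname):
    """Inverse of reverse_name for IPv4; None if not an in-addr.arpa name."""
    suffix = ".in-addr.arpa"
    if not rname.endswith(suffix):
        return None
    return ".".join(reversed(rname[: -len(suffix)].split(".")))


# Constructed zone data mirroring the article's two example hosts
A_RECORDS = {"host1.example.com": "172.16.0.1", "host2.example.com": "172.16.0.2"}
PTR_RECORDS = {reverse_name("172.16.0.1"): "host1.example.com",
               reverse_name("172.16.0.2"): "host2.example.com"}


def check_ptr_consistency(ptr_records, a_records):
    """Return a list of problems: PTR targets with no A record, or whose A
    record points to a different address than the PTR name encodes."""
    problems = []
    for rname, host in ptr_records.items():
        ip = address_from_reverse_name(rname)
        if ip is None:
            problems.append(f"{rname}: not an in-addr.arpa name")
            continue
        fwd = a_records.get(host)
        if fwd is None:
            problems.append(f"{host}: PTR target has no A record")
        elif fwd != ip:
            problems.append(f"{host}: A record {fwd} does not match PTR for {ip}")
    return problems
```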

DNS RECORD TYPE = RP : RESPONSIBLE PERSON

  • Type set type=RP and press Enter
  • Now type webimprints.com
  • An RP record stores the email address of the person who holds the domain; it points out who is responsible for the host.
  • The mailbox name is stored first, followed by a single space and a pointer to a record with more information.
  • For instance: info.webimprints.com info.people.webimprints.com, where the first field indicates info@webimprints.com.

DNS RECORD TYPE = HINFO : HOST INFORMATION HOLDS

  • Type set type=HINFO and press Enter
  • Now type yourwebsite.com

HINFO looks like:-

Owner-name   ttl   class   rr      Hardware          OS
                   IN      HINFO   PC-INTEL-700MHZ   REDHAT LINUX

  • An HINFO record holds host information, which includes the CPU type and the OS.
  • Such information is used by application protocols that need to know the operating system type and CPU of a computer.

DNS RECORD TYPE = TXT

  • Type set type=TXT and press Enter
  • Now type webimprints.com

In the above screenshot the text records are shown. These are the TXT records for the webimprints.com domain.

  • A TXT record means that webimprints.com has records that are not used for directing traffic.
  • The TXT record provides text information for other sources on the internet. This text can be human readable or machine readable.
  • A TXT record can hold the domain name, its contact number or an address.
  • TXT records have some common uses like DomainKeys (DK), Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

> server 8.8.8.8
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8

> webimprints.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
webimprints.com text =

        "google-site-verification=MXyHGRdPZ908baDtS31INOP5-ULVmF0APQl3XpTlY"

  • TXT records contain human readable information like:
    • Name – The host name for your domain, as marked in RED. The domain name is added to the name automatically; your base domain is used by default if you leave the name blank.
    • Value – What is marked in BLUE. If quotes are not used around one or more strings, they are treated as separate strings.

Authoritative and Non-Authoritative DNS server

When you do an nslookup for webimprints.com you get a response from one of the local DNS servers configured on your computer. The local DNS server configured on your computer is not the NS server of webimprints.com, so the response we receive from it is shown as non-authoritative.

> server 192.168.1.1
Default Server: [192.168.1.1]
Address: 192.168.1.1

> webimprints.com
Server: [192.168.1.1]
Address: 192.168.1.1

Non-authoritative answer:
Name: webimprints.com
Address: 23.229.216.201

> set type=NS
> webimprints.com
Server: [192.168.1.1]
Address: 192.168.1.1

Non-authoritative answer:
webimprints.com nameserver = ns20.domaincontrol.com
webimprints.com nameserver = ns19.domaincontrol.com

>

Now if we change the DNS server to one of the NS servers in the list and then do an nslookup against subdomain.webimprints.com, we get an authoritative answer back, according to ethical hacking courses. These servers have authority for webimprints.com; all other nameservers are non-authoritative for it.
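A parser for nslookup transcripts like the two above, which flags non-authoritative answers and extracts A, NS and MX records. This is an added example, not the article's code; the embedded transcript is constructed from the article's own output.

```python
# Added example (not from the article): parse a Windows nslookup session like
# the ones shown above and report whether each answer was authoritative.
# The sample transcript is constructed from the article's own output.
import re

SAMPLE = """\
> server 192.168.1.1
Default Server:  [192.168.1.1]
Address:  192.168.1.1

> webimprints.com
Server:  [192.168.1.1]
Address:  192.168.1.1

Non-authoritative answer:
Name:    webimprints.com
Address:  23.229.216.201

> set type=NS
> webimprints.com
Server:  [192.168.1.1]
Address:  192.168.1.1

Non-authoritative answer:
webimprints.com nameserver = ns20.domaincontrol.com
webimprints.com nameserver = ns19.domaincontrol.com
"""

NS_RE = re.compile(r"^(\S+)\s+nameserver = (\S+)$")
MX_RE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)$")


def parse_nslookup(text):
    """Return one dict per lookup: the queried name, the server that
    answered, whether the answer was authoritative, and the records found
    as (type, name, value). 'server' and 'set' commands are not lookups."""
    queries, cur, last_name = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("> "):
            cmd = line[2:].strip()
            last_name = None
            if cmd.startswith(("server ", "set ")):
                cur = None              # output that follows is not an answer
                continue
            cur = {"query": cmd, "server": None, "authoritative": True, "records": []}
            queries.append(cur)
            continue
        if cur is None or not line:
            continue
        if line.startswith("Server:"):
            cur["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("Non-authoritative answer:"):
            cur["authoritative"] = False   # resolver cache, not the zone's NS
        elif line.startswith("Name:"):
            last_name = line.split(":", 1)[1].strip()
        elif line.startswith("Address:") and last_name:
            # 'Address:' right after 'Server:' is the resolver, not an answer
            cur["records"].append(("A", last_name, line.split(":", 1)[1].strip()))
        elif m := NS_RE.match(line):
            cur["records"].append(("NS", m.group(1), m.group(2)))
        elif m := MX_RE.match(line):
            cur["records"].append(("MX", m.group(1), f"{m.group(2)} {m.group(3)}"))
    return queries
```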

Use dig for footprinting
https://www.securitynewspaper.com/2018/11/22/use-dig-for-footprinting/
Thu, 22 Nov 2018 12:46:33 +0000
The Domain Name Server, or more precisely the Domain Name System, is a distributed system that lets humans refer to any website by name. Websites are hosted on servers that are reached by IP address, and humans cannot remember IP addresses (numbers) all the time. That is where DNS helps: it maps the IP address of a website to a normal, readable name, so anyone can remember the address of a website, in accordance with ethical hacking specialists.

DNS acts like an address book for the internet. If you know a particular name but not its IP address, you can look it up in the address book. DNS works the same way, ethical hacking teachers assure.

For instance, if a user visits webimprints.com in a browser, the computer uses DNS to obtain the website's IP address, which is 23.229.216.201.

DNS RECORD TYPES:-

DNS record types are what a DNS editor (a network admin) works with when making changes in a Domain Name Server. The list below also includes the dig options covered in this article.

  • A – SHOWS HOST IP ADDRESS
  • MX – SHOWS THE DOMAIN MAIL SERVER
  • NS – SHOWS HOST NAME SERVER
  • rDNS – SHOWS REVERSE DNS LOOKUP
  • VIEW ANY FILE – READS QUERIES FROM A FILE, MOSTLY USED IN BULK DNS LOOKUPS
  • PORT NO. – SPECIFYING THE PORT NUMBER
  • DNS PATH – TRACING THE DNS RESOLUTION PATH
  • IPV4/IPV6 – QUERYING OVER IPV4 OR IPV6
  • SOA – SHOWS THE SOA RECORD

The above record types and options are commonly used to gather information about a website, ethical hacking consultants clarify.

NOW THE DIG:-

DIG is used to figure out whether DNS records are configured properly or not.

By default, dig is available in Kali Linux.

  • To start using dig, go to the Linux terminal and simply type dig webimprints.com, as shown in the screenshot below:

  • In the output you can see webimprints.com's IP address, returned by its A record.

TO CHECK YOUR DNS SERVER IN LINUX:-

  • Type cat /etc/resolv.conf.
  • Below you can see the DNS servers currently configured by default.

SPECIFYING NAME SERVER:-

  • After the above command, type dig @192.168.1.1 webimprints.com

  • In the above output we can see the specified name server being used. At the root level there should be trustworthy name servers configured to respond to queries for a domain name.
  • The NS records designated at the registrar point to the servers that carry the zone file for the domain. Subdomains are configured in those name servers.

SHOWING DOMAIN MAIL SERVERS:-

  • Type dig @192.168.1.1 webimprints.com MX

  • In the above screenshot you see the webimprints.com mail servers. These MX records mean that the webimprints.com domain has mail exchange records.
  • Each MX record has its own preference value, and lower numbers mean higher preference. So when mail is sent, the MX record with the lowest preference value is used; if that MX host is not reachable, the MX record with the next preference value is used. If two records have the same MX preference value, both MX hosts are used at the same time.

SHOWING REVERSE DNS LOOKUP:-

Type dig -x 23.229.216.201 (the IP address)

  • A PTR record allows an rDNS (reverse DNS) query to match an IP address to a domain name. It works the opposite way to an A (address) record. Take for example 2 hosts:
  • For 172.16.0.1:

Type: PTR
Host: 1
Points to: host1.example.com

  • For 172.16.0.2:

Type: PTR
Host: 2
Points to: host2.example.com

The PTR records will be shown in the Control Panel like this:

Host                      Type  Point-To           TTL
1.0.16.172.in-addr.arpa   PTR   host1.example.com  1 Hour
2.0.16.172.in-addr.arpa   PTR   host2.example.com  1 Hour

  • After creating PTR records, always make sure that the hosts they point to have A records. In the above example, host1.example.com should have an A record pointing to 172.16.0.1 and host2.example.com one pointing to 172.16.0.2.

VIEWING A FILE:-

Type dig -f query.txt +short

  • You have to create the file first and enter the domain names to look up in it. This command is useful for bulk DNS lookups.
  • -f reads the queries from the file; +short prints only the answers (the IP addresses).

INDICATE ANY PORT NUMBER:-

Type dig @8.8.8.8 -p 21 webimprints.com

  • As in the above screenshot, -p lets you specify an alternate port, for the case where an external name server is configured on a non-standard port.
  • The external name server must actually be listening on the specified port (21), and its firewall must also allow the traffic, otherwise the lookup fails. As you can see, the connection timed out because 8.8.8.8 is not listening on the arbitrary port 21 chosen in the screenshot above.

DNS TRACING:-

  • Type dig @8.8.8.8 webimprints.com +trace

  • In the above screenshot, querying webimprints.com with +trace shows the path DNS resolution takes: first the root name servers are asked, then the .com domain's name servers.

USING IPV4 OR IPV6:-

  • Type dig @8.8.8.8 -4 webimprints.com

  • In the above screenshot, the -4 option sends the query over IPv4 to get the IPv4 answer. If you want to query over IPv6, use -6 instead of -4.
  • To use IPv6 you must have an IPv6 network configured and working correctly.

GETTING THE SOA:-

  • Type dig @8.8.8.8 webimprints.com SOA

  • In the above screenshot, the SOA (Start of Authority) query shows basic information about the domain, like how often it is updated and when it was last updated. A zone file can contain only one SOA record.

As per ethical hacking researchers of the International Institute of Cyber Security, dig is quite helpful to network administrators in the information gathering phase.

Footprinting a target with datasploit
https://www.securitynewspaper.com/2018/11/19/footprinting-a-target-with-datasploit/
Mon, 19 Nov 2018 20:24:06 +0000
DATASPLOIT:-

Datasploit is a tool used for footprinting a target, or for assessing the exposure of a target you defend. It allows you to collect relevant information about a domain, email address, phone number, person, etc., as per ethical hacking courses. It collects information about a target that can expand your attack or defense picture. The tool is used in Kali Linux penetration testing. As per past research done by ethical hacking researchers of the International Institute of Cyber Security, this tool comes in quite handy when gathering information about a target.

For installing Datasploit:

  • Type git clone https://github.com/datasploit/datasploit
  • Then type cd /root/Downloads/Datasploit
  • Then type pip install -r requirements.txt
  • Type mv datasploit_config.py config.py
  • In config.py you have to enter the API keys/secrets for the different components of datasploit.
  • For generating the API keys go to https://datasploit.readthedocs.io/en/latest/apiGeneration/

  • To generate each API key you have to create an account on the corresponding website, such as Shodan or Censys, and follow the instructions given there.

NOTE: the more APIs you configure, the more information can be enumerated.

  • After generating the API keys, open config.py and save them there:
  • cd /root/Downloads/Datasploit
  • vim config.py
  • Save the API keys in config.py as shown below:

  • The above API keys will be used while executing the queries.
  • Type ./datasploit.py

  • Type python domainOsint.py arinagrande.com as shown below:

===========OUTPUT SNIP============

  • After executing the above query, information like the domain history and whois information is fetched for the target, which can be used in further hacking activities.
  • The output contains information like domain history, whois information and discovered hosts. All of this can be used in information gathering.
