Lab 2
Footprinting a Target Network Using the nslookup Tool
nslookup is a network administration command-line tool available for many
computer operating systems for querying the Domain Name System (DNS) to
obtain the domain name, the IP address mapping, or any other specific DNS record.
Lab Scenario
In the previous lab, we gathered information such as the IP address, ping statistics, maximum frame size, and TTL response using the ping utility. Using the IP address found, an attacker can perform further hacks like port scanning, NetBIOS, etc., and can also find the country or region in which the IP is located and the domain name associated with the IP address.
In the next step of reconnaissance, you need to find the DNS records. Suppose in a network there are two Domain Name System (DNS) servers named A and B, hosting the same Active Directory-Integrated zone. Using the nslookup tool, an attacker can obtain the IP address of the domain name, allowing him or her to find the specific IP address of the person he or she is hoping to attack. It is difficult to restrict other users from querying the DNS server with the nslookup command, because this program basically simulates the way other programs perform DNS name resolution. As a penetration tester, however, you should be able to prevent such attacks by going to the zone's properties and, on the Zone Transfer tab, selecting the option not to allow zone transfers. This will prevent an attacker from using the nslookup command to get a list of your zone's records. nslookup can provide you with a wealth of DNS server diagnostic information.
Lab Objectives
The objective of this lab is to help students learn how to use the nslookup command.
This lab will teach you how to:
■ Execute the nslookup command
■ Find the IP address of a machine
■ Change the server you want the response from
■ Elicit an authoritative answer from the DNS server
■ Find name servers for a domain
■ Find Cname (Canonical Name) for a domain
■ Find mail servers for a domain
■ Identify various DNS resource records
Lab Environment
To carry out the lab, you need:
■ Administrative privileges to run tools
■ TCP/IP settings correctly configured and an accessible DNS server
■ This lab will work in the CEH lab environment - on Windows Server 2012, Windows 8, Windows Server 2008, and Windows 7
■ If the nslookup command doesn't work, restart the command window, and type nslookup for the interactive mode.
Lab Duration
Time: 5 Minutes
Overview of nslookup
nslookup means name server lookup. To execute queries, nslookup uses the operating system's local Domain Name System (DNS) resolver library. nslookup operates in interactive or non-interactive mode. When used interactively, by invoking it without arguments or when the first argument is - (minus sign) and the second argument is a host name or IP address, the user issues parameter configurations or requests when presented with the nslookup prompt (>). When no arguments are given, the command queries the default server. The - (minus sign) invokes subcommands, which are specified on the command line and should precede nslookup commands. In non-interactive mode, i.e., when the first argument is the name or internet address of the host being searched, parameters and the query are specified as command-line arguments in the invocation of the program. The non-interactive mode searches the information for the specified host using the default name server.
With nslookup you will receive either a non-authoritative or an authoritative answer. You receive a non-authoritative answer because, by default, nslookup asks your nameserver to recurse in order to resolve your query and because your nameserver is not an authority for the name you are asking it about. You can get an authoritative answer by querying the authoritative nameserver for the domain you are interested in.
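The distinction between the two kinds of answer can be read directly from nslookup's output. The following parser is an added example, not part of the original lab; it assumes the Windows nslookup output layout with a single address per name, and the sample outputs, the 192.0.2.x and 198.51.100.x addresses, and the server name ns1.example.net are constructed placeholders.

```python
import re

# Constructed samples in the Windows nslookup output layout. The 192.0.2.x and
# 198.51.100.x addresses and ns1.example.net are placeholders, not lab results.
RECURSIVE = """Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    www.certifiedhacker.com
Address:  192.0.2.10
"""
DIRECT_MX = """Server:  ns1.example.net
Address:  198.51.100.53

certifiedhacker.com\tMX preference = 0, mail exchanger = mail.certifiedhacker.com
"""

MX_RE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)$")
CNAME_RE = re.compile(r"^(\S+)\s+canonical name = (\S+)$")

def parse_nslookup(text):
    """Split nslookup output into the answering server and the records returned."""
    out = {"server": None, "server_address": None, "records": []}
    non_auth, in_answer, name = False, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_answer = out["server"] is not None  # blank line ends the server header
            continue
        if line.lower().startswith("non-authoritative answer"):
            non_auth = True
            continue
        mx, cname = MX_RE.match(line), CNAME_RE.match(line)
        key, _, value = (part.strip() for part in line.partition(":"))
        if mx:
            out["records"].append(("MX", mx[1], int(mx[2]), mx[3]))
        elif cname:
            out["records"].append(("CNAME", cname[1], cname[2]))
        elif not in_answer and key == "Server":
            out["server"] = value
        elif not in_answer and key == "Address":
            out["server_address"] = value
        elif in_answer and key == "Name":
            name = value
        elif in_answer and key == "Address" and name:
            out["records"].append(("A", name, value))
    # A missing "Non-authoritative answer" banner only counts if data came back:
    # timeouts and errors print no banner either.
    out["authoritative"] = bool(out["records"]) and not non_auth
    return out
```

Calling parse_nslookup(RECURSIVE) reports the answer from the recursive resolver as non-authoritative, while parse_nslookup(DIRECT_MX) reports the directly queried server's MX answer as authoritative.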
Lab Tasks
1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop
FIGURE 2.1: Windows Server 2012 — Desktop view
FIGURE 2.2: Windows Server 2012—Apps
3. In the command prompt, type nslookup, and press Enter
4. Now, type help and press Enter. The displayed response should be similar to the one shown in the following figure
FIGURE 2.3: The nslookup command with help option
5. In the nslookup interactive mode, type “set type=a” and press Enter
6. Now, type www.certifiedhacker.com and press Enter. The displayed response should be similar to the one shown in the following figure
Note: The DNS server Address (202.53.8.8) will be different from the one shown in the screenshot
FIGURE 2.4: In nslookup command, set type=a option
8. In nslookup interactive mode, type set type=cname and press Enter
9. Now, type certifiedhacker.com and press Enter
Note: The DNS server address (8.8.8.8) will be different than the one in the screenshot
10. The displayed response should be similar to the one shown as follows:
> set type=cname
> certifiedhacker.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
FIGURE 2.5: In nslookup command, set type=cname option
12. Now, type set type=a and press Enter.
13. Type www.certifiedhacker.com and press Enter. The displayed response should be similar to the one shown in the following figure.
FIGURE 2.6: In nslookup command, set type=a option
15. In nslookup interactive mode, type set type=mx and press Enter.
16. Now, type certifiedhacker.com and press Enter. The displayed response should be similar to the one shown in the following figure.
FIGURE 2.7: In nslookup command, set type=mx option