
B75 CSS Exp 7

The document outlines an experiment in a Cryptography and System Security Lab focusing on network reconnaissance tools such as WHOIS, dig, traceroute, and nslookup. It describes the aim, prerequisites, outcomes, and theoretical background of network reconnaissance, including passive and active attacks. Students are expected to apply these tools to gather information about networks and domain registrars, with specific examples and commands provided for practical application.

Uploaded by

swayamvhatkar6

Class: TE Sem.: VI

Course: Cryptography and System Security Lab

PART A
(PART A : TO BE REFERRED BY STUDENTS)

Experiment No.07
A.1 Aim: Study the use of network reconnaissance tools like WHOIS, dig, traceroute, nslookup
to gather information about networks and domain registrars.

A.2 Prerequisite:
1. Basic Knowledge of IP addresses, DNS.

A.3 Outcome:
After successful completion of this experiment students will be able to

Apply basic network commands to gather basic network information.

A.4 Theory:
Network Reconnaissance:
• Act of reconnoitering: exploring with the goal of finding something (especially to
gain information about an enemy)
• In the world of hacking, reconnaissance begins with “Footprinting”
• i.e. accumulating data about the target’s environment, and finding vulnerabilities.
• The attacker gathers information in two phases, viz. passive attacks and active attacks

Passive attacks
• Gathering information about a target without his/her knowledge (eavesdropping)
• Yahoo or Google search
• Surfing online community groups
• Gathering information from websites of organisations, e.g. contact details, email
address etc.
• Blogs, newsgroups, press releases etc.
• Going through job postings in particular job profiles

Reconnaissance Tools

• WHOIS, dig, traceroute, nslookup

1. WHOIS : WHOIS is the Linux utility for searching an object in a WHOIS
database. The WHOIS database of a domain is the publicly displayed
information about a domain's ownership, billing, technical, administrative, and
nameserver information. Running a WHOIS on your domain will look the
domain up at the registrar for the domain information. All domains have
WHOIS information. The WHOIS database can be queried to obtain the following
information:

• Administrative contact details, including names, email addresses, and telephone
numbers
• Mailing addresses for office locations relating to the target organization
• Details of authoritative name servers for each given domain

Example: Querying Facebook.com

ssc@ssc-OptiPlex-380:~$ whois facebook.com

For more information on Whois status codes, please visit
https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en.

Domain Name: facebook.com
Registry Domain ID: 2320948_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2014-10-28T12:38:28-0700
Creation Date: 1997-03-28T21:00:00-0800
Registrar Registration Expiration Date: 2020-03-29T21:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Facebook, Inc.
Registrant Street: 1601 Willow Road,
Registrant City: Menlo Park
Registrant State/Province: CA
Registrant Postal Code: 94025
Registrant Country: US
Registrant Phone: +1.6505434800
Registrant Phone Ext:
Registrant Fax: +1.6505434800
Registrant Fax Ext:
Registrant Email: domain@fb.com
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Facebook, Inc.
Admin Street: 1601 Willow Road,
Admin City: Menlo Park
Admin State/Province: CA
Admin Postal Code: 94025
Admin Country: US
Admin Phone: +1.6505434800
Admin Phone Ext:
Admin Fax: +1.6505434800
Admin Fax Ext:
Admin Email: domain@fb.com
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: Facebook, Inc.
Tech Street: 1601 Willow Road,
Tech City: Menlo Park
Tech State/Province: CA
Tech Postal Code: 94025
Tech Country: US
Tech Phone: +1.6505434800
Tech Phone Ext:
Tech Fax: +1.6505434800
Tech Fax Ext:
Tech Email: domain@fb.com
Name Server: b.ns.facebook.com
Name Server: a.ns.facebook.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2015-07-16T21:08:30-0700 <<<

The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com for
information purposes, and to assist persons in obtaining information about or related to a domain
name registration record. MarkMonitor.com does not guarantee its accuracy. By submitting a
WHOIS query, you agree that you will use this Data only for lawful purposes and that, under no
circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail (spam);
or
(2) Enable high volume, automated, electronic processes that apply to MarkMonitor.com
(or its systems).

MarkMonitor.com reserves the right to modify these terms at any time. By submitting this
query, you agree to abide by this policy.

MarkMonitor is the Global Leader in Online Brand Protection.

MarkMonitor Domain Management(TM)
MarkMonitor Brand Protection(TM)
MarkMonitor AntiPiracy(TM)
MarkMonitor AntiFraud(TM)
Professional and Managed Services

Visit MarkMonitor at http://www.markmonitor.com
Contact us at +1.8007459229
In Europe, at +44.02032062220
ssc@ssc-OptiPlex-380:~$

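The same record format can be read from the defender's side, to see what the WHOIS entry for a domain you manage gives away. The following is an added example, not part of the original lab sheet: the names parse_whois, audit and WANTED_LOCKS, the 60-day expiry threshold and the sample record are all assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample record (not real registry data), shaped like the output above.
SAMPLE = """\
Domain Name: example.test
Registrar Registration Expiration Date: 2030-03-29T21:00:00-0700
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Registrant Name: Jane Admin
Registrant Email: jane.admin@example.test
Admin Phone: +1.5555550100
Admin Phone Ext:
Name Server: a.ns.example.test
Name Server: b.ns.example.test
DNSSEC: unsigned
>>> Last update of WHOIS database: 2029-01-01T00:00:00-0700 <<<
"""

WANTED_LOCKS = {"clientUpdateProhibited", "clientTransferProhibited", "clientDeleteProhibited"}

def parse_whois(text):
    """Return {field: [values]}; repeated fields (Domain Status, Name Server) keep every value."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or line.startswith((">>>", "%", "#")):
            continue  # notices and footer lines are not fields
        value = value.strip()
        if value:  # skip empty fields such as "Admin Phone Ext:"
            record.setdefault(key.strip(), []).append(value)
    return record

def audit(record, today):
    """List what the public record exposes or leaves unprotected (hypothetical checks)."""
    findings = []
    locks = {v.split()[0] for v in record.get("Domain Status", [])}
    for lock in sorted(WANTED_LOCKS - locks):
        findings.append(f"registrar lock not set: {lock}")
    # A record with no DNSSEC field is treated the same as "unsigned".
    if record.get("DNSSEC", ["unsigned"])[0].lower() == "unsigned":
        findings.append("DNSSEC: zone is unsigned")
    for field, values in record.items():
        # The registrar's own abuse contacts are expected to be public.
        if field.endswith(("Email", "Phone")) and not field.startswith("Registrar"):
            findings.append(f"contact exposed: {field} = {values[0]}")
    expiry = datetime.strptime(
        record["Registrar Registration Expiration Date"][0], "%Y-%m-%dT%H:%M:%S%z")
    days_left = (expiry - today).days
    if days_left < 60:  # threshold is an assumption
        findings.append(f"registration expires in {days_left} days")
    return findings
```

Call audit(parse_whois(text), datetime.now(timezone.utc)) on the saved whois output of a domain you administer; each finding points at a setting to change with the registrar (locks, DNSSEC, role-based contacts, renewal).
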
2. Dig - Dig is a networking tool that can query DNS servers for information. It
can be very helpful for diagnosing problems with domain pointing and is a
good way to verify that your configuration is working. The most basic way to
use dig is to specify the domain we wish to query:

Example:

$ dig duckduckgo.com

3. Traceroute - traceroute prints the route that packets take to a network host.
The traceroute utility relies on the TTL (Time to Live) field in the IP header.
For users who are new to the TTL field, this field describes how many hops a
particular packet may take while traveling on the network, so it effectively
limits the lifetime of the packet on the network. This field is usually set to 32 or
64. Each time the packet passes through an intermediate router, the router decreases the
TTL value by 1. When a router finds a TTL value of 1 in a received packet,
that packet is not forwarded but discarded. After discarding the
packet, the router sends an ICMP "Time exceeded" error message back to the
source that generated the packet. The ICMP packet that is sent back
contains the IP address of the router. Traceroute therefore operates by sending
packets with a TTL value starting from 1 and incrementing it by one each time.
Each time a router receives such a packet, it checks the TTL field; if the TTL
is 1, it discards the packet and sends back the ICMP error packet containing its
IP address, which is what traceroute requires. In this way traceroute
incrementally fetches the IP addresses of all the routers between
the source and the destination.

Example:

$ traceroute example.com
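The TTL mechanism described above can be followed offline with a small simulation. This is an added example, not part of the original lab sheet: the path, the addresses (RFC 5737 documentation ranges) and the function names are constructed, and a router that stays silent models one configured not to send ICMP Time Exceeded.

```python
# Constructed path: (router address, sends ICMP Time Exceeded?).
# The third router is assumed to be configured to stay silent.
PATH = [("192.0.2.1", True), ("198.51.100.7", True),
        ("198.51.100.9", False), ("203.0.113.1", True)]
DEST = "203.0.113.80"

def send_probe(path, dest, ttl):
    """Forward one probe; return (kind, address) of the reply, or None if nothing comes back."""
    for address, replies in path:
        ttl -= 1                      # every router decrements the TTL
        if ttl == 0:                  # expired here: discarded, not forwarded
            return ("time-exceeded", address) if replies else None
    return ("reached", dest)          # survived every router; the destination answers

def traceroute(path, dest, max_hops=30):
    """Probe with TTL 1, 2, 3, ... and record who answered each probe ("*" = no reply)."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(path, dest, ttl)
        hops.append((ttl, reply[1] if reply else "*"))
        if reply and reply[0] == "reached":
            break
    return hops

def filtered(path, border):
    """Same path, but routers after index `border` no longer send Time Exceeded."""
    return [(addr, replies and i <= border) for i, (addr, replies) in enumerate(path)]

if __name__ == "__main__":
    for label, path in (("open", PATH), ("filtered at border", filtered(PATH, 0))):
        print(label)
        for ttl, who in traceroute(path, DEST):
            print(f"  {ttl:2d}  {who}")
```

With the filtered path only the border router is named; every later hop shows as "*", which is how suppressing Time Exceeded replies keeps internal router addresses out of a trace.
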


PART B
(PART B : TO BE COMPLETED BY STUDENTS)

Roll No. B75 Name: Harshal Rajendra Bade


Class : TE-B Batch : B4
Date of Experiment: Date of Submission:-
Grade :

B.1 Output of Reconnaissance Tools


WHOIS
Traceroute

nslookup

Dig

B.2. Commands / tools used with syntax:


Traceroute
tracert www.google.com

Dig
dig google.com

Whois

B.3 Question of Curiosity:


1. What information is grabbed from Whois?
Ans :-
WHOIS database can be queried to obtain the following information via
WHOIS:
1> Administrative contact details, including names, email
addresses, and telephone numbers
2> Mailing addresses for office locations relating to the target
organization
3> Details of authoritative name servers for each given domain

2. What information is grabbed from traceroute?
Ans:-

Traceroute is a network diagnostic tool used to track in real-time the pathway taken
by a packet on an IP network from source to destination, reporting the IP addresses of
all the routers it pinged in between. Traceroute also records the time taken for each hop
the packet makes during its route to the destination.

3. What information is grabbed from dig?
Ans :-

Dig will let you perform any valid DNS query, the most common of which are:
A (the IP address),
TXT (text annotations),
MX (mail exchanges), and
NS (nameservers).

4. After using traceroute, how can an attacker use the information, and based on the same,
what kind of attacks can be applied?
Ans:-
An adversary uses a traceroute utility to map out the route which data flows through the
network en route to a target destination. Tracerouting can allow the adversary to construct a
working topology of systems and routers by listing the systems through which data passes
on its way to the targeted machine. This attack can return varied results depending upon the
type of traceroute that is performed. Traceroute works by sending packets to a target while
incrementing the Time-to-Live field in the packet header. As the packet traverses each hop along
its way to the destination, its TTL expires, generating an ICMP diagnostic message that identifies
where the packet expired. Traditional techniques for tracerouting involved the use of ICMP and
UDP, but as more firewalls began to filter ingress ICMP, methods of traceroute using TCP were
developed.
