2007
A HACKING ODYSSEY PART I: RECONNAISSANCE CONT...
WHOIS
The Internet is a huge directory of domain names, and because of various
copyright laws, trading laws and the way DNS works, no two identical
domain names can exist on the Internet at the same time.
A domain name refers to an organisation's "Internet presence" and is
usually related to its normal company name, e.g. the domain name for
Barclays Bank is Barclays.co.uk (http://www.barclays.co.uk/). 99% of the
time this also means their email addresses will end in Barclays.co.uk.
Keeping track of all these domain names was historically done by
Network Solutions until 1999, when they lost the monopoly on domain
name registration. As the Internet grew, so did the number of suffixes
attached to domain names (.com, .co.uk, .org etc.) and so did the
number of registrars.
Any domain name ending in .aero, .arpa, .biz, .cat, .com, .coop,
.edu, .info, .int, .jobs, .mobi, .museum, .name, .net, .org, .pro or
.travel is registered through InterNIC, who can be found here:
http://www.internic.net
The country code top-level domains, the two-letter suffixes that refer
to a country (e.g. uk, jp, au), will tell the attacker what country the
target is in. A list of ccTLDs can be found here:
http://www.iana.org/root-whois/index.html
What if your target's domain name does not fall under InterNIC's remit?
Well, there is a very helpful site called Uwhois that will tell us where
to look for the registration details of our particular domain:
http://www.uwhois.com/domains.html
We browse to Uwhois and enter “shedstore” in the domain box, tick
.co.uk and click Go.
Depending on who the domain is registered with, Uwhois may show us the
complete registration record or it may tell us where to go and look for
the records.
In our case we are told that the domain name is registered:
Quote:
The answer to your domain search is
________________________________________
Uwhois search for shedstore.co.uk Registered
Notice that shedstore.co.uk is a hyperlink? Click on it and you will
either be taken to the registration details or be told where to
look:
Quote:
[whois.nic.uk]
We now know that whois.nic.uk holds the registration records. Type that
into Google and the first hit you get is for Nominet.
http://www.nominet.org.uk/other/whois/
Browse to Nominet and enter shedstore.co.uk as the search term:
Quote:
Domain name:
shedstore.co.uk
Registrant:
Keith Taylor
Trading as:
Guardian Buildings
Registrant type:
UK Partnership
Registrant's address:
Guardian Buildings
Unit 1
Southview Park
Caversham
Reading
Berkshire
RG4 5AF
United Kingdom
Registrant's agent:
Thus plc t/a DSVR [Tag = DSVR]
URL: http://www.dsvr.co.uk
Relevant dates:
Registered on: 24-Jan-2000
Renewal date: 24-Jan-2008
Last updated: 20-Jun-2006
Registration status:
Registered until renewal date.
Name servers:
ns0.serve.co.uk
ns0.serve.net.uk
Now we are getting some information that we can use to aid our attack.
We have the name of someone who is probably fairly high up in the
Guardian Buildings organisation: Keith Taylor. We also know Shed Store
is part of the Guardian Buildings group, from information we were able
to get from their web site.
We have the address of both Shed Store and Guardian Buildings; again we
have this from their web site and from this WHOIS record.
We now know who they use to host their web site and who they registered
their domain name through, from the Registrant's agent entry in the
record: URL: http://www.dsvr.co.uk .
We can see the record was last updated in June 2006, so 'Keith Taylor'
is probably still working for the organisation.
Finally we have the most important piece of information to us so far:
the name servers, which I will talk about in a minute.
You may be thinking, "Yeah, OK, I have all this information, but what
use is it to me?" It will all become apparent right after I run through
DNS and DNS zone transfers.
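The fields the post pulls out of that Nominet record (registrant, trading name, agent, name servers and the three dates) can be extracted mechanically, and the same parse is what a domain owner would run over their own listing to see exactly what a WHOIS lookup exposes and to catch a renewal that is about to lapse. The Python below is an added example, not part of nokia's tutorial: SAMPLE_RECORD is a copy of the listing quoted above, while the 7 February 2007 reference date (the post's date) and the 365-day "contact probably current" threshold are my assumptions, chosen to encode the post's own reasoning about the "Last updated" field.

```python
import re
from datetime import date, datetime

# Constructed copy of the Nominet record quoted in the post (same fields and values).
SAMPLE_RECORD = """\
Domain name:
shedstore.co.uk
Registrant:
Keith Taylor
Trading as:
Guardian Buildings
Registrant type:
UK Partnership
Registrant's address:
Guardian Buildings
Unit 1
Southview Park
Caversham
Reading
Berkshire
RG4 5AF
United Kingdom
Registrant's agent:
Thus plc t/a DSVR [Tag = DSVR]
URL: http://www.dsvr.co.uk
Relevant dates:
Registered on: 24-Jan-2000
Renewal date: 24-Jan-2008
Last updated: 20-Jun-2006
Registration status:
Registered until renewal date.
Name servers:
ns0.serve.co.uk
ns0.serve.net.uk
"""

# In the Nominet layout a section heading is a line made only of words and a trailing colon;
# "URL: http://..." and "Registered on: 24-Jan-2000" have text after the colon and are data lines.
SECTION_RE = re.compile(r"^[A-Za-z' ]+:$")


def parse_nominet_record(text):
    """Group the listing into {section heading: [data lines under it]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            current = line[:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def summarise(record_text, today):
    """Pull out the fields the post reasons about and judge how current the record is."""
    s = parse_nominet_record(record_text)
    dates = {}
    for line in s.get("Relevant dates", []):
        key, value = line.split(":", 1)
        dates[key.strip()] = datetime.strptime(value.strip(), "%d-%b-%Y").date()
    agent_url = None
    for line in s.get("Registrant's agent", []):
        if line.startswith("URL:"):
            agent_url = line.split(":", 1)[1].strip()
    renewal, updated = dates["Renewal date"], dates["Last updated"]
    return {
        "domain": s["Domain name"][0],
        "registrant": s["Registrant"][0],
        "trading_as": s["Trading as"][0],
        "agent_url": agent_url,
        "name_servers": s["Name servers"],
        "registered_on": dates["Registered on"],
        "renewal_date": renewal,
        "last_updated": updated,
        # Negative means the registration has already lapsed past its renewal date.
        "days_to_renewal": (renewal - today).days,
        "updated_days_ago": (today - updated).days,
        # Assumed threshold: the post infers that a record updated within the last year
        # probably still names a current contact.
        "contact_probably_current": (today - updated).days < 365,
    }


def demo():
    """Run the summary against the sample record as of the post's date (an assumed reference date)."""
    return summarise(SAMPLE_RECORD, date(2007, 2, 7))


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %s" % (key, value))
```

The date arithmetic is the point a defender cares about: run this over your own records and a negative days_to_renewal, or a name-server list you do not recognise, is something to act on before an attacker reads the same record.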
Domain Name Service – DNS
DNS could be considered the post office and telephone directory of the
Internet. Without it the Internet would not be anywhere near as
efficient and easy to use as it is today.
In a nutshell, DNS ties a domain name to an IP address. I will presume
most people know what an IP address is and will not insult you all by
explaining it (PM J_K9 if you need to know).
To explain DNS it is best to give an example, so go to your Run prompt
(Start > Run), type CMD into it and press Enter (or do your Linux
equivalent). A black box will pop up; this is your command prompt.
Whenever we want to perform any DNS queries, or interact with DNS in
any way, we use a program called 'nslookup'. (Linux users may want to
use 'dig' instead of nslookup, as most recent Linux distros have
butchered the nslookup program somewhat.)
Type nslookup:
Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Nokia>nslookup
Default Server: speedtouch.lan
Address: 192.168.1.254
>
Notice the prompt changes to '>'; this tells us we are now in the
nslookup application and not in the normal command prompt.
The Default Server line tells you what your own DNS server is. (This may
not always be an actual server, especially if you are using a home
router; if you are, the IP address shown will usually be that of the
router.)
At the ‘>’ prompt type google.com:
Code:
C:\Documents and Settings\Nokia>nslookup
Default Server: speedtouch.lan
Address: 192.168.1.254
> google.com
Server: speedtouch.lan
Address: 192.168.1.254
Non-authoritative answer:
Name: google.com
Addresses: 64.233.187.99, 64.233.167.99, 72.14.207.99
>
You will see that the output of the command you entered is three
different IP addresses.
Now at the prompt type in one of these IP addresses:
Code:
> 64.233.167.99
Server: speedtouch.lan
Address: 192.168.1.254
Name: py-in-f99.google.com
Address: 64.233.167.99
>
**Tip – right click the blue bar on top of your command prompt and
select properties, in the Edit Options field make sure Quick Edit and
Insert Mode are ticked. You can now copy and paste as you would normal
text. Try highlighting a Google IP address in the normal way by moving
your cursor over it with the mouse button pressed, the text will go
white; now right click. To paste the text simply right click again and
the text will be pasted where the flashing cursor is.**
The output from the above command tells us the IP belongs to Google.com.
What you have just done is perform a DNS query to find out the IP
address(es) that Google use for their web presence: when you entered
the domain name you did a forward DNS lookup, and when you entered the
IP address you did a reverse DNS lookup (rDNS).
You may still be thinking what the hell I am on about, but it will
become apparent now:
Try typing one of the IP addresses you got from your DNS lookup into
your web browser. You are still taken to Google.
Your computer does not talk to other computers by using words such as
Google.com. When you enter Google.com into your browser your computer
needs to convert this into a form both it and other computers will
understand. As you probably know everything on the Internet needs an IP
address, as this is how all traffic is addressed on the Internet (it is
different on an internal LAN but for now assume everything uses IP
addresses). So something needs to take google.com and convert it to an
IP address to enable your computer to go out on to the Internet and
find the server that hosts the Google web site.
If you haven’t guessed it already, it is DNS’s job to do this.
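A forward lookup and a reverse lookup are the same protocol exchange with a different question: an A query for google.com, or a PTR query for the address written backwards under in-addr.arpa. The Python below is an added example (not from the tutorial) that builds the two queries nslookup sent for "> google.com" and "> 64.233.167.99" and parses the replies. Because it runs offline, build_response constructs the replies locally from the three addresses and the py-in-f99.google.com hostname quoted above; no real server is involved, and the transaction id 0x1234 and 300-second TTL are arbitrary values of mine. The matches_query check is there because a resolver must throw away any reply whose id and question do not echo what it asked, which is the basic defence against stale or forged answers.

```python
import struct

QTYPE = {"A": 1, "PTR": 12}


def reverse_name(ip):
    """The owner name an rDNS lookup asks for: octets reversed, under in-addr.arpa."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def encode_name(name):
    """Wire form of a name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """12-byte header (RD=1, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg, offset):
    """Read a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:              # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg):
    """Return the id, whether the reply is authoritative, and (name, type, value) answers."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                          # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == QTYPE["A"]:
            value = ".".join(str(b) for b in rdata)
        elif rtype == QTYPE["PTR"]:
            value, _ = decode_name(msg, offset)
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append((name, rtype, value))
    # nslookup prints "Non-authoritative answer" when the AA flag (0x0400) is clear,
    # i.e. the reply came from a resolver's cache rather than the zone's own server.
    return {"id": txid, "authoritative": bool(flags & 0x0400), "answers": answers}


def matches_query(query, response):
    """A reply only counts if its id and question section echo the query we sent."""
    return response[:2] == query[:2] and response[12:len(query)] == query[12:]


def build_response(query, rdatas, aa=False):
    """Constructed reply (no server involved): echo the question, answers point back to its name."""
    flags = 0x8180 | (0x0400 if aa else 0)       # QR=1, RD=1, RA=1
    txid = struct.unpack("!H", query[:2])[0]
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(rdatas), 0, 0) + query[12:]
    for rtype, rdata in rdatas:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def forward_lookup_demo():
    """Mirror of '> google.com' in the post, using the three addresses it shows."""
    query = build_query("google.com", "A")
    ips = ["64.233.187.99", "64.233.167.99", "72.14.207.99"]
    reply = build_response(query, [(QTYPE["A"], bytes(int(o) for o in ip.split("."))) for ip in ips])
    assert matches_query(query, reply)
    return parse_response(reply)


def reverse_lookup_demo():
    """Mirror of '> 64.233.167.99': a PTR query for the in-addr.arpa name."""
    query = build_query(reverse_name("64.233.167.99"), "PTR")
    reply = build_response(query, [(QTYPE["PTR"], encode_name("py-in-f99.google.com"))])
    assert matches_query(query, reply)
    return parse_response(reply)


if __name__ == "__main__":
    print(forward_lookup_demo())
    print(reverse_lookup_demo())
```

To send one of these queries to an actual resolver instead of the constructed reply, write the bytes from build_query to a UDP socket on port 53 of the server nslookup reported as Default Server and hand the datagram that comes back to parse_response; the three Google addresses in the post were current in 2007 and will not match what a live query returns today.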
Original Tutorial
by nokia for TheTAZZone-TAZForum
Originally posted on February 7th, 2007 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.