Leaked Network Security Information Analysis

Page 1 of 27

Name: Allen Galvan
Due: 27 October 2005
CSFI 214: Information Security Systems Analysis – Fall 2005
Lab #2: Reconnaissance (Fingerprinting), Passive Information Gathering
The Analysis of Leaked Network Security Information

Last printed 10/26/2005 1:40:00 a10/p10
Page 2 of 27

Exercise 1 – Internet Service Registration ... 3
Exercise 2 – Domain Name System ... 4
  Nslookup (Authoritative & Non-Authoritative), Network-Tools on DNS Servers ... 4
  Dig (Unix tool to query DNS Servers) ... 5
  Zone Transfer ... 5
  Brute Force Reverse DNS Lookup ... 6
Exercise 3 – Search Engines ... 7
Exercise 4 – E Mail Systems ... 8
Exercise 5 – Naming Conventions ... 9
Exercise 6 – Website Analysis ... 10
Notes ... 13
Appendix ... 14
  Exercise 1 – Internet Service Registration ... 15
  Exercise 2 – Domain Name System ... 15
    Nslookup (Authoritative) using Network-Tools on ccc.edu ... 15
    Nslookup (Non-Authoritative) using Network-Tools on ccc.edu ... 17
    Nslookup (Authoritative) using Network-Tools on www.microsoft.com ... 18
    Nslookup (Non-Authoritative) using Network-Tools on microsoft.com ... 19
    Zone-Transfer of nexiliscom.com ... 21
    Zone-Transfer of microsoft.com ... 23
  Exercise 3 – Search Engines ... 24
    Netcraft Search Web by Domain for .google.com ... 24
  Exercise 4 – E Mail Systems ... 25
    Email Headers ... 25
  Exercise 5 – Naming Conventions ... 27
    Tracert of www.ccc.edu ... 27
  Exercise 6 – Website Analysis ... 27
Page 3 of 27

Exercise 1 – Internet Service Registration

Internet Service Registration information gathering finds information based on global registration and maintenance of IP address information. Whois is a service that queries top-level domains for information on a domain name. There are several Whois tools provided by Network Solutions, Arin, Geektools, and Sam Spade. Using these several tools, the whois information was looked up on the below websites:

- Ccc.edu
- Microsoft.com
- Citibank.com
- Thesportsauthority.com
- Baitnet.com

Answer the following questions:

- What kinds of information are available for social engineering attacks?
  - The actual name of the Registrant
  - An actual address.
  - An actual phone number
- What kinds of information are available for technical attacks?
  - The Maintainer (MNTNER) password is information that is available for technical attacks. If the password is weak, it could be broken, and this would lead to attacks such as: DoS, Url spoofing, and Identity Theft.
- Who owns the netblock (IP space)?
  - The netblock is owned by the organization name.
- What are the authoritative DNS servers?
  - A server that knows the content of a DNS zone from local knowledge, and thus can answer queries about that zone without needing to query other servers.
  - The authoritative servers are given in an authoritative query using the Network Service-based Whois lookup tool of http://network-tools.com/nslook/Default.asp
- What are the IP addresses of those servers?
  - The IP addresses of the servers are specified by the parameter inetnum in a Network Service-based Whois lookup.

The following table specifies information leakage vulnerabilities, possible attacks, and possible countermeasures.

Information Leakage | Attack | Countermeasures
ISP | DNS Server Attack. Man in the Middle Attack. Zone Transfers. | Pick an ISP that has well secured servers.
Address | Social Engineering Scams | Pick PO Box, or use Accountant Address.
Real Names | Social Engineering Scams | Pick generic function names, & pick generic email names.
Phone Numbers | Social Engineering Scams | Use a receptionist general number. Have receptionist take a message.
MNTNER Auth | Unauthorized changes to Registration. DoS. Url Spoofing | Choose at least PGP authorization. Choose strong passwords.

Figure 1: Whois Information Leakage, Attack & Countermeasures Summary

Page 4 of 27

Exercise 2 – Domain Name System

Domain Name System (DNS) information gathering provides information on local and global registration and maintenance of host naming. Use service-based Whois (http://network-tools.com/nslook/Default.asp) to find record information of the below Url websites:

Nslookup (Authoritative & Non-Authoritative), Network-Tools on DNS Servers

- http://ccc.edu/
  - A non-authoritative DNS server
  - An authoritative DNS server
  - Are there any differences?
    - Nslookup, using http://network-tools.com/nslook/Default.asp, retrieved more information in the authoritative response than in the non-authoritative response. Specifically, more Name Servers (type=NS) and more Authoritative (Canonical or Alias) Servers (type=A) were found in the authoritative response.
  - Capture the output of each query.
    - The output regarding Exercise 2 was captured on page 15.
- http://www.microsoft.com/
  - A non-authoritative DNS server
  - An authoritative DNS server
  - Are there any differences?
    - Nslookup, using http://network-tools.com/nslook/Default.asp, retrieved more information in the authoritative response than in the non-authoritative response. Specifically, more Name Servers (type=NS) and more Authoritative (Canonical or Alias) Servers (type=A) were found in the authoritative response. Also the primary DNS server is identified (Type=SOA), and all the Mail Servers are identified (Type=MX), all in the authoritative response.
  - Capture the output of each query.
  - Why are there multiple mail servers?
Page 5 of 27

    - There are multiple mail servers for load balancing and as redundant backups of each other.
  - Why are there differences with IP addresses?
    - There are different IP addresses for several reasons:
      - Load Balancing.
      - Redundant Backup.
      - To accommodate different services to different customers.
      - Disaster Recovery.
      - To support Regional Branch Office Operations.

Dig (Unix tool to query DNS Servers)

Dig is the Unix-based Nslookup DNS query tool. Using Dig (http://www.ip-plus.net/tools/dig_dns_set.en.html), the domain nexiliscom.com is queried against the DNS Server 209.180.121.65. What kind of interesting information is learned from here?

- The authoritative servers, mail servers, and primary DNS server are displayed by this Dig query. The operating system is Linux. The network is sharing a printer.

Zone Transfer

A special service lets a DNS Server exchange the Authoritative Records for a domain between primary and secondary servers. Also, any client system can query a DNS Server and request a Zone Transfer. Using Dig (http://www.ip-plus.net/tools/dig_dns_set.en.html), the domain nexiliscom.com is queried against the DNS Server 209.180.121.65.

- What are the names and IP addresses of the systems?
  - Ns1.nexiliscom.com 209.180.121.65
  - Ns2.nexiliscom.com 209.180.121.67
  - revolvstore.nexiliscom.com 209.180.121.65
  - There were many other IP addresses listed on p.22 regarding the “Zone-Transfer of nexiliscom.com”
- Can you guess what each system does?
  - The primary name server is given: ns1.nexiliscom.com; & the IP address is 209.180.121.65.
  - Also the zone transfer associated the primary name server ns1.nexiliscom.com with postmaster.nexiliscom.com. The embedded word “postmaster” implies an Email function.
  - The below Zone Transfer information suggests an Email function, regarding the words “mail,” “postmaster,” “newmail”:
    - “mail.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com,”
    - “ns1.nexiliscom.com postmaster.nexiliscom.com”
    - “newmail.nexiliscom.com address 64.119.36.25”

Page 6 of 27

  - The below Zone Transfer information suggests possible services. The suggestive word is store.
    - “revolvstore.nexiliscom.com address 209.180.121.65”
  - The below Zone Transfer information suggests that it might be a web server. The suggestive word is web.
    - “webtoo.nexiliscom.com address 64.119.36.28”
- Try this against the domain of Microsoft.com, using DNS Server NS1.MSFT.NET
  - Can a Zone Transfer be performed?
    - Yes, a Zone Transfer was performed.
  - Why or why not?
    - Yes, a Zone Transfer was performed, but it seems like it yielded less information. The usual authoritative and name server information was available, as in the authoritative and non-authoritative Whois lookups.
- How could an attacker use a Zone Transfer?
  - First, the host name (for e.g. postmaster.nexiliscom.com) suggests its function by using the embedded word “postmaster.”
  - Second, these suggestive host names (for e.g. “mail.nexiliscom.com address 209.180.121.65”) are associated with an IP address. One could enter that IP address into a browser to see the web site, and infer its function.

Brute Force Reverse DNS Lookup

Do a brute force lookup on all of the IP addresses in the Class C space of www.ccc.edu, and answer the following questions.

- Can you figure out how the batch file does its work?
  - The input file is ips.txt. All desired IP addresses to look up are input into this file. First all the IP addresses are automatically input into the output file dsnout.txt. Next, if nslookup finds a “hot” existing IP address, it looks for a string called “Name” and outputs the parameter variable, with the reverse lookup of the IP (for e.g. 206.166.50.100) into its corresponding host address (for e.g. dns.lth1.k12.il.us)
- What use is the output?
  - The script quickly and automatically searched an IP range and identified “hot” existing IP addresses.
  - It identified the existing IP address along with its reverse lookup host address. It basically did an nslookup.
  - This is the 1st stage of identifying places to look (IP addresses) to start to find any vulnerabilities.
- What else do you know about the target network?

Page 7 of 27

  - It is possible to run a script on an IP address range based on the Primary DNS server (type=SOA). This information was divulged from the nslookup tool of network-tools.
  - One could start with all the name servers and authoritative and non-authoritative server information from all the public whois and nslookup information, configure an IP address block (for e.g. 206.166.50.0-206.166.50.254), and search for all “hot” existing IP addresses including servers and PC’s. The question always in mind would be, what hosts are vulnerable?

Information Leakage | Attack | Countermeasures
Zone Transfer | A Zone Transfer could be downloaded to yield the entire network configuration, as the initial stage of a DoS, DDoS, or Social Engineering Attack. | Only allow Zone Transfers to trusted systems. Configure the server to only allow certain IP addresses. Restrict port 53.
Reverse Lookup | Given netblock information, it is possible to reverse lookup host names. This could be the first stage of a DoS, DDoS, or Social Engineering Attack. | The server should be configured to only allow access on a restricted basis and only to trusted system IP addresses.

Exercise 3 – Search Engines

Search engines gather information on an organization and its employees. Go to the web site www.netcraft.com, and answer the following questions regarding “.google.com” (remembering to include the dot preceding Google.com):

- How many systems are there?
  - The search found 144 systems.
- Which systems are NOT using Linux operating systems?
  - There are some systems that are designated as “unknown” operating systems.
- Which systems are NOT using Google netblocks?
  - All the systems yielded information on Google netblocks.
- What kinds of information can you learn from the site information link?
  - Domain: google.com
  - NetBlock Owner: Google Inc.
  - Domain Registry: markmonitor.com
  - Site DNS name: http://1.qos.google.com
  - IP address 66.102.9.147
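The two manual steps of Exercise 2 above, sweeping a Class C range and reading host names for their function, as an added Python example (not the lab's batch file, which the page does not reproduce). The sweep transcript is constructed; the forward names and addresses are those in the lab's zone-transfer output for nexiliscom.com.

```python
"""Added example, not part of the lab or its batch file: enumerate the Class C
range the way ips.txt would, parse the nslookup output the batch file writes to
pick out the "hot" addresses, and tag every discovered host name with the role
its embedded words suggest, which the zone-transfer answers did by eye."""
import ipaddress
import re
from collections import defaultdict

# Embedded words the report used to guess a host's role from its name.
ROLE_KEYWORDS = {
    "mail": "email", "smtp": "email", "pop": "email", "postmaster": "email",
    "ns": "name server", "dns": "name server",
    "www": "web", "web": "web",
    "store": "e-commerce", "netsaint": "monitoring", "test": "test/staging",
}


def class_c_addresses(network):
    """All host addresses of a /24, the range the lab's ips.txt would hold."""
    net = ipaddress.ip_network(network, strict=False)
    return [str(ip) for ip in net.hosts()]


# Windows nslookup prints "Name:" followed by "Address:" only when the reverse
# lookup succeeds; the "Server:/Address:" banner and the "can't find" lines never
# start with "Name:", so this is the batch file's search for the string "Name".
REVERSE_HIT = re.compile(r"^Name:\s*(\S+)\s*Address:\s*(\S+)", re.MULTILINE)


def parse_reverse_sweep(transcript):
    """Map queried IP -> PTR host name for each hot address in the sweep output."""
    return {ip: name.rstrip(".").lower() for name, ip in REVERSE_HIT.findall(transcript)}


def infer_role(hostname):
    """Guess a role from the first label ('postmaster' -> email, 'revolvstore' ->
    e-commerce, 'webtoo' -> web). Trailing digits are dropped so ns1/ns2/newmail2
    match their base word."""
    label = re.sub(r"\d+$", "", hostname.split(".")[0].lower())
    for word, role in ROLE_KEYWORDS.items():
        # Two-letter words must match the whole label, so "ns" does not fire on
        # "atensubmissions"; longer words may be a prefix or a suffix.
        if label == word or (len(word) >= 3 and (label.startswith(word) or label.endswith(word))):
            return role
    return "unknown"


def names_per_address(forward_records):
    """Group zone A records by address; many names on one IP means one box
    carries every role those names advertise."""
    groups = defaultdict(list)
    for name, ip in forward_records:
        groups[ip].append(name.lower())
    return {ip: sorted(names) for ip, names in groups.items()}


def inventory(forward_records, reverse_transcript):
    """Per IP: the PTR name from the sweep, the forward names from the zone, and
    the roles inferred from those names."""
    ptr = parse_reverse_sweep(reverse_transcript)
    result = {}
    for ip, names in names_per_address(forward_records).items():
        roles = sorted({infer_role(n) for n in names} - {"unknown"})
        result[ip] = {"ptr": ptr.get(ip), "names": names, "roles": roles}
    return result


# Constructed sample of the sweep output file: nslookup output for four
# addresses of 209.180.121.0/24, with PTR names matching the lab's check-tool output.
SAMPLE_SWEEP = """\
Server:  ns1.nexiliscom.com
Address:  209.180.121.65

Name:    ns1.nexiliscom.com
Address:  209.180.121.65

Name:    newmail2.nexiliscom.com
Address:  209.180.121.66

Name:    ns2.nexiliscom.com
Address:  209.180.121.67

*** ns1.nexiliscom.com can't find 209.180.121.68: Non-existent domain
"""

# Forward A records as listed in the lab's zone-transfer check of nexiliscom.com.
SAMPLE_ZONE = [
    ("ns1.nexiliscom.com", "209.180.121.65"),
    ("mail.nexiliscom.com", "209.180.121.65"),
    ("pop.nexiliscom.com", "209.180.121.65"),
    ("smtp.nexiliscom.com", "209.180.121.65"),
    ("www.nexiliscom.com", "209.180.121.65"),
    ("revolvstore.nexiliscom.com", "209.180.121.65"),
    ("atensubmissions.nexiliscom.com", "209.180.121.65"),
    ("newmail.nexiliscom.com", "209.180.121.66"),
    ("ns2.nexiliscom.com", "209.180.121.67"),
    ("netsaint.nexiliscom.com", "209.180.121.67"),
    ("webtoo.nexiliscom.com", "64.119.36.28"),
]

if __name__ == "__main__":
    print(len(class_c_addresses("209.180.121.0/24")), "addresses to sweep")
    for ip, info in sorted(inventory(SAMPLE_ZONE, SAMPLE_SWEEP).items()):
        print(f"{ip:16} ptr={info['ptr']} roles={info['roles']} names={len(info['names'])}")
```

For a defender the interesting output is the address that carries seven public names and four roles on one host, the very picture the zone transfer handed out.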
Page 8 of 27

Go to the web site www.netcraft.com, and answer the following questions regarding “.ccc.edu” (remembering to include the dot preceding ccc.edu):

- Of the servers owned by City Colleges in Chicago, are there any differences between this list and the list found doing the brute force DNS lookup?

Information Leakage | Attacks | Countermeasures
Cache Information | Cache pages and information could be retrieved as the first stage of a DoS, DDoS, or Social Engineering Attack. | Control the cache information and meta data to limit third party caching.
Error Messages | Information on hardware configuration and component information could be leaked in the error messages. This could be used as the first stage of a DoS, DDoS, or Social Engineering Attack. | Make error messages generic, without hardware or application information embedded in the message.
Company Confidential Information made Public | Employees could leak information that could be used as the first stage of a DoS, DDoS, or Social Engineering Attack. | Train employees to not be allowed to leak confidential company information into the public domain.
Public Documents | Company documents could be made public that leak information that could be used as the first stage of a DoS, DDoS, or Social Engineering Attack. | If company documents are to be posted publicly on the web, remove all sensitive internal information.
The Robots.txt file | An attacker could get information on a company’s system, with which to perpetrate a DoS, DDoS, or Social Engineering Attack. | Restrict access to this file. Restrict the information in this file.

Exercise 4 – E Mail Systems

Email system information gathering uses information found within the Email system and Email messages. Go to http://www.spamcop.net/fom-serve/cache/19.html to discover how to look at email headers. Send an email from your school email account to your personal email account. Look at the headers and answer the following questions:
Page 9 of 27

- What are the IP addresses of the systems that handled this mail?
  - Received: from 207.115.20.36 (flpvm06.prodigy.net)
  - Received: from student.ccc.edu (student.ccc.edu [216.125.49.18]) (scholarmail.ccc.edu) Apache/2.0.49a NETWARE mod_jk/1.2.6-dev
  - by flpvm06.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id j8R3rwmF014910
  - Received: from agalvan1 [216.125.49.114] by student.ccc.edu ()
- What kinds of servers handled the mail?
  - SMTP Servers
  - Received: from student.ccc.edu (student.ccc.edu [216.125.49.18]) (scholarmail.ccc.edu) Apache/2.0.49a NETWARE mod_jk/1.2.6-dev
- Is the same path taken both ways?
  - Yes, the same path is taken both ways.
- Can you tell what kind of email systems handled the messages?
  - SMTP Servers

Using the list of possible SMTP mail systems, grab ccc.edu’s mail server banner.
  - I couldn’t find the ccc.edu server banner.

Exercise 5 – Naming Conventions

Naming conventions describe how an organization categorizes its host devices. At a DOS command line prompt type the command “tracert www.ccc.edu” and answer the following questions.

- Can you deduce the naming convention (if any)?
  - The physical location is used in the naming convention.
  - The owner company is used in the naming convention.
  - One of the routers indicates it could be part of a Virtual LAN (VLAN).
- Can you deduce what operating system is being used from the name?
  - The Operating system might be VLAN 5.0
- Can you deduce the physical location of the host from the name?
  - These routers are all in Chicago
    - Ads1-68-72-175-254.ds1.chcgil.ameritech.net
    - Dist2-vlan50.chcgil.ameritech.net
    - Bb2-g7-0.chcgil.ameritech.net
    - Ex1-p0-0.eqchil.sbcglobal.net
    - Chcgil1wcx1-pos9-0-oc48.wcg.net
    - Chcgil1wxc1-dept-central-mgmt.wcg.net

Page 10 of 27

    - Ge-1-0-ans-sob1.chicago.lincon.net
    - Ge2-1.sob11.chicago.lincon.net
- Can you determine which device is the perimeter router?
  - 192.168.1.1 is my originating perimeter router
  - 206.166.90.246 is the target perimeter router
- Which netblock (IP block) is owned by the target?
  - Illinois Century Network owns the netblock.

Information Leakage | Attack | Countermeasures
Device Location | Could be used to determine the network configuration and lead to DoS, DDoS or stealing financial or confidential information. | Refrain from naming devices with location information.
Device Function | Could be used to determine the network configuration and lead to DoS, DDoS or stealing financial or confidential information. | Refrain from naming conventions with function information.

Exercise 6 – Website Analysis

Website analysis is an information gathering technique that uses public information via web sites. The discovered information may expose the system to unintended vulnerabilities. There are many sources of information from the website. Look at the HTML source code for:

- Passwords.
- Comments and other useful information.
- Disabled code.
- Meta-tags containing the signatures of the development tools used to build the site.
- Email addresses for social engineering attacks.
- Accidental links to internal resources.
- Error pages can leak important details about the structure of the website
  - For example the website is stored on drive D.

When I looked at the web page http://www.robotstxt.org/wc/active/html/googlebot.html, it was clean of any extraneous information that did not pertain to the displayed web page.
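The Exercise 6 checklist above turned into a source scanner, as an added Python example that is not part of the lab. The page it scans is constructed to contain one instance of each item on the list; the host names and paths in it are made up.

```python
"""Added example, not part of the lab: a scanner for the items the Exercise 6
list says to look for in page source (comments, disabled code, development-tool
meta tags, e-mail addresses, links to internal resources, drive paths in error
text and password-like hidden fields). The sample page is constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"(?:https?|file)://[^\s\"'<>]+")
DRIVE_PATH_RE = re.compile(r"\b[A-Za-z]:\\[^\s\"'<>]*")      # e.g. D:\inetpub\...
PASSWORD_RE = re.compile(r"pass(word|wd)?|pwd", re.IGNORECASE)
MARKUP_RE = re.compile(r"<\s*(script|form|input|a|div|iframe)\b", re.IGNORECASE)


def is_internal(url):
    """True for links a public page should not carry: file:// URLs, localhost,
    private (RFC 1918) addresses and intranet-style host names."""
    parts = urlparse(url)
    if parts.scheme == "file":
        return True
    host = (parts.hostname or "").lower()
    if not host:
        return False
    if host == "localhost" or host.startswith("intranet.") or host.endswith((".local", ".internal", ".intranet")):
        return True
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


class LeakScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = {"comments": [], "disabled_code": [], "password_hints": [],
                         "generators": [], "hidden_fields": [], "internal_links": [],
                         "emails": set(), "local_paths": set()}

    def handle_comment(self, data):
        text = data.strip()
        self.findings["comments"].append(text)
        if MARKUP_RE.search(text):                       # markup left commented out
            self.findings["disabled_code"].append(text)
        if PASSWORD_RE.search(text):
            self.findings["password_hints"].append(text)
        for url in URL_RE.findall(text):                 # links inside dead code
            if is_internal(url):
                self.findings["internal_links"].append(url)
        self._scan_text(text)

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v is not None}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings["generators"].append(a.get("content", ""))
        if tag == "input" and a.get("type", "").lower() == "hidden" and PASSWORD_RE.search(a.get("name", "")):
            self.findings["hidden_fields"].append((a.get("name"), a.get("value")))
        for target in (a.get("href"), a.get("src"), a.get("action")):
            if target and is_internal(target):
                self.findings["internal_links"].append(target)
        for value in a.values():
            self._scan_text(value)

    def handle_data(self, data):
        self._scan_text(data)

    def _scan_text(self, text):
        self.findings["emails"].update(EMAIL_RE.findall(text))
        self.findings["local_paths"].update(DRIVE_PATH_RE.findall(text))


def scan_html(source):
    """Run the scanner over one page's source and return its findings."""
    scanner = LeakScanner()
    scanner.feed(source)
    scanner.close()
    found = scanner.findings
    found["emails"] = sorted(found["emails"])
    found["local_paths"] = sorted(found["local_paths"])
    return found


# Constructed page source containing one instance of each leak type.
SAMPLE_HTML = r"""<!DOCTYPE html>
<html><head>
<meta name="generator" content="Microsoft FrontPage 5.0">
<title>Forensics Department</title>
<!-- TODO: remove before go-live; staging password is in config.inc -->
</head><body>
<!-- <form action="http://intranet.example.edu/admin/login.asp"><input name="user"></form> -->
<p>Contact <a href="mailto:jdoe@example.edu">J. Doe</a> or webmaster@example.edu</p>
<a href="http://10.1.2.3/reports/">Internal reports</a>
<a href="http://www.example.edu/public/">Public page</a>
<img src="file:///D:/inetpub/wwwroot/images/logo.gif">
<form action="/search.asp"><input type="hidden" name="dbpassword" value="s3cret"></form>
<pre>Error: could not open D:\inetpub\wwwroot\data\grades.mdb</pre>
</body></html>
"""

if __name__ == "__main__":
    for kind, items in scan_html(SAMPLE_HTML).items():
        print(f"{kind}: {items}")
```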
Page 11 of 27

WebSPHINX

- By looking at the source code and the structure of the web site, what kinds of information can you glean?
  - The HTML source code yielded hyperlinks to other colleges and other hyperlinks related to www.ccc.edu.
- How might it be used in an attack?
  - By using Websphinx on the web site http://wright.ccc.edu/department/forensics/index.asp, websphinx touched all the links to http://wright.ccc.edu/department/forensics.
  - All the different hyperlinks could be perused for information that could be used in a social engineering attack.

Information in Binary Files regarding the downloaded file http://www.bergkaprowlewis.co.uk/budget2002/revce1.doc:

- Use the “strings” program to extract ASCII text.
  - I couldn’t extract any ASCII text using Strings.
- What kinds of metadata are found here?
  - I found the below metadata:
    - the author was found to be “Fred Rothwell.”
    - the company name was “Her Majesty’s Treasure.”
    - Date Created: 9/27/2005 2:21 AM
    - Date Last Saved: 9/29/2005 2:21 AM
    - Last Printed: 4/17/2002 4:11 AM
    - Edit Time: 12:00 AM
- Anything that could be useful in an attack?
  - The Author’s name and company name could be used in a social engineering attack.
- What is the redacted text from lines 4 – 12?
  - The redacted text was “draft”

Information Leakage | Attack | Countermeasures
Personal Information | Could be used in a Social Engineering Attack. | All personal information should be restricted. Any contact information should be to generic emails or to the main company phone number.
Error Message Pages | Could be used to determine the devices of a network as a prelude to a DoS, DDoS or financial information attack. | Error messages should be made to be standard and generic, without function, device, or location information.

Page 12 of 27

Web Server Banners | Could be used to determine the network configuration as a prelude to a DoS, DDoS, or financial information stealing attack. | Web Server Banners should be rewritten in a way different than the manufacturer standard header and without function, device, or location information.
Document Properties | Could be used in a Social Engineering Attack. | Strong passwords should be used. User names should be restricted.
Web code and Client code | Could be used to determine the network configuration as a prelude to a DoS, DDoS, or financial information stealing attack. | All code should be cleaned of all “dead” code.
Page 13 of 27

Notes

This is the other paper of reference: An Overview of Passive Information Gathering Techniques for Network Security, http://www.ottawa.drdc-rddc.gc.ca/docs/e/TM2004-073.pdf, & Passive Information Gathering, The Analysis of Leaked Network Security Information, http://www.ngssoftware.com/papers/NGSJan2004PassiveWP.pdf

NGS NISR, Next Generation Security Software Ltd. Passive Information Gathering: The Analysis of Leaked Network Security Information. Gunter Ollmann, Professional Services Director.

Abstract (p.1)
Information Leakage (p.2)
Definition of “Passive” (p.2)
Passive Information Gathering Techniques (p.4)
Whois (p.5)
Network Service-Based WHOIS (p.6)
- Network service-based WHOIS data provides details of network management data.
Netblock Registration Maintenance (p.9)
- Netblock registration maintenance is normally carried out in a secure & controlled manner.
Name Service-Based WHOIS (p.11)
- Name service-based WHOIS data provides a number of details about a domain.
Domain Name System (p.16)
Zone Transfers (p.20)
Reverse resolution (p.22)
DNS Brute force (p.24)
Search Engines (p.26)
Email systems (p.29)
Trace Route (tracert) (p.36)
- Displays the number of hops between the originating host ip (192.168.100.1) and www.example.com
  - Cisco-gw.example.com [212.84.xx.1]
    - Probably the start of a netblock; suggests it is a border router for example.com & it is made by Cisco.
  - Cpfw1.example.com [212.84.xx.2]
    - Almost certainly a Checkpoint firewall-1 firewall host.

Page 14 of 27

Web Server Banner (p.39)
- Server: Zeus / 4.2
- Server: Microsoft IIS / 6.0
- Server: Apache / 2.0.48-dev (Unix)

Appendix
Page 15 of 27

Exercise 1 – Internet Service Registration

Exercise 2 – Domain Name System

Nslookup (Authoritative) using Network-Tools on ccc.edu

NsLookup - Query the DNS for resource records (http://network-tools.com/nslook/default.asp, 9/20/2005)

domain: ccc.edu
query type: ANY - Any type
server: NS1.ILLINOIS.NET
query class: IN - Internet
port: 53
timeout (ms): 5000
no recursion, advanced output

NS1.ILLINOIS.NET [206.166.83.22] returned an authoritative response in 31 ms:

Answer records
name | class | type | data | time to live
ccc.edu | IN | MX | preference: 0 exchange: pobox.ccc.edu | 600s (10m)
ccc.edu | IN | MX | preference: 5 exchange: pobox2.ccc.edu | 600s (10m)
ccc.edu | IN | MX | preference: 10 exchange: guardian.ccc.edu | 600s (10m)
ccc.edu | IN | NS | ns1.msa1.illinois.net | 600s (10m)
ccc.edu | IN | NS | ns1.illinois.net | 600s (10m)
ccc.edu | IN | NS | ns2.illinois.net | 600s (10m)
ccc.edu | IN | NS | guardian.ccc.edu | 600s (10m)
ccc.edu | IN | A | 216.125.49.11 | 600s (10m)
ccc.edu | IN | SOA | server: ns1.msa1.illinois.net email: msa1hostmaster@illinois.net serial: 2005062401 refresh: 10800 retry: 3600 expire: 604800 minimum ttl: 600 | 600s (10m)

Authority records
name | class | type | data | time to live
ccc.edu | IN | NS | ns1.msa1.illinois.net | 600s (10m)
ccc.edu | IN | NS | ns1.illinois.net | 600s (10m)
ccc.edu | IN | NS | ns2.illinois.net | 600s (10m)
ccc.edu | IN | NS | guardian.ccc.edu | 600s (10m)

Page 16 of 27

Additional records
name | class | type | data | time to live
pobox.ccc.edu | IN | A | 216.125.49.10 | 600s (10m)
pobox2.ccc.edu | IN | A | 216.125.49.50 | 600s (10m)
guardian.ccc.edu | IN | A | 216.125.49.254 | 600s (10m)
ns1.msa1.illinois.net | IN | A | 206.166.50.100 | 60s (1m)
ns1.illinois.net | IN | A | 206.166.83.22 | 3600s (1h)
ns2.illinois.net | IN | A | 206.166.17.200 | 3600s (1h)

Page 17 of 27

Nslookup (Non-Authoritative) using Network-Tools on ccc.edu

NsLookup - Query the DNS for resource records (http://network-tools.com/nslook/default.asp, 9/20/2005)

domain: ccc.edu
query type: ANY - Any type
server: 66.98.244.52
query class: IN - Internet
port: 53
timeout (ms): 5000
no recursion, advanced output

[66.98.244.52] returned a non-authoritative response in 94 ms:

Answer records
name | class | type | data | time to live
ccc.edu | IN | MX | preference: 0 exchange: pobox.ccc.edu | 600s (10m)
ccc.edu | IN | MX | preference: 5 exchange: pobox2.ccc.edu | 600s (10m)
ccc.edu | IN | MX | preference: 10 exchange: guardian.ccc.edu | 600s (10m)
ccc.edu | IN | NS | ns1.msa1.illinois.net | 600s (10m)
ccc.edu | IN | NS | ns1.illinois.net | 600s (10m)
ccc.edu | IN | NS | ns2.illinois.net | 600s (10m)
ccc.edu | IN | NS | guardian.ccc.edu | 600s (10m)
ccc.edu | IN | A | 216.125.49.11 | 600s (10m)
ccc.edu | IN | SOA | server: ns1.msa1.illinois.net email: msa1hostmaster@illinois.net serial: 2005062401 refresh: 10800 retry: 3600 expire: 604800 minimum ttl: 600 | 600s (10m)

Authority records
[none]

Additional records
name | class | type | data | time to live
pobox.ccc.edu | IN | A | 216.125.49.10 | 600s (10m)
pobox2.ccc.edu | IN | A | 216.125.49.50 | 600s (10m)
guardian.ccc.edu | IN | A | 216.125.49.254 | 600s (10m)

Page 18 of 27

Nslookup (Authoritative) using Network-Tools on www.microsoft.com

NsLookup - Query the DNS for resource records (http://network-tools.com/nslook/default.asp, 9/20/2005)

domain: microsoft.com
query type: ANY - Any type
server: 207.46.138.20
query class: IN - Internet
port: 53
timeout (ms): 5000
no recursion, advanced output

[207.46.138.20] returned an authoritative response in 94 ms:

Header
rcode: Success
id: 0
opcode: Standard query
is a response: True
authoritative: True
recursion desired: True
recursion avail: False
truncated: False
questions: 1
answers: 12
authority recs: 0
additional recs: 11

Questions
name | class | type
microsoft.com | IN | ANY

Answer records
name | class | type | data | time to live
microsoft.com | IN | A | 207.46.250.119 | 3600s (1h)
microsoft.com | IN | A | 207.46.130.108 | 3600s (1h)
microsoft.com | IN | NS | ns3.msft.net | 172800s (2d)
microsoft.com | IN | NS | ns4.msft.net | 172800s (2d)
microsoft.com | IN | NS | ns5.msft.net | 172800s (2d)
microsoft.com | IN | NS | ns1.msft.net | 172800s (2d)
microsoft.com | IN | NS | ns2.msft.net | 172800s (2d)
microsoft.com | IN | SOA | server: dns.cp.msft.net email: msnhst@microsoft.com serial: 2005092003 refresh: 300 retry: 600 expire: 2419200 minimum ttl: 3600 | 3600s (1h)
microsoft.com | IN | MX | preference: 10 exchange: mailc.microsoft.com | 3600s (1h)
microsoft.com | IN | MX | preference: 10 exchange: maila.microsoft.com | 3600s (1h)

Page 19 of 27

microsoft.com | IN | MX | preference: 10 exchange: mailb.microsoft.com | 3600s (1h)
microsoft.com | IN | TXT | v=spf1 mx redirect=_spf.microsoft.com | 3600s (1h)

Authority records
[none]

Additional records
name | class | type | data | time to live
ns3.msft.net | IN | A | 213.199.144.151 | 3600s (1h)
ns4.msft.net | IN | A | 207.46.66.75 | 3600s (1h)
ns5.msft.net | IN | A | 207.46.138.20 | 3600s (1h)
ns1.msft.net | IN | A | 207.46.245.230 | 3600s (1h)
ns2.msft.net | IN | A | 64.4.25.30 | 3600s (1h)
mailc.microsoft.com | IN | A | 207.46.121.52 | 3600s (1h)
mailc.microsoft.com | IN | A | 207.46.121.53 | 3600s (1h)
maila.microsoft.com | IN | A | 131.107.3.125 | 3600s (1h)
maila.microsoft.com | IN | A | 131.107.3.124 | 3600s (1h)
mailb.microsoft.com | IN | A | 131.107.3.123 | 3600s (1h)
mailb.microsoft.com | IN | A | 207.46.121.51 | 3600s (1h)

Nslookup (Non-Authoritative) using Network-Tools on microsoft.com

NsLookup - Query the DNS for resource records (http://network-tools.com/nslook/default.asp, 9/20/2005)

domain: microsoft.com
query type: ANY - Any type
server: 66.98.244.52
query class: IN - Internet
port: 53
timeout (ms): 5000
no recursion, advanced output

[66.98.244.52] returned a non-authoritative response in 0 ms:

Answer records
name | class | type | data | time to live
microsoft.com | IN | NS | ns5.msft.net | 171510s (1d 23h 38m 30s)
microsoft.com | IN | NS | ns4.msft.net | 171510s (1d 23h 38m 30s)
microsoft.com | IN | NS | ns3.msft.net | 171510s (1d 23h 38m 30s)
microsoft.com | IN | NS | ns2.msft.net | 171510s (1d 23h 38m 30s)
microsoft.com | IN | NS | ns1.msft.net | 171510s (1d 23h 38m 30s)

Authority records
[none]

Additional records
[none]

Page 20 of 27
Zone-Transfer of nexiliscom.com
Source: IP-Plus DNS check tool, http://www.ip-plus.net/tools/domaincheck.cgi (9/26/2005 1:56 AM)

Domain nexiliscom.com, DNS server 209.180.121.65
Setting Source IP Address to : "164.128.36.54"
Check if the server "209.180.121.65" is configured for "nexiliscom.com" ... ok.

Check SOA Record ...
Server: ns1.nexiliscom.com
Address: 209.180.121.65
Query about nexiliscom.com for record types SOA
Trying nexiliscom.com ...
nexiliscom.com 3600 IN SOA ns1.nexiliscom.com postmaster.nexiliscom.com (
        2005083001 ;serial (version)
        3600       ;refresh period (1 hour)
*** WARNING *** Refresh 3600 , use recommended value "10800"
        3600       ;retry interval (1 hour)
        3600       ;expire time (1 hour)
*** WARNING *** Expire 3600 , use recommended value "604800"
        3600       ;default ttl (1 hour)
*** WARNING *** TTL 3600 , use recommended value "86400"

Check NS Records ...
Server: ns1.nexiliscom.com
Address: 209.180.121.65
Query about nexiliscom.com for record types NS
Trying nexiliscom.com ...
Query done, 2 answers, authoritative status: no error
nexiliscom.com 3600 IN NS ns2.nexiliscom.com
    ns2.nexiliscom.com is secondary nameserver
nexiliscom.com 3600 IN NS ns1.nexiliscom.com
    ns1.nexiliscom.com is primary nameserver
Additional information:
ns1.nexiliscom.com 3600 IN A 209.180.121.65
ns2.nexiliscom.com 3600 IN A 209.180.121.67
Found IP address "209.180.121.67" for server "ns2.nexiliscom.com"
Found IP address "209.180.121.65" for server "ns1.nexiliscom.com"

Check SOA Record for Consistency on all Servers ...
nexiliscom.com NS ns1.nexiliscom.com ns1.nexiliscom.com postmaster.nexiliscom.com (2005083001 3600 3600 3600 3600)
*** WARNING *** !!! nexiliscom.com SOA refresh+retry exceeds expire
*** WARNING *** !!! nexiliscom.com SOA expire is less than 1 week (1 hour)
nexiliscom.com NS ns2.nexiliscom.com ns1.nexiliscom.com postmaster.nexiliscom.com (2005060901 3600 3600 3600 3600)
*** WARNING *** !!! ns2.nexiliscom.com and ns1.nexiliscom.com have different serial for nexiliscom.

Check Zone Transfer
This may take a while, please wait ...
/opt/wwwtools-1.0/checkdom/hostsqs -Z -a -l -v -A -G -D
done.
*** WARNING *** !!! nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! atensubmissions.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.
*** WARNING *** !!! mail.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! memorial-unborn.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.
*** WARNING *** !!! mms1.nexiliscom.com address 64.119.36.27 maps to ip027.nexilis.cr3.tus.simplybits.
*** WARNING *** !!! netsaint.nexiliscom.com address 209.180.121.67 maps to ns2.nexiliscom.com
*** WARNING *** !!! newmail.nexiliscom.com address 64.119.36.25 maps to newmail1.nexiliscom.com
*** WARNING *** !!! newmail.nexiliscom.com address 209.180.121.66 maps to newmail2.nexiliscom.com
*** WARNING *** !!! ns3.nexiliscom.com address 64.119.36.26 maps to ip026.nexilis.cr3.tus.simplybits.
*** WARNING *** !!! pop.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! revolvstore.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! smtp.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! test.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! webtoo.nexiliscom.com address 64.119.36.28 maps to ip028.nexilis.cr3.tus.simplybits.
*** WARNING *** !!! www.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com

No errors found in "nexiliscom.com"
21 warnings found in "nexiliscom.com"
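The SOA timer rules behind the warnings in the check above (refresh+retry greater than expire, expire shorter than a week, a secondary carrying a stale serial, a primary not advertised through NS) are simple enough to encode as a zone-hygiene check a defender can run over their own SOA values. The Python below is an added example, not part of the original lab report and not the IP-Plus tool's own code; the recommended values and the two sample zones are the figures the tool printed on this page for nexiliscom.com and, in the check that follows, microsoft.com.

```python
"""SOA timer sanity checks of the kind the IP-Plus DNS check tool applies.

Added example (not the tool's own code). The recommended values and the
rule names come from the tool's warnings on this page; the two sample
zones reproduce the SOA tuples the tool printed for nexiliscom.com and
microsoft.com.
"""
from dataclasses import dataclass

ONE_WEEK = 7 * 24 * 3600

# Reference values quoted in the tool's "use recommended value" warnings.
RECOMMENDED = {"refresh": 10800, "retry": 3600, "expire": 604800, "minimum": 86400}


@dataclass(frozen=True)
class Soa:
    zone: str
    mname: str      # primary master named in the SOA
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int    # "default ttl" in the tool's wording


def check_soa(soa, ns_names):
    """Return the findings a zone-hygiene check raises for one SOA record.

    ns_names is the set of hostnames advertised in the zone's NS records.
    """
    findings = []
    for field, rec in RECOMMENDED.items():
        value = getattr(soa, field)
        if value != rec:
            findings.append(f"WARNING {field} {value}, recommended {rec}")
    # Secondaries stop serving a zone after `expire` seconds without a
    # successful refresh; if refresh+retry already exceeds it, a single
    # failed transfer can take the zone offline on every secondary.
    if soa.refresh + soa.retry > soa.expire:
        findings.append("WARNING SOA refresh+retry exceeds expire")
    # Retrying less often than the normal refresh interval makes no sense.
    if soa.retry > soa.refresh:
        findings.append("WARNING SOA retry exceeds refresh")
    if soa.expire < ONE_WEEK:
        findings.append("WARNING SOA expire is less than 1 week")
    # The SOA primary should be reachable through NS; otherwise secondaries
    # that trust the SOA refresh from a server nobody advertises.
    if soa.mname not in ns_names:
        findings.append(f"ERROR primary {soa.mname} not advertised via NS")
    return findings


def serial_mismatches(serials, primary):
    """Secondaries whose SOA serial differs from the primary's (stale zone copy)."""
    return sorted(host for host, s in serials.items()
                  if host != primary and s != serials[primary])


# Sample data: the values the tool printed on this page.
NEXILISCOM = Soa("nexiliscom.com", "ns1.nexiliscom.com",
                 2005083001, 3600, 3600, 3600, 3600)
NEXILISCOM_NS = {"ns1.nexiliscom.com", "ns2.nexiliscom.com"}
NEXILISCOM_SERIALS = {"ns1.nexiliscom.com": 2005083001,
                      "ns2.nexiliscom.com": 2005060901}

MICROSOFT = Soa("microsoft.com", "dns.cp.msft.net",
                2005092601, 300, 600, 2419200, 3600)
MICROSOFT_NS = {f"ns{i}.msft.net" for i in range(1, 6)}


if __name__ == "__main__":
    for soa, ns in ((NEXILISCOM, NEXILISCOM_NS), (MICROSOFT, MICROSOFT_NS)):
        print(soa.zone)
        for finding in check_soa(soa, ns):
            print("  ", finding)
    print("stale secondaries:",
          serial_mismatches(NEXILISCOM_SERIALS, "ns1.nexiliscom.com"))
```

Run as a script it prints the findings for both zones; for nexiliscom.com they are the refresh/expire/TTL warnings, the refresh+retry problem and the short expire, plus ns2 as a stale secondary, which is what the tool reported above. The reverse-mapping warnings the tool also emits need live PTR lookups and are deliberately outside this offline check.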
Zone-Transfer of microsoft.com
Source: IP-Plus DNS check tool, http://www.ip-plus.net/tools/domaincheck.cgi (9/26/2005 6:36 PM)

Domain microsoft.com, DNS server ns1.msft.net
Found IP address "207.46.245.230" for server "ns1.msft.net"
Setting Source IP Address to : "164.128.36.54"
Check if the server "ns1.msft.net" is configured for "microsoft.com" ... ok.

Check SOA Record ...
Server: ns1.msft.net
Address: 207.46.245.230
Query about microsoft.com for record types SOA
Trying microsoft.com ...
microsoft.com 3600 IN SOA dns.cp.msft.net msnhst.microsoft.com (
        2005092601 ;serial (version)
        300        ;refresh period (5 minutes)
*** WARNING *** Refresh 300 , use recommended value "10800"
        600        ;retry interval (10 minutes)
*** WARNING *** Retry 600 , use recommended value "3600"
        2419200    ;expire time (4 weeks)
*** WARNING *** Expire 2419200 , use recommended value "604800"
        3600       ;default ttl (1 hour)
*** WARNING *** TTL 3600 , use recommended value "86400"

Check NS Records ...
Server: ns1.msft.net
Address: 207.46.245.230
Query about microsoft.com for record types NS
Trying microsoft.com ...
Query done, 5 answers, authoritative status: no error
microsoft.com 172800 IN NS ns5.msft.net
    ns5.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns1.msft.net
    ns1.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns2.msft.net
    ns2.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns3.msft.net
    ns3.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns4.msft.net
    ns4.msft.net is secondary nameserver
Additional information:
ns5.msft.net 3600 IN A 207.46.138.20
ns1.msft.net 3600 IN A 207.46.245.230
ns2.msft.net 3600 IN A 64.4.25.30
ns3.msft.net 3600 IN A 213.199.144.151
ns4.msft.net 3600 IN A 207.46.66.75
Found IP address "207.46.138.20" for server "ns5.msft.net"
*** WARNING *** failed reverse lookup for "207.46.138.20"
*** WARNING *** 207.46.138.20 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
Found IP address "207.46.245.230" for server "ns1.msft.net"
*** WARNING *** failed reverse lookup for "207.46.245.230"
*** WARNING *** 207.46.245.230 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
Found IP address "64.4.25.30" for server "ns2.msft.net"
*** WARNING *** failed reverse lookup for "64.4.25.30"
*** WARNING *** 64.4.25.30 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
Found IP address "213.199.144.151" for server "ns3.msft.net"
*** WARNING *** failed reverse lookup for "213.199.144.151"
*** WARNING *** 213.199.144.151 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
Found IP address "207.46.66.75" for server "ns4.msft.net"
*** WARNING *** failed reverse lookup for "207.46.66.75"
*** WARNING *** 207.46.66.75 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
*** ERROR *** NS record for primary nameserver "dns.cp.msft.net" missing.

Check SOA Record for Consistency on all Servers ...
microsoft.com NS ns1.msft.net dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
*** WARNING *** !!! microsoft.com SOA primary dns.cp.msft.net is not advertised via NS
*** WARNING *** !!! microsoft.com SOA retry exceeds refresh
microsoft.com NS ns2.msft.net dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
microsoft.com NS ns3.msft.net dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
microsoft.com NS ns4.msft.net dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
microsoft.com NS ns5.msft.net dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)

Check Zone Transfer
This may take a while, please wait ...
/opt/wwwtools-1.0/checkdom/hostsqs -Z -a -l -v -A -G -D
done.
*** ERROR *** 207.46.245.230 (207.46.245.230) connect: Connection timed out

2 errors found in "microsoft.com" please correct
11 warnings found in "microsoft.com"

Exercise 3 – Search Engines

Netcraft Search Web by Domain for .google.com
Source: Netcraft - Search Web by Domain, http://searchdns.netcraft.com/?host=.google.com&position=limited&loo... (9/26/2005 9:48 PM)
Site Search – Search Web by Domain
Explore 70,884,595 web sites (27th September 2005)
Results for .google.com: Found 144 sites (first page of results shown)

 #    Site                             First seen       Netblock       OS
 1.   1.qos.google.com                 May 2004         Google Inc.    Linux
 2.   35820365512262.qos.google.com    November 2002    Google Inc.    Linux
 3.   adsense.google.com               September 2004   Google Inc.    Linux
 4.   adwords.google.com.au            August 2004      Google Inc.    unknown
 5.   adwords.google.com.br            November 2003    Google Inc.    Linux
 6.   adwordstest.google.com           October 2003     Google Inc.    Linux
 7.   america.google.com               November 2003    Google Inc.    Linux
 8.   answer.google.com                January 2003     Google Inc.    Linux
 9.   aol.google.com                   August 2004      Google Inc.    Linux
 10.  api.google.com                   June 2002        Google Inc.    Linux
 11.  asia.google.com                  November 2003    Google Inc.    Linux
 12.  catalog.google.com               April 2002       Google Inc.    Linux
 13.  catalogues.google.com            June 2002        Google Inc.    Linux
 14.  console.google.com               May 2001         Google Inc.    Linux
 15.  desktop.google.com               December 2004    Google Inc.    Linux
 16.  dir.google.com                   November 2001    Google Inc.    Linux
 17.  directory.google.com             August 2001      Google Inc.    Linux
 18.  download.google.com              November 2004    Google Inc.    Linux
 19.  ent-demo9.google.com             October 2004     Google Inc.    Linux
 20.  europe.google.com                November 2003    Google Inc.    Linux

Exercise 4 – E Mail Systems

Email Headers

X-Apparently-To: allengalvan@sbcglobal.net via 66.163.170.105; Mon, 26 Sep 2005 20:54:45 -0700
X-Originating-IP: [216.125.49.18]
Return-Path: <agalvan1@student.ccc.edu>
Authentication-Results: mta812.mail.scd.yahoo.com from=student.ccc.edu; domainkeys=neutral (no sig)
Received: from 207.115.20.36 (EHLO flpvm06.prodigy.net) (207.115.20.36) by mta812.mail.scd.yahoo.com with SMTP; Mon, 26 Sep 2005 20:54:44 -0700
X-Originating-IP: [216.125.49.18]
Received: from student.ccc.edu (student.ccc.edu [216.125.49.18]) by flpvm06.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id j8R3rwmF014910 for <allengalvan@sbcglobal.net>; Mon, 26 Sep 2005 20:53:58 -0700
Received: from agalvan1 [216.125.49.114] by student.ccc.edu with NetMail ModWeb Module; Mon, 26 Sep 2005 22:54:42 -0500
Subject: csfi214 - test msg
From: "ALLEN GALVAN" <agalvan1@student.ccc.edu>
To: allengalvan@sbcglobal.net
Date: Mon, 26 Sep 2005 22:54:43 -0500
X-Mailer: NetMail ModWeb Module
X-Sender: agalvan1
MIME-Version: 1.0
Message-ID: <1127793283.e602380agalvan1@student.ccc.edu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

nobody here but us chickens

Allen
allengalvan@netzero.net
Exercise 5 – Naming Conventions

Tracert of www.ccc.edu

Exercise 6 – Website Analysis
