Information Gathering using Windows Command Line Utility
By: Vishal Kumar (CEH | CHFI | CISE | MCP)
Lab - 1
Windows offers several powerful command line utilities that help attackers, as well as ethical hackers and pen testers, gather open source information about the target of an evaluation.
Overview of Windows Commands
As a professional ethical hacker or pen tester, your first step will be to check the reachability of a computer in the target network. Operating systems offer several utilities that you can readily use for primary information gathering. Windows command-line utilities such as ping, nslookup, and tracert gather important information, such as the IP address and the maximum packet (frame) size, about a target network or system; this information forms the base of a security assessment and pen test.
This lab demonstrates how to use the ping, nslookup, and tracert utilities to gather information about a target. The lab teaches how to:
Use the ping utility to find the IP address of a target.
Use the ping utility to emulate tracert.
Find the maximum frame size for the network.
Identify the Internet Control Message Protocol (ICMP) type and code for echo request and echo reply packets.
1. Finding the IP Address of the Target
PING stands for Packet Internet Groper.
Ping command syntax: ping [-q] [-v] [-R] [-c count] [-i wait] [-s PacketSize] Host.
In this command, -c count specifies the number of echo requests to send.
Open the command prompt and type the following command: ping www.theprohackers.in
Here you can see the response of the ping command and the IP address of the target, which is 22.214.171.124.
2. Finding the Maximum Frame Size of the Target Domain
Now, find the maximum frame size on the network using the ping command utility.
Open the command prompt and type the command: ping www.theprohackers.in -f -l 1500
The response, "Packet needs to be fragmented but DF set", means that the frame is too large to be sent on the network unfragmented and needs to be fragmented. Since we used the -f switch with the ping command, the packet was not sent, and ping returned this error.
Note:- The -f switch sets the Do Not Fragment bit on the ping packet. By default, ping packets allow fragmentation.
Try different packet sizes with the ping command until you get an echo reply.
Note:- In the ping command, the -l size option sets the send buffer size, i.e. the number of data bytes in each packet.
Observe that the maximum packet size is less than 1500.
Now, try different values until you find the maximum.
Note:- The maximum frame size will differ depending upon the target network.
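The objective listed above, identifying the ICMP type and code behind ping's echo request and echo reply, and the frame-size experiment in this section can both be seen in code. The following Python example is added here and is not part of the original lab: it builds the echo request ping sends (type 8, code 0), derives the echo reply a host returns (type 0, code 0), verifies the RFC 1071 checksum, and computes the largest -l value that fits a given MTU, which is why -l 1500 fails while a smaller size gets a reply. The packets are built in memory only; nothing is sent. The 32-byte alphabet payload is the one Windows ping uses by default.

```python
import struct

# ICMP type/code values from RFC 792; these are what the lab asks you to identify.
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
FRAG_NEEDED_CODE = 4          # type 3, code 4: "Packet needs to be fragmented but DF set"

IP_HEADER_LEN = 20            # IPv4 header without options
ICMP_HEADER_LEN = 8           # type, code, checksum, identifier, sequence

# Windows ping fills its default 32-byte payload with this repeating alphabet.
WINDOWS_DEFAULT_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

ICMP_NAMES = {
    (ICMP_ECHO_REQUEST, 0): "echo request",
    (ICMP_ECHO_REPLY, 0): "echo reply",
    (ICMP_TIME_EXCEEDED, 0): "TTL expired in transit",
    (ICMP_DEST_UNREACHABLE, FRAG_NEEDED_CODE): "fragmentation needed but DF set",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"                        # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(identifier: int, sequence: int,
                       payload: bytes = WINDOWS_DEFAULT_PAYLOAD) -> bytes:
    """Assemble an ICMP echo request (type 8, code 0) as ping would send it."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, identifier, sequence)
    checksum = icmp_checksum(header + payload)   # computed with the checksum field zeroed
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, checksum, identifier, sequence)
    return header + payload


def make_echo_reply(request: bytes) -> bytes:
    """Turn an echo request into the echo reply (type 0, code 0) a host sends back:
    same identifier, sequence and payload; only the type changes, so the checksum is redone."""
    _, _, _, identifier, sequence = struct.unpack("!BBHHH", request[:ICMP_HEADER_LEN])
    payload = request[ICMP_HEADER_LEN:]
    header = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, identifier, sequence)
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, checksum, identifier, sequence) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the ICMP header, name the common type/code pairs and verify the checksum."""
    if len(packet) < ICMP_HEADER_LEN:
        raise ValueError("packet shorter than an ICMP header")
    icmp_type, code, _, identifier, sequence = struct.unpack("!BBHHH", packet[:ICMP_HEADER_LEN])
    return {
        "type": icmp_type,
        "code": code,
        "name": ICMP_NAMES.get((icmp_type, code), "other"),
        "id": identifier,
        "seq": sequence,
        "payload_len": len(packet) - ICMP_HEADER_LEN,
        # Summing a packet that carries a correct checksum yields all ones, so the
        # complement is zero: that is the standard receive-side check.
        "checksum_ok": icmp_checksum(packet) == 0,
    }


def max_ping_payload(mtu: int) -> int:
    """Largest `ping -l` size that fits one unfragmented frame: the MTU minus the IPv4
    and ICMP headers. On a 1500-byte Ethernet path that is 1472, so -l 1500 fails with DF set."""
    return mtu - IP_HEADER_LEN - ICMP_HEADER_LEN


if __name__ == "__main__":
    req = build_echo_request(identifier=0x0001, sequence=1)
    rep = make_echo_reply(req)
    for name, pkt in (("request", req), ("reply", rep)):
        print(name, parse_icmp(pkt))
    print("max -l on a 1500-byte MTU:", max_ping_payload(1500))
```

Run it as a script to see both decoded packets; the checksum check in parse_icmp is the same test a receiving host applies, and a corrupted byte anywhere in the packet makes it fail.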
3. Finding What Happens When the TTL (Time to Live) Expires
Every frame on the network has a TTL (Time to Live) defined. If the TTL reaches 0, the router discards the packet. This mechanism prevents packets that cannot be delivered from circulating on the network forever.
Type the command: ping www.theprohackers.in -i 3. This option sets the Time to Live (-i) value to 3.
Note:- The maximum value you can set for the TTL is 255.
The reply "Reply from 10.228.21.22: TTL expired in transit" means that the router 10.228.21.22 discarded the frame because the TTL had expired (reached 0).
Try different values of TTL until you get an echo reply from the target.
Here I found the echo reply when the TTL value was 50. Try different TTL values until you find the maximum value of TTL on the target network.
Note:- In the ping command, the -n switch is used to specify the number of packets to be sent (i.e. -n
4. Emulate Tracert
Launch the command prompt and type the command: tracert
So here is the output of the tracert command.
As you can see in the above snapshot, the tracert command displays the complete route from the attacker's machine to the target machine, with the IP address and location of each hop.
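The TTL mechanism in section 3 is exactly what tracert relies on: one probe per TTL value, starting at 1, and each router that drops the probe answers with "TTL expired in transit". The Python example below is added here and is not part of the original lab. It parses the reply lines Windows ping prints, estimates the hop count from a reply's TTL, and emulates tracert with ping probes. Because it has to run offline, the probes go to a constructed three-router path (addresses from the documentation ranges, the target IP taken from the lab) rather than the real network; the probe function is the only part you would replace with a call to the real ping.

```python
from __future__ import annotations

import re
from typing import Callable, List, Optional, Tuple

# Reply lines as Windows ping prints them; every sample line in this file is constructed.
REPLY_RE = re.compile(
    r"^Reply from (?P<ip>[\d.]+): bytes=(?P<bytes>\d+) time[=<](?P<ms>\d+)ms TTL=(?P<ttl>\d+)"
)
EXPIRED_RE = re.compile(r"^Reply from (?P<ip>[\d.]+): TTL expired in transit\.")
FRAG_RE = re.compile(r"^Packet needs to be fragmented but DF set\.")
TIMEOUT_RE = re.compile(r"^Request timed out\.")


def classify_ping_line(line: str) -> dict:
    """Map one line of ping output to the ICMP event behind it."""
    line = line.strip()
    m = REPLY_RE.match(line)
    if m:                                   # ICMP echo reply (type 0) from the target
        return {"kind": "echo_reply", "ip": m["ip"], "ttl": int(m["ttl"]), "ms": int(m["ms"])}
    m = EXPIRED_RE.match(line)
    if m:                                   # ICMP time exceeded (type 11) from a router
        return {"kind": "ttl_expired", "ip": m["ip"]}
    if FRAG_RE.match(line):                 # ICMP destination unreachable, code 4
        return {"kind": "frag_needed"}
    if TIMEOUT_RE.match(line):              # nothing came back before the timeout
        return {"kind": "timeout"}
    return {"kind": "other"}


def hops_from_reply_ttl(observed_ttl: int) -> Tuple[int, int]:
    """Estimate the target's initial TTL (64, 128 and 255 are the usual OS defaults) and
    therefore how many routers the reply crossed. Returns (initial_ttl, hop_count)."""
    for initial in (64, 128, 255):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("a TTL above 255 is not possible")


def emulate_tracert(probe: Callable[[int], str], max_hops: int = 30) -> List[Tuple[int, str]]:
    """Rebuild tracert out of ping: send one probe per TTL, starting at 1, and record which
    router answers "TTL expired in transit" until the target's echo reply arrives.
    `probe(ttl)` must return the first reply line of `ping -n 1 -i <ttl> <target>`."""
    route: List[Tuple[int, str]] = []
    for ttl in range(1, max_hops + 1):
        event = classify_ping_line(probe(ttl))
        if event["kind"] == "echo_reply":
            route.append((ttl, event["ip"]))
            break                           # reached the target; the route is complete
        route.append((ttl, event["ip"] if event["kind"] == "ttl_expired" else "*"))
    return route


# Constructed three-router path used to run the emulation offline. The second router
# silently drops expired packets, as some real ones do; the target is the IP from the lab.
SIMULATED_ROUTERS: List[Optional[str]] = ["192.0.2.1", None, "203.0.113.9"]
SIMULATED_TARGET = "22.214.171.124"


def simulated_probe(ttl: int) -> str:
    """Stand-in for running ping; returns the reply line the constructed path would give."""
    if ttl <= len(SIMULATED_ROUTERS):
        router = SIMULATED_ROUTERS[ttl - 1]
        if router is None:
            return "Request timed out."
        return f"Reply from {router}: TTL expired in transit."
    # TTL large enough to pass every router: the target answers, its reply TTL having been
    # decremented once per router on the way back (128 - 3 = 125).
    return f"Reply from {SIMULATED_TARGET}: bytes=32 time=41ms TTL=125"


if __name__ == "__main__":
    for ttl, ip in emulate_tracert(simulated_probe):
        print(f"{ttl:>3}  {ip}")
    initial, hops = hops_from_reply_ttl(125)
    print(f"reply TTL 125 suggests initial TTL {initial} and {hops} hops")
```

The "*" entry for a hop that times out is the same thing tracert prints for a router that does not send ICMP time-exceeded messages, and the hop count derived from the reply TTL is a useful cross-check on the route length.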
5. Finding the Details using Nslookup
Open Run, type nslookup, and press Enter. This opens the command prompt in nslookup mode and shows the default server (DNS) name and default address (the address of the DNS server).
5.1 Obtaining the IP Address of the Target
In the nslookup interactive mode, type set type=a and press Enter. Setting the type to a configures nslookup to query for the IP address (A record) of a given domain.
Type the target domain www.theprohackers.in and press Enter. This resolves the IP address and displays the result.
5.2 Finding the CNAME of the Target Domain
Type set type=cname and press Enter.
Note:- The CNAME lookup is done directly against the domain's authoritative name server and lists the CNAME records for the domain.
Type the target domain www.theprohackers.in and hit Enter. This will return the domain's authoritative name servers, along with the mail server address, as shown in the screenshot below.
5.3 Finding the SOA (Start of Authority) Records of the Target Domain
Open the nslookup interactive mode, type set type=soa, and hit Enter.
Now type the target domain, www.theprohackers.in, and press Enter. This command displays the primary name server and mail server details.
In the above screenshot the primary name server is ns47.domaincontrol.com and the mail address is:
5.4 Finding the IP Address of the Primary Name Server of the Target Domain
In nslookup mode, type set type=a and press Enter.
Now type the primary name server address of the target domain, ns47.domaincontrol.com, and hit Enter. This command displays the name and IP address of the primary name server.
In the above screenshot we can see that the IP address of the primary name server is xxx.xxx.xxx.xxx.
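Sections 5.3 and 5.4 read the primary name server and mail address off a screenshot. The Python example below is added here and is not part of the original lab: it parses the text nslookup prints after set type=soa, so the fields can be checked programmatically rather than by eye, and converts the RNAME field into the administrator's e-mail address. The sample output is constructed; only the domain and ns47.domaincontrol.com come from the lab, and the resolver address and mail address are placeholders.

```python
import re

# Constructed sample of the output Windows nslookup prints after `set type=soa`.
# Only the domain and ns47.domaincontrol.com come from the lab; every other value is made up.
SAMPLE_SOA_OUTPUT = """\
Server:  UnKnown
Address:  192.0.2.53

Non-authoritative answer:
theprohackers.in
        primary name server = ns47.domaincontrol.com
        responsible mail addr = hostmaster.example.invalid
        serial  = 2019010100
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 600 (10 mins)
"""

# "<key> = <value>" lines are indented; keys may contain spaces ("primary name server").
FIELD_RE = re.compile(r"^[ \t]+(?P<key>[A-Za-z][A-Za-z ]*?)[ \t]*=[ \t]*(?P<value>\S+)", re.M)


def parse_nslookup_soa(text: str) -> dict:
    """Pull the resolver used, the queried domain and the SOA fields out of nslookup output."""
    record = {"resolver": None, "resolver_address": None, "authoritative": True, "domain": None}
    for line in text.splitlines():
        if line.startswith("Server:"):
            record["resolver"] = line.split(":", 1)[1].strip()
        elif line.startswith("Address:"):
            record["resolver_address"] = line.split(":", 1)[1].strip()
        elif line.startswith("Non-authoritative answer:"):
            record["authoritative"] = False   # answer came from the resolver's cache
        elif line and not line[0].isspace() and ":" not in line and record["domain"] is None:
            record["domain"] = line.strip()   # the bare name nslookup echoes before the fields
    for m in FIELD_RE.finditer(text):
        key = m["key"].strip().lower()        # e.g. "primary name server", "default ttl"
        value = m["value"]
        record[key] = int(value) if value.isdigit() else value
    return record


def rname_to_email(rname: str) -> str:
    """The SOA RNAME stores the admin mailbox with '@' replaced by the first dot (RFC 1035);
    a dot inside the local part is escaped as '\\.' and must not be treated as the split."""
    name = rname.rstrip(".")
    i = 0
    while i < len(name):
        if name[i] == "\\":
            i += 2                            # skip the escaped character
            continue
        if name[i] == ".":
            return name[:i].replace("\\.", ".") + "@" + name[i + 1:]
        i += 1
    return name                               # no dot at all: return it unchanged


if __name__ == "__main__":
    soa = parse_nslookup_soa(SAMPLE_SOA_OUTPUT)
    for key, value in soa.items():
        print(f"{key:>22}: {value}")
    print("admin contact:", rname_to_email(soa["responsible mail addr"]))
```

The "authoritative" flag is worth keeping: a "Non-authoritative answer" came from the resolver's cache, so the SOA serial and name servers shown may lag behind what the primary name server itself currently serves.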
The authoritative name server stores the records associated with the domain. So, if an attacker can determine the authoritative name server (primary name server) and obtain its IP address, he or she might attempt to exploit the server to perform attacks, including DoS, DDoS, URL redirection, and so on...
For videos relating to hacking, please subscribe to my YouTube channel:
For any query please mail us at