Information Gathering Using Windows Command-Line

July 21, 2017


Let's first talk about footprinting.

Footprinting is the collection of as much information as possible about a target network or system from publicly available sources. It is the first step in an ethical hacking engagement: the more a tester knows about the target's address space, routing and name servers, the more ways into the target's network or systems they can identify.

Ethical hackers, or pen testers, use several tools and techniques to collect this information, among them web search engines, Google hacking, web archives, whois lookups and the operating system's own network utilities.


Information Gathering through Windows Command Line

Windows ships with several command-line utilities that are useful for information gathering, such as ping, tracert and nslookup.

Ping is a well-known utility used to test whether a host is reachable and to measure the round-trip time of a packet from sender to receiver. It uses ICMP: it sends ICMP echo-request packets to the destination and waits for echo replies. The ICMP error messages it prints on failure are just as informative as the replies, as the examples below show.

Tracert is a command-line utility that traces the path a packet takes to its destination.

IP packets reach their destination by being forwarded from one router to the next; each router consults its routing table to pick the next hop. Tracert identifies the routers traversed, reports the delay at each hop and reveals packet loss along the way. This is useful for diagnosing routing problems such as loops, and for locating congestion or a failing link on the path to the destination.

nslookup is a network administration command-line tool used to query the Domain Name System (DNS): it resolves a domain name to an IP address, or returns whichever DNS record type you ask for.


Use Ping Command:

Useful ping options (Windows syntax):

  • -f: set the Don't Fragment (DF) flag in the IP header, so routers drop the packet instead of fragmenting it.
  • -l size: size of the ICMP data payload in bytes (default 32). The IPv4 and ICMP headers add another 28 bytes on top of this.
  • -n count: number of echo requests to send.
  • -i TTL: set the IP Time To Live value.

We are going to start with a normal ping:

ping www.google.com

Ping shows the IP address the target name resolved to, the reply to each probe, and statistics: packets sent, received and lost, plus the minimum, maximum and average round-trip times.

Now we are going to find the largest packet that reaches the target without fragmentation, that is, the path MTU. Before showing the command, let's talk about frame sizes.

The frame size is measured in bytes and has minimum and maximum values that depend on the link technology. The minimum frame size for an Ethernet LAN is 64 bytes and the maximum is 1518 bytes. Token Ring LANs range from 32 bytes to about 16 kilobytes (KB).

The largest Layer 3 payload a link can carry is its maximum transmission unit (MTU). For Ethernet that is 1500 bytes: the 1518-byte frame minus the 14-byte Ethernet header and the 4-byte FCS. When an IP packet is larger than the MTU of a link on the path, the Layer 3 protocol (IP) fragments it into smaller packets that fit, unless the packet has the Don't Fragment flag set, in which case the router drops it and returns an ICMP error to the sender.

Knowing the path MTU matters because traffic larger than it is either fragmented, which adds overhead, or dropped outright when DF is set.

ping www.google.com -f -l 1500

This command sets the Don't Fragment flag with -f and a 1500-byte ICMP payload with -l. With the 8-byte ICMP header and the 20-byte IPv4 header that is a 1528-byte IP packet, larger than the 1500-byte Ethernet MTU.

The reply came from "192.168.1.1", our gateway, with the message "Packet needs to be fragmented but DF set." (ICMP Destination Unreachable, type 3, code 4): the packet needed fragmentation, and since we forbade it the router discarded it. This tells us we are above the MTU.

Now try a smaller value such as 1400. If you receive replies with no loss, the packet is still below the MTU. Bisect between the two values: the largest -l value that still gets an echo reply, plus 28 bytes of headers, is the path MTU. On a plain Ethernet path the largest payload that gets through is 1472 (1472 + 28 = 1500), and 1473 fails.

Time To Live (TTL) is an IP header field that limits how long a packet can circulate in the network. In IPv4 it is a hop counter: every router that forwards the packet decrements it by one. If the TTL reaches 0 before the packet arrives at its destination, the router discards it, which prevents packets from looping forever, and sends an ICMP Time Exceeded message back to the sender.

ping www.google.com -i 3

The router "196.203.188.1" sends an ICMP Time Exceeded error (type 11, code 0) and ping prints "TTL expired in transit.", meaning that the TTL reached 0 at that router, three hops away, and the packet was discarded there. The address in the error message is therefore the address of the third hop on the path.

Use Tracert Command (traceroute)

tracert www.google.com

Tracert can be emulated with the ping command from the previous section by sending a single echo request (-n 1) and raising the TTL (-i) by one on each run, starting from 1:

ping www.google.com -i 3 -n 1

With TTL 3 we got "TTL expired in transit" from "196.203.188.1". Then we increase the TTL to 4, and so on, until the reply is an echo reply from the destination, "216.58.198.4". Writing down the address that answered at each TTL reproduces the output of tracert, which does exactly this internally: on Windows it sends ICMP echo requests with increasing TTL values.
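The two procedures above, path MTU discovery with ping -f -l and the tracert emulation with ping -n 1 -i, are mechanical enough to script. The following Python example is added here and is not code from the original article. It parses the messages Windows ping prints ("Packet needs to be fragmented but DF set." and "TTL expired in transit."), bisects the payload size to find the path MTU, and walks the TTL to collect the hop addresses. The windows_ping helper runs the real ping and only works on Windows; simulated_ping and SIM_PATH are a constructed stand-in so the script runs offline (the addresses 192.168.1.1, 196.203.188.1 and 216.58.198.4 are the ones in the article, 10.0.0.1 is made up). All function names are this example's own.

```python
import re
import subprocess
from typing import Callable, List, Optional, Tuple

# ping -l counts only the ICMP data; the IPv4 and ICMP echo headers add 28 bytes.
IPV4_HEADER = 20
ICMP_HEADER = 8

# Exact texts Windows ping prints for the two ICMP errors used in this article.
FRAG_NEEDED = "Packet needs to be fragmented but DF set."  # ICMP type 3, code 4
TTL_EXPIRED = "TTL expired in transit."                    # ICMP type 11, code 0

REPLY_RE = re.compile(r"Reply from (\d{1,3}(?:\.\d{1,3}){3}):\s*(.*)")


def parse_reply(output: str) -> Tuple[Optional[str], str]:
    """Return (address that answered, message) from one ping run's output.

    An echo reply gives ('216.58.198.4', 'bytes=32 time=14ms TTL=57'); an ICMP
    error gives the router's address and the error text; no reply at all gives
    (None, 'Request timed out.').
    """
    m = REPLY_RE.search(output)
    if m:
        return m.group(1), m.group(2).strip()
    if FRAG_NEEDED in output:   # may appear without 'Reply from' when the local link rejects the size
        return None, FRAG_NEEDED
    return None, "Request timed out."


def windows_ping(host: str, ttl: int = 128, size: int = 32, df: bool = False) -> str:
    """Run the real Windows ping once (-n 1) and return its output. Windows only."""
    cmd = ["ping", "-n", "1", "-i", str(ttl), "-l", str(size)]
    if df:
        cmd.append("-f")
    return subprocess.run(cmd + [host], capture_output=True, text=True).stdout


def find_path_mtu(probe: Callable[[int], str], lo: int = 0, hi: int = 1500) -> int:
    """Bisect the largest -l payload that gets an echo reply with DF set.

    probe(size) returns the output of 'ping -f -l size -n 1'. lo must be a size
    that passes and hi one that fails; the article's 1400/1500 bracket works for
    Ethernet. Anything other than an echo reply (fragmentation needed, or a
    timeout from a router that silently drops oversized packets) counts as too big.
    """
    def passes(size: int) -> bool:
        return parse_reply(probe(size))[1].startswith("bytes=")

    if passes(hi):
        raise ValueError(f"-l {hi} already passes; choose a larger hi")
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if passes(mid):
            lo = mid
        else:
            hi = mid
    return lo + IPV4_HEADER + ICMP_HEADER   # path MTU in bytes


def emulate_tracert(probe: Callable[[int], str], max_hops: int = 30) -> List[Tuple[int, Optional[str]]]:
    """Emulate tracert: ping -n 1 -i ttl for ttl = 1, 2, ... until the destination answers.

    probe(ttl) returns the output of 'ping -i ttl -n 1'. Each intermediate router
    reveals itself through the TTL-expired error; a hop that does not answer is
    recorded as None, as tracert prints '*'.
    """
    hops: List[Tuple[int, Optional[str]]] = []
    for ttl in range(1, max_hops + 1):
        addr, msg = parse_reply(probe(ttl))
        hops.append((ttl, addr))
        if addr is not None and msg.startswith("bytes="):
            break                      # echo reply: this is the destination
    return hops


# Constructed stand-in for a real path so the script runs offline: three routers
# and the destination behind a 1500-byte Ethernet MTU. 10.0.0.1 is made up; the
# other addresses are the ones that appear in the article.
SIM_PATH = ["192.168.1.1", "196.203.188.1", "10.0.0.1", "216.58.198.4"]
SIM_MTU = 1500


def simulated_ping(ttl: int = 128, size: int = 32, df: bool = False) -> str:
    """Answer like Windows ping would against SIM_PATH (same options as windows_ping)."""
    if df and size + IPV4_HEADER + ICMP_HEADER > SIM_MTU:
        return f"Reply from {SIM_PATH[0]}: {FRAG_NEEDED}\n"
    if ttl < len(SIM_PATH):
        return f"Reply from {SIM_PATH[ttl - 1]}: {TTL_EXPIRED}\n"
    return f"Reply from {SIM_PATH[-1]}: bytes={size} time=14ms TTL=57\n"


if __name__ == "__main__":
    # For a live run on Windows use e.g. lambda size: windows_ping("www.google.com", size=size, df=True)
    print("path MTU:", find_path_mtu(lambda size: simulated_ping(size=size, df=True)))
    for ttl, addr in emulate_tracert(lambda ttl: simulated_ping(ttl=ttl)):
        print(f"{ttl:3d}  {addr or '*'}")
```

Against the simulated path the bisection ends at a 1472-byte payload, i.e. a 1500-byte MTU, and the TTL walk lists the four addresses in order, which is what the manual procedure in the text produces one command at a time. Treating a timeout as "too big" is deliberate: a path that filters the ICMP fragmentation-needed error (a PMTU black hole) otherwise looks like it passes every size.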

Use Nslookup Command

DNS records reveal the location and role of a target's servers. Here is a table describing the common record types:

Record type   Description
A             Maps a hostname to an IPv4 address
MX            Names the mail servers that accept mail for the domain
NS            Names the authoritative name servers for the zone
CNAME         Canonical name: makes the name an alias of another host
SOA           Start of Authority: indicates the authority for the zone (primary name server, contact, serial)
SRV           Service record: host and port of a named service
PTR           Maps an IP address to a hostname (reverse lookup)
RP            Responsible person for the host
HINFO         Host information (CPU, OS)
TXT           Unstructured text records

 

Open a command prompt and type nslookup. With no arguments it enters interactive mode, which is why the prompt ">" appears in the screenshot, and it displays the default server (the resolver this machine is configured to use) and its address.

Set the record type to query with set type=a, then enter a domain name such as facebook.com.

The result is labelled "Non-authoritative answer" because it came from the cache of our local resolver, not from a server that actually hosts the zone. To get an authoritative answer we first need the zone's name servers: set type=ns and query the domain again, which lists name servers such as "a.ns.facebook.com".

From here we switch to that server with server a.ns.facebook.com, reset the type with set type=a and query the domain again; the answer now comes straight from the primary name server and is no longer marked non-authoritative. Querying "a.ns.facebook.com" itself with type A gives the name server's own IP address.
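What nslookup does behind the scenes is send a DNS query packet and read the flags and records of the response; the "non-authoritative" label corresponds to a single header bit, AA. The following Python example is added here and is not code from the original article: it builds a query for any of the record types in the table above, parses the response including compressed names, and reports whether AA is set, which is the check you make when you move from your local resolver to a.ns.facebook.com. The query function needs network access and resolves whatever server name you give it; the sample response parsed at the bottom is constructed, not captured, and the www.example.com / 93.184.216.34 values in it are illustrative. Function names are this example's own.

```python
import random
import socket
import struct
from typing import Dict, List, Tuple

# Record type codes (RFC 1035; SRV from RFC 2782) for the types in the table above.
RTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "HINFO": 13,
         "MX": 15, "TXT": 16, "RP": 17, "SRV": 33}
RTYPE_NAME = {code: name for name, code in RTYPE.items()}
AA_FLAG = 0x0400   # Authoritative Answer bit in the header flags


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, rtype: str, txid: int) -> bytes:
    """One-question query with RD=1 (ask the server to recurse), class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", RTYPE[rtype], 1)


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name at off, following compression pointers (top two bits 11).

    Returns the name and the offset just past it at the original position; after
    a pointer only the two pointer bytes are consumed there.
    """
    labels: List[str] = []
    end, jumped = off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> Dict:
    """Return header fields plus the answer and authority records of a response."""
    txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    records = []
    for section in ("answer",) * an + ("authority",) * ns:
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == RTYPE["A"]:
            value = socket.inet_ntoa(msg[off:off + 4])
        elif rtype in (RTYPE["NS"], RTYPE["CNAME"], RTYPE["PTR"]):
            value, _ = decode_name(msg, off)      # RDATA is a (compressible) name
        else:
            value = msg[off:off + rdlen].hex()    # other types left raw
        records.append((section, name, RTYPE_NAME.get(rtype, str(rtype)), ttl, value))
        off += rdlen
    return {"id": txid, "authoritative": bool(flags & AA_FLAG),
            "rcode": flags & 0x000F, "records": records}


def query(server: str, name: str, rtype: str, timeout: float = 3.0) -> Dict:
    """Send the query to server:53 over UDP and parse the reply (needs network).

    server may be an IP or a name such as a.ns.facebook.com, which is the nslookup
    'server ...' step; ask an NS of the zone and 'authoritative' should be True.
    """
    txid = random.randrange(0x10000)              # random id so a stray reply is rejected
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, rtype, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return resp


def constructed_response(name: str, ip: str, authoritative: bool, txid: int = 0x1234) -> bytes:
    """Constructed sample (not a capture): one A answer whose name is a pointer to the question."""
    flags = 0x8180 | (AA_FLAG if authoritative else 0)   # QR, RD, RA (+AA)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", RTYPE["A"], 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", RTYPE["A"], 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    for aa in (False, True):
        r = parse_response(constructed_response("www.example.com", "93.184.216.34", aa))
        print("Authoritative answer:" if r["authoritative"] else "Non-authoritative answer:", r["records"])
```

To reproduce the nslookup session in the text, call query(default_resolver, "facebook.com", "NS") to learn the name servers, then query("a.ns.facebook.com", "facebook.com", "A") and check that "authoritative" is True in the second result. The transaction id check matters for the same reason nslookup's answers should be read with care: any reply whose id does not match is not the answer to the question that was sent.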


Final notes:

Write down the IP addresses, TTLs and DNS information you collect as you go; they make the analysis easier and are needed for the report at the end of the pen test.


This was a practical guide to information gathering using the Windows command line, brought to you by Zyed Nammouchi.

3 Comments
  1. Interesting use of ping to emulate tracert, I’d never considered that before.
    In what situations would you use ping in this way?

    The only thing that comes to my mind would be if instead of blocking all ICMP traffic they instead somehow just block tracert?

  2. Good work, thx! +5
