Let's first of all talk about footprinting.Footprinting
refers to collecting as much as possible information about a network target from publicly available resources. It’s the first step in ethical hacking. Using Footprinting
helps the hacker to find several ways to intrude the target’s network/system.Ethical hackers
, or pen testers, use several tools
to collect important information about the target. Some of the techniques involve using web search services, Google hacking, web archives, whois lookups and more.
Information Gathering through Windows Command Line
Windows offers several command line utilities that are helpful to hackers for information gathering such as the ping
is a very know and powerful utility used to test hosts reachability and counting the round-trip time of packet from sender to receiver. This utility uses the ICMP protocol, sending ICMP echo-request packets to a destination and waiting for a response.Tracert
is a command-line utility that helps to follow the path of a certain packet.IP packets are routed to the destination by switching from one router to another. Each router examines its routing table to determine the next router. Tracert will allow to identify the routers used, to indicate the delay between each routers and the possible losses of packets. This information will be useful to diagnose routing problems, such as loops, to determine if there is congestion or another problem on one of the links to the destination.nslookup
is a network administration command-line tool generally used to query domain name system (DNS) to obtain in IP address or a domain name for a specific dns record.
Use Ping Command:
Ping command useful options:
- -f: prohibit packet fragmentation.
- -l: set frame size
- -n: number of echo-request to send
- -i: set TTL (time to live) value.
We are going to start with a normal ping:ping www.google.com
Ping command will show you the target’s domain IP address, and some ping statistics, such as number of packets sent, received and lost. It shows also the round trip times.Now we are going to guess the maximum frame size
, but before showing the command let’s talk more about frame size.The frame size
is measured in bytes and has min/max values depending on the implemented technology. The minimum frame size for an Ethernet LAN is 64 bytes and the maximum frame size is 1518 bytes. The minimum/maximum for a Token Ring LAN is 32 bytes/16 kilobytes (KB), respectively.The maximum frame size is also known as the maximum transmission unit (MTU). When a frame is larger than the MTU, it is broken down, or fragmented, into smaller pieces by the Layer 3 protocol to accommodate the MTU of the network.Min/max values are important because they enable you to ensure that your users' message traffic gets to where it needs to go quickly and accurately.ping www.google.com –f –l 1500
In this command we have set defragmentation on and we have set the frame size to 1420.We had a reply from "192.168.1.1" saying that the packet needs to be fragmented and since we disabled fragmentation the packet was discarded. So this tell us that we are above the MTU.Try to choose a smaller value like 1400. If you receive reply with no loss, then the frame hasn’t yet reach the MTU. Now play between those two values to identify the MTU.Time To Live
(TTL) is a mechanism that limits the lifespan or lifetime of data in a computer or network. TTL may be implemented as a counter or timestamp attached to or embedded in the data. If the TTL reaches “0” before reaching the destination, the router discards the packet to prevent packets loss and infinite loops.ping www.google.com -i 3
The router "18.104.22.168" send an ICMP error
(11- time exceeded) and this message appears “TTL expired in transit” which means that the TTL reached “0” before reaching its destination and was discarded by router 22.214.171.124.
Use Tracert Command (traceroute)Tracert www.google.com
This command (tracert) can be emulated by our previous command (ping) when playing with the MTU and setting the number of echo-requests to be sent to 1.ping www.google.com -i 3 -n 1
We got a reply from “126.96.36.199”. Then we increase the TTL to 4 and so on and so forth till we reach the “188.8.131.52”. If we write down all IP address’ so we emulate the tracert command.
Use Nslookup CommandDNS records
provide important information about the location and types of servers. Here descriptive table about record types:
|Points to the host’s IP address|
|Points to the domain’s mail server|
|Points to the host’s name server|
|Canonical naming allows aliases to a host|
|Indicate authority for domain|
|Maps IP address to a hostname|
|Host info (CPU, OS)|
|Unstructured text records|
Open a command-line and type nslookup.
This command will display the default server and its address.
Nslookup is by default in its interactive mode that why we see “>” in the screenshot.We can configure the record type by typing set type=a.
This will return a non-authoritative answer because the answer was returned by our local machine’s server and not by the server that legitimately hosts the domain. Now we should seek an authoritative answer by trying set type=cname.
From here we can reset type to “A” and put the primary name server “a.ns.facebook.com” to get its IP address.
We need to write down IP addresses, TTLs, DNS information to facilitate the analysis.Also, it’s important for reporting at the end of the pen test.
This was a practical guide for information gathering-using windows command-line brought to you by Zyed Nammouchi