nslookup Lab

nslookup is one of the most important tools you'll use for penetration testing. It helps you understand the relationships within a given system between fully qualified domain names and IP addresses, the name-resolution process, and so on. nslookup also shows the difference between authoritative and non-authoritative answers. As a footprinting tool, nslookup behaves slightly differently from one operating system (OS) to another (Windows, Mac, Unix, Kali). To master nslookup, you must analyze its behaviour and its results on each operating system.

Transcript

Let us talk about footprinting and reconnaissance. I am going to use a tool, nslookup, and I want you to know this tool better than anybody else out there. To be that fluent with the tool you realistically have to use it on a variety of systems and a variety of platforms and just kind of see how this tool tweaks a little bit from system to system. We are going to use this tool on Windows, basically perform a handful of commands, and understand the relationship between name resolution in terms of fully qualified domain names and IP addresses, and we are going to see how the responses from the server can change as you do this over and over and over again. We are also going to talk about the differences between the authoritative answers. Authoritative means that it actually comes from the name server that you already have specified, and a non-authoritative answer comes from somebody else's name server. We are also going to look at other types of records like CNAMEs and MX records and pointer records and things like that, and how do you find a mail server for a particular domain, and look at some other record types. You can realistically use these commands in just about any version of Windows and it is going to be the same.

Nonetheless I would recommend using it on UNIX, using it on Kali, using it on Windows, but we are just going to take a couple of minutes here and we are going to learn DNS inside out. So the first thing I want you to do is open up a command prompt and type in nslookup. Now you can do this just from the command prompt and type in your name, but www.cybrary.it, and see where it comes from, and these are all of the default settings, but we can also go actually into the interactive mode. This is one of the few utilities that actually has an interactive mode. So we are going to look at that. So right, what you can see is that I did just from a one-liner, which is just a half; I want the answer, I know exactly what I am looking for and I know exactly how to type it, and I can just type it and be done with it, and you can see cybrary.it is currently located at... but I can also go interactively here and do basically the same thing. So I can do nslookup, hit enter, and then I can just type www.cybrary.it and you can see that the answer for the most part looks exactly the same, except that you can see that my terminal prompt right here is just a caret sign, while before it was that SQL. So I am still in interactive mode. Let us go ahead and type help and see what we can see here. So you can see the basic constructs of the command: name 1 and name 2. I can set particular options. I particularly like set type=X because this talks about all of the different record types that you are likely to be using. So for example it talks about A records, which is your host name resolution, or ANY means all of them, or CNAME if there is an alias, or MX record if you are looking for the mail server, or NS, whoever the name servers are, or PTR records, which is the exact opposite of an A record, and the A record you are looking for an IP to name.

I can also do start of authority, or locate service resource records. Mostly service resource records are more valuable when you are interrogating an internal company's DNS as opposed to externally, but nonetheless it is still helpful to try that. I can also do the server; I can actually specify the server that I want used. So that is pretty common, and I can also list out all of the domain records and that is a very helpful option too, because if I can do a zone transfer, basically ls -d from a particular domain works really, really well. I typically use the ls -d when I am interrogating an internal company's DNS records as opposed to an external name server. So let us go ahead and start looking at this. The first thing we will do is a set type equal to A, which is more likely the default anyway, and you just hit enter and it comes back, and now I have got that parameter set. So I can now just type www.cybrary.it again and you can see that the response basically looks the same, but what we are going to do here is change some of these record types. So if I change the type to equal MX, you get the command prompt back and then I basically hit the up arrow and hit my record again, and notice that my results change, and that is the important one, and you can see that I am hitting the home router here that is located at 1.1, which is pretty much the same for everybody. I love it when people try to grey out this information and it is pretty much the same for everybody; there is no sensitive information being disclosed. The answer is non-authoritative information because I basically asked my name servers as opposed to the name servers on the internet. So it says cybrary.it canonical name, also known as, there is another name, an alias here, cybrary.it, and the mail server has got a preference of zero and then the exchange, the mail exchanger, is cybrary.it .mail .protection .outlook.com denoted here.

So right away I can basically start getting a little bit of reconnaissance. Nothing really a game changer in terms of showing anybody's hand of cards, but I can still... we always want to know what the responses are and what that tells you, and I am basically just reading the results as they come to me here and I am just interpreting them, and I am particularly looking for any one thing. So let us set the type using another type; let us do a set type = start of authority, SOA, and then the up arrow twice, and you can see here that I have actually got a completely different response altogether. It is again not authoritative because I am asking my name servers, but I would still be able to approve the record. I have got the primary name server at ns81.domaincontrol.com, so it is some sort of hosting environment like DNS.JoeMax.Net. I have got the serial number and in this case the serial number is actually listed as a date, and if I was a hacker I would be interested in that because if I see something really, really old, that tells me when was the last time they changed the domain name information. But in this case it is actually just a few days ago. So that is pretty current in the grand scheme of things. Also, I have the refresh; that is how many times the zone is going to be attempted to be refreshed, in this case it is every 8 hours or 28800 seconds, or if it doesn't get a response after 8 hours, it will continue to try every two hours or 7200 seconds, and eventually if it doesn't get any response from any other name servers in seven days, the 64800 seconds, it will start timing out. The name servers will not answer any requests. I also have a default TTL, time to live, which is ten minutes in itself. So I would look for this information when I am doing this and basically document it; those are some of the things I am looking for here.

It really depends on if it is an internal name server versus an external name server, but having said that, one of the common ones that you look for externally is just using Google. It is a very, very popular thing amongst people in the trade. So let us go ahead and ask a different name server. Let us do a server which is Google's, and you can see it says google public dns for a.google.com, and we can cycle through this and see if we can get any sort of differences. So cybrary.it, we are still in the start of authority record, so name server 81 came back both times. We set the type equal to A, run through the command again, works pretty much the same except in this case my server is different. We could change the type to MX to see if there is any difference here. No difference here, and I would record all of this. Now one of the problems that you end up having in interactive mode is there is not really a good way to capture the information. So let us go ahead and exit out of here. I want to share with you a little bit of a trick. So let us do nslookup, let us do www.cybrary.it, and let us go ahead and append the output to file.txt, and basically the command runs, it says non-authoritative answer, and then I will do a notepad file.txt and I can see that the response actually got dumped to my file. Now the advanced way to use this utility, especially for documentation purposes, is I run this all from a single command line and keep appending to the file, and what I mean by that is, in this case I did file.txt but notice I used two greater-than signs right here. This appends; if I used a single greater-than sign then it just replaces, if I use a double then it appends. If I continue to go through here and set the type a little bit differently: let me go in here and go into interactive mode, nslookup, and set type equal to MX, and then I will exit out and then do the same thing again and then look up cybrary.it and append that to file.txt, and close out of that file.

So I can open it back up and then you can see that it appended the results to the file, and that is definitely more of the advanced options that you are likely to have. So the takeaway here: let us go ahead and summarize. Let us go ahead and clear screens and do an nslookup and then do help. So it is the name which you apply, that would be the cybrary.it in this example. We can set particular options; what we did was set the particular types, so you looked at start of authority records, host records, mail records. We could have also done name server; if I wanted to get an authoritative answer I could have specified that specifically, and then I could actually set the name server here using the server, the name of the server you want, and then I could also list, the ls -d, for a particular server and that would basically pull any of the records that it possibly could get from that destination. So that is it: know the record types, the differences between authoritative versus non-authoritative, and learn to use this on multiple systems, particularly Windows and UNIX because that is more than likely the place where you are going to spend the most time here. So once again my name is Leo Dregier, thank you for joining cybrary.it. We are working our tails off here to make sure that we are the best out there in what we do, to give you the best information and the best hands-on labs possible.
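The lab ends with the advice to append every nslookup answer to a file and then read the SOA timers, serial and mail exchangers out of it. As an added example (not code from the lab, from Leo Dregier or from Cybrary), the following Python script does that reading step for the Windows nslookup output format the lab walks through: it records which resolver answered, whether the answer was authoritative, converts the SOA refresh/retry/expire/TTL values into the same human units nslookup prints, decodes a YYYYMMDDnn serial into a date, and sorts MX records by preference. The two output blocks inside it are constructed samples; the resolver name and address, responsible-mail address, serial value and mail exchanger host are placeholders, not captured answers for cybrary.it.

```python
"""Parse Windows nslookup output into the summary the lab says to document.

Added example, not code from the lab or from Cybrary. It assumes the output
layout of nslookup on Windows. The samples below are CONSTRUCTED: resolver,
responsible mailbox, serial and mail exchanger are placeholders.
"""
import re
from datetime import datetime

# Constructed sample of `nslookup -type=soa cybrary.it` answered by a home router.
SOA_SAMPLE = """\
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
cybrary.it
        primary name server = ns81.domaincontrol.com
        responsible mail addr = hostmaster.example.net
        serial  = 2016031401
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 600 (10 mins)
"""

# Constructed sample of `nslookup -type=mx cybrary.it` answered by a public resolver.
MX_SAMPLE = """\
Server:  resolver.example.net
Address:  198.51.100.53

Non-authoritative answer:
cybrary.it      MX preference = 0, mail exchanger = mx-placeholder.example.net
"""


def resolver_used(output: str):
    """Return (server name, address) that answered; the lab stresses noting this."""
    m = re.search(r"Server:\s+(\S+)\s*\nAddress:\s+(\S+)", output)
    return (m.group(1), m.group(2)) if m else None


def is_authoritative(output: str) -> bool:
    """Windows nslookup labels cached or forwarded answers 'Non-authoritative answer:'."""
    return "Non-authoritative answer" not in output


def humanize(seconds: int) -> str:
    """Render an SOA timer the way nslookup does: 28800 -> '8 hours'."""
    for unit, size in (("days", 86400), ("hours", 3600), ("mins", 60)):
        if seconds >= size and seconds % size == 0:
            return f"{seconds // size} {unit}"
    return f"{seconds} secs"


def serial_date(serial: int):
    """Decode a YYYYMMDDnn serial into the date it encodes, else None.

    The lab reads the serial as a 'last changed' hint; a serial that is a
    plain counter or a Unix timestamp does not decode and yields None.
    """
    text = str(serial)
    if len(text) != 10:
        return None
    try:
        return datetime.strptime(text[:8], "%Y%m%d").date()
    except ValueError:
        return None


def parse_soa(output: str) -> dict:
    """Extract the fields printed for `set type=soa`; numeric fields become ints."""
    fields = {
        "primary": r"primary name server\s*=\s*(\S+)",
        "rname": r"responsible mail addr\s*=\s*(\S+)",
        "serial": r"serial\s*=\s*(\d+)",
        "refresh": r"refresh\s*=\s*(\d+)",
        "retry": r"retry\s*=\s*(\d+)",
        "expire": r"expire\s*=\s*(\d+)",
        "ttl": r"default TTL\s*=\s*(\d+)",
    }
    soa = {}
    for key, pattern in fields.items():
        m = re.search(pattern, output)
        if not m:
            raise ValueError(f"no SOA field '{key}' in output")
        soa[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    return soa


def parse_mx(output: str):
    """Return [(preference, exchanger), ...] with the lowest preference first."""
    pairs = re.findall(r"MX preference\s*=\s*(\d+),\s*mail exchanger\s*=\s*(\S+)", output)
    return sorted((int(pref), host) for pref, host in pairs)


def soa_summary(output: str) -> dict:
    """Combine the pieces into the notes the lab says to write down."""
    soa = parse_soa(output)
    return {
        "resolver": resolver_used(output),
        "authoritative": is_authoritative(output),
        "primary": soa["primary"],
        "serial": soa["serial"],
        "serial_date": serial_date(soa["serial"]),
        "refresh": humanize(soa["refresh"]),
        "retry": humanize(soa["retry"]),
        "expire": humanize(soa["expire"]),
        "ttl": humanize(soa["ttl"]),
    }


if __name__ == "__main__":
    for key, value in soa_summary(SOA_SAMPLE).items():
        print(f"{key:>13}: {value}")
    print("mail exchangers:", parse_mx(MX_SAMPLE), "via", resolver_used(MX_SAMPLE))
```

Feed it the file.txt that the `>>` trick builds up and it produces the record that interactive mode cannot: which resolver answered each query, whether that answer was authoritative, and the SOA timers in the same units as the console output, so two runs against different name servers can be compared line by line.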