Sunday, July 10, 2016

WHOIS


Let's tackle another small problem. 

I would like to find out what the names (and IP addresses) of Microsoft's DNS servers are.

There are many ways of accomplishing this goal. Let's try the easiest one first.


pi@tron:~ $ host -t ns microsoft.com
microsoft.com name server ns2.msft.net.
microsoft.com name server ns4.msft.net.
microsoft.com name server ns1.msft.net.
microsoft.com name server ns3.msft.net.
pi@tron:~ $

The 'host' utility is the equivalent of 'nslookup' in MS Windows. It resolves names to IP addresses. With the option '-t' followed by 'ns' I am asking for the NS records, the DNS record type that lists the domain's name servers. Simple enough.

Now, let's convert them into IP addresses. To do that, I am going to extract the DNS server names and save them to a file.

pi@tron:~ $ host -t ns microsoft.com | cut -d " " -f4 > servers.txt 
pi@tron:~ $ 
pi@tron:~ $ cat servers.txt 
ns4.msft.net.
ns2.msft.net.
ns3.msft.net.
ns1.msft.net.
pi@tron:~ $ 

Now, let's find out which IP address each of them resolves to. One way of doing it is to use a 'for' loop in bash, like this:
 
pi@tron:~ $ for name in $(cat servers.txt); do host $name | grep "has address" | cut -d " " -f4; done > ms.dns.ip.txt
pi@tron:~ $ 
pi@tron:~ $ cat ms.dns.ip.txt 
208.76.45.53
208.84.2.53
193.221.113.53
208.84.0.53
pi@tron:~ $

Another way is to use 'whois' to get more information about the Microsoft domain. Raspberry Pi does not come with 'whois' installed by default:

pi@tron:~ $ whois microsoft.com
-bash: whois: command not found
pi@tron:~ $ 
pi@tron:~ $

No big deal! Let's install it:

pi@tron:~ $ sudo apt-get install whois
 
Now, repeat the test:

pi@tron:~ $ whois microsoft.com > microsoft.txt
pi@tron:~ $ 

The file 'microsoft.txt' contains all the output provided by the 'whois' command.

Since we have already figured out the IP addresses of Microsoft's name servers, let's try to obtain all the other IPs that 'whois' lists for that domain.

Running 'cat' on the file shows that the entries come in blocks that look like this (as the 'Registrar' lines show, these are name-server host records registered under various registrars, not necessarily hosts operated by Microsoft):

Server Name: MICROSOFT.COM.IS.NICE.WHEN.TOASTED.COMKAL.NET
   IP Address: 210.8.201.142
   Registrar: SYNERGY WHOLESALE PTY LTD
   Whois Server: whois.synergywholesale.com
   Referral URL: http://synergywholesale.com

 

Server Name: MICROSOFT.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
   IP Address: 217.148.161.5
   Registrar: HOSTING CONCEPTS B.V. D/B/A OPENPROVIDER
   Whois Server: whois.registrar.eu
   Referral URL: http://www.openprovider.com


I can use the 'Server Name' string to extract the IP addresses of those servers. Let's try this:

pi@tron:~ $ grep -A1 'Server Name' microsoft.txt

I ran it like that to show the -A1 option of grep (print one line after each match). It comes in handy every now and then.

Now I have pairs of lines, and will grep for just the 'IP Address:' string and save the result in the file 'server.ips.txt':

pi@tron:~ $ grep -A1 'Server Name' microsoft.txt | grep "IP Address:" | awk '{print $3}' | grep -v 8.8.8.8 > server.ips.txt
pi@tron:~ $


In the output I find the server 8.8.8.8 (the Google Public DNS address), which I get rid of with the 'grep -v 8.8.8.8' command. The option -v means: exclude lines matching what follows it (here 8.8.8.8).

The last thing I am going to do is to use the 'sort' command to sort them numerically by the first byte of the IP address, then the second, third and fourth, to get a nice output:

pi@tron:~ $ cat server.ips.txt | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
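
Here are the two pipelines from this post wrapped into functions, as an added example that is not part of the original post: 'ns_ips' needs network access and the 'host' tool, while 'server_ips' works on the whois text alone and additionally rejects malformed addresses and duplicates. The sample whois text is constructed (the first two blocks are the ones quoted above; the '.EXAMPLE' entries are made up).

```shell
#!/bin/sh
# Added example, not from the original post: the post's two pipelines as
# functions, plus validation and de-duplication of the whois output.

# ns_ips DOMAIN: the name servers of DOMAIN and their IPv4 addresses.
# Needs network access and the 'host' tool, so it is not run offline here.
ns_ips() {
    host -t ns "$1" | awk '{ print $NF }' | while read -r ns; do
        host "$ns" | awk '/has address/ { print $NF }'
    done
}

# server_ips [EXCLUDE_IP]: read whois output on stdin and print the IPv4
# address of every 'Server Name' block, dropping EXCLUDE_IP, malformed
# addresses and duplicates, sorted numerically octet by octet.
server_ips() {
    awk -v exclude="${1:-}" '
        /Server Name:/ { want = 1; next }
        # accept only an "IP Address:" line directly after a Server Name
        want && /IP Address:/ {
            n = split($3, o, ".")
            ok = (n == 4)
            for (i = 1; i <= 4 && ok; i++)
                ok = (o[i] ~ /^[0-9]+$/ && o[i] + 0 <= 255)
            if (ok && $3 != exclude) print $3
            want = 0; next
        }
        { want = 0 }
    ' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# Constructed sample in the layout shown above: the first two blocks are the
# ones quoted in the post; the rest are made up to exercise the edge cases.
SAMPLE_WHOIS='Server Name: MICROSOFT.COM.IS.NICE.WHEN.TOASTED.COMKAL.NET
   IP Address: 210.8.201.142
   Registrar: SYNERGY WHOLESALE PTY LTD
Server Name: MICROSOFT.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
   IP Address: 217.148.161.5
   Registrar: HOSTING CONCEPTS B.V. D/B/A OPENPROVIDER
Server Name: MICROSOFT.COM.PUBLIC-RESOLVER.EXAMPLE
   IP Address: 8.8.8.8
Server Name: MICROSOFT.COM.LOW-THIRD-OCTET.EXAMPLE
   IP Address: 210.8.21.9
Server Name: MICROSOFT.COM.DUPLICATE.EXAMPLE
   IP Address: 210.8.21.9
Server Name: MICROSOFT.COM.MALFORMED.EXAMPLE
   IP Address: 999.1.1.1'

printf '%s\n' "$SAMPLE_WHOIS" | server_ips 8.8.8.8
```

Note that a plain lexical sort would put 210.8.201.142 before 210.8.21.9; the numeric keys are what put the third octet 21 ahead of 201.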

It's only reconnaissance, a passive enumeration. Just getting warmed up!