Sunday, July 10, 2016


Let's tackle another small problem. 

I would like to find out the names (and IP addresses) of Microsoft's DNS servers. 

There are many ways of accomplishing this goal. Let's try the easiest one first.

pi@tron:~ $ host -t ns 
 name server 
 name server 
 name server 
 name server 
pi@tron:~ $

The 'host' utility is the rough equivalent of 'nslookup' in MS Windows: it resolves names to IP addresses. The option '-t' followed by 'ns' asks for the NS records, i.e. the DNS entries that name the domain's authoritative name servers. Simple enough.

Now, let's convert them into IP addresses. To do that, I am going to extract the DNS server names and save them to a file.

pi@tron:~ $ host -t ns | cut -d " " -f4 > servers.txt 
pi@tron:~ $ 
pi@tron:~ $ cat servers.txt
pi@tron:~ $ 

Now, let's find out which IP address each of them resolves to. One way of doing it is a bash 'for' loop, like this:
pi@tron:~ $ for name in $(cat servers.txt); do host $name | grep "has address" | cut -d " " -f4; done > ms.dns.ip.txt
pi@tron:~ $ 
pi@tron:~ $ cat ms.dns.ip.txt
pi@tron:~ $
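The same two steps (pull the name server names out of 'host -t ns' output, then resolve each name to its IPv4 address) as a pair of small shell functions. This is an added example, not from the original post: the domain 'example.test', the server names and the addresses are constructed sample output embedded inline so the functions can be exercised offline, and 'ns_names', 'a_records' and 'resolve_all' are hypothetical names. The real 'host' command can be substituted for the sample by calling 'resolve_all' with no argument.

```shell
#!/bin/sh
# Added example, not from the original post. The sample strings below are
# constructed to look like 'host' output so that the parsing runs offline.

# Constructed sample of what 'host -t ns example.test' prints (two NS records).
SAMPLE_NS_OUTPUT='example.test name server ns2.example.test.
example.test name server ns1.example.test.'

# Constructed sample of what 'host ns1.example.test' prints (A, AAAA and MX).
SAMPLE_HOST_OUTPUT='ns1.example.test has address 192.0.2.10
ns1.example.test has IPv6 address 2001:db8::10
ns1.example.test mail is handled by 10 mail.example.test.'

# Print the name server hostname from each "name server" line.
# $NF (last field) is more robust than 'cut -d " " -f4', which breaks if
# the output ever contains a doubled space. The trailing dot is kept; 'host'
# accepts it as an absolute name.
ns_names() {
    awk '/ name server /{print $NF}' | sort -u
}

# Keep only IPv4 answers: "has address" matches the A record line but not
# the "has IPv6 address" line, so AAAA records are left out, as in the post.
a_records() {
    awk '/ has address /{print $NF}'
}

# Resolve each name read from stdin with the lookup command given as $1
# (default: host). 'while read' avoids the word-splitting of
# 'for name in $(cat file)', though hostnames never contain spaces anyway.
# Usage with a real resolver:  resolve_all < servers.txt
resolve_all() {
    lookup="${1:-host}"
    while read -r name; do
        "$lookup" "$name" | a_records
    done
}
```

The test below stands in a fake 'host' (a shell function returning the constructed sample) for the real one, which is the same trick that lets you unit-test any such pipeline without touching the network.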

Another way is to use 'whois' to get more information about the Microsoft domain. The Raspberry Pi does not come with 'whois' installed by default:

pi@tron:~ $ whois
-bash: whois: command not found
pi@tron:~ $ 
pi@tron:~ $

No big deal! Let's install it:

pi@tron:~ $ sudo apt-get install whois

Now, repeat the test:

pi@tron:~ $ whois > microsoft.txt
pi@tron:~ $ 

The file 'microsoft.txt' now contains all the output of the 'whois' command. 

Since we already know the IP addresses of Microsoft's name servers, let's try to obtain all the other IPs that belong to that domain.

Running 'cat' on the file shows that the entries come in blocks that look like this:

   IP Address:
   Whois Server:
   Referral URL:


   IP Address:
   Whois Server:
   Referral URL:

I can use the 'Server Name' string to extract the IP addresses of their servers. Let's try this:

pi@tron:~ $ grep -A1 'Server Name' microsoft.txt

I used it this way to show grep's '-A1' option (print 1 line after each match). It comes in handy every now and then.

Now I have two lines per server, so I grep for just the 'IP Address:' string and save the result in the file 'server.ips.txt':

pi@tron:~ $ grep -A1 'Server Name' microsoft.txt | grep "IP Address:" | awk '{print $3}' | grep -v > server.ips.txt
pi@tron:~ $

In the output I also find the Google Public DNS server address, which I get rid of using the 'grep -v' command. The option '-v' means: exclude the lines that match what follows it (here, the Google address).

The last thing I am going to do is use the 'sort' command to sort them numerically by the first octet of the IP address, then the second, third and fourth, to get a nice output:

pi@tron:~ $ cat server.ips.txt | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
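The whois extraction and the octet-wise sort, as an added example that is not part of the original post. A constructed whois-style excerpt stands in for 'microsoft.txt' so the pipeline runs offline; the server names and addresses are made up from the documentation ranges, 'EXCLUDE_IP' plays the role of the public resolver address the post filters out, and 'server_ips' and 'sort_ips' are hypothetical function names. The sample deliberately contains 192.0.2.20 and 192.0.2.3, which a plain 'sort' orders the wrong way round.

```shell
#!/bin/sh
# Added example, not from the original post. The whois excerpt below is
# constructed (documentation-range addresses) so the pipeline runs offline.

SAMPLE_WHOIS='   Server Name: NS1.EXAMPLE.TEST
   IP Address: 192.0.2.20
   Whois Server: whois.example.test

   Server Name: NS2.EXAMPLE.TEST
   IP Address: 192.0.2.3
   Whois Server: whois.example.test

   Server Name: NS3.EXAMPLE.TEST
   IP Address: 203.0.113.7
   Whois Server: whois.example.test

   Server Name: RESOLVER.EXAMPLE.TEST
   IP Address: 198.51.100.1
   Whois Server: whois.example.test'

# The address to drop, as the post does with 'grep -v' for the public resolver
# that shows up in the whois output (constructed placeholder value).
EXCLUDE_IP='198.51.100.1'

# 'grep -A1' keeps each matching line plus the one after it. Between
# non-adjacent matches grep inserts a "--" separator line; it never reaches
# awk because the second grep keeps only "IP Address:" lines. The exclusion
# uses -F (fixed string) and -x (whole line) so that "192.0.2.3" is not
# treated as a regex where '.' matches any character and would also drop
# an unrelated "192.0.2.30".
server_ips() {
    grep -A1 'Server Name' | grep 'IP Address:' | awk '{print $3}' \
        | grep -F -x -v "$EXCLUDE_IP"
}

# A plain 'sort' compares character by character, so "192.0.2.20" comes
# before "192.0.2.3". Splitting on '.' and sorting each octet as a number
# (-k1,1n ... -k4,4n) gives true address order.
sort_ips() {
    sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# Usage with the real file:  server_ips < microsoft.txt | sort_ips
```

The final line also drops the 'cat file | sort' form in favour of a redirect, which saves a process and keeps the functions composable.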

This is only reconnaissance, a passive enumeration. Just getting warmed up!