Information Gathering using Windows Command Line Utility

Page 1: Title slide

Information Gathering using Windows Command Line Utility

By: Vishal Kumar (CEH | CHFI | CISE | MCP)

Lab - 1

Page 2: Overview of Windows Command Line Utilities

Windows offers several powerful command line utilities that help attackers, as well as ethical hackers and pen testers, gather open source information about the target of the evaluation.

Page 3: Lab Scenario

As a professional ethical hacker or pen tester, your first step will be to check the reachability of a computer in the target network. Operating systems offer several utilities that you can readily use for primary information gathering. Windows command-line utilities such as ping, nslookup, and tracert gather basic information about a target network or system, such as its IP address, the largest packet the path to it will carry, the number of hops to it and its DNS records, which forms the base of a security assessment and pen test.

Page 4: Lab Objective

This lab demonstrates how to use the ping, nslookup, and tracert utilities to gather information about a target. The lab teaches how to:
- Use the ping utility to find the IP address of a target domain.
- Use the ping utility to emulate the tracert (traceroute) command.
- Find the maximum frame size for the network.
- Identify the Internet Control Message Protocol (ICMP) type and code for echo request (type 8, code 0) and echo reply (type 0, code 0) packets.

Page 5: 1. Finding the IP Address of the Target Domain

Open the command prompt and type the following command: ping www.theprohackers.in

Here you can see the response of the ping command and the IP address of the target, which is 184.168.221.33.

Note:- ping resolves the host name through DNS before it sends anything and prints the resolved address on its first line, of the form "Pinging www.theprohackers.in [184.168.221.33] with 32 bytes of data:". The address therefore appears even when the target filters ICMP and every request times out; only the replies tell you the host is actually reachable.

Page 6: 2. Finding the Maximum Frame Size of the Target Domain

PING is often expanded as Packet Internet Groper, although its author named it after the sound of sonar. The syntax quoted in the lab, ping [-q] [-v] [-R] [-c count] [-i wait] [-s packetsize] host, is the Unix/BSD form, where -c count specifies the number of echo requests to send. The Windows ping used in this lab takes different switches: ping [-t] [-n count] [-l size] [-f] [-i TTL] [-w timeout] target, with -n for the request count, -l for the payload size, -f for the Don't Fragment bit and -i for the TTL.

Now, find the maximum frame size on the network using the ping utility.

Open the command prompt and type the command: ping www.theprohackers.in -f -l 1500

Page 7: Finding the Maximum Frame Size (continued)

The response, "Packet needs to be fragmented but DF set", means the packet is too large to be carried on the path without being split into fragments. Because we used the -f switch, the packet was not allowed to be fragmented, so instead of being forwarded it was dropped and this error was returned. When the message carries no source address, the local stack rejected the packet because it exceeds the MTU of your own interface; when it appears as "Reply from <router>: Packet needs to be fragmented but DF set", a router along the path with a smaller MTU dropped it and answered with an ICMP Destination Unreachable message (type 3, code 4, fragmentation needed and DF set).

Note:- The -f switch sets the Don't Fragment bit in the IP header of the ping packet. By default, ping packets allow fragmentation, so without -f an oversized request is simply split on the way and reassembled at the other end, and you would never see the size limit.

Try different packet sizes with the ping command until you get an echo reply.

Note:- In the Windows ping command, the -l size option sets the size of the ICMP payload (the send buffer) in bytes; the default is 32. The IPv4 header (20 bytes) and the ICMP header (8 bytes) are added on top of it, so -l 1500 produces a 1528-byte datagram, which does not fit in a standard 1500-byte Ethernet frame.

Page 8: Finding the Maximum Frame Size (continued)

Observe that the maximum payload size that gets through is less than 1500 bytes. On a path made of standard Ethernet links it is 1472 bytes: the 1500-byte link MTU minus 20 bytes of IPv4 header and 8 bytes of ICMP header. A smaller figure points to a link with a reduced MTU somewhere on the path, such as a PPPoE or VPN tunnel.

Now, try different values until you find the largest size that still gets an echo reply; that size plus 28 is the path MTU.

Note:- The maximum frame size will differ depending upon the target network and the path to it, and a target that does not answer echo requests at all cannot be probed this way.
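The trial-and-error search of pages 6 to 8 can be automated. The PowerShell script below is an added example and is not part of the original lab: it wraps ping.exe, binary-searches the -l payload size with -f set, and converts the largest size that still gets a reply into the path MTU. It assumes Windows ping.exe with English-language messages (the strings it matches are localized on non-English systems) and uses the lab's host name as the target; the 32-byte pre-check is my addition to catch targets that filter ICMP altogether.

```powershell
# Added example, not part of the original lab: automate the -f / -l size search
# and turn the largest payload that gets a reply into the path MTU.
# Assumes Windows ping.exe (-f, -l, -n, -w switches) and English reply strings.
$Target = "www.theprohackers.in"   # host name from the lab; any reachable target works

function Test-PayloadFits {
    param([string]$Name, [int]$Size)
    # -f sets Don't Fragment, -l is the ICMP payload size, -n 1 sends a single
    # request, -w 2000 waits at most 2 s for the answer.
    $out = & ping.exe -f -l $Size -n 1 -w 2000 $Name 2>&1 | Out-String
    if ($out -match 'needs to be fragmented') { return $false }   # too big for some link
    if ($out -match 'Reply from \S+: bytes=') { return $true }    # echo reply came back
    # Timeout or other error says nothing about the size. Count it as "too big" so
    # the search only ever shrinks, and tell the operator about it.
    Write-Warning "No usable answer for -l $Size; treating it as too large."
    return $false
}

# A target that filters ICMP makes every probe fail, which the search would
# misreport as a tiny MTU, so check a normal-sized request first.
if (-not (Test-PayloadFits -Name $Target -Size 32)) {
    throw "No echo reply for a 32-byte probe; $Target filters ICMP or is unreachable."
}

$Low  = 32     # payload size known to fit (invariant: always fits)
$High = 1500   # payload size known not to fit (the lab's -l 1500 result)

# Binary search: $Low always fits, $High never does; stop when they are adjacent.
while ($High - $Low -gt 1) {
    $mid = [int][math]::Floor(($Low + $High) / 2)
    if (Test-PayloadFits -Name $Target -Size $mid) { $Low = $mid } else { $High = $mid }
}

# A 20-byte IPv4 header and an 8-byte ICMP header ride on top of the payload.
[pscustomobject]@{
    Target           = $Target
    MaxIcmpPayload   = $Low
    EstimatedPathMtu = $Low + 28
}
```

On a plain Ethernet path the script ends with MaxIcmpPayload 1472 and EstimatedPathMtu 1500; the binary search needs about eleven probes instead of the dozens a manual search takes, and the warning branch shows which sizes produced timeouts rather than a clean answer.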

Page 9: 3. Finding What Happens When the TTL (Time to Live) Expires

Every IP packet carries a TTL (Time to Live) value. Each router that forwards the packet decrements the TTL by one, and when it reaches 0 the router discards the packet and sends an ICMP Time Exceeded message back to the sender. This mechanism prevents packets from circulating forever when a routing loop exists.

Type the command: ping www.theprohackers.in -i 3. The -i option sets the Time to Live of the outgoing echo requests to 3, so they can cross at most three routers.

Note:- The TTL is an 8-bit field, so the maximum value you can set is 255.

Page 10: TTL Expiry (continued)

The reply, "Reply from 10.228.21.22: TTL expired in transit", means that the router at 10.228.21.22, the third hop, discarded the packet because its TTL had reached 0 and reported this with an ICMP Time Exceeded message (type 11, code 0). 10.228.21.22 is a private (RFC 1918) address, so that hop sits inside the local or ISP network rather than on the public Internet.

Try different TTL values until you get an echo reply from the target.

Page 11: TTL Expiry (continued)

Here the echo reply arrives when the TTL is 50. Try different TTL values until you find the smallest one that still reaches the target; that value is the number of hops between you and the target, and each smaller value reveals the address of one intermediate router (if that router answers with Time Exceeded). Repeating this from TTL 1 upwards is exactly what tracert automates.

Note:- In the ping command the -n switch specifies the number of echo requests to send (for example, -n 2).

Page 12: 4. Emulate Tracert

Launch the command prompt and type the command: tracert www.theprohackers.in

Page 13: Emulate Tracert (continued)

So here is the output of the tracert command.

As you can see in the above snapshot, tracert displays the route from the attacker machine to the target machine hop by hop, with each router's IP address (and its host name where reverse DNS resolves) and three round-trip times per hop. tracert works by sending echo requests with TTL 1, 2, 3 and so on, which is the procedure of the previous step done automatically; hops that show "Request timed out" are routers that do not send ICMP Time Exceeded messages.
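The lab objective also asks for tracert to be emulated with ping. The PowerShell script below is an added example and is not part of the original lab: it repeats the step-3 procedure automatically, sending one echo request per TTL from 1 upwards and reading the router address out of each "TTL expired in transit" reply. It assumes Windows ping.exe with English messages and uses the lab's host name; the 30-hop limit matches tracert's default.

```powershell
# Added example, not part of the original lab: emulate tracert with ping by
# raising the TTL one hop at a time and recording which router reports
# "TTL expired in transit". Assumes Windows ping.exe (-i, -n, -w) and English strings.
$Target  = "www.theprohackers.in"   # host name from the lab
$MaxHops = 30                        # tracert's default hop limit

function Send-TtlProbe {
    param([string]$Name, [int]$Ttl)
    # One echo request (-n 1) with the given TTL (-i) and a 3 s timeout (-w).
    $out = & ping.exe -n 1 -i $Ttl -w 3000 $Name 2>&1 | Out-String
    if ($out -match 'Reply from (\S+): TTL expired in transit') {
        # The router that decremented the TTL to 0 answered with ICMP Time Exceeded.
        return [pscustomobject]@{ Hop = $Ttl; Address = $Matches[1]; Status = 'Expired' }
    }
    if ($out -match 'Reply from (\S+): bytes=') {
        # A real echo reply: the TTL was large enough to reach the target.
        return [pscustomobject]@{ Hop = $Ttl; Address = $Matches[1]; Status = 'Reached' }
    }
    # No answer: this hop drops ICMP or rate-limits Time Exceeded, like a "*" in tracert.
    return [pscustomobject]@{ Hop = $Ttl; Address = '*'; Status = 'Timeout' }
}

$route = for ($ttl = 1; $ttl -le $MaxHops; $ttl++) {
    $probe = Send-TtlProbe -Name $Target -Ttl $ttl
    $probe
    if ($probe.Status -eq 'Reached') { break }   # the TTL that reaches the target is the hop count
}

$route | Format-Table -AutoSize
if ($route[-1].Status -ne 'Reached') {
    Write-Warning "$Target was not reached within $MaxHops hops; it may filter echo requests."
}
```

The row marked Reached gives the hop count that the manual search of page 11 found by trial and error, and the Expired rows list the same routers tracert prints, without the reverse-DNS lookups and repeated probes tracert adds.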

Page 14: 5. Finding the Details Using the nslookup Command

Open the Run dialog, type nslookup and press Enter. This opens a command prompt in nslookup interactive mode and shows the default server (the DNS resolver your machine is configured to use) and its address. Every query that follows is sent to this resolver, not to the target domain's own name servers, unless you change it with "server <name server>".

5.1 Obtaining the IP Address of the Target Domain

In the nslookup interactive mode, type set type=a and press Enter. Setting the type to A configures nslookup to query for the IPv4 address records of a given domain.

Type the target domain www.theprohackers.in and press Enter. This resolves the IP address and displays the result as shown.

Page 15: 5.2 Finding the CNAME of the Target Domain

Type set type=cname and press Enter. Note:- A CNAME lookup returns the alias record for the name, if it has one. Like the other queries here it goes to the default server shown when nslookup started, which answers from its cache or by recursing to the domain's authoritative name servers; to question an authoritative server directly, switch to it first with "server <name server>".

Page 16: Finding the CNAME (continued)

Type the target domain www.theprohackers.in and press Enter. In the screenshot below the response contains no CNAME, because www.theprohackers.in is not an alias; instead nslookup prints the zone's SOA record from the authority section of the negative answer, which names the domain's primary name server and the responsible mailbox. This is the standard way a resolver says that the name exists but has no record of the requested type.

Page 17: 5.3 Finding the SOA (Start of Authority) Record of the Target Domain

Open the nslookup interactive mode and type set type=soa and press Enter.

Now type the target domain, www.theprohackers.in, and press Enter. This displays the zone's Start of Authority record: the primary name server, the responsible mailbox, the serial number and the refresh, retry, expire and minimum TTL timers.

Page 18: Finding the SOA Record (continued)

In the above screenshot the primary name server is ns47.domaincontrol.com and the responsible mailbox is dns.jomax.net. The latter is the SOA RNAME field, an e-mail address with the "@" replaced by a dot (dns@jomax.net); it identifies the zone administrator, not a mail server. To find the domain's mail servers, query with set type=mx instead.

Page 19: 5.4 Finding the IP Address of the Primary Name Server of the Target Domain

In the nslookup interactive mode, type set type=a and press Enter.

Now type the name of the primary name server of the target domain, ns47.domaincontrol.com, and press Enter. This displays the name and IP address of the primary name server.

Page 20: Finding the IP Address of the Primary Name Server (continued)

In the above screenshot we can see the IP address of the primary name server, which is xxx.xxx.xxx.xxx.
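The nslookup steps of section 5 as one PowerShell script, added here as an example and not part of the original lab. It uses the Resolve-DnsName cmdlet (DnsClient module, Windows 8 / Server 2012 and later) instead of nslookup, so the results are objects rather than screen text that has to be read. The host name, the primary name server ns47.domaincontrol.com and the mailbox dns.jomax.net come from the lab; the assumption that the zone apex is theprohackers.in (the www label stripped) is mine, as is the MX query at the end, which the lab does not perform.

```powershell
# Added example, not part of the original lab: sections 5.1 to 5.4 with
# Resolve-DnsName. Queries go to the machine's configured resolver (add
# -Server <ip> to Resolve-DnsName to ask a specific server instead).
$Domain = "www.theprohackers.in"   # target host from the lab
$Zone   = "theprohackers.in"       # assumed zone apex: SOA/NS/MX live here, not at www

function Get-RecordsSafe {
    param([string]$Name, [string]$Type)
    # -DnsOnly skips the hosts file, LLMNR and NetBIOS so only DNS answers count.
    try   { Resolve-DnsName -Name $Name -Type $Type -DnsOnly -ErrorAction Stop }
    catch { Write-Warning "$Type lookup for $Name failed: $($_.Exception.Message)"; @() }
}

# 5.1  A records: the target's IPv4 address(es)
Get-RecordsSafe -Name $Domain -Type A | Where-Object { $_.Type -eq 'A' } |
    Select-Object Name, IPAddress

# 5.2  CNAME: present only if www is an alias. A name with no CNAME gets a
#      NODATA answer whose Authority section carries the zone's SOA; that is
#      why the lab's "set type=cname" screenshot shows a primary name server
#      and a mailbox instead of an alias target.
Get-RecordsSafe -Name $Domain -Type CNAME |
    Select-Object Name, Type, Section, NameHost, PrimaryServer, NameAdministrator

# 5.3  SOA: primary name server and the zone administrator's mailbox.
#      NameAdministrator "dns.jomax.net" means dns@jomax.net; it is not a mail server.
$soa = Get-RecordsSafe -Name $Zone -Type SOA |
    Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
$soa | Select-Object PrimaryServer, NameAdministrator, SerialNumber

# 5.4  IP address of the primary name server, taken from the SOA just fetched
#      (the lab typed ns47.domaincontrol.com by hand at this point).
if ($soa) {
    Get-RecordsSafe -Name $soa.PrimaryServer -Type A |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object Name, IPAddress
}

# Not in the lab: the real mail exchangers come from MX, not from the SOA mailbox.
Get-RecordsSafe -Name $Zone -Type MX | Where-Object { $_.Type -eq 'MX' } |
    Select-Object NameExchange, Preference
```

The Where-Object filters matter because a negative answer returns SOA objects alongside, or instead of, the record type asked for; selecting on Type keeps the A, SOA and MX results from being mixed up with that authority data.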

Page 21: The Conclusion

The authoritative name servers store the records associated with the domain. So, if an attacker can determine the authoritative (primary) name server and obtain its IP address, he or she might attempt to exploit that server to perform attacks such as DoS, DDoS, URL redirection and so on.

Page 22: Links

For videos related to hacking, please subscribe to my YouTube channel:

https://www.youtube.com/channel/UCcyYSi1sh1SmyMlGfB-Vq6A

For any query, please mail us at [email protected]