CEH: Official Certified Ethical Hacker Review Guide: Exam 312-50 - Kimberly Graves [16]
Understand DNS Enumeration
DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. A company may have both internal and external DNS servers that can yield information such as usernames, computer names, and IP addresses of potential target systems.
Nslookup, DNSstuff, the American Registry for Internet Numbers (ARIN), and Whois can all be used to gain information that can then be used to perform DNS enumeration.
Nslookup and DNSstuff
One powerful tool you should be familiar with is nslookup (see Figure 2.2). This tool queries DNS servers for record information. It's included in Unix, Linux, and Windows operating systems. Hacking tools such as Sam Spade also include nslookup tools.
FIGURE 2.2 Nslookup
Building on the information gathered from Whois, you can use nslookup to find additional IP addresses for servers and other hosts. Using the authoritative name server information from Whois (AUTH1.NS.NYI.NET), you can discover the IP address of the mail server.
The explosion of easy-to-use tools has made hacking easy, if you know which tools to use. DNSstuff is another of those tools. Instead of using the command-line nslookup tool with its cumbersome switches to gather DNS record information, just access the website http://www.dnsstuff.com, and you can do a DNS record search online. Figure 2.3 shows a sample DNS record search on http://www.eccouncil.org using DNSstuff.com.
This search reveals all the alias records for http://www.eccouncil.org and the IP address of the web server. You can even discover all the name servers and associated IP addresses.
The exploits available to you because you have this information are discussed in Chapter 4, "System Hacking."
FIGURE 2.3 DNS record search of http://www.eccouncil.org
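The nslookup and DNSstuff searches above return the zone's records one type at a time; what matters to both the tester and the defender is the picture they add up to: which hosts the mail exchangers and name servers resolve to, which names are only aliases, and whether any public record hands out internal addressing. The following Python is an example added by the editor, not code from the guide. It parses records in the standard "name TTL class TYPE rdata" presentation format that nslookup and dig print, follows CNAME chains to addresses, and flags A records that point at RFC 1918 space. The zone, host names and addresses (example.com, 192.0.2.0/24, 10.0.0.5) are constructed sample data and describe no real host.

```python
"""Build a host inventory from DNS records as an nslookup/DNSstuff
enumeration would reveal them, and flag what the exposure means.

Added example by the editor, not from the CEH guide. The records below are
constructed sample data for the reserved example.com zone and the
documentation range 192.0.2.0/24; they do not describe any real host.
"""
import ipaddress

# Constructed sample zone in the "name TTL class TYPE rdata" presentation
# format that nslookup and dig print.
SAMPLE_RECORDS = """\
example.com.             3600 IN NS    ns1.example.com.
example.com.             3600 IN NS    ns2.example.net.
example.com.             3600 IN MX    10 mail.example.com.
example.com.             3600 IN MX    20 backup-mail.example.com.
www.example.com.          300 IN CNAME web.example.com.
ftp.example.com.          300 IN CNAME web.example.com.
web.example.com.          300 IN A     192.0.2.10
mail.example.com.         300 IN A     192.0.2.25
backup-mail.example.com.  300 IN A     192.0.2.26
ns1.example.com.         3600 IN A     192.0.2.53
intranet.example.com.     300 IN A     10.0.0.5   ; internal address in public DNS
"""

KNOWN_TYPES = {"A", "AAAA", "NS", "MX", "CNAME", "TXT", "PTR"}

def _norm(name):
    """Canonical form for comparisons: lowercase, no trailing dot."""
    return name.lower().rstrip(".")

def parse_records(text):
    """Parse presentation-format lines into (name, type, rdata) tuples.
    TTL and class are optional, so the type token is located rather than
    read from a fixed column; ';' comments and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for i, tok in enumerate(parts[1:], start=1):
            if tok.upper() in KNOWN_TYPES:
                records.append((_norm(parts[0]), tok.upper(), " ".join(parts[i + 1:])))
                break
    return records

def resolve_a(name, records, _hops=0):
    """IPv4 addresses for a name, following CNAME chains (loop-guarded)."""
    name = _norm(name)
    if _hops > 8:  # a CNAME loop in the data would otherwise recurse forever
        return set()
    ips = {rd for n, t, rd in records if n == name and t == "A"}
    for n, t, rd in records:
        if n == name and t == "CNAME":
            ips |= resolve_a(rd, records, _hops + 1)
    return ips

def build_inventory(records, zone):
    """What the enumeration hands an attacker, and what a defender should
    review: name servers, mail servers by priority, aliases and hosts,
    each with the addresses they ultimately resolve to."""
    zone = _norm(zone)
    inv = {"name_servers": {}, "mail_servers": [], "aliases": {}, "hosts": {}}
    for name, rtype, rdata in records:
        if rtype == "NS" and name == zone:
            ns = _norm(rdata)
            inv["name_servers"][ns] = resolve_a(ns, records)  # empty set: address not in this zone
        elif rtype == "MX" and name == zone:
            prio, host = rdata.split(None, 1)
            host = _norm(host)
            inv["mail_servers"].append((int(prio), host, resolve_a(host, records)))
        elif rtype == "CNAME":
            target = _norm(rdata)
            inv["aliases"][name] = (target, resolve_a(target, records))
        elif rtype == "A":
            inv["hosts"].setdefault(name, set()).add(rdata)
    inv["mail_servers"].sort(key=lambda m: (m[0], m[1]))
    return inv

# RFC 1918 ranges: a public A record pointing here leaks internal addressing
# to anyone who can query DNS.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def find_internal_leaks(records):
    """Names whose public A record points at an RFC 1918 address."""
    leaks = []
    for name, rtype, rdata in records:
        if rtype == "A":
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                continue
            if any(addr in net for net in RFC1918):
                leaks.append((name, rdata))
    return leaks

if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    inv = build_inventory(recs, "example.com")
    for prio, host, ips in inv["mail_servers"]:
        print(f"MX {prio:>3} {host} -> {sorted(ips)}")
    for alias, (target, ips) in inv["aliases"].items():
        print(f"alias {alias} -> {target} -> {sorted(ips)}")
    for ns, ips in inv["name_servers"].items():
        print(f"NS {ns} -> {sorted(ips) or 'address not in zone'}")
    for name, ip in find_internal_leaks(recs):
        print(f"LEAK: {name} publishes internal address {ip}")
```

Run against a real zone, the same inventory is the defender's review list: every mail exchanger and alias that resolves is a publicly advertised host, an NS whose address is outside the zone is a dependency on another organization's name servers, and any RFC 1918 leak is a record that should be moved to an internal-only view.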
Understand Whois and ARIN Lookups
Whois evolved from the Unix operating system, but it can now be found in many operating systems as well as in hacking toolkits and on the Internet. This tool identifies who has registered domain names used for e-mail or websites. A uniform resource locator (URL), such as www.microsoft.com, contains the domain name (microsoft.com) and a host name or alias (www).
The Internet Corporation for Assigned Names and Numbers (ICANN) requires registration of domain names to ensure that only a single company uses a specific domain name. The Whois tool queries the registration database to retrieve contact information about the individual or organization that holds a domain registration.
Hacking Tool
Smart Whois is an information-gathering program that allows you to find all available information about an IP address, host name, or domain, including country, state or province, city, name of the network provider, administrator, and technical-support contact information. Smart Whois is a graphical version of the basic Whois program.
ARIN maintains a database that includes information such as the owners of static IP addresses. The ARIN database can be queried using the Whois tool, such as the one located at http://www.arin.net/whois.
Figure 2.4 shows an ARIN Whois search for http://www.yahoo.com. Notice that addresses, e-mails, and contact information are all contained in this Whois search. This information can be used by an ethical hacker to find out who is responsible for a certain IP address and which organization owns that target system, or it can be used by a malicious hacker to perform a social engineering attack against the organization. As a security professional, you need to be aware of the information available to the public in searchable databases such as ARIN and ensure that a malicious