Ethical Hacking and Penetration Testing Guide
Nslookup
Nslookup is available on both Windows and Linux. Let's say that we want the DNS servers to return all the mail server records of an organization. We would do the following:
Step 1—Issue the nslookup command from the command prompt.
Step 2—Issue the following command:
set type=mx
Step 3—Next, we would enter the domain:
www.msn.com
The query returned mail servers for msn.com.
We can also ask for all the name servers for that domain by using the following command:
set type=ns
The query has returned all the name servers associated with ifixit.com.
DIG
Let me introduce you to another great tool called dig. We can run the same queries with dig as we did with nslookup. However, it's very handy and has more functionality than nslookup. So let's ask dig to return the MX records for wikipedia.org. We will use the following command:
dig wikipedia.org mx
Similarly, you can use ns in place of mx to return all NS records.
Forward DNS Lookup
In this method, we use a brute-forcing technique to guess valid hostnames, for example:
services.rafayhackingarticles.net
If a candidate name resolves to an IP address, it is an existing hostname; if it doesn't, it does not exist. One can write a script to search for valid hostnames. Alternatively, you can also use the fierce tool, discussed earlier, for performing this attack.
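An added script (not from the book) that implements the forward-lookup loop just described for a word list, with two checks the text leaves implicit: a temporary resolver failure is not recorded as "name does not exist", and a wildcard record is detected first so that every name resolving is not mistaken for every name existing. `find_hostnames`, `fake_resolver` and the example.com/wild.example zone data are assumptions constructed here; with the default `socket.gethostbyname` resolver it runs against a zone you administer.

```python
import secrets
import socket
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a hostname to an IP string and raises socket.gaierror when
# it cannot; socket.gethostbyname fits. Error codes that mean "name does not
# exist" (as opposed to EAI_AGAIN, a temporary failure) vary by OS.
Resolver = Callable[[str], str]
EAI_NONAME = getattr(socket, "EAI_NONAME", -2)
NXDOMAIN_ERRNOS = {EAI_NONAME, getattr(socket, "EAI_NODATA", -5)}

def resolve_or_none(hostname: str, resolve: Resolver) -> Optional[str]:
    """IP for hostname, or None on NXDOMAIN; timeouts and SERVFAIL re-raise."""
    try:
        return resolve(hostname)
    except socket.gaierror as exc:
        if exc.errno in NXDOMAIN_ERRNOS:
            return None
        raise  # an unchecked name must not be recorded as absent

def wildcard_ip(domain: str, resolve: Resolver) -> Optional[str]:
    """Probe a random label under the zone: if it resolves, the zone has a
    wildcard record and "it resolved, so it exists" is no longer a signal."""
    return resolve_or_none(f"{secrets.token_hex(8)}.{domain}", resolve)

def find_hostnames(domain: str, words: Iterable[str],
                   resolve: Resolver = socket.gethostbyname) -> Dict[str, str]:
    """Forward-look-up <word>.<domain> for every word; return {hostname: ip}."""
    wild = wildcard_ip(domain, resolve)
    found: Dict[str, str] = {}
    for word in words:
        host = f"{word}.{domain}"
        ip = resolve_or_none(host, resolve)
        # a name answering only with the wildcard IP carries no information
        if ip is not None and ip != wild:
            found[host] = ip
    return found

# Constructed (hypothetical) zone data so the example runs offline:
# example.com has two hosts; wild.example answers every name (wildcard record).
_PLAIN_ZONE = {"www.example.com": "203.0.113.10", "mail.example.com": "203.0.113.25"}

def fake_resolver(hostname: str) -> str:
    """Stand-in for socket.gethostbyname over the constructed zones above."""
    if hostname in _PLAIN_ZONE:
        return _PLAIN_ZONE[hostname]
    if hostname == "real.wild.example":
        return "203.0.113.50"
    if hostname.endswith(".wild.example"):
        return "203.0.113.99"
    raise socket.gaierror(EAI_NONAME, "Name or service not known")
```

Running `find_hostnames("wild.example", ["www", "real"], resolve=fake_resolver)` keeps only real.wild.example, because www.wild.example returns the same IP the random probe did.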