8 Linux Commands for Information Gathering by d3hydr8 > www.darkc0de.com date: 12/19/07 1) dig dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig. --------------------------------------------------------------------- d3hydr8@linuxbox:~> dig google.com ; <<>> DiG 9.4.1-P1 <<>> google.com ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8918 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4 ;; QUESTION SECTION: ;google.com. IN A ;; ANSWER SECTION: google.com. 58 IN A 64.233.187.99 google.com. 58 IN A 64.233.167.99 google.com. 58 IN A 72.14.207.99 ;; AUTHORITY SECTION: google.com. 345549 IN NS ns1.google.com. google.com. 345549 IN NS ns2.google.com. google.com. 345549 IN NS ns3.google.com. google.com. 345549 IN NS ns4.google.com. ;; ADDITIONAL SECTION: ns1.google.com. 345549 IN A 216.239.32.10 ns2.google.com. 345549 IN A 216.239.34.10 ns3.google.com. 345549 IN A 216.239.36.10 ns4.google.com. 345549 IN A 216.239.38.10 ;; Query time: 12 msec ;; SERVER: 24.158.63.8#53(24.158.63.8) ;; WHEN: Sun Jan 6 09:21:53 2008 ;; MSG SIZE rcvd: 212 --------------------------------------------------------------------- 2) nslookup Nslookup is a program to query Internet domain name servers. Examples of issueing a simple query: nslookup name nslookup IP_address nslookup name server nslookup IP_address server --------------------------------------------------------------------- d3hydr8@linuxbox:~> nslookup 72.14.207.99 Server: 24.173.63.8 Address: 24.173.63.8#53 Non-authoritative answer: 99.207.14.72.in-addr.arpa name = eh-in-f99.google.com. Authoritative answers can be found from: 207.14.72.in-addr.arpa nameserver = ns3.google.com. 207.14.72.in-addr.arpa nameserver = ns4.google.com. 207.14.72.in-addr.arpa nameserver = ns1.google.com. 207.14.72.in-addr.arpa nameserver = ns2.google.com. ns3.google.com internet address = 216.239.36.10 ns4.google.com internet address = 216.239.38.10 ns1.google.com internet address = 216.239.32.10 ns2.google.com internet address = 216.239.34.10 --------------------------------------------------------------------- 3) host host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, host prints a short summary of its command line arguments and options. --------------------------------------------------------------------- d3hydr8@linuxbox:~> host google.com google.com has address 64.233.167.99 google.com has address 72.14.207.99 google.com has address 64.233.187.99 google.com mail is handled by 10 smtp2.google.com. google.com mail is handled by 10 smtp3.google.com. google.com mail is handled by 10 smtp4.google.com. google.com mail is handled by 10 smtp1.google.com. --------------------------------------------------------------------- 4) whois whois searches for an object in a RFC 3912 database. This version of the whois client tries to guess the right server to ask for the specified object. If no guess can be made it will connect to whois.networksolutions.com for NIC handles or whois.arin.net for IPv4 addresses and network names. --------------------------------------------------------------------- d3hydr8@linuxbox:~> whois syr.edu Domain Name: SYR.EDU Registrant: Syracuse University Room 200 Machinery Hall Syracuse, NY 13244 UNITED STATES Administrative Contact: Susan Heeley Senior Administrator Syracuse University IT Dept. Center for Science and Technology Syracuse, NY 13244 UNITED STATES (315) 443-2716 sheeley@syr.edu Technical Contact: NISC Syracuse University Room 200 Machinery Hall Syracuse, NY 13244 UNITED STATES (315) 443-2677 nisc@syr.edu Name Servers: LURCH.CNS.SYR.EDU 128.230.12.5 ICARUS.SYR.EDU 128.230.1.49 SUEC1.SYR.EDU 209.164.131.32 NS3.BROADWING.NET NS4.BROADWING.NET Domain record activated: 02-Sep-1986 Domain record last updated: 11-Jul-2007 Domain expires: 31-Jul-2008 --------------------------------------------------------------------- 5) nmap * we all know this one Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. --------------------------------------------------------------------- linuxbox:/home/d3hydr8 # nmap -P0 -sS syr.edu Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-06 09:45 EST Interesting ports on cwis01.syr.edu (128.230.18.35): Not shown: 1656 closed ports, 49 filtered ports PORT STATE SERVICE 80/tcp open http 4045/tcp open lockd 7937/tcp open nsrexecd 7938/tcp open lgtomapper 32771/tcp open sometimes-rpc5 32772/tcp open sometimes-rpc7 Nmap done: 1 IP address (1 host up) scanned in 215.657 seconds --------------------------------------------------------------------- 6) ping ping uses the ICMP protocol's mandatory ECHO_REQUEST datagram to elicit an ICMP ECHO_RESPONSE from a host or gateway. ECHO_REQUEST datagrams (``pings'') have an IP and ICMP header, followed by a struct timeval and then an arbitrary number of ``pad'' bytes used to fill out the packet. --------------------------------------------------------------------- linuxbox:/home/d3hydr8 # ping -c 2 128.230.18.35 PING 128.230.18.35 (128.230.18.35) 56(84) bytes of data. 64 bytes from 128.230.18.35: icmp_seq=1 ttl=240 time=70.6 ms 64 bytes from 128.230.18.35: icmp_seq=2 ttl=240 time=69.6 ms --- 128.230.18.35 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1000ms rtt min/avg/max/mdev = 69.685/70.155/70.625/0.470 ms --------------------------------------------------------------------- 7) traceroute (mtr) As mtr starts, it investigates the network connection between the host mtr runs on and HOSTNAME. by sending packets with pur‐ posly low TTLs. It continues to send packets with low TTL, noting the response time of the intervening routers. This allows mtr to print the response percentage and response times of the internet route to HOSTNAME. A sudden increase in packetloss or response time is often an indication of a bad (or simply overloaded) link. --------------------------------------------------------------------- linuxbox:/home/d3hydr8 # traceroute 128.230.18.35 traceroute to 128.230.18.35 (128.230.18.35), 30 hops max, 40 byte packets 1 192.168.1.1 (192.168.1.1) 1.934 ms 1.855 ms 2.097 ms 2 10.114.0.1 (10.114.0.1) 10.197 ms 12.492 ms 15.662 ms 3 172.22.5.13 (172.22.5.13) 16.707 ms 16.737 ms 8.981 ms 4 172.22.5.69 (172.22.5.69) 8.570 ms 12.523 ms 12.354 ms 5 172.22.32.114 (172.22.32.114) 14.607 ms 21.783 ms 11.076 ms 6 172.22.32.106 (172.22.32.106) 14.286 ms 14.387 ms 14.173 ms 7 12.86.87.29 (12.86.87.29) 18.481 ms 21.724 ms 14.085 ms 8 tbr2.attga.ip.att.net (12.122.96.74) 36.853 ms 40.701 ms 41.588 ms 9 tbr1.dlstx.ip.att.net (12.122.2.89) 46.345 ms 44.641 ms 47.791 ms 10 ggr3.dlstx.ip.att.net (12.123.16.193) 45.555 ms 44.932 ms 44.856 ms 11 br2-a3120s2.attga.ip.att.net (192.205.33.206) 46.336 ms 45.324 ms 35.904 ms 12 66.192.240.226 (66.192.240.226) 64.172 ms 63.947 ms 109.761 ms 13 64-132-176-170.static.twtelecom.net (64.132.176.170) 74.404 ms 77.708 ms 78.053 ms 14 128.230.61.1 (128.230.61.1) 78.784 ms 76.568 ms 78.336 ms 15 c6509r-srv.syr.edu (128.230.61.58) 77.995 ms 78.127 ms 78.214 ms 16 cwis01.syr.edu (128.230.18.35) 78.310 ms 70.660 ms 74.593 ms --------------------------------------------------------------------- 8) telnet The telnet command is used to communicate with another host using the TELNET protocol. If telnet is invoked without the host argument, it enters command mode, indicated by its prompt (telnet>). In this mode, it accepts and executes the commands listed below. If it is invoked with arguments, it performs an open command with those arguments. --------------------------------------------------------------------- d3hydr8@linuxbox:~> telnet os.edu 21 Trying 209.34.161.32... Connected to os.edu. Escape character is '^]'. 220 FTP server... ---------------------------------------------------------------------