Finding a Target Using DNS Lookups
by fU9A5i
So you've decided you want to hack XYZ.com, none of my business why, but you have a problem.
How do you find XYZ's network in the expanse of the Internet?
Firstly, if XYZ is connected to the Internet via a dial-up link (i.e., ISDN or PSTN - POTS in the U.S.), your job is going to be hard because it's likely that XYZ uses a dynamically assigned IP address from their ISP.
This IP address is likely to change every time a connection is made from their network to the Internet. They will almost certainly also be using Network Address Translation (NAT) ensuring that their entire network remains hidden behind a single dynamically assigned IP address.
Fixed connections (leased lines/private circuits) are, however, easier to find. This is because XYZ is permanently connected to the Internet, and the router at their end of that permanent circuit needs a fixed, publicly routable IP address assigned to it. Usually behind this router is some kind of firewall or security device that protects the internal network of XYZ from the likes of you and me.
So Where Does DNS Come Into Things?
Most medium (and some small) to large organizations have their own mail servers on site.
These mail servers need to be visible from the Internet for that organization to send and receive mail. So to find the XYZ network, not just their website which may be hosted at an ISP somewhere, follow the trail of the mail!
When you send mail to a-user@xyz.com, a DNS lookup is performed to determine where this mail should be sent. This type of lookup is called a mail exchange or MX lookup; the resulting IP address resolved from this will usually point directly at that company's network.
Suppose, for example, that the MX lookup for XYZ.com resolves to 195.123.26.2. Mail sent to XYZ.com will then be delivered to TCP port 25 (SMTP) on 195.123.26.2. This IP address may be the company's mail server itself or just the outside interface (network interface) of the corporate firewall. Either way, you should have located the network you are seeking.
How to Do DNS Lookups
The hard way is to use the raw nslookup program.
nslookup is the name of a program that lets an Internet server administrator or user enter a host name (for example, microsoft.com) and find out the corresponding Internet address. It will also do reverse name lookup and find the hostname for an IP address you specify.
For example, if you entered microsoft.com, you would receive as a response the corresponding IP address, which would be something like 207.46.130.14; if you entered 207.46.130.14, it would return microsoft.com.
nslookup sends a domain name query packet to a designated (or defaulted) Domain Name System (DNS) server. Depending on the system you are using, the default may be the local DNS name server at your service provider, some intermediate name server, or the root name server (at InterNIC) for the entire domain name system hierarchy.
You can go directly to the command prompt and type: nslookup microsoft.com. However, not all operating systems include this utility (NT and most flavors of UNIX do), and if DNS is not correctly configured on your machine it will not work anyway.
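To make concrete what an MX lookup and the "domain name query packet" described above actually look like on the wire, here is an added example (written for this edit, not code from the article or from any of the tools it names). It builds an MX query in RFC 1035 format, decodes a reply including the name-compression pointers real resolvers use, and orders the mail exchangers the way a sending mail server would. The reply is constructed by hand for the fictitious domain xyz.com and the documentation address 203.0.113.25 (both assumptions), so the script runs offline; send_query is included only to show how the same packet would be sent to a resolver.

```python
"""Build a DNS MX query and decode the answer (added example, not from the article).

Packet layout follows RFC 1035 section 4.1. SAMPLE_RESPONSE is a hand-built
reply for the fictitious xyz.com, so everything here runs without a network.
"""
import random
import socket
import struct

QTYPE_A, QTYPE_MX, QCLASS_IN = 1, 15, 1


def encode_name(name):
    """'xyz.com' -> b'\\x03xyz\\x03com\\x00' (length-prefixed labels, zero terminator)."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, txid=None):
    """Standard query, RD (recursion desired) set, exactly one question."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def read_name(msg, off, max_hops=16):
    """Decode the name at msg[off], following 0xC0xx compression pointers.
    Returns (dotted name, offset just past the name in the original stream).
    A hop limit stops a malformed reply with a pointer loop from hanging us."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # two-byte pointer
            if hops >= max_hops:
                raise ValueError("compression pointer loop")
            hops += 1
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return (txid, flags, [(owner, type, ttl, value), ...]) covering the
    answer, authority and additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question(s)
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == QTYPE_MX:                          # preference + exchange name
            pref = struct.unpack("!H", rdata[:2])[0]
            exchange, _ = read_name(msg, off + 2)      # may point elsewhere in msg
            value = (pref, exchange)
        elif rtype == QTYPE_A:
            value = ".".join(str(b) for b in rdata)
        else:
            value = rdata
        records.append((owner, rtype, ttl, value))
        off += rdlen
    return txid, flags, records


def mail_servers(records):
    """MX targets in the order a sending MTA tries them (lowest preference first)."""
    return sorted(v for _, t, _, v in records if t == QTYPE_MX)


def send_query(packet, resolver, timeout=3.0):
    """Send the packet over UDP/53 and return the raw reply (needs a network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (resolver, 53))
        return s.recv(4096)


# Constructed reply to build_query("xyz.com", QTYPE_MX, 0x1234): two MX records
# plus one "glue" A record. 0xC00C points at "xyz.com" in the question (offset 12);
# 0xC027 points at "mail.xyz.com" inside the first MX rdata (offset 39).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)
    + encode_name("xyz.com") + struct.pack("!HH", QTYPE_MX, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_MX, QCLASS_IN, 3600, 9)
    + struct.pack("!H", 10) + b"\x04mail" + b"\xc0\x0c"
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_MX, QCLASS_IN, 3600, 10)
    + struct.pack("!H", 20) + b"\x05mail2" + b"\xc0\x0c"
    + b"\xc0\x27" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4)
    + bytes([203, 0, 113, 25])
)

if __name__ == "__main__":
    _, _, rrs = parse_response(SAMPLE_RESPONSE)
    for pref, host in mail_servers(rrs):
        glue = [v for o, t, _, v in rrs if t == QTYPE_A and o == host]
        print(f"MX {pref:>3} {host:<16} A {glue or ['(not in reply, needs A lookup)']}")
```

Note the second MX target in the sample has no A record in the reply: a resolver only adds such "glue" when it has it, so a mail exchanger found via MX often needs a follow-up A lookup before you know which address it sits on.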
The Easy Way
It is far easier to use one of the web-based lookups detailed at the end of this article or to download and use a DNS utility from one of the file mine sites (get one that specifies it can do all types of DNS records).
Here is the dump (from DNScape, inettools.com) of what a complete DNS lookup of the Microsoft domain gives:
Address               Query Name     Actual Name           Auth  Type  TTL     Other
ATBD.microsoft.com.   microsoft.com  microsoft.com.        NA    NS    117400
DNS4.CP.MSFT.NET.     microsoft.com  microsoft.com.        NA    NS    117400
DNS5.CP.MSFT.NET.     microsoft.com  microsoft.com.        NA    NS    117400
DNS1.microsoft.com.   microsoft.com  microsoft.com.        NA    NS    117400
dns.CP.MSFT.NET.      microsoft.com  microsoft.com.        NA    SOA   5915    Resp: msnhst.microsoft.com. Sn:2000071902 Refresh:900 Retry:600 Expire:7200000 Minimum:43200
207.46.130.14         microsoft.com  microsoft.com.        NA    A     21914
207.46.130.149        microsoft.com  microsoft.com.        NA    A     21914
207.46.130.45         microsoft.com  microsoft.com.        NA    A     21914
207.46.131.137        microsoft.com  microsoft.com.        NA    A     21914
207.46.131.30         microsoft.com  microsoft.com.        NA    A     21914
mail1.microsoft.com.  microsoft.com  microsoft.com.        NA    MX    26288   Pref:10
mail2.microsoft.com.  microsoft.com  microsoft.com.        NA    MX    26288   Pref:10
mail3.microsoft.com.  microsoft.com  microsoft.com.        NA    MX    26288   Pref:10
mail4.microsoft.com.  microsoft.com  microsoft.com.        NA    MX    26288   Pref:10
mail5.microsoft.com.  microsoft.com  microsoft.com.        NA    MX    26288   Pref:10
ATBD.microsoft.com.   microsoft.com  microsoft.com.        NA    NS    117400
DNS4.CP.MSFT.NET.     microsoft.com  microsoft.com.        NA    NS    117400
DNS5.CP.MSFT.NET.     microsoft.com  microsoft.com.        NA    NS    117400
DNS1.microsoft.com.   microsoft.com  microsoft.com.        NA    NS    117400
207.46.138.11         microsoft.com  DNS4.CP.MSFT.NET.     NA    A     64800
207.46.138.12         microsoft.com  DNS5.CP.MSFT.NET.     NA    A     50237
131.107.1.7           microsoft.com  DNS1.microsoft.com.   NA    A     20735
131.107.3.125         microsoft.com  mail1.microsoft.com.  NA    A     7291
131.107.3.124         microsoft.com  mail2.microsoft.com.  NA    A     26288
So what does all that stuff mean?
Basically, what you are looking at is a list of Microsoft's servers with their corresponding IP addresses. In the expanse of the Internet you have just found Microsoft's network. Just look for the MX records...
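Picking the MX records out of a dump like the one above, and matching each mail exchanger to the address the dump gives for it, is the step the paragraph describes; the following added example (written for this edit, not from the article or from DNScape) does exactly that. The rows in DUMP are a subset of the Microsoft dump printed above, with the column order Address, Query Name, Actual Name, Auth, Type, TTL, Other; the parser assumes fields are whitespace-separated and that only the last column may contain spaces.

```python
"""Extract mail exchangers and their addresses from a DNScape-style dump.
Added example; the rows are copied from the article's Microsoft dump."""

DUMP = """\
ATBD.microsoft.com. microsoft.com microsoft.com. NA NS 117400
DNS1.microsoft.com. microsoft.com microsoft.com. NA NS 117400
dns.CP.MSFT.NET. microsoft.com microsoft.com. NA SOA 5915 Resp: msnhst.microsoft.com. Sn:2000071902 Refresh:900 Retry:600 Expire:7200000 Minimum:43200
207.46.130.14 microsoft.com microsoft.com. NA A 21914
mail1.microsoft.com. microsoft.com microsoft.com. NA MX 26288 Pref:10
mail2.microsoft.com. microsoft.com microsoft.com. NA MX 26288 Pref:10
mail3.microsoft.com. microsoft.com microsoft.com. NA MX 26288 Pref:10
131.107.1.7 microsoft.com DNS1.microsoft.com. NA A 20735
131.107.3.125 microsoft.com mail1.microsoft.com. NA A 7291
131.107.3.124 microsoft.com mail2.microsoft.com. NA A 26288
"""

COLUMNS = ("address", "query", "actual", "auth", "type", "ttl")


def parse_dump(text):
    """One dict per row; everything after the TTL column goes into 'other'."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < len(COLUMNS):          # header or blank line
            continue
        row = dict(zip(COLUMNS, fields))
        row["ttl"] = int(row["ttl"])
        row["other"] = " ".join(fields[len(COLUMNS):])
        rows.append(row)
    return rows


def addresses_by_name(rows):
    """Map each name that has A records in the dump to its list of addresses."""
    result = {}
    for r in rows:
        if r["type"] == "A":
            result.setdefault(r["actual"], []).append(r["address"])
    return result


def mail_exchangers(rows):
    """MX targets -> {'pref': n, 'addresses': [...]}; an empty address list
    means the dump has no A record for that host and a separate lookup is needed."""
    glue = addresses_by_name(rows)
    result = {}
    for r in rows:
        if r["type"] != "MX":
            continue
        pref = int(r["other"].split(":", 1)[1]) if r["other"].startswith("Pref:") else None
        result[r["address"]] = {"pref": pref, "addresses": glue.get(r["address"], [])}
    return result


def name_servers(rows):
    """Authoritative name servers listed in the dump, with any addresses given."""
    glue = addresses_by_name(rows)
    return {r["address"]: glue.get(r["address"], [])
            for r in rows if r["type"] == "NS"}


if __name__ == "__main__":
    rows = parse_dump(DUMP)
    for host, info in sorted(mail_exchangers(rows).items()):
        print(f"MX pref {info['pref']:>3} {host:<22} {info['addresses'] or 'no A record in dump'}")
    for host, addrs in sorted(name_servers(rows).items()):
        print(f"NS          {host:<22} {addrs or 'no A record in dump'}")
```

Run on the full dump this gives the same picture the paragraph describes: mail1 and mail2 resolve to 131.107.3.x, while mail3 to mail5 appear only as MX targets, so their addresses would have to come from a further A lookup.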
Programs and Web-based Lookups
www.simplelogic.com/net_utils/NsLookup.asp
For Linux system users, here is the Linux manual page for nslookup: www.elcafe.com/man/man1/nslookup.1.html
Trumphurst Ltd. provides a free nslookup program for Windows 9x/NT users: www.trumphurst.com/dnsocx/nslookup.phtml