\"Foot-printing exercise.\" Choose a suitable target organization that interests
ID: 3856438 • Letter: #
Question
"Foot-printing exercise." Choose a suitable target organization that interests you, and report on each of the following items you learn about your chosen organization:
Use Google (you're encouraged to experiment with other search engines as well) to perform searches against established domain names and target networks to identify hostnames, domain names, and useful data residing on publicly accessible web servers. Report on what you discover. Side note: you might find this classic article about Google dorking helpful: http://www.informit.com/articles/article.aspx?p=170880, and there are a few Google hacking notes in Red p48.
Do WHOIS querying on domain and IP registrars' Whois databases to retrieve and report on
network block
size of reserved network block
routing and any AS number information
contact details
related to the target networks and domain names.
Use DNS related commands (such as dig, host, nslookup, ...) on a terminal command line in Kali, or use DNS web tools, to query and report on publicly accessible DNS servers. Try to enumerate
hostnames
subdomains
operating platforms of network devices, if available
other network information, if available.
There are many automated spidering tools that identify web server information and content. Kali includes several web crawlers, and also includes the command-line web clients wget and curl. Many of these are fairly invasive in terms of crawling and mirroring (downloading) entire site trees. We need to take a less invasive route in this course to enumerate information about web servers. The approach we will follow here in this course:
Do not crawl, and do not copy entire sites to your local machine unless you have explicit permission by the owner, or it is your own site.
For web enumeration, focus on using toolkits on the web including sites like netcraft.com or all-nettools.com
For students wanting to work with Windows-based tools such as Wikto, HTTrack, or Black Widow, only perform non-aggressive research, e.g., no mirroring of sites.
Use mxtoolbox.com to identify public mail transport servers. Try sending e-mail messages to nonexistent accounts at the target domain. In a terminal window use telnet or netcat to try using SMTP commands to communicate directly with a mail transport server. Report on your session transcript and analysis of noteworthy information.
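The SMTP probe in the last item, as an added, runnable illustration that is not part of the assignment or of the answer below: a Python script that sends the same commands you would type into telnet or netcat (EHLO, VRFY, MAIL FROM, RCPT TO, QUIT), keeps the session transcript, and classifies each recipient by the reply code. Because it has to run offline it talks to a constructed toy SMTP server started on a loopback port; the domain example.test, the mailbox list and the server's replies are assumptions modelled on common MTA behaviour (550 5.1.1 for an unknown user, 252 for a disabled VRFY), not data from any real system.

```python
import socket
import threading

# Constructed sample data (assumptions, not real systems): the hypothetical
# target domain and the mailboxes the toy server below will accept.
TARGET_DOMAIN = "example.test"
KNOWN_MAILBOXES = {"postmaster", "alice"}


def toy_smtp_server(listener):
    """Serve one client session. Stand-in for an MTA that rejects unknown
    recipients at RCPT TO with 550 and has VRFY disabled (252), which is
    the usual reason RCPT TO is the probe that still works."""
    conn, _ = listener.accept()
    rfile = conn.makefile("rb")
    conn.sendall(b"220 mail.example.test ESMTP toy-server\r\n")
    for raw in rfile:
        cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            # EHLO replies are normally multi-line: "250-..." then a final "250 ...".
            reply = "250-mail.example.test\r\n250 PIPELINING\r\n"
        elif cmd == "MAIL":
            reply = "250 2.1.0 Ok\r\n"
        elif cmd == "RCPT":
            address = arg.partition(":")[2].strip()
            local_part = address.strip("<>").split("@")[0].lower()
            if local_part in KNOWN_MAILBOXES:
                reply = "250 2.1.5 Ok\r\n"
            else:
                reply = f"550 5.1.1 {address}: Recipient address rejected: User unknown\r\n"
        elif cmd == "VRFY":
            reply = "252 2.5.2 Cannot VRFY user, but will accept message\r\n"
        elif cmd == "QUIT":
            conn.sendall(b"221 2.0.0 Bye\r\n")
            break
        else:
            reply = "502 5.5.2 Command not implemented\r\n"
        conn.sendall(reply.encode())
    conn.close()


def read_reply(rfile):
    """Read one SMTP reply, including continuation lines ("250-") up to the
    final line ("250 "). Returns (three-digit code, list of lines)."""
    lines = []
    while True:
        line = rfile.readline().decode(errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return line[:3], lines


def smtp_enumerate(host, port, domain, candidates):
    """Probe candidate local parts with RCPT TO in one session and classify
    each from the reply code. Returns (results, transcript)."""
    sock = socket.create_connection((host, port), timeout=5)
    rfile = sock.makefile("rb")
    transcript = []

    def exchange(command):
        transcript.append("C: " + command)
        sock.sendall((command + "\r\n").encode())
        code, lines = read_reply(rfile)
        transcript.extend("S: " + line for line in lines)
        return code

    _, banner = read_reply(rfile)            # 220 greeting, often names the MTA software
    transcript.extend("S: " + line for line in banner)
    exchange("EHLO probe.invalid")
    exchange("VRFY postmaster")               # 252 here means VRFY will not confirm users
    exchange("MAIL FROM:<probe@probe.invalid>")
    results = {}
    for name in candidates:
        code = exchange(f"RCPT TO:<{name}@{domain}>")
        if code.startswith("25"):
            results[name] = "valid"           # caveat: a catch-all server answers 250 for everyone
        elif code.startswith("55"):
            results[name] = "invalid"
        else:
            results[name] = "unknown"         # 45x greylisting etc.: the server will not say
    exchange("QUIT")
    sock.close()
    return results, transcript


def run_demo(candidates=("postmaster", "alice", "bob")):
    """Start the toy server on an ephemeral loopback port and probe it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=toy_smtp_server, args=(listener,), daemon=True)
    worker.start()
    results, transcript = smtp_enumerate("127.0.0.1", port, TARGET_DOMAIN, candidates)
    worker.join(5)
    listener.close()
    return results, transcript


if __name__ == "__main__":
    results, transcript = run_demo()
    print("\n".join(transcript))
    print(results)
```

Against a real mail server, point smtp_enumerate at the host mxtoolbox.com reports on port 25 and read the transcript the way you would read a telnet session: the 220 banner and EHLO extensions identify the software, a 252 to VRFY tells you user verification is off, and the split between 250 and 550 on RCPT TO is what tells existing mailboxes from nonexistent ones. A server that answers 250 for every recipient is a catch-all and gives you nothing, and probing a mail server you do not own or have permission to test is itself noteworthy activity in its logs.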
Explanation / Answer
Every computer connected to the Internet has a unique identity.
A connected machine can be referred to in either of two ways:
By its IP address (a four-part number string such as "18.72.0.3").
By its host name, which consists of the machine name (e.g., "bitsy") and the domain name (e.g., "mit.edu"), written together as "bitsy.mit.edu".
The Internet Domain Name Service (DNS) can translate host names into equivalent IP addresses and vice versa, as needed by various Internet programs.
This document explains these identifiers, and describes how to find out the IP address and how to find out the host name and domain name of a specific computer.
IP Addresses
Every computer connected to the Internet is identified by a unique four-part string, known as its Internet Protocol (IP) address. (This describes IPv4; IPv6 addresses are 128 bits long and written in hexadecimal, and are outside the scope of this document.) An IP address consists of four numbers (each between 0 and 255) separated by periods. For example, one machine at MIT has the IP address 18.72.0.3.
While we tend to think of the IP address as four numbers separated by periods, the dotted-decimal string is only a human-readable way of writing a single 32-bit number. This is why each part can only go up to 255: each part, or "octet", is the decimal representation of one 8-bit byte of that number.
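Added example, mine rather than part of this answer or the assignment: the four-octet / 32-bit arithmetic just described is also what answers the WHOIS items in the question, the size of a reserved network block and its CIDR form. The script converts between dotted-decimal and the 32-bit integer, parses a WHOIS reply in the Key: value layout ARIN returns, and derives block size, CIDR prefixes, origin AS and contact addresses from it. The WHOIS text is constructed for the example (documentation address space 198.51.100.0/24, documentation ASN AS64496, example.test contacts). The key names NetRange, NetName, OriginAS and the *Email fields are the ones ARIN uses; RIPE-style output uses others such as inetnum, so treat the field names as an assumption to adjust per registry.

```python
import ipaddress

# Constructed WHOIS reply for this example, in the Key: value layout ARIN
# returns. The block, handle, ASN and contacts are documentation values
# (RFC 5737 / RFC 5398), not any real organization's allocation.
SAMPLE_WHOIS = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-NET
NetHandle:      NET-198-51-100-0-1
Organization:   Example Corp (EXAMP-1)
OriginAS:       AS64496
OrgAbuseEmail:  abuse@example.test
OrgTechEmail:   noc@example.test
"""


def ip_to_int(dotted):
    """Dotted-decimal IPv4 -> the single 32-bit number it encodes. Each octet
    is one byte, which is exactly why no part can exceed 255."""
    parts = dotted.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"octet out of range 0..255: {dotted!r}")
        value = (value << 8) | int(part)
    return value


def int_to_ip(value):
    """32-bit number -> dotted-decimal, the inverse of ip_to_int."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_whois(text):
    """'Key: value' lines -> dict of lists (WHOIS keys may repeat). Comment
    lines starting with '#' or '%' (terms of use etc.) are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def summarize_netblock(whois_text):
    """Report what the assignment asks for: block bounds, its size in
    addresses, CIDR prefixes, origin AS and contact e-mail addresses."""
    fields = parse_whois(whois_text)
    first_s, _, last_s = fields["NetRange"][0].partition("-")
    first, last = ip_to_int(first_s), ip_to_int(last_s)
    if last < first:
        raise ValueError("NetRange end precedes start")
    # A range is not always one CIDR block; summarize_address_range splits
    # e.g. 198.51.100.0-198.51.100.191 into a /25 plus a /26.
    cidrs = [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]
    return {
        "net_name": fields.get("NetName", [None])[0],
        "first": int_to_ip(first),
        "last": int_to_ip(last),
        "size": last - first + 1,
        "cidrs": cidrs,
        "origin_as": fields.get("OriginAS", []),
        "contacts": sorted(v for k, vs in fields.items() if k.endswith("Email") for v in vs),
    }


if __name__ == "__main__":
    for key, value in summarize_netblock(SAMPLE_WHOIS).items():
        print(f"{key:10} {value}")
```

In practice you paste the output of whois on the target's address into SAMPLE_WHOIS; the size field is what the assignment calls the size of the reserved network block, and the cidrs list is the same information in the notation routing tables use. WHOIS ranges are not always CIDR-aligned, which is why the range is summarized rather than assumed to be a single prefix.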
Host Names and Domain Names
Putting the machine name and the domain name together, as in "bitsy.mit.edu", gives the computer's host name. In this string, the first part ("bitsy") is the name of the machine itself, while everything else ("mit.edu") is the domain name.
The domain name is the name of a network associated with an organization. For sites in the United States, domain names typically take the form: org-name.org-type
The org-type is usually one of the generic top-level domains, such as edu (educational institutions), com (commercial), gov (U.S. government), mil (U.S. military), net (network providers) or org (other organizations).
For example, the host name www.cars.com refers to a World Wide Web server named "www" in the cars.com domain (the network associated with the cars automotive company).
Although a machine normally has only one IP address per network interface at any given time, a machine may have several host names (the additional host names are known as "aliases"). For example, MIT's official web service is run on a machine with the host name "arachnophobia.mit.edu" (IP address 18.69.0.27), but users refer to the machine by the alias host name "web.mit.edu".
Domain Name Service (DNS)
On the Internet, many communications programs deal only with IP addresses, yet allow their users to specify machines in terms of their host names (or alias host names); DNS resolves the name to the address for them (a "forward" lookup). Conversely, a program that already knows an IP address can ask DNS for the host name registered for that address (a "reverse" lookup), which also reveals the domain name of the network to which the machine is connected.
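Added example, not from the original document, showing what dig, host and nslookup do on the wire for the forward and reverse lookups just described, and so what the DNS enumeration step of the assignment is built on. The code builds a DNS query in wire format, parses a response (following the name-compression pointers real servers use), and forms the in-addr.arpa name a reverse lookup asks for. So that it runs offline it parses a constructed response for an assumed name www.example.test (a CNAME to web.example.test, then an A record for 198.51.100.7, all made up); against a real resolver the same query would be sent as one UDP datagram to port 53 with socket.sendto and the reply read with recv.

```python
import struct

QTYPE = {"A": 1, "CNAME": 5, "PTR": 12}


def encode_name(name):
    """'www.example.test' -> b'\\x03www\\x07example\\x04test\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def reverse_name(ipv4):
    """The owner name a PTR (reverse) lookup asks for: octets reversed under in-addr.arpa."""
    parts = ipv4.split(".")
    if len(parts) != 4:
        raise ValueError("not an IPv4 address")
    return ".".join(reversed(parts)) + ".in-addr.arpa"


def build_query(name, qtype, txid):
    """12-byte header (flags 0x0100 = RD, ask the resolver to recurse) + one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE[qtype], 1)


def decode_name(msg, offset):
    """Decode a name at offset, following 0xC0xx compression pointers.
    Returns (name, offset just past the name as written at the call site)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # pointer to an earlier copy of the suffix
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg, expected_txid):
    """Returns (rcode, [(owner, rtype, ttl, value)]) for the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply?)")
    offset = 12
    for _ in range(qdcount):                         # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        owner, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE["A"] and rdlen == 4:
            value = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype in (QTYPE["CNAME"], QTYPE["PTR"]):
            value, _ = decode_name(msg, offset)
        else:
            value = msg[offset:offset + rdlen].hex()
        offset += rdlen
        answers.append((owner, rtype, ttl, value))
    return flags & 0xF, answers


def constructed_response(query):
    """Made-up reply to 'www.example.test A', with compression pointers as a
    real server would use them: a CNAME to web.example.test, then its A record."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    question = encode_name("www.example.test") + struct.pack(">HH", 1, 1)
    qname_off = len(header)                          # 12: the question name starts here
    example_off = qname_off + 4                      # the "\x07example..." suffix inside it
    cname_rdata = b"\x03web" + struct.pack(">H", 0xC000 | example_off)
    ans1 = struct.pack(">H", 0xC000 | qname_off) + struct.pack(">HHIH", 5, 1, 300, len(cname_rdata)) + cname_rdata
    ans1_rdata_off = len(header) + len(question) + 2 + 10
    ans2 = struct.pack(">H", 0xC000 | ans1_rdata_off) + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([198, 51, 100, 7])
    return header + question + ans1 + ans2


def resolve(name, qtype, transport, txid=0x1234):
    """Build, send via `transport` (any callable bytes -> bytes) and parse. Against
    a real resolver use a random txid and source port, not a fixed one."""
    return parse_response(transport(build_query(name, qtype, txid)), txid)


if __name__ == "__main__":
    print(resolve("www.example.test", "A", constructed_response))
    print(reverse_name("18.72.0.3"))
```

The CNAME-then-A pair in the answer section is the same thing dig prints when a name is an alias, and reverse_name is exactly the name dig -x sends. The transaction-id check matters for the reasons the reverse lookup is useful to an attacker in the first place: a reply that does not match the query you sent is either stale or not from the server you asked.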
Find Out an IP Address
There are several ways to find out what IP address is assigned to a specific computer at MIT, for example by asking:
The local network administrator (who probably configured the machine).
The person in the department who pays the bills (the IP address will show up on the IS&T bill).