8 Linux Commands for Information Gathering

8 Linux Commands for Information Gathering 

by d3hydr8 > www.darkc0de.com
date: 01/06/08

1) dig

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.


---------------------------------------------------------------------

d3hydr8@linuxbox:~> dig google.com

; <<>> DiG 9.4.1-P1 <<>> google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8918
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             58      IN      A       64.233.187.99
google.com.             58      IN      A       64.233.167.99
google.com.             58      IN      A       72.14.207.99

;; AUTHORITY SECTION:
google.com.             345549  IN      NS      ns1.google.com.
google.com.             345549  IN      NS      ns2.google.com.
google.com.             345549  IN      NS      ns3.google.com.
google.com.             345549  IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         345549  IN      A       216.239.32.10
ns2.google.com.         345549  IN      A       216.239.34.10
ns3.google.com.         345549  IN      A       216.239.36.10
ns4.google.com.         345549  IN      A       216.239.38.10

;; Query time: 12 msec
;; SERVER: 24.158.63.8#53(24.158.63.8)
;; WHEN: Sun Jan  6 09:21:53 2008
;; MSG SIZE  rcvd: 212

---------------------------------------------------------------------

2) nslookup

Nslookup is a program to query Internet domain name servers. Examples of issuing a simple query: nslookup name nslookup IP_address nslookup name server nslookup IP_address server


---------------------------------------------------------------------
d3hydr8@linuxbox:~> nslookup 72.14.207.99
Server:         24.173.63.8
Address:        24.173.63.8#53

Non-authoritative answer:
99.207.14.72.in-addr.arpa       name = eh-in-f99.google.com.

Authoritative answers can be found from:
207.14.72.in-addr.arpa  nameserver = ns3.google.com.
207.14.72.in-addr.arpa  nameserver = ns4.google.com.
207.14.72.in-addr.arpa  nameserver = ns1.google.com.
207.14.72.in-addr.arpa  nameserver = ns2.google.com.
ns3.google.com  internet address = 216.239.36.10
ns4.google.com  internet address = 216.239.38.10
ns1.google.com  internet address = 216.239.32.10
ns2.google.com  internet address = 216.239.34.10

---------------------------------------------------------------------

3) host

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, host prints a short summary of its command line arguments and options.


---------------------------------------------------------------------

d3hydr8@linuxbox:~> host google.com
google.com has address 64.233.167.99
google.com has address 72.14.207.99
google.com has address 64.233.187.99
google.com mail is handled by 10 smtp2.google.com.
google.com mail is handled by 10 smtp3.google.com.
google.com mail is handled by 10 smtp4.google.com.
google.com mail is handled by 10 smtp1.google.com.

---------------------------------------------------------------------

4) whois

whois searches for an object in a RFC 3912 database.

This version of the whois client tries to guess the right server to ask for the specified object. If no guess can be made it will connect to whois.networksolutions.com for NIC handles or whois.arin.net for IPv4 addresses and network names.


---------------------------------------------------------------------

d3hydr8@linuxbox:~> whois syr.edu

Domain Name: SYR.EDU

Registrant:
   Syracuse University
   Room 200 Machinery Hall
   Syracuse, NY 13244
   UNITED STATES

Administrative Contact:
   Susan Heeley
   Senior Administrator
   Syracuse University
   IT Dept.
   Center for Science and Technology
   Syracuse, NY 13244
   UNITED STATES
   (315) 443-2716
   sheeley@syr.edu

Technical Contact:

   NISC
   Syracuse University
   Room 200 Machinery Hall
   Syracuse, NY 13244
   UNITED STATES
   (315) 443-2677
   nisc@syr.edu

Name Servers:
   LURCH.CNS.SYR.EDU      128.230.12.5
   ICARUS.SYR.EDU         128.230.1.49
   SUEC1.SYR.EDU          209.164.131.32
   NS3.BROADWING.NET
   NS4.BROADWING.NET

Domain record activated:    02-Sep-1986
Domain record last updated: 11-Jul-2007
Domain expires:             31-Jul-2008

---------------------------------------------------------------------

5) nmap

* we all know this one

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing.


---------------------------------------------------------------------

linuxbox:/home/d3hydr8 # nmap -P0 -sS syr.edu

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-06 09:45 EST
Interesting ports on cwis01.syr.edu (128.230.18.35):
Not shown: 1656 closed ports, 49 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
4045/tcp  open  lockd
7937/tcp  open  nsrexecd
7938/tcp  open  lgtomapper
32771/tcp open  sometimes-rpc5
32772/tcp open  sometimes-rpc7

Nmap done: 1 IP address (1 host up) scanned in 215.657 seconds

---------------------------------------------------------------------

6) ping

ping uses the ICMP protocol's mandatory ECHO_REQUEST datagram to elicit an ICMP ECHO_RESPONSE from a host or gateway. ECHO_REQUEST datagrams (``pings'') have an IP and ICMP header, followed by a struct timeval and then an arbitrary number of ``pad'' bytes used to fill out the packet.


---------------------------------------------------------------------

linuxbox:/home/d3hydr8 # ping -c 2 128.230.18.35
PING 128.230.18.35 (128.230.18.35) 56(84) bytes of data.
64 bytes from 128.230.18.35: icmp_seq=1 ttl=240 time=70.6 ms
64 bytes from 128.230.18.35: icmp_seq=2 ttl=240 time=69.6 ms

--- 128.230.18.35 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 69.685/70.155/70.625/0.470 ms

---------------------------------------------------------------------

7) traceroute (mtr)

As mtr starts, it investigates the network connection between the host mtr runs on and HOSTNAME. by sending packets with pur‐ posly low TTLs. It continues to send packets with low TTL, noting the response time of the intervening routers. This allows mtr to print the response percentage and response times of the internet route to HOSTNAME. A sudden increase in packetloss or response time is often an indication of a bad (or simply overloaded) link.


---------------------------------------------------------------------

linuxbox:/home/d3hydr8 # traceroute 128.230.18.35
traceroute to 128.230.18.35 (128.230.18.35), 30 hops max, 40 byte packets
 1  192.168.1.1 (192.168.1.1)  1.934 ms   1.855 ms   2.097 ms
 2  10.114.0.1 (10.114.0.1)  10.197 ms   12.492 ms   15.662 ms
 3  172.22.5.13 (172.22.5.13)  16.707 ms   16.737 ms   8.981 ms
 4  172.22.5.69 (172.22.5.69)  8.570 ms   12.523 ms   12.354 ms
 5  172.22.32.114 (172.22.32.114)  14.607 ms   21.783 ms   11.076 ms
 6  172.22.32.106 (172.22.32.106)  14.286 ms   14.387 ms   14.173 ms
 7  12.86.87.29 (12.86.87.29)  18.481 ms   21.724 ms   14.085 ms
 8  tbr2.attga.ip.att.net (12.122.96.74)  36.853 ms   40.701 ms   41.588 ms
 9  tbr1.dlstx.ip.att.net (12.122.2.89)  46.345 ms   44.641 ms   47.791 ms
10  ggr3.dlstx.ip.att.net (12.123.16.193)  45.555 ms   44.932 ms   44.856 ms
11  br2-a3120s2.attga.ip.att.net (192.205.33.206)  46.336 ms   45.324 ms   35.904 ms
12  66.192.240.226 (66.192.240.226)  64.172 ms   63.947 ms   109.761 ms
13  64-132-176-170.static.twtelecom.net (64.132.176.170)  74.404 ms   77.708 ms   78.053 ms
14  128.230.61.1 (128.230.61.1)  78.784 ms   76.568 ms   78.336 ms
15  c6509r-srv.syr.edu (128.230.61.58)  77.995 ms   78.127 ms   78.214 ms
16  cwis01.syr.edu (128.230.18.35)  78.310 ms   70.660 ms   74.593 ms

---------------------------------------------------------------------

8) telnet

The telnet command is used to communicate with another host using the TELNET protocol. If telnet is invoked without the host argument, it enters command mode, indicated by its prompt (telnet>). In this mode, it accepts and executes the commands listed below. If it is invoked with arguments, it performs an open command with those arguments.


---------------------------------------------------------------------

d3hydr8@linuxbox:~> telnet os.edu 21
Trying 209.34.161.32...
Connected to os.edu.
Escape character is '^]'.
220 FTP server...

---------------------------------------------------------------------

I hope you learned something about some default tools linux gives and how
they can be used for information gathering.
visit darkc0de.com, thanks d3hydr8[at]darkc0de[dot]com