Lab 6

The document outlines the aim, objectives, and outcomes of studying network reconnaissance tools such as WHOIS, dig, traceroute, and nslookup for gathering information about networks and domain registrations. It provides detailed explanations of each tool, including their functions and examples of usage. The learner will gain the ability to utilize these tools for effective network analysis.

Uploaded by Waqas Jutt

Aim: Study the use of network reconnaissance tools like WHOIS, dig, traceroute and nslookup to gather information about networks and domain registrations.

Objectives: To know how to gather information about networks by using different network reconnaissance tools.

Outcomes: The learner will be able to use network-based tools for network analysis.

1. Whois - whois searches for an object in a WHOIS database. WHOIS is a query and response
protocol that is widely used for querying databases that store the registered users of an Internet
resource, such as a domain name or an IP address block, but is also used for a wider range of other
information. Most modern versions of whois try to guess the right server to ask for the specified
object. If no guess can be made, whois will connect to whois.networksolutions.com for NIC
handles or whois.arin.net for IPv4 addresses and network names.
Examples:
Obtaining the domain WHOIS record for computersolutions.com
Querying WHOIS in google search engine

Hardware / Software Required: WHOIS client

Use an online website (instead of installing a WHOIS client on Windows): https://whois.domaintools.com/
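The query/response exchange described above, as an added example that is not part of this lab handout: a minimal WHOIS client that sends the object name followed by CRLF over TCP port 43 and reads the reply until the server closes the connection. Server selection follows the fallback rule in the text (ARIN for IPv4 addresses and networks, Network Solutions for NIC handles); routing domain names to whois.iana.org and reading the referral from its reply is this example's own assumption, not something the handout states.

```python
# Added example (not from the lab handout): a minimal WHOIS client for the
# protocol described above: send the object name plus CRLF over TCP port 43,
# then read the reply until the server closes the connection.
import ipaddress
import re
import socket
from typing import Optional

WHOIS_PORT = 43
NIC_HANDLE = re.compile(r"^[A-Z][A-Z0-9]*(-[A-Z]+)?$", re.IGNORECASE)

def choose_server(obj: str) -> str:
    """Fallback rule from the text; the IANA step for domain names is an assumption."""
    try:
        ipaddress.IPv4Network(obj, strict=False)  # accepts 1.2.3.4 and 1.2.3.0/24
        return "whois.arin.net"
    except ValueError:
        pass
    if "." in obj:
        return "whois.iana.org"  # its reply names the registry server for the TLD
    if NIC_HANDLE.match(obj):
        return "whois.networksolutions.com"
    raise ValueError(f"cannot guess a WHOIS server for {obj!r}")

def build_query(obj: str) -> bytes:
    """Wire format of a WHOIS request: the object name followed by CRLF."""
    if "\r" in obj or "\n" in obj:
        raise ValueError("object must not contain line breaks")
    return obj.encode("ascii") + b"\r\n"

def parse_referral(reply: str) -> Optional[str]:
    """Pull the 'whois:' (or 'refer:') server out of an IANA-style reply."""
    for line in reply.splitlines():
        m = re.match(r"(?:whois|refer):\s*(\S+)", line.strip(), re.IGNORECASE)
        if m:
            return m.group(1)
    return None

def whois_lookup(obj: str, server: Optional[str] = None, timeout: float = 10.0) -> str:
    """Send one query and return the whole text reply (needs network access)."""
    server = server or choose_server(obj)
    chunks = []
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(build_query(obj))
        while True:
            data = sock.recv(4096)  # an empty read means the server closed
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")
```

For a domain, `whois_lookup("computersolutions.com")` returns the IANA reply; feed it to `parse_referral` and call `whois_lookup` again with that server to get the registrar record.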

2. Dig - Dig is a networking tool that can query DNS servers for information. It can be very helpful
for diagnosing problems with domain pointing and is a good way to verify that your configuration is
working. The most basic way to use dig is to specify the domain we wish to query: dig example.com.

Use an online website (instead of installing the BIND tools on Windows): https://digwebinterface.com/

3. Traceroute / Tracert - Traceroute prints the route that packets take to a network host. The traceroute utility uses the TTL field in the IP header to achieve this. For users who are new to the TTL field, it describes how many hops a particular packet may take while travelling on the network, so it effectively limits the lifetime of the packet on the network. This field is usually set to 32 or 64. Each time the packet is handled by an intermediate router, the router decreases the TTL value by 1. When a router finds a TTL value of 1 in a received packet, that packet is not forwarded but discarded. After discarding the packet, the router sends an ICMP "Time exceeded" error message back to the source from which the packet originated. The ICMP packet that is sent back contains the IP address of the router. So traceroute operates by sending packets with a TTL value starting at 1 and incrementing it by one each time. Each time a router receives the packet, it checks the TTL field; if the TTL is 1, it discards the packet and sends the ICMP error packet containing its IP address, which is exactly what traceroute needs. In this way traceroute incrementally collects the IPs of all the routers between the source and the destination.
Example: traceroute example.com
traceroute to example.com (64.13.192.208), 64 hops max, 40 byte packets
 1 72.10.62.1 (72.10.62.1) 1.000 ms 0.739 ms 0.702 ms
 2 10.101.248.1 (10.101.248.1) 0.683 ms 0.385 ms 0.315 ms
 3 10.104.65.161 (10.104.65.161) 0.791 ms 0.703 ms 0.686 ms
 4 10.104.65.161 (10.104.65.161) 0.791 ms 0.703 ms 0.686 ms
 5 10.0.10.33 (10.0.10.33) 2.652 ms 2.260 ms 5.353 ms
 6 acmkokeaig.gs01.gridserver.com (64.13.192.208) 3.384 ms 8.001 ms 2.439 ms
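The TTL mechanism explained above, as an added example that is not part of this lab handout: a simulation in which each router decrements the TTL, drops a packet that arrives with TTL 1 and answers with its own address, and a probing loop that raises the TTL from 1 until the destination replies. The `Router` class and `sends_icmp` flag are this example's own constructs; a router with `sends_icmp=False` models a hop that stays silent, which real traceroute prints as `*`. The addresses are taken from the sample output above.

```python
# Added example (not from the lab handout): a simulation of the TTL
# mechanism traceroute relies on. Router and sends_icmp are constructs here.
from typing import List, Optional, Tuple

Hop = Tuple[int, Optional[str]]  # (TTL used, responding IP or None for "*")

class Router:
    """A router that decrements TTL and either forwards the packet or drops
    it and reports ICMP Time exceeded carrying its own address."""

    def __init__(self, ip: str, sends_icmp: bool = True):
        self.ip = ip
        self.sends_icmp = sends_icmp  # False: drops silently, no ICMP reply

def send_probe(path: List[Router], dest: str, ttl: int) -> Optional[str]:
    """Send one probe with the given TTL along PATH toward DEST and return
    the address that answers it (None when nothing comes back)."""
    for router in path:
        if ttl == 1:  # as the text says: TTL 1 on arrival -> discard and report
            return router.ip if router.sends_icmp else None
        ttl -= 1      # otherwise decrement and forward to the next hop
    return dest       # survived every router: the destination host replies

def traceroute(path: List[Router], dest: str, max_hops: int = 64) -> List[Hop]:
    """Probe with TTL 1, 2, 3, ... until the destination answers or max_hops
    is reached; each ICMP reply reveals one router on the path."""
    hops: List[Hop] = []
    for ttl in range(1, max_hops + 1):
        responder = send_probe(path, dest, ttl)
        hops.append((ttl, responder))
        if responder == dest:
            break
    return hops

def render(hops: List[Hop]) -> str:
    """Format hops the way traceroute prints them, with '*' for silent hops."""
    return "\n".join(f"{ttl:2d}  {ip or '*'}" for ttl, ip in hops)

# Sample path using addresses from the traceroute output in the text; the
# third hop is made silent to show how a non-replying router appears.
SAMPLE_PATH = [Router("72.10.62.1"), Router("10.101.248.1"),
               Router("10.104.65.161", sends_icmp=False), Router("10.0.10.33")]

if __name__ == "__main__":
    print(render(traceroute(SAMPLE_PATH, "64.13.192.208")))
```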

4. Nslookup - The nslookup command is used to query internet name servers interactively for
information. nslookup, which stands for "name server lookup", is a useful tool for finding out
information about a named domain. By default, nslookup will translate a domain name to an IP address
(or vice versa). For instance, to find out what the IP address of microsoft.com is, you could run the
command:

nslookup microsoft.com
Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
Name:    microsoft.com
Address: 134.170.185.46
Name:    microsoft.com
Address: 134.170.188.221
Here, 8.8.8.8 is the address of our system's Domain Name Server. This is the server our system is configured to use to translate domain names into IP addresses. "#53" indicates that we are communicating with it on port 53, which is the standard port number domain name servers use to accept queries. Below this, we have our lookup information for microsoft.com. Our name server returned two entries, 134.170.185.46 and 134.170.188.221. This indicates that microsoft.com uses a round-robin setup to distribute server load. When you access microsoft.com, you may be directed to either of these servers and your packets will be routed to the correct destination. You can see that we have received a "Non-authoritative answer" to our query. An answer is "authoritative" only if our DNS server has the complete zone file information for the domain in question. More often, our DNS server will have a cache of information representing the last authoritative answer it received when it made a similar query. This information is passed on to you, but the server qualifies it as "non-authoritative": the information was recently received from an authoritative source, but the DNS server is not itself that authority.
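The reading of nslookup output given above, as an added example that is not part of this lab handout: a parser that pulls the resolver address, its port, the authoritative/non-authoritative status and the returned address records out of the Unix-style output shown, and flags a round-robin answer when more than one address comes back. `LookupResult`, `parse_nslookup` and `SAMPLE` are this example's own names; the sample text is copied from the output in the text, and Windows-style output with an "Addresses:" block is not handled.

```python
# Added example (not from the lab handout): a parser for nslookup output in
# the Unix-style layout shown above, extracting the resolver used, its port,
# whether the answer was authoritative, and the address records returned.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class LookupResult:
    server: Optional[str] = None    # resolver, from "Address: host#port" before the answer
    port: Optional[int] = None
    authoritative: bool = True      # cleared by a "Non-authoritative answer:" header
    addresses: List[str] = field(default_factory=list)

    def round_robin(self) -> bool:
        # Several A records for one name: the load-distribution setup the text describes.
        return len(self.addresses) > 1

def parse_nslookup(text: str) -> LookupResult:
    r = LookupResult()
    in_answer = False  # "Address:" is the resolver before the answer, a record after it
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("non-authoritative answer"):
            r.authoritative = False  # served from the resolver's cache, not its own zone
            in_answer = True
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "name":
            in_answer = True  # an authoritative answer has no header, only Name/Address
        elif key == "address" and in_answer:
            r.addresses.append(value)
        elif key == "address":
            host, _, port = value.partition("#")  # "#53" is the resolver's port
            r.server, r.port = host, int(port) if port else 53
    return r

SAMPLE = """Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: microsoft.com
Address: 134.170.185.46
Name: microsoft.com
Address: 134.170.188.221
"""  # copied from the nslookup output in the text
```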
