


Name:                           Allen Galvan
Due:                            27 October 2005
CSFI 214:                       Information Security Systems Analysis – Fall 2005
Lab #2:                         Reconnaissance (Fingerprinting),
                                Passive Information Gathering
                                The Analysis of Leaked Network Security Information




Last printed 10/26/2005 1:40:00 a10/p10                                                Page 1



Exercise 1 – Internet Service Registration .... 3
Exercise 2 – Domain Name System .... 4
       Nslookup (Authoritative & Non-Authoritative), Network-Tools on DNS Servers .... 4
       Dig (Unix tool to query DNS Servers) .... 5
       Zone Transfer .... 5
       Brute Force Reverse DNS Lookup .... 6
Exercise 3 – Search Engines .... 7
Exercise 4 – E Mail Systems .... 8
Exercise 5 – Naming Conventions .... 9
Exercise 6 – Website Analysis .... 10
Notes .... 13
Appendix .... 14
Exercise 1 – Internet Service Registration .... 15
Exercise 2 – Domain Name System .... 15
       Nslookup (Authoritative) using Network-Tools on ccc.edu .... 15
       Nslookup (Non-Authoritative) using Network-Tools on ccc.edu .... 17
       Nslookup (Authoritative) using Network-Tools on www.microsoft.com .... 18
       Nslookup (Non-Authoritative) using Network-Tools on microsoft.com .... 19
       Zone-Transfer of nexiliscom.com .... 21
       Zone-Transfer of microsoft.com .... 23
Exercise 3 – Search Engines .... 24
       Netcraft Search Web by Domain for .google.com .... 24
Exercise 4 – E Mail Systems .... 25
       Email Headers .... 25
Exercise 5 – Naming Conventions .... 27
       Tracert of www.ccc.edu .... 27
Exercise 6 – Website Analysis .... 27







                                  Exercise 1 – Internet Service Registration

Internet Service Registration information gathering finds information based on global
registration and maintenance of IP address information. Whois is a service that queries top-
level domains for information on a domain name. There are several Whois tools provided by
Network Solutions, Arin, Geektools, and Sam Spade. Using these tools, the whois
information was looked up for the websites below:

          Ccc.edu
          Microsoft.com
          Citibank.com
          Thesportsauthority.com
          Baitnet.com

Answer the following questions:
    What kinds of information are available for social engineering attacks?
          o The actual name of the Registrant.
          o An actual address.
          o An actual phone number.
    What kinds of information are available for technical attacks?
          o The Maintainer (MNTNER) password is information that is available for
               technical attacks. If the password is weak, it could be broken, and this would
               lead to attacks such as DoS, URL spoofing, and identity theft.
    Who owns the netblock (IP space)?
          o The netblock is owned by the organization name.
    What are the authoritative DNS servers?
          o A server that knows the content of a DNS zone from local knowledge, and
               thus can answer queries about that zone without needing to query other
               servers.
          o The authoritative servers are given in an authoritative query using the
               Network Service-based Whois lookup tool at
               http://network-tools.com/nslook/Default.asp
    What are the IP addresses of those servers?
          o The IP addresses of the servers are specified by the parameter inetnum, in a
               Network Service-based Whois lookup.

The following table specifies information leakage vulnerabilities, possible attacks, and
possible countermeasures.

         Information Leakage   Attack                      Countermeasures
         ISP                   DNS Server Attack.          Pick an ISP that has well secured
                               Man in the Middle Attack.
                               Zone Transfers.
         Address Information   Social Engineering Scams    Pick PO Box, or use Accountant
                                                           Address.
         Real Names            Social Engineering Scams    Pick generic function names, &
                                                           Pick generic email names.
         Phone Numbers         Social Engineering Scams    Use a receptionist general number.
                                                           Have receptionist take a message.
         MNTNER Auth           Unauthorized changes to     Choose at least PGP authorization.
                               Registration. DoS. Url      Choose strong passwords.
                               Spoofing

                    Whois Information Leakage, Attack & Countermeasures Summary
                                               Figure 1

                                          Exercise 2 – Domain Name System

Domain Name System (DNS) information gathering provides information on local and
global registration and maintenance of host naming. Use service-based Whois
(http://network-tools.com/nslook/Default.asp) to find record information for the
websites below:
          Nslookup (Authoritative & Non-Authoritative), Network-Tools on DNS Servers


          http://ccc.edu/
               o A non-authoritative DNS server
               o An authoritative DNS server
               o Are there any differences?
                        Nslookup, using http://network-tools.com/nslook/Default.asp,
                           retrieved more information in the authoritative response
                           than in the non-authoritative response. Specifically, the
                           authoritative response listed more Name Servers (type=NS) and
                           more Authoritative (Canonical or Alias) Servers (type=A).
               o Capture the output of each query.
                        The output was captured under Exercise 2 on page 15.

          http://www.microsoft.com/
               o A non-authoritative DNS server
               o An authoritative DNS server
               o Are there any differences?
                      Nslookup, using http://network-tools.com/nslook/Default.asp,
                        retrieved more information in the authoritative response
                        than in the non-authoritative response. Specifically, the
                        authoritative response listed more Name Servers (type=NS) and
                        more Authoritative (Canonical or Alias) Servers (type=A). The
                        authoritative response also identified the primary DNS server
                        (Type=SOA) and all the Mail Servers (Type=MX).
               o Capture the output of each query.
               o Why are there multiple mail servers?


                        There are multiple mail servers for load balancing and as redundant
                        backups of each other.
                o Why are there differences with IP addresses?
                     There are different IP addresses for several reasons:
                             Load Balancing.
                             Redundant Backup.
                             To Accommodate different services to different customers.
                             Disaster Recovery.
                             To support Regional Branch Office Operations.
                                          Dig (Unix tool to query DNS Servers)
Dig is the Unix-based Nslookup DNS query tool. Using Dig
(http://www.ip-plus.net/tools/dig_dns_set.en.html), the domain nexiliscom.com is queried
against the DNS server 209.180.121.65. What kind of interesting information is learned from here?

         The authoritative servers, mail servers, and primary DNS server are displayed by
          this Dig query. The operating system is Linux. The network is sharing a printer.

                                                     Zone Transfer
A zone transfer is a special service in which DNS servers exchange the authoritative
records for a domain between primary and secondary servers. Any client system can also
query a DNS server and request a zone transfer. Using Dig
(http://www.ip-plus.net/tools/dig_dns_set.en.html), the domain nexiliscom.com is queried
against the DNS server 209.180.121.65.

         What are the names and IP addresses of the systems?
            o Ns1.nexiliscom.com              209.180.121.65
            o Ns2.nexiliscom.com              209.180.121.67
            o revolvstore.nexiliscom.com 209.180.121.65
            o There were many other IP addresses listed on p.22 under the “Zone-
                Transfer of nexiliscom.com”.

         Can you guess what each system does?
             o The primary name server is given: ns1.nexiliscom.com; & the IP address is
                209.180.121.65.
             o Also the zone transfer associated the primary name server
                ns1.nexiliscom.com with postmaster.nexiliscom.com. The embedded word
                of “postmaster” implies an Email function.
             o The below Zone Transfer information suggests an Email function, regarding
                the words “mail,” “postmaster,” “newmail”:
                     “mail.nexiliscom.com address 209.180.121.65 maps to
                        ns1.nexiliscom.com,”
                     “ns1.nexiliscom.com postmaster.nexiliscom.com”
                     “newmail.nexiliscom.com address 64.119.36.25”




                o The below Zone Transfer information suggests possible services. The
                  suggestive word is store.
                      “revolvstore.nexiliscom.com address 209.180.121.65”
                o The below Zone Transfer information suggests that it might be a web server.
                  The suggestive word is web.
                      “webtoo.nexiliscom.com address 64.119.36.28”

         Try this against the domain of Microsoft.com, using DNS Server NS1.MSFT.NET
             o Can a Zone Transfer be performed?
                       Yes, a Zone Transfer was performed.
             o Why or why not?
                       Yes, a Zone Transfer was performed, but it seems like it yielded less
                          information. The usual authoritative and name server information
                          was available, as in authoritative and non-authoritative
                          Whois lookups.

         How could an attacker use a Zone Transfer?
            o First, the host name (e.g. postmaster.nexiliscom.com) suggests its
                function through the embedded word “postmaster.”
            o Second, these suggestive host names (e.g. “mail.nexiliscom.com address
                209.180.121.65”) are associated with an IP address. One could enter that IP
                address into a browser to see the web site, and infer its function.

                                          Brute Force Reverse DNS Lookup
Do a brute force lookup on all of the IP addresses in the Class C space of www.ccc.edu, and
answer the following questions.

         Can you figure out how the batch file does its work?
             o The input file is ips.txt. All IP addresses to look up are entered into this
                file. First, all the IP addresses are automatically written into the output file
                dsnout.txt. Next, if nslookup finds a “hot” existing IP address, it looks for a
                string called “Name” and outputs the parameter variable, with the reverse
                lookup of the IP (e.g. 206.166.50.100) into its corresponding host address
                (e.g. dns.lth1.k12.il.us).

         What use is the output?
            o The script quickly and automatically searches an IP range and identifies
                “hot” existing IP addresses.
            o It identifies each existing IP address along with its reverse lookup host
                address. It basically does an nslookup.
            o This is the 1st stage of identifying places to look (IP addresses) to start to find
                any vulnerabilities.

         What else do you know about the target network?




                o It is possible to run a script on an IP address range based on the Primary DNS
                  server (type=SOA). This information was divulged by the nslookup tool of
                  network-tools.
                o One could start with all the name server and authoritative and non-
                  authoritative server information from all the public whois and nslookup
                  information, configure an IP address block (e.g. 206.166.50.0-
                  206.166.50.254), and search for all “hot” existing host IP addresses, including
                  servers and PCs. The question always in mind would be, what hosts are
                  vulnerable?

          Information Leakage   Attack                                 Countermeasures
          Zone Transfer         A zone transfer could be downloaded    Only allow zone transfers to
                                to yield the entire network            trusted systems. Configure
                                configuration, as the initial stage    the server to only allow
                                of a DoS, DDoS, or social              certain IP addresses. Restrict
                                engineering attack.                    port 53.
          Reverse Lookup        Given netblock information, it is      The server should be
                                possible to reverse lookup host        configured to only allow
                                names. This could be the first stage   access on a restricted basis
                                of a DoS, DDoS, or social              and only to trusted system IP
                                engineering attack.                    addresses.



                                          Exercise 3 – Search Engines

Search engines gather information on an organization and its employees.

Go to the web site www.netcraft.com, and answer the following questions, regarding
“.google.com” (remembering to include the dot preceding Google.com):

         How many systems are there?
            o The search found 144 systems.
         Which systems are NOT using Linux operating systems?
            o There are some systems that are designated as “unknown” operating systems.
         Which systems are NOT using Google netblocks?
            o All the systems yielded information on Google netblocks.
         What kinds of information can you learn from the site information link?
            o Domain: google.com
            o NetBlock Owner: Google Inc.
            o Domain Registry: markmonitor.com
            o Site DNS name: http://1.qos.google.com
            o IP address 66.102.9.147




Go to the web site www.netcraft.com, and answer the following questions, regarding
“.ccc.edu” (remembering to include the dot preceding ccc.edu):
     Of the servers owned by City Colleges in Chicago, are there any differences between
        this list and the list found doing the brute force DNS lookup?


             Information Leakage   Attacks                           Countermeasures
             Cache Information     Cache pages and information       Control the cache information
                                   could be retrieved as the first   and meta data to limit third
                                   stage of a DoS, DDoS, or social   party caching.
                                   engineering attack.
             Error Messages        Information on hardware           Make error messages generic
                                   configuration and component       without hardware or
                                   information could be leaked in    application information
                                   the error messages. This could    embedded in the message.
                                   be used as the first stage of a
                                   DoS, DDoS, or social
                                   engineering attack.
             Company Confidential  Employees could leak              Train employees to not be
             Information made      information that could be used    allowed to leak confidential
             Public                as the first stage of a DoS,      company information into
                                   DDoS, or social engineering       the public domain.
                                   attack.
             Public Documents      Company documents could be        If company documents are to
                                   made public that leak             be posted publicly on the
                                   information that could be used    web, remove all sensitive
                                   as the first stage of a DoS,      internal information.
                                   DDoS, or social engineering
                                   attack.
             The robots.txt file   An attacker could get             Restrict access to this file.
                                   information on a company’s        Restrict the information in
                                   system, with which to             this file.
                                   perpetrate a DoS, DDoS, or
                                   social engineering attack.


                                          Exercise 4 – E Mail Systems

Email system information gathering uses information found within the Email system and
Email messages.

Go to http://www.spamcop.net/fom-serve/cache/19.html, to discover how to look at headers
regarding email. Send an email from your school email account to your personal email
account. Look at the headers and answer the following questions:


         What are the IP addresses of the systems that handled this mail?
            o Received: from 207.115.20.36 (flpvm06.prodigy.net)
            o Received: from student.ccc.edu (student.ccc.edu [216.125.49.18])
                (scholarmail.ccc.edu) Apache/2.0.49a NETWARE mod_jk/1.2.6-dev
            o by flpvm06.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id
                j8R3rwmF014910
            o Received: from agalvan1 [216.125.49.114] by student.ccc.edu ()

         What kinds of servers handled the mail?
            o SMTP Servers
            o Received: from student.ccc.edu (student.ccc.edu [216.125.49.18])
                (scholarmail.ccc.edu) Apache/2.0.49a NETWARE mod_jk/1.2.6-dev

         Is the same path taken both ways?
               o Yes, the same path is taken both ways.

         Can you tell what kind of email systems handled the messages?
             o SMTP Servers

Using the list of possible SMTP mail systems, grab ccc.edu’s mail server banner.
       o I couldn’t find the ccc.edu server banner.
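
The header walk from this exercise can also be run as an audit of what an organization's outbound mail discloses. The following Python is an added example, not part of the original lab report: the sample message is constructed (its Received lines are reassembled from the fragments quoted above, the From/To/Subject lines are invented), and `received_hops` and `disclosure_findings` are names made up for the example.

```python
import email
import ipaddress
import re

# Constructed sample: the Received lines are reassembled from the fragments
# quoted in the answers above; the remaining header lines are invented.
SAMPLE = (
    "Received: from student.ccc.edu (student.ccc.edu [216.125.49.18])\n"
    "\tby flpvm06.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id j8R3rwmF014910\n"
    "Received: from agalvan1 [216.125.49.114] by student.ccc.edu\n"
    "\t(scholarmail.ccc.edu) Apache/2.0.49a NETWARE mod_jk/1.2.6-dev\n"
    "From: student@example.org\n"
    "To: recipient@example.net\n"
    "Subject: header test\n"
    "\n"
    "test body\n"
)

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BANNER_RE = re.compile(r"\b([A-Za-z]\w*)/(\d[\w.\-]*)")  # product/version tokens


def received_hops(raw_message):
    """Parse every Received header into a dict, oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each relay prepends its own Received line, so reverse for transit order.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # undo header folding
        sender = re.match(r"from\s+(\S+)", text)
        receiver = re.search(r"\bby\s+(\S+)", text)
        addresses = []
        for candidate in IP_RE.findall(text):
            try:
                addresses.append(str(ipaddress.ip_address(candidate)))
            except ValueError:
                continue  # looked like an address but is not a valid one
        hops.append({
            "from": sender.group(1) if sender else None,
            "by": receiver.group(1) if receiver else None,
            "ips": addresses,
            "software": ["/".join(m) for m in BANNER_RE.findall(text)],
        })
    return hops


def in_domain(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def disclosure_findings(hops, org_domain):
    """List what the hops received inside org_domain reveal to the recipient."""
    findings = []
    for hop in hops:
        if not in_domain(hop["by"], org_domain):
            continue  # a hop received by an outside relay shows only public hosts
        if hop["from"] and "." not in hop["from"]:
            findings.append(("client-name", hop["from"]))  # workstation or user name
        findings.extend(("client-address", ip) for ip in hop["ips"])
        findings.extend(("software-version", s) for s in hop["software"])
    return findings


if __name__ == "__main__":
    for kind, value in disclosure_findings(received_hops(SAMPLE), "ccc.edu"):
        print(f"{kind:17} {value}")
```

Each finding is a candidate for header rewriting or banner suppression on the outbound mail gateway.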


                                          Exercise 5 – Naming Conventions

Naming conventions describe how an organization categorizes its host devices.

At a DOS command line prompt type the command “tracert www.ccc.edu” and answer the
following questions.

         Can you deduce the naming convention (if any)?
             o The physical location is used in the naming convention.
             o The owner company is used in the naming convention.
             o One of the routers indicates it could be part of a Virtual LAN (VLAN).

         Can you deduce what operating system is being used from the name?
             o The Operating system might be VLAN 5.0

         Can you deduce the physical location of the host from the name?
             o These routers are all in Chicago
                     Ads1-68-72-175-254.ds1.chcgil.ameritech.net
                     Dist2-vlan50.chcgil.ameritech.net
                     Bb2-g7-0.chcgil.ameritech.net
                     Ex1-p0-0.eqchil.sbcglobal.net
                     Chcgil1wcx1-pos9-0-oc48.wcg.net
                     Chcgil1wxc1-dept-central-mgmt.wcg.net
                     Ge-1-0-ans-sob1.chicago.lincon.net
                     Ge2-1.sob11.chicago.lincon.net

         Can you determine which device is the perimeter router?
             o 192.168.1.1 is my originating perimeter router
             o 206.166.90.246 is the target perimeter router

         Which netblock (IP block) is owned by the target?
            o Illinois Century Network owns the netblock.


             Information Leakage   Attack                        Countermeasures
             Device Location       Could be used to determine    Refrain from naming devices
                                   the network configuration     with location information.
                                   and lead to DoS, DDoS or
                                   stealing financial or
                                   confidential information.
             Device Function       Could be used to determine    Refrain from naming
                                   the network configuration     conventions with function
                                   and lead to DoS, DDoS or      information.
                                   stealing financial or
                                   confidential information.
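
The inferences drawn from host names in Exercise 2 (zone transfer and reverse lookup) and in this exercise can be turned into a check an administrator runs over reverse-lookup output for their own netblock. The following Python is an added example, not part of the original lab report: it keys on the "Name" line the way the batch file in Exercise 2 is described as doing, then flags names that give away function, topology or location. The resolver lines and failed lookup in the sample, the word list and the `own_labels` simplification are assumptions.

```python
import re

# Constructed nslookup-style output. The two name/address pairs are quoted in
# Exercise 2; the resolver lines and the failed lookup are invented.
SAMPLE_OUTPUT = """\
Server:  resolver.example.net
Address:  192.0.2.53

Name:    ns1.nexiliscom.com
Address:  209.180.121.65

Server:  resolver.example.net
Address:  192.0.2.53

*** resolver.example.net can't find 192.0.2.200: Non-existent domain
Server:  resolver.example.net
Address:  192.0.2.53

Name:    dns.lth1.k12.il.us
Address:  206.166.50.100
"""

# Words taken from the inferences made in Exercises 2 and 5 of the report.
HINTS = {
    "function": ("mail", "postmaster", "store", "web", "dns", "ns"),
    "topology": ("vlan",),
    "location": ("chcgil", "chicago"),
}


def parse_reverse_lookups(output):
    """Return (address, name) pairs; lookups without a Name line are skipped."""
    pairs, pending = [], None
    for line in output.splitlines():
        label, _, value = line.partition(":")
        label, value = label.strip(), value.strip()
        if label == "Name":
            pending = value
        elif label == "Address" and pending is not None:
            # The resolver's own Address line comes before any Name line,
            # so it never reaches this branch.
            pairs.append((value, pending))
            pending = None
    return pairs


def name_disclosures(hostname, own_labels=2):
    """Map category -> hint words found in the host part of a name.

    own_labels is how many trailing labels are treated as the registered
    domain (a simplification; 2 suits names such as host.example.com).
    """
    labels = hostname.lower().rstrip(".").split(".")
    host_labels = labels[:-own_labels] if len(labels) > own_labels else labels
    runs = [run for label in host_labels for run in re.findall(r"[a-z]+", label)]
    found = {}
    for category, words in HINTS.items():
        for word in words:
            # Short words must equal a whole run; longer ones may be embedded,
            # which is how "store" is seen inside "revolvstore".
            if any(run == word or (len(word) >= 3 and word in run) for run in runs):
                found.setdefault(category, []).append(word)
    return found


def audit_reverse_lookups(output):
    """Reverse-lookup output in, {address: (name, disclosures)} out."""
    return {ip: (name, name_disclosures(name))
            for ip, name in parse_reverse_lookups(output)}


if __name__ == "__main__":
    for ip, (name, hints) in audit_reverse_lookups(SAMPLE_OUTPUT).items():
        print(ip, name, hints)
```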

                                          Exercise 6 – Website Analysis

Website analysis is an information gathering technique that uses public information via web
sites. The discovered information may expose the system to unintended vulnerabilities.

There are many sources of information from the website:
Look at the HTML source code for:

                          Passwords.
                          Comments and other useful information.
                          Disabled code.
                          Meta-tags containing the signatures of the development tools used to
                           build the site
                          Email addresses for social engineering attacks.
                          Accidental links to internal resources.
                          Error pages can leak important details about the structure of the website
                                For example the website is stored on drive D.

When I looked at the web page http://www.robotstxt.org/wc/active/html/googlebot.html, it
was clean of any extraneous information that did not pertain to the displayed web page.
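
The checklist above can be applied to an organization's own pages before they are published. The following Python is an added example, not part of the original lab report: the sample page is constructed (every name, address and path in it is made up), and `LeakAudit`, `audit_html` and the finding labels are names invented for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page for the example; every name, address and path is made up.
SAMPLE = r"""<html><head>
<meta name="generator" content="ExampleSiteBuilder 4.0">
<title>Department</title></head>
<body>
<!-- db login: user=webapp password=changeme -->
<!-- <a href="/admin/old.asp">old admin page</a> -->
<!-- TODO tidy layout -->
<p>Contact <a href="mailto:jane.doe@example.edu">Jane</a></p>
<a href="http://192.168.10.5/staff/">Staff</a>
<a href="http://intranet/policies.doc">Policies</a>
<a href="http://www.example.edu/about">About</a>
<p>Error: cannot open D:\inetpub\wwwroot\dept\index.asp</p>
</body></html>
"""

CRED_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\b\s*[:=]")
MARKUP_RE = re.compile(r"<\s*/?\s*[A-Za-z][^>]*>")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DRIVE_RE = re.compile(r'\b[A-Za-z]:\\[^\s<>"]+')


def is_internal(url):
    """True for file: URLs, addresses ipaddress treats as private, and
    unqualified host names such as http://intranet/."""
    parts = urlparse(url)
    if parts.scheme == "file":
        return True
    host = parts.hostname
    if not host:
        return False  # relative link or non-network scheme
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return "." not in host


class LeakAudit(HTMLParser):
    """Collects (kind, line, detail) for each item on the checklist."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _add(self, kind, detail):
        self.findings.append((kind, self.getpos()[0], detail))

    def handle_comment(self, data):
        text = " ".join(data.split())
        if CRED_RE.search(text):
            kind = "credential-in-comment"
        elif MARKUP_RE.search(text):
            kind = "disabled-code"  # markup that was commented out, not removed
        else:
            kind = "comment"
        self._add(kind, text[:60])

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "meta" and (attr.get("name") or "").lower() == "generator":
            self._add("generator", attr.get("content") or "")
        for name in ("href", "src", "action"):
            url = attr.get(name) or ""
            if url.lower().startswith("mailto:"):
                self._add("email", url[7:].split("?")[0])
            elif is_internal(url):
                self._add("internal-link", url)

    def handle_data(self, data):
        for address in EMAIL_RE.findall(data):
            self._add("email", address)
        for path in DRIVE_RE.findall(data):
            self._add("file-path", path)  # e.g. an error page naming drive D


def audit_html(source):
    parser = LeakAudit()
    parser.feed(source)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, line, detail in audit_html(SAMPLE):
        print(f"line {line:2}  {kind:22} {detail}")
```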



WebSPHINX
  o By looking at the source code and the structure of the web site, what kinds of
     information can you glean?
             The HTML source code yielded hyperlinks to other colleges and other
                hyperlinks related to www.ccc.edu.
  o How might it be used in an attack?
             By using Websphinx on the web site of
                http://wright.ccc.edu/department/forensics/index.asp, websphinx touched
                all the links to http://wright.ccc.edu/department/forensics.
             All the different hyperlinks could be perused for information that could
                be used in a social engineering attack.

Information in Binary Files regarding the downloaded file,
http://www.bergkaprowlewis.co.uk/budget2002/revce1.doc:

     o Use the “strings” program to extract ASCII text.
          o I couldn’t extract any ASCII text using Strings.

     o What kinds of metadata are found here?

                o I found the below metadata:
                       the author was found to be “Fred Rothwell.”
                       the company name was “Her Majesty’s Treasure.”
                       Date Created: 9/27/2005 2:21 AM
                       Date Last Saved 9/29/2005 2:21 AM
                       Last Printed 4/17/2002 4:11 AM
                       Edit Time: 12:00 AM

     o Anything that could be useful in an attack?
          o The Author’s name and company name could be used in a social engineering
              attack.

     o What is the redacted text from line 4 – 12?
         o The redacted text was “draft”


          Information Leakage   Attack                          Countermeasures
          Personal Information  Could be used in a social       All personal information should be
                                engineering attack.             restricted. Any contact information
                                                                should be to generic emails or to the
                                                                main company phone number.
          Error Message Pages   Could be used to determine      Error messages should be made to be
                                the devices of a network as a   standard and generic without
                                prelude to a DoS, DDoS or       function, device, or location
                                financial information attack.   information.
          Web Server Banners    Could be used to determine      Web server banners should be
                                the network configuration as    rewritten in a way different than the
                                a prelude to a DoS, DDoS, or    manufacturer standard header and
                                financial information           without function, device, or location
                                stealing attack.                information.
          Document Properties   Could be used in a social       Strong passwords should be used.
                                engineering attack.             User names should be restricted.
          Web code and          Could be used to determine      All code should be cleaned of all
          Client code           the network configuration as    “dead” code.
                                a prelude to a DoS, DDoS, or
                                financial information
                                stealing attack.




                                                     Notes

This is the other paper of reference:
An Overview of Passive Information Gathering Techniques for Network Security,
http://www.ottawa.drdc-rddc.gc.ca/docs/e/TM2004-073.pdf, &

Passive Information Gathering, The Analysis of Leaked Network Security Information,
http://www.ngssoftware.com/papers/NGSJan2004PassiveWP.pdf



                                                  NGS NISR
                                      Next Generation Security Software Ltd.

                                      Passive Information Gathering
                         The Analysis of Leaked Network Security Information
                             Gunter Ollmann, Professional Services Director

Abstract, (p.1)
Information Leakage, (p.2)
Definition of “Passive” (p.2)
Passive Information Gathering Techniques (p.4)

Whois, (p.5)
Network Service-Based WHOIS (p.6)
    Network service-based WHOIS data provides details of network management data.
Netblock Registration Maintenance (p.9)
    Netblock registration maintenance is normally carried out in a secure & controlled
      manner.
Name Service-Based WHOIS (p.11)
    Name service-based WHOIS data provides a number of details about a domain.
Domain Name System, (p.16)
Zone Transfers, (p.20)

Reverse resolution, (p.22)
DNS Brute force, (p.24)
Search Engines, (p.26)
Email systems, (p.29)

Trace Route (tracert), (p.36)
Displays # of hops between originating host IP (192.168.100.1) and www.example.com
        Cisco-gw.example.com [212.84.xx.1]
               o Probably the start of a netblock; suggests it is a border router for
                   example.com & that it is made by Cisco.
        Cpfw1.example.com [212.84.xx.2]
               o Almost certainly a Checkpoint Firewall-1 firewall host.







Web Server Banner (p.39)
       Server: Zeus / 4.2
       Server: Microsoft IIS / 6.0
       Server: Apache / 2.0.48-dev (Unix)


                                          Appendix







                                  Exercise 1 – Internet Service Registration

                                          Exercise 2 – Domain Name System

                        Nslookup (Authoritative) using Network-Tools on ccc.edu


NsLookup - Query the DNS for resource records
domain ccc.edu query type ANY - Any type
server NS1.ILLINOIS.NET query class IN - Internet
port 53 timeout (ms) 5000
     no recursion      advanced output
NS1.ILLINOIS.NET [206.166.83.22] returned an authoritative response in 31 ms:
Answer records
name     class  type  data                                         time to live
ccc.edu  IN     MX    preference: 0, exchange: pobox.ccc.edu       600s (10m)
ccc.edu  IN     MX    preference: 5, exchange: pobox2.ccc.edu      600s (10m)
ccc.edu  IN     MX    preference: 10, exchange: guardian.ccc.edu   600s (10m)
ccc.edu  IN     NS    ns1.msa1.illinois.net                        600s (10m)
ccc.edu  IN     NS    ns1.illinois.net                             600s (10m)
ccc.edu  IN     NS    ns2.illinois.net                             600s (10m)
ccc.edu  IN     NS    guardian.ccc.edu                             600s (10m)
ccc.edu  IN     A     216.125.49.11                                600s (10m)
ccc.edu  IN     SOA   server: ns1.msa1.illinois.net                600s (10m)
                      email: msa1hostmaster@illinois.net
                      serial: 2005062401
                      refresh: 10800
                      retry: 3600
                      expire: 604800
                      minimum ttl: 600
Authority records
name     class  type  data                                         time to live
ccc.edu  IN     NS    ns1.msa1.illinois.net                        600s (10m)
ccc.edu  IN     NS    ns1.illinois.net                             600s (10m)
ccc.edu  IN     NS    ns2.illinois.net                             600s (10m)
ccc.edu  IN     NS    guardian.ccc.edu                             600s (10m)





Additional records
name                   class  type  data            time to live
pobox.ccc.edu          IN     A     216.125.49.10   600s (10m)
pobox2.ccc.edu         IN     A     216.125.49.50   600s (10m)
guardian.ccc.edu       IN     A     216.125.49.254  600s (10m)
ns1.msa1.illinois.net  IN     A     206.166.50.100  60s (1m)
ns1.illinois.net       IN     A     206.166.83.22   3600s (1h)
ns2.illinois.net       IN     A     206.166.17.200  3600s (1h)
http://network-tools.com/nslook/default.asp 9/20/2005








                     Nslookup (Non-Authoritative) using Network-Tools on ccc.edu


NsLookup - Query the DNS for resource records
domain ccc.edu query type ANY - Any type
server 66.98.244.52 query class IN - Internet
port 53 timeout (ms) 5000
     no recursion      advanced output
[66.98.244.52] returned a non-authoritative response in 94 ms:
Answer records
name     class  type  data                                         time to live
ccc.edu  IN     MX    preference: 0, exchange: pobox.ccc.edu       600s (10m)
ccc.edu  IN     MX    preference: 5, exchange: pobox2.ccc.edu      600s (10m)
ccc.edu  IN     MX    preference: 10, exchange: guardian.ccc.edu   600s (10m)
ccc.edu  IN     NS    ns1.msa1.illinois.net                        600s (10m)
ccc.edu  IN     NS    ns1.illinois.net                             600s (10m)
ccc.edu  IN     NS    ns2.illinois.net                             600s (10m)
ccc.edu  IN     NS    guardian.ccc.edu                             600s (10m)
ccc.edu  IN     A     216.125.49.11                                600s (10m)
ccc.edu  IN     SOA   server: ns1.msa1.illinois.net                600s (10m)
                      email: msa1hostmaster@illinois.net
                      serial: 2005062401
                      refresh: 10800
                      retry: 3600
                      expire: 604800
                      minimum ttl: 600
Authority records
[none]
Additional records
name              class  type  data            time to live
pobox.ccc.edu     IN     A     216.125.49.10   600s (10m)
pobox2.ccc.edu    IN     A     216.125.49.50   600s (10m)
guardian.ccc.edu  IN     A     216.125.49.254  600s (10m)








               Nslookup (Authoritative) using Network-Tools on www.microsoft.com


NsLookup - Query the DNS for resource records
domain microsoft.com query type ANY - Any type
server 207.46.138.20 query class IN - Internet
port 53 timeout (ms) 5000
    no recursion    advanced output
[207.46.138.20] returned an authoritative response in 94 ms:
Header
rcode: Success
id: 0 opcode: Standard query
is a response: True authoritative: True
recursion desired: True recursion avail: False
truncated: False
questions: 1 answers: 12
authority recs: 0 additional recs: 11
Questions
name class type
microsoft.com IN ANY
Answer records
name           class  type  data                                              time to live
microsoft.com  IN     A     207.46.250.119                                    3600s (1h)
microsoft.com  IN     A     207.46.130.108                                    3600s (1h)
microsoft.com  IN     NS    ns3.msft.net                                      172800s (2d)
microsoft.com  IN     NS    ns4.msft.net                                      172800s (2d)
microsoft.com  IN     NS    ns5.msft.net                                      172800s (2d)
microsoft.com  IN     NS    ns1.msft.net                                      172800s (2d)
microsoft.com  IN     NS    ns2.msft.net                                      172800s (2d)
microsoft.com  IN     SOA   server: dns.cp.msft.net                           3600s (1h)
                            email: msnhst@microsoft.com
                            serial: 2005092003
                            refresh: 300
                            retry: 600
                            expire: 2419200
                            minimum ttl: 3600
microsoft.com  IN     MX    preference: 10, exchange: mailc.microsoft.com     3600s (1h)
microsoft.com  IN     MX    preference: 10, exchange: maila.microsoft.com     3600s (1h)






microsoft.com  IN     MX    preference: 10, exchange: mailb.microsoft.com     3600s (1h)
microsoft.com  IN     TXT   v=spf1 mx redirect=_spf.microsoft.com             3600s (1h)
Authority records
[none]
Additional records
name                 class  type  data             time to live
ns3.msft.net         IN     A     213.199.144.151  3600s (1h)
ns4.msft.net         IN     A     207.46.66.75     3600s (1h)
ns5.msft.net         IN     A     207.46.138.20    3600s (1h)
ns1.msft.net         IN     A     207.46.245.230   3600s (1h)
ns2.msft.net         IN     A     64.4.25.30       3600s (1h)
mailc.microsoft.com  IN     A     207.46.121.52    3600s (1h)
mailc.microsoft.com  IN     A     207.46.121.53    3600s (1h)
maila.microsoft.com  IN     A     131.107.3.125    3600s (1h)
maila.microsoft.com  IN     A     131.107.3.124    3600s (1h)
mailb.microsoft.com  IN     A     131.107.3.123    3600s (1h)
mailb.microsoft.com  IN     A     207.46.121.51    3600s (1h)

                Nslookup (Non-Authoritative) using Network-Tools on microsoft.com


NsLookup - Query the DNS for resource records
domain microsoft.com query type ANY - Any type
server 66.98.244.52 query class IN - Internet
port 53 timeout (ms) 5000
     no recursion  advanced output
[66.98.244.52] returned a non-authoritative response in 0 ms:
Answer records
name           class  type  data          time to live
microsoft.com  IN     NS    ns5.msft.net  171510s (1d 23h 38m 30s)
microsoft.com  IN     NS    ns4.msft.net  171510s (1d 23h 38m 30s)
microsoft.com  IN     NS    ns3.msft.net  171510s (1d 23h 38m 30s)
microsoft.com  IN     NS    ns2.msft.net  171510s (1d 23h 38m 30s)
microsoft.com  IN     NS    ns1.msft.net  171510s (1d 23h 38m 30s)
Authority records
[none]
Additional records
[none]






                                          Zone-Transfer of nexiliscom.com
DNS check tool (IP-Plus, http://www.ip-plus.net/tools/domaincheck.cgi), 9/26/2005 1:56 AM
Domain nexiliscom.com, DNS server 209.180.121.65
Setting Source IP Address to : "164.128.36.54"
Check if the server "209.180.121.65" is configured for "nexiliscom.com" ... ok.
Check SOA Record ...
Server: ns1.nexiliscom.com
Address: 209.180.121.65
Query about nexiliscom.com for record types SOA
Trying nexiliscom.com ...
nexiliscom.com 3600 IN SOA ns1.nexiliscom.com postmaster.nexiliscom.com (
2005083001 ;serial (version)
3600 ;refresh period (1 hour)
*** WARNING *** Refresh 3600 , use recommended value "10800"
3600 ;retry interval (1 hour)
3600 ;expire time (1 hour)
*** WARNING *** Expire 3600 , use recommended value "604800"
3600 ;default ttl (1 hour)
*** WARNING *** TTL 3600 , use recommended value "86400"
Check NS Records ...
Server: ns1.nexiliscom.com
Address: 209.180.121.65
Query about nexiliscom.com for record types NS
Trying nexiliscom.com ...
Query done, 2 answers, authoritative status: no error
nexiliscom.com 3600 IN NS ns2.nexiliscom.com
ns2.nexiliscom.com is secondary nameserver
nexiliscom.com 3600 IN NS ns1.nexiliscom.com
ns1.nexiliscom.com is primary nameserver
Additional information:
ns1.nexiliscom.com 3600 IN A 209.180.121.65
ns2.nexiliscom.com 3600 IN A 209.180.121.67
Found IP address "209.180.121.67" for server "ns2.nexiliscom.com"
Found IP address "209.180.121.65" for server "ns1.nexiliscom.com"
Check SOA Record for Consistency on all Servers ...
nexiliscom.com NS ns1.nexiliscom.com
ns1.nexiliscom.com postmaster.nexiliscom.com (2005083001 3600 3600 3600 3600)
*** WARNING *** !!! nexiliscom.com SOA refresh+retry exceeds expire
*** WARNING *** !!! nexiliscom.com SOA expire is less than 1 week (1 hour)
nexiliscom.com NS ns2.nexiliscom.com
ns1.nexiliscom.com postmaster.nexiliscom.com (2005060901 3600 3600 3600 3600)
*** WARNING *** !!! ns2.nexiliscom.com and ns1.nexiliscom.com have different serial for nexiliscom.
Check Zone Transfer
This may take a while, please wait ... /opt/wwwtools-1.0/checkdom/hostsqs -Z -a -l -v -A -G -D done.
*** WARNING *** !!! nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! atensubmissions.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.






*** WARNING *** !!! mail.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! memorial-unborn.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.
*** WARNING *** !!! mms1.nexiliscom.com address 64.119.36.27 maps to ip027.nexilis.cr3.tus.simplybits.
*** WARNING *** !!! netsaint.nexiliscom.com address 209.180.121.67 maps to ns2.nexiliscom.com
*** WARNING *** !!! newmail.nexiliscom.com address 64.119.36.25 maps to newmail1.nexiliscom.com
*** WARNING *** !!! newmail.nexiliscom.com address 209.180.121.66 maps to newmail2.nexiliscom.com
*** WARNING *** !!! ns3.nexiliscom.com address 64.119.36.26 maps to ip026.nexilis.cr3.tus.simplybits.
*** WARNING *** !!! pop.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! revolvstore.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! smtp.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! test.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! webtoo.nexiliscom.com address 64.119.36.28 maps to ip028.nexilis.cr3.tus.simplybits.
*** WARNING *** !!! www.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
No errors found in "nexiliscom.com"
21 warnings found in "nexiliscom.com"
Possible error messages and warnings








                                          Zone-Transfer of microsoft.com
DNS check tool (IP-Plus, http://www.ip-plus.net/tools/domaincheck.cgi), 9/26/2005 6:36 PM
Domain microsoft.com, DNS server ns1.msft.net
Found IP address "207.46.245.230" for server "ns1.msft.net"
Setting Source IP Address to : "164.128.36.54"
Check if the server "ns1.msft.net" is configured for "microsoft.com" ... ok.
Check SOA Record ...
Server: ns1.msft.net
Address: 207.46.245.230
Query about microsoft.com for record types SOA
Trying microsoft.com ...
microsoft.com 3600 IN SOA dns.cp.msft.net msnhst.microsoft.com (
2005092601 ;serial (version)
300 ;refresh period (5 minutes)
*** WARNING *** Refresh 300 , use recommended value "10800"
600 ;retry interval (10 minutes)
*** WARNING *** Retry 600 , use recommended value "3600"
2419200 ;expire time (4 weeks)
*** WARNING *** Expire 2419200 , use recommended value "604800"
3600 ;default ttl (1 hour)
*** WARNING *** TTL 3600 , use recommended value "86400"
Check NS Records ...
Server: ns1.msft.net
Address: 207.46.245.230
Query about microsoft.com for record types NS
Trying microsoft.com ...
Query done, 5 answers, authoritative status: no error
microsoft.com 172800 IN NS ns5.msft.net
ns5.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns1.msft.net
ns1.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns2.msft.net
ns2.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns3.msft.net
ns3.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns4.msft.net
ns4.msft.net is secondary nameserver
Additional information:
ns5.msft.net 3600 IN A 207.46.138.20
ns1.msft.net 3600 IN A 207.46.245.230
ns2.msft.net 3600 IN A 64.4.25.30
ns3.msft.net 3600 IN A 213.199.144.151
ns4.msft.net 3600 IN A 207.46.66.75
Found IP address "207.46.138.20" for server "ns5.msft.net"
*** WARNING *** failed reverse lookup for "207.46.138.20"
*** WARNING *** 207.46.138.20 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
Found IP address "207.46.245.230" for server "ns1.msft.net"
*** WARNING *** failed reverse lookup for "207.46.245.230"







*** WARNING *** 207.46.245.230 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
Found IP address "64.4.25.30" for server "ns2.msft.net"
*** WARNING *** failed reverse lookup for "64.4.25.30"
*** WARNING *** 64.4.25.30 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
Found IP address "213.199.144.151" for server "ns3.msft.net"
*** WARNING *** failed reverse lookup for "213.199.144.151"
*** WARNING *** 213.199.144.151 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
Found IP address "207.46.66.75" for server "ns4.msft.net"
*** WARNING *** failed reverse lookup for "207.46.66.75"
*** WARNING *** 207.46.66.75 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
*** ERROR *** NS record for primary nameserver "dns.cp.msft.net" missing.
Check SOA Record for Consistency on all Servers ...
microsoft.com NS ns1.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
*** WARNING *** !!! microsoft.com SOA primary dns.cp.msft.net is not advertised via NS
*** WARNING *** !!! microsoft.com SOA retry exceeds refresh
microsoft.com NS ns2.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
microsoft.com NS ns3.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
microsoft.com NS ns4.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
microsoft.com NS ns5.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
Check Zone Transfer
This may take a while, please wait ... /opt/wwwtools-1.0/checkdom/hostsqs -Z -a -l -v -A -G -D done.
*** ERROR *** 207.46.245.230 (207.46.245.230) connect: Connection timed out
2 errors found in "microsoft.com" please correct
11 warnings found in "microsoft.com"
Possible error messages and warnings
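
The SOA checks behind the warnings in the two DNS check outputs above (timers that differ from the tool's recommended values, refresh+retry exceeding expire, expire under one week, retry exceeding refresh, differing serials, an SOA primary not listed as NS), written out as an added Python example that is not part of the original lab report or of the IP-Plus tool. The function names and finding codes are made up for illustration; the SOA lines are copied from the outputs above.

```python
"""Re-create the SOA sanity checks whose warnings appear in the outputs above."""
from dataclasses import dataclass

# Values the checker output above calls "recommended" (seconds).
RECOMMENDED = {"refresh": 10800, "retry": 3600, "expire": 604800, "ttl": 86400}
ONE_WEEK = 7 * 24 * 3600


@dataclass(frozen=True)
class Soa:
    primary: str
    serial: int
    refresh: int
    retry: int
    expire: int
    ttl: int


def parse_soa(line: str) -> Soa:
    """Parse 'primary contact (serial refresh retry expire ttl)'."""
    head, paren, timers = line.partition("(")
    names = head.split()
    fields = timers.replace(")", " ").split()
    if not paren or len(names) != 2 or len(fields) != 5:
        raise ValueError(f"not an SOA summary line: {line!r}")
    serial, refresh, retry, expire, ttl = (int(f) for f in fields)
    return Soa(names[0].lower().rstrip("."), serial, refresh, retry, expire, ttl)


def check_timers(soa: Soa) -> list:
    """Findings for one server's SOA timers (illustrative finding codes)."""
    findings = []
    for name, want in RECOMMENDED.items():
        if getattr(soa, name) != want:
            findings.append(f"{name}-not-recommended")
    # A secondary that cannot refresh must be able to retry before it expires the zone.
    if soa.refresh + soa.retry > soa.expire:
        findings.append("refresh+retry-exceeds-expire")
    if soa.expire < ONE_WEEK:
        findings.append("expire-under-1-week")
    if soa.retry > soa.refresh:
        findings.append("retry-exceeds-refresh")
    return findings


def check_zone(answers: dict) -> list:
    """Cross-server findings; answers maps each NS name to the SOA line it returned."""
    soas = {ns.lower().rstrip("."): parse_soa(line) for ns, line in answers.items()}
    findings = []
    serials = {s.serial for s in soas.values()}
    if len(serials) > 1:
        newest = max(serials)
        stale = sorted(ns for ns, s in soas.items() if s.serial != newest)
        findings.append("serial-mismatch:" + ",".join(stale))
    for primary in sorted({s.primary for s in soas.values()}):
        if primary not in soas:
            findings.append("primary-not-in-ns:" + primary)
    return findings


def audit(answers: dict) -> dict:
    """Full report for one zone: per-server timer findings plus zone-wide findings."""
    per_server = {ns: check_timers(parse_soa(line)) for ns, line in answers.items()}
    return {"per_server": per_server, "zone": check_zone(answers)}


# SOA lines as printed under "Check SOA Record for Consistency on all Servers".
NEXILISCOM = {
    "ns1.nexiliscom.com":
        "ns1.nexiliscom.com postmaster.nexiliscom.com (2005083001 3600 3600 3600 3600)",
    "ns2.nexiliscom.com":
        "ns1.nexiliscom.com postmaster.nexiliscom.com (2005060901 3600 3600 3600 3600)",
}
MICROSOFT = {
    ns: "dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)"
    for ns in ("ns1.msft.net", "ns2.msft.net", "ns3.msft.net",
               "ns4.msft.net", "ns5.msft.net")
}

if __name__ == "__main__":
    for zone, answers in (("nexiliscom.com", NEXILISCOM), ("microsoft.com", MICROSOFT)):
        report = audit(answers)
        print(zone)
        for ns, findings in report["per_server"].items():
            print("  ", ns, findings)
        print("   zone:", report["zone"])
```

The serial mismatch is the finding to act on first: ns2 is serving an older copy of the zone than ns1.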


                                          Exercise 3 – Search Engines
                               Netcraft Search Web by Domain for .google.com

Netcraft - Search Web by Domain http://searchdns.netcraft.com/?host=.google.com&position=limited&loo...
1 of 1 9/26/2005 9:48 PM






Results for .google.com
Found 144 sites
Site Site Report First seen Netblock OS
1. 1.qos.google.com May 2004 Google Inc. Linux
2. 35820365512262.qos.google.com November 2002 Google Inc. Linux
3. adsense.google.com September 2004 Google Inc. Linux
4. adwords.google.com.au August 2004 Google Inc. unknown
5. adwords.google.com.br November 2003 Google Inc. Linux
6. adwordstest.google.com October 2003 Google Inc. Linux
7. america.google.com November 2003 Google Inc. Linux
8. answer.google.com January 2003 Google Inc. Linux
9. aol.google.com August 2004 Google Inc. Linux
10. api.google.com June 2002 Google Inc. Linux
11. asia.google.com November 2003 Google Inc. Linux
12. catalog.google.com April 2002 Google Inc. Linux
13. catalogues.google.com June 2002 Google Inc. Linux
14. console.google.com May 2001 Google Inc. Linux
15. desktop.google.com December 2004 Google Inc. Linux
16. dir.google.com November 2001 Google Inc. Linux
17. directory.google.com August 2001 Google Inc. Linux
18. download.google.com November 2004 Google Inc. Linux
19. ent-demo9.google.com October 2004 Google Inc. Linux
20. europe.google.com November 2003 Google Inc. Linux




                                              Exercise 4 – E Mail Systems

                                                      Email Headers

X-Apparently-To: allengalvan@sbcglobal.net via 66.163.170.105; Mon, 26 Sep 2005
20:54:45 -0700
X-Originating-IP: [216.125.49.18]
Return-Path: <agalvan1@student.ccc.edu>
Authentication-Results: mta812.mail.scd.yahoo.com
 from=student.ccc.edu; domainkeys=neutral (no sig)
Received: from 207.115.20.36 (EHLO flpvm06.prodigy.net) (207.115.20.36)
 by mta812.mail.scd.yahoo.com with SMTP; Mon, 26 Sep 2005 20:54:44 -0700
X-Originating-IP: [216.125.49.18]





Received: from student.ccc.edu (student.ccc.edu [216.125.49.18])
        by flpvm06.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id j8R3rwmF014910
        for <allengalvan@sbcglobal.net>; Mon, 26 Sep 2005 20:53:58 -0700
Received: from agalvan1 [216.125.49.114] by student.ccc.edu
        with NetMail ModWeb Module; Mon, 26 Sep 2005 22:54:42 -0500
Subject: csfi214 - test msg
From: "ALLEN GALVAN" <agalvan1@student.ccc.edu>
To: allengalvan@sbcglobal.net
Date: Mon, 26 Sep 2005 22:54:43 -0500
X-Mailer: NetMail ModWeb Module
X-Sender: agalvan1
MIME-Version: 1.0
Message-ID: <1127793283.e602380agalvan1@student.ccc.edu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

nobody here but us chickens
Allen
allengalvan@netzero.net
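
A defender-side audit of what headers like the ones above disclose (the submitting workstation and its address, relay software version, mail client, account name), as an added Python example that is not part of the original lab report. The function names and finding labels are illustrative, and the sample message is constructed with reserved example domains and documentation address ranges.

```python
"""Audit what a message's headers disclose about the sending network."""
import email
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample: same header layout as the message above, but with
# reserved example domains and documentation address ranges.
SAMPLE = """\
X-Originating-IP: [192.0.2.18]
Received: from 198.51.100.36 (EHLO relay.example.net) (198.51.100.36)
 by mx.example.com with SMTP; Mon, 26 Sep 2005 20:54:44 -0700
Received: from student.example.edu (student.example.edu [192.0.2.18])
        by relay.example.net (8.12.10/8.12.10) with ESMTP id j8R3rwmF000000
        for <rcpt@example.com>; Mon, 26 Sep 2005 20:53:58 -0700
Received: from jdoe1 [192.0.2.114] by student.example.edu
        with NetMail ModWeb Module; Mon, 26 Sep 2005 22:54:42 -0500
Subject: test msg
From: "J DOE" <jdoe1@student.example.edu>
To: rcpt@example.com
X-Mailer: NetMail ModWeb Module
X-Sender: jdoe1

body
"""


def _first(pattern, text):
    match = re.search(pattern, text)
    return match.group(1) if match else None


def parse_received(value):
    """Split one Received header into who handed the message to whom, and how."""
    text = " ".join(value.split())            # unfold continuation lines
    split = re.search(r"\sby\s", text)
    from_part = text[:split.start()] if split else text
    return {
        "from_host": _first(r"\bfrom\s+(\S+)", from_part),
        "from_ip": _first(r"[\[(]" + IP + r"[\])]", from_part),
        "by_host": _first(r"\bby\s+(\S+)", text),
        "mta_version": _first(r"\bby\s+\S+\s+\(([^)]+)\)", text),
        "with": _first(r"\bwith\s+(.+?)(?=\s+id\b|\s+for\b|;|$)", text),
    }


def trace_hops(raw):
    """Hops in the order the message travelled (headers are stored newest first)."""
    msg = email.message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def disclosures(raw):
    """List (kind, value) pairs an outside recipient can read from the headers."""
    msg = email.message_from_string(raw)
    hops = trace_hops(raw)
    found = []
    if hops:
        first = hops[0]
        found.append(("client-host", f"{first['from_host']} [{first['from_ip']}]"))
    for hop in hops:
        if hop["mta_version"]:
            found.append(("mta-version", f"{hop['by_host']} {hop['mta_version']}"))
    for name in ("X-Mailer", "X-Sender", "X-Originating-IP"):
        for value in msg.get_all(name, []):
            found.append((name.lower(), " ".join(value.split())))
    sender = (msg.get("X-Sender") or "").strip()
    if hops and sender and sender == hops[0]["from_host"]:
        found.append(("username-in-received", sender))
    return found


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        print(hop)
    for kind, value in disclosures(SAMPLE):
        print(f"{kind}: {value}")
```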







                                          Exercise 5 – Naming Conventions
                                              Tracert of www.ccc.edu




                                           Exercise 6 – Website Analysis




Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Leaked Network Security Information Analysis

Name: Allen Galvan
Due: 27 October 2005
CSFI 214: Information Security Systems Analysis – Fall 2005
Lab #2: Reconnaissance (Fingerprinting), Passive Information Gathering
The Analysis of Leaked Network Security Information

Exercise 1 – Internet Service Registration ... 3
Exercise 2 – Domain Name System ... 4
    Nslookup (Authoritative & Non-Authoritative), Network-Tools on DNS Servers ... 4
    Dig (Unix tool to query DNS Servers) ... 5
    Zone Transfer ... 5
    Brute Force Reverse DNS Lookup ... 6
Exercise 3 – Search Engines ... 7
Exercise 4 – E Mail Systems ... 8
Exercise 5 – Naming Conventions ... 9
Exercise 6 – Website Analysis ... 10
Notes ... 13
Appendix ... 14
Exercise 1 – Internet Service Registration ... 15
Exercise 2 – Domain Name System ... 15
    Nslookup (Authoritative) using Network-Tools on ccc.edu ... 15
    Nslookup (Non-Authoritative) using Network-Tools on ccc.edu ... 17
    Nslookup (Authoritative) using Network-Tools on www.microsoft.com ... 18
    Nslookup (Non-Authoritative) using Network-Tools on microsoft.com ... 19
    Zone-Transfer of nexiliscom.com ... 21
    Zone-Transfer of microsoft.com ... 23
Exercise 3 – Search Engines ... 24
    Netcraft Search Web by Domain for .google.com ... 24
Exercise 4 – E Mail Systems ... 25
    Email Headers ... 25
Exercise 5 – Naming Conventions ... 27
    Tracert of www.ccc.edu ... 27
Exercise 6 – Website Analysis ... 27

Exercise 1 – Internet Service Registration

Internet Service Registration information gathering finds information based on global registration and maintenance of IP address information. Whois is a service that queries top-level domains for information on a domain name. There are several Whois tools provided by Network Solutions, Arin, Geektools, and Sam Spade. Using these several tools, the whois information was looked up on the below websites:

  • Ccc.edu
  • Microsoft.com
  • Citibank.com
  • Thesportsauthority.com
  • Baitnet.com

Answer the following questions:

  • What kinds of information is available for social engineering attacks?
      o The actual name of the Registrant.
      o An actual address.
      o An actual phone number.
  • What kinds of information is available for technical attacks?
      o The Maintainer (MNTNER) password is information that is available for technical attacks. If the password is weak, it could be broken, and this would lead to attacks such as: DoS, URL spoofing, and Identity Theft.
  • Who owns the netblock (IP space)?
      o The netblock is owned by the organization name.
  • What are the authoritative DNS servers?
      o A server that knows the content of a DNS zone from local knowledge, and thus can answer queries about that zone without needing to query other servers.
      o The authoritative servers are given in an authoritative query using the Network Service-based Whois lookup tool of http://network-tools.com/nslook/Default.asp
  • What are the IP addresses of those servers?
      o The IP addresses of the servers are specified by the parameter inetnum, in a Network Service-based Whois lookup.

The following table specifies information leakage vulnerabilities, possible attacks, and possible countermeasures.

Information Leakage | Attack | Countermeasures
--------------------|--------|----------------
ISP | DNS Server Attack. Man in the Middle Attack. | Pick an ISP that has well secured Zone Transfers.
Address Information | Social Engineering Scams | Pick PO Box, or use Accountant Address.
Real Names | Social Engineering Scams | Pick generic function names, & pick generic email names.
Phone Numbers | Social Engineering Scams | Use a receptionist general number. Have receptionist take a message.
MNTNER Auth | Unauthorized changes to Registration. DoS. URL Spoofing | Choose at least PGP authorization. Choose strong passwords.

Figure 1: Whois Information Leakage, Attack & Countermeasures Summary

Exercise 2 – Domain Name System

Domain Name System (DNS) information gathering provides information on local and global registration and maintenance of host naming. Use service-based Whois (http://network-tools.com/nslook/Default.asp) to find record information of the below URL websites:

Nslookup (Authoritative & Non-Authoritative), Network-Tools on DNS Servers

  • http://ccc.edu/
      o A non-authoritative DNS server
      o An authoritative DNS server
      o Are there any differences?
          ▪ Nslookup, using http://network-tools.com/nslook/Default.asp, retrieved more information in the authoritative response than in the non-authoritative response. Specifically, more Name Servers (type=NS) and more Authoritative (Canonical or Alias) Servers (type=A) were found in the authoritative response.
      o Capture the output of each query.
          ▪ The output was captured under Exercise 2 on page 15.
  • http://www.microsoft.com/
      o A non-authoritative DNS server
      o An authoritative DNS server
      o Are there any differences?
          ▪ Nslookup, using http://network-tools.com/nslook/Default.asp, retrieved more information in the authoritative response than in the non-authoritative response. Specifically, more Name Servers (type=NS) and more Authoritative (Canonical or Alias) Servers (type=A) were found in the authoritative response. Also the primary DNS server is identified (Type=SOA), and all the Mail Servers are identified (Type=MX), both in the authoritative response.
      o Capture the output of each query.
      o Why are there multiple mail servers?
          ▪ There are multiple mail servers for load balancing and as redundant backups of each other.
      o Why are there differences with IP addresses?
          ▪ There are different IP addresses for several reasons:
          ▪ Load Balancing.
          ▪ Redundant Backup.
          ▪ To accommodate different services to different customers.
          ▪ Disaster Recovery.
          ▪ To support Regional Branch Office Operations.

Dig (Unix tool to query DNS Servers)

Dig is the Unix-based Nslookup DNS query tool. Using Dig (http://www.ip-plus.net/tools/dig_dns_set.en.html), the Domain nexiliscom.com is queried, regarding the DNS Server 209.180.121.65. What kind of interesting information is learned from here?

  • The authoritative Servers, mail Servers, and primary DNS Server are displayed by this Dig query. The operating system is Linux. The network is sharing a printer.

Zone Transfer

A zone transfer is a special service in which DNS Servers exchange the Authoritative Records for a domain between primary and secondary servers. Any client system can also query a DNS Server and request a Zone Transfer. Using Dig (http://www.ip-plus.net/tools/dig_dns_set.en.html), the Domain nexiliscom.com is queried, regarding the DNS Server 209.180.121.65.

  • What are the names and IP addresses of the systems?
      o Ns1.nexiliscom.com 209.180.121.65
      o Ns2.nexiliscom.com 209.180.121.67
      o revolvstore.nexiliscom.com 209.180.121.65
      o There were many other IP addresses listed on p.22 regarding the “Zone-Transfer of nexiliscom.com”.
  • Can you guess what each system does?
      o The primary name server is given: ns1.nexiliscom.com; & the IP address is 209.180.121.65.
      o Also the zone transfer associated the primary name server ns1.nexiliscom.com with postmaster.nexiliscom.com. The embedded word of “postmaster” implies an Email function.
      o The below Zone Transfer information suggests an Email function, regarding the words “mail,” “postmaster,” “newmail”:
          ▪ “mail.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com,”
          ▪ “ns1.nexiliscom.com postmaster.nexiliscom.com”
          ▪ “newmail.nexiliscom.com address 64.119.36.25”
      o The below Zone Transfer information suggests possible services. The suggestive word is store.
          ▪ “revolvstore.nexiliscom.com address 209.180.121.65”
      o The below Zone Transfer information suggests that it might be a web server. The suggestive word is web.
          ▪ “webtoo.nexiliscom.com address 64.119.36.28”
  • Try this against the domain of Microsoft.com, using DNS Server NS1.MSFT.NET
      o Can a Zone Transfer be performed?
          ▪ Yes, a Zone Transfer was performed.
      o Why or why not?
          ▪ Yes, a Zone Transfer was performed, but it seems like it yielded less information. The usual authoritative and name server information was available, as in authoritative and non-authoritative Whois lookups.
  • How could an attacker use a Zone Transfer?
      o First, the host name (e.g. postmaster.nexiliscom.com) suggests its function by using the embedded word of “postmaster.”
      o Second, these suggestive host names (e.g. “mail.nexiliscom.com address 209.180.121.65”) are associated with an IP address. One could enter that IP address into a browser to see the web site, and infer its function.

Brute Force Reverse DNS Lookup

Do a brute force lookup on all of the IP addresses in the Class C space of www.cc.edu, and answer the following questions.

  • Can you figure out how the batch file does its work?
      o The input file is ips.txt. All desired IP addresses to look up are input into this file. First all the IP addresses are automatically input into the output file dsnout.txt. Next, if nslookup finds a “hot” existing IP address, it looks for a string called “Name” and outputs the parameter variable, with the reverse lookup of the IP (e.g. 206.166.50.100) into its corresponding host address (e.g. dns.lth1.k12.il.us).
  • What use is the output?
      o The script quickly and automatically searched an IP range and identified “hot” existing IP addresses.
      o It identified the existing IP address along with its reverse lookup host address. It basically did an nslookup.
      o This is the 1st stage of identifying places to look (IP addresses) to start to find any vulnerabilities.
  • What else do you know about the target network?
      o It is possible to run a script on an IP address range based on the Primary DNS server (type=SOA). This information was divulged from the nslookup tool of network-tools.
      o One could start with all the name servers and authoritative and non-authoritative server information from all the public whois and nslookup information, configure an IP address block (e.g. 206.166.50.0-206.166.50.254), and search for all “hot” existing host IP addresses, including servers and PCs. The question always in mind would be, what hosts are vulnerable?

Information Leakage | Attack | Countermeasures
--------------------|--------|----------------
Zone Transfer | A Zone Transfer could be downloaded to yield the entire network configuration, as the initial stage of a DoS, DDoS, or Social Engineering Attack. | Only allow Zone Transfers to Trusted Systems. Configure the server to only allow certain IP addresses. Restrict port 53.
Reverse Lookup | Given netblock information, it is possible to reverse lookup host names. This could be the first stage of a DoS, DDoS, or Social Engineering Attack. | The server should be configured to only allow access on a restricted basis and only to trusted system IP addresses.

Exercise 3 – Search Engines

Search engines gather information on an organization and its employees. Go to the web site www.netcraft.com, and answer the following questions, regarding “.google.com” (remembering to include the dot preceding Google.com):

  • How many systems are there?
      o The search found 144 systems.
  • Which systems are NOT using Linux operating systems?
      o There are some systems that are designated as “unknown” operating systems.
  • Which systems are NOT using Google netblocks?
      o All the systems yielded information on Google netblocks.
  • What kinds of information can you learn from the site information link?
      o Domain: google.com
      o NetBlock Owner: Google Inc.
      o Domain Registry: markmonitor.com
      o Site DNS name: http://1.qos.google.com
      o IP address 66.102.9.147

Go to the web site www.netcraft.com, and answer the following questions, regarding “.ccc.edu” (remembering to include the dot preceding ccc.edu):

  • Of the servers owned by City Colleges in Chicago, are there any differences between this list and the list found doing the brute force DNS lookup?

Information Leakage | Attacks | Countermeasures
--------------------|---------|----------------
Cache Information | Cache pages and information could be retrieved as the first stage of a DoS, DDoS, or Social Engineering Attack. | Control the cache information and meta data to limit third party caching.
Error Messages | Information on hardware configuration and component information could be leaked in the error messages. This could be used as the first stage of a DoS, DDoS, or Social Engineering Attack. | Make error messages generic, without hardware or application information embedded in the message.
Company Confidential Information made Public | Employees could leak information that could be used as the first stage of a DoS, DDoS, or Social Engineering Attack. | Train employees to not be allowed to leak confidential company information into the public domain.
Public Documents | Company documents could be made public that leak information that could be used as the first stage of a DoS, DDoS, or Social Engineering Attack. | If company documents are to be posted publicly on the web, remove all sensitive internal information.
The Robots.txt file | An attacker could get information on a company’s system, with which to perpetrate a DoS, DDoS, or Social Engineering Attack. | Restrict access to this file. Restrict the information in this file.

Exercise 4 – E Mail Systems

Email system information gathering uses information found within the Email system and Email messages. Go to http://www.spamcop.net/fom-serve/cache/19.html to discover how to look at headers regarding email. Send an email from your school email account to your personal email account.
Look at the headers and answer the following questions:

  • What are the IP addresses of the systems that handled this mail?
      o Received: from 207.115.20.36 (flpvm06.prodigy.net)
      o Received: from student.ccc.edu (student.ccc.edu [216.125.49.18]) (scholarmail.ccc.edu) Apache/2.0.49a NETWARE mod_jk/1.2.6-dev
      o by flpvm06.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id j8R3rwmF014910
      o Received: from agalvan1 [216.125.49.114] by student.ccc.edu ()
  • What kinds of servers handled the mail?
      o SMTP Servers
      o Received: from student.ccc.edu (student.ccc.edu [216.125.49.18]) (scholarmail.ccc.edu) Apache/2.0.49a NETWARE mod_jk/1.2.6-dev
  • Is the same path taken both ways?
      o Yes, the same path is taken both ways.
  • Can you tell what kind of email systems handled the messages?
      o SMTP Servers
  • Using the list of possible SMTP mail systems, grab ccc.edu’s mail server banner.
      o I couldn’t find the ccc.edu server banner.

Exercise 5 – Naming Conventions

Naming conventions describe how an organization categorizes their host devices. At a DOS command line prompt type the command “tracert www.ccc.edu” and answer the following questions.

  • Can you deduce the naming convention (if any)?
      o The physical location is used in the naming convention.
      o The owner company is used in the naming convention.
      o One of the routers indicates it could be part of a Virtual LAN (VLAN).
  • Can you deduce what operating system is being used from the name?
      o The Operating system might be VLAN 5.0
  • Can you deduce the physical location of the host from the name?
      o These routers are all in Chicago
          ▪ Ads1-68-72-175-254.ds1.chcgil.ameritech.net
          ▪ Dist2-vlan50.chcgil.ameritech.net
          ▪ Bb2-g7-0.chcgil.ameritech.net
          ▪ Ex1-p0-0.eqchil.sbcglobal.net
          ▪ Chcgil1wcx1-pos9-0-oc48.wcg.net
          ▪ Chcgil1wxc1-dept-central-mgmt.wcg.net
          ▪ Ge-1-0-ans-sob1.chicago.lincon.net
          ▪ Ge2-1.sob11.chicago.lincon.net
  • Can you determine which device is the perimeter router?
      o 192.168.1.1 is my originating perimeter router
      o 206.166.90.246 is the target perimeter router
  • Which netblock (IP block) is owned by the target?
      o Illinois Century Network owns the netblock.

Information Leakage | Attack | Countermeasures
--------------------|--------|----------------
Device Location | Could be used to determine the network configuration and lead to DoS, DDoS or stealing financial or confidential information. | Refrain from naming devices with location information.
Device Function | Could be used to determine the network configuration and lead to DoS, DDoS or stealing financial or confidential information. | Refrain from naming conventions with function information.

Exercise 6 – Website Analysis

Website analysis is an information gathering technique that uses public information via web sites. The discovered information may expose the system to unintended vulnerabilities. There are many sources of information from the website. Look at the HTML source code for:

  • Passwords.
  • Comments and other useful information.
  • Disabled code.
  • Meta-tags containing the signatures of the development tools used to build the site.
  • Email addresses for social engineering attacks.
  • Accidental links to internal resources.
  • Error pages can leak important details about the structure of the website.
      ▪ For example the website is stored on drive D.

When I looked at the web page http://www.robotstxt.org/wc/active/html/googlebot.html, it was clean of any extraneous information that did not pertain to the displayed web page.
  • 11.
WebSPHINX
o By looking at the source code and the structure of the web site, what kinds of information can you glean?
  - The HTML source code yielded hyperlinks to other colleges and other hyperlinks related to www.ccc.edu.
o How might it be used in an attack?
  - By using Websphinx on the web site of http://wright.ccc.edu/department/forensics/index.asp, websphinx touched all the links to http://wright.ccc.edu/department/forensics.
  - All the different hyperlinks could be perused for information that could be used in a social engineering attack.

Information in Binary Files regarding the downloaded file, http://www.bergkaprowlewis.co.uk/budget2002/revce1.doc:
o Use the “strings” program to extract ASCII text.
o I couldn’t extract any ASCII text using Strings.
o What kinds of metadata are found here?
o I found the below metadata:
  - the author was found to be “Fred Rothwell.”
  - the company name was “Her Majesty’s Treasure.”
  - Date Created: 9/27/2005 2:21 AM
  - Date Last Saved: 9/29/2005 2:21 AM
  - Last Printed: 4/17/2002 4:11 AM
  - Edit Time: 12:00 AM
o Anything that could be useful in an attack?
o The Author’s name and company name could be used in a social engineering attack.
o What is the redacted text from line 4 – 12?
o The redacted text was “draft”

| Information Leakage | Attack | Countermeasures |
|---|---|---|
| Personal Information | Could be used in a social engineering attack. | All personal information should be restricted. Any contact information should be to generic emails or to the main company phone number. |
| Error Message Pages | Could be used to determine the devices of a network as a prelude to a DoS, DDoS, or financial information attack. | Error messages should be made to be standard and generic without function, device, or location information. |
| Web Server Banners | Could be used to determine the network configuration as a prelude to a DoS, DDoS, or financial information stealing attack. | Web server banners should be rewritten in a way different than the manufacturer standard header and without function, device, or location information. |
| Document Properties | Could be used in a social engineering attack. | Strong passwords should be used. User names should be restricted. |
| Web code and Client code | Could be used to determine the network configuration as a prelude to a DoS, DDoS, or financial information stealing attack. | All code should be cleaned of all “dead” code. |
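The Exercise 6 checklist can be run as a pre-publication audit of your own pages. The following is an added example, not part of the original lab: it walks one HTML document and reports comments, disabled code, generator meta-tags, e-mail addresses, internal links and drive paths. The sample page, host names, addresses and the internal-suffix list are assumptions constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SECRET_RE = re.compile(r"(?i)\b(password|passwd|pwd)\b\s*[:=]")
DRIVE_RE = re.compile(r"(?i)\b[a-z]:\\")         # drive-letter path, as in an error page
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")  # markup inside a comment = disabled code

def is_internal(url):
    """True when a link target only makes sense from inside the network."""
    if DRIVE_RE.search(url) or url.lower().startswith("file:"):
        return True
    host = urlsplit(url).hostname
    if not host:
        return False  # relative link: stays on the public site
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        # Assumed internal-only naming: bare host names and private suffixes.
        return "." not in host or host.endswith((".local", ".internal", ".lan"))

class LeakAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, category, detail)

    def _add(self, category, detail):
        self.findings.append((self.getpos()[0], category, detail.strip()[:80]))

    def _scan_text(self, text):
        if SECRET_RE.search(text):
            self._add("password", text)
        for addr in EMAIL_RE.findall(text):
            self._add("email", addr)
        if DRIVE_RE.search(text):
            self._add("path", text)

    def handle_comment(self, data):
        self._add("disabled-code" if TAG_RE.search(data) else "comment", data)
        self._scan_text(data)

    def handle_data(self, data):
        self._scan_text(data)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "meta" and (attr.get("name") or "").lower() == "generator":
            self._add("generator", attr.get("content") or "")
        for key in ("href", "src", "action"):
            url = attr.get(key) or ""
            if url.lower().startswith("mailto:"):
                self._add("email", url[7:].split("?")[0])
            elif url and is_internal(url):
                self._add("internal-link", url)

def audit(html):
    parser = LeakAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not from the lab); every name and address is made up.
SAMPLE = """<html><head><meta name="generator" content="ExampleBuilder 1.0"></head>
<body><!-- TODO: remove test login, password = changeme -->
<!-- <a href="/old/admin.asp">admin</a> -->
<a href="mailto:jane.doe@example.edu">Contact</a>
<a href="http://10.0.5.12/intranet/">Staff</a>
<p>Error: cannot open D:\\inetpub\\wwwroot\\db.mdb</p></body></html>"""

if __name__ == "__main__":
    for line, category, detail in audit(SAMPLE):
        print(f"line {line}: {category:14} {detail}")
```

Each finding maps to a row of the countermeasures table: strip comments and dead code, drop the generator tag, replace personal addresses with generic ones, and make error pages generic.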
  • 13.
Notes

This is the other paper of reference:
An Overview of Passive Information Gathering Techniques for Network Security, http://www.ottawa.drdc-rddc.gc.ca/docs/e/TM2004-073.pdf, &
Passive Information Gathering, The Analysis of Leaked Network Security Information, http://www.ngssoftware.com/papers/NGSJan2004PassiveWP.pdf

NGS NISR Next Generation Security Software Ltd.
Passive Information Gathering: The Analysis of Leaked Network Security Information
Gunter Ollmann, Professional Services Director

Abstract, (p.1)
Information Leakage, (p.2)
Definition of “Passive” (p.2)
Passive Information Gathering Techniques (p.4)
Whois, (p.5)
Network Service-Based WHOIS (p.6)
- Network service-based WHOIS data provides details of network management data.
Netblock Registration Maintenance, (p.9)
- Netblock registration maintenance is normally carried out in a secure & controlled manner.
Name Service-Based WHOIS (p.11)
- Name service-based WHOIS data provides a number of details about a domain.
Domain Name System, (p.16)
Zone Transfers, (p.20)
Reverse resolution, (p.22)
DNS Brute force, (p.24)
Search Engines, (p.26)
Email systems, (p.29)
Trace Route (tracert), (p.36)
Displays # of hops between originating host ip (192.168.100.1)
- www.example.com
- Cisco-gw.example.com [212.84.xx.1]
  o Probably the start of a netblock; suggests it is a border router for example.com & it is made by Cisco.
- Cpfw1.example.com [212.84.xx.2]
  o Almost certainly is a Checkpoint firewall-1 firewall host.
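The trace route notes above read a device's vendor and role straight out of its host name, which is what the naming countermeasures in Exercise 5 are meant to prevent. As an added example (not from the lab or the cited paper), the following audits your own zone records for labels that leak vendor, function, location or interface before they are published. The vocabulary, the interface-prefix list and the sample records are assumptions.

```python
import re

# Assumed vocabulary for illustration; extend it with your own vendors and sites.
VOCAB = {
    "cisco": ("vendor", "Cisco"), "cp": ("vendor", "Check Point"),
    "juniper": ("vendor", "Juniper"),
    "gw": ("function", "gateway"), "fw": ("function", "firewall"),
    "rtr": ("function", "router"), "vpn": ("function", "VPN"),
    "db": ("function", "database"),
    "chicago": ("location", "Chicago"), "nyc": ("location", "New York"),
}
# Interface-style labels such as ge-1-0 or ge2-1 (prefix list is an assumption).
IFACE_RE = re.compile(r"^(ge|fe|gi|te|so|pos|atm|se)-?\d+(-\d+)*")


def segment(token, vocab=VOCAB):
    """Split 'cpfw' into ['cp', 'fw']; return None if any part is unknown."""
    if not token:
        return []
    for n in range(len(token), 0, -1):  # prefer the longest known prefix
        if token[:n] in vocab:
            rest = segment(token[n:], vocab)
            if rest is not None:
                return [token[:n]] + rest
    return None


def audit_name(fqdn, keep_labels=2):
    """Return [(category, meaning)] leaked by the host part of one name."""
    labels = fqdn.lower().rstrip(".").split(".")
    findings = []
    for label in labels[:-keep_labels]:  # skip the registered domain itself
        m = IFACE_RE.match(label)
        if m:
            findings.append(("interface", m.group(0)))
            label = label[m.end():]
        for token in re.split(r"[^a-z]+", label):  # digits and hyphens split words
            for word in segment(token) or []:
                findings.append(VOCAB[word])
    return findings


def audit_zone(zone_text):
    """Map each record owner name in zone-style text to its findings, if any."""
    report = {}
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) >= 4 and fields[-2].upper() in ("A", "AAAA", "CNAME"):
            leaks = audit_name(fields[0])
            if leaks:
                report[fields[0].rstrip(".")] = leaks
    return report


# Constructed records; addresses are from the 192.0.2.0/24 documentation range.
ZONE = """\
cisco-gw.example.com.             3600 IN A 192.0.2.1
cpfw1.example.com.                3600 IN A 192.0.2.2
ge2-1.sob11.chicago.example.net.  3600 IN A 192.0.2.9
www.example.com.                  3600 IN A 192.0.2.80
"""

if __name__ == "__main__":
    for name, leaks in audit_zone(ZONE).items():
        print(name, leaks)
```

A name is reported only when every part of a token is in the vocabulary, so ordinary labels such as `www` or `sob11` pass without findings.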
  • 14.
Web Server Banner (p.39)
- Server: Zeus / 4.2
- Server: Microsoft IIS / 6.0
- Server: Apache / 2.0.48-dev (Unix)

Appendix
  • 15.
Exercise 1 – Internet Service Registration

Exercise 2 – Domain Name System

Nslookup (Authoritative) using Network-Tools on ccc.edu
Source: http://network-tools.com/nslook/default.asp, 9/20/2005

NsLookup: Query the DNS for resource records
Query form: domain ccc.edu; query type ANY - Any type; server NS1.ILLINOIS.NET; query class IN - Internet; port 53; timeout (ms) 5000; no recursion; advanced output

NS1.ILLINOIS.NET [206.166.83.22] returned an authoritative response in 31 ms:

Answer records

| name | class | type | data | time to live |
|---|---|---|---|---|
| ccc.edu | IN | MX | preference: 0 exchange: pobox.ccc.edu | 600s (10m) |
| ccc.edu | IN | MX | preference: 5 exchange: pobox2.ccc.edu | 600s (10m) |
| ccc.edu | IN | MX | preference: 10 exchange: guardian.ccc.edu | 600s (10m) |
| ccc.edu | IN | NS | ns1.msa1.illinois.net | 600s (10m) |
| ccc.edu | IN | NS | ns1.illinois.net | 600s (10m) |
| ccc.edu | IN | NS | ns2.illinois.net | 600s (10m) |
| ccc.edu | IN | NS | guardian.ccc.edu | 600s (10m) |
| ccc.edu | IN | A | 216.125.49.11 | 600s (10m) |
| ccc.edu | IN | SOA | server: ns1.msa1.illinois.net email: msa1hostmaster@illinois.net serial: 2005062401 refresh: 10800 retry: 3600 expire: 604800 minimum ttl: 600 | 600s (10m) |

Authority records

| name | class | type | data | time to live |
|---|---|---|---|---|
| ccc.edu | IN | NS | ns1.msa1.illinois.net | 600s (10m) |
| ccc.edu | IN | NS | ns1.illinois.net | 600s (10m) |
| ccc.edu | IN | NS | ns2.illinois.net | 600s (10m) |
| ccc.edu | IN | NS | guardian.ccc.edu | 600s (10m) |
  • 16.
Additional records

| name | class | type | data | time to live |
|---|---|---|---|---|
| pobox.ccc.edu | IN | A | 216.125.49.10 | 600s (10m) |
| pobox2.ccc.edu | IN | A | 216.125.49.50 | 600s (10m) |
| guardian.ccc.edu | IN | A | 216.125.49.254 | 600s (10m) |
| ns1.msa1.illinois.net | IN | A | 206.166.50.100 | 60s (1m) |
| ns1.illinois.net | IN | A | 206.166.83.22 | 3600s (1h) |
| ns2.illinois.net | IN | A | 206.166.17.200 | 3600s (1h) |
  • 17.
Nslookup (Non-Authoritative) using Network-Tools on ccc.edu
Source: http://network-tools.com/nslook/default.asp, 9/20/2005

NsLookup: Query the DNS for resource records
Query form: domain ccc.edu; query type ANY - Any type; server 66.98.244.52; query class IN - Internet; port 53; timeout (ms) 5000; no recursion; advanced output

[66.98.244.52] returned a non-authoritative response in 94 ms:

Answer records

| name | class | type | data | time to live |
|---|---|---|---|---|
| ccc.edu | IN | MX | preference: 0 exchange: pobox.ccc.edu | 600s (10m) |
| ccc.edu | IN | MX | preference: 5 exchange: pobox2.ccc.edu | 600s (10m) |
| ccc.edu | IN | MX | preference: 10 exchange: guardian.ccc.edu | 600s (10m) |
| ccc.edu | IN | NS | ns1.msa1.illinois.net | 600s (10m) |
| ccc.edu | IN | NS | ns1.illinois.net | 600s (10m) |
| ccc.edu | IN | NS | ns2.illinois.net | 600s (10m) |
| ccc.edu | IN | NS | guardian.ccc.edu | 600s (10m) |
| ccc.edu | IN | A | 216.125.49.11 | 600s (10m) |
| ccc.edu | IN | SOA | server: ns1.msa1.illinois.net email: msa1hostmaster@illinois.net serial: 2005062401 refresh: 10800 retry: 3600 expire: 604800 minimum ttl: 600 | 600s (10m) |

Authority records
[none]

Additional records

| name | class | type | data | time to live |
|---|---|---|---|---|
| pobox.ccc.edu | IN | A | 216.125.49.10 | 600s (10m) |
| pobox2.ccc.edu | IN | A | 216.125.49.50 | 600s (10m) |
| guardian.ccc.edu | IN | A | 216.125.49.254 | 600s (10m) |
  • 18.
Nslookup (Authoritative) using Network-Tools on www.microsoft.com
Source: http://network-tools.com/nslook/default.asp, 9/20/2005

NsLookup: Query the DNS for resource records
Query form: domain microsoft.com; query type ANY - Any type; server 207.46.138.20; query class IN - Internet; port 53; timeout (ms) 5000; no recursion; advanced output

[207.46.138.20] returned an authoritative response in 94 ms:

Header
rcode: Success
id: 0
opcode: Standard query
is a response: True
authoritative: True
recursion desired: True
recursion avail: False
truncated: False
questions: 1
answers: 12
authority recs: 0
additional recs: 11

Questions

| name | class | type |
|---|---|---|
| microsoft.com | IN | ANY |

Answer records

| name | class | type | data | time to live |
|---|---|---|---|---|
| microsoft.com | IN | A | 207.46.250.119 | 3600s (1h) |
| microsoft.com | IN | A | 207.46.130.108 | 3600s (1h) |
| microsoft.com | IN | NS | ns3.msft.net | 172800s (2d) |
| microsoft.com | IN | NS | ns4.msft.net | 172800s (2d) |
| microsoft.com | IN | NS | ns5.msft.net | 172800s (2d) |
| microsoft.com | IN | NS | ns1.msft.net | 172800s (2d) |
| microsoft.com | IN | NS | ns2.msft.net | 172800s (2d) |
| microsoft.com | IN | SOA | server: dns.cp.msft.net email: msnhst@microsoft.com serial: 2005092003 refresh: 300 retry: 600 expire: 2419200 minimum ttl: 3600 | 3600s (1h) |
| microsoft.com | IN | MX | preference: 10 exchange: mailc.microsoft.com | 3600s (1h) |
| microsoft.com | IN | MX | preference: 10 exchange: maila.microsoft.com | 3600s (1h) |
| microsoft.com | IN | MX | preference: 10 exchange: mailb.microsoft.com | 3600s (1h) |
| microsoft.com | IN | TXT | v=spf1 mx redirect=_spf.microsoft.com | 3600s (1h) |

Authority records
[none]

Additional records

| name | class | type | data | time to live |
|---|---|---|---|---|
| ns3.msft.net | IN | A | 213.199.144.151 | 3600s (1h) |
| ns4.msft.net | IN | A | 207.46.66.75 | 3600s (1h) |
| ns5.msft.net | IN | A | 207.46.138.20 | 3600s (1h) |
| ns1.msft.net | IN | A | 207.46.245.230 | 3600s (1h) |
| ns2.msft.net | IN | A | 64.4.25.30 | 3600s (1h) |
| mailc.microsoft.com | IN | A | 207.46.121.52 | 3600s (1h) |
| mailc.microsoft.com | IN | A | 207.46.121.53 | 3600s (1h) |
| maila.microsoft.com | IN | A | 131.107.3.125 | 3600s (1h) |
| maila.microsoft.com | IN | A | 131.107.3.124 | 3600s (1h) |
| mailb.microsoft.com | IN | A | 131.107.3.123 | 3600s (1h) |
| mailb.microsoft.com | IN | A | 207.46.121.51 | 3600s (1h) |

Nslookup (Non-Authoritative) using Network-Tools on microsoft.com
Source: http://network-tools.com/nslook/default.asp, 9/20/2005

NsLookup: Query the DNS for resource records
Query form: domain microsoft.com; query type ANY - Any type; server 66.98.244.52; query class IN - Internet; port 53; timeout (ms) 5000; no recursion; advanced output

[66.98.244.52] returned a non-authoritative response in 0 ms:

Answer records

| name | class | type | data | time to live |
|---|---|---|---|---|
| microsoft.com | IN | NS | ns5.msft.net | 171510s (1d 23h 38m 30s) |
| microsoft.com | IN | NS | ns4.msft.net | 171510s (1d 23h 38m 30s) |
| microsoft.com | IN | NS | ns3.msft.net | 171510s (1d 23h 38m 30s) |
| microsoft.com | IN | NS | ns2.msft.net | 171510s (1d 23h 38m 30s) |
| microsoft.com | IN | NS | ns1.msft.net | 171510s (1d 23h 38m 30s) |

Authority records
[none]

Additional records
[none]
  • 21.
Zone-Transfer of nexiliscom.com
Source: IP-Plus DNS check tool, http://www.ip-plus.net/tools/domaincheck.cgi, 9/26/2005 1:56 AM

Domain nexiliscom.com, DNS server 209.180.121.65
Setting Source IP Address to : "164.128.36.54"
Check if the server "209.180.121.65" is configured for "nexiliscom.com" ... ok.

Check SOA Record ...
Server: ns1.nexiliscom.com
Address: 209.180.121.65
Query about nexiliscom.com for record types SOA
Trying nexiliscom.com ...
nexiliscom.com 3600 IN SOA ns1.nexiliscom.com postmaster.nexiliscom.com (
    2005083001 ;serial (version)
    3600 ;refresh period (1 hour)
*** WARNING *** Refresh 3600 , use recommended value "10800"
    3600 ;retry interval (1 hour)
    3600 ;expire time (1 hour)
*** WARNING *** Expire 3600 , use recommended value "604800"
    3600 ;default ttl (1 hour)
*** WARNING *** TTL 3600 , use recommended value "86400"

Check NS Records ...
Server: ns1.nexiliscom.com
Address: 209.180.121.65
Query about nexiliscom.com for record types NS
Trying nexiliscom.com ...
Query done, 2 answers, authoritative status: no error
nexiliscom.com 3600 IN NS ns2.nexiliscom.com
ns2.nexiliscom.com is secondary nameserver
nexiliscom.com 3600 IN NS ns1.nexiliscom.com
ns1.nexiliscom.com is primary nameserver
Additional information:
ns1.nexiliscom.com 3600 IN A 209.180.121.65
ns2.nexiliscom.com 3600 IN A 209.180.121.67
Found IP address "209.180.121.67" for server "ns2.nexiliscom.com"
Found IP address "209.180.121.65" for server "ns1.nexiliscom.com"

Check SOA Record for Consistency on all Servers ...
nexiliscom.com NS ns1.nexiliscom.com
ns1.nexiliscom.com postmaster.nexiliscom.com (2005083001 3600 3600 3600 3600)
*** WARNING *** !!! nexiliscom.com SOA refresh+retry exceeds expire
*** WARNING *** !!! nexiliscom.com SOA expire is less than 1 week (1 hour)
nexiliscom.com NS ns2.nexiliscom.com
ns1.nexiliscom.com postmaster.nexiliscom.com (2005060901 3600 3600 3600 3600)
*** WARNING *** !!! ns2.nexiliscom.com and ns1.nexiliscom.com have different serial for nexiliscom.

Check Zone Transfer
This may take a while, please wait ...
/opt/wwwtools-1.0/checkdom/hostsqs -Z -a -l -v -A -G -D
done.
*** WARNING *** !!! nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! atensubmissions.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.
*** WARNING *** !!! mail.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! memorial-unborn.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.
*** WARNING *** !!! mms1.nexiliscom.com address 64.119.36.27 maps to ip027.nexilis.cr3.tus.simplybits.
*** WARNING *** !!! netsaint.nexiliscom.com address 209.180.121.67 maps to ns2.nexiliscom.com
*** WARNING *** !!! newmail.nexiliscom.com address 64.119.36.25 maps to newmail1.nexiliscom.com
*** WARNING *** !!! newmail.nexiliscom.com address 209.180.121.66 maps to newmail2.nexiliscom.com
*** WARNING *** !!! ns3.nexiliscom.com address 64.119.36.26 maps to ip026.nexilis.cr3.tus.simplybits.
*** WARNING *** !!! pop.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! revolvstore.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! smtp.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! test.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com
*** WARNING *** !!! webtoo.nexiliscom.com address 64.119.36.28 maps to ip028.nexilis.cr3.tus.simplybits.
*** WARNING *** !!! www.nexiliscom.com address 209.180.121.65 maps to ns1.nexiliscom.com

No errors found in "nexiliscom.com"
21 warnings found in "nexiliscom.com"
  • 23.
Zone-Transfer of microsoft.com
Source: IP-Plus DNS check tool, http://www.ip-plus.net/tools/domaincheck.cgi, 9/26/2005 6:36 PM

Domain microsoft.com, DNS server ns1.msft.net
Found IP address "207.46.245.230" for server "ns1.msft.net"
Setting Source IP Address to : "164.128.36.54"
Check if the server "ns1.msft.net" is configured for "microsoft.com" ... ok.

Check SOA Record ...
Server: ns1.msft.net
Address: 207.46.245.230
Query about microsoft.com for record types SOA
Trying microsoft.com ...
microsoft.com 3600 IN SOA dns.cp.msft.net msnhst.microsoft.com (
    2005092601 ;serial (version)
    300 ;refresh period (5 minutes)
*** WARNING *** Refresh 300 , use recommended value "10800"
    600 ;retry interval (10 minutes)
*** WARNING *** Retry 600 , use recommended value "3600"
    2419200 ;expire time (4 weeks)
*** WARNING *** Expire 2419200 , use recommended value "604800"
    3600 ;default ttl (1 hour)
*** WARNING *** TTL 3600 , use recommended value "86400"

Check NS Records ...
Server: ns1.msft.net
Address: 207.46.245.230
Query about microsoft.com for record types NS
Trying microsoft.com ...
Query done, 5 answers, authoritative status: no error
microsoft.com 172800 IN NS ns5.msft.net
ns5.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns1.msft.net
ns1.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns2.msft.net
ns2.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns3.msft.net
ns3.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns4.msft.net
ns4.msft.net is secondary nameserver
Additional information:
ns5.msft.net 3600 IN A 207.46.138.20
ns1.msft.net 3600 IN A 207.46.245.230
ns2.msft.net 3600 IN A 64.4.25.30
ns3.msft.net 3600 IN A 213.199.144.151
ns4.msft.net 3600 IN A 207.46.66.75
Found IP address "207.46.138.20" for server "ns5.msft.net"
*** WARNING *** failed reverse lookup for "207.46.138.20"
*** WARNING *** 207.46.138.20 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
Found IP address "207.46.245.230" for server "ns1.msft.net"
*** WARNING *** failed reverse lookup for "207.46.245.230"
*** WARNING *** 207.46.245.230 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
Found IP address "64.4.25.30" for server "ns2.msft.net"
*** WARNING *** failed reverse lookup for "64.4.25.30"
*** WARNING *** 64.4.25.30 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
Found IP address "213.199.144.151" for server "ns3.msft.net"
*** WARNING *** failed reverse lookup for "213.199.144.151"
*** WARNING *** 213.199.144.151 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
Found IP address "207.46.66.75" for server "ns4.msft.net"
*** WARNING *** failed reverse lookup for "207.46.66.75"
*** WARNING *** 207.46.66.75 does not exist at ns1.msft.net (Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your nameservers
*** ERROR *** NS record for primary nameserver "dns.cp.msft.net" missing.

Check SOA Record for Consistency on all Servers ...
microsoft.com NS ns1.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
*** WARNING *** !!! microsoft.com SOA primary dns.cp.msft.net is not advertised via NS
*** WARNING *** !!! microsoft.com SOA retry exceeds refresh
microsoft.com NS ns2.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
microsoft.com NS ns3.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
microsoft.com NS ns4.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
microsoft.com NS ns5.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)

Check Zone Transfer
This may take a while, please wait ...
/opt/wwwtools-1.0/checkdom/hostsqs -Z -a -l -v -A -G -D
done.
*** ERROR *** 207.46.245.230 (207.46.245.230) connect: Connection timed out

2 errors found in "microsoft.com" please correct
11 warnings found in "microsoft.com"

Exercise 3 – Search Engines

Netcraft Search Web by Domain for .google.com
Source: Netcraft - Search Web by Domain, http://searchdns.netcraft.com/?host=.google.com&position=limited&loo..., 9/26/2005 9:48 PM
  • 25.
Results for .google.com
Found 144 sites

| # | Site | First seen | Netblock | OS |
|---|---|---|---|---|
| 1 | 1.qos.google.com | May 2004 | Google Inc. | Linux |
| 2 | 35820365512262.qos.google.com | November 2002 | Google Inc. | Linux |
| 3 | adsense.google.com | September 2004 | Google Inc. | Linux |
| 4 | adwords.google.com.au | August 2004 | Google Inc. | unknown |
| 5 | adwords.google.com.br | November 2003 | Google Inc. | Linux |
| 6 | adwordstest.google.com | October 2003 | Google Inc. | Linux |
| 7 | america.google.com | November 2003 | Google Inc. | Linux |
| 8 | answer.google.com | January 2003 | Google Inc. | Linux |
| 9 | aol.google.com | August 2004 | Google Inc. | Linux |
| 10 | api.google.com | June 2002 | Google Inc. | Linux |
| 11 | asia.google.com | November 2003 | Google Inc. | Linux |
| 12 | catalog.google.com | April 2002 | Google Inc. | Linux |
| 13 | catalogues.google.com | June 2002 | Google Inc. | Linux |
| 14 | console.google.com | May 2001 | Google Inc. | Linux |
| 15 | desktop.google.com | December 2004 | Google Inc. | Linux |
| 16 | dir.google.com | November 2001 | Google Inc. | Linux |
| 17 | directory.google.com | August 2001 | Google Inc. | Linux |
| 18 | download.google.com | November 2004 | Google Inc. | Linux |
| 19 | ent-demo9.google.com | October 2004 | Google Inc. | Linux |
| 20 | europe.google.com | November 2003 | Google Inc. | Linux |

Exercise 4 – E Mail Systems

Email Headers

X-Apparently-To: allengalvan@sbcglobal.net via 66.163.170.105; Mon, 26 Sep 2005 20:54:45 -0700
X-Originating-IP: [216.125.49.18]
Return-Path: <agalvan1@student.ccc.edu>
Authentication-Results: mta812.mail.scd.yahoo.com from=student.ccc.edu; domainkeys=neutral (no sig)
Received: from 207.115.20.36 (EHLO flpvm06.prodigy.net) (207.115.20.36) by mta812.mail.scd.yahoo.com with SMTP; Mon, 26 Sep 2005 20:54:44 -0700
X-Originating-IP: [216.125.49.18]
Received: from student.ccc.edu (student.ccc.edu [216.125.49.18]) by flpvm06.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id j8R3rwmF014910 for <allengalvan@sbcglobal.net>; Mon, 26 Sep 2005 20:53:58 -0700
Received: from agalvan1 [216.125.49.114] by student.ccc.edu with NetMail ModWeb Module; Mon, 26 Sep 2005 22:54:42 -0500
Subject: csfi214 - test msg
From: "ALLEN GALVAN" <agalvan1@student.ccc.edu>
To: allengalvan@sbcglobal.net
Date: Mon, 26 Sep 2005 22:54:43 -0500
X-Mailer: NetMail ModWeb Module
X-Sender: agalvan1
MIME-Version: 1.0
Message-ID: <1127793283.e602380agalvan1@student.ccc.edu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

nobody here but us chickens
Allen
allengalvan@netzero.net
  • 27.
Exercise 5 – Naming Conventions

Tracert of www.ccc.edu

Exercise 6 – Website Analysis