Revueltas o requintas

• WHOIS

• System information

• Resource viewer

Wikto

The features of the Wikto footprinting tool (Figure 2-8) are as follows:

• Web server fingerprinting using Net-Square’s HTTPrint

• Directory and link extraction from mirrors using HTTrack

• Indexable director detection in BackEnd

• One-click updates of both Nikto and Google Hack databases

• Built-in SSL support for Wikto and BackEnd miner

WHOIS Tools

WHOIS

Several operating systems provide a WHOIS utility. To conduct a query from the command line, the format is the following:

whois -h hostname identifier

In order to obtain a more specific response, the query can be conducted using flags. Many of these flags can be specified at the same time to determine a specific output. The syntax requirement is that flags should be separated from each other and from the search term by a space. Flags can be categorized under query types, and only one flag may be used from a query type.

Figure 2-8 Wikto is a footprinting tool with a wide range of features.

Name Server: NS3.GOOGLE.COM

The following are the results of querying WHOIS at internic.net for registrar ALLDOMAINS.COM INC:

Registrar Name: ALLDOMAINS.COM INC.

Address: 2261 Morello Ave, Suite C, Pleasant Hill, CA 94523, US Phone Number: 925-685-9600

The following are the results of querying WHOIS at internic.net for the name server NS2.GOOGLE.COM:

Server Name: NS2.GOOGLE.COM IP Address: 216.239.34.10

Registrar: ALLDOMAINS.COM INC.

Whois Server: whois.alldomains.com Referral URL: http://www.alldomains.com

As seen above, a normal query will result in contact information, name of registrar and name servers, which can be resolved further into specific IP addresses.

WHOIS Tools 2-17

A domain name identifies a zone. Each zone has a set of resource information, which may be empty. The set of resource information associated with a particular name is composed of separate resource records (RRs). The order of RRs in a set is not significant and need not be preserved by name servers, resolvers, or other parts of DNS.

A specific RR is assumed to have the following:

• Owner: the domain name where the RR is found

• Type: an encoded 16-bit value that specifies the type of the resource in this resource record; types refer to abstract resources

Table 2-1 describes the different types in a resource record.

Type Description

A a host address

CNAME identifies the canonical name of an alias

HINFO identifies the CPU and OS used by a host

MX identifies a mail exchange for the domain

NS the authoritative name server for the domain

PTR for reverse lookup

SOA identifies the start of a zone of authority

CLASS an encoded 16-bit value, which identifies a protocol family

or instance of a protocol

IN the Internet system

CH the Chaos system

TTL the time to live of the RR

RDATA the type and sometimes class-dependent data that

describes the resource

CNAME a domain name

MX a 16-bit preference value followed by a host name willing

to act as a mail server

NS a host name

PTR a domain name

SOA several fields

Table 2-1 This table describes the various types of information in a resource record

TypAs seen in the table, the information stored can be useful to gather further information for the target domain. To summarize, there are five types of queries that can be carried out on a WHOIS database.

• Registrar: This type displays specific registrar information and associated WHOIS servers. It provides details about the potential domains that correlate to the target.

• Organizational: This type displays all information related to a particular organization. This query can list all known instances associated with the particular target and the number of domains associated with the organization.

• Domain: A domain query provides information about a specific domain. A domain query arises from information gathered from an organizational query. This type of query is used by an attacker to find the address, domain name, and phone number of administrator and system domain servers of the company.

• Network: A network query provides information about a network with one IP address. Network enu-meration can help ascertain the network block assigned or allotted to the domain.

• Point of contact (POC): This type of query provides information about personnel that deal with admin-istration, technical, or billing accounts.

If the organization is a high-security organization, it can opt to register a domain in the name of a third party, as long as that party agrees to accept responsibility. The organization must also take care to keep its public data updated and relevant for faster resolution of any administrative or technical issues. The public data is available only to the organization that is performing the registration, and that entity is responsible for keep-ing it current.

SmartWhois

SmartWhois allows users to find information about an IP address, host name, or domain. Like other WHOIS utilities, SmartWhois provides information about the city, state or province, country, name of the registered owner, and contact information. SmartWhois intelligently chooses the correct database from a pool of 60 dif-ferent databases from all over the world. Users can archive the results of queries to build their own private databases of WHOIS information. SmartWhois also integrates into Internet Explorer and Outlook to allow a user to look up information directly from e-mail headers.

Figure 2-9 shows a screenshot from SmartWhois.

ActiveWhois

ActiveWhois is a network tool that retrieves information such as countries, e-mail addresses, and postal ad-dresses of the owners of IP adad-dresses and Internet domains. Users can investigate any Web site or domain, including top-level domains, and retrieve its ownership details and the location of the servers hosting the site. It intelligently accesses information stored in over 120 WHOIS servers worldwide.

The following are some of the features of ActiveWhois:

• ActiveWhois can work in offline mode; this means all complete WHOIS requests are saved to disk and are accessible even without an Internet connection.

• It can be used to check and register domains, as it provides links to domain registrars in each country.

• ActiveWhois also includes tools for investigating attacks, spam, suspicious Web sites, and IRC and IM screen names.

Figure 2-10 shows a screenshot from ActiveWhois.

Figure 2-9 SmartWhois is a WHOIS utility that provides information about the registered owner of a Web site.

WHOIS Tools 2-19

LanWhoIs

LanWhoIs helps a user find out who registered a domain, and where and when that domain was registered. It provides complete WHOIS information about the person who registered the domain. LanWhoIs archives this information and can save it to an HTML-formatted file for later viewing.

CountryWhois

A user can make IP-to-country correlations using CountryWhois. This is a quick and easy tool that is ideal in situations when a user only needs to know the country of origin of an IP address. Figure 2-11 shows a screenshot from CountryWhois.

CallerIP

A user can use CallerIP to see when someone has connected to his or her computer. CallerIP determines the IP address of the external system and runs a trace on that address. It provides reports, including service provider contact information, so the user can report the invasion to the attacker’s service provider. CallerIP keeps detailed logs that the user can provide as evidence of the invasion. Figure 2-12 shows a screenshot from CallerIP.