Tuesday, June 4, 2013

How to track Hackers and attacks .

Now, I will be showing you how to query a specific WHOIS server directly, you can use the host parameter (-h HOST, --host=HOST)

This is an example below:

Quote:$ whois -h whois.networksolutions.com floors.com

Let's do a whois on the domain floors.com

As you can see I used: Whois Server: whois.networksolutions.com

To do a direct whois to the server.

Now, if you want to see DNS records on the IP or domain, you can ping the domain to get the IP or use the IP directly if you already have it.

Using the shell use this command:

Quote:$ host -t ANY thedomaingoeshere.com

An example:

Quote:$ host -t ANY floors.com

[b]The Dig Command[/b]

The dig command is another useful DNS lookup utility for Unix-based systems is 'dig'. To obtain the IP address using the 'dig' command, do the following from the command line:

Quote:$ dig thedomaingoeshere.com

If you want to return just the IP address of the site and nothing else, you can modify the command by adding the +short query option:


Quote:$ dig +short thedomaingoeshere.com

This query is pretty much similar to ping, where you can acquire the IP, except no packets are sent.

The dnslookup command

'nslookup' is an administrative tool for testing and troubleshooting DNS servers. The utility takes a hostname as an arguement and returns the associated IP addres, as shown in the following command:

The 'nslookup' can be done on either MS DOS or a Linux Shell. On this example I'll show you with a MS DOS.

Spoiler (Click to Hide)

Quote:Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\Users\KingCobraMan>nslookup hackforums.net
Server: cns.cmc.co.denver.comcast.net

Non-authoritative answer:
Name: hackforums.net


The ping command

The main purpose of the 'ping' command is to see if a computer is online or not. And if it is, it checks if it's reachable. It works by sending a packet of data to the remote computer's IP address and then waiting for a reply. When you use 'ping', you can supply either the IP address or the hostname of the remote computer. If you supply the hostname, 'ping' will perform a DNS resolution of the hostname and print the associated IP address in its output.

Here's an example:

Spoiler (Click to View)

You should use 'ping' with caution because it will attempt to contact the remote system which will reveal your IP address to attackers if they're watching traffic. A good way to use 'ping', but avoid sending any traffic to the destination, is to set the packet's time to live (TTL) value to 1.

The complete query to assure that your information does not gets shown is like this:

Quote:C:\Users\KingCobraMan> ping i 1 hackforums.net

Now, if you are one of those who loves to use "easy" tools to do all the work for you, you can use websites like these below to do all the work for you.


Researching IP Addresses

Whether malware uses a domain name or not, it will have to use an IP address in some capacity if the malware plans on contacting other hosts on the Internet. As you learned earlier, malware may find an IP address through DNS, however many malware authors hard-code IP addresses into their programs, so they don't need to use DNS at all. In either case, you will want to investigate the IP addresses once you figure out which one(s) the malware contacts and for this you will need to decompile the malware and decypher the code.

I'll mention information such as:

Where is this IP address geographically located?
Who is the responsible for this IP?
How many other IP addresses are in the same network?
Does this IP address have a bad reputation?
What DNS entries point to an IP address?

Obviously, you will need an IP to begin with before you can even begin doing any of this stuff above.

Use this website that I personally use to track down the IP


When it comes to IP addresses, a regional Internet registry (RIR) is responsible for maintaining information about them. The Internet Assigned Numbers Authority (IANA) delegates IP addresses to one of the five different RIRs based on its location. This means that you can go directly to the website of the of the RIRs and perform IP address lookup.

Registry Geographic Location Web Address

AfriNIC Africa portions of the Indian http://www.afrinic.net/

APNIC Portions of Asia, Portions of http://www.apnic.net/

ARIN Canada, Caribbean, and North http://www.arin.net/
Atlantic islands, and the US.

LACNIC Latin America, portions of Caribbean. http://www.lacnic.net/en/

RIPE NCC Europe, the Middle East, Central Asia http://www.ripe.net/

No comments:

Post a Comment