Penetration Test Tool Results


host -l and nslookup (ls -d) for DNS Zone Transfer

[root@rh8 root]# host -l winrace.com 192.168.0.201
Using domain server:
Name: 192.168.0.201
Address: 192.168.0.201#53
Aliases:

winrace.com SOA winrace.com. root.localhost.winrace.com. 2 28800 7200 604800 86400
winrace.com name server rh8.winrace.com.winrace.com.
chow.winrace.com has address 192.168.0.110
chow8.winrace.com has address 192.168.0.100
jen.winrace.com has address 192.168.0.179
rh8.winrace.com has address 192.168.0.201
rh8p1.winrace.com has address 192.168.0.200
winrace.com SOA winrace.com. root.localhost.winrace.com. 2 28800 7200 604800 86400

[root@alpha root]# host -l 128.198.1.250
250.1.198.128.in-addr.arpa domain name pointer klingon.uccs.edu.
[root@alpha root]# host -l uccs.edu
Host uccs.edu not found: 5(REFUSED)
; Transfer failed.
[root@alpha root]# nslookup
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
> set type=any
> ls -d uccs.edu
The 'ls' command is not implemented.

On Windows:
C:\Documents and Settings\chow>nslookup
Default Server: Vincent.mshome.net
Address: 192.168.0.1

> server 192.168.0.201
Default Server: [192.168.0.201]
Address: 192.168.0.201

> ls -d winrace.com
[[192.168.0.201]]
winrace.com. SOA winrace.com root.localhost.winrace.com. (
2 28800 7200 604800 86400)
winrace.com. NS rh8.winrace.com.winrace.com
chow A 192.168.0.110
chow8 A 192.168.0.100
jen A 192.168.0.179
rh8 A 192.168.0.201
rh8p1 A 192.168.0.200
winrace.com. SOA winrace.com root.localhost.winrace.com. (
2 28800 7200 604800 86400)

> ls -d ucs.edu >> ucs_zone_out
[[128.199.3.133]]
#####################################
Received 1901 records.

(This is not good! Some DNS servers allow zone transfers!)
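Added example, not code from the original notes: a pure-stdlib Python script that sends the same AXFR request that `host -l` and `nslookup ls -d` send, over TCP, and tells a refusal (rcode REFUSED, as uccs.edu returned above) from a successful transfer (NOERROR with the zone bracketed by its SOA at both ends, as winrace.com returned). The zone names, addresses and SOA values are taken from the output above; the two sample messages at the bottom are constructed to mirror those two outcomes, not captured packets, and `axfr()` is the only function that touches the network.

```python
import socket
import struct
import sys

AXFR, IN = 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}
TYPES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR"}

def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """One question, <zone> IN AXFR: the request behind `host -l` and `nslookup ls -d`."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", AXFR, IN)

def read_name(msg, off):
    """Decode a possibly-compressed name (RFC 1035 4.1.4); return (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # pointer to an earlier copy of the suffix
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_response(msg):
    """Return (rcode name, [(owner, type, rdata as text), ...]) for one message's answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            text = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (2, 12):
            text = read_name(msg, off)[0]
        elif rtype == 6:
            mname, o = read_name(msg, off)
            rname, o = read_name(msg, o)
            text = "%s %s %d %d %d %d %d" % ((mname, rname) + struct.unpack("!IIIII", msg[o:o + 20]))
        else:
            text = msg[off:off + rdlen].hex()
        records.append((owner, TYPES.get(rtype, str(rtype)), text))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), records

def classify(rcode, records):
    """A transfer succeeded only on NOERROR with the zone bracketed by its SOA at both ends."""
    if rcode != "NOERROR":
        return "transfer refused (%s)" % rcode
    if len(records) >= 2 and records[0][1] == "SOA" and records[-1][1] == "SOA":
        return "ZONE TRANSFER ALLOWED"
    return "incomplete or unexpected answer"

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf

def axfr(zone, server, port=53, timeout=5.0):
    """Live check: AXFR runs over TCP with a 2-byte length prefix and may span several messages."""
    query, records = build_axfr_query(zone), []
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        while True:
            rcode, recs = parse_response(recv_exact(s, struct.unpack("!H", recv_exact(s, 2))[0]))
            records.extend(recs)
            if rcode != "NOERROR" or (len(records) >= 2 and records[-1][1] == "SOA"):
                return classify(rcode, records), records

def rr(owner, rtype, rdata, ttl=86400):
    """Resource record for the constructed samples; `owner` may be pre-encoded bytes to exercise compression."""
    owner = owner if isinstance(owner, bytes) else encode_name(owner)
    return owner + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata

# Constructed sample messages (not captured traffic) mirroring the two outcomes shown on this page.
_SOA = encode_name("winrace.com") + encode_name("root.localhost.winrace.com") + struct.pack("!IIIII", 2, 28800, 7200, 604800, 86400)
SAMPLE_TRANSFER = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 4, 0, 0)            # QR|AA, NOERROR, 4 answers
                   + encode_name("winrace.com") + struct.pack("!HH", AXFR, IN)
                   + rr("winrace.com", 6, _SOA)
                   + rr("chow.winrace.com", 1, bytes([192, 168, 0, 110]))
                   + rr(b"\x03rh8\xc0\x0c", 1, bytes([192, 168, 0, 201]))        # "rh8" + pointer to the qname
                   + rr("winrace.com", 6, _SOA))
SAMPLE_REFUSED = (struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)             # QR, rcode 5 = REFUSED
                  + encode_name("uccs.edu") + struct.pack("!HH", AXFR, IN))

if __name__ == "__main__":                     # usage: python3 axfr_check.py winrace.com 192.168.0.201
    verdict, recs = axfr(sys.argv[1], sys.argv[2])
    for owner, rtype, text in recs:
        print(owner, rtype, text)
    print(verdict)
```

Run it once per authoritative name server of the target zone (the NS set from a normal query), since zone-transfer ACLs are configured per server and a secondary is often looser than the primary.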

NMAP Results

Ping scan (-sP)

sanluis.uccs.edu> nmap -sP 128.198.60.1-255

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host cs-content-switch1-router.uccs.edu (128.198.60.1) appears to be up.
Host (128.198.60.10) appears to be up.
Host (128.198.60.12) appears to be up.
Host archie.uccs.edu (128.198.60.21) appears to be up.
Host dilbert.uccs.edu (128.198.60.23) appears to be up.
Host snoopy.uccs.edu (128.198.60.32) appears to be up.
Host (128.198.60.65) appears to be up.
Host (128.198.60.129) appears to be up.
Host lamar.uccs.edu (128.198.60.168) appears to be up.
Host lizzie.uccs.edu (128.198.60.171) appears to be up.
Host b2b.uccs.edu (128.198.60.172) appears to be up.
Host frodo.uccs.edu (128.198.60.183) appears to be up.
Host eca.uccs.edu (128.198.60.188) appears to be up.
Host oblib.uccs.edu (128.198.60.195) appears to be up.
Host wait.uccs.edu (128.198.60.202) appears to be up.
Host walden.uccs.edu (128.198.60.203) appears to be up.
Host wind.uccs.edu (128.198.60.204) appears to be up.
Nmap run completed -- 255 IP addresses (17 hosts up) scanned in 27 seconds
sanluis.uccs.edu> nmap -sP 128.198.61.1-255

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host cs-content-switch2-router.uccs.edu (128.198.61.1) appears to be up.
Host alpha.uccs.edu (128.198.61.15) appears to be up.
Host (128.198.61.65) appears to be up.
Host (128.198.61.129) appears to be up.
Host willow.uccs.edu (128.198.61.130) appears to be up.
Host wiper.uccs.edu (128.198.61.132) appears to be up.
Host wireless-01.eas.uccs.edu (128.198.61.154) appears to be up.
Nmap run completed -- 255 IP addresses (7 hosts up) scanned in 14 seconds

sanluis.uccs.edu> nmap -v 128.198.61.15

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
Host alpha.uccs.edu (128.198.61.15) appears to be up ... good.
Initiating Connect() Scan against alpha.uccs.edu (128.198.61.15)
Adding open port 111/tcp
Adding open port 1024/tcp
Adding open port 6000/tcp
Adding open port 22/tcp
The Connect() Scan took 0 seconds to scan 1601 ports.
Interesting ports on alpha.uccs.edu (128.198.61.15):
(The 1597 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
1024/tcp open kdm
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

[root@rh8 root]# nmap -v 128.198.61.15

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
Host (128.198.61.15) appears to be up ... good.
Initiating SYN Stealth Scan against (128.198.61.15)
Adding open port 1024/tcp
Adding open port 22/tcp
Adding open port 389/tcp
Adding open port 1720/tcp
adjust_timeout: packet supposedly had rtt of 4294965425 microseconds. Ignoring time.
Adding open port 21/tcp
adjust_timeout: packet supposedly had rtt of 10140422 microseconds. Ignoring time.
Adding open port 1002/tcp
Adding open port 6000/tcp
The SYN Stealth Scan took 28 seconds to scan 1601 ports.
Interesting ports on (128.198.61.15):
(The 1588 ports scanned but not shown below are in state: closed)
Port State Service
19/tcp filtered chargen
21/tcp open ftp
22/tcp open ssh
25/tcp filtered smtp
87/tcp filtered priv-term-l
111/tcp filtered sunrpc
389/tcp open ldap
515/tcp filtered printer
540/tcp filtered uucp
1002/tcp open unknown
1024/tcp open kdm
1720/tcp open H.323/Q.931
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 39 seconds

Strange. I do not remember ftp being open on alpha. False positives?

[root@rh8 root]# ftp 128.198.61.15
Connected to 128.198.61.15 (128.198.61.15).
421 Service not available, remote server has closed connection

NMAP OS Detection

sanluis.uccs.edu> nmap -O 128.198.61.15

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
TCP/IP fingerprinting (for OS scan) requires root privileges which you do not appear to possess. Sorry, dude.

QUITTING!

[root@wiper root]# nmap -sS -O 128.198.61.15/24

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (128.198.61.0) seems to be a subnet broadcast address (returned 1 extra pings). Skipping host.
Interesting ports on cs-content-switch2-router.uccs.edu (128.198.61.1):
(The 1600 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
Remote OS guesses: Cisco 3600 running IOS 12.2(6c), Cisco router running IOS 12.1.5-12.2(6a), Cisco IOS 12.1(5)-12.2(7a)

Interesting ports on alpha.uccs.edu (128.198.61.15):
(The 1597 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
1024/tcp open kdm
6000/tcp open X11
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20

Host (128.198.61.63) seems to be a subnet broadcast address (returned 1 extra pings). Skipping host.
Host (128.198.61.64) seems to be a subnet broadcast address (returned 1 extra pings). Skipping host.
Interesting ports on (128.198.61.65):
(The 1600 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
Remote OS guesses: Cisco 3600 running IOS 12.2(6c), Cisco router running IOS 12.1.5-12.2(6a), Cisco IOS 12.1(5)-12.2(7a)

Host (128.198.61.127) seems to be a subnet broadcast address (returned 1 extra pings). Skipping host.
Host (128.198.61.128) seems to be a subnet broadcast address (returned 3 extra pings). Skipping host.
Interesting ports on (128.198.61.129):
(The 1600 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
Remote OS guesses: Cisco 3600 running IOS 12.2(6c), Cisco router running IOS 12.1.5-12.2(6a), Cisco IOS 12.1(5)-12.2(7a)

Interesting ports on willow.uccs.edu (128.198.61.130):
(The 1598 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
23/tcp open telnet
80/tcp open http
Remote operating system guess: SonicWall SOHO firewall, Enterasys Matrix E1, or Accelerated Networks VoDSL

Interesting ports on wiper.uccs.edu (128.198.61.132):
(The 1598 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
6000/tcp open X11
Remote OS guesses: Linux Kernel 2.4.0 - 2.5.20, Linux 2.5.25 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)

Interesting ports on wireless-01.eas.uccs.edu (128.198.61.154):
(The 1597 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
515/tcp open printer
6000/tcp open X11
Remote OS guesses: Linux Kernel 2.4.0 - 2.5.20, Linux 2.4.19-pre4 on Alpha

Host (128.198.61.191) seems to be a subnet broadcast address (returned 3 extra pings). Skipping host.
Nmap run completed -- 256 IP addresses (7 hosts up) scanned in 42 seconds
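Added example, not code from the original notes: a Python parser for the nmap 3.x text report format shown above that produces a per-host inventory (name, address, open ports, OS guess, skipped broadcast addresses) and a follow-up list for the services a tester would look at next. The `FOLLOW_UP` reasons and the `SAMPLE` excerpt (three host blocks copied from the scan above, labelled constructed) are my additions; nmap's Service column is only the IANA name for the port number, so each entry is a reason to verify, not a finding by itself.

```python
import re

# Line shapes in the nmap 3.00 text report: host header, port table row, OS guess, skipped broadcast.
HOST_RE = re.compile(r"^Interesting ports on (?:(\S+) )?\((\d+\.\d+\.\d+\.\d+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)")
OS_RE = re.compile(r"^Remote (?:OS guesses|operating system guess): (.+)$")
SKIP_RE = re.compile(r"^Host \((\d+\.\d+\.\d+\.\d+)\) seems to be a subnet broadcast")

# Ports whose 'open' state deserves a follow-up (assumed triage list, not from the page).
FOLLOW_UP = {
    21: "ftp: cleartext logins; check for anonymous access",
    23: "telnet: cleartext credentials (the routers above expose it for management)",
    111: "sunrpc: portmapper lists RPC services (rpcinfo -p <host>)",
    389: "ldap: try an anonymous bind for directory contents",
    515: "lpd: legacy print spooler that rarely needs network exposure",
    6000: "X11: remote display server; check xhost access control",
}

def parse_nmap3(report):
    """Return ([{name, ip, ports: [(port, proto, state, svc)], os}], [skipped ips]) for one report."""
    hosts, skipped, cur = [], [], None
    for line in report.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = {"name": m.group(1) or "", "ip": m.group(2), "ports": [], "os": ""}
            hosts.append(cur)
            continue
        m = SKIP_RE.match(line)
        if m:
            skipped.append(m.group(1))
            cur = None
            continue
        if cur is None:
            continue
        m = PORT_RE.match(line)
        if m:
            cur["ports"].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = OS_RE.match(line)
        if m:
            cur["os"] = m.group(1)
    return hosts, skipped

def findings(hosts):
    """(ip, name, port, reason) for every open TCP port in FOLLOW_UP, sorted for a report."""
    out = []
    for h in hosts:
        for port, proto, state, svc in h["ports"]:
            if proto == "tcp" and state == "open" and port in FOLLOW_UP:
                out.append((h["ip"], h["name"], port, FOLLOW_UP[port]))
    return sorted(out)

# Constructed sample: three host blocks copied from the nmap -sS -O output above plus one skipped address.
SAMPLE = """\
Interesting ports on cs-content-switch2-router.uccs.edu (128.198.61.1):
(The 1600 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
Remote OS guesses: Cisco 3600 running IOS 12.2(6c), Cisco router running IOS 12.1.5-12.2(6a), Cisco IOS 12.1(5)-12.2(7a)

Interesting ports on alpha.uccs.edu (128.198.61.15):
(The 1597 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
1024/tcp open kdm
6000/tcp open X11
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20

Host (128.198.61.63) seems to be a subnet broadcast address (returned 1 extra pings). Skipping host.
Interesting ports on (128.198.61.65):
(The 1600 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
Remote OS guesses: Cisco 3600 running IOS 12.2(6c), Cisco router running IOS 12.1.5-12.2(6a), Cisco IOS 12.1(5)-12.2(7a)
"""

if __name__ == "__main__":
    hosts, skipped = parse_nmap3(SAMPLE)
    for ip, name, port, reason in findings(hosts):
        print("%-15s %-35s %5d/tcp  %s" % (ip, name or "-", port, reason))
    print("skipped as broadcast:", ", ".join(skipped))
```

Feed it the saved output of a real run (`nmap -sS -O target > scan.txt`, then `parse_nmap3(open("scan.txt").read())`); the "seems to be a subnet broadcast address" hosts are worth a second look with `-P0`/`-PN` on the same addresses, since a router answering extra pings is what makes nmap skip them.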

Enumeration

DumpSec (for Windows)

Enumerate Users

C:\Documents and Settings\chow>c:\progra~1\SystemTools\dumpsec /computer=\\vivian /rpt=usersonly /saveas=tsv /outfile=c:\temp\users.txt

The following shows the content of c:\temp\users.txt
4/24/2003 2:24 PM - Somarsoft DumpSec (formerly DumpAcl) - \\vivian
UserName          FullName                                              Comment
__vmware_user__   __vmware_user__                                       VMware User
Administrator                                                           Built-in account for administering the computer/domain
chow              chow
Guest                                                                   Built-in account for guest access to the computer/domain
HelpAssistant     Remote Desktop Help Assistant Account                 Account for Providing Remote Assistance
SQLDebugger       SQLDebugger                                           This user account is used by the Visual Studio.NET Debugger
SUPPORT_388945a0  CN=Microsoft Corporation,L=Redmond,S=Washington,C=US  This is a vendor's account for the Help and Support Service

user2sid and sid2user are available at http://www.chem.msu.su:8080/~rudnyi/NT/

C:\Documents and Settings\chow>user2sid "users"

S-1-5-32-545

Number of subauthorities is 2
Domain is BUILTIN
Length of SID in memory is 16 bytes
Type of SID is SidTypeAlias

C:\Documents and Settings\chow>

C:\Documents and Settings\chow>sid2user 5 32 545

Name is Users
Domain is BUILTIN
Type of SID is SidTypeAlias

C:\Documents and Settings\chow>user2sid "chow"

S-1-5-21-1506848435-2690979997-1571554456-1005

Number of subauthorities is 5
Domain is VIVIAN
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser

C:\Documents and Settings\chow>sid2user 5 21 1506848435 2690979997 1571554456 1005

Name is chow
Domain is VIVIAN
Type of SID is SidTypeUser
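Added example, not code from the original notes: Python helpers for the SID arithmetic behind user2sid and sid2user. They reproduce the in-memory lengths printed above (16 bytes for S-1-5-32-545, 28 bytes for chow's SID) from the SID's binary layout, split a SID into the machine/domain part and the RID, and generate the `sid2user` argument lists for RID cycling, the technique of walking RIDs outward from one known account SID to enumerate the other accounts without a user list. The well-known RID table and the starting range are assumptions drawn from how Windows allocates RIDs, not from the page.

```python
import struct

# RIDs Windows assigns to fixed principals (assumed table; 502/512/513 only exist on a domain).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt (domain only)",
                   512: "Domain Admins (domain only)", 513: "Domain Users (domain only)"}

def parse_sid(text):
    """'S-1-5-21-a-b-c-1005' -> (revision, identifier authority, [sub-authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]

def sid_to_bytes(text):
    """In-memory layout: revision, sub-authority count, 6-byte big-endian authority,
    then 4-byte little-endian sub-authorities: 8 + 4*n bytes, the 16 and 28 user2sid prints above."""
    rev, auth, subs = parse_sid(text)
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + b"".join(struct.pack("<I", s) for s in subs)

def bytes_to_sid(raw):
    """Inverse of sid_to_bytes, with the length check a parser of untrusted SIDs needs."""
    rev, n = raw[0], raw[1]
    if len(raw) != 8 + 4 * n:
        raise ValueError("length %d does not match %d sub-authorities" % (len(raw), n))
    subs = struct.unpack("<%dI" % n, raw[8:])
    return "S-%d-%d-%s" % (rev, int.from_bytes(raw[2:8], "big"), "-".join(map(str, subs)))

def split_domain_rid(text):
    """The machine or domain SID is everything but the last sub-authority; the last one is the RID."""
    rev, auth, subs = parse_sid(text)
    return "S-%d-%d-%s" % (rev, auth, "-".join(map(str, subs[:-1]))), subs[-1]

def sid2user_args(text):
    """Argument form sid2user expects above: authority and sub-authorities, space-separated, no 'S-1-'."""
    rev, auth, subs = parse_sid(text)
    return " ".join(str(x) for x in [auth] + subs)

def rid_cycle(user_sid, start=1000, count=10):
    """RID cycling: from one known account SID, the candidate SIDs (and sid2user argument strings) to
    resolve one by one. Well-known RIDs first, then the sequential range ordinary accounts are created in."""
    domain, _ = split_domain_rid(user_sid)
    rids = list(WELL_KNOWN_RIDS) + list(range(start, start + count))
    return [(rid, "%s-%d" % (domain, rid), sid2user_args("%s-%d" % (domain, rid))) for rid in rids]

if __name__ == "__main__":
    known = "S-1-5-21-1506848435-2690979997-1571554456-1005"     # chow's SID from the output above
    for rid, sid, args in rid_cycle(known):
        print("sid2user %s    # %s %s" % (args, sid, WELL_KNOWN_RIDS.get(rid, "")))
```

The cycle is useful because renaming the Administrator account does not change its RID of 500: resolving `<machine SID>-500` returns whatever name it was given, which is why RestrictAnonymous settings that block the SID lookups matter more than the rename.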


MS getmac and ipconfig

C:\Documents and Settings\chow>getmac

Physical Address Transport Name
=================== ==========================================================
00-00-39-B4-86-E0 \Device\Tcpip_{146EB053-AC31-46A7-A7DF-44A3DEAB56DA}
00-02-2D-59-4F-CB Media disconnected
00-50-56-C0-00-01 \Device\Tcpip_{7A662A25-BD47-4FBA-812B-798D266882E0}
00-50-56-C0-00-08 \Device\Tcpip_{E9C34069-3128-40A7-85C5-AB497CD352CB}

C:\Documents and Settings\chow>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : eas.uccs.edu
IP Address. . . . . . . . . . . . : 128.198.172.90
Subnet Mask . . . . . . . . . . . : 255.255.224.0
Default Gateway . . . . . . . . . : 128.198.160.1

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected

C:\Documents and Settings\chow>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : VIVIAN
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : uccs.edu

Ethernet adapter VMware Network Adapter VMnet8:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
Physical Address. . . . . . . . . : 00-50-56-C0-00-08
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.8.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter VMware Network Adapter VMnet1:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
Physical Address. . . . . . . . . : 00-50-56-C0-00-01
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : eas.uccs.edu
Description . . . . . . . . . . . : Intel(R) PRO/100 M Mobile Connection
Physical Address. . . . . . . . . : 00-00-39-B4-86-E0
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 128.198.172.90
Subnet Mask . . . . . . . . . . . : 255.255.224.0
Default Gateway . . . . . . . . . : 128.198.160.1
DHCP Server . . . . . . . . . . . : 128.198.160.74
DNS Servers . . . . . . . . . . . : 128.198.160.64
128.198.160.66
128.198.1.250
Lease Obtained. . . . . . . . . . : Friday, April 25, 2003 9:42:05 PM
Lease Expires . . . . . . . . . . : Friday, April 25, 2003 11:42:05 PM

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Toshiba Wireless LAN Mini PCI Card
Physical Address. . . . . . . . . : 00-02-2D-59-4F-CB