3.2 NIC Querying


Network Information Centers (NICs) store useful information in WHOIS databases, primarily as network, route, or person objects. WHOIS database objects record which areas of Internet address space are registered to which organizations, along with routing details and the contact details to use in case of abuse.

Public Internet network blocks and IP address space are allocated by regional registries, each responsible for one part of the world. The three registries that hold the bulk of allocated space are listed here (LACNIC and AfriNIC serve Latin America and Africa respectively); each can be queried for useful information (including names of technical IT staff, details of IP network blocks, and physical office locations):

  • American Registry for Internet Numbers (ARIN) at http://www.arin.net

  • Asia Pacific Network Information Centre (APNIC) at http://www.apnic.net

  • Réseaux IP Européens (RIPE) at http://www.ripe.net

Each regional registrar's WHOIS database contains only information relevant to its own region. For example, the RIPE WHOIS database doesn't contain network space or other objects that are registered in the Americas.

3.2.1 NIC Querying Tools and Examples

Tools that are used to query NIC WHOIS databases include:

  • The Sam Spade Windows client (available from http://www.samspade.org)[1]

    [1] URLs for tools in this book are mirrored at the O'Reilly site, http://examples.oreilly.com/networksa/tools.

  • The whois client found within Unix-based environments

  • Direct querying via the appropriate regional registrar's web interface

3.2.1.1 Using the Sam Spade Windows client

The Sam Spade client is a powerful and easy-to-use Windows tool that can perform many public-record query functions, as shown in Figure 3-4.

Figure 3-4. The Sam Spade Windows client
figs/nsa_0304.gif

In this case, I used it to submit a WHOIS query for 144.51.92.35, which reveals that the address is part of an IP network block named NCSC (144.51.0.0 to 144.51.255.255) registered to the NCSC. The record also provides contact details and DNS name server information.

You will often find that company web servers and key Internet-facing hosts are housed in colocation suites or web farms run by third parties. When performing professional network security assessment work, check that the IP addresses or ranges you enumerate do in fact belong to the client, as opposed to a hosting center or a third party that provides the client's web development and support; address space that is not the client's falls outside your authorization.


3.2.1.2 Using the Unix whois utility

The Unix whois command-line utility can perform WHOIS queries against specific servers. In Example 3-1, I submit a query for cs-security-mnt. The client is intelligent in that it tries all three Network Information Centers (ARIN, RIPE, and APNIC) for the object, so I don't need to specify which database to search.

Example 3-1. Enumerating the cs-security-mnt object from RIPE
# whois cs-security-mnt
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

mntner:       CS-SECURITY-MNT
descr:        Charles Stanley & Co Ltd maintainer
admin-c:      SN1329-RIPE
tech-c:       SN1329-RIPE
upd-to:       sukan.nair@charles-stanley.co.uk
mnt-nfy:      sukan.nair@charles-stanley.co.u
auth:         MAIL-FROM sukan.nair@charles-stanley.co.uk
auth:         MAIL-FROM .*@uk.easynet.net
mnt-by:       CS-SECURITY-MNT
referral-by:  RIPE-DBM-MNT
changed:      phil.duffen@uk.easynet.net 20020111
source:       RIPE

person:       Sukan Nair
address:      Charles-Stanley
address:      25 Luke Street
address:      London EC2A 4AR
address:      UK
phone:        +44 20 8491 5889
e-mail:       sukan.nair@charles-stanley.co.uk
nic-hdl:      SN1329-RIPE
notify:       ripe@ftech.net
mnt-by:       AS5611-MNT
changed:      ripe@ftech.net 19991021
source:       RIPE

Maintainer (mntner) objects control who may update other objects in the RIPE and APNIC databases; the auth: attribute lists the authentication methods an update must satisfy. The MAIL-FROM scheme shown in Example 3-1 accepts any update mail whose From: address matches the given pattern, which is trivial to forge, and RIPE has since withdrawn it in favor of password- and PGP-based schemes. For further information relating to NIC security, please see a white paper I wrote in June 2002, available from the Matta web site at http://www.trustmatta.com/downloads/Matta_NIC_Security.pdf.
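Three things a practitioner does with output like Example 3-1 are parse it, check the netblock owner against the client (the point made in the Sam Spade section above), and look at how the maintainer object is protected. The Python below is added here as an example and is not code from the book: it performs a raw RFC 3912 query over TCP port 43, parses an RPSL-style reply into objects, flags maintainers whose auth: scheme is weak, and reports which inetnum covers a given address. The embedded reply is constructed (placeholder organization, RFC 5737 addresses) in the layout of a RIPE response, not the Charles Stanley record above.

```python
"""WHOIS over TCP/43 (RFC 3912) plus an RPSL reply parser. Added example,
not code from the book; SAMPLE_REPLY is constructed (placeholder names,
RFC 5737 addresses) in the layout of a RIPE reply."""
import ipaddress
import re
import socket

WHOIS_PORT = 43
# mntner auth schemes worth flagging: NONE is no check, MAIL-FROM trusts a
# forgeable From: header, CRYPT-PW is a weak hash. RIPE no longer accepts them.
WEAK_AUTH_SCHEMES = {"NONE", "MAIL-FROM", "CRYPT-PW"}
ATTR_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")

SAMPLE_REPLY = """\
% Constructed sample in RIPE reply layout; not real registry data.
% The objects are in RPSL format.

inetnum:      192.0.2.0 - 192.0.2.255
netname:      EXAMPLE-HOSTING-NET
descr:        Example Hosting Ltd colocation suite
admin-c:      EX1-TEST
mnt-by:       EXAMPLE-MNT
source:       TEST

mntner:       EXAMPLE-MNT
descr:        Example Hosting Ltd maintainer
upd-to:       hostmaster@example.net
auth:         MAIL-FROM .*@example.net
auth:         MD5-PW $1$SaltSalt$placeholderhashvalue
mnt-by:       EXAMPLE-MNT
source:       TEST

person:       Example Admin
address:      1 Example Street
address:      London
e-mail:       hostmaster@example.net
nic-hdl:      EX1-TEST
mnt-by:       EXAMPLE-MNT
source:       TEST
"""


def whois_query(server, query, timeout=10.0):
    """RFC 3912 exchange: connect to TCP/43, send query + CRLF, read to EOF.
    Needs network access; the functions below work offline on SAMPLE_REPLY."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_rpsl(text):
    """Return a list of objects, each {attribute: [values]}. Blank lines separate
    objects, '%'/'#' lines are comments, attributes may repeat (auth:, address:),
    and a line starting with whitespace or '+' continues the previous value."""
    objects, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():               # end of object
            if current:
                objects.append(current)
            current, last_key = {}, None
        elif line.startswith(("%", "#")):  # server comment
            continue
        elif line[0] in " \t+" and last_key is not None:
            current[last_key][-1] += " " + line.lstrip(" \t+")
        elif (match := ATTR_RE.match(line)):
            key, value = match.group(1).lower(), match.group(2)
            current.setdefault(key, []).append(value)
            last_key = key
    if current:
        objects.append(current)
    return objects


def weak_maintainers(objects):
    """(mntner name, auth line) for every auth scheme in WEAK_AUTH_SCHEMES."""
    findings = []
    for obj in objects:
        if "mntner" not in obj:
            continue
        for auth in obj.get("auth", []):
            parts = auth.split()
            if parts and parts[0].upper() in WEAK_AUTH_SCHEMES:
                findings.append((obj["mntner"][0], auth))
    return findings


def owner_of(objects, ip):
    """(netname, descr) of the first inetnum whose 'start - end' range covers
    ip, or None. This is the check from the text: confirm the block is the
    client's and not a colocation provider's before treating it as in scope."""
    addr = ipaddress.ip_address(ip)
    for obj in objects:
        if "inetnum" not in obj:
            continue
        start, end = (p.strip() for p in obj["inetnum"][0].split("-", 1))
        if ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end):
            return obj.get("netname", [""])[0], obj.get("descr", [""])[0]
    return None
```

For live use, `parse_rpsl(whois_query("whois.ripe.net", "cs-security-mnt"))` replaces the constructed sample; `owner_of` returning a hosting company's netname rather than the client's is the signal to take that range out of scope.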

3.2.1.3 Directly querying ARIN

Web interfaces at ARIN, APNIC, and RIPE can enumerate useful information. In Figure 3-5, I use the WHOIS web interface at ARIN to launch a query of microsoft.

Figure 3-5. Using ARIN to list Microsoft entries
figs/nsa_0305.gif

WHOIS requests can take many forms, from specific object queries (of which the interesting types of objects are networks, people, and routes), to vague searches of organization names or IP addresses.

3.2.1.4 Harvesting user details through WHOIS

User details relating to a specific domain can easily be harvested from the Unix command line with the whois utility. Example 3-2 shows a query launched against citicorp.com through ARIN, revealing usernames, email addresses, and telephone numbers.

Example 3-2. Enumerating Citicorp staff through ARIN
# whois "@citicorp.com"@whois.arin.net
[whois.arin.net]
Bleak, Glen (GB375-ARIN)      glen.bleak@citicorp.com      +1-725-768-3812
Ching, David (DCH37-ARIN)     David.ching@citicorp.com     +1-302-126-2879
Ciati, John (JC2107-ARIN)     john.ciati@citicorp.com      +1-725-768-6570
Isle, Toby (TI21-ARIN)        toby.isle@citicorp.com       +1-302-154-7642
Lamb, Rudolph (RL3908-ARIN)   rudy.lamb@citicorp.com       +1-725-218-1565
Nixon, Tom (TN69-ARIN)        Tom.Nixon@citicorp.com       +1-725-768-1154
Sabol, Gary (GS364-ARIN)      gary.sabol@citicorp.com      +1-302-132-7168
Sadler, Katie (KS330-ARIN)    katie.sadler@citicorp.com    +1-354-132-5481
Strafe, Walter (WS86-ARIN)    walter.strafe@citicorp.com   +1-542-120-5464
Wood, Mark (MW340-ARIN)       mark.wood@citicorp.com       +1-743-120-4052
Yarr, Diane (DY613-ARIN)      diane.yarr@citicorp.com      +1-542-249-1553
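A harvested listing is only useful once it is structured and filtered. The Python below is added here as an example and is not code from the book: it parses ARIN's one-line contact format into records keyed on the NIC handle (so repeated rows collapse), keeps only mailboxes at the client's domain, and derives the local parts that often double as login names for later stages of an assessment. The sample listing is constructed (example.com placeholders), not the Citicorp output above.

```python
"""Turn an ARIN point-of-contact listing into structured, in-scope records.
Added example, not code from the book; SAMPLE_LISTING is constructed in the
one-line format ARIN printed for the query above, with placeholder values."""
import re

# Last, First (HANDLE-ARIN) email phone  -- one contact per line
POC_RE = re.compile(
    r"^(?P<last>[^,(]+),\s*(?P<first>[^()]+?)\s+\((?P<handle>[A-Z0-9-]+)\)\s+"
    r"(?P<email>[^\s@]+@[^\s@]+)\s+(?P<phone>\+[\d-]+)\s*$"
)

SAMPLE_LISTING = """\
[whois.arin.net]
Doe, Jane (JD000-ARIN) jane.doe@example.com +1-555-010-0001
Roe, Richard (RR000-ARIN) Richard.Roe@Example.com +1-555-010-0002
Doe, Jane (JD000-ARIN) jane.doe@example.com +1-555-010-0001
Hoster, Harry (HH000-ARIN) noc@colo-provider.example.net +1-555-010-0003
"""


def parse_poc_listing(text):
    """Parse each contact line into a dict; skip the server banner and any
    malformed rows; deduplicate on the NIC handle, the stable identifier."""
    by_handle = {}
    for line in text.splitlines():
        match = POC_RE.match(line.strip())
        if not match:
            continue
        rec = match.groupdict()
        rec["email"] = rec["email"].lower()   # mail addresses compare case-insensitively in practice
        by_handle.setdefault(rec["handle"], rec)
    return list(by_handle.values())


def in_scope(records, domain):
    """Keep only contacts whose mailbox is at the client's domain. Searches by
    organization name or netblock also return hosting-provider and support
    company contacts, which are not the client's staff."""
    suffix = "@" + domain.lower()
    return [r for r in records if r["email"].endswith(suffix)]


def candidate_usernames(records):
    """Mailbox local parts, which commonly double as login names and feed
    later password-guessing or phishing checks in an assessment."""
    return sorted({r["email"].split("@", 1)[0] for r in records})
```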

After gathering details of Internet network blocks, usernames, and email addresses, you can probe further to identify potential weaknesses to leverage. Once public records such as web search engines and WHOIS databases have been queried, DNS querying can uncover network-specific information that may be useful.



Network Security Assessment: Know Your Network
ISBN: 059600611X
Year: 2006
Pages: 166
Authors: Chris McNab