
SM LAB 8

MORE ON NETWORKING

WORK NO. 1 - DNS COMMANDS

1. nslookup Command: nslookup is a network administration tool for querying the Domain Name System (DNS) to obtain a domain name to IP address mapping, or any other specific DNS record.

It is also used to troubleshoot DNS related problems. nslookup can operate in both "Interactive mode" and "Non-Interactive mode". Interactive mode allows the user to query the DNS server about various hosts and domains. Non-Interactive mode allows the user to query the information for a particular host or domain.

INTERACTIVE MODE: nslookup

NON-INTERACTIVE MODE: nslookup www.iiitd.ac.in

Some simple examples of the nslookup command and their uses:

$ nslookup www.iiitd.ac.in

In the above output, Server refers to the IP address of the DNS server that answered. The section below it gives the IP address of the domain www.iiitd.ac.in.

$ nslookup -query=mx iiitd.ac.in

An MX (Mail Exchange) record maps a domain name to a list of mail exchange servers for that domain. The MX record says that all mail sent to "@iiitd.ac.in" should be routed to the mail servers of that domain.

In the above example, we have 5 MX records. The numbers (10, 1, 5, 5, 10) associated with the MX records give the preference of each mail server: the lower the number, the higher the preference. So when a mail is sent to "@iiitd.ac.in", the first preference will be "aspmx.l.google.com".

Authoritative Answer vs. Non-Authoritative Answer

Notice the keywords "Authoritative Answer" and "Non-Authoritative Answer" in the above output.

Any answer that originates from a DNS server which has the complete zone information available for the domain is said to be an authoritative answer.

In many cases, a DNS server will not have the complete zone file available for a given domain. Instead, it maintains a cache of the results of all queries it performed in the past for which it received an authoritative response. When a DNS query arrives, it searches this cache and returns the information it finds as a "Non-Authoritative Answer".

$ nslookup -query=ns iiitd.ac.in

An NS (Name Server) record maps a domain name to the list of DNS servers authoritative for that domain. This command outputs the name servers associated with the given domain.

$ nslookup -type=soa iiitd.ac.in

The SOA (Start of Authority) record provides the authoritative information about the domain: the email address of the domain admin, the zone serial number, the refresh and retry timers, etc.

Description of the different fields:

• mail addr – specifies the mail address of the domain admin.
• serial – the revision number of the zone file. The standard convention is to use "YYYYMMDDNN" (date of the change followed by a two-digit change counter).
• refresh – specifies (in seconds) how often the secondary DNS will poll the primary to see if the serial number has increased. If it has, the secondary will request the new zone file.
• retry – specifies the interval (in seconds) after which the secondary re-tries connecting to the primary DNS.
• expire – specifies the time (in seconds) for which the secondary DNS will keep the cached zone file as valid.
• minimum – specifies the time (in seconds) for which the secondary DNS should cache the zone file.
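The serial and refresh fields above drive a simple protocol between primary and secondary servers. The following is an added example (not from the lab handout) that computes the next serial in the YYYYMMDDNN convention and performs the serial comparison a secondary makes after its refresh poll; all dates in it are constructed.

```python
"""YYYYMMDDNN zone serials and the secondary's refresh check.

Added example, not part of the lab handout. next_serial() gives the serial an
admin writes after editing the zone file; secondary_should_refresh() is the
comparison a secondary DNS makes after polling the primary every `refresh`
seconds (transfer the zone only when the primary's serial is higher).
"""
from datetime import date


def next_serial(current, today=None):
    """Return the serial to use after a zone edit made on `today` (int YYYYMMDD,
    defaults to the current date).

    Rules: the first change on a new day gives YYYYMMDD01; a further change on
    the same day bumps NN; if `current` is already dated later than today (clock
    skew or a hand-typed future date) the serial must still only increase, so NN
    is bumped instead of going backwards. NN is capped at 99 so the date part
    never rolls into a fake date.
    """
    if today is None:
        today = int(date.today().strftime("%Y%m%d"))
    if not (isinstance(current, int) and 0 <= current <= 0xFFFFFFFF):
        raise ValueError("serial must be an unsigned 32-bit integer")
    cur_day, cur_nn = divmod(current, 100)
    if cur_day < today:
        return today * 100 + 1
    if cur_nn >= 99:
        raise ValueError(f"99 changes already recorded for {cur_day}; wait for the next day")
    return current + 1


def secondary_should_refresh(cached_serial, primary_serial):
    """True when the primary's serial is newer than the secondary's cached copy.

    Uses RFC 1982 serial-number arithmetic: the difference is taken modulo 2^32
    so a serial that wrapped around past 4294967295 still counts as newer.
    """
    diff = (primary_serial - cached_serial) % (1 << 32)
    return diff != 0 and diff < (1 << 31)


if __name__ == "__main__":
    s = next_serial(2019031002, today=20190311)   # first edit of 11 Mar 2019
    print(s, next_serial(s, today=20190311))      # then a second edit that day
    print(secondary_should_refresh(2019031002, s))
```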

$ nslookup 8.8.8.8

You can also do a reverse DNS look-up by giving an IP address as the argument to nslookup.

2. host Command: host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa.

$ host iiitd.ac.in

The -v option of host can be used to get all the names of a server.

Do it yourself:

$ host -v www.iiitd.ac.in

Execute this command and check the output by yourself.

3.) dig COMMAND:

dig stands for Domain Information Groper.

Using the dig command you can query DNS name servers for your DNS lookup related tasks.

Some simple examples of how to use the dig command:

$ dig iiitd.ac.in

When you pass a domain name to the dig command, by default it displays the A record (the IP address of the site that is queried) as shown below.

In this example, it displays the A record of iiitd.ac.in in the "ANSWER SECTION" of the dig command output.

NOTE: In some cases dig will not work, because if no name server is given on the command line dig uses the name servers listed in /etc/resolv.conf.

To get around this, specify the name server in the command itself:

$ dig @8.8.8.8 iiitd.ac.in

Note that 8.8.8.8 is Google's public DNS server.

The dig command output has the following sections:

• Header: displays the dig command version number, the global options used by the dig command, and a few additional header fields.

• QUESTION SECTION: displays the question it asked the DNS server, i.e. this is your input. Since we said 'dig iiitd.ac.in', and the default type dig uses is the A record, this section indicates that we asked for the A record of the given name.

• ANSWER SECTION: displays the answer received from the DNS server, i.e. this is your output. Here it displays the A record of iiitd.ac.in.

• Stats section: at the bottom, displays a few dig command statistics, including how long the query took.

Besides these, there may be an AUTHORITY SECTION and an ADDITIONAL SECTION.

• AUTHORITY SECTION: displays the DNS name servers that have the authority to respond to this query, i.e. the available name servers of the queried domain.

• ADDITIONAL SECTION: displays the IP addresses of the name servers listed in the authority section.

Do it yourself:

If you want to see only the IP address, add the +short option:

$ dig iiitd.ac.in +short

Check by yourself whether it works.

For this part, all you need to look at is the "ANSWER SECTION" of the dig output, so we can turn off all the other sections with the following options:

• +nocomments – Turn off the comment lines
• +noauthority – Turn off the authority section
• +noadditional – Turn off the additional section
• +nostats – Turn off the stats section
• +noanswer – Turn off the answer section (of course, you wouldn't want to turn off the answer section)

The following dig command displays only the ANSWER SECTION:

$ dig iiitd.ac.in +nocomments +noquestion +noauthority +noadditional +nostats

Do it yourself: Instead of disabling the unwanted sections one by one, we can disable all sections with +noall (this turns off the answer section too) and then add +answer, which brings back only the answer section.

The above command can therefore be written in the short form shown below, which also displays only the ANSWER SECTION.

$ dig iiitd.ac.in +noall +answer

Check by yourself whether it works.

$ dig -t MX iiitd.ac.in +noall +answer

This command is used to query MX records.

Do it yourself:-

To query MX records, we can also pass MX as an argument to the dig command.

$ dig iiitd.ac.in MX +noall +answer

It gives the same answer as above. Check by yourself whether the command works.
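The MX preference rule explained in the nslookup section ("lower number, higher preference") can be checked against the one-record-per-line output that `dig <domain> MX +noall +answer` prints. The following is an added example (not from the handout) that parses such output and ranks the mail servers; the sample answer is constructed, and only aspmx.l.google.com comes from the page.

```python
"""Rank MX records from `dig ... MX +noall +answer` output by preference.

Added example, not part of the lab handout. Each answer line has the form
<owner> <TTL> IN MX <preference> <exchange>; a mail sender tries the lowest
preference first and treats equal preferences as interchangeable candidates.
"""
import re
from collections import defaultdict

# Constructed sample in `dig +noall +answer` format, with the preference
# values (10, 1, 5, 5, 10) used on the page. Only aspmx.l.google.com. is real.
SAMPLE_MX_ANSWER = """\
iiitd.ac.in.  3600  IN  MX  10  mx-c.example.net.
iiitd.ac.in.  3600  IN  MX  1   aspmx.l.google.com.
iiitd.ac.in.  3600  IN  MX  5   mx-a.example.net.
iiitd.ac.in.  3600  IN  MX  5   mx-b.example.net.
iiitd.ac.in.  3600  IN  MX  10  mx-d.example.net.
"""

MX_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$")


def parse_mx(answer_text):
    """Return a list of (preference, exchange) tuples from dig answer lines.
    Blank lines and ';' comment lines (present without +nocomments) are skipped."""
    records = []
    for line in answer_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = MX_LINE.match(line)
        if m is None:
            raise ValueError(f"not an MX answer line: {line!r}")
        records.append((int(m.group(3)), m.group(4).rstrip(".")))
    return records


def delivery_order(records):
    """Group exchanges by preference and return the groups lowest-first.
    Hosts within one group share a preference, so a sender picks among them;
    the next group is only tried if every host in the current one fails."""
    groups = defaultdict(list)
    for pref, host in records:
        groups[pref].append(host)
    return [(pref, sorted(hosts)) for pref, hosts in sorted(groups.items())]


if __name__ == "__main__":
    for pref, hosts in delivery_order(parse_mx(SAMPLE_MX_ANSWER)):
        print(pref, ", ".join(hosts))
```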

To query the NS records, use the command shown below.

$ dig iiitd.ac.in NS +noall +answer

Do it yourself: run the above command and check by yourself whether it works.

$ dig -x 180.92.169.153

To perform a reverse DNS look-up using an IP address, use the dig -x option as shown above.

For example, if you only have an external IP address and would like to know which website it belongs to, run the command above.

Adding the +short option prints only the resulting name; to view the full details of the reverse look-up, remove the +short option.

Both the cases have been shown in the picture below.

The -f option of dig can be used to query the servers listed in a file, with each line consisting of one server address.

Do it yourself:-

Make a .txt file (e.g. servercheck.txt) in the home folder and write some server addresses in it, one address per line, e.g.:

www.iiitd.ac.in
www.facebook.com
www.yahoo.com

Now execute this command:

$ dig -f servercheck.txt

See by yourself what is the output of the command.

Work No. 2 – Monitor Network Bandwidth

Bandwidth in computer networking refers to the data rate supported by a network connection or interface. The most commonly used unit for bandwidth is bits per second (bps). Bandwidth represents the capacity of the connection: the greater the capacity, the more likely it is that better performance will follow, though overall performance also depends on other factors such as latency.

There are many tools for monitoring your network bandwidth. We will study one of them here:

1. iftop command: iftop does for network usage what top does for CPU usage. It listens to network traffic on a named interface and displays a table of current bandwidth usage by pairs of hosts.

Install iftop (root privileges are needed for the package manager):

$ sudo apt-get install iftop

This will complete the installation.

If you want to run the application you need to use the following command.

$ sudo iftop

Output looks like below:

$ sudo iftop -i eth0

It will give the result for the LAN interface. The output will look like the following:

See the last few lines. TX signifies transmitted data and RX signifies received data.

If you open some bandwidth-heavy page in your browser (e.g. any YouTube video), you will see the values of TX and RX change. Here is a picture that proves it (taken after opening a YouTube video).

Note that the RX value has now changed into MB, as the received data increased because of that YouTube video.

Check this yourself:-

$ sudo iftop -i wlan0 -B

This command will show the size of the data in Bytes rather than bits.

$ sudo iftop -i wlan0 -F <network>/<mask>

The -F option restricts the display to traffic involving the given network, so it helps us to see the data transmission between two particular IP addresses.

$ sudo iftop -i wlan0 -P

The -P option helps us to see the port numbers along with the IP addresses.

WORK No. 3 - WIRESHARK RELATED TASKS

1.) Password Sniffing

As demonstrated in the Wireshark demo, your task is to:

i) Open an HTTP based authentication website.

ii) Fire up Wireshark in the background and start capturing packets on the interface through which you are connected to the internet.

iii) Try to log in with some dummy login credentials.

iv) Try to locate the login credentials in the packet capture in Wireshark.

v) Do the same for an HTTPS authentication website (Facebook, Gmail etc.).

vi) Figure out why you were able to see the login credentials for the HTTP website and not for the HTTPS website.

2.) Finding specific details in a packet capture

You are provided with a packet capture of a network. Download the packet capture file, open it in Wireshark and perform the following tasks:

i) List all the protocols present in the packet capture, such as HTTP, TCP, ARP etc. (The obvious approach would be to look at each and every packet and list the protocols, but since the file contains a lot of packets this is not feasible. Try to find an alternative. One more piece of advice: don't use filters.)

ii) Use different kinds of filters and try to study headers of specific protocols.

iii) Tell the LAN (local area network) IP address.

iv) Try to extract and list all the image files from the capture file. (This task is optional as it is a bit difficult, but it will be fun if you manage to do it.)

WORK No. 4 – PLAYING WITH ROUTING TABLES

1.) route command

This command is used for viewing and altering the routing table of a Linux machine.

Every machine has its own routing table, which it uses to route (send) packets to different nodes.

To see the current routing table: route -n

Notice that there is a destination route for 0.0.0.0, which stands for the default route, i.e. if no match is found in the routing table then the packet is sent via this default route 0.0.0.0, whose gateway is 10.0.2.2.

Adding the default gateway: route add default gw <gateway>

Adding a specific route: route add -net <network> netmask <mask> gw <gateway>

Deleting a route: route del -net <network> netmask <mask> gw <gateway>
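The route selection described above (most specific matching entry wins, 0.0.0.0 only as a fallback) is easy to reproduce over the columns that `route -n` prints. The following is an added example (not from the handout): it parses a constructed `route -n` table, of which only the 10.0.2.2 default gateway comes from the page, and performs the longest-prefix lookup the kernel makes for a destination.

```python
"""Longest-prefix lookup over a `route -n` table (added example, not from the
lab handout). The 0.0.0.0/0.0.0.0 entry has prefix length 0, so it matches every
destination but loses to any more specific Destination/Genmask entry."""
import ipaddress

# Constructed `route -n` output; only gateway 10.0.2.2 is taken from the page.
# Flags: U = route is up, G = traffic goes via the Gateway column.
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.2.2        0.0.0.0         UG    0      0        0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.56.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
"""


def parse_route_n(text):
    """Return a list of (network, gateway, iface); gateway is None for on-link routes."""
    routes = []
    for line in text.splitlines()[2:]:      # skip the title and column header
        cols = line.split()
        if len(cols) < 8:
            continue
        dest, gw, mask, flags, iface = cols[0], cols[1], cols[2], cols[3], cols[7]
        if "U" not in flags:                 # route is not up, kernel ignores it
            continue
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, ipaddress.IPv4Address(gw) if "G" in flags else None, iface))
    return routes


def lookup(routes, dst):
    """Pick the matching route with the longest prefix (first one wins on ties).
    Returns (next_hop, iface): the gateway for routed traffic, or dst itself when
    the destination is on-link. Returns None if nothing matches (no default route)."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    return (str(best[1]) if best[1] is not None else str(dst), best[2])


if __name__ == "__main__":
    table = parse_route_n(SAMPLE_ROUTE_N)
    for ip in ("10.0.2.15", "192.168.56.101", "8.8.8.8"):
        print(ip, "->", lookup(table, ip))
```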