Thursday, January 28, 2016

Using the nslookup tool to examine DNS and Mailservers

nslookup is a tool that is available both on Windows and in most Linux distributions. It can be used to query DNS servers for records such as A records (the IP address(es) of the server(s) hosting the domain) and MX records (mail exchange servers), to do reverse lookups, and so on.

Note that MX records are what matters when someone wants to send mail to an email address associated with a domain. The sender's mail software has to resolve the IP address of the domain's mail server, which is listed in the MX record on the domain's DNS server.

nslookup can thus be useful for troubleshooting a domain that has problems receiving email, i.e. to confirm that the domain actually has an MX record and that the MX record points to the correct IP address.

Note that when running:

 nslookup domainname


nslookup sends the query to the locally configured DNS server (here Myisp.lan at 192.168.2.1). That server is not authoritative for an external name, so it has to obtain the answer from external nameservers, and nslookup presents the result as a non-authoritative answer.

Example:


C:\Users\jo>nslookup www.google.com
Server:  Myisp.lan
Address:  192.168.2.1:53


Non-authoritative answer:
Name:    www.google.com
Addresses:  82.147.54.27, 82.147.54.21, 82.147.54.16, 82.147.54.28
          82.147.54.15, 82.147.54.23, 82.147.54.25, 82.147.54.26, 82.147.54.24
          82.147.54.19, 82.147.54.18, 82.147.54.17, 82.147.54.29, 82.147.54.22
          82.147.54.22


To use nslookup interactively with a DNS server other than your own, enter the nslookup shell, then specify the DNS server IP (here Google's public DNS), the record type (MX) and the target (google.com):

nslookup                          
server 8.8.8.8                      
set type=mx                         
google.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
google.com      MX preference = 50, mail exchanger = alt4.aspmx.l.google.com
google.com      MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
google.com      MX preference = 40, mail exchanger = alt3.aspmx.l.google.com
google.com      MX preference = 10, mail exchanger = aspmx.l.google.com
google.com      MX preference = 30, mail exchanger = alt2.aspmx.l.google.com



Queries can also be made directly, without first entering the nslookup shell:

C:\Users\jo>nslookup -query=mx google.com
Server:  Myisp.lan
Address:  192.168.2.1:53
Non authoritative answer::
google.com      MX preference = 30, mail exchanger = alt2.aspmx.l.google.com
google.com      MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
google.com      MX preference = 50, mail exchanger = alt4.aspmx.l.google.com
google.com      MX preference = 40, mail exchanger = alt3.aspmx.l.google.com
google.com      MX preference = 10, mail exchanger = aspmx.l.google.com

google.com      nameserver = ns1.google.com
google.com      nameserver = ns3.google.com
google.com      nameserver = ns4.google.com
google.com      nameserver = ns2.google.com
aspmx.l.google.com      internet address = 74.125.136.26
alt1.aspmx.l.google.com internet address = 74.125.200.26
alt2.aspmx.l.google.com internet address = 74.125.23.26
alt3.aspmx.l.google.com internet address = 173.194.72.26
alt4.aspmx.l.google.com internet address = 74.125.25.26
ns1.google.com  internet address = 216.239.32.10
ns2.google.com  internet address = 216.239.34.10
ns3.google.com  internet address = 216.239.36.10
ns4.google.com  internet address = 216.239.38.10
Query for Google nameservers:
nslookup -query=ns google.com
Server:  Myisp.lan
Address:  192.168.2.1:53

Non-authoritative-answer:
google.com      nameserver = ns3.google.com
google.com      nameserver = ns4.google.com
google.com      nameserver = ns2.google.com
google.com      nameserver = ns1.google.com

ns1.google.com  internet address = 216.239.32.10
ns2.google.com  internet address = 216.239.34.10
ns3.google.com  internet address = 216.239.36.10
ns4.google.com  internet address = 216.239.38.10



The same result is obtained via
nslookup -type=ns google.com
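The troubleshooting check described above (does the domain have an MX record, and does every mail exchanger resolve to an address we expect to accept mail?) as an added Python example that is not part of the original post. It parses the text output of `nslookup -query=mx` in the format shown above; the sample output is constructed from the post's listing, with the alt4 address line deliberately left out to exercise the failure path, and the expected IP set is an assumption.

```python
import re

# Constructed sample: the "nslookup -query=mx google.com" output shown in the
# post, trimmed to the answer lines (alt4 deliberately has no address line).
SAMPLE_OUTPUT = """\
Server:  Myisp.lan
Address:  192.168.2.1:53
Non authoritative answer::
google.com      MX preference = 30, mail exchanger = alt2.aspmx.l.google.com
google.com      MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
google.com      MX preference = 50, mail exchanger = alt4.aspmx.l.google.com
google.com      MX preference = 10, mail exchanger = aspmx.l.google.com

aspmx.l.google.com      internet address = 74.125.136.26
alt1.aspmx.l.google.com internet address = 74.125.200.26
alt2.aspmx.l.google.com internet address = 74.125.23.26
"""

MX_RE = re.compile(r"^\S+\s+MX preference = (\d+), mail exchanger = (\S+)")
ADDR_RE = re.compile(r"^(\S+)\s+internet address = (\S+)")

def parse_answer(output):
    """Split nslookup's text into MX records [(preference, host)], sorted so the
    most preferred exchanger (lowest number) is first, plus a host -> IP map."""
    mx, addrs = [], {}
    for line in output.splitlines():
        m = MX_RE.match(line)
        if m:
            mx.append((int(m.group(1)), m.group(2).rstrip(".")))
            continue
        a = ADDR_RE.match(line)
        if a:
            addrs[a.group(1).rstrip(".")] = a.group(2)
    return sorted(mx), addrs

def check_mx(output, expected_ips):
    """The post's troubleshooting check: the domain must have an MX record and
    each exchanger must resolve to an IP expected to accept mail. Returns (ok, findings)."""
    mx, addrs = parse_answer(output)
    if not mx:
        return False, ["no MX record: senders cannot route mail to this domain"]
    findings = []
    for pref, host in mx:
        ip = addrs.get(host)
        if ip is None:
            findings.append(f"{host} (pref {pref}): no address in the answer")
        elif ip not in expected_ips:
            findings.append(f"{host} (pref {pref}): {ip} is not an expected mail server")
    return not findings, findings
```

To check a live domain, feed `check_mx` the captured stdout of `nslookup -query=mx yourdomain` together with the addresses your own mail servers are supposed to have.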


Monday, January 18, 2016

Retrieving lost .jpg-files

Scalpel is a file carving tool which, in most Linux distributions, can be installed from the repositories via

sudo apt-get install scalpel

According to the standard definition of the .jpg format, these files may have two different signatures, i.e. two different header layouts:


\xff\xd8\xff\xe0\x00\x10

And:

\xff\xd8\xff\xe1


With both of the above header variants, each file ends with the trailing footer:

\xff\xd9


Note that '\x' in front of each pair of hex digits is the notation scalpel's configuration file uses for one byte written in hexadecimal.

To convince yourself of the above, open any .jpeg file in a hex editor and look at its header and footer.

This information is then used to make a custom scalpel configuration file, here called
customscalpel.conf:

jpg y 20000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
jpg y 20000000 \xff\xd8\xff\xe1 \xff\xd9


The configuration file thus tells scalpel to look in the specified filesystem for .jpg files up to 20 MB (the third column is the maximum file size in bytes). The second line makes sure that .jpeg files carrying the other allowed signature are not discarded.

If the target drive to be examined with scalpel is /dev/sda, scalpel is launched via


sudo scalpel -c customscalpel.conf -o someoutfilename /dev/sda


Here the -o flag names the output directory in which the results (the carved files and an audit log) are collected.
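The header/footer carving that the configuration above describes, as an added Python example that is not scalpel's own code: it decodes the `\xNN` notation of the two customscalpel.conf lines, then scans a constructed disk image for each header and carves up to the first footer within the maximum size. The image bytes are constructed for the demonstration; a header with no footer in range is simply skipped here, which is this script's choice and not a claim about scalpel's behaviour.

```python
import re

# The two signature lines from customscalpel.conf as given in the post
# (extension, case-sensitive flag, max size in bytes, header, footer).
CUSTOM_CONF = """\
jpg y 20000000 \\xff\\xd8\\xff\\xe0\\x00\\x10 \\xff\\xd9
jpg y 20000000 \\xff\\xd8\\xff\\xe1 \\xff\\xd9
"""

def decode_sig(text):
    """Turn scalpel's \\xNN notation into raw bytes ("\\xff\\xd9" -> b'\\xff\\xd9')."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))

def parse_conf(conf):
    """Return (ext, case_sensitive, max_size, header, footer) per config line."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        ext, case, size, header, footer = line.split()
        rules.append((ext, case == "y", int(size), decode_sig(header), decode_sig(footer)))
    return rules

def carve(image, rules):
    """For every header hit, take the bytes up to and including the first
    footer that lies within max_size; headers with no footer in range are skipped."""
    found = []
    for ext, _case, max_size, header, footer in rules:
        start = image.find(header)
        while start != -1:
            window = image[start:start + max_size]
            end = window.find(footer, len(header))
            if end != -1:
                found.append((ext, start, window[:end + len(footer)]))
            start = image.find(header, start + 1)
    return sorted(found, key=lambda f: f[1])

# Constructed disk image: junk, a JFIF-style JPEG, junk, an Exif-style JPEG,
# then a header without footer (truncated file) that must not be carved.
JFIF = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 20 + b"\xff\xd9"
EXIF = b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00" + b"B" * 30 + b"\xff\xd9"
IMAGE = b"\x00" * 7 + JFIF + b"\x11" * 5 + EXIF + b"\x22" * 3 + b"\xff\xd8\xff\xe1" + b"C" * 9
```

Real Exif files often embed a thumbnail that carries its own \xff\xd9, so plain header/footer carving can cut such a file short; that is a limit of the technique itself, not of the tool.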

Note that upon installing scalpel a standard configuration file, scalpel.conf, is automatically placed in

/etc/scalpel


To use it, open the config file in a text editor and remove the '#' in front of the relevant file formats.

However, many formats are not present in the default installed configuration file.