Who's there?
Short of knowing how a site is configured, or finding a reputable site with enough foresight to configure things in a fashion that is interesting to look at, who might we inspect? How about one of the popular open-source relational database systems, PostgreSQL?
Starting with the basics, let's do a quick A record lookup and check the name servers for the zone:
C:\>nslookup www.postgresql.org
Server: google-public-dns-b.google.com
Address: 8.8.4.4
Non-authoritative answer:
Name: www.mirrors.postgresql.org
Addresses: 2001:4800:7903:4::126
2a02:c0:301:0:ffff::32
2a02:16a8:dc51::50
217.196.149.50
87.238.57.232
98.129.198.126
Aliases: www.postgresql.org
Ooooh, not only do we have six endpoints, www is a CNAME whose target carries IPv6 addresses as well. It's left as an exercise to the reader to play with IPv6 and discuss the merits of CNAMEs, so let's look at name servers.
C:\>nslookup -query=ns postgresql.org
Server: google-public-dns-b.google.com
Address: 8.8.4.4
Non-authoritative answer:
postgresql.org nameserver = ns4.postgresql.org
postgresql.org nameserver = ns3.postgresql.org
postgresql.org nameserver = ns2.postgresql.org
postgresql.org nameserver = ns1.postgresql.org
Looks like these guys are smart enough to host and manage their own name servers. Not something I'd personally want to spend my time on (thanks to Dyn and now Route 53).
Where are they coming from?
So they're obviously behind three IPv4 endpoints, and a quick WHOIS lookup should give us an idea of where they're at, right?
217.196.149.50 : RIPE Network Coordination Centre
87.238.57.232 : RIPE Network Coordination Centre
98.129.198.126 : Rackspace Hosting RSCP-NET-4
We all know who Rackspace is, and that's about all I can get there short of inside knowledge of Rackspace's netblock allocation, but who on earth is RIPE Network? RIPE NCC is the regional Internet registry for Europe, so the WHOIS record only tells us the region, not who is actually hosting the boxes. So how can I find out where those two IPs are hosted? tracert is always a nice idea, but sometimes it yields nothing more than the same result.
Six hops out of the interesting bits of my own network and we find:
7 13 ms 13 ms 12 ms 208.178.58.89
8 193 ms 191 ms 193 ms 64.209.102.34
9 202 ms 201 ms 208 ms asr01-0-0-0.dc1.conova.com [195.70.99.142]
10 204 ms 198 ms 200 ms 217.196.158.12
11 198 ms 197 ms 197 ms 217.196.158.38
12 195 ms 198 ms 204 ms zalkon.postgresql.org [217.196.149.50]
And also:
11 80 ms 81 ms 88 ms xe-4-3-0-0.nyk2nqp1.us.ip.tdc.net
12 187 ms 188 ms 186 ms static-213.50.153.37.addr.tdcsong.se
13 191 ms 184 ms 192 ms ge-1-0-0.cr2-ksd1.n.bitbit.net [213.50.153.38]
14 187 ms 185 ms 192 ms vlan-1.cs1-ksd1.n.bitbit.net [87.238.62.145]
15 191 ms 186 ms 197 ms bond0.fw2-ksd1.n.bitbit.net [87.238.62.151]
16 189 ms 185 ms 187 ms zetar.postgresql.org [87.238.57.232]
Certainly interesting and partially informative. I'm guessing bitbit.net might be a hosting provider or ISP.
How do we find out more?
Let's have even more fun, courtesy of DNS. Reverse lookups were popularized a few weeks back by the tracert replay of the intro to Star Wars: A New Hope, but let's use this fact to our advantage.
Since we know that a reverse DNS lookup will give us the name behind an IP, and given that in most cases ISPs and service providers allocate chunks of RIR networks in contiguous blocks, let's try looking up the in-addr.arpa zone covering each IP's /24 rather than the individual address:
C:\>nslookup -query=ptr 149.196.217.in-addr.arpa
Server: google-public-dns-b.google.com
Address: 8.8.4.4
149.196.217.in-addr.arpa
primary name server = adns001.dc1.conova.com
responsible mail addr = domainadmin.conova.com
serial = 2012092001
refresh = 10800 (3 hours)
retry = 3600 (1 hour)
expire = 1814400 (21 days)
default TTL = 86400 (1 day)
And then:
C:\>nslookup -query=ptr 57.238.87.in-addr.arpa
Server: google-public-dns-b.google.com
Address: 8.8.4.4
57.238.87.in-addr.arpa
primary name server = ns-foo.linpro.net
responsible mail addr = hostmaster.linpro.no
serial = 2013032700
refresh = 10800 (3 hours)
retry = 3600 (1 hour)
expire = 2419200 (28 days)
default TTL = 86400 (1 day)
And that's a wrap. There's a good chance that the other two IPs are hosted by Conova and LinPro, whose TXT record has this little nugget:
C:\>nslookup -query=txt linpro.no
Server: google-public-dns-b.google.com
Address: 8.8.4.4
Non-authoritative answer:
linpro.no text =
"never-gonna-give-you-up"
linpro.no text =
"google-site-verification=ChNtbQK1HLTM6oP5E3yV5SLo8NOQJmwJibARqdN0Ypo"
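As an added example (not code from the original post), here is a stdlib-only Python sketch of the reverse-zone trick used above: compute the in-addr.arpa or ip6.arpa zone covering an address, build the SOA query for it, and pull MNAME and RNAME out of the reply, including the case nslookup actually hit, where a PTR query at the zone apex returns no answer and the SOA arrives in the authority section. The sample reply is constructed from the Conova SOA values printed above, not captured traffic; the resolver address and the 16-hop pointer limit are my assumptions.

```python
import ipaddress
import struct

def reverse_zone(addr):
    """Reverse zone covering addr: its /24 in-addr.arpa (IPv4) or /48 ip6.arpa (IPv6) zone."""
    ip = ipaddress.ip_address(addr)
    keep = 3 if ip.version == 4 else 12                 # 3 octet labels or 12 nibble labels
    return ".".join(ip.reverse_pointer.split(".")[-(keep + 2):])  # +2: the arpa suffix labels

def encode_name(name):  # dotted name -> RFC 1035 wire format: length-prefixed labels + root
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(qname, qtype=6, txid=0x1234):  # header with RD set + one question; 6=SOA, 12=PTR
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while (n := msg[off]) != 0:
        if n & 0xC0 == 0xC0:                            # compression pointer: 14-bit offset
            if (hops := hops + 1) > 16:                 # a hostile reply could loop pointers forever
                raise ValueError("compression pointer loop")
            end = end or off + 2                        # the stream resumes after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n
    return ".".join(labels), end or off + 1

def soa_from_response(msg):
    """(MNAME, RNAME) of the first SOA RR in the answer or authority section, else None."""
    _, _, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4                # skip QTYPE and QCLASS
    for _ in range(an + ns):
        off = read_name(msg, off)[1]
        rtype, rdlen = struct.unpack("!H6xH", msg[off:off + 10])  # skip CLASS and TTL
        off += 10
        if rtype == 6:
            mname, p = read_name(msg, off)
            return mname, read_name(msg, p)[0]
        off += rdlen

def sample_reply():  # constructed, not captured: NODATA for PTR at the zone apex, SOA in authority
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 1, 0)   # QR RD RA, NOERROR, 1 authority RR
    rdata = (encode_name("adns001.dc1.conova.com") + encode_name("domainadmin.conova.com")
             + struct.pack("!IIIII", 2012092001, 10800, 3600, 1814400, 86400))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 86400, len(rdata)) + rdata  # name = ptr to question
    return hdr + build_query("149.196.217.in-addr.arpa", qtype=12)[12:] + rr
```

A live check sends build_query(reverse_zone(ip)) over UDP to port 53 of a resolver (8.8.4.4 in the transcripts above) and passes the datagram it gets back to soa_from_response.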