Identifying a Server
There are a number of useful sources on the Web which will allow you to collect information about domain names and IP addresses.
Identifying the Owner of a Domain
The first step in identifying a remote system is to look at the domain name or IP address. Using a Whois lookup, you can discover valuable information, including the identity of the owner of a domain and contact information, which may include addresses and phone numbers. Note that there are now a number of domain name registrars, and not all whois databases contain information for all domains. You may have to look at more than one whois database to find information on the domain that you are investigating.
Identifying the IP address of a Domain
There are a number of ways to determine the IP address of a domain. The address may be contained in the whois information or you may have to use a DNS or Domain Name Service lookup. (A web search engine will provide a number of resources for discovering IP addresses from domain names.)
Once you have the IP address, you can access the records of the various members of the Number Resource Organization (http://www.arin.net/ or http://www.ripe.net/), to gain information about how IP addresses are distributed. IP numbers are assigned to service providers and networks in large groups, and knowing which group an IP address is contained in, and who has the rights to that group, can be very useful. This can help you determine information about the server or service provider that a website uses.
Once you have established the owner and the IP address of a domain, then you can start to look for information about the server to which that domain refers.
Ping and TraceRoute
Now that you know who owns the domain, and who the IP number has been assigned to, you can check to see if the server that the website is on is actually active. The ping command will tell you if there is actually a computer associated with that domain or IP.
ping domain or
will tell you if there is an active computer at that address.
If the output of the ping command indicates that the packets sent were received, then you can assume that the server is active.
Another command, tracert (in Windows) or traceroute (in Linux), will show you the steps that information takes as it travels from your computer to the remote computer. Tracing the route that the packets take will sometimes give you additional information about the computers in the same network as the computer that is the target of your trace. For example, computers with similar IP addresses will often be part of the same network.
Identifying Services from Ports and Protocols
You can also determine what programs are running on a system by looking at what ports are open and what protocols are in use.
Start by looking at your own local computer. Go to a command line or shell prompt and run the netstat program using the -a (or all) switch:
The computer will display a list of open ports and some of the services that are using those ports:
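As an added example (not part of the original lesson), the following Python script parses a netstat-style listing, names the services behind the listening ports, and flags ports exposed on all interfaces that are not in the host's expected baseline. The sample listing and the baseline set are constructed for illustration.

```python
import socket

# Constructed sample of `netstat -a` style output (not captured from a real host);
# the address columns follow the common Linux "Address:Port" layout.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:45322      93.184.216.34:443       ESTABLISHED
tcp6       0      0 :::3306                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Fallback table, used only if the host has no services database (/etc/services).
KNOWN_PORTS = {22: "ssh", 53: "domain", 68: "bootpc", 80: "http", 443: "https",
               631: "ipp", 3306: "mysql"}

def service_name(port, proto):
    """Map a port number to a service name, preferring the OS services database."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return KNOWN_PORTS.get(port, "unknown")

def parse_listening(netstat_output):
    """Return (proto, bind_address, port, service) for each listening TCP or bound UDP socket."""
    listening = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # header line or unrelated output
        proto = "tcp" if fields[0].startswith("tcp") else "udp"
        # Local address is the 4th column; the port follows the last ':' (works for IPv6 too).
        addr, _, port = fields[3].rpartition(":")
        state = fields[5] if len(fields) > 5 else ""
        if proto == "tcp" and state != "LISTEN":
            continue  # skip established or outgoing TCP connections
        listening.append((proto, addr, int(port), service_name(int(port), proto)))
    return listening

def unexpected_exposure(listening, allowed_ports):
    """Flag sockets bound to all interfaces whose port is not in the host's baseline."""
    wildcard = {"0.0.0.0", "::", "*"}
    return [entry for entry in listening
            if entry[1] in wildcard and entry[2] not in allowed_ports]

if __name__ == "__main__":
    found = parse_listening(SAMPLE_NETSTAT)
    for entry in found:
        print("%-4s %-12s %5d %s" % entry)
    print("unexpected:", unexpected_exposure(found, allowed_ports={22, 80}))
```

Run it against real output (for example `netstat -an`) to compare the host's exposed ports with its documented baseline.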
Now that you know how to identify a server and how to scan for open ports and use this information to determine what services are running, you can put this information together to fingerprint a remote system, establishing the most likely operating system and services that the remote computer is running.
Scanning Remote Computers
Using an IP address or a domain name other than 127.0.0.1 as an argument for nmap allows you to scan for open ports on remote computers. It doesn’t mean that there will be open ports, or that you will find them, but it does allow you to try.
For example, imagine that you have been receiving a large amount of spam e-mails, and you want to discover information about the person who is sending you these e-mails. Looking at the headers of one of the e-mails, you see that many of the e-mails have originated from the same IP address: 218.104.22.168 (see Lesson 9: E-mail Security for more details on reading email headers).
A whois lookup shows you that the address is part of a block assigned to a large ISP, but gives you no information regarding this particular IP address.