Table of Contents
As I continue down the path of trying to transition into InfoSec and continuing to study for my OSCP exam, I thought I’d take advantage of what I’m doing here to make this a study habit for myself.
I thought about starting with a deep dive in and cover
nc, but that seems to be really diving in the deep-end.
Let’s start with
host and see where this takes me.
host command is a simple DNS lookup utility. Similar to
nslookup, each of which I’ve used a few times, but have yet to untap their full potential.
host is normally used to convert names to IP addresses and vice versa.
It is maintained by the Internet Systems Consortium, originally released in 2000.
Sadly, I couldn’t find the source code anywhere.
The default execution prints a brief description of how it operates.
I wont go over every flag here, but rather some basic examples that you can build off of.
host Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time] [-R number] [-m flag] hostname [server] -a is equivalent to -v -t ANY -c specifies query class for non-IN data -C compares SOA records on authoritative nameservers -d is equivalent to -v -i IP6.INT reverse lookups -l lists all hosts in a domain, using AXFR -m set memory debugging flag (trace|record|usage) -N changes the number of dots allowed before root lookup is done -r disables recursive processing -R specifies number of retries for UDP packets -s a SERVFAIL response should stop query -t specifies the query type -T enables TCP/IP mode -U enables UDP mode -v enables verbose output -V print version number and exit -w specifies to wait forever for a reply -W specifies how long to wait for a reply -4 use IPv4 query transport only -6 use IPv6 query transport only
As the man page states, its commonly used to convert names to IP addresses. Let’s give that a go.
host drt.sh drt.sh has address 184.108.40.206 drt.sh mail is handled by 20 mailsec.protonmail.ch. drt.sh mail is handled by 10 mail.protonmail.ch.
Using drt.sh as an example, it returned the A record and the MX records.
If we wanted only the MX records, we could use the
-t flag to narrow it down.
It can also be used to display records that are not shown by a default lookup.
The NS records can be found using this option.
host -t mx drt.sh drt.sh mail is handled by 10 mail.protonmail.ch. drt.sh mail is handled by 20 mailsec.protonmail.ch. host -t ns drt.sh drt.sh name server ns3.digitalocean.com. drt.sh name server ns1.digitalocean.com. drt.sh name server ns2.digitalocean.com.
Let’s try a reverse lookup, the other part to this utility. To give an idea of what output can look like, here’s a few domains and their IP addresses that will be test against.
|IP Address||Domain Name||Hostname|
|192.168.1.5||none (local server IP)||tanuki|
This site results in a not found; the IP address used for google.com is…not…google.com (although the URL points to a 404 webpage owned by Google); and my local server seems to work just fine (๑•̀ㅂ•́)و
host 220.127.116.11 Host 18.104.22.168.in-addr.arpa. not found: 3(NXDOMAIN) host 22.214.171.124 126.96.36.199.in-addr.arpa domain name pointer ord37s09-in-f14.1e100.net. host 192.168.1.5 188.8.131.52.in-addr.arpa domain name pointer tanuki.
If you wanted to try and see a list of all the hosts in a domain, you can pass the
host command uses the AXFR protocol in attempts to get the information.
I wont go into it here as that out of scope, but I recommend looking into zone transfers, why they’re so important, and how they can be abused.
No dice, 残念. Not surprising though as most domains will have this blocked, rendering the
host -l drt.sh ns3.digitalocean.com. Using domain server: Name: ns3.digitalocean.com. Address: 184.108.40.206#53 Aliases: Host drt.sh not found: 4(NOTIMP) ; Transfer failed.
-loption not usable. For an example of what it can look like, I found a domain with a working example.
host -l zonetransfer.me nsztm1.digi.ninja. Using domain server: Name: nsztm1.digi.ninja. Address: 220.127.116.11#53 Aliases: zonetransfer.me has address 18.104.22.168 zonetransfer.me name server nsztm1.digi.ninja. zonetransfer.me name server nsztm2.digi.ninja. 22.214.171.124.IN-ADDR.ARPA.zonetransfer.me domain name pointer www.zonetransfer.me. asfdbbox.zonetransfer.me has address 127.0.0.1 canberra-office.zonetransfer.me has address 126.96.36.199 dc-office.zonetransfer.me has address 188.8.131.52 deadbeef.zonetransfer.me has IPv6 address dead:beaf:: email.zonetransfer.me has address 184.108.40.206 home.zonetransfer.me has address 127.0.0.1 internal.zonetransfer.me name server intns1.zonetransfer.me. internal.zonetransfer.me name server intns2.zonetransfer.me. intns1.zonetransfer.me has address 220.127.116.11 intns2.zonetransfer.me has address 18.104.22.168 office.zonetransfer.me has address 22.214.171.124 ipv6actnow.org.zonetransfer.me has IPv6 address 2001:67c:2e8:11::c100:1332 owa.zonetransfer.me has address 126.96.36.199 alltcpportsopen.firewall.test.zonetransfer.me has address 127.0.0.1 vpn.zonetransfer.me has address 188.8.131.52 www.zonetransfer.me has address 184.108.40.206
For the last example, we can have
host return oodles of information.
Returning data for an ANY query.
To do this, pass in the
It is equivalent to using
-v -t ANY, but that’s a lot of keystrokes, eh?
host -a drt.sh Trying "drt.sh" ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7817 ;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 6 ;; QUESTION SECTION: ;drt.sh. IN ANY ;; ANSWER SECTION: drt.sh. 3600 IN TXT "v=spf1 include:_spf.protonmail.ch mx ~all" drt.sh. 3600 IN TXT "protonmail-verification=512fcc96d3a38984dd285faa82dcf62b7743db18" drt.sh. 14400 IN MX 20 mailsec.protonmail.ch. drt.sh. 14400 IN MX 10 mail.protonmail.ch. drt.sh. 1800 IN SOA ns1.digitalocean.com. hostmaster.drt.sh. 1575061248 10800 3600 604800 1800 drt.sh. 3600 IN A 220.127.116.11 drt.sh. 1800 IN NS ns3.digitalocean.com. drt.sh. 1800 IN NS ns2.digitalocean.com. drt.sh. 1800 IN NS ns1.digitalocean.com. ;; ADDITIONAL SECTION: ns1.digitalocean.com. 873 IN A 18.104.22.168 ns2.digitalocean.com. 161926 IN A 22.214.171.124 ns3.digitalocean.com. 81895 IN A 126.96.36.199 ns1.digitalocean.com. 81895 IN AAAA 2400:cb00:2049:1::adf5:3a33 ns2.digitalocean.com. 81895 IN AAAA 2400:cb00:2049:1::adf5:3b29 ns3.digitalocean.com. 81895 IN AAAA 2400:cb00:2049:1::c629:dead Received 478 bytes from 10.211.55.1#53 in 191 ms
This is my first time really diving into the world of networking utilities. I apologize if there are some misconceptions or flat out wrong information out there. I will do my best to update this post as I dive deeper into networking tools. Keep an eye out as I stray a bit from the GNU coreutils and jump into some not-so-every-day-use utilities. Cheers!