Now in this video we're going to cover nslookup, dig, and hostname. These are three command-line tools, and you need to understand how to use them in maintaining and troubleshooting your networks.

First we have nslookup. nslookup stands for Name Server Lookup, and it's going to be used to query the Domain Name System to provide the mapping between domain names and IP addresses or other DNS records. Now, if we need to get the IP address of a fully qualified domain name, nslookup is the tool that will help us do that. For example, let's pretend you wanted to find out the IP address for diontraining.com. Well, you can open up your command prompt and you can type in nslookup www.diontraining.com and press Enter. When you do that, you're going to get the IP address shown on your screen that tells you where the Dion Training servers are. Now, when you enter the command and the domain name like this, all on one line, we call this the non-interactive mode.
Now, with non-interactive mode, you're going to be able to display just the name and the requested information for a host or domain name to your screen, but you can also use nslookup in an interactive mode. Now, interactive mode allows a user to query a name service for information about various hosts and domains, or allows them to print a list of hosts inside of a domain. To enter the interactive mode, you just type nslookup at the prompt and hit Enter. Now you're going to enter the nslookup shell, and you can perform more in-depth queries here. Using this interactive mode will allow you to have more detailed control over the environment, including allowing you to change the server you're using to conduct those lookups and changing the different types of records that you want to respond with.

Now, if you want to change the DNS server that's being used for the query, just enter the term server and the DNS server's name or IP address and hit Enter. Now, if you instead want to change the type of record you want to search for, you can enter set q= and then the record type. This stands for "set query type equals", and then that thing.
So for example, if I wanted to search for mail records, which are known as MX records in DNS, I would type set q=mx and hit Enter. Then I get my next prompt and I can start searching mail records for any domain name. So I'm going to be able to find all the different mail records, for instance, for diontraining.com. Here I can see all five mail exchange server records for diontraining.com, and you can see they're all hosted by Google, because Google Workspace is what we use for our company's email and file servers. Now, next to each MX record, you can also see the preferences, with one being the highest preference, and the two being listed with five acting in a load-balance configuration. And then we have those backed up by two more mail exchange servers that have a preference of 10, which are also load-balanced between those two servers.

Next, let's search for some CNAME or canonical name records. To do this, I first need to set my query type to CNAME, because we're still set to MX records at this point in time. So I'm going to enter set q=CNAME and hit Enter.
Then I enter the domain name that I want to get the CNAME records for, and again, in this case, I'm going to use diontraining.com. Now, in response to this, nslookup is going to display all the CNAME records right there on my screen. Here, I'm just showing you the first one, because I have about 20 different CNAME records for diontraining.com. If we scrolled down through these screens, you'd be able to see each and every one of them.

As you can see, nslookup is a very useful tool when it comes to troubleshooting your DNS records and other DNS issues that you may be experiencing. If you become a cybersecurity analyst later on in your career, you can also use nslookup to conduct reconnaissance against other organizations that you may be hired to work for during a penetration test. nslookup exists for Windows, Linux, Unix, and OS X systems. In these examples, I was using the Windows version, but the other versions operate the exact same way.
The only difference is that you will use something like set type=mx instead of set q=mx if you're using things on a Linux, Unix, or OS X system and doing record type searches.

Next we have the dig command. dig is another tool that's used to conduct queries against DNS name servers. dig is only available for Linux, Unix, and OS X systems by default, but there are Windows versions that can be installed if you'd like to use it on a Windows machine. Now, to use dig, it works a lot like the non-interactive mode of nslookup. If you enter dig and the domain name, like diontraining.com, you're going to get back the A records for that domain name, and those A records contain the IP addresses for that domain. Now, in this example, you can see there are two A records for diontraining.com, because we use a load-balancing web cluster to host our website. Now, dig does not support an interactive mode the way nslookup does. So if you want to search for other types of records, you're simply going to specify those when entering the command.
For example, let's say I wanted to look for those mail exchange or MX records. I'm going to enter dig -t, which stands for type, and then mx, which stands for mail exchange, and then I'm going to enter the domain name, in this case, diontraining.com. Here again, you can see we have five MX records associated with diontraining.com, and they're all pointing to the Google Mail servers, because that's who's hosting our company's email using Google Workspace.

Now, finally, we have the hostname command. The hostname command is going to be used to display the hostname portion of the full computer name for a given system. Now, the hostname command works on Windows, Linux, Unix, and OS X operating systems. Now, to use hostname, you simply enter hostname and press Enter at the command prompt. As an example, I entered the hostname command on an OS X system here, in this case, my MacBook Pro. Now, you can quickly see the full name of my laptop is Jasons-MBP.localdomain.
Now, this means the computer is going to be named Jason's MacBook Pro, or Jason's MBP, and it exists on our local domain, because here I'm not connected to an Active Directory-based domain environment. At some organizations I worked for in the past, we ran large Active Directory-based Windows domains, and for those systems you might see something like jasonspc.intranet.diontraining.com as its FQDN, or fully qualified host and domain name, since it's becoming a member of that domain.