Unit 3
Vulnerability assessment: baseline analysis and plan
Scanning activity
Perform a basic scan using standard tools such as traceroute, dig and nslookup. Please see these instructions on using traceroute, etc. Refer to this week's reading for further assistance. Do not use ping as it will cause confusion because of shared addresses.
Use these basic tools and make a list that details the following information:
- How many hops from your machine to your assigned website?
- Which step causes the biggest delay in the route? What is the average duration of that delay?
- What are the main nameservers for the website?
- Who is the registered contact?
- What is the MX record for the website?
- Where is the website hosted?
1. Run traceroute
Running the traceroute command with its default parameters (UDP probes to high ports) yields no results, most likely because the hosting provider's network does not answer those probes. It is, however, possible to trace the route to the resource by sending TCP probes to port 443, which the server keeps open to serve HTTPS content:
traceroute -e -P TCP -p 443 ginandjuice.shop
The output of the command is shown below; entries that would reveal the local network setup and the local ISP have been redacted:
traceroute: Warning: ginandjuice.shop has multiple addresses; using 34.249.203.140
traceroute to ginandjuice.shop (34.249.203.140), 64 hops max, 40 byte packets
1 [REDACTED] 4.144 ms 2.245 ms 2.102 ms
2 [REDACTED] 9.637 ms 9.055 ms 8.574 ms
3 [REDACTED] 9.727 ms 8.014 ms 7.851 ms
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 ec2-34-249-203-140.eu-west-1.compute.amazonaws.com (34.249.203.140) 48.305 ms 38.582 ms 39.576 ms
10 ec2-34-249-203-140.eu-west-1.compute.amazonaws.com (34.249.203.140) 43.642 ms 41.277 ms 39.860 ms
11 ec2-34-249-203-140.eu-west-1.compute.amazonaws.com (34.249.203.140) 43.121 ms 37.235 ms 37.876 ms
The trace ends with three entries that look identical at first sight. Capturing the probes with the Wireshark protocol analyzer shows, however, that the probes with a time to live (TTL) of 9 and 10 are still rejected with ICMP Time Exceeded messages because their TTL expired; only the probe with TTL 11 receives a TCP reply, i.e. the server tries to establish the connection that traceroute's SYN to port 443 requests. The host names show that the resource is hosted on the Amazon Web Services (AWS) infrastructure.
The replies at hops 9 and 10 therefore most likely come from AWS infrastructure in front of the instance, such as load balancers, which answer with the destination's public address; the website itself is eleven hops away, and the eu-west-1 label in the host name is the AWS region in Ireland, i.e. Western Europe.
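The script below is an added example and not part of the original write-up: it parses the traceroute output above (copied verbatim as the sample input, redacted hops included) and answers the first two questions of the list mechanically: the hop count, the per-hop average round-trip time, the largest jump in delay between consecutive responding hops (skipping the silent "* * *" hops, so a step may span several of them), and the hops that already carry the destination's address before the trace ends. It expects the text format of BSD/macOS traceroute, which is the one used above.

```python
"""Summarise a traceroute run for the baseline questions.

Added example, not part of the original write-up. Parses the BSD/macOS
traceroute text format and reports hop count, per-hop average RTT, the
biggest delay step and premature appearances of the destination address.
"""
import re
from statistics import mean

# Sample input: the trace shown above, copied verbatim (redacted hops kept).
SAMPLE_TRACE = """\
traceroute: Warning: ginandjuice.shop has multiple addresses; using 34.249.203.140
traceroute to ginandjuice.shop (34.249.203.140), 64 hops max, 40 byte packets
 1 [REDACTED] 4.144 ms 2.245 ms 2.102 ms
 2 [REDACTED] 9.637 ms 9.055 ms 8.574 ms
 3 [REDACTED] 9.727 ms 8.014 ms 7.851 ms
 4 * * *
 5 * * *
 6 * * *
 7 * * *
 8 * * *
 9 ec2-34-249-203-140.eu-west-1.compute.amazonaws.com (34.249.203.140) 48.305 ms 38.582 ms 39.576 ms
10 ec2-34-249-203-140.eu-west-1.compute.amazonaws.com (34.249.203.140) 43.642 ms 41.277 ms 39.860 ms
11 ec2-34-249-203-140.eu-west-1.compute.amazonaws.com (34.249.203.140) 43.121 ms 37.235 ms 37.876 ms
"""

TARGET_RE = re.compile(r"^traceroute to \S+ \((\d{1,3}(?:\.\d{1,3}){3})\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?) ms")


def parse_traceroute(text):
    """Return (target_ip, hops). Each hop is a dict with keys hop (int),
    addr (the IP in parentheses, otherwise the first token, or None for a
    silent '* * *' hop) and rtts (list of floats, empty if silent)."""
    target, hops = None, []
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            target = m.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue  # the warning line and anything else that is not a hop
        rest = m.group(2)
        rtts = [float(x) for x in RTT_RE.findall(rest)]
        a = ADDR_RE.search(rest)
        addr = a.group(1) if a else (rest.split()[0] if rtts else None)
        hops.append({"hop": int(m.group(1)), "addr": addr, "rtts": rtts})
    return target, hops


def hop_count(hops):
    """Hops to the final responder, i.e. the last line of the trace."""
    return hops[-1]["hop"]


def per_hop_average(hops):
    """Average RTT in ms for every hop that answered at least once."""
    return {h["hop"]: mean(h["rtts"]) for h in hops if h["rtts"]}


def biggest_delay_step(hops):
    """Largest increase in average RTT between consecutive responding hops,
    as (from_hop, to_hop, added_ms); None if fewer than two hops answered.
    Silent hops are skipped, so one step may span several '* * *' lines."""
    avgs = per_hop_average(hops)
    order = sorted(avgs)
    best = None
    for prev, cur in zip(order, order[1:]):
        delta = avgs[cur] - avgs[prev]
        if best is None or delta > best[2]:
            best = (prev, cur, delta)
    return best


def destination_before_end(target, hops):
    """Hop numbers, other than the last, that already report the target's
    address. traceroute keeps probing while it receives ICMP Time Exceeded,
    so such replies came from devices in front of the host (NAT or load
    balancers) that answer with the destination's address."""
    return [h["hop"] for h in hops[:-1] if h["addr"] == target]


if __name__ == "__main__":
    target, hops = parse_traceroute(SAMPLE_TRACE)
    print(f"target {target}: {hop_count(hops)} hops")
    for n, avg in sorted(per_hop_average(hops).items()):
        print(f"  hop {n:2d}: {avg:7.3f} ms")
    step = biggest_delay_step(hops)
    if step:
        print(f"biggest delay step: hop {step[0]} -> hop {step[1]}, +{step[2]:.1f} ms")
    print("destination address seen before the end at hops:",
          destination_before_end(target, hops))
```

Run as a script, or replace SAMPLE_TRACE with a live trace. For the trace above the largest step is from hop 3 to hop 9 (about 33.6 ms added, spanning the five silent hops, with an average of about 42.2 ms at hop 9), and hops 9 and 10 are flagged because they carry the destination's address while the trace continued, which is the load-balancer behaviour discussed above.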
2. Execute dig
Executing this command reveals the Domain Name System (DNS) settings for the domain.
> dig ginandjuice.shop
This reveals two A records for the domain, giving the IP addresses of the hosting:
; <<>> DiG 9.10.6 <<>> ginandjuice.shop
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60893
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1444
;; QUESTION SECTION:
;ginandjuice.shop. IN A
;; ANSWER SECTION:
ginandjuice.shop. 60 IN A 34.246.169.176
ginandjuice.shop. 60 IN A 34.249.203.140
;; Query time: 13 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Wed Aug 13 23:46:34 CEST 2025
;; MSG SIZE rcvd: 77
Running dig with the MX query type yields no records, so no mail exchanger is published for the domain. Note that, because the name itself exists, this answer is a NOERROR response with an empty answer section (NODATA) rather than NXDOMAIN. It also does not prove that no mail service exists: under RFC 5321 a domain without an MX record is still deliverable through its A record, so a check of the domain's TXT records for an SPF or DMARC policy is the better indicator of whether the owner makes any statement about mail.
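To make the dig output concrete at the wire level, the following is an added example, not part of the original write-up: it rebuilds the A answer printed above (id 60893, flags qr rd ra, two A records with TTL 60) as raw RFC 1035 bytes, decodes it, and contrasts it with a constructed NODATA reply to an MX query, which is what "no results" for MX looks like on the wire (NOERROR, ANCOUNT 0). The message ids 4242 and 4243, the MX TTL of 300 and the exchanger mail.example.net. in the third message are made-up values used only for contrast; the EDNS OPT pseudo-record dig listed under ADDITIONAL is omitted.

```python
"""Encode and decode DNS replies at the wire level (RFC 1035).

Added example, not from the original write-up: rebuilds the A answer dig
printed above and contrasts it with a constructed NODATA reply for MX.
"""
import struct

TYPE_NAME = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA"}
RCODE_NAME = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def decode_name(msg, off):
    """Return (name, offset after the name), following compression pointers
    (two bytes whose top bits are 11, RFC 1035 section 4.1.4)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:
            if end is None:
                end = off + 2  # resume after the pointer, not after its target
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_response(msg_id, qname, qtype, rcode, answers):
    """Build a reply with QR, RD and RA set, one question and the given
    answers [(type, ttl, rdata)]; each answer name is a pointer (0xC00C) to
    the question name at offset 12. No OPT record, so ARCOUNT is 0."""
    flags = 0x8180 | (rcode & 0xF)
    hdr = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd
                   for t, ttl, rd in answers)
    return hdr + question + rrs


def decode_response(msg):
    """Decode header, question and answer section into a dict."""
    msg_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rstart, off = off + 10, off + 10 + rdlen
        rdata = msg[rstart:off]
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 15:  # MX: 16-bit preference followed by the exchanger name
            value = f"{struct.unpack('!H', rdata[:2])[0]} {decode_name(msg, rstart + 2)[0]}"
        else:
            value = rdata.hex()
        answers.append((name, TYPE_NAME.get(rtype, rtype), ttl, value))
    rcode = flags & 0xF
    return {
        "id": msg_id,
        "flags": [n for n, bit in (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200),
                                   ("rd", 0x0100), ("ra", 0x0080)) if flags & bit],
        "rcode": RCODE_NAME.get(rcode, rcode),
        "question": (qname, TYPE_NAME.get(qtype, qtype)),
        "answers": answers,
        # NODATA: the name exists (NOERROR) but has no record of the asked type.
        "nodata": rcode == 0 and an == 0,
    }


# The answer dig showed above, rebuilt byte for byte (minus the 11-byte OPT
# record, which accounts for dig's "MSG SIZE rcvd: 77").
A_RESPONSE = build_response(60893, "ginandjuice.shop.", 1, 0, [
    (1, 60, bytes([34, 246, 169, 176])),
    (1, 60, bytes([34, 249, 203, 140])),
])
# Constructed NODATA reply to the MX query: NOERROR with ANCOUNT = 0.
MX_NODATA = build_response(4242, "ginandjuice.shop.", 15, 0, [])
# Constructed MX answer for contrast; the exchanger is a made-up host.
MX_EXAMPLE = build_response(4243, "ginandjuice.shop.", 15, 0, [
    (15, 300, struct.pack("!H", 10) + encode_name("mail.example.net.")),
])

if __name__ == "__main__":
    for msg in (A_RESPONSE, MX_NODATA, MX_EXAMPLE):
        r = decode_response(msg)
        print(r["id"], r["rcode"], " ".join(r["flags"]), r["question"],
              "NODATA" if r["nodata"] else r["answers"])
```

The rebuilt A reply is 66 bytes; adding the 11-byte OPT pseudo-record that dig reported under ADDITIONAL gives exactly the 77 bytes dig printed. The decoder distinguishes NODATA from NXDOMAIN via the header fields alone, which is the distinction a resolver makes before deciding that a name, rather than a record type, is absent.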
3. whois
It is possible to reveal the ownership of the resources specified in the domain's DNS records with the whois tool:
> whois 34.246.169.176
The results also confirm that the resource is hosted on AWS: IANA refers the query to ARIN, and ARIN's record allocates the block 34.192.0.0/10 that contains the address to Amazon Technologies Inc.
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object
refer: whois.arin.net
inetnum: 34.0.0.0 - 34.255.255.255
organisation: Administered by ARIN
status: LEGACY
whois: whois.arin.net
changed: 1993-03
source: IANA
# whois.arin.net
NetRange: 34.192.0.0 - 34.255.255.255
CIDR: 34.192.0.0/10
NetName: AT-88-Z
NetHandle: NET-34-192-0-0-1
Parent: NET34 (NET-34-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Amazon Technologies Inc. (AT-88-Z)
RegDate: 2016-09-12
Updated: 2016-09-12
Ref: https://rdap.arin.net/registry/ip/34.192.0.0
OrgName: Amazon Technologies Inc.
OrgId: AT-88-Z
Address: 410 Terry Ave N.
City: Seattle
StateProv: WA
PostalCode: 98109
Country: US
RegDate: 2011-12-08
Updated: 2024-01-24
Comment: All abuse reports MUST include:
Comment: * src IP
Comment: * dest IP (your IP)
Comment: * dest port
Comment: * Accurate date/timestamp and timezone of activity
Comment: * Intensity/frequency (short log extracts)
Comment: * Your contact details (phone and email) Without these we will be unable to identify the correct owner of the IP address at that point in time.
Ref: https://rdap.arin.net/registry/entity/AT-88-Z
OrgRoutingHandle: ARMP-ARIN
OrgRoutingName: AWS RPKI Management POC
OrgRoutingPhone: +1-206-555-0000
OrgRoutingEmail: [email protected]
OrgRoutingRef: https://rdap.arin.net/registry/entity/ARMP-ARIN
OrgNOCHandle: AANO1-ARIN
OrgNOCName: Amazon AWS Network Operations
OrgNOCPhone: +1-206-555-0000
OrgNOCEmail: [email protected]
OrgNOCRef: https://rdap.arin.net/registry/entity/AANO1-ARIN
OrgAbuseHandle: AEA8-ARIN
OrgAbuseName: Amazon EC2 Abuse
OrgAbusePhone: +1-206-555-0000
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/AEA8-ARIN
OrgTechHandle: ANO24-ARIN
OrgTechName: Amazon EC2 Network Operations
OrgTechPhone: +1-206-555-0000
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/ANO24-ARIN
OrgRoutingHandle: IPROU3-ARIN
OrgRoutingName: IP Routing
OrgRoutingPhone: +1-206-555-0000
OrgRoutingEmail: [email protected]
OrgRoutingRef: https://rdap.arin.net/registry/entity/IPROU3-ARIN
For the domain itself, the registrant's contact details are redacted in the output (only the state, Arizona, and the country, US, are shown), so the only identifiable contact is the registrar, GoDaddy.com LLC, and its abuse contact. The name servers once again point to AWS, in this case Amazon Route 53: NS-1000.AWSDNS-61.NET, NS-110.AWSDNS-13.COM, etc. Two further details matter for the assessment: DNSSEC is reported as unsigned, so resolvers cannot validate answers for the domain, and the clientTransferProhibited, clientUpdateProhibited and clientDeleteProhibited status codes show that registrar locks are set, which limits the risk of the domain being hijacked through the registrar.
Domain Name: GINANDJUICE.SHOP
Registry Domain ID: DO6465675-GMO
Registrar WHOIS Server:
Registrar URL: http://www.godaddy.com
Updated Date: 2024-06-24T18:54:28.0Z
Creation Date: 2022-01-12T09:31:25.0Z
Registry Expiry Date: 2027-01-12T23:59:59.0Z
Registrar: GoDaddy.com LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registrant State/Province: Arizona
Registrant Country: US
Registrant Email:
Admin Email:
Tech Email:
Name Server: NS-1000.AWSDNS-61.NET
Name Server: NS-110.AWSDNS-13.COM
Name Server: NS-1496.AWSDNS-59.ORG
Name Server: NS-1543.AWSDNS-00.CO.UK
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2025-08-13T23:13:43.0Z <<<