So the other day I was doing some consulting when a problem occurred in a network: a server run by an application had become unreachable, in other words a "client could not connect" type of error. The client pays a consultant to actually tell him the solution to his problem, so with that being said, I powered on my laptop, found a cable to plug in, opened a terminal and started digging (the real IP addresses have been modified).
First I ran a traceroute to the IP address the client was trying to connect to and found this:
root@inspiration:/home/flux# traceroute 200.109.126.74
traceroute to 200.109.126.74 (200.109.126.74), 30 hops max, 60 byte
 0.459 ms 0.516 ms
 3 10.1.94.46 (12.1.94.46) 0.352 ms 0.411 ms 0.465 ms
 4 10.1.178.129 (192.1.178.129) 0.323 ms 0.340 ms 0.374 ms
 5 200.109.126.241 (200.103.126.251) 0.775 ms 0.825 ms 0.843 ms
 6 10.150.0.105 (10.150.0.105) 4.336 ms 2.458 ms 1.786 ms
 7 10.150.0.90 (10.160.0.90) 5.199 ms 5.194 ms 5.189 ms
 8 XXX-0X-txxx-0.gw.cantv.net (200.55.45.71) 1.265 ms 1.347 ms 1.645 ms
 9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
root@inspiration:/home/flux#
With this output we can establish that the host blocking or not forwarding packets in and out was this gateway right here, “XXX-0X-txxx-0-0.gw.cantv.net” with the IP address 200.55.45.71. But what was this IP: a gateway, a firewall, a server, a routing device? Thinking about this, I ran the good old nmap with the -O flag to find out about the OS running on this device, and found this:
root@inspiration:/home/flux# nmap -O 200.55.45.71

Starting Nmap 5.00 ( http://nmap.org ) at 2012-08-22 12:08 AST
All 1000 scanned ports on XXX-0X-txxx-0-0.gw.cantv.net (200.55.45.71) are closed
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch|WAP
Running: Cisco IOS 12.X
OS details: Cisco 3750 switch (IOS 12.2), Cisco Aironet 1231G WAP (IOS 12.3)
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds
root@inspiration:/home/flux#
Obviously this was a routing device, nothing to do with operating systems and servers. Then the guy from infrastructure says:
Ok, now where is this device? (They start looking for it in an Excel sheet.)
There has to be a better way to do this; then I remembered a very old command called “whois”.
root@inspiration:/home/flux# whois -H 200.55.45.71
% Joint Whois – whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries
% LACNIC resource: whois.lacnic.net
% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2012-08-22 13:12:38 (BRT -03:00)

inetnum: 200.55.40/22
status: reassigned
owner: CANTV.net, Venezuela
ownerid: VE-CAVE-LACNIC
address: Av. Fco. de Miranda Centro XXXX Torre B Piso XX Ofic XXX ElRosal
country: VE
owner-c: IRC2-ARIN
created: 19990601
changed: 19990601
inetnum-up: 200.55/16
source: ARIN-HISTORIC

nic-hdl: IRC2-ARIN
person: Ip Registration CANTV.net
e-mail: xxxxxx@CANTV.NET
address: CANTV.net, Venezuela
address: Av. Fco. de Miranda Centro XXXX Torre B Piso XX Ofic XXX ElRosal
country: VE
phone: +582 2592565
source: ARIN-HISTORIC

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.
root@inspiration:/home/flux#
We found lots of answers with this one, so now that the intel was on the table, I wrote my report and handed it to the appropriate person on the team to take over the correction of the failure, and you are done: an effective day of work. Now, what other commands would you execute to get more info? . . .
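As an added example (not from the original post), a small Python parser that automates the step done by eye on the traceroute above: it pulls the hops out of raw traceroute text, reports the last hop that answered before the probes went silent (the address to fingerprint and whois next) and counts the silent tail. The sample output is constructed from the post's already-modified addresses.

```python
import re

# Constructed sample modelled on the traceroute shown in the post (hops 1 and 2
# are missing there too); the addresses are the post's already-altered values.
SAMPLE = """\
 3  10.1.94.46 (12.1.94.46)  0.352 ms  0.411 ms  0.465 ms
 4  10.1.178.129 (192.1.178.129)  0.323 ms  0.340 ms  0.374 ms
 5  200.109.126.241 (200.103.126.251)  0.775 ms  0.825 ms  0.843 ms
 6  10.150.0.105 (10.150.0.105)  4.336 ms  2.458 ms  1.786 ms
 7  10.150.0.90 (10.160.0.90)  5.199 ms  5.194 ms  5.189 ms
 8  XXX-0X-txxx-0.gw.cantv.net (200.55.45.71)  1.265 ms  1.347 ms  1.645 ms
 9  * * *
10  * * *
"""

# One hop line: either "<n> <host> (<ip>) <rtt> ms ..." or "<n> * * *".
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(\S+)\s+\(([\d.]+)\)((?:\s+[\d.]+ ms)+)|(\*(?:\s+\*)*))\s*$")

def parse_traceroute(text):
    """Turn traceroute output into dicts: hop number, host, ip, list of RTTs in ms."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # banner, prompt or other non-hop line
        num = int(m.group(1))
        if m.group(5):                    # "* * *": no reply from this hop at all
            hops.append({"hop": num, "host": None, "ip": None, "rtts": []})
            continue
        rtts = [float(x) for x in re.findall(r"([\d.]+) ms", m.group(4))]
        hops.append({"hop": num, "host": m.group(2), "ip": m.group(3), "rtts": rtts})
    return hops

def last_responding_hop(hops):
    """Last hop that answered: the device to fingerprint and whois next (None if no reply)."""
    answered = [h for h in hops if h["ip"]]
    return answered[-1] if answered else None

def silent_tail_length(hops):
    """Number of consecutive unanswered hops at the end of the path."""
    n = 0
    for h in reversed(hops):
        if h["ip"]:
            break
        n += 1
    return n

if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE)
    last = last_responding_hop(hops)
    print(f"last reply from hop {last['hop']}: {last['host']} ({last['ip']}); "
          f"{silent_tail_length(hops)} silent hops follow -> whois / nmap -O {last['ip']}")
```

A silent tail only shows that nothing past that hop answered the probes; it can be filtering of the ICMP replies rather than of the client's traffic, so the last responder is where to start asking, not proof of where the block is.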
Wow, I like this piece of info.