Passive Footprinting Using Windows Command-Line Utilities
Nerd Cafe | نرد کافه
Scenario Context
Role: Ethical Hacker / Security Analyst
Objective: Perform initial footprinting on a publicly accessible domain using only native Windows tools
Target: www.certifiedhacker.com (or an instructor-approved domain)
Rules of Engagement:
No exploitation
No credentialed access
Passive reconnaissance only
Authorized lab or written permission assumed
Lab Objective
By the end of this exercise, you will be able to:
Resolve a domain to its IP address
Verify host reachability
Identify effective MTU size on the network path
Enumerate intermediate routers (hops)
Extract DNS infrastructure details
Understand how attackers and defenders interpret these results
Environment Setup (Pre-Lab Checklist)
Windows 10 / 11 / Server 2016+
Command Prompt opened as Administrator
Active internet connection
DNS resolution working (ipconfig /all should show a DNS server)
Target domain is reachable from your network
Hint: If commands fail immediately, verify DNS and gateway configuration before proceeding.
Task 1: Domain Reachability & IP Resolution (Ping)
Goal
Determine whether the target is alive and identify its resolved IP address.
Steps
Open Command Prompt
Execute:
C:\>ping www.certifiedhacker.com
Observe
Resolved IP address
Packet statistics (sent, received, lost)
Round-trip time (RTT)
Hints
The "Pinging <name> [IP]" line shows the resolved address before any reply arrives; the name it prints may differ from what you typed (certifiedhacker.com for www.certifiedhacker.com) because the resolver followed a CNAME to the canonical name
Even if no replies come back, the resolved IP in that first line means DNS resolution succeeded
The TTL in each reply hints at the responder's initial TTL (64, 128 and 255 are the common defaults) and therefore roughly how many routers sit between you and it: TTL=48 suggests a 64-default host about 16 hops away
ICMP Echo Request = Type 8
ICMP Echo Reply = Type 0
ICMP Fragmentation Needed (seen in Task 2) = Type 3, Code 4
Analyst Notes
No reply ≠ system offline
Perimeter firewalls commonly drop ICMP echo requests specifically to frustrate reconnaissance; treat the DNS result as the reliable finding and corroborate liveness with the later tasks
Task 2: Identify Maximum Frame Size (MTU Discovery)
Goal
Determine the largest packet size that can traverse the network without fragmentation.
Steps
Send a packet with the DF (Don't Fragment) bit set and a payload that is certain to be too large:
C:\>ping www.certifiedhacker.com -f -l 1500
If the response is "Packet needs to be fragmented but DF set.", reduce the payload size:
C:\>ping www.certifiedhacker.com -f -l 1400
Continue adjusting the size until replies succeed; bisecting between the last failing and last succeeding size converges in a handful of probes
Fine-tune by incrementing/decrementing by 1 byte until you have the largest payload that is still answered
Hints
-f = set the Do Not Fragment bit
-l = ICMP payload size in bytes only (IP and ICMP headers are not included)
IP + ICMP headers = 28 bytes, so path MTU = largest answered -l value + 28
A payload too large for your own interface is rejected locally with "Packet needs to be fragmented but DF set." and counts as 100% loss; the same message appears when a router on the path returns ICMP Fragmentation Needed. If a size instead fails with "Request timed out.", the result is ambiguous: either ICMP is filtered or the Fragmentation Needed message was dropped on the way back
Expected Insight
If 1472 succeeds and 1473 fails → path MTU is 1500 (standard Ethernet)
If fragmentation errors persist below 1472 → a link on the path (tunnel, PPPoE, VPN) has a lower MTU
Why This Matters
Fragmented packets are easy for IDS sensors and firewalls to flag, reassemble or drop, so they raise detection risk
Knowing the path MTU lets you size crafted packets so they traverse the path whole, which matters for stealth scanning, DoS tuning and general packet crafting
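The ping transcripts from Task 1 and the DF-bit search from Task 2 can be automated. The following is an added example, not code from the original post or the Nerd Cafe lab: it parses Windows ping output, estimates hop distance from the reply TTL, and bisects on the -l payload to find the path MTU. The sample transcript is the Task 1 output shown on this page, the simulated path and the helper names are assumptions, and windows_ping_probe wraps the real ping.exe switches (-n, -f, -l, -w), so it is only meaningful on a Windows host against an authorized target.

```python
"""Parse Windows ping output and automate the DF-bit MTU search.

Added example, not code from the original post. `discover_mtu` runs the same
bisection an analyst does by hand with `ping -f -l <size>`, reading each
transcript to decide whether the probe was answered, rejected because it would
need fragmentation, or simply timed out. The probe function is pluggable:
`simulated_path` is a constructed stand-in so the script runs offline, and
`windows_ping_probe` wraps the real ping.exe on a Windows host.
"""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

IP_ICMP_HEADERS = 28               # 20-byte IPv4 header + 8-byte ICMP echo header
WINDOWS_PING_MAX_PAYLOAD = 65500   # largest -l value ping.exe accepts

REPLY_RE = re.compile(
    r"Reply from (?P<ip>[\d.]+): bytes=(?P<bytes>\d+) time[=<](?P<rtt>\d+)ms TTL=(?P<ttl>\d+)"
)

# Sample transcript copied from this page's Task 1 output, embedded so the parser runs offline.
SAMPLE_PING = """\
Pinging certifiedhacker.com [162.241.216.11] with 32 bytes of data:
Reply from 162.241.216.11: bytes=32 time=274ms TTL=48
Reply from 162.241.216.11: bytes=32 time=275ms TTL=48
Reply from 162.241.216.11: bytes=32 time=274ms TTL=48
Reply from 162.241.216.11: bytes=32 time=270ms TTL=48
"""


def classify_ping(output: str) -> str:
    """One verdict per transcript: 'reply', 'needs_fragmentation', 'timeout' or 'unknown'."""
    if "Packet needs to be fragmented but DF set" in output:
        return "needs_fragmentation"   # local stack or a router refused the DF packet
    if REPLY_RE.search(output):
        return "reply"
    if "Request timed out" in output or "Destination host unreachable" in output:
        return "timeout"               # ambiguous: ICMP filtered, or the Frag-Needed message was dropped
    return "unknown"


def parse_replies(output: str) -> List[Dict[str, int]]:
    """Extract bytes, RTT and TTL from every 'Reply from' line."""
    return [
        {"bytes": int(m["bytes"]), "rtt": int(m["rtt"]), "ttl": int(m["ttl"])}
        for m in REPLY_RE.finditer(output)
    ]


def estimate_distance(ttl: int) -> Tuple[int, int]:
    """Guess the responder's initial TTL (64, 128 or 255 are the common defaults)
    and therefore how many routers decremented it on the way back."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"TTL {ttl} out of range")


def discover_mtu(probe: Callable[[int], str], lo: int = 0,
                 hi: int = WINDOWS_PING_MAX_PAYLOAD) -> Optional[Dict]:
    """Bisect for the largest -l payload that still gets a reply with DF set.

    `lo` must be a payload that works (0 is a safe start) and `hi` one expected
    to fail; returns None when even `lo` gets no reply. `ambiguous` is set when
    any failure was a timeout rather than an explicit fragmentation message.
    """
    if classify_ping(probe(lo)) != "reply":
        return None
    ambiguous = False
    if classify_ping(probe(hi)) == "reply":
        lo = hi                         # nothing on the path fragments: unusual but possible
    while hi - lo > 1:
        mid = (lo + hi) // 2
        verdict = classify_ping(probe(mid))
        if verdict == "reply":
            lo = mid
        else:
            hi = mid
            ambiguous = ambiguous or verdict != "needs_fragmentation"
    return {"payload": lo, "mtu": lo + IP_ICMP_HEADERS, "ambiguous": ambiguous}


def simulated_path(path_mtu: int) -> Callable[[int], str]:
    """Constructed stand-in for ping.exe: a path whose smallest link MTU is `path_mtu`."""
    def probe(payload: int) -> str:
        if payload + IP_ICMP_HEADERS > path_mtu:
            return "Packet needs to be fragmented but DF set.\n" * 4
        return "".join(f"Reply from 162.241.216.11: bytes={payload} time=27{i}ms TTL=48\n"
                       for i in range(4))
    return probe


def windows_ping_probe(host: str, timeout_ms: int = 2000) -> Callable[[int], str]:
    """Real probe for a Windows host: one echo (-n 1), DF set (-f), payload -l, timeout -w."""
    def probe(payload: int) -> str:
        cmd = ["ping", host, "-n", "1", "-f", "-l", str(payload), "-w", str(timeout_ms)]
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    return probe


if __name__ == "__main__":
    print(parse_replies(SAMPLE_PING))
    print(estimate_distance(48))
    print(discover_mtu(simulated_path(1500)))
    # On Windows, against an authorized target:
    # print(discover_mtu(windows_ping_probe("www.certifiedhacker.com")))
```

Treat an `ambiguous` result with suspicion: when the only failures are timeouts, the path may simply be filtering ICMP and the reported MTU is a lower bound on the largest size that was answered, not proof that the next byte would fragment.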
Task 3: Validate Using Tracert
Goal
Enumerate the routers between you and the target with Windows tracert, which sends echo requests with increasing TTL values and records which router returns each TTL-exceeded message.
Steps
Execute:
C:\>tracert www.certifiedhacker.com
Observe
Number of hops
Latency per hop (three probes per hop)
Asterisks (*) marking probes that got no answer within the timeout: the router either rate-limits or does not generate TTL-exceeded messages, or filters ICMP; the path continues past it
Private addresses (10.x.x.x, 192.168.x.x) in the early hops belong to your own LAN and your ISP's internal network, not to the target
Security Insight
High latency hops may indicate:
Congestion
Geographic distance (a jump that persists for every later hop is real path delay)
Filtering or rate limiting (a spike at a single hop that later hops do not inherit is the router deprioritizing ICMP generation, not forwarding delay)
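The hop list, the timed-out hops and the latency pattern above are exactly what the report in the final section asks for. The following added example, not code from the original post, parses a Windows tracert transcript into a hop table and derives those findings: hop count, unanswered hops, the first hop outside private address space, and the largest latency jump between consecutive answering hops. The embedded transcript is the Task 3 output shown on this page; the function and field names are assumptions.

```python
"""Turn a Windows tracert transcript into the hop list a footprinting report needs.

Added example, not code from the original post. It parses the tracert line
format (hop number, three probe results, then hostname [ip] / ip /
"Request timed out.") and computes what an analyst records.
"""
import ipaddress
import re
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample transcript: the tracert output shown on this page, embedded so the script runs offline.
SAMPLE_TRACERT = """\
Tracing route to certifiedhacker.com [162.241.216.11]
over a maximum of 30 hops:

  1     4 ms    <1 ms     1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3    47 ms    57 ms    57 ms  10.176.211.65
  4     *        *        *     Request timed out.
  5    69 ms    53 ms    35 ms  10.136.131.142
  6    32 ms   170 ms    46 ms  10.21.249.46
  7   125 ms   138 ms   123 ms  213.144.184.50
  8   133 ms   157 ms   156 ms  89.221.34.189
  9     *        *        *     Request timed out.
 10   310 ms   274 ms   272 ms  4.7.247.122
 11   269 ms   275 ms   269 ms  140.91.195.223
 12   267 ms   272 ms   290 ms  box5331.bluehost.com [162.241.216.11]

Trace complete.
"""

PROBE = r"(?:<?\d+ ms|\*)"                       # one probe result: "4 ms", "<1 ms" or "*"
HOP_RE = re.compile(
    rf"^\s*(?P<hop>\d+)\s+(?P<p1>{PROBE})\s+(?P<p2>{PROBE})\s+(?P<p3>{PROBE})\s+(?P<target>.+?)\s*$"
)
TARGET_RE = re.compile(r"^(?:(?P<name>\S+)\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?$")


@dataclass
class Hop:
    number: int
    rtts: List[Optional[int]]   # milliseconds per probe; None where the probe got no reply
    name: Optional[str]         # reverse-DNS name when tracert printed one
    ip: Optional[str]           # None when all three probes timed out

    @property
    def answered(self) -> bool:
        return self.ip is not None

    @property
    def median_rtt(self) -> Optional[float]:
        got = [r for r in self.rtts if r is not None]
        return statistics.median(got) if got else None

    @property
    def is_private(self) -> Optional[bool]:
        return ipaddress.ip_address(self.ip).is_private if self.ip else None


def _probe_ms(token: str) -> Optional[int]:
    """'*' -> None; '<1 ms' is recorded as 1 ms (an upper bound)."""
    if token == "*":
        return None
    return int(token.rstrip("ms").strip().lstrip("<"))


def parse_tracert(text: str) -> List[Hop]:
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                                  # header, blank and "Trace complete." lines
        rtts = [_probe_ms(m.group(k)) for k in ("p1", "p2", "p3")]
        t = TARGET_RE.match(m.group("target"))
        if t:
            hops.append(Hop(int(m.group("hop")), rtts, t.group("name"), t.group("ip")))
        else:
            hops.append(Hop(int(m.group("hop")), rtts, None, None))   # "Request timed out."
    return hops


def summarize(hops: List[Hop]) -> Dict:
    """Findings for the report: count, silent hops, first public router, largest RTT jump."""
    answered = [h for h in hops if h.answered]
    jumps: List[Tuple[int, float]] = [
        (cur.number, cur.median_rtt - prev.median_rtt) for prev, cur in zip(answered, answered[1:])
    ]
    worst = max(jumps, key=lambda j: j[1]) if jumps else None
    first_public = next((h for h in answered if not h.is_private), None)
    return {
        "hop_count": hops[-1].number if hops else 0,
        "timed_out": [h.number for h in hops if not h.answered],
        "first_public_hop": first_public.number if first_public else None,
        "largest_rtt_jump": worst,   # (hop number, ms added versus the previous answering hop)
        "destination": (hops[-1].name, hops[-1].ip) if hops else None,
    }


if __name__ == "__main__":
    for h in parse_tracert(SAMPLE_TRACERT):
        print(h)
    print(summarize(parse_tracert(SAMPLE_TRACERT)))
```

The largest jump on the sample path lands at hop 10 and every later hop inherits it, which is the persistent pattern that points to distance rather than a single router rate-limiting its replies; hop 6's 170 ms outlier, by contrast, is not carried forward.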
Task 4: DNS Enumeration with Nslookup
Goal
Identify DNS records and authoritative infrastructure.
Steps
Enter interactive mode:
C:\>nslookup
Note the Default Server and Address lines printed on entry: that is the resolver answering your queries
Set record type to A:
> set type=a
Query domain:
> www.certifiedhacker.com
Change record type to CNAME:
> set type=cname
Query root domain:
> certifiedhacker.com
To list the authoritative name servers directly, set the record type to NS and repeat the root-domain query:
> set type=ns
> certifiedhacker.com
Leave interactive mode:
> exit
Hints
"Non-authoritative answer" = your resolver answered from its own cache or by recursion, not a server that holds the zone; to confirm a record, point nslookup at an authoritative server with server <name-server> and repeat the query
A CNAME reveals where the name is really hosted (a CDN, a shared hosting box) and how the DNS is structured
Authoritative servers are high-value targets because they hold the zone and every other resolver depends on them
Task 5: Enumerate Name Server IP
Goal
Resolve authoritative DNS server to its IP address.
Steps
Resolve the name server found in Task 4 (non-interactive form):
C:\>nslookup <name-server-hostname>
Hint: Replace <name-server-hostname> with the name server you discovered; repeat for each authoritative server so the report lists all of them.
Analyst Notes
DNS servers are critical infrastructure: if the authoritative servers are unreachable, every service under the domain becomes unreachable by name
Attacks on DNS therefore frequently target availability (DDoS against the name servers) rather than the data in the zone
Documentation & Reporting (Mandatory)
Record the following:
Target domain
Resolved IP address
Packet loss & RTT
Largest answered payload and the derived path MTU (payload + 28)
Hop IPs and count
Authoritative DNS servers and IPs
Hint: Professional penetration tests are judged as much by documentation as by execution.
Sample Output
Task 1 (ping):
C:\>ping www.certifiedhacker.com
Pinging certifiedhacker.com [162.241.216.11] with 32 bytes of data:
Reply from 162.241.216.11: bytes=32 time=274ms TTL=48
Reply from 162.241.216.11: bytes=32 time=275ms TTL=48
Reply from 162.241.216.11: bytes=32 time=274ms TTL=48
Reply from 162.241.216.11: bytes=32 time=270ms TTL=48
Ping statistics for 162.241.216.11:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 270ms, Maximum = 275ms, Average = 273ms
C:\>
Task 2 (MTU discovery):
C:\>ping www.certifiedhacker.com -f -l 1500
Pinging certifiedhacker.com [162.241.216.11] with 1500 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Ping statistics for 162.241.216.11:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>
C:\>ping www.certifiedhacker.com -f -l 1400
Pinging certifiedhacker.com [162.241.216.11] with 1400 bytes of data:
Reply from 162.241.216.11: bytes=1400 time=273ms TTL=48
Reply from 162.241.216.11: bytes=1400 time=261ms TTL=48
Reply from 162.241.216.11: bytes=1400 time=282ms TTL=48
Reply from 162.241.216.11: bytes=1400 time=292ms TTL=48
Ping statistics for 162.241.216.11:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 261ms, Maximum = 292ms, Average = 277ms
C:\>
Task 3 (tracert):
C:\>tracert www.certifiedhacker.com
Tracing route to certifiedhacker.com [162.241.216.11]
over a maximum of 30 hops:
  1     4 ms    <1 ms     1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3    47 ms    57 ms    57 ms  10.176.211.65
  4     *        *        *     Request timed out.
  5    69 ms    53 ms    35 ms  10.136.131.142
  6    32 ms   170 ms    46 ms  10.21.249.46
  7   125 ms   138 ms   123 ms  213.144.184.50
  8   133 ms   157 ms   156 ms  89.221.34.189
  9     *        *        *     Request timed out.
 10   310 ms   274 ms   272 ms  4.7.247.122
 11   269 ms   275 ms   269 ms  140.91.195.223
 12   267 ms   272 ms   290 ms  box5331.bluehost.com [162.241.216.11]
Trace complete.
C:\>