nslookup.exe
- File Path:
C:\Windows\SysWOW64\nslookup.exe - Description: nslookup
Hashes
| Type | Hash |
|---|---|
| MD5 | 9D2EB13476B126CB61B12CDD03C7DCA6 |
| SHA1 | 94EEF82037135C46AFADD641C58F8D46E2399C2B |
| SHA256 | 531A1B65E4E3869D65D2EAF6B07C92A34DD6FE18ED9A647BD1A257AB3D0C1AEB |
| SHA384 | 651645B8BFF5031268EA485B741D961A13E6BA96EB13BAAD78E2383A1D7C5DAE448F0DDDA879DE66D9FB4D9C306EB8F4 |
| SHA512 | 2BC9BB27FEA55ED715F977223EFD36999E22B1D86ACF19A0715DF65E15FD01023D7F12E63E83DB792B5E2BF27B0824DE542E486FBB183D5DF7142B44AB59D089 |
| SSDEEP | 768:IY0qLepllEGlKKQH9YBtmlXs1ggqwNzT3Dk90qFaqIWnrJWsEe6QYMLZmGIJYBRs:cyOuG1UByHrMCaYMLZQ+BRWgTMZmvuh |
| IMP | DA56B644408C06CA96A55143F44254E8 |
| PESHA1 | 782FB44FD69D3D1B4B84D34C289CB4697686A7E1 |
| PE256 | F15594A0C3E91D64B25AA87630F11B78EA6B2354F0B00D0CB75CCF2AA646DF08 |
Runtime Data
Usage (stdout):
Default Server: DESKTOP-IOOJLI7.mshome.net
Address: 172.26.224.1
>
Usage (stderr):
Usage:
nslookup [-opt ...] # interactive mode using default server
nslookup [-opt ...] - server # interactive mode using 'server'
nslookup [-opt ...] host # just look up 'host' using default server
nslookup [-opt ...] host server # just look up 'host' using 'server'
Child Processes:
conhost.exe
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\System32\en-US\nslookup.exe.mui | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows | File |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
Loaded Modules:
| Path |
|---|
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
| C:\Windows\SysWOW64\nslookup.exe |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: nslookup.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/76
- VirusTotal Link: https://www.virustotal.com/gui/file/531a1b65e4e3869d65d2eaf6b07c92a34dd6fe18ed9a647bd1a257ab3d0c1aeb/detection
Possible Misuse
The following table contains possible examples of nslookup.exe being misused. While nslookup.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | apt_silence_eda.yml | - '$Command \| nslookup 2>&1 \| Out-String' |
DRL 1.0 |
| sigma | proc_creation_win_apt_chafer_mar18.yml | - '\nslookup.exe' |
DRL 1.0 |
| sigma | proc_creation_win_dnscat2_powershell_implementation.yml | description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally. |
DRL 1.0 |
| sigma | proc_creation_win_dnscat2_powershell_implementation.yml | Image\|endswith: '\nslookup.exe' |
DRL 1.0 |
| sigma | proc_creation_win_dnscat2_powershell_implementation.yml | CommandLine\|endswith: '\nslookup.exe' |
DRL 1.0 |
| sigma | proc_creation_win_dnscat2_powershell_implementation.yml | - Other powershell scripts that call nslookup.exe |
DRL 1.0 |
| sigma | proc_creation_win_multiple_suspicious_cli.yml | - nslookup.exe |
DRL 1.0 |
| sigma | proc_creation_win_shell_spawn_susp_program.yml | - '\nslookup.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_commands_recon_activity.yml | - nslookup |
DRL 1.0 |
| sigma | proc_creation_win_susp_execution_path_webserver.yml | - Tools that include ping or nslookup command invocations |
DRL 1.0 |
| sigma | proc_creation_win_susp_recon_net_activity.yml | - 'nslookup' |
DRL 1.0 |
| atomic-red-team | index.md | - Atomic Test #8: Remote System Discovery - nslookup [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #8: Remote System Discovery - nslookup [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | - Atomic Test #8 - Remote System Discovery - nslookup | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | ## Atomic Test #8 - Remote System Discovery - nslookup | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | foreach ($ip in 1..255 | % { “$firstOctet.$secondOctet.$thirdOctet.$_” } ) {cmd.exe /c nslookup $ip} | MIT License. © 2018 Red Canary |
| signature-base | apt_laudanum_webshells.yar | $s1 = “command = "nslookup -type=" & qtype & " " & query “ fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | gen_suspicious_strings.yar | $ = “nslookup” | CC BY-NC 4.0 |
| stockpile | ce485320-41a4-42e8-a510-f5a8fe96a644.yml | (nslookup -querytype=mx #{target.org.domain}. \| Select-String -pattern 'mail' \| Out-String).Trim() |
Apache-2.0 |
| stockpile | fa4ed735-7006-4451-a578-b516f80e559f.yml | name: Reverse nslookup IP |
Apache-2.0 |
| stockpile | fa4ed735-7006-4451-a578-b516f80e559f.yml | nslookup #{remote.host.ip} |
Apache-2.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
nslookup
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Displays information that you can use to diagnose Domain Name System (DNS) infrastructure. Before using this tool, you should be familiar with how DNS works. The nslookup command-line tool is available only if you have installed the TCP/IP protocol.
The nslookup command-line tool has two modes: interactive and noninteractive.
If you need to look up only a single piece of data, we recommend using the non-interactive mode. For the first parameter, type the name or IP address of the computer that you want to look up. For the second parameter, type the name or IP address of a DNS name server. If you omit the second argument, nslookup uses the default DNS name server.
If you need to look up more than one piece of data, you can use interactive mode. Type a hyphen (-) for the first parameter and the name or IP address of a DNS name server for the second parameter. If you omit both parameters, the tool uses the default DNS name server. While using the interactive mode, you can:
-
Interrupt interactive commands at any time, by pressing CTRL+B.
-
Exit, by typing exit.
-
Treat a built-in command as a computer name, by preceding it with the escape character (
\). An unrecognized command is interpreted as a computer name.
Syntax
nslookup [exit | finger | help | ls | lserver | root | server | set | view] [options]
Parameters
| Parameter | Description |
|---|---|
| nslookup exit | Exits the nslookup command-line tool. |
| nslookup finger | Connects with the finger server on the current computer. |
| nslookup help | Displays a short summary of subcommands. |
| nslookup ls | Lists information for a DNS domain. |
| nslookup lserver | Changes the default server to the specified DNS domain. |
| nslookup root | Changes the default server to the server for the root of the DNS domain name space. |
| nslookup server | Changes the default server to the specified DNS domain. |
| nslookup set | Changes configuration settings that affect how lookups function. |
| nslookup set all | Prints the current values of the configuration settings. |
| nslookup set class | Changes the query class. The class specifies the protocol group of the information. |
| nslookup set d2 | Turns exhaustive Debugging mode on or off. All fields of every packet are printed. |
| nslookup set debug | Turns Debugging mode on or off. |
| nslookup set domain | Changes the default DNS domain name to the name specified. |
| nslookup set port | Changes the default TCP/UDP DNS name server port to the value specified. |
| nslookup set querytype | Changes the resource record type for the query. |
| nslookup set recurse | Tells the DNS name server to query other servers if it doesn’t have the information. |
| nslookup set retry | Sets the number of retries. |
| nslookup set root | Changes the name of the root server used for queries. |
| nslookup set search | Appends the DNS domain names in the DNS domain search list to the request until an answer is received. This applies when the set and the lookup request contain at least one period, but do not end with a trailing period. |
| nslookup set srchlist | Changes the default DNS domain name and search list. |
| nslookup set timeout | Changes the initial number of seconds to wait for a reply to a request. |
| nslookup set type | Changes the resource record type for the query. |
| nslookup set vc | Specifies to use or not use a virtual circuit when sending requests to the server. |
| nslookup view | Sorts and lists the output of the previous ls subcommand or commands. |
Remarks
-
If computerTofind is an IP address and the query is for an A or PTR resource record type, the name of the computer is returned.
-
If computerTofind is a name and doesn’t have a trailing period, the default DNS domain name is appended to the name. This behavior depends on the state of the following set subcommands: domain, srchlist, defname, and search.
-
If you type a hyphen (-) instead of computerTofind, the command prompt changes to nslookup interactive mode.
-
If the lookup request fails, the command-line tool provides an error message, including:
Error message Description timed out The server didn’t respond to a request after a certain amount of time and a certain number of retries. You can set the time-out period with the nslookup set timeout command. You can set the number of retries with the nslookup set retry command. No response from server No DNS name server is running on the server computer. No records The DNS name server doesn’t have resource records of the current query type for the computer, although the computer name is valid. The query type is specified with the nslookup set querytype command. Nonexistent domain The computer or DNS domain name doesn’t exist. Connection refused or Network is unreachable The connection to the DNS name server or finger server could not be made. This error commonly occurs with the ls and finger requests. Server failure The DNS name server found an internal inconsistency in its database and could not return a valid answer. Refused The DNS name server refused to service the request. format error The DNS name server found that the request packet was not in the proper format. It may indicate an error in nslookup.
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.