nslookup.exe

  • File Path: C:\Windows\SysWOW64\nslookup.exe
  • Description: nslookup

Hashes

| Type | Hash |
|---|---|
| MD5 | 9D2EB13476B126CB61B12CDD03C7DCA6 |
| SHA1 | 94EEF82037135C46AFADD641C58F8D46E2399C2B |
| SHA256 | 531A1B65E4E3869D65D2EAF6B07C92A34DD6FE18ED9A647BD1A257AB3D0C1AEB |
| SHA384 | 651645B8BFF5031268EA485B741D961A13E6BA96EB13BAAD78E2383A1D7C5DAE448F0DDDA879DE66D9FB4D9C306EB8F4 |
| SHA512 | 2BC9BB27FEA55ED715F977223EFD36999E22B1D86ACF19A0715DF65E15FD01023D7F12E63E83DB792B5E2BF27B0824DE542E486FBB183D5DF7142B44AB59D089 |
| SSDEEP | 768:IY0qLepllEGlKKQH9YBtmlXs1ggqwNzT3Dk90qFaqIWnrJWsEe6QYMLZmGIJYBRs:cyOuG1UByHrMCaYMLZQ+BRWgTMZmvuh |
| IMP | DA56B644408C06CA96A55143F44254E8 |
| PESHA1 | 782FB44FD69D3D1B4B84D34C289CB4697686A7E1 |
| PE256 | F15594A0C3E91D64B25AA87630F11B78EA6B2354F0B00D0CB75CCF2AA646DF08 |

Runtime Data

Usage (stdout):

Default Server:  DESKTOP-IOOJLI7.mshome.net
Address:  172.26.224.1

> 

Usage (stderr):

Usage:
   nslookup [-opt ...]             # interactive mode using default server
   nslookup [-opt ...] - server    # interactive mode using 'server'
   nslookup [-opt ...] host        # just look up 'host' using default server
   nslookup [-opt ...] host server # just look up 'host' using 'server'

Child Processes:

conhost.exe

Open Handles:

| Path | Type |
|---|---|
| `(R-D) C:\Windows\System32\en-US\nslookup.exe.mui` | File |
| `(RW-) C:\Users\user` | File |
| `(RW-) C:\Windows` | File |
| `\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db` | Section |
| `\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db` | Section |
| `\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2` | Section |
| `\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0` | Section |
| `\BaseNamedObjects\NLS_CodePage_437_3_2_0_0` | Section |

Loaded Modules:

| Path |
|---|
| `C:\Windows\SYSTEM32\ntdll.dll` |
| `C:\Windows\System32\wow64.dll` |
| `C:\Windows\System32\wow64cpu.dll` |
| `C:\Windows\System32\wow64win.dll` |
| `C:\Windows\SysWOW64\nslookup.exe` |

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: nslookup.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/531a1b65e4e3869d65d2eaf6b07c92a34dd6fe18ed9a647bd1a257ab3d0c1aeb/detection

Possible Misuse

The following table contains possible examples of nslookup.exe being misused. While nslookup.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | apt_silence_eda.yml | - '$Command \| nslookup 2>&1 \| Out-String' | DRL 1.0 |
| sigma | proc_creation_win_apt_chafer_mar18.yml | - '\nslookup.exe' | DRL 1.0 |
| sigma | proc_creation_win_dnscat2_powershell_implementation.yml | description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally. | DRL 1.0 |
| sigma | proc_creation_win_dnscat2_powershell_implementation.yml | Image\|endswith: '\nslookup.exe' | DRL 1.0 |
| sigma | proc_creation_win_dnscat2_powershell_implementation.yml | CommandLine\|endswith: '\nslookup.exe' | DRL 1.0 |
| sigma | proc_creation_win_dnscat2_powershell_implementation.yml | - Other powershell scripts that call nslookup.exe | DRL 1.0 |
| sigma | proc_creation_win_multiple_suspicious_cli.yml | - nslookup.exe | DRL 1.0 |
| sigma | proc_creation_win_shell_spawn_susp_program.yml | - '\nslookup.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_commands_recon_activity.yml | - nslookup | DRL 1.0 |
| sigma | proc_creation_win_susp_execution_path_webserver.yml | - Tools that include ping or nslookup command invocations | DRL 1.0 |
| sigma | proc_creation_win_susp_recon_net_activity.yml | - 'nslookup' | DRL 1.0 |
| atomic-red-team | index.md | - Atomic Test #8: Remote System Discovery - nslookup [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #8: Remote System Discovery - nslookup [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | - Atomic Test #8 - Remote System Discovery - nslookup | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | ## Atomic Test #8 - Remote System Discovery - nslookup | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | foreach ($ip in 1..255 \| % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip} | MIT License. © 2018 Red Canary |
| signature-base | apt_laudanum_webshells.yar | $s1 = "command = "nslookup -type=" & qtype & " " & query " fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | gen_suspicious_strings.yar | $ = "nslookup" | CC BY-NC 4.0 |
| stockpile | ce485320-41a4-42e8-a510-f5a8fe96a644.yml | (nslookup -querytype=mx #{target.org.domain}. \| Select-String -pattern 'mail' \| Out-String).Trim() | Apache-2.0 |
| stockpile | fa4ed735-7006-4451-a578-b516f80e559f.yml | name: Reverse nslookup IP | Apache-2.0 |
| stockpile | fa4ed735-7006-4451-a578-b516f80e559f.yml | nslookup #{remote.host.ip} | Apache-2.0 |
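The DNSCat2 Sigma entry above rests on a volume heuristic: PowerShell spawning nslookup.exe hundreds of times in a short span. The script below, an added example that is not code from this page, from the Sigma project or from Microsoft, applies that heuristic to constructed Sysmon-style process-creation lines; the line layout, hostnames, window length and threshold are all assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed (constructed) line layout: "<ISO ts> host=<name> Image=<path> ParentImage=<path>".
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) Image=(?P<image>\S+) ParentImage=(?P<parent>\S+)$")

def parse(line):
    """Return a dict with a datetime 'ts', or None for lines that do not match the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def is_ps_spawned_nslookup(ev):
    """Mirror the Sigma selection: Image ends with \\nslookup.exe and the parent is powershell.exe."""
    return (ev["image"].lower().endswith("\\nslookup.exe")
            and ev["parent"].lower().endswith("\\powershell.exe"))

def nslookup_bursts(lines, window_seconds=300, threshold=50):
    """Return {host: peak count} for hosts on which PowerShell spawned more than `threshold`
    nslookup.exe processes inside any `window_seconds`-long span (both values are assumptions).
    Lines are assumed to be in chronological order per host."""
    window = timedelta(seconds=window_seconds)
    recent = {}   # host -> deque of timestamps still inside the window
    peaks = {}
    for line in lines:
        ev = parse(line)
        if ev is None or not is_ps_spawned_nslookup(ev):
            continue
        q = recent.setdefault(ev["host"], deque())
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # evict events that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peaks[ev["host"]] = max(peaks.get(ev["host"], 0), len(q))
    return peaks

def constructed_sample():
    """Constructed log: WS01 shows a DNSCat2-like burst (120 nslookup.exe from PowerShell in 2 minutes),
    WS02 a single admin lookup, WS03 an nslookup launched from cmd.exe (outside the rule's scope)."""
    ps = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    ns = "C:\\Windows\\SysWOW64\\nslookup.exe"
    base = datetime(2024, 5, 1, 10, 0, 0)
    fmt = lambda t, host, img, parent: f"{t:%Y-%m-%dT%H:%M:%SZ} host={host} Image={img} ParentImage={parent}"
    lines = [fmt(base, "WS02", ns, ps), fmt(base, "WS03", ns, "C:\\Windows\\System32\\cmd.exe")]
    lines += [fmt(base + timedelta(seconds=i), "WS01", ns, ps) for i in range(120)]
    return lines

if __name__ == "__main__":
    print(nslookup_bursts(constructed_sample()))   # {'WS01': 120}
```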

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


nslookup

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Displays information that you can use to diagnose Domain Name System (DNS) infrastructure. Before using this tool, you should be familiar with how DNS works. The nslookup command-line tool is available only if you have installed the TCP/IP protocol.

The nslookup command-line tool has two modes: interactive and non-interactive.

If you need to look up only a single piece of data, we recommend using the non-interactive mode. For the first parameter, type the name or IP address of the computer that you want to look up. For the second parameter, type the name or IP address of a DNS name server. If you omit the second argument, nslookup uses the default DNS name server.

If you need to look up more than one piece of data, you can use interactive mode. Type a hyphen (-) for the first parameter and the name or IP address of a DNS name server for the second parameter. If you omit both parameters, the tool uses the default DNS name server. While using the interactive mode, you can:

  • Interrupt interactive commands at any time, by pressing CTRL+B.

  • Exit, by typing exit.

  • Treat a built-in command as a computer name, by preceding it with the escape character (\). An unrecognized command is interpreted as a computer name.

Syntax

nslookup [exit | finger | help | ls | lserver | root | server | set | view] [options]

Parameters

| Parameter | Description |
|---|---|
| nslookup exit | Exits the nslookup command-line tool. |
| nslookup finger | Connects with the finger server on the current computer. |
| nslookup help | Displays a short summary of subcommands. |
| nslookup ls | Lists information for a DNS domain. |
| nslookup lserver | Changes the default server to the specified DNS domain. |
| nslookup root | Changes the default server to the server for the root of the DNS domain name space. |
| nslookup server | Changes the default server to the specified DNS domain. |
| nslookup set | Changes configuration settings that affect how lookups function. |
| nslookup set all | Prints the current values of the configuration settings. |
| nslookup set class | Changes the query class. The class specifies the protocol group of the information. |
| nslookup set d2 | Turns exhaustive Debugging mode on or off. All fields of every packet are printed. |
| nslookup set debug | Turns Debugging mode on or off. |
| nslookup set domain | Changes the default DNS domain name to the name specified. |
| nslookup set port | Changes the default TCP/UDP DNS name server port to the value specified. |
| nslookup set querytype | Changes the resource record type for the query. |
| nslookup set recurse | Tells the DNS name server to query other servers if it doesn’t have the information. |
| nslookup set retry | Sets the number of retries. |
| nslookup set root | Changes the name of the root server used for queries. |
| nslookup set search | Appends the DNS domain names in the DNS domain search list to the request until an answer is received. This applies when the set and the lookup request contain at least one period, but do not end with a trailing period. |
| nslookup set srchlist | Changes the default DNS domain name and search list. |
| nslookup set timeout | Changes the initial number of seconds to wait for a reply to a request. |
| nslookup set type | Changes the resource record type for the query. |
| nslookup set vc | Specifies to use or not use a virtual circuit when sending requests to the server. |
| nslookup view | Sorts and lists the output of the previous ls subcommand or commands. |

Remarks

  • If computerTofind is an IP address and the query is for an A or PTR resource record type, the name of the computer is returned.

  • If computerTofind is a name and doesn’t have a trailing period, the default DNS domain name is appended to the name. This behavior depends on the state of the following set subcommands: domain, srchlist, defname, and search.

  • If you type a hyphen (-) instead of computerTofind, the command prompt changes to nslookup interactive mode.

  • If the lookup request fails, the command-line tool provides an error message, including:

| Error message | Description |
|---|---|
| timed out | The server didn’t respond to a request after a certain amount of time and a certain number of retries. You can set the time-out period with the nslookup set timeout command. You can set the number of retries with the nslookup set retry command. |
| No response from server | No DNS name server is running on the server computer. |
| No records | The DNS name server doesn’t have resource records of the current query type for the computer, although the computer name is valid. The query type is specified with the nslookup set querytype command. |
| Nonexistent domain | The computer or DNS domain name doesn’t exist. |
| Connection refused or Network is unreachable | The connection to the DNS name server or finger server could not be made. This error commonly occurs with the ls and finger requests. |
| Server failure | The DNS name server found an internal inconsistency in its database and could not return a valid answer. |
| Refused | The DNS name server refused to service the request. |
| format error | The DNS name server found that the request packet was not in the proper format. It may indicate an error in nslookup. |


MIT License. Copyright (c) 2020-2021 Strontic.