(or How I survive behind a high security proxy server)
By Adespoton; Exclusively for Happle Magazine.
This article starts out pretty basic, and continues to grow more complex as you read through. If you are new to the hacking community, you'll probably want to start at the beginning. If you spend your weekends service scanning for open UDP ports and QPOP TCP ports, you'll probably want to skim (or ignore) the first bit, and go right to the end of the article. If you feel you've missed something, just scan back up a few paragraphs.
Here we go...
Every once in a while, you will end up on a Hotline site, IRC channel, ICQ discussion group, etc. and suddenly someone you don't know will say something like "So what's it like going to Georgia State University?" or "Oh, so you live in South Edmonton (Canada) too!"
How do they get this information about you?
There have been a few articles in past Happle and HackAddict magazines that cover this topic. If you haven't read them already, you should.
The long and short of it is that they have some way of tracing your IP (your computer's identifying address on the internet, 127.0.0.1 for instance :^). From there, they go through various services (namely Whois, Finger, and Traceroute for the big ones) to find out who owns the connection from your computer to the rest of the internet. --All this information is public, and anyone with the proper query tools has access to it.
I still remember one time I was lurking on a Hotline site, saw someone downloading some "questionable content," and since I had user info privileges, I was able to get his IP. Using AGNetTools, I did a whois lookup on him; his computer belonged to a University, and the actual computer was registered with ARIN, along with the guy's name, address, and telephone number!
Along these lines, the amount of information required for holding a domain name in europe is much more detailed than in North America. For some N. American sites, all you get is the registrant's name.
So now, on with the saga...
You've been playing around with WhoIs and Finger and the rest of the Network Toys family for a while through your dialup connection at home. However, let's say you are in a school lab, or are at work. Chances are, they've put up a firewall to keep people from taking over the server's ports and doing nasty things to the network. Unfortuneately, this also has the site effect that you can't use ping, whois, finger, traceroute, or any of the other tools. Or does it?
While the World Wide Web has its definite down sides, one up side is that most networks have outgoing web access. If they don't, it is usually fairly easy to obtain.
Now is where the fun begins.
Let's say you're at work. You're on a Hotline server where you have user lookup privs, and some jerk keeps annoying you with his whining about some serial number he wants, or how he's the best thing that's ever happened to this server or.... You get the idea.
You can still get his IP (no problems here). What do you do with it now?
The first thing I usually do is mosey on over to
http://www.arin.net/whois/arinwhois.html
This is whois database central, based out of ARIN -- the American Registry of Internet Names -- it is linked to APIC (the Asia/Pacific equivalent) as well as others. These guys provide a web form for all those people who can't do direct queries to their database! They're nice folks; don't kill their server.
Once there, you can enter their IP in the box provided (no domain names, like www.widgets.com; only 127.0.0.1 types please). Hit return, and presto! You've got a standard Whois reply.
For a slightly different flavour of lookup try the NSLookup site.
This is a British nameserver database; it does Domain Name and Reverse Domain Name lookup; it also has limited built in whois, and an IP validity checker.
http://www.nslookup.net/
This allows you to get the domain name that goes with the IP, and it also sometimes gives information about the owner that gets skipped in the ARIN results.
Although most servers don't supply the Finger service anymore, due to the security holes this service punches in your server, the following finger site may sometimes be useful for getting a bit of info:
http://www.finger.com/
If you would rather find someone's geographic location via traceroute (follow the links, and you find a path to their connection), try the Traceroute site.
This URL gives you a list of sites which will do a traceroute for you and send you the results.
http://www.traceroute.org/
The sweet thing about this site is that you can pick starting points all over the world for your traceroutes... pick a traceroute service in Eastern Canada, and one in California, and one in Florida, and you'll likely be able to triangulate fairly accurately on what the person's actual physical location is in the United States of America. Of course, for other parts of the world, pick other starting points for your traceroutes.
You want more info on someone?
I've found that the two best sources for getting personal information about someone are through the ICQ web site
http://www.mirabilis.com/people/
and the AOL Internet Messenger site
http://www.aol.com/community/chat/home.html
Isn't it interesting that both these services are now owned by the same megacorporation?
Using these resources, it is possible (especially if you're chatting with the victim, and so can slip little bits of information about them that hint that you know more) to find out your victim's name, phone number, address, etc.
I don't condone stalking, or theft, or any other illegal use of this information once you have it. However, it can be fun just to know that if they harass you, you've got their number.
There are many more information gathering services out there, but these are the ones I keep in my web toolkit; I find that for finding people, they're usually all I need.
----------
Part 2: for those who think that the above is lame, juvenile, or just a plain waste of good internet tools:
OK... so you think that Finding Out somebody is about as fun as having an interview with a rock.
The above tools, when mixed with others, have many other fun uses.
For instance... let's say you are looking for a wingate service that wouldn't mind you using them as a proxy, or you want to show M$ how horribly they write their server software...
The following query searches a pre compiled database of indexed sites to find the keyword "IIS" -- the Microsoft Internet Server; not only do such servers have vulnerabilities, but they quite often run a wingate.
After playing around with this service, you may find that other keywords bring up a list of servers that have the vulnrabilities that you are looking for. For instance, replacing IIS with NT4 will usually bring up a list of servers hosted on Windows NT 4. The possibilities are endless....
The beauty of this website, is that if you give them a new address, they will index it and do a thorough service scan of it for you. They will also add the site to their searchable database, so you can check back at any time, and see if it is still providing the services it was before, and if it has added new ones.
Submitting the following URL allows you to scan a port on a target URL:
After entering this in your web browser, the database will do constant check ups on the server at "target.address.here". Also, the above query will tell you whether port 23 is being used for any services. The cool thing about this query is that it doesn't just ping the port, it actually archives the text it receives from the port, and any other information you can find out about it.
That's about it for this article... if you'd like something explained in more depth in a future issue, let the Happle site know....
===
EXAMPLES
The following are real output from real queries to the above URLs:
---
Query Http://www.arin.net/whois for IP address "204.212.44.2"
US Sprint (NETBLK-SPRINT-BLKB2)
13221 Woodland Pk. Rd
Herndon, VA 22071
Netname: SPRINT-BLKB2
Netblock: 204.212.0.0 - 204.215.255.255
Maintainer: SPRN
Coordinator:
Sprintlink Internet Service Center (SPRINT-NOC-ARIN) NOC@SPRINT.NET
800-232-6895
Fax- - 703-478-5471
Domain System inverse mapping provided by:
NS1.SPRINTLINK.NET 204.117.214.10
NS2.SPRINTLINK.NET 199.2.252.10
NS3.SPRINTLINK.NET 204.97.212.10
Record last updated on 10-Sep-96.
Database last updated on 22-Feb-99 16:12:49 EDT.
---
Query Http://www.arin.net/whois for IP address "204.212"
(*
NOTE: this is a good way to find wingates... look for IP ranges that have each owner only owning 15 or less IP addresses... you've got small businesses who can't afford anything more expensive in the way of firewalls
*)
US Sprint (NETBLK-SPRINT-BLKB2) SPRINT-BLKB2 204.212.0.0 - 204.215.255.255
Stanford Global Link (NETBLK-SPRINT-CCD421-2) SPRINT-CCD421-2
