|
What's
new?
------------
Version 1.7 - added this what's new section and two new
appendixes (E and F).
Note: if you're having a hard time reading this page
because you have to scroll to the right whenever a long line
comes, it's probably because you're not using "word
wrapping".
Most UNIX text editors and advanced Windows editors (and
some less advanced ones like Wordpad) do this by themselves.
To do word wrapping on Microsoft Notepad, simply go to Edit
and then click on "Word wrapping".
Author's Notes
==============
Please do not read this tutorial before you read our
previous ones, since this one doesn't have a "Newbies
Corner" and newcomers might have some difficulties
understanding large parts of this tutorial.
If you have any comments or questions regarding this
tutorial (no flames or spam, please) Email me at:
barakirs@netvision.net.il.
Visit blacksun.box.sk for more tutorials, free
hacking/programming/unix books to download and much more.
Disclaimer
==========
We do not encourage any kinds of illegal activities. If you
believe that breaking the law is a good way to impress
someone, please stop reading now and grow up. There is
nothing impressive or cool in being a criminal.
Contents
========
Introduction
* Info Gathering?
* How legal is it?
* Some notes about privacy
Finger
* What is finger?
* How can I use it to find information about a
specific user?
* My ISP is running a finger daemon but I want
privacy! What should I do?
* What if I'm using Windows? Can I use finger?
Email
* What can I find out about a person using his
Email address?
* What information can I find out of these
headers of yours?
* I wanna learn more about Email. Where can I
find more information?
Unix Network Diagnosis Tools
* nslookup
* tracert
* whois
* dig
* Suppose I have Windows, how can I run these
things on my box?
Public Directories
* What kind of information can I find there?
* Where can I find these things?
* Help! My name is there! How do I remove it?
Password Files
* Password files are "world readable"?
* You mean I can get people's passwords out of
it?
* No? So what good are they without the
passwords?
IRC
* What can I find out about another user on IRC?
* How do I do it?
* Where can I learn more about IRC?
ICQ
* What can I find out about another user on ICQ?
* How do I do it?
* What about other instant messanging software?
Playing With Services
* How do I find out what services my target is
running?
* How can I get information about my target out
of these services?
Webstats
* What are webstats services?
* What kind of information can they reveal?
* How can I use them against my target?
Playing With Satellites
* WHAT?!
* How can I use these things to scare others
like hell?
Appendix A: nslookup tips
Appendix B: the +x mode
Appendix C: using shares to get computer name
Appendix D: www.anywho.com
Appendix E: more URLs
Appendix F: expn
Appendix G: Usenet
Introduction
------------
This tutorial will teach you how to acquire more
information regarding a specific person in completely legal
ways.
Why is
this legal?
Because we are going to use information that is publicly
available. It is publicly available because you have
software on your computer that often needs to access such
information for surfing, sending Email etc'. You can use
this information to find private information about a
specific person.
Also, some of the information is not necessary for your
computer, but it is still publicly available. Don't worry, I
will explain later.
During this tutorial I will show you how it is possible to
find somebody's:
1) Real first name.
2) Real last name.
3) Country.
4) Operating system.
5) Internet browser.
6) Screen resolution.
7) Username (at his/her ISP).
8) ISP.
9) IP address.
10) Hostname.
11) Phone number.
12) Home address.
13) Various services running on your target's machine (plus
what's their version).
Note: To learn more about privacy and how to increase your
privacy, refer to our anonymity tutorial at blacksun.box.sk.
Note 2: Please read our previous tutorials first.
Otherwise, you might not understand some of the terminology.
Finger
------
Finger is a service that runs on port 79 and allows you to
find information about users on the server that runs it.
Here, let me explain. A while ago my ISP, Netvision, had a
finger daemon running on their port 79. It was publicly
available, meaning that everyone was able to connect to port
79 on netvision.net.il (Netvision's server). All you had to
do is to connect to that port, type in a username and hit
enter. Or, you could simply type 'finger
username@netvision.net.il' (without the quotes) on a Unix
system and get the exact same results.
Anyway, this finger daemon was giving away private and
often sensitive information, such as who this account
belongs to (first and last name of the owner), whether this
user is online or not (very useful. If someone puts you on
invisible in ICQ, you could simply finger him and therefore
tell whether he is online or not), when did he go online (or
when was the last time he went online) and for how long,
whether the user has new mail (and how many mail messages
are waiting for him) and the user's home directory on
Netvision's server.
Some finger daemons will go even further and tell you the
user's phone number and home address. Ouchie...
Anyway, I called Netvision, yelled at them for a while and
they decided to remove that little finger daemon of theirs.
So anyway, in case you're interested, here is how finger
daemons work.
Every user on a Unix system has a home directory. This
directory stores his private configurations files and
suchlikes. When finger is given a username, it looks at the
password file (see the 'Password Files' chapter), finds the
user's home directory and looks for two files in this
directory - '.project' and '.plan' (without the quotes). The
.project file contains private information about this user,
There are programs out there that will generate such a file
for every user on the system and let you decide what
information you want to include in it. Anyway, the second
file, .plan, contains information written by the user.
Back on Netvision's finger server, I was able to telnet
into netvision.net.il on port 23, access a menu shell,
choose option number 3 and change my .plan file, but I
wasn't able to delete or fake the information in my .project
file. Most admins won't let the users on their system tamper
with the .project file so it won't include any fake
information or won't get "accidentally deleted".
Well, these are the basics of finger. For more information,
I suggest trying to set up a finger daemon on a Unix box and
playing around with it. If you don't want people to start
snoofing around after you and the rest of the users on your
machine, I suggest putting the finger daemon on a very high
and unstandard port (such as 63982), so it won't be detected
on a portscan (unless it's a very, very, very long
portscan).
Note: on Windows, finger can be done by either:
(a) Telneting to port 79 on the server that hosts the user
of your choice and typing in the username.
(b) Getting a Unix shell account and using the finger
command.
(c) Downloading SamSpade from samspade.org.
Email
-----
Yes, Email. Emails aren't that simple, you know. There are
tons of information just waiting to be discovered.
You know these things you see on the top of Email messages?
Sender, recipient, date, etc' etc' etc'. This is called a
header. But this is not the entire header! This is just a
partial header, or what most Email clients call "a normal
header". Almost every Email client will let you view the
full header, which contains a lot of valuable information
about the sender. For more information, read the Sendmail
tutorial. It will teach you what Sendmail is, how it works,
how Email works and how to gather valuable information from
a full header.
Unix
Network Diagnosis Tools
----------------------------
nslookup - as you should know by now, hostnames and domains
(domain is the shortest hostname possible -
something.org/net/com/etc') and actually aliases to IP
addresses, so people won't have to remember the IP address
of the server that hosts their favorite website. Instead,
you would simply need to remember the hostname.
Anyway, these hostnames are stored on DNSs, or NSs. DNS is
a short for Domain Name Server, and NS is a short for Name
Server. These are actually two different words for the exact
same thing.
Anyway, the Unix command nslookup looks up the IP addresses
of hostnames or the hostnames of IP addresses. Now, if you
have someone's IP address, this means you can find his
hostname, right? So what good is a hostname anyway?
When I am connected to the Internet, my hostname is usually
something like this: RAS54-79.hfa.netvision.net.il. It tells
us that I am connected through extension number RAS54-79
(this information is no use to us, so you may disregard it),
my ISP is Netvision and I live in Israel (the .il extension
stands for Israel. For more country extensions, head to
blacksun.box.sk and checkout the acros.txt file on the
projects page) in the city Haifa (hfa is a short for Haifa).
nslookup can do much much more than this. For more
information, type 'man nslookup' (no quotes) to get to
nslookup's man (manual) page. Also check out Appendix A:
nslookup tips.
tracert - tracert stands for traceroute. This Unix command
will show you what route your packets will have to go
through until they will reach the given IP address /
hostname.
How this works: every packet has a value in it that is
called TTL. TTL stands for Time To Live. This value is
decreased every time a packet goes through a router. When
the TTL hits zero, the packet is discarded and an ICMP error
is sent back to the sender of the packet, telling him what
happened and that he should resend the packet with a higher
TTL (the recommended TTL these days is 64). This is done in
order to prevent packets from getting lost and looping
across the Internet.
Now, what tracert does is quite simple - first, it sends a
packet to the given IP or hostname with TTL=1. The packet
takes one step and then dies. The first router informs us
what happened. Since the error packet, like every other
packet, contains the IP of the sender (the first router, in
this case), we know who he is. Next, a packet with TTL=2 is
sent. The second router returns it and tells us what
happened, so we know who the second router is.
Every time the TTL is increased by one, until the packet
finally reaches it's destination. Meanwhile, tracert builds
a list of routers that passed this packet along.
Tracert is quite useful, since it can tell you a lot about
a given IP or a given hostname. For example, if you entered
an IP that does not have a hostname, you could traceroute it
instead and see who's the ISP of that IP (the last routers
in the list should belong to this IP's ISP). You could also
use it to find out who's the ISP of large websites in the
same way.
For more information, type 'man tracert' (without the
quotes) on a Unix system.
whois - whois works like this: first, you put in a domain
name. Then, whois checks InterNIC's (the nice guys that
register domains in exchange for 70$ in cash, cheque or
credit) database.
You see, whenever you register a domain you have to enter a
lot of information. Whois can extract this information out
of InterNIC's database.
So why is this useful? If you know what is the ISP of your
target, you can find out a lot of information about it, such
as where it is located, etc'. Normally, users of that ISP
would live somewhere nearby, or at least in the same state.
Besides, sometimes ISPs will have a country extension,
say... .net, but will actually be in, say... Israel. So on
normal conditions the extension would be .net.il, but there
are exceptions. Whois can find out where this ISP (or any
other given server with a domain name) is really located at.
dig - dig finds tons and tons of information about a given
IP address or a given hostname. Since this program is very
complex, we will not discuss it at the moment. Please refer
to dig's man page for further information.
What
if I'm running Windows, you ask?
Well, my friend, your answer is at www.samspade.org. On
SamSpade's website you can send commands to their server
using javascript text boxes, or you could download a program
called SamSpade and do it yourself. They also have a good
texts library, so take a look at it.
Public
Directories
------------------
Yes, it's true. Most ISPs sell private information about
their users to "web directories" such as whowhere.com.
Simply head off to whowhere.com and play around with it. If
you find more "web directories", tell me about them (my
Email address is
barakirs@netvision.net.il).
In case you find your name there, you will see an option to
remove it. It is recommended that you will do so.
Password Files
--------------
On Unix systems, there are usually two kinds of password
files.
The first one is located at /etc/passwd. It is
world-readable (everyone can read this file) and it is
called the "shadowed" password file. It contains everything
besides the passwords. The passwords (encrypted) are in
/etc/shadow and only root has read and write access to it
(or other users, if root decides to let them read it).
Why do everyone need access to the password file, you ask?
I'll explain.
The password file has seven fields. Each field is seperated
by a :, so it looks like this:
field1:field2:field3:field4:field5:field6:field7
Now, field1 contains the username. Field2 contains the
encrypted password. Field3 contains some free text about the
user. Field4 contains the user's UID (User ID. If the user's
UID is zero he has root priviledges. Two users with the same
UID have identical priviledges). Field5 contains the user's
GID (Group ID. Same as UID, only you can give priviledges to
a large group of users in a single command. GID zero is
root). Field6 contains the user's home directory (where his
personal configurations files are stored). Field7 contains
the user's shell (a program that is executed once the user
logs in. Usually a command interpreter, which is a program
that accepts commands from you and executes them).
Now, everyone needs read access to the shadowed file for
certain reasons. For example: each file has an owner. The
owner of the file can change access patterns (priviledges)
to himself or to other users for that file using the command
chmod xxx (the first x is for your priviledges, the second
is for priviledges for your group and the third is for the
rest of the outside world. 1 is read, 2 is write, 4 is
execute. If you want read, write and execute for yourself,
read only for your group and nothing for the rest of the
world, type chmod 710 filename. read+write+execute=1+2+4=7,
read=1, nothing=0. Got it?). He can also use the owner of
the file using the command chown filename new-owner.
Anyway, the owner's UID is embedded into the file. If you
actually want to know the owner's name, you will need to
look at the password file and find out who owns this UID.
Get it?
So anyway, the shadowed password file needs to be read by
everyone for various purposes. So why is this interesting?
Because of the free text field (field3).
Some admins insert the user's real name, telephone number,
home address and other information about him in this field,
so it might be very very useful if you want to find
information about this user.
IRC
---
Normally (unless you're spoofing your IP address or your
hostname or something like this), everyone on IRC who knows
your nickname are able to find your IP. This means they can
find your hostname as well. This means they can find out in
which country (maybe even which city) you live, what is your
ISP, information about your ISP etc' etc'.
Use the command /whois nickname to find this person's IP or
hostname. If you're IRCing through a raw session (see IRC
Warfare tutorial), type whois nickname instead.
Also, the command /finger may be quite useful in some
cases, but it is possible to fake the returned information
as well, so don't count on it.
ICQ
---
On ICQ, it is quite simple to find a person's IP if he's
hiding it. There are two ways: the easy way and the cool
way.
The easy way: go to come.to/isoaq, download a crack for
your ICQ version and you will see everyone's IP address in
their info (this is for Windows. If you're using a Unix ICQ
clone, you'll probably won't need a crack, 'cause it'll
reveal IPs anyway. If not, go for try "the cool way").
The cool way: open a terminal window or another terminal
(in Unix) or a DOS window (in Windows. The easiest way is to
simply click start==>run and then type 'command' (without
the quotes). To change the size of the window, hit
alt+enter) and type netstat -a. This will display all
connections and all listening ports.
Then, send a message (or another event, such as a url) to
your target. Do netstat -a again (after the event is sent).
You will see a new connection which will probably be in
"established" mode. In the same line, you will be able to
see your target's IP address.
So what's so cool about this way? Well, it could impress
your friends, in case you wanna show them a hack but you
don't want to use a simple crack (you wanna do this "the
elite way").
"The cool way" also seems to work on other instant
messangers. There should also be cracks for them.
Playing With Services
---------------------
If your target is running some services, such as Telnet,
FTP, Sendmail, IRC etc' on it's computer, you could simply
telnet into them and you will get a daemon banner.
What's
a daemon banner, you ask?
Well, companies that produce daemons want to tell the world
how great and widespread they are, so they put a little ad
about themselves when you connect to them. This is called a
daemon banner. Here are some examples for daemon banners:
Welcome to 11.22.33.44, running RedHat 6.0 (Hedwig)
login:
password:
220 alpha.someone.com ESMTP Sendmail 8.9.3/8.8.6; Thu, 8
Jul 1999 21:46:04 +0000 (GMT).
Well, you get the point. Anyway, these daemon banners will
tell you what kinds of services your target is running, what
OS and a little more... if you havn't noticed, the second
daemon banner, which happens to be a Sendmail daemon, tells
you what's the time on your target's machine. Why is this so
interesting? 'Cause it reveals the target's longitude! This
should only be used to verify that the target is really on
the country you thought it is on, but don't count on it. The
timezone may be set wrong, the time may be set wrong etc'.
Anyway, if you want to find out the time on your target's
machine, there's another way to do it. There is a service
called daytime that waits for incoming connections on port
13. The problem is that it doesn't exist on every computer
in the world, and again, the time may be set wrong, so don't
count on it.
Webstats
--------
Webstats services are services that allow you to learn more
about the people that come to your website. They can tell
you where they come from, their IP/hostname, lots of info
about their computer (OS, screen resolution and color
palette, Internet browser etc') and much more.
Search the net for free webstats services, put up a page
somewhere, insert the webstats tracker into it (full
instructions on doing this should be available on the
webstats's website) and then ask someone to enter this page.
The webstats tracker will immediately collect all this
information about his computer and store it for later
retrieval.
GENERATOR Tags
--------------
If you know your way around HTML, you probably know what
HTML tags are. Anyway, some people don't just write HTML by
themselves, they use an HTML editor to do the dirty work for
them.
Most HTML editors will leave a meta tag somewhere on top of
the page with information about the HTML editor that was
used, and sometimes the OS of the user.
If you know of a page that your target has written, try
viewing it's source and looking for GENERATOR tags.
Note: sometimes you won't even need to have the OS included
in the GENERATOR. For example: if the user is using
FrontPage, he's probably using some version of Windows.
Playing With Satellites
-----------------------
Well, this one is kinda stupid, but whatever...
There are websites that allow you to capture satellite
photos of places in the world. If you find someone really
stupid, you could find his country and his city and then
grab a satellite picture of his city and tell him that you
hacked a satellite a long while ago and you're using it to
home into his computer's signals or something. Some people
will actually believe this crap.
You can grab satellite photos at
http://terraserver.microsoft.com/default.asp. Simply click
on the appropriate area in the world map.
If you don't know where the country and city of your target
is located, consult map.com's search or weather.com's
weather maps. Also, cnn.com's weather maps may be useful as
well. Once you find a map of the target's location, return
to the TerraServer (the satellite page) and grab a photo of
this area.
Appendix A: nslookup tips
-------------------------
Here is a text file about nslookup I dug up somewhere.
Happy reading.
[nslookup]
Nslookup is a great little tool for making DNS queries that
comes with NT, Linux, etc. The easiest way to use nslookup
is in non- interactive mode. This means that you submit a
request at the command line, and you get a response back
with no other input. For example, from the command prompt,
type:
$nslookup foobar.edu
Server: localhost
Address: 127.0.0.1
Name: foobar.edu
Address: 289.13.266.37
The Server and Address response you see above will vary
depending upon your operating system, and how it's set up.
But you can see that this is a quick and easy way to look up
the IP address of a host given the name...we have performed
a query for the "A" resource record. We can do a "reverse
lookup" by entering the IP address at the command prompt,
rather than the host name:
$nslookup 289.13.266.37
Server: localhost
Address: 127.0.0.1
Name: www.foobar.edu
Address: 289.13.266.37
Wait a minute! What's this "www.foobar.edu" stuff? Well,
what we've found is an alias for the host "foobar.edu". A
single host can have multiple host names that all point to
the same IP address.
The other way to play with nslookup is to enter interactive
mode by typing "nslookup" (with no arguments) at the command
prompt, and then hitting <Enter>. You will get a prompt back
that looks
like:
>
>From here you can enter commands. For example, type:
>foobar.edu
Wow! We get the same information back as we did for the
non- interactive mode query. To look up specific resource
records for the foobar.edu domain, all we need to do is tell
nslookup which RR type we want:
>set type=<RR>
where <RR> refers to the resource record type, as we saw
listed above (A, PTR, MX, CNAME, etc). This way you can look
up just those records you are interested in. Note: If you
enter "ANY" in place of "<RR>", you will be doing a lookup
in the domain for all resource records...mail exchangers
(email servers), name servers, etc.
Now, let's try one more little trick. This involves listing
hosts within the domain we are interested in...it doesn't
mean _all_ of the hosts, though. We already know the names
and IP addresses of the nameservers that point to
foobar.edu, so start nslookup in interactive mode. Then
change the nameserver used to resolve queries to the
nameserver that points to the
foobar.edu domain:
$nslookup
Once you're in interactive mode, change the default
nameserver that is used to resolve your queries to a
nameserver that points to the foobar.edu domain...this
information was retrieved using the whois query above:
>server 287.128.192.4
Now we want to list the hosts in the domain that have
records available, so
type:
>ls foobar.edu
You will see something similar to:
[ns01.nameserver.org]
foobar.edu. server = ns.nameserver.org
foobar.edu. server = ns2.nameserver.org
foobar.edu. server = ns3.nameserver.org
foobar.edu. 289.13.266.37
ftp 289.13.266.37
smtp 289.13.266.37
www 289.13.266.37
In the real world (vice the "example" world) you will
likely get a lot more hosts back than this...in fact, you
may get upwards to 500 or more hosts! However, what this
tells us is that the host "foobar.edu" has the same IP
address as the hosts listed as "ftp", "smtp", and "www".
This means that these are services aliased to the
host...performing a lookup on "ftp.foobar.edu" or trying to
connect to "ftp.foobar.edu" will point or connect you to the
host "foobar.edu".
If you do list the hosts in the domain, you may want to use
redirection to save this information in a file, so that you
can read over it:
>ls foobar.edu > foobar.txt
Appendix B: the +x mode
-----------------------
In IRC, it is possible to put yourself into mode x by
typing '/mode yournick +x' (do not include the quotes and
replace yournick with your own nick. For example: /mode
raven +x).
This tells the IRC server to hide your IP, so when others
try to /whois you or /dns you, they won't be able to get
your IP (they will get a partial IP instead).
This will only work on some servers, but when you're on
IRC, it is recommended to use this option.
Also, there is a way to bypass this. By simply creating a
DCC connection with someone else (either a DCC chat or a DCC
file transfer), you could then type 'netstat' (without the
quotes) on either Unix or Windows/DOS and see what
connections your computer is currently handling. One of them
will be the DCC connection to that other guy.
Why is that? Because DCC stands for Direct Client
Communication, which means that DCC actions are not done
through the server, but directly (think - why would the
owners of the IRC server want people to transfer files
through their servers and initiate private chats through
their servers? It'll just chew up some bandwidth). The
netstat command shows all current connections (local or
remote), and one of them will be your DCC connection with
that other guy. You will then be able to see his/her IP or
hostname.
Appendix C: using shares to get a computer name
-----------------------------------------------
Here is an interesting Email I received. It is quite
self-explanatory.
Subject: The Info-Gathering Tutorial
Date: Thu, 18 Nov 1999 20:06:29 +0000
From: Juan Baldovi Ortells <baldovi@nexo.es>
To: barakirs@netvision.net.il
-----BEGIN PGP SIGNED MESSAGE-----
Hi, I've just read your tutorial about info gathering and I
think you can and another cool way or getting some info
(mostly about windozers).
This is effective againts people on irc because you have to
know the ip of the victim. The method consists in using smb
querys so you can get the computer name and group name of
the computers victim, a lot of people put their names as the
computer name. You can really scare people this way.
>From windows:
nbtstat -A ip_addr
>From linux:
I've found three programs beside the one that comes with
samba
tellme
nmbname
These only get the computer name and don't work always
The other one, and the best one is ADM-smb from "the ADM
crew" it works all
times and gets you additional info.
Well, thats my suggestion, thanks for the tut.
--
+---[ Juan Baldovi ]----------------------------[
baldovi@nexo.es ]---+
| "Theory means you have ideas; ideology means ideas have
you" |
| -unknown anarchist- |
+------------------------[ PGP Key avaliable
]------------------------+
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: Q010MNYn8RZijeGPq+TawVFwEZbK6+lM
iQA/AwUBODRch+AwCAt0++N3EQI46wCgwNX88M2cVlG1ogyR33XoH/PMEewAnR1s
SaugG6m+sfFBJjEy4zdbhCOd
=QhxE
-----END PGP SIGNATURE-----
Appendix D: www.anywho.com
--------------------------
If your target lives within the U.S., you can try to look
it up at www.anywho.com. You'll be amazed to see how much
cool information you can find there. Thanks to Dogman for
this tip. :-)
Appendix E: more URLs
---------------------
http://www.worldpages.com - pretty much like whowhere.com
and anywho.com.
http://www.wdia.com/lycos/voter-records.htm - determine
someone's status as a registered voter and his political
affiltrations (US residents only).
http://www.tray.com/fecinfo/zip.htm - determine which
candidates someone supports and how much he contributed from
federal election records (US residents only).
http://kadima.com - get someone's social security number
and date of birth (US residents only).
Appendix F: expn
----------------
In some versions of Sendmail (see the Sendmail tutorial),
you can log in to a Sendmail server that runs from the
target's ISP's network, and type the following command:
expn email-address@host.com
It will expand this username into lots of valuable pieces
of information by looking at the password file.
Appendix G: Usenet
------------------
If your target uses Usenet (a network of "news servers",
which are pretty much like a message board) often, a good
idea would be to go to www.deja.com and run a search for
their Email address (all posts that include this address).
That way, you can locate posts made by your target or posts
by other people that refer to your target.
You won't believe the amount of information you can uncover
from a person's posts to Usenet.
Credits:
written by R a v e N (blacksun.box.sk)
version 1.8, 5/2/2000 |