What's new?
------------
Version 1.7 - added this what's new section and two new appendixes
(E and F).
Note: if you're having a hard time reading this page because you
have to scroll to the right whenever a long line comes, it's probably
because you're not using "word wrapping".
Most UNIX text editors and advanced Windows editors (and some less
advanced ones like Wordpad) do this by themselves.
To do word wrapping on Microsoft Notepad, simply go to Edit and
then click on "Word wrapping".
Author's Notes
==============
Please do not read this tutorial before you read our previous ones,
since this one doesn't have a "Newbies Corner" and newcomers
might have some difficulties understanding large parts of this tutorial.
If you have any comments or questions regarding this tutorial (no
flames or spam, please) Email me at barakirs@netvision.net.il.
Visit blacksun.box.sk for more tutorials, free hacking/programming/unix
books to download and much more.
Disclaimer
==========
We do not encourage any kinds of illegal activities. If you believe
that breaking the law is a good way to impress someone, please stop
reading now and grow up. There is nothing impressive or cool in
being a criminal.
Contents
========
Introduction
* Info Gathering?
* How legal is it?
* Some notes about privacy
Finger
* What is finger?
* How can I use it to find information about a specific user?
* My ISP is running a finger daemon but I want privacy! What should I do?
* What if I'm using Windows? Can I use finger?
Email
* What can I find out about a person using his Email address?
* What information can I find out of these headers of yours?
* I wanna learn more about Email. Where can I find more information?
Unix Network Diagnosis Tools
* nslookup
* tracert
* whois
* dig
* Suppose I have Windows, how can I run these things on my box?
Public Directories
* What kind of information can I find there?
* Where can I find these things?
* Help! My name is there! How do I remove it?
Password Files
* Password files are "world readable"?
* You mean I can get people's passwords out of it?
* No? So what good are they without the passwords?
IRC
* What can I find out about another user on IRC?
* How do I do it?
* Where can I learn more about IRC?
ICQ
* What can I find out about another user on ICQ?
* How do I do it?
* What about other instant messaging software?
Playing With Services
* How do I find out what services my target is running?
* How can I get information about my target out of these services?
Webstats
* What are webstats services?
* What kind of information can they reveal?
* How can I use them against my target?
GENERATOR Tags
Playing With Satellites
* WHAT?!
* How can I use these things to scare others like hell?
Appendix A: nslookup tips
Appendix B: the +x mode
Appendix C: using shares to get computer name
Appendix D: www.anywho.com
Appendix E: more URLs
Appendix F: expn
Appendix G: Usenet
Introduction
------------
This tutorial will teach you how to acquire more information regarding
a specific person in completely legal ways.
Why is this legal?
Because we are going to use information that is publicly available.
It is publicly available because the software on your computer often
needs to access such information for surfing, sending Email etc.
You can use this same information to find private details about
a specific person.
Also, some of the information is not necessary for your computer,
but it is still publicly available. Don't worry, I will explain
later.
During this tutorial I will show you how it is possible to find
somebody's:
1) Real first name.
2) Real last name.
3) Country.
4) Operating system.
5) Internet browser.
6) Screen resolution.
7) Username (at his/her ISP).
8) ISP.
9) IP address.
10) Hostname.
11) Phone number.
12) Home address.
13) Various services running on your target's machine (and their
versions).
Note: To learn more about privacy and how to increase your privacy,
refer to our anonymity tutorial at blacksun.box.sk.
Note 2: Please read our previous tutorials first. Otherwise, you
might not understand some of the terminology.
Finger
------
Finger is a service that runs on port 79 and allows you to find
information about users on the server that runs it.
Here, let me explain. A while ago my ISP, Netvision, had a finger
daemon running on their port 79. It was publicly available, meaning
that everyone was able to connect to port 79 on netvision.net.il
(Netvision's server). All you had to do was connect to that port,
type in a username and hit enter. Or, you could simply type 'finger
username@netvision.net.il' (without the quotes) on a Unix system
and get the exact same results.
Anyway, this finger daemon was giving away private and often sensitive
information: who the account belongs to (the owner's first and last
name), whether the user is online or not (very useful: if someone
puts you on invisible in ICQ, you could simply finger him and tell
whether he is online), when he went online (or when he was last
online) and for how long, whether the user has new mail (and how many
messages are waiting for him) and the user's home directory on
Netvision's server.
Some finger daemons will go even further and tell you the user's
phone number and home address. Ouchie...
Anyway, I called Netvision, yelled at them for a while and they
decided to remove that little finger daemon of theirs.
So anyway, in case you're interested, here is how finger daemons
work.
Every user on a Unix system has a home directory. This directory
stores his private configurations files and suchlikes. When finger
is given a username, it looks at the password file (see the 'Password
Files' chapter), finds the user's home directory and looks for two
files in this directory - '.project' and '.plan' (without the quotes).
The .project file contains private information about this user.
There are programs out there that will generate such a file for
every user on the system and let you decide what information you
want to include in it. Anyway, the second file, .plan, contains
information written by the user.
Back on Netvision's finger server, I was able to telnet into netvision.net.il
on port 23, access a menu shell, choose option number 3 and change
my .plan file, but I wasn't able to delete or fake the information
in my .project file. Most admins won't let the users on their system
tamper with the .project file so it won't include any fake information
or won't get "accidentally deleted".
Well, these are the basics of finger. For more information, I suggest
setting up a finger daemon on a Unix box and playing around
with it. If you don't want people to start snooping around after
you and the rest of the users on your machine, I suggest putting
the finger daemon on a very high and non-standard port (such as 63982),
so it won't be detected on a portscan (unless it's a very, very,
very long portscan).
Note: on Windows, finger can be done by either:
(a) Telnetting to port 79 on the server that hosts the user of your
choice and typing in the username.
(b) Getting a Unix shell account and using the finger command.
(c) Downloading SamSpade from samspade.org.
Email
-----
Yes, Email. Emails aren't that simple, you know. There is a ton
of information just waiting to be discovered.
You know these things you see at the top of Email messages? Sender,
recipient, date, etc. This is called a header. But this
is not the entire header! This is just a partial header, or what
most Email clients call "a normal header". Almost every
Email client will let you view the full header, which contains a
lot of valuable information about the sender. For more information,
read the Sendmail tutorial. It will teach you what Sendmail is,
how it works, how Email works and how to gather valuable information
from a full header.
Unix Network Diagnosis Tools
----------------------------
nslookup - as you should know by now, hostnames and domains (a domain
is the shortest hostname possible - something.org/net/com/etc.)
are actually aliases to IP addresses, so people won't have to remember
the IP address of the server that hosts their favorite website.
Instead, you simply need to remember the hostname.
Anyway, these hostnames are stored on DNSs, or NSs. DNS is short
for Domain Name Server, and NS is short for Name Server. These
are actually two different names for the exact same thing.
Anyway, the Unix command nslookup looks up the IP addresses of hostnames
or the hostnames of IP addresses. Now, if you have someone's IP
address, this means you can find his hostname, right? So what good
is a hostname anyway?
When I am connected to the Internet, my hostname is usually something
like this: RAS54-79.hfa.netvision.net.il. It tells us that I am
connected through extension number RAS54-79 (this information is of
no use to us, so you may disregard it), my ISP is Netvision and
I live in Israel (the .il extension stands for Israel. For more
country extensions, head to blacksun.box.sk and check out the acros.txt
file on the projects page) in the city of Haifa (hfa is short for
Haifa).
nslookup can do much, much more than this. For more information,
type 'man nslookup' (no quotes) to get to nslookup's man (manual)
page. Also check out Appendix A: nslookup tips.
tracert - tracert stands for traceroute. This Unix command will
show you what route your packets have to go through until they
reach the given IP address / hostname.
How this works: every packet has a value in it that is called TTL.
TTL stands for Time To Live. This value is decreased every time
a packet goes through a router. When the TTL hits zero, the packet
is discarded and an ICMP error is sent back to the sender of the
packet, telling him what happened and that he should resend the
packet with a higher TTL (the recommended TTL these days is 64).
This is done in order to prevent packets from getting lost and looping
across the Internet.
Now, what tracert does is quite simple - first, it sends a packet
to the given IP or hostname with TTL=1. The packet takes one step
and then dies. The first router informs us what happened. Since
the error packet, like every other packet, contains the IP of its
sender (the first router, in this case), we know who he is. Next,
a packet with TTL=2 is sent. The second router does the same and tells
us what happened, so we know who the second router is.
Each time, the TTL is increased by one, until the packet finally
reaches its destination. Meanwhile, tracert builds a list of the routers
that passed this packet along.
Tracert is quite useful, since it can tell you a lot about a given
IP or a given hostname. For example, if you entered an IP that does
not have a hostname, you could traceroute it instead and see who
the ISP of that IP is (the last routers in the list should belong to
this IP's ISP). You could also use it to find out who the ISP
of a large website is in the same way.
For more information, type 'man tracert' (without the quotes) on
a Unix system.
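As an added illustration of the TTL mechanism just described (this is not part of the original tutorial), here is a small Python model: the router addresses, the path and the destination are constructed, and return values stand in for the ICMP messages a real network would send.

```python
# Added example, not from the original tutorial: a toy model of the TTL
# mechanism traceroute relies on. The router addresses, the path and the
# destination are constructed; return values stand in for the ICMP
# messages a real network would send.

from typing import List, Tuple

# Constructed path: the routers a packet crosses, in order, before the destination.
PATH = ["10.0.0.1", "192.0.2.1", "198.51.100.7", "203.0.113.9"]
DESTINATION = "203.0.113.40"

TIME_EXCEEDED = "time-exceeded"  # ICMP Time Exceeded from the router that zeroed the TTL
REACHED = "reached"              # the destination itself answered


def forward(ttl: int, path: List[str], destination: str) -> Tuple[str, str]:
    """Push one packet with the given TTL along the path.

    Every router decrements the TTL. The router that takes it to zero
    discards the packet and reports back under its own address, which is
    how the sender learns that router's IP.
    """
    if ttl < 1:
        raise ValueError("TTL must be at least 1")
    for router in path:
        ttl -= 1
        if ttl == 0:
            return router, TIME_EXCEEDED
    return destination, REACHED


def traceroute(destination: str, path: List[str], max_hops: int = 64) -> List[str]:
    """Rebuild the route hop by hop: TTL=1 exposes the first router,
    TTL=2 the second, and so on, until the destination itself answers.

    max_hops bounds the probing; without it a route that never terminates
    (the looping case TTL exists to prevent) would keep us sending forever.
    """
    hops: List[str] = []
    for ttl in range(1, max_hops + 1):
        responder, status = forward(ttl, path, destination)
        hops.append(responder)
        if status == REACHED:
            return hops
    raise RuntimeError(f"no answer from {destination} within {max_hops} hops")


if __name__ == "__main__":
    for n, hop in enumerate(traceroute(DESTINATION, PATH), 1):
        print(f"{n:2d}  {hop}")
```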
whois - whois works like this: first, you put in a domain name.
Then, whois checks InterNIC's database (InterNIC being the nice guys
that register domains in exchange for $70 in cash, cheque or credit).
You see, whenever you register a domain you have to enter a lot
of information. Whois can extract this information out of InterNIC's
database.
So why is this useful? If you know what the ISP of your target is,
you can find out a lot of information about it, such as where it
is located, etc. Normally, users of that ISP would live somewhere
nearby, or at least in the same state. Besides, sometimes ISPs will
have a country extension, say... .net, but will actually be in,
say... Israel. Under normal conditions the extension would be .net.il,
but there are exceptions. Whois can find out where this ISP (or
any other given server with a domain name) is really located.
dig - dig finds tons and tons of information about a given IP address
or a given hostname. Since this program is very complex, we will
not discuss it at the moment. Please refer to dig's man page for
further information.
What if I'm running Windows, you ask?
Well, my friend, your answer is at www.samspade.org. On SamSpade's
website you can send commands to their server using javascript text
boxes, or you could download a program called SamSpade and do it
yourself. They also have a good texts library, so take a look at
it.
Public Directories
------------------
Yes, it's true. Most ISPs sell private information about their users
to "web directories" such as whowhere.com.
Simply head off to whowhere.com and play around with it. If you
find more "web directories", tell me about them (my Email
address is barakirs@netvision.net.il).
In case you find your name there, you will see an option to remove
it. It is recommended that you do so.
Password Files
--------------
On Unix systems, there are usually two kinds of password files.
The first one is located at /etc/passwd. It is world-readable (everyone
can read this file) and it is called the "shadowed" password
file. It contains everything besides the passwords. The passwords
(encrypted) are in /etc/shadow and only root has read and write
access to it (or other users, if root decides to let them read it).
Why does everyone need access to the password file, you ask? I'll
explain.
The password file has seven fields. Each field is separated by a
colon (:), so it looks like this:
field1:field2:field3:field4:field5:field6:field7
Now, field1 contains the username. Field2 contains the encrypted
password. Field3 contains some free text about the user. Field4
contains the user's UID (User ID. If the user's UID is zero he has
root privileges. Two users with the same UID have identical privileges).
Field5 contains the user's GID (Group ID. Same as UID, only you
can give privileges to a large group of users in a single command.
GID zero is root). Field6 contains the user's home directory (where
his personal configuration files are stored). Field7 contains the
user's shell (a program that is executed once the user logs in.
Usually a command interpreter, which is a program that accepts commands
from you and executes them).
Now, everyone needs read access to the shadowed file for certain
reasons. For example: each file has an owner. The owner of the file
can change access permissions (privileges) to himself or to other
users for that file using the command chmod xxx (the first x is
for your privileges, the second is for privileges for your group
and the third is for the rest of the outside world. 1 is read, 2
is write, 4 is execute. If you want read, write and execute for
yourself, read only for your group and nothing for the rest of the
world, type chmod 710 filename. read+write+execute=1+2+4=7, read=1,
nothing=0. Got it?). He can also change the owner of the file using
the command chown filename new-owner.
Anyway, the owner's UID is embedded into the file. If you actually
want to know the owner's name, you will need to look at the password
file and find out who owns this UID. Get it?
So anyway, the shadowed password file needs to be readable by everyone
for various purposes. So why is this interesting? Because of the
free-text field (field3).
Some admins insert the user's real name, telephone number, home
address and other information about him in this field, so it might
be very, very useful if you want to find information about this user.
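The following Python example is an addition to this tutorial, not part of the original. It parses the seven colon-separated fields, performs the home-directory lookup that a finger daemon (see the Finger chapter) does before reading .plan and .project, and audits the free-text field for details an admin may not want world-readable. It assumes the field order of real /etc/passwd files (username, password, UID, GID, free text, home directory, shell); the sample file content is constructed.

```python
# Added example, not from the original tutorial. It parses the seven
# colon-separated fields of a password file, performs the home-directory
# lookup a finger daemon does before reading ~/.plan and ~/.project, and
# audits the free-text field for details that become world-readable.
# Assumes the standard field order of real /etc/passwd files:
# username:password:UID:GID:free text:home:shell. SAMPLE_PASSWD is constructed.

import re
from typing import Dict, List, NamedTuple, Optional


class PasswdEntry(NamedTuple):
    username: str
    password: str   # "x" when the hash has been moved to /etc/shadow
    uid: int
    gid: int
    gecos: str      # free-text field: real name, room, phone numbers ...
    home: str
    shell: str


# Constructed sample; "toor" is a second UID-0 account, "alice" has a chatty free-text field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,Room 12,555-0100,555-0199:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/sh
toor:x:0:0:backup admin:/root:/bin/bash
"""

PHONE_RE = re.compile(r"\b\d{3}[-. ]?\d{4}\b")   # crude local-number pattern, for the audit only


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each non-empty, non-comment line into exactly seven fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        user, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(user, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def finger_lookup(entries: List[PasswdEntry], username: str) -> Optional[Dict[str, str]]:
    """What a finger daemon does first: find the user's record, take the
    real name from the free-text field and the home directory, then read
    ~/.plan and ~/.project. With no filesystem here, the paths are returned."""
    for e in entries:
        if e.username == username:
            return {"real_name": e.gecos.split(",")[0],
                    "plan": f"{e.home}/.plan",
                    "project": f"{e.home}/.project"}
    return None


def audit(entries: List[PasswdEntry]) -> List[str]:
    """Flag what an admin should review before the file is readable by all:
    extra UID-0 accounts (same privileges as root) and free-text fields that
    carry more than a name (extra comma-separated items or phone numbers)."""
    findings = []
    for e in entries:
        if e.uid == 0 and e.username != "root":
            findings.append(f"{e.username}: UID 0 (same privileges as root)")
    for e in entries:
        extra = [p for p in e.gecos.split(",")[1:] if p.strip()]
        if extra or PHONE_RE.search(e.gecos):
            findings.append(f"{e.username}: free-text field exposes {e.gecos!r}")
    return findings


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    print(finger_lookup(users, "alice"))
    for finding in audit(users):
        print(finding)
```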
IRC
---
Normally (unless you're spoofing your IP address or your hostname
or something like this), everyone on IRC who knows your nickname
is able to find your IP. This means they can find your hostname
as well. This means they can find out in which country (maybe even
which city) you live, what your ISP is, information about your ISP
etc.
Use the command /whois nickname to find this person's IP or hostname.
If you're IRCing through a raw session (see the IRC Warfare tutorial),
type whois nickname instead.
Also, the command /finger may be quite useful in some cases, but
it is possible to fake the returned information as well, so don't
count on it.
ICQ
---
On ICQ, it is quite simple to find a person's IP if he's hiding
it. There are two ways: the easy way and the cool way.
The easy way: go to come.to/isoaq, download a crack for your ICQ
version and you will see everyone's IP address in their info (this
is for Windows. If you're using a Unix ICQ clone, you probably
won't need a crack, 'cause it'll reveal IPs anyway. If not, try
"the cool way").
The cool way: open a terminal window or another terminal (in Unix)
or a DOS window (in Windows. The easiest way is to simply click
start==>run and then type 'command' (without the quotes). To
change the size of the window, hit alt+enter) and type netstat -a.
This will display all connections and all listening ports.
Then, send a message (or another event, such as a url) to your target.
Do netstat -a again (after the event is sent). You will see a new
connection which will probably be in "established" mode.
In the same line, you will be able to see your target's IP address.
So what's so cool about this way? Well, it could impress your friends,
in case you wanna show them a hack but you don't want to use a simple
crack (you wanna do this "the elite way").
"The cool way" also seems to work on other instant messengers.
There should also be cracks for them.
Playing With Services
---------------------
If your target is running some services, such as Telnet, FTP, Sendmail,
IRC etc. on its computer, you could simply telnet into them and
you will get a daemon banner.
What's a daemon banner, you ask?
Well, companies that produce daemons want to tell the world how
great and widespread they are, so they put a little ad about themselves
when you connect to them. This is called a daemon banner. Here are
some examples for daemon banners:
Welcome to 11.22.33.44, running RedHat 6.0 (Hedwig)
login:
password:
220 alpha.someone.com ESMTP Sendmail 8.9.3/8.8.6; Thu, 8 Jul 1999 21:46:04 +0000 (GMT)
Well, you get the point. Anyway, these daemon banners will tell
you what kinds of services your target is running, what OS and a
little more... if you haven't noticed, the second daemon banner,
which happens to be a Sendmail daemon, tells you what the time is
on your target's machine. Why is this so interesting? 'Cause it
reveals the target's longitude! This should only be used to verify
that the target is really in the country you thought it is in, but
don't count on it. The timezone may be set wrong, the time may be
set wrong etc.
Anyway, if you want to find out the time on your target's machine,
there's another way to do it. There is a service called daytime
that waits for incoming connections on port 13. The problem is that
it doesn't exist on every computer in the world, and again, the
time may be set wrong, so don't count on it.
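As an added example (not from the original tutorial), here is a Python parser that pulls the software version and the local time / UTC offset out of an SMTP greeting like the Sendmail banner above, which is also a handy way to check what your own mail server announces to every client. The first sample banner is the one quoted above; the second is constructed.

```python
# Added example, not from the original tutorial: pulls the software version
# and the server's local time and UTC offset out of an SMTP greeting banner
# like the Sendmail one shown above. The first sample is that banner; the
# second is constructed. Useful for checking what your own MTA announces.

import re
from datetime import timedelta
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# "220 <host> [E]SMTP <software>; <RFC 822 date>" is the classic Sendmail greeting layout.
BANNER_RE = re.compile(
    r"^220[ -](?P<host>\S+)\s+(?P<proto>E?SMTP)\s+(?P<software>.+?);\s*(?P<date>.+?)\s*$"
)

SAMPLE_BANNERS = [
    "220 alpha.someone.com ESMTP Sendmail 8.9.3/8.8.6; Thu, 8 Jul 1999 21:46:04 +0000 (GMT)",
    "220 mail.example.net ESMTP Sendmail 8.9.3/8.9.3; Thu, 8 Jul 1999 23:46:04 +0200 (IST)",  # constructed
]


def parse_banner(line: str) -> Optional[Dict[str, object]]:
    """Return host, software and clock details from a greeting, or None if the
    line is not a 220 greeting in the expected layout."""
    m = BANNER_RE.match(line.strip())
    if m is None:
        return None
    info: Dict[str, object] = {"host": m["host"], "software": m["software"],
                               "local_time": None, "utc_offset_hours": None}
    try:
        local_time = parsedate_to_datetime(m["date"])
    except (TypeError, ValueError):      # unparseable date: keep the rest
        return info
    offset = local_time.utcoffset() or timedelta(0)   # naive datetime -> treat as UTC
    info["local_time"] = local_time
    info["utc_offset_hours"] = offset.total_seconds() / 3600
    return info


def disclosures(line: str) -> List[str]:
    """Describe what the banner hands to anyone who connects: the exact MTA
    version, and the host's clock and time zone."""
    info = parse_banner(line)
    if info is None:
        return []
    out = [f"software version: {info['software']}"]
    if info["local_time"] is not None:
        out.append(f"clock: {info['local_time'].isoformat()} "
                   f"(UTC{info['utc_offset_hours']:+.0f})")
    return out


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner)
        for item in disclosures(banner):
            print("   ", item)
```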
Webstats
--------
Webstats services are services that allow you to learn more about
the people that come to your website. They can tell you where they
come from, their IP/hostname, lots of info about their computer
(OS, screen resolution and color palette, Internet browser etc')
and much more.
Search the net for free webstats services, put up a page somewhere,
insert the webstats tracker into it (full instructions on doing
this should be available on the webstats service's website) and then ask
someone to visit this page. The webstats tracker will immediately
collect all this information about his computer and store it for
later retrieval.
GENERATOR Tags
--------------
If you know your way around HTML, you probably know what HTML tags
are. Anyway, some people don't just write HTML by themselves, they
use an HTML editor to do the dirty work for them.
Most HTML editors will leave a meta tag somewhere on top of the
page with information about the HTML editor that was used, and sometimes
the OS of the user.
If you know of a page that your target has written, try viewing
its source and looking for GENERATOR tags.
Note: sometimes you won't even need to have the OS included in the
GENERATOR. For example: if the user is using FrontPage, he's probably
using some version of Windows.
Playing With Satellites
-----------------------
Well, this one is kinda stupid, but whatever...
There are websites that allow you to capture satellite photos of
places in the world. If you find someone really stupid, you could
find his country and his city and then grab a satellite picture
of his city and tell him that you hacked a satellite a long while
ago and you're using it to home in on his computer's signals or something.
Some people will actually believe this crap.
You can grab satellite photos at http://terraserver.microsoft.com/default.asp.
Simply click on the appropriate area in the world map.
If you don't know where the country and city of your target is located,
consult map.com's search or weather.com's weather maps. Also, cnn.com's
weather maps may be useful as well. Once you find a map of the target's
location, return to the TerraServer (the satellite page) and grab
a photo of this area.
Appendix A: nslookup tips
-------------------------
Here is a text file about nslookup I dug up somewhere. Happy reading.
[nslookup]
Nslookup is a great little tool for making DNS queries that comes
with NT, Linux, etc. The easiest way to use nslookup is in non-
interactive mode. This means that you submit a request at the command
line, and you get a response back with no other input. For example,
from the command prompt, type:
$nslookup foobar.edu
Server: localhost
Address: 127.0.0.1
Name: foobar.edu
Address: 289.13.266.37
The Server and Address response you see above will vary depending
upon your operating system, and how it's set up. But you can see
that this is a quick and easy way to look up the IP address of a
host given the name...we have performed a query for the "A"
resource record. We can do a "reverse lookup" by entering
the IP address at the command prompt, rather than the host name:
$nslookup 289.13.266.37
Server: localhost
Address: 127.0.0.1
Name: www.foobar.edu
Address: 289.13.266.37
Wait a minute! What's this "www.foobar.edu" stuff? Well,
what we've found is an alias for the host "foobar.edu".
A single host can have multiple host names that all point to the
same IP address.
The other way to play with nslookup is to enter interactive mode
by typing "nslookup" (with no arguments) at the command
prompt, and then hitting <Enter>. You will get a prompt back
that looks like:
>
From here you can enter commands. For example, type:
>foobar.edu
Wow! We get the same information back as we did for the non-interactive
mode query. To look up specific resource records for the foobar.edu
domain, all we need to do is tell nslookup which RR type we want:
>set type=<RR>
where <RR> refers to the resource record type, as we saw
listed above (A, PTR, MX, CNAME, etc). This way you can look up
just those records you are interested in. Note: If you enter "ANY"
in place of "<RR>", you will be doing a lookup in
the domain for all resource records...mail exchangers (email servers),
name servers, etc.
Now, let's try one more little trick. This involves listing hosts
within the domain we are interested in...it doesn't mean _all_ of
the hosts, though. We already know the names and IP addresses of
the nameservers that point to foobar.edu, so start nslookup in interactive
mode. Then change the nameserver used to resolve queries to the
nameserver that points to the foobar.edu domain:
$nslookup
Once you're in interactive mode, change the default nameserver
that is used to resolve your queries to a nameserver that points
to the foobar.edu domain...this information was retrieved using
the whois query above:
>server 287.128.192.4
Now we want to list the hosts in the domain that have records available,
so type:
>ls foobar.edu
You will see something similar to:
[ns01.nameserver.org]
foobar.edu. server = ns.nameserver.org
foobar.edu. server = ns2.nameserver.org
foobar.edu. server = ns3.nameserver.org
foobar.edu. 289.13.266.37
ftp 289.13.266.37
smtp 289.13.266.37
www 289.13.266.37
In the real world (vice the "example" world) you will
likely get a lot more hosts back than this...in fact, you may get
upwards of 500 or more hosts! However, what this tells us is that
the host "foobar.edu" has the same IP address as the hosts
listed as "ftp", "smtp", and "www".
This means that these are services aliased to the host...performing
a lookup on "ftp.foobar.edu" or trying to connect to "ftp.foobar.edu"
will point or connect you to the host "foobar.edu".
If you do list the hosts in the domain, you may want to use redirection
to save this information in a file, so that you can read over it:
>ls foobar.edu > foobar.txt
Appendix B: the +x mode
-----------------------
In IRC, it is possible to put yourself into mode x by typing '/mode
yournick +x' (do not include the quotes and replace yournick with
your own nick. For example: /mode raven +x).
This tells the IRC server to hide your IP, so when others try to
/whois you or /dns you, they won't be able to get your IP (they
will get a partial IP instead).
This will only work on some servers, but when you're on IRC, it
is recommended to use this option.
Also, there is a way to bypass this. By simply creating a DCC connection
with someone else (either a DCC chat or a DCC file transfer), you
could then type 'netstat' (without the quotes) on either Unix or
Windows/DOS and see what connections your computer is currently
handling. One of them will be the DCC connection to that other guy.
Why is that? Because DCC stands for Direct Client Communication,
which means that DCC actions are not done through the server, but
directly (think - why would the owners of the IRC server want people
to transfer files through their servers and initiate private chats
through their servers? It'll just chew up some bandwidth). The netstat
command shows all current connections (local or remote), and one
of them will be your DCC connection with that other guy. You will
then be able to see his/her IP or hostname.
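An added Python example, not part of the original tutorial, that automates the netstat comparison used in the ICQ chapter and in this appendix: it diffs two netstat snapshots and reports which peers your client is now talking to directly rather than through the server, which is exactly what the other side can learn about you. The two snapshots are constructed in the Windows netstat -a layout; the parser also accepts the Linux layout.

```python
# Added example, not from the original tutorial: diffs two netstat
# snapshots to show which peers a client talks to directly (a DCC or
# ICQ session that bypasses the server), which is also what the other
# side can see about you. The snapshots below are constructed in the
# Windows "netstat -a" layout; the parser also accepts the Linux layout.

from typing import List, Set, Tuple

Connection = Tuple[str, str, str, str]   # (proto, local, remote, state)

# Constructed snapshot taken before sending the message / starting the DCC.
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1039       198.51.100.10:5190     ESTABLISHED
  UDP    192.168.1.5:4000       *:*
"""

# Constructed snapshot taken afterwards: one new direct connection appeared.
AFTER = BEFORE + "  TCP    192.168.1.5:1054       203.0.113.77:1027      ESTABLISHED\n"


def parse_netstat(text: str) -> Set[Connection]:
    """Pick the TCP/UDP lines out of netstat output. The first two tokens
    containing ':' are the local and foreign endpoints; a trailing
    all-letters token (ESTABLISHED, LISTENING, TIME_WAIT ...) is the state."""
    conns: Set[Connection] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].lower().startswith(("tcp", "udp")):
            continue
        endpoints = [p for p in parts[1:] if ":" in p]
        if len(endpoints) < 2:
            continue
        last = parts[-1]
        state = last.upper() if last.replace("_", "").isalpha() else ""
        conns.add((parts[0][:3].upper(), endpoints[0], endpoints[1], state))
    return conns


def new_peers(before: str, after: str) -> List[str]:
    """Remote endpoints that are ESTABLISHED in the second snapshot but
    were absent from the first: the direct peer the new event created."""
    fresh = parse_netstat(after) - parse_netstat(before)
    return sorted(remote for _proto, _local, remote, state in fresh
                  if state == "ESTABLISHED")


if __name__ == "__main__":
    for peer in new_peers(BEFORE, AFTER):
        print("new direct connection to", peer)
```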
Appendix C: using shares to get a computer name
-----------------------------------------------
Here is an interesting Email I received. It is quite self-explanatory.
Subject: The Info-Gathering Tutorial
Date: Thu, 18 Nov 1999 20:06:29 +0000
From: Juan Baldovi Ortells <baldovi@nexo.es>
To: barakirs@netvision.net.il
Hi, I've just read your tutorial about info gathering and I think
you can add another cool way of getting some info (mostly about
windozers).
This is effective against people on irc because you have to know
the ip of the victim. The method consists in using smb queries so
you can get the computer name and group name of the victim's computer;
a lot of people put their names as the computer name. You can really
scare people this way.
From windows:
nbtstat -A ip_addr
From linux:
I've found three programs beside the one that comes with samba
tellme
nmbname
These only get the computer name and don't always work.
The other one, and the best one, is ADM-smb from "the ADM crew";
it works all the time and gets you additional info.
Well, that's my suggestion, thanks for the tut.
--
+---[ Juan Baldovi ]----------------------------[ baldovi@nexo.es ]---+
| "Theory means you have ideas; ideology means ideas have you"        |
|                                              -unknown anarchist-    |
+------------------------[ PGP Key available ]------------------------+
Appendix D: www.anywho.com
--------------------------
If your target lives within the U.S., you can try to look it up
at www.anywho.com. You'll be amazed to see how much cool information
you can find there. Thanks to Dogman for this tip. :-)
Appendix E: more URLs
---------------------
http://www.worldpages.com - pretty much like whowhere.com and anywho.com.
http://www.wdia.com/lycos/voter-records.htm - determine someone's
status as a registered voter and his political affiliations (US
residents only).
http://www.tray.com/fecinfo/zip.htm - determine which candidates
someone supports and how much he contributed from federal election
records (US residents only).
http://kadima.com - get someone's social security number and date
of birth (US residents only).
Appendix F: expn
----------------
In some versions of Sendmail (see the Sendmail tutorial), you can
log in to a Sendmail server that runs from the target's ISP's network,
and type the following command:
expn email-address@host.com
It will expand this username into lots of valuable pieces of information
by looking at the password file.
Appendix G: Usenet
------------------
If your target uses Usenet (a network of "news servers",
which are pretty much like a message board) often, a good idea would
be to go to www.deja.com and run a search for their Email address
(all posts that include this address). That way, you can locate
posts made by your target or posts by other people that refer to
your target.
You won't believe the amount of information you can uncover from
a person's posts to Usenet.