
                                        /-----------------------------\
                                        | Xine - issue #2 - Phile 018 |
                                        \-----------------------------/


b0z0/iKx presents.....

   ------------------------------------------------------------------
   | Gaining information about a site (an account) from the outside |
   ------------------------------------------------------------------
 Of course before we start to crack or even attack an internet host we
must first of all know at least some basic things about it: which
operating system does that system use, who is logged there, which services
are avaiable from there, which is the rule of that host in its network and
so on and so on...
 In this article i'll try to explain how to get as much informations on a
host (and in some cases on a specific account) from the outside using both
very simple and also present programs up to a little more advanced and
more interesting scanning.

/\/\/\
finger
\/\/\/
Finger is a very simple program that allows you to get many interesting
informations. Infact with finger you can see who is currently logged on an
internet server. 

ikx:~$ finger @coolhost.org
[coolhost.org]
Login    Name        Tty  Idle  Login Time   Office     OfficePhone
root     root         2    2d  Nov 26 16:17
bozo     da b0z0      p2   1   Nov 28 16:19 (shit.coolhost.o)

As you see we now know who is currently logged on coolhost.org, on which
tty the user is logged, if he is working or he just forgot to logout, when
he logged in and from where. Obvisiously it seems that the supervisor
forgot to logout, because there wasn't any keypress in two days.
 But finger offers you more. With finger we can take more informations
also a specific account. If we are going to crack a password or hack a
site it may be adeguate to use an account that is sometime used or the
others may notice us.

ikx:~$ finger bozo@coolhost.org
[coolhost.org]
Login: bozo                             Name: b0z0
Directory: /home/b0z0                   Shell: /bin/ash
Last login Thu Nov 28 16:19 (MET) on ttyp2 from shit.coolhost.org
Mail last read Thu Nov 28 16:31 1996 (MET)
No Plan.

So we now know many interesting things about that account. Infact it is
also interesting to see where the user home is located and which shell
does it use and if the user has logged in recently. This may be very
interesting also with some general more important account such as root.
 On the other side anyone can install a better finger (such as the
cfingerd) or, in a more fast way, directly disable the finger daemon. So
we must now look for something else....

/\/\
host
\/\/
host is a very powerfull program, that gives you a lot of informations
about an internet host. 

ikx:~$ host shitty
shitty.coolhost.org is a nickname for shit.coolhost.org
shit.coolhost.org has address 202.123.26.2

So we now know a little more about the host. It's IP and a nickame. But of
course host isn't just this. Infact with host we can get many other
interesting stuff like the mail excanger for that host, the operating
system that it runs (this isn't really true. I am now talking about the
"HINFO" which is basically a description of the server, generally set to
the operating system and/or platform that the server uses), the
authoritative name server, who is responsable for the server and so on.
To get all the possible informations with host we can use the "-a" switch.
For more infos look at host(1) and named(8).

ikx:~$ host -a shitty
Trying domain "coolhost.org"
rcode = 0 (Success), ancount=1
shitty.coolhost.org   60480 IN    CNAME  shit.coolhost.org
shit.coolhost.org     60480 IN    HINFO  VAX-11/780 VMS
For authoritative answers, see:
coolhost.org          60480 IN    NS     master.coolhost.org
Additional information:
master.coolhost.org   60480 IN    A      202.123.26.1
Trying null domain
rcode = 0 (Success), ancount=1
shit.coolhost.org     60480 IN    A      202.123.26.2
For authoritative answers, see:
coolhost.org          60480 IN    NS     master.coolhost.org
Additional information:
master.coolhost.org   60480 IN    A      202.123.26.1


Nice. As you can see we got (again) the canonical name of the server and
we also now know that it runs on a VAX machine using VMS. It will be of
help when we will search for old known holes.
For a complete list of possible platform and operating system names (there
is a convention for the names that can be used as the HINFO that is
generally respected) give a look at the RFC 1700 (Assigned Numbers).

/\/\/\/\
nslookup
\/\/\/\/
With nslookup you can get basically get all the informations that you can
get with host and finger at the same time. It is an interactive program.
Well (watch out, the commands i'll type are preceeded by the ">"):

ikx:~$ nslookup
Default Server:  master.coolhost.org
Address:  202.123.26.1

> shitty

Server:  master.coolhost.org
Address:  202.123.26.1

Name:    shit.coolhost.org
Address:  202.123.26.2
Aliases:  shitty.coolhost.org

> finger

[shit.coolhost.org]
Login    Name     Tty  Idle  Login Time   Office     Office Phone
bozo     b0z0      4   1:02  Nov 28 16:19

> set querytype=HINFO
> shitty

Server:  master.coolhost.org
Address:  202.123.26.1

shitty.coolhost.org     canonical name = shit.coolhost.org
shit.coolhost.org       CPU = VAX-11/780      OS = VMS
coolhost.org            nameserver = master.coolhost.org
master.coolhost.org  internet address = 202.123.26.1

> exit

ikx:~$ 

As you may see we got all the information that we may also get with the
other services i described above. But the cool thing of nslookup is that
you can also examine an entire domain. 

> ls coolhost.org
[master.coolhost.org]
 coolhost.org.                  server = master.coolhost.org
 dalamah                        202.123.26.3
 master                         202.123.26.1
 shit                           202.123.26.2
 otherone                       202.123.26.22
 localhost                      127.0.0.1

And using the various switches you can obtain the various informations
(such as HINFO for example) for all the other hosts in the network. For
example to get the OS and platform (of course where avaiable) of the
various servers just do a "ls -h %host%".
 As for many other services also here some things may be limitated.
Expecially the domain examination part is usually restricted.

/\/\/\/\
dnsquery
\/\/\/\/
Another useful tool to comunicate to the name server is dnsquery. This is
a better tool that may replace nslookup and such. Basically with this you
can get the same (well DNS requests don't change with the client, hehe :)
) data as with traceroute. So no examples for this, just read the manpage
and you will find that there are some more features.

/\/
dig
\/\
As with for example nslookup also with dig you can do domain name queryes
to name servers. Read the manuals and get the right switches :) You can do
quite interesting things, for example a zone transfer (this is getting a
lot of infos of the enitre network) if it wasn't disabled. Definitely a
really cool utility, don't forget about this one :))

/\/\/\/\/\
traceroute
\/\/\/\/\/
traceroute is a program that displays you the route that a packet must do
to a host on the network. This may be very useful to obtain informations
on how the packet you send (or the victim sends) go throught the net, so
you can plan where you may modify or inject some packet for him or for
example where you can alteratively break his connection. On the
other side you may just also try to understand who is his ISP or which is
the gateway in his net. So very useful for sniffing, packet injecting or
also denial of service attacks. Let's see:

ikx:~$ traceroute warz.tradz.net

traceroute to warz.tradz.net (193.4.1.13), 30 hops max, 40 byte packets

1  pk-who-6.iam.dk (123.45.101.66)  469.262 ms  256.949 ms  329.12 ms
2  pk-who-3.iam.dk (123.45.101.32)  769.212 ms  546.742 ms  539.42 ms
3  pk-who-1.iam.dk (123.45.101.1)  742.262 ms  956.299 ms  1239.98 ms
4  pk-main-1.danger.net (154.123.4.32)  801.148 ms  1039.42 ms  950.054 ms
5  cool.danger.net (114.23.0.17)  1129.75 ms  954.136 ms  1560.16 ms
6  lamahs.com (204.41.23.12)  1280.69 ms  914.573 ms  1379.91 ms
7  warz.tradz.net (193.4.1.13)  1594.3 ms  1648.09 ms 1234.3ms

Want an example of traceroute use? You got it: denial of service attack.
The most classic, UDP war. You know that the host we would like to attack
has UDP services active. Of course you must also get another host that
will "fight" with him. So instead of chosing one on the other side of the
world, examine the traceroute output and choose the closer :) (UDP war in
the local network may be really funny, yea :-)) )

/\/\/\/
rpcinfo
\/\/\/\
rpcinfo is a program that makes an rpc call to an rpc server and reports
what it finds. Basically this is useful to see if services like nfs are
running on the host.

ikx:~$ rpcinfo -p coolhost.org
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    664  mountd
    100005    1   tcp    666  mountd

Or for example you can directly check if a RPC service is avaiable (using
UDP or TCP). For example to see if the NFS daemon is running on the
machine:

ikx:~$ rpcinfo -u coolhost.org nfs
program 100003 version 2 ready and waiting

/\/\/\/\/
showmount
\/\/\/\/\
showmount is a program that displays which parts of the filesystem can be
exported and from where.

ikx:~$ showmount -e shit
Export list for shit:
/cdrom          *.coolhost.org
/files/warez    otherone.coolhost.org

So of course you may have to read (or even also write) to some part of his
filesystem.

/\/\/\
rusers
\/\/\/ 
rusers is another program that can be useful to see who is currently
logged on the machine. To see who is currently online just

ikx:~$ rusers -l coolhost.org
hurd     coolhost.org:ttyp0 Nov 28 16:17      :05 (shit.coolhost.or)
root     coolhost.org:ttyp3 Nov 28 16:26      :03 (shit.coolhost.or)

As you may see the output is very similiar to the finger one. Anyway
generally, as far as i saw around various servers, there aren't many (to
be sincere there are just a few) servers that run the rusers daemon, so
generally you will just get a:

rusers: RPC: Program not registered

/\/\
ping
\/\/
it might sound stupid but also ping can became of use when observing a
host. Infact it may be useful to see the speed of the host, if a host even
replyes or something like, but in a very fast way.

ikx:~$ ping coolhost.org
PING master.coolhost.org (202.123.26.1): 56 data bytes
64 bytes from 202.123.26.1: icmp_seq=0 ttl=64 time=2.1 ms
64 bytes from 202.123.26.1: icmp_seq=1 ttl=64 time=1.7 ms
64 bytes from 202.123.26.1: icmp_seq=2 ttl=64 time=1.7 ms

--- master.coolhost.org ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.7/1.8/2.1 ms

/\/\/\/\/
using ftp
\/\/\/\/\
Also FTP can be used to get some interesting information about the site
that you would like to examine. With the command "syst" infact you can get
the operating system that is running on their machine. 

ikx:~$ ftp coolhost.org
Connected to master.coolhost.org
220 master FTP server server (Version 5.60) ready
Name (master:gurgo): --> ftp
331 Guest login ok, send ident as password.
Password: --> cool@mail.org
230 Guest login ok, access restrictions apply.
ftp> --> syst
215 UNIX Type: L8
ftp> 

Well, it doesn't tell you a lot of things. It is a UNIX like operating
system (again look at RFC 1700 for used names) and every byte is composed
by 8 bits (this is the mean of L8). Well, some ftpds will give you some
more infos. For example on a FreeBSD machine i can get:

215 UNIX Type: L8 Version: BSD 199306

/\/\/\/\/\/\/\/\/\/\
IP adresses scanning
\/\/\/\/\/\/\/\/\/\/
Since usually name servers doesn't allow zone transfers (this is to get
the entire list of machines in the net using for example "ls xxxx.yyy"
with nslookup) you may not be able to know about all the machines are in a
network. Of course it may be very usefull to know about all (or at least
many) of the servers in the netowrk.
So we will now practise IP scanning, this is very simply and it is
basically just a trivial scanning of all the IPs of a network or of a part
of it. As for example you want to know more about the 123.123.123.*
computers. You may manually ping or try in some way to look for each one,
but you may more likely get a IP scanner (one in included in this zine)
that will do the work for you.
The scanner included in this zine will basically try to determinate if a
host is there by sending a ping and, if requested, by doing a name server
look up.
Let's see a sample:

ikx:~$ ipscan -H 123.123.123.1 -e 5 -z 1

IPScan - by b0z0/iKx
Looking for 123.123.123.1 ..... Seems reachable
1.123.123.123.in-addr.arpa PTR first.onetwothree.com

Looking for 123.123.123.2 ..... Seems unreachable
2.123.123.123.in-addr.arpa PTR second.onetwothree.com

Looking for 123.123.123.3 ..... Seems unreachable
3.123.123.123.in-addr.arpa PTR third.onetwothree.com

Looking for 123.123.123.4 ..... Seems unreachable
Host not found.

Looking for 123.123.123.5 ..... Seems reachable
5.123.123.123.in-addr.arpa PTR fifth.onetwothree.com

As you may see .1 and .5 seems to be reachable, so we suppose they are
up and running. We also see that .2 and .3 seem to be configured in the
network, but currently down or something.

/\/\/\/\/\/\/\/\/
TCP port scanning
\/\/\/\/\/\/\/\/\
TCP port scanning is one of the most classic and also most useful parts
when gaining informations about a site. Infact with TCP port scanning i
intend the act to try to look at all (well, generally only to a part of
them) of the TCP ports of a server to see if a service is running on it.
For example the smtp is usually running at port 25. Of course it would be
very nice to see if the site that we would like to examine has that
service activated and/or what is the response on that port (we may would
like to see which version of Sendmail is running there for example). Of
course you are not going to scan every port manually doing a telnet.
Generally such called "TCP Port scanners" are used. There are many
scanners of this type around, one if for example the TUPoSca that is also
included with this zine. Let's try to see which services are active on a
host. In this case we may not scan all the ports, but for example we will 
start from port 19 (which is chargen) up to 25 (smtp):

ikx:~$ tuposca -H pirolo.coolhost.org -l 19 -h 25

TUPoSca v0.1b - by b0z0/iKx


Looking if server seems reachable....
Well, it seems that it is reachable
Service chargen at port 19 present!
Service Unknown at port 20 not present!
Service ftp at port 21 present!
Service ssh at port 22 not present!
Service telnet at port 23 present!
Service Unknown at port 24 not present!
Service smtp at port 25 not present!

As you may see the host has for example activated chargen, ftp and telnet,
but it doens't have smtp running. So for example you can already forgot
all the attacks that may be possible by using some weakness of Sendmail.
Well, the host has ftp active. But this isn't really enought for us.
Infact we may also need to know which version of ftp is running. Maybe a
buggy ftp may be of help for us. By the way we may also see which system
is running there, so:

ikx:~$ tuposca -H pirolo.coolhost.org -l 21 -h 21 -o 1 -s 'SYST'

[snip]
Service ftp at port 21 present!
220 pirolo FTP server (Version wu-2.4(1) Tue Aug 8 15:50:43 CDT 1995)
ready.
215 UNIX Type: L8
[snip]

Nice. So we now know that is in a UNIX based (not a lot of interesting
info from this :-( ) and that it is running wuftpd 2.4(1). It is cool to
know that a buggy ftp daemon is installed.
As for the ftp you may also want to log the replyes of all the other
active services (expecially for those that you have already a bug report).
From all this data then you may have to see for weakness or for probable
tipical (as encountered usually on systems or as founded on
distribuitions) misconfiguration errors. 
But pay attention! When you use a TCP scanner (or at least most of TCP
scanners works in this way) the target host will of course log that
someone has logged into it. So if you are going to scan massively a host
the sysadm may notice a lot of consequential logins (on various ports of
course) from your host. There are also some utilityes that checks for this
scans automatically (one of these is for example Courtney). They basically
checks the number of connections (on one, all, or also on a set of TCP
ports) in a determinate interval of time. If more than X (say for example
10 or 15) connections have been done in a very small amount of time (1
minute would be a good example) then the program will hypotize that a scan
is being done (well, it will be very probable, because not very
frequently a normal user connects to 10-15 different ports at once).
Don't try to get all the information in a small amount of time. Place a
small pause between each connection or better scan a few ports at a day.

\/\/\/\/\/\/\/\/\
UDP port scanning
/\/\/\/\/\/\/\/\/
Some services also listen/work on UDP ports. There aren't many of them,
but some may result quite interesting. With the difference from TCP, UDP
is connectionless, so you can't just try to connect at an UDP port to see
if it is active. To check if it is you must try to send a packet and see
if you get an error from the host (to be more precise if no service is
active on a certain UDP port you will get an ICMP of the Destination
Unreachable[Port] type). Some UDP services like for example chargen (port
19) will also give a response to you. On the other side some services like
for example the talk (port 517) will need an appropriately composed
packet or it will seem that nothing is on there. UDP ports aren't usually
used for cracking a site but are rather used in denial of service
attacks. Infact a host that isn't configured fine can be very vulnerable
to denial of service attacks. An UDP war (this mean a continuous sending
of packet from an UDP port to another UDP war) between two hosts may
drastically lower the two hosts performance.
Please take note of some very hot servics based on udp. First of all the
Internet name service. This means that name resolution is easly subverted.
Another class of UDP based services are those built on RCP. The most
useful (and those that may be a good target also) are NFS and NIS.

/\/\/\/\/\/\/\
using sendmail
\/\/\/\/\/\/\/
When searching for some information on an account also sendmail may be of
a little use. Infact we can see who belongs to an Login ID and where the
mail for that user is really sent. (the "-->" are what i typed)

ikx:~$ telnet coolhost.org 25
Trying 202.123.26.1...
Connected to master.coolhost.org.
Escape character is '^]'.
220-master.coolhost.org Sendmail 8.6.12/8.6.12 ready at Thu, 28 Nov 1996
18:26:51 +0100
220 ESMTP spoken here
---> VERB
---> VRFY b0z0
050 /etc/aliases: 8 aliases, longest 4 bytes, 100 bytes total
250 <b0z0@master.coolhost.org>
---> EXPN b0z0
050 /etc/aliases: 8 aliases, longest 4 bytes, 100 bytes total
250 Lt. Joe Doe Boe BoZo <bozo@master.coolhost.org>
---> EXPN forwy
050 /etc/aliases: 8 aliases, longest 4 bytes, 100 bytes total
050 forwy... aliased to someone
250 <someone@master.coolhost.org>

Of course these options can be easily disabled, but not many sysadms take
care of this. Anyway if it is disabled you may get:

EXPN joedoe
502 Sorry, we do not allow this operation
VRFY joedoe
252 Who's to say?

/\/\/\/\/\/\
using httpds
\/\/\/\/\/\/
Of course really a lot of servers around have a www server activated.
Generally you can get it on the standard 80 port, often on 8080 as proxy
also. Often the used server will tell you his name when an error occours,
but this may also not be true. So with the classic command 
"GET / HTTP/1.0" you can get some more interesting info about the running,
let's see:

[snip]
HTTP/1.1 200 OK
Date: Tue, 11 Feb 1997 16:07:22 GMT
Server: Apache/1.2b4
Connection: close
Content-Type: text/html
Last-Modified: Tue, 5 Feb 1997 11:21:33 GMT
ETag: "13d04-b3-11226543"
Content-Length: 666
Accept-Ranges: bytes
[snip]

You got the real server type and some not very interesting info. Another
may give you some more informations (for example the cookies one).
After this stage you may for example (to continue the www server speech)
look for interesting buggy cgis that are shipped by default with a
specific kind of server. Just to mention to continue the Apache example
you may try to get some interesting configuration files trought the old
phf, or maybe just see how is composed the directory structure using the
test-cgi or the nph-test-cgi. But that's old stuff and doesn't even have
really any connection with this article.

/\/\/\/\/\
using auth
\/\/\/\/\/
The auth service is used by some programs to authentificate a user access.
The identd (the daemon that offers the auth service) stays on port 113.
With this you can know which user from a remote server is currently
working on a port of the your server. So this may be of use if you are
looking who is accessing actually on a port of your server. For example

ikx:~$ telnet coolhost.org 113
Trying 202.123.26.1...
Connected to master.coolhost.org.
Escape character is '^]'.
--->1296,25
1296 , 25 : USERID : UNIX : Manzo
Connection closed by foreign host.

The line with "--->" is what we sent. Well in this example we have asked
coolhost.org who is connecting from the port 1296 to our 25 port. As you
can see the user was Manzo.
 As you noticed with auth you won't get directly some new information
about the other host. But this may be of course useful in some cases where
you want to determinate some transactions to your server.