GUIDE TO (mostly) HARMLESS HACKING
Vol. 3 Number 2
How to map the Internet. Dig!
Whois! Nslookup! Traceroute! Netstat port is getting hard to
use anymore, however...
____________________________________________________________
Why map the Internet?
* Because it's fun -- like exploring unknown continents. The
Internet is so huge, and it changes so fast, no one has a complete
map.
* Because when you can't make contact with someone in a distant
place, you can help your ISP trouble shoot broken links in the
Internet. Yes, I did that once when email failed to a friend
in Northern Ireland. How will your ISP know that their communications
provider is lying down on the job unless someone advises them
of trouble?
* Because if you want to be a computer criminal, your map
of the connections to your intended victim gives you valuable
information.
Now since this is a lesson on *legal* hacking, we're not going
to help you out with how to determine the best box in which to
install a sniffer or how to tell what IP address to spoof to
get past a packet filter. We're just going to explore some of
the best tools available for mapping the uncharted realms of
the Internet.
For this lesson, you can get some benefit even if all you
have is Windows. But to take full advantage of this lesson, you
should either have some sort of Unix on your personal computer,
or a shell account! SHELL ACCOUNT! If you don't have one, you
may find an ISP that will give you a shell account at http://www.celestin.com/pocia/.
****************************
Newbie note: A shell account is an account with your ISP that
allows you to give commands on a computer running Unix. The "shell"
is the program that translates your keystrokes into Unix commands.
Trust me, if you are a beginner, you will find bash (for Bourne
again shell) to be easiest to use. Ask tech support at your ISP
for a shell account set up to use bash. Or, you may be able to
get the bash shell by simply typing the word "bash"
at the prompt. If your ISP doesn't offer shell accounts, get
a new ISP that does offer it. A great book on using the bash
shell is _Learning the Bash Shell_, by Cameron Newham and Bill
Rosenblatt, published by O'Reilly.
****************************
So for our mapping expedition, let's start by visiting the
Internet in Botswana! Wow, is Botswana even on the Internet?
It's a lovely landlocked nation in the southern region of Africa,
famous for cattle ranching, diamonds and abundant wildlife. The
language of commerce in Botswana is English, so there's a good
chance that we could understand messages from their computers.
Our first step in learning about Botswana's Internet hosts
is to use the Unix program nslookup.
****************************
Evil genius tip: Nslookup is one of the most powerful Internet
mapping tools in existence. We can hardly do it justice here.
If you want to learn how to explore to the max, get the book
_DNS and BIND_ by Paul Albitz and Cricket Liu, published by O'Reilly,
1997 edition.
***************************
The first step may be to find where your ISP has hidden the
program by using the command "whereis nslookup." (Or
your computer may use the "find" command.) Aha
-- there it is! I give the command:
->/usr/etc/nslookup
Default Server: swcp.com
Address: 198.59.115.2
>
These two lines and the slightly different prompt (it isn't
an arrow any more) tell me that my local ISP is running this
program for me. (It is possible to run nslookup on another computer
from yours.) Now we are in the program, so I have to remember
that my bash commands don't work any more. Our next step is to
tell the program that we would like to know what computers handle
any given domain name.
> set type=ns
Next we need to know the domain name for Botswana. To do that
I look up the list of top level domain names on page 379 of the
1997 edition of _DNS and BIND_. For Botswana it's bw. So
I enter it at the prompt, remembering -- this is VERY important
-- to put a period after the domain name:
> bw.
Server: swcp.com
Address: 198.59.115.2
Non-authoritative answer:
This "non-authoritative answer" stuff tells me that
this information has been stored for awhile, so it is possible,
but unlikely, that the information below has changed.
bw nameserver = DAISY.EE.UND.AC.ZA
bw nameserver = RAIN.PSG.COM
bw nameserver = NS.UU.NET
bw nameserver = HIPPO.RU.AC.ZA
Authoritative answers can be found from:
DAISY.EE.UND.AC.ZA inet address = 146.230.192.18
RAIN.PSG.COM inet address = 147.28.0.34
NS.UU.NET inet address = 137.39.1.3
HIPPO.RU.AC.ZA inet address = 146.231.128.1
I look up the domain name "za" and discover it stands
for South Africa. This tells me that the Internet is in its infancy
in Botswana -- no nameservers there -- but must be well
along in South Africa. Look at all those nameservers!
***********************
Newbie note: a nameserver is a computer program that stores data
on the Domain Name System. The Domain Name System makes sure
that no two computers have the same name. It also stores information
on how to find other computers. When various nameservers get
to talking with each other, they eventually, usually within seconds,
can figure out the routes to any one of the millions of computers
on the Internet.
***********************
Well, what this tells me is that people who want to set up
Internet host computers in Botswana usually rely on computers
in South Africa to connect them. Let's learn more about South
Africa. Since we are still in the nslookup program, I command
it to tell me what computers are nameservers for South Africa:
> za.
Server: swcp.com
Address: 198.59.115.2
Non-authoritative answer:
za nameserver = DAISY.EE.UND.AC.za
za nameserver = UCTHPX.UCT.AC.za
za nameserver = HIPPO.RU.AC.za
za nameserver = RAIN.PSG.COM
za nameserver = MUNNARI.OZ.AU
za nameserver = NS.EU.NET
za nameserver = NS.UU.NET
za nameserver = UUCP-GW-1.PA.DEC.COM
za nameserver = APIES.FRD.AC.za
Authoritative answers can be found from:
DAISY.EE.UND.AC.za inet address = 146.230.192.18
UCTHPX.UCT.AC.za inet address = 137.158.128.1
HIPPO.RU.AC.za inet address = 146.231.128.1
RAIN.PSG.COM inet address = 147.28.0.34
MUNNARI.OZ.AU inet address = 128.250.22.2
MUNNARI.OZ.AU inet address = 128.250.1.21
NS.EU.NET inet address = 192.16.202.11
UUCP-GW-1.PA.DEC.COM inet address = 204.123.2.18
UUCP-GW-1.PA.DEC.COM inet address = 16.1.0.18
APIES.FRD.AC.za inet address = 137.214.80.1
***********************
Newbie note: What is inet address = 137.214.80.1 supposed to
mean? That's the name of a computer on the Internet (inet) --
in this case APIES.FRD.AC -- in octal. Octal is like regular
numbers except in base 8 rather than base 10. All computer names
on the Internet must be changed into numbers so that other computers
can understand them.
**********************
Aha! Some of those nameservers are located outside South Africa.
We see computers in Australia (au) and the US (com domain). Next,
we exit the nslookup program with the command ^D. That's made
by holding down the control key while hitting the small "d"
key. It is VERY IMPORTANT to exit nslookup this way and not with
^C.
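As an added example (mine, not part of the original guide), here is a small Python parser for the nslookup "set type=ns" answers shown above. It pulls out the nameserver list and the glue addresses, records whether nslookup flagged the data "Non-authoritative" (that is, served from the local ISP's cache), and splits the nameservers into those named under the queried zone and those named elsewhere, which is exactly the observation made above for bw (none at home) and za (some at home, some abroad). The two sample answers are constructed from the lesson's output, trimmed to a few servers; the function names are mine, and the regexes assume the BIND 4-era nslookup line format shown on this page.

```python
import re

# Constructed samples: the two nslookup "set type=ns" answers from the lesson
# (for "bw." and "za."), trimmed to a few nameservers each and re-joined onto
# the single lines the BIND 4-era nslookup printed.
BW_ANSWER = """\
Server: swcp.com
Address: 198.59.115.2
Non-authoritative answer:
bw nameserver = DAISY.EE.UND.AC.ZA
bw nameserver = RAIN.PSG.COM
bw nameserver = NS.UU.NET
Authoritative answers can be found from:
DAISY.EE.UND.AC.ZA inet address = 146.230.192.18
RAIN.PSG.COM inet address = 147.28.0.34
NS.UU.NET inet address = 137.39.1.3
"""

ZA_ANSWER = """\
Server: swcp.com
Address: 198.59.115.2
Non-authoritative answer:
za nameserver = DAISY.EE.UND.AC.za
za nameserver = HIPPO.RU.AC.za
za nameserver = RAIN.PSG.COM
za nameserver = MUNNARI.OZ.AU
Authoritative answers can be found from:
DAISY.EE.UND.AC.za inet address = 146.230.192.18
HIPPO.RU.AC.za inet address = 146.231.128.1
RAIN.PSG.COM inet address = 147.28.0.34
MUNNARI.OZ.AU inet address = 128.250.22.2
MUNNARI.OZ.AU inet address = 128.250.1.21
"""

NS_RE = re.compile(r"^(\S+)\s+nameserver\s*=\s*(\S+)$", re.IGNORECASE)
ADDR_RE = re.compile(r"^(\S+)\s+inet address\s*=\s*(\d{1,3}(?:\.\d{1,3}){3})$",
                     re.IGNORECASE)


def canon(name):
    """Lower-case a DNS name and drop any trailing dot so names compare equal."""
    return name.rstrip(".").lower()


def parse_ns_answer(text):
    """Parse an nslookup NS answer into (zone, cached, nameservers, glue).

    cached is True when nslookup printed "Non-authoritative answer", meaning the
    data came from the local server's cache, not from a server for the zone.
    glue maps each nameserver to the addresses nslookup listed for it.
    """
    zone, cached, nameservers, glue = None, False, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("non-authoritative answer"):
            cached = True
            continue
        m = NS_RE.match(line)
        if m:
            zone = canon(m.group(1))
            nameservers.append(canon(m.group(2)))
            continue
        m = ADDR_RE.match(line)
        if m:
            glue.setdefault(canon(m.group(1)), []).append(m.group(2))
    return zone, cached, nameservers, glue


def split_by_zone(zone, nameservers):
    """Split nameservers into those named under the zone and those named elsewhere."""
    inside, outside = [], []
    for ns in nameservers:
        (inside if ns.endswith("." + zone) else outside).append(ns)
    return inside, outside


def summarize(text):
    """One dict per answer: zone, cached flag, in-zone and out-of-zone servers, glue."""
    zone, cached, nameservers, glue = parse_ns_answer(text)
    inside, outside = split_by_zone(zone, nameservers)
    return {"zone": zone, "cached": cached, "inside": inside,
            "outside": outside, "glue": glue}


if __name__ == "__main__":
    for answer in (BW_ANSWER, ZA_ANSWER):
        s = summarize(answer)
        print(f"{s['zone']}: {len(s['inside'])} nameserver(s) named under the zone, "
              f"{len(s['outside'])} elsewhere, cached={s['cached']}")
        for ns in s["outside"]:
            print("  outside the zone:", ns, s["glue"].get(ns))
```

The "outside" list is the one a network operator cares about: a zone whose every nameserver sits in somebody else's network (as bw does here) is resolvable only as long as those other networks stay up, and the "cached" flag is a reminder that the addresses were whatever the local server remembered, not necessarily what the zone's own servers would say today.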
Next, we take one of the nameservers in South Africa and ask:
->whois HIPPO.RU.AC.ZA
[No name] (HIPPO)
Hostname: HIPPO.RU.AC.ZA
Address: 146.231.128.1
System: SUN running SUNOS
Domain Server
Record last updated on 24-Feb-92.
To see this host record with registered users,
repeat the command with a star ('*') before the name; or,
use '%' to show JUST the registered users.
The InterNIC Registration Services Host contains
ONLY Internet Information (Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET
Information.
Kewl! This tells us what kind of computer it is -- a Sun --
and the operating system, Sun OS.
Now, just for variety, I use the whois command with the numerical
address of one of the nameservers. This doesn't always give back
the text name, but sometimes it works. And, voila, we get:
->whois 146.230.192.18
[No name] (DAISY1)
Hostname: DAISY.EE.UND.AC.ZA
Address: 146.230.192.18
System: HP-9000 running HP-UX
Domain Server
Record last updated on 14-Sep-94.
Ah, but all this is doing so far is just telling us info about
who is a nameserver for whom. Now how about directly mapping
a route from my computer to South Africa? For that we will use
the traceroute command.
************************
Netiquette tip: The traceroute program is intended for use in
network testing, measurement and management. It
should be used primarily for manual fault isolation, like the
time I couldn't email my friend in Northern Ireland. Because
of the load it could impose on the network, it is unwise to use
traceroute from automated scripts which could cause that program
to send out huge numbers of queries. Use it too much and your
ISP may start asking you some sharp questions.
************************
************************
YOU COULD GO TO JAIL WARNING: If you just got an idea of how
to use traceroute for a denial of service attack, don't call
your favorite journalist and tell him or her that you are plotting
a denial of service attack against the ISPs that serve famous
people like Bill Clinton and Carolyn Meinel!:-) Don't write that
script. Don't use it. If you do, I'll give another interview
to PC World magazine (http://www.pcworld.com/news/newsradio/meinel/index.html)
about how a three-year-old could run the attack. And if you get
caught we'll all laugh at you as you get hustled off in chains
while your journalist friend gets a $250K advance on his or her
book deal about you.
************************
I give the command:
->whereis traceroute
traceroute: /usr/local/bin/traceroute
OK, now we're ready to map in earnest. I give the command:
->/usr/local/bin/traceroute DAISY.EE.UND.AC.ZA
And the answer is:
traceroute to DAISY.EE.UND.AC.ZA (146.230.192.18), 30 hops max, 40 byte packets
 1  sisko (198.59.115.1)  3 ms  4 ms  4 ms
 2  glory-cyberport.nm.westnet.net (204.134.78.33)  47 ms  8 ms  4 ms
 3  ENSS365.NM.ORG (129.121.1.3)  5 ms  10 ms  7 ms
 4  h4-0.cnss116.Albuquerque.t3.ans.net (192.103.74.45)  17 ms  41 ms  28 ms
 5  f2.t112-0.Albuquerque.t3.ans.net (140.222.112.221)  7 ms  6 ms  5 ms
 6  h14.t16-0.Los-Angeles.t3.ans.net (140.223.17.9)  31 ms  39 ms  84 ms
 7  h14.t8-0.San-Francisco.t3.ans.net (140.223.9.13)  67 ms  43 ms  68 ms
 8  enss220.t3.ans.net (140.223.9.22)  73 ms  58 ms  54 ms
 9  sl-mae-w-F0/0.sprintlink.net (198.32.136.11)  97 ms  319 ms  110 ms
10  sl-stk-1-H11/0-T3.sprintlink.net (144.228.10.109)  313 ms  479 ms  473 ms
11  sl-stk-2-F/T.sprintlink.net (198.67.6.2)  179 ms  *  *
12  sl-dc-7-H4/0-T3.sprintlink.net (144.228.10.106)  164 ms  *  176 ms
13  sl-dc-7-F/T.sprintlink.net (198.67.0.1)  143 ms  129 ms  134 ms
14  gsl-dc-3-Fddi0/0.gsl.net (204.59.144.197)  135 ms  152 ms  130 ms
15  204.59.225.66 (204.59.225.66)  583 ms  545 ms  565 ms
16  * * *
17  e0.csir00.uni.net.za (155.232.249.1)  516 ms  436 ms  400 ms
18  s1.und00.uni.net.za (155.232.70.1)  424 ms  485 ms  492 ms
19  e0.und01.uni.net.za (155.232.190.2)  509 ms  530 ms  459 ms
20  s0.und02.uni.net.za (155.232.82.2)  650 ms  *  548 ms
21  Gw-Uninet1.CC.und.ac.za (146.230.196.1)  881 ms  517 ms  478 ms
22  cisco-unp.und.ac.za (146.230.128.8)  498 ms  545 ms  *
23  IN.ee.und.ac.za (146.230.192.18)  573 ms  585 ms  493 ms
So what does all this stuff mean?
The number in front of each line is the number of hops since
leaving the computer that has the shell account I am using.
The second entry is the name of the computer through which
this route passes, first in text, and then in parentheses its
numerical representation.
The numbers after that are the time in milliseconds it takes
for each of three probe packets in a row to make that hop. When
an * appears, the time for the hop timed out. In the case of
this traceroute command, any time greater than 3 seconds causes
an * to be printed out.
How about hop 16? It gave us no info whatsoever. That silent
gateway may be the result of a bug in the 4.1, 4.2 or 4.3BSD
Unix network code. A computer running one of these operating
systems sends an "unreachable" message. Or it
could be something else. Sorry, I'm not enough of a genius yet
to figure out this one for sure. Are we having phun yet?
************************
Evil genius tip: If you want to get really, truly excruciating
detail on the traceroute command, while in your shell account
type in the command:
->man traceroute
I promise, on-line manual stuff is often written in a witty,
entertaining fashion. Especially the Sun OS manual. Honest!
************************
************************
Note for the shell-account-challenged: If you have Windows 95,
you can get the same results -- I mean, for mapping the Internet,
not going to jail -- using the "tracert" command. Here's
how it works:
1. Open a PPP connection. For example, if you use Compuserve
or AOL, make a connection, then minimize your on-line access
program.
2. Click on the Start menu.
3. Open a DOS window.
4. At the DOS prompt type in "tracert <distant.computer.com>"
where "distant.computer.com" is replaced by the name
of the computer to which you want to trace a route. Press the
Enter key.
5. Be patient. Especially if you are tracing a route to a distant
computer, it takes awhile to make all the connections. Every
time your computer connects to another computer on the Internet,
it first has to trace a route to the other computer. That's why
it sometimes takes a long while for your browser to start downloading
a Web page.
6. If you decide to use Windows for this hacking lesson, Damien
Sorder has a message for us: "DON'T ENCOURAGE THEM TO USE
WIN95!@#$!@#!" He's right, but since most of you reading
this are consenting adults, I figure it's your funeral if you
stoop to Windows hacking on an AOL PPP connection!
***********************
Now this is getting interesting. We know that Daisy is directly
connected to at least one other computer, and that computer in
turn is connected to cisco-unp.und.ac.za. Let's learn a little
something about this cisco-unp.und.ac.za, OK?
First, we can guess from the name that it is a Cisco router.
In fact, the first hop in this route is to a computer named "sisco,"
which is also probably a Cisco router. Since 85% of the routers
in the world are Ciscos, that's a pretty safe bet. But we are
going to not only make sure cisco-unp.und.ac.za is a Cisco. We
are also going to find out the model number, and a few other
goodies.
First we try out whois:
->whois cisco-unp.und.ac.za
No match for "CISCO-UNP.UND.AC.ZA".
The InterNIC Registration Services Host contains ONLY Internet
Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
Huh? Traceroute tells us cisco-unp.und.ac.za exists, but whois
can't find it! Actually this is a common problem, especially
trying to use whois on distant computers. What do we do next?
Well, if you are lucky, the whereis command will turn up another
incredibly cool program: dig!
**********************
Newbie note: Dig stands for "domain information groper."
It does a lot of the same things as nslookup. But dig is a much
older program, in many ways harder to use than nslookup. For
details on dig, use the command from your shell account "man
dig."
**********************
In fact, on my shell account I found I could run dig straight
from my bash prompt:
->dig CISCO-UNP.UND.AC.ZA
; <<>> DiG 2.0 <<>> CISCO-UNP.UND.AC.ZA
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; Ques: 1, Ans: 4, Auth: 5, Addit: 5
;; QUESTIONS:
;;      CISCO-UNP.UND.AC.ZA, type = A, class = IN
;; ANSWERS:
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.248.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.12.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.60.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.128.8
;; AUTHORITY RECORDS:
und.ac.za.      86400   NS      Eagle.und.ac.za.
und.ac.za.      86400   NS      Shrike.und.ac.za.
und.ac.za.      86400   NS      ucthpx.uct.ac.za.
und.ac.za.      86400   NS      hiPPo.ru.ac.za.
und.ac.za.      86400   NS      Rain.psg.com.
;; ADDITIONAL RECORDS:
Eagle.und.ac.za.        86400   A       146.230.128.15
Shrike.und.ac.za.       86400   A       146.230.128.13
ucthpx.uct.ac.za.       86400   A       137.158.128.1
hiPPo.ru.ac.za.         86400   A       146.231.128.1
Rain.psg.com.           14400   A       147.28.0.34
;; Total query time: 516 msec
;; FROM: llama to SERVER: default -- 198.59.115.2
;; WHEN: Fri Jan 17 13:03:49 1997
;; MSG SIZE sent: 37 rcvd: 305
Ahhh, nice. The first few lines, the ones preceded by the
;; marks, mostly tell what the default settings of the command
are and what we asked it. The line "Ques: 1, Ans: 4, Auth:
5, Addit: 5" tells us how many items we'll get under each
topic of questions, answers, authority records, and additional
records. (You will get different numbers on that line with
different queries.) This "records" stuff refers to
information stored under the domain name system.
We learn from dig that CLASS=IN, meaning CISCO-UNP.UND.AC.ZA
is a domain name within the Internet. But we already knew that.
The first really *new* thing we learn is that four routers
all share the same domain name. We can tell that because their
numerical Internet numbers are different. The reverse can also
happen: several domain names can all belong to the same numerical
address. If you use the dig command on each link in the route
to DAISY.EE.UND.AC.ZA, you'll find a tremendous variation in
whether the routers map to same or different domain names. As
hackers, we want to get wise to all these variations in how domain
names are associated with boxes.
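Here is an added Python example (mine, not from the guide) that reads a DiG 2.0 answer in the layout shown above. It takes the status and flags off the header, checks that the "Ans/Auth/Addit" counts match the records actually printed, and groups the A records both ways: addresses per name (the four under CISCO-UNP.UND.AC.ZA) and names per address (the reverse case mentioned above). The sample is the lesson's dig output re-joined one record per line; DiG 2.0 left out the class column, so the record regex accepts lines with or without "IN". Function names are mine.

```python
import re
from collections import namedtuple

# Constructed sample: the lesson's DiG 2.0 answer, re-joined one record per line.
# DiG 2.0 left out the class column; newer dig prints "IN" between TTL and type.
SAMPLE_DIG = """\
; <<>> DiG 2.0 <<>> CISCO-UNP.UND.AC.ZA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; Ques: 1, Ans: 4, Auth: 5, Addit: 5
;; QUESTIONS:
;;      CISCO-UNP.UND.AC.ZA, type = A, class = IN
;; ANSWERS:
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.248.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.12.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.60.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.128.8
;; AUTHORITY RECORDS:
und.ac.za.      86400   NS      Eagle.und.ac.za.
und.ac.za.      86400   NS      Shrike.und.ac.za.
und.ac.za.      86400   NS      ucthpx.uct.ac.za.
und.ac.za.      86400   NS      hiPPo.ru.ac.za.
und.ac.za.      86400   NS      Rain.psg.com.
;; ADDITIONAL RECORDS:
Eagle.und.ac.za.        86400   A       146.230.128.15
Shrike.und.ac.za.       86400   A       146.230.128.13
ucthpx.uct.ac.za.       86400   A       137.158.128.1
hiPPo.ru.ac.za.         86400   A       146.231.128.1
Rain.psg.com.           14400   A       147.28.0.34
;; Total query time: 516 msec
"""

Record = namedtuple("Record", "name ttl rtype rdata")
SECTIONS = ("ANSWERS", "AUTHORITY RECORDS", "ADDITIONAL RECORDS")

SECTION_RE = re.compile(r"^;;\s*(ANSWERS|AUTHORITY RECORDS|ADDITIONAL RECORDS):")
HEADER_RE = re.compile(r"^;; ->>HEADER<<-.*status:\s*(\w+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);\s*Ques:\s*(\d+),\s*Ans:\s*(\d+),"
                      r"\s*Auth:\s*(\d+),\s*Addit:\s*(\d+)")
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+(?:IN\s+)?([A-Z]+)\s+(\S+)$")


def canon(name):
    """Lower-case a DNS name and drop the trailing dot so names compare equal."""
    return name.rstrip(".").lower()


def parse_dig(text):
    """Return (header, sections): header carries status, flags and the counts
    from the flags line; sections maps each section name to its Records."""
    header = {"status": None, "flags": [], "counts": {}}
    sections = {s: [] for s in SECTIONS}
    current = None
    for line in text.splitlines():
        if line.startswith(";"):                 # dig's commentary, not records
            m = SECTION_RE.match(line)
            if m:
                current = m.group(1)
            m = HEADER_RE.match(line)
            if m:
                header["status"] = m.group(1)
            m = FLAGS_RE.match(line)
            if m:
                header["flags"] = m.group(1).split()
                header["counts"] = dict(zip(("Ques", "Ans", "Auth", "Addit"),
                                            map(int, m.groups()[1:])))
            continue
        m = RECORD_RE.match(line.strip())
        if m and current:
            sections[current].append(Record(canon(m.group(1)), int(m.group(2)),
                                            m.group(3), m.group(4)))
    return header, sections


def counts_consistent(header, sections):
    """The Ans/Auth/Addit counts on the flags line should equal the records printed."""
    c = header["counts"]
    return (c.get("Ans") == len(sections["ANSWERS"])
            and c.get("Auth") == len(sections["AUTHORITY RECORDS"])
            and c.get("Addit") == len(sections["ADDITIONAL RECORDS"]))


def is_authoritative(header):
    """'aa' set means the answer came from a server for the zone, not a cache."""
    return "aa" in header["flags"]


def group_a_records(records, by="name"):
    """Group A records: by="name" gives name -> [addresses] (several addresses
    under one name: several boxes); by="address" gives the reverse, several
    names on one box."""
    out = {}
    for r in records:
        if r.rtype == "A":
            k, v = (r.name, r.rdata) if by == "name" else (r.rdata, r.name)
            out.setdefault(k, []).append(v)
    return out
```

The "aa" flag in the header is dig's way of saying the answer came straight from a server for the zone, the opposite of the "Non-authoritative answer" nslookup printed earlier; the differing TTL on Rain.psg.com (14400 against 86400 for the rest) shows that the additional records can come from a different cache age than the answer itself.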
But we can still learn even more about that Cisco router named
CISCO-UNP.UND.AC.ZA. We go back to nslookup and run it in interactive
mode:
->/usr/etc/nslookup
Default Server: swcp.com
Address: 198.59.115.2
>
Now let's do something new with nslookup. This is a command
that comes in really, really handy when we're playing vigilante
and need to persecute a spammer or bust a child porn Web site
or two. Here's how we can get the email address for the
sysadmin of an Internet host computer.
> set type=soa
Then I enter the name of the computer about which I am curious.
Note that I put a period after the end of the host name. It often
helps to do this with nslookup:
> CISCO-UNP.UND.AC.ZA.
Server: swcp.com
Address: 198.59.115.2
*** No start of authority zone information is available for
CISCO-UNP.UND.AC.ZA.
Now what do I do? Give up? No, I'm a hacker wannabe, right?
So I try entering just part of the domain name, again remembering
to put a period at the end:
> und.ac.za.
Server: swcp.com
Address: 198.59.115.2
und.ac.za origin = Eagle.und.ac.za
        mail addr = postmaster.und.ac.za
        serial=199610255, refresh=10800, retry=3600, expire=3000000, min=86400
Eagle.und.ac.za inet address = 146.230.128.15
Shrike.und.ac.za inet address = 146.230.128.13
ucthpx.uct.ac.za inet address = 137.158.128.1
hiPPo.ru.ac.za inet address = 146.231.128.1
Rain.psg.com inet address = 147.28.0.34
Bingo!!! I got the email address of a sysadmin whose domain
includes that Cisco router, AND the IP addresses of some other
boxes he or she administers. But notice it doesn't list
any of those routers which the sysadmin undoubtedly knows a thing
or two about.
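An added Python example (mine, not the guide's) that parses the nslookup SOA answer above. It adds two things to the discussion. First, the "mail addr" field is not a mailbox as printed: RFC 1035 stores the mailbox as a domain name, with the "@" replaced by the first dot and any real dot in the local part escaped as "\.", so postmaster.und.ac.za is really postmaster@und.ac.za. Second, the serial, refresh, retry and expire values can be sanity-checked against the usual RFC 1912 advice, which is what an operator does when a zone stops updating on its secondaries. The sample is the lesson's output re-joined onto nslookup's lines; the thresholds in timer_checks are this example's assumptions, not the page's.

```python
import re
from datetime import datetime

# Constructed sample: the lesson's nslookup "set type=soa" answer for und.ac.za.,
# re-joined onto the lines nslookup prints (the lesson's copy was wrapped).
SAMPLE_SOA = """\
Server: swcp.com
Address: 198.59.115.2
und.ac.za origin = Eagle.und.ac.za
        mail addr = postmaster.und.ac.za
        serial=199610255, refresh=10800, retry=3600, expire=3000000, min=86400
Eagle.und.ac.za inet address = 146.230.128.15
Shrike.und.ac.za inet address = 146.230.128.13
"""

ORIGIN_RE = re.compile(r"^(\S+)\s+origin\s*=\s*(\S+)$")
MAIL_RE = re.compile(r"^mail addr\s*=\s*(\S+)$")
TIMER_RE = re.compile(r"\b(serial|refresh|retry|expire|min)\s*=\s*(\d+)")
ADDR_RE = re.compile(r"^(\S+)\s+inet address\s*=\s*(\S+)$")


def parse_soa(text):
    """Return a dict with zone, origin (primary server), rname, the five SOA
    numbers, and the nameserver addresses nslookup appended."""
    soa = {"servers": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = ORIGIN_RE.match(line)
        if m:
            soa["zone"], soa["origin"] = m.group(1).lower(), m.group(2).lower()
            continue
        m = MAIL_RE.match(line)
        if m:
            soa["rname"] = m.group(1).lower()
            continue
        m = ADDR_RE.match(line)
        if m:
            soa["servers"][m.group(1).lower()] = m.group(2)
            continue
        for key, value in TIMER_RE.findall(line):
            soa[key] = int(value)
    return soa


def rname_to_email(rname):
    """Turn an SOA RNAME into a mailbox.  RFC 1035 stores the mailbox as a domain
    name: the '@' becomes the first dot, and a real dot in the local part is
    escaped as backslash-dot."""
    local, i = [], 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):   # escaped character, keep it literally
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":                           # first unescaped dot is the '@'
            return "".join(local) + "@" + rname[i + 1:]
        local.append(ch)
        i += 1
    return "".join(local)


def timer_checks(soa):
    """Sanity checks on the SOA values.  Thresholds follow the common RFC 1912
    advice (retry shorter than refresh, expire of at least two weeks, serial in
    YYYYMMDDnn form); they are this example's assumptions, not the lesson's."""
    serial = str(soa["serial"])
    dated = False
    if len(serial) == 10:
        try:
            datetime.strptime(serial[:8], "%Y%m%d")
            dated = True
        except ValueError:
            dated = False
    return {
        "retry_less_than_refresh": soa["retry"] < soa["refresh"],
        "expire_at_least_two_weeks": soa["expire"] >= 14 * 86400,
        "serial_is_yyyymmddnn": dated,
    }
```

On the lesson's data the timers pass but the serial does not look like a date-stamped one (199610255 has nine digits, not ten), which is harmless for DNS itself but worth knowing before you try to read a zone's update history out of its serial.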
But we aren't done yet with cisco-unp.und.ac.za (146.230.128.8).
Of course we have a pretty good guess that it is a Cisco router.
But why stop with a mere guess when we can port surf? So we fall
back on our friend the telnet program and head for port 2001:
->telnet 146.230.128.8 2001
Trying 146.230.128.8 ...
Connected to 146.230.128.8.
Escape character is '^]'.
C
*************************************************
*** Welcome to the University of Natal        ***
***                                           ***
***                                           ***
***                                           ***
*** Model : Cisco 4500 with ATM and 8 BRI ports ***
***                                           ***
***                                           ***
***                                           ***
*** Dimension Data Durban - 031-838333        ***
***                                           ***
***                                           ***
***                                           ***
*************************************************
Hey, we know now that this is a Cisco model 4500 owned
by the University of Natal, and we even got a phone number for
the sysadmin. From this we also can infer that this router handles
a subnet which serves the U of Natal and includes daisy.
But why did I telnet to port 2001? It's in common use among
routers as the administrative port. How do I know that? From
the RFC (request for comments) that covers all commonly used
port assignments. You can find a copy of this RFC at http://www.internic.net/help/domain/rfc1739.txt.
Read it and you'll be in for some happy port surfing!
************************
Evil Genius tip: there are a bunch of ports used by Cisco routers:
cisco-fna        130/tcp    cisco FNATIVE
cisco-tna        131/tcp    cisco TNATIVE
cisco-sys        132/tcp    cisco SYSMAINT
licensedaemon   1986/tcp    cisco license management
tr-rsrb-p1      1987/tcp    cisco RSRB Priority 1 port
tr-rsrb-p2      1988/tcp    cisco RSRB Priority 2 port
tr-rsrb-p3      1989/tcp    cisco RSRB Priority 3 port
stun-p1         1990/tcp    cisco STUN Priority 1 port
stun-p2         1991/tcp    cisco STUN Priority 2 port
stun-p3         1992/tcp    cisco STUN Priority 3 port
snmp-tcp-port   1993/tcp    cisco SNMP TCP port
stun-port       1994/tcp    cisco serial tunnel port
perf-port       1995/tcp    cisco perf port
tr-rsrb-port    1996/tcp    cisco Remote SRB port
gdp-port        1997/tcp    cisco Gateway Discovery Protocol
x25-svc-port    1998/tcp    cisco X.25 service (XOT)
tcp-id-port     1999/tcp    cisco identification port
************************
But what about the "normal" telnet port, which is
23? Since it is the "normal" port, the one you usually
go to when you want to log in, we don't need to put the 23 after
the host name:
->telnet 146.230.128.8
Trying 146.230.128.8 ...
Connected to 146.230.128.8.
Escape character is '^]'.
C
*************************************************
*** Welcome to the University of Natal        ***
***                                           ***
***                                           ***
***                                           ***
*** Model : Cisco 4500 with ATM and 8 BRI ports ***
***                                           ***
***                                           ***
***                                           ***
*** Dimension Data Durban - 031-838333        ***
***                                           ***
***                                           ***
***                                           ***
*************************************************
User Access Verification
Password:
Hey, this is interesting, no username requested, just a password.
If I were the sysadmin, I'd make it a little harder to log in.
Hmmm, what happens if I try to port surf finger that site? That
means telnet to the finger port, which is 79:
->telnet 146.230.128.8 79
Trying 146.230.128.8 ...
Connected to 146.230.128.8.
Escape character is '^]'.
C
*************************************************
*** Welcome to the University of Natal        ***
***                                           ***
***                                           ***
*** Model : Cisco 4500 with ATM and 8 BRI ports ***
***                                           ***
***                                           ***
*** Dimension Data Durban - 031-838333        ***
***                                           ***
***                                           ***
*************************************************
    Line       User       Host(s)              Idle       Location
*   2 vty 0               idle                 0          kitsune.swcp.com
    BR0:2                 Sync PPP             00:00:00
    BR0:1                 Sync PPP             00:00:00
    BR1:2                 Sync PPP             00:00:00
    BR1:1                 Sync PPP             00:00:00
    BR2:2                 Sync PPP             00:00:01
    BR2:1                 Sync PPP             00:00:00
    BR5:1                 Sync PPP             00:00:00
Connection closed by foreign host.
Notice that finger lists the connection to the computer I
was port surfing from: kitsune. But no one else seems to be on
line just now. Please remember, when you port surf, unless you
know how to do IP spoofing, your target computer knows where
you came from. Of course I will be a polite guest.
Now let's try the obvious. Let's telnet to the login port
of daisy. I use the numerical address just for the heck of it:
->telnet 146.230.192.18
Trying 146.230.192.18 ...
Connected to 146.230.192.18.
Escape character is '^]'.
NetBSD/i386 (daisy.ee.und.ac.za) (ttyp0)
login:
Hey, this is interesting. Since we now know this is a university,
that's probably the electrical engineering (EE) department. And
NetBSD is a freeware Unix that runs on a PC! Probably a 80386
box.
Getting this info makes me almost feel like I've been hanging
out at the University of Natal EE computer lab. It sounds like
a friendly place. Judging from their router, security is somewhat
lax, they use cheap computers, and messages are friendly. Let's
finger and see who's logged in just now:
Since I am already in the telnet program (I can tell by the
prompt "telnet>"), I go to daisy using the "open"
command:
telnet> open daisy.ee.und.ac.za 79
Trying 146.230.192.18 ...
telnet: connect: Connection refused
telnet> quit
Well, that didn't work, so I exit telnet and try the finger
program on my shell account computer:
->finger @daisy.ee.und.ac.za
[daisy.ee.und.ac.za]
finger: daisy.ee.und.ac.za: Connection refused
Sigh. It's hard to find open finger ports any more. But it's
a good security practice to close finger. Damien Sorder points
out, "If you install the new Linux distributions, it comes
with Cfingerd. Why would I (and others) want to shut it down?
Not because of hackers and abuse or some STUPID S*** like that.
Because it gives out way too much information when you finger
a single user. You get machine load and all the user information."
I manage to pull up a little more info on how to map the interconnections
of University of Natal computers with a search of the
Web using http://digital.altavista.com. It links me to the site
http://www.frd.ac.za/uninet/sprint.html, which is titled "Traffic
on the UNINET-SPRINTLINK Link." However, all the links to
network traffic statistics from that site are dead.
Next, let's look into number 20 on that traceroute that led
us to the University of Natal. You can pretty much expect that
links in the middle of a long traceroute will be big computers
owned by the bigger companies that form the backbone of the Internet.
->telnet 155.232.82.2 2001
Trying 155.232.82.2 ...
Connected to 155.232.82.2.
Escape character is '^]'.
Id: und02
Authorised Users Only!
------------------------
User Access Verification
Username:
Yup, we're out of friendly territory now. And since port 2001
works, it may be a router. Just for laughs, though, let's go
back to the default telnet port:
->telnet 155.232.82.2
Trying 155.232.82.2 ...
Connected to 155.232.82.2.
Escape character is '^]'.
Id: und02
Authorised Users Only!
------------------------
User Access Verification
Username:
Now just maybe this backbone-type computer will tell us gobs
of stuff about all the computers it is connected to. We
try telneting to the netstat port, 15. This, if it happens to
be open to the public, will tell us all about the computers that
connect through it:
->telnet 155.232.82.2 15
Trying 155.232.82.2 ...
telnet: connect: Connection refused
Sigh. I gave an example of the incredible wealth of information
you can get from netstat on the GTMHH on port surfing. But every
day it is harder to find a public netstat port. That's because
the information netstat gives is so useful to computer criminals.
In fact, port 15 is no longer reserved as the netstat port (as
of 1994, according to the RFC). So you will find few boxes using
it.
******************************
Newbie note: want to know what port assignments your ISP uses?
Sorder points out " /etc/services on most machines will
[tell you this]."
How can you read that information? Try this:
First, change to the /etc/ directory:
->cd /etc
Then command it to print it out to your screen with:
->more services
#
# @(#)services 1.16 90/01/03 SMI
#
# Network services, Internet style
# This file is never consulted when the NIS are running
#
tcpmux          1/tcp                           # rfc-1078
echo            7/tcp
... and so on...
Alas, just because your shell account has a list of port assignments
doesn't mean they are actually in use. It also probably won't
list specialized services like all those Cisco router port assignments.
*************************
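Both the Cisco port list above and the /etc/services listing use the services(5) layout: a name, port/protocol, optional aliases, and then a comment. As an added example (mine, not part of the guide), here is a Python parser for that layout with a lookup by port and by name. The sample file is constructed: the header and first entries the lesson shows, a few standard entries, and several of the Cisco assignments from the list above written as comment text. Function names are mine. As the note says, a port being listed does not mean it is in use, and the reverse holds too: the lookup returns None for ports absent from the sample, such as 2001 and 15.

```python
import re
from collections import namedtuple

# Constructed sample in /etc/services layout: the header and first entries the
# lesson shows, a few standard entries, and some of the Cisco assignments from
# the lesson's port list written the way a services file would carry them.
SAMPLE_SERVICES = """\
#
# @(#)services 1.16 90/01/03 SMI
#
# Network services, Internet style
# This file is never consulted when the NIS are running
#
tcpmux          1/tcp                           # rfc-1078
echo            7/tcp
echo            7/udp
telnet          23/tcp
finger          79/tcp
www             80/tcp          http            # WorldWideWeb HTTP
cisco-fna       130/tcp                         # cisco FNATIVE
cisco-tna       131/tcp                         # cisco TNATIVE
cisco-sys       132/tcp                         # cisco SYSMAINT
licensedaemon   1986/tcp                        # cisco license management
tr-rsrb-p1      1987/tcp                        # cisco RSRB Priority 1 port
snmp-tcp-port   1993/tcp                        # cisco SNMP TCP port
gdp-port        1997/tcp                        # cisco Gateway Discovery Protocol
x25-svc-port    1998/tcp                        # cisco X.25 service (XOT)
tcp-id-port     1999/tcp                        # cisco identification port
"""

Service = namedtuple("Service", "name port proto aliases comment")
ENTRY_RE = re.compile(r"^(\S+)\s+(\d+)/(\w+)((?:\s+\S+)*)\s*$")


def parse_services(text):
    """Parse services(5) lines into {(port, proto): Service}.

    Everything after '#' is a comment and kept as the Service's comment field;
    blank lines and lines that do not fit the layout are skipped, not guessed at.
    """
    table = {}
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, port, proto = m.group(1), int(m.group(2)), m.group(3).lower()
        table[(port, proto)] = Service(name, port, proto, m.group(4).split(),
                                       comment.strip())
    return table


def lookup(table, port, proto="tcp"):
    """Service registered for a port/protocol pair, or None if the file lacks it."""
    return table.get((port, proto.lower()))


def lookup_name(table, name):
    """All entries whose name or alias matches; a name may appear per protocol."""
    return [s for s in table.values() if s.name == name or name in s.aliases]


if __name__ == "__main__":
    t = parse_services(SAMPLE_SERVICES)
    for port in (23, 79, 1987, 2001, 15):
        print(port, lookup(t, port))
```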
In fact, after surfing about two dozen somewhat randomly chosen
netstat ports, the only answer I get other than "Connection
refused" is:
->telnet ns.nmia.com 15
Trying 198.59.166.10 ...
Connected to ns.nmia.com.
Escape character is '^]'.
Yes, but will I see the EASTER BUNNY in skintight leather
at an IRON MAIDEN concert?
Now what about all those Sprintlink routers in that traceroute?
That's a major Internet backbone based in the US provided by
Sprint. You can get some information on the topology of the Sprintlink
backbone at http://www.sprintlink.net/SPLK/HB21.html#2.2. Alas,
Sprintlink used to give out much more information than they do
today. All I can pick up on their Web site today is pretty vague.
Sigh. The Internet is getting less friendly, but more secure.
Some day when we're really ancient, say five years from now,
we'll be telling people, "Why, I remember when we could
port surf! Why, there used to be zillions of open ports and people
could choose ANY password they wanted. Hmph! Today it's just
firewalls everywhere you look!" Adds Sorder, "Gee.
How do you think people like me feel.. port surfing over 6 years
ago."
Our thanks to Damien Sorder (jericho@dimensional.com) for
assistance in reviewing and contributing to this GTMHH.
_________________________________________________________
Want to share some kewl stuph with the Happy Hacker list? Correct
mistakes?
To send me confidential email (please, no discussions of illegal
activities) use ">and be sure to state in your message that you want me to keep
this confidential. If you wish your message posted anonymously,
please say so! Please direct flames to dev/null@techbroker.com.
Happy hacking!
© 1997 Carolyn P. Meinel. You may forward or post
on your Web site this GUIDE TO (mostly) HARMLESS HACKING as long
as you leave this notice at the end.