
It Sucks to Be Me!

If people are going to try to social engineer me into committing crime, I wish they would at least show me the honor of using a tiny bit of intelligence. Here are two examples of people trying to trick me into committing computer crime against a web site.

Message-ID: <20030618062121.72586.qmail@web13310.mail.yahoo.com>
Received: from [213.153.175.62] by web13310.mail.yahoo.com via HTTP; Tue, 17 Jun 2003 23:21:21 PDT
Date: Tue, 17 Jun 2003 23:21:21 -0700 (PDT)
From: habib shalom <henrylllll@yahoo.com>
Subject: hi amateurs

hi european amateurs of the web sea...let's hack our web site www.binzayed.com we protect it...arab hackers...why don't you try to show your valuable abilities to us :) if there any :)

Carolyn's note: Here's how I investigated this blowhard, using Windows XP Personal Edition.

First, I viewed all headers of the above email in Eudora by clicking the "blah blah blah" button. (Free email program from http://www.eudora.com)

Then in Windows, click Start --> All Programs --> Accessories --> Command Prompt

In the command prompt window (the program is cmd.exe) I take the number in the "Received from:" line and do this:

C:\Documents and Settings\Owner>nslookup 213.153.175.62
Server: ns1.abq.com
Address: 204.252.57.249

Name: c760.tnn.net
Address: 213.153.175.62

C:\Documents and Settings\Owner>tracert 213.153.175.62

Tracing route to c760.tnn.net [213.153.175.62]
over a maximum of 30 hops:

1 668 ms 143 ms 151 ms abq-tch1-arc.foobar.com [204.252.999.252] (foobarred to protect my ISP)
2 140 ms 143 ms 135 ms abq-gw1.foobar.com [204.252.999.254]
3 2053 ms 167 ms 167 ms 47.ATM5-0.GW5.DFW7.ALTER.NET [157.130.225.153]
4 189 ms 183 ms 175 ms 0.so-3-1-0.xr2.dfw7.alter.net [152.63.101.38]
5 965 ms 167 ms 167 ms 190.at-1-0-0.xr2.dfw9.alter.net [152.63.96.218]
6 180 ms 167 ms 167 ms 0.so-2-1-0.xl2.dfw9.alter.net [152.63.102.1]
7 221 ms 175 ms 167 ms 0.so-7-0-0.br6.dfw9.alter.net [152.63.103.78]
8 188 ms 175 ms 167 ms sl-st21-dal-15-3-1620xt1.sprintlink.net [144.232.9.133]
9 203 ms 198 ms 175 ms sl-bb25-fw-4-0.sprintlink.net [144.232.20.145]
10 189 ms 183 ms 279 ms sl-bb23-atl-10-0.sprintlink.net [144.232.20.60]
11 205 ms 207 ms 823 ms sl-bb26-rly-14-1.sprintlink.net [144.232.20.65]
12 229 ms 504 ms 209 ms sl-st21-ash-15-3.sprintlink.net [144.232.20.44]
13 752 ms 415 ms 302 ms sl-st20-ash-12-0.sprintlink.net [144.232.19.240]
14 500 ms 303 ms 286 ms sl-deutsche-4-0.sprintlink.net [144.223.246.30]
15 412 ms 519 ms 447 ms bs-ea1.bs.de.net.dtag.de [62.154.100.66]
16 948 ms 695 ms 302 ms 212.110.255.233
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 2395 ms 1791 ms 1031 ms c760.tnn.net [213.153.175.62]

Trace complete.

This shows where the sender of the email got his/her Internet access. I look up http://www.tnn.net and learn it is a Turkish ISP. So the sender of this email lives in Turkey. That's the first suspicious thing -- there aren't many Arabs in Turkey.

Alert reader Satyanarayana Shanmugam saw this traceroute and asked,

Is it possible that the person merely accessed his inbox using a proxy like proxy.cjb.net and then sent you an email? I attempted this and when I looked up the IP in the email (I used the above proxy) in http://www.dnsstuff.com/ it said that the IP was in someplace which was not even in the same continent as I live!

Carolyn replies: That's a thoughtful and valuable insight. Yes, you can hide your headers by going to web-based email through a proxy. However, "Habib Shalom" didn't do this. Here's how to tell whether someone used a proxy or sent email directly from his or her home computer.

First, make certain you can see everything in the headers of the email. In Outlook, click View --> All headers. In Eudora, click the "Blah blah blah" button.

Next, ignore any address that begins with 10. or 192.168., or that falls in the range 172.16.0.0 - 172.31.255.255. These addresses only occur inside a private network and never identify a computer on the public Internet.

Then run a traceroute on the remaining "received from" number according to the instructions at the top of this page.

Look at the last two hops in your traceroute to see what kinds of computers they are. The first and easiest test is to enter the IP address in the location window of your browser, like this: http://213.153.175.62/ . If it brings up the web site of a proxy server, you'll know the person you are trying to track was using that proxy. In that case you can't track him or her down. Too bad. (However, the police can force the owner of the proxy server to track down its users, so proxy servers are no good for committing crime!)

If this address doesn't bring up anything in your browser, then it wasn't a web proxy. If you want to be absolutely certain whether the email went through a proxy, your next step is to use a port scanner such as nmap, free from http://www.insecure.org, to see what servers run on the last two hops of that traceroute. With home computers, usually you will see that the second-to-last IP address is a router and the last IP address doesn't run a web server. Also, if the last IP address belongs to a DSL or dialup line, that is a sign it is a home computer.
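The header rules above (find the address in every "Received" line, discard the private ranges, then trace whichever public address is closest to the sender) as a small script. This is an added example, not code from Carolyn's page. The two header blocks are constructed to copy the shape of the Yahoo and Hotmail headers quoted on this page; the 10.0.0.7 hop and the example.test host name are invented so the private-address filter has something to discard.

```python
import ipaddress
import re
from email import message_from_string

# Two header blocks constructed for this example. They copy the shape of the
# Yahoo and Hotmail headers quoted on this page; the 10.0.0.7 hop and the
# example.test host name are invented so the private-address filter has
# something to discard.
YAHOO_STYLE = """\
Received: from [213.153.175.62] by web13310.mail.yahoo.com via HTTP; Tue, 17 Jun 2003 23:21:21 PDT
Received: from [10.0.0.7] by webmail-frontend.example.test; Tue, 17 Jun 2003 23:21:20 PDT
Date: Tue, 17 Jun 2003 23:21:21 -0700 (PDT)
From: habib shalom <henrylllll@yahoo.com>
Subject: hi amateurs

hi european amateurs of the web sea...
"""

HOTMAIL_STYLE = """\
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
  Fri, 13 Jun 2003 21:01:48 -0700
Received: from 202.57.90.219 by lw12fd.law12.hotmail.msn.com with HTTP;
  Sat, 14 Jun 2003 04:01:48 GMT
X-Originating-IP: [202.57.90.219]
From: "Laurence Ysrael Velilla Ramos" <firsttimemo14@hotmail.com>
Subject: challenge

ive heard about your greatness...
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FROM_IP = re.compile(r"\bfrom\b.*?" + IPV4, re.S)


def is_private(ip):
    """True for addresses that never appear on the public Internet: the blocks
    the page lists (10/8, 172.16/12, 192.168/16) plus loopback and link-local.
    Anything that does not parse as an address is treated the same way, since
    it cannot be traced either."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return addr.is_private or addr.is_loopback or addr.is_link_local


def received_ips(raw):
    """The address named after 'from' in each Received header, top to bottom.
    Hops that record no address (Hotmail's 'mail pickup service') are skipped."""
    msg = message_from_string(raw)
    ips = []
    for value in msg.get_all("Received", []):
        m = FROM_IP.search(value)
        if m:
            ips.append(m.group(1))
    return ips


def originating_ip(raw):
    """Best guess at the public address the message was sent from, following
    the rule on this page: use X-Originating-IP when the webmail provider
    supplies one, otherwise walk the Received chain from the earliest hop (the
    bottom line) upward and take the first address that is not private."""
    msg = message_from_string(raw)
    xo = msg.get("X-Originating-IP")
    if xo:
        m = re.search(IPV4, xo)
        if m and not is_private(m.group(1)):
            return m.group(1)
    for ip in reversed(received_ips(raw)):
        if not is_private(ip):
            return ip
    return None


def report(raw):
    """Human-readable summary: every hop, flagged, and the one worth tracing."""
    lines = []
    for ip in received_ips(raw):
        tag = "private, ignore" if is_private(ip) else "public"
        lines.append(f"  Received from {ip:<16} {tag}")
    lines.append(f"  trace this one: {originating_ip(raw)}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, raw in (("Yahoo-style", YAHOO_STYLE), ("Hotmail-style", HOTMAIL_STYLE)):
        print(name)
        print(report(raw))
```

The address the script hands back is the one to feed to nslookup and tracert as shown earlier on the page; as the page notes, it identifies the sender's provider, not necessarily the sender's own machine.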

Here's how to run nmap in Windows.

Get into MS-DOS with Start --> Run --> command.com (for Windows 98, SE and ME) or cmd.exe for Windows NT, 2000 or XP. To get a listing of all command options, just type "nmap". Here's an example of how to scan. At the prompt type:

nmap -sTU -P0 happyhacker.org > c:\scanlog.txt

Starting Nmap 4.03 ( http://www.insecure.org/nmap ) at 2006-04-25 11:38 Mountain Standard Time

This should make a file named "scanlog.txt" that will show all active ports. OK, that's the nmap theory. In reality, nmap will be totally fooled if you run it against this website, happyhacker.org! We've set it up to fool nmap into thinking it is running tens of thousands of servers, muhahaha! Too bad, because nmap is the best port scanner you can get, so that's what you are stuck with. However, most computers aren't set up to fool nmap. Here's an example from the second to last computer in the traceroute above:

C:\Documents and Settings\Owner>nmap -sT -P0 -p 1-1024 212.110.255.233 > c:\logfile.txt

C:\Documents and Settings\Owner>type c:\logfile.txt

Starting Nmap 4.03 ( http://www.insecure.org/nmap ) at 2006-04-25 12:31 Mountain Standard Time
Interesting ports on 212.110.255.233:
(The 1018 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
7/tcp open echo
9/tcp open discard
13/tcp open daytime
19/tcp open chargen
23/tcp open telnet
514/tcp open shell

Nmap finished: 1 IP address (1 host up) scanned in 439.902 seconds

Just for fun I tried telnetting into that computer and got:

User Access Verification

username:

Looks like a router for satellite communications!
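The rule of thumb the page applies to the scan log (a web server on the hop means it may be a proxy; management and "small" services with no web server look like a router; nothing open is consistent with a home machine on a dynamic line) as a parser for nmap's normal text output. This is an added example, not code from the page. The first log is constructed to match the scan shown above for the next-to-last traceroute hop; the other two are invented, using TEST-NET addresses (192.0.2.0/24), to stand in for a web proxy and for a quiet home machine.

```python
import re

# Three nmap 4.x "normal output" logs. ROUTER_LOG is constructed to match the
# scan log shown on this page; PROXY_LOG and QUIET_LOG are invented and use
# TEST-NET addresses so they point at nothing real.
ROUTER_LOG = """\
Starting Nmap 4.03 ( http://www.insecure.org/nmap ) at 2006-04-25 12:31 Mountain Standard Time
Interesting ports on 212.110.255.233:
(The 1018 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
7/tcp   open  echo
9/tcp   open  discard
13/tcp  open  daytime
19/tcp  open  chargen
23/tcp  open  telnet
514/tcp open  shell

Nmap finished: 1 IP address (1 host up) scanned in 439.902 seconds
"""

PROXY_LOG = """\
Interesting ports on 192.0.2.10:
(The 1021 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
"""

QUIET_LOG = """\
All 1024 scanned ports on 192.0.2.77 are: closed
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
TARGET = re.compile(r"ports on (\S+?)(?::|\s+are)")

WEB_PORTS = {80, 443, 3128, 8080}   # a web server or HTTP proxy answers here
MGMT_PORTS = {22, 23, 161, 514}     # remote-management services typical of routers
SMALL_SERVICES = {7, 9, 13, 19}     # echo/discard/daytime/chargen, on by default on older routers


def parse_scan(text):
    """Return (target, {(port, proto): service}) for every port nmap reported open."""
    m = TARGET.search(text)
    target = m.group(1) if m else None
    open_ports = {}
    for port, proto, state, service in PORT_LINE.findall(text):
        if state == "open":
            open_ports[(int(port), proto)] = service
    return target, open_ports


def classify(text):
    """Apply the page's rule of thumb to one scan log."""
    _, open_ports = parse_scan(text)
    tcp = {port for (port, proto) in open_ports if proto == "tcp"}
    if tcp & WEB_PORTS:
        return "web server or proxy"
    if tcp & MGMT_PORTS and tcp <= (MGMT_PORTS | SMALL_SERVICES):
        return "router-like"
    if not tcp:
        return "no listeners"
    return "general-purpose host"


def describe(text):
    """One line per log: target, verdict, and the open ports behind the verdict."""
    target, open_ports = parse_scan(text)
    listing = ", ".join(f"{p}/{proto} {svc}" for (p, proto), svc in sorted(open_ports.items()))
    return f"{target}: {classify(text)} [{listing or 'nothing open'}]"


if __name__ == "__main__":
    for log in (ROUTER_LOG, PROXY_LOG, QUIET_LOG):
        print(describe(log))
```

The verdict is only as good as the heuristic: a host that answers on port 80 might be a proxy or just someone's home web server, so it is a prompt for the browser test described above, not a conclusion.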

The last number in the traceroute isn't always the computer of the person who sent the email. Many home computers get a different IP number whenever they get on the Internet. So all the traceroute can really tell you is the Internet Service provider of the person who sent you the email.

Next -- let's get back to this Mr. "Shalom" character. What is this web site he/she claims to defend? First we look at the site itself: http://www.binzayed.com. It says it belongs to a company located in Dubai, United Arab Emirates. That's a long way from Turkey. But, hey, just on the one chance in a million that the sender of this email isn't lying, I do a whois lookup. Here's how to find out who owns and administers any web site.

The only centralized feature of the Internet is that you must get an assignment of an Internet domain name and address. The databases of these assignments are crucial for your exploration activities. The world-wide database of assigned domain names is coordinated by these organizations:

The Internet Assigned Numbers Authority (IANA, http://www.iana.org) is dedicated to preserving the central coordinating functions of the global Internet for the public good.

Internet Corporation for Assigned Names and Numbers http://www.internic.net

The American Registry for Internet Numbers (ARIN, http://arin.net) is a non-profit organization established for the purpose of administration and registration of Internet Protocol (IP) numbers for North America, South America, the Caribbean and sub-Saharan Africa.

Reseaux IP Europeens (RIPE, http://www.ripe.net) handles registrations for Europe, Middle East, and parts of Africa.

The Asia Pacific Network Information Centre (APNIC, http://www.apnic.net) handles the Asia Pacific region.

Under these top level registries are many registrar companies, for example Network Solutions.

The U.S. government has two whois registries:
http://whois.nic.mil (Military)
http://whois.nic.gov (Everything else)

I start with http://www.internic.net because it should tell me in what registry binzayed.com resides. Its answer to my "whois" query is:

Domain Name: BINZAYED.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL:
http://www.networksolutions.com
Name Server: NS1.INTERNET-DNS.NET
Name Server: NS2.INTERNET-DNS.NET
Status: ACTIVE
Updated Date: 06-dec-2001
Creation Date: 11-nov-1999
Expiration Date: 11-nov-2003

At Network Solutions I do a whois query and get:

Registrant:
Patrick McManaman (BINZAYED2-DOM)
Oasis Court PO Box 30036
Dubai, DUBAI 30036
UA

Domain Name: BINZAYED.COM

Administrative Contact:
Carvalho, Ryan (RCB221) ryanc@GTFS-GULF.COM
GTFS
Oasis Court 16th Street P.O. Box 30036
Dubai 30036 AE
009714-3973337 fax: 009714-3976262
Technical Contact:
iNNERHOST, Inc. (HO1350-ORG) Hostmaster@INNERHOST.COM
iNNERHOST, Inc.
2300 NW 89th Place, Dept H
Miami, FL 33172
US
305-717-6600 fax: 786-845-1694

Record expires on 11-Nov-2003.
Record created on 15-Oct-2002.
Database last updated on 18-Jun-2003 12:40:43 EDT.

Domain servers in listed order:

NS1.INTERNET-DNS.NET 66.234.2.27
NS2.INTERNET-DNS.NET 216.87.0.197

This sure doesn't look like a web site a guy/gal in Turkey would be defending. After all, how can he/she secure a web site without having physical access to it? Just to be totally sure, I do a trace route to see whether the physical location of this site may be in Turkey:

C:\Documents and Settings\Owner>tracert binzayed.com

Tracing route to binzayed.com [216.87.12.206]
over a maximum of 30 hops:

1 189 ms 167 ms 167 ms abq-tch1-arc.foobar.com [204.252.999.252]
2 188 ms 168 ms 159 ms abq-gw1.foobar.com [204.252.999.254]
3 261 ms 207 ms 207 ms 47.ATM5-0.GW5.DFW7.ALTER.NET [157.130.225.153]
4 302 ms 199 ms 191 ms 0.so-3-1-0.xr1.dfw7.alter.net [152.63.101.34]
5 301 ms 191 ms 191 ms 191.at-2-0-0.xr1.dfw9.alter.net [152.63.96.210]
6 309 ms 207 ms 199 ms 0.so-2-0-0.xl1.dfw9.alter.net [152.63.101.253]
7 310 ms 191 ms 183 ms pos6-0.br1.dfw9.alter.net [152.63.98.121]
8 239 ms 192 ms 198 ms 204.255.168.230
9 237 ms 183 ms 191 ms dal-core-01.inet.qwest.net [205.171.25.45]
10 269 ms 231 ms 207 ms iah-core-02.inet.qwest.net [205.171.8.126]
11 405 ms 278 ms 199 ms iah-core-01.inet.qwest.net [205.171.31.1]
12 413 ms 223 ms 231 ms tpa-core-02.inet.qwest.net [205.171.5.105]
13 333 ms 225 ms 207 ms tpa-core-03.inet.qwest.net [205.171.27.190]
14 293 ms 215 ms 223 ms 205.171.27.42
15 237 ms 231 ms 231 ms 65.115.128.14
16 326 ms 223 ms 223 ms 66.234.14.49
17 300 ms 224 ms 215 ms www.binzayed.com [216.87.12.206]

Trace complete.

Note that the next-to-last hop, 66.234.14.49, is very similar to the IP number of a binzayed.com DNS server (NS1.INTERNET-DNS.NET, 66.234.2.27).

OK, time to let the bad guy/gal have it. Not what he/she wanted: I'm reporting this character to the technical contact for the web site, to abuse@yahoo.com, and to postmaster@tnn.com.

Here's another example of some kode kiddie trying to trick me into attacking a web site. This person even tried several times to convince me. Sheesh!

Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Fri, 13 Jun 2003 21:01:48 -0700
Received: from 202.57.90.219 by lw12fd.law12.hotmail.msn.com with HTTP;
Sat, 14 Jun 2003 04:01:48 GMT
X-Originating-IP: [202.57.90.219]
X-Originating-Email: [firsttimemo14@hotmail.com]
From: "Laurence Ysrael Velilla Ramos" <firsttimemo14@hotmail.com>

I've heard about your greatness, being a respectable hacker, and you wrote a book. I'm challenging you to hack my rookie-made web page, namely pure-xa.com. I'm not trying to pick a fight, or this isn't any kind of a trap, just an open challenge because I'm quite impressed with your reputation as a hacker. I hope you have the time. Please insert the words "your webpage has been hacked" so I know that it's been hacked. Please, pretty please, and thank you! -Adel

I replied:

Do it the other way, I challenge you to break into happyhacker.org.

Note that unless the web site you say is yours, pure-xa.com, advertises that it is a legitimate wargame target, you will need to send a signed, notarized statement authorizing me to attack it and saying you own it. It would make your offer more credible, too, if you were either the administrative or technical contact for pure-xa.com and if you were emailing me from Connecticut instead of an ADSL line in the Philippines.

Domain Name Owner:
LaPionte Design
4 North Stonington Road PO Box 547
Old Mystic, CT 06372
US

Administrative Contact:
LaPionte Design
LaPionte, Trish [TL-89]
4 North Stonington Road PO Box 547
Old Mystic, CT 06372, US
Phone: 8605360879
Email: wowodgunman@yahoo.com

Technical Contact:
Omnis Network
Network, Omnis [ON-1]
3655 Torrance Blvd Suite 440
Torrance, CA 90503, US
Phone: (310)316-2744
Fax: (310)316-4991
Email: nicreg@omnis.com

He/she wrote back:

Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Sun, 15 Jun 2003 23:08:10 -0700
Received: from 202.57.84.100 by lw15fd.law15.hotmail.msn.com with HTTP;
Mon, 16 Jun 2003 06:08:10 GMT
X-Originating-IP: [202.57.84.100]
X-Originating-Email: [firsttimemo14@hotmail.com]
From: "Laurence Ysrael Velilla Ramos" <firsttimemo14@hotmail.com>
To:
Bcc:
Date: Mon, 16 Jun 2003 06:08:10 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <Law15-F90Ho49T0kOuM00029538@hotmail.com>
X-OriginalArrivalTime: 16 Jun 2003 06:08:10.0443 (UTC) FILETIME=[A9ABD9B0:01C333CD]

And believe me, I'm smiling from ear to ear. I'm not really expecting you would trace this. You could just forget about it.

Then he/she sent a second email,

Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Sun, 15 Jun 2003 22:52:37 -0700
Received: from 202.57.84.100 by lw15fd.law15.hotmail.msn.com with HTTP;
Mon, 16 Jun 2003 05:52:37 GMT
X-Originating-IP: [202.57.84.100]
X-Originating-Email: [firsttimemo14@hotmail.com]
From: "Laurence Ysrael Velilla Ramos" <firsttimemo14@hotmail.com>

I really can't do it. But it was my friend's webpage and you can trust me on that. But can you hack it anyway? Oh, and by the way, I'm impressed by the way you traced me, huh? Real impressive.

Carolyn replies: I can't believe that some people think I'll commit crime against a computer just because someone claims the victim is a "friend." What kind of nasty person thinks it's OK to commit crime against anyone who is a "friend"? And why do they think I might commit that crime for them?


Tired of reading about people that want to be computer criminals or are just plain malicious? To read about hackers who use their skills to make the world a better place, click here for "Have a Great Life."



© 2006 Happy Hacker All rights reserved.