========================================================================


  1. How to protect yourself from email bombs!
  2. How to map the Internet.
  3. How to keep from getting kicked off IRC!
  4. How to Read Email Headers and Find Internet Hosts
  5. The Dread GTMHH on Cracking
  6. How to Be a Hero in Computer Lab



========================================================================



How to protect yourself from email bombs!
________________________________________
 
Email bombs! People like angry johnny, AKA the “Unamailer,” have made the news lately by arranging for 20 MB or more of email -- tens of thousands of  messages -- to flood every day into his victims’ email accounts.  
 
Email bombing can be bad news for two reasons. One, the victim can’t easily find any of their legitimate email in that giant garbage heap of spam. Two, the flood of messages ties up mail servers and chews up communications bandwidth.  
 
Of course, those are the two main reasons that email bombers make their attacks: to mess up people’s email and/or harm the ISPs they target. The email bomb is a common weapon of war against Internet hosts controlled by spammers and con artists. It also is used by lusers with a grudge.  
 
News stories make it sound like email bombing victims are, ahem, s*** out of luck. But we aren’t. We know, because angry -- the Christmas email bomber -- told the press that he had targeted the Happy Hacker list’s Supreme Commanderess, Carolyn Meinel. (Someone simultaneously attempted to email bomb the Happy Hacker list itself but no one has stepped forward to take credit for the attempt).  
 
But as you know from the fact that we got the Happy Hacker Digest out after the attack, and by the fact that I kept answering my email, there are ways to beat the email bombers.  
 
Now most of these are techniques for use by experts only. But if you are, like most of us on this list, a newbie, you may be able to win points with your ISP by emailing its technical help people with some of the information within this guide. Maybe then they’ll forgive you if your shell log file gets to looking a little too exciting!  
 
My first line of defense is to use several on-line services. That way, whenever one account is getting hacked, bombed, etc., I can just email all my correspondents and tell them where to reach me. Now I’ve never gotten bombed into submission, but I have gotten hacked badly and often enough that I once had to dump an ISP in disgust. Or, an ISP may get a little too anxious over your hacking experiments. So it’s a good idea to be prepared to jump accounts.  
 
But that’s a pretty chicken way to handle email bombing. Besides, a member of the Happy Hacker list says that the reason angry johnny didn’t email bomb all the accounts I most commonly use is because he persuaded johnny to just bomb one for publicity purposes. But even if johnny had bombed all my favorite accounts, I could have been back on my feet in a hurry.
 
There are several ways that either your ISP or you can defeat these attacks.  
 
The simplest defense is for your ISP to block mail bombs at the router. This only works, however, if the attack is coming from one or a few hosts. It also only works if your ISP agrees to help you out. Your ISP may just chicken out instead and close your account.  
 
***************************
Newbie note: routers are specialized computers that direct traffic. A host is a computer on the Internet.
***************************
 
But what if the attack comes from many places on the Internet? That happened to me on Christmas day when angry johnny took credit for an email bombing attack that also hit a number of well-known US figures such as evangelist Billy Graham, President Bill Clinton and Speaker of the US House of Representatives Newt Gingrich. (I blush to find myself in such company.)  
 
The way angry johnny worked this attack was to set up a program that would go to one computer that runs a program to handle email lists and automatically subscribe his targets to all lists handled by that computer. Then his program went to another computer that handles email lists and subscribed his targets to all the lists it handled, and so on.  
 
I was able to fix my problem within a few minutes of discovery. johnny had subscribed all these lists to my address cmeinel@swcp.com. But I use my private domain, techbroker.com, to receive email. Then I pipe all this from my nameserver at Highway Technologies to whatever account I find useful at the time. So all I had to do was go to the Highway Technologies Web site and configure my mail server to pipe email to another account.  
 
**************************
Newbie note: a mail server is a computer that handles email. It is the one to which you hook your personal computer when you give it a command to upload or download your email.
**************************
 
***********************
Evil genius tip: You can quickly reroute email by creating a file in your shell account (you do have a shell account, don’t you? SHELL ACCOUNT! All good hackers should have a SHELL ACCOUNT!) named .forward. This file directs your email to another email account of your choice.
***********************
 
If angry johnny had email bombed cmeinel@techbroker.com, I would have piped all that crud to /dev/null and requested that my correspondents email to carolyn@techbroker.com, etc. It’s a pretty flexible way of handling things. And my swcp.com accounts work the same way. That ISP, Southwest Cyberport, offers each user several accounts all for the same price, which is based on total usage. So I can create new email addresses as needed.
 
Warning -- this technique -- every technique we cover here -- will still cause you to lose some email. But I figure, why get obsessive over it? According to a study by a major paging company, a significant percentage of email simply disappears. No mail daemon warning that the message failed, nothing. It just goes into a black hole. So if you are counting on getting every piece of email that people send you, dream on.  
 
But this doesn’t solve my ISP’s problem. They still have to deal with the bandwidth problem of all that crud flooding in. And it’s a lot of crud. One of the sysadmins at Southwest Cyberport told me that almost every day some luser email bombs one of their customers. In fact, it’s amazing that angry johnny got as much publicity as he did, considering how commonplace email bombing is. So essentially every ISP somehow has to handle the email bomb problem.
 
How was angry johnny able to get as much publicity as he did? You can get an idea from this letter from Lewis Koch, the journalist who broke the story (printed with his permission):
 
From: Lewis Z Koch <lzkoch@mcs.net>
Subject: Question
 
Carolyn:  
 
First, and perhaps most important, when I called you to check if you had indeed been email bombed, you were courteous enough to respond with information.  I think it is a tad presumptuous for you to state that "as a professional courtesy I am _letting_ Lewis Koch get the full scoop."  This was a story that was, in fact, exclusive.  
 
(Carolyn’s note: as a victim I knew technical details about the attack that Koch didn’t know. But since Koch tells me he was in contact with angry johnny in the weeks leading up to the mass email bombings of Christmas 1996, he clearly knew a great deal more than I about the list of johnny’s targets. I also am a journalist, but deferred to Koch by not trying to beat him to the scoop.)  
 
Second, yes I am a subscriber and I am interested in the ideas you advance. But that interest does not extend to feeding you -- or single individual or group -- "lots of juicy details." The details of any story lay in the writing and commentary I offer the public. "Juicy" is another word for sensationalism, a tabloid approach -- and something I carefully avoid.
 
(Carolyn’s note: If you wish to see what Koch wrote on angry johnny, you may see it in the Happy Hacker Digest of Dec. 28, 1996.)  
 
The fact is I am extraordinarily surprised by some of the reactions I have received from individuals, some of whom were targets, others who are bystanders.  
 
The whole point is that there are extraordinary vulnerabilities to and on the Net -- vulnerabilities which are being ignored...at the peril of us all.  
 
Continuing: "However, bottom line is that the email bomber used a technique that is ridiculously lame -- so lame that even Carolyn Meinel could turn off the attack in mere minutes. Fry in dev/null, email bomber!"  
 
johnny made the point several times that the attack was "simple."  It was deliberately designed to be simple. I imagine -- I know -- that if he, or other hackers had chosen to do damage, serious, real damage, they could easily do so. They chose not to.  
 
One person who was attacked was angry with my report. He used language such as "his campaign of terror," "the twisted mind of 'johnny'," "psychos like 'johnny'," "some microencephalic moron," "a petty gangster" to describe johnny.
 
This kind of thinking ignores history and reality.  If one wants to use a term such as "campaign of terror" they should check into the history of the Unabomber, or the group that bombed the Trade Center, or the Federal Building in Oklahoma City...or look to what has happened in Ireland or Israel.  There one finds "terrorism."  
 
What happened was an inconvenience -- equivalent, in my estimation, to the same kind of inconvenience people experienced when young people blocked the streets of major cities in protest against the war in Vietnam. People were inconvenienced -- but the protesters were making a point about an illegal and unnecessary war that even the prosecutors of the war, like Robert McNamara, knew from the beginning was a lost venture. Hundreds of thousands of people lost their lives in that war -- and if some people found themselves inconvenienced by people protesting against it -- I say, too d*** bad.
 
Thank you for forwarding my remarks to your list     
 
Ahem. I’m flattered, I guess. Is Koch suggesting the Happy Hacker list -- with its habit of ***ing out naughty words -- and evangelist Billy Graham -- whose faith I share -- are of an Earth-shaking level of political bad newsness comparable to the Vietnam War?  
 
So let’s say you don’t feel that it is OK for any two-bit hacker wannabe to keep you from receiving email. What are some more ways to fight email bombs?
 
For bombings using email lists, one approach is to run a program that sorts through the initial flood of the email bomb for those “Welcome to the Tomato Twaddler List!” messages which tell how to unsubscribe. These programs then automatically compose unsubscribe messages and send them out.  
 
Another way your ISP can help you is to provide a program called Procmail (which runs on the Unix operating system). For details, Zach Babayco (zachb@netcom.com) has provided the following article. Thank you, Zach!
 
*******************************
Defending Against Email-Bombing and Unwanted Mail
 
Copyright (C) Zach Babayco, 1996  
 
[Before I start this article, I would like to thank Nancy McGough for letting me quote liberally from her Filtering Mail FAQ, available at http://www.cis.ohio-state.edu/hypertext/faq/usenet/mail/filteringfaq/faq.html.  This is one of the best filtering-mail FAQs out there, and if you have any problems with my directions or want to learn more about filtering mail, this is where you should look.]  
 
Lately, there are more and more people out there sending you email that you just don't want, like "Make Money Fast!" garbage or lame ezines that you never requested or wanted in the first place.  Worse, there is the email bomb.  
 
There are two types of email bombs, the Massmail and the Mailing List bomb:  
 
1) Massmail-bombing.  This is when an attacker sends you hundreds, or perhaps even thousands of pieces of email, usually by means of a script and fakemail.  Of the two types, this is the easier to defend against, since the messages will be coming from just a few addresses at the most.  
 
2) Mailing List bombs.  In this case, the attacker will subscribe you to as many mailing lists as he or she can.  This is much worse than a massmail because you will be getting email from many different mailing lists, and will have to save some of it so that you can figure out how to unsubscribe from each list.  
 
This is where Procmail comes in. Procmail (pronounced prok-mail) is an email filtering program that can do some very neat things with your mail. For example, if you subscribe to several high-volume mailing lists, it can be set up to sort the mail into different folders so that all the messages aren't mixed up in your Inbox. Procmail can also be configured to delete email from certain people and addresses.
 
Setting up Procmail
-------------------
 
First, you need to see if your system has Procmail installed.  From the prompt, type:  
 
> which procmail  
 
If your system has Procmail installed, this command will tell you where Procmail is located.  Write this down - you will need it later.  
 
*NOTE* If your system gives you a response like "Unknown command: which" then try substituting 'which' with 'type', 'where', or 'whereis'.  
 
If you still cannot find Procmail, then it is probably a good bet that your system does not have it installed.  However, you're not completely out of luck - look at the FAQ I mentioned at the beginning of this file and see if your system has any of the programs that it talks about.  
 
Next, you have to set up a resource file for Procmail.  For the rest of this document, I will use the editor Pico.  You may use whichever editor you feel comfortable with.  
 
Make sure that you are in your home directory, and then start up your editor.  
 
> cd
> pico .procmailrc
 
Enter the following in the .procmailrc file:  
 
# This line tells Procmail what to put in its log file.  Set it to on when
# you are debugging.
VERBOSE=off

# Replace 'mail' with your mail directory.
MAILDIR=$HOME/mail

# This is where the logfile and rc files will be kept
PMDIR=$HOME/.procmail

LOGFILE=$PMDIR/log
# INCLUDERC=$PMDIR/rc.noebomb

(yes, type the INCLUDERC line WITH the #)
 
Now that you've typed this in, save it and go back up to your home directory.  
 
> cd
> mkdir .procmail
 
Now go into the directory that you just made, and start your editor up with a new file, rc.noebomb:
 
IMPORTANT: Be sure that you turn off your editor's word wrapping during this part. Each of the second, third, and fourth lines of this next example must stay on a single line. With Pico, use the -w flag. Consult your editor's manual page for instructions on turning off its word wrapping. Make sure that when you edit it, you leave NO SPACES in that line.
 
> cd .procmail
> pico -w rc.noebomb
 
# noebomb - email bomb blocker

:0
* ! ^((((Resent-)?(From|Sender)|X-Envelope-From):|From )(.*[^.%@a-z0-9])?(Post(ma?(st(e?r)?|n)|office)|Mail(er)?|daemon|mmdf|root|uucp|LISTSERV|owner|request|bounce|serv(ices?|er))([^.!:a-z0-9]|$))
* ! ^From:.*(postmaster|Mailer|listproc|majordomo|listserv|cmeinel|johnb)
* ! ^TO(netstuff|computing|pcgames)
/dev/null
 
Let's see what these do. The first line tells Procmail that this is the beginning of a "recipe". A recipe is basically what it sounds like -- it tells the program what it should look for in each email message, and if it finds what it is looking for, it performs an action on the message: forwarding it to someone, putting it in a certain folder, or in this case, deleting it.
 
The second, third, and fourth lines (the ones beginning with a *) are called CONDITIONS. The asterisk (*) tells Procmail that this is the beginning of a condition. The ! tells it to do the OPPOSITE of what it would normally do.
 
Condition 1:  
 
* ! ^((((Resent-)?(From|Sender)|X-Envelope-From):|From )(.*[^.%@a-z0-9])?(Post(ma?(st(e?r)?|n)|office)|Mail(er)?|daemon|mmdf|root|uucp|LISTSERV|owner|request|bounce|serv(ices?|er))([^.!:a-z0-9]|$))
 
Don't freak out over this, it is simpler than it seems at first glance. This condition tells Procmail to look at the header of a message, and see if it is from one of the administrative addresses like root or postmaster, and also check to see if it is from a mailer-daemon (the thing that sends you mail when you bounce a message). If a message IS  from one of those addresses, the recipe will put the message into your inbox and not delete it.  
 
Advanced User Note:  Those of you who are familiar with Procmail are probably wondering why I require the user to type in that whole long line of commands, instead of using the FROM_MAILER command.  Well, it looked like a good idea at first, but I just found out a few days ago that FROM_MAILER also checks the Precedence: header for the words junk, bulk, and list.  Many (if not all) mailing-list servers have either Precedence: bulk or Precedence: list, so if someone subscribes you to several hundred lists, FROM_MAILER would let most of the messages through, which is NOT what we want.  
 
Condition 2:  
 
* ! ^From:.*(listproc|majordomo|cmeinel|johnb)  
 
This condition does some more checking of the From: line in the header. In this example, it checks for the words listproc, majordomo, cmeinel, and johnb. If it is from any of those people, it gets passed on to your Inbox. If not, it's a goner. This is where you would put the usernames of people who normally email you, and also the usernames of mailing-list servers, such as listproc and majordomo. When editing this line, remember to only put the username in the condition, not a person's full email address, and remember to put a | between each name.
 
Condition 3:  
 
* ! ^TO(netnews|crypto-stuff|pcgames)  
 
This final condition is where you would put the usernames of the mailing lists that you are subscribed to (if any).  For example, I am subscribed to the netnews, crypto-stuff, and pcgames lists.  When you get a message from most mailing lists, most of the time the list address will be in the  To: or Cc: part of the header, rather than the From: part.  This line will check for those usernames and pass them through to your Inbox if they match.  Editing instructions are the same as the ones for Condition 2.  
 
The final line, /dev/null, is essentially the trash can of your system.  If a piece of email does not match any of the conditions, (i.e. it isn't from a mail administrator, it isn't from a listserver or someone you write to, and it's not a message from one of your usual mailing lists) Procmail dumps the message into /dev/null, never to be seen again.  
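To see the recipe's logic run, here is an added example (not part of Zach's article) that transcribes the three rc.noebomb conditions into Python's re module and classifies a few constructed header blocks. It also shows the FROM_MAILER problem from the Advanced User Note: with a Precedence: test added, a list message that should be dropped is kept. The usernames in the allow-lists and all sample messages are invented.

```python
import re

# Procmail matches case-insensitively and anchors ^ at the start of every
# header line, so the same flags are used for every condition here.
FLAGS = re.IGNORECASE | re.MULTILINE

# Condition 1: sender is an administrative address or a mailer daemon.
ADMIN_SENDER = re.compile(
    r"^(((Resent-)?(From|Sender)|X-Envelope-From):|From )(.*[^.%@a-z0-9])?"
    r"(Post(ma?(st(e?r)?|n)|office)|Mail(er)?|daemon|mmdf|root|uucp|LISTSERV"
    r"|owner|request|bounce|serv(ices?|er))([^.!:a-z0-9]|$)", FLAGS)

# Condition 2: From: names a known correspondent or list-server username
# (constructed allow-list).
KNOWN_FROM = re.compile(r"^From:.*(listproc|majordomo|cmeinel|johnb)", FLAGS)

# Condition 3: addressed to a list you joined.  Procmail's ^TO macro also
# covers Bcc:, Apparently-To: and X-Envelope-To:; this simplified form
# (an assumption of this example) checks To:, Cc: and their Resent- forms.
TO_MY_LISTS = re.compile(
    r"^(Resent-)?(To|Cc):(.*[^-a-zA-Z0-9_.])?(netnews|crypto-stuff|pcgames)",
    FLAGS)

# The extra test FROM_MAILER performs, which the article deliberately avoids.
PRECEDENCE_BULK = re.compile(r"^Precedence:.*(junk|bulk|list)", FLAGS)


def _deliver(conditions, headers):
    """Each condition starts with '!', so it holds only when its regex does
    NOT match, and /dev/null fires only when all of them hold.  Any single
    match therefore keeps the message in the inbox."""
    for cond in conditions:
        if cond.search(headers):
            return "inbox"
    return "/dev/null"


def noebomb_action(headers):
    """Where rc.noebomb delivers a message, given its raw header block."""
    return _deliver((ADMIN_SENDER, KNOWN_FROM, TO_MY_LISTS), headers)


def from_mailer_action(headers):
    """The same recipe with condition 1 replaced by a FROM_MAILER-style test.

    FROM_MAILER also matches 'Precedence: bulk|list|junk', which nearly every
    list server sets, so mailing-list bomb traffic would reach the inbox.
    """
    return _deliver((ADMIN_SENDER, PRECEDENCE_BULK, KNOWN_FROM, TO_MY_LISTS),
                    headers)


# Constructed sample header blocks (not real mail).
FRIEND = ("From johnb@example.net Mon Jan  6 10:00:00 1997\n"
          "From: johnb@example.net\nTo: me@example.com\nSubject: lunch?\n")
BOUNCE = ("From: Mail Delivery Subsystem <MAILER-DAEMON@example.com>\n"
          "To: me@example.com\nSubject: Returned mail: User unknown\n")
ROOT = "From: root@wherever.com\nTo: me@example.com\nSubject: disk quota\n"
MY_LIST = ("From: someone@example.org\nTo: pcgames@lists.example.org\n"
           "Precedence: bulk\nSubject: new patch\n")
BOMB = ("From: lurker@lists.example.org\n"
        "To: tomato-twaddler@lists.example.org\nPrecedence: bulk\n"
        "Subject: Welcome to the Tomato Twaddler List!\n")

if __name__ == "__main__":
    for name, msg in [("friend", FRIEND), ("bounce", BOUNCE), ("root", ROOT),
                      ("my list", MY_LIST), ("unwanted list", BOMB)]:
        print("%-14s noebomb -> %-9s FROM_MAILER -> %s"
              % (name, noebomb_action(msg), from_mailer_action(msg)))
```

Only the unwanted list message is treated differently by the two variants, which is exactly the case an email bomb consists of.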
 
Ok.  Now you should have created two files:  .procmailrc and rc.noebomb. We need one more before everything will work properly.  Save rc.noebomb and exit your editor, and go to your home directory.  Once there, start your editor up with the no word wrapping command.  
 
> cd
> pico -w .forward
 
We now go to an excerpt from Nancy M.'s Mail Filtering FAQ:  
 
    Enter a modified version of the following in your ~/.forward:

     "|IFS=' ' && exec /usr/local/bin/procmail -f- || exit 75 #nancym"

    == IMPORTANT NOTES ==
     * Make sure you include all the quotes, both double (") and single (').
     * The vertical bar (|) is a pipe.
     * Replace /usr/local/bin with the correct path for procmail (see step 1).
     * Replace `nancym' with your userid.  You need to put your userid in your .forward so that it will be different than any other .forward file on your system.
     * Do NOT use ~ or environment variables, like $HOME, in your .forward file.  If procmail resides below your home directory write out the *full* path.

    On many systems you need to make your .forward world readable and your home directory world searchable in order for the mail transport agent to "see" it.  To do this type:

      cd
      chmod 644 .forward
      chmod a+x .

If the .forward template above doesn't work the following alternatives might be helpful:

In a perfect world:          "|exec /usr/local/bin/procmail #nancym"
In an almost perfect world:  "|exec /usr/local/bin/procmail USER=nancym"
In another world:            "|IFS=' ';exec /usr/local/bin/procmail #nancym"
In a different world:        "|IFS=' ';exec /usr/local/bin/procmail USER=nancym"
In a smrsh world:            "|/usr/local/bin/procmail #nancym"
 
Now that you have all the necessary files made, it's time to test this filter.  Go into your mailreader and create a new folder called Ebombtest.  This procedure differs from program to program, so you may have to experiment a little.  Then open up the rc.noebomb file and change /dev/null to Ebombtest.  (You should have already changed Conditions 2 and 3 to what you want; if not, go do it now!)  Finally, open up .procmailrc and remove the # from the last line.  
 
You will need to leave this on for a bit to test it.  Ask some of the people in Condition 2 to send you some test messages.  If the messages make it through to your Inbox, then that condition is working fine.  Send yourself some fake email under a different name and check to see if it  ends up in the Ebombtest folder.  Also, send yourself some fakemail from root@wherever.com to make sure that Condition 1 works.  If you're on any mailing lists, those messages should be ending up in your Inbox as well.  
 
If all of these test out fine, then congratulations! You now have a working defense against email bombs. For the moment, change the Ebombtest line in the rc.noebomb file back to /dev/null, and put the # in front of the INCLUDERC line in the .procmailrc file. If someone ever decides to email bomb you, you only need to remove the #, and you will have greatly cut down on the number of messages coming into your Inbox, giving you a little bit of breathing room to start unsubscribing from all those lists, or start tracking down those idiots who did it and get their asses kicked off their ISP's.
 
If you have any comments or questions about this, email me at zachb@netcom.com.  Emailbombs WILL go to /dev/null, so don't bother!  
 
Disclaimer:  When you activate this program, it is inevitable that a small amount of wanted mail MAY get put into /dev/null, due to the fact that it is nearly impossible to know the names of all the people that may write to you.  Therefore, I assume no responsibility for any email which  may get lost, and any damages which may come from those lost messages.  
 
********************
Don’t have procmail? If you have a Unix box, you can download procmail from ftp://ftp.informatik.rwth-aachen.de/pub/packages/procmail/
*******************
 
A note of thanks goes to Damien Sorder (jericho@dimensional.com) for his assistance in reviewing this guide.  
 
And now, just to make certain you can get this invaluable Perl script to automatically unsubscribe email lists, here is the listing:

#!/usr/local/bin/perl
#
# unsubscribe
#
# A perl script by Kim Holburn, University of Canberra 1996.
# kim@canberra.edu.au
# Feel free to use this and adjust it.  If you make any useful adjustments or
# additions send them back to me.
#
# This script will unsubscribe users in bulk from whatever mail lists they are
# subscribed to.  It also mails them that it has done this.
# It is useful for sys admins of large systems with many accounts and
# floating populations, like student servers.
# This script must be run by root although I don't check for this.
# You have to be root to read someone else's mailbox and to
# su to their account, both of which this script need to do.
#
# This script when applied to a mailbox will look through it to find
# any emails sent by mailing lists, attempt to determine the address of the
# mailing list and then send an unsubscribe message from that user.
# If invoked with no options only the mailbox name(s) it will assume
# the mailbox filename is the same as the username, as it is on a sun.
#
# Technical details:
# To find emails from mailing lists it looks for "owner" as part of
# the originating email address in the BSD From line (envelope).
# list servers that don't do this will be missed if you can figure a way
# round this let me know.
# The script doesn't do any file locking but then it only reads the mailbox
# file.

sub fail_usage {
  if (@_) { print "Error : ", @_, "\n"; }
  print "Usage : $0 [-d] mailboxes\n";
  print "Usage : $0 [-d] -u user mailbox \n";
  print "Usage : $0 [-d] -u user -l listname -h host -a listserver\n";
  print "where listserver is the full email address of the listserver\n";
  exit;
}

# Send "unsubscribe <list>" to the list server, as the user being unsubscribed,
# so the list sees the request come from the subscribed address.
sub unsub {
  local ($myuser, $mylist, $myhost, $myaddress) = @_;

  if (!$debug) {
    if (!open (SEND, "|(USER=$myuser;LOGNAME=$myuser;su $myuser -c \"/usr/ucb/mail $myaddress\")"))
      { print "Couldn't open mailer for user \"$myuser\"\n"; return; }
    print SEND "unsubscribe $mylist\n" ;
    close SEND;
  } else {
    print "No unsub \"$myuser\" on \"$mylist\@$myhost\" to :\n";
    print "      $myaddress\n";
  }
}

# Tell the user which list they were removed from and how to rejoin it.
sub notify {
  local ($myuser, $mylist, $myhost, $myaddress) = @_;
  if (!$debug) {
    if (!open (SEND, "|/usr/ucb/mail -s \"unsubscribed $mylist\" $myuser"))
      { print "Couldn't open mailer for user \"$myuser\"\n"; return; }
    $mess = <<EOM;
You have been automatically unsubscribed from the mailing list :
$mylist\@$myhost
to resubscribe follow the original directions or
EOM
    print SEND $mess;
    if ($myaddress !~ /,/) {
      print SEND "send a message to the address $myaddress \n" ;
    } else {
      print SEND "send a message to the appropriate one of the addresses: \n";
      print SEND "$myaddress \n" ;
    }
    $mess4 = <<EOM2;
with no subject, no signature and a single line :
subscribe (your name)

EOM2
    print SEND $mess4 ;
    close SEND;
  } else {
    print "No notify \"$myuser\" on \"$mylist\@$myhost\" to :\n";
    print "      $myaddress\n";
  }
}

# Options: -d (debug, send nothing), -u user, -l list, -h host, -a address.
$debug=0;
$usersupplied=0;
while (($#ARGV > (-1)) && ($ARGV[0] =~ /^-/)) {
  if ($ARGV[0] eq '-d') { shift ARGV; $debug=1; }
  elsif ($#ARGV < 1) { &fail_usage("option \"$ARGV[0]\" needs an argument"); }
  elsif ($ARGV[0] eq '-u') { shift ARGV; $user=shift ARGV; }
  elsif ($ARGV[0] eq '-l') { shift ARGV; $list=shift ARGV; }
  elsif ($ARGV[0] eq '-h') { shift ARGV; $host=shift ARGV; }
  elsif ($ARGV[0] eq '-a') { shift ARGV; $address=shift ARGV; }
  else { &fail_usage(); }
}
$usersupplied = ($user ne '') ;

#print "debug d=\"$debug\" u=\"$user\" l=\"$list\" h=\"$host\"\n";
#print "debug \$#ARGV=$#ARGV a=\"$address\" \n";
# No mailbox given: unsubscribe one user from one list named on the command line.
if ($#ARGV == (-1)) {
  if ($usersupplied && $list ne '' && $host ne '' && $address ne '') {
    $list =~ s/@.*$//;
    $user =~ s/@.*$//;
    $host =~ s/^.*@//;
    if ($address !~ /@/) { &fail_usage("bad address"); }
    &unsub ($user, $list, $host, $address);
    &notify ($user, $list, $host, $address);
    exit;
  } else { &fail_usage("no files and no addresses"); }
}

if ($usersupplied && $#ARGV > 0) { &fail_usage(); }

foreach $file (@ARGV) {
  %addresses=();
  if (!$usersupplied) { $user=$file; }
  $user =~ s@^.*/@@;
  if ($file =~ /^\./) { print "skipping wrong type of file \"$file\"\n"; next; }
  if ($file =~ /\.lock/)
    { print "skipping lock file \"$file\"\n"; next; }
  if ($file =~ /\./) { print "skipping wrong type of file \"$file\"\n"; next; }
  $user =~ s/^\.//;
  $user =~ s/\..*$//;
  if (!open (MYFILE, "<$file" ))
    { print "Couldn't open file \"$file\"\n"; next; }
  print "--------------------------opening file \"$file\"\n";
  # First pass: collect list addresses written as owner-LIST@host, LIST-owner@host,
  # l-LIST@host or LIST-l@host.
  while (<MYFILE>) {
#    if (/(\bnews-[-\w.]+@)|([-\w.]+-news@)/i)
#    if (/(\brequest-[-\w.]+@)|([-\w.]+-request@)/i)
    if (/(\bowner-[-\w.]+@)|([-\w.]+-owner@)/i) {
      chop;
      tr/A-Z/a-z/;
      if (/\bowner-[-\w.]+@/) { s/^.*\bowner-([-\w.]+@[\w.]+)\b.*$/$1/; }
      else { s/(^|^.*[^-\w.])([-\w.]+)-owner(@[\w.]+)\b.*$/$2$3/; }
      if (/[^a-z0-9@.-]/) { next; }
      if (!defined ($addresses{$_})) { $addresses{$_}=""; }
    }
    if (/(\bl-[-\w.]+@)|([-\w.]+-l@)/i) {
      chop;
      tr/A-Z/a-z/;
      if (/\bl-[-\w.]+@/) { s/^.*\bl-([-\w.]+@[\w.]+)\b.*$/$1/; }
      else { s/(^|^.*[^-\w.])([-\w.]+)-l(@[\w.]+)\b.*$/$2$3/; }
      if (/[^a-z0-9@.-]/) { next; }
      if (!defined ($addresses{$_})) { $addresses{$_}=""; }
    }
  }
  close MYFILE;
  while (($key,$value)=each %addresses) { print "$key\n"; }
  if (! keys %addresses ) { print "no listservers\n";  next; }
  if (! open (MYFILE, "<$file" ))
    { print "Couldn't open file \"$file\"\n"; next; }
  print "looking for listserver addresses\n";
  # Second pass: find which list server (listserv, listproc or majordomo) runs at
  # each list's host.
  while (<MYFILE>) {
    foreach $address (keys %addresses) {
      $host=$address;
      $host =~ s/^.*@//;
      if (/(listserv|listproc|majordomo)\@\Q$host\E/i) {
        $addresses{$address}=$1;
#        print "found 1 = \"$1\"\n";
      }
    }
  }
  close MYFILE;
  while (($key,$value)=each %addresses) {
    $host=$key;
    $host=~s/^.*@//;
    $list=$key;
    $list=~s/@.*$//;
#    print "$value\@$host key=\"$key\" list=\"$list\" \n";
    # No server identified: try all three conventional addresses at the host.
    if ($value eq '')
      { $address="listserv\@$host,listproc\@$host,majordomo\@$host"; }
    else { $address="$value\@$host"; }
    print "address=\"$address\"\n";
    print "unsubscribe $list\n";

    if (!$debug) {
      print "Mailing $user\n";
      &unsub ($user, $list, $host, $address);
      &notify ($user, $list, $host, $address);
    }  else {
      print "debug no mail\n";
    }
  }
}
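The mailbox scan that Kim's script performs, as an added example in Python (not part of the original script) that stops short of sending anything: it recognises list traffic by "owner-LIST@host" or "LIST-owner@host" in an address (the l-/-l forms are left out here), then looks for a listserv, listproc or majordomo address at the same host to direct the unsubscribe command to. The mailbox, addresses and hosts below are constructed.

```python
import re

# Constructed sample mailbox in BSD mbox format: two list welcome messages
# and one personal message.
SAMPLE_MBOX = """\
From owner-tomato-twaddler@lists.example.org Wed Dec 25 09:12:01 1996
From: Tomato Twaddler List <owner-tomato-twaddler@lists.example.org>
To: cmeinel@example.com
Subject: Welcome to the Tomato Twaddler List!

You have been subscribed.  Send commands to majordomo@lists.example.org.

From pcgames-owner@games.example.net Wed Dec 25 09:13:44 1996
From: pcgames-owner@games.example.net
To: cmeinel@example.com
Subject: Welcome to pcgames

Administrative requests go to listserv@games.example.net.

From friend@example.net Wed Dec 25 09:14:00 1996
From: friend@example.net
To: cmeinel@example.com
Subject: hi

Just saying hello.
"""

# The same two address shapes the Perl script's first pass matches.
OWNER_PREFIX = re.compile(r"\bowner-([-\w.]+@[\w.]+)\b", re.IGNORECASE)
OWNER_SUFFIX = re.compile(r"(?:^|[^-\w.])([-\w.]+)-owner(@[\w.]+)\b",
                          re.IGNORECASE)
SERVERS = ("listserv", "listproc", "majordomo")


def find_lists(mbox_text):
    """Map each list address found in the mailbox to its list-server address.

    The value is None when no listserv/listproc/majordomo address for that
    host appears anywhere in the mailbox.
    """
    lists = {}
    for line in mbox_text.splitlines():         # first pass: list addresses
        m = OWNER_PREFIX.search(line)
        if m:
            lists.setdefault(m.group(1).lower(), None)
            continue
        m = OWNER_SUFFIX.search(line)
        if m:
            lists.setdefault((m.group(1) + m.group(2)).lower(), None)
    for addr in lists:                           # second pass: list servers
        host = addr.split("@", 1)[1]
        m = re.search(r"\b(%s)@%s\b" % ("|".join(SERVERS), re.escape(host)),
                      mbox_text, re.IGNORECASE)
        if m:
            lists[addr] = m.group(1).lower() + "@" + host
    return lists


def unsubscribe_messages(mbox_text):
    """Return (recipient, body) pairs, one per list, ready for a mailer.

    When the server is unknown the Perl script mails all three conventional
    addresses at the host; the same fallback is used here.
    """
    out = []
    for addr, server in sorted(find_lists(mbox_text).items()):
        listname, host = addr.split("@", 1)
        if server is None:
            server = ",".join("%s@%s" % (u, host) for u in SERVERS)
        out.append((server, "unsubscribe %s\n" % listname))
    return out


if __name__ == "__main__":
    for to, body in unsubscribe_messages(SAMPLE_MBOX):
        print("To: %s\n%s" % (to, body))
```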
 
____________________________________________________________  
 
GUIDE TO (mostly) HARMLESS HACKING  
 
Vol. 3 Number 2  
 
How to map the Internet. Dig! Whois! Nslookup! Traceroute! Netstat port is getting hard to use anymore, however...
____________________________________________________________
 
Why map the Internet?  
 
* Because it’s fun -- like exploring unknown continents. The Internet is so huge, and it changes so fast, no one has a complete map.  
 
* Because when you can’t make contact with someone in a distant place, you can help your ISP troubleshoot broken links in the Internet. Yes, I did that once when email failed to a friend in Northern Ireland. How will your ISP know that their communications provider is lying down on the job unless someone advises them of trouble?
 
* Because if you want to be a computer criminal, your map of the connections to your intended victim gives you valuable information.  
 
Now since this is a lesson on *legal* hacking, we’re not going to help you out with how to determine the best box in which to install a sniffer or how to tell what IP address to spoof to get past a packet filter. We’re just going to explore some of the best tools available for mapping the uncharted realms of the Internet.  
 
For this lesson, you can get some benefit even if all you have is Windows. But to take full advantage of this lesson, you should either have some sort of  Unix on your personal computer, or a shell account! SHELL ACCOUNT! If you don’t have one, you may find an ISP that will give you a shell account at http://www.celestin.com/pocia/.  
 
****************************
Newbie note: A shell account is an account with your ISP that allows you to give commands on a computer running Unix. The “shell” is the program that translates your keystrokes into Unix commands. Trust me, if you are a beginner, you will find bash (for Bourne again shell) to be easiest to use. Ask tech support at your ISP for a shell account set up to use bash. Or, you may be able to get the bash shell by simply typing the word “bash” at the prompt. If your ISP doesn’t offer shell accounts, get a new ISP that does offer it. A great book on using the bash shell is _Learning the Bash Shell_, by Cameron Newham and Bill Rosenblatt, published by O’Reilly.
****************************
 
So for our mapping expedition, let’s start by visiting the Internet in Botswana! Wow, is Botswana even on the Internet? It’s a lovely landlocked nation in the southern region of Africa, famous for cattle ranching, diamonds and abundant wildlife. The language of commerce in Botswana is English, so there’s a good chance that we could understand messages from their computers.  
 
Our first step in learning about Botswana’s Internet hosts is to use the Unix program nslookup.  
 
****************************  Evil genius tip: Nslookup is one of the most powerful Internet mapping tools in existence. We can hardly do it justice here. If you want to learn how to explore to the max, get the book _DNS and BIND_ by Paul Albitz and Cricket Liu, published by O’Reilly, 1997 edition.  ***************************  
 
The first step may be to find where your ISP has hidden the program by using the command “whereis nslookup.” (Or your computer may use the “find” command.)  Aha -- there it is! I give the command:  
 
->/usr/etc/nslookup
Default Server:  swcp.com
Address:  198.59.115.2
>
 
These two lines and the slightly different prompt (it isn’t an arrow any more) tell me that my local ISP is running this program for me. (It is possible to run nslookup on another computer from yours.) Now we are in the program, so I have to remember that my bash commands don’t work any more. Our next step is to tell the program that we would like to know what computers handle any given domain name.  
 
> set type=ns  
 
Next we need to know the domain name for Botswana. To do that I look up the list of top level domain names on page 379 of the 1997 edition of  _DNS and BIND_. For Botswana it’s bw. So I enter it at the prompt, remembering -- this is VERY important -- to put a period after the domain name:  
 
> bw.
Server:  swcp.com
Address:  198.59.115.2
 
Non-authoritative answer:  
 
This “non-authoritative answer” line tells me that my ISP’s nameserver is answering from its cache rather than from the servers that actually hold the bw zone, so it is possible, but unlikely, that the information below has changed since it was cached. (Nameserver records tend to be stable, and they expire from the cache when their time-to-live runs out.)  
 
bw      nameserver = DAISY.EE.UND.AC.ZA
bw      nameserver = RAIN.PSG.COM
bw      nameserver = NS.UU.NET
bw      nameserver = HIPPO.RU.AC.ZA
Authoritative answers can be found from:
DAISY.EE.UND.AC.ZA      inet address = 146.230.192.18
RAIN.PSG.COM    inet address = 147.28.0.34
NS.UU.NET       inet address = 137.39.1.3
HIPPO.RU.AC.ZA  inet address = 146.231.128.1
 
I look up the domain name “za” and discover it stands for South Africa. This tells me that the Internet is in its infancy in Botswana -- no nameservers there --  but must be well along in South Africa. Look at all those nameservers!  
 
***********************  Newbie note: a nameserver is a computer program that stores data on the Domain Name System. The Domain Name System maps names such as daisy.ee.und.ac.za to numerical addresses, and makes sure that each name belongs to exactly one owner. It also records which nameservers are responsible for which part of the name space. When a nameserver doesn’t know the answer to a query, it asks the servers responsible for that part of the name space, and so on down the chain, usually within seconds, until it has the address of any one of the millions of computers on the Internet. (Nameservers only translate names to addresses. Working out the route your packets take is the job of routers, which is what traceroute shows us later in this lesson.)  ***********************  
 
Well, what this tells me is that people who want to set up Internet host computers in Botswana usually rely on computers in South Africa to connect them. Let’s learn more about South Africa. Since we are still in the nslookup program, I command it to tell me what computers are nameservers for South Africa:  
 
> za.
Server:  swcp.com
Address:  198.59.115.2

Non-authoritative answer:
za      nameserver = DAISY.EE.UND.AC.za
za      nameserver = UCTHPX.UCT.AC.za
za      nameserver = HIPPO.RU.AC.za
za      nameserver = RAIN.PSG.COM
za      nameserver = MUNNARI.OZ.AU
za      nameserver = NS.EU.NET
za      nameserver = NS.UU.NET
za      nameserver = UUCP-GW-1.PA.DEC.COM
za      nameserver = APIES.FRD.AC.za
Authoritative answers can be found from:
DAISY.EE.UND.AC.za      inet address = 146.230.192.18
UCTHPX.UCT.AC.za        inet address = 137.158.128.1
HIPPO.RU.AC.za  inet address = 146.231.128.1
RAIN.PSG.COM    inet address = 147.28.0.34
MUNNARI.OZ.AU   inet address = 128.250.22.2
MUNNARI.OZ.AU   inet address = 128.250.1.21
NS.EU.NET       inet address = 192.16.202.11
UUCP-GW-1.PA.DEC.COM    inet address = 204.123.2.18
UUCP-GW-1.PA.DEC.COM    inet address = 16.1.0.18
APIES.FRD.AC.za inet address = 137.214.80.1
 
***********************  Newbie note: What is inet address = 137.214.80.1 supposed to mean? That’s the numerical address of a computer on the Internet (inet) -- in this case APIES.FRD.AC.za. It is written in “dotted decimal”: four ordinary base-10 numbers, each between 0 and 255, one for each of the four bytes of the 32-bit address. (It is not octal, a common mix-up; octal would be base 8.) All computer names on the Internet must be translated into such numbers so that other computers can reach them.  **********************  
 
Aha! Some of those nameservers are located outside South Africa. We see computers in Australia (au) and the US (com domain). Next, we exit the nslookup program with the command ^D. That’s made by holding down the control key while hitting the small “d” key. (Typing “exit” at the > prompt also works.) It is VERY IMPORTANT to exit nslookup this way and not with ^C.  
 
Next, we take one of the nameservers in South Africa and ask:  
 
->whois HIPPO.RU.AC.ZA
[No name] (HIPPO)

   Hostname: HIPPO.RU.AC.ZA
   Address: 146.231.128.1
   System: SUN running SUNOS

   Domain Server

   Record last updated on 24-Feb-92.

   To see this host record with registered users, repeat the command with
   a star ('*') before the name; or, use '%' to show JUST the registered users.

   The InterNIC Registration Services Host contains ONLY Internet Information
   (Networks, ASN's, Domains, and POC's).
   Please use the whois server at nic.ddn.mil for MILNET Information.
 
Kewl! This tells us what kind of computer it is -- a Sun -- and the operating system, SunOS. Remember, though, that this is whatever someone typed into the registry record back in 1992. It is a hint about what is running there today, not proof.  
 
Now, just for variety, I use the whois command with the numerical address of one of the nameservers. This doesn’t always give back the text name, but sometimes it works. And, voila, we get:  
 
->whois 146.230.192.18
[No name] (DAISY1)

   Hostname: DAISY.EE.UND.AC.ZA
   Address: 146.230.192.18
   System: HP-9000 running HP-UX

   Domain Server

   Record last updated on 14-Sep-94.
 
Ah, but all this is doing so far is just telling us info about who is a nameserver for whom. Now how about directly mapping a route from my computer to South Africa? For that we will use the traceroute command.  
 
************************  Netiquette tip: The traceroute program is intended for use in network testing, measurement  and  management. It  should be used primarily for manual fault isolation, like the time I couldn’t email my friend in Northern Ireland.  Because of the load it could impose on the network, it is unwise to use traceroute from automated scripts which could cause that program to send out huge numbers of queries. Use it too much and your ISP may start asking you some sharp questions.  ************************  
 
************************  YOU COULD GO TO JAIL WARNING: If you just got an idea of how to use traceroute for a denial of service attack, don’t call your favorite journalist and tell him or her that you are plotting a denial of service attack against the ISPs that serve famous people like Bill Clinton and Carolyn Meinel!:-) Don’t write that script. Don’t use it. If you do, I’ll give another interview to PC World magazine (http://www.pcworld.com/news/newsradio/meinel/index.html) about how a three-year-old could run the attack. And if you get caught we’ll all laugh at you as you get hustled off in chains while your journalist friend gets a $250K advance on his or her book deal about you.  ************************  
 
I give the command:  
 
 ->whereis traceroute 
 traceroute: /usr/local/bin/traceroute  
 
OK, now we’re ready to map in earnest. I give the command:  
 
 ->/usr/local/bin/traceroute DAISY.EE.UND.AC.ZA 
 
 
And the answer is:  
 
traceroute to DAISY.EE.UND.AC.ZA (146.230.192.18), 30 hops max, 40 byte packets
 1  sisko (198.59.115.1)  3 ms  4 ms  4 ms
 2  glory-cyberport.nm.westnet.net (204.134.78.33)  47 ms  8 ms  4 ms
 3  ENSS365.NM.ORG (129.121.1.3)  5 ms  10 ms  7 ms
 4  h4-0.cnss116.Albuquerque.t3.ans.net (192.103.74.45)  17 ms  41 ms  28 ms
 5  f2.t112-0.Albuquerque.t3.ans.net (140.222.112.221)  7 ms  6 ms  5 ms
 6  h14.t16-0.Los-Angeles.t3.ans.net (140.223.17.9)  31 ms  39 ms  84 ms
 7  h14.t8-0.San-Francisco.t3.ans.net (140.223.9.13)  67 ms  43 ms  68 ms
 8  enss220.t3.ans.net (140.223.9.22)  73 ms  58 ms  54 ms
 9  sl-mae-w-F0/0.sprintlink.net (198.32.136.11)  97 ms  319 ms  110 ms
10  sl-stk-1-H11/0-T3.sprintlink.net (144.228.10.109)  313 ms  479 ms  473 ms
11  sl-stk-2-F/T.sprintlink.net (198.67.6.2)  179 ms * *
12  sl-dc-7-H4/0-T3.sprintlink.net (144.228.10.106)  164 ms *  176 ms
13  sl-dc-7-F/T.sprintlink.net (198.67.0.1)  143 ms  129 ms  134 ms
14  gsl-dc-3-Fddi0/0.gsl.net (204.59.144.197)  135 ms  152 ms  130 ms
15  204.59.225.66 (204.59.225.66)  583 ms  545 ms  565 ms
16  * * *
17  e0.csir00.uni.net.za (155.232.249.1)  516 ms  436 ms  400 ms
18  s1.und00.uni.net.za (155.232.70.1)  424 ms  485 ms  492 ms
19  e0.und01.uni.net.za (155.232.190.2)  509 ms  530 ms  459 ms
20  s0.und02.uni.net.za (155.232.82.2)  650 ms *  548 ms
21  Gw-Uninet1.CC.und.ac.za (146.230.196.1)  881 ms  517 ms  478 ms
22  cisco-unp.und.ac.za (146.230.128.8)  498 ms  545 ms *
23  IN.ee.und.ac.za (146.230.192.18)  573 ms  585 ms  493 ms
 
So what does all this stuff mean?  
 
The number in front of each line is the number of hops since leaving the computer that has the shell account I am using.  
 
The second entry is the name of the computer through which this route passes, first in text, and then in parentheses its numerical representation.  
 
The numbers after that are the time in milliseconds it takes for each of three probe packets in a row to make that hop and get an answer back. When an * appears, that probe timed out. In the case of this traceroute command, any wait longer than 3 seconds (the default; the -w option changes it) causes an * to be printed out.  
 
How about hop 16? It gave us no info whatsoever. A silent hop like that usually means one of three things: the router there doesn’t send ICMP “time exceeded” messages at all; it sends them with a time-to-live too small for them to get back to us (the traceroute man page blames a bug in the 4.1, 4.2 and 4.3BSD network code, which sends the message using whatever TTL was left in the probe, namely zero); or something along the way is filtering them. We can’t tell which from here. Since the route clearly carries on past it, hop 16 is a blind spot, not a break. Are we having phun yet?  
 
************************  Evil genius tip: If you want to get really, truly excruciating detail on the traceroute command, while in your shell account type in the command:  
 
->man traceroute  
 
I promise, on-line manual stuff is often written in a witty, entertaining fashion. Especially the Sun OS manual. Honest!  ************************  
 
************************  Note for the shell-account-challenged: If you have Windows 95, you can get the same results -- I mean, for mapping the Internet, not going to jail -- using the “tracert” command. Here’s how it works:  
 
1. Open a PPP connection. For example, if you use Compuserve or AOL, make a connection, then minimize your on-line access program.

2. Click on the Start menu.

3. Open a DOS window.

4. At the DOS prompt type in “tracert <distant.computer.com>” where “distant.computer.com” is replaced by the name of the computer to which you want to trace a route. Press the Enter key.

5. Be patient. Especially if you are tracing a route to a distant computer, it takes a while, because tracert has to wait for an answer (or a timeout) from every hop along the way, three times per hop. (Ordinary connections don’t trace a route first; routing is the routers’ job, done hop by hop as each packet passes through.)

6. If you decide to use Windows for this hacking lesson, Damien Sorder has a message for us: “DON'T ENCOURAGE THEM TO USE WIN95!@#$!@#!” He’s right, but since most of you reading this are consenting adults, I figure it’s your funeral if you stoop to Windows hacking on an AOL PPP connection!  ***********************  
 
Now this is getting interesting. We know that Daisy is directly connected to at least one other computer, and that computer in turn is connected to cisco-unp.und.ac.za. Let’s learn a little something about this cisco-unp.und.ac.za, OK?  
 
First, we can guess from the name that it is a Cisco router. (The first hop in this route is a box named “sisko,” which is probably my ISP’s Cisco router too, though with that spelling the name alone proves nothing.) Cisco made the lion’s share of the world’s routers at the time, so that’s a pretty safe bet. But we are going to not only make sure cisco-unp.und.ac.za is a Cisco. We are also going to find out the model number, and a few other goodies.  
 
First we try out whois:  
 
->whois cisco-unp.und.ac.za
No match for "CISCO-UNP.UND.AC.ZA".

The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
 
Huh? Traceroute tells us cisco-unp.und.ac.za exists, but whois can’t find it! Actually this is a common problem: whois only knows about hosts somebody bothered to register with the InterNIC, and most hosts, especially distant ones, were never registered there. The DNS, on the other hand, has to know about every host that has a name. What do we do next? Well, if you are lucky, the whereis command will turn up another incredibly cool program: dig!  
 
**********************  Newbie note: Dig stands for “domain information groper.” It asks nameservers the same questions nslookup does, but it prints back the raw DNS records it gets, so its output takes a little more getting used to. For details on dig, use the command from your shell account “man dig.” 
 **********************  
 
In fact, on my shell account I found I could run dig straight from my bash prompt:  
 
->dig CISCO-UNP.UND.AC.ZA

; <<>> DiG 2.0 <<>> CISCO-UNP.UND.AC.ZA
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; Ques: 1, Ans: 4, Auth: 5, Addit: 5
;; QUESTIONS:
;;      CISCO-UNP.UND.AC.ZA, type = A, class = IN

;; ANSWERS:
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.248.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.12.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.60.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.128.8

;; AUTHORITY RECORDS:
und.ac.za.      86400   NS      Eagle.und.ac.za.
und.ac.za.      86400   NS      Shrike.und.ac.za.
und.ac.za.      86400   NS      ucthpx.uct.ac.za.
und.ac.za.      86400   NS      hiPPo.ru.ac.za.
und.ac.za.      86400   NS      Rain.psg.com.

;; ADDITIONAL RECORDS:
Eagle.und.ac.za.        86400   A       146.230.128.15
Shrike.und.ac.za.       86400   A       146.230.128.13
ucthpx.uct.ac.za.       86400   A       137.158.128.1
hiPPo.ru.ac.za. 86400   A       146.231.128.1
Rain.psg.com.   14400   A       147.28.0.34

;; Total query time: 516 msec
;; FROM: llama to SERVER: default -- 198.59.115.2
;; WHEN: Fri Jan 17 13:03:49 1997
;; MSG SIZE  sent: 37  rcvd: 305
 
Ahhh, nice. The first few lines, the ones preceded by the ;; marks, mostly tell what the default settings of the command are and what we asked it. The line “Ques: 1, Ans: 4, Auth: 5, Addit: 5” tells us how many items we’ll get under each topic of questions, answers, authority records, and additional records.  (You will get different numbers on that line with different queries.) This “records” stuff refers to information stored under the domain name system.  
 
We learn from dig that class = IN, meaning CISCO-UNP.UND.AC.ZA is a name in the Internet class of the DNS. But we already knew that. The first really *new* thing we learn is that this one name has four A records, that is, four different numerical addresses. A router has an interface on every network it joins, and each interface has its own address; the 146.230.128.8 that traceroute showed us is simply the interface that faced us. The reverse can also happen: several domain names can all belong to the same numerical address. If you use the dig command on each link in the route to DAISY.EE.UND.AC.ZA, you’ll find a tremendous variation in how the routers map to names. As hackers, we want to get wise to all these variations in how domain names are associated with boxes.  
 
But we can still learn even more about that Cisco router named CISCO-UNP.UND.AC.ZA. We go back to nslookup and run it in interactive mode:  
 
->/usr/etc/nslookup
Default Server:  swcp.com
Address:  198.59.115.2
>
 
Now let’s do something new with nslookup. This is a command that comes in really, really handy when we’re playing vigilante and need to persecute a spammer or bust a child porn Web site or two.  Here’s how we can get the email address for the sysadmin of an Internet host computer.  
 
> set type=soa 
 
 
Then I enter the name of the computer about which I am curious. Note that I put a period after the end of the host name. The trailing period tells nslookup the name is complete, so it won’t try tacking your own default domain on the end first:  
 
> CISCO-UNP.UND.AC.ZA.
Server:  swcp.com
Address:  198.59.115.2
 
*** No start of authority zone information is available for CISCO-UNP.UND.AC.ZA.  
 
Now what do I do? Give up? No, I’m a hacker wannabe, right? So I try entering just part of the domain name, again remembering to put a period at the end:  
 
> und.ac.za.
Server:  swcp.com
Address:  198.59.115.2

und.ac.za
        origin = Eagle.und.ac.za
        mail addr = postmaster.und.ac.za
        serial=199610255, refresh=10800, retry=3600, expire=3000000, min=86400
Eagle.und.ac.za inet address = 146.230.128.15
Shrike.und.ac.za        inet address = 146.230.128.13
ucthpx.uct.ac.za        inet address = 137.158.128.1
hiPPo.ru.ac.za  inet address = 146.231.128.1
Rain.psg.com    inet address = 147.28.0.34
 
Bingo!!! The “mail addr” in a start-of-authority record is the mailbox responsible for the zone, written DNS-style with a period where the @ goes: postmaster.und.ac.za means postmaster@und.ac.za. So I have the email address of the sysadmin whose domain includes that Cisco router, AND the names and IP addresses of the nameservers for that domain. (Not all of them are his or hers: hiPPo.ru.ac.za and Rain.psg.com are plainly run by other people who provide backup service.) The serial number, 199610255, also reads like a date: the zone file was last changed on 25 October 1996. But notice it doesn’t list any of those routers which the sysadmin undoubtedly knows a thing or two about.  
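Since nslookup and dig hand us all of this as text, here is an added example (mine, not part of the original guide) that reads it back: it parses the answer and authority lines from the dig run above, shows that the one name owns four addresses, and decodes the start-of-authority record into the sysadmin’s mailbox and the date hidden in the serial number. The SOA line in the sample is written in dig’s format from the numbers nslookup gave us above; the john\.doe mailbox is a made-up case to show how an escaped period in a mail address is handled.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Answer and authority lines copied from the dig run above, plus one SOA
# record written in dig's format from the values nslookup showed above.
SAMPLE_RECORDS = """\
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.248.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.12.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.60.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.128.8
und.ac.za.      86400   NS      Eagle.und.ac.za.
und.ac.za.      86400   NS      Shrike.und.ac.za.
und.ac.za.      86400   NS      ucthpx.uct.ac.za.
und.ac.za.      86400   NS      hiPPo.ru.ac.za.
und.ac.za.      86400   NS      Rain.psg.com.
und.ac.za.      86400   SOA     Eagle.und.ac.za. postmaster.und.ac.za. 199610255 10800 3600 3000000 86400
"""


@dataclass
class Record:
    name: str      # owner name, lower-cased, trailing period kept
    ttl: int
    rtype: str
    rdata: str


def parse_records(text: str) -> List[Record]:
    """Parse 'NAME TTL [IN] TYPE RDATA' lines; a ';' starts a dig comment."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        name, ttl, rtype, rdata = fields
        if rtype.upper() == "IN":              # class column present (newer dig versions)
            rtype, rdata = (rdata.split(None, 1) + [""])[:2]
        records.append(Record(name.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records


def addresses_of(records: List[Record], name: str) -> List[str]:
    """Every A record for a name. Several means several interfaces, or several hosts."""
    want = name.lower().rstrip(".") + "."
    return [r.rdata for r in records if r.rtype == "A" and r.name == want]


def rname_to_email(rname: str) -> str:
    """SOA mail addr -> mailbox: the first unescaped period is the '@'; '\\.' is a literal period."""
    rname = rname.rstrip(".")
    local, i = [], 0
    while i < len(rname) and rname[i] != ".":
        if rname[i] == "\\" and i + 1 < len(rname):
            i += 1                                # keep the escaped character itself
        local.append(rname[i])
        i += 1
    return "".join(local) + "@" + rname[i + 1:]


@dataclass
class Soa:
    primary: str        # origin: the nameserver the zone is edited on
    admin_email: str    # mail addr decoded to a mailbox
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

    def serial_date(self) -> Optional[Tuple[date, int]]:
        """Decode a YYYYMMDDn or YYYYMMDDnn serial into (date, revision); None if not date-shaped."""
        s = str(self.serial)
        if len(s) not in (9, 10):
            return None
        try:
            return date(int(s[:4]), int(s[4:6]), int(s[6:8])), int(s[8:])
        except ValueError:
            return None


def soa_of(records: List[Record], zone: str) -> Optional[Soa]:
    want = zone.lower().rstrip(".") + "."
    for r in records:
        if r.rtype == "SOA" and r.name == want:
            mname, rname, *nums = r.rdata.split()
            serial, refresh, retry, expire, minimum = (int(n) for n in nums[:5])
            return Soa(mname, rname_to_email(rname), serial, refresh, retry, expire, minimum)
    return None


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("cisco-unp addresses:", addresses_of(recs, "cisco-unp.und.ac.za"))
    soa = soa_of(recs, "und.ac.za")
    print("zone contact:", soa.admin_email, "serial decodes to:", soa.serial_date())
```

The serial decoder accepts nine digits as well as the usual ten because this zone uses a one-digit revision number; a serial that is just a counter comes back as None rather than a bogus date.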
 
But we aren’t done yet with cisco-unp.und.ac.za (146.230.128.8). Of course we have a pretty good guess that it is a Cisco router. But why stop with a mere guess when we can port surf? So we fall back on our friend the telnet program and head for port 2001:  
 
->telnet 146.230.128.8 2001
Trying 146.230.128.8 ...
Connected to 146.230.128.8.
Escape character is '^]'.
C
*************************************************************************
***  Welcome to the University of Natal                               ***
***                                                                   ***
*** Model : Cisco 4500 with ATM and 8 BRI ports                       ***
***                                                                   ***
*** Dimension Data Durban - 031-838333                                ***
***                                                                   ***
*************************************************************************
 
Hey, we know now that this is a Cisco model 4500 owned by the University of Natal, and we even got a phone number (Dimension Data Durban, presumably the firm that supplied or supports the box). From this we also can infer that this router handles a subnet which serves the U of Natal and includes daisy.  
 
But why did I telnet to port 2001? On Cisco routers, TCP port 2000 plus a line number gets you a “reverse telnet” connection to that line, so 2001 is line 1, and that is why the same login banner turns up there as on the normal telnet port. For what the rest of the ports are supposed to be, read the RFC (request for comments) that lists all commonly used port assignments. You can find a copy of this RFC at http://ds2.internic.net/rfc/rfc1700.txt. Read it and you’ll be in for some happy port surfing!  
 
************************  Evil Genius tip: there are a bunch of ports used by Cisco routers:

cisco-fna       130/tcp    cisco FNATIVE
cisco-tna       131/tcp    cisco TNATIVE
cisco-sys       132/tcp    cisco SYSMAINT
licensedaemon   1986/tcp   cisco license management
tr-rsrb-p1      1987/tcp   cisco RSRB Priority 1 port
tr-rsrb-p2      1988/tcp   cisco RSRB Priority 2 port
tr-rsrb-p3      1989/tcp   cisco RSRB Priority 3 port
stun-p1         1990/tcp   cisco STUN Priority 1 port
stun-p2         1991/tcp   cisco STUN Priority 2 port
stun-p3         1992/tcp   cisco STUN Priority 3 port
snmp-tcp-port   1993/tcp   cisco SNMP TCP port
stun-port       1994/tcp   cisco serial tunnel port
perf-port       1995/tcp   cisco perf port
tr-rsrb-port    1996/tcp   cisco Remote SRB port
gdp-port        1997/tcp   cisco Gateway Discovery Protocol
x25-svc-port    1998/tcp   cisco X.25 service (XOT)
tcp-id-port     1999/tcp   cisco identification port
************************  
 
But what about the “normal” telnet port, which is 23? Since it is the “normal” port, the one you usually go to when you want to log in, we don’t need to put the 23 after the host name:  
 
->telnet 146.230.128.8
Trying 146.230.128.8 ...
Connected to 146.230.128.8.
Escape character is '^]'.
C
*************************************************************************
***  Welcome to the University of Natal                               ***
***                                                                   ***
*** Model : Cisco 4500 with ATM and 8 BRI ports                       ***
***                                                                   ***
*** Dimension Data Durban - 031-838333                                ***
***                                                                   ***
*************************************************************************
 
User Access Verification  
 
Password:  
 
Hey, this is interesting, no username requested, just a password. That is what a Cisco line password looks like: one shared password for the telnet lines and no per-user accounts, so nothing records who actually logged in. If I were the sysadmin, I’d make it a little harder to log in. Hmmm, what happens if I try to port surf finger that site? That means telnet to the finger port, which is 79:  
 
->telnet 146.230.128.8 79
Trying 146.230.128.8 ...
Connected to 146.230.128.8.
Escape character is '^]'.
C
*************************************************************************
***  Welcome to the University of Natal                               ***
***                                                                   ***
*** Model : Cisco 4500 with ATM and 8 BRI ports                       ***
***                                                                   ***
*** Dimension Data Durban - 031-838333                                ***
***                                                                   ***
*************************************************************************

    Line     User      Host(s)               Idle Location
*  2 vty 0             idle                     0 kitsune.swcp.com
   BR0:2                Sync PPP             00:00:00
   BR0:1                Sync PPP             00:00:00
   BR1:2                Sync PPP             00:00:00
   BR1:1                Sync PPP             00:00:00
   BR2:2                Sync PPP             00:00:01
   BR2:1                Sync PPP             00:00:00
   BR5:1                Sync PPP             00:00:00
Connection closed by foreign host.
 
Notice that finger lists the connection to the computer I was port surfing from: kitsune. (A Cisco answers finger with the same table its “show users” command prints: the vty line I am on, plus the ISDN BRI lines carrying PPP.) But no one else seems to be on line just now. Please remember, when you port surf, your target computer knows where you came from. IP spoofing is no help here: telnet runs over TCP, and a connection with a forged source address never completes, because the replies go to the forged address instead of to you. Of course I will be a polite guest.  
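Port surfing by hand means reading whatever a service blurts out before you type anything. Here is an added example, mine and not from the original guide, that does the same with a socket instead of the telnet program: it connects with a timeout, collects the banner, strips the telnet option-negotiation bytes that the telnet client normally hides from you, and guesses what it is talking to. The banner it runs against is a constructed copy of the University of Natal login above, served from a thread on 127.0.0.1, so nothing here touches a real router; point grab_banner at a host and port of your own to use it for real.

```python
import socket
import threading
from typing import Optional, Tuple

IAC, SB, SE = 255, 250, 240
OPTION_VERBS = {251, 252, 253, 254}   # WILL, WONT, DO, DONT


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove telnet option negotiation so only the text of the banner remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b); i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:         # IAC IAC is a literal 0xFF
            out.append(IAC); i += 2
        elif i + 1 < len(data) and data[i + 1] in OPTION_VERBS:  # IAC VERB OPTION
            i += 3
        elif i + 1 < len(data) and data[i + 1] == SB:           # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                                    # IAC <other command>
            i += 2
    return bytes(out)


def grab_banner(host: str, port: int, timeout: float = 5.0, max_bytes: int = 4096) -> str:
    """Connect and return whatever the service volunteers before we send anything."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        while sum(len(c) for c in chunks) < max_bytes:
            try:
                chunk = s.recv(1024)
            except socket.timeout:
                break            # the service is waiting for us to talk: banner complete
            if not chunk:
                break            # the service closed the connection
            chunks.append(chunk)
    return strip_telnet_iac(b"".join(chunks)).decode("latin-1")


def classify(banner: str) -> str:
    """Cheap fingerprint from banner text; extend the table as you meet new devices."""
    text = banner.lower()
    if "user access verification" in text:
        return "Cisco IOS login prompt"
    if "netbsd" in text:
        return "NetBSD telnetd"
    if "authorised users only" in text or "authorized users only" in text:
        return "login banner, no version information"
    return "unknown"


def model_from_banner(banner: str) -> Optional[str]:
    """Pull the 'Model : ...' line out of a banner like the University of Natal one."""
    for line in banner.splitlines():
        if "model" in line.lower() and ":" in line:
            return line.split(":", 1)[1].strip(" *\t")
    return None


def fingerprint(host: str, port: int, timeout: float = 2.0) -> Tuple[str, Optional[str]]:
    banner = grab_banner(host, port, timeout=timeout)
    return classify(banner), model_from_banner(banner)


# Constructed banner modelled on the router login shown above. The leading
# bytes are the kind of option negotiation a telnet server sends first
# (IAC WILL ECHO, IAC DO TERMINAL-TYPE); the telnet client never shows them.
SAMPLE_BANNER = (
    bytes([IAC, 251, 1, IAC, 253, 24])
    + b"\r\n*** Welcome to the University of Natal ***\r\n"
      b"*** Model : Cisco 4500 with ATM and 8 BRI ports ***\r\n"
      b"\r\nUser Access Verification\r\n\r\nPassword: "
)


def serve_once(payload: bytes) -> int:
    """Listen on an ephemeral 127.0.0.1 port, send payload to one client, then close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.sendall(payload)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = serve_once(SAMPLE_BANNER)
    print(fingerprint("127.0.0.1", port))
```

The recv loop stops either when the service closes the connection or when it goes quiet waiting for input, which is exactly the moment a human would start reading the screen. Keep the timeout short when you surf a lot of ports; a service that says nothing until you speak (SMTP says hello, an IRC server usually does not) costs you the whole timeout.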
 
Now let’s try the obvious. Let’s telnet to the login port of daisy. I use the numerical address just for the heck of it:  
 
->telnet 146.230.192.18
Trying 146.230.192.18 ...
Connected to 146.230.192.18.
Escape character is '^]'.
 
NetBSD/i386 (daisy.ee.und.ac.za) (ttyp0)  
 
login:  

Hey, this is interesting. Since we now know this is a university, “ee” is probably the electrical engineering department. And NetBSD is a free Unix; “i386” names the port of NetBSD that runs on ordinary PCs, so daisy is a PC-class box (any Intel-compatible processor, not necessarily an 80386). Notice, too, that the whois record from 1994 called this machine an HP-9000 running HP-UX. The banner is what is actually running today; registry records go stale, banners don’t.  
 
Getting this info makes me almost feel like I’ve been hanging out at the University of Natal EE computer lab. It sounds like a friendly place. Judging from their router, security is somewhat lax, they use cheap computers, and messages are friendly. Let’s finger and see who’s logged in just now:  
 
Since I am already in the telnet program (I can tell by the prompt “telnet>”), I go to daisy using the “open” command:  
 
telnet> open daisy.ee.und.ac.za 79
Trying 146.230.192.18 ...
telnet: connect: Connection refused
telnet> quit
 
Well, that didn’t work, so I exit telnet and try the finger program on my shell account computer:  
 
->finger @daisy.ee.und.ac.za
[daisy.ee.und.ac.za]
finger: daisy.ee.und.ac.za: Connection refused
 
Sigh. It’s hard to find open finger ports any more. But it’s a good security practice to close finger. Damien Sorder points out, “If you install the new Linux distributions, it comes with Cfingerd. Why would I (and others) want to shut it down? Not because of hackers and abuse or some STUPID S*** like that. Because it gives out way too much information when you finger a single user. You get machine load and all the user information.”  
 
I manage to pull up a little more info on how to map the interconnections of University of Natal computers with a search of the Web using http://digital.altavista.com. It links me to the site http://www.frd.ac.za/uninet/sprint.html, which is titled “Traffic on the UNINET-SPRINTLINK Link.” However, all the links to network traffic statistics from that site are dead.  
 
Next, let’s look into number 20 on that traceroute that led us to the University of Natal. You can pretty much expect that links in the middle of a long traceroute will be big computers owned by the bigger companies that form the backbone of the Internet.  
 
->telnet 155.232.82.2 2001
Trying 155.232.82.2 ...
Connected to 155.232.82.2.
Escape character is '^]'.
 
                              Id: und02
                         Authorised Users Only!
                        ------------------------
 
User Access Verification  
 
Username:  
 
Yup, we’re out of friendly territory now. And since port 2001 works, it may be a router. Just for laughs, though, let’s go back to the default telnet port:  
 
->telnet 155.232.82.2
Trying 155.232.82.2 ...
Connected to 155.232.82.2.
Escape character is '^]'.
 
                              Id: und02
                         Authorised Users Only!
                        ------------------------
 
User Access Verification  
 
Username:  
 
Now just maybe this backbone-type computer will tell us gobs of stuff about all the computers it is connected to.  We try telneting to the netstat port, 15. This, if it happens to be open to the public, will tell us all about the computers that connect through it:  
 
->telnet 155.232.82.2 15
Trying 155.232.82.2 ...
telnet: connect: Connection refused
 
Sigh. I gave an example of the incredible wealth of information you can get from netstat on the GTMHH on port surfing. But every day it is harder to find a public netstat port. That’s because the information netstat gives is so useful to computer criminals. In fact, port 15 is no longer reserved as the netstat port (as of 1994, according to the RFC). So you will find few boxes using it.  
 
******************************  Newbie note: want to know what port assignments your ISP uses? Sorder points out “ /etc/services on most machines will [tell you this].”  

How can you read that information? Try this:  

First, change to the /etc/ directory:  

->cd /etc

Then command it to print it out to your screen with:  

->more services
#
# @(#)services 1.16 90/01/03 SMI
#
# Network services, Internet style
# This file is never consulted when the NIS are running
#
tcpmux          1/tcp                           # rfc-1078
echo            7/tcp

... and so on...  

Alas, just because your shell account has a list of port assignments doesn’t mean they are actually in use. It only records what name goes with what number. It also probably won’t list specialized services like all those Cisco router port assignments.  ************************* 
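As an added example (mine, not part of the original guide), here is a reader for that file format, one “name port/proto [aliases] [# comment]” entry per line. The sample it chews on is constructed from the lines shown above, a few standard entries, and some of the Cisco ports from the tip; hand it the contents of your real /etc/services instead and it works the same way.

```python
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in /etc/services format: the lines shown above, a few
# standard entries, and some of the Cisco ports from the tip above.
SAMPLE_SERVICES = """\
#
# Network services, Internet style
# This file is never consulted when the NIS are running
#
tcpmux          1/tcp                           # rfc-1078
echo            7/tcp
echo            7/udp
netstat         15/tcp
telnet          23/tcp
finger          79/tcp
cisco-fna       130/tcp                         # cisco FNATIVE
licensedaemon   1986/tcp                        # cisco license management
gdp-port        1997/tcp                        # cisco Gateway Discovery Protocol
tcp-id-port     1999/tcp                        # cisco identification port
ircd            6667/tcp        irc             # Internet Relay Chat
"""


class Service(NamedTuple):
    name: str
    port: int
    proto: str
    aliases: List[str]
    comment: str


def parse_services(text: str) -> List[Service]:
    """One 'name port/proto [alias ...] [# comment]' entry per line; '#' lines are skipped."""
    out = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2:
            continue
        name, portproto, *aliases = fields
        port, slash, proto = portproto.partition("/")
        if not slash or not port.isdigit():
            continue                    # malformed entry: skip it, keep parsing
        out.append(Service(name, int(port), proto.lower(), aliases, comment.strip()))
    return out


def name_of(services: List[Service], port: int, proto: str = "tcp") -> Optional[Service]:
    """The entry for a port/protocol, or None when the file has no name for it."""
    return next((s for s in services if s.port == port and s.proto == proto), None)


def ports_named(services: List[Service], name: str) -> List[Service]:
    """Entries whose name or any alias matches (case-insensitive), across protocols."""
    want = name.lower()
    return [s for s in services
            if s.name.lower() == want or want in (a.lower() for a in s.aliases)]


def label_ports(services: List[Service], ports: List[int], proto: str = "tcp") -> Dict[int, str]:
    """Map each port to its service name, or '?' when the file does not list it.
    A name here only means someone registered the number; whether anything is
    listening is a question for the network, not for the file."""
    labels = {}
    for p in ports:
        s = name_of(services, p, proto)
        labels[p] = s.name if s else "?"
    return labels


if __name__ == "__main__":
    svcs = parse_services(SAMPLE_SERVICES)
    print(label_ports(svcs, [15, 23, 79, 2001, 6667]))
    print([s.name for s in ports_named(svcs, "irc")])
```

Port 2001 comes back as “?” on purpose: the file has no name for it, which is the situation the note above describes, and it says nothing about whether a router answers there.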
 

 In fact, after surfing about two dozen somewhat randomly chosen netstat ports, the only answer I get other than “Connection refused” is:  
 
->telnet ns.nmia.com 15
Trying 198.59.166.10 ...
Connected to ns.nmia.com.
Escape character is '^]'.
Yes, but will I see the EASTER BUNNY in skintight leather
at an IRON MAIDEN concert?
 
Now what about all those Sprintlink routers in that traceroute? That’s a major Internet backbone based in the US provided by Sprint. You can get some information on the topology of the Sprintlink backbone at http://www.sprintlink.net/SPLK/HB21.html#2.2. Alas, Sprintlink used to give out much more information than they do today. All I can pick up on their Web site today is pretty vague.  
 
Sigh. The Internet is getting less friendly, but more secure. Some day when we’re really ancient, say five years from now, we’ll be telling people, “Why, I remember when we could port surf! Why, there used to be zillions of open ports and people could choose ANY password they wanted. Hmph! Today it’s just firewalls everywhere you look!” Adds Sorder, “Gee. How do you think people like me feel.. port surfing over 6 years ago.”  
 
Our thanks to Damien Sorder (jericho@dimensional.com) for assistance in reviewing and contributing to this GTMHH.  ___________________________________________________________  
 
GUIDE TO (mostly) HARMLESS HACKING  
 
Vol. 3 Number 3  
 
How to keep from getting kicked off IRC!  ____________________________________________________________  
 
Our thanks to Patrick Rutledge, Warbeast, Meltdown and k1neTiK, who all provided invaluable information on the burning question of the IRC world: help, they’re nuking meee...  
 
 What’s the big deal about IRC and hackers? Sheesh, IRC is sooo easy to use... until you get on a server where hacker wars reign. What the heck do you do to keep from getting clobbered over and over again?  
 
 Of course you could just decide your enemies can go to heck. But let’s say you’d rather hang in there. You may want to hang in there because if you want to make friends quickly in the hacker world, one of the best ways is over Internet Relay Chat (IRC).  
 
 
 On IRC a group of people type messages back and forth on a screen in almost real time. It can be more fun than Usenet where it can take from minutes to hours for people’s replies to turn up. And unlike Usenet, if you say something you regret, it’s soon gone from the screen. Ahem. That is, it will soon be gone if no one is logging the session.  
 
 In some ways IRC is like CB radio, with lots of folks flaming and making fools of themselves in unique and irritating ways. So don’t expect to see timeless wisdom and wit scrolling down your computer screen. But because IRC is such an inexpensive way for people from all over the world to quickly exchange ideas, it is widely used by hackers. Also, given the wars you can fight for control of IRC channels, it can give you a good hacker workout.  

  To get on IRC you need two things: an IRC client program, and a connection to a Web site or Internet Service Provider (ISP) that is running an IRC server program.  
 
***********************  Newbie note: Any program that uses a resource is called a “client.”  Any program that offers a resource is a “server.”  Your IRC client program runs on either your home computer or shell account computer and connects you to an IRC server program which runs on a remote computer somewhere on the Internet.  ***********************  
 
 You may already have an IRC server running on your ISP. Customer service at your ISP should be able to help you with instructions on how to use it. Even easier yet, if your Web browser is set up to use Java, you can run IRC straight from your browser once you have surfed into a Web-based IRC server.  
 
 Where are good IRC servers for meeting other hackers?  
 
 There are several IRC servers that usually offer hacker channels. EFNet (Eris-Free Network) links many IRC servers. It was originally started by the Eris FreeNet (ef.net). It is reputed to be a “war ground” where you might get a chance to really practice the IRC techniques we cover below.  
 
 Undernet is one of the largest networks of IRC servers. The main purpose of Undernet is to be a friendly place with IRC wars under control. But this means, yes, lots of IRC cops! The operators of these IRC servers have permission to kill you not only from a channel but also from a server. Heck, they can ban you for good. They can even ban your whole domain.  
 
************************************  Newbie note: A domain is the last two (or sometimes three or four) parts of your email address. For example, aol.com is the domain name for America Online. If an IRC network were to ban the aol.com domain, that would mean every single person on America Online would be banned from it.  ************************************  
 
************************************  You can get punched in the nose warning: If the sysadmins at your ISP were to find out that you had managed to get their entire domain banned from an IRC net on account of committing ICMP bombing or whatever, they will be truly mad at you! You will be lucky if the worst that happens is that you lose your account. You’d better hope that word doesn’t get out to all the IRC addicts on your ISP that you were the dude that got you guys all kicked out.  ************************************  
 
 IRCNet is probably the same size if not larger than Undernet. IRCNet is basically the European/Australian split off from the old EFNet.  
 
 Yes, IRC is a world-wide phenomenon. Get on the right IRC network and you can be making friends with hackers on any continent of the planet. There are at least 80 IRC networks in existence. To learn how to contact them, surf over to: http://www.irchelp.org/. You can locate additional IRC servers by surfing over to http://hotbot.com or http://digital.altavista.com and searching for “IRC server.”  Some IRC servers are ideal for the elite hacker, for example the l0pht server. Note that is a “zero” not an “O” in l0pht.  
 
****************************************  Evil genius tip: Get on an IRC server by telneting straight in through port 6667 at the domain name for that server. Once connected you have to speak the protocol yourself: type a NICK line and a USER line to register, and answer every PING the server sends with a PONG, or it will drop you.  ****************************************  
 
 But before you get too excited over trying out IRC, let us warn you. IRC is not so much phun any more because some d00dz aren’t satisfied with using it to merely say naughty words and cast aspersions on people’s ancestry and grooming habits. They get their laughs by kicking other people off IRC entirely. This is because they are too chicken to start brawls in bars. So they beat up on people in cyberspace where they don’t have to fret over getting ouchies.  
 
 But we’re going to show some simple, effective ways to keep these lusers from ruining your IRC sessions. However, first you’ll need to know some of the ways you can get kicked off IRC by these bullies.  
 
 The simplest way to get in trouble is to accidentally give control of your IRC channel to an impostor whose goal is to kick you and your friends off.  
 
 You see, the first person to start up a channel on an IRC server is automatically the operator (OP). The operator has the power to kick people off or invite people in. Also, if the operator wants to, he or she may pass operator status on to someone else.  
 
Ideally, when you leave the channel you would pass this status on to a friend you trust. Also, maybe someone who you think is your good buddy is begging you to please, please give him a turn being the operator. You may decide to hand over the OP to him or her in order to demonstrate friendship. But if you mess up and accidentally OP a bad guy who is pretending to be someone you know and trust, your fun chat can become history.  
 
One way to keep all this obnoxious stuff from happening is to simply not OP people you do not know. But this is easier said than done. It is a friendly thing to give OP to your buddies. You may not want to appear stuck up by refusing to OP anyone. So if you are going to OP a friend, how can you really tell that IRC dude is your friend?  
 
 Just because you recognize the nick (nickname), don’t assume it’s who you think it is! Check the host address associated with the nick by giving the command "/whois IRCnick" where “IRCnick” is the nickname of the person you want to check.  
 
This “/whois” command will give back to you the user@host address belonging to the person using that nick, which usually looks like an email address. If you see, for example, “d***@wannabe.net” instead of the address you expected, say friend@cool.com, then DO NOT OP him. Make the person explain who he or she is and why the address is different. Note that the part before the @ is whatever that person’s own computer reported (a leading ~ means the server could not verify it), while the host after the @ is what the server actually saw. So it is the host you should compare.  
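Here, as an added example that is not part of the original Guide or of any IRC client, is what a client has to do with those lines. It shows the raw protocol you would type after telneting to port 6667 (the NICK and USER registration, and the PONG answer to a server PING), a parser for the RFC 1459 line format, and a fail-closed check of a /whois reply (numeric 311, RPL_WHOISUSER) against the host you know your friend connects from. The server name irc.example.net, the nicks and the hosts are made-up sample data; real networks’ replies have the same shape.

```python
"""RFC 1459 line parsing plus a fail-closed check of a /whois reply.

Added example for this Guide, not code from the original text or from any
IRC client. Every server line below is constructed for illustration:
"irc.example.net", "friend", "cool.com" and "wannabe.net" are made-up names.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IrcMessage:
    prefix: Optional[str]            # "nick!user@host" or a server name, if present
    command: str                     # "PRIVMSG", "PING", or a numeric such as "311"
    params: List[str] = field(default_factory=list)


def parse_irc_line(line: str) -> IrcMessage:
    """Split one raw IRC line as RFC 1459 section 2.3.1 describes it:
    [':' prefix SPACE] command params CRLF.  A parameter beginning with
    ':' is the trailing parameter; it may contain spaces and runs to the
    end of the line.  This is what you read and write by hand when you
    telnet to port 6667 instead of using a client."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split()
        params.append(trailing)
    else:
        params = line.split()
    if not params:
        raise ValueError("empty IRC line")
    return IrcMessage(prefix, params[0].upper(), params[1:])


def registration_lines(nick: str, realname: str) -> List[str]:
    """The two lines a client sends first; with telnet you type them yourself.
    (USER in the RFC 2812 form "USER user 0 * :realname", which servers accept.)"""
    return [f"NICK {nick}", f"USER {nick} 0 * :{realname}"]


def pong_for(msg: IrcMessage) -> Optional[str]:
    """Answer a server PING, or the server drops the connection."""
    if msg.command == "PING" and msg.params:
        return f"PONG :{msg.params[0]}"
    return None


def safe_to_op(whois_reply: str, nick: str, trusted: Dict[str, str]) -> bool:
    """Decide whether "/mode #chan +o nick" is safe, from the RPL_WHOISUSER
    (311) line: "<you> <nick> <user> <host> * :<real name>".  `trusted` maps
    a friend's nick to the host you know they connect from.  Only the host
    is compared: the server fills it in from the connection, whereas the
    user part is whatever the remote ident daemon (or the client, shown with
    a leading "~") reported.  Any mismatch or malformed reply means "no"."""
    try:
        msg = parse_irc_line(whois_reply)
    except ValueError:
        return False
    if msg.command != "311" or len(msg.params) < 4:
        return False
    _me, reply_nick, _user, host = msg.params[:4]
    expected = trusted.get(nick.lower())
    return (expected is not None
            and reply_nick.lower() == nick.lower()
            and host.lower() == expected.lower())


# Constructed server replies: the first is the real friend, the second is an
# impostor who grabbed the nick "friend" from a different host.
WHOIS_FRIEND = ":irc.example.net 311 mynick friend ~friend cool.com * :My Friend"
WHOIS_IMPOSTOR = ":irc.example.net 311 mynick friend ~d00d wannabe.net * :Not Them"
TRUSTED = {"friend": "cool.com"}

if __name__ == "__main__":
    for line in registration_lines("mynick", "Happy Hacker"):
        print(">>", line)
    print("<<", pong_for(parse_irc_line("PING :irc.example.net")))
    print("OP real friend?", safe_to_op(WHOIS_FRIEND, "friend", TRUSTED))
    print("OP impostor?  ", safe_to_op(WHOIS_IMPOSTOR, "friend", TRUSTED))
```

The check fails closed on purpose: a garbled reply, a nick that does not match, or a friend you never recorded a host for all come back as “don’t OP.” If your friend roams between ISPs, extend the trusted map rather than loosening the comparison.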
 
But choosing a misleading nick when you connect to an IRC server is only the simplest of ways someone can sabotage an IRC session. Your real trouble comes when people deploy “nukes” and “ICBMs” against you.  
 
“Nuking” is also known as “ICMP bombing.” The attacker forges ICMP error messages (host unreachable, redirect and so on) addressed to your computer so that its TCP/IP stack believes the connection to the IRC server has failed. Your client then sees a dead socket or EOF (end of file) and you are gone.  
 
**************************************  Newbie note: ICMP stands for Internet Control Message Protocol. This is a class of IRC attacks that go beyond exploiting quirks in the IRC server program to take advantage of major league hacking techniques based upon the way the Internet works.  **************************************  

**************************************  You can go to jail warning: ICMP attacks constitute illegal denial of service attacks. They are not just harmless harassment of a single person on IRC, but may affect an entire Internet host computer, disrupting service to all who are using it.  *************************************** 
 
 
For example, ICMP redirect messages are used by routers to tell other computers “Hey, quit sending me that stuff. Send it to routerx.foobar.net instead!” If your computer accepts a forged redirect, your IRC traffic gets handed to the wrong gateway and goes to bit heaven instead of your chat channel.  
 
EOF stands for “end of file.” A “socket” is your end of the TCP connection to the IRC server (carried over your PPP link if you dial in). If an attacker forges an ICMP “host unreachable” message that matches that connection, your operating system aborts it, your IRC client reads EOF on a dead socket, and your session is over. That’s what the program “ICMP Host Unreachable Bomber for Windows” does.  
 
Probably the most devastating IRC weapon is the flood ping, known as “ICBM flood” or “ICMPing.” The idea is that a bully will find out what Internet host you are using, and then run “ping -f” (flood ping, which on Unix only root may run) against your host computer. Or even against your home computer. Yes, on IRC it is possible to identify the dynamically assigned IP address of your home computer and send stuff directly to your modem! If the bully has a faster connection than yours, he or she may be able to ping you badly enough to briefly knock you out of IRC. Then this character can take over your IRC session and may masquerade as you.  
 
**********************  Newbie note: When you connect to the Internet with a point-to-point (PPP) connection, your ISP’s host computer assigns you an Internet Protocol (IP) address which may be different every time you log on. This is called a “dynamically assigned IP address.” In some cases, however, the ISP has arranged to assign the user the same IP address each time.  **********************  
 
 Now let’s consider in more detail the various types of  flooding attacks on IRC.  
 
 The purpose of flooding is to send so much garbage to a client that its connection to the IRC server either becomes useless or gets cut off.  
 
 Text flooding is the simplest attack. For example, you could just hold down the “x” key and hit enter from time to time. This would keep the IRC screen filled with your junk and scroll the others’ comments quickly off the screen. However, text flooding is almost always unsuccessful because almost any IRC client (the program you run on your computer) has text flood control. Even if it doesn’t, text must pass through an IRC server. Most IRC servers also have text flood filters.  
 
 Because text flooding is basically harmless, you are unlikely to suffer anything worse than getting banned or possibly K:lined for doing it.  
 
******************************************  Newbie note: A “K:line” is an entry in the IRC server’s configuration that refuses connections matching a user@host pattern. The operators can make that pattern as narrow as one user or as wide as a whole domain. For example, if you are a student at Giant State University with an email address of IRCd00d@giantstate.edu and the operators K:line everything ending in giantstate.edu, then every person whose address ends with “giantstate.edu” will also be banned.  *******************************************  
 
 Client to Client Protocol (CTCP) echo flooding is the most effective type of flood. This is sort of like the ping you send to determine whether a host computer is alive. It is a command used within IRC to check to see if someone is still on your IRC channel.  
 
 How does the echo command work? To check whether someone is still on your IRC channel, give the command “/ctcp nick ECHO hello out there!” If “nick” (where “nick” is the IRC nickname of the person you are checking out) is still there, you get back “nick HELLO OUT THERE.”  
 
 What has happened is that your victim’s IRC client program has automatically echoed whatever message you sent.  
 
But someone who wants to boot you off IRC can use the CTCP echo command to make your own client do the flooding. Most IRC servers automatically cut off any client that sends too much text in a short time (an “excess flood”), and they do not care whether a human or an automatic reply generated it.  
 
So CTCP echo flooding tricks the IRC server into falsely cutting someone off: the victim’s IRC client dutifully answers a whole bunch of echo requests, and those replies are what push the victim over the server’s limit.  
 
 Of course your attacker could also get booted off for making all those CTCP echo requests.  But a knowledgeable attacker will either be working in league with some friends who will be doing the same thing to you or else be connected with several different nicks to that same IRC server. So by having different versions of him or herself in the form of software bots making those CTCP echo requests, the attacker stays on while the victim gets booted off.  
 
 This attack is also fairly harmless, so people who get caught doing this will only get banned or maybe K:lined for their misbehavior.  
 
******************************  Newbie note: A “bot” is a computer program that acts kind of like a robot to go around and do things for you. Some bots are hard to tell from real people. For example, some IRC bots wait for someone to use bad language and respond to these naughty words in annoying ways.  *************************************  
 
*************************************  You can get punched in the nose warning:  Bots are not permitted on the servers of the large networks. The IRC Cops who control hacker wars on these networks love nothing more than killing bots and banning the botrunners that they catch.  **************************************  
 
A similar attack uses CTCP PING. You give the command “/ping nick” and your client sends a CTCP PING carrying the current time; the IRC client of the person using that nick sends it straight back, and your client subtracts to show how long the round trip took. It’s useful to know the response time because sometimes the Internet can be so slow it might take ten seconds or more to send an IRC message to other people on that IRC channel. So if someone seems to be taking a long time to reply to you, it may just be a slow Internet.  
 
Your attacker can also easily get the dynamically assigned IP (Internet protocol) address of your home computer and directly flood your modem. But just about every Unix IRC program has at least some CTCP flood protection in it. Again, we are looking at a fairly harmless kind of attack.  
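The following added example (not code from this Guide or from any of the scripts it names) shows the shape of that CTCP flood protection for both the ECHO flood and the PING flood described above. It parses CTCP requests out of message text, answers ECHO and PING, but limits replies per sending host and in total over a sliding window, so a burst of requests from several bot nicks cannot turn your own client into the flooder that the server disconnects. The nicks, hosts and timestamps are constructed.

```python
"""Client-side CTCP flood protection: answer ECHO/PING requests, but never so
fast that your own replies trip the server's excess-flood limit.

Added example for this Guide; it is not code from LiCe, Phoenix, mIRC or
7th Sphere, and the nicks, hosts and timestamps below are constructed.
"""
from collections import deque
from typing import Deque, Dict, Optional, Tuple

CTCP = "\x01"   # a CTCP request or reply is message text wrapped in 0x01 bytes


def parse_ctcp(text: str) -> Optional[Tuple[str, str]]:
    """Return (COMMAND, argument) when a PRIVMSG body is a CTCP request."""
    if len(text) < 2 or text[0] != CTCP or text[-1] != CTCP:
        return None
    cmd, _, arg = text[1:-1].partition(" ")
    return cmd.upper(), arg


class CtcpResponder:
    """Sliding-window limiter keyed on the sender's host, plus a global cap.

    Keying on the host (not the nick) means one attacker with five bot nicks
    on one box still gets one budget; the global cap covers attackers who
    bring friends on different hosts.  Over-limit requests are ignored, not
    answered, so the victim stays quiet and therefore stays connected."""

    def __init__(self, per_host: int = 2, global_max: int = 5, window: float = 10.0):
        self.per_host = per_host
        self.global_max = global_max
        self.window = window                      # seconds
        self._by_host: Dict[str, Deque[float]] = {}
        self._all: Deque[float] = deque()
        self.ignored: Dict[str, int] = {}         # host -> dropped requests, for /ignore decisions

    def _prune(self, q: Deque[float], now: float) -> None:
        while q and now - q[0] > self.window:
            q.popleft()

    def handle(self, sender: str, text: str, now: float) -> Optional[str]:
        """sender is the nick!user@host prefix of the PRIVMSG.  Returns the
        CTCP reply body to send back as a NOTICE, or None to stay silent."""
        req = parse_ctcp(text)
        if req is None:
            return None
        cmd, arg = req
        if cmd not in ("PING", "ECHO", "VERSION"):
            return None
        host = sender.rpartition("@")[2].lower()
        q = self._by_host.setdefault(host, deque())
        self._prune(q, now)
        self._prune(self._all, now)
        if len(q) >= self.per_host or len(self._all) >= self.global_max:
            self.ignored[host] = self.ignored.get(host, 0) + 1
            return None
        q.append(now)
        self._all.append(now)
        body = f"{cmd} {arg}" if arg else cmd
        return f"{CTCP}{body}{CTCP}"


def replay_flood(r: CtcpResponder) -> Tuple[int, int, Optional[str]]:
    """Constructed scenario: three bots on three hosts fire 30 ECHOs in under
    a second, then a friend sends one PING 12 seconds later.  Returns
    (replies sent during the flood, requests ignored, reply to the friend)."""
    bots = ["bot1!x@a.evil.example", "bot2!x@b.evil.example", "bot3!x@c.evil.example"]
    sent = ignored = 0
    t0 = 100.0
    for i in range(30):
        if r.handle(bots[i % 3], f"{CTCP}ECHO hello out there!{CTCP}", t0 + i * 0.03) is None:
            ignored += 1
        else:
            sent += 1
    friend = r.handle("friend!~friend@cool.com", f"{CTCP}PING 1234{CTCP}", t0 + 12.0)
    return sent, ignored, friend


if __name__ == "__main__":
    responder = CtcpResponder()
    sent, ignored, friend = replay_flood(responder)
    print(f"flood: answered {sent}, ignored {ignored}")
    print("friend's PING answered with:", repr(friend))
    print("drops per host:", responder.ignored)
```

With the defaults the 30-request burst gets five answers and the rest are dropped silently, while the friend’s PING after the window has passed is answered normally. The per-host drop counts are what a war script would use to decide whom to /ignore.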
 
 So how do you handle IRC attacks? There are several programs that you can run with your Unix IRC program. Examples are the programs LiCe and Phoenix.  These scripts will run in the background of your Unix IRC session and will automatically kick in some sort of protection (ignore, ban, kick) against attackers.  
 
 If you are running a Windows-based IRC client, you may assume that like usual you are out of luck. In fact, when I first got on an IRC channel recently using Netscape 3.01 running on Win 95, the *first* thing the denizens of #hackers did was make fun of my operating system. Yeah, thanks. But in fact there are great IRC war programs for both Windows 95 and Unix.  
 
For Windows 95 you may wish to use the mIRC client program. You can download it from http://www.super-highway.net/users/govil/mirc40.html. It includes protection from ICMP ping flood. But this program isn’t enough to handle all the IRC wars you may encounter. So you may wish to add the protection of the most user-friendly, powerful Windows 95 war script around: 7th Sphere. You can get it from http://www.localnet.com/~marcraz/.  
 
  If you surf IRC from a Unix box, you’ll want to try out IRCII. You can download it from ftp.undernet.org , in the directory /pub/irc/clients/unix, or http://www.irchelp.org/, or ftp://cs-ftp.bu.edu/irc/. For added protection, you may download LiCe from ftp://ftp.cibola.net/pub/irc/scripts. Ahem, at this same site you can also download the attack program Tick from /pub/irc/tick. But if you get Tick, just remember our “You can get punched in the nose” warning!  
 
*********************************  Newbie note: For detailed instructions on how to run these IRC programs, see http://www.irchelp.org/. Or go to Usenet and check out alt.irc.questions.  *********************************  
 
*********************************  Evil genius tip: Want to know every excruciating technical detail about IRC? Check out RFC 1459 (The IRC protocol). You can find many copies of this ever popular RFC (Request for Comments) by doing a Web search.  ********************************  
 
 Now let’s suppose you are all set up with an industrial strength IRC client program and war scripts. Does this mean you are ready to go to war on IRC? 
 
 
 Us Happy Hacker folks don’t recommend attacking people who take over OP status by force on IRC.  Even if the other guys start it, remember this. If they were able to sneak into the channel and get OPs just like that, then chances are they are much more experienced and dangerous than you are.  Until you become an IRC master yourself, we suggest you do no more than ask politely for OPs back.  
 
 Better yet, "/ignore nick" the l00zer and join another channel.  For instance, if #evilhaxorchat is taken over, just create #evilhaxorchat2 and "/invite IRCfriend" all your friends there. And remember to use what you learned in this Guide about the IRC whois command so that you DON’T OP people unless you know who they are.  
 
 As Patrick Rutledge says, this might sound like a wimp move, but if you don't have a fighting chance, don't try - it might be more embarrassing for you in the long run. And if you start IRC warrioring and get K:lined off the system, just think about that purple nose and black eye you could get when all the other IRC dudes at your ISP or school find out who was the luser who got everyone banned.  
 
 That’s it for now. Now don’t try any funny stuff, OK? Oh, no, they’re nuking meee...  
 
____________________________________________________________  

                                                                                                        Bhat Aasim
___________________________________________________________  
