Slashdot Mirror
Reconnaissance In Virtual Space
An anonymous reader writes "Whitedust Security have released an interesting article discussing online reconnaissance techniques. From the article: 'Sometimes thirty-two bits are all you need. This is a guide to Internet reconnaissance - a guide to finding out as much as you can concerning a target via the Internet'."
What.. is Cyberspace no longer a valid buzzword???
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
"Sometimes 32 bits is all you need"
Of course 32 bits would actually be, like, four letters, since on the internet a single character is usually eight bits. I'm not really sure how much you could find out about someone if there were only four letters in which to describe them. But, hey, Mr. security company press release department, don't let me stop you from thinking that you sound clever.
Well, there goes my need for AMD64.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
if you want to catch a 2-bit crook
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 is the magic number.
1) Enable webstats
2) Look at who has been going to your website
3) If someone from a college you have a (hot girl) friend at visits your site, use facebook to see if the hit is from the dormroom they are in
4) If so, shoot them an email saying that you were thinking of them and asking how they are
5) Wait until they write back and say, "what a coincidence, I was thinking of you too!"
6) ????
7) Profit!
And the best thing is technically they're the one stalking you
(exercepted from an article to be published on kuro5hin in the mysterious future on using your personal website to get pick up women)
A guide to internet reconnaissance? WHERE? This is just an overview of the whois command! And it made the frontpage on /.
How sad.
Global warming is a cube.
There is very little here besides:
man nslookup
man whois
Try those commands for a more complete understanding of what's going on.
Jeez, I was hoping for something vaguely Kevin Mitnick, and instead I get Sam Spade. This may not be Intarweb 101, but it's maybe 102.
This next song is very sad. Please clap along. -- Robin Zander
I haven't heard of Whitedust Security before. Who exactly are they? What are some notable accomplishments of this group in the field of computer security? Have they performed any other notable studies, or written any revolutionary papers?
Cyric Zndovzny at your service.
"Still, you'll gain a much better footing once you have the means to personify your target."
In context, I know what he means. But if I am trying to get a person's IP address, does that mean I'm trying to "computerfy" them?
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
To sum up the article:
1) You can use the DNS system to resolve IP addresses to hostnames, which may tell you something about the organisation they belong to.
2) For more information, perform a whois query.
That's news? Seriously, people, that's like saying that you can control your car with the help of this "steering wheel"...
quidquid latine dictum sit altum videtur.
TTL based routing analysis (traceroute), whois retrieval and plain DNS lookups, is that all? And not even a rundown of the nmap commandline, just nslookup(.exe) and tracert(.exe).
Where is all the other TTL based stuff like, oh I don`t know figuring out what packet filters ("firewalls" for the mysticism fans) are dropping along the way? What about OS fingerprinting, simple googleing, what about DNS zone transfers, how about looking for published traffic graphs? How about simply connecting and letting something (mail, or webserver) give you its information?
kids these days can`t stalk a mainframe walking down a shopping mall.
This is junk.
"You can do a traceroute, a dns lookup, and read public whois data!"
Then this stuff about how IP addresses are broken up into "classes" to ease routing.. err, no, they aren't.. though they used to be many, many years ago.
Also... * * * in a traceroute may indicate ICMP filtering, but more often indicates that rfc1518 private addresses were used on the links, which are then blocked elsewhere. Perfectly normal, and quite common.
An article on how to hunt someone down on the Internet. A picture of a beautiful woman on top of the article with a transparent crosshair on her face. The article is submitted to a community of mostly-lonely geeks. God only know's what will happen now.
For he today that sheds his blood with me shall be my brother.
Please stop posting articles which the majority of the Slashdot community find insulting to their intelligence.
Thank you.
It's only an insult if it's not true.
...nothing to see here.
The older I get, the less I like everyone else.
This article covers whois. Nothing more exciting right? *rolls eyes*
It is nothing new or particularly insightful. This does bring up 3 questions though
1 - Is the slashdot crowd so amazed by something so old as whois?
2 - How much will IP geolocation amaze then?
3 - Who let this even get posted?
Wow what an amazing article! Might I suggest to the WhiteDust "gurus" that their next article explore netstat and the wonders of null session connections on Windows?
WhiteDust...what a joke.
But Whitedust targets CEOs as well as techies, Most CEOs may or may not know this stuff and may, just on the off chance, be intrested in what their techies do. Just because you know something doesn't make mean the whole fucking world knows too.
Maybe get off your high horse and contribute something to this world insted of whining about what others write about.
This 'tip' was marketing spam. Gee. This article reminds me of the 'informative email' I get from Spamis with spoofed headers to and from me. Can slashdot STOP these 'anonymous reader' tips before we start getting not only comment spam, but article spam?
--- See you at the Tannhäuser Gate.
anyone who has a half brain on how to use whois, dig, host or nslookup has already done these.
...also called "Zonkism" in slashdot-speak.
Step 1: Lack of interesting stories, hence initiate random story search
Step 2: yep, headline looks good 'nuff, let's post the fooker!
Step 3: Rinse and repeat!
p.s. Sarcasm can sometimes be a wake-up call.
Yeah, the post was about as lame as they get. But here are a sample of some of my tricks:
1) probe port 80 on the last few addresses you find, and if you get a web page out of there, look at the page source to see if there are other IPs to look up. Nothing like a badly configured chain to cough some more info from. Probe for other common ports at the end of the chain to see if there's a mail server there; maybe you can make it cough more data.
2) do google or dogpile searches of the IP address, and both the dns names and reverse names; follow each hit until it ends somewhere. Always take notes.
3) try to find email addresses through index engines using the various domain names, and also its NS records, MX records and anything else in DNS that might point to hidden servers in the route(s). Take notes.
4) check various rbls, spamhaus, and so on to see if there are other complaints. Sometimes you can have fun.
5) check any phone numbers; search on those, too. Heaven loves a toll-free # in a spam.
And now, your tips?
---- Teach Peace. It's Cheaper Than War.
Wonder who Whitedust is? Read their mission statement:
Within six months of launch, the Whitedust Portal will overtake the existing portals as the leading source of comprehensive, trusted and unbiased security information. This will be achieved through a dedicated approach to reporting security events as they happen. So far in our live period Whitedust have placed an un-mistakable and firm emphasis on fair, unbiased and above all honest news comment on up to the minute security issues - a strategy fundamental to Whitedust's own work ethic.
Sure, it was written in February - a mere 7 months ago - but cut them some slack. They're trying.
"Time is an illusion.
Lunchtime doubly so."
-Douglas Adams
David Borowitz
Bullshit.
One of the hostnames in the article points to a project server of mine. Please don't muck with it.
What? No mention of nmap? I mean, sure I see the writer might be Windows literate only, but come on now - nmap is ported to Win32 as well. At least with nmap, we could have seen some port scanning techniques or something.
... this article was useless.
Maybe next time, we'll get an Ethereal treat
Hagrin.com
I forgot that the IP changed since he wrote that. :P
Just don't learn too much about Eric Schmidt. He'll blacklist you.
Okay even for a Saturday Night slashdot story, that was weak as hell. I learned this shit YEARS ago, this is BASIC information gathering!
This might be news to my mom and dad. Well maybe not my dad, he has a clue.
-- Note: If you don't agree with me, don't bother replying. I won't read it.
For a minute I thought I was back in 1995 on my Packard Bell P133 screaming through the internet at a blazing 26.4Kbps on my 28.8K modem!
I don't see how this made it to the front page of Slashdot? This is pretty much a "diet" version of "Tracking Spammers 101" from 5 years ago. In fact, I wonder if this is a txt file someone got from a BBS in 1993. This "paper" has pleanty of flaws. Let's list them:
1. A practical guide to Internet reconnaissance.
Wrong. This isn't practical because it doesn't provide the investigator any useful information.
2. This is a guide to Internet reconnaissance - a guide to finding out as much as you can concerning a target via the Internet. Utilizing publicly available resources, we can quickly learn a good deal about a suspicious host, such as its service provider and originating country.
Wrong. This paper doesn't even mention the use of a certain wildly-popular search engine to see if other people are talking about the same host. This paper doesn't talk about using RadB, looking glasses, route servers or any other public resource that allows you to do a "fly-over" of your target.
3. Coupled with real-world knowledge, we can assess the threat posed by a would-be attacker and react accordingly.
What real world knowledge would that be? You can assess the threat by the source IP? Really? It's common knowledge that many times the attack source IP isn't really where the attacker is sitting. So that pretty much kills the point of this "paper" now doesn't it.
4. Along with a good idea of where to start, this requires some basic working knowledge of the Internet and the communication for which it provides.
Good. Basic working knowledge. So my mom is all primed to get started in a career in internet investigations. Super.
5. The Internet is a cloud.
Yeah I have Visio too. Nice.
6. Not literally, of course, but it is often pictured this way due to its vague nature. From the outside, it appears as a single entity, but from within it is impossible to determine its boundaries.
Oh dude, you like totally had me there for a second. Then you started sounding like Carl Sagan and I knew that you didn't REALLY mean cloud. Billions and billions of hosts....
7. The Internet is constantly changing, and there is no giant map to help us get a bearing on where we are. Instead, we rely on routed protocols - specifically IP - for transportation over and between networks.
IP? Ok thanks for letting all us Slashdotters know that the internet uses IP. This is breakthrough.
8. C:\>tracert 68.57.30.45
Jackass. Windows tracert uses ICMP. Welcome to the town of "Blocked Protocol" Population: You. Tracerouting from my linux box sure makes a better read:
traceroute to pcp04991434pcs.benslm01.pa.comcast.net (68.57.30.45), 30 hops max, 40 byte packets
1 69.64.35.253 (69.64.35.253) 0.499 ms 0.403 ms 0.411 ms
2 ge-5-1.513.hsa1.StLouis1.Level3.net (63.208.32.161) 0.481 ms 0.511 ms 0.482 ms
3 so-6-1-0.mp2.StLouis1.Level3.net (64.159.4.141) 0.623 ms 0.585 ms 0.558 ms
4 ae-0-0.bbr1.Chicago1.Level3.net (64.159.1.33) 5.757 ms so-6-1-0.bbr2.Chicago1.Level3.net (64.159.0.58) 5.717 ms ae-0-0.bbr1.Chicago1.Level3.net (64.159.1.33) 5.901 ms
5 so-7-0-0.edge1.Chicago1.Level3.net (209.244.8.14) 5.893 ms 5.846 ms so-6-0-0.edge1.Chicago1.Level3.net (209.244.8.10) 5.892 ms
6 att-level3-oc48.Chicago1.Level3.net (209.0.227.78) 6.195 ms att-level3-oc48.Chicago1.Level3.net (4.68.127.166) 6.172 ms 6.180 ms
7 tbr1-p014001.cgcil.ip.att.net (12.123.6.34) 26.366 ms 26.389 ms 26.147 ms
8 tbr1-cl1.n54ny.ip.att.net (12.122.10.1) 26.708 ms 28.535 ms 26.476 ms
9 gar5-p300.n54ny.ip.att.net (12.123.3.9) 25.555 ms 25.656 ms 25.570 ms
10 12.118.149.10 (12.118.149.10) 26.228 ms 26.277 ms 26.293 ms
11 te-8-1-ar01.plainfield.nj.panjde.comcast.net (68.86.211.1) 26.560 ms 26.508 ms 26.629 ms
12 po80-ar01.audubon.nj.panjde.comcast.net (68.86.208.2) 29.842 ms 30.083 ms 29.921 ms
13 po10-ar01.wallingford.pa.panjde
It's rather odd that all of the pro article comments I've seen are posted by anonymous cowards.
To triangulate the source of spoofed IP packets, to (theoretically) sniff a keyboard by recording TCP sequence numbers, and even how to build a distributed computer out of covert channels, see Michal Zalewski's Silence On The Wire. It's less practical than nslookup and whois but it's a glorious romp through the fun parts of information security. Read it for inspiration and to jar you into thinking outside the box.
(Disclosure: I got a free review copy.)
Since when did Slashdot become "h4x0r for beginners"? This is such common knowledge that I'm not sure you can call "using WHOIS" a technique...
Ever notice how fast Windows runs? Neither do I - get Mac OS
You have to under stand who actually built white dust to understand the content of the site. (note they dont actually have their own content) Most of the founding members are made up from friends that came to gether while on IRC in white wolf role playing channels. (they like to advertise whitedust, it makes them feel important) while granted they have web design skills, that about there limit of what they can actually do. The whole point of the website is for something they can put in there protfolio when they are trying to arrange jobs for them selfs. (see look how good I am, I was this projects director on this fake web site see see, hire me please)
and discovering, tracing, and whois'ing an ip address is the hippest thing for the kiddies to do on a Saturday night.
Is this all you can do???
Well the net is a safer place than I thought.