Slashdot Mirror

← Back to Stories (view on slashdot.org)

Reconnaissance In Virtual Space

Posted by ryuzaki0 on from the weekend-project dept.

An anonymous reader writes "Whitedust Security have released an interesting article discussing online reconnaissance techniques. From the article: 'Sometimes thirty-two bits are all you need. This is a guide to Internet reconnaissance - a guide to finding out as much as you can concerning a target via the Internet'."

59 of 89 comments (clear)

  1. Virtual Space by ciroknight · · Score: 3, Funny

    What.. is Cyberspace no longer a valid buzzword???

    --
    "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
    1. Re: Virtual Space by lightyear4 · · Score: 2, Funny

      Oh no, far from it. Cyberspace, however, is the world of yesterday. You see, in Virtual Space, reconnaissance is done in person, in the computer's world itself. Amidst towering circuitry, glowing with an eerie light, you race about upon futuristic wire-frame motorcycles, intent on bringing combat to the all-powerful Master Control Program which rules all. Good luck.

  2. Goodbye AMD by Nom+du+Keyboard · · Score: 4, Funny
    thirty-two bits are all you need.

    Well, there goes my need for AMD64.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:Goodbye AMD by IdleTime · · Score: 2, Informative

      I, for one, is happy to have a 64-bit, twice as difficult ;-)

      The article is moronic and only discusses the ip-address, the easiest thing to hide if you really want to. I guess this would be a life-changing article if you don't know anything about networks, other than that, it's not worth the click.

      --
      If you mod me down, I *will* introduce you to my sister!
  3. 32 bits is all you need... by sokoban · · Score: 4, Funny

    if you want to catch a 2-bit crook

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 is the magic number.
    1. Re:32 bits is all you need... by Slashdot_Gandhi · · Score: 1

      Is this article saying something that noone knew before? Comeon guys! BTW who uses visuaroute here?

  4. Using your personal website to pick up women by pHatidic · · Score: 4, Funny

    1) Enable webstats
    2) Look at who has been going to your website
    3) If someone from a college you have a (hot girl) friend at visits your site, use facebook to see if the hit is from the dormroom they are in
    4) If so, shoot them an email saying that you were thinking of them and asking how they are
    5) Wait until they write back and say, "what a coincidence, I was thinking of you too!"
    6) ????
    7) Profit!

    And the best thing is technically they're the one stalking you

    (exercepted from an article to be published on kuro5hin in the mysterious future on using your personal website to get pick up women)

    1. Re:Using your personal website to pick up women by Ex+Machina · · Score: 1

      Ha, ha ha! Back when everyone at my college used pione to read email, I used to correlate hits on my server with hostnames from the "last -a" command. Very useful!

    2. Re:Using your personal website to pick up women by pHatidic · · Score: 1

      Yes, email is an excellent way to get hostnames. Helpful hint: At the start of each school year send out a mass email to everyone you know with your address, and ask people to reply with theirs so you can update your rolodex.

      I should be charging (or perhaps getting charged) for this.

    3. Re:Using your personal website to pick up women by i.r.id10t · · Score: 2, Funny

      To heck with email... I remember the shouts of "finger me!" across the halls... of course, it was typically a couple of guys, but there was the occasional hottie...

      --
      Don't blame me, I voted for Kodos
    4. Re:Using your personal website to pick up women by usv · · Score: 1

      "last" is indeed a very useful command; I use it mainly to pinpoint the physical location of a person I might want to make contact with on campus area :) Goes well with IRC:
      1. <LeetGirl> joins a channel from a university computer
      2. Get her username and host and ssh in to the same machine.
      3. last | grep -i username | head -n 5
      4. Check remote host for her connection; if it represents a machine in a computer classroom, hop in and say "hi" to start a conversation :) Or just sit quietly in the back row and occasionally get a glimpse of her beauty *sigh*

    5. Re:Using your personal website to pick up women by D4C5CE · · Score: 1
      hint [for collecting IP addresses]: At the start of each school year send out a mass email to everyone you know with your address, and ask people to reply with theirs so you can update your rolodex. I should be charging (or perhaps getting charged) for this.
      Try software patents.

      Oh, and the fame and fortune they (purportedly) bring... should help you with women, too.

      Too bad by the time you get to use your "amazing discoveries" (made the hard way by using the "insights" from TFA -with anonymous<gasp>submission adding to the "mystery"- rather than going the easy route through Geektools or some such), DHCP may have reassigned your "target address" from Sorority House to Astrophysics Lab...;-)

    6. Re:Using your personal website to pick up women by Ex+Machina · · Score: 1

      Now I use cookies, this technique and aim "%n" links to track people. :D

  5. And this would be reconnaissance? by giorgiofr · · Score: 4, Informative

    A guide to internet reconnaissance? WHERE? This is just an overview of the whois command! And it made the frontpage on /.
    How sad.

    --
    Global warming is a cube.
    1. Re:And this would be reconnaissance? by MaxwellStreet · · Score: 1

      to be fair, there was tracert info too.

      Nothing - nothing! - to see here.

    2. Re:And this would be reconnaissance? by CyricZ · · Score: 1

      Well, it must've been a real revelation for Zonk to learn such commands existed. Perhaps that is why it made the front page. I mean, it's not completely unreasonable. Many Windows users are not aware that they have such tools at their disposal. I think it's better to make such users aware of these utilities rather than leave them in the dark.

      Perhaps they could use such tools to run a whois on NBC.com. You know, to find out that they're owned and run by General Electric. The same General Electric who is involved with the war industry. Imagine that! The owners of TV stations which run news programs being involved in the manufacturing of weapons. Now, they wouldn't want to promote war on their news broadcasts in order to increase profits for their war-making interests, would they?!

      --
      Cyric Zndovzny at your service.
    3. Re:And this would be reconnaissance? by abandonment · · Score: 1

      is not this site considered to be a 'step above' the average windows user? seriously i couldn't believe it when i got to the bottom of the article - i expected it to be one of a number of pages that actually got into some detail.

      finding out who owns the IP address of someone is near useless - it's the steps beyond that are the 'grey area' for most people. trying to get the attention of some random ISP in taiwan is going to be rather difficult at best, and completely useless for the most part.

      Not sure what the point of the article is - if someone is smart enough to even know that they are being attacked and can figure out the attackers IP address, then the contents of this article are going to be useless to them.

      I mean seriously - if you are able to run an FTP server AND check the logs to even figure out what a 'potential compromise' of said server is - what are the odds you don't know what a tracert or nslookup is?

      hell i have firefox extensions installed that let me do nslookups & tracert's to any IP address I visit just for fun - this isn't exactly rocket science and it sure as hell isn't 'virtual reconnaisance'

      --
      Gekido's Lair
    4. Re:And this would be reconnaissance? by CyricZ · · Score: 1

      "News for Nerds" does not suggest that everyone here is a network security expert, nor does it suggest that all the readers here are legal experts, nor does it suggest that everyone here is a physics expert.

      "Nerds" often have a high degree of understanding of one particular field. But that does not suggest that they're proficient in each and very topic. Somebody might be a supreme physics "nerd", yet know very little about basic networking utilities like whois or traceroute or nslookup. Likewise, a networking expert might not know everything about the most recent understanding concerning multidimensional trans-deltonic pseudostring theory.

      There's nothing wrong with posting an article that appeals to nerds who do not have knowledge of some other field of nerdery. It's better that they learn than remain in the dark, even if as a network specialist the existence of such tools is the most basic of knowledge to you.

      --
      Cyric Zndovzny at your service.
    5. Re:And this would be reconnaissance? by jacksonj04 · · Score: 1

      Just out of interest, which extension?

      --
      How many people can read hex if only you and dead people can read hex?
    6. Re:And this would be reconnaissance? by abandonment · · Score: 1

      it's called 'showip', pretty useful

      https://addons.mozilla.org/extensions/moreinfo.php ?application=firefox&category=Popular&numpg=10&id= 590

      --
      Gekido's Lair
  6. little content by MJArrison · · Score: 5, Insightful

    There is very little here besides:

    man nslookup
    man whois

    Try those commands for a more complete understanding of what's going on.

  7. Reconnaissance!? by david+duncan+scott · · Score: 4, Insightful
    nslookup and whois? My God, is it legal to disseminate such critical information as this?

    Jeez, I was hoping for something vaguely Kevin Mitnick, and instead I get Sam Spade. This may not be Intarweb 101, but it's maybe 102.

    --

    This next song is very sad. Please clap along. -- Robin Zander

  8. Who is/are Whitedust Security? by CyricZ · · Score: 4, Interesting

    I haven't heard of Whitedust Security before. Who exactly are they? What are some notable accomplishments of this group in the field of computer security? Have they performed any other notable studies, or written any revolutionary papers?

    --
    Cyric Zndovzny at your service.
    1. Re:Who is/are Whitedust Security? by aster_ken · · Score: 3, Insightful

      Given that their current poll concerns a recent browser security controversy instead of an actual security issue, I would guess they are a company that was recently started by an amateur computer security consultant.

      Actually, why does a security site even have a poll?

    2. Re:Who is/are Whitedust Security? by slavemowgli · · Score: 1

      I have never seen them publish any information that's actually interesting/informative/insightful, or - for that matter - NEW, but they often get coverage on Slashdot for some reason. Makes you wonder...

      --
      quidquid latine dictum sit altum videtur.
    3. Re:Who is/are Whitedust Security? by twiddlingbits · · Score: 3, Funny

      These were the guys who used to be the heat for the Columbian Cocaine Cartel. Since the Columbian Goverment busted the cartel they branched out into the Internet security area. Why not, they are as qualifed as most of the consultants out there!

    4. Re:Who is/are Whitedust Security? by linzeal · · Score: 1

      Anyone want to chip in and send Zonk to a community college to bone up on technology?

      --
      An Education is the Font of All Liberty
    5. Re:Who is/are Whitedust Security? by slavemowgli · · Score: 1

      I don't know, but sometimes, the articles posted on Slashdot are so blatantly sensationalist that you can't help but wonder. Of course, Hanlon's razor dictates that it probably really is just the editors posting everything that looks vaguely interesting without bothering to even look at the actual stories linked, but... who knows. I wouldn't be terribly surprised, at least.

      --
      quidquid latine dictum sit altum videtur.
  9. Personify? by Red+Flayer · · Score: 1

    "Still, you'll gain a much better footing once you have the means to personify your target."

    In context, I know what he means. But if I am trying to get a person's IP address, does that mean I'm trying to "computerfy" them?

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  10. DNS and whois? by slavemowgli · · Score: 3, Informative

    To sum up the article:

    1) You can use the DNS system to resolve IP addresses to hostnames, which may tell you something about the organisation they belong to.
    2) For more information, perform a whois query.

    That's news? Seriously, people, that's like saying that you can control your car with the help of this "steering wheel"...

    --
    quidquid latine dictum sit altum videtur.
    1. Re:DNS and whois? by kevmo · · Score: 1

      you can control your car with the help of this "steering wheel"...

      I KNEW I was doing something wrong!

    2. Re:DNS and whois? by CanadianBoy · · Score: 1

      Maybe someone was trying to slashdot this guy to death?

  11. What a waste of time by Anonymous Coward · · Score: 1, Informative

    TTL based routing analysis (traceroute), whois retrieval and plain DNS lookups, is that all? And not even a rundown of the nmap commandline, just nslookup(.exe) and tracert(.exe).

    Where is all the other TTL based stuff like, oh I don`t know figuring out what packet filters ("firewalls" for the mysticism fans) are dropping along the way? What about OS fingerprinting, simple googleing, what about DNS zone transfers, how about looking for published traffic graphs? How about simply connecting and letting something (mail, or webserver) give you its information?

    kids these days can`t stalk a mainframe walking down a shopping mall.

    1. Re:What a waste of time by Fred_A · · Score: 1

      Well, say what you want, it must be some pretty high end stuff, I know I can't get it to work on my machine :

      7 fred@ix ~ > tracert 68.57.30.45
      bash: tracert: command not found

      --

      May contain traces of nut.
      Made from the freshest electrons.
  12. Junk article. by mindstrm · · Score: 2, Insightful

    This is junk.

    "You can do a traceroute, a dns lookup, and read public whois data!"

    Then this stuff about how IP addresses are broken up into "classes" to ease routing.. err, no, they aren't.. though they used to be many, many years ago.

    Also... * * * in a traceroute may indicate ICMP filtering, but more often indicates that rfc1518 private addresses were used on the links, which are then blocked elsewhere. Perfectly normal, and quite common.

    1. Re:Junk article. by Fred+Foobar · · Score: 1
      Then this stuff about how IP addresses are broken up into "classes" to ease routing.. err, no, they aren't.. though they used to be many, many years ago.
      Actually, it does say "IP addresses are traditionally broken into several distinct classes, which were used to manage routing tables in the early years of the Internet".

      Besides that, you are correct about this article being junk.

      --
      It was a really good paper.
  13. Oh, how perfect! by AutopsyReport · · Score: 2, Funny

    An article on how to hunt someone down on the Internet. A picture of a beautiful woman on top of the article with a transparent crosshair on her face. The article is submitted to a community of mostly-lonely geeks. God only know's what will happen now.

    --

    For he today that sheds his blood with me shall be my brother.

  14. Dear Zonk by rincebrain · · Score: 1, Insightful

    Please stop posting articles which the majority of the Slashdot community find insulting to their intelligence.

    Thank you.

    --
    It's only an insult if it's not true.
    1. Re:Dear Zonk by rincebrain · · Score: 1

      And your post was modded offtopic, too. I love Slashdot sometimes...it's +5 Insightful if you post how useful an article is, but -1 Flamebait if you deride it for being unworthy.

      --
      It's only an insult if it's not true.
  15. Nothing new - way old rehash. by brennz · · Score: 1

    This article covers whois. Nothing more exciting right? *rolls eyes*

    It is nothing new or particularly insightful. This does bring up 3 questions though

    1 - Is the slashdot crowd so amazed by something so old as whois?
    2 - How much will IP geolocation amaze then?
    3 - Who let this even get posted?

  16. Amazing Article... by bitfoo · · Score: 1

    Wow what an amazing article! Might I suggest to the WhiteDust "gurus" that their next article explore netstat and the wonders of null session connections on Windows?

    WhiteDust...what a joke.

  17. Um try 'anon coward' / 'anon spammer'. by leoofborg · · Score: 1

    This 'tip' was marketing spam. Gee. This article reminds me of the 'informative email' I get from Spamis with spoofed headers to and from me. Can slashdot STOP these 'anonymous reader' tips before we start getting not only comment spam, but article spam?

    --
    --- See you at the Tannhäuser Gate.
  18. stupid. by generalbeard · · Score: 1

    anyone who has a half brain on how to use whois, dig, host or nslookup has already done these.

  19. Ok, put your tips below; here are mine by postbigbang · · Score: 2, Informative

    Yeah, the post was about as lame as they get. But here are a sample of some of my tricks:

    1) probe port 80 on the last few addresses you find, and if you get a web page out of there, look at the page source to see if there are other IPs to look up. Nothing like a badly configured chain to cough some more info from. Probe for other common ports at the end of the chain to see if there's a mail server there; maybe you can make it cough more data.

    2) do google or dogpile searches of the IP address, and both the dns names and reverse names; follow each hit until it ends somewhere. Always take notes.

    3) try to find email addresses through index engines using the various domain names, and also its NS records, MX records and anything else in DNS that might point to hidden servers in the route(s). Take notes.

    4) check various rbls, spamhaus, and so on to see if there are other complaints. Sometimes you can have fun.

    5) check any phone numbers; search on those, too. Heaven loves a toll-free # in a spam.

    And now, your tips?

    --
    ---- Teach Peace. It's Cheaper Than War.
  20. Whitedust? by Pupp3tM · · Score: 1

    Wonder who Whitedust is? Read their mission statement:

    Within six months of launch, the Whitedust Portal will overtake the existing portals as the leading source of comprehensive, trusted and unbiased security information. This will be achieved through a dedicated approach to reporting security events as they happen. So far in our live period Whitedust have placed an un-mistakable and firm emphasis on fair, unbiased and above all honest news comment on up to the minute security issues - a strategy fundamental to Whitedust's own work ethic.

    Sure, it was written in February - a mere 7 months ago - but cut them some slack. They're trying.

    --
    "Time is an illusion.
    Lunchtime doubly so."
    -Douglas Adams

    David Borowitz
  21. A Request by Skudd · · Score: 1

    One of the hostnames in the article points to a project server of mine. Please don't muck with it.

  22. Nmap? by hagrin · · Score: 1

    What? No mention of nmap? I mean, sure I see the writer might be Windows literate only, but come on now - nmap is ported to Win32 as well. At least with nmap, we could have seen some port scanning techniques or something.

    Maybe next time, we'll get an Ethereal treat ... this article was useless.

    --
    Hagrin.com
  23. Nevermind by Skudd · · Score: 1

    I forgot that the IP changed since he wrote that. :P

  24. Re:This maybe a simple article by sgt_doom · · Score: 1

    If CEOs don't know this stuff it's because they shipped all those network programmer/network admin jobs off to India, China, Africa, Eastern Europe and now South America - GEEZ!!!!

  25. Google by connah0047 · · Score: 1

    Just don't learn too much about Eric Schmidt. He'll blacklist you.

  26. Re:Let's mix some metaphors and roll! by robfoo · · Score: 1

    I can think of several people who are adequately summed up in a four letter word..

  27. Up Your Gorilla by fire-eyes · · Score: 1

    Okay even for a Saturday Night slashdot story, that was weak as hell. I learned this shit YEARS ago, this is BASIC information gathering!

    This might be news to my mom and dad. Well maybe not my dad, he has a clue.

    --
    -- Note: If you don't agree with me, don't bother replying. I won't read it.
  28. Welcome to 5 years ago by Anonymous Coward · · Score: 2, Insightful

    I don't see how this made it to the front page of Slashdot? This is pretty much a "diet" version of "Tracking Spammers 101" from 5 years ago. In fact, I wonder if this is a txt file someone got from a BBS in 1993. This "paper" has pleanty of flaws. Let's list them:

    1. A practical guide to Internet reconnaissance.

    Wrong. This isn't practical because it doesn't provide the investigator any useful information.

    2. This is a guide to Internet reconnaissance - a guide to finding out as much as you can concerning a target via the Internet. Utilizing publicly available resources, we can quickly learn a good deal about a suspicious host, such as its service provider and originating country.

    Wrong. This paper doesn't even mention the use of a certain wildly-popular search engine to see if other people are talking about the same host. This paper doesn't talk about using RadB, looking glasses, route servers or any other public resource that allows you to do a "fly-over" of your target.

    3. Coupled with real-world knowledge, we can assess the threat posed by a would-be attacker and react accordingly.

    What real world knowledge would that be? You can assess the threat by the source IP? Really? It's common knowledge that many times the attack source IP isn't really where the attacker is sitting. So that pretty much kills the point of this "paper" now doesn't it.

    4. Along with a good idea of where to start, this requires some basic working knowledge of the Internet and the communication for which it provides.

    Good. Basic working knowledge. So my mom is all primed to get started in a career in internet investigations. Super.

    5. The Internet is a cloud.

    Yeah I have Visio too. Nice.

    6. Not literally, of course, but it is often pictured this way due to its vague nature. From the outside, it appears as a single entity, but from within it is impossible to determine its boundaries.

    Oh dude, you like totally had me there for a second. Then you started sounding like Carl Sagan and I knew that you didn't REALLY mean cloud. Billions and billions of hosts....

    7. The Internet is constantly changing, and there is no giant map to help us get a bearing on where we are. Instead, we rely on routed protocols - specifically IP - for transportation over and between networks.
    IP? Ok thanks for letting all us Slashdotters know that the internet uses IP. This is breakthrough.

    8. C:\>tracert 68.57.30.45

    Jackass. Windows tracert uses ICMP. Welcome to the town of "Blocked Protocol" Population: You. Tracerouting from my linux box sure makes a better read:

    traceroute to pcp04991434pcs.benslm01.pa.comcast.net (68.57.30.45), 30 hops max, 40 byte packets
    1 69.64.35.253 (69.64.35.253) 0.499 ms 0.403 ms 0.411 ms
    2 ge-5-1.513.hsa1.StLouis1.Level3.net (63.208.32.161) 0.481 ms 0.511 ms 0.482 ms
    3 so-6-1-0.mp2.StLouis1.Level3.net (64.159.4.141) 0.623 ms 0.585 ms 0.558 ms
    4 ae-0-0.bbr1.Chicago1.Level3.net (64.159.1.33) 5.757 ms so-6-1-0.bbr2.Chicago1.Level3.net (64.159.0.58) 5.717 ms ae-0-0.bbr1.Chicago1.Level3.net (64.159.1.33) 5.901 ms
    5 so-7-0-0.edge1.Chicago1.Level3.net (209.244.8.14) 5.893 ms 5.846 ms so-6-0-0.edge1.Chicago1.Level3.net (209.244.8.10) 5.892 ms
    6 att-level3-oc48.Chicago1.Level3.net (209.0.227.78) 6.195 ms att-level3-oc48.Chicago1.Level3.net (4.68.127.166) 6.172 ms 6.180 ms
    7 tbr1-p014001.cgcil.ip.att.net (12.123.6.34) 26.366 ms 26.389 ms 26.147 ms
    8 tbr1-cl1.n54ny.ip.att.net (12.122.10.1) 26.708 ms 28.535 ms 26.476 ms
    9 gar5-p300.n54ny.ip.att.net (12.123.3.9) 25.555 ms 25.656 ms 25.570 ms
    10 12.118.149.10 (12.118.149.10) 26.228 ms 26.277 ms 26.293 ms
    11 te-8-1-ar01.plainfield.nj.panjde.comcast.net (68.86.211.1) 26.560 ms 26.508 ms 26.629 ms
    12 po80-ar01.audubon.nj.panjde.comcast.net (68.86.208.2) 29.842 ms 30.083 ms 29.921 ms
    13 po10-ar01.wallingford.pa.panjde

  29. For people who want high-tech, a fascinating book by Beryllium+Sphere(tm) · · Score: 3, Informative
    >And now, your tips?

    To triangulate the source of spoofed IP packets, to (theoretically) sniff a keyboard by recording TCP sequence numbers, and even how to build a distributed computer out of covert channels, see Michal Zalewski's Silence On The Wire. It's less practical than nslookup and whois but it's a glorious romp through the fun parts of information security. Read it for inspiration and to jar you into thinking outside the box.

    (Disclosure: I got a free review copy.)

  30. Re:Let's mix some metaphors and roll! by bclark · · Score: 1

    Dead?

  31. Wow by coolMikeUSC · · Score: 1

    Since when did Slashdot become "h4x0r for beginners"? This is such common knowledge that I'm not sure you can call "using WHOIS" a technique...

    --
    Ever notice how fast Windows runs? Neither do I - get Mac OS
  32. who is whitedust? by chaos777b · · Score: 1

    You have to under stand who actually built white dust to understand the content of the site. (note they dont actually have their own content) Most of the founding members are made up from friends that came to gether while on IRC in white wolf role playing channels. (they like to advertise whitedust, it makes them feel important) while granted they have web design skills, that about there limit of what they can actually do. The whole point of the website is for something they can put in there protfolio when they are trying to arrange jobs for them selfs. (see look how good I am, I was this projects director on this fake web site see see, hire me please)

  33. Maybe the Internet just arrived in Ireland... by h0tr0d · · Score: 1

    and discovering, tracing, and whois'ing an ip address is the hippest thing for the kiddies to do on a Saturday night.

  34. A practical guide to Internet reconnaissance. by shrey · · Score: 1

    Is this all you can do???
    Well the net is a safer place than I thought.