SWAT MAGAZINE ISSUE SIXTEEN: APRIL 1999

============================================
GATHERING INFO FOR REMOTE ATTACKS
============================================
Author : Netw0rk Bug
E-Mail : bug@netw0rk.freeserve.co.uk
Date   : February 1999
============================================

The first steps should not involve much contact with the target (if you're smart!). Your first problem (after identifying the type of network, target machines etc.) is to determine with whom you're dealing. Much of this info can be acquired without disturbing the target.

1. Running a host query. This may map out the machines and IPs within the domain.

2. A WHOIS query may identify technical contacts. This person's email address may have some value. Also, between this and the host query, you can determine whether the target is a real box, a leaf node, a virtual domain hosted by another service and so on.

3. Running some usenet and web searches. Run the technical contact's name through a search engine. See if the guy posts much on usenet.

Try to gather info about your (target) host. Finger, showmount and rpcinfo are good starting points. You should also utilise DNS, WHOIS, sendmail (SMTP), ftp, uucp and as many other services as you can find.

Collecting info about the sysadmin is paramount. A sysadmin is responsible for maintaining the security of the site. There are instances where they may run into problems, and many of them cannot resist the urge to post to usenet or mailing lists. By taking the time to search out these mails, you may get an insight into his personality, network and security. Admins who make such posts typically specify their architecture, a bit about their network topology and their stated problem. Even a match on their email address can be enlightening. For example, if a sysadmin is on a security mailing list or forum each day, there is evidence of knowledge.
In other words, this type of person knows security well and is therefore likely to be prepared for an attack. Analysing their posts closely will tell you a bit about his stance on security and how he implements it. Conversely, if the majority of his questions are rudimentary, it might be evidence of his inexperience.

Because r00t isn't normally invoked directly, the sysadmin's ID could be anything. Let's presume you know that ID. Let's suppose it is 'walrus'. Let's further suppose that on the host query you conducted, there are about 150 machines. Each of those machines has a separate name. Examples could be mail.victim.com, news.victim.com, shell.victim.com etc. You should try the sysadmin's address at each machine, i.e. walrus@shell.victim.com, walrus@news.victim.com etc. In other words, try this on each box on the network, as well as running the general diagnostic stuff on each machine.

If the target is a provider, you can also gain loads of info about the sysadmin by watching what machine he is coming from. This can be done from the outside, primarily by using finger and rusers. To avoid the possibility of finger queries raising any flags, use a finger gateway. Find a site that runs a finger service - the cgi-bin/finger program - and use that for any finger queries to obscure your address.
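The article mentions that finger queries can "raise flags". The script below, added here as an example and not part of the original article or of SWAT, shows what raising that flag looks like on the admin's side: it parses a constructed syslog excerpt (tcp_wrappers-style "connect from" lines for inetd services plus simplified rusersd/mountd lines; the hostnames, daemon names, log layout and TEST-NET addresses are all assumptions made up for the example) and flags any source address that, within one ten-minute window, touches several of the recon services named above (finger, rusers, showmount, rpcinfo) or the same service on several hosts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog excerpt (not from the original article). The
# "connect from" lines mimic tcp_wrappers-style entries for inetd services;
# the rpc.* lines are simplified stand-ins for rusersd/mountd logging.
SAMPLE_LOG = """\
Feb 10 09:12:01 shell in.fingerd[2211]: connect from 203.0.113.7
Feb 10 09:12:03 news in.fingerd[2212]: connect from 203.0.113.7
Feb 10 09:12:09 mail in.fingerd[2213]: connect from 203.0.113.7
Feb 10 09:13:40 shell rpc.rusersd[2301]: request from 203.0.113.7
Feb 10 09:14:02 shell rpc.mountd[2350]: export list request from 203.0.113.7
Feb 10 09:20:15 shell in.fingerd[2400]: connect from 198.51.100.20
Feb 10 10:45:00 shell in.ftpd[2500]: connect from 192.0.2.33
"""

# Daemons whose traffic from outside the network is mostly reconnaissance
# (names are assumptions; adjust to whatever your inetd/rpc daemons log as).
RECON_DAEMONS = {
    "in.fingerd": "finger",
    "rpc.rusersd": "rusers",
    "rpc.mountd": "showmount",
    "rpcbind": "rpcinfo",
}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<daemon>[\w.]+)\[\d+\]: .*?from (?P<src>\d+(?:\.\d+){3})$"
)


def parse_line(line, year=1999):
    """Return (timestamp, host, daemon, src_ip), or None for lines we don't understand.

    Syslog lines carry no year, so one is supplied by the caller.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["daemon"], m["src"]


def recon_activity(log_text, window_seconds=600):
    """Group recon-service hits per source address and flag the noisy ones.

    A source is flagged if, inside any sliding window of `window_seconds`,
    it hits two or more distinct hosts or two or more distinct recon services.
    Non-recon daemons (ftp, smtp, ...) are ignored entirely.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, daemon, src = parsed
        service = RECON_DAEMONS.get(daemon)
        if service is None:
            continue
        hits[src].append((ts, host, service))

    report = {}
    for src, events in hits.items():
        events.sort()
        flagged = False
        for i, (t0, _, _) in enumerate(events):
            # Every event from i onward that falls inside the window starting at t0.
            window = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_seconds]
            hosts_in_window = {h for _, h, _ in window}
            services_in_window = {s for _, _, s in window}
            if len(hosts_in_window) >= 2 or len(services_in_window) >= 2:
                flagged = True
                break
        report[src] = {
            "hosts": sorted({h for _, h, _ in events}),
            "services": sorted({s for _, _, s in events}),
            "flagged": flagged,
        }
    return report


if __name__ == "__main__":
    for src, info in recon_activity(SAMPLE_LOG).items():
        mark = "RECON?" if info["flagged"] else "ok"
        print(f"{src:15} {mark:6} hosts={info['hosts']} services={info['services']}")
```

On the sample, 203.0.113.7 is flagged (three hosts fingered in seconds, then rusers and showmount against the same box), the single finger from 198.51.100.20 is reported but not flagged, and the ftp connection is never counted. The finger gateway the article recommends does not defeat this: the queries still arrive in a burst across several hosts, only now they correlate against the gateway's address rather than the querier's, which is itself a useful thing for an admin to notice.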