Anti-Hacker Tool Kit, Third Edition
| < Day Day Up > |
|
Before they can do any real harm to you, your computers, or your network, hackers have to do their homework. As we point out several times in this book, information gathering is an essential first step of a hacker’s attack plan. Although many of the tools throughout this book can be used to gather important information about a system or network, the tools in this chapter are fundamental and lay the groundwork for more sophisticated tools.
Whois/Fwhois
Whois and fwhois are extremely simple but useful tools that query particular “whois” databases for information about a domain name or an IP address.
Whois servers are databases that are maintained by domain name authorities around the world. A whois database can contain a plethora of information, but typically it contains such information as location, contact information, and IP address ranges for every domain name under its authority.
Whois tools are usually installed by default on most Unix distributions. For Windows systems, many of the port scanning tools discussed in Chapter 4 include whois querying capabilities, such as NetScanTools and SuperScan.
Implementation
The whois command itself is simple. The command takes the hostname of a whois server on the command line using a –h flag. The rest of the command indicates the query we wish to send. The fwhois command (found on Linux systems) has the query specified first, with the optional @whois_server specified at the end.
The following two commands are the same:
bash% whois –h whois.alldomains.com yahoo.com
is the same as
bash% fwhois yahoo.com@whois.alldomains.com
The default whois server is usually whois.internic.net or whois.crsnic.net. We can run a whois without specifying a whois server to get basic information about the domain:
bash-2.03$ whois yahoo.com Whois Server Version 1.3 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. YAHOO.COM.TW YAHOO.COM.SG YAHOO.COM.BR YAHOO.COM.AU YAHOO.COM To single out one record, look it up with "xxx", where xxx is one of the of the records displayed above. If the records are the same, look them up with "=xxx" to receive a full display for each record.
In this example, we’ve discovered several matches for “yahoo.com.” To obtain further information, we need to put an equal sign in front of our target.
bash-2.03$ whois "=YAHOO.COM" Whois Server Version 1.3 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. Domain Name: YAHOO.COM Registrar: ALLDOMAINS.COM INC. Whois Server: whois.alldomains.com Referral URL: http://www.alldomains.com Name Server: NS1.YAHOO.COM Name Server: NS5.YAHOO.COM Name Server: NS2.YAHOO.COM Name Server: NS3.YAHOO.COM Name Server: NS4.YAHOO.COM Status: REGISTRAR-LOCK Updated Date: 13-may-2003 Creation Date: 18-jan-1995 Expiration Date: 19-jan-2012
This tells us the name servers authoritative for the domain and when the record was last updated, but it doesn’t give us information such as location or contacts. Thankfully, there’s a referral to another whois server that should have this information. So if we try whois –h whois.alldomains.com yahoo.com, we should receive the same information we received here, as well as contact and location information.
Registrant: Yahoo! Inc. (DOM-272993) 701 First Avenue Sunnyvale CA 94089 US Domain Name: yahoo.com Registrar Name: Alldomains.com Registrar Whois: whois.alldomains.com Registrar Homepage: http://www.alldomains.com Administrative Contact: Domain Administrator (NIC-1382062) Yahoo! Inc. 701 First Avenue Sunnyvale CA 94089 US domainadmin@yahoo-inc.com +1.4083493300 Fax- +1.4083493301 Technical Contact, Zone Contact: Domain Administrator (NIC-1372925) Yahoo! Inc. 701 First Avenue Sunnyvale CA 94089 US domainadmin@yahoo-inc.com +1.4083493300 Fax- +1.4083493301 Created on..............: 1995-Jan-18. Expires on..............: 2012-Jan-19. Record last updated on..: 2003-Apr-07 10:42:46. Domain servers in listed order: NS4.YAHOO.COM 63.250.206.138 NS5.YAHOO.COM 216.109.116.17 NS1.YAHOO.COM 66.218.71.63 NS2.YAHOO.COM 66.163.169.170 NS3.YAHOO.COM 217.12.4.104
There’s a lot of information here! And we have e-mail addresses for both the technical and administrative contacts. Notice, however, that Yahoo! has been clever and has not put any real people’s names in its list of contacts. This makes it more difficult for hackers to use social engineering tactics against them. If a hacker knows the name and address of an organization’s administrator, he might be able to use that information to coax other members of the organization into revealing information they normally wouldn’t, either by masquerading as the administrator or claiming that he’s working for the administrator.
Is it a good idea to have all this information publicly available? Well, much of it is necessary to keep the Internet running. And from an administrative standpoint, if we’re being port scanned or attacked by “somesystem.some_loser.org,” this information allows us to contact the SomeLoser organization and complain. But what if we don’t have a hostname in our logs? What if we have only an IP address? Thankfully, there’s a whois server that handles IP-based queries.
We want to know who owns the IP address 64.58.76.229. So we send a whois request to whois.arin.net.
bash-2.03$ whois -h whois.arin.net 64.58.76.229 Cable & Wireless DC2-1 (NET-64-58-64-0-1) 64.58.64.0 - 64.58.95.255 Yahoo EC17-1-YAHOO1 (NET-64-58-76-0-1) 64.58.76.0 - 64.58.79.255
The entire network block containing this address is owned by Cable & Wireless, but the network this IP belongs to is owned by Yahoo!. We can use the contact in parentheses (in this case NET-64-58-76-0-1) to obtain information about the organization that owns this IP. To do this, we use the command whois –h whois.arin.net NET-64-58-76-0-1.
OrgName: Yahoo OrgID: YHOO Address: 701 First Avenue City: Sunnyvale StateProv: CA PostalCode: 94089 Country: US NetRange: 64.58.76.0 - 64.58.79.255 CIDR: 64.58.76.0/22 NetName: EC17-1-YAHOO1 NetHandle: NET-64-58-76-0-1 Parent: NET-64-58-64-0-1 NetType: Reallocated NameServer: NS1.YAHOO.COM NameServer: NS2.YAHOO.COM NameServer: NS3.YAHOO.COM NameServer: NS4.YAHOO.COM NameServer: NS5.YAHOO.COM Comment: RegDate: 2000-12-13 Updated: 2002-03-29 TechHandle: NA258-ARIN TechName: Netblock Admin, Netblock TechPhone: +1-408-349-7183 TechEmail: netblockadmin@yahoo-inc.com OrgTechHandle: NA258-ARIN OrgTechName: Netblock Admin, Netblock OrgTechPhone: +1-408-349-7183 OrgTechEmail: netblockadmin@yahoo-inc.com
Following is a list of popular whois servers and their purposes. Chances are that if these servers don’t know about your domain name or IP, one of them will be able to tell you who does.
Server | Purpose |
---|---|
whois.internic.netwhois.crsnic.net | Default whois servers—launching point for many other whois queries |
whois.publicinterestregistry.net | New whois authority for .org domain names |
whois.networksolutions.com | Server for customers who registered their domain names with Network Solutions |
whois.opensrs.net | Another popular domain name registration service |
whois.alldomains.com | Yet another popular registrar |
whois.arin.net | Server from the American Registry for Internet Numbers—does IP-based whois queries |
whois.apnic.net | Server for Asia Pacific Network Information Center Whois Database |
whois.ripe.net | Réseaux IP Européens—handles most of Europe |
whois.ripn.net | Russian Network Information Center (for .ru and .su) |
whois.nic.gov | US Government whois server (for .gov) |
whois.nic.mil | Military (DOD) whois server (for .mil) |
More recent versions of whois are much more sophisticated than older versions. For one, whois will now try to identify the proper whois server depending on the target you provide. It does this by using the special whois-servers.net domain. The DNS entries for this domain are actually pointers to whois servers. For example, com.whois-servers.net points to whois.crsnic.net, and org.whois-servers.net points to whois.publicinterestregistry.net. Each top-level domain (.com, .org, .net, and so on) has an alias that points to the proper authoritative whois server. This keeps users from having to remember all of the specific whois server information we just discussed! Additionally, whois will scan the output it receives from the default whois server looking for a referral (such as whois.alldomains.com in our yahoo.com example) and automatically perform the same whois query with the referral server. Whois on FreeBSD even has command-line arguments to save typing (such as using –a as a shortcut for –h whois.arin.net).
| < Day Day Up > |
|