
IP Addresses: Your Identity on the Internet

IP ADDRESSES TORN APART


Every system connected to the Internet, or to a particular network, has a unique Internet Protocol Address or IP Address. Just as in the real world every person has his or her own home contact address, every system connected to the Internet has its own unique IP Address. Your IP Address is the address to which data should be sent to ensure that it reaches your system. The IP Address of a system acts as the system's unique identity on the net. One of my earlier manuals described an IP Address in the following words: "Like in the real world everyone has got an individual home address or telephone number so that that particular individual can be contacted on that number or address, similarly all computers connected to the Internet are given a unique Internet Protocol or IP address which can be used to contact that particular computer." Now that we know what exactly an IP Address is, let us move on to the structure of IP Addresses.

IP Addresses: Their Structure

An Internet Address (IP Address) is a 32-bit address or number, which is normally written as four decimal numbers (of 8 bits each), each separated from the other by a dot. This standard is known as the dotted-decimal notation. For example, a typical IP Address would be as follows: 202.34.12.23

It can be further broken down as:

202 representing the first 8 bits.
34 representing the next 8 bits.
12 representing the third 8 bits.
23 representing the fourth 8 bits.

Thus when considered together 202.34.12.23 represents 32 bits. So basically we can conclude that each decimal in an IP Address represents 1 byte or 8 bits. It is important to note that each decimal in an IP Address can only contain numbers from 0 to 255. There are a huge number of IP Addresses in use in the present-day wired age. All these IP Addresses have some sort of relation with each other, and each individual IP Address can reveal a lot of secrets about the network of which it is a part.
Before we move on to that, we need to understand the fact that all IP Addresses being used are divided into a number of ranges, which are as follows:

Class   Range
A       0.0.0.0 to 127.255.255.255
B       128.0.0.0 to 191.255.255.255
C       192.0.0.0 to 223.255.255.255
D       224.0.0.0 to 239.255.255.255
E       240.0.0.0 to 247.255.255.255

We can easily conclude that one can find out the Class to which an IP Address belongs simply by comparing the numeral before the first decimal of the IP Address with the above table. For example:

In the IP Address 203.43.21.12, the number before the first decimal is 203, and the above table tells us that it belongs to Class C of the range of IP Addresses. The various IP Addresses are divided into the different classes on the basis of the structure of their network, or in other words on the basis of what the various numbers separated by decimals actually stand for. To understand this, let us refer to the following:

Class   Information
A       It has the first 8 bits for Netid and the last 24 bits for Hostid.
B       It has the first 16 bits for Netid and the last 16 bits for Hostid.
C       It has the first 24 bits for Netid and the last 8 bits for Hostid.
D       It represents a 32-bit multicast Group ID.
E       Currently not being used.

The above table will be clearer after reading the following examples:

Examples: An IP Address 203.45.12.34 belonging to Class A means that the network ID is 203 and the host ID is 45.12.34. If the same IP Address belonged to Class B, then the network ID would become 203.45 and the host ID would become 12.34. And if it belonged to Class C, then the network ID would become 203.45.12 and the host ID would become 34.

Almost all ISPs prefer to use a Class B network. If that is the case, then each time you log in to your ISP the first 2 octets of your IP Address would not change, while the last two are likely to change. However, even if only the last octet changes, and the remaining three remain constant, it is likely that the ISP uses Class B addressing. (In such cases a concept called Subnetting comes in, which is explained later in this book.)

*****************
HACKING TRUTH: How do you find out the IP Address of your own system? In order to get your own IP Address all you have to do is follow the below process:

1. Connect to the Internet.
2. Launch MSDOS.
3. Type: netstat -n at the prompt.

You will get an output similar to the below:

C:\WINDOWS>netstat -n

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    203.94.253.183:1025    64.4.13.56:1863        ESTABLISHED
  TCP    203.94.253.183:1031    209.143.242.119:80     ESTABLISHED

The IP Address shown under the Local Address field denotes the IP Address of your system.
*****************

An IP Address which belongs to the Class A addressing system and has a network ID equal to 127 is referred to as the special address. It is actually known as the Loopback Interface. It allows clients and servers on the same system to communicate with each other. The loopback address which is commonly used is 127.0.0.1. Almost all systems have also given the loopback address the special name localhost.

Till now we learnt that an IP Address is a decimal notation of a computer's address in the wired world. However, the address of a computer does not necessarily have to be in the decimal notation form. We will learn about the various forms of an IP Address in the following section.

IP Addresses: Their Various Forms

An IP Address does not necessarily have to be represented in the dotted-decimal form. There is more than a single way in which one can represent an IP Address. Some of these are as follows:

1. Decimal System: If an IP Address is being represented in the Decimal system, then it means that it is being represented in the Base 10 system. The normal IP Addresses are represented in the Decimal System. Example: 216.115.108.245

2. Domain Name System: If an IP Address is being represented in the form of human-recognizable characters and names, then it is said to be in the form of the DNS system. Example: www.yahoo.com

3. DWORD Format: DWORD is short for double word. It basically consists of two binary "words" (or lengths) of 16 bits. However, it is almost always represented in the decimal number system, i.e. having a base 10. Example: D8736CF5, which when represented in the decimal number system with a Base 10 becomes 3631443189

4. Octal System: If an IP Address is represented in the octal system, then it means that it is being represented in Base 8. Example: 33034666365

5. Hexadecimal System: If an IP Address is represented in the Hexadecimal System, then it is actually being represented in the Base 16 system.

6. A Cross Breed: If an IP Address is being represented in a mixture of any two of the above systems, then it is said to be a Cross Breed.

All the examples portrayed above are some form or the other of the same address of the same system. What I mean to say by this is that typing any of the following in your browser will take you to the same site: www.yahoo.com, 3631443189, 33034666365 and 216.115.108.245. The binary form of this address, which is 11011000011100110110110011110101, may also work with certain applications.

NOTE: Please note that not all of the above work in all browsers. And if you or your ISP has a proxy or a firewall installed, then some of the above may not work. The author does not hold any responsibility for failure of any of the above to work.

Now that you have seen the various forms in which an IP Address can be represented, let us move on to how one can convert the domain name into the above different forms. To understand how the conversion works, let us take www.yahoo.com as the example domain. The first step in our quest to represent www.yahoo.com in various forms of IPs is to get its normal dotted-decimal IP Address. One can easily get the IP Address of a domain by various methods like WHOIS, netstat, ping, traceroute etc.

In this manual, I have used ping to get the IP:

C:\WINDOWS>ping yahoo.com

Pinging yahoo.com [216.115.108.245] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

The above output clearly shows that the IP Address of our example target system is 216.115.108.245. Now that we have the IP Address, let us move on to converting it into other forms. In order to convert a dotted-decimal IP Address into its DWORD equivalent, one has to consider each number separated from the other numbers by a decimal separately. So, in effect, 216.115.108.245 is broken down into:

216.115.108.245 = 216 115 108 245

First, one has to convert the above decimals into their hexadecimal equivalents. This can easily be done by referring to the below Decimal into Hexadecimal chart (or vice versa). The column heading gives the first hex digit and the row heading the second, and the cell holds the decimal value; for example, D8 is found in column D, row 8, and equals 216:

      0   1   2   3   4   5   6   7   8   9   A   B   C   D   E   F
0   000 016 032 048 064 080 096 112 128 144 160 176 192 208 224 240
1   001 017 033 049 065 081 097 113 129 145 161 177 193 209 225 241
2   002 018 034 050 066 082 098 114 130 146 162 178 194 210 226 242
3   003 019 035 051 067 083 099 115 131 147 163 179 195 211 227 243
4   004 020 036 052 068 084 100 116 132 148 164 180 196 212 228 244
5   005 021 037 053 069 085 101 117 133 149 165 181 197 213 229 245
6   006 022 038 054 070 086 102 118 134 150 166 182 198 214 230 246
7   007 023 039 055 071 087 103 119 135 151 167 183 199 215 231 247
8   008 024 040 056 072 088 104 120 136 152 168 184 200 216 232 248
9   009 025 041 057 073 089 105 121 137 153 169 185 201 217 233 249
A   010 026 042 058 074 090 106 122 138 154 170 186 202 218 234 250
B   011 027 043 059 075 091 107 123 139 155 171 187 203 219 235 251
C   012 028 044 060 076 092 108 124 140 156 172 188 204 220 236 252
D   013 029 045 061 077 093 109 125 141 157 173 189 205 221 237 253
E   014 030 046 062 078 094 110 126 142 158 174 190 206 222 238 254
F   015 031 047 063 079 095 111 127 143 159 175 191 207 223 239 255

Thus we get:

216 = D8
115 = 73
108 = 6C
245 = F5

As a result, 216.115.108.245 = D8736CF5

It is important to note that D8736CF5 is the Hex equivalent of our IP and would always be an eight-character-long representation; however, as a DWORD value is represented in the base-10 system, we also need to convert it into the Decimal form. In order to do so, we need to follow the below process:

1. Click on Start > Programs > Accessories > Calculator.
2. Click on View > Scientific.
3. Now, select Hex from the right top corner and type in D8736CF5 in the field.
4. Then click on Dec (Decimal). You will find that the value that you typed in would have changed to: 3631443189.

Thus you now have the DWORD value represented in the Base-10 system. Typing www.yahoo.com or 3631443189 or 216.115.108.245 in your browser would all take you to the same site. For all those of you to whom the above process seems to be extremely cumbersome, the following PERL script too would do the same process, however, with fewer calculations:

_____________________________
#!/usr/bin/perl
# By Ben H. Originally by neeko.
# Usage: dword.pl [ -q | --quiet ] host/ip
#
use strict;
use warnings;
use Socket;         # for gethostbyname()
use Math::BigInt;   # so it fits..

my ($quiet, $name, @ip);   # get some vars started.

if ( $#ARGV < 0 ) {
    print "Usage: $0 [-q | --quiet] host\n";
    exit;
}
if ( $ARGV[0] =~ /^(-q|--quiet)$/ ) {
    $quiet = 1;
    $name  = $ARGV[1];
} else {
    $name = $ARGV[0];
}

my @host = gethostbyname( $name );   # get the ip, if a hostname is used
die "$0: cannot resolve $name\n" unless @host;
my $foo = $host[4];                  # the address as a packed 4-byte string

# This parses the result of gethostbyname into the four octets
for my $n (1..4) {
    $ip[$n] = ord( substr( $foo, ($n-1), 1 ) );
}
if ( !$quiet ) {
    print "$name = $ip[1].$ip[2].$ip[3].$ip[4] = ";
}
# Weight each octet by 256 raised to its position from the right (256^3 .. 256^0)
for my $n (1..4) {
    $ip[$n] = $ip[$n] * ( 2 ** ( ( 3 - ($n-1) ) * 8 ) );
}
my $dword = $ip[1] + $ip[2] + $ip[3] + $ip[4];
print "$dword\n";
exit;

____________________________
*******************
HACKING TRUTH: One can arrive at the DWORD in the base-10 value by the following mathematical formula too:

IP Address: 216.115.108.245 (found out above)
Value of DWORD in Base-10 system: 3631443189 (calculated)

216 * (256)^3 = 216 * 16777216 = 3623878656
115 * (256)^2 = 115 * 65536    = 7536640
108 * (256)^1 = 108 * 256      = 27648
245 * (256)^0 = 245 * 1        = 245

Adding the last column we get: 3631443189, which is equal to the DWORD value that we calculated earlier.
*****************

Without closing the Windows Calculator, one can get the various other forms of the same IP Address (216.115.108.245) by simply selecting the corresponding number system. To get the Binary form of the IP Address, one needs to follow the below process:

1. Click on Start > Programs > Accessories > Calculator.
2. Click on View > Scientific.
3. Now, select Hex from the right top corner and type in D8736CF5 in the field.
4. Then click on Bin (Binary). You will find that the value that you typed in would have changed to: 11011000011100110110110011110101.

Please note that most browsers do not accept IP Addresses in Binary. The only way to use them would be by converting them to their Decimal form, which would actually be nothing but the DWORD form represented in the base-10 system. To get the Octal form of the IP Address (216.115.108.245), one needs to follow the below process:

1. Click on Start > Programs > Accessories > Calculator.
2. Click on View > Scientific.
3. Now, select Dec and type in the first part of the IP Address, i.e. 216.
4. Now, select Oct; this will give you the octal equivalent (i.e. 330) of the first part of the IP Address.
5. Note this down somewhere and follow the process for all parts of the IP Address.

Thus 216.115.108.245 would become:

216 = 330
115 = 163
108 = 154
245 = 365

When you type the Octal equivalent of the IP Address in your browser, you have to precede each field with a 0. Thus in our example:

http://216.115.108.245 becomes http://0330.0163.0154.0365

One could also have used the below chart for the conversion process. As in the hexadecimal chart, the column heading is the first hex digit of the value and the row heading the second, and the cell holds its octal equivalent (D8 = 216 is in column D, row 8, and reads 330):

      0   1   2   3   4   5   6   7   8   9   A   B   C   D   E   F
0   000 020 040 060 100 120 140 160 200 220 240 260 300 320 340 360
1   001 021 041 061 101 121 141 161 201 221 241 261 301 321 341 361
2   002 022 042 062 102 122 142 162 202 222 242 262 302 322 342 362
3   003 023 043 063 103 123 143 163 203 223 243 263 303 323 343 363
4   004 024 044 064 104 124 144 164 204 224 244 264 304 324 344 364
5   005 025 045 065 105 125 145 165 205 225 245 265 305 325 345 365
6   006 026 046 066 106 126 146 166 206 226 246 266 306 326 346 366
7   007 027 047 067 107 127 147 167 207 227 247 267 307 327 347 367
8   010 030 050 070 110 130 150 170 210 230 250 270 310 330 350 370
9   011 031 051 071 111 131 151 171 211 231 251 271 311 331 351 371
A   012 032 052 072 112 132 152 172 212 232 252 272 312 332 352 372
B   013 033 053 073 113 133 153 173 213 233 253 273 313 333 353 373
C   014 034 054 074 114 134 154 174 214 234 254 274 314 334 354 374
D   015 035 055 075 115 135 155 175 215 235 255 275 315 335 355 375
E   016 036 056 076 116 136 156 176 216 236 256 276 316 336 356 376
F   017 037 057 077 117 137 157 177 217 237 257 277 317 337 357 377
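The conversions worked through above (dotted decimal, DWORD, octal with any number of leading zeros, hex and the cross breed) in both directions, plus the check a defender actually needs: a canonicalizer that reduces every spelling to one dotted-decimal form so that an allow-list, proxy rule or log filter compares addresses and not spellings. This is an added Python example, not code from the manual; it follows the component rules of the inet_aton() function (a 0x prefix is hex, a leading 0 is octal, otherwise decimal, and the last component fills all remaining bits), so the whole-address octal spelling is written with a leading 0.

```python
import re

# Component grammar of inet_aton(): "0x" prefix is hex, a leading 0 is octal, else decimal.
_COMPONENT = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def parse_component(text):
    """Convert one dot-separated component to an integer using the inet_aton rules."""
    if not _COMPONENT.match(text):
        raise ValueError(f"malformed component {text!r}")
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)          # any number of leading zeros still means octal
    return int(text, 10)


def to_dotted(value):
    """Render a 32-bit integer as canonical dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonicalize(text):
    """Return (dotted_decimal, was_already_canonical) for any inet_aton-style spelling.

    Like inet_aton, 1 to 4 components are accepted; every component but the last is one
    octet, and the last component fills all the remaining bits (so "216.7564533" is valid).
    """
    text = text.strip()
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("expected 1 to 4 components")
    values = [parse_component(p) for p in parts]
    for v in values[:-1]:
        if v > 0xFF:
            raise ValueError(f"octet {v} out of range")
    tail_bits = 8 * (5 - len(parts))
    if values[-1] >= (1 << tail_bits):
        raise ValueError(f"last component {values[-1]} does not fit in {tail_bits} bits")
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    number = (number << tail_bits) | values[-1]
    dotted = to_dotted(number)
    return dotted, dotted == text


def representations(dotted):
    """Produce the alternative spellings of a dotted-decimal address discussed above."""
    octets = [int(o) for o in dotted.split(".")]
    # The DWORD: 256^3 * a + 256^2 * b + 256 * c + d, exactly the formula worked above.
    dword = sum(o << (8 * (3 - i)) for i, o in enumerate(octets))
    return {
        "dword": str(dword),
        "hex": "0x%08X" % dword,
        "hex_dotted": ".".join("0x%02X" % o for o in octets),
        "octal": "0%o" % dword,
        "octal_dotted": ".".join("0%o" % o for o in octets),
        "binary": format(dword, "032b"),
    }


def flag_noncanonical(hosts):
    """Return [(original, canonical)] for hosts written in a non-canonical numeric form.

    Names that are not numeric addresses at all are skipped; this is the normalisation an
    allow-list or proxy filter needs before comparing a destination against its list.
    """
    flagged = []
    for host in hosts:
        try:
            canonical, is_canonical = canonicalize(host)
        except ValueError:
            continue
        if not is_canonical:
            flagged.append((host, canonical))
    return flagged


# Constructed sample: the spellings of 216.115.108.245 from the worked example above.
SAMPLE_HOSTS = [
    "www.yahoo.com",
    "216.115.108.245",
    "3631443189",
    "033034666365",
    "0330.0163.0154.0365",
    "000330.000163.000154.000365",
    "0xD8.0x73.0x6C.0xF5",
    "0xD8736CF5",
    "0xD8.115.0154.245",
]

if __name__ == "__main__":
    for original, canonical in flag_noncanonical(SAMPLE_HOSTS):
        print(f"{original:>30} -> {canonical}")
```

Under these rules a number without a leading 0 is decimal, so 33034666365 written without the 0 exceeds 32 bits and is rejected; only 033034666365 is read as octal.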

********************
HACKING TRUTH: In an Octal IP Address there can be any number of zeros preceding the numbers, without resulting in a change in the address of the remote system. This means that http://0330.0163.0154.0365 can also be written as http://000330.000163.000154.000365
*******************

Typing www.yahoo.com or 3631443189 or 216.115.108.245 or http://0330.0163.0154.0365 in your browser would all take you to the same site.

One could also represent an IP Address in its Hexadecimal form. Remember the Hex value that we obtained while converting 216.115.108.245 into its DWORD equivalent? Well, in this case we make use of that same value. We had calculated that:

216.115.108.245 = D8736CF5

Now, when we write an IP Address in Hexadecimal form, we do so by writing the following (preceding each value with 0x, which denotes that the following value is in Hexadecimal):

http://0xD8.0x73.0x6C.0xF5

The above could also be written as:

http://0xD8736CF5

NOTE: Most versions of Netscape do not support Hexadecimal IP Addresses.

Thus, typing www.yahoo.com or 3631443189 or 216.115.108.245 or http://0330.0163.0154.0365 or http://0xD8.0x73.0x6C.0xF5 or http://0xD8736CF5 in your browser would all take you to the same site. You can create a cross breed by combining any one or more of the above formats. However, one has to keep in mind the browser compatibility while doing so.

Subnet Addressing Torn Apart

Till now we have learnt that the IP Address of every host connected to the Internet is divided into two parts:

1. The Network ID (netid)
2. The Host ID (hostid)

The number of octets or bits allocated to the netid and the hostid parts depends on the class or the range to which the IP Address belongs. For example, if an IP Address belongs to Class A, then the first 8 bits are allocated to the netid part, while the remaining 24 bits are allocated to the hostid part. However, with the introduction of Subnet Addressing, a new division is introduced which divides an IP Address into 3 parts:

1. The Network ID (netid)
2. The Host ID (hostid)
3. The Subnet ID (subnetid)

The introduction of Subnet Addressing not only hides the organizational structure of the internal network, but also prevents the wastage of IP Addresses. Typically, an IP Address belonging to Class B will be divided in the following manner:

First 16 bits ----- Network ID
Last 16 bits ----- Host ID

Such a division provides for 2^16 - 2 hosts to be attached to that particular network. However, such a large number of hosts are seldom attached to the same network. Thus the practice of not using Subnet Addressing leads to the wastage of IP Addresses.

********************
HACKING TRUTH: Please note that we subtract the 2 because a system with a Host ID of 0 or 255 is invalid, i.e. a host ID value of 0 or 255 cannot be allocated to a system, as both are reserved for special usage. For example, a host ID value of 0 is usually used for routers.
********************

But, after subnetting, the IP Address would typically look as follows:

First 16 bits ------- Network ID
Next 8 bits ---------- Subnet ID
Next 8 bits ---------- Host ID

This allows for the usage of 254 hosts per subnet, on each of the 254 subnets possible.

NOTE: I have used 8 bits for the Subnet ID in this example. However, we can allocate as many bits as we want to the Subnet ID part.

Netmask Values

A netmask value is a 32-bit value containing one bits (255s) for the network ID and zero bits (0s) for the host ID. Using the netmask value one can easily determine how many bits are reserved for the net ID and how many bits for the host ID. In other words, we can also say that by studying the netmask value of an IP Address we can determine the Class to which the IP Address belongs. One can find out the netmask value of an IP Address by giving the following command:

NOTE: For information on the route command and its working, read the section on Routing Principles Made Easy.

C:\WINDOWS>route PRINT

Active Routes:

  Network Address    Netmask          Gateway Address   Interface   Metric
  127.0.0.0          255.0.0.0        127.0.0.1         127.0.0.1   1
  203.94.53.12       255.255.0.0      203.94.0.0        0.0.0.0     1
  202.21.87.43       255.255.255.0    202.21.87.0       0.0.0.0     1

Let us examine the output line by line. The first line says:

  Network Address    Netmask          Gateway Address   Interface   Metric
  127.0.0.0          255.0.0.0        127.0.0.1         127.0.0.1   1

In this case the netmask has a value of 255.0.0.0, which means that the first octet contains all one bits (255s), while the last three octets contain all zero bits (0s). In other words, it signifies that the first octet is the network ID (as it contains only one bits) while the last three octets are reserved for the host ID (as they contain only zero bits). Hence, the IP Address 127.0.0.1 is a Class A Internet Protocol Address with 127 being the netid and .0.0.0 being the host ID. Coming to the second line, we have a netmask value of 255.255.0.0, which means that the first two octets are the network ID parts (i.e. 203.94) while the last two octets are the host ID parts (i.e. 53.12). It also tells us that the IP Address belongs to Class B of addresses. Similarly, in the last case the netmask value of 255.255.255.0 means that the address 202.21.87.43 belongs to Class C of addresses, with the network ID being 202.21.87 and the host ID being 43.

******************
HACKING TRUTH: If your prime aim is to find the Class of addresses to which an IP belongs, you need not follow the above process. By simply knowing an IP Address and comparing it with the Class-Range Chart below, we can easily determine the Class to which it belongs:

Class   Range
A       0.0.0.0 to 127.255.255.255
B       128.0.0.0 to 191.255.255.255
C       192.0.0.0 to 223.255.255.255
D       224.0.0.0 to 239.255.255.255
E       240.0.0.0 to 247.255.255.255
*****************

To recapitulate, we can say that the prime usage of a netmask is to determine the Class of addresses to which an IP Address belongs.

Subnet Mask Explained

Just like the Netmask, the Subnet Mask too is a 32-bit value containing one bits (255s) for the network ID and subnet ID, while zero bits (0s) for the host ID. The Subnet Mask, when used together with the Netmask, can be used to determine exactly how many bits are allocated for the Network ID, Host ID and Subnet ID. Let us take an example to make this clearer.

Assume the following data for this exercise:

IP Address: 202.12.34.77
Netmask: 255.255.0.0
Subnet Mask: 255.255.255.0

According to the netmask value, the first two octets are reserved for usage by the network ID, while the last two octets are reserved for the host ID. Thus, we can now break down 202.12.34.77 into:

Net ID: 202.12
Host ID: 34.77

This particular IP Address has a subnet mask of 255.255.255.0, which means that the first three octets are to be used for the Net ID and the Subnet ID, while the last octet is used by the Host ID. Using this information, we can break down 202.12.34.77 into:

Net ID and Subnet ID: 202.12.34
Host ID: 77

However, earlier we determined that the net ID is 202.12; thus, combining all the above information, we can finally divide 202.12.34.77 into:

Net ID: 202.12
Subnet ID: 34
Host ID: 77

To recapitulate, we can say that the Netmask gives us the boundary between the Host ID and the Network ID, while the Subnet Mask gives us the boundary between the Network ID and the Subnet ID.

Whenever you connect to your ISP, you are allocated a dynamic IP Address (almost always), which changes each time you reconnect. In order to determine your IP Address, Class of Addressing, host ID, network ID and Subnet ID, simply follow the below process. Firstly, in order to find the IP Address of my system, I first connect to my ISP and use the netstat command:

C:\WINDOWS>netstat -n

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    203.94.253.183:1025    64.4.13.56:1863        ESTABLISHED
  TCP    203.94.253.183:1031    209.143.242.119:80     ESTABLISHED

This gives me my dynamic IP Address, which is 203.94.253.183. Using the Class-Range chart I deduce that my IP Address is using Class B addressing, which would mean that my netmask is probably 255.255.0.0. All that I need to know now, in my quest to break apart my IP Address, is my Subnet Mask. In order to find the Subnet Mask of a Windows system, one needs to follow the below process:

1. Click on Start > Run.
2. Type winipcfg in the space provided.
3. The IP Configuration dialog box pops up. This useful utility reveals your IP Address and Subnet Mask along with other useful information.

When I tried this out on my system, it gave me a Subnet Mask of 255.255.255.0. Combining this value with a Netmask value of 255.255.0.0, we come to the following information:

IP Address: 203.94.253.183
Class of Addressing: Class B
Network ID: 203.94
Subnet ID: 253
Host ID: 183
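The netmask and subnet-mask breakdown above, done with bit operations instead of by eye. This is an added Python example, not the manual's code: the class comes from the leading bits of the first octet (the RFC 791 rule, which gives the same answer as the Class-Range chart for classes A to C, so 203.x.x.x lands in Class C exactly as the chart says for 203.43.21.12), the netmask is passed in explicitly wherever the text assumed one, and the subnet mask may end on any bit boundary, not only an octet boundary.

```python
def to_int(dotted):
    """Dotted decimal to a 32-bit integer, rejecting anything that is not four octets."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def address_class(dotted):
    """Class from the leading bits of the first octet: 0 -> A, 10 -> B, 110 -> C, 1110 -> D."""
    first = to_int(dotted) >> 24
    if (first & 0x80) == 0x00:
        return "A"
    if (first & 0xC0) == 0x80:
        return "B"
    if (first & 0xE0) == 0xC0:
        return "C"
    if (first & 0xF0) == 0xE0:
        return "D"
    return "E"


# Classful netmasks: the netid/hostid split of the Class Information table above.
CLASSFUL_NETMASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def mask_length(mask):
    """Count the leading one bits of a mask; reject a non-contiguous one such as 255.0.255.0."""
    m = to_int(mask)
    ones = 0
    while ones < 32 and (m >> (31 - ones)) & 1:
        ones += 1
    if m != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"mask {mask} is not contiguous")
    return ones


def field_text(value, bits):
    """Show an octet-aligned field the way the text does (203.94, 253, 183), else as a number."""
    if bits > 0 and bits % 8 == 0:
        return ".".join(str((value >> s) & 0xFF) for s in range(bits - 8, -1, -8))
    return str(value)


def break_apart(ip, subnet_mask, netmask=None):
    """Split ip into Network ID, Subnet ID and Host ID.

    The netmask fixes the network/host boundary (classful by default); the subnet mask
    extends it, and the bits between the two masks form the Subnet ID.
    """
    cls = address_class(ip)
    netmask = netmask or CLASSFUL_NETMASK.get(cls)
    if netmask is None:
        raise ValueError(f"class {cls} addresses have no network/host split")
    n = to_int(ip)
    net_bits = mask_length(netmask)
    prefix = mask_length(subnet_mask)
    if prefix < net_bits:
        raise ValueError("subnet mask must cover at least the netmask")
    host_bits = 32 - prefix
    subnet_bits = prefix - net_bits
    network = n & ((0xFFFFFFFF << host_bits) & 0xFFFFFFFF)
    return {
        "class": cls,
        "netmask": netmask,
        "subnet_mask": subnet_mask,
        "network_id": field_text(n >> (32 - net_bits), net_bits),
        "subnet_id": field_text((n >> host_bits) & ((1 << subnet_bits) - 1), subnet_bits),
        "host_id": field_text(n & ((1 << host_bits) - 1), host_bits),
        "subnet_bits": subnet_bits,
        # Minus the all-zeros and all-ones host IDs, the "2^16 - 2" of the text.
        "usable_hosts": max((1 << host_bits) - 2, 0),
        "network_address": to_dotted(network),
        "subnet_broadcast": to_dotted(network | ((1 << host_bits) - 1)),
    }


if __name__ == "__main__":
    # The worked exercise above: netmask 255.255.0.0, subnet mask 255.255.255.0.
    for key, value in break_apart("202.12.34.77", "255.255.255.0", "255.255.0.0").items():
        print(f"{key:>17}: {value}")
```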

Special Case IP Addresses

There are several special IP Addresses, which are used only in certain special cases. It is in this section that we discuss them all briefly.

1. The Limited Broadcast IP Address: This special IP Address is most commonly used while setting up a system, when the system has little idea about its own IP Address and its own Subnet Address. Keeping in mind IP routing, packets addressed to this address are never forwarded by routers under any condition at all. The Limited Broadcast IP Address is: 255.255.255.255. It is also seen quite often in the routing tables of various systems. For more information on routing tables, read the section titled: Routing Principles Explained.

2. The Network-Directed Broadcast IP Address: This special IP Address has the host part made up of all 255s, while its network part is the same as that of the network to which it is applicable. A typical example is: 203.255.255.255, where the network part of the IP Address is 203, while the remaining part is the host address part. Almost all routers usually forward packets addressed to a Network-Directed Broadcast address.

3. The Subnet-Directed Broadcast IP Address: In such an IP Address, the host part of the address is represented by 255s, while the subnet part of the address stands for an actual subnet.

4. All-Subnets-Directed Broadcast IP Addresses: In such a special IP Address, both the host and the subnet part of the address are represented by 255s. The subnet mask of the network must be known wherever such an address is being used.

5. The Loopback IP Address: This special IP Address stands for the local host system. A packet addressed to the loopback address is actually addressed to the same local machine where it originated. In effect, both the source and destination IP Addresses point to the same system; however, their values might be different. All loopback addresses must have 127 as the network part. The most commonly used loopback address is: 127.0.0.1.

6. The Zeros IP Address: Typically the 0.0.0.0 IP Address is used as the Zeros IP Address. Mostly such an IP Address is seen in a system's log files. If you see packets being sent from the Zeros IP Address, then it means that the attacker is trying to fingerprint the target system, i.e. the system where the log files were examined.

Now that we know everything about IP Addresses, let us move on to more interesting stuff.

Obtaining the IP Address of a remote system


An attacker can obtain the IP Address of a remote system in a number of ways. Here we discuss some of the most popular techniques employed by attackers to do so and what countermeasures one could employ to foil their attempts. Some of the most popular methods are:

1. Obtaining the IP Address of the remote system through Instant Messaging Software.
2. Obtaining the IP Address of the remote system through HTTP and scripting methods.
3. Obtaining the IP Address of the remote system through Internet Relay Chat or IRC.
4. Obtaining the IP Address of the remote system through email headers.

The following is a detailed description of all the above methods and the countermeasures that one can employ against them.

Obtaining the IP Address of a person through Messaging Software

The most common method of getting the IP Address of other systems is through Instant Messaging Software like ICQ, MSN Messenger, Yahoo Messenger, AIM etc. In this manual we briefly discuss them all. I Seek You or ICQ is one of the most popular chatting software around. With it comes not only easy pastime, but also security concerns. ICQ has an inbuilt IP Address Hider, which when enabled is supposedly able to hide your IP from the users you are chatting with. However, like most IP hiding software, this too is nowhere near good. You can find out the IP Address of any ICQ user, even if IP Hiding has been enabled, by following the below process.

1.) Launch MSDOS and type netstat -n to get a list of already open ports and the IPs of the machines with which a connection has been established. Note down this list somewhere.
2.) Now, launch ICQ and send a message to the victim.
3.) While you are still chatting, go back to DOS and again give the netstat -n command. You will find a new IP signifying a new connection. This would be the IP Address of the victim.

This method of obtaining the IP Address of the person with whom you are chatting is quite common. However, it works only with ICQ and other select Instant Messengers. It certainly does not work with MSN Messenger and Yahoo Messenger etc. The main reason behind this is the difference in the working of ICQ and MSN Messenger. Let us assume that your IP Address is xx.xx.xx.xx and your friend's IP Address is yy.yy.yy.yy.

Case I (ICQ): Whenever you start a chat session with your friend in ICQ, a direct connection between you and your friend is opened by the ICQ software with the help of the ICQ server. Thus all messages that you type are sent in the following manner:

xx.xx.xx.xx ------------------ yy.yy.yy.yy
   (you)                         (friend)

And all the messages that your friend types reach you in the following manner:

yy.yy.yy.yy ------------------ xx.xx.xx.xx
  (friend)                        (you)

Thus a direct connection has been established between your system (xx.xx.xx.xx) and your friend's system (yy.yy.yy.yy). As a result, when you give the netstat -n command, you can obtain his IP Address.

Case II (MSN Messenger): Whenever you start a chat session with your friend in MSN Messenger, an indirect connection between you and your friend is opened via the MSN Server. Thus all messages that you type first go to the MSN server, which then forwards them to your friend, and vice versa. Communication takes place in the following manner:

xx.xx.xx.xx ------------------ MSN Server --------------- yy.yy.yy.yy
   (you)                                                    (friend)

And all the messages that your friend types reach you in the following manner:

yy.yy.yy.yy ----------------- MSN Server ----------------- xx.xx.xx.xx
  (friend)                                                    (you)

Thus, as an indirect connection has been established between your system (xx.xx.xx.xx) and your friend's system (yy.yy.yy.yy), giving the netstat -n command does not give you your friend's IP, but instead displays the IP Address of the MSN server.

Figure 9: The MSN Messenger establishes an indirect connection between you and your friend, via the MSN server.

The same is the case for Yahoo Messenger and also some other Messaging Software. However, even such utilities are vulnerable to giving away the IP Address of the target system on issuing the netstat -n command. All one has to do is (please note that I am using MSN Messenger as an example):

1. Get the victim to come online.
2. Then use the inbuilt File Transfer facility to send a file to the victim.
3. When he accepts the file transfer and the transfer starts, launch MSDOS and give the netstat -n command. This will reveal his IP because when files are being transferred, a direct connection exists between you and the victim. That is, there is no mediator MSN Server between you and the victim.

The same will work if you send a Request for a Call and the victim accepts it. For more information regarding the netstat command, read the section titled Netstat Torn Apart found in the latter part of this chapter.

Figure 10: When you send a file to your friend using MSN Messenger, a direct connection is established, which reveals either system's IP Address to the other.

Countermeasures

1. If you are using MSN Messenger to chat, then do not accept any File Transfers or Requests for a Call from people whom you do not trust. This will prevent people with malicious intent from getting a look at your IP Address.

2. Another thing that one could do, which is more effective, is to install a firewall on your system which does not respond to external packets coming from untrusted sources. However, the problem with such a setup is that it simply does not work and the attacker can still make use of the netstat command to get your IP Address. Also, a firewall configured in such a manner would filter out even normal chat conversations, thus nullifying the use of Instant Messengers. Thus, instead of making use of a firewall, it is advisable to try and connect to the chat server through a proxy server.

3. If you are looking for a foolproof countermeasure and if you are really particular about remaining anonymous while Instant Messaging, then you should probably stop chatting!!!

4. The best countermeasure against attackers trying to get your IP Address via Instant Messengers is to chat through a proxy server like Wingate. A proxy server acts as a buffer between you and the system on the other end. This means that all communication between you and the destination system takes place through this proxy server, which you use to connect to the destination system. As a result, if someone on the destination system tries to get your IP Address, then he would only be able to get the IP Address of the proxy server and not that of your system. For more information read the Proxies Torn Apart section, later in this chapter. Almost all Instant Messaging software allows the user to chat connecting via a proxy server. For example, if you are using MSN Messenger to chat with your friends, then you can connect via a proxy server by simply following the below steps:

a) Click on Tools > Options.
b) Click on the Connection tab.
c) Check the "I use a Proxy Server" option.
d) Enter the details of your proxy server in the space provided below and click on OK. (For more details as to what one should fill in these fields, kindly read the proxies section, found later in this chapter.)

Getting the IP Address of a person visiting your website

Besides Instant Messengers, there are other ways in which one can get someone else's IP Address. Say you have a site and want to get the IP Addresses of all the people who visit it. The web server itself sees the visitor's IP Address on every connection, so a server-side script (a Perl CGI script, for instance, reads it from the REMOTE_ADDR variable) can record them all to a file. The following client-side script instead shows the visitor his own address:

NOTE: The following shows the IP Address only in Netscape browsers with Java enabled, since it calls Java's InetAddress class through Netscape's LiveConnect bridge. Note also that getLocalHost() reports the address of the visitor's own machine; behind a proxy or NAT that is a private address, not the one the web server sees.

<HTML>
<BODY>
<SCRIPT>
var ip = java.net.InetAddress.getLocalHost();
var ipStr = new java.lang.String(ip);
document.writeln(ipStr.substring(ipStr.indexOf("/") + 1));
</SCRIPT>
</BODY>
</HTML>

Various scripting languages like Perl and JavaScript can be used to get not only the IP Address but various other kinds of information about the client system that visits your website. Everything from the Operating System, browser name and version, screen resolution and installed plug-ins can be read by a script running in the browser, and the ISP, country and city can be derived on the server side from the IP Address. The following script demonstrates what information one can get about a visitor to your website:
_________________________
<HTML>
<HEAD>
<TITLE>Hacking Truths---What They Don't Teach in Manuals: COPYRIGHT Ankit Fadia 2001</TITLE>
<SCRIPT LANGUAGE="JavaScript">
<!--
// Area of the browser window, read differently in IE and Netscape.
function getwindowsize() {
  if (navigator.userAgent.indexOf("MSIE") > 0) {
    var sSize = (document.body.clientWidth * document.body.clientHeight);
    return sSize;
  } else {
    var sSize = (window.outerWidth * window.outerHeight);
    return sSize;
  }
}
-->
</SCRIPT>
<!-- Each block runs only in browsers supporting that JavaScript level, so the last one to run records the highest version supported. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
JavaScriptVersionNumber = "1.0";
-->
</SCRIPT>
<SCRIPT LANGUAGE="JavaScript1.1">
<!--
JavaScriptVersionNumber = "1.1";
-->
</SCRIPT>
<SCRIPT LANGUAGE="JavaScript1.2">
<!--
JavaScriptVersionNumber = "1.2";
-->
</SCRIPT>
<SCRIPT LANGUAGE="JavaScript1.3">
<!--
JavaScriptVersionNumber = "1.3";
-->
</SCRIPT>
<NOSCRIPT>
<B>Your browser does not currently support JavaScript.</B>
</NOSCRIPT>
</HEAD>
<BODY>
<SCRIPT LANGUAGE="JavaScript">
<!--
// Everything the browser volunteers through the navigator, screen and history objects.
var NavigatorApplicationVersion = navigator.appVersion;
var NavigatorVersionNumber = NavigatorApplicationVersion.substring(0, 4);
var NavigatorAppCodeName = navigator.appCodeName;
var NavigatorUserAgent = navigator.userAgent;
var NavigatorPlatform = navigator.platform;
var NavigatorHistoryLength = history.length;
var WindowScreenWidth = window.screen.width;
var WindowScreenHeight = window.screen.height;
var WindowScreenAvailableWidth = window.screen.availWidth;
var WindowScreenAvailableHeight = window.screen.availHeight;
var BrowserName = navigator.appName;
colors = window.screen.colorDepth;
var ColorMath = Math.pow(2, colors);
var ScreenPercentUsed = Math.round(getwindowsize() / (screen.width * screen.height) * 100);
numPlugins = navigator.plugins.length;

document.write("<B>Full Name of Browser is: " + BrowserName + " " + NavigatorApplicationVersion + ".</B><BR>");
document.write("<B>Name of Browser Code is: " + NavigatorAppCodeName + ".</B><BR>");
document.write("<B>Browser Agent is " + NavigatorUserAgent + ".</B><BR>");
document.write("<B>Browser Version is " + NavigatorVersionNumber + ".</B><BR>");
document.write("<B>Platform of client is " + NavigatorPlatform + ".</B><BR>");
document.write("<B>History Length is " + NavigatorHistoryLength + ".</B><BR>");
document.write("<B>Colors value is " + ColorMath + ".</B><BR>");
document.write("<B>Color Depth is " + colors + ".</B><BR>");
document.write("<B>Screen Width is " + WindowScreenWidth + ".</B><BR>");
document.write("<B>Screen Height is " + WindowScreenHeight + ".</B><BR>");
document.write("<B>Screen Maximum Width is " + WindowScreenAvailableWidth + ".</B><BR>");
document.write("<B>Screen Maximum Height is " + WindowScreenAvailableHeight + ".</B><BR>");
document.write("<B>Percentage of total screen used currently is " + ScreenPercentUsed + "%" + ".</B><BR>");
document.write("<B>JavaScript version is: " + JavaScriptVersionNumber + ".</B><BR>");

if (document.referrer) {
  document.write("<B>Referring Document is: ");
  document.write(document.referrer + "</B><BR>");
}

// fontSmoothingEnabled exists only in Internet Explorer.
if (window.screen.fontSmoothingEnabled == true)
  document.write("<B>Browser Font Smoothing is " + "Yes" + ".</B><BR>");
else
  document.write("<B>Browser Font Smoothing is " + "No" + ".</B><BR>");

if (navigator.javaEnabled() < 1)
  document.write("<B>Java Enabled is " + " No" + ".</B><BR>");
if (navigator.javaEnabled() == 1)
  document.write("<B>Java Enabled is " + " Yes" + ".</B><BR>");

// The IP Address and host name come from Java via LiveConnect, so only Netscape with Java enabled gets this far.
if (navigator.javaEnabled() && (navigator.appVersion.indexOf("4.") != 0) && (navigator.appName != "Microsoft Internet Explorer")) {
  var tool = java.awt.Toolkit.getDefaultToolkit();
  addr = java.net.InetAddress.getLocalHost();
  document.write("<B>Your Host Name is " + addr.getHostName() + ".</B>");
  document.writeln("<br>");
  document.write("<B>Your IP Address is " + addr.getHostAddress() + ".</B>");
  document.writeln("<br>");
}
if ((navigator.appVersion.indexOf("4.") != -1) && (navigator.appName != "Microsoft Internet Explorer") && (navigator.appName.indexOf("Netscape") != -1)) {
  ip = "" + java.net.InetAddress.getLocalHost().getHostAddress();
  document.write("<B>Your IP address is " + ip + ".</B><BR>");
  hostname = "" + java.net.InetAddress.getLocalHost().getHostName();
  document.write("<B>Your Host Name is " + hostname + ".</B><BR>");
} else {
  document.write("<B>IP Address is shown only for Netscape browsers with Java Enabled" + ".</B><BR>");
}

// Installed plug-ins and the MIME types each one handles.
if (numPlugins > 0)
  document.writeln("<CENTER><b><font size=+3>Installed plug-ins are</font></b></CENTER><br>");
else
  document.writeln("<CENTER><b><font size=2><br><BR>No plug-ins </font></b></CENTER><br>");

for (i = 0; i < numPlugins; i++) {
  plugin = navigator.plugins[i];
  document.write("<center><font size=+1><b>");
  document.write(plugin.name);
  document.writeln("</b></font></center><br>");
  document.writeln("<dl>");
  document.writeln("<dd>File name:");
  document.write(plugin.filename);
  document.write("<dd><br>");
  document.write(plugin.description);
  document.writeln("</dl>");
  document.writeln("<p>");
  document.writeln("<table width=100% border=2 cellpadding=5>");
  document.writeln("<tr>");
  document.writeln("<th width=20%><font size=-1>Mime Type</font></th>");
  document.writeln("<th width=50%><font size=-1>Description</font></th>");
  document.writeln("<th width=20%><font size=-1>Suffixes</font></th>");
  document.writeln("<th><font size=-1>Enabled</font></th>");
  document.writeln("</tr>");
  numTypes = plugin.length;
  for (j = 0; j < numTypes; j++) {
    mimetype = plugin[j];
    if (mimetype) {
      enabled = "No";
      enabledPlugin = mimetype.enabledPlugin;
      if (enabledPlugin && (enabledPlugin.name == plugin.name))
        enabled = "Yes";
      document.writeln("<tr align=center>");
      document.writeln("<td>");
      document.write(mimetype.type);
      document.writeln("</td>");
      document.writeln("<td>");
      document.write(mimetype.description);
      document.writeln("</td>");
      document.writeln("<td>");
      document.write(mimetype.suffixes);
      document.writeln("</td>");
      document.writeln("<td>");
      document.writeln(enabled);
      document.writeln("</td>");
      document.writeln("</tr>");
    }
  }
  document.write("</table>");
}
-->
</SCRIPT>
</BODY>
</HTML>
__________________________

When I run the above script on my system, the following is the information that I get about myself:

Full Name of Browser is: Microsoft Internet Explorer 4.0 (compatible; MSIE 5.5; Windows 95; digit_062001).
Name of Browser Code is: Mozilla.
Browser Agent is Mozilla/4.0 (compatible; MSIE 5.5; Windows 95; digit_062001).
Browser Version is 4.0.
Platform of client is Win32.

History Length is 7.
Colors value is 16777216.
Color Depth is 24.
Screen Width is 800.
Screen Height is 600.
Screen Maximum Width is 800.
Screen Maximum Height is 572.
Percentage of total screen used currently is 71%.
JavaScript version is: 1.3.
Browser Font Smoothing is No.
Java Enabled is Yes.
IP Address is shown only for Netscape browsers with Java Enabled.
No plug-ins

Figure 11: One can easily get a lot of information about a client visiting your website, by using simple JavaScript code.

This goes to prove that even while surfing your favorite sites, your privacy is definitely at stake. The question that arises is, how exactly is a site that you are connected to able to get so much information about you? The answer lies in the Hypertext Transfer Protocol, or HTTP.

The HTTP Protocol

Quoting straight from The Unofficial Guide to Ethical Hacking:

What exactly happens when you type a URL (Uniform Resource Locator) in the location bar of the browser? First the browser performs a DNS query and converts the human-readable domain name (like hotmail.com) into a machine-readable IP Address. Once the browser has the IP Address of the host, it connects to port 80 (the HTTP daemon by default runs on port 80) of the remote host and asks the host for a particular document or page with the help of HTTP commands. HTTP is the protocol used by browsers to communicate with hosts, i.e. to ask for a particular file at a specific URL or to send or post data to the server. We are never aware of this process, which occurs in the background.

***********
HACKING TRUTH: Since the HTTP port is port 80, one has to first telnet to port 80 of the server which stores the page or document that you want to request, and then type in the commands when you get the prompt. After the HTTP command and its headers one has to press Enter twice to send the request to the server and bring about a response. Why? Because an HTTP request ends with an empty line: the server reads header lines until it sees a blank one, and only then does it know the request is complete and act on it.
**********

In this section we will learn to do manually what the browser does automatically. When the browser asks for a file at a specific URL it is said to "request" information. A typical HTTP request line looks like the following:

GET url HTTP/1.1

For example, to request the about.htm file at hackingtruths.box.sk, simply telnet to port 80 of hackingtruths.box.sk and type in the lines below, pressing Enter twice after the last one:

C:\windows>telnet hackingtruths.box.sk 80
GET /about.htm HTTP/1.1
Host: hackingtruths.box.sk

The above request asks for the about.htm file stored in the document root (specified by the /) of the server hackingtruths.box.sk. It can be broken down into the following parts:

GET: The HTTP method to be used in this particular case. Method names are case-sensitive and are written in upper case.
/about.htm: The path of the requested file, relative to the server's document root.
HTTP/1.1: The version of the HTTP protocol to be used. An HTTP/1.1 request must also carry a Host: header naming the server it is meant for, since one IP Address may serve several websites; a server that receives an HTTP/1.1 request without it replies with an error.

The GET method

The GET method is the most common method and the one with which browsers request pages or documents. In this method you are the client (i.e. the client is the browser) and request a page from the server, which is the host you are connected to.

The POST method

The POST method is used to send data to the server, for example the contents of a form, or files uploaded straight through an HTML page rather than by the FTP service. The roles do not change: you are still the client and the host is still the server. The difference is that the request carries a body of data for the server to process.

The HEAD method

The HEAD method is the least known of the three and not many people know about it. Although not widely used, it is still part of HTTP. You would use HEAD when you want to make sure that a particular file exists at a particular URL without downloading the entire file: the server returns only the headers it would send for a GET, and not the body.

The HTTP protocol, in all of its methods and replies, gives away a lot of information regarding the sender of that particular HTTP message.
A sniffed HTTP GET request for the about.htm file located at the hackingtruths.box.sk server is given below (the leading bytes are the Ethernet, IP and TCP headers of the frame, which the sniffer printed as unreadable characters):

SRC DEST E J @ 6^ j P e.q8P"8/ GET /about.htm HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*Referer: http://hackingtruths.box.sk/Accept-Language: en-usAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 95; digit_062001)Host: hackingtruths.box.skConnection: Keep-Alive

This captured data can be written out as follows (with comments in brackets):

GET /about.htm HTTP/1.1 (the HTTP GET request line)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */* (data types accepted by the client, which hints at the applications installed on it)
Referer: http://hackingtruths.box.sk/ (the page that referred the client to the page requested)
Accept-Language: en-us (the language accepted by the client)
Accept-Encoding: gzip, deflate (the content encodings accepted by the client)
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 95; digit_062001) (browser and Operating System info)
Host: hackingtruths.box.sk (the server the request is addressed to; note that the client's own IP Address and port number appear nowhere in the HTTP headers, but in the IP and TCP headers of the frame, which is how the server knows where to send its reply)
Connection: Keep-Alive (connection status)

Fig 15: A captured frame of an HTTP request.

This goes to show what information about you is given to the host to which you are connected, just by the HTTP protocol. The captured data of the reply sent by the server hackingtruths.box.sk to the above request is as below:

DEST SRC E @ )> ^ Pjq8 fP X HTTP/1.1 200 OKDate: Fri, 26 Oct 2001 02:28:17 GMTServer: Apache/1.3.20 (Unix) PHP/4.0.5Last-Modified: Fri, 21 Sep 2001 14:43:55 GMTETag: "1383f-2fcb-3bab522b"Accept-Ranges: bytesContent-Length: 12235Connection: closeContent-Type: text/html

This can be rewritten as below:

HTTP/1.1 200 OK
Date: Fri, 26 Oct 2001 02:28:17 GMT
Server: Apache/1.3.20 (Unix) PHP/4.0.5
Last-Modified: Fri, 21 Sep 2001 14:43:55 GMT
ETag: "1383f-2fcb-3bab522b"
Accept-Ranges: bytes
Content-Length: 12235
Connection: close
Content-Type: text/html

This is followed by an empty line and then the source code of the requested document, i.e. about.htm. However, the line that is of interest to us is the one which says:

Server: Apache/1.3.20 (Unix) PHP/4.0.5

Thus, by simply studying the sniffer logs, one can get valuable information on the remote system to which we are connected: here the web server software and its version, the Operating System family and the PHP version, which is exactly what an attacker needs in order to look up known weaknesses in that software.

Countermeasures

1. The easiest way to protect your privacy while surfing the Internet is to connect to websites through an anonymous surfing service like anonymizer.com or antionline.com. Such services not only hide your IP Address from the host that you visit, but also hide all the other information about you, like your browser name, Operating System etc.

2. Another thing one could do to protect one's identity on the Internet is to surf via an anonymous web proxy server. A proxy server is basically a server which acts as a buffer between the client (you) and the host to which you are connected. All requests that you send to the host go through this proxy server; as a result, if the host has any malicious scripts running, the information those scripts extract is not yours but that of the proxy server you are connected to. Visit proxys4all.cgi.net for a list of proxy servers. However, one thing to note is that a proxy server hides only your IP Address and not the other information about your browser and Operating System, because the browser still sends its own User-Agent and other headers through the proxy. A proxy that is not truly anonymous may even pass your real address on to the host in an X-Forwarded-For header.
The diagram depicting a typical situation wherein the client is connected to the host via a proxy server or an anonymous surfing service is as follows:

Client --------------- Anonymous Service/Proxy Server---------------- Host
Host----------------- Anonymous Service/Proxy Server----------------- Client

As a result, we can see that there is never a direct connection between the client and the host, as all communication takes place through the proxy server in between. Please note that in the case of a proxy server, unlike in the case of anonymous surfing services, the other client information like the browser and Operating System details is not filtered out. Read the "Proxy Servers Torn Apart" section, found later in this chapter.

*******************
HACKING TRUTH: A more secure setup is for the client to connect to the host via a chain of several proxies rather than a single one, so that tracing the connection back to you requires the logs of every proxy in the chain.
*******************

Getting IP Addresses by Studying Email Headers

Another popular way of getting the IP Address of a remote system is by examining the headers of an email sent from the target system. Many web-based (and some POP) email service providers record the IP Address of the person who used their service to send an email in the headers of that email, which from the sender's point of view is a flaw. The example that straightaway comes to mind is Hotmail. Hotmail adds the IP Address of the sender to all outgoing emails, and the receiver of the email can easily find out the sender's IP by examining the headers. A typical header of an email sent using a Hotmail account is as follows:

Return-Path: <namita_8@hotmail.com>
Received: from hotmail.com by delhi1.mtnl.net.in (8.9.1/1.1.20.3/26Oct99-0620AM) id TAA0000032714; Sun, 23 Jan 2000 19:02:21 +0530 (IST)
Received: (qmail 34532 invoked by uid 0); 23 Jan 2000 13:30:14 -0000
Message-ID: <20000123133014.34531.qmail@hotmail.com>
Received: from 202.54.109.174 by www.hotmail.com with HTTP; Sun, 23 Jan 2000 05:30:14 PST
X-Originating-IP: [202.xx.109.174]
From: "Namita Mullick" <namita_8@hotmail.com>
To: ankit@bol.net.in
Date: Sun, 23 Jan 2000 19:00:14 IST
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-UIDL: 5c296dd2b5265c76e117ae1390e229ab

The line that gives the sender away is:

X-Originating-IP: [202.xx.109.174]

The "Received: from 202.54.109.174 by www.hotmail.com with HTTP" line, added by the Hotmail web server when the sender logged in to compose the message, records the same address. Although most people connect to the Internet using a dynamic IP Address, sometimes knowing someone's dynamic IP too could be very useful. Hotmail is one mail service which reveals the actual IP of the system that connected to it to send the email; however, most email service providers only reveal the address of the mail server which was used to send that particular email.
If you use your ISP's mail server to send an email, then the person who receives the email, or anyone able to intercept it in between, would more often than not at least be able to deduce the country, city and ISP that you use. The following example makes this clearer:

Return-Path: <sender@bol.net.in>
Received: from sender by delhi1.mtnl.net.in (8.9.1/1.1.20.3/07Jul00-0916AM) id XAA0000018925; Fri, 19 Oct 2001 23:10:15 +0530 (IST)
Message-ID: <000001c158c5$b183efe0$dffd5ecb@sender>
From: "Sender" <sender@bol.net.in>
To: "Ankit Fadia" <ankit@bol.net.in>
Subject: Re: Hi. PLease read.....
Date: Fri, 19 Oct 2001 23:13:08 +0530
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_003D_01C158F3.9DA94D20"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.1
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
X-UIDL: 7826ce29c3f2aa56d304b53a6ac678eb

The part of the above headers that is of interest to us is the line:

Received: from sender by delhi1.mtnl.net.in (8.9.1/1.1.20.3/07Jul00-0916AM) id XAA0000018925; Fri, 19 Oct 2001 23:10:15 +0530 (IST)

This line means that the sender, whose email address is sender@bol.net.in, used the mail server whose hostname is delhi1.mtnl.net.in to send the email. The hostname of the mail server can be broken down as follows:

delhi1.mtnl.net.in =
delhi = New Delhi (this gives us the name of the city where the mail server is located)
mtnl = the ISP name
in = India's country code

Thus, we can say that the sender is located in New Delhi, which is a city in India, and has MTNL as his ISP. However, this method is far from foolproof, because anyone from absolutely anywhere in the world can telnet to port 25 of the mail server delhi1.mtnl.net.in, type in a few SMTP commands and send the above email; the Received: line the server adds then records whichever host actually connected to it, which need not be an MTNL customer at all. Why did I then go through this entire exercise of explaining the headers in the first place? Just so that we can understand and explore the various possibilities.

Countermeasures

1. If you want to remain truly anonymous while sending email, your best bet is to use anonymous remailers to send the email. They provide complete anonymity when it comes to sending email.

2. One should be particular while choosing the email service to open an account with. Look for those services which provide some sort of protection of your identity, if not complete anonymity.

3. Connect to the mail server using an anonymous proxy server. Read the "Proxy Servers Torn Apart" section, found later in this chapter.
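Reading the sender's address out of raw email headers the way the two analyses above do by eye, as an added example in Node.js that is not code from the original manual. It unfolds the headers, walks the Received: chain in the order the servers added it, prefers an X-Originating-IP line where a webmail service added one, and names the server that injected the message so that its hostname can be broken down as shown. The function names are chosen here, and the sample header is constructed in the shape of the Hotmail headers above with documentation addresses (203.0.113.0/24) in place of real ones.

```javascript
// Added example, not from the original manual: reading the sender's address out of
// raw email headers the way the analysis above does by eye. Node.js only.

// Unfold the headers: a line beginning with a space or tab continues the previous
// field (RFC 822 folding), so the long Received: lines come back as one value each.
function parseHeaders(raw) {
  const fields = [];
  for (const line of raw.split(/\r?\n/)) {
    if (line === '') break; // the first blank line ends the headers
    if (/^[ \t]/.test(line) && fields.length) {
      fields[fields.length - 1].value += ' ' + line.trim();
      continue;
    }
    const m = line.match(/^([^:\s]+):\s*(.*)$/);
    if (m) fields.push({ name: m[1].toLowerCase(), value: m[2] });
  }
  return fields;
}

const IPV4 = /\b(\d{1,3}(?:\.\d{1,3}){3})\b/;

// Each mail server prepends its own Received: line, so the first one in the header is
// the last hop (the receiver's server) and the last one is the hop nearest the sender.
// Only the "by" server wrote the line: the "from" name is what the previous hop
// claimed, and an IP in the "from" part is what the "by" server saw connecting.
// The IP search is restricted to the part before "by" so that version strings such as
// "(8.9.1/1.1.20.3/...)" in the server's own comment are not mistaken for addresses.
function receivedChain(fields) {
  return fields
    .filter((f) => f.name === 'received')
    .map((f) => {
      const from = f.value.match(/^from\s+([^\s(\[]+)/i);
      const by = f.value.match(/\bby\s+([\w.-]+\.[\w-]+)/i);
      const ip = f.value.split(/\bby\b/i)[0].match(IPV4);
      return { from: from ? from[1] : '', by: by ? by[1] : '', ip: ip ? ip[1] : '' };
    });
}

// The sender's address: X-Originating-IP if the webmail service added one, otherwise
// the first address found walking the Received: chain from the sender's end.
function originatingIp(fields) {
  const x = fields.find((f) => f.name === 'x-originating-ip');
  if (x) {
    const m = x.value.match(IPV4);
    if (m) return m[1];
  }
  const hops = receivedChain(fields);
  for (let i = hops.length - 1; i >= 0; i--) if (hops[i].ip) return hops[i].ip;
  return '';
}

// The server that injected the message is the "by" host of the earliest hop; its
// hostname is what the text breaks down into city, ISP and country code.
function injectingServer(fields) {
  const hops = receivedChain(fields).filter((h) => h.by);
  return hops.length ? hops[hops.length - 1].by : '';
}

// Constructed sample in the shape of the Hotmail headers above, with documentation
// addresses in place of real ones.
const SAMPLE_MAIL = [
  'Return-Path: <sender@example.com>',
  'Received: from hotmail.com by delhi1.mtnl.net.in (8.9.1/1.1.20.3/26Oct99-0620AM)',
  '\tid TAA0000032714; Sun, 23 Jan 2000 19:02:21 +0530 (IST)',
  'Received: (qmail 34532 invoked by uid 0); 23 Jan 2000 13:30:14 -0000',
  'Message-ID: <20000123133014.34531.qmail@hotmail.com>',
  'Received: from 203.0.113.174 by www.hotmail.com with HTTP;',
  '\tSun, 23 Jan 2000 05:30:14 PST',
  'X-Originating-IP: [203.0.113.174]',
  'From: "Sender" <sender@example.com>',
  'To: recipient@example.net',
  'Subject: test',
  '',
  'body text',
].join('\n');

// Stand-alone run over the constructed sample.
const mailFields = parseHeaders(SAMPLE_MAIL);
console.log(receivedChain(mailFields));
console.log('sender IP:', originatingIp(mailFields), 'via', injectingServer(mailFields));
```

Walking the chain from the bottom matters: the top Received: line was written by your own server and only tells you which host handed the message over, while the bottom one is the only hop that ever saw the sender's machine, and even that address is trustworthy only to the extent that the server which wrote the line is.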

Getting the IP Address of a person through IRC

If you are an Internet Relay Chat (IRC) fanatic, then you probably spend hours together on your favorite IRC channels. However, did you know that by simply chatting on IRC you are putting your privacy at stake? Absolutely anyone who is logged into the same IRC channel as you can easily get to know your IP Address and, with it, a lot more information about you. You can get the IP Address or hostname of anyone by simply typing the following command at the command prompt of your favorite IRC software:

/whois nicknameofvictim

The following is the output generated when I whois myself. Please note that my nickname is ankit.

/whois ankit
ankit is ankit@203.xx.254.71 * Ankit Fadia
ankit on #chatterz
ankit using irc.net Global NAPs Quincy, MA
ankit has been idle 1min 12sec, signed on Sun Oct 21 20:30:12
ankit End of /WHOIS list

Let us analyze the output generated by the simple whois command above. The first line contains my nickname, i.e. the part before the @ sign, followed by my dynamic IP Address (or my hostname, if the server resolved it), which can be used for various malicious purposes. Finally, the first line even prints my real full name, which is actually the name that I keyed into the options dialog box of my IRC software. The other lines give information regarding the channel I am on, the server to which I am connected, my idle time and the time I signed on. I am sure this exercise was successful in convincing you that a lot of personal information can be derived through simple commands used on Internet Relay Chat.

Another common method of getting the IP Address of someone on IRC is by initiating a Direct Client Connection (DCC) with the target system, for a chat session or for transferring a file, and then using the ever so friendly netstat command to get his IP. One can initiate DCC sessions with the following commands:

/dcc send nickname full_file_path
The above command initiates a DCC with nickname and sends the file whose full path is full_file_path.

/dcc chat nickname
The above command initiates a DCC with nickname for a chat session.

Once either of the above DCC sessions has been established, typing the "netstat -n" command at the command prompt (of the Operating System, not of the IRC software) will reveal the IP Address of the person with whom the DCC session has been established, because a DCC session is a direct connection between the two computers that bypasses the IRC server.

*******************
HACKING TRUTH: If you are on IRC, not only your IP Address but also your email address, host name, ISP hostname etc. are at risk of getting into the wrong hands. One IRC command which reveals plenty of information about a person is /finger.
*******************

Once the attacker gets the IP Address of the target system, it can easily be resolved into the corresponding hostname. This hostname can reveal important geographical information about the target system.
For example, say the IP Address of the target system is 203.xx.45.33 and you resolve it into the hostname 34r.delhi.mtnl.net.in, which can be broken down as follows:

.in = India (the country code of the country where the target system resides)
mtnl.net.in = the ISP of the target computer
delhi = the city of the target system
34r = the ISP's modem bank or access server to which the target system is connected

For a more detailed look into tracing an IP Address to a geographical place, read the "Getting Geographical Information using IP Addresses" section.

Countermeasures

1. Not all, but most IRC servers allow you to hide your IP Address. One of the following commands (depending on the server) would work to hide your identity:
/mode your_nickname +x
or
/mode your_nickname +z

2. DCC Requests: Never accept DCC requests from people you do not know. Such requests are mostly either from malicious attackers or from people promoting pornography. Even if you have followed the first countermeasure and are in IP-hiding mode, the attacker would still be able to find out your IP Address, as in a DCC session a direct connection is established between the two computers.

3. Another precaution one could take is to choose only those IRC servers which either hide your IP Address or provide some kind of security regarding your identity. One such secure IRC network is suid.net. Also, one should not reveal one's real full name and real email address in the options of the IRC software.

4. Another thing one can do to protect one's identity is to bounce off a proxy (such as WinGate or a SOCKS-capable firewall), so that all packet transfer between you and the IRC server takes place via that proxy. Typically the data transfer would be as below:

Your System----------- Proxy/Firewall------------- IRC Server

As a result, when the attacker tries to get information about you, he would actually get the IP Address, hostname etc. of the proxy or firewall in between and not those of your system. A DCC session initiated outside the proxy, however, still connects directly to your system. Read the "Proxy Servers Torn Apart" section, found later in this chapter.

So what is all this fuss about IP Addresses?

All along this chapter, we have talked about methods employed by attackers to get the victim's IP Address and what countermeasures the user at the target system's end can employ. Why are IP Addresses so important? Why is it that the first step an attacker takes, in his quest to do what he wants to, involves obtaining the IP Address of the target system? Why do we need to be so protective of our IP Address? Or, in other words, what can a user with malicious intent do once he obtains your IP Address?

An IP Address is your identity on the Internet. It is the address to which all data has to be sent so as to ensure that your system receives it. It is the identity which tells which network you belong to, which part of the world you reside in, and at which address information has to be sent so that you can receive it.
Thus, just as in the real world, if someone obtains your home address he knows where to attack; similarly, on the Internet, if the attacker knows your IP Address, he knows exactly where to direct the attacks he wishes to conduct. What can the attacker do once he has obtained your IP Address?

1. DOS Attacks: Your system can be subjected to DOS Attacks like Ping of Death, Smurf, UDP Flooding, Modem Disconnection Strings etc., which exhaust your system's memory, bandwidth or TCP/IP stack and hence force your system to hang, reboot or crash. Some common DOS Attacks, which your system is likely to encounter quite frequently, are as follows:
a.) Ping of Death:

In this attack, the target system is pinged with an ICMP packet which, once its fragments are reassembled, exceeds the maximum size of an IP datagram, which is 65,535 bytes. Older TCP/IP stacks did not check for this, and would almost always hang, reboot or crash while reassembling the oversized packet. This DOS attack could be carried out straight from the command line. The following ping command asks for a giant datagram of 65,540 bytes and might hang the victim's computer (modern versions of ping refuse a buffer size this large):

C:\windows>ping -l 65540 <IP Address of the target>

Countermeasure

The Ping of Death no longer affects newer Operating Systems, whose TCP/IP stacks check the reassembled size and drop oversized packets. Unless you have some ancient version of an equally ancient Operating System running on your machine, you are more or less safe from such attacks.

b.) The Modem Disconnection Attack (+++ATH0):

Once you know the IP Address of a remote system, you can easily disconnect the modem of that remote system simply by sending it the disconnect string (+++ATH0) inside a packet it will echo back, such as a ping; a vulnerable modem sees the string pass through on its way out and treats it as a command to hang up. For more information regarding this attack, read the "Controlling Modems Remotely" section.

Countermeasure

To protect your system from such attacks, i.e. from being disconnected remotely by malicious users, make sure that you are running a new-model modem and that your modem drivers are up to date. Modems that honour the guard time (a pause required before and after +++) do not interpret an escape sequence embedded in the data stream. Refer to your modem manufacturer's website for more details regarding version numbers and updates.

c.) More Similar DOS Attacks:

Once the attacker knows your IP Address, your system can easily become the victim of various similar attacks. For a complete description of various DOS Attacks and their countermeasures, read the "DOS Attacked" section.

d.) IRC: getting a user out of IRC

If you are chatting on IRC and the attacker gets to know your IP Address, then he can download any one of the million nuking programs freely available on almost all hacking websites, type your IP into the required field, and flood a particular predefined port on your system with so many packets that you will be forced off the IRC channel you are connected to.

NOTE: An effective countermeasure against almost all DOS attacks is a well-configured firewall and filtering utility. However, in most cases it is pretty tough to configure a firewall to protect the system against a particular DOS attack without affecting other normal traffic. Thus, there are both upsides and downsides to using firewalls to fight DOS attacks.

2. Trojans

Once the attacker gets to know your IP Address, then by simply following the steps below he could gain complete control over your system. There is a catch, however: a Trojan must already be installed on the target system.

1. Get the IP Address of the target system.
2. Use a stealth port scanner to port scan the target system.
3. In the open ports list returned by the port scanner, look for an open port which is normally associated with a Trojan. For reference purposes, see the complete Trojan ports list at the end of the book.
4. Once you know that the target system has a Trojan installed, it is literally child's play to control the remote target system. However, what you do need to do is find out the dynamic IP Address of the target system each time the user reconnects to his or her ISP.

Countermeasure

One should regularly perform a security audit of one's own system and check whether or not a Trojan has been installed and is listening on a port. To perform such an audit, follow the steps below:

NOTE: One could also simply install anti-virus software, which performs the steps below automatically, both more effectively and more quickly.

1. Launch MS-DOS and give the "netstat -a" command.
2. Look for listening (open) ports and note down the port numbers.
3. Check the Trojan list available at the end of this book. If an open port number matches one of the popular Trojan ports, get a Trojan Remover and remove the Trojan.
4. If it doesn't match, or if the Trojan Remover says "No Trojan found", check whether the open port lies in the registered ports range (1024 to 49151). If it does, it is most likely a legitimate program and you have nothing to worry about; bear in mind, though, that a Trojan can be configured to listen on any port, so an unexplained listener is worth identifying regardless.
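The audit above, run over the text that "netstat -an" prints, as an added example in Node.js that is not code from the original manual. It parses the netstat rows, lists the listening ports, flags those matching a known Trojan port and classifies the rest by IANA range; it also lists the established connections, which is the other use of netstat in this chapter (reading the other end of a file transfer or DCC session). The function names are chosen here, the Trojan port table is a small illustrative one drawn from commonly published lists and not the book's full list, and the sample netstat output is constructed with documentation addresses and one planted NetBus listener.

```javascript
// Added example, not from the original manual: the port audit described above, run
// over the output of "netstat -an". Node.js only.

// Illustrative table only (commonly published Trojan ports); the book's own list at
// the end is the one to consult.
const TROJAN_PORTS = {
  1243: 'SubSeven',
  12345: 'NetBus',
  20034: 'NetBus 2 Pro',
  27374: 'SubSeven 2.x',
  31337: 'Back Orifice',
};

// Addresses are split at the last colon so the port comes off cleanly; "*:*" (UDP with
// no peer) yields port NaN, which no table lookup matches.
function splitAddr(addr) {
  const i = addr.lastIndexOf(':');
  return { host: addr.slice(0, i), port: Number(addr.slice(i + 1)) };
}

// One row per "TCP"/"UDP" line; header and blank lines are skipped. UDP rows carry no
// state column, so a UDP socket that is bound is treated as open.
function parseNetstat(text) {
  const rows = [];
  for (const line of text.split(/\r?\n/)) {
    const parts = line.trim().split(/\s+/);
    if (parts[0] !== 'TCP' && parts[0] !== 'UDP') continue;
    const [proto, local, foreign, state] = parts;
    rows.push({
      proto,
      local: splitAddr(local),
      foreign: splitAddr(foreign),
      state: state || (proto === 'UDP' ? 'OPEN' : ''),
    });
  }
  return rows;
}

// IANA port ranges referred to in step 4 of the audit.
function portClass(port) {
  if (port <= 1023) return 'well-known';
  if (port <= 49151) return 'registered';
  return 'dynamic';
}

// Step 2: every local port something is listening on.
function listeningPorts(rows) {
  return rows
    .filter((r) => r.state === 'LISTENING' || r.state === 'OPEN')
    .map((r) => r.local.port);
}

// The other use of netstat in this chapter: who you are directly connected to right now.
function connectedPeers(rows) {
  return rows
    .filter((r) => r.state === 'ESTABLISHED')
    .map((r) => r.foreign.host + ':' + r.foreign.port);
}

// Steps 3 and 4: flag listening ports that match a known Trojan port, classify the rest.
function auditPorts(rows) {
  return listeningPorts(rows).map((port) => ({
    port,
    range: portClass(port),
    trojan: TROJAN_PORTS[port] || null,
  }));
}

// Constructed sample in the format of "netstat -an" on Windows, using documentation
// addresses; the listener on 12345 is planted to show a hit.
const SAMPLE_NETSTAT = `
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1031        203.0.113.61:1863      ESTABLISHED
  TCP    192.0.2.10:1047        198.51.100.9:6667      ESTABLISHED
  UDP    0.0.0.0:137            *:*
`;

// Stand-alone run over the constructed sample.
const netstatRows = parseNetstat(SAMPLE_NETSTAT);
console.log('listening:', auditPorts(netstatRows));
console.log('connected to:', connectedPeers(netstatRows));
```

On a live system, pipe the real output in (for example, read it from a file produced by "netstat -an > ports.txt") and feed the text to parseNetstat; a port that is listening but appears in neither the Trojan table nor the list of programs you know you are running is the one to investigate.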

A more effective countermeasure against Trojan activity is to install a firewall which monitors and logs all port traffic, hence enabling you to detect and trace attempts to connect to a Trojan.

3. Geographical Information on the User

Using just your IP Address, anyone can trace you geographically on the world map, down to the continent, country, city and even ISP. For more information, read the "Getting Geographical Information Using an IP Address" section.

Another thing one can do using an IP Address is exploit systems with File Sharing enabled. If you have WinGate installed on your system, then there are all the more reasons for an attacker to try and get your IP Address.

One can obtain the IP Address of a remote host in many more ways, and there are numerous other malicious things one can do using the IP Address of a remote system; however, the most common and most successful ways of getting someone's IP Address are through Instant Messengers, IRC, websites and the Netstat command. The Netstat command is indeed a very interesting and useful command:

Netstat Made Easy


A lot of times I hear people asking questions like: how do I find out the IP of a friend? How do I find out my own IP? How do I know which ports are open on my system? How do I make sure whether my system is infected with a Trojan or not? For all of the above questions (and more) there is one simple answer: the Netstat command.

Microsoft has this weird tendency of hiding, or at least never advertising, such useful utilities. However, putting a utility in the Windows directory and not listing it anywhere does not make it hidden. The Netstat command is accessible from the command prompt. Simply launch MS-DOS and:

C:\>cd windows
C:\WINDOWS>

NOTE: Normally DOS opens by default in the Windows directory; for those of you whose default DOS directory is not Windows, the above will prove helpful.

Before we move on, we need to understand what exactly the Netstat command is used for. By default this command is used to get information on the open connections on your system (ports, protocols being used etc.), on incoming and outgoing data, and on the ports of the remote systems to which we are connected. Netstat gets all this networking information by reading the kernel's network data structures (the routing table and the socket tables) in memory. The Internet Tool Catalog RFC defines Netstat as follows:

Netstat is a program that accesses network related data structures within the kernel, then provides an ASCII format at the terminal. Netstat can provide reports on the routing table, TCP connections, TCP and UDP "listens", and protocol memory management.

Now that we know what Netstat is all about, we are in a position to start using it. Once you have launched MS-DOS, you can read the MS-DOS help on Netstat by giving the following command:

C:\WINDOWS>netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

  -a          Displays all connections and listening ports. (Server-side connections are normally not shown.)
  -e          Displays Ethernet statistics. This may be combined with the -s option.
  -n          Displays addresses and port numbers in numerical form.
  -p proto    Shows connections for the protocol specified by proto; proto may be tcp or udp. If used with the -s option to display per-protocol statistics, proto may be tcp, udp, or ip.
  -r          Displays the contents of the routing table.
  -s          Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
  interval    Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.

However, like always, the help provided by MS-DOS can be used only as a reference; it is not at all sufficient for a complete newbie. Let us try out each option, see the result, and understand what exactly happens when we execute it and what the displayed results mean. To get our hands wet with the Netstat command, we will start with the "-a" argument.
The -a option is used to display all open connections on the local machine. It also returns the remote system to which we are connected, the port numbers at both ends of the connection, and the type and state of the connection we have with the remote system. For example:

C:\windows>netstat -a

Active Connections

  Proto  Local Address     Foreign Address           State
  TCP    ankit:1031        dwarf.box.sk:ftp          ESTABLISHED
  TCP    ankit:1036        dwarf.box.sk:ftp-data     TIME_WAIT
  TCP    ankit:1043        banners.egroups.com:80    FIN_WAIT_2
  TCP    ankit:1045        mail2.mtnl.net.in:pop3    TIME_WAIT
  TCP    ankit:1052        zztop.boxnetwork.net:80   ESTABLISHED
  TCP    ankit:1053        mail2.mtnl.net.in:pop3    TIME_WAIT
  UDP    ankit:1025        *:*
  UDP    ankit:nbdatagram  *:*

Let us take a single line from the above output and see what it stands for:

  Proto  Local Address     Foreign Address           State
  TCP    ankit:1031        dwarf.box.sk:ftp          ESTABLISHED

The above line can be broken down as follows:

Protocol: TCP (either Transmission Control Protocol, TCP, or User Datagram Protocol, UDP. A UDP line has no state column, because UDP keeps no connection state.)
Local System Name: ankit (the name of the local system that you set during Windows setup.)
Local port opened and used by this connection: 1031
Remote System: dwarf.box.sk (the non-numerical form of the address of the system to which we are connected.)
Remote Port: ftp (the port of the remote system dwarf.box.sk to which we are connected, shown by its service name; ftp is port 21.)
State of connection: ESTABLISHED

Netstat with the -a argument is normally used to get a list of open ports on your own system, i.e. on the local system. This is particularly useful to check whether your system has a Trojan installed or not. Yes, most good antiviral software is able to detect the presence of Trojans, but we are hackers and do not need any software to tell us whether we are infected or not. Besides, it is more fun to do something manually than to simply click the Scan button and let some software do it. The following is a list of Trojans and the port numbers they use; if you netstat yourself and find any of the following open, you can be pretty sure that you are infected:

  Port           Trojan
  12345 (TCP)    NetBus
  31337 (UDP)    Back Orifice

For the complete list, refer to the Trojan lists at the end of the book.

***********************
HACKING TRUTH: Some of you might be wondering what the high port numbers after the local machine's name stand for, e.g. ankit:1052. Port numbers up to 1023 normally have a specific kind of service running on them; in fact there is a complete RFC on assigned port numbers, RFC 1700. Port numbers above 1023, however, are what your system uses as the local end of its own outgoing connections. For example, say your browser wants to establish a connection with www.hotmail.com: it takes a free port number above 1023, opens it and uses it to communicate with the Hotmail server. Such a port belongs to your browser, not to any server, and it closes when the connection does.
***********************

Let us move on to a variant of the above command, netstat -n. The netstat -n command is basically the numerical form of the netstat -a command. The most visible difference between the two is that -n shows the addresses of the local and remote systems in numerical form (hence "n"), while -a shows them as hostnames and service names.
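The Trojan check described above (run netstat -a, note the open ports, compare them with the Trojan list) can be automated. The following Python script is an added example, not code from this book or from any Trojan remover: it parses the text that Windows netstat prints, looks each local port up against the two Trojan ports quoted above, and sorts the remaining listeners into the well-known, registered and dynamic ranges that the Closing Open Holes section describes. The sample output embedded in it is constructed from the netstat -a listing above plus two invented lines (a NetBus and a Back Orifice listener) so that the script runs offline; the service-name table, the LISTENING state wording and the audit_file() helper are assumptions about the Windows output, not anything the book specifies.

```python
"""Audit a saved `netstat -a` (or `netstat -an`) listing for Trojan ports.

Added example: run `netstat -a > ports.txt` on the Windows box, then feed the
file to audit_file(). Everything here is constructed for illustration; it is
not part of the book or of any Trojan remover.
"""
import re
import socket

# IANA port ranges, as explained in the "Closing Open Holes" section
WELL_KNOWN = range(0, 1024)
REGISTERED = range(1024, 49152)
DYNAMIC = range(49152, 65536)

# The two Trojan ports quoted on this page; extend from the book's full list
TROJAN_PORTS = {
    ("TCP", 12345): "NetBus",
    ("UDP", 31337): "Back Orifice",
}

# Service names netstat prints instead of numbers when -n is not given (assumed)
SERVICE_PORTS = {"ftp-data": 20, "ftp": 21, "http": 80, "pop3": 110,
                 "nbname": 137, "nbdatagram": 138, "nbsession": 139}

# One netstat connection line: proto, local host:port, foreign host:port, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def port_number(token):
    """Map a netstat port token ('1031', 'ftp', '*') to an int, or None for '*'."""
    if token.isdigit():
        return int(token)
    if token == "*":
        return None
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    try:                      # fall back to the OS services database
        return socket.getservbyname(token)
    except OSError:
        return None


def parse_netstat(text):
    """Return one dict per connection line; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lhost, lport, rhost, rport, state = m.groups()
        rows.append({"proto": proto, "local_host": lhost,
                     "local_port": port_number(lport), "remote_host": rhost,
                     "remote_port": port_number(rport),
                     "state": state or ""})      # UDP lines carry no state column
    return rows


def port_range(port):
    """Classify a port into the three IANA ranges used on this page."""
    if port in WELL_KNOWN:
        return "well-known"
    if port in REGISTERED:
        return "registered"
    return "dynamic/private"


def audit(rows):
    """Apply the page's checklist: Trojan ports first, then suspicious listeners.

    Returns (port, verdict, detail) tuples. A UDP endpoint is always a listener;
    a TCP one only when netstat reports it as LISTENING (assumed Windows wording).
    """
    findings = []
    for r in rows:
        port = r["local_port"]
        if port is None:
            continue
        listening = r["proto"] == "UDP" or r["state"] == "LISTENING"
        if (r["proto"], port) in TROJAN_PORTS:
            findings.append((port, "TROJAN", TROJAN_PORTS[(r["proto"], port)]))
        elif listening and port_range(port) == "dynamic/private":
            findings.append((port, "REVIEW", "listener in the dynamic/private range"))
        elif listening and port_range(port) == "well-known":
            findings.append((port, "SERVICE", "well-known service exposed"))
    return findings


# Constructed sample: the netstat -a listing from the page plus two made-up
# Trojan listeners, so the script can be run offline.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    ankit:1031             dwarf.box.sk:ftp       ESTABLISHED
  TCP    ankit:1036             dwarf.box.sk:ftp-data  TIME_WAIT
  TCP    ankit:12345            ankit:0                LISTENING
  UDP    ankit:1025             *:*
  UDP    ankit:nbdatagram       *:*
  UDP    ankit:31337            *:*
"""


def audit_file(path):
    """Audit a netstat listing saved to a file."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return audit(parse_netstat(fh.read()))


if __name__ == "__main__":
    for port, verdict, detail in audit(parse_netstat(SAMPLE)):
        print(f"{port:>5}  {verdict:<8} {detail}")
```

On the constructed sample the script reports the two Trojan ports and the NetBIOS datagram service on UDP 138; the registered-range ports 1025, 1031 and 1036 are left alone, which is exactly the judgement the checklist asks you to make by hand. The one thing it cannot tell you is which program owns a port; on later Windows versions netstat -o adds that column, which is the check to run before deciding that an unexpected registered-range listener is harmless.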

Let us see an example to understand better:

C:\>netstat -n

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    203.xx.251.161:1031    194.1.129.227:21       ESTABLISHED
  TCP    203.xx.251.161:1043    207.138.41.181:80      FIN_WAIT_2
  TCP    203.xx.251.161:1053    203.94.243.71:110      TIME_WAIT
  TCP    203.xx.251.161:1058    194.1.129.227:20       TIME_WAIT
  TCP    203.xx.251.161:1069    203.94.243.71:110      TIME_WAIT
  TCP    203.xx.251.161:1071    194.98.93.244:80       ESTABLISHED
  TCP    203.xx.251.161:1078    203.94.243.71:110      TIME_WAIT

Although this gives similar results, there are some differences, mainly:

1. Instead of the name of the local machine, the actual IP address of the local machine is shown, and service names become port numbers (ftp is 21, ftp-data is 20, pop3 is 110).
2. The UDP lines have disappeared. This is not because -n ignores UDP: without -a, netstat lists only active TCP connections and leaves out listening sockets, and every UDP endpoint counts as a listening socket. Give netstat -an to get the complete list, UDP included, in numerical form.

Figure 8: The implementation of the netstat -n command.

If you read the alt.2600 newsgroup regularly, or any other newsgroup for that matter, you will probably have seen at least 2-3 daily postings whose body reads: "How do I find out my own IP?" This option of Netstat is most commonly used to do just that: find out your own IP. Also, some people somehow feel more comfortable with numbers than with hostnames, and this form of Netstat does make life easier, as the port numbers are displayed numerically too, which makes relating everything easier. Getting the IP of a person is the starting point for any attack on his system. Thus, hiding your IP from hackers and getting the IP of the victim are among the things people are most concerned with, and using IP-hiding facilities has become increasingly popular. However, are these so-called totally anonymous IP-hiding services or software truly and perfectly anonymous? There is only one answer: they are nowhere near totally anonymous, as already demonstrated earlier.

Till now, with both the -a and the -n arguments, the connections displayed were not filtered by protocol. If you want to see only the connections belonging to one protocol, say UDP, you use the -p argument. The general format of the Netstat command with the -p argument is:

netstat -p xxx

where xxx is either tcp or udp. The usage of this argument will become clearer with the following example, which shows how to view only TCP connections:

C:\>netstat -p tcp

Active Connections

  Proto  Local Address    Foreign Address            State
  TCP    ankit:1031       dwarf.box.sk:ftp           ESTABLISHED
  TCP    ankit:1043       banners.egroups.com:80     FIN_WAIT_2
  TCP    ankit:1069       mail2.mtnl.net.in:pop3     TIME_WAIT
  TCP    ankit:1078       mail2.mtnl.net.in:pop3     TIME_WAIT
  TCP    ankit:1080       mail2.mtnl.net.in:pop3     TIME_WAIT
  TCP    ankit:1081       www.burstnet.com:80        FIN_WAIT_2
  TCP    ankit:1083       zztop.boxnetwork.net:80    TIME_WAIT

This is basically nothing but a variation of the -a and -n commands. Let us move on to the remaining arguments of netstat.

We now come to the -e option. Let us see what DOS returns when this command is given:

C:\>netstat -e

Interface Statistics

                        Received      Sent
Bytes                   135121        123418
Unicast packets         419           476
Non-unicast packets     40            40
Discards                0             0
Errors                  0             0
Unknown protocols       0

Sometimes the number of data packets sent and received is not shown properly by faulty or incompatible modems; in such cases this command comes in handy. The output it returns is quite self-explanatory. It can also be used to check for faulty downloads or errors that might have occurred during the TCP/IP transfer: look at the Discards and Errors rows.

With this we come to the last argument associated with Netstat, the -r argument. It is not commonly used and is a bit difficult to understand, so I will simply give an example of it in this manual. For a proper and detailed explanation, read the section titled Routing Principles Explained. Hacking using routing tables is considered very elite and not many people are comfortable with it; however, like all things associated with computers, it is not as difficult as it is made out to be.

C:\windows>netstat -r

Route Table

Active Routes:

  Network Address    Netmask            Gateway Address    Interface          Metric
  0.0.0.0            0.0.0.0            203.94.251.161     203.94.251.161     1
  127.0.0.0          255.0.0.0          127.0.0.1          127.0.0.1          1
  203.94.251.0       255.255.255.0      203.94.251.161     203.94.251.161     1
  203.94.251.161     255.255.255.255    127.0.0.1          127.0.0.1          1
  203.94.251.255     255.255.255.255    203.94.251.161     203.94.251.161     1
  224.0.0.0          224.0.0.0          203.94.251.161     203.94.251.161     1
  255.255.255.255    255.255.255.255    203.94.251.161     203.94.251.161     1

Active Connections

  Proto  Local Address    Foreign Address            State
  TCP    ankit:1031       dwarf.box.sk:ftp           ESTABLISHED
  TCP    ankit:1043       banners.egroups.com:80     FIN_WAIT_2
  TCP    ankit:1081       www.burstnet.com:80        FIN_WAIT_2
  TCP    ankit:1093       zztop.boxnetwork.net:80    TIME_WAIT
  TCP    ankit:1094       zztop.boxnetwork.net:80    TIME_WAIT
  TCP    ankit:1095       mail2.mtnl.net.in:pop3     TIME_WAIT
  TCP    ankit:1096       zztop.boxnetwork.net:80    TIME_WAIT
  TCP    ankit:1097       zztop.boxnetwork.net:80    TIME_WAIT
  TCP    ankit:1098       colo88.acedsl.com:80       ESTABLISHED
  TCP    ankit:1099       mail2.mtnl.net.in:pop3     TIME_WAIT

Each route line reads: packets for the network given by Network Address and Netmask are sent to Gateway Address through Interface. The 0.0.0.0 line is the default route (everything not matched by another line goes out over the dial-up link), 127.0.0.0 is the loopback network, 203.94.251.0 is the network the link belongs to, and the 224.0.0.0 line covers multicast. Note that on Windows netstat -r also appends the Active Connections list after the route table.

Closing Open Holes


With the spread of hackers and hacking incidents, the time has come when not only the system administrators of big companies' servers, but also people who connect to the Internet by dialling up to their ISP, have to worry about securing their systems. It does not make much difference whether you have a static IP or a dynamic one: if your system is connected to the Internet, there is every chance of it being attacked. This section discusses methods of system security analysis and sheds light on how to secure your standalone system (or a system connected to a LAN).

Open Ports: A Threat to Security?

In the Netstat section we discussed how the netstat -a command shows the list of open ports on your system. That section raises a number of questions in people's minds: If netstat -a shows open ports on my system, does this mean that anyone can connect to them? How can I close these open ports? How do I know whether an open port is a threat to my system's security or not? The answers become clear once you understand that port numbers are divided into three ranges.

The Well Known Port Numbers

The Well Known Ports are those from 0 through 1023. This range of ports is bound to the services running on them; that is, each port usually has a specific service running on it. There is an internationally accepted assignment of port numbers to services (refer to RFC 1700, Assigned Numbers) which specifies on what port number a particular service runs. For example, by default FTP runs on port 21, so if you find that port 21 is open on a particular system, it usually means that the system uses FTP to transfer files. However, note that some smart system administrators deliberately run fake services on popular ports to fool lamers. For example, a system might be running a fake FTP daemon on port 21: you get the same interface as a real FTP daemon (banner, response codes etc.), but it is actually software logging your presence and sometimes even tracing you!

The Registered Port Numbers

The Registered Ports are those from 1024 through 49151. This range of port numbers is not bound to any specific service. Networking utilities like your browser, email client or FTP software open a port within this range and use it as the local end of their communication with the remote server. A port in this range is the reason you are able to surf the net or check your email. If netstat -a shows a number of ports in this range open, you should probably not worry: they are opened temporarily by your applications to do what you want them to do, they act as the endpoint through which received packets reach the application (and vice versa), and they close again when you close the application. For example, when you type www.hotmail.com into your browser, the browser picks a free registered port and uses it to communicate with the various remote servers involved.

The Dynamic/Private Port Numbers

The Dynamic and/or Private Ports are those from 49152 through 65535. This range is rarely used by ordinary services and is mostly used by Trojans, although some applications do use such high port numbers. For example, Sun starts its RPC ports at 32768.

This brings us to what to do if Netstat shows a couple of open ports on your system:

1. Check the Trojan list available at the end of this book and see whether an open port number matches one of the popular ones. If it does, get a Trojan remover and remove the Trojan.
2. If it does not, or if the Trojan remover says "No Trojan found", check whether the open port lies in the registered ports range. If it does, and it disappears when you close your network applications, you have nothing to worry about.

***********************
HACKING TRUTH: A common technique employed by a number of system administrators is remapping ports. For example, the default port for HTTP is 80; however, the system administrator could remap it to port 8080. In that case, the homepage hosted at that server would be at http://domain.com:8080 instead of http://domain.com:80.

The idea behind port remapping is that instead of running a service on a well-known port, where it can easily be found and exploited, it is run on a less well-known port, so that the hacker finds it harder to locate the service: he would have to port scan a high range of port numbers to discover the remapping. The ports used for remapping are usually easy to remember, chosen with the default port of the service in mind. For example, POP by default runs on port 110; if you were to remap it, you might choose 1010, 11000 or 1111. Some system administrators like to choose port numbers like 1234, 2345, 3456, 4567 and so on. Remapping hides a service only from a lazy scan; a scan of the full port range that reads the banner on each open port finds it again.

Yet another reason port remapping is done is that on a Unix system, to be able to listen on a port under 1024 you must have root privileges.
************************

Firewalls

The use of firewalls is no longer confined to servers, websites or commercial companies. Even if you simply dial up to your ISP or use PPP (Point to Point Protocol) to surf the net, you cannot do without a firewall.

So what exactly is a firewall? In non-geek language, a firewall is basically a shield which protects your system from the untrusted, unreliable systems connected to the Internet. It is a utility which watches all ports on your system for attempts to open a connection and, when it detects such an attempt, reacts according to a predefined set of rules. So basically a firewall is something that protects the network (or system) from the Internet. The name is derived from the firewall used in vehicles: a barrier of fire-resistant material that protects the passengers in case of fire.

For a more 'according to the bible' definition: a firewall is best described as a software or hardware (or combined hardware and software) packet filter that allows only selected packets to pass from the Internet to your private internal network. A firewall is a system, or a group of systems, which guards a trusted network (the internal private network) from an untrusted network (the Internet).

NOTE: This is a very brief description of what a firewall is. I will not go into the details of their working in this chapter.

The term firewall (which generally referred to products companies bought for commercial purposes) has evolved into a new term, 'personal firewall'. This term refers to a firewall installed on a standalone system, which may or may not be networked and usually just connects to an ISP; in other words, a personal firewall is a firewall for personal use. Now that you have a basic description of what a firewall is, let us move on to why exactly you need to install one, or, how does not installing a firewall pose a threat to the security of your system? You see, when you are connected to the Internet, millions of other untrusted systems are connected to it as well.
If somehow someone found out your IP address, they could probe your system for weaknesses: exploit any vulnerability existing on it, damage your data, and even use your system to hack into other computers. Finding out someone's IP address is not very difficult. Anybody can find out your IP through various chat services, instant messengers (ICQ, MSN, AOL etc.), through a common ISP and in numerous other ways.

In fact, finding out the IP address of a specific person is not always the priority of some hackers. A number of scripts and utilities are available which scan all IP addresses within a given range for predefined common vulnerabilities, for example systems with file sharing enabled or systems running an OS vulnerable to the Ping of Death attack. As soon as a vulnerable system is found, they use its IP to carry out the attacks. The most common scanners look for systems with RATs (Remote Administration Tools) installed: they send a packet to the common Trojan ports and report whether the victim's system has that Trojan installed or not. The range of IP addresses these programs accept is quite wide, and one can easily find a vulnerable system in a matter of minutes or even seconds.

Trojan horses like Back Orifice provide remote access to your system and can set up a password sniffer. The combination of a back door and a sniffer is a dangerous one: the back door provides future remote access, while the sniffer may reveal important information about you, such as your other passwords, bank details, credit card numbers, social security number etc.

If your home system is connected to a LAN and the attacker manages to install a back door on it, then you have probably given the attacker the same level of access to your internal network as you have. You have also created a back door into your network that bypasses any firewall guarding the front door.

You may argue that, since you use a dial-up link to your ISP via PPP, the attacker would be able to access your machine only when you are online. Well, that is true, but not completely true. Yes, a dynamic Internet Protocol address does make it harder for the attacker to get back into your system after you reconnect. But this is only a faint hope of protection: routine scanning of the IP range in which your address lies will, more often than not, reveal your current dynamic IP, and the back door will again provide access to your system.

*******************
HACKING TRUTH: Microsoft says: War Dialer programs automatically scan for modems by trying every phone number within an exchange. If the modem can only be used for dial-out connections, a War Dialer won't discover it. However, PPP changes the equation, as it provides bi-directional transport making any connected system visible to scanners and attackers.
*******************

So how do I protect myself from such scans and unsolicited attacks? This is where personal firewalls come in. Just as their name suggests, they protect you from unsolicited connection probes, scans and attacks. They watch all ports for connection requests received (from both legitimate and fake hosts) and sent (by applications like your browser or email client). As soon as such an instance is recorded, a warning pops up asking whether to allow the connection to be initiated or not. This warning also contains the IP which is trying to initiate the connection and the port number to which it is trying to connect, i.e. the port to which the packet was sent. A personal firewall also protects your system from port scans, DOS attacks, vulnerability attacks etc. So basically it acts as a shield or buffer which does not allow your system to communicate with untrusted systems directly. Most personal firewalls have extensive logging facilities, which allow you to track down attackers.

Some popular firewalls are:

1. BlackICE Defender: an IDS for PCs. Available at http://www.networkice.com.
2. ZoneAlarm: the easiest firewall to set up and manage. Get it for free at www.zonelabs.com.

Once you have installed a firewall on your system, you will often get a number of warnings which seem to indicate that someone is trying to break into your system. Many of them are actually bogus, caused either by your OS itself or by the process of allocating dynamic IPs. For a detailed description of these two, read on.

Many people complain that as soon as they dial in to their ISP, their firewall says that such and such IP is probing port X. What causes this? It is quite common: somebody hung up just before you dialled in and your ISP assigned you the same IP address, so you are now seeing the remains of that person's communication. This is most common when the previous holder of the IP was using ICQ or chat programs, was connected to a game server, or simply turned off his modem before his communication with remote servers was complete.

You might even get a message like: such and such IP is trying to initiate a NetBIOS session on port X. This again is extremely common. The following is an explanation of why it happens, which I picked up a couple of days ago:

NetBIOS requests to UDP port 137 are the most common item you will see in your firewall reject logs. This comes about from a feature in Microsoft's Windows: when a program resolves an IP address into a name, it may send a NetBIOS query to the IP address. This is part of the background radiation of the Internet, and is nothing to be concerned about.

What causes them? On virtually all systems (UNIX, Macintosh, Windows), programs call the function 'gethostbyaddr()' with the desired address. This function will then do the appropriate lookup, and return the name. This function is part of the sockets API. The key thing to remember about gethostbyaddr() is that it is virtual. It doesn't specify how it resolves an address into a name. In practice, it will use all available mechanisms.
If we look at UNIX, Windows, and Macintosh systems, we see the following techniques:

  - DNS in-addr.arpa PTR queries sent to the DNS server
  - NetBIOS NodeStatus queries sent to the IP address
  - lookups in the /etc/hosts file
  - AppleTalk over IP name query sent to the IP address
  - RPC query sent to the UNIX NIS server
  - NetBIOS lookup sent to the WINS server

Windows systems do the /etc/hosts, DNS, WINS, and NodeStatus techniques. In more excruciating detail, Microsoft has a generic system component called a naming service. All the protocol stacks in the system (NetBIOS, TCP/IP, Novell IPX, AppleTalk, Banyan, etc.) register the kinds of name resolutions they can perform. Some RPC products will likewise register an NIS naming service. When a program requests to resolve an address, this address gets passed on to the generic naming service. Windows will try each registered name resolution subsystem sequentially until it gets an answer. The order in which it performs these resolution steps for IP addresses can be configured under the Windows registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider.

Breaking Through Firewalls

Although firewalls are meant to provide complete protection from port scan probes etc., there are several holes in popular firewalls waiting to be exploited. Here I will discuss a hole in ZoneAlarm versions 2.0.26 through 2.1.10 which allows an attacker to port scan the target system, although the firewall should normally stop such scans. If one uses port 67 (the BOOTP/DHCP server port) as the source port of a TCP or UDP scan, ZoneAlarm lets the packets through and does not notify the user. This means that one can TCP or UDP port scan a ZoneAlarm-protected computer as if there were no firewall there at all, IF one uses port 67 as the source port of the packets.

Exploit:

UDP scan: use Nmap to port scan the host with the following command line (note the -g67, which specifies the source port):

nmap -g67 -P0 -p130-140 -sU 192.168.128.88

TCP scan: use Nmap to port scan the host with the following command line (again, -g67 specifies the source port):

nmap -g67 -P0 -p130-140 -sS 192.168.128.88

Both scans need raw-socket privileges (root, or Administrator on Windows), since -sU and -sS build their own packets and -g sets the source port on them. Newer Nmap releases spell the "skip host discovery" option -Pn instead of -P0, though the old spelling is still accepted. A quick check for the hole: run the same scan without -g67 and compare; where the hole is present, only the -g67 scan reports port states and the firewall records no alert.
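The UDP/137 traffic that the quoted explanation above calls background radiation has a fixed shape, and recognising it is what separates ignoring a NodeStatus query from ignoring a real probe. The following Python is an added example, not taken from this book or from Windows: it builds the wildcard NodeStatus request that Windows sends when gethostbyaddr() falls through to NetBIOS (RFC 1001/1002 first-level name encoding, query type NBSTAT = 0x21), and decodes a captured UDP/137 payload so that someone reviewing firewall reject logs can tell a NodeStatus query from an ordinary NetBIOS name query or from something else entirely. The transaction IDs, the WORKGROUP<1B> query and the triage wording are constructed for the example.

```python
"""Build and decode NetBIOS Name Service (UDP/137) queries.

Added example for reviewing "UDP 137 probe" firewall entries; it is not
Windows code and not part of the book. Wire format per RFC 1002.
"""
import struct

NBNS_PORT = 137
NB = 0x0020       # ordinary NetBIOS name query
NBSTAT = 0x0021   # node status request (the gethostbyaddr() fallback)


def encode_netbios_name(name, suffix=0x00, pad=b" "):
    """First-level encoding (RFC 1001 s.14.1): 15-byte name + 1 suffix byte,
    each byte split into two nibbles and written as the letters 'A'..'P'."""
    raw = name.encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = raw + pad * (15 - len(raw)) + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def build_query(trn_id, name, suffix, qtype, pad=b" "):
    """One-question NBNS query: 12-byte header, 32-char encoded name, type, class IN."""
    header = struct.pack(">HHHHHH", trn_id, 0x0000, 1, 0, 0, 0)
    qname = bytes([32]) + encode_netbios_name(name, suffix, pad) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 0x0001)


def build_node_status_query(trn_id=0x0001):
    """The packet behind the 'UDP 137' log line: a wildcard '*' NBSTAT query.
    The wildcard name is NUL-padded, not space-padded, so it encodes as 'CK' + 30 x 'A'."""
    return build_query(trn_id, "*", 0x00, NBSTAT, pad=b"\x00")


def decode_query(payload):
    """Decode one NBNS query; None if the payload is not a single-question query."""
    if len(payload) < 12:
        return None
    trn_id, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", payload[:12])
    if qd != 1 or (flags >> 11) & 0xF != 0:      # opcode must be QUERY
        return None
    pos = 12
    length = payload[pos]
    pos += 1
    if length != 32 or len(payload) < pos + 32:
        return None
    enc = payload[pos:pos + 32]
    pos += 32
    if any(c < 0x41 or c > 0x50 for c in enc):   # only 'A'..'P' are valid
        return None
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    while pos < len(payload) and payload[pos] != 0:   # skip any scope labels
        pos += 1 + payload[pos]
    pos += 1
    if len(payload) < pos + 4:
        return None
    qtype, qclass = struct.unpack(">HH", payload[pos:pos + 4])
    return {
        "trn_id": trn_id,
        "name": raw[:15].rstrip(b" \x00").decode("ascii", "replace"),
        "suffix": raw[15],
        "qtype": qtype,
        "qclass": qclass,
        "is_node_status": qtype == NBSTAT and qclass == 0x0001,
    }


def triage_udp137(payload):
    """Classify one captured UDP/137 payload for firewall log review (constructed wording)."""
    q = decode_query(payload)
    if q is None:
        return "not an NBNS query: look closer"
    if q["is_node_status"] and q["name"] == "*":
        return "NetBIOS wildcard NodeStatus query (reverse-lookup noise)"
    if q["qtype"] == NB:
        return "NetBIOS name query for %s<%02X>" % (q["name"], q["suffix"])
    return "NBNS query type 0x%04X" % q["qtype"]


if __name__ == "__main__":
    pkt = build_node_status_query(0x1234)
    print(len(pkt), "bytes:", pkt.hex())
    print(triage_udp137(pkt))
    print(triage_udp137(build_query(7, "WORKGROUP", 0x1B, NB)))   # constructed
```

The 50-byte packet that build_node_status_query() produces is the whole of what a firewall sees arriving on UDP 137 from a host that just tried to reverse-resolve your address. The decoder deliberately refuses anything that is not a one-question query with a valid 32-character name, so a payload that does not decode is the entry worth looking at, while a wildcard NBSTAT query to a dial-up host is the noise the quoted text describes.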

Proxy Servers Torn Apart


In earlier sections we learnt that an attacker can get the target system's IP address using various techniques. Although each of these techniques can be countered with its own countermeasure, the one solution common to all of them, and the most comprehensive, is to connect to the Internet, chat server or mail server in question through a proxy server.

A proxy server basically acts as a shield which protects the identity of your system from the wilderness of the Internet. It acts as your own personal secretary and as a buffer between you and the host to which you are connected. The reason proxy servers are able to protect your true identity from an attacker can be summarised as follows: a proxy server removes the need for your system to send messages directly to, or receive them directly from, the remote host. When your system wants to send a message to the remote host, it actually sends the message to the proxy server, which passes it on to the remote host. When the remote host wants to send a message to your system, it actually sends it to the proxy server, which passes it on to your system. During this entire time your system is never in direct contact with the remote host; in other words, a proxy server removes the need for your system to establish a proper three-way-handshake TCP connection with the remote host. Thus, when you connect to the remote host through a proxy server, the following two connections are established:

1. Your system establishes a full, proper connection with the proxy server.
2. The proxy server in turn establishes a connection with the remote host you want to reach, depending on the commands you send to the proxy server.

This means that, since your system is connected only to the proxy server and not to the remote host, your identity is protected from the remote host. Whoever runs the system where the proxy server is installed, however, can easily find out your identity, since the proxy sees your real address. Thus, when you connect to a remote host via a proxy server, your identity is hidden from the remote host only, and all communication between your system and the remote host is conducted indirectly, via the proxy server. The scenario can be depicted as follows:

Your system ----------- Proxy Server --------- Remote Host
Remote Host ----------- Proxy Server --------- Your system

Since there is never direct communication between your system and the remote host, the remote host is not able to deduce your identity; the proxy server to which you are connected knows your identity, and the remote host knows the identity of the proxy server. Connecting through proxy servers can be used to keep your IP address out of malicious hands whether you are on ICQ, IRC or instant messaging software, surfing web pages, sending email etc. Some popular proxy servers are Squid (for Linux users), Wingate, Winproxy, Microsoft Proxy Server etc.

Fadia's Hot Picks for Proxy Servers

1. Utility Name: Squid
   Features: A great proxy server for Linux platforms. (My personal favourite.)
   Download URL: It comes along with various popular Linux distributions.

2. Utility Name: Wingate
   Features: It acts almost as the Windows equivalent of Squid.
   Download URL:

Wingates Torn Apart Although Wingates are most commonly used to share a single Internet connection amongst more than a single system, they are essentially nothing but, proxy servers. Wingates run on the Windows platform and are probably the most popular proxy servers, for the Windows operating system. They allow for several systems to establish connections with each other, making use of the telnet daemon or Port 23 and thus act as a Proxy server. This feature of Wingate, allows it to be used to hide the identity of the client, connected to the remote host, via it. Wingates once installed on a Windows machine, install three daemons on the following three ports: Port Number 23 1080 6667 Service Telnet Proxy Server SOCKS Server IRC Server

Thus, a system with Wingate installed on it would likely have the above ports open on it. These open ports do not behave like normal ports; instead, they allow absolutely everyone on the Internet to connect to them and use them as a proxy to connect to a third server. On top of this, in most cases, by default, these daemons do not even ask for a password from the user who tries to connect to them and use them. Thus, this shows how absolutely anyone can easily use a proxy server to hide his real identity from the target system. Once an open Wingate is found, the next part is relatively easy.

Locating open Wingates

1. The easiest method of locating open Wingates is to use a Wingate Scanner. Some common examples of Wingate scanners are Wingate.zip, wgatescan etc.
2. Another method that one can employ is to use a Port Scanner and look for systems with port 1080 open. A system with port 1080 open essentially means a system with the SOCKS server installed.

Using Open Wingates to hide one's identity

As discussed earlier, we know that a system with Wingate installed has three ports open. Each of these ports can be exploited by absolutely anyone on the Internet in one way or the other.

The Telnet Proxy Server (Port 23)

The Telnet Proxy Server by default runs on Port 23 and accepts connections without even bothering to ask the connection initiator for any password. This daemon can be misused in the bounce attack to hide one's identity from the target system. To perform the Bounce Attack one has to simply follow the below steps:

1. Use telnet to connect to Port 23 of the system where the Wingate is installed.
2. Once you are successfully connected to the Telnet proxy server by following Step 1, you will be greeted by the Wingate's command prompt, which is somewhat as follows:

Wingate>

3. At this prompt one can easily use normal telnet commands to connect to the target system. This is demonstrated by the following:

Wingate>telnet target_system 23

Once you have followed the above, your identity is protected from the target system, as your system has not established any connection with it; instead, it has asked the system running the Wingate proxy server to connect to the target system and has thus established an indirect connection with the target system. The following depicts the connections established:

NOTE: Your system is A, the Wingate server is P and the target system is T

1. A -------------------- Establishes connection with --------------------- P

Your identity is not a secret to the proxy server P, as you have established a direct connection with it. This means that the log files on the system P will reveal your identity.

2. A ------------------- Asks P to establish an indirect, proxy connection with T ----------- P

In this step, at the Wingate prompt, A types the telnet command, asking P to establish a connection with T.

3. P ----------------- Establishes connection with -------------------------- T

In this step the proxy server connects to the target system (T). This means that the identity of the proxy server is not a secret to the target system. Thus, in the log files of the target system, the identity of the proxy server, P, would be mentioned. This means that your identity is hidden from T. However, since P's identity is not hidden from T and your identity is not hidden from P, if the system administrator at T checks the log files at P, then he could probably trace you.

One precaution that one could take, to make the job of tracing you tougher for the system administrator of the target system, is to bounce off a large number of proxy servers before eventually connecting to the target system. Not all Wingates maintain log files, and bouncing off numerous systems increases your chances of bouncing off a system which does not maintain any log files. Also, it makes the job of the system administrator of the target system tougher. The following will make you understand how one can bounce off more than a single proxy server. (In this example, we bounce off three proxy servers running Wingate, which are proxy1.net, proxy2.net and proxy3.net, and finally, after bouncing off these three servers, we connect to the target system.)

Step 1:
C:\windows>telnet proxy1.net 23
Connecting to proxy1.net
Wingate1>

Step 2:
Wingate1>telnet proxy2.net 23
Connecting to proxy2.net
Wingate2>

Step 3:
Wingate2>telnet proxy3.net 23
Connecting to proxy3.net
Wingate3>

Step 4:
Wingate3>telnet target.net 23
Connecting to target.net
target.net>

The SOCKS Server (Port 1080)

The SOCKS server by default runs on Port 1080 and allows anyone on the Internet to establish a connection with it, without even asking for a password. Like the Telnet Proxy Server (Port 23), it too allows for the bouncing technique, using which an attacker can hide his identity from the actual target system.

The IRC Server (Port 6667)

It allows you to bounce to a Proxy Server and runs on Port 6667.

Countermeasures against Bouncing off Wingates

1. One should disable access to all three daemons from outside the local system, by changing the settings in the Properties option.
2. One could also easily disable those individual services that are not needed.
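How the log trail described above is followed from the defender's side, as an added example that is not part of the original manual: starting from the target's own log entry, it walks back through each proxy's log to the originating client, and it stops (returning no origin) at the first proxy in the chain that kept no logs, which is exactly why the manual says that bouncing through several Wingates makes tracing harder. The hostnames proxy1.net, proxy2.net, proxy3.net and target.net are the manual's own placeholders; the log entries, the IP addresses and the simplified log layout are constructed assumptions, not Wingate's real log format.

```python
from datetime import datetime, timedelta

# Constructed, simplified log format (an assumption, not Wingate's real log layout):
# host -> list of (timestamp, client_ip, requested_destination_host, destination_port).
# A proxy records who connected to it and where it was asked to connect on their behalf;
# the target only records who connected to it (no onward destination).
LOGS = {
    "target.net": [
        ("2001-03-04 10:15:07", "10.3.0.3", None, 23),             # source is proxy3.net
    ],
    "proxy3.net": [
        ("2001-03-04 09:00:00", "192.0.2.77", "example.org", 80),  # unrelated session
        ("2001-03-04 10:14:58", "10.2.0.2", "target.net", 23),     # relayed for proxy2.net
    ],
    "proxy2.net": [
        ("2001-03-04 10:14:50", "10.1.0.1", "proxy3.net", 23),     # relayed for proxy1.net
    ],
    "proxy1.net": [
        ("2001-03-04 10:14:41", "192.0.2.10", "proxy2.net", 23),   # the real client, A
    ],
}

# Which addresses are known proxies (constructed); anything else is treated as an end host.
PROXY_BY_IP = {"10.3.0.3": "proxy3.net", "10.2.0.2": "proxy2.net", "10.1.0.1": "proxy1.net"}

# A relay must have been requested at most this long before the downstream host saw it.
WINDOW = timedelta(seconds=60)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_upstream(logs, proxy, dest_host, dest_port, seen_at):
    """Find, in the proxy's log, the client that asked it to reach dest_host:dest_port
    shortly before `seen_at`. Returns (timestamp, client_ip), or None when the proxy
    kept no log at all or no entry matches."""
    entries = logs.get(proxy)
    if entries is None:
        return None                      # no log file: the trail goes cold here
    candidates = [
        (parse_ts(ts), client)
        for ts, client, dst, port in entries
        if dst == dest_host and port == dest_port
        and seen_at - WINDOW <= parse_ts(ts) <= seen_at
    ]
    return max(candidates) if candidates else None   # latest matching request


def trace_origin(target, ts, src_ip, port, logs=LOGS):
    """Walk back from the target's log entry (ts, src_ip, port) through every proxy
    in the chain. Returns (origin_ip, hops); origin_ip is None when a proxy without
    usable logs breaks the chain, and hops lists how far the trace got."""
    hops = [target]
    seen_at, ip = parse_ts(ts), src_ip
    while ip in PROXY_BY_IP:             # the source is itself a proxy: keep walking back
        proxy = PROXY_BY_IP[ip]
        hops.append(proxy)
        match = find_upstream(logs, proxy, hops[-2], port, seen_at)
        if match is None:
            return None, hops
        seen_at, ip = match
    return ip, hops


if __name__ == "__main__":
    origin, path = trace_origin("target.net", "2001-03-04 10:15:07", "10.3.0.3", 23)
    print("origin:", origin, "via", " <- ".join(path))
    # Same chain, but proxy2.net keeps no logs: the trace stops there.
    partial = {k: v for k, v in LOGS.items() if k != "proxy2.net"}
    print(trace_origin("target.net", "2001-03-04 10:15:07", "10.3.0.3", 23, partial))
```

The time window matters: a busy proxy has many entries, so the administrator matches on destination, port and a timestamp just before the downstream host saw the connection, and takes the latest such request.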

Transparent Proxies with Squid

With the uncontrollable growth in the number of Hackers, not only do system administrators of servers have to worry about the security of their systems, but even if you are running a standalone PPP Linux box, you simply cannot afford to ignore your system's security. If your system is the main server which communicates with the external un-trusted network called the Internet, or even if you simply use your Linux box to connect to your ISP and surf the net through PPP, then you should definitely think about installing a firewall on your system. The preferable and best option in this case would be to install a commercial firewall. However, this option is not always possible and is more often than not unnecessary. Buying, installing and configuring a good commercial firewall is not only expensive, but most beginners find it pretty formidable. A better and cheaper option is to make use of something known as 'ipchains'. Since the release of Kernel 2.2, various new utilities and features have been added to it. Amongst these improvements there is a kewl new feature called 'ipchains', which is primarily used for configuring the firewall rules and other such related details.

*************************
HACKING TRUTH: The usage of ipchains is very much similar to that of ipfwadm. For more information (like help on setting rules) refer to the following wrapper script: /sbin/ipfwadm_wrapper
**************************

In this section, we will learn how to use ipchains to configure a transparent proxy on your Linux box. Before we move on, we must understand what exactly we mean by a transparent proxy server. Transparent proxies are completely different from normal proxies; however, their workings are basically the same. A transparent proxy acts as a mechanism which fools the client (i.e. the systems who connect to your system, where the transparent proxy is configured to run) into believing that they are directly connected to the web server (and not indirectly, via a proxy). A transparent proxy works in the following manner:

1. It listens on a specific port (for example, the HTTP port i.e. 80) for any connections.
2. As soon as it gets a request for a connection (in this case a HTTP request for a file), it redirects the user, i.e. it redirects the connection to another port on the same machine. This new port, to which the connection is transferred, is actually running a Proxy.

This, in effect, means that the client, i.e. the user who connects to the server where the transparent proxy is installed, assumes that it is directly connected to the HTTP daemon and is communicating with it. However, the truth of the matter is that all communication is being carried out via the proxy running on the server. All this would be clearer when you see the below picture of what happens:

Client --------> Server (Port 80 or HTTP)

Following the rules of ipchains, the client gets transferred to the port where the proxy server has been installed. Once this happens, the communication takes place in the following manner:

Client --------> Server (Port of Proxy) --------> Server (Port 80 or HTTP)

This means that the connection to the HTTP daemon or Port 80 is indirect: it first passes through the Proxy server running on a particular port and then reaches the daemon. However, the client has absolutely no or very little idea about this. Before one gets down to the actual process of configuring one's Linux box, one needs to check whether this is possible on that particular system or not. To check this, one has to simply check for the existence of the following file:

/proc/net/ip_fwchains

Almost all systems would have this file; if, on the other hand, your system does not have this particular file, then it probably means that you will have to recompile your Kernel.

Configuring Squid

In this section, we learn to configure Squid by using an example configuration requirement, which in this case is to transfer all connections received at Port 80 to Port 8080. Please note that Port 8080 is the default port on which Squid runs. Also, for this example, we could have used any other proxy instead of Squid; however, Squid is the most common and popular one. In order to transfer all connections from Port 80 to Port 8080, add the following lines to your startup script, so that they are executed each time you boot up.

NOTE: The server IP is xxx.xx.xx.xx

ipchains -A input -p TCP -d 127.0.0.1/32 www -j ACCEPT
ipchains -A input -p TCP -d xxx.xx.xx.xx/32 www -j ACCEPT
ipchains -A input -p TCP -d 0/0 www -j REDIRECT 8080

NOTE: If you are using ipfwadm, then add the following lines to the startup script:

ipfwadm -I -a a -P tcp -S any/0 -D 127.0.0.1
ipfwadm -I -a a -P tcp -S any/0 -D xxx.xx.xx.xx
ipfwadm -I -a a -P tcp -S any/0 -D any/0 80 -r 8080

Once this is done, then comes the time to configure Squid. Please note that you need at least Squid 2.x to be able to make use of Transparent Proxies. To configure Squid, edit the /etc/squid/squid.conf file and make the following changes to it:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Once this is done, then in order to enforce the new settings, you need to restart Squid:

/etc/rc.d/init.d/squid.init restart

The above was a very basic example of configuring Squid to run a transparent proxy. Squid can be configured and run for a variety of other stuff. For more details on it all, read the documentation pages.

Getting Geographical Information using an IP Address

Getting the Internet Protocol or the IP Address of a remote system is said to be the most important step in hacking a system. Sometimes, however, we get an IP in order to get more information on someone or some host. But how can an IP Address be used to get more information on the location etc. of a system? This section aims at throwing light on just these topics and more.

The structure of an IP address (actually the entire TCP/IP protocol) is designed in such a manner that there is simply no way that one can tell which country a given IP Address belongs to. An IP Address is made up of four fields, each consisting of eight bits. However, none of these four fields stands for the country to which the given IP Address belongs. What this means is that there is no mechanism whereby a particular field of an IP Address represents the country in which the system having that IP Address resides. Thus, one can safely conclude that all myths like "The second or the third field of an IP stands for the country in which the system using it resides" are definitely false and untrue.

However, tracing the geographical location of an IP Address is definitely possible. In fact, with a bit of luck, an attacker can get a lot of information on the target system if he gets to know just the target system's IP Address. Some of the information that can be deduced, once the IP Address of the target system is known, is as follows:

1. Continent
2. Country
3. City
4. ISP's name
5. Phone Number & Home Address (This requires a lot of luck and expertise.)
6. Office Phone Number and Address (This requires a lot of luck and expertise.)
7. Full Name of the target individual. (This requires a lot of luck and expertise.)

In this section, we discuss some of the methods, which can be employed by attackers to trace the geographical location of a system, by simply knowing its IP Address.

Random Trial and Error Method

Although this method is very cumbersome and inefficient and requires a lot of research and luck, sometimes attackers do indeed find success by following it. Before we actually move on to the Random Trial and Error Method, we need to learn how ISPs are awarded IP Addresses. Every ISP registers at a particular central authority and gets a particular range of IP addresses within which its various customers (people who dial into its servers) can be awarded IP addresses. Most ISPs are given a Class C network address. A Class C network address contains a 24-bit Network Prefix (the first three fields) and an 8-bit Host number (the last field). It is referred to as a "/24" and is commonly used by most ISPs. For example, if say an ISP xyz is given the 203.98.12.xx network address, then you can be awarded any IP whose first three fields are 203.98.12. This means that each ISP has a particular range in which to allocate all its subscribers, and every ISP has to limit the allocation of IP Addresses to within this range. Or, in other words, all subscribers or all people connected to the Internet using the same ISP will have their IP Addresses only within this range.

Also, almost all ISPs use dynamic allocation of IP Addresses, where each time a system connects to the Internet, it is allotted a new dynamic IP Address. This means that if a system connects to its ISP and is allotted the IP Address A the first time, then if that particular system disconnects and reconnects to the same ISP, it would be given a new dynamic IP Address. Let us assume this new IP Address to be B. Please note that when you reconnect to the ISP, you could also be allotted the same IP Address as earlier, i.e. A, but that is very rare. What one needs to remember is the fact that when you reconnect to the same ISP as earlier, you are allotted a vacant IP Address within a fixed range (that is, the range of IP Addresses allotted to your ISP). Although A and B are two different IP Addresses, since they belong to the same ISP, they must also be within the same range of IP Addresses (which has been allotted to that particular ISP). Thus, this means that as long as you use the same ISP to connect to the Internet, the IP Address that your system is allotted remains within the same range of addresses. In other words, your IP Address has the same first three fields (we are assuming that the ISP belongs to a Class C network) as long as you are connecting to the same ISP. For example, if your ISP has been allotted the network address 202.34.12.xx, then your IP Address would always have the first three fields as 202.34.12, while the last field will be the variable field, whose value may or may not change each time you reconnect to the ISP.

This means that if you are lucky enough and if you have the patience, then you could somehow find out the network address allotted to each ISP in your country (by random experiments and assumptions carried out on your friends). Once you have the network address of each ISP, i.e. once you know the range of IP Addresses allotted to each ISP, you can compare these deduced addresses with the target system's IP Address and hence find out the ISP to which the target system belongs. For example, in my country say there are three main ISPs, and I deduce the network addresses that they have been allotted and write them down as below:

ISP Name    Network Address Allotted
ISP I       203.94.47.xx
ISP II      202.92.12.xx
ISP III     203.91.35.xx

If I get to know the IP of an e-pal of mine, and it reads 203.91.35.12, then I can pretty easily figure out that he uses ISP III to connect to the Internet. You might say that any idiot would be able to do this. The answer to this would be both a yes and a no. The above method of finding out the ISP of a person was successful only because we already had the list of ISPs and their allotted network addresses with us. Thus, my point is that the above method can be successful only after a lot of research and experimentation. However, since there are better methods of tracing an IP Address geographically, and since this method is obviously too cumbersome and inefficient to implement, it is almost always avoided. Also, this method would not work if it had to be implemented on a larger scale. What if the IP that you have belongs to someone living in a remote igloo in the North Pole? You could not possibly get the network addresses of all the ISPs in the world, could you?

NOTE: In the above case, you also get to know the city of the system using the given IP, as most ISPs use different network addresses in different cities. Also, some ISPs are operational in a single city.

How to Really Trace an IP Address Geographically?

The Random Trial and Error method described earlier was quite cumbersome and useless. The best methods of tracing an IP Address to its geographical location are the following:

1. Reverse DNS Lookup
2. WHOIS Query
3. Traceroute

Let us now discuss all these methods in detail.

Reverse DNS Lookup

Each time you type the address of your favorite website in the URL box of your browser, a DNS lookup is performed by the browser with the help of Domain Name Servers or DNS servers. A DNS lookup is nothing but the process of converting the human-understandable form of a remote server, i.e. easy-to-remember hostnames like hackingtruths.box.sk, into the machine-understandable and difficult-to-remember IP Addresses. Thus, we can say that a DNS lookup converts a hostname into an IP Address. The advantage of having hostnames is that the user can easily and efficiently use and remember them. Please note that a hostname is nothing but the human-understandable address of a remote server, made up of characters, numbers and decimals. On the other hand, a reverse DNS lookup performs nothing but the reverse of a DNS lookup. What a reverse DNS lookup does is convert a machine-understandable IP Address into its corresponding human-understandable hostname. For example, the conversion of the IP Address 203.45.67.98 into its corresponding hostname mail2.bol.net.in. Thus, to recapitulate, we can say that:

IP Address ------------- Hostname is called Reverse DNS lookup.
Hostname --------------- IP Address is called DNS Lookup.

Nslookup

The popular and wonderful Unix utility nslookup can be used for performing Reverse DNS lookups. Thus, if you are using a *nix box or if you have access to a shell account, then the first thing to do is to locate where the nslookup command is hidden by issuing the following command: 'whereis nslookup'. Once you locate where the utility is hidden, you could easily use it to perform both normal and reverse DNS lookups. If you are using Windows, then you could download a tool named SamSpade from http://www.samspade.org, which has a collection of useful utilities including nslookup. As this is not a section on using the nslookup command, we will only be discussing what is relevant to our topic. For a detailed documentation of nslookup, kindly read the *nix man pages or the documentation pages. We can use nslookup to perform a reverse DNS lookup by mentioning the IP Address of the target host at the prompt. The syntax of the command would be as follows:

$>nslookup IP Address

To better understand the concept of Reverse DNS lookups and nslookup, let us consider an example. Say the target system's IP Address is 203.94.243.71 and one wants to trace its geographical location (without knowing even a bit of anything else about this system) by simply using nslookup; then the following command would do the trick:

$>nslookup 203.94.243.71
203.94.243.71 has valid reverse DNS of mail2.mtnl.net.in

The above nslookup query resolved the supplied IP Address, i.e. 203.94.243.71, into its corresponding hostname, which is mail2.mtnl.net.in. The last part of the hostname returned by the nslookup tool is the part in which we are interested. If you carefully look at the hostname that the Reverse DNS lookup gave us, then you will notice that the last part of the hostname reveals the country in which the system resides. Every country which has the Internet has been assigned a particular unique country code, which is normally added at the end of the hostnames belonging to that country. Adding the country code at the end of the hostname helps in recognizing which country a particular system belongs to. Some countries and their country codes are given below:

Country      Code
Australia    .au
Indonesia    .id
India        .in
Japan        .jp
Israel       .il
Britain      .uk

For a complete list, refer to the country code list at the end of the book. Since every country has its own unique country code, which is attached at the end of only those hostnames which belong to that particular country, we can indeed use the country code attached to the hostname of the target system to deduce which country the target system belongs to.
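The country-code deduction above, as an added Python example that is not part of the original manual: reverse_lookup does the PTR lookup that nslookup does (it needs network access), and country_code pulls the two-letter code off the end of the resulting hostname, returning nothing for generic endings like .com or .net and for a bare IP address, which carries no such suffix. The small code table reuses the entries from this section; the organisation_hint heuristic (the label before a co/net style label), the CATEGORY_LABELS set and the function names are the example's own assumptions.

```python
import ipaddress
import socket

# Country codes listed in this section (the book's full list is at the end).
COUNTRY_CODES = {"au": "Australia", "id": "Indonesia", "in": "India", "jp": "Japan",
                 "il": "Israel", "uk": "Britain", "ph": "Philippines"}

# Second-level labels that classify rather than name the owner (co.uk, net.in, ...);
# an assumed list for the heuristic below.
CATEGORY_LABELS = {"co", "com", "net", "org", "ac", "edu", "gov"}


def is_ip_literal(text):
    """True for a dotted-quad (or IPv6) address rather than a hostname."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def reverse_lookup(ip):
    """PTR lookup, i.e. what `nslookup <ip>` does. Needs network access; returns
    None when the address has no reverse record (the 'does not work always'
    case in the pros and cons)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # socket.herror and socket.gaierror are OSError subclasses
        return None


def labels(hostname):
    return [part for part in hostname.lower().rstrip(".").split(".") if part]


def country_code(hostname):
    """Two-letter country code ending the hostname, or None when the hostname ends
    in a generic domain (.com, .net, ...) or is really an IP address."""
    if not hostname or is_ip_literal(hostname):
        return None
    parts = labels(hostname)
    if not parts:
        return None
    last = parts[-1]
    return last if len(last) == 2 and last.isalpha() else None


def organisation_hint(hostname):
    """Heuristic: the label just before the country code and any category label
    (mtnl in mail2.mtnl.net.in, isp in isp.co.uk). Not reliable, as the manual notes."""
    parts = labels(hostname)
    if country_code(hostname):
        parts = parts[:-1]
    if len(parts) >= 2 and parts[-1] in CATEGORY_LABELS:
        parts = parts[:-1]
    return parts[-1] if parts else None


def describe(hostname):
    """Summarise what a hostname reveals: country (if any) and the probable operator."""
    code = country_code(hostname)
    return {"hostname": hostname, "country_code": code,
            "country": COUNTRY_CODES.get(code) if code else None,
            "organisation": organisation_hint(hostname)}


if __name__ == "__main__":
    for h in ("mail2.mtnl.net.in", "isp.co.uk", "abc.com"):
        print(describe(h))
    # Live use (network required): describe(reverse_lookup("203.94.243.71") or "")
```

Note that an address with no PTR record gives an empty result rather than an error, which is the case the pros and cons list as "does not work always".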

For example, a hostname of isp.co.uk would mean that this particular system resides in the UK. A hostname of isp.au would mean that this particular system resides in Australia. Coming back to our example, we find that nslookup resolved the target IP Address (203.94.243.71) into the hostname mail2.mtnl.net.in. If we look at the last part of this hostname, we find that it is .in. This .in means nothing but the fact that this particular system has been registered with a domain registration service based in India and it most probably resides in India. The .in part signifies that the system is located in India. All countries have been allotted country codes, which more often than not are the last part of the hostnames of all the systems located and registered in that particular country. Sometimes the third or the second field of a hostname specifies the company name to which that particular hostname belongs. In our case, the hostname is mail2.mtnl.net.in, and the second part of the hostname, i.e. MTNL, specifies the company name to which this particular host belongs. However, this is not always the case.

This method of studying the country code at the end of hostnames can also be used to figure out which country a person lives in, if you know his email address. For example, if a person has an email address ending in .ph then he probably lives in the Philippines, and if it ends in .il then he lives in Israel, and so on. Take my own email address as an example. It is ankit@bol.net.in. The last part of the hostname of my email address acts as a tell-tale and gives away the fact that I reside in India.

*****************
HACKING TRUTH: To get the complete list of US State Abbreviation codes, visit: http://www.usps.gov/ncsc/lookups/abbr_state.txt
****************

If you are the one who believes in using only your own code and not being dependent on third-party canned software, then the following Java program is just for you. It demonstrates how to convert an IP Address into its hostname form (the InetAddress class has to be imported from java.net for the line to compile):

----------
import java.net.InetAddress;
String hostname = InetAddress.getByName("Enter IP to be converted here").getHostName();
----------

One has to simply replace the text within the quotes with the IP Address to be converted into its corresponding hostname form.

Pros and Cons
+ Traces IP to Country and Continent
+ Sometimes traces IP to city too, but not always.
+ Easy to Implement
- Does not work always.
- Does not display as much information as other methods

WHOIS Queries

Another method of getting the exact geographical location of a system on the globe is by making use of the WHOIS database. The WHOIS database is nothing but a database maintained by various domain registration companies, containing the listings of all the domains registered at their company or country.

If you supply the WHOIS database with a hostname or IP Address you want to perform a query on, it will return an output displaying all kinds of information on this supplied address (like owner's name, address, phone number, designation, email address, name servers, company name etc.). Thus, a typical WHOIS query is performed in the following manner:

1. Send the hostname or IP Address, or rather the domain name, to the WHOIS daemon.
2. The WHOIS daemon searches the database of registered addresses, looking for a matching address.
3. Once a matching address is found, the daemon displays all kinds of information on the owner of the queried domain name.
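The three steps above as an actual protocol exchange, added here as an example that is not part of the original manual: the client opens a TCP connection to the WHOIS server's port 43, sends the name followed by CRLF, and reads until the server closes the connection; parse_record then pulls the domain, the postal address block, the administrative contact and the nameservers out of a reply laid out like the registry record shown further on in this section. The reply text below is constructed (placeholder organisation, contact and documentation addresses, not a real registration), and whois_query needs network access, so only the query builder and the parser run offline.

```python
import re
import socket

WHOIS_PORT = 43   # the WHOIS service's standard TCP port

# Constructed reply, laid out like the registry record shown in this section.
# Organisation, contact, phone number and addresses are placeholders.
SAMPLE_REPLY = """\
There is 1 match on your request.

Domain Name : EXAMPLE.NET.IN
Example Organisation Ltd.
Example Tower, 1st Floor
New Delhi 110 001

Administrative Contact : A. Person, hostmaster@example.net.in
Ph: 91-11-0000000
Technical Contact : Same As above
Domain Nameservers : ns1.example.net.in. 203.0.113.70
ns2.example.net.in. 203.0.113.71
Record Last Updated :Dec 10, 1998
"""

# "hostname. a.b.c.d" with an optional trailing dot on the hostname
NS_RE = re.compile(r"^(\S+?)\.?\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def build_query(name):
    """Step 1: the whole request is the domain name (or IP) terminated by CRLF."""
    return name.strip().encode("ascii") + b"\r\n"


def whois_query(name, server, port=WHOIS_PORT, timeout=10.0):
    """Steps 1 and 2 over the network: send the query and read the daemon's reply
    until it closes the connection. Needs network access."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(build_query(name))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_record(text):
    """Step 3, on the client side: turn the free-form reply into fields. The address
    block is taken to be the lines between 'Domain Name' and the first contact line."""
    record = {"domain": None, "address": [], "admin_contact": None, "nameservers": []}
    in_address = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Domain Name\s*:\s*(\S+)", line)
        if m:
            record["domain"] = m.group(1).lower()
            in_address = True
            continue
        m = re.match(r"Administrative Contact\s*:\s*(.*)", line)
        if m:
            record["admin_contact"] = m.group(1)
            in_address = False
            continue
        ns = NS_RE.match(re.sub(r"^Domain Nameservers\s*:\s*", "", line))
        if ns:
            record["nameservers"].append((ns.group(1).lower(), ns.group(2)))
            continue
        if in_address:
            record["address"].append(line)
    return record


if __name__ == "__main__":
    print(parse_record(SAMPLE_REPLY))
    # Live use: parse_record(whois_query("abc.com", "<whois server of the registry>"))
```

The address block is what gives the city the section talks about; for a dynamic IP it is the ISP's registered address, not the subscriber's, which is the limitation discussed next.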

This method can be used to get some pretty accurate information on a particular IP or hostname; however, it is probably of no use if you are trying to point out the exact location of a dynamic IP. But, again, this can be used to get at least the city in which the ISP used by the victim is situated. You can carry out WHOIS queries at http://www.allwhois.com, or one could download a utility called SamSpade and use it to perform WHOIS queries. You could also perform a WHOIS enquiry directly from your browser. To do so, simply enter the following in the location bar of your browser:

http://205.177.25.9/cgi-bin/whois?abc.com

NOTE: Replace abc.com with the domain name on which you want to perform a WHOIS query.

Coming back to tracing our example host, whose IP Address is 203.94.243.71 and hostname is mail2.mtnl.net.in: when we perform a WHOIS query on our example host, the following is the response:

###############################################################################
There is 1 match on your request.

Domain Name : BOL.NET.IN
Mahanagar Telephone Nigam Ltd.
Jeevan Bharti Tower-I, 12th Floor
Connaught Circus
New Delhi 110 001

Administrative Contact : Deepak Chanduka, mtnlco@vsnl.net.in
Ph: 91-11-3310735
Technical Contact : Same As above
Domain Nameservers : ns1.mtnl.net.in. 203.94.227.70
ns2.mtnl.net.in. 203.94.243.70
Record Last Updated :Dec 10, 1998

For more information try 'whois help'.
Domain_Name :bol.net.in:
###############################################################################

Voila!!! This goes to prove that a simple WHOIS query can reveal so much information on the target system. However, this method cannot be used to get the contact address of a person if the IP that you use to trace him belongs to his ISP (as a WHOIS query on a dynamic IP would bring up information on the ISP's domain and not the target individual's domain). Thus, for the WHOIS method to be successful in tracing an IP Address to the contact address of a person, the attacker either would need to know the domain name (which is registered in the victim's name) or would have to remain satisfied knowing only the city (and ISP) used by the person. Let us assume that the victim has registered a domain name and the attacker wants to use it to find out the city in which he resides. One thing to remember in this case is that, if the victim has registered the domain name using any of the various free .com registration services like Namezero.com etc., then the domain name would probably be registered in the company's name and not the victim's name. Thus, a WHOIS query will give information on the ISP\Company and not the victim.

*****************
HACKING TRUTH: The WHOIS service by default runs on Port 43 of a system. Try performing a WHOIS query by telnetting to Port 43 and manually typing out the query. I have never tried it, however, it might be fun.
***************

Pros and Cons
+ Gives the most detailed information of the three methods.
- It is inaccurate if the target system has a dynamic IP Address.

Traceroute

Yet another, and probably the second most efficient, method (after Reverse DNS queries) of tracing an IP to its exact geographical location is to carry out a traceroute on it. The traceroute command gives you the names and IP Addresses of all the routers through which a data packet has to pass on its way from the source IP Address to the destination IP Address.
One can perform a traceroute on an IP by simply typing the following at the command line or the shell prompt:

#>tracert IP or Hostname

For a detailed description of the traceroute or tracert command, read the Traceroute Torn Apart section in the Information Gathering chapter. Let us now see what the result is when I do a traceroute on my IP. Remember, I live in New Delhi, which is a city in India. Watch the hostnames closely, as you will find that they reveal the cities through which the packet passes.

C:\windows>tracert 203.94.12.54
Tracing route to 203.94.12.54 over a maximum of 30 hops
 1 abc.netzero.com (232.61.41.251) 2 ms 1 ms 1 ms
 2 xyz.Netzero.com (232.61.41.0) 5 ms 5 ms 5 ms
 3 232.61.41.10 (232.61.41.251) 9 ms 11 ms 13 ms
 4 we21.spectranet.com (196.01.83.12) 535 ms 549 ms 513 ms
 5 isp.net.ny (196.23.0.0) 562 ms 596 ms 600 ms
 6 196.23.0.25 (196.23.0.25) 1195 ms 1204 ms
 7 backbone.isp.ny (198.87.12.11) 1208 ms 1216 ms 1233 ms
 8 asianet.com (202.12.32.10) 1210 ms 1239 ms 1211 ms
 9 south.asinet.com (202.10.10.10) 1069 ms 1087 ms 1122 ms
10 backbone.vsnl.net.in (203.98.46.01) 1064 ms 1109 ms 1061 ms
11 newdelhi-01.backbone.vsnl.net.in (203.102.46.01) 1185 ms 1146 ms 1203 ms
12 newdelhi-00.backbone.vsnl.net.in (203.102.46.02) 1159 ms 1073 ms
13 mtnl.net.in (203.194.56.00) 1052 ms 642 ms 658 ms

The above shows us that the route taken by the data to reach the supplied IP is somewhat like this:

Netzero (ISP from which the data is sent) --- Spectranet (A Backbone Provider) ----- New York ISP --- New York Backbone --- Asia --- South Asia --- India Backbone --- New Delhi Backbone --- Another router in New Delhi Backbone --- New Delhi ISP.

This proves that the traceroute command does indeed reveal my real location, which is New Delhi, India, South Asia.

Coming back to tracing our example host, whose IP Address is 203.94.243.71 and hostname is mail2.mtnl.net.in: when we perform a traceroute on our example host, the following is the response that we receive:

#>traceroute 203.94.243.71
 3 198.172.117.161 3.300 ms DNS error [AS2914] Verio
 4 129.250.29.126 3.152 ms ge-6-2-0.r00.lsanca01.us.bb.verio.net [AS2914] Verio
 5 129.250.5.97 13.512 ms p16-5-0-0.r01.mlpsca01.us.bb.verio.net [AS2914] Verio
 6 129.250.4.93 13.912 ms p16-7-0-0.r00.mlpsca01.us.bb.verio.net [AS2914] Verio
 7 129.250.5.68 14.819 ms p16-4-0-0.r06.plalca01.us.bb.verio.net [AS2914] Verio
 8 208.50.13.97 14.936 ms so0-0-0-622M.br2.PAO2.gblx.net [AS3549] Globalcrossing
 9 207.136.163.125 15.122 ms so6-0-0-2488M.cr2.PAO2.gblx.net [AS3549] Globalcrossing
10 206.132.249.158 88.153 ms pos0-0-622M.cr2.NYC2.gblx.net [AS3549] Globalcrossing
11 208.48.234.214 88.212 ms pos1-0-2488M.br2.NYC2.gblx.net [AS3549] Globalcrossing
12 64.211.60.50 289.938 ms TelecomItaliaMumbi1.so-2-3-0.ar2.NYC2.gblx.net (DNS error) [AS3549] Globalcrossing
13 202.54.2.242 310.829 ms delhi-vsb-stm1.Bbone.vsnl.net.in (DNS error) [AS4755] VSNL
14 203.200.87.1 310.911 ms DNS error [AS4755] VSNL Autonomous System
15 203.200.87.67 310.539 ms DNS error [AS4755] VSNL Autonomous System
16 203.197.221.242 387.30 ms DNS error [AS4755] VSNL Autonomous System
17 203.94.243.71 329.566 ms mail2.mtnl.net.in [AS4755] VSNL Autonomous System

The last entry, i.e. mail2.mtnl.net.in, tells us that our example server is registered in, and is located in, India. In this example, we saw that traceroute outputs are not always as helpful as in the first example; sometimes doing a traceroute on an IP Address does not give useful information. In the above examples, the traceroute program returned and printed hostnames in the output. These hostnames were fairly useful and gave us important geographical information on the residence of that particular system. Although more often than not you will get such helpful hostnames, sometimes the hostnames returned are very vague and unhelpful. That is when it becomes difficult to trace an IP Address geographically. It is important to note that if we perform a traceroute on a dynamic IP Address, then the last entry would end at an IP Address belonging to the ISP of the target dynamic IP Address. Using the IP Address and hostname of the target IP Address's ISP, we can trace the city, country etc.
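Reading a traceroute the way this section does, as an added Python example that is not part of the original manual: it parses Unix-style traceroute lines (hop number, hostname, address in parentheses and round-trip times, or `* * *` for a hop that did not answer), marks hops that came back as a bare address with no hostname, pulls the country code and any recognisable city token out of each hostname, and, as the last paragraph describes, falls back to the last hop that did resolve when the final address itself has no reverse entry (the dynamic-IP case). The trace below is constructed: the hostnames follow the section's first example, the addresses are documentation addresses, and the small city-token table is the example's own assumption.

```python
import re

# Constructed trace in Unix traceroute layout; hostnames follow the section's
# first example, addresses are documentation ranges (not the real hops).
SAMPLE_TRACE = """\
traceroute to 203.0.113.54 (203.0.113.54), 30 hops max, 60 byte packets
 1  abc.netzero.com (198.51.100.1)  2 ms  1 ms  1 ms
 2  198.51.100.2 (198.51.100.2)  5 ms  5 ms  5 ms
 3  we21.spectranet.com (198.51.100.12)  535 ms  549 ms  513 ms
 4  * * *
 5  backbone.vsnl.net.in (203.0.113.1)  1064 ms  1109 ms  1061 ms
 6  newdelhi-01.backbone.vsnl.net.in (203.0.113.2)  1185 ms  1146 ms  1203 ms
 7  203.0.113.54 (203.0.113.54)  1052 ms  642 ms  658 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s*(.*)$")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms")

# Assumed token -> city table for hostname labels; extend it for your own routes.
CITY_TOKENS = {"newdelhi": "New Delhi", "delhi": "Delhi", "nyc": "New York",
               "lsanca": "Los Angeles"}


def parse_hop(line):
    """One traceroute line -> dict, or None for header and other non-hop lines."""
    m = HOP_RE.match(line)
    if m:
        hop, name, ip, rest = m.groups()
        host = None if name == ip else name.rstrip(".").lower()   # bare IP: no reverse DNS
        return {"hop": int(hop), "host": host, "ip": ip,
                "rtts": [float(x) for x in RTT_RE.findall(rest)]}
    t = TIMEOUT_RE.match(line)
    if t:                                     # "* * *": the hop did not answer at all
        return {"hop": int(t.group(1)), "host": None, "ip": None, "rtts": []}
    return None


def parse_traceroute(text):
    return [h for h in (parse_hop(line) for line in text.splitlines()) if h]


def country_code(host):
    """Two-letter code ending the hostname, else None (.com, .net and the like)."""
    tld = host.rsplit(".", 1)[-1] if host else ""
    return tld if len(tld) == 2 and tld.isalpha() else None


def hints(hop):
    """Geographical clues in a hop's hostname: recognised city tokens, then the country code."""
    out = []
    if not hop["host"]:
        return out
    for label in re.split(r"[.\-]", hop["host"]):
        base = label.rstrip("0123456789")     # newdelhi-01 -> newdelhi
        if base in CITY_TOKENS:
            out.append(CITY_TOKENS[base])
    cc = country_code(hop["host"])
    if cc:
        out.append("cc:" + cc)
    return out


def locate_target(hops):
    """(hop, hostname, country code) of the last hop that resolved to a hostname.
    When the final hop is a bare address (typical for a dynamic IP), this is the
    target's ISP router, which is as far as the hostnames can take us."""
    for hop in reversed(hops):
        if hop["host"]:
            return hop["hop"], hop["host"], country_code(hop["host"])
    return None


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACE)
    for hop in hops:
        print(hop["hop"], hop["host"] or hop["ip"] or "*", hints(hop))
    print("target located via:", locate_target(hops))
```

In the constructed trace the final hop has no hostname, so the location comes from hop 6, the New Delhi router of the ISP's backbone, which is exactly the fallback the paragraph above describes for a dynamic IP.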

**********************
HACKING TRUTH: If you have an IP Address and wish to find out the latitude, longitude and country/state in which the system is located, then visit the following page and simply fill the IP in: http://cello.cs.uiuc.edu/cgi-bin/slamm/ip2ll/
**********************

That is when the Visual Route utility and the process of visiting the last hostname's website come in handy. Let us say that the trace ends at the hostname abc.com. This is very vague and gives absolutely no clue as to where the system is located. At this moment, you might think that you are at a dead end. However, that is not true: what you could do is launch your browser and visit http://www.abc.com. This particular site, i.e. abc.com, is probably an ISP, and an ISP will definitely give its location and the cities in which it operates. Thus, by visiting their website and looking at the "contact us" section, one can indeed get the geographical information on the IP Address.

A very interesting utility is the Visual Route utility (http://www.visualroute.com), which traces a hostname or IP and shows the path taken by the packet to reach the destination on a world map. It is very useful and reveals some excellent information. However, it does sometimes tend to be inaccurate.

Pros and Cons
+ Fairly accurate.
- Does not work if hostnames do not display useful information.
- Can be easily filtered out.

**********************
HACKING TRUTH: Say you have found out the ISP of a person and want to learn in which country the person resides. However, visiting the ISP website doesn't help, nor does the hostname. So, what do you do? One thing that you could do is try connecting to Port 13 (the Daytime port) of the ISP. This is the port which simply displays the system time. It will tell you how many hours ahead of or behind GMT the system is. Thus, it will also tell you the time zone in which that particular system resides.
**********************

This basically brings us to the end of this manual. Before we move on to the next chapter, I would like to make it clear that it is extremely difficult, and surprising, if someone is able to get the exact contact address of a person by simply knowing his IP (without taking help from, or breaking into, the person's ISP).

Fadia's Hot Pick for the traceroute Utility

1. Utility Name: Visual Route

Features: Traces the geographical location of an IP Address by drawing lines on the world map.
Download URL: http://www.visualroute.com

Changing One's Own IP Address: The Art of IP Spoofing

The technique of changing one's own original IP Address to a fake, made-up one is known as IP Spoofing. In this method, the attacker fools the target system to which he is connected into believing that his identity is some IP Address other than his own. This will be clearer after the following example:

Say there are three systems: A, B and C. If A were to connect to B normally, then B would easily come to know that system A is connected to it. However, if A were somehow able to change its own identity and make it seem to be C, then A would have spoofed its own identity and made B believe that it is actually C, which is the spoofed or fake address.

IP Spoofing involves the guessing of sequence numbers and is very difficult to carry out. However, it is still very much possible. For a clear and detailed description of this technique, kindly read the IP Spoofing Torn Apart section.
