ch09.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,272 行 · 第 1/5 页

13  mae-east.agis.net (192.41.177.145)  391 ms  456 ms  444 ms
14  h0-0.losangeles1.agis.net (204.130.243.45)714 ms 556 ms714 ms
15  pbi10.losangeles.agis.net (206.62.12.10) 554 ms 543 ms 505 ms
16  lsan03-agis1.pbi.net (206.13.29.2)  536 ms  560 ms *
17  * * *
18  pm1.pacificnet.net (207.171.0.51)  556 ms  560 ms  561 ms
19  pm1-24.pacificnet.net (207.171.17.25)  687 ms  677 ms  714 ms
</FONT></PRE>
<P>From this, it is clear that I am located in Los Angeles, California:</P>
<PRE><FONT COLOR="#0066FF">pbi10.losangeles.agis.net (206.62.12.10)  554 ms  543 ms  505 ms
</FONT></PRE>
<P>and occupy a place at <TT>pacificnet.net</TT>:</P>
<PRE><FONT COLOR="#0066FF">pm1.pacificnet.net (207.171.0.51)  556 ms  560 ms  561 ms
</FONT></PRE>
<P>Traceroute can be used to determine the relative network location of a machine
in the void.</P>
<P>Note that you needn't have UNIX (or a UNIX variant) to run Traceroute queries.
There are Traceroute gateways all over the Internet. And, although these typically
trace the route only between the Traceroute gateway and your target, they can at
least be used to pin down the local host of an IP address.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Try the Traceroute gateway
	at <A HREF="http://www.beach.net/traceroute.html"><B>http://www.beach.net/traceroute.html</B></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><TT>rusers</TT><B> and </B><TT>finger</TT></FONT></H3>
<P><TT>rusers</TT> and <TT>finger</TT> can be used together to glean information
on individual users on a network. For example, a <TT>rusers</TT> query on the domain
<TT>wizard.com</TT> returns this:</P>
<PRE><FONT COLOR="#0066FF">gajake       snark.wizard.com:ttyp1  Nov 13 15:42  7:30 (remote)
root         snark.wizard.com:ttyp2  Nov 13 14:57  7:21 (remote)
robo         snark.wizard.com:ttyp3  Nov 15 01:04  01 (remote)
angel111     snark.wizard.com:ttyp4  Nov14 23:09       (remote)
pippen       snark.wizard.com:ttyp6 Nov 14 15:05         (remote)
root         snark.wizard.com:ttyp5 Nov 13 16:03    7:52 (remote)
gajake       snark.wizard.com:ttyp7 Nov 14 20:20    2:59 (remote)
dafr         snark.wizard.com:ttyp15Nov  3 20:09    4:55 (remote)
dafr         snark.wizard.com:ttyp1 Nov 14 06:12   19:12 (remote)
dafr         snark.wizard.com:ttyp19Nov 14 06:12   19:02 (remote)
</FONT></PRE>
<P>As an interesting exercise, compare this with <TT>finger</TT> information collected
immediately after:</P>
<PRE><FONT COLOR="#0066FF">user S00  PPP ppp-122-pm1.wiza  Thu Nov 14 21:29:30 - still logged in
user S15  PPP ppp-119-pm1.wiza  Thu Nov 14 22:16:35 - still logged in
user S04  PPP ppp-121-pm1.wiza  Fri Nov 15 00:03:22 - still logged in
user S03  PPP ppp-112-pm1.wiza  Thu Nov 14 22:20:23 - still logged in
user S26  PPP ppp-124-pm1.wiza  Fri Nov 15 01:26:49 - still logged in
user S25  PPP ppp-102-pm1.wiza  Thu Nov 14 23:18:00 - still logged in
user S17  PPP ppp-115-pm1.wiza  Thu Nov 14 07:45:00 - still logged in
user S-1  0.0.0.0           Sat Aug 10 15:50:03 - still logged in
user S23  PPP ppp-103-pm1.wiza  Fri Nov 15 00:13:53 - still logged in
user S12  PPP ppp-111-pm1.wiza  Wed Nov 13 16:58:12 - still logged in
</FONT></PRE>
<P>Initially, this information might not seem valuable. However, it is often through
these techniques that you can positively identify a user. For example, certain portions
of the Internet offer varying degrees of anonymity. Internet Relay Chat (IRC) is
one such system. A person connecting with a UNIX-based system can effectively obscure
his or her identity on IRC but cannot easily obscure the IP address of the machine
in use. Through sustained use of both the <TT>finger</TT> and <TT>rusers</TT> commands,
you can pin down who that user really is.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B><TT>finger</TT> and <TT>rusers</TT>
	are extensively discussed in Chapter 13, &quot;Techniques to Hide One's Identity.&quot;
	Nonetheless, I'd like to provide a brief introduction here: <TT>finger</TT> and <TT>rusers</TT>
	are used to both identify and check the current status of users logged on to a particular
	machine. For example, you can find out the user's real name (if available), his or
	her last time of login, and what command shell he or she uses. Not all sites support
	these functions. In fact, most PC-based operating systems do not without the installation
	of special server software. However, even many UNIX sites no longer support these
	functions because they are so revealing. <TT>finger</TT> and <TT>rusers</TT> are
	now considered security risks in themselves. 
<HR>


</BLOCKQUOTE>

<P>Nevertheless, this explanation doesn't reveal the value of these utilities in
relation to cracking. In the same way that one can <TT>finger</TT> a user, one can
also <TT>finger</TT> several key processes. Table 9.2 contains some examples.
<H4><FONT COLOR="#000077"><B>Table 9.2. Processes that can be <TT>finger</TT>ed.</B></FONT></H4>
<P>
<TABLE BORDER="1">
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP"><I>Process</I></TD>
		<TD ALIGN="LEFT" VALIGN="TOP"><I>Purpose</I></TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP"><TT>lp</TT></TD>
		<TD ALIGN="LEFT" VALIGN="TOP">The Line Printer daemon</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">UUCP</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">UNIX to UNIX copy</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP"><TT>root</TT></TD>
		<TD ALIGN="LEFT" VALIGN="TOP">Root operator</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP"><TT>mail</TT></TD>
		<TD ALIGN="LEFT" VALIGN="TOP">The Mail System daemon</TD>
	</TR>
</TABLE>
</P>
<P>By directing <TT>finger</TT> inquiries on these accounts, you can glean valuable
information about them, such as their base directory as well as the last time they
were used or logged in.</P>
<P>Thus, <TT>rusers</TT>, when coupled with <TT>finger</TT>, can produce interesting
and often revealing results. I realize, of course, that you might trivialize this
information. For, what value is there in knowing when and where logins take place?</P>
<P>In fact, there are many instances in which such information has value. For example,
if you are truly engaged in cracking a specific system, this information can help
you build a strong database of knowledge about your target. By watching logins, you
can effectively identify trust relationships between machines. You can also reliably
determine the habits of the local users. All these factors could have significant
value.
<H3><FONT COLOR="#000077"><B>Showmount</B></FONT></H3>
<P>Showmount reveals some very interesting information about remote hosts. Most importantly,
invoked with the <TT>-e</TT> command line option, showmount can provide a list of
all exported directories on a given target. These directories might or might not
be mountable from anywhere on the Internet.
<H3><FONT COLOR="#000077"><B>On Other Platforms</B></FONT></H3>
<P>None of the mentioned UNIX utilities are scanners. However, they do reveal important
information about the target machine. And not surprisingly, the computing community
has ported quite a few of these utilities to other platforms (not everyone has a
UNIX workstation in their living room). It wouldn't be fair to continue without briefly
covering those ported utilities here.
<H4><FONT COLOR="#000077"><B>On Windows 95</B></FONT></H4>
<P>Windows 95 now supports many network analysis utilities. Some of these are straight
ports from UNIX commands, and others are programs built from the ground up. In both
cases, the majority of these tools are shareware or freeware. You can use these tools
to learn much about networking.</P>
<P><B>NetScan Tools</B> The NetScan Tools suite contains a series of UNIX utilities
ported to Windows 95. Its development team claims that by utilizing ping, network
administrators can identity unauthorized machines utilizing IP addresses on their
subnets. The program also contains ports of WHOIS, finger, ping, and Traceroute.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The Netscan Tools suite
	is shareware and is available at <A HREF="http://www.eskimo.com/~nwps/index.html"><B>http://www.eskimo.com/~nwps/index.html</B></A>.
	
<HR>


</BLOCKQUOTE>

<P><B>Network Toolbox</B> Network Toolbox is very similar to the Netscan Tools suite.
It consists of a port of nine separate UNIX utilities. This utility has an interesting
feature called <I>IP Address Search</I>, which allows the user to search for machines
within a given range of IP addresses. Otherwise, it has the usual fare: finger, DNS,
WHOIS, and so on. One special amenity of this suite is that it is exceedingly fast.
This utility is discussed in greater detail later in this chapter.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>You can find Network
	Toolbox at <A HREF="http://www.jriver.com/netbox.html"><B>http://www.jriver.com/netbox.html</B></A>.
	
<HR>


</BLOCKQUOTE>

<P><B>TCP/IP Surveyor</B> This tool is quite impressive; not only does it gather
information about networks and reachable machines, it formats it into a graphical
representation that maps routers, workstations, and servers.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>TCP/IP Surveyor is shareware
	and can be found at <A HREF="ftp://wuarchive.wustl.edu/systems/ibmpc/win95/netutil/wssrv32n.zip"><B>ftp://wuarchive.wustl.edu/systems/ibmpc/win95/netutil/wssrv32n.zip</B></A>.
	
<HR>


</BLOCKQUOTE>

<H4><FONT COLOR="#000077"><B>On Macintosh</B></FONT></H4>
<P>There has been a sharp increase in development of network analysis tools on the
Macintosh platform. Many of these applications are first rate and, in traditional
Mac platform style, are extremely easy to use.</P>
<P><B>MacTCP Watcher</B> This utility provides ping, DNS lookups, and general monitoring
of connections initiated by protocols within the TCP/IP suite.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>As of version 1.12, this
	utility has been designated freeware. However, by the time this book is printed,
	that situation might change. Get it at <A HREF="http://www.share.com/share/peterlewis/mtcpw/"><B>http://www.share.com/share/peterlewis/mtcpw/</B></A>.
	
<HR>


</BLOCKQUOTE>

<P><B>Query It!</B> Query It! is a solid utility that performs basic <TT>nslookup</TT>
inquiries. It generates information that is very similar to that generated using
the <TT>host</TT> command.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Get Query It! at <A HREF="http://www.cyberatl.net/~mphillip/index.html#Query It!"><B>http://www.cyberatl.net/~mphillip/index.html#Query
	It!</B></A>. 
<HR>


</BLOCKQUOTE>

<P><B>WhatRoute</B> WhatRoute is a port of the popular UNIX utility Traceroute.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>WhatRoute is a freeware
	program and is available at various locations on the Internet, including <A HREF="http://homepages.ihug.co.nz/~bryanc/"><B>http://homepages.ihug.co.nz/~bryanc/</B></A>.
	
<HR>


</BLOCKQUOTE>

<H4><FONT COLOR="#000077"><B>On AS/400</B></FONT></H4>
<P>The AS/400 platform, as of AS/400 V3R1 (and Client Access/400), has excellent
internal support for most TCP/IP utilities, including ping and netstat.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>For those interested
	in studying the fine points of TCP/IP implementation on AS/400, I highly recommend