ch13.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,153 行 · 第 1/5 页

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>

<HEAD>
	
	<TITLE>Maximum Security -- Ch 13 -- Techniques to Hide One's Identity</TITLE>
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF">

<CENTER>
<H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR>
<FONT COLOR="#000077">Maximum Security: </FONT></H1>
</CENTER>
<CENTER>
<H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2>
</CENTER>
<CENTER>
<P><A HREF="../ch12/ch12.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch14/ch14.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> 
<HR>

</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">13</FONT></H1>
</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">Techniques to Hide One's Identity</FONT></H1>
</CENTER>
<P>When the network that is now the Internet was first designed, it was assumed that
all users wanted to be found. No one had reason to hide, and it seemed sensible that
researchers should be able to locate each other. Utilities were therefore created
to facilitate such finding.</P>
<P>Since those early days, the rise of multiple protocols has made finding people
even more convenient. As you will see later in this chapter, the old days demanded
a high level of networking knowledge from the user. Today, finding or identifying
most individuals is trivial. Throughout this chapter, I examine those techniques,
as well as some concepts about wholesale tracing (tracing many individuals at one
time).</P>
<P>You may wonder why this is deemed a security issue. In truth, it really isn't--not
yet. As you read this chapter, however, you will learn that the Internet is a powerful
tool for domestic spying. Law-enforcement and intelligence agencies already conduct
such practices on the Internet, and for them, the Network is a bonanza. No search
warrant is needed to &quot;study&quot; the activity of someone on the Internet. Likewise,
no warrant is needed to compile lists of individuals who law enforcement perceive
to be involved in illegal (or even seditious) activity. This is not a joke. If you
harbor radical political views, by the end of this chapter, you may elect to forever
keep those views to yourself (or gain a decent education in cryptography).</P>
<P>Like all chapters, this one begins with the most fundamental aspects of the treated
subject and progresses forward to more advanced information. Experienced users should
shoot ahead several pages.</P>
<P>Before I begin, I need to make one statement regarding screenshots and diagnostic
network information contained within this chapter. Certain methods of finding individuals
demand the use of search engines. Unfortunately, to my knowledge, the law has not
been adequately settled regarding the reprinting of an individual's e-mail address
without his consent. Because of this, I cannot provide screenshots of searches because
they necessarily contain the e-mail addresses of users unknown.</P>
<P>Therefore, the searches have to be described rather than illustrated. I do apologize
for this. However, upon reflection, I would not want my e-mail address published,
and I see no reason why anyone else would, either. The argument is often made that
anyone who posts to a Usenet newsgroups has at least given an implied form of consent.
I do not support that view. So, I am afraid that we shall have to get along as best
we can by description as opposed to screenshot. I have taken pains to explain each
step carefully to provide the utmost clarity. I hope that will suffice.</P>
<P>So, let us begin at the beginning, at the heart of your server. We will start
at home base and work our way outward.
<H2><FONT COLOR="#000077"><B>What's in a Name?</B></FONT></H2>
<P>There are two forms of user identification that apply to all platforms: your e-mail
address and your IP address. It is often theorized that if one is obscured, the other
can never be found. That is untrue. Without chaining messages through a series of
<I>trusted</I> anonymous remailers (remailers that are purportedly secure), anonymity
on the Internet is virtually impossible. Anonymous remailers are discussed in Chapter
7, &quot;Birth of a Network: The Internet.&quot;</P>
<P>It is possible, however, to make yourself relatively invisible, and that is probably
what most individuals would like to do. Before I get more specific, however, there
are some utilities you need to know about, as well as methods of tracing individuals.
I'll start with finger.
<H3><FONT COLOR="#000077"><B>finger</B></FONT></H3>
<P>The <I>finger</I> service is a utility common to the UNIX platform. Its purpose
is to provide information about users on a given system. In practical operation,
finger works like most other services available in UNIX. Figure 13.1 demonstrates
the use of Finger32, a popular finger client for the Microsoft Windows platform.</P>
<P><A NAME="01"></A><A HREF="01.htm"><B>Figure 13.1.</B></A><B><BR>
</B><I>The finger query process.</I></P>


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Finger32 is a small application
	port of the UNIX utility finger. It is available here: <A HREF="ftp://hyper.net.au/Win95nt-apps/Finger/Wsfinger/Wsfngr32.zip"><TT>ftp://hyper.net.au/Win95nt-apps/Finger/Wsfinger/Wsfngr32.zip</TT></A>
	
<HR>


</BLOCKQUOTE>

<P>The finger service relies on the client/server model, which is a recurring theme
in Internet applications. This model works as follows: machines running server applications
distribute information to clients. Clients are programs designed to accept and interpret
information from server applications. For example, you use a Web browser (or client)
to read information forwarded by a Web server (the HTTP server).</P>
<P>In any event, the finger client-server relationship works as follows: On the targeted
machine (almost always a UNIX system), there is a server running called <TT>fingerd</TT>.
This is more commonly referred to as the <I>finger daemon</I>. Its purpose is to
answer requests from finger clients from the void.</P>
<P>The finger daemon can return different information, depending largely on the configuration
of the server and the user's personalized settings. For example, sometimes an &quot;open&quot;
UNIX server (that is, one not running a firewall) will disallow finger access. This
is done by disabling the finger daemon, removing it from the file <TT>/etc/inetd.conf</TT>.
In this case, the finger service is never started. Any client-issued finger request
forwarded to such a machine will meet with a blank response (or perhaps, <TT>Connection
Refused.</TT>).</P>
<P>Many organizations, particularly ISPs, government sites, and private corporations,
disable finger services. Each has an interest in preserving the privacy of its users,
and that is usually the reason given for disabling the service. As you will learn
later, however, their motivation may also be system security.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>Certain vital information about the
	system can be culled by fingering system IDs such as root, bin, FTP, and so on. On
	that account, some sites will disable finger services altogether. It is thought that
	by killing the finger and RPC services, one can restrict the amount of revealing
	information available to crackers in the void. To some extent, this is true. 
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>An excellent paper written
	by Dan Farmer and Wietse Venema addresses this issue: &quot;Improving the Security
	of Your Site by Breaking Into It.&quot; The paper is so widely distributed on the
	Internet. Here is a very reliable source: <A HREF="http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html"><TT>http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html</TT></A>.
	(This is a government site, so with all probability, this link will be good for many
	years to come.) 
<HR>


</BLOCKQUOTE>

<P>Some sites do not disable finger services altogether, but instead put restrictions
on what type of information can be accessed. For example, by default, the finger
daemon allows a systemwide finger. Anyone can be fingered, including special or privileged
accounts. When systemwide fingering is allowed, one can gather information on all
users currently logged to the machine. This is done by issuing the following command
at a UNIX command prompt:</P>
<PRE><FONT COLOR="#0066FF">finger @my_target_host.com
</FONT></PRE>
<P>The <TT>@</TT> symbol has essentially the same effect as the asterisk does in
regular expression searches. When it is used, the user is fingering all users currently
logged to the target machine. This is most useful when targeting small providers
that have few customers, or when conducting such a finger query late at night. Certainly,
fingering a company as large as Netcom in this manner would be foolish. (The response
forwarded by the server would likely be many pages in length. The only valid reason
for doing this would be to generate a database of Netcom users.) At any rate, some
organizations will disallow such a request, instead forcing the requesting party
to specify a particular user.</P>
<P>Other sites make use of <I>hacked</I> finger daemons, either created in-house
or available as distributions from other sites across the Internet. These are finger
daemons that have enhanced features, including advanced configuration options.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>One such hacked finger
	daemon is the Configurable Finger Daemon, or <TT>cfingerd</TT>. Written by Ken Hollis,
	<TT>cfingerd</TT> provides security functions not available in garden-variety finger
	servers. It is considered to be an excellent replacement to the standard distribution
	of finger. It is available free of charge at <A HREF="ftp://ftp.bitgate.com/pub/cfingerd/"><TT>ftp://ftp.bitgate.com/pub/cfingerd/</TT></A>.<BR>
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>For more generalized
	understanding of the finger daemon process, I suggest viewing the source for any
	public-domain finger client. There is a nice online resource for this at <A HREF="http://araneus.york.ac.uk/owtwaww/finger.htm"><TT>http://araneus.york.ac.uk/owtwaww/finger.htm</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>At any rate, taking you through the process of a finger inquiry will take just
a few moments, but in order for you to exploit the example, you need a finger client.
UNIX users, however, have no need for a finger client, because this is included in
the basic distribution. The same is true of Windows NT. So this little section is
primarily for Windows, Mac, and OS/2 users. The finger clients are listed in Table
13.1.
<H4><FONT COLOR="#000077"><B>Table 13.1. Finger clients for non-UNIX, non-NT users.</B></FONT></H4>
<P>
<TABLE BORDER="1">
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP"><I>Platform</I></TD>
		<TD ALIGN="LEFT" VALIGN="TOP"><I>Client</I></TD>
		<TD ALIGN="LEFT" VALIGN="TOP"><I>Location</I></TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Windows (All)</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">WSFinger</TD>
		<TD ALIGN="LEFT" VALIGN="TOP"><A HREF="ftp://papa.indstate.edu/winsock-l/finger/wsfngr14.zip"><TT>ftp://papa.indstate.edu/winsock-l/finger/wsfngr14.zip</TT></A></TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Macintosh</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">Macfinger</TD>
		<TD ALIGN="LEFT" VALIGN="TOP"><A HREF="ftp://ftp.global.net.id/pub/mac/internet/finger-15.hqx"><TT>ftp://ftp.global.net.id/pub/mac/internet/finger-15.hqx</TT></A></TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">OS/2</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">FFEU</TD>
		<TD ALIGN="LEFT" VALIGN="TOP"><A HREF="http://www.musthave.com/OS2/ftp/ffeu101.zip"><TT>http://www.musthave.com/OS2/ftp/ffeu101.zip</TT></A></TD>
	</TR>
</TABLE>
</P>
<P>For demonstration purposes, I will use Finger32, a popular finger application
for Windows 95. The application is simple to use; it presents the user with a self-explanatory
screen from which you choose your host. (See Figure 13.2.)</P>
<P><A NAME="02"></A><A HREF="02.htm"><B>Figure 13.2.</B></A><B><BR>
</B><I>The Finger32 opening screen--choosing a host.</I></P>
<P>When you choose this option, a dialog box appears, requesting a host and username.
(See Figure 13.3.)</P>
<P><A NAME="03"></A><A HREF="03.htm"><B>Figure 13.3.</B></A><B><BR>
</B><I>Specifying your target.</I></P>
<P>Providing the target is running a finger server, the return output should read
something like this:</P>