ch13.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,153 行 · 第 1/5 页

<PRE><FONT COLOR="#0066FF">Login name: root                        In real life: 0000-Admin(0000)
Directory: /                            Shell: /sbin/sh
Last login Tue Feb 18 19:53 on pts/22
New mail received Wed Feb 19 04:05:58 1997;
  unread since Wed Feb 19 03:20:43 1997
No Plan.
</FONT></PRE>
<P>This tells you several things, including the directory where <TT>root@samshack</TT>
resides (<TT>/</TT>), the shell he or she is using (<TT>/sbin/sh</TT>), and some
details on last login and mail. (Hard-core hackers will know that it also tells you
that <TT>root@samshack.com</TT> is using Solaris as an operating system. Note the
<TT>0000-Admin[0000]</TT> string.)</P>
<P>This information does not appear to be particularly revealing; however, in 70%
of all cases, the field <TT>In real life</TT> is filled with a name. Worse still,
at some universities, you can get the name, telephone number, dorm room number, and
major of students enrolled there (not that the major matters particularly, but it
provides some interesting background).</P>
<P>The information available on a finger query is controlled primarily by the system
administrator of a given site, as well as what information you provide on your initial
signup. Most new users are not aware of this and provide all the information they
can. Most people have no reason to hide, and many provide their office telephone
number or even their home address. It is human nature to be mostly honest, especially
when the entity they are providing information to seems benign.</P>
<P>So the process of identification usually either starts or ends with a finger query.
As noted previously, the finger query uses your e-mail address as an index. This
leads us immediately into an area of some controversy. Some individuals believe that
by changing their e-mail address in the Netscape Navigator or Microsoft Internet
Explorer Options panels, they obscure their identity. This is not true. It simply
makes your e-mail address more difficult to obtain. I will get to this subject momentarily.
For now, I want to continue with finger, offering a little folklore. The following
is a classic Internet story. (If you've ever fingered <TT>coke@cs.cmu.edu</TT>, skip
these next few paragraphs.)</P>
<P>Years ago, the computer science department staff at Carnegie-Mellon University
had a gripe about their Coke machine. Often, staffers would venture down to the basement,
only to find an empty machine. To remedy this problem, they rigged the machine, connecting
it to the Internet (apparently, they did this by wiring the machine to a DEC 3100).
They could then issue a finger request and determine the following things:

<UL>
	<LI>How many sodas were in each slot<BR>
	<BR>
	
	<LI>What those sodas were--Coke, Diet Coke, Sprite, and so on<BR>
	<BR>
	
	<LI>Whether the available sodas were cold
</UL>

<P>Today, you can still issue a finger request to the Coke machine at CMU. If you
were to do so, you would receive output very similar to the following:</P>
<PRE><FONT COLOR="#0066FF">[ Forwarding coke as &quot;coke@l.gp.cs.cmu.edu&quot; ]
[L.GP.CS.CMU.EDU]
Login: coke                             Name: Drink Coke
Directory: /usr/coke                    Shell: /usr/local/bin/tcsh
Last login Sun Feb 16 18:17 (EST) on ttyp1 from GS84.SP.CS.CMU.EDU
Mail came on Tue Feb 18 14:25, last read on Tue Feb 18 14:25
Plan:
    M &amp; M                   Coke Buttons
   /----\           C: CCCCCCCCCCC.............
   |?????|       C: CCCCCCCC....   D: CCCCCCCCCC..
   |?????|       C: CCCCCCCCCCCC   D: CCCCCCCC....
   |?????|       C: CCCCCCCC....   D: CCCCCCCCC...
   |?????|                         C: C...........
   \----/                          S: C...........
      |        Key:
      |          0 = warm;  9 = 90% cold;  C = cold;  . = empty
      |          Beverages: C = Coke, D = Diet Coke, S = Sprite
      |          Leftmost soda/pop will be dispensed next
    --^--        M&amp;M status guessed.
                 Coke status heuristics fit data.
Status last updated Wed Feb 19 00:20:17 1997
</FONT></PRE>
<P>As you can see, there is no end to the information available with a finger query.
The story of this Coke machine was told by Terence Parr, President and Lead Mage
of MageLang Institute (<A HREF="http://www.magelang.com/"><TT>http://www.magelang.com/</TT></A>),
at the 1996 Netscape Developer's Conference at Moscone Center in San Francisco. Reportedly,
Parr was demonstrating a Java application that could emulate this Coke machine hack
when suddenly, a former CMU student, Michael Adler, rose to the occasion. Adler explained
the hack in detail, having firsthand knowledge of the Coke machine in question. In
fact, Adler was largely responsible for adding the temperature index function.</P>
<P>At any rate, many administrators insist on supporting finger, and some have legitimate
reasons. For example, a finger server allows easy distribution of information. In
order for the finger server to support this functionality, the targeted user (or
alias) must have a plan file. (The Coke machine at CMU certainly does!) This file
is discussed in the next section.
<H3><FONT COLOR="#000077"><B>The Plan File (</B><TT>.plan</TT><B>)</B></FONT></H3>
<P>On most UNIX servers, user directories are kept beneath the <TT>/home/</TT> or<TT>
/usr </TT>directory hierarchies. For example, a user with a username of <TT>cracker</TT>
will have his home directory in <TT>/home/cracker</TT>. (This is not set in stone.
System administrators are responsible for where such directories are kept. They could
specify this location as anywhere on the drive, but the typical placement is <TT>/usr</TT>
or <TT>/home</TT>.)</P>
<P>Typically, in that home directory are a series of special files that are created
when the user accesses his account for the first time. For example, the first time
he utilizes the mail program Pine, a series of files are established, including <TT>.pinerc</TT>,
which is the configuration file for this mail client.</P>
<P>These files are referred to as <I>dot files</I>, because they are preceded by
a period. Most dot files are created automatically. The <TT>.plan</TT> file, however,
is not. The user must create this file himself, using any text editor (for example,
vi or pico). This file can be closely correlated with the <TT>plan.txt</TT> file
on a VAX system. Its purpose is to print user-specified information whenever that
user becomes the target of a finger query. So, if the user saves into the <TT>.plan</TT>
file a text recounting his life history, that text will be printed to the <TT>STDOUT</TT>
of the party requesting finger information. The <TT>.plan</TT> file is one way that
information can be distributed via the finger server. (Note that you, the user, must
create that <TT>.plan</TT> file. This is not automatically generated by anyone else.)
If you examine Figure 13.1 again, this will seem a bit clearer.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>You may have encountered servers
	or users that suggest that you <TT>Finger for more info</TT>. Usually, this entails
	issuing a finger request to an address like <TT>info@targethost.com</TT>. Most often,
	the information you receive (which could be pages of plain text) comes from the <TT>.plan</TT>
	file. 
<HR>


</BLOCKQUOTE>

<P>There are other reasons that some administrators keep the finger service operational.
Entire programs can be launched by specifying a particular address to be fingered.
In other words, one could (although it is not recommended) distribute text files
this way. For example, you could write an event handler to trap finger queries aimed
at a particular user; if user A were fingered, the server would send a specified
text file to the requesting party. I have seen more than one server configured this
way, although it is more common to see mail lists designed in this manner.</P>
<P>For whatever reason, then, finger services may be running on the server at which
you have an account. If you have never bothered to check what information is available
there, you can check now by issuing a finger request to your own account. You can
also examine this information (the majority of it, anyway) by issuing the following
command at a shell prompt:</P>
<PRE><FONT COLOR="#0066FF">grep your_username /etc/passwd
</FONT></PRE>


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>This technique will only work on
	servers that use non-shadowed password files, or those that are not employing NIS.
	In those instances, you may have to issue a command more like this: </P>
	<P><FONT COLOR="#0066FF"><TT>ypcat passwd || cat /etc/passwd | grep user_name</TT></FONT>
	
<HR>


</BLOCKQUOTE>

<PRE></PRE>
<P>This command will print the information the server holds on you in the <TT>/etc/passwd</TT>
file. Note that this information will be visible even if the server makes use of
shadowed password entries.</P>
<P>So now you know: The names of the majority of Net citizens are there for the taking.
If your system administrator insists on using finger, there are several things you
can do to minimize your exposure:

<UL>
	<LI>Use the popular utility chfn to alter the finger information available to outsiders<BR>
	<BR>
	
	<LI>If chfn is not available, request that the sysad change your information<BR>
	<BR>
	
	<LI>Cancel your current account and start a new one
</UL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>If you believe in harsh solutions
	and you want to discourage people from repeatedly fingering your account, write a
	<TT>.plan</TT> file that forwards a few megabytes of garbage. This is most useful
	if your sysad refuses to assist, chfn is unavailable, and some joker is trying to
	clock your movements using finger. 
<HR>


</BLOCKQUOTE>

<P>Of course, perhaps you are not concerned with being fingered as much as you are
concerned with who is doing the fingering. If so, you need MasterPlan.
<H3><FONT COLOR="#000077"><B>MasterPlan</B></FONT></H3>
<P>MasterPlan is an excellent utility. Written by Laurion Burchall and released in
August 1994, this product takes an aggressive approach to protecting your privacy.
First and foremost, MasterPlan identifies who is trying to finger you. Each time
a finger query is detected, MasterPlan attempts to get the hostname and user ID of
the fingering party. These variables are piped to an outfile called <TT>finger_log</TT>.
MasterPlan will also determine how often you are fingered, so you can easily detect
if someone is trying to clock you. (<I>Clocking</I> refers to the practice where
user A attempts to discern the habits of user B using various network utilities,
including finger and the <TT>r</TT> commands.)


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>The <TT>r</TT> commands consist of
	a suite of network utilities that can glean information about users on remote hosts.
	I will discuss one of these, a utility called rusers, in a moment. 
<HR>


</BLOCKQUOTE>

<P>Typically, a cracker writes a shell or Perl script to finger (or otherwise query)
the target every specified number of minutes or hours. Reasons for such probing can
be diverse. One is to build a profile of the target; for example, when does the user
log in? How often does the user check mail? From where does the user usually log
in? From these queries, a cracker (or other nosy party) can determine other possible
points on the network where the user can be found.</P>
<P>Consider this example: A cracker I know was attempting to intercept e-mail trafficked
by a nationally renowned female journalist who covers hacking stories. This journalist
had more than one account and frequently logged into one from another. (In other
words, rather than directly logging in, she would chain her connections.) This is
a common practice by individuals in the public eye. They may want to hide from overly
enthusiastic fans (or perhaps even legitimate foes). Thus, they preserve at least
one account to receive public mail and another to receive private mail.</P>
<P>By running a probing script on the journalist, the cracker was able to identify
her private e-mail address. He was also able to compromise that network and ultimately
capture all the journalist's mail. The mail was primarily discussions between the
journalist and a software engineer in England. The subject matter concerned a high-profile
cracking case in the news. (That mail was later distributed to crackers' groups across
the Internet.)</P>
<P>In any event, MasterPlan can help to identify these patterns, at least with respect
to finger queries. The utility is small, and easily unpacked and configured. The
C source is included, and the distribution is known to compile cleanly on most UNIX