Whois

We all know now how to find the website for any hacking target; for example if I said “can you find the website for Microsoft?” :)
I’m sure you will be laughing and saying “HAHAHA, hey man, that’s a piece of cake, I’m the best penetration tester, remember?” :)

Now, we are going to get some more information that is very valuable for any tester; it is information the target put on the internet himself, for you to use!!!
Can you believe that? Yes, the target put this information himself.

But, what kind of information is it? It might not be that important. Let’s see, and I will let you judge it yourself.

Our tool (or let’s call it Protocol) is Whois!!
You would say: “Oh ya, I heard about this tool before, I think there are websites that have a service called ‘Whois’, where you type the name of the target, and you get some information about it, right?”
So I would answer: “OK, your answer is partly right, but it’s not all right, let’s see why”

First, we will see what “Whois” exactly is :), then analyze how it works, and then we can look at one of the sites that offer the “Whois” service.
“Whois” is a TCP-based protocol that uses the Server/Client model, and this “Whois” is used to query databases to get us information about our target (Domain, IP, Networks, etc.)
I know that some of what I said is Chinese :), so let’s translate it.

Protocol: Originated from the Greek word “Protocollon”, which is a leaf of paper glued to a manuscript that describes its contents. So, for computers to communicate with each other they need a way to talk, and this way of talking is described by the “Protocollon”, which lays down the rules that enable them to communicate and talk.
TCP-based protocol: TCP is one of the protocols that provide reliable communication between computers. For example, imagine that you and I are computers, I want to teach you hacking, so I use a way of communication that makes me SURE that you understood what I am saying.
So I would say: “Hey you, here’s the lesson of today, it’s about Whois. Did you get it?”
You would answer: “Yes, I did get it, it’s easy.”
So I would say: “Are you sure you understood it ALL?”
If you say “Yes”, then I have made SURE that my lesson got to you and that you have no problems, but if you say “NO” then I have to teach you the missing part again. This is how TCP (in an extremely simple way) works.
So, did you get my definition? :)
Are you sure? :)
Port: I will give you an analogy first, and then we will say the technical definition for port.
If I want to tell you something, how can I tell you? Phone, Email, Letter, Meeting you...
There are so many ways to reach you, but if I want to send you a letter, then the only way to send it is through the mail system that will deliver it to your mailbox (in this case, your mailbox acts like a port), but if I want to hear your voice then I would call you by phone (in this case, your phone acts like a port). But is it possible to hear your voice in a mail that will be delivered to your mailbox? NO, because the phone port is special for voice communication, while the mail system is used for written communication.

This is the same with computers: if they want to communicate, they have to choose the right port for their communication. For example, say my website is located on a web server that is designed to let people access the website through port 80. Can you say “No, I want to access this website through port 81”? No you can’t, because the server will not get your request on that port. Got it?
Flag: Do you know the punctuation we use in writing? Yes, the commas, full stops, question marks…
If I want to START a sentence, I start with a capital letter.
If I want to add a small pause, I put a comma, and then I continue talking.
If I want to finish my sentence, I put a full stop.
Flags work exactly like that. For computers to communicate, how does your computer know when my computer wants to transfer a file to you? How does your computer know that my computer has finished sending the file? Through flags. Let’s look at this figure to understand how a TCP connection starts and ends.



Here, we are discussing how the “Whois client” communicates with the “Whois server” to ask about a domain called “Cisco.com”.
1- My computer (Whois client) sends a message from a RANDOM PORT NUMBER flagged “SYN” or “Synchronize” to PORT 43, meaning “I want to start a communication with you”
2- The (Whois server) replies from PORT 43 with a message flagged “SYN / ACK” or “Synchronize / Acknowledgment”, meaning “OK, I got your message, and I would like to make a communication with you as well on the RANDOM PORT you chose”
3- My machine (Whois client) sends a message flagged “ACK”, meaning “OK, I got your approval”
At this moment, the TCP connection between the client and the server is established
4- My computer (Whois client) pushes its request flagged “PSH” or “Push”, meaning “I have a question that is high priority and deserves care”
5- The (Whois server) replies with an “ACK” confirming the receipt.
6- Then it starts pushing the answer to my request, using the PSH flag to show me priority.
7- After the (Whois server) finishes sending the answer, there is no need to keep the connection open, so it sends a “FIN” flag meaning “I finished now, and I want to END”
8- My computer agrees to the termination in 2 steps: 1st is an “ACK” saying “OK, I got your request for terminating”, then the 2nd, “FIN / ACK”, says “I would like to terminate as well”
9- The (Whois server) confirms terminating the connection through an “ACK” flag.
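To see the same exchange in code, here is an added example (not from the original article or any of the tools it mentions): a minimal Whois client that does exactly what the steps above describe, plus a stand-in Whois server running on 127.0.0.1 so the exchange can be watched (or captured in Wireshark) without touching a real registry. The `SAMPLE_RECORDS` answer is constructed for the example and is not a real registry record.

```python
import socket
import threading

# Constructed sample answer served by the stand-in server (not a real registry record).
SAMPLE_RECORDS = {
    "example.com": "Domain Name: EXAMPLE.COM\r\nRegistrar: Example Registrar\r\n"
                   "Name Server: NS1.EXAMPLE.COM\r\n",
}

def whois_query(domain, server, port=43, timeout=10):
    """Whois client: open a TCP connection to port 43 (the SYN / SYN-ACK / ACK
    handshake happens inside create_connection), send the query followed by
    CRLF, then read until the server closes the connection (its FIN)."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")   # the PSH of step 4
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:          # empty read == server sent FIN, answer complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def _serve_once(listener):
    """Handle one client: read the query line, answer, then close (FIN)."""
    conn, _ = listener.accept()
    with conn:
        query = b""
        while not query.endswith(b"\r\n"):
            part = conn.recv(1024)
            if not part:
                return
            query += part
        name = query.strip().decode("ascii", errors="replace").lower()
        reply = SAMPLE_RECORDS.get(name, 'No match for "%s".\r\n' % name)
        conn.sendall(reply.encode("utf-8"))   # the server's PSH of step 6

def start_stub_server():
    """Start the stand-in Whois server on an ephemeral local port; returns (host, port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    def loop():
        while True:
            try:
                _serve_once(listener)
            except OSError:
                break
    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()

if __name__ == "__main__":
    host, port = start_stub_server()
    print(whois_query("example.com", host, port))
```

Pointing `whois_query` at a real Whois server on port 43 works the same way; the stub only exists so the packet flow can be studied locally.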

By now, we know exactly what is going on behind the scenes when we use the “Whois” query.

Now, let’s talk a little bit about something else; you decided to have your own company, and you want to have your own domain my-own-company.com, what are the steps to do that?
1- First, you have to see if this name is available or not, as it might be registered already for someone else
2- If you find it available, then you start the registration process by paying the annual fees and registering your personal details (in case of any communication between you and the registries) with the registry you belong to. There are 5 international registries, and each one of them is responsible for an IP region:
- American Registry for Internet Numbers (ARIN) – responsible for the North America region
- Réseaux IP Européens Network Coordination Centre (RIPE NCC) – responsible for the EMEA and Central Asia region
- Asia-Pacific Network Information Centre (APNIC) – responsible for Asia and Pacific region
- Latin American and Caribbean Internet Addresses Registry (LACNIC) – responsible for Latin America and Caribbean region
- African Network Information Centre (AfriNIC) – responsible for Africa region.
3- Now you get your domain name and you can start using it, while the registry adds your info to a database (this is exactly what we extract when we use Whois)

I know, I know, you are burning to start playing with the tools, right?
OK, Whois tools come in 3 types:
1- Command-line interfaces: the DOS-like command prompt (for Windows users) or Konsole (for Linux users)
2- Graphical interfaces (such as Smart Whois, or Sam Spade)
3- Web sites that provide the online Whois service (my favorite is “Domaintools.com”)

Let’s see the results of each one

From the command prompt (using the Whois tool from Sysinternals)



From the GUI of “Smart Whois”




Note 1: When I was installing “Smart Whois” I got this message:



Have you noticed that the port used is TCP 43?

From the Web Site “domaintools”



From the Linux Konsole





Please compare the results to see how much important information we can get from just 1 tool (Whois):
- IP addresses (can be used in almost every attack)
- Email addresses (can be used for example in Social Engineering attacks, delivering viruses or Rootkits…)
- Phone and Fax Numbers (can be used for example in Social Engineering attacks, Wardriving…)
- Contact persons (can be used in Social Engineering, retrieving the username naming methodology…)
- Location Address (can be used for example in Physical Attacks, dumpster diving, Social Engineering…)
- Name Servers (can be used for example in DNS Flooding, IP Attacks…)
The more you search, the more information you will get to start the perfect attack :)

I created 2 videos that show the usage of Whois (as a Whois query tool) and Wireshark (as a protocol analyzing tool) to see in detail what happens behind the scenes

For Linux users:



Download an AVI version here: http://www.megaupload.com/
Download a Flash version here: http://www.4shared.com/

For Windows users:



Download an AVI version here: http://www.megaupload.com/
Download a Flash version here: http://www.4shared.com/

Sorry for making it a long article, but I wanted to clarify every single bit.
Till next article,
Please take care.
