Identity Techniques
Paul Gurgul
03/18/2005
When the network that is now the Internet was first designed, it was assumed that all users wanted to be found. No one had reason to hide, and it seemed sensible that researchers should be able to locate each other. Utilities were created to facilitate such finding.
Since the early days, the rise of multiple protocols has made finding people even more convenient. The “old days” demanded a high level of networking knowledge from the user. Today, finding or identifying most individuals is trivial. Throughout this paper, I examine techniques, as well as some concepts about wholesale tracing (tracing many individuals at one time).
You may wonder why this is deemed a security issue. In truth, it really isn't--not yet. However, you will learn that the Internet is a powerful tool for domestic spying. Law-enforcement and intelligence agencies already conduct such practices on the Internet, and for them, the Network is a bonanza. No search warrant is needed to "study" the activity of someone on the Internet. Likewise, no warrant is needed to compile lists of individuals whom law enforcement perceives to be involved in illegal (or even seditious) activity. If you harbor radical political views, you may elect to forever keep those views to yourself (or gain a decent education in cryptography).
I begin with the most fundamental aspects of the subject and progress forward to more advanced information.
I need to make one statement regarding the diagnostic network information contained within this paper. Certain methods of finding individuals demand the use of search engines. I will not publish an individual's e-mail address without his consent. Because of this, I cannot reproduce the output of such searches, because it necessarily contains the e-mail addresses of unknown users.
Therefore, those searches have to be described rather than illustrated. I do apologize for this. However, upon reflection, I would not want my e-mail address published, and I see no reason why anyone else would, either. The argument is often made that anyone who posts to newsgroups has at least given an implied form of consent.
What's in a Name?
There are two forms of user identification that apply to all platforms: your e-mail address and your IP address. It is often theorized that if one is obscured, the other can never be found. That is untrue. Without chaining messages through a series of trusted anonymous remailers (remailers that are purportedly secure), anonymity on the Internet is virtually impossible.
It is possible, however, to make yourself relatively invisible, and that is probably what most individuals would like to do. Before I get more specific, however, there are some utilities you need to know about, as well as methods of tracing individuals. I'll start with finger.
finger
The finger service is a utility common to the UNIX platform. Its purpose is to provide information about users on a given system. In practical operation, finger works like most other services available in UNIX.
The finger service relies on the client/server model, which is a recurring theme in Internet applications. This model works as follows: machines running server applications distribute information to clients. Clients are programs designed to accept and interpret information from server applications. For example, you use a Web browser (or client) to read information forwarded by a Web server (the HTTP server).
In any event, the finger client-server relationship works as follows: On the targeted machine (almost always a UNIX system), there is a server running called fingerd. This is more commonly referred to as the finger daemon. Its purpose is to answer requests from finger clients from the void.
The finger daemon can return different information, depending largely on the configuration of the server and the user's personalized settings. For example, sometimes an "open" UNIX server (that is, one not running a firewall) will disallow finger access. This is done by disabling the finger daemon, removing it from the file /etc/inetd.conf. In this case, the finger service is never started. Any client-issued finger request forwarded to such a machine will meet with a blank response (or perhaps a "Connection refused" message).
Many organizations, particularly ISPs, government sites, and private corporations, disable finger services. Each has an interest in preserving the privacy of its users, and that is usually the reason given for disabling the service. As you will learn later, however, their motivation may also be system security.
NOTE: Certain vital information about the system can be culled by fingering system IDs such as root, bin, FTP, and so on. On that account, some sites will disable finger services altogether. It is thought that by killing the finger and RPC services, one can restrict the amount of revealing information available to crackers in the void. To some extent, this is true.
Some sites do not disable finger services altogether, but instead put restrictions on what type of information can be accessed. For example, by default, the finger daemon allows a system wide finger. Anyone can be fingered, including special or privileged accounts. When system wide fingering is allowed, one can gather information on all users currently logged to the machine. This is done by issuing the following command at a UNIX command prompt:
The @ symbol has essentially the same effect as the asterisk does in regular expression searches. When it is used, the user is fingering all users currently logged to the target machine. This is most useful when targeting small providers that have few customers, or when conducting such a finger query late at night. Certainly, fingering a company as large as Netcom in this manner would be foolish. (The response forwarded by the server would likely be many pages in length. The only valid reason for doing this would be to generate a database of Netcom users.) At any rate, some organizations will disallow such a request, instead forcing the requesting party to specify a particular user.
Other sites make use of hacked finger daemons, either created in-house or available as distributions from other sites across the Internet. These are finger daemons that have enhanced features, including advanced configuration options.
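The following is an added example, not code from the original paper or from any real finger daemon: a minimal finger exchange on localhost in which the server applies the restrictions discussed above (no system-wide "@" listing, no forwarding to other hosts, no description of privileged accounts such as root or bin). The account table, the hostnames and the ephemeral port are all constructed assumptions; the request syntax (optional "/W", a username, optional "@host" chain, CRLF) follows RFC 1288.

```python
import socket
import threading

# Constructed account table standing in for /etc/passwd (no real accounts).
ACCOUNTS = {
    "root":  {"name": "0000-Admin(0000)", "home": "/",           "shell": "/sbin/sh"},
    "bin":   {"name": "0000-Admin(0000)", "home": "/usr/bin",    "shell": "/sbin/sh"},
    "alice": {"name": "Alice Example",    "home": "/home/alice", "shell": "/bin/ksh"},
}
# System IDs a restricted daemon should never describe.
PRIVILEGED = {"root", "bin", "daemon", "ftp", "sys", "adm", "uucp", "nobody"}


def parse_request(line):
    """Split one RFC 1288 request line into (verbose, username, forwarding hosts)."""
    req = line.rstrip("\r\n")
    verbose = False
    if req.startswith("/W"):
        verbose = True
        req = req[2:].lstrip()
    user, *hosts = req.split("@")
    return verbose, user, hosts


def answer(line):
    """Policy-restricted reply: no listing, no forwarding, no privileged accounts."""
    verbose, user, hosts = parse_request(line)
    if hosts:
        return "Finger forwarding service denied.\r\n"
    if user == "":
        return "System-wide finger listing is disabled on this host.\r\n"
    if user in PRIVILEGED or user not in ACCOUNTS:
        # Same wording for both cases so the reply does not confirm which names exist.
        return "No such user.\r\n"
    acct = ACCOUNTS[user]
    lines = [f"Login name: {user:<10} In real life: {acct['name']}"]
    if verbose:
        lines.append(f"Directory: {acct['home']:<12} Shell: {acct['shell']}")
    return "\r\n".join(lines) + "\r\n"


def serve(listener, max_requests):
    """Server side: one request line per connection, reply, then close (as fingerd does)."""
    for _ in range(max_requests):
        conn, _addr = listener.accept()
        with conn:
            # A finger request is a few bytes; a single recv is enough on localhost.
            data = conn.recv(1024).decode("ascii", "replace")
            conn.sendall(answer(data).encode("ascii"))


def finger(host, port, query=""):
    """Client side: send the query line and read until the server closes."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("ascii")


def demo():
    """Run the daemon on an ephemeral loopback port (not the real port 79) and query it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    queries = ["", "root", "alice", "/W alice", "alice@other.example"]
    t = threading.Thread(target=serve, args=(listener, len(queries)), daemon=True)
    t.start()
    results = {q: finger("127.0.0.1", port, q) for q in queries}
    t.join()
    listener.close()
    return results


if __name__ == "__main__":
    for query, reply in demo().items():
        print(f"finger {query!r} ->\n{reply}")
```

The reply for an unknown user and for a privileged user is deliberately identical, so a query cannot be used to confirm which system IDs exist on the host.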
At any rate, taking you through the process of a finger inquiry will take just a few moments, but in order for you to exploit the example, you need a finger client. UNIX users, however, have no need for a finger client, because this is included in the basic distribution. The same is true of Windows NT.
Providing the target is running a finger server, the return output should read something like this:
This tells you several things, including the directory where root@samshack resides (/), the shell he or she is using (/sbin/sh), and some details on last login and mail. (Hard-core hackers will know that it also tells you that root@samshack.com is using Solaris as an operating system. Note the 0000-Admin[0000] string.)
This information does not appear to be particularly revealing; however, in all cases, the field "In real life" is filled with a name. Worse still, at some universities, you can get the name, telephone number, dorm room number, and major of students enrolled there (not that the major matters particularly, but it provides some interesting background).
The information available on a finger query is controlled primarily by the system administrator of a given site, as well as what information you provide on your initial signup. Most new users are not aware of this and provide all the information they can. Most people have no reason to hide, and many provide their office telephone number or even their home address.
So the process of identification usually either starts or ends with a finger query. As noted previously, the finger query uses your e-mail address as an index. This leads us immediately into an area of some controversy. Some individuals believe that by changing their e-mail address in the Netscape Navigator or Microsoft Internet Explorer Options panels, they obscure their identity. This is not true. It simply makes your e-mail address more difficult to obtain.
Years ago, the computer science department staff at Carnegie-Mellon University had a gripe about their Coke machine. Often, staffers would venture down to the basement, only to find an empty machine. To remedy this problem, they rigged the machine, connecting it to the Internet (apparently, they did this by wiring the machine to a DEC 3100). They could then issue a finger request and determine the following things:
- How many sodas were in each slot
- What those sodas were--Coke, Diet Coke, Sprite, and so on
- Whether the available sodas were cold
Today, you can still issue a finger request to the Coke machine at CMU. If you were to do so, you would receive output very similar to the following:
As you can see, there is no end to the information available with a finger query. At any rate, many administrators insist on supporting finger, and some have legitimate reasons. For example, a finger server allows easy distribution of information. In order for the finger server to support this functionality, the targeted user (or alias) must have a plan file. (The Coke machine at CMU certainly does!)
The Plan File (.plan)
On most UNIX servers, user directories are kept beneath the /home/ or /usr directory hierarchies. For example, a user with a username of cracker will have his home directory in /home/cracker. (This is not set in stone. System administrators are responsible for where such directories are kept. They could specify this location as anywhere on the drive, but the typical placement is /usr or /home.)
Typically, in that home directory are a series of special files that are created when the user accesses his account for the first time. For example, the first time he utilizes the mail program Pine, a series of files are established, including .pinerc, which is the configuration file for this mail client.
These files are referred to as dot files, because they are preceded by a period. Most dot files are created automatically. The .plan file, however, is not. The user must create this file himself, using any text editor (for example, vi or pico). This file can be closely correlated with the plan.txt file on a VAX system. Its purpose is to print user-specified information whenever that user becomes the target of a finger query. So, if the user saves into the .plan file a text recounting his life history, that text will be printed to the STDOUT of the party requesting finger information. The .plan file is one way that information can be distributed via the finger server.
There are other reasons that some administrators keep the finger service operational. Entire programs can be launched by specifying a particular address to be fingered. In other words, one could (although it is not recommended) distribute text files this way. For example, you could write an event handler to trap finger queries aimed at a particular user; if user A were fingered, the server would send a specified text file to the requesting party. I have seen more than one server configured this way, although it is more common to see mail lists designed in this manner.
For whatever reason, then, finger services may be running on the server at which you have an account. If you have never bothered to check what information is available there, you can check now by issuing a finger request to your own account. You can also examine this information (the majority of it, anyway) by issuing the following command at a shell prompt:
NOTE: This technique will only work on servers that use non-shadowed password files, or those that are not employing NIS. In those instances, you may have to issue a command more like this:
This command will print the information the server holds on you in the /etc/passwd file. Note that this information will be visible even if the server makes use of shadowed password entries.
So now you know: The names of the majority of Net citizens are there for the taking. If your system administrator insists on using finger, there are several things you can do to minimize your exposure:
- Use the popular utility chfn to alter the finger information available to outsiders
- If chfn is not available, request that the sysad change your information
- Cancel your current account and start a new one
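As an added example (not code from the original paper), the following reads constructed /etc/passwd lines, shows which fields a standard finger reply draws from the GECOS field (full name, office, work phone, home phone, the same fields chfn edits), flags accounts that expose more than a name, and builds the minimized GECOS string that clearing those fields with chfn would leave behind. The sample accounts and the reply layout are assumptions; the point that shadowing the password hash does not hide the GECOS field is taken from the text above.

```python
# Constructed sample lines in /etc/passwd format (no real accounts).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice Example,Room 214,555-0100,555-0199:/home/alice:/bin/ksh
bob:x:1002:1002:Bob Example:/home/bob:/bin/csh
carol:x:1003:1003:Carol Example,,,:/home/carol:/bin/sh
"""

# The four comma-separated GECOS subfields that chfn lets a user edit.
GECOS_FIELDS = ("full_name", "office", "work_phone", "home_phone")


def parse_passwd(text):
    """Return one dict per passwd line; an 'x' in field 2 means the hash is in /etc/shadow."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        parts = (gecos.split(",") + [""] * 4)[:4]
        entry = {"user": user, "shadowed": pw == "x", "uid": int(uid),
                 "home": home, "shell": shell}
        entry.update(zip(GECOS_FIELDS, (p.strip() for p in parts)))
        entries.append(entry)
    return entries


def finger_view(entry):
    """What a finger reply shows for the account; it never consults the password field,
    so the GECOS details are visible whether or not the hash is shadowed."""
    out = [f"Login name: {entry['user']:<12} In real life: {entry['full_name']}"]
    if entry["office"] or entry["work_phone"]:
        out.append(f"Office: {entry['office']}, {entry['work_phone']}")
    if entry["home_phone"]:
        out.append(f"Home phone: {entry['home_phone']}")
    out.append(f"Directory: {entry['home']:<14} Shell: {entry['shell']}")
    return "\n".join(out)


def audit(text):
    """List (user, exposed subfields) for accounts whose GECOS holds more than a name."""
    findings = []
    for e in parse_passwd(text):
        exposed = [f for f in ("office", "work_phone", "home_phone") if e[f]]
        if exposed:
            findings.append((e["user"], exposed))
    return findings


def minimized_gecos(entry, keep_name=True):
    """GECOS string equivalent to running chfn and clearing office and phone fields."""
    return entry["full_name"] if keep_name else ""


if __name__ == "__main__":
    for e in parse_passwd(SAMPLE_PASSWD):
        print(finger_view(e), "\n")
    print("accounts to trim with chfn:", audit(SAMPLE_PASSWD))
```

Running the audit over a real passwd file (or over the output of `ypcat passwd` on an NIS client) is the quickest way to see what a finger query on your own account would hand to a stranger.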
NOTE: If you believe in harsh solutions and you want to discourage people from repeatedly fingering your account, write a .plan file that forwards a few megabytes of garbage. This is most useful if your sysad refuses to assist, chfn is unavailable, and some joker is trying to clock your movements using finger.
Of course, perhaps you are not concerned with being fingered as much as you are concerned with who is doing the fingering. If so, you need MasterPlan.
MasterPlan
MasterPlan is an excellent utility. Written by Laurion Burchall and released back in August 1994, this product takes an aggressive approach to protecting your privacy. First and foremost, MasterPlan identifies who is trying to finger you. Each time a finger query is detected, MasterPlan attempts to get the hostname and user ID of the fingering party. These variables are piped to an outfile called finger_log. MasterPlan will also determine how often you are fingered, so you can easily detect if someone is trying to clock you. (Clocking refers to the practice where user A attempts to discern the habits of user B using various network utilities, including finger and the r commands.)
Typically, a cracker writes a shell or Perl script to finger (or otherwise query) the target every specified number of minutes or hours. Reasons for such probing can be diverse. One is to build a profile of the target; for example, when does the user log in? How often does the user check mail? From where does the user usually log in? From these queries, a cracker (or other nosy party) can determine other possible points on the network where the user can be found.
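The following is an added example, not MasterPlan's code and not its actual log format: it runs over constructed finger_log lines (timestamp, querying host, querying user) and flags sources that finger the account repeatedly at near-regular intervals, which is the signature of a scripted probe of the kind described above. The thresholds (at least four queries, interval jitter of at most 20%) and the log layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed finger_log lines: "date time querying-host querying-user" (hypothetical format).
FINGER_LOG = """\
2005-03-18 01:00:02 probe.example.net jdoe
2005-03-18 01:15:01 probe.example.net jdoe
2005-03-18 01:30:03 probe.example.net jdoe
2005-03-18 01:45:00 probe.example.net jdoe
2005-03-18 02:00:02 probe.example.net jdoe
2005-03-18 09:12:44 shell.example.edu friend
2005-03-18 17:40:10 shell.example.edu friend
"""


def parse_log(text):
    """Group query timestamps by (host, user) of the party doing the fingering."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, host, user = line.split()
        events[(host, user)].append(datetime.fromisoformat(f"{date} {time}"))
    return events


def clocking_sources(text, min_queries=4, max_jitter=0.2):
    """Return sources whose queries are both frequent and evenly spaced.

    A human fingering a friend twice a day has irregular gaps; a cron job or
    sleep loop produces gaps whose standard deviation is tiny next to their mean.
    """
    flagged = {}
    for src, times in parse_log(text).items():
        times.sort()
        if len(times) < min_queries:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[src] = {"queries": len(times), "interval_s": round(avg)}
    return flagged


if __name__ == "__main__":
    for (host, user), info in clocking_sources(FINGER_LOG).items():
        print(f"{user}@{host}: {info['queries']} queries, every ~{info['interval_s']} s")
```

The two queries from shell.example.edu fall below the count threshold and are ignored; the five from probe.example.net arrive every fifteen minutes within a few seconds and are reported, which is the case where blanking your finger information or asking the administrator to restrict the service is worth the trouble.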