                                ==Phrack Inc.==

                   Volume Four, Issue Forty, File 4 of 14

                              Network Miscellany
           *******************************************************
            < How to Acquire Information on Internet Computers >
           *******************************************************
                        Compiled from Internet Sources

                               by The Racketeer
                             of The Hellfire Club

                   Network Miscellany created by Taran King


Generally speaking, information is everything. A lot of hacking any
computer on a network is being able to gather information about the
machine and its vulnerabilities. This file is about using the available
resources on the Internet network in order to gain important information
about any prospective sites.

A large amount of information has been printed in Phrack recently about
the Internet, most of it copied straight from manuals and in my opinion
lacking hacking flair. Therefore, I'm going to take you straight into the
heart of the heart of the matter with this file on acquiring information!

Now, the Internet is notorious for not having an instruction manual. Most
people who find out what the Internet is learn from their friends. It
used to be that there was only one real landmark on the Internet, and that
was the SIMTEL-20 FTP archive. Now, the Internet is probably the largest
free network in existence. In fact, it's a hacker's paradise!

Unfortunately, you have to know about "public" sites on the network before
you can use them. Likewise, how are you going to hack an organization if
you don't know any machines on it? Sort of like trying to complain to
Packard-Bell about your computer equipment not working when the bastards
don't supply their name, address, or phone number. You are going to have
to find another way to get that information if you want to get anything
done.

There is not any one particular way to learn about a site. In fact, you'll
have to combine several unusual methods of gathering information in order
to obtain anything resembling a "complete picture."
However, using the combinations of techniques described in this file, you
can maneuver through any network on the Internet and learn about the
machines within.

The first stop on this journey is the ARPANet Network Information Center
(frequently called "NIC" by experienced network users). NIC's purpose is
simply to keep track of all the network connections, fields, domains, and
hosts that people wish to be told about.

To connect to NIC, you would issue a command from your Internet connected
machine similar to this:

                .----------------------- command
               \/
[lycaeum][1]> telnet nic.ddn.mil

This will (within a short period of time) route you to the Network
Information Center and grant you access. There isn't a straightforward
login/logout system on NIC like other Unix computers; it will just connect
you to the Information System upon connection. The message you will get
will be similar to this:

* -- DDN Network Information Center --
*
* For TAC news, type:                    TACNEWS
* For user and host information, type:   WHOIS
* For NIC information, type:             NIC
*
* For user assistance call (800) 235-3155 or (415) 859-3695
* Report system problems to ACTION@NIC.DDN.MIL or call (415) 859-5921

SRI-NIC, TOPS-20 Monitor 7(21245)-4
@

Great, now we are in. Essentially, since NIC is just a great big telephone
book, we need to let our fingers do the walking. Let's demonstrate a few
simple commands as I go after one of the government contract giants, the
corporation known as UNISYS. Let's start by entering WHOIS.

@WHOIS
SRI-NIC WHOIS 3.5(1090)-1 on Tue, 22 Aug 91 15:49:35 PDT, load 9.64
Enter a handle, name, mailbox, or other field, optionally preceded
by a keyword, like "host sri-nic". Type "?" for short, 2-page
details, "HELP" for full documentation, or hit RETURN to exit.
---> Do ^E to show search progress, ^G to abort a search or output <---
Whois:

Okay, now we are in the database. Since Unisys is our target, let's go
ahead and ask it about "Unisys."

Whois: unisys
Cartee, Melissa (MC142)                    unisys@email.ncsc.navy.mil  (904) 234-0451
Ebersberger, Eugen (EE35)                  UNISYS@HICKAM-EMH.AF.MIL  (808) 836-2810
Lichtscheidl, Mark J. (MJL28)              UNISYS@BUCKNER-EMH1.ARMY.MIL  (DSN) 634-4390
Naval Warfare Assessment Center (UNISYS)   UNISYS.NWAC.SEA06.NAVY.MIL  137.67.0.11
Navratil, Rich (RN74)                      UNISYS@COMISO-PIV.AF.MIL  (ETS) 628-2250
There are 28 more matches. Show them? y    --> of course
Peterson, Randy A. (RP168)                 UNISYS@AVIANO-SBLC.AF.MIL  (ETS) 632-7721
Przybylski, Joseph F. (JP280)              UNISYS@AVIANO-SBLC.AF.MIL  (ETS) 632-7721
UNISYS Corporation (BIGBURD)               BIGBURD.PRC.UNISYS.COM  128.126.10.34
UNISYS Corporation (GVLV2)                 GVL.UNISYS.COM  128.126.220.102
UNISYS Corporation (MONTGOMERY-PIV-1)      MONTGOMERY-PIV-1.AF.MIL  26.5.0.204
Unisys Corporation (NET-MRC-NET)           MRC-NET  192.31.44.0
Unisys Corporation (NET-SDC-PRC-CR)        UNISYS-ISF-11  192.26.24.0
Unisys Corporation (NET-SDC-PRC-LBS)       UNISYS-ISF-9  192.26.22.0
UNISYS Corporation (NET-SDC-PRC-NET)       UNISYS-ISF-7  192.12.195.0
Unisys Corporation (NET-SDC-PRC-SA)        UNISYS-ISF-10  192.26.23.0
Unisys Corporation (NET-SDC-PRC-SW)        UNISYS-ISF-8  192.26.21.0
Unisys Corporation (NET-UNISYS-CULV)       UNISYS-CULV  192.67.92.0
Unisys Corporation (NET-UNISYS-PRC)        UNISYS-PRC  128.126.0.0
Unisys Corporation (NET-UNISYS-RES1)       UNISYS-RES1  192.39.11.0
Unisys Corporation (NET-UNISYS-RES2)       UNISYS-RES2  192.39.12.0
Unisys Corporation (NET-UNISYS2)           UNISYS-B2  129.221.0.0
Unisys Corporation (STARS)                 STARS.RESTON.UNISYS.COM  128.126.160.3
Unisys Corporation (UNISYS-DOM)            UNISYS.COM
Unisys Linc Development Centre (NET-LINC)  LINC  143.96.0.0
UNISYS (ATC-SP)                            ATC.SP.UNISYS.COM  129.218.100.161
Unisys (FORMAL)                            FORMAL.CULV.UNISYS.COM  192.67.92.30
UNISYS (KAUAI-MCL)                         KAUAI.MCL.UNISYS.COM  128.126.180.2
UNISYS (MCLEAN-UNISYS)                     MCLEAN-UNISYS.ARMY.MIL  26.13.0.17
UNISYS (NET-UNISYS-RES3)                   UNISYS-RES3  192.67.128.0
Unisys (NET-UNISYS-SP)                     UNISYS-SP  129.218.0.0
UNISYS (SALTLCY-UNISYS)                    SALTLCY-UNISYS.ARMY.MIL  26.12.0.120
UNISYS (SYS-3)                             SYS3.SLC.UNISYS.COM  129.221.15.85
Wood, Roy (RW356)                          UNISYS@LAKENHEATH-SBLC.AF.MIL  0044-0638-522609
                                           (DSN) 226-2609

As you can see, the details on these computers get fairly elaborate. The
first "column" is the matching information, second column is the network
name or title, then it is followed by a phone number or IP port address.
If the phone number has an area code, then it is of a standard phone
nature; however, if it is (DSN) then it's on the "Data Security Network,"
aka Autovon (the military phone system).

Now, as you can tell from the above list, there are several UNISYS accounts
at military machines -- including a military machine NAMED after Unisys
(mclean-unisys.army.mil). This stands to reason since Unisys deals mostly
in military computer equipment. Since it is a secretive military group,
you'd figure an outsider shouldn't be able to gain much information about
them.

Here is what happens if you center on a specific person:

Whois: cartee
Cartee, Melissa (MC142)  unisys@email.ncsc.navy.mil
   7500 McElvey Road
   Panama City, FL 32408
   (904) 234-0451
   MILNET TAC user

   Record last updated on 18-Apr-91.

Hmm.. Very interesting. This user obviously has access to military
computers since she has a TAC card, and goes under the assumed identity as
"Unisys" in general. Could this person be a vital link to the Unisys/U.S.
Defense connection? Quite possibly. More likely she is a maintenance
contact, since she can use her TAC card to contact multiple (confined)
military networks.

I've gone ahead and requested specific information about
kauai.mcl.unisys.com, which as far as I know is a focal point for the
Unisys Networks. Of course, the information on this machine is
non-classified (or if it IS classified, Unisys will probably be chewed out
by Uncle Sam).
Notice all the great information it gives:

Whois: kauai.mcl.unisys.com
UNISYS (KAUAI-MCL)
   Building 8201, 10th Floor Computer Room
   8201 Greensboro Drive
   McLean, VA 22102

   Hostname: KAUAI.MCL.UNISYS.COM
   Nicknames: MCL.UNISYS.COM
   Address: 128.126.180.2
   System: SUN-3/180 running SUNOS

   Coordinator:
      Meidinger, James W. (JWM3)  jim@BURDVAX.PRC.UNISYS.COM
      (215) 648-2573

   domain server

   Record last updated on 05-Aug-91.

   No registered users.

Aha! The Coordinator on this machine doesn't use it! There are no
registered users! Namely, if you wanted to hack it, you aren't screwing
with the higher ups (this is good). Since when does Unisys buy computers
from other companies? Can't they just grab a few off the assembly line or
something? The computer is stationed in McLean, Virginia! That's where
the CIA is! Could Unisys be developing computers for the international
espionage scene?

Obviously, there is a great deal of information to be sucked out of this
machine. How? The answer was listed there. The machine is a DOMAIN
SERVER. That means this computer holds the network information used to
identify all the computer systems on its network and all we need to do
right now is figure out a way to squeeze that information out! But first,
let's see if our hunch was correct in assuming the bigwigs are far away by
checking out the head honcho, "Mr. Meidinger."

Whois: jim@burdvax.prc.unisys.com
Meidinger, James W. (JWM3)  jim@BURDVAX.PRC.UNISYS.COM
   Unisys Corporation
   Computer Resources
   Room g311
   P.O. Box 517
   Paoli, PA 19301-0517
   (215) 648-2573

   Record Last Updated on 04-Jul-90.

Yup, Mr. Meidinger is far away -- Pennsylvania, to be exact. Not exactly
keyboard's length away, is he? Besides, being in the "Computer Resources"
department, I'd suspect he is just an accountant. Accountants are to
computing as beavers are to trees (unless, of course, they actually like
computers, which isn't a foregone conclusion in the business world).

I'm going to skip the rest of the information on NIC, since it has been
overkilled in this particular magazine anyway. The only hint I have is to
read CERT's and DDN's news blurbs, since they give out some interesting
information which would be useful and educational. Besides, messing around
with the CIA's hired goons sounds much more fun.

Now is the time for a little bit of a lesson in critical reasoning: the
Internet isn't exactly a "free to the public" network, meaning you just
can't attach your computer to a machine on the Internet and expect it to
work all of a sudden. You need to configure your machine around the
computers in the network domain you are linking into, and if you have their
permission, then everything is cool. But once you're configured, and your
router and/or server has been notified of your existence, does that mean
anyone else has that information? The answer is yes, although that info
won't be forwarded to a place like NIC -- it will have to be obtained
another way.

All packets of data on the Internet need to be routed to and from valid
computer hosts. Therefore, all of this information is stored on the
network's gateway. But the routing information stored is simply in numeric
format, such as 128.126.160.3. At least, that is as understandable as it
gets, since Ethernet addresses are even more elaborate and in binary.

However, as Internet users know, there is more than a single way of
describing a computer. "telnet 128.126.160.3" would be one way of
connecting to a computer, or "telnet aviary.stars.reston.unisys.com" would
be another way of connecting to the same computer. These names are chosen
by the owner of the network, and are described through the use of "domain
servers."

As you recall, kauai.mcl.unisys.com was listed by NIC as a domain server.
This means that the names of the computer systems on that network are
stored on that particular host. Of course, that's not the only thing.
The domain server presents the computer name and IP number to the
connecting machine allowing you to connect to the computer by using a
"domain style name." Ultimately, everything is converted to IP numbers.

Most network software allows compatibility with domain servers, meaning if
you want to connect to nic.ddn.mil, and you specify a command "telnet
nic.ddn.mil" then you will connect to nic.ddn.mil. Sadly, this isn't true
of all computers (which require IP numbers only), but at least it is true
enough that the general user is likely to have such computer resources.

Reaching back to the Dark Ages, there is a computer program that allows
machines that don't directly interpret domain style addresses to IP
addresses to still find out what the name of a machine is. This program is
called "nslookup" and is usually found in the Unix operating system (at
least, I haven't used it anywhere else -- it might only work on Unix).

"nslookup" stands for Name Server Lookup (there has been some debate, it
seems, if a domain server is really a name server, or vice versa; in fact,
both describe what they do well enough to have conflict). Regardless,
let's go ahead and work on learning how to use nslookup.

[lycaeum][2]> nslookup
Default Name Server: lycaeum.hfc.com
Address: 66.6.66.6

Now, going back to that NIC information we got earlier, let's continue to
hack on poor old Unisys, which is giving up its info every step we make.
We determined that the kauai.mcl.unisys.com was a domain server, so let's
jump ahead to that by changing our server to their server (after all, the
computers we are after aren't on our machine).

> server kauai.mcl.unisys.com
Default Server: kauai.mcl.unisys.com
Address: 128.126.180.2

Okay, now we have connected to the server. This isn't a constant
connection, by the way. It will only establish a connection for the brief
instant that it takes for it to execute commands. It doesn't require a
password or an account to get this information off of a nameserver.

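
The "ls" listings in the rest of this file are DNS zone transfers, as the
ListHosts error further down says. The following is an added example, not
part of the original file, showing how an operator can spot such requests
when they come from anyone but a registered secondary server. The addresses,
zone names and function names are constructed for the example.

```python
import struct

# Query types that ask a server for a copy of zone data
# (AXFR: RFC 1035, IXFR: RFC 1995).
TRANSFER_TYPES = {252: "AXFR", 251: "IXFR"}


def build_query(name, qtype, msg_id=0x1234):
    """Encode a one-question DNS query (only used to construct sample traffic)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_question(msg):
    """Return (qname, qtype) for the first question of a query, else None."""
    if len(msg) < 12:
        return None
    _msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None                    # ran off the end: truncated name
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):
            return None                    # pointer/reserved label or truncated
        labels.append(msg[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(msg):
        return None
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype


def unauthorized_transfers(events, secondaries):
    """List (source, type, zone) for transfer requests not sent by a secondary."""
    alerts = []
    for source, msg in events:
        question = parse_question(msg)
        if question is None:
            continue                       # malformed or not a query: ignore
        qname, qtype = question
        if qtype in TRANSFER_TYPES and source not in secondaries:
            alerts.append((source, TRANSFER_TYPES[qtype], qname))
    return alerts


# Constructed sample: (source address, DNS message) pairs as they would come
# from a capture of TCP port 53, with the 2-byte TCP length prefix removed.
SECONDARIES = {"192.0.2.53"}               # hypothetical authorized secondary
SAMPLE_EVENTS = [
    ("192.0.2.53", build_query("example.com", 252)),         # expected transfer
    ("203.0.113.77", build_query("example.com", 252)),       # outsider, AXFR
    ("203.0.113.77", build_query("Corp.Example.COM.", 252)),  # outsider, AXFR
    ("198.51.100.9", build_query("www.example.com", 1)),     # ordinary A lookup
    ("198.51.100.9", b"\x12\x34\x00"),                       # truncated junk
]

if __name__ == "__main__":
    for alert in unauthorized_transfers(SAMPLE_EVENTS, SECONDARIES):
        print("zone transfer request from %s: %s %s" % alert)
```

Refusing transfers to everyone except the secondaries is the actual fix; the
check above only tells you who has been asking.
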
Let's start off by having it give us a list of everything about Unisys
that this server knows. "Everything" is pretty much a good place to start,
since we can't go wrong. If we come up with nothing, then that's what's
available. The basic command to list machines is "ls" like the Unix
directory command.

> ls unisys.com
[kauai.mcl.unisys.com]
Host of domain name             Internet address
unisys.com                      server = burdvax.prc.unisys.com  3600
burdvax.prc.unisys.com          128.126.10.33  3600
unisys.com                      server = kronos.nisd.cam.unisys.com  3600
kronos.nisd.cam.unisys.com      128.170.2.8  3600
unisys.com                      server = kauai.mcl.unisys.com  3600
kauai.mcl.unisys.com            128.126.180.2  43200
unisys.com                      server = io.isf.unisys.com  3600
io.isf.unisys.com               128.126.195.20  3600
reston.unisys.com               server = aviary.stars.reston.unisys.com  3600
aviary.star.reston.unisys.com   128.126.160.3  3600
aviary.star.reston.unisys.com   128.126.162.1  3600
reston.unisys.com               server = kauai.mcl.unisys.com  3600
kauai.mcl.unisys.com            128.126.180.2  43200
rosslyn.unisys.com              server = aviary.stars.reston.unisys.com  3600
aviary.stars.reston.unisys.com  128.126.160.3  3600
aviary.stars.reston.unisys.com  128.126.162.1  3600
rosslyn.unisys.com              server = kauai.mcl.unisys.com  3600
kauai.mcl.unisys.com            128.126.180.2  43200
rmtc.unisys.com                 server = rmtcf1.rmtc.unisys.com  3600
rmtcf1.rmtc.unisys.com          192.60.8.3  3600
rmtc.unisys.com                 server = gvlv2.gvl.unisys.com  3600
gvlv2.gvl.unisys.com            128.126.220.102  3600
sp.unisys.com                   server = dsslan.sp.unisys.com  3600
dsslan.sp.unisys.com            129.218.32.11  3600
sp.unisys.com                   server = sys3.slc.unisys.com  3600
sys3.slc.unisys.com             129.221.15.85  3600
cam.unisys.com                  server = kronos.nisd.cam.unisys.com  3600
kronos.nisd.cam.unisys.com      128.170.2.8  3600
cam.unisys.com                  server = burdvax.prc.unisys.com  3600
burdvax.prc.unisys.com          128.126.10.33  3600
prc.unisys.com                  server = burdvax.prc.unisys.com  3600
burdvax.prc.unisys.com          128.126.10.33  3600
prc.unisys.com                  server = kronos.prc.unisys.com  3600
kronos.prc.unisys.com           128.170.2.8  3600
prc.unisys.com                  server = walt.prc.unisys.com  3600
walt.prc.unisys.com             128.126.2.10  3600
walt.prc.unisys.com             128.126.10.44  3600
culv.unisys.com                 server = formal.culv.unisys.com  3600
formal.culv.unisys.com          192.67.92.30  3600
culv.unisys.com                 server = kronos.nisd.cam.unisys.com  3600
kronos.nisd.cam.unisys.com      128.170.2.8  3600
slc.unisys.com                  server = sys3.slc.unisys.com  3600
sys3.slc.unisys.com             129.221.15.85  3600
slc.unisys.com                  server = dsslan.sp.unisys.com  3600
dsslan.sp.unisys.com            129.218.32.11  3600
slc.unisys.com                  server = nemesis.slc.unisys.com  3600
nemesis.slc.unisys.com          128.221.8.2  3600
bb.unisys.com                   server = sunnc.wwt.bb.unisys.com  3600
sunnc.wwt.bbs.unisys.com        192.39.41.2  3600
bb.unisys.com                   server = burdvax.prc.unisys.com  3600
burdvax.prc.unisys.com          128.126.10.33  3600
isf.unisys.com                  server = orion.ISF.unisys.com  3600
orion.ISF.unisys.com            128.126.195.7  3600
isf.unisys.com                  128.126.195.1  3600
isf.unisys.com                  server = burdvax.prc.unisys.com  3600
burdvax.prc.unisys.com          128.126.10.33  3600
isf.unisys.com                  server = io.isf.unisys.com  3600
io.isf.unisys.com               128.126.195.20  3600
gvl.unisys.com                  128.126.220.102  172800
gvl.unisys.com                  server = gvlv2.gvl.unisys.com  3600
gvlv2.gvl.unisys.com            128.126.220.102  3600
gvl.unisys.com                  server = burdvax.prc.unisys.com  3600
burdvax.prc.unisys.com          128.126.10.33  3600
mcl.unisys.com                  128.126.180.2  43200
mcl.unisys.com                  server = kauai.mcl.unisys.com  43200
kauai.mcl.unisys.com            128.126.180.2  43200
mcl.unisys.com                  server = burdvax.prc.unisys.com  43200
burdvax.prc.unisys.com          128.126.10.33  3600
mcl.unisys.com                  server = kronos.nisd.cam.unisys.com  43200
kronos.nisd.cam.unisys.com      (dlen = 1152?)  4096
ListHosts: error receiving zone transfer:
  result: NOERROR, answers = 256, authority = 0, additional = 3.

Bummer, an error. Funny, it claims there isn't an error, yet it screwed up
the kronos address and knocked me out. Apparently, this domain server is
screwed.
Oh well, I guess that's really their problem because in the information it
gave us, it was able to provide all the answers we needed to figure out the
next step!

Quick analysis of the above information shows that most of the servers were
connected to at LEAST two other servers. Quite impressive: A
fault-tolerant TCP/IP network. Since it is fault tolerant, we can go ahead
and use a different machine to poke into the "mcl.unisys.com" domain.
Since "mcl" stands for McLean, that's where we want to go.

Remember that NIC told us that kauai.mcl.unisys.com had an alias? It was
also called "mcl.unisys.com". Looking at the above list, we see toward the
bottom that mcl.unisys.com is also domain served by the computers
burdvax.prc.unisys.com and kronos.nisd.cam.unisys.com. Let's connect to
one of them and see what we can gather!

Whenever a server starts acting screwy like kauai was doing, I make it a
habit of using IP numbers when they are available. I'm going to connect to
burdvax.prc.unisys.com through its IP address of 128.126.10.33.

> server 128.126.10.33
Default server: [128.126.10.33]
Address: 128.126.10.33

Now that we are connected, let's see the network information again, but
this time let's try something different and possibly more useful. This
time we will use the -h command, which happens to describe the computer
type (CPU) and the operating system it runs on (OS) which will give us a
better idea of what we are dealing with.

> ls -h mcl.unisys.com
Host or domain name        CPU            OS
maui.mcl.Unisys.COM        SUN-2/120      UNIX      43200
cisco.mcl.Unisys.COM       CISCO GATEWAY  CISCO     43200
kauai.mcl.Unisys.COM       SUN-3/180      UNIX      43200
voyager.mcl.Unisys.COM     SUN-4/330      UNIX      43200
dial.mcl.Unisys.COM        SUN-3/260      UNIX      43200
astro.mcl.Unisys.COM       SUN-3/60       UNIX      43200
hotrod.mcl.Unisys.COM      Unisys 386     SCO/UNIX  43200
oahu.mcl.Unisys.COM        VAX-11/785     UNIX      43200
lanai.mcl.Unisys.COM       SUN-3/160      UNIX      43200
mclean_is.mcl.Unisys.COM   386            NOVELL    43200

WOW! Look at all those Suns!
I guess Unisys has no faith in their own computers or something! If only
President Bush could see this display of a company backing their product!
In fact, the only Unisys computer in this whole lot is a cheesy 386 clone
which probably is some guy's desktop machine.

Once again, there is some fascinating information here. Let's run through
it really quick:

Maui is a Sun 2, which is a really old RISC computer. You don't see many
of these around but they still can be useful for storing stuff on. But
then again, it probably is faster than a PC!

Oahu is a Vax-11 which is apparently running Ultrix. This may be where
Unisys hoards all their programmers since it isn't being used for serious
networking (at least, as far as we can tell).

Mclean_is happens to be the file server for a PC network. We can't really
tell from this point how many computers are on this network, but it could
be possible it is used for public information trade, where secretaries or
receptionists use it to confirm trade and scheduling.

Hotrod is also a 386, made by Unisys even! Oddly, it is running a copy of
SCO Unix, which means it is, no doubt, a personal computer someone uses for
Unix programming. If Unisys were itself a part of the government, I'd
think this computer would have been a kludged bidding contract which they
got stuck with because they were aiming for lowest bid and were
unfortunately not very picky.

Voyager is an interesting machine, which is apparently the most modern on
this network. Since it is a Sun-4 computer (probably IPX) it would be a
high-speed graphics workstation. This could be the machine where many CAD
applications are stored and worked on. Another possibility is that Sun 4
computers were extremely expensive when they purchased this network of
Suns, and they purchased this one machine to be the file server to the
other Sun 3s and the Sun 2. If you were to gain access to one of the other
machines, it's possible you would have access to all of them.

Cisco is just a standard Cisco Router/Gateway box, linking that particular
network to the Internet.

Kauai is a messed up domain server, big deal. It might work on the same
network as Astro and Lanai.

Dial is a Sun-3. Is there something in a name? This could be the
telecommunications dial-in for the network. Maybe the same computer system
has a dialout attached to it. It might even be possible that "dial" has a
guest account for people logging in so that they can easily connect to
other computers on the same network (probably not).

Astro and Lanai are also Sun 3 computers. It isn't quite obvious what
their purpose is. Essentially, we have the impression that they were all
purchased about the same time (explaining the large number of Sun-3
computers in this network) and it is quite possible they are just linked up
to the Sun 4 in a file sharing network. It is also possible they are older
and fundamental to the operation of Unisys's communication platform at this
particular site.

There is one flaw that makes using the -h switch somewhat unreliable:
Sometimes people realize you can do this and take the time to remove or
never include the information about the individual machines on the network.
Therefore, it is always best for you to do a "ls " and check everything out
in case a computer has been removed. Using "telnet" to connect to the
computer is usually a foolproof method of finding out what computer it is
they are talking about.

> ls mcl.unisys.com
[[128.126.10.33]]
Host or domain name         Internet address
mcl.Unisys.COM              server = kauai.mcl.unisys.com  3600
kauai.mcl.unisys.com        128.126.180.2  3600
mcl.Unisys.COM              server = burdvax.prc.unisys.com  3600
burdvax.prc.unisys.com      128.126.10.33  3600
mcl.Unisys.COM              server = kronos.nisd.cam.unisys.com  3600
kronos.nisd.cam.unisys.com  128.170.2.8  3600
mcl.Unisys.COM              128.126.180.2  43200
maui.mcl.Unisys.COM         128.126.180.3  43200
cisco.mcl.Unisys.COM        128.126.180.10  43200
kauai.mcl.Unisys.COM        128.126.180.2  3600
voyager.mcl.Unisys.COM      128.126.180.37  43200
dial.mcl.Unisys.COM         128.126.180.36  43200
LOCALHOST.mcl.Unisys.COM    127.0.0.1  43200
astro.mcl.Unisys.COM        128.126.180.7  43200
hotrod.mcl.Unisys.COM       128.126.180.125  43200
oahu.mcl.Unisys.COM         128.126.180.1  43200
lanai.mcl.Unisys.COM        128.126.180.6  43200
mclean_is.mcl.Unisys.COM    128.126.180.9  43200

Well, running down the list, it appears that there aren't any more
computers important to this domain that we don't know already. LOCALHOST
is just another way of saying connect to where you are, so that isn't a big
deal. Hotrod being separate from the rest of the machines seems apparent
since its IP address is x.x.x.125, which is quite separate from the others.
Even though this doesn't have to be, it seems it is a wiring kludge --
probably for an office like I surmised.

The next step? Go ahead and hack away! This is where all those system
hacks people trade on the net and all those CERT Advisories become useful.
If you become good at hacking a single machine (Suns, for example), using
nslookup will help you identify those machines and make it easier for you
to hack.

Looking for annex computers, libraries, guest machines, and other such
computers also becomes easy when you use nslookup, because the names and
computer types are there for your convenience. Checking on sites by
selecting interesting "special purpose" machines with nslookup first can
yield good results.
People have called this "netrunning," and it sounds like as good a name as
any.

Of course, the other big problem when dealing with domain servers is trying
to identify them. The largest list of domain servers can be found off of
the Department of Defense Network Listing (usually called hosts.txt) which
is available almost everywhere on the Internet through anonymous FTP. Here
is a rundown on how to get the file:

[lycaeum][3]> ftp wuarchive.wustl.edu
220 wuarchive.wustl.edu FTP server (Version 6.24 Fri May 8 07:26:32 CDT 1992) ready.
Remote host connected.
Username (wuarchive.wustl.edu:rack): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password (wuarchive.wustl.edu:anonymous):
230- This is an experimental FTP server. If your FTP client crashes or
230- hangs shortly after login please try using a dash (-) as the first
230- character of your password. This will turn off the informational
230- messages that may be confusing your FTP client.
230-
230- This system may be used 24 hours a day, 7 days a week. The local
230- time is Wed Jun 3 20:43:23 1992.
230-
230-Please read the file README
230- it was last modified on Mon Mar 2 08:29:25 1992 - 93 days ago
230-Please read the file README.NFS
230- it was last modified on Thu Feb 20 13:15:32 1992 - 104 days ago
230 Guest login ok, access restrictions apply.
ftp> get /network_info/hosts.txt
200 PORT command successful.
150 Opening ASCII mode data connection for /network_info/hosts.txt (1088429 bytes).
226 Transfer complete.
Transferred 1109255 bytes in 182.95 seconds (6063.29 bytes/sec, 5.92 KB/s).
ftp> quit
221 Goodbye.

Now let's convert it to a file we can use effectively: let's take out of
that huge list only the machines that are domain servers:

[lycaeum][4]> grep -i domain hosts.txt > domains

Okay, now that we have done that, let's prove that this is a way of finding
a domain server without connecting to anyplace.
Let's just use the grep command to search the file for a server in the
mcl.unisys.com domain:

[lycaeum][5]> grep -i mcl.unisys.com domains
HOST : 128.126.180.2 : KAUAI.MCL.UNISYS.COM,MCL.UNISYS.COM : SUN-3/180 :
SUNOS : TCP/TELNET,TCP/FTP,TCP/SMTP,UDP/DOMAIN :
[lycaeum][6]>

And there you have another way. Everything we looked at is here: IP
number, the name, the "alias," the computer type, the operating system, and
a brief list of network protocols it supports, including the domain server
attribute. However, none of the other machines on the mcl.unisys.com
network were displayed. The DoD list isn't a complete list of network
machines, only the network machines that are vital to the functioning of
the Internet (in the last year, this list has grown from about 350K to 1.1
megabytes -- and this only reflects the "new" networks, not including the
addition of new machines onto old networks; the Internet is definitely
"in;" I believe it was estimated 25% growth per month!).

Obviously, this is very effective when going after university sites. It
seems they have too many machines to take good care of security on.
Essentially, the DoD list contains much the same information as NIC does,
and is about a million times more discreet. I'm not sure if NIC is fully
logged, but it does have a staff Head of Security (*snicker*).

Well, that will pretty much wrap it up for this file. Hope some of it was
useful for you.
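
The host table record and the "ls -h" listing above both publish hardware
and operating system details to anyone who asks. The following is an added
example, not part of the original file: a parser for the "HOST : ..." record
layout plus a scan for HINFO records (the record type that "ls -h" prints),
for reviewing what your own published data gives away. The sample data is
constructed (example.com names, documentation addresses), and the zone-file
syntax and function names are assumptions of the example.

```python
import re
from typing import NamedTuple


class HostEntry(NamedTuple):
    addresses: list
    names: list
    cpu: str
    os: str
    protocols: list


# Constructed sample in the "HOST : addr : names : cpu : os : protocols :"
# layout of the grep output above. Not real registry data.
SAMPLE_HOSTS_TXT = """\
; constructed sample
NET : 192.0.2.0 : EXAMPLE-NET :
HOST : 192.0.2.2 : NS1.EXAMPLE.COM,EXAMPLE.COM : SUN-3/180 : SUNOS : TCP/TELNET,TCP/FTP,TCP/SMTP,UDP/DOMAIN :
HOST : 192.0.2.10,198.51.100.10 : GW.EXAMPLE.COM : : : TCP/TELNET :
HOST : 192.0.2.25 : MAIL.EXAMPLE.COM : VAX-11/785 : UNIX : TCP/SMTP :
"""

# Constructed zone-file fragment (master file syntax assumed).
SAMPLE_ZONE = """\
; constructed zone fragment
ns1      IN  A      192.0.2.2
ns1      IN  HINFO  "SUN-3/180" "UNIX"
gw       IN  A      192.0.2.10
mail  43200  IN  HINFO  VAX-11/785 UNIX
"""

# owner [ttl] [IN] HINFO cpu os ; cpu and os may be quoted strings
HINFO_RE = re.compile(
    r'^(\S+)[ \t]+(?:\d+[ \t]+)?(?:IN[ \t]+)?HINFO[ \t]+'
    r'("[^"]*"|\S+)[ \t]+("[^"]*"|\S+)',
    re.IGNORECASE | re.MULTILINE,
)


def split_list(field):
    """Split a comma-separated field, dropping empty items."""
    return [item.strip() for item in field.split(",") if item.strip()]


def parse_hosts_txt(text):
    """Parse HOST records; NET/GATEWAY records and comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if fields[0].upper() != "HOST" or len(fields) < 3:
            continue
        fields += [""] * (6 - len(fields))     # tolerate short records
        entries.append(HostEntry(split_list(fields[1]), split_list(fields[2]),
                                 fields[3], fields[4], split_list(fields[5])))
    return entries


def find_hinfo(zone_text):
    """Return (owner, cpu, os) for every HINFO record in a zone file."""
    return [(m.group(1), m.group(2).strip('"'), m.group(3).strip('"'))
            for m in HINFO_RE.finditer(zone_text)]


def audit(hosts_text, zone_text):
    """Return (host, finding) pairs describing what the data discloses."""
    findings = []
    for entry in parse_hosts_txt(hosts_text):
        name = (entry.names or entry.addresses or ["?"])[0]
        if entry.cpu or entry.os:
            findings.append((name, "host table publishes hardware/OS: %s / %s"
                             % (entry.cpu or "-", entry.os or "-")))
        if {"UDP/DOMAIN", "TCP/DOMAIN"} & set(entry.protocols):
            findings.append((name, "listed as domain server: confirm zone "
                                   "transfers are limited to secondaries"))
    for owner, cpu, os_name in find_hinfo(zone_text):
        findings.append((owner, "zone publishes HINFO: %s / %s" % (cpu, os_name)))
    return findings


if __name__ == "__main__":
    for host, finding in audit(SAMPLE_HOSTS_TXT, SAMPLE_ZONE):
        print("%-18s %s" % (host, finding))
```
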