Black Sun Research Facility - Info Gathering Tutorial



                        :::::::::   ::::::::  :::::::::  :::::::::: 
                        :+:    :+: :+:    :+: :+:    :+: :+:        
                        +:+    +:+ +:+        +:+    +:+ +:+        
                        +#++:++#+  +#++:++#++ +#++:++#:  :#::+::#   
                        +#+    +#+        +#+ +#+    +#+ +#+        
                        #+#    #+# #+#    #+# #+#    #+# #+#        
                        #########   ########  ###    ### ###  
                         
                             http://blacksun.box.sk
                           _____________________________
    ______________________I          Topic:             I_____________________
   \                      I                             I                    /
    \     HTML by:        I   Possible Information      I   Written by:     /
    /                     I    leaks on servers         I                   \ 
   /   Digital Fallout    I_____________________________I  Digital Fallout   \
  /___________________________>Version 2.0, 10/13/2001<________________________\



What's New In This Version -

This is a near-complete rewrite of Raven's original "info gathering tutorial"
previously hosted on BSRF. It contains some of the original text from version
1.8. I hope to make it more up to date, more accurate, and generally more
useful to both computer novices and experienced server administrators.
Although the original (before this version) was about how to gather
information about a specific user, this version focuses on servers.

Opening Notes -

This paper is here so that you (the reader) are aware of some of the ways
that anyone can learn about a server: what operating system it is running
and which services (daemons) it offers. Possibly more importantly, it is so
you can be aware of the security risks this creates and take measures to fix
them.


Section 1 - The Port Scan

The port scanner is one of the most basic network tools out there. You as
the admin should have one (preferably nmap, the de facto port scanner)
because you can be sure that your possible attackers have them. The port
scanner works by connecting to every port (or selected ports) on your server
to see whether or not it is accepting connections. Depending on which port
accepts the connection, it can be reasonably assumed that a specific service
is running. For example, if you run a port scan on a server and find that
port 80 is open, you can assume that this particular server is running an
HTTP server. Please note that these are only default ports. It is quite
possible to have an HTTP server running on port 91 or even 4503! But for the
purpose of this paper, we will assume that the default ports are being used.

The following is a list of common ports for specific services. For a
complete list you may look at any number of other references, or look at
the "services" file in your /etc directory on a UNIX based system.



Port   Service

21     FTP
22     SSH
23     Telnet
25     SMTP
79     Finger
80     HTTP
110    POP3
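As an added example (not part of the original BSRF paper), here is a small
audit script that reads the /etc/services format the text refers to, maps the
default ports above to service names, and checks which of them accept TCP
connections on a host you administer. The sample services data is constructed.

```python
"""Added example: parse an /etc/services-style table and check which of the
default ports are accepting TCP connections on a host you administer."""
import socket

# Constructed sample in /etc/services format (the real file is much longer).
SAMPLE_SERVICES = """\
# name     port/proto  aliases        # comments are ignored
ftp        21/tcp
ssh        22/tcp
telnet     23/tcp
smtp       25/tcp      mail
finger     79/tcp
http       80/tcp      www www-http
pop3       110/tcp     pop-3
domain     53/udp                     # not tcp, so skipped below
"""


def parse_services(text, proto="tcp"):
    """Return {port: service_name} for one protocol, ignoring comments/blanks."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, port_proto = line.split()[:2]
        port, _, p = port_proto.partition("/")
        if p == proto:
            table[int(port)] = name
    return table


def is_listening(host, port, timeout=1.0):
    """True if a TCP connect() succeeds, i.e. something accepts on that port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_ports(host, services, timeout=1.0):
    """Probe every port in `services`; returns {port: (name, listening?)}."""
    return {port: (name, is_listening(host, port, timeout))
            for port, name in sorted(services.items())}


if __name__ == "__main__":
    for port, (name, up) in audit_ports("127.0.0.1", parse_services(SAMPLE_SERVICES)).items():
        print(f"{port:>5}  {name:<8}{'open' if up else 'closed'}")
```

Run it against your own machine and compare the "open" lines with the services
you actually intend to offer.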



Section 2 - Default Banners

What is a banner? A banner is the text you see when you try to telnet into
a computer. For example, this is the default banner of a Linux Mandrake
version 6.1 computer:

Linux Mandrake release 6.1 (Helios)
Kernel 2.2.13-4mdksmp on an i686
login:
          

What information do we see here? Well, it is rather obvious. First off, we
know that this is a Linux operating system running the 2.2.13 kernel. We
know that it is running the Mandrake Linux distribution, and we also know
the architecture of the server (i686). This is far more information than
you would want any attacker to know. At this point the attacker could simply
go to one of possibly hundreds of exploit sites, download a pre-made
program, and hack into your computer with little skill at all.

Some other things you may wish to change on your computer to further hide
information are the MOTD files in your /etc directory and, one of the most
overlooked, the COPYRIGHT files that were installed with your system; they
too usually contain information about your server. Keep in mind that a lot
of this can be bypassed by using the uname command, so restrictions on that
command should also be set.




Section 3 - Error Messages

Finally, one of the major things you need to watch out for is error
messages. By purposely not following the expected procedure, a potential
attacker can gain information. One of the most common errors is the 404
error. This error message is generated when an HTTP server is given a
request for a file that does not exist. However, on the default page
displayed when you get the error, you can look at the bottom of the page
and find the version number of the server. This is usually harmless
information by itself, but it is still information that could assist a
possible attacker.
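As an added example (not part of the original BSRF paper) covering both the
banner in Section 2 and the 404 page in Section 3, this script flags the
details the text warns about (distribution, kernel, architecture, server
version) in a banner or error page you capture from your own server. The
Mandrake banner is the one quoted above; the 404 body is constructed.

```python
"""Added example: find OS, kernel, architecture and server-version leaks
in a login banner or an HTTP error page."""
import re

# The Linux Mandrake 6.1 banner quoted in Section 2.
MANDRAKE_BANNER = """\
Linux Mandrake release 6.1 (Helios)
Kernel 2.2.13-4mdksmp on an i686
login:"""

# Constructed 404 body in the style of a web server with its signature enabled.
SAMPLE_404 = """\
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY>
<H1>Not Found</H1>
The requested URL /nothere was not found on this server.
<HR>
<ADDRESS>Apache/1.3.12 Server at www.example.com Port 80</ADDRESS>
</BODY></HTML>"""

# One pattern per kind of leak; the capture groups hold the leaked value.
LEAK_PATTERNS = {
    "distribution": re.compile(r"^(.*?)\s+release\s+([\d.]+)", re.M),
    "kernel": re.compile(r"\bKernel\s+(\S+)", re.I),
    "architecture": re.compile(r"\bon an?\s+(i[3-6]86|x86_64|amd64|sparc|alpha)\b", re.I),
    "server": re.compile(r"\b([A-Za-z][\w-]*/\d[\w.-]*)\s+Server at\b"),
}


def find_leaks(text):
    """Return {leak_kind: leaked_value}; an empty dict means nothing matched."""
    found = {}
    for kind, pattern in LEAK_PATTERNS.items():
        match = pattern.search(text)
        if match:
            found[kind] = " ".join(g for g in match.groups() if g)
    return found


def report(name, text):
    """One line per leak, or a single 'clean' line, for a banner or page."""
    leaks = find_leaks(text)
    if not leaks:
        return [f"{name}: no obvious leaks"]
    return [f"{name}: {kind} -> {value}" for kind, value in leaks.items()]


if __name__ == "__main__":
    for line in report("telnet banner", MANDRAKE_BANNER) + report("404 page", SAMPLE_404):
        print(line)
```

The patterns only cover the formats shown on this page; extend LEAK_PATTERNS
with whatever your own daemons print.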



Closing Notes -

I hope this basic paper gave you some information on the possible ways you
may be accidentally broadcasting information about your server. Please note
that this is by far not a complete list, but it does show the three main
ways information is gained about servers. Please visit
http://blacksun.box.sk for more information about computers and the
internet.

Useful links

http://blacksun.box.sk   <-- BSRF Homepage