Hack 100 Find the Owner of a Network

Previous page
Table of content
Next page

figs/moderate.gif figs/hack100.gif

Track down network contacts using WHOIS databases.

Looking through your IDS logs, you've seen some strange traffic coming from another network across the Internet. When you look up the IP address in DNS, it resolves as something like dhcp-103.badguydomain.com. Who do you contact to help track down the person who sent this traffic? You're probably already aware that you can use the whois command to find out contact information for owners of Internet domain names. If you haven't used whois, it's as simple as typing, well, "whois":

$ whois badguydomain.com Registrant:    Dewey Cheatum    Registered through: GoDaddy.com    Domain Name: BADGUYDOMAIN.COM    Domain servers in listed order:       PARK13.SECURESERVER.NET       PARK14.SECURESERVER.NET    For complete domain details go to:    http://whois.godaddy.com

Unfortunately, this whois entry isn't as helpful as it might be. Normally, administrative and technical contacts are listed, complete with a phone number and email and snail mail addresses. Evidently, godaddy.com has a policy of releasing this information only through their web interface, apparently to cut down on spam harvesters. But if the registrant's name is listed as "Dewey Cheatum," how accurate do you think the rest of this domain record is likely to be? Although domain registrants are "required" to give legitimate information when setting up a domain, I can tell you from experience that using whois in this way is a great tool for tracking down honest people.

Since this approach doesn't get you anywhere, what other options do you have? You can use the whois command again, this time using it to query the number registry for the IP address block of the offending address.

Number registries are entities that owners of large blocks of IP addresses must register with, and are split up according to geographic region. The main difficulty is picking the correct registry to query, but the WHOIS server for ARIN (American Registry for Internet Numbers) is generally the best bet it will tell you the correct registry to query if the IP address is not found in its own database.

With that in mind, let's try out a query using the offending IP address:

# whois -h whois.arin.net 208.201.239.103 [Querying whois.arin.net] [whois.arin.net] Final results obtained from whois.arin.net. Results: UUNET Technologies, Inc. UUNET1996B (NET-208-192-0-0-1)                                   208.192.0.0 - 208.255.255.255 SONIC.NET, INC. UU-208-201-224 (NET-208-201-224-0-1)                                   208.201.224.0 - 208.201.255.255 # ARIN WHOIS database, last updated 2004-01-18 19:15 # Enter ? for additional hints on searching ARIN's WHOIS database.

Our query returned multiple results, which will happen sometimes when an owner of a larger IP block has delegated a subblock to another party. In this case, UUNET has delegated a subblock to Sonic.net.

Now we'll run a query with Sonic.net's handle:

# whois -h whois.arin.net NET-208-201-224-0-1 Checking server [whois.arin.net] Results: OrgName:    SONIC.NET, INC. OrgID:      SNIC Address:    2260 Apollo Way City:       Santa Rosa StateProv:  CA PostalCode: 95407 Country:    US ReferralServer: rwhois://whois.sonic.net:43 NetRange:   208.201.224.0 - 208.201.255.255 CIDR:       208.201.224.0/19 NetName:    UU-208-201-224 NetHandle:  NET-208-201-224-0-1 Parent:     NET-208-192-0-0-1 NetType:    Reallocated Comment: RegDate:    1996-09-12 Updated:    2002-08-23 OrgTechHandle: NETWO144-ARIN OrgTechName:   Network Operations OrgTechPhone:  +1-707-522-1000 OrgTechEmail:  noc@sonic.net # ARIN WHOIS database, last updated 2004-01-18 19:15 # Enter ? for additional hints on searching ARIN's WHOIS database.

From the output, you can see that we have a contact listed with a phone number and email. This is most likely the ISP who serves the miscreant who is causing the trouble. Now you have a solid contact who should know exactly who is behind badguydomain.com. You can let them know about the suspicious traffic you're seeing, and get the situation resolved.

Incidentally, you may have trouble using whois if you are querying some of the new TLDs (such as .us, .biz, .info, etc.). One great shortcut for automatically finding the proper whois server is to use the whois proxy at geektools.com . It automatically forwards your request to the proper whois server, based on the TLD you are requesting. I specify an alias such as this in my .profile to always use the geektools proxy:

alias whois='whois -h whois.geektools.com'

Now when I run whois from the command line, I don't need to remember the address of a single whois server. The folks at geektools have a bunch of other nifty tools to make sysadmin tasks easier. Check them out at http://geektools.com .

Rob Flickenger


Previous page
Table of content
Next page
Network Security Hacks
Network Security Hacks: Tips & Tools for Protecting Your Privacy
ISBN: 0596527632
EAN: 2147483647
Year: 2006
Pages: 158
Authors: Andrew Lockhart
BUY ON AMAZON
C++ GUI Programming with Qt 3
SQL Hacks
C & Data Structures (Charles River Media Computer Engineering)
GO! with Microsoft Office 2003 Brief (2nd Edition)
Lean Six Sigma for Service : How to Use Lean Speed and Six Sigma Quality to Improve Services and Transactions
Special Edition Using FileMaker 8
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy