Vol. 3 Number 2
How to map the Internet. Dig! Whois! Nslookup! Traceroute! Netstat port 
is getting hard to use anymore, however...
______________________________________________________________
Why map the Internet?
* Because its fun -- like exploring unknown continents. The Internet is 
so huge, and it changes so fast, no one has a complete map.
* Because when you cant make contact with someone in a distant place, 
you can help your ISP trouble shoot broken links in the Internet. Yes, I 
did that once that when email failed to a friend in Northern Ireland. 
How will your ISP know that their communications provider is lying down 
on the job unless someone advises them of trouble?
* Because if you want to be a computer criminal, your map of the 
connections to your intended victim gives you valuable information.
Now since this is a lesson on *legal* hacking, were not going to help 
you out with how to determine the best box in which to install a sniffer 
or how to tell what IP address to spoof to get past a packet filter. 
Were just going to explore some of the best tools available for mapping 
the uncharted realms of the Internet. 
For this lesson, you can get some benefit even if all you have is 
Windows. But to take full advantage of this lesson, you should either 
have some sort of Unix on your personal computer, or a shell account! 
SHELL ACCOUNT! If you dont have one, you may find an ISP that will give 
you a shell account at http://www.celestin.com/pocia/.
****************************
Newbie note: A shell account is an account with your ISP that allows you 
to give commands on a computer running Unix. The shell is the program 
that translates your keystrokes into Unix commands. Trust me, if you are 
a beginner, you will find bash (for Bourne again shell) to be easiest to 
use. Ask tech support at your ISP for a shell account set up to use 
bash. Or, you may be able to get the bash shell by simply typing the 
word bash at the prompt. If your ISP doesnt offer shell accounts, get 
a new ISP that does offer it. A great book on using the bash shell is 
_Learning the Bash Shell_, by Cameron Newham and Bill Rosenblatt, 
published by OReilly.
****************************
So for our mapping expedition, lets start by visiting the Internet in 
Botswana! Wow, is Botswana even on the Internet? Its a lovely 
landlocked nation in the southern region of Africa, famous for cattle 
ranching, diamonds and abundant wildlife. The language of commerce in 
Botswana is English, so theres a good chance that we could understand 
messages from their computers.
Our first step in learning about Botswanas Internet hosts is to use the 
Unix program nslookup. 
****************************
Evil genius tip: Nslookup is one of the most powerful Internet mapping 
tools in existence. We can hardly do it justice here. If you want to 
learn how to explore to the max, get the book _DNS and BIND_ by Paul 
Albitz and Cricket Liu, published by OReilly, 1997 edition.
***************************
The first step may be to find where your ISP has hidden the program by 
using the command whereis nslookup. (Or your computer may use the 
find command.) Aha -- there it is! I give the command:
->/usr/etc/nslookup
Default Server: swcp.com
Address: 198.59.115.2
>
These two lines and the slightly different prompt (it isnt an arrow any 
more) tell me that my local ISP is running this program for me. (It is 
possible to run nslookup on another computer from yours.) Now we are in 
the program, so I have to remember that my bash commands dont work any 
more. Our next step is to tell the program that we would like to know 
what computers handle any given domain name.
> set type=ns 
Next we need to know the domain name for Botswana. To do that I look up 
the list of top level domain names on page 379 of the 1997 edition of 
_DNS and BIND_. For Botswana its bw. So I enter it at the prompt, 
remembering -- this is VERY important -- to put a period after the 
domain name:
> bw. 
Server: swcp.com
Address: 198.59.115.2
Non-authoritative answer:
This non-authoritative answer stuff tells me that this information has 
been stored for awhile, so it is possible, but unlikely, that the 
information below has changed.
bw nameserver = DAISY.EE.UND.AC.ZA
bw nameserver = RAIN.PSG.COM
bw nameserver = NS.UU.NET
bw nameserver = HIPPO.RU.AC.ZA
Authoritative answers can be found from:
DAISY.EE.UND.AC.ZA inet address = 146.230.192.18
RAIN.PSG.COM inet address = 147.28.0.34
NS.UU.NET inet address = 137.39.1.3
HIPPO.RU.AC.ZA inet address = 146.231.128.1
I look up the domain name za and discover it stands for South Africa. 
This tells me that the Internet is in its infancy in Botswana -- no 
nameservers there -- but must be well along in South Africa. Look at all 
those nameservers! 
***********************
Newbie note: a nameserver is a computer program that stores data on the 
Domain Name System. The Domain Name System makes sure that no two 
computers have the same name. It also stores information on how to find 
other computers. When various nameservers get to talking with each 
other, they eventually, usually within seconds, can figure out the 
routes to any one of the millions of computers on the Internet.
***********************
Well, what this tells me is that people who want to set up Internet host 
computers in Botswana usually rely on computers in South Africa to 
connect them. Lets learn more about South Africa. Since we are still in 
the nslookup program, I command it to tell me what computers are 
nameservers for South Africa:
> za.
Server: swcp.com
Address: 198.59.115.2
Non-authoritative answer:
za nameserver = DAISY.EE.UND.AC.za
za nameserver = UCTHPX.UCT.AC.za
za nameserver = HIPPO.RU.AC.za
za nameserver = RAIN.PSG.COM
za nameserver = MUNNARI.OZ.AU
za nameserver = NS.EU.NET
za nameserver = NS.UU.NET
za nameserver = UUCP-GW-1.PA.DEC.COM
za nameserver = APIES.FRD.AC.za
Authoritative answers can be found from:
DAISY.EE.UND.AC.za inet address = 146.230.192.18
UCTHPX.UCT.AC.za inet address = 137.158.128.1
HIPPO.RU.AC.za inet address = 146.231.128.1
RAIN.PSG.COM inet address = 147.28.0.34
MUNNARI.OZ.AU inet address = 128.250.22.2
MUNNARI.OZ.AU inet address = 128.250.1.21
NS.EU.NET inet address = 192.16.202.11
UUCP-GW-1.PA.DEC.COM inet address = 204.123.2.18
UUCP-GW-1.PA.DEC.COM inet address = 16.1.0.18
APIES.FRD.AC.za inet address = 137.214.80.1
***********************
Newbie note: What is inet address = 137.214.80.1 supposed to mean? 
Thats the name of a computer on the Internet (inet) -- in this case 
APIES.FRD.AC -- in octal. Octal is like regular numbers except in base 8 
rather than base 10. All computer names on the Internet must be changed 
into numbers so that other computers can understand them.
**********************
Aha! Some of those nameservers are located outside South Africa. We see 
computers in Australia (au) and the US (com domain). Next, we exit the 
nslookup program with the command ^D. Thats made by holding down the 
control key while hitting the small d key. It is VERY IMPORTANT to 
exit nslookup this way and not with ^C.
Next, we take one of the nameservers in South Africa and ask:
->whois HIPPO.RU.AC.ZA
[No name] (HIPPO)
Hostname: HIPPO.RU.AC.ZA
Address: 146.231.128.1
System: SUN running SUNOS
Domain Server
Record last updated on 24-Feb-92.
To see this host record with registered users, repeat the command with
a star ('*') before the name; or, use '%' to show JUST the registered 
users.
The InterNIC Registration Services Host contains ONLY Internet 
Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
Kewl! This tells us what kind of computer it is -- a Sun -- and the 
operating system, Sun OS.
Now, just for variety, I use the whois command with the numerical 
address of one of the nameservers. This doesnt always give back the 
text name, but sometimes it works. And, voila, we get:
->whois 146.230.192.18
[No name] (DAISY1)
Hostname: DAISY.EE.UND.AC.ZA
Address: 146.230.192.18
System: HP-9000 running HP-UX
Domain Server
Record last updated on 14-Sep-94.
Ah, but all this is doing so far is just telling us info about who is a 
nameserver for whom. Now how about directly mapping a route from my 
computer to South Africa? For that we will use the traceroute command.
************************
Netiquette tip: The traceroute program is intended for use in network 
testing, measurement and management. It should be used primarily for 
manual fault isolation, like the time I couldnt email my friend in 
Northern Ireland. Because of the load it could impose on the network, it 
is unwise to use traceroute from automated scripts which could cause 
that program to send out huge numbers of queries. Use it too much and 
your ISP may start asking you some sharp questions.
************************
************************
YOU COULD GO TO JAIL WARNING: If you just got an idea of how to use 
traceroute for a denial of service attack, dont call your favorite 
journalist and tell him or her that you are plotting a denial of service 
attack against the ISPs that serve famous people like Bill Clinton and 
Carolyn Meinel!:-) Dont write that script. Dont use it. If you do, 
Ill give another interview to PC World magazine 
(http://www.pcworld.com/news/newsradio/meinel/index.html) about how a 
three-year-old could run the attack. And if you get caught well all 
laugh at you as you get hustled off in chains while your journalist 
friend gets a $250K advance on his or her book deal about you.
************************
I give the command:
->whereis traceroute
traceroute: /usr/local/bin/traceroute
OK, now were ready to map in earnest. I give the command:
->/usr/local/bin/traceroute DAISY.EE.UND.AC.ZA
And the answer is:
traceroute to DAISY.EE.UND.AC.ZA (146.230.192.18), 30 hops max, 40 byte 
packets
1 sisko (198.59.115.1) 3 ms 4 ms 4 ms
2 glory-cyberport.nm.westnet.net (204.134.78.33) 47 ms 8 ms 4 ms
3 ENSS365.NM.ORG (129.121.1.3) 5 ms 10 ms 7 ms
4 h4-0.cnss116.Albuquerque.t3.ans.net (192.103.74.45) 17 ms 41 ms 28 ms
5 f2.t112-0.Albuquerque.t3.ans.net (140.222.112.221) 7 ms 6 ms 5 ms
6 h14.t16-0.Los-Angeles.t3.ans.net (140.223.17.9) 31 ms 39 ms 84 ms
7 h14.t8-0.San-Francisco.t3.ans.net (140.223.9.13) 67 ms 43 ms 68 ms
8 enss220.t3.ans.net (140.223.9.22) 73 ms 58 ms 54 ms
9 sl-mae-w-F0/0.sprintlink.net (198.32.136.11) 97 ms 319 ms 110 ms
10 sl-stk-1-H11/0-T3.sprintlink.net (144.228.10.109) 313 ms 479 ms 473 
ms
11 sl-stk-2-F/T.sprintlink.net (198.67.6.2) 179 ms * *
12 sl-dc-7-H4/0-T3.sprintlink.net (144.228.10.106) 164 ms * 176 ms
13 sl-dc-7-F/T.sprintlink.net (198.67.0.1) 143 ms 129 ms 134 ms
14 gsl-dc-3-Fddi0/0.gsl.net (204.59.144.197) 135 ms 152 ms 130 ms
15 204.59.225.66 (204.59.225.66) 583 ms 545 ms 565 ms
16 * * *
17 e0.csir00.uni.net.za (155.232.249.1) 516 ms 436 ms 400 ms
18 s1.und00.uni.net.za (155.232.70.1) 424 ms 485 ms 492 ms
19 e0.und01.uni.net.za (155.232.190.2) 509 ms 530 ms 459 ms
20 s0.und02.uni.net.za (155.232.82.2) 650 ms * 548 ms
21 Gw-Uninet1.CC.und.ac.za (146.230.196.1) 881 ms 517 ms 478 ms
22 cisco-unp.und.ac.za (146.230.128.8) 498 ms 545 ms *
23 IN.ee.und.ac.za (146.230.192.18) 573 ms 585 ms 493 ms
So what does all this stuff mean?
The number in front of each line is the number of hops since leaving the 
computer that has the shell account I am using.
The second entry is the name of the computer through which this route 
passes, first in text, and then in parentheses its numerical 
representation.
The numbers after that are the time in milliseconds it takes for each of 
three probe packets in a row to make that hop. When an * appears, the 
time for the hop timed out. In the case of this traceroute command, any 
time greater than 3 seconds causes an * to be printed out. 
How about hop 16? It gave us no info whatsoever. That silent gateway may 
be the result of a bug in the 4.1, 4.2 or 4.3BSD Unix network code. A 
computer running one of these operating systems sends an unreachable 
message. Or it could be something else. Sorry, Im not enough of a 
genius yet to figure out this one for sure. Are we having phun yet?
************************
Evil genius tip: If you want to get really, truly excruciating detail on 
the traceroute command, while in your shell account type in the command:
->man traceroute
I promise, on-line manual stuff is often written in a witty, 
entertaining fashion. Especially the Sun OS manual. Honest!
************************
************************
Note for the shell-account-challenged: If you have Windows 95, you can 
get the same results -- I mean, for mapping the Internet, not going to 
jail -- using the tracert command. Heres how it works:
1. Open a PPP connection. For example, if you use Compuserve or AOL, 
make a connection, then minimize your on-line access program.
2. Click on the Start menu. 
3. Open a DOS window.
4. At the DOS prompt type in tracert where distant.computer.com is 
replaced by the name of the computer to which you want to trace a route. 
Press the Enter key.
5. Be patient. Especially if your are tracing a route to a distant 
computer, it takes awhile to make all the connections. Every time your 
computer connects to another computer on the Internet, it first has to 
trace a route to the other computer. Thats why it sometimes take a long 
while for your browser to start downloading a Web page.
6. If you decide to use Windows for this hacking lesson, Damien Sorder 
has a message for us: DON'T ENCOURAGE THEM TO USE WIN95!@#$!@#! Hes 
right, but since most of you reading this are consenting adults, I 
figure its your funeral if you stoop to Windows hacking on an AOL PPP 
connection!
***********************
Now this is getting interesting. We know that Daisy is directly 
connected to at least one other computer, and that computer in turn is 
connected to cisco-unp.und.ac.za. Lets learn a little something about 
this cisco-unp.und.ac.za, OK? 
First, we can guess from the name that is it a Cisco router. In fact, 
the first hop in this route is to a computer named sisco, which is 
also probably a Cisco router. Since 85% of the routers in the world are 
Ciscos, thats a pretty safe bet. But we are going to not only make sure 
cisco-unp.und.ac.za is a Cisco. We are also going to find out the model 
number, and a few other goodies.
First we try out whois:
->whois cisco-unp.und.ac.za
No match for "CISCO-UNP.UND.AC.ZA".
The InterNIC Registration Services Host contains ONLY Internet 
Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
Huh? Traceroute tells us cisco-unp.und.ac.za exists, but whois cant 
find it! Actually this is a common problem, especially trying to use 
whois on distant computers. What do we do next? Well, if you are lucky, 
the whereis command will turn up another incredibly cool program: dig! 
**********************
Newbie note: Dig stands for domain information groper. It does a lot 
of the same things as nslookup. But dig is a much older program, in many 
ways harder to use than nslookup. For details on dig, use the command 
from your shell account man dig.
**********************
In fact, on my shell account I found I could run dig straight from my 
bash prompt:
->dig CISCO-UNP.UND.AC.ZA
; <<>> DiG 2.0 <<>> CISCO-UNP.UND.AC.ZA
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; Ques: 1, Ans: 4, Auth: 5, Addit: 5
;; QUESTIONS:
;; CISCO-UNP.UND.AC.ZA, type = A, class = IN
;; ANSWERS:
CISCO-UNP.UND.AC.ZA. 86400 A 146.230.248.1
CISCO-UNP.UND.AC.ZA. 86400 A 146.230.12.1
CISCO-UNP.UND.AC.ZA. 86400 A 146.230.60.1
CISCO-UNP.UND.AC.ZA. 86400 A 146.230.128.8
;; AUTHORITY RECORDS:
und.ac.za. 86400 NS Eagle.und.ac.za.
und.ac.za. 86400 NS Shrike.und.ac.za.
und.ac.za. 86400 NS ucthpx.uct.ac.za.
und.ac.za. 86400 NS hiPPo.ru.ac.za.
und.ac.za. 86400 NS Rain.psg.com.
;; ADDITIONAL RECORDS:
Eagle.und.ac.za. 86400 A 146.230.128.15
Shrike.und.ac.za. 86400 A 146.230.128.13
ucthpx.uct.ac.za. 86400 A 137.158.128.1
hiPPo.ru.ac.za. 86400 A 146.231.128.1
Rain.psg.com. 14400 A 147.28.0.34
;; Total query time: 516 msec
;; FROM: llama to SERVER: default -- 198.59.115.2
;; WHEN: Fri Jan 17 13:03:49 1997
;; MSG SIZE sent: 37 rcvd: 305
Ahhh, nice. The first few lines, the ones preceded by the ;; marks, 
mostly tell what the default settings of the command are and what we 
asked it. The line Ques: 1, Ans: 4, Auth: 5, Addit: 5 tells us how 
many items well get under each topic of questions, answers, authority 
records, and additional records. (You will get different numbers on that 
line with different queries.) This records stuff refers to information 
stored under the domain name system.
We learn from dig is that CLASS=IN, meaning CISCO-UNP.UND.AC.ZA is a 
domain name within the Internet. But we already knew that . The first 
really *new* thing we learn is that four routers all share the same 
domain name. We can tell that because their numerical Internet numbers 
are different. The reverse can also happen: several domain names can all 
belong to the same numerical address. If you use the dig command on each 
link in the route to DAISY.EE.UND.AC.ZA, youll find a tremendous 
variation in whether the routers map to same or different domain names. 
As hackers, we want to get wise to all these variations in how domain 
names are associated with boxes.
But we can still learn even more about that Cisco router named 
CISCO-UNP.UND.AC.ZA. We go back to nslookup and run it in interactive 
mode:
->/usr/etc/nslookup
Default Server: swcp.com
Address: 198.59.115.2
>
Now lets do something new with nslookup. This is a command that comes 
in really, really handy when were playing vigilante and need to 
persecute a spammer or bust a child porn Web site or two. Heres how we 
can get the email address for the sysadmin of an Internet host computer.
> set type=soa
Then I enter the name of the computer about which I am curious. Note 
that I put a period after the end of the host name. It often helps to do 
this with nslookup:
> CISCO-UNP.UND.AC.ZA.
Server: swcp.com
Address: 198.59.115.2
*** No start of authority zone information is available for 
CISCO-UNP.UND.AC.ZA.
Now what do I do? Give up? No, Im a hacker wannabe, right? So I try 
entering just part of the domain name, again remembering to put a period 
at the end:
> und.ac.za.
Server: swcp.com
Address: 198.59.115.2
und.ac.za origin = Eagle.und.ac.za
mail addr = postmaster.und.ac.za
serial=199610255, refresh=10800, retry=3600, expire=3000000, min=86400
Eagle.und.ac.za inet address = 146.230.128.15
Shrike.und.ac.za inet address = 146.230.128.13
ucthpx.uct.ac.za inet address = 137.158.128.1
hiPPo.ru.ac.za inet address = 146.231.128.1
Rain.psg.com inet address = 147.28.0.34
Bingo!!! I got the email address of a sysadmin whose domain includes 
that Cisco router, AND the IP addresses of some other boxes he or she 
administers. But notice it doesnt list any of those routers which the 
sysadmin undoubtedly knows a thing or two about.
But we arent done yet with cisco-unp.und.ac.za (146.230.128.8). Of 
course we have a pretty good guess that it is a Cisco router. But why 
stop with a mere guess when we can port surf? So we fall back on our 
friend the telnet program and head for port 2001:
->telnet 146.230.128.8 2001
Trying 146.230.128.8 ...
Connected to 146.230.128.8.
Escape character is '^]'.
C
****************************************************
*** Welcome to the University of Natal ***
*** ***
*** Model : Cisco 4500 with ATM and 8 BRI ports ***
*** ***
*** Dimension Data Durban - 031-838333 ***
*** ***
***************************************************
Hey, we know now that this is a Cisco model 4500 owned by the University 
of Natal, and we even got a phone number for the sysadmin. From this we 
also can infer that this router handles a subnet which serves the U of 
Natal and includes daisy.
But why did I telnet to port 2001? Its in common use among routers as 
the administrative port. How do I know that? From the RFC (request for 
comments) that covers all commonly used port assignments. You can find a 
copy of this RFC at http://ds2.internic.net/rfc/rfc1700.txt. Read it and 
youll be in for some happy port surfing!
************************
Evil Genius tip: there are a bunch of ports used by Cisco routers:
cisco-fna 130/tcp cisco FNATIVE
cisco-tna 131/tcp cisco TNATIVE
cisco-sys 132/tcp cisco SYSMAINT
licensedaemon 1986/tcp cisco license management
tr-rsrb-p1 1987/tcp cisco RSRB Priority 1 port
tr-rsrb-p2 1988/tcp cisco RSRB Priority 2 port
tr-rsrb-p3 1989/tcp cisco RSRB Priority 3 port
stun-p1 1990/tcp cisco STUN Priority 1 port
stun-p2 1991/tcp cisco STUN Priority 2 port
stun-p3 1992/tcp cisco STUN Priority 3 port
snmp-tcp-port 1993/tcp cisco SNMP TCP port
stun-port 1994/tcp cisco serial tunnel port
perf-port 1995/tcp cisco perf port
tr-rsrb-port 1996/tcp cisco Remote SRB port
gdp-port 1997/tcp cisco Gateway Discovery Protocol
x25-svc-port 1998/tcp cisco X.25 service (XOT)
tcp-id-port 1999/tcp cisco identification port
************************
But what about the normal telnet port, which is 23? Since it is the 
normal port, the one you usually go to when you want to log in, we 
dont need to put the 23 after the host name:
->telnet 146.230.128.8
Trying 146.230.128.8 ...
Connected to 146.230.128.8.
Escape character is '^]'.
C
************************************************************************
*
*** Welcome to the University of Natal ***
*** ***
*** Model : Cisco 4500 with ATM and 8 BRI ports ***
*** ***
*** Dimension Data Durban - 031-838333 ***
*** ***
************************************************************************
*
User Access Verification
Password:
Hey, this is interesting, no username requested, just a password. If I 
were the sysadmin, Id make it a little harder to log in. Hmmm, what 
happens if I try to port surf finger that site? That means telnet to the 
finger port, which is 79:
->telnet 146.230.128.8 79
Trying 146.230.128.8 ...
Connected to 146.230.128.8.
Escape character is '^]'.
C
************************************************************************
*
*** Welcome to the University of Natal ***
*** ***
*** Model : Cisco 4500 with ATM and 8 BRI ports ***
*** ***
*** Dimension Data Durban - 031-838333 ***
*** ***
************************************************************************
*
Line User Host(s) Idle Location
* 2 vty 0 idle 0 kitsune.swcp.com
BR0:2 Sync PPP 00:00:00
BR0:1 Sync PPP 00:00:00
BR1:2 Sync PPP 00:00:00
BR1:1 Sync PPP 00:00:00
BR2:2 Sync PPP 00:00:01
BR2:1 Sync PPP 00:00:00
BR5:1 Sync PPP 00:00:00
Connection closed by foreign host.
Notice that finger lists the connection to the computer I was port 
surfing from: kitsune. But no one else seems to be on line just now. 
Please remember, when you port surf, unless you know how to do IP 
spoofing, your target computer knows where you came from. Of course I 
will be a polite guest.
Now lets try the obvious. Lets telnet to the login port of daisy. I 
use the numerical address just for the heck of it:
->telnet 146.230.192.18
Trying 146.230.192.18 ...
Connected to 146.230.192.18.
Escape character is '^]'.
NetBSD/i386 (daisy.ee.und.ac.za) (ttyp0)
login:
Hey, this is interesting. Since we now know this is a university, thats 
probably the electrical engineering (EE) department. And NetBSD is a 
freeware Unix that runs on a PC! Probably a 80386 box. 
Getting this info makes me almost feel like Ive been hanging out at the 
University of Natal EE computer lab. It sounds like a friendly place. 
Judging from their router, security is somewhat lax, they use cheap 
computers, and messages are friendly. Lets finger and see whos logged 
in just now:
Since I am already in the telnet program (I can tell by the prompt 
telnet>), I go to daisy using the open command:
telnet> open daisy.ee.und.ac.za 79
Trying 146.230.192.18 ...
telnet: connect: Connection refused
telnet> quit
Well, that didnt work, so I exit telnet and try the finger program on 
my shell account computer:
->finger @daisy.ee.und.ac.za
[daisy.ee.und.ac.za]
finger: daisy.ee.und.ac.za: Connection refused
Sigh. Its hard to find open finger ports any more. But its a good 
security practice to close finger. Damien Sorder points out, If you 
install the new Linux distributions, it comes with Cfingerd. Why would I 
(and others) want to shut it down? Not because of hackers and abuse or 
some STUPID S*** like that. Because it gives out way too much 
information when you finger a single user. You get machine load and all 
the user information.
I manage to pull up a little more info on how to map the 
interconnections of University of Natal computers with an search of the 
Web using http://digital.altavista.com. It links me to the site 
http://www.frd.ac.za/uninet/sprint.html, which is titled Traffic on the 
UNINET-SPRINTLINK Link. However, all the links to netwrok traffic 
statistics from that site are dead.
Next, lets look into number 20 on that traceroute that led us to the 
University of Natal. You can pretty much expect that links in the middle 
of a long traceroute will be big computers owned by the bigger companies 
that form the backbone of the Internet.
->telnet 155.232.82.2 2001
Trying 155.232.82.2 ...
Connected to 155.232.82.2.
Escape character is '^]'.
Id: und02
Authorised Users Only!
------------------------
User Access Verification
Username:
Yup, were out of friendly territory now. And since port 2001 works, it 
may be a router. Just for laughs, though, lets go back to the default 
telnet port:
->telnet 155.232.82.2
Trying 155.232.82.2 ...
Connected to 155.232.82.2.
Escape character is '^]'.
Id: und02
Authorised Users Only!
------------------------
User Access Verification
Username:
Now just maybe this backbone-type computer will tell us gobs of stuff 
about all the computers it is connected to. We try telneting to the 
netstat port, 15. This, if it happens to be open to the public, will 
tell us all about the computers that connect through it:
->telnet 155.232.82.2 15
Trying 155.232.82.2 ...
telnet: connect: Connection refused
Sigh. I gave an example of the incredible wealth of information you can 
get from netstat on the GTMHH on port surfing. But every day it is 
harder to find a public netstat port. Thats because the information 
netstat gives is so useful to computer criminals. In fact, port 15 is no 
longer reserved as the netstat port (as of 1994, according to the RFC). 
So you will find few boxes using it. 
******************************
Newbie note: want to know what port assignments your ISP uses? Sorder 
points out  /etc/services on most machines will [tell you this].
How can you can read that information? Try this:
First, change to the /etc/ directory:
->cd /etc
Then command it to print it out to your screen with:
->more services
#
# @(#)services 1.16 90/01/03 SMI
#
# Network services, Internet style
# This file is never consulted when the NIS are running
#
tcpmux 1/tcp # rfc-1078
echo 7/tcp
... and so on...
Alas, just because your shell account has a list of port assignments 
doesnt mean they are actually in use. It also probably wont list 
specialized services like all those Cisco router port assignments.
*************************
In fact, after surfing about two dozen somewhat randomly chosen netstat 
ports, the only answer I get other than Connection refused is:
->telnet ns.nmia.com 15
Trying 198.59.166.10 ...
Connected to ns.nmia.com.
Escape character is '^]'.
Yes, but will I see the EASTER BUNNY in skintight leather
at an IRON MAIDEN concert?
Now what about all those Sprintlink routers in that traceroute? Thats a 
major Internet backbone based in the US provided by Sprint. You can get 
some information on the topology of the Sprintlink backbone at 
http://www.sprintlink.net/SPLK/HB21.html#2.2. Alas, Sprintlink used to 
give out much more information than they do today. All I can pick up on 
their Web site today is pretty vague. 
Sigh. The Internet is getting less friendly, but more secure. Some day 
when were really ancient, say five years from now, well be telling 
people, Why, I remember when we could port surf! Why, there used to be 
zillions of open ports and people could choose ANY password they wanted. 
Hmph! Today its just firewalls everywhere you look! Adds Sorder, Gee. 
How do you think people like me feel.. port surfing over 6 years ago.
Our thanks to Damien Sorder (jericho@dimensional.com) for assistance in 
reviewing and contributing to this GTMHH.
_________________________________________________________
Want to see back issues of Guide to (mostly) Harmless Hacking? See 
either http://www.tacd.com/zines/gtmhh/ or 
http://ra.nilenet.com/~mjl/hacks/codez.htm or
http://www3.ns.sympatico.ca/loukas.halo8/HappyHacker/
Subscribe to our email list by emailing to hacker@techbroker.com with 
message "subscribe" or join our Hacker forum at 
http://www.infowar.com/cgi-shl/login.exe.
Want to share some kewl stuph with the Happy Hacker list? Correct 
mistakes? Send your messages to hacker@techbroker.com. To send me 
confidential email (please, no discussions of illegal activities) use 
cmeinel@techbroker.com and be sure to state in your message that you 
want me to keep this confidential. If you wish your message posted 
anonymously, please say so! Please direct flames to 
dev/null@techbroker.com. Happy hacking! 
Copyright 1997 Carolyn P. Meinel. You may forward or post on your Web 
site this GUIDE TO (mostly) HARMLESS HACKING as long as you leave this 
notice at the end..
________________________________________________________