The first step of cracking is always collecting information.

Higher Level


> The First Step <

The Attack Level & Response

The Attacker & Victim's OS

Some Forms

Your system may contain all the following vulnerabilities:

  • host

    The host command provides roughly the same information as nslookup and dig combined. However, host output has the added advantage of presenting that information in a more easily readable format, suitable for lexical scanning.

    Running a “host” query has always been the basic groundwork. Such a query may produce volumes of information. In some circumstances, the “host” query will map out the machines and IPs in the domain and give a very comprehensive result.

    host -l -v -t any victim.com

  • whois

    The WHOIS service is maintained at internic.net, the Network Information Center. This database contains the following:

    • Host names for all non-military U.S. domains
    • The names of domain owners
    • The technical contact for each domain
    • The name server addresses for each domain

    Running the WHOIS query will identify the technical contacts. Such information may seem innocuous. It isn't. The technical contact is generally the person at least partially responsible for the day-to-day administration of the system. The person's e-mail address may have some value. And between this and the host query, you can determine whether the target is a real box, a leaf node, a virtual domain hosted by another service, and so on.

  • finger

    Finger is one of the most dangerous services in UNIX. You can guess a common name such as "root", "ftp", "guest", "manager", "administrator", etc. and finger it. To add to this information, you can use "rusers" to get all information about the logged-in users.

  • showmount and rpcinfo

    Both are good starting points. With their help, you might find some surprises on the target machine for future use. You may find IDs named "guest", "ftp", etc. That may be the hole in the network. rpcinfo is sometimes more useful for revealing server information.

  • tftp

    This is a program vaguely similar to ftp. Tftp stands for the trivial file transfer program. It doesn't require any password for authentication. If a host provides tftp without restricting access, the attacker can easily get the password file.
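Seen from the defender's side, each of the queries above leaves a trace: a zone transfer attempt is logged by the name server, and finger, tftp and portmapper connections are logged by inetd/tcp_wrappers and rpcbind. The following Python script is an added example (not part of the original text) that scans syslog-style lines for exactly these reconnaissance signals and reports which source addresses touched which services. The log lines are constructed for illustration in the style of BIND, tcp_wrappers and rpcbind messages; real message formats vary by version, so the regular expressions are assumptions to be adjusted to your own logs.

```python
"""Flag reconnaissance activity (zone transfers, finger, tftp, portmapper
dumps) in syslog-style lines and report which sources probed which services.
Added example; the log formats below are constructed for illustration."""
import re
from collections import defaultdict

# Constructed sample lines (not from any real system): two BIND zone-transfer
# messages, tcp_wrappers-style finger/tftp connections, an rpcbind dump
# request, and one benign ssh login that must not be flagged.
SAMPLE_LOGS = """\
Mar  3 10:01:12 ns1 named[812]: client 192.0.2.10#45678 (example.com): transfer of 'example.com/IN': AXFR started
Mar  3 10:01:13 ns1 named[812]: client 192.0.2.10#45678 (example.com): zone transfer 'example.com/IN' denied
Mar  3 10:02:05 host1 in.fingerd[3301]: connect from 192.0.2.10
Mar  3 10:02:07 host1 in.tftpd[3302]: connect from 192.0.2.10
Mar  3 10:02:20 host1 rpcbind: connect from 192.0.2.10 to dump()
Mar  3 10:03:00 host1 sshd[400]: Accepted publickey for alice from 198.51.100.7 port 52000 ssh2
"""

# Assumed BIND wording: "transfer of '<zone>': AXFR started" when a transfer
# is served, "zone transfer '<zone>' denied" when allow-transfer rejects it.
AXFR_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?"
    r"(?:transfer of|zone transfer) '(?P<zone>[^']+)'"
)
# Assumed tcp_wrappers/rpcbind wording: "<daemon>[pid]: connect from <ip>".
SERVICE_RE = re.compile(
    r"(?P<svc>in\.fingerd|in\.tftpd|rpcbind)(?:\[\d+\])?: connect from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
SERVICE_NAMES = {"in.fingerd": "finger", "in.tftpd": "tftp", "rpcbind": "rpcinfo"}


def classify_line(line):
    """Return {'ip', 'service', 'detail'} for a recon-related line, else None."""
    m = AXFR_RE.search(line)
    if m:
        outcome = "denied" if "denied" in line else "allowed"
        return {"ip": m["ip"], "service": "dns-axfr",
                "detail": f"{m['zone']} {outcome}"}
    m = SERVICE_RE.search(line)
    if m:
        return {"ip": m["ip"], "service": SERVICE_NAMES[m["svc"]],
                "detail": "connect"}
    return None


def recon_report(lines):
    """Map each source IP to the list of (service, detail) hits it produced."""
    report = defaultdict(list)
    for line in lines:
        hit = classify_line(line)
        if hit:
            report[hit["ip"]].append((hit["service"], hit["detail"]))
    return dict(report)


def flag_sources(report, min_services=2):
    """Sources that probed at least `min_services` distinct recon services:
    one finger is noise, finger + tftp + rpcinfo from one address is not."""
    return sorted(ip for ip, hits in report.items()
                  if len({svc for svc, _ in hits}) >= min_services)


def allowed_transfers(report):
    """(ip, zone) pairs where a zone transfer was actually served: the whole
    zone left the server, which is the finding to act on first."""
    return [(ip, detail.rsplit(" ", 1)[0])
            for ip, hits in report.items()
            for svc, detail in hits
            if svc == "dns-axfr" and detail.endswith(" allowed")]


if __name__ == "__main__":
    rep = recon_report(SAMPLE_LOGS.splitlines())
    for ip in flag_sources(rep):
        print(ip, sorted({svc for svc, _ in rep[ip]}))
    for ip, zone in allowed_transfers(rep):
        print("zone served to", ip, ":", zone)
```

The two-tier output is deliberate: `flag_sources` surfaces an address that is walking the usual recon sequence (host, finger, rpcinfo, tftp), while `allowed_transfers` isolates the one event that has already caused damage, a zone transfer that the server served instead of denying, which is the cue to fix the name server's transfer restrictions rather than just to watch the source.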


Recently there are some new features to mask the trace of crackers. To avoid the possibility of their finger and whois queries raising any flags, most crackers use finger gateways and whois gateways. They are web pages, and they usually sport a single input field that points to a CGI program on the drive of a remote server that performs the finger lookup.

By using the finger gateway and whois gateway, the cracker can obscure his source address.