staltec1.htm: Enemy investigation: email stalking techniques

G O T C H A !	Fravia's anonymity pages Enemy tracking EMAIL STALKING TECHNIQUES AND DYNAMIC IPs Fravia's Nofrill Web design (1998)	updated September 1998	Fravia's Anonymity Academy Enemy tracking Email stalking techniques (Fravia shows you what you can do - or try - and where you can learn some advanced stalking techniques) ~ Enemy tracking, a very difficult art, can be divided into stalking, "logical reversing" and luring. In order to stalk you need a deep knowledge of Usenet spamming (and war) techniques like flaming, trolling and crossposting. Here you'll learn some simple tricks in order to gather information about your target WITHOUT contacting directly his website.

[1) scan the http server port for your target domain]
[1.1) a port scanning Perl script]
[1.2) get da relevant RFC]
[2) get servers list and operator names for your target domain]
[3) importance of a dynamic ip chain]

There are a couple of useful stalking tricks (in fact this approach is MUCH more anonymous than directly browsing onto your target domains :-)...

1) TRICK TO SCAN THE HTTP SERVER PORT FOR YOUR TARGET DOMAIN

This trick is useful to scan port 80 (or whatever :-) of your target (I'll use here fortunecity.com). Just use your email program - of course one of your "free webaddresses" aliases (like yahoo.com) accessed through a dynamic IP provider - onto an agora server in the following way:

TO: 		agora@ictp.trieste.it  (or any other agora)
SUBJECT:	nutting
-----------------------
BODY:		send http://www.netcraft.com/cgi-bin/Survey/whats?\
                host=www.fortunecity.com&port=80

Netcraft (not you) will scan the HTTP server port of your target domain, and you'll get the following answer emailed to your alias:

www.fortunecity.com is running Apache/1.2.5.

Substitute a domain name of your choice to the www.fortunecity.com using the following schema (note the \ linebreak sign, because most email apps will else break your line arbitrarly)...:
send http://www.netcraft.com/cgi-bin/Survey/whats?\
host=XXXXXX.XXX&port=80
...and you'r done.
This will tell you the name of the server that is running your target web site, a very useful kind of information for your anti-smut attacks and/or for your general stalking activities... as you'll understand elsewhere on my pages.
Of course if you prefer to use your full Internet access you can use a port scanner. This will scan a domain IP for all available ports and report the protocols they serve.

1.1) a little scanning Perl script

For those among you that don't know much about ports, here's a little Perl script:

#!/usr/local/bin/perl -w
# findport - find a server running at an unknown TCP port
# <title>findport.pl</title>
# Copyright (C) 1996 by John J. Chew

unshift(@INC, "$ENV{HOME}/lib/perl");
require 'getopts.pl';
require 'sys/socket.ph';

sub Usage {
  die "Usage: $0 [-m] [-O] [-q] host [start-port]\n".
    "-m  allow multiple matches\n".
    "-O  try `obvious' ports\n".
    "-q  be quiet\n".
    "";
  }

&Getopts('mOq') || &Usage;
$#ARGV < $[ && &Usage;
$#ARGV > $[ + 1 && &Usage;
$#ARGV > $[ && $opt_O && &Usage;

($serverhostname, $serverportname) = @ARGV;
$serverportname = 7777 unless defined $serverportname;

@gObvious = (
  # popular port numbers for MOOs
  7777, 8888, 6666, 6969, 1234, 1701, 4444, 2112, 2499, 4000, 8000, 9595,
  1138, 1359, 1709, 1848, 1961, 1975, 1996, 2000, 2001, 2029, 2345, 3000,
  3175, 4201, 4242, 5000, 5678, 6464, 7000, 7007, 7200, 7700, 7878, 8080,
  8889, 9000, 9020, 9030, 9040, 9999, 3434,

  # other `obvious' numbers
  1111, 1112, 1113, 1996, 1997, 1998, 1999, 2222, 2223, 2224, 3001, 3333,
  3334, 3335, 3456, 4001, 4445, 4446, 4567, 5001, 5556, 5557, 6000, 6001,
  6667, 6668, 6789, 7001, 7778, 7779, 7890, 8001, 9001,
  );

sub die { die $_[0] unless $opt_q; exit 1; }

sub lint { $opt_m; }

$sockaddr_t = 'S n a4 x8';

($name, $aliases, $protocol) = getprotobyname('tcp');
socket(S, &PF_INET, &SOCK_STREAM, $protocol) || &die("socket() failed:
$!");

chop($clienthostname = `hostname`);
(($name, $aliases, $type, $length, $clientaddress)
  = gethostbyname($clienthostname))
  || &die("gethostbyname($clienthostname) failed: $!");
$clientname = pack($sockaddr_t, &AF_INET,     0, $clientaddress);
bind(S, $clientname) || &die("bind() failed: $!");

(($name, $aliases, $port) = getservbyname($serverportname, 'tcp'))
  || ($port = $serverportname);
(($name, $aliases, $type, $length, $serveraddress)
  = gethostbyname($serverhostname))
  || &die("gethostbyname($ARGV[0]) failed: $!");

$| = 1;
$port = shift @gObvious if $opt_O;
while (1) {
  $servername = pack($sockaddr_t, &AF_INET, $port, $serveraddress);
  print "$port" unless $opt_q;
  if (connect(S, $servername)) {
    print "\n\a" unless $opt_q;
    print "$port is active.\n";
    exit 0 unless $opt_m;
    }
  else {
    print " ";
    $opt_O ? (($port = shift @gObvious) || exit) : $port++;
    close(S);
    socket(S, &PF_INET, &SOCK_STREAM, $protocol) || &die("socket()
failed: $!");
    bind(S, $clientname) || &die("bind() failed: $!");
    }
  }

1.2) Retrieve your relevant RFC!

If you want to know even more about ports, just retrieve RFC1060 to get a list of the assigned numbers. And don't ask how d'you retrieve a RFC... you should already know it...
No? Well, per email, of course here is it:

To: 			RFC-INFO@ISI.EDU
Subject: 		[nutting: leave blank]
----------------------------------------------
Body:			Retrieve: RFC
			Doc-Id: RFC1060

The RFC1060 above is the "alfa and omega" of any good commercial_porn_sites buster, this report on the parameters (i.e., numbers and keywords) used in protocols in the Internet community belongs among your most coveted study materials! :-)
Retrieve it as I told you and, in the mean time, have a look at its contents.

RFC 1060: Table of Contents

INTRODUCTION.................................................... 2
Data Notations.................................................. 3
Special Addresses............................................... 4
VERSION NUMBERS................................................. 6
PROTOCOL NUMBERS................................................ 7
PORT NUMBERS.................................................... 9
UNIX PORTS......................................................13
INTERNET MULTICAST ADDRESSES....................................19
IANA ETHERNET ADDRESS BLOCK.....................................20
IP TOS PARAMETERS...............................................21
IP TIME TO LIVE PARAMETER.......................................23
DOMAIN SYSTEM PARAMETERS........................................24
BOOTP PARAMETERS................................................25
NETWORK MANAGEMENT PARAMETERS...................................26
ARPANET AND MILNET LOGICAL ADDRESSES............................30
ARPANET AND MILNET LINK NUMBERS.................................31
ARPANET AND MILNET X. 25 ADDRESS MAPPINGS.......................32
IEEE 802 NUMBERS OF INTEREST....................................34
ETHERNET NUMBERS OF INTEREST....................................35
ETHERNET VENDOR ADDRESS COMPONENTS..............................38
ETHERNET MULTICAST ADDRESSES....................................41
XNS PROTOCOL TYPES..............................................43
PROTOCOL/TYPE FIELD ASSIGNMENTS.................................44
PRONET 80 TYPE NUMBERS..........................................45
ADDRESS RESOLUTION PROTOCOL PARAMETERS..........................46
REVERSE ADDRESS RESOLUTION PROTOCOL OPERATION CODES.............47
DYNAMIC REVERSE ARP.............................................47
X.25 TYPE NUMBERS...............................................48
PUBLIC DATA NETWORK NUMBERS.....................................49
TELNET OPTIONS..................................................51
MAIL ENCRYPTION TYPES...........................................52

2) TRICK TO GET SERVERS LIST AND OPERATOR NAMES FOR YOUR TARGET DOMAIN

Now let's say you want some more info about WHO ARE the people that have registered your target server, then simply use once more an agora and query with:

send  http://www.switch.ch/cgi-bin/info/whois?Query=fortunecity.com\
&Server=whois.internic.net

And thou shall get the following:

Results from WHOIS server whois.internic.net for query: fortunecity.com

--------------------------------------------------------------

FortuneCity.Com Ltd (ASKRIGG-DOM)		   ASKRIGG.COM
FortuneCity.Com Ltd (FORTUNECITY4-DOM)	       FORTUNECITY.NET
FortuneCity.Com Ltd (FCMAIL-DOM)	            FCMAIL.COM
Software Direct (FORTUNECITY-DOM)	       FORTUNECITY.COM

To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.

Now, as you have read, you must be patient (the foremost quality of a good stalker): let's go on with what they asked:

send  http://www.switch.ch/cgi-bin/info/whois?Query=!FCMAIL-DOM\
&Server=whois.internic.net

And now we'll get a wealth of stalking information:

Registrant:
FortuneCity.Com Ltd (FCMAIL-DOM)
   140 Offord Road,
   Islington London., N1 1PF
   UK

   Domain Name: FCMAIL.COM

   Administrative Contact:
      Metcalfe, Dan  (DM10032)  dan@FORTUNECITY.COM
      0171 700 1617 (FAX) 0171 609 2815
   Technical Contact, Zone Contact:
      Donnahoo, Lee  (LD2352)  lee@COMMTOUCH.COM
      408-245-8682 (FAX) 408-245-3466
   Billing Contact:
      Metcalfe, Dan  (DM10032)  dan@FORTUNECITY.COM
      0171 700 1617 (FAX) 0171 609 2815

   Record last updated on 29-Apr-98.
   Record created on 24-Feb-98.
   Database last updated on 16-Sep-98 04:13:51 EDT.

   Domain servers in listed order:

   PRONTODNS.PRONTOMAIL.COM	209.185.72.9
   NS1.INFORMAIL.COM		207.135.122.6
   NS3.EXODUS.NET		206.79.240.13

Of course you should perform the same query for all other addresses you got (ASKRIGG.COM etcetera...)

3) IMPORTANCE OF A DYNAMIC IP CHAIN

And the really funny thing is that you have NOT directly connected neither netcraft.com nor internic.net from your real net-access provider. You went through a "tier" procedure like this:

YOUR_FREE_DYNAMIC IP -> YOUR_FREE_EMAIL_WEB_PROVIDER -> INTERNIC -> TARGET_SERVER

Hope you understand what a dynamic IP is: it is the Web_access offered by AOL, Compuserve, whatever.
Of course it is de facto You'll find plenty of 2 months trial for free. You'll find plenty of 'trial' offers on every magazines' CD-Rom, and of course you'll bnever confirm the contract at the end of the trial period: just discard and begin (a week before the trial end) another free-trial with another dynamic provider. (Ask for permission and then use your friends/colleagues/parents/grocers name and addresses if needed, you can carry on 50 years like that :-) Now, the point is that all great providers will connect you to the web through ONE of their many servers. This specific IP (for instance 212.211.27.146 for compuserve) will change EVERY TIME you access your provider, and it is very difficult to track down. Add to this the fact that the free email address hosting services (like yahoo.com, hotmail.com etcetera) use a plethora of different servers as well, and you'll udnerstand that tracking back your own stalking activities (especially if you have followed my advices and done them through an agora server) will be a nightmare even for a determined government agency! Not that it couldn't be done at all, mind you, yet it would require the collaboration of so many different entities (and it would violate so many privacy rules) that I consider it extremely unlikely that your average targeted smut-side will ever be able to understand what's going on under his nose :-)

For added security yuou can of course configure A CHAIN of free web_email_providers that you have instructed to resend automatically everything they get to the next one, where the last one has been instructed to query ALWAYS an agora server with the content it gets.

Hope you understand the possibilities this open to your stalking activities in general (remember that agoras accept only THREE commands: SEND, DEEP and SOURCE (for an explanation see Fravia's how to search lessons. Here the main agoras you'll use:
[british agora] ~ [italian agora] ~ [nippon agora]

This section of my site, under perennial construction, was started on 23 september 1998