Net Surfing Techniques

by Sonic Life

Boredom can lead to some interesting things.

A friend and I used to work at a computer lab where we were supposed to help people, but everyone already knew what they were doing.  This left us with a lot of time on our hands to find other things to do.

After spending many hours on the Internet, I became fascinated with the fact that all these machines were interconnected and began to wonder how to find what machines were out there in netspace.  It was around this time that we discovered the UNIX command nslookup.

This was nice because it allowed us to connect to any name server and get a listing of all the machines that server knew about.  Searching the listing for names which looked interesting was a very tedious process, though, and the format wasn't the nicest.  But since it was all we had (and we didn't know enough about socket programming to write a better tool), we were content.

Using nslookup I could find machines with names like dialout, annex, and gw, most of which weren't all that interesting, but there were some exceptions.  The problem was that many machines had cryptic names giving you no clue as to what they were.

After fooling around with nslookup for a while, we came across a program called host.c written at Rutgers.

host allows you to query a name server without knowing the actual name server's name.  All you need to know is the domain!

This means that instead of having to find Blahserver.blah_u.edu, all you need to know is blah.edu (the domain is usually made up of the last two fields in a host name).

The listing also includes, in many cases, a description of the exact machine type and operating system.  And, as if that isn't enough, the output can easily be redirected to a file which you can sort through later.

Here is how I normally go about finding interesting sites, assuming, of course, that you have already FTP'd host.c (available at gumby.dsd.trw.com in pub/networking last time I checked) and compiled it.

1.)  Find some domain names of people using IRC or posting to USENET and write them down (e.g., colorado.edu, compuserve.com, af.mil, etc.).

2.)  Use host with the -a -l -v options on the domain name and redirect the output to a file: host -a -l -v colorado.edu > colorado.list

3.)  After you have a listing, use grep to find the obvious ones.  The names to look for are phone, pacx, rolm, dialout, modem, gw, and annex.

I usually also use sgi, iris, and irix to look for Silicon Graphics machines, since fifty percent of the SGI machines I come across can be logged into as guest or lp (line printer).  If there are machines or operating systems that you know back doors for, grep for those also.  Remember to try both upper and lowercase, since grep is case sensitive, or else use grep's -i option to ignore case.  You can also look through the whole file to see if there is anything else you might have missed.

4.)  Telnet or FTP to these machines and see what you find.  Many will ask for some sort of authorization but I usually skip these and move on.  With enough patience, you'll find something good.

Here is a typical session (the names have been changed to protect the ignorant):

$ host -a -l -v bubba.edu > bubba.list
$ grep -i DIALOUT bubba.list
DIALOUT.BUBBA.EDU 345600 IN
         HINFO    UB-ASY-100        NET-ONE
$ telnet dialout.bubba.edu
Operating in line-by-line mode.
Escape character is '^]'.
OK
at
OK  # wow, a modem!

telnet> quit
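A listing like the one above reads the same to the administrator who publishes the zone.  What follows is an added example, not code from this article or from host.c: it parses the two-line record layout shown in the session above (name, TTL and class on one line, type and data indented on the next) and reports every HINFO record, so the owner of a zone can see exactly which hardware and OS details a transfer hands out.  The sample listing, its host names and addresses are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout printed by `host -a -l -v` in the session
# above. Host names and addresses are made up.
SAMPLE_LISTING = """\
BUBBA.EDU 86400 IN
         NS       NS.BUBBA.EDU
NS.BUBBA.EDU 345600 IN
         A        192.0.2.1
DIALOUT.BUBBA.EDU 345600 IN
         HINFO    UB-ASY-100        NET-ONE
WWW.BUBBA.EDU 345600 IN
         A        192.0.2.80
FS1.BUBBA.EDU 345600 IN
         HINFO    SUN-4/330         UNIX
"""

# Header line: owner name, TTL in seconds, class (assumed IN/CH/HS).
RECORD_HEAD = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s*$")


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Turn a verbose host listing into records of name/ttl/class/type/data.

    A header line followed by one indented type/data line forms a record;
    any other line is skipped rather than guessed at.
    """
    records: List[Dict[str, str]] = []
    head = None
    for line in text.splitlines():
        m = RECORD_HEAD.match(line)
        if m:
            head = {"name": m.group(1), "ttl": m.group(2), "class": m.group(3)}
            continue
        if head and line[:1].isspace():
            parts = line.split(None, 1)
            if parts:
                rec = dict(head)
                rec["type"] = parts[0]
                # Collapse the column padding inside the data field.
                rec["data"] = " ".join(parts[1].split()) if len(parts) > 1 else ""
                records.append(rec)
            head = None
    return records


def hinfo_disclosures(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, cpu, os) for each HINFO record in the listing."""
    out = []
    for rec in records:
        if rec["type"] == "HINFO":
            fields = rec["data"].split()
            out.append((rec["name"], fields[0] if fields else "", " ".join(fields[1:])))
    return out
```

Run over your own zone's listing, every HINFO it reports is a record worth dropping, and restricting who may request a transfer keeps the rest of the listing off the net.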

The process is simple, but it takes time to find something good.

Just try not to draw too much attention to yourself with unsuccessful logins unless you're using an account where it doesn't matter.

Surf on!
