
you get practice using pico editor commands. If you want to be a real hacker, you will be using the pico
editor (or another editor that uses similar commands) someday when you are writing programs in a Unix
shell.
To bring up Pine, at the cursor in your Unix shell simply type in "pine".
In Pine, while viewing an email message, you may be able to see full headers by simply hitting the "h" key. If
this doesn't work, you will have to go into the Setup menu to enable this command. To do this, go to the
main menu and give the command "s" for Setup. Then in the Setup menu choose "c" for Config. On the
second page of the Config menu you will see something like this:
PINE 3.91 SETUP CONFIGURATION Folder: INBOX 2 Messages
[ ] compose-rejects-unqualified-addrs
[ ] compose-sets-newsgroup-without-confirm
[ ] delete-skips-deleted
[ ] enable-aggregate-command-set
[ ] enable-alternate-editor-cmd
[ ] enable-alternate-editor-implicitly
[ ] enable-bounce-cmd
[ ] enable-flag-cmd
[X] enable-full-header-cmd
[ ] enable-incoming-folders
[ ] enable-jump-shortcut
[ ] enable-mail-check-cue
[ ] enable-suspend
[ ] enable-tab-completion
[ ] enable-unix-pipe-cmd
[ ] expanded-view-of-addressbooks
[ ] expanded-view-of-folders
[ ] expunge-without-confirm
[ ] include-attachments-in-reply
? Help E Exit Config P Prev - PrevPage
X [Set/Unset] N Next Spc NextPage W WhereIs
You first highlight the line that says "enable-full-header-cmd" and then press the "x" key. Then give "e"
to exit, saving the change. Once you have done this, when you are reading your email you will be able to see
full headers by giving the "h" command.
Elm is another Unix email reading program. It actually gives slightly more detailed headers than Pine, and
automatically shows full headers.
WHAT DOES ALL THAT STUFF IN YOUR HEADERS MEAN?
We'll start by taking a look at a mildly interesting full header. Then we'll examine two headers that reveal
some interesting shenanigans. Finally we will look at a forged header.
OK, let us return to that fairly ordinary full header we looked at above. We will decipher it piece by piece.
First we look at the simple version:
From: Vegbar Fubar
Date: Fri, 11 Apr 1997 18:09:53 GMT
To: hacker@techbroker.com
The information within any header consists of a series of fields separated from each other by a "newline"
character. Each field consists of two parts: a field name, which includes no spaces and is terminated by a
colon; and the contents of the field. In this case the only fields that show are "From:", "Date:", and "To:".
In every header there are two classes of fields: the "envelope", which contains only the sender and recipient
fields; and everything else, which is information specific to the handling of the message. In this case the
only field that shows which gives information on the handling of the message is the Date field.
When we expand to a full header, we are able to see all the fields of the header. We will now go through this
information line by line.
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for techbr@fooway.net id OAA07210; Fri, 11 Apr 1997 14:10:06 -0400
This line tells us that I downloaded this email from the POP server at a computer named o200.fooway.net.
This was done on behalf of my account with email address of techbr@fooway.net. The
(950413.SGI.8.6.12/951211.SGI) part identifies the software name and version running that POP server.
********************************************
Newbie note: POP stands for Post Office Protocol. Your POP server is the computer that holds your email
until you want to read it. Usually the email program on your home computer or shell account computer
will connect to port 110 on your POP server to get your email.
A similar, but more general protocol is IMAP, for Interactive Mail Access Protocol. Trust me, you will be a
big hit at parties if you can hold forth on the differences between POP and IMAP, you big hunk of a hacker,
you! (Hint: for more info, RTFRFCs.)
********************************************
Now we examine the second line of the header:
Received: from ifi.foobar.no by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI) for id OAA18967; Fri, 11 Apr 1997 14:09:58 -0400
Well, gee, I didn't promise that this header would be *totally* ordinary. This line tells us that a computer
named ifi.foobar.no passed this email to the POP server on o200.fooway.net for someone with the email
address of hacker@techbroker.com. This is because I am piping all email to hacker@techbroker.com into the
account techbr@fooway.net. Under Unix this is done by setting up a file in your home directory named
".forward" with the address to which you want your email sent. Now there is a lot more behind this, but I'm
not telling you. Heh, heh. Can any of you evil geniuses out there figure out the whole story?
"ESMTP" stands for "extended simple mail transfer protocol". The "950413.SGI.8.6.12/951211.SGI"
designates the program that is handling my email.
Now for the next line in the header:
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no [129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id for ; Fri, 11 Apr 1997 20:09:56 +0200
This line tells us that the computer ifi.foobar.no got this email message from the computer gyllir.ifi.foobar.no.
These two computers appear to be on the same LAN. In fact, note something interesting. The computer
name gyllir.ifi.foobar.no has a number after it, 129.xxx.64.230. This is the numerical representation of its name.
(I substituted ".xxx." for three numbers in order to fubar the IP address.) But the computer ifi.foobar.no
didn't have a number after its name. How come?
Now if you are working with Windows 95 or a Mac you probably can't figure out this little mystery. But
trust me, hacking is all about noticing these little mysteries and probing them (until you find something to
break, muhahaha -- only kidding, OK?)
But since I am trying to be a real hacker, I go to my trusty Unix shell account and give the command:
>nslookup ifi.foobar.no
Server: Fubarino.com
Address: 198.6.71.10
Non-authoritative answer:
Name: ifi.foobar.no
Address: 129.xxx.64.2
Notice the different numerical IP addresses between ifi.foobar.no and gyllir.ifi.foobar.no. Hmmm, I begin to
think that the domain ifi.foobar.no may be a pretty big deal. Probing around with dig and traceroute leads me
to discover lots more computers in that domain. Probing with nslookup in the mode "set type=any" tells me
yet more.
Say, what does that ".no" mean, anyhow? A quick look at the International Standards Organization (ISO)
records of country abbreviations shows that "no" stands for Norway. Aha, it looks like Norway is an arctic land
of fjords, mountains, reindeer, and lots and lots of Internet hosts. A quick search of the mailing list for
Happy Hacker reveals that some 5% of its almost 4,000 email addresses have the .no domain. So now we
know that this land of the midnight sun is also a hotbed of hackers! Who said headers are boring?
On to the next line, which has the name and email address of the sender:
From: Vegbar Fubar
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri, 11 Apr 1997 18:09:53 GMT
I'm going to do some guessing here. This line says the computer gyllir.ifi.foobar.no got this email message
from Vegbar Fubar on the computer "localhost". Now "localhost" is what a Unix computer calls itself. While