Network Inventory. Part 2

#################################################################################
@                                                                               @
@                          :: LwB Security Team ::                              @
@                                                                               @
#################################################################################
# -written By Gotius                                                            #
# -e-Mail: [email protected]                                                    #
# -http://www.lwbteam.org                                                       #
# -date: 31/01/2004                                                             #
# -comments: No                                                                 #
#################################################################################

- = Network Inventory. Part 2 = -
***************************************

So, today I will continue the topic of network inventory. I'll start by giving a
list of WHOIS servers that will be very useful to you when you go after "serious"
networks: servers that hold information about government, military and
ordinary public networks.
---
http://whois.ripe.net (Europe)
http://whois.apnic.net (Asia Pacific region)
http://whois.nic.mil (the US military)
http://whois.nic.gov (US government agencies)
---
(These are WHOIS servers: you query them over the whois protocol on TCP port 43
with a whois client, on *nix "whois -h server address", not with a web browser.)
This can be considered a small addition to the previous article. Now that you
know you need to collect as much information as possible about the network you
are going to break into, I want to show you a not very difficult, but very
useful, way of gathering it.

As everyone knows, commercial companies merge from time to time. Some small ones
exist only to be swallowed up, and they are only too happy when it happens! The
quickest of you have already guessed what I'm driving at: when the companies
merge, so do their networks. That brings them a cloud of disadvantages, but for
us there are two main ones, and they are a pleasure to use. The first is that
the small company's network can itself be a leaky sieve, so if we get into it,
we get access to the network run by the giant. The second: when networks are
merged there is a huge mess of addresses, servers and domains, not to mention
security, so if they did it in a hurry they left so many holes that you can walk
into the network as if on parade.
So, to find this kind of information we use a wonderful server, www.sec.gov
(unfortunately it only covers companies "over there", but I think we can learn
from it). There is a search engine there: type in the company's name and start
analysing everything you dig up. Oh yes, don't type the name into the first form
you see; we need the EDGAR database, so either go through the main page yourself
(which I recommend, because you can and should read about everything the server
can do), or, if you are lazy:
http://www.sec.gov/edgar/searchedgar/webusers.htm. Here we are offered searches
for all kinds of corporate events, even sales of shares. But we begin with
Companies & Other Filers.
Here is what I got for Microsoft...
*********************************************************************************
Form | Formats              | Description                                        | Filing Date | File Number
*********************************************************************************
4    | [html] [text] 30 KB  | Statement of changes in beneficial ownership of securities | 2004-01-30 |
4    | [html] [text] 4 KB   | Statement of changes in beneficial ownership of securities | 2004-01-29 |
4    | [html] [text] 39 KB  | Statement of changes in beneficial ownership of securities | 2004-01-29 |
4    | [html] [text] 5 KB   | Statement of changes in beneficial ownership of securities | 2004-01-28 |
4    | [html] [text] 32 KB  | Statement of changes in beneficial ownership of securities | 2004-01-28 |
8-K  | [html] [text] 225 KB | Current report, item 12                            | 2004-01-22 | 000-142784
4    | [html] [text] 4 KB   | Statement of changes in beneficial ownership of securities | 2004-01-13 |
4    | [html] [text] 4 KB   | Statement of changes in beneficial ownership of securities | 2004-01-12 |
4    | [html] [text] 6 KB   | Statement of changes in beneficial ownership of securities |            |
*********************************************************************************
There are another thousand or so filings there, so I'm not reproducing them all,
only the newest. As you can see from the first rows, there's plenty of activity
around Microsoft (note that a Form 4 is a statement of changes in an insider's
beneficial ownership of shares, not an acquisition, so read the Description
column before drawing conclusions), and that's what we'll look at. For example,
the latest filing was:
----------------------------------------------------------------------------------
0000902012-04-000004-index.html: 20040130
0000902012-04-000004.hdr.sgml: 20040130
20040130121756
ACCESSION NUMBER: 0000902012-04-000004
CONFORMED SUBMISSION TYPE: 4
PUBLIC DOCUMENT COUNT: 1
CONFORMED PERIOD OF REPORT: 20040128
FILED AS OF DATE: 20040130

ISSUER:

COMPANY DATA:
COMPANY CONFORMED NAME: MICROSOFT CORP
CENTRAL INDEX KEY: 0000789019
STANDARD INDUSTRIAL CLASSIFICATION: SERVICES-PREPACKAGED SOFTWARE [7372]
IRS NUMBER: 911144442
STATE OF INCORPORATION: WA
FISCAL YEAR END: 0630

BUSINESS ADDRESS:
STREET 1: ONE MICROSOFT WAY #BLDG 8
STREET 2: NORTH OFFICE 2211
CITY: REDMOND
STATE: WA
ZIP: 98052
BUSINESS PHONE: 4258828080

MAIL ADDRESS:
STREET 1: ONE MICROSOFT WAY - BLDG 8
STREET 2: NORTH OFFICE 2211
CITY: REDMOND
STATE: WA
ZIP: 98052-6399

REPORTING-OWNER:

OWNER DATA:
COMPANY CONFORMED NAME: GATES WILLIAM H III
CENTRAL INDEX KEY: 0000902012

FILING VALUES:
FORM TYPE: 4
SEC ACT: 1934 Act
SEC FILE NUMBER: 000-14278
FILM NUMBER: 04554865

BUSINESS ADDRESS:
STREET 1: ONE MICROSOFT WAY
CITY: REDMOND
STATE: WA
ZIP: 98052
BUSINESS PHONE: 4258828080

MAIL ADDRESS:
STREET 1: ONE MICROSOFT WAY
CITY: REDMOND
STATE: WA
ZIP: 98052


4 | 1 | edgar.xml | PRIMARY DOCUMENT

Document 1 - file: edgar.html
Document 1 - RAW XML: edgar.xml
----------------------------------------------------------------------------------
Now let's open the document itself and take a look. If the editor trims it, look
it up yourselves; I have cut the file down.
----------------------------------------------------------------------------------
1. Name and Address of Reporting Person *
GATES WILLIAM H III
(Last) (First) (Middle)
---
ONE MICROSOFT WAY
(Street)
---
REDMOND WA 98052
(City) (State) (Zip)
---------------------
2. Issuer Name and Ticker or Trading Symbol
MICROSOFT CORP [MSFT]
---------------------
3. Date of Earliest Transaction (Month / Day / Year)
01/28/2004
---------------------
4. If Amendment, Date of Original Filed (Month / Day / Year)

---------------------
5. Relationship of Reporting Person (s) to Issuer
(Check all applicable)
-------------------------------------------------------
| X | Director                | X | 10% Owner             |
-------------------------------------------------------
| X | Officer (give           |   | Other (specify below) |
|   | title below)            |   |                       |
-------------------------------------------------------
| Chairman of the Board                                   |
-------------------------------------------------------
6. Individual or Joint / Group Filing (Check Applicable Line)
-----------------------------------------------------------
| X | Form filed by One Reporting Person                  |
-----------------------------------------------------------
|   | Form filed by More than One Reporting Person        |
-----------------------------------------------------------

Table I - Non-Derivative Securities Acquired, Disposed of, or Beneficially Owned

Columns:
1. Title of Security (Instr. 3)
2. Transaction Date (Month / Day / Year)
2A. Deemed Execution Date, if any (Month / Day / Year)
3. Transaction Code (Instr. 8): 3a - Code, 3b - V
4. Securities Acquired (A) or Disposed Of (D) (Instr. 3, 4 and 5):
   4a - Amount, 4b - (A) or (D), 4c - Price
5. Amount of Securities Beneficially Owned Following Reported Transaction(s)
   (Instr. 3 and 4)
6. Ownership Form: Direct (D) or Indirect (I) (Instr. 4)
7. Nature of Indirect Beneficial Ownership (Instr. 4)
*********************************************************************************
| 1            | 2          | 2A | 3a | 3b | 4a      | 4b | 4c     | 5             | 6 | 7 |
*********************************************************************************
| Common Stock | 01/28/2004 |    | S  |    | 10,000  | D  | $28.4  | 1,156,489,336 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 65,000  | D  | $28.35 | 1,156,424,336 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 25,000  | D  | $28.34 | 1,156,399,336 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 25,000  | D  | $28.28 | 1,156,374,336 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 25,000  | D  | $28.25 | 1,156,349,336 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 25,000  | D  | $28.24 | 1,156,324,336 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 25,000  | D  | $28.23 | 1,156,299,336 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 25,000  | D  | $28.2  | 1,156,274,336 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 25,000  | D  | $28.15 | 1,156,249,336 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 78,600  | D  | $28.09 | 1,156,170,736 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 223,150 | D  | $28.08 | 1,155,947,586 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 103,000 | D  | $28.07 | 1,155,844,586 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 78,300  | D  | $28.06 | 1,155,766,286 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 80,400  | D  | $28.05 | 1,155,685,886 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 50,000  | D  | $28.04 | 1,155,635,886 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 50,000  | D  | $28.03 | 1,155,585,886 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 25,000  | D  | $28.02 | 1,155,560,886 | D |   |
| Common Stock | 01/28/2004 |    | S  |    | 61,550  | D  | $28.01 | 1,155,499,336 | D |   |
|              |            |    |    |    |         |    |        | (1)           |   |   |
*********************************************************************************

That's how, in such a simple way, we got some information about their holdings
and transactions. Go through the rest of the documents on the server and you'll
learn a lot of interesting things about the structure of the company, and hence
about the likely layout of its network. Don't forget to look at the
subsidiaries, because that's how you learn about the mergers.
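The filing header printed above is a machine-readable SEC-HEADER: "KEY: value" lines grouped under bare "KEY:" section headers. As an added example (written for this edit, not code from the article or from the SEC), here is a small Python parser for that layout plus a helper that pulls out the fields you pivot on next: issuer name and CIK (the key you use to find the company's other filings, including the Exhibit 21 subsidiary list that accompanies a 10-K), head-office address and phone, and the insider's name. The sample header is constructed from the one shown above; real files indent nested keys with tabs, which the parser ignores, and the group/section naming is this example's own convention.

```python
import re

# "KEY: value" field, or a bare "KEY:" line that opens a section
FIELD_RE = re.compile(r"^\s*([A-Z][A-Z0-9 \-/]*?):\s*(.*?)\s*$")


def parse_edgar_header(text):
    """Parse an EDGAR SEC-HEADER into {"GROUP/SECTION": {key: value}}.

    A bare "KEY:" line opens a section.  A bare header that is immediately
    followed by another bare header (ISSUER:, REPORTING-OWNER:) is a group, and
    the sections after it are filed as "GROUP/SECTION", so the issuer's
    BUSINESS ADDRESS stays apart from the reporting owner's.  Fields before any
    header (ACCESSION NUMBER, FILED AS OF DATE, ...) go under "".  A line with
    no "KEY:" continues the previous value (wrapped SIC descriptions).
    """
    lines = [l for l in text.splitlines() if l.strip()]
    hdr, group, section, last_key = {"": {}}, None, "", None
    for i, line in enumerate(lines):
        m = FIELD_RE.match(line)
        if not m:                                   # continuation or junk
            if last_key is not None:
                hdr[section][last_key] += " " + line.strip()
            continue
        key, value = m.group(1), m.group(2)
        if value:
            hdr.setdefault(section, {})[key] = value
            last_key = key
            continue
        nxt = FIELD_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if nxt and not nxt.group(2):                # header followed by header
            group = key
        else:
            section = f"{group}/{key}" if group else key
            hdr.setdefault(section, {})
        last_key = None
    return hdr


def recon_pivots(hdr):
    """The handful of fields an attacker pivots on from a single filing."""
    issuer = hdr.get("ISSUER/COMPANY DATA", {})
    addr = hdr.get("ISSUER/BUSINESS ADDRESS", {})
    owner = hdr.get("REPORTING-OWNER/OWNER DATA", {})
    top = hdr.get("", {})
    return {
        "issuer": issuer.get("COMPANY CONFORMED NAME"),
        "cik": issuer.get("CENTRAL INDEX KEY"),       # key for all other filings
        "sic": issuer.get("STANDARD INDUSTRIAL CLASSIFICATION"),
        "state": issuer.get("STATE OF INCORPORATION"),
        "hq": ", ".join(v for v in (addr.get("STREET 1"), addr.get("CITY"),
                                    addr.get("STATE"), addr.get("ZIP")) if v),
        "phone": addr.get("BUSINESS PHONE"),         # the company's number block
        "insider": owner.get("COMPANY CONFORMED NAME"),
        "form": top.get("CONFORMED SUBMISSION TYPE"),
        "filed": top.get("FILED AS OF DATE"),
    }


# Constructed sample: a cut-down copy of the header printed in the article.
SAMPLE = """\
ACCESSION NUMBER: 0000902012-04-000004
CONFORMED SUBMISSION TYPE: 4
FILED AS OF DATE: 20040130

ISSUER:

COMPANY DATA:
COMPANY CONFORMED NAME: MICROSOFT CORP
CENTRAL INDEX KEY: 0000789019
STANDARD INDUSTRIAL CLASSIFICATION: SERVICES-PREPACKAGED
SOFTWARE [7372]
STATE OF INCORPORATION: WA

BUSINESS ADDRESS:
STREET 1: ONE MICROSOFT WAY #BLDG 8
CITY: REDMOND
STATE: WA
ZIP: 98052
BUSINESS PHONE: 4258828080

REPORTING-OWNER:

OWNER DATA:
COMPANY CONFORMED NAME: GATES WILLIAM H III
CENTRAL INDEX KEY: 0000902012

FILING VALUES:
FORM TYPE: 4

BUSINESS ADDRESS:
STREET 1: ONE MICROSOFT WAY
CITY: REDMOND
"""

if __name__ == "__main__":
    for k, v in recon_pivots(parse_edgar_header(SAMPLE)).items():
        print(f"{k:<8} {v}")
```

Feed it the .hdr.sgml (or the SEC-HEADER block at the top of the full .txt submission) and take the CIK to the company search to list every other filing under the same key.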

Now I'll get back to topics closer to hacking and to the inventory itself. The
first thing we need to find out about is the "DNS zone transfer". As a rule, a
company that runs its own DNS server also has a secondary DNS server, which is
there to take over if the primary goes down. For that to work they have to set
up a zone transfer between the two, so that the secondary knows everything about
the network. Fortunately, many servers are configured so that they provide this
service to anyone who asks, including us. That way we learn about every host in
the network we're investigating. On a large network you can pull down a lot of
data this way, and going through it takes a long time. But I'll show you the
shortest way.

First, to dot the i's for those who are wedded to Windows: you'll never do
serious hacking under that OS. If you're a script kiddie, then by all means use
it, but I'm trying to teach serious hacking, and what I've managed to write so
far is only a hundredth of what you still have to read in my articles. So if
you've decided to become a hacker after all, switch to *nix and read on; if you
say you'll run to the shop for a distribution tomorrow, then Sam Spade can also
do zone transfers, so you don't have to run anywhere today. But from here on I
write for *nix, because I've never used Windows for hacking, and I've seen Sam
Spade maybe once or twice in my life.

First we need a tool that should be in every *nix by default (I'm on FreeBSD and
it's there; RedHat has it too). It's called nslookup (well, who would have
suspected it could be used for this?).
Here's how...
----------------------------------------------------------------------------------
# nslookup
Default Server: (I won't say where I am)
Address: xxxx
> server 213.199.144.151     (the IP of the DNS server we found in the previous
                             article, or found the same way)
> ls -d microsoft.com > /tmp/dns_zone
----------------------------------------------------------------------------------
It's that simple! True, Microsoft's zone is so big that you could hang around
waiting for it to come down, so practise on small networks. I didn't wait for it
to finish either, so I'll only show a small piece of the file, but it shows the
essence perfectly.
---------------------------------------------
| Host   | IN | Type  | Data                |
---------------------------------------------
| acct26 | IN | A     | 213.199.144.153     |
|        |    | HINFO | Gateway, WIN2K      |
|        |    | MX    | 0 andromeda         |
|        |    | RP    | sat.hfols           |
|        |    | TXT   | Location: room15    |
---------------------------------------------
Just look at what excellent information we got! The A record gives us the IP
itself; HINFO describes the machine (it's a gateway running Windows 2000); MX
tells us which host takes its mail (andromeda); RP gives us the name of the
person responsible; and TXT is a real tidbit if we want to picture where the
box physically sits in the building. This field isn't always filled in; admins
fill it in for themselves, so they know where to go when something needs
looking at. In general, the best tool for this job is axfr, which also stores
the zones it pulls down in compressed form.
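What nslookup's "ls -d" does under the hood is send an AXFR query over TCP and read the answer as a stream of length-prefixed DNS messages until the zone's SOA record comes round a second time. As an added example (not code from the article), here is a minimal zone-transfer client in pure Python that does exactly that and decodes the record types that matter for inventory (A, NS, CNAME, SOA, MX, HINFO, RP, TXT), name compression included; a properly configured server answers with rcode REFUSED, which the parser raises as an error instead of silently returning nothing. The server and zone are command-line arguments; dig @server zone axfr does the same job in one line if you only want the data.

```python
import socket
import struct

# RR types worth pulling out of a zone during inventory
TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 13: "HINFO", 15: "MX",
         16: "TXT", 17: "RP", 28: "AAAA"}
AXFR, IN = 252, 1
RCODES = {1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1337):
    # header: id, flags=0, qdcount=1, ancount=0, nscount=0, arcount=0
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack("!HH", AXFR, IN))


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels) + ".", (end if end is not None else off)


def decode_rdata(msg, rtype, off, rdlen):
    data = msg[off:off + rdlen]
    if rtype == 1 and rdlen == 4:
        return ".".join(str(b) for b in data)
    if rtype in (2, 5):                            # NS, CNAME: a name
        return decode_name(msg, off)[0]
    if rtype == 15:                                # MX: preference + name
        return f"{struct.unpack('!H', data[:2])[0]} {decode_name(msg, off + 2)[0]}"
    if rtype == 17:                                # RP: mailbox name + txt name
        mbox, nxt = decode_name(msg, off)
        return f"{mbox} {decode_name(msg, nxt)[0]}"
    if rtype in (13, 16):                          # HINFO, TXT: character-strings
        strings, p = [], 0
        while p < len(data):
            n = data[p]
            strings.append(data[p + 1:p + 1 + n].decode("ascii", "replace"))
            p += 1 + n
        return " ".join(f'"{s}"' for s in strings)
    return data.hex()                              # anything else: raw


def parse_records(msg):
    """Return [(owner, type, rdata)] from the answer section of one DNS message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    if rcode:                                       # a well-run server says REFUSED
        raise PermissionError(f"zone transfer failed: {RCODES.get(rcode, rcode)}")
    off = 12
    for _ in range(qd):                             # skip the echoed question
        off = decode_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((owner, TYPES.get(rtype, f"TYPE{rtype}"),
                        decode_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return records


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-transfer")
        buf += chunk
    return buf


def axfr(server, zone, port=53, timeout=15):
    """Pull a whole zone over TCP; the transfer ends at the second SOA record."""
    query = build_axfr_query(zone)
    records, soa_seen = [], 0
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:
            msg = recv_exact(s, struct.unpack("!H", recv_exact(s, 2))[0])
            for rec in parse_records(msg):
                records.append(rec)
                if rec[1] == "SOA":
                    soa_seen += 1
    return records


def interesting(records):
    """The records that describe hosts rather than just address them."""
    return [r for r in records if r[1] in ("HINFO", "RP", "TXT")]


if __name__ == "__main__":
    import sys
    for owner, rtype, rdata in axfr(sys.argv[1], sys.argv[2]):
        print(f"{owner:<40} {rtype:<6} {rdata}")
```

Run it as "python3 axfr.py 213.199.144.151 microsoft.com"; a PermissionError with REFUSED is the normal answer from a server whose allow-transfer list does not include you, and is worth logging as a finding in its own right.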

Now we'll start creeping slowly up to the network itself and probing it. For
this we need traceroute. Let's try 213.199.144.153:
*********************************************************************************
Hop | Time 1 | Time 2 | Time 3 | IP              | Hostname                         | Return TTL | Country        | Time
*********************************************************************************
1   | 25 ms  | 30 ms  | 29 ms  | 216.26.128.225  | kenny.fe-0-0-0.sdf.xodiax.net.   | 252 | UNITED STATES  | Unix: 10:56:23.203
2   | 31 ms  | 36 ms  | 35 ms  | 65.117.168.137  | chi-edge-09.inet.qwest.net.      | 251 | UNITED STATES  | Unix: 10:56:23.247
3   | 40 ms  | 350 ms | 350 ms | 205.171.20.125  | chi-core-03.inet.qwest.net.      | 250 | UNITED STATES  | Unix: 10:56:23.296
4   | 28 ms  | 32 ms  | 39 ms  | 205.171.20.142  | chi-brdr-03.inet.qwest.net.      | 250 | UNITED STATES  | Unix: 10:56:23.648
5   | 50 ms  | 54 ms  | 54 ms  | 205.171.1.162   | [Missing reverse DNS entry]      | 249 | UNITED STATES  |
6   | 31 ms  | 35 ms  | 35 ms  | 144.232.26.2    | sl-bb21-chi-15-0.sprintlink.net. | 248 | UNITED STATES  |
7   | 40 ms  | 50 ms  | 59 ms  | 144.232.9.148   | sl-bb22-nyc-15-0.sprintlink.net. | 244 | UNITED STATES  |
8   | 40 ms  | 50 ms  | 59 ms  | 144.232.7.105   | sl-bb20-nyc-14-0.sprintlink.net. | 245 | UNITED STATES  |
9   | 120 ms | 130 ms | 139 ms | 144.232.9.162   | sl-bb22-lon-12-0.sprintlink.net. | 244 | UNITED STATES  |
10  | 100 ms | 109 ms | 119 ms | 213.206.128.102 | sl-gw21-lon-1-1.sprintlink.net.  | 242 | UNITED KINGDOM | Unix: 10:56:24.208
11  | *      | *      | *      |                 |                                  |     |                |
12  | *      | *      | *      |                 |                                  |     |                |
13  | *      | *      | *      |                 |                                  |     |                |
*********************************************************************************

That's the situation: after the 10th hop we're not let through any further,
because we sent the probes with the default settings, and the simplest of
filters gets rid of them. I forgot to say that under Windows you can use
VisualRoute for this.
And here's a different query!
----------------------------------------------------------------------------------
# traceroute -S -p53 213.199.144.151
 1  213.59.90.237 (213.59.90.237)  1.468 ms  0.684 ms  0.771 ms (0% loss)
 2  spb-81-211-103-81.sovintel.ru (81.211.103.81)  2.481 ms  2.180 ms  2.527 ms (0% loss)
 3  17.spb.sovintel.ru (213.221.63.17)  12.813 ms  16.669 ms  33.814 ms (0% loss)
 4  cisco02.Moscow.gldn.net (194.186.157.249)  36.987 ms  31.865 ms  33.341 ms (0% loss)
 5  cisco03.Moscow.gldn.net (194.186.157.222)  45.598 ms  55.444 ms  42.085 ms (0% loss)
 6  sl-gw10-sto-3-0.sprintlink.net (80.77.97.125)  56.038 ms  55.907 ms  55.813 ms (0% loss)
 7  sl-bb21-sto-8-0.sprintlink.net (80.77.96.41)  56.066 ms  55.598 ms  56.348 ms (0% loss)
 8  sl-bb21-cop-12-0.sprintlink.net (213.206.129.33)  56.495 ms  56.527 ms  60.234 ms (0% loss)
 9  sl-bb20-lon-14-0.sprintlink.net (213.206.129.37)  84.759 ms  73.822 ms  73.762 ms (0% loss)
10  sl-gw21-lon-1-1.sprintlink.net (213.206.128.102)  73.313 ms  87.128 ms  88.978 ms (0% loss)
11  sle-micro22-6-0.sprintlink.net (213.206.158.146)  74.170 ms  75.901 ms  74.832 ms (0% loss)
12  * * igbaihsssc7504-f1-00.msft.net (213.199.144.77)  84.178 ms (66% loss)
13  igbaihsssc7504-f1-00.msft.net (213.199.144.77)  74.668 ms !X * * (66% loss)
14  * igbaihsssc7504-f1-00.msft.net (213.199.144.77)  200.715 ms !X * (66% loss)
15  * * * (100% loss)
16  * * igbaihsssc7504-f1-00.msft.net (213.199.144.77)  91.999 ms !X (66% loss)
17  * igbaihsssc7504-f1-00.msft.net (213.199.144.77)  93.588 ms !X * (66% loss)
18  igbaihsssc7504-f1-00.msft.net (213.199.144.77)  73.655 ms !X * 75.182 ms !X (33% loss)
----------------------------------------------------------------------------------
I haven't shown the whole journey (you can get it yourselves; in any case, we've
reached Microsoft's network), but it's plain to see that our packets are forcing
their way through!!! What's the trick? The -S switch (not available in every
version; if yours lacks it, get a newer one or the patch that adds it). This
switch has nothing to do with the TTL: traceroute always raises the TTL by one
after each hop it passes, with or without -S. What -S does in the patched
traceroute is stop the destination port from incrementing with every probe, and
-p sets that port, so every probe went to the port used for DNS queries, and a
filter that lets DNS through would be rude not to answer it. (In FreeBSD's own
traceroute -S instead prints the per-hop loss summary you see in parentheses
above, and -e is the switch that pins the destination port.)

So we get to see every machine on the network and know what is where. From this
output we learned that we got into the network via 213.199.144.77 (why the
packets were lost is a question for packet analysis, but the losses then stop,
as you can see from 100% -> 66% -> 33%). One caveat when reading it: the "!X"
printed after an RTT means that hop answered with an ICMP "communication
administratively prohibited" (type 3, code 13), so 213.199.144.77 is the
filtering router at the edge of their network telling us outright that it
refused the probe; the hosts behind it still have to come from the zone
transfer.
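Reading annotated traceroute output by eye gets old fast, so as an added example (not from the article) here is a small Python analyser for the output format above: it re-counts lost probes per hop instead of trusting the -S summary, collects the responding IPs and RTTs, and maps the error annotations documented in traceroute(8) (!X, !H, !N, !P, !F, !S) to a per-hop verdict, so the first hop that explicitly refuses a probe stands out. The sample lines are the relevant ones from the second trace above with wrapped lines joined; the verdict wording is this example's own.

```python
import re

# Annotations traceroute prints after an RTT when the hop answered with an ICMP
# error instead of the expected TTL-exceeded message (see traceroute(8)).
ANNOTATIONS = {
    "!X": "communication administratively prohibited (ICMP type 3 code 13): explicit filter",
    "!H": "host unreachable",
    "!N": "network unreachable",
    "!P": "protocol unreachable",
    "!F": "fragmentation needed",
    "!S": "source route failed",
}

LOSS_RE = re.compile(r"\(\d+% loss\)")
HOST_RE = re.compile(r"(\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)")
PROBE_RE = re.compile(r"(\d+(?:\.\d+)?) ms(?: (![A-Z]))?")


def parse_hop(line):
    """Parse one traceroute output line into a dict (None for non-hop lines)."""
    line = LOSS_RE.sub("", line).strip()          # -S summary: we recount anyway
    m = re.match(r"(\d+)\s+(.*)$", line)
    if not m:
        return None
    hop, rest = int(m.group(1)), m.group(2)
    hosts = HOST_RE.findall(rest)                  # [(name, ip), ...]
    rest_wo_hosts = HOST_RE.sub("", rest)          # leaves "rtt ms [!X]" and "*"
    probes = PROBE_RE.findall(rest_wo_hosts)       # [(rtt, annotation-or-""), ...]
    return {
        "hop": hop,
        "ips": sorted({ip for _, ip in hosts}),
        "names": sorted({name for name, _ in hosts}),
        "rtts": [float(rtt) for rtt, _ in probes],
        "lost": rest_wo_hosts.count("*"),
        "annotations": sorted({a for _, a in probes if a}),
    }


def verdict(hop):
    if hop["annotations"]:
        what = ", ".join(ANNOTATIONS.get(a, a) for a in hop["annotations"])
        return f"filtered: {what}"
    if not hop["rtts"]:
        return "no reply (silently dropped or rate-limited)"
    return "ok"


def analyse(output):
    """Per-hop analysis of a whole traceroute run."""
    hops = [h for h in (parse_hop(l) for l in output.splitlines()) if h]
    for h in hops:
        h["verdict"] = verdict(h)
    return hops


def first_filtering_hop(hops):
    """The first hop that explicitly refused a probe (!X), or None."""
    for h in hops:
        if "!X" in h["annotations"]:
            return h
    return None


# Constructed sample: the relevant lines of the second trace in the article,
# with wrapped lines joined back together.
SAMPLE = """\
10 sl-gw21-lon-1-1.sprintlink.net (213.206.128.102) 73.313 ms 87.128 ms 88.978 ms (0% loss)
11 sle-micro22-6-0.sprintlink.net (213.206.158.146) 74.170 ms 75.901 ms 74.832 ms (0% loss)
12 * * igbaihsssc7504-f1-00.msft.net (213.199.144.77) 84.178 ms (66% loss)
13 igbaihsssc7504-f1-00.msft.net (213.199.144.77) 74.668 ms !X * * (66% loss)
15 * * * (100% loss)
18 igbaihsssc7504-f1-00.msft.net (213.199.144.77) 73.655 ms !X * 75.182 ms !X (33% loss)
"""

if __name__ == "__main__":
    for h in analyse(SAMPLE):
        print(f"{h['hop']:>2} {','.join(h['ips']) or '-':<16} "
              f"rtt={h['rtts']} lost={h['lost']} -> {h['verdict']}")
```

Pipe a real run in with "traceroute -S -p53 target | python3 trace_analyse.py" after swapping SAMPLE for sys.stdin.read(); a hop that answers "!X" on port 53 is the place to try other ports from, since that router is reachable and talkative.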


Copyright 2002-2004 by LwB Security Team. All rights reserved.