Preparing to Collect Information about People and Businesses

October 12, 2012 by Adrian Stolarski

Identity theft is an increasingly serious crime. In Eastern Europe and the former Soviet bloc most people are suspicious by nature, but in Western Europe and America the situation is different: there, people will readily hand all of their data to a potential attacker. In Eastern Europe we are used to assuming that everyone wants to rob us.

The opinion the developed countries hold of us does not come out of nowhere. To this day, people like my friend from Germany think that every Pole is a drunkard and a thief. In the West the situation looks quite different. In many countries people do not lock their cars or homes, and they willingly give out data such as a credit card number. Once, while staying in Germany, I was asked why I locked the house: what did I own that was so valuable, and who would want to rob me? That attitude later takes its revenge. We receive, for example, bills for services we never ordered, and suddenly the police turn up treating us as the offender, because we had handed out our social security number. Why does this happen?

Most of us have no idea how much information about us can really be found on the Internet. Identity thieves happily read Internet forums, discussion groups and even our home pages, where, to seem more credible, we light-heartedly serve up our personal data. An identity thief can also use the information held in contact-detail databases or CV databases. Many times I have seen advertisements offering for sale a CV database, or the data of 15 million people, for a few dozen dollars. In this way thieves gain access to information that many of us would rather not disclose.

Where to start searching for information on a specific institution or person

Searching for information about a person or a company starts with one simple step. To decide what to do next, it is enough to know a home or office address, or an IP address. Having this information already gives us a great advantage. Do you want to see how simple it is?

Let's start with the situation where we know the address of a web page. Every address you type into the browser is clear to us but means nothing to the machine, which works only with IP addresses. Joining the two into one logical unit is the job of the DNS service, which converts names into addresses and back again. With this we can always find the IP address of the server on which a website stands. Once we know it, we can easily determine whether the site runs on the company's own server or simply on a rented virtual server. In terms of safety it is much better to rent a virtual server, but in terms of configuration the better solution is to use your own web server.

In most cases you can already tell by analysing the replies the DNS server gives to your queries. If we are dealing only with an alias that points to another domain, we can be sure the site sits with a hosting company that merely offers space on its virtual servers. When, however, the page has no aliases, or the aliases are almost identical to each other, we are dealing with the company's own web server. Sometimes, when the addresses are identical, the same address serves the web server, the mail server, SVN or another version control system, and the FTP server.

Sometimes, however, analysing the address does not tell us what we are really dealing with. We cannot tell whether it is an independent, privately held address on a web server or just a package from a company offering web hosting. Then we simply query the database of the organisation that assigns IP addresses.

That organisation is required to store data on all its customers and make it available to anyone interested. In Europe the authoritative database is RIPE's. Thanks to it we can determine not only who we are really dealing with, but also the complete address space around the address of interest. For example, take a domain such as http://adrian-stolarski.pl. How do I check where it is actually hosted? Here is how. On Windows, issue the following command:

C:\> nslookup adrian-stolarski.pl

Or in Linux, issue the following command:

# host adrian-stolarski.pl

Now we know the IP address behind the domain, and we can go on to find out who its holder is. For that we turn to the RIPE database: just open http://www.ripe.net/ripencc/pub-services/db/whois. The database gives not only the pool of IP addresses allocated for a given address, but also private data such as the name of the domain holder, a tax identification number, a company registration number or a social security number, data that is normally not handed to anyone. Searching this database can also give us the person's exact postal address. Funny, is it not?
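
The DNS and RIPE steps above, carried through in code, as an added example that is not part of the original article: parse_whois reads the RPSL-style reply the RIPE whois service returns over TCP port 43 (RFC 3912), and looks_self_hosted applies the article's rule of thumb that a reverse name under the site's own domain points to the company's own server, while one under another domain points to a hosting provider. whois_query needs network access; whois.ripe.net is RIPE NCC's whois server, the reverse name is the one the host command above gives for the IP address, and the sample reply, handles and addresses are constructed.

```python
"""Parse the reply of the RIPE whois service and apply the hosting rule of thumb
from the article. Added example, not code from the article: whois_query needs
network access, while the parser is exercised on a constructed sample reply."""
import socket

RIPE_WHOIS = "whois.ripe.net"   # RIPE NCC whois service, RFC 3912, TCP port 43

def whois_query(query, server=RIPE_WHOIS, timeout=10):
    """Send one whois query (an IP address or a handle) and return the raw reply."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while chunk := s.recv(4096):      # the server closes the connection when done
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", "replace")

def parse_whois(text, keys=("inetnum", "netname", "descr", "org", "country", "admin-c")):
    """Collect the first value of each interesting attribute from an RPSL-style reply."""
    found = {}
    for line in text.splitlines():
        if line.startswith("%") or ":" not in line:   # '%' lines are server comments
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key in keys and key not in found:
            found[key] = value.strip()
    return found

def looks_self_hosted(domain, ptr_name):
    """Article's rule of thumb: a reverse (PTR) name under the site's own domain suggests
    the company's own server; one under another domain suggests a hosting provider."""
    if not ptr_name:
        return False
    # Two-label comparison; multi-part suffixes such as co.uk would need a suffix list.
    return ptr_name.lower().split(".")[-2:] == domain.lower().split(".")[-2:]

# Constructed sample reply (RFC 5737 test addresses, placeholder handles).
SAMPLE_REPLY = """\
% This is the RIPE Database query service.

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-HOSTING-NET
descr:          Example Hosting Sp. z o.o. (constructed sample)
country:        PL
admin-c:        EX123-RIPE
"""
```

Running whois_query on the address the host command returned and feeding the reply to parse_whois gives the netname, holder and address block that the article reads off the RIPE web form.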

Now let's consider another option. Imagine we know both the name of the company and its exact address. Here the online company databases come in. Using one of them we can find the company's website and several interesting pieces of information: certainly the size of the business, marketing details, e-mail contacts and phone numbers of important employees.

There is yet another situation. The company may have neither a permanent link nor a corporate site link, with its employees connecting to head office by modem. What can we do then? If they dial in only over an ordinary Internet connection, not much. If they use a corporate network, however, the situation is a little different, and it starts to get really interesting. If we somehow know the phone number, we can easily find it on one of the online phone book sites. Even simple address books on the Internet list the name of the company, the city and the line of business the company is in.

If we are dealing with a number registered to a company, we have a chance of discovering who the number belongs to. From time to time hackers publish directories that contain even unlisted numbers. In this way we get access to all the data of the subject the number is assigned to, and it does not cost much: a phone book containing all kinds of information can be bought for a few bucks.

What help comes from USENET and newsgroups?

Company websites always carry the e-mail addresses of certain employees. Once we know the organisation's domain name, or its postal address and contact details, we can start an in-depth search for employees. Nothing really stands in the way of quickly gathering information about employees or about the company's administrator. To begin our little espionage we can use all kinds of news sites and newsgroups; in fact, for seeing who works there and identifying the internal structure of the company, those two may be the most useful sources of all.

Whenever I searched for information on computer systems, I browsed the popular newsgroup archives and sites such as the Polish GoldenLine or LinkedIn. For me they were always an interesting source of information on how administrators look after security and how they configure their networks and network services. Several times I built my own database covering several popular newsgroups around the world, and building one was never a major problem: a Linux system, a database and a few simple scripts that update its contents as new messages come in are usually enough. Within a few minutes I was then able to determine who administers a given network.

What is more, I very quickly learned whether someone who had problems they did not understand was nevertheless properly protected. And here I ask you to pay attention: if we happen to describe our problems publicly, we should never describe them in great detail, because the readers are not only the people who want to help us but also hackers looking precisely for where we can be broken into. So never expose yourself to attack with your own information: do not give out IP addresses, domain names, company names and so on. On the other side, if everything is done well, we can also learn a lot about the internal network topology, the company and the programs it uses.

The simplest thing we can use in our search is e-mail. Almost every message contains Received header fields, which are only too happy to inform us. To see them, just view the source of the message. In many cases they amount to a partial description of the company's internal network: usually the name of the employee's workstation, plus the name and address of the gateway and, if we are lucky, the addresses of the internal and external mail servers. Each mail client also usually announces itself, so without any trouble you can build a profile and pin down what software the company actually uses.

It is much the same with the various kinds of news. Any post published to a newsgroup carries the X-NNTP-Posting-Host header, which indicates who really sent the message. The system does not matter: whether or not the sender hides behind an e-mail address, the post will always give the name of the computer, just as it names the e-mail program used to write the message.


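To see what the Received chain, the X-Mailer line and the Message-ID of one outgoing message give away, here is an added example (not the author's code) that walks the hops origin-first and flags the RFC 1918 addresses among them, which is how you would audit your own mail gateway for the leaks the last two paragraphs describe. The message, host names and addresses are constructed; a post's X-NNTP-Posting-Host is read the same way when present.

```python
"""Walk the Received chain and client headers of an e-mail and list the internal
names and addresses it carries out of the company. Added example, not code from
the article; the message below is constructed, using RFC 5737 test addresses."""
import email
import ipaddress
import re

RAW_MESSAGE = b"""\
Received: from mx.example.com (mx.example.com [203.0.113.10])
    by inbound.isp.example with ESMTPS id 7A1B2C; Fri, 12 Oct 2012 10:15:02 +0200
Received: from gw-int.corp.example (gw-int.corp.example [10.0.0.1])
    by mx.example.com with ESMTP id 4D5E6F; Fri, 12 Oct 2012 10:14:58 +0200
Received: from WS-JKOWALSKI.corp.example (WS-JKOWALSKI [192.168.1.57])
    by gw-int.corp.example with ESMTP id 1A2B3C; Fri, 12 Oct 2012 10:14:55 +0200
From: jan.kowalski@example.com
X-Mailer: Microsoft Office Outlook 12.0
Message-ID: <20121012101455.1A2B3C@WS-JKOWALSKI.corp.example>
"""

HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
CLIENT_HEADERS = ("X-Mailer", "User-Agent", "X-NNTP-Posting-Host")  # the sender's software
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """RFC 1918 address: a host behind the company gateway that outsiders should not see."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def analyze(raw):
    """Return the hops (origin first), the internal hosts among them and the client software."""
    msg = email.message_from_bytes(raw)
    hops, internal = [], []
    # Every relay prepends its own Received line, so reverse to read origin first.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))   # unfold the header, then parse one hop
        if not m:
            continue
        ip_match = IP_RE.search(m.group(2) or "")
        ip = ip_match.group(1) if ip_match else None
        hops.append((m.group(1), ip, m.group(3).rstrip(";")))
        if ip and is_internal(ip):
            internal.append((m.group(1), ip))       # workstation and gateway names leak here
    client = {h: msg[h] for h in CLIENT_HEADERS if msg[h]}
    # The Message-ID is usually built from the originating machine's name as well.
    msgid_host = (msg.get("Message-ID") or "").rstrip(">").rpartition("@")[2]
    return {"hops": hops, "internal": internal, "client": client,
            "message_id_host": msgid_host}
```

For the constructed message, analyze reports the workstation WS-JKOWALSKI and the gateway 10.0.0.1 as internal hosts, the Outlook version from X-Mailer and the workstation name again from the Message-ID; a gateway that rewrites or strips these headers on outbound mail is the fix.
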
The purpose of this article was not at all to show how to search for information on social networking sites. It has shown how to find useful information using the most ordinary e-mail messages we come across. Sometimes this technique really disappoints. You may also find that the company uses an outside firm to maintain its network. What then? Call the company on the slightest pretext and use social engineering, which is also covered on the InfoSec Institute pages, to try to get the name of the administrator. Then do not be afraid to use a search engine to gather additional information on the administrator.

A search engine can always find something useful: sometimes an old home page, other times a newsgroup archive containing the administrator's e-mail address, or a publication on the company's corporate website. Once you know the administrator's e-mail address, you can proceed with your task, again following the information in this article to start combing the network. Additionally, search the CV databases; it may happen that our hapless administrator has placed an application somewhere in them that describes his experience and skills.

Now everyone can see that it really is very easy to steal an identity or discover what is going on inside a company. There are tools available to help with this, and thanks to the information collected we are able to quickly identify the weaknesses of any computer system. Consider what an attacker can learn about us using the web.


Adrian Stolarski is a freelance security tech blogger, specializing in Java, PHP, and JQuery. In his own words, he does the hard work of training the unemployed. Currently, he handles Evaluation Visualization for real-time systems with XWT and Eclipse RAP. If he sees that something works, he asks how it works and why it works, then sets out to make it work better. A researcher for InfoSec Institute, he currently lives in Poland, but plans to move to London.