The Exploit Files

Osiris

The Exploit Files
____________________________________________________________

by keydet89@yahoo.com and Carolyn Meinel

How many times have you read hacker newsgroups or email lists and seen posts that begged "teach me to hack," or asked "how do I hack this"? It often
looks as though the person asking the question just doesn't understand the
basics of vulnerabilities and their exploits. The purpose of this Guide is
to explain what vulnerabilities and exploits are, and how they relate to
computer security.

Let's start with an example. Suppose that you are trying to sell something
by phone. So you start by calling phone numbers, and you keep calling until
you get someone to answer, not an answering machine, but a real live person.
Then if the person who answers the phone speaks the same language as you and can understand you, you try to sell your product. Lots of people will hang
up on you, but eventually, someone will buy something...bang! You've scored!

*****************************************************************
In this Guide you will learn:

* What is a vulnerability
* What is an exploit
* How to look for vulnerabilities
*****************************************************************

So what does this have to do with 'hacking'? Look at your dialing of phone
numbers as port scanning IP (Internet protocol) addresses on the Internet.
Some Internet host computers won't answer. Maybe a firewall is blocking the
ports that you're scanning. Some hosts will answer, and at that point
maybe, just maybe, you've found a vulnerable computer.

********************************************************************
Newbie note: What are these 'ports' we are talking about? This kind of
'port' is a number used to identify a service on an Internet host. For
this reason they are often called 'TCP/IP' (transmission control
protocol/Internet protocol) ports, to distinguish them from other kinds of
computer ports such as modems, ports to printers, etc. Each host computer
connected to the Internet is identified by an IP address, usually reached
through a host name such as 'victim.fooisp.com.' Since each host may have
many services running, each service uses a different port. To contact any of
these ports across the Internet, you use the host's IP address and port
number -- it's kind of like dialing a phone number.
********************************************************************

Now maybe you have connected to telnet, port 23. You get a login prompt,
but you don't know any valid username/password combinations. So the host
"hangs up" on you. After many hours of trying, you connect to a host on the
right port, and Shazam!! You're greeted with a login prompt, and you quickly
guess a valid username and password combination. The next thing you know,
you have a command prompt. You have discovered a vulnerability -- an easily
guessed password! So being the 'white hat hacker' that you are, you send an
email to the sysadmin of the site and leave quietly.

*****************************************************************
Newbie note: A 'host' is a computer connected to the Internet. A 'service'
is a program that is running on a port of an Internet host. Each service is
a program that will respond to certain commands. If you give it the right
command, you will get it to do something for you.
The simplest example of a service is 'chargen', or character generator (port 19). If you make a telnet connection on the chargen port to a server running the chargen service, this program will react to this connection by sending a string of characters which you will see being repeated across your telnet screen. All you need to do is connect to the service.

Another example of a service is finger (port 79). If you run a finger
program to request information on a particular user from a specific host,
and the finger service (or 'fingerd') is running, and if the user has not
instructed the finger service to ignore requests about him or her, you will
get back information on that user.
*****************************************************************

What services are run from these ports, and how can we learn more about
them? Ports numbered from 1 to 1024 are called the 'well-known' ports.
These are listed in RFC 1700 (see http://www.internetnorth.com.au/keith/networking/rfc.html). Many of the
well-known ports are also listed in a file on your computer called
'services'. On Win95, it's c:\windows\services; on NT, it's
c:\winnt\system32\drivers\etc\services; on many Unix type computers (your shell account) it's /etc/services.

These ports are called 'well-known' because they are commonly used by
certain services. For example, the well-known port for sending email is the
SMTP port, or port 25. Because it is 'well-known', anyone can send email to anyone else. Because port 110 is the well-known port for checking email, all email clients know that they have to connect to a POP server on port 110 in order to retrieve email.

An excellent FAQ (frequently asked questions) on TCP/IP ports can be found at http://www.technotronic.com/tcpudp.html

*************************************************************
You can get punched in the nose warning: There are many port scanning
tools, and wannabe hackers use them ... a lot. But for what purpose? In
most cases all that happens is that a sysadmin or firewall administrator
goes through the logs that computer keeps of who has tried to hack that
site. He or she then decides whether to ignore your scan or call the
sysadmin of the site that your scan came from. Even though (in the US at
least) port scanning is legal, it makes systems administrators really mad at
you! To avoid getting kicked off your Internet provider, get permission to
scan first!

What Is a Vulnerability?

A 'vulnerability' is anything about a computer system that will allow someone to either keep it from operating correctly, or that will let unauthorized people take it over. There are many types of vulnerabilities. They may be a misconfiguration in the setup of a service, or a flaw in the programming of the service.

An example of a setup misconfiguration is leaving the 'wiz' or 'debug' commands operational in older versions of sendmail, or incorrectly setting directory permissions on your FTP server so people can download the password file. In these cases, the vulnerability is not how the program was written, but with how the program is configured. Allowing file sharing on your Windows 95 or 98 computer when it is not necessary, or failing to put a
password on file sharing, is another example.

Examples of errors in the programming of services are the large number of buffer overflow vulnerabilities in the programs that run services on the ports of Internet host computers. Many of these buffer overflow problems allow people to use the Internet to break into and take control of host computers.

What Is an Exploit?

An 'exploit' is a program or technique that takes advantage of a
vulnerability. For example, the FTP-Bounce vulnerability occurs when an FTP server (used to allow people to upload and download files) is configured to redirect FTP connections to other computers. There really is no good reason to allow this feature. It has become a vulnerability because this 'bounce' feature allows someone to use it to port scan other computers on the same
local area network (LAN) as that FTP server. So even though a firewall may be keeping port scanners from directly scanning other computers on this LAN, the FTP server would bounce a scan past the firewall.
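FTP servers shut the bounce off by refusing any PORT command that names an address other than the client's own. Here is an added example of that check (not code from the Guide or from any FTP server); the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

def parse_port_command(cmd):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port); ValueError if malformed."""
    verb, _, args = cmd.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = [int(x) for x in args.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("PORT needs six byte-sized fields")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]

def port_command_allowed(peer_ip, cmd):
    """Allow a data connection only back to the control-connection peer, and
    only on a non-privileged port, so the server cannot be used as a relay
    to probe other hosts behind the firewall (the 'bounce')."""
    try:
        ip, port = parse_port_command(cmd)
    except ValueError:
        return False  # malformed PORT: refuse rather than guess
    if ipaddress.ip_address(ip) != ipaddress.ip_address(peer_ip):
        return False  # data address is not the client itself: bounce attempt
    if port < 1024:
        return False  # never connect back to a well-known service port
    return True

if __name__ == "__main__":
    # Constructed values: client 203.0.113.5 asks for data on its own port 1234.
    print(port_command_allowed("203.0.113.5", "PORT 203,0,113,5,4,210"))   # True
    # Same client names the firewalled host 192.0.2.10, port 23: refused.
    print(port_command_allowed("203.0.113.5", "PORT 192,0,2,10,0,23"))     # False
```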

So really an exploit is any technique that takes advantage of a
vulnerability to enable you to carry out your own schemes, despite the wishes of the sysadmin of your target. Exploits depend on operating systems and their configurations, the configurations of programs running on computer systems, and of the LAN they are on.

Operating systems such as NT, VMS and Unix are very different, and the various versions of Unix have their differences, as well. (Examples of Unix operating systems include BSD, AIX, SCO, Irix, Sun OS, Solaris, and Linux). Even the various versions of the Linux form of Unix are different.

This means exploits that will work against NT systems will probably not work against Unix systems, and exploits for Unix systems will probably not work against NT. NT services are run by different programs from what you may find on Unix type computers. Further, different versions of the same service
running on any particular operating system will probably not be vulnerable to the same exploit, because each version of a service is run by a different program. Sometimes this different program may have the same name but only have a different version number. For example sendmail 8.9.1a is different from 8.8.2. Many of the differences are that 8.9.1a has been fixed so that none of the old sendmail exploit programs will work on it.

For example, the "Leshka" exploit explained in the GTMHH on advanced shell programming clearly explains that it only works on versions 8.7-8.8.2 of the SMTP service program called 'sendmail.' We observed a number of people who were playing the hacker wargame trying to run the Leshka exploit against a later, fixed version of sendmail.

So remember, an exploit for one operating system or service is unlikely to work against another operating system. This isn't to say that it definitely won't...it's just not likely. However, you are pretty much guaranteed that any Win95 or NT exploit will not work against any kind of Unix.

How to Look for Vulnerabilities

Now let's start someplace where you are unlikely to get punched in the nose by looking at some ports on your own computer. You can do this by typing 'netstat -a' at the command prompt.

You should see something such as:

Active Connections

Proto Local Address Foreign Address State
TCP localhost:1027 0.0.0.0:0 LISTENING
TCP localhost:135 0.0.0.0:0 LISTENING
TCP localhost:135 0.0.0.0:0 LISTENING
TCP localhost:1026 0.0.0.0:0 LISTENING
TCP localhost:1026 localhost:1027 ESTABLISHED
TCP localhost:1027 localhost:1026 ESTABLISHED
TCP localhost:137 0.0.0.0:0 LISTENING
TCP localhost:138 0.0.0.0:0 LISTENING
TCP localhost:nbsession 0.0.0.0:0 LISTENING
UDP localhost:135 *:*
UDP localhost:nbname *:*
UDP localhost:nbdatagram *:*

Hhhmm...nothing much going on here. The 'Local Address' (i.e., my local machine) seems to be listening on ports 135, 137, 138, and 'nbsession' (which translates to port 139...type 'netstat -an' to see just the port numbers, not the names of the ports). This is okay...those ports are part of Microsoft networking, and need to be active on the LAN my machine is connected to.

Now we connect our Web browser to http://www.happyhacker.org and at the same time run Windows telnet and connect to a shell account at example.com. Let's see what happens. Here's the output of the 'netstat -a' command, slightly abbreviated:

Active Connections

Proto Local Address Foreign Address State
TCP localhost:1027 0.0.0.0:0 LISTENING
TCP localhost:135 0.0.0.0:0 LISTENING
TCP localhost:135 0.0.0.0:0 LISTENING
TCP localhost:2508 0.0.0.0:0 LISTENING
TCP localhost:2509 0.0.0.0:0 LISTENING
TCP localhost:2510 0.0.0.0:0 LISTENING
TCP localhost:2511 0.0.0.0:0 LISTENING
TCP localhost:2514 0.0.0.0:0 LISTENING
TCP localhost:1026 0.0.0.0:0 LISTENING
TCP localhost:1026 localhost:1027 ESTABLISHED
TCP localhost:1027 localhost:1026 ESTABLISHED
TCP localhost:137 0.0.0.0:0 LISTENING
TCP localhost:138 0.0.0.0:0 LISTENING
TCP localhost:139 0.0.0.0:0 LISTENING
TCP localhost:2508 zlliks.505.ORG:80 ESTABLISHED
TCP localhost:2509 zlliks.505.ORG:80 ESTABLISHED
TCP localhost:2510 zlliks.505.ORG:80 ESTABLISHED
TCP localhost:2511 zlliks.505.ORG:80 ESTABLISHED
TCP localhost:2514 example.com:telnet ESTABLISHED

So what do we see now? Well, there are the ports listening for Microsoft networking, just like in the first example. And there also are some new ports listed. Four are connected to 'zlliks.505.org' on port 80, and one to 'example.com' on the telnet port. These correspond to the client connections that I set up. See, this way you know the name of the computer that was running the Happy Hacker Web site at this time.

But what is with the really high port numbers? Well, remember the
'well-known' ports that we talked about above? Client applications, such as browsers and telnet clients (clients are programs that connect to servers) need to use a port to receive data on, so they randomly select ports from outside the 'well-known' port range... above 1024. In this case, my browser has opened up four ports...2508 through 2511.
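To make the two 'netstat -a' listings above concrete, here is an added example (not part of the original Guide) that parses such output, resolves port names the way the 'services' file does, and separates the well-known ports your machine is listening on from the ephemeral client ports the browser and telnet client opened. The small name table standing in for the services file, and the trimmed sample listing, are constructed for this example.

```python
# Constructed stand-in for the 'services' file the Guide mentions; only the
# names that appear in the sample netstat output are listed (assumption).
SERVICES = {"telnet": 23, "smtp": 25, "http": 80, "nbname": 137,
            "nbdatagram": 138, "nbsession": 139}

# Constructed sample, trimmed from the second 'netstat -a' listing in the text.
SAMPLE = """Active Connections

Proto Local Address Foreign Address State
TCP localhost:135 0.0.0.0:0 LISTENING
TCP localhost:2508 0.0.0.0:0 LISTENING
TCP localhost:137 0.0.0.0:0 LISTENING
TCP localhost:nbsession 0.0.0.0:0 LISTENING
TCP localhost:2508 zlliks.505.ORG:80 ESTABLISHED
TCP localhost:2514 example.com:telnet ESTABLISHED
UDP localhost:nbname *:*
"""

def port_number(name_or_num):
    """Turn 'nbsession' into 139 (what 'netstat -an' prints) or '80' into 80."""
    return int(name_or_num) if name_or_num.isdigit() else SERVICES[name_or_num]

def parse_netstat(text):
    """Return (proto, local_port, foreign_host, foreign_port, state) per connection line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # skip the title, header and blank lines
        lhost, lport = parts[1].rsplit(":", 1)
        fhost, fport = parts[2].rsplit(":", 1)
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        rows.append((parts[0], port_number(lport), fhost,
                     None if fport in ("*", "0") else port_number(fport), state))
    return rows

def summarize(text):
    """Split listening ports into well-known (1-1024, as the Guide counts them)
    and ephemeral client ports, and list where the outbound connections go."""
    rows = parse_netstat(text)
    listening = {r[1] for r in rows if r[4] == "LISTENING"}
    outbound = {(r[2], r[3]) for r in rows if r[4] == "ESTABLISHED"}
    return {"well_known": sorted(p for p in listening if p <= 1024),
            "ephemeral": sorted(p for p in listening if p > 1024),
            "outbound": sorted(outbound)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against real output, the 'ephemeral' list should match the client programs you have open; a listener there you cannot account for is the first thing to investigate.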

Now suppose you want to scan your friend's ports. This is the best way to scan, as you won't have to worry about your friend getting you kicked off your ISP for suspicion of trying to break into computers. How do you know what your friend's IP address is? Ask him or her to run the command (from the DOS prompt) 'netstat -r'. This shows something like this:

C:\WINDOWS>netstat -r

Route Table

Active Routes:

Network Address Netmask Gateway Address Interface Metric
0.0.0.0 0.0.0.0 198.59.999.200 198.59.999.200 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
198.59.999.0 255.255.255.0 198.59.999.200 198.59.999.200 1
198.59.999.200 255.255.255.255 127.0.0.1 127.0.0.1 1
198.59.999.255 255.255.255.255 198.59.999.200 198.59.999.200 1
224.0.0.0 224.0.0.0 198.59.999.200 198.59.999.200 1
255.255.255.255 255.255.255.255 198.59.999.200 0.0.0.0 1

Active Connections

Proto Local Address Foreign Address State
TCP lovely-lady:1093 mack.foo66.com:smtp ESTABLISHED

That 'gateway address' and 'interface' both give the current IP address of your computer. If you are on a LAN, the gateway should be different from your own computer's IP address. If you or your friend are on a LAN, however, you should think twice before port scanning each other, or the LAN's sysadmin may notice your activity. Warning, sysadmins have quite an arsenal of larts to use on suspicious-acting users.

************************************************************
Newbie note: Lart? What the heck is a lart? It is a "luser attitude
readjustment tool." This is a generic class of techniques used by sysadmins to punish lusers. What is a luser? A wayward user. To get a sampling of popular larts, see http://mrjolly.cc.waikato.ac.nz. You want your sysadmins to be your FRIENDS, right? Never forget this!
************************************************************

What are some of the vulnerabilities to win95 and NT, you ask? Check previous GTMHHs for this information. Perhaps the most important thing to remember about Windows is that any user (equal to root in Unix) can run a program that uses any port it wants, even a well-known port. This vulnerability is demonstrated by a program from Weld Pond of L0pht fame called 'netcat'. The program can be obtained from:

http://www.l0pht.com/~weld/netcat

Read the documentation that ships with the program, or the Guides on (a) win95 and telnet from:

http://www.happyhacker.org/gtmhh.html

or (b) NT security from:

http://www.infowar.com/hacker/hacker.html-ssi

...for information on uses of netcat.
Of course, various Windows applications, such as Internet Explorer, have their own vulnerabilities.

By now, you're probably wondering where you can learn more about various vulnerabilities and exploits for just about any computer you might find on the Internet. Here is a list of sites:

ISS X-Force
http://www.iss.net/xforce

RootShell
http://www.rootshell.com

TechnoTronic
http://www.technotronic.com

Packet Storm Security Site
http://packetstorm.securify.com

Bugtraq archives:
http://www.securityfocus.com

NTBugTraq
http://www.ntbugtraq.com

Aelita Software
http://www.ntsecurity.com
**This site has the RedButton program, which demonstrates the capability to connect to an NT machine via a null session and retrieve registry information. This is a relatively simple problem to fix...see the NT security Guides at: http://www.infowar.com/hacker/hacker.html-ssi

NTSecurity
http://www.ntsecurity.net

Active Matrix's HideAway
http://www.hideaway.net/exploits.html

CERT
http://www.cert.org

Exploits that have been tested and won't harm your computer:

http://www.anticode.com