[Free Dmitry Sklyarov] [Advertisement] [Free Dmitry Sklyarov]
___________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 3 No. 9, Part 1
War Tools! Scan, Sniff, Spoof and Hijack
____________________________________________________________
This Guide is excerpted from the Second Edition of “The Happy Hacker” book,
available Sept. 31 1998.
“Hello, I don’t mean to be rude, but I noticed you were examining
something, er... proprietary on our system. Would you mind explaining what
you were doing?”
Sigh. From time to time I get an email like that. Sometimes it is less
polite than this. In this case, I had been examining an intranet server.
For some reason it was directly accessible from the Internet instead of
being on a private internal network. I’ll bet you can’t reach that box from
the Internet any more:) I was just curious, not trying to break in!
The one thing that defines a hacker is curiosity: a blinding, insatiable
hunger for more, more, more information. If your objective is to fight
those who attack your computers, your curiosity will be your greatest asset.
This chapter covers some powerful war tools that can satisfy your curiosity
in a legal and constructive way -- and shows how to use them to battle
computer criminals.
Sysadmins tell me that it is far harder to keep people out of your computer
systems than it is to break in. In this chapter we will get a glimpse of
this war between sysadmins and computer intruders, and learn something about
the tools they both use.
*******************
In this chapter you will learn about:
IP address scanning
Port scanning
a beginner’s scanner
a stealth scanner
How to give intruders a hard time
Nuke Nabber (for casual users)
Port Dumper (for anyone with a sense of humor)
RotoRouter (drive the bad guys nuts)
Sniffit
TCPview
TTY-Watcher (great fun for casual users, great tool for sysadmins)
Industrial strength tools
Etherpeek
IP-Watcher
T-sight
****************
*********************************
You can get punched in the nose warning: Before you start playing with the
techniques of this chapter, beware. If you use what you learn here for
snooping on other people’s networks, you should expect them to suspect you
of being a computer criminal. For this reason, if you want to explore other
people’s systems, it helps to make friends with the staff of your ISP so
they won’t kick you off for suspicion of computer crime. Also, it helps to
get permission from the sysadmins of whatever network you are checking out.
If you find a problem, you should notify the responsible sysadmin so he or
she may fix the problem.
It also helps to maintain a good reputation. If you are known as a
troublemaker, you will get lots of grief for using the tools of this
chapter. If you have a good reputation, people will believe it when you say
you are exploring in order to learn network administration -- or simply for
the pure joy of discovery.
If your ISP is one of those big, anonymous places that would kick you off
at the least sign of trouble, switch to a local ISP where you can drop in
and offer to take the tech support staff out for pizza. Trust me on this,
if you try out what this chapter teaches, almost any large ISP will soon
give you the boot.
*********************************
*********************************
You can go to jail warning: If you live outside the United States, be sure
to check on what the local computer crime laws are. I can’t guarantee the
tactics of this chapter will be legal everywhere.
*********************************
IP Address and Port Scanning
Every day someone emails me to complains that some host name in an ancient
GTMHH won’t do cool stuff any more. Imagine that! When I wrote those first
GTMHHs I was just sending them to a few friends. I assumed these Guides
would soon fade out of existence in the vastness of the Internet. Little
did I suspect that eventually tens of thousands of newbies would be
fingering, telnetting, ftping, phfing and worse into those IP addresses. So
of course their sysadmins have buttoned them down. Strangers can’t play
with them any more.
What really saddens me is how many people ask me for good host names they
can use. It is so easy to find them yourself!
If you want to be primitive about it, you can scan for IP addresses by
hand. Find a tempting domain name while surfing the web, running traceroute
or tracert, or in the headers of email. Then try the techniques of the
“Port Surf’s Up!” chapter to see if there is anything interesting there.
This is a good way to start, because you know exactly what you are doing and
can get a gut feel for the process. Also, it’s quite a rush to discover
something rare like the Internet backbone VAX/VMS in the port surfing
chapter -- and discover that it is advertising the status of its huge
network to you from port 15!
There also are programs that will find live Internet host computers for you
automatically. Many of these tools will also map which ports are open.
They won’t always give you all the goodies you can get when you port surf by
hand, but they find out the basics for you fast.
********************************
You can get punched in the nose warning: The downside of the IP scanner and
port scanner tools of this chapter is that when you use them on other
people’s computers without permission, this practically shouts “I am a
criminal hacker.” Presumably this isn’t true, but way too many sysadmins
have discovered that a port scan is soon followed by a break-in attempt.
If you do insist on scanning without permission, it helps to scan Internet
hosts owned by other hackers. If people who are obviously hackers complain,
the sysadmins at your ISP or company LAN may not have much sympathy for
them. Hey, they are hackers, they can take care of themselves. However, if
you do this without the hackers’ permission, you just might incite a hacker
war against you, which may nevertheless lead to losing your Internet access.
********************************
So we’re ready to scan for Internet hosts and their ports. Let’s start
with how newbies can do it.
You can get a Windows 95/98 program that scans IP addresses and ports,
What’s Up Gold, from http://www.ipswitch.com. It’s free for a one month
trial. It’s a simple point and click program that does an excellent job.
Here’s what I get when I scan IP addresses from 198.987.999.1 through
198.987.999.254 looking for any open ports in the range of 1 through 600.
This scan is set to check each port by waiting only 100 milliseconds for a
response from each one:
198.987.999.033
198.987.999.036 80
198.987.999.044
198.987.999.048
198.987.999.049
198.987.999.066
198.987.999.067
198.987.999.074
198.987.999.080
198.987.999.113
198.987.999.115
198.987.999.118
198.987.999.167
I run the same scan again but with the time-out set to 1 second. This
reveals many more live IP addresses and ports:
198.987.999.033 7 9 11 13 15 19 21 23 25 37 53 79 80 110 111 113 139 143
198.987.999.034 139
198.987.999.035
198.987.999.036 80 139
198.987.999.041
198.987.999.042 139
198.987.999.043 139
198.987.999.044 139
198.987.999.045 139
198.987.999.048 139
198.987.999.049 139
198.987.999.050 80 139
198.987.999.051 21 22 23 25 37 70 79 109 110 111 113 143
198.987.999.055 139
198.987.999.056
198.987.999.058 139
198.987.999.059 139
198.987.999.060
198.987.999.061 139
198.987.999.061 139
198.987.999.065 139
198.987.999.066 21 23 80 139
198.987.999.067
198.987.999.068
198.987.999.069
198.987.999.072
198.987.999.073
198.987.999.074
198.987.999.075
198.987.999.077
198.987.999.078
198.987.999.079
198.987.999.080
198.987.999.082
198.987.999.083
198.987.999.084
198.987.999.085
198.987.999.086
198.987.999.088
198.987.999.092
198.987.999.093
198.987.999.098
198.987.999.099
198.987.999.101
198.987.999.103
198.987.999.105
198.987.999.108
198.987.999.110
198.987.999.111
198.987.999.112
198.987.999.113
198.987.999.115
198.987.999.118
198.987.999.119
198.987.999.120
198.987.999.121
198.987.999.122
198.987.999.123
198.987.999.124
198.987.999.125
198.987.999.126
198.987.999.131
198.987.999.133
198.987.999.136
198.987.999.137
198.987.999.139
198.987.999.146
198.987.999.156 80
198.987.999.158
198.987.999.162 139
198.987.999.163
198.987.999.165
198.987.999.166
198.987.999.167
198.987.999.169 7 9 13
198.987.999.173 13 15 21 23 25 79 513 514 515 540
198.987.999.177
198.987.999.178 135 389
198.987.999.180
198.987.999.182
198.987.999.183
198.987.999.184
198.987.999.186 139
198.987.999.188
198.987.999.189 139
198.987.999.194 139
198.987.999.195 7 9 13 17 19 135 139
198.987.999.198 110 119 139
OK, I admit it, to save space I was trying to accomplish two slightly
conflicting things with this particular set of IP addresses. These are
(foobarred) dynamically assigned IP addresses of an ISP. These are assigned
to dial-up customers. So some of these addresses will change or the users
of the same address may change from one scan to the next. However, these
two scans were done only a few minutes apart. So not many of the
connections would have changed in this period.
These scans show the importance of a long time-out setting in What’s Up.
One second (1000 ms) has given me better results.
Here, among these dynamically assigned IP addresses, is where I really get
my kicks. Dynamically assigned IP addresses are the Rick’s Cafe -- no, the
Star Wars Cantina -- of cyberspace. OK, most of these IP addresses reveal
no open ports. They are probably mere dialups for downloading email or
surfing the Web for people who wouldn’t know Unix from unicorns. However,
since I chose the dynamic IP addresses of an ISP well-known for attracting
hackers, this particular set of IP addresses is -- interesting.
Check out “198.987.999.036 80 139”, “198.987.999.050 80 139”, and
“198.987.999.156 80”. Those 80s represent ephemeral Web sites, in
existence only so long as their dialups last. Wonder what they hold? The
fact that almost all other services are turned off suggests sophisticated
users. Maybe those Web sites will be passworded, or maybe I can get in...
That “198.987.999.033 7 9 11 13 15 19 21 23 25 37 53 79 80 110 111 113 139
143” must be a Linux or other home Unix type box. It’s run by a real
novice, I’d say, judging from all those open ports. Look at that port 21
open. Wonder if he or she has an anonymous ftp server? Better check it out
before it winks out of existence. It also has a Web server...
Take a look at “198.987.999.051 21 22 23 25 37 70 79 109 110 111 113 143”.
That port 22 -- that means secure shell login. No webserver (80), no echo
(7), discard (8), daytime (13), netstat (15) etc. Since these are ports
that a cautious sysadmin would disable, these are signs this the box might
be owned by a hacker. If this is a dynamically assigned IP address from an
ISP on which you have a shell account, a quick look at netstat and/or the
“last” command will probably reveal the user name of this hacker.
Check out “198.987.999.198 110 119 139” and “198.987.999.178 135 389”.
Weird selection of ports. Wonder if the owners of those boxes would tell me
what they are up to? Hey, there’s a POP server (110). Maybe if I email
“root@198.987.999.198” I will get a message through. Sheesh, I don’t know,
I’m just playing around.
Hacking. It’s OK to make mistakes and hit dead ends, because real hackers
mess around, explore, and try out new things. If things don’t work, it’s no
big deal. If they do work, however...
If you have a Unix type computer, there are many other port scanners
available. SATAN (Security Analysis Tool for Auditing Networks) is famous,
free, and also will often identify ports that are vulnerable to attack. You
can get it at ftp://ftp.cs.ruu.nl:/pub/SECURITY/. Possession of the code
for SATAN is enough to get you kicked off some ISPs. Check out
http://www.rootshell.com for other Unix port scanner programs that may not
get people as suspicious at you.
If you are willing to pay lots of money for a port scanner, several
computer security companies sell them. Internet Security Systems (ISS) has
an exceptionally good one, Internet Scanner (at http://www.iss.net). Like
SATAN, Internet Scanner will identify security holes in the ports you scan.
There are versions for both Unix and Windows NT systems. Because their
software would be dangerous in the wrong hands, ISS will only sell you a
version to scan the IP addresses you own or that the company you work for
has given you permission to scan.
Stealth Port Scanning
You may have already heard that there are port scanners that are impossible
to detect. If true, that would solve the problem of getting kicked off your
ISP for running scans. One that I have tried out is Nmap, available for
free from http://dhp.com. It runs on Unix type operating systems, and has
options to do both normal port scanning and “stealth” port scanning.
Warning -- like What’s Up, Nmap is not always accurate. While What’s Up
misses open ports, Nmap often erroneously says closed ports are open.
****************************
Wizard tip: Here’s why Nmap is inaccurate in fin scan (stealth or half-open)
mode. It sends to each port on the victim computer a single packet with the
fin flag (end of transmission) set. If it gets back a packet with the rst
(reset) flag set, it reports the port as closed. If it doesn't get rst back,
it reports it as open. Of course a dropped packet can also account for the
missing rst. As a result, on a noisy connection Nmap shows many ports as
open that aren't. Try fin scanning a nonexistent host with Nmap and you
will see all ports reported open. On a theoretical basis, any scanner that
sends only a single packet to probe each port is vulnerable to false results.
***************************
There is another problem that afflicts all stealth scanners. They actually
can be detected, and the sender identified, if the target network is running
the right sniffer software. EtherPeek (discussed in detail below) is one we
have tested against Nmap on the Happy Hacker Wargame (see
http://www.happyhacker.org for details on how to play our Wargame). We
discovered that EtherPeek definitely detects and identifies the user of
stealth port scanners.
How to Tell What Ports are Open on your own Computer
It’s a good idea to regularly check what ports are open on your own
computer. If you discover a new port -- time to investigate. For example,
an open port 31337 is an almost sure sign that your computer has been taken
over by the Windows Back Orifice Trojan. (See the “How to Break into
Windows 95/98 Computers” chapter for removal instructions.)
It is possible to check all your ports with just the tools that are already
part of your Windows or Unix operating system. The “netstat -a” command
will show all the ports open on your computer. Here’s what I get on a home
Linux box:
~ > netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 134 fu.ml.org:telnet pma03.foo66.com:1030 ESTABLISHED
tcp 0 0 *:www *:* LISTEN
tcp 0 0 fu.ml.org:22 *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:2049 *:* LISTEN
tcp 0 0 *:660 *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0 0 *:imap2 *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 *:login *:* LISTEN
tcp 0 0 *:shell *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:time *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
udp 0 0 *:2049 *:*
udp 0 0 *:657 *:*
udp 0 0 *:ntalk *:*
udp 0 0 *:biff *:*
udp 0 0 *:time *:*
udp 0 0 *:syslog *:*
udp 0 0 *:sunrpc *:*
raw 0 0 *:1 *:*
Active UNIX domain sockets (including servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] STREAM 3870 /dev/log
unix 2 [ ] STREAM CONNECTED 3869
unix 2 [ ] STREAM 475 /dev/log
unix 2 [ ] STREAM CONNECTED 474
unix 2 [ ] STREAM 434 /dev/log
unix 2 [ ] STREAM CONNECTED 433
unix 2 [ ] STREAM 281 /dev/log
unix 2 [ ] STREAM CONNECTED 280
unix 2 [ ] STREAM 257 /dev/log
unix 2 [ ] STREAM CONNECTED 252
unix 1 [ ACC ] STREAM LISTENING 247 /dev/printer
unix 2 [ ] STREAM 246 /dev/log
unix 1 [ ACC ] STREAM LISTENING 207 /dev/log
unix 2 [ ] STREAM CONNECTED 198
How about seeing what ports are open on your Windows computer? If you are
not on a LAN, chances are there won’t be much to see. Here’s what my stand
alone Win98 computer (her name is Lovely_Lady) says when I am on America Online:
C:\WINDOWS>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP lovely-lady:137 LOVELY_LADY:0 LISTENING
TCP lovely-lady:138 LOVELY_LADY:0 LISTENING
TCP lovely-lady:nbsession LOVELY_LADY:0 LISTENING
UDP lovely-lady:nbname *:*
UDP lovely-lady:nbdatagram *:*
How to Give Computer Criminals a Hard Time
Now -- are you ready for war?
First, you need to know whether an intruder is on your system. How to do
that is worth at least another entire chapter that I haven’t written yet.
However, there are some hints for sysadmins I can give you on the basis of
first hand experience from our Happy Hacker Wargame. Don’t expect this to
be more than a tiny bit of all you should be doing to detect intruders, however.
· Look for unusual traffic patterns -- for example, many ftp sessions, or a
user who hasn’t logged into a shell account for months suddenly spending
hours at a time logged in.
· A new user name and account that no one remembers creating
· Watch the processes. A skilled hacker may replace the “ps” command with a
Trojan that hides his or her activities. However, you might see a high CPU
utilization when the processes running couldn’t account for it. Time to go
red alert!
· Check whether system configurations have changed, for example new ports
open. Or if your policy is to automatically kill all processes when a user
logs off (most ISPs do this), perhaps you will discover processes left
running after logoff.
· Look for an Ethernet card on your local area network that is in
promiscuous mode (meaning it is accepting all packets broadcast on the
network). That probably means an intruder is sniffing your network with a
program hidden on the computer with the promiscuous mode card.
· Look for suspiciously large files turning up. They may be secret sniffer
logs.
· Do you notice a hacked Web page or obscene Message of the Day -- OK, this
suggestion is lame, you knew those signs of hacker attack already!
Of course it’s far better to detect your attacker before he gets inside.
Signs that someone is trying to break in are basically activities that we
all like to do such as port scans and telnet connections to unusual ports.
Coming up in Part II: both free and commercial programs that help you fight
intruders!
# # #
Guess what? “The Happy Hacker Book” has almost sold out its First Edition,
published March 31, 1998. So American Eagle Publications is putting out a
Second Edition, due to come off the presses Sept. 31, 1998. It has several
all-new chapters as well as updates to cover Windows 98 and the major
changes that are happening in email forging and spam fighting.
How’s that -- only six months between editions? This is partly because
people were so quick to buy out the First Edition -- and partly because the
hacking scene is changing so fast. So instead of going to a second
printing, the publisher agreed to spend the extra money to create a Second
Edition so we could keep you as up to date as possible.
If you want to buy one of the few remaining copies of the First Edition of
“The Happy Hacker” (soon to be a collector’s item), you can order it from me
($34.95 for Priority mail shipping in the US; $35.95 airmail in Canada and
Mexico; email me for quotes outside the US) by sending a check or money
order to PO Box 1520, Cedar Crest NM 87008. Since I only have 18 copies
left today, if your order comes in too late, be sure to tell me whether I
should just return your money or if you want me to hold on to it and be
among the first to get a Second Edition. Oh, yes, I autograph all books
bought directly from me.
_______________________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out
the official Happy Hacker Web page at http://www.happyhacker.org.
We are against computer crime. We support good, old-fashioned hacking of the
kind that led to the creation of the Internet and a new era of freedom of
information. So don’t email us about any crimes you have committed! And
don’t expect us to come to your rescue if you crash 100 million computers
with some new Java virus you just unleashed.
To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless
Hacking, please email hacker@techbroker.com with message "subscribe
happy-hacker" in the body of your message.
Copyright 1998 Carolyn Meinel. You may forward, print out or post this
GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave
this notice at the end.
_______________________________________________________________________
Carolyn Meinel
M/B Research -- The Technology Brokers
http://techbroker.com
Receive all the latest articles by email!
Get all articles delivered directly to your mailbox as and when they are released on WindowSecurity.com! Choose between receiving instant updates with the Real-Time Article Update, or a monthly summary with the Monthly Article Update.
