Hacking 101 from the September 2000 Actrix Newsletter

by Dean Moor

This month we are privileged to be able to include the second in a series of articles by one of our customers, Dean Moor.  Dean has a long-standing interest in computer security and has graciously agreed to share some of his knowledge.

Always remember - one of the best ways to protect your security online is to change your password on a regular basis. Haven't done that for a while? Do it now. Call our help desk (0800-228749) if you're not sure how. -Ed.

Well, I hope you all found last month's article useful. This month, I have been asked to explain just what a "Hacker" is looking for and how they go about finding it. Obviously, I am not about to give you a step-by-step guide to Hacking, but I do aim to give you a bit of basic knowledge on the process involved so that you can be more aware and hopefully safer.

Before I go too far ahead I need to ensure you have a basic knowledge of how the Internet works. I find the analogy of a city is the best to use. A city is made up of thousands of houses, connected to each other by roads. The Internet, in comparison, is made up of thousands of computers, connected by modems. Now, every house in a city has an address, which may look like this:

15 Somewhere St.
Atawhai
Nelson

On the Internet, every computer has an address, similar to that of a house somewhere in a city. The only difference is the way that address looks. An Internet Address consists of 4 numbers separated by a ".", such as 203.96.28.15

Knock, knock, anybody home?
Now, to compare these two address types, let's look at them side by side:

15           = 15
Somewhere St = 28.
Atawhai      = 96.
Nelson       = 203.

Notice how the last number in the Internet Address is the equivalent of the house number, the second to last is the street, and so on. You may be wondering what the significance of this is. You shall see shortly.

Now that we have a basic understanding of the address scheme the Internet uses, let's look at one more thing you need to be aware of - Ports. I am sure most of you have heard about ports, yet don't completely understand them. Most of my customers seem to think they are the things on the back of your machine box where your mouse, keyboard and various other peripherals are plugged in. This is true, but when talking about the Internet, ports are something completely different.

Let us take the analogy that we used before with the city.

Your Internet-connected computer could now be referred to as your house. Now, almost all houses have doors and windows. There is a front door, back door, sometimes a door through to the garage, and so forth. Each room has windows that are most likely referred to by style or size. Well, now let's call these doors and windows ports. Just as we have a way of describing the doors and windows, there is a method of describing ports, and as with almost all computing-related names, it is a numerical method. For example, almost everyone comes in through the front door, so we shall refer to this as the port that the web pages come in on. This is port 80. Now, emails come in through the large opening windows in the lounge (Port 110) and out through the small window in the dining room (Port 25). Please remember that this is a very simple model.

To sum it all up, I would say ports are the entry/exit points to our computer that its programs use to interact with other computers. Certain types of program use certain ports, while others use other ports.

Ok, now to answer the question: how does someone find me? From my own experience, the majority of "Hackers" are not looking particularly for you. They are usually opportunistic, just after anyone online that they can "Hack." One way they find a computer is to run a domain scanner. You may be wondering what a domain scanner is. Well, let's go back to our city analogy. A domain in the city model would be the suburb in a city. For example, Atawhai, Nelson. If we were to place this in the Internet address scheme, we would end up with:

Nelson  = 204.
Atawhai = 96.

Therefore, the IP (Internet Protocol) address for Atawhai, Nelson would be 204.96.

Notice how the Internet seems to have the address back to front? Well, this is because a computer generally processes things in a logical order, whereas we humans process information completely back to front!

Saw your light on, thought I'd drop in!
Anyway, if I wanted to find someone online in the Actrix domain, how would I go about it? Using the city analogy again, I find the city of New Zealand, and the suburb of Actrix to get the Domain Address of 203.96. Having already skipped a couple of steps I fire up my domain scanner and enter the address for the Actrix domain, and click Start. What happens now is my domain scanner searches for every online IP address starting with those numbers (pings every complete IP Address in the range). To return to our analogy, this is like it quickly running around every house in every street knocking on all doors and listening for a reply. It then returns to me with a list of people who are home (computers online).

Now I have a list of computers online, I need to find one I can get into. This is where the ports come in. I now run a port scanner, pick an IP address and scan certain or all ports on that computer. The analogy equivalent is like the burglar, having found a secluded house, looking around the house for an entry point. Now, to scan all ports will take a long time, mainly because there are 65535 ports in the TCP Protocol (the main language of the internet). Some "Hackers" scan the ports that various Trojan Virus Programs open, some scan for others. It all depends on what they are looking for, and what tools they have compared to what vulnerabilities they find.

Anyway, here we have an interesting situation. Almost all computers hear this scanner knocking on the doors or windows. They peer outside to see what is going on, and call out "No one's home!"

The hacker now has the IP Address of a computer online, and some doors or windows that are open.

Now, depending on what ports responded and how they responded (answered the port scan), the Hacker can use a Trojan client, or other methods, to take control of your computer. For example, if you unwittingly had the NetBus Trojan virus on your machine, your computer would have responded to a knock on port 12345. This is the default port for the NetBus Trojan Virus, and all the Hacker would need to do now is run the NetBus Client on his machine and connect through port 12345 to the Trojan Server on yours. He would then have complete control of your machine.
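
Seen from the householder's side, the two kinds of knocking described above leave different patterns in a firewall log. The following Python script is an added example, not part of the original article: it reads connection records and reports any source that knocked on many houses (a sweep), tried many doors on one house (a port scan), or knocked on the NetBus default port 12345. The log format, sample records, thresholds and function names are all constructed for illustration.

```python
from collections import defaultdict

NETBUS_PORT = 12345   # default NetBus port, as given in the article
SWEEP_HOSTS = 5       # assumed threshold: distinct houses knocked on
SCAN_PORTS = 5        # assumed threshold: distinct doors tried on one house


def sample_log():
    """Constructed 'source destination port' lines (documentation IP ranges)."""
    lines = [f"198.51.100.7 192.0.2.{h} 80" for h in range(1, 9)]        # sweep
    lines += [f"203.0.113.9 192.0.2.15 {p}"
              for p in (21, 23, 25, 80, 110, 139, 12345)]                # port scan
    lines += ["192.0.2.50 192.0.2.15 80", "192.0.2.50 192.0.2.15 110",   # normal use
              "not a log line"]                                          # junk is skipped
    return lines


def parse(line):
    """Return (src, dst, port), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].isdigit():
        return None
    port = int(parts[2])
    return (parts[0], parts[1], port) if 1 <= port <= 65535 else None


def classify(lines):
    """Map each source address to the set of findings raised against it."""
    hosts = defaultdict(set)     # src -> destinations contacted
    ports = defaultdict(set)     # (src, dst) -> ports tried on that destination
    findings = defaultdict(set)
    for src, dst, port in filter(None, map(parse, lines)):
        hosts[src].add(dst)
        ports[(src, dst)].add(port)
        if port == NETBUS_PORT:
            findings[src].add("netbus-probe")
    for src, dsts in hosts.items():
        if len(dsts) >= SWEEP_HOSTS:
            findings[src].add("sweep")
    for (src, _dst), tried in ports.items():
        if len(tried) >= SCAN_PORTS:
            findings[src].add("port-scan")
    return dict(findings)


if __name__ == "__main__":
    for src, what in sorted(classify(sample_log()).items()):
        print(src, sorted(what))
```

The visitor who only used ports 80 and 110 on one machine raises no finding, which is the point: ordinary web and email traffic looks nothing like a scan.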

I know that this may seem a bit hard to understand, but over the next couple of months I will try to explain the whole process in a bit more detail, and give you a few examples of "interesting" attacks that I have personally received. See you next time.

Dean Moor
www.startech.co.nz