Hacking 101.2 from the October 2000 Actrix Newsletter

by Dean Moor

OK, last month I briefly covered how an Internet bad guy finds computers to break into. I am about to go into a bit more depth on this process. Please feel free to refer to the information covered last month if you need to, as I shall endeavour to add to it, not cover it again.

I am grateful to Dean Moor for the third article in his series on hacking. To many it is a fascinating topic. It really would be a good idea for those interested but new to computers or the net to read over Dean's previous articles at:
http://editor.actrix.co.nz/0008.htm and
http://editor.actrix.co.nz/0009.htm. -Ed

Anyway, remember I mentioned the domain scan and port probe? Well, just what exactly can a hacker see when these tools are run?

Firstly, the domain scans: this is when the attacker scans all IP addresses in a certain range to determine just who is online. In this example I have chosen to scan my own network, mainly because running these programs on computers you do not own is considered offensive and can carry SERIOUS consequences. My network runs with IP addresses of 192.168.2.255. One thing I forgot to mention is that at present the IP address scheme allows for numbers up to 254, e.g. 254.254.254.254 is a legal address, 265.265.265.265 is not. A number of 255 generally means all numbers from 0-254. Therefore, I am scanning all IP addresses from 192.168.2.1 through to 192.168.2.254. (If you're not quite following, read on, and you should at least get my general drift.)

[Image: innocent looking hacking program]

I open up my scanner (you may notice I have removed the name of this program. That is because I am not encouraging nor teaching you how to hack; I am simply trying to educate you as to the ease of hacking) and enter the address range as in the diagram. I also enter the port I wish to probe. Now, if I were looking to attack a computer running Windows, I would look for port 139, as this is the NetBIOS port, the one most often overlooked by security programs. If I were looking for a Linux computer, port 113 would be my target. Anyway, I will be going into these particulars next time. However, I shall be scanning for port 80 (the HTTP or world wide web access port) for this demonstration.

Once the information has been entered I simply run the scan (and go make a cup of coffee depending on the size of the range I am scanning). When I return I have a list looking very similar to that below.

This is a complete list of all computers in my network running a web server. Had this been the Internet, there would most likely have been a greater gap between IP addresses. Either way, this scan took approximately one second to complete. That's one second to scan 255 IP addresses!

Imagine how easy it would be to scan, say, 1000 or even 100,000 online computers. Let's put it this way: to scan all computers in the range of 192.168.1.1 through to 192.168.254.254 took only 3 minutes! Now, times may vary due to Internet usage and bandwidth, but I am sure you get the idea, and I am starting to digress.

I now have a list of all computers online within my selected range of IP addresses. Let's say I pick the first one to attempt a port scan on. I go back to my scanner and re-enter the information, this time just a single address rather than a domain range, and I enter a selected port range rather than just one. I simply choose any IP address from the above list and scan away. The process is shown below.

Step One: Enter Information.
Notice I am scanning ports 1 through to 5000. This is so I can see most common services and the temporary ports (ports the computer has opened temporarily to connect to something).

Step Two: Examine the Scan Results:


You can see here what this machine is running:
FTP server (port 21)
Email server (ports 25, 110, 143)
Microsoft Windows (port 139)
Microsoft SQL Server (port 1433)
It is also online using several applications, judging by the open temporary ports (1024-5000), and there is possibly another server running on port 443.
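The two scans described above (one port across a range of addresses, then a range of ports on one address) and the reading of the results both reduce to the same thing: a TCP connection attempt, repeated. The following is an added example, not the author's scanner and not code from the article; the function names, the port-to-service table (taken from the ports the article lists) and the "risky" set are my own assumptions, and the demo only ever talks to this machine's own loopback address, in the spirit of the article's advice to scan nothing you do not own.

```python
"""Added example (not from the article): the domain scan and port scan the
article describes, run only against this machine, plus the interpretation
of the results in the article's own terms.

A 'domain scan' probes ONE port on MANY addresses; a 'port scan' probes MANY
ports on ONE address. Both rest on one primitive: a TCP connect attempt.
"""
import ipaddress
import socket
import threading

# Services the article identifies by port number (assumed table).
KNOWN_SERVICES = {
    21: "FTP server",
    25: "Email server (SMTP)",
    80: "Web server (HTTP)",
    110: "Email server (POP3)",
    113: "ident/auth (the port the article associates with Linux computers)",
    139: "Microsoft Windows (NetBIOS)",
    143: "Email server (IMAP)",
    443: "possible second web server (HTTPS)",
    1433: "Microsoft SQL Server",
}
# The article's 'temporary ports' band: connections the host opened itself.
TEMPORARY_RANGE = range(1024, 5001)
# Ports the article singles out as the ones an attacker looks for; a defender
# should not see these open on an Internet-facing home machine (assumption).
RISKY_PORTS = {21, 139, 1433}


def hosts_in_range(first, last):
    """All IPv4 addresses from first to last inclusive, e.g. 192.168.2.1-254."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(ipaddress.IPv4Address(i)) for i in range(int(start), int(end) + 1)]


def probe(host, port, timeout=0.2):
    """True if a TCP connection to host:port succeeds, i.e. the port is open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def domain_scan(hosts, port):
    """One port, many hosts: which hosts answer on `port`."""
    return [h for h in hosts if probe(h, port)]


def port_scan(host, ports):
    """One host, many ports: which ports on `host` are open."""
    return sorted(p for p in ports if probe(host, p))


def interpret(open_ports):
    """Turn a list of open ports into the reading the article gives."""
    report = {"services": {}, "temporary": [], "unknown": [], "risky": []}
    for p in open_ports:
        if p in KNOWN_SERVICES:
            report["services"][p] = KNOWN_SERVICES[p]
        elif p in TEMPORARY_RANGE:
            report["temporary"].append(p)
        else:
            report["unknown"].append(p)
        if p in RISKY_PORTS:
            report["risky"].append(p)
    return report


def start_local_listener():
    """Constructed fixture: a throwaway TCP listener on 127.0.0.1, OS-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # raised once the listener is closed
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def demo():
    """Open a local listener, then find it with both kinds of scan."""
    srv = start_local_listener()
    port = srv.getsockname()[1]
    try:
        hosts_answering = domain_scan(["127.0.0.1"], port)
        open_ports = port_scan("127.0.0.1", range(port - 2, port + 3))
        return port, hosts_answering, open_ports
    finally:
        srv.close()


if __name__ == "__main__":
    port, hosts, ports = demo()
    print("listener on port", port, "found by domain scan on hosts:", hosts)
    print("port scan around it found open ports:", ports)
    # The article's own result list, read back through interpret():
    print(interpret([21, 25, 110, 139, 143, 443, 1024, 1433, 2048]))
```

The point of `interpret` is the defender's checklist: anything that lands in `risky` is a service the article says attackers look for first, so it should be either closed, firewalled, or patched before the machine goes online.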

Now, assuming I have favourable results (by this I mean ports I know how to exploit) I can decide to attack this machine or move on. To attack this machine I pick a particular port which indicates a service with a known exploit, and attack it by either using another program, or by sending custom designed packets to that port to carry out my chosen attack.
I'll go into more details on exploits and attack types next time, but until then I strongly suggest that you take some simple steps to protect yourself now. A default install of Windows 98 Second Edition has approximately 40 - 100 possible vulnerabilities (ways attackers can exploit a machine) and a default install of Windows NT4.0 running IIS3 has around 200-400. These range from Internet-based attacks to local ones, and DO NOT include Trojan viruses or backdoors in programs and games. Yes, even some games can be possible entry points. A good way to protect yourself is to use the Microsoft Windows Update page. For more details on this please refer to my first article here.

Now, I am aware that I may have lost a few of you with some of the terms I have used, but as this series progresses I aim to cover as many of these terms as possible. Until next time, enjoy safe surfing.

Dean Moor
StarTech
www.startech.co.nz