The Exploit Files: Basics of Breaking into Computers

____________________________________ 
GUIDE TO (mostly) HARMLESS HACKING

Beginners' Series Number 7

The Exploit Files
____________________________________

by keydet89@yahoo.com and Carolyn Meinel

How many times have you read hacker newsgroups or email lists and seen posts that begged "teach me to hack", or asked "how do I hack this"? It often looks as though the person asking the question just doesn't understand the basics of vulnerabilities and their exploits. The purpose of this Guide is to explain what vulnerabilities and exploits are, and how they relate to computer security.

Let's start with an example. Suppose that you are trying to sell something by phone. So you start by calling phone numbers, and you keep calling until you get someone to answer, not an answering machine, but a real live person. Then if the person who answers the phone speaks the same language as you and can understand you, you try to sell your product. Lots of people will hang up on you, but eventually, someone will buy something... bang! You've scored!

In this Guide you will learn:

  • What is a vulnerability
  • What is an exploit
  • How to look for vulnerabilities

So what does this have to do with 'hacking'? Look at your dialing of phone numbers as port scanning IP (Internet protocol) addresses on the Internet. Some Internet host computers won't answer. Maybe a firewall is blocking the ports that you're scanning. Some hosts will answer, and at that point maybe, just maybe, you've found a vulnerable computer.


********************************************************************
Newbie note: What are these 'ports' we are talking about? This kind of 'port' is a number used to identify a service on an Internet host. For this reason they are often called 'TCP/IP' (Transmission Control Protocol/Internet Protocol) ports, to distinguish them from other kinds of computer ports such as serial ports for modems, parallel ports for printers, etc. Each host computer connected to the Internet is identified by a numeric IP address, and usually also by a host name such as 'victim.fooisp.com' that resolves to it. Since each host may have many services running, each service listens on a different port. To contact any of these services across the Internet, you use the host's IP address and the port number -- it's kind of like dialing a phone number and then asking for an extension.
********************************************************************

Now maybe you have connected to telnet, port 23. You get a login prompt, but you don't know any valid username/password combinations. So the host "hangs up" on you. After many hours of trying, you connect to a host on the right port, and Shazam!! You're greeted with a login prompt, and you quickly guess a valid username and password combination. The next thing you know, you have a command prompt. You have discovered a vulnerability -- an easily guessed password! So being the 'white hat hacker' that you are, you send an email to the sysadmin of the site and leave quietly.

*****************************************************************
Newbie note: A 'host' is a computer connected to the Internet. A 'service' is a program that is running on a port of an Internet host. Each service is a program that will respond to certain commands. If you give it the right command, you will get it to do something for you.

The simplest example of a service is 'chargen', or character generator (port 19). If you make a telnet connection on the chargen port to a server running the chargen service, this program will react to this connection by sending a string of characters which you will see being repeated across your telnet screen. All you need to do is connect to the service.

Another example of a service is finger (port 79). If you run a finger program to request information on a particular user from a specific host, and the finger service (or 'fingerd') is running, and if the user has not instructed the finger service to ignore requests about him or her, you will get back information on that user.
*****************************************************************

What services are run from these ports, and how can we learn more about them? Ports numbered from 0 to 1023 are called the 'well-known' ports.
When this Guide was written these were listed in RFC 1700 (see http://www.internetnorth.com.au/keith/networking/rfc.html); RFC 1700 has since been obsoleted, and the authoritative list is now the IANA Service Name and Transport Protocol Port Number Registry. Many of the well-known ports are also listed in a file on your computer called 'services'. On Win95, it's c:\windows\services; on NT, it's c:\winnt\system32\drivers\etc\services; on many Unix type computers (your shell account) it's /etc/services.

These ports are called 'well-known' because everyone agrees which service listens on them. For example, the well-known port for delivering email between mail servers is the SMTP port, port 25. Because every mail server listens there, any server can deliver mail to any other without prior arrangement. Likewise port 110 is the well-known port for POP3, so every email client knows that it has to connect to port 110 on its POP server in order to retrieve email.
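The 'services' file mentioned above has a simple, fixed layout: a service name, then port/protocol, then optional aliases, with '#' starting a comment. The following is an added example, not code from the original Guide: it parses that format and resolves ports to names and names (including the aliases netstat prints, such as 'nbsession') back to ports. The file contents embedded in it are a constructed excerpt in the real layout, not copied from any particular host.

```python
"""Parse a `services` file (/etc/services or the Windows equivalent) and
resolve port numbers to service names and back.

Added example for this Guide; not code from the original. SAMPLE_SERVICES
is constructed here to mirror the real format:
    name   port/protocol   [aliases...]   # comment
"""
import re

# Constructed excerpt in the real file's layout (not copied from any host).
SAMPLE_SERVICES = """\
# Network services, Internet style
echo          7/tcp
echo          7/udp
chargen      19/tcp    ttytst source
chargen      19/udp    ttytst source
ftp          21/tcp
telnet       23/tcp
smtp         25/tcp    mail
finger       79/tcp
http         80/tcp    www www-http   # WorldWideWeb HTTP
pop3        110/tcp    pop-3          # POP version 3
netbios-ns  137/tcp    nbname
netbios-ns  137/udp    nbname
netbios-dgm 138/udp    nbdatagram
netbios-ssn 139/tcp    nbsession
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\s*(.*)$")


def parse_services(text):
    """Return {(port, proto): [name, alias, ...]} from services-file text.

    Comments (everything after '#') and blank lines are skipped, so the
    parser copes with the heavily commented real files as well as this sample.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: ignore rather than abort
        name, port, proto, aliases = m.groups()
        table[(int(port), proto)] = [name] + aliases.split()
    return table


def service_name(table, port, proto="tcp"):
    """Primary name for a port, or None if it is not in the table."""
    names = table.get((port, proto))
    return names[0] if names else None


def port_number(table, name, proto="tcp"):
    """Resolve a name or alias (as netstat prints it, e.g. 'nbsession') to a port."""
    for (port, p), names in table.items():
        if p == proto and name in names:
            return port
    return None


if __name__ == "__main__":
    t = parse_services(SAMPLE_SERVICES)
    for port in (23, 25, 79, 110, 139):
        print(port, service_name(t, port))
    print("nbsession ->", port_number(t, "nbsession"))
```

To use it against a real machine, read the file from the path given for your system above and pass its contents to parse_services instead of SAMPLE_SERVICES.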

An excellent FAQ (frequently asked questions) on TCP/IP ports can be found at http://www.technotronic.com/tcpudp.html

*************************************************************
You can get punched in the nose warning: There are many port scanning tools, and wannabe hackers use them ... a lot. But for what purpose? In most cases all that happens is that a sysadmin or firewall administrator goes through the logs of connection attempts that the scanned computer keeps, and then decides whether to ignore your scan or to complain to the sysadmin of the site that your scan came from. Even though port scanning by itself is generally legal (in the US at least), it makes systems administrators really mad at you! To avoid getting kicked off your Internet provider, get permission to scan first!
*************************************************************

What Is a Vulnerability?

A 'vulnerability' is anything about a computer system that will allow someone to either keep it from operating correctly, or that will let unauthorized people take it over. There are many types of vulnerabilities. They may be a misconfiguration in the setup of a service, or a flaw in the programming of the service.

An example of a setup misconfiguration is leaving the 'wiz' or 'debug' commands operational in older versions of sendmail, or incorrectly setting directory permissions on your FTP server so people can download the password file. In these cases, the vulnerability is not how the program was written, but with how the program is configured. Allowing file sharing on your Windows 95 or 98 computer when it is not necessary, or failing to put a password on file sharing, is another example.

Examples of errors in the programming of services are the large number of buffer overflow vulnerabilities in the programs that run services on the ports of Internet host computers. Many of these buffer overflow problems allow people to use the Internet to break into and take control of host computers (check out "Smashing the Stack", by Aleph One, at: http://www.happyhacker.org/docs/smash.txt).

What Is an Exploit?

An 'exploit' is a program or technique that takes advantage of a vulnerability. For example, the FTP-Bounce vulnerability occurs when an FTP server (used to allow people to upload and download files) honours a PORT command naming any address, not just the client's own. In the FTP protocol the client uses PORT to tell the server where to open the data connection; a server that does not check that address will connect to a third computer instead, and its reply tells the client whether that connection succeeded. There really is no good reason to allow this. It has become a vulnerability because this 'bounce' allows someone to use the FTP server to port scan other computers on the same local area network (LAN) as that FTP server. So even though a firewall may be keeping port scanners from directly scanning other computers on this LAN, the FTP server would bounce a scan past the firewall.
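The PORT command encodes the address and port as six comma-separated bytes (h1,h2,h3,h4,p1,p2, meaning host h1.h2.h3.h4 and port p1*256+p2). The following is an added example, not code from the original Guide or from any FTP server: it decodes and encodes that argument and implements the server-side check that patched servers adopted against the bounce, refusing a data connection to any address other than the control connection's peer or to a privileged port. The peer address, the target address and the reply lines are constructed for illustration.

```python
"""Decode an FTP PORT argument and apply the server-side check that stops
an FTP bounce.

Added example, not from the original Guide or any FTP server's code.
PORT h1,h2,h3,h4,p1,p2 means address h1.h2.h3.h4, port p1*256 + p2.
Addresses and reply texts below are constructed.
"""
import ipaddress


def parse_port_arg(arg):
    """'192,168,1,5,0,80' -> ('192.168.1.5', 80). Raises ValueError on bad input."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated bytes")
    octets = [int(p) for p in parts]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("byte out of range")
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return host, port


def format_port_arg(host, port):
    """Inverse of parse_port_arg: ('10.0.0.9', 1027) -> '10,0,0,9,4,3'."""
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def port_command_allowed(control_peer_ip, arg, min_port=1024):
    """Decide whether a server should accept a PORT command.

    control_peer_ip: the address the client's control connection came from.
    Returns (ok, reply_line). A bounce attempt is any request to connect the
    data channel to an address other than the peer, or to a privileged port.
    """
    try:
        host, port = parse_port_arg(arg)
    except ValueError as e:
        return False, f"501 Syntax error in PORT argument: {e}"
    if host != control_peer_ip:
        return False, "500 Illegal PORT command (address does not match control connection)"
    if port < min_port:
        return False, "500 Illegal PORT command (privileged port)"
    return True, "200 PORT command successful"


if __name__ == "__main__":
    peer = "10.0.0.9"   # constructed: where the client's control connection came from
    # Legitimate active-mode transfer back to the client itself.
    print(port_command_allowed(peer, format_port_arg(peer, 1027)))
    # Bounce attempt: data connection aimed at another host's SMTP port.
    print(port_command_allowed(peer, "192,168,1,5,0,25"))
```

The address check is what closes the hole; the privileged-port check is the extra belt-and-braces most servers added so that an FTP server cannot be pointed at a low-numbered service even on the client's own machine.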

So really an exploit is any technique that takes advantage of a vulnerability to enable you to carry out your own schemes, despite the wishes of the sysadmin of your target. Exploits depend on operating systems and their configurations, the configurations of programs running on computer systems, and of the LAN they are on.

Operating systems such as NT, VMS and Unix are very different, and the various versions of Unix have their differences, as well. (Examples of Unix operating systems include BSD, AIX, SCO, Irix, SunOS, Solaris, and Linux). Even the various versions of the Linux form of Unix are different.

This means exploits that will work against NT systems will probably not work against Unix systems, and exploits for Unix systems will probably not work against NT. NT services are run by different programs from what you may find on Unix type computers. Further, different versions of the same service running on any particular operating system will probably not be vulnerable to the same exploit, because each version of a service is a different program. Sometimes this different program has the same name and differs only in its version number. For example sendmail 8.9.1a is different from 8.8.2; a large part of the difference is that 8.9.1a has been fixed so that the old sendmail exploit programs no longer work against it.

For example, the "Leshka" exploit explained in the GTMHH on advanced shell programming clearly explains that it only works on versions 8.7-8.8.2 of the SMTP service program called 'sendmail.' We observed a number of people who were playing the hacker wargame trying to run the Leshka exploit against a later, fixed version of sendmail.

So remember, an exploit for one operating system or service is unlikely to work against another operating system. This isn't to say that it definitely won't...it's just not likely. However, you are pretty much guaranteed that any Win95 or NT exploit will not work against any kind of Unix. The exceptions are weaknesses that live in a protocol or in a configuration rather than in a particular program, such as the guessable password at the start of this Guide: those cross operating systems because every implementation shares them.
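Since the version of the service program decides whether an exploit applies, the first thing to check is the version the service announces. The following is an added example, not code from the original Guide: it pulls the Sendmail version out of an SMTP greeting (Sendmail announces itself as '220 host ESMTP Sendmail 8.8.2/8.8.2; date', MTA version before the slash, configuration version after) and compares it with a version range, here the 8.7 to 8.8.2 range the Guide quotes for the Leshka exploit. The banners and host names are constructed; the range is taken from the text above and is not a claim about any other version.

```python
"""Extract a Sendmail version from an SMTP greeting and compare it with a
version range.

Added example for this Guide, not code from the original. The range below
(8.7 through 8.8.2) is the one the Guide quotes for the 'Leshka' exploit;
the banners are constructed.
"""
import re

BANNER_RE = re.compile(r"Sendmail\s+(\d+(?:\.\d+)*[a-z]?)")


def parse_version(text):
    """'8.9.1a' -> (8, 9, 1, 'a'); '8.7' -> (8, 7, 0, '').

    The numeric part is padded to three fields so 8.7 and 8.7.0 compare
    equal; an optional trailing letter (a patch level) sorts after no letter.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", text.strip())
    if not m:
        raise ValueError(f"not a version: {text!r}")
    nums = [int(n) for n in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3]) + (m.group(2),)


def sendmail_version(banner):
    """Return the MTA version string from a 220 banner, or None if it is not Sendmail."""
    m = BANNER_RE.search(banner)
    return m.group(1) if m else None


def in_range(version, low, high):
    """True if low <= version <= high, all given as strings."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def leshka_range(banner):
    """Classify a banner against the 8.7-8.8.2 range quoted in the Guide."""
    v = sendmail_version(banner)
    if v is None:
        return "not sendmail"
    return "in range" if in_range(v, "8.7", "8.8.2") else "outside range"


if __name__ == "__main__":
    # Constructed banners; mail.example.com is a placeholder host.
    for banner in (
        "220 mail.example.com ESMTP Sendmail 8.8.2/8.8.2; Mon, 2 Feb 1998 10:00:00",
        "220 mail.example.com ESMTP Sendmail 8.9.1a/8.9.1; Mon, 2 Feb 1998 10:00:00",
    ):
        print(sendmail_version(banner), "->", leshka_range(banner))
```

A banner can of course be edited by the administrator, so 'outside range' is a reason to stop, while 'in range' is only a reason to look further, never proof.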

How to Look for Vulnerabilities

Now let's start someplace where you are unlikely to get punched in the nose by looking at some ports on your own computer. You can do this by typing 'netstat -a' at the command prompt.

You should see something such as:

Active Connections 

Proto Local Address Foreign Address State
TCP localhost:1027 0.0.0.0:0 LISTENING
TCP localhost:135 0.0.0.0:0 LISTENING
TCP localhost:135 0.0.0.0:0 LISTENING
TCP localhost:1026 0.0.0.0:0 LISTENING
TCP localhost:1026 localhost:1027 ESTABLISHED
TCP localhost:1027 localhost:1026 ESTABLISHED
TCP localhost:137 0.0.0.0:0 LISTENING
TCP localhost:138 0.0.0.0:0 LISTENING
TCP localhost:nbsession 0.0.0.0:0 LISTENING
UDP localhost:135 *:*
UDP localhost:nbname *:*
UDP localhost:nbdatagram *:*

Hhhmm... nothing much going on here. The 'Local Address' (i.e., my local machine) is listening on ports 135, 137, 138, and 'nbsession' (which translates to port 139...type 'netstat -an' to see just the port numbers, not the names of the ports). This is okay...those ports are part of Microsoft networking, and need to be active on the LAN my machine is connected to.

Now we connect our Web browser to http://www.happyhacker.org and at the same time run Windows telnet and connect to a shell account at example.com. Let's see what happens. Here's the output of the 'netstat -a' command, slightly abbreviated:

Active Connections 

Proto Local Address Foreign Address State
TCP localhost:1027 0.0.0.0:0 LISTENING
TCP localhost:135 0.0.0.0:0 LISTENING
TCP localhost:135 0.0.0.0:0 LISTENING
TCP localhost:2508 0.0.0.0:0 LISTENING
TCP localhost:2509 0.0.0.0:0 LISTENING
TCP localhost:2510 0.0.0.0:0 LISTENING
TCP localhost:2511 0.0.0.0:0 LISTENING
TCP localhost:2514 0.0.0.0:0 LISTENING
TCP localhost:1026 0.0.0.0:0 LISTENING
TCP localhost:1026 localhost:1027 ESTABLISHED
TCP localhost:1027 localhost:1026 ESTABLISHED
TCP localhost:137 0.0.0.0:0 LISTENING
TCP localhost:138 0.0.0.0:0 LISTENING
TCP localhost:139 0.0.0.0:0 LISTENING
TCP localhost:2508 zlliks.505.ORG:80 ESTABLISHED
TCP localhost:2509 zlliks.505.ORG:80 ESTABLISHED
TCP localhost:2510 zlliks.505.ORG:80 ESTABLISHED
TCP localhost:2511 zlliks.505.ORG:80 ESTABLISHED
TCP localhost:2514 example.com:telnet ESTABLISHED

So what do we see now? Well, there are the ports listening for Microsoft networking, just like in the first example. And there also are some new ports listed. Four are connected to 'zlliks.505.org' on port 80, and one to 'example.com' on the telnet port. These correspond to the client connections that I set up. See, this way you know the name of the computer that was running the Happy Hacker Web site at this time.

But what is with the really high port numbers? Well, remember the 'well-known' ports that we talked about above? Client applications, such as browsers and telnet clients (clients are programs that connect to servers) need a port of their own to receive data on, so the operating system hands each connection a free port from outside the 'well-known' range, above 1023 (these are called ephemeral ports). In this case, my browser has opened up four connections and was given four consecutive ports... 2508 through 2511.
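Reading 'netstat -a' by eye works for a dozen lines, but the split the text makes above, listening services on one side and client connections on ephemeral ports on the other, is easy to automate. The following is an added example, not code from the original Guide: it parses the Windows 'netstat -a' layout shown above, translates the port names netstat prints without -n (such as 'nbsession'), and separates the listening ports from the outbound connections. The sample output, host names and the short name table are constructed for illustration.

```python
"""Parse Windows 'netstat -a' output and separate listening services from
client connections.

Added example for this Guide, not code from the original. NETSTAT_SAMPLE
is constructed in the layout shown above; hosts and ports are made up.
"""
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_host local_port remote_host remote_port state")

# Names netstat substitutes for well-known ports when run without -n.
# Deliberately short; a full table would come from the services file.
PORT_NAMES = {"nbname": 137, "nbdatagram": 138, "nbsession": 139,
              "telnet": 23, "smtp": 25, "http": 80, "pop3": 110}

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    localhost:135          0.0.0.0:0              LISTENING
  TCP    localhost:137          0.0.0.0:0              LISTENING
  TCP    localhost:nbsession    0.0.0.0:0              LISTENING
  TCP    localhost:1026         0.0.0.0:0              LISTENING
  TCP    localhost:1026         localhost:1027         ESTABLISHED
  TCP    localhost:1027         localhost:1026         ESTABLISHED
  TCP    localhost:2508         www.example.org:80     ESTABLISHED
  TCP    localhost:2514         shell.example.com:telnet  ESTABLISHED
  UDP    localhost:135          *:*
  UDP    localhost:nbname       *:*
"""


def split_endpoint(text):
    """'host:port' -> (host, port_int); '*:*' -> ('*', None)."""
    host, _, port = text.rpartition(":")
    if port == "*":
        return host, None
    if port.isdigit():
        return host, int(port)
    if port in PORT_NAMES:
        return host, PORT_NAMES[port]
    raise ValueError(f"unknown port name {port!r}; run netstat -an for numbers")


def parse_netstat(text):
    """Return one Socket per TCP/UDP row, skipping headers and blank lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        state = fields[3] if len(fields) > 3 else ""   # UDP rows have no state
        lh, lp = split_endpoint(local)
        rh, rp = split_endpoint(remote)
        rows.append(Socket(proto, lh, lp, rh, rp, state))
    return rows


def listening_ports(rows):
    """Ports that accept traffic: TCP LISTENING plus every UDP socket."""
    return sorted({r.local_port for r in rows
                   if (r.proto == "TCP" and r.state == "LISTENING") or r.proto == "UDP"})


def outbound_connections(rows):
    """ESTABLISHED connections from an ephemeral (>1023) local port to another
    machine: the client connections this host has opened."""
    return [(r.remote_host, r.remote_port) for r in rows
            if r.state == "ESTABLISHED" and r.local_port > 1023
            and r.remote_host != "localhost"]


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("listening:", listening_ports(rows))
    print("outbound: ", outbound_connections(rows))
```

Anything in the 'listening' list that you cannot account for is exactly the kind of unexpected service the rest of this Guide teaches you to look for.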

Now suppose you want to scan your friend's ports. This is the best way to scan, as you won't have to worry about your friend getting you kicked off your ISP for suspicion of trying to break into computers. How do you know what your friend's IP address is? Ask him or her to run the command (from the DOS prompt) 'netstat -r'. This shows something like this:

C:\WINDOWS>netstat -r 

Route Table

Active Routes:

Network Address Netmask Gateway Address Interface Metric
0.0.0.0 0.0.0.0 198.59.999.200 198.59.999.200 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
198.59.999.0 255.255.255.0 198.59.999.200 198.59.999.200 1
198.59.999.200 255.255.255.255 127.0.0.1 127.0.0.1 1
198.59.999.255 255.255.255.255 198.59.999.200 198.59.999.200 1
224.0.0.0 224.0.0.0 198.59.999.200 198.59.999.200 1
255.255.255.255 255.255.255.255 198.59.999.200 0.0.0.0 1

Active Connections

Proto Local Address Foreign Address State
TCP lovely-lady:1093 mack.foo66.com:smtp ESTABLISHED

The 'Interface' column of the first line (the default route, network 0.0.0.0) gives the current IP address of your computer. On a dial-up connection like the one above the 'Gateway Address' is the same number; on a LAN the gateway is the router, so it differs from your own address and you should read the 'Interface' column. If you or your friend are on a LAN, however, you should think twice before port scanning each other, or the LAN's sysadmin may notice your activity. Warning, sysadmins have quite an arsenal of larts to use on suspicious-acting users.

************************************************************
Newbie note: Lart? What the heck is a lart? It is a "luser attitude readjustment tool." This is a generic class of techniques used by sysadmins to punish lusers. What is a luser? A wayward user. To get a sampling of popular larts, see http://mrjolly.cc.waikato.ac.nz. You want your sysadmins to be your FRIENDS, right? Never forget this!
************************************************************

What are some of the vulnerabilities in Win95 and NT, you ask? Check previous GTMHHs for this information. Perhaps the most important thing to remember about Windows is that any user, not just the Administrator (who is the equivalent of root in Unix), can run a program that listens on any port it wants, even a well-known port; on Unix, only root may bind a port below 1024. This is easily demonstrated with 'netcat', written by Hobbit and ported to NT by Weld Pond of L0pht fame.

The program can be obtained from:

http://www.l0pht.com/~weld/netcat

Read the documentation that ships with the program, or the Guides on (a) win95 and telnet from:

http://www.happyhacker.org/gtmhh.shtml

or (b) NT security from:

http://www.infowar.com/hacker/hacker.html-ssi

...for information on uses of netcat.

Of course, various Windows applications, such as Internet Explorer, have their own vulnerabilities.

By now, you're probably wondering where you can learn more about various vulnerabilities and exploits for just about any computer you might find on the Internet. Here is a list of sites:

Aelita Software: http://www.ntsecurity.com **This site has the RedButton program, which demonstrates the capability to connect to an NT machine via a null session and retrieve registry information. This is a relatively simple problem to fix...see the NT security Guides at: http://www.infowar.com/hacker/hacker.html-ssi


NTSecurity: http://www.ntsecurity.net

Active Matrix's HideAway: http://www.hideaway.net/exploits.html

CERT: http://www.cert.org

________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org.
We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. But we hate computer crime. So don't email us about any crimes you may have committed!
To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message.
Copyright 1998 keydet89 and Carolyn Meinel. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
_________________________________________________________
Carolyn Meinel
M/B Research -- The Technology Brokers
