____________________________________________________________________

Gathering Info on Remote Host: Essential Ingredient of Hacking into it. By Ankit Fadia [email protected] ______________________________________________________________________

I get a lot of emails from eo le asking me ho! they can break into their I"# or ho! they can break into a system etc etc. Infact$ s%ch &%estions are almost the most common ones$ from all the &%estions I get. 'ell$ after this o %lar demand$ I tho%ght that an entire man%al on breaking into systems !as needed. "o here goes..

(o% see$ breaking into systems or getting root on a system is not as diffic%lt as it seems. And it by no means re&%ires yo% to be an )berhacker. Getting into a system is &%ite easy and it re&%ires yo% to kno! at least one rogramming lang%age * referably +,$ and ha-e a more than an a-erage I.. Ho!e-er$ breaking into systems does re&%ire a bit of l%ck and also a bit of carelessness or st% idity on the art of the system administrator of the target system.

'hat I mean to say by all this is that$ breaking into systems is no big deal$ anyone co%ld do that$ e-en a scri t kiddie$ ho!e-er$ the art of the entire Hacking rocess !here more than most eo le falter is the remaining %ndetected art. Anonymity or remaining anonymo%s to the "er-er logs and re-enting detection of a break/in is the most diffic%lt art of Hacking into a system.

'hat se arates a good Hacker from a "cri t 0iddie or a 1amer is that the former has more than se-eral !ays of making s%re that no one e-en s%s ects that there has been a break in$ !hile on the other hand$ the later has no cl%e !hat so e-er as to !hat he is doing or !hat he needs to do to re-ent s%ch detection. 2here are so many ready to )se canned + rograms or Hacking %tilities a-ailable on the net$ that a h%ge n%mber of !annabe hackers$ do!nload them and %se them to Hack into systems. 'ell$ not only do they do not !ork ro erly and fla!lessly$ they also ro-ide no mechanism of remaining anonymo%s. 'hat is more$ say if yo% are not %sing a canned Hacking tool$ and are also not trying to remain anonymo%s$ then yo% stand a greater chance of remaining %ndetected than if yo% !ere %sing s%ch a tool. "o think before yo% %se s%ch tools$ yo% might be able

to get the #ass!ord file and become -ery ke!l$ ho!e-er$ yo% !ill certainly be ca%ght later if not sooner.

2he first ste that yo% need to take once yo% ha-e decided the target com %ter is to find o%t as m%ch information as yo% can abo%t it. (o% see$ to break into a system yo% need to e3 loit a -%lnerability e3isting in the ser-ices offered by it. Almost all systems ha-e certain o en orts$ !hich ha-e certain daemons or ser-ices r%nning on them.

4444444444444444444444 HA+0I5G 2R)2H: 2here are t!o ty es of orts. 2here are hard!are orts$ !hich are the slots e3isting behind the +#) cabinet of yo%r system$ into !hich yo% l%g/in or connect yo%r hard!are to. For E3am le$ +678$ +679$ #arallel #ort etc. Ho!e-er$ !e are not interested in s%ch orts. 'e are concerned !ith the other ty e of orts$ !hich are the -irt%al or the soft!are orts. "%ch a -irt%al ort is basically a -irt%al i e thro%gh !hich information goes in and o%t. And all o en orts ha-e a ser-ice or daemon r%nning on it. A ser-ice or a daemon is nothing b%t the soft!are r%nning on these orts$ !hich ro-ide a certain ser-ice to the %sers !ho connect to it. For E3am le$ #ort 9: is al!ays o en on a ser-er handling mails$ as it is ort !here the "endmail ser-ice is r%nning by defa%lt. 4444444444444444444444

"o basically the first ste in yo%r &%est to breaking into a system is to get as m%ch information on it$ as yo% can. 2ry to get$ the list of o en orts$ the list of ser-ices r%nning on the res ecti-e o en orts and !hole lots of other kind of information to !hich I !ill come later.

Any!ay$ so firstly$ get a good #ort "canner$ referably stealth and then do a ort scan on the target host. 5o! one thing that yo% m%st remember !hile doing a ort scan is the fact that there are -ario%s so called ;stealth; ort scanners aro%nd !hich claim to be %ndetectable$ ho!e-er most of them are detectable. "o instead of %sing s%ch; false claims; ort scanners$ I s%ggest yo% code one on yo%r o!n.

B%t !hy do I need to %se a stealth #ort "canner and ho! can I code my o!n #ort "canner< 'ell$ the reason as to !hy yo% need a stealth ort "canner is that many system

administrators log all ort scans and records the I# and other information on s%ch attem ts$ this makes yo% s%sce tible to getting ca%ght. In my o inion the best #ort "canners aro%nd are those$ !hich send "(5=FI5 ackets from a s oofed host$ making logging %seless. "%ch a ort "canner !o%ld be coded in +$ b%t !ill not r%n in 'indo!s. 2his !as >%st an idea$ no! it is % to yo% to code it yo%rself.

Any!ay$ let me ass%me that yo% ha-e got hold of a good ;im ossible to detect; #ort "canner$ no! scan the target system for all o en orts and record the o en lists:

5ote: In this man%al$ I ha-e taken % my I"# as an e3am le target system. It !o%ld be foo/barred thro%gho%t as 333.bol.net.in

In my case$ I fo%nd that the follo!ing orts !ere o en:

#ort 5%mber

"er-ice

98 9? 9: :? AB CD 88D 888

F2# 2elnet "72# @5" Finger H22# #6# 5ot )sef%l

"ystem r%nning and also the F2# daemon r%nning. 'ell$ act%ally it is the login rom t of the daemon banner !hich gi-es %s the 6 erating "ystem r%nning on it. 5ormally$ a ty ical daemon banner$ !o%ld ha-e the follo!ing 1ogin rom t:

99D 3339.bol.net.in F2# ser-er *@igital )5IE Fersion :.GD, ready. )ser *bol.net.in:*none,,:

5otice the "ystem name in the brackets on the first line. Ho!e-er$ normally almost all F2# daemons are better config%red *that is the case in the e3am le target system: 333.bol.net.in,and their login rom t is some!hat like the belo!:

99D ft 9.333.bol.net.in F2# ser-er ready. )ser *mail9.bol.net.in:*none,,:

"ee$ no 6 erating "ystem name. Ho!e-er$ !ith the hel of some ke!l commands$ s%ch systems too can be re-eal the 6" r%nning on them. Ho!e-er$ before !e go on$ there is one thing that yo% ha-e to be clear abo%t. 5o!$ !e had F2#;ed to 333.bol.net.in$ so yo% normally e3 ect to connect to #ort 98 of 333.bol.net.in$ ho!e-er that is not tr%e. *Atleast in this case., If yo% look at the daemon banner again$ then yo% !o%ld notice that the last line says:

99D ft 9.333.bol.net.in F2# ser-er ready.

5o! ho! did that ha en< 'ell$ is #ort 98 not o en on 333.bol.net.in < 'ell$ no and yes. 'hat act%ally ha ens is that$ #ort 98 of 333.bol.net.in is o en and a daemon there is listening for connections. As soon as a connection is established$ it transfers the control or connected the -isitor to ft 9.333.bol.net.in$ !hich is on the same net!ork as 333.bol.net.in. 5o! this$ ft .333.bol.net.in system is solely a F2# machine. It has no other ser-ices r%nning. "o !hate-er information$ !e gather from s%ch a F2# ort is not of 333.bol.net.in b%t of ft 9.bol.net.in. Get it<

Any!ay$ !hen yo% get the login rom t$ then login anonymo%sly !ith the anonymo%s as the )sername and a false email address as the ass!ord.

99D ft 9.333.bol.net.in F2# ser-er ready. )ser *ft 9.333.bol.net.in:*none,,: anonymo%s ??8 G%est login ok$ send yo%r com lete e/mail address as ass!ord. #ass!ord: 333@lin%3.net 9?D )ser anonymo%s logged in. Access restrictions a ly.

E-en if yo% ha-e an acco%nt at the F2# ser-er into !hich yo% lan to break in$ it is al!ays better not to %se that air of )sername and #ass!ord. 1ogging in anonymo%sly has many ad-antages. "ay if yo% did ca%se some harm to the target system and if yo% %se yo%r *5onanonymo%s, )sername and #ass!ord air$ then if yo% !ere not able to edit the ser-er logs yo% co%ld get into some serio%s tro%ble. H'ell act%ally not m%ch$ only say yo%r acco%nt might be disabled. Ho!e-er$ it co%ld be !orse.I

6k$ yo% are in$ no! let %s get the F2# client to tell %s !hich commands are a-ailable by ty ing the hel command.

ft J hel +ommands may be abbre-iated. +ommands are:

K < a end asc 6 +'@

delete deb%g dir "2A2

literal ls mdelete ER7@ "ILE

rom t %t !d

REI54 76@E

7"5@4 RE"2

E+'@

HE1#

#'@

7@27

.)I2 RE2R 7"674 R5FR 1I"2 566# E#'@ I mean by that is that all remote F2# commands ha-e to be receded by the !ord ;literal;. For e3am le$ say yo% !ant to e3ec%te the remote F2# command: ;stat;$ then yo% !o%ld ty e:

ft J literal stat

444444444444444 HA+0I5G 2R)2H: According to F2# hel $ the literal command is described as: ft J hel literal literal send arbitrary ft command

444444444444444

Any!ay$ amongst the remote F2# commands$ the commands of interest to %s are/: ;stat; and ;syst;. 1et %s see !hat they ret%rn !hen e3ec%ted/:

ft Jliteral stat 988/ ft 9.333.bol.net.in F2# ser-er stat%s: Fersion :.GD +onnected to 9D?.33.9:8.8BC *9D?.33.9:8.8BC, 1ogged in anonymo%sly 2(#E: A"+II$ F6R7: 5on rintM "2R)ct%re: FileM transfer 76@E: "tream 988/ 5o data connection 988 End of stat%s

5ote: 2he I# address is of 333.bol.net.in and not yo%r machine.

ft J literal syst 98: )5IE 2y e: 1C Fersion: B"@/8BCB88

Foila$ !e get the 6 erating "ystem name r%nning on ft 9.333.bol.net.in. At last some %sef%l information.

Finger and H22# both failed$ !hat do !e do no!< 1et %s t%rn to the den of the B%ggiest daemon on Earth i.e. "endmail: #ort 9:$ the "72# ort.

"endmail is certainly the b%ggiest daemon on earthM it has the highest n%mber of kno!n e3 loits amongst all the daemons. "o this robably sho%ld get %s thro%gh. 1et %s telnet to #ort 9: and find o%t !hether an e3 loitable -ersion of "endmail is r%nning.

+:N!indo!sJ telnet 333.bol.net.in 9:

99D 333.bol.net.in E"72# "endmail C.B.8 *8.8.9D.?=9AO%nDD/D?PG#7, 2h%$ 9B O%n 9DDD 8P:8C:89 D:?D *I"2,

'hen yo% telnet to #ort 9:$ then the first thing that yo% come across !o%ld be a something like the abo-e !elcome daemon banner. A daemon banner is a Hacker;s best friend. It re-eals im ortant information abo%t the host$ !hich ro-es to be in-al%able in breaking into it. It basically tells yo% !hich daemon or ser-ice is r%nning on that ort and also the -ersion of that artic%lar ser-ice. 1ike for e3am le$ in this case$ the "endmail daemon banner tells %s that E"72# "endmail C.B.8 is r%nning and it also gi-es %s other information abo%t the host at !hich this ser-ice is r%nning.

Any!ay$ getting back to the to ic$ this banner re-eals a big -%lnerability e3isting in the host com %ter. It tells %s that 333.bol.net.in is r%nning an old$ -%lnerable -ersion of

"endmail. 2he latest -ersion is "endmail C.B.P *correct me if I am !rong.,$ so this artic%lar -ersion of "endmail !o%ldn;t be !itho%t any b%gs.

"o then !hat yo% do is -isit #acket"torm or search at yo%r fa-orite Hacking st%ff related search engine for a + rogram !hich demonstrates ho! to e3 loit -ersion C.B.P of "endmail. 5o!$ all this might so%nd a bit too sim le$ !ell it certainly isn;t$ read on for more info.

5o!$ there are a co% le of things that yo% need to kee in mind !hile getting this done. "ay$ yo% ha-e fo%nd o%t that the -ictim r%ns "endmail C.B.P$ no! yo% cannot sim ly break in by r%nning any e3 loit for this -ersion. By that !hat$ I mean to say is that$ an e3 loit$ !hich is coded to be e3ec%ted on a 1in%3 latform$ !ill not !ork if yo% try to com ile and r%n it on a 'indo!s latform. "o basically before yo% e3ec%te the ;ke!l; e3 loit rogram that yo% do!nloaded$ yo% sho%ld find o%t !hich latform it is meant for and if yo% are not r%nning that latform$ then yo% !ill need to get yo%r gray cells !orking.

2his is the stage !here real hackers are differentiated bet!een scri t kiddies$ this is !hen those eo le !ho really kno! something re-ail. 5ormally say if a e3 loit is designed to !ork on 1in%3$ then if yo% edit its code and change its header files *if necessary,$ then that artic%lar e3 loit can be made to r%n on 'indo!s too. Ho!e-er$ there are certain e3 loits$ !hich sim ly !o%ld not r%n on a different 6" than it is designed too.

Any!ay$ let %s get back to oint. (o% ha-e edited the e3 loit code and made it com atible !ith yo%r latform. 5o! !hat else< Another thing that yo% !ant to kee in mind is the 6 erating "ystem$ !hich the e3 loit can e3 loit. (o% see$ there are certain e3 loits$ !hich !ork only if the -ictim system is r%nning a s ecific 6 erating "ystem. For E3am le$

2here !as once a "endmail hole$ !hich !orked only if the target "ystem !as r%nning "%n 6" !itho%t !hich$ it sim ly ref%sed to e-en !ork.

"o in some cases it becomes necessary$ to find o%t the 6 erating "ystem r%nning at the target system. Altho%gh not all e3 loits re&%ire the target system to be r%nning a s ecific system$ b%t !hy take a chance. Right<

"o basically yo% sho%ld be a!are of the follo!ing things !hile getting a ready to %se e3 loit/:

8., 2he @aemon name and -ersion yo% are trying to e3 loit For E3am le$ "endmail C.B.P 9., ?., 2he 6 erating "ystem at !hich it is designed to r%n. *If necessary, 2he o erating "ystem it re&%ires the target system to be r%nning. *If necessary,

2hat brings %s to as to ho! to find o%t the 6 erating "ystem r%nning at the target system< 'ell$ the H22# ort holds the key. "im ly$ telnet to #ort CD of the target system.

+:N!indo!sJtelnet 333.bol.net.in CD

5o!$ once yo% get the in %t rom t$ then$ ty e an in-alid H22# command. For E3am le$ E or Iamgreat or abc etc. O%st ty e anything as long as it is not a -alid H22# command. 2hen ress enter t!ice.

44444444444 Hacking 2r%th: After each H22# command one has to ress Enter 2!ice to send the command to the ser-er or to bring abo%t a res onse from a ser-er. It is >%st ho! the H22# rotocol !orks. 4444444444

6n #ort CD of my e3am le target system$ I ty e sim ly ;ankit; and ress enter t!ice. 2his is the kind of res onse I get:

H22#=8.8 PDD Bad Re&%est "er-er: 5etsca e/Enter rise=?.:.8

2he ser-er re lies !ith the -ersion of H22# it is r%nning *not so im ortant,$ it gi-es %s an error message and the error code associated !ith it*again not so im ortant,$ b%t it also gi-es %s the 6" name and 6" -ersion$ it is r%nning. 'o!KKK It gi-es hackers !ho !ant to break into their ser-er the %ltimate iece of information$ !hich they re&%ire.

'ell$ these !ere the common !ays of finding o%t more information abo%t a host in yo%r &%est to break into it. I !ill soon be % dating this man%al$ ho e yo% en>oyed the first edition. 2ill the ne3t % date$ goodbye.

+67I5G "665: Finding o%t more Information abo%t the remote host. E3 loiting the R "er-ices *rlogin etc, or E3 loiting 2r%st Relationshi s E3 loiting Ro%ters 7ore F%n !ith Remote Hosts

Ankit Fadia [email protected]

htt :==!!!.ankitfadia.com

2o recei-e t%torials !ritten by Ankit Fadia on e-erything yo% e-er dreamt of in yo%r Inbo3$ >oin his mailing list by sending a blank email to: rogrammingforhackers/ s%bscribe@egro% s.com

'anna ask a &%estion< Got a comment to make< +riticiQe$ +omment and moreR..by sending me an Instant 7essage on 7"5 7essenger. 2he I@ that I %se is: [email protected]

'anna learn Hacking< 'anna attend monthly lect%res and disc%ssions on -ario%s 5et!orking=Hacking to ics< 1ect%res$ @ebates and @isc%ssions$ get it all by sim ly >oining 2he Hacking 2r%ths cl%b by clicking Here