GUIDE TO (mostly) HARMLESS HACKING

 

Beginners' Series Number 7

 

The Exploit Files

____________________________________________________________

 

by keydet89 and Carolyn Meinel

 

How many times have you read hacker newsgroups or email lists and seen posts

that begged "teach me to hack," or asked "how do I hack this"? It often

looks as though the person asking the question just doesn't understand the

basics of vulnerabilities and their exploits. The purpose of this Guide is

to explain what vulnerabilities and exploits are, and how they relate to

computer security.

 

Let's start with an example. Suppose that you are trying to sell something

by phone. So you start by calling phone numbers, and you keep calling until

you get someone to answer, not an answering machine, but a real live person.

Then if the person who answers the phone speaks the same language as you and

can understand you, you try to sell your product. Lots of people will hang

up on you, but eventually, someone will buy something...bang! You've scored!

 

*****************************************************************

In this Guide you will learn:

 

* What is a vulnerability

* What is an exploit

* How to look for vulnerabilities

*****************************************************************

 

So what does this have to do with 'hacking'? Look at your dialing of phone

numbers as port scanning IP (Internet protocol) addresses on the Internet.

Some Internet host computers won't answer. Maybe a firewall is blocking the

ports that you're scanning. Some hosts will answer, and at that point

maybe, just maybe, you've found a vulnerable computer.

 

********************************************************************

Newbie note: What are these 'ports' we are talking about? This kind of

'port' is a number from 0 to 65535 used to identify a service on an

Internet host. For this reason they are often called 'TCP/IP' (Transmission

Control Protocol/Internet Protocol) ports, to distinguish them from other

kinds of computer ports such as serial ports, printer ports, etc. Strictly,

the port number belongs to TCP or to UDP, the two transport protocols that

ride on top of IP, so TCP port 80 and UDP port 80 are different things. Each

host computer connected to the Internet is identified by a numeric IP

address, such as 192.0.2.10 (an address from the range set aside for

documentation), which usually also has a name such as 'victim.fooisp.com'.

Since each host may have many services running, each service listens on a

different port. To contact any of these services across the Internet, you

use the host's IP address and the port number together -- it's kind of like

dialing a phone number and then an extension.

********************************************************************

 

Now maybe you have connected to telnet, port 23. You get a login prompt,

but you don't know any valid username/password combinations. So the host

"hangs up" on you. After many hours of trying, you connect to a host on the

right port, and Shazam!! You're greeted with a login prompt, and you quickly

guess a valid username and password combination. The next thing you know,

you have a command prompt. You have discovered a vulnerability -- an easily

guessed password! So being the 'white hat hacker' that you are, you send an

email to the sysadmin of the site and leave quietly.
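Here is the phone-dialing analogy in working code: an added example, not part of the original Guide, of a TCP connect scan and a banner grab in Python. It is run against a throwaway service on your own machine (127.0.0.1) so that nobody gets annoyed. The LocalListener class, the probe/scan/banner function names and the constructed '220' greeting are this example's own choices, not anything from the Guide.

```python
import socket
import threading


def probe_tcp(host, port, timeout=1.0):
    """Try a full TCP connect to one port, the way a caller waits for an
    answer. Returns 'open' (someone answered), 'closed' (the host said
    nobody is on that port, i.e. it sent a RST) or 'filtered' (no answer
    at all: a firewall is dropping the packets, or the host is down)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                  # socket.timeout is an OSError too
        return "filtered"


def scan_ports(host, ports, timeout=1.0):
    """Connect scan: one probe per port, results keyed by port number."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def grab_banner(host, port, timeout=2.0, max_bytes=256):
    """Connect and read whatever the service volunteers first (an SMTP
    '220', a telnet login prompt...). Returns '' if it stays silent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return sock.recv(max_bytes).decode("latin-1", "replace").strip()
        except socket.timeout:
            return ""


class LocalListener:
    """A throwaway TCP service on 127.0.0.1, constructed for this example so
    you can practise on your own machine. The OS picks a free port; every
    client that connects gets the banner and is then disconnected."""

    def __init__(self, banner=b"220 localhost ESMTP ready\r\n"):
        self.banner = banner
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))      # port 0: let the OS choose
        self.sock.listen(5)
        self.sock.settimeout(0.2)             # lets the loop notice stop()
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:                   # socket closed under us
                return
            with conn:
                try:
                    conn.sendall(self.banner)
                except OSError:               # client hung up already
                    pass

    def stop(self):
        """Stop serving and release the port, so it reads as 'closed'."""
        self._stop.set()
        self._thread.join()
        self.sock.close()


if __name__ == "__main__":
    svc = LocalListener()
    print(scan_ports("127.0.0.1", [svc.port, svc.port + 1]))
    print(grab_banner("127.0.0.1", svc.port))
    svc.stop()
```

A full connect is the noisiest kind of scan: every probe completes the three-way handshake, so it lands in the target's logs exactly as the warning further down describes. That is also why a scan result of 'filtered' is useful information in itself: it usually means a firewall sits between you and the host.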

 

*****************************************************************

Newbie note: A 'host' is a computer connected to the Internet. A 'service'

is a program that listens on a port of an Internet host and responds to

certain commands. If you give it the right command, you will get it to do

something for you.

 

The simplest example of a service is 'chargen', or character generator (port

19). If you telnet to the chargen service, the program reacts to your

connection by sending a stream of characters which you will see repeating

across your telnet screen. All you need to do is connect to the service.

 

Another example of a service is finger (port 79). If you run a finger

program to request information on a particular user from a specific host,

and the finger service (or 'fingerd') is running, and if the user has not

instructed the finger service to ignore requests about him or her, you will

get back information on that user.

*****************************************************************

 

What services are run from these ports, and how can we learn more about

them? Ports numbered from 0 to 1023 are called the 'well-known' ports.

At the time of writing they were listed in RFC 1700 (see

http://www.internetnorth.com.au/keith/networking/rfc.html); that RFC has

since been retired in favour of the online registry kept by IANA. Many of

the well-known ports are also listed in a file on your computer called

'services'. On Win95, it's c:\windows\services; on NT, it's

c:\winnt\system32\drivers\etc\services; on many Unix type computers (your

shell account) it's /etc/services.

 

These ports are called 'well-known' because everyone agrees which service

lives on them. For example, the well-known port for receiving email is the

SMTP port, or port 25. Because it is 'well-known', any mail server can hand

a message to any other mail server without being told where to connect.

Because port 110 is the well-known port for checking email, all email

clients know that they have to connect to a POP server on port 110 in order

to retrieve email.

 

An excellent FAQ (frequently asked questions) on TCP/IP ports can be found

at http://www.technotronic.com/tcpudp.html

 

*************************************************************

You can get punched in the nose warning: There are many port scanning

tools, and wannabe hackers use them ... a lot. But for what purpose? In

most cases all that happens is that a sysadmin or firewall administrator

goes through the connection logs that computer keeps, sees your scan, and

decides whether to ignore it or to call the sysadmin of the site that your

scan came from. Even where port scanning by itself is not illegal (the

answer varies by jurisdiction), it makes systems administrators really mad

at you! To avoid getting kicked off your Internet provider, get permission

to scan first!

*************************************************************

 

What Is a Vulnerability?

 

A 'vulnerability' is any weakness in a computer system that will let

someone keep it from operating correctly, read or change data they have no

right to, or take the system over. There are many types of vulnerabilities.

A vulnerability may be a misconfiguration in the setup of a service, or a

flaw in the programming of the service.

 

An example of a setup misconfiguration is leaving the 'wiz' or 'debug'

commands operational in older versions of sendmail, or incorrectly setting

directory permissions on your FTP server so people can download the password

file. In these cases, the vulnerability is not in how the program was

written, but in how the program is configured. Allowing file sharing on your

Windows 95 or 98 computer when it is not necessary, or failing to put a

password on file sharing, is another example.

 

Examples of errors in the programming of services are the large number of

buffer overflow vulnerabilities in the programs that run services on the

ports of Internet host computers. Many of these buffer overflow problems

allow people to use the Internet to break into and take control of host

computers (check out "Smashing the Stack for Fun and Profit", by Aleph One,

originally published in Phrack 49, at:

http://www.happyhacker.org/docs/smash.txt).

 

What Is an Exploit?

 

An 'exploit' is a program or technique that takes advantage of a

vulnerability. For example, the FTP-Bounce vulnerability occurs when an FTP

server (used to allow people to upload and download files) will open its

data connection to any address a client names. The FTP protocol's PORT

command lets the client tell the server where to connect for the next file

transfer; the original idea was to let one client move files between two

servers, but there really is no good reason to let the server connect to a

third machine. It has become a vulnerability because this 'bounce' feature

allows someone to use the FTP server to port scan other computers, in

particular those on the same local area network (LAN) as that FTP server.

So even though a firewall may be keeping port scanners from directly

scanning other computers on this LAN, the FTP server would bounce a scan

past the firewall, and to the target the scan appears to come from the FTP

server rather than from the attacker. The fix is for the server to refuse

any PORT command naming an address other than the one the client connected

from.
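To make the mechanism concrete, here is an added example, not code from the original Guide, showing both sides of a bounce scan in Python: how the PORT argument is encoded, how a scanner reads the server's reply to LIST, and the check a fixed server applies. The FTP server is simulated by a small constructed function so the example runs offline; the addresses 192.0.2.77 and 198.51.100.9 are documentation addresses chosen for the example, and the 500 reply for a rejected PORT is an assumption modelled on what current servers answer.

```python
import ipaddress


def encode_port_command(ip, port):
    """Build the PORT argument from RFC 959: four address bytes and two port
    bytes, in decimal, comma separated. 192.0.2.77:80 -> 'PORT 192,0,2,77,0,80'."""
    a = ipaddress.IPv4Address(ip).packed
    return "PORT %d,%d,%d,%d,%d,%d" % (a[0], a[1], a[2], a[3], port >> 8, port & 0xFF)


def decode_port_command(arg):
    """Inverse of encode_port_command; raises ValueError on malformed input."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument: %r" % arg)
    return "%d.%d.%d.%d" % tuple(parts[:4]), (parts[4] << 8) | parts[5]


def port_command_allowed(arg, control_peer_ip, lowest_port=1024):
    """The server-side check that closes the hole: only connect back to the
    address the control connection came from, and never to a privileged port."""
    try:
        ip, port = decode_port_command(arg)
    except ValueError:
        return False
    return ip == control_peer_ip and port >= lowest_port


def classify_data_reply(code):
    """What the server's reply to LIST tells the scanner about the target port."""
    if code in (125, 150):
        return "open"        # server got its data connection: the port answered
    if code == 425:
        return "closed"      # "Can't open data connection": the target refused
    return "unknown"


def bounce_scan(send, target_ip, ports):
    """Drive a server's control channel: for each port, PORT then LIST.
    'send' takes one command line and returns the server's numeric reply."""
    results = {}
    for port in ports:
        if send(encode_port_command(target_ip, port)) != 200:
            results[port] = "refused by server"   # a fixed server stops us here
            continue
        results[port] = classify_data_reply(send("LIST"))
    return results


def make_fake_ftp_server(open_ports, client_ip, fixed):
    """Simulated control channel (constructed for this example). open_ports is
    the set of (ip, port) pairs that would accept a data connection. A 'fixed'
    server applies port_command_allowed; a vulnerable one accepts any PORT.
    Reply codes follow RFC 959; 500 for a rejected PORT is an assumption."""
    data_target = {"addr": None}

    def send(command):
        verb, _, arg = command.partition(" ")
        if verb == "PORT":
            if fixed and not port_command_allowed(arg, client_ip):
                data_target["addr"] = None
                return 500
            data_target["addr"] = decode_port_command(arg)
            return 200
        if verb == "LIST":
            if data_target["addr"] is None:
                return 425
            return 150 if data_target["addr"] in open_ports else 425
        return 502

    return send


if __name__ == "__main__":
    reachable = {("192.0.2.77", 22), ("192.0.2.77", 80)}
    vulnerable = make_fake_ftp_server(reachable, "198.51.100.9", fixed=False)
    print(bounce_scan(vulnerable, "192.0.2.77", [22, 23, 80]))
    fixed = make_fake_ftp_server(reachable, "198.51.100.9", fixed=True)
    print(bounce_scan(fixed, "192.0.2.77", [22, 23, 80]))
```

Against a live server the scanner speaks the same commands over a real TCP control connection (nmap's -b option does exactly this); the simulated server is here to show that once port_command_allowed is in place, the scan never gets past the PORT step, so the target never sees a connection from the FTP server at all.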

 

So really an exploit is any technique that takes advantage of a

vulnerability to enable you to carry out your own schemes, despite the

wishes of the sysadmin of your target. Exploits depend on operating systems

and their configurations, the configurations of programs running on computer

systems, and of the LAN they are on.

 

Operating systems such as NT, VMS and Unix are very different, and the

various versions of Unix have their differences, as well. (Examples of Unix

operating systems include BSD, AIX, SCO, Irix, Sun OS, Solaris, and Linux).

Even the various versions of the Linux form of Unix are different.

 

This means exploits that will work against NT systems will probably not work

against Unix systems, and exploits for Unix systems will probably not work

against NT. NT services are run by different programs from what you may find

on Unix type computers. Further, different versions of the same service

running on any particular operating system will probably not be vulnerable

to the same exploit, because each version of a service is a different

program. Sometimes this different program has the same name and only a

different version number. For example sendmail 8.9.1a is different from

8.8.2: among the differences, 8.9.1a has been fixed so that the old sendmail

exploit programs written for 8.8.2 and earlier do not work on it.

 

For example, the "Leshka" exploit explained in the GTMHH on advanced shell

programming clearly explains that it only works on versions 8.7-8.8.2 of the

SMTP service program called 'sendmail.' We observed a number of people who

were playing the hacker wargame trying to run the Leshka exploit against a

later, fixed version of sendmail.
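One way to avoid the mistake described above, as an added example that is not the Guide's own code: read the version out of the SMTP greeting and compare it against the affected range the text gives, 8.7 through 8.8.2, before bothering with the exploit at all. The banner lines below are constructed, the function names are this example's own, and the caveat in the comments matters: a banner is a hint, not proof, because an admin can edit it or strip the version out.

```python
import re


def parse_version(text):
    """'8.8.2' -> ((8, 8, 2), ''); '8.9.1a' -> ((8, 9, 1), 'a').
    Numeric parts are padded to three so that 8.7 sorts as 8.7.0, and the
    letter suffix sorts after the bare number (8.9.1 < 8.9.1a)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([A-Za-z]*)", text.strip())
    if not m:
        raise ValueError("not a version string: %r" % text)
    nums = tuple(int(n) for n in m.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]
    return nums, m.group(2).lower()


def in_range(version, lowest, highest):
    """True if lowest <= version <= highest, all given as version strings."""
    return parse_version(lowest) <= parse_version(version) <= parse_version(highest)


# The stock sendmail greeting looks like
#   220 host ESMTP Sendmail 8.8.2/8.8.2; <date>
# where the first number is the program version and the second the config
# file version. Only the first one matters for exploit applicability.
SENDMAIL_BANNER_RE = re.compile(r"Sendmail (\d+(?:\.\d+)*[A-Za-z]?)")

# Affected range for the Leshka exploit, as stated in the text above.
LESHKA_RANGE = ("8.7", "8.8.2")


def sendmail_version(banner):
    """Version string from a 220 greeting, or None if it is not (visibly)
    sendmail. Banners are configurable, so None or a wrong answer is possible."""
    m = SENDMAIL_BANNER_RE.search(banner)
    return m.group(1) if m else None


def leshka_candidate(banner):
    """True / False for a sendmail banner inside / outside the affected range,
    None when the banner gives no version to go on."""
    version = sendmail_version(banner)
    if version is None:
        return None
    return in_range(version, *LESHKA_RANGE)


if __name__ == "__main__":
    for banner in (  # constructed greetings
        "220 mail.example.com ESMTP Sendmail 8.8.2/8.8.2; Tue, 3 Nov 1998 10:00:00 -0700",
        "220 mail.example.com ESMTP Sendmail 8.9.1a/8.9.1; Tue, 3 Nov 1998 10:00:00 -0700",
        "220 mail.example.com ESMTP ready",
    ):
        print(sendmail_version(banner), leshka_candidate(banner))
```

The same version-window check applies to any exploit whose advisory names a range; the only thing that changes is the banner pattern and the range. A None result is a reason to stop, not to try harder: the box may not be running sendmail at all, and a mismatched exploit usually just fills the target's logs with your address.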

 

So remember, an exploit for one operating system or service is unlikely to

work against another operating system. This isn't to say that it definitely

won't...it's just not likely. However, you are pretty much guaranteed that

any Win95 or NT exploit will not work against any kind of Unix.

 

How to Look for Vulnerabilities

 

Now let's start someplace where you are unlikely to get punched in the nose

by looking at some ports on your own computer. You can do this by typing

'netstat -a' at the command prompt.

 

You should see something such as:

 

Active Connections

  Proto  Local Address         Foreign Address       State
  TCP    localhost:1027        0.0.0.0:0             LISTENING
  TCP    localhost:135         0.0.0.0:0             LISTENING
  TCP    localhost:135         0.0.0.0:0             LISTENING
  TCP    localhost:1026        0.0.0.0:0             LISTENING
  TCP    localhost:1026        localhost:1027        ESTABLISHED
  TCP    localhost:1027        localhost:1026        ESTABLISHED
  TCP    localhost:137         0.0.0.0:0             LISTENING
  TCP    localhost:138         0.0.0.0:0             LISTENING
  TCP    localhost:nbsession   0.0.0.0:0             LISTENING
  UDP    localhost:135         *:*
  UDP    localhost:nbname      *:*
  UDP    localhost:nbdatagram  *:*

 

Hhhmm...nothing much going on here. The 'Local Address' (ie, my local

machine) is listening on ports 135, 137, 138, and 'nbsession' (which

translates to port 139...type 'netstat -an' to see just the port numbers,

not the names of the ports). This is okay...those ports are part of

Microsoft networking, and need to be active on the LAN my machine is

connected to. They should not, however, be reachable from the Internet:

anyone who can get to port 139 can try your file shares, so on a dial-up

machine file sharing should be unbound from the dial-up adapter.

 

Now we connect our Web browser to http://www.happyhacker.org and at the same

time run Windows telnet and connect to a shell account at example.com.

Let's see what happens. Here's the output of the 'netstat -a' command,

slightly abbreviated:

 

Active Connections

  Proto  Local Address         Foreign Address       State
  TCP    localhost:1027        0.0.0.0:0             LISTENING
  TCP    localhost:135         0.0.0.0:0             LISTENING
  TCP    localhost:135         0.0.0.0:0             LISTENING
  TCP    localhost:2508        0.0.0.0:0             LISTENING
  TCP    localhost:2509        0.0.0.0:0             LISTENING
  TCP    localhost:2510        0.0.0.0:0             LISTENING
  TCP    localhost:2511        0.0.0.0:0             LISTENING
  TCP    localhost:2514        0.0.0.0:0             LISTENING
  TCP    localhost:1026        0.0.0.0:0             LISTENING
  TCP    localhost:1026        localhost:1027        ESTABLISHED
  TCP    localhost:1027        localhost:1026        ESTABLISHED
  TCP    localhost:137         0.0.0.0:0             LISTENING
  TCP    localhost:138         0.0.0.0:0             LISTENING
  TCP    localhost:139         0.0.0.0:0             LISTENING
  TCP    localhost:2508        zlliks.505.ORG:80     ESTABLISHED
  TCP    localhost:2509        zlliks.505.ORG:80     ESTABLISHED
  TCP    localhost:2510        zlliks.505.ORG:80     ESTABLISHED
  TCP    localhost:2511        zlliks.505.ORG:80     ESTABLISHED
  TCP    localhost:2514        example.com:telnet    ESTABLISHED

 

So what do we see now? Well, there are the ports listening for Microsoft

networking, just like in the first example. And there also are some new

ports listed. Four are connected to 'zlliks.505.org' on port 80, and one to

'example.com' on the telnet port. These correspond to the client

connections that I set up. See, this way you know the name of the computer

that was running the Happy Hacker Web site at this time.

 

But what is with the really high port numbers? Well, remember the

'well-known' ports that we talked about above? Client applications, such as

browsers and telnet clients (clients are programs that connect to servers)

need a port of their own on which to receive the server's replies, so the

operating system gives each new connection an 'ephemeral' port from outside

the 'well-known' range, above 1023. (Windows hands them out in sequence,

which is why the browser's connections are 2508 through 2511 rather than

scattered at random.) In this case, my browser has opened up four

ports...2508 through 2511, one per connection, because a Web page with

pictures on it is fetched over several connections at once.
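The 'services' file described earlier and the netstat listings above are both simple line formats, so here is one added example (not from the original Guide) that serves both passages: it parses a constructed excerpt in the services file format, resolves names such as 'nbsession' to numbers, and then reads the second 'netstat -a' listing above to separate what the machine is listening on from the client connections it has made. The services excerpt is constructed for the example; the netstat text is the listing shown above; all function names are this example's own.

```python
from collections import namedtuple

# Constructed excerpt in the format of the 'services' file (Unix /etc/services,
# c:\windows\services on Win95, ...\drivers\etc\services on NT):
#   name   port/protocol   [aliases...]   [# comment]
SERVICES_TEXT = """\
# constructed excerpt, not a real system's file
chargen      19/tcp    ttytst source
chargen      19/udp    ttytst source
ftp          21/tcp
telnet       23/tcp
smtp         25/tcp    mail
finger       79/tcp
http         80/tcp    www www-http
pop3        110/tcp    pop-3
epmap       135/tcp    loc-srv          # Microsoft RPC endpoint mapper
epmap       135/udp    loc-srv
nbname      137/udp                     # NetBIOS name service
nbdatagram  138/udp                     # NetBIOS datagram service
nbsession   139/tcp                     # NetBIOS session service (file sharing)
"""

# The second 'netstat -a' listing from the text above.
NETSTAT_TEXT = """\
Active Connections

  Proto  Local Address         Foreign Address       State
  TCP    localhost:1027        0.0.0.0:0             LISTENING
  TCP    localhost:135         0.0.0.0:0             LISTENING
  TCP    localhost:135         0.0.0.0:0             LISTENING
  TCP    localhost:2508        0.0.0.0:0             LISTENING
  TCP    localhost:2509        0.0.0.0:0             LISTENING
  TCP    localhost:2510        0.0.0.0:0             LISTENING
  TCP    localhost:2511        0.0.0.0:0             LISTENING
  TCP    localhost:2514        0.0.0.0:0             LISTENING
  TCP    localhost:1026        0.0.0.0:0             LISTENING
  TCP    localhost:1026        localhost:1027        ESTABLISHED
  TCP    localhost:1027        localhost:1026        ESTABLISHED
  TCP    localhost:137         0.0.0.0:0             LISTENING
  TCP    localhost:138         0.0.0.0:0             LISTENING
  TCP    localhost:139         0.0.0.0:0             LISTENING
  TCP    localhost:2508        zlliks.505.ORG:80     ESTABLISHED
  TCP    localhost:2509        zlliks.505.ORG:80     ESTABLISHED
  TCP    localhost:2510        zlliks.505.ORG:80     ESTABLISHED
  TCP    localhost:2511        zlliks.505.ORG:80     ESTABLISHED
  TCP    localhost:2514        example.com:telnet    ESTABLISHED
  UDP    localhost:135         *:*
  UDP    localhost:nbname      *:*
  UDP    localhost:nbdatagram  *:*
"""


def parse_services(text):
    """Return (by_port, by_name): by_port[(port, proto)] -> primary name,
    by_name[(name_or_alias, proto)] -> port. Comments and blanks are skipped."""
    by_port, by_name = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        port_s, proto = fields[1].split("/")
        port = int(port_s)
        by_port.setdefault((port, proto), fields[0])
        for name in [fields[0]] + fields[2:]:
            by_name.setdefault((name, proto), port)
    return by_port, by_name


Socket = namedtuple("Socket", "proto local_host local_port remote state")


def parse_netstat(text, by_name):
    """Parse Windows 'netstat -a' / 'netstat -an' output. Named ports such as
    'nbsession' are resolved via the services table; UDP rows have no State."""
    rows = []
    for raw in text.splitlines():
        f = raw.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue                              # header, blank or title line
        proto = f[0].lower()
        host, port_s = f[1].rsplit(":", 1)
        port = int(port_s) if port_s.isdigit() else by_name[(port_s, proto)]
        state = f[3] if len(f) > 3 else ""
        rows.append(Socket(proto, host, port, f[2], state))
    return rows


def listening_ports(rows, by_port):
    """What the outside world could connect to: TCP sockets in LISTENING and
    every bound UDP socket. Entries are (proto, port, service, range)."""
    found = set()
    for r in rows:
        if (r.proto == "tcp" and r.state == "LISTENING") or r.proto == "udp":
            service = by_port.get((r.local_port, r.proto), "?")
            kind = "well-known" if r.local_port <= 1023 else "high"
            found.add((r.proto, r.local_port, service, kind))
    return sorted(found)


def client_connections(rows):
    """ESTABLISHED connections to other hosts: our side is the ephemeral port,
    the remote side names the server and service we reached."""
    return [(r.local_port, r.remote) for r in rows
            if r.state == "ESTABLISHED" and not r.remote.startswith("localhost:")]


if __name__ == "__main__":
    by_port, by_name = parse_services(SERVICES_TEXT)
    rows = parse_netstat(NETSTAT_TEXT, by_name)
    for entry in listening_ports(rows, by_port):
        print("listening:", entry)
    for entry in client_connections(rows):
        print("client:   ", entry)
```

The listening list is the one to read with a critical eye: every well-known entry on it is a service someone on the other end of your connection can try to talk to, which is exactly the list a port scanner would produce from outside.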

 

Now suppose you want to scan your friend's ports. This is the best way to

scan, as you won't have to worry about your friend getting you kicked off

your ISP for suspicion of trying to break into computers. How do you know

what your friend's IP address is? Ask him or her to run the command (from

the DOS prompt) 'netstat -r'. This shows something like this:

 

C:\WINDOWS>netstat -r

 

Route Table

 

Active Routes:

 

Network Address Netmask Gateway Address Interface Metric

 

Active Connections

 

Proto Local Address Foreign Address State

TCP lovely-lady:1093 mack.foo66.com:smtp ESTABLISHED

 

In the 'Active Routes' table (only its column headings are shown above),

the 'Interface' column gives the current IP address of your computer, and on

a dial-up connection the 'Gateway Address' of the default route is usually

that same address. If you are on a LAN, the gateway should be different

from your own computer's IP address: it is the router's address, not yours.

('winipcfg' on Win95 and 'ipconfig' on NT print the same information more

directly.) If you or your friend are on a LAN, however, you should think

twice before port scanning each other, or the LAN's sysadmin may notice your

activity. Warning, sysadmins have quite an arsenal of larts to use on

suspicious-acting users.

 

************************************************************

Newbie note: Lart? What the heck is a lart? It is a "luser attitude

readjustment tool." This is a generic class of techniques used by sysadmins

to punish lusers. What is a luser? A wayward user. To get a sampling of

popular larts, see http://mrjolly.cc.waikato.ac.nz. You want your sysadmins

to be your FRIENDS, right? Never forget this!

************************************************************

 

What are some of the vulnerabilities to win95 and NT, you ask? Check

previous GTMHHs for this information. Perhaps the most important thing to

remember about Windows is that any user (on Win95 every user is, in effect,

equal to root in Unix) can run a program that listens on any port it wants,

even a well-known port, whereas on Unix only root can bind a port below

1024. This behaviour is demonstrated by a program from Weld Pond of L0pht

fame called 'netcat'. The program can be obtained from:

 

http://www.l0pht.com/~weld/netcat

 

Read the documentation that ships with the program, or the Guides on (a)

win95 and telnet from:

 

http://www.happyhacker.org/gtmhh.shtml

 

or (b) NT security from:

 

http://www.infowar.com/hacker/hacker.html-ssi

 

...for information on uses of netcat.

 

Of course, various Windows applications, such as Internet Explorer, have

their own vulnerabilities.

 

By now, you're probably wondering where you can learn more about various

vulnerabilities and exploits for just about any computer you might find on

the Internet. Here is a list of sites:

 

ISS X-Force

http://www.iss.net/xforce

 

RootShell

http://www.rootshell.com

 

TechnoTronic

http://www.technotronic.com

 

Packet Storm Security Site

http://www.Genocide2600.com/~tattooman/index.shtml

 

Bugtraq archives:

http://www.netspace.org/lsv-archive/bugtraq.html

 

NTBugTraq

http://www.ntbugtraq.com

 

Aelita Software

http://www.ntsecurity.com

**This site has the RedButton program, which demonstrates the capability to

connect to an NT machine via a null session and retrieve registry

information. This is a relatively simple problem to fix...see the NT

security Guides at: http://www.infowar.com/hacker/hacker.html-ssi

 

NTSecurity

http://www.ntsecurity.net

 

Active Matrix's HideAway

http://www.hideaway.net/exploits.html

 

CERT

http://www.cert.org

 

________________________________________________________

Where are those back issues of GTMHHs and Happy Hacker Digests? Check out

the official Happy Hacker Web page at http://www.happyhacker.org.

We are against computer crime. We support good, old-fashioned hacking of the

kind that led to the creation of the Internet and a new era of freedom of

information. But we hate computer crime. So don't email us about any crimes

you may have committed!

To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless

Hacking, please email [email protected] with message "subscribe

happy-hacker" in the body of your message.

Copyright 1998 keydet89 and Carolyn Meinel. You may forward, print out or

post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you

leave this notice at the end.

_________________________________________________________

Carolyn Meinel

M/B Research -- The Technology Brokers

http://techbroker.com

_________________________________________________________________________
