Breaking into Computer Networks from the Internet

Document Description
An ebook/guide on hacking, "Breaking into Computer Networks from the Internet.pdf"; it contains a very concise explanation of hacking via the network. Here you will be presented with various tips on hacking, tools, gate, TCP/IP, networking, Linux hacks, Windows hacks, servers etc.
File Details
  • Added: May, 10th 2010
  • Reads: 424
  • Downloads: 71
  • File size: 1.25mb
  • Pages: 82
  • Tags: hacking, network programming, security
Content Preview




Breaking into computer
networks from the Internet.


roelof@sensepost.com

2000/12/31 First run
2001/07/01 Updated a bit
2001/09/20 Added Trojans



© 2000,2001 Roelof Temmingh & SensePost (Pty) Ltd

- 1 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]



Chapter 0: What is this document about anyway?.........................................................4
Chapter 1: Setting the stage. ..........................................................................................5
Permanent connection (leased line, cable, fiber) .......................................................6
Dial-up .......................................................................................................................6
Mobile (GSM) dial-up ...............................................................................................6
How to........................................................................................................................7
Using the 'net .............................................................................................................8
Other techniques ........................................................................................................9
Chapter 2: Mapping your target...................................................................................10
Websites, MX records…DNS! ................................................................................10
RIPE, ARIN, APNIC and friends ............................................................................13
Routed or not?..........................................................................................................16
Traceroute & world domination...............................................................................16
Reverse DNS entries ................................................................................................17
Summary ..................................................................................................................18
Chapter 3: Alive & kicking ? .......................................................................................24
Unrouted nets, NAT.................................................................................................24
Ping - ICMP .............................................................................................................25
Ping -TCP (no service, wrappers, filters).................................................................26
Method1 (against stateful inspection FWs) .........................................................26
Method2 (against stateless Firewalls)..................................................................29
Summary ..................................................................................................................30
Before we go on .......................................................................................................30
Chapter 4 : Loading the weapons.................................................................................30
General scanners vs. custom tools ...........................................................................31
The hacker's view on it (quick kill example)...........................................................31
Hacker's view (no kill at all) ....................................................................................34
Chapter 5: Fire!............................................................................................................36
Telnet (23 TCP) .......................................................................................................36
HTTP (80 TCP)........................................................................................................38
HTTPS (SSL2) (443 TCP).......................................................................................40
HTTPS (SSL3) (443 TCP).......................................................................................41
HTTP + Basic authentication...................................................................................43
Data mining..............................................................................................................44
Web based authentication. .......................................................................................45
Tricks ...................................................................................................................47
ELZA & Brutus....................................................................................................48
IDS & webservers....................................................................................................48
Pudding ....................................................................................................................49
Now what? ...............................................................................................................50
What to execute?..................................................................................................53
SMTP (25 TCP) .......................................................................................................54
FTP (21 TCP + reverse)...........................................................................................55
DNS (53 TCP,UDP).................................................................................................57
Finger (79 TCP) .......................................................................................................59
NTP (123 UDP) .......................................................................................................61
RPC & portmapper (111 TCP + other UDP)...........................................................61
TFTP (69 UDP)........................................................................................................63
SSH (22 TCP) ..........................................................................................................64



POP3 (110 TCP) ......................................................................................................64
SNMP (161 UDP) ....................................................................................................65
Proxies (80,1080,3128,8080 TCP)...........................................................................66
X11 (6000 TCP).......................................................................................................67
R-services (rshell, rlogin) (513,514 TCP)................................................................68
NetBIOS/SMB (139 TCP) .......................................................................................68
Chapter 6 : Now what? ................................................................................................70
Windows ..................................................................................................................70
Only port 139 open - administrator rights............................................................71
Port 21 open .........................................................................................................71
Port 80 open and can execute...............................................................................71
Port 80 and port 139 open....................................................................................74
What to execute?..................................................................................................74
Unix..........................................................................................................................76
What to execute?..................................................................................................76
Things that do not fit in anywhere - misc. ...............................................................76
Network level attack - Source port 20,53 ............................................................77
HTTP-redirects ....................................................................................................77
Other Topics.................................................................................................................78
Trojans (added 2001/09) ..........................................................................................78



Chapter 0: What is this document about anyway?
While I was writing this document a book, "Hack Proofing Your Network", was
released. I haven't been able to read it (dunno if it's in print yet, and
besides, everything takes a while to get to South Africa). I did however
read the first chapter, as it is available to the public. In this chapter
the author writes about different views on IT security: hackers, crackers,
script kiddies and everything in between. I had some thoughts about this and
decided that it was a good starting point for this document.
I want to simplify the issue: let us forget motives for the moment, and
simply look at the different characters in this play. To do this we will
look at a real world analogy. Let us assume the ultimate goal is breaking
into a safe (the safe is a database, a password file, confidential records
or whatever). The safe is located inside a physical building (the
computer that hosts the data). The building is located inside a town (the
computer is connected to a network). There is a path/highway leading to the
town, and the path connects the town to other towns and/or cities (read:
Internet/Intranet). The town/city is protected by a tollgate or an
inspection point (the network is protected by a firewall, screening router
etc.). There might be certain residents (the police) in the town looking for
suspicious activity and reporting it to the town's mayor (the police being
an IDS, reporting attacks to the sysadmin). Buildings have their own
protection methods: locks, chains and access doors (on-host firewalling, TCP
wrappers, usernames and passwords). The analogy can be extended to very
detailed levels, but that is not the idea.
In this world there are the ones that specialize in building or safe
cracking. They are not concerned with the tollgates or the police. They are
lock-picking experts, be it the locks of the house or of the safe. They buy
a similar safe, put it in their labs and spend months analyzing it. At the
end of this period they write a report on this particular safe; they
contact the manufacturer, and might even build a tool that can assist in
breaking the safe. Maybe they don't even manage to crack the safe;
they might just provide ways to determine the type of metal the safe is made
of, which might be interesting on its own. These people are the toolmakers,
the Bugtraq 0-day report writers, the people that other hackers consider to
be fellow hackers.
And the rest? The rest are considered to be tool users, a.k.a. script
kiddies. They are portrayed as those rushing into towns, looting and
throwing bricks through windows, bricks that were made by the toolmakers
mentioned in the previous paragraph. They don't have any idea of the inner
workings of these tools. They are portrayed as those that ring the doorbell
and then run away, just to do it a trillion times a day; those that steal
liquor from the village restaurant to sell it in their own twisted village.
A scary and dangerous crowd.
Is there nothing in between these groups of people? Imagine a person with a
toolbox with over a thousand specialized tools in it. He knows how to use
every one of these tools and what tool to use in what situation. He can make
some changes to these tools, not major changes, but he can mold a tool for
a specific occasion. He knows exactly where to start looking for a safe: in
which town, in what building. He knows of ways to slip into the town totally
undetected, with no real ID. He knows how to inspect the safe, use the
correct tools, take the good stuff and be out of town before anyone detects
it. He has an X-ray machine to look inside a building, yet he does not know
the inner workings of the machine. He will use any means possible to get to
the safe, even if it means paying bribes to the mayor and police to turn a
blind eye. He has a network of friends that includes tool builders,
connections in "script kiddie" gangs and those that build the road to the
town. He knows the fabric of the buildings, the roads, the safes and the
servants inside the buildings. He is very agile and can hop from village to
city to town. He has safe deposit boxes in every city and an ultra modern
house at the coast. He knows ways of getting remote control surveillance


devices into the very insides of security complexes, and yet he does not
know the intricacies of the device itself. He knows the environment, he
knows the principles of this world and everything that lives inside the
world. He is not focused on one device/safe/building/tollgate but
understands all the issues surrounding the objects. Such a person is not a
toolmaker, neither is he a script kiddie, yet he is regarded as a Script
Kiddie by those who call themselves "hackers", and as such he has no real
reason for existence.
This document is written for the in-between group of people. Toolmakers will
frown upon this document and yet it may provide you with some useful insight
(even if only to improve the tools you manufacture). It attempts to provide a
methodology for hacking. It attempts to answer the "how to" question, not the
"why" or the "who". It completely sidesteps the moral issue of hacking; it
also does not address the issue of hackers/crackers/black hats/gray
hats/white hats. It assumes that you have been in this industry long enough
to be beyond the point of worrying about it. It does not try to make any
excuses for hacking; it does not try to pretend that hacking is an
interesting pastime. The document is written for the serious cyber
criminal. All of this sounds a bit hectic and harsh. The fact of the matter
is that sysadmins, security consultants, and IT managers will find this
document just as interesting as cyber criminals will. Looking at your
network and IT infrastructure from a different viewpoint could give you a
lot of insight into REAL security issues (this point has been made over and
over and over and I really don't want to spend my time explaining it again
[full disclosure blah blah whadda whadda wat wat]).
A note to the authors of the book "Hack Proofing Your Network": I truly
respect the work that you have done and are doing (even though I have not
read your book, I see your work every now and again). This document will go
on the Internet free of charge; this document does NOT try to be a cheap
imitation of what you have done, and it does not in any way try to be a
substitute (I am a tool user, whereas you are tool writers...remember? :) )
Before we start, a few prerequisites for reading this document. Unless you
want to feel a bit left in the cold you should have knowledge of the
following:
1. Unix (the basics, scripting, AWK, PERL, etc.)
2. TCP/IP (routing, addressing, subnetting etc.)
3. The Internet (the services available on the 'net, e.g. DNS, FTP, HTTP,
SSH, telnet etc.)
4. Experience in IT security (packetfiltering, firewalling, proxies etc.)
I have written this document over a rather long period of time. Sites and
tools could be outdated by the time you read this. I wrote the document with
no prior knowledge about the "targets". You will find that in many cases I
make assumptions that are later found not to be true. Reading through the
text will thus provide you with an unedited view of the thought processes
that I had.
Chances are very good that I am talking a load of bullshit at times; if you
are a terminology expert, and I have used your pet word in the wrong context,
I am really sorry; it won't ever happen again. Now please leave. In the
case that I totally go off track on technical issues, please let me know.
Also my English sucks, so if I lose track of the language please bear with
me; I tried to write it in simple words. This is not an academic paper!!
Chapter 1: Setting the stage.
Before you can start to hack systems you need a platform to work from. This
platform must be stable and not easily traceable. How does one become
anonymous on the Internet? It is not that easy. Let us look at the



different options (BTW if this chapter does not seem relevant you might want
to skip it):
Permanent connection (leased line, cable, fiber)
The problem with these connections is that they need to be installed by your
local Telecom at premises where you are physically located. Most ISPs want
you to sign a contract when you install a permanent line, and ask for
identification papers. So, unless you can produce false identification
papers, company papers etc., and have access to a building that cannot be
directly tied to your name, this is not a good idea.
Dial-up
Many ISPs provide "free dial-up" accounts. The problem is that logs are
kept, either at the ISP or at the Telecom, of calls that were made. At the ISP
side this is normally done using RADIUS or TACACS. The RADIUS server will
record the time that you dialed in, the connection speed, the reason for
disconnecting, the time that you disconnected and the userID that you used.
Armed with this information the Telecom can usually provide the source number
of the call (YOUR number). For the Telecom to pinpoint the source of the
call they need the destination number (the number you called), the time the
call was placed and the duration of the call. In many cases, the Telecom
need not be involved at all, as the ISP records the source number themselves
via Caller Line Identification (CLI).
Let us assume that we find the DNS name "c1-pta-25.dial-up.net" in our logs
and we want to trace the attacker. We also assume that the ISP does not
support caller line identification, and that the attacker was using a
compromised account. We contact the ISP to find out what the destination
number would be for a DNS name like that. The ISP provides the number, e.g.
+27 12 664 5555. It's a hunting line, meaning that there is one number with
many phone lines connected to it. We also tell the ISP the time and date the
attack took place (from our log files). Let us assume the attack took place
on 2000/8/2 at 17h17. The RADIUS server tells us what userID was used, as
well as the time it was connected (these are typical logs):
6774138 2000-08-02 17:05:00.0 2000-08-02 17:25:00.0 demo1 icon.co.za
168.209.4.61 2 Async 196.34.158.25 52000 1248 00010 B6B 87369 617378 null 11
These logs tell us that user "demo1" was connected from 17h05 to 17h25 on
the date the attack took place. It was dialing in at a speed of 52kbps, it
sent 87369 bytes, and received 617378 bytes. We now have the start time of
the call, the destination number and the duration of the call (20 minutes).
The Telecom will supply us with the source number as well as account details,
e.g. the physical location. As you can see, phoning from your house to an ISP
(even using a compromised or free ID) does not make any sense.
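The RADIUS lookup above worked through in code, as an added example that is not part of the original document: it parses the sample accounting line, finds the session that was up at 17h17, and assembles the three facts the Telecom needs. The field positions for the NAS address, the client address and the byte counters are assumptions matched to the page's own reading of the line.

```python
"""Correlate an attack timestamp with an ISP RADIUS accounting record.

Added example, not part of the original document. The field layout is an
assumption matched to the single sample line on the page: record id, session
start (date, time), session stop (date, time), userID, realm, NAS address,
port, port type, client address, speed, then counters with bytes sent and
received in the 16th and 17th fields (the page's reading of the line).
"""
from datetime import datetime
from typing import List, NamedTuple

# Sample accounting record, copied from the page.
RADIUS_LOG = (
    "6774138 2000-08-02 17:05:00.0 2000-08-02 17:25:00.0 demo1 icon.co.za "
    "168.209.4.61 2 Async 196.34.158.25 52000 1248 00010 B6B 87369 617378 null 11"
)

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


class Session(NamedTuple):
    record_id: str
    start: datetime
    stop: datetime
    user: str
    realm: str
    nas_ip: str        # assumed: the access server the call landed on
    client_ip: str     # assumed: the address handed to the dial-up client
    speed_bps: int
    bytes_sent: int
    bytes_received: int

    @property
    def duration_minutes(self) -> int:
        return int((self.stop - self.start).total_seconds() // 60)

    def covers(self, when: datetime) -> bool:
        """True if the session was up at the given instant."""
        return self.start <= when <= self.stop


def parse_radius_record(line: str) -> Session:
    """Split one whitespace-separated accounting line into a Session."""
    f = line.split()
    if len(f) < 17:
        raise ValueError("record too short: %r" % line)
    return Session(
        record_id=f[0],
        start=datetime.strptime(f"{f[1]} {f[2]}", TS_FMT),
        stop=datetime.strptime(f"{f[3]} {f[4]}", TS_FMT),
        user=f[5], realm=f[6], nas_ip=f[7], client_ip=f[10],
        speed_bps=int(f[11]), bytes_sent=int(f[15]), bytes_received=int(f[16]),
    )


def sessions_active_at(log_text: str, attack_time: str) -> List[Session]:
    """Every session that was connected at attack_time ("YYYY-MM-DD HH:MM").

    This is the lookup the page describes: the time from the victim's logs
    picks out the userID and the exact connection window.
    """
    when = datetime.strptime(attack_time, "%Y-%m-%d %H:%M")
    records = [parse_radius_record(l) for l in log_text.splitlines() if l.strip()]
    return [s for s in records if s.covers(when)]


def telecom_request(session: Session, destination_number: str) -> dict:
    """The three facts the Telecom needs to resolve the calling number."""
    return {
        "destination": destination_number,
        "call_start": session.start.strftime("%Y-%m-%d %H:%M:%S"),
        "duration_minutes": session.duration_minutes,
    }


if __name__ == "__main__":
    for s in sessions_active_at(RADIUS_LOG, "2000-08-02 17:17"):
        print(s.user, s.client_ip, telecom_request(s, "+27 12 664 5555"))
```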
Mobile (GSM) dial-up
Maybe using a GSM mobile phone will help? What can the GSM mobile service
providers extract from their logs? What is logged? A lot, it seems. GSM
switches send raw logging information to systems that crunch the data into
what is called Call Data Records (CDRs). More systems crunch CDRs into SCDRs
(Simple CDRs). The SCDRs are sent to the various providers for billing. What
does a CDR look like? Here is an example of a broken down CDR:
99042300000123000004018927000000005216003
27834486997
9903220753571830
834544204
000001MOBILE000
0000001000000000000000000



AIRTIME1:24
20377
UON0000T11L
MTL420121414652470
This tells us the date and time the call was placed (1st string), the
source number (+27 83 448 6997), the destination number (834544204), that it
was made from a mobile phone, the duration of the call (1 minute 24
seconds), the cellID (20377), the three letter code for the service provider
(MTL = Mtel in this case), and the unique mobile device number (IMEI number)
420121414652470. Another database can quickly identify the location
(long/lat) of the cell. This database typically looks like this:
20377
25731
-26.043059
28.011393
120
32
103
"Didata Oval uCell","Sandton"
From this database we can see the exact longitude and latitude of the
cell (in this case in the middle of Sandton, Johannesburg) and the
description of the cell. The call was thus placed from the Dimension Data
Oval in Sandton. Other databases provide the account information for the
specific source number. It is important to note that the IMEI number is also
logged: using your phone to phone your mother, then switching SIM cards,
moving to a different location and hacking the NSA with the same device is
not bright. The IMEI number stays the same, and links you to
all other calls that you have made. Building a profile is very easy and
you'll be nailed in no time.
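The CDR walk-through above in code, as an added example that is not from the original document: it decodes the broken-down CDR fields the text explains, resolves the cellID against the cell database, and groups records by IMEI to show how one handset ties several source numbers together. The per-line field layout and the second cell-database row are assumptions.

```python
"""Decode the broken-down GSM CDR shown on the page and resolve its cell.

Added example, not part of the original document. The per-line layout is an
assumption based on the page's own walk-through of the record: line 2 is the
source number, line 4 the destination, line 5 the MOBILE marker, the AIRTIME
line the duration, line 8 the cellID, and the last line the provider code
followed by the IMEI. The first timestamp field is kept raw because the page
does not spell out its encoding. The cell database holds the page's row plus
one constructed row.
"""
import csv
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# The broken-down CDR, one field per line, as printed on the page.
CDR_LINES = [
    "99042300000123000004018927000000005216003",
    "27834486997",
    "9903220753571830",
    "834544204",
    "000001MOBILE000",
    "0000001000000000000000000",
    "AIRTIME1:24",
    "20377",
    "UON0000T11L",
    "MTL420121414652470",
]

# cellID, (unknown), latitude, longitude, three numeric columns, description, area.
# First row from the page; second row constructed for this example.
CELL_DB = """\
20377 25731 -26.043059 28.011393 120 32 103 "Didata Oval uCell","Sandton"
20390 25731 -26.107000 28.056000 120 32 103 "Constructed Example uCell","Sandton"
"""


@dataclass
class CallRecord:
    raw_timestamp: str
    source_msisdn: str
    destination: str
    from_mobile: bool
    duration_s: int
    cell_id: str
    provider: str
    imei: str


def parse_cdr(lines: List[str]) -> CallRecord:
    """Pick the fields the page explains out of a broken-down CDR."""
    airtime = next(l for l in lines if l.startswith("AIRTIME"))
    minutes, seconds = airtime[len("AIRTIME"):].split(":")
    # Trailing field: three-letter provider code + 15-digit IMEI.
    m = re.fullmatch(r"([A-Z]{3})(\d{15})", lines[-1])
    if m is None:
        raise ValueError("unexpected provider/IMEI field: %r" % lines[-1])
    return CallRecord(
        raw_timestamp=lines[0],
        source_msisdn="+" + lines[1],
        destination=lines[3],
        from_mobile="MOBILE" in lines[4],
        duration_s=int(minutes) * 60 + int(seconds),
        cell_id=lines[7],
        provider=m.group(1),
        imei=m.group(2),
    )


def load_cell_db(text: str) -> Dict[str, dict]:
    """Index the whitespace/CSV mixed cell table by cellID."""
    cells = {}
    for row in text.splitlines():
        if not row.strip():
            continue
        parts = row.split(maxsplit=7)          # last part is the quoted CSV tail
        description, area = next(csv.reader([parts[7]]))
        cells[parts[0]] = {
            "lat": float(parts[2]), "lon": float(parts[3]),
            "description": description, "area": area,
        }
    return cells


def locate_call(record: CallRecord, cells: Dict[str, dict]) -> Optional[dict]:
    """Map the cellID logged in the CDR to the cell's coordinates and name."""
    return cells.get(record.cell_id)


def group_by_imei(records: List[CallRecord]) -> Dict[str, List[str]]:
    """The profiling step the page warns about: the handset (IMEI) ties
    together every source number it was ever used with."""
    by_imei = defaultdict(list)
    for r in records:
        if r.source_msisdn not in by_imei[r.imei]:
            by_imei[r.imei].append(r.source_msisdn)
    return dict(by_imei)


if __name__ == "__main__":
    rec = parse_cdr(CDR_LINES)
    print(rec)
    print(locate_call(rec, load_cell_db(CELL_DB)))
```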
Using timing advance and additional tracking cells, it is theoretically
possible to track you down to a resolution of 100 meters, but as the switches
only keep these logs for 24 hours, it is usually done in real time with
other tracking devices, and only in extreme situations. Bottom line: even
if you use a GSM mobile phone as a modem device, the GSM service providers
know a lot more about you than you might suspect.
How to
So how do we use dial in accounts? It seems that having a compromised dial
in account does not help at all, but common sense goes a long way. Suppose
you used a landline, and they track you down to someone that does not even
own a computer? Or to the PABX of a business? Or to a payphone? Keeping all
of the above in mind, here is a list of notes (all kinda common sense):
Landlines:
1. Tag your notebook computer, modem and croc-clips along to a DP
(distribution point). These are found all around - it is not discussed
in detail here as it differs from country to country. Choose a random
line and phone.
2. In many cases one can walk into a large corporation with a notebook
and a suit with no questions asked. Find any empty office, sit down,
plug in and dial.
3. etc...use your imagination
GSM:
1. Remember that the device number (IMEI) is logged (and it can be
blocked). Keep this in mind! The ultimate would be to use a single
device only once. Never use the device in a location that is linked
to you (e.g. a microcell inside your office).



2. Try to use either a very densely populated cell (shopping malls) or a
location where there is only one tracking cell (like close to the
highway) as it makes it very hard to do spot positioning. Moving
around while you are online also makes it much harder to track you
down.
3. Use prepaid cards! For obvious reasons you do not want the source
number to point directly to you. Prepaid cards are readily available
without any form of identification. (note: some prepaid cards do not
have data facilities, so find out first)
4. GSM has data limitations - currently the maximum data rate is 9600bps.
Using the 'net
All of this seems like a lot of trouble. Is there not an easier way of
becoming anonymous on the Internet? Indeed, there are many ways to skin a
cat. It really depends on what type of connectivity you need. Let's assume
all you want to do is send anonymous email (I look at email specifically
because many of the techniques involved can be used for other services such
as HTTP, FTP etc.). How difficult could it be?
For many individuals it seems that registering a fake Hotmail, Yahoo etc.
account and popping a flame email to an unsuspecting recipient is the way to
go. Doing this could land you in a lot of trouble. Let's look at the header
of an email originating from Yahoo:
Return-Path: <r_h@yahoo.com>
Received: from web111.yahoomail.com (web111.yahoomail.com [205.180.60.81])
by wips.sensepost.com (8.9.3/1.0.0) with SMTP id MAA04124
for <roelof@sensepost.com>; Sat, 15 Jul 2000 12:35:55 +0200 (SAST)
(envelope-from r_h@yahoo.com)
Received: (qmail 636 invoked by uid 60001); 15 Jul 2000 10:37:15 -0000
Message-ID: <20000715103715.635.qmail@web111.yahoomail.com>
Received: from [196.34.250.7] by web111.yahoomail.com; Sat,
15 Jul 2000 03:37:15 PDT
Date: Sat, 15 Jul 2000 03:37:15 -0700 (PDT)
From: RH <r_h@yahoo.com>
Subject: Hello
To: roelof@sensepost.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
The mail header tells us that our mailserver (wips.sensepost.com) received the
email via SMTP from the web-enabled mailserver (web111.yahoomail.com). It
also tells us that the web-enabled mailserver received the mail via HTTP
(the web) from the IP number 196.34.250.7. It is thus possible to trace the
email to the originator. Given the fact that we have the time the webserver
received the mail (over the web) and the source IP, we can use the techniques
explained earlier to find the person who was sending the email. Most free
web enabled email services include the client source IP (a list of free email
providers is at www.fepg.net).
How to overcome this? There are some people that think that one should be
allowed to surf the Internet totally anonymously. An example of these people
is Anonymizer.com (www.anonymizer.com). Anonymizer.com allows you to enter a
URL into a text box. It then proxies all connections to the specified
destination. Anonymizer claims that they only keep hashes (one way
encryption, cannot be reversed) of logs. According to documentation on the
Anonymizer website there is no way that even they can determine your source
IP. Surfing to Hotmail via Anonymizer thus changes the IP address in the mail
header.
But beware. Many ISPs make use of technology called transparent proxy
servers. These servers are normally located between the ISP's clients and
their main feed to the Internet. These servers pick up on HTTP requests,
change the source IP to their own IP and do the reverse upon receiving the
return packet. All of this is totally transparent to the end user, therefore



the name. And the servers keep logs. Typically the servers cannot keep logs
forever, but the ISP could be backing up logs for analysis. If I were
tasked to find a person that sent mail via Hotmail and Anonymizer I would
ask for the transparent proxy logs for the time the user was connected to
the web-enabled mailserver, and search for connections to Anonymizer. With
any luck it would be the only connection to Anonymizer in that time
frame. Although I won't be able to prove it, I would find the source IP
involved.
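The header tracing and the proxy-log correlation described in the two passages above, as an added example (not code from the original document): it walks the Received: lines down to the client the webmail server saw and the time it received the message, then searches a transparent-proxy log for connections to the anonymizing proxy in that window. The header is the page's Yahoo sample re-folded; the proxy log format and its lines are constructed.

```python
"""Trace a webmail message back to its originating IP, then search a
transparent-proxy log for the Anonymizer connection in that time window.

Added example, not part of the original document. The header is the page's
Yahoo sample, re-folded; the proxy log format (ISO timestamp, client IP,
method, URL) and its lines are constructed for this example.
"""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import List, NamedTuple, Optional

SAMPLE_HEADER = """\
Return-Path: <r_h@yahoo.com>
Received: from web111.yahoomail.com (web111.yahoomail.com [205.180.60.81])
  by wips.sensepost.com (8.9.3/1.0.0) with SMTP id MAA04124
  for <roelof@sensepost.com>; Sat, 15 Jul 2000 12:35:55 +0200 (SAST)
  (envelope-from r_h@yahoo.com)
Received: (qmail 636 invoked by uid 60001); 15 Jul 2000 10:37:15 -0000
Message-ID: <20000715103715.635.qmail@web111.yahoomail.com>
Received: from [196.34.250.7] by web111.yahoomail.com; Sat,
  15 Jul 2000 03:37:15 PDT
Date: Sat, 15 Jul 2000 03:37:15 -0700 (PDT)
From: RH <r_h@yahoo.com>
Subject: Hello
To: roelof@sensepost.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

"""

# Constructed transparent-proxy log (UTC). 192.0.2.0/24 is documentation space.
PROXY_LOG = """\
2000-07-15T10:31:05+0000 192.0.2.17 GET http://www.cnn.com/
2000-07-15T10:34:40+0000 192.0.2.45 GET http://www.anonymizer.com/
2000-07-15T10:36:02+0000 192.0.2.45 GET http://www.anonymizer.com/cgi-bin/redirect.cgi?url=http://www.yahoo.com/
2000-07-15T10:36:50+0000 192.0.2.17 GET http://www.yahoo.com/
2000-07-15T08:10:00+0000 192.0.2.9 GET http://www.anonymizer.com/
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


class Hop(NamedTuple):
    ip: Optional[str]           # address the receiving server saw, if recorded
    by: Optional[str]
    when_utc: Optional[datetime]


def parse_received(value: str) -> Hop:
    """Extract source address, receiving host and UTC timestamp from one Received: value."""
    value = " ".join(value.split())             # unfold continuation lines
    ip = IP_RE.search(value)
    by = re.search(r"\bby ([^\s;]+)", value)
    when = None
    if ";" in value:
        when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        if when.tzinfo is None:                 # "-0000" yields a naive value
            when = when.replace(tzinfo=timezone.utc)
        when = when.astimezone(timezone.utc)
    return Hop(ip.group(1) if ip else None, by.group(1) if by else None, when)


def received_hops(raw_header: str) -> List[Hop]:
    """Received: lines in header order, i.e. last hop first."""
    msg = message_from_string(raw_header)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def trace_origin(raw_header: str) -> Hop:
    """The bottom-most Received: line carrying an address is the client the
    webmail server saw, together with the time it received the message."""
    for hop in reversed(received_hops(raw_header)):
        if hop.ip:
            return hop
    raise ValueError("no Received line with a source address")


def anonymizer_clients(log_text: str, centre: datetime,
                       window: timedelta = timedelta(minutes=5),
                       host: str = "anonymizer.com") -> List[str]:
    """Client addresses that reached the anonymizing proxy around `centre`."""
    lo, hi = centre - window, centre + window
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, client, _method, url = line.split(maxsplit=3)
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z")
        if lo <= ts <= hi and host in url:
            hits.add(client)
    return sorted(hits)


if __name__ == "__main__":
    origin = trace_origin(SAMPLE_HEADER)
    print("webmail saw", origin.ip, "at", origin.when_utc)
    print("proxy clients to anonymizer:", anonymizer_clients(PROXY_LOG, origin.when_utc))
```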
Another way of tackling the problem is anonymous remailers. These
mailservers will change your source IP and your <from> field, and might relay
the mail with a random delay. In many cases these remailers are daisy
chained together in a random pattern. The problem with remailers is that
many of them do keep logs of incoming connections. Choosing the initial
remailer can become an art. Remailers usually have to provide logfiles at
the request of the local government. The country of origin of the remailer
is thus very important as cyberlaw differs from country to country. A good
summary of remailers (complete with listings of remailers) can be found at
www.cs.berkeley.edu/~raph/remailer-list.html.
Yet another way is to make use of servers that provide free Unix shell
accounts. You can telnet directly to these servers (some provide SSH
(encrypted shell) access as well). Most of the free shell providers also
provide email facilities, but limit shell capabilities, e.g. you can't
telnet from the free shell server to another server. In 99% of the cases
connections are logged, and logs are kept in backup. A website that lists
most free shell providers is to be found at
www.leftfoot.com/freeshells.html. Some freeshell servers provide more shell
functionality than others; consult the list for detailed descriptions.
How do we combine all of the above to send email anonymously? Consider this:
I SSH to a freeshell server. I therefore bypass the transparent proxies,
and my communication to the server is encrypted and thus invisible to people
that might be sniffing my network (locally or anywhere). I use lynx (a text
based web browser) to connect to an Anonymizer service. From the Anonymizer
I connect to a free email service. I might also consider a remailer located
somewhere in Finland. 100% safe?
Even when using all of the above measures I cannot be 100% sure that I cannot
be traced. In most cases logs are kept of every move you make. Daisy chaining
and hopping between sites and servers does make it hard to be traced, but
not impossible.
Other techniques
1. The cybercafe is your friend! Although cybercafes are stepping up
their security measures, it is still relatively easy to walk into a
cybercafe without any form of identification. Sit down, and surf to
hotmail.com - no one would notice, as everyone else is doing exactly
the same thing. Compose your email and walk out. Do not become a
regular! Never visit the scene of the crime again. When indulging in
other activities such as telnetting to servers or doing a full blast
hack, cybercafes should be avoided, as your activity can raise suspicion
with the administrators.
2. Search for proxy-like services. Here I am referring to things like
WinGate servers. The WinGate server runs on a Microsoft platform and is
used as a proxy server for a small network (read SOHO environment with
a dial-up link). In many cases these servers are not configured
correctly and will allow anyone to proxy/relay via them. These servers
do not keep any logs by default. Hopping via WinGate servers is so
popular that lists of active WinGates are published
(www.cyberarmy.com/lists/wingate/).
3. With some experience you can hop via open routers. Finding open
routers is very easy - many routers on the Internet are configured
with default passwords (a list of default passwords is to be found at
www.nerdnet.com/security/index.php). Doing a host scan with port 23
(later more on this) in a "router subnet" would quickly reveal valid
candidates. In most of the cases these routers are not configured to
log incoming connections, and they provide excellent stepping-stones to
freeshell servers. You might also consider daisy chaining them
together for maximum protection.

- 9 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]

4. Change the communication medium. Connect to an X.25 PAD via a XXX
service. Find the DTE of a dial-out X.25 PAD. Dial back to your local
service provider. Your telephone call now originates from e.g. Sweden.
Confused? See the section on X.25 hacking later in the document. The
exact same principle can be applied using open routers (see point 3).
Some open routers listen on high ports (typically 2001, 3001, X001) and
drop you directly into the AT command set of a dial-out modem. Get
creative.
The best way to stay anonymous and untraceable on the Internet would be a
creative mix of all of the above-mentioned techniques. There is no easy way
to be 100% sure all of the time that you are not traceable. The nature of
the "hack" should determine how many "stealth" techniques should be used.
Doing a simple portscan of a university in Mexico should not dictate that
you use 15 hops and 5 different mediums.
Chapter 2: Mapping your target
Once you have your platform in good working order, you will need to know as
much as possible about your target. In this chapter we look at "passive"
ways to find information about the target. The target might be a company, an
organization or a government. Where do you start your attack? This first
step is gaining as much information as possible about the target - without
them knowing that you are focussing your sniper scope on them. All these
methods involve tools, web sites and programs that are used by the normal
law-abiding netizen.
Websites, MX records…DNS!
For the purpose of this document, let us assume that we want to attack
CitiBank (no hard feelings, CitiBank). We begin by looking at the very
obvious - www.citibank.com. You would be amazed by the amount one can learn
from an official webpage. From the website we learn that Citibank has a
presence in many countries. Knowing that Citibank has offices in Belgium,
we check the address of www.citibank.be and the Malaysian office
www.citibank.com.my. The IP addresses are different - which means that each
country's Citibank website is hosted inside the specific country. The website
lists all the countries that Citibank operates in. We take the HTML source
code, and try to find the websites in each country. Having a look around
leaves us with 8 distinct countries. Maybe XXX.citibank.XXX is registered in
the other countries? Doing a simple "host www.citibank.XXX" (scripted with
all country codes and with .com and .co sub extensions of course) reveals
the following sites:
www.citibank.as
www.citibank.at
www.citibank.be
www.citibank.ca
www.citibank.cc
www.citibank.ch
www.citibank.cl
www.citibank.co.at
www.citibank.co.cc
www.citibank.co.cx
www.citibank.co.dk
www.citibank.co.id
www.citibank.co.in
www.citibank.co.io
www.citibank.co.jp
www.citibank.co.ke
www.citibank.co.kr
www.citibank.co.nz
www.citibank.co.pl
www.citibank.co.pt
www.citibank.co.th
www.citibank.co.tv
www.citibank.co.tw
www.citibank.co.uk
www.citibank.co.vi
www.citibank.co.ws
www.citibank.com
www.citibank.com.ar
www.citibank.com.au
www.citibank.com.bh
www.citibank.com.bi
www.citibank.com.br
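The scripted "host www.citibank.XXX" loop described above, written in Python as an added example that is not part of the original document. It uses a generic brand name and a constructed offline lookup table (FAKE_DNS and fake_resolve are assumptions made for the demo), and is the same check an organisation would run to inventory its own country-specific domains and see whether they share hosting.

```python
import socket
from collections import defaultdict

# Constructed sample of ISO country codes; the text scripts the whole set.
COUNTRY_CODES = ["as", "at", "au", "be", "ca", "kr", "nz", "uk"]

# Constructed fake zone (documentation addresses) so the demo runs offline.
FAKE_DNS = {
    "www.example.be": "192.0.2.10",
    "www.example.co.uk": "192.0.2.20",
    "www.example.com.au": "192.0.2.10",
}

def candidate_hosts(brand, country_codes=COUNTRY_CODES, sub_exts=("", "co.", "com.")):
    """The names a scripted 'host www.<brand>.XXX' loop would try:
    www.<brand>.<cc>, www.<brand>.co.<cc> and www.<brand>.com.<cc>."""
    return [f"www.{brand}.{sub}{cc}" for cc in country_codes for sub in sub_exts]

def system_resolve(host):
    """A record via the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

def fake_resolve(host):
    """Offline stand-in for system_resolve, backed by the constructed table."""
    return FAKE_DNS.get(host)

def enumerate_sites(brand, resolver=system_resolve, country_codes=COUNTRY_CODES):
    """Return {hostname: ip} for every candidate that resolves."""
    found = {}
    for host in candidate_hosts(brand, country_codes):
        ip = resolver(host)
        if ip:
            found[host] = ip
    return found

def group_by_address(found):
    """Invert {host: ip} into {ip: [hosts]}: a distinct address per country
    points to in-country hosting (the text's observation), a shared one to a central host."""
    groups = defaultdict(list)
    for host, ip in found.items():
        groups[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}

if __name__ == "__main__":
    for ip, hosts in sorted(group_by_address(enumerate_sites("example", fake_resolve)).items()):
        print(ip, ", ".join(hosts))
```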
Document Outline

  • Chapter 0: What is this document about anyway?
  • Chapter 1: Setting the stage.
    • Permanent connection (leased line, cable, fiber)
    • Dial-up
    • Mobile (GSM) dial-up
    • How to
    • Using the 'net
    • Other techniques
  • Chapter 2: Mapping your target
    • RIPE, ARIN, APNIC and friends
    • Routed or not?
    • Traceroute & world domination
    • Reverse DNS entries
    • Summary
  • Chapter 3: Alive & kicking ?
    • Unrouted nets, NAT
    • Ping - ICMP
    • Ping - TCP (no service, wrappers, filters)
      • Method1 (against stateful inspection FWs)
      • Method2 (against stateless Firewalls)
    • Summary
    • Before we go on
  • Chapter 4: Loading the weapons
    • General scanners vs. custom tools
    • The hacker's view on it (quick kill example)
    • Hacker's view (no kill at all)
  • Chapter 5: Fire!
    • Telnet (23 TCP)
    • HTTP (80 TCP)
    • HTTPS (SSL2) (443 TCP)
    • HTTPS (SSL3) (443 TCP)
    • HTTP + Basic authentication
    • Data mining
    • Web based authentication.
      • Tricks
      • ELZA & Brutus
    • IDS & webservers
    • Pudding
    • Now what?
      • What to execute?
    • SMTP (25 TCP)
    • FTP (21 TCP + reverse)
    • DNS (53 TCP,UDP)
    • Finger (79 TCP)
    • NTP (123 UDP)
    • RPC & portmapper (111 TCP + other UDP)
    • TFTP (69 UDP)
    • SSH (22 TCP)
    • POP3 (110 TCP)
    • SNMP (161 UDP)
    • Proxies (80,1080,3128,8080 TCP)
    • X11 (6000 TCP)
    • R-services (rshell, rlogin) (513,514 TCP)
    • NetBIOS/SMB (139 TCP)
  • Chapter 6: Now what?
    • Windows
      • Only port 139 open - administrator rights.
      • Port 21 open
      • Port 80 open and can execute
      • Port 80 and port 139 open.
      • What to execute?
    • Unix
      • What to execute?
    • Things that do not fit in anywhere - misc.
      • Network level attack - Source port 20,53
      • HTTP-redirects
  • Other Topics
    • Trojans (added 2001/09)
