Closing Open Holes

With the spread of Hackers and Hacking incidents, the time has come when not only system administrators of servers of big companies, but also people who connect to the Internet by dialing up into their ISP, have to worry about securing their system. It really does not make much difference whether you have a static IP or a dynamic one; if your system is connected to the Internet, then there is every chance of it being attacked.

This manual is aimed at discussing methods of system security analysis and will shed light on how to secure your standalone system (or a system connected to a LAN).

Open Ports: A Threat to Security?

In the Netstat Tutorial we had discussed how the netstat -a command shows the list of open ports on your system. Well, anyhow, before I move on, I would like to quickly recap the important part. So here goes, straight from the netstat tutorial:

Now, the ‘-a’ option is used to display all open connections on the local machine. It also returns the remote system to which we are connected, the port numbers of the remote system we are connected to (and of the local machine), and also the type and state of connection we have with the remote system.

For Example,

C:\windows>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED
TCP ankit:1036 dwarf.box.sk:ftp-data TIME_WAIT
TCP ankit:1043 banners.egroups.com:80 FIN_WAIT_2
TCP ankit:1045 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP ankit:1052 zztop.boxnetwork.net:80 ESTABLISHED
TCP ankit:1053 mail2.mtnl.net.in:pop3 TIME_WAIT
UDP ankit:1025 *:*
UDP ankit:nbdatagram *:*

Now, let us take a single line from the above output and see what it stands for:

Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED

Now, the above can be arranged as below:

Protocol: TCP (This can be Transmission Control Protocol or TCP, User Datagram Protocol or UDP, or sometimes even IP or Internet Protocol.)

Local System Name: ankit (This is the name of the local system that you set during the Windows setup.)

Local Port opened and being used by this connection: 1031

Remote System: dwarf.box.sk (This is the non-numerical form of the system to which we are connected.)

Remote Port: ftp (This is the port number of the remote system dwarf.box.sk to which we are connected.)

State of Connection: ESTABLISHED

‘Netstat’ with the ‘-a’ argument is normally used to get a list of open ports on your own system, i.e. on the local system. This can be particularly useful to check and see whether your system has a Trojan installed or not. Yes, most good Antiviral software are able to detect the presence of Trojans, but we are hackers, and need no software to tell us whether we are infected or not. Besides, it is more fun to do something manually than to simply click on the ‘Scan’ button and let some software do it.

The following is a list of Trojans and the port numbers which they use. If you Netstat yourself and find any of the following open, then you can be pretty sure that you are infected.

Port 12345(TCP) Netbus
Port 31337(UDP) Back Orifice

For the complete list, refer to the Tutorial on Trojans at: hackingtruths.box.sk/trojans.txt

Now, the above tutorial resulted in a number of people raising questions like: If the ‘netstat -a’ command shows open ports on my system, does this mean that anyone can connect to them? Or, how can I close these open ports? How do I know if an open port is a threat to my system’s security or not? Well, the answer to all these questions will be clear once you read the paragraphs below:

Now, the thing to understand here is that port numbers are divided into three ranges:

The Well Known Ports are those from 0 through 1023. This range of ports is bound to the services running on them. By this what I mean is that each port usually has a specific service running on it. You see, there is an internationally accepted Port Numbers to Services rule (refer to RFC 1700) which specifies on what port number a particular service runs. For example, by default or normally FTP runs on Port 21. So if you find that Port 21 is open on a particular system, then it usually means that that particular system uses the FTP Protocol to transfer files. However, please note that some smart system administrators deliberately, i.e. to fool lamers, run fake services on popular ports. For example, a system might be running a fake FTP daemon on Port 21. Although you get the same interface as the FTP daemon (banner, response numbers etc.), it actually might be software logging your presence and sometimes even tracing you!!!

The Registered Ports are those from 1024 through 49151. This range of port numbers is not bound to any specific service. Actually, networking utilities like your Browser, Email Client and FTP software open a random port within this range and start a communication with the remote server. A port number within this range is the reason why you are able to surf the net or check your email etc.

If you find that when you give the netstat -a command a number of ports within this range are open, then you should probably not worry. These ports are simply opened so that you can get your software applications to do what you want them to do. These ports are opened temporarily by various applications to perform tasks. They act as a buffer transferring packets (data) received to the application and vice versa. Once you close the application, you find that these ports are closed automatically. For example, when you type www.hotmail.com in your browser, your browser randomly chooses a Registered Port and uses it as a buffer to communicate with the various remote servers involved.

The Dynamic and/or Private Ports are those from 49152 through 65535. This range is rarely used, and is mostly used by trojans; however, some applications do tend to use such high range port numbers. For example, Sun starts their RPC ports at 32768.

So this basically brings us to what to do if you find that Netstat gives you a couple of open ports on your system:

1. Check the Trojan Port List and check if the open port matches any of the popular ones. If it does, then get a Trojan Remover and remove the trojan.

2. If it doesn’t, or if the Trojan Remover says: No trojan found, then see if the open port lies in the Registered Ports range. If yes, then you have nothing to worry about, so forget about it.
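As an added example that is not part of the original tutorial, the following Python script applies the two steps above to a `netstat -a` listing: it parses the rows, matches local ports against the Trojan ports given on this page, and classifies the rest by the three port ranges. The service-name table and the sample listing (the page's output with two constructed Trojan rows added) are assumptions.

```python
"""Triage a `netstat -a` listing the way the text describes: match open
local ports against the Trojan ports named on this page, then judge the
rest by the Well Known / Registered / Dynamic ranges."""
from typing import Dict, List, NamedTuple, Optional, Tuple

# Trojan ports given on this page, (port, protocol) -> name. Extend from
# the Trojan list the text links to; nothing else is asserted here.
TROJAN_PORTS: Dict[Tuple[int, str], str] = {
    (12345, "TCP"): "Netbus",
    (31337, "UDP"): "Back Orifice",
}

# Windows netstat prints service names instead of numbers for well-known
# ports; this table covers the names used in the sample (assumed mapping).
SERVICE_PORTS: Dict[str, int] = {
    "ftp": 21, "ftp-data": 20, "pop3": 110, "smtp": 25, "http": 80,
    "nbname": 137, "nbdatagram": 138, "nbsession": 139,
}

# Constructed sample modelled on the page's listing, plus two added rows
# (12345/TCP and 31337/UDP) so that the Trojan check has something to find.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    ankit:1031             dwarf.box.sk:ftp       ESTABLISHED
  TCP    ankit:1036             dwarf.box.sk:ftp-data  TIME_WAIT
  TCP    ankit:1043             banners.egroups.com:80 FIN_WAIT_2
  TCP    ankit:1045             mail2.mtnl.net.in:pop3 TIME_WAIT
  TCP    ankit:12345            0.0.0.0:0              LISTENING
  UDP    ankit:1025             *:*
  UDP    ankit:nbdatagram       *:*
  UDP    ankit:31337            *:*
"""

class Entry(NamedTuple):
    proto: str
    local_port: int
    foreign: str
    state: str          # empty for UDP, which netstat prints without a state

def port_range(port: int) -> str:
    """The three ranges the text defines (0-1023, 1024-49151, 49152-65535)."""
    if port <= 1023:
        return "WELL_KNOWN"
    if port <= 49151:
        return "REGISTERED"
    return "DYNAMIC"

def to_port(token: str) -> Optional[int]:
    """The local address ends in either a number or a service name."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token.lower())

def parse_netstat(text: str) -> List[Entry]:
    """Keep only the TCP/UDP rows; banner and header lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        port = to_port(parts[1].rpartition(":")[2])
        if port is None:                # unknown service name: cannot judge it
            continue
        state = parts[3] if len(parts) > 3 else ""
        entries.append(Entry(parts[0], port, parts[2], state))
    return entries

def triage(text: str) -> Dict[Tuple[int, str], str]:
    """One verdict per (local port, protocol), following the two steps in
    the text: a known Trojan port means infected; otherwise the range decides."""
    verdicts: Dict[Tuple[int, str], str] = {}
    for e in parse_netstat(text):
        key = (e.local_port, e.proto)
        rng = port_range(e.local_port)
        if key in TROJAN_PORTS:
            verdicts[key] = "TROJAN:" + TROJAN_PORTS[key]
        elif rng == "REGISTERED" and e.state == "LISTENING":
            verdicts[key] = "REVIEW:listener-on-client-port"  # apps open these to connect out, not to listen
        elif rng == "REGISTERED":
            verdicts[key] = "OK:temporary-client-port"        # browser, mail client etc.
        elif rng == "WELL_KNOWN":
            verdicts[key] = "REVIEW:service-listening"        # is this service meant to run here?
        else:
            verdicts[key] = "REVIEW:dynamic-range"            # rarely legitimate, per the text
    return verdicts
```

Running `triage(SAMPLE_NETSTAT)` flags 12345/TCP and 31337/UDP, passes the registered client ports, and asks you to confirm the NetBIOS datagram service on UDP 138.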

HACKING TRUTH: A common technique employed by a number of system administrators is remapping ports. For example, normally the default port for HTTP is 80. However, the system administrator could also remap it to Port 8080. Now, if that is the case, then the homepage hosted at that server would be at:

domain.com:8080 instead of
domain.com:80

The idea behind Port Remapping is that instead of running a service on a well known port, where it can easily be exploited, it would be better to run it on a not so well known port, as the hacker would find it more difficult to find that service. He would have to port scan a high range of numbers to discover port remapping.

The ports used for remapping are usually pretty easy to remember. They are chosen keeping in mind the default port number at which the service being remapped should be running. For example, POP by default runs on Port 110. However, if you were to remap it, you would choose any of the following: 1010, 11000, 1111 etc.

Some sysadmins also like to choose port numbers in the following manner: 1234, 2345, 3456, 4567 and so on… Yet another reason why Port Remapping is done is that on a Unix system, to be able to listen on a port under 1024, you must have root privileges.

Firewalls

Use of Firewalls is no longer confined to servers or websites or commercial companies. Even if you simply dial up into your ISP or use PPP (Point to Point Protocol) to surf the net, you simply cannot do without a firewall. So what exactly is a firewall?

Well, in non-geek language, a firewall is basically a shield which protects your system from the untrusted, non-reliable systems connected to the Internet. It is software which listens on all ports of your system for any attempts to open a connection, and when it detects such an attempt, it reacts according to a predefined set of rules. So basically, a firewall is something that protects the network (or system) from the Internet. The term is derived from the firewalls used in vehicles: a barrier made of fire resistant material protecting the vehicle in case of fire.

Now, for a better ‘according to the bible’ definition of a firewall: A firewall is best described as a software or hardware (or both hardware and software) packet filter that allows only selected packets to pass through from the Internet to your private internal network. A firewall is a system or a group of systems which guards a trusted network (the internal private network) from the untrusted network (the Internet).

NOTE: This was a very brief description of what a firewall is; I will not be going into the details of their working in this manual.

Anyway, the term ‘Firewalls’ (which were generally used by companies for commercial purposes) has evolved into a new term called ‘Personal Firewalls’. This term is basically used to refer to firewalls installed on a standalone system which may or may not be networked, i.e. it usually connects to an ISP. Or in other words, a personal firewall is a firewall used for personal use.

Now that you have a basic description of what a firewall is, let us move on to why exactly you need to install a firewall. Or, how can not installing a firewall pose a threat to the security of your system?

You see, when you are connected to the Internet, you have millions of other untrusted systems connected to it as well. If somehow someone found out your IP address, then they could do probably anything to your system. They could exploit any vulnerability existing in your system, damage your data, and even use your system to hack into other computers.

Finding out someone’s IP Address is not very difficult. Anybody can find out your IP through various Chat Services, Instant Messengers (ICQ, MSN, AOL etc.), through a common ISP and numerous other ways. In fact, finding out the IP Address of a specific person is not always the priority of some hackers.

What I mean to say by that is that there are a number of scripts and utilities available which scan all IP addresses within a certain range for predefined common vulnerabilities, for example systems with File Sharing enabled, or a system running an OS which is vulnerable to the Ping of Death attack etc. As soon as a vulnerable system is found, they use the IP to carry out the attacks.

The most common scanners look for systems with RATs or Remote Administration Tools installed. They send a packet to common Trojan ports and display whether the victim’s system has that Trojan installed or not. The ‘Scan Range of IP Addresses’ that these programs accept is quite wide, and one can easily find a vulnerable system in a matter of minutes or even seconds.

Trojan Horses like Back Orifice provide remote access to your system and can set up a password sniffer. The combination of a back door and a sniffer is a dangerous one: the back door provides future remote access, while the sniffer may reveal important information about you like your other passwords, bank details, credit card numbers, Social Security Number etc. If your home system is connected to a local LAN and the attacker manages to install a backdoor on it, then you probably have given the attacker the same access level to your internal network as you have. This would also mean that you will have created a back door into your network that bypasses any firewall that may be guarding the front door.

You may argue with me that as you are using a dial up link to your ISP via PPP, the attacker would be able to access your machine only when you are online. Well, yes, that is true, however not completely true. Yes, it does make access to your system when you reconnect difficult, as you have a dynamic Internet Protocol Address. But although this provides a faint hope of protection, routine scanning of the range of IPs in which your IP lies will more often than not reveal your current dynamic IP, and the back door will provide access to your system.

HACKING TRUTH: Microsoft Says: War Dialer programs automatically scan for modems by trying every phone number within an exchange. If the modem can only be used for dial-out connections, a War Dialer won’t discover it. However, PPP changes the equation, as it provides bidirectional transport, making any connected system visible to scanners and attackers.

So how do I protect myself from such scans and unsolicited attacks? Well, this is where Personal Firewalls come in. They, just like their name suggests, protect you from unsolicited connection probes, scans and attacks.

They listen on all ports for any connection requests received (from both legitimate and fake hosts) and sent (by applications like Browser, Email Client etc.). As soon as such an instance is recorded, the firewall pops up a warning asking you what to do, or whether to allow the connection to initiate or not. This warning message also contains the IP which is trying to initiate the connection and also the Port Number to which it is trying to connect, i.e. the port to which the packet was sent. It also protects your system from Port Scans, DOS Attacks, Vulnerability attacks etc. So basically it acts as a shield or a buffer which does not allow your system to communicate with the untrusted systems directly.

Most Personal Firewalls have extensive logging facilities which allow you to track down the attackers. Some popular firewalls are:

1. BlackICE Defender: An IDS for PCs. It’s available at www.networkice.com.

2. ZoneAlarm: The easiest firewall to set up and manage. Get it for free at: www.zonelabs.com

Once you have installed a firewall on your system, you will often get a number of Warnings which might seem as if someone is trying to break into your system; however, they are actually bogus messages, caused either by your OS itself or by the process called Allocation of Dynamic IPs. For a detailed description of these two, read on.

Many people complain that as soon as they dial into their ISP, their firewall says that such and such IP is probing Port X. What causes them?

Well, this is quite common. The cause is that somebody hung up just before you dialed in and your ISP assigned you the same IP address. You are now seeing the remains of communication with the previous person. This is most common when the person to whom the IP was assigned earlier was using ICQ or chat programs, was connected to a Game Server or simply turned off his modem before his communication with remote servers was complete.

You might even get a message like: Such and Such IP is trying to initiate a NetBIOS Session on Port X. This again is extremely common. The following is an explanation as to why it happens, which I picked up a couple of days ago: NetBIOS requests to UDP port 137 are the most common item you will see in your firewall reject logs. This comes about from a feature in Microsoft’s Windows: when a program resolves an IP address into a name, it may send a NetBIOS query to that IP address. This is part of the background radiation of the Internet, and is nothing to be concerned about.

What causes them? On virtually all systems (UNIX, Macintosh, Windows), programs call the function ‘gethostbyaddr()’ with the desired address. This function will then do the appropriate lookup, and return the name. This function is part of the sockets API. The key thing to remember about gethostbyaddr() is that it is virtual. It doesn’t specify how it resolves an address into a name. In practice, it will use all available mechanisms. If we look at UNIX, Windows, and Macintosh systems, we see the following techniques:

DNS in-addr.arpa PTR queries sent to the DNS server
NetBIOS NodeStatus queries sent to the IP address
lookups in the /etc/hosts file
AppleTalk over IP name query sent to the IP address
RPC query sent to the UNIX NIS server
NetBIOS lookup sent to the WINS server

Windows systems do the /etc/hosts, DNS, WINS, and NodeStatus techniques. In more excruciating detail, Microsoft has a generic system component called a naming service. All the protocol stacks in the system (NetBIOS, TCP/IP, Novell IPX, AppleTalk, Banyan, etc.) register the kinds of name resolutions they can perform. Some RPC products will likewise register an NIS naming service. When a program requests to resolve an address, this address gets passed on to the generic naming service. Windows will try each registered name resolution subsystem sequentially until it gets an answer.

(Side note: Users sometimes complain that accessing Windows servers is slow. This is caused by installing unneeded protocol stacks that must time out first before the real protocol stack is queried for the server name.)

The order in which it performs these resolution steps for IP addresses can be configured under the Windows registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider
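As an added example (not from the original tutorial), a small triage script that applies the two explanations above to constructed firewall alert lines: NetBIOS queries to UDP 137 are name lookups, alerts in the first minute or so after dial-up are leftovers addressed to the previous holder of the IP, and one source touching several ports is a sweep worth a look. The log line format, the 90 second window and the three-port threshold are assumptions.

```python
"""Sort personal-firewall alerts into the benign causes the text explains
(leftover traffic for a recycled dial-up IP, NetBIOS name queries on
UDP 137) and the ones that deserve a look (one source sweeping ports)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set

RESIDUE_WINDOW = timedelta(seconds=90)  # assumed: how long leftovers persist
SCAN_THRESHOLD = 3                      # assumed: distinct ports per source

# Constructed alert lines in an assumed "date time proto src -> dst" format;
# no real firewall writes exactly this, so adapt parse_alert() to yours.
SAMPLE_ALERTS = [
    "2000-08-14 21:03:07 UDP 203.0.113.45:137 -> 10.0.0.7:137",
    "2000-08-14 21:03:12 UDP 198.51.100.9:4000 -> 10.0.0.7:1044",
    "2000-08-14 21:03:40 TCP 198.51.100.77:27015 -> 10.0.0.7:1050",
    "2000-08-14 21:20:01 TCP 192.0.2.66:3123 -> 10.0.0.7:12345",
    "2000-08-14 21:20:01 TCP 192.0.2.66:3124 -> 10.0.0.7:31337",
    "2000-08-14 21:20:02 TCP 192.0.2.66:3125 -> 10.0.0.7:21",
    "2000-08-14 21:45:33 TCP 203.0.113.200:2001 -> 10.0.0.7:139",
]
CONNECTED_AT = datetime(2000, 8, 14, 21, 3, 0)   # when the PPP link came up


class Alert(NamedTuple):
    when: datetime
    proto: str
    src_ip: str
    src_port: int
    dst_port: int


def parse_alert(line: str) -> Alert:
    """Split one constructed alert line into its fields."""
    date, clock, proto, src, _arrow, dst = line.split()
    when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    src_ip, src_port = src.rsplit(":", 1)
    return Alert(when, proto, src_ip, int(src_port), int(dst.rsplit(":", 1)[1]))


def triage(lines: List[str], connected_at: datetime) -> List[str]:
    """One verdict per input line, in input order."""
    alerts = [parse_alert(line) for line in lines]
    ports_by_src: Dict[str, Set[int]] = defaultdict(set)
    for a in alerts:
        ports_by_src[a.src_ip].add(a.dst_port)

    verdicts: List[str] = []
    for a in alerts:
        if len(ports_by_src[a.src_ip]) >= SCAN_THRESHOLD:
            # one source touching several ports is a sweep, even if 137 is among them
            verdicts.append("investigate:port-scan")
        elif a.proto == "UDP" and a.dst_port == 137:
            # gethostbyaddr() NodeStatus lookup: the "background radiation" above
            verdicts.append("benign:netbios-name-query")
        elif a.when - connected_at <= RESIDUE_WINDOW:
            # just after dialing in: servers still talking to the previous user
            verdicts.append("likely-benign:previous-user-residue")
        else:
            verdicts.append("investigate:unsolicited")
    return verdicts


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_ALERTS, triage(SAMPLE_ALERTS, CONNECTED_AT)):
        print(f"{verdict:40} {line}")
```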

Breaking Through Firewalls

Although Firewalls are meant to provide you complete protection from Port Scan probes etc., there are several holes existing in popular firewalls, waiting to be exploited. In this issue, I will discuss a hole in ZoneAlarm Version 2.1.10 to 2.0.26, which allows the attacker to port scan the target system (although normally it should stop such scans).

If one uses port 67 as the source port of a TCP or UDP scan, ZoneAlarm will let the packet through and will not notify the user. This means that one can TCP or UDP port scan a ZoneAlarm protected computer as if there were no firewall there IF one uses port 67 as the source port on the packets.

Exploit:
UDP Scan:
You can use NMap to port scan the host with the following command line:

nmap -g67 -P0 -p130-140 -sU 192.168.128.88

(Notice the -g67 which specifies the source port).

TCP Scan:
You can use NMap to port scan the host with the following command line:

nmap -g67 -P0 -p130-140 -sS 192.168.128.88

(Notice the -g67 which specifies the source port).
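Why a rule like this fails, and what a correct DHCP exception looks like, as an added model that is not ZoneAlarm's code: the weak configuration admits anything with source port 67 so that DHCP replies can arrive, while the stateful version admits only the reply to a DHCP request this host actually sent and matches TCP against the connections it opened. The packet fields and the sample traffic are assumptions.

```python
"""A packet filter must not trust the source port. Two configurations of
one small filter: trusting source port 67 (the behaviour the text
attributes to ZoneAlarm) beside a stateful DHCP exception."""
from typing import Dict, NamedTuple, Set, Tuple

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68


class Packet(NamedTuple):
    proto: str          # "TCP" or "UDP"
    src_port: int
    dst_port: int
    flags: str = ""     # TCP only: "S" = new connection attempt, "SA", "A", ...


class PersonalFirewall:
    def __init__(self, trust_source_port_67: bool) -> None:
        self.trust_source_port_67 = trust_source_port_67
        self.dhcp_outstanding = False
        self.our_flows: Set[Tuple[int, int]] = set()   # (local_port, remote_port)

    def outbound(self, pkt: Packet) -> None:
        """Record what this host initiated, so that replies can be matched."""
        if pkt.proto == "UDP" and pkt.dst_port == DHCP_SERVER_PORT:
            self.dhcp_outstanding = True
        elif pkt.proto == "TCP" and pkt.flags == "S":
            self.our_flows.add((pkt.src_port, pkt.dst_port))

    def inbound(self, pkt: Packet) -> str:
        """Return 'allow' or 'block' for a packet arriving from the Internet."""
        if self.trust_source_port_67 and pkt.src_port == DHCP_SERVER_PORT:
            return "allow"      # the flaw: the sender chooses its own source port
        if (pkt.proto == "UDP" and pkt.src_port == DHCP_SERVER_PORT
                and pkt.dst_port == DHCP_CLIENT_PORT and self.dhcp_outstanding):
            self.dhcp_outstanding = False
            return "allow"      # the one DHCP reply this host is waiting for
        if (pkt.proto == "TCP" and pkt.flags != "S"
                and (pkt.dst_port, pkt.src_port) in self.our_flows):
            return "allow"      # part of a connection this host opened
        return "block"          # unsolicited, whatever the source port says


def compare(trust_source_port_67: bool) -> Dict[str, str]:
    """Run the same constructed traffic through one filter configuration."""
    fw = PersonalFirewall(trust_source_port_67)
    fw.outbound(Packet("UDP", DHCP_CLIENT_PORT, DHCP_SERVER_PORT))  # our DHCP request
    fw.outbound(Packet("TCP", 1031, 21, "S"))                        # our FTP connection
    traffic = {
        "dhcp_reply":    Packet("UDP", 67, 68),
        "ftp_syn_ack":   Packet("TCP", 21, 1031, "SA"),
        "probe_tcp_139": Packet("TCP", 67, 139, "S"),    # probe hiding behind src 67
        "probe_udp_137": Packet("UDP", 67, 137),
        "probe_tcp_135": Packet("TCP", 1024, 135, "S"),  # ordinary unsolicited probe
    }
    return {name: fw.inbound(pkt) for name, pkt in traffic.items()}


if __name__ == "__main__":
    for cfg in (True, False):
        print("trust src 67:" if cfg else "stateful:    ", compare(cfg))
```

Both configurations pass the DHCP reply and the FTP handshake; only the source-port rule also passes the two probes, which is exactly what the nmap lines above rely on.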

A Basic Guide To The Internet

The Internet is a computer network made up of thousands of networks worldwide. No one knows exactly how many computers are connected to the Internet. It is certain, however, that these number in the millions.

No one is in charge of the Internet. There are organizations which develop technical aspects of this network and set standards for creating applications on it, but no governing body is in control. The Internet backbone, through which Internet traffic flows, is owned by private companies.

All computers on the Internet communicate with one another using the Transmission Control Protocol/Internet Protocol suite, abbreviated to TCP/IP. Computers on the Internet use a client/server architecture. This means that the remote server machine provides files and services to the user’s local client machine. Software can be installed on a client computer to take advantage of the latest access technology.

An Internet user has access to a wide variety of services: electronic mail, file transfer, vast information resources, interest group membership, interactive collaboration, multimedia displays, real-time broadcasting, shopping opportunities, breaking news, and much more.

The Internet consists primarily of a variety of access protocols. Many of these protocols feature programs that allow users to search for and retrieve material made available by the protocol.

COMPONENTS OF THE INTERNET

WORLD WIDE WEB
The World Wide Web (abbreviated as the Web or WWW) is a system of Internet servers that supports hypertext to access several Internet protocols on a single interface. Almost every protocol type available on the Internet is accessible on the Web. This includes e-mail, FTP, Telnet, and Usenet News. In addition to these, the World Wide Web has its own protocol: HyperText Transfer Protocol, or HTTP. These protocols will be explained later in this document.

The World Wide Web provides a single interface for accessing all these protocols. This creates a convenient and user-friendly environment. It is no longer necessary to be conversant in these protocols within separate, command-level environments. The Web gathers together these protocols into a single system. Because of this feature, and because of the Web’s ability to work with multimedia and advanced programming languages, the Web is the fastest-growing component of the Internet.

The operation of the Web relies primarily on hypertext as its means of information retrieval. HyperText is a document containing words that connect to other documents. These words are called links and are selectable by the user. A single hypertext document can contain links to many documents. In the context of the Web, words or graphics may serve as links to other documents, images, video, and sound. Links may or may not follow a logical path, as each connection is programmed by the creator of the source document. Overall, the Web contains a complex virtual web of connections among a vast number of documents, graphics, videos, and sounds.

Producing hypertext for the Web is accomplished by creating documents with a language called HyperText Markup Language, or HTML. With HTML, tags are placed within the text to accomplish document formatting, visual features such as font size, italics and bold, and the creation of hypertext links. Graphics and multimedia may also be incorporated into an HTML document. HTML is an evolving language, with new tags being added as each upgrade of the language is developed and released. The World Wide Web Consortium (W3C), led by Web founder Tim Berners-Lee, coordinates the efforts of standardizing HTML. The W3C now calls the language XHTML and considers it to be an application of the XML language standard.

The World Wide Web consists of files, called pages or home pages, containing links to documents and resources throughout the Internet.

The Web provides a vast array of experiences including multimedia presentations, real-time collaboration, interactive pages, radio and television broadcasts, and the automatic “push” of information to a client computer. Programming languages such as Java, JavaScript, Visual Basic, Cold Fusion and XML are extending the capabilities of the Web. A growing amount of information on the Web is served dynamically from content stored in databases. The Web is therefore not a fixed entity, but one that is in a constant state of development and flux.

For more complete information about the World Wide Web, see Understanding The World Wide Web.

E-MAIL
Electronic mail, or e-mail, allows computer users locally and worldwide to exchange messages. Each user of e-mail has a mailbox address to which messages are sent. Messages sent through e-mail can arrive within a matter of seconds.

A powerful aspect of e-mail is the option to send electronic files to a person’s e-mail address. Non-ASCII files, known as binary files, may be attached to e-mail messages. These files are referred to as MIME attachments. MIME stands for Multimedia Internet Mail Extension, and was developed to help e-mail software handle a variety of file types. For example, a document created in Microsoft Word can be attached to an e-mail message and retrieved by the recipient with the appropriate e-mail program. Many e-mail programs, including Eudora, Netscape Messenger, and Microsoft Outlook, offer the ability to read files written in HTML, which is itself a MIME type.

TELNET
Telnet is a program that allows you to log into computers on the Internet and use online databases, library catalogs, chat services, and more. There are no graphics in Telnet sessions, just text. To Telnet to a computer, you must know its address. This can consist of words (locis.loc.gov) or numbers (140.147.254.3). Some services require you to connect to a specific port on the remote computer. In this case, type the port number after the Internet address. Example: telnet nri.reston.va.us 185.

Telnet is available on the World Wide Web. Probably the most common Web-based resources available through Telnet have been library catalogs, though most catalogs have since migrated to the Web. A link to a Telnet resource may look like any other link, but it will launch a Telnet session to make the connection. A Telnet program must be installed on your local computer and configured to your Web browser in order to work.

With the increasing popularity of the Web, Telnet has become less frequently used as a means of access to information on the Internet.

FTP
FTP stands for File Transfer Protocol. This is both a program and the method used to transfer files between computers. Anonymous FTP is an option that allows users to transfer files from thousands of host computers on the Internet to their personal computer account. FTP sites contain books, articles, software, games, images, sounds, multimedia, course work, data sets, and more.

If your computer is directly connected to the Internet via an Ethernet cable, you can use one of several PC software programs, such as WS_FTP for Windows, to conduct a file transfer.

FTP transfers can be performed on the World Wide Web without the need for special software. In this case, the Web browser will suffice. Whenever you download software from a Web site to your local machine, you are using FTP. You can also retrieve FTP files via search engines such as FtpFind, located at http://www.ftpfind.com/. This option is easiest because you do not need to know FTP program commands.

E-MAIL DISCUSSION GROUPS
One of the benefits of the Internet is the opportunity it offers to people worldwide to communicate via e-mail. The Internet is home to a large community of individuals who carry out active discussions organized around topic-oriented forums distributed by e-mail. These are administered by software programs. Probably the most common program is the listserv.

A great variety of topics are covered by listservs, many of them academic in nature. When you subscribe to a listserv, messages from other subscribers are automatically sent to your electronic mailbox. You subscribe to a listserv by sending an e-mail message to a computer program called a listserver. Listservers are located on computer networks throughout the world. This program handles subscription information and distributes messages to and from subscribers. You must have an e-mail account to participate in a listserv discussion group. Visit Tile.net at http://tile.net/ to see an example of a site that offers a searchable collection of e-mail discussion groups.

Majordomo and Listproc are two other programs that administer e-mail discussion groups. The commands for subscribing to and managing your list memberships are similar to those of listserv.

USENET NEWS
Usenet News is a global electronic bulletin board system in which millions of computer users exchange information on a vast range of topics. The major difference between Usenet News and e-mail discussion groups is the fact that Usenet messages are stored on central computers, and users must connect to these computers to read or download the messages posted to these groups. This is distinct from e-mail distribution, in which messages arrive in the electronic mailboxes of each list member.

Usenet itself is a set of machines that exchanges messages, or articles, from Usenet discussion forums, called newsgroups. Usenet administrators control their own sites, and decide which (if any) newsgroups to sponsor and which remote newsgroups to allow into the system.

There are thousands of Usenet newsgroups in existence. While many are academic in nature, numerous newsgroups are organized around recreational topics. Much serious computer-related work takes place in Usenet discussions. A small number of e-mail discussion groups also exist as Usenet newsgroups.

The Usenet newsfeed can be read by a variety of newsreader software programs. For example, the Netscape suite comes with a newsreader program called Messenger. Newsreaders are also available as standalone products.

FAQ, RFC, FYI
FAQ stands for Frequently Asked Questions. These are periodic postings to Usenet newsgroups that contain a wealth of information related to the topic of the newsgroup. Many FAQs are quite extensive. FAQs are available by subscribing to individual Usenet newsgroups. A Web-based collection of FAQ resources has been collected by The Internet FAQ Consortium and is available at http://www.faqs.org/.

RFC stands for Request for Comments. These are documents created by and distributed to the Internet community to help define the nuts and bolts of the Internet. They contain both technical specifications and general information.

FYI stands for For Your Information. These notes are a subset of RFCs and contain information of interest to new Internet users.

Links to indexes of all three of these information resources are available on the University Libraries Web site at http://library.albany.edu/reference/faqs.html.

CHAT & INSTANT MESSAGING
Chat programs allow users on the Internet to communicate with each other by typing in real time. They are sometimes included as a feature of a Web site, where users can log into the “chat room” to exchange comments and information about the topics addressed on the site. Chat may take other, more wide-ranging forms. For example, America Online is well known for sponsoring a number of topical chat rooms.

Internet Relay Chat (IRC) is a service through which participants can communicate with each other on hundreds of channels. These channels are usually based on specific topics. While many topics are frivolous, substantive conversations are also taking place. To access IRC, you must use an IRC software program.

A variation of chat is the phenomenon of instant messaging. With instant messaging, a user on the Web can contact another user currently logged in and type a conversation. Most famous is America Online’s Instant Messenger. ICQ, MSN and Yahoo are other commonly-used chat programs.

Other types of real-time communication are addressed in the tutorial Understanding the World Wide Web.

MUD/MUSH/MOO/MUCK/DUM/MUSE
MUD stands for Multi User Dimension. MUDs, and their variations listed above, are multi-user virtual reality games based on simulated worlds. Traditionally text based, graphical MUDs now exist. There are MUDs of all kinds on the Internet, and many can be joined free of charge. For more information, read one of the FAQs devoted to MUDs available at the FAQ site at