How to Look for Vulnerabilities
Now let's start someplace where you are unlikely to get punched
in the nose by looking at some ports on your own computer. You
can do this by typing 'netstat -a' at the command prompt.
You should see something such as:
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    localhost:1027         0.0.0.0:0              LISTENING
  TCP    localhost:135          0.0.0.0:0              LISTENING
  TCP    localhost:135          0.0.0.0:0              LISTENING
  TCP    localhost:1026         0.0.0.0:0              LISTENING
  TCP    localhost:1026         localhost:1027         ESTABLISHED
  TCP    localhost:1027         localhost:1026         ESTABLISHED
  TCP    localhost:137          0.0.0.0:0              LISTENING
  TCP    localhost:138          0.0.0.0:0              LISTENING
  TCP    localhost:nbsession    0.0.0.0:0              LISTENING
  UDP    localhost:135          *:*
  UDP    localhost:nbname       *:*
  UDP    localhost:nbdatagram   *:*
Hmmm...nothing much going on here. The 'Local Address' column
(i.e., my own machine) shows it listening on ports 135, 137, 138,
and 'nbsession' (which translates to port 139...type 'netstat -an'
to see just the port numbers instead of the service names). This is
okay...those ports are part of Microsoft networking (135 is the RPC
endpoint mapper; 137, 138 and 139 are the NetBIOS name, datagram and
session services) and need to be active on the LAN my machine is
connected to. They should never be reachable from the Internet,
though: they expose file sharing and RPC to anyone who can connect
to them, so a border firewall should block them.
Now we connect our Web browser to http://www.happyhacker.org
and at the same time run Windows telnet and connect to a shell
account at example.com. Let's see what happens. Here's the
output of the 'netstat -a' command, slightly abbreviated:
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    localhost:1027         0.0.0.0:0              LISTENING
  TCP    localhost:135          0.0.0.0:0              LISTENING
  TCP    localhost:135          0.0.0.0:0              LISTENING
  TCP    localhost:2508         0.0.0.0:0              LISTENING
  TCP    localhost:2509         0.0.0.0:0              LISTENING
  TCP    localhost:2510         0.0.0.0:0              LISTENING
  TCP    localhost:2511         0.0.0.0:0              LISTENING
  TCP    localhost:2514         0.0.0.0:0              LISTENING
  TCP    localhost:1026         0.0.0.0:0              LISTENING
  TCP    localhost:1026         localhost:1027         ESTABLISHED
  TCP    localhost:1027         localhost:1026         ESTABLISHED
  TCP    localhost:137          0.0.0.0:0              LISTENING
  TCP    localhost:138          0.0.0.0:0              LISTENING
  TCP    localhost:139          0.0.0.0:0              LISTENING
  TCP    localhost:2508         zlliks.505.ORG:80      ESTABLISHED
  TCP    localhost:2509         zlliks.505.ORG:80      ESTABLISHED
  TCP    localhost:2510         zlliks.505.ORG:80      ESTABLISHED
  TCP    localhost:2511         zlliks.505.ORG:80      ESTABLISHED
  TCP    localhost:2514         example.com:telnet     ESTABLISHED
So what do we see now? Well, there are the ports listening
for Microsoft networking, just like in the first example. And
there also are some new ports listed. Four are connected to 'zlliks.505.org'
on port 80, and one to 'example.com' on the telnet port. These
correspond to the client connections that I set up. See,
this way you know the name of the computer that was running the
Happy Hacker Web site at this time. (netstat gets that name by a
reverse DNS lookup of the foreign IP address, so it is the host's
name, not necessarily the Web site's name; 'netstat -an' shows the
raw address instead.)
But what is with the really high port numbers? Well, remember the
'well-known' ports that we talked about above? Client applications,
such as browsers and telnet clients (clients are programs that
connect to servers), need a port of their own to receive data on,
so the operating system hands each one a free port from outside the
'well-known' range, above 1023. These are called ephemeral ports;
Windows of this era draws them from 1025 to 5000 (Vista and later
use 49152 to 65535). In this case, my browser has opened up four
ports...2508 through 2511. Notice that they are consecutive, not
random: the stack simply hands out the next free one.
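To make reading a 'netstat -an' listing concrete, here is an added Python example; it is not part of the original guide. It parses a constructed listing in the numeric form, then picks out three things the text discusses: the ports with a service listening, the outbound client sessions (an ephemeral local port talking to a well-known remote port, like the browser's 2508-2511 to port 80 and telnet's 2514 to port 23), and any Microsoft networking ports bound to something other than the loopback address. The IP addresses in the sample are made up.

```python
"""Sort out what a 'netstat -an' listing tells you about a machine.
Added example, not code from the original guide.  SAMPLE_NETSTAT is a
constructed listing mirroring the one in the text (addresses invented)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

NETBIOS_PORTS = {135, 137, 138, 139}  # Microsoft networking: RPC endpoint mapper + NetBIOS
WELL_KNOWN_MAX = 1023                 # ports 0-1023 are the 'well-known' ports

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:137       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:138       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:2508      203.0.113.7:80         ESTABLISHED
  TCP    192.168.1.10:2509      203.0.113.7:80         ESTABLISHED
  TCP    192.168.1.10:2514      198.51.100.5:23        ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    192.168.1.10:137       *:*
"""


@dataclass
class Conn:
    proto: str
    local_addr: str
    local_port: Optional[int]   # None when netstat prints '*'
    remote_addr: str
    remote_port: Optional[int]
    state: str                  # '' for UDP rows, which carry no state


def _split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """'192.168.1.10:2508' -> ('192.168.1.10', 2508); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(':')
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ('TCP', 'UDP'):
            continue  # banner, blank and header lines
        proto, local, remote = fields[:3]
        state = fields[3] if len(fields) > 3 else ''
        la, lp = _split_endpoint(local)
        ra, rp = _split_endpoint(remote)
        conns.append(Conn(proto, la, lp, ra, rp, state))
    return conns


def listening_ports(conns: List[Conn]) -> Set[Tuple[str, int]]:
    """(proto, port) pairs where a service is waiting for input.
    UDP is connectionless, so every bound UDP socket counts."""
    return {(c.proto, c.local_port) for c in conns
            if c.local_port is not None and (c.proto == 'UDP' or c.state == 'LISTENING')}


def client_connections(conns: List[Conn]) -> List[Conn]:
    """ESTABLISHED rows where we hold the ephemeral (>1023) end and the
    peer holds a well-known port: our outbound client sessions."""
    return [c for c in conns
            if c.state == 'ESTABLISHED'
            and c.local_port is not None and c.local_port > WELL_KNOWN_MAX
            and c.remote_port is not None and c.remote_port <= WELL_KNOWN_MAX]


def exposed_netbios(conns: List[Conn]) -> Set[Tuple[str, int]]:
    """Microsoft networking ports bound to a non-loopback address.
    0.0.0.0 means 'every interface', so it counts as exposed."""
    return {(c.proto, c.local_port) for c in conns
            if c.local_port in NETBIOS_PORTS
            and (c.proto == 'UDP' or c.state == 'LISTENING')
            and not c.local_addr.startswith('127.')}


if __name__ == '__main__':
    conns = parse_netstat(SAMPLE_NETSTAT)
    print('listening:', sorted(listening_ports(conns)))
    for c in client_connections(conns):
        print(f'client: local {c.local_port} -> {c.remote_addr}:{c.remote_port}')
    print('Microsoft networking reachable off-box:', sorted(exposed_netbios(conns)))
```

Run it against your own machine with `netstat -an` piped into a file and passed to `parse_netstat`; the interesting lines are whatever `exposed_netbios` returns on a host that also has a public address.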