______________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Microsoft-only version Number 3
Hacking with Win95/NT: How to Telnet
How to Break into a Windows 95 Computers from the Internet
______________________________________________________
by KeyDet89
******************************************************
In this Guide you will learn how to:
* Use telnet from Windows
* Download web pages via telnet
* Get finger information via telnet
* Telnet from the DOS command-line
* Use netcat
* Break into Windows Computers from the Internet
Protecting Yourself
What can they do
The command-line approach
The GUI approach
Final Words
************************************************************
How to Use Telnet on a Windows Computer
Telnet is great little program for doing a couple of interesting
things. In fact, if you want to call yourself a hacker, you absolutely
MUST be able to telnet! In this lesson you will find out
a few of the cool things a hacker can do with telnet.
If you are using Win95, you can find telnet in the c:\windows
directory, and on NT, in the c:\winnt\system32 directory.
There isn't a lot of online help concerning the usage of the
program, so my goal is to provide some information for new users.
First off, telnet isn't so much an application as it is a
protocol. Telnet is protocol that runs over TCP/IP, and
was used for connecting to remote computers. It provides
a login interface, and you can run command-line programs by typing
the commands on your keyboard, and the programs use the resources
of the remote machine. The results are displayed in the
terminal window on your machine, but the memory and CPU cycles
consumed by the program are located on the remote machine.
Therefore, telnet functions as a terminal emulation program,
emulating a terminal on the remote machine.
Now, telnet runs on your Win95 box as a GUI application...that
is to say that you can type "telnet" at the command
prompt (in Windows 95 this is the MS-DOS prompt), and assuming
that your PATH is set correctly, a window titled "telnet"
will open. This differs from your ftp program in that all
commands are entered in the DOS window.
Let's begin by opening telnet. Simply open a DOS window
by clicking "start", then "programs", then
"MS-DOS", and at the command prompt, type:
c:\telnet
The window for telnet will open, and you can browse the features
of the program from the menu bar.
***************************************************
NEWBIE NOTE: In this text file, I am referring only to
the telnet
program that ships with Win95/NT. If you type "telnet"
at the
command prompt and you don't get the telnet window, make sure
that the program is on your hard drive using the Start ->
Find ->
Files or Folders command. Also make sure that your path
statement includes the Windows directory. There are many
other programs available that provide similar functionality,
with a lot of other bells and whistles, from any number of software
sites.
*************************************************
To learn a bit more about telnet, choose Help -> Contents,
or
Help -> Search for help on... from the menu bar.
Read through
the files in order to find more detailed explanations of things
you may wish to do. For example, in this explanation, I
will
primarily be covering how to use the application and what it
can
be used for, but now how to customize the colors for the application.
Now, if you choose Connect -> Remote System, you will be
presented with a dialog window that will ask you for the remote
host, the port and the terminal type.
****************************************************
NEWBIE NOTE: For most purposes, you can leave the terminal type
on
VT100.
****************************************************
In the Connect dialog box, you can enter in the host to which
you wish to connect, and there is a list box of several ports
you can connect to:
daytime: May give you the current time on the server.
echo: May echo back whatever you type in, and will tell
you that the computer you have connected to is alive nd running
on the Internet. qotd: May provide you with a quote of
the day.
chargen: May display a continuous stream of characters,
useful for spotting network problems, but may crash your telnet
program.
telnet: May present you with a login screen.
These will only work if the server to which you are trying
to connect is running these services. However, you are
not limited to just those ports...you can type in any port number
you wish. (For more on fun ports, see the GTMHH, "Port
Surf's Up.") You will only successfully connect to the port
if the service in question is available. What occurs after
you connect depends upon the protocol for that particular service.
When you are using telnet to connect to the telnet service
on a server, you will (in most cases) be presented with a banner
and a login prompt.
[Note from Carolyn Meinel: Many people have written
saying their telnet program fails to connect no matter what host
they try to reach. Here's a way to fix your problem.
First -- make sure you are already connected to the Internet.
If your telnet program still cannot connect to anything, here's
how to fix your problem. Click "start" then "settings"
then "control panel." Then click "Internet"
then "connection." This screen will have two
boxes that may or may not be checked. The top one says
"connect to the Internet as needed." If that
box is checked, uncheck it -- but only uncheck it if you already
have been having problems connecting. The bottom box says
"connect through a proxy server." If that box
is checked, you probably are on a local area network and your
systems administrator doesn't allow you to use telnet.]
*********************************************
NEWBIE NOTE: It's not a good idea to connect to a host
on which you don't have a valid account. In your attempts
to guess a username and password, all you will do is fill the
log files on that host. From there, you can very easily be traced,
and your online service provider will probably cancel your account.
**********************************************
Now, you can also use telnet to connect to other ports, such
as
ftp (21), smtp (25), pop3 (110), and even http (80). When
you
connect to ftp, smtp, and pop3, you will be presented with a
banner, or a line of text that displays some information about
the
service. This will give you a clue as to the operating
system
running on the host computer, or it may come right out and tell
you what the operating system is...for instance, AIX, Linux,
Solaris, or NT. If you successfully connect to port 80,
you will
see a blank screen. This indicates, again, that you have
successfully completed the TCP negotiation and you have a connection.
Now, what you do from there is up to you. You can simply
disconnect with the knowledge that, yes, there is a service running
on port 80, or you can use your knowledge of the HTTP protocol
to retrieve the HTML source for web pages on the server.
How to Download Web Pages Via Telnet
To retrieve a web page for a server using telnet, you need
to connect to that server on port 80, generally. Some servers
may use a different port number, such as 8080, but most web servers
run on port 80. The first thing you need to do is click
on Terminal -> Preferences and make sure that there is a check
in the Local Echo box. Then, since most web pages will
generally take up more than a single screen, enable logging by
clicking Terminal -> Start Logging... and select a location
and filename. Keep in mind that as long as logging is on,
and the same file is being logged to, all new information will
be appended to the file, rather than overwriting the
original file. This is useful if you want to record several
sessions, and edit out the extraneous information using Notepad.
Now, connect the remote host, and if your connection is successful,
type in:
GET / HTTP/1.0
and hit enter twice.
**************************************************
NEWBIE NOTE: Make sure that you hit enter twice...this
is part
of the HTTP protocol. The single / after GET tells the
server
to return the default index file, which is generally "index.html".
However, you can enter other filenames, as well.
*************************************************
You should have seen a bunch of text scroll by on the screen.
Now you can open the log file in Notepad, and you will see the
HTML
code for the page, just as though you had chosen the View Source
option from your web browser. You will also get some additional
information...the headers for the file will contain some information
about the server. For example:
HTTP/1.0 200 Document
follows
Date: Thu, 04 Jun
1998 14:46:46 GMT
Server: NCSA/1.5.2
Last-modified: Thu,
19 Feb 1998 17:44:13 GMT
Content-type: text/html
Content-length: 3196
One particularly interesting piece of information is the server
name. This refers to the web server software that is running
and serving web pages. You may see other names in this
field,
such as versions of Microsoft IIS, Purveyor, WebSite, etc.
This will give you a clue as to the underlying operating system
running on the server.
*************************************************
SYSADMIN NOTE: This technique, used in conjunction with
a
database of exploits on web servers, can be particularly annoying.
Make sure you keep up on exploits and the appropriate security
patches from your web server and operating system vendors.
*************************************************
*************************************************
NEWBIE NOTE: This technique of gathering web pages is perfectly
legal. You aren't attempting to compromise the target system,
you are simply doing by hand what your web browser does for you
automatically. Of course, this technique will not load
images and Java applets for you.
************************************************
Getting Finger Information Via Telnet
By now, you've probably heard or read a lot about finger.
It doesn't seem like a very useful service, and many sysadmins
disable the service because it provides information on a particular
user, information an evil hacker can take advantage of.
Win95 doesn't ship with a finger client, but NT does. You
can download finger clients for Win95 from any number of software
sites. But why do that when you have a readily available
client in telnet?
The finger daemon or server runs on port 79, so connect to
a remote host on that port. If the service is running,
you will be presented with a blank screen.
****************************************************
NEWBIE NOTE: NT doesn't ship with a finger daemon (A daemon
is a program on the remote computer which waits for people like
you to connect to it), so generally speaking, and server that
you find running finger will be a Unix box. I say "generally"
because there are third-party finger daemons available and someone
may want to run one on their NT computer.
****************************************************
The blank screen indicates that the finger daemon is waiting
for input. If you have a particular user that you are interested
in, type in the username and hit enter. A response will
be provided, and the daemon will disconnect the client.
If you don't know a particular username, you can start by simply
hitting enter. In some cases, you may get a response such
as "No one logged on." Or you may get information of
all currently logged on users. It all depends on whether
or not the sysadmin has chosen to enable certain features of
the daemon. You can also try other names, such as "root",
"daemon", "ftp", "bin", etc.
Another neat trick to try out is something that I have seen
referred to as "finger forwarding". To try this
out, you need two hosts that run finger. Connect to the
first host, host1.com, and enter the username that you are interested
in. Then go to the second host, and enter:
user@host1.com
You should see the same information! Again, this all
depends upon
the configuration of the finger daemon.
Using Telnet from the Command Line
Now, if you want to show your friends that you a "real
man" because "real men don't need no stinkin' GUIs",
well just open up a DOS window and type:
c:\>telnet <host> <port>
and the program will automatically attempt to connect to the
host
on the designated port for you.
Using Netcat
Let me start by giving a mighty big thanks to Weld Pond from
L0pht for producing the netcat program for Windows NT.
To get a copy of this program, which comes with source code,
simply go to:
http://www.l0pht.com/~weld
NOTE: The first character of "l0pht: is the letter
"l". The second character is a zero, not an "o".
I know that the program is supposed to run on NT, but I have
seen it run on Win95. It's a great little program that
can be used
to do some of the same things as telnet. However, there
are
advantages to using netcat...for one, it's a command-line program,
and it can be included in a batch file. In fact, you can
automate
multiple calls to netcat in a batch file, saving the results
to
a text file.
**************************************************
NEWBIE NOTE: For more information on batch files, see previous
versions of the Guide To (mostly) Harmless Hacking, Getting Serious
with Windows series ...one of them dealt with basic batch file
programming.
**************************************************
Before using netcat, take a look at the readme.txt file provided
in
the zipped archive you downloaded. It goes over the instructions
on how to download web pages using netcat, similar to what I
described earlier using telnet.
There are two ways to go about getting finger information
using
netcat. The first is in interactive mode. Simply
type:
c:\>nc <host> 79
If the daemon is running, you won't get a command prompt back.
If this is the case, type in the username and hit enter. Or use
the automatic mode by first creating a text file containing the
username of interest. For example, I typed:
c:\>edit root
and entered the username "root", without the quotes.
Then from
the command prompt, type:
c:\>nc <host> 79 < root
and the response will appear on your screen. You can
save the
output to a file by adding the appropriate redirection operator
to the end of the file:
c:\>nc <host> 79 < root > nc.log
to create the file nc.log, or:
c:\>nc <host> 79 < root >> nc.log
to append the response to the end of nc.log. NOTE:
Make sure
that you use spaces between the redirection operators.
How to Break into a Windows 95 machine Connected to the Internet
Disclaimer
The intent of this file is NOT to provide a step-by-step guide
to accessing a Win95 computer while it is connected to the Internet.
The intent is show you how to protect yourself.
There are no special tools needed to access a remote Win95
machine...everything you need is right there on your Win95 system!
Two methods will be described...the command-line approach and
the GUI approach.
Protecting Yourself
First, the method of protecting yourself needs to be made
perfectly clear. DON'T SHARE FILES!! I can't stress
that enough. If you are a home user, and you are connecting a
Win95 computer to the Internet via some dial-up method, disable
sharing. If you must share, use a strong password...8 characters
minimum, a mix of upper and lower case letters and numbers, change
the password every now and again. If you need to transmit
the
password to someone, do so over the phone or by written letter.
To disable sharing, click on My Computer -> Control Panel
-> Network -> File and Print Sharing. In the dialog
box that appears, uncheck both boxes. It's that easy.
What Can They Do?
What can someone do? Well, lots of stuff, but it largely
depends on what shares are available. If someone is able
to share a printer from your machine, they can send you annoying
letters and messages. This consumes time, your printer
ink/toner, and your paper. If they are able to share a
disk share, what they can do largely depends upon what's in that
share. The share appears as another directory on the attacker's
machine, so any programs they run will be consuming their own
resources...memory, cpu cycles, etc. But if the attacker has
read and write access to those disk shares, then you're in trouble.
If you take work home, your files may be vulnerable. Initialization
and configuration files can be searched for passwords.
Files can be modified and deleted. A particularly nasty thing
to do is adding a line to your autoexec.bat file so that the
next time your computer is booted, the hard drive is formatted
without any prompting from the user. Bad ju-ju, indeed.
** The command-line approach **
Okay, now for the part that should probably be titled "How
they do it". All that is needed is the IP address
of the remote machine. Now open up a DOS window, and at the command
prompt, type:
c:\>nbtstat -A [ip_addr]
If the remote machine is connected to the Internet and the
ports used for sharing are not blocked, you should see something
like:
NetBIOS Remote Machine
Name Table
Name
Type Status
---------------------------------------------
NAME
<00> UNIQUE Registered
DOMAIN <00>
GROUP Registered
NAME
<03> UNIQUE Registered
USERNAME <03>
UNIQUE Registered
MAC Address = 00-00-00-00-00-00
This machine name table shows the machine and domain names,
a logged-on username, and the address of the Ethernet adapter
(the information has been obfuscated for instructional purposes).
**Note: This machine, if unpatched and not protected
with a firewall or packet-filter router, may be vulnerable to
a range of denial of service attacks, which seem to be fairly
popular, largely because they require no skill or knowledge to
perpetrate.
The key piece of information that you are looking for is in
the Type column. A machine that has sharing enabled will
have a hex code of "<20>".
**Note: With the right tools, it is fairly simple for
a sysadmin to write a batch file that combs a subnet or her entire
network, looking for client machines with sharing enabled.
This batch file can then be run at specific times...every day
at 2:00 am, only on Friday evenings or weekends, etc.
If you find a machine with sharing enabled, the next thing
to do is type the following command:
c:\>net view \\[ip_addr]
Now, your response may be varied. You may find that
there are no shares on the list, or that there are several shares
available. Choose which share you would like to connect to, and
type the command:
c:\>net use g: \\[ip_addr]\[share_name]
You will likely get a response that the command was completed
successfully. If that is the case, type:
c:\>cd g:
or which ever device name you decided to use. You can
now view what exists on that share using the dir commands, etc.
Now, you may be presented with a password prompt when you
ssue the above command. If that is the case, typical "hacker"
(I shudder at that term) methods may be used.
** The GUI approach **
After issuing the nbtstat command, you can opt for the GUI
approach to accessing the shares on that machine. To do
so, make sure that you leave the DOS window open, or minimized...don't
close it. Now, use Notepad to open this file:
c:\windows\lmhosts.sam
Read over the file, and then open create another file in Notepad,
called simply "Lmhosts", without an extension.
The file should contain the IP address of the host, the NetBIOS
name of the host (from the nbtstat command), and #PRE, separated
by tabs. Once you have added this information, save it,
and minimize the window. In the DOS command window, type:
c:\>nbtstat -R
This command reloads the cache from the Lmhosts file you just
created.
Now, click on Start -> Find -> Computer, and type in
the NetBIOS name of the computer...the same one you added to
the lmhosts file. If your attempt to connect to the machine is
successful, you should be presented with a window containing
the available shares. You may be presented with a password
prompt window, but again, typical "hacker" (again,
that term grates on me like fingernails on a chalk board, but
today, it seems that it's all folks understand) techniques may
be used to break the password.
************************************************
Note from Carolyn Meinel: Want to try this stuff without winding
up in jail or getting expelled from school? Get a friend to give
you permission to try to break in.
First, you will need his or her IP address. Usually
this will be different every time your friend logs on.
You friend can learn his or her IP address by going to the DOS
prompt while online and giving the command "netstat -r".
Something like this should show up:
C:\WINDOWS>netstat -r
Route Table
Active Routes:
Network Address
Netmask Gateway Address
Interface Metric
0.0.0.0
0.0.0.0 198.999.176.84 198.999.176.84
1
127.0.0.0
255.0.0.0 127.0.0.1
127.0.0.1 1
198.999.176.0 255.255.255.0
198.999.176.84 198.999.176.84
1
198.999.176.84 255.255.255.255
127.0.0.1 127.0.0.1
1
198.999.176.255 255.255.255.255
198.999.176.84 198.999.176.84
1
224.0.0.0
224.0.0.0 198.999.176.84
198.999.176.84 1
255.255.255.255 255.255.255.255
198.999.176.84
0.0.0.0 1
Your friend's IP address should be under "Gateway Address."
Ignore the 127.0.0.1 as this will show up for everyone and simply
means "locahost" or "my own computer."
If in doubt, break the Internet connection and then get online
again. The number that changes is the IP address of your
friend's computer.
***************************************************
**************************************************
Evil Genius tip: Here is something really scary. In your
shell account give the "netstat" command. If
your ISP allows you to use it, you might be able to get the dynamically
assigned IP addresses of people from all over the world -- everyone
who is browsing a Web site hosted by your ISP, everyone using
ftp, spammers you might catch red-handed in the act of forging
email on your ISP, guys up at 2AM playing on multiuser dungeons,
IRC users, in fact you will see everyone who is connected to
your ISP!
****************************************************
***************************************************
YOU CAN GO TO JAIL WARNING: If you find a Windows 95 box on the
Internet with file sharing enabled and no password protection,
you can still get in big trouble for exploiting it. It's
just like finding a house whose owner forgot to lock the door
-- you still are in trouble if someone catches you inside.
Tell temptation to take a hike!
************************************************
Final Words
Please remember that this Guide is for instructional purposes
only and is meant to educate the sysadmin and user alike.
If someone uses this information to gain access to a system which
they have no permission or business messing with, I (keydet)
cannot be responsible for the outcome. If you are intending
to try this information out, do so with the consent and permission
of a friend.
If there are questions, comments, or corrections, please feel
free to email me at keydet89@yahoo.com.
____________________________________________________
© 1998 KeyDet89 <keydet89@yahoo.com>. You may forward
or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site
as long as you leave this notice at the end.
