GUIDE TO (mostly) HARMLESS HACKING
Vol. 2 Number 4
More intro to TCP/IP: port surfing! Daemons!
How to get on almost any computer without logging in and without
breaking the law. Impress your clueless friends and actually discover
kewl, legal, safe stuph.
____________________________________________________________
A few days ago I had a lady friend visiting. She’s 42 and
doesn’t own a computer. However, she is taking a class on
personal computers at a community college. She wanted to know
what all this hacking stuph is about. So I decided to introduce
her to port surfing. And while doing it, we stumbled across something
kewl.
Port surfing takes advantage of the structure of TCP/IP. This
is the protocol (set of rules) used for computers to talk to each
other over the Internet. One of the basic principles of Unix (the
most popular operating system on the Internet) is to assign a
“port” to every function that one computer might command
another to perform. Common examples are to send and receive email,
read Usenet newsgroups, telnet, transfer files, and offer Web
pages.
************************
Newbie note #1: A computer port is a place where information goes
in or out of it. On your home computer, examples of ports are
your monitor, which sends information out, your keyboard and mouse,
which send information in, and your modem, which sends information
both out and in.
But an Internet host computer such as callisto.unm.edu has many
more ports than a typical home computer. These ports are identified
by numbers. Now these are not all physical ports, like a keyboard
or RS232 serial port (for your modem). They are virtual (software)
ports.
A “service” is a program running on a “port.”
When you telnet to a port, that program is up and running, just
waiting for your input. Happy hacking!
************************
So if you want to read a Web page, your browser contacts port
number 80 and tells the computer that manages that Web site to
let you in. And, sure enough, you get into that Web server computer
without a password.
OK, big deal. That’s pretty standard for the Internet. Many
-- most -- computers on the Internet will let you do some things
with them without needing a password,
However, the essence of hacking is doing things that aren’t
obvious. That don’t just jump out at you from the manuals.
One way you can move a step up from the run of the mill computer
user is to learn how to port surf.
The essence of port surfing is to pick out a target computer
and explore it to see what ports are open and what you can do
with them.
Now if you are a lazy hacker you can use canned hacker tools
such as Satan or Netcat. These are programs you can run from Linux,
FreeBSD or Solaris (all types of Unix) from your PC. They automatically
scan your target computers. They will tell you what ports are
in use. They will also probe these ports for presence of daemons
with know security flaws, and tell you what they are.
********************************
Newbie note # 2: A daemon is not some sort of grinch or gremlin
or 666 guy. It is a program that runs in the background on many
(but not all) Unix system ports. It waits for you to come along
and use it. If you find a daemon on a port, it’s probably
hackable. Some hacker tools will tell you what the hackable features
are of the daemons they detect.
********************************
However, there are several reasons to surf ports by hand instead
of automatically.
1) You will learn something. Probing manually you get a gut feel
for how the daemon running on that port behaves. It’s the
difference between watching an x-rated movie and (blush).
2) You can impress your friends. If you run a canned hacker tool
like Satan your friends will look at you and say, “Big deal.
I can run programs, too.” They will immediately catch on
to the dirty little secret of the hacker world. Most hacking exploits
are just lamerz running programs they picked up from some BBS
or ftp site. But if you enter commands keystroke by keystroke
they will see you using your brain. And you can help them play
with daemons, too, and give them a giant rush.
3) The truly elite hackers surf ports and play with daemons by
hand because it is the only way to discover something new. There
are only a few hundred hackers -- at most -- who discover new
stuph. The rest just run canned exploits over and over and over
again. Boring. But I am teaching you how to reach the pinnacle
of hackerdom.
(Note: This was written in 1996, when
scanning the prots of other people's computers was not common.
But nowadays there are many more malicious hackers breaking into
computers. And the first thing these bad guys do when they break
into a computer is to run a program that scans all the ports for
them. Because of this, if you run a port scanning program against
a computer without getting permission first from the owner, he
or she will assume you are a criminal. The result will be that
you get kicked off your Internet Service Provider. If you just
look at a prot or two by hand as shown in this Guide, you are
less likely to get into trouble.)
Now let me tell you what my middle aged friend and I discovered
just messing around. First, we decided we didn’t want to
waste our time messing with some minor little host computer. Hey,
let’s go for the big time!
So how do you find a big kahuna computer on the Internet? We
started with a domain which consisted of a LAN of PCs running
Linux that I happened to already know about, that is used by the
New Mexico Internet Access ISP: nmia.com.
*****************************
Newbie Note # 3: A domain is an Internet address. You can use
it to look up who runs the computers used by the domain, and also
to look up how that domain is connected to the rest of the Internet.
*****************************
So to do this we first logged into my shell account with Southwest
Cyberport. I gave the command:
<slug> [66] ->whois nmia.com
New Mexico Internet Access (NMIA-DOM)
2201 Buena Vista SE
Albuquerque, NM 87106
Domain Name: NMIA.COM
Administrative Contact, Technical Contact, Zone
Contact:
Orrell, Stan (SO11)
SAO@NMIA.COM
(505) 877-0617
Record last updated on 11-Mar-94.
Record created on 11-Mar-94.
Domain servers in listed order:
NS.NMIA.COM
198.59.166.10
GRANDE.NM.ORG
129.121.1.2
Now it’s a good bet that grande.nm.org is serving a lot
of other Internet hosts beside nmia.com. Here’s how we port
surf our way to find this out:
<slug> [67] ->telnet grande.nm.org 15
Trying 129.121.1.2 ...
Connected to grande.nm.org.
Escape character is '^]'.
TGV MultiNet V3.5 Rev B, VAX 4000-400, OpenVMS VAX V6.1
Product
License Authorization
Expiration Date
----------
------- -------------
---------------
MULTINET
Yes A-137-1641
(none)
NFS-CLIENT
Yes A-137-113237
(none)
*** Configuration for file "MULTINET:NETWORK_DEVICES.CONFIGURATION"
***
Device
Adapter CSR Address
Flags/Vector
------
------- -----------
------------
se0 (Shared VMS Ethernet/FDDI)
-NONE- -NONE-
-NONE-
MultiNet Active Connections, including servers:
Proto Rcv-Q Snd-Q Local Address (Port)
Foreign Address (Port) State
----- ----- ----- ------------------
------------------ -----
TCP 0 822
GRANDE.NM.ORG(NETSTAT) 198.59.115.24(1569)
ESTABLISHED
TCP 0
0 GRANDE.NM.ORG(POP3) 164.64.201.67(1256)
ESTABLISHED
TCP 0
0 GRANDE.NM.ORG(4918) 129.121.254.5(TELNET)
ESTABLISHED
TCP 0
0 GRANDE.NM.ORG(TELNET) AVATAR.NM.ORG(3141)
ESTABLISHED
TCP 0
0 *(NAMESERVICE)
*(*)
LISTEN
TCP 0
0 *(TELNET)
*(*)
LISTEN
TCP 0
0 *(FTP)
*(*)
LISTEN
TCP 0
0 *(FINGER)
*(*)
LISTEN
TCP 0
0 *(NETSTAT)
*(*)
LISTEN
TCP 0
0 *(SMTP)
*(*)
LISTEN
TCP 0
0 *(LOGIN)
*(*)
LISTEN
TCP 0
0 *(SHELL)
*(*)
LISTEN
TCP 0
0 *(EXEC)
*(*)
LISTEN
TCP 0
0 *(RPC)
*(*)
LISTEN
TCP 0
0 *(NETCONTROL)
*(*)
LISTEN
TCP 0
0 *(SYSTAT)
*(*)
LISTEN
TCP 0
0 *(CHARGEN)
*(*)
LISTEN
TCP 0
0 *(DAYTIME)
*(*)
LISTEN
TCP 0
0 *(TIME)
*(*)
LISTEN
TCP 0
0 *(ECHO)
*(*)
LISTEN
TCP 0
0 *(DISCARD)
*(*)
LISTEN
TCP 0
0 *(PRINTER)
*(*)
LISTEN
TCP 0
0 *(POP2)
*(*)
LISTEN
TCP 0
0 *(POP3)
*(*)
LISTEN
TCP 0
0 *(KERBEROS_MASTER) *(*)
LISTEN
TCP 0
0 *(KLOGIN)
*(*)
LISTEN
TCP 0
0 *(KSHELL)
*(*)
LISTEN
TCP 0
0 GRANDE.NM.ORG(4174) OSO.NM.ORG(X11)
ESTABLISHED
TCP 0
0 GRANDE.NM.ORG(4172) OSO.NM.ORG(X11)
ESTABLISHED
TCP 0
0 GRANDE.NM.ORG(4171) OSO.NM.ORG(X11)
ESTABLISHED
TCP 0
0 *(FS)
*(*)
LISTEN
UDP 0
0 *(NAMESERVICE)
*(*)
UDP 0
0 127.0.0.1(NAMESERVICE) *(*)
UDP 0
0 GRANDE.NM.OR(NAMESERV) *(*)
UDP 0
0 *(TFTP)
*(*)
UDP 0
0 *(BOOTPS)
*(*)
UDP 0
0 *(KERBEROS)
*(*)
UDP 0
0 127.0.0.1(KERBEROS) *(*)
UDP 0
0 GRANDE.NM.OR(KERBEROS) *(*)
UDP 0
0 *(*)
*(*)
UDP 0
0 *(SNMP)
*(*)
UDP 0
0 *(RPC)
*(*)
UDP 0
0 *(DAYTIME)
*(*)
UDP 0
0 *(ECHO)
*(*)
UDP 0
0 *(DISCARD)
*(*)
UDP 0
0 *(TIME)
*(*)
UDP 0
0 *(CHARGEN)
*(*)
UDP 0
0 *(TALK)
*(*)
UDP 0
0 *(NTALK)
*(*)
UDP 0
0 *(1023)
*(*)
UDP 0
0 *(XDMCP)
*(*)
MultiNet registered RPC programs:
Program Version Protocol
Port
------- ------- --------
----
PORTMAP 2
TCP 111
PORTMAP 2
UDP 111
MultiNet IP Routing tables:
Destination Gateway
Flags Refcnt Use
Interface MTU
---------- ----------
----- ------ -----
--------- ----
198.59.167.1 LAWRII.NM.ORG
Up,Gateway,H 0 2
se0 1500
166.45.0.1 ENSS365.NM.ORG
Up,Gateway,H 0 4162
se0 1500
205.138.138.1 ENSS365.NM.ORG Up,Gateway,H
0 71
se0 1500
204.127.160.1 ENSS365.NM.ORG Up,Gateway,H
0 298
se0 1500
127.0.0.1 127.0.0.1
Up,Host 5
1183513 lo0 4136
198.59.167.2 LAWRII.NM.ORG
Up,Gateway,H 0 640
se0 1500
192.132.89.2 ENSS365.NM.ORG
Up,Gateway,H 0 729
se0 1500
207.77.56.2 ENSS365.NM.ORG
Up,Gateway,H 0 5
se0 1500
204.97.213.2 ENSS365.NM.ORG
Up,Gateway,H 0 2641
se0 1500
194.90.74.66 ENSS365.NM.ORG
Up,Gateway,H 0 1
se0 1500
204.252.102.2 ENSS365.NM.ORG Up,Gateway,H
0 109
se0 1500
205.160.243.2 ENSS365.NM.ORG Up,Gateway,H
0 78
se0 1500
202.213.4.2 ENSS365.NM.ORG
Up,Gateway,H 0 4
se0 1500
202.216.224.66 ENSS365.NM.ORG Up,Gateway,H
0 113
se0 1500
192.132.89.3 ENSS365.NM.ORG
Up,Gateway,H 0 1100
se0 1500
198.203.196.67 ENSS365.NM.ORG Up,Gateway,H
0 385
se0 1500
160.205.13.3 ENSS365.NM.ORG
Up,Gateway,H 0 78
se0 1500
202.247.107.131 ENSS365.NM.ORG Up,Gateway,H
0 19
se0 1500
198.59.167.4 LAWRII.NM.ORG
Up,Gateway,H 0 82
se0 1500
128.148.157.6 ENSS365.NM.ORG Up,Gateway,H
0 198
se0 1500
160.45.10.6 ENSS365.NM.ORG
Up,Gateway,H 0 3
se0 1500
128.121.50.7 ENSS365.NM.ORG
Up,Gateway,H 0 3052
se0 1500
206.170.113.8 ENSS365.NM.ORG Up,Gateway,H
0 1451 se0
1500
128.148.128.9 ENSS365.NM.ORG Up,Gateway,H
0 1122 se0
1500
203.7.132.9 ENSS365.NM.ORG
Up,Gateway,H 0 14
se0 1500
204.216.57.10 ENSS365.NM.ORG Up,Gateway,H
0 180
se0 1500
130.74.1.75 ENSS365.NM.ORG
Up,Gateway,H 0 10117
se0 1500
206.68.65.15 ENSS365.NM.ORG
Up,Gateway,H 0 249
se0 1500
129.219.13.81 ENSS365.NM.ORG Up,Gateway,H
0 547
se0 1500
204.255.246.18 ENSS365.NM.ORG Up,Gateway,H
0 1125 se0
1500
160.45.24.21 ENSS365.NM.ORG
Up,Gateway,H 0 97
se0 1500
206.28.168.21 ENSS365.NM.ORG Up,Gateway,H
0 2093 se0
1500
163.179.3.222 ENSS365.NM.ORG Up,Gateway,H
0 315
se0 1500
198.109.130.33 ENSS365.NM.ORG Up,Gateway,H
0 1825 se0
1500
199.224.108.33 ENSS365.NM.ORG Up,Gateway,H
0 11362 se0
1500
203.7.132.98 ENSS365.NM.ORG
Up,Gateway,H 0 73
se0 1500
198.111.253.35 ENSS365.NM.ORG Up,Gateway,H
0 1134 se0
1500
206.149.24.100 ENSS365.NM.ORG Up,Gateway,H
0 3397 se0
1500
165.212.105.106 ENSS365.NM.ORG Up,Gateway,H
0 17
se0 1006
205.238.3.241 ENSS365.NM.ORG Up,Gateway,H
0 69
se0 1500
198.49.44.242 ENSS365.NM.ORG Up,Gateway,H
0 25
se0 1500
194.22.188.242 ENSS365.NM.ORG Up,Gateway,H
0 20
se0 1500
164.64.0 LAWRII.NM.ORG
Up,Gateway 1 40377
se0 1500
0.0.0
ENSS365.NM.ORG Up,Gateway 2
4728741 se0 1500
207.66.1 GLORY.NM.ORG
Up,Gateway 0 51
se0 1500
205.166.1 GLORY.NM.ORG
Up,Gateway 0 1978
se0 1500
204.134.1 LAWRII.NM.ORG
Up,Gateway 0 54
se0 1500
204.134.2 GLORY.NM.ORG
Up,Gateway 0 138
se0 1500
192.132.2 129.121.248.1
Up,Gateway 0 6345
se0 1500
204.134.67 GLORY.NM.ORG
Up,Gateway 0 2022
se0 1500
206.206.67 GLORY.NM.ORG
Up,Gateway 0 7778
se0 1500
206.206.68 LAWRII.NM.ORG
Up,Gateway 0 3185
se0 1500
207.66.5 GLORY.NM.ORG
Up,Gateway 0 626
se0 1500
204.134.69 GLORY.NM.ORG
Up,Gateway 0 7990
se0 1500
207.66.6 GLORY.NM.ORG
Up,Gateway 0 53
se0 1500
204.134.70 LAWRII.NM.ORG
Up,Gateway 0 18011
se0 1500
192.188.135 GLORY.NM.ORG
Up,Gateway 0 5
se0 1500
206.206.71 LAWRII.NM.ORG
Up,Gateway 0 2
se0 1500
204.134.7 GLORY.NM.ORG
Up,Gateway 0 38
se0 1500
199.89.135 GLORY.NM.ORG
Up,Gateway 0 99
se0 1500
198.59.136 LAWRII.NM.ORG
Up,Gateway 0 1293
se0 1500
204.134.9 GLORY.NM.ORG
Up,Gateway 0 21
se0 1500
204.134.73 GLORY.NM.ORG
Up,Gateway 0 59794
se0 1500
129.138.0 GLORY.NM.ORG
Up,Gateway 0 5262
se0 1500
192.92.10 LAWRII.NM.ORG
Up,Gateway 0 163
se0 1500
206.206.75 LAWRII.NM.ORG
Up,Gateway 0 604
se0 1500
207.66.13 GLORY.NM.ORG
Up,Gateway 0 1184
se0 1500
204.134.77 LAWRII.NM.ORG
Up,Gateway 0 3649
se0 1500
207.66.14 GLORY.NM.ORG
Up,Gateway 0 334
se0 1500
204.134.78 GLORY.NM.ORG
Up,Gateway 0 239
se0 1500
204.52.207 GLORY.NM.ORG
Up,Gateway 0 293
se0 1500
204.134.79 GLORY.NM.ORG
Up,Gateway 0 1294
se0 1500
192.160.144 LAWRII.NM.ORG
Up,Gateway 0 117
se0 1500
206.206.80 PENNY.NM.ORG
Up,Gateway 0 4663
se0 1500
204.134.80 GLORY.NM.ORG
Up,Gateway 0 91
se0 1500
198.99.209 LAWRII.NM.ORG
Up,Gateway 0 1136
se0 1500
207.66.17 GLORY.NM.ORG
Up,Gateway 0 24173
se0 1500
204.134.82 GLORY.NM.ORG
Up,Gateway 0 29766
se0 1500
192.41.211 GLORY.NM.ORG
Up,Gateway 0 155
se0 1500
192.189.147 LAWRII.NM.ORG
Up,Gateway 0 3133
se0 1500
204.134.84 PENNY.NM.ORG
Up,Gateway 0 189
se0 1500
204.134.87 LAWRII.NM.ORG
Up,Gateway 0 94
se0 1500
146.88.0 GLORY.NM.ORG
Up,Gateway 0 140
se0 1500
192.84.24 GLORY.NM.ORG
Up,Gateway 0 3530
se0 1500
204.134.88 LAWRII.NM.ORG
Up,Gateway 0 136
se0 1500
198.49.217 GLORY.NM.ORG
Up,Gateway 0 303
se0 1500
192.132.89 GLORY.NM.ORG
Up,Gateway 0 3513
se0 1500
198.176.219 GLORY.NM.ORG
Up,Gateway 0 1278
se0 1500
206.206.92 LAWRII.NM.ORG
Up,Gateway 0 1228
se0 1500
192.234.220 129.121.1.91
Up,Gateway 0 2337
se0 1500
204.134.92 LAWRII.NM.ORG
Up,Gateway 0 13995
se0 1500
198.59.157 LAWRII.NM.ORG
Up,Gateway 0 508
se0 1500
206.206.93 GLORY.NM.ORG
Up,Gateway 0 635
se0 1500
204.134.93 GLORY.NM.ORG
Up,Gateway 0 907
se0 1500
198.59.158 LAWRII.NM.ORG
Up,Gateway 0 14214
se0 1500
198.59.159 LAWRII.NM.ORG
Up,Gateway 0 1806
se0 1500
204.134.95 PENNY.NM.ORG
Up,Gateway 0 3644
se0 1500
206.206.96 GLORY.NM.ORG
Up,Gateway 0 990
se0 1500
206.206.161 LAWRII.NM.ORG
Up,Gateway 0 528
se0 1500
198.59.97 PENNY.NM.ORG
Up,Gateway 0 55
se0 1500
198.59.161 LAWRII.NM.ORG
Up,Gateway 0 497
se0 1500
192.207.226 GLORY.NM.ORG
Up,Gateway 0 93217
se0 1500
198.59.99 PENNY.NM.ORG
Up,Gateway 0 2
se0 1500
198.59.163 GLORY.NM.ORG
Up,Gateway 0 3379
se0 1500
192.133.100 LAWRII.NM.ORG
Up,Gateway 0 3649
se0 1500
204.134.100 GLORY.NM.ORG
Up,Gateway 0 8
se0 1500
128.165.0 PENNY.NM.ORG
Up,Gateway 0 15851
se0 1500
198.59.165 GLORY.NM.ORG
Up,Gateway 0 274
se0 1500
206.206.165 LAWRII.NM.ORG
Up,Gateway 0 167
se0 1500
206.206.102 GLORY.NM.ORG
Up,Gateway 0 5316
se0 1500
160.230.0 LAWRII.NM.ORG
Up,Gateway 0 19408
se0 1500
206.206.166 LAWRII.NM.ORG
Up,Gateway 0 1756
se0 1500
205.166.231 GLORY.NM.ORG
Up,Gateway 0 324
se0 1500
198.59.167 GLORY.NM.ORG
Up,Gateway 0 1568
se0 1500
206.206.103 GLORY.NM.ORG
Up,Gateway 0 3629
se0 1500
198.59.168 GLORY.NM.ORG
Up,Gateway 0 9063
se0 1500
206.206.104 GLORY.NM.ORG
Up,Gateway 0 7333
se0 1500
206.206.168 GLORY.NM.ORG
Up,Gateway 0 234
se0 1500
204.134.105 LAWRII.NM.ORG
Up,Gateway 0 4826
se0 1500
206.206.105 LAWRII.NM.ORG
Up,Gateway 0 422
se0 1500
204.134.41 LAWRII.NM.ORG
Up,Gateway 0 41782
se0 1500
206.206.169 GLORY.NM.ORG
Up,Gateway 0 5101
se0 1500
204.134.42 GLORY.NM.ORG
Up,Gateway 0 10761
se0 1500
206.206.170 GLORY.NM.ORG
Up,Gateway 0 916
se0 1500
198.49.44 GLORY.NM.ORG
Up,Gateway 0 3
se0 1500
198.59.108 GLORY.NM.ORG
Up,Gateway 0 2129
se0 1500
204.29.236 GLORY.NM.ORG
Up,Gateway 0 125
se0 1500
206.206.172 GLORY.NM.ORG
Up,Gateway 0 5839
se0 1500
204.134.108 GLORY.NM.ORG
Up,Gateway 0 3216
se0 1500
206.206.173 GLORY.NM.ORG
Up,Gateway 0 374
se0 1500
198.175.173 LAWRII.NM.ORG
Up,Gateway 0 6227
se0 1500
198.59.110 GLORY.NM.ORG
Up,Gateway 0 1797
se0 1500
198.51.238 GLORY.NM.ORG
Up,Gateway 0 1356
se0 1500
192.136.110 GLORY.NM.ORG
Up,Gateway 0 583
se0 1500
204.134.48 GLORY.NM.ORG
Up,Gateway 0 42
se0 1500
198.175.176 LAWRII.NM.ORG
Up,Gateway 0 32
se0 1500
206.206.114 LAWRII.NM.ORG
Up,Gateway 0 44
se0 1500
206.206.179 LAWRII.NM.ORG
Up,Gateway 0 14
se0 1500
198.59.179 PENNY.NM.ORG
Up,Gateway 0 222
se0 1500
198.59.115 GLORY.NM.ORG
Up,Gateway 1 132886
se0 1500
206.206.181 GLORY.NM.ORG
Up,Gateway 0 1354
se0 1500
206.206.182 SIENNA.NM.ORG
Up,Gateway 0 16
se0 1500
206.206.118 GLORY.NM.ORG
Up,Gateway 0 3423
se0 1500
206.206.119 GLORY.NM.ORG
Up,Gateway 0 282
se0 1500
206.206.183 SIENNA.NM.ORG
Up,Gateway 0 2473
se0 1500
143.120.0 LAWRII.NM.ORG
Up,Gateway 0 123533
se0 1500
206.206.184 GLORY.NM.ORG
Up,Gateway 0 1114
se0 1500
205.167.120 GLORY.NM.ORG
Up,Gateway 0 4202
se0 1500
206.206.121 GLORY.NM.ORG
Up,Gateway 1 71
se0 1500
129.121.0 GRANDE.NM.ORG
Up
12 21658599 se0
1500
204.134.122 GLORY.NM.ORG
Up,Gateway 0 195
se0 1500
204.134.58 GLORY.NM.ORG
Up,Gateway 0 7707
se0 1500
128.123.0 GLORY.NM.ORG
Up,Gateway 0 34416
se0 1500
204.134.59 GLORY.NM.ORG
Up,Gateway 0 1007
se0 1500
204.134.124 GLORY.NM.ORG
Up,Gateway 0 37160
se0 1500
206.206.124 LAWRII.NM.ORG
Up,Gateway 0 79
se0 1500
206.206.125 PENNY.NM.ORG
Up,Gateway 0 233359
se0 1500
204.134.126 GLORY.NM.ORG
Up,Gateway 0 497
se0 1500
206.206.126 LAWRII.NM.ORG
Up,Gateway 0 13644
se0 1500
204.69.190 GLORY.NM.ORG
Up,Gateway 0 4059
se0 1500
206.206.190 GLORY.NM.ORG
Up,Gateway 0 1630
se0 1500
204.134.127 GLORY.NM.ORG
Up,Gateway 0 45621
se0 1500
206.206.191 GLORY.NM.ORG
Up,Gateway 0 3574
se0 1500
MultiNet IPX Routing tables:
Destination Gateway
Flags Refcnt Use
Interface MTU
---------- ----------
----- ------ -----
--------- ----
MultiNet ARP table:
Host Network Address
Ethernet Address Arp Flags
--------------------------------------------
---------------- ---------
GLORY.NM.ORG (IP 129.121.1.4)
AA:00:04:00:61:D0 Temporary
[UNKNOWN] (IP 129.121.251.1)
00:C0:05:01:2C:D2 Temporary
NARANJO.NM.ORG (IP 129.121.1.56)
08:00:87:04:9F:42 Temporary
CHAMA.NM.ORG (IP 129.121.1.8)
AA:00:04:00:0C:D0 Temporary
[UNKNOWN] (IP 129.121.251.5)
AA:00:04:00:D2:D0 Temporary
LAWRII.NM.ORG (IP 129.121.254.10)
AA:00:04:00:5C:D0 Temporary
[UNKNOWN] (IP 129.121.1.91)
00:C0:05:01:2C:D2 Temporary
BRAVO.NM.ORG (IP 129.121.1.6)
AA:00:04:00:0B:D0 Temporary
PENNY.NM.ORG (IP 129.121.1.10)
AA:00:04:00:5F:D0 Temporary
ARRIBA.NM.ORG (IP 129.121.1.14)
08:00:2B:BC:C1:A7 Temporary
AZUL.NM.ORG (IP 129.121.1.51)
08:00:87:00:A1:D3 Temporary
ENSS365.NM.ORG (IP 129.121.1.3)
00:00:0C:51:EF:58 Temporary
AVATAR.NM.ORG (IP 129.121.254.1)
08:00:5A:1D:52:0D Temporary
[UNKNOWN] (IP 129.121.253.2)
08:00:5A:47:4A:1D Temporary
[UNKNOWN] (IP 129.121.254.5)
00:C0:7B:5F:5F:80 Temporary
CONCHAS.NM.ORG (IP 129.121.1.11)
08:00:5A:47:4A:1D Temporary
[UNKNOWN] (IP 129.121.253.10)
AA:00:04:00:4B:D0 Temporary
MultiNet Network Interface statistics:
Name Mtu Network Address
Ipkts Ierrs Opkts Oerrs Collis
---- --- ------- --------------
----- ----- ----- ----- ------
se0 1500 129.121.0 GRANDE.NM.ORG
68422948 0 53492833 1
0
lo0 4136 127.0.0 127.0.0.1
1188191 0 1188191 0
0
MultiNet Protocol statistics:
65264173
IP packets received
22 IP packets smaller than minimum size
6928 IP fragments received
4 IP fragments timed out
34 IP received for unreachable destinations
704140 ICMP error packets generated
9667 ICMP opcodes out of range
4170 Bad ICMP packet checksums
734363 ICMP responses
734363 ICMP "Echo" packets received
734363 ICMP "Echo Reply" packets sent
18339 ICMP "Echo Reply" packets received
704140 ICMP "Destination Unreachable" packets sent
451243 ICMP "Destination Unreachable" packets received
1488 ICMP "Source Quench" packets received
163911 ICMP "ReDirect" packets received
189732 ICMP "Time Exceeded" packets received
126966 TCP connections initiated
233998 TCP connections established
132611 TCP connections accepted
67972 TCP connections dropped
28182 embryonic TCP connections dropped
269399 TCP connections closed
10711838
TCP segments timed for RTT
10505140
TCP segments updated RTT
3927264
TCP delayed ACKs sent
666 TCP connections dropped due to retransmit timeouts
111040 TCP retransmit timeouts
3136 TCP persist timeouts
9 TCP persist connection drops
16850 TCP keepalive timeouts
1195 TCP keepalive probes sent
14392 TCP connections dropped due to keepalive timeouts
28842663
TCP packets sent
12714484
TCP data packets sent
1206060086 TCP data
bytes sent
58321 TCP data packets retransmitted
22144036
TCP data bytes retransmitted
6802199
TCP ACK-only packets sent
1502 TCP window probes sent
483 TCP URG-only packets sent
8906175
TCP Window-Update-only packets sent
359509 TCP control packets sent
38675084
TCP packets received
28399363
TCP packets received in sequence
1929418386 TCP bytes
received in sequence
25207 TCP packets with checksum errors
273374 TCP packets were duplicates
230525708 TCP
bytes were duplicates
3748 TCP packets had some duplicate bytes
493214 TCP bytes were partial duplicates
2317156
TCP packets were out of order
3151204672 TCP bytes
were out of order
1915 TCP packets had data after window
865443 TCP bytes were after window
5804 TCP packets for already closed connection
941 TCP packets were window probes
10847459
TCP packets had ACKs
222657 TCP packets had duplicate ACKs
1 TCP packet ACKed unsent data
1200274739 TCP bytes
ACKed
141545 TCP packets had window updates
13 TCP segments dropped due to PAWS
4658158
TCP segments were predicted pure-ACKs
24033756
TCP segments were predicted pure-data
8087980
TCP PCB cache misses
305 Bad UDP header checksums
17 Bad UDP data length fields
23772272
UDP PCB cache misses
MultiNet Buffer Statistics:
388 out of 608 buffers
in use:
30 buffers allocated to Data.
10 buffers allocated to Packet Headers.
66 buffers allocated to Socket Structures.
57 buffers allocated to Protocol Control Blocks.
163 buffers allocated to Routing Table Entries.
2 buffers allocated to Socket Names and Addresses.
48 buffers allocated to Kernel Fork-Processes.
2 buffers allocated to Interface Addresses.
1 buffer allocated to Multicast Addresses.
1 buffer allocated to Timeout Callbacks.
6 buffers allocated to Memory Management.
2 buffers allocated to Network TTY Control Blocks.
11 out of 43 page clusters
in use.
11 CXBs borrowed from
VMS device drivers
2 CXBs waiting to return
to the VMS device drivers
162 Kbytes allocated
to MultiNet buffers (44% in use).
226 Kbytes of allocated
buffer address space (0% of maximum).
Connection closed by foreign host.
<slug> [68] ->
Whoa! What was all that?
What we did was telnet to port 15 -- the netstat port--
which on some computers runs a daemon that tells anybody who cares
to drop in just about everything about the connection made by
all the computers linked to the Internet through this computer.
So from this we learned two things:
1) Grande.nm.org is a very busy and important computer.
2) Even a very busy and important computer can let the random
port surfer come and play.
So my lady friend wanted to try out another port. I suggested
the finger port, number 79. So she gave the command:
<slug> [68] ->telnet grande.nm.org 79
Trying 129.121.1.2 ...
Connected to grande.nm.org.
Escape character is '^]'.
finger
?Sorry, could not find "FINGER"
Connection closed by foreign host.
<slug> [69] ->telnet grande.nm.org 79
Trying 129.121.1.2 ...
Connected to grande.nm.org.
Escape character is '^]'.
help
?Sorry, could not find "HELP"
Connection closed by foreign host.
<slug> [69] ->telnet grande.nm.org 79
Trying 129.121.1.2 ...
Connected to grande.nm.org.
Escape character is '^]'.
?
?Sorry, could not find "?"
Connection closed by foreign host.
<slug> [69] ->telnet grande.nm.org 79
Trying 129.121.1.2 ...
Connected to grande.nm.org.
Escape character is '^]'.
man
?Sorry, could not find "MAN"
Connection closed by foreign host.
<slug> [69] ->
At first this looks like just a bunch of failed commands. But
actually this is pretty fascinating. The reason is that port 79
is, under IETF rules, supposed to run fingerd, the finger daemon.
So when she gave the command “finger” and grande.nm.org
said ?Sorry, could not find "FINGER,” we knew this port
was not following IETF rules.
Now on may computers they don’t run the finger daemon at
all. This is because finger has so properties that can be used
to gain total control of the computer that runs it.
But if finger is shut down, and nothing else is running on port
79, we would get the answer:
telnet: connect: Connection refused.
But instead we got connected and grande.nm.org was waiting for
a command.
Now the normal thing a port surfer does when running an unfmiliar
daemon is to coax it into revealing what commands it uses. “Help,”
“?” and “man” often work. But it didn’t
help us.
But even though these commands didn’t help us, they did
tell us that the daemon is probably something sensitive. If it
were a daemon that was meant for anybody and his brother to use,
it would have given us instructions.
So what did we do next? We decided to be good Internet citizens
and also stay out of jail We decided we’d beter log off.
But there was one hack we decided to do first: leave our mark
on the shell log file.
The shell log file keeps a record of all operating system commands
made on a computer. The adminsitrator of an obviously important
computer such as grande.nm.org is probably competent enough to
scan the records of what commands are given by whom to his computer.
Especially on a port important enough to be running a mystery,
non-IETF daemon. So everything we types while connected was saved
on a log.
So my friend giggled with glee and left a few messages on port
79 before logging off. Oh, dear, I do believe she’s hooked
on hacking. Hmmm, it could be a good way to meet cute sysadmins...
So, port surf’s up! If you want to surf, here’s the
basics:
1) Get logged on to a shell account. That’s an account with
your ISP that lets you give Unix commands. Or -- run Linux or
some other kind of Unix on your PC and hook up to the Internet.
2) Give the command “telnet <hostname> <pot number>“
where <hostname> is the internet address of the computer
you wnat to visit and <port number> is whatever looks phun
to you.
3) If you get the response “connected to <hostname>,”
then surf’s up!
Following are some of my favorite ports. It is legal and harmless
to pay them visits so long as you don’t figure out how to
gain superuser status while playing with them. However, please
note that if you do too much port surfing from your shell account,
your sysadmin may notice this in his or her shell log file. If
he or she is prejudiced against hacking , you may get kicked off
your ISP. So you may want to explain in advance that you are merely
a harmless hacker looking to have a good time, er, um, learn about
Unix. Yeh, that sounds good...
Port number Service Why it’s phun!
7 echo Whatever you type in, the host repeats back
to you, used for ping
9 discard Dev/null -- how fast can you figure out this
one?
11 systat Lots of info on users
13 daytime Time and date at computer’s location
15 netstat Tremendous info on networks but rarely used
any more
19 chargen Pours out a stream of ASCII characters. Use
^C to stop.
21 ftp Transfers files
22 ssh secure shell login -- encrypted tunnel
23 telnet Where you log in if you don’t use ssh:)
25 smpt Forge email from Bill.Gates@Microsoft.org.
37 time Time
39 rlp Resource location
43 whois Info on hosts and networks
53 domain Nameserver
70 gopher Out-of-date info hunter
79 finger Lots of info on users
80 http Web server
110 pop Incoming email
119 nntp Usenet news groups -- forge posts, cancels
443 shttp Another web server
512 biff Mail notification
513 rlogin Remote login
who Remote who and uptime
514 shell Remote command, no password used!
syslog Remote system logging -- how we bust hackers
520 route Routing information protocol
**************************
Propeller head tip: Note that in most cases an Internet host will
use these port number assignments for these services. More than
one service may also be assigned simultaneously to the same port.
This numbering system is voluntarily offered by the Internet Engineering
Task Force (IETF). That means that an Internet host may use other
ports for these services. Expect the unexpected!
If you have a copy of Linux, you can get the list of all the
IETF assignments of port numbers in the file /etc/services.
********************************
_________________________________________________________
Send me confidential email (please, no discussions of illegal
activities) use . Please direct flames to
dev/null@cmeinel.com. Happy hacking!
© 1996 Carolyn P. Meinel. You may forward the GUIDE TO
(mostly) HARMLESS HACKING as long as you leave this notice at
the end..
