GUIDE TO (mostly) HARMLESS HACKING

Vol. 2 Number 4

More intro to TCP/IP: port surfing! Daemons! How to get on almost any computer without logging in and without breaking the law. Impress your clueless friends and actually discover kewl, legal, safe stuph.
____________________________________________________________

A few days ago I had a lady friend visiting. She’s 42 and doesn’t own a computer. However, she is taking a class on personal computers at a community college. She wanted to know what all this hacking stuph is about. So I decided to introduce her to port surfing. And while doing it, we stumbled across something kewl.

Port surfing takes advantage of the structure of TCP/IP. This is the protocol (set of rules) used for computers to talk to each other over the Internet. One of the basic principles of Unix (the most popular operating system on the Internet) is to assign a “port” to every function that one computer might command another to perform. Common examples are to send and receive email, read Usenet newsgroups, telnet, transfer files, and offer Web pages.
 

************************
Newbie note #1: A computer port is a place where information goes in or out of it. On your home computer, examples of ports are your monitor, which sends information out, your keyboard and mouse, which send information in, and your modem, which sends information both out and in.

But an Internet host computer such as callisto.unm.edu has many more ports than a typical home computer. These ports are identified by numbers. Now these are not all physical ports, like a keyboard or RS232 serial port (for your modem). They are virtual (software) ports.

A “service” is a program running on a “port.” When you telnet to a port, that program is up and running, just waiting for your input. Happy hacking!
************************

So if you want to read a Web page, your browser contacts port number 80 and tells the computer that manages that Web site to let you in. And, sure enough, you get into that Web server computer without a password.

OK, big deal. That’s pretty standard for the Internet. Many -- most -- computers on the Internet will let you do some things with them without needing a password.

However, the essence of hacking is doing things that aren’t obvious. That don’t just jump out at you from the manuals. One way you can move a step up from the run of the mill computer user is to learn how to port surf.

The essence of port surfing is to pick out a target computer and explore it to see what ports are open and what you can do with them.

Now if you are a lazy hacker you can use canned hacker tools such as Satan or Netcat. These are programs you can run from Linux, FreeBSD or Solaris (all types of Unix) from your PC. They automatically scan your target computers. They will tell you what ports are in use. They will also probe these ports for presence of daemons with known security flaws, and tell you what they are.

********************************
Newbie note # 2: A daemon is not some sort of grinch or gremlin or 666 guy. It is a program that runs in the background on many (but not all) Unix system ports. It waits for you to come along and use it. If you find a daemon on a port, it’s probably hackable. Some hacker tools will tell you what the hackable features are of the daemons they detect.
********************************

However, there are several reasons to surf ports by hand instead of automatically.

1) You will learn something. Probing manually you get a gut feel for how the daemon running on that port behaves. It’s the difference between watching an x-rated movie and (blush).

2) You can impress your friends. If you run a canned hacker tool like Satan your friends will look at you and say, “Big deal. I can run programs, too.” They will immediately catch on to the dirty little secret of the hacker world. Most hacking exploits are just lamerz running programs they picked up from some BBS or ftp site. But if you enter commands keystroke by keystroke they will see you using your brain. And you can help them play with daemons, too, and give them a giant rush.

3) The truly elite hackers surf ports and play with daemons by hand because it is the only way to discover something new. There are only a few hundred hackers -- at most -- who discover new stuph. The rest just run canned exploits over and over and over again. Boring. But I am teaching you how to reach the pinnacle of hackerdom.

(Note: This was written in 1996, when scanning the ports of other people's computers was not common. But nowadays there are many more malicious hackers breaking into computers. And the first thing these bad guys do when they break into a computer is to run a program that scans all the ports for them. Because of this, if you run a port scanning program against a computer without getting permission first from the owner, he or she will assume you are a criminal. The result will be that you get kicked off your Internet Service Provider. If you just look at a port or two by hand as shown in this Guide, you are less likely to get into trouble.)

Now let me tell you what my middle aged friend and I discovered just messing around. First, we decided we didn’t want to waste our time messing with some minor little host computer. Hey, let’s go for the big time!

So how do you find a big kahuna computer on the Internet? We started with a domain which consisted of a LAN of PCs running Linux that I happened to already know about, that is used by the New Mexico Internet Access ISP: nmia.com.

*****************************
Newbie Note # 3: A domain is an Internet address. You can use it to look up who runs the computers used by the domain, and also to look up how that domain is connected to the rest of the Internet.
*****************************

So to do this we first logged into my shell account with Southwest Cyberport. I gave the command:

<slug> [66] ->whois nmia.com
New Mexico Internet Access (NMIA-DOM)
   2201 Buena Vista SE
   Albuquerque, NM 87106

   Domain Name: NMIA.COM

   Administrative Contact, Technical Contact, Zone Contact:
      Orrell, Stan  (SO11)  SAO@NMIA.COM
      (505) 877-0617

   Record last updated on 11-Mar-94.
   Record created on 11-Mar-94.

   Domain servers in listed order:

   NS.NMIA.COM                  198.59.166.10
   GRANDE.NM.ORG                129.121.1.2

Now it’s a good bet that grande.nm.org is serving a lot of other Internet hosts beside nmia.com. Here’s how we port surf our way to find this out:

<slug> [67] ->telnet grande.nm.org 15
Trying 129.121.1.2 ...
Connected to grande.nm.org.
Escape character is '^]'.
TGV MultiNet V3.5 Rev B, VAX 4000-400, OpenVMS VAX V6.1

Product              License    Authorization        Expiration Date
----------           -------    -------------        ---------------
MULTINET             Yes        A-137-1641            (none)
NFS-CLIENT           Yes        A-137-113237          (none)
 

*** Configuration for file "MULTINET:NETWORK_DEVICES.CONFIGURATION" ***

Device                                   Adapter     CSR Address    Flags/Vector

------                                   -------     -----------    ------------

se0      (Shared VMS Ethernet/FDDI)       -NONE-        -NONE-       -NONE-

MultiNet Active Connections, including servers:
Proto Rcv-Q Snd-Q  Local Address (Port)    Foreign Address (Port)  State
----- ----- -----  ------------------      ------------------      -----
TCP       0   822  GRANDE.NM.ORG(NETSTAT)  198.59.115.24(1569)     ESTABLISHED
TCP       0     0  GRANDE.NM.ORG(POP3)     164.64.201.67(1256)     ESTABLISHED
TCP       0     0  GRANDE.NM.ORG(4918)     129.121.254.5(TELNET)   ESTABLISHED
TCP       0     0  GRANDE.NM.ORG(TELNET)   AVATAR.NM.ORG(3141)     ESTABLISHED
TCP       0     0  *(NAMESERVICE)          *(*)                    LISTEN
TCP       0     0  *(TELNET)               *(*)                    LISTEN
TCP       0     0  *(FTP)                  *(*)                    LISTEN
TCP       0     0  *(FINGER)               *(*)                    LISTEN
TCP       0     0  *(NETSTAT)              *(*)                    LISTEN
TCP       0     0  *(SMTP)                 *(*)                    LISTEN
TCP       0     0  *(LOGIN)                *(*)                    LISTEN
TCP       0     0  *(SHELL)                *(*)                    LISTEN
TCP       0     0  *(EXEC)                 *(*)                    LISTEN
TCP       0     0  *(RPC)                  *(*)                    LISTEN
TCP       0     0  *(NETCONTROL)           *(*)                    LISTEN
TCP       0     0  *(SYSTAT)               *(*)                    LISTEN
TCP       0     0  *(CHARGEN)              *(*)                    LISTEN
TCP       0     0  *(DAYTIME)              *(*)                    LISTEN
TCP       0     0  *(TIME)                 *(*)                    LISTEN
TCP       0     0  *(ECHO)                 *(*)                    LISTEN
TCP       0     0  *(DISCARD)              *(*)                    LISTEN
TCP       0     0  *(PRINTER)              *(*)                    LISTEN
TCP       0     0  *(POP2)                 *(*)                    LISTEN
TCP       0     0  *(POP3)                 *(*)                    LISTEN
TCP       0     0  *(KERBEROS_MASTER)      *(*)                    LISTEN
TCP       0     0  *(KLOGIN)               *(*)                    LISTEN
TCP       0     0  *(KSHELL)               *(*)                    LISTEN
TCP       0     0  GRANDE.NM.ORG(4174)     OSO.NM.ORG(X11)         ESTABLISHED
TCP       0     0  GRANDE.NM.ORG(4172)     OSO.NM.ORG(X11)         ESTABLISHED
TCP       0     0  GRANDE.NM.ORG(4171)     OSO.NM.ORG(X11)         ESTABLISHED
TCP       0     0  *(FS)                   *(*)                    LISTEN
UDP       0     0  *(NAMESERVICE)          *(*)
UDP       0     0  127.0.0.1(NAMESERVICE)  *(*)
UDP       0     0  GRANDE.NM.OR(NAMESERV)  *(*)
UDP       0     0  *(TFTP)                 *(*)
UDP       0     0  *(BOOTPS)               *(*)
UDP       0     0  *(KERBEROS)             *(*)
UDP       0     0  127.0.0.1(KERBEROS)     *(*)
UDP       0     0  GRANDE.NM.OR(KERBEROS)  *(*)
UDP       0     0  *(*)                    *(*)
UDP       0     0  *(SNMP)                 *(*)
UDP       0     0  *(RPC)                  *(*)
UDP       0     0  *(DAYTIME)              *(*)
UDP       0     0  *(ECHO)                 *(*)
UDP       0     0  *(DISCARD)              *(*)
UDP       0     0  *(TIME)                 *(*)
UDP       0     0  *(CHARGEN)              *(*)
UDP       0     0  *(TALK)                 *(*)
UDP       0     0  *(NTALK)                *(*)
UDP       0     0  *(1023)                 *(*)
UDP       0     0  *(XDMCP)                *(*)

MultiNet registered RPC programs:
Program     Version   Protocol    Port
-------     -------   --------    ----
PORTMAP       2        TCP        111
PORTMAP       2        UDP        111
 

MultiNet IP Routing tables:
Destination      Gateway          Flags        Refcnt Use      Interface  MTU
----------       ----------       -----        ------ -----    ---------  ----
198.59.167.1     LAWRII.NM.ORG    Up,Gateway,H 0      2        se0        1500
166.45.0.1       ENSS365.NM.ORG   Up,Gateway,H 0      4162     se0        1500
205.138.138.1    ENSS365.NM.ORG   Up,Gateway,H 0      71       se0        1500
204.127.160.1    ENSS365.NM.ORG   Up,Gateway,H 0      298      se0        1500
127.0.0.1        127.0.0.1        Up,Host      5      1183513  lo0        4136
198.59.167.2     LAWRII.NM.ORG    Up,Gateway,H 0      640      se0        1500
192.132.89.2     ENSS365.NM.ORG   Up,Gateway,H 0      729      se0        1500
207.77.56.2      ENSS365.NM.ORG   Up,Gateway,H 0      5        se0        1500
204.97.213.2     ENSS365.NM.ORG   Up,Gateway,H 0      2641     se0        1500
194.90.74.66     ENSS365.NM.ORG   Up,Gateway,H 0      1        se0        1500
204.252.102.2    ENSS365.NM.ORG   Up,Gateway,H 0      109      se0        1500
205.160.243.2    ENSS365.NM.ORG   Up,Gateway,H 0      78       se0        1500
202.213.4.2      ENSS365.NM.ORG   Up,Gateway,H 0      4        se0        1500
202.216.224.66   ENSS365.NM.ORG   Up,Gateway,H 0      113      se0        1500
192.132.89.3     ENSS365.NM.ORG   Up,Gateway,H 0      1100     se0        1500
198.203.196.67   ENSS365.NM.ORG   Up,Gateway,H 0      385      se0        1500
160.205.13.3     ENSS365.NM.ORG   Up,Gateway,H 0      78       se0        1500
202.247.107.131  ENSS365.NM.ORG   Up,Gateway,H 0      19       se0        1500
198.59.167.4     LAWRII.NM.ORG    Up,Gateway,H 0      82       se0        1500
128.148.157.6    ENSS365.NM.ORG   Up,Gateway,H 0      198      se0        1500
160.45.10.6      ENSS365.NM.ORG   Up,Gateway,H 0      3        se0        1500
128.121.50.7     ENSS365.NM.ORG   Up,Gateway,H 0      3052     se0        1500
206.170.113.8    ENSS365.NM.ORG   Up,Gateway,H 0      1451     se0        1500
128.148.128.9    ENSS365.NM.ORG   Up,Gateway,H 0      1122     se0        1500
203.7.132.9      ENSS365.NM.ORG   Up,Gateway,H 0      14       se0        1500
204.216.57.10    ENSS365.NM.ORG   Up,Gateway,H 0      180      se0        1500
130.74.1.75      ENSS365.NM.ORG   Up,Gateway,H 0      10117    se0        1500
206.68.65.15     ENSS365.NM.ORG   Up,Gateway,H 0      249      se0        1500
129.219.13.81    ENSS365.NM.ORG   Up,Gateway,H 0      547      se0        1500
204.255.246.18   ENSS365.NM.ORG   Up,Gateway,H 0      1125     se0        1500
160.45.24.21     ENSS365.NM.ORG   Up,Gateway,H 0      97       se0        1500
206.28.168.21    ENSS365.NM.ORG   Up,Gateway,H 0      2093     se0        1500
163.179.3.222    ENSS365.NM.ORG   Up,Gateway,H 0      315      se0        1500
198.109.130.33   ENSS365.NM.ORG   Up,Gateway,H 0      1825     se0        1500
199.224.108.33   ENSS365.NM.ORG   Up,Gateway,H 0      11362    se0        1500
203.7.132.98     ENSS365.NM.ORG   Up,Gateway,H 0      73       se0        1500
198.111.253.35   ENSS365.NM.ORG   Up,Gateway,H 0      1134     se0        1500
206.149.24.100   ENSS365.NM.ORG   Up,Gateway,H 0      3397     se0        1500
165.212.105.106  ENSS365.NM.ORG   Up,Gateway,H 0      17       se0        1006
205.238.3.241    ENSS365.NM.ORG   Up,Gateway,H 0      69       se0        1500
198.49.44.242    ENSS365.NM.ORG   Up,Gateway,H 0      25       se0        1500
194.22.188.242   ENSS365.NM.ORG   Up,Gateway,H 0      20       se0        1500
164.64.0         LAWRII.NM.ORG    Up,Gateway   1      40377    se0        1500
0.0.0            ENSS365.NM.ORG   Up,Gateway   2      4728741  se0        1500
207.66.1         GLORY.NM.ORG     Up,Gateway   0      51       se0        1500
205.166.1        GLORY.NM.ORG     Up,Gateway   0      1978     se0        1500
204.134.1        LAWRII.NM.ORG    Up,Gateway   0      54       se0        1500
204.134.2        GLORY.NM.ORG     Up,Gateway   0      138      se0        1500
192.132.2        129.121.248.1    Up,Gateway   0      6345     se0        1500
204.134.67       GLORY.NM.ORG     Up,Gateway   0      2022     se0        1500
206.206.67       GLORY.NM.ORG     Up,Gateway   0      7778     se0        1500
206.206.68       LAWRII.NM.ORG    Up,Gateway   0      3185     se0        1500
207.66.5         GLORY.NM.ORG     Up,Gateway   0      626      se0        1500
204.134.69       GLORY.NM.ORG     Up,Gateway   0      7990     se0        1500
207.66.6         GLORY.NM.ORG     Up,Gateway   0      53       se0        1500
204.134.70       LAWRII.NM.ORG    Up,Gateway   0      18011    se0        1500
192.188.135      GLORY.NM.ORG     Up,Gateway   0      5        se0        1500
206.206.71       LAWRII.NM.ORG    Up,Gateway   0      2        se0        1500
204.134.7        GLORY.NM.ORG     Up,Gateway   0      38       se0        1500
199.89.135       GLORY.NM.ORG     Up,Gateway   0      99       se0        1500
198.59.136       LAWRII.NM.ORG    Up,Gateway   0      1293     se0        1500
204.134.9        GLORY.NM.ORG     Up,Gateway   0      21       se0        1500
204.134.73       GLORY.NM.ORG     Up,Gateway   0      59794    se0        1500
129.138.0        GLORY.NM.ORG     Up,Gateway   0      5262     se0        1500
192.92.10        LAWRII.NM.ORG    Up,Gateway   0      163      se0        1500
206.206.75       LAWRII.NM.ORG    Up,Gateway   0      604      se0        1500
207.66.13        GLORY.NM.ORG     Up,Gateway   0      1184     se0        1500
204.134.77       LAWRII.NM.ORG    Up,Gateway   0      3649     se0        1500
207.66.14        GLORY.NM.ORG     Up,Gateway   0      334      se0        1500
204.134.78       GLORY.NM.ORG     Up,Gateway   0      239      se0        1500
204.52.207       GLORY.NM.ORG     Up,Gateway   0      293      se0        1500
204.134.79       GLORY.NM.ORG     Up,Gateway   0      1294     se0        1500
192.160.144      LAWRII.NM.ORG    Up,Gateway   0      117      se0        1500
206.206.80       PENNY.NM.ORG     Up,Gateway   0      4663     se0        1500
204.134.80       GLORY.NM.ORG     Up,Gateway   0      91       se0        1500
198.99.209       LAWRII.NM.ORG    Up,Gateway   0      1136     se0        1500
207.66.17        GLORY.NM.ORG     Up,Gateway   0      24173    se0        1500
204.134.82       GLORY.NM.ORG     Up,Gateway   0      29766    se0        1500
192.41.211       GLORY.NM.ORG     Up,Gateway   0      155      se0        1500
192.189.147      LAWRII.NM.ORG    Up,Gateway   0      3133     se0        1500
204.134.84       PENNY.NM.ORG     Up,Gateway   0      189      se0        1500
204.134.87       LAWRII.NM.ORG    Up,Gateway   0      94       se0        1500
146.88.0         GLORY.NM.ORG     Up,Gateway   0      140      se0        1500
192.84.24        GLORY.NM.ORG     Up,Gateway   0      3530     se0        1500
204.134.88       LAWRII.NM.ORG    Up,Gateway   0      136      se0        1500
198.49.217       GLORY.NM.ORG     Up,Gateway   0      303      se0        1500
192.132.89       GLORY.NM.ORG     Up,Gateway   0      3513     se0        1500
198.176.219      GLORY.NM.ORG     Up,Gateway   0      1278     se0        1500
206.206.92       LAWRII.NM.ORG    Up,Gateway   0      1228     se0        1500
192.234.220      129.121.1.91     Up,Gateway   0      2337     se0        1500
204.134.92       LAWRII.NM.ORG    Up,Gateway   0      13995    se0        1500
198.59.157       LAWRII.NM.ORG    Up,Gateway   0      508      se0        1500
206.206.93       GLORY.NM.ORG     Up,Gateway   0      635      se0        1500
204.134.93       GLORY.NM.ORG     Up,Gateway   0      907      se0        1500
198.59.158       LAWRII.NM.ORG    Up,Gateway   0      14214    se0        1500
198.59.159       LAWRII.NM.ORG    Up,Gateway   0      1806     se0        1500
204.134.95       PENNY.NM.ORG     Up,Gateway   0      3644     se0        1500
206.206.96       GLORY.NM.ORG     Up,Gateway   0      990      se0        1500
206.206.161      LAWRII.NM.ORG    Up,Gateway   0      528      se0        1500
198.59.97        PENNY.NM.ORG     Up,Gateway   0      55       se0        1500
198.59.161       LAWRII.NM.ORG    Up,Gateway   0      497      se0        1500
192.207.226      GLORY.NM.ORG     Up,Gateway   0      93217    se0        1500
198.59.99        PENNY.NM.ORG     Up,Gateway   0      2        se0        1500
198.59.163       GLORY.NM.ORG     Up,Gateway   0      3379     se0        1500
192.133.100      LAWRII.NM.ORG    Up,Gateway   0      3649     se0        1500
204.134.100      GLORY.NM.ORG     Up,Gateway   0      8        se0        1500
128.165.0        PENNY.NM.ORG     Up,Gateway   0      15851    se0        1500
198.59.165       GLORY.NM.ORG     Up,Gateway   0      274      se0        1500
206.206.165      LAWRII.NM.ORG    Up,Gateway   0      167      se0        1500
206.206.102      GLORY.NM.ORG     Up,Gateway   0      5316     se0        1500
160.230.0        LAWRII.NM.ORG    Up,Gateway   0      19408    se0        1500
206.206.166      LAWRII.NM.ORG    Up,Gateway   0      1756     se0        1500
205.166.231      GLORY.NM.ORG     Up,Gateway   0      324      se0        1500
198.59.167       GLORY.NM.ORG     Up,Gateway   0      1568     se0        1500
206.206.103      GLORY.NM.ORG     Up,Gateway   0      3629     se0        1500
198.59.168       GLORY.NM.ORG     Up,Gateway   0      9063     se0        1500
206.206.104      GLORY.NM.ORG     Up,Gateway   0      7333     se0        1500
206.206.168      GLORY.NM.ORG     Up,Gateway   0      234      se0        1500
204.134.105      LAWRII.NM.ORG    Up,Gateway   0      4826     se0        1500
206.206.105      LAWRII.NM.ORG    Up,Gateway   0      422      se0        1500
204.134.41       LAWRII.NM.ORG    Up,Gateway   0      41782    se0        1500
206.206.169      GLORY.NM.ORG     Up,Gateway   0      5101     se0        1500
204.134.42       GLORY.NM.ORG     Up,Gateway   0      10761    se0        1500
206.206.170      GLORY.NM.ORG     Up,Gateway   0      916      se0        1500
198.49.44        GLORY.NM.ORG     Up,Gateway   0      3        se0        1500
198.59.108       GLORY.NM.ORG     Up,Gateway   0      2129     se0        1500
204.29.236       GLORY.NM.ORG     Up,Gateway   0      125      se0        1500
206.206.172      GLORY.NM.ORG     Up,Gateway   0      5839     se0        1500
204.134.108      GLORY.NM.ORG     Up,Gateway   0      3216     se0        1500
206.206.173      GLORY.NM.ORG     Up,Gateway   0      374      se0        1500
198.175.173      LAWRII.NM.ORG    Up,Gateway   0      6227     se0        1500
198.59.110       GLORY.NM.ORG     Up,Gateway   0      1797     se0        1500
198.51.238       GLORY.NM.ORG     Up,Gateway   0      1356     se0        1500
192.136.110      GLORY.NM.ORG     Up,Gateway   0      583      se0        1500
204.134.48       GLORY.NM.ORG     Up,Gateway   0      42       se0        1500
198.175.176      LAWRII.NM.ORG    Up,Gateway   0      32       se0        1500
206.206.114      LAWRII.NM.ORG    Up,Gateway   0      44       se0        1500
206.206.179      LAWRII.NM.ORG    Up,Gateway   0      14       se0        1500
198.59.179       PENNY.NM.ORG     Up,Gateway   0      222      se0        1500
198.59.115       GLORY.NM.ORG     Up,Gateway   1      132886   se0        1500
206.206.181      GLORY.NM.ORG     Up,Gateway   0      1354     se0        1500
206.206.182      SIENNA.NM.ORG    Up,Gateway   0      16       se0        1500
206.206.118      GLORY.NM.ORG     Up,Gateway   0      3423     se0        1500
206.206.119      GLORY.NM.ORG     Up,Gateway   0      282      se0        1500
206.206.183      SIENNA.NM.ORG    Up,Gateway   0      2473     se0        1500
143.120.0        LAWRII.NM.ORG    Up,Gateway   0      123533   se0        1500
206.206.184      GLORY.NM.ORG     Up,Gateway   0      1114     se0        1500
205.167.120      GLORY.NM.ORG     Up,Gateway   0      4202     se0        1500
206.206.121      GLORY.NM.ORG     Up,Gateway   1      71       se0        1500
129.121.0        GRANDE.NM.ORG    Up           12     21658599 se0        1500
204.134.122      GLORY.NM.ORG     Up,Gateway   0      195      se0        1500
204.134.58       GLORY.NM.ORG     Up,Gateway   0      7707     se0        1500
128.123.0        GLORY.NM.ORG     Up,Gateway   0      34416    se0        1500
204.134.59       GLORY.NM.ORG     Up,Gateway   0      1007     se0        1500
204.134.124      GLORY.NM.ORG     Up,Gateway   0      37160    se0        1500
206.206.124      LAWRII.NM.ORG    Up,Gateway   0      79       se0        1500
206.206.125      PENNY.NM.ORG     Up,Gateway   0      233359   se0        1500
204.134.126      GLORY.NM.ORG     Up,Gateway   0      497      se0        1500
206.206.126      LAWRII.NM.ORG    Up,Gateway   0      13644    se0        1500
204.69.190       GLORY.NM.ORG     Up,Gateway   0      4059     se0        1500
206.206.190      GLORY.NM.ORG     Up,Gateway   0      1630     se0        1500
204.134.127      GLORY.NM.ORG     Up,Gateway   0      45621    se0        1500
206.206.191      GLORY.NM.ORG     Up,Gateway   0      3574     se0        1500

MultiNet IPX Routing tables:
Destination      Gateway          Flags        Refcnt Use      Interface  MTU
----------       ----------       -----        ------ -----    ---------  ----

MultiNet ARP table:
Host Network Address                              Ethernet Address    Arp Flags
--------------------------------------------      ----------------    ---------
GLORY.NM.ORG (IP 129.121.1.4)                     AA:00:04:00:61:D0   Temporary
[UNKNOWN] (IP 129.121.251.1)                      00:C0:05:01:2C:D2   Temporary
NARANJO.NM.ORG (IP 129.121.1.56)                  08:00:87:04:9F:42   Temporary
CHAMA.NM.ORG (IP 129.121.1.8)                     AA:00:04:00:0C:D0   Temporary
[UNKNOWN] (IP 129.121.251.5)                      AA:00:04:00:D2:D0   Temporary
LAWRII.NM.ORG (IP 129.121.254.10)                 AA:00:04:00:5C:D0   Temporary
[UNKNOWN] (IP 129.121.1.91)                       00:C0:05:01:2C:D2   Temporary
BRAVO.NM.ORG (IP 129.121.1.6)                     AA:00:04:00:0B:D0   Temporary
PENNY.NM.ORG (IP 129.121.1.10)                    AA:00:04:00:5F:D0   Temporary
ARRIBA.NM.ORG (IP 129.121.1.14)                   08:00:2B:BC:C1:A7   Temporary
AZUL.NM.ORG (IP 129.121.1.51)                     08:00:87:00:A1:D3   Temporary
ENSS365.NM.ORG (IP 129.121.1.3)                   00:00:0C:51:EF:58   Temporary
AVATAR.NM.ORG (IP 129.121.254.1)                  08:00:5A:1D:52:0D   Temporary
[UNKNOWN] (IP 129.121.253.2)                      08:00:5A:47:4A:1D   Temporary
[UNKNOWN] (IP 129.121.254.5)                      00:C0:7B:5F:5F:80   Temporary
CONCHAS.NM.ORG (IP 129.121.1.11)                  08:00:5A:47:4A:1D   Temporary
[UNKNOWN] (IP 129.121.253.10)                     AA:00:04:00:4B:D0   Temporary
 

MultiNet Network Interface statistics:
Name  Mtu   Network     Address            Ipkts    Ierrs Opkts    Oerrs Collis
----  ---   -------     --------------     -----    ----- -----    ----- ------
se0   1500  129.121.0   GRANDE.NM.ORG      68422948 0     53492833 1     0
lo0   4136  127.0.0     127.0.0.1          1188191  0     1188191  0     0

MultiNet Protocol statistics:
          65264173 IP packets received
                22 IP packets smaller than minimum size
              6928 IP fragments received
                 4 IP fragments timed out
                34 IP received for unreachable destinations
            704140 ICMP error packets generated
              9667 ICMP opcodes out of range
              4170 Bad ICMP packet checksums
            734363 ICMP responses
            734363 ICMP "Echo" packets received
            734363 ICMP "Echo Reply" packets sent
             18339 ICMP "Echo Reply" packets received
            704140 ICMP "Destination Unreachable" packets sent
            451243 ICMP "Destination Unreachable" packets received
              1488 ICMP "Source Quench" packets received
            163911 ICMP "ReDirect" packets received
            189732 ICMP "Time Exceeded" packets received
            126966 TCP connections initiated
            233998 TCP connections established
            132611 TCP connections accepted
             67972 TCP connections dropped
             28182 embryonic TCP connections dropped
            269399 TCP connections closed
          10711838 TCP segments timed for RTT
          10505140 TCP segments updated RTT
           3927264 TCP delayed ACKs sent
               666 TCP connections dropped due to retransmit timeouts
            111040 TCP retransmit timeouts
              3136 TCP persist timeouts
                 9 TCP persist connection drops
             16850 TCP keepalive timeouts
              1195 TCP keepalive probes sent
             14392 TCP connections dropped due to keepalive timeouts
          28842663 TCP packets sent
          12714484 TCP data packets sent
        1206060086 TCP data bytes sent
             58321 TCP data packets retransmitted
          22144036 TCP data bytes retransmitted
           6802199 TCP ACK-only packets sent
              1502 TCP window probes sent
               483 TCP URG-only packets sent
           8906175 TCP Window-Update-only packets sent
            359509 TCP control packets sent
          38675084 TCP packets received
          28399363 TCP packets received in sequence
        1929418386 TCP bytes received in sequence
             25207 TCP packets with checksum errors
            273374 TCP packets were duplicates
         230525708 TCP bytes were duplicates
              3748 TCP packets had some duplicate bytes
            493214 TCP bytes were partial duplicates
           2317156 TCP packets were out of order
        3151204672 TCP bytes were out of order
              1915 TCP packets had data after window
            865443 TCP bytes were after window
              5804 TCP packets for already closed connection
               941 TCP packets were window probes
          10847459 TCP packets had ACKs
            222657 TCP packets had duplicate ACKs
                 1 TCP packet ACKed unsent data
        1200274739 TCP bytes ACKed
            141545 TCP packets had window updates
                13 TCP segments dropped due to PAWS
           4658158 TCP segments were predicted pure-ACKs
          24033756 TCP segments were predicted pure-data
           8087980 TCP PCB cache misses
               305 Bad UDP header checksums
                17 Bad UDP data length fields
          23772272 UDP PCB cache misses

MultiNet Buffer Statistics:
        388 out of 608 buffers in use:
                30 buffers allocated to Data.
                10 buffers allocated to Packet Headers.
                66 buffers allocated to Socket Structures.
                57 buffers allocated to Protocol Control Blocks.
                163 buffers allocated to Routing Table Entries.
                2 buffers allocated to Socket Names and Addresses.
                48 buffers allocated to Kernel Fork-Processes.
                2 buffers allocated to Interface Addresses.
                1 buffer allocated to Multicast Addresses.
                1 buffer allocated to Timeout Callbacks.
                6 buffers allocated to Memory Management.
                2 buffers allocated to Network TTY Control Blocks.
        11 out of 43 page clusters in use.
        11 CXBs borrowed from VMS device drivers
        2 CXBs waiting to return to the VMS device drivers
        162 Kbytes allocated to MultiNet buffers (44% in use).
        226 Kbytes of allocated buffer address space (0% of    maximum).
Connection closed by foreign host.
<slug> [68] ->

Whoa! What was all that?

What we did was telnet to port 15 -- the netstat port -- which on some computers runs a daemon that tells anybody who cares to drop in just about everything about the connections made by all the computers linked to the Internet through this computer.

So from this we learned two things:

1) Grande.nm.org is a very busy and important computer.

2) Even a very busy and important computer can let the random port surfer come and play.
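
An added example (not part of the original Guide): how an administrator could audit a listing like the one above, taken from a host they run, to see which listening services deserve a second look and which third-party addresses the netstat daemon hands to any caller. The sample rows are constructed in the same table format with placeholder names and documentation addresses, and the RISKY table is this example's own assumption about what to flag.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption of this example: services a hardening review would question, and why.
RISKY = {
    "NETSTAT": "info-disclosure: connection table readable without login",
    "SYSTAT": "info-disclosure: process/user listing readable without login",
    "FINGER": "info-disclosure: account details readable without login",
    "CHARGEN": "small-service: unauthenticated traffic generator",
    "ECHO": "small-service: reflects any input back to the sender",
    "LOGIN": "r-service: cleartext BSD remote login/command service",
    "SHELL": "r-service: cleartext BSD remote login/command service",
    "EXEC": "r-service: cleartext BSD remote login/command service",
    "TELNET": "cleartext: credentials cross the network unencrypted",
    "FTP": "cleartext: credentials cross the network unencrypted",
    "TFTP": "no-auth: file transfer without authentication",
}

# Constructed sample in the "Active Connections" format shown above.
SAMPLE = """\
MultiNet Active Connections, including servers:
Proto Rcv-Q Snd-Q  Local Address (Port)    Foreign Address (Port)  State
----- ----- -----  ------------------      ------------------      -----
TCP       0   822  HOST.EXAMPLE.ORG(NETSTAT)  192.0.2.24(1569)     ESTABLISHED
TCP       0     0  HOST.EXAMPLE.ORG(POP3)  198.51.100.67(1256)     ESTABLISHED
TCP       0     0  *(TELNET)               *(*)                    LISTEN
TCP       0     0  *(FINGER)               *(*)                    LISTEN
TCP       0     0  *(NETSTAT)              *(*)                    LISTEN
TCP       0     0  *(SMTP)                 *(*)                    LISTEN
TCP       0     0  *(SHELL)                *(*)                    LISTEN
TCP       0     0  *(CHARGEN)              *(*)                    LISTEN
UDP       0     0  *(TFTP)                 *(*)
UDP       0     0  127.0.0.1(NAMESERVICE)  *(*)
UDP       0     0  *(CHARGEN)              *(*)
"""

# One table row: proto, two queue counters, local host(port), peer host(port), optional state.
ROW = re.compile(
    r"^(TCP|UDP)\s+\d+\s+\d+\s+"
    r"([^\s()]+)\(([^\s()]+)\)\s+"
    r"([^\s()]+)\(([^\s()]+)\)"
    r"(?:\s+([A-Z_]+))?\s*$"
)


@dataclass
class Conn:
    proto: str
    local_host: str
    local_port: str
    peer_host: str
    peer_port: str
    state: Optional[str]  # UDP rows have no State column


def parse_connections(text):
    """Return a Conn for every TCP/UDP row; headers and other sections are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            conns.append(Conn(*m.groups()))
    return conns


def is_listener(c):
    """TCP listeners are in LISTEN; UDP has no state, so a wildcard peer marks a bound socket."""
    if c.proto == "TCP":
        return c.state == "LISTEN"
    return c.peer_host == "*" and c.peer_port == "*"


def audit_listeners(conns):
    """Flag listening services found in RISKY, one finding per (proto, service)."""
    findings = {}
    for c in conns:
        if is_listener(c) and c.local_port in RISKY:
            findings[(c.proto, c.local_port)] = RISKY[c.local_port]
    return sorted((p, s, why) for (p, s), why in findings.items())


def leaked_peers(conns):
    """Remote ends of live sessions: other people's addresses shown to any caller."""
    return sorted({(c.peer_host, c.local_port) for c in conns if c.state == "ESTABLISHED"})


if __name__ == "__main__":
    rows = parse_connections(SAMPLE)
    for proto, service, why in audit_listeners(rows):
        print(f"{proto:3} {service:8} {why}")
    for peer, service in leaked_peers(rows):
        print(f"peer {peer} visible on {service}")
```
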

So my lady friend wanted to try out another port. I suggested the finger port, number 79. So she gave the command:

<slug> [68] ->telnet grande.nm.org 79
Trying 129.121.1.2 ...
Connected to grande.nm.org.
Escape character is '^]'.
finger
?Sorry, could not find "FINGER"
Connection closed by foreign host.
<slug> [69] ->telnet grande.nm.org 79
Trying 129.121.1.2 ...
Connected to grande.nm.org.
Escape character is '^]'.
help
?Sorry, could not find "HELP"
Connection closed by foreign host.
<slug> [69] ->telnet grande.nm.org 79
Trying 129.121.1.2 ...
Connected to grande.nm.org.
Escape character is '^]'.
?
?Sorry, could not find "?"
Connection closed by foreign host.
<slug> [69] ->telnet grande.nm.org 79
Trying 129.121.1.2 ...
Connected to grande.nm.org.
Escape character is '^]'.
man
?Sorry, could not find "MAN"
Connection closed by foreign host.
<slug> [69] ->

At first this looks like just a bunch of failed commands. But actually this is pretty fascinating. The reason is that port 79 is, under IETF rules, supposed to run fingerd, the finger daemon. So when she gave the command “finger” and grande.nm.org said ?Sorry, could not find "FINGER", we knew this port was not following IETF rules.

Now on many computers they don’t run the finger daemon at all. This is because finger has some properties that can be used to gain total control of the computer that runs it.

But if finger is shut down, and nothing else is running on port 79, we would get the answer:

telnet: connect: Connection refused.

But instead we got connected and grande.nm.org was waiting for a command.

Now the normal thing a port surfer does when running an unfamiliar daemon is to coax it into revealing what commands it uses. “Help,” “?” and “man” often work. But it didn’t help us.

But even though these commands didn’t help us, they did tell us that the daemon is probably something sensitive. If it were a daemon that was meant for anybody and his brother to use, it would have given us instructions.

So what did we do next? We decided to be good Internet citizens and also stay out of jail. We decided we’d better log off.

But there was one hack we decided to do first: leave our mark on the shell log file.

The shell log file keeps a record of all operating system commands made on a computer. The administrator of an obviously important computer such as grande.nm.org is probably competent enough to scan the records of what commands are given by whom to his computer. Especially on a port important enough to be running a mystery, non-IETF daemon. So everything we typed while connected was saved on a log.

So my friend giggled with glee and left a few messages on port 79 before logging off. Oh, dear, I do believe she’s hooked on hacking. Hmmm, it could be a good way to meet cute sysadmins...

So, port surf’s up! If you want to surf, here’s the basics:

1) Get logged on to a shell account. That’s an account with your ISP that lets you give Unix commands. Or -- run Linux or some other kind of Unix on your PC and hook up to the Internet.

2) Give the command “telnet <hostname> <port number>” where <hostname> is the internet address of the computer you want to visit and <port number> is whatever looks phun to you.

3) If you get the response “connected to <hostname>,” then surf’s up!

Following are some of my favorite ports. It is legal and harmless to pay them visits so long as you don’t figure out how to gain superuser status while playing with them. However, please note that if you do too much port surfing from your shell account, your sysadmin may notice this in his or her shell log file. If he or she is prejudiced against hacking, you may get kicked off your ISP. So you may want to explain in advance that you are merely a harmless hacker looking to have a good time, er, um, learn about Unix. Yeh, that sounds good...

Port number  Service  Why it’s phun!

7            echo     Whatever you type in, the host repeats back to you, used for ping
9            discard  Dev/null -- how fast can you figure out this one?
11           systat   Lots of info on users
13           daytime  Time and date at computer’s location
15           netstat  Tremendous info on networks but rarely used any more
19           chargen  Pours out a stream of ASCII characters. Use ^C to stop.
21           ftp      Transfers files
22           ssh      secure shell login -- encrypted tunnel
23           telnet   Where you log in if you don’t use ssh:)
25           smtp     Forge email from Bill.Gates@Microsoft.org.
37           time     Time
39           rlp      Resource location
43           whois    Info on hosts and networks
53           domain   Nameserver
70           gopher   Out-of-date info hunter
79           finger   Lots of info on users
80           http     Web server
110          pop      Incoming email
119          nntp     Usenet news groups -- forge posts, cancels
443          shttp    Another web server
512          biff     Mail notification
513          rlogin   Remote login
             who      Remote who and uptime
514          shell    Remote command, no password used!
             syslog   Remote system logging -- how we bust hackers
520          route    Routing information protocol

**************************
Propeller head tip: Note that in most cases an Internet host will use these port number assignments for these services. More than one service may also be assigned simultaneously to the same port. This numbering system is voluntarily offered by the Internet Engineering Task Force (IETF). That means that an Internet host may use other ports for these services. Expect the unexpected!

If you have a copy of Linux, you can get the list of all the IETF assignments of port numbers in the file /etc/services.
********************************
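
A sysadmin can turn the two observations above (info-leaking daemons left on, and a port that answers with something other than its assigned service) into a check on their own host. The following is an added example, not part of the original guide; it assumes the host starts these services from an inetd.conf file, and both sample files and the lookupd program name are constructed.

```python
import os

# Services from the guide's table open to any caller, with its description.
EXPOSING = {
    "systat": "lots of info on users",
    "netstat": "tremendous info on networks",
    "finger": "lots of info on users",
    "shell": "remote command, no password used",
}
# Constructed sample in /etc/services format: name port/protocol [aliases]
SERVICES_TEXT = """\
systat    11/tcp   users
netstat   15/tcp
finger    79/tcp
"""
# Constructed inetd.conf sample (lookupd is hypothetical):
# name socket-type protocol wait-flag user program [args]
INETD_TEXT = """\
#systat  stream tcp nowait nobody /bin/ps       ps -auwwx
netstat  stream tcp nowait nobody /bin/netstat  netstat -a
daytime  stream tcp nowait root   internal
finger   stream tcp nowait nobody /usr/local/sbin/lookupd lookupd
"""

def parse_services(text):
    """Map (name or alias, protocol) -> port number."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            for name in [fields[0]] + fields[2:]:
                table[(name, proto)] = int(port)
    return table

def audit_inetd(inetd_text, services):
    """Return (port, service, finding) for each enabled entry worth review."""
    findings = []
    for line in inetd_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 6:
            continue  # blank, commented out (disabled) or malformed
        name, proto, daemon = fields[0], fields[2], os.path.basename(fields[5])
        port = services.get((name, proto))
        if name == "finger" and daemon not in ("fingerd", "in.fingerd"):
            # The grande.nm.org case: port 79 answers, but not with fingerd.
            findings.append((port, name, f"runs {daemon}, not a finger daemon"))
        elif name in EXPOSING:
            findings.append((port, name, EXPOSING[name]))
    return findings
```

Calling audit_inetd(INETD_TEXT, parse_services(SERVICES_TEXT)) reports the enabled netstat entry and the mismatched port 79 entry; the commented-out systat line and the daytime entry are not flagged.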
_________________________________________________________
Send me confidential email (please, no discussions of illegal activities) use . Please direct flames to dev/null@cmeinel.com. Happy hacking!

© 1996 Carolyn P. Meinel. You may forward the GUIDE TO (mostly) HARMLESS HACKING as long as you leave this notice at the end.



 © 2013 Happy Hacker All rights reserved.