Hacking - How its done & Tutorials

Hacking - How its done & Tutorials


Techniques Adopted By 'System
Crackers' When Attempting To Break Into Corporate or Sensitive Private Networks
Network Security Solutions Ltd.; 1998; ASCII
This white paper was written to help give systems administrators and network operations
staff an insight into the tactics and methodologies adopted by typical system crackers
when targeting large networks.Understanding Microsoft Proxy Server 2.0
NeonSurge - Rhino9; 1998; ASCII A paper on the MS Proxy Server features, architecture,
etc.Millenium Hacking (Hacking 2000)
CyberTech Security (UHF); 1998; ASCII A general HOWTO for hacking with a goal of showing
what hacking was like at the end of the millenium.Packets Found on an
Internet
Bellovin, Steven M.; 1993; Postscript A very interesting paper describing the various
attacks, probes, and miscellaneous packets floating past AT&T Bell Labs' net
connection.Security Problems in the
TCP/IP Protocol Suite
Bellovin, Steven M.; 1989; Postscript A broad overview of problems within TCP/IP itself,
as well as many common application layer protocols which rely on TCP/IP.There Be Dragons
Bellovin, Steven M.; 1992; Postscript Another Bellovin paper discussing the various
attacks made on att.research.com. This paper is also the source for this page's title.An Advanced 4.3BSD IPC Tutorial -
PDF Version
Berkeley CSRG; date unknown; Postscript This paper describes the IPC facilities new to
4.3BSD. It was written by the CSRG as a supplement to the manpages.NFS Tracing by Passive Network
Monitoring
Blaze, Matt; 1992; ASCII Blaze, now famous for cracking the Clipper chip while at Bell
Labs, wrote this paper while he was a PhD candidate at Princeton.Network (In)Security Through
IP Packet Filtering - PDF
Version
Chapman, D. Brent; 1992; Postscript Why packet filtering is a difficult to use and not
always a very secure method of securing a network.An Evening with Berferd
Cheswick, Bill; 1991; Postscript A cracker from Norway is "lured, endured, and
studied."Improving the Security of
your Unix System
Curry, David, SRI International; 1990; Postscript This is the somewhat well known SRI
Report on Unix Security. It's a good solid starting place for securing a Unix box.COPS and Robbers
Farmer, Dan; 1991; ASCII This paper discusses a bit of general security and then goes into
detail reguarding Unix system misconfigurations, specifically ones that COPS checks for.Improving The Security of Your
System by Breaking Into It
Farmer & Wietse; date unknown; ASCII An excellent text by Dan Farmer and Wietse
Venema. If you haven't read this before, here's your opportunity.A Simple Active Attack Against TCP -
PDF Version
Joncheray, Laurent; 1995; Postscript This paper describes an active attack against TCP
which allows re-direction (hijacking) of the TCP stream.Foiling the Cracker
Klein, Daniel; Postscript A Survey of, and Improvements to, Password Security. Basically a
treatise on how to select proper passwords.A Weakness in the
4.2BSD Unix TCP/IP Software
Morris, Robert T; 1985; Postscript This paper describes the much ballyhooed method by
which one may forge packets a stink about it!The Risks of Key Recovery, Key Escrow,
and Trusted 3rd Party Encryption
Various Authors; May 1996; ASCII This paper examines the technical risks, costs, and
implications of deploying systems that provide government access to encryption keys.Thinking About Firewalls - PDF Version
Ranum, Marcus; Postscript A general overview of firewalls, with tips on how to select one
to meet your needs.ALT2600.txt
Voyager; 1995; ASCII This is the FAQ from the internet news group Alt.2600. Deals with
various topics concerning hacking and phreaking.The Hacker's Handbook
Cornwall, Hugo; 1985; ASCII A book about hacking techniques, hacking intelligence,
Networks, etc.Crash Course in X-Windows Security
Unknown Author; Unknown Date; ASCII This document will help you learn about X-Windows
Security and how to make it more secure.Things that go Bump on the net
Unknown Author; Unknown Date; ASCII This is a brief look at some of the more colorful
characters in the menagerie of network security threats, with an emphasis on how they
relate to agent-based sytems.Securing X Windows
Fisher, John; 1995; ASCII This document talks about how X-windows works, Host
Authenticiation and Token Authenticiation, Xterm Vulnerablities and related security
information.A Unix Hacking Tutorial
Sir Hackalot; Unknown date; ASCII A Excellent hacking tutorial for the starting hacker or
hacker-wanna-be.The Neophyte's Guide to Hacking
Deicide; August 1993; ASCII Another guide for beginning hackers that talks about a wide
range of topics.Hacking Kit version 2.0 Beta
Invisible Evil; March 1997;ASCII A very detailed and well written guide for hackers. This
document is also fairly up to date and includes examples and source code.IP Hijacking
Laurant Joucheray; April 24, 1995; Postscript This paper discuesses the art of IP
hijacking.Linux security archives by date
Various Authors; March 1995 through October 1996; ASCII The Linux Security list-archives
from March 1995 through October 1996.Sockets Frequently Asked Questions
Vic Metcalfe; August 1996; ASCII (tarred and zipped) Socket Frequently Asked Questions
includes many examples and source code.Confidence Remains High Issues 1-6 + Summer
Issue
Various Authors; Various Dates; ASCII (tarred and zipped) An excellent magazine discussing
hacking, phone, radio, and more.Common Insecurities Fail Scrutiny
*Hobbit*; January 1997 ; ASCII An analysis of TCP/IP NetBIOS file-sharing protocols is
presented as well as the examination of protocol and administrative vulnerabilities.Firewall Papers and Performance
Issues - PDF Version
Various Authors; April 1997 ; Various Formats This is a small collection of Papers and
source concerning firewalls and their performace.Linux Stack OverFlows
Willy Tarreau; June 1997 ; HTML An HTML page with sample utilities describing stack
overruns on Linux.Hacking Unix Systems
Red Knight; October 1989 ; ASCII An Indepth Guide to Hacking UNIX and the Concept of Basic
Networking.Sequence Number Attacks
Rik Farrow; December 1994 ; ASCII A brief article that gives an overview of TCP sequence
number attacks. (Includes rfc1948 which shows how to protecte against TCP sequence no.
attacks.)Buffer OverWrites
Various Authors; June 1997 ; Various Formats A collection of papers and utilities
concerning the art of buffer overwriting.Introduction to Internet Protocols
Charles L. Hedrick; July 1987; ASCII An introduction to the Internet networking protocols
(TCP/IP).A Novice's Guide to Hacking
The Mentor; December 1988; ASCII Another good source of reading for beginners.Backdoors
Christopher Klaus; August 1997; ASCII A discussion of many common backdoors and ways to
check for them.Them and Us
Paul Taylor; June 1997; ASCII Chapter 6 of Paul Taylor's Hacker Book which talks about
some of the ethics and boundaries of hacking.The Design of a Secure Internet Gateway
Bill Cheswick; Unknown Date; Postscript This paper describes an internet gateway
configuration that helps protect the internal network even if an external machine is
compromised.Some Problems with the FTP Protocol
David Sacerdote; April 1996; ASCII Discusses problems with the File Transfer Protocol, a
failure of common implementations, and suggestions for repair.Psychotic's Unix Bible
Virtual Circuit; Unknown Date; Zipped An excellent Unix resource to have. The Unix Bible
contains and illustrates many Unix commands and their syntaxes.The interaction of SSH and X11
Ulrich Flegel; September 1997; Postscript Thoughts concerning the security of SSH in
conjunction with X11.Beginners Guide to Hacking
Phantom; October 1997; ASCII An excellent guide with examples and text discussing getting
access, hacking root, covering tracks, and much more


http://www.infosyssec.org/infosyssec/security/hackhow1.htm

How to Trace a hacker


Sometimes, it's just not enough to simply know that there's a Trojan or
Virus onboard. Sometimes you need to know exactly why that file is
onboard, how it got there - but most importantly, who put it there.

By enumerating the attacker in the same way that they have enumerated
the victim, you will be able to see the bigger picture and establish
what you're up against. But how can you do this? Read on...

## Connections make the world go round ##

The computer world, at any rate. Every single time you open up a
website, send an email or upload your webpages into cyberspace, you are
connecting to another machine in order to get the job done. This, of
course, presents a major problem, because this simple act is what
allows malicious users to target a machine in the first place.

# How do these people find their victim?

Well, first of all, they need to get hold of the victim's IP Address.
Your IP (Internet Protocol) address reveals your point of entry to the
Internet and can be used in many ways to cause your online activities
many, many problems. It may not reveal you by name, but it may be
uniquely identifiable and it represents your digital ID while you are
online (especially so if you're on a fixed IP / DSL etc).

With an IP address, a Hacker can find out all sorts of weird and
wonderful things about their victim (as well as causing all kinds of
other trouble, the biggest two being Portnukes/Trojans and the dreaded
DoS ((Denial of Service)) attack). Some Hackers like to collect IP
Addresses like badges, and like to go back to old targets, messing them
around every so often. An IP address is incredibly easy to obtain -
until recently, many realtime chat applications (such as MSN) were
goldmines of information. Your IP Address is contained as part of the
Header Code on all emails that you send and webpages that you visit can
store all kinds of information about you. A common trick is for the
Hacker to go into a Chatroom, paste his supposed website address all
over the place, and when the unsuspecting victim visits, everything
about your computer from the operating system to the screen resolution
can be logged...and, of course, the all important IP address. In
addition, a simple network-wide port scan will reveal vulnerable target
machines, and a war-dialler will scan thousands of lines for exposed
modems that the hacker can exploit.

So now that you know some of the basic dangers, you're probably wondering how these people connect to a victim's machine?

## Virtual and Physical Ports ##

Everything that you recieve over the Internet comes as a result of
other machines connecting to your computer's ports. You have two types;
Physical are the holes in the back of your machine, but the important
ones are Virtual. These allow transfer of data between your computer
and the outside world, some with allocated functions, some without, but
knowing how these work is the first step to discovering who is
attacking you; you simply MUST have a basic knowledge of this, or you
won't get much further.

# What the phrases TCP/UDP actually mean

TCP/IP stands for Transmission Control Protocol and Internet Protocol,
a TCP/IP packet is a block of data which is compressed, then a header
is put on it and it is sent to another computer (UDP stands for User
Datagram Protocol). This is how ALL internet transfers occur, by
sending packets. The header in a packet contains the IP address of the
one who originally sent you it. Now, your computer comes with an
excellent (and free) tool that allows you to see anything that is
connected (or is attempting to connect) to you, although bear in mind
that it offers no blocking protection; it simply tells you what is
going on, and that tool is NETSTAT


## Netstat: Your first line of defence ##

Netstat is a very fast and reliable method of seeing exactly who or
what is connected (or connecting) to your computer. Open up DOS
(Start/Programs/MS-DOS Prompt on most systems), and in the MSDOS
Prompt, type:

netstat -a

(make sure you include the space inbetween the "t" and the "a").

If you're connected to the Internet when you do this, you should see something like:


Active Connections

Proto Local Address Foreign Address State
TCP macintosh: 20034 modem-123.tun.dialup.co.uk: 50505 ESTABLISHED
TCP macintosh: 80 proxy.webcache.eng.sq: 30101 TIME_WAIT
TCP macintosh MACINTOSH: 0 LISTENING
TCP macintosh MACINTOSH: 0 LISTENING
TCP macintosh MACINTOSH: 0 LISTENING


Now, "Proto(col)" simply means what kind of data transmission is taking
place (TCP or UDP), "Local address" is your computer (and the number
next to it tells you what port you're connected on), "Foreign Address"
is the machine that is connected to you (and what port they're using),
and finally "State" is simply whether or not a connection is actually
established, or whether the machine in question is waiting for a
transmission, or timing out etc.

Now, you need to know all of Netstat's various commands, so type:

netstat ?

You will get something like this:


Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

-a Displays all connections and listening ports.
-e Displays Ethernet statistics. This may be combined with the -s option.
-n Displays addresses and port numbers in numerical form.
-p proto Shows connections for the protocol specified by proto; proto
may be TCP or UDP. If used with the -s option to display per-protocol
statistics, proto may be TCP, UDP, or IP.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are shown
for TCP, UDP and IP; the -p option may be used to specify a subset of
the default.


Have a play around with the various options, but the most important use
of these methods is when you combine them. The best command to use is

netstat -an

because this will list all connections in Numerical Form, which makes
it a lot easier to trace malicious users....Hostnames can be a little
confusing if you don't know what you're doing (although they're easily
understandable, as we shall see later). Also, by doing this, you can
also find out what your own IP address is, which is always useful.

Also,

netstat -b

will tell you what ports are open and what programs are connecting to the internet.

## Types of Port ##

It would be impossible to find out who was attacking you if computers
could just access any old port to perform an important function; how
could you tell a mail transfer from a Trojan Attack? Well, good news,
because your regular, normal connections are assigned to low, commonly
used ports, and in general, the higher the number used, the more you
should be suspicious. Here are the three main types of port:

# Well Known Ports These run from 0 to 1023, and are bound to the
common services that run on them (for example, mail runs on channel 25
tcp/udp, which is smtp (Simple Mail Transfer Protocol) so if you find
one of these ports open (and you usually will), it's usually because of
an essential function.

# Registered Ports These run on 1024 to 49151. Although not bound to a
particular service, these are normally used by networking utilities
like FTP software, Email client and so on, and they do this by opening
on a random port within this range before communicating with the remote
server, so don't panic (just be wary, perhaps) if you see any of these
open, because they usually close automatically when the system that's
running on them terminates (for example, type in a common website name
in your browser with netstat open, and watch as it opens up a port at
random to act as a buffer for the remote servers). Services like MSN
Messenger and ICQ usually run on these Ports.

# Dynamic/Private Ports Ranging from 49152 to 65535, these things are
rarely used except with certain programs, and even then not very often.
This is indeed the usual range of the Trojan, so if you find any of
these open, be very suspicious. So, just to recap:


Well Known Ports 0 to 1023 Commonly used, little danger.
Registered Ports 1024 to 49151 Not as common, just be careful.
Dynamic/Private Ports 49152 to 65535 Be extremely suspicious.


## The hunt is on ##

Now, it is essential that you know what you're looking for, and the
most common way someone will attack your machine is with a Trojan. This
is a program that is sent to you in an email, or attempts to bind
itself to one of your ports, and when activated, it can give the user
your passwords, access to your hard drive...they can even make your CD
Tray pop open and shut. At the end of this Document, you will find a
list of the most commonly used Trojans and the ports they operate on.
For now, let's take another look at that first example of Netstat....


Active Connections

Proto Local Address Foreign Address State
TCP macintosh: 27374 modem-123.tun.dialup.co.uk: 50505 ESTABLISHED
TCP macintosh: 80 proxy.webcache.eng.sq: 30101 TIME_WAIT
TCP macintosh MACINTOSH: 0 LISTENING
TCP macintosh MACINTOSH: 0 LISTENING
TCP macintosh MACINTOSH: 0 LISTENING


Now, straight away, this should make more sense to you. Your computer
is connected on two ports, 80 and 27374. Port 80 is used for http/www
transmissions (ie for all intents and purposes, its how you connect to
the net, although of course it's a lot more complicated than that).
Port 27374, however, is distinctly suspicious; first of all, it is in
the registered port range, and although other services (like MSN) use
these, let's assume that you have nothing at all running like instant
messengers, webpages etc....you're simply connected to the net through
proxy. So, now this connection is looking even more troublesome, and
when you realise that 27374 is a common port for Netbus (a potentially
destructive Trojan), you can see that something is untoward here. So,
what you would do is:


1) run Netstat , and use:

Netstat -a

then

Netstat -an

So you have both Hostnames AND IP addresses.


## Tracerouting ##

Having the attacker's IP is all well and good, but what can you do with
it? The answer is, a lot more! It's not enough to have the address, you
also need to know where the attacker's connections are coming from. You
may have used automated tracerouting tools before, but do you jknow how
they work?

Go back to MSDOS and type


tracert *type IP address/Hostname here*


Now, what happens is, the Traceroute will show you all the computers
inbetween you and the target machine, including blockages, firewalls
etc. More often than not, the hostname address listed before the final
one will belong to the Hacker's ISP Company. It'll either say who the
ISP is somewhere in there, or else you run a second trace on the new
IP/hostname address to see who the ISP Company in question is. If the
Hostname that you get back doesn't actually seem to mention an actual
geographical location within its text, you may think all is lost. But
fear not! Suppose you get a hostname such as

http://www.somethingxyz.com

Well, that tells us nothing, right? Wrong....simply enter the hostname
in your browser, and though many times you will get nothing back,
sometimes it will resolve to an ISP, and from there you can easily find
out its location and in what areas they operate. This at least gives
you a firm geographical location to carry out your investigations in.

If you STILL have nothing, as a last resort you COULD try connecting to
your target's ISP's port 13 by Telnet, which will tell you how many
hours ahead or behind this ISP is of GMT, thus giving you a
geographical trace based on the time mentioned (although bear in mind,
the ISP may be doing something stupid like not having their clocks set
correctly, giving you a misleading trace. Similarly, a common tactic of
Hackers is to deliberately have their computer's clock set to a totally
wrong time, so as to throw you off the scent). Also, unless you know
what you're doing, I wouldn't advise using Telnet (which is outside the
parameters of this tutorial).

## Reverse DNS Query ##

This is probably the most effective way of running a trace on somebody.
If ever you're in a chatroom and you see someone saying that they've
"hacked into a satellite orbiting the Earth, and are taking pictures of
your house right now", ignore them because that's just bad movie
nonsense. THIS method is the way to go, with regard to finding out what
country (even maybe what State/City etc) someone resides, although it's
actually almost impossible to find an EXACT geographical location
without actually breaking into your ISP's Head Office and running off
with the safe.

To run an rDNS query, simply go back to MS-DOS and type

netstat

and hit return. Any active connections will resolve to hostnames rather than a numerical format.

# DNS

DNS stands for Domain Name Server. These are machines connected to the
Internet whose job it is to keep track of the IP Addresses and Domain
Names of other machines. When called upon, they take the ASCII Domain
Name and convert it to the relevant numeric IP Address. A DNS search
translates a hostname into an IP address....which is why we can enter
"www.Hotmail.com" and get the website to come up, instead of having to
actually remember Hotmail's IP address and enter that instead. Well,
Reverse DNS, of course, translates the IP Address into a Hostname (ie -
in letters and words instead of numbers, because sometimes the Hacker
will employ various methods to stop Netstat from picking up a correct
Hostname).

So, for example,

298.12.87.32 is NOT a Hostname.
mail6.bol.net.au IS a Hostname.

Anyway, see the section at the end? (au) means the target lives in
Australia. Most (if not all) hostnames end in a specific Country Code,
thus narrowing down your search even further. If you know your target's
Email Address (ie they foolishly sent you a hate mail, but were silly
enough to use a valid email address) but nothing else, then you can use
the Country codes to deduce where they're from as well. You can also
deduce the IP address of the sender by looking at the emails header (a
"hidden" line of code which contains information on the sender)...on
Hotmail for example, go to Preferences, and select the "Full Header's
Visible" option. Alternatively, you can run a "Finger" Trace on the
email address, at:

[url]http://www.somethingxyz.com[/url

Plus, some ISP's include their name in your Email Address with them too
(ie Wanadoo, Supanet etc), and your Hacker may be using an email
account that's been provided by a Website hosting company, meaning this
would probably have the website host's name in the email address (ie
Webspawners). So, you could use the information gleaned to maybe even
hunt down their website (then you could run a website check as
mentioned previously) or report abuse of that Website Provider's Email
account (and thus, the Website that it goes with) to

abuse@companynamegoeshere.com

If your Hacker happens to reside in the USA, go to:

www.usps.gov/ncsc/lookups/abbr_state.txt

for a complete list of US State abbreviatons.

## List of Ports commonly used by Trojans ##

Please note that this isn't a complete list by any means, but it will
give you an idea of what to look out for in Netstat. Be aware that some
of the lower Ports may well be running valid services.

UDP: 1349 Back Ofrice DLL
31337 BackOfrice 1.20
31338 DeepBO
54321 BackOfrice 2000


TCP: 21 Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
23 Tiny Telnet Server
25 Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy, Kuang2 0.17A-0.30
31 Hackers Paradise
80 Executor
456 Hackers Paradise
555 Ini-Killer, Phase Zero, Stealth Spy
666 Satanz Backdoor
1001 Silencer, WebEx
1011 Doly Trojan
1170 Psyber Stream Server, Voice
1234 Ultors Trojan
1243 SubSeven 1.0 - 1.8
1245 VooDoo Doll
1492 FTP99CMP
1600 Shivka-Burka
1807 SpySender
1981 Shockrave
1999 BackDoor 1.00-1.03
2001 Trojan Cow
2023 Ripper
2115 Bugs
2140 Deep Throat, The Invasor
2801 Phineas Phucker
3024 WinCrash
3129 Masters Paradise
3150 Deep Throat, The Invasor
3700 Portal of Doom
4092 WinCrash
4567 File Nail 1
4590 ICQTrojan
5000 Bubbel
5000 Sockets de Troie
5001 Sockets de Troie
5321 Firehotcker
5400 Blade Runner 0.80 Alpha
5401 Blade Runner 0.80 Alpha
5402 Blade Runner 0.80 Alpha
5400 Blade Runner
5401 Blade Runner
5402 Blade Runner
5569 Robo-Hack
5742 WinCrash
6670 DeepThroat
6771 DeepThroat
6969 GateCrasher, Priority
7000 Remote Grab
7300 NetMonitor
7301 NetMonitor
7306 NetMonitor
7307 NetMonitor
7308 NetMonitor
7789 ICKiller
8787 BackOfrice 2000
9872 Portal of Doom
9873 Portal of Doom
9874 Portal of Doom
9875 Portal of Doom
9989 iNi-Killer
10067 Portal of Doom
10167 Portal of Doom
10607 Coma 1.0.9
11000 Senna Spy
11223 Progenic trojan
12223 Hack´99 KeyLogger
12345 GabanBus, NetBus
12346 GabanBus, NetBus
12361 Whack-a-mole
12362 Whack-a-mole
16969 Priority
20001 Millennium
20034 NetBus 2.0, Beta-NetBus 2.01
21544 GirlFriend 1.0, Beta-1.35
22222 Prosiak
23456 Evil FTP, Ugly FTP
26274 Delta
30100 NetSphere 1.27a
30101 NetSphere 1.27a
30102 NetSphere 1.27a
31337 Back Orifice
31338 Back Orifice, DeepBO
31339 NetSpy DK
31666 BOWhack
33333 Prosiak
34324 BigGluck, TN
40412 The Spy
40421 Masters Paradise
40422 Masters Paradise
40423 Masters Paradise
40426 Masters Paradise
47262 Delta
50505 Sockets de Troie
50766 Fore
53001 Remote Windows Shutdown
54321 SchoolBus .69-1.11
61466 Telecommando
65000 Devil


## Summary ##

The Internet is by no means as anonymous as some people think it is,
and although this is to the detriment of people's security online, this
also works both ways....it IS possible to find and stop even the most
determined of attackers, you just have to be patient and keep hunting
for clues which will help you put an end to their exploits.


http://forums.techarena.in/guides-tutorials/443453.htm