_____________________________________________________________ GUIDE TO (mostly) HARMLESS HACKING Vol. 2 Number 4 More intro to TCP/IP: port surfing! Daemons! How to get on almost any computer without logging in and without breaking the law. Impress your clueless friends and actually discover kewl, legal, safe stuph. I'll bet se7en doesn't know how to do all this... ______________________________________________________________ A few days ago I had a lady friend visiting. She's 42 and doesn't own a computer. However, she is taking a class on personal computers at a community college. She wanted to know what all this hacking stuph is about. So I decided to introduce her to port surfing. And while doing it, we stumbled across something kewl. Port surfing takes advantage of the structure of TCP/IP. This is the protocol (set of rules) used for computers to talk to each other over the Internet. One of the basic principles of Unix (the most popular operating system on the Internet) is to assign a "port" to every function that one computer might command another to perform. Common examples are to send and receive email, read Usenet newsgroups, telnet, transfer files, and offer Web pages. ************************ Newbie note #1: A computer port is a place where information goes in or out of it. On your home computer, examples of ports are your monitor, which sends information out, your keyboard and mouse, which send information in, and your modem, which sends information both out and in. But an Internet host computer such as callisto.unm.edu has many more ports than a typical home computer. These ports are identified by numbers. Now these are not all physical ports, like a keyboard or RS232 serial port (for your modem). They are virtual (software) ports. ************************ So if you want to read a Web page, your browser contacts port number 80 and tells the computer that manages that Web site to let you in. And, sure enough, you get into that Web server computer without a password. OK, big deal. That's pretty standard for the Internet. Many -- most -- computers on the Internet will let you do some things with them without needing a password. However, the essence of hacking is doing things that aren't obvious. That don't just jump out at you from the manuals. One way you can move a step up from the run of the mill computer user is to learn how to port surf. I'll bet you won't find port surfing in a Unix manual. The essence of port surfing is to pick out a target computer and explore it to see what ports are open and what you can do with them. Now if you are a lazy hacker you can use canned hacker tools such as Satan or Netcat. These are programs you can run from Linux, FreeBSD or Solaris (all types of Unix) from your PC. They automatically scan your target computers. They will tell you what ports are in use. They will also probe these ports for presence of daemons with known security flaws, and tell you what they are. ******************************** Newbie note # 2: A daemon is not some sort of grinch or gremlin or 666 guy. It is a program that runs in the background on many (but not all) Unix system ports. It waits for you to come along and use it. If you find a daemon on a port, it's probably hackable. Some hacker tools will tell you what the hackable features are of the daemons they detect. ******************************** However, there are several reasons to surf ports by hand instead of automatically. 1) You will learn something. Probing manually you get a gut feel for how the daemon running on that port behaves. It's the difference between watching an x-rated movie and (blush). 2) You can impress your friends. If you run a canned hacker tool like Satan your friends will look at you and say, "Big deal. I can run programs, too." They will immediately catch on to the dirty little secret of the hacker world. Most hacking exploits are just lamerz running programs they picked up from some BBS or ftp site. But if you enter commands keystroke by keystroke your friends will see you using your brain. And you can help them play with daemons, too, and give them a giant rush. 3) The truly elite hackers surf ports and play with daemons by hand because it is the only way to discover something new. There are only a few hundred hackers -- at most -- who discover new stuph. The rest just run canned exploits over and over and over again. Boring. But port surfing by hand is on the path to the pinnacle of hackerdom. Now let me tell you what my middle-aged friend and I discovered while just messing around. First, we decided we didn't want to waste our time messing with some minor little host computer. Hey, let's go for the big time! So how do you find a big kahuna computer on the Internet? We started with a domain which consisted of a LAN of PCs running Linux that I happened to already know about, that is used by the New Mexico Internet Access ISP: nmia.com. ***************************** Newbie Note # 3: A domain is an Internet address. You can use it to look up who runs the computers used by the domain, and also to look up how that domain is connected to the rest of the Internet. ***************************** So to do this we first logged into my shell account with Southwest Cyberport. I gave the command: [66] ->whois nmia.com New Mexico Internet Access (NMIA-DOM) 2201 Buena Vista SE Albuquerque, NM 87106 Domain Name: NMIA.COM Administrative Contact, Technical Contact, Zone Contact: Orrell, Stan (SO11) SAO@NMIA.COM (505) 877-0617 Record last updated on 11-Mar-94. Record created on 11-Mar-94. Domain servers in listed order: NS.NMIA.COM 198.59.166.10 GRANDE.NM.ORG 129.121.1.2 Now it's a good bet that grande.nm.org is serving a lot of other Internet hosts beside nmia.com. Here's how we port surfed our way to find this out: [67] ->telnet grande.nm.org 15 Trying 129.121.1.2 ... Connected to grande.nm.org. Escape character is '^]'. TGV MultiNet V3.5 Rev B, VAX 4000-400, OpenVMS VAX V6.1 Product License Authorization Expiration Date ---------- ------- ------------- --------------- MULTINET Yes A-137-1641 (none) NFS-CLIENT Yes A-137-113237 (none) *** Configuration for file "MULTINET:NETWORK_DEVICES.CONFIGURATION" *** Device Adapter CSR Address Flags/Vector ------ ------- ----------- ------------ se0 (Shared VMS Ethernet/FDDI) -NONE- -NONE- -NONE- MultiNet Active Connections, including servers: Proto Rcv-Q Snd-Q Local Address (Port) Foreign Address (Port) State ----- ----- ----- ------------------ ------------------ ----- TCP 0 822 GRANDE.NM.ORG(NETSTAT) 198.59.115.24(1569) ESTABLISHED TCP 0 0 GRANDE.NM.ORG(POP3) 164.64.201.67(1256) ESTABLISHED TCP 0 0 GRANDE.NM.ORG(4918) 129.121.254.5(TELNET) ESTABLISHED TCP 0 0 GRANDE.NM.ORG(TELNET) AVATAR.NM.ORG(3141) ESTABLISHED TCP 0 0 *(NAMESERVICE) *(*) LISTEN TCP 0 0 *(TELNET) *(*) LISTEN TCP 0 0 *(FTP) *(*) LISTEN TCP 0 0 *(FINGER) *(*) LISTEN TCP 0 0 *(NETSTAT) *(*) LISTEN TCP 0 0 *(SMTP) *(*) LISTEN TCP 0 0 *(LOGIN) *(*) LISTEN TCP 0 0 *(SHELL) *(*) LISTEN TCP 0 0 *(EXEC) *(*) LISTEN TCP 0 0 *(RPC) *(*) LISTEN TCP 0 0 *(NETCONTROL) *(*) LISTEN TCP 0 0 *(SYSTAT) *(*) LISTEN TCP 0 0 *(CHARGEN) *(*) LISTEN TCP 0 0 *(DAYTIME) *(*) LISTEN TCP 0 0 *(TIME) *(*) LISTEN TCP 0 0 *(ECHO) *(*) LISTEN TCP 0 0 *(DISCARD) *(*) LISTEN TCP 0 0 *(PRINTER) *(*) LISTEN TCP 0 0 *(POP2) *(*) LISTEN TCP 0 0 *(POP3) *(*) LISTEN TCP 0 0 *(KERBEROS_MASTER) *(*) LISTEN TCP 0 0 *(KLOGIN) *(*) LISTEN TCP 0 0 *(KSHELL) *(*) LISTEN TCP 0 0 GRANDE.NM.ORG(4174) OSO.NM.ORG(X11) ESTABLISHED TCP 0 0 GRANDE.NM.ORG(4172) OSO.NM.ORG(X11) ESTABLISHED TCP 0 0 GRANDE.NM.ORG(4171) OSO.NM.ORG(X11) ESTABLISHED TCP 0 0 *(FS) *(*) LISTEN UDP 0 0 *(NAMESERVICE) *(*) UDP 0 0 127.0.0.1(NAMESERVICE) *(*) UDP 0 0 GRANDE.NM.OR(NAMESERV) *(*) UDP 0 0 *(TFTP) *(*) UDP 0 0 *(BOOTPS) *(*) UDP 0 0 *(KERBEROS) *(*) UDP 0 0 127.0.0.1(KERBEROS) *(*) UDP 0 0 GRANDE.NM.OR(KERBEROS) *(*) UDP 0 0 *(*) *(*) UDP 0 0 *(SNMP) *(*) UDP 0 0 *(RPC) *(*) UDP 0 0 *(DAYTIME) *(*) UDP 0 0 *(ECHO) *(*) UDP 0 0 *(DISCARD) *(*) UDP 0 0 *(TIME) *(*) UDP 0 0 *(CHARGEN) *(*) UDP 0 0 *(TALK) *(*) UDP 0 0 *(NTALK) *(*) UDP 0 0 *(1023) *(*) UDP 0 0 *(XDMCP) *(*) MultiNet registered RPC programs: Program Version Protocol Port ------- ------- -------- ---- PORTMAP 2 TCP 111 PORTMAP 2 UDP 111 MultiNet IP Routing tables: Destination Gateway Flags Refcnt Use Interface MTU ---------- ---------- ----- ------ ----- --------- ---- 198.59.167.1 LAWRII.NM.ORG Up,Gateway,H 0 2 se0 1500 166.45.0.1 ENSS365.NM.ORG Up,Gateway,H 0 4162 se0 1500 205.138.138.1 ENSS365.NM.ORG Up,Gateway,H 0 71 se0 1500 204.127.160.1 ENSS365.NM.ORG Up,Gateway,H 0 298 se0 1500 127.0.0.1 127.0.0.1 Up,Host 5 1183513 lo0 4136 198.59.167.2 LAWRII.NM.ORG Up,Gateway,H 0 640 se0 1500 192.132.89.2 ENSS365.NM.ORG Up,Gateway,H 0 729 se0 1500 207.77.56.2 ENSS365.NM.ORG Up,Gateway,H 0 5 se0 1500 204.97.213.2 ENSS365.NM.ORG Up,Gateway,H 0 2641 se0 1500 194.90.74.66 ENSS365.NM.ORG Up,Gateway,H 0 1 se0 1500 204.252.102.2 ENSS365.NM.ORG Up,Gateway,H 0 109 se0 1500 205.160.243.2 ENSS365.NM.ORG Up,Gateway,H 0 78 se0 1500 202.213.4.2 ENSS365.NM.ORG Up,Gateway,H 0 4 se0 1500 202.216.224.66 ENSS365.NM.ORG Up,Gateway,H 0 113 se0 1500 192.132.89.3 ENSS365.NM.ORG Up,Gateway,H 0 1100 se0 1500 198.203.196.67 ENSS365.NM.ORG Up,Gateway,H 0 385 se0 1500 160.205.13.3 ENSS365.NM.ORG Up,Gateway,H 0 78 se0 1500 202.247.107.131 ENSS365.NM.ORG Up,Gateway,H 0 19 se0 1500 198.59.167.4 LAWRII.NM.ORG Up,Gateway,H 0 82 se0 1500 128.148.157.6 ENSS365.NM.ORG Up,Gateway,H 0 198 se0 1500 160.45.10.6 ENSS365.NM.ORG Up,Gateway,H 0 3 se0 1500 128.121.50.7 ENSS365.NM.ORG Up,Gateway,H 0 3052 se0 1500 206.170.113.8 ENSS365.NM.ORG Up,Gateway,H 0 1451 se0 1500 128.148.128.9 ENSS365.NM.ORG Up,Gateway,H 0 1122 se0 1500 203.7.132.9 ENSS365.NM.ORG Up,Gateway,H 0 14 se0 1500 204.216.57.10 ENSS365.NM.ORG Up,Gateway,H 0 180 se0 1500 130.74.1.75 ENSS365.NM.ORG Up,Gateway,H 0 10117 se0 1500 206.68.65.15 ENSS365.NM.ORG Up,Gateway,H 0 249 se0 1500 129.219.13.81 ENSS365.NM.ORG Up,Gateway,H 0 547 se0 1500 204.255.246.18 ENSS365.NM.ORG Up,Gateway,H 0 1125 se0 1500 160.45.24.21 ENSS365.NM.ORG Up,Gateway,H 0 97 se0 1500 206.28.168.21 ENSS365.NM.ORG Up,Gateway,H 0 2093 se0 1500 163.179.3.222 ENSS365.NM.ORG Up,Gateway,H 0 315 se0 1500 198.109.130.33 ENSS365.NM.ORG Up,Gateway,H 0 1825 se0 1500 199.224.108.33 ENSS365.NM.ORG Up,Gateway,H 0 11362 se0 1500 203.7.132.98 ENSS365.NM.ORG Up,Gateway,H 0 73 se0 1500 198.111.253.35 ENSS365.NM.ORG Up,Gateway,H 0 1134 se0 1500 206.149.24.100 ENSS365.NM.ORG Up,Gateway,H 0 3397 se0 1500 165.212.105.106 ENSS365.NM.ORG Up,Gateway,H 0 17 se0 1006 205.238.3.241 ENSS365.NM.ORG Up,Gateway,H 0 69 se0 1500 198.49.44.242 ENSS365.NM.ORG Up,Gateway,H 0 25 se0 1500 194.22.188.242 ENSS365.NM.ORG Up,Gateway,H 0 20 se0 1500 164.64.0 LAWRII.NM.ORG Up,Gateway 1 40377 se0 1500 0.0.0 ENSS365.NM.ORG Up,Gateway 2 4728741 se0 1500 207.66.1 GLORY.NM.ORG Up,Gateway 0 51 se0 1500 205.166.1 GLORY.NM.ORG Up,Gateway 0 1978 se0 1500 204.134.1 LAWRII.NM.ORG Up,Gateway 0 54 se0 1500 204.134.2 GLORY.NM.ORG Up,Gateway 0 138 se0 1500 192.132.2 129.121.248.1 Up,Gateway 0 6345 se0 1500 204.134.67 GLORY.NM.ORG Up,Gateway 0 2022 se0 1500 206.206.67 GLORY.NM.ORG Up,Gateway 0 7778 se0 1500 206.206.68 LAWRII.NM.ORG Up,Gateway 0 3185 se0 1500 207.66.5 GLORY.NM.ORG Up,Gateway 0 626 se0 1500 204.134.69 GLORY.NM.ORG Up,Gateway 0 7990 se0 1500 207.66.6 GLORY.NM.ORG Up,Gateway 0 53 se0 1500 204.134.70 LAWRII.NM.ORG Up,Gateway 0 18011 se0 1500 192.188.135 GLORY.NM.ORG Up,Gateway 0 5 se0 1500 206.206.71 LAWRII.NM.ORG Up,Gateway 0 2 se0 1500 204.134.7 GLORY.NM.ORG Up,Gateway 0 38 se0 1500 199.89.135 GLORY.NM.ORG Up,Gateway 0 99 se0 1500 198.59.136 LAWRII.NM.ORG Up,Gateway 0 1293 se0 1500 204.134.9 GLORY.NM.ORG Up,Gateway 0 21 se0 1500 204.134.73 GLORY.NM.ORG Up,Gateway 0 59794 se0 1500 129.138.0 GLORY.NM.ORG Up,Gateway 0 5262 se0 1500 192.92.10 LAWRII.NM.ORG Up,Gateway 0 163 se0 1500 206.206.75 LAWRII.NM.ORG Up,Gateway 0 604 se0 1500 207.66.13 GLORY.NM.ORG Up,Gateway 0 1184 se0 1500 204.134.77 LAWRII.NM.ORG Up,Gateway 0 3649 se0 1500 207.66.14 GLORY.NM.ORG Up,Gateway 0 334 se0 1500 204.134.78 GLORY.NM.ORG Up,Gateway 0 239 se0 1500 204.52.207 GLORY.NM.ORG Up,Gateway 0 293 se0 1500 204.134.79 GLORY.NM.ORG Up,Gateway 0 1294 se0 1500 192.160.144 LAWRII.NM.ORG Up,Gateway 0 117 se0 1500 206.206.80 PENNY.NM.ORG Up,Gateway 0 4663 se0 1500 204.134.80 GLORY.NM.ORG Up,Gateway 0 91 se0 1500 198.99.209 LAWRII.NM.ORG Up,Gateway 0 1136 se0 1500 207.66.17 GLORY.NM.ORG Up,Gateway 0 24173 se0 1500 204.134.82 GLORY.NM.ORG Up,Gateway 0 29766 se0 1500 192.41.211 GLORY.NM.ORG Up,Gateway 0 155 se0 1500 192.189.147 LAWRII.NM.ORG Up,Gateway 0 3133 se0 1500 204.134.84 PENNY.NM.ORG Up,Gateway 0 189 se0 1500 204.134.87 LAWRII.NM.ORG Up,Gateway 0 94 se0 1500 146.88.0 GLORY.NM.ORG Up,Gateway 0 140 se0 1500 192.84.24 GLORY.NM.ORG Up,Gateway 0 3530 se0 1500 204.134.88 LAWRII.NM.ORG Up,Gateway 0 136 se0 1500 198.49.217 GLORY.NM.ORG Up,Gateway 0 303 se0 1500 192.132.89 GLORY.NM.ORG Up,Gateway 0 3513 se0 1500 198.176.219 GLORY.NM.ORG Up,Gateway 0 1278 se0 1500 206.206.92 LAWRII.NM.ORG Up,Gateway 0 1228 se0 1500 192.234.220 129.121.1.91 Up,Gateway 0 2337 se0 1500 204.134.92 LAWRII.NM.ORG Up,Gateway 0 13995 se0 1500 198.59.157 LAWRII.NM.ORG Up,Gateway 0 508 se0 1500 206.206.93 GLORY.NM.ORG Up,Gateway 0 635 se0 1500 204.134.93 GLORY.NM.ORG Up,Gateway 0 907 se0 1500 198.59.158 LAWRII.NM.ORG Up,Gateway 0 14214 se0 1500 198.59.159 LAWRII.NM.ORG Up,Gateway 0 1806 se0 1500 204.134.95 PENNY.NM.ORG Up,Gateway 0 3644 se0 1500 206.206.96 GLORY.NM.ORG Up,Gateway 0 990 se0 1500 206.206.161 LAWRII.NM.ORG Up,Gateway 0 528 se0 1500 198.59.97 PENNY.NM.ORG Up,Gateway 0 55 se0 1500 198.59.161 LAWRII.NM.ORG Up,Gateway 0 497 se0 1500 192.207.226 GLORY.NM.ORG Up,Gateway 0 93217 se0 1500 198.59.99 PENNY.NM.ORG Up,Gateway 0 2 se0 1500 198.59.163 GLORY.NM.ORG Up,Gateway 0 3379 se0 1500 192.133.100 LAWRII.NM.ORG Up,Gateway 0 3649 se0 1500 204.134.100 GLORY.NM.ORG Up,Gateway 0 8 se0 1500 128.165.0 PENNY.NM.ORG Up,Gateway 0 15851 se0 1500 198.59.165 GLORY.NM.ORG Up,Gateway 0 274 se0 1500 206.206.165 LAWRII.NM.ORG Up,Gateway 0 167 se0 1500 206.206.102 GLORY.NM.ORG Up,Gateway 0 5316 se0 1500 160.230.0 LAWRII.NM.ORG Up,Gateway 0 19408 se0 1500 206.206.166 LAWRII.NM.ORG Up,Gateway 0 1756 se0 1500 205.166.231 GLORY.NM.ORG Up,Gateway 0 324 se0 1500 198.59.167 GLORY.NM.ORG Up,Gateway 0 1568 se0 1500 206.206.103 GLORY.NM.ORG Up,Gateway 0 3629 se0 1500 198.59.168 GLORY.NM.ORG Up,Gateway 0 9063 se0 1500 206.206.104 GLORY.NM.ORG Up,Gateway 0 7333 se0 1500 206.206.168 GLORY.NM.ORG Up,Gateway 0 234 se0 1500 204.134.105 LAWRII.NM.ORG Up,Gateway 0 4826 se0 1500 206.206.105 LAWRII.NM.ORG Up,Gateway 0 422 se0 1500 204.134.41 LAWRII.NM.ORG Up,Gateway 0 41782 se0 1500 206.206.169 GLORY.NM.ORG Up,Gateway 0 5101 se0 1500 204.134.42 GLORY.NM.ORG Up,Gateway 0 10761 se0 1500 206.206.170 GLORY.NM.ORG Up,Gateway 0 916 se0 1500 198.49.44 GLORY.NM.ORG Up,Gateway 0 3 se0 1500 198.59.108 GLORY.NM.ORG Up,Gateway 0 2129 se0 1500 204.29.236 GLORY.NM.ORG Up,Gateway 0 125 se0 1500 206.206.172 GLORY.NM.ORG Up,Gateway 0 5839 se0 1500 204.134.108 GLORY.NM.ORG Up,Gateway 0 3216 se0 1500 206.206.173 GLORY.NM.ORG Up,Gateway 0 374 se0 1500 198.175.173 LAWRII.NM.ORG Up,Gateway 0 6227 se0 1500 198.59.110 GLORY.NM.ORG Up,Gateway 0 1797 se0 1500 198.51.238 GLORY.NM.ORG Up,Gateway 0 1356 se0 1500 192.136.110 GLORY.NM.ORG Up,Gateway 0 583 se0 1500 204.134.48 GLORY.NM.ORG Up,Gateway 0 42 se0 1500 198.175.176 LAWRII.NM.ORG Up,Gateway 0 32 se0 1500 206.206.114 LAWRII.NM.ORG Up,Gateway 0 44 se0 1500 206.206.179 LAWRII.NM.ORG Up,Gateway 0 14 se0 1500 198.59.179 PENNY.NM.ORG Up,Gateway 0 222 se0 1500 198.59.115 GLORY.NM.ORG Up,Gateway 1 132886 se0 1500 206.206.181 GLORY.NM.ORG Up,Gateway 0 1354 se0 1500 206.206.182 SIENNA.NM.ORG Up,Gateway 0 16 se0 1500 206.206.118 GLORY.NM.ORG Up,Gateway 0 3423 se0 1500 206.206.119 GLORY.NM.ORG Up,Gateway 0 282 se0 1500 206.206.183 SIENNA.NM.ORG Up,Gateway 0 2473 se0 1500 143.120.0 LAWRII.NM.ORG Up,Gateway 0 123533 se0 1500 206.206.184 GLORY.NM.ORG Up,Gateway 0 1114 se0 1500 205.167.120 GLORY.NM.ORG Up,Gateway 0 4202 se0 1500 206.206.121 GLORY.NM.ORG Up,Gateway 1 71 se0 1500 129.121.0 GRANDE.NM.ORG Up 12 21658599 se0 1500 204.134.122 GLORY.NM.ORG Up,Gateway 0 195 se0 1500 204.134.58 GLORY.NM.ORG Up,Gateway 0 7707 se0 1500 128.123.0 GLORY.NM.ORG Up,Gateway 0 34416 se0 1500 204.134.59 GLORY.NM.ORG Up,Gateway 0 1007 se0 1500 204.134.124 GLORY.NM.ORG Up,Gateway 0 37160 se0 1500 206.206.124 LAWRII.NM.ORG Up,Gateway 0 79 se0 1500 206.206.125 PENNY.NM.ORG Up,Gateway 0 233359 se0 1500 204.134.126 GLORY.NM.ORG Up,Gateway 0 497 se0 1500 206.206.126 LAWRII.NM.ORG Up,Gateway 0 13644 se0 1500 204.69.190 GLORY.NM.ORG Up,Gateway 0 4059 se0 1500 206.206.190 GLORY.NM.ORG Up,Gateway 0 1630 se0 1500 204.134.127 GLORY.NM.ORG Up,Gateway 0 45621 se0 1500 206.206.191 GLORY.NM.ORG Up,Gateway 0 3574 se0 1500 MultiNet IPX Routing tables: Destination Gateway Flags Refcnt Use Interface MTU ---------- ---------- ----- ------ ----- --------- ---- MultiNet ARP table: Host Network Address Ethernet Address Arp Flags -------------------------------------------- ---------------- --------- GLORY.NM.ORG (IP 129.121.1.4) AA:00:04:00:61:D0 Temporary [UNKNOWN] (IP 129.121.251.1) 00:C0:05:01:2C:D2 Temporary NARANJO.NM.ORG (IP 129.121.1.56) 08:00:87:04:9F:42 Temporary CHAMA.NM.ORG (IP 129.121.1.8) AA:00:04:00:0C:D0 Temporary [UNKNOWN] (IP 129.121.251.5) AA:00:04:00:D2:D0 Temporary LAWRII.NM.ORG (IP 129.121.254.10) AA:00:04:00:5C:D0 Temporary [UNKNOWN] (IP 129.121.1.91) 00:C0:05:01:2C:D2 Temporary BRAVO.NM.ORG (IP 129.121.1.6) AA:00:04:00:0B:D0 Temporary PENNY.NM.ORG (IP 129.121.1.10) AA:00:04:00:5F:D0 Temporary ARRIBA.NM.ORG (IP 129.121.1.14) 08:00:2B:BC:C1:A7 Temporary AZUL.NM.ORG (IP 129.121.1.51) 08:00:87:00:A1:D3 Temporary ENSS365.NM.ORG (IP 129.121.1.3) 00:00:0C:51:EF:58 Temporary AVATAR.NM.ORG (IP 129.121.254.1) 08:00:5A:1D:52:0D Temporary [UNKNOWN] (IP 129.121.253.2) 08:00:5A:47:4A:1D Temporary [UNKNOWN] (IP 129.121.254.5) 00:C0:7B:5F:5F:80 Temporary CONCHAS.NM.ORG (IP 129.121.1.11) 08:00:5A:47:4A:1D Temporary [UNKNOWN] (IP 129.121.253.10) AA:00:04:00:4B:D0 Temporary MultiNet Network Interface statistics: Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Collis ---- --- ------- -------------- ----- ----- ----- ----- ------ se0 1500 129.121.0 GRANDE.NM.ORG 68422948 0 53492833 1 0 lo0 4136 127.0.0 127.0.0.1 1188191 0 1188191 0 0 MultiNet Protocol statistics: 65264173 IP packets received 22 IP packets smaller than minimum size 6928 IP fragments received 4 IP fragments timed out 34 IP received for unreachable destinations 704140 ICMP error packets generated 9667 ICMP opcodes out of range 4170 Bad ICMP packet checksums 734363 ICMP responses 734363 ICMP "Echo" packets received 734363 ICMP "Echo Reply" packets sent 18339 ICMP "Echo Reply" packets received 704140 ICMP "Destination Unreachable" packets sent 451243 ICMP "Destination Unreachable" packets received 1488 ICMP "Source Quench" packets received 163911 ICMP "ReDirect" packets received 189732 ICMP "Time Exceeded" packets received 126966 TCP connections initiated 233998 TCP connections established 132611 TCP connections accepted 67972 TCP connections dropped 28182 embryonic TCP connections dropped 269399 TCP connections closed 10711838 TCP segments timed for RTT 10505140 TCP segments updated RTT 3927264 TCP delayed ACKs sent 666 TCP connections dropped due to retransmit timeouts 111040 TCP retransmit timeouts 3136 TCP persist timeouts 9 TCP persist connection drops 16850 TCP keepalive timeouts 1195 TCP keepalive probes sent 14392 TCP connections dropped due to keepalive timeouts 28842663 TCP packets sent 12714484 TCP data packets sent 1206060086 TCP data bytes sent 58321 TCP data packets retransmitted 22144036 TCP data bytes retransmitted 6802199 TCP ACK-only packets sent 1502 TCP window probes sent 483 TCP URG-only packets sent 8906175 TCP Window-Update-only packets sent 359509 TCP control packets sent 38675084 TCP packets received 28399363 TCP packets received in sequence 1929418386 TCP bytes received in sequence 25207 TCP packets with checksum errors 273374 TCP packets were duplicates 230525708 TCP bytes were duplicates 3748 TCP packets had some duplicate bytes 493214 TCP bytes were partial duplicates 2317156 TCP packets were out of order 3151204672 TCP bytes were out of order 1915 TCP packets had data after window 865443 TCP bytes were after window 5804 TCP packets for already closed connection 941 TCP packets were window probes 10847459 TCP packets had ACKs 222657 TCP packets had duplicate ACKs 1 TCP packet ACKed unsent data 1200274739 TCP bytes ACKed 141545 TCP packets had window updates 13 TCP segments dropped due to PAWS 4658158 TCP segments were predicted pure-ACKs 24033756 TCP segments were predicted pure-data 8087980 TCP PCB cache misses 305 Bad UDP header checksums 17 Bad UDP data length fields 23772272 UDP PCB cache misses MultiNet Buffer Statistics: 388 out of 608 buffers in use: 30 buffers allocated to Data. 10 buffers allocated to Packet Headers. 66 buffers allocated to Socket Structures. 57 buffers allocated to Protocol Control Blocks. 163 buffers allocated to Routing Table Entries. 2 buffers allocated to Socket Names and Addresses. 48 buffers allocated to Kernel Fork-Processes. 2 buffers allocated to Interface Addresses. 1 buffer allocated to Multicast Addresses. 1 buffer allocated to Timeout Callbacks. 6 buffers allocated to Memory Management. 2 buffers allocated to Network TTY Control Blocks. 11 out of 43 page clusters in use. 11 CXBs borrowed from VMS device drivers 2 CXBs waiting to return to the VMS device drivers 162 Kbytes allocated to MultiNet buffers (44% in use). 226 Kbytes of allocated buffer address space (0% of maximum). Connection closed by foreign host. [68] -> Whoa! What was all that? What we did was telnet to port 15 -- the netstat (network statistics) port-- which on some computers runs a daemon that tells anybody who cares to drop in just about everything about the connections made by all the computers linked to the Internet through this computer. So from this we learned two things: 1) Grande.nm.org is a very busy and important computer. 2) Even a very busy and important computer can let the random port surfer come and play. So my lady friend wanted to try out another port. I suggested the finger port, number 79. So she gave the command: [68] ->telnet grande.nm.org 79 Trying 129.121.1.2 ... Connected to grande.nm.org. Escape character is '^]'. finger ?Sorry, could not find "FINGER" Connection closed by foreign host. [69] ->telnet grande.nm.org 79 Trying 129.121.1.2 ... Connected to grande.nm.org. Escape character is '^]'. help ?Sorry, could not find "HELP" Connection closed by foreign host. [69] ->telnet grande.nm.org 79 Trying 129.121.1.2 ... Connected to grande.nm.org. Escape character is '^]'. ? ?Sorry, could not find "?" Connection closed by foreign host. [69] ->telnet grande.nm.org 79 Trying 129.121.1.2 ... Connected to grande.nm.org. Escape character is '^]'. man ?Sorry, could not find "MAN" Connection closed by foreign host. [69] -> At first this looks like just a bunch of failed commands. But actually this is pretty fascinating. The reason is that port 79 is, under IETF rules, supposed to run fingerd, the finger daemon. So when she gave the command "finger" and grande.nm.org said ?Sorry, could not find "FINGER," we knew this port was not following IETF rules. Now on may computers they don't run the finger daemon at all. This is because finger has so properties that can be used to gain total control of the computer that runs it. But if finger is shut down, and nothing else is running on port 79, we should get the answer: telnet: connect: Connection refused. But instead we got connected and grande.nm.org was waiting for a command. Now the normal thing a port surfer does when running an unfamiliar daemon is to coax it into revealing what commands it uses. "Help," "?" and "man" often work. But these didn't help us. But even though these commands didn't help us, they did tell us that the daemon is probably something sensitive. If it were a daemon that was meant for anybody and his brother to use, it would have given us instructions. So what did we do next? We decided to be good Internet citizens and also stay out of jail. We decided we'd beter log off. But there was one hack we decided to do first: leave our mark on the shell log file. The shell log file keeps a record of all operating system commands made on a computer. The administrator of an obviously important computer such as grande.nm.org is probably competent enough to scan the records of what commands are given by whom to his computer. Especially on a port important enough to be running a mystery, non-IETF daemon. So everything we typed while connected was probably saved on a log. So my friend giggled and left a few messages on port 79 before logging off. Oh, dear, I do believe she's hooked on hacking. What a good way to meet cute sysadmins... So, port surf's up! If you want to surf, here's the basics: 1) Get logged onto a shell account. That's an account with your ISP that lets you give Unix commands. Or -- run Linux or some other kind of Unix on your PC and hook up to the Internet. 2) Give the command "telnet " where is the internet address of the computer you wnat to visit and is whatever looks phun to you. 3) If you get the response "connected to ," then surf's up! Following are some of my favorite ports. It is legal and harmless to pay them visits so long as you don't figure out how to gain superuser status while playing with them. However, please note that if you do too much port surfing from your shell account, your sysadmin may notice this in his or her shell log file. Or, the sysadfmin of your target computer may report you to your sysadmin. Yau will be identifieable by the headers on the packets carrying your commands to the target computer. Then if your sysadmin is kicked off your ISP. So you may want to explain in advance that you are merely a harmless hacker looking to have a good time, er, um, learn about Unix. Yeh, that sounds good... Port number Service Why it's phun! 7 echo Whatever you type in, the host repeats back to you 9 discard Dev/null -- how fast can you figure out this one? 11 systat Lots of info on users 13 daytime Time and date at computer's location 15 netstat Tremendous info on networks 19 chargen Pours out a stream of ASCII characters. Use ^C to stop. 21 ftp Transfers files 23 telnet Where you log in. 25 smpt Forge email from Bill.Gates@Microsoft.org. 37 time Time 39 rlp Resource location 43 whois Info on hosts and networks 53 domain Nameserver 70 gopher Out-of-date info hunter 79 finger Lots of info on users 80 http Web server 110 pop Incoming email 119 nntp Usenet news groups -- forge posts, cancels 443 shttp Another web server 512 biff Mail notification 513 rlogin Remote login who Remote who and uptime 514 shell Remote command, no password used! syslog Remote system logging 520 route Routing information protocol ************************** Propeller head tip: Note that in most cases an Internet host will use these port number assignments for these services. More than one service may also be assigned simultaneously to the same port. This numbering system is voluntarily offered by the Internet Engineering Task Force (IETF). That means that an Internet host may use other ports for these services. Expect the unexpected! If you have a copy of Linux, you can get the list of all the IETF assignments of port numbers in the file /etc/services. *************************** _________________________________________________________ Want to see back issues of Guide to (mostly) Harmless Hacking? See http://www.feist.com/~tqdb/evis-unv.html. Want to subscribe to this list? Email majordomo@edm.net with the message "subscribe happyhacker." Want to share some kewl stuph with the Happy Hacker list? Send your messages to hh@edm.net. To send me confidential email (please, no discussions of illegal activities) use cmeinel@techbroker.com. Please direct flames to dev/null@techbroker.com. Happy hacking! Copyright 1996 Carolyn P. Meinel. You may forward the GUIDE TO (mostly) HARMLESS HACKING as long as you leave this notice at the end.. ________________________________________________________ -------------------------------------------------------------------- This message is from the HappyHacker mailing list. To unsubscribe, send mail to majordomo@edm.net saying "unsubscribe happyhacker". The HappyHacker page is at http://www.feist.com/~tqdb/evis-unv.html. This mailing list is provided by The EDM Network (http://www.edm.net/) as a public service and is not responsible for its content. --------------------------------------------------------------------