Sunday, December 6, 2009

Well-Known Ports and Their Services

Having read the internetworking primers in Chapter 1, "Understanding Communication Protocols," and Chapter 3, "Understanding Communication Mediums," hopefully you are beginning to think, speak, and, possibly, act like a hacker, because now it's time to apply that knowledge and hack your way to a secure network. We begin this part with an in-depth look at what makes common ports and their services so vulnerable to hack attacks. Then, in Chapter 5, you will learn about the software, techniques, and knowledge used by the hackers, crackers, phreaks, and cyberpunks defined in Act I Intermission.



A Review of Ports



The input/output ports on a computer are the channels through which data is transferred between an input or output device and the processor. They are also what hackers scan to find open, or "listening," ports that are therefore potentially susceptible to attack. Hacking tools such as port scanners (discussed in Chapter 5) can, within minutes, easily scan every one of the more than 65,000 ports on a computer; however, they specifically scrutinize the first 1,024, those identified as the well-known ports. These first 1,024 ports are reserved for system services; as such, outgoing connections will have port numbers higher than 1023. This means that all incoming packets that communicate via ports higher than 1023 are replies to connections initiated by internal requests.



When a port scanner scans computer ports, essentially, it asks one by one if a port is open or closed. The computer, which doesn't know any better, automatically sends a response, giving the attacker the requested information. This can and does go on without anyone ever knowing anything about it.



The next few sections review these well-known ports and the corresponding vulnerable services they provide. From there we move on to discuss the hacking techniques used to exploit security weaknesses.



Hacker's Note: The material in these next sections comprises a discussion of the most vulnerable ports from the universal well-known list. But because many of these ports and related services are considered to be safe or free from common penetration attack (their services may be minimally exploitable), for conciseness we will pass over safer ports and concentrate on those in real jeopardy.



TCP and UDP Ports



TCP and UDP ports, which are elucidated in RFC793 and RFC768 respectively, name the ends of logical connections that mandate service conversations on and between systems. Mainly, these lists specify the port used by the service daemon process as its contact port. The contact port is the acknowledged "well-known port."



Recall that a TCP connection is initialized through a three-way handshake, whose purpose is to synchronize the sequence number and acknowledgment numbers of both sides of the connection, while exchanging TCP window sizes. This is referred to as a connection-oriented, reliable service.

On the other side of the spectrum, UDP provides a connectionless datagram service that offers unreliable, best-effort delivery of data. This means that there is no guarantee of datagram arrival or of the correct sequencing of delivered packets. Tables 4.1 and 4.2 give abbreviated listings, respectively, of TCP and UDP ports and their services (for complete listings, refer to Appendix C in the back of this book).



Well-Known Port Vulnerabilities

Though entire books have been written on the specifics of some of the ports and services defined in this section, for the purposes of this book, the following services are addressed from the perspective of an attacker, or, more specifically, as part of the "hacker's strategy."

Table 4.1 Well-Known TCP Ports and Services (partial)

PORT NUMBER   TCP SERVICE
104           X400-snd
105           csnet-ns
109           pop2
110           pop3
111           portmap
113           auth
540           uucp
543           klogin
544           kshell
556           remotefs
600           garcon
601           maitrd
602           busboy
750           kerberos
751           kerberosmast
754           krb_prop
888           erlogin

Table 4.2 Well-Known UDP Ports and Services

PORT NUMBER   UDP SERVICE
7             echo
9             discard
13            daytime
17            qotd
19            chargen
37            time
39            rlp
42            name
43            whois
53            dns
67            bootp
69            tftp
111           portmap
123           ntp
137           nbname
138           nbdatagram
153           sgmp
161           snmp
162           snmp-trap
315           load
500           sytek
512           biff
513           who
514           syslog
515           printer
517           talk
518           ntalk
520           route
525           timed
531           rvd-control
533           netwall
550           new-rwho
560           rmonitor
561           monitor
700           acctmaster
701           acctslave
702           acct
703           acctlogin
704           acctprinter
705           acctinfo
706           acctslave2
707           acctdisk
750           kerberos
751           kerberosmast
752           passwd_server
753           userreg_server

Port: 7

Service: echo



Hacker's Strategy: This port is associated with a module in communications or a signal transmitted (echoed) back to the sender that is distinct from the original signal. Echoing a message back to the main computer can help test network connections. The primary message-generation utility executed is termed PING, which is an acronym for Packet Internet Groper. The crucial issue with port 7's echo service pertains to systems that attempt to process oversized packets. One variation of a susceptible echo overload is performed by sending a fragmented packet larger than 65,536 bytes in length, causing the system to process the packet incorrectly, resulting in a potential system halt or reboot. This problem is commonly referred to as the "Ping of Death" attack. Another common deviant to port 7 is known as "Ping Flooding." It, too, takes advantage of the computer's responsiveness, using a continual bombardment of pings or ICMP Echo Requests to overload and congest system resources and network segments. (Later in the book, we will cover these techniques and associated software in detail.) An illustration of an ICMP Echo Request is shown in Figure 4.1.
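The bound the text describes, as an added example that is not code from the book: a small IPv4 fragment reassembler in Python that rejects any fragment whose offset plus length would push the datagram past the 16-bit total-length limit, which is exactly the condition an oversized fragmented echo request triggers. The Fragment and Reassembler names, the constructed fragments, and the decision to drop the whole datagram on the first oversized piece are assumptions of this example.

```python
"""Added example, not from the book: an IPv4 fragment reassembler that enforces the
65,535-byte total-length limit, which is the check a stack needs in order not to
mishandle an oversized fragmented echo request ("Ping of Death").  All fragments
are constructed in-line; no packets are sent."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IP_HEADER_LEN = 20                       # minimal IPv4 header, no options
MAX_PAYLOAD = 65535 - IP_HEADER_LEN      # largest payload a 16-bit total length allows


@dataclass
class Fragment:
    ident: int        # IP identification field shared by all fragments of one datagram
    offset: int       # fragment offset in 8-byte units, as carried on the wire (13 bits)
    more: bool        # MF flag: set on every fragment except the last
    payload: bytes    # bytes following the IP header


@dataclass
class _Pending:
    chunks: Dict[int, bytes] = field(default_factory=dict)   # byte offset -> data
    total: Optional[int] = None                              # set by the last fragment


def fragment_end(frag: Fragment) -> int:
    """Byte position just past this fragment within the reassembled payload."""
    return frag.offset * 8 + len(frag.payload)


class Reassembler:
    def __init__(self) -> None:
        self.pending: Dict[int, _Pending] = {}
        self.dropped: List[Tuple[int, str]] = []

    def accept(self, frag: Fragment) -> Optional[bytes]:
        """Feed one fragment; return the whole payload once all pieces have arrived."""
        end = fragment_end(frag)
        if end > MAX_PAYLOAD:
            # Offset and length are checked together: each fragment is small on its
            # own, only their sum overruns the buffer.  The datagram is discarded as a
            # whole, including pieces that already arrived (a real stack would also
            # start a timer so late pieces of the same ident are ignored).
            self.pending.pop(frag.ident, None)
            self.dropped.append((frag.ident, "datagram would exceed 65535 bytes"))
            return None
        entry = self.pending.setdefault(frag.ident, _Pending())
        entry.chunks[frag.offset * 8] = frag.payload
        if not frag.more:
            entry.total = end
        if entry.total is None:
            return None
        covered = 0                       # complete only when [0, total) has no gaps
        for start in sorted(entry.chunks):
            if start != covered:
                return None
            covered += len(entry.chunks[start])
        if covered != entry.total:
            return None
        del self.pending[frag.ident]
        return b"".join(entry.chunks[s] for s in sorted(entry.chunks))


if __name__ == "__main__":
    r = Reassembler()
    r.accept(Fragment(3, 0, True, b"c" * 8))
    r.accept(Fragment(3, 8189, False, b"d" * 1480))   # 65512 + 1480 bytes: rejected
    print(r.dropped)
```

A receiving stack that performs this check before copying fragment data never writes past a 65,535-byte buffer; fragments arriving out of order are handled by the gap check rather than by trusting the order on the wire.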

Figure 4.1 ICMP Echo Request (ping output: four replies from 207.155.252.9 with bytes=32 and TTL=245; Packets: Sent = 4, Received = 4, Lost = 0 (0% loss); approximate round trip times Minimum = 113ms, Maximum = 176ms, Average = 135ms).

Port: 11

Service: systat



Hacker's Strategy: This service was designed to display the status of a machine's current operating processes. Essentially, the daemon associated with this service bestows insight into what types of software are currently running, and gives an idea of who the users on the target host are.

Port: 15 Service: netstat



Hacker's Strategy: Similar in operation to port 11, this service was designed to display the machine's active network connections and other useful information about the network's subsystem, such as protocols, addresses, connected sockets, and MTU sizes. Common output from a standard Windows system would display what is shown in Figure 4.2.



Figure 4.2 Netstat output from a standard Windows system (columns Proto, Local Address, Foreign Address, State; the host "pavilion" shows TCP listeners on ports 135, 137, 138, 1025, 1036 and 1074 and on the NetBIOS nbsession, nbname and nbdatagram services, each with foreign address PAVILION:0 and state LISTENING).

Port: 19

Service: chargen



Hacker's Strategy: Port 19, and chargen, its corresponding service daemon, seem harmless enough. The fundamental operation of this service can be easily deduced from its role as a character stream generator. Unfortunately, this service is vulnerable to a telnet connection that can generate a string of characters with the output redirected to a telnet connection to, for example, port 53 (domain name service (DNS)). In this example, the flood of characters causes an access violation fault in the DNS service, which is then terminated, which, as a result, disrupts name resolution services.



Port: 20, 21



Service: FTP-data, FTP respectively



Hacker's Strategy: The services inherent to ports 20 and 21 provide operability for the File Transfer Protocol (FTP). For a file to be stored on or be received from an FTP server, a separate data connection must be utilized simultaneously. This data connection is normally initiated through port 20 FTP-data. In standard operating procedures, the file transfer control terms are mandated through port 21. This port is commonly known as the control connection, and is basically used for sending commands and receiving the coupled replies. Attributes associated with FTP include the capability to copy, change, and delete files and directories. Chapter 5 covers vulnerability exploit techniques and stealth software that are used to covertly control system files and directories.



Port: 23



Service: telnet



Hacker's Strategy: The service that corresponds with port 23 is commonly known as the Internet standard protocol for remote login. Running on top of TCP/IP, telnet acts as a terminal emulator for remote login sessions. Depending on preconfigured security settings, this daemon can and does typically allow for some way of controlling accessibility to an operating system. Uploading specific hacking script entries to certain Telnet variants can cause buffer overflows, and, in some cases, render administrative or root access. An example includes the TigerBreach Penetrator (illustrated in Figure 4.3) that is part of TigerSuite, which is included on the CD bundled with this book and is more fully introduced in Chapter 12.



Port: 25



Service: SMTP



Hacker's Strategy: The Simple Mail Transfer Protocol (SMTP) is most commonly used by the Internet to define how email is transferred. SMTP daemons listen for incoming mail on port 25 by default, and then copy messages into appropriate mailboxes. If a message cannot be delivered, an error report containing the first part of the undeliverable message is returned to the sender. After establishing the TCP connection to port 25, the sending machine, operating as the client, waits for the receiving machine, operating as the server, to send a line of text giving its identity and telling whether it is prepared to receive mail. Checksums are not generally needed due to TCP's reliable byte stream (as covered in previous chapters). When all the email has been exchanged, the connection is released. The most common vulnerabilities related to SMTP include mail bombing, mail spamming, and numerous denial of service (DoS) attacks. These exploits are described in detail later in the book.

Port: 43 Service: Whois



Hacker's Strategy: The Whois service (http://rs.Internic.net/whois.html) is a TCP port 43 transaction-based query/response daemon, running on a few specific central machines. It provides networkwide directory services to local and/or Internet users. Many sites maintain local Whois directory servers with information about individuals, departments, and services at that specific domain. This service is an element in one of the core steps of the discovery phase of a security analysis, and is performed by hackers, crackers, phreaks, and cyberpunks, as well as tiger teams. The most popular Whois databases can be queried from the InterNIC, as shown in Figure 4.4.



Figure 4.4 The most popular Whois database can be queried. (The InterNIC query form notes that the results of a successful search will contain only technical information about the registered domain name and referral information for the registrar of the domain name; in the Shared Registration System model, registrars are responsible for maintaining Whois domain name contact information, so the registrar's Whois service should be consulted for additional information.)

Port: 53

Service: domain



Hacker's Strategy: A domain name is a character-based handle that identifies one or more IP addresses. This service exists simply because alphabetic domain names are easier to remember than IP addresses. The domain name service (DNS) translates these domain names back into their respective IP addresses. As explained in previous chapters, datagrams that travel through the Internet use addresses; therefore, every time a domain name is specified, a DNS service daemon must translate the name into the corresponding IP address. Basically, by entering a domain name into a browser, say, TigerTools.net, a DNS server maps this alphabetic domain name into an IP address, which is where the user is forwarded to view the Web site. Recently, there has been extensive investigation into DNS spoofing. Spoofing DNS caching servers gives the attacker the means to forward visitors to some location other than the intended Web site. Another popular attack on DNS server daemons derives from DoS overflows, rendering the resources inoperable. An illustration of a standard DNS query is shown in Figure 4.5.
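The query and answer the figure illustrates, as an added example that is not code from the book: a Python encoder and parser for the DNS wire format that builds an A query, decodes the response (including name-compression pointers), and refuses a reply whose transaction ID or question section does not match what was sent, which is the basic client-side check against a forged answer. The function names, the constructed reply bytes, the address 203.0.113.5 and the TTL are assumptions of this example; 207.155.252.47 is the address shown in Figure 4.5.

```python
"""Added example, not from the book: build a DNS A query, parse the reply, and
refuse replies whose transaction ID or question section does not match what was
sent.  The reply bytes are constructed in-line (no network access)."""
import struct


def encode_name(name):
    """Encode "tigertools.net" as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name):
    """Standard query: header (RD set, one question) + QNAME + QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(msg, pos):
    """Decode a possibly compressed name; return (name, position after it)."""
    labels, end = [], None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = pos + 2                     # the name occupies two bytes here
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)


def parse_a_response(msg, sent_id, sent_name):
    """Return [(owner, dotted IPv4, ttl)] for A records; raise on a mismatched reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != sent_id:
        raise ValueError("transaction ID does not match the query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    pos = 12
    qname, pos = read_name(msg, pos)
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    if qdcount != 1 or (qname.lower(), qtype, qclass) != (sent_name.lower().rstrip("."), 1, 1):
        raise ValueError("question section does not match the query")
    answers = []
    for _ in range(ancount):
        owner, pos = read_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if (rtype, rclass, rdlen) == (1, 1, 4):
            answers.append((owner, ".".join(str(b) for b in rdata), ttl))
    return answers


def build_a_response(query, addresses, ttl=300):
    """Constructed server reply: same ID, QR/RD/RA flags, echoed question, one A
    record per address with its owner written as a pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    rrs = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
        for ip in addresses)
    return header + query[12:] + rrs


if __name__ == "__main__":
    q = build_query(0x1234, "tigertools.net")
    print(parse_a_response(build_a_response(q, ["207.155.252.47"]), 0x1234, "tigertools.net"))
```

The ID and question checks are what a resolver has besides source-port randomization to reject a blindly forged reply; a reply that passes them is still only as trustworthy as the path it came over, which is why the spoofing of caching servers the text mentions is addressed separately by signed data.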

Resource name is: tigeitooJs.net

Type is: A Class is: IN

IP Address is: 207.155.252.47

rrie:oi.Mce name is hger>oor: r.et Type is: A Class is: IN IP Address is: 207.155 252.14

Pi e source name is: tigettooJs. net Type is : A Class is: IN IP Address is: 207.155.2437

Figure 4.5 Output from a standard DNS query. Port: 67 Service: bootp

Hacker's Strategy: The bootp Internet protocol enables a diskless workstation to discover its own IP address. This process is controlled by the bootp server on the network in response to the workstation's hardware or MAC address. The primary weakness of bootp has to do with a kernel module that is prone to buffer overflow attacks, causing the system to crash. Although most occurrences have been reported as local or internal attempts, many older systems still in operation and accessible from the Internet remain vulnerable.

Port: 69

Service: tftp

Hacker's Strategy: Often used to load Internetworking Operating Systems (IOS) into various routers and switches, port 69 Trivial File Transfer Protocol (tftp) services operate as a less complicated form of FTP. In a nutshell, tftp is a very simple protocol used to transfer files. tftp is also designed to fit into read-only memory, and is used during the bootstrap process of diskless systems. tftp packets have no provision for authentication; because tftp was designed for use during the bootstrap process, it was impossible to provide a username and password. With these glitches in numerous variations of daemons, simple techniques have made it possible for anyone on the Internet to retrieve copies of world-readable files, such as /etc/passwd (password files), for decryption.

Port: 79

Service: finger

Hacker's Strategy: When an email account is "fingered," it returns useful discovery information about that account. Although the information returned varies from daemon to daemon and account to account, on some systems, finger reports whether the user is currently in session. Other systems return information including the user's full name, address, and/or telephone number. The finger process is relatively simple: A finger client issues an active open to this port, and sends a one-line query with login data. The server processes the query, returns the output, and closes the connection. The output received from port 79 is considered highly sensitive, as it can reveal detailed information on users. Sample output from the finger step of the Discovery phase of an analysis is shown in Figure 4.6. The actual data is masked for user anonymity.



Port: 80



Service: http



Hacker's Strategy: An acronym for the Hypertext Transfer Protocol, HTTP is the underlying protocol for the Internet's World Wide Web. The protocol defines how messages are formatted and transmitted, and operates as a stateless protocol because each command is executed independently, without any knowledge of the previous commands. The best example of this daemon in action occurs when a Web site address (URL) is entered in a browser. Underneath, this actually sends an HTTP command to a Web server, directing it to serve or transmit the requested Web page to the Web browser. The primary vulnerability with specific variations of this daemon is the Web page hack. An example from the infamous hacker Web site, www.2600.com/hacked_pages, shows the "hacked" United States Army home page (see Figure 4.7).



Port: 109, 110



Service: pop2, pop3, respectively



Hacker's Strategy: The Post Office Protocol (POP) is used to retrieve email from a mail server daemon. Historically, there are two well-known versions of POP: the first POP2 (from the 1980s) and the more recent, POP3. The primary difference between these two flavors is that POP2 requires an SMTP server daemon, whereas POP3 can be used unaccompanied. POP is based on client/server topology in which email is received and held by the mail server until the client software logs in and extracts the messages. Most Web browsers have integrated the POP3 protocol in their software design, such as in Netscape and Microsoft browsers. Glitches in POP design integration have allowed remote attackers to log in, as well as to direct telnet (via port 110) into these daemons' operating systems even after the particular POP3 account password has been modified. Another common vulnerability opens during the Discovery phase of a hacking analysis, by direct telnet to port 110 of a target mail system, to reveal critical information, as shown in Figure 4.8.



Port: 111, 135



Service: portmap, loc-serv, respectively



Hacker's Strategy: The portmap daemon converts RPC program numbers into port numbers. When an RPC server starts up, it registers with the portmap daemon. The server tells the daemon to which port number it is listening and which RPC program numbers it serves. Therefore, the portmap daemon knows the location of every registered port on the host, as well as which programs are available on each of these ports. Loc-serv is NT's RPC service. Without filtering portmap, if an intruder uses specific parameters and provides the address of the client, he or she will get its NIS domain name back. Basically, if an attacker knows the NIS domain name, it may be possible to get a copy of the password file.

Figure 4.9 Sample output from the netstat -a command.

Port: 137, 138, 139

Service: nbname, nbdatagram, nbsession, respectively

Hacker's Strategy: Port 137 nbname is used as an alternative name resolution to DNS, and is sometimes called WINS or the NetBIOS name service. Nodes running the NetBIOS protocol over TCP/IP use UDP packets sent from and to UDP port 137 for name resolution. The vulnerability of this protocol is attributed to its lack of authentication. Any machine can respond to broadcast queries for any name for which it sees queries, even spoofing, by beating legitimate name holders to the response. Basically, nbname is used for broadcast resolution, nbdatagram interacts with similar broadcast discovery of other NBT information, and nbsession is where all the point-to-point communication occurs. A sample netstat -a command execution on a Windows station (see Figure 4.9) would confirm these activities and reveal potential Trojan infection as well.
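The netstat check the text recommends, as an added example that is not code from the book: a Python audit of Windows netstat -an output that reports listening sockets on the ports this chapter associates with Trojan daemons. The sample output is constructed, the port-to-program table is taken from the "Unidentified Ports and Services" entries later in this chapter, and the function names and the treatment of ports 21, 23, 25 and 80 (reported only when the host is not expected to run that service) are assumptions of this example.

```python
"""Added example, not from the book: audit `netstat -an` text from a Windows host for
listeners on the Trojan ports this chapter lists.  The sample output below is
constructed; the port-to-program table is taken from the text of this section."""
import re
from typing import FrozenSet, List, Optional, Tuple

TROJAN_PORTS = [
    (21, 21, "Back Construction / Blade Runner / Fore / FTP Trojan / Invisible FTP / Larva / WebEx / WinCrash"),
    (23, 23, "Tiny Telnet Server"),
    (25, 25, "Ajan / Antigen / Email Password Sender / Happy 99 / Kuang2 / WinSpy"),
    (31, 31, "Agent 31 / Hackers Paradise / Masters Paradise"),
    (59, 59, "DMSetup"),
    (79, 79, "Firehotker"),
    (80, 80, "Executor"),
    (121, 121, "JammerKillah"),
    (456, 456, "Hackers Paradise / Masters Paradise"),
    (531, 531, "Rasmin"),
    (555, 555, "Ini-Killer / NeTAdmin / phAse Zero / Stealth Spy"),
    (666, 666, "Attack FTP / Back Construction / Cain & Abel / Satanz Backdoor / ServeU / Shadow Phyre"),
    (999, 999, "WinSatan"),
    (1001, 1001, "Silencer / WebEx"),
    (1010, 1015, "Doly Trojan"),
    (1045, 1045, "Rasmin"),
    (3129, 3129, "Masters Paradise"),
    (5321, 5321, "Firehotker"),
    (5400, 5402, "Blade Runner"),
    (9989, 9989, "Ini-Killer / NeTAdmin / phAse Zero / Stealth Spy"),
    (40421, 40426, "Masters Paradise"),
]
# Ports that also carry a legitimate service; a listener there is reported only
# when the caller says the host is not supposed to run that service.
SHARED_WITH_LEGIT = {21, 23, 25, 80}

# One netstat line: proto, local addr:port, foreign addr, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def label_for(port: int) -> Optional[str]:
    for lo, hi, label in TROJAN_PORTS:
        if lo <= port <= hi:
            return label
    return None


def audit_netstat(text: str,
                  expected_services: FrozenSet[int] = frozenset()) -> List[Tuple[str, int, str]]:
    """Return (proto, port, program) for every listener on a listed port."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _local, port, _remote, state = m.groups()
        port = int(port)
        if proto == "TCP" and state != "LISTENING":
            continue          # established sessions are not the daemon itself
        label = label_for(port)
        if label is None or (port in SHARED_WITH_LEGIT and port in expected_services):
            continue
        findings.append((proto, port, label))
    return findings


SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:666            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1012           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1040       192.168.1.9:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for proto, port, label in audit_netstat(SAMPLE_NETSTAT, frozenset({80})):
        print(f"{proto} port {port} is listening: associated with {label}")
```

A hit from this list is a prompt to identify the owning process, not proof of infection; the NetBIOS listeners on 135 through 139 that the figure shows are normal on a Windows station and are not on the list.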



Port: 144

Service: news

Hacker's Strategy: Port 144 is the Network-extensible Window System (news), which, in essence, is an old PostScript-based window system developed by Sun Microsystems. It's a multithreaded PostScript interpreter with extensions for drawing on the screen and handling input events, including an object-oriented programming element. As there are limitations in the development of a standard windows system for UNIX, the word from the Underground indicates that hackers are currently working on exploiting fundamental flaws of this service.



Port: 161, 162



Service: snmp, snmp-trap, respectively



Hacker's Strategy: In a nutshell, the Simple Network Management Protocol (snmp) directs network device management and monitoring. snmp operation consists of messages, called protocol data units (PDUs), that are sent to different parts of a network. snmp devices are called agents. These components store information about themselves in management information bases (MIBs) and return this data to the snmp requesters. UDP port 162 is specified as the port notification receivers should listen to for snmp notification messages. For all intents and purposes, this port is used to send and receive snmp event reports. The interactive communication governed by these ports makes them juicy targets for probing and reconfiguration.



Port: 512

Service: exec



Hacker's Strategy: Port 512 exec is used by rexec() for remote process execution. When this port is active, or listening, more often than not the remote execution server is configured to start automatically. As a rule, this suggests that X-Windows is currently running. Without appropriate protection, window displays can be captured or watched, and user keystrokes can be stolen and programs remotely executed. As a side note, if the target is running this service daemon, and accepts telnets to port 6000, the ingredients are present for a DoS attack, with intent to freeze the system.



Port: 513, 514



Service: login, shell, respectively



Hacker's Strategy: These ports are considered "privileged," and as such have become a target for address spoofing attacks on numerous UNIX flavors. Port 514 is also used by rsh, acting as an interactive shell without any logging. Together, these services substantiate the presence of an active X-Windows daemon, as just described. Using traditional methods, a simple telnet could verify connection establishment, as in the attempt shown in Figure 4.10. The actual data is masked for target anonymity.



Trying XXX.XXX.XXX.XXX...
Connected to XXX.XXX.XXX.XXX.
Escape character is '^]'.

Figure 4.10 Successful verification of open ports with telnet.

Port: 514

Service: syslog



Hacker's Strategy: As part of the internal logging system, port 514 (remote accessibility through front-end protection barriers) is an open invitation to various types of DoS attacks. An effortless UDP scanning module could validate the potential vulnerability of this port.



Port: 517, 518



Service: talk, ntalk, respectively



Hacker's Strategy: Talk daemons are interactive communication programs that abide by both the old and new talk protocols (ports 517 and 518), which support real-time text conversations with another UNIX station. The daemons typically consist of a talk client and server, and for all practical purposes, can be active together on the same system. In most cases, new talk daemons that initiate from port 518 are not backward-compatible with the older versions. Although this seems harmless, many times it is not: the fact that connection establishment sets up a TCP connection via random ports exposes these services to a number of remote attacks.

Port: 520 Service: route

Hacker's Strategy: A routing process, termed dynamic routing, occurs when routers talk to adjacent or neighboring routers, informing one another of which networks each router currently is acquainted with. These routers communicate using a routing protocol whose service derives from a routing daemon. Depending on the protocol, updates passed back and forth from router to router are initiated from specific ports. Probably the most popular routing protocol, Routing Information Protocol (RIP), communicates from UDP port 520. Many proprietary routing daemons have inherited communications from this port as well. To aid in target discovery, trickling critical topology information can be easily captured with virtually any sniffer.

Port: 540 Service: uucp



Hacker's Strategy: UNIX-to-UNIX Copy Protocol (UUCP) involves a suite of UNIX programs used for transferring files between different UNIX systems, but more importantly, for transmitting commands to be executed on another system. Although UUCP has been superseded by other protocols, such as FTP and SMTP, many systems still allocate active UUCP services in day-to-day system management. In numerous UNIX flavors of various service daemons, vulnerabilities exist that allow controlled users to upgrade UUCP privileges.



Port: 543, 544, 750



Service: klogin, kshell, kerberos



Hacker's Strategy: The services initiated by these ports represent an authentication system called Kerberos. The principal idea behind this service pertains to enabling two parties to exchange private information across an open or insecure network path. Essentially, this method works by assigning unique keys or tickets to each user. The ticket is then embedded in messages for identification and authentication. Without the necessary filtration techniques throughout the network span, these ports are vulnerable to several remote attacks, including buffer overflows, spoofs, masked sessions, and ticket hijacking.



Unidentified Ports and Services



Penetration hacking programs are typically designed to deliberately integrate a backdoor, or hole, in the security of a system. Although the intentions of these service daemons are not always menacing, attackers can and do manipulate these programs for malicious purposes. The software outlined in this section is classified into three interrelated categories: viruses, worms, and Trojan horses. They are defined briefly in turn here and discussed more fully later in the book.

• A virus is a computer program that makes copies of itself by using, and therefore requiring, a host program.

• A worm does not require a host, as it is self-preserved. The worm compiles and distributes complete copies of itself upon infection at some predetermined high rate.

• A Trojan horse, or just Trojan, is a program that contains destructive code that appears as a normal, useful program, such as a network utility.



Most of the daemons described in this section are available on this book's CD or through the Tiger Tools Repository of underground links and resources, also found on the CD.

The following ports and connected services, typically unnoticed by target victims, are most commonly implemented during penetration hack attacks. Let's explore these penetrators by active port, service or software daemon, and hacker implementation strategy:



Port: 21, 5400-5402



Service: Back Construction, Blade Runner, Fore, FTP Trojan, Invisible FTP, Larva, WebEx, WinCrash



Hacker's Strategy: These programs (illustrated in Figure 4.11) share port 21, and typically model malicious variations of the FTP, primarily to enable unseen file upload and download functionality. Some of these programs include both client and server modules, and most associate themselves with particular Registry keys. For example, common variations of Blade Runner install under:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run



Port: 23



Service: Tiny Telnet Server (TTS)



Hacker's Strategy: TTS is a terminal emulation program that runs on an infected system in stealth mode. The daemon accepts standard telnet connectivity, thus allowing command execution, as if the command had been entered directly on the station itself. The associated command entries derive from privileged or administrative accessibility. The program is installed with migration to the following file: c:\windows\Windll.exe. The current associated Registry key can be found under:





Port: 25

Service: Ajan, Antigen, Email Password Sender, Haebu Coceda, Happy 99, Kuang2, ProMail Trojan, Shtrilitz, Stealth, Tapiras, Terminator, WinPC, WinSpy



Hacker's Strategy: Masquerading as a fireworks display or joke, these daemons arm an attacker with system passwords, mail spamming, key logging, DoS control, and remote or local backdoor entry. Each program has evolved using numerous filenames, memory address space, and Registry keys. Fortunately, the only common constant remains the attempt to control TCP port 25.



Port: 31, 456, 3129, 40421-40426



Service: Agent 31, Hackers Paradise, Masters Paradise



Hacker's Strategy: The malicious software typically utilizing port 31 encompasses remote administration, such as application redirect and file and Registry management and manipulation ( Figure 4.12 is an example of remote system administration with target service browsing). Once under malevolent control, these situations can prove to be unrecoverable.



Figure 4.12 Remote system administration with target service browsing.

Hacker's Strategy: This daemon (shown in Figure 4.13) has many features, including a stealth FTP file server for file upload, download, and deletion. Other options allow a remote attacker to capture and view the screen, steal passwords, open Web browsers, reboot, and even control other running programs and processes.



Port: 59

Service: DMSetup



Hacker's Strategy: DMSetup was designed to affect the mIRC Chat client by anonymous distribution. Once executed, DMSetup is installed in several locations, causing havoc on startup files, and ultimately corrupting the mIRC settings. As a result, the program will effectively pass itself on to any user communicating with the infected target.

Port: 79, 5321

Service: Firehotker

Hacker's Strategy: This program is an alias for Firehotker Backdoorz. The software is supposed to implement itself as a remote control administration backdoor, but is known to be unstable in design. More often than not, the daemon simply utilizes resources, causing internal congestion. Currently, there is no Registry manipulation, only the file server.exe.



Port: 80



Service: Executor



Hacker's Strategy: This is an extremely dangerous remote command executer, mainly intended to destroy system files and settings (see Figure 4.14). The daemon is commonly installed with the file, sexec.exe, under the following Registry key:



The program was designed to corrupt mIRC settings and to pass itself on to any user communicating with an infected target.

Hacker's Strategy: Distributed primarily throughout corporate America, this program masquerades as a nice fireworks display (see Figure 4.15), but in the background, this daemon variation arms an attacker with system passwords, mail spamming, key logging, DoS control, and backdoor entry.



Port: 121



Service: JammerKillah



Hacker's Strategy: JammerKillah is a Trojan developed and compiled to kill the Jammer program. Upon execution, the daemon auto-detects Back Orifice and NetBus, then drops a Back Orifice server.



Port: 531, 1045



Service: Rasmin



Hacker's Strategy: This virus was developed in Visual C++, and uses TCP port 531 (normally used as a conference port). Rumors say that the daemon is intended for a specific action, remaining dormant until it receives a command from its "master." Research indicates that the program has been concealed under the following filenames:

• RASMIN.EXE

• WSPOOL.EXE

• WINSRVC.EXE

• INIPX.EXE

• UPGRADE.EXE

Port: 555, 9989

Service: Ini-Killer, NeTAdmin, phAse Zero (shown in Figure 4.16), Stealth Spy

Hacker's Strategy: Aside from providing spy features and file transfer, the most important purpose of these Trojans is to destroy the target system. The only safeguard is that these daemons can infect a system only upon execution of setup programs that need to be run on the host.

Figure 4.17 Satanz Backdoor front end (the dialog carries the tool's own operator instructions and notes that its buttons give no visual feedback when pressed).

Port: 666

Service: Attack FTP, Back Construction, Cain & Abel, Satanz Backdoor (front end shown in Figure 4.17), ServeU, Shadow Phyre



Hacker's Strategy: Attack FTP simply installs a stealth FTP server for full-permission file upload/download at port 666. For Back Construction details, see the Hacker's Strategy for port 21. Cain was written to steal passwords, while Abel is the remote server used for stealth file transfer. To date, this daemon has not been known to self-replicate. Satanz Backdoor, ServeU, and Shadow Phyre have become infamous for nasty hidden remote-access daemons that require very few system resources.



Port: 999



Service: WinSatan



Hacker's Strategy: WinSatan is another daemon that connects to various IRC servers; the connection persists even after the program is closed.

Even minor investigation shows that this program keeps running in the background without appearing in the Task Manager or the list of current processes. The software's only apparent objective is to spread itself, causing internal congestion and mayhem.



Port: 1001



Service: Silencer, WebEx



Hacker's Strategy: For WebEx details, see the Hacker's Strategy documentation for port 21. Silencer is primarily for resource control, as it has very few features (see Figure 4.18).



Port: 1010-1015



Service: Doly Trojan



Hacker's Strategy: This Trojan is notorious for gaining complete target remote control (see Figure 4.19), and is therefore an extremely dangerous daemon. The software has been reported to use several different ports, and rumors indicate that the filename can be modified. Current Registry keys include the following:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for file tesk.exe.

Hacker's Strategy: NetSpy (Figure 4.20) is another daemon designed for internal technological espionage. The software will allow an attacker to spy locally or remotely on 1 to 100 stations. Remote control features have been added to execute commands, with the following results:

• Shows a list of visible and invisible windows

• Changes directories

• Enables server control

• Lists files and subdirectories

• Provides system information gathering

• Initiates messaging

• Hides the Start button

• Hides the task bar

• Displays an ASCII file

• Executes any Windows or DOS command in stealth mode



Port: 1042



Service: BLA



Hacker's Strategy: BLA is a remote control daemon with features that include sending ICMP echoes, target system reboot, and direct messaging (see Figure 4.21). Currently, BLA has been compiled to instantiate the following Registry keys:



Service: Psyber Stream Server, Streaming Audio Trojan

Hacker's Strategy: These daemons were designed for a unique particular purpose: to send streaming audio to the victim. An attacker with a successful implementation and connection can, essentially, say or play anything through the target's speakers.



Port: 1234



Service: Ultors Trojan



Hacker's Strategy: Ultors is another telnet daemon designed to remotely execute programs and shell commands, to control running processes, and to reboot or halt the target system. Over time, features have been added that give the attacker the ability to send messages and display common error notices.

Service: BackDoor-G, SubSeven, SubSevenApocalypse



Hacker's Strategy: These are all variations of the infamous Sub7 backdoor daemon, shown in Figure 4.22. Upon infection, they give unlimited access of the target system over the Internet to the attacker running the client software. They have many features. The installation program has been spoofed as jokes and utilities, primarily as an executable email attachment. The software generally consists of the following files, whose names can also be modified:



\WINDOWS\NODLL.EXE

\WINDOWS\SERVER.EXE or KERNEL16.DL or WINDOW.EXE

\WINDOWS\SYSTEM\WATCHING.DLL or LMDRK_33.DLL



Port: 1245



Service: VooDoo Doll



Hacker's Strategy: The daemon associated with port 1245 is known as VooDoo Doll. This program is a feature compilation of limited remote control predecessors, with the intent to cause havoc (see Figure 4.23). The word from the Underground is that malicious groups have been distributing this Trojan with destructive companion programs, which, upon execution from VooDoo Doll, have been known to wipe—that is, copy over the target files numerous times, thus making them unrecoverable—entire hard disks, and in some cases corrupt operating system program files.

Figure 4.23 The VooDoo Doll feature set.



Port: 1492



Service: FTP99CMP



Hacker's Strategy: FTP99cmp is another simple remote FTP server daemon that uses the following Registry key:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - WinDLL_16



Port: 1600



Service: Shivka-Burka



Hacker's Strategy: This remote-control Trojan provides simple features, such as file transfer and control, and therefore has been sparsely distributed.

Currently, this daemon does not utilize the system Registry, but is notorious for favoring port 1600.

Port: 1981

Service: Shockrave

Hacker's Strategy: This remote-control daemon is another uncommon telnet stealth suite with only one known compilation that mandates port 1981. During configuration, the following Registry entry is utilized:

Port: 1999

Service: BackDoor



Hacker's Strategy: Among the first of the remote backdoor Trojans, BackDoor (shown in Figure 4.24) has a worldwide distribution. Although developed in Visual Basic, this daemon has feature-rich control modules, including:

• CD-ROM control

• CTRL-ALT-DEL and CTRL-ESC control

• Messaging

• Chat

• Task viewing

• File management

• Windows controls

• Mouse freeze



During configuration, the following Registry entry is utilized:



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - notpa



Port: 1999-2005, 9878

Service: Transmission Scout



Hacker's Strategy: A German remote-control Trojan, Transmission Scout includes numerous nasty features. During configuration, the following Registry entry is utilized:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - kernel16



Although this program is sparsely distributed, it has been updated to accommodate the following controls:

• Target shutdown and reboot

• System and drive information retrieval

• ICQ/email alert

• Password retrieval

• Audio control

• Mouse control

• Task bar control

• File management

• Window control

• Messaging

• Registry editor

• Junk desktop

• Screenshot dump



Port: 2001



Service: Trojan Cow



Hacker's Strategy: Trojan Cow is another remote backdoor Trojan, with many new features, including:

• Open/close CD

• Monitor off/on

• Remove/restore desktop icons

• Remove/restore Start button

• Remove/restore Start bar

• Remove/restore system tray

• Remove/restore clock

• Swap/restore mouse buttons

• Change background

• Trap mouse in corner

• Delete files

• Run programs

• Run programs invisibly

• Shut down victims' PC

• Reboot victims' PC

• Log off windows

• Power off



During configuration, the following Registry entry is utilized:

Port: 2023



Service: Ripper



Hacker's Strategy: Ripper is an older remote key-logging Trojan, designed to record keystrokes. Generally, the intent is to copy passwords, login names, and so on. Ripper has been downgraded as having limited threat potential due to its inability to restart after a shutdown or station reboot.

Port: 2115

Service: Bugs

Hacker's Strategy: This daemon (shown in Figure 4.25) is another simple remote-access program, with features including file management and window control via limited GUI. During configuration, the following Registry entry is utilized:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - SysTray



Port: 2140, 3150



Service: The Invasor



Hacker's Strategy: The Invasor is another simple remote-access program, with features including password retrieval, messaging, sound control, formatting, and screen capture (see Figure 4.26).

Figure 4.26 The Invasor feature set.

Port: 2155, 5512

Service: Illusion Mailer

Hacker's Strategy: Illusion Mailer is an email spammer that enables the attacker to masquerade as the victim and send mail from a target station. The email header will contain the target IP address, as opposed to the address of the attacker, who is actually sending the message. During configuration, the following Registry entry is utilized:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices - Sysmem

Port: 2565

Service: Striker



Hacker's Strategy: Upon execution, the objective of this Trojan is to destroy Windows. Fortunately, the daemon does not stay resident after a target system restart, and therefore has been downgraded to minimal alert status.

Port: 2583, 3024, 4092, 5742



Service: WinCrash



Hacker's Strategy: This backdoor Trojan lets an attacker gain full remote-access to the target system. It has been updated to include flooding options, and now has a very high threat rating (see Figure 4.27).



Port: 2600



Service: Digital RootBeer



Hacker's Strategy: This remote-access backdoor Trojan is another annoyance generator, with features including:

• Messaging

• Monitor control

• Window control

• System freeze

• Modem control

• Chat

• Audio control



During configuration, the following Registry entry is utilized:

Port: 2801



Service: Phineas Phucker



Hacker's Strategy: This remote-access backdoor Trojan, shown in Figure 4.28, is yet another annoyance generator, featuring browser, window, and audio control.



Port: 2989



Service: RAT



Hacker's Strategy: This is an extremely dangerous remote-access backdoor Trojan. RAT was designed to destroy hard disk drives. During configuration, the following Registry entries are utilized:



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer = "C:\WINDOWS\system\MSGSVR16.EXE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Default = " "

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Explorer = " "

Port: 3459-3801

Service: Eclipse

Hacker's Strategy: This Trojan is essentially another stealth FTP daemon. Once executed, an attacker has full-permission FTP access to all files, including file execution, deletion, reading, and writing. During configuration, the following Registry entry is utilized:



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rnaapp = "C:\WINDOWS\SYSTEM\rmaapp.exe"



Port: 3700, 9872-9875, 10067, 10167



Service: Portal of Doom



Hacker's Strategy: This is another popular remote-control Trojan whose features are shown in Figure 4.29, and include:



• CD-ROM control

• Audio control

• File explorer

• Task bar control

• Desktop control

• Key logger

• Password retrieval

• File management

Port: 4567

Service: File Nail

Hacker's Strategy: Another remote ICQ backdoor, File Nail wreaks havoc throughout ICQ communities (see Figure 4.30).

Figure 4.30 File Nail was coded to crash ICQ daemons.

Port: 5000

Service: Bubbel

Hacker's Strategy: This is yet another remote backdoor Trojan, with features similar to those of the newer Trojan Cow, including:

• Messaging

• Monitor control

• Window control

• System freeze

• Modem control

• Chat

• Audio control

• Key logging

• Printing

• Browser control



Port: 5001, 30303, 50505



Service: Sockets de Troie



Hacker's Strategy: Sockets de Troie is a virus that spreads itself along with a remote administration backdoor. Once executed, the virus shows a simple DLL error as it copies itself to the Windows\System directory as MSCHV32.EXE and modifies the Windows Registry. During configuration, the following Registry entries are typically utilized:



HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad MSchv32 Drv = C:\WINDOWS\SYSTEM\MSchv32.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad Mgadeskdll = C:\WINDOWS\SYSTEM\Mgadeskdll.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunLoad Rsrcload = C:\WINDOWS\Rsrcload.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesLoad Csmctrl32 = C:\WINDOWS\SYSTEM\Csmctrl32.exe
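Nearly every daemon in this chapter persists by adding a value under one of the Run, RunServices or RunLoad keys quoted above. The following is an added example, not code from the book or from any program it describes, that audits the text form of a `reg export` of those keys against the value names and executable names the chapter lists. The sample export is constructed for the example; on a live host the same check would read the hive with the `winreg` module rather than parse a file.

```python
"""Audit Windows autostart values against the persistence entries quoted in
this chapter.  Added example, not the book's code: SUSPECT_VALUE_NAMES and
SUSPECT_FILES are copied from the chapter's Run/RunServices entries, and
SAMPLE_EXPORT is constructed text in `reg export` format so the check runs
offline on any platform.
"""
import re
from typing import Dict, List, Tuple

HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"

# Autostart keys the chapter's Trojans write to (compared case-insensitively).
AUTOSTART_KEYS = {k.upper() for k in (
    HKLM + r"\Run", HKLM + r"\RunServices", HKLM + r"\RunLoad",
    HKLM + r"\RunServicesLoad", HKCU + r"\Run", HKCU + r"\RunLoad")}

# Value names the chapter attributes to a Trojan.  A name match alone is weak
# evidence ("SystemTray" is also a legitimate Windows 9x Run entry), so the
# launched file, below, is the stronger signal.
SUSPECT_VALUE_NAMES = {
    "windll_16": "FTP99CMP", "notpa": "BackDoor", "kernel16": "Transmission Scout",
    "systray": "Bugs / The Spy", "sysmem": "Illusion Mailer", "rnaapp": "Eclipse",
    "inet": "GateCrasher", "dualji": "BrainSpy", "gbubuzhnw": "BrainSpy",
    "fexhqcux": "BrainSpy", "millennium": "Millennium",
    "microsoft dll loader": "Prosiak", "nssx": "NetSphere", "bo": "Back Orifice",
    "explorer32": "Hack'a'Tack", "systemtray": "Spirit",
}

# Executables the chapter quotes as the autostarted file.
SUSPECT_FILES = {
    "tesk.exe": "Doly Trojan", "msgsvr16.exe": "RAT", "rmaapp.exe": "Eclipse",
    "mschv32.exe": "Sockets de Troie", "mgadeskdll.exe": "Sockets de Troie",
    "rsrcload.exe": "Sockets de Troie", "csmctrl32.exe": "Sockets de Troie",
    "windown.exe": "Spirit",
}

# "name"=data   or   @=data  (default value)
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg export` text into {key path: {value name: data}}.
    String values are unescaped; other types are kept as raw text.  Written for
    this example: no line continuations or hex(...) blobs are handled."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) is None else m.group(1)
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def launched_file(data: str) -> str:
    """Lower-cased basename of the first token of a command line.  Assumes the
    executable path has no embedded spaces (true of every path the chapter quotes)."""
    command = data.strip().strip('"')
    if not command:
        return ""
    return re.split(r"[\\/]", command.split()[0])[-1].lower()


def audit_autostart(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (key, value name, verdict, trojan) for each suspicious value.
    verdict is "file-match" when the launched executable is one the chapter
    names, or "name-match" when only the value name matches."""
    findings = []
    for key, values in keys.items():
        if key.upper() not in AUTOSTART_KEYS:
            continue
        for name, data in values.items():
            exe = launched_file(data)
            if exe in SUSPECT_FILES:
                findings.append((key, name, "file-match", SUSPECT_FILES[exe]))
            elif name.lower() in SUSPECT_VALUE_NAMES:
                findings.append((key, name, "name-match", SUSPECT_VALUE_NAMES[name.lower()]))
    return findings


# Constructed sample: a legitimate SystemTray entry, a RAT entry hiding under
# the name "Explorer", a NetSphere value name, and Spirit's windown.exe.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Explorer"="C:\\WINDOWS\\system\\MSGSVR16.EXE"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"nssx"="C:\\WINDOWS\\SYSTEM\\nssx.exe"
"SystemTray"="c:\\windows\\windown.exe"
'''

if __name__ == "__main__":
    for key, name, verdict, trojan in audit_autostart(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{verdict:10s} {trojan:18s} {key}\\{name}")
```

Two of the four findings on the sample are name-only matches, which is the practical lesson: the legitimate `SystemTray` entry collides with Spirit's value name, so a name hit needs a look at the launched file before it is treated as an infection, and, since the chapter notes that most of these daemons can be renamed, a clean run is not proof of absence either.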

Hacker's Strategy: Robo-Hack is an older remote-access backdoor written in Visual Basic. The daemon does not spread itself nor does it stay resident after system restart. The limited feature base, depicted in Figure 4.31, includes:

• System monitoring

• File editing

• System restart/shutdown

• Messaging

• Browser control

• CD-ROM control

Service: The tHing



Hacker's Strategy: The tHing is a nasty little daemon designed to upload and execute programs remotely (see Figure 4.32). This daemon's claim to fame pertains to its ability to spread viruses and other remote controllers. During configuration, the following registry entry is utilized:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices - Default

Port: 6912

Service: Shit Heep

Hacker's Strategy: This is a fairly common Trojan that attempts to hide as your Recycle Bin. Upon infection, the system Recycle Bin will be updated (see Figure 4.33). The limited feature modules compiled with this Visual Basic daemon include:

• Desktop control

• Mouse control

• Messaging

• Window killer

• CD-ROM control

Figure 4.33 System message generated after being infected by Shit Heep.



Port: 6969, 16969



Service: Priority



Hacker's Strategy: Priority (illustrated in Figure 4.34) is a feature-rich Visual Basic remote control daemon that includes:



• CD-ROM control

• Audio control

• File explorer

• Taskbar control

• Desktop control

• Key logger

• Password retrieval

• File management

• Application control

• Browser control

• System shutdown/restart

• Audio control

• Port scanning

Port: 6970



Service: GateCrasher



Hacker's Strategy: GateCrasher is another dangerous remote control daemon as it masquerades as a Y2K fixer. The software contains almost every feature available in remote backdoor Trojans (see Figure 4.35). During configuration, the following registry entry is utilized:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices - Inet

Port: 7000



Service: Remote Grab



Hacker's Strategy: This daemon acts as a screen grabber designed for remote spying. During configuration, the following file is copied:

Hacker's Strategy: This daemon was designed to deliver Internet account passwords to the attacker. With a deceptive front-end, the program has swindled many novice hackers, masquerading as a simple ICQ-bomber (see Figure 4.36).



Port: 9400



Hacker's Strategy: This daemon was designed after the original Sub7 series that includes a pre-configurable server module.

Figure 4.36 ICKiller is a password stealer that masquerades as an ICQ Trojan.

Port: 10101

Service: BrainSpy

Hacker's Strategy: This remote control Trojan has features similar to the most typical file-control daemons; however, upon execution, the program has the ability to remove all virus scan files. During configuration, the following registry entry is utilized:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices - Dualji

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices - Gbubuzhnw

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices - Fexhqcux

Port: 10520

Service: Acid Shivers

Hacker's Strategy: This remote control Trojan is based on the telnet service for command execution and has the ability to send an email alert to the attacker when the target system is active (see Figure 4.37).

Port: 10607



Service: Coma



Hacker's Strategy: This is another remote control backdoor that was written in Visual Basic. The limited features can be deduced from the following illustration, Figure 4.38.

Service: Hack '99 KeyLogger



Hacker's Strategy: This daemon acts as a standard key logger with one exception; it has the ability to send the attacker the target system keystrokes in real-time (see Figure 4.39).

Port: 12345-12346

Service: NetBus/2/Pro



Hacker's Strategy: The infamous remote administration and monitoring tool, NetBus, now owned by UltraAccess.net, currently includes telnet, HTTP, and real-time chat with the server. For more details, visit www.UltraAccess.net.



Port: 17300



Service: Kuang

Hacker's Strategy: This is a Trojan/virus mutation of a simple password retriever via SMTP.

Port: 20000-20001

Service: Millennium



Hacker's Strategy: Millennium is another very simple Visual Basic Trojan with remote control features that have been recently updated to include:

• CD-ROM control

• Audio control

• File explorer

• Taskbar control

• Desktop control

• Key logger

• Password retrieval

• File management

• Application control

• Browser control

• System shutdown/restart

• Audio control

• Port scanning



During configuration, the following registry entry is utilized:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \RunServices - millennium

Port: 21544

Service: GirlFriend

Hacker's Strategy: This is another very common remote password retrieval Trojan. Recent compilations include messaging and FTP file access. During configuration, the following registry entry is utilized:

Port: 22222, 33333

Service: Prosiak



Hacker's Strategy: Again, another common remote control Trojan with standard features including:

• CD-ROM control

• Audio control

• File explorer

• Taskbar control

• Desktop control

• Key logger

• Password retrieval

• File management

• Application control

• Browser control

• System shutdown/restart

• Audio control

• Port scanning



During configuration, the following registry entry is utilized:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices - Microsoft DLL Loader

Port: 30029

Service: AOL Trojan

Hacker's Strategy: Basically, the AOL Trojan infects DOS .EXE files. This Trojan can spread through local LANs, WANs, the Internet, or through email. When the program is executed, it immediately infects other programs.



Port: 30100-30102



Service: NetSphere



Hacker's Strategy: This is a powerful and extremely dangerous remote control Trojan with features such as:

• Screen capture

• Messaging

• File explorer

• Taskbar control

• Desktop control



• Chat

• File management

• Application control

• Mouse control

• System shutdown/restart

• Audio control

• Complete system information



During configuration, the following registry entry is utilized:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices - nssx



Port: 1349, 31337-31338, 54320-54321



Service: Back Orifice



Hacker's Strategy: This is the infamous and extremely dangerous Back Orifice daemon whose worldwide distribution inspired the development of many Windows Trojans. What's unique with this software is its communication process with encrypted UDP packets as an alternative to TCP—this makes it much more difficult to detect. What's more, the daemon also supports plug-ins to include many more features. During configuration, the following registry entry is utilized:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices - bo



Port: 31785-31792



Service: Hack'a'Tack



Hacker's Strategy: This is yet another disreputable remote control daemon with wide distribution. As illustrated in Figure 4.40, Hack'a'Tack contains all the typical features. During configuration, the following registry entry is utilized:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices - Explorer32



Port: 33911



Service: Spirit



Hacker's Strategy: This well-known remote backdoor daemon includes a very unique destructive feature, monitor burn. It constantly resets the screen's resolution, and rumors indicate an update that changes the refresh rates as well. During configuration, the following registry entry is utilized:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices - SystemTray = "c:\windows\windown.exe"

Port: 40412

Service: The Spy



Hacker's Strategy: This daemon was designed as a limited key logger. The Spy only captures keystrokes in real time and as such, does not save logged keys while offline. During configuration, the following registry entry is utilized:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices - systray



Port: 47262



Service: Delta Source



Hacker's Strategy: This daemon was designed in Visual Basic and was inspired by Back Orifice. As a result, Delta Source retains the same features as BO. During configuration, the following registry entry is utilized:

Port: 65000

Service: Devil



Hacker's Strategy: Devil is an older French Visual Basic remote control daemon that does not remain active after a target station restart. The limited feature base, as shown in Figure 4.41, consists of messaging, system reboot, CD-ROM control, and an application killer.
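The port assignments above are the first thing a defender checks on a suspect Windows station: compare the sockets the host is listening on against the chapter's table. The following is an added example, not code from the book or from any program it describes, that does this over `netstat -an` output. WATCHLIST carries a subset of the chapter's entries, with each port specification copied as the chapter writes it, and NETSTAT_SAMPLE is constructed output; it also applies the chapter's note that local ports above 1023 on established connections are client-side ports, so those are skipped rather than flagged.

```python
"""Match listening sockets against the Trojan port table in this chapter.
Added example, not the book's code.  WATCHLIST is a subset of the chapter's
entries (spec strings copied as written); NETSTAT_SAMPLE is constructed
`netstat -an` output.  A port hit is a lead, not a verdict: each of these
daemons can be rebuilt to use another port and legitimate software may sit
on these numbers, so identify the owning process before acting.
"""
import re
from typing import List, Tuple

WATCHLIST = {
    "JammerKillah": "121",
    "Rasmin": "531, 1045",
    "Doly Trojan": "1010-1015",
    "Ultors Trojan": "1234",
    "BackDoor": "1999",
    "Transmission Scout": "1999-2005, 9878",
    "Trojan Cow": "2001",
    "WinCrash": "2583, 3024, 4092, 5742",
    "Eclipse": "3459-3801",
    "Portal of Doom": "3700, 9872-9875, 10067, 10167",
    "Sockets de Troie": "5001, 30303, 50505",
    "NetBus/2/Pro": "12345-12346",
    "Millennium": "20000-20001",
    "NetSphere": "30100-30102",
    "Back Orifice": "1349, 31337-31338, 54320-54321",
    "Hack'a'Tack": "31785-31792",
    "Devil": "65000",
}


def parse_port_spec(spec: str) -> List[Tuple[int, int]]:
    """Turn "1999-2005, 9878" into [(1999, 2005), (9878, 9878)]."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        low, high = int(lo), (int(hi) if hi else int(lo))
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ranges.append((low, high))
    return ranges


TABLE = [(name, parse_port_spec(spec)) for name, spec in WATCHLIST.items()]


def lookup(port: int) -> List[str]:
    """Every watchlist entry covering the port; entries overlap, so a list."""
    return [name for name, ranges in TABLE if any(lo <= port <= hi for lo, hi in ranges)]


# Windows netstat -an columns: Proto, Local Address, Foreign Address, [State].
_SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Tuple[str, int, str]]:
    """Return (proto, local port, state) per socket line; UDP lines carry no state."""
    sockets = []
    for line in text.splitlines():
        m = _SOCKET_LINE.match(line)
        if m:
            proto, _local, port, _foreign, state = m.groups()
            sockets.append((proto, int(port), state or ""))
    return sockets


def flag_listeners(text: str) -> List[Tuple[str, int, List[str]]]:
    """Watchlist hits among listening TCP sockets and bound UDP sockets.
    Established connections are skipped: their local ports are ephemeral client
    ports, so an outbound socket on 1234 is not an Ultors listener."""
    hits = []
    for proto, port, state in parse_netstat(text):
        if proto == "TCP" and state != "LISTENING":
            continue
        names = lookup(port)
        if names:
            hits.append((proto, port, names))
    return hits


# Constructed sample: two Trojan-port TCP listeners, a UDP socket on a Back
# Orifice port, and an outbound connection whose local port is the Ultors port.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2001           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      10.0.0.5:80            ESTABLISHED
  TCP    192.168.1.10:1234      10.0.0.7:443           ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

if __name__ == "__main__":
    for proto, port, names in flag_listeners(NETSTAT_SAMPLE):
        print(f"{proto} {port}: {', '.join(names)}")
```

Port 2001 illustrates why `lookup` returns a list rather than one name: the chapter assigns it both to Trojan Cow and, through the 1999-2005 range, to Transmission Scout, and 3700 likewise falls inside Eclipse's 3459-3801 range as well as Portal of Doom's list. Back Orifice is the entry that justifies checking UDP sockets, since the chapter notes it communicates over UDP rather than TCP.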

Armed and familiar with the liabilities pertaining to common and concealed system ports and services, let's move right into unraveling the secrets of security and hacking. The knowledge gained from the next chapter and those to follow will become pertinent in building a solid security hacking foundation, to aid in developing a superlative security intuition. Before we begin, it is important to express the serious legal issues regarding techniques in this book. Without written consent from the target company, most of these procedures are illegal in the United States and many other countries also. Neither the author nor the publisher will be held accountable for the use or misuse of the information contained in this book.



What's Next



The intention of this chapter was to establish a fundamental understanding of input/output computer ports and their associated services. It is important to identify with the potential vulnerabilities of these ports as we venture forth into the next chapter. At that juncture, we will learn how to scan computers for any vulnerable ports and ascertain pre-hack attack information of a target network.
