-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
             H a c k e r s   I n f o r m a t i o n   R e s o u r c e

        PPPPPP    OOOO    RRRRRR   TTTTTTT  ZZZZZZZZ
        PP  PP   OO  OO   RR  RR     TT           ZZ
        PPPPPP   OO  OO   RRRRR      TT          ZZ
        PP       OO  OO   RR  RR     TT         ZZ
        PP       OO  OO   RR  RR     TT        ZZ
        PP        OOOO    RR  RR     TT       ZZZZZZZZ

     A  L i s t  o v  h o s t  p o r t z  a n d  t h e i r  s e r v i c e

                                 By Axon
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This article will cover ports. What are ports? Well, on most internetted
computers, especially in the UN*X world, there are MANY programs running at
once. Many of them are servers, or daemons (pronounced "demons") as we shall
call them. When you telnet to a host, you usually connect via TCP (Transmission
Control Protocol) to port 23, which usually services Telnet connections.
Typically, a program called "telnetd", or telnet daemon, is running on the
remote computer, serving telnet connections. To keep this simple, I will just
list the TCP functions of the ports. (There is also a UDP function specified
for most ports as well. I won't mess with these, because most of them are the
same.)

I fought with myself on exactly how to put this thing together. "Do I make it
short, showing only the really necessary ports, or do I list all of them I
have?" I kind of made this a compromise between the two. This is a list of
some of the most popular ports, and most of them are all you'll need to either
find out more info from the server, obtain superuser status on the server, or
bring it to its knees. Labels marked with a * will be discussed after the
list, because they offer some interesting points of hacking interest.

Port #  Label          What it does
------  -------------  ------------------------------------------------------
1       tcpmux         TCP Multiplexer
7       echo           repeats whatever you type back to your terminal
9       discard        /dev/null: it does nothing but absorb your input
13      daytime        displays the system's date and time...fun!
15      *netstat       find info about networking structure of remote host
19      chargen        scrolls a really trippy pattern of characters
20      ftpdata        ftp data. it's hard to explain
21      *ftp           file transfers
23      *telnet        remote terminal connection
25      *smtp          Simple Mail Transfer. Perfect for faking e-mail!
43      nicname        whois server
53      domain         Domain Name Service (DNS) lookup
70      gopher         Outdated way to find info on the net.
79      *finger        Find who is on remote system (other things listed l8r)
80      http           Web stuff (web browsers use this port to get HTML)
110     pop3           Post Office Protocol - incoming mail
113     auth           authorization service

Some of these ports are really worth mentioning twice (some of them have 2 or
more uses!). I guess I'll start from the top, but first: "How do I connect to
these ports?!"

As I mentioned earlier, these are all ports that use TCP. It just so happens
that Telnet is almost a raw TCP connection, so what better to use than telnet?
I'll assume we're dealing with a standard UNiX system here. Typically, when we
type "telnet somewhere.yermom.com" the telnet client will default to port 23
(how fitting, that's the "telnet" port!). If you want to connect to a
different port on the same server, you can simply type
"telnet somewhere.yermom.com" followed by a space and the port number, such as
25 if we wanted to mess around with SMTP.

I don't really want to go into the "how do I haxor r00t with this inph0?" kind
of data in here. If you are a true hacker (defined as "not a malicious cracking
leech giving the people who know what they are doing a bad name", if you
care), you will want to play with what I have given you. It isn't really hard
to find out what makes the box in the back office tick once you find open ports
(and possibly a good port scanner is in order...search the net, for there are
tons of these pearls swimming around in the ether out there). On with the
show...
Netstat- This port, if the connection is accepted, will give you multitudes of
information about network connections being made to and from the host. It
shows where people are coming from, and what is going on on the network in
general. Be patient with the data here, as it can get very cryptic at times.
Try running netstat on any Unix machine and looking at the results if you
can't find a host that supports this externally.

FTP- It's a great thing to be able to snag files off of a remote host. It is
amazing to me how many hosts allow a user to connect with anonymous FTP, and
allow them to download /etc/passwd...sometimes not even shadowed! This has
often gotten me that little extra bit of data that I want so that I can finish
off a good hack. Navigate as much of the system as you can, and look at
ANYTHING you run across that you can get. This is a HUGE payoff.

Telnet- This is about as close to the front door of a host as you will ever
get without setting foot inside the server room (which would be AWESOME!).
Typically, telnetting to the "Telnet" port gets you some sort of a logon
screen, where you are prompted for a user name and password (hrm, I wonder
what THAT can be used for...). It's almost always the place you make your
first attack, and it's usually also the place you go to do your nasties after
you have some usernames (but not always).

SMTP- This is where we can do some really fun things that aren't that messy.
There are various vulnerabilities in SMTP that allow one to execute arbitrary
commands as if one were root, but I will not get into that. I think there are
half a quintillion cookbook hacks for this out on the net, but if you aren't
lame, you'll just try to figure it out yerself. I will, however, cover how to
write some pretty kick-ass fake e-mail. This requires a "friend's" email
address, or an enemy's, or someone you don't know. Try it on your own email
address if you have one, just to test it out first.
1) Telnet to a host, and make sure you go to port 25 (telnet host 25).

2) If you get a message like "220 hostname SMTP Solarisx.x; Wed, 1 Aug 1997
   10:19" or something like that, you are in!

3) Try this step first: type "MAIL FROM:" and then the e-mail address that you
   want this to look like it's coming from. It doesn't have to be a real
   e-mail address either! Just make it something phun. (Please make sure there
   is a space between MAIL and FROM, but not after the colon; example:
   MAIL FROM:god@heaven.org.)

4) If you get some complaint about no HELO command, type "HELO " and then the
   host you are telnetting from. If not, go to step 5.

5) Type "RCPT TO:" and then the email address you want this fake mail to go
   to. Maybe yours, if you are testing it. Follow the same rules as with the
   MAIL FROM command.

6) It should say "Sender is Valid" and "Recipient is valid" after you do these
   commands. If this happens, you are ready to spoof mail!

7) Type "DATA" alone on a line and hit enter. It'll give you a spiel on how to
   enter the message. Just remember to hit enter at the end of each line and
   you're okay. When you are done typing, hit enter, type a period (.), and
   hit enter again. It will then send the e-mail along its way; even if it's
   on a different host, it will eventually find its way. Type "QUIT" to close
   the connection. If you mailed yourself from god or Bill Gates or something,
   check your mail in 5 minutes or so...there it should be.

Some versions of SMTP allow you to type "VRFY " and a username, to see if such
a user exists on that host. For example:

   VRFY Jsmith
   250

Had Jsmith NOT existed on the system, it would have gone like this:

   VRFY Jsmith
   550 Jsmith... User unknown

This is a good way to see if a user exists on a system before you attempt to
try cracking their password (like if you found some usernames and no passwords
somewhere and wanted to know if maybe those users existed on this specific
system). This brings us to our next phun port...

Finger- This is very similar.
It is often used for gathering names of users on a remote host. By opening
this port and hitting enter, if finger is enabled, you get a list of who is
logged on, and some other stats about their connection. If you type in a
user's name after you connect to port 79, and then hit enter, if the username
is valid and finger is supported on the host, you get some more detailed info
on them, including a plan and project, if they created one. This is fairly
self-explanatory. Rumor has it that, with a finger connection, by confusing
the fingerd (daemon) program, it is also possible to execute commands as
root. I'm only working on some of the lighter-duty aspects of hacking. Like I
said earlier, figure it out.

Some extra stuff: some of you may wonder why I don't openly publish cookbook
hacks for how to swipe root access out from under the nose of unwary
sysadmins. This is a simple answer. If you spend a ton of time figuring it
out, you will be more careful with using it, knowing that if it is abused and
the admin knows about it, it will be fixed. In order to keep all these hacker
wanna-be's out of the way, I figure I'll just let people know what all's out
there, and if they want to spend time messing with it, they will learn more
and be careful. I've been on both sides of the security issue, and I love a
nice equilibrium between the two sides.
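From the sysadmin side of that equilibrium, here is an added example (not from the original article) that reads an SMTP session transcript and flags the two things the SMTP section above walks through: VRFY probing of usernames, and a MAIL FROM that is sent before any HELO or whose domain is unrelated to the HELO name. The transcript, host names and the VRFY threshold are constructed assumptions, not output from any real server.

```python
"""Flag SMTP sessions showing the VRFY probing and envelope-sender
spoofing described above.  Added example; transcript is constructed."""
import re

# Constructed transcript: "C:" = what the remote client typed,
# "S:" = the server's numeric reply.
SESSION = """\
S: 220 mail.example.org ESMTP
C: MAIL FROM:<god@heaven.org>
S: 503 Need HELO first
C: HELO somewhere.yermom.com
S: 250 mail.example.org
C: MAIL FROM:<god@heaven.org>
S: 250 Sender ok
C: VRFY jsmith
S: 250 jsmith <jsmith@example.org>
C: VRFY root
S: 550 root... User unknown
C: VRFY admin
S: 550 admin... User unknown
"""

def analyse_session(transcript, vrfy_threshold=2):
    """Return findings for one SMTP session; 'suspicious' summarises them."""
    f = {"vrfy_count": 0, "vrfy_unknown": 0, "mail_before_helo": False,
         "helo": None, "sender_domain": None}
    pending_vrfy = False          # last client command was VRFY
    for line in transcript.splitlines():
        who, _, text = line.partition(": ")
        if who == "C":
            cmd, _, arg = text.partition(" ")
            if cmd.upper() in ("HELO", "EHLO"):
                f["helo"] = arg.strip().lower()
            elif cmd.upper() == "VRFY":
                f["vrfy_count"] += 1
                pending_vrfy = True
            elif text.upper().startswith("MAIL FROM:"):
                f["mail_before_helo"] |= f["helo"] is None
                m = re.search(r"@([\w.-]+)", text)
                f["sender_domain"] = m.group(1).lower() if m else None
        elif who == "S" and pending_vrfy:
            f["vrfy_unknown"] += text.startswith("550")   # "User unknown"
            pending_vrfy = False
    helo, dom = f["helo"], f["sender_domain"]
    # Weak heuristic: envelope sender domain unrelated to the HELO name.
    f["helo_mismatch"] = bool(helo and dom and not helo.endswith(dom))
    f["suspicious"] = (f["vrfy_count"] >= vrfy_threshold
                       or f["mail_before_helo"] or f["helo_mismatch"])
    return f
```

Several 550 replies to VRFY in one session is the clearest sign of username guessing, which is also why many mail servers disable VRFY outright.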