Open ports, hackers heaven?
Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Open ports, hackers heaven?

  1. #1
    Member
    Join Date
    May 2002
    Posts
    34

    Open ports, hackers heaven?

    okay so from last post i came to know that if one knows my ip address he could break in my system using netbios ports. I want to ask but i m afraid that people here might take my curiosity as an attempt to gain hacking knowledge. what ever i want to ask i've an open netbios port(not a trojan port of course). In case when i've no trojan like subseven installed on my systemHow hacker can use this open port to connect to my system, and what would be his tools using which he will connect to my system(like in case of subseven, subseven client is the tool to connect to victim system). Again i explain i m asking all this just for information. i hope for some good response.

  2. #2
    Member
    Join Date
    May 2002
    Posts
    34

    Open ports, hackers heaven?

    okay so from last post i came to know that if one knows my ip address he could break in my system using netbios ports. I want to ask but i m afraid that people here might take my curiosity as an attempt to gain hacking knowledge. what ever i want to ask i've an open netbios port(not a trojan port of course). In case when i've no trojan like subseven installed on my systemHow hacker can use this open port to connect to my system, and what would be his tools using which he will connect to my system(like in case of subseven, subseven client is the tool to connect to victim system). Again i explain i m asking all this just for information. i hope for some good response.

  3. #3
    Senior Member
    Join Date
    Aug 2001
    Posts
    117
    Depending on what version of Windows you are using there are several ways to connect. There is a nebios connection that uses IPC$, basically this is a system share that can be connected via Netbios without using a user name or password. There are many tools that will use some netbios commands and the nice little netbios services will tell the user all sorts of information about the computer.

    There is a good article, that I can't seem to locate. Go to the SANS institue and look up netbios or IPC$ there is some good information there. Best way to prevent this is to upgrade to the latest service packs and / or releases of M$ Windows. The XP and 2000 versions have improved greatly over the NT, ME, 98 & 95.

    OR you can disable Netbios this will close ports 137, 138, 139. You can still connect to shares using IP addresses and it uses port 445 once connected. I may not be 100% correct here, but there is some good references on SANS and google.
    Luck--TSM
    Atlanta, GA


  4. #4
    Senior Member
    Join Date
    Aug 2001
    Posts
    117
    Depending on what version of Windows you are using there are several ways to connect. There is a nebios connection that uses IPC$, basically this is a system share that can be connected via Netbios without using a user name or password. There are many tools that will use some netbios commands and the nice little netbios services will tell the user all sorts of information about the computer.

    There is a good article, that I can't seem to locate. Go to the SANS institue and look up netbios or IPC$ there is some good information there. Best way to prevent this is to upgrade to the latest service packs and / or releases of M$ Windows. The XP and 2000 versions have improved greatly over the NT, ME, 98 & 95.

    OR you can disable Netbios this will close ports 137, 138, 139. You can still connect to shares using IP addresses and it uses port 445 once connected. I may not be 100% correct here, but there is some good references on SANS and google.
    Luck--TSM
    Atlanta, GA


  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    109
    The exploitation is that of a misconfigured system. No default install of windows should have any public file/print shares. On the victom's side, someone would have had to allow print and file sharing and set up a directory or more to be shared.

    Normally if you must share files or printers you would want to have configured a password, and set it up to restrict access to only the systems which require access. That of course doesn't make it fool proof. You may still be left vulnerable by a spoofing attack, social engineering and any vulnerabilities that might exist in the file/print sharing server (which in this case is built into the OS).

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    109
    The exploitation is that of a misconfigured system. No default install of windows should have any public file/print shares. On the victom's side, someone would have had to allow print and file sharing and set up a directory or more to be shared.

    Normally if you must share files or printers you would want to have configured a password, and set it up to restrict access to only the systems which require access. That of course doesn't make it fool proof. You may still be left vulnerable by a spoofing attack, social engineering and any vulnerabilities that might exist in the file/print sharing server (which in this case is built into the OS).

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If all ports on your computer were closed you could not network the computer with others.

    bear with me on this and if I'm teaching you to suck eggs then skip the whole thing.....Consider your computer as a Post Office, it has a physical address in the world, (192.168.157.87 for example). But your Post Office serves many hundreds if not thousands of people. So if you sent a message to Bill Smith at My Post Office in My Town what are the chances it'd get to him? Practically zero. So you add a P.O. Box number to that address and Bingo it goes in his PO Box and he comes and picks it up.

    Well, your computer is much the same but it's PO Boxes are called ports. To make life simple for us simple humans.... we only have to type www.yahoo.com and miraculously Yahoo appears. That's not the command that is eventually issued though. The real command would look more like 192.168.157.87:80. What that is saying is go to www.yahoo.com and get me their web page because the web server "lives" at port 80. Same if you wanted to FTP something you the command would be 192.168.157.87:21 because 21 is where FTP "lives".

    Ok... Now we have that outta the way.... If two computers want to talk on a network they have to use the services of the other computer to get information about it. On a windows 9X machine this is typically done using port 137, or NetBios.... There are commands that can be sent to a receptive port 137 that will reveal information about the computer and will actually allow a connection to be made that will allow file transfers to take place, commands to be issued etc. If I can upload or download files from your computer or issue some commands on it it's my computer not yours......

    That is really oversimplifying it but apply that process to any port that is open on your machine and there are 65535 ports on your machine, (though probably not all open..... I hope.... ), and you can see that there are a lot of ways a computer _could_ be exploited simply by having services hold ports open.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If all ports on your computer were closed you could not network the computer with others.

    bear with me on this and if I'm teaching you to suck eggs then skip the whole thing.....Consider your computer as a Post Office, it has a physical address in the world, (192.168.157.87 for example). But your Post Office serves many hundreds if not thousands of people. So if you sent a message to Bill Smith at My Post Office in My Town what are the chances it'd get to him? Practically zero. So you add a P.O. Box number to that address and Bingo it goes in his PO Box and he comes and picks it up.

    Well, your computer is much the same but it's PO Boxes are called ports. To make life simple for us simple humans.... we only have to type www.yahoo.com and miraculously Yahoo appears. That's not the command that is eventually issued though. The real command would look more like 192.168.157.87:80. What that is saying is go to www.yahoo.com and get me their web page because the web server "lives" at port 80. Same if you wanted to FTP something you the command would be 192.168.157.87:21 because 21 is where FTP "lives".

    Ok... Now we have that outta the way.... If two computers want to talk on a network they have to use the services of the other computer to get information about it. On a windows 9X machine this is typically done using port 137, or NetBios.... There are commands that can be sent to a receptive port 137 that will reveal information about the computer and will actually allow a connection to be made that will allow file transfers to take place, commands to be issued etc. If I can upload or download files from your computer or issue some commands on it it's my computer not yours......

    That is really oversimplifying it but apply that process to any port that is open on your machine and there are 65535 ports on your machine, (though probably not all open..... I hope.... ), and you can see that there are a lot of ways a computer _could_ be exploited simply by having services hold ports open.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  9. #9
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    By Default Most Windows OS's will install hidden shares for any drives that exist (e.g. if you have a c: drive you have a c$ share, there will also be an IPC$ share, and an Admin$ share). Now, I believe that Windows NT, 2000, and XP all have NetBios activated by default, so if you connect to the Internet and don`t have the Netbios ports blocked (or have netbios disabled) then there is a danger that someone can connect to them (I`m not going to explain it all here but you can find it out easily enough, check out some of the 'Windows hacking' tutorials that exist,I think there was one by Rhino 9, they all assume that NetBios is accessible.)

    The IPC$ share is used for Null session connections, these allow the attacker to see the users that exist on the system and what other shares there are. Often tagged onto this will be remote access to the registry, from which your attacker will try and gain the SAM file and then run it through L0pht crack and find your password. If remote registry accessible is not possible then there are still ways to increase what is accessible to the attacker and then he has your password.

    Now, going back to the hidden shares, these have to be manually removed (and it's open to discussion how much this ever works), using your username/pword an attacker can connect to your C$ share and then has access to whatever they want, and from there can do what they like to your machine, including installing trojans.

    Oh, and the hidden shares are often required by virus scanners that are sent updates from a central server.

    And as for the tools needed, Windows will suffice, the network commands are all you need.

    Hope this helps.
    Quis custodiet ipsos custodes

  10. #10
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    By Default Most Windows OS's will install hidden shares for any drives that exist (e.g. if you have a c: drive you have a c$ share, there will also be an IPC$ share, and an Admin$ share). Now, I believe that Windows NT, 2000, and XP all have NetBios activated by default, so if you connect to the Internet and don`t have the Netbios ports blocked (or have netbios disabled) then there is a danger that someone can connect to them (I`m not going to explain it all here but you can find it out easily enough, check out some of the 'Windows hacking' tutorials that exist,I think there was one by Rhino 9, they all assume that NetBios is accessible.)

    The IPC$ share is used for Null session connections, these allow the attacker to see the users that exist on the system and what other shares there are. Often tagged onto this will be remote access to the registry, from which your attacker will try and gain the SAM file and then run it through L0pht crack and find your password. If remote registry accessible is not possible then there are still ways to increase what is accessible to the attacker and then he has your password.

    Now, going back to the hidden shares, these have to be manually removed (and it's open to discussion how much this ever works), using your username/pword an attacker can connect to your C$ share and then has access to whatever they want, and from there can do what they like to your machine, including installing trojans.

    Oh, and the hidden shares are often required by virus scanners that are sent updates from a central server.

    And as for the tools needed, Windows will suffice, the network commands are all you need.

    Hope this helps.
    Quis custodiet ipsos custodes

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides