
Thread: IP Addresses? (complete newbie question)

  1. #11
    Banned
    Join Date
    Jul 2005
    Posts
    511
    Keep in mind that hackers aren't always trying to hack specific computers. All they need to know is a system that might be vulnerable. When you visit some website then the webserver will start logging all kinds of information about who visited the site, when, where from and some indication of the webbrowser used. Now, if you use Internet Explorer then the webserver will know that you have a Windows system for sure. If you use another webbrowser then it's still likely that your webbrowser starts information about your operating system as part of its User-agent. (Some browsers allow you to fake this information, though!)

    Now, once your visit to some website has been logged, the owner of this website can check this log and filter all visits from Windows systems out of this log. He then has a list of possible vulnerable systems that he can all try to hack. As mentioned before, this is quite easy because of all the available scripting tools.

    Now, the trick for such hackers is of course trying to lure as many visitors as possible to their system. This can be whatever is most popular at that moment. But they also have to be aware that if there's a lot of pages that a visitor can view then a single visitor might fill up a lot of the logs. But it actually doesn't matter what page the visitor is viewing on the webserver as long as they visit it at least once. One trick would be a simple banner on the webserver and make this banner part of other sites by linking from those other sites. For example, by adding them as part of a signature on many forums. The more hits the server gets from different clients, the more systems the hacker can start to examine.

    One other problem is of course that this could also happen with other operating systems than Windows. Hackers might also decide to target e.g. Linux systems. However, Windows systems are still a large majority of all systems that are used for webbrowsing. So that makes Windows a very popular target for attacks. It's not that Linux has fewer vulnerabilities. Windows is just a lot easier target to shoot at. Think of it this way... You see a mouse and an elephant. You have a huge gun and need to bring home some meat. Which would you prefer to shoot?

  2. #12
    Junior Member
    Join Date
    Jun 2005
    Posts
    16
    Katja is exactly right, get them to come to you.

    As for gore...
    What the hell? Do you make prank phone calls without the phone number? Your computer broadcasts an IP or it's not online or network.
    Incorrect. Your gateway needs to broadcast if you want to receive traffic. That is the extent of it. You could have an externally facing gateway device following the TCP/IP RFC (RFC 793) to a T. The internal side could be all SSH tunnels to a proxy or MAC based routing. No broadcasting needed for either. Although both of these would be a headache to admin, need custom written applications, and lose much of the robustness of TCP/IP.

    Sorry for going so far off topic... what was the original question again?
    sudo

  3. #13
    Yes, that's my CC number! 576869746568617
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    Katja brings up an interesting point.

    A hacker could have a website advertising Sony PSP games and the like. When you connect to the site, the webserver logs the IP and browser type, but then, it initiates a port scan and runs some OS detection scripts (just to make sure that you didn't change the browser header to masquerade as Windows with IE, when you are in fact running Fedora).

    So now, the hacker has your IP, OS & Browser type & version, and a list of ports that you may be vulnerable on.

    To make matters worse, you were browsing the site for a while, and found a game you liked. You click the buy button and enter your name, address, telephone number, and credit card information...

    and you were required to register on the site before completing the order by creating an account with a user name and password (and of course provide an email address for verification). Consider that the average Windows user will use a variation of the same user name and password for everything.

    When you place the order, the site gives you an error processing order, blah blah blah. Not only are you about to be hacked, but the hacker also phished enough information to do practically anything he/she wants to.

    Now that's scary.
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.


  4. #14
    Banned
    Join Date
    Jul 2005
    Posts
    511
    576869746568617 makes a good point too here. Especially when a site asks for a username and password, things can become a bit risky. Many people just can't remember dozens of different passwords so they tend to use the same one over and over again. So you give away your username and a password and the hacker just has to check if your password gives access to other things too.
    Say, you're a member of this forum. You see a link to another site and follow it. You see a place where you can register yourself and you do so, using the same username and password as the one on AO. (Well, many here know that this is stupid, but newbies often make this mistake.) Now, the owner of this site can see his logs and read the forum that you came from and has a username and password. All he has to do is check if you used the same password on AO and if you did, he can take over your AO account!
    And of course he also has the IP number of your computer and thus he can try if your password also works for the administrator account on your system.

    This kind of hacking works best in large quantities. Maybe one in 500 visitors is this stupid but if your site attracts 10.000 visitors then you will have access to 20 systems! Phishing works in a similar way. Send a message to half a million people and if one in every 100.000 people take the bait, you will have 5 successful attempts.

    And security? Two guys were walking through the African savannah when a lion started to charge after them. One learned a valuable lesson there. You don't have to run faster than a lion in that case. You just have to run faster than the guy next to you.
    The same is true about security. You don't need the ultimate protection. Your protection just has to be better than that of the others in your community. Use different passwords, use different account names and make sure you have at least some basic protection like an up-to-date virusscanner/anti-spyware kit and a good firewall.

    And learn to ignore those messages like "Your computer may be broadcasting your IP address to attackers! Click here to correct this!". Basically, this is just another kind of scam where they try to scare you into using their product.

  5. #15
    Banned
    Join Date
    May 2003
    Posts
    1,004

    !Q

    *sigh*

    What can someone do if they know your IP address?
    They can attempt to connect to your computer more effectively than without your IP address.

    Is it a bad thing for someone to know your IP address?
    No.

    It is something you need, but also something worth protecting because it's possible for someone to scan your system for vulnerabilities IF they have your IP address and that can be a very bad thing if you haven't updated Windows with all the patches and if you do not have a firewall.
    You are more likely to be scanned at random than by someone specifically looking for your system, consequently any effort spent "protecting" your IP address is effort not spent on useful methods of protection.

    I would recommend that you install a firewall other than the Windows Firewall that came with Windows XP as well.
    Why? What functionality do you feel the Windows firewall is lacking? Seems like, unless he is running a more sophisticated network than just a workstation or two to justify a different firewall.

    The nice thing about the ShieldsUp site is the amount of easy to understand information available.
    The bad thing about ShieldsUp is that it is complete and total garbage.

    I'm not saying that's a bad idea, but can you give me a specific example of what would happen to someone that doesn't? Afaik, unless you're on a LAN, it makes no difference.
    Disabling this functionality just saves hassle... and users beyond the LAN can connect if these shares are open to the world.

    1.) Scan to find open ports.
    This and all the subsequent steps can be done without all the WHOIS steps and completely at random.

    Port 139 and others of NetBios are the ugly stepchild of vulnerabilities.
    Um... I have no idea what this is supposed to mean, but you seem to think it is clever.

    With common available tools even a secure network can be owned in half the time via these services.
    I am not sure that a network which can be "owned in half the time" could be considered "secure." These services are no worse than any other services, they just tend to be more liberally configured by default.

    Make sure you turn on Automatic Updates
    Unless you have any custom software/configurations that might get broken.

    Now at this point, my access is extremely limited, and it is read only, but I AM IN YOUR COMPUTER!
    Oh my god! You mean like how right this very moment I am IN the Antionline computer?! Hell, I have some write access here!

    To make matters worse, I have a command prompt.
    So how did you get access to cmd.exe on the system in question? Oh you mean you have a command prompt on your own system? So what.

    Now I can attempt to spawn processes through application vulnerabilities
    Like you could against the Antionline webserver or any other server...

    Now, when I disconnect, I will have to do this all over again to regain root.
    Or gain it for the first time, since Windows doesn't have a root account.

    Bleh... why bother...

    Don't worry about your IP address... just focus on keeping your computer secure with the Microsoft Baseline Security Analyzer or such.

    cheers,

    catch

  6. #16
    Senior Member Raion
    Join Date
    Dec 2003
    Location
    New York, New York
    Posts
    1,299
    In my opinion keezel put it in the most easy to understand for someone who is just beginning to use or understand how the internet works. My explanation to you is as follows:

    Your IP address is your Home Address, the hacker is the thief. What is stopping the thief from entering through the backdoor? The lock. What is stopping the thief from breaking a window? The gates this would be considered the firewall. But say you accidentally leave your back door open one night...that's a vulnerability.
    WARNING: THIS SIGNATURE IS SHAREWARE PLEASE REGISTER THIS SIGNATURE BY SENDING ME MONEY TO SEE THE COMPLETE SIGNATURE!

  7. #17
    Yes, that's my CC number! 576869746568617
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397

    Question No Big Deal???

    Alright Catch...

    I appreciate what you are trying to do... answer the guy's question as simply as you can. Something I did not do. I instead offered some security advice to make his machine a wee bit more secure, and hopefully ease his mind.

    I was also answering a question. A theoretical "What If" scenario. I did not intend for it to hijack the thread. Perhaps what I should have done was start another thread and referred those who were curious to that thread.

    The process I described is a classic NetBIOS/Privilege Escalation Hack. It is well documented, and works unless proper security measures have been taken.

    If you think I went into too much detail, don't kill the messenger...full disclosure is a good thing. It's easier to defend against something if you understand how it will attack you.

    It IS a big deal, because while I was "in the computer" (not able to do any damage yet, as you point out)...

    I was spawning processes (Yes, just like on a webserver, or anything else...This is not required to pull off the hack, I was just trying to find an easier way into a system account)...

    than cracking the administrator account for your computer (using the command line on my computer, which apparently was no big deal to you)...

    In order to remotely log in to your computer as the administrator, using the remote logon service on your machine, giving me administrative access to your computer.

    I know it is running because you have file and printer sharing enabled. (unless you baselined your computer and disabled that service).

    Then I can make a remote registry connection to insert the lines that will execute the root kit that I just installed on your hard drive the next time you restart... or anything else I want.

    Oh, and Windows does indeed have a "root" account. It's just not named root. I am using root in the context of "generically referring to the administrative user account of an operating system".

    As for the Windows Firewall, I was just stating my opinion...take it for a grain of salt. I just think it is way too granular.

    And, the Microsoft Baseline Security Advisor is a tool to use to get a BASELINE security configuration. For a home user, this relatively low security setup may be sufficient, but in a corporate LAN, more hardening should be done.

    I whole-heartedly agree that shields up sucks. And I can understand the sigh, as it seems that I have hijacked the thread with my what-if scenario...

    For that, I apologise.


  8. #18
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I instead offered some security advice to make his machine a wee bit more secure, and hopefully ease his mind.
    By telling him what? Some imaginary attack that has been way over dramatized and too simplified at the same time.

    If you think I went into too much detail, don't kill the messenger...full disclosure is a good thing. It's easier to defend against something if you understand how it will attack you.
    I don't think you went into too much detail... except that you really went into a lot of needless detail on an ancient attack. You didn't explain the themes of the attack, just the specifics... which are pretty useless against anything other than a system meeting a very specific (not to mention very bad) configuration.

    I was spawning processes
    Um... ok... I get the feeling by the context that you don't know exactly what this means.

    (Yes, just like on a webserver, or anything else...This is not required to pull off the hack, I was just trying to find an easier way into a system account)...
    Actually... most exploits do require the spawning of a new process... since most exploits launch and bind a shell. Really not a whole lot of point in an exploit that doesn't do this or something similar.

    than cracking the administrator account for your computer (using the command line on my computer, which apparently was no big deal to you)...
    Wow... this has become totally asinine. Not sure what using a command line has to do with magically cracking the admin account.

    Then I can make a remote registry connection to insert the lines that will execute the root kit that I just installed on your hard drive the next time you restart... or anything else I want.
    I hardly think you need to bother with any of this, considering the system is so appallingly badly maintained.

    Oh, and Windows does indeed have a "root" account. It's just not named root. I am using root in the context of "generically referring to the administrative user account of an operating system".
    Actually, no. Windows does NOT have a root account. Root accounts are superuser accounts which are defined as "an account which exists outside of the security policy." Neither the Administrator nor SYSTEM accounts meet this criteria.

    And, the Microsoft Baseline Security Advisor is a tool to use to get a BASELINE security configuration. For a home user, this relatively low security setup may be sufficient, but in a corporate LAN, more hardening should be done.
    This tool helps the administrator simply configure the system in line with the Microsoft security guidelines... it is clearly good enough for home users as well as small to medium-sized systems.

    cheers,

    catch

  9. #19
    Yes, that's my CC number! 576869746568617
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    Ok...I'm trying not to take it personal here...but the part about me not knowing what I'm talking about was a little much. I admit, I don't know everything, and never have claimed that I did.

    I realize that the attack is ancient, that I simplified it way too much, overdramatized it, blah blah.

    I guess I'm old because I prefer to execute some of the needed tools to pull it off from the command line.

    In retrospect, it was a really bad example to begin with, and the thread shouldn't have even gone there, nor should it have gone here.

    And I will concede the root/admin thing...I

    As for the Baseline Analyzer, I stand my ground. If I were to connect a laptop to a corporate network that was baselined using it, it would be ok as long as the perimeter firewall was properly configured. I guess I'm just paranoid. I also deal with computers that require far more stringent hardening than the analyzer provides.

    I may not have as much experience as you, but don't assume that I don't know something, because if I didn't, I wouldn't have posted it in the first place. (I don't know, cause I don't know anything about you, haven't read your profile, etc.), but do you have to nit pick the post to death? Unless you're just doing it to get me all frazzled cause it's funny (in which case, I'll be a good sport.)

    Otherwise, this debate is pointless, because I don't like pissing contests.

    Someone wanted an example, I gave them one. If you have a better example, then by all means, please post it (in another thread.)

    Sorry about the defensiveness...I'm a Taurus!


  10. #20
    Banned
    Join Date
    May 2003
    Posts
    1,004
    As for the Baseline Analyzer, I stand my ground. If I were to connect a laptop to a corporate network that was baselined using it, it would be ok as long as the perimeter firewall was properly configured. I guess I'm just paranoid. I also deal with computers that require far more stringent hardening than the analyzer provides.
    I am curious what you think is lacking from the MBSA.

    do you have to nit pick the post to death?
    My original post was out of frustration at the heaps and heaps of crap in this thread... I only nit picked a few of your points.

    cheers,

    catch
