What is a carpenter without a hammer? “Hackers” require tools
in order to attempt to compromise a systems security. Some
tools are readily available and some are actually written by other
hackers, with the sole intent of being used for system break-ins.
Some “hackers’ use a little ingenuity with their attacks and don’t
necessarily rely on any particular tool. In the end however it
boils down to they need to infect your system in order to
compromise it.
To better understand the means by which “hackers” compromise
system security I feel it important to understand what tools they
use. This will give you as a user insight as to what exactly they
look for and how they obtain this information. In this section, I
also explain how these tools are used in conjunction with each
other.
Port Scanners
What is a port scanner?
A port scanner is a handy tool that scans a computer looking
for active ports. With this utility, a potential “hacker” can
figure out what services are available on a targeted computer
from the responses the port scanner receives. Take a look at
the list below for reference.
Starting Scan.
Target Host: www.yourcompany.com
TCP Port :7 (echo)
TCP Port :9 (discard)
TCP Port :13 (daytime)
TCP Port :19 (chargen)
TCP Port :21 (ftp)
TCP Port :23 (telnet)
TCP Port :25 (smtp)
TCP Port :37 (time)
TCP Port :53 (domain)
TCP Port :79 (finger)
TCP Port :80 (www)
TCP Port :110 (pop)
TCP Port :111 (sunrpc)
Finished.
Scanning for open ports is done in two ways. The first is to
scan a single IP address for open ports. The second is to scan
a range of IP address to find open ports.
Try to think about this like calling a single phone-number of
say 555-4321 and asking for every extension available. In
relation to scanning, the phone-number is equivalent to the IP
address and the extensions to open ports.
Scanning a range of IP address is like calling every number
between 555-0000 to 555-9999 and asking for every
extension available at every number.
Q. What does a port scanner look like?
Trojans
Trojans are definitely one of the tools that “hackers” use.
There are hundreds of Trojans. To list them all would make
this manual extremely long. For definition purposes we’ll focus
on a couple.
Sub Seven
The Sub Seven Trojan has many features and capabilities. It
is in my opinion by far the most advance Trojan I have seen.
Take a look at some of the features of Sub Seven.
• address book
• WWP Pager Retriever
• UIN2IP
• remote IP scanner
• host lookup
• get Windows CD-KEY
• update victim from URL
• ICQ takeover
• FTP root folder
• retrieve dial-up passwords along with phone numbers
and usernames
• port redirect
• IRC bot. for a list of commands
• File Manager bookmarks
• make folder, delete folder [empty or full]
• process manager
• text 2 speech
• Restart server
• Aol Instant Messenger Spy
• Yahoo Messenger Spy
• Microsoft Messenger Spy
• Retrieve list of ICQ uins and passwords
• Retrieve list of AIM users and passwords
• App Redirect
• Edit file
• Perform clicks on victim's desktop
• Set/Change Screen Saver settings [Scrolling Marquee]
• Restart Windows [see below]
• Ping server
• Compress/Decompress files before and after transfers
• The Matrix
• Ultra Fast IP scanner
• IP Tool [Resolve Host names/Ping IP addresses]
• Get victim's home info [not possible on all servers]:
- Address
- Bussiness name
- City
- Company
- Country
- Customer type
- E-Mail
- Real name
- State
- City code
- Country code
- Local Phone
- Zip code
And more…
I think you get the picture of just exactly what that Trojan
is capable of. Here is a picture of what SubSeven looks
like.
Netbus:
NetBus is an older Trojan however nonetheless is still used.
It consists of a server and a client-part. The serverpart
is the program which must be running on your
computer. This should give you an idea of what Netbus is
capable of.
Netbus Features:
• Open/close the CD-ROM once or in intervals (specified in
seconds).
• Show optional image. If no full path of the image is given it
will look for it in the Patch-directory. The supported imageformats
is BMP and JPG.
• Swap mouse buttons – the right mouse button gets the left
mouse button’s functions and vice versa.
• Start optional application.
• Play optional sound-file. If no full path of the sound-file is
given it will look for it in the Patch-directory. The supported
sound-format is WAV.
• Point the mouse to optional coordinates. You can even
navigate the mouse on the target computer with your own.
• Show a message dialog on the screen. The answer is always
sent back to you.
• Shutdown the system, logoff the user etc.
• Go to an optional URL within the default web-browser.
• Send keystrokes to the active application on the target
computer. The text in the field ”Message/text” will be
inserted in the application that has focus. (”|” represents
enter).
• Listen for keystrokes and send them back to you.
• Get a screendump (should not be used over slow
connections).
• Return information about the target computer.
• Upload any file from you to the target computer. With this
feature it will be possible to remotely update Patch with a
new version.
• Increase and decrease the sound-volume.
• Record sounds that the microphone catch. The sound is sent
back to you.
• Make click sounds every time a key is pressed.
• Download and deletion of any file from the target. You
choose which file you wish to download/delete in a view that
represents the harddisks on the target.
• Keys (letters) on the keyboard can be disabled.
• Password-protection management.
• Show, kill and focus windows on the system.
• Redirect data on a specified TCP-port to another host and
port.
• Redirect console applications I/O to a specified TCP-port
(telnet the host at the specified port to interact with the
application).
• Configure the server-exe with options like TCP-port and mail
notification.
This is what the Netbus client looks like.
Joiners
Earlier you saw me make references to utilities that
combine two executable files into one. That’s what these
programs are. These programs make it possible to hide the
Trojans in legitimate files.
ICQ
Though as itself is not a utility for hacking there are
program files written by Un-named programmers for it.
The more advance Trojans have the ability to notify the
“hacker” via ICQ of whether or not you are online. Given
that you are infected with a Trojan.
If you are not infected then ICQ can serve as a Utility to
give away your IP address. Currently there are
files/programs available on the net that allows you to
“patch” ICQ so it reveals the IP numbers of anyone on the
“hackers” list. There are also files that allow you add users
in ICQ without their authorization or notification.
For demonstration purposes let’s see how a hack would go
if a hacker with the above mentioned utilities were to
attempt to hack into a users machine.
Hack 1:
Objective: Obtain entry to the users machine.
Step1: Obtain user’s ICQ #
Step2: Add User to ICQ list
Step3: Use Get Info on user
Step4: Record User’s IP address
Step5: Start a dos prompt
Step6: nbtstat –A <ipaddress>
Step7: Look for hex code <20>
Step8: (Assuming a hex of <20> is there) net view
\\ip_address.
Step9: See what shares are available we’ll say “C” is being
shared.
Step10: net use x: \\ip_address\c
Access to the user’s machine has been achieved.
In the above scenario our “potential hacker” used the patch
programs available for ICQ to gain the IP address of the
“victim” and then launch his assault.
in order to attempt to compromise a systems security. Some
tools are readily available and some are actually written by other
hackers, with the sole intent of being used for system break-ins.
Some “hackers’ use a little ingenuity with their attacks and don’t
necessarily rely on any particular tool. In the end however it
boils down to they need to infect your system in order to
compromise it.
To better understand the means by which “hackers” compromise
system security I feel it important to understand what tools they
use. This will give you as a user insight as to what exactly they
look for and how they obtain this information. In this section, I
also explain how these tools are used in conjunction with each
other.
Port Scanners
What is a port scanner?
A port scanner is a handy tool that scans a computer looking
for active ports. With this utility, a potential “hacker” can
figure out what services are available on a targeted computer
from the responses the port scanner receives. Take a look at
the list below for reference.
Starting Scan.
Target Host: www.yourcompany.com
TCP Port :7 (echo)
TCP Port :9 (discard)
TCP Port :13 (daytime)
TCP Port :19 (chargen)
TCP Port :21 (ftp)
TCP Port :23 (telnet)
TCP Port :25 (smtp)
TCP Port :37 (time)
TCP Port :53 (domain)
TCP Port :79 (finger)
TCP Port :80 (www)
TCP Port :110 (pop)
TCP Port :111 (sunrpc)
Finished.
Scanning for open ports is done in two ways. The first is to
scan a single IP address for open ports. The second is to scan
a range of IP address to find open ports.
Try to think about this like calling a single phone-number of
say 555-4321 and asking for every extension available. In
relation to scanning, the phone-number is equivalent to the IP
address and the extensions to open ports.
Scanning a range of IP address is like calling every number
between 555-0000 to 555-9999 and asking for every
extension available at every number.
Q. What does a port scanner look like?
Trojans
Trojans are definitely one of the tools that “hackers” use.
There are hundreds of Trojans. To list them all would make
this manual extremely long. For definition purposes we’ll focus
on a couple.
Sub Seven
The Sub Seven Trojan has many features and capabilities. It
is in my opinion by far the most advance Trojan I have seen.
Take a look at some of the features of Sub Seven.
• address book
• WWP Pager Retriever
• UIN2IP
• remote IP scanner
• host lookup
• get Windows CD-KEY
• update victim from URL
• ICQ takeover
• FTP root folder
• retrieve dial-up passwords along with phone numbers
and usernames
• port redirect
• IRC bot. for a list of commands
• File Manager bookmarks
• make folder, delete folder [empty or full]
• process manager
• text 2 speech
• Restart server
• Aol Instant Messenger Spy
• Yahoo Messenger Spy
• Microsoft Messenger Spy
• Retrieve list of ICQ uins and passwords
• Retrieve list of AIM users and passwords
• App Redirect
• Edit file
• Perform clicks on victim's desktop
• Set/Change Screen Saver settings [Scrolling Marquee]
• Restart Windows [see below]
• Ping server
• Compress/Decompress files before and after transfers
• The Matrix
• Ultra Fast IP scanner
• IP Tool [Resolve Host names/Ping IP addresses]
• Get victim's home info [not possible on all servers]:
- Address
- Bussiness name
- City
- Company
- Country
- Customer type
- Real name
- State
- City code
- Country code
- Local Phone
- Zip code
And more…
I think you get the picture of just exactly what that Trojan
is capable of. Here is a picture of what SubSeven looks
like.
Netbus:
NetBus is an older Trojan however nonetheless is still used.
It consists of a server and a client-part. The serverpart
is the program which must be running on your
computer. This should give you an idea of what Netbus is
capable of.
Netbus Features:
• Open/close the CD-ROM once or in intervals (specified in
seconds).
• Show optional image. If no full path of the image is given it
will look for it in the Patch-directory. The supported imageformats
is BMP and JPG.
• Swap mouse buttons – the right mouse button gets the left
mouse button’s functions and vice versa.
• Start optional application.
• Play optional sound-file. If no full path of the sound-file is
given it will look for it in the Patch-directory. The supported
sound-format is WAV.
• Point the mouse to optional coordinates. You can even
navigate the mouse on the target computer with your own.
• Show a message dialog on the screen. The answer is always
sent back to you.
• Shutdown the system, logoff the user etc.
• Go to an optional URL within the default web-browser.
• Send keystrokes to the active application on the target
computer. The text in the field ”Message/text” will be
inserted in the application that has focus. (”|” represents
enter).
• Listen for keystrokes and send them back to you.
• Get a screendump (should not be used over slow
connections).
• Return information about the target computer.
• Upload any file from you to the target computer. With this
feature it will be possible to remotely update Patch with a
new version.
• Increase and decrease the sound-volume.
• Record sounds that the microphone catch. The sound is sent
back to you.
• Make click sounds every time a key is pressed.
• Download and deletion of any file from the target. You
choose which file you wish to download/delete in a view that
represents the harddisks on the target.
• Keys (letters) on the keyboard can be disabled.
• Password-protection management.
• Show, kill and focus windows on the system.
• Redirect data on a specified TCP-port to another host and
port.
• Redirect console applications I/O to a specified TCP-port
(telnet the host at the specified port to interact with the
application).
• Configure the server-exe with options like TCP-port and mail
notification.
This is what the Netbus client looks like.
Earlier you saw me make references to utilities that
combine two executable files into one. That’s what these
programs are. These programs make it possible to hide the
Trojans in legitimate files.
ICQ
Though as itself is not a utility for hacking there are
program files written by Un-named programmers for it.
The more advance Trojans have the ability to notify the
“hacker” via ICQ of whether or not you are online. Given
that you are infected with a Trojan.
If you are not infected then ICQ can serve as a Utility to
give away your IP address. Currently there are
files/programs available on the net that allows you to
“patch” ICQ so it reveals the IP numbers of anyone on the
“hackers” list. There are also files that allow you add users
in ICQ without their authorization or notification.
For demonstration purposes let’s see how a hack would go
if a hacker with the above mentioned utilities were to
attempt to hack into a users machine.
Hack 1:
Objective: Obtain entry to the users machine.
Step1: Obtain user’s ICQ #
Step2: Add User to ICQ list
Step3: Use Get Info on user
Step4: Record User’s IP address
Step5: Start a dos prompt
Step6: nbtstat –A <ipaddress>
Step7: Look for hex code <20>
Step8: (Assuming a hex of <20> is there) net view
\\ip_address.
Step9: See what shares are available we’ll say “C” is being
shared.
Step10: net use x: \\ip_address\c
Access to the user’s machine has been achieved.
In the above scenario our “potential hacker” used the patch
programs available for ICQ to gain the IP address of the
“victim” and then launch his assault.
Comments