GUIDE TO (MOSTLY) HARMLESS HACKING
____________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Microsoft-only version Number 4
Hacking with Win95/NT: How to Telnet
How to Break into a Windows 95
Computers from the Internet
____________________________________________________________
by KeyDet89
************************************************************
In this
Guide you will learn how to:
* Use telnet from Windows
* Download web
pages via telnet
* Get finger information via telnet
* Telnet from the
DOS command-line
* Use netcat
* Break into Windows Computers from the
Internet
Protecting Yourself
What can they do
The command-line approach
The GUI approach
Final Words
************************************************************
How to Use Telnet on a Windows Computer
Telnet is great little program for doing a couple of interesting things. In
fact, if you want to call yourself a hacker, you absolutely MUST be able to
telnet! In this lesson you will find out a few of the cool things a hacker
can do with telnet.
If you are using Win95, you can find telnet in the
c:\windows directory,
and on NT, in the c:\winnt\system32
directory. There isn't a lot of
online help concerning
the usage of the program, so my goal is to provide
some
information for new users.
First off, telnet isn't so much an application as it is
a protocol.
Telnet is protocol that runs over TCP/IP, and
was used for connecting to
remote computers. It provides
a login interface, and you can run
command-line programs
by typing the commands on your keyboard, and the
programs
use the resources of the remote machine. The results are
displayed
in the terminal window on your machine, but the memory and CPU
cycles consumed by the program are located on the remote
machine.
Therefore, telnet functions as a terminal emulation
program, emulating a
terminal on the remote machine.
Now, telnet runs on your Win95 box as a GUI application...that is
to say
that you can type "telnet" at the command prompt (in Windows 95 this is the
MS-DOS prompt), and assuming that your PATH is set correctly, a window titled
"telnet" will open. This differs from your ftp program in that
all
commands are entered in the DOS window.
Let's begin by opening telnet. Simply open a DOS window by clicking
"start", then "programs", then "MS-DOS", and at the command prompt, type:
c:\telnet
The window for telnet will open, and you can browse the features of the
program from the menu bar.
***********************************************************
NEWBIE
NOTE: In this text file, I am referring only to the telnet
program
that ships with Win95/NT. If you type "telnet" at the
command prompt
and you don't get the telnet window, make sure
that the program is on your
hard drive using the Start -> Find ->
Files or Folders command.
Also make sure that your path statement
includes the Windows
directory. There are many other programs
available that provide
similar functionality, with a lot of other
bells and whistles, from any
number of software sites.
*************************************************************
To learn a bit more about telnet, choose Help -> Contents, or
Help
-> Search for help on... from the menu bar. Read through
the
files in order to find more detailed explanations of things
you may wish to
do. For example, in this explanation, I will
primarily be covering how
to use the application and what it can
be used for, but now how to customize
the colors for the application.
Now, if you choose Connect -> Remote System, you will be presented
with a dialog window that will ask you for the remote host, the
port and
the terminal type.
***************************************************************
NEWBIE
NOTE: For most purposes, you can leave the terminal type on
VT100.
***************************************************************
In the Connect dialog box, you can enter in the host to which
you wish to
connect, and there is a list box of several ports
you can connect to:
daytime: May give you the current time on the server.
echo:
May echo back whatever you type in, and will tell you that the computer you have
connected to is alive nd running on the Internet.
qotd: May provide
you with a quote of the day.
chargen: May display a continuous stream
of characters, useful for spotting network problems, but may crash your telnet
program.
telnet: May present you with a login screen.
These will only work if the server to which you are trying to connect is
running these services. However, you are not limited to just those
ports...you can type in any port number you wish. (For more on fun ports,
see the GTMHH, "Port Surf's Up.") You will only successfully connect to the port
if the service in question is available. What occurs after you connect
depends upon the protocol for that particular service.
When you are using telnet to connect to the telnet service on a server, you
will (in most cases) be presented with a banner and a login prompt.
[Note from Carolyn Meinel: Many people have written saying their telnet
program fails to connect no matter what host they try to reach. Here's a
way to fix your problem. First -- make sure you are already connected to
the Internet. If your telnet program still cannot connect to anything,
here's how to fix your problem. Click "start" then "settings" then
"control panel." Then click "Internet" then "connection." This
screen will have two boxes that may or may not be checked. The top one
says "connect to the Internet as needed." If that box is checked, uncheck
it -- but only uncheck it if you already have been having problems
connecting. The bottom box says "connect through a proxy server." If
that box is checked, you probably are on a local area network and your systems
administrator doesn't allow you to use telnet.]
********************************************************************
NEWBIE NOTE: It's not a good idea to connect to a host on which
you don't have a valid account. In your attempts to guess a username
and password, all you will do is fill the log files on that host.
From
there, you can very easily be traced, and your online service
provider will
probably cancel your account.
********************************************************************
Now, you can also use telnet to connect to other ports, such as
ftp (21),
smtp (25), pop3 (110), and even http (80). When you
connect to ftp,
smtp, and pop3, you will be presented with a
banner, or a line of text that
displays some information about the
service. This will give you a clue
as to the operating system
running on the host computer, or it may come
right out and tell
you what the operating system is...for instance, AIX,
Linux,
Solaris, or NT. If you successfully connect to port 80, you
will
see a blank screen. This indicates, again, that you have
successfully
completed the TCP negotiation and you have a connection.
Now, what you do from there is up to you. You can simply disconnect
with
the knowledge that, yes, there is a service running on port 80, or
you can use your knowledge of the HTTP protocol to retrieve the
HTML
source for web pages on the server.
Hpw to Download Web Pages Via Telnet
To retrieve a web page for a server using telnet, you need to connect
to
that server on port 80, generally. Some servers may use a
different
port number, such as 8080, but most web servers run on port
80. The
first thing you need to do is click on Terminal ->
Preferences and make
sure that there is a check in the Local Echo
box. Then, since most web
pages will generally take up more than a
single screen, enable logging by
clicking Terminal -> Start Logging...
and select a location and
filename. Keep in mind that as long as
logging is on, and the same
file is being logged to, all new
information will be appended to the file,
rather than overwriting the
original file. This is useful if you want
to record several sessions,
and edit out the extraneous information using
Notepad.
Now, connect the remote host, and if your connection is successful,
type
in:
GET / HTTP/1.0
and hit enter twice.
****************************************************************
NEWBIE
NOTE: Make sure that you hit enter twice...this is part
of the HTTP
protocol. The single / after GET tells the server
to return the
default index file, which is generally "index.html".
However, you can enter
other filenames, as well.
****************************************************************
You should have seen a bunch of text scroll by on the screen. Now
you can open the log file in Notepad, and you will see the HTML
code for
the page, just as though you had chosen the View Source
option from your web
browser. You will also get some additional
information...the headers
for the file will contain some information
about the server. For
example:
HTTP/1.0 200 Document follows
Date: Thu, 04 Jun 1998 14:46:46
GMT
Server: NCSA/1.5.2
Last-modified: Thu, 19 Feb 1998
17:44:13 GMT
Content-type:
text/html
Content-length: 3196
One particularly interesting piece of information is the server
name. This refers to the web server software that is running
and
serving web pages. You may see other names in this field,
such as
versions of Microsoft IIS, Purveyor, WebSite, etc.
This will give you a clue
as to the underlying operating system
running on the server.
**************************************************************
SYSADMIN
NOTE: This technique, used in conjunction with a
database of exploits
on web servers, can be particularly annoying.
Make sure you keep up on
exploits and the appropriate security
patches from your web server and
operating system vendors.
**************************************************************
**************************************************************
NEWBIE
NOTE: This technique of gathering web pages is perfectly
legal.
You aren't attempting to compromise the target system, you
are simply doing
by hand what your web browser does for you
automatically. Of course,
this technique will not load images and
Java applets for you.
**************************************************************
Getting Finger Information Via Telnet
By now, you've probably heard or read a lot about finger. It
doesn't seem like a very useful service, and many sysadmins
disable the
service because it provides information on a particular
user, information an
evil hacker can take advantage of. Win95
doesn't ship with a finger
client, but NT does. You can download
finger clients for Win95 from
any number of software sites. But
why do that when you have a readily
available client in telnet?
The finger daemon or server runs on port 79, so connect to a
remote host
on that port. If the service is running, you will be
presented with a
blank screen.
******************************************************************
NEWBIE
NOTE: NT doesn't ship with a finger daemon (A daemon is a program on the
remote computer which waits for people like you to connect to it), so generally
speaking, and server that you find running finger will be a Unix box. I
say "generally" because there are third-party finger daemons available and
someone may want to run one on their NT computer.
******************************************************************
The blank screen indicates that the finger daemon is waiting for
input. If you have a particular user that you are interested in,
type in the username and hit enter. A response will be provided, and
the daemon will disconnect the client. If you don't know a particular
username, you can start by simply hitting enter. In some cases, you
may get a response such as "No one logged on." Or you may get
information of all currently logged on users. It all depends on
whether or not the sysadmin has chosen to enable certain features
of the
daemon. You can also try other names, such as "root", "daemon",
"ftp",
"bin", etc.
Another neat trick to try out is something that I have seen referred to
as "finger forwarding". To try this out, you need two hosts that run
finger. Connect to the first host, host1.com, and enter the username
that you are interested in. Then go to the second host, and enter:
user@host1.com
You should see the same information! Again, this all depends upon
the configuration of the finger daemon.
Using Telnet from the Command Line
Now, if you want to show your friends that you a "real man" because
"real
men don't need no stinkin' GUIs", well just open up a DOS
window and type:
c:\>telnet <host> <port>
and the program will automatically attempt to connect to the host
on the
designated port for you.
Using Netcat
Let me start by giving a mighty big thanks to Weld Pond from L0pht for
producing the netcat program for Windows NT. To get a copy of this
program, which comes with source code, simply go to:
http://www.l0pht.com/~weld
NOTE: The first character of "l0pht: is the letter "l". The
second character is a zero, not an "o".
I know that the program is supposed to run on NT, but I have
seen it run
on Win95. It's a great little program that can be used
to do some of
the same things as telnet. However, there are
advantages to using
netcat...for one, it's a command-line program,
and it can be included in a
batch file. In fact, you can automate
multiple calls to netcat in a
batch file, saving the results to
a text file.
************************************************************
NEWBIE
NOTE: For more information on batch files, see previous versions of the
Guide To (mostly) Harmless Hacking, Getting Serious with Windows series ...one
of them dealt with basic batch file programming.
************************************************************
Before using netcat, take a look at the readme.txt file provided in
the
zipped archive you downloaded. It goes over the instructions
on how to
download web pages using netcat, similar to what I
described earlier using
telnet.
There are two ways to go about getting finger information using
netcat. The first is in interactive mode. Simply type:
c:\>nc <host> 79
If the daemon is running, you won't get a command prompt back. If
this is the case, type in the username and hit enter.
Or use the automatic mode by first creating a text file containing
the
username of interest. For example, I typed:
c:\>edit root
and entered the username "root", without the quotes. Then from
the
command prompt, type:
c:\>nc <host> 79 < root
and the response will appear on your screen. You can save the
output to a file by adding the appropriate redirection operator
to the
end of the file:
c:\>nc <host> 79 < root > nc.log
to create the file nc.log, or:
c:\>nc <host> 79 < root >> nc.log
to append the response to the end of nc.log. NOTE: Make sure
that you use spaces between the redirection operators.
How to Break into a Windows 95 machine Connected to the Internet
Disclaimer
The intent of this file is NOT to provide
a step-by-step guide to
accessing a Win95 computer while
it is connected to the Internet. The
intent is show you how to
protect yourself.
There are no special tools needed to access a remote Win95
machine...everything you need is right there on your Win95
system!
Two methods will be described...the command-line
approach and the GUI
approach.
Protecting Yourself
First, the method of protecting yourself needs to be made
perfectly
clear. DON'T SHARE FILES!! I can't stress that enough.
If you
are a home user, and you are connecting a Win95 computer
to the Internet via
some dial-up method, disable sharing. If
you must share, use a strong
password...8 characters minimum, a
mix of upper and lower case letters and
numbers, change the
password every now and again. If you need to
transmit the
password to someone, do so over the phone or by written letter.
To
disable sharing, click on My Computer -> Control Panel ->
Network
-> File and Print Sharing. In the dialog box that
appears, uncheck
both boxes. It's that easy.
What Can They Do?
What can someone do? Well, lots of stuff, but it largely
depends on
what shares are available. If someone is able
to share a printer from
your machine, they can send you
annoying letters and messages. This
consumes time, your
printer ink/toner, and your paper. If they are
able to
share a disk share, what they can do largely depends upon
what's
in that share. The share appears as another directory
on the
attacker's machine, so any programs they run will be
consuming their own
resources...memory, cpu cycles, etc.
But if the attacker has read and write
access to those disk
shares, then you're in trouble. If you take work
home, your
files may be vulnerable. Initialization and configuration
files
can be searched for passwords. Files can be modified and
deleted.
A particularly nasty thing to do is adding a line to your
autoexec.bat file so that the next time your computer is booted,
the
hard drive is formatted without any prompting from the user.
Bad ju-ju,
indeed.
** The command-line approach **
Okay, now for the part that should probably be titled "How they
do
it". All that is needed is the IP address of the remote machine.
Now
open up a DOS window, and at the command prompt, type:
c:\>nbtstat -A [ip_addr]
If the remote machine is connected to the Internet and the ports
used for
sharing are not blocked, you should see something like:
NetBIOS Remote Machine Name Table
Name
Type Status
---------------------------------------------
NAME
<00> UNIQUE Registered
DOMAIN <00>
GROUP Registered
NAME
<03> UNIQUE Registered
USERNAME <03>
UNIQUE Registered
MAC Address = 00-00-00-00-00-00
This machine name table shows the machine and domain names,
a logged-on
username, and the address of the Ethernet adapter
(the information has been
obfuscated for instructional purposes).
**Note: This machine, if unpatched and not protected with a
firewall or packet-filter router, may be vulnerable to a range
of denial
of service attacks, which seem to be fairly popular,
largely because they
require no skill or knowledge to perpetrate.
The key piece of information that you are looking for is in the
Type
column. A machine that has sharing enabled will have a hex
code of
"<20>".
**Note: With the right tools, it is fairly simple for a sysadmin
to
write a batch file that combs a subnet or her entire network,
looking for
client machines with sharing enabled. This batch file
can then be run
at specific times...every day at 2:00 am, only on
Friday evenings or
weekends, etc.
If you find a machine with sharing enabled, the next thing to
do is type
the following command:
c:\>net view \\[ip_addr]
Now, your response may be varied. You may find that there are
no
shares on the list, or that there are several shares available.
Choose which
share you would like to connect to, and type the
command:
c:\>net use g: \\[ip_addr]\[share_name]
You will likely get a response that the command was completed
successfully. If that is the case, type:
c:\>cd g:
or which ever device name you decided to use. You can now view
what
exists on that share using the dir commands, etc.
Now, you may be presented with a password prompt when you issue the
above
command. If that is the case, typical "hacker" (I shudder
at that
term) methods may be used.
** The GUI approach **
After issuing the nbtstat command, you can opt for the GUI approach
to
accessing the shares on that machine. To do so, make sure that
you
leave the DOS window open, or minimized...don't close it. Now,
use
Notepad to open this file:
c:\windows\lmhosts.sam
Read over the file, and then open create another file in Notepad,
called
simply "Lmhosts", without an extension. The file should
contain the IP
address of the host, the NetBIOS name of the host
(from the nbtstat
command), and #PRE, separated by tabs. Once you
have added this
information, save it, and minimize the window. In
the DOS command
window, type:
c:\>nbtstat -R
This command reloads the cache from the Lmhosts file you just
created.
Now, click on Start -> Find -> Computer, and type in the NetBIOS
name of the computer...the same one you added to the lmhosts file.
If
your attempt to connect to the machine is successful, you should
be
presented with a window containing the available shares. You
may be
presented with a password prompt window, but again, typical
"hacker" (again,
that term grates on me like fingernails on a chalk
board, but today, it
seems that it's all folks understand) techniques may be used to break the
password.
*************************************************************************
Note from Carolyn Meinel: Want to try this stuff without winding up in jail
or getting expelled from school? Get a friend to give you permission to try to
break in.
First, you will need his or her IP address. Usually this will be
different every time your friend logs on. You friend can learn his or her
IP address by going to the DOS prompt while online and giving the command
"netstat -r". Something like this should show up:
C:\WINDOWS>netstat -r
Route Table
Active Routes:
Network Address
Netmask Gateway Address
Interface Metric
0.0.0.0
0.0.0.0 198.999.176.84
198.999.176.84 1
127.0.0.0
255.0.0.0
127.0.0.1
127.0.0.1 1
198.999.176.0 255.255.255.0
198.999.176.84 198.999.176.84 1
198.999.176.84
255.255.255.255
127.0.0.1
127.0.0.1 1
198.999.176.255
255.255.255.255 198.999.176.84
198.999.176.84 1
224.0.0.0 224.0.0.0
198.999.176.84 198.999.176.84 1
255.255.255.255 255.255.255.255
198.999.176.84
0.0.0.0 1
Your friend's IP address should be under "Gateway Address." Ignore the
127.0.0.1 as this will show up for everyone and simply means "locahost" or "my
own computer." If in doubt, break the Internet connection and then get
online again. The number that changes is the IP address of your friend's
computer.
*********************************************************************
*********************************************************************
Evil Genius tip: Here is something really scary. In your shell account
give the "netstat" command. If your ISP allows you to use it, you might be
able to get the dynamically assigned IP addresses of people from all over the
world -- everyone who is browsing a Web site hosted by your ISP, everyone using
ftp, spammers you might catch red-handed in the act of forging email on your
ISP, guys up at 2AM playing on multiuser dungeons, IRC users, in fact you will
see everyone who is connected to your ISP!
********************************************************************
********************************************************************
YOU
CAN GO TO JAIL WARNING: If you find a Windows 95 box on the Internet with file
sharing enabled and no password protection, you can still get in big trouble for
exploiting it. It's just like finding a house whose owner forgot to lock
the door -- you still are in trouble if someone catches you inside. Tell
temptation to take a hike!
********************************************************************
Final Words
Please remember that this Guide is for instructional purposes only
and is
meant to educate the sysadmin and user alike. If someone
uses this
information to gain access to a system which they have
no permission or
business messing with, I (keydet) cannot be responsible
for the
outcome. If you are intending to try this information out,
do so with
the consent and permission of a friend.
If there are questions, comments, or corrections, please feel free
to
email me at keydet89@yahoo.com
Note from Carolyn Meinel: If you are unable to get enough free help on telnet
from KeyDet89, The Happy Hacker book has detailed instructions, including screen
shots. To get an autographed copy of The Happy Hacker Book sent to you
fast via airmail or second day mail, send a check made out to "Happy Hacker" for
$29.95 (plus $5 shipping and handling in the US, $8 shipping and handling in
Canada and Mexico, ) to P.O. Box 1520, Cedar Crest NM 87008. These orders
will be handled personally by the author, Carolyn Meinel. For other
countries, use the Internet commerce site at
http://www.infowar.com/cgi-shl/infowar.exe. However, books bought from
InfoWar will not be autographed.
___________________________________________________________
To subscribe
to Happy Hacker and receive the Guides to (mostly) Harmless
Hacking, please
email hacker@techbroker.com with message "subscribe
happy-hacker" in the
body of your message.
Copyright 1998 KeyDet89 <keydet89@yahoo.com>.
You may forward or post this
GUIDE TO (mostly) HARMLESS HACKING on your Web
site as long as you leave
this notice at the end.
___________________________________________________________