file sharing vulnerability



jes
06-08-2002, 10:38 PM
I would like Paleo Pete to answer this one so I don't break any rules and get thrown out.
Ghost Hacker said that my Windows computer is vulnerable to break-in because I have enabled file sharing. Why is that?

------------------
I’m not trying to do anything malicious…just curious.

Paleo Pete
06-08-2002, 10:58 PM
If you re-read and understand what G_H has already posted in the topic about telnet etc., he has already answered that question.

Enabling file sharing sets your computer up to work as a networked machine, so that other computers on the network can see and therefore manipulate files on your computer. The Internet being essentially a huge network, once a remote computer manages to find out your IP address, file sharing has set certain communications ports to accept connections, so your computer becomes part of their network once they connect.

I'm sure G_H could explain it much better than I can; my weak spot is networking, and all I know is generalities. Basically file sharing enables communications ports that can be accessed and exploited remotely if an individual has the tools, time and determination to locate those ports and connect to one.

------------------
If your nose runs and your feet smell...
You're built upside down!
Note: Please post your questions on the forums, not in my email.

Computer Information Links (http://www.dreamwater.com/paleopete/computer.htm) has been moved, please update your bookmarks.

jes
06-09-2002, 12:55 AM
When I connected my two computers (could "nodes" be interchangeably used there?), the IP addresses didn't make a difference until I had the computers on the same workgroup. So, wouldn't the attacker need my workgroup as well as my IP address?

------------------
I’m not trying to do anything malicious…just curious.

Gallaeglagh
06-09-2002, 01:13 AM
A workgroup has to do with a LAN [local area network], not a WAN [wide area network, as in the internet].

------------------
From the hallowed legends of railroad lore comes the Deep Fried Core.

jes
06-09-2002, 02:25 AM
Then, what would the attacker do to gain access? I use IP addresses in my LAN and don't have access to any computers other than my own two.

------------------
I’m not trying to do anything malicious…just curious.

skhips
06-09-2002, 02:37 AM
If you only have two computers installed in a LAN with no other connections, and you are using cables to link the two as opposed to wireless LAN, then someone would need physical access to your machine or cabling to break in.

If you have an additional connection, e.g. phone or internet, then someone can use these points to get into your network no matter what IP addresses or workgroup you are using.

Even if you only have two machines connected, unless you have secured, filtered power to your machines and are using secure fibre optics, someone could pick up signals and be able to find out what you are doing. Someone could even park outside your house and, due to radiation from your monitor, be able to pick up what is on your screen on their monitor. (This is referred to as TEMPEST.)

But how far do you want to go?


old_kid
06-09-2002, 04:49 AM
If you are using a router (first line of defense), you have a firewall.

Plus you can set a firewall in each PC.

Further, you have a network login name and password to access the LAN.

Then shared drives can be password protected both for read and full access rights.

And further, in a shared password-protected drive you can then password protect individual folders.

Balance that against having to type in passwords every time you go to do something.



------------------
Good Judgement comes from Experience - Experience comes from Bad Judgement - but bad judgement is more fun!!

Ghost_Hacker
06-09-2002, 09:12 AM
So, wouldn't the attacker need my workgroup as well as my ip address?


Ok, let me see if I can break this down for you.....

Let's take a computer with TCP/IP installed and file sharing enabled. File sharing with TCP/IP is NetBIOS over TCP, or NETBT. This is important because NetBIOS is the reason for "workgroup" and "computer" names (called NetBIOS names). Think of NetBIOS as the poor man's DNS. A computer can use a "computer" name to get an IP address on a LAN just as your browser uses "www.pcguide.com" to get the IP address of the computer hosting this site. (There is one other "translation step", IP address to MAC address, that takes place on a local network segment. But it's not important in our talk today.)

Now DNS queries use TCP/IP and can cross networks; however, NetBIOS uses broadcast queries and cannot cross networks. NetBIOS was never designed for the internet but only for use within a local LAN. (I'm leaving out a discussion on "WINS" and "node types" here for simplicity.) This is why NetBIOS over TCP was "invented": to enable a computer to use NetBIOS methods to talk to another computer across networks.


Now remember I said NetBIOS is a poor man's version of DNS. In your browser you can type the IP address of "www.pcguide.com" and get to this site. You can do the same thing with NETBT. After all, DNS and NETBT are used to translate "names" to IP addresses. If you already know the IP address then you can skip either a DNS query or a NetBIOS query.

With me so far? Good. Now let's move on.


NetBT works over TCP/UDP ports 137-139. Each of these ports serves a different function. 139, for instance, is the port used to access file shares in all versions of Windows with NETBT set up. 137 is used to do "NetBIOS name lookup"; this is another key point. A computer can send a "request" to port 137 of another Windows computer and get a list of "names" for that computer. This list will include computer name, workgroup/domain name, logged-in user's name and any NetBIOS service names. Using either 3rd party tools or just the built-in Windows commands I can learn the name, workgroup and logged-on user name of any Windows computer. (Again there are some details I'm leaving out for simplicity. Let's just say that file sharing is enabled on a 98 box directly connected to the internet with no security methods in place.) With this information in hand I can then edit my "lmhost" file and, if I wish, connect to your computer using a NetBIOS name.

However, as I said before, once I know the IP address why bother with "names"? I can simply use NetBIOS methods with an IP address to open a connection to your file shares using port 139.

Now you're probably asking yourself, "then what's the big deal with workgroups?"

One answer: "Network Neighborhood". This icon simply collects NetBIOS names for all the computers on your LAN (in more "techie" terms, it displays the browse list for a network), making accessing those services easier for the non-techie public. Workgroups are used for peer-to-peer networking and help group computers together (networks without a central server is one way to look at "peer-to-peer" networking). Mismatched workgroup names cause problems with Net 'hood displaying the correct browse list; however, it has no effect on the ability to connect to another computer if you already know the IP address.

That concludes our discussion for today.

Hope this helps you somewhat.



[This message has been edited by Ghost_Hacker (edited 06-09-2002).]

jes
06-09-2002, 06:35 PM
I think that I understand most of that. It is pretty technical.

In your browser you can type the IP address of "www.pcguide.com" and get to this site
So, assuming that my workgroup was "bob" and my computer was running a webserver, if you were to type "bob" in the URL field of your browser, you would get the page that I was hosting?


A computer can send a "request" to port 137 of another Windows computer and get a list of "names" for that computer.
If I were to telnet to 137 on a Windows computer, could I get the name and all that cool stuff? Is that legal?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-10-2002, 09:52 AM
So, assuming that my workgroup was "bob" and my computer was running a webserver, if you were to type "bob" in the url field of your browser, you would get the page that i was hosting?

No, workgroups are NetBIOS names that don't point to a computer. Web browsers don't use NetBIOS names; they use domain names, which is not the same thing.

If you have a domain name and a DNS "A" record for the computer "bob" ("A" stands for address record; there are several types of DNS records, but we'll just use the "A" one), then yes, you could just type "bob.domainname.namespace" to reach that computer. However, your browser will by default use HTTP to "talk" to "bob". If there is no web server listening on port 80 of "bob", then your connection will fail.

If I were to telnet to 137 on a Windows computer, could I get the name and all that cool stuff? Is that legal?

NO, most ISPs will not like it if you run around "probing" other folks' computers. (Some even block "NetBIOS" traffic on their networks.) Besides, you never know when you may run into someone who knows more about hacking than you do.

I suggest that if you want to stay out of trouble, stick to hacking your own computers or get permission first in writing. (ALWAYS cover your rear end with a "get out of jail free" signature from the person who owns the computer you're probing.) Else you'll be just another "hacker" in jail with a cool nickname.

Instead of Telnet (which won't work anyway) use the command nbtstat at the command prompt. Details follow.....

"nbtstat checks the state of NetBIOS over TCP/IP connections and returns NetBIOS session and name resolution statistics. This tool can also be used to update the local NetBIOS name cache.

Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).

NBTSTAT [-a RemoteName] [-A IP address]] [-n]
[-r] [-R] [-s] [S] [interval] ]
-a (adapter status) Lists the remote machine's name table given its name
-A (Adapter status) Lists the remote machine's name table given its IP address.
-c (cache) Lists the remote name cache including the IP addresses
-n (names) Lists local NetBIOS names.
-r (resolved) Lists names resolved by broadcast and via WINS
-R (Reload) Purges and reloads the remote cache name table
-S (Sessions) Lists sessions table with the destination IP addresses
-s (sessions) Lists sessions table converting destination IP addresses to host names via the hosts file.

RemoteName...Remote host machine name.
IP address...Dotted decimal representation of the IP address.
interval...Redisplays selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying statistics."

Have fun



[This message has been edited by Ghost_Hacker (edited 06-10-2002).]

Ghost_Hacker
06-10-2002, 11:51 AM
EDIT

Web browsers don't use netbios names they use domain names which is not the samething.


Now that I think about it, you can use "NetBIOS" names with IE, as long as the computer is on your local network or has an entry in your LMhost file. (Internet Explorer is really just an extension of Windows Explorer.)

jes
06-11-2002, 01:18 PM
So, using this "nbtstat" would do this "probing" as you called it? If ISPs don't want a person doing these things, then why isn't it lost knowledge? I mean, what is the point of knowing this stuff? Ok, I just realized the answer. To ward off attackers it would be good to know how they are attacking.
As I have probably said before, I have an interest in computer security, even though most of it seems over my head.
In September, I will begin a two year program called Computer Systems Technology. The first year is mostly hardware, such as repairing the electronics and replacing the boards, getting A+, ... The second year will get into advanced networking and programming. I would assume that it will be a lot of the type of thing that you are telling me about.
I am already pretty good with hardware, but software usually stumps me.


------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-11-2002, 02:03 PM
So, using this "nbtstat" would do this "probing" as you called it? If ISPs don't want a person doing these things, then why isn't it lost knowledge? I mean, what is the point of knowing this stuff?

Well, ISPs don't care really, but an ISP customer might not like anyone connecting or trying to connect to his computer, and might complain to your ISP about it. So it's best not to go around "probing" or scanning other computers. There is no law against it as far as I know. But why take that chance when you can learn the same thing by using your own computers? (In fact you can learn more, because you can look at the logs of the target computer and set up a network sniffer to log the traffic.)

As far as the know-how goes, just remember that these tools can be used on internal networks too. If you're a network admin or network engineer, knowing how Windows "talks" and being able to troubleshoot it can help you big time.

Your class might talk about some of the things I mentioned. But it will probably start off with the basics: learning about the OSI model, what network devices map to that model; you learn the basics of IP subnetting and probably get a taste of network operating systems and how to set up user accounts.

You probably won't get into any security stuff until you first learn how to set up users and access rights on a network. You've got a long road ahead but it should be fun.

Enjoy



[This message has been edited by Ghost_Hacker (edited 06-11-2002).]

sea69
06-11-2002, 02:12 PM

thanks for that GH!

excellent post(s)




------------------
sea1_69@hotmail.com

homepage (http://www.seanweb1.homestead.com/index.html)

jes
06-11-2002, 02:55 PM
You say that ISPs don't really care if you "probe" another computer but the owner of the other computer may mind. How would they even know that you have done it? Why would they care if a person does it? Does it harm them?

------------------
I’m not trying to do anything malicious…just curious.

sea69
06-11-2002, 03:05 PM
hehe- I can answer this one

How would they even know that you have done it?

If you were to probe me, I would know it. If you were persistent, I would take action: I would first contact your ISP, and if that didn't work.............^$#!%# I may have to find a way to pull your plug personally.

hehe


Why would they care if a person does it? Does it harm them?

Well, one would not know why you were scanning. What purpose would you have to scan (my) someone's computer for open ports??

it is considered an offensive gesture.


------------------
sea1_69@hotmail.com

homepage (http://www.seanweb1.homestead.com/index.html)

[This message has been edited by sea69 (edited 06-11-2002).]

jes
06-11-2002, 03:20 PM
if you were to probe me I would know it



How would you know? What would happen?

------------------
I’m not trying to do anything malicious…just curious.

sea69
06-11-2002, 03:25 PM
One of several things would tell me.

I have Zone Alarm Pro configured to alert me, for one.

Ghost_Hacker
06-11-2002, 03:58 PM
Plus many sites run IDS software (Intrusion Detection Software) which logs traffic that matches a pattern in its database. Firewalls like Zone Alarm and others log connection attempts and scans. Plus some servers can log most all of their communications to other computers.


Most anyone who takes security seriously will have some sort of "logging" going on.

mjc
06-11-2002, 04:11 PM
jes, think about it this way.....

It is about 11:30pm, you have had a long day, suddenly your phone rings....you grab it and there is some blithering idiot on the other end, totally wasted, who mistakes your number for the local taxi service.

Annoying, right?

Now imagine that this happens 85 times in a row, with barely any stopping between attempts.....you want to reach right through the phone and "touch" someone.

One port scanned every so often is more or less a wrong number; a bunch in succession are most likely a deliberate attempt by someone or something to gain access...

Now the whole purpose of a firewall is to prevent all those attempts from reaching your system, and they (firewalls) all have some means of logging those attempts. Whatever action taken is then, usually, the decision of the owner of the machine the attempts were made against. And some are much less forgiving than others, try it against certain government or business sites and you will know what is meant by "response"...even if it is a nasty-gram email telling you that further attempts will be forwarded to the appropriate authorities.

Apply all that has been said in the various related security/hacking threads lately and you will see that there is one common theme: any network administrator worth the title has a multitude of tools and methods to detect, stop, track and report intrusions, and many of those tools are available to a home user with a little skill and some fair amount of knowledge to do the same.

Most of the numbskulls that go around defacing websites, dropping backdoors, and other general mischief makers think that since they haven't been caught, they won't be...but it is more likely that someone somewhere has a log file full of stuff that will nail them.


------------------
mjc
Computer Links (http://www.dreamwater.org/tech/mjc/index.htm)

Celts are the men that heaven made mad, For all their battles are merry and their songs are all sad.


[This message has been edited by mjc (edited 06-11-2002).]
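Ghost_Hacker's point that firewalls and IDS log connection attempts, and mjc's "wrong number versus deliberate attempt" distinction, can be turned into a small piece of detection logic. The following is an added example, not code from this thread or from any firewall product: it parses constructed firewall drop lines (a generic "DROP proto src:port -> dst:port" shape; ZoneAlarm and others have their own formats, so the regular expression is an assumption to adapt), then classifies each source as a one-off "stray" hit or a "scan" when it touches several distinct ports within a short window, and flags sources that went for the NetBIOS ports 137-139 discussed above.

```python
"""Classify firewall drop log lines into stray hits versus port scans.

Added example for the PCGuide thread, not the thread's own code.
The log format and all addresses/timestamps below are constructed
(documentation address ranges), so the script runs offline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NetBIOS over TCP/IP ports discussed in the thread.
NETBIOS_PORTS = {137, 138, 139}

# Assumed line shape: "YYYY-MM-DD HH:MM:SS DROP TCP a.b.c.d:sport -> w.x.y.z:dport"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "proto": m["proto"],
        "src": m["src"],
        "dport": int(m["dport"]),
    }


def classify_sources(lines, window=timedelta(seconds=60), scan_threshold=5):
    """Group dropped connections by source address and label each source.

    verdict is "scan" when a single source hit at least scan_threshold
    distinct destination ports inside one `window`; otherwise "stray"
    (mjc's "wrong number"). netbios is True if any hit was on 137-139.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append(ev)

    report = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        verdict = "stray"
        j = 0  # left edge of the sliding time window
        for i in range(len(evs)):
            while evs[i]["ts"] - evs[j]["ts"] > window:
                j += 1
            distinct = {e["dport"] for e in evs[j:i + 1]}
            if len(distinct) >= scan_threshold:
                verdict = "scan"
                break
        ports = sorted({e["dport"] for e in evs})
        report[src] = {
            "verdict": verdict,
            "ports": ports,
            "netbios": any(p in NETBIOS_PORTS for p in ports),
        }
    return report


# Constructed sample: one source sweeps five ports in four seconds, another
# sends two isolated hits more than an hour apart.
SAMPLE_LOG = """\
2002-06-11 23:30:01 DROP TCP 203.0.113.7:3421 -> 192.0.2.10:139
2002-06-11 23:30:02 DROP TCP 203.0.113.7:3422 -> 192.0.2.10:21
2002-06-11 23:30:02 DROP TCP 203.0.113.7:3423 -> 192.0.2.10:23
2002-06-11 23:30:03 DROP TCP 203.0.113.7:3424 -> 192.0.2.10:80
2002-06-11 23:30:03 DROP TCP 203.0.113.7:3425 -> 192.0.2.10:137
2002-06-11 23:30:04 DROP TCP 203.0.113.7:3426 -> 192.0.2.10:25
2002-06-11 23:45:10 DROP UDP 198.51.100.42:1029 -> 192.0.2.10:137
2002-06-12 01:05:00 DROP TCP 198.51.100.42:1031 -> 192.0.2.10:80
"""

if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG.splitlines()).items():
        flag = " (NetBIOS ports)" if info["netbios"] else ""
        print(f"{src}: {info['verdict']} on ports {info['ports']}{flag}")
```

The window and threshold are the knobs an admin tunes: too low and every stray packet becomes a "scan", too high and a slow sweep hides among the noise.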

jes
06-11-2002, 04:51 PM
I have read that 80% of daily computer attacks go unreported, simply because the victim company doesn't want to lose face. So there are a lot more of these attacks than we know about. If you will just eventually get caught doing this, then why so much? There are some that don't get caught. Why?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-11-2002, 05:23 PM
There are some that don't get caught.


Don't confuse "getting caught" with being "sent to court".
If the case doesn't warrant it because of low monetary losses then it won't be prosecuted.

A big chunk of that "80%" is attacks by worms, zombies and viruses. In this case the "writer" of the program must be found. If he or she resides in another country and if their laws don't cover the type of attack, he or she might get away with it.

What the media chooses to report has very little to do with what's really going on.

sea69
06-11-2002, 05:25 PM
There are some that don't get caught. Why?

'cause they didn't piss off the right person.

Can you just imagine what GH could do if properly motivated??

(if you messed with his network)



[This message has been edited by sea69 (edited 06-11-2002).]

mjc
06-11-2002, 06:20 PM
Right....and I have a big imagination!

And it is sad, but true, most of the "real" news never makes it to the "media".

Many of those who don't "get caught" are constantly trying to find a new ISP because one too many complaints had been received at their current one. Plus "there are bigger fish to fry" holds true...most admins will be looking for a pattern or some serious scanning, but that doesn't mean a particular attempt hasn't been logged.

So basically what it boils down to...if you have your own network at home set up whatever way you want, you can do pretty much anything you want (I don't think you will be calling your ISP to complain about yourself), but don't try much of anything on another network without the previously mentioned (in one of the other threads) golden butt shield....a signed hardcopy document giving the OK of the admin to do such activity. While the activity may not exactly be illegal, it is bad manners or worse (especially if you annoy the wrong person).

------------------
mjc
Computer Links (http://www.dreamwater.org/tech/mjc/index.htm)

Celts are the men that heaven made mad, For all their battles are merry and their songs are all sad.

jes
06-11-2002, 06:20 PM
Yes, I have realized that. Notice that I am being very nice to him?

------------------
I’m not trying to do anything malicious…just curious.

jes
06-11-2002, 07:19 PM
A big chunk of that "80%" is attacks by worms, zombies and viruses.



What are zombies? And can you explain worms to me? I never really understood that.

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-11-2002, 09:55 PM
Yes, I have realized that. Notice that I am being very nice to him?

Hey, I'm a nice guy..wouldn't hurt a flea

What are zombies? And can you explain worms to me? I never really understood that.

Ok, a Zombie is a remote computer that is being used by a hacker for something. In most cases this "something" is a DDOS attack. DDOS stands for Distributed Denial Of Service. What a hacker will do is get a trojan installed on as many computers as possible using some sort of automated method like an email attachment. Once the attachment is run the trojan installs itself and (in one popular method) connects to an IRC server's chat room. The trojaned zombie will then sit in that room as long as the computer is connected to the internet. A hacker can then connect to that same IRC chat room and issue commands to all the trojaned computers waiting there. These guys will then use their zombies to take down web sites that offend them or attack any site that can get them some measure of fame. For some it can become a show of who controls the most zombies.

Note that not all zombies connect to IRC servers. But all will use some method to connect to a "master" or "handler" computer. Once the hacker orders an attack, hundreds, maybe thousands, of computers will then flood the target with traffic that prevents other computers from connecting, therefore denying that computer's service (web in most cases) to other remote clients.

Worms are programs that scan computers for a security hole. Once a computer is found with a certain security hole the program will use that hole to install a copy of itself on that remote computer. The copy will then start scanning for other hosts to infect. Each newly infected computer adds to the list of computers scanning for and compromising other computers.


This page explains how the newest worm out there, which attacks SQL servers, copies itself from computer to computer.
http://www.eeye.com/html/Research/Advisories/AL20020522.html


It's detailed but you might get something out of it.

jes
06-11-2002, 11:43 PM
Nimda was a worm, right? I think code red was too.
So a zombie is just a collection of trojan-vulnerable computers?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-12-2002, 10:47 AM
Yes on both counts, Nimda and Code Red are both worms that attack IIS web servers and Zombies will have trojans running on them.

jes
06-12-2002, 01:59 PM
Wouldn't most of the "viruses" that you hear about in the media be worms?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-12-2002, 02:29 PM
Not really, viruses don't look for security holes in order to spread. They infect other files (word documents for instance) and then may take advantage of a security hole to spread but they still need someone to activate them.


Worms on the other hand can activate themselves and look for other computers to infect without the intervention of a user. They do not infect other files.


However, there are some worms which have a virus-like propagation method. They may use email as an additional way to spread into networks and wait for a user to activate them. The media may label user-activated/email-borne worms "viruses".



[This message has been edited by Ghost_Hacker (edited 06-12-2002).]

jes
06-12-2002, 04:03 PM
How to Install a Telnet Server on your Windows Computer

Usually you can't telnet into a Windows home computer. The reason is, they aren't running telnet servers. Here's how to get a telnet server on your home Windows computers so your friends and you can telnet in and play.

For Windows NT, the Options Pack includes a primitive telnet server.

For Windows 95/98/NT and 2000, you also can install shareware or commercial telnet servers. Check out http://www.winfiles.com, or do a web search.

Of course installing a telnet server makes your computer vulnerable to all sorts of trouble from hackers. It's your funeral, don't come crying to me if a telnet visitor destroys your computer.
From http://www.happyhacker.org/gtmhh/begin11c.shtml#install

Does this mean that a Windows computer cannot be telneted to but you can telnet from it?


------------------
I’m not trying to do anything malicious…just curious.

jes
06-12-2002, 06:07 PM
Grammar correction: "Does this mean that Windows cannot be telneted to [in a default installation] but can be telneted from?"
What's the point of a telnet server then?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-12-2002, 09:49 PM
Well, Telnet is for accessing a command prompt from a remote computer. Windows 2000/XP does have a Telnet server. But 9x does not.


Just as a web browser connects to a web server, so does a telnet client program connect to a telnet server. (This is its true use after all.) All operating systems come with a telnet client, but not all come with the telnet server. And if a Telnet server isn't running on the remote computer you cannot telnet into it.




[This message has been edited by Ghost_Hacker (edited 06-12-2002).]

jes
06-13-2002, 11:10 AM
How can I telnet to my home computer from work?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-13-2002, 11:35 AM
You would need 2 things. First an IP address that's reachable from the internet and second a Telnet server program running on your home box.

However, telnet may be blocked by your network admin (as may all "remote console" protocols), so don't be surprised if all your efforts to access your home computer from work fail.

A more secure form of "remote console" is SSH, which can be run on Windows and Linux. It's not easy to set up but offers improved security by not transmitting passwords in cleartext. It can also be set up to accept logins from only certain computers. Go here for details:
http://www.jfitz.com/tips/ssh_for_windows.html#SSH_Servers

Good Luck

jes
06-13-2002, 11:43 AM
where did you learn all of this stuff?

------------------
I’m not trying to do anything malicious…just curious.

jes
06-13-2002, 11:48 AM
You would need 2 things. First an IP address that's reachable from the internet and second a Telnet server program running on your home box.

http://download.com.com/3000-2155-1553563.html?tag=lst-0-2 is a telnet server, but how would I get an IP address that is reachable from the internet? My IP address is reachable from the other computer on my LAN but not the internet, not that I know of. How do I check?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-13-2002, 12:25 PM
where did you learn all of this stuff?

I have no life!

Just kidding. I read all the information I can get my hands on and I have a test lab network at home and work, so I can "play" with all this stuff.
It takes time but you'll learn it too, I'm sure.


My IP address is reachable from the other computer on my LAN but not the internet, not that I know of. How do I check?

Your ISP will assign IP addresses for use with the internet. If you're not using one of their assigned IP addresses then it's not going to work. To be sure, just check with your ISP about how many "routable" IP addresses you've been assigned.

jes
06-13-2002, 02:17 PM
So I have to be dialed in for this to work. That will put a damper on this. I live in western Canada in a very rural area where there is no high speed internet. I had it once; I moved to Regina for 2 years. Was hard to lose it but I will have it again in Sept. How long did it take for you to learn all this?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-13-2002, 03:30 PM
I've worked with networks for 7 years and with network security for about 2.

The learning process is always ongoing. But you can get some decent know-how in about a year if you "apply" yourself.

[This message has been edited by Ghost_Hacker (edited 06-13-2002).]

jes
06-13-2002, 04:49 PM
Will likely get some knowhow at my program (http://www.assiniboine.net/public/programs/ctd.htm) in the fall.
Do you have a CS degree?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-13-2002, 05:06 PM
Yes, I have a CS degree, but my studies at that time centered on mainframes, not PCs. (This was the early '80s and PCs just were not worth studying for.)

Your program looks to be a good one. You should come out with a fair degree of "know-how".

jes
06-13-2002, 05:32 PM
So you're an old guy, twice my age.

------------------
I’m not trying to do anything malicious…just curious.

jes
06-13-2002, 05:45 PM
NBTSTAT [-a RemoteName] [-A IP address]] [-n]
[-r] [-R] [-s] [S] [interval] ]
-a (adapter status) Lists the remote machine's name table given its name
-A (Adapter status) Lists the remote machine's name table given its
IP address.
-c (cache) Lists the remote name cache including the IP addresses
-n (names) Lists local NetBIOS names.
-r (resolved) Lists names resolved by broadcast and via WINS
-R (Reload) Purges and reloads the remote cache name table
-S (Sessions) Lists sessions table with the destination IP addresses
-s (sessions) Lists sessions table converting destination IP
addresses to host names via the hosts file.



OK. I would like to talk about this again. I didn't really understand it.
You told me that it was a method of getting these "names" as you called them, all that info about the computer.
c:\windows> NBTSTAT [-a P1] [-A 10.0.0.1]] [-n]
[-r] [-R] [-s] [S] [1000]

Would I type something like that (to access the computer on the other end of my LAN, P1)?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-14-2002, 09:23 AM
So you're an old guy, twice my age.

LOL...Hey, I'll have you know I still get carded

OK. I would like to talk about this again. I didn't really understand it.
You told me that it was a method of getting these "names" as you called them, all that info about the computer.
c:\windows> NBTSTAT [-a P1] [-A 10.0.0.1]] [-n]
[-r] [-R] [-s] [S] [1000]

Would I type something like that (to access the computer on the other end of my LAN, P1)?

Start with nbtstat -A 10.0.0.1 or nbtstat -a p1; this will show the remote NetBIOS names. Most of the other switches are for local NetBIOS information.

Ghost_Hacker
06-14-2002, 10:39 AM
This web page will help you to understand nbtstat's output.
http://www.microsoft.com/ntserver/techresources/commnet/WINS/WINSwp98/WINS10-12.asp

jes
06-14-2002, 01:32 PM
Early 40s right...anyway-

Start with nbtstat -A 10.0.0.1 or nbtstat -a p1 this will show the remote netbios names. Most of the other switches are for local netbios information

But doesn't the "-A" switch mean adapter status?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-14-2002, 02:39 PM
Turn 40 this year..Youngster :D

You're right, it does mean Adapter status. Play around with the command and you'll see that requesting adapter status on a remote computer displays that computer's netbios names.



[This message has been edited by Ghost_Hacker (edited 06-14-2002).]

jes
06-14-2002, 07:15 PM
So you are less than twice my age. 21
What network do you run? What OSs does it have?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-14-2002, 09:28 PM
I run a 10BASET network with one linux server, one NT4 server, two Netware4 servers and one Netware5 server. My desktop machines run Linux,ME,2000,NT4 and my newest addition XP.

jes
06-14-2002, 11:41 PM
Yeah, Friday night. I have no life either. :)
Why do you run ME instead of 98 SE? Is it more stable?
Is that a government LAN? You just seem like a government person.
What is ARP? Don't say Address Resolution Protocol.

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-17-2002, 09:54 AM
...Why do you run ME instead of 98 SE? ...

ME is worse than 98se. I only installed it to see what it was like.


Is that a government LAN?

No, just my home network. I don't work for the government (however there are some juicy government contracts I'd like to get in on) but I do read a lot of government security stuff so I guess I'm starting to "sound" like them. :D


What is ARP? Don't say Address Resolution Protocol

Well, that's what it is. :D ARP is used to find MAC addresses. When a computer needs to talk to another computer on the same network segment that it's on, it will send an "ARP" broadcast. In the case of TCP/IP the broadcast will say "Who has IP address 222.333.444.555?". The computer that is assigned that IP address will answer with the Media Access Control address of the NIC card assigned that IP. (Every NIC card is assigned a MAC address by its manufacturer. No two NICs can have the same address, so because of this it's possible to tell what manufacturer made a certain NIC by its MAC address.) Once a computer has its answer it will store that address in its ARP cache so that it won't have to "ask" who has it again.

It is this MAC address which is used to send network packets from one network device to another.

jes
06-17-2002, 11:38 PM
For when a computer wants to send a message to a certain mac addres? Is that all it does?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-18-2002, 09:20 AM
When it wants to send a message to a certain network device which could be a printer, router, or another computer on the same network segment. If it already knows the MAC address then ARP is not used.

Yes, ARP is only used to find MAC addresses.


Go here for more details :
http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html

jes
06-18-2002, 12:42 PM
So, on the 1995 movie "Hackers", Dade was using ARP to "hack" into OTV (new york tv station, don't think it actually exists) to change the boring documentary to an old episode of the outer limits. Complete bovine fecal matter?


------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-18-2002, 03:54 PM
ARP can be used as part of an attack. ARP poisoning is used to corrupt the cached ARP address of a network device and cause that device to send network traffic to the wrong destination. (You would pretend to be "someone" else by changing the MAC to IP address/name mapping held in the ARP cache, thereby causing traffic that was supposed to go to that "someone" to go to you instead.) By impersonating other computers you might be able to grab passwords or other data that could then be used to further a network intrusion.

However ARP itself isn't a protocol used to actually do any "hacking". (Besides, remember that ARP only works on a local segment, so as a remote attack method ARP wouldn't work.)

Can't say anything about "Hackers" since I never saw the movie, but my guess is they didn't do a good job of showing how ARP would be used during an attack. (Probably had the guy start his "ARP" program which magically gained him access to the network's servers. :D :D )



[This message has been edited by Ghost_Hacker (edited 06-18-2002).]
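The ARP request/reply exchange Ghost_Hacker describes above, and the cache-poisoning check a defender would want, as an added Python example that is not part of the original thread and not any tool the posts mention. It builds RFC 826 ARP frames by hand, parses them back, and keeps a small ARP cache that flags a reply which changes an already-learned IP-to-MAC mapping, which is what a poisoned reply looks like on the wire. All MAC and IP addresses below are constructed for the example, and nothing is transmitted.

```python
import struct

# Constants from RFC 826 / Ethernet II framing
ETH_P_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST = 1
OP_REPLY = 2


def mac_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (14 bytes) + ARP payload (28 bytes) for IPv4 over Ethernet.
    A request goes to the broadcast MAC; a reply is unicast to the asker."""
    dst = mac_bytes("ff:ff:ff:ff:ff:ff") if op == OP_REQUEST else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpCache:
    """Learns IP -> MAC from replies and records any reply that changes a learned mapping."""

    def __init__(self):
        self.table = {}
        self.alerts = []  # (ip, old_mac, new_mac)

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != OP_REPLY:
            return
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append((ip, old, mac))
        self.table[ip] = mac


def demo():
    """Constructed traffic: a normal request/reply, then a forged reply claiming 10.0.0.2."""
    cache = ArpCache()
    req = build_arp(OP_REQUEST, "00:11:22:33:44:01", "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2")
    rep = build_arp(OP_REPLY, "00:11:22:33:44:02", "10.0.0.2", "00:11:22:33:44:01", "10.0.0.1")
    forged = build_arp(OP_REPLY, "de:ad:be:ef:00:01", "10.0.0.2", "00:11:22:33:44:01", "10.0.0.1")
    for frame in (req, rep, forged):
        cache.observe(frame)
    return cache


if __name__ == "__main__":
    c = demo()
    print("cache:", c.table)
    print("alerts:", c.alerts)
```

The alert is a signal, not proof: a DHCP lease moving to a new machine or a replaced NIC also changes a mapping, so in practice you would compare against a known-good inventory before acting. Actually sending the frames would need a raw socket and administrator rights, which is deliberately left out.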

jes
06-18-2002, 05:10 PM
Actually, it wasn't even that clear. It just said "Opening ARPnet" and then showed a switch on the monitor that slowly came into place. I have posted about that movie in the After Hours club and was told that it was mostly Hollywood BS. Just wondered what you thought.

How do I "stealth" my ports so that it appears that they are all closed?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-18-2002, 05:27 PM
They probably were trying to reference ARPANET which is the old school internet. There aren't many good hacking movies out there. A good book on a hacking attack is The Cuckoo's Egg by Cliff Stoll. It's a true story about a group of hackers using UC Berkeley's computers to hack into the military's networks. It shows how it was done back in the early days of the internet and most of the methods used are still used today. It's not full of as much flash as a movie but then again it's all real. :D

To "stealth" your ports you need to run a firewall that drops packets.
Most firewalls will do this, but the 2 most often used to protect home computers are Zonealarm and Tiny firewall.

jes
06-18-2002, 06:06 PM
I have/use ZoneAlarm. How do I configure it to "drop packets"?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-18-2002, 08:58 PM
You don't need to, it drops packets by design. Anything that you don't allow gets dropped.

jes
06-19-2002, 11:20 AM
I have heard lots of good things about Zone Alarm. You can circumvent most firewall programs (send a file through by just renaming the file) but not other firewalls (except the Symantec one). Does that mean that Zone Alarm is infallible?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-19-2002, 12:26 PM
No, Zonealarm and most "host" based firewalls like it can be defeated from the inside by a program that uses its own TCP stack. Some of the vendors of these firewalls are working to fix that problem.


There are also other ways to defeat Zonealarm because it does not do "bulletproof" packet filtering. However it will protect against anyone trying to connect to your computer and as of yet there are no trojans or other programs that install and use their own protocol stack or exploit any of these flaws.


Anyone with the know-how to defeat Zonealarm will be hacking into computers protected by more robust firewalls anyway. So I wouldn't worry about it :D


Some details can be found here: http://www.securiteam.com/securitynews/6V00E0K3FQ.html

jes
06-19-2002, 12:41 PM
What do you mean by "can be defeated from the inside"? Do you mean that physical access is needed?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-19-2002, 12:56 PM
Any program running on your computer is considered "inside" the firewall.
A remote user trying to connect would be considered "outside" the firewall.


So any program running on your computer that uses its own protocol stack will not be blocked or even noticed by Zonealarm. However there are no such programs as of yet.

jes
06-19-2002, 01:06 PM
How can a program that is already on your computer be a problem, unless it was made by MS. :)

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-19-2002, 01:22 PM
Trojans, Spyware, realplayer.


For me the big reason I run Zonealarm is because it tells me what programs on my computer are trying to connect to the internet. (including Windows :) ) For instance Zonealarm lets me stop Realplayer from connecting to the internet every time my connection is established. I use Zonealarm in conjunction with other "anti-hacking" methods. (anti-virus software, services turned off, IE set to be very restrictive, email and IE programs patched.)

I simply do not want or like any program "talking" behind my back. :D

[This message has been edited by Ghost_Hacker (edited 06-19-2002).]

jes
06-19-2002, 01:41 PM
Isabob told me that IE is very insecure and got me onto Opera. I really like Opera, there are so many more options for everything. He said that hackers usually go after the MS products and there are better security features in Opera such as the text only email and there are better ways to block the cookies that you don't want. This is my favorite feature. I block all cookies except ebay, paypal and pcguide so when I have to login, my username is already filled in. Makes it easier. I'm the only person that uses my computer anyway.
What do you think about IE?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-19-2002, 01:54 PM
It's OK. I use what's called "defense in depth" to secure my computer so one program's "holes" will be covered by one or more settings or security programs. I agree that Opera is a better browser. For instance to get the same functionality that Opera gives you, I would need to install a few 3rd party programs. But Windows as a whole is very insecure by default because Microsoft believes in "turning on" most services/functionality by default. So since I have to secure Windows anyway, I might as well secure IE too.

jes
06-19-2002, 02:03 PM
Never really been clear on this: What is a 3rd party program? Is there 1st and 2nd? What of freeware and shareware? Is that all there is?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-19-2002, 05:03 PM
Any addon program that adds functionality to another program but isn't made by the same company is a 3rd party program.

A 2nd party program is an addon program that's made by a partner of the company who made the orginal program.

And a 1st party program is an addon that is made by the same company.


Most often you will only hear about "3rd" party programs.

[This message has been edited by Ghost_Hacker (edited 06-19-2002).]

jes
06-19-2002, 05:23 PM
Freeware is self explanatory. Shareware is the one that is free to try but you have to pay to keep?

I have read a zillion times that email is not secure and you should never put anything in an email message that you wouldn't put on a poste card. Is that true?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-20-2002, 10:27 AM
Yes, Email is transmitted in plain text. So anyone can read it. Plus email can be left behind on any number of mail relays, you have no way of knowing for sure if a copy of an email you sent last month isn't still out there some where.

jes
06-20-2002, 11:17 AM
anyone can read it
That is what I am wondering about. I have never read anyone's email.

It can be left behind on any number of relays
When I was in University (2 years--no completion), I took one CS class and the prof. told me that when you send an email, it is split up into several pieces and sent on various routes, all of those pieces coalesce (I think that is spelled wrong) and form the email message. That is why you get different results from tracert every time. Not true? Or is that what you mean? Parts of it can be left at relays.

I am going through the Happy Hacker and Uberhacker and asking you what I don't understand. You seem to know all of this. :)

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-20-2002, 11:54 AM
Well, what he's talking about works for all communications on the internet not just email. Internet communications are sent across the wire in packets, these packets don't always follow the same route or arrive in the order that they were sent. (It's up to the destination computer to put the packets back in order before sending the data up to the application that uses it.) However packets have a time to live value that keeps them from "floating" around for very long. The only way packets "last" is if someone sniffs them off the wire and saves them to a file (called a "trace" or "packet capture"... by the way this is how someone would read your email) otherwise they're gone.


But this isn't what I'm talking about. A Mail Transfer Agent (email server at your ISP for instance) will hold a copy of your email till it can hand it off to the next mail server. (a mail exchanger or mail gateway) This "exchanger" in turn also holds a copy of your email till it can hand it off to the destination email server. The destination email server holds a copy till it can hand it off to your email program. All these copies can be deleted after the "hand off" or they could be archived. You would have no way of knowing.


Combined with the dangers of sniffing (we here in the States have all heard of a famous FBI program that does just that), a postcard is far more secure than email. :D

jes
06-20-2002, 12:11 PM
How can a poste card be more secure than email? A poste card holds back nothing.

I'm looking at a section in Uberhacker right now entitled "Arp Spoofing". Would that be the same as the ARP poisoning that you were talking about? I'm not sure because the next section is "MAC address Spoofing".

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-20-2002, 12:57 PM
How can a poste card be more secure than email? A poste card holds back nothing

Your email always goes through the same email server for your ISP account, it always has your return address on it and it is always tracked between relays. Plus computers have no problem sorting through and looking at 100's or 1000's of emails and then storing the good ones for later analyzing.


But a postcard can be dropped off anywhere, sent anywhere, picked up anywhere, addressed to anyone real or not, doesn't have to have a return address, isn't copied or stored and for the most part isn't tracked. Add in that humans do have problems sorting through and looking at 100's or 1000's of letters. Plus the rules, if not laws, that prevent anyone from reading it. (unless you send a letter to a prison).

I'll always say real mail (postcard or not) is always more secure than email.


Im looking at a section in Uberhacker right now entitled "Arp Spoofing". Would that be the same as the ARP poisoning that you were talking about? Im not sure because the next section is "MAC address Spoofing".


Yes, ARP spoofing is used to poison another computer's ARP cache.
MAC spoofing isn't ARP poisoning but it has the same effect. Your computer would be pretending it's some other network device.

jes
06-20-2002, 01:58 PM
so MAC spoofing would be like your poisoning your own ARP cache.
I read through Uberhacker when I got it two years ago. It is subtitled "How to Break into Computers" and I thought "this doesn't really tell you anything." I am realizing, just now, how much it is saying. I find this stuff very interesting. I hope to join the Canadian Navy after my Computer Systems Technology course where I would be administering computers and computer networks.
What is telnet for? I mean, what is it commonly used for? Just the stuff that I have been asking you about?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-20-2002, 03:18 PM
No, not really since your own ARP cache only holds remote computer MAC address to IP mappings. MAC spoofing just changes a NIC's local MAC address. (not all NICs support this feature.) These "attacks" only work locally, so you must already be physically attached to the network you're interested in.


What is telnet for? I mean, what is it commonly used for?


It's most common use is for remote access to a computer's command line. For instance you might use it to connect to a router to make configuration changes. But it can also be used to get service banners, web page's source code and connect to email servers.

jes
06-22-2002, 06:22 PM
I have installed a telnet server on my computer but I'm not sure how to get it working. I would assume that I would have to "add a user" so that I could go to another computer and logon to this one but I can't find a place to do that.

------------------
I’m not trying to do anything malicious…just curious.

jes
06-22-2002, 06:24 PM
Can I email you some screenshots?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-23-2002, 12:07 PM
Sorry, I don't display my email addresses so as to avoid spam. But if you can tell me the name of your telnet server program. I'll be able to find out how to add users.

jes
06-23-2002, 04:06 PM
I have a Hotmail account that is set on exclusive. No email that is from an address that I don't have is allowed through, so I never get spam unless it goes through my custom filters where I allow messages with certain words in the subject line to be filtered into my inbox. For example, I have the word "question" custom filtered so that replies to "question for ebay seller" are not blocked. I think it's a great system.

My telnet server is called SouthWest. (http://download.com.com/3000-2165-914891.html?tag=lst-0-5)
I think that you have to click file and then edit config script and then edit the config script.

------------------
I’m not trying to do anything malicious…just curious.

Matt
06-23-2002, 04:33 PM
Wow, that was a lot of posts on networking PCs and the level of security that is given up. But I have a question about fileshare and WAN.

After visiting the grc.com site and finding that my computer's port 139 (I think that is the right port) was open I immediately read up on ways to close it. I ended up messing with the bindings on my Win98 networking adapters/protocols/services to either close or somewhat mask the open port. I am not sure if I have explained what I did in enough detail, but, how much safer (or harder to hack) is a computer when this method (just messing with the bindings) is used? Does it even keep out the script kiddies?

------------------
Number of fans killed: 6 (4 CPU fans, 1 Vid card fan, and 1 chipset fan)

jes
06-23-2002, 05:46 PM
I have run nbtstat -n 10.0.0.1 (on my p1 computer). I got some information back, I am wondering what it all means.
I got a Yahoo Briefcase and created a public folder. If I have to send you screenshots, i'll just put them there. That way you don't have to show your email address. I have a screenshot of the information in question. (http://us.f1.yahoofs.com/users/99a0ef80/bc/public/nbtstat.bmp?bcUNkF9A53SYY53c)

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-24-2002, 11:05 AM
Southwest isn't a telnet server, it's a telnet talker server which is just a "chat" hosting program. It runs on port 5000 so that's where you would need to connect to. I have to install it to see how to use it but this is not a telnet server (by the way it also has a bug that allows for a DoS attack that would shut down the server).

Here's a example of it's interface:

Room: Hallway

You are in the hallway. The large front door leads out to the
drive whilst
another smaller door leads into the wizards room. A corridor
leads deeper
into the mansion.

Exits are: Drive Wizroom Corridor
Netlinks are: Cyber City

You are all alone here

Access is fixed to PUBLIC and there are 0 messages on the board.
Current topic: Topic has not been set
You say: Hello!

Also your yahoo link doesn't work for me.

Matt, "unbinding" is a good way to secure your computer and is another way to disable a service. Unbinding is often used when you have more than one adapter such as on a proxy server and you do not wish to disable the service but simply disable its use on one network interface. If you have only one network interface then "unbinding" offers another small layer of "defense in depth".

jes
06-24-2002, 11:34 AM
It would be like a BBS server then? Where can I get an actual telnet server?
What happens when you go to my yahoo link?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-24-2002, 11:53 AM
Yes, it's more like a BBS server. Anyway, your link just shows the "can't display page" error.


I can not find any freeware telnet servers however here's a link to a demo of a low cost telnet server for Windows.
http://www.freedownloadscenter.com/Network_and_Internet/Terminals_and_Telnet_Clients/Goodtech_Telnet_Server_for_Windows_95_98.html



[This message has been edited by mjc (edited 06-25-2002).]

jes
06-24-2002, 12:45 PM
Good thing that I can read:


*Please note: If you are a member of the free Yahoo! Briefcase service, public access to your uploaded files will no longer be available.


I can set up an extra page of my website that i can put screenshots on. By the way, my main page is here. (http://www3.sympatico.ca/ajohn) I like to do these "hacks" to my computer. Any suggestions?

------------------
I’m not trying to do anything malicious…just curious.

jes
06-24-2002, 10:03 PM
Why use nbtstat? Yeah, It tells you the MAC address for a computer. So what? Why does a networked computer need an IP address then?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-25-2002, 10:11 AM
...Why does a networked computer need an IP address then?


It has to do with the OSI model which you'll learn more about in school. The OSI model contains 7 layers: Application, presentation, session, transport, network, data link, and physical. Simply put not all network devices or programs work at the same level.


For instance Telnet works at the application layer and cares nothing about how its data stream actually gets to the telnet server. That is the job of some other layer. So the IP address you type in is passed to the network layer which controls network routing and where packets are sent across networks. The network layer takes the IP address and decides how the packet should be sent to the Telnet server. Now remember that there are many types of protocols, not all of them use IP addresses but they might all use the same network. So the network layer can not actually move a packet to the telnet server. That is the job of the NIC which operates at the data link and physical layers. It is these layers which care about how the packet is moved across the wire. (however they care nothing about data streams or telnet) So the NIC card which actually moves frames across the network from one device to another must now convert whatever addressing convention is used by the higher levels into the addressing used at the data link layer. For the NIC to move that packet to the other computer it must know the MAC address of whatever network device the network layer has decided must be used next to route the packet. Then the packet is put into a frame and sent down the wire.


Hope this helps you :)


By the way I can still not access your web pages. Oh well I tried.... :)



[This message has been edited by Ghost_Hacker (edited 06-25-2002).]

jes
06-25-2002, 12:31 PM
OSI layers - All People Seem To Need Data Proccessing

Screenshots here. (http://www3.sk.sympatico.ca/ajohn/screenshots.htm)

What is a network sniffer?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-25-2002, 01:35 PM
You got it. When I was in Novell networking classes I heard another one that had to do with pizza, sure wish I could remember it. :D


A sniffer does just that, it "sniffs" network traffic off the wire. By placing a network card in promiscuous mode it will read all network packets that it is sent. This allows the sniffer to save that traffic to a file or display it in real time. Better sniffers will also do other types of network analyzing based on the traffic they "sniff".

Now the nbtstat output....

The numbers between the < > are the most important and tell you what netbios service or name you're looking at, but you should also pay attention to the "type".

The 00 are computer names. So Jesse is the computers name and Jesnet is the workgroup or domain name.

<20> is file sharing on Jesse.

<1E> is used by the browser on Jesse for communicating with other browsers that are part of the Jesnet group.

<03> are names used for sending messages between computers. So both the computer's name and the users name will show up. Unless you put in the wrong information your full name is Jesse Johnston.
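Reading the <xx> suffixes out of an nbtstat -A name table the way the post above describes, as an added Python example that is not from the thread or from the Microsoft page linked earlier. The sample output is constructed to match the post's explanation (names JESSE, JESNET and the messenger entry for the user), with a made-up MAC address. The summary reports the computer name, the workgroup, whether the <20> file server service is registered (file sharing enabled) and which <03> names are users rather than the machine itself.

```python
import re

# Constructed sample of "nbtstat -A <ip>" output; it is not the screenshot from the thread
# and the MAC address is made up.
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
JESSE          <00>  UNIQUE      Registered
JESNET         <00>  GROUP       Registered
JESSE          <20>  UNIQUE      Registered
JESNET         <1E>  GROUP       Registered
JESSE          <03>  UNIQUE      Registered
JESSE JOHNSTON <03>  UNIQUE      Registered

MAC Address = 00-11-22-33-44-55
"""

# One row of the name table: name, <suffix>, UNIQUE|GROUP, status.
# The name is matched lazily so a name containing spaces still parses.
ROW_RE = re.compile(r"^\s*(.+?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")

# Suffix meanings, limited to the ones the post explains
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "workstation service (computer name)",
    ("00", "GROUP"): "workgroup or domain name",
    ("03", "UNIQUE"): "messenger service (computer or user name)",
    ("20", "UNIQUE"): "file server service (file sharing enabled)",
    ("1E", "GROUP"): "browser service elections",
}


def parse_name_table(text):
    """Return ([row dicts], mac_or_None) from nbtstat -A style output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            rows.append({"name": name.strip(), "suffix": suffix.upper(),
                         "type": kind, "status": status})
    m = MAC_RE.search(text)
    return rows, (m.group(1) if m else None)


def summarize(text):
    """Pull out what the post says matters: computer, workgroup, file sharing, user names."""
    rows, mac = parse_name_table(text)

    def names(suffix, kind):
        return [r["name"] for r in rows if r["suffix"] == suffix and r["type"] == kind]

    computers = names("00", "UNIQUE")
    computer = computers[0] if computers else None
    workgroups = names("00", "GROUP")
    messenger = names("03", "UNIQUE")  # both the machine and any logged-on user register here
    return {
        "computer": computer,
        "workgroup": workgroups[0] if workgroups else None,
        "file_sharing": computer in names("20", "UNIQUE"),
        "users": [n for n in messenger if n != computer],
        "mac": mac,
        "services": sorted({SUFFIX_MEANING.get((r["suffix"], r["type"]),
                                               "other <%s>" % r["suffix"]) for r in rows}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_NBTSTAT).items():
        print("%-13s %s" % (key + ":", value))
```

nbtstat -A only gets an answer if UDP port 137 on the target is reachable; a host behind a firewall that drops packets answers with "Host not found", which is exactly the result the "stealth" advice earlier in the thread aims for.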

jes
06-27-2002, 12:23 PM
So a sniffer (http://www.sniff-em.com/download.shtml) is a piece of software? Good for practical jokes.
Tell me about firewalls. I have been told that a firewall could be a computer, but isn't Zone Alarm(software) a firewall?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-28-2002, 06:49 AM
So a sniffer is a piece of software? Good for practical jokes


hehehe....hmmmmm I guess you could use them for practical jokes.


I have been told that a firewall could be a computer, but isn't Zone Alarm(software) a firewall?


There are software firewalls and hardware firewalls; people will also sometimes split up these groups further. (you'll hear talk of proxies, gateways, network or application level firewalls) But for now these 2 types are enough. A software firewall is installed on a network device but a hardware firewall is embedded in a network device's hardware. ZoneAlarm is a host based software firewall, which protects only the computer it's running on.


Firewalls offer 2 main types of protection packet filtering and stateful inspection.

Packet filtering is when a firewall filters each packet that crosses its interfaces and compares that packet to its packet/protocol rules. Those rules might deny a packet based on IP address, port number or protocol type.

Stateful inspection opens each packet and keeps track of already established connections. It inspects incoming packets to see if they are part of an already established link. If not they may be denied.(The free version of Zonealarm does Stateful inspection as it keeps track of connections.)

Some Firewall manufactures will combine these types of protection into one product.

jes
06-28-2002, 11:12 AM
If you have a firewall, do you still need an intrusion detection system?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-28-2002, 02:59 PM
I would recommend using one. You should never rely on just one security measure. Of course you must balance this against what you are trying to protect.

jes
06-28-2002, 07:25 PM
What is a "listen" port? I mentioned several ports that my portscan on my computer came up with and you said that they were listen ports.

How do you tell the difference between ABC and D (address class) IP addresses?

------------------
I’m not trying to do anything malicious…just curious.

Ghost_Hacker
06-29-2002, 10:04 AM
"listen" ports are ports that are open and will accept connections.


Ok now to understand "classful" addressing you must first know that all ip numbers are 32 bit binary numbers so 129.128.128.130 really looks like this:


10000001.10000000.10000000.10000010

Now take a look at the first "set" of eight bits that's in bold. This is where you can tell what class an address belongs to.


Class A will always have the first digit as a 0.
Class B will always have the first 2 digits as 10.
Class C will always have the first 3 digits as 110.
Class D will always have the first digits as 1110.


So the example given is a class B network. I leave it to you to translate these binary ranges to decimal ones.

Also note that a network class is not the same thing as a subnet class. Classful subnetting though helpful to learn is not used anymore. Instead classless subnetting is now used on the Internet and the classless notation for subnets is now used everywhere.
For example you might see something like 128.128.128.130/25, where "25" represents the number of "bits" the subnet uses.

mjc
06-29-2002, 11:39 AM
OK, guys I couldn't resist....jes, you now have 100 posts in this topic! :D

------------------
mjc
Computer Links (http://www.dreamwater.org/tech/mjc/index.htm)

Celts are the men that heaven made mad, For all their battles are merry and their songs are all sad.


Please Post Questions in the forums, not my email. Thanks

jes
06-29-2002, 12:54 PM
Is there a limit to the # of posts?

------------------
I’m not trying to do anything malicious…just curious.

mjc
07-01-2002, 12:02 AM
No, you have just set the record for holding the longest continuous topic.....most of the other really long ones are broken up into several pieces.

jes
07-01-2002, 03:57 AM
I really like the new modifications to the forums. Especially the way that the long threads (such as this one) are split up as it allows for faster downloading for my (sigh) dial up modem.

jes
07-01-2002, 12:44 PM
I think that you just touched on my next question: what is a subnet?

So, a listen port can be telneted into but you can't do anything from there?

Ghost_Hacker
07-01-2002, 01:20 PM
So, a listen port can be telneted into but you can't do anything from there?

It depends on what's listening. Is it a web server, a telnet server, a SSH server, etc.? Most scanning tools will tell you what service is listening on a given port. From that you can tell what you can do next.



what is a subnet?

Subnets are a "partitioning" of an IP address block. It's just part of the process of designing an IP network and allows you to divide your network up into smaller networks.

jes
07-01-2002, 02:14 PM
What is a netmask? Well, I know what it is, but what does it do? Why do you need it?

And what is that picture under your name? It's hard to see but I think it is a staircase, or maybe a roach.:)

Ghost_Hacker
07-01-2002, 02:45 PM
And what is that picture under your name? It's hard to see but I think it is a staircase, or maybe a roach.


A roach!!!! :D :D :D It's a ghost descending a staircase. The real image is much bigger but I had to shrink it down to 150x150, so it loses a bit of detail. hmmmmmm...The image I really want I'll probably have to build in Photoshop.





What is a netmask


A netmask is a "mask" that a network device uses to separate the network address from the host address in an IP addy. Remember that IP addresses are 32 bit numbers. So 129.128.128.130/26 is really 10000001.10000000.10000000.10000010.


Now the "26" is the netmask 255.255.255.192 which is the 32 bit number 11111111.11111111.11111111.11000000. Now if you place the IP address and the netmask together like this:



10000001.10000000.10000000.10000010
11111111.11111111.11111111.11000000



You'll notice that the ones of the netmask show us the network address, which in this case is 10000001.10000000.10000000.10 and the zeros show us the host address, which is 000010. With this information a network device knows if another device is on the same network segment as it is, so that it can send out a broadcast on that segment for the other device's MAC address, or else send the packets to its default gateway to be routed to another network.

jes
07-01-2002, 07:13 PM
It looks like a roach with a spotlight on it (because a roach has the segmented abdomen):)
Anyway... The netmask deal. Yikes! Can you dumb that down for me?
Hey, it's a work-day down in Yankeville, isn't it?:)
It's Canada Day here!

Ghost_Hacker
07-01-2002, 09:29 PM
hmmmmm..... OK take the IP 129.128.128.130/26 the "26" tells you how many bits of the IP address make up the network address. Now you must convert both the IP address and the netmask into 32 bit numbers. (take each octet and one at a time convert them to binary. For the computer's IP address use the Windows calculator set to "scientific", type in the "dec" number then click "bin" to convert. For the netmask simply type out 26 "ones" in groups of 8)



10000001.1000000.10000000.10000010 ip address
11111111.1111111.11111111.11000000 netmask



The netmask will "mask" out the network address portion of the computer's ip address. What it doesn't mask out is the host address.


Now the reason a computer does this has to do with ARP. ARP is a broadcast method of finding a remote computer's MAC address. However ARP doesn't work across networks. So the computer must first compare the remote computer's IP address against its netmask to see if the network address matches its own. If it does then it can use ARP, if it doesn't then the computer will send the "data stream" off to its default gateway. The default gateway (a router in most cases) will then route the packet off to its final destination.


So any remote computer whose IP is between 129.128.128.129 and 129.128.128.190 will be on the same network segment as our example computer.



edit Hey, it's a work-day down in Yankeville, isn't it?


Yeap, just another day at the grind :D
Canada day is that like our 4th of July?
Anyway Happy Canada Day :)
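The netmask arithmetic from the two posts above, worked in Python as an added example (not code from the thread): every octet is written out with all eight bits, the /26 mask is ANDed against the address to split network bits from host bits, and a small `next_hop` function makes the same "ARP on this segment or hand it to the default gateway" decision Ghost_Hacker describes. The addresses and prefix are the thread's own 129.128.128.130/26 example.

```python
# Added example (not from the thread): Ghost_Hacker's netmask arithmetic for
# 129.128.128.130/26 done with 32-bit integers, plus the "same segment? then
# ARP, otherwise default gateway" decision he describes.

def ip_to_int(addr: str) -> int:
    """'129.128.128.130' -> 32-bit integer (big-endian octets)."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_bits(n: int) -> str:
    """Dotted binary with every octet written out as all 8 bits."""
    return ".".join(f"{(n >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/26 -> 26 ones followed by 6 zeros, i.e. 255.255.255.192."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def describe(cidr: str) -> dict:
    """Split address/prefix into netmask, network, host bits and host range."""
    addr, prefix = cidr.split("/")
    ip, mask = ip_to_int(addr), prefix_to_mask(int(prefix))
    network = ip & mask                 # ones of the mask keep the network bits
    host = ip & (~mask & 0xFFFFFFFF)    # zeros of the mask keep the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)
    return {
        "netmask": int_to_ip(mask),
        "network": int_to_ip(network),
        "host_bits": format(host, f"0{32 - int(prefix)}b"),
        "first_host": int_to_ip(network + 1),   # .129 in the thread's example
        "last_host": int_to_ip(broadcast - 1),  # .190 in the thread's example
        "broadcast": int_to_ip(broadcast),
    }

def next_hop(local_cidr: str, remote_ip: str) -> str:
    """Compare the remote IP against our own mask: ARP on-segment, else gateway."""
    addr, prefix = local_cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    same_segment = ip_to_int(addr) & mask == ip_to_int(remote_ip) & mask
    return "arp" if same_segment else "default-gateway"

if __name__ == "__main__":
    print(to_bits(ip_to_int("129.128.128.130")), "ip address")
    print(to_bits(prefix_to_mask(26)), "netmask")
    print(describe("129.128.128.130/26"))
```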

jes
07-01-2002, 10:58 PM
Ok. Gotcha.

Canada day isn't really like the 4th of July. I think the 4th of July was Washington's birthday or something.

By the way, like the picture. It is a lot clearer. Doesn't look like a roach n' stuff.:)

jes
07-01-2002, 10:59 PM
What is session hijacking?

Ghost_Hacker
07-02-2002, 12:12 PM
Session hijacking is when a computer sends IP packets with a spoofed IP address. The goal being to issue commands on a remote computer and have that computer believe the commands originated from an already logged in host/user.

You would need to watch the communications between the remote server and the other "trusted" host first because you can't hijack the session till after the "trusted" host has logged in. (this also means you must be on the same network as either the remote server or the trusted host.)
To hijack you would then need to either force the trusted host to close its connection to the remote server and then take over where it left off, or "inject" your phoney packets into the communications between the two. This second method is the hardest because you must keep track of sequence numbers for both ends of the connection vs only one end with the first method. (sequence numbers are how tcp packets are tracked and they must be correct or the connection will fail.)




Session hijacking is only run against non-encrypted connections and only used long enough to enable an attacker to set up some other method of entry.

sea69
07-03-2002, 01:47 AM
july 4th is Independence day, the day the united states of america came into existence by declaring us Independent from Great Britain, before that- we were known as "The Colonies".

just wanted to clear that up-

interesting thread.. of course I love watching GH get to it!


;)

jes
07-03-2002, 02:52 PM
I knew that July 4th was Independence day. I just forgot. It was the day that Bill Pullman told the world to fight back against the e.t.s.:)

So session hijacking is just pretending that you are part of a network?

Ghost_Hacker
07-03-2002, 03:46 PM
You would be pretending to be part of a trust relationship. So if computer A trusts computer B and computer B has logged in, you would "take over" computer B's connection and pretend to be him.

mjc
07-03-2002, 04:13 PM
And it has the potential for ending up something like this:

I take over this thread by pretending to be G_H and we all end up very confused!! :D

I am continually amazed at how much I am learning from this thread.

Jes, you sure know how to pick the topics.

G_H, can I mind meld sometime, if not just keep up what you have been doing...it will all eventually sink in anyway!

jes
07-03-2002, 04:33 PM
What is it with these pictures? Is that a lizard-eagle?:)

What is a vax computer? Is vax just another os?
What is a trust computer?

Ghost_Hacker
07-03-2002, 09:55 PM
What is a trust computer?


Unix authentication can be done based on a host name or IP addresses. The computer which matches either the host name or IP is sometimes called a "trusted" computer. (note that this is not the same as a "trusted computer system" )



What is a vax computer?


heheheheh...Too bad my pops can't answer that one. He knows all about "vaxs" and the history behind them. (in fact I have one of his old books on the PDP-8/I the granddad of "VAX".) Anyway VAX was an OS (really a computer architecture) put out by Digital Equipment Corp, or DEC for short, which is now part of Compaq. The "gods" of VAX never thought PCs would displace them. :) but in the end a PC maker bought their company.


What is it with these pictures? Is that a lizard-eagle


OK confess you just like making fun of our avatars huh??? :D :D :D

jes
07-05-2002, 01:03 AM
Of course I like making fun of them.:)

So a vax computer was kind of an all in one system, like the mac., but they are no longer made?

Ghost_Hacker
07-05-2002, 07:19 AM
No, the VAX was not an all in one system. (the closest they came was probably the VAX 2100 or 2000??)


This is what a VAX System looks like (the picture is of a VAX 6000)


http://www.stmarks.pp.catholic.edu.au/icon/stmarks/thevax.jpg



The VAXs are still sold but aren't being made anymore. Compaq phased them out in favor of alpha systems.

jes
07-05-2002, 11:14 AM
So the vax systems were all mini computers?

What is an alpha computer? A mini computer as well?

Whyzman
07-05-2002, 01:03 PM
G_H,

The Vax 6000 looks a bit heavy to tote into the repair shop! :rolleyes: :D

Ghost_Hacker
07-05-2002, 06:27 PM
Yes, the VAX was a minicomputer, but during the '80s there was the MacroVAX (http://anacin.nsc.vcu.edu/~jim/mvax/mvaxpic.html) which was a "workstation" class computer for its time.


The Alpha is a 64 bit processor which is used in some servers and workstations. The VAX is a 32 bit architecture which is one reason they were phased out of production. But they're still in use around the world and Compaq will support them for a few more years at least.

jes
07-07-2002, 01:12 AM
If the internet is just a big network, then why don't thousands of computers show up in my network neighborhood in windows?

Ghost_Hacker
07-07-2002, 12:09 PM
Because the Internet is not one big network. It is many "sub-networks" connected together.

Netbios name broadcasts, on most networks, are not transmitted outside their own subnets (IE: routers won't forward them) and many ISPs will block Netbios broadcast traffic altogether.

jes
07-07-2002, 02:59 PM
So, my subnet would be anyone on my ISP? Why don't those people appear on my network neighborhood?

Ghost_Hacker
07-08-2002, 11:33 AM
My last post already mentions two reasons why you might not see anything in net 'hood, but the thing to remember is that ISP networks are not like LANs. (ISP connections don't behave like Ethernet "LAN" connections because they aren't. :) )


Go here for a free Sniffer (http://www.ethereal.com/) and take a look at your traffic. You'll then have a better idea of the type of traffic that is coming across your Internet connection.

jes
07-11-2002, 02:03 PM
Well, I am running out of questions, for now. You have alleviated many of my curiosities. Thank you for answering my questions.

Ghost_Hacker
07-11-2002, 02:07 PM
No problem :)