Which port to hack?

No explicit questions like "how do I hack xxx.com" please!
User avatar
Lyecdevf
cyber Idi Amin
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
18
Location: In between life and death.
Contact:

Which port to hack?

Post by Lyecdevf »

I have been playing around a bit with a port scanner. I understand that one can not hack via #21 or #80 TCP ports. However, I have noticed that usually port #110 and #25 are open if not any other like #35.

So through what port is it possible to hack? WHat program is there for one to use?

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
18
Location: Michigan USA
Contact:

port scan and hacks

Post by DNR »

Remember that 'hack' is a broadly defined term.

Ports are open depending on what the computer is set up for, for example a mail server may not have port 80 open, but it will have port 25 (SMTP) open. A web server will certainly have port 80 (HTTP) open, but a smart sysadmin will turn off the other ports.

Different ports have different hacks:
http://c0vertl.tripod.com/ref/portref.html

You can use telnet to communicate with ports 21 and 25. There are other software that can assist you. Use a port reference or port scan reply to figure out what software is running the port and what its exploits are.

read more here :
http://c0vertl.tripod.com/dntext.htm

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

User avatar
Lyecdevf
cyber Idi Amin
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
18
Location: In between life and death.
Contact:

Post by Lyecdevf »

Thanks! I have downloaded telnet.

I am going to look through all of that. I know of a lot of interesting sites but not this one.

User avatar
Nerdz
The Architect
The Architect
Posts: 1127
Joined: 15 Jun 2005, 16:00
18
Location: #db_error in: select usr.location from sucko_member where usr.id=63;
Contact:

Post by Nerdz »

Lyecdevf wrote:Thanks! I have downloaded telnet.
You don't really need to download it... simply do: Start ->Run-> cmd->telnet


If you want to dl a good client try putty, it Raw mode is good
Give a man a fish, you feed him for one day.
Learn a man to fish, you feed him for life.

User avatar
Lyecdevf
cyber Idi Amin
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
18
Location: In between life and death.
Contact:

Post by Lyecdevf »

I meant putty. I downloaded putty.

I connceted to a webserver. A black box appeared that demanded login info. From there on I do not know what to do.

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
18
Location: Michigan USA
Contact:

fingerprinting

Post by DNR »

port scanning is only a part of the process called Fingerprinting. What you should be doing is scanning that IP subnet to determine the size of the network you are 'intruding' on. You will also analyze the machines you locate based on ports open, services running, NOS/OS versions. You cannot begin to search for an 'exploit' until you find the machine that holds the prize, like a db server, the webserver or sysadmin console. Trying to hack a webserver maybe useless when the personal nfo you are after is stored on another server. Exploits are specific to types of machines, software, and its version. You can't use a hack on IIs version 2.4 that only works on the unpatched 2.3 version. A cisco hack aint going to work on a brick router.

Harmless hacking is port scanning and scanning subnet IP ranges to identify all the machines in the network. You read the banners and ports to determine the machine's use. When you encounter a password required login, thats usually best to stop there. Trying to crack the system or otherwise DoS it will piss off the sysadmin and perhaps get lawyers sicc'ed on you.

more later?
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

User avatar
Lyecdevf
cyber Idi Amin
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
18
Location: In between life and death.
Contact:

Post by Lyecdevf »

Hey, thanks DNR for that insightfull post. I am very much concerned where does the breach of legality occure. I guess if you are just scaning for ports and/or conecting to the webserver with out any thing else is completlly legal.

That is what I have been doing so far and I doubt really that I would go any further than that. I realize that the biger the company the harder and more dangerous it is to hack into. So I have been scaning small bookstores and the likes.

I do not know how to scan the IP subnet. I am using Nscan from Necrosoft.

I also did not understand what you meant by:

"You can't use a hack on IIs version 2.4 that only works on the unpatched 2.3 version. A cisco hack aint going to work on a brick router."

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
18
Location: Michigan USA
Contact:

fingerprint 2

Post by DNR »

get the IP of your target,
do a whois on the IP to find out who owns the network and it will also tell you what IP range is assigned to that company usually like 198.78.38.255
198.78.38 of the IP range is fixed, but they can have 198.78.38.0 to 198.78.38.255. So thats the range you want to scan for their network devices, you'll find routers, servers, printers, and desktop machines.

Port scanning can be a challenge, you'll find some cute sysadmin that will name their servers, or some that are smart and have ports closed or hide port daemon banners so you'll have to guess what OS and version is running. I have scanned military networks and others, the only problem I had was running HTTP script to check for vulnerabilities open on the Bank of Jamaica network lol. Use Proxies on sensitive networks, or just dont do them from home.

You basically want to be good at mapping out a network (fingerprinting). I save some SMTP servers that allow spoofing email off their port 25 (hard to find these days due to spammers using them)

Go overseas to try cracking servers to stay off the Fed lists. Korea lately has paxcomm routers handling their internet that are still using default admin logins (let me know if ya find one..)

More l8t3r

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
18
Location: Michigan USA
Contact:

fingerprinting, part three

Post by DNR »

You want to keep a list of websites that keep upto date vulnerabilities and exploits, my favorite is packetstorm. But research other sites like antionline, the antivirus sites, and even good old microsoft tech site.

I am good at microsoft product hacking, but I can work a AS400, Novell, and some nix server OS. You'll have to pick an area to start, you either want to be good at cracking nix or MS.

I use Sam spade, GFI, Nmap, and some times just plain old telnet to grep banners off port 21 and 25. Read about the daemons that control those ports so you know what to do at the prompts.

I like to spoof email off port 25, but many sysadmins restrict it to users that belong to that network.

To use your telnet program:

Click on START, and Select RUN...

Type TELNET in the dialog box and press Enter

The TELNET program starts....

At the top, Select TERMINAL, a menu opens....

Choose PREFERENCES, a dialog box opens, you see Terminal Options, Emulation, etc

Make sure there is a Check Mark in the box for ENABLE LOCAL ECHO, buffer should be 25, and Emulation should be VT-100/ANSI

Click on the OK button, the dialog box closes..

At the top, Select CONNECT, a menu drops down, Select REMOTE SYSTEM, a dialog box opens...

You see a box with HOST NAME, PORT, TERMTYPE...

In the HOST NAME, you can enter any web server that allows Mail Relay,* (www.whateverworks.com) you can use IP number

>>> In the PORT, clear the box, and enter the numbers 25, <<<<<
Default is port 21 FTP.

The TERMTYPE should be VT100...

Click on the button CONNECT


OK! If you Connected to a Server , you should see something like :

220 gnr.u2me3.com ESMTP Sendmail 8.9.3/8.9.3; Mon, 31 Jan 2000 01:45:38 -0500

>>gnr.u2me3.com is the server you connected to, ESMTP Sendmail is the >>daemon Mail program..8.9.3 is the version of the software. Search for >>exploits like "ESMTP Sendmail 8.9.3"



TYPE IN THE LINES AS SHOWN, except use what ever you like as the fake sender, and who you want to send the mail to. I used President/Whitehouse.gov and my E-mail address for this example..


MAIL FROM: President@whitehouse.gov, hit enter

you might see :

250 President@Whitehouse.gov... Sender ok

RCPT TO: C0VERTl@Excite.com, hit enter

you might see:

250 C0VERTl@excite.com... Recipient ok

>>> If you make it this far, this usually means you got in!!!<<<

type DATA, hit enter

you might see:

354 Enter mail, end with "." on a line by itself

>>> Some will not say anything...<<<

TYPE IN YOUR MESSAGE, its ok to hit enter for the next line

I wrote:

I want to appoint you to be the Supreme Being of the Internet, I will Pay you
$2,000,000,000.00 a Year, plus all the free internet time you want
please reply to this offer soon
President GW Pussy



When Finished, put a "." period on a line by itself, hit enter..

you might see:

250 BAA07042 Message accepted for delivery



Exit from the Telnet program, or to send another mail, start at the top again.

>>>Note, avoid errors because you cannot use back space to go back and type over. Also, some servers may not show you the greeting, or the stuff ' you might see ' above.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

User avatar
Lyecdevf
cyber Idi Amin
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
18
Location: In between life and death.
Contact:

Post by Lyecdevf »

Thanks again! One thing that I think that I need to mention is that you probablly think that I am from America and that I am going to target big Government and millitary facilities.

Well first of all I am from a central European country called Slovenia. I hope it is not going to hurt me some time in the future of telling you that. I am not 16 year old looking to hack into Pentagon but a 25 year old trying to learn more about the places that I go to. For instance I have been scaning a local movie theater in order to try and learn more about it's computer networks and stuff. THat is what is exciting to me because in a way you can go where they wont allow a visitor to go to.

I am going to look into this and I am going to tell you what I found out. I have been using putty but I will try telnet now.

User avatar
bad_brain
Site Owner
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
18
Location: In your eye floaters.
Contact:

Post by bad_brain »

very good posts DNR... :)
just one comment:
what IP range is assigned to that company usually like 198.78.38.255
198.78.38 of the IP range is fixed, but they can have 198.78.38.0 to 198.78.38.255
what part of the adress is the fixed network ID depends on the the IP class.
the "xxx" displays the host adress-part for the computers in the network:
Class A: -127.xxx.xxx.xxx //24 bit for the network adresses
Class B: 128-191.yyy.xxx.xxx //16 bit for the network adress
Class C: 192-223.yyy.yyy.xxx //8 bit for the network adress
in a personal network the part which displays the network-adresses can be set by using the submask: 255.255.255.0 for example means only 8 bit is the adress range within the network (16bit for 255.255.0.0 and so on).
the submask divides the IP into the network adress-part and the part which identifies the hosts within this network, for example:
192.222.222.101 /255.255.255.0 means 192.222.222 is the network adress and 101 is the ID of the host,
192.222.222.101 /255.255.0.0 means 192.222 is the network adress and 222.101 is the host ID.

in any kind of network the 255 for the last 8 bit (192.224.244.255 for example) is not the adress of a specific host, it´s the so-called broadcast adress, when you send a request to 192.222.222.255 it will not contact a specific host, it will send the request to all hosts in the network.

:wink:

User avatar
Lyecdevf
cyber Idi Amin
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
18
Location: In between life and death.
Contact:

Post by Lyecdevf »

Thanks for that in detali post about IP adresses. I had no idea. Is there a site with all of this sort of information because I would love to look at it.

I would probablly want to get good at hacking MS since I use it and do not know much about Linux. However, before I get there does any one know any free resource where I could learn to use Ethereal and Sam Spade?

User avatar
FrankB
Ph. D. in Sucko'logics
Ph. D. in Sucko'logics
Posts: 315
Joined: 06 Mar 2006, 17:00
18
Location: Belgistahn
Contact:

Post by FrankB »

Hello,
1) IP stuff :
http://en.wikipedia.org/wiki/IPv6
http://en.wikipedia.org/wiki/IPv4

2) www.samspade.org , geektools.com

3) goOgle : "search lores" , that will occupy you a couple of years in reading :-)

HTH!
--
FrankB
the n00b of that other n00b.

User avatar
bad_brain
Site Owner
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
18
Location: In your eye floaters.
Contact:

Post by bad_brain »

check also "TCP/IP Illustrated" in downloads>textfiles>networking, it´s a very good ressource (for beginners too).... :wink:

User avatar
Lyecdevf
cyber Idi Amin
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
18
Location: In between life and death.
Contact:

Post by Lyecdevf »

The wikipedia links really did clarify a lot for me. I am not so sure about the lores. I am not so sure if that was not meant as a joke.

I have been playing around a little bit with whois and I would like to understand better how to "read" my results. Well, maybe a bit later with that.

Post Reply