HOw to use a worm?

No explicit questions like "how do I hack xxx.com" please!
Post Reply
User avatar
Lyecdevf
cyber Idi Amin
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
18
Location: In between life and death.
Contact:

HOw to use a worm?

Post by Lyecdevf »

Is it possible to slip in a worm through an open port? I am not really sure how these worms and troyans work because every time I try to download one my anti-virus program allerts me of a possible malware. Since I am downloading a malware in fact does the anti-virus recognize it as a threat or is it that some of these downloads are laced with rootkits, and other malware them selves!?

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
18
Location: Michigan USA
Contact:

quick primer - virii, trojans, and worms

Post by DNR »

I cut this from my notes:

The stupf that you are talking about is malware to me, here are some examles:

Logic Bombs

Just like a real bomb, a logic bomb will lie dormant until triggered by some event. The trigger can be a specific date, the number of times executed, a random number, or even a specific event such as deletion of an employee's payroll record. When the logic bomb is triggered it will usually do something unpleasant. This can range from changing a random byte of data somewhere on your disk to making the entire disk unreadable. The changing of random data on disk may be the most insidious attack since it would do a lot of damage before it would be detected.

Trojans

These are named after the Trojan horse which delivered soldiers into the city of Troy. Likewise, a trojan program is a delivery vehicle for some destructive code (such as a logic bomb or a virus) onto a computer. The trojan program appears to be a useful program, but when a certain event occurs, it will attack your PC in some way.

Worms

A worm is a self-reproducing program which does not infect other programs as a virus will, but instead creates copies of itself, which create even more copies. These are usually seen on networks and on multi-processing operating systems, where the worm will create copies of itself which are also executed. Each new copy will create more copies quickly clogging the system. The so called Morris ARPANET/INTERNET "virus" was actually a worm. It created copies of itself through the ARPA network, eventually bringing the network to its knees. It did not infect other programs as a virus would, but simply kept creating copies of itself which would then execute and try to spread to other machines.

Virii:

A virus is a program which reproduces its own code by attaching itself to other programs in such a way that the virus code is executed when the infected program is executed. The difference between a worm and virii is the virii depends on a infected program to be excuted. When you send a virii infected MS Word document via email, the MS Word document is the actual replication method of the virii.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

User avatar
Lyecdevf
cyber Idi Amin
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
18
Location: In between life and death.
Contact:

Post by Lyecdevf »

Thanks for that. All thought I was aware of most of these threat I have not heard of a logical bomb yet. I have heared about some nukePhP bomb and some stuff like that but I am still not sure exactlly what it does.

Actually I was wondering about how to slip a troyan through an open port and if that is possible, if that is legal or illegal and where to get a download that is safe? My anti-virus always allerts me when I try to download a troyan for my use.

User avatar
bad_brain
Site Owner
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
18
Location: In your eye floaters.
Contact:

Post by bad_brain »

well, an open port only means that there is a service available behind the port. right now you are connected to port 80 of the server which enables you to view this site because port 80 is used by http-servers.
you can´t install a trojan trough an open port, all you can do is to find out if the service which uses the port is vulnerable in some way. of course you would have to identify the service first, superscan4 offers basic fingerprinting for beginners, for more advanced scans nmap is the best choice, you can find both in the networking downloads.
and of course your virus scanner picks up trojan files, because the files contain the server-part too (which is the actual "trojan"), the client-part which is used by the attacker to connect to the infected box is also picked up by most scanners as "hacktool".
I would recommend to get away from the trojans and get more into the scanning, because you can learn much about networking when you have the will to spend some time and read a little... :wink:

p.s. you can find a very good&complete portlist named Port Reference in the downloads>textfiles>misc.

User avatar
Lyecdevf
cyber Idi Amin
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
18
Location: In between life and death.
Contact:

Post by Lyecdevf »

I thought that there was an easy way to set a keyloger on the target via an open port. I guess it is not so easy.

I have read a little bit about Ethernet and how you can with one of these programs for scaning do some thing. I do not know.

There is so much that you can read on the subject. I have the port scanners, the webserver vulnerabilitie detection programs. That is not the problem for me really. I can find the sniffers, port scanner or what ever and download them. I have also scaned a lot of targets and I found many vulnerabilities.

This is where I am lost now. What do you do when you find a vulnerabilitie? Wether that is an old appache version or some thing else. How do you seet a proxy in your putty? Thousands of questions.

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
18
Location: Michigan USA
Contact:

become proficent one thing at a time

Post by DNR »

Hacking also means having a certain level of skill. Some of the things you say you have already learned should be practised over and over again. The difference between a skipt kiddie and a hacker, is the other can explain the chain of events, cause, and effect.

I have a slight disagreement with B_B, I think you should study trojans and virii, this will help you understand how to protect yourself.
Your ethics will color your hat...

B_B is correct, you need to understand the ports that are open have a daemon running. You can upload certain files on certain ports, if you had admin rights to it, or an exploit that allows uploading and execution of programs (exploiting the daemon running the port).
The upload process and execution of a trojan depends on what trojan you are using..

You mention a keylogger, several ways an attacker will try to install a keylogger on your box:

1. send you a trojan via email, perhaps disguised as a active script picture, game, or even malicious weblink. (thats why its called a 'trojan')

2.You have physical access to the target computer, i.e. upload via cd-rom, floppy, or download from the internet.

You will _never_ know everything related to hacking. Hacking is OS/NOS specific, the MS group hangs out together, but they'll have a few friends that belong to the NIX/NUX group.

Hacking is a personality/character trait, you learn to disassemble everything in your life, and recode it to be better, stronger, and more defensible..

Boo-yah!

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

User avatar
Lyecdevf
cyber Idi Amin
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
18
Location: In between life and death.
Contact:

Post by Lyecdevf »

I liked your reply. It was very insightfull.

I would love to scan more targets. I am looking for potentially very vulenrable targets. I am not looking for a chalange. You said that Korea has vulnerable routers. Where else in the world do you think I could find other possible exploits. I was looking towards Africa. I figure if they are poor they do not have enough money to protect their computers with a lot of sophistication.

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
18
Location: Michigan USA
Contact:

how to find computers in other countries

Post by DNR »

Here is a link to URL that other countries use:

http://c0vertl.tripod.com/ref/weburldef.htm

Example:
MN Mongolia
MS Montserrat
MA Morocco
MZ Mozambique
MM Myanmar

NA Namibia
NR Nauru
NP Nepal
NL Netherlands
AN Netherlands Antilles
NC New Caledonia
NZ New Zealand

i.e. www.theregister.co.uk

Search for co.NA came up with:
http://www.omadhina.co.na/
http://www.ondis.co.na/
<in english too!>

Get copernic search agent to help you out.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
18
Location: Michigan USA
Contact:

probably belongs under topic "Fingerprinting IPs"

Post by DNR »

How to fingerprint deja vu:

here is a partial tut on how to get started...

http://www.ondis.co.na/

You searched and found a internet company in nambia..

<<< a new internet company, hmm I bet they have a couple servers,http, pop, SMTP, DB???>>>>

04/03/06 11:11:25 dns http://www.ondis.co.na/
Canonical name: warlock.ondis.co.na
Aliases:
www.ondis.co.na
Addresses:
196.44.137.135

You contact the regions internet registration company (ARIN,APNIC, RIPE)
to find the block of IP assigned..

Trying 196.44.137 at ARIN

OrgName: African Network Information Center
OrgID: AFRINIC
Address: 03B3 - 3rd Floor - Ebene Cyber Tower
Address: Cyber City
Address: Ebene
Address: Mauritius
City: Ebene
StateProv: Gauteng
PostalCode: 0001
Country: MU

>>>>NetRange: 196.44.128.0 - 196.44.207.255<<< Important part n00b <<<
CIDR: 196.44.128.0/18, 196.44.192.0/20
NetName: AFRINIC-196-44-128-0
NetHandle: NET-196-44-128-0-1
Parent: NET-196-0-0-0-0
NetType: Transferred to AfriNIC
Comment: This IP address range is under AFRINIC responsibility.
Comment: Please see http://www.afrinic.net/ for further details,
Comment: or check the WHOIS server located at whois.afrinic.net.
RegDate: 2005-02-21
Updated: 2005-02-21

OrgAbuseHandle: GENER11-ARIN
OrgAbuseName: Generic POC
OrgAbusePhone: +230 4666616
OrgAbuseEmail: abusepoc@afrinic.net

OrgTechHandle: GENER11-ARIN
OrgTechName: Generic POC
OrgTechPhone: +230 4666616
OrgTechEmail: abusepoc@afrinic.net

Note tech phone # gives you a wardialing tip too

NetRange: 196.44.128.0 - 196.44.207.255 if you missed it above, the NETRANGE is what you

need to start a IP/Port scan

You begin with your favorite tool..

ping .. Received packet from 196.44.128.1 Time : 517
ping .. Received packet from 196.44.128.1 Time : 482
ping .. Received packet from 196.44.128.2 Time : 482
ping .. Received packet from 196.44.128.2 Time : 492
ping .. Received packet from 196.44.128.6 Time : 523
ping .. Received packet from 196.44.128.7 Time : 518
ping .. Received packet from 196.44.128.7 Time : 507
ping .. Received packet from 196.44.128.8 Time : 523
ping .. Received packet from 196.44.128.8 Time : 487
ping .. Received packet from 196.44.128.10 Time : 517
ping .. Received packet from 196.44.128.10 Time : 502
ping .. Received packet from 196.44.128.11 Time : 493
ping .. Received packet from 196.44.128.11 Time : 485
ping .. Received packet from 196.44.128.12 Time : 489
ping .. Received packet from 196.44.128.12 Time : 489
ping .. Received packet from 196.44.128.13 Time : 484
ping .. Received packet from 196.44.128.13 Time : 482
ping .. Received packet from 196.44.128.14 Time : 1245
ping .. Received packet from 196.44.128.16 Time : 480
ping .. Received packet from 196.44.128.26 Time : 1264
ping .. Received packet from 196.44.128.27 Time : 531
ping .. Received packet from 196.44.128.28 Time : 498
ping .. Received packet from 196.44.128.29 Time : 587
ping .. Received packet from 196.44.128.29 Time : 650
ping .. Received packet from 196.44.128.30 Time : 916
ping .. Received packet from 196.44.128.31 Time : 608
ping .. Error: Request timed out
ping 196.44.128.35 ...
ping .. Error: Request timed out
ping .. Error: Request timed out
ping 196.44.128.36 ...
ping ..

waiting patiently... Not! < I have no patience >

ping .. Received packet from 196.44.128.40 Time : 508
ping .. Received packet from 196.44.128.40 Time : 497
ping .. Received packet from 196.44.128.42 Time : 625
ping .. Received packet from 196.44.128.42 Time : 887
ping .. Received packet from 196.44.128.43 Time : 501
ping .. Received packet from 196.44.128.43 Time : 690
ping .. Received packet from 196.44.128.44 Time : 543
ping .. Received packet from 196.44.128.44 Time : 521
ping .. Received packet from 196.44.128.47 Time : 547

Blah, so we'll check a few of these IPs, break out your other favorite tool..

I'll pick 196.44.128.1
Address : 196.44.128.1
Name : Earthstation-rt1.ipb.na (.NA | Namibia)
Port 1996 (tr-rsrb-port) ... Connection refused (port 1996 - cisco Remote SRB port)
Port 1998 (x25-svc-port) ... Connection refused (port 1998 - cisco X.25 service (XOT))
Port 1997 (gdp-port) ... Connection refused (port 1997 - cisco Gateway Discovery

Protocol)
Port 156 (sqlsrv) ... Connection refused (port 156 - SQL Service)
Port 118 (sqlserv) ... Connection refused (port 118 - SQL Services)
Port 111 (sunrpc) ... Connection refused (port 111 - SUN Remote Procedure Call)
Port 110 (pop3) ... Connection refused (port 110 - Post Office Protocol -

Version 3)
Port 80 (http-www) ... Connection refused (port 80 - World Wide Web HTTP)
Port 25 (smtp) ... Connection refused (port 25 - Simple Mail Transfer)
Port 24 (any) ... Connection refused (port 24 - private mail system any

private mail system)
Port 23 (telnet) ... Connection refused (port 23 - Telnet)
Port 22 (ssh) ... Connection refused (port 22 - SSH Remote Login Protocol)
Port 21 (ftp) ... Connection refused (port 21 - File Transfer [Control])
Port 11 (systat) ... Connection refused (port 11 - Active Users)
Port 995 (pop3s) ... Connection refused (port 995 - pop3 protocol over TLS/SSL

(was spop3))
Port 994 (ircs) ... Connection refused (port 994 - irc protocol over TLS/SSL)
Port 993 (imaps) ... Connection refused (port 993 - imap4 protocol over TLS/SSL)
Port 990 (ftps) ... Connection refused (port 990 - ftp protocol, control, over

TLS/SSL)
Port 780 (wpgs) ... Connection refused (port 780 - )
Port 443 (https) ... Connection timed out (port 443 - http protocol over

TLS/SSL)
Port 776 (wpages) ... Connection timed out (port 776 - )
no open ports found.

Done

I scan a few other IPs looking for something that is open..

Address : 196.44.128.15
Name : KHP-1720-1-HB.ipb.na (.NA | Namibia)
Port 780 (wpgs) ... Connection refused (port 780 - )
Port 24 (any) ... Connection refused (port 24 - private mail system any

private mail system)
Port 11 (systat) ... Connection timed out (port 11 - Active Users)
Port 1998 (x25-svc-port) ... Connection timed out (port 1998 - cisco X.25 service

(XOT))
Port 1997 (gdp-port) ... Connection timed out (port 1997 - cisco Gateway Discovery

Protocol)
Port 1996 (tr-rsrb-port) ... Connection timed out (port 1996 - cisco Remote SRB port)
Port 995 (pop3s) ... Connection timed out (port 995 - pop3 protocol over TLS/SSL

(was spop3))
Port 994 (ircs) ... Connection timed out (port 994 - irc protocol over TLS/SSL)
Port 993 (imaps) ... Connection timed out (port 993 - imap4 protocol over

TLS/SSL)
Port 990 (ftps) ... Connection timed out (port 990 - ftp protocol, control,

over TLS/SSL)
Port 776 (wpages) ... Connection timed out (port 776 - )
Port 443 (https) ... Connection timed out (port 443 - http protocol over

TLS/SSL)
Port 156 (sqlsrv) ... Connection timed out (port 156 - SQL Service)
Port 118 (sqlserv) ... Connection timed out (port 118 - SQL Services)
Port 111 (sunrpc) ... Connection timed out (port 111 - SUN Remote Procedure Call)
Port 110 (pop3) ... Connection timed out (port 110 - Post Office Protocol -

Version 3)
Port 80 (http-www) ... Connection timed out (port 80 - World Wide Web HTTP)
Port 25 (smtp) ... Connection timed out (port 25 - Simple Mail Transfer)
Port 23 (telnet) ... Connection timed out (port 23 - Telnet)
Port 22 (ssh) ... Connection timed out (port 22 - SSH Remote Login Protocol)
Port 21 (ftp) ... Connection timed out (port 21 - File Transfer [Control])
no open ports found.

The sysadmin is pretty smart, the machines do not have names that tell what they are for,

like SMTP.server., etc.
Name : KHP-1720-1-HB.ipb.na
although Name : Earthstation-rt1.ipb.na is probably a pretty good tip that its a

sysadmin console..
You hope to find labels like mail.server, db01, etc

To make port scans quick, pick a single port like port 80 to scan the IP range, later, try

port 21,25, etc..

Address : 196.44.128.213
Name : WNK-2620-3-AOL-fe0-0.ipb.na (.NA | Namibia)
Port 80 (http-www) ... Connection refused (port 80 - World Wide Web HTTP)
no open ports found.


Address : 196.44.128.214
Name : supernova.datasolutions.web.na (.NA | Namibia)
Port 80 (http-www) ... Ok ! Send data. Wait incoming data .. no data.


Address : 196.44.128.215
Name : sun.web.na (.NA | Namibia)
Port 80 (http-www) ... Ok ! Send data. Wait incoming data .. no data.


So we find a computer with port 80 open,


Fetching http://196.44.128.215/ ...
GET / HTTP/1.1Host: 196.44.128.215Connection: closeReferer: http://www.suck-o.comUser-

Agent: Quarterdeck Mosaic Version 2.02.012 (Mar 23 1996/Mozilla-Spoofer Mozilla/1.22

(compatible; Quarterdeck Mosaic Version 2.02.012 (Mar 23 1996)/Windows/Export)HTTP/1.1 200

OKContent-Length: 1433Content-Type: text/htmlContent-Location:

http://196.44.128.215/iisstart.htmLast-Modified: Fri, 21 Feb 2003 16:48:30 GMTAccept-

Ranges: bytesETag: "0c3110c9d9c21:9de"Server: Microsoft-IIS/6.0Date: Mon, 03 Apr 2006

15:44:52 GMTConnection: close

Http://196.44.128.214

<webpage retrieved>

Under Construction


The site you are trying to view does not currently have a default page. It may be in the process of being upgraded and configured.

Please try this site again later. If you still experience the problem, try contacting the Web site administrator.


--------------------------------------------------------------------------------

If you are the Web site administrator and feel you have received this message in error, please see "Enabling and Disabling Dynamic Content" in IIS Help.

To access IIS Help
Click Start, and then click Run.
In the Open text box, type inetmgr. IIS Manager appears.
From the Help menu, click Help Topics.
Click Internet Information Services.

<< end webpage >>


Two things tell us we have a MS IIS network:
Server: Microsoft-IIS/6.0 in the banner response to our HTTP GET request, and the webpage is a default page telling the sysadmin to go to IIS help...

Since I am out of time, I must go...
More later???
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

User avatar
Lyecdevf
cyber Idi Amin
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
18
Location: In between life and death.
Contact:

Post by Lyecdevf »

Wow! Thanks a lot for that.

Because I am a noob I really do not know some times where to look for information. So this does a lot of help.

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
18
Location: Michigan USA
Contact:

Post by DNR »

The search engine is your best friend because you need it to locate articles on the network software/applications that you need to learn. You have to learn about stupf before you break it.

The search engine can drill down to specific keywords:
"Microsoft IIS 6.0" "Exploits"
The links will take you to active vulnerability websites that keep a database of known vulnerabilities. Keep a list of those websites handy.

Yes, sysadmins should know about recent vulnerabilities too, but they do not always patch their network, its work and it could confilict with old servers, or applications, or just plain old redtape of company policies.
Or is the sysadmin really an idiot...

You might get lucky and get a Zero Day exploit, thats a vulnerability that hasn't been announced yet..That comes from hanging out in chat groups.

You have to have reading skillz to pick out the important commands and details of the network OS you want to crack. If you are familiar with linux, that might be more comfortable for you to learn to hack. Mico$oft people tend to sniff microsoft networks..Your understanding of the basics of your OS and networking tells you what important detail you need to grep to get you where you want to go today...

Once you start trying to exploit a computer or network, you risk violating the federal/state laws prohibiting 'unauthorized access to a computer or network' Your crack attempts will likely be obvious and a clear intent to ass-rape the machine you connexed to. Your voice of reason will be lost in the sneers of those legal eagles that don't use a computer anyways.

Build your own network or go to school, get a teacher to build a computer lab. I did much of my experimentation in school, on networks that contained any violence digital bits could wreak upon society. lol.

Back in the good old days I used to be able to sniff and rattle networks without fear - there were no real laws or computer crime taskforces. Thats the big difference between you n00bs growing up.

Anyways, I leave off with you searching for your own IPs
1. IP/port scan to find a complete network.
2. identify all the machines connected and their software/version
3.determine weaknesses in the system by researching the data you have.
4. don't bother to report your vulnerabilities to the sysadmin, either the email link is old or they don't care.

Learn to use proxies.
learn to write or disassemble and read code

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

User avatar
Lyecdevf
cyber Idi Amin
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
18
Location: In between life and death.
Contact:

Post by Lyecdevf »

I chose some sites in Namibia and did some vulenrability assesments. Found mostlly old apache servers.

I have not yet chosen a specific target. I am still looking around.

Thanks for your insight into the legality of hacking. I am not afraid to be caught. I mean I am not trying to steal like money or even info. I am just doing this for the heck of it. Trying to find the weakest and least secured spots. So if they bust me for that I really do not care. This is just fun for me and I am taking all the security measures possible using proxies and deleating logs.

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
18
Location: Michigan USA
Contact:

obsession / compulsion

Post by DNR »

A long time ago I was surfing military websites for text files. I came across a study on hackers they did. A psychologist defined the personality of a hacker, a profile;

"The hacker will likely be a young male, disorganized, messy, antisocial in public, have an obsessive-compulsion behavior with computers, _and very intelligent_."

It is a process. With experience I can tell you that the hassle of getting caught will not only cost you money and time, but even the prospect of a legitimate job. You are better off going to school and developing other parts of your life. I got married 5 years ago, sure I miss those long days, steady hours on the console, surfing for text and software, and talking up new friends all over the world.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

User avatar
Stavros
ΜΟΛΩΝ ΛΑΒΕ
ΜΟΛΩΝ ΛΑΒΕ
Posts: 1098
Joined: 02 Jan 2006, 17:00
18
Location: Mississippi, U.S.A.

Post by Stavros »

Wow, that describes me to a tee (although I claim to not be a hacker, which I'm not). Kind of scary. Right off the bat I said I wasn't going to get into any script kiddie stuff because I know what a nusaince script kiddies are (and I'm about to go to college, so that strenghtens my reason) and I haven't really messed with any of that stuff to date although tempation is strong.

Post Reply