Monday, August 2, 2010

PORT SCANNERS
(A HACKER'S REVIEW)


This post deals with the basic workings of various port scanners, and with how a system administrator can protect a network against the attacks that begin with a port scan.
First, what is a port scanner? To answer that we need to look at what a port is.
PORTS:
Ports are of two types:
1. Hardware Ports
2. Software Ports
1. Hardware Ports :-
These are the physical connectors on the back of your machine's cabinet, for example COM1, COM2 and the parallel (printer) port.
2. Software Ports :-
Software ports are virtual: each one is a numbered endpoint (0 to 65535, separately for TCP and for UDP) through which a program sends and receives data, much like a pipe. Every open port has a service or daemon (a daemon is just a program that runs in the background) listening on it and serving whoever connects; for example, port 25 is by convention used by SMTP for handling mail.
In our discussion of port scanners we are concerned with software ports only.
PORT SCANNERS:-
A port scanner is a program that probes a remote or local host and reports which ports are open, that is, which services are listening. By itself it does not find security weaknesses; it tells the attacker (or the administrator) where to look for them, because every listening service is a potential way in.
New port scanners appear every day. A few well-known and useful ones are:-


  • NMAP : Versions of NMAP are available for LINUX and WINDOWS, and can be downloaded from www.nmap.org/download.html
  • NETCAT : NETCAT is also available in LINUX and WINDOWS versions and can be downloaded from www.netcat.li/download.html
  • HPING :- It is available at www.wiki.hping.org.
All three are free, open-source tools. (NETCAT is really a general-purpose TCP/UDP tool rather than a scanner; its -z option, which probes a range of ports without sending any data, is what makes it usable as one.)

When you run one of these port scanners against a foreign IP address, it reveals the open services on that host. For example, a scan of a system might return:
PORT NUMBER   SERVICE
21            FTP
23            TELNET
25            SMTP
53            DNS
79            FINGER
80            HTTP
110           POP3
etc.
Port scanners were originally written mostly for UNIX, but today most of them are also available for the Windows platform.
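The scan described above, as an added example in Python (not code from the original post, and not nmap's or netcat's own code). It is the simplest kind of scanner, a TCP connect scan: it opens a throwaway listener on 127.0.0.1 so there is something real to find, probes a couple of ports, and labels each one the way the table above does. The port numbers are chosen by the operating system at run time; nothing here targets a remote host.

```python
"""Minimal TCP connect scanner. Added example; assumes only the Python
standard library and a working loopback interface."""
import socket
import threading

# Port-to-service names from the table in the post. socket.getservbyport()
# would consult /etc/services; an inline table keeps the example offline.
WELL_KNOWN = {21: "FTP", 23: "TELNET", 25: "SMTP", 53: "DNS",
              79: "FINGER", 80: "HTTP", 110: "POP3"}


def start_listener(host="127.0.0.1"):
    """Open a listening socket on an OS-chosen port and accept connections
    in a daemon thread. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # server socket closed: stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def reserve_closed_port(host="127.0.0.1"):
    """Bind a socket without calling listen(): the port is taken, but a SYN
    to it is answered with an RST, which is exactly what a closed port
    looks like to a scanner. Returns (socket, port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    return sock, sock.getsockname()[1]


def probe(host, port, timeout=0.5):
    """Full TCP connect probe. It completes the three-way handshake, so the
    listening program (and its log) sees a real connection; that is what
    separates a connect scan from the SYN/FIN scans discussed later."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"          # RST came back: nothing is listening
        except OSError:
            return "filtered"        # no answer within the timeout: dropped?


def connect_scan(host, ports, timeout=0.5):
    """Return {port: (state, service_name_or_None)} for every port probed."""
    return {p: (probe(host, p, timeout), WELL_KNOWN.get(p)) for p in ports}


if __name__ == "__main__":
    srv, open_port = start_listener()
    holder, closed_port = reserve_closed_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
        for p, (state, svc) in sorted(results.items()):
            print(f"{p:>5}  {state:<8}  {svc or ''}")
    finally:
        srv.close()
        holder.close()
```

Because every probe completes the handshake, the listener's accept() fires for each open port it touches: this is the scan type that does leave a trace in application logs.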

THREAT OF PORT-SCANNERS TO SYSTEM ADMINISTRATORS:-

  • Some port scanners, particularly SYN and FIN scanners, are "stealth" scanners: they never complete a TCP connection, so the probed service never sees a connection and the attacker's IP address does not show up in the application's own logs. (They are not invisible: a packet-filtering firewall or an IDS that logs individual packets still records them.)
  • This becomes a deadly combination if the attacker also hides behind an IP-address-hiding service, such as the one available at www.anonymizer.com
  • New and more advanced port scanners are developed every day, by attackers and by system administrators alike.
  • LEGAL ASPECTS: Running a port scanner against an IP address is, in most places, not a crime in itself, though this depends on the jurisdiction and on whether the owner has given permission. Most scanners are meant to help network administrators find the "back doors" into their own networks. But one wonders why anyone would scan a foreign IP unless they were about to attack it.
So, as an administrator you need full proof of an attack attempt, and a port scan by itself does not prove anything.

SYN/FIN PORT SCANNERS:
Internet transmissions follow rigid protocols. In TCP, the sender first transmits an introductory packet carrying a SYN flag to synchronize the upcoming communication. The receiver returns a packet carrying both a SYN and an ACK, which acknowledges the request. The sender then transmits an ACK, which completes the three-way handshake. Only then can either side send data. When finished, one side sends a FIN, and the other returns an ACK (and eventually its own FIN), which officially closes the connection.
A SYN scanner stops after the second step: it sends a SYN and, on receiving a SYN/ACK (port open) or an RST (port closed), answers with an RST instead of the final ACK, so the connection is never completed. A FIN scanner skips the handshake entirely and sends a lone, premature FIN. A closed port answers with an RST (reset) packet; an open port, on a TCP/IP stack that follows RFC 793, silently drops the packet. The response, or the lack of one, reveals the state of the port.
Because the receiving computer does not recognise a connection until the three-way handshake has completed, the service listening on that port never accepts anything and records nothing in its logs. Thus a SYN or FIN scanner can probe a computer in relative secrecy without ever having opened an official connection. Two caveats: a firewall or IDS that logs individual packets still sees the probes, and the Windows TCP/IP stack replies with an RST to a lone FIN even on open ports, so a FIN scan against a Windows host reports every port as closed.
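The exchange described above, as an added example that is not part of the original post: a toy model of the receiving host's TCP rules, used to compare the verdicts of connect, SYN, FIN, NULL and Xmas scans and to show which probes ever reach the application. It sends no packets; the Host class encodes the RFC 793 behaviour with the Windows deviation switchable, and the port numbers and the "application log" format are invented for the example.

```python
"""Model of a TCP responder and four scan types. Added example; nothing
here touches the network, and per-connection state is deliberately not
tracked because the point is which probes ever reach accept()."""
from dataclasses import dataclass, field


@dataclass
class Host:
    open_ports: set                                 # ports with a listener
    filtered: set = field(default_factory=set)      # ports a firewall drops
    rfc793: bool = True    # True: lone FIN/NULL/Xmas to an open port is dropped
                           # False: Windows-style stack answers them with RST
    app_log: list = field(default_factory=list)     # what the application records

    def respond(self, port, flags):
        """Answer one probe segment with the reply flags, or None for silence."""
        flags = frozenset(flags)
        if port in self.filtered:
            return None                     # firewall: no answer either way
        if port not in self.open_ports:
            return "RST"                    # closed port: RST to any probe
        if flags == {"SYN"}:
            return "SYN/ACK"                # step 2 of the handshake
        if flags == {"ACK"}:
            # step 3: the handshake completes and the connection is handed to
            # the listening program, the first point at which a log entry
            # (e.g. in a web server's access log) can ever be written
            self.app_log.append(("connection", port))
            return None
        if "RST" in flags:
            return None                     # abort: nothing to answer
        # lone FIN, NULL (no flags) or Xmas (FIN+PSH+URG) to an open port
        return None if self.rfc793 else "RST"


def connect_scan(host, port):
    r = host.respond(port, {"SYN"})
    if r == "SYN/ACK":
        host.respond(port, {"ACK"})         # finish handshake: application sees it
        return "open"
    return "closed" if r == "RST" else "filtered"


def syn_scan(host, port):
    r = host.respond(port, {"SYN"})
    if r == "SYN/ACK":
        host.respond(port, {"RST"})         # tear down before accept() happens
        return "open"
    return "closed" if r == "RST" else "filtered"


def fin_scan(host, port, flags=("FIN",)):
    """Also serves NULL (flags=()) and Xmas (flags=("FIN", "PSH", "URG")).
    Silence is ambiguous: an open port and a firewall both say nothing."""
    r = host.respond(port, set(flags))
    return "closed" if r == "RST" else "open|filtered"


if __name__ == "__main__":
    linux = Host(open_ports={22, 80}, filtered={443})
    windows = Host(open_ports={80}, rfc793=False)
    for p in (22, 80, 81, 443):
        print(p, connect_scan(linux, p), syn_scan(linux, p), fin_scan(linux, p))
    print("application log:", linux.app_log)   # only the connect scans appear
    print("Windows, FIN scan of open port 80:", fin_scan(windows, 80))
```

Running it shows the asymmetry the post is getting at: after scanning the same ports three ways, the application log holds entries only for the connect scan, the SYN scan sees the same open/closed picture without leaving one, and the FIN scan cannot tell an open port from a firewalled one (nor, on the Windows-style host, from a closed one).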
PREVENTIVE MEASURES FOR SYSTEM/NETWORK ADMINISTRATORS :-
1. Administrators should check their own networks for security flaws by running the latest port scanners against them, from outside as well as from inside, and close every "back door" (unneeded listening service) they find.

2. Keep a careful watch on the sites that provide anonymity services, and find out for yourself what they really provide and whether they keep logs of their visitors' original IP addresses.
You can ask such a service for the original IP address of a visitor, and knowing the exact time of the attack attempt you can probably work out the attacker's real address.
3. Always use a properly configured firewall for your network, and have it log the packets it drops: that is where a stealth scan leaves its trace.

4. Never reveal to anyone the type or version of the operating system you use on your network, and keep the operating system up to date. Once an attacker knows what they are dealing with, the attack becomes much easier, and an older version always has a few known "vulnerabilities". Bear in mind that a scanner such as NMAP can often guess the operating system from how its TCP/IP stack answers probes, so patching matters more than secrecy.



Wednesday, July 14, 2010

ANTIVIRUS CAPABILITY AND PRECAUTIONARY MEASURES

  1. ANTIVIRUSES:
    As already discussed, most update information comes from a common upstream, so there is a chance that a virus remains unknown for a long time (for example, a few of the viruses discussed in "The Little Black Book of Computer Viruses" by M. Ludwig are undetected even today).
    But "something is better than nothing", so you can choose any of these antiviruses: Avast at www.avast.com/free-antivirus-download, Kaspersky at www.kaspersky.com/downloads, McAfee at www.home.mcafee.com/store/download.aspx, Avira at http://www.free-av.com/ etc.
If I have to suggest something, I would put more emphasis on using a combination of these programs, i.e.
one antivirus + one antispyware + one firewall program = maximum security;

Among anti-spyware programs I found these much more useful:
1. MICROSOFT SECURITY ESSENTIALS (from Microsoft; it is a full antivirus as well as an antispyware), at www.microsoft.com/security/products/mse.aspx
2. SPYBOT - SEARCH & DESTROY, at www.safer-networking.org/en/download/index.html
3. SPYWARE DOCTOR (from PC Tools) at www.pctools.com/spyware-doctor/download/
The first two are free of cost, while you will have to pay for "SPYWARE DOCTOR". Note that two resident antivirus engines running at the same time fight over the same files and slow the machine down, so pick one antivirus and pair it with an on-demand scanner rather than a second resident one.
FIREWALL PROGRAMS:
Among firewall programs I suggest

PRECAUTIONARY MEASURES:

  1. If you are a dial-up user with an external modem, the rate at which the activity light on the front of the modem blinks shows the rate of data transfer. When the system is idle it may blink once or twice in 15-20 minutes. If you are not doing anything that requires a large data transfer (say, you are reading mail) and yet the light blinks rapidly, then some data transfer is definitely taking place without your knowledge.
In the case of an internal modem you can rely on the icon that looks like two small TV screens next to the clock; there, too, the blinking represents data transfer.

2. Whenever you suspect that your system's security has been compromised (as in the case above), take the following steps:
  • Click Start > Run
  • Type "CMD" there and click "OK"
  • At the DOS prompt that appears, type the command "netstat -a". This lists everything your computer is currently communicating with online, like so:

ACTIVE CONNECTIONS
PROTOCOL  LOCAL ADDRESS  FOREIGN ADDRESS  STATE
TCP       COMP:0000      10.0.0.1:0000    ESTABLISHED
TCP       COMP:2020      10.0.0.5:1010    ESTABLISHED
TCP       COMP:9090      10.0.0.3:1918    ESTABLISHED

The first column gives the protocol used for the connection, the second holds your computer's address and port, the third is the foreign address and port your computer is connected to, and the fourth is the connection state (ESTABLISHED for a live connection, LISTENING for a service waiting for connections, TIME_WAIT for one that has just closed, and so on). Use "netstat -an" to see numeric addresses instead of names, and on Windows XP and later "netstat -ano" adds the process ID (PID) owning each connection, which you can match against the Task Manager to find the program responsible.
A program for the same purpose, called "Xnetstat", can be downloaded from www.arez.com/fs/xns
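One way to make sense of that listing, as an added example in Python (not code from the original post or from Xnetstat): a parser for "netstat -ano" output that separates listening ports from live connections and flags peers outside your own network, with the owning PID so you know which process to look at. The sample output, the addresses, the PIDs and the assumption that "your own network" is 10.0.0.0/8 are all constructed for the example.

```python
"""Triage of netstat -ano output. Added example; the sample below is
constructed, and LOCAL_NETS is an assumption about the reader's network."""
import ipaddress

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.7:1034          10.0.0.1:139           ESTABLISHED     4
  TCP    10.0.0.7:1042          203.0.113.9:6667       ESTABLISHED     2288
  TCP    10.0.0.7:1043          198.51.100.20:80       TIME_WAIT       0
  UDP    0.0.0.0:137            *:*                                    4
"""

# Networks that count as "ours" (assumption: the post's 10.0.0.0/8 LAN).
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "127.0.0.0/8", "0.0.0.0/8")]


def parse_netstat(text):
    """One dict per connection line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])      # UDP has no state column
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": pid})
    return rows


def split_host_port(addr):
    """'10.0.0.1:139' -> ('10.0.0.1', '139'); rpartition copes with IPv6."""
    host, _, port = addr.rpartition(":")
    return host, port


def is_external(host, local_nets=LOCAL_NETS):
    """True for an address outside every network we consider our own."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                 # "*" or a hostname: cannot judge here
    return not any(ip in net for net in local_nets)


def listening_ports(rows):
    """Ports with a service waiting for connections: what a scanner finds."""
    return sorted({(r["proto"], split_host_port(r["local"])[1])
                   for r in rows
                   if r["state"] == "LISTENING" or r["proto"] == "UDP"})


def external_peers(rows):
    """ESTABLISHED connections to hosts outside our networks, with PID."""
    out = []
    for r in rows:
        host, port = split_host_port(r["foreign"])
        if r["state"] == "ESTABLISHED" and is_external(host):
            out.append((host, port, r["pid"]))
    return out


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(rows))
    for host, port, pid in external_peers(rows):
        print(f"established to {host}:{port} by PID {pid}: "
              "find this PID in Task Manager")
```

The listening ports are what an outside scan would report; the external peers are where a Trojan "phoning home" would show up, and the PID is how you get from the connection to the program that owns it.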







3. Files with suspicious extensions should not be accepted (especially if they come from a chat line or a freeware site). For example, picture files generally come in jpg, jpeg, bmp, tiff or gif format; any other format, say "picture.exe", is unacceptable. There is no reason for a single file to carry more than one extension, as in "picture.jpg.exe" (by default Windows hides the last extension of known file types, so such a file shows up as "picture.jpg"). If you are uncertain about what type of file you are looking at, go to

and in the search field type
*Doc file type (for document files)
*Exe file type (for exe files)
This will give you a more detailed explanation of the possible formats of a particular file type.
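The checks in item 3, as an added example in Python (not code from the original post): it flags double extensions such as "picture.jpg.exe", and compares what the extension claims with the file's leading "magic" bytes, so an executable renamed to ".gif" is caught even when the name looks innocent. The sample files are byte strings built inline for the example; the signatures themselves are the standard ones for those formats.

```python
"""Extension versus content check for downloaded files. Added example;
the SAMPLES dictionary is constructed test data, not real files."""
import os

CANON = {"jpeg": "jpg", "tif": "tiff", "dll": "exe", "scr": "exe"}
MAGIC = {
    "jpg":  [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "bmp":  [b"BM"],
    "tiff": [b"II*\x00", b"MM\x00*"],
    "pdf":  [b"%PDF-"],
    "exe":  [b"MZ"],        # every Windows PE starts with a DOS 'MZ' stub
}
EXECUTABLE = {"exe", "com", "bat", "cmd", "vbs", "js", "pif"}
BENIGN_PAIRS = {("tar", "gz"), ("tar", "bz2")}   # legitimate double extensions

SAMPLES = {                                       # constructed file contents
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "picture.jpg.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "cricket.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "photo.gif": b"MZ\x90\x00" + b"\x00" * 60,    # executable renamed to .gif
}


def extensions(name):
    """All extensions, lowest first: 'a.jpg.exe' -> ['jpg', 'exe']."""
    parts = os.path.basename(name).lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def canonical(ext):
    return CANON.get(ext, ext)


def detect_type(head):
    """The format whose signature matches the leading bytes, or None."""
    for fmt, sigs in MAGIC.items():
        if any(head.startswith(s) for s in sigs):
            return fmt
    return None


def inspect(name, head):
    """Reasons to distrust the file; an empty list means nothing found."""
    findings = []
    exts = [canonical(e) for e in extensions(name)]
    if len(exts) > 1 and tuple(exts[-2:]) not in BENIGN_PAIRS:
        findings.append(f"multiple extensions {exts}: "
                        "Windows hides the last one by default")
    last = exts[-1] if exts else ""
    if last in EXECUTABLE:
        findings.append(f"'.{last}' is executable, not a picture or document")
    actual = detect_type(head)
    if actual == "exe" and last not in EXECUTABLE:
        findings.append("content is a Windows executable (MZ header) "
                        "hiding behind a non-executable name")
    elif actual and last in MAGIC and actual != last:
        findings.append(f"content is {actual} but the name claims {last}")
    return findings


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", inspect(name, data) or "looks consistent")
```

Only the first few bytes of a file are needed, so the same check can run on an attachment before it is saved; the name is what the sender controls, the header is what the program that opens the file actually obeys.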




4. REPORTING OF HACK ATTEMPTS:
Consistent attempts to break into your system (if any) must be reported. Obtain a copy of "Netlab" from www.filedudes.lvdi.net/win95/dns/netlab95.html and install it. Consult your firewall program's documentation, identify how many times an individual IP address attempted to gain access and when the most recent attempt was, and then follow these steps:
  • Write down the IP address your firewall program (BlackICE or LockDown 2000, for example) reported.
  • Click Start > Run
  • Type "CMD"
  • Type "netstat -a" at the DOS prompt that appears. Check whether the attacker is still connected; once you have confirmed that the attempt was unsuccessful, you can proceed to gather information to report the attack. To do this:
  • Start Netlab, type the attacker's IP address and click the "Ping" button. If you see a response, the attacker is online. (Many hosts are configured not to answer pings, so no response does not prove the attacker is offline.)
  • Next, check whose IP it is by querying "whois.arin.net" for the address: after typing the IP address, click the "Whois" button. You will then see who the IP address is registered to. ARIN covers North America; for addresses elsewhere its answer refers you to the regional registry (RIPE, APNIC, LACNIC or AFRINIC) that actually holds the record.
This reveals who the attacker's Internet service provider is. This is very important: if you can figure out where the attack is coming from, you can forward the appropriate information (the log entries, with timestamps and your time zone) to the right people, usually the abuse contact listed in the whois record.
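The counting in item 4, as an added example in Python (not code from the original post, nor from BlackICE, LockDown 2000 or Netlab): it reads a firewall's dropped-packet log, totals attempts per source address, picks out the sources that look like port scans (many distinct ports in a short window), and produces the lines you would paste into an abuse report. The log format is a constructed one (timestamp, action, protocol, source, destination, flags), so the regular expression must be adapted to your own firewall's format; the addresses and times are made up.

```python
"""Per-source attempt counting and scan detection over firewall log lines.
Added example; SAMPLE_LOG and its format are constructed for it."""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2010-08-02 21:15:03 DROP TCP 203.0.113.9:51234 -> 10.0.0.7:21 SYN
2010-08-02 21:15:03 DROP TCP 203.0.113.9:51235 -> 10.0.0.7:23 SYN
2010-08-02 21:15:04 DROP TCP 203.0.113.9:51236 -> 10.0.0.7:25 SYN
2010-08-02 21:15:04 DROP TCP 203.0.113.9:51237 -> 10.0.0.7:80 SYN
2010-08-02 21:15:05 DROP TCP 203.0.113.9:51238 -> 10.0.0.7:110 SYN
2010-08-02 21:15:05 DROP TCP 203.0.113.9:51239 -> 10.0.0.7:139 SYN
2010-08-02 21:20:41 DROP TCP 198.51.100.20:4455 -> 10.0.0.7:80 SYN
2010-08-02 22:02:17 DROP TCP 198.51.100.20:4460 -> 10.0.0.7:80 SYN
2010-08-02 22:30:00 DROP UDP 192.0.2.77:53 -> 10.0.0.7:1029 -
"""

LINE = re.compile(
    r"^(\S+ \S+) (\w+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")


def parse_log(text):
    """One event dict per line that matches the constructed format."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, action, proto, src, _sport, _dst, dport, flags = m.groups()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "action": action, "proto": proto, "src": src,
                       "dport": int(dport), "flags": flags})
    return events


def summarize_by_source(events):
    """Per source IP: attempt count, distinct ports, first and last time."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["src"], {"attempts": 0, "ports": set(),
                                          "first": e["time"], "last": e["time"]})
        s["attempts"] += 1
        s["ports"].add(e["dport"])
        s["first"] = min(s["first"], e["time"])
        s["last"] = max(s["last"], e["time"])
    return summary


def likely_scans(summary, min_ports=5, window=timedelta(minutes=1)):
    """A scan: many distinct ports hit from one source within a short window.
    One port retried over an hour is more likely a misconfigured client."""
    return sorted(src for src, s in summary.items()
                  if len(s["ports"]) >= min_ports
                  and s["last"] - s["first"] <= window)


def report_lines(summary, src):
    """The evidence an abuse desk asks for: who, how often, which ports, when."""
    s = summary[src]
    return [f"Source: {src}",
            f"Attempts: {s['attempts']} against ports {sorted(s['ports'])}",
            f"First seen: {s['first']:%Y-%m-%d %H:%M:%S}, "
            f"last seen: {s['last']:%Y-%m-%d %H:%M:%S} "
            "(local time; state your time zone in the report)"]


if __name__ == "__main__":
    summary = summarize_by_source(parse_log(SAMPLE_LOG))
    for src in likely_scans(summary):
        print("\n".join(report_lines(summary, src)))
```

The thresholds are the judgement call: six ports in two seconds is a scan, two retries against port 80 forty minutes apart is not, and a single DNS reply landing on a closed UDP port is just the Internet being noisy. Report the first, not the other two.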



5. SOCIAL ENGINEERING:
The term social engineering is often used among "hackers" for techniques that rely on the weaknesses of people rather than of software.
Even today one in every twenty users keeps their user ID as their password. Don't make such mistakes.
REMEMBER: YOU ARE YOUR SYSTEM'S WORST ENEMY.
At last, though antivirus software serves our purpose a little, we can add our own intelligence to improve our personal security.



FURTHER REFERENCES:
2. MICROSOFT BETA ANTIVIRUS AND ANTISPYWARE SOLUTIONS: www.amazon.com/Microsoft-Announces-Antivirus-Antispyware-Solution/dp/B0007N4BWI
3. C. Dalton and D. Clarke, Secure partitioned access to local network resources over the Internet, technical report, HP Labs, 1998.

VIRUSES AND TROJANS

WHAT A VIRUS IS?
Viruses are programs (historically simple pieces of code, written mainly in assembly language) that compromise your system's security in one way or another. What makes a program a virus is that it copies itself into other programs or disks in order to spread.
The term "virus" was first applied to such programs in the mid-1980s by Fred Cohen in his doctoral research. They were later called "living programs", living because they have the ability to ride on and exploit other programs. Moreover, their ability to fight for survival by changing form made them resemble a unicellular organism, hence the name "virus".
One more notable point is that not all viruses are harmful; in fact some were found to be useful. For example, a virus called "Cruncher" compresses the executable files it infects and so saves disk space for you.










VIRUS PROBLEM:
Though a few of them are useful, most are programmed to harm your system once it is compromised...
Now one can say, "I use an antivirus, so why should I worry?" Then let me tell you, my friend: most updates to these programs are built from virus samples received from users like you. Whenever a new virus is found, the antivirus companies research it, and only then does the information reach you as an update. But this process takes time (a month or more), and there is a chance that you get infected before the update reaches you.
Now again a user can say, "I just check my mail and a few similar things, so such things cannot happen to me!" So let's do a test. Tell me: how many of you have ever downloaded an attachment (or a game) which, when clicked, appeared to do nothing? Probably most of you. So here follows a discussion....









TROJAN HORSE:
Trojan horses are the most compromising software ever seen. History tells of their usefulness to the Greeks, who won with one a war that was impossible to win otherwise....
Even today they are found to be responsible for most compromised Windows machines. They give the attacker remote control over your machine.
Capabilities commonly associated with a Trojan horse program are:
  • Opening your CD-ROM drive.
  • Capturing screenshots of your computer.
  • Recording your keystrokes and sending them to the attacker.
  • Full access to all your drives and files.
  • Using your computer as a stepping stone for attacks on other machines.
  • Disabling your keyboard and mouse, and much more.....







The most common Trojans (for example Sub7, NetBus, ProRat, etc.) all have two parts:-
  1. SERVER:- The server has to be installed on your computer; that is what compromises it. It listens on a port (or connects out to the attacker) and carries out the attacker's commands.
2. CLIENT:- The client is used by the attacker to control your system through the server.
The attacker's next goal is therefore to install the server on your computer by fooling you.







Method-1:
Send the "server file" to you directly by email, of course after renaming it to something else, say "cricket.exe". Once you download the attachment and click on it, nothing at all seems to happen (suspicious, but you ignore it). The server is now silently installed and your system's security is compromised.
As Method-1 may create suspicion, there is Method-2:







Method-2:
The attacker camouflages the server inside some legitimate executable file, using a "binder".
For example,
Cricket.exe + Server.exe = A.exe (say)
SIZE: 6,239 KB + 365 KB = 6,604 KB
The server in our example is bound to cricket (a game), which is a legitimate file, to form a new file called "A.exe"; the attacker then renames it back to "Cricket.exe". As you can see, the only visible difference between the bound and the original "Cricket.exe" is a small increase in size, which largely goes unnoticed. Once you download and run the file, "Server.exe" is installed along with "Cricket.exe", and the game works as expected, so there is no cause for suspicion at all. The lesson is that neither the file name nor a plausible size proves anything; only a hash or a signature from the publisher does.
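Two checks against the binder trick, as an added example in Python (not code from the original post or from any binder): the first compares a file's SHA-256 with the hash the publisher gives out, which catches any change at all; the second looks for more than one PE (Windows executable) header inside a file, the mark left by a binder that simply appends the server to the game. The two "executables" are minimal fake PE images constructed for the example (a DOS header whose e_lfanew field points at a "PE\0\0" signature); they are not real programs, and their sizes are not the post's 6,239 KB and 365 KB.

```python
"""Hash verification and embedded-PE detection. Added example; fake_pe()
builds constructed test images, not real executables."""
import hashlib
import struct


def fake_pe(body):
    """Smallest structure the check relies on: 'MZ', an e_lfanew field at
    offset 0x3C pointing at 'PE\\0\\0', then whatever body follows."""
    pe_offset = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (pe_offset - 2))
    struct.pack_into("<I", dos, 0x3C, pe_offset)
    return bytes(dos) + b"PE\x00\x00" + body


def find_pe_headers(data):
    """Offsets of every 'MZ' whose e_lfanew points at a valid PE signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            sig = pos + e_lfanew
            if 0 < e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def bind(legit, server):
    """What a simple binder does: append the server to the legitimate file.
    The result keeps the original's name, so only size and contents change."""
    return legit + server


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify(data, expected_hex):
    """True only if the file is byte-for-byte what the publisher hashed."""
    return sha256_hex(data) == expected_hex


def looks_bound(data):
    """More than one embedded PE is a strong sign of a binder or dropper.
    Caveat: self-extracting installers also carry embedded executables, so
    treat this as a reason to investigate, not as proof on its own."""
    return len(find_pe_headers(data)) > 1


if __name__ == "__main__":
    cricket = fake_pe(b"cricket game code" * 400)      # constructed "game"
    server = fake_pe(b"trojan server code" * 20)       # constructed "server"
    published_hash = sha256_hex(cricket)               # what the vendor publishes
    trojaned = bind(cricket, server)
    print("size grew by", len(trojaned) - len(cricket), "bytes")
    print("hash matches publisher:", verify(trojaned, published_hash))
    print("embedded PE headers at:", find_pe_headers(trojaned))
```

The size check the post describes is what the attacker is counting on you to rely on: the growth is exactly the server's size and looks like nothing. The hash is what a publisher should give you alongside the download, and the second-header check is what to run when you do not have one.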














GRAPEVINE:
Once you have received such an infected file, say you send a copy of "Cricket.exe" to a friend (unknowingly, of course); the Trojan travels with it.
The matter becomes one of real loss particularly when:
  1. You do some kind of online transaction. Even if your bank uses, say, a 128-bit encrypted connection, what use is that when your password and ID have already been sent (by the keylogger) along with a screenshot of the bank you are dealing with? Encryption protects the data in transit, not a machine whose keyboard is being recorded.
2. Tell me, how many of you have your resume stored on your system? It probably contains all your information: your name, what you look like, your family background, whom you work and have worked for, etc.
3. Not all, but some Trojans can take pictures with your own webcam and send them to the attacker. No need to say what threat this poses to you and your family. So, "How many of you use webcams?"
In light of the facts above, surely you don't want your system to be compromised.....




For further reference,
3. LITTLE BLACK BOOK OF COMPUTER VIRUSES: www.amazon.com/Little-Black-Book-Computer-Viruses/dp/0929408020
4. GIANT BLACK BOOK OF COMPUTER VIRUSES: www.amazon.com/Giant-Black-Book-Computer-Viruses/dp/0929408233


HACKING

Hacking, in simple terms, is unauthorized and unlawful access to a network or a computer, usually with the goal of stealing information.

Basically, there are two ways to hack into a system. Suppose for a moment that one has to get into a safe; there are two ways of doing that:
  • Steal the key. This deals with the ignorance and lack of knowledge of the users, and it requires knowledge, talent and a little bit of luck.
  • Use dynamite to blow the lock. This deals with the use of viruses, Trojans, spyware programs etc. This method doesn't require much talent, as these tools are freely available on different sites and even a "kiddie hacker" (mostly high-school students with little or no knowledge of the subject) can easily get hold of them, which makes the situation even more dangerous.
Now, one can say, "I don't do anything except read my mail; such things are not likely to happen to me."
Then, my friend, you are mistaken...
OK, tell me, how many of you have file/printer sharing turned on? I will tell you how you can be hacked in even less than 15 seconds...




Proceed as in the steps below:
  • Click Start > Run
  • Type "winipcfg" (on Windows 9x; on Windows 2000/XP and later, type "cmd" and then "ipconfig" instead)
  • Hit the Enter key
A window will appear.
Choose "PPP Adapter" if you are a dial-up user, OR
"PCI Busmaster", "SMC Adapter" etc. if you have dedicated access.
  • Note down your IP address and close the window.
  • Again click Start > Run
  • Type "cmd".
A black screen (DOS screen) will appear.
  • Type the following there: "nbtstat -A IP-ADDRESS" (nbtstat, not netstat: nbtstat is the NetBIOS-over-TCP/IP tool that prints the name table, and the capital A means "by IP address").
IP-ADDRESS: type the IP address you got from the step above.
  • This will give you the "NetBIOS remote machine name table":

NAME        TYPE     STATUS
J-1   <00>  UNIQUE   Registered
WORK  <00>  GROUP    Registered
J-1   <20>  UNIQUE   Registered

  • Look for the 20 hex suffix in the second column, between angle brackets (as in the last row of the table above). A <20> entry means the File Server Service is registered, that is, file/printer sharing is turned on, and anyone (even a kiddie hacker) can get into your computer as follows:
  • They scan a range of IP addresses for systems with "file and printer sharing" turned on (TCP ports 139 and 445 open). Once one is found, "net view \\IP-ADDRESS" lists what has been shared.
  • Then "net use X: \\IP-ADDRESS\temp" maps the share as a drive, if, for example, your "temp" directory is found to be shared. If everything is in order (no password, or a guessable one), the attacker can access your computer through this directory.
This type of attack is called a "NETBIOS ATTACK".
Now, tell me, how much time does such an attack need?
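Reading the name table programmatically, as an added example in Python (not code from the original post or from nbtstat): it parses the output of "nbtstat -A <ip>", decodes the suffix in angle brackets into the NetBIOS service it stands for, and reports what the table hands an attacker, above all whether <20> (the File Server Service) is present. The suffix assignments are the standard ones; the sample output is constructed for the example, reusing the post's names, with a MAC address from the documentation range.

```python
"""Parser and exposure summary for nbtstat -A output. Added example;
SAMPLE_NBTSTAT is constructed, not captured from a real machine."""
import re

# Standard NetBIOS name suffixes; UNIQUE versus GROUP changes the meaning.
SUFFIX = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"):  "Workgroup/domain name",
    ("03", "UNIQUE"): "Messenger Service (computer name or logged-on user)",
    ("20", "UNIQUE"): "File Server Service (file/printer sharing is ON)",
    ("1B", "UNIQUE"): "Domain master browser",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"):  "Browser service elections",
}

SAMPLE_NBTSTAT = """\
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    J-1            <00>  UNIQUE      Registered
    WORK           <00>  GROUP       Registered
    J-1            <20>  UNIQUE      Registered
    ADMIN          <03>  UNIQUE      Registered

    MAC Address = 00-00-5E-00-53-01
"""

ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")


def parse_name_table(text):
    """One dict per name-table row; headers, rulers and the MAC line are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        name, suffix, kind, status = m.groups()
        suffix = suffix.upper()
        rows.append({"name": name, "suffix": suffix, "type": kind,
                     "status": status,
                     "meaning": SUFFIX.get((suffix, kind), "unknown suffix")})
    return rows


def file_sharing_on(rows):
    """The post's rule: a <20> UNIQUE entry means the File Server Service runs."""
    return any(r["suffix"] == "20" and r["type"] == "UNIQUE" for r in rows)


def exposure_summary(rows):
    """What the table gives away: machine name, workgroup, a user name, and
    whether there are shares worth enumerating with 'net view'. The <03>
    entry that differs from the computer name is the logged-on user."""
    computer = next((r["name"] for r in rows
                     if r["suffix"] == "00" and r["type"] == "UNIQUE"), None)
    workgroup = next((r["name"] for r in rows
                      if r["suffix"] == "00" and r["type"] == "GROUP"), None)
    user = next((r["name"] for r in rows
                 if r["suffix"] == "03" and r["type"] == "UNIQUE"
                 and r["name"] != computer), None)
    return {"computer": computer, "workgroup": workgroup, "user": user,
            "sharing": file_sharing_on(rows)}


if __name__ == "__main__":
    rows = parse_name_table(SAMPLE_NBTSTAT)
    for r in rows:
        print(f"{r['name']:<8} <{r['suffix']}> {r['type']:<7} {r['meaning']}")
    info = exposure_summary(rows)
    if info["sharing"]:
        print(f"{info['computer']} has sharing on; an attacker's next step "
              "is 'net view \\\\<ip>' to list the shares")
```

Run against your own address, it tells you what a stranger on the same network (or, without a firewall, on the Internet) learns from a single query: the machine name, the workgroup, who is logged on, and whether the next step, listing and mapping shares, is even available.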







PREVENTION STEPS:
  • Look for any shared directory: click Start and look through your drives for shared folders (a shared folder is shown as a folder held in a hand).
  • Open the folder on the specific drive.
  • Right-click it and you will find an option "Sharing" (or "Share with"); click on it.
  • If you really need to share the file or printer, mark it read-only and give it a strong password; otherwise turn sharing off by clicking the "Not Shared" option, then click "OK".
Also have your firewall block TCP ports 139 and 445 from the Internet, so that sharing, where you do need it, is reachable only from your own network.
NOW you are protected against the NetBIOS attack.





Conclusion: With the development of sophisticated tools and advanced techniques, hacking has become so easy that even a kid can accomplish it. No software or antivirus can keep pace with developments in the field of hacking; perhaps only an aware user (you) can.

REFERENCE BOOKS: