FREQUENCY: INSIDE THE HACKER MIND
DeCSSEMBER 2000

1) Introduction (A Prelude to the Madness)
2) Safe Hacking (Newbie Help), by: DamienAK
3) When The Man Comes Knockin'
4) 10 Questions With Screamer, by: D4sh
5) Anthrax Email, by: Anthrax
6) Intro to Port Scanning, by: Nitr0s 0x1DE
7) Closing Arguments
8) Crew

1) INTRODUCTION
"A PRELUDE TO THE MADNESS"

With the Digital Millennium Copyright Act (DMCA) now in full swing, one may wonder how long it will be before the average consumer's rights to fair use are suddenly disposed of by the US Government, and the far more powerful MPAA (MPA for the rest of the world): the Motion Picture Association of America, which has its finger in almost every form of media out there. And that's why there's little hope of escaping the evils of the DMCA. Many may question its intentions, and some may even say it's there to help the average person. But who, may I ask, benefits from facing prison time of up to 15 years for studying a piece of machinery? The answer is the money-hungry corporations who want to rake in the biggest profit possible, given that the DMCA will (note: not MAY) make it illegal to record a program off of television in the near future...unless of course, you pay for it. The term fair use will fade away as corporations tighten their stranglehold on the already insanely preposterous copyright laws. Yes, the unbelievably greedy money makers will get richer and richer, while you and I suffer the consequences of trying to run our legally purchased DVDs on Linux machines. Even though we're trying to play by the rules, they still want to shut us down. I beg all hackers, as well as common folk, to take a stand against the DMCA.

In other news, I would like to give a big shoutout to the people at undergroundnews.com for hosting this zine and to the members of the message board for all their support. Without all of you this zine would never have existed, never mind become as popular as it has.
Some may be wondering how long the lifespan of this zine will be, and to that I say this: the hacker world will live as long as technology keeps advancing, and technology will keep advancing as long as hackers are around. And with hackers staying around for the long run, it's a safe bet this zine will too. But even after this zine has run its course, which won't be for a long time if I have anything to say about it, the hacker message will continue to live on. Frequency will be here for a while, but it's vital that others get involved and start putting their own message out there. This is not a competition to see whose zine is more popular...it's a struggle against overwhelming odds to get a message out to the general public. I hope you all join me in this struggle.

-screamer

2) SAFE HACKING (NEWBIE HELP)
by: DamienAK

Guidelines For Safe Hacking!

There are a lot of text files on the web that talk about how to hack and give you instructions on penetrating security systems, but what they don't tell you is the things you should do before you start hacking. I'm talking about security, your personal security. You should always be paranoid about everything you do when you are hacking; if you don't know what something is, it is safer to leave it alone and learn something about it first. Here are some of the things you absolutely always should do before any illegal activities, hehe.

1. Never leave your name or handle on the system.

This might sound logical but some people still choose to ignore it. If you hack a website and you put your handle all over the website so that people see who hacked it, you shouldn't be surprised when the Feds come knocking on your door. How? Well... that's what they're paid for. Anybody in a chatroom or on a board could really be an FBI agent sitting in his office somewhere in D.C. roaming the underground for people dumb enough to say "Oh yeah, I hacked this site. Want proof? Here's the root password."
That's all it takes: stupidity, and you have a prison cell guaranteed.

2. Never use your real ISP.

Yes, you heard me right, you should never use your Earthlink or Compuserve account when hacking. All these ISPs that you pay for keep track of who is using their connection at what time and what IP your computer is. So if you try to hack, let's say, topsecretmilitaryfiles.gov and they notice that somebody is poking around in their system, they are able to see the IP that connected to their site and then trace it back to whom it belongs. You should always use a free ISP like NetZero and give them fake information about yourself. That way they can't trace the IP to you.

3. Don't hack from your room.

Although this is not a rule, it is a suggestion. If you have a laptop you should use it and connect it to some phone lines like a payphone or your neighbor's phone line that's hanging right there on the side of the house. Or just forget all that and go to your local library and hack from there. Hack from your school's library if your librarians aren't always checking up on you. Anywhere but your home is the best place to hack.

4. Never delete a file unless...

One of the rules of hacking is that you never delete files or mess up the system you're on. The thing that is o.k. to delete is a log file that tracks the people that have been using the system. You should always delete or modify these if you can. Remember, our only goal is knowledge, we do not destroy or vandalize systems. If you have to delete a file in order to keep yourself safe then do it.

5. Keep all your hacking material safe.

If you have been a bad boy and ignored some of these safety rules you could be facing Feds breaking down your door with a search warrant. In that case you should have all your hacking material in a safe place where nobody can find it. I'm not talking about hacking guides and books and that kind of stuff; that is just stuff to which you have a First Amendment right. When I say hacking material I am talking about any files you might have copied from a hacked system, any password file you might have saved, anything that is proof that you have hacked something. You should always keep these kinds of files on a floppy or CD and hide it somewhere impossible to find. Be creative on this one. Use a place nobody would ever think of looking. Don't store any files on your computer, they will be found very quickly.

6. Don't send Viruses, Trojans or start DOS attacks.

This is why most kids out there are getting busted. They find out how DOS attacks work and they pick the biggest website to try it out on and of course they get caught. Same thing goes for viruses. Those kids that sent the love bug got lucky that their country didn't have any laws against it; I'm not sure where they lived. Same thing goes for Trojans, although these can be quite useful and should be used by the advanced hacker that knows what he is doing. If you really want to be a script kiddie asshole and send a virus, try not getting caught. How, you ask? Figure it out yourself if that is what you want to do.

Well, if you follow these guidelines for safe hacking you should be able to evade any trials and convictions. Of course these are just guidelines that you should always follow; there are many more specific ways to keep yourself safe with different programs and systems. Also there are programs on the web that have stealthy features to hide the IP and make your computer invisible. As good as any program might be, it is never a substitute for the five guidelines above. I do suggest that you find out everything about wingates and how to use them.

Safe Hacking!
DamienAK

p.s.: If you totally ignore all this and do get busted (go figure), don't go off snitching on every other hacker that you know or have heard about to get a couple of years less. I know nobody is going to pass up the chance of getting off easy, but still, I had to say that.
3) WHEN THE MAN COMES KNOCKIN'

The time is 3:27am. While the rest of the country is sleeping you're sitting at your laptop telnetting to some interesting IP addresses you found out there on the net. You know most of the systems, and are easily able to use a few exploits to gain access to them. Once inside, you're fascinated by how this particular sysadmin has chosen to set up his network. The file structure is brilliant, and the information you're able to obtain is priceless. Having satisfied your curiosity for the night, you log out of Linux and shut down your computer. With your head rested on the pillow, you drift off to sleep.

Like watching a nightmare come to life, you open your eyes to find the barrel of an M-16 assault rifle inches from your forehead. You're ordered not to move, and immediately dragged from your bed and down the stairs. Your parents, scared out of their minds, are also being held at gunpoint. You frantically wonder to yourself what the hell is going on. You're not guilty of anything! You have no drugs, you haven't broken any laws, and as far as you're concerned you're the ideal person. Hard worker, well educated...why then are you being dragged from your house at gunpoint? Simple. You're a hacker. It took them a while, but the feds finally caught you. Apparently you entered a computer across state lines and didn't cover your tracks well enough. What is to follow will forever tarnish your life. You will be destroyed in court, and no one will listen to your pleas of innocence. You will be labeled the worst of the worst, and while multiple murderers get parole...they want to throw you away for as long as they can. Congratulations, you are now society's greatest threat.

What kind of world do we live in where the educated are punished for having learned too much? The FBI will say that you're a villain of society because you intrude on people's private property. Do you harm anything? No. Do you damage anything? No. Was any money lost due to your actions? Again, no. I'm sorry, maybe I missed something…why are you being arrested again? What were the M-16s for? Sure, they'll refer to you as "some hacker kid" for the rest of their lives (they being the feds) but they sure didn't think that's all you were when they broke into your house and held your whole family up at gunpoint.

My point for writing this small anecdote? Only to inform, to give people an idea as to what it's like to be charged with being smarter than they want you to be. If you know all about computers then the government will happily welcome you into its family of security experts, but if you use your knowledge for your own enjoyment…you're suddenly the scum of the earth. Well here you are…you only received a few months of jail time…they say you got off lucky (you fucking hacker). They say you can't use a computer (why?! Because you're just a fucking hacker!). And to add insult to injury, you're forbidden to use a cell phone for the next 3 years (well hey, you can hack with that you fucking hacker). So now go home, but don't you dare read a UNIX book…that could be a violation of your probation. We wouldn't want you using your mind would we? Unless of course you were working on making the newest bomb or weapon for the military. In that case, it's ok. Try to do good, and…well you know… …you're just a fucking hacker.

-screamer

4) 20 QUESTIONS WITH SCREAMER
by: D4sh

1. Why the name Screamer?

A) Originally it was just a name that popped into my head while on a message board. While I've been using computers for 10 years, it was only recently that I acquired a handle. But I had first considered calling myself "Scream". Unfortunately, the horror movie of the same name had been released only a few weeks earlier, and I didn't want to copy. I changed it to Screamer, and to add to the coolness of it there was a film called "Arcade" which was about a video game that pulled you in and trapped you inside the game.
Within this game was The Screamer, a dragon skeleton that came screaming through the halls if you stayed on one level too long. It seemed to symbolize me screaming through the wires of cyberspace, exploring all I could, so Screamer it was. Later I wanted to assure that no other "Screamer" out there would be confused with me, so I brought in the last name of Chaotix.

2. If you could choose a different handle, what would it be?

A) There's nothing I would rather call myself, but if I had to choose I'd have a hell of a hard time deciding. There are so many different ways you can go with a handle. You can choose a small, cool sounding one like in The Matrix, or an actual name (i.e. Emmanuel Goldstein). Or you can go my route and make a cool sounding name. I suppose if I had to choose, I would go with Freq (freak) because I've always loved radio and telephones. It may not be the coolest name, but hey, I'm on the spot!

3. How did you first get involved with Hackermind/Frequency?

A) Kind of a funny story actually. I had approached D4sh with the idea of making an ezine, and at first he seemed to love it. We tried to think up names, but couldn't get anything. In fact, he hated the idea of "Frequency." After a little while, my desire to start up this zine overwhelmed me and I started without him. I meant no offense, but I wanted to get it going and worry about the name later. I think (and you'll have to ask him for sure) that once he saw I was serious about the zine he thought it may be a good idea as well, and volunteered to be my webmaster for the site. He was kind enough to host my site and keep it updated, and for that I thank him. Later, I realized that the opinions I had could not wait a month to get out; after all, the hacker/technological world advances far too quickly. For that reason I started up Hackermind, the online radio show companion to Frequency. D4sh gladly hopped on board as my cohost, and we set off making the shows.

4. What's the best thing about doing an online radio show?

A) While it's a shame we can't take calls, I think what I enjoy the most is how I'm able to get my own opinions out to the public. People who tune in every Thursday can hear me speaking to them about things that are very important to myself, D4sh, and most likely many others in the hacker community. It's a wonderful opportunity to get some things off my chest, and the great thing is anyone with a bare bones computer and internet access can put on a show. All you need to do is get a freeware program that allows you to make mp3 files and stream them on www.live365.com. Personally, I would love to see everyone I know have their own show online. It's a wonderful service available to anyone with an internet connection, and should be taken advantage of.

5. If you could change one thing about Hackermind, what would it be?

A) Listener participation definitely. It gets a little lonely doing the show by myself, and even with D4sh we always want to hear how people out there in the world feel about what we're saying. But as we say, people can always email their opinions, or better yet, make their own show!

6. What is the most important issue in the hacker world?

A) In my opinion, it's NOT about convincing the media we aren't criminals. It's NOT about portraying hackers in a good light. The most important thing is that hackers today know what they are, and what they're meant to carry on. Hackers have been at the forefront of technology (and sometimes beyond) since the beginning of time. Hell, Alexander Graham Bell was a hacker! He worked and worked until he created a little device known as a telephone. Hackers nowadays need a swift kick in the ass to remind them that the art of hacking is not about kiddie scripts, but rather exploring systems to see how they work and how they can be made better. It's about learning, and my personal favorite, exploring.

7. What is your opinion of newbies? And do you think people should help them?

A) I think my articles have said it all. "Newbie" is not a derogatory name, it's a name used to refer to someone who is just starting out in computers and computer hacking. But we mustn't give them too many handouts, for the only way they'll learn is by reading and studying themselves. It may be cruel to not give a newbie a simple piece of advice, but if you do, where will it end? From that day forth he'll be asking you for help every step of the way, and that is not how a hacker works. And lastly, the biggest problem with newbies (and the reason why so many hackers hate them) is that they ask questions that can be easily answered by doing a typical web search. By going to google.com or your search engine of choice, and typing in what you're looking for, you can easily find answers to millions of questions you may have. But if you just go to a hacker board and ask, most people become infuriated with your lack of effort.

8. With that in mind, what kind of advice would you give to a newbie if you had to?

A) Go learn about computers and if that's what you love, you'll wind up realizing you're a hacker.

9. Do you feel newbies are treated fairly on message boards and in chat rooms?

A) I think newbies get what they give. A newbie who acts respectable is treated in a likewise fashion. A newbie who acts like an asshole is treated that way in return.

10. What is your definition of the word "hacker"?

A) A hacker is a person who has their own reasons for wanting to explore, study, and/or learn. They're a unique individual in that they have an unquenchable lust for technology that goes far beyond your typical software writer. They're a person with very dynamic views on both the real and cyber worlds, and no matter how many systems they enter they do no harm.
5) ANTHRAX EMAIL
by: Anthrax

Hey,

Well, first I have to say what a great job you're doing and what a great idea this was. I like reading these more than I do listening, but I like the choice, so thanks. But anyway, I just started reading your e-zine about 2 days ago and I have to say I was really intrigued. So I read all three that were out, listening and reading what people had to say, but what people were alluding to was the fact that basically no one likes us... gee, I wonder why??? But it isn't the fact of them liking us, it's the fact of them having to deal with us... no matter what they do there will always be more "hackers" as the term is used. People don't understand the necessity of people like us. Without hackers there would be no updates, no reasons to upgrade software. But we show people and companies how to make their product better.

Your idea of the public's thinking of us is somewhat true...... but I find it not quite fitting me.. I am anti-social and hell yeah I like porn! But it isn't like that is what I do all day. By day I am a normal walking-around type person, but at night I am home beating the shit out of Windows. The press or media, it isn't the fact of them not liking us. Like what ~mxd said, they brainwash people into thinking that we are bad. But imagine what would happen if they liked us... then I don't think it would be as fun. I like it being no one liking what I do; that is why I do it. To me, if they have a problem with what I am doing, fuck them, I don't hurt them and I don't damage, what's the hurt, so get off my back. That's my attitude when I do things. Maybe this can help in some ways. And the last thing I have to say is that I totally agree with you on not damaging but to be learning... but if someone pisses me off, man, you better be ready because shit will hit the fan, and I think it takes a lot to get a real hacker mad.

Anthrax

--A REPLY-

First off I'd like to thank Anthrax for writing in to voice his opinion, as well as for his kind words. But I would like to offer up my opinion, as well as hear from everyone out there. In Anthrax's opinion, the fun part of hacking is the fact that the media doesn't like what we're doing. I think it's good to hear his honest opinion, and I can in no way say that he doesn't really feel this way. What I can say is that I don't agree with this statement personally. I do agree with a lot of things that he says, but to me it would not be a bad thing for the media to at least understand us. I doubt they will ever say how great we are, but where's the fun in being sent to prison just to piss them off? We need to continue to let the media and general public know that we mean no harm, and not take the "rebel without a care" attitude. This will only tarnish the hacker image further, and while this may be appealing to people like Anthrax, I think in the long run it will lead to the eventual demise of the hacker community.

-screamer

As always I invite readers to reply to this, as well as Anthrax himself. Please email me at screamer@hackermind.net .

--END-

6) INTRO TO PORT SCANNING
by: Nitr0s 0x1DE

In my last [brief] article on enumeration I went over some basic ways of building up a profile of a remote system before approaching it, as the stupid saying goes [Know your Enemy]. Anyway, I've been messing =o) around with some IP stack emulators and passive OS fingerprinting tools since.

Nmap --[
Nemesis --[
Snort --[

[NEEDED]
Libnet --[
Libpcap --[

Other tools you might want to look at are:

Hping --
SING --
ISIC --
Icmpush --
p0f --[

This article is a basic overview of what happens under the hood of a port scanner. It is for newbies and people who want to understand how port scanning works. It's informative to some but not for the "experts" :P so go away if you are. =o) NO FLAMING! :D

UDP Scanning
============

First of all I'm going to scan port 111 on my computer, which is not firewalled or filtered in any way, using Nmap's -sU option.
slackware/# nmap -v -sU -P0 -g31337 127.0.0.1 -p111

The following is a UDP packet sent from Nmap to port 111 [rpcinfo], captured using snort.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/05-13:15:57.165935 127.0.0.1:31337 -> 127.0.0.1:111
UDP TTL:49 TOS:0x0 ID:57588 Len: 8
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Nmap reports port 111 as open. As you can see, no packets were received back from my computer, so how does it know? Well, let's use nmap to scan port 112 [nothing] UDP and see what it says.

slackware/# nmap -v -sU -P0 -g31337 127.0.0.1 -p112

Nmap reports port 112 as closed, and this is how it knows: port 112 is closed because it sends an ICMP packet back with a PORT UNREACHABLE message.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/05-13:20:57.165935 127.0.0.1:31337 -> 127.0.0.1:112
UDP TTL:49 TOS:0x0 ID:57588 Len: 8
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/05-13:21:01.727920 127.0.0.1 -> 127.0.0.1
ICMP TTL:255 TOS:0xC0 ID:24
DESTINATION UNREACHABLE: PORT UNREACHABLE
00 00 00 00 45 00 00 1C B5 65 00 00 31 11 D6 69 ....E....e..1..i
7F 00 00 01 7F 00 00 01 C7 22 00 8B 00 08 3A 2E ........."....:.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

There are many other ICMP messages that can be sent back, PORT FILTERED or TTL EXCEEDED for example. If we receive no response from the port, it is open; if we receive ICMP PORT UNREACHABLE it is closed.

TCP Scanning
============

TCP port scanning is used to identify listening ports on a computer the quick and easy way. The worst thing about multithreaded connect() port scanners is that they are too noisy. Many people use programs on Windows and *nix that monitor and log all incoming connections to their computer. Using Nmap's -sT option is similar to what most win9x portscanners do.
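Before the TCP captures that follow, here is an added example (not code from this article, Nmap, Snort or Nemesis) that reads Snort-style capture text like the ones printed throughout this article and gives each probed port the verdict the article derives by hand: UDP silence versus ICMP PORT UNREACHABLE, SYN/ACK versus RST/ACK, and the connect(), SYN half-open and PUSH/FIN/NULL probe patterns covered below. It assumes a made-up scanner 10.0.0.5 and target 10.0.0.9 in place of the article's loopback addresses (so packet direction is unambiguous), recovers the probed UDP port from the IP/UDP header quoted inside the ICMP message, and reports silence as open|filtered rather than open, since a filter that drops the probe looks identical to an open port.

```python
"""Classify probe replies and name the scan technique from Snort-style capture
text, following the article's UDP, SYN and PUSH walkthroughs.  Added example,
not code from the article, Nmap, Snort or Nemesis; SAMPLE is constructed, with
a made-up scanner 10.0.0.5 and target 10.0.0.9 in place of loopback."""
import re
from collections import defaultdict

HDR = re.compile(r"^\d\d/\d\d-[\d:.]+ (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")


def parse_snort(text):
    """One dict per packet: addresses, proto, TCP flag letters and, for ICMP
    port-unreachable, the probed UDP port read from the quoted IP/UDP header."""
    pkts = []
    for line in map(str.strip, text.splitlines()):
        m = HDR.match(line)
        if m:
            pkts.append({"src": m[1], "sport": int(m[2] or 0), "dst": m[3],
                         "dport": int(m[4] or 0), "proto": None,
                         "flags": frozenset(), "unreach": None, "hex": []})
            continue
        if not pkts or not line or line.startswith("=+"):
            continue
        pkt, word = pkts[-1], line.split()[0]
        if word in ("TCP", "UDP", "ICMP"):
            pkt["proto"] = word
        elif pkt["proto"] == "TCP" and " Seq: " in line:
            pkt["flags"] = frozenset(word) & frozenset("SAFRPU")
        elif pkt["proto"] == "ICMP" and "PORT UNREACHABLE" in line:
            pkt["unreach"] = -1               # hex dump of the probe follows
        elif pkt["proto"] == "ICMP" and pkt["unreach"] == -1:
            for tok in line.split():          # stop at Snort's ASCII column
                if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                    break
                pkt["hex"].append(int(tok, 16))
            raw = pkt["hex"][4:]              # skip ICMP's 4 unused bytes
            if len(raw) >= 24:                # quoted IP header + UDP ports
                ihl = (raw[0] & 0x0F) * 4
                pkt["unreach"] = (raw[ihl + 2] << 8) | raw[ihl + 3]
    return pkts


def build_flows(text, scanner):
    """Group by (target, proto, port): what the scanner sent and what came back."""
    flows = defaultdict(lambda: {"sent": [], "got": [], "icmp": 0})
    for p in parse_snort(text):
        if p["src"] == scanner and p["proto"] in ("TCP", "UDP"):
            flows[p["dst"], p["proto"], p["dport"]]["sent"].append(p["flags"])
        elif p["dst"] == scanner and p["proto"] == "TCP":
            flows[p["src"], "TCP", p["sport"]]["got"].append(p["flags"])
        elif p["dst"] == scanner and (p["unreach"] or 0) > 0:
            flows[p["src"], "UDP", p["unreach"]]["icmp"] += 1
    return dict(flows)


def verdict(proto, flow):
    """(technique, state).  Silence never proves 'open': a dropped probe looks
    just like an open UDP or FIN/NULL/PUSH target, hence 'open|filtered'.
    connect() follows the SYN/ACK with a bare ACK; a half-open scan sends RST."""
    sent, got = flow["sent"], flow["got"]
    rst = any("R" in g for g in got)
    if proto == "UDP":
        return "udp", ("closed" if flow["icmp"] else "open|filtered")
    first = sent[0] if sent else frozenset()
    if "S" not in first:                      # FIN, PUSH, URG or NULL probe
        how = "/".join(sorted(first)) or "null"
        return how, ("closed" if rst else "open|filtered")
    if any("A" in g and "R" not in g for g in sent[1:]):
        how = "connect"
    else:
        how = "syn-half-open" if any("R" in g for g in sent[1:]) else "syn"
    if any({"S", "A"} <= g for g in got):
        return how, "open"
    return how, ("closed" if rst else "filtered")


SAMPLE = """\
12/05-13:20:57.165935 10.0.0.5:31337 -> 10.0.0.9:112
UDP TTL:49 TOS:0x0 ID:57588 Len: 8
12/05-13:21:01.727920 10.0.0.9 -> 10.0.0.5
ICMP TTL:255 TOS:0xC0 ID:24
DESTINATION UNREACHABLE: PORT UNREACHABLE
00 00 00 00 45 00 00 1C B5 65 00 00 31 11 D6 69 0A 00 00 05 0A 00 00 09 7A 69 00 70 00 08 00 00 ....E....e..1..i........zi.p....
12/07-13:15:24.124062 10.0.0.5:31337 -> 10.0.0.9:25
TCP TTL:46 TOS:0x0 ID:53502
**S***** Seq: 0x22647000 Ack: 0x0 Win: 0x0
12/07-13:15:24.124308 10.0.0.9:25 -> 10.0.0.5:31337
TCP TTL:64 TOS:0x0 ID:19 DF
**S***A* Seq: 0x72C71D28 Ack: 0x22647001 Win: 0x3ED0
12/07-13:15:24.124342 10.0.0.5:31337 -> 10.0.0.9:25
TCP TTL:255 TOS:0x0 ID:20
****R*** Seq: 0x22647001 Ack: 0x0 Win: 0x0
12/07-16:07:14.142406 10.0.0.5:31337 -> 10.0.0.9:139
TCP TTL:253 TOS:0x0 ID:53502
*****P** Seq: 0x22647000 Ack: 0x0 Win: 0x0
12/07-16:07:14.142480 10.0.0.9:139 -> 10.0.0.5:31337
TCP TTL:255 TOS:0x0 ID:18
****R*A* Seq: 0x0 Ack: 0x22647001 Win: 0x0
"""
```

Running `verdict(k[1], f)` over `build_flows(SAMPLE, "10.0.0.5").items()` yields closed for UDP 112, a SYN half-open probe of open port 25, and a PUSH probe answered by RST/ACK on closed port 139.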
slackware/# nmap -v -sT localhost -p25

12/07-13:14:42.706934 127.0.0.1:1024 -> 127.0.0.1:25
TCP TTL:64 TOS:0x10 ID:19258 DF
**S***** Seq: 0xF3A14E87 Ack: 0x0 Win: 0x3CB0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-13:14:42.707011 127.0.0.1:25 -> 127.0.0.1:1024
TCP TTL:64 TOS:0x0 ID:19259 DF
**S***A* Seq: 0xF3F0170E Ack: 0xF3A14E88 Win: 0x3CB0
TCP Options => MSS: 3884 SackOK TS: 304533 304533 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-13:14:42.707046 127.0.0.1:1024 -> 127.0.0.1:25
TCP TTL:64 TOS:0x10 ID:19260 DF
******A* Seq: 0xF3A14E88 Ack: 0xF3F0170F Win: 0x3CB0
TCP Options => NOP NOP TS: 304533 304533
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-13:14:42.712326 127.0.0.1:25 -> 127.0.0.1:1024
TCP TTL:64 TOS:0x0 ID:19263 DF
*****PA* Seq: 0xF3F0170F Ack: 0xF3A14E88 Win: 0x3CB0
TCP Options => NOP NOP TS: 304533 304533
32 32 30 20 64 61 72 6B 73 74 61 72 20 45 53 4D 220 darkstar ESM
54 50 20 53 65 6E 64 6D 61 69 6C 20 38 2E 39 2E TP Sendmail 8.9.
33 2F 38 2E 39 2E 33 3B 20 54 68 75 2C 20 37 20 3/8.9.3; Thu, 7
44 65 63 20 32 30 30 30 20 31 33 3A 31 34 3A 34 Dec 2000 13:14:4
32 20 47 4D 54 0D 0A 2 GMT..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-13:14:42.722279 127.0.0.1:1024 -> 127.0.0.1:25
TCP TTL:64 TOS:0x0 ID:33 DF
******A* Seq: 0x77411C81 Ack: 0x775935F6 Win: 0x3C69
TCP Options
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-13:14:42.722652 127.0.0.1:1024 -> 127.0.0.1:25
TCP TTL:64 TOS:0x0 ID:36 DF
****R*A* Seq: 0x77411C81 Ack: 0x775935F6 Win: 0x3CB0
TCP Options
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Nmap reports 25 as open.
========================

A SYN packet is sent to port 25. A SYN/ACK packet is sent back to Nmap: request ACKnowledged, waiting to connect. Nmap ACKnowledges, connecting to 25 and waiting for data to be sent. Port 25 sends a PUSH/ACK data packet. Nmap ACKnowledges that the data was received. Nmap closes the connection with a RESET/ACK packet.

That is just an idea of what happens when using win9x portscanners. Nmap has a better way of identifying whether a port is open or not with the -sS option.

TCP SYN (Half Open Scan)
========================

slackware/# nmap -v -sS -P0 -g31337 -p25 127.0.0.1

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-13:15:24.124062 127.0.0.1:31337 -> 127.0.0.1:25
TCP TTL:46 TOS:0x0 ID:53502
**S***** Seq: 0x22647000 Ack: 0x0 Win: 0x0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-13:15:24.124308 127.0.0.1:25 -> 127.0.0.1:31337
TCP TTL:64 TOS:0x0 ID:19 DF
**S***A* Seq: 0x72C71D28 Ack: 0x22647001 Win: 0x3ED0
TCP Options => MSS: 536
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-13:15:24.124342 127.0.0.1:31337 -> 127.0.0.1:25
TCP TTL:255 TOS:0x0 ID:20
****R*** Seq: 0x22647001 Ack: 0x0 Win: 0x0

Nmap reports 25 as open.
========================

A SYN packet is sent to port 25. A SYN/ACK packet responds to Nmap: request ACKnowledged, waiting to connect. Nmap sends a RESET packet closing the connection. Three packets were all that was needed to verify whether the port was open or not. The full connection is not made; we know it's open and that's all we want to know. This technique is stealthier and undetectable on some systems.

How do we know if it's closed? Identifying a closed port gets the same response using SYN or connect(). Look at the following scan on my computer for port 23, which is closed, and see what is sent back: a packet with the RST [reset] flag is sent to me.
slackware/# nmap -v -sS -P0 localhost -p23

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-13:30:24.121736 127.0.0.1:31337 -> 127.0.0.1:23
TCP TTL:46 TOS:0x0 ID:18341
**S***** Seq: 0x22647000 Ack: 0x0 Win: 0xC00
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-13:30:24.121805 127.0.0.1:23 -> 127.0.0.1:31337
TCP TTL:255 TOS:0x0 ID:18
****R*A* Seq: 0x0 Ack: 0x22647001 Win: 0x0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

It ACKnowledges the request but also terminates it with the R flag and no Seq #.

Nmap reports 23 as closed.
=======================

A SYN packet is sent to port 23. Port 23 responds with a RESET/ACK packet. Assuming a remote host is not firewalled or configured to act differently, we should get this response all the time. But what if it is open, and it's just filtered? Tough shit, I'm not going into it. =o)

PUSH scanning
=============

Using nemesis against my computer.

slackware/# nemesis-tcp -v -x31337 -y23 -fP -S127.0.0.1 -D127.0.0.1

Here, nemesis sends one packet with source port 31337 to port 23 with the PUSH flag. This reports back nothing. Look at the packet sent.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-16:05:26.124062 127.0.0.1:31337 -> 127.0.0.1:23
TCP TTL:253 TOS:0x0 ID:53502
*****P** Seq: 0x22647000 Ack: 0x0 Win: 0x0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Now trying with port 139, snort captures one packet sent back with R/A flags.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-16:07:14.1424063 127.0.0.1:31337 -> 127.0.0.1:139
TCP TTL:253 TOS:0x0 ID:53502
*****P** Seq: 0x22647000 Ack: 0x0 Win: 0x0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/07-13:30:24.121805 127.0.0.1:23 -> 127.0.0.1:31337
TCP TTL:255 TOS:0x0 ID:18
****R*A* Seq: 0x0 Ack: 0x22647001 Win: 0x0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

We now know that port 23 is open and port 139 is closed. FIN scanning port 139 on Redhat 6.1 sent an R/A packet; port 23 [telnet] doesn't respond, but is open, as a SYN scan indicates from the SYN/ACK sent back.

TTL:117
Here are some results of scanning NT-4 with Nemesis; 139 is open, 23 is closed.
U[URG] packet to port 23 & 139 sends R/A packets.
R[RESET] packet to port 23 & 139 sent nothing.
F[FIN] packet to port 23 & 139 sends R/A packets.
P[PUSH] packet to both 23 & 139 sends R/A packets.
S[SYN] packet to 23 sends R/A packet.
S[SYN] packet to 139 sends S/A packet.
A[ACK] packet to both 23 & 139 sends R packets.
NULL packet to 23 sent R/A packet & nothing for port 139.

TTL:52
Here are some results of scanning OpenBSD 2.4; port 80 is open, 800 is closed.
U[URG] packet to port 80 & 800 sent nothing.
R[RESET] packet to port 80 & 800 sent nothing.
F[FIN] packet to port 80 & 800 sent nothing.
P[PUSH] packet to port 80 & 800 sent nothing.
S[SYN] packet to port 80 sends S/A packet, 800 sends R/A packet.
A[ACK] packet to port 80 & 800 sent R packet.
NULL packet to port 80 & 800 sent nothing.

TTL:239
Here are some results of scanning Solaris 2.6; port 80 is filtered, 800 is closed.
U[URG] packet to port 80 & 800 sent nothing.
R[RESET] packet to port 80 & 800 sent nothing.
F[FIN] packet to port 80 & 800 sent nothing.
P[PUSH] packet to port 80 & 800 sent nothing.
S[SYN] packet to port 80 sent ICMP:PORT FILTERED message, and the same with port 800.
A[ACK] packet to port 80 & 800 sent R packets.
NULL packet to port 80 sends nothing back, port 800 sends R packet.

From these results we can build up a very basic profile of the characteristics of each operating system. It is not accurate and very minimal, I know; it's just to give you an idea of how to identify a remote operating system. To be more accurate, the UDP, ICMP, ARP and RIP protocols along with sequence prediction, TTL length, etc. should also be used. Ofir Arkin has done some excellent articles on scanning techniques; check out the website for version 1 and 2. This article of mine is not as accurate as it could be; Ofir has a more in-depth discussion on using the ICMP protocol to identify remote operating systems. If you really want to see real time results, download the necessary programs and experiment with them to find out your own. I hope this article has been informative, however short and uninteresting it may have been. Anyway, adios amigos, Merry new year! =o)

.nitr0s (nitr0s@hotmail.com)

7) CLOSING ARGUMENTS

Many readers out there have submitted articles dealing solely with "how-to" information. I would like to take this opportunity to say that if you send in a how-to article, I will post it if you also include an opinion or argument within. By this I mean if you submit an article dealing with how to start hacking, be sure to include a paragraph or two saying what you think about this information, why it's good or bad, how it can be used to help others, etc. etc…. Of course I will never turn anyone away, especially my most dedicated authors, but as Editor-in-Chief it's my job to keep Frequency on track. I've received numerous emails from fans saying how they enjoy this ezine over others because it actually gives people a place to voice their opinions rather than just being another zine telling newbies what to do. And since this is an ezine made by hackers for hackers, I want to make sure the majority is heard. For that reason, I will print technical articles only if they have some sort of argument included. This is your chance to tell people how you feel; make sure to take advantage of that. You may find others share your opinion. Thanks to all my dedicated authors for keeping those articles rolling, I can't wait to see what you have in store for freq5.

This brings me to my next point. From now on, I am going to drop the "Volume 1 Issue 3" title, as I would much rather call whatever issue comes next "freqX", as V1I3 may be a bit more confusing. The issues on www.hackermind.net will remain the same, as I am not one to change the past. But from now on if I make reference to a previous issue all I will say is "freq1" or "freq2" etc. This will only be a reference of course, as I am now including the month at the top of each issue.

Lastly, as you can see above we've gotten rid of the ascii text. IceDog, who was kind enough to submit it, insists it didn't look right, and frankly to save space I figured I'd get rid of it. Plus, now that there is a mailing list for Frequency I'm not sure it would look as good in an email text. Thanks for sending it in Ice, and it will live forever in freq1-3. I hope you agree with me that saving space for more information is the lesser of the two evils.

-Shoutouts-

To D4sh, I hope your recovery is quick and painless man. We miss you on the show, and wish you the best of luck.

8) CREW

Editor-in-Chief - Screamer Chaotix
Webmasta - D4sh
Contributing Writers - DamienAK, Anthrax, Nitr0s 0x1DE

Tune into "Hackermind", the online radio companion to Frequency! Every Thursday, every half hour (give or take) at location 166.90.148.114:9474

And remember, articles for freq5 are due by January 8, 2001!

www.hackermind.net

Dedicated to D4sh