Basics to hacking
Hi, I am currently a computer tech who fixes computers and networks and stuff like that. I recently have found myself up against hackers and realized that to stop them I am going to have to understand how they work and how to hack.
I have set up two computers connected by a simple hub/switch; they have basically no security and no firewalls (I guessed I would need to know how to do the basics before tackling security and stuff like that). I have put a text file in My Documents on computer 1 and my goal is to be able to get to that text file and read it on computer 2, so what do I do now?
Thanks
RedX
At last! Somebody who requires help who is not a complete and utter dimwit. Awesome post, giving us exactly what you need to know. Wow, I wish we had people like this on every day.
Anyway, to answer your question, I can't. You'll have to speak to someone more experienced in this field. I'm sure metsoc, jake or newtype will be more than willing to point you in the right direction.
Will.
The first step to hacking a computer is finding it. Basic scans of a given IP range will get you the information you need to find the computer. Then look for open ports and try to look into those open ports (most likely, since there is no FW, they will all be open ;) ). Then you need to look into getting the NetBIOS name (I am assuming these are Windows machines, seeing as you are talking about My Documents). Then you should see if you can connect to the base hard drive with a NET USE command. This will allow you access to the said computer's hard drive and you will be able to browse around for the said files. If you want any more information PM me and I can give you a few small pointers. (I am a Network Engineer at a company and security IS a large part of our jobs.)
Hope this helped.
redx wrote: Hi, I am currently a computer tech who fixes computers and networks and stuff like that.
Ah, cool. You a CCNA? (I'm currently considering getting it, through a few classes at my school)
So, you want to access the text file huh… What OSs are on these boxen? If it's something simple, or has a NetBIOS share, it could be as easy as connecting to it… Or, it could get a bit more complicated…
Do these boxen have any special services or daemons running? Or are they just standard end-user PCs?
Anyways, I'd be more than happy to help you, feel free to contact me by email (it's in my profile), or on AIM (my nick is n3w7yp3).
Oh yea, if you have a *nix box, you can have some fun with that switch. :)
Right, so I think I get the idea if I was using two XP machines and the overall general idea of hacking now, thanks a lot guys.
I should have been a bit more specific, I am actually using an Apple Mac OS X to hack into Windows. The idea is that I will be able to plug my laptop into a troubled network (Laptop = Mac) and do my stuff from it because it will have all my software on it.
Computer 1 = MS Windows XP
Computer 2 = Apple Mac
On my Mac it has some software which comes with it called Network Utility; using it I have pinged Computer 2 and have successfully sent and received 10 packets. Network Utility also allows you to scan the ports of a specified IP address, and you can specify which ports to scan, or otherwise if you leave the field blank it will scan all the ports. Should I scan only obvious ports (if there are any) or all of them (takes ages… or maybe it is because I am impatient :))
Also, I just want to confirm this: depending on what your firewall is depends on what ports it blocks - is this true? For example: if you have a standard Windows XP Pro firewall on your PC, does it block the same ports as Norton firewall?
CCNA - Getting There :)
Thanks for your comments
RedX
Well, any good firewall will have a default deny. Not sure about Windows' built-in firewall, nor am I sure about Norton. I'm a Linux user, and to be honest don't have a PC running Windows ATM.
Ah, Mac OS X, excellent choice. It's actually derived from FreeBSD, so it's a pretty cool OS. For port scanning, I'd recommend you use nmap (available from http://www.insecure.org).
BTW, you mentioned that you have several devices on this network. Do they have SNMP enabled (UDP port 161)? If so, you can use the `snmpset' and `snmpget' commands to return info about the device. Probably won't help much as they're your devices, but you can actually reconfigure them via `snmpset'.
I'll reply more tomorrow when I'm not so tired, its late and I can't think right now.
But, if I were you, I'd get some alternatives to Apple's Network Utility. It's quite nice and easy to use, but it doesn't give you many options. For instance, the port scan can only scan TCP ports, using a simple TCP connect() scan - no stealth (though stealth is not necessary in this situation). Get nmap, it's great, and you're gonna need it if you wanna scan UDP like n3w7yp3 said.
n3w7yp3 wrote: Ah, Mac OS X, excellent choice. It's actually derived from FreeBSD, so it's a pretty cool OS. For port scanning, I'd recommend you use nmap (available from http://www.insecure.org).
Mac OS X derived from FreeBSD, really! Never knew that. Interesting. I have heard of FreeBSD but haven't looked into it much, is it worth looking at? I am thinking of dual booting Mac OS X and Ubuntu (Linux). Also I just downloaded nmap before reading your post, and I have also seen a lot of different people recommend nmap, so I am going to see what it is like.
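The post above makes a point worth seeing from both sides: a TCP connect() scan completes a full three-way handshake for every open port it finds, so the scanned host's service gets an accept() and, on a real system, a log line. The script below is an added example written for this thread, not code from any poster or from Network Utility or nmap. It opens a throwaway listener on loopback that records every completed connection (standing in for the target's logs), runs a connect() scan against it plus one port known to be closed, and classifies each result as open, closed or filtered the way a scanner would. All hosts, ports and the listener itself are constructed for the demo.

```python
import socket
import threading
import time


def start_logging_listener(port=0):
    """Throwaway TCP listener on loopback (constructed fixture, not a real service).
    It records the peer address of every completed handshake, which is exactly
    what the owner of a scanned host sees in the service's logs."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    hits = []  # (source_ip, source_port) of each accepted connection

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:  # listener closed, stop the thread
                return
            hits.append(peer)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, hits


def connect_scan(host, ports, timeout=0.5):
    """Plain TCP connect() scan, the only kind Network Utility performs.
    open     -> handshake completed (and the target logged us)
    closed   -> RST came back, nothing is listening
    filtered -> no answer at all, usually a firewall dropping the SYN"""
    result = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                result[port] = "open"
            except ConnectionRefusedError:
                result[port] = "closed"
            except (socket.timeout, OSError):
                result[port] = "filtered"
    return result


def demo():
    """Scan one open and one closed loopback port; return the scan result,
    both port numbers and the connections the listener logged."""
    srv, hits = start_logging_listener()
    open_port = srv.getsockname()[1]
    # Find a port that is certainly closed: bind, note the number, release it.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    scan = connect_scan("127.0.0.1", [open_port, closed_port])

    # The handshake finishes in the kernel before accept() runs, so give the
    # listener thread a moment to log the hit before shutting it down.
    deadline = time.time() + 2
    while not hits and time.time() < deadline:
        time.sleep(0.01)
    srv.close()
    return scan, open_port, closed_port, hits


if __name__ == "__main__":
    scan, open_port, closed_port, hits = demo()
    print("scan result:", scan)
    print("connections the listener logged:", hits)
```

The logged `hits` list is the detection side: every "open" verdict the scanner produced corresponds to a connection the target recorded, which is why connect() scans are easy to spot in service logs and why nmap's SYN scan (which never completes the handshake) is called "stealth" by comparison.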
Thanks for all your help guys, also any more information you think I should know or software that would help me in my field please let me know.
Thanks Again
RedX
*nix == Any UNIX variant (Linux, FreeBSD, OpenBSD, AIX, etc).
Well, break out nmap, and see if SNMP is enabled on the devices (nmap -vvv -sU -sV -p161,67,69,777 target_host). In that scan, we're looking for port 161, and 69 (TFTP). 67 is enabled on many Cisco devices (at least according to the unreliable `show ip sockets' command), but I'm not sure what it's for. 777 is just a control port, as nothing should be on it. -sV is for version detection, and -sU specifies a UDP scan.
If you have access to 161, it's possible to actually re-configure the device, provided you have the RW community string. Even if you only have an RO string, it's still possible to grab configuration files, etc. If you have access to TFTP, you can grab the configs that way as well.
If you have an interest in auditing network devices, I highly recommend you read the excellent Hacking Exposed: Cisco Networks. It was published in 2006 (and thus is very recent), and has lots of good info.
Okay, everything set up and running. I am currently not connected to my other PC at the moment though I am connected to my server. I have run a port scan and this is what it has found:
PORT     STATE SERVICE
2/tcp    open  compressnet
3/tcp    open  compressnet
13/tcp   open  daytime
21/tcp   open  ftp
23/tcp   open  telnet
25/tcp   open  smtp
37/tcp   open  time
53/tcp   open  domain
79/tcp   open  finger
80/tcp   open  http
110/tcp  open  pop3
139/tcp  open  netbios-ssn
143/tcp  open  imap
389/tcp  open  ldap
515/tcp  open  printer
617/tcp  open  sco-dtmgr
963/tcp  open  unknown
Right, now:
2 - I am not sure what this is… (compressnet)
3 - The same as above… (compressnet)
13 - Daytime? (daytime)
21 is for uploading and downloading (ftp)
23 this must obviously be the internet service provider (telnet)
25 is for receiving email (smtp)
37 time? Does this keep the server up to standard time, so if you want it to do a certain task at a certain time? (time)
53 is for the domain name which I have registered for the server, www.xxxxxxxx.com.au (domain)
79 finger? hmmm… (finger)
80 is connected to the web (duh!) (http)
110 is for all outgoing email (pop3)
143 imap? (imap)
389 ldap? (ldap)
139 netbios, yes I have got a small idea of what this is, but please just explain it again (netbios-ssn)
515 is for all the printers connected (printer)
617 sco-dtmgr? (sco-dtmgr)
963 unknown - right, does this mean there is nothing there and I can just walk right into the server through this little port unhindered? lol, I guess it is not that easy (unknown)
Would you guys please go over this list and clarify, check and correct anything that I have got wrong or don't know what it is.
Also what is the next step, or what is the weakest port that I should be looking at?
Thanks
RedX
Finger is a pretty good place to start. See who is logged in by typing:
$ finger -l @[IP address or hostname]
You can also finger specific users, by appending their login name before the @ symbol. This is a gold mine for enumeration.
Daytime returns the time. Telnet to the port and see what I mean.
SMTP is for sending email, POP3 or IMAP is for receiving it ;)
IMAP is like a more advanced version of POP3.
LDAP is the Lightweight Directory Access Protocol. It usually stores some kind of data. Many versions of Novell ZENworks store the logon info in an LDAP tree. This service can provide you with all sorts of goodies.
NetBIOS is Windows file sharing, and is notoriously buggy (especially if you're able to initiate a NULL session).
To view more info about the ports, give nmap the -sV argument. That does a version fingerprint (similar to a banner grab).
As far as what to look at next, examine what's going on with finger, and then try some logical passwords against the accounts you've discovered with TELNET. Probably won't get you anywhere though…
Oh yea, one last thing about the DNS server. It's possible to grab all the hosts via a zone transfer (this usually doesn't work, but it may be worth a shot). Type:
$ host -l [site] [server]
So, if my site was example.com and the server's IP was 192.168.1.119, I'd type:
$ host -l example.com 192.168.1.119
Like I said, most DNS servers will not allow zone transfers any more, but it's worth a shot. You may also try pushing it into TCP mode (-T) as DNS is over UDP.
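The scan list RedX posted and the service walkthrough above are a good fit for a small triage script, so here is an added example written for this thread (not code from any poster, and not part of nmap). It parses nmap's "PORT STATE SERVICE" table into records, then groups the open ports by why they matter to the server's owner: cleartext-login services, information leaks like finger and daytime, Windows file sharing, and ports nmap could not name. The scan text is a constructed copy of the one posted earlier; the per-port notes are the editor's own summary, not nmap output. One point the script encodes directly: a service column of "unknown" or "compressnet" is just nmap's name-table lookup for that port number, not evidence of what is really listening or that the port is unprotected, which is exactly what the -sV option is for.

```python
import re

# Constructed copy of the nmap output posted earlier in this thread.
SCAN_OUTPUT = """\
PORT     STATE SERVICE
2/tcp    open  compressnet
3/tcp    open  compressnet
13/tcp   open  daytime
21/tcp   open  ftp
23/tcp   open  telnet
25/tcp   open  smtp
37/tcp   open  time
53/tcp   open  domain
79/tcp   open  finger
80/tcp   open  http
110/tcp  open  pop3
139/tcp  open  netbios-ssn
143/tcp  open  imap
389/tcp  open  ldap
515/tcp  open  printer
617/tcp  open  sco-dtmgr
963/tcp  open  unknown
"""

LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")

# port -> (service name, category, what the owner should do about it).
# Editor's notes, keyed by well-known port number only; nmap's service
# column is a table lookup, so the real listener is confirmed with -sV.
NOTES = {
    13:  ("daytime",     "info",         "prints the clock; legacy inetd toy, disable it"),
    37:  ("time",        "info",         "binary time protocol; legacy, disable it"),
    79:  ("finger",      "info",         "lists logged-in users and account details; disable it"),
    21:  ("ftp",         "cleartext",    "logins cross the wire in the clear; prefer SFTP or FTPS"),
    23:  ("telnet",      "cleartext",    "remote shell with cleartext logins; replace with SSH"),
    110: ("pop3",        "cleartext",    "mail retrieval; use POP3S or restrict to the LAN"),
    143: ("imap",        "cleartext",    "mail retrieval; use IMAPS or restrict to the LAN"),
    389: ("ldap",        "cleartext",    "directory; may allow anonymous binds, require TLS and auth"),
    139: ("netbios-ssn", "file-sharing", "Windows SMB over NetBIOS; block at the perimeter, no null sessions"),
    25:  ("smtp",        "service",      "outbound mail; confirm it is not an open relay"),
    53:  ("domain",      "service",      "DNS; refuse zone transfers (AXFR) from untrusted hosts"),
    80:  ("http",        "service",      "web server; keep it patched"),
    515: ("printer",     "service",      "LPD print spooler; internal use only"),
}


def parse_nmap_ports(text):
    """Turn nmap's 'PORT STATE SERVICE' table into a list of dicts,
    skipping the header and anything that is not a port line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        port, proto, state, service = m.groups()
        records.append({"port": int(port), "proto": proto,
                        "state": state, "service": service})
    return records


def triage(records):
    """Group open ports by category; ports without a note land in 'unidentified'."""
    groups = {}
    for r in records:
        if r["state"] != "open":
            continue
        name, category, note = NOTES.get(r["port"], (
            r["service"], "unidentified",
            "nmap's name is only a port-number lookup; run -sV to see what answers"))
        groups.setdefault(category, []).append((r["port"], name, note))
    return groups


def needs_attention(records):
    """Ports the owner should close or replace first, sorted by number."""
    groups = triage(records)
    return sorted(port for cat in ("cleartext", "info", "file-sharing")
                  for port, _, _ in groups.get(cat, []))


if __name__ == "__main__":
    recs = parse_nmap_ports(SCAN_OUTPUT)
    for cat, items in triage(recs).items():
        print(f"[{cat}]")
        for port, name, note in items:
            print(f"  {port:>5} {name:<12} {note}")
    print("fix first:", needs_attention(recs))
```

Run against the posted scan, `needs_attention` returns the nine ports that carry cleartext logins, leak user or host information, or expose SMB; the four ports nmap could only name from its table (2, 3, 617, 963) come out under "unidentified", which is the cue to re-run with -sV rather than to assume they are either empty or wide open.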
Here's my personal guess on this thread-
It's bullshit. I'm just guessing that's a portscan of his school's main server, given that those are the services enabled, (at least on the firewall level,) and that he would know well in advance what those all were if he ran them himself.
If you want to ask how to do stuff, FINE, don't lie about it.
This is speculation, so don't whine.
Right, I am not going to rant and rave on about you because it will be a waste of forum space and my time but I will say this:
First: This server is mine. A tech friend set it all up for me at the start of last year because back then I knew about as much as a teaspoon about networking. I have not been using it much at all (only to test my skills at programming in JavaScript, SQL and PHP). Now I will admit that I am only a junior tech trying to learn, but I am not getting much experience in network security where I am currently working now, so I thought I would try to teach myself.
Second: The local school has a network set up so badly that a 12 year old could bring it down in a day.
Anyway, Fair enough to question me…
RedX