Here are some common ports and their usual services (there are a lot more):

   Port number   Common service   Example daemon (the "d" stands for daemon)
   21            FTP              ftpd
   23            Telnet           telnetd
   25            SMTP             sendmail (yes!)
   80            HTTP             apache
   110           POP3             qpop


Hacking - 3
MC-tek©
TCP ports and scanning
Have you got your stealth Linux box connected to the internet
(not AOL)?
Have you read the manual as I told you?


Then we shall start with the damn real thing.

First of all, you should know some things about the internet.
It's based on the TCP/IP protocol suite
(plus other protocols layered on top of it).

It works like this: every box has 65,536 TCP ports (numbered 0 to 65535,
and the same again for UDP). Some of them are open, with a program
listening behind them, waiting for your data to be sent.

So you can open a connection and send data to any of these
ports. Each open port is associated with
a service.

Every service is hosted by a DAEMON. A daemon
(or server) is simply a program that runs
on the box, opens its port and offers its damn service over it.
Example:
Example:

when you visit the website http://www.host.com/luser/index.html, your browser does this:
-it connects to TCP port 80 on www.host.com
-it sends the request line "GET /luser/index.html HTTP/1.1", then a "Host: www.host.com" header,
  then an empty line (two 'Enters', i.e. CRLF CRLF, which marks the end of the headers)
  (it really sends a lot more headers than that, but this is the essential part)
-the host answers with a status line ("HTTP/1.1 200 OK"), its own headers, an empty line and then the HTML file
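Here is the exchange above spelled out in working code. This is an added example, not code from the original tutorial: it runs a one-shot HTTP/1.1 server on the loopback interface as a stand-in for www.host.com (a constructed fake, so the script works offline) and then does exactly what the browser does, byte for byte: request line, Host header, blank line, read the reply.

```python
import socket
import threading

# Constructed stand-in for www.host.com: a one-shot HTTP/1.1 server on the
# loopback interface that serves one page and 404s everything else.
HTML = b"<html><body>hello luser</body></html>"


def serve_once(srv):
    """Accept one client, read its request up to the blank line that ends
    the headers, answer, close. Runs in a background thread."""
    conn, _ = srv.accept()
    with conn:
        request = b""
        while b"\r\n\r\n" not in request:  # headers end at the empty line
            chunk = conn.recv(4096)
            if not chunk:
                break
            request += chunk
        request_line = request.split(b"\r\n", 1)[0]
        method, path, version = request_line.split(b" ")
        status = b"200 OK" if path == b"/luser/index.html" else b"404 Not Found"
        body = HTML if status.startswith(b"200") else b""
        conn.sendall(
            version + b" " + status + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Connection: close\r\n"
            b"\r\n" + body
        )
    srv.close()


def start_server():
    """Bind the fake daemon to a free loopback port and return that port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free one
    srv.listen(1)
    threading.Thread(target=serve_once, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]


def http_get(host, port, path, vhost):
    """What the browser does: connect to the TCP port, send the request
    line, the Host header and the empty line, then read until the server
    closes. Returns (status line, body bytes)."""
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {vhost}\r\n"
        "Connection: close\r\n"
        "\r\n"  # the "two Enters": CRLF CRLF ends the header block
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(request)
        response = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            response += chunk
    head, _, body = response.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n")[0].decode("ascii")
    return status_line, body


if __name__ == "__main__":
    port = start_server()
    status, body = http_get("127.0.0.1", port, "/luser/index.html", "www.host.com")
    print(status)
    print(body.decode())
```

Change `http_get("127.0.0.1", port, ...)` to a real host and port 80 and you get the same status line back from a real web server; the Host header is what lets one IP address serve many web sites.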

The interesting thing about daemons is that they often have really serious security bugs.

That's why we want to know which daemons are running there, so...

We need to know which ports are open on the box we want to hack.

How can we get that information?

We gotta use a scanner. A scanner is a program that tries to
connect to every port on the box and tells us which of them are open.
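To make the idea concrete, here is a minimal connect() scanner as an added example (not from the tutorial and not nmap's code). It classifies each port by what the connect attempt does (handshake completed: open; RST / connection refused: closed; nothing back before the timeout: filtered, usually a packet filter dropping the SYN) and grabs whatever greeting the daemon sends first. The targets are constructed fake daemons on 127.0.0.1 so the script runs offline; point `scan()` at a real host and port list otherwise.

```python
import socket
import threading


def fake_daemon(banner):
    """Constructed stand-in for a daemon: listens on a free loopback port,
    greets the first client with `banner`, then closes. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port():
    """Bind and release a socket to find a port nothing is listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=1.0):
    """Full TCP connect() to one port (what 'nmap -sT' does).
    Returns (state, banner): 'open' if the three-way handshake completed,
    'closed' if the host answered with a RST (connection refused),
    'filtered' if nothing came back before the timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", b""
    except (socket.timeout, OSError):
        s.close()
        return "filtered", b""
    try:
        banner = s.recv(1024)  # FTP, SMTP and POP3 daemons talk first
    except socket.timeout:
        banner = b""  # HTTP-style daemons wait for us to speak
    finally:
        s.close()
    return "open", banner.strip()


def scan(host, ports, timeout=1.0):
    """Probe every port in `ports`; return {port: (state, banner)}."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Constructed targets: two fake daemons and one port with nothing behind it.
    targets = [
        fake_daemon(b"220 target.edu FTP server (SunOS 5.6) ready.\r\n"),
        fake_daemon(b"220 target.edu ESMTP Sendmail 8.11.0/8.9.3; "
                    b"Sun, 24 Sep 2000 09:18:14 -0400 (EDT)\r\n"),
        free_closed_port(),
    ]
    for port, (state, banner) in scan("127.0.0.1", targets, timeout=2.0).items():
        print(f"{port}/tcp  {state:9} {banner.decode(errors='replace')}")
```

This is a connect scan, so every open port you touch shows up in the daemon's log as a completed connection; the SYN scan discussed later avoids exactly that.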

The best scanner I can think of is nmap, created by Fyodor.
You can get nmap from my site in tarball or rpm format.

Let's install nmap from an .rpm package (you need to be root for this):

    bash-2.03$ rpm -i nmap-2.53-1.i386.rpm

then we run it (the SYN scan, -sS, builds raw packets, so run it as root too):

    bash-2.03$ nmap -sS target.edu

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Interesting ports on target.edu (xx.xx.xx.xx):
    (The 1518 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     open        ftp
    23/tcp     open        telnet
    25/tcp     open        smtp
    80/tcp     open        http
    110/tcp    open        pop3


    Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds


Nmap has told us which ports are open on target.edu and thus what services it's offering.

I know, I said telnet is a service, but it is also a program (don't let this confuse you).
The telnet client can open a TCP connection to any port you specify, not just port 23.

So let's see what's on those ports.

On your linux console, type:

    bash-2.03$ telnet target.edu 21
    Trying xx.xx.xx.xx...
    Connected to target.edu.
    Escape character is '^]'.
    220 target.edu FTP server (SunOS 5.6) ready.
    quit
    221 Goodbye.
    Connection closed by foreign host.

You see?
They give away some valuable information:
-their operating system is SunOS 5.6 (Solaris 2.6), or at least that's what the banner claims
-their FTP daemon is the standard one shipped with the OS (the stock ftpd prints the OS release in its greeting)

    bash-2.03$ telnet target.edu 25
    Trying xx.xx.xx.xx...
    Connected to target.edu.
    Escape character is '^]'.
    220 target.edu ESMTP Sendmail 8.11.0/8.9.3; Sun, 24 Sep 2000 09:18:14 -0400 (EDT)
    quit
    221 2.0.0 target.edu closing connection
    Connection closed by foreign host.

They like to tell us everything:
-their SMTP daemon is sendmail
-its version is 8.11.0 (the 8.9.3 after the slash is the version of its sendmail.cf configuration file, which sendmail prints in the greeting as well)

Experiment with other ports to discover other daemons.

Why is this information useful to us? Because the security bugs that can let us in depend
on the OS and on the exact daemons and versions they are running.

But there is a problem here... such information can be faked!

It's difficult to really know what daemons they are running, but we can get a much more
trustworthy answer about the operating system by having nmap fingerprint the TCP/IP stack
itself (-O; like -sS it needs root):

    bash-2.03$ nmap -sS -O target.edu

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Interesting ports on target.edu (xx.xx.xx.xx):
    (The 1518 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     open        ftp
    23/tcp     open        telnet
    25/tcp     open        smtp
    80/tcp     open        http
    110/tcp    open        pop3

    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=937544 (Good luck!)
    Remote operating system guess: Linux 2.1.122 - 2.2.14

    Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds

Hey, wasn't it SunOS 5.6? Damn, they're a bunch of lame fakers!
We now know the host is running a Linux kernel of the 2.2 family (2.1.x was its development
series). It'd be useful to know the distribution too, but the information we've already
gathered should be enough.

This nmap feature is cool, isn't it? Even if they've tried to fool us with the banners, we can
still tell what OS is there, because the fingerprint comes from how the kernel's TCP/IP stack
answers odd probes (TCP options, window sizes, replies to illegal flag combinations), which is
far harder to fake than a text banner. It's still a guess, though: nmap says so itself, and a
patched stack or a proxy in front of the box can mislead it.

Also take a look at the TCP Sequence Prediction line. Every TCP connection starts with an
Initial Sequence Number (ISN) chosen by the host. If you scan a host and nmap tells you the
difficulty is low, its ISNs are predictable, and that is what makes blind spoofing attacks
possible: an attacker sending packets from a forged source address never sees the SYN-ACK, so
they have to guess the ISN in it to finish the handshake. This usually happens with Windows
(9x or NT) boxes of that era, which nmap reports as a "trivial time dependency".
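The following added example (not from the tutorial, and not nmap's algorithm) shows why a low difficulty matters. Two constructed ISN generators stand in for a target's TCP stack: one follows the old 4.2BSD "64K rule" (add 64000 per connection), the other hands out fresh random values. `difficulty()` is a rough score in the spirit of nmap's line (the spread of the deltas between successive ISNs; the real formula differs), and `spoof_success_rate()` plays the blind spoofer who has watched a few ISNs on his own connections and must guess the next one to complete a handshake he cannot see.

```python
import os
import statistics

MASK = 0xFFFFFFFF  # sequence numbers are 32-bit and wrap


def bsd_style_isn():
    """4.2BSD-style stack: the ISN counter grows by a fixed 64000 for every
    new connection (nmap calls this class the '64K rule')."""
    isn = 0x12345678
    while True:
        isn = (isn + 64000) & MASK
        yield isn


def random_isn():
    """What a modern stack does: a fresh unpredictable 32-bit value each
    time (nmap: 'truly random' / 'random positive increments')."""
    while True:
        yield int.from_bytes(os.urandom(4), "big")


def sample(gen, n):
    """Observe n ISNs, as you would by opening n connections yourself."""
    return [next(gen) for _ in range(n)]


def deltas(isns):
    """Differences between successive ISNs, modulo 2**32."""
    return [(b - a) & MASK for a, b in zip(isns, isns[1:])]


def difficulty(isns):
    """Rough predictability score: standard deviation of the deltas.
    A fixed rule scores 0; random ISNs score around 1.2e9. Illustrative,
    not nmap's exact 'Difficulty' computation."""
    return statistics.pstdev(deltas(isns))


def guess_next(isns):
    """The blind spoofer's move: extrapolate the next ISN from the mean
    delta of the ones already observed."""
    return (isns[-1] + round(statistics.mean(deltas(isns)))) & MASK


def spoof_success_rate(gen_factory, probes=8, trials=200):
    """Fraction of trials in which a guess based on `probes` observed
    ISNs hits the very next ISN exactly (the one the spoofed connection
    would have to acknowledge without ever seeing it)."""
    hits = 0
    for _ in range(trials):
        gen = gen_factory()
        seen = sample(gen, probes)
        if guess_next(seen) == next(gen):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for name, factory in (("64K rule", bsd_style_isn), ("random", random_isn)):
        isns = sample(factory(), 50)
        print(f"{name:9} difficulty={difficulty(isns):.0f} "
              f"spoof hit rate={spoof_success_rate(factory):.2f}")
```

With the 64K rule the spoofer is right every time; with random ISNs the chance of an exact hit is about one in four billion per attempt, which is the "Good luck!" in nmap's output.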

Ok, we've scanned the target. If the admins detect that we've scanned them, they could get angry,
and we don't want the admins to get angry with us. That's why we used the -sS option: a SYN scan
never completes the three-way handshake (nmap answers the SYN-ACK with a RST), so the daemon
behind the port never sees a connection and logs nothing. The kernel, a packet filter or an IDS
can still see the half-open SYNs, though, so "stealth" is relative. Whether scanning is legal
depends on where you are and whose box it is, so stick to hosts you're allowed to touch. If you
want to make better use of nmap's features, read its man page:    bash-2.03$ man nmap

All rights and lefts reserved to MC-tek © 2006