- Posts: 1700
- Thank you received: 0
Hacked
20 years 2 months ago #2747
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Hacked
A variety of ways.. on windows machines, the most common method would be through someone not having disabled file sharing and the hidden file shares. Other possible ways of breaking into a system would involve using an exploit -- which is code that takes advantage of some vulnerability in the operating system or a program running on the machine -- exploits take advantages of bugs in software programming such as buffer overflows, format string vulnerabilities etc etc.
You might want to read our Introduction to Security paper found here:
www.firewall.cx/articles-network-security.php
if you visit my blog at tftfotw.blogspot.com and go through the archives, you'll find some links to papers on buffer overflows, since these are one of the most common attacks on the net, it makes sense to understand them (at least at a conceptual level).
To be a bit more direct, an IP address is important information to an attacker because exploiting a system remotely is only possible if its on a network.. since the Internet runs on IP (the protocol), the attacker uses IP as the vehicle for his attack.. his attack can attack a program running on the victims machine (for example a webserver), it can attack a bug in the operating system itself (such as what the Blaster worm recently did), or it can attack the TCP/IP stack of the remote machine (such as a denial of service attack like synflooding, ping-of-death, land attacks, smurf attacks etc).
Did I confuse you even more ?
If you have any questions, fire away... this is a good way to sort out issues that a lot of people wonder about.
Perhaps a full demonstration of successfully attacking a target machine might be helpful ?
You might want to read our Introduction to Security paper found here:
www.firewall.cx/articles-network-security.php
if you visit my blog at tftfotw.blogspot.com and go through the archives, you'll find some links to papers on buffer overflows, since these are one of the most common attacks on the net, it makes sense to understand them (at least at a conceptual level).
To be a bit more direct, an IP address is important information to an attacker because exploiting a system remotely is only possible if its on a network.. since the Internet runs on IP (the protocol), the attacker uses IP as the vehicle for his attack.. his attack can attack a program running on the victims machine (for example a webserver), it can attack a bug in the operating system itself (such as what the Blaster worm recently did), or it can attack the TCP/IP stack of the remote machine (such as a denial of service attack like synflooding, ping-of-death, land attacks, smurf attacks etc).
Did I confuse you even more ?
If you have any questions, fire away... this is a good way to sort out issues that a lot of people wonder about.
Perhaps a full demonstration of successfully attacking a target machine might be helpful ?
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 2 months ago #2752
by indebluez
i dont noe..
yeap i read ur aarticle on netwk sec...read it 2ice for it to sink...
2)so with jus a remote ip address, i can actually check to see whter any of his ports like...dns, ftp is open so that i can enter?
3)but dns has to be open all the time right? otherwise we wont be able to translate our pages...isit theres a firewall present there or...so as to deny entry?
4)but how does a person manage to keep a connection witht theremote host to do enough damage...using a trojan?
5)and with connection how does it look? like i cant see the overall picture...how will he be able to mess up the system?how does he do it...
6)i would really like to see the pkt movemt on my pc as well...any packet sniffer u receommed tts easy to use?
7)when i did a ipconfig on my comp i get two ip addresses...
one is autoconfig ip add for netwk bridge...the other is ip add is for my cable modem. why do i have 2? i am using cable modem...isit one is nic ip the other..is for modem int on my comp
thanx!!! so sorry to bug u with so many qn:)
Replied by indebluez on topic Re: Hacked
1)that would be so cool!! can it be shown?maybe a webcast:PPerhaps a full demonstration of successfully attacking a target machine might be helpful ?
i dont noe..
yeap i read ur aarticle on netwk sec...read it 2ice for it to sink...
2)so with jus a remote ip address, i can actually check to see whter any of his ports like...dns, ftp is open so that i can enter?
3)but dns has to be open all the time right? otherwise we wont be able to translate our pages...isit theres a firewall present there or...so as to deny entry?
4)but how does a person manage to keep a connection witht theremote host to do enough damage...using a trojan?
5)and with connection how does it look? like i cant see the overall picture...how will he be able to mess up the system?how does he do it...
6)i would really like to see the pkt movemt on my pc as well...any packet sniffer u receommed tts easy to use?
7)when i did a ipconfig on my comp i get two ip addresses...
one is autoconfig ip add for netwk bridge...the other is ip add is for my cable modem. why do i have 2? i am using cable modem...isit one is nic ip the other..is for modem int on my comp
thanx!!! so sorry to bug u with so many qn:)
20 years 2 months ago #2755
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Hacked
1. Hehe webcast --- on my dial up connection not likely !! Pity though, that would've been fun. You read my article twice... why thank you.. most people would've stopped halfway hehe. Realistically when I said full demo I was thinking of something like a sample attack with screenshots from my machine and a network sniffer. Its a bit difficult for me to do it as I don't have a network at home.. maybe if I can borrow some time on a friends LAN or something. We'll do a visual version of the walkthrough in my article. With full details.
2. Yes, its called portscanning.. and my lazy self has been working on a paper on the subject for a month now.. its one of my pet topics. Each open port represents some service that is 'listening' for a connection.. for example a webserver will listen on port 80, ftp server on 21.. etc etc
3. Well this is an interesting question.. I think that when you type www.hotmail.com , your machine will open a DNS daemon temporarily just till it gets a response from your DNS server. I tested this with my browser.. when it needs to resolve and address it sends the request from a random port between 1400 - 1500 to port 53 of the DNS server.. and the server replies to that port.. but then the 'listener' on your machine shuts down after the transaction. Don't forget that DNS works over UDP, so a session is never established (connectionless protocol).
4. When you say connection do you mean how do they keep the box '0wn3d' so to speak? Well there are a number of ways.. most of the time it involves a backdoor that will 'phone home' to the attacker every so often so he continues to have access.
5. Depending on the type of attack it can 'look' very different. Most of the time the attacker tries to get a command shell on the remote host (like when you open a dos box). So once he has access he will have all the access you would have from a command line. Basically he will literally start a DOS box, but tell it to take input from the network rather than the keyboard.. and send output over the network rather than to the screen. However an attacker can also install tools such as VNC which would let him open the full GUI of his victims machine.. in other words he will see the whole system as if he was in front of the keyboard.. he can then use it just so..
6. I recommend ethereal.. its free.. is a snap to setup, works awesomely, and is very simple.. I also like Iris alot. you can find Iris in the downloads section.. ethereal from www.ethereal.com
7. You see two IP addresses because you technically have two network interfaces one is your LAN bridge and the other your cable connection.. (i assume). You can post the output of your ipconfig command here and I'll help you read it.
Don't worry about firing away the questions.. we enjoy answering
. I always appreciate people who think about how and why something happens rather than just taking information at face value !
Ahhh.. I haven't posted such a long post in a while... feels good !
not likely !! Pity though, that would've been fun. You read my article twice... why thank you.. most people would've stopped halfway hehe. Realistically when I said full demo I was thinking of something like a sample attack with screenshots from my machine and a network sniffer. Its a bit difficult for me to do it as I don't have a network at home.. maybe if I can borrow some time on a friends LAN or something. We'll do a visual version of the walkthrough in my article. With full details.2. Yes, its called portscanning.. and my lazy self has been working on a paper on the subject for a month now.. its one of my pet topics. Each open port represents some service that is 'listening' for a connection.. for example a webserver will listen on port 80, ftp server on 21.. etc etc
3. Well this is an interesting question.. I think that when you type www.hotmail.com , your machine will open a DNS daemon temporarily just till it gets a response from your DNS server. I tested this with my browser.. when it needs to resolve and address it sends the request from a random port between 1400 - 1500 to port 53 of the DNS server.. and the server replies to that port.. but then the 'listener' on your machine shuts down after the transaction. Don't forget that DNS works over UDP, so a session is never established (connectionless protocol).
4. When you say connection do you mean how do they keep the box '0wn3d' so to speak
? Well there are a number of ways.. most of the time it involves a backdoor that will 'phone home' to the attacker every so often so he continues to have access.5. Depending on the type of attack it can 'look' very different. Most of the time the attacker tries to get a command shell on the remote host (like when you open a dos box). So once he has access he will have all the access you would have from a command line. Basically he will literally start a DOS box, but tell it to take input from the network rather than the keyboard.. and send output over the network rather than to the screen. However an attacker can also install tools such as VNC which would let him open the full GUI of his victims machine.. in other words he will see the whole system as if he was in front of the keyboard.. he can then use it just so..
6. I recommend ethereal.. its free.. is a snap to setup, works awesomely, and is very simple.. I also like Iris alot. you can find Iris in the downloads section.. ethereal from www.ethereal.com
7. You see two IP addresses because you technically have two network interfaces one is your LAN bridge and the other your cable connection.. (i assume). You can post the output of your ipconfig command here and I'll help you read it.
Don't worry about firing away the questions.. we enjoy answering
. I always appreciate people who think about how and why something happens rather than just taking information at face value !Ahhh.. I haven't posted such a long post in a while... feels good !
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Time to create page: 0.151 seconds