WELCOME TO MS DOS. DOS CAN BE A WAY OF GETTING MANY OF THE FEATURES OF UNIX WITHOUT GETTING A NEW OS (OPERATING SYSTEM). CHECK OUT THE THANKS TO SECTION FOR THE SOURCES OF THIS INFO IN THIS TEXT. THANKS A LOT TO THE GUIDE TO MOSTLY HARMLESS HACKING. BEFORE YOU STARTED, YOU SHOULD KNOW HOW TO OPEN MS DOS. BRING UP YOUR DOS WINDOW BY CLICKING START THEN PROGRAMS THEN MS-DOS.
CONFIGURING MSDOS
I'VE FOUND IT EASIER TO USE DOS IN A WINDOW WITH A TASK BAR WHICH YOU CAN COPY AND PASTE COMMANDS AND EASILY SWITCH BETWEEN WINDOWS AND
DOS PROGAMS. IF YOUR DOS COMES UP AS A FULL SCREEN, PRESS ALT AND ENTER TOGETHER. THEN IF YOU ARE MISSING YOUR TASK BAR, CLICK THE SYSTEM MENU ON THE LEFT SIDE OF THE DOS WINDOW CAPTION AND SELECT TOOLBAR. NOW YOU CAN USE 8 UTILITIES FOR HACKING. THEY ARE TELNET, ARP, FTP, NETSTAT, PING, ROUTE, AND TRACERT.
DOS COMMANDS
cd c:\ CHANGE DIRECTORY TO C:\
dir GET ALL FILES IN CURRENT FOLDER
telnet EXECUTE TELNET(U HAVE TO BE IN C:WINDOWS)
tracert 127.0.0.1 TRACE THE ROUTE FROM ONE COMPUTER TO THE NEXT
arp GET HELP ON HOW TO USE ARP
nbtstat GET HELP ON HOW TO USE NBSTAT
ping GET HELP ON HOW TO USE PING
route GET HELP ON HOW TO USE ROUTE
netstat? GET HELP ON NETSTAT
ftp FTP PROGRAM
? GET HELP ON HOW TO USE FTP(MUST ALLREADY BE IN FTP PROG)
TELNET
With the DOS telnet you can actually port surf almost as well as from a Unix
telnet program. But there are several tricks you need to learn in order to make
this work.
First, we'll try out logging on to a strange computer somewhere. This is a phun
thing to show your friends who don't have a clue because it can scare the heck
out them. Honest, I just tried this out on a neighbor. He got so worried that
when he got home he called my husband and begged him to keep me from hacking his
work computer!
To do this (I mean log on to a strange computer, not scare your neighbors) go to
the DOS prompt C:\WINDOWS> and give the command "telnet." This brings up a
telnet screen. Click on Connect, then click Remote System.
This brings up a box that asks you for "Host Name." Type "whois.internic.net"
into this box. Below that it asks for "Port" and has the default value of
"telnet." Leave in "telnet" for the port selection. Below that is a box for
"TermType." I recommend picking VT100 because, well, just because I like it
best.
The first thing you can do to frighten your neighbors and impress your friends
is a "whois." Click on Connect and you will soon get a prompt that looks like
this:
[vt100]InterNIC>
Then ask your friend or neighbor his or her email address. Then at this InterNIC
prompt, type in the last two parts of your friend's email address. For example,
if the address is "luser@aol.com," type in "aol.com."
Now I'm picking AOL for this lesson because it is really hard to hack. Almost
any other on-line service will be easier.
For AOL we get the answer:
[vt100] InterNIC > whois aol.com
Connecting to the rs Database . . . . . .
Connected to the rs Database
America Online (AOL-DOM)
12100 Sunrise Valley Drive
Reston, Virginia 22091
USA
Domain Name: AOL.COM
Administrative Contact:
O'Donnell, David B (DBO3) PMDAtropos@AOL.COM
703/453-4255 (FAX) 703/453-4102
Technical Contact, Zone Contact:
America Online (AOL-NOC) trouble@aol.net
703-453-5862
Billing Contact:
Barrett, Joe (JB4302) BarrettJG@AOL.COM
703-453-4160 (FAX) 703-453-4001
Record last updated on 13-Mar-97.
Record created on 22-Jun-95.
Domain servers in listed order:
DNS-01.AOL.COM 152.163.199.42
DNS-02.AOL.COM 152.163.199.56
DNS-AOL.ANS.NET 198.83.210.28
These last three lines give the names of some computers that work for America
Online (AOL). If we want to hack AOL, these are a good place to start.
*********************************
Newbie note: We just got info on three "domain name servers" for AOL. "Aol.com"
is the domain name for AOL, and the domain servers are the computers that hold
information that tells the rest of the Internet how to send messages to AOL
computers and email addresses.
*********************************
*********************************
Evil genius tip: Using your Win 95 and an Internet connection, you can run a
whois query from many other computers, as well. Telnet to your target computer's
port 43 and if it lets you get on it, give your query.
Example: telnet to nic.ddn.mil, port 43. Once connected type "whois
DNS-01.AOL.COM," or whatever name you want to check out. However, this only
works on computers that are running the whois service on port 43.
Warning: show this trick to your neighbors and they will really be terrified.
They just saw you accessing a US military computer! But it's OK, nic.ddn.mil is
open to the public on many of its ports. Check out its Web site www.nic.ddn.mil
and its ftp site, too -- they are a mother lode of information that is good for
hacking.
*********************************
Next I tried a little port surfing on DNS-01.AOL.COM but couldn't find any ports
open. So it's a safe bet this computer is behind the AOL firewall.
**********************************
Newbie note: port surfing means to attempt to access a computer through several
different ports. A port is any way you get information into or out of a
computer. For example, port 23 is the one you usually use to log into a shell
account. Port 25 is used to send email. Port 80 is for the Web. There are
thousands of designated ports, but any particular computer may be running only
three or four ports. On your home computer your ports include the monitor,
keyboard, and modem.
TRACERT
So what do we do next? We close the telnet program and go back to the DOS
window. At the DOS prompt we give the command "tracert 152.163.199.42." Or we
could give the command "tracert DNS-01.AOL.COM." Either way we'll get the same
result. This command will trace the route that a message takes, hopping from one
computer to another, as it travels from my computer to this AOL domain server
computer. Here's what we get:
C:\WINDOWS>tracert 152.163.199.42
Tracing route to dns-01.aol.com [152.163.199.42]
over a maximum of 30 hops:
1 * * * Request timed out.
2 150 ms 144 ms 138 ms 204.134.78.201
3 375 ms 299 ms 196 ms glory-cyberport.nm.westnet.net [204.134.78.33]
4 271 ms * 201 ms enss365.nm.org [129.121.1.3]
5 229 ms 216 ms 213 ms h4-0.cnss116.Albuquerque.t3.ans.net
[192.103.74.45]
6 223 ms 236 ms 229 ms f2.t112-0.Albuquerque.t3.ans.net
[140.222.112.221]
7 248 ms 269 ms 257 ms h14.t64-0.Houston.t3.ans.net [140.223.65.9]
8 178 ms 212 ms 196 ms h14.t80-1.St-Louis.t3.ans.net [140.223.65.14]
9 316 ms * 298 ms h12.t60-0.Reston.t3.ans.net [140.223.61.9]
10 315 ms 333 ms 331 ms 207.25.134.189
11 * * * Request timed out.
12 * * * Request timed out.
13 207.25.134.189 reports: Destination net unreachable.
What the heck is all this stuff? The number to the left is the number of
computers the route has been traced through. The "150 ms" stuff is how long, in
thousandths of a second, it takes to send a message to and from that computer.
Since a message can take a different length of time every time you send it,
tracert times the trip three times. The "*" means the trip was taking too long
so tracert said "forget it." After the timing info comes the name of the
computer the message reached, first in a form that is easy for a human to
remember, then in a form -- numbers -- that a computer prefers.
"Destination net unreachable" probably means tracert hit a firewall.
Let's try the second AOL domain server.
C:\WINDOWS>tracert 152.163.199.56
Tracing route to dns-02.aol.com [152.163.199.56]
over a maximum of 30 hops:
1 * * * Request timed out.
2 142 ms 140 ms 137 ms 204.134.78.201
3 246 ms 194 ms 241 ms glory-cyberport.nm.westnet.net [204.134.78.33]
4 154 ms 185 ms 247 ms enss365.nm.org [129.121.1.3]
5 475 ms 278 ms 325 ms h4-0.cnss116.Albuquerque.t3.ans.net [192.103.74.
45]
6 181 ms 187 ms 290 ms f2.t112-0.Albuquerque.t3.ans.net [140.222.112.22
1]
7 162 ms 217 ms 199 ms h14.t64-0.Houston.t3.ans.net [140.223.65.9]
8 210 ms 212 ms 248 ms h14.t80-1.St-Louis.t3.ans.net [140.223.65.14]
9 207 ms * 208 ms h12.t60-0.Reston.t3.ans.net [140.223.61.9]
10 338 ms 518 ms 381 ms 207.25.134.189
11 * * * Request timed out.
12 * * * Request timed out.
13 207.25.134.189 reports: Destination net unreachable.
Note that both tracerts ended at the same computer named
h12.t60-0.Reston.t3.ans.net. Since AOL is headquartered in Reston, Virginia,
it's a good bet this is a computer that directly feeds stuff into AOL. But we
notice that h12.t60-0.Reston.t3.ans.net , h14.t80-1.St-Louis.t3.ans.net,
h14.t64-0.Houston.t3.ans.net and Albuquerque.t3.ans.net all have numerical names
beginning with 140, and names that end with "ans.net." So it's a good guess that
they all belong to the same company. Also, that "t3" in each name suggests these
computers are routers on a T3 communications backbone for the Internet.
Next let's check out that final AOL domain server:
C:\WINDOWS>tracert 198.83.210.28
Tracing route to dns-aol.ans.net [198.83.210.28]
over a maximum of 30 hops:
1 * * * Request timed out.
2 138 ms 145 ms 135 ms 204.134.78.201
3 212 ms 191 ms 181 ms glory-cyberport.nm.westnet.net [204.134.78.33]
4 166 ms 228 ms 189 ms enss365.nm.org [129.121.1.3]
5 148 ms 138 ms 177 ms h4-0.cnss116.Albuquerque.t3.ans.net [192.103.74.
45]
6 284 ms 296 ms 178 ms f2.t112-0.Albuquerque.t3.ans.net [140.222.112.22
1]
7 298 ms 279 ms 277 ms h14.t64-0.Houston.t3.ans.net [140.223.65.9]
8 238 ms 234 ms 263 ms h14.t104-0.Atlanta.t3.ans.net [140.223.65.18]
9 301 ms 257 ms 250 ms dns-aol.ans.net [198.83.210.28]
Trace complete.
Hey, we finally got all the way through to something we can be pretty certain is
an AOL box, and it looks like it's outside the firewall! But look at how the
tracert took a different path this time, going through Atlanta instead of St.
Louis and Reston. But we are still looking at ans.net addresses with T3s, so
this last nameserver is using the same network as the others.
Now what can we do next to get luser@aol.com really wondering if you could
actually break into his account? We're going to do some port surfing on this
last AOL domain name server!
WHOIS
TELNET TO A WHO IS SERVER. LETS USE RESTON AS THE VITIM OF WHOIS. Now let's check out that Reston computer. I select Remote Host again and enter
the name h12.t60-0.Reston.t3.ans.net. I try some port surfing without success.
This is a seriously locked down box! What do we do next?
So first we remove that "local echo" feature, then we telnet back to
whois.internic. We ask about this ans.net outfit that offers links to AOL:
[vt100] InterNIC > whois ans.net
Connecting to the rs Database . . . . . .
Connected to the rs Database
ANS CO+RE Systems, Inc. (ANS-DOM)
100 Clearbrook Road
Elmsford, NY 10523
Domain Name: ANS.NET
Administrative Contact:
Hershman, Ittai (IH4) ittai@ANS.NET
(914) 789-5337
Technical Contact:
ANS Network Operations Center (ANS-NOC) noc@ans.net
1-800-456-6300
Zone Contact:
ANS Hostmaster (AH-ORG) hostmaster@ANS.NET
(800)456-6300 fax: (914)789-5310
Record last updated on 03-Jan-97.
Record created on 27-Sep-90.
Domain servers in listed order:
NS.ANS.NET 192.103.63.100
NIS.ANS.NET 147.225.1.2
Now if you wanted to be a really evil hacker you could call that 800 number and
try to social engineer a password out of somebody who works for this network.
OTHERS
USE THE HELP COMMANDS SHOWN IN DOS COMMANDS
EXAMPLE
This lesson will tell you how, armed with even the lamest of on-line services
such as America Online and the Windows 95 operating system, you can do some
fairly serious Internet hacking -- today!
In this lesson we will learn how to:
╖ Use secret Windows 95 DOS commands to track down and port surf computers used
by famous on-line service providers.
╖ Telnet to computers that will let you use the invaluable hacker tools of
whois, nslookup, and dig.
╖ Download hacker tools such as port scanners and password crackers designed for
use with Windows.
╖ Use Internet Explorer to evade restrictions on what programs you can run on
your school or work computers.
Yes, I can hear jericho and Rogue Agent and all the other Super Duper hackers on
this list laughing. I'll bet already they have quit reading this and are
furiously emailing me flames and making phun of me in 2600 meetings. Windows
hacking? Pooh!
Tell seasoned hackers that you use Windows and they will laugh at you. They'll
tell you to go away and don't come back until you're armed with a shell account
or some sort of Unix on your PC. Actually, I have long shared their opinion.
Shoot, most of the time hacking from Windoze is like using a 1969 Volkswagon to
race against a dragster using one of VP Racing's high-tech fuels.
But there actually is a good reason to learn to hack from Windows. Some of your
best tools for probing and manipulating Windows networks are found only on
Windows NT. Furthermore, with Win 95 you can practice the Registry hacking that
is central to working your will on Win NT servers and the networks they
administer.
In fact, if you want to become a serious hacker, you eventually will have to
learn Windows. This is because Windows NT is fast taking over the Internet from
Unix. An IDC report projects that the Unix-based Web server market share will
fall from the 65% of 1995 to only 25% by the year 2000. The Windows NT share is
projected to grow to 32%. This weak future for Unix Web servers is reinforced
by an IDC report reporting that market share of all Unix systems is now falling
at a compound annual rate of decline of -17% for the foreseeable future, while
Windows NT is growing in market share by 20% per year. (Mark Winther, "The
Global Market for Public and Private Internet Server Software," IDC #11202,
April 1996, 10, 11.)
So if you want to keep up your hacking skills, you're going to have to get wise
to Windows. One of these days we're going to be sniggering at all those
Unix-only hackers.
Besides, even poor, pitiful Windows 95 now can take advantage of lots of free
hacker tools that give it much of the power of Unix.
Since this is a beginners' lesson, we'll go straight to the Big Question: "All I
got is AOL and a Win 95 box. Can I still learn how to hack?"
Yes, yes, yes!
The secret to hacking from AOL/Win 95 -- or from any on-line service that gives
you access to the World Wide Web -- is hidden in Win 95's MS-DOS (DOS 7.0).
DOS 7.0 offers several Internet tools, none of which are documented in either
the standard Windows or DOS help features. But you're getting the chance to
learn these hidden features today.
So to get going with today's lesson, use AOL or whatever lame on-line service
you may have and make the kind of connection you use to get on the Web (this
will be a PPP or SLIP connection). Then minimize your Web browser and prepare to
hack! Next, bring up your DOS window by clicking Start, then Programs, then
MS-DOS.
For best hacking I've found it easier to use DOS in a window with a task bar
which allows me to cut and paste commands and easily switch between Windows and
DOS programs. If your DOS comes up as a full screen, hold down the Alt key while
hitting enter, and it will go into a window. Then if you are missing the task
bar, click the system menu on the left side of the DOS window caption and select
Toolbar.
Now you have the option of eight TCP/IP utilities to play with: telnet, arp,
ftp, nbtstat, netstat, ping, route, and tracert.
Telnet is the biggie. You can also access the telnet program directly from
Windows. But while hacking you may need the other utilities that can only be
used from DOS, so I like to call telnet from DOS.
With the DOS telnet you can actually port surf almost as well as from a Unix
telnet program. But there are several tricks you need to learn in order to make
this work.
First, we'll try out logging on to a strange computer somewhere. This is a phun
thing to show your friends who don't have a clue because it can scare the heck
out them. Honest, I just tried this out on a neighbor. He got so worried that
when he got home he called my husband and begged him to keep me from hacking his
work computer!
To do this (I mean log on to a strange computer, not scare your neighbors) go to
the DOS prompt C:\WINDOWS> and give the command "telnet." This brings up a
telnet screen. Click on Connect, then click Remote System.
This brings up a box that asks you for "Host Name." Type "whois.internic.net"
into this box. Below that it asks for "Port" and has the default value of
"telnet." Leave in "telnet" for the port selection. Below that is a box for
"TermType." I recommend picking VT100 because, well, just because I like it
best.
The first thing you can do to frighten your neighbors and impress your friends
is a "whois." Click on Connect and you will soon get a prompt that looks like
this:
[vt100]InterNIC>
Then ask your friend or neighbor his or her email address. Then at this InterNIC
prompt, type in the last two parts of your friend's email address. For example,
if the address is "luser@aol.com," type in "aol.com."
Now I'm picking AOL for this lesson because it is really hard to hack. Almost
any other on-line service will be easier.
For AOL we get the answer:
[vt100] InterNIC > whois aol.com
Connecting to the rs Database . . . . . .
Connected to the rs Database
America Online (AOL-DOM)
12100 Sunrise Valley Drive
Reston, Virginia 22091
USA
Domain Name: AOL.COM
Administrative Contact:
O'Donnell, David B (DBO3) PMDAtropos@AOL.COM
703/453-4255 (FAX) 703/453-4102
Technical Contact, Zone Contact:
America Online (AOL-NOC) trouble@aol.net
703-453-5862
Billing Contact:
Barrett, Joe (JB4302) BarrettJG@AOL.COM
703-453-4160 (FAX) 703-453-4001
Record last updated on 13-Mar-97.
Record created on 22-Jun-95.
Domain servers in listed order:
DNS-01.AOL.COM 152.163.199.42
DNS-02.AOL.COM 152.163.199.56
DNS-AOL.ANS.NET 198.83.210.28
These last three lines give the names of some computers that work for America
Online (AOL). If we want to hack AOL, these are a good place to start.
*********************************
Newbie note: We just got info on three "domain name servers" for AOL. "Aol.com"
is the domain name for AOL, and the domain servers are the computers that hold
information that tells the rest of the Internet how to send messages to AOL
computers and email addresses.
*********************************
*********************************
Evil genius tip: Using your Win 95 and an Internet connection, you can run a
whois query from many other computers, as well. Telnet to your target computer's
port 43 and if it lets you get on it, give your query.
Example: telnet to nic.ddn.mil, port 43. Once connected type "whois
DNS-01.AOL.COM," or whatever name you want to check out. However, this only
works on computers that are running the whois service on port 43.
Warning: show this trick to your neighbors and they will really be terrified.
They just saw you accessing a US military computer! But it's OK, nic.ddn.mil is
open to the public on many of its ports. Check out its Web site www.nic.ddn.mil
and its ftp site, too -- they are a mother lode of information that is good for
hacking.
*********************************
Next I tried a little port surfing on DNS-01.AOL.COM but couldn't find any ports
open. So it's a safe bet this computer is behind the AOL firewall.
**********************************
Newbie note: port surfing means to attempt to access a computer through several
different ports. A port is any way you get information into or out of a
computer. For example, port 23 is the one you usually use to log into a shell
account. Port 25 is used to send email. Port 80 is for the Web. There are
thousands of designated ports, but any particular computer may be running only
three or four ports. On your home computer your ports include the monitor,
keyboard, and modem.
**********************************
So what do we do next? We close the telnet program and go back to the DOS
window. At the DOS prompt we give the command "tracert 152.163.199.42." Or we
could give the command "tracert DNS-01.AOL.COM." Either way we'll get the same
result. This command will trace the route that a message takes, hopping from one
computer to another, as it travels from my computer to this AOL domain server
computer. Here's what we get:
C:\WINDOWS>tracert 152.163.199.42
Tracing route to dns-01.aol.com [152.163.199.42]
over a maximum of 30 hops:
1 * * * Request timed out.
2 150 ms 144 ms 138 ms 204.134.78.201
3 375 ms 299 ms 196 ms glory-cyberport.nm.westnet.net [204.134.78.33]
4 271 ms * 201 ms enss365.nm.org [129.121.1.3]
5 229 ms 216 ms 213 ms h4-0.cnss116.Albuquerque.t3.ans.net
[192.103.74.45]
6 223 ms 236 ms 229 ms f2.t112-0.Albuquerque.t3.ans.net
[140.222.112.221]
7 248 ms 269 ms 257 ms h14.t64-0.Houston.t3.ans.net [140.223.65.9]
8 178 ms 212 ms 196 ms h14.t80-1.St-Louis.t3.ans.net [140.223.65.14]
9 316 ms * 298 ms h12.t60-0.Reston.t3.ans.net [140.223.61.9]
10 315 ms 333 ms 331 ms 207.25.134.189
11 * * * Request timed out.
12 * * * Request timed out.
13 207.25.134.189 reports: Destination net unreachable.
What the heck is all this stuff? The number to the left is the number of
computers the route has been traced through. The "150 ms" stuff is how long, in
thousandths of a second, it takes to send a message to and from that computer.
Since a message can take a different length of time every time you send it,
tracert times the trip three times. The "*" means the trip was taking too long
so tracert said "forget it." After the timing info comes the name of the
computer the message reached, first in a form that is easy for a human to
remember, then in a form -- numbers -- that a computer prefers.
"Destination net unreachable" probably means tracert hit a firewall.
Let's try the second AOL domain server.
C:\WINDOWS>tracert 152.163.199.56
Tracing route to dns-02.aol.com [152.163.199.56]
over a maximum of 30 hops:
1 * * * Request timed out.
2 142 ms 140 ms 137 ms 204.134.78.201
3 246 ms 194 ms 241 ms glory-cyberport.nm.westnet.net [204.134.78.33]
4 154 ms 185 ms 247 ms enss365.nm.org [129.121.1.3]
5 475 ms 278 ms 325 ms h4-0.cnss116.Albuquerque.t3.ans.net [192.103.74.
45]
6 181 ms 187 ms 290 ms f2.t112-0.Albuquerque.t3.ans.net [140.222.112.22
1]
7 162 ms 217 ms 199 ms h14.t64-0.Houston.t3.ans.net [140.223.65.9]
8 210 ms 212 ms 248 ms h14.t80-1.St-Louis.t3.ans.net [140.223.65.14]
9 207 ms * 208 ms h12.t60-0.Reston.t3.ans.net [140.223.61.9]
10 338 ms 518 ms 381 ms 207.25.134.189
11 * * * Request timed out.
12 * * * Request timed out.
13 207.25.134.189 reports: Destination net unreachable.
Note that both tracerts ended at the same computer named
h12.t60-0.Reston.t3.ans.net. Since AOL is headquartered in Reston, Virginia,
it's a good bet this is a computer that directly feeds stuff into AOL. But we
notice that h12.t60-0.Reston.t3.ans.net , h14.t80-1.St-Louis.t3.ans.net,
h14.t64-0.Houston.t3.ans.net and Albuquerque.t3.ans.net all have numerical names
beginning with 140, and names that end with "ans.net." So it's a good guess that
they all belong to the same company. Also, that "t3" in each name suggests these
computers are routers on a T3 communications backbone for the Internet.
Next let's check out that final AOL domain server:
C:\WINDOWS>tracert 198.83.210.28
Tracing route to dns-aol.ans.net [198.83.210.28]
over a maximum of 30 hops:
1 * * * Request timed out.
2 138 ms 145 ms 135 ms 204.134.78.201
3 212 ms 191 ms 181 ms glory-cyberport.nm.westnet.net [204.134.78.33]
4 166 ms 228 ms 189 ms enss365.nm.org [129.121.1.3]
5 148 ms 138 ms 177 ms h4-0.cnss116.Albuquerque.t3.ans.net [192.103.74.
45]
6 284 ms 296 ms 178 ms f2.t112-0.Albuquerque.t3.ans.net [140.222.112.22
1]
7 298 ms 279 ms 277 ms h14.t64-0.Houston.t3.ans.net [140.223.65.9]
8 238 ms 234 ms 263 ms h14.t104-0.Atlanta.t3.ans.net [140.223.65.18]
9 301 ms 257 ms 250 ms dns-aol.ans.net [198.83.210.28]
Trace complete.
Hey, we finally got all the way through to something we can be pretty certain is
an AOL box, and it looks like it's outside the firewall! But look at how the
tracert took a different path this time, going through Atlanta instead of St.
Louis and Reston. But we are still looking at ans.net addresses with T3s, so
this last nameserver is using the same network as the others.
Now what can we do next to get luser@aol.com really wondering if you could
actually break into his account? We're going to do some port surfing on this
last AOL domain name server! But to do this we need to change our telnet
settings a bit.
Click on Terminal, then Preferences. In the preferences box you need to check
"Local echo." You must do this, or else you won't be able to see everything that
you get while port surfing. For some reason, some of the messages a remote
computer sends to you won't show up on your Win 95 telnet screen unless you
choose the local echo option. However, be warned, in some situations everything
you type in will be doubled. For example, if you type in "hello" the telnet
screen may show you "heh lelllo o. This doesn't mean you mistyped, it just means
your typing is getting echoed back at various intervals.
Now click on Connect, then Remote System. Then enter the name of that last AOL
domain server, dns-aol.ans.net. Below it, for Port choose Daytime. It will send
back to you the day of the week, date and time of day in its time zone.
Aha! We now know that dns-aol.ans.net is exposed to the world, with at least one
open port, heh, heh. It is definitely a prospect for further port surfing. And
now your friend is wondering, how did you get something out of that computer?
******************************
Clueless newbie alert: If everyone who reads this telnets to the daytime port of
this computer, the sysadmin will say "Whoa, I'm under heavy attack by hackers!!!
There must be some evil exploit for the daytime service! I'm going to close this
port pronto!" Then you'll all email me complaining the hack doesn't work.
Please, try this hack out on different computers and don't all beat up on AOL.
******************************
Now let's check out that Reston computer. I select Remote Host again and enter
the name h12.t60-0.Reston.t3.ans.net. I try some port surfing without success.
This is a seriously locked down box! What do we do next?
So first we remove that "local echo" feature, then we telnet back to
whois.internic. We ask about this ans.net outfit that offers links to AOL:
[vt100] InterNIC > whois ans.net
Connecting to the rs Database . . . . . .
Connected to the rs Database
ANS CO+RE Systems, Inc. (ANS-DOM)
100 Clearbrook Road
Elmsford, NY 10523
Domain Name: ANS.NET
Administrative Contact:
Hershman, Ittai (IH4) ittai@ANS.NET
(914) 789-5337
Technical Contact:
ANS Network Operations Center (ANS-NOC) noc@ans.net
1-800-456-6300
Zone Contact:
ANS Hostmaster (AH-ORG) hostmaster@ANS.NET
(800)456-6300 fax: (914)789-5310
Record last updated on 03-Jan-97.
Record created on 27-Sep-90.
Domain servers in listed order:
NS.ANS.NET 192.103.63.100
NIS.ANS.NET 147.225.1.2
Now if you wanted to be a really evil hacker you could call that 800 number and
try to social engineer a password out of somebody who works for this network.
But that wouldn't be nice and there is nothing legal you can do with ans.net
passwords. So I'm not telling you how to social engineer those passwords.
Anyhow, you get the idea of how you can hack around gathering info that leads to
the computer that handles anyone's email.
So what else can you do with your on-line connection and Win 95?
Well... should I tell you about killer ping? It's a good way to lose your job
and end up in jail. You do it from your Windows DOS prompt. Find the gory
details in the GTMHH Vol.2 Number 3, which is kept in one of our archives listed
at the end of this lesson. Fortunately most systems administrators have patched
things nowadays so that killer ping won't work. But just in case your ISP or LAN
at work or school isn't protected, don't test it without your sysadmin's
approval!
Then there's ordinary ping, also done from DOS. It's sort of like tracert, but
all it does is time how long a message takes from one computer to another,
without telling you anything about the computers between yours and the one you
ping.
Other TCP/IP commands hidden in DOS include:
╖ Arp IP-to-physical address translation tables
╖ Ftp File transfer protocol. This one is really lame. Don't use it. Get a
shareware Ftp program from one of the download sites listed below.
╖ Nbtstat Displays current network info -- super to use on your own ISP
╖ Netstat Similar to Nbstat
╖ Route Controls router tables -- router hacking is considered extra elite.
Since these are semi-secret commands, you can't get any details on how to use
them from the DOS help menu. But there are help files hidden away for these
commands.
THANKS TO
THE GUIDE TO MOSTLY HARMLESS HACKING. A LOT WAS LEARNED AND TAKEN FROM THOSE TEXTS. ALSO, DOCTA WHO HELPED ME OUT WITH THE CD C:\ COMMAND. IT CAN ALSO BE USED TO CHANGE TO OTHER DIRECTORIES OTHER THAN C:. MOST OF THIS TEXT WAS COPIED FROM HARMLESS. I GIVE THEM CREDIT.
