Ports - The Doorways to Your Computer
When thinking about securing your machine from unauthorized
access or use, consider the analogy of keeping burglars out
of a warehouse. Your first step would be to seal off the
entrances that are not essential to the operation of the
warehouse, so that you can focus your attention on a few
specific entrances rather than the entire building.
In that analogy, the "doorways" are ports.
Ports are entrances to your machine. For instance,
whenever you go to a website, your browser connects to that
company's server on port 80 (unless the site has been
remapped to another port). Don't believe me? Try these two
links:
Now let's look at what "doors" are open on your
computer. To do this we will use a utility called
netstat. Netstat reports the network status of the computer
on which the command is run. Netstat is quite comprehensive;
its usage text is reproduced below:
Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

  -a            Displays all connections and listening ports.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be TCP or UDP. If used with the -s option to display
                per-protocol statistics, proto may be TCP, UDP, or IP.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics. By default, statistics are
                shown for TCP, UDP and IP; the -p option may be used to specify
                a subset of the default.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display. Press CTRL+C to stop redisplaying
                statistics. If omitted, netstat will print the current
                configuration information once.
There are a lot of options listed, but we are mainly
concerned with the first one:
-a Displays all connections and listening ports.
Translation:
-a Shows you who's in the "warehouse" and which "doors" are
open.
(Keep -n in mind as well: it prints addresses and ports as
numbers instead of looking up host and service names, and we
will need it later.)
Now let's do a little.....hacking?
Follow these steps.
STEP 1 - Launch DOS or Command Prompt
1. Click on the Start button at the bottom left of your
screen.

2. Next, click on Run.

3. You will be presented with the Run window, which allows
you to type in commands. The command we want is cmd, which
brings up the command prompt (the DOS window). Type cmd in
the window and click the OK button. (On Windows 95/98 the
command interpreter is command rather than cmd; type
command instead.)

STEP 2 - Execute netstat -a command
1. Now you should be looking at the command prompt (DOS
window). This is where we type our command: netstat -a
After you type this command, press Enter. (If the output
scrolls off the top of the window, netstat -a | more shows
it one screen at a time.)

STEP 3 - Reading the output
You should see four columns on your screen:
- Proto(col) - The protocol, or language, your system is
using for a service. Examples are:
- TCP - Transmission Control Protocol
- UDP - User Datagram Protocol
- Local Address - Your system name, otherwise known as the
hostname, and the port number or name. Where the port
number has a well-known service name, netstat shows the
name instead of the number.
Example: localhost:http instead of localhost:80
- Foreign Address - The name or IP address of the system
you are connected to and the port number/name. The IP
address is the numeric representation of a system name.
Try the following link to see what I mean:
- State - This tells you what is happening on a particular
port. The words we're looking for are:
- LISTENING - an open door: the port is waiting for
someone to connect
- ESTABLISHED - a door that is in use: a connection is
active right now
- TIME_WAIT - a door that was used and is now closed: the
connection has ended and the port is held briefly before it
can be reused
UDP lines show nothing in the State column, because UDP has
no connections to track; a UDP line in the output simply
means that port is open.
STEP 4 - Grouping, grouping, gone!
Let's group everything according to its State. This
requires opening a blank document in Notepad, WordPad,
Word, or any other word processing software, and copying
the entire netstat -a output from your DOS/Command Prompt
window into it. Follow these steps:
- Right-click on the title bar of the DOS/Command Prompt
window
- Select Edit and then Select All
- Right-click on the title bar again
- Select Edit and then Copy
- Go to your new document and Paste
OK. Now let's do some grouping by State. Move all the
LISTENING lines together, all the ESTABLISHED lines
together, and all the TIME_WAIT lines together.
NOTE: Netstat shows every open door on the machine; to find
out which of these ports is open to the general Internet
public, run the Probe My Ports test. Those externally
reachable ports are the ones an attacker on the Internet can
actually knock on. If your results are unsatisfactory and
you don't have a firewall, you need to get a firewall. A
firewall should be a basic component of your Internet
security.
STEP 5 - Let's go a-hunting!
We need to identify what is actually running on these
ports. First let's look in the Windows services file.
This file maps service names to port numbers (it is how
netstat turns port 80 into "http"); it does not start
anything itself, but each line carries a very brief
description of the service. Below is the location of the
file:
- Win 95/98 - C:\WINDOWS\SERVICES
- Win NT/2k - C:\WINNT\SYSTEM32\DRIVERS\ETC\SERVICES
- Official List
Keep in mind that the services file only tells you the
conventional use of a port number. A trojan can listen on
any port, including one that carries a respectable-looking
name, so the name alone does not prove the program behind it
is legitimate.
Tip: Create a shortcut to this file on your desktop so that
you don't have to hunt for it again:
- Right-click on the file
- Click Send To...
- Select Desktop (create shortcut)
It's good to know what you normally have running on your
machine, so that if you do get hacked you know which open
ports are expected. Make sure you don't have any Internet
applications running when you compile this baseline list.
This includes, but is not limited to:
- AOL Instant Messenger
- Yahoo Messenger
- ICQ
- Trillian
- Internet Explorer
- Netscape Navigator
- Eudora e-mail client
- Outlook or Outlook Express clients
NOTE: Port 138, together with its neighbours 137 and 139,
is used by NetBIOS over TCP/IP (name service, datagram
service and session service respectively), and these ports
have "well known" exploits and vulnerabilities. If you
don't have a home network set up, then turn off the
following services:
- File and Print Sharing for Microsoft Networks
- Client Services for Microsoft Networks
Instructions: Windows 95/98, Windows NT
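To automate STEP 4 (grouping by State) and STEP 5 (looking each open port up in the services file), here is an added example; it is not code from the original article. It parses netstat -an output, groups the lines by State, and labels every open door with its services-file name, with a trojan name from a watch list, or as UNKNOWN. The netstat output and the services-file lines are constructed samples in the layout Windows prints; the watch list is an assumed two-entry illustration (12345 for NetBus, 31337 for Back Orifice) and should be replaced with the full trojan port list the article links to.

```python
"""Group `netstat -an` output by State and label each listening port.

Added example for this article, not code from the original page.  The
netstat output and the services-file lines below are constructed samples;
the trojan watch list is a two-entry illustration (an assumption).
Usage: python portaudit.py [netstat_output.txt [services_file]]
"""
import re
import sys
from collections import defaultdict

# Constructed sample of `netstat -an` output (-n keeps addresses numeric).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       64.58.76.179:80        ESTABLISHED
  TCP    192.168.1.5:1035       64.58.76.179:80        TIME_WAIT
  TCP    192.168.1.5:12345      10.9.8.7:2210          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Constructed excerpt in the layout of C:\WINNT\SYSTEM32\DRIVERS\ETC\SERVICES:
#   <service name>  <port>/<protocol>  [aliases...]  #<comment>
SAMPLE_SERVICES = """\
# constructed excerpt, not the real file
http                80/tcp    www www-http  #World Wide Web
epmap              135/tcp    loc-srv       #DCE endpoint resolution
netbios-ns         137/udp    nbname        #NETBIOS Name Service
netbios-dgm        138/udp    nbdatagram    #NETBIOS Datagram Service
netbios-ssn        139/tcp    nbsession     #NETBIOS Session Service
"""

# Illustrative watch list (assumed): replace with the article's full trojan list.
TROJAN_PORTS = {12345: "NetBus", 31337: "Back Orifice"}

# One connection line: proto, local addr:port, foreign addr:port, optional State.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+([A-Z_]+))?\s*$")


def parse_netstat(text):
    """Return one dict per connection line; headers and blank lines are skipped.
    UDP lines carry no State column, so their state is ''."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"proto": proto,
                     "local": laddr, "lport": int(lport) if lport.isdigit() else lport,
                     "foreign": faddr, "fport": int(fport) if fport.isdigit() else fport,
                     "state": state or ""})
    return rows


def parse_services(text):
    """Map (port, 'TCP'|'UDP') -> service name from services-file text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments, then tokenize
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        table[(int(port), proto.upper())] = fields[0]
    return table


def group_by_state(rows):
    """STEP 4: the LISTENING / ESTABLISHED / TIME_WAIT grouping done by hand above."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["state"] or "UDP (no state)"].append(r)
    return dict(groups)


def audit_listeners(rows, services, watch=TROJAN_PORTS):
    """STEP 5: label every open door (LISTENING TCP port, or any bound UDP port)
    with its watch-list name, its services-file name, or UNKNOWN."""
    findings = []
    for r in rows:
        is_open = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if not is_open or not isinstance(r["lport"], int):
            continue
        port = r["lport"]
        label = ("WATCH LIST: " + watch[port] if port in watch
                 else services.get((port, r["proto"]), "UNKNOWN"))
        findings.append((r["proto"], port, label))
    return findings


def connected_to_watched_ports(rows, watch=TROJAN_PORTS):
    """Foreign addresses with an ESTABLISHED connection to a watch-listed local
    port: the address the article tells you to write down from netstat -n."""
    return [(r["lport"], r["foreign"]) for r in rows
            if r["state"] == "ESTABLISHED" and r["lport"] in watch]


if __name__ == "__main__":
    net_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    svc_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_SERVICES
    rows = parse_netstat(net_text)
    for state, items in group_by_state(rows).items():
        print(state)
        for r in items:
            print("  %-3s %s:%s -> %s:%s" % (r["proto"], r["local"], r["lport"],
                                           r["foreign"], r["fport"]))
    print("\nOpen doors:")
    for proto, port, label in audit_listeners(rows, parse_services(svc_text)):
        print("  %5d/%s  %s" % (port, proto, label))
    for port, addr in connected_to_watched_ports(rows):
        print("\n%s is connected to watch-listed port %d" % (addr, port))
```

On a real machine, run netstat -an > ports.txt from the command prompt and pass that file as the first argument, with your services file as the second; anything labelled UNKNOWN or WATCH LIST is where to start hunting, and a foreign address reported by connected_to_watched_ports is the one to note for the ISP report in STEP 6.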
STEP 6 - Now what?
Now you're ready to rid your machine of the dreaded
"script kiddies" should you get hacked. Pay attention,
grasshopper. You NEED a firewall. Whether it is a software
firewall, a hardware firewall, or both, you need a firewall!
This will protect you 99.99% of the time, unless someone has
a personal vendetta against you. So let's suppose your 0.01%
moment arrives before you leave this beautiful planet; here's
what you need to do. You already have the basics down, so
we're just going to put it all together.
- Check the netstat -a output against the following trojan
port list. If you find one of the ports, click on the name
of the trojan to get more information. Copy this
information into another text document via copy/paste. It
will come in handy later.
- Run netstat -n (or netstat -an, to see the listening ports
as well). This gives you the numeric IP address of the
machine connected to you on that port (the script kiddie)
rather than a name. Write this down as well so that you can
report them to their ISP later.
- Disconnect from the Internet. The easiest way to do this
is to unplug the cable from your modem; then shut down all
Internet applications.
- Run an anti-virus scan.
- Run an anti-trojan scan.
- If the description of the trojan from the list noted any
registry entries (or files on disk), make sure they are
gone. Use the same method you used to open the DOS/Command
Prompt, but instead of typing cmd, type regedit. Then use
Edit > Find to search for the keys and values listed in the
description. Export the key first (Registry > Export
Registry File) so you can restore it if you delete the
wrong thing; then delete the entries.
- Reconnect your modem cable and reboot the computer.
- Check netstat -a against the trojan list again to verify
a "script kiddie"-free machine.
- If you want to try to catch the culprit, open the
DOS/command prompt window as you did for netstat and type:
tracert ["script kiddie's" IP]. You should have copied down
the IP address in the second step above. Before the trace
reaches the perpetrator's IP address, it passes through
their ISP's routers, so look at the two hops just before the
destination; their hostnames usually carry the ISP's domain
name. Look those domains up in your browser, the way we did
with the link above, to see who to report the incident to.
Usually it will be abuse@[ISP].com