Hi

MS-DOS Hacking

In this Guide you will learn how to:

* Use telnet from Windows

* Download web pages via telnet

* Get finger information via telnet

* Telnet from the DOS command-line

* Use netcat

* Break into Windows Computers from the Internet

Protecting Yourself

What can they do

The command-line approach

The GUI approach

Final Words

************************************************** **********

How to Use Telnet on a Windows Computer

Telnet is great little program for doing a couple of interesting things. In fact, if you
want to call yourself a hacker, you absolutely MUST be able to telnet! In this lesson
you will find out a few of the cool things a hacker can do with telnet.

If you are using Win95, you can find telnet in the c:\windows directory, and on NT, in
the c:\winnt\system32 directory. There isn't a lot of online help concerning the
usage of the program, so my goal is to provide some information for new users.

First off, telnet isn't so much an application as it is a protocol. Telnet is protocol that
runs over TCP/IP, and was used for connecting to remote computers. It provides a
login interface, and you can run command-line programs by typing the commands
on your keyboard, and the programs use the resources of the remote machine. The
results are displayed in the terminal window on your machine, but the memory and
CPU cycles consumed by the program are located on the remote machine.
Therefore, telnet functions as a terminal emulation program, emulating a terminal
on the remote machine.

Now, telnet runs on your Win95 box as a GUI application...that is to say that you can
type "telnet" at the command prompt (in Windows 95 this is the MS-DOS prompt),
and assuming that your PATH is set correctly, a window titled "telnet" will open. This
differs from your ftp program in that all commands are entered in the DOS window.

Let's begin by opening telnet. Simply open a DOS window by clicking "start", then
"programs", then "MS-DOS", and at the command prompt, type:

c:\telnet

The window for telnet will open, and you can browse the features of the program
from the menu bar.

************************************************** *

NEWBIE NOTE: In this text file, I am referring only to the telnet

program that ships with Win95/NT. If you type "telnet" at the

command prompt and you don't get the telnet window, make sure

that the program is on your hard drive using the Start -> Find ->

Files or Folders command. Also make sure that your path statement includes the
Windows directory. There are many other programs available that provide similar
functionality, with a lot of other bells and whistles, from any number of software
sites.

*************************************************

To learn a bit more about telnet, choose Help -> Contents, or

Help -> Search for help on... from the menu bar. Read through

the files in order to find more detailed explanations of things

you may wish to do. For example, in this explanation, I will

primarily be covering how to use the application and what it can

be used for, but now how to customize the colors for the application.

Now, if you choose Connect -> Remote System, you will be presented with a dialog
window that will ask you for the remote host, the port and the terminal type.

************************************************** **

NEWBIE NOTE: For most purposes, you can leave the terminal type on

VT100.

************************************************** **

In the Connect dialog box, you can enter in the host to which

you wish to connect, and there is a list box of several ports

you can connect to:

daytime: May give you the current time on the server.

echo: May echo back whatever you type in, and will tell you that the computer you
have connected to is alive nd running on the Internet. qotd: May provide you with a
quote of the day.

chargen: May display a continuous stream of characters, useful for spotting network
problems, but may crash your telnet program.

telnet: May present you with a login screen.

These will only work if the server to which you are trying to connect is running these
services. However, you are not limited to just those ports...you can type in any port
number you wish. (For more on fun ports, see the GTMHH, "Port Surf's Up.") You will
only successfully connect to the port if the service in question is available. What
occurs after you connect depends upon the protocol for that particular service.

When you are using telnet to connect to the telnet service on a server, you will (in
most cases) be presented with a banner and a login prompt.

[Note from Carolyn Meinel: Many people have written saying their telnet program
fails to connect no matter what host they try to reach. Here's a way to fix your
problem. First -- make sure you are already connected to the Internet. If your telnet
program still cannot connect to anything, here's how to fix your problem. Click
"start" then "settings" then "control panel." Then click "Internet" then "connection."
This screen will have two boxes that may or may not be checked. The top one says
"connect to the Internet as needed." If that box is checked, uncheck it -- but only
uncheck it if you already have been having problems connecting. The bottom box
says "connect through a proxy server." If that box is checked, you probably are on a
local area network and your systems administrator doesn't allow you to use telnet.]

*********************************************

NEWBIE NOTE: It's not a good idea to connect to a host on which you don't have a
valid account. In your attempts to guess a username and password, all you will do is
fill the log files on that host. From there, you can very easily be traced, and your
online service provider will probably cancel your account.

**********************************************

Now, you can also use telnet to connect to other ports, such as

ftp (21), smtp (25), pop3 (110), and even http (80). When you

connect to ftp, smtp, and pop3, you will be presented with a

banner, or a line of text that displays some information about the

service. This will give you a clue as to the operating system

running on the host computer, or it may come right out and tell

you what the operating system is...for instance, AIX, Linux,

Solaris, or NT. If you successfully connect to port 80, you will

see a blank screen. This indicates, again, that you have successfully completed the
TCP negotiation and you have a connection.

Now, what you do from there is up to you. You can simply disconnect with the
knowledge that, yes, there is a service running on port 80, or you can use your
knowledge of the HTTP protocol to retrieve the HTML source for web pages on the
server.
How to Download Web Pages Via Telnet

To retrieve a web page for a server using telnet, you need to connect to that server
on port 80, generally. Some servers may use a different port number, such as 8080,
but most web servers run on port 80. The first thing you need to do is click on
Terminal -> Preferences and make sure that there is a check in the Local Echo box.
Then, since most web pages will generally take up more than a single screen,
enable logging by clicking Terminal -> Start Logging... and select a location and
filename. Keep in mind that as long as logging is on, and the same file is being
logged to, all new information will be appended to the file, rather than overwriting
the

original file. This is useful if you want to record several sessions, and edit out the
extraneous information using Notepad.

Now, connect the remote host, and if your connection is successful, type in:

GET / HTTP/1.0

and hit enter twice.

**************************************************

NEWBIE NOTE: Make sure that you hit enter twice...this is part

of the HTTP protocol. The single / after GET tells the server

to return the default index file, which is generally "index.html".

However, you can enter other filenames, as well.

*************************************************

You should have seen a bunch of text scroll by on the screen. Now you can open the
log file in Notepad, and you will see the HTML

code for the page, just as though you had chosen the View Source

option from your web browser. You will also get some additional

information...the headers for the file will contain some information

about the server. For example:

HTTP/1.0 200 Document follows

Date: Thu, 04 Jun 1998 14:46:46 GMT

Server: NCSA/1.5.2

Last-modified: Thu, 19 Feb 1998 17:44:13 GMT

Content-type: text/html

Content-length: 3196

One particularly interesting piece of information is the server

name. This refers to the web server software that is running

and serving web pages. You may see other names in this field,

such as versions of Microsoft IIS, Purveyor, WebSite, etc.

This will give you a clue as to the underlying operating system

running on the server.

*************************************************

SYSADMIN NOTE: This technique, used in conjunction with a

database of exploits on web servers, can be particularly annoying.

Make sure you keep up on exploits and the appropriate security

patches from your web server and operating system vendors.

*************************************************

*************************************************

NEWBIE NOTE: This technique of gathering web pages is perfectly legal. You aren't
attempting to compromise the target system, you are simply doing by hand what
your web browser does for you automatically. Of course, this technique will not load
images and Java applets for you.

************************************************

Getting Finger Information Via Telnet

By now, you've probably heard or read a lot about finger. It doesn't seem like a very
useful service, and many sysadmins disable the service because it provides
information on a particular user, information an evil hacker can take advantage of.
Win95 doesn't ship with a finger client, but NT does. You can download finger clients
for Win95 from any number of software sites. But why do that when you have a
readily available client in telnet?

The finger daemon or server runs on port 79, so connect to a remote host on that
port. If the service is running, you will be presented with a blank screen.

************************************************** **

NEWBIE NOTE: NT doesn't ship with a finger daemon (A daemon is a program on the
remote computer which waits for people like you to connect to it), so generally
speaking, and server that you find running finger will be a Unix box. I say
"generally" because there are third-party finger daemons available and someone
may want to run one on their NT computer.

************************************************** **

The blank screen indicates that the finger daemon is waiting for input. If you have a
particular user that you are interested in, type in the username and hit enter. A
response will be provided, and the daemon will disconnect the client. If you don't
know a particular username, you can start by simply hitting enter. In some cases,
you may get a response such as "No one logged on." Or you may get information of
all currently logged on users. It all depends on whether or not the sysadmin has
chosen to enable certain features of the daemon. You can also try other names,
such as "root", "daemon", "ftp", "bin", etc.
Another neat trick to try out is something that I have seen referred to as "finger
forwarding". To try this out, you need two hosts that run finger. Connect to the first
host, host1.com, and enter the username that you are interested in. Then go to the
second host, and enter:

Code:

user@host1.comCode:

You should see the same information! Again, this all depends upon

the configuration of the finger daemon.

Using Telnet from the Command Line

Now, if you want to show your friends that you a "real man" because "real men
don't need no stinkin' GUIs", well just open up a DOS window and type:

c:\>telnet <host> <port>

and the program will automatically attempt to connect to the host

on the designated port for you.

Using Netcat

Let me start by giving a mighty big thanks to Weld Pond from L0pht for producing
the netcat program for Windows NT. To get a copy of this program, which comes
with source code, simply go to:

http://www.l0pht.com/~weld

NOTE: The first character of "l0pht: is the letter "l". The second character is a zero,
not an "o".

I know that the program is supposed to run on NT, but I have

seen it run on Win95. It's a great little program that can be used

to do some of the same things as telnet. However, there are

advantages to using netcat...for one, it's a command-line program,

and it can be included in a batch file. In fact, you can automate

multiple calls to netcat in a batch file, saving the results to

a text file.

**************************************************

NEWBIE NOTE: For more information on batch files, see previous versions of the
Guide To (mostly) Harmless Hacking, Getting Serious with Windows Fix ...one of
them dealt with basic batch file programming.

**************************************************

Before using netcat, take a look at the readme.txt file provided in

the zipped archive you downloaded. It goes over the instructions

on how to download web pages using netcat, similar to what I

described earlier using telnet.

There are two ways to go about getting finger information using

netcat. The first is in interactive mode. Simply type:

c:\>nc <host> 79

If the daemon is running, you won't get a command prompt back. If this is the case,
type in the username and hit enter. Or use the automatic mode by first creating a
text file containing the username of interest. For example, I typed:

c:\>edit root

and entered the username "root", without the quotes. Then from

the command prompt, type:

c:\>nc <host> 79 < root

and the response will appear on your screen. You can save the

output to a file by adding the appropriate redirection operator

to the end of the file:

c:\>nc <host> 79 < root > nc.log

to create the file nc.log, or:

c:\>nc <host> 79 < root >> nc.log

to append the response to the end of nc.log. NOTE: Make sure

that you use spaces between the redirection operators.

How to Break into a Windows 95 machine Connected to the Internet

Disclaimer

The intent of this file is NOT to provide a step-by-step guide to accessing a Win95
computer while it is connected to the Internet. The intent is show you how to
protect yourself.

There are no special tools needed to access a remote Win95 machine...everything

you need is right there on your Win95 system! Two methods will be described...the
command-line approach and the GUI approach.

Protecting Yourself

First, the method of protecting yourself needs to be made perfectly clear. DON'T
SHARE FILES!! I can't stress that enough. If you are a home user, and you are
connecting a Win95 computer to the Internet via some dial-up method, disable
sharing. If you must share, use a strong password...8 characters minimum, a mix of
upper and lower case letters and numbers, change the password every now and
again. If you need to transmit the

password to someone, do so over the phone or by written letter. To disable sharing,

click on My Computer -> Control Panel -> Network -> File and Print Sharing. In the
dialog box that appears, uncheck both boxes. It's that easy.

What Can They Do?

What can someone do? Well, lots of stuff, but it largely depends on what shares are
available. If someone is able to share a printer from your machine, they can send
you annoying letters and messages. This consumes time, your printer ink/toner, and
your paper. If they are able to share a disk share, what they can do largely depends
upon what's in that share. The share appears as another directory on the attacker's
machine, so any programs they run will be consuming their own
resources...memory, cpu cycles, etc. But if the attacker has read and write access to
those disk shares, then you're in trouble. If you take work home, your files may be
vulnerable. Initialization and configuration files can be searched for passwords. Files
can be modified and deleted. A particularly nasty thing to do is adding a line to your
autoexec.bat file so that the next time your computer is booted, the hard drive is
formatted without any prompting from the user. Bad ju-ju, indeed.

** The command-line approach **

Okay, now for the part that should probably be titled "How they do it". All that is
needed is the IP address of the remote machine. Now open up a DOS window, and
at the command prompt, type:

c:\>nbtstat -A [ip_addr]

If the remote machine is connected to the Internet and the ports used for sharing
are not blocked, you should see something like:

NetBIOS Remote Machine Name Table

Name Type Status

---------------------------------------------

NAME <00> UNIQUE Registered

DOMAIN <00> GROUP Registered

NAME <03> UNIQUE Registered

USERNAME <03> UNIQUE Registered

MAC Address = 00-00-00-00-00-00

This machine name table shows the machine and domain names, a logged-on
username, and the address of the Ethernet adapter (the information has been
obfuscated for instructional purposes).

**Note: This machine, if unpatched and not protected with a firewall or packet-filter
router, may be vulnerable to a range of denial of service attacks, which seem to be
fairly popular, largely because they require no skill or knowledge to perpetrate.

The Fix piece of information that you are looking for is in the Type column. A
machine that has sharing enabled will have a hex code of "<20>".

**Note: With the right tools, it is fairly simple for a sysadmin to write a batch file
that combs a subnet or her entire network, looking for client machines with sharing
enabled. This batch file can then be run at specific times...every day at 2:00 am,
only on Friday evenings or weekends, etc.

If you find a machine with sharing enabled, the next thing to do is type the following
command:

c:\>net view \\[ip_addr]

Now, your response may be varied. You may find that there are no shares on the
list, or that there are several shares available. Choose which share you would like to
connect to, and type the command:

c:\>net use g: \\[ip_addr]\[share_name]

You will likely get a response that the command was completed successfully. If that
is the case, type:

c:\>cd g:

or which ever device name you decided to use. You can now view what exists on
that share using the dir commands, etc.

Now, you may be presented with a password prompt when you ssue the above
command. If that is the case, typical "hacker" (I shudder at that term) methods may
be used.

** The GUI approach **

After issuing the nbtstat command, you can opt for the GUI approach to accessing
the shares on that machine. To do so, make sure that you leave the DOS window
open, or minimized...don't close it. Now, use Notepad to open this file:

c:\windows\lmhosts.sam

Read over the file, and then open create another file in Notepad, called simply
"Lmhosts", without an extension. The file should contain the IP address of the host,
the NetBIOS name of the host (from the nbtstat command), and #PRE, separated by
tabs. Once you have added this information, save it, and minimize the window. In
the DOS command window, type:

c:\>nbtstat -R

This command reloads the cache from the Lmhosts file you just created.

Now, click on Start -> Find -> Computer, and type in the NetBIOS name of the
computer...the same one you added to the lmhosts file. If your attempt to connect
to the machine is successful, you should be presented with a window containing the
available shares. You may be presented with a password prompt window, but again,
typical "hacker" (again, that term grates on me like fingernails on a chalk board, but
today, it seems that it's all folks understand) techniques may be used to break the
password.

************************************************

Note from Carolyn Meinel: Want to try this stuff without winding up in jail or getting
expelled from school? Get a friend to give you permission to try to break in.

First, you will need his or her IP address. Usually this will be different every time
your friend logs on. You friend can learn his or her IP address by going to the DOS
prompt while online and giving the command "netstat -r". Something like this should
show up:

C:\WINDOWS>netstat -r

Route Table

Active Routes:

Network Address Netmask Gateway Address Interface Metric

0.0.0.0 0.0.0.0 198.999.176.84 198.999.176.84 1

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

198.999.176.0 255.255.255.0 198.999.176.84 198.999.176.84 1

198.999.176.84 255.255.255.255 127.0.0.1 127.0.0.1 1

198.999.176.255 255.255.255.255 198.999.176.84 198.999.176.84 1

224.0.0.0 224.0.0.0 198.999.176.84 198.999.176.84 1

255.255.255.255 255.255.255.255 198.999.176.84 0.0.0.0 1

Your friend's IP address should be under "Gateway Address." Ignore the 127.0.0.1 as
this will show up for everyone and simply means "locahost" or "my own computer."
If in doubt, break the Internet connection and then get online again. The number
that changes is the IP address of your friend's computer.

************************************************** *

**************************************************
Evil Genius tip: Here is something really scary. In your shell account give the
"netstat" command. If your ISP allows you to use it, you might be able to get the
dynamically assigned IP addresses of people from all over the world -- everyone who
is browsing a Web site hosted by your ISP, everyone using ftp, spammers you might
catch red-handed in the act of forging email on your ISP, guys up at 2AM playing on
multiuser dungeons, IRC users, in fact you will see everyone who is connected to
your ISP!

************************************************** **

************************************************** *

YOU CAN GO TO JAIL WARNING: If you find a Windows 95 box on the Internet with
file sharing enabled and no password protection, you can still get in big trouble for
exploiting it. It's just like finding a house whose owner forgot to lock the door -- you
still are in trouble if someone catches you inside. Tell temptation to take a hike!