03-Jan-2006, 09:22 AM   #2 (permalink)
Anilrgowda
Administrator

Re: Tracing A Hacker Options
## Types of Port ##

It would be impossible to find out who was attacking you if computers could just access any old port to perform an important function; how could you tell a mail transfer from a Trojan attack? Well, good news: your regular, normal connections are assigned to low, commonly used ports, and in general, the higher the number used, the more suspicious you should be. Here are the three main types of port:

# Well Known Ports: These run from 0 to 1023, and are bound to the common services that run on them (for example, mail runs on channel 25 tcp/udp, which is SMTP (Simple Mail Transfer Protocol)), so if you find one of these ports open (and you usually will), it's usually because of an essential function.

# Registered Ports: These run from 1024 to 49151. Although not bound to a particular service, these are normally used by networking utilities like FTP software, email clients and so on, which open a random port within this range before communicating with the remote server. So don't panic (just be wary, perhaps) if you see any of these open, because they usually close automatically when the program running on them terminates (for example, type a common website name into your browser with netstat open, and watch as it opens up a port at random to act as a buffer for the remote server). Services like MSN Messenger and ICQ usually run on these ports.

# Dynamic/Private Ports: Ranging from 49152 to 65535, these are rarely used except with certain programs, and even then not very often. This is indeed the usual range of the Trojan, so if you find any of these open, be very suspicious. So, just to recap:


Well Known Ports        0 to 1023          Commonly used, little danger.
Registered Ports        1024 to 49151      Not as common, just be careful.
Dynamic/Private Ports   49152 to 65535     Be extremely suspicious.


## The hunt is on ##

Now, it is essential that you know what you're looking for, and the most common way someone will attack your machine is with a Trojan. This is a program that is sent to you in an email, or attempts to bind itself to one of your ports, and when activated it can give the user your passwords, access to your hard drive... they can even make your CD tray pop open and shut. At the end of this document, you will find a list of the most commonly used Trojans and the ports they operate on. For now, let's take another look at that first example of Netstat:



Active Connections

Proto  Local Address      Foreign Address                    State
TCP    macintosh:27374    modem-123.tun.dialup.co.uk:50505   ESTABLISHED
TCP    macintosh:80       proxy.webcache.eng.sq:30101        TIME_WAIT
TCP    macintosh          MACINTOSH:0                        LISTENING
TCP    macintosh          MACINTOSH:0                        LISTENING
TCP    macintosh          MACINTOSH:0                        LISTENING


Now, straight away, this should make more sense to you. Your computer is connected on two ports, 80 and 27374. Port 80 is used for http/www transmissions (i.e. for all intents and purposes, it's how you connect to the net, although of course it's a lot more complicated than that). Port 27374, however, is distinctly suspicious; first of all, it is in the registered port range, and although other services (like MSN) use these, let's assume that you have nothing at all running like instant messengers, web pages etc.... you're simply connected to the net through a proxy. So, now this connection is looking even more troublesome, and when you realise that 27374 is a common port for Netbus (a potentially destructive Trojan), you can see that something is untoward here. So, what you would do is:


1) Run Netstat, and use:

netstat -a

then

netstat -an

so you have both hostnames AND IP addresses.


## Tracerouting ##

Having the attacker's IP is all well and good, but what can you do with it? The answer is, a lot more! It's not enough to have the address, you also need to know where the attacker's connections are coming from. You may have used automated tracerouting tools before, but do you know how they work?

Go back to MS-DOS and type

tracert *type IP address/hostname here*


Now, what happens is, the traceroute will show you all the computers in between you and the target machine, including blockages, firewalls etc. More often than not, the hostname listed before the final one will belong to the hacker's ISP. It'll either say who the ISP is somewhere in there, or else you run a second trace on the new IP/hostname to see who the ISP in question is. If the hostname that you get back doesn't actually seem to mention a geographical location within its text, you may think all is lost. But fear not! Suppose you get a hostname such as


http://www.haha.com


Well, that tells us nothing, right? Wrong... simply enter the hostname in your browser, and though many times you will get nothing back, sometimes it will resolve to an ISP, and from there you can easily find out its location and in what areas they operate. This at least gives you a firm geographical location to carry out your investigations in.

If you STILL have nothing, as a last resort you COULD try connecting to your target's ISP's port 13 by Telnet, which will tell you how many hours ahead of or behind GMT this ISP is, thus giving you a geographical trace based on the time mentioned (although bear in mind, the ISP may be doing something stupid like not having their clocks set correctly, giving you a misleading trace. Similarly, a common tactic of hackers is to deliberately have their computer's clock set to a totally wrong time, so as to throw you off the scent). Also, unless you know what you're doing, I wouldn't advise using Telnet (which is outside the parameters of this tutorial).

## Reverse DNS Query ##

This is probably the most effective way of running a trace on somebody. If ever you're in a chatroom and you see someone saying that they've "hacked into a satellite orbiting the Earth, and are taking pictures of your house right now", ignore them, because that's just bad movie nonsense. THIS method is the way to go with regard to finding out what country (maybe even what state/city etc.) someone resides in, although it's actually almost impossible to find an EXACT geographical location without actually breaking into their ISP's head office and running off with the safe.

To run an rDNS query, simply go back to MS-DOS and type

netstat

and hit return. Any active connections will resolve to hostnames rather than a numerical format.


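The post's method is to read `netstat -an` by eye and judge each local port against the three IANA ranges in its recap table. The script below does the same triage over a saved listing so it can be repeated on every run. It is an added example, not code from the post or from any tool it mentions: it assumes Windows-style `netstat -an` output (Proto / Local Address / Foreign Address / State columns), the sample listing is constructed, the `EXPECTED_LOCAL_SERVICES` set is a placeholder for whatever your own machine legitimately serves, and the `WATCHLIST` holds only 27374, the port the post's own example flags.

```python
"""Triage a saved `netstat -an` listing by IANA port range.

Added example, not code from the original post. It assumes Windows-style
`netstat -an` output (Proto / Local Address / Foreign Address / State);
the sample listing below is constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three ranges from the post's recap table.
WELL_KNOWN = range(0, 1024)
REGISTERED = range(1024, 49152)
DYNAMIC = range(49152, 65536)

# Ports this host serves on purpose (assumption; edit for your machine).
EXPECTED_LOCAL_SERVICES = {80, 443}
# Ports to flag outright. 27374 is the port the post's netstat example flags.
WATCHLIST = {27374}

NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)


@dataclass
class Conn:
    proto: str
    laddr: str
    lport: Optional[int]
    raddr: str
    rport: Optional[int]
    state: str  # empty for UDP, which has no state column


def port_range(port: int) -> str:
    """Name the IANA range a port number falls in."""
    if port in WELL_KNOWN:
        return "well-known"
    if port in REGISTERED:
        return "registered"
    if port in DYNAMIC:
        return "dynamic"
    raise ValueError(f"port out of range: {port}")


def parse_netstat(text: str) -> List[Conn]:
    """Parse netstat -an output; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        lport = None if m["lport"] == "*" else int(m["lport"])
        rport = None if m["rport"] == "*" else int(m["rport"])
        conns.append(Conn(m["proto"], m["laddr"], lport,
                          m["raddr"], rport, m["state"] or ""))
    return conns


def triage(conns: List[Conn]) -> List[Tuple[Conn, str]]:
    """Apply the post's heuristic: a listener or established connection on a
    local port you did not open deserves a look, more so in the dynamic range.
    Our own ephemeral port on an outbound connection to a remote well-known
    service port is normal and is skipped."""
    findings = []
    for c in conns:
        if c.lport is None or c.lport in EXPECTED_LOCAL_SERVICES:
            continue
        if c.state not in ("LISTENING", "ESTABLISHED"):
            continue
        if c.lport in WATCHLIST:
            findings.append((c, f"local port {c.lport} is on the watchlist"))
            continue
        outbound = (c.state == "ESTABLISHED" and c.rport is not None
                    and c.rport in WELL_KNOWN)
        if outbound:
            continue
        rng = port_range(c.lport)
        if rng == "dynamic":
            findings.append((c, f"{c.state} on dynamic/private port {c.lport}"))
        elif rng == "registered" and c.state == "LISTENING":
            findings.append((c, f"unexpected listener on registered port {c.lport}"))
    return findings


# Constructed sample in the shape of Windows `netstat -an` output.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:27374     203.0.113.5:50505      ESTABLISHED
  TCP    192.168.1.10:51234     198.51.100.7:443       ESTABLISHED
  TCP    0.0.0.0:60000          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        203.0.113.9:30101      TIME_WAIT
  UDP    0.0.0.0:137            *:*
"""


def flagged_ports(text: str = SAMPLE) -> List[int]:
    """Local ports the triage flags, in listing order."""
    return [c.lport for c, _ in triage(parse_netstat(text))]


if __name__ == "__main__":
    for conn, reason in triage(parse_netstat(SAMPLE)):
        print(f"{conn.proto} {conn.laddr}:{conn.lport} -> "
              f"{conn.raddr}:{conn.rport} [{conn.state}]: {reason}")
```

On the sample, the two 27374 sockets and the listener on 60000 are flagged, while the outbound connection from ephemeral port 51234 to a remote 443 is correctly ignored even though 51234 sits in the "be extremely suspicious" range. To use it on a real host, save the output with `netstat -an > netstat.txt` and pass the file contents to `parse_netstat`. Treat the result as a prompt for investigation, not a verdict: port number alone is a weak signal, since anything can be bound to any port, and on Windows `netstat -ano` adds the owning process ID, which is the stronger check on what is actually behind a suspicious socket.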