> Beginners' Series Number 7
> The Exploit Files
> by keydet89@yahoo.com and Carolyn Meinel

> Let's start with an example. Suppose that you are trying to sell something
> by phone. So you start by calling phone numbers, and you keep calling until
> you get someone to answer, not an answering machine, but a real live person.
> Then if the person who answers the phone speaks the same language as you and
> can understand you, you try to sell your product.  Lots of people will hang
> up on you, but eventually, someone will buy something...bang!  You've scored!

[Comparing it to phone spamming.. good example.]

> Newbie note: What are these 'ports' we are talking about?  This kind of
> 'port'  is a number used to identify a service on an Internet host.  For
> this reason they are often called 'TCP/IP' (transfer control
> protocol/Internet protocol) ports, to distinguish them from other kinds of
> computer ports such as modems, ports to printers, etc. Each  host computer

[Why did she change her definition and explicity state TCP/IP vs physical
port? She maintained that ports were ports a year ago. When challenged,
she strongly argued that she was right. Yet, she changes her definition to
something more along the lines of what was suggested to her..]

> right port, and Shazam!! You're greeted with a login prompt, and you quickly
> guess a valid username and password combination.  The next thing you know,
> you have a command prompt. You have discovered a vulnerability -- an easily
> guessed password! So being the 'white hat hacker' that you are, you send an
> email to the sysadmin of the site and leave quietly.

[This action is illegal. Gaining any illicit access is strictly against
Title 18 law dealing with computer crime. So much for "Guide to LEGAL
hacking". Whether or not you report it or go further is semantics.]

> These ports are called 'well-known' because they are commonly used by
> certain  services. For example, the well-known port for sending email is the
> SMTP port, or port 25.  Because it is 'well-known', anyone can send email to
> anyone else.  Because port 110 is the well-known port for checking email,
> all email clients know that they have to connect to a POP server on port 110
> in order to retrieve email.

["well-known" defines how things work? "All email clients know that they
have to connect to a POP server on port 110.." yet my Pine session doesn't
connect to any port to check email. In fact, at no point does my mail go
through port 110, or does any program I use to read email check port 110.]

> A 'vulnerability' is anything about a computer system that will allow
> someone to either keep it from operating correctly, or that will let
> unauthorized people take it over.  There are many types of vulnerabilities.

[Once again, these are the far ends of the spectrums. A vulnerability can
be anything that gives ANY access that was not implicity allowed. Being
able to read /etc/passwd with no encrypted passwords strings is a
vulnerability, yet it doesn't allow you to take over the machine.]

> Examples of errors in the programming of services are the large number of
> buffer overflow vulnerabilities in the programs that run services on port of
> Internet host computers.  Many of these buffer overflow problems allow
> people to use the Internet to break into and take control of host computers

[Such a well written and clear paragraph.]

> An 'exploit' is a program or technique that takes advantage of a
> vulnerability.  For example, the FTP-Bounce vulnerability occurs when an FTP
> server (used to allow people to upload and download files) is configured to
> redirect FTP connections to other computers.  There really is no good reason
> to allow this feature.  It has become a vulnerability because this 'bounce'
> feature allows someone to use it to port scan other computers on the same
> local area network (LAN) as that FTP server.  So even though a firewall may
> be keeping port scanners form directly scanning other computers on this LAN,
> the FTP server would bounce a scan past the firewall.

[Only one portscanner allows this by default, and I can't imagine why it
would be referenced here after the public harassment of the utility.
Posting to Infowar, Ms. Meinel claimed it did not operate properly. Yet
here she plugs one of its features without giving credit to the author or
the name of the utility.]

> For example, the "Leshka" exploit explained in the GTMHH on advanced shell
> programming clearly explains that it only works on versions 8.7-8.8.2 of the
> SMTP service program called 'sendmail.'  We observed a number of people who
> were playing the hacker wargame trying to run the Leshka exploit against a
> later, fixed version of sendmail.

[Much like Ms. Meinel running exploits against the wrong version of
binaries as detailed in her shell history.]

> Now suppose you want to scan your friend's ports.  This is the best way to
> scan, as you won't have to worry about your friend getting you kicked off

[Using a portscanner is the best way to portscan your friend's computer. It
doesn't rely on them being there to type commands for you.]

> What are some of the vulnerabilities to win95 and NT, you ask? Check
> previous GTMHHs for this information. Perhaps the most important thing to
> remember about Windows is equal to root in Unix), can run a program that
> uses any port it wants, even a well-known port.  This vulnerability is

[Good grammar.]

> demonstrated by a program from Weld Pond of L0pht fame called 'netcat'.  The
> program can be obtained from:
> http://www.l0pht.com/~weld/netcat

[Which is a Windows port of Hobbit's program 'netcat'.]