Hack into your Friends Computer

Introduction

1

shared (You’d be amazed at some peoples stupidity!!!), this shows up as a result such as

\\80.5.7.2\C or similar. Simply copy & paste this link into the address bar of Windows Explorer, and hit enter! This is a screenshot of Netbrute in operation: For more comprehensive information, use a utility such as Languard Network Scanner. This returns a wealth of information such as domain names, login names, and more. Here is a shot of this in use:

2

Need I say more? If you find a system where the root directory of C: is shared, then on Windows 9.X systems, you’ll be able to access the whole of the hard drive. On Windows NT/2000 systems, you will have only access as according to NTFS file access permissions. Here is a screenshot of Windows Explorer pointed at the root directory:

3

You can even map it to a network drive (use tools > map network drive), it’s as easy as that!

For best results, I recommend choosing systems with ‘better than modem’ connections. If you don’t know where to start, try your own IP address. To get this, do the following:

•

For Windows 9.X, go to start > Run and type ‘Winipcfg’ to get your IP address.

•

For Windows NT/2000, got to start > programs > accessories > commend prompt, and type ‘ipconfig’.

This will return your IP address. If you are using a dialup connection, you will need to connect first. For ‘always on’ cable connection, omit this step. Then run your scan over the subnet; e.g. if your IP address is 164.99.34.212 then try a scan from 164.99.34.1 to 164.99.34.254. This should be enough to get you started. Have fun…

IP Scanning

This simple scan simply pings a range of IP addresses to find which machines are alive. Note that more sophisticated scanners will use other protocols (such as an SNMP sweep) to do the same thing. This is a very simple technique which requires little explanation. It is however, useful for the domain name to be returned also.

4

Port Scanning

This section introduces many of the techniques used to determine what ports (or similar protocol abstraction) of a host are listening for connections. These ports represent potential communication channels. Mapping their existence facilitates the exchange of information with the host, and thus it is quite useful for anyone wishing to explore their networked environment, including hackers. Despite what you have heard from the media, the Internet is NOT exclusively reliant on TCP port 80, used by hypertext transfer protocol (HTTP). Anyone who relies exclusively on the WWW for information gathering is likely to gain the same level of proficiency as your average casual surfer. This section is also meant to serve as an introduction to the art of port scanning, in which a host system can be persuaded to yield up it’s secrets. To accomplish this, you need to obtain a port scanner. There are many available both for free or for a small fee.

It should have all these features:

•

dynamic delay time calculations: Some scanners require that you supply a delay time between sending packets. Well how should I know what to use? You can always ping them, but that is a pain, and plus the response time of many hosts changes dramatically when they are being flooded with requests. For root users, the primary technique for finding an initial delay is to time the internal ping function. For non-root users, it times an attempted connect() to a closed port on the target. It can also pick a reasonable default value. Again, people who want to specify a delay themselves can do so with -w (wait), but you shouldn’t have to.

•

Retransmission: Some scanners just send out all the query packets, and collect the responses. But this can lead to false positives or negatives in the case where packets are dropped.

This is especially important for negative style scans like UDP and FIN, where what you are looking for is a port that does NOT respond.

•

Parallel port scanning: Some scanners simply scan ports linearly, one at a time, until they do all 65535. This actually works for TCP on a very fast local network, but the speed of this is not 5

at all acceptable on a wide area network like the Internet. It is best to use non-blocking i/o and parallel scanning in all TCP and UDP modes. Flexible port specification: You don’t always want to scan all 65535 ports! Also, the scanners which only allow you to scan ports 1 - N often fall short of my need. The scanner should allow you to specify an arbitrary number of ports and ranges for scanning. For example, ‘21-25,80-113’ is often useful if you are only probing the most frequently running services.

•

Flexible target specification: You may often want to scan more then one host, and you certainly don’t want to list every single host on a large network! It is useful to scan, say a subnet at once, e.g. 131.111.11.0 – 131.111.11.254.

•

Detection of down hosts: Some scanners allow you to scan large networks, but they waste a huge amount of time scanning 65535 ports of a dead host! Annoying! You are advised to choose a scanner which allows timeout intervals to be adjusted.

•

Detection of your IP address: For some reason, a lot of scanners ask you to type in your IP address as one of the parameters. You don’t want to have to ‘ifconfig’ and figure out your current IP address every time you connect. Of course, this is better then the scanners I’ve seen which require recompilation every time you change