Closing Open Holes, System Security How to Close Open Holes
Published by: Josh Rathburn on Dec 19, 2012

Closing Open Holes
September 27, 2000
By Ankit Fadia

With the spread of Hackers and Hacking incidents, the time has come when not only system administrators of servers of big companies, but also people who connect to the Internet by dialing up into their ISP, have to worry about securing their system. It really does not make much difference whether you have a static IP or a dynamic one; if your system is connected to the Internet, then there is every chance of it being attacked.

This manual is aimed at discussing methods of system security analysis and will shed light on how to secure your standalone system (also a system connected to a LAN).

Open Ports: A Threat to Security?

In the Netstat Tutorial we had discussed how the netstat -a command showed the list of open ports on your system. Well, anyhow, before I move on, I would like to quickly recap the important part. So here goes, straight from the netstat tutorial:

Now, the '-a' option is used to display all open connections on the local machine. It also returns the remote system to which we are connected, the port numbers of the remote system we are connected to (and of the local machine) and also the type and state of connection we have with the remote system.

For Example,

C:\windows>netstat -a

Active Connections

  Proto  Local Address      Foreign Address          State
  TCP    ankit:1031         dwarf.box.sk:ftp         ESTABLISHED
  TCP    ankit:1036         dwarf.box.sk:ftp-data    TIME_WAIT
  TCP    ankit:1043         banners.egroups.com:80   FIN_WAIT_2
  TCP    ankit:1045         mail2.mtnl.net.in:pop3   TIME_WAIT
  TCP    ankit:1052         zztop.boxnetwork.net:80  ESTABLISHED
  TCP    ankit:1053         mail2.mtnl.net.in:pop3   TIME_WAIT
  UDP    ankit:1025         *:*
  UDP    ankit:nbdatagram   *:*

Now, let us take a single line from the above output and see what it stands for:

  Proto  Local Address      Foreign Address          State
  TCP    ankit:1031         dwarf.box.sk:ftp         ESTABLISHED

Now, the above can be arranged as below:

Protocol: TCP (This can be Transmission Control Protocol or TCP, User Datagram Protocol or UDP, or sometimes even IP or Internet Protocol.)
Local System Name: ankit (This is the name of the local system that you set during the Windows setup.)
Local Port opened and being used by this connection: 1031
Remote System: dwarf.box.sk (This is the non-numerical form of the system to which we are connected.)
Remote Port: ftp (This is the port number of the remote system dwarf.box.sk to which we are connected.)
State of Connection: ESTABLISHED

'netstat' with the '-a' argument is normally used to get a list of open ports on your own system, i.e. on the local system. This can be particularly useful to check and see whether your system has a Trojan installed or not. Yes, most good Antiviral software is able to detect the presence of Trojans, but we are hackers, and need no software to tell us whether we are infected or not. Besides, it is more fun to do something manually than to simply click on the 'Scan' button and let some software do it.

The following is a list of Trojans and the port numbers which they use. If you Netstat yourself and find any of the following open, then you can be pretty sure that you are infected.

Port 12345 (TCP)  Netbus
Port 31337 (UDP)  Back Orifice

For the complete list, refer to the Tutorial on Trojans at: hackingtruths.box.sk/trojans.txt

----

Now, the above tutorial resulted in a number of people raising questions like: If the 'netstat -a' command shows open ports on my system, does this mean that anyone can connect to them? Or, how can I close these open ports? How do I know if an open port is a threat to my system's security or not? Well, the answer to all these questions would be clear once you read the paragraphs below.

Now, the thing to understand here is that port numbers are divided into three ranges:

The Well Known Ports are those from 0 through 1023. This range of ports is bound to the services running on them. By this what I mean is that each port usually has a specific service running on it. You see, there is an internationally accepted Port Numbers to Services rule (refer RFC 1700 here) which specifies on what port number a particular service runs. For Example, by default or normally FTP runs on Port 21. So if you find that Port 21 is open on a particular system, then it usually means that that particular system uses the FTP Protocol to transfer files. However, please note that some smart system administrators deliberately (i.e. to fool lamers) run fake services on popular ports. For Example, a system might be running a fake FTP daemon on Port 21. Although you get the same interface like the FTP daemon banner, response numbers etc., it actually might be a software logging your presence and sometimes even tracing you!!!

The Registered Ports are those from 1024 through 49151. This range of port numbers is not bound to any specific service. Actually, networking utilities like your Browser, Email Client or FTP software open a random port within this range and start a communication with the remote server. A port number within this range is the reason why you are able to surf the net or check your email etc.

If you find that when you give the netstat -a command, a number of ports within this range are open, then you should probably not worry. These ports are simply opened so that you can get your software applications to do what you want them to do. These ports are opened temporarily by various applications to perform tasks. They act as a buffer transferring packets (data) received to the application and vice versa. Once you close the application, then you find that these ports are closed automatically. For Example, when you type www.hotmail.com in your browser, then your browser randomly chooses a Registered Port and uses it as a buffer to communicate with the various remote servers involved.

The Dynamic and/or Private Ports are those from 49152 through 65535. This range is rarely used, and is mostly used by trojans; however some applications do tend to use such high range port numbers. For Example, Sun starts their RPC ports at 32768.

So this basically brings us to what to do if you find that Netstat gives you a couple of open ports on your system:

1. Check the Trojan Port List and check if the open port matches with any of the popular ones. If it does, then get a Trojan Remover and remove the trojan.

2. If it doesn't, or if the Trojan Remover says: No trojan found, then see if the open port lies in the Registered Ports range. If yes, then you have nothing to worry about, so forget about it.

***********************
HACKING TRUTH: A common technique employed by a number of system administrators is remapping ports. For example, normally the default port for HTTP is 80. However, the system administrator could also remap it to Port 8080. Now, if that is the case, then the homepage hosted at that server would be at:

http://domain.com:8080 instead of http://domain.com:80

The idea behind Port Remapping is that instead of running a service on a well known port, where it can easily be exploited, it would be better to run it on a not so well known port, as the hacker would find it more difficult to find that service. He would have to port scan a high range of numbers to discover port remapping.

The ports used for remapping are usually pretty easy to remember. They are chosen keeping in mind the default port number at which the service being remapped should be running. For Example, POP by default runs on Port 110. However, if you were to remap it, you would choose any of the following: 1010, 11000, 1111 etc. etc. Some sysadmins also like to choose Port numbers in the following manner: 1234, 2345, 3456, 4567 and so on... Yet another reason as to why Port Remapping is done is that on a Unix System, to be able to listen on a port under 1024, you must have root privileges.
************************

Firewalls

Use of Firewalls is no longer confined to servers or websites or commercial companies. Even if you simply dial up into your ISP or use PPP (Point to Point Protocol) to surf the net, you simply cannot do without a firewall. So what exactly is a firewall?
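Before moving on to firewalls, here is the port check described above put into code, as an added example that is not part of Ankit Fadia's original article. It parses the netstat -a output quoted in the article, applies the two-step check to every local port, and also labels the cases the two steps leave implicit: a service bound to a well-known port, a LISTENING port in the registered range (a remapped service, as in the HACKING TRUTH box), and a port in the dynamic range. It knows only the two trojan ports the article lists, the service-name-to-number table covers just the names in the sample, and the LISTENING row for ankit:12345 is constructed so that step 1 has something to catch.

```python
import re

# Port ranges as the article divides them (the RFC 1700 era IANA split).
WELL_KNOWN_MAX, REGISTERED_MAX = 1023, 49151
# Only the two trojan ports the article names; a real audit loads a fuller list.
TROJAN_PORTS = {("TCP", 12345): "Netbus", ("UDP", 31337): "Back Orifice"}
# Service names netstat prints instead of numbers (just those in the sample).
SERVICE_PORTS = {"ftp": 21, "ftp-data": 20, "pop3": 110, "nbdatagram": 138}
# Columns: Proto, Local Address, Foreign Address, optional State.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# The article's netstat -a rows plus a constructed LISTENING row (ankit:12345) for step 1 to catch.
SAMPLE = """\
  Proto  Local Address      Foreign Address          State
  TCP    ankit:1031         dwarf.box.sk:ftp         ESTABLISHED
  TCP    ankit:1036         dwarf.box.sk:ftp-data    TIME_WAIT
  TCP    ankit:1043         banners.egroups.com:80   FIN_WAIT_2
  TCP    ankit:1045         mail2.mtnl.net.in:pop3   TIME_WAIT
  TCP    ankit:1052         zztop.boxnetwork.net:80  ESTABLISHED
  TCP    ankit:1053         mail2.mtnl.net.in:pop3   TIME_WAIT
  TCP    ankit:12345        0.0.0.0:0                LISTENING
  UDP    ankit:1025         *:*
  UDP    ankit:nbdatagram   *:*
"""

def port_range(port):
    return ("well-known" if port <= WELL_KNOWN_MAX
            else "registered" if port <= REGISTERED_MAX else "dynamic/private")

def parse_netstat(text):
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, _host, port, foreign, state = m.groups()
            yield proto, int(port) if port.isdigit() else SERVICE_PORTS[port], foreign, state or ""

def assess(proto, port, foreign, state):
    # The article's two-step check, plus the cases it leaves implicit.
    if (proto, port) in TROJAN_PORTS:                                   # step 1
        return "step 1: matches the trojan port list (%s), run a trojan remover" % TROJAN_PORTS[(proto, port)]
    rng = port_range(port)
    if rng == "registered" and state != "LISTENING":                    # step 2
        why = "client side of a connection to " + foreign if state else "bound by a local application"
        return "step 2: registered range, %s, nothing to worry about" % why
    if rng == "well-known":
        return "well-known port: a service is bound here, make sure you meant to run it"
    if rng == "dynamic/private":
        return "dynamic/private range: rarely used by normal applications, investigate"
    return "registered port LISTENING: a service on a non-default (remapped?) port, identify it"
```

To try it, run: for row in parse_netstat(SAMPLE): print(row, assess(*row)), or put your own netstat -a output in place of SAMPLE. Any service name netstat prints that is missing from SERVICE_PORTS raises a KeyError, so extend that table for your own output.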
