From vampi@shad0ws.deletehipcrimecom Sun Jul 15 05:48:16 2001
Newsgroups: alt.hackers.malicious
Subject: OFFICIAL ALT.HACKERS.MALICIOUS FAQ - PART 2
From: vampi@shad0ws.deletehipcrimecom (Vampi Fangs)
Date: Sun, 15 Jul 2001 12:48:16 GMT
This is one of the best texts on TCP Subnetting I've seen in a while.
Read it CAREFULLY and at least a couple of times.
If you have any questions, come to alt.hackers.malicious.
All credits here go to LocoHost!
============================================================================
A subnet mask is the mechanism that defines how the host portion of
the IP address is divided into subnetwork addresses and local host
address portions. It has nothing to do with the uniqueness of an IP
address. It is not a prefix to, or suffix of, an IP address. It does
nothing to modify the IP address.
Using your example, a subnet mask of 255.255.248.0 would look like
this in binary:
11111111. 255
11111111. 255
11111000. 248
00000000. 0
(this is hard to show because of the word wrapping)
Taking the IP address in your example:
156.15.15.15
and changing each of its octets into its binary representation:
10011100. 156
00001111. 15
00001111. 15
00001111. 15
THEN -
ANDing the first set of octets yields:
10011100. 156
AND
11111111. 255
=
10011100. 156
ANDing the second set of octets yields:
00001111. 15
AND
11111111. 255
=
00001111. 15
ANDing the third set of octets yields:
00001111. 15
AND
11111000. 248
=
00001000. 8
ANDing the last set of octets yields:
00001111. 15
AND
00000000. 0
=
00000000. 0
Yielding a subnet address of: 156.15.8.0
This subnet address is said to have eight bits in the subnet field,
which leaves six bits to define hosts. In the last octet, there are
zero binary bits set, yielding 256 possible values (0 through 255).
However, there are only 254 of these addresses that can be used for
hosts on each subnet. This is because the first and last values are
reserved for each subnet. The first is reserved as identifying the
subnet number itself and the last is the broadcast address for that
subnet.
RFCs 760, 791 and 1812 caution against the use of the first and last
subnet, and in some installations, either the last subnet, or the
first and last subnet are unavailable. Whether these subnets are
usable depends on the routing protocols in use on the network and the
IP implementation on the routing devices on the network.
On 28 Feb 1999 05:45:48 GMT, skroohead@aol.comFUCKSPAM (Skroohead)
wrote:
>
>well, what i never understood was subnetting, i mean i know how it works, but
>when you enter an ip into a nuking program for example, how does it know what
>subnet mask to use? Does it just use 255.255.255.0 as default? or what?
It, the "nuking" program, doesn't need to know. All it needs to do is
attempt a connection. Routers handle the passing of requests and
subsequent replies. Routers "know" the subnetting scheme being used by
the network.
> Are certain IP's routed to certain subnets by their binary translations?
Yes.
> And if so, could you have an IP on a network, lets say yer subnet mask is
>255.255.248.0, if you had an IP on that network that was (for example),
>156.15.15.15, could there be another IP on another subnet that is also
>156.15.15.15.,
Subnetting has nothing to do with the use of an IP address - it has an
effect on whether it is "usable" on a particular network (i.e., it
either belongs to the immediate subnet, or can be routed to the proper
network/subnet/node, or gets /dev/nulled because the network is not
reachable).
>and if so, could you (for example) send anonymous mail from an IP
>on a less commonly used subnet, and if the SMTP server doesn't log the subnets,
>only IP's, could you blame it on somebody else in a different subnet?
As explained earlier, subnetting is the mechanism that defines how the
host portion of the IP address is divided into subnetwork addresses
and local host address portions. It doesn't have an effect on the
information in the packets - it affects where the packets are to be
sent.
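The octet-by-octet AND described above, as an added example that is not part of LocoHost's text: it reproduces the post's 156.15.15.15 / 255.255.248.0 case, and also derives the broadcast address and usable host count directly from the zero bits of the mask, and tests whether two addresses fall in the same subnet.

```python
# Added example (not from the original post): subnet arithmetic for the
# post's worked case, 156.15.15.15 with mask 255.255.248.0.
from typing import List, Tuple

def octets(addr: str) -> List[int]:
    """Split a dotted quad into four integers, rejecting out-of-range values."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a dotted quad: {addr!r}")
    return parts

def and_octets(ip: str, mask: str) -> List[Tuple[str, str, str]]:
    """Per octet: (address bits, mask bits, ANDed bits), like the post's tables."""
    return [(f"{a:08b}", f"{m:08b}", f"{a & m:08b}")
            for a, m in zip(octets(ip), octets(mask))]

def network(ip: str, mask: str) -> str:
    """Subnet (network) address: bitwise AND of address and mask."""
    return ".".join(str(a & m) for a, m in zip(octets(ip), octets(mask)))

def broadcast(ip: str, mask: str) -> str:
    """Broadcast address: the network address with every host bit set to 1."""
    return ".".join(str((a & m) | (~m & 0xFF))
                    for a, m in zip(octets(ip), octets(mask)))

def host_bits(mask: str) -> int:
    """Number of zero bits in the mask; the mask must be all ones then all zeros."""
    bits = "".join(f"{m:08b}" for m in octets(mask))
    if "01" in bits:
        raise ValueError(f"non-contiguous mask: {mask}")
    return bits.count("0")

def usable_hosts(mask: str) -> int:
    """2**host_bits minus the two reserved values (subnet number and broadcast)."""
    return max(2 ** host_bits(mask) - 2, 0)

def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """Two addresses share a subnet when they AND to the same network address."""
    return network(ip_a, mask) == network(ip_b, mask)

if __name__ == "__main__":
    ip, mask = "156.15.15.15", "255.255.248.0"
    for a, m, r in and_octets(ip, mask):
        print(f"{a} AND {m} = {r}")
    print("network  :", network(ip, mask))     # 156.15.8.0
    print("broadcast:", broadcast(ip, mask))   # 156.15.15.255
    print("usable   :", usable_hosts(mask))    # 2046
```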
EXPLOITING NFS SHARES
by l00py (l00py@[spamsux]beer.com)
I get asked a lot how one can check and exploit open NFS shares,
or exports, as they are more conveniently called.
First of all, upon scanning a host, the following TCP
ports will tell you of open NFS, or at least RPC stuff.
This is all on my linux box. First install nmap, and
knfsd (client). You should have the 'showmount' command at hand, I
believe it comes with the knfsd-clients. You also need nfs
support within the kernel, so cat /proc/filesystems and check if nfs
is there. If not, check for an nfs module. If not, recompile your
kernel.
I nmap -sTR -p 1-65535 localhost (full TCP connect()
with RPC null scan on all ports) and I get the following ports:
yadda yadda yadda...
host is up, yadda yadda...
111 open tcp sunrpc (portmapper V2)
602 open tcp (mountd V1-2)
607 open tcp nqs (mountd V1-2)
908 open tcp (status V1)
1024 open tcp unknown
Mountd is fun, that's a definite sign of NFS. Also note
sun rpc. Then we do the same with UDP.
nmap -sUR -p 1-65535, a UDP scan with RPC null request scan
on all ports:
111 open udp sunrpc (portmapper V2)
600 open udp ipcserver (mountd V1-2)
605 open udp (mountd V1-2)
906 open udp (status V1)
1014 open udp (rquotad V1-2)
1024 open udp unknown
1026 open udp (nlockmgr V1-3)
2049 open udp nfs (nfs V2)
Again I notice Sun RPC, the smart bastard that I am,
mountd, rquotad, and of course nfs itself. Now the fastest way, and a
bit stealthier I suppose (the nmap announced itself like a rock
concert in my logs) is just to scan for the sun rpc port, because we
can dig all this info from portmapper that listens there.
So just nmap -sT, or -sS, or whatever you like and -p
111. When you hear someone listening on 111 / sun rpc, do an rpcinfo
-p:
tontsa(2)aeonflux [tontsa] $ rpcinfo -p localhost
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 906 status
100024 1 tcp 908 status
100011 1 udp 1014 rquotad
100011 2 udp 1014 rquotad
100005 1 udp 600 mountd
100005 1 tcp 602 mountd
100005 2 udp 605 mountd
100005 2 tcp 607 mountd
100003 2 udp 2049 nfs
100021 1 udp 1026 nlockmgr
100021 3 udp 1026 nlockmgr
100021 1 tcp 1024 nlockmgr
100021 3 tcp 1024 nlockmgr
Whee, all that info from one port. Joy, do I love
portmapper. Now we finally know that NFS IS running. So the
smart fellas that we are, we can do it in two ways:
tontsa(2)aeonflux [tontsa] $ showmount --exports localhost
Export list for localhost:
/altroot (everyone)
tontsa(2)aeonflux [tontsa] $ showmount -e localhost
Export list for localhost:
/altroot (everyone)
This doesn't mean that the export is writeable, or
anything, or that you can get to it. Then we simply mount it:
mount localhost:/altroot /mnt
(as root, silly) then we cd to /mnt, and leave a gentle
note saying your directory is open for all to see, dumbass.
Now would anyone mind telling of the joys of samba,
and how one can get all the interesting stuff like nbtstat -a, and
just list shares, computer names and mount smb filesystems...
--
"... the Mayo Clinic, named after its founder, Dr. Ted
Clinic ..." -- Dave Barry
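As an added example (not l00py's code), the same two commands run against your own host, read from the defender's side: parse the 'rpcinfo -p' and 'showmount -e' output shown above, report which NFS-related RPC services are listening, and flag exports with no client restriction. The sample input is the post's output plus one constructed restricted export (/home) for contrast.

```python
# Added example (not l00py's code): audit your own host's RPC/NFS exposure from
# 'rpcinfo -p' and 'showmount -e' output. Samples are the post's output, plus
# one constructed restricted export (/home) for contrast.
from typing import Dict, List
NFS_RELATED = {"portmapper", "mountd", "nfs", "nlockmgr", "status", "rquotad"}
RPCINFO_SAMPLE = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100005    1   udp    600  mountd
    100005    1   tcp    602  mountd
    100003    2   udp   2049  nfs
    100021    3   tcp   1024  nlockmgr
"""
SHOWMOUNT_SAMPLE = """\
Export list for localhost:
/altroot (everyone)
/home    10.0.0.0/24
"""

def parse_rpcinfo(text: str) -> List[dict]:
    """Parse 'rpcinfo -p' rows; the header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0].isdigit() and f[3].isdigit():
            rows.append({"prog": int(f[0]), "vers": int(f[1]),
                         "proto": f[2], "port": int(f[3]), "name": f[4]})
    return rows

def parse_showmount(text: str) -> Dict[str, str]:
    """Parse 'showmount -e' rows into {export_path: client_spec}."""
    exports = {}
    for line in text.splitlines():
        if line.startswith("/"):
            path, _, clients = line.partition(" ")
            exports[path] = clients.strip()
    return exports

def open_exports(exports: Dict[str, str]) -> List[str]:
    """Exports with no client restriction: showmount shows '(everyone)' or '*'."""
    return sorted(p for p, c in exports.items() if c in ("(everyone)", "*"))

def exposed_nfs_services(rows: List[dict]) -> Dict[str, List[str]]:
    """Map each NFS-related RPC service to the proto/port pairs it listens on."""
    out: Dict[str, List[str]] = {}
    for r in rows:
        if r["name"] in NFS_RELATED:
            out.setdefault(r["name"], []).append(f'{r["proto"]}/{r["port"]}')
    return out
```

Run against a live host by feeding the real command output into the two parsers; any path returned by open_exports is one that anyone who can reach mountd may mount.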
===============================================================
Regmon for Windows NT/9x
Copyright (C) 1996-1998 Mark Russinovich and Bryce Cogswell
http://www.sysinternals.com
Introduction
------------
Regmon is an application that monitors and displays all Registry
activity on a system. It has advanced filtering and search
capabilities that make it a powerful tool for exploring the
way NT works, seeing how applications use the Registry, or
tracking down problems in system or application configurations.
Regmon works on NT 3.51, NT 4.0, Windows 2000 (NT 5.0),
Windows 95 and Windows 98.
Using Regmon
------------
Start Regmon.exe from its home directory. Complete usage
instructions are available in the on-line help file.
Building Regmon
----------------
Regmon consists of a device driver and a GUI. The NT driver was built with
the Windows NT DDK Build environment and the GUI was compiled with
Microsoft Visual C++ 6.0. The VxD was built using Vireo Software's
(now NuMega Labs) VtoolsD 2.0.
The help was entered with Microsoft Word 97 and Help Workshop
for Word 97.
To install, copy Regmon.exe, Regvxd.vxd and regsys.sys to the same
directory.
Terms of Use
------------
This software is provided "as is", without any guarantee made
as to its suitability or fitness for any particular use. It may
contain bugs, so use of this tool is at your own risk. We take
no responsibility for any damage that may unintentionally be caused
through its use.
You may not use Regmon source code in a product, either free or
commercial, without the express written permission of Mark
Russinovich or Bryce Cogswell.
You may not distribute Regmon in any form without express written
permission of Mark Russinovich or Bryce Cogswell.
Reporting Problems
------------------
If you encounter problems, please visit http://www.sysinternals.com
and download the latest version to see if the issue has been resolved.
If not, please send a bug report to:
mark@sysinternals.com and cogswell@winternals.com
--
V--V
If a nation values anything more than freedom, it will lose its freedom; and the
irony of it is that if it is comfort or money that it values more, it will lose that too.
- Somerset Maugham
Never go to bed mad. Stay up and fight.
- Phyllis Diller