TUCoPS :: General Information :: ahmfaq-2.txt

alt.hackers.malicious FAQ 2/3

From vampi@shad0ws.deletehipcrimecom Sun Jul 15 05:48:16 2001
Newsgroups: alt.hackers.malicious
From: vampi@shad0ws.deletehipcrimecom (Vampi Fangs)
Date: Sun, 15 Jul 2001 12:48:16 GMT

This is one of the best texts on TCP Subnetting I've seen in a while.
Read it CAREFULLY and atleast a couple of times.
If you have any questions, come to alt.hackers.malicious .
All credits here go to LocoHost!


A subnet mask is the mechanism that defines how the host portion of
the IP address is divided into subnetwork addresses and local host
address portions. It has nothing to do with the uniqueness of an IP
address. It is not a prefix to, or suffix of and IP address. It does
nothing to modify the IP address.

Using your example, a subnet mask of would look like
this in binary:

11111111. 255
11111111. 255
11111000. 248
00000000. 0

(this is hard to show because of the word wrapping)

Taking the IP address in your example:

and changing each of it's octets into it's binary representation:

10011100. 156
00001111. 15
00001111. 15
00001111. 15


ANDing the first set of octets yields:

10011100. 156
11111111. 255
10011100. 156

ANDing the second set of octets yields:

00001111. 15
11111111. 255
00001111. 15

ANDing the third set of octets yields:

00001111. 15
11111000. 248
00001000. 8

ANDing the last set of octets yields:
00001111. 15
00000000. 0
00000000. 0

Yielding a subnet address of:

This subnet address is said to have eight bits in the subnet field,
which leaves six bits to define hosts. In the last octet, there are
zero binary bits set, yielding 256 possible values (0 through 255).
However, there are only 254 of these addresses that can be used for
hosts on each subnet. This is because the first and last values are
reserved for each subnet. The first is reserved as identifying the
subnet number itself and the last is the broadcast address for that

RFCs 760, 791 and 1812 caution against the use of the first and last
subnet, and in some installations, either the last subnet, or the
first and last subnet are unavailable. Whether these subnets are
usable depends on the routing protocols in use on the network and the
IP implementation on the routing devices on the network.


On 28 Feb 1999 05:45:48 GMT, skroohead@aol.comFUCKSPAM (Skroohead)

>well, what i never understood was subnetting, i mean i know how it works,
>when you enter an ip into a nuking program for example, how does it know
>subnet mask to use? Does it just use as default? or what?

It, the "nuking" program, doesn't need to know. All it needs to do is
attempt a connection. Routers handle the passing of requests and
subsequent replies. Routers "know" the subnetting scheme being used by
the network.

> Are certain IP's  routed to certain subnets by their binary translations?


> And if so, could you have an IP on a network, lets say yer subnet mask is
>, if you had an IP on that network that was (for example),
>, could there be another  IP on another subnet that is also

Subnetting has nothing to do with the use of an IP address - it has an
effect on whether it is "usable" on a particular network (i.e., it
either belongs to the immediate subnet, or can be routed to the proper
network/subnet/node, or gets /dev/nulled because the network is not

>and if so, could you (for example) send anonymous mail from an IP
>on a less commonly used subnet, and if the SMTP server doesn't log the
>only IP's, could you blame it on somebody else in a different subnet?

As explained earlier, subnetting is the mechanism that defines how the
host portion of the IP address is divided into subnetwork addresses
and local host address portions. It doesn't have an effect on the
information in the packets - it affects where the packets are to be


by l00py (l00py@[spamsux]beer.com

I get asked a lot, on how one can check and exploit open NFS shares,
or exports like they are more conveniently called.

              First of all, upon scanning a host, the following TCP
ports will tell you of open NFS, or at least RPC stuff.

              This is all on my linux box. First install nmap, and
knfsd ( client ). You should have the  'showmount' command at hand, I
believe it comes with the knfsd-clients. You also need nfs
support within the kernel, so cat /proc/filesystems and check if nfs
is there. If not, check for an  nfs module. If not, recompile your

              I nmap -sTR -p 1-65535 localhost ( full TCP connect()
with RPC Null scan on all ports) and I get  the following ports:

              yadda yadda yadda...
              host is up, yadda yadda...
              111     open        tcp       sunrpc (portmapper V2)
              602     open        tcp       (mountd V1-2)
              607     open        tcp       nqs (mountd V1-2)
              908     open        tcp       (status V1)
              1024    open        tcp       unknown

              Mountd is fun, that's a definite sign of NFS. Also note
sun rpc. Then we do the same with UDP.

              nmap -sUR -p 1-65535, udp scan with rpc null req. scan
on all ports

              111     open        udp       sunrpc (portmapper V2)
              600     open        udp       ipcserver (mountd V1-2)
              605     open        udp       (mountd V1-2)
              906     open        udp       (status V1)
              1014    open        udp       (rquotad V1-2)
              1024    open        udp       unknown
              1026    open        udp       (nlockmgr V1-3)
              2049    open        udp       nfs (nfs V2)

              Again I notice Sun RPC, the smart bastard that I am,
mountd, rquotad, and of course nfs itself. Now the fastest way, and a
bit more stealthier I suppose (the nmap announced itself like a rock
 concert in my logs) is just to scan for the sun rpc port, because we
can dig all this info from  portmapper that listens there.

              So just nmap -sT, or -sS, or whatever you like and -p
111. When you hear someone listening on 111 / sun rpc, do an rpcinfo
-p: tontsa(2)aeonflux [tontsa] $ rpcinfo -p localhost

              program vers proto   port
              100000    2   tcp    111  portmapper
              100000    2   udp    111  portmapper
              100024    1   udp    906  status
              100024    1   tcp    908  status
              100011    1   udp   1014  rquotad
              100011    2   udp   1014  rquotad
              100005    1   udp    600  mountd
              100005    1   tcp    602  mountd
              100005    2   udp    605  mountd
              100005    2   tcp    607  mountd
              100003    2   udp   2049  nfs
              100021    1   udp   1026  nlockmgr
              100021    3   udp   1026  nlockmgr
              100021    1   tcp   1024  nlockmgr
              100021    3   tcp   1024  nlockmgr

              Whee, all that info from one port. Joy, do I love
portmapper. Now we finally know that there IS running nfs. So the
smart fellas that we are, we can do it in two ways:

              tontsa(2)aeonflux [tontsa] $ showmount --exports
              Export list for localhost:
              /altroot (everyone)
              tontsa(2)aeonflux [tontsa] $ showmount -e localhost
              Export list for localhost:
              /altroot (everyone)

              This doesn't mean that the export is writeable, or
anything, or that you can get to it. Then we simply mount it:

              mount localhost:/altroot /mnt

              (as root, silly) then we cd to /mnt, and leave a gentle
note saying your directory is open for all to see, dumbass.

              Now if anyone would mind to tell on the joys of samba,
and how one can get all the interesting stuff like nbtstat -a, and
just list shares, computer names and mount smb filesystems...

              "... the Mayo Clinic, named after its founder, Dr. Ted
Clinic ..." -- Dave Barry


Regmon for Windows NT/9x
Copyright (C) 1996-1998 Mark Russinovich and Bryce Cogswell

Regmon is an application that monitors and displays all Registry 
activity on a system. It has advanced filtering and search 
capabilities that make it a powerful tool for exploring the 
way NT works, seeing how applications use the Registry, or 
tracking down problems in system or application configurations. 

Regmon works on NT 3.51, NT 4.0, Windows 2000 (NT 5.0), 
Windows 95 and Windows 98.

Using Regmon

Start Regmon.exe from its home directory. Complete usage 
instructions are available in the on-line help file.

Building Regmon

Regmon consists of a device driver and a GUI. The NT driver was built with
the Windows NT DDK Build environment and the GUI was compiled with 
Microsoft Visual C++ 6.0. The VxD was built using Vireo Software's
(now NuMega Labs) VtoolsD 2.0. 

The help was entered with Microsoft Word 97 and Help Workshop 
for Word 97.

To install, copy Regmon.exe, Regvxd.vxd and regsys.sys to the same 

Terms of Use

This software is provided "as is", without any guarantee made
as to its suitability or fitness for any particular use. It may
contain bugs, so use of this tool is at your own risk. We take
no responsilbity for any damage that may unintentionally be caused
through its use.

You may not use Regmon source code in a product, either free or
commercial, without the express written permission of Mark 
Russinovich or Bryce Cogswell

You may not distribute Regmon in any form without express written
permission of Mark Russinovich or Bryce Cogswell.

Reporting Problems

If you encounter problems, please visit http://www.sysinternals.com
and download the latest version to see if the issue has been resolved.
If not, please send a bug report to:

        mark@sysinternals.com and cogswell@winternals.com


If a nation values anything more than freedom, it will lose its freedom; and the
irony of it is that if it is comfort or money that it values more, it will lose that too.
- Somerset Maugham

Never go to bed mad. Stay up and fight. 
- Phyllis Diller

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH