Friday, April 25, 2014

6 Packet Sniffing Tools For Ethical Hackers!

Packet sniffing applications like Wireshark are among the best known hacking tools in the world. While not all of them are equally well known, these apps are used by almost every penetration tester and ethical hacker. Here is what you need!


1. Wireshark

Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.

2. Capsa

Capsa provides a comprehensive and easy-to-use packet capture and analysis solution to help you protect your critical business environment.

3. SniffPass

SniffPass is a small password monitoring utility that listens on your network, captures the passwords that pass through your network adapter, and displays them on the screen instantly. SniffPass can capture the passwords of the following protocols: POP3, IMAP4, SMTP, FTP, and HTTP (basic authentication passwords).

4. Microsoft Network Monitor

A tool that allows capturing and protocol analysis of network traffic.

5. tcpdump

tcpdump is a powerful command-line packet analyzer; libpcap, which it is built on, is a portable C/C++ library for network traffic capture.

6. NMAP

This is perhaps the best known and most used security application in the world, especially after its appearance in the Matrix movies.

24 Great E-Books On Ethical Hacking

Are you an aspiring hacker who wants to get as much info on hacking from free online ebooks as possible but doesn’t know where to get them? We bring you a list of 24 great e-books on hacking with links for their free downloads. Happy reading!

1. Black Book of Viruses and Hacking : In print for over five years, the book opens a door to answering the question of whether or not it is better to make technical information about computer viruses known.

2. The Beginner’s Guide To Hacking Computer Systems : This is a great book for guiding beginners through the basic and advanced steps of hacking. It helps develop user knowledge on various types of hacking including Windows, Linux installation & use, Linux hacking, virus programming, malware programming and Trojan programming among other things.

3. Penetration Testing With Backtrack : The book has been written in Packt's Beginner's Guide format and helps the reader gain knowledge of the concepts and understand the techniques needed to perform wireless attacks in your lab.

4. Hacker’s High School : This book is used by over a quarter of a million students every year and is a straightforward, inexpensive quick reference, with content flexible enough to suit the needs of writers in the humanities, social sciences, sciences, health professions, business, fine arts, education, and beyond.

5. Black Belt Hackers And Complete Hacking : The book addresses the fundamental question of what is ethical hacking in its most elementary form and is a great reference book for beginners.

6. Secrets Of Super And Professional Hackers : The book covers hacking scenarios ranging from the merely mischievous to the criminal; the super hacker known as the Knightmare gives step-by-step instructions in meaningful hacking from a personal computer.

7. Dangerous Google Hacking Database and Attacks: The book takes a look into several case studies on dangerous attacks that have been carried out in the past and how these could have been prevented.

8. Internet Advanced Denial of Service (DDOS) Attack : This book sheds light on the complex form of computer attack that impacts the confidentiality, integrity, and availability of millions of computers worldwide.

9. Computer Hacking & Malware Attacks for Dummies: This is a book on preventive techniques and examines some great security measures which are present across the world. The great thing is that it has been updated to cover the latest hacks for Windows 7 and the newest version of Linux.

10. G-mail Advance Hacking Guides and Tutorials : Another great book on preventive techniques, the book is a lesson on how to secure Gmail, the world’s most used emailing service.

11. Vulnerability Exploit & website Hacking for Dummies : The book has some brilliant insights into Metasploit, and its commercial equivalent CORE IMPACT. It provides the ultimate ethical hacker's pot of gold — a screenshot of a critical server's command prompt.

12. Web App Hacking (Hackers Handbook): This is a highly successful book and now comes with great insights into web applications, which are now the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users.

13. Security Crypting Networks and Hacking: Now in its second edition, the book offers 125 concise and practical hacks, including more information for Windows administrators, hacks for wireless networking. 

14. Botnets: The Killer Web Application Hacking: The book is based on real-world cases of botnet attacks to underscore the need for action, and uses public domain tools like OurMon.

15. Hacking Attacks and Examples Test: The book offers step-by-step how-to drilldowns for installing and configuring your Tiger Box operating systems, and for the installation and configuration of some of the most popular auditing software suites.

16. Gray Hat Hacking and Complete Guide to Hacking: This is an insight into thwarting malicious network intrusion by using cutting-edge techniques for finding and fixing security flaws.

17. Advance Hacking Exposed Tutorials: This book works brilliantly for those looking to find out how a supposedly fail-safe system was cracked and how one can better protect oneself.

18. 501 Website Hacking Secrets: "This book concisely identifies the types of attacks which are faced daily by Web 2.0 sites, and the authors give solid, practical advice on how to identify and mitigate these threats." --Max Kelly, CISSP, CIPP, CFCE, Senior Director of Security, Facebook. One needn’t say more.

19. Internet Security Technology and Hacking: The book addresses the question of whether hacking attacks are morally justified. Hacking, Counterhacking, and Society is a valuable addition to the library of anyone concerned with the growing number of Internet security issues and intrusions facing society today.

20. CEH Certified Ethical Hacker Study Guide: The book lets you prepare for the challenging CEH Certified Ethical Hacker exam and provides full coverage of exam topics, real-world examples, and a CD with chapter review questions, two full-length practice exams, electronic flashcards and a glossary of key terms.

21. Advanced SQL Injection Hacking and Guide: The book ensures that IT professionals apply security principles in the context of their daily job scope.

22. Web Hacking & Penetration Testing: The book serves as an introduction to the steps required to complete a penetration test or perform an ethical hack.

23. OWASP Hacking Tutorials and Web App Protection: The book details the different tools for exploitation, including Metasploit and Armitage.

24. CEH - Hacking Database Secrets and Exploit: The latest edition gets into current threats and details the new menace of APT (advanced persistent threats), embedded hacking, database hacking, and significant coverage of mobile devices.

Want To Learn Programming Online? Now You Can!

Well, if you're a budding programmer and are looking for the right direction, look no further. You can learn every trick of the trade within the humble comforts of your home/office while sipping a piping hot cup of coffee. The following websites offer heaps of information on everything in the programming world. They are all free and waiting for you. So put those learning caps on and build that amazing programming career you dream of.

1. Processing

Processing is a programming language, development environment, and online community. Since 2001, Processing has promoted software literacy within the visual arts and visual literacy within technology. Initially created to serve as a software sketchbook and to teach computer programming fundamentals within a visual context, Processing evolved into a development tool for professionals. 

2. Programmr

Programmr is an online interactive lab for students and enthusiasts to learn, practice and become proficient in programming. Programmr makes the world's best online coding simulators. At Programmr you can code, compile and run projects right in the browser in almost any language. Code & run command-line programs, web applications, mobile apps, database apps as well as rich media apps right in the browser. 

3. Bloc

Bloc believes in project based learning, through live screen sharing and pair programming. On average apprentices will build between five and ten web apps. Learn HTML, CSS, JavaScript, JQuery, Ruby on Rails, and SQL to build it, step-by-step, with a Bloc mentor. 

4. Code School

Code School teaches web technologies in the comfort of your browser with video lessons, coding challenges, and screencasts.

5. Scratch

With Scratch, you can program your own interactive stories, games, and animations — and share your creations with others in the online community. Scratch helps young people learn to think creatively, reason systematically, and work collaboratively — essential skills for life in the 21st century. Scratch is a project of the Lifelong Kindergarten Group at the MIT Media Lab. It is provided free of charge. 

6. Coder Dojo

CoderDojo is an open source, volunteer led movement orientated around running free not-for-profit coding clubs and regular sessions for young people. Since CoderDojo is open source all Dojos are different and completely autonomous. At Dojos, young people between 5 and 17 learn how to code, develop websites, apps, programs, games and more. Dojos are set up, run by and taught at by volunteers. 

7. Learn Code The Hard Way

It began with the free online book 'Learn Python The Hard Way' and has gradually branched out to add other languages, including Ruby and C.

8. Ruby Koans

The Koans walk you along the path to enlightenment in order to learn Ruby. The goal is to learn the Ruby language, syntax, structure, and some common functions and libraries.

9. Eloquent JavaScript

Eloquent JavaScript is a free online book providing an introduction to the JavaScript programming language and programming in general.

10. HTML5 Rocks

The site is a huge storehouse of free info on HTML5, including blog posts, books, tutorials, tools and documentation. 

Sunday, March 9, 2014

How to Permanently Delete a Facebook Account


If you’re done with Facebook, you may be running around in circles trying to figure out how to delete your account. They certainly don’t make it easy to find. Follow this guide to make sure that you save all of the data you need and delete your account for good.

1. Save any data you need. Before you delete your account, save any photos and contact information you need from your account. You will lose access to all of this when you delete your account.
  • You can download a copy of all of your Facebook data through the Account Settings. Click on the Gear icon in the upper-right corner to access it. Click the link that says “Download a copy of your Facebook data”.
  • Download individual pictures by clicking the Download link at the bottom when you open them.

2. Clear your Facebook history. You can open the Activity Log to undo all of your previous actions on Facebook, such as liking posts and comments you’ve made. This will help ensure that as little data about you remains as possible after your account is deleted.
  • To access the Activity Log, click the Privacy button in the top-right corner. Select “Who can see my stuff?” Click the link for the Activity Log. Here you can choose which parts of your activity you would like to delete.

3. Visit the Delete Account page. This page cannot be accessed through Facebook unless you search for it. You can also follow this link. Click the “Delete my Account” button to start the account deletion process.[1]

4. Enter your password and the CAPTCHA. Once you have entered these, press “Okay” to permanently delete your account. You will need to wait 14 days for the deletion to take effect.
  • You need to have access to your Facebook account in order to delete it this way. If you can’t remember your password, use Facebook’s password reset service before deleting your account.

5. Try a temporary deactivation instead of deleting your account.
  • Click the Settings icon and select Account Settings.
  • Open the Security section from the left menu.
  • Click the “Deactivate your account” link.
  • Fill out the form for deactivating your account. You will still be able to be linked in posts and messaged, though you will not receive notifications about it.

Saturday, March 8, 2014

How to Remove Write Protection In Pendrive/Sd Card

Hello everyone, today I'm back with another much-requested trick: how to remove write protection on a pendrive/memory card.

First of all, what is write protection?
On a write-protected pendrive/memory card you cannot even delete or transfer data, which is quite annoying. Write protection does have its uses: it prevents files from being tampered with, and a manufacturer can make sure all users get the same files. But it is also very inconvenient. To remove this protection you will need to format the drive, and this is not just a matter of clicking the Format button; it needs a special kind of format so you can enjoy the freedom of your pendrive/memory card. Now I am going to explain the best methods step by step. Let's start:

METHOD 1 :- Using Command Prompt

Step 1: First of all, plug your write-protected pendrive into your PC/laptop. Wait until Windows detects your pendrive or memory card. Now back up your data, because you are going to format it.

Step 2: As this method uses the command prompt, open cmd after connecting your pendrive/memory card. To open cmd, go to “Start” and search for “Command Prompt”, or simply type “cmd” in “Run” and the command prompt should pop up.

Step 3: In the command prompt, type the drive letter of your pen drive with a colon at the end, like this: “H:” but without the quotation marks.

Step 4: After entering the previous command in cmd, type “format” without the quotation marks. Here’s how to do it: “format H:” and then press “Enter.”

Step 5: After the format completes, close the command prompt.

That's it, you are done! Enjoy!

METHOD 2:- Using Administrative Tools


As I mentioned above, when your pendrive/memory card is write protected you can’t simply format it. So you can format it using Administrative Tools instead. Let's go through this method step by step:

Step 1: First of all, open the Control Panel, click on Administrative Tools, then click on Defragment and Optimise Drives; a window will open on the screen.

Step 2: It lists all the drives and other removable devices connected to the PC/laptop.

Step 3: Select your write-protected drive carefully, then click on Format and then on OK.

Step 4: Your pendrive/memory card will now be formatted, and this will remove the write protection from it. Now you're done!

My Advice:

There are a lot of methods to remove the write protection on a pendrive/memory card, but I am giving you only the best ones. There is also a lot of software available on the market, but much of it is spam. So I suggest that everyone go for the first method, because it's simple and does not take much time.

FACING PROBLEMS ? JUST COMMENT BELOW I WILL HELP YOU.

I have a method to remove write protection on a pendrive




1. Open Start Menu
2. Run, type regedit and press Enter, this will open the registry editor.
3. Navigate to the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies

4. Double click the key WriteProtect in the right pane and set the value to 0 In the Value Data Box and press OK button

5. Exit Registry

Method #2

1. Start > Run -> type “CMD” and press Enter
2. type: diskpart
3. type: list volume
4. type: select volume # (# is the number of the USB HDD you’ve plugged in)
5. type: attributes disk clear readonly

Saturday, February 22, 2014

How To Identify Fake Facebook Accounts


Facebook or Fakebook?
How can you detect a fake FB profile? These days we get many friend requests, especially from girls, but there is no easy way to tell whether an account is fake or real. Don't worry, we are going to show you a simple method to detect a fake Facebook account.

This is a Facebook account under the name Sarikha Agarwal. We need to verify whether this account is real or fake, so our first step is to go to images.google.com and click on the camera icon.

When you click on "search by image" you will get a popup like the one in the image below.

Now go to that profile, right-click on the profile image and click on "Copy image URL".

The profile picture URL is now copied. Go back to the images.google.com tab and paste the image URL.

When you press Enter you get a search for related images.

Now you can see much better whether this profile is real or fake. In this case the results are proof that the profile is fake. Enjoy the trick.

Be careful when you are about to add a beautiful or smart-looking unknown person as your friend: check first, because many fake profiles are created every day.
Such a person might spy on your profile and steal personal information such as your photos for their hacking activities. So be safe online.

Friday, February 14, 2014

Well-Known Ports and Their Services


Having read the internetworking primers in Chapter 1, “Understanding Communication Protocols,”
and Chapter 3, ‘‘Understanding Communication Mediums,” hopefully you are beginning to think,
speak, and, possibly, act like a hacker, because now it’s time to apply that knowledge and hack your
way to a secure network. We begin this part with an in-depth look at what makes common ports and
their services so vulnerable to hack attacks. Then, in Chapter 5, you will learn about the software,
techniques, and knowledge used by the hackers, crackers, phreaks, and cyberpunks defined in Act I
Intermission.

A Review of Ports

The input/output ports on a computer are the channels through which data is transferred between an
input or output device and the processor. They are also what hackers scan to find open, or
“listening,” and therefore potentially susceptible to an attack. Hacking tools such as port scanners
(discussed in Chapter 5) can, within minutes, easily scan every one of the more than 65,000 ports on
a computer; however, they specifically scrutinize the first 1,024, those identified as the well-known
ports. These first 1,024 ports are reserved for system services; as such, outgoing connections will
have port numbers higher than 1023. This means that all incoming packets that communicate via
ports higher than 1023 are replies to connections initiated by internal requests.
When a port scanner scans computer ports, essentially, it asks one by one if a port is open or closed.
The computer, which doesn’t know any better, automatically sends a response, giving the attacker
the requested information. This can and does go on without anyone ever knowing anything about it.
The next few sections review these well-known ports and the corresponding vulnerable services they
provide. From there we move on to discuss the hacking techniques used to exploit security
weaknesses.
The material in these next sections comprises a discussion of the most vulnerable
ports from the universal well-known list. But because many of these ports and
related services are considered to be safe or free from common penetration attack
(their services may be minimally exploitable), for conciseness we will pass over safer
ports and concentrate on those in real jeopardy.
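The distinction drawn above (the first 1,024 ports reserved for system services, higher ports used for outgoing connections) is easiest to see by auditing a host's own socket table. The Python script below is an added example, not code from the book: it parses constructed netstat-style output (the host, addresses and sockets are made up), classifies each listening socket by port range, and flags any service from this chapter's well-known-port list that is bound to all interfaces rather than loopback. The constant and function names are my own.

```python
"""Audit listening sockets against the well-known-port list discussed in this chapter.

Added example, not from the book. The netstat output below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Ports and service names exactly as this chapter lists them.
CHAPTER_PORTS = {
    7: "echo", 11: "systat", 15: "netstat", 19: "chargen", 20: "ftp-data",
    21: "ftp", 23: "telnet", 25: "smtp", 43: "whois", 53: "domain",
    67: "bootp", 69: "tftp", 79: "finger", 80: "http", 109: "pop2",
    110: "pop3", 111: "portmap", 135: "loc-serv",
}

# Constructed sample of `netstat -an`-style output for a hypothetical host.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
tcp    0.0.0.0:22             0.0.0.0:*              LISTEN
tcp    0.0.0.0:23             0.0.0.0:*              LISTEN
tcp    127.0.0.1:631          0.0.0.0:*              LISTEN
tcp    10.0.0.5:49152         203.0.113.9:443        ESTABLISHED
udp    0.0.0.0:69             0.0.0.0:*
udp    0.0.0.0:19             0.0.0.0:*
tcp    0.0.0.0:8080           0.0.0.0:*              LISTEN
"""

LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


@dataclass
class Finding:
    proto: str
    addr: str
    port: int
    klass: str            # "well-known", "registered" or "dynamic"
    service: str | None   # chapter service name if the port is one it discusses
    exposure: str         # "all-interfaces" or "local-only"


def port_class(port: int) -> str:
    """Classify a port by the IANA ranges: 0-1023, 1024-49151, 49152-65535."""
    if port < 1024:
        return "well-known"
    if port < 49152:
        return "registered"
    return "dynamic"


def audit(netstat_text: str) -> list[Finding]:
    """Return one Finding per socket that can accept traffic."""
    findings: list[Finding] = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unparseable line
        proto, addr, port_s, state = m.groups()
        port = int(port_s)
        # Only a LISTEN-state TCP socket accepts connections; an ESTABLISHED
        # socket on a high port is a reply to an outbound request, as the text says.
        if proto == "tcp" and state != "LISTEN":
            continue
        local_only = addr.startswith("127.") or addr == "::1"
        findings.append(Finding(proto, addr, port, port_class(port),
                                CHAPTER_PORTS.get(port),
                                "local-only" if local_only else "all-interfaces"))
    return findings


def chapter_services_exposed(netstat_text: str) -> list[str]:
    """Chapter-listed services reachable on non-loopback interfaces, sorted."""
    return sorted(f"{f.proto}/{f.port} ({f.service})"
                  for f in audit(netstat_text)
                  if f.service and f.exposure == "all-interfaces")


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        print(f"{f.proto}/{f.port:<5} {f.klass:<10} {f.exposure:<14} {f.service or '-'}")
    print("exposed chapter services:", chapter_services_exposed(SAMPLE_NETSTAT))
```

Run against real output, `audit()` gives the reviewer the same view a scanner would get from outside, without sending a single probe: every well-known port bound to all interfaces is a service that the rest of this chapter examines.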

TCP and UDP Ports

TCP and UDP ports, which are elucidated in RFC793 and RFC768 respectively, name the ends of
logical connections that mandate service conversations on and between systems. Mainly, these lists
specify the port used by the service daemon process as its contact port. The contact port is the
acknowledged “well-known port.”
Recall that a TCP connection is initialized through a three-way handshake, whose purpose is to
synchronize the sequence number and acknowledgment numbers of both sides of the connection,
while exchanging TCP window sizes. This is referred to as a connection-oriented, reliable service.

On the other side of the spectrum, UDP provides a connectionless datagram service that offers
unreliable, best-effort delivery of data. This means that there is no guarantee of datagram arrival or
of the correct sequencing of delivered packets. Tables 4.1 and 4.2 give abbreviated listings,
respectively, of TCP and UDP ports and their services (for complete listings, refer to Appendix C in
the back of this book).

Well-Known Port Vulnerabilities

Though entire books have been written on the specifics of some of the ports and services defined in
this section, for the purposes of this book, the following services are addressed from the perspective
of an attacker, or, more specifically, as part of the “hacker’s strategy.”


Port: 7

Service: echo

Hacker’s Strategy: This port is associated with a module in communications or a signal transmitted

(echoed) back to the sender that is distinct from the original signal. Echoing a message back to the
main computer can help test network connections. The primary message-generation utility executed
is termed PING, which is an acronym for Packet Internet Groper. The crucial issue with port 7’s
echo service pertains to systems that attempt to process oversized packets. One variation of a
susceptible echo overload is performed by sending a fragmented packet larger than 65,536 bytes in
length, causing the system to process the packet incorrectly, resulting in a potential system halt or
reboot. This problem is commonly referred to as the ‘‘Ping of Death” attack. Another common
deviant to port 7 is known as “Ping Flooding.” It, too, takes advantage of the computer’s
responsiveness, using a continual bombardment of pings or ICMP Echo Requests to overload and
congest system resources and network segments.
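Checking the claimed reassembly length before allocating a reassembly buffer is the standard defence against the oversized-datagram problem described above. The Python code below is an added example, not code from the book: it builds constructed IPv4 fragment headers (only the 20-byte header, with addresses from the 192.0.2.0/24 documentation range) and flags any fragment whose offset plus payload length would exceed the 65,535-byte IPv4 maximum total length from RFC 791. The function names and sample values are my own.

```python
"""Detect IPv4 fragments that would reassemble past the datagram size limit.

Added example, not from the book. Headers below are constructed sample data.
"""
import struct

IP_MAX_DATAGRAM = 65535          # 16-bit total-length field (RFC 791)
IP_HEADER_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options
MF_FLAG = 0x2000                 # "more fragments" bit in flags/offset word
FRAG_OFFSET_MASK = 0x1FFF        # fragment offset, in 8-byte units


def build_ipv4_fragment(ident: int, offset_bytes: int, more: bool, payload_len: int) -> bytes:
    """Return a 20-byte IPv4 header describing one fragment (constructed sample)."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (MF_FLAG if more else 0) | (offset_bytes // 8)
    return struct.pack(IP_HEADER_FMT, 0x45, 0, 20 + payload_len, ident, flags_frag,
                       64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


def parse_ipv4_fragment(hdr: bytes):
    """Return (ident, offset_bytes, more_fragments, payload_len) from a raw header."""
    (vihl, _tos, total_len, ident, flags_frag,
     _ttl, _proto, _cksum, _src, _dst) = struct.unpack(IP_HEADER_FMT, hdr[:20])
    ihl_bytes = (vihl & 0x0F) * 4
    offset_bytes = (flags_frag & FRAG_OFFSET_MASK) * 8
    return ident, offset_bytes, bool(flags_frag & MF_FLAG), total_len - ihl_bytes


def fragment_end(hdr: bytes) -> int:
    """Byte position at which this fragment's payload would end once reassembled."""
    _ident, offset_bytes, _more, payload_len = parse_ipv4_fragment(hdr)
    return offset_bytes + payload_len


def scan_fragments(headers) -> list:
    """Return identification values of datagrams whose fragments overrun the limit.

    The check is per fragment: offset + payload length is the reassembled size the
    fragment claims, so the overrun is visible before any reassembly buffer is used.
    """
    flagged = []
    for hdr in headers:
        ident = parse_ipv4_fragment(hdr)[0]
        if fragment_end(hdr) > IP_MAX_DATAGRAM and ident not in flagged:
            flagged.append(ident)
    return flagged


# Constructed sample: a benign three-fragment datagram (ident 0x1111) and a
# final fragment whose offset pushes its datagram past 65,535 bytes (ident 0x2222).
SAMPLE_HEADERS = [
    build_ipv4_fragment(0x1111, 0, True, 1480),
    build_ipv4_fragment(0x1111, 1480, True, 1480),
    build_ipv4_fragment(0x1111, 2960, False, 1000),
    build_ipv4_fragment(0x2222, 65528, False, 40),
]

if __name__ == "__main__":
    print("oversized datagrams:", [hex(i) for i in scan_fragments(SAMPLE_HEADERS)])
```

The same per-fragment arithmetic is what a hardened IP stack or an intrusion detection sensor applies; because the offset field is only 13 bits of 8-byte units, a legitimate last fragment can never claim an end beyond 65,535 bytes, so any fragment that does is malformed by definition.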

Port: 11

Service: systat

Hacker’s Strategy: This service was designed to display the status of a machine’s current operating
processes. Essentially, the daemon associated with this service bestows insight into what types of
software are currently running, and gives an idea of who the users on the target host are.

Port: 15

Service: netstat

Hacker’s Strategy: Similar in operation to port 11, this service was designed to display the
machine’s active network connections and other useful information about the network’s subsystem,
such as protocols, addresses, connected sockets, and MTU sizes. Common output from a standard
Windows system would display what is shown in Figure 4.2.

Figure 4.2 Netstat output from a standard Windows system.

Port: 19

Service: chargen

Hacker’s Strategy: Port 19, and chargen, its corresponding service daemon, seem harmless enough.
The fundamental operation of this service can be easily deduced from its role as a character stream
generator. Unfortunately, this service is vulnerable to a telnet connection that can generate a string of
characters with the output redirected to a telnet connection to, for example, port 53 (domain name
service (DNS)). In this example, the flood of characters causes an access violation fault in the DNS
service, which is then terminated, which, as a result, disrupts name resolution services.

Port: 20, 21

Service: FTP-data, FTP respectively

Hacker’s Strategy: The services inherent to ports 20 and 21 provide operability for the File Transfer
Protocol (FTP). For a file to be stored on or be received from an FTP server, a separate data
connection must be utilized simultaneously. This data connection is normally initiated through port
20 FTP-data. In standard operating procedures, the file transfer control terms are mandated through
port 21. This port is commonly known as the control connection, and is basically used for sending
commands and receiving the coupled replies. Attributes associated with FTP include the capability to
copy, change, and delete files and directories. Chapter 5 covers vulnerability exploit techniques and
stealth software that are used to covertly control system files and directories.

Port: 23

Service: telnet

Hacker’s Strategy: The service that corresponds with port 23 is commonly known as the Internet
standard protocol for remote login. Running on top of TCP/IP, telnet acts as a terminal emulator for
remote login sessions. Depending on preconfigured security settings, this daemon can and does
typically allow for some way of controlling accessibility to an operating system. Uploading specific
hacking script entries to certain Telnet variants can cause buffer overflows, and, in some cases,
render administrative or root access. An example includes the TigerBreach Penetrator (illustrated in
Figure 4.3) that is part of TigerSuite, which is included on the CD bundled with this book and is
more fully introduced in Chapter 12.

Port: 25

Service: SMTP

Hacker’s Strategy: The Simple Mail Transfer Protocol (SMTP) is most commonly used by the
Internet to define how email is transferred. SMTP daemons listen for incoming mail on port 25 by
default, and then copy messages into appropriate mailboxes. If a message cannot be delivered, an
error report containing the first part of the undeliverable message is returned to the sender. After
establishing the TCP connection to port 25, the sending machine, operating as the client, waits for
the receiving machine, operating as the server, to send a line of text giving its identity and telling
whether it is prepared to receive mail. Checksums are not generally needed due to TCP’s reliable
byte stream (as covered in previous chapters). When all the email has been exchanged, the
connection is released. The most common vulnerabilities related with SMTP include mail bombing,
mail spamming, and numerous denial of service (DoS) attacks. These exploits are described in detail
later in the book.

Figure 4.3 The TigerBreach Penetrator in action.

Port: 43

Service: Whois

Hacker’s Strategy: The Whois service (http://rs.Internic.net/whois.html) is a TCP port 43
transaction-based query/response daemon, running on a few specific central machines. It provides
networkwide directory services to local and/or Internet users. Many sites maintain local Whois
directory servers with information about individuals, departments, and services at that specific
domain. This service is an element in one of the core steps of the discovery phase of a security analysis,
and is performed by hackers, crackers, phreaks, and cyberpunks, as well as tiger teams. The most
popular Whois databases can be queried from the InterNIC, as shown in Figure 4.4.

Figure 4.4 The most popular Whois database can be queried.

Port: 53

Service: domain

Hacker’s Strategy: A domain name is a character-based handle that identifies one or more IP
addresses. This service exists simply because alphabetic domain names are easier to remember than
IP addresses. The domain name service (DNS) translates these domain names back into their
respective IP addresses. As explained in previous chapters, datagrams that travel through the Internet
use addresses, therefore every time a domain name is specified, a DNS service daemon must
translate the name into the corresponding IP address. Basically, by entering a domain name into a
browser, say, TigerTools.net, a DNS server maps this alphabetic domain name into an IP address,
which is where the user is forwarded to view the Web site. Recently, there has been extensive
investigation into DNS spoofing. Spoofing DNS caching servers gives the attacker the means to
forward visitors to some location other than the intended Web site. Another popular attack on DNS
server daemons derives from DoS overflows, rendering the resources inoperable. An illustration of a
standard DNS query is shown in Figure 4.5.

Figure 4.5 Output from a standard DNS query.

Port: 67

Service: bootp

Hacker’s Strategy: The bootp Internet protocol enables a diskless workstation to discover its own
IP address. This process is controlled by the bootp server on the network in response to the
workstation’s hardware or MAC address. The primary weakness of bootp has to do with a kernel
module that is prone to buffer overflow attacks, causing the system to crash. Although most
occurrences have been reported as local or internal attempts, many older systems still in operation
and accessible from the Internet remain vulnerable.

Port: 69

Service: tftp

Hacker’s Strategy: Often used to load Internetworking Operating Systems (IOS) into various
routers and switches, port 69 Trivial File Transfer Protocol (tftp) services operate as a less
complicated form of FTP. In a nutshell, tftp is a very simple protocol used to transfer files. tftp is
also designed to fit into read-only memory, and is used during the bootstrap process of diskless
systems. tftp packets have no provision for authentication; because tftp was designed for use during
the bootstrap process, it was impossible to provide a username and password. With these glitches in
numerous variations of daemons, simple techniques have made it possible for anyone on the Internet
to retrieve copies of world-readable files, such as /etc/passwd (password files), for decryption.

Figure 4.6 Output from a successful finger query.
Port: 79
Service: finger
Hacker’s Strategy: When an email account is “fingered,” it returns useful discovery information
about that account. Although the information returned varies from daemon to daemon and account to
account, on some systems, finger reports whether the user is currently in session. Other systems
return information including the user’s full name, address, and/or telephone number. The finger
process is relatively simple: A finger client issues an active open to this port, and sends a one-line
query with login data. The server processes the query, returns the output, and closes the connection.
The output received from port 79 is considered highly sensitive, as it can reveal detailed information
on users. Sample output from the Discovery: finger phase of an analysis is shown in Figure 4.6. The
actual data is masked for user anonymity.
Port: 80
Service: http
Hacker’s Strategy: An acronym for the Hypertext Transfer Protocol, HTTP is the underlying
protocol for the Internet’s World Wide Web. The protocol defines how messages are formatted and
transmitted, and operates as a stateless protocol because each command is executed independently,
without any knowledge of the previous commands. The best example of this daemon in action occurs
when a Web site address (URL) is entered in a browser. Underneath, this actually sends an HTTP
command to a Web server, directing it to serve or transmit the requested Web page to the Web
browser. The primary vulnerability with specific variations of this daemon is the Web page hack. An
example from the infamous hacker Web site, www.2600.com/hacked_pages, shows the “hacked”
United States Army home page (see Figure 4.7).
Port: 109, 110
Service: pop2, pop3, respectively
Hacker’s Strategy: The Post Office Protocol (POP) is used to retrieve email from a mail server
daemon. Historically, there are two well-known versions of POP: the first POP2 (from the 1980s)
and the more recent, POP3. The primary difference between these two flavors is that POP2 requires
an SMTP server daemon, whereas POP3 can be used unaccompanied. POP is based on client/server
topology in which email is received and held by the mail server until the client software logs in and
extracts the messages. Most Web browsers have integrated the POP3 protocol in their software
design, such as in Netscape and Microsoft browsers. Glitches in POP design integration have
allowed remote attackers to log in, as well as to direct telnet (via port 110) into these daemons’
operating systems even after the particular POP3 account password has been modified. Another
common vulnerability opens during the Discovery phase of a hacking analysis, by direct telnet to
port 110 of a target mail system, to reveal critical information, as shown in Figure 4.8.
Port: 111, 135
Service: portmap, loc-serv, respectively
Hacker’s Strategy: The portmap daemon converts RPC program numbers into port numbers. When
an RPC server starts up, it registers with the portmap daemon. The server tells the daemon to which
port number it is listening and which RPC program numbers it serves. Therefore, the portmap
daemon knows the location of every registered port on the host, as well as which programs are
available on each of these ports. Loc-serv is NT’s RPC service. Without filtering portmap, if an
intruder uses specific parameters and provides the address of the client, he or she will get its NIS
domain name back. Basically, if an attacker knows the NIS domain name, it may be possible to get a
copy of the password file.
Figure 4.7 The “hacked” United States Army home page.
Figure 4.8 Telnetting can reveal critical system discovery information.
Figure 4.9 Sample output from the netstat -a command.
Port: 137, 138, 139
Service: nbname, nbdatagram, nbsession, respectively
Hacker’s Strategy: Port 137 nbname is used as an alternative name resolution to DNS, and is
sometimes called WINS or the NetBIOS name service. Nodes running the NetBIOS protocol over
TCP/IP use UDP packets sent from and to UDP port 137 for name resolution. The vulnerability of
this protocol is attributed to its lack of authentication. Any machine can respond to broadcast queries
for any name for which it sees queries, even spoofing, by beating legitimate name holders to the
response. Basically, nbname is used for broadcast resolution, nbdatagram interacts with similar
broadcast discovery of other NBT information, and nbsession is where all the point-to-point
communication occurs. A sample netstat –a command execution on a Windows station (see Figure
4.9) would confirm these activities and reveal potential Trojan infection as well.
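The netstat check the paragraph describes, carried through as an added example that is not from the book: a parser for Windows netstat output that confirms the expected NetBIOS listeners on 137-139 and flags any bound port that appears in the Trojan entries later in this section. The port table is transcribed from those entries; the netstat lines are constructed sample data in the numeric form produced by `netstat -an` (some Windows versions print service names for `netstat -a` alone, which is why the `-n` form is assumed here).

```python
"""Scan netstat output for listening ports used by the Trojans in this chapter.

Added example, not from the book. The port table is transcribed from the
port/service entries in this section; the netstat lines are constructed
sample data in the numeric form that `netstat -an` prints on Windows.
"""

# Port -> daemon(s) the chapter associates with it. Several of these ports also
# carry legitimate services (21 = FTP, 23 = telnet), so a hit is a prompt to
# identify the owning process, not proof of infection.
TROJAN_PORTS = {
    21: "Back Construction / Blade Runner / Fore / FTP Trojan / WebEx / WinCrash",
    23: "Tiny Telnet Server",
    31: "Agent 31 / Hackers Paradise / Masters Paradise",
    555: "Ini-Killer / NeTAdmin / phAse Zero / Stealth Spy",
    666: "Attack FTP / Cain & Abel / Satanz Backdoor / ServeU / Shadow Phyre",
    1024: "NetSpy",
    1243: "BackDoor-G / SubSeven",
    1999: "BackDoor",
    2001: "Trojan Cow",
    6776: "SubSeven",
    12345: "NetBus",
    12346: "NetBus",
    31338: "NetSpy",
    31339: "NetSpy",
}

# The normal NetBIOS-over-TCP/IP listeners on a Windows station.
NBT_PORTS = {137: "nbname", 138: "nbdatagram", 139: "nbsession"}

# Constructed sample output; not captured from a real machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1243           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        192.168.1.9:1052       ESTABLISHED
  TCP    192.168.1.5:1035       10.0.0.2:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""


def parse_netstat(text):
    """Yield (proto, local_port, state) for each socket line of netstat output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or unexpected format
        proto, local = fields[0], fields[1]
        try:
            port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue  # names instead of numbers: rerun netstat with -n
        state = fields[3] if len(fields) > 3 else ""  # UDP lines carry no state
        yield proto, port, state


def find_suspicious_listeners(text):
    """Return [(proto, port, daemon)] for bound ports that match the Trojan table."""
    hits = []
    for proto, port, state in parse_netstat(text):
        # Only sockets waiting for inbound traffic matter: LISTENING for TCP,
        # any bound socket for UDP.
        if proto == "TCP" and state != "LISTENING":
            continue
        if port in TROJAN_PORTS:
            hits.append((proto, port, TROJAN_PORTS[port]))
    return hits


def nbt_listeners(text):
    """Return the NetBIOS ports (137-139) the station is bound to, for confirmation."""
    return sorted({port for proto, port, state in parse_netstat(text)
                   if port in NBT_PORTS and (proto == "UDP" or state == "LISTENING")})


if __name__ == "__main__":
    for proto, port, daemon in find_suspicious_listeners(SAMPLE_NETSTAT):
        print(f"{proto} port {port} is listening: associated with {daemon}")
    print("NBT ports bound:", nbt_listeners(SAMPLE_NETSTAT))
```

On the sample the NetBIOS triple is present as expected, and the two extra listeners (1243 and 12345) are the ones to chase down to a process before deciding whether the station is infected.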
Port: 144
Service: news
Hacker’s Strategy: Port 144 is the Network-extensible Window System (news), which, in essence,
is an old PostScript-based window system developed by Sun Microsystems. It’s a multithreaded
PostScript interpreter with extensions for drawing on the screen and handling input events, including
an object-oriented programming element. As there are limitations in the development of a standard
windows system for UNIX, the word from the Underground indicates that hackers are currently
working on exploiting fundamental flaws of this service.
Port: 161, 162
Service: snmp, snmp-trap, respectively
Hacker’s Strategy: In a nutshell, the Simple Network Management Protocol (snmp) directs network
device management and monitoring. snmp operation consists of messages, called protocol data units
(PDUs), that are sent to different parts of a network. snmp devices are called agents. These
components store information about themselves in management information bases (MIBs) and return
this data to the snmp requesters. UDP port 162 is specified as the port notification receivers should
listen to for snmp notification messages. For all intents and purposes, this port is used to send and
receive snmp event reports. The interactive communication governed by these ports makes them
juicy targets for probing and reconfiguration.
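The message structure the paragraph describes, as an added example that is not from the book: a decoder for the SNMPv1/v2c message header that recovers the version, the community string and the PDU type from a UDP payload on ports 161/162, and flags the two weaknesses a defender most often finds in a capture, a default community string and write (SetRequest) traffic. It implements only as much BER (ASN.1 basic encoding rules) as the header needs; the datagram it inspects is built inline with the same encoder, so nothing is captured from a live network.

```python
"""Decode the SNMPv1/v2c message header and flag weak community strings.

Added example, not from the book. Just enough BER to read version, community
and PDU type; the sample datagram is constructed with the same encoder.
"""

PDU_TYPES = {
    0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
    0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
    0xA6: "InformRequest", 0xA7: "SNMPv2-Trap",
}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}


def encode_tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value with short-form or long-form length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + value


def decode_tlv(buf: bytes, off: int = 0):
    """Return (tag, value, next_offset) for the element starting at buf[off]."""
    tag = buf[off]
    first = buf[off + 1]
    if first & 0x80:
        size = first & 0x7F
        length = int.from_bytes(buf[off + 2: off + 2 + size], "big")
        start = off + 2 + size
    else:
        length, start = first, off + 2
    end = start + length
    if end > len(buf):
        raise ValueError("BER length runs past end of datagram")
    return tag, buf[start:end], end


def build_snmp_request(community: str, version: int = 0, pdu_tag: int = 0xA0) -> bytes:
    """Constructed request for sysName.0 (OID 1.3.6.1.2.1.1.5.0), used as sample input."""
    sysname_oid = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x05, 0x00])
    varbind = encode_tlv(0x30, encode_tlv(0x06, sysname_oid) + encode_tlv(0x05, b""))
    pdu_body = (encode_tlv(0x02, b"\x01")       # request-id
                + encode_tlv(0x02, b"\x00")     # error-status
                + encode_tlv(0x02, b"\x00")     # error-index
                + encode_tlv(0x30, varbind))    # variable-bindings list
    return encode_tlv(0x30, encode_tlv(0x02, bytes([version]))
                      + encode_tlv(0x04, community.encode())
                      + encode_tlv(pdu_tag, pdu_body))


def parse_snmp_header(datagram: bytes) -> dict:
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }."""
    tag, body, _ = decode_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer element is not a SEQUENCE")
    vtag, vval, off = decode_tlv(body)
    ctag, cval, off = decode_tlv(body, off)
    ptag, _, _ = decode_tlv(body, off)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected header layout (SNMPv3 carries no community string)")
    return {"version": VERSIONS.get(int.from_bytes(vval, "big"), "unknown"),
            "community": cval.decode("latin-1"),
            "pdu": PDU_TYPES.get(ptag, f"0x{ptag:02X}")}


def assess(datagram: bytes) -> list:
    """Defender-side findings for one SNMP datagram."""
    hdr = parse_snmp_header(datagram)
    findings = []
    if hdr["community"] in DEFAULT_COMMUNITIES:
        findings.append(f"default community string {hdr['community']!r} in use")
    if hdr["pdu"] == "SetRequest":
        findings.append("SetRequest seen: this community grants write access to the agent")
    return findings


if __name__ == "__main__":
    for sample in (build_snmp_request("public"), build_snmp_request("private", 1, 0xA3)):
        print(parse_snmp_header(sample), assess(sample))
```

The community string travels in clear text in every v1/v2c message, which is why capturing one datagram on port 161 is enough to learn it; the parser above is the same logic a monitoring sensor would run to catch agents still answering to the vendor defaults.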
Port: 512
Service: exec
Hacker’s Strategy: Port 512 exec is used by rexec() for remote process execution. When this port is
active, or listening, more often than not the remote execution server is configured to start
automatically. As a rule, this suggests that X-Windows is currently running. Without appropriate
protection, window displays can be captured or watched, and user keystrokes can be stolen and
programs remotely executed. As a side note, if the target is running this service daemon, and accepts
telnets to port 6000, the ingredients are present for a DoS attack, with intent to freeze the system.
Port: 513, 514
Service: login, shell, respectively
Hacker’s Strategy: These ports are considered “privileged,” and as such have become a target for
address spoofing attacks on numerous UNIX flavors. Port 514 is also used by rsh, acting as an
interactive shell without any logging. Together, these services substantiate the presence of an active
X-Windows daemon, as just described. Using traditional methods, a simple telnet could verify
connection establishment, as in the attempt shown in Figure 4.10. The actual data is masked for
target anonymity.
Figure 4.10 Successful verification of open ports with telnet.
Port: 514
Service: syslog
Hacker’s Strategy: As part of the internal logging system, port 514 (remote accessibility through
front-end protection barriers) is an open invitation to various types of DoS attacks. An effortless
UDP scanning module could validate the potential vulnerability of this port.
Port: 517, 518
Service: talk, ntalk, respectively
Hacker’s Strategy: Talk daemons are interactive communication programs that abide by both the
old and new talk protocols (ports 517 and 518) that support real-time text conversations with another
UNIX station. The daemons typically consist of a talk client and server, and for all practical
purposes, can be active together on the same system. In most cases, new talk daemons that initiate
from port 518 are not backward-compatible with the older versions. Although this seems harmless,
many times it’s not. Aside from the obvious, the fact that this connection establishment sets up a
TCP connection via random ports exposes these services to a number of remote attacks.
Port: 520
Service: route
Hacker’s Strategy: A routing process, termed dynamic routing, occurs when routers talk to adjacent
or neighboring routers, informing one another of which networks each router currently is acquainted
with. These routers communicate using a routing protocol whose service derives from a routing
daemon. Depending on the protocol, updates passed back and forth from router to router are initiated
from specific ports. Probably the most popular routing protocol, Routing Information Protocol (RIP),
communicates from UDP port 520. Many proprietary routing daemons have inherited
communications from this port as well. To aid in target discovery, trickling critical topology
information can be easily captured with virtually any sniffer.
Port: 540
Service: uucp
Hacker’s Strategy: UNIX-to-UNIX Copy Protocol (UUCP) involves a suite of UNIX programs
used for transferring files between different UNIX systems, but more importantly, for transmitting
commands to be executed on another system. Although UUCP has been superseded by other
protocols, such as FTP and SMTP, many systems still allocate active UUCP services in day-to-day
system management. In numerous UNIX flavors of various service daemons, vulnerabilities exist
that allow controlled users to upgrade UUCP privileges.
Port: 543, 544, 750
Service: klogin, kshell, kerberos
Hacker’s Strategy: The services initiated by these ports represent an authentication system called
Kerberos. The principal idea behind this service pertains to enabling two parties to exchange private
information across an open or insecure network path. Essentially, this method works by assigning
unique keys or tickets to each user. The ticket is then embedded in messages for identification and
authentication. Without the necessary filtration techniques throughout the network span, these ports
are vulnerable to several remote attacks, including buffer overflows, spoofs, masked sessions, and
ticket hijacking.
Unidentified Ports and Services
Penetration hacking programs are typically designed to deliberately integrate a backdoor, or hole, in
the security of a system. Although the intentions of these service daemons are not always menacing,
attackers can and do manipulate these programs for malicious purposes. The software outlined in this
section is classified into three interrelated categories: viruses, worms, and Trojan horses. They are
defined briefly in turn here and discussed more fully later in the book.
· A virus is a computer program that makes copies of itself by using, and therefore requiring, a
host program.
· A worm does not require a host, as it is self-preserved. The worm compiles and distributes
complete copies of itself upon infection at some predetermined high rate.
· A Trojan horse, or just Trojan, is a program that contains destructive code that appears as a
normal, useful program, such as a network utility.
Most of the daemons described in this section are available on this book’s CD or
through the Tiger Tools Repository of underground links and resources, also found
on the CD.
The following ports and connected services, typically unnoticed by target victims, are most
commonly implemented during penetration hack attacks. Let’s explore these penetrators by active
port, service or software daemon, and hacker implementation strategy:
Port: 21, 5400-5402
Service: Back Construction, Blade Runner, Fore, FTP Trojan, Invisible FTP, Larva, WebEx,
WinCrash
Hacker’s Strategy: These programs (illustrated in Figure 4.11) share port 21, and typically model
malicious variations of the FTP, primarily to enable unseen file upload and download functionality.
Some of these programs include both client and server modules, and most associate themselves with
particular Registry keys. For example, common variations of Blade Runner install under:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Port: 23
Service: Tiny Telnet Server (TTS)
Hacker’s Strategy: TTS is a terminal emulation program that runs on an infected system in stealth
mode. The daemon accepts standard telnet connectivity, thus allowing command execution, as if the
command had been entered directly on the station itself. The associated command entries derive
from privileged or administrative accessibility. The program is installed with migration to the
following file: c:\windows\Windll.exe. The current associated Registry key can be found under:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Windll.exe = "C:\\WINDOWS\\Windll.exe"
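The persistence mechanism just described (a value under the Run or RunServices key that launches the daemon at startup) is the same one nearly every entry in this section uses, so it is also the most reliable place to look. The following is an added example, not from the book: an audit of autostart Registry values against a watch list transcribed from the filenames and value names given throughout this section. The entries it checks by default are constructed sample data; the `collect_autostart_entries` helper reads the real keys through Python's standard `winreg` module when run on Windows (an assumed deployment).

```python
"""Audit Windows autostart Registry values against the Trojan entries in this section.

Added example, not from the book. The watch lists are transcribed from the
Registry keys and filenames given throughout this chapter; SAMPLE_ENTRIES are
constructed. collect_autostart_entries() is the Windows-only live path.
"""
import ntpath

RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunLoad",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesLoad",
)

# Executable names the chapter attributes to specific daemons.
KNOWN_TROJAN_FILES = {
    "windll.exe": "Tiny Telnet Server", "sexec.exe": "Executor",
    "mprdll.exe": "BLA", "msgsvr16.exe": "RAT", "rmaapp.exe": "Eclipse",
    "mschv32.exe": "Sockets de Troie", "mgadeskdll.exe": "Sockets de Troie",
    "rsrcload.exe": "Sockets de Troie", "csmctrl32.exe": "Sockets de Troie",
    "tesk.exe": "Doly Trojan", "mprexe.exe": "Remote Grab",
}

# Value names the chapter lists for Run/RunServices persistence (generic names
# such as "System" or "Explorer" are deliberately left out to avoid noise).
KNOWN_TROJAN_VALUES = {
    "executer1": "Executor", "systemdoor": "BLA", "windll_16": "FTP99CMP",
    "networkpopup": "Shockrave", "notpa": "BackDoor", "kernel16": "Transmission Scout",
    "syswindow": "Trojan Cow", "systray": "Bugs", "sysmem": "Illusion Mailer",
    "activex console": "Digital RootBeer", "rnaapp": "Eclipse", "inet": "GateCrasher",
    "dualji": "BrainSpy", "gbubuzhnw": "BrainSpy", "fexhqcux": "BrainSpy",
}


def executable_from_value(data: str) -> str:
    """Lower-cased basename of the program a Run value launches.

    Handles quoted paths with arguments ("C:\\x\\a.exe" /s) and bare paths
    followed by arguments (C:\\WINDOWS\\System\\rundll argp1).
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]
    else:
        path = data.split()[0] if data else ""
    path = path.replace("\\\\", "\\")  # collapse doubled separators as shown in the book
    return ntpath.basename(path).lower()


def audit_entries(entries):
    """entries: iterable of (key_path, value_name, data). Returns (key, name, reason) findings."""
    findings = []
    for key, name, data in entries:
        exe = executable_from_value(data)
        if exe in KNOWN_TROJAN_FILES:
            findings.append((key, name, f"launches {exe}, a filename used by {KNOWN_TROJAN_FILES[exe]}"))
        elif name.lower() in KNOWN_TROJAN_VALUES:
            findings.append((key, name, f"value name used by {KNOWN_TROJAN_VALUES[name.lower()]}"))
    return findings


def collect_autostart_entries():
    """Read the Run-family keys under HKLM and HKCU (Windows only; assumed usage)."""
    import winreg  # only available on Windows
    found = []
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        for subkey in RUN_KEYS:
            try:
                with winreg.OpenKey(hive, subkey) as key:
                    index = 0
                    while True:
                        try:
                            name, data, _ = winreg.EnumValue(key, index)
                        except OSError:
                            break  # no more values
                        found.append((f"{hive_name}\\{subkey}", name, str(data)))
                        index += 1
            except OSError:
                continue  # key absent on this Windows version
    return found


# Constructed sample entries: two modelled on the chapter's descriptions, one benign.
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Windll.exe",
     r'"C:\\WINDOWS\\Windll.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SystemDoor",
     r"C:\WINDOWS\System\rundll argp1"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ExampleUpdater",
     r'"C:\Program Files\Example\updater.exe" /quiet'),
]

if __name__ == "__main__":
    for key, name, reason in audit_entries(SAMPLE_ENTRIES):
        print(f"{key} -> {name}: {reason}")
```

The book notes more than once that filenames and value names can be modified, so a miss on this list proves nothing; the durable check is to account for every value under these keys, not only the ones that match a known name.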
Figure 4.11 Back Construction, Blade Runner, and WebEx Trojans.
Port: 25, 110
Service: Ajan, Antigen, Email Password Sender, Haebu Coceda, Happy 99, Kuang2, ProMail
Trojan, Shtrilitz, Stealth, Tapiras, Terminator, WinPC, WinSpy
Hacker’s Strategy: Masquerading as a fireworks display or joke, these daemons arm an attacker
with system passwords, mail spamming, key logging, DoS control, and remote or local backdoor
entry. Each program has evolved using numerous filenames, memory address space, and Registry
keys. Fortunately, the only common constant remains the attempt to control TCP port 25.
Port: 31, 456, 3129, 40421-40426
Service: Agent 31, Hackers Paradise, Masters Paradise
Hacker’s Strategy: The malicious software typically utilizing port 31 encompasses remote
administration, such as application redirect and file and Registry management and manipulation (
Figure 4.12 is an example of remote system administration with target service browsing). Once under
malevolent control, these situations can prove to be unrecoverable.
Figure 4.12 Falling victim to port 31 control can be detrimental.
Port: 41, 999, 2140, 3150, 6670-6771, 60000
Service: Deep Throat
Hacker’s Strategy: This daemon (shown in Figure 4.13) has many features, including a stealth FTP
file server for file upload, download, and deletion. Other options allow a remote attacker to capture
and view the screen, steal passwords, open Web browsers, reboot, and even control other running
programs and processes.
Port: 59
Service: DMSetup
Hacker’s Strategy: DMSetup was designed to affect the mIRC Chat client by anonymous
distribution. Once executed, DMSetup is installed in several locations, causing havoc on startup files,
and ultimately corrupting the mIRC settings. As a result, the program will effectively pass itself on to
any user communicating with the infected target.
Figure 4.13 Deep Throat Remote control panel.
Port: 79, 5321
Service: Firehotker
Hacker’s Strategy: This program is an alias for Firehotker Backdoorz. The software is supposed to
implement itself as a remote control administration backdoor, but is known to be unstable in design.
More often than not, the daemon simply utilizes resources, causing internal congestion. Currently,
there is no Registry manipulation, only the file server.exe.
Port: 80
Service: Executor
Hacker’s Strategy: This is an extremely dangerous remote command executer, mainly intended to
destroy system files and settings (see Figure 4.14). The daemon is commonly installed with the file,
sexec.exe, under the following Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Executer1="C:\windows\sexec.exe"
Figure 4.14 The Executor is always ready to destroy system files.
Port: 113
Service: Kazimas
Hacker’s Strategy: This is an IRC worm that spreads itself on mIRC channels. It appears as a
milbug_a.exe file, approximately 10 KB in size, and copies itself into the following directories:
· C:\WINDOWS\KAZIMAS.EXE
· C:\WINDOWS\SYSTEM\PSYS.EXE
· C:\ICQPATCH.EXE
· C:\MIRC\NUKER.EXE
· C:\MIRC\DOWNLOAD\MIRC60.EXE
· C:\MIRC\LOGS\LOGGING.EXE
· C:\MIRC\SOUNDS\PLAYER.EXE
· C:\GAMES\SPIDER.EXE
· C:\WINDOWS\FREEMEM.EXE
The program was designed to corrupt mIRC settings and to pass itself on to any user communicating
with an infected target.
Figure 4.15 The Happy 99 fireworks masquerade.
Port: 119
Service: Happy 99
Hacker’s Strategy: Distributed primarily throughout corporate America, this program masquerades
as a nice fireworks display (see Figure 4.15), but in the background, this daemon variation arms an
attacker with system passwords, mail spamming, key logging, DoS control, and backdoor entry.
Port: 121
Service: JammerKillah
Hacker’s Strategy: JammerKillah is a Trojan developed and compiled to kill the Jammer program.
Upon execution, the daemon auto-detects Back Orifice and NetBus, then drops a Back Orifice
server.
Port: 531, 1045
Service: Rasmin
Hacker’s Strategy: This virus was developed in Visual C++, and uses TCP port 531 (normally used
as a conference port). Rumors say that the daemon is intended for a specific action, remaining
dormant until it receives a command from its “master.” Research indicates that the program has
been concealed under the following filenames:
· RASMIN.EXE
· WSPOOL.EXE
· WINSRVC.EXE
· INIPX.EXE
· UPGRADE.EXE
Port: 555, 9989
Service: Ini-Killer, NeTAdmin, phAse Zero (shown in Figure 4.16), Stealth Spy
Hacker’s Strategy: Aside from providing spy features and file transfer, the most important purpose
of these Trojans is to destroy the target system. The only safeguard is that these daemons can infect a
system only upon execution of setup programs that need to be run on the host.
Figure 4.16 Some of the features of the Trojan phAse Zero.
Figure 4.17 Satanz Backdoor front end.
Port: 666
Service: Attack FTP, Back Construction, Cain & Abel, Satanz Backdoor (front end shown in Figure
4.17), ServeU, Shadow Phyre
Hacker’s Strategy: Attack FTP simply installs a stealth FTP server for full-permission file
upload/download at port 666. For Back Construction details, see the Hacker’s Strategy for port 21.
Cain was written to steal passwords, while Abel is the remote server used for stealth file transfer. To
date, this daemon has not been known to self-replicate. Satanz Backdoor, ServeU, and Shadow Phyre
have become infamous for nasty hidden remote-access daemons that require very few system
resources.
Port: 999
Service: WinSatan
Hacker’s Strategy: WinSatan is another daemon that connects to various IRC servers, where the
connection remains even when the program is closed.
Figure 4.18 Silencer was coded for remote resource control.
With some minor investigation, this program will remain running in the background without a trace
on the task manager or as current processes. It seems the software’s only objective is to spread itself,
causing internal congestion and mayhem.
Port: 1001
Service: Silencer, WebEx
Hacker’s Strategy: For WebEx details, see the Hacker’s Strategy documentation for port 21.
Silencer is primarily for resource control, as it has very few features (see Figure 4.18).
Port: 1010-1015
Service: Doly Trojan
Hacker’s Strategy: This Trojan is notorious for gaining complete target remote control (see Figure
4.19), and is therefore an extremely dangerous daemon. The software has been reported to use
several different ports, and rumors indicate that the filename can be modified. Current Registry keys
include the following:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for file tesk.exe.
Figure 4.19 The Doly Trojan control option panel.
Port: 1024, 31338-31339
Service: NetSpy
Hacker’s Strategy: NetSpy (Figure 4.20) is another daemon designed for internal technological
espionage. The software will allow an attacker to spy locally or remotely on 1 to 100 stations.
Remote control features have been added to execute commands, with the following results:
· Shows a list of visible and invisible windows
· Changes directories
· Enables server control
· Lists files and subdirectories
· Provides system information gathering
· Initiates messaging
· Hides the Start button
· Hides the task bar
· Displays an ASCII file
· Executes any Windows or DOS command in stealth mode
Figure 4.20 The NetSpy client program.
Port: 1042
Service: BLA
Hacker’s Strategy: BLA is a remote control daemon with features that include sending ICMP
echoes, target system reboot, and direct messaging (see Figure 4.21). Currently, BLA has been
compiled to instantiate the following Registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\System = "C:\WINDOWS\System\mprdll.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\SystemDoor = "C:\WINDOWS\System\rundll argp1"
Figure 4.21 The BLA Trojan is used to wreak havoc on victims.
Port: 1170, 1509
Service: Psyber Stream Server, Streaming Audio Trojan
Hacker’s Strategy: These daemons were designed for a unique particular purpose: to send
streaming audio to the victim. An attacker with a successful implementation and connection can,
essentially, say or play anything through the target’s speakers.
Port: 1234
Service: Ultors Trojan
Hacker’s Strategy: Ultors is another telnet daemon designed to remotely execute programs and
shell commands, to control running processes, and to reboot or halt the target system. Over time,
features have been added that give the attacker the ability to send messages and display common
error notices.
Figure 4.22 The SubSevenApocalypse.
Port: 1243, 6776
Service: BackDoor-G, SubSeven, SubSevenApocalypse
Hacker’s Strategy: These are all variations of the infamous Sub7 backdoor daemon, shown in
Figure 4.22. Upon infection, they give unlimited access of the target system over the Internet to the
attacker running the client software. They have many features. The installation program has been
spoofed as jokes and utilities, primarily as an executable email attachment. The software generally
consists of the following files, whose names can also be modified:
\WINDOWS\NODLL.EXE
\WINDOWS\SERVER.EXE or KERNEL16.DL or WINDOW.EXE
\WINDOWS\SYSTEM\WATCHING.DLL or LMDRK_33.DLL
Port: 1245
Service: VooDoo Doll
Hacker’s Strategy: The daemon associated with port 1245 is known as VooDoo Doll. This program
is a feature compilation of limited remote control predecessors, with the intent to cause havoc (see
Figure 4.23). The word from the Underground is that malicious groups have been distributing this
Trojan with destructive companion programs, which, upon execution from VooDoo Doll, have been
known to wipe—that is, copy over the target files numerous times, thus making them
unrecoverable—entire hard disks, and in some cases corrupt operating system program files.
Figure 4.23 The VooDoo Doll feature set.
Port: 1492
Service: FTP99CMP
Hacker’s Strategy: FTP99cmp is another simple remote FTP server daemon that uses the following
Registry key:
HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion
\Run – WinDLL_16
Port: 1600
Service: Shivka-Burka
Hacker’s Strategy: This remote-control Trojan provides simple features, such as file transfer and
control, and therefore has been sparsely distributed.
Currently, this daemon does not utilize the system Registry, but is notorious for favoring port 1600.
Port: 1981
Service: Shockrave
Hacker’s Strategy: This remote-control daemon is another uncommon telnet stealth suite with only
one known compilation that mandates port 1981. During configuration, the following Registry entry
is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\RunServices – NetworkPopup
Port: 1999
Service: BackDoor
Hacker’s Strategy: Among the first of the remote backdoor Trojans, BackDoor (shown in Figure
4.24) has a worldwide distribution. Although developed in Visual Basic, this daemon has feature-rich
control modules, including:
Figure 4.24 BackDoor is one of the first remote Trojans.
· CD-ROM control
· CTRL-ALT-DEL and CTRL-ESC control
· Messaging
· Chat
· Task viewing
· File management
· Windows controls
· Mouse freeze
During configuration, the following Registry entry is utilized:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ – notpa
Port: 1999-2005, 9878
Service: Transmission Scout
Hacker’s Strategy: A German remote-control Trojan, Transmission Scout includes numerous nasty
features. During configuration, the following Registry entry is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Run — kernel16
Although this program is sparsely distributed, it has been updated to accommodate the following
controls:
· Target shutdown and reboot
· System and drive information retrieval
· ICQ/email alert
· Password retrieval
· Audio control
· Mouse control
· Task bar control
· File management
· Window control
· Messaging
· Registry editor
· Junk desktop
· Screenshot dump
Port: 2001
Service: Trojan Cow
Hacker’s Strategy: Trojan Cow is another remote backdoor Trojan, with many new features,
including:
· Open/close CD
· Monitor off/on
· Remove/restore desktop icons
· Remove/restore Start button
· Remove/restore Start bar
· Remove/restore system tray
· Remove/restore clock
· Swap/restore mouse buttons
· Change background
· Trap mouse in corner
· Delete files
· Run programs
· Run programs invisibly
· Shut down victims’ PC
· Reboot victims’ PC
· Log off windows
· Power off
During configuration, the following Registry entry is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Run — SysWindow
Port: 2023
Service: Ripper
Hacker’s Strategy: Ripper is an older remote key-logging Trojan, designed to record keystrokes.
Generally, the intent is to copy passwords, login names, and so on. Ripper has been downgraded as
having limited threat potential due to its inability to restart after a shutdown or station reboot.
Figure 4.25 The Bugs graphical user interface.
Port: 2115
Service: Bugs
Hacker’s Strategy: This daemon (shown in Figure 4.25) is another simple remote-access program,
with features including file management and window control via limited GUI. During configuration,
the following Registry entry is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Run — SysTray
Port: 2140, 3150
Service: The Invasor
Hacker’s Strategy: The Invasor is another simple remote-access program, with features including
password retrieval, messaging, sound control, formatting, and screen capture (see Figure 4.26).
Port: 2155, 5512
Service: Illusion Mailer
Figure 4.26 The Invasor feature set.
Hacker’s Strategy: Illusion Mailer is an email spammer that enables the attacker to masquerade as
the victim and send mail from a target station. The email header will contain the target IP address, as
opposed to the address of the attacker, who is actually sending the message. During configuration,
the following Registry entry is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\RunServices – Sysmem
Port: 2565
Service: Striker
Hacker’s Strategy: Upon execution, the objective of this Trojan is to destroy Windows. Fortunately,
the daemon does not stay resident after a target system restart, and therefore has been downgraded to
minimal alert status.
Figure 4.27 WinCrash tools.
Port: 2583, 3024, 4092, 5742
Service: WinCrash
Hacker’s Strategy: This backdoor Trojan lets an attacker gain full remote-access to the target
system. It has been updated to include flooding options, and now has a very high threat rating (see
Figure 4.27).
Port: 2600
Service: Digital RootBeer
Hacker’s Strategy: This remote-access backdoor Trojan is another annoyance generator, with
features including:
· Messaging
· Monitor control
· Window control
· System freeze
· Modem control
· Chat
· Audio control
During configuration, the following Registry entry is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\RunServices – ActiveX Console
Port: 2801
Service: Phineas Phucker
Hacker’s Strategy: This remote-access backdoor Trojan, shown in Figure 4.28, is yet another
annoyance generator, featuring browser, window, and audio control.
Port: 2989
Service: RAT
Hacker’s Strategy: This is an extremely dangerous remote-access backdoor Trojan. RAT was
designed to destroy hard disk drives. During configuration, the following Registry entries are
utilized:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\Explorer=
"C:\WINDOWS\system\MSGSVR16.EXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\RunServices\Default=" "
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\RunServices\Explorer=" "
Figure 4.28 The Phineas Phucker Trojan.
Port: 3459-3801
Service: Eclipse
Hacker’s Strategy: This Trojan is essentially another stealth FTP daemon. Once executed, an
attacker has full-permission FTP access to all files, including file execution, deletion, reading, and
writing. During configuration, the following Registry entry is utilized:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\Rnaapp="C:\WINDOWS\SYSTEM\rmaapp.exe"
Port: 3700, 9872-9875, 10067, 10167
Service: Portal of Doom
Hacker’s Strategy: This is another popular remote-control Trojan whose features are shown in
Figure 4.29, and include:
· CD-ROM control
· Audio control
· File explorer
· Task bar control
· Desktop control
· Key logger
· Password retrieval
· File management
Figure 4.29 Portal of Doom features.
Port: 4567
Service: File Nail
Hacker’s Strategy: Another remote ICQ backdoor, File Nail wreaks havoc throughout ICQ
communities (see Figure 4.30).
Port: 5000
Service: Bubbel
Hacker’s Strategy: This is yet another remote backdoor Trojan, with features similar to those of the
new Trojan Cow, including:
· Messaging
· Monitor control
· Window control
· System freeze
· Modem control
· Chat
· Audio control
· Key logging
· Printing
· Browser control
Figure 4.30 File Nail was coded to crash ICQ daemons.
Port: 5001, 30303, 50505
Service: Sockets de Troie
Hacker’s Strategy: The Sockets de Troie is a virus that spreads itself along with a remote
administration backdoor. Once executed the virus shows a simple DLL error as it copies itself to the
Windows\System directory as MSCHV32.EXE and modifies the Windows registry. During
configuration, the following registry entries are typically utilized:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
\RunLoad MSchv32 Drv = C:\WINDOWS\SYSTEM\MSchv32.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad
Mgadeskdll = C:\WINDOWS\SYSTEM\Mgadeskdll.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunLoad
Rsrcload = C:\WINDOWS\Rsrcload.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\RunServicesLoad Csmctrl32 = C:\WINDOWS\SYSTEM\Csmctrl32.exe
Figure 4.31 Robo-Hack limited feature base.
Port: 5569
Service: Robo-Hack
Hacker’s Strategy: Robo-Hack is an older remote-access backdoor written in Visual Basic. The
daemon does not spread itself nor does it stay resident after system restart. The limited feature base,
depicted in Figure 4.31, includes:
· System monitoring
· File editing
· System restart/shutdown
· Messaging
· Browser control
· CD-ROM control
Figure 4.32 The tHing can upload and execute programs remotely.
Port: 6400
Service: The tHing
Hacker’s Strategy: The tHing is a nasty little daemon designed to upload and execute programs
remotely (see Figure 4.32). This daemon’s claim to fame pertains to its ability to spread viruses and
other remote controllers. During configuration, the following registry entry is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\RunServices – Default
Port: 6912
Service: Shit Heep
Hacker’s Strategy: This is a fairly common Trojan that attempts to hide as your recycle bin. Upon
infection, the system Recycle Bin will be updated (see Figure 4.33). The limited feature modules
compiled with this Visual Basic daemon include:
· Desktop control
· Mouse control
· Messaging
· Window killer
· CD-ROM control
Figure 4.33 System message generated after being infected by Shit Heep.
Port: 6969, 16969
Service: Priority
Hacker’s Strategy: Priority (illustrated in Figure 4.34) is a feature-rich Visual Basic remote control
daemon that includes:
· CD-ROM control
· Audio control
· File explorer
· Taskbar control
· Desktop control
· Key logger
· Password retrieval
· File management
· Application control
· Browser control
· System shutdown/restart
· Audio control
· Port scanning
Figure 4.34 The feature-rich capabilities of Priority.
Port: 6970
Service: GateCrasher
Hacker’s Strategy: GateCrasher is another dangerous remote control daemon as it masquerades as a
Y2K fixer. The software contains almost every feature available in remote backdoor Trojans (see
Figure 4.35). During configuration, the following registry entry is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\RunServices – Inet
Port: 7000
Service: Remote Grab
Hacker’s Strategy: This daemon acts as a screen grabber designed for remote spying. During
configuration, the following file is copied:
\Windows\System\mprexe.exe
Figure 4.35 GateCrasher contains the most common backdoor features.
Port: 7789
Service: ICKiller
Hacker’s Strategy: This daemon was designed to deliver Internet account passwords to the attacker. With a deceptive front-end, the program has swindled many novice hackers, masquerading as a simple ICQ-bomber (see Figure 4.36).
Figure 4.36 ICKiller is a password stealer that masquerades as an ICQ Trojan.
Port: 9400
Service: InCommand
Hacker’s Strategy: This daemon was designed after the original Sub7 series and includes a preconfigurable server module.
Port: 10101
Service: BrainSpy
Hacker’s Strategy: This remote control Trojan has features similar to the most typical file-control daemons; however, upon execution, the program has the ability to remove all virus scan files. During configuration, the following registry entries are utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices – Dualji
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices – Gbubuzhnw
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices – Fexhqcux
Port: 10520
Service: Acid Shivers
Hacker’s Strategy: This remote control Trojan is based on the telnet service for command execution and has the ability to send an email alert to the attacker when the target system is active (see Figure 4.37).
Figure 4.37 Acid Shivers can send alerts to the attacker.
Port: 10607
Service: Coma
Hacker’s Strategy: This is another remote control backdoor that was written in Visual Basic. Its limited features can be deduced from Figure 4.38.
Figure 4.38 The limited features of Coma.
Port: 12223
Service: Hack '99 KeyLogger
Hacker’s Strategy: This daemon acts as a standard key logger with one exception: it has the ability to send the attacker the target system keystrokes in real time (see Figure 4.39).
Figure 4.39 Hack ’99 can send keystrokes in real time.
Port: 12345-12346
Service: NetBus/2/Pro
Hacker’s Strategy: The infamous remote administration and monitoring tool NetBus, now owned by UltraAccess.net, currently includes telnet, HTTP, and real-time chat with the server. For more details, visit www.UltraAccess.net.
Port: 17300
Service: Kuang
Hacker’s Strategy: This is a Trojan/virus mutation of a simple password retriever that delivers the captured passwords via SMTP.
Port: 20000-20001
Service: Millennium
Hacker’s Strategy: Millennium is another very simple Visual Basic Trojan with remote control features that have recently been updated to include:
· CD-ROM control
· Audio control
· File explorer
· Taskbar control
· Desktop control
· Key logger
· Password retrieval
· File management
· Application control
· Browser control
· System shutdown/restart
· Port scanning
During configuration, the following registry entry is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices – millennium
Port: 21544
Service: GirlFriend
Hacker’s Strategy: This is another very common remote password retrieval Trojan. Recent compilations include messaging and FTP file access. During configuration, the following registry entry is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices – Windll.exe
Port: 22222, 33333
Service: Prosiak
Hacker’s Strategy: Again, another common remote control Trojan with standard features including:
· CD-ROM control
· Audio control
· File explorer
· Taskbar control
· Desktop control
· Key logger
· Password retrieval
· File management
· Application control
· Browser control
· System shutdown/restart
· Port scanning
During configuration, the following registry entry is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices – Microsoft DLL Loader
Port: 30029
Service: AOL Trojan
Hacker’s Strategy: The AOL Trojan infects DOS .EXE files. It can spread through local LANs, WANs, the Internet, or email. When the program is executed, it immediately infects other programs.
Port: 30100-30102
Service: NetSphere
Hacker’s Strategy: This is a powerful and extremely dangerous remote control Trojan with features such as:
· Screen capture
· Messaging
· File explorer
· Taskbar control
· Desktop control
· Chat
· File management
· Application control
· Mouse control
· System shutdown/restart
· Audio control
· Complete system information
During configuration, the following registry entry is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices – nssx
Port: 1349, 31337-31338, 54320-54321
Service: Back Orifice
Hacker’s Strategy: This is the infamous and extremely dangerous Back Orifice daemon, whose worldwide distribution inspired the development of many Windows Trojans. What is unique about this software is that it communicates with encrypted UDP packets instead of TCP, which makes it much more difficult to detect. What’s more, the daemon also supports plug-ins that add many more features. During configuration, the following registry entry is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices – bo
Port: 31785-31792
Service: Hack’a’Tack
Hacker’s Strategy: This is yet another disreputable remote control daemon with wide distribution. As illustrated in Figure 4.40, Hack’a’Tack contains all the typical features. During configuration, the following registry entry is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices – Explorer32
Figure 4.40 Hack‘a’Tack features.
Port: 33911
Service: Spirit
Hacker’s Strategy: This well-known remote backdoor daemon includes a very unique destructive feature, monitor burn. It constantly resets the screen’s resolution, and rumors indicate an update that changes the refresh rates as well. During configuration, the following registry entry is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices – SystemTray = "c:\windows\windown.exe"
Port: 40412
Service: The Spy
Hacker’s Strategy: This daemon was designed as a limited key logger. The Spy only captures keystrokes in real time and, as such, does not save logged keys while offline. During configuration, the following registry entry is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices – systray
Port: 47262
Service: Delta Source
Hacker’s Strategy: This daemon was designed in Visual Basic and was inspired by Back Orifice. As a result, Delta Source retains the same features as BO. During configuration, the following registry entry is utilized:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices – Ds admin tool
Port: 65000
Service: Devil
Hacker’s Strategy: Devil is an older French Visual Basic remote control daemon that does not
remain active after a target station restart. The limited feature base, as shown in Figure 4.41, consists
of messaging, system reboot, CD-ROM control, and an application killer.
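The port numbers and RunServices value names catalogued above are exactly the kind of indicators a first-pass host check can key on. The script below is an added example, not code from the book: it transcribes the catalogue into two lookup tables and runs them over a constructed Windows netstat listing and a constructed .reg export of the Run and RunServices keys. The sample lines and the executable paths in them (such as nssx.exe) are made up for illustration; the tHing's "Default" value is treated as the key's (Default) value, which .reg exports write as @=.

```python
"""Added example: flag Trojan indicators from the port/RunServices catalogue
above in netstat output and a .reg export. The samples below are constructed."""
import re

# Default listening port -> Trojan, transcribed from the catalogue above.
TROJAN_PORTS = {
    6400: "The tHing", 6912: "Shit Heep", 6969: "Priority", 16969: "Priority",
    6970: "GateCrasher", 7000: "Remote Grab", 7789: "ICKiller", 9400: "InCommand",
    10101: "BrainSpy", 10520: "Acid Shivers", 10607: "Coma",
    12223: "Hack '99 KeyLogger", 12345: "NetBus", 12346: "NetBus", 17300: "Kuang",
    20000: "Millennium", 20001: "Millennium", 21544: "GirlFriend",
    22222: "Prosiak", 33333: "Prosiak", 30029: "AOL Trojan",
    30100: "NetSphere", 30101: "NetSphere", 30102: "NetSphere",
    1349: "Back Orifice", 31337: "Back Orifice", 31338: "Back Orifice",
    54320: "Back Orifice", 54321: "Back Orifice", 33911: "Spirit",
    40412: "The Spy", 47262: "Delta Source", 65000: "Devil",
}
for _p in range(31785, 31793):          # Hack'a'Tack uses the range 31785-31792
    TROJAN_PORTS[_p] = "Hack'a'Tack"

# RunServices value name (lower-cased) -> Trojan, from the catalogue above.
RUNSERVICES_NAMES = {
    "default": "The tHing", "inet": "GateCrasher",
    "dualji": "BrainSpy", "gbubuzhnw": "BrainSpy", "fexhqcux": "BrainSpy",
    "millennium": "Millennium", "windll.exe": "GirlFriend",
    "microsoft dll loader": "Prosiak", "nssx": "NetSphere", "bo": "Back Orifice",
    "explorer32": "Hack'a'Tack", "systemtray": "Spirit", "systray": "The Spy",
    "ds admin tool": "Delta Source",
}

RUNSERVICES_KEY = r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]"

# "  TCP    0.0.0.0:12345   0.0.0.0:0   LISTENING" / "  UDP   0.0.0.0:31337   *:*"
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")
# "name"="data"  or  @="data" for the key's (Default) value
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)="(.*)"$')


def scan_netstat(text):
    """Return (proto, port, trojan) for local ports in the catalogue.
    Only TCP sockets in LISTENING state and bound UDP sockets count, since the
    catalogue lists the ports the Trojan servers listen on."""
    hits = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if proto == "TCP" and state != "LISTENING":
            continue
        trojan = TROJAN_PORTS.get(port)
        if trojan:
            hits.append((proto, port, trojan))
    return hits


def scan_runservices(text):
    """Return (value name, data, trojan) for RunServices values whose name is in
    the catalogue. Values under other keys (e.g. ...\\Run) are ignored."""
    hits = []
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                   # a new key header
            in_key = line.lower() == RUNSERVICES_KEY.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if not m:
            continue
        name = m.group(1) or "Default"
        data = m.group(2).replace("\\\\", "\\")    # .reg files double backslashes
        trojan = RUNSERVICES_NAMES.get(name.lower())
        if trojan:
            hits.append((name, data, trojan))
    return hits


# Constructed netstat -a output (not real capture data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1039      192.168.1.1:6969       ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""

# Constructed .reg export; the nssx.exe path is invented for illustration.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="c:\\windows\\windown.exe"
"nssx"="C:\\WINDOWS\\SYSTEM\\nssx.exe"
'''

if __name__ == "__main__":
    for hit in scan_netstat(SAMPLE_NETSTAT):
        print("port   :", hit)
    for hit in scan_runservices(SAMPLE_REG):
        print("registry:", hit)
```

Two caveats apply when using tables like these. The ports are defaults and most of these servers are configurable (InCommand, above, ships a preconfigurable server module), so a clean port scan proves nothing. And some of the value names collide with legitimate entries: a SystemTray value is normal under the Run key of a Windows 9x system, so a name match under RunServices should be confirmed against the data, which for Spirit the catalogue gives as c:\windows\windown.exe.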