The AntiOnline Newbie FAQ

 

Assembled by: Simon Templer

 

“I am still learning” – Michelangelo’s Motto

 

About This Paper: This document’s purpose is to provide new members of AntiOnline (AO) with a source of answers to commonly asked questions on the AntiOnline Security Forum, and to reduce the amount of redundant information posted on the forums. The information contained within this FAQ is an assemblage of posts by AntiOnline members and original writing of my own.

 

Furthermore, this assemblage is not a “How-To”; this FAQ follows the teaching of an old Chinese Proverb:

 

“Give a man a fish, you have fed him for a day…Teach a man to fish and you have fed him for a lifetime.” - Chinese Proverb

 

 


Outline of Information:

 

Introduction (A post by AO Member: KapperDog)

 

>> General Security Questions

 

1. PORTS

            A. What are Ports?

            B. What are Common Ports?

            C. What are ports commonly used by Trojans?

            D. Where can I find more information on Ports?

 

2. IP ADDRESSES

            A. What are IP Addresses? And How do I find a person's IP Address?

            B. Where can I find more information on IP Addresses?

 

3. SUBNETS

            A. What is a Subnet?

 

4. IP SPOOFING

            A. What is IP Spoofing?

            B. Where can I find more information on IP Spoofing?

 

5. FIREWALL SOFTWARE

            A. What is a Firewall?

            B. Where do I get a Firewall?

            C. What are some recommended Firewall Programs?

 

6. PROTOCOLS

            A. What is a Protocol?

            B. Where Can I find information on Common Protocols?

                        1. TCP/IP

                        2. IPX/SPX

                        3. UDP

                        4. HTTP

                        5. FTP

                        6. NETBIOS

 

7. TROJANS

            A. What are Trojans?

            B. Where do I get Trojans?

            C. How do I remove Trojans from my computer?

            D. How can I protect myself from Trojans?

 

8. EXPLOITS

            A. What are Exploits?

            B. Where can I find information on Exploits?

 

>> Security Questions Regarding Software and Tools

 

1. DOS COMMANDS

            A. What is the NETSTAT Command and How do I use it?

            B. What is the NET Command and How do I use it?

            C. What is the NBTSTAT Command and How do I use it?

            D. What is the FTP Command and How do I use it?

            E. What is the TELNET Command and How do I use it?

            F. What is the PING Command and How do I use it?

            G. What is the TRACERT Command and How do I use it?

 

2. NETWORK TOOLS

            A. Port Scanners

                        1. What is a Port Scanner?

                        2. Where can I get a Port Scanner?

            B. IP Scanners

                        1. What is an IP Scanner?

                        2. Where can I get an IP Scanner?

            C. Sniffers

                        1. What is a Network Sniffer?

                        2. Where can I get a Sniffer?

            D. NetBios Scanners

                        1. What is a NetBios Scanner?

                        2. Where can I get a NetBios scanner?

            E. Key Loggers

                        1. What is a KeyLogger?

                        2. Where can I get a KeyLogger?

            F. Intrusion Detection Systems

                        1. What is an IDS?

                        2. Where can I download IDS programs?

 

 

>> Programming Questions

 

1. How do I get started in Programming?

 

2. What Programming Language should I learn?

 

3. Where can I find online resources for Programming?

 

>> Available Online Resources

 

1. SECURITY RESOURCES

            A. Advisory Sites

            B. Hacker Sites

            C. Exploit Information Sites

            D. Trojan Information Sites

 

2. FIREWALL RESOURCES

 

3. ANTIVIRUS RESOURCES

 

4. ENCRYPTION RESOURCES

 

5. ANONYMITY RESOURCES

 

6. SPYWARE RESOURCES

 

7. OPERATING SYSTEM RESOURCES

            A. MS-DOS

            B. MS Windows

            C. Linux

            D. BSD

 

8. PROGRAMMING RESOURCES



INTRODUCTION: (A Post By AO Member: KapperDog)

 

First of all, welcome to AntiOnline.

 

AntiOnline is a forum for discussion of technical security issues.

 

Most of the regular contributors here concentrate on the practice of PREVENTING hackers from entering your system and doing damage, not hacking into others.

 

If you ask questions like, "How do I hack into my school's computer" or "How do I hack into Hotmail", you will most likely receive a "Negative" response.

 

If you came here to learn how to hurt other people or to engage in illegal activities, don't expect a lot of help.

 

If you must be malicious, go here (http://warex.box.sk/howto/netbioshack.htm) and follow the instructions. Then go here (http://www.bo2k.com/) and learn about Trojans. You'll be reformatting someone’s drive by nightfall.

 

That's it. Unless you are willing to spend a lot of time reading and learning, your hacking abilities are going to end there.

 

On the other hand, if you are willing to spend some time and put forth an effort to learn, you will find this a very helpful and friendly site.

 

For starters, here are a couple tutorials:

 

The Happy Hacker (http://www.happyhacker.org/gtmhh/index.shtml) provides some entertaining and easy to understand information.

 

Here is another nice tutorial called Digital Voodoo (http://home.cyberarmy.com/tcu/dv.html)

 

There have been some excellent posts made here by some of the members. If you have a specific question, go here (http://www.antionline.com/search.php?s=) to search the forums. Your question may have already been answered before.

 

Most of all, enjoy yourself and remember.... hacking is not about hurting other people or destroying someone’s data. It's about the computer, how it works and why it does the things that it does.

 

The computer is a miracle of the modern age. A blessing that should be treated as such. A hobby that will never end and can provide you with a lifetime of enjoyment.

 

Enter the computer with patience and understanding and it will return the same. Enter with evil and deception and you will eventually receive your just reward. If you don't feel this way, I believe you may be at the wrong site.

 

Anyway, welcome to AntiOnline and welcome to the world of computers. I hope they are both as rewarding to you as they have been for me.

 

 


SECTION 1: GENERAL SECURITY QUESTIONS

 

Part 1: PORTS

Q. - What are Ports?

A. - A port is a 16-bit number, from 0 to 65,535, carried in the header of every TCP segment and UDP datagram. The IP address gets a packet to the right host; the port gets it to the right application on that host, so one machine can run a web server, a mail server and a DNS server at the same time and each receives only its own traffic. A port is therefore a logical endpoint inside the operating system, not a physical connector. (Nortel Networks, 4-17)

 

           

Q. - What are Common Ports?

A. - Common ports, also known as “Well Known Ports”, are ports 0 to 1023, which IANA reserves for standard services. Ports 1024 to 49151 are “registered” ports, and 49152 to 65535 are dynamic (ephemeral) ports that a client picks for its own end of a connection. Examples of well-known ports are as follows:

Echo (7)
Daytime (13)
FTP (21 for commands; the server also uses 20 for data)
Telnet (23)
SMTP (25)
Time (37)
DNS (53, UDP and TCP)
TFTP (69, UDP)
Finger (79)
HTTP/WWW (80)
POP3 (110)
NetBIOS (137/udp name service, 138/udp datagram, 139/tcp session)
IMAP (143)
SNMP (161, UDP)

A well-known port is only a convention. Nothing stops an administrator from running a web server on port 8080, or an intruder from running something else on port 80; the port number tells you what a service is supposed to be, while the banner or the process bound to the port tells you what it actually is.

           

Q. - What are ports commonly used by Trojans?

A. – There are numerous Trojans that plague computer users, and each has a default port it commonly listens on (for example the old NetBus on 12345 and SubSeven on 1243, both mentioned later in this FAQ). Treat such lists as hints only: most Trojans let the attacker choose any port, and a legitimate program may happen to use a “Trojan” port, so confirm which program owns a suspicious listening port before removing anything. Lists of common ports used by Trojans can be found here:

            http://www.simovits.com/nyheter9902.html

http://www.globalframe.f2s.com/html/port.htm

 

Q. - Where can I find more information on Ports?

A. - The Internet Assigned Numbers Authority (IANA) maintains the registry of port numbers and the services assigned to them; this information can be found here:

http://www.iana.org/assignments/port-numbers

 

Other Sources:

http://advice.networkice.com/Advice/Exploits/Ports/default.htm

http://grc.com/su-ports.htm (Contributed by AO Member: briareus)

            http://www.globalframe.f2s.com/html/port.htm

 

Part 2: IP ADDRESSES

            Q. What are IP Addresses?

            A. Tutorial: IP Addresses: What are they and how do I find them?

            (Contributed by AO Member: zxtech)

Over the last few days I have seen a lot of posts asking how to get an IP address. Well, basically you can't just pull anybody’s IP address you want off the net. So I will explain what an IP address is and how to find them.

 

1) IP ADDRESS STRUCTURE:

 

Every station on a PSN (packet switched network) that is based on the TCP/IP protocol (your computer is one, for example. Yes, we're referring to a host that is connected to the net) must have an IP address, so it can be identified, and information can be relayed and routed to it in an orderly fashion.

 

An IP address consists of a 32 bit logical address. The address is divided into two fields:

 

1) The network address:

Assigned by InterNIC (Internet Network Information Center).

In fact most ISPs (internet service providers) purchase a number of addresses and assign them individually.

 

2) The host address:

An address that identifies a single node throughout the network, it can be assigned either by the network manager, by using protocols such as DHCP, or by the workstation itself.

(The IP networking protocol is a logically routed protocol, meaning that address 192.43.54.2 will be on the same physical wire as address 192.43.54.3. Of course this is not always true. It depends on the subnet mask of the network, but all of that can fill a text of its own.)

 

IP address structure:

 

---.---.---.---
 ^           ^
 |           |
 network     host

Every " --- " = 8 bits.

The first bits ===> network address.

The last bits ===> host address.

 

With 8 bits you can represent numbers ranging from 0-255. (Binary= (2 to the power of 8)-1)

 

Example:

11000010.01011010.00011111.01001010 (binary)

194.90.31.74 (decimal)

 

IP Address Classes:

We can classify IP addresses into 5 groups. You can distinguish them by comparing the "High Order" bits (the first four bits on the left of the address):

 

(N = Network, H = Host)

 

Notice the address range 127.X.X.X.

These addresses are assigned for internal use for the network device, and are used as an application tool only. For example: 127.0.0.1, the most common one, is called the loopback address (everything sent here goes directly back to you without even traveling out on the wire).

Also, some IPs are reserved for VPNs (Virtual Private Networks). These are local area networks over wide area networks that use the Internet Protocol to communicate, and each computer inside the network is assigned with an IP address. So, suppose a certain computer wants to send a data packet to another host on the network with the IP 'x', but there's also another host on the Internet that has the same IP - what happens now? So this is why you cannot use these and other forms of reserved IPs on the Internet.

 

Distinguishing different groups:

 

You have to compare the first byte on the left in the address as follows:

 

Type | First byte (decimal) | High-order bits (MSB)
-----+----------------------+----------------------
 A   | 1-127                | 0
 B   | 128-191              | 10
 C   | 192-223              | 110
 D   | 224-239              | 1110
 E   | 240-254              | 1111

 

 

Multicast: (copied from RFC 1112)

IP multicasting is the transmission of an IP datagram to a "host group", a set of zero or more hosts identified by a single IP destination address. A multicast datagram is delivered to all members of its destination host group with the same "best-efforts" reliability as regular unicast IP datagrams, i.e., the datagram is not guaranteed to arrive intact at all members of the destination group or in the same order relative to other datagrams.

 

The membership of a host group is dynamic; that is, hosts may join and leave groups at any time. There is no restriction on the location or number of members in a host group. A host may be a member of more than one group at a time. A host need not be a member of a group to send datagrams to it.

 

A host group may be permanent or transient. A permanent group has a well-known administratively assigned IP address. It is the address, not the membership of the group that is permanent; at any time a permanent group may have any number of members, even zero. Those IP multicast addresses that are not reserved for permanent groups are available for dynamic assignment to transient groups which exist only as long as they have members.

 

InterNetwork forwarding of IP multicast datagrams (IP packets) is handled by "multicast routers" which may be co-resident with, or separate from, Internet gateways. A host transmits an IP multicast datagram as a local network multicast which reaches all immediately neighboring members of the destination host group. If the datagram has an IP time-to-live greater than 1, the multicast router(s) attached to the local network take responsibility for forwarding it towards all other networks that have members of the destination group. On those other member networks that are reachable within the IP time-to-live, an attached multicast router completes delivery by transmitting the datagram (IP packet) as a local multicast.

 

*If you don’t understand the above, do not worry; it is complicated and dry, but reread it, and read it again. Get a dictionary if it helps.

Hacking is not easy.

 

MSB: Most Significant Bit:

In set numbers the first number on the left is the most important because it holds the highest value as opposed to the LSB=> least significant bit, it always holds the smallest value.

 

2) IP and port Info using Netstat

 

Use of Netstat

 

To open Netstat, click the [Start] button, then click [Programs], then look for [MS-DOS Prompt].

Netstat is a very helpful tool that has many uses. I personally use Netstat to get IP addresses from other users I'm talking with on ICQ or AIM. Also you can use Netstat to monitor your port activity for attackers sending SYN requests (part of the TCP/IP 3-way handshake) or just to see what ports are listening/established. Look at the example below for the average layout of a response to typing Netstat at the C:\windows\ prompt.

~~~~~~~~~~~~~~~~~~~~

C:\WINDOWS>netstat

 

Active Connections

 

Proto  Local Address     Foreign Address                     State

TCP    pavilion:25872    WARLOCK:1045                        ESTABLISHED

TCP    pavilion:25872    sy-as-09-112.free.net.au:3925       ESTABLISHED

TCP    pavilion:31580    WARLOCK:1046                        ESTABLISHED

TCP    pavilion:2980     205.188.2.9:5190                    ESTABLISHED

TCP    pavilion:3039     24.66.10.101.on.wave.home.com:1031  ESTABLISHED

~~~~~~~~~~~~~~~~~~~

Now look above at the example. You will see [Proto] on the top left. This just tells you if the protocol is TCP/UDP etc. Next to the right you will see [Local Address]; this just tells you the local IP/Hostname:Port open. Then to the right once again you will see [Foreign Address]; this will give you the person's IP/Hostname and port in the format IP:Port, with ":" between the IP and the port.

And at last you will see [State], which simply states the STATE of the connection.

This can be ESTABLISHED if it is connected, or LISTENING if it is waiting for a connection.

Now with this knowledge we will dive deeper into how to use this for monitoring port activity and detecting open ports in use.

 

Detecting Open Ports:

 

So you are noticing something funny is going on with your computer? Your CD-ROM tray is going crazy, opening and closing when you're doing nothing. And you say, “What the phruck is going on?”, or you realize someone’s been messing with a Trojan on your computer.

So now your goal is to locate what Trojan it is so you can remove it, right? Well, you're right. So you go to your MS-DOS prompt. Now there are many ways to use Netstat, and below is a help menu. Look through it.

~~~~~~~~~~~~~~~~~~~~

C:\WINDOWS>netstat ?

 

Displays protocol statistics and current TCP/IP network connections.

 

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

 

-a Displays all connections and listening ports.

-e Displays Ethernet statistics. This may be combined with the -s option.

-n Displays addresses and port numbers in numerical form.

-p proto Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.

-r Displays the routing table.

-s Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.

interval - Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.

~~~~~~~~~~~~~~~~~~~~~

I personally like using (C:\Windows\Netstat -an), which displays all connections and listening ports in the form of IP instead of hostname. See how I did the command:

Netstat (space) -a (displays all connections and listening ports) n (in numerical form)

Netstat -an - so doing that does TWO of the options at once, no need for -a -n. So now that you know how to use netstat to view all your connections and listening ports, you can search for common ports like 12345 (old NetBus Trojan), 1243 (SubSeven) etc.

 

SYN and ACK

 

When you hear SYN and ACK (ACKnowledge) you do not think of the communication of packets on your system. Well, let me tell you what SYN and ACK do.

[SYN] - SYN, in common words, is a request for a connection used in the 3-way handshake in TCP/IP. Once you send a SYN out for a connection, the target computer will reply with a SYN and ACK. So basically when you see SYN in the [State] category, that means you are sending out a request to connect to something.

[ACK] - Now the ACK is an ACKnowledgement of the request made by a computer that is trying to connect to you. Once a SYN is sent to you, you need to ACK it, then send back another SYN to the computer requesting the connection to confirm the packet sent was correct.

 

Using Netstat for ICQ and AIM

 

Have you ever wanted to get someone’s IP address or hostname using [AOL Instant Messenger] or [ICQ]? Well, you're in luck.

[AIM] - With AIM you can not usually find the exact IP address without some trial and error, because most of the time it seems to open up all online users on port 5190. So the fewer users online, the easier it is. So go to the MS-DOS prompt and type netstat -n; here you will see under [Foreign Addresses] an IP with port 5190. Now one of those IPs connected to you with 5190 is going to be your target AIM user. Just use trial and error to find out; it is usually the easiest way.

[ICQ] - Getting the IP of an ICQ user using netstat is easy. Before talking to the person on ICQ you must open the MS-DOS prompt and do netstat -n to list all IPs and ports. Write them down or copy them somewhere you will remember to look back. Now it's time to find out his IP. Message the user with a single message, now quickly do netstat -n, and you will have a new added line with an IP address. Just search for the new one on the list under foreign, and once you find it you now have your buddy's IP.

 

Other Uses

 

Netstat can be used to get IPs of anything and anyone, as long as there's a direct connection between you and the target (i.e. direct messages, file transfers or ICQ chats in ICQ, DCC (Direct Client Connection) chat and file transfers in IRC etc').

 

[Edited by Simon Templer]
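The netstat reading the post above walks through by hand can be automated. The following is an added example, not code from the original post: it parses the text that `netstat -an` prints, lists the ports the host is listening on, flags the two old Trojan default ports the FAQ names (12345 and 1243), and diffs two snapshots to find a newly connected peer, which is the ICQ trick described above in general form. The sample listing inside the block is constructed in the style of the Windows output shown above; it is not a real capture, and the port-to-Trojan table is only a hint, since any program can listen on any port.

```python
"""Added example (not part of the original post): parse `netstat -an`
output, list listening ports, flag old Trojan default ports named in the
FAQ, and diff two snapshots to spot a newly connected peer. The sample
listing below is constructed for the demonstration, not captured."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Default ports the FAQ mentions for two old Trojans. A port number is only a
# hint: any program can listen on any port, so confirm which process owns the
# socket before deciding it is a Trojan.
SUSPECT_PORTS: Dict[int, str] = {12345: "NetBus (old default)", 1243: "SubSeven (old default)"}

# proto, local host:port, foreign host:port, optional state (UDP has none)
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Conn:
    proto: str
    local_host: str
    local_port: int
    foreign_host: str
    foreign_port: str        # "*" for an unconnected UDP socket
    state: Optional[str]     # netstat prints no state column for UDP


def parse_netstat(text: str) -> List[Conn]:
    """Turn netstat output into Conn records, skipping headers and blank lines."""
    conns = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, lhost, lport, fhost, fport, state = m.groups()
        conns.append(Conn(proto, lhost, int(lport), fhost, fport, state))
    return conns


def listening_ports(conns: List[Conn]) -> List[Tuple[str, int]]:
    """Ports on which this host accepts traffic: TCP sockets in LISTENING
    state and every bound UDP socket (UDP has no connection state)."""
    open_ports = {(c.proto, c.local_port) for c in conns
                  if c.proto == "UDP" or c.state == "LISTENING"}
    return sorted(open_ports)


def suspect_listeners(conns: List[Conn]) -> Dict[int, str]:
    """Listening ports that match the FAQ's Trojan defaults, keyed by port."""
    return {port: SUSPECT_PORTS[port] for _proto, port in listening_ports(conns)
            if port in SUSPECT_PORTS}


def new_peers(before: str, after: str) -> Set[str]:
    """Foreign host:port pairs ESTABLISHED in the second snapshot but not the
    first. A connection through a relay (the AIM server on port 5190 in the
    post's listing) shows the relay's address, not the other user's; only a
    direct connection reveals the peer."""
    def peers(text: str) -> Set[str]:
        return {f"{c.foreign_host}:{c.foreign_port}" for c in parse_netstat(text)
                if c.proto == "TCP" and c.state == "ESTABLISHED"}
    return peers(after) - peers(before)


# Constructed sample in the style of `netstat -an` on Windows.
BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1032       205.188.2.9:5190       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""
# The same host a moment later, after a direct chat connection arrived.
AFTER = BEFORE + "  TCP    192.168.1.5:1033       24.66.10.101:1031      ESTABLISHED\n"

if __name__ == "__main__":
    conns = parse_netstat(AFTER)
    print("listening:", listening_ports(conns))
    print("suspect:", suspect_listeners(conns))
    print("new peers:", new_peers(BEFORE, AFTER))
```

Run it as is and it reports port 12345 as a suspect listener and 24.66.10.101:1031 as the peer that appeared between the two snapshots. On any modern Windows, `netstat -ano` adds the owning process ID, which is the check to make before treating a port number as evidence.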

 

            Q. - Where can I find more information on IP Addressing?

A. - If you are interested in learning more about IP Addressing, visit the following online sources:

            http://www.rfc-editor.org/index.html

 

            Other Sources:

            http://www.geocities.com/pharmicomlabs (Security Library > Protocols)

 

Part 3: SUBNETS

            Q. - What is a Subnet?

            A. - Tutorial: Subnet Masks

            (Contributed by AO Member: Terr)

I will assume people know about BINARY NOTATION, because I don't want to have to write that part all out again.

 

A subnet mask often looks curiously akin to an IP address, but they are different things. A subnet mask lets your computer figure out which addresses are local, or near you, in your office, for instance, and which ones are outside.

 

----------------------------Code------------------------------------------------

Common masks are:

255.255.0.0 and 255.255.255.0

 

Which, in binary, are:

11111111.11111111.00000000.00000000

And

11111111.11111111.11111111.00000000

 

Respectively.

--------------------------------------------------------------------------------

 

The computer compares the mask to the destination IP addresses, such as:

 

207.220.12.23 = 11001111.11011100.00001100.00010111

Or

199.217.30.90 = 11000111.11011001.00011110.01011010

 

And your own IP, such as:

199.217.30.84 = 11000111.11011001.00011110.01010100

 

--------------------------------Code------------------------------------------

IP 1    11001111.11011100.00001100.00010111   (207.220.12.23)

IP 2    11000111.11011001.00011110.01011010   (199.217.30.90)

YOUR IP 11000111.11011001.00011110.01010100   (199.217.30.84)

Mask    11111111.11111111.11111111.00000000   (255.255.255.0)

--------------------------------------------------------------------------------

So it takes your IP, and takes away all the digits in your IP which correspond to digits that are 0's in the mask, and then does the same thing with the destination IP, leaving:

 

--------------------------------Code:------------------------------------------------

Yours:

11000111.11011001.00011110.-------

Destination 1:

11001111.11011100.00001100.-------

Destination 2:

11000111.11011001.00011110.-------

--------------------------------------------------------------------------------

 

It then compares yours and the destination. If they match, then it knows you are sending to a computer that is on your LAN, and if they don't, it knows that the destination could be halfway across the world. In the above example, IP #1 is not local, and IP #2 is local.

 

The tricky part comes when you have a subnet mask that is NOT just 255s and zeros, such as

 

-------------------------Code-------------------------------------------------------

MASK = 255.255.252.0 = 11111111.11111111.11111100.00000000

--------------------------------------------------------------------------------

 

Can you see the difference?

 

Lets whip up a new set of IP addresses.

 

 

-------------------------Code-------------------------------------------------------

IP 1    11000111.11011001.10101110.00000011   (199.217.174.3)

IP 2    11000111.11011001.00011011.01001010   (199.217.27.74)

IP 3    11000111.11011001.00011111.01001010   (199.217.31.74)

YOUR IP 11000111.11011001.00011110.01010100   (199.217.30.84)

MASK    11111111.11111111.11111100.00000000   (255.255.252.0)

--------------------------------------------------------------------------------

 

So, running all of these through the mask, we get:

 

------------------------Code--------------------------------------------------------

IP 1    11000111.11011001.101011--.--------   (199.217.174.3)

IP 2    11000111.11011001.000110--.--------   (199.217.27.74)

IP 3    11000111.11011001.000111--.--------   (199.217.31.74)

YOUR IP 11000111.11011001.000111--.--------   (199.217.30.84)

--------------------------------------------------------------------------------

 

As you can clearly see, only IP #3 is the same as your own IP, IP's #1 and #2 are *SLIGHTLY* different, but different enough to be non-local. As I hint, I'd say the most important thing to know about subnet masks is that 255.255.252.0 is ONLY shorthand for:

11111111.11111111.11111100.00000000

 

Just because the number has 252, doesn't mean you get ((255 - 0) * (255 - 252)) = 765 addresses that are local; with 11111111.11111111.11111100.00000000 you get ten binary digits for the host, or 1024 local addresses!

 

Some people may also have heard of or use CIDR, which shows addresses and their masks like this: (Using previous example)

 

199.217.30.84 / 22

Which means that the FIRST 22 DIGITS of the mask are 1s, and the last 10 are zeros. So it is like saying:

Address 199.217.30.84, subnet mask 11111111.11111111.11111100.00000000

(The first 22 digits are ones.)

 

Anyway, I hope that helps, and correct me if I made a mistake, I don't deal with this stuff for a living or anything. Shout outs to UltraEdit, for letting me actually write this thing out again without worrying about losing it on the web 

 

[Edited by: Simon Templer]

 

Additional Information by AO Member: BOFH

 

That’s a great post on subnetting; here is a little snippet on Supernetting:

 

Officially, supernetting is the term used when multiple network addresses of the same Class are combined into blocks. If the IP networks are contiguous, you may be able to use a Supernet. If the IP networks are not contiguous, you will need to use sub-interfaces. These are not currently supported on Compatible Systems routers but are supported on routers from Cisco Systems.

 

A prerequisite for supernetting is that the network addresses be consecutive and that they fall on the correct boundaries. To combine two Class C networks, the first address' third octet must be evenly divisible by 2. If you would like to supernet 8 networks, the mask would be 255.255.248.0 and the first address' third octet needs to be evenly divisible by 8. For example, 198.41.15.0 and 198.41.16.0 could NOT be combined into a supernet, but you would be able to combine 198.41.18.0 and 198.41.19.0 into a supernet.

 

An IP address is a 32-bit number (4 bytes, called "octets", separated by periods, commonly called "dots.") Supernetting is most often used to combine Class C addresses (the first octet has values from 192 through 223). A single Class C IP network has 24 bits for the network portion of the IP address, and 8 bits for the host portion of the IP address. This gives a possibility of 256 hosts within a Class C IP network (2^8=256).

 

The subnet mask for a Class C IP network is normally 255.255.255.0. To use a supernet, the number of bits used for the subnet mask is REDUCED. For example, by using a 23-bit mask (255.255.254.0 -- 23 bits for the network portion of the IP network, and 9 bits for the host portion), you effectively create a single IP network with 512 addresses. Supernetting, or combining blocks of IP networks, is the basis for most routing protocols currently used on the Internet.

 

[Edited By: Simon Templer]

 

Additional Information by AO Member: Negative

 

 Here is one of Terrs examples explained using logical operators...

 

1. Logical Operator AND

 

The logical expression X AND Y (X && Y) is only true (1) when X is true (1) AND Y is true (1).

X | Y | X AND Y
0 | 0 | 0
1 | 0 | 0
0 | 1 | 0
1 | 1 | 1

 

2. Logical Operator OR

 

The logical expression X OR Y (X || Y) is true if X is true OR Y is true.

X | Y | X OR Y
0 | 0 | 0
1 | 0 | 1
0 | 1 | 1
1 | 1 | 1

 

3. Logical Operator NOT (!)

X | NOT X
0 | 1
1 | 0

 

Pretty easy, no?

And now, exclusively for AntiOnline! An exercise!

 

Is this true?

--> NOT ((8 > 6 AND 4 > 3) AND (2 < 4 OR 6 < 5))

 

Nope, it's not, because:

1. 2 < 4 OR 6 < 5: this one is true

1 0 1

 

2. 8 > 6 AND 4 > 3: this one is true

1 1 1

 

3. 1 (from 1.) AND 1 (from 2.): true

 

4. NOT 1 (from 3.): 0, or false.

 

Now, using this in Terr's examples, we'd get something like this:

(Sorry for editing, Terr)

 

Let's take this one:

 

IP 1 - 11000111.11011001.10101110.00000011 (199.217.174.3)

 

MASK - 11111111.11111111.11111100.00000000 (255.255.252.0)

 

---------------------Code----------------------------------------------------

11000111.11011001.10101110.00000011  (IP 1)

11111111.11111111.11111100.00000000  (MASK)

11000111.11011001.10101100.00000000  (Masked IP)

--------------------------------------------------------------------------------

 

Not as easy to understand as Terr's method, but this is how it actually is calculated...

 

[Edited By: Simon Templer]
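The three posts above (Terr's masking, BOFH's supernetting and Negative's AND) describe one piece of arithmetic. The block below is an added example, not code from any of those posts: it performs the same AND a host performs, converts between a CIDR prefix and a dotted mask, decides which of Terr's example addresses are local, classifies an address from its high-order bits as in zxtech's table, and checks the boundary rule BOFH gives for combining class C networks. The addresses and masks it uses are the ones from the posts.

```python
"""Added example (not part of the original posts): subnet arithmetic with
the addresses from Terr's, BOFH's and Negative's examples above."""
from typing import List, Tuple


def ip_to_int(dotted: str) -> int:
    """'199.217.30.84' -> 32-bit integer; rejects anything but four octets 0..255."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """Dotted binary as Terr writes it: 11000111.11011001.00011110.01010100"""
    return ".".join(f"{(ip_to_int(dotted) >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """CIDR prefix length -> dotted mask: 22 -> 255.255.252.0 (22 ones, 10 zeros)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return int_to_ip(((1 << prefix) - 1) << (32 - prefix))


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> prefix length. A valid mask is a run of 1s followed by 0s."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if ip_to_int(prefix_to_mask(ones)) != m:
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def network_of(ip: str, mask: str) -> str:
    """Negative's AND: 199.217.174.3 & 255.255.252.0 -> 199.217.172.0"""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when both addresses mask to the same network, i.e. b is 'local' to a."""
    return network_of(a, mask) == network_of(b, mask)


def addresses_in(mask: str) -> int:
    """Size of one subnet, 2 ** host bits: 255.255.252.0 -> 1024, not 765."""
    return 1 << (32 - mask_to_prefix(mask))


def classify_destinations(my_ip: str, mask: str, dests: List[str]) -> List[Tuple[str, bool]]:
    """Terr's exercise: which destinations are on my LAN under this mask?"""
    return [(d, same_subnet(my_ip, d, mask)) for d in dests]


def ip_class(ip: str) -> str:
    """Classful type from the high-order bits of the first octet
    (0 -> A, 10 -> B, 110 -> C, 1110 -> D, 1111 -> E). 127.x.x.x is class A by
    its bits but reserved for loopback, as zxtech's post notes."""
    first = ip_to_int(ip) >> 24
    if first & 0x80 == 0:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"


def supernet(first_network: str, count: int) -> Tuple[str, str]:
    """Combine `count` consecutive class C networks into one block as BOFH
    describes: count must be a power of two and the third octet of the first
    network must be divisible by count. Returns (network, mask)."""
    if count < 1 or count & (count - 1):
        raise ValueError("count must be a power of two")
    third = (ip_to_int(first_network) >> 8) & 0xFF
    if third % count:
        raise ValueError(f"{first_network} is not on a {count}-network boundary")
    prefix = 24 - count.bit_length() + 1       # 2 nets -> /23, 8 nets -> /21
    mask = prefix_to_mask(prefix)
    return network_of(first_network, mask), mask


if __name__ == "__main__":
    me, mask = "199.217.30.84", prefix_to_mask(22)
    print(me, "/22 =", to_binary(me), "mask", mask, "->", addresses_in(mask), "addresses")
    for dest, local in classify_destinations(me, mask, ["199.217.174.3", "199.217.27.74", "199.217.31.74"]):
        print(f"  {dest:15} network {network_of(dest, mask):15} local={local}")
    print("supernet of 198.41.18.0 x2:", supernet("198.41.18.0", 2))
```

Under the /22 mask only 199.217.31.74 is local, matching Terr's result; 198.41.15.0 with count 2 raises, as BOFH says it should, while 198.41.18.0 combines to 198.41.18.0/23.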

 

Part 4: IP SPOOFING

            Q. - What is IP Spoofing?

            A. (Provided by AO Member: Jparker)

            Network Security Misconceptions: Chapter 1: IP Spoofing

During the last few weeks of us chatting on irc.antionline.com, in #Antionline, there has been a lot of "debate" about IP Spoofing in today's Internet. Some less intelligent people boast about having "Spoofers" for mIRC and Windows in general, while other seasoned vets sit back and laugh at their expense.

So, tonight, I'm here going to set the record straight in my first in a series of posts I plan on disproving common Internet Misconceptions.

To begin, for those who are new to this, "Spoofing" is the slang term given to the technique of changing one's IP to another IP to "make believe" they are from a system they are not on.

This all started back, way back, probably in the early '90s was when it was big, when a vulnerable name service daemon was released on UNIX systems. With this version of BIND, it was possible to inject code into the memory space of a running name server with the fake authoritative record, and PTR record of a fake domain so that when a connection was made from this server, the fake IP would show up on the destination system up a query of the vulnerable name server. This was the most popular method of "spoofing".

You can't do it anymore.

The problem was fixed with later releases of the name server software. You also had to have root (super user) access to run the exploit code, and with all that, you ALSO had to be using a name server that had authoritative access AND control over the reverse resolution of their domain names.

The second most reliable method that people used to use was that of TCP Sequence number prediction. Every TCP connection makes a 3-way handshake when making the connection.

First, a SYN (synchronous) packet is sent from your machine to the destination, requesting a connection. Second, a SYN/ACK (acknowledgment) packet is sent from that system to yours requesting a connection, and acknowledging your attempt at a connection. Last, your machine returns an ACK packet to complete the connection between the machines.

The way this was exploited, was when a user, prior to attempting the connection, would scan the system and by the results of the scan, would know the sequence numbers that are used during a TCP connection. With this knowledge, a "spoofer" would then forge the source IP of the TCP SYN packet, and send it to the destination. Upon receipt of this forged packet, the destination would send it to the "fake" address. Thus you would think that the connection couldn't be established because it didn't receive that SYN/ACK packet, but, because of the prior scan, we could "guess" or predict what that packet's information was going to be, and thus, complete the connection on our own with the "fake" address, even though we didn't get that SYN/ACK packet back and it's lost in space somewhere.

So, basically, both of those methods are non-practiced because either they are no longer vulnerable, or measures have been taken to make them more difficult to obtain.

So, hopefully that clears up a little of the misconception: *most people* CANNOT IP spoof anymore.

 

[Edited By: Simon Templer]
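The sequence-number attack Jparker outlines turns on one detail: the spoofer never sees the SYN/ACK, so the final ACK only completes the handshake if the server's initial sequence number (ISN) was guessed correctly. The block below is an added toy model, not code from the post and not a network tool: the "server", "packets" and addresses are Python objects, the stepping ISN generator is a deliberately simple stand-in for the predictable generators old stacks used (not any particular system's algorithm), and the model ignores that a real victim host would answer the unexpected SYN/ACK with a reset. It shows the forged handshake succeeding against the stepping generator and failing against a random one, which is the countermeasure modern stacks adopt (RFC 6528).

```python
"""Added example (not part of Jparker's post): a toy model of blind TCP
spoofing by ISN prediction. No sockets are used; everything is simulated."""
import secrets
from typing import Callable, Dict, Set, Tuple

MOD32 = 1 << 32
ISN_STEP = 64000  # constant increment of the toy "predictable" generator (an assumption)


def stepping_isn() -> Callable[[], int]:
    """Toy predictable generator: each new connection gets the previous ISN + ISN_STEP,
    starting from a secret value the attacker does not know."""
    state = {"isn": secrets.randbelow(MOD32)}

    def nxt() -> int:
        state["isn"] = (state["isn"] + ISN_STEP) % MOD32
        return state["isn"]
    return nxt


def random_isn() -> Callable[[], int]:
    """Unpredictable generator: a fresh 32-bit random ISN for every connection."""
    return lambda: secrets.randbelow(MOD32)


class ToyServer:
    """Minimal three-way-handshake state: SYN -> SYN/ACK(isn) -> ACK(isn + 1)."""

    def __init__(self, isn_source: Callable[[], int]):
        self.isn_source = isn_source
        self.pending: Dict[str, int] = {}   # source address -> ISN we chose for it
        self.established: Set[str] = set()

    def recv_syn(self, src: str) -> Tuple[str, int]:
        """Answer a SYN. The SYN/ACK is routed to `src`, so a forged sender never
        sees it; the return value models the wire, not the attacker's view."""
        isn = self.isn_source()
        self.pending[src] = isn
        return (src, isn)

    def recv_ack(self, src: str, ack: int) -> bool:
        """Complete the handshake only if the ACK acknowledges our ISN + 1."""
        isn = self.pending.get(src)
        if isn is not None and ack == (isn + 1) % MOD32:
            self.established.add(src)
            del self.pending[src]
            return True
        return False


def blind_spoof(server: ToyServer, attacker: str, victim: str) -> bool:
    """The sequence in the post: connect from your own address to observe the
    current ISN, forge a SYN from `victim`, predict the ISN the server picked
    for it, and send the final ACK without ever seeing the SYN/ACK."""
    _, observed = server.recv_syn(attacker)              # legitimate probe
    server.recv_ack(attacker, (observed + 1) % MOD32)    # finish our own handshake
    delivered_to, _ = server.recv_syn(victim)            # forged SYN
    assert delivered_to == victim                        # SYN/ACK went to the victim, not to us
    guess = (observed + ISN_STEP) % MOD32                # prediction from the observed step
    return server.recv_ack(victim, (guess + 1) % MOD32)  # blind ACK


if __name__ == "__main__":
    print("stepping ISN, spoof completes:", blind_spoof(ToyServer(stepping_isn()), "attacker", "trusted-host"))
    print("random ISN,   spoof completes:", blind_spoof(ToyServer(random_isn()), "attacker", "trusted-host"))
```

With the stepping generator the forged connection is ESTABLISHED for "trusted-host" even though that host never sent anything; with random ISNs the guess succeeds with probability 2^-32 per attempt, which is why, as the post says, the technique is no longer practical against current systems.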

 

Q. - Where can I find more information on IP Spoofing?

A. - To find more information on IP-Spoofing visit:

            http://www.geocities.com/pharmicomlabs (Security Library > Misc)

 

Part 5: FIREWALL SOFTWARE

            Q. - What is a Firewall?

A. - A firewall is software (or a dedicated device) that sits between your computer and the network and filters traffic according to rules: which addresses, ports and protocols may talk to which, and, for a stateful firewall, whether a packet belongs to a connection you started. A personal firewall on a home PC mainly blocks inbound connections to ports you did not mean to expose, so intruders cannot reach services that may be running on your computer (file sharing, a forgotten Trojan listener); most also warn you when a program on your PC tries to connect outward, which is how a Trojan phoning home often gets caught. A firewall does not remove a Trojan that is already installed, and it cannot protect a service you deliberately open to the Internet; it only enforces the rules you give it.

 

Q. - Where do I get a Firewall?

A. - There are many companies on the Internet that offer firewall software; listed below are a few notable firewall products:

Agnitum – Outpost

http://www.tauscan.com

 

Tiny Software - Tiny Personal Firewall

http://tinysoftware.com

 

ZoneLabs - Zone Alarm

http://www.zonelabs.com

 

Sygate - Sygate Personal Firewall

http://www.sygate.com/products/

 

Network ICE – Black Ice Defender

http://www.networkice.com/products/blackice_defender.html

 

Symantec Desktop Firewall 2.0

http://www.symantec.com

 

McAfee Personal Firewall

http://www.mcafee.com/myapps/firewall/

 

 

ConSeal PC Firewall

http://www.consealfirewall.com/

 

Q. - What are some recommended Firewall Programs?

A. - Most members of AntiOnline’s forums recommend either Tiny Personal Firewall or Zone Alarm.

 

Part 6: PROTOCOLS

Q. - What is a Protocol?

A. - A protocol is a set of rules or procedures that devices follow to establish communication and exchange data with one another.

 

Q. - Where Can I find information on Common Protocols?

A. - Online Resources

TCP/IP Reading:

ftp://ftp.isi.edu/in-notes/rfc793.txt (RFC 793 - TCP)

ftp://ftp.isi.edu/in-notes/rfc791.txt (RFC 791 - IP)

http://pclt.cis.yale.edu/pclt/COMM/TCPIP.HTM

http://oac3.hsc.uth.tmc.edu/staff/snewton/tcp-tutorial/

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ip.htm

http://www.garykessler.net/library/tcpip.html

 

IPX/SPX Reading:

http://www.mouse.demon.nl/ckp/lanwan/novell.htm

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/netwarep.htm

 

UDP Reading:

ftp://ftp.isi.edu/in-notes/rfc768.txt (RFC 768 - UDP)

http://www-net.cs.umass.edu/kurose/transport/UDP.html

http://www.freesoft.org/CIE/Topics/85.htm

 

HTTP Reading:

ftp://ftp.isi.edu/in-notes/rfc2616.txt (RFC 2616 - HTTP)

http://www.w3.org/Protocols/

 

FTP Reading:

ftp://ftp.isi.edu/in-notes/rfc959.txt (RFC 959 - FTP)

http://parsons.cs.colostate.edu/helpdocs/ftp.html

http://www.ualberta.ca/CNS/HELP/filetran/ftp-commands.html

http://www.mcsr.olemiss.edu/unixhelp/tasks/ftp2.1.1.html

 

NETBIOS Reading:

ftp://ftp.isi.edu/in-notes/rfc1001.txt (RFC 1001 - NetBIOS)

ftp://ftp.isi.edu/in-notes/rfc1002.txt (RFC 1002 - NetBIOS)

http://support.baynetworks.com/library/tpubs/html/router/soft1200/117358AA/B_39.HTM

http://members.tripod.com/~Gavin_Winston/NETBIOS.HTM

http://cable-dsl.home.att.net/netbios.htm

 

Part 7: TROJANS

Q. - What are Trojans?

A. - Symantec Antivirus defines a Trojan as follows:

“A program that neither replicates nor copies itself but does damage or compromises the security of the computer. Typically it relies on someone emailing it to you; it does not email itself. It may arrive in the form of a joke program or software of some sort.”

 

Q. - Where do I get Trojans?

A. - Here are a few online sources to find information and executable forms of Trojan Horse Programs.

 

Author Note: Use these links at your own risk -- Remember -- when you go looking for trouble you find it.

 

http://www.ebcvg.com/

http://www.550m.com/usuarios/viriiar/home2.htm

http://www.bo2k.com/indexnews.html

http://netbus.nu/

http://www.astalavista.com/

http://www.tlsecurity.net/main.htm

 

Q. - How do I remove Trojans from my computer?

A. - Removing Trojans can be tricky for new computer users. It is best to use a Trojan removal utility or an up-to-date antivirus scanner, and afterwards to check the startup locations described in the next question so the Trojan is not simply reloaded at the next boot. You can find Trojan removal utilities at the following places:

 

Tauscan Trojan Removal Utility:

http://www.tauscan.com/

 

MooSoft Trojan Removal Utility:

http://www.moosoft.com/

 

DiamondCS Trojan Removal Utility:

http://tds.diamondcs.com.au/

 

Panda Antivirus:

http://www.pandasoftware.com/

 

AVG Antivirus:

http://www.grisoft.com/html/us_index.cfm

 

 

McAfee Antivirus:

http://www.mcafee.com/

 

Kaspersky Antivirus:

http://www.kaspersky.com/

 

Sophos Antivirus:

http://www.sophos.com/

 

Symantec Antivirus:

http://www.symantec.com/

 

TrendMicro Antivirus:

http://www.antivirus.com/

 

 

Q. - How can I protect myself from Trojans?

A. - (A Post by AO Member: Simon Templer)

Ways to help protect your computer from Trojans, etc.:

 

1. Invest in a good virus scanner (I recommend Norton, but someone might know a better one)

2. Don't download stuff you don't need; also included in this rule: don't open email attachments from people you don't know.

3. Check OS startup entries: (Registry, AutoExec, Startup Folder)

As mentioned you can use Sysedit, MsConfig, Regedit, etc

 

Here are a few places to look for suspicious entries:

 

Places to look in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

 

Places to look in the Win.ini:

"load="

"run="

Normally these are left empty.

 

Note: Check the AutoExec.bat for odd entries 

 

Part 8: EXPLOITS

Q. - What are Exploits?

A. - An exploit is a program, script or technique that takes advantage of a vulnerability (a flaw in an operating system, application or other software) to bypass security controls or attack a computer system. The vulnerability is usually the result of a programming error; the exploit is the code that abuses it.

 

Q. - Where can I find information on Exploits?

A. – For more information and examples of exploits consult the following online resources:

 

            http://www.securityfocus.com/

http://packetstormsecurity.org/

http://www.eeye.com/html/

http://www.cert.org/

http://www.infosyssec.net/

http://www.ntsecurity.net/

http://www.sans.org/newlook/home.htm

http://www.tlsecurity.net/main.htm
