" NetSpy is TCP monitor.It will enumerate all sockets and connections on the
computer.It will also save the established connections to a log file.
Here are some examples of the various uses of NetSpy:
1. Getting one's IP is a valid operation with NetSpy.
Point-to-point operations like DCC chat, ICQ chat or file transfer
open a new connection between the two computers (meaning no IRC/ICQ servers
in the middle). Once this PTP connection is established, NetSpy
will print out the info (remote IP and hostname, remote port and local port).
IP. One's IP is the most important information on the net, especially
if you have a static IP. If someone has your IP, it's a situation prone
to trouble. For a little example, if you want to disconnect someone
from the net, ping him with large packets: ping.exe -t -l 99999999
There are many mean things one can do to you with your IP; the most
dangerous one is connecting with a net-trojan (note #2).
Hostname. Usually one's hostname will give away his place of living, and,
assuming you are resourceful, you can get the number of his ISP and
phone-line provider. With some more work you can get the phone records
of the ISP. Date and time crossed with those records and you have
that person's home phone number and full name. NO MORE SECRETS!
If you want to protect yourself from such situations, use bouncers,
firewalls and other such services that will mask your IP and minimize
the number of valid sockets and port numbers.
2. Locate and identify any ports in 'listen' mode. Trojans like NetBus, BO
and various viruses open a socket on the target computer.
This socket binds a specific port and sits in listen mode,
waiting for an attack via this port.
With NetSpy you can catch those ports and prevent the attack before
it's too late.
3. Like with assembly language, a low-level view can give a better understanding
of "high-level" protocols like HTTP and FTP.
Try this for example: connect to an FTP site and download a file.
Look carefully at what's going on. There's a "carrier" socket connection
for the 'dir' command; this one transfers filenames and directories. This
connection is always open.
Once a 'get' command is sent, a new connection is established (same
remote IP, different ports). This connection transfers the file itself.
In Windows programming terms, you can say the file is sent in a different
thread. The "carrier" socket is still open. This means that theoretically
you can still browse the FTP while downloading a file.
Another example: connect to Hotmail and enter your user/pass.
Look at NetSpy: Hotmail's password server is right there ;)
4. Server-authentication shareware protections are less threatening when spied
on. You can see when and where the shareware connects to the user/name
authentication server. A generic crack for those protections is very
possible: a program like DynamicIP can redirect the authentication
server to an unreachable location. API patching is also a solution (hi
Lucifer48 :)
Bottom line: be creative. There are many things you can do with a Net-Spy.
NetSpy tips:
Double-click an entry in Net-Spy to add it to the log.
Use the pop-up menu in Net-Log to copy IP & hostname to the clipboard.
Click the small white rectangle at the corner to clear the log.
If you see a port listening and you suspect it's a trojan, you can
kill it with ProcDump: check the running modules and see which have links
to wsock32.dll, terminate its process, and see in NetSpy whether the
listening port is closed (it could take a few seconds before the port is
closed).
How NetSpy works:
NetSpy uses SNMP (Simple Network Management Protocol) extension agent
services. Its APIs were undocumented in Windows 95, and in the Windows 98 SDK
the information is very minimal. I debugged netstat.exe and arp.exe to
study how to work out the agent. I reached a good understanding of how it
works, but still there was some piece missing: the logic behind it was
fuzzy. Thankfully I found Mark Russinovich's (http://www.sysinternals.com)
TCP-monitor source, which completed the picture (tcpidentifiers[] =
{ 1,3,6,1,2,1,6,13,1,1 }; who would have guessed!)
This work would not have been completed without Russinovich's source code.
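The array above is the object identifier prefix of the MIB-2 tcpConnTable (1.3.6.1.2.1.6.13.1, column 1 = tcpConnState), which is the table netstat-style tools walk through the SNMP agent. To make that concrete, here is an added Python example; it is not NetSpy's code (NetSpy is a Windows program driving the SNMP extension agent directly). It decodes tcpConnState rows as an SNMP walk would return them, then does what items 2 and 3 describe: lists sockets in LISTEN state, flags listeners outside an operator's allow-list, logs established sessions, and groups the connections to one remote host (the FTP control and data connections side by side). The sample walk rows, the 40000 listener and the allow-list of expected ports are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# MIB-2 tcpConnEntry (RFC 1213): 1.3.6.1.2.1.6.13.1, the prefix behind
# NetSpy's tcpidentifiers[]. Column 1 under it is tcpConnState.
TCP_CONN_ENTRY = (1, 3, 6, 1, 2, 1, 6, 13, 1)
TCP_CONN_STATE_COLUMN = 1

# tcpConnState values as defined in RFC 1213.
TCP_STATES = {
    1: "CLOSED", 2: "LISTEN", 3: "SYN_SENT", 4: "SYN_RCVD", 5: "ESTABLISHED",
    6: "FIN_WAIT1", 7: "FIN_WAIT2", 8: "CLOSE_WAIT", 9: "LAST_ACK",
    10: "CLOSING", 11: "TIME_WAIT", 12: "DELETE_TCB",
}


@dataclass(frozen=True)
class TcpConn:
    state: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int


def decode_row(oid, state_value):
    """Decode one tcpConnState instance OID plus its integer value.

    Instance layout (RFC 1213 INDEX clause):
      <tcpConnEntry>.1.<localAddr: 4 octets>.<localPort>.<remAddr: 4 octets>.<remPort>
    """
    parts = tuple(int(x) for x in oid.strip(".").split("."))
    n = len(TCP_CONN_ENTRY)
    # prefix + column + 4 + 1 + 4 + 1 index sub-identifiers
    if len(parts) != n + 11 or parts[:n] != TCP_CONN_ENTRY:
        raise ValueError(f"not a tcpConnState instance OID: {oid}")
    if parts[n] != TCP_CONN_STATE_COLUMN:
        raise ValueError(f"expected tcpConnState column, got {parts[n]}")
    index = parts[n + 1:]
    lport, rport = index[4], index[9]
    if not (0 <= lport <= 65535 and 0 <= rport <= 65535):
        raise ValueError(f"port out of range: {oid}")
    if state_value not in TCP_STATES:
        raise ValueError(f"unknown tcpConnState {state_value}")
    # bytes() rejects octets outside 0..255; IPv4Address accepts 4 raw bytes.
    local = str(ipaddress.IPv4Address(bytes(index[0:4])))
    remote = str(ipaddress.IPv4Address(bytes(index[5:9])))
    return TcpConn(TCP_STATES[state_value], local, lport, remote, rport)


def walk_tcp_table(rows):
    """rows: iterable of (oid, tcpConnState) pairs as an SNMP walk yields them."""
    return [decode_row(oid, value) for oid, value in rows]


def listening_ports(conns):
    """Ports in LISTEN state (item 2: what a bound backdoor socket looks like)."""
    return sorted({c.local_port for c in conns if c.state == "LISTEN"})


def unexpected_listeners(conns, expected_ports):
    """Listeners that are not in the operator's allow-list of known services."""
    return [p for p in listening_ports(conns) if p not in expected_ports]


def established_log_lines(conns):
    """Lines a NetSpy-style log would record for established sessions."""
    return [f"{c.local_addr}:{c.local_port} <-> {c.remote_addr}:{c.remote_port}"
            for c in conns if c.state == "ESTABLISHED"]


def connections_to(conns, remote_addr):
    """(local_port, remote_port, state) for every connection to one remote host,
    e.g. the FTP control and data connections of item 3 side by side."""
    return [(c.local_port, c.remote_port, c.state)
            for c in conns if c.remote_addr == remote_addr]


# Constructed sample walk (not a real capture): ftpd listening on *:21, an
# unexplained listener on *:40000, an FTP control session plus its data
# connection (same remote host, different ports), and a closing web session.
SAMPLE_WALK = [
    ("1.3.6.1.2.1.6.13.1.1.0.0.0.0.21.0.0.0.0.0", 2),
    ("1.3.6.1.2.1.6.13.1.1.0.0.0.0.40000.0.0.0.0.0", 2),
    ("1.3.6.1.2.1.6.13.1.1.192.168.1.10.1234.10.0.0.5.21", 5),
    ("1.3.6.1.2.1.6.13.1.1.192.168.1.10.1235.10.0.0.5.20", 5),
    ("1.3.6.1.2.1.6.13.1.1.192.168.1.10.1236.10.0.0.9.80", 11),
]

if __name__ == "__main__":
    conns = walk_tcp_table(SAMPLE_WALK)
    for c in conns:
        print(f"{c.state:<12} {c.local_addr}:{c.local_port} -> "
              f"{c.remote_addr}:{c.remote_port}")
    print("listening:", listening_ports(conns))
    print("unexpected listeners:", unexpected_listeners(conns, {21}))
    print("established log:", *established_log_lines(conns), sep="\n  ")
    print("to 10.0.0.5:", connections_to(conns, "10.0.0.5"))
```

The allow-list is the practical part: a listener that nobody installed a service for is the thing item 2 tells you to look for, and comparing a walk against the ports you expect turns that check into something you can run on every snapshot rather than read by eye.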
Last words:
You can reach me at [email protected]
Greetings to all PC members, and all the crackers in the world =)
The+Q