Telnet Hacking, Part 2

The blank screen indicates that the finger daemon is waiting for input. If you have a particular user that you are interested in, type in the username and hit enter. A response will be provided, and the daemon will disconnect the client. If you don't know a particular username, you can start by simply hitting enter. In some cases, you may get a response such as "No one logged on." Or you may get information of all currently logged on users. It all depends on whether or not the sysadmin has chosen to enable certain features of the daemon. You can also try other names, such as "root", "daemon", "ftp", "bin", etc.
Another neat trick to try out is something that I have seen referred to as "finger forwarding". To try this out, you need two hosts that run finger. Connect to the first host, host1.com, and enter the username that you are interested in. Then go to the second host, and enter:
user@host1.com
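A defensive counterpart to the daemon behaviour described above, written as an added example that is not part of the original post: a minimal finger request handler in Python that answers direct single-user queries only, refuses the empty query (the case that lists everyone logged on) and the user@host forwarding form, and returns the same "No such user" text for unknown names and for the system accounts named above ("root", "daemon", "ftp", "bin"), so the reply does not confirm which accounts exist. The user record, the response wording and the listening port 7979 are assumptions made for this example.

```python
import socket

# Constructed user directory standing in for the system's account data
# (assumption for this example); system accounts such as root, daemon,
# ftp and bin are deliberately not present, so they are never disclosed.
KNOWN_USERS = {
    "alice": "Login: alice    Name: Alice Example\n"
             "Directory: /home/alice    Shell: /bin/sh\n",
}

REFUSED_EMPTY = "Listing of logged-on users is disabled.\r\n"
REFUSED_FORWARD = "Finger forwarding is not supported.\r\n"
NO_SUCH_USER = "No such user.\r\n"


def handle_finger_query(raw):
    """Build the reply for one finger query line (RFC 1288 request syntax).

    Empty query  -> refused (a permissive daemon would list every logged-on user)
    user@host    -> refused (a permissive daemon would forward the query to host)
    unknown name -> 'No such user', identical to the reply for hidden system accounts
    known name   -> that user's record, lines terminated with CRLF
    """
    query = raw.rstrip("\r\n").strip()
    # RFC 1288 lets a client prefix the query with /W to request verbose output.
    if query.upper().startswith("/W"):
        query = query[2:].strip()
    if query == "":
        return REFUSED_EMPTY
    if "@" in query:
        return REFUSED_FORWARD
    record = KNOWN_USERS.get(query.lower())
    if record is None:
        return NO_SUCH_USER
    return record.replace("\n", "\r\n")


def serve(host="127.0.0.1", port=7979, max_requests=None):
    """Accept connections, answer one query each and disconnect, which is the
    daemon behaviour the text above describes. Port 7979 is an assumed
    unprivileged port so the example can be tried without root."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        served = 0
        while max_requests is None or served < max_requests:
            conn, _ = srv.accept()
            with conn:
                # A client that never sends a line must not hold the daemon open.
                conn.settimeout(5)
                try:
                    raw = conn.recv(512).decode("ascii", errors="replace")
                except socket.timeout:
                    raw = ""
                conn.sendall(handle_finger_query(raw).encode("ascii"))
            served += 1


if __name__ == "__main__":
    serve()
```

Run the block and then point telnet or netcat at 127.0.0.1 7979: an empty line, "alice@host1.com" and "root" each get a one-line refusal or "No such user", and only "alice" gets a record back. Answering unknown and hidden accounts identically is the point; a daemon that says "no such user" for one name and "permission denied" for another still tells the client which accounts exist.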
Now, if you want to show your friends that you are a "real man" because "real men don't need no stinkin' GUIs", just open up a DOS window and type:
c:\>telnet [host] [port]
and the program will automatically attempt to connect to the host on the designated port for you.
Using Netcat
Let me start by giving a mighty big thanks to Weld Pond from L0pht for producing the netcat program for Windows NT. To get a copy of this program, which comes with source code, simply go to:
http://www.l0pht.com/~weld
NOTE: The first character of "l0pht" is the letter "l". The second character is a zero, not an "o".
I know that the program is supposed to run on NT, but I have seen it run on Win95. It's a great little program that can be used to do some of the same things as telnet. However, there are advantages to using netcat...for one, it's a command-line program, and it can be included in a batch file. In fact, you can automate multiple calls to netcat in a batch file, saving the results to a text file.
**************************************************
Before using netcat, take a look at the readme.txt file provided in the zipped archive you downloaded. It goes over the instructions on how to download web pages using netcat, similar to what I described earlier using telnet.
There are two ways to go about getting finger information using netcat. The first is in interactive mode. Simply type:
c:\>nc [host] 79
If the daemon is running, you won't get a command prompt back. If this is the case, type in the username and hit enter. Or use the automatic mode by first creating a text file containing the username of interest. For example, I typed:
c:\>edit root
and entered the username "root", without the quotes. Then from the command prompt, type:
c:\>nc [host] 79 < root
and the response will appear on your screen. You can save the output to a file by adding the appropriate redirection operator to the end of the command:
c:\>nc [host] 79 < root > nc.log
to create the file nc.log, or:
c:\>nc [host] 79 < root >> nc.log
to append the response to the end of nc.log. NOTE: Make sure that you use spaces between the redirection operators.

How to Break into a Windows machine Connected to the Internet

Protecting Yourself
First, the method of protecting yourself needs to be made perfectly clear. DON'T SHARE FILES!! I can't stress that enough. If you are a home user, and you are connecting a Win computer to the Internet via some dial-up method, disable sharing. If you must share, use a strong password...8 characters minimum, a mix of upper and lower case letters and numbers, and change the password every now and again. If you need to transmit the password to someone, do so over the phone or by written letter. To disable sharing, click on My Computer -> Control Panel -> Network -> File and Print Sharing. In the dialog box that appears, uncheck both boxes. It's that easy.

** The command-line approach **
Okay, now for the part that should probably be titled "How they do it". All that is needed is the IP address of the remote machine. Now open up a DOS window, and at the command prompt, type:
c:\>nbtstat -A [ip_addr]
If the remote machine is connected to the Internet and the ports used for sharing are not blocked, you should see something like:
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
NAME           <00>  UNIQUE      Registered
DOMAIN         <00>  GROUP       Registered
NAME           <03>  UNIQUE      Registered
USERNAME       <03>  UNIQUE      Registered

MAC Address = 00-00-00-00-00-00
This machine name table shows the machine and domain names, a logged-on username, and the address of the Ethernet adapter (the information has been obfuscated for instructional purposes).
**Note: This machine, if unpatched and not protected with a firewall or packet-filter router, may be vulnerable to a range of denial of service attacks, which seem to be fairly popular, largely because they require no skill or knowledge to perpetrate.
The key piece of information that you are looking for is in the Type column. A machine that has sharing enabled will have a hex code of "<20>".
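To check your own machines for exactly this condition, as an added example that is not part of the original post: a small Python parser for the name-table text that nbtstat prints, reporting whether a File Server Service name (the <20> suffix) is registered, which is what the "Protecting Yourself" section above tells you to remove by disabling sharing. Both sample tables are constructed: the first is the obfuscated output shown above, the second the same host with a <20> entry added. The suffix descriptions are the standard NetBIOS meanings of those suffix bytes.

```python
import re

# Standard NetBIOS name-suffix meanings for the entries seen in the text above.
SUFFIX_MEANINGS = {
    0x00: "Workstation Service (unique) / domain or workgroup name (group)",
    0x03: "Messenger Service (machine name or logged-on user)",
    0x20: "File Server Service (file and print sharing enabled)",
}

# One table row: name, <two-digit hex suffix>, UNIQUE|GROUP, status.
ENTRY_RE = re.compile(
    r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC_RE = re.compile(
    r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_name_table(text):
    """Return {'entries': [...], 'mac': str or None} from nbtstat -A output."""
    entries, mac = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            entries.append({
                "name": name.strip(),
                "suffix": int(suffix, 16),
                "type": kind,
                "status": status,
            })
            continue
        m = MAC_RE.search(line)
        if m:
            mac = m.group(1).upper()
    return {"entries": entries, "mac": mac}


def sharing_enabled(text):
    """True when a registered <20> (File Server Service) name is present."""
    return any(e["suffix"] == 0x20 and e["status"].lower() == "registered"
               for e in parse_name_table(text)["entries"])


def audit(text):
    """Human-readable findings for one host's name table."""
    table = parse_name_table(text)
    lines = []
    for e in table["entries"]:
        meaning = SUFFIX_MEANINGS.get(e["suffix"], "other service")
        lines.append(f"{e['name']:<16}<{e['suffix']:02X}> "
                     f"{e['type']:<7}{e['status']:<11} {meaning}")
    verdict = ("SHARING ENABLED: disable File and Print Sharing or block the NetBIOS ports"
               if sharing_enabled(text) else "no File Server Service registered")
    lines.append(f"MAC {table['mac'] or 'unknown'}; {verdict}")
    return lines


# Constructed sample 1: the obfuscated table shown in the text above.
SAMPLE_NO_SHARE = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
NAME           <00>  UNIQUE      Registered
DOMAIN         <00>  GROUP       Registered
NAME           <03>  UNIQUE      Registered
USERNAME       <03>  UNIQUE      Registered

MAC Address = 00-00-00-00-00-00
"""

# Constructed sample 2: the same host with sharing turned on.
SAMPLE_SHARE = SAMPLE_NO_SHARE.replace(
    "USERNAME       <03>  UNIQUE      Registered\n",
    "USERNAME       <03>  UNIQUE      Registered\n"
    "NAME           <20>  UNIQUE      Registered\n")

if __name__ == "__main__":
    for sample in (SAMPLE_NO_SHARE, SAMPLE_SHARE):
        print("\n".join(audit(sample)), end="\n\n")
```

Feed it the saved output of nbtstat -A run against each of your own machines and the last line of audit() tells you which ones still have the <20> name registered after you think you disabled sharing. The parser keys on the suffix byte rather than the name text, because the name column is whatever the machine was called and carries no information about what services it offers.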
If you find a machine with sharing enabled, the next thing to do is type the following command:
c:\>net view \\[ip_addr]
The response will vary. You may find that there are no shares on the list, or that there are several shares available. Choose which share you would like to connect to, and type the command:
c:\>net use g: \\[ip_addr]\[share_name]
You will likely get a response that the command was completed successfully. If that is the case, type:
c:\>cd g:
or whichever drive letter you decided to use. You can now view what exists on that share using the dir command, etc.
Now, you may be presented with a password prompt when you issue the above command. If that is the case, typical "hacker" (I shudder at that term) methods may be used.
Another approach goes through the Lmhosts file. Start with the sample file that comes with Windows:
c:\windows\lmhosts.sam
Read over the file, and then create another file in Notepad, called simply "Lmhosts", without an extension. The file should contain the IP address of the host, the NetBIOS name of the host (from the nbtstat command), and #PRE, separated by tabs. Once you have added this information, save it, and minimize the window. In the DOS command window, type:
c:\>nbtstat -R
This command reloads the cache from the Lmhosts file you just created.
Now, click on Start -> Find -> Computer, and type in the NetBIOS name of the computer...the same one you added to the Lmhosts file. If your attempt to connect to the machine is successful, you should be presented with a window containing the available shares. You may be presented with a password prompt window, but again, typical "hacker" (again, that term grates on me like fingernails on a chalkboard, but today, it seems that it's all folks understand) techniques may be used to break the password.
************************************************
Your friend can learn his or her IP address by going to the DOS prompt while online and giving the command "netstat -r". Something like this should show up:
C:\WINDOWS>netstat -r
Route Table
Active Routes:
  Network Address          Netmask  Gateway Address        Interface  Metric
          0.0.0.0          0.0.0.0   198.999.176.84   198.999.176.84       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
    198.999.176.0    255.255.255.0   198.999.176.84   198.999.176.84       1
   198.999.176.84  255.255.255.255        127.0.0.1        127.0.0.1       1
  198.999.176.255  255.255.255.255   198.999.176.84   198.999.176.84       1
        224.0.0.0        224.0.0.0   198.999.176.84   198.999.176.84       1
  255.255.255.255  255.255.255.255   198.999.176.84          0.0.0.0       1
Your friend's IP address should be under "Gateway Address." Ignore the 127.0.0.1, as this will show up for everyone and simply means "localhost" or "my own computer." If in doubt, break the Internet connection and then get online again. The number that changes is the IP address of your friend's computer.
