VBOK #10 - Ports/WinNuke
______________________________________________________________________
TOC

1. Ports
2. Security Issues (New section)
3. Software you can't live without
4. Cool Sites

If the columns in the below articles appear misaligned, it's because you are using a non-fixed width font. If you would like to see them nice and straight, change your E-mail font to Times New Roman.
______________________________________________________________________
1. Ports
------
What is a port? Well, a port is used by TCP (Transmission Control Protocol) to provide a connection for commonly occurring or standard traffic. An example would be e-mail.

Before I explain this and show you how it works, I want to make clear that these port numbers are not carved in stone. If you have a fairly configurable piece of software, you can change these port numbers to anything you want. For purposes of explanation, I will be using the default/common port numbers.

Ok, back to the explanation. You open up your e-mail program and check your mail. (Ok, another explanation. There are a few ways you can check your e-mail. Some examples are POP, Kerberos and IMAP. They vary in degrees of security for the authentication procedure and options that the server will allow you to use to control your e-mail. For now, I'm just going to stick with straight POP3 ident and auth.)

Ok, where were we? Oh yeah, you open up your e-mail and check for new mail. Well, you use port 113 to do the identification and authorization for your account info and password, you receive your e-mail on port 110, and you send your outgoing mail on port 25.

Why all the different ports? Well, they mainly serve to help sort out all the traffic coming into/out of your computer. If you're anything like me, I download files, browse internet sites (I really dislike the term "Surfing the Net"), chat in ICQ, and upload files to my web page server, all at the same time. That's a lot of data to keep track of.
Ports help to keep all that data separate and going to the right places.

I've listed below some standard port numbers for the common types of activities. In addition to the basic usage ports, which are numbered 0 - 1023 and called Well Known Ports (BTW, these are assigned by IANA (Internet Assigned Numbers Authority)), there are two more categories of ports: Registered Ports, which are 1024 - 49151, and Dynamic/Private Ports, numbered 49152 - 65535.

ftp-data        20   File Transfer [Default Data]
ftp             21   File Transfer [Control]
telnet          23   Telnet
smtp            25   Simple Mail Transfer Protocol
domain          53   Domain Name Server
whois++         63   whois++
gopher          70   Gopher
finger          79   Finger
http            80   WWW/http (Internet connection)
kerberos        88
pop2           109   Post Office Protocol 2
pop3           110   Post Office Protocol 3
ident          113
auth           113
sftp           115   Simple File Transfer Protocol
nntp           119   Network News Transfer Protocol
ntp            123   Network Time Protocol
imap           143   Internet Message Access Protocol
irc            194   Internet Relay Chat
qmtp           209   Quick Mail Transfer Protocol
softpc         215   Insignia Solutions
imap3          220   Internet Mail Access Protocol 3
openport       260   Openport
ldap           389   Lightweight Directory Access Protocol
genie          402
imsp           406   Interactive Mail Support Protocol
infoseek       414
snpp           444   Simple Network Paging Protocol
appleqtc       458   Apple QuickTime
ph             481
mynet          511   mynet-as
who            513   Who is logged on
irc-serv       529
klogin         543
whoami         565
eudora-set     592
doom           666   Doom Id software
kerberos-adm   749   kerberos administration
______________________________________________________________________
2. Security Issues by The NMI
------
Hey, all you VBOK readers - I'm The NMI. I'd like to be your guide into the exciting and ever changing world of computer security! This is the first in what will hopefully be a series of articles describing various vulnerabilities with many different types of OS's, like NT, 95, and UNIX, to name a few. In this article, I'll be discussing some recent security concerns that affect most all of us using the internet today.
For those Mac users out there, I am slowly learning about the system, and I hope to include Mac specific information later on.

So you're an NT user, sittin' at your computer, nice and cozy, a can of Jolt within reach, just cruisin' 'round the internet, maybe in a chat room, maybe talking on ICQ... All of a sudden, THE BLUE SCREEN OF DEATH appears! You're thinking "what the heck?!?" Guess what - You've just been Nuked!

Nuking is a nifty procedure that hackers have known about for a while. It affects most all MS Windows systems, from 3.11 to 95 to NT. A lurking meanie gets your IP from just about anywhere you are going on the internet, i.e. mIRC, ICQ, many web sites, and, armed with this info, a program called Nuke95 or WinNuke, and a malicious intent, the attacker can effectively shut down your PC, until you reboot.

So why should you care too much? After all, there's no permanent damage... But you might have been finishing that 25 meg demo game download - Know what? You have the neat option of giving up... or starting all over again! (As the curses fly.)

How it works is this: (If you don't care, skip this bit ;)

A program specifies "Out of Band" (OOB) data to a port on your system, usually 139, by setting a thing called an "URGENT" flag in the TCP header. (A flag is kinda like an on/off indicator in a program - when we talk about setting a flag, that means we are turning it on, in this case, saying that yes, there is URGENT data present. A header is part of a "data packet", information used by computers to communicate with each other over the internet.) Your system uses an URGENT pointer (a pointer is just a type of marker that programs use to locate information, kinda like an "X" on a map) to determine where in the data packet the urgent data ends. Your system, either NT or 95, will bomb when the URGENT pointer points to the end of the data packet and no normal data follows. (Windows NT/95 expects normal data to follow.)
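
For anyone watching their own network for this, the condition described above can be checked per TCP segment. The following is an added example, not part of the original newsletter or The NMI's article: a simplified heuristic that flags a segment to port 139 whose URG flag is set and whose urgent pointer reaches the end of the data. The function names and the sample segments are constructed for illustration.

```python
import struct

URG = 0x20          # URG bit in the TCP flags field
NETBIOS_SSN = 139   # the port the article names as the usual target
TCP_FMT = "!HHIIHHHH"  # sport, dport, seq, ack, offset+flags, window, csum, urgptr

def build_segment(dst_port, flags, urg_ptr, payload):
    """Constructed sample data: a minimal 20-byte TCP header plus payload."""
    off_flags = (5 << 12) | flags        # data offset = 5 words, no options
    hdr = struct.pack(TCP_FMT, 40000, dst_port, 1, 1, off_flags, 8192, 0, urg_ptr)
    return hdr + payload

def classify(segment):
    """Return 'malformed', 'normal', 'urgent' or 'suspect-oob' for a raw TCP segment."""
    if len(segment) < 20:
        return "malformed"
    _, dport, _, _, off_flags, _, _, urg_ptr = struct.unpack(TCP_FMT, segment[:20])
    hdr_len = (off_flags >> 12) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        return "malformed"
    if not off_flags & URG:
        return "normal"                  # urgent pointer is ignored without URG
    payload_len = len(segment) - hdr_len
    # Condition from the article: the urgent data runs to the end of the
    # segment, so no normal data follows it.
    if dport == NETBIOS_SSN and urg_ptr >= payload_len:
        return "suspect-oob"
    return "urgent"                      # legitimate urgent data, e.g. telnet

# Constructed sample segments, not captured traffic.
SAMPLES = {
    "netbios-normal": build_segment(139, 0x18, 0, b"\x00\x00\x00\x04data"),
    "telnet-urgent":  build_segment(23, 0x38, 1, b"\xff\xf2rest"),
    "netbios-oob":    build_segment(139, 0x38, 3, b"bye"),
    "truncated":      b"\x00" * 10,
}

def scan(samples):
    """Classify every sample and return {name: verdict}."""
    return {name: classify(seg) for name, seg in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:15} {verdict}")
```

This looks at one segment at a time and does not reassemble a stream, so treat a hit as a reason to look closer rather than as proof.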

I know, I know, after all that, you just want to know what can you do about this, right? Well, fortunately, there are several files to patch up that leaky raft of an operating system:

For NT 4.0 (must have service pack 2 already installed)
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP2/oob-fix

For NT 3.51 (must have service pack 5 already installed)
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT351/hotfixes-postSP5/oob-fix

Now, for all the Win95 users:
http://support.microsoft.com/download/support/mslfiles/VTCPUPD.EXE

Also, type and save this as a file called oob_fix.reg :

    REGEDIT4

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP]
    "BSDUrgent"="0"

and double click on the file afterwards. If you feel particularly brave, use regedit and enter it by hand, although you might need to create the key. (Only for EXPERIENCED users.)

Note: Although the hotfix and SP3 prevent the OOB attack caused by WinNuke run from a 'NIX or Windows system, the Mac version of the Nuke program is still capable of downing an NT 4.0 Workstation/Server even after applying the hotfix and/or service pack 3. The obvious conclusion is that Apple's Open Transport somehow sends a different packet than most other TCP/IP implementations. I, as well as many other hackers, are studying this problem, and hopefully a final fix will be forthcoming.

Well, folks, enjoy, and I hope to entertain and enlighten you at a later time with more nifty exploit news. Feel free to send any gripes, complaints, news, or money my way :)

Have Phun!
The NMI
______________________________________________________________________
3. Software you can't live without
------
Microsoft's Powertoys
These are utilities Microsoft should have included in the OS, but didn't. They aren't officially supported by Microsoft, but I haven't heard of anyone having problems with them.
These utilities include QuickRES (On the fly resolution swapping), CABView (Look into those .CAB files), TweakUI (The greatest power freak control panel to exist) etc...
-----
Hardware Diags
A great program to really sniff out your system specs. BTW, if you delete the hwdiag.zip portion from the end of the URL, you'll find a site run by a Win95L Listserv member. He has tons of really cool stuff collected there.
-----
Kernel Toys
More power-user, take control type stuff.
-----
Memphis Sliding Menus
Cool sliding menu effects for Win95
______________________________________________________________________
4. Cool Sites
------
If it's hardware and goes in a computer, this man knows about it. There are tons of reviews, in-depth tech notes and lots of great info here.
------
Here's a place that has everything you ever wanted to know about graphics cards. They have how-tos on over-clocking your graphics cards as well as the software to do it. They have tons of reviews on different graphics cards as well as some very in-depth technical info.
------
If you like this newsletter, then you'll like Neat Net Tricks (NNT). It's a newsletter put out by a guy named Jack Teems who I ran across a few months back. It's a bimonthly newsletter, and has lots of really good info in there. You can subscribe by sending an E-mail to: with just the words in the message body:

subscribe neatnettricks

Jack, if this doesn't get me those free back issues, nothing will :)
------
Just in case somebody didn't read the software section, here's a really good site for cool Win95 software.

Well, that concludes this issue. Have fun.

Leif Gregory

Copyright (c) 1998 by Leif Gregory. All rights reserved. You may share this copy of the VBOK newsletter with others as long as it is reprinted/resent in its entirety to include this copyright notice.

If you've received this edition of the VBOK newsletter from a friend or colleague and wish to start receiving your own copies, then click the below link and send the generated e-mail message.

Virtual Book Of Knowledge (VBOK)