Netstat

I have been researching info on a utility called netstat. There is surprisingly not much said about it, other than the multiple options that it supports. Netstat is short for network statistics. It is a command line program. It actually comprises many tools rolled into one. The main and default usage is to show active TCP/IP network connections. It includes incoming and outgoing connections. It will tell you the local and remote IP addresses, the port, the protocol, state of the connection, and optionally the program that opened the connection.

Netstat can show both TCP and UDP traffic. It can show the routing table. It also can show statistics for network protocols like Ethernet. The program was written by Fred Baumgarten. It is widely available on operating systems like UNIX, Windows, and Macintosh. The netstat program is allegedly replaced by the ss program on Linux machines.

One thing that might require some explaining is the state of the connection that the program displays. Here are the types of states and a description of each:
  • listening - waiting for reply from host
  • established - connection has been made
  • close_wait - the foreign host closed the connection, but you are still waiting for data
  • time_wait - you closed the connection, but it is still in a waiting state
The netstat program might show weird results if the underlying socket is changing. A good way to see what is going on is to repeatedly run netstat, possibly from a scripting program. I had mentioned that netstat can show the program that opened the connection. You can do that with the "netstat -b" option. However on Windows that requires elevated privileges.

The Mighty Nmap

Today let's talk about nmap. The name stands for network mapper. It was written by Gordon Lyon and published in Phrack Magazine in 1997. The source code was provided at the time. It is a free program. The software is open sourced. The program was originally written in the C programming language and later ported to C++. Initially it was available on UNIX/Linux machines. But it has since been made available on Windows, Mac, and other platforms.

Nmap is a security scanner. It can do a ping scan and find hosts. It can determine the operating system on the host. It can scan for ports on a machine. When it is doing port scanning, it sorts the ports into three main categories:
  1. open - a program is listening on the port and will respond
  2. closed - there is no program listening on the port
  3. filtered - no reply from host
You can use nmap to audit your firewall security. You can also use it to inventory machines on your network. As an aside, nmap can spoof the source IP address you are running it from. There are many modes of scanning it supports. You can scan a single host, a range of IP addresses, or even the whole subnet.

There was a GUI version released called NmapFE. It has been replaced by Zenmap. There is a Windows GUI version called NMapWin. There is also a suite around nmap to include the following:
  • Zenmap - the GUI version of nmap
  • Ncat - redirect sockets
  • Ndiff - compare different nmap scans
  • Nping - packet generator
Nmap uses raw IP packets for its scanning. You can ask nmap to output in XML format as an option. Nmap can be used for Black Hat purposes. When performing nefarious scans, you can tell nmap to scan slowly to avoid detection. In some jurisdictions, it is illegal to run nmap scans on machines that are not your own. Nmap has a mailing list called Nmap-hackers. LOL.

Remote Desktop with GoToMyPC

It seems like it is a small world in the remote desktop arena. Today I want to look at and talk about GoToMyPC. It is a solution developed by ExpertCity in 1998. It behaves like the pioneer PCAnywhere. Originally it required you to have a Windows machine on both ends. But now you can access a host machine running Windows or Mac. And the machine you use for remote control could even be an iPad, iPhone, Android phone, or Kindle device.

There are still some functions like chatting that require Windows on both ends. But all versions support cutting and pasting text from the control machine to and from the host machine. You can drag and drop files between the machines. You can print to a machine either on the host side or the control side.

Here is some funny business. ExpertCity, the company that originally created GoToMyPC, was acquired by Citrix Systems in 2004. But Citrix Systems spun the product off later. In 2016, LogMeIn acquired GoToMyPC.

There are three tiers to the pricing for the product. The personal edition costs you $12 per month and is for a single user. The pro package is $23 per month and supports 2 computers and 2+ users. Finally the corporate edition which costs an undisclosed amount of money per year. Luckily there is a trial version, which I might take advantage of myself.

Here is how GoToMyPC works under the hood. You set up the computer that will be the host. That computer has a server that is always in contact with Citrix Systems servers. When you need to do remote control, your computer connects with the Citrix System server. That server already has a link to your host. To the firewalls and such it seems like this is a connection initiated by the host system.

All the communications are done using 128-bit AES encryption. Other platforms choose 256-bit encryption. Speaking of the competitors, TeamViewer is a free option. Strangely enough, parent company LogMeIn has a competing product too. Who knew you had so many choices to do remote desktop?

Remote Desktop by LogMeIn

Right now I am starting to research solutions that provide a remote desktop style functionality. You are off somewhere in the world. And you need to take control of a computer somewhere else. What tool(s) do you use? One such solution is provided by LogMeIn.

LogMeIn is a company founded in 2003. It was previously named 3am Labs. They have a lot of offerings, one of which gives you access to remote computers. They use a proprietary protocol to do remote desktop. The communications run on SSL over TCP/UDP. The computers involved get SSL certificates. You can control computers remotely with their software program or via a web interface.

The LogMeIn solution is a commercial one. LogMeIn is a publicly traded company. They filed for an IPO back in 2009 and are traded on the NASDAQ stock exchange. They are located in Boston, MA. However they have data centers across the USA plus another one in Europe. The company is big. They did $1B of revenue this past year. The company is worth $5B.

The company initially tried to undercut Citrix's solution. But last year they actually merged with Citrix Online. They do a lot more than just remote desktop. They have software for backups and virtual meetings. They provide support and service (VPN). One of their new toys is a Platform as a Service for the Internet of Things. How is that for a buzzword-filled offering?

I wish I could just give LogMeIn a test drive. Maybe there is an option to check out their solution without having to shell out some big bucks. Next up I want to look into competitors in remote desktop such as GoToMyPC and GoToAccess.

Janus VM

I continue to research products that help protect your Internet activity. Next up is Janus VM. This one is not as much a newly developed product from scratch. It is a bundling of some other existing products. In fact, it is an open source VMware image. It is built on top of Linux 2.6.14 (Ubuntu). The image contains products such as TOR plus OpenVPN plus Squid plus Privoxy. TOR will hide your IP address and route your traffic anonymously through the TOR network. Squid/Privoxy filters out stuff that might be going in and out of your computer.

Janus VM can help protect you when you must use an unsecured WiFi connection. It can also protect you against man in the middle attacks. Then you can surf the Internet privately. A nice thing about it is that it is easy to set up on Windows platforms. It prevents all kinds of annoyances like advertisements, banners, and popups. Originally it was released to work on Windows XP/2000/2003 as well as Linux.

Since it relies on TOR, your IP address will be masked. Your TCP traffic gets encrypted. Also DNS requests will be encrypted. Unfortunately other protocols such as UDP and ICMP are not. Another downside is that development on the product ceased in 2010. TOR has since been updated, but the latest versions of TOR are not incorporated into Janus VM.

You need a Virtual Machine to use Janus VM. The install file is 20MB large. On Windows, you can run a batch file to set it up. You should choose the anonymous privacy configuration. The product is free but they ask for a donation. It is not necessarily fast. But it might help you get past firewalls that block traffic to certain sites. Some competing products are Whonix and Qubes.

Hotspot Shield

I am thinking about signing up for Hotspot Shield protection. It is a software application and service provided by AnchorFree. They are a US-based company working out of California. Essentially they provide a VPN service through their worldwide servers. They will secure your network communications.

Hotspot Shield was first released for Windows and Macintosh back in 2008. They expanded to the iOS and Android mobile markets in 2012. The main features are free. But you may be subjected to ads, a slower connection, and might not be able to use Netflix. There are paid plans that bill monthly ($13) or lifetime ($139). Be warned that the monthly plan might cause you to be nagged to subscribe for the lifetime plan.

The security they provide is, like any VPN, encrypted data. They also hide your IP address from sites you visit. Those sites see AnchorFree's server IP addresses. Of course, using TOR would be a better move to remain anonymous. AnchorFree does have some extras like warning you about malware or arriving at phishing sites.

Although they used to use industry standards such as IKEv2, I hear that AnchorFree has moved to a proprietary protocol called Catapult Hydra. Nobody else uses proprietary protocols for important things like VPNs any more. I wonder what the heck AnchorFree is doing here.

There are plugins for popular browsers like Chrome or Firefox. You can set up your system to automatically connect through the VPN when you are on unsafe WiFi. That sounds really handy. AnchorFree boasts 500M downloads of their product. Strangely enough, I hear that many people actually get speed improvement when going through the VPN. Weird.

AnchorFree claims it does not do logging of your network traffic. But they have a highly suspicious Terms of Service contract that implies otherwise. More like they will not hold onto your info after your session ends. Or they will not store uniquely identifying information about you. That is at best sketchy.

One downside to the AnchorFree plan is their service. You cannot get real time support. You have to submit a ticket, and they will get back to you at some time in the future. Might be an hour. Might be a day. People have classified Hotspot Shield as a no frills or entry level service. So you pretty much get what you pay for. Being the frugal person that I am, I might just need to stick with the free plan.

TOR

I have heard about TOR for some time. The acronym stands for The Onion Router. It is free software that is written in C, python, and JavaScript. The software lets you engage in anonymous communication. It does this by sending your network communication through a network of relays. These relays are chosen randomly. The relays are manned by volunteers. At each hop, your traffic is encrypted at the application (TCP Stream) layer.

TOR was developed by guys from the Naval Research Lab. Onion Routing in general was developed by DARPA. The point is that these were born out of the government. Funded initially by them too. TOR is not backed by a non-profit corporation. There are millions of users of TOR. It is mostly used to give privacy to Instant Messaging, Chat, and web browsing.

Some machines out there only accept TOR connections. These are called Hidden Services. You can use Tor2Web, which allows you to access TOR from a normal browser without setting up a TOR network connection. Or you could opt for the dedicated TOR Browser. It is a modified version of FireFox that starts TOR background processes automatically. Some downsides of this browser are that it blocks Flash and Quicktime.

Using TOR slows your network access. You do get a circuit established through the TOR network for your use. The circuit lasts for about 10 minutes. It also can paint a target on your back, as inquiring minds can know that you are using TOR. The EFF recommends that you use TOR. It is like a replacement for everyday VPNs. TOR is limited to TCP Streaming data.

NetBus

Okay today I want to talk about NetBus. It is the last of the remote control programs I am researching. The others were Back Orifice and SubSeven. NetBus is translated as Net Prank from the Swedish name. It was created back in 1998 by Carl-Fredrik Neikter of Sweden. He also goes by the handle "cd".

The program was distributed by Cult of the Dead Cow. Apparently it was distributed in a Trojan fashion as part of a whack-a-mole game. Some say NetBus is one of the most famous Trojans. The program is not a virus. The user needs to install the program. It installs to the Windows directory just like other Trojans that try to hide from sight.

NetBus was written in the Pascal programming language using the Delphi development tool. It had a relatively large 500kb footprint. Its release predated Back Orifice. The name of the server program is "patch.exe" or "sysedit.exe". Legit sounding names right? Communication is done over TCP/IP ports 12345, 12346, or 20034. The client is GUI based. The original version worked on Windows 95/98/ME/NT. Later updates ported it to Windows 2000 and XP. Further versions were actually sold as commercial products.

NetBus is a remote administration tool. It can log and/or inject keystrokes. It can do screen captures. It can launch other programs. It can take screen shots. With it, you can browse files. It can also play sounds, as well as change the volume levels. It runs using the rights/privileges of the logged on user. The program restarts on Windows startup. The name is hidden from the task manager list. You cannot delete or rename the server file.

There was a famous use of NetBus in 1999 to plant pornography on a university scholar's computer. It caused him to be fired. He was later exonerated when they discovered that the files were planted by someone else using NetBus.

Subseven

Today I want to talk about SubSeven. This is another Trojan horse brought to you by Mobman. Its name is a play on NetBus (spelled backwards, "ten" changed to "seven"). The program is also known as SubServer or Sub7Server. This program works on all flavors of Windows, including old ones like Win95, and newer versions such as Windows 8.

SubSeven has a lot of capabilities. You can log keystrokes. You can capture webcam images. You can edit the target computer registry. You can record from the microphone. And you can take screen shots. It has a computer style translator to speak on your behalf to the user. The server program will be relaunched in a unique way. It chains into Windows so that when any program is launched, SubSeven will also get restarted if it is down.

SubSeven comes as a couple programs: a server to install on the target machine, a client that allows you to take control of the target, and an editor to configure the server. The client has a graphical user interface. This client shows when targets are online. The server program installs in the Windows directory.

The name of the server is "server.exe". The client is "sub7.exe". And the server editor is "editserver.exe". The programs require and make use of "ICQMAPI.DLL" for comms. Communication between client and server is over ICQ, IRC, and email. It uses TCP ports 1243, 6711 through 6713, 6776, and 27374. Different operations go over different ports.

The official website is supposed to be www.subseven.org. Strangely enough, the site was no longer there. In fact, GoDaddy offered to sell me the domain for $69.99. Not sure if I believe GoDaddy. The server program was initially distributed by tricking users into thinking they were getting warez or some sexually explicit material. Thus the Trojan categorization.

Hype surrounding SubSeven compared it to Back Orifice. Rumors say SubSeven installs outnumber Back Orifice 100 to 1. Take that with a grain of salt. Trash talkers report that SubSeven makes Back Orifice look tame. Hah. There is a gold version of the program that lets you use different skins for the UI. On the other side of the coin, some say that SubSeven is a toy used by wanna be hackers. Who are you going to believe?

Back Orifice

I recall Back Orifice from the late 1990s. It sounded like a really ominous program. It was initially released at DEF CON 6 in 1998. It was hyped as a remote system administration tool. But make no doubt. This thing is a rootkit program. The author was Josh Buchbinder, who went by the handle Sir Dystic. He was from the crew called the Cult of the Dead Cow.

Back Orifice actually works as a pair of two programs. There is a server that runs on the infected machine. Then there is a client. There are two versions of the client: a GUI version and a console version. The name is a spin on the Microsoft BackOffice Server. The goal of the program was to demonstrate how weak security was in Windows 98.

The original Back Orifice program could compromise Windows 95 or Windows 98 targets. It was written using Microsoft Visual C++. The program does not show up in the Windows task list. It will rerun when the computer is restarted. It has many uses. It can manage files, processes, and the registry of the target machine. It can log keystrokes. It can send/receive files.

There was a sequel program called Back Orifice 2000. It supported other versions of Windows like Windows 2000, Windows NT, Windows XP, and Windows Vista. Strange that Windows NT could so easily be owned. I was actually hesitant to put this program on my own machine. Maybe it is time to spin up a virtual machine that I don't care about to do my testing.

Using ncat as a Telnet Client

Next up on the tools I am trying to learn is netcat. They call it the Swiss army knife of networking tools. It is described as being like UNIX cat. But of course it runs over the network. Specifically it allows you to read and write to network connections. You can use any ports. You can use either the TCP or UDP protocols.

There are apparently multiple applications for netcat. It can do a rudimentary port scan. It can do file transfer. It can also act as a backdoor. Originally it was developed by "Hobbit" in 1995 for UNIX. There is a more modern implementation called ncat. Ncat adds things like support for IPv6 and SSL.

I downloaded ncat. Initially I could not figure out how to use it. Then I figured I would test it out as a client for telnet. Had to install a telnet server on my machine first. Ended up installing the free KpyM Telnet Server. Here is a hint for KpyM: they give you a registration key for free to remove the nag screen.

Initially I got ncat to connect to my telnet server. But it was displaying a bunch of strange characters. Was not sure if this was an ncat issue or a telnet server issue. So I got another dedicated telnet client installed. That client worked fine with my telnet server. Damn. I guess ncat will take some getting used to. Maybe a bunch of configuration to do.

So far I have not found much use for this ncat. Maybe as I get into network programming some more, I will find the need.

Sockets for Network Programming

I am finishing up my initial work on writing my own version of the Loki program. Have learned a bit about network programming, specifically dealing with sockets. Thought I would record some of that knowledge here for future reference.

Start out with the network protocols. There is UDP and there is TCP.

UDP is simple. It has less overhead. There is no guarantee that the data gets delivered. Also the order of data sent may not be kept. If your data is not delivered, it does not get automatically retransmitted by UDP. There is no concept of a connection with UDP. You just blast data to its destination. The recipient of the data has to take all of the data at once. Other popular protocols that employ UDP are DNS and SNMP.

TCP is a reliable transport protocol. If some data does not make it to the destination, TCP will handle retransmission. It will also make sure that the order of the data you send is preserved on the other end. You can think of TCP as a byte stream. The destination at the other end can read the bytes in any chunks they want. They don't have to read the message all at once.

When doing UDP and TCP network programming, you will be using sockets. Socket programming is old. It has been around since before the times of the World Wide Web. One popular old library is Berkeley Sockets, which have been around since 1982. There is also Windows sockets (AKA WinSock), that have been around since 1993. These sockets are point to point and are bidirectional.

With sockets, there is a client and a server side. The calls are somewhat similar for UDP and TCP. Generally you have to do less with UDP as it is connectionless. From the client, with UDP you call socket(), sendto() and/or recvfrom(), and finally close(). On the server, with UDP you call socket(), optionally setsockopt(), bind(), sendto() and/or recvfrom(), and close().

For TCP, the client calls socket(), connect(), send() and/or recv(), and close(). On the server, TCP calls include socket(), optionally setsockopt(), bind(), listen(), accept(), send() and/or recv(), and close().

The socket() call returns a file descriptor. The bind call associates the socket with an IP address and port number. The listen() call will cause the server to wait for connections from clients. Then accept() gets the first connection, creating a new socket that is connected on both ends. You should have a multithreaded server to deal with multiple connections at the same time.

For data types larger than 8 bits, you need to worry about the order in which those bytes are stored and transmitted. There is a Big Endian and Little Endian convention for this byte order. Big Endian means higher order bytes are at the start. You got to worry about the order on the machines at both ends, as well as the order of the bytes in transit.
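The TCP call sequence from the two paragraphs above, run end to end over the loopback interface in one process. This is an added example, not code from the blog; it uses POSIX sockets (Linux/macOS), and the same calls exist in WinSock with a WSAStartup() call added and closesocket() in place of close(). It also shows the byte-stream property: the client makes two send() calls and the server loops on recv() until the peer closes.

```c
/* Added example (not the blog's own code): socket(), setsockopt(), bind(),
   listen(), accept() on the server side and socket(), connect() on the
   client side, with send()/recv() over 127.0.0.1. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Server side. Binds to 127.0.0.1 on a kernel-chosen port and listens.
   Returns the listening descriptor and stores the port (host byte order)
   in *port, or returns -1 on failure. */
static int tcp_listen_loopback(unsigned short *port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(0);                    /* 0 = let the kernel pick */
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    socklen_t len = sizeof addr;
    if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0) { close(fd); return -1; }
    *port = ntohs(addr.sin_port);                /* network -> host byte order */
    return fd;
}

/* Client side: socket() then connect(). Port is given in host byte order. */
static int tcp_connect_loopback(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);                 /* host -> network byte order */
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (connect(fd, (struct sockaddr *)&addr, sizeof addr) < 0) { close(fd); return -1; }
    return fd;
}

/* TCP is a byte stream: two send() calls may arrive as one recv(), or one
   send() as several. Loop until 'want' bytes arrive or the peer closes. */
static size_t recv_until_close(int fd, char *buf, size_t want) {
    size_t got = 0;
    while (got < want) {
        ssize_t n = recv(fd, buf + got, want - got, 0);
        if (n <= 0) break;                       /* 0 = peer closed, <0 = error */
        got += (size_t)n;
    }
    return got;
}

/* Full round trip. Copies what the server read into out (NUL-terminated)
   and returns the byte count, or 0 on any socket failure. */
size_t tcp_roundtrip(char *out, size_t outlen) {
    unsigned short port;
    int lfd = tcp_listen_loopback(&port);
    if (lfd < 0) return 0;
    int cfd = tcp_connect_loopback(port);        /* handshake completes in the kernel */
    if (cfd < 0) { close(lfd); return 0; }
    int sfd = accept(lfd, NULL, NULL);           /* new socket, connected on both ends */
    if (sfd < 0) { close(cfd); close(lfd); return 0; }
    send(cfd, "hello ", 6, 0);                   /* two sends, one stream */
    send(cfd, "logan", 5, 0);
    close(cfd);                                  /* EOF tells the server to stop */
    size_t got = recv_until_close(sfd, out, outlen - 1);
    out[got] = '\0';
    close(sfd);
    close(lfd);
    return got;
}
```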

OSI Layer Headers in Network Programming

I am getting down to the details in my implementation of the Loki program. To review, Loki sends messages through firewalls using the ICMP protocol. I built a Loki client and a server (that I call Logan). Initially I just sent some test data through. Now it was time to start putting meaningful messages in the data.

For debugging purposes, I just created user interfaces so I could type in the messages on the Loki client. I also added the user interface to Logan, so you could view the messages coming through. At first my server program received the messages. But it could not extract out the text I was passing through. What gives?

Well I am just using old C strings. It is character data buried in the datagram. I even put a unique string of characters to help me easily locate the beginning of my message. The only problem was that I was using C strings to parse the contents of the message. Wouldn't you know it? There were a bunch of zeros buried in the headers.

Fine. So I skip over the ICMP header. The thing still does not work. Wait a minute. By the time the transmission gets to the server, it also has an IP header as well. Duh. Once I skip over all layers of the header, I am in business. I can transfer messages to and from my programs at will.
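The header-skipping fix described above, together with the byte-order point from the sockets post, as an added example that is not the blog's own Loki or Logan code. The packet bytes are constructed by hand to look like what a raw ICMP socket delivers (IPv4 header, then ICMP header, then payload); the "LOKI:" marker is an assumed placeholder for whatever unique string the author used.

```c
/* Added example (not the blog's own code): why strstr() fails on a raw
   datagram, and how to skip the IP and ICMP headers using their length
   fields instead. Sample packet is constructed, not captured. */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: 20-byte IPv4 header + 8-byte ICMP echo header + payload.
   Multi-byte fields are in network (big-endian) byte order. */
static const uint8_t SAMPLE_PKT[] = {
    0x45, 0x00, 0x00, 0x26,   /* version 4, IHL 5 (20 bytes), TOS 0, total length 38 */
    0x12, 0x34, 0x00, 0x00,   /* identification, flags/fragment offset */
    0x40, 0x01, 0x00, 0x00,   /* TTL 64, protocol 1 = ICMP, header checksum (left 0) */
    0xc0, 0xa8, 0x01, 0x0a,   /* source 192.168.1.10 */
    0xc0, 0xa8, 0x01, 0x14,   /* destination 192.168.1.20 */
    0x08, 0x00, 0x00, 0x00,   /* ICMP type 8 (echo request), code 0, checksum (left 0) */
    0x00, 0x2a, 0x00, 0x01,   /* identifier 42, sequence 1 */
    'L', 'O', 'K', 'I', ':', 'h', 'e', 'l', 'l', 'o'   /* 10-byte payload */
};

#define MARKER "LOKI:"        /* assumed placeholder for the author's unique string */
#define MARKER_LEN 5

/* Offset of the ICMP payload inside the packet, or -1 if it is not a
   well-formed IPv4/ICMP datagram. Uses the IHL field, so IP options
   (IHL > 5) are skipped correctly as well. */
long icmp_payload_offset(const uint8_t *pkt, size_t len) {
    if (len < 20) return -1;
    if ((pkt[0] >> 4) != 4) return -1;                 /* IPv4 only */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;
    uint16_t total;
    memcpy(&total, pkt + 2, 2);
    size_t total_len = ntohs(total);                   /* network -> host byte order */
    if (total_len > len || total_len < ihl + 8) return -1;
    if (pkt[9] != 1) return -1;                        /* protocol field must be ICMP */
    return (long)(ihl + 8);                            /* skip the 8-byte ICMP header */
}

/* Length-aware search; never assumes NUL termination. Returns offset or -1. */
static long find_bytes(const uint8_t *hay, size_t hlen, const char *needle, size_t nlen) {
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return (long)i;
    return -1;
}

/* The bug from the post: treating the datagram as a C string stops at the
   first zero byte (here the TOS byte at offset 1), so the marker is never
   seen. Returns 1 if strstr() finds it, 0 otherwise. */
int marker_found_with_strstr(const uint8_t *pkt) {
    return strstr((const char *)pkt, MARKER) != NULL;
}

/* The fix: skip both headers, then search the payload by length. Copies the
   text after the marker into out (NUL-terminated) and returns its length,
   or -1 if there is no well-formed payload or no marker. */
long extract_message(const uint8_t *pkt, size_t len, char *out, size_t outlen) {
    long off = icmp_payload_offset(pkt, len);
    if (off < 0) return -1;
    const uint8_t *payload = pkt + off;
    size_t plen = len - (size_t)off;
    long m = find_bytes(payload, plen, MARKER, MARKER_LEN);
    if (m < 0) return -1;
    size_t mlen = plen - (size_t)m - MARKER_LEN;
    if (mlen >= outlen) mlen = outlen - 1;             /* never overrun the caller's buffer */
    memcpy(out, payload + m + MARKER_LEN, mlen);
    out[mlen] = '\0';
    return (long)mlen;
}
```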

I might run one more test to see how far apart these programs can be and still operate. Same LAN? Anywhere on the Internet? I guess it all depends on if the middlemen pass the ICMP messages through. At this point, it should be a trivial exercise to replace my "hello" messages with commands to do stuff on the server computer.

ICMP Server Called Logan

I had previously struggled to code up a client program similar to Loki. It sends out data using the ICMP protocol. The idea is to sneak past firewalls that do not block ICMP. Now I needed a server to listen for ICMP messages from my client. I will call this server program Logan.

Started off with some lessons learned from coding up Loki. Must run this program as Windows administrator to prevent the raw socket usage from being blocked. I was a bit confused about needing a call to bind() before I recvfrom(). However when I skipped the bind() call, I got error code 10022, also known as WSAEINVAL.

Okay. So I need to do a bind(). I want to get ICMP packets from anywhere. Therefore I specify an address of INADDR_ANY. But I need to set the port parameter too. The only problem is that, unlike TCP and UDP, ICMP does not use ports. It does not make sense. For now I am using port 7, also known as IPPORT_ECHO. Who knows? Maybe the port number is a don't care.

All I do know is that I can detect and capture packets sent by my Loki program. So the next step is to put intelligent messages in my ICMP packets to "do things" on the target computer. Let's maybe start with some cool but harmless actions and see where it leads. Eventually I will need to figure out how to distribute my server program and run it as Windows administrator.

Baby steps. One thing at a time first.

Rolling my own ICMP client

I searched around on the Internet for a program named Loki. It was supposed to send traffic using ICMP. The idea is to hide stuff in there that firewalls would not detect/block. I did find rumors of this program. But could not find the program or even the code for it. Damn.

What is a programmer to do? Write my own version I say. I broke out Microsoft Visual Studio and wrote some C++ code. There were surprisingly few lines of code in my program. Essentially I am making a socket() call to set up the communications, and a sendto() call to push out the data.

Unfortunately the socket() call kept failing with an error of 10013, which is also called WSAEACCES. This is some kind of permission denial on Windows. I tried overriding this by setting a value in the Windows registry. No luck. I am logged on as an administrator on my machine. So I should be able to open up a raw socket.

A couple of web sites gave me some other ideas. In the end, I had to start my Visual Studio IDE, running it as an administrator. So to begin I just was sending myself some ICMP packets. At least I thought I was. Downloaded Wireshark to record the output and prove the thing was working.

Initially Wireshark did not pick anything up. I broke out the Windows ping program to test Wireshark. It captured that data, but not my own program's messages. Then I modified my program to send some ICMP packet to Google instead of myself. Bam. We are rocking and rolling.

Right now I just send a bunch of garbage in my ICMP packets (sorry Google). And this is just the client end that sends messages. I need to write a server end that runs on another machine. And instead of sending garbage data, I might just have to send some commands over ICMP that "take control" so to say.

This has been an exciting start to researching programs of interest that bypass firewalls. There were some rough patches. But I am learning to power through adversity, like not being able to find my programs. Also broke out an old but good book "UNIX Network Programming" by Richard Stevens. Good stuff.

Covert ICMP using Loki

I have recently been made aware of lots of software. This is in the context of things that might compromise or help you punch through a firewall. So I have decided to go find said software and play with it. I figure the experience will be good.

First up on the list is Loki. This is a server on UNIX that lets you covertly communicate by hiding messages in ICMP packets. It is an old trick. Phrack magazine issue 49 from way back in 1996 introduced the idea. But it did not release the code or program.

Strangely enough, I was never able to locate the Loki program. Damn. How is a brother supposed to learn about this stuff? I know. I can roll my own version. I can write code. How hard could it be? Just got to study up a bit on ICMP, which I hope is fully documented. Then I am off to the races.

I think I am going to have to spin up a Linux instance somewhere to play with the software I find. Loki was for UNIX. And next I want to investigate netcat, which I presume is also a UNIX program. For now I can write my own Loki for Windows. But I can't write all the software. Who has time for that?

Cisco Packet Tracer

I downloaded this software for free from Cisco. From the name "Packet Tracer", you would think this is some type of packet capture/analysis tool similar to Wireshark. Nope. This is actually a network simulator and trainer. Of course all the components will be Cisco devices. But hey. It is free.

I went through an exercise in this tracer. My head is still reeling from all the terms. Basically I was setting up a virtual security appliance called the Cisco ASA 5505. Sure I could buy a physical box for $250 used. But this simulation made learning a lot easier. Plus the module gave me hints all throughout.

So far I configured some network interfaces, address translation, a DHCP server, authentication, a DMZ, static NAT to my server, and some ACLs. And that was just in the first hour. My head is definitely still spinning. This tool can definitely help you learn the Cisco operating system command line, as well as network security topics in general.