Netstat

I have been researching info on a utility called netstat. There is surprisingly not much said about it, other than the multiple options that it supports. Netstat is short for network statistics. It is a command line program. It actually comprises many tools rolled into one. The main and default usage is to show active TCP/IP network connections, both incoming and outgoing. It will tell you the local and remote IP addresses, the port, the protocol, the state of the connection, and optionally the program that opened the connection.

Netstat can show both TCP and UDP traffic. It can show the routing table. It also can show statistics for network protocols like Ethernet. The program was written by Fred Baumgarten. It is widely available on operating systems like UNIX, Windows, and Macintosh. The netstat program is allegedly replaced by the ss program on Linux machines.

One thing that might require some explaining is the state of the connection that the program displays. Here are the types of states and a description of each:
  • listening - waiting for reply from host
  • established - connection has been made
  • close_wait - the foreign host closed the connection, but you are still waiting for data
  • time_wait - you closed the connection, but it is still in a waiting state
The netstat program might show weird results if the underlying socket is changing. A good way to see what is going on is to repeatedly run netstat, possibly from a script. I had mentioned that netstat can show the program that opened the connection. You can do that with the "netstat -b" option. However, on Windows that requires elevated privileges.
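Here is what "repeatedly run netstat from a script" can look like in practice. This is an added example, not something from the original post: it parses the four columns of Windows-style "netstat -an" output (Proto, Local Address, Foreign Address, State), tallies connections by the states described above, and reports which sockets appeared, vanished or changed state between two snapshots. The two listings are constructed for the example; Linux netstat prints different columns (Recv-Q/Send-Q and lowercase "tcp"), so the parser would need adjusting there.

```python
import subprocess
import time
from collections import Counter

# Constructed sample of Windows-style "netstat -an" output (not captured from a real host).
SAMPLE_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49700     93.184.216.34:443      ESTABLISHED
  TCP    192.168.1.10:49701     93.184.216.34:443      TIME_WAIT
  TCP    192.168.1.10:49702     10.0.0.5:8080          CLOSE_WAIT
  UDP    0.0.0.0:5353           *:*
"""

# A second constructed snapshot: one connection moved to TIME_WAIT, one vanished, one is new.
SAMPLE_AFTER = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49700     93.184.216.34:443      TIME_WAIT
  TCP    192.168.1.10:49702     10.0.0.5:8080          CLOSE_WAIT
  TCP    192.168.1.10:49703     198.51.100.7:22        ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so an IPv6 form like '[::]:443' still splits correctly."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = split_endpoint(fields[1])
        fhost, fport = split_endpoint(fields[2])
        # UDP lines carry no state column on Windows; record "" so counting still works.
        state = fields[3] if len(fields) > 3 else ""
        conns.append({"proto": fields[0], "lhost": lhost, "lport": lport,
                      "fhost": fhost, "fport": fport, "state": state})
    return conns


def state_counts(conns):
    """Tally connections by state, e.g. {'LISTENING': 1, 'TIME_WAIT': 1, ...}; stateless UDP rows are left out."""
    return Counter(c["state"] for c in conns if c["state"])


def diff_snapshots(before, after):
    """Key each socket on (proto, local, foreign) and report what appeared, vanished or changed state."""
    def key(c):
        return (c["proto"], c["lhost"], c["lport"], c["fhost"], c["fport"])
    old = {key(c): c["state"] for c in before}
    new = {key(c): c["state"] for c in after}
    return {
        "new": sorted(k for k in new if k not in old),
        "gone": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k]) for k in new if k in old and old[k] != new[k]),
    }


def poll_netstat(interval=2.0, rounds=5, command=("netstat", "-an")):
    """Run netstat repeatedly and print the changes between consecutive runs (needs netstat on PATH)."""
    previous = parse_netstat(subprocess.run(command, capture_output=True, text=True).stdout)
    for _ in range(rounds):
        time.sleep(interval)
        current = parse_netstat(subprocess.run(command, capture_output=True, text=True).stdout)
        print(diff_snapshots(previous, current))
        previous = current


if __name__ == "__main__":
    before, after = parse_netstat(SAMPLE_BEFORE), parse_netstat(SAMPLE_AFTER)
    print(dict(state_counts(before)))
    print(diff_snapshots(before, after))
```

Diffing on the (proto, local, foreign) key rather than on raw text lines is what makes the output readable when a busy host has hundreds of sockets churning through TIME_WAIT: you see only the handful that actually moved.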

The Mighty Nmap

Today let's talk about nmap. The name stands for network mapper. It was written by Gordon Lyon and published in Phrack Magazine in 1997. The source code was provided at the time. It is a free program, and the software is open source. The program was originally written in the C programming language and later ported to C++. Initially it was available on UNIX/Linux machines. But it has since been made available on Windows, Mac, and other platforms.

Nmap is a security scanner. It can do a ping scan and find hosts. It can determine the operating system on the host. It can scan for ports on a machine. When it is doing port scanning, it sorts the ports into three main categories:
  1. open - a program is listening on the port and will respond
  2. closed - there is no program listening on the port
  3. filtered - no reply from host
You can use nmap to audit your firewall security. You can also use it to inventory machines on your network. As an aside, nmap can spoof the source IP address you are running it from. There are many modes of scanning it supports. You can scan a single host, a range of IP addresses, or even a whole subnet.

There was a GUI version released called NmapFE. It has been replaced by Zenmap. There is a Windows GUI version called NMapWin. There is also a suite of tools around nmap that includes the following:
  • Zenmap - the GUI version of nmap
  • Ncat - redirect sockets
  • Ndiff - compare different nmap scans
  • Nping - packet generator
Nmap uses raw IP packets for its scanning. You can ask nmap to output in XML format as an option. Nmap can be used for Black Hat purposes. When performing nefarious scans, you can tell nmap to scan slowly to avoid detection. In some jurisdictions, it is illegal to run nmap scans on machines that are not your own. Nmap has a mailing list called Nmap-hackers. LOL.
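The XML output option is the one to use when you want to feed scan results into an inventory or audit script rather than read them by eye. The following is an added example, not part of the original post or of the nmap project: it reads a document shaped like nmap's XML output (the constructed sample below is not a real scan) and sorts each host's ports into the open/closed/filtered categories described above, including the "extraports" element nmap uses to summarize the many ports that all share one state.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample shaped like nmap's -oX output; not a real scan result.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -oX - 192.0.2.10 192.0.2.11" version="7.94">
<host>
<status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<extraports state="closed" count="997"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds"/></port>
</ports>
</host>
<host>
<status state="down" reason="no-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
</host>
<runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"status": ..., "ports": {state: [(port, proto, service), ...]}, "extraports": {state: count}}}."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else None
        status = host.find("status")
        entry = {"status": status.get("state") if status is not None else "unknown",
                 "ports": defaultdict(list), "extraports": {}}
        ports = host.find("ports")
        if ports is not None:
            # nmap collapses ports that share one state (usually "closed") into a single count.
            for extra in ports.findall("extraports"):
                entry["extraports"][extra.get("state")] = int(extra.get("count", 0))
            for port in ports.findall("port"):
                state = port.find("state").get("state")
                service = port.find("service")
                entry["ports"][state].append((int(port.get("portid")), port.get("protocol"),
                                              service.get("name") if service is not None else ""))
        hosts[ip] = entry
    return hosts


def open_ports(hosts):
    """Flatten to {ip: [port, ...]} for the 'open' category on hosts that were up: the usual inventory view."""
    return {ip: sorted(p for p, _, _ in h["ports"].get("open", []))
            for ip, h in hosts.items() if h["status"] == "up"}


def summarize(hosts):
    """Plain-text summary, one line per host plus one per category."""
    lines = []
    for ip, h in hosts.items():
        lines.append(f"{ip}: {h['status']}")
        for state in ("open", "closed", "filtered"):
            listed = h["ports"].get(state, [])
            extra = h["extraports"].get(state, 0)
            lines.append(f"  {state}: {len(listed)} listed + {extra} unlisted")
    return "\n".join(lines)


if __name__ == "__main__":
    scanned = parse_nmap_xml(SAMPLE_XML)
    print(summarize(scanned))
    print(open_ports(scanned))
```

When auditing a firewall, "filtered" is the category to keep separate from "closed": a closed port answered, so the packet reached the host, while a filtered port gave no reply, which is what a correctly configured firewall should produce.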

Remote Desktop with GoToMyPC

It seems like it is a small world in the remote desktop arena. Today I want to look at and talk about GoToMyPC. It is a solution developed by ExpertCity in 1998. It behaves like the pioneer PCAnywhere. Originally it required you to have a Windows machine on both ends. But now you can access a host machine running Windows or Mac. And the machine you use for remote control could even be an iPad, iPhone, Android phone, or Kindle device.

There are still some functions, like chatting, that require Windows on both ends. But all versions support cutting and pasting text between the control machine and the host machine. You can drag and drop files between the machines. You can print to a machine on either the host side or the control side.

Here is some funny business. ExpertCity, the company that originally created GoToMyPC, was acquired by Citrix Systems in 2004. But Citrix Systems spun the product off later. In 2016, LogMeIn acquired GoToMyPC.

There are three tiers to the pricing for the product. The personal edition costs you $12 per month and is for a single user. The pro package is $23 per month and supports 2 computers and 2+ users. Finally, there is the corporate edition, which costs an undisclosed amount of money per year. Luckily there is a trial version, which I might take advantage of myself.

Here is how GoToMyPC works under the hood. You set up the computer that will be the host. That computer runs a server that is always in contact with Citrix Systems' servers. When you need to do remote control, your computer connects to the Citrix Systems server. That server already has a link to your host. To firewalls and the like, this looks like a connection initiated by the host system.

All the communications are done using 128-bit AES encryption. Other platforms choose 256-bit encryption. Speaking of the competitors, TeamViewer is a free option. Strangely enough, parent company LogMeIn has a competing product too. Who knew you had so many choices to do remote desktop?

Remote Desktop by LogMeIn

Right now I am starting to research solutions that provide a remote desktop style functionality. You are off somewhere in the world. And you need to take control of a computer somewhere else. What tool(s) do you use? One such solution is provided by LogMeIn.

LogMeIn is a company founded in 2003. It was previously named 3am Labs. They have a lot of offerings, one of which gives you access to remote computers. They use a proprietary protocol to do remote desktop. The communications run on SSL over TCP/UDP. The computers involved get SSL certificates. You can control computers remotely with their software program or via a web interface.

The LogMeIn solution is a commercial one. LogMeIn is a publicly traded company. They filed for an IPO back in 2009 and are traded on the NASDAQ stock exchange. They are located in Boston, MA. However, they have data centers across the USA plus another one in Europe. The company is big. They did $1B of revenue this past year. The company is worth $5B.

The company initially tried to undercut Citrix's solution. But last year they actually merged with Citrix Online. They do a lot more than just remote desktop. They have software for backups and virtual meetings. They provide support and service (VPN). One of their new toys is a Platform as a Service for the Internet of Things. How is that for a buzzword-filled offering?

I wish I could just give LogMeIn a test drive. Maybe there is an option to check out their solution without having to shell out some big bucks. Next up I want to look into competitors in remote desktop such as GoToMyPC and GoToAccess.

Janus VM

I continue to research products that help protect your Internet activity. Next up is Janus VM. This one is not so much a product developed from scratch. It is a bundling of some other existing products. In fact, it is an open source VMware image. It is built on top of Linux 2.6.14 (Ubuntu). The image contains products such as TOR plus OpenVPN plus Squid plus Privoxy. TOR will hide your IP address and route your traffic anonymously through the TOR network. Squid/Privoxy filter out stuff that might be going in and out of your computer.

Janus VM can help protect you when you must use an unsecured WiFi connection. It can also protect you against man in the middle attacks. Then you can surf the Internet privately. A nice thing about it is that it is easy to set up on Windows platforms. It prevents all kinds of annoyances like advertisements, banners, and popups. Originally it was released to work on Windows XP/2000/2003 as well as Linux.

Since it relies on TOR, your IP address will be masked. Your TCP traffic gets encrypted. Also DNS requests will be encrypted. Unfortunately other protocols such as UDP and ICMP are not. Another downside is that development on the product ceased in 2010. TOR has since been updated, but the latest versions of TOR are not incorporated into Janus VM.

You need virtual machine software to use Janus VM. The install file is 20MB. On Windows, you can run a batch file to set it up. You should choose the anonymous privacy configuration. The product is free but they ask for a donation. It is not necessarily fast. But it might help you get past firewalls that block traffic to certain sites. Some competing products are Whonix and Qubes.

Hotspot Shield

I am thinking about signing up for Hotspot Shield protection. It is a software application and service provided by AnchorFree. They are a US-based company working out of California. Essentially they provide a VPN service through their worldwide servers. They will secure your network communications.

Hotspot Shield was first released for Windows and Macintosh back in 2008. They expanded to the iOS and Android mobile markets in 2012. The main features are free. But you may be subjected to ads, a slower connection, and might not be able to use Netflix. There are paid plans that bill monthly ($13) or lifetime ($139). Be warned that the monthly plan might cause you to be nagged to subscribe for the lifetime plan.

The security they provide is, like any VPN, encryption of your data in transit. They also hide your IP address from sites you visit. Those sites see AnchorFree's server IP addresses. Of course, using TOR would be a better move to remain anonymous. AnchorFree does have some extras like warning you about malware or phishing sites.

Although they used to use industry standards such as IKEv2, I hear that AnchorFree has moved to a proprietary protocol called Catapult Hydra. Nobody else uses proprietary protocols for important things like VPNs any more. I wonder what the heck AnchorFree is doing here.

There are plugins for popular browsers like Chrome or Firefox. You can set up your system to automatically connect through the VPN when you are on unsafe WiFi. That sounds really handy. AnchorFree boasts 500M downloads of their product. Strangely enough, I hear that many people actually get speed improvement when going through the VPN. Weird.

AnchorFree claims it does not do logging of your network traffic. But they have a highly suspicious Terms of Service contract that implies otherwise. More like they will not hold onto your info after your session ends. Or they will not store uniquely identifying information about you. That is at best sketchy.

One downside to the AnchorFree plan is their service. You cannot get real time support. You have to submit a ticket, and they will get back to you at some time in the future. Might be an hour. Might be a day. People have classified Hotspot Shield as a no frills or entry level service. So you pretty much get what you pay for. Being the frugal person that I am, I might just need to stick with the free plan.

TOR

I have heard about TOR for some time. The acronym stands for The Onion Router. It is free software that is written in C, Python, and JavaScript. The software lets you engage in anonymous communication. It does this by sending your network communication through a network of relays. These relays are chosen randomly. The relays are run by volunteers. At each hop, your traffic is encrypted at the application (TCP stream) layer.

TOR was developed by guys from the Naval Research Lab. Onion Routing in general was developed by DARPA. The point is that these were born out of the government. Funded initially by them too. TOR is not backed by a non-profit corporation. There are millions of users of TOR. It is mostly used to give privacy to Instant Messaging, Chat, and web browsing.

Some machines out there only accept TOR connections. These are called Hidden Services. You can use Tor2Web, which allows you to access TOR from a normal browser without setting up a TOR network connection. Or you could opt for the dedicated TOR Browser. It is a modified version of FireFox that starts TOR background processes automatically. Some downsides of this browser are that it blocks Flash and Quicktime.

Using TOR slows your network access. You do get a circuit established through the TOR network for your use. The circuit lasts for about 10 minutes. It also can paint a target on your back, as anyone watching can tell that you are using TOR. The EFF recommends that you use TOR. It is like a replacement for everyday VPNs. TOR is limited to TCP streaming data.

NetBus

Okay, today I want to talk about NetBus. It is the last of the remote control programs I am researching. The others were Back Orifice and SubSeven. The name NetBus translates from Swedish as Net Prank. It was created back in 1998 by Carl-Fredrik Neikter of Sweden. He also goes by the handle "cd".

The program was distributed by Cult of the Dead Cow. Apparently it was distributed in a Trojan fashion as part of a whack-a-mole game. Some say NetBus is one of the most famous Trojans. The program is not a virus. The user needs to install the program. It installs to the Windows directory just like other Trojans that try to hide from sight.

NetBus was written in the Pascal programming language using the Delphi development tool. It had a relatively large 500KB footprint. Its release predated Back Orifice. The name of the server program is "patch.exe" or "sysedit.exe". Legit-sounding names, right? Communication is done over TCP/IP ports 12345, 12346, or 20034. The client is GUI based. The original version worked on Windows 95/98/ME/NT. Later updates ported it to Windows 2000 and XP. Further versions were actually sold as commercial products.

NetBus is a remote administration tool. It can log and/or inject keystrokes. It can do screen captures. It can launch other programs. With it, you can browse files. It can also play sounds, as well as change the volume levels. It runs using the rights/privileges of the logged on user. The program restarts on Windows startup. The name is hidden from the task manager list. You cannot delete or rename the server file.

There was a famous use of NetBus in 1999 to plant pornography on a university scholar's computer. It caused him to be fired. He was later exonerated when they discovered that the files were planted by someone else using NetBus.

Subseven

Today I want to talk about SubSeven. This is another Trojan horse brought to you by Mobman. Its name is a play on NetBus (spelled backwards, "ten" changed to "seven"). The program is also known as SubServer or Sub7Server. This program works on all flavors of Windows, including old ones like Win95, and newer versions such as Windows 8.

SubSeven has a lot of capabilities. You can log keystrokes. You can capture webcam images. You can edit the target computer's registry. You can record from the microphone. And you can take screen shots. It has a text-to-speech feature to speak on your behalf to the user. The server program will be relaunched in a unique way. It chains into Windows so that when any program is launched, SubSeven will also get restarted if it is down.

SubSeven comes as a few programs: a server to install on the target machine, a client that allows you to take control of the target, and an editor to configure the server. The client has a graphical user interface. This client shows when targets are online. The server program installs in the Windows directory.

The name of the server is "server.exe". The client is "sub7.exe". And the server editor is "editserver.exe". The programs require and make use of "ICQMAPI.DLL" for comms. Communication between client and server is over ICQ, IRC, and email. It uses TCP ports 1243, 6711 through 6713, 6776, and 27374. Different operations go over different ports.
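The default ports and server file names listed for NetBus (above, in its own post) and for SubSeven here are exactly the kind of indicator a defender can sweep a machine for. The following is an added example, not code from the original posts: it takes Windows-style "netstat -ano" output (the PID column lets a socket be tied to a process) plus a PID-to-image-name map of the kind "tasklist" gives you, and reports any process that is bound to one of those ports or carries one of those file names. Both the netstat listing and the process map are constructed for the example.

```python
# Constructed sample in the style of Windows "netstat -ano" (PID in the last column); not from a real host.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       4388
  TCP    192.168.1.10:6712      203.0.113.9:50000      ESTABLISHED     4388
  TCP    192.168.1.10:49700     93.184.216.34:443      ESTABLISHED     2210
"""

# Constructed PID -> image name map, as you would assemble from "tasklist" output.
SAMPLE_PROCESSES = {900: "svchost.exe", 4120: "patch.exe", 4388: "server.exe", 2210: "chrome.exe"}

# Indicators taken from the posts: default ports and server/client file names of each tool.
INDICATORS = {
    "NetBus": {"ports": {12345, 12346, 20034},
               "files": {"patch.exe", "sysedit.exe"}},
    "SubSeven": {"ports": {1243, 6711, 6712, 6713, 6776, 27374},
                 "files": {"server.exe", "sub7.exe", "editserver.exe"}},
}


def parse_netstat_ano(text):
    """Keep only TCP rows of the five-column -ano layout; header and blank lines have a different width."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            rows.append({"local_port": int(f[1].rpartition(":")[2]),
                         "foreign": f[2], "state": f[3], "pid": int(f[4])})
    return rows


def find_indicators(rows, processes):
    """Group suspicious sockets by PID, recording every matching family and why it matched."""
    hits = {}
    for r in rows:
        image = processes.get(r["pid"], "").lower()
        for family, ind in INDICATORS.items():
            reasons = []
            if r["local_port"] in ind["ports"]:
                reasons.append(f"local port {r['local_port']} ({r['state']})")
            if image in ind["files"]:
                reasons.append(f"image name {image}")
            if reasons:
                entry = hits.setdefault(r["pid"], {"image": image, "families": set(), "reasons": []})
                entry["families"].add(family)
                # The same image-name reason recurs for every socket of that PID; keep it once.
                entry["reasons"].extend(x for x in reasons if x not in entry["reasons"])
    return hits


def report(hits):
    """One line per flagged PID, suitable for a ticket or a log entry."""
    return [f"PID {pid} ({h['image'] or 'unknown image'}): "
            f"{', '.join(sorted(h['families']))}: {'; '.join(h['reasons'])}"
            for pid, h in sorted(hits.items())]


if __name__ == "__main__":
    for line in report(find_indicators(parse_netstat_ano(SAMPLE_NETSTAT), SAMPLE_PROCESSES)):
        print(line)
```

A port or file-name match is a reason to look, not a verdict: "server.exe" is a name plenty of harmless programs use, and a legitimate service may happen to sit on one of these ports, so the next step is checking the flagged PID's executable path and signature rather than acting on the match alone.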

The official website is supposed to be www.subseven.org. Strangely enough, the site was no longer there. In fact, GoDaddy offered to sell me the domain for $69.99. Not sure if I believe GoDaddy. The server program was initially distributed by tricking users into thinking they were getting warez or some sexually explicit material. Thus the Trojan categorization.

Hype surrounding SubSeven compared it to Back Orifice. Rumors say SubSeven installs outnumber Back Orifice 100 to 1. Take that with a grain of salt. Trash talkers report that SubSeven makes Back Orifice look tame. Hah. There is a gold version of the program that lets you use different skins for the UI. On the other side of the coin, some say that SubSeven is a toy used by wanna be hackers. Who are you going to believe?

Back Orifice

I recall Back Orifice from the late 1990s. It sounded like a really ominous program. It was initially released at DEF CON 6 in 1998. It was hyped as a remote system administration tool. But make no mistake. This thing is a rootkit program. The author was Josh Buchbinder, who went by the handle Sir Dystic. He was from the crew called the Cult of the Dead Cow.

Back Orifice actually works as a pair of programs. There is a server that runs on the infected machine. Then there is a client. There are two versions of the client: a GUI version and a console version. The name is a spin on the Microsoft BackOffice Server. The goal of the program was to demonstrate how weak security was in Windows 98.

The original Back Orifice program could compromise Windows 95 or Windows 98 targets. It was written using Microsoft Visual C++. The program does not show up in the Windows task list. It will rerun when the computer is restarted. It has many uses. It can manage files, processes, and the registry of the target machine. It can log keystrokes. It can send/receive files.

There was a sequel program called Back Orifice 2000. It supported other versions of Windows like Windows 2000, Windows NT, Windows XP, and Windows Vista. Strange that Windows NT could so easily be owned. I was actually hesitant to put this program on my own machine. Maybe it is time to spin up a virtual machine that I don't care about to do my testing.