I've noticed while on this site that although there are plenty of tutorials on netstat, there's nothing on how to hack a system using it. This is one way which I rather like, as it is especially useful on systems using stuff like Kazaa which leave ports open on your system. This won't work on more secure systems, as they won't generally have foreign ports open. Oh, and by the way, this is my first article, so feel free to post below any and all problems with it!
Finding an open port
First we need to know the target's IP. There are lots of ways of doing this, which I'm not going to go into here. After all, I usually do this on people who I know and who give me their IPs (I'm a white hat hacker, not some pathetic little script kiddie cracker). Once you know their IP, open a DOS prompt. In Windows XP that's
Now type the following into the command prompt:
netstat [target's IP] -a and press Enter.
What this does is look at all open ports on the target system. This means that you'll be shown a list of all the open ports. We aren't interested in the local ports, so look straight at the second column for a port number that looks promising. If the target has a trojan on their system, a port number of roughly 49000-63000 should be about right. If not, look for the open port of Kazaa or WinMX or whatever.
Now open another command prompt and type:
open [target's IP] [Port number]
You've now got a connection to their machine! From here you can browse around and modify their file system using DOS. These commands are especially useful when doing this:
CD REMOTE-DIRECTORY Change directory on the remote system. Type this and the directory you want to change to. You probably need to understand how the Windows filesystem is organised for this to work.
DIR Display directory. Shows all the files and folders in this directory.
PWD Prints the name of the current remote directory.
CD .. Go up one level in directory.
Thanks to Bloodvessel for the following commands:
get test Copies file "test" from remote to local host (from current remote directory to current local directory).
mget test.* data.dbf Copies files beginning with "test" and the file named data.dbf from remote to local host.
put test Copies file "test" from local to remote host. You must have write access to the remote host for this to work.
mput test.* data.dbf Copies files beginning with "test" and the file named data.dbf from local to remote host.
quit Closes connection and terminates FTP session
If a file name contains spaces (e.g. on your Windows system) you should type the file name in quotation marks " ", but it is strongly recommended to rename such files before FTPing them.
get test "| more" - displays file "test"
To make sure you want a document, you can display it with the more command and see the file screen by screen (using the space bar) BEFORE you get the file. To exit more, type q.
prompt Turns off prompting for individual files when using the mget or mput commands.
If you have mistyped your username or password, use the user command to re-login.
For a list of all FTP commands type ? at the ftp> prompt.
For a brief explanation of a command, type help, leave a space, and type the command itself.
Why does this work?
When we use the netstat command on a machine, it searches for open ports. This means that if, for instance, the target machine is connected to Kazaa, there will be a port opened with Kazaa. There are different kinds of ports, the most common being TCP and UDP. Most things on a computer have their own port; for instance, a printer and a scanner have their own port, though these are generally unhackable as they are in local ports, not foreign ones.
So, supposing the target does have an open port, it is possible to connect to them using ftp, or File Transfer Protocol. This is what is used when downloading off people, and is another reason why file sharing desktops (running Kazaa, WinMX etc.) are so easy to hack when using this method; they already have a port or more open, downloading, which means that their firewalls must be pretty much non-existent.
By typing the ftp command, we make our system an ftp server. This operates the same way basically as a web server. Once we are an ftp server, we can open a link with another computer through an open port. This literally means that we are sharing files with this computer, so if the target was alert to the attack, it could do what it wanted back. Still, this is unlikely, so on with the article!
Once we've opened a file transfer protocol with the target, we can do what we want using DOS commands in the prompt. How about leaving a text file on the desktop saying 'Hacked by...'? That's sure to get the target to update their security!
Well, I hope that this article was helpful. As I said at the top, feel free to post below modifications to what's in here, as it may not all be completely correct. This process seems to work for me, but tell me your own experiences with it.
Thanks, The Real Tim Shady
Finding target's IP
Did you know that you can find out people's IPs using netstat? If you're connected to them via ICQ, AIM and possibly MSN, then a quick Netstat check on your own system will show an open port to their machine along with their IP address! Simply use that IP address and you can hack their machine!
Another point that I have noticed is that it is possible to use a portscanner to check for open ports if the remote netstat command doesn't work. I'm not going to give you the addresses of where you can download them, but I recommend Portscan Plus, because it's easier to use. I know I say in the description that you shouldn't need to use any programs, but this one is optional, and I personally don't bother.
A little tip
Look for port 139 if you want to ftp without netstat or a portscanner, as they may have a printer and file share.
Another way to find ports to go through
I find that a very useful way of finding ports to go through is to run a file like Kazaa on yourself and check netstat on your own machine. This will show you the ports Kazaa or whatever program you're using goes through, and the chances are that they'll be the same on your target's computer.
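The tips above all come down to reading netstat output on your own machine, so here is an added example (not part of the original post, and not the poster's code) that parses a constructed `netstat -an` listing in Windows layout and separates the two things it actually contains: the ports this host is listening on (rows with no peer yet, foreign address 0.0.0.0:0 or *:*) and the IPs of the peers currently connected to it (ESTABLISHED rows). The sample addresses are documentation ranges and the port numbers (1214 for Kazaa, 5190 for AIM) are just illustrative.

```python
"""Added example: what a netstat listing really tells you.

netstat reports the socket table of the machine it runs on. "Local Address"
is this host's end of each socket; "Foreign Address" is the peer. A LISTENING
row has no peer yet, so it tells you which ports this host exposes. An
ESTABLISHED row's foreign address is the IP of whoever is connected right now
(a file-sharing peer, a chat contact, ...). The sample is constructed.
"""
import re
from collections import defaultdict

# Constructed sample in Windows `netstat -an` layout (documentation IP ranges).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1214      0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1214      203.0.113.77:3456      ESTABLISHED
  TCP    192.168.1.20:1214      198.51.100.9:51022     ESTABLISHED
  TCP    192.168.1.20:2805      198.51.100.9:1214      ESTABLISHED
  TCP    192.168.1.20:3021      192.0.2.44:5190        ESTABLISHED
  UDP    0.0.0.0:1214           *:*
  UDP    192.168.1.20:137       *:*
"""

# One socket row: protocol, local addr, foreign addr, optional state (UDP has none).
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_addr(addr):
    """'192.168.1.20:1214' -> ('192.168.1.20', 1214); '*:*' -> ('*', None).
    rpartition keeps bracketed IPv6 literals such as '[::]:135' intact."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat text into a list of socket dicts; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # blank line, 'Active Connections', column header
        proto, local, foreign, state = m.groups()
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        rows.append({
            "proto": proto,
            "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            "state": state or "",
        })
    return rows


def exposed_ports(rows):
    """Ports this host accepts traffic on: TCP listeners plus every bound UDP
    socket. Client-side ports of outgoing connections are NOT included."""
    out = set()
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "LISTENING":
            out.add(("TCP", r["local_port"]))
        elif r["proto"] == "UDP":
            out.add(("UDP", r["local_port"]))
    return sorted(out)


def peers(rows):
    """Remote IPs currently connected to us, mapped to
    [(our local port, their port), ...] in listing order."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["state"] == "ESTABLISHED":
            by_ip[r["foreign_host"]].append((r["local_port"], r["foreign_port"]))
    return dict(by_ip)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("this host listens on:", exposed_ports(rows))
    for ip, ports in peers(rows).items():
        print("peer", ip, "on", ports)
```

To run it against a real machine, replace SAMPLE_NETSTAT with the captured output of `netstat -an`; the parser only reads, it never connects anywhere.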
Now that's a good tut, but when I try to connect to them via Windows ftp it doesn't work, so I tried using my ftp client and it says
Socket connected waiting for logon sequence...
And that's all it says.
Normally I don't bite - but after a 26hr stint at a downed exchange server, I'm a bit touchy...
quote: netstat [target's IP] -a
My versions (on Linux, XP, 2K, NT, AIX) of netstat are not capable of portscanning a remote machine... fine to show me what I have connected or listening though.
quote: open [target's IP] [Port number]
quote: You've now got a connection to their machine! From here you can browse around and modify their file system using DOS
Err, only if the port you pick has an insecure ftp server listening on the other end - otherwise [as long as it's still an ftp server] you'll still need a username and password. And the command language is not DOS. It's ftp. It won't allow access to the whole file system - only what they've exposed. It won't allow you to run applications, but might let you copy [exposed] files off or even might let you put some files on their server.
quote: When we use the netstat command on a machine, it searches for open ports
No. It shows you what your local machine has open.
quote: By typing the ftp command, we make our system an ftp server.
No. By running an application like IIS, ftpd, Warftpd etc. we make our system into an ftp server. By typing ftp, you open up the ftp client.
quote: Once we've opened a file transfer protocol with the target, we can do what we want using DOS commands in the prompt. how about leaving a text file on the desktop saying 'Hacked by...'
No. ftp clients don't use DOS, and I doubt very much that anyone would leave an unsecured ftp server on an unspecified port with full access to the whole system. If you 'owned' someone else's machine, would you leave it a free-for-all for all the script kiddies? Or harden it, leaving a secure encrypted back channel for your own personal use?
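The two replies above make the point that `ftp` is a client and that `open host port` only gets you somewhere if an FTP server answers and accepts your credentials. Here is an added example (not from any poster in this thread) that reproduces both outcomes against a toy service on 127.0.0.1, so nothing leaves the machine: a port where a non-FTP program is listening gives the "socket connected, waiting for logon" hang, and a real FTP control channel refuses DIR/GET until USER and PASS succeed. The toy server, its single constructed account ("alice"/"s3cret") and the reply texts are assumptions for the demonstration; the client side is Python's standard ftplib, which speaks the same protocol as the Windows ftp command.

```python
"""Added example: what `ftp> open host port` actually does.

The ftp tool is a client. `open` connects a TCP socket to the port and then
waits for the server's 220 greeting. If the service on that port is not an
FTP server, the client just sits there ("waiting for logon sequence"); if it
is one, every command is refused with 530 until USER/PASS are accepted.
Both cases are driven against a toy server on the loopback interface.
"""
import socket
import threading
from ftplib import FTP, error_perm

# Constructed account for the toy server; not from any real system.
VALID_USERS = {"alice": "s3cret"}


def toy_service(listener, log, speaks_ftp):
    """Accept one connection and either act as a minimal FTP control channel
    (USER/PASS/QUIT only) or stay silent like a non-FTP program would."""
    conn, _ = listener.accept()
    if not speaks_ftp:
        # A file-sharing-style port: the socket connects but no 220 banner
        # ever arrives. Hold the connection open until the client gives up.
        conn.settimeout(5)
        try:
            conn.recv(1)
        except OSError:
            pass
        conn.close()
        return

    f = conn.makefile("rwb", buffering=0)

    def send(line):
        log.append("S: " + line)
        f.write((line + "\r\n").encode())

    send("220 toy ftpd ready")
    user = None
    while True:
        raw = f.readline()
        if not raw:
            break  # client closed the control connection
        line = raw.decode(errors="replace").rstrip("\r\n")
        log.append("C: " + line)
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
            send("331 Password required for " + arg)
        elif cmd == "PASS":
            if VALID_USERS.get(user) == arg:
                send("230 User logged in")
            else:
                send("530 Login incorrect")
        elif cmd == "QUIT":
            send("221 Goodbye")
            break
        else:
            # DIR, GET, PUT etc. are all refused before a successful login.
            send("530 Please login with USER and PASS")
    conn.close()


def run_exchange(user, password, speaks_ftp=True):
    """Start the toy service on a free loopback port, drive ftplib against it
    and return (outcome, transcript). outcome is one of 'logged_in',
    'login_refused' or 'no_ftp_banner'."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    log = []
    t = threading.Thread(target=toy_service, args=(listener, log, speaks_ftp), daemon=True)
    t.start()

    ftp = FTP()
    try:
        ftp.connect("127.0.0.1", port, timeout=1.5)  # what `open host port` does
        ftp.login(user, password)                     # sends USER, then PASS
        outcome = "logged_in"
        ftp.quit()
    except error_perm:   # 5xx reply to PASS: server answered, credentials rejected
        outcome = "login_refused"
        ftp.close()
    except OSError:      # timed out waiting for a 220 greeting that never came
        outcome = "no_ftp_banner"
        ftp.close()
    t.join(timeout=5)
    listener.close()
    return outcome, log


if __name__ == "__main__":
    for args in (("alice", "wrong"), ("alice", "s3cret"), ("alice", "s3cret", False)):
        outcome, log = run_exchange(*args)
        print(outcome, log)
```

The silent case finishes only when the client's own timeout fires, which is exactly what the "Socket connected waiting for logon sequence..." message in the thread describes: a TCP connection to a port that is open, but with nothing FTP-shaped behind it.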