::::::::::::::::::::::::::::::::::::::::::::::::::::::::May/99
::: The Discordant Opposition Journal ::: Issue 5 - File 6 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:The Ancient Art of Port Surfing:
 cronus

You Wha ?

What, you might ask, the fuck is Port Surfing ? And that would be a
very good question. As you might have guessed from previous articles
from me, I like to think myself a bit of a hacker, thus we can conclude
that Port Surfing is of grave importance to the humble hacker.

Port Surfing is the art of moving your attentions from one port to
another on a certain system gaining as much information as possible.
With the ultimate goal of finding software that is exploitable.

Hows tha then ?

The most basic tool for Port Surfing is the portscanner. A portscanner
is a piece of code or script that scans a range of port numbers on a
certain system looking for open services. Portscanners are easily coded
containing no more than a little code to connect to sequential ports
and log the results.

Since portscanning is such an easy operation, you may ask why then, am
I rabbiting on about Port Surfing... Port Surfing is an intimite 
and personal action that has the effect of getting you closer to the
system under inspection.

The principle first off...

A portscan can only tell you what ports are actually open and running
services. It would take allot of programming to create a Port Surfer.
Port Surfing involves sending commands at the open service, noting its
version and program information and also even trying to use the service
manually to get a feel for it.

Remember that for each service (mail, web server, etc) there are dozens
of varients and upgrades. Each varient and upgrade has specific flaws
and weakness's. It is the art of Port Scanning that makes these flaws
apparent.

Who me ?

Its necessary as in most hacking techniques to hide your presence and
activity. The simple art of portscanning a server CAN put its defenses
on gaurd and force it to reject ALL your further incoming connections.

Portscanning can just be a loop that attempts to connect to a port
number and log if it can, then move to the next port. But all these
connections will be logged in the system logs. So on later inspection
your attention will be noticed. The answer is the SYN scan. The TCP
three-way handshake consists of an initial data packet from your 
computer, a reply from the server and a final packet from you, the 
connection is then open. A program could be made that simply started 
the connection routine, but didn't actually send the final packet. 
This would still have to result of discovering if the port is open
without leaving a trace of the connection in the logs.

Once you physically intend to connect to the port, you should take 
some small efforts at hiding your presence. Hiding your real connection
is also part of Port Surfing. All of the basic ideas of boucing your
connection are applicable. Bouncing off vulnerable Wingate systems,
setting up 'Back Orific' redirects or even just using an 'aquired' ISP
account. I have also done an article on this whole topic for this
issue, read that for a more detailed look.

Vers and stuff...

Connecting to the port number will most likely give you a text output
something along the lines of "SSH ver 1.2" or "HTTP/1.2". The basic
introductionary text is unnecessary, it is merely advertising for a
specific piece of software. The version of the running software is
vital if weaknesses are to be found, but the problem is that these
outputs can be altered to give false information. I know of a server
running Qmail mail software but the port outputs the text "Sendmail 
5.0.5" which is a non-existant version of the buggy sendmail daemon.

Once you've received all the text information you could try to throw
arbitary commands at the server. See if you can get a list of commands
and try to work out its real specifications. 'Version', 'info' or even
'help' might all retrieve information. There is no hard and fast rules
at this point. This is where Port Sufing becomes an art. You must ad-
lib and learn from your attempts. If you find that 'help' gives you an
error message, see if the message gives any clues with which to procede.

I'm sorry I have to be so vague here, but the art of Port Surfing is
not a step-by-step routine, more a hunt guided by gut feeling.

Manual (Ab)use !

If you can get a basic outline of how the service works, you might try
manually using the service by hand. A HTTP server specifically outputs
HTML coded text that is readable by a Web Browser. The specifications 
of the HTTP commands is fairly basic. Easily typed and understood.

I'm not going to go the specifics of server software commands because
there are literally dozens of different protocols. The sheer number of
possibilities makes the idea undigestable.

I be sorry...

I realise that this article is getting less and less technical. And for
that I apologise. You must see hacking as I do. In the past I have 
refered to it as a hunt. Trying to find the pray (weakness) before
it escapes (patched). You must use gut instinct on the hunt and make
decisions at the time, not before hand. If you feel a server that you
are 'probing' is somewhat sluggish and yet a Ping on the server shows
decent connection times, you might figure out that the server is running
out of resources internally - such as CPU processes and Hard Drive 
space.

All of this detecting is an intregral part of Port Surfing. You are 
trying to get closer to the server. Get to understand its workings. If
you find it has peak times of connection speeds you may find that at 
these times the office is closed. These discoveries help you plan an 
attack. 

A traceroute command might show that for some strange reason your 
connections always bounce through another specific server, this kind
of information would seem to point to a router at an ISP or head
office. The logical conclusion now would follow that this server
acts as a firewall. A firewall usually has a trust based relationship
with the protected server. This trust could possibly be exploited.

Again another example of what I call theoretical hacking...

   ... intoxicated with the madness ...
         cronus (at) iol (dot) ie
  ___________  ____   ____  __ __  ______
_/ ___\_  __ \/  _ \ /    \|  |  \/  ___/
\  \___|  | \(  <_> )   |  \  |  /\___ \ 
 \___  >__|   \____/|___|  /____//____  >
     \/                  \/           \/ 
      http://homepages.iol.ie/~cronus