How to Look for Vulnerabilities
Now let's start someplace where you are unlikely to get
punched in the nose by looking at some ports on your own computer. You can do
this by typing 'netstat -a' at the command prompt.
You should see something such as:
Active Connections
Proto Local Address Foreign Address State
TCP localhost:1027 0.0.0.0:0 LISTENING
TCP localhost:135 0.0.0.0:0 LISTENING
TCP localhost:135 0.0.0.0:0 LISTENING
TCP localhost:1026 0.0.0.0:0 LISTENING
TCP localhost:1026 localhost:1027 ESTABLISHED
TCP localhost:1027 localhost:1026 ESTABLISHED
TCP localhost:137 0.0.0.0:0 LISTENING
TCP localhost:138 0.0.0.0:0 LISTENING
TCP localhost:nbsession 0.0.0.0:0 LISTENING
UDP localhost:135 *:*
UDP localhost:nbname *:*
UDP localhost:nbdatagram *:*
Hhhmm...nothing much going on here. The 'Local Address' (i.e.,
my local machine) seems to be listening on ports 135, 137, 138, and 'nbsession'
(which translates to port 139...type 'netstat -an' to see just the port numbers,
not the names of the ports). This is okay...those ports are part of Microsoft
networking, and need to be active on the LAN my machine is connected to.
Now we connect our Web browser to http://www.happyhacker.org
and at the same time run Windows telnet and connect to a shell account at
example.com. Let's see what happens. Here's the output of the 'netstat -a'
command, slightly abbreviated:
Active Connections
Proto Local Address Foreign Address State
TCP localhost:1027 0.0.0.0:0 LISTENING
TCP localhost:135 0.0.0.0:0 LISTENING
TCP localhost:135 0.0.0.0:0 LISTENING
TCP localhost:2508 0.0.0.0:0 LISTENING
TCP localhost:2509 0.0.0.0:0 LISTENING
TCP localhost:2510 0.0.0.0:0 LISTENING
TCP localhost:2511 0.0.0.0:0 LISTENING
TCP localhost:2514 0.0.0.0:0 LISTENING
TCP localhost:1026 0.0.0.0:0 LISTENING
TCP localhost:1026 localhost:1027 ESTABLISHED
TCP localhost:1027 localhost:1026 ESTABLISHED
TCP localhost:137 0.0.0.0:0 LISTENING
TCP localhost:138 0.0.0.0:0 LISTENING
TCP localhost:139 0.0.0.0:0 LISTENING
TCP localhost:2508 zlliks.505.ORG:80 ESTABLISHED
TCP localhost:2509 zlliks.505.ORG:80 ESTABLISHED
TCP localhost:2510 zlliks.505.ORG:80 ESTABLISHED
TCP localhost:2511 zlliks.505.ORG:80 ESTABLISHED
TCP localhost:2514 example.com:telnet ESTABLISHED
So what do we see now? Well, there are the ports listening
for Microsoft networking, just like in the first example. And there also are
some new ports listed. Four are connected to 'zlliks.505.org' on port 80, and
one to 'example.com' on the telnet port. These correspond to the client
connections that I set up. See, this way you know the name of the computer that
was running the Happy Hacker Web site at this time.
But what is with the really high port numbers? Well, remember the
'well-known' ports that we talked about above? Client applications, such as
browsers and telnet clients (clients are programs that connect to servers), need
a port to receive data on, so they randomly select ports from outside the
'well-known' port range... above 1024. In this case, my browser has opened up
four ports...2508 through 2511.
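As an added example (not part of the original article), here is a small Python parser that reads 'netstat -a' output like the listings above and labels each socket the way the text does: a well-known service listening, an ephemeral client-side port, or an outbound client connection to a remote server. The SERVICE_PORTS table and the SAMPLE lines are assumptions constructed for this example.

```python
# Name-to-port table for the service names seen above (assumed; a real system reads its 'services' file).
SERVICE_PORTS = {"nbname": 137, "nbdatagram": 138, "nbsession": 139, "telnet": 23}

# Constructed sample: an abbreviated version of the second 'netstat -a' run above.
SAMPLE = """Proto Local Address Foreign Address State
TCP localhost:135 0.0.0.0:0 LISTENING
TCP localhost:nbsession 0.0.0.0:0 LISTENING
TCP localhost:2508 0.0.0.0:0 LISTENING
TCP localhost:1026 localhost:1027 ESTABLISHED
TCP localhost:2508 zlliks.505.ORG:80 ESTABLISHED
TCP localhost:2514 example.com:telnet ESTABLISHED
UDP localhost:nbname *:*
"""

def port_of(endpoint):
    """Return the numeric port of 'host:port', resolving names like 'nbsession'."""
    _host, _sep, port = endpoint.rpartition(":")
    if port.isdigit():
        return int(port)
    return SERVICE_PORTS.get(port.lower())   # None for '*' or an unknown name

def parse_netstat(text):
    """Parse 'netstat -a' output into one dict per socket line; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        rows.append({"proto": parts[0], "local_port": port_of(parts[1]),
                     "foreign": parts[2], "foreign_port": port_of(parts[2]),
                     "state": parts[3] if len(parts) > 3 else ""})  # UDP lines carry no state
    return rows

def classify(row):
    lp, fp = row["local_port"], row["foreign_port"]
    if row["state"] == "ESTABLISHED":
        # High local port talking to a well-known remote port: a client connection we started.
        if lp is not None and lp > 1024 and fp is not None and fp <= 1024:
            return "client connection to " + row["foreign"]
        return "established (both ends ephemeral)"
    if lp is not None and lp <= 1024:
        return "well-known service listening"
    return "ephemeral port (client side)"

def client_connections(text):
    """Foreign endpoints of every outbound client connection in the output."""
    return [r["foreign"] for r in parse_netstat(text)
            if classify(r).startswith("client connection")]
```

Running client_connections(SAMPLE) returns the two remote endpoints the text identifies, the Web server on port 80 and the shell account on telnet.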