GUIDE TO (mostly) HARMLESS HACKING
Beginners' Series Number 9
Hacking with Windows XP
by Carolyn Meinel. Edited by ThelordCrew (to make it up to date)
Part I: The Magic of DOS
In this guide you will learn how to telnet, forge email, use nslookup and netcat with Windows XP.
So you have the newest, glitziest, "Fisher Price" version of Windows: XP. How can you use XP in a way that sets
you apart from the boring millions of ordinary users?
****************
Luser Alert: Anyone who thinks this GTMHH will reveal how to blow
up people's TV sets and steal Sandra Bullock's email is going to find out that I won't tell them how.
****************
The key to doing amazing things with XP is as simple as D O S. Yes, that's right, DOS as in MS-DOS, as in MicroSoft
Disk Operating System. Windows XP (as well as NT and 2000) comes with two versions of DOS. Command.com is an old DOS version.
Various versions of command.com come with Windows 95, 98, SE, ME, Windows 3, and DOS-only operating systems.
The other DOS, which comes only with the XP, 2000 and NT operating systems, is cmd.exe. Usually cmd.exe is better
than command.com because it is easier to use, has more commands, and in some ways resembles the bash shell in Linux and other
Unix-type operating systems. For example, you can repeat a command by using the up arrow until you back up to the desired
command. Unlike bash, however, your DOS command history is erased whenever you shut down cmd.exe. The reason XP has both versions
of DOS is that sometimes a program that won't run right in cmd.exe will work in command.com.
****************
Flame Alert: Some readers are throwing fits because I dared to compare
DOS to bash. I can compare cmd.exe to bash if I want to. Nanny nanny nah nah.
****************
DOS is your number one Windows gateway to the Internet, and the open sesame to local area networks. From DOS, without
needing to download a single hacker program, you can do amazingly sophisticated explorations and even break into poorly defended
computers.
****************
You can go to jail warning:
Breaking into computers is against the law if you do not have permission to do so from the owner of that computer. For example,
if your friend gives you permission to break into her Hotmail account, that won't protect you because Microsoft owns Hotmail
and they will never give you permission.
****************
****************
You can get expelled warning: Some kids have been kicked out of school just for bringing up a DOS prompt on a computer. Be sure
to get a teacher's WRITTEN permission before demonstrating that you can hack on a school computer.
****************
So how do you turn on DOS?
Click All Programs -> Accessories -> Command Prompt
That runs cmd.exe.
You should see a black screen with white text on it, saying something like this:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>
Your first step is to find out what commands you can run in DOS. If you type "help" at the DOS prompt, it gives
you a long list of commands. However, this list leaves out all the commands hackers love to use. Here are some of those left
out hacker commands.
TCP/IP commands:
telnet
netstat
nslookup
tracert
ping
ftp
NetBIOS commands (just some examples):
nbtstat
net use
net view
net localgroup
TCP/IP stands for transmission control protocol/Internet protocol. As you can guess by the name, TCP/IP is the
protocol under which the Internet runs, along with user datagram protocol (UDP). So when you are connected to the Internet,
you can try these commands against other Internet computers. Most local area networks also use TCP/IP.
NetBIOS (Net Basic Input/Output System) protocol is another way to communicate between computers. This is often
used by Windows computers, and by Unix/Linux type computers running Samba. You can often use NetBIOS commands over the Internet
(being carried inside of, so to speak, TCP/IP). In many cases, however, NetBIOS commands will be blocked by firewalls. Also,
not many Internet computers run NetBIOS because it is so easy to break in using them. We will cover NetBIOS commands in the
next Guide to XP Hacking.
GUIDE TO (mostly) HARMLESS HACKING
Beginners' Series Number 9
Hacking with Windows XP
Part 2: The Magic of NetBIOS
In this guide you will learn how to explore the Internet using Windows XP and NetBIOS:
· How to Install NetBIOS
· How to Use Nbtstat
· The Net View Command
· What to Do Once You Are Connected
· How to Break in Using the XP GUI
· More on the Net Commands
· How Crackers Break in as Administrator
· How to Scan for Computers that Use NetBIOS
· How to Play NetBIOS Wargames
· An Evil Genius Tip for Win NT Server Users
· Help for Windows 95, 98, SE and ME Users
Not many computers are reachable over the Internet using NetBIOS commands - maybe only a few million. But what
the heck, a few million is enough to keep a hacker from getting bored. And if you know what to look for, you will discover
that there are a lot of very busy hackers and Internet worms searching for computers they can break into by using NetBIOS
commands. By learning the dangers of NetBIOS, you can get an appreciation for why it is a really, truly BAD!!! idea to use
it.
*****************
Newbie note: a worm is a program that reproduces itself. For example, Code Red automatically
searched over the Internet for vulnerable Windows computers and broke into them. So if you see an attempt to break into your
computer, it may be either a human or a worm.
*****************
If you run an intrusion detection system (IDS) on your computer, you are certain to get a lot of alerts of NetBIOS
attacks. Here's an example:
The firewall has blocked Internet access to your computer (NetBIOS Session) from 10.0.0.2 (TCP Port 1032) [TCP Flags: S].
Occurred: 2 times between 10/29/2002 7:38:20 AM and 10/29/2002 7:46:18 AM
A Windows NT server on my home network, which has addresses that all start with 10.0.0, caused these alerts. In
this case the server was just doing its innocent thing, looking for other Windows computers on my LAN (local area network)
that might need to network with it. Every now and then, however, an attacker might pretend to have an address from your internal
network even though it is attacking from outside.
If a computer from out on the Internet tries to open a NetBIOS session with one of mine, I'll be mighty suspicious.
Here's one example of what an outside attack may look like:
The firewall has blocked Internet access to your computer (NetBIOS Name) from 999.209.116.123 (UDP Port 1028).
Time: 10/30/2002 11:10:02 AM
(The attacker's IP address has been altered to protect the innocent or the guilty, as the case may be.)
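As an added example (not part of the original Guide), here is a small Python script that reads firewall alerts like the two above and sorts them into the ones whose source address claims to be on your own LAN and the ones that do not. The alert text is a constructed sample modelled on the lines quoted above; the 10.0.0.0/24 subnet and the regular expression for the alert format are my assumptions, and 198.51.100.7 is a documentation-only address standing in for an outside host.

```python
import ipaddress
import re

# The home LAN described above: every address starts with 10.0.0.
HOME_LAN = ipaddress.ip_network("10.0.0.0/24")

# Constructed sample: the two alerts quoted above, one more from an outside address,
# and an "Occurred:" line that is not an alert at all.
SAMPLE_ALERTS = [
    "The firewall has blocked Internet access to your computer (NetBIOS Session) "
    "from 10.0.0.2 (TCP Port 1032) [TCP Flags: S].",
    "The firewall has blocked Internet access to your computer (NetBIOS Name) "
    "from 999.209.116.123 (UDP Port 1028).",
    "The firewall has blocked Internet access to your computer (NetBIOS Datagram) "
    "from 198.51.100.7 (UDP Port 138).",
    "Occurred: 2 times between 10/29/2002 7:38:20 AM and 10/29/2002 7:46:18 AM",
]

# Assumed layout of a Zone Alarm style alert: "(service) from <addr> (PROTO Port N)".
ALERT_RE = re.compile(
    r"blocked Internet access to your computer \((?P<service>[^)]+)\) "
    r"from (?P<src>\S+) \((?P<proto>TCP|UDP) Port (?P<port>\d+)\)"
)


def classify_alert(line, lan=HOME_LAN):
    """Describe one alert line as a dict, or return None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    src = m.group("src")
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        origin = "unparseable"  # e.g. an altered address such as 999.209.116.123
    else:
        # The log cannot tell a real neighbour from an outsider spoofing a LAN
        # address; "lan" only means the source address claims to be local.
        origin = "lan" if addr in lan else "outside"
    return {
        "service": m.group("service"),
        "src": src,
        "proto": m.group("proto"),
        "port": int(m.group("port")),
        "origin": origin,
    }


def triage(lines, lan=HOME_LAN):
    """Classify every alert and count how many did not come from the LAN."""
    alerts = [r for r in (classify_alert(line, lan) for line in lines) if r is not None]
    not_lan = sum(1 for r in alerts if r["origin"] != "lan")
    return {"alerts": alerts, "not_lan": not_lan}


if __name__ == "__main__":
    report = triage(SAMPLE_ALERTS)
    for r in report["alerts"]:
        print(f'{r["origin"]:12} {r["src"]:16} {r["proto"]}/{r["port"]:<5} {r["service"]}')
    print(f'{report["not_lan"]} of {len(report["alerts"])} alerts did not come from the LAN')
```

Run it against a saved alert log (one alert per line) and anything tagged "outside" is the traffic worth looking at; the "lan" ones are the browsing chatter the NT server above generates.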
Want to see how intensely crackers and worms are scanning the Internet for potential NetBIOS targets? A really
great and free IDS for Windows that is also a firewall is Zone Alarm. You can download it for free from http://www.zonelabs.com
. You can set it to pop up a warning on your screen whenever someone or some worm attacks your computer. You will almost certainly
get a NetBIOS attack the first day you use your IDS.
Do you need to worry when a NetBIOS attack hits? Only if you have enabled NetBIOS and Shares on your computer.
Unfortunately, in order to explore other computers using NetBIOS, you increase the danger to your own computer from attack
by NetBIOS. But, hey, to paraphrase a famous carpenter from Galilee, he who lives by the NetBIOS gets hacked by the NetBIOS.
********************
Newbie note: NetBEUI (NetBIOS Extended User Interface) is an out-of-date, crummy, not terribly
secure way for Windows computers to communicate with each other in a peer-to-peer mode. NetBIOS stands for network basic input/output
system.
Newbie note: Shares are when you make it so other computers can access files and directories on your computer.
If you set up your computer to use NetBIOS, in Win XP using the NTFS (new technology file system) you can share files and
directories by bringing up My Computer. Click on a directory - which in XP is called a "folder". In the left-hand column a
task will appear called "Share this folder". By clicking this you can set who can access this folder, how many people at a
time can access it, and what they can do with the folder.
********************
There are a number of network exploration commands that only NetBIOS uses. We will show how to use nbtstat and
several versions of the net command.
How to Install NetBIOS
You might have to make changes on your system in order to use these commands. Here's how to enable NetBIOS for
Windows XP. (If you are stuck with Windows 95, 98, SE or ME, see the end of this Guide for how to enable NetBIOS.) Click:
Control Panel -> Network Connections
There are two types of network connections that may appear here: "Dial-up" and "LAN or High-Speed Internet".
**************
Newbie note: A dial-up connection uses a modem to reach the Internet. LAN stands for local area
network. It's what you have if two or more computers are linked to each other with a cable instead of modems. Most schools
and businesses have LANs, as well as homes with Internet connection sharing. A DSL or cable modem connection will also typically
show up as a LAN connection.
**************
To configure your connections for hacking, double click on the connection you plan to use. That brings up a box
that has a button labeled "Properties". Clicking it brings up a box that says "This connection uses the following items:"
You need to have both TCP/IP and NWLink NetBIOS showing. If NWLink NetBIOS is missing, here's how to add it. Click
Install -> Protocol -> Add NWlink/IPX/SPX/NetBIOS Compatible Transport Protocol.
**************
Newbie note: NWLink refers to Novell's Netware protocol for running a LAN.
**************
How to Use Nbtstat
To get started, bring up cmd.exe. Click Start -> Run and type cmd.exe in the command line box. This
brings up a black screen with white letters. Once it is up, we will play with the nbtstat command. To get help for this command,
just type:
C:\>nbtstat help
One way to use the nbtstat command is to try to get information from another computer using either its domain name
(for example test.target.com), its numerical Internet address (for example, happyhacker.org's numerical address is 206.61.52.30),
or its NetBIOS name (if you are on the same LAN).
C:\>nbtstat -a 10.0.0.2
Local Area Connection:
Node IpAddress: [10.0.0.1] Scope Id: []
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    OLDGUY         <00>  UNIQUE      Registered
    OLDGUY         <20>  UNIQUE      Registered
    WARGAME        <00>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~OLDGUY......<00>  UNIQUE      Registered
    OLDGUY         <03>  UNIQUE      Registered
    WARGAME        <1E>  GROUP       Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered
    MAC Address = 52-54-00-E4-6F-40
What do these things tell us about this computer? Following is a table explaining the codes you may see with an
nbtstat command (taken from the MH Desk Reference, written by the Rhino9 team).
Name                Number  Type  Usage
=========================================================
<computername>      00      U     Workstation Service
<computername>      01      U     Messenger Service
<\\_MSBROWSE_>      01      G     Master Browser
<computername>      03      U     Messenger Service
<computername>      06      U     RAS Server Service
<computername>      1F      U     NetDDE Service
<computername>      20      U     File Server Service
<computername>      21      U     RAS Client Service
<computername>      22      U     Exchange Interchange
<computername>      23      U     Exchange Store
<computername>      24      U     Exchange Directory
<computername>      30      U     Modem Sharing Server Service
<computername>      31      U     Modem Sharing Client Service
<computername>      43      U     SMS Client Remote Control
<computername>      44      U     SMS Admin Remote Control Tool
<computername>      45      U     SMS Client Remote Chat
<computername>      46      U     SMS Client Remote Transfer
<computername>      4C      U     DEC Pathworks TCPIP Service
<computername>      52      U     DEC Pathworks TCPIP Service
<computername>      87      U     Exchange MTA
<computername>      6A      U     Exchange IMC
<computername>      BE      U     Network Monitor Agent
<computername>      BF      U     Network Monitor Apps
<username>          03      U     Messenger Service
<domain>            00      G     Domain Name
<domain>            1B      U     Domain Master Browser
<domain>            1C      G     Domain Controllers
<domain>            1D      U     Master Browser
<domain>            1E      G     Browser Service Elections
<INet~Services>     1C      G     Internet Information Server
<IS~Computer_name>  00      U     Internet Information Server
To keep this Guide from being ridiculously long, we'll just explain a few of the things we learned when we
ran nbtstat -a against 10.0.0.2:
* it uses NetBIOS
* its NetBIOS name is Oldguy
* one of the users is named Administrator
* it runs a web site with Internet Information Server, and maybe an ftp (file transfer protocol) server
* it is a member of the domain Wargame
* it is connected on a local area network and we accessed it through an Ethernet network interface card (NIC) with
a MAC Address of 52-54-00-E4-6F-40.
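An added example, not from the Guide: a Python parser for the nbtstat -a output shown above. It decodes each row with a subset of the suffix table and then pulls out the same facts we just read off by hand (computer name, domain, file sharing, IIS, logged-on users, MAC address). The sample output is copied from above; the regular expressions, the function names, and the treatment of the trailing dots in IS~OLDGUY...... as display padding are my assumptions.

```python
import re

# Constructed sample: the nbtstat -a output shown above, verbatim.
SAMPLE_NBTSTAT = """\
Local Area Connection:
Node IpAddress: [10.0.0.1] Scope Id: []
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    OLDGUY         <00>  UNIQUE      Registered
    OLDGUY         <20>  UNIQUE      Registered
    WARGAME        <00>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~OLDGUY......<00>  UNIQUE      Registered
    OLDGUY         <03>  UNIQUE      Registered
    WARGAME        <1E>  GROUP       Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered
    MAC Address = 52-54-00-E4-6F-40
"""

# Subset of the suffix table above, keyed by (suffix, UNIQUE/GROUP).
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service",
    ("00", "GROUP"): "Domain Name",
    ("03", "UNIQUE"): "Messenger Service (computer or logged-on user)",
    ("20", "UNIQUE"): "File Server Service",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controllers (or Internet Information Server)",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
}

# One table row: name, <suffix>, UNIQUE/GROUP, status. Dots and spaces between the
# name and the suffix are assumed to be padding and are dropped.
ENTRY_RE = re.compile(
    r"^\s*(?P<name>\S.*?)[\s.]*<(?P<suffix>[0-9A-F]{2})>\s+(?P<type>UNIQUE|GROUP)\s+(?P<status>\S+)"
)
MAC_RE = re.compile(r"MAC Address = ([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_nbtstat(text):
    """Return (list of name-table rows as dicts, MAC address or None)."""
    rows, mac = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            key = (m.group("suffix"), m.group("type"))
            rows.append({"name": m.group("name"), "suffix": m.group("suffix"),
                         "type": m.group("type"), "status": m.group("status"),
                         "meaning": SUFFIX_MEANING.get(key, "not in table")})
            continue
        mm = MAC_RE.search(line)
        if mm:
            mac = mm.group(1)
    return rows, mac


def summarize(text):
    """Pull out the facts the Guide reads off the table by hand."""
    rows, mac = parse_nbtstat(text)

    def names(suffix, ntype):
        return [r["name"] for r in rows if r["suffix"] == suffix and r["type"] == ntype]

    unique_00 = names("00", "UNIQUE")
    hostname = unique_00[0] if unique_00 else None
    domains = names("00", "GROUP")
    return {
        "hostname": hostname,
        "domain": domains[0] if domains else None,
        "file_sharing": hostname in names("20", "UNIQUE"),
        "iis": any(n.upper() == "INET~SERVICES" for n in names("1C", "GROUP")),
        # a UNIQUE <03> name that is not the computer name is a logged-on user
        "logged_on_users": [n for n in names("03", "UNIQUE") if n != hostname],
        "mac": mac,
    }


if __name__ == "__main__":
    for row in parse_nbtstat(SAMPLE_NBTSTAT)[0]:
        print(f'{row["name"]:16} <{row["suffix"]}> {row["type"]:7} {row["meaning"]}')
    print(summarize(SAMPLE_NBTSTAT))
```

Pipe the output of nbtstat -a into this on one of your own machines and the summary tells you at a glance what a stranger on the Internet would learn about it without a password.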
When using nbtstat over the Internet, in most cases it will not find the correct MAC address. However, sometimes
you get lucky. That is part of the thrill of legal hacker exploration. OK, OK, maybe getting a thrill out of a MAC address
means I'm some kind of a freak. But if you are reading this, you probably are freaky enough to be a hacker, too.
**************
Newbie note: MAC stands for media access control. In theory every NIC ever made has a unique
MAC address, one that no other NIC has. In practice, however, some manufacturers make NICs that allow you to change the MAC
address.
**************
**************
Evil Genius tip: sneak your computer onto a LAN and use it to find the MAC address of a very
interesting computer. Crash it, then give yours the same MAC, NetBIOS name and Internet address as the very interesting computer.
Then see what you can do while faking being that computer. That's why I get a charge out of discovering a MAC address, so
stop laughing at me already.
**************
**************
You can get fired, expelled, busted and catch cooties warning: Faking all that stuff is something
you would be better off doing only on your own test network, or with written permission from the owner of the very interesting
computer.
**************
Now that we know some basic things about computer 10.0.0.2, also known as Oldguy, we can do some simple things
to learn more. We can connect to it with a web browser to see what's on the web site, and with ftp to see if it allows anonymous
users to download or upload files. In the case of Oldguy, anyone can browse the web site. However, when we try to connect
to its ftp server with Netscape by giving the location ftp://10.0.0.2, it returns the message "User Mozilla@ cannot log in."
**************
Newbie note: The people who programmed Netscape have always called it Mozilla, after a famous
old movie monster. As a joke they have stuck obscure mentions of Mozilla into the operations of Netscape. Mozilla lovers recently
spun off a pure Mozilla browser project that has the web site http://www.mozilla.org.
**************
The Net View Command
Now let's have some serious fun. Netscape (or any browser or ftp program) uses TCP/IP to connect. What happens
if we use NetBIOS instead to try to download files from Oldguy's ftp server?
Let's try some more NetBIOS commands:
C:\>net view \\10.0.0.2
System error 53 has occurred.
The network path was not found.
I got this message because my firewall blocked access to Oldguy, giving the message:
The firewall has blocked Internet access to 10.0.0.2 (TCP Port 445) from your computer [TCP Flags: S].
There's a good reason for this. My firewall/IDS is trying to keep me from carelessly making my computer a part
of some stranger's LAN. Keep in mind that NetBIOS is a two-way street. However, I want to run this command, so I shut down
Zone Alarm and give the command again:
C:\>net view \\10.0.0.2
Shared resources at \\10.0.0.2
Share name   Type   Used as   Comment
--------------------------------------------------------
ftproot      Disk
InetPub      Disk
wwwroot      Disk
The command completed successfully.
This is a list of shared directories. Oooh, look at that, the ftp server is shared. Does this mean I can get in?
When setting shares on a Windows NT server, the default choice is to allow access to read, write and delete files to everyone.
So sometimes a sysadmin carelessly fails to restrict access to a share.
What is really important is that we didn't need a user name or password to get this potentially compromising information.
Let's establish an anonymous connection to Oldguy, meaning we connect without giving it a user name or password:
C:\>net use \\10.0.0.2\ipc$
Local name
Remote name       \\10.0.0.2\IPC$
Resource type     IPC
Status            OK
# Opens           0
# Connections     1
The command completed successfully.
We are connected!
**********************
Newbie note: IPC (ipc$) stands for "Inter Process Connector", used to set up connections
across a network between Windows computers using NetBIOS.
**********************
What to Do Once you Are Connected
So far we haven't quite been breaking the law, although we have been getting pretty rude if the owner of that target
computer hasn't given us permission to explore. What if we want to stop pushing our luck and decide to disconnect? Just give
the message:
C:\>net session \\10.0.0.2 /delete
Of course you would substitute the name or number of the computer to which you are connected for 10.0.0.2.
What if you want to stay connected? Oldguy will let you stay connected even if you do nothing more. By contrast,
a login to a Unix/Linux type computer will normally time out and disconnect you if you go too long without doing anything.
How to Break in Using the XP GUI
You could try out the other net commands on Oldguy. Or you can go to the graphical user interface (GUI) of XP.
After running the above commands I click My Computer, then My Network Places and there you'll find the victim, er, I mean,
target computer. By clicking on it, I discover that ftproot has been shared to - everyone!
Let's say you were to get this far investigating some random computer you found on the Internet. Let's say you
had already determined that the ftp server isn't open to the public. At this moment you would have a little angel sitting
on one shoulder whispering "You can be a hero. Email the owner of that computer to tell him or her about that misconfigured ftproot."
On the other shoulder a little devil is sneering, "Show the luser no mercy. Information should be free. Because
I said so, that's why. Hot darn, are those spreadsheets from the accounting department? You could make a lot of bucks selling
those files to a competitor, muhahaha! Besides, you're so ugly that future cellmate Spike won't make you be his girlfriend."
Some hackers might think that because ftproot is shared to the world that it is OK to download stuff from it. However,
if someone were to log in properly to that ftp server, he or she would get the message "Welcome to Oldguy on Carolyn Meinel's
LAN. Use is restricted to only those for whom Meinel has assigned a user name and password." This warning logon banner is
all a computer owner needs to legally establish that no one is allowed to just break in. It won't impress a judge if a cracker
says "The owner was so lame that her computer deserved to get broken into" or "I'm so lame that I forgot to try to use the
ftp server the normal way."
More on the Net Commands
Let's get back to the net commands. There are many forms of this command. In XP you can learn about them with the
command:
C:\>net help
The syntax of this command is:
NET HELP command
     -or-
NET command /HELP
Commands available are:
   NET ACCOUNTS             NET HELP                 NET SHARE
   NET COMPUTER             NET HELPMSG              NET START
   NET CONFIG               NET LOCALGROUP           NET STATISTICS
   NET CONFIG SERVER        NET NAME                 NET STOP
   NET CONFIG WORKSTATION   NET PAUSE                NET TIME
   NET CONTINUE             NET PRINT                NET USE
   NET FILE                 NET SEND                 NET USER
   NET GROUP                NET SESSION              NET VIEW
   NET HELP SERVICES lists some of the services you can start.
   NET HELP SYNTAX explains how to read NET HELP syntax lines.
   NET HELP command | MORE displays Help one screen at a time.
How Crackers Break in as Administrator
As we look around Oldguy further, we see that there's not much else an anonymous user can do to it. We know that
there is a user named Administrator. What can we do if we can convince Oldguy that we are Administrator?
******************
Newbie note: in Windows NT, 2000 and XP, the Administrator user has total power over its
computer, just as root has total power over a Unix/Linux type computer. However, it is possible to change the name of Administrator
so an attacker has to guess which user has all the power.
******************
Let's try to log in as Administrator by guessing the password. Give the command:
C:\>net use \\10.0.0.2\ipc$ * /user:Administrator
Type the password for \\10.0.0.2\ipc$:
System error 1219 has occurred.
Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed.
Disconnect all previous connections to the server or shared resource and try again.
This means that someone else is currently logged onto this server who has Administrator rights. Furthermore, this
person is probably watching me on an IDS and thinking up terrible things to do to me. Eeep! Actually this is all going on
inside my hacker lab - but you get the idea of what it could be like when trying to invade a computer without permission.
I discover that whether I guess the password correctly or not, I always get the same error message. This is a good
safety feature. On the other hand, one of the users is named Administrator. This is a bad thing for the defender. When you
first set up a Windows NT or 2000 server, there is always a user called Administrator, and he or she has total power over
that computer. If you know the all-powerful user is named Administrator, you can try guessing the password whenever no one
is logged on with Administrator powers.
Computer criminals don't waste time guessing by hand. They use a program such as NAT or Legion to get passwords.
These programs are why smart NT administrators rename their Administrator accounts and choose hard passwords. Also, this kind
of persistent attack will be detected by an intrusion detection system, making it easy to catch criminals at work.
********************
You can get expelled warning: What if you are a student and you want to save your school
from malicious code kiddies who steal tests and change grades? It is important to get permission *in writing* before you test
the school's network. Even then, you still must be careful to be a model student. If you act up, cut classes - you know what
I mean - the first time a cracker messes up the network, who do you think they will suspect? Yes, it's unfair, and yes, that
is the way the world works.
********************
How to Scan for Computers that Use NetBIOS
Your tool of choice is a port scanner. Any computer that is running something on port 139 is likely (but not certain)
to be using NetBIOS. Most crackers use nmap to port scan. This tool runs on Unix/Linux type computers. You can get it at <http://www.insecurity.org/>. There is also a Windows version of nmap, but it isn't very
good. A better choice for Windows is Whats Up from <http://www.ipswitch.com/>.
You can get a one month free trial of it.
Here's an example of an nmap scan of Oldguy:
test-box:/home/cmeinel # nmap -sTU 10.0.0.2
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (10.0.0.2):
(The 3060 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
70/tcp     open        gopher
80/tcp     open        http
135/tcp    open        loc-srv
135/udp    open        loc-srv
137/udp    open        netbios-ns
138/udp    open        netbios-dgm
139/tcp    open        netbios-ssn
500/udp    open        isakmp
Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
As you can see from this scan, three ports are identified with NetBIOS. This tells us that we could set nmap to
scan a large number of Internet addresses, only looking for port 139 on each. To learn how to set up nmap to run this way,
in your Unix or Linux shell give the command "man nmap".
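As an added example (not from the Guide or from nmap itself), here is a Python script that reads an nmap listing like the one above, flags the ports that carry NetBIOS, and lists anything open that is not on an allow-list of services you meant to expose. That second check is the one to run against your own machines. The sample listing is copied from above; the port-line regular expression is an assumption about nmap 3.00's text output, and 445/tcp is on the NetBIOS list because the net view attempt earlier in this Guide was blocked on that port.

```python
import re

# Constructed sample: the nmap -sTU listing shown above, verbatim.
SAMPLE_NMAP = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (10.0.0.2):
(The 3060 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
70/tcp     open        gopher
80/tcp     open        http
135/tcp    open        loc-srv
135/udp    open        loc-srv
137/udp    open        netbios-ns
138/udp    open        netbios-dgm
139/tcp    open        netbios-ssn
500/udp    open        isakmp
Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
"""

# Assumed shape of one port line: "139/tcp    open        netbios-ssn".
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")

# NetBIOS name, datagram and session services, plus 445/tcp (the port the firewall
# blocked net view on above).
NETBIOS_PORTS = {(137, "udp"), (138, "udp"), (139, "tcp"), (445, "tcp")}


def parse_open_ports(text):
    """Return [(port, proto, service), ...] for every line nmap reports as open."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group("state") == "open":
            ports.append((int(m.group("port")), m.group("proto"), m.group("service")))
    return ports


def netbios_exposure(text):
    """Which of the open ports are NetBIOS ones, and whether the host exposes NetBIOS at all."""
    open_ports = parse_open_ports(text)
    flagged = sorted((p, proto) for p, proto, _ in open_ports if (p, proto) in NETBIOS_PORTS)
    return {"open": open_ports, "netbios": flagged, "exposed": bool(flagged)}


def unexpected_ports(text, allowed):
    """Everything open that is not on the allow-list of services you meant to run."""
    return sorted((p, proto) for p, proto, _ in parse_open_ports(text) if (p, proto) not in allowed)


if __name__ == "__main__":
    result = netbios_exposure(SAMPLE_NMAP)
    print("open ports:", result["open"])
    print("NetBIOS ports:", result["netbios"], "exposed:", result["exposed"])
    # Suppose this host is only meant to serve ftp and http.
    print("not on allow-list:", unexpected_ports(SAMPLE_NMAP, {(21, "tcp"), (80, "tcp")}))
```

Save a scan of your own box to a file, feed it to unexpected_ports with the services you actually intend to run, and the remainder is your to-do list for the firewall or the Services control panel.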
For more on what crackers do once they break into a computer using NetBIOS (like installing back doors), see http://happyhacker.org/gtmhh/vol3no10.shtml.
********************
You can get punched in the nose warning: if you use a port scanner against networks that
haven't given you permission to scan, you will be waving a red flag that says "Whaddaya wanna bet I'm a computer criminal?"
You can't get arrested for merely port scanning, but people who don't like being scanned might get you kicked off your Internet
service provider.
You can get really, big time, punched in the nose warning: If you visit the same computer or LAN really often to
see what's new and to try different things, even if you don't break the law you'd better be doing it with the permission of
the owner. Otherwise you may make enemies who might crash or destroy your operating system. And that is only what they may
do when feeling mellow. After a night of hard drinking - well, you don't want to find out.
********************
How to Play NetBIOS Wargames
What if you want to challenge your friends to a hacker wargame using NetBIOS? The first thing to do is *don't*
email me asking me to break in for you. Sheesh. Seriously, almost every day I get emails from people claiming to have permission
from their girlfriend/boyfriend and begging me to help them break in. You can read their hilarious pleas for help at http://happyhacker.org/sucks/.
The way to run a hacker wargame over the Internet is first, get permission from your Internet provider so they
don't kick you off for hacking. They probably run an IDS that scans users for suspicious activity. They probably hate malicious
hackers. Enough said.
Second, you and your friends are likely to be at a different Internet address every time you log on. Your safest
way to play over the Internet is for each player to get an Internet address that is the same every time he or she logs on:
a "static" address. This way you won't accidentally break into someone else's computer.
You have to arrange with your Internet provider to get a static address. Normally only a local provider can do
this for you. A big advantage of using a local provider is you can make friends with the people who work there - and they
are probably hackers.
If you live in an apartment building or dormitory with other hackers, you can play break-in games without using
the Internet. Set up a LAN where you can play together. For example, you can string Ethernet cable from window to window.
To learn how to set up a Windows Ethernet LAN, see http://happyhacker.org/gtmhh/winlan.shtml .
Or you could set up a wireless LAN. With wireless you never know who might come cruising with a laptop down the
street by your home or business and break in. That can make a wargame lots more fun. For help on how to break into wireless
LANs (it's pathetically easy), see <http://www.wardriving.com/>.
**************
Evil genius tip: Attack using a Win NT server with the Microsoft Resource Kit installed. Heh, heh. With it you can give the command:
C:\>Local Administrators \\<targetbox.com>
This should show all user accounts with administrator rights on targetbox.com.
C:\>Global Administrators \\<targetbox.com>
This should show all user accounts with Domain administrative rights. These are exceptionally worth compromising,
because with one Domain administrative password you will be able to control many resources among NT servers, workstations,
and Win 95/98 computers.
I've tried to install the Resource Kit on XP Professional, but it wasn't compatible.
Another option is to install hacker tools such as Red Button and DumpACL, which extract information on user names,
hashes, and which services are running on a given machine.
**************
Help for users of Windows 95, 98, SE or ME
To enable NetBIOS, click
Control Panel -> Network -> Protocols
If you see both NetBEUI and TCP/IP, you are already using NetBIOS. If not, add NetBEUI.
To bring up the command screen, click Start -> Run and type in command.com.
__________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org.
We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the
Internet and a new era of freedom of information. But we hate computer crime. So don't email us about any crimes you may have
committed!
Copyright 2002 Carolyn Meinel. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your
Web site as long as you leave this notice at the end.
How to Telnet with Windows XP
The queen of hacker commands is telnet. To get Windows help for
telnet, in the cmd.exe window give the command:
C:\>telnet /?
Here's what you will get:
telnet [-a][-e escape char][-f log file][-l user][-t term][host [port]]
 -a      Attempt automatic logon. Same as -l option except uses
         the currently logged on user's name.
 -e      Escape character to enter telnet client prompt.
 -f      File name for client side logging
 -l      Specifies the user name to log in with on the remote system.
         Requires that the remote system support the TELNET ENVIRON
         option.
 -t      Specifies terminal type.
         Supported term types are vt100, vt52, ansi and vtnt only.
 host    Specifies the hostname or IP address of the remote computer
         to connect to.
 port    Specifies a port number or service name.
****************
Newbie note: what is a port on a computer? A computer port is sort
of like a seaport. It's where things can go in and/or out of a computer. Some ports are easy to understand, like keyboard,
monitor, printer and modem. Other ports are virtual, meaning that they are created by software. When that modem port of yours
(or LAN or ISDN or DSL) is connected to the Internet, your computer has the ability to open or close any of over 65,000 different
virtual ports, and has the ability to connect to any of these on another computer - if it is running that port, and if a firewall
doesn't block it.
****************
****************
Newbie note: How do you address a computer over the Internet? There are two ways: by number or by name.
****************
The simplest use of telnet is to log into a remote computer. Give the command:
C:\>telnet targetcomputer.com
(substituting the name of the computer you want to telnet into for targetcomputer.com)
If this computer is set up to let people log into accounts, you may
get the message:
login:
Type your user name here, making sure to be exact. You can't swap between lower case and capital letters. For example,
user name Guest is not the same as guest.
****************
Newbie note: Lots of people email me asking how to learn what their
user name and password are. Stop laughing, darn it, they really do. If you don't know your user name and password, that means
whoever runs that computer didn't give you an account and doesn't want you to log on.
****************
Then comes the message:
Password:
Again, be exact in typing in your password.
What if this doesn't work?
Every day people write to me complaining they can't telnet. That is usually because they try to telnet into
a computer, or a port on a computer that is set up to refuse telnet connections. Here's what it might look like when
a computer refuses a telnet connection:
C:\>telnet 10.0.0.3
Connecting To 10.0.0.3...Could not open connection to the host, on port 23. A connection
attempt failed because the connected party did not properly respond after a period of time, or established connection failed
because connected host has failed to respond.
Or you might see:
C:\>telnet techbroker.com
Connecting To techbroker.com...Could not open connection to the host, on port 23.
No connection could be made because the target machine actively refused it.
If you just give the telnet command without giving a port number, it will automatically try to connect on port 23,
which sometimes runs a telnet server.
****************
Newbie note: your Windows computer has a telnet client program, meaning it will let you telnet out of it. However, you
have to install a telnet server before anyone can telnet into port 23 on your computer.
****************
If telnet failed to connect, possibly the computer you were trying to telnet into was down or just plain no longer in
existence. Maybe the people who run that computer don't want you to telnet into it.
How to Telnet into a Shell Account
Even though you can't telnet into an account inside some computer, often you can get some information back or get
that computer to do something interesting for you. Yes, you can get a telnet connection to succeed (without doing anything
illegal) against almost any computer, even if you don't have permission to log in. There are many legal things you can do
to many randomly chosen computers with telnet. For example:
C:\>telnet freeshell.org 22
SSH-1.99-OpenSSH_3.4p1
That tells us the target computer is running an SSH server, which enables encrypted connections between computers.
If you want to SSH into an account there, you can get a shell account for free at <http://freeshell.org/>.
You can get a free SSH client program from <http://winfiles.com/>.
One reason most hackers have shell accounts on Internet servers is because you can meet the real hackers there.
When you've logged in, give the command w or who. That gives a list of user names. You can talk to other users with the talk
command. Another fun thing, if your shell account allows it, is to give the command
ps -auxww
It might tell you what commands and processes other users are running. Ask other users what they are doing and
they might teach you something. Just be careful not to be a pest!
****************
You can get punched in the nose warning: Your online provider might kick you off for making telnet probes of other
computers. The solution is to get a local online provider and make friends with the people who run it, and convince them
you are just doing harmless, legal explorations.
****************
Sometimes a port is running an interesting program, but a firewall won't let you in. For example, 10.0.0.3, a computer
on my local area network, runs an email sending program (sendmail working together with Postfix, and using Kmail to compose
emails). I can use it from an account inside 10.0.0.3 to send emails with headers that hide from where I send things.
If I try to telnet to this email program from outside this computer, here's what happens:
C:\>telnet 10.0.0.3 25
Connecting To 10.0.0.3...Could not open connection to the host, on port 25.
No connection could be made because the target machine actively refused it.
However, if I log into an account on 10.0.0.3 and then telnet from inside to port 25, here's what I get:
Last login: Fri Oct 18 13:56:58 2002 from 10.0.0.1
Have a lot of fun...
cmeinel@test-box:~> telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1... [Carolyn's note: 127.0.0.1 is the numerical address meaning localhost, the same computer you are logged into]
Connected to localhost.
Escape character is '^]'.
220 test-box.local ESMTP Postfix
The reason I keep this port 25 hidden behind a firewall is to keep people from using it to try to break in or to forge
email. Now the ubergeniuses reading this will start to make fun of me because no Internet address that begins with 10. is
reachable from the Internet. However, sometimes I place this "test-box" computer online with a static Internet address,
meaning whenever it is on the Internet, it always has the same numerical address. I'm not going to tell you what its
Internet address is because I don't want anyone messing with it. I just want to mess with other people's computers with
it, muhahaha. That's also why I always keep my Internet address from showing up in the headers of my emails.
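Every telnet session quoted above does the same thing: open a TCP connection and print whatever the service volunteers first (the SSH-1.99 line from port 22, the 220 ESMTP line from port 25), or report why the connection failed. The Python script below is an added example, not part of the original guide, that does exactly that against throwaway listeners it starts itself on 127.0.0.1, so it runs offline. The two banners it serves are constructed copies of the ones shown in the guide, the port numbers are whatever the operating system hands out, and the listener names and the probe() function are this example's own. It also sorts the two Windows error messages from the port-23 examples: "actively refused it" is a closed port answering with a reset, while "did not properly respond after a period of time" is a connect timeout, which is what a firewall silently dropping packets, or a host that is down, looks like.

```python
import socket
import threading
import time

# Constructed banners, copied from the two sessions quoted in the guide.
SSH_BANNER = b"SSH-1.99-OpenSSH_3.4p1\r\n"
SMTP_BANNER = b"220 test-box.local ESMTP Postfix\r\n"

PROBE_TIMEOUT = 0.5   # seconds to wait for a connect or for a first line
SILENT_HOLD = 2.0     # how long the 'silent' stand-in keeps a client waiting


def start_listener(banner, silent=False):
    """Start a throwaway TCP listener on 127.0.0.1 (a stand-in for sshd or Postfix, demo only).
    Each client receives `banner` and is then disconnected; with silent=True the client is
    held open with no output, which is what a service that never speaks first looks like.
    Returns the port the OS assigned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if silent:
                    time.sleep(SILENT_HOLD)
                else:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port():
    """Pick a port nothing is listening on, to show what 'actively refused' looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host, port, timeout=PROBE_TIMEOUT):
    """Do what `telnet host port` does: connect and read the first line the service sends.
    Returns (status, detail) where status is one of:
      'banner'  - connected and the service spoke first; detail is its first line
      'silent'  - connected, but nothing arrived within `timeout`
      'refused' - host answered with a reset: port closed (Windows: 'actively refused it')
      'timeout' - no answer at all: host down or packets dropped by a firewall
                  (Windows: 'did not properly respond after a period of time')"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return ("silent", "")
            if not data:
                return ("silent", "")
            return ("banner", data.decode("ascii", "replace").splitlines()[0])
    except ConnectionRefusedError:
        return ("refused", "target actively refused the connection")
    except socket.timeout:
        return ("timeout", "no response from the host")
    except OSError as exc:
        return ("error", str(exc))


def identify(banner):
    """Name the protocol from its greeting, the way the guide reads the two banners."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 ") and "SMTP" in banner.upper():
        return "smtp"
    return "unknown"


def demo():
    """Probe the constructed listeners plus one closed port; returns the results by name."""
    targets = {
        "ssh": start_listener(SSH_BANNER),
        "smtp": start_listener(SMTP_BANNER),
        "silent": start_listener(b"", silent=True),
        "closed": free_closed_port(),
    }
    return {name: probe("127.0.0.1", port) for name, port in targets.items()}


if __name__ == "__main__":
    for name, (status, detail) in demo().items():
        print(f"{name:7} {status:8} {detail}")
```

The banner is the point from a defender's side as well: any service that greets with a version string tells whoever connects what it is running, which is the reason the guide keeps port 25 behind a firewall and the reason it is worth checking what your own hosts announce on each open port.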
***************
Newbie note: What is all this about headers? It's stuff at the beginning of an email that may - or may not - tell you
a lot about where it came from and when. To see full headers, in Outlook click view -> full headers. In Eudora, click the
"Blah blah blah" icon.
****************