9/14/11

                    COMPUTER ELECTRONIC MAIL AND PRIVACY
                    ====================================

                                     by

                             Ruel T. Hernandez

                             801 Cedarbend Way
                       Chula Vista, California 92010
                           (619) 421-6517 (voice)
                          (CompuServe: 71450,3341)
                         (GEnie Mail: R.HERNANDEZ)

                              January 11, 1987

               Copyright (c) 1986, 1987 by Ruel T. Hernandez


     (This is an edited version of a law school seminar paper I wrote at
California Western School of Law.  Another version of the paper, entitled
"Electronic Mail - Your Right to Privacy," by Ruel T. Hernandez as told to
Dan Gookin, was published as the cover story in The Byte Buyer, San Diego's
Microcomputer Magazine, volume 4, number 24, December 5, 1986.  That version
may also be found on their BBS at 619/226-3304 or 619/573-0359.  Note,
citations to the Electronic Communications Privacy Act of 1986 refer to the
final version passed by the House of Representatives on October 2, 1986,
which was passed by the Senate the day before, as listed in the
Congressional Record.)


                                INTRODUCTION

     Two years ago, legislation was introduced into Congress that sought to
provide federal statutory guidelines for privacy protection of computer
communications, such as electronic mail found on commercial computer systems
and on remote computer systems, commonly known as bulletin board systems
(BBS).  Old federal wiretap law only gave protection to normal audio
telephonic communications.  There was no contemplation of computers or their
operators using telephone lines to communicate.  The old federal wiretap law
regulated police interceptions of communications while they are being
transmitted on a telephone line.  Before the Electronic Communications
Privacy Act of 1986, the law did not provide guidelines for protecting the
transmitted message once it was stored within a computer system.


                                 QUESTIONS

     (1) Whether electronic mail and other intended private material stored
within an electronic computer communication system have Fourth Amendment
privacy protection?

     (2) Should private electronic mail and other such material be accorded
the protection guidelines as with telephone communication and the U.S. Mail?


                                  PROBLEM

     Law enforcement seeks criminal evidence stored as E-Mail on either a
local, user-supported BBS, or on a commercial computer service, such as
CompuServe, GEnie or The Source.  (Note, this situation is equally
applicable to personal, private data stored on a remote system for later
retrieval, as with CompuServe's online disk storage capabilities.)

     For instance, a computer user calls up a computer communication system.
Using the electronic mail function, he leaves a private message that can
only be read by an intended recipient.  The message is to inform the
recipient of a conspiracy plan to violate a federal or state criminal
statute.  Law enforcement gets a tip about the criminal activity and learns
that incriminating evidence may be found on the computer system.

     In 1982, such a situation occurred.  (Meeks, Brock, "Life at 300 Baud:
Crime on the BBS Network," Profiles, August, 1986, 12-13.)  A Detroit
federal grand jury, investigating a million-dollar cocaine ring, issued a
subpoena ordering a commercial service, The Source, to hand over private
subscriber data files.  The files were routinely backed up to guard against
system crashes.  The grand jury was looking for evidence to show that the
cocaine ring was using The Source as a communication base to send messages to
members of the ring.  With such evidence, the grand jury could implicate or
indict those suspected to be a part of the cocaine ring.  The Source refused
to obey the subpoena.  The prosecution argued The Source could not
vicariously assert a subscriber's privacy rights.  Constitutional rights are
personal and could only be asserted by the person whose rights are invaded.
Additionally, if the files containing messages were duplicated, any
reasonable expectation of privacy by users would be extinguished.  A court
battle ensued.  However, before a ruling could be made, the kingpin of the
cocaine ring entered a surprise guilty plea to federal drug trafficking
charges.  The case against The Source was discontinued.

     Publicly posted messages and other public material may be easily
retrieved by law enforcement.  It is the private material, such as E-Mail,
that poses the problem.

     Law enforcement's task is then to gather enough evidence to
substantiate a criminal case.  Specifically, they would want the E-Mail, or
other private files, transmitted by suspected criminals.  A computer
communications service, as keeper and transmitter of private electronic
messages, would not want to turn over the private data.


                           INADEQUACY OF OLD LAW

     Brock Meeks of Profiles magazine noted that as of August, 1986, "no ...
protection exist[ed] for electronic communications.  Any law enforcement
agency can, for example, confiscate a local BBS and examine all the message
traffic," including private files and E-Mail.  (Ibid.)

     In the next section, case law will be examined and statutory law prior
to the Electronic Communications Privacy Act of 1986 (ECPA) will be noted.
Seemingly applicable statutes, as they stood, provided no guidelines for
privacy protection of electronic computer communication systems, such as
CompuServe, GEnie, and local, user-operated BBSs.

CASE LAW

     There is little case law available on computer communications and
Fourth Amendment constitutional problems.  (M.D. Scott, Computer Law, 9-9
(1984 & Special Update, August 1, 1984).)  If not for the surprise
preemptive guilty plea, the above described Detroit case may have provided
guidance on computer communications and privacy issues.

     Of the available cases, Scott noted those that primarily dealt with
financial information found in bank and consumer credit organization
computers.  In U.S. v. Davey, 426 F.2d 842, 845 (2d Cir. 1970), the
government had the right to require the production of relevant information
wherever it may be lodged and regardless of the form in which it is kept and
the manner in which it may be retrieved, so long as it pays the reasonable
costs of retrieval.  In a California case, Burrows v. Superior Court, 13
Cal. 3d 238, 243, 118 Cal. Rptr. 166, 169 (1974), a depositor was found to
have a reasonable expectation that a bank would maintain the confidentiality
of both those papers in check form originating from the depositor and the
depositor's bank statements and records of those same checks.  However, in
U.S. v. Miller, 425 U.S. 435, 440 (1976), customer account records on a
bank's computer were held not to be private papers of the bank customer,
and, hence, there is no Fourth Amendment problem when they are subpoenaed
directly from the bank.

     The computer data and information in these cases have more of a
business character, in contrast to personal E-Mail found on remote computer
systems such as CompuServe or a local BBS.  Under the old law, a prosecutor,
as in the Detroit case, may try to analogize duplicated and backed-up E-Mail
to business situations where data on business computer databases are also
backed up.  Both types of computer data are stored on a system and then
later retrieved.  The provider of the remote computing service or the sysop
would counterargue that the nature of computers always requires the
duplication and backup of any computer data, whether the data files are
E-Mail or centrally-based financial or credit data.  Duplication does not
necessarily make E-Mail the same as financial or credit data stored in
business computers.  Centrally-based business information is more concerned
with data processing.  That information is generally stored and retrieved
by the same operator.  E-Mail is more concerned with personal
communications between individuals where the sender transmits a private
message to be retrieved only by an intended recipient.  The sender and the
recipient have subjective expectations of privacy that, when viewed
objectively, are reasonable.  Therefore, there is a constitutionally
protected expectation of privacy under Katz v. U.S., 389 U.S. 347, 88 S.Ct.
507, 19 L.Ed.2d 576 (1967).  However, the prosecution would note that under
California v. Ciraolo, -- U.S. --, 106 S.Ct. 1809 (1986), the users would
have to protect their electronic mail from any privacy intrusion.  The
provider or operator of the remote system has ultimate control of his
system.  He has complete access to all areas of the system.  He could easily
examine the material.  The prosecution would note that the user could not
reasonably protect his private data from provider or operator invasion.
This "knot-hole" would exclude any idea of privacy.  If there is no privacy,
there can be no search and therefore no Fourth Amendment constitutional
violation.  Law enforcement can retrieve the material.

FEDERAL WIRETAP STATUTES

     The federal wiretap statutes, before the Electronic Communications
Privacy Act of 1986, protected oral telephone communications from police
interceptions.  This protection was enacted in 1968 in response to
electronic eavesdropping by government.  (Cohodas, Nadine, "Congress Races
to Stay Ahead of Technology," Congressional Quarterly Weekly Report, May 31,
1986, 1235.)  Although E-Mail appears to come under the statute's definition
of "wire communication," under the old law that definition was limited to
audio transmissions by wire or cable and did not mention stored computer
data.  (18 U.S.C. sec. 2510(1).)  The old law required that an interception
of a wire communication be an aural acquisition of the communication.  (18
U.S.C. sec. 2510(4).)  Being "aural," the communication must be "heard."
Therefore, a computer communication may come under the old law while being
transmitted.  After a caller's message is "sent" on a remote computer
system, the message is then stored within the computer's system.  The
communication's conversion into computer-stored data, thus no longer in
transmission until retrieved, takes the communication out of the old
statutory protection.

     "Eighteen years ago ... Congress could not appreciate - or in some
cases even contemplate - [today's] telecommunications and computer
technology...."  (132 Cong. Rec. S7992 (daily ed. June 19, 1986) (statement
of Sen. Leahy).)

CALIFORNIA'S INVASION OF PRIVACY AND WIRETAP STATUTE

     California's "invasion of privacy" and wiretap statutes (Cal. Penal
Code sec. 630 et seq.) appear to provide state protection for BBSs.
California Penal Code sec. 637 reads as:

     Every person not a party to a telegraphic or telephonic
     communication who willfully discloses the contents of a
     telegraphic or telephonic message, or any part thereof, addressed
     to another person, without the permission of such person, unless
     directed so to do by the lawful order of a court, is punishable
     by imprisonment in the state prison, or in the county jail not
     exceeding one year, or by fine not exceeding five thousand
     dollars ($5000), or by both fine and imprisonment.

     Again, the question here would be whether "telegraphic or telephonic
messages" include computer communications via modem where a transmitted
message is subsequently stored within a computer awaiting retrieval by its
intended recipient.  Again, the storage of the data takes the computer
communications out of the statute.  When the statute was passed, the
California legislature, much like the Congress, could not foresee the
technological advances in computer communications.

     It should be noted that Assemblywoman Moore introduced legislation in
1985 that would have amended the California state constitution to explicitly
provide state constitutional privacy protection for remote computing
services and their stored information.  However, nothing has come of this.
Aside from political reasons for the lack of further action, one possible
legal argument against the amendment is that if computer privacy protection
is specified in the state constitution, more litigation may result, tying up
the courts in cases deciding whether or not there is privacy protection for
other unspecified matters.  Although, overall, the California state
constitution is much more specific than the United States Constitution, it
may be best not to be any more specific with regard to privacy.

PROTECTION FOR U.S. MAIL

     Statutory U.S. Mail protection provides a suggestion for statutory
provisions of privacy protection for E-Mail deposited in electronic
communication systems.  The unauthorized taking out of and examining of the
contents of mail held in a "depository for mail matter" before it is
delivered to the mail's intended recipient is punishable by fine,
imprisonment, or both.  (18 U.S.C. sec. 1702.)


                           SOLUTION - THE NEW LAW

     There are two methods towards a solution:  (1) court decisions; and (2)
new legislated privacy protection.

COURT DECISIONS

     Courts may have chosen to read computer communications protection into
the old federal wiretap statute or into existing state law.  However, they
were reluctant to do so.  Courts "are in no hurry to [revise or make new law
in this area] and some judges are openly asking Congress for help....
[F]ederal Appeals Court Judge Richard Posner in Chicago said Congress needed
to revise current law, adding that 'judges are not authorized to amend
statutes even to bring them up-to-date.'"  (Cohodas, Nadine, "Congress Races
to Stay Ahead of Technology," Congressional Quarterly Weekly Report, May 31,
1986, p. 1233.)

NEW STATUTE

     Last October 21, 1986, President Reagan signed the Electronic
Communications Privacy Act of 1986 amending the federal wiretap law.  The
new Act (P.L. 99-508) did not take immediate effect; it takes effect three
months after the signing - presumably January 21, 1987.  (P.L. 99-508, secs.
111 and 202.)

     When the new law does take effect, it would first provide privacy
protection for any

     'electronic communication' ... [by] any transfer of signs,
     signals, writing, images, sounds, data or intelligence of any
     nature transmitted in whole or in part by a wire, radio,
     electromagnetic, photoelectronic or photooptical system that
     affects interstate or foreign commerce...."

(18 U.S.C. sec. 2510(12).)

     Second, and more importantly for this discussion, ECPA would protect
"stored wire and electronic communications," i.e. E-Mail stored and backed
up on disk or tape on an electronic computer communication system.  (18
U.S.C. sec. 2701(a)(1) and (2).)  The legislation makes it a federal
criminal offense to break into any electronic system holding copies of
messages or to exceed authorized access to alter or obtain the stored
messages.  (Ibid.)

     The legislation would protect electronic computer communication systems
from law enforcement invasion of user E-Mail without a court order.  (18
U.S.C. sec. 2703.)  Although the burden of preventing invasion of the E-Mail
is placed on the subscriber or user of the system, the government must give
him notice allowing him fourteen days to file a motion to quash a subpoena
or to vacate a court order seeking disclosure of his computer data.  (18
U.S.C. sec. 2704(b).)  However, the government may give delayed notice when
there are exigent circumstances as listed by the Act (18 U.S.C. sec. 2705.)

     The legislation gives a civil cause of action to the provider or
operator, subscriber, customer or user of the system aggrieved by an
invasion of private material stored in the system in violation of ECPA.  (18
U.S.C. sec. 2707; see also 18 U.S.C. sec. 2520.)  If the provider or
operator has to disclose information stored on his system due to a court
order, warrant, subpoena, or certification under ECPA, there can be no cause
of action against him by any person aggrieved by such disclosure.  (18
U.S.C. sec. 2703(e); see also sec. 2702(b).)

     The electronic communications, under this new Act, must be sent by a
system that "affects interstate or foreign commerce."  (18 U.S.C. sec.
2510(12).)  The "electronic communications" may practically be limited to
electronic communications sent by common carrier telephone lines.

     There may be some question as to whether or not ECPA is confined to
commercial systems and does not cover user-operated bulletin board systems.
That would be similar to arguing the old federal wiretap law was confined to
long distance communications and not to local telephone calls.  The House
report (H.R. Rep. No. 99-647, 99th Cong. (1986)) indicates user-operated BBSs are
intended to be covered by the Act.  The House noted a difference between
commercial subscription systems and user-operated BBSs readily accessible by
the public.  However, it also noted the different levels of security found
on user-operated BBSs, i.e. the difference between system areas containing
private electronic mail and other areas containing public information.
Electronic communications that the operator attempts to keep confidential
would be protected by ECPA, while there would be no liability for access to
features configured to be readily accessible by the general public.
Language in the Act also refers to "the person or entity providing the wire
or electronic communication service."  Such language may be seen to indicate
the inclusion of individuals who operate a BBS.  (18 U.S.C. secs. 2701(c)(1)
and 2702(a)(1) and (b).)  Additionally, a remote computing service was
defined in the Act as an electronic communications system that provides
computer storage or processing services to the public.  (18 U.S.C. sec.
2710(2).)  This would certainly be applicable to a user-operated BBS that
is easily accessible to public with the simple dialing of a telephone number
by a modem-equipped computer.  On the political side, Senator Leahy, a
principal sponsor of the Act, was reported to have been "soliciting [users
and operators' of BBSs] comments and encourage sensitivity to the needs of
BBS's in the legislation....  They are ... willing to listen to our side of
things."  (BBSLAW02.MSG, dated 07/24/85, information from Chip Berlet,
Secretary, National Lawyers Guild Civil Liberties Committee, transmitted by
Paul Bernstein, SYSOP, LAW MUG, Chicago, Illinois 312/280-8180, regarding
Federal Legislation Affecting Computer Bulletin Boards, deposited on The
Legacy Network 213/553-1473.)


                                 CONCLUSION

     Electronic mail stored on computer communication systems has Fourth
Amendment constitutional privacy protection.  Unfortunately, before the
Electronic Communications Privacy Act of 1986, such protection was not
articulated by federal or state statutory guidelines.  Case law also did
not provide any helpful guidance.  The peculiarities of computers and
computer storage posed problems which were not addressed by the old wiretap
laws.  They were also problems that constitutional privacy doctrine, as
defined by the United States Supreme Court, did not resolve.  A legislative
solution was required and was provided for by ECPA.

     [For more information on ECPA, see 132 Cong. Rec. H8977 (daily ed.
October 2, 1986) or "Major Provisions of 1986 Electronic Privacy Act,"
Congressional Quarterly Weekly Report, October 11, 1986, 2558.]

The Magic of NetBIOS
In this guide you will learn how to explore the Internet using Windows XP and NetBIOS:
* How to Install NetBIOS
* How to Use Nbtstat
* The Net View Command
* What to Do Once You Are Connected
* How to Break in Using the XP GUI
* More on the Net Commands
* How Crackers Break in as Administrator
* How to Scan for Computers that Use NetBIOS
* How to Play NetBIOS Wargames
* An Evil Genius Tip for Win NT Server Users
* Help for Windows 95, 98, SE and ME Users
Not many computers are reachable over the Internet using NetBIOS commands - maybe only a few million. But what the heck, a few million is enough to keep a hacker from getting bored. And if you know what to look for, you will discover that there are a lot of very busy hackers and Internet worms searching for computers they can break into by using NetBIOS commands. By learning the dangers of NetBIOS, you can get an appreciation for why it is a really, truly BAD!!! idea to use it.
*****************
Newbie note: a worm is a program that reproduces itself. For example, Code Red automatically searched over the Internet for vulnerable Windows computers and broke into them. So if you see an attempt to break into your computer, it may be either a human or a worm.
*****************
If you run an intrusion detection system (IDS) on your computer, you are certain to get a lot of alerts of NetBIOS attacks. Here's an example:
The firewall has blocked Internet access to your computer (NetBIOS Session) from 10.0.0.2 (TCP Port 1032) [TCP Flags: S].
Occurred: 2 times between 10/29/2002 7:38:20 AM and 10/29/2002 7:46:18 AM
A Windows NT server on my home network, which has addresses that all start with 10.0.0, caused these alerts. In this case the server was just doing its innocent thing, looking for other Windows computers on my LAN (local area network) that might need to network with it. Every now and then, however, an attacker might pretend to have an address from your internal network even though it is attacking from outside.
If a computer from out on the Internet tries to open a NetBIOS session with one of mine, I'll be mighty suspicious. Here's one example of what an outside attack may look like:
The firewall has blocked Internet access to your computer (NetBIOS Name) from 999.209.116.123 (UDP Port 1028).
Time: 10/30/2002 11:10:02 AM
(The attacker's IP address has been altered to protect the innocent or the guilty, as the case may be.)
Want to see how intensely crackers and worms are scanning the Internet for potential NetBIOS targets? A really great and free IDS for Windows that is also a firewall is Zone Alarm. You can download it for free from http://www.zonelabs.com . You can set it to pop up a warning on your screen whenever someone or some worm attacks your computer. You will almost certainly get a NetBIOS attack the first day you use your IDS.
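Added example, not part of the original guide: a small Python triage script for ZoneAlarm-style alert lines like the two quoted above. It pulls out the NetBIOS service, source address, protocol and port from each line, then tags the source as coming from the home LAN (assumed here to be 10.0.0.0/24, since the guide's LAN "starts with 10.0.0"), from some other RFC 1918 range (which should never arrive from the Internet, so it points at spoofing or a mis-routed packet), from the public Internet, or as syntactically invalid (the guide's deliberately altered 999.x.x.x address). The sample lines are constructed: the two from the guide plus two made up for the other cases.

```python
"""Triage ZoneAlarm-style NetBIOS alerts by where the source address lives.

Added example for this guide; the alert lines below are constructed
(two copied from the guide, two invented), not a captured log.
"""
import ipaddress
import re
from collections import Counter

# Assumed home LAN: the guide only says its addresses "start with 10.0.0".
HOME_LAN = ipaddress.ip_network('10.0.0.0/24')

# RFC 1918 ranges checked explicitly (ipaddress.is_private also covers
# documentation ranges such as 203.0.113.0/24, which we want to treat
# as "external" here).
RFC1918 = [ipaddress.ip_network(n)
           for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]

ALERT_RE = re.compile(
    r'\((?P<service>NetBIOS (?:Name|Datagram|Session))\) from '
    r'(?P<src>[\d.]+) \((?P<proto>TCP|UDP) Port (?P<port>\d+)\)')

SAMPLE_ALERTS = """\
The firewall has blocked Internet access to your computer (NetBIOS Session) from 10.0.0.2 (TCP Port 1032) [TCP Flags: S].
The firewall has blocked Internet access to your computer (NetBIOS Name) from 999.209.116.123 (UDP Port 1028).
The firewall has blocked Internet access to your computer (NetBIOS Name) from 203.0.113.45 (UDP Port 137).
The firewall has blocked Internet access to your computer (NetBIOS Datagram) from 192.168.77.9 (UDP Port 138).
"""


def classify_source(src: str, home_lan=HOME_LAN) -> str:
    """'lan' | 'other-private' | 'external' | 'invalid' for a source address."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:          # e.g. the guide's altered 999.x.x.x address
        return 'invalid'
    if ip in home_lan:
        return 'lan'
    if any(ip in net for net in RFC1918):
        return 'other-private'  # private space that is not ours: spoofed or mis-routed
    return 'external'


def parse_alerts(text: str) -> list:
    """Turn alert lines into dicts; lines without a NetBIOS alert are skipped."""
    records = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec['port'] = int(rec['port'])
        rec['origin'] = classify_source(rec['src'])
        records.append(rec)
    return records


def suspicious(records: list) -> list:
    """Anything not from the home LAN deserves a look; 'invalid' is a
    logging artefact rather than traffic, so it is reported separately."""
    return [r for r in records if r['origin'] in ('external', 'other-private')]


def summarize(records: list) -> Counter:
    """Counts by (origin, service), handy for spotting a scan in progress."""
    return Counter((r['origin'], r['service']) for r in records)


if __name__ == '__main__':
    recs = parse_alerts(SAMPLE_ALERTS)
    for r in recs:
        print(f"{r['origin']:<14} {r['service']:<16} {r['src']:<16} {r['proto']}/{r['port']}")
    print(summarize(recs))
    print('needs a look:', [r['src'] for r in suspicious(recs)])
```

The script only reads the alert text, so it can be pointed at a saved ZoneAlarm log without touching the network. Sources tagged other-private are the interesting ones: a packet claiming to come from 192.168.x.x arriving on an Internet-facing interface is either a spoof or a misconfigured upstream, and in both cases worth a firewall rule rather than just a popup.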
Do you need to worry when a NetBIOS attack hits? Only if you have enabled NetBIOS and Shares on your computer. Unfortunately, in order to explore other computers using NetBIOS, you increase the danger to your own computer from attack by NetBIOS. But, hey, to paraphrase a famous carpenter from Galilee, he who lives by the NetBIOS gets hacked by the NetBIOS.
********************
Newbie note: NetBEUI (NetBIOS Extended User Interface) is an out-of-date, crummy, not terribly secure way for Windows computers to communicate with each other in a peer-to-peer mode. NetBIOS stands for network basic input/output system.
Newbie note: Shares are when you make it so other computers can access files and directories on your computer. If you set up your computer to use NetBIOS, in Win XP using the NTFS (new technology file system) you can share files and directories by bringing up My Computer. Click on a directory - which in XP is called a "folder". In the left-hand column a task will appear called "Share this folder". By clicking this you can set who can access this folder, how many people at a time can access it, and what they can do with the folder.
********************
There are a number of network exploration commands that only work over NetBIOS. We will show how to use nbtstat and several versions of the net command.
How to Install NetBIOS
You might have to make changes on your system in order to use these commands. Here's how to enable NetBIOS for Windows XP. (If you are stuck with Windows 95, 98, SE or ME, see the end of this Guide for how to enable NetBIOS.) Click:
Control Panel -> Network Connections
There are two types of network connections that may appear here: "Dial-up" and "LAN or High-Speed Internet".
**************
Newbie note: A dial-up connection uses a modem to reach the Internet. LAN stands for local area network. It's what you have if two or more computers are linked to each other with a cable instead of modems. Most schools and businesses have LANs, as well as homes with Internet connection sharing. A DSL or cable modem connection will also typically show up as a LAN connection.
**************
To configure your connections for hacking, double click on the connection you plan to use. That brings up a box that has a button labeled "Properties". Clicking it brings up a box that says "This connection uses the following items:"
You need to have both TCP/IP and NWLink NetBIOS showing. If NWLink NetBIOS is missing, here's how to add it. Click Install -> Protocol -> Add NWLink IPX/SPX/NetBIOS Compatible Transport Protocol. (Strictly speaking, the nbtstat and net commands used against machines out on the Internet ride on NetBIOS over TCP/IP, which is UDP ports 137 and 138 plus TCP port 139, or on direct SMB over TCP port 445; NWLink only matters for IPX networks. What does matter is that "Enable NetBIOS over TCP/IP" is selected under Internet Protocol (TCP/IP) -> Properties -> Advanced -> WINS tab.)
**************
Newbie note: NWLink refers to Novell's Netware protocol for running a LAN.
**************
How to Use Nbtstat
To get started, bring up the cmd.exe command prompt. Click Start -> Run and type cmd.exe in the command line box. This brings up a black screen with white letters. Once it is up, we will play with the nbtstat command. To get help for this command, just type it with no arguments, or with the /? switch:
C:\>nbtstat /?
One way to use the nbtstat command is to try to get information from another computer using either its domain name (for example test.target.com), its numerical Internet address (for example, happyhacker.org's numerical address is 206.61.52.30), or its NetBIOS name (if you are on the same LAN). Note that the lower-case -a switch expects a name and the upper-case -A switch expects a numerical address; Windows is often forgiving about this, but if -a fails against a bare IP address, use -A instead.
C:\>nbtstat -a 10.0.0.2
Local Area Connection:
Node IpAddress: [10.0.0.1] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
OLDGUY <00> UNIQUE Registered
OLDGUY <20> UNIQUE Registered
WARGAME <00> GROUP Registered
INet~Services <1C> GROUP Registered
IS~OLDGUY......<00> UNIQUE Registered
OLDGUY <03> UNIQUE Registered
WARGAME <1E> GROUP Registered
ADMINISTRATOR <03> UNIQUE Registered
MAC Address = 52-54-00-E4-6F-40
What do these things tell us about this computer? Following is a table explaining the codes you may see with an nbtstat command (taken from the MH Desk Reference, written by the Rhino9 team).
Name                 Number  Type  Usage
=================================================================
<computername>       00      U     Workstation Service
<computername>       01      U     Messenger Service
<\\_MSBROWSE_>       01      G     Master Browser
<computername>       03      U     Messenger Service
<computername>       06      U     RAS Server Service
<computername>       1F      U     NetDDE Service
<computername>       20      U     File Server Service
<computername>       21      U     RAS Client Service
<computername>       22      U     Exchange Interchange
<computername>       23      U     Exchange Store
<computername>       24      U     Exchange Directory
<computername>       30      U     Modem Sharing Server Service
<computername>       31      U     Modem Sharing Client Service
<computername>       43      U     SMS Client Remote Control
<computername>       44      U     SMS Admin Remote Control Tool
<computername>       45      U     SMS Client Remote Chat
<computername>       46      U     SMS Client Remote Transfer
<computername>       4C      U     DEC Pathworks TCPIP Service
<computername>       52      U     DEC Pathworks TCPIP Service
<computername>       87      U     Exchange MTA
<computername>       6A      U     Exchange IMC
<computername>       BE      U     Network Monitor Agent
<computername>       BF      U     Network Monitor Apps
<username>           03      U     Messenger Service
<domain>             00      G     Domain Name
<domain>             1B      U     Domain Master Browser
<domain>             1C      G     Domain Controllers
<domain>             1D      U     Master Browser
<domain>             1E      G     Browser Service Elections
<INet~Services>      1C      G     Internet Information Server
<IS~Computer_name>   00      U     Internet Information Server
(Type: U = a unique name registered by one machine; G = a group name shared by several.)
To keep this Guide from being ridiculously long, we'll just explain a few of the things we learned when we ran nbtstat -a against 10.0.0.2:
* it uses NetBIOS
* its NetBIOS name is Oldguy
* one of the users is named Administrator
* it runs a web site with Internet Information Server, and maybe an ftp - file transfer protocol -- server
* it is a member of the domain Wargame
* it is connected on a local area network, and the reply reported that its Ethernet network interface card (NIC) has the MAC address 52-54-00-E4-6F-40.
That MAC address is supplied by the remote machine itself inside its node status reply (RFC 1002 calls it the UNIT_ID in the statistics field); nbtstat does not look it up in your own ARP table. When using nbtstat over the Internet, in most cases it will not find the correct MAC address. However, sometimes you get lucky. That is part of the thrill of legal hacker exploration. OK, OK, maybe getting a thrill out of a MAC address means I'm some kind of a freak. But if you are reading this, you probably are freaky enough to be a hacker, too.
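The name table nbtstat prints is the remote host's answer to a NetBIOS node status (NBSTAT) query sent to UDP port 137, laid out in RFC 1001/1002. The Python below is an added example, not code from the original guide: it builds that query byte for byte, parses a reply into the same name/suffix/type fields as the table above, and pulls the MAC address out of the reply's statistics block (which is why nbtstat can show it at all). The reply decoded in the demo is constructed here to mirror the Oldguy listing, not captured from a real host; query_host sends a live query and is only for machines you are authorised to probe. The abridged suffix dictionary and the Oldguy sample data are assumptions of this example.

```python
"""NetBIOS node status (NBSTAT) query and reply, per RFC 1001/1002.

Added example for this guide. The reply parsed in the demo is constructed
to mirror the Oldguy table above; it was not captured from a real host.
"""
import socket
import struct

NBSTAT_TYPE = 0x0021   # RR type of a node status request/response
NBNS_PORT = 137

# Abridged from the suffix table above; key is (suffix byte, 'UNIQUE'|'GROUP').
SUFFIX_USAGE = {
    (0x00, 'UNIQUE'): 'Workstation Service',
    (0x00, 'GROUP'):  'Domain Name',
    (0x03, 'UNIQUE'): 'Messenger Service',
    (0x1B, 'UNIQUE'): 'Domain Master Browser',
    (0x1C, 'GROUP'):  'Domain Controllers / Internet Information Server',
    (0x1D, 'UNIQUE'): 'Master Browser',
    (0x1E, 'GROUP'):  'Browser Service Elections',
    (0x20, 'UNIQUE'): 'File Server Service',
}

# Constructed sample mirroring the Oldguy listing: (name, suffix, type).
OLDGUY_SAMPLE = [
    ('OLDGUY', 0x00, 'UNIQUE'), ('OLDGUY', 0x20, 'UNIQUE'),
    ('WARGAME', 0x00, 'GROUP'), ('INet~Services', 0x1C, 'GROUP'),
    ('IS~OLDGUY', 0x00, 'UNIQUE'), ('OLDGUY', 0x03, 'UNIQUE'),
    ('WARGAME', 0x1E, 'GROUP'), ('ADMINISTRATOR', 0x03, 'UNIQUE'),
]
OLDGUY_MAC = bytes.fromhex('525400E46F40')


def encode_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 sec. 14.1): 16 raw bytes, each split into
    two nibbles offset by 'A', wrapped as one 32-byte label plus terminator.
    The wildcard '*' is padded with NULs; ordinary names with spaces."""
    if name == '*':
        raw = b'*' + b'\x00' * 15
    else:
        raw = name.upper().encode('ascii')[:15].ljust(15) + bytes([suffix])
    label = bytearray()
    for b in raw:
        label += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([len(label)]) + bytes(label) + b'\x00'


def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """Header: ID, flags 0 (query, unicast), QDCOUNT 1; question '*' NBSTAT IN."""
    header = struct.pack('>HHHHHH', txid, 0x0000, 1, 0, 0, 0)
    question = encode_name('*') + struct.pack('>HH', NBSTAT_TYPE, 0x0001)
    return header + question


def parse_nbstat_response(data: bytes) -> dict:
    """Decode a node status response into names, suffixes, types and MAC."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from('>HHHHHH', data, 0)
    if not flags & 0x8000 or ancount < 1:
        raise ValueError('not a node status response')
    off = 12
    off += 1 + data[off] + 1                      # skip the RR's encoded name
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from('>HHIH', data, off)
    off += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError('unexpected RR type 0x%04x' % rtype)
    num_names, off = data[off], off + 1
    names = []
    for _ in range(num_names):                    # 18 bytes per NODE_NAME entry
        raw, suffix = data[off:off + 15], data[off + 15]
        nflags = struct.unpack_from('>H', data, off + 16)[0]
        off += 18
        kind = 'GROUP' if nflags & 0x8000 else 'UNIQUE'   # G bit (RFC 1002 4.2.18)
        names.append({'name': raw.rstrip(b' \x00').decode('ascii', 'replace'),
                      'suffix': suffix, 'type': kind,
                      'usage': SUFFIX_USAGE.get((suffix, kind), 'unknown')})
    unit_id = data[off:off + 6]                   # first field of STATISTICS = MAC
    return {'txid': txid, 'names': names,
            'mac': '-'.join('%02X' % b for b in unit_id)}


def build_nbstat_response(txid: int, names, mac: bytes) -> bytes:
    """Construct a reply in the RFC 1002 layout (used for the offline demo)."""
    rdata = bytes([len(names)])
    for name, suffix, kind in names:
        nflags = (0x8000 if kind == 'GROUP' else 0) | 0x0400      # G bit, ACT bit
        rdata += name.encode('ascii')[:15].ljust(15) + bytes([suffix])
        rdata += struct.pack('>H', nflags)
    rdata += mac + bytes(40)                      # UNIT_ID, then zeroed counters
    header = struct.pack('>HHHHHH', txid, 0x8400, 0, 1, 0, 0)  # response, authoritative
    rr = encode_name('*') + struct.pack('>HHIH', NBSTAT_TYPE, 0x0001, 0, len(rdata))
    return header + rr + rdata


def query_host(ip: str, timeout: float = 2.0) -> dict:
    """Live query of UDP/137 on ip. Only for hosts you are authorised to probe."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(), (ip, NBNS_PORT))
        data, _ = s.recvfrom(2048)
    return parse_nbstat_response(data)


def demo() -> dict:
    """Round-trip the constructed Oldguy reply through the parser."""
    return parse_nbstat_response(build_nbstat_response(0x1234, OLDGUY_SAMPLE, OLDGUY_MAC))


if __name__ == '__main__':
    result = demo()
    for n in result['names']:
        print(f"{n['name']:<16} <{n['suffix']:02X}>  {n['type']:<7} {n['usage']}")
    print('MAC Address =', result['mac'])
```

Two details are worth noticing. The encoded wildcard name starts with the bytes "CK" followed by thirty "A"s, which is a reliable signature for NBSTAT probes in packet captures. And the MAC is simply the first six bytes of the statistics block the remote host chose to send back, so it tells you what the target reports, not what is on the wire.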
**************
Newbie note: MAC stands for media access control. In theory every NIC ever made has a unique MAC address, one that no other NIC has. In practice, however, some manufacturers make NICs that allow you to change the MAC address.
**************
**************
Evil Genius tip: sneak your computer onto a LAN and use it to find the MAC address of a very interesting computer. Crash it, then give yours the same MAC, NetBIOS name and Internet address as the very interesting computer. Then see what you can do while faking being that computer. That's why I get a charge out of discovering a MAC address, so stop laughing at me already.
**************
**************
You can get fired, expelled, busted and catch cooties warning: Faking all that stuff is something you would be better off doing only on your own test network, or with written permission from the owner of the very interesting computer.
**************
Now that we know some basic things about computer 10.0.0.2, also known as Oldguy, we can do some simple things to learn more. We can connect to it with a web browser to see what's on the web site, and with ftp to see if it allows anonymous users to download or upload files. In the case of Oldguy, anyone can browse the web site. However, when we try to connect to its ftp server with Netscape by giving the location ftp://10.0.0.2, it returns the message "User Mozilla@ cannot log in."
**************
Newbie note: The people who programmed Netscape have always called it Mozilla, after a famous old movie monster. As a joke they have stuck obscure mentions of Mozilla into the operations of Netscape. Mozilla lovers recently spun off a pure Mozilla browser project that has the web site http://www.mozilla.org.
**************
The Net View Command
Now let's have some serious fun. Netscape (or any browser or ftp program) talks to the web and ftp services over plain TCP/IP. What happens if we use Windows file sharing instead - SMB over NetBIOS (TCP port 139) or direct SMB on TCP port 445 - to get at the files behind Oldguy's ftp server?
Let's try some more NetBIOS commands:
C:\>net view \\10.0.0.2
System error 53 has occurred.
The network path was not found.
I got this message because my firewall blocked access to Oldguy, giving the message:
The firewall has blocked Internet access to 10.0.0.2 (TCP Port 445) from your computer [TCP Flags: S].
There's a good reason for this. My firewall/IDS is trying to keep me from carelessly making my computer a part of some stranger's LAN. Keep in mind that NetBIOS is a two-way street. However, I want to run this command, so I shut down Zone Alarm and give the command again:
C:\>net view \\10.0.0.2
Shared resources at \\10.0.0.2
Share name Type Used as Comment
--------------------------------------------------------
ftproot Disk
InetPub Disk
wwwroot Disk
The command completed successfully.
This is a list of shared directories. Oooh, look at that, the ftp server is shared. Does this mean I can get in? When setting shares on a Windows NT server, the default choice is to allow access to read, write and delete files to everyone. So sometimes a sysadmin carelessly fails to restrict access to a share.
What is really important is that we didn't need a user name or password to get this potentially compromising information.
Let's establish an anonymous connection to Oldguy, meaning we connect without giving it a user name or password:
C:\>net use \\10.0.0.2\ipc$
Local name
Remote name \\10.0.0.2\IPC$
Resource type IPC
Status OK
# Opens 0
# Connections 1
The command completed successfully.
We are connected!
**********************
Newbie note: IPC (ipc$) stands for "Inter Process Connector", used to set up connections across a network between Windows computers using NetBIOS.
**********************
What to Do Once you Are Connected
So far we haven't quite been breaking the law, although we have been getting pretty rude if the owner of that target computer hasn't given us permission to explore. What if we want to stop pushing our luck and decide to disconnect? Just give the command:
C:\>net session \\10.0.0.2 /delete
Of course you would substitute the name or number of the computer to which you are connected for 10.0.0.2.
What if you want to stay connected? Oldguy will let you stay connected even if you do nothing more. By contrast, a login to a Unix/Linux type computer will normally time out and disconnect you if you go too long without doing anything.
How to Break in Using the XP GUI
You could try out the other net commands on Oldguy. Or you can go to the graphical user interface (GUI) of XP. After running the above commands I click My Computer, then My Network Places and there you'll find the victim, er, I mean, target computer. By clicking on it, I discover that ftproot has been shared to - everyone!
Let's say you were to get this far investigating some random computer you found on the Internet. Let's say you had already determined that the ftp server isn't open to the public. At this moment you would have a little angel sitting on one shoulder whispering "You can be a hero. Email the owner of that computer to tell him or her about that misconfigured ftproot."
On the other shoulder a little devil is sneering, "Show the luser no mercy. Information should be free. Because I said so, that's why. Hot darn, are those spreadsheets from the accounting department? You could make a lot of bucks selling those files to a competitor, muhahaha! Besides, you're so ugly that future cellmate Spike won't make you be his girlfriend."
Some hackers might think that because ftproot is shared to the world that it is OK to download stuff from it. However, if someone were to log in properly to that ftp server, he or she would get the message "Welcome to Oldguy on Carolyn Meinel's LAN. Use is restricted to only those for whom Meinel has assigned a user name and password." This warning logon banner is all a computer owner needs to legally establish that no one is allowed to just break in. It won't impress a judge if a cracker says "The owner was so lame that her computer deserved to get broken into" or "I'm so lame that I forgot to try to use the ftp server the normal way."

More on the Net Commands
Let's get back to the net commands. There are many forms of this command. In XP you can learn about them with the command:
C:\>net help
The syntax of this command is:

NET HELP
command
     -or-
NET command /HELP

   Commands available are:

   NET ACCOUNTS             NET HELP                 NET SHARE
   NET COMPUTER             NET HELPMSG              NET START
   NET CONFIG               NET LOCALGROUP           NET STATISTICS
   NET CONFIG SERVER        NET NAME                 NET STOP
   NET CONFIG WORKSTATION   NET PAUSE                NET TIME
   NET CONTINUE             NET PRINT                NET USE
   NET FILE                 NET SEND                 NET USER
   NET GROUP                NET SESSION              NET VIEW

   NET HELP SERVICES lists some of the services you can start.
   NET HELP SYNTAX explains how to read NET HELP syntax lines.
   NET HELP command | MORE displays Help one screen at a time.
How Crackers Break in as Administrator
As we look around Oldguy further, we see that there's not much else an anonymous user can do to it. We know that there is a user named Administrator. What can we do if we can convince Oldguy that we are Administrator?
******************
Newbie note: in Windows NT, 2000 and XP, the Administrator user has total power over its computer, just as root has total power over a Unix/Linux type computer. However, it is possible to change the name of Administrator so an attacker has to guess which user has all the power.
******************
Let's try to log in as Administrator by guessing the password. Give the command:
C:\>net use \\10.0.0.2\ipc$ * /user:Administrator
Type the password for \\10.0.0.2\ipc$:
System error 1219 has occurred.
Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
This means that someone else is currently logged onto this server who has Administrator rights. Furthermore, this person is probably watching me on an IDS and thinking up terrible things to do to me. Eeep! Actually this is all going on inside my hacker lab - but you get the idea of what it could be like when trying to invade a computer without permission.
I discover that whether I guess the password correctly or not, I always get the same error message. This is a good safety feature. On the other hand, one of the users is named Administrator. This is a bad thing for the defender. When you first set up a Windows NT or 2000 server, there is always a user called Administrator, and he or she has total power over that computer. If you know the all-powerful user is named Administrator, you can try guessing the password whenever no one is logged on with Administrator powers.
Computer criminals don't waste time guessing by hand. They use a program such as NAT or Legion to get passwords. These programs are why smart NT administrators rename their Administrator accounts and choose hard passwords. Also, this kind of persistent attack will be detected by an intrusion detection system, making it easy to catch criminals at work.
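The detection that the paragraph above counts on, as an added example that is not from the article or its author: a small sliding-window detector run over constructed Security log records. Event IDs 529 and 528 are the Windows NT/2000/XP logon-failure and logon-success events (4625 and 4624 on Vista and later); the record layout, the sample data, the threshold of five failures and the two-minute window are all assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the shape of the Windows NT/2000/XP Security
# log (not a real export).  Event ID 529 is "Logon Failure: unknown user name
# or bad password"; 528 is a successful logon.  A real export carries many more
# fields; only the ones the detector needs are kept here:
#   (timestamp, event id, target account, source workstation)
SAMPLE_EVENTS = [
    ("2003-06-01 22:14:01", 529, "Administrator", r"\\10.0.0.1"),
    ("2003-06-01 22:14:03", 529, "Administrator", r"\\10.0.0.1"),
    ("2003-06-01 22:14:05", 529, "cmeinel",       r"\\10.0.0.7"),  # one typo
    ("2003-06-01 22:14:06", 529, "Administrator", r"\\10.0.0.1"),
    ("2003-06-01 22:14:08", 529, "Administrator", r"\\10.0.0.1"),
    ("2003-06-01 22:14:11", 529, "Administrator", r"\\10.0.0.1"),  # 5th failure
    ("2003-06-01 22:14:14", 529, "Administrator", r"\\10.0.0.1"),
    ("2003-06-01 22:14:20", 528, "Administrator", r"\\10.0.0.1"),  # success after burst
    ("2003-06-01 22:30:00", 529, "cmeinel",       r"\\10.0.0.7"),  # 16 min later
    ("2003-06-01 22:31:00", 528, "cmeinel",       r"\\10.0.0.7"),  # normal user
]

FAILURE, SUCCESS = 529, 528


def detect_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Return alerts for (source, account) pairs that fail `threshold` times
    inside `window`, and for a successful logon that follows such a burst."""
    failures = defaultdict(deque)   # (source, account) -> recent failure times
    alerts = []
    for ts, event_id, account, source in sorted(events, key=lambda e: e[0]):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = (source, account)
        recent = failures[key]
        # Drop failures that have fallen out of the sliding window.
        while recent and t - recent[0] > window:
            recent.popleft()
        if event_id == FAILURE:
            recent.append(t)
            if len(recent) == threshold:   # fires when the count first reaches the threshold
                alerts.append(("password guessing", source, account, len(recent)))
        elif event_id == SUCCESS and len(recent) >= threshold:
            # A logon right after a burst of bad passwords is the worst case:
            # one of the guesses may have worked.  Escalate, then reset.
            alerts.append(("logon after guessing burst", source, account, len(recent)))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for kind, source, account, count in detect_guessing(SAMPLE_EVENTS):
        print(f"ALERT {kind}: {source} -> {account} ({count} failures in window)")
```

The single mistyped password from the cmeinel user never reaches the threshold, while the burst against Administrator raises two alerts: one when the fifth failure lands, and a second, more urgent one when a logon succeeds while that burst is still inside the window. Renaming the Administrator account, as the article recommends, turns this from a detection problem into a guessing problem for the attacker, since the account name must be found before the password can be tried.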
********************
You can get expelled warning: What if you are a student and you want to save your school from malicious code kiddies who steal tests and change grades? It is important to get permission *in writing* before you test the school's network. Even then, you still must be careful to be a model student. If you act up, cut classes - you know what I mean - the first time a cracker messes up the network, who do you think they will suspect? Yes, it's unfair, and yes, that is the way the world works.
********************
How to Scan for Computers that Use NetBIOS
Your tool of choice is a port scanner. Any computer that is running something on port 139 is likely (but not certain) to be using NetBIOS. Most crackers use nmap to port scan. This tool runs on Unix/Linux type computers. You can get it at <http://www.insecurity.org/>. There is also a Windows version of nmap, but it isn't very good. A better choice for Windows is Whats Up from <http://www.ipswitch.com/>. You can get a one month free trial of it.
Here's an example of an nmap scan of Oldguy:
test-box:/home/cmeinel # nmap -sTU 10.0.0.2
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (10.0.0.2):
(The 3060 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
70/tcp open gopher
80/tcp open http
135/tcp open loc-srv
135/udp open loc-srv
137/udp open netbios-ns
138/udp open netbios-dgm
139/tcp open netbios-ssn
500/udp open isakmp
Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
As you can see from this scan, three ports are identified with NetBIOS. This tells us that we could set nmap to scan a large number of Internet addresses, only looking for port 139 on each. To learn how to set up nmap to run this way, in your Unix or Linux shell give the command "man nmap".
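A defender checking which hosts on their own network expose NetBIOS can do the same classification automatically. The following is an added example, not code from the article or from the nmap project: it parses nmap's human-readable output (the Oldguy scan above is embedded as a constructed sample) and reports which open ports belong to NetBIOS over TCP/IP, adding 445/tcp, the SMB port mentioned in the firewall message earlier in the article. The port table and the helper names are this example's own.

```python
import re
from typing import NamedTuple

# Ports used by NetBIOS over TCP/IP, plus 445/tcp, which carries SMB directly
# over TCP on Windows 2000 and later.  Any of these reachable from an untrusted
# network is what the enumeration walk-through in the article relies on.
NETBIOS_PORTS = {
    (137, "udp"): "netbios-ns (name service)",
    (138, "udp"): "netbios-dgm (datagram service)",
    (139, "tcp"): "netbios-ssn (session service: net view / net use)",
    (445, "tcp"): "microsoft-ds (SMB over TCP, Windows 2000 and later)",
}


class ScannedPort(NamedTuple):
    port: int
    proto: str
    state: str
    service: str


# "139/tcp open netbios-ssn" -> port, protocol, state, service name
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)
# "Interesting ports on (10.0.0.2):" or "Interesting ports on oldguy (10.0.0.2):"
HOST_LINE = re.compile(r"^Interesting ports on .*?\(?(\d+(?:\.\d+){3})\)?:", re.MULTILINE)


def parse_nmap(text):
    """Parse nmap's normal (human-readable) output into (host, [ScannedPort])."""
    m = HOST_LINE.search(text)
    host = m.group(1) if m else None
    ports = [ScannedPort(int(p), proto, state, svc)
             for p, proto, state, svc in PORT_LINE.findall(text)]
    return host, ports


def netbios_exposure(ports):
    """Map each open NetBIOS/SMB port to a short explanation of what it offers."""
    return {(p.port, p.proto): NETBIOS_PORTS[(p.port, p.proto)]
            for p in ports
            if p.state == "open" and (p.port, p.proto) in NETBIOS_PORTS}


def session_service_reachable(exposure):
    """True if share listing and IPC$ connections are possible at all: the
    NetBIOS session service (139/tcp) or SMB direct (445/tcp) is open."""
    return (139, "tcp") in exposure or (445, "tcp") in exposure


# Constructed copy of the Oldguy scan shown in the article, used as sample input.
SAMPLE_SCAN = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (10.0.0.2):
(The 3060 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
70/tcp     open        gopher
80/tcp     open        http
135/tcp    open        loc-srv
135/udp    open        loc-srv
137/udp    open        netbios-ns
138/udp    open        netbios-dgm
139/tcp    open        netbios-ssn
500/udp    open        isakmp
Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
"""

if __name__ == "__main__":
    host, ports = parse_nmap(SAMPLE_SCAN)
    exposure = netbios_exposure(ports)
    print(f"{host}: {len(ports)} open ports, {len(exposure)} NetBIOS/SMB related")
    for (port, proto), why in sorted(exposure.items()):
        print(f"  {port}/{proto}  {why}")
    if session_service_reachable(exposure):
        print("  -> share names and IPC$ are reachable; filter 137-139 and 445 at the border")
```

Run against the sample it reports the same three NetBIOS ports the article counts, and flags that the session service is reachable. Feeding it the output of a scan taken from outside the firewall is a quick way to confirm that a border filter on 137-139 and 445 is actually in place.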
For more on what crackers do once they break into a computer using NetBIOS (like installing back doors), see http://happyhacker.org/gtmhh/vol3no10.shtml.
********************
You can get punched in the nose warning: if you use a port scanner against networks that haven't given you permission to scan, you will be waving a red flag that says "Whaddaya wanna bet I'm a computer criminal?" You can't get arrested for merely port scanning, but people who don't like being scanned might get you kicked off your Internet service provider.
You can get really, big time, punched in the nose warning: If you visit the same computer or LAN really often to see what's new and to try different things, even if you don't break the law you'd better be doing it with the permission of the owner. Otherwise you may make enemies who might crash or destroy your operating system. And that is only what they may do when feeling mellow. After a night of hard drinking - well, you don't want to find out.
********************
How to Play NetBIOS Wargames
What if you want to challenge your friends to a hacker wargame using NetBIOS? The first thing to do is *don't* email me asking me to break in for you. Sheesh. Seriously, almost every day I get emails from people claiming to have permission from their girlfriend/boyfriend and begging me to help them break in. You can read their hilarious pleas for help at http://happyhacker.org/sucks/.
The way to run a hacker wargame over the Internet is first, get permission from your Internet provider so they don't kick you off for hacking. They probably run an IDS that scans users for suspicious activity. They probably hate malicious hackers. Enough said.
Second, you and your friends are likely to be at a different Internet address every time you log on. Your safest way to play over the Internet is for each player to get an Internet address that is the same every time he or she logs on: a "static" address. This way you won't accidentally break into someone else's computer.
You have to arrange with your Internet provider to get a static address. Normally only a local provider can do this for you. A big advantage of using a local provider is you can make friends with the people who work there - and they are probably hackers.
If you live in an apartment building or dormitory with other hackers, you can play break-in games without using the Internet. Set up a LAN where you can play together. For example, you can string Ethernet cable from window to window. To learn how to set up a Windows Ethernet LAN, see http://happyhacker.org/gtmhh/winlan.shtml .
Or you could set up a wireless LAN. With wireless you never know who might come cruising with a laptop down the street by your home or business and break in. That can make a wargame lots more fun. For help on how to break into wireless LANs (it's pathetically easy), see <http://www.wardriving.com/>.
**************
Evil genius tip: Attack using a Win NT server with the Microsoft Resource Kit installed. Heh, heh. With it you can give the command:
C:\>Local Administrators \\<targetbox.com>
This should show all user accounts with administrator rights on targetbox.com.
C:\>Global Administrators \\<targetbox.com>
This should show all user accounts with Domain administrative rights. These are exceptionally worth compromising, because with one Domain administrative password you will be able to control many resources among NT servers, workstations, and Win 95/98 computers.
I've tried to install the Resource Kit on XP Professional, but it wasn't compatible.
Another option is to install hacker tools such as Red Button and DumpACL, which extract information on user names, hashes, and which services are running on a given machine.
**************
Help for users of Windows 95, 98, SE or ME
To enable NetBIOS, click
Control Panel -> Network -> Protocols
If you see both NetBEUI and TCP/IP, you are already using NetBIOS. If not, add NetBEUI.
To bring up the command screen, click Start -> Run and type in command.com.
