___________________________________________________
Subnet Addressing Torn Apart
___________________________________________________
Till now we have learnt that the IP Address of every host connected to the
Internet is divided into two parts:
The Network ID (netid)
The Host ID (hostid)
The number of octets or bits allocated to the netid and hostid parts depends
on the class or range to which the IP Address belongs. For example, if an IP
Address belongs to Class A, then the first 8 bits are allocated to the netid
part, while the remaining 24 bits are allocated to the hostid part.
However, with the introduction of Subnet Addressing, a new division is
introduced which divides an IP Address into 3 parts:
The Network ID (netid)
The Host ID (hostid)
The Subnet ID (subnetid)
The introduction of Subnet Addressing not only hides the organizational
structure of the internal network, but also prevents the wastage of IP
Addresses. Typically, an IP Address belonging to Class B will be divided in the
following manner:
First 16 bits -----Network ID
Last 16 bits -----Host ID
Such a division provides for 2^16 - 2 hosts to be attached to that particular
network. However, such a large number of hosts is seldom attached to the same
network. Thus, not using Subnet Addressing leads to the wastage of IP
Addresses.
********************
Note:> We subtract 2 because a system with a Host ID of 0 or 255 is invalid,
i.e. a host ID value of 0 or 255 cannot be allocated to a system, as both are
reserved for special usage. For example, a host ID value of 0 is usually used
for routers.
********************
After subnetting, the IP Address would typically look as follows:
First 16 bits -------Network ID
Next 8 bits----------Subnet ID
Next 8 bits----------Host ID
This allows for the usage of 254 hosts per subnet of the 254 subnets possible.
NOTE: I have used 8 bits for the Subnet ID in this example. However, we can
just as easily allocate as many bits as we like to the Subnet ID part.
Netmask Values
A netmask value is a 32-bit value containing one bits (255’s) for the network ID
and zero bits (0’s) for the host ID. Using the netmask value one can easily
determine how many bits are reserved for the net ID and how many bits for the
host ID. In other words, by studying the netmask value of an IP Address we can
determine the Class to which that IP Address belongs.
One can find out the netmask value of an IP Address by giving the following
command:
C:\WINDOWS>route PRINT
Active Routes:
Network Address Netmask Gateway Address Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
203.94.53.12 255.255.0.0 203.94.0.0 0.0.0.0 1
202.21.87.43 255.255.255.0 202.21.87.0 0.0.0.0 1
Let us examine the output line by line. The first line says:
Network Address Netmask Gateway Address Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
In this case the netmask has a value of 255.0.0.0, which means that the first
octet contains all one bits (255’s), while the last three octets contain all
zero bits (0’s). In other words, it signifies that the first octet is the
network ID (as it contains only one bits) while the last three octets are
reserved for the host ID (as it contains only zero bits). Hence, the IP Address
127.0.0.1 is a Class A Internet Protocol Address with 127 being the netid and
.0.0.0 being the host ID.
Coming to the second line, we have a netmask value of 255.255.0.0, which means
that the first two octets are the network ID part (i.e. 203.94) while the last
two octets are the host ID part (i.e. 53.12). It also tells us that the IP
Address belongs to Class B of addresses. Similarly, in the last case the netmask
value of 255.255.255.0 means that the address 202.21.87.43 belongs to Class C of
addresses, with the network ID being 202.21.87 and the host ID being 43.
******************
Note:> If your prime aim is to find the Class of addresses to which an IP
belongs, you need not follow the above process. By simply taking an IP Address
and comparing it with the Class-Range Chart below, we can easily determine the
Class to which it belongs:
Class Range
A 0.0.0.0 to 127.255.255.255
B 128.0.0.0 to 191.255.255.255
C 192.0.0.0 to 223.255.255.255
D 224.0.0.0 to 239.255.255.255
E 240.0.0.0 to 247.255.255.255
*****************
To recapitulate we can say that the prime usage of netmask is to determine the
Class of addresses to which an IP Address belongs.
Subnet Mask Explained
Just like the Netmask, the Subnet Mask too is a 32-bit value containing one bits
(255’s) for the network ID and subnet ID, and zero bits (0’s) for the host ID.
The Subnet Mask, when used together with the Netmask, lets us determine exactly
how many bits are allocated to the Network ID, the Subnet ID and the Host ID.
Let us take an example to make this clearer. Assume the following data for this
exercise:
IP Address: 202.12.34.77
Netmask: 255.255.0.0
Subnet Mask: 255.255.255.0
According to the netmask value, the first two octets are reserved for usage by
the network ID, while the last two octets are reserved for host ID. Thus, we can
now break down 202.12.34.77 into:
Net ID: 202.12
Host ID: 34.77
This particular IP Address has a subnet mask of 255.255.255.0, which means that
the first three octets are to be used for Net ID and the Subnet ID, while the
last octet by the Host ID. Using this information, we can break down
202.12.34.77 into:
Net ID and Subnet ID: 202.12.34
Host ID: 77
However, earlier we determined that the net ID is 202.12, thus combining all the
above information we can finally divide 202.12.34.77 into:
Net ID: 202.12
Subnet ID: 34
Host ID: 77
To recapitulate, we can say that Netmask gives us the boundary between Host ID
and Network ID, while Subnet Mask gives us the boundary between Network ID and
Subnet ID.
Whenever you connect to your ISP, you are allocated a dynamic IP Address (almost
always), which changes each time you reconnect. In order to determine your IP
Address, Class of Addressing, host ID, network ID and Subnet ID, simply follow
the process below:
NOTE: I carried out this example on my system.
Firstly, in order to find the IP Address of my system, I first connect to my ISP
and use the Netstat command:
C:\WINDOWS>netstat -n
Active Connections
Proto Local Address Foreign Address State
TCP 203.94.253.183:1025 64.4.13.56:1863 ESTABLISHED
TCP 203.94.253.183:1031 209.143.242.119:80 ESTABLISHED
This gives me my Dynamic IP Address, which is, 203.94.253.183. Using the
Class-Range chart I deduce that my IP Address is using Class B addressing, which
would mean that my netmask is probably 255.255.0.0.
All that I need to know now, in my quest to break apart my IP Address, is my
Subnet mask. In order to find the Subnet Mask of a Windows system, one needs to
follow the process below:
Click on Start > Run
Type winipcfg in the space provided.
The IP Configuration Dialog Box pops up. This useful utility reveals your IP
Address, Subnet Mask along with other useful information.
When I tried this out on my system, it gave me a Subnet Mask of 255.255.255.0.
Combining this value with a Netmask value of 255.255.0.0, we come to the
following information:
IP Address: 203.94.253.183
Class of Addressing: Class B
Network ID: 203.94
Subnet ID: 253
Host ID: 183
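The two breakdowns above (202.12.34.77 and 203.94.253.183) follow one mechanical rule, so here it is as a small Python helper. This is an added example, not code from the manual: it reads the Class from the netmask the way the route PRINT walkthrough does, splits on whole octets as every example here does, and rejects a mask that is not a run of ones followed by zeros.

```python
import ipaddress

# Class the manual assigns to each classful netmask (route PRINT walkthrough).
CLASS_FROM_NETMASK = {"255.0.0.0": "A", "255.255.0.0": "B", "255.255.255.0": "C"}


def mask_bits(mask):
    """Count the one bits of a dotted-quad mask; reject non-contiguous masks."""
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError("mask must be a run of ones followed by zeros: %s" % mask)
    return ones


def split_address(ip, netmask, subnet_mask):
    """Break an IP into class, net ID, subnet ID and host ID as the manual does.

    The netmask marks the boundary between network ID and host ID; the subnet
    mask marks the boundary between (network ID + subnet ID) and host ID.
    Like every example in the manual, this splits on whole octets only.
    """
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    net_bits = mask_bits(netmask)
    prefix_bits = mask_bits(subnet_mask)
    if prefix_bits < net_bits:
        raise ValueError("subnet mask cannot be shorter than the netmask")
    if net_bits % 8 or prefix_bits % 8:
        raise ValueError("this helper splits on octet boundaries only")
    octets = ip.split(".")
    n, p = net_bits // 8, prefix_bits // 8
    subnet_bits = prefix_bits - net_bits
    return {
        "class": CLASS_FROM_NETMASK.get(netmask, "?"),
        "net_id": ".".join(octets[:n]),
        "subnet_id": ".".join(octets[n:p]),
        "host_id": ".".join(octets[p:]),
        # host IDs of all zeros and all ones are reserved, hence the -2
        "hosts_per_subnet": 2 ** (32 - prefix_bits) - 2,
        # the manual counts subnets the same way (2^n - 2); 1 when not subnetted
        "subnets": 2 ** subnet_bits - 2 if subnet_bits else 1,
    }


if __name__ == "__main__":
    for ip, nm, sm in [("202.12.34.77", "255.255.0.0", "255.255.255.0"),
                       ("203.94.253.183", "255.255.0.0", "255.255.255.0")]:
        print(ip, split_address(ip, nm, sm))
```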
A lot of times I hear people asking questions like: how do I find out the IP of
a friend? How do I find out my own IP? How do I know which ports are open on my
system? How do I make sure whether my system is infected with a Trojan or not?
Well, for all the above questions (and more) there is one simple answer: the
Netstat command.
Microsoft has this weird tendency of hiding or making sure that such ‘useful’
utilities are not easily accessible to the users. However, they fail to
understand that putting a utility in the Windows directory and not listing it
anywhere does not make it hidden.
The ‘Netstat’ command is accessible through the command line prompt. Simply
launch MSDOS and:
C:\>cd windows
C:\windows>
NOTE: Normally, well, almost always, DOS opens by default in the Windows
directory, however, for those of you whose default DOS directory is not Windows,
the above would prove helpful.
Anyway, before we move on, we need to understand what exactly the Netstat
command is used for. This command is by default used to get information on the
open connections on your system (ports, protocols being used etc), incoming and
outgoing data and also the ports of remote systems to which we are connected.
‘Netstat’ gets all this networking information by reading the kernel routing
tables in the memory.
According to the RFC on Internet Tool Catalog, ‘Netstat’ is defined as:
‘Netstat is a program that accesses network related data structures within the
kernel, then provides an ASCII format at the terminal. Netstat can provide
reports on the routing table, TCP connections, TCP and UDP "listens", and
protocol memory management.’
Anyway, now that we know what Netstat is all about, we are in a position to
start using it. Once, you have launched MSDOS, you can read the MSDOS help on
Netstat by giving the following command:
C:\WINDOWS>netstat /?
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
  -a            Displays all connections and listening ports. (Server-side connections are normally not shown).
  -e            Displays Ethernet statistics. This may be combined with the -s option.
  -n            Displays addresses and port numbers in numerical form.
  -p proto      Shows connections for the protocol specified by proto; proto may be tcp or udp. If used with the -s option to display per-protocol statistics, proto may be tcp, udp, or ip.
  -r            Displays the contents of the routing table.
  -s            Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
  interval      Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.
However, as always, the help provided by MSDOS can be used only as a reference;
it is not at all sufficient for a complete newbie. So let us try out each
argument, see the result, and understand what exactly happens when we execute
it and what the displayed results mean.
Firstly, we will start with the Netstat command with the -a argument.
The ‘-a’ option is used to display all open connections on the local
machine. It also returns the remote system to which we are connected, the
port numbers of the remote system we are connected to (and of the local machine),
and also the type and state of the connection we have with the remote system.
For Example,
C:\windows>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP nido:1031 dwarf.box.sk:ftp ESTABLISHED
TCP nido:1036 dwarf.box.sk:ftp-data TIME_WAIT
TCP nido:1043 banners.egroups.com:80 FIN_WAIT_2
TCP nido:1045 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP nido:1052 zztop.boxnetwork.net:80 ESTABLISHED
TCP nido:1053 mail2.mtnl.net.in:pop3 TIME_WAIT
UDP nido:1025 *:*
UDP nido:nbdatagram *:*
Now, let us take a single line from the above output and see what it stands for:
Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED
Now, the above can be arranged as below:
Protocol: TCP (This can be Transmission Control Protocol or TCP, User Datagram
Protocol or UDP or sometimes even, IP or Internet Protocol.)
Local System Name: ankit (This is the name of the local system that you set
during the Windows setup.)
Local Port opened and being used by this connection: 1031
Remote System: dwarf.box.sk (This is the non-numerical form of the system to
which we are connected.)
Remote Port: ftp (This is the port number of the remote system dwarf.box.sk to
which we are connected.)
State of Connection: ESTABLISHED
‘Netstat’ with the ‘-a’ argument is normally used to get a list of open ports
on your own system, i.e. on the local system. This can be particularly useful to
check whether your system has a Trojan installed or not. Yes, most good
Antiviral software is able to detect the presence of Trojans, but we are
hackers, and need no software to tell us whether we are infected or not.
Besides, it is more fun to do something manually than to simply click on the
‘Scan’ button and let some software do it.
The following is a list of Trojans and the port numbers which they use. If you
Netstat yourself and find any of the following open, then you can be pretty
sure that you are infected.
Port 12345(TCP) Netbus
Port 31337(UDP) Back Orifice
For complete list, refer to the Tutorial on Trojans at: hackingtruths.box.sk/manuals.htm
***********************
Note > Some of you might be wondering what the high port numbers after the
local machine’s name stand for.
Eg. nido:1052
Port numbers up to 1024 normally have a specific kind of service running on them.
In fact there is a complete RFC on Assigned Port Numbers: RFC 1700.
However, port numbers over 1024 are used by your system to connect to remote
computers. For example, say your browser wants to establish a connection with
http://www.hotmail.com/; what it will do is take up a random port number above
1024, open it and use it to communicate with the Hotmail server.
***********************
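To turn the Trojan-port list and the well-known/ephemeral note above into a repeatable check, here is a small Python parser for the ‘netstat -a’ and ‘netstat -n’ listings shown in this manual. It is an added example, not code from the manual; the sample listing is constructed in the shape of the manual's output, with the last two lines invented to exercise the check, and the service-name table resolves only the names that appear in the manual's output.

```python
import re

# Constructed sample in the shape of the manual's "netstat -a" listing; the
# last two rows are invented so that the check below has something to find.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    nido:1031              dwarf.box.sk:ftp       ESTABLISHED
  TCP    nido:1045              mail2.mtnl.net.in:pop3 TIME_WAIT
  UDP    nido:nbdatagram        *:*
  TCP    nido:12345             0.0.0.0:0              LISTENING
  UDP    nido:31337             *:*
"""

# Trojan port/protocol pairs listed in the manual.
TROJAN_PORTS = {("TCP", 12345): "Netbus", ("UDP", 31337): "Back Orifice"}

# Service names seen in the manual's output, resolved to RFC 1700 numbers.
SERVICE_PORTS = {"ftp-data": 20, "ftp": 21, "http": 80, "pop3": 110,
                 "nbname": 137, "nbdatagram": 138}

# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def port_number(endpoint):
    """Numeric port of 'host:port'; service names are looked up, '*' is None."""
    _, _, port = endpoint.rpartition(":")
    if port in ("", "*"):
        return None
    if port.isdigit():
        return int(port)
    if port in SERVICE_PORTS:
        return SERVICE_PORTS[port]
    raise ValueError("unknown service name: %s" % port)


def parse_netstat(text):
    """Parse -a (named) or -n (numeric) rows into (proto, local_port, foreign, state)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append((proto, port_number(local), foreign, state or ""))
    return rows


def port_kind(port):
    """Classify a local port the way the manual's note does (1024 boundary)."""
    return "well-known" if port is not None and port <= 1024 else "ephemeral"


def find_trojan_ports(text):
    """Return [(proto, port, trojan_name)] for rows matching TROJAN_PORTS."""
    hits = []
    for proto, port, _foreign, _state in parse_netstat(text):
        name = TROJAN_PORTS.get((proto, port))
        if name:
            hits.append((proto, port, name))
    return hits
```

A hit on one of these ports is a reason to look closer (which process owns the socket, whether the port is in use by something legitimate), not proof of infection by itself.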
OK, now let us move on to a variant of the above command, Netstat -n.
The Netstat -n command is basically the numerical form of the Netstat -a
command. The main and probably the only difference between the two is that the
former shows the addresses of the local and remote systems in numerical form
(hence -n) while the latter shows the addresses in non-numerical form.
Let us see an example to understand better:
C:\>netstat -n
Active Connections
Proto Local Address Foreign Address State
TCP 203.xx.251.161:1031 194.1.129.227:21 ESTABLISHED
TCP 203.xx.251.161:1043 207.138.41.181:80 FIN_WAIT_2
TCP 203.xx.251.161:1053 203.94.243.71:110 TIME_WAIT
TCP 203.xx.251.161:1058 194.1.129.227:20 TIME_WAIT
TCP 203.xx.251.161:1069 203.94.243.71:110 TIME_WAIT
TCP 203.xx.251.161:1071 194.98.93.244:80 ESTABLISHED
TCP 203.xx.251.161:1078 203.94.243.71:110 TIME_WAIT
Although this too gives us similar results, there are some differences, mainly:
Instead of the name of the local machine, the actual IP address of the local
machine is shown.
I am not sure about this, but after testing repeatedly, Netstat -n seems not to
return information on non-TCP connections. So it does not seem to consider UDP.
If you read the alt.2600 newsgroup regularly, or any other newsgroup for that
matter, then you would probably have seen at least 2-3 daily postings whose body
reads:
How do I find out my own IP?
Well, this option of Netstat is most commonly used to do just that: find out
your own IP. Also, some people somehow seem to feel more comfortable with
numbers than with understandable hostnames. This form of Netstat does make life
easier for us, as the port numbers are displayed, which makes relating
everything easier.
Getting the IP of a person is all that one needs to be able to damage his
system. So, basically, hiding your IP from hackers and getting the IP of the
victim are some of the most important things that people are concerned with.
Using IP Hiding facilities has become increasingly popular. However, are these
so-called IP Hiding services or software truly and perfectly anonymous? There is
only one answer: they are nowhere near totally anonymous.
Consider the following example, to understand how lame some of such utilities
are.
I Seek You or ICQ is one of the most popular chatting software around. With it
not only comes easy pastime, but also security concerns. ICQ has an inbuilt IP
Address Hider, which when enabled is supposedly able to hide your IP from the
users you are chatting with. However, like most IP Hiding software, this too is
nowhere near good. You can find out the IP Address of any ICQ user, even if IP
Hiding has been enabled, by following the below process.
1.) Launch MSDOS and type Netstat –n to get a list of already open ports and the
IP’s of the machines with which a connection has been established. Note down
this list somewhere.
2.) Now, launch ICQ and send a message to the victim.
3.) While you are still chatting, go back to DOS and again give the Netstat -n
command. You will find a new IP, signifying a new connection. This would be
the IP Address of the victim. Get it?
Till now, both with the ‘-a’ and ‘-n’ argument, we saw that the connections
returned or displayed on the screen, were not of a particular protocol. This
means that connections of TCP, UDP or even IP were shown. However, say you want
to see only those connections which belong to UDP, then you make use of the ‘-p’
argument.
The general format of the Netstat command with the ‘-p’ argument is as follows:
Netstat -p xxx
where xxx can be either UDP or TCP. The usage of this argument will become
clearer with the following example, which demonstrates how to view only TCP
connections.
C:\>netstat -p tcp
Active Connections
Proto Local Address Foreign Address State
TCP nido:1031 dwarf.box.sk:ftp ESTABLISHED
TCP nido:1043 banners.egroups.com:80 FIN_WAIT_2
TCP nido:1069 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP nido:1078 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP nido:1080 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP nido:1081 www.burstnet.com:80 FIN_WAIT_2
TCP nido:1083 zztop.boxnetwork.net:80 TIME_WAIT
This is basically nothing but a variation of the ‘-a’ and ‘-n’ commands.
Let us move on to the other arguments of ‘netstat’.
Now we come to the ‘-e’ option of ‘netstat’. Let us see what DOS returns when
this command is given:
C:\>netstat -e
Interface Statistics
Received Sent
Bytes 135121 123418
Unicast packets 419 476
Non-unicast packets 40 40
Discards 0 0
Errors 0 0
Unknown protocols 0
Well, sometimes the number of data packets sent and received is not shown
properly by some faulty or incompatible modems. In such cases, this command
comes in handy. The output returned by it is quite obvious. It can also be used
to check for faulty downloads, or errors which might have occurred during the
TCP/IP transfer process.
With this we come to the last argument associated with Netstat, the ‘-r’
argument. This is not commonly used, and is a bit difficult to understand. I
will simply give you an example of it in this manual. A proper and detailed
description will be provided in another manual. Hacking using Routing Tables is
considered to be very elite and not many people are comfortable using it.
However, like all things associated with computers, it is not as difficult as it
is made out to be.
C:\windows>netstat -r
Route Table
Active Routes:
Network Address Netmask Gateway Address Interface Metric
0.0.0.0 0.0.0.0 203.94.251.161 203.94.251.161 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
203.94.251.0 255.255.255.0 203.94.251.161 203.94.251.161 1
203.94.251.161 255.255.255.255 127.0.0.1 127.0.0.1 1
203.94.251.255 255.255.255.255 203.94.251.161 203.94.251.161 1
224.0.0.0 224.0.0.0 203.94.251.161 203.94.251.161 1
255.255.255.255 255.255.255.255 203.94.251.161 203.94.251.161 1
Active Connections
Proto Local Address Foreign Address State
TCP nido:1031 dwarf.box.sk:ftp ESTABLISHED
TCP nido:1043 banners.egroups.com:80 FIN_WAIT_2
TCP nido:1081 www.burstnet.com:80 FIN_WAIT_2
TCP nido:1093 zztop.boxnetwork.net:80 TIME_WAIT
TCP nido:1094 zztop.boxnetwork.net:80 TIME_WAIT
TCP nido:1095 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP nido:1096 zztop.boxnetwork.net:80 TIME_WAIT
TCP nido:1097 zztop.boxnetwork.net:80 TIME_WAIT
TCP nido:1098 colo88.acedsl.com:80 ESTABLISHED
TCP nido:1099 mail2.mtnl.net.in:pop3 TIME_WAIT
Well, I hope you liked this manual. Even if not, then you better do. ; ) Bye.