Riding and Spoofing, an extremely detailed explanation.
BinaryZer0 <BinaryZer0@box.sk>
Keywords: WinGates, spoofing, riding, proxies, spoof, SOCKS

****************************************************************
Preface: The documentation herein is categorized for legibility.
The categorization is listed below in an outlined table.
****************************************************************

/ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ\
[==========================\_________/==========================]
[---------------------------[ TABLE ]---------------------------]
[==========================/ŻŻŻŻŻŻŻŻŻ\==========================]
[|                                                             |]
[| Preface                                                     |]
[| Table                                                       |]
[|                                                             |]
[|   I. Introduction - About this document                     |]
[|  II. To readers - Who should read this document?            |]
[| III. Riding                                                 |]
[|      A. WinGates                                            |]
[|         1. Scanning                                         |]
[|         2. Connecting                                       |]
[|      B. SOCKS                                               |]
[|         1. Scanning                                         |]
[|         2. Connecting                                       |]
[|      C. Proxies                                             |]
[|         1. Scanning                                         |]
[|         2. Connecting                                       |]
[|  IV. Spoofing                                               |]
\ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ/

/ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ\
[=======================\______________/========================]
[-----------------------[ Introduction ]------------------------]
[=======================/ŻŻŻŻŻŻŻŻŻŻŻŻŻŻ\========================]
 ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

The information outlined in this document should be used for legal purposes. If the reader chooses to do otherwise, the consequences are to be dealt with personally, and should not be taken to the author or affiliates.

Basically, the ones who should read this documentation are those seeking information on the subject. Because I get into details further into the document, I cannot use some of the words which would explain my thoughts on the subject most directly. This is because I assume that the reader knows exactly nothing about the subject of this document.
I will try to explain this without using the subject's "vocabulary" words. Onto the point: the information in this document can be used, generally, to fend off Denial of Service attacks and other such things. It can also be used to "cloak" oneself for other purposes, for example to "cover" one's "tracks" and identity from other Internet users, systems, programs, et cetera. All of this is covered in greater detail beginning with the next section, section III, Riding. Please note that all "vocabulary" words are marked with asterisks (*) surrounding the word.

/ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ\
[==========================\________/===========================]
[--------------------------[ Riding ]---------------------------]
[==========================/ŻŻŻŻŻŻŻŻ\===========================]
 ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

When people talk about WinGates, Proxies, and SOCKS, they almost always include the word "spoofing". This is erroneous on their part, because the use of WinGates, Proxies, and SOCKS is not spoofing but rather *riding*. Riding differs from spoofing in that riding involves the use of real IPs: when one rides, one takes on an actual IP and uses it as one's own. Spoofing, on the other hand, can use completely bogus IPs, even ones which could never exist. For example, in spoofing it is possible to have an "IP" that looks something like the following:

    hello.my.name.is.sam

In riding, it is possible to have a name that looks like the one shown above, with some minor changes: it must be a hostname which actually resolves to an actual IP, meaning it must have an existent domain name and country name. Hence, while riding, the name can look like this:

    hello.my.name.is.sam.muel.com

providing that muel.com is an actual, existent domain name, and that it has .com as the country name.
Looking back at the spoofed IP, it has neither a domain name nor a country name. Because a spoofed IP can be made up, it can use both existent and non-existent hostnames / IPs. Hence, it is possible to spoof "hello.my.name.is.sam.muel.com" as well.

/ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ\
[=========================\__________/==========================]
[-------------------------[ WinGates ]--------------------------]
[=========================/ŻŻŻŻŻŻŻŻŻŻ\==========================]
 ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

*WinGates* are the actual IPs which are used to "ride". Remember that since WinGates are used in riding, and not spoofing, they must be actual, real IPs or hostnames. One cannot take just any real hostname or IP and use it as a WinGate: the IP / hostname must actually be running the WinGate server. WinGates can be used to connect to IRC servers, and to other servers, via telnet.

\____________/
[ Connecting ]
/ŻŻŻŻŻŻŻŻŻŻŻŻ\

Generally, as explained above, connecting to a WinGate calls for only one thing: a telnet program. Using a telnet program, you connect to the WinGate host on port 23.

Usage:

On Windows:
  1. Go to 'Start', then click 'Run'. Type "telnet".
  2. Once the program opens, click on 'Connect'.
  3. A small window pops up. For 'Host Name:', type the hostname / IP of the WinGate.
  4. For 'Port:', enter "23" or "telnet".
  5. Then click on the "Connect" button.

UN*X / etc.:
  1. $ /bin/telnet
     or, on BSD systems,
     $ /usr/bin/telnet

You should then be connected and see the "WinGate>" string. Once you see the "WinGate>" string, use the following:

    WinGate> destination port

where "destination" is the hostname / IP you want to connect to through the WinGate, and "port" is the port you want to use to connect to the remote (or even local) system.

\__________/
[ Scanning ]
/ŻŻŻŻŻŻŻŻŻŻ\

Scanning for WinGates takes no brain.
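Returning to the "destination port" line typed at the WinGate> prompt under Connecting: the following is an added worked example, not code from the original text or from the WinGate product, showing what a relay of this kind has to do with that line before it connects anywhere. It applies the text's own rule that a target must be a real, resolving host, and adds the one check whose absence makes a relay an open WinGate: only clients on the relay's own LAN may relay outward. The names `lookup`, `parse_relay_command` and `decide`, the `FAKE_DNS` table and the `TRUSTED_CLIENTS` range are all assumptions made for this example.

```python
"""Added worked example (not code from the original text): how a
WinGate-style telnet relay should handle the "destination port" line typed
at its WinGate> prompt. Two things are checked before relaying: the target
must actually resolve (the text's "must be a real host" rule for riding),
and the requesting client must be on the relay's own LAN. A relay that
skips the second check is exactly the open WinGate the text describes.
"""
import ipaddress

# Constructed stand-in for DNS so the example runs offline. The names are the
# text's own illustration; the addresses are documentation-range values.
FAKE_DNS = {
    "muel.com": "203.0.113.7",
    "hello.my.name.is.sam.muel.com": "203.0.113.7",
    "irc.example.net": "198.51.100.10",
}

# Assumed LAN range (hypothetical); a real relay would take this from config.
TRUSTED_CLIENTS = [ipaddress.ip_network("192.168.0.0/16")]


def lookup(name, table=FAKE_DNS):
    """Resolve a relay target. An IPv4 literal resolves to itself; a name is
    looked up in the table (swap in socket.gethostbyname for live DNS).
    Returns None for a name that does not resolve, e.g. hello.my.name.is.sam."""
    try:
        return str(ipaddress.IPv4Address(name))
    except ValueError:
        return table.get(name.rstrip(".").lower())


def parse_relay_command(line):
    """Split 'destination port' into (destination, port), validating the port."""
    parts = line.split()
    if len(parts) != 2:
        raise ValueError("expected: destination port")
    dest, port_text = parts
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"bad port {port_text!r}")
    return dest, int(port_text)


def decide(client_ip, line, table=FAKE_DNS):
    """Return (verdict, detail) for one relay request from client_ip.
    verdict is 'allow', 'deny' (client not on the LAN) or 'error' (bad input)."""
    try:
        dest, port = parse_relay_command(line)
    except ValueError as exc:
        return ("error", str(exc))
    addr = lookup(dest, table)
    if addr is None:
        return ("error", f"{dest} does not resolve")
    client = ipaddress.ip_address(client_ip)
    if not any(client in net for net in TRUSTED_CLIENTS):
        return ("deny", f"{addr}:{port}")
    return ("allow", f"{addr}:{port}")


if __name__ == "__main__":
    # Constructed requests: a LAN client, an Internet client, and a bogus name.
    for client, line in [("192.168.1.5", "irc.example.net 6667"),
                         ("203.0.113.50", "irc.example.net 6667"),
                         ("192.168.1.5", "hello.my.name.is.sam 6667")]:
        print(f"WinGate> {line}  [from {client}] ->", decide(client, line))
```

The "deny" branch is the whole difference between a relay that serves its own network and one that anyone on the Internet can ride through; the resolver check is why "hello.my.name.is.sam" can only ever be spoofed, never ridden.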
It is extremely easy as long as you know what you are looking for and where to find it. In this section we look at the scanning approaches needed to find WinGates.

Finding a WinGate is very easy. The only thing one needs to do to find out whether a hostname / IP is a WinGate is to connect to it using a program such as telnet (telnet.exe under Windows 9x / NT, and `telnet` under System V, BSD, and Minix-based (Linux) systems). Using such a program, connect to the hostname / IP on port 23, the "telnet" port. Once connected, your terminal should print a string which reads "WinGate>". If you see this string, you are connected to a WinGate.

Let me make something very important clear: WinGates do NOT run on anything but Windows operating systems. This means that there is no point in scanning an IP / hostname belonging to UNIX, VAX/VMS, et cetera; just Windows.

Also, there are programs available for scanning many hostnames / IPs at once to find WinGates. A program you could use to scan for WinGates is:

Program for Linux / BSD:

/ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ\
[===========================\_______/===========================]
[---------------------------[ SOCKS ]---------------------------]
[===========================/ŻŻŻŻŻŻŻ\===========================]
 ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

*SOCKS* are a lot like WinGates. They are also used to ride, and they must also be real hostnames / IPs, configured to be SOCKS servers. I have never witnessed SOCKS being used for anything but IRC connections.

\__________/
[ Scanning ]
/ŻŻŻŻŻŻŻŻŻŻ\

Basically, the only way to know whether a certain IP / hostname is a SOCKS IP / hostname is to port scan it. If the scan of the IP / hostname shows port 1080 open, this means you have found a SOCKS server.

\____________/
[ Connecting ]
/ŻŻŻŻŻŻŻŻŻŻŻŻ\

All SOCKS servers operate on port 1080.
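What actually passes over that port 1080 connection is a short binary exchange. The block below is an added worked example, not code from the original text or from any SOCKS server, of the SOCKS4 CONNECT request and reply: the client encodes the destination host and port it wants to reach, and the server answers with status 90 (granted) or 91 (rejected). The server side also shows, as an assumption of this example, a `TRUSTED_CLIENTS` range: granting CONNECT to clients outside it is what turns a SOCKS server into the kind of relay the text describes finding. The function names and the `192.168.0.0/16` range are choices made for this example, not part of the protocol.

```python
"""SOCKS4 CONNECT exchange on port 1080, written as an added worked example
(not code from the original text). Wire layout of the SOCKS4 protocol:

  client -> server: VN=4 | CD=1 (CONNECT) | DSTPORT (2) | DSTIP (4) | USERID... | NUL
  server -> client: VN=0 | CD=90 granted / 91 rejected | DSTPORT (2) | DSTIP (4)

The server side below also shows the one check that separates a private
relay from an "open SOCKS": who is allowed to relay through it at all.
"""
import ipaddress
import struct
from dataclasses import dataclass

SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90
REPLY_REJECTED = 91
HEADER = struct.Struct("!BBH4s")  # version/status byte, command/code, port, IPv4


@dataclass
class Socks4Request:
    command: int
    dst_port: int
    dst_ip: str
    user_id: bytes


def build_connect(dst_ip, dst_port, user_id=b""):
    """Client side: encode a CONNECT request for dst_ip:dst_port."""
    packed = ipaddress.IPv4Address(dst_ip).packed
    return HEADER.pack(SOCKS4_VERSION, CMD_CONNECT, dst_port, packed) + user_id + b"\x00"


def parse_request(data):
    """Server side: decode a request, refusing malformed ones loudly."""
    if len(data) < HEADER.size + 1:
        raise ValueError("request too short")
    vn, cd, port, raw_ip = HEADER.unpack(data[:HEADER.size])
    if vn != SOCKS4_VERSION:
        raise ValueError(f"unsupported SOCKS version {vn}")
    nul = data.find(b"\x00", HEADER.size)
    if nul == -1:
        raise ValueError("USERID is not NUL-terminated")
    return Socks4Request(cd, port, str(ipaddress.IPv4Address(raw_ip)), data[HEADER.size:nul])


def build_reply(status, dst_port, dst_ip):
    """Server side: encode the reply (the version byte is 0 in SOCKS4 replies)."""
    return HEADER.pack(0, status, dst_port, ipaddress.IPv4Address(dst_ip).packed)


def parse_reply(data):
    """Client side: decode the reply into (status, port, ip)."""
    vn, status, port, raw_ip = HEADER.unpack(data[:HEADER.size])
    if vn != 0:
        raise ValueError("malformed SOCKS4 reply")
    return status, port, str(ipaddress.IPv4Address(raw_ip))


# Assumed policy (hypothetical range): only LAN clients may relay outward.
TRUSTED_CLIENTS = [ipaddress.ip_network("192.168.0.0/16")]


def serve(client_ip, data):
    """Server side: decide and answer one request. Granting CONNECT to any
    client on the Internet is what makes a SOCKS server an open relay."""
    req = parse_request(data)
    trusted = any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_CLIENTS)
    status = REPLY_GRANTED if (req.command == CMD_CONNECT and trusted) else REPLY_REJECTED
    return build_reply(status, req.dst_port, req.dst_ip)


if __name__ == "__main__":
    request = build_connect("198.51.100.10", 6667, b"sam")  # constructed values
    for client in ("192.168.1.20", "203.0.113.5"):
        status, port, ip = parse_reply(serve(client, request))
        verdict = "granted" if status == REPLY_GRANTED else "rejected"
        print(f"{client} -> {verdict} {ip}:{port}")
```

Note that the destination travels as a raw IPv4 address and port, which is why an IRC client configured with a SOCKS "firewall" can point it at any server: the SOCKS server itself makes the outbound connection, and the IRC network sees the SOCKS server's address, not the client's.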
Hence, to connect to such a server, you must connect to port 1080. Once connected, you are able to connect to the destination server, as well as designate the destination server's port.

Usage:

IRCii / BitchX / etc.:
    irc: /server 1080
    irc: /server

mIRC:
  1) Go to the Setup folder
  2) Click on the "Firewall" tab
  3) Check the box reading "Use SOCKS Firewall"
  4) Go down to "Hostname:" and enter the SOCKS IP / hostname
  5) Click on the "IRC servers" tab, and click on "Connect"

/ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ\
[==========================\_________/==========================]
[--------------------------[ Proxies ]--------------------------]
[==========================/ŻŻŻŻŻŻŻŻŻ\==========================]
 ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

*Proxies* are very much like WinGates and SOCKS. Companies with many machines and one ISP account use Proxies to bring the Internet to all machines on the network.

\__________/
[ Scanning ]
/ŻŻŻŻŻŻŻŻŻŻ\

Proxy servers can be found the same way as SOCKS servers. Proxies use various ports, but mostly, and by default, ports 8080 and 3128. Hence, scanning these ports may reveal proxies.

\____________/
[ Connecting ]
/ŻŻŻŻŻŻŻŻŻŻŻŻ\

Usually, Proxies can be used for connecting to the Hypertext Transfer Protocol (HTTP) and, technically, the File Transfer Protocol (FTP). Under Windows, the usage is the following:

Internet Explorer 5:
  1) Click on "Tools", then "Internet Options"
  2) On the pop-up window, click on the "Connection" tab
  3) At the bottom, click on the "LAN settings" button
  4) Go down to "Proxy server" and check the box entitled "Use proxy server"
  5) For "Address:", enter the IP / hostname of the Proxy server, and for "Port:" enter the port number (usually 8080)
  6) Click "OK"

Netscape:
  1) Click on "Edit", and then "Preferences"
  2) In the left column, select "Advanced"
  3) You should now have a few options in the right column.
  4) Select "Manual proxy configuration"
  5) Click on "View"
  6) Fill out the appropriate information under the "HTTP" field
  7) Click "OK"

/ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ\
[=========================\__________/==========================]
[-------------------------[ Spoofing ]--------------------------]
[=========================/ŻŻŻŻŻŻŻŻŻŻ\==========================]
 ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

*Spoofing* is a way of covering your IP with any other kind of IP / hostname / bogus IP / bogus hostname. I do not know much about spoofing, but you can get a program which will let you do it on Linux. A friend tried compiling it and had no luck. The program is: