We're not interested in teaching you the stuff, that won't do us no good. Besides, you'll only be able to linger along a little while in the fast-moving underworld. Best is to harvest knowledge yourself. That way you'll know what you're doing and you'll kick in with your own unique style. Teaching someone would virtually be making a clone of yourself. Better to give a kid some hints and let him figure it out himself.
Nevertheless, we don't want you to get into any trouble, so here's the word "proxy": you probably already understand it, but in case you don't, you should.
So you're hooked and doing stuff of which the offline world says it shouldn't be done. Does the ideology of outsiders bother you? Of course not... unless it can get you into trouble. There are 2 peeps who can see what you're doing. First of all: the remote SYSOP (SYStem OPerator; the guy who owns the system or network that you're messing with). He can see the IP of the aggressor (that is you). We'll get back to that...
Second dude? Your very own ISP (Internet Service Provider; the asses at AOL, Skynet...). They might not be so fond of your actions either, but usually they don't give a flying faq as long as no one's complaining. So here's how the info's flowing:
YOU <=> your ISP <=> Remote 'puter
What can happen? The ISP can see your actions, but usually doesn't monitor them because it's too much work. They'll probably only log it, so as long as no one seems to have a reason to dive into the log files there's no problem.
The remote SYSOP notices he's being attacked (or notices he was attacked some time ago, in case he's a lazy overpaid slacker). He'll be able to see your IP address, a unique number assigned to every 'puter hooked to the 'net, or he'll find it in the logs, which he certainly has.
Does this mean trouble? Well, there's not much he can do with no more than that IP. The worst he can do (if he can't rehack you :P) is find out who your ISP is (any kid can do that), find the email address of the complaint department and lay down some lines containing your IP and the time of the action. That's it. He doesn't know your name, address, etc. Just that IP. Your ISP has a name and address to which they send the bill. Bugger.
Haha, I've got myself a dynamic IP, sucker! No way of telling who had that IP when the shit went down! Tééééh, sorry, you lose. Why do you think your ISP keeps those logs?
They check 'em out and see that the mentioned IP was taken by YOUR ACCOUNT at that moment. Usually, they'll log all the stuff you did too, so they can check your victim's story. So the link is made.
What will this mean? Common courtesy is: first time busted: A mail in which they confront you with the events, and ask you to explain yourself. They might add that if your explanation stinks, they'll take legal action (yeah right). Your reply: "huh? porthack? Internet? Computer?" To wipe them off their feet with the legal stuff, n00bly add that a computerdjini friend of yours advised a thorough virus scan. The scan found & kicked a virus called Backdoor0, or Trojan Horse to be less specific. Will they know you made it up? Yep. Will they be able to do something about it? Nope. They might advise you to try 'n keep your box infection-free. Lay low for a while, 'cuz from this point on, you may in fact be monitored if your ISP sucks ass and has a lot of cash to spend on employees.
Second time busted: 48 hours off-line
Third time busted: bye bye account! Time to pay up and get yourself another ISP.
As said, this is common courtesy. I'm not saying you won't be convicted without a trial if you go faq up FBI servers, or disappear from the face of the earth after messing with KGB info...
Now to get to where we wanted to go in the first place: a remedy. Wouldn't it be sweet if you could convince another sucka's computer to take the rap for all the action you just took, like you told your ISP someone did to you in your first reply? Of course it would, and it's easy. First, a view of what happens from now on. Here's how the info is flowing:
YOU <=> your ISP <=> A proxy <=> Remote 'puter you wanna get busy with
So, the remote SYSOP can still see stuff's going down (unless you're good, of course), but he'll see the proxy's IP. This is where the chain breaks. If the proxy's any good, the remote SYSOP will not be able to retrieve your IP, so he doesn't know who to complain to, nor does he have any idea who you are (don't send this guy your name and address, even if he seems to plan to send you money. This may sound stupid, but many were busted this way). In fact, let's take this option out of the brackets and see what the results could be before I get to the point.
Unlike your ISP, the Remote SYSOP IS likely to want to spend some time in filing complaints etc.
You were stupid enough to give him your address. The victim will kindly send this info to the FBI and the fuzzy muff (cops). If you live in a non-US country, the alien cops can't touch you. Nor can the Feds, but US-friendly countries tend to take legal action when the FBI asks them nicely. So, surprise surprise, instead of a check, your own police department lands at your doorstep. At this point you peek through your window. If you can see a search warrant, take a last look at your stack of warez, MP3's and DivX movies. Next move: you jump out of that window and hope to die. In conclusion, giving your real name/address to your victim is not advised. So let's proxify ourselves, shall we? First thing you need to do is find one of those proxy servers. Again, we can identify this server by an IP, like any server. 1337357 thing to do is scan (this means: checking IPs one by one automatically for proxy capabilities). Download a scanner (available from the 'net. May I advise searching with google?). The proxy scanner will need a range. This basically means a set of IPs to check. An IP consists of 4 numbers. Give your scanner 3 numbers (e.g. 12.2.140, just making something up here.)
BTW, ranges starting with 12. are usually quite fast). Sometimes the scanner will kick in with this info, sometimes you'll need to actually type the start and end IP (12.2.140.1 - 12.2.140.254 if you wanna scan the whole range). What'll happen? The scanner will check if 12.2.140.1 can be used as a proxy. Then it'll try 12.2.140.2, etc., until all 254 servers are checked. Put in 12.2.140.1 - 12.2.150.254 to check 12.2.140.*, 12.2.141.*, ..., 12.2.150.*. You get it, right?
The replies you can get out of this are: #0, #404, #403, #402 and, well, basically anything with a 4. This means your 'puter asked "Hey! Can I use you as a proxy?" and the remote server's reply was "get bent". Not useful.
The most annoying one is 'timed out'. Your 'puter said "Hey! HEY!!! Hello?". The remote computer says nothing. This doesn't necessarily mean the remote 'puter wasn't online or doesn't exist. Some people have their ports on 'stealth' instead of 'closed', causing them not to reply at all. Why does that matter? Well, a #4** comes in pretty fast. Result: server useless, on to the next one. If the server doesn't respond, the scanner will keep waiting for an answer since it might be far away. After a certain time, the scanner gives up all hope of getting an answer and moves on to the next IP. This takes a lot longer than receiving a #4**.
The final, kickass reply is a #2**. If it isn't fake, your scanner will display the word 'GOOD' or 'OK', depending on what scanning program you found.
You can just guess a range together, like I just did, but chances are the range is bought by a company/organization that isn't using 'em. 254 packets sent, 254 time-outs. Better is to find yourself a range which is likely to have some proxies on it. Most university networks use proxies, so do those of big companies, etc. These people have one or more ranges at their disposal. What I advise you to do: get the URL of a university's website (preferably a Korean or Eastern-European one or something like that), resolve the IP from the host name (can usually be done by your scanner), and scan the range in which the IP was found. If you've got a lot of time, scan a few hundred of them ranges :].
You can't get started yet, there's one thing you need to know. If your scanner's a bit universal and can handle more than one kind of proxy, or more than proxies in general, you'll need to specify a port for your targets. See, a connection to a 'puter takes place on a port. There are more than 65000 ports that can be used. A SYSOP wanting to turn one of his devices into a proxy can do this on any of these ports. Fortunately, there are some ports most SYSOPs prefer. In fact, every type of proxy sort of has its own common port. The kinds of proxies you'll need are socks4, socks4a, socks5 and HTTP (maybe some wingates too, but do they count as proxies?). All the socks are usually found on port 1080; HTTP proxies will mostly be located on 80, 3124, 8000 or 8080. If you can have your scanner check the IPs on several ports, these should certainly be among them. You'll mostly find HTTP proxies. They aren't as eagerly wanted as socks proxies, but you can still do a lot of nice stuff with them. First of all, HTTP actions (IIS scanning, brute-force hacking login asses for a certain type of site), but some of them can be used for FTP (so you can use them as a proxy while pubscanning, -filling or -leeching), others for IRC, etc. These functions can be checked by the better scanning programs, but in most cases you'll need an external proxy checker/analyser. Make sure it supports these options:
- verify: You've found some proxies which replied 'OK'. Nice. Next day. How do you know if your proxies still work? Verify 'em. Is it necessary? Well, servers can go offline or change. Several proxy servers are infected (and unaware) clients. Once they go offline, they might receive a different IP, or a virus scanner could remove the infection, who knows. But these dynamic IPs aren't what we're after in most cases. Nevertheless, before you fill in your proxy in your whateverthehellyouareusingitfor, you might want to know if the proxy's still working. So verify.
- Anonymity check: Being behind a proxy doesn't mean your worries are over. Never forget the ISP, and the proxy itself. If it allows the command sender (you) and the receiver (your victim) to request each other's IP, a SYSOP with a brain might get your IP anyway. Hence, you'll need to connect to the proxy and try to retrieve your IP from it via a connect-back to a port on your machine: an anonymity check.
- Delay: This has nothing to do with the speed with which a file will be sent through the proxy. This merely indicates how long it'll take to send commands to your victim (and kinda shows you how far the proxy is located from you). So if you're gonna do a lot of communicating with the remote machine, but not much file transfer and/or the files aren't that big, your preference should go to a proxy with a low delay time (also known as ping time) rather than to a proxy with great speed.
- Speed: This lets you know how much data the proxy can send to your machine each second. As said, this doesn't mean interactions will go faster; this means transferring large files will kick ass. If you wanna compare all this with a highway on which all cars drive exactly as fast as each other: the delay is directly linked to the distance from you to the other person. The speed is linked to the width of the highway (does "bandwidth" ring a bell?), and the wider the highway, the more lanes it has. If you're gonna send a lot of messages to a friend (e.g. chat), you'll want to keep the highway as short as possible. That way, a car will arrive soon and return soon. In this strange landscape, a car drives just as fast on a 2 lane highway as it would on a 20 lane highway. If you want to move a big cargo, you'll need a load of cars. If you need to pour them into one lane, you'll get an endless stream of cars.
The distance they need to travel is a lot shorter than the length of the line of cars. Better would be to get yourself a highway with a lot of lanes, even if it doesn't head directly for your target. With 20 lanes, you can send out 20 times more cars per second than with one lane. The extra time they need to get there can be ignored because there are so many cars. Get it? So: lots of chatter: low delay time. Big files: high speed.
- FTP-able: Can the proxy be used for FTP? Socks usually can, but they're quite uncommon. HTTP-proxies can rarely be used for FTP, but there are loads of them... I think it's sort of balanced out.
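The other side of the anonymity check in the list above, as an added example that is not the author's code: what a site operator sees when a request arrives through a proxy, and whether the forwarding headers hand over the original client. The header names are the common ones; the sample addresses in the comments and the classification labels are assumed.

```python
import ipaddress
import re

# Site-operator view: did this request arrive through a proxy, and did the
# proxy disclose the original client in a forwarding header?
FORWARD_RE = re.compile(r"for=([^;,\s]+)", re.I)  # RFC 7239 Forwarded: for=...
PROXY_MARKERS = ("via", "forwarded", "x-forwarded-for", "x-real-ip",
                 "x-client-ip", "proxy-connection")

def _as_ip(value):
    """Return a normalised IP string, or None if value isn't an address."""
    try:
        return str(ipaddress.ip_address(value.strip().strip('"[]')))
    except ValueError:
        return None

def classify_request(peer_ip, headers):
    """peer_ip: the TCP peer the server sees (the proxy, if one is in use).
    headers: request headers as a dict (names matched case-insensitively).
    Returns (level, origin): level is 'direct', 'transparent' (proxy leaks
    the client) or 'anonymous' (proxy announces itself but hides the client);
    origin is the disclosed client IP, or None."""
    h = {k.lower(): v for k, v in headers.items()}
    candidates = []
    if "x-forwarded-for" in h:
        candidates += h["x-forwarded-for"].split(",")  # leftmost = client
    candidates += [h[n] for n in ("x-real-ip", "x-client-ip") if n in h]
    if "forwarded" in h:
        candidates += FORWARD_RE.findall(h["forwarded"])
    for c in candidates:
        ip = _as_ip(c)
        if ip and ip != peer_ip:
            # A lead, not proof: any client can put a fake address in these
            # headers, so corroborate with logs before acting on it.
            return "transparent", ip
    if any(n in h for n in PROXY_MARKERS):
        return "anonymous", None
    return "direct", peer_ip
```

A proxy that comes back 'anonymous' here is exactly the kind the checker in the list is looking for; a 'transparent' one gives the SYSOP your address on a plate.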
Was there anything else?.. Oh yeah, scanning is illegal, so use a proxy when scanning. How can I use a proxy for scanning for proxies when I don't have one yet? Sometimes scans get posted on sites, get one from there. Most of these proxies that are on websites become heavily used, causing them to be slow, and due to the sudden heavy traffic, the proxy's SYSOP might find out about the (unwanted) use of his/her box faster. So they're hardly as useful as the ones you scan yourself. Just get yourself a list, verify, check for anonymity and make sure there's a low ping to it (speed is irrelevant), and if you have a good one in there, use it to scan. The ones you scan yourself will be lesser known, hence less used, hence remain standing longer and have a lot of bandwidth available (speed=good)...
You can fool your ISP while scanning by randomizing your queue. The ISP can easily detect (automated) that you connect to IPs which miraculously seem to follow in order. Randomizing turns X.X.X.1, X.X.X.2,... into X.X.X.145, X.X.X.73,... It's random, baby! Enjoy, get working to proxify yourself. If you have any comments or leftover proxies, mail to frank@isdronken.com. Since I'm low on inspiration, you get to choose the subject yourself.
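What the ISP-side detection mentioned above could look like, as an added example that is not part of the original text: a sweep detector over constructed flow-log lines (timestamp, source, destination, port) that flags a source touching many distinct hosts in one /24 on one port within a short window, and labels whether the order was sequential. The log format, thresholds and addresses are all assumed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow-log lines, not taken from the text: "timestamp src dst dport".
SAMPLE_LOG = """\
2003-05-01T22:10:01 10.9.8.7 12.2.140.1 1080
2003-05-01T22:10:01 10.9.8.7 12.2.140.2 1080
2003-05-01T22:10:02 10.9.8.7 12.2.140.3 1080
2003-05-01T22:10:02 10.9.8.7 12.2.140.4 1080
2003-05-01T22:10:03 10.9.8.7 12.2.140.5 1080
2003-05-01T22:11:00 10.9.8.8 12.2.140.145 8080
2003-05-01T22:11:01 10.9.8.8 12.2.140.73 8080
2003-05-01T22:11:01 10.9.8.8 12.2.140.9 8080
2003-05-01T22:11:02 10.9.8.8 12.2.140.201 8080
2003-05-01T22:11:03 10.9.8.8 12.2.140.88 8080
2003-05-01T22:12:00 10.9.8.9 12.2.140.10 80
2003-05-01T22:12:30 10.9.8.9 12.2.141.10 80
"""

def parse_flows(text):
    """Parse one flow per line into (datetime, src, dst, dport)."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def find_sweeps(flows, window_s=60, min_hosts=5):
    """Group flows by (src, dport, /24 of dst). A source touching at least
    min_hosts distinct hosts in one /24 within window_s seconds is a sweep.
    Returns {src: [(subnet, dport, n_hosts, ordering)]}; ordering is
    'sequential' when the last octets strictly increase, else 'randomized'."""
    groups = defaultdict(list)
    for ts, src, dst, dport in flows:
        net, host = dst.rsplit(".", 1)
        groups[(src, dport, net)].append((ts, int(host)))
    hits = defaultdict(list)
    for (src, dport, net), events in groups.items():
        events.sort()  # by time, then host octet
        for i, (t0, _) in enumerate(events):
            hosts = [h for t, h in events[i:] if (t - t0).total_seconds() <= window_s]
            if len(set(hosts)) >= min_hosts:
                ordered = all(a < b for a, b in zip(hosts, hosts[1:]))
                hits[src].append((net, dport, len(set(hosts)), "sequential" if ordered else "randomized"))
                break
    return dict(hits)
```

Because the detector counts distinct hosts in the subnet rather than checking their order, the randomized sweep in the sample is flagged just like the ordered one; randomizing only changes the label.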