Under supervision... or Vs. Admin (LAN version)
What can a sysadmin do?
For example, he can see a copy of your screen or completely take over control of the computer, i.e. even shut it down. On top of that, he can find out all the passwords you entered; the latter can be done without the user noticing. All this is done with the help of special programs for remote administration, for example Remote Administrator (Radmin), etc. Trojans also belong to remote control programs, and everything written below applies to them as well.
These programs work on the "client-server" principle. The client part of the program is installed by the one who manages, and the server runs quietly on the machine of the person who is controlled. Usually the server is registered in startup and starts together with Windows. At boot, the server starts to "listen" on a specific port, i.e. it waits for a connection on this port. The person with the client enters the IP address and the port (the one the server listens on) to connect to the victim and then presses "Connect"...
To find out which ports are open, you can look at all the active connections, using Internet Maniac for example, in the "SNMP" > "Active connections" menu. The Remote Administrator server looks like this (default): it listens for connections on port 4899 (the settings allow changing the port), and the state is "LISTENING".
You can also use the standard Windows utilities: in the "Programs" menu, run "MS-DOS Prompt" and enter "netstat -a" without quotes ;) Format of the output: "name of your computer:port   name of the remote computer:port   connection status". If you need to see all established connections in numerical form rather than as names, enter netstat -n.
If a client has connected to the server (installed by me), it will look like this:
As you can see, a user with IP address XXX.168.1.25 connected to my computer (the connection status is ESTABLISHED, i.e. the connection is established).
Note: While checking, all network programs should be closed: Internet Explorer, ICQ, email programs...
Determining the moment of connection
If you want to know when someone connects to you, along with the IP address and the name of the computer on the network, use the Attacker program. It monitors the specified ports and reports a connection when one is attempted. For example, if among the active connections you see that an application "listens" on port 4899 (Radmin), take Attacker and add this port (under TCP) so that it is tracked; when someone connects to it, the program will notify you (while the connection is not yet established). In the screenshot you can see that at 13:51:17 there was an attempt to connect to port 4899 from IP address XXX.168.1.177; the name of the remote computer on the network is YURI.
If one of the local network users has "climbed" onto your hard drive, then among the connections there will be one on port 139 (nbsession). In the screenshot you can see that the user with IP address XXX.168.1.25 connected to my computer through Network Neighborhood. Instead of the port number, Internet Maniac can show the name of the service assigned to the port; in this case it is nbsession, port 139.
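The netstat check described above can be scripted. The following is an added example, not part of the original article: it parses `netstat -a -n` style output and reports the two ports the article names (4899, Radmin's default, and 139, nbsession) when they are listening or have a connected peer. The sample output, addresses and function names are constructed for illustration.

```python
import re

# Ports the article calls out: Radmin's default listener and the NetBIOS
# session service used when someone opens your shared drive over the LAN.
WATCHED_PORTS = {4899: "Radmin (default port)", 139: "nbsession"}

# Constructed sample of `netstat -a -n` output (not captured from a real
# host); all addresses are private-range placeholders.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:4899           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:4899      192.168.1.25:1057      ESTABLISHED
  TCP    192.168.1.10:139       192.168.1.25:1061      ESTABLISHED
  TCP    192.168.1.10:1040      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One TCP row: local addr:port, foreign addr:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s*$")

def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, state) for each TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), m.group(5)

def review(text, watched=WATCHED_PORTS):
    """Return findings for watched local ports: listeners and connected peers."""
    findings = []
    for _local_ip, port, remote_ip, state in parse_netstat(text):
        if port not in watched:
            continue  # e.g. our own outbound connections from ephemeral ports
        if state in ("LISTENING", "LISTEN"):
            findings.append(("listening", port, watched[port], None))
        elif state == "ESTABLISHED":
            findings.append(("connected", port, watched[port], remote_ip))
    return findings

if __name__ == "__main__":
    for kind, port, name, peer in review(SAMPLE):
        print(f"{kind:10} port {port:<5} {name}" + (f"  peer {peer}" if peer else ""))
```

Because the article notes that the Radmin port can be changed in the settings, pass your own `watched` mapping when the listener you are checking for is not on 4899.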
Scanning a remote computer
When network services are running on a computer, they open ports, so by scanning the ports of a remote computer you can see which ones are open. The screenshot shows the result of scanning a computer on which the Radmin server is installed (default port: 4899). That is, if you see open port 80 in a scan, it means that a web server is installed; if 3218, 8080 or 80, then this is most likely a proxy server...
How to determine whether such a program is installed
If you have open ports (LISTEN or ESTABLISHED status) while no network programs are running, then it is possible that this is a remote control server. Try to look at all the programs that are running (CTRL-ALT-DELETE). If you find nothing (such programs are often specially made so that they cannot be seen at all), you can use any task manager that shows all running applications, such as Process Viewer, Task Manager... You can then unload any program; if a connection was established, it will break.
How passwords are found out
To learn passwords, administrators can use several methods. The simplest and most common is the use of keyloggers, i.e. programs that record all keystrokes; the most famous of them is hookdump95. Such programs are usually caught by antiviruses, but who prevents you from writing your own?
PS: While I was making screenshots for the article, the admin cleaned my floppy disk, which was in the drive at the time, and it had someone else's semester on it... and who is he after that??