Under supervision... or Vs Admin (LAN version)
What can a sysadmin do?
For example, see a copy of your screen, take complete control of the computer (even shut it down), and also find out all the passwords you entered... the latter can be done without the user noticing. All this is done with special programs for remote administration, for example Remote Administrator (Radmin). Trojans also belong to remote control programs, and everything written below applies to them as well.
These programs work on the "client-server" principle. The client part of the program is installed by the one who manages, and the server part runs quietly on the computer of the person who is controlled. Usually the server is registered in startup and starts together with Windows. At boot, the server starts "listening" on a specific port, i.e. it waits for a connection on this port; the person with the client enters the IP address and the port (the one the server listens on) and then presses "Connect" to connect to the "victim"...
To find out which ports are open, you can simply look at all the active connections, for example with Internet Maniac, in the "SNMP" > "Active connections" menu. The Remote Administrator server appears there in the "LISTENING" state: by default it waits for connections on port 4899, and the settings allow changing the port.
You can also use the standard Windows utilities: in the "Programs" menu, run "MS-DOS session" and enter "netstat -a" without quotes ;) Format of the output: "name of your computer:port  name of the remote computer:port  connection status". If you need to see all established connections in numerical form rather than as names, enter netstat -n.
If a client has connected to the server (installed by me), it will look like this:
As you can see, a user with the IP address XXX.168.1.25 has connected to my computer (the connection status is ESTABLISHED, i.e. connected).
Note: At the time of verification, all network programs should be closed: Internet Explorer, ICQ, email programs...
Determine the moment of connection
If you want to know when someone connects to you, along with their IP address and the name of their computer on the network, use the Attacker program: it monitors the specified ports and lets you know when a connection is attempted. For example, if among the active connections you see that an application is "listening" on port 4899 (Radmin), take the Attacker program and add this port (TCP) to be tracked; you will be notified of the connection attempt (the connection itself is not established at all). In the screenshot you can see that at 13:51:17 there was an attempt to connect to port 4899 from the IP address XXX.168.1.177; the name of the remote computer on the network: YURI.
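The same kind of monitoring, as an added example (not the Attacker program's code and not from the original article): a small listener that records the time, IP address and network name of each connection attempt on a watched port. Unlike the tool described above, it accepts the connection and closes it at once; the function names are hypothetical.

```python
import socket
from datetime import datetime

def open_watch(port, host="0.0.0.0"):
    """Bind and listen on a TCP port that no legitimate client should use."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(5)
    return srv

def record_attempt(srv, resolve=True):
    """Accept one connection, note who it was, close it without serving data."""
    conn, (ip, _src_port) = srv.accept()
    conn.close()
    name = None
    if resolve:
        try:
            name = socket.gethostbyaddr(ip)[0]   # reverse lookup may not exist
        except OSError:
            pass
    return {
        "time": datetime.now().strftime("%H:%M:%S"),
        "ip": ip,
        "name": name,
        "port": srv.getsockname()[1],
    }

if __name__ == "__main__":
    # 4899 is the Radmin default named in the article; the bind normally
    # fails if another program is already listening on that port.
    watch = open_watch(4899)
    while True:
        e = record_attempt(watch)
        print(f'{e["time"]} connection attempt to port {e["port"]} '
              f'from {e["ip"]} ({e["name"] or "name unknown"})')
```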
If one of the local network users has "climbed" onto your hard drive, then among the connections there will be one on port 139 (nbsession). In the screenshot you can see that the user with the IP address XXX.168.1.25 connected to my computer through Network Neighborhood. Instead of the port number, Internet Maniac can show the name of the service assigned to the port; in this case it is nbsession, port 139.
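The netstat check from the first section and the port 139 check above can be done in one pass over saved "netstat -an" output. This is an added example, not code from the original article; the sample output and its addresses are constructed, and the function names are hypothetical.

```python
import re

# Ports the article singles out: 4899 = Radmin default, 139 = nbsession.
WATCHED = {4899: "Radmin (default port)", 139: "nbsession (file sharing)"}

# Constructed sample in the Windows "netstat -an" layout (made-up addresses).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4899           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:4899      192.168.1.25:1045      ESTABLISHED
  TCP    192.168.1.10:139       192.168.1.25:1051      ESTABLISHED
  TCP    192.168.1.10:1060      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s*$")

def parse(text):
    """Yield (local_port, remote_ip, state) for every TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield int(m.group(2)), m.group(3), m.group(5).upper()

def findings(text, watched=WATCHED):
    """Report watched local ports that are listening or have a peer connected."""
    out = []
    for port, remote, state in parse(text):
        if port not in watched:
            continue
        if state in ("LISTENING", "LISTEN"):
            out.append(("listening", port, None))
        elif state == "ESTABLISHED":
            out.append(("connected", port, remote))
    return out

if __name__ == "__main__":
    for kind, port, remote in findings(SAMPLE):
        who = f" from {remote}" if remote else ""
        print(f"{kind:9} port {port} [{WATCHED[port]}]{who}")
```

Because the Radmin port can be changed in its settings, an unexpected listener on any port deserves the same attention; extend WATCHED accordingly.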
Scanning a remote computer
When network services are running on a computer, they open ports, i.e. by scanning the ports on a remote computer you can see which ones are open. The screenshot shows the result of scanning a computer on which the Radmin server is installed (default port: 4899). That is, if the scan shows port 80 open, it means a web server is installed there; if 3218, 8080 or 80, this is most likely a proxy server...
How to determine whether the program is installed or not
If you have open ports (LISTEN or ESTABLISHED status) while no network programs are running, it is possible that this is a remote management server. Try looking at all the programs that are running (CTRL-ALT-DELETE). If you did not find anything (such programs are often deliberately made so that they cannot be seen there at all), you can use any task manager that shows all running applications, such as Process Viewer, Task Manager... Now you can unload any program; if a connection was established, it will break.
How passwords are found out
To learn passwords, administrators can use several methods. The simplest and most common is the use of keyloggers, i.e. programs that record all keystrokes; the most famous of them is hookdump95. Such programs are usually caught by antiviruses, but who will prevent you from writing your own?
PS: While I was making screenshots for the article, the admin wiped my floppy disk, which was in the drive at the time, and someone else's semester work was on it... so who is he after this???