SWAT MAGAZINE ISSUE SIXTEEN: APRIL 1999

============================================
Everything You Wanted To Know About Wingates
============================================
Author : Netw0rk Bug
E-Mail : bug@netw0rk.freeserve.co.uk
Date   : April 1998
============================================

OK, let's get right down to the point.

What is a WinGate?

It is basically a piece of software that lets you split a connection; for example, you could use one modem with more than one computer. WinGate comes with several proxies, which is where the possible threats are.

What threats are there with WinGate?

The one threat which we are going to take a look at is the Port 23 Telnet Proxy. This proxy is set up and running as soon as you have installed WinGate. What most system admins don't realise is that by default it has no password after install and doesn't even ask you for one.

The WinGate is fairly simple to use. You just telnet to port 23 on the server that is running the WinGate telnet proxy and you get a prompt:

    WinGate>

At this prompt you type in the server, then a space, and the port you want to connect to, e.g.

    %prompt>telnet wingate.com
    connected to wingate.com
    Wingate>victim.com 23

What this does is basically stop victim.com from seeing your IP address; instead it just sees the WinGate's IP address.

Other ports are:

    Port 1080   SOCKS Proxy
    Port 6667   IRC Proxy

How Do I Find and Use a WinGate?

Cool, you might be thinking, but how do I find and use one? Well, it's fairly simple really...

If you would like to find static IP WinGates (IP never changes), go to a search engine such as Infoseek and search for cable modems. The reason for searching for cable modems is that a lot of people with cable modems have WinGate so that they can split their cable modem's large bandwidth and share it with the other computers that they might have. The easiest method is to use a port or domain scanner and scan for port 1080, which identifies a SOCKS proxy.
To find dynamic IP WinGates (IP changes each time you log on): almost every ISP, big and small, has users with WinGate. You need to either know the format of an ISP's dynamic PPP addresses or you need to get on IRC (Internet Relay Chat) and see what they are that way. Say that you already have a PPP address of armory-us832.javanet.com. You DNS that address and get 209.94.151.143, then you take the IP address and stick it into a domain scanner program.

Ex: Domscan is a good one. OK, so you have Domscan now; if not, then I recommend you get it. Run Domscan and there is a box where you put in the IP address and the port to scan for. The WinGate telnet proxy by default runs on port 23. So we put 209.94.151.143 in the first box in the Domscan program and 23 in the second box, and then click start. The results we will get are:

    209.94.151.2    209.94.151.4    209.94.151.6    209.94.151.10
    209.94.151.8    209.94.151.73   209.94.151.118  209.94.151.132

What you need to do now is check each of these to see if they have a WinGate> prompt. So telnet to the first one on port 23, and if the prompt says WinGate> then yep, you have found a WinGate. If not, then try the next one.

I Have Found A WinGate, Now What Can I Do With It?

Well, there are a few things you can do with a WinGate; I think the best one is the almighty WinGate bounce technique. So if you were an evil haxor and you were going to attack target.com, then you can use this technique to stop yourself from getting caught. This is how we do it:

  - We first of all find a collection of WinGates.
  - We then telnet to the first WinGate on our list and we should get the WinGate> prompt.
  - We type the second WinGate on our list, then a space, then 23, then hit enter.
  - Then we get another WinGate prompt, and at that prompt we type the third WinGate IP on our list, then a space, then 23, then hit enter.
  - We keep going through this process until we have bounced through all of our WinGates.
  - Then on the tenth WinGate we enter in the target 23 and hit enter and start to hack away at it.

Now you might be thinking... well, can't the target trace through all of those WinGates? Well, this is what would happen:

The target has an IP in their logs; the IP is 5.3.4.7. The target knows that the IP belongs to an Internet service provider called INTACCS or something. So the target will contact them and say that at such a time on such a day, IP address 5.3.4.7 hacked into their computer system. So the ISP (Internet service provider) checks their logs and sees that their user Mr Blobby was on at that time on that day. So the target has the SWAT team do a raid on Mr Blobby's house and they find nothing. They then may spot that Mr Blobby has WinGate and then check his logs.

Now the good thing for us is that most people don't even log the use of their WinGate. The idea is that if you go through 10 WinGates, then at least one of them will not bother to log the use of their WinGate, or if they did, then target.com would have to spend a lot of money and resources (which they probably will not bother to do) to go to the 10 ISPs and check their logs. In other words, if you bounce through 10 WinGate IPs you are a ghost. Cool eh!

Please Note: You may need to do a control + enter at the WinGate> prompt.
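
The trace-back walk described above (the target's log entry, then each relay's log in turn), written out from the investigator's side as an added example that is not part of the original article. It shows why proxy session logging matters: the walk stops at the first relay that kept no logs. The record layout, the time window, the clock-skew allowance and the sample addresses are all assumptions made for this sketch.

```python
from datetime import datetime, timedelta

PROXY_PORT = 23                   # telnet proxy port named in the article
WINDOW = timedelta(minutes=30)    # assumed: max gap between two chained hops
SKEW = timedelta(seconds=60)      # assumed: clock skew between hosts

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

# Constructed sample data (documentation address ranges only).
# Hypothetical normalised record per relayed session:
#   (time relay opened the outbound connection, client, destination, dest port)
RELAY_LOGS = {
    "198.51.100.20": [
        (ts("1999-04-02 21:14:07"), "203.0.113.9", "192.0.2.10", 23),
    ],
    "203.0.113.9": [
        (ts("1999-04-02 21:13:58"), "198.51.100.77", "198.51.100.20", 23),
        (ts("1999-04-02 21:40:00"), "198.51.100.5", "192.0.2.99", 23),
    ],
}

def trace_back(logs, seen_from, target, port, when):
    """Walk relay logs backwards from the address the target logged.

    Returns (path, reason): path lists every address from the one the target
    saw back to the earliest client found; reason says why the walk stopped.
    """
    path, host, dest, visited = [seen_from], seen_from, target, set()
    while True:
        if host in visited:
            return path, "loop in logs at " + host
        visited.add(host)
        if host not in logs:
            # Either the true origin or a relay that never logged: the
            # records alone cannot tell these two cases apart.
            return path, "no logs kept by " + host
        hits = [r for r in logs[host]
                if r[2] == dest and r[3] == port
                and when - WINDOW <= r[0] <= when + SKEW]
        if not hits:
            return path, "no matching session on " + host
        # Take the session closest in time, then step one hop upstream.
        when, client, _, _ = min(hits, key=lambda r: abs(r[0] - when))
        path.append(client)
        host, dest, port = client, host, PROXY_PORT
```

With session logging enabled on every relay, the returned path reaches the first client; with one relay's log missing, the path ends there and the reason names the host that has to be approached by other means.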