More Hack


Now what can we do next to get luser@aol.com really wondering if you could actually break into his account? We're going to do some port surfing on this last AOL domain name server! But to do this we need to change our telnet settings a bit.

Click on Terminal, then Preferences. In the preferences box you need to check "Local echo." You must do this, or else you won't be able to see everything that you get while port surfing. For some reason, some of the messages a remote computer sends to you won't show up on your Win 95 telnet screen unless you choose the local echo option. However, be warned: in some situations everything you type in will be doubled. For example, if you type in "hello" the telnet screen may show you "heh lelllo o." This doesn't mean you mistyped; it just means your typing is getting echoed back at various intervals.

Now click on Connect, then Remote System. Then enter the name of that last AOL domain server, dns-aol.ans.net. Below it, for Port choose Daytime. It will send back to you the day of the week, date and time of day in its time zone.

Aha! We now know that dns-aol.ans.net is exposed to the world, with at least one open port, heh, heh. It is definitely a prospect for further port surfing. And now your friend is wondering, how did you get something out of that computer?

******************************
Clueless newbie alert: If everyone who reads this telnets to the daytime port of this computer, the sysadmin will say "Whoa, I'm under heavy attack by hackers!!! There must be some evil exploit for the daytime service! I'm going to close this port pronto!" Then you'll all email me complaining the hack doesn't work. Please, try this hack out on different computers and don't all beat up on AOL.
******************************
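Seen from the sysadmin's side of that alert, closing the port means finding where the service is enabled. The following is an added example, not part of the original guide: it assumes a Unix host where daytime is one of inetd's built-in "small services" and the classic inetd.conf column layout, and the sample config is constructed.

```python
# Added example: audit an inetd.conf for legacy small services such as daytime.
# Assumption: classic inetd.conf columns
#   service  socket  proto  wait  user  program  [args]

# Small services that inetd answers itself (program column is "internal").
SMALL_SERVICES = {"echo", "discard", "daytime", "chargen", "time"}

# Constructed sample config, for illustration only.
SAMPLE_INETD_CONF = """\
# service  socket  proto  wait    user  program  args
daytime    stream  tcp    nowait  root  internal
daytime    dgram   udp    wait    root  internal
#echo      stream  tcp    nowait  root  internal
chargen    stream  tcp    nowait  root  internal
ftp        stream  tcp    nowait  root  /usr/sbin/in.ftpd  in.ftpd
time stream tcp
"""

def _is_small_service(line):
    """True if an uncommented, complete entry enables a built-in small service."""
    fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
    if len(fields) < 6:                      # blank, comment-only or incomplete
        return False
    return fields[0] in SMALL_SERVICES and fields[5] == "internal"

def find_enabled_small_services(conf_text):
    """Return sorted (service, proto) pairs for small services left enabled."""
    found = set()
    for line in conf_text.splitlines():
        if _is_small_service(line):
            fields = line.split()
            found.add((fields[0], fields[2]))
    return sorted(found)

def hardened(conf_text):
    """Return the config with every enabled small-service entry commented out."""
    lines = ["#" + l if _is_small_service(l) else l for l in conf_text.splitlines()]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for service, proto in find_enabled_small_services(SAMPLE_INETD_CONF):
        print(f"enabled: {service}/{proto}")
    print(hardened(SAMPLE_INETD_CONF), end="")
```

After editing the real file, inetd has to re-read its configuration before the ports actually close.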

Now let's check out that Reston computer. I select Remote Host again and enter the name h12.t60-0.Reston.t3.ans.net. I try some port surfing without success. This is a seriously locked down box! What do we do next?

So first we remove that "local echo" feature, then we telnet back to whois.internic. We ask about this ans.net outfit that offers links to AOL:

[vt100] InterNIC > whois ans.net

Connecting to the rs Database . . . . . .
Connected to the rs Database
ANS CO+RE Systems, Inc. (ANS-DOM)
  100 Clearbrook Road
  Elmsford, NY 10523

  Domain Name: ANS.NET

  Administrative Contact:
     Hershman, Ittai (IH4) ittai@ANS.NET
     (914) 789-5337
  Technical Contact:
     ANS Network Operations Center (ANS-NOC) noc@ans.net
     1-800-456-6300
  Zone Contact:
     ANS Hostmaster (AH-ORG) hostmaster@ANS.NET
     (800)456-6300 fax: (914)789-5310
 

  Record last updated on 03-Jan-97.
  Record created on 27-Sep-90.

  Domain servers in listed order:

  NS.ANS.NET                  192.103.63.100
  NIS.ANS.NET                 147.225.1.2

Now if you wanted to be a really evil hacker you could call that 800 number and try to social engineer a password out of somebody who works for this network. But that wouldn't be nice and there is nothing legal you can do with ans.net passwords. So I'm not telling you how to social engineer those passwords.

© 1999 - 2008, MultiMedia SRL