BackTrack 5 User Guide, Vietnamese edition, 2012
Translated and compiled by: cutynhangheo@gmail.com. Page 2
Table of contents
Foreword ... 3
Part I: Information gathering and an introduction to the VA tools ... 4
  1. Information gathering ... 4
  2. Vulnerability assessment ... 6
Part II: Exploit tools and frameworks ... 10
  1. The Metasploit Armitage toolkit ... 10
  2. The Social-Engineer Toolkit ... 11
  3. Privilege escalation tools ... 12
  4. John the Ripper ... 13
Part III: More exploit tools and frameworks ... 15
  1. Stealing information from the browser ... 15
  2. Information theft in practice ... 15
  3. Hashcat in BackTrack 5 ... 17
  4. Privilege escalation in practice ... 18
  5. Exploiting SQL injection in BackTrack 5 ... 18
  6. The surprising truth behind so-called automated exploitation tools ... 19
Part IV: How to stay hidden ... 20
  1. Why stay hidden? ... 20
  2. The Cymothoa OS backdoor ... 20
  3. Is Meterpreter a backdoor? ... 22
  4. Exploiting vulnerabilities to plant a backdoor ... 23
Part V: A simulated attack in detail ... 24
  1. The Autoscan Network tool in BackTrack 5 ... 24
  2. Online vulnerability resources ... 24
  3. Pentesting the target ... 25
  4. Covering tracks ... 26
  5. Overview of the Windows security model ... 26
Foreword
cutynhangheo dedicates this guide to the members of HCEGroup and TheGioiMang.OrG on the occasion of the reopening of those two beloved forums. cutynhangheo would also like to say a few words to those who are just getting into this art. In the art of hacking there is no such thing as laziness or slacking off; keep in mind that the moment we feel satisfied with what we already have is the moment we start falling behind the rest of the world. In the art of hacking, knowledge, skill, reasoning, cunning and a little luck always go hand in hand. So if we feel we already have everything we want, that is when we start to lose it all. cutynhangheo also wants to say that this document is for reference only and for practical attack exercises (pentests) in a lab environment, or for agencies and organizations that want to run penetration tests against their own systems. The knowledge in this guide was collected by cutynhangheo from many sources on the Internet; sincere thanks to the authors and sources that cutynhangheo consulted. Once again, cutynhangheo repeats that this document was translated and compiled and is provided purely for learning and research; cutynhangheo takes no responsibility if anyone uses the knowledge, techniques and reasoning in it to break the laws of the Socialist Republic of Vietnam. cutynhangheo bears no legal responsibility for any impersonation or misuse of the material above.
Part I: Information gathering and an introduction to the VA tools
BackTrack 5 carries the code name Revolution; it was eagerly awaited by the security community (especially the hacking scene) and was released in May 2011. Compared with BackTrack 4 R2, this release is a major step forward. BackTrack 5 is said to have been rebuilt from the ground up by its developers, bringing improvements and bug fixes over the earlier BackTrack 4 R2. BackTrack 5 is named after an algorithm called backtracking. It ships a collection of tools covering everything from password cracking and pentesting to port scanning. BackTrack 5 has 12 tool categories, shown in Figure 1 below.
Figure 1: The tool categories in BackTrack 5
A security tester (let us call him a pentester; people like us are more like script kiddies, or in plain words "people who go hacking", and cutynhangheo repeats that we are not yet real hackers, OK!) usually runs a penetration test in five steps (depending on the environment and the specific case there may be more than five), as follows:
1. Step 1 is gathering information about the system under test.
2. Step 2 is scanning for bugs and assessing the possible weaknesses of the system under test.
3. Step 3 is gaining access to the system under test through those possible weaknesses.
4. Step 4 is maintaining access to the system under test (it sounds complicated, but cutynhangheo thinks this is simply the step of planting a backdoor for the next visit).
5. Step 5 is erasing all traces (in the movies they call it disposing of the evidence; hehehe).
In this BackTrack 5 pentesting guide we will go through information gathering and the vulnerability assessment tools (if any) provided in this release of BackTrack 5.
1. Information gathering:
Information gathering is the first step of a penetration test and an extremely important one. In this step the pentester or attacker collects preliminary information about the target, such as the target network, the open ports, the hosts that are live and the services running on each port. What do we get out of it? Quite simply, a map of the target's structure, plus information about the systems and networks the target is using. Figure 2 below is a screenshot of Zenmap, a tool BackTrack provides to help the pentester or attacker gather information about and analyze the target network.
Figure 2: The Zenmap UI in BackTrack 5
Zenmap's scan modes give us information about the target such as the service running on each port, the target's operating system version, the route to the target, workgroups and user accounts. This information is genuinely useful for white-box testing (and of course for an attacker too). Other information-gathering tools in BackTrack 5 are CMS identification and IDS/IPS identification, used for gathering information about and analyzing web applications. CMS identification gives preliminary information about the target CMS; this tool set can be used to assess vulnerabilities in the CMS, and most conveniently it comes with ready-made exploits that a pentester or attacker can test against the target. Tools such as joomscan (for the Joomla CMS) are covered later in this guide. Another interesting and extremely powerful tool is Maltego, which is often used to analyze SMTP. Figure 3 below shows Maltego in action.
Figure 3: The Maltego UI in BackTrack 5
Maltego's Palette shows information such as DNS Name, Domain, Location, URL, email and other details about a website. Maltego applies different transforms to the entities to give the pentester or attacker the detailed information they need about the target. Maltego presents the information gathered about the target visually, in a graphical interface.
2. Vulnerability assessment:
The second step of a pentest is assessing the vulnerabilities (if any), once the first step has been completed successfully. With the layout of the target obtained through footprinting (cutynhangheo remembers reading somewhere long ago that it means something like "leaving a footprint"), we now analyze and assess the weaknesses or vulnerabilities of the system under test. There are many security websites on the Internet today that list vulnerabilities that can be exploited, but in this series we will focus only on what BackTrack 5 provides. Web application scans are used to assess and find vulnerabilities in web applications. Figure 4 below introduces the joomscan tool in BackTrack 5. Joomscan works by using the vulnerabilities in its resource database to look for vulnerabilities in a website running on Joomla.
Figure 4: The Joomscan tool
Joomscan is invoked as follows:
./joomscan.pl -u <string> -x proxy:port
<string> is the Joomla website under test. Joomscan also has options for checking the Joomla version, checking the server, checking whether a firewall is active, and so on. As Figure 4 above shows, the target Joomla website is running on an Apache web server and the PHP version in use is 5.5.16.
OpenVAS (Open Vulnerability Assessment System) in BackTrack 5: opening Application > Backtrack > Vulnerability scanners > OpenVAS presents the list of options shown in Figure 5 below.
Figure 5: The OpenVAS options in BackTrack 5.
OpenVAS is a powerful tool for analyzing and assessing the vulnerabilities of a target. Before using it, however, the vendor recommends that you set up certificates with the OpenVAS MkCert option. After that we need to create a new user account from the menu, as shown in this guide. The user can apply custom rules, or an empty rule set is accepted by pressing Ctrl + D. Once a new user has been added with its login credentials, we can start using the tool.
Figure 6: Adding an OpenVAS user account
OpenVAS performs vulnerability assessment on a client/server model. You should regularly update the list of new vulnerabilities in the OpenVAS library so that the tests are as effective as possible.
OpenVAS and Nessus Scanner: Nessus Scanner is an automated vulnerability analysis and assessment tool. Let us take a quick look at the differences between the two. Nessus Scanner comes in two editions, free and paid (this one hurts many hackers like us; we have not hacked anything yet and it already costs money), whereas OpenVAS is completely free (which is a good thing; never assume that free means junk, some free tools are clearly better than properly paid ones, and with free tools nobody can come after you about licensing either). According to recent assessments, the plugin resources for these two tools differ considerably, and depending on who you ask, one or the other will be the one recommended against; of course an automated scanner can produce wrong results, and that is unavoidable (you may ask cutynhangheo why introduce it if it makes mistakes; the answer is that a program is written by people and only does what it is told, it does not think like a human). There are many groups on the Internet set up to teach each other how to use other supporting tools, including automated scanners, but cutynhangheo's advice is this: use automated scanners only to get a broad assessment of a target's vulnerabilities. BackTrack 5 also provides other tool sets of the same kind, such as the CISCO tools, which are used to find vulnerabilities in networks running CISCO hardware. Fuzzers are provided too, divided into Network Fuzzers and VOIP Fuzzers. That explains why BackTrack 5 ships so many information gathering and vulnerability assessment tools. In this guide cutynhangheo will try to introduce one or two tools that cutynhangheo finds useful (for the rest, if you want to sharpen your skills, please go and use Google Search yourself; as the saying goes, "I give you the fishing rod, not the fish").
Part II: Exploit tools and frameworks
In the first part of this BackTrack 5 guide we went through two steps, information gathering and vulnerability assessment, with the tools introduced above. In this second part we look at tools for exploiting vulnerabilities remotely and learn how to use exploitation frameworks for privilege escalation, for example using John the Ripper to crack passwords and gain access to a remote Windows system.
1. The Metasploit Armitage toolkit:
Metasploit Armitage is the graphical front end of the well-known exploitation toolkit Metasploit Framework. cutynhangheo will write a separate series on using Metasploit soon. In this BackTrack 5 guide we show how to use autopwn to exploit a browser vulnerability on a Windows XP system through Metasploit Armitage.
Figure 7: The Metasploit Armitage toolkit; the remotely compromised Windows system is highlighted in color. The console pane below shows autopwn being used to exploit a browser vulnerability on the system. Armitage also collected information about the target's operating system.
For this exploitation walkthrough you need a website vulnerable to cross-site scripting (XSS) with a URL redirection flaw. When the victim clicks a particular URL in the browser, the victim's system spawns a meterpreter shell. The URL redirection code looks like this:
The auto-migration feature used in the exploit creates a new process on the victim's system, because if we exploit without migration the attack is aborted or ends as soon as the user closes the browser. Migration therefore lets us keep a continuous connection to the victim's system even if the victim closes the browser.
Figure 8: An illustration of URL redirection from an XSS-vulnerable website, xyz.com, to the attacker at 192.168.13.132
2. The Social-Engineer Toolkit:
cutynhangheo will cover the Social-Engineer Toolkit (SET) in detail in another guide soon. In this BackTrack 5 guide we focus on the attack known as tab nabbing. In a simulated attack the victim opens a link in the browser; as soon as the victim switches to another tab, the original page is replaced by a fake one, and this lets the attacker capture the victim's login credentials. The victim is tricked into entering his username and password on the fake page. In this social engineering attack we pick a website as the attack vector and clone it. We have to decide which pages we want to clone, namely ones with the login forms we are after. cutynhangheo cloned a Facebook page for this BackTrack 5 guide purely for demonstration (cutynhangheo does not encourage you to do the same). Note that cloning does not work without an Internet connection. Figure 9 below shows the fake Facebook login page, and Figure 10 shows the data sent via POST being captured by SET. This attack can be extended to any URL you intend to clone; for sites that submit data via POST, the information is always captured, whether over HTTP or HTTPS. SET supports both protocols well and gives good results when sniffing login credentials.
Figure 9: A fake Facebook login page created by the Social-Engineer Toolkit with options configured by the attacker.
Figure 10: POST data captured by the Social-Engineer Toolkit framework from a fake Facebook login page.
3. Privilege escalation tools:
We know that we do not always get administrator or superuser rights when we break into a remote system (if it were that easy there would be nothing interesting about it, OK!). Like an attacker, we need maximum privileges on the victim's system to run our payloads and carry out the actions we want (for example climbing to administrator or getting root). BackTrack 5 provides a range of privilege escalation tools for this practical need, as shown in Figure 11 below.
Figure 11: The privilege escalation tool categories in BackTrack 5.
As Figure 11 shows, BackTrack 5 provides four categories of privilege escalation tools, each working differently (to understand them all, cutynhangheo suggests you try them and get a feel for them).
4. John the Ripper:
Once the victim has been compromised (if you do not yet know how to get in, cutynhangheo suggests rereading cutynhangheo's SET and MSF guides for details; it will not be explained again here, that is too tiring), crackers usually use John the Ripper to crack the Windows password hashes and use them to escalate privileges and obtain administrative rights. After exploiting the vulnerability, the password hashes are dumped to a text file and fed to John the Ripper. John the Ripper is a very powerful tool for cracking password hashes. Figures 12 and 13 below show password hashes being cracked as part of privilege escalation on a Windows system. The attack in the demo can be carried out with either the Metasploit Framework or the Social-Engineer Toolkit.
Figure 12: Dumping password hashes with hashdump; the output is written to a text file and fed to John the Ripper for cracking.
As the figure below shows, John the Ripper lists the victim system's accounts and passwords in its own way.
Figure 13: The list, arranged as Username:Password
With the passwords obtained above, escalating privileges on the victim's system is now really quite simple. Among the protocol analysis tools we have WireShark, which ranks first among tools for analyzing traffic flows on a network. cutynhangheo will try to finish a guide on WireShark as soon as possible. This is evidence of how far BackTrack 5 has developed. A smart and cunning attacker can take full advantage of these tools and combine them to diversify and maximize the gain. In this part cutynhangheo stresses again that the most important thing in a simulated attack is using the privilege escalation tools. In the next part cutynhangheo will give you some more privilege escalation techniques (to know more you simply have to work hard, read diligently and consult professor Google).
Part III: More exploit tools and frameworks
When BackTrack 5 was released in May 2011, many pentest frameworks were eagerly awaited. That is what made cutynhangheo decide to write this third part of the BackTrack 5 guide, to explore with you the tools for exploiting browser flaws, such as stealing sensitive information, website privilege escalation and password recovery. In this part of the BackTrack 5 guide cutynhangheo also gives you an overview of automated exploitation of SQL injection using the DarkMySQLi tool.
1. Stealing information from the browser:
In the previous part cutynhangheo introduced exploiting a victim using payloads. In this part cutynhangheo uses Metasploit Framework modules to attack a Windows system and steal the browser information stored in Mozilla Firefox on a Windows XP system. A third-party tool called Firepassword extracts all the passwords stored in Mozilla Firefox on the victim's system. We use the common WinXP RPC DCOM vulnerability to exploit and get into the victim's system, start a Metasploit shell and carry out the information-gathering steps. If the victim uses the Master Password feature in Mozilla Firefox, that is the most important piece of information to obtain first, because with the Master Password we can read all the other passwords in Mozilla Firefox with extreme ease. In practice the Master Password is rarely used, which is what makes it easy for us to obtain the information stored in the browser.
2. Information theft in practice:
The goals of a pentester and a black-hat hacker are the same in terms of method, namely getting into the network and stealing data. However, while the black hat sells the information to whoever wants it or uses it for other purposes, the pentester reports the stolen data to the agency or organization that commissioned the pentest, with integrity, confidentiality and responsibility. The information most commonly stolen includes personal information that can be used in social engineering attacks, credit card or financial details, and possibly receipts and invoices or sensitive company information in mailboxes. In general, anything sensitive is something a black hat wants to steal. Checking what data could be stolen is therefore a very important step in the pentest; it is what makes the report to the agency or organization complete and honest. Figure 14 below shows the damage the victim would suffer.
Figure 14: A successful compromise of a Windows XP system.
Here, as described above, we upload firepassword.exe to the victim's system to steal the passwords stored in Firefox. Use the upload command in the meterpreter shell to upload the file. The Firepassword file is uploaded (Figure 15), and the data is shown in Figure 16.
Figure 15: Firepassword.exe uploaded successfully to the victim's system.
Now we only need to run Firepassword.exe to see the passwords on the system. But (heh, remember that nothing in this game is ever simple, least of all in the art of hacking; if it were simple and easy someone else would have done it before our turn came) there is one thing to watch out for here. It will help your thinking (if you regard hacking as a passion): we must check the victim's user level once we are inside the victim's system. The following example makes it easier to understand: we break into the Windows XP system as System, but to run Firepassword.exe we need Administrator rights. To change the user level we can therefore use the following method.
2.1. Use the ps command in meterpreter to list all processes running on the victim's system with their PIDs, and find explorer.exe or any other process running as Administrator.
2.2. Now copy that PID and use the steal_token command to change the user's privilege level to Administrator.
2.3. To check which user you are currently running as, use the getuid command in the meterpreter shell.
Once you are Administrator, run Firepassword.exe from a Windows shell opened in meterpreter and check the stored passwords, as in Figure 16 below.
Figure 16: Stored accounts and passwords displayed by Firepassword.exe
For the walkthrough above, note that the process only succeeds if you know the Master password set in Mozilla Firefox. Nine times out of ten, cutynhangheo has found that users pay little attention to the Master password feature and do not set it, so the information can be stolen. So there is always an element of luck in this game. There are also other third-party tools for stealing passwords from other browsers.
3. Hashcat in BackTrack 5:
Hashcat is a free, advanced, multi-platform password recovery tool that runs on several operating systems. Supported platforms include CUDA, OpenCL and CPU, among others.
Figure 17: Hashcat commands in BackTrack 5
In this part, as you can see in Figure 17, the Hashcat syntax is shown with a clear explanation of each option. The options fall into the following groups:
3.1. Starting the program.
3.2. Logging and files.
3.3. Managing system resources.
3.4. Attack modes, including brute force, table lookups and permutations.
4. Privilege escalation in practice:
An attack usually goes like this: when you get into the victim's system you typically have very low, or at best ordinary, user rights. The next step is to check for local vulnerabilities so that we can escalate to the highest privileges on the victim's system. This is extremely important; to obtain the privileges we want we have to assess the security level of the victim's system. The tools under Backtrack > Privilege escalation > Online attacks / Offline attacks were developed for this. Most processes on a Windows system can be run as Administrator, but a few run as system. BackTrack 5 has tools such as meterpreter that make privilege escalation convenient.
5. Exploiting SQL injection in BackTrack 5:
SQL injection is ranked number 1 in the OWASP Top 10 web application security vulnerabilities. It can be exploited manually or with automated exploitation tools. Manual exploitation is extremely tedious and time-consuming (true for the comrades in the UG scene too), whereas automated exploitation is faster, more user-friendly and more effective (spot on). Havij is one such automated SQL injection tool.
In this guide we only cover the DarkMySQLi tool for automated SQL injection against the victim website. The command syntax is as follows:
python DarkMySQLi.py -u http://target
The tool scans the whole victim website when you run the above command in the console. The full path of the tool in BackTrack 5 is /pentest/web/DarkMySQLi.
6. The surprising truth behind so-called automated exploitation tools:
Many vendors today sell automated pentest products with the pitch "Cheaper, Faster and More Accurate". With limited budgets and time, these vendors naturally become the first choice. But we need a broader view of automated pentest tools: they give people a false picture of security and they narrow the gap, so that you no longer need knowledge of IT or security policy. Everyone should objectively weigh the strengths and weaknesses of the two approaches cutynhangheo has described, and base the choice on the organization's actual needs. In this part we took a quick look at web exploitation frameworks, at stealing browser information with third-party tools, and at uploading them to the victim's system. In the next part cutynhangheo will introduce other aspects of information security, forensics and reverse engineering.
Part IV: How to stay hidden
In the previous parts we took a quick look at methods for gathering information about and assessing the vulnerabilities of the target system, network analysis, scanning and gaining access to the target, and some privilege escalation tools. In this part we look at how to stay hidden.
1. Why stay hidden?
The purpose of a pentest is to replicate the actions of attackers who use malicious code. No attacker wants to be detected while breaking into a network, so attackers always use stealth techniques. When a pentester carries out an intrusion he must use the same stealth techniques, in order to assess the system as honestly as possible.
Figure 18: The Maintaining Access tools in BackTrack 5; we focus on OS Backdoors.
This part shows how to use the Maintaining Access features, which include OS Backdoors, Tunneling and Web Backdoors, as in Figure 18.
2. The Cymothoa OS backdoor:
Cymothoa is the backdoor-hiding tool in BackTrack 5, meaning that the backdoor shellcode is injected into an existing process. It was developed by codewizard and crossbrowser of ElectronicSouls. The tool is used as follows:
cymothoa -p <pid> -s <shellcode number> [options]
Cymothoa comes with a set of ready-made payloads, numbered from 0 to 14. The tool has many options, including main options, injection options and payload options.
Figure 19: Running Cymothoa against pid 1484, listening on port 100
Figure 19 above shows Cymothoa in action, with the result listening on port 100 inside process 1484.
Figure 20: Before running Cymothoa.
Figure 21: After running Cymothoa.
Once the shellcode has been injected we can use netstat -l to show which ports, port 100 included, are listening; Figure 21 is the result after injecting shellcode number 0 into process 1484. So we see that Cymothoa can be run on any system and infect any service port of the system, giving us access to the system at any time. The victim will not be aware of the backdoor unless they detect or suspect something abnormal on their system. To get the process id in BackTrack 5 we use the ps aux command in the Cymothoa shell.
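The same netstat view from the defender's side, as an added Python example that is not part of the original guide: it parses constructed `netstat -tlnp` output, diffs the listening sockets against a baseline, and flags a known program bound to a port outside its allow-list, which is exactly how shellcode injected into an existing process shows up. The sample output, PIDs, program names and allow-list are all constructed.

```python
import re

# Constructed sample of `netstat -tlnp` output on a Linux host, captured before
# and after a suspected injection. The only change is a new TCP/100 listener
# owned by an existing, legitimate-looking process (PID 1484), which is how an
# in-process backdoor appears: no new process, just an extra socket.
BASELINE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1484/apache2
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1102/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
"""

CURRENT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1484/apache2
tcp        0      0 0.0.0.0:100             0.0.0.0:*               LISTEN      1484/apache2
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1102/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
"""

# Assumed allow-list for this host (constructed): ports each program may own.
EXPECTED_PORTS = {"sshd": {22}, "apache2": {80, 443}, "mysqld": {3306}}

# One LISTEN row of `netstat -tlnp`: proto, queues, local, foreign, state, pid/prog
LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+"
    r"(?P<pid>\d+|-)/(?P<prog>\S*)"
)


def parse_listeners(netstat_text):
    """Return a set of (proto, port, pid, program) for every LISTEN line."""
    listeners = set()
    for line in netstat_text.splitlines():
        m =LISTEN_RE.match(line)
        if not m:
            continue  # header lines and anything not in LISTEN state
        # rsplit keeps IPv6 forms such as ":::22" working
        port = int(m.group("local").rsplit(":", 1)[1])
        pid = None if m.group("pid") == "-" else int(m.group("pid"))
        listeners.add((m.group("proto"), port, pid, m.group("prog")))
    return listeners


def new_listeners(baseline_text, current_text):
    """Listeners present now that were absent from the baseline, sorted by port."""
    added = parse_listeners(current_text) - parse_listeners(baseline_text)
    return sorted(added, key=lambda t: (t[1], t[0]))


def unexpected_ports(netstat_text, expected=EXPECTED_PORTS):
    """(program, pid, port) for every socket outside the program's allow-list.

    A known binary suddenly listening on an extra port is the signature of
    code injected into a running process; an unknown program is reported too.
    """
    alerts = []
    for proto, port, pid, prog in sorted(parse_listeners(netstat_text),
                                         key=lambda t: t[1]):
        allowed = expected.get(prog)
        if allowed is None or port not in allowed:
            alerts.append((prog, pid, port))
    return alerts


if __name__ == "__main__":
    for proto, port, pid, prog in new_listeners(BASELINE, CURRENT):
        print(f"NEW listener {proto}/{port} owned by {prog} (pid {pid})")
    for prog, pid, port in unexpected_ports(CURRENT):
        print(f"ALERT {prog} (pid {pid}) listening on unexpected port {port}")
```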
3. Is Meterpreter a backdoor?
In the previous part we introduced meterpreter as an indispensable part of the Metasploit Framework, used to gather information and create a shell session on the victim's system. In this part we use meterpreter as a backdoor in BackTrack 5. The command used:
This is how attackers return to the victim's system again and again without the victim having to click on or run any malicious code. You need a real understanding of Metasploit and Meterpreter; see the Metasploit guide (coming soon) and cutynhangheo's earlier parts of the BackTrack 5 guide.
Figure 22: Creating a backdoor exe with msfpayload.
In Figure 22 you can see the file exploit.exe, which is the malicious msf meterpreter payload generated with the msfpayload command. Continuing this part, we create a backdoor that always listens on port 4444 using the payload method; the victim's system will always connect back to the attacker's address 192.168.13.132 on port 4444.
Figure 23: The handler created in Metasploit to listen for the backdoor.
Using Metasploit, create a handler and set the LHOST and LPORT options in the msfpayload console. Once that is done, just run exploit. This exploit can run against any target. Whenever the victim clicks the file (which you can deliver by social engineering or any other disguise), it listens on LHOST and connects back to the attacker through LPORT. The moment the victim runs the file on their system, the meterpreter shell immediately establishes a connection. By now you can imagine what the attacker is able to do.
Figure 24: The victim's system accessed from BT5 through the backdoor.
4. Exploiting vulnerabilities to plant a backdoor:
A backdoor is a covert channel into a system. Attackers can gain unrestricted access to the victim's system through backdoors, saving the time and effort of the initial attack. It is important for the pentester to break into the system and assess whether it can easily be taken over through a backdoor; to prevent such unauthorized access the pentester can apply the appropriate patches to the system. The most common vulnerabilities that enable backdoor attacks and takeovers are buffer overflows, cross-site scripting (XSS) and remote administration. The most common defenses include regularly revising the security policy according to plausible scenarios to reduce threats that could harm the organization, performing regular software security controls and following secure coding standards, making sure application-level security is tested, and fixing problems on a regular basis. In this part we learned how stealth techniques are used in attacks and intrusions. In the next and final part of the BackTrack 5 series, cutynhangheo will present an attack based on a simulated scenario carried out with BackTrack 5, using all the methods and techniques introduced in the previous parts.
Part V: A simulated attack in detail
In the previous four parts of the BackTrack 5 guide cutynhangheo explained each stage of a penetration test in detail. In this final part we condense everything covered so far and take an objective look at the various aspects of ethical hacking and penetration testing. For this part we need a lab set up as follows: one virtual machine running Windows 7, one running BackTrack 5 and a few running other versions of Windows. We go through each step of the attack and try to break into this network.
1. The Autoscan Network tool in BackTrack 5:
After connecting to the network, the first step is to scan the network layout and check which systems are live. For this we use the Autoscan Network tool in BackTrack 5. It is found under:
Application > Backtrack > Information gathering > Network analysis > Network scanners > Autoscan.
Figure 25: Autoscan Network 1.5.
As Figure 25 shows, Autoscan Network 1.5 scans the network layout and lists all IP addresses in use, with details of hostnames, users and the operating systems active on the network. As in the earlier parts, you can use Nmap for this as well. Before attacking, we analyze the target for vulnerabilities. Suppose our target has IP address 192.168.13.129 and runs Windows 2000 Server; we could use Nessus or OpenVAS to check this operating system for vulnerabilities. In this part, however, cutynhangheo wants you to check for vulnerabilities manually.
2. Online vulnerability resources:
Websites that provide information about the most common vulnerabilities, such as the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/search, give details of the various vulnerabilities affecting a specific system.
Figure 26: National Vulnerability Database Search.
3. Pentesting the target:
In this part cutynhangheo uses the RPC DCOM vulnerability in Windows 2000 Server, which allows remote code execution through a buffer overflow on the system. From the Metasploit guide we already know how to exploit vulnerabilities on a target. The exploit opens a meterpreter shell on the Windows 2000 Server at 192.168.13.129, as shown in Figure 27 below. BackTrack 5 also provides tools such as SET that can be used to get into the system.
Figure 27: Inside the Windows 2000 Server system.
Once inside the system, we can gather detailed information about it. Some important commands for this are:
3.1. Hashdump: dumps the target system's password hashes (NT/LM); these are used to crack passwords and then escalate privileges on the target.
3.2. Sysinfo: gathers detailed information about the target system such as the operating system, vendor, admin name and much more.
3.3. Execute: an extremely powerful command that runs a program or file on the target system.
3.4. Portfwd: a very powerful command that exposes a service on a chosen port on the target system. It can be used to create a backdoor for later.
4. Covering tracks:
This section condenses the matter of erasing the traces of the attack on the target system. Simply put, the clearev command clears the system's event logs so that no trace of the unauthorized access remains.
Figure 28: Clearev
The log management section on the target system.
Figure 29: Event logs in Windows 2000 Server.
The clearev command clears the logs and leaves no trace of the intrusion on the system. However, a sharp and experienced admin will immediately suspect something is wrong when all the logs have been wiped clean. That is why we should install a backdoor or rootkit so we can return to the victim at any time.
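The defender's side of clearev, as an added Python example that is not part of the original guide: Windows itself records the clearing of the Security log (event 517 on Windows 2000/XP/2003, 1102 on Vista and later, with 104 in the System log for the other logs), and records already forwarded to a central collector survive the wipe. The code runs both checks over constructed event records; the host name, timestamps and messages are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    time: datetime
    host: str
    log: str        # "Security", "System" or "Application"
    event_id: int
    source: str
    message: str


# Event IDs that Windows itself writes when a log is cleared, so the wipe is not
# silent: Windows 2000/XP/2003 record 517 in the Security log; Vista and later
# record 1102 in the Security log and 104 in the System log for the other logs.
CLEAR_EVENTS = {
    ("Security", 517): "Security log cleared (Windows 2000/XP/2003)",
    ("Security", 1102): "Security log cleared (Windows Vista and later)",
    ("System", 104): "System or Application log cleared (Windows Vista and later)",
}


def ev(ts, host, log, event_id, source, message):
    """Build an Event from a 'YYYY-MM-DD HH:MM:SS' timestamp string."""
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, log,
                 event_id, source, message)


# Constructed sample (host name, times and messages are made up): the copy of a
# Windows 2000 server's logs held by a central collector that received them
# before the wipe, versus what remains on the host afterwards.
COLLECTOR = [
    ev("2012-03-01 09:00:12", "win2k-srv", "Security", 528, "Security", "Successful logon: admin"),
    ev("2012-03-01 09:02:00", "win2k-srv", "System", 6005, "EventLog", "The Event log service was started"),
    ev("2012-03-01 09:41:03", "win2k-srv", "Security", 592, "Security", "New process: svchost.exe"),
    ev("2012-03-01 10:05:47", "win2k-srv", "Security", 592, "Security", "New process: exploit.exe"),
    ev("2012-03-01 10:07:30", "win2k-srv", "Security", 517, "Security", "The audit log was cleared"),
]

ON_HOST = [
    ev("2012-03-01 10:07:30", "win2k-srv", "Security", 517, "Security", "The audit log was cleared"),
    ev("2012-03-01 10:09:02", "win2k-srv", "System", 7036, "Service Control Manager",
       "The Print Spooler service entered the running state"),
]


def find_log_clears(events):
    """Return (host, log, time, description) for every explicit log-cleared event."""
    hits = []
    for e in sorted(events, key=lambda e: e.time):
        desc = CLEAR_EVENTS.get((e.log, e.event_id))
        if desc:
            hits.append((e.host, e.log, e.time, desc))
    return hits


def _oldest_per_log(events):
    """Map (host, log) to the oldest timestamp present in the given records."""
    oldest = {}
    for e in events:
        key = (e.host, e.log)
        oldest[key] = min(oldest.get(key, e.time), e.time)
    return oldest


def find_lost_history(on_host, collector, min_gap=timedelta(minutes=30)):
    """Logs whose oldest surviving record on the host is newer, by more than
    min_gap, than the oldest record the collector holds for the same log.
    Returns (host, log, gap) tuples; a log missing on the host entirely is
    reported with gap None."""
    local = _oldest_per_log(on_host)
    lost = []
    for key, remote_first in _oldest_per_log(collector).items():
        local_first = local.get(key)
        if local_first is None:
            lost.append((key[0], key[1], None))
        elif local_first - remote_first > min_gap:
            lost.append((key[0], key[1], local_first - remote_first))
    return sorted(lost, key=lambda t: t[1])


if __name__ == "__main__":
    for host, log, when, desc in find_log_clears(ON_HOST):
        print(f"{when} {host} {log}: {desc}")
    for host, log, gap in find_lost_history(ON_HOST, COLLECTOR):
        print(f"{host} {log}: local history starts {gap} after the collector's copy")
```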
5. Overview of the Windows security model:
The Windows security model is fairly simple. Every user has a unique SID. A SID looks like this:
S-1-5-21-9867453210-2389765341-23768956-1023
Reading the components left to right (the original figure marked them in colors):
1 - Revision level
5 - Identifier authority value
21-9867453210-2389765341-23768956 - Domain or local ID
1023 - Relative ID
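An added Python example, not part of the original guide, that splits a SID into the components listed above, enforces the format's limits (revision 1, a 48-bit identifier authority, 1 to 15 sub-authorities, each an unsigned 32-bit value) and uses the relative ID to spot a built-in Administrator account that has been renamed; every sample SID below is constructed.

```python
import re

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# RIDs Microsoft reserves inside an S-1-5-21-<domain> identifier. A renamed
# "Administrator" still carries RID 500, which is why defenders key on the RID.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def parse_sid(sid):
    """Split a textual SID into its parts, enforcing the format's size limits.

    Revision is 1, the identifier authority is a 48-bit value, there are 1 to 15
    sub-authorities and each sub-authority is an unsigned 32-bit integer.
    """
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if authority >= 1 << 48:
        raise ValueError("identifier authority exceeds 48 bits")
    if not 1 <= len(subs) <= 15:
        raise ValueError("SID must have between 1 and 15 sub-authorities")
    too_big = [s for s in subs if s >= 1 << 32]
    if too_big:
        raise ValueError(f"sub-authority exceeds 32 bits: {too_big[0]}")
    parsed = {
        "revision": revision,
        "identifier_authority": authority,
        "sub_authorities": subs,
        "rid": subs[-1],
        "domain_id": None,   # S-1-5-21-X-Y-Z for domain or local machine accounts
        "well_known": None,
    }
    # NT authority (5), the 21 "non-unique" marker, three domain values and a RID
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        parsed["domain_id"] = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        parsed["well_known"] = WELL_KNOWN_RIDS.get(subs[-1])
    return parsed


def is_valid_sid(sid):
    """True when the string parses as a well-formed SID."""
    try:
        parse_sid(sid)
        return True
    except ValueError:
        return False


def same_domain(sid_a, sid_b):
    """True when two account SIDs belong to the same domain or local machine."""
    a, b = parse_sid(sid_a)["domain_id"], parse_sid(sid_b)["domain_id"]
    return a is not None and a == b


def find_hidden_admins(accounts):
    """Names in an account->SID listing that hold RID 500 under another name.

    Useful when reviewing a hashdump or account listing: the built-in
    administrator can be renamed, but it keeps RID 500.
    """
    hidden = []
    for name, sid in accounts.items():
        p = parse_sid(sid)
        if p["domain_id"] is not None and p["rid"] == 500 and name.lower() != "administrator":
            hidden.append(name)
    return sorted(hidden)


if __name__ == "__main__":
    # Constructed sample SIDs, not taken from any real system
    sample = {
        "Administrator": "S-1-5-21-1004336348-1177238915-682003330-500",
        "helpdesk":      "S-1-5-21-1004336348-1177238915-682003330-1023",
        "svc_backup":    "S-1-5-21-2147483647-5-6-500",
        "LocalSystem":   "S-1-5-18",
    }
    for name, sid in sample.items():
        print(name, parse_sid(sid))
    print("RID-500 accounts not named Administrator:", find_hidden_admins(sample))
```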