
Basic Hacking Techniques - Part I - 6/1/2004 8h:48

**** Foot Printing ****

Hello everyone. To meet the demand for learning about hacking and security, fantomas311 has put together a series of "Basic hacking" articles and related pieces on hacking systems to introduce to you. A word of warning to anyone who wants to learn hacking "fast food" style: you should not read this article! I am not posting lessons that teach you to hack; I only post along the lines of "how hacking is done". Read, think, and do the work with your own hands and your own head!!

Before hackers actually get down to work, they carry out three basic steps: footprinting, scanning and enumeration. This article covers footprinting and the issues around it.

**What is footprinting??**

Footprinting is using tools and techniques to gather the first basic information about an organisation or a web site one wants to attack (in this article, tentatively called the victim). Systematically footprinting an organisation lets the hacker see its security posture clearly.

**Why footprint??**

Footprinting lets you identify every piece of information and grasp the basic (sometimes quite important) facts about the victim.

** Footprinting techniques **

There are many different footprinting techniques; this article describes the steps that help you complete a thorough footprint analysis.

*Step 1: Determine the scope of activity

Put simply, in this step you have to determine exactly what it is you want to hack (a company, a server, or just a personal web site...). For beginners: read carefully and note down the information the web site gives you (information about itself, such as phone numbers, the webmaster's e-mail, the address...). Quite often this information turns out to be the "golden key" for you :) Items worth paying attention to include:

+ Locations
+ Related companies or entities
+ Connections or news items obtained
+ Security statements that spell out the security mechanisms in place (firewall configuration, for instance)

+ Phone numbers, contact names and e-mail addresses.....

Besides this, you can also review the HTML source to look for programming slips; alongside that, the comments inside HTML tags such as <! and ~ are also a "resource" worth exploiting!! (try it :D) After studying the web site, look for further information that provides additional clues about the state of the organisation and its security situation (in the press, in news bulletins on the NET, for instance). Search engines are the key for you. Here are a few search engines:

http://google.com :)
http://sec.gov
http://cyberarmy.com
Http://deja.com
http://networksolution.com
http://dogpile.com
http://astalavista.com
http://ipswich.com
http://arin.net/whois/
http://ferretsoft.com

Okay, let's carry out the first step of the hacking technique!! B)

*Step 2: Network enumeration

In this step, the first thing is to identify the domains and networks related to the victim. To do this, query the databases of Network Solutions (www.networksolution.com) and the American Registry for Internet Numbers (www.arin.net). Some query types:

+ Organizational: all information related to a specific organisation
+ Domain: a domain
+ Network: a network or IP
+ Point of contact: a specific individual (admin)

*Step 3: DNS interrogation

Once you have identified the target organisation's (victim's) domains, you can begin querying DNS. If DNS is configured sloppily, we can dig out revealing information about the organisation. One of the most serious misconfigurations an administrator can make is allowing untrusted internet users to perform a DNS zone transfer. This slip can reveal host names, hidden IPs.... in general, exactly the information they wanted to hide! Handing internal IP addresses to an untrusted user on the internet is like handing a thief the floor plan of your own house!! At this point you probably have a question: "Zone transfer - how??". Let me say that this is a separate issue; I will probably cover it in another article of mine so as not to dilute this one :). Step 3 ends here!

*Step 4: Network reconnaissance

Now that you have the map in hand, this is the stage of "real intrusion" to determine the potential access paths into the network (think of it as scouting out the routes before going in to steal!). To do this job, let me introduce the traceroute program (ftp://ftp.ec.lbl/traceroute.tar.z), which ships with most versions of Unix & WinNT. On WinNT it is called tracert. Traceroute is a diagnostic tool written by Van Jacobson that lets you see the route an IP packet follows from one server to another. If you are not fluent with Unix commands, you can use Visual Route (http://www.visualroute.com) to do this reconnaissance (tracerouting). Visual Route's interface looks very attractive & is easy to use, but it does not work well on large networks. Beyond that, you can also perform a more sophisticated technique called "firewall protocol scanning" (to be covered in Basic hacking II - Scanning by fantomas311).

So the first stage of hacking into a system is done. Now, having completed the steps above, you (I mean only those who did the steps correctly) may ask yourself: "so what does this achieve??" "What next??" "what use is the information gathered?" "Is this step really necessary??" :) Too many questions! But I will ask you to answer them yourselves! I will answer only one! The next step of the hacking process - in theory - is Scanning. Scanning will be covered in fantomas311's next article: "Basic Hacking part II Scanning" :) I hope this article satisfies you.

Traceroute in brief

In the article above I mentioned traceroute. So what is traceroute?? Please read the following:

What is traceroute? Traceroute is a program that lets you determine the path packets take from your machine to a destination system on the Internet.

A traceroute example! What can traceroute do? Look at the following example and it will be clear!

    C:\windows>tracert 203.94.12.54
    Tracing route to 203.94.12.54 over a maximum of 30 hops
     1 abc.netzero.com (232.61.41.251) 2 ms 1 ms 1 ms
     2 xyz.Netzero.com (232.61.41.0) 5 ms 5 ms 5 ms
     3 232.61.41.10 (232.61.41.251) 9 ms 11 ms 13 ms
     4 we21.spectranet.com (196.01.83.12) 535 ms 549 ms 513 ms
     5 isp.net.ny (196.23.0.0) 562 ms 596 ms 600 ms
     6 196.23.0.25 (196.23.0.25) 1195 ms 1204 ms
     7 backbone.isp.ny (198.87.12.11) 1208 ms 1216 ms 1233 ms
     8 asianet.com (202.12.32.10) 1210 ms 1239 ms 1211 ms
     9 south.asinet.com (202.10.10.10) 1069 ms 1087 ms 1122 ms
    10 backbone.vsnl.net.in (203.98.46.01) 1064 ms 1109 ms 1061 ms
    11 newdelhi-01.backbone.vsnl.net.in (203.102.46.01) 1185 ms 1146 ms 1203 ms
    12 newdelhi-00.backbone.vsnl.net.in (203.102.46.02) ms 1159 ms 1073 ms
    13 mtnl.net.in (203.194.56.00) 1052 ms 642 ms 658 ms

I need to know the path from my machine to a host on the Internet with the IP address 203.94.12.54. I need to tracert to it! As you can see above, packets from my machine have to pass through 13 hops on the network to reach 203.94.12.54. This is the packets' path: Netzero (the ISP sending the data out) -> Spectranet (a backbone provider) -> New York ISP -> New York Backbone -> Asia -> South Asia -> India Backbone -> New Delhi Backbone -> another router in the New Delhi Backbone -> New Delhi ISP. So the host with IP address 203.94.12.54 is located in New Delhi, India, South Asia! You can also telnet to 203.94.12.54 on port 13 (daytime) to determine the GMT time, from which you can tell the location of this host (this requires that host 203.94.12.54 runs the daytime daemon and has its time configured correctly)!

How does traceroute work? First, you need to know about ICMP, TTL and how routers work!

Basics

ICMP - Internet Control Message Protocol. ICMP is used to report errors that occur while data packets travel across the network. ICMP belongs to the transport layer!

Application layer: HTTP, FTP, Telnet, Finger, SSH, DNS, POP3/IMAP, SMTP, Gopher, BGP, Time/NTP, Whois, TACACS+, SSL, DNS, SNMP, RIP, RADIUS, Archie, Traceroute, tftp, Ping
Transport layer: TCP, UDP, ICMP, OSPF
Internet layer: IP, ARP
Physical layer: Ethernet/802.3, Token Ring (802.5), SNAP/802.2, X.25, FDDI, ISDN, Frame Relay, SMDS, ATM, Wireless (WAP, CDPD, 802.11), Fibre Channel, DDS/DS0/T-carrier/E-carrier, SONET/SDH, DWDM, PPP, HDLC, SLIP/CSLIP, xDSL, Cable Modem (DOCSIS)

All ICMP messages are carried inside IP datagrams. Each ICMP message sent inside an IP datagram looks like this:

    +----------------------+-------------------------+
    | IP Header (20 bytes) | ICMP message (32 bytes) |
    +----------------------+-------------------------+

Here is the structure of an ICMP message (see RFC 792 for more!):

     0               7 8              15 16                            31
    +-----------------+-----------------+-------------------------------+
    | Type (0 or 8)   | Code (0)        | 16-bit Checksum               |
    +-----------------+-----------------+-------------------------------+
    | Identifier                        | Sequence number               |
    +-----------------------------------+-------------------------------+
    |                                                                   |
    | Optional Data (contents depend on Type and Code)                  |
    |                                                                   |
    +-------------------------------------------------------------------+

The type field has 15 different values, depending on the specific kind of ICMP error message. For example type=3 denotes the "Destination unreachable" error message! The code field is the sub-error, used to pin down exactly which error occurred. For example, type=3 and code=0 means "Network Unreachable"; type=3, code=1 means "Host Unreachable"...

TTL - Time to Live. TTL is an 8-bit field in the IP header (go back and look at the IP header structure!). TTL is the time a datagram is allowed to exist on the network before it is discarded. The sender sets a TTL value in advance, usually from 32 to 64. This value is decremented by one each time the datagram passes through a router on the network. When it reaches 0, the datagram is discarded and ICMP reports the error back to the sender. This prevents the datagram from circling through routers in an endless loop.

Every router that receives an IP datagram decrements its TTL by one. Most routers do not hold a datagram for more than 1 second before forwarding it, so the TTL value can be regarded as a hop counter = the number of routers the datagram has passed through. When a router receives a datagram whose TTL field is 0 or 1, it does not forward it. Instead it discards the datagram and sends a "Time Exceeded" ICMP message back to the sender! Because the ICMP message the router sends back carries the router's own IP address as its source address, the sender learns the IP address of that router!

How traceroute works! Traceroute sends an IP datagram with TTL=1 to the destination system. The first router to receive it decrements the TTL by one -> TTL=0, discards the datagram (does not forward it!) and sends an ICMP error message with its own IP address as the source to your machine. That is how traceroute determines the IP address of the first router! Next, traceroute sends a new datagram with TTL=2 (1+1=2) to the destination. The first router decrements the TTL by one -> TTL=1 (2-1=1) and forwards the datagram to the second router. The second router receives it with TTL=1 and decrements it to TTL=0. Seeing TTL=0, router 2 does not forward it; instead it sends your machine an ICMP error message with its own IP address (router 2's) as the source. So the traceroute program on your machine learns the second router the datagram passed through. Traceroute then sends another datagram with TTL=3 (2+1=3) and repeats the process until the datagram reaches the destination system!

Now, if the IP datagram reaches the destination, TTL=1. The destination host discards it and does not send a "Time Exceeded" ICMP error message either. So how would you ever know you have reached the destination?! Traceroute uses a different mechanism for this: it sends UDP datagrams to the destination host on high-numbered UDP ports (>30000). It picks high ports because usually no application is listening on them. When the destination host receives such a UDP datagram, it sends back an ICMP "Port Unreachable" error message to traceroute.
Now traceroute can tell the difference between the "Time Exceeded" and "Port Unreachable" ICMP error messages, and so knows whether it has reached the destination?! Note: the "Time Exceeded" ICMP error message has type=1 and code=0; the "Port Unreachable" ICMP error message has type=3 and code=3.

Summary: traceroute sends UDP datagrams to the destination host with TTL=1, incremented after each round, to identify the routers the datagrams pass through. Each router sends back an ICMP "Time Exceeded" message; only the destination system sends traceroute an ICMP "Port Unreachable" message. Traceroute relies on this difference to decide whether it has reached the destination yet?!

A final example!

    host2 # traceroute xyz.com
    traceroute to xyz.com (202.xx.12.34), 30 hops max, 40 byte packets
     1 isp.net (202.xy.34.12) 20ms 10ms 10ms
     2 xyz.com (202.xx.12.34) 130ms 130ms 130ms

The first line gives the hostname and IP address of the destination system. It also tells us that TTL<=30 and that the datagram size is 40 bytes (20-byte IP header + 8-byte UDP header + 12 bytes of user data). The second line shows that the first router to receive the datagram is 202.xy.34.12; the TTL when sent to this router was 1. This router sends the traceroute program an ICMP "Time Exceeded" error message. Traceroute sends the next datagram to the destination system. On the third line, xyz.com (202.xx.12.34) receives a datagram with TTL=1 (the first router already decremented it - TTL=2-1=1). However, xyz.com is not a router, so it sends traceroute an ICMP "Port Unreachable" error message. On receiving this ICMP message, traceroute knows it has reached the destination system xyz.com and finishes its job here. If a router does not reply within 5 seconds, traceroute prints an asterisk "*" (unknown) and goes on sending the next datagram to the destination host!
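As an added example (not part of the original article), the following Python model walks a UDP probe along a constructed path of routers exactly as described above: each router decrements TTL, the router that drives it to 0 answers Time Exceeded from its own address, and the destination answers Port Unreachable for the high UDP port. The ICMP messages are built and parsed as real 8-byte headers with the RFC 792 checksum; RFC 792 assigns Time Exceeded type 11 (the note above writes type=1), and that value is used here. The hosts, addresses and path are constructed assumptions.

```python
import struct

# ICMP type/code values from RFC 792. Assumption noted in the lead-in: the
# note above gives Time Exceeded as type 1; RFC 792 assigns it type 11.
ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
CODE_TTL_EXCEEDED = 0


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as RFC 792 specifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """8-byte ICMP header (type, code, checksum, 4 bytes rest-of-header) + payload."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload


def parse_icmp(msg: bytes):
    """Return (type, code); a message whose checksum does not verify is rejected."""
    if len(msg) < 8:
        raise ValueError("short ICMP message")
    if icmp_checksum(msg) != 0:          # the sum over a valid message folds to zero
        raise ValueError("bad ICMP checksum")
    return struct.unpack("!BB", msg[:2])


class Node:
    """A hop on a constructed path: a router forwards, the destination answers UDP."""

    def __init__(self, addr, is_destination=False, listening_ports=()):
        self.addr = addr
        self.is_destination = is_destination
        self.listening_ports = set(listening_ports)


def send_probe(path, ttl, dst_port):
    """Walk one UDP probe along `path`. Returns (replying address, ICMP bytes),
    or (None, None) when nothing answers (a real listener consumed the datagram)."""
    for node in path:
        if node.is_destination:
            if dst_port in node.listening_ports:
                return None, None
            # no listener on the high UDP port: ICMP Port Unreachable (3/3)
            return node.addr, build_icmp(ICMP_DEST_UNREACH, CODE_PORT_UNREACH)
        ttl -= 1                         # every router decrements TTL by one
        if ttl == 0:
            # router drops the datagram and reports from its own source address
            return node.addr, build_icmp(ICMP_TIME_EXCEEDED, CODE_TTL_EXCEEDED)
    return None, None


def traceroute(path, max_hops=30, base_port=33434):
    """Raise TTL from 1 until the destination's Port Unreachable arrives.
    Returns a list of (hop, address or '*', reply label)."""
    hops = []
    for ttl in range(1, max_hops + 1):
        addr, reply = send_probe(path, ttl, base_port + ttl - 1)
        if reply is None:
            hops.append((ttl, "*", "no reply"))
            continue
        kind = tuple(parse_icmp(reply))
        if kind == (ICMP_TIME_EXCEEDED, CODE_TTL_EXCEEDED):
            hops.append((ttl, addr, "Time Exceeded"))
        elif kind == (ICMP_DEST_UNREACH, CODE_PORT_UNREACH):
            hops.append((ttl, addr, "Port Unreachable"))
            break                        # destination reached
        else:
            hops.append((ttl, addr, "ICMP %d/%d" % kind))
    return hops


# Constructed sample path using documentation addresses (RFC 5737), not real hosts.
SAMPLE_PATH = [
    Node("192.0.2.1"),
    Node("192.0.2.254"),
    Node("198.51.100.10", is_destination=True, listening_ports={53}),
]

if __name__ == "__main__":
    for hop, addr, label in traceroute(SAMPLE_PATH):
        print("%2d  %-16s %s" % (hop, addr, label))
```

If the destination happens to listen on the probed UDP port, that hop prints "*" and the next probe, which uses the next port number, gets the Port Unreachable instead.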

Basic Hacking Techniques - Part II - 17/2/2004 3h:38


***** Scanning *****
=== Author: Fantomas311 ===

If footprinting is collecting every piece of information related to the target organisation, then scanning is the step of determining which items in that tangle are actually "usable", by means of ping sweeps, port scans and automated discovery tools. If the zone transfer technique gave us an IP address, scanning helps us determine which ports it has open and whether it is a real IP at all. Some servers show IPs from private networks (for example 10.10.10.0); an IP address like that cannot be routed (see http://www.ietf.org/rfc/rfc1918.txt for details).

++ Ping sweeping the network:

Apart from the traditional ping sweep, done by opening a DOS window and typing the ping command as we all know, there are some other kinds of ping sweep, such as:

+ Fping: for Unix (http://ftp.tamu.edu/pub/Unix/src). fping is a utility that sends mass ping requests out in parallel, so it can sweep many more IP addresses than ping.

+ Nmap (http://insecure.org/nmap): there is probably no need to say much about this utility; there are plenty of complete guides on the net to nmap's usage and functions. Nmap provides ping sweeping with the -sP option.
+ Pinger: for Windows, a free product from Rhino9 (http://207.98.195.250/software/) and one of the fastest utilities available.
+ Ping Sweep: a Solarwinds product; runs quite fast, but this tool can saturate a network with slow links (it does not work well in VN, so I will not go into detail).
+ WS Ping ProPack (http://www.ipswich.com) and the netscan tools (http://www.nwpsw.com) scan a small network; handy, with a simple interface, though rather slow compared with Pinger and Ping Sweep. Beginners should use this kind!

Basically ping is the process of sending and receiving ICMP (Internet Control Messaging Protocol) packets. So what if ICMP is blocked by the target site's network administrator? The typical case is when you ping a domain and get no reply at all; at that point ICMP is blocked at the border router or a firewall is in place. In this situation we have two options:

+ Skip the ping sweep and do a port scan instead: covered later in this article.
+ Do a TCP ping:
  - Use Nmap with the -PT option. This option sends TCP SYN packets to the target network and waits for responses; hosts that are "alive" respond with a TCP SYN/ACK. The method is quite effective for determining whether a host is alive even when the site blocks ICMP. You should repeat this kind of scan a few times on common ports such as SMTP (25), POP (110), IMAP (143), or ports that may be unique to particular sites.
  - HPing (http://www.kyuzz.org/antirez/) is another TCP ping utility with additional TCP features beyond Nmap. Hping lets the user control specific options and TCP packets, which may allow it to pass certain access-control devices.
By specifying the destination port with the -P option, you can defeat some access-control devices, similarly to the traceroute technique in Part I; Hping can also be used to perform ICMP sweeps and can fragment packets, which has the potential to slip past some access-control devices. Hping will be covered in more detail later.

In short, this step lets us determine precisely whether systems are alive, either via ICMP or via selective port scans. Doing so cuts down the target-selection process considerably, saves testing time, and narrows the focus of activities.

++ ICMP queries:

You can gather all sorts of valuable information about a system simply by sending it an ICMP packet; the tools can be downloaded from http://securityfocus.com.

++ Port scanning:

By now we have identified live systems using ICMP or TCP ping sweeps and gathered a bit of ICMP information. We are now ready to port scan each system. Port scanning is the process of connecting to TCP and UDP ports on the target host to determine which services are running or in the LISTENING state. We must identify the listening ports if we want to determine the operating system type and the applications in use. Active listening services may let an unauthorised user gain access to misconfigured systems. Assuming that the systems we identified in the step above are alive, the goals of port scanning are:

+ Identify the TCP and UDP services running on the target host
+ Identify the target host's operating system type
+ Identify specific applications or versions of a particular service

** Scan types: before introducing the main port-scanning tools, we must look at the port-scanning techniques available:

* TCP connect scan: this kind of scan connects to the target port and completes a full three-way handshake (SYN, SYN/ACK, ACK); the target host can detect it easily. The TCP three-way handshake consists of:
  = Sending a SYN packet to the server
  = Receiving a SYN/ACK packet from the server
  = Sending an ACK packet to the server
* TCP SYN scan: in this technique a full TCP connection is not completed. A SYN packet is sent to the target port; if a SYN/ACK comes back, we can infer the port is in the LISTENING state. If an RST/ACK is received, it usually indicates the port is not listening. An RST/ACK is sent by the system performing the scan so that a full connection is never established. The technique has the advantage of being stealthier than a full TCP connection.
* TCP FIN scan: this technique sends a FIN packet to the target port. Based on RFC 793 (http://www.ietf.org/rfc/rfc0793.txt), the target host sends back an RST for all closed ports. This technique usually only works on Unix-based TCP/IP stacks.
* TCP Xmas Tree scan: this technique sends a FIN, URG and PUSH packet to the target port; based on RFC 793, the target host sends back an RST for all closed ports.
* TCP Null scan: like TCP Xmas Tree.
* UDP scan: this technique sends a UDP packet to the target port. If the target port responds with an "ICMP port unreachable" message, the port is closed. Conversely, if no such message is received, we can infer the port is open! The accuracy of this technique depends heavily on factors related to network and system resource usage; UDP port scans may give varying results.
Some IP implementations send back RSTs for all scanned ports whether or not they are listening.

* Identifying the running TCP and UDP services: a good port-scanning utility is a critical component of the footprinting process. Although there are many port scanners available for both Unix and NT, I will mention just a few popular, fast ones:

- Strobe: strobe is one of the fastest and most reliable TCP scanners available, written by Julian Assange (ftp.win.or.jp/pup/network/misc/strobe-105.ta.gz). Some of Strobe's main features include the ability to optimise network and system resources and scan the target host efficiently. Beyond efficiency, strobe version 1.04 and later grabs the banners associated with each port it connects to. This can help identify both the operating system and the running service. Banner grabbing will be discussed further in Part III. Strobe does have some drawbacks, however: it offers no UDP scanning and the target host can detect it easily.
- udp_scan: if Strobe provides TCP scanning, udp_scan is one of the most reliable UDP scanners (http://wwdsilx.wwdsi.com). Drawback: easily detected.
- Netcat: this utility can do a great many things; like nmap, nc is an indispensable tool in hacking as well as security. For TCP and UDP scanning we use the -v and -vv, -z, -w2 and -u options.
- PortPro and PortScan: on WinNT, PortPro and PortScan are the two fastest port-scanning utilities. PortPro is by StOrM (http://securityfocus.com) and PortScan is a product of Rhad. PortScan offers a range of ports to scan, whereas PortPro simply increments its ports, but neither offers IP address ranges. PortPro is one of the fastest port scanners available, though its options are still limited!
- Beyond these, the most powerful port-scanning tool is still nmap (introduced in the previous section).

** Automated discovery tools:

+ Cheops (http://www.marko.net/cheops/) provides ping sweeping, traceroute, port scanning and operating-system detection.
+ Tkined is part of the Scotty suite, available at http://wwwhome.cs.wtwente.nl/~choenw/Scotty/; it is a network editor written in TCL that integrates various network-management tools and lets you discover IP networks.
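As an added example (not the article's own code), here is Python detection logic that applies the scan types described above from the defender's side: over a constructed, simplified connection log it labels each probe by the TCP flags it carried (SYN then RST = half-open, SYN then ACK = full connect, FIN, FIN+URG+PSH = Xmas Tree, no flags = Null, or UDP) and alerts on any source that touched many distinct ports on one host. The log format, addresses and threshold are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic). Each line records one packet from a
# probing host: time, source, destination:port, protocol and the TCP flags it
# carried (S=SYN, A=ACK, R=RST, F=FIN, U=URG, P=PSH, "-" = no flags / UDP).
SAMPLE_LOG = """\
03:38:01 10.0.0.5 -> 192.0.2.10:22 tcp S
03:38:01 10.0.0.5 -> 192.0.2.10:22 tcp R
03:38:01 10.0.0.5 -> 192.0.2.10:25 tcp S
03:38:01 10.0.0.5 -> 192.0.2.10:25 tcp R
03:38:02 10.0.0.5 -> 192.0.2.10:80 tcp S
03:38:02 10.0.0.5 -> 192.0.2.10:80 tcp R
03:38:02 10.0.0.5 -> 192.0.2.10:110 tcp S
03:38:02 10.0.0.5 -> 192.0.2.10:143 tcp S
03:38:03 10.0.0.5 -> 192.0.2.10:443 tcp S
03:38:05 10.0.0.7 -> 192.0.2.10:22 tcp FUP
03:38:05 10.0.0.7 -> 192.0.2.10:23 tcp F
03:38:05 10.0.0.7 -> 192.0.2.10:25 tcp -
03:38:09 10.0.0.9 -> 192.0.2.10:80 tcp S
03:38:09 10.0.0.9 -> 192.0.2.10:80 tcp A
03:38:09 10.0.0.9 -> 192.0.2.10:80 tcp PA
03:38:12 10.0.0.11 -> 192.0.2.10:53 udp -
03:38:12 10.0.0.11 -> 192.0.2.10:161 udp -
03:38:12 10.0.0.11 -> 192.0.2.10:514 udp -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (tcp|udp) (\S+)$")


def parse_log(text):
    """Yield (time, src, dst, dport, proto, flags) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, proto, flags = m.groups()
            yield ts, src, dst, int(dport), proto, "" if flags == "-" else flags


def classify_session(proto, flag_sequence):
    """Name the probe type from the flags the probing side sent to one port."""
    if proto == "udp":
        return "UDP probe"
    first = set(flag_sequence[0])
    if first == {"S"}:
        later = "".join(flag_sequence[1:])
        # a completed handshake continues with ACK; a half-open scan tears down with RST
        if "A" in later and "R" not in later:
            return "TCP connect (full handshake)"
        return "TCP SYN (half-open)"
    if first == {"F"}:
        return "TCP FIN"
    if first == {"F", "U", "P"}:
        return "TCP Xmas Tree"
    if not first:
        return "TCP Null"
    return "unclassified"


def analyze(text, port_threshold=5):
    """Label every (source, destination, port) probe and alert on sources that
    touched at least `port_threshold` distinct ports on one destination."""
    sessions = defaultdict(list)              # (src, dst, dport, proto) -> flags seen
    for _, src, dst, dport, proto, flags in parse_log(text):
        sessions[(src, dst, dport, proto)].append(flags)
    report = {}
    for (src, dst, dport, proto), seq in sessions.items():
        entry = report.setdefault((src, dst), {"ports": {}, "types": set()})
        label = classify_session(proto, seq)
        entry["ports"][dport] = label
        entry["types"].add(label)
    alerts = [(src, dst, len(e["ports"]), sorted(e["types"]))
              for (src, dst), e in report.items()
              if len(e["ports"]) >= port_threshold]
    return report, alerts


if __name__ == "__main__":
    _, found = analyze(SAMPLE_LOG)
    for src, dst, n, types in found:
        print("%s probed %d ports on %s: %s" % (src, n, dst, ", ".join(types)))
```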


Basic Hacking Techniques - Enumeration - Part II - 17/2/2004 3h:39


******Enumeration*******
=== Author: Fantomas311 ===

Suppose steps I and II were unsuccessful, or the information obtained cannot launch any immediate attack; the hacker then moves on to identifying valid user accounts or poorly protected shared resources. Enumeration is a way of extracting valid accounts or resources from a system. In this Part III, I will detail the most common methods and basic tools of enumeration, the third step in basic hacking.

The main difference between the information-gathering techniques of Part I (footprinting) and Part II (scanning) and the enumeration technique below lies in the hacker's level of intrusion. Enumeration involves active connections to systems and directed queries. Most of the information gathered through enumeration looks harmless at first glance. However, the information that leaks through the hole that follows can be damaging. Generally, once a valid username or share has been enumerated, it is only a matter of time before the hacker guesses the corresponding password or finds weaknesses associated with the resource-sharing protocols. The information enumeration yields can be loosely grouped into these categories:

++ Network resources and shares
++ Users and groups
++ Applications and banners

Enumeration can also be done per server operating system, and so it also depends on the information gathered in Part I and Part II. In this part I will cover enumeration in turn for these operating systems: WinNT, Novell and Unix.

*******Windows NT********

Why WinNT?? For enumeration, WinNT can be considered a close friend! As for why..... hee hee, the answers follow!

+++ Enumerating WinNT domains with net view:

Windows is an operating system designed to make browsing network resources easy, so enumerating NT domains is extremely simple compared with other operating systems. In most cases, the tools built into the OS (Operating System) are all that is needed. The net view command is a typical example.
It lists the domains available on the network, then exposes information about all the computers in a domain (we can also use the information from the ping sweeps in the earlier parts to find out the domain names of individual machines, simply by using the IP address in place of the server name). Here is an example:

First, enumerate the domains on the network:

    C:\> net view /domain

List the computers in a specific domain:

    C:\> net view /domain:domainname

+++ Enumerating NT domain controllers:

To dig a little deeper into the NT network structure, we need a tool from the NT Resource Kit (NTRK - note: this term is used a lot in this article!), also regarded as the Windows NT Hacking Kit because of the double-edged nature of the many powerful administration utilities it provides! First, a brief introduction to this thing called NTRK:

- NTRK is a supplementary documentation set for WinNT that comes with a CD of network-management utilities. NTRK contains a collection of powerful utilities, ranging from the popular Perl language to ports of many Unix utilities to remote-administration tools not found in the retail versions of WinNT. It is an indispensable toolkit for NT network administrators and also a useful tool for hackers who want to exploit WinNT. Perhaps that is why NTRK's retail price is around... 200 USD. Hmph, but never mind, there is still a free solution for you at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/

Back to enumerating NT domain controllers: to do this, we use the tool called nltest in the NTRK to identify the PDCs (Primary Domain Controllers) and BDCs (Backup Domain Controllers). Command:

    C:\> nltest /dclist:[domain name]

Going even further, we can use the Holy Grail of NT enumeration, the null or anonymous connection (introduced shortly). After establishing a null session to one of the machines in the enumerated domain, we can use the syntax nltest /server:[server name] and /trusted_domains to learn more about the NT domains related to the first one!

** The NT global method **

Most of the information-gathering techniques I describe in this section exploit a security shortcoming of WinNT that lets anonymous users connect and enumerate certain resources without any "permission". This weakness is known as the "Red Button" (hee, probably the login or submit button), the null-session connection, or the anonymous login..... and it remains the most potentially devastating foothold on the network that hackers look for.
I recall an article that circulated quite widely on the net under the very "scary" title "how to deface a web site", which explained how to find and exploit the anonymous-user weakness! To make a null-session connection, we use the syntax:

    C:\> net use \\IP\IPC$ "" /user:""

The syntax above connects to the hidden inter-process communication "share" (IPC$) at the IP address we supply, as the anonymous user [user:""] with an empty password [""]. If it succeeds, we have an open channel through which to use various techniques to "harvest" as much information as possible: network information, shares, users, groups, Registry keys..... The defence against the NT global method will be covered in fantomas311's "basic security" - stay tuned.

*** NetBIOS shares ***

Once a null session is established, we can also reuse the net view command to enumerate the shares on the remote system. Three other share-enumeration tools in the NTRK are rmtshare, srvcheck and srvinfo. One of the most suitable tools for enumerating NT shares (and other content) is DumpACL, a free download at http://38.15.19.115. DumpACL audits everything from file-system permissions to the services available on remote systems. It can even pull basic user information over an innocuous null connection, and it can be run from the command line, which makes scripting and automation easy. Opening null connections and using the tools above by hand is an excellent method for directed attacks, but most hackers usually use a NetBIOS scanner to quickly check a whole network for exposed shares. One popular tool is Legion (found on many internet archives). Legion can chew through a Class C IP network and reveal all the available shares in its graphical interface. Version 2.1 includes a "brute-force tool" that tries to connect to a given share using a user-supplied list of passwords. Brute-force cracking against Win9x and WinNT will be covered specifically in later parts. Another popular Windows share scanner is the NetBIOS Auditing Tool (NAT), which can be found on internet archives.

**** Other NT enumeration methods ****

There are also some other NT network-information enumerators, such as Microsoft's epdump (http://www.ntshop.net/security/tools/def.htm), getmac and netdom in the NTRK, and netviewx (http://www.ibt.ku.dk/jesper/NTtools/). epdump queries the RPC endpoint mapper and lists the services bound to IP addresses and port numbers. Over a null session, getmac displays the MAC addresses and device names of the network interface cards on remote machines. This provides useful information that helps a hacker profile a system with multiple interfaces on the network.
netdom is even more useful for enumerating key information about NT domains on the wire, including domain membership and the names of Backup Domain Controllers. netviewx is often used to probe for NT Remote Access Services (RAS) to get an idea of how many dial-up servers exist on the network. Finally, it would be remiss not to mention SNMP (Simple Network Management Protocol) as an excellent source of NT information. SNMP will be covered in more detail in the next section: enumerating users in WinNT.

+++ Enumerating users and groups in WinNT

Before getting to how users are enumerated, let's talk about the tools needed for this technique. Once a list of users has been identified, the hacker can use automated password-guessing (brute-force) tools. As with shares, misconfigured NT machines readily spew out user information. Once again, we use the null connection to provide the initial access to run the known hacking tools. The first and simplest way to identify users on a remote Windows system is the nbtstat command:

    C:\> nbtstat -A [IP]

This technique gives us the contents of the remote system's NetBIOS name table, listing the system name, the domain it belongs to, and the logged-in users. Several other NTRK tools can provide information about users (with or without a null connection), such as the usrstat, showgrps, local and global utilities, but the most common tool for pulling user information is still DumpACL. DumpACL can pull a list of users, groups and user rights from an NT system. In addition, two other fairly powerful NT enumeration tools are user2sid and sid2user by Evgenii Rudnyi (see http://www.chem.msu.sn:8080~rudnyi/NT/sid.txt); using these two tools well takes some time to learn. All I can say is that they work even when administrators have enabled RestrictAnonymous, as long as port 139 is reachable!

**** SNMP (Simple Network Management Protocol) ****

An NT system running the NT SNMP agents can be accessed with default community strings such as "public". Enumerating NT users via SNMP is easy with the snmputil SNMP browser in the NTRK. However, this tool produces a lot of data that is "tangled, hard to remember and hard to understand". So, to avoid the hassle (hacking already has enough hassles to deal with!!!), you can use the Solarwinds SNMP browser called IP Network Browser at http://solarwinds.net.

That is fantomas311's presentation of WinNT enumeration; next is enumeration with Novell.

********* NOVELL *********

Although WinNT is said to be the friend of "null sessions", Novell's NetWare suffers a similar problem:

+++ Network Neighborhood: use Network Neighborhood to learn about the servers and "trees" available on the wire. This step does not directly threaten information; it is just a simple warm-up, take what you can get!!
+++ Novell Client32 connections

Novell's NetWare Services program runs in the system tray and lets you manage your NetWare connections through the NetWare Connections option; this capability can be extremely valuable for managing attachments and logins. More importantly, however, after creating an attachment you can retrieve the NDS tree containing the server, the connection number, and the complete network address. This can be useful for connecting to the server later and gaining administrator-level privileges.

+++ On-Site Admin: viewing Novell servers

Without authenticating to an individual server, you can use Novell's On-Site Admin product (ftp://ftp.cdrom.com) to view the status of every server on the wire. Rather than sending its own broadcast requests, On-Site Admin appears to display the servers cached by Network Neighborhood, which sends its own periodic broadcasts about Novell servers on the network.

+++ On-Site Admin tree browsing

We can browse most Novell trees with On-Site Admin. In this case, Client32 actually attaches to the selected server in the tree. The reason is that by default NetWare 4.x lets everyone browse the tree. You can mitigate this by adding an inherited rights filter at the root of the tree. The information obtained through On-Site Admin can help us move on to an active intrusion of the target system.

Enumeration ends here!!!!

******* UNIX *******

Most modern Unix implementations rely on standard TCP/IP networking features and therefore do not give information away as freely as NT does through the NetBIOS or NetWare interfaces. Of course, that does not mean Unix is immune to enumeration techniques, but which technique gives the best results??? That depends on how the system is configured. For example, Sun Microsystems' Remote Procedure Call (RPC), Network Information System (NIS) and Network File System (NFS) have been targeted for many years. We will cover some classic techniques shortly. Before moving on, remember that most of the techniques described in this Part III use information gathered from the port scans and OS enumeration covered in "basic hacking Part I and II".

+++ Enumerating Unix shares and network resources

The best source of Unix network information is the TCP/IP techniques described in Part II, but an even better tool for digging deeper is the Unix showmount utility, which is very useful for enumerating NFS-exported file systems on a network.
For example: suppose an earlier scan showed port 2049 (NFS) listening on a potential target. We can then use showmount to see exactly which directories are being shared:

    showmount -e 192.168.202.34
    export list for 192.168.202.34
    /pub (everyone)
    /var (everyone)
    /usr (user)

The -e switch lists the NFS server's export list; unfortunately for security folks, and luckily for hackers, this information leak cannot be plugged, because it is NFS's default behaviour.

NFS is not the only file-sharing software you will find on Unix, thanks to the growing popularity of the open-source Samba suite, which provides seamless file and print services to SMB (Server Message Block) clients, the foundation of Windows networking. Samba can be downloaded at http://samba.org and ships with many Linux distributions. Although the Samba server configuration file (/etc/smb.conf) has some easy-to-understand security parameters, misconfiguration can still lead to unprotected network shares.

Another potential source of Unix network information is NIS. The main problem with NIS is that once you know a server's NIS domain name, you can use a simple RPC query to retrieve any of its NIS maps. NIS maps are the distributed mappings of each domain host's important information, such as the contents of the passwd file. The traditional NIS attack uses NIS client tools to try to guess the domain name. Besides these, some other fairly useful tools are psean and snmpwalk.

+++ Enumerating Unix users and groups: this technique does not yield really valuable information; it can only tell you which user is root on the target server. Tools: finger, rusers, rwho.

******

Basic hacking Part III pauses here; after the three basic steps you have quite a lot of information and tools. Specific exploitation will be covered later.... I hope that through these three articles fantomas311 has given you the basic concepts of hacking! Have fun! For any questions about the articles, contact fantomas311@yahoo.com
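As an added example (not from the article), the following Python audits NFS exports from the defender's side: it parses showmount -e output in the layout shown above and a Linux-style /etc/exports file, and flags shares exported to everyone or with no_root_squash, the two conditions that turn the default export-list leak into real exposure. Both inputs are constructed samples; the /etc/exports syntax assumed is the Linux knfsd one (/path host(options) ...).

```python
import re

# Constructed sample of `showmount -e` output in the layout shown above
SHOWMOUNT_OUTPUT = """\
export list for 192.168.202.34:
/pub (everyone)
/var (everyone)
/usr (user)
/home/projects 192.168.202.0/24,10.1.0.5
"""

# Constructed sample /etc/exports (assumed Linux knfsd syntax: path host(options) ...)
EXPORTS_FILE = """\
# constructed example, not a real server's file
/pub             *(ro,sync)
/var             (rw,no_root_squash)
/usr             user(ro)
/home/projects   192.168.202.0/24(rw,root_squash) 10.1.0.5(rw)
"""

WORLD = {"everyone", "*"}


def parse_showmount(text):
    """Return {path: [client spec, ...]} from `showmount -e` output."""
    exports = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list"):
            continue
        path, _, clients = line.partition(" ")
        clients = clients.strip()
        if clients.startswith("(") and clients.endswith(")"):
            clients = clients[1:-1]          # "(everyone)" -> "everyone"
        exports[path] = [c for c in clients.split(",") if c]
    return exports


def parse_exports_file(text):
    """Return {path: [(client, {option, ...}), ...]} from /etc/exports.
    A missing client (old "(opts)" form or a bare path) means everyone."""
    exports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        entries = []
        for spec in specs or [""]:
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", spec)
            client, opts = m.group(1), m.group(2) or ""
            entries.append((client or "*", {o for o in opts.split(",") if o}))
        exports[path] = entries
    return exports


def audit_showmount(exports):
    """Paths whose client list says everyone may mount them."""
    return sorted(p for p, clients in exports.items()
                  if any(c in WORLD for c in clients))


def audit_exports_file(exports):
    """List (path, reason) findings: world exports and no_root_squash."""
    findings = []
    for path, entries in exports.items():
        for client, opts in entries:
            if client in WORLD:
                mode = "rw" if "rw" in opts else "ro"
                findings.append((path, "exported to everyone (%s)" % mode))
            if "no_root_squash" in opts:
                findings.append((path, "no_root_squash for %s" % client))
    return findings


if __name__ == "__main__":
    print("world-mountable per showmount:", audit_showmount(parse_showmount(SHOWMOUNT_OUTPUT)))
    for path, reason in audit_exports_file(parse_exports_file(EXPORTS_FILE)):
        print("%-16s %s" % (path, reason))
```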
