
When it comes to defending against hacker intrusions, seamoun's view is that network administrators must themselves play the role of the attacker against their own systems. Put yourself in the attacker's position and think: if I were the attacker, what would I do, how would I do it, what steps would I take? ... For every one way of breaking in, the defender has to come up with ten or more ways of protecting against it. Breaking things is usually easier than building them.

Here are the usual steps a hacker goes through against a system: Gather information about the system --> Scanning ---> Break in and gain control of the system --> Maintain control of the system ---> Cover tracks. (<-- Yes, yes, we've all heard it a thousand times !!!). In this first article seamoun goes straight into the ways of gathering information about a system and demos the tools seamoun likes best for this phase. (There are very, very many tools for each part; the ones seamoun demos are the ones seamoun considers easy to use and effective. I meant to write my own, but these are so well written that I might as well just use them; why bother writing more, it's tiring !!!! Better to spend the time coding something else to earn money !!!)

1. Gathering information about a system can be divided into two kinds


+ Passive Reconnaissance: seamoun would plainly call this "a quick once-over of the system". Information gathering of this kind is a preliminary survey of the organisation: general information, geographic location, phone numbers and e-mail addresses of individuals, managers, ... in the organisation. You may ask why on earth anyone would bother collecting the phone numbers and e-mail addresses of people in the organisation. They become very useful when carrying out a social engineering attack (seamoun covers that later).

+ Active Reconnaissance: this kind collects information that is directly tied to the system itself, such as the IP address (or range), domains and DNS.

Note: all of this information gathering matters a great deal to the hacker, because it helps identify the easiest paths of attack into the system. It is like courting a girl: walk straight up to her and you will only get your head smashed in. First you have to find out where she lives, how many siblings she has, what her parents are like, what she likes, through her close friends ... (seamoun may have got that bit wrong; the guys from the South and the North can surely explain this better than seamoun.)

The information-gathering process can be described in 7 steps (the classification is only approximate):

Step 1: Gather initial information
Step 2: Determine the network range
Step 3: Check whether the machines are "alive"
Step 4: Discover open ports
Step 5: Identify the operating system
Step 6: Enumerate the services behind the open ports found
Step 7: Draw a map of the network

Of the 7 steps above, steps 1 and 2 are grouped together and called footprinting.

1.1 The first tool I introduce for information gathering is Google. There is no need to say much about Google's search capabilities, and covering Google Hacking in detail would take all day. Here seamoun only covers the main points relevant to hacking. Some techniques when using Google: use the advanced search operators to narrow down exactly the information you care about. For example:

+ site:<domain>: search restricted to a given website or domain. The website to search must be given right after the colon. For example, type site:vickigroup.com followed by the keyword you want; Google then searches for pages containing that keyword only within the domain vickigroup.com.
+ filetype:<extension>: search only within files of the type you want. The extension is given without the ".": you simply type filetype:txt if the file type you want has the extension .txt. So filetype:txt searches only files with that extension.
+ link:<domain>: find sites that contain links to the domain you specify. For example link:vickigroup.com returns the sites that link to vickigroup.com.
+ cache:<domain>: search Google's cache. This is very handy for reading tutorials on sites that make you pay to register. Heh heh. You can read the cached copy and save your money.
+ intitle: searches the Title of the document.
+ inurl: searches within the URL.

Combining these search operators is very important; it helps the hacker pin down exactly the information and scope of interest. Small demo using the Google.com search engine: seamoun uses Google to find sites on which the r57.php web backdoor has been planted. As you can see in the demo, there are a great many sites with the r57.php backdoor planted on them !

Neat !!! In the same way you can find other flaws by combining the search techniques listed above.

1.2 This stage gets closer to the system of interest. Suppose the target in hand is the domain abc.com. What does the hacker do next? The following actions are possible:
+ Whois, to find the domain owner and related information
+ DNS interrogation
+ Determine the network range belonging to that domain
As for what Whois is, what DNS is, and so on, seamoun assumes you will read up on them; they are not covered here. There are very, very many tools related to the above. Seamoun splits the tools into two groups: part 1 uses simple tools and part 2 uses dedicated tools.

Demo 1 uses the following tools:
1. The website samspade.org
2. nslookup on Windows
3. http://arin.net/whois and http://ws.arin.net/whois/ <-- In fact there is no need to go to arin.net at all if you know which IP ranges are allocated to each region. For example, given the IP 210.245.31.22 you can go straight to http://ws.arin.net/whois/ without going through http://arin.net/whois. But in the demo I start from http://arin.net/whois for the case where you do not know which region the address belongs to.

Demo 2 uses the following tools:
1. Smart Whois
2. Necrosoft Advanced DIG

Demo 3 uses NeoTracePro.

2. Social Engineering


This is a simple attack method that relies on the human factor to break into a system. Social Engineering comes in two forms:
1. Human-based: relies on the hacker's ability to communicate with the victim. For example the hacker can pose as an account holder and phone the bank, asking the bank staff for information about the account the hacker intends to take over.
2. Computer-based: uses the computer as the medium to obtain the information the hacker is after. It differs from the form above in that:

In the Human-based form the hacker talks directly to the victim or to the help desk ... to get the information needed (it depends on the art of conversation; sweet talk makes people trust you). The computer-based form uses media such as e-mail and scam pages to deceive the victim. An example of the Computer-based form: the hacker creates an e-mail with a link to a scam page about, say, a bank account; when the victim reads it, they can be led to the scam page and hand over sensitive information to the hacker. This form also goes by another name: phishing.

2.1 Human-based attacks can take one of the following forms:
+ Posing as a legitimate employee of the organisation: the hacker can impersonate a legitimate employee and, in that role, pry information out of people.
+ Posing as an important person in the organisation (the boss, for instance). For example the hacker poses as the director of company A and sends a message to the secretary: "This is the boss ... Hoang here! I left my phone at home so I'm using this number; could you send ...<sensitive information> ... to this number !!!". In general there are a hundred schemes and a thousand tricks for impersonation. Seamoun supposes you only realise it once you've been fooled; there are 1001 kinds of scam and no two are alike.
+ Posing as a client calling customer support: for example, a hacker who wants to take over a domain can use a phishing e-mail to make the victim send sensitive information; that is computer-based social engineering. The hacker can also pose as the domain owner, call customer support, present the victim's details found during footprinting to get verified by the support agent, and then ask for the password to be sent to the hacker's e-mail ...
+ Shoulder surfing: the hacker "peeks" at what a user or admin is typing. For example the director's secretary acting as an insider. Heh heh :->
+ Dumpster diving: rummaging through the trash, ... to find sensitive information. So on a computer you should permanently delete sensitive documents, and if you back up sensitive documents you should also encrypt them.

As mentioned at the start, Social Engineering depends on the human factor, so in seamoun's opinion social engineering is the easiest and simplest path a hacker can take to obtain sensitive information. This form of attack will always exist because it depends on people: if customer support or other staff in the organisation are never told about this kind of attack and trained in how to guard against it, they are very, very easy to attack this way. It looks simple and needs no technical skill, but seamoun thinks any hacker who hacks successfully through social engineering is a master of the art of conversation and good at writing letters that lure victims. Probably good at courting girls too.

I wonder whether anyone in HVA has been attacked this way? Seamoun certainly has: someone posed as JAL and chatted with me quite convincingly, about 2 years ago now. The chat log is lost, otherwise I'd post it here for everyone's amusement. Once e-commerce becomes widespread in Vietnam this form of attack will surely see a lot of use! The most effective defence is training and more training ... so that customers and staff know and understand social engineering attacks. Here is an example of an e-mail a hacker uses to lure a victim into giving up their bank account (seamoun took it from the website http://www.millersmiles.co.uk/). You have to admit the foreigners write frighteningly artful lure letters. I wonder whether anyone has been hit by a Vietnamese-language lure e-mail yet; post it here so everyone knows and can see it coming.

"We regret to inform you, that we had to lock your PayPal Access because we have reasons to believe that your account may have been compromised by outside parties."

Dear member ,

We regret to inform you, that we had to lock your PayPal Access because we have reasons to believe that your account may have been compromised by outside parties. In order to protect your sensitive information, we temporaly suspended your account. To reactivate your account, click on the link below and confirm your identity by completing the secure form what will appear.

https://www.paypal.com/us/cgi-bin/ webscr?cmd=_login-submit

We have seen unusual attempts for logging in regarding your personal account, therefore this confirmation regarding your account its only for security reasons.

Scanning & Enumeration


The Scanning process is really a continuation of information gathering, but now the hacker interacts directly with the host to be attacked. From the results of footprinting the system, the hacker has the two most important pieces of information: the IP address (or address range) and the hostname (what an IP address and a hostname are, you can look up yourselves !!!). Scanning can be divided into the following steps: Determine whether the system is "alive" ---> Check which ports are open ---> Determine which services are running on the open ports ---> Determine the banner of each service, the operating system and its version --> Check the running services for vulnerabilities --> Draw a map of the vulnerable hosts ---> Prepare a good proxy and attack.

1) Ping Sweep
Determining whether a system is "alive" matters a great deal, because the hacker may stop the attack right away once a system is found to be "dead". Whether a system is "alive" can be determined with the Ping Scan technique, also called a Ping Sweep. What is a Ping Sweep really? It sends an ICMP Echo Request to the host the hacker wants to attack and waits for an ICMP Reply. (What the ICMP protocol is and what it does, look it up yourselves!) Most firewalls always block Ping, so defending against Ping Sweeps is very easy. Apart from stopping Ping Sweeps, seamoun's view is that ICMP should be blocked on any firewall that does not yet block it, because a hacker can also abuse ICMP to carry a backdoor over this protocol. The ready-made tool is the ping command built into Windows or Linux, or one of these dedicated programs: Pinger, Friendly Pinger, WS Ping Pro and Hping2. Of Pinger, WS Ping Pro and the rest, the one I like best is Hping2, because it has many options and can detect whether a host is "alive" or "dead" even when the firewall blocks ICMP.

2) Port Scan
As mentioned above, the next job after the Ping Sweep is the Port Scan: find the open ports and from them determine which services are running, which versions, ... Port Scan programs normally come with options that combine port scanning with identifying the running service and its version. There are very many Port Scan tools and each has its own strength. The famous Port Scan tool, mentioned in many HVA articles, is Nmap. In this section seamoun covers the main points about Nmap; its other options and features you can look up yourselves! This section requires you to understand the TCP and UDP protocols and the structure of a packet sent from one machine to another over the network. Nmap is widely used because it has versions for the different OSes (Unix, Linux, Windows). Nmap supports many port-scanning techniques, including: TCP, XMAS, SYN, Null Scan, Window Scan, ACK Scan.

a) TCP Scan
With the TCP Scan technique, Nmap checks whether a port on the target system is open or closed by making a full TCP connection. What does a full TCP connection mean? When machine A connects and sends data to machine B over TCP, A and B must perform the 3-step "handshake" before transferring data. Suppose machine A has IP = 192.168.1.2 and machine B has IP = 192.168.1.3. For A to connect to B over TCP, the following steps take place:
1) A (192.168.1.2) --- sends SYN packet -----> B (192.168.1.3)
2) A (192.168.1.2) <-- sends SYN/ACK packet --- B (192.168.1.3)
3) A (192.168.1.2) --- sends ACK packet ------> B (192.168.1.3)
The following demo shows this mechanism clearly. In this example machine A has IP 192.168.1.2 and machine B has IP 192.168.1.8.

Demo 2: using Nmap to perform a Port Scan with the TCP Scan technique. Target IP address: 192.168.1.8, with TCP port 7799 open. Source IP address: 192.168.1.6 (the machine running the nmap scan). The nmap option for a TCP Scan is -sT. For example, to Port Scan a machine with IP address 192.168.1.8 using the TCP Scan technique: nmap -sT 192.168.1.8 or nmap 192.168.1.8 -sT. In this demo Seamoun uses netcat to listen on TCP port 7799 and uses nmap to check whether the port is open or closed. If in the following example port 7799 were closed, then when scanning with Nmap, after nmap sends the SYN packet to IP 192.168.1.8, because 192.168.1.8 does not have port 7799 open it replies with a packet whose TCP flags ACK and RST are set, sent to IP 192.168.1.6 (the machine running the nmap scan).

b) SYN, XMAS, FIN, NULL, IDLE Scan
+ SYN, also called Stealth, is known as the half-open scanning technique because it does not complete the TCP three-way handshake (the 3 connection-establishment steps introduced above). The hacker sends a SYN to the target; if a SYN/ACK comes back, the scan is complete and the port is determined to be open. If a RST comes back from the target, the port is closed. But what are these flags SYN, ACK, RST that seamoun has mentioned so far? What do they do in a connection? Here seamoun only introduces the function of these flags in a TCP packet. Because TCP is a connection-oriented protocol, it needs flags to set up the process of establishing a connection; restarting a failed connection and completing a connection are part of the protocol. These signals of the protocol are called flags. TCP has the flags ACK, RST, SYN, URG, PSH and FIN, with the following meanings:
1) SYN - Synchronize. Initiates a connection between hosts.
2) ACK - Acknowledge. Establishes the connection between hosts.
3) PSH - Push. The system is forwarding data from its buffer.
4) URG - Urgent. The data in the packet must be processed quickly.
5) FIN - Finish. No more exchanges.
6) RST - Reset. Resets the connection.
You can read more at http://www.faqs.org/rfcs/rfc793.html
To perform a SYN scan: nmap -sS 192.168.1.3 or nmap 192.168.1.3 -sS
Back to the scanning techniques. The next techniques seamoun introduces from Nmap are:
+ XMAS Scan: sends a packet with three flags set, FIN, URG and PSH. If the port is open there is no response; if the port is closed it responds with RST/ACK. XMAS only works against Unix, not against Windows. To perform an XMAS scan: nmap -sX 192.168.1.3 or nmap 192.168.1.3 -sX
+ FIN Scan: like the XMAS Scan but with only the FIN flag set. FIN gets the same responses as the XMAS Scan: no response means the port is open, a RST/ACK response means the port is closed. To perform a FIN scan: nmap -sF 192.168.1.3 or nmap 192.168.1.3 -sF
+ NULL Scan: like XMAS and FIN, but it sends with all flags turned off. To perform a NULL scan: nmap -sN 192.168.1.3 or nmap 192.168.1.3 -sN
+ IDLE scan: uses a spoofed IP address to send SYNs to the target system. Depending on the response, the port is determined to be open or closed. The IDLE scan determines the port state by observing the IP packet sequence numbers. To perform an IDLE scan: nmap -sI 192.168.1.3 or nmap 192.168.1.3 -sI

Demo 3: Target IP address: 192.168.1.3. IP address of the machine running Nmap: 192.168.1.6. In this demo I use a Linux target listening on port 7799. Seamoun chose Linux because some scanning techniques can only be performed against Linux and not against Windows, so running Linux lets me demo all the cases. You will see in the demo that when port 7799 is open (closed), the SYN, FIN, XMAS and NULL scan techniques set (clear) different flags and get different responses.
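As an added example (not from seamoun's post), the following Python classifies TCP probes by their flag bits into the scan types just listed and states the reply RFC 793 prescribes for open and closed ports, then runs over a few constructed log records, which is the shape of the detection logic a defender puts on the receiving end of such scans. The flag encoding, record layout and function names are my own, not from the original.

```python
"""Classify TCP probes by flag combination and state the reply RFC 793 prescribes.

Added example, not from seamoun's post. The flag encoding, record layout and
function names are my own; the sample records below are constructed, not captured.
"""

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_to_names(bits):
    """Set of flag names whose bits are set, e.g. 0x29 -> {'FIN', 'PSH', 'URG'}."""
    return {name for name, bit in TCP_FLAGS.items() if bits & bit}


def classify_probe(bits):
    """Map a probe's flags to the scan technique described in the text.

    SYN alone     -> half-open SYN scan, or the first packet of a connect (-sT) scan
    FIN+PSH+URG   -> XMAS scan
    FIN alone     -> FIN scan
    no flags      -> NULL scan
    anything else -> not one of the probe patterns discussed
    """
    names = flags_to_names(bits)
    if names == {"SYN"}:
        return "SYN/connect"
    if names == {"FIN", "PSH", "URG"}:
        return "XMAS"
    if names == {"FIN"}:
        return "FIN"
    if not names:
        return "NULL"
    return "other"


def expected_reply(scan, port_open):
    """Reply the target sends, per RFC 793 as summarised in the text.

    SYN probe:      open -> SYN/ACK, closed -> RST/ACK.
    XMAS/FIN/NULL:  open -> silence on RFC-compliant stacks (Unix), closed -> RST/ACK.
                    Windows answers RST either way, which is why the text says
                    XMAS does not work against Windows.
    """
    if scan == "SYN/connect":
        return "SYN/ACK" if port_open else "RST/ACK"
    if scan in ("XMAS", "FIN", "NULL"):
        return "no response" if port_open else "RST/ACK"
    return "n/a"


# Constructed sample records: (source IP, destination IP, destination port, flag bits).
SAMPLE_LOG = [
    ("192.168.1.6", "192.168.1.3", 7799, 0x02),  # SYN only
    ("192.168.1.6", "192.168.1.3", 7799, 0x29),  # FIN|PSH|URG
    ("192.168.1.6", "192.168.1.3", 7799, 0x01),  # FIN only
    ("192.168.1.6", "192.168.1.3", 7799, 0x00),  # no flags
    ("192.168.1.6", "192.168.1.3", 80, 0x18),    # PSH|ACK: ordinary data segment
]


def summarize(records):
    """Count probe types per source host; several odd-flag probes from one
    source in a short window is the signal a defender would alert on."""
    counts = {}
    for src, _dst, _dport, bits in records:
        kind = classify_probe(bits)
        if kind != "other":
            per_src = counts.setdefault(src, {})
            per_src[kind] = per_src.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for src, _dst, dport, bits in SAMPLE_LOG:
        kind = classify_probe(bits)
        print(f"{src} -> :{dport} {sorted(flags_to_names(bits))} => {kind}; "
              f"open port replies {expected_reply(kind, True)}, "
              f"closed port replies {expected_reply(kind, False)}")
    print(summarize(SAMPLE_LOG))
```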

c) Introduction to the IDLE Scan
Every IP packet sent over the network carries a unique number called the fragment identification (the IPID). The IDLE scan technique relies on the behaviour of this IPID to determine whether a port is closed or open, and it abuses a third machine as an intermediary to do so. So how is an IDLE Scan performed? What are the steps? Recall the TCP connection method: as seamoun introduced and demoed in the full-connection TCP section, a port is called "open" when a client sends the target a SYN packet on the relevant port and gets a SYN/ACK packet back; if the port is closed, the target sends back a RST. Suppose we have a host abc.com, and the target the hacker needs to scan is server.com.

Step 1: The hacker sends a SYN/ACK packet to abc.com and observes the IPID. Naturally abc.com replies with a RST packet, so we learn its IPID. Say the IPID in this case is 33668.
Step 2: The hacker then sends a packet to server.com with the source IP address forged as abc.com. Naturally server.com replies to abc.com with SYN/ACK set if the port the hacker is checking is open, and abc.com then sends a RST packet. Supposing the port is open, when abc.com sends that RST it increments its IPID by 1, so the IPID is now 33669. The IPID is not incremented if the port being checked is closed.
Step 3: The hacker sends a SYN/ACK to abc.com again and checks the IPID. If the new IPID equals the old IPID + 2, the port is open; otherwise the port being checked is closed.

Illustration

Step 1: Probe the IPID
Attacker ----> sends packet (SYN/ACK) ------------------------> abc.com
Attacker <---- sends packet (RST, say with IPID=33668) <------- abc.com

Step 2: Send a packet to the target whose port is being checked, with the source IP forged as abc.com
Attacker ----> sends packet (SYN with source IP abc.com, to the port being checked) ---> server.com
If the port is open:
abc.com <---- sends packet (SYN/ACK) <----------------------- server.com
abc.com ----> sends packet (RST with IPID=33669) -----------> server.com
If the port is closed:
abc.com <---- sends packet (RST) <--------------------------- server.com

Step 3: Probe the IPID again
If the port being checked is open:
Attacker ----> sends packet (SYN/ACK) ------------------------> abc.com
Attacker <---- sends packet (RST with IPID=33670) <----------- abc.com
If the port being checked is closed, the IPID has only increased by 1.

Conclusion: the heart of the IDLE Scan is observing an IPID that increases non-randomly and concluding from it whether a port is closed or open.

Demo IDLE Scan
For the IDLE Scan in nmap we use the option -sI and choose a third machine as the intermediary, as described above. By default the scanner talks to the intermediary on port 80; you can change that with <ip>:<port>. In the demo the machine running nmap has IP 192.168.1.6, the intermediary has IP 192.168.1.2, and the machine whose ports are to be scanned (the target) has IP 192.168.1.8. Suppose we need to check whether port 7799 is open. Run the following command: nmap.exe -sI 192.168.1.2 192.168.1.8 -p 7799. By default nmap talks to the intermediary on port 80; the port can be changed like this: nmap.exe -sI 192.168.1.2:456 192.168.1.8 -p 7799. In the demo you will see nmap send many SYN/ACKs; their only purpose is to check whether the IPID increases sequentially. Because there are so many packets they are hard to follow, so seamoun has separated out the relevant packets to make them easier to see.
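The IPID arithmetic from the IDLE scan explanation above, as an added Python model that is not part of the original post: it replays steps 1 to 3 with the page's numbers (33668 -> 33670 for an open port) against a zombie with a sequential IPID, then repeats the run against a zombie that randomises its IPID, which is what a defender configures so that their host cannot serve as the intermediary. All hosts are in-memory objects; the class and function names are my own.

```python
"""Model of the IPID inference behind the IDLE scan, and why a random IPID defeats it.

Added example, not from seamoun's post. It replays steps 1-3 from the text with the
page's numbers against a zombie (abc.com) whose IP stack increments the IPID by one
per packet sent, then repeats the run against a zombie that randomises its IPID.
Nothing touches the network; all hosts are in-memory objects and the names are my own.
"""
import random


class Zombie:
    """A host that answers every unsolicited SYN/ACK with a RST carrying its next IPID."""

    def __init__(self, start_ipid=33668, randomize=False, seed=1):
        self.ipid = start_ipid
        self.randomize = randomize
        self.rng = random.Random(seed)

    def send_packet(self):
        """Emit one IP packet and return the IPID it carried."""
        if self.randomize:                       # mitigation: per-packet random IPID
            return self.rng.randrange(0, 65536)
        ipid = self.ipid                         # vulnerable: global sequential counter
        self.ipid = (self.ipid + 1) & 0xFFFF
        return ipid


class Target:
    """server.com in the text: SYN/ACK for an open port, RST for a closed one."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_syn(self, spoofed_src, dport):
        # The SYN carries the zombie's address, so the reply goes to the zombie.
        # Open port: SYN/ACK, which the zombie answers with a RST (one more packet).
        # Closed port: RST, which the zombie silently drops (no packet sent).
        if dport in self.open_ports:
            spoofed_src.send_packet()


def idle_scan(zombie, target, port):
    """Steps 1-3 from the text; a difference of 2 means the port is open."""
    before = zombie.send_packet()          # step 1: RST to our SYN/ACK, e.g. IPID=33668
    target.receive_syn(zombie, port)       # step 2: SYN with the zombie as source address
    after = zombie.send_packet()           # step 3: RST to our second SYN/ACK
    delta = (after - before) & 0xFFFF      # handles the 16-bit counter wrapping
    return {"before": before, "after": after, "delta": delta, "open": delta == 2}


def inference_reliability(randomize, trials=50):
    """Fraction of trials in which the IDLE-scan verdict matches the real port state."""
    correct = 0
    for i in range(trials):
        port_open = i % 2 == 0
        zombie = Zombie(randomize=randomize, seed=i)
        target = Target({7799} if port_open else set())
        correct += idle_scan(zombie, target, 7799)["open"] == port_open
    return correct / trials


if __name__ == "__main__":
    print(idle_scan(Zombie(), Target({7799}), 7799))   # open:   33668 -> 33670
    print(idle_scan(Zombie(), Target(set()), 7799))    # closed: 33668 -> 33669
    print("sequential IPID accuracy:", inference_reliability(False))
    print("random IPID accuracy:    ", inference_reliability(True))
```

With a sequential zombie the verdict is right every time; with a randomised IPID it is no better than guessing, which is why the zombie-side fix is the IPID policy, not a firewall rule.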

... at C:\WINDOWS\system32\drivers\etc\services, which lists the names and types of the corresponding services. The most common way is to telnet to the service on the open port you want to check in order to determine its banner. For example, using netcat to look at the banner on port 80 of the host matbao.com (the -vv option of netcat shows more information about matbao.com):
Code:
D:\Hacking>nx -vv matbao.com 80
DNS fwd/rev mismatch: matbao.com != smb57.vdrs.net
matbao.com [203.162.163.57] 80 (http) open
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 5118
Content-Type: text/html
Content-Location: http://203.162.163.57/index.htm
Last-Modified: Tue, 27 Sep 2005 07:20:00 GMT
Accept-Ranges: bytes
ETag: "2c739df33c3c51:5ea"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 26 Mar 2008 10:57:01 GMT
Connection: close
 sent 17, rcvd 319: NOTSOCK

As in the example, we learn that the Web server is IIS 6.0, ... Obviously this is the most "classic" way of checking the banner on port 80. The Admin may change the configuration so that the server replies to us with different information when we connect to it on port 80. Later Seamoun presents some other checks for when the admin deliberately alters the web server's responses !!! A system can be compromised through vulnerable services the network administrator does not know about (because not every service the host runs has been reviewed), so deciding which services are really needed, opening ports only for those and closing the rest reduces the risk of attack through them. It is like a house with many doors: open only the ones you need and keep the rest shut to be safe, rather than wondering how on earth someone got in.

Port Scan tools usually also include identification of the service and its version. With Nmap, for example, you use the -sV option: nmap.exe -sV 192.168.1.3. It scans all the common services and shows the version of each. Once you have the service and its version, the next job is to find out whether that version has any vulnerabilities. This can be done by searching the Internet at security sites such as http://securityfocus.com, http://securiteam.com, http://secunia.com ... or by using pentest programs such as Metasploit, Acunetix Scan, App Scan, Core Impact ...

Demo
The demo has 2 parts. Part 1 performs banner grabbing with simple tools. Part 2 uses nmap to scan ports combined with banner grabbing, and then looks up the service and version obtained from the nmap scan to see what vulnerabilities it had at the time of checking. In this demo I only do this for SMTP (25).

4) OS Fingerprinting
Attacking a host without knowing which operating system and which version it runs? Sounds rather ridiculous, doesn't it? So determining the operating system and version running on the target system is extremely important. Why does it matter? Because hosts today do not all run the same operating system; there are many kinds, such as Windows, Linux, Sun, FreeBSD, ... Finding out that a host runs one of Windows, Linux, ... is already tiring enough; then you have to determine the version of the operating system. Windows itself, as you know, comes in many different versions, by language and by year of release, for example Windows 2000, Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, ... The more precisely the operating system and its version are identified, the better the hacker understands the system and can pentest in a focused way, concentrating on the version and operating system actually running rather than flailing about. For example, if we know for certain that a target runs Windows, we will certainly not test for bugs that belong to other OSes such as Linux, Sun, .... Next, knowing it runs Windows, determine whether it runs Windows 2000, 2003 or Vista; if it runs Windows Server 2003, which edition of Windows Server 2003, and which Service Pack is it on? SP0, SP1, SP3, ... Because many bugs do not affect the whole Windows product line or one fixed Windows version: a bug may exist in SP0 but not in SP1 or SP2, or appear only after upgrading to SP1, SP2, ... In short, the more precisely the operating system and version are identified, the less you have to wander around when checking for bugs. The method of determining the operating system running on a target is called OS Fingerprinting. There are 2 different kinds:
+ Active stack fingerprinting
+ Passive fingerprinting
Active stack fingerprinting relies on the fact that operating systems initialise TCP differently to determine which operating system it is. The tools craft packets, send them to the target, and compare the target's responses against a database to determine the OS. This probing, however, may be logged by the Firewall. Passive fingerprinting does not scan the system directly for operating-system information; it uses sniffing instead of scanning. This method is less accurate than active stack fingerprinting. In short, both Active Stack Fingerprinting and Passive Fingerprinting rely on how the TCP stack is initialised and how differently each OS responds in order to determine the operating system and version. Some tools for Active Stack Fingerprinting are XPROBE2, RING v2 and Nmap. Seamoun usually uses nmap because everything needed for scanning, detecting and bypassing is all there in nmap !!!! To identify the operating system with nmap, use the -O option. Example:

D:\Hacking\scanning\nmap>nmap -O 192.168.1.17

Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-08 10:27 SE Asia Standard Time
Interesting ports on 192.168.1.17:
Not shown: 1707 closed ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
5101/tcp open  admdog
MAC Address: 00:E0:4D:08:67:AD (Internet Initiative Japan)
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.235 seconds

5) Identifying the Web Server
Seamoun splits identification of the Web Server out into its own topic because today the web has become very common and so have attacks on hosts through the web, since a web server always has to be kept up (unless it is DOSed and goes down!). Attacking a web server is really attacking the target system on port 80. Obviously there are many techniques and differences compared with other services; seamoun does not need to introduce the web and its related components, since they are so common and everyone knows them. The steps for determining the banner of a web server are the same as for other services: since it is a service running on TCP port 80, identifying it also means connecting to the web server on port 80. Example:

D:\Hacking>nx -vv matbao.com 80
DNS fwd/rev mismatch: matbao.com != smb57.vdrs.net
matbao.com [203.162.163.57] 80 (http) open
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 5118
Content-Type: text/html
Content-Location: http://203.162.163.57/index.htm
Last-Modified: Tue, 27 Sep 2005 07:20:00 GMT
Accept-Ranges: bytes
ETag: "2c739df33c3c51:5ea"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 08 Apr 2008 08:20:43 GMT
Connection: close
 sent 17, rcvd 319: NOTSOCK

The above is the simplest way to determine what Web server is running and what technology it uses; in the example above the Web Server is IIS/6.0 running ASP.NET or ASP. If a Web server deliberately uses software such as IIS Lockdown or Server Mask for IIS, or changes the server name in the Apache configuration, to stop hackers from identifying the web server software, the hacker can use more advanced http fingerprinting techniques as follows:

a) Method 1
Connect to the web server on port 80 as before, but send a different command (not the usual GET or POST methods), wait for the web server's reply, and determine from it which web server is running. For example, against a Sun One Web Server:
$ nc sun.site.com 80
PUT / HTTP/1.0
Host: sun.site.com
it replies:
HTTP/1.1 401 Unauthorized
Server: Sun-ONE-Web-Server/6.1
Against IIS 6.0:
$ nc iis6.site.com 80
PUT / HTTP/1.0
Host: iis6.site.com
it replies:
HTTP/1.1 411 Length Required
Server: Microsoft-IIS/6.0
Content-Type: text/html
Against IIS 5.x:
$ nc iis5.site.com 80
PUT / HTTP/1.0
Host: iis5.site.com
it replies:
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/5.1
Against Apache 2.0.x:
$ nc apache.site.com 80
PUT / HTTP/1.0
Host: apache.site.com
it replies:
HTTP/1.1 405 Method Not Allowed
Server: Apache/2.0.54
As you can see above, different servers respond differently to the PUT command, and from that we determine which web server software is running.

b) Method 2: based on the characteristics of the server's response to a HEAD command
Connect to the target on port 80 and use HEAD as in the first case, but analyse the web server's response more carefully to make the determination.

HTTP/1.1 200 OK
Date: Mon, 22 Aug 2005 20:22:16 GMT
Server: Apache/2.0.54
Last-Modified: Wed, 10 Aug 2005 04:05:47 GMT
ETag: "20095-2de2-3fdf365353cc0"
Accept-Ranges: bytes
Content-Length: 11746
Cache-Control: max-age=86400
Expires: Tue, 23 Aug 2005 20:22:16 GMT
Connection: close
Content-Type: text/html; charset=ISO-8859-1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Date: Mon, 22 Aug 2005 20:24:07 GMT
Connection: Keep-Alive
Content-Length: 6278
Content-Type: text/html
Cache-control: private

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Mon, 22 Aug 2005 20:23:36 GMT
Content-length: 2628
Content-type: text/html
Last-modified: Tue, 01 Apr 2003 20:47:57 GMT
Accept-ranges: bytes
Connection: close

HTTP/1.1 200 OK
Connection: close
Date: Mon, 22 Aug 2005 20:39:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 23756

In the parts seamoun has highlighted you can see the differences between the web servers. If it is Apache, Date comes before Server, the reverse of IIS 5.1. With Sun, length and type are written in lower case, unlike Apache and IIS. And IIS 6.0 has the extra line Connection: close.
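Putting the header-order observation into code, as an added example that is not from seamoun's post: the four HEAD responses quoted above are fingerprinted by header order and case rather than by the Server value, and a constructed variant of the Apache response with only its Server header rewritten shows that masking the banner alone does not change the verdict, which is the check a defender would run against their own Server Mask or IIS Lockdown setup. Function names are my own.

```python
"""Header-order fingerprinting of HTTP HEAD responses.

Added example, not from seamoun's post. The four responses are the samples
quoted in the text; the masked variant in main() is constructed. Function names
are my own.
"""

SAMPLES = {
    "Apache/2.0.x": (
        "HTTP/1.1 200 OK\r\nDate: Mon, 22 Aug 2005 20:22:16 GMT\r\n"
        "Server: Apache/2.0.54\r\nLast-Modified: Wed, 10 Aug 2005 04:05:47 GMT\r\n"
        "ETag: \"20095-2de2-3fdf365353cc0\"\r\nAccept-Ranges: bytes\r\n"
        "Content-Length: 11746\r\nCache-Control: max-age=86400\r\n"
        "Expires: Tue, 23 Aug 2005 20:22:16 GMT\r\nConnection: close\r\n"
        "Content-Type: text/html; charset=ISO-8859-1\r\n\r\n"),
    "IIS/5.1": (
        "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.1\r\n"
        "Date: Mon, 22 Aug 2005 20:24:07 GMT\r\nConnection: Keep-Alive\r\n"
        "Content-Length: 6278\r\nContent-Type: text/html\r\nCache-control: private\r\n\r\n"),
    "Sun-ONE/6.1": (
        "HTTP/1.1 200 OK\r\nServer: Sun-ONE-Web-Server/6.1\r\n"
        "Date: Mon, 22 Aug 2005 20:23:36 GMT\r\nContent-length: 2628\r\n"
        "Content-type: text/html\r\nLast-modified: Tue, 01 Apr 2003 20:47:57 GMT\r\n"
        "Accept-ranges: bytes\r\nConnection: close\r\n\r\n"),
    "IIS/6.0": (
        "HTTP/1.1 200 OK\r\nConnection: close\r\nDate: Mon, 22 Aug 2005 20:39:23 GMT\r\n"
        "Server: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\nX-AspNet-Version: 1.1.4322\r\n"
        "Cache-Control: private\r\nContent-Type: text/html; charset=utf-8\r\n"
        "Content-Length: 23756\r\n\r\n"),
}


def header_names(raw):
    """Header names in wire order with their exact capitalisation; values dropped,
    so per-request data (Date, Content-Length, ETag, ...) cannot skew the match."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if ":" in line]


def banner(raw):
    """The Server header value, i.e. what plain banner grabbing would report."""
    for line in raw.split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


# Signature database built from the quoted samples: header order + case per server.
KNOWN = {name: tuple(header_names(raw)) for name, raw in SAMPLES.items()}


def fingerprint(raw):
    """Best match by number of header names that agree position for position.

    A full match scores the length of the known signature (Apache: 10, Sun: 7).
    """
    sig = header_names(raw)
    best, best_score = None, -1
    for name, known in KNOWN.items():
        score = sum(1 for a, b in zip(sig, known) if a == b)
        if score > best_score:
            best, best_score = name, score
    return best, best_score


def banner_matches_order(raw):
    """Defender's check: does the Server banner agree with the header-order verdict?
    False means a masked banner is leaking the real software through header order."""
    guess, _ = fingerprint(raw)
    family = guess.split("/")[0].lower()          # 'apache', 'iis', 'sun-one'
    return family in (banner(raw) or "").lower()


if __name__ == "__main__":
    # Constructed: the Apache sample with only its Server header rewritten, as a
    # banner-masking module would do.
    masked = SAMPLES["Apache/2.0.x"].replace("Server: Apache/2.0.54",
                                             "Server: Microsoft-IIS/6.0")
    print("banner says:", banner(masked))
    print("header order says:", fingerprint(masked))
    print("banner consistent with order:", banner_matches_order(masked))
```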

All the methods above rely on connecting to the server, sending a command, waiting for the web server's response, and then analysing that response to draw a conclusion about the web server. A powerful tool for http fingerprinting is the httprint Tool. It can identify which web server software is running and is a formidable opponent for anti-banner-grabbing tools such as Server Mask and IIS Lockdown.

Demo
In this demo seamoun performs the techniques above and then uses the httprint tool to identify the web server.
