BackTrack 5 User Guide
Table of contents
Foreword
Part I: Information gathering and introduction to the VA tools
2. Vulnerability assessment
Covering tracks
Foreword
cutynhangheo dedicates this guide to the brothers of HCEGroup and TheGioiMang.OrG on the occasion of the reopening of those two beloved forums. And cutynhangheo has a few words to share with the brothers who are just getting into this art. In the art of hacking there is no such thing as laziness or standing still; you should take to heart that the moment we feel satisfied with what we have is the moment we start falling behind the world. In the art of hacking, knowledge, skill, reasoning, cunning and a little bit of luck always go together. So if we feel we have got everything we want, that is when we start losing it all. cutynhangheo also wants to say that this guide is only for reference and for practical attack testing (pentesting) in a lab environment, or in agencies and organizations that need to attack-test their own systems. The knowledge in this guide was collected by cutynhangheo from many sources on the Internet; sincere thanks to the authors and sources that cutynhangheo consulted.
Once again cutynhangheo repeats that this guide was translated and compiled by cutynhangheo and is provided to the brothers solely for study and research; cutynhangheo takes no responsibility if you use the knowledge, techniques and reasoning in this guide to break the laws of the Socialist Republic of Vietnam. cutynhangheo bears no legal responsibility for any impersonation or any use of the knowledge above.
Zenmap's scan modes give us information about the target such as the services running on each port, the target's operating system version, the route to the target, workgroups and user accounts. This information is genuinely useful for white box testing (and of course useful to an attacker too).
Other information-gathering tools in BackTrack 5 are CMS identification and IDS/IPS identification, used to gather information about and analyze web applications. CMS identification gives preliminary information about the target's CMS; this toolset can be used to assess vulnerabilities in the CMS, and most conveniently it comes with ready-made exploits that pentesters and attackers can test against the target system. Tools such as joomscan (for the Joomla CMS) are covered later in this guide.
Another interesting and extremely powerful tool is Maltego, which is often used for SMTP analysis. Figure 3 below shows Maltego in action.
Maltego's Palette panel shows information such as DNS Name, Domain, Location, URL, email and other details about the website. Maltego runs different transforms on the entities to give the pentester or attacker the detailed information they need about the target. Maltego presents the information gathered about the target as a visual result in a graphical interface.
2. Vulnerability assessment:
The second step of a practical pentest attack, once the first step has been completed successfully, is assessing the vulnerabilities (if any).
Once the target's organizational layout has been obtained through footprinting (cutynhangheo remembers reading somewhere that it is defined as "imprinting a footprint"), we move on to assessing and analyzing the weaknesses or vulnerabilities of the system we are going to attack. There are many security websites on the Internet today that provide lists of vulnerabilities that can be exploited, but in this guide series we will only focus on what BackTrack 5 provides.
Web application scans are used to assess and find vulnerabilities in web applications. Figure 4 below introduces the joomscan tool in BackTrack 5. Joomscan works by using the vulnerabilities provided in its resources to search for vulnerabilities in websites running on Joomla.
The <string> part is the Joomla website to be attacked. Joomscan comes with options such as checking the Joomla version, checking the server, checking whether a firewall is active, and so on. As Figure 4 shows, the target Joomla website is running on an Apache web server and the PHP version in use is 5.5.16.
OpenVAS (Open Vulnerability Assessment System) in BackTrack 5: open Application > Backtrack > Vulnerability scanners > OpenVAS and you get a list of options as in Figure 5 below.
For this exploitation walkthrough, you need a website vulnerable to cross-site scripting (XSS) with a URL redirection flaw. When the victim clicks a specific URL in the browser, the victim's system spawns a meterpreter shell. The URL redirection code is used as follows:
Figure 10: POST data captured by the Social-Engineer Toolkit framework from a fake Facebook login page.
Figure 11: The categories in BackTrack 5's privilege escalation toolset.
As Figure 11 shows, BackTrack 5 provides 4 categories of privilege escalation tools, each working in a different way (to understand all of these categories, cutynhangheo thinks you should try them and get a feel for them yourself).
4. The John the Ripper toolset:
Once the victim has been compromised (if you do not yet know how to get in, cutynhangheo suggests rereading cutynhangheo's SET and MSF user guides for the details; it is too tiring to explain it again in this guide), crackers commonly use the John the Ripper toolset to crack Windows password hashes, and then use the results to escalate privileges and obtain administrative rights on the system.
After exploiting the vulnerability, these password hashes are dumped into a text file and fed to John the Ripper. John the Ripper is a very powerful toolset for cracking password hashes. Figures 12 and 13 below show the process of cracking password hashes as part of privilege escalation on a Windows system. The attack in the demo can use either of two toolsets, Metasploit Framework or the Social-Engineer Toolkit.
Figure 12: Dumping password hashes with the hashdump tool; the result is written to a text file that is fed to John the Ripper for cracking.
As the figure below shows, John the Ripper lists the victim system's accounts and passwords in its own format.
With the passwords above, escalating privileges on the victim system is now really quite simple, isn't it. In the protocol analysis toolset we have WireShark, which ranks first among the tools for analyzing traffic flows on a network. cutynhangheo will try to finish a book on the WireShark toolset for you as soon as possible.
This is evidence of how far BackTrack 5 has developed. A smart and cunning attacker can take full advantage of these toolsets, and can combine them to diversify and maximize the attacker's benefit. In this guide cutynhangheo wants to stress once more that the most important part of a simulated attack is the use of privilege escalation tools. In the next guide cutynhangheo will give you a few more privilege escalation techniques (to learn more there is no substitute for diligence, patient reading and searching Professor Google).
In this guide, as Figure 17 shows, you can see the Hashcat usage syntax with a clear note for each option. The options are categorized as follows:
3.1.
3.2.
3.3.
3.4.
This tool scans the victim's entire website using the command shown above in the console. The full path of the tool in BackTrack 5 is /pentest/web/DarkMySQLi.
6. The surprising truth behind the so-called automated exploitation tools:
Today many vendors sell automated pentest products with pitches like Cheaper, Faster and More Accurate. With limited budget and time, these vendors are naturally the first choice. But we need an overall view of automated pentest tools: they give people a wrong view of security, they narrow the gap, and they do not require you to have IT knowledge or a security policy. Everyone needs an objective evaluation of the strengths and weaknesses of each of the two approaches cutynhangheo introduced above, and it also has to be based on the real needs of the agency or organization.
In this guide we briefly introduced web exploitation frameworks, stealing browser information with third-party toolsets, and uploading programs to the victim's system. In the upcoming guides cutynhangheo will introduce other aspects of information security, forensics and reverse engineering.
Part IV: How to stay hidden
In the previous guides we briefly introduced methods of gathering information about and assessing the vulnerabilities of the target system, analyzing the network, scanning and gaining access to the target, and some privilege escalation tools. In this part we look at how to stay hidden.
1. Why stay hidden?
The purpose of a pentest is to replicate the actions of attackers who use malicious code. No attacker wants to be detected while breaking into a network, so attackers always use stealth techniques. When a pentester carries out an intrusion they must use the same stealth techniques, so that the system is assessed as honestly as possible.
Figure 19: Running Cymothoa against pid 1484, listening on port 100
Once we have injected the shellcode, we can use netstat -l to show whether port 100 is being listened on; Figure 21 shows the result after injecting shellcode number 0 into process 1484. So we can see that we can run Cymothoa on any system, infect any service port of the system, and maintain access to the system at any time. The victim will be unaware of the backdoor's existence unless they notice or suspect something unusual on their system.
To get a process id in BackTrack 5 we use the ps aux command in the Cymothoa shell environment.
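From the defender's side, the same netstat -l view is the cheapest way to catch the listener described above: an existing, legitimate process suddenly owning a socket that the host's baseline does not account for. The script below is an added example, not part of the original guide; it parses Linux netstat -tlnp style output and reports every LISTEN socket whose (port, program) pair is missing from a known-good baseline. Port 100 and pid 1484 follow the scenario in the text; the program names, the baseline and the sample output are constructed assumptions.

```python
"""Flag listening sockets that are missing from a known-good baseline.

Added example (not part of the original guide). Parses Linux `netstat -tlnp`
output and reports every LISTEN socket whose (port, program) pair is not in the
host's baseline. Port 100 and pid 1484 follow the scenario in the text; the
program names and the rest of the sample output are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample of `netstat -tlnp` output, not a capture from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      640/cupsd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1484/apache2
tcp        0      0 0.0.0.0:100             0.0.0.0:*               LISTEN      1484/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
"""

# What this host is expected to have listening, as (port, program name).
# Assumed baseline; in practice it is recorded from a clean build of the host.
BASELINE: Set[Tuple[int, str]] = {(22, "sshd"), (631, "cupsd"), (80, "apache2")}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: Optional[int]  # None when netstat prints "-" (not run as root)
    program: str


# One data row of `netstat -tlnp`: proto, queues, local addr:port, foreign, LISTEN, pid/program
ROW_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<pidprog>\S+)\s*$"
)


def parse_netstat(text: str) -> List[Listener]:
    """Return the Listener rows found in netstat output; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        pidprog = m.group("pidprog")
        if pidprog == "-":
            pid, program = None, "?"
        else:
            pid_str, _, program = pidprog.partition("/")
            pid = int(pid_str)
        rows.append(Listener(m.group("proto"), m.group("addr"), int(m.group("port")), pid, program))
    return rows


def find_unexpected(listeners: List[Listener], baseline: Set[Tuple[int, str]]) -> List[Tuple[Listener, str]]:
    """Return (listener, reason) pairs for sockets whose (port, program) is not in the baseline.

    A known program on a port it is not supposed to own is called out separately,
    because a backdoor injected into a running service shows up exactly that way:
    the legitimate pid gains an extra socket.
    """
    known_programs = {prog for _, prog in baseline}
    findings = []
    for l in listeners:
        if (l.port, l.program) in baseline:
            continue
        if l.program in known_programs:
            reason = f"known program {l.program} (pid {l.pid}) listening on unexpected port {l.port}"
        else:
            reason = f"unknown program {l.program} (pid {l.pid}) listening on port {l.port}"
        findings.append((l, reason))
    return findings


if __name__ == "__main__":
    for listener, reason in find_unexpected(parse_netstat(SAMPLE_NETSTAT), BASELINE):
        print(f"ALERT {listener.proto} {listener.addr}:{listener.port} -> {reason}")
```

Run it against the output of netstat -tlnp on the host being checked; the baseline has to come from a known-clean build of that host, otherwise an already-backdoored port would simply be baselined in. On the sample above the only finding is pid 1484 (apache2) on port 100, which is the pattern the Cymothoa scenario in the text leaves behind.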
As Figure 25 shows, Autoscan Network 1.5 is a toolset that scans the network's structure; it lists all IP addresses in use, with details of the hostnames, users and operating systems active on the network.
As in the guides above, you can use Nmap for this job too. Before carrying out the attack, we perform the vulnerability analysis step on the target.
Suppose our target has IP address 192.168.13.129 and runs Windows 2000 Server; we can use Nessus or OpenVAS to check this operating system for vulnerabilities. However, in this guide cutynhangheo wants you to check for vulnerabilities manually.
2. Online vulnerability resources:
3. Pentesting the target:
In this guide cutynhangheo uses the RPC DCOM port vulnerability in Windows 2000 Server, which allows remote code execution by overflowing the system's buffer. From the Metasploit guide we already know how to exploit vulnerabilities on a target. It spawns a meterpreter shell on the Windows 2000 Server system with IP 192.168.13.129, as in Figure 27 below. BackTrack 5 also provides toolsets such as SET that can be used to break into a system.
Once we are inside the system, we can gather detailed information about it. Here are a few important commands for doing so:
3.1. Hashdump: this command dumps the target system's password hashes (NT/LM); the information is used to crack the passwords and then escalate privileges on the target system.
3.2. Sysinfo: this command gathers detailed information about the target system such as the operating system, vendor, admin name and much more.
4. Covering tracks:
This part covers removing the traces of the attack on the target system. Simply put, the clearev command wipes the system's event logs, leaving no trace of the unauthorized access.
Figure 28: Clearev
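What a wipe like clearev leaves behind is worth knowing from the defender's side: clearing the Windows Security log writes event 1102 ("The audit log was cleared") as the first record of the fresh log, and clearing the System or Application log writes event 104 to the System log; those records survive the clear, and several of them within seconds of each other by one account is the signature of a scripted wipe rather than routine maintenance. The script below is an added example, not part of the original guide; the event records are constructed (not exported from a real host) and their field layout, one dict per event, is an assumption.

```python
"""Detect event-log clearing in a batch of Windows event records.

Added example (not part of the original guide). Security event 1102 and System
event 104 are the documented Windows records written when a log is cleared.
The records below are constructed, not exported from a real host, and the
dict-per-event layout is an assumption about the export format.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# (channel, event id) -> meaning. Event 104 names the cleared log in its message;
# that name is carried here in the constructed "log" field.
CLEAR_SIGNATURES = {
    ("Security", 1102): "Security (audit) log cleared",
    ("System", 104): "non-security log cleared",
}

# Constructed sample export, deliberately not in time order.
SAMPLE_EVENTS = [
    {"channel": "Security", "id": 4624, "time": "2012-04-10T09:14:02", "user": "alice"},
    {"channel": "Security", "id": 4672, "time": "2012-04-10T09:14:02", "user": "alice"},
    {"channel": "Security", "id": 1102, "time": "2012-04-10T09:31:45", "user": "alice"},
    {"channel": "System", "id": 104, "time": "2012-04-10T09:31:46", "user": "alice", "log": "System"},
    {"channel": "System", "id": 104, "time": "2012-04-10T09:31:47", "user": "alice", "log": "Application"},
    {"channel": "Security", "id": 4624, "time": "2012-04-10T09:45:10", "user": "bob"},
    # A lone clear a week earlier by the service account: routine, not a wipe.
    {"channel": "System", "id": 104, "time": "2012-04-03T02:00:00", "user": "SYSTEM", "log": "Application"},
]


def find_clear_events(events: List[Dict]) -> List[Dict]:
    """Return one finding per log-clearing record, oldest first."""
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["channel"], e["id"])
        if key in CLEAR_SIGNATURES:
            hits.append({
                "time": e["time"],
                "user": e["user"],
                "cleared": e.get("log", e["channel"]),
                "what": CLEAR_SIGNATURES[key],
            })
    return hits


def group_bulk_clears(hits: List[Dict], window: timedelta = timedelta(seconds=60)) -> List[List[Dict]]:
    """Group clear findings that start within `window` of each other; keep groups of two or more.

    One cleared log may be maintenance; several logs cleared within a minute is
    the pattern a scripted wipe of Application, System and Security leaves.
    """
    groups: List[List[Dict]] = []
    for h in hits:
        t = datetime.fromisoformat(h["time"])
        if groups and t - datetime.fromisoformat(groups[-1][0]["time"]) <= window:
            groups[-1].append(h)
        else:
            groups.append([h])
    return [g for g in groups if len(g) > 1]


if __name__ == "__main__":
    findings = find_clear_events(SAMPLE_EVENTS)
    for h in findings:
        print(f"{h['time']} {h['user']:8} {h['what']} ({h['cleared']})")
    for burst in group_bulk_clears(findings):
        users = ", ".join(sorted({h["user"] for h in burst}))
        print(f"BULK CLEAR: {len(burst)} logs cleared within a minute by {users}")
```

The check only works if the records reach the analyst: forward the Security and System logs to a collector as they are written, so that a clear on the host removes the host's copy but not the forwarded one, and alert on 1102/104 at the collector rather than on the host.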