Hacking Exposed, 6th Ed. (Chinese edition: 黑客大曝光 第6版)
Google
Google
Spartan IPO Google IT
Google
Google
Linux Google
Google
Google
Google
Google
Google BotGoogle Google Bot
Google Bot
Joe Hacker
www.google.com
VNC Server
VNC Server
Joe Hacker
Google Microsoft FrontPage
filetype:pwd service
Results 1 - 10 of about 173 for filetype:pwd service. (0.28 seconds)
Joe Hacker
UNIX
# -FrontPage-
ekendall:bYld1Sr73NLKo
louisa:5zm94d7cdDFiQ
FrontPage
Joe Joe
Joe Hacker Web
filetype:bak inurl:"htaccess|passwd|shadow|htusers"
Results 1 - 10 of about 59 for filetype:bak inurl:"htaccess|passwd|shadow|htusers". (0.18 seconds)
Joe Hacker
shadow UNIX
Joe
Google Joe
filetype:properties inurl:db intext:password
Results 1 - 10 of about 854 for filetype:properties inurl:db intext:password. (0.21 seconds)
Joe
drivers=sun.jdbc.odbc.JdbcOdbcDriver jdbc.idbDriver
logfile=D:\\user\\src\\java\\DBConnectionManager\\log.txt
idb.url=jdbc:idb:c:\\local\\javawebserver1.1\\db\\db.prp
idb.maxconn=2
access.url=jdbc:odbc:demo
access.user=demo
access.password=demopw
Joe
Joe .edu
Joe
100 PDF
Joe Hacker
Google
This file was generated by Nessus
Results 1 - 10 of about 75,300 for This file was generated by Nessus. (0.20 seconds)
Nessus
Joe Hacker Nessus
Joe Hacker
Joe Hacker Joe
Nessus
41
62
footprinting
footprint
/profile
footprinting
1.1
XYZ
IP
intranet, extranet
1.1
IP
TCP UDP
SPARC X86
DNS
IP, IPX, DecNET
IP
TCP UDP
SPARC X86
access control list (ACL)
intrusion detection system (IDS)
SNMP
1.1
1.2
1.2.1 1
1.2.2 2
OSI 7
OSI 8
9
IP
1.2.3 3
Web
9
9
2
Web
Usenet
Web
Web
Web
Web
HTML <!
HTML Web
Web UNIX
Wget (http://www.gnu.org/software/wget/wget.html) Windows Teleport Pro (http://www.tenmax.com)
www
Web
Microsoft Outlook Web Access
Microsoft Exchange URL
http://owa.company.com, http://outlook.company.com
AS/400
OpenConnect (http://www.openconnect.com) Web
OpenConnect Java 3270
Web
/ AS/400
VPN
http://vpn.company.com http://www.company.com/vpn
company VPN
VPN VPN
VPN
Web
http://www.keyhole.com
Google
1-1 http://terraserver.microsoft.com
1-1 http://www.keyhole.com
http://www.phonenumber.com, http://www.411.com, http://www.yellowpages.com
John Smith
jsmith, johnsmith, smithj jsmith@company.com
http://www.crimetime.com/online.htm http://www.peoplesearch.com
IDS, IPS
1-2 SEC
/
/
http://www.archive.org WayBack Machine 1-3
1-4
1
Google cached results
http://www.yahoo.com
http://www.f**ckedcompany.com
http://www.internalmemo.com
Google
link:www.company.com Google
Usenet
http://www.google.com, http://search.yahoo.com, http://www.altavista.com
http://www.dogpile.com
Google
http://johnny.ihackstuff.com Johnny Long
Google Hacking Database (GHDB) Google
GHDB
http://www.foundstone.com
Wikto (http://www.sensepost.com/research/wikto) Roelof
Google
Web SiteDigger 1-5
GHDB Foundstone
SiteDigger
GHDB / Foundstone
Usenet
IT Usenet Google Usenet
Web Google
pix firewall config help
Cisco PIX 1-6
@company.com
1-6 Google
IT
IT
http://www.monster.com http://www.careerbuilder.com
9
9
5
IP
ICANN 1998 10
ICANN Internet Assigned Numbers Authority (IANA, http://www.iana.org)
IANA ICANN
ICANN
IP
DNS ICANN
ICANN
ICANN
ICANN
/CEO
ICANN
1-7 ICANN
ICANN
Address Supporting Organization (ASO)
http://www.aso.icann.org
Generic Name Supporting Organization (GNSO)
http://www.gnso.icann.org
Country Code Domain Name Supporting Organization (CNNSO)
http://www.cnnso.icann.org
ASO IP ICANN
ASO IP
Regional Internet Registry (RIR) 1-8
RIR IP Internet service provider (ISP)
National Internet Registry (NIR)
Local Internet Registry (LIR)
APNIC (http://www.apnic.net)
ARIN (http://www.arin.net)
LACNIC (http://www.lacnic.net)
RIPE (http://www.ripe.net)
AfriNIC (http://www.afrinic.net)
ARIN RIPE AfriNIC
ICANN 1-9
GNSO .com.net.edu.org .info
http://www.iana.org/gtld/gtld.htm
http://www.iana.org/assignments/ipv4-address-space IPv4
http://www.iana.org/ipaddress/ip-addresses.htm IP
http://www.rfc-editor.org/rfc/rfc3330.txt IP
http://www.iana.org/assignments/port-numbers
http://www.iana.org/assignments/protocol-numbers
WHOIS WHOIS
.mil .gov
IP
osborne.com IP IP BGP
keyhole.com
WHOIS
TLD (top-level domain)
Registry, Registrar, Registrant
R WHOIS
R
WHOIS
WHOIS
ICANN
ICANN, IANA TLD WHOIS
WHOIS
TCP 43 Web WHOIS
Web
Web WHOIS
http://whois.iana.org .com 1-11
.com Verisign Global Registry Services (http://www.verisigngrs.com) Verisign Global Registry Services 1-12
keyhole.com http://www.markmonitor.com
1-13 Web
WHOIS keyhole.com
1-11 http://whois.iana.org
1-13 keyhole.com
keyhole.com
DNS IP
WHOIS
http://www.allwhois.com
http://www.uwhois.com
http://www.internic.net/whois.html
GUI
SamSpade (http://www.samspade.com)
SuperScan (http://www.foundstone.com)
NetScan Tools Pro (http://www.nwpsw.com)
WHOIS WHOIS
DNS
WHOIS
WHOIS
WHOIS
IP
IP
IP ICANN ASO RIR
IP 61.0.0.2 IP
ARIN (http://www.arin.net) IP ARIN
WHOIS 1-14 IP
APNIC APNIC 1-15
IP National Internet Backbone
IP
IP IP
IP
RIR WHOIS
IP BGP http://www.arin.net
Google Google IP AS AS 15169
1-16
Tool             Platform                 Location
Whois            Web                      http://whois.iana.org, http://www.arin.net, http://www.allwhois.com
whois            UNIX
Fwhois           UNIX                     Chris Cappuccio (ccappuc@santefe.edu)
WS_Ping ProPack  Windows 95/NT/2000/XP    http://www.ipswitch.com/
Sam Spade        Windows 95/NT/2000/XP    http://www.samspade.org/ssw
Sam Spade Web    Web                      http://www.samspade.org/
Netscan          Windows 95/NT/2000/XP    http://www.netscantools.com/nstpromain.html
Xwhois           UNIX (X, GTK+ GUI)       http://c64.org/~nr/xwhois/
Jwhois           UNIX                     http://www.gnu.org/software/jwhois/jwhois.html
1-2 WHOIS
administrative contact
WHOIS WHOIS
5
WHOIS DNS
DNS DNS
Network Solutions
Network Solutions Guardian
FROM
PGP (Pretty Good Privacy) FROM
domain hijacking 1998 10
16 AOL AOL
AOL AOL autonete.net
AOL
PGP
Network Solutions
Contact Form
1.2.5 5DNS
DNS DNS IP
IP DNS
9
9
3
DNS zone transfer
zone
DNS
DNS
DNS DNS
zone
/ DNS
DNS DNS IP
IP
nslookup nslookup
DNS ISP DNS
DNS 10.10.20.2 IP
DNS DNS
nslookup DNS
Tellurian Networks DNS 216.182.1.1 whois
any DNS
man nslookup
ls -d
.
/tmp/zone_out
Tellurian Network
A IP
HINFO RFC 952 HINFO
grep, sed, awk UNIX Perl
388 Solaris
96 test
Tellurian.net greenhouse.Tellurian.net
DNS
DNS
host, Sam Spade, axfr, dig
UNIX host host
host -l tellurian.net
IP shell IP
host
host -l tellurian.net |cut -f 4 -d" " >> /tmp/ip_out
Gaius axfr
http://packetstormsecurity.nl/groups/ADM/axfr-0.5.2.tar.gz
axfr
[bash]$ axfr tellurian.net
axfr: Using default directory: /root/axfrdb
Found 2 name servers for domain tellurian.net.:
Text deleted.
Received XXX answers (XXX records).
axfr
[bash] $ axfrcat tellurian.net
MX
host
DNS
DNS
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/optimize/c19w2kad.mspx
53 TCP UDP
TCP RFC
RFC 512 DNS
TCP DNS 512
transaction signature (TSIG) DNS
Bind 9 TSIG
http://www.linux-mag.com/2001-11/bind9_01.html
IP
IP
16,000 IP
HINFO
HINFO
1.2.6 6
traceroute
9
9
2
UNIX Windows NT
traceroute ftp://ftp.ee.lbl.gov/traceroute.tar.gz Windows
8.3 tracert
10 10
Cisco 7500
ACL
traceroute ACL traceroute
traceroute
traceroute
traceroute traceroute
UDP
UDP 53 DNS traceroute
4
UDP 53
UDP 53 ICMP
IP
traceroute
1.3
63
1 whois ARIN IP
IP
IP DNS
ping
DNS IP
10.10.10.0 IP IP
2.1
IP
ping
ping ICMP ECHO 8
ICMP ECHO_REPLY 0
ping
A
ping
10
9
3
ping
ping ICMP Internet Control
Message Protocol ICMP
ICMP TCP
UDP
UNIX Windows ICMP ping
fping (http://packetstorm.securify.com/Exploit_Code__Archive/fping.tar.gz) UNIX
ping ping
fping
ping fping IP ping
fping stdin IP
fping
IP
192.168.51.1
192.168.51.2
192.168.51.3
...
192.168.51.253
192.168.51.254
-f
[root]$ fping -a -f in.txt
192.168.1.254 is alive
192.168.1.227 is alive
192.168.1.224 is alive
...
192.168.1.3 is alive
192.168.1.2 is alive
192.168.1.1 is alive
192.168.1.190 is alive
fping -a
-d fping -a
shell -d ping
-f fping fping
fping -h Fyodor nmap
http://www.insecure.org/nmap ping
nmap -sP
ping
[root] nmap -sP 192.168.1.0/24
Starting nmap V. 3.70 ( www.insecure.org/nmap/ ) by fyodor@insecure.org
4 - Source Quench
5 - Redirect
8 - Echo
11 - Times Exceeded
12 - Parameter Problem
13 - Timestamp
14 - Timestamp Reply
15 - Information Request
16 - Information Reply
ICMP
ICMP ICMP
ICMP
ICMP ICMP
ping
IP
Windows SuperScan
SuperScan ICMP TCP/UDP
TCP/UDP
ICMP 2-2
Host (192.168.1.101) appears to be up.
Host (192.168.1.102) appears to be up.
Host (192.168.1.255) appears to be up.
Nmap run completed (10 hosts up) scanned in 5 seconds
ICMP
SMTP (25), POP (110), IMAP (143), AUTH (113)
http://www.hping.org hping2 UNIX TCP
ping nmap TCP hping2 UDPTCP
Raw IP hping2
hping2
flags=SA hping2
TCP SYN (S) TCP ACK (A) hping2 -cN shell -cN hping2
N hping2
ICMP ping
hping2 9 hping2
Simple Nomad icmpenum http://www.nmrc.org/files/sunix
icmpenum -s -p
ICMP
C 255
IP
ping
ping
ping
ping
ping
ping Snort (www.snort.org)
IDS (intrusion detection system)
UNIX ping
ICMP ECHO
Cisco, Check Point, Microsoft, McAfee, Symantec, ISS ICMP TCP
UDP ping ping
Scanlogd   http://www.openwall.com/scanlogd
Courtney   http://packetstormsecurity.org/UNIX/audit/courtney-1.3.tar.Z
Ippl       http://pltplp.net/ippl
Protolog   http://packetstormsecurity.org/UNIX/loggers/protolog-1.0.8.tar.gz
ping
ICMP ICMP
ECHO ECHO_REPLY
ICMP
ICMP
ICMP
ICMP ICMP
ECHO_REPLY, HOST_UNREACHABLE, TIME_EXCEEDED DMZ
access control list (ACL)
ICMP ISP IP
ISP
ICMP
ICMP
ICMP
denial of service
loki
ICMP ECHO loki Phrack
Magazine 1997 9 1 7 51 06 http://phrack.org/show.php?p=51&a=6
Tom Ptacek Mike Schiffman Linux pingd
pingd ICMP ECHO ICMP ECHO_REPLY
ICMP ECHO
ICMP pingd
ping Linux pingd
http://packetstormsecurity.org/UNIX/misc/pingd-0.5.1tgz
ICMP
2
9
5
icmpquery
icmpquery <-query> [-B] [-f fromhost] [-d delay] [-T time] targets
where <query> is one of:
-t : icmp timestamp request (default)
-m : icmp address mask request
The delay is in microseconds to sleep between packets.
targets is a list of hostnames or addresses
-T specifies the number of seconds to wait for a host to
respond. The default is 5.
-B specifies 'broadcast' mode. icmpquery will wait
for timeout seconds and print all responses.
If you're on a modem, you may wish to use a larger -d and -T
icmpquery
[root] icmpquery -t 192.168.1.1
192.168.1.1 : 11:36:19
icmpquery
[root] icmpquery -m 192.168.1.1
192.168.1.1 : 0xFFFFFFE0
2.2
ICMP TCP ping
ICMP
10
9
9
TCP UDP
LISTENING
TCP UDP
2.2.1
Fyodor nmap
Fyodor
TCP
SYN, SYN/ACK, ACK TCP RFC (Request for Comment)
2-3 TCP
TCP
1 SYN
2 SYN/ACK
3 ACK
UDP UDP
ICMP port unreachable ICMP
UDP
UDP UDP
IP
RST (reset)
TCP SYN TCP
strobe
Julian Assange strobe ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/strobe-1.06.tgz TCP
TCP strobe
strobe 1.04
3
strobe TCP
[root] strobe 192.168.1.10
strobe 1.03 (c) 1995 Julian Assange (proff@suburbia.net).
192.168.1.10  echo
192.168.1.10  discard
192.168.1.10  sunrpc
192.168.1.10  daytime
192.168.1.10  chargen
192.168.1.10  ftp       [Control] [96,JBP]
192.168.1.10  exec
192.168.1.10  login
192.168.1.10  cmd
192.168.1.10  ssh
192.168.1.10  telnet
192.168.1.10  smtp
192.168.1.10  nfs
192.168.1.10  lockd
192.168.1.10  unknown
192.168.1.10  unknown
192.168.1.10  unknown
192.168.1.10  unknown
192.168.1.10  unknown
udp_scan
udp_scan strobe TCP udp_scan
Dan Farmer Wietse Venema 1995 SATAN (Security Administrator Tool for Analyzing Networks)
SATAN
http://wwdsilx.wwdsi.com SATAN SAINT
UDP udp_scan UDP
udp_scan
IDS
udp_scan 1024
1024
[root] udp_scan 192.168.1.1 1-1024
42:UNKNOWN:
53:UNKNOWN:
123:UNKNOWN:
135:UNKNOWN:
netcat
Hobbit (hobbit@avian.org) netcat nc
nc TCP UDP
nc -v / -vv
-z (zero mode I/O) -w2
nc TCP UDP
-u
[root] nc -v -z -w2 192.168.1.1 1-140
[192.168.1.1]
[192.168.1.1]
[192.168.1.1]
[192.168.1.1]
[192.168.1.1]
[192.168.1.1]
[192.168.1.1]
[192.168.1.1]
[192.168.1.1]
[192.168.1.1]
[192.168.1.1]
Network Mappernmap
UNIX
nmaphttp://www.insecure.org/nmap Fyodor nmap
TCP UDP
[root]# nmap -h
nmap V. 3.70 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
-sT TCP connect() port scan (default)
* -sS TCP SYN stealth port scan (best all-around TCP scan)
* -sU UDP port scan
-sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
-sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
-p <range> ports to scan. Example range: '1-1024,1080,6666,31337'
-F Only scans ports listed in nmap-services
-v Verbose. Its use is recommended. Use twice for greater effect.
-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
-oN/-oM <logfile> Output normal/machine parsable scan logs to <logfile>
-iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
--interactive Go into interactive mode (then press h for help)
[root] nmap -sS 192.168.1.1
Starting nmap V. 3.70 by fyodor@insecure.org
Interesting ports on (192.168.1.11):
(The 1504 ports scanned but not shown below are in state: closed)
Port    State   Protocol  Service
21      open    tcp       ftp
25      open    tcp       smtp
42      open    tcp       nameserver
53      open    tcp       domain
79      open    tcp       finger
80      open    tcp       http
81      open    tcp       hosts2-ns
106     open    tcp       pop3pw
110     open    tcp       pop-3
135     open    tcp       loc-srv
139     open    tcp       netbios-ssn
443     open    tcp       https
nmap nmap
nmap
CIDR (Classless Inter-Domain Routing)
http://www.ietf.org/rfc/rfc1519.txt RFC 1519
192.168.1.1~ 192.168.1.254 -o
-oN
2
[root]#
tab
-oM
-oN-oM
nmap -f TCP
IDS
IP
nmap -D
SYN
-D
[root] nmap -sS 192.168.1.1 -D 10.1.1.1,www.target_web.com,ME -p25,139,443
Starting nmap V. 3.70 by fyodor@insecure.org
Interesting ports on (192.168.1.1):
Port    State   Protocol  Service
25      open    tcp       smtp
443     open    tcp       https
nmap
[root] nmap -I 192.168.1.10
Starting nmap V. 3.70 by fyodor@insecure.org
Port    State   Protocol  Service   Owner
22      open    tcp       ssh       root
25      open    tcp       smtp      root
80      open    tcp       http      root
110     open    tcp       pop-3     root
113     open    tcp       auth      root
6000    open    tcp       X11       root
Web root, nobody
ident HTTP
root
FTP bounce scanning FTP
Hobbit 1995 Bugtraq
http://www.securityfocus.com/templates/archive.pike?list=1&msg=199507120620.CAA18176@narq.avian.org
Hobbit FTP http://www.ietf.org/rfc/rfc0959.txt
RFC 959 FTP FTP
proxy FTP Hobbit
FTP
FTP
nmap -b FTP
/incoming FTP nmap PORT
FTP
FTP
UNIX UNIX
Solaris Solaris RPC 3277X
Solaris
TCP UDP
Windows NT 139
4 Windows NT 139
UNIX
RPCNFS
UNIX 5
2.2.3 Windows
UNIX Windows
SuperScan
Foundstone
SuperScan (http://www.foundstone.com)
Windows
SuperScan TCP UDP
2-4
ping TCP UDP
2-4 SuperScan
SuperScan Echo Requests, Timestamp Requests,
Address Mask Requests, Information Requests ICMP
Data, Data+ICMP
UDP SYN TCP
TCP
UDP Data UDP
UDP
Data+ICMP Data
UDP SuperScan
Data+ICMP UDP
ICMP
SuperScan 4 CPU/
IP
SuperScan 4 Tool 2-5
/IP Ping (ICMP), HTTP HEAD Request, HTTP GET Request, HTTPS GET Request, Whois, CRSNIC Whois, IP ARIN
2-5 SuperScan
WinScan
Prosolve Sean Mathias WinScan (http://www.prosolve.com)
TCP winscan.exe, scan.exe
C
Mortice Kern Systems (http://www.mks.com) strings, tee, tr
Win32 Windows 0~1023
IP
scan.exe -n 192.168.7.0 -s 0 -e 1023 -f | strings | findstr /c:"/tcp" | tr \011\040 : | tr -s : : | tee -ia results.txt
scan.exe -f
192.168.22.5:nbsession:139/tcp
192.168.22.16:nbsession:139/tcp
192.168.22.32:nbsession:139/tcp
ipEye
Linux nmap
Arne Vidstrom ipEye (http://ntsecurity.nu) Windows
SYN, FIN, Xmas Windows
2000 ipEye SYN
TCP 20 nmap
-g
C:\>ipeye.exe 192.168.234.110 -syn -p 1 1023 -sp 20
ipEye 1.1 - (c) 2000, Arne Vidstrom (arne.vidstrom@ntsecurity.nu)
- http://ntsecurity.nu/toolbox/ipeye/
1-52 [closed or reject]
53 [open]
54-87 [closed or reject]
88 [open]
89-134 [closed or reject]
135 [open]
136-138 [closed or reject]
139 [open]
...
636 [open]
637-1023 [closed or reject]
1024-65535 [not scanned]
IP
NAT (Network Address Translation)
WUPS
WUPS (Windows UDP Port Scanner) Windows UDP Arne Vidstrom (http://ntsecurity.nu) WUPS
UDP WUPS
2-6
ScanLine
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
sl [-?bhijnprsTUvz]
[-cdgmq ]
[-flLoO <file>]
[-tu [, - ]]
IP[,IP-IP]
-? - Shows this help text
-b - Get port banners
-c - Timeout for TCP and UDP attempts (ms). Default is 4000
-d - Delay between scans (ms). Default is 0
-f - Read IPs from file. Use "stdin" for stdin
-g - Bind to given local port
-h - Hide results for systems with no open ports
-i - For pinging use ICMP Timestamp Requests in addition to Echo
Requests
-j - Don't output "-----..." separator between IPs
-l - Read TCP ports from file
-L - Read UDP ports from file
-m - Bind to given local interface IP
-n - No port scanning - only pinging (unless you use -p)
-o - Output file (overwrite)
-O - Output file (append)
-p - Do not ping hosts before scanning
-q - Timeout for pings (ms). Default is 2000
-r - Resolve IP addresses to hostnames
-s - Output in comma separated format (csv)
-t - TCP port(s) to scan (a comma separated list of ports/ranges)
-T - Use internal list of TCP ports
-u - UDP port(s) to scan (a comma separated list of ports/ranges)
-U - Use internal list of UDP ports
-v - Verbose mode
-z - Randomize IP and port scan order
Example: sl -bht 80,100-200,443 10.0.0.1-200
This example would scan TCP ports 80, 100, 101...200 and 443 on all IP
addresses from 10.0.0.1 to 10.0.1.200 inclusive, grabbing banners
from those ports and hiding hosts that had no open ports.
2.2.4
2-2
Tool       TCP  UDP  Location
UNIX
strobe     X         ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/strobe-1.06.tgz
tcp_scan   X         http://wwdsilx.wwdsi.com/saint
udp_scan        X    http://wwdsilx.wwdsi.com/saint
nmap       X    X    http://www.insecure.org/nmap
netcat     X    X    http://packetstorm.securify.com/UNIX/utilities/nc110.tgz
Windows
netcat     X    X*   http://www.atstake.com/research/tools/nc11nt.zip
SuperScan  X         http://members.home.com/rkeir/software.html
WinScan    X         http://www.prosolve.com
ipEye      X         http://ntsecurity.nu
WUPS            X    http://ntsecurity.nu
ScanLine   X    X    http://www.foundstone.com
* Windows netcat UDP
2-2
TCP UDP
Snort IDS
Snort (www.snort.org) IDS Snort
NIDS
Snort 1.x Snort
PortSentry
Linux 2.2.x portsentry.conf
IP Solar Designer
http://www.openwall.com/scanlogd/P53-13.gz
SYN FIN
Lance Spitzner (http://www.enteract.com/~lspitz/intrusion.html) Firewall-1
alert.sh Firewall-1
IP DNS
UNIX
/etc/inetd.conf
UNIX 5
Windows Windows
Windows TCP 139 445
Control Panel | Services |
4 Windows
2.3
TCP UDP
10
8
4
IT
3
FTP, telnet, SMTP, HTTP, POP
nmap
queso
2.3.1
nmap queso
stack fingerprinting
IP
RFC
nmap
Fyodor Phrack Magazine
http://www.insecure.org/nmap/nmapfingerprinting-article.html
TCP
TCP/IP
ACK IP ACK
1
ICMP
RFC 1812
http://www.ietf.org/rfc/rfc1812.txt ICMP
UDP
UDP
ICMP ICMP
ICMP
ICMP / ICMP
IP IP
TCP
nmap -O ICMP
nmap -O
nmap
No ports open for host (10.10.10.10)
Remote OS guesses: Linux 2.0.27 - 2.0.30, Linux 2.0.32-34, Linux 2.0.35-36,
Linux 2.1.24 PowerPC, Linux 2.1.76, Linux 2.1.91 - 2.1.103,
Linux 2.1.122 - 2.1.132; 2.2.0-pre1 - 2.2.2, Linux 2.2.0-pre6 2.2.2-ac5
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
nmap
Linux
nmap nmap-os-fingerprints
nmap
nmap TCP
nmap
Fyodor nmap
queso
http://packetstormsecurity.org/UNIX/scanners/queso-980922.tar.gz queso
80 80
queso 25
[root] queso 10.10.10.20:25
10.10.10.20:25
* Windoze 95/98/NT
nmap queso
SYN
FreeBSD 4.x
TCP_DROP_SYNFIN nmap
SYN+FIN OS
RFC 1644 TCP Extensions for Transactions TCP
5
6
4
nmap queso
IDS
2.3.2
TCP/IP
Lance Spitzner
http://project.honeynet.org Marshall Beddoe Chris Abad siphon
http://packetstormsecurity.org/UNIX/utilities/siphon-v.666.tar.gz
TCP/IP
TTL (Time-To-Live)
Window size
DF (Don't Fragment) TCP/IP
siphon
shadow (192.168.1.10)
quake (192.168.1.11) telnet siphon
Snort telnet
06/04-11:23:48.297976 192.168.1.11:23 -> 192.168.1.10:2295
TCP TTL:255 TOS:0x0 ID:58934 DF
**S***A* Seq: 0xD3B709A4 Ack: 0xBE09B2B7 Win: 0x2798
TCP Options => NOP NOP TS: 9688775 9682347 NOP WS: 0 MSS: 1460
TCP/IP
TTL = 255
Window Size = 0x2798
Don't Fragment (DF) = Yes
siphon osprints.conf
[shadow]# grep -i solaris osprints.conf
# Window:TTL:DF:Operating System DF = 1 for ON, 0 for OFF.
2328:255:1:Solaris 2.6 - 2.7
2238:255:1:Solaris 2.6 - 2.7
2400:255:1:Solaris 2.6 - 2.7
2798:255:1:Solaris 2.6 - 2.7
FE88:255:1:Solaris 2.6 - 2.7
87C0:255:1:Solaris 2.6 - 2.7
snort 2798 TTL 255 DF 1 siphon
siphon
nmap
10
9
9
cheops (http://www.marko.net/cheops)
2-7 ping, traceroute, queso
cheops
2-7 cheops
tkined Scotty http://wwwhome.cs.utwente.nl/schoenw/scotty
tkined Tcl
IP tkined
1 tkined Scotty
Scotty, tkined, cheops
2.4
ping TCP, UDP ICMP
ping
TCP/UDP
133
enumeration
web
2 SuperScan
banner
4
5
NT (New Technology) NT Windows NT 3.x
4.x, Windows 2000, Windows XP, Windows Server 2003 NT
3.1
2
telnet netcat
5
9
1
telnet
telnet
telnet
C:\>telnet www.corleone.com 80
HTTP/1.0 400 Bad Request
Server: Netscape-Commerce/1.12
Your browser sent a non-HTTP compliant message.
TCP/IP
C:\>nc -v www.corleone.com 80
www.corleone.com [192.168.45.7] 80 (?) open
netcat readme
netcat nudge.txt
GET / HTTP/1.0
[root$]nc -nvv -o banners.txt 192.168.202.34 80 < nudge.txt
HTTP/1.0 200 OK
Server: Sun_WebServer/2.0
Date: Sat, 10 Apr 1999 07:42:59 GMT
Content-Type: text/html
Last-Modified: Wed, 07 Apr 1999 15:54:18 GMT
ETag: "370a7fbb-2188-4"
Content-Length: 8584
<HTML>
<HEAD>
<META NAME="keywords" CONTENT="BigCorp, hacking, security">
<META NAME="description" CONTENT="Welcome to BigCorp's Web site. BigCorp is a leading manufacturer of security holes.">
<TITLE>BigCorp Corporate Home Page</TITLE>
</HEAD>
</HTML>
IP netcat -n
netcat
netcat
3.2
FTP TCP 21
1
10
1
FTP
Web FTP Web
12
FTP
FTP
Windows FTP
FTP anonymous
C:\>ftp ftp.tnrcc.state.tx.us
Connected to www.tnrcc.state.tx.us.
220 www FTP server (Version 1.1.214.4(PHNE_29461) Thu Nov 20 06:40:06 GMT 2003) ready.
User (www.tnrcc.state.tx.us:(none)): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
lost+found
etc
incoming
pub
usr
226 Transfer complete.
ftp: 37 bytes received in 0.00Seconds 37000.00Kbytes/sec.
ftp>
FTP Web
FTP FTP
FTP http://www.bpftp.com
BulletProof FTP http://www.ftp-sites.org FTP
FTP FTP
FTP wu-ftp
FTP
FTP FTP
SMTP TCP 25
5
9
1
Internet
Simple Mail Transfer Protocol (SMTP) TCP 25
SMTP VRFY
EXPN
telnet SMTP
[root$]telnet 192.168.202.34 25
Trying 192.168.202.34...
Connected to 192.168.202.34.
Escape character is '^]'.
220 mail.bigcorp.com ESMTP Sendmail 8.8.7/8.8.7; 11 Apr 2002
vrfy root
250 root <root@bigcorp.com>
expn adm
250 adm <adm@bigcorp.com>
quit
221 mail.bigcorp.com closing connection
SMTP
SMTP
sendmail http://www.sendmail.org SMTP
8 mail.cf VRFY EXPN
Exchange Server
EXPN VRFY SMTP
DNS TCP 53
5
9
2
_kpasswd._tcp SRV priority=0, weight=100, port=464, corp-dc.labfarce.org
_ldap._tcp SRV priority=0, weight=100, port=389, corp-dc.labfarce.org
Global Catalog
_gc._tcp Kerberos _kerberos._tcpLDAP
_ldap._tcp TCP
DNS
DNS
Windows NT4 DNS Computer Management MMC (Microsoft Management Console)
forward lookup domain labfarce.org
Properties
\Services and Applications\DNS\[server_name]\Forward Lookup Zones\[zone_name] | Properties
Windows 2000
Allow Zone Transfers
DNS
TFTP TCP/UDP 69
1
3
7
UNIX/Linux
/etc/passwd 7
passwd
TFTP
TFTP
ACL
TFTP
TCP Wrappers /tftpboot
TFTP
FingerTCP/UDP 79
7
10
1
UNIX/Linux finger
Internet Finger
finger
finger 79
[root$]finger -l @target.hackme.com
[target.hackme.com]
Login: root
Name: root
Directory: /root
Shell: /bin/bash
On since Sun Mar 28 11:01 (PST) on tty1
11 minutes idle
(messages off)
On since Sun Mar 28 11:01 (PST) on ttyp0 from :0.0
3 minutes 6 seconds idle
No mail.
Plan:
John Smith
Security Guru
Telnet password is my birthdate.
finger 0@hostname
[root$]finger 0@192.168.202.34
[192.168.202.34]
Line        User      Host(s)    Idle      Location
* 2 vty 0             idle       0         192.168.202.14
  Se0                 Sync PPP   00:00:02
finger /etc/passwd
finger
14 home
.plan .project
finger
Finger
finger inetd.conf
killall -HUP inetd 79 finger
TCP Wrappers 7 finger
HTTP TCP 80
5
9
1
web
web Code Red Nimda ida/idq
Internet
C:\>nc -v www.corleone.com 80
www.corleone.com [192.168.45.7] 80 (?) open
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 08 May 2001 00:52:25 GMT
Connection: Keep-Alive
Content-Length: 1270
Content-Type: text/html
HTTP HEAD
HEAD
SSL netcat SSL
SSL openssl sslproxy
HTML
Blighty Design (http://samspade.org/ssw)
Sam Spade 3-1 Sam Spade
password
HTML Web
12
Hacking Exposed: Web Applications (McGraw-Hill/Osborne, 2002)
http://www.webhackingexposed.com
HTTP
web web
Internet Information Services (IIS) IIS
Microsoft Data Access Components (MDAC), Unicode, Internet Printing Protocol
12 IIS Code Red Nimda
IIS IIS
7
8
1
IP 216.154.242.126
192.168.1.2 MSRPC IP RFC 1918
ncacn_ip_tcp TCP
ncacn_ip_udp
UDP Jean-Baptiste Marchand Windows
http://www.hsc.fr/ressources/articles/win_net_srv
MSRPC
MSRPC TCP 135
Microsoft Exchange Server Internet Outlook MAPI
Exchange
Outlook/Exchange TCP 135
TCP 135
IP ACL
HTTPS Microsoft
Outlook Web AccessOWA Outlook OWA Exchange
web HTTPS OWA
[two-factor authentication mechanisms] Windows Server 2003 Exchange 2003 RPC over HTTP HTTP RPC OWA
Outlook http://support.microsoft.com/default.aspx?kbid=833401
http://msdn.microsoft.com/library/library/en-us/rpc/rpc/rpc_over_http_security.asp
MSRPC RPC
Writing a Secure RPC Client or Server RPC
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/writing_a_secure_rpc_client_or_server.asp
7
5
3
net view
C:\>net view /domain
Domain
-------------------------------------------------------_
CORLEONE
BARZINI_DOMAIN
TATAGGLIA_DOMAIN
BRAZZI
DHCP
Ping 2 IP
NetBIOS IP NetBIOS
\\192.168.202.5 \\server_name
#PRE %systemroot%\system32\drivers\etc\LMHOSTS
nbtstat -R
NetBIOS NetBIOS
LMHOSTS IP
Windows
Windows Windows Resource Kit (RK, Reskit) nltest RK
C:\>nltest /dclist:corleone
List of DCs in Domain corleone
\\VITO (PDC)
\\MICHAEL
\\SONNY
The command completed successfully
%
Netviewx
nbtstat nbtscan NetBIOS
Nbtstat
NetBIOS
C:\>nbtstat -A 192.168.202.33
NetBIOS Remote Machine Name Table
Name               Type         Status
-----------------------------------------------
SERVR9             <00> UNIQUE  Registered
SERVR9             <20> UNIQUE  Registered
9DOMAN             <00> GROUP   Registered
9DOMAN             <1E> GROUP   Registered
SERVR9             <03> UNIQUE  Registered
INet~Services      <1C> GROUP   Registered
IS~SERVR9......    <00> UNIQUE  Registered
9DOMAN             <1>  UNIQUE  Registered
..__MSBROWSE__.    <01> GROUP   Registered
ADMINISTRATOR      <03> UNIQUE  Registered
nbtstat SERVR9
9DOMAN, ADMINISTRATOR, INet~Services MAC (Media Access Control)
NetBIOS service code 3-1
NetBIOS name           Service
<computer name>[00]    Workstation
<domain name>[00]
<computer name>[03]    Messenger Service
<user name>[03]        Messenger
<computer name>[20]    Server
<domain name>[1D]      Master Browser
<domain name>[1E]      Browser
<domain name>[1B]      Domain Master Browser
3-1 NetBIOS
nbtstat Alla Bezroutchko nbtscan
nbtscan Windows
C
NBNS
UDP 137 NBNS (NetBIOS Name Service) NetBIOS UDP 137
NetBIOS Alerter
Messenger Windows Services
Windows 2000 TCP/IP
NetBIOS NBNS
8
10
8
Windows NT
Windows null session/anonymous connection
Windows
Server Message Block (SMB) File and Print Sharing Linux SMB Samba
API SMB Windows
SMB Windows
SMB
SMB null session
C:\> net use \\192.168.202.33\IPC$ "" /u:""
net use
" "/u : " "
IP 192.168.202.33 IPC$
The command completed successfully.
srvinfo -s
Windows DumpSec
DumpAcl 3-2
Somarsoft (http://www.somarsoft.com) NT
DumpSec
3-2
DumpSec
3-2 DumpSec
NetBIOS Legion
Internet
Legion C 2.1
Windows 4 5
Windows NetBIOS Auditing Tool (NAT) Andrew Tridgell NAT Hacking Exposed
http://www.osborne.com/he5 Rhino9 Security Team Neon Surge Chameleon NAT 3-3 NAT
3-3 NetBIOS Auditing ToolNAT
NT Windows
NT
Windows
HKLM\System\CurrentControlSet\Control\SecurePipeServer\Winreg\AllowedPaths
HKLM\Software\Microsoft\WindowsNT\CurrentVersion
RK regdmp
Somarsoft DumpSec, Regdmp
Windows
NetBus 5 14
C:\>regdmp -m \\192.168.202.33 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemTray = SysTray.Exe
BrowserWebCheck = loadwc.exe
3-4 DumpSec
Windows
DumpSec
NT
DumpSecDumpSec
godzilla
Guest
lucca           Lucca Brazzi
mike            Michael Corleone
Administrator                        Built-in account for administering the domain
DumpSec GUI
Comments
Windows sid2user user2sid Evgenii Rudnyi
http://www.chem.msu.su:8080/~rudnyi/NT/sid.txt
NT SIDSID
NT SID SID
Mark Russinovich http://www.win2000mag.com/Articles/Index.cfm?ArticleID=3143 user2sid SID SID
SID S-1
RID Windows
Administrator GuestAdministrator RID 500 Guest
RID 501 sid2user SID 500
RID
C:\>sid2user \\192.168.2.33 5 21 8915387 1645822062 18198280005 500
Name is godzilla
Domain is WINDOWSNT
Type of SID is SidTypeUser
S-1 NT
RID 1000 RID
1001, 1002, 1003 RID NT
SID
user2sid/sid2user
user2sid
SIDNT 1000 RID NT
shell FOR sid2user
50
C:\>for /L %i IN (1000,1,1050) DO sid2user \\acmepdc1 5 21 1915163094 1258472701 648912389 %i >> users.txt
C:\>cat users.txt
Name is IUSR_ACMEPDC1
Domain is ACME
Type of SID is SidTypeUser
Name is MTS Trusted Impersonators
Domain is ACME
Type of SID is SidTypeAlias
. . .
NT shell, Perl, VBScript
139 445
RestrictAnonymous 1
C:\>enum
usage: enum [switches] [hostname|ip]
-U: get userlist
-M: get machine list
-N: get namelist dump (different from -U|-M)
-S: get sharelist
-P: get password policy information
-G: get group and member list
-L: get LSA policy information
-D: dictionary crack, needs -u and -f
-d: be detailed, applies to -U and -S
-c: don't cancel sessions
-u: specify username to use (default "")
-p: specify password to use (default "")
-f: specify dictfile to use (wants -D)
enum -P
-D-u-f
enum
C:\>enum -U -d -P -L -c 172.16.41.10
server: 172.16.41.10
setting up session... success.
password policy:
min length: none
. . .
lockout threshold: none
opening lsa policy... success.
names:
netbios: LABFARCE.COM
domain: LABFARCE.COM
. . .
trusted domains:
SYSOPS
PDC: CORP-DC
netlogon done by a PDC server
getting user list (pass 1, index 0)... success, got 11.
Administrator (Built-in account for administering the computer/domain)
attributes:
chris attributes:
Guest (Built-in account for guest access to the computer/domain)
attributes: disabled
. . .
keith attributes:
Michelle attributes:
. .
C:\>nete
NetE v.96 Questions, comments, etc. to sirdystic@cultdeadcow.com
Usage: NetE [Options] \\MachinenameOrIP
Options:
/0 - All NULL session operations
/A - All operations
/B - Get PDC name
/C - Connections
/D - Date and time
/E - Exports
/F - Files
/G - Groups
/I - Statistics
/J - Scheduled jobs
/K - Disks
/L - Local groups
/M - Machines
/N - Message names
/Q - Platform specific info
/P - Printer ports and info
/R - Replicated directories
/S - Sessions
/T - Transports
/U - Users
/V - Services
/W - RAS ports
/X - Uses
/Y - Remote registry trees
/Z - Trusted domains
NT getmac
MAC
RestrictAnonymous 1getmac
Reskit usrstat, showgrps, local, global
1. regedt32 HKLM\SYSTEM\CurrentControlSet\Control\LSA
2. Edit | Add Value
   Value Name: RestrictAnonymous
   Data Type:  REG_DWORD
   Value:      1 (Windows 2000: 2)
3.
Windows 2000
MMC Security Policies
RestrictAnonymous NT 4
Organizational Unit
Windows 2000 Active Directory
Group Policy 5
RestrictAnonymous 1
RestrictAnonymous 1
RestrictAnonymous 2 Everyone
/ Windows
Windows 2000 dsclient
Windows 95 Microsoft
Q246261
RestrictAnonymous=1
RestrictAnonymous NetUserGetInfo
API Level 3 RestrictAnonymous = 1
RestrictAnonymous 1 http://www.HammerofGod.com/download.htm UserInfo
Windows 2000 RestrictAnonymous
2 UserInfo
RestrictAnonymous=1 Administrator
C:\>userinfo \\victom.com Administrator
UserInfo v1.5 - thor@HammerofGod.com
Querying Controller \\mgmgrand
USER INFO
Username:      Administrator
Full Name:
Comment:       Built-in account for administering the computer/domain
User Comment:
User ID:       500
Primary Grp:   513
Privs:         Admin Privs
OperatorPrivs: No explicit OP Privs
SYSTEM FLAGS (Flag dword is 66049)
User's pwd never expires.
MISC INFO
Password age:  Mon Apr 09 01:41:34 2001
LastLogon:     Mon Apr 23 09:27:42 2001
LastLogoff:    Thu Jan 01 00:00:00 1970
Acct Expires:  Never
Max Storage:   Unlimited
Workstations:
UnitsperWeek:  168
Bad pw Count:  0
Num logons:    5
Country code:  0
Code page:     0
Profile:
ScriptPath:
Homedir drive:
Home Dir:
PasswordExp:   0
HammerofGod.com UserDump
SID RID UserDump
RID 1001 SID UserDump
RID 500 RID 1001
MaxQueries 0 SID 500 1001
UserDump
C:\>userdump \\mgmgrand guest 10
UserDump v1.11 - thor@HammerofGod.com
Querying Controller \\mgmgrand
USER INFO
Username:      Administrator
Full Name:
Comment:       Built-in account for administering the computer/domain
User Comment:
User ID:       500
Primary Grp:   513
Privs:         Admin Privs
OperatorPrivs: No explicit OP Privs
[snip]
LookupAccountSid failed: 1007 does not exist...
LookupAccountSid failed: 1008 does not exist...
LookupAccountSid failed: 1009 does not exist...
Get hammered at HammerofGod.com!
RestrictAnonymous 1
Microsoft
3-2
XP/Server 2003
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Disabled user2sid
Enabled RestrictAnonymous = 1
3
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Let Everyone permissions apply to anonymous users
Network access: Named pipes that can be accessed anonymously
Network access: Remotely accessible Registry paths
Network access: Shares that can be accessed anonymously
Enabled RestrictAnonymous = 1
Disabled
RestrictAnonymous = 2
SQL\QUERY EPMAPPER SQL
MSRPC
COMCFGDFS$
9
3
Security Not My Problem
SNMP /
SNMP SNMP
SNMP
public SNMP
SNMP
Management Information Base MIB MIB
Microsoft MIB Windows
TCP 139 445 SMB NT
SNMP public
RK SNMP snmputil SNMP
Windows
C:\>snmputil walk 192.168.202.33 public .1.3.6.1.4.1.77.1.2.25
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116
Value = OCTET STRING - Guest
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.65.100.109.105.110.105.115.116.114.97.116.111.114
Value = OCTET STRING - Administrator
End of MIB subtree.
snmputil .1.3.6.1.4.1.77.1.2.25OID
Microsoft Microsoft MIB MIB
.1.3.6.1.4.1.77
MIB
SNMP MIB
.iso.org.dod.internet.private.enterprises.lanmanager.lanmgr2
.server.svSvcTable.svSvcEntry.svSvcName
.server.svShareTable.svShareEntry.svShareName
.server.svShareTable.svShareEntry.svSharePath
.server.svShareTable.svShareEntry.svShareComment
.server.svUserTable.svUserEntry.svUserName
.domain.domPrimaryDomain
SNMP
UNIX
Linux
Linux
2.4.3
Mandrakemdk
Intel 686
private
http://www.solarwinds.net
SNMP
SNMP
agent
SNMP
SNMP agent SNMP
"public""private" SNMP
SNMP
TCP UDP 161 SNMP GET/SET IP
SNMP agentMicrosoft SNMP agent IP
SNMP IP
SNMP V3 RFC 2571~2575SNMP V3 V1
V2 V3
V1
Windows NT
SNMP Microsoft MIB regedt32
HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
Security | Permissions
HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents
LANManagerMIB2Agent
1 2 1
2 2 1
SNMP
SNMP http://www.rfc-editor.org SNMP
RFC
2
6
2
BGP
BGP
1. ASN Autonomous System Number
2. ASN AS
BGP IP ASN ASN 16
ARIN ASN IP
ASN
route-views.routeviews.org AAA
rviews http://www.routeviews.org/aaa.html
C:\>telnet route-views.oregon-ix.net
User Access Verification
Username: rviews
route-views.oregon-ix.net>show ip bgp 63.79.158.1
BGP routing table entry for 63.79.158.0/24, version 7215687
Paths: (29 available, best #14)
Not advertised to any peer
8918 701 16394 16394
212.4.193.253 from 212.4.193.253 (212.4.193.253)
Origin IGP, localpref 100, valid, external
AS AS
63.79.158.0/24 KPE
BGP
ARIN ASN ASN
BGP ASN ARIN ASN
BGP
BGP
BGP ARIN
ASN BGP BGP
2
2
5
NT Windows 2000
Lightweight Directory Access ProtocolMicrosoft
Active DirectoryAD AD
Windows
Support Tools CD Support\Tools
LDAP Active Directory Administration Toolldp.exe
AD
1999 Windows 2000 Release Candidates
ldp Windows 2000 DC LDAP
LDAP
NetBIOS
LDAP
ldp
Windows 2000 bigdc.labfarce.org DC=labfarce,DC=org BIGDC Guest guest
3. LDAP View | Tree dc=labfarce,dc=org
4.
5. CN=Users CN=Builtin
Users 3-7
guest NT 4 Remote
Access Service SQL Server AD Windows 2000
dcpromo
3-8 LDAP
389 3268
Windows
Pre-Windows 2000 Compatible Access Pre-Windows Compatible Access 3-3
User
Group
User
Group
Q240855http://search.support.microsoft.com
Pre-Windows 2000 Compatible Access
NetBIOS enum
Windows 2000 Advanced Server enum
Everyone Pre-Windows 2000 Compatible Access
C:\>enum -U corp-dc
server: corp-dc
setting up session... success.
getting user list (pass 1, index 0)... success, got 7.
Administrator Guest IUSR_CORP-DC IWAM_CORP-DC krbtgt
NetShowServices TsInternetUser
cleaning up... success.
Compatible Everyone
enum
C:\>enum -U corp-dc
server: corp-dc
setting up session... success.
getting user list (pass 1, index 0)... fail
return 5, Access is denied.
cleaning up... success.
NT4
RASRouting and Remote
Access ServiceRRAS SQL
7
6
1
NetWare
Novell NDS
Windows
Novell NDS 3-9
NetWare IPX TCP/IP NetWare
IPX IP TCP 524 NetWare 5
NetWare Core ProtocolNCPTCP 524 NDS
Novell NDS
NDS
3-10
7
On-Site Admin Novell
Novell On-Site Admin
On-Site
Novell 3-11
On-Site Admin
Browse NDS
http://support.novell.com
7
10
1
[root$]rpcinfo -p 192.168.202.34
   program vers proto   port
    100000    2   tcp    111  rpcbind
    100002    3   udp    712  rusersd
    100011    2   udp    754  rquotad
    100005    1   udp    635  mountd
    100003    2   udp   2049  nfs
    100004    2   tcp    778  ypserv
Name                 Version Protocol  Port
portmapper (100000)        4 TCP        111
portmapper (100000)        3 TCP        222
rstatd     (100001)        2 UDP      32774
nlockmgr   (100021)        1 UDP       4045
2.53 by fyodor@insecure.org
RPC
RPC
RPC RPC
Sun Secure RPC 111
32771rpcbind RPC
UNIX/Linux
3
8
1
Apr 11 09:21
Apr 10 15:01
Apr 10 17:40
rusers -l rwho
rpc.rusersd RPC
Sun RPC portmapper
TCP/UDP 111 TCP/UDP 32771 rusers
UNIX
[root$]rusers -l 192.168.202.34
root     192.168.202.34:tty1    Apr 10 18:58   :51
root     192.168.202.34:ttyp0   Apr 10 18:59   :02 (:0.0)
rwho rusers
finger inetd
/etc/init.d//etc/rc*.d rpc.rwhod rpc.rusersd
#
3
8
1
NIS
NIS DNS
5
8
2
http://www.nextgenss.com/advisories/mssql-udp.txt
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
SQL
Chip Andrews http://www.sqlsecurity.com
SQLPing
7
10
1
-e NFS
NFS
NFS
/
NFS 2049Showmount
NFS UNIX/Linux Samba
SMB SMBServer
Message Block Windows Samba http://www.samba.org
Linux Samba /etc/smb.conf
3.3
Windows NT SMB
SNMP SNMP
SNMP agentpublic
Finger rpcbind
WEB
http://www.linux-sec.net/Audit/nmap.test.gwif.html C nmap
TCP/UDP http://www.iana.org/assignments/port-numbers