(黑客大曝光 (第6版) ) Hacking Exposed 6Th Ed


1

Google
Google
Spartan IPOGoogle IT
Google
Google
Linux Google
Google

Google

Google
Google

Google
Google BotGoogle Google Bot
Google Bot

Google

Google

Joe Hacker

Joe Hacker Google


Google Windows


www.google.com

intitle:"Welcome to IIS 4.0"

Results 1 - 10 of about 63 for intitle:"Welcome to IIS 4.0". (0.10 seconds)

Windows IIS 4.0


IIS 4.0
Joe Hacker
Web VNC Server
"VNC Desktop" inurl:5800
Results 1 - 10 of about 112 for "VNC Desktop" inurl:5800. (0.27 seconds)

VNC Server
VNC Server

Joe Hacker
Google Microsoft FrontPage

filetype:pwd service
Results 1 - 10 of about 173 for filetype:pwd service. (0.28 seconds)

Joe Hacker
UNIX
# -FrontPage-
ekendall:bYld1Sr73NLKo
louisa:5zm94d7cdDFiQ

Joe Hacker John the Ripper Louisa


trumpetJoe FrontPage

FrontPage
Joe Joe


Joe Hacker Web

filetype:bak inurl:"htaccess|passwd|shadow|htusers"
Results 1 - 10 of about 59 for filetype:bak inurl:"htaccess|passwd|shadow|htusers". (0.18 seconds)

Joe Hacker
shadow UNIX
Joe

Google Joe
filetype:properties inurl:db intext:password
Results 1 - 10 of about 854 for filetype:properties inurl:db intext:password. (0.21 seconds)

Joe
drivers=sun.jdbc.odbc.JdbcOdbcDriver jdbc.idbDriver
logfile=D:\\user\\src\\java\\DBConnectionManager\\log.txt
idb.url=jdbc:idb:c:\\local\\javawebserver1.1\\db\\db.prp
idb.maxconn=2
access.url=jdbc:odbc:demo
access.user=demo
access.password=demopw

Joe
Joe .edu

"not for distribution" confidential site:edu


Results 1 - 10 of about 138 for "not for distribution" confidential site:edu. (0.21 seconds)

Joe
100 PDF

Joe Hacker
Google
This file was generated by Nessus
Results 1 - 10 of about 75,300 for This file was generated by Nessus. (0.20 seconds)

Nessus
Joe Hacker Nessuse

Joe Hacker
Joe Hacker Joe
Nessus

Google


footprinting

footprint
/profile

footprinting

1.1

XYZ
IP

intranetextranet
1.1


IP
TCP UDP
SPARC X86

access control listACL


intrusion detection systemIDS
SNMP

DNS
IPIPXDecNET

IP
TCP UDP
SPARC X86
access control listACL
intrusion detection systemIDS
SNMP

VPN IPSec PPTP

1.1


1.2

1.2.1 1

1.2.2 2
OSI 7
OSI 8
9

IP

1.2.3 3
Web


9
9
2

Web

Usenet

Web
Web
Web
Web

HTML <!
HTML Web

Web UNIX
Wget http://www.gnu.org/software/wget/wget.html Windows Teleport Pro http://www.tenmax.com


www
Web
Microsoft Outlook Web Access
Microsoft Exchange URL
http://owa.company.com http://outlook.company.com
AS/400
OpenConnect http://www.openconnect.com Web
OpenConnect Java 3270
Web
/ AS/400
VPN
http://vpn.company.com http://www.company.com/vpn
company VPN
VPN VPN

VPN

Web

http://www.keyhole.com
Google

1-1 http://terraserver.microsoft.com


1-1 http://www.keyhole.com


http://www.phonenumber.com http://www.411.com http://www.yellowpages.com

John Smith
jsmith, johnsmith, smithj, jsmith@company.com

http://www.crimetime.com/online.htm http://www.peoplesearch.com


IDSIPS

Securities and Exchange Commission (SEC) 10-Q
10-K http://www.sec.gov EDGAR
1-2 merger
acquisitionacquire subsequent event


1-2 SEC

/
/


http://www.archive.org WayBack Machine 1-3


http://www.thememoryhole.com Google cached results


1-4

1-3 http://www.archive.org http://www.yahoo.com

1-4

Google cached results
http://www.yahoo.com

http://www.f**ckedcompany.com
http://www.internalmemo.com

Google
link:www.company.com Google

Usenet

http://www.google.com http://search.yahoo.com http://www.altavista.com
http://www.dogpile.com

Johnny Long, Google Hacking for Penetration Testers (Syngress, 2004)
Google
allinurl:tsweb/default.htm Google Remote Desktop Web Connection
Web Microsoft Windows
Google Remote Desktop
ProtocolRDP Windows Windows
Internet Explorer ActiveX RDP RDP


Google
http://johnny.ihackstuff.com Johnny Long
Google Hacking DatabaseGHDBGoogle

GHDB

Athena snakeoillabs Steven


SiteDigger

http://www.foundstone.com

Wikto http://www.sensepost.com/research/wikto Roelof
Google
Web SiteDigger 1-5
GHDB Foundstone
SiteDigger
GHDB / Foundstone

1-5 Foundstone SiteDigger Google Hacking DatabaseGHDB


Google


Usenet
IT Usenet Google Usenet
Web Google
pix firewall config help
Cisco PIX 1-6

IP ACL NATnetwork address translation

@company.com

1-6 Google

IT


IT

CheckPoint Snort IDS 5


IDS
IR

Google company resume firewallcompany


/

http://www.monster.com http://www.careerbuilder.com


The Site Security Handbook RFC 2196


http://www.faqs.org/rfcs/rfc2196.html

1.2.4 4WHOIS DNS

9
9
5

IP

Internet Corporation for Assigned Names and Numbers (ICANN) http://www.icann.org

ICANN 1998 10
ICANN Internet Assigned Numbers Authority (IANA) http://www.iana.org

IANA ICANN
ICANN


IP

DNS ICANN


ICANN

ICANN

ICANN 2002 Evolution and Reform Process


1-7 ICANN ICANN
2002 2 15 ICANN

ICANN

/CEO

ICANN

1-7 ICANN
ICANN
Address Supporting Organization (ASO) http://www.aso.icann.org
Generic Name Supporting Organization (GNSO) http://www.gnso.icann.org
Country Code Domain Name Supporting Organization (CNNSO) http://www.cnnso.icann.org


ASO IP ICANN
ASO IP
Regional Internet Registry (RIR) 1-8
RIR IP Internet service provider (ISP)
National Internet Registry (NIR)
Local Internet Registry (LIR)

APNIC http://www.apnic.net
ARIN http://www.arin.net
LACNIC http://www.lacnic.net
RIPE http://www.ripe.net
AfriNIC http://www.afrinic.net
ARIN RIPE AfriNIC

1-8 5 Regional Internet RegistryRIR


4
GNSO generic top-level domain (gTLD)


ICANN 1-9
GNSO .com.net.edu.org .info
http://www.iana.org/gtld/gtld.htm

1-9 GNSO generic top-level domaingTLD


CCNSO country-code top-level domain (ccTLD)
ICANN
CCNSO
http://www.iana.org/cctld/cctld-whois.htm 1-10


1-10 CCNSO country-code top-level domainccTLD

http://www.iana.org/assignments/ipv4-address-space IPv4
http://www.iana.org/ipaddress/ip-addresses.htm IP
http://www.rfc-editor.org/rfc/rfc3330.txt IP
http://www.iana.org/assignments/port-numbers
http://www.iana.org/assignments/protocol-numbers

WHOIS WHOIS

.mil .gov

IP


osborne.com IP IP BGP

keyhole.com
WHOIS
TLDtop-level domain

RegistryRegistrarRegistrant
R WHOIS
R
WHOIS

WHOIS
ICANN
ICANNIANA TLD WHOIS


WHOIS
TCP 43 Web WHOIS
Web

Web WHOIS
http://whois.iana.org .com 1-11
.com Verisign Global Registry Services http://www.verisigngrs.com Verisign Global Registry Services 1-12
keyhole.com http://www.markmonitor.com
1-13 Web
WHOIS keyhole.com

1-11 http://whois.iana.org


1-12 Verisign Global Registry Services keyhole.com

1-13 keyhole.com
keyhole.com


DNS IP

.gov .mil WHOIS


WHOIS
[bash]$ whois com -h whois.iana.org
[bash]$ whois keyhole.com -h whois.verisign-grs.com
[bash]$ whois keyhole.com -h whois.omnis.com

WHOIS

http://www.allwhois.com
http://www.uwhois.com
http://www.internic.net/whois.html
GUI
SamSpade http://www.samspade.com
SuperScan http://www.foundstone.com
NetScan Tools Pro http://www.nwpsw.com
WHOIS WHOIS
DNS
WHOIS
WHOIS
WHOIS
IP
IP
IP ICANN ASO RIR

TLD ICANNIANA WHOIS RIR


RIR IP
IP RIR


IP 61.0.0.2 IP
ARINhttp://www.arin.net IP ARIN
WHOIS 1-14 IP
APNIC APNIC 1-15
IP National Internet Backbone

1-14 ARIN RIR

1-15 IP National Internet Backbone


IP

IP IP
IP
RIR WHOIS
IP BGP http://www.arin.net
Google Google IP AS AS 15169
1-16

1-16 Google IP BGP AS


1-2 WHOIS /

Tool              Resource                                           Platform
Web-based Whois   http://whois.iana.org                              Web
                  http://www.arin.net
                  http://www.allwhois.com
UNIX whois                                                           UNIX
Fwhois            Chris Cappuccio (ccappuc@santefe.edu)              UNIX
WS_Ping ProPack   http://www.ipswitch.com/                           Windows 95/NT/2000/XP
Sam Spade         http://www.samspade.org/ssw                        Windows 95/NT/2000/XP
Sam Spade Web     http://www.samspade.org/                           Web
Netscan           http://www.netscantools.com/nstpromain.html        Windows 95/NT/2000/XP
Xwhois            http://c64.org/~nr/xwhois/                         UNIX with X and GTK+ GUI
Jwhois            http://www.gnu.org/software/jwhois/jwhois.html     UNIX

1-2 WHOIS

administrative contact

WHOIS WHOIS
5

WHOIS DNS
DNS DNS


DNS DNS DNS


WHOIS
ARIN

Network Solutions
Network Solutions Guardian
FROM
PGPPretty Good Privacy FROM

domain
hijacking1998 10
16 AOL AOL
AOL AOL autonete.net
AOL
PGP
Network Solutions
Contact Form


1.2.5 5DNS
DNS DNS IP
IP DNS


9
9
3

DNS zone
transfer
zone
DNS
DNS
DNS DNS
zone

/ DNS
DNS DNS IP
IP

UNIX Windows nslookup


nslookup
[bash]$ nslookup
Default Server: ns1.example.net
Address: 10.10.20.2
> 216.182.1.1
Server: ns1.example.net
Address: 10.10.20.2
Name: gate.tellurian.net
Address: 216.182.1.1
> set type=any
> ls -d Tellurian.net. >> /tmp/zone_out

nslookup nslookup
DNS ISP DNS


DNS 10.10.20.2 IP
DNS DNS
nslookup DNS
Tellurian Networks DNS 216.182.1.1 whois

any DNS
man nslookup
ls-d
.
/tmp/zone_out

Tellurian Network

[bash]$ more zone_out


acct18
1D IN A 192.168.230.3
1D IN HINFO "Gateway2000" "WinWKGRPS"
1D IN MX 0 tellurianadmin-smtp
1D IN RP bsmith.rci bsmith.who
1D IN TXT "Location:Telephone Room"
ce
1D IN CNAME aesop
au
1D IN A 192.168.230.4
1D IN HINFO "Aspect" "MS-DOS"
1D IN MX 0 andromeda
1D IN RP jcoy.erebus jcoy.who
1D IN TXT "Location: Library"
acct21
1D IN A 192.168.230.5
1D IN HINFO "Gateway2000" "WinWKGRPS"
1D IN MX 0 tellurianadmin-smtp
1D IN RP bsmith.rci bsmith.who
1D IN TXT "Location:Accounting"

A IP
HINFO RFC952HINFO
grepsed awk UNIX Perl


SunOS Solaris HINFO SparcSun


Solaris IP
[bash]$ grep -i solaris zone_out |wc -l
388

388 Solaris

[bash]$ grep -i test /tmp/zone_out |wc -l
96

96 test

Tellurian.net greenhouse.Tellurian.net

DNS

DNS
hostSam Spadeaxfr dig
UNIX host host
host -l tellurian.net

host -l -v -t any tellurian.net

IP shell IP
host
host -l tellurian.net |cut -f 4 -d" " >> /tmp/ip_out


UNIX Sam Spade Windows

UNIX dig DNS


DNS DNS
man

Gaius axfr
http://packetstormsecurity.nl/groups/ADM/axfr-0.5.2.tar.gz

com edu com edu

axfr
[bash]$ axfr tellurian.net
axfr: Using default directory: /root/axfrdb
Found 2 name servers for domain tellurian.net.:
Text deleted.
Received XXX answers (XXX records).

axfr
[bash]$ axfrcat tellurian.net

MX

host

[bash]$ host tellurian.net


tellurian.net has address 216.182.1.7
tellurian.net mail is handled (pri=10) by mail.tellurian.net
tellurian.net mail is handled (pri=20) by smtp-forward.tellurian.net

DNS
DNS

BIND named.conf allow-transfer


Microsoft DNS Notify


http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/optimize/c19w2kad.mspx

53 TCP UDP
TCP RFC
RFC 512 DNS
TCP DNS 512
transaction signatureTSIG DNS
Bind 9 TSIG
http://www.linux-mag.com/2001-11/bind9_01.html
IP

IP

16,000 IP
HINFO

HINFO
1.2.6 6

traceroute

9
9
2

UNIX Windows NT
traceroute ftp://ftp.ee.lbl.gov/traceroute.tar.gz Windows
8.3 tracert


traceroute Van Jacobson IP


traceroute IP
time-to-live TTL IP ICMP
TIME_EXCEEDEDIP TTL
1 TTL
traceroute IP
traceroute

[bash]$ traceroute tellurian.net


traceroute to tellurian.net (216.182.1.7), 30 hops max, 38 byte packets
1 (205.243.210.33) 4.264 ms 4.245 ms 4.226 ms
2 (66.192.251.0) 9.155 ms 9.181 ms 9.180 ms
3 (168.215.54.90) 9.224 ms 9.183 ms 9.145 ms
4 (144.232.192.33) 9.660 ms 9.771 ms 9.737 ms
5 (144.232.1.217) 12.654 ms 10.145 ms 9.945 ms
6 (144.232.1.173) 10.235 ms 9.968 ms 10.024 ms
7 (144.232.8.97) 133.128 ms 77.520 ms 218.464 ms
8 (144.232.18.78) 65.065 ms 65.189 ms 65.168 ms
9 (144.232.16.252) 64.998 ms 65.021 ms 65.301 ms
10 (144.223.15.130) 82.511 ms 66.022 ms 66.170
11 www.tellurian.net (216.182.1.7) 82.355 ms 81.644 ms 84.238 ms

10 10

Cisco 7500
ACL
traceroute ACL traceroute
traceroute


traceroute

access path diagram


UNIX traceroute
UDP -I ICMP
Windows traceroute ICMP ECHO
traceroute UDP ICMP traceroute
loose source
routing-g

-g UNIX man traceroute


traceroute
traceroute -p n UDP
n 1 traceroute
Michael Schiffman traceroute 1.4a5
ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/traceroute/old/
http://www.packetfactory.net/Projects/firewall/traceroute.diff
-S
UDP 53
DNS DNS
UDP 53 traceroute

[bash]$ traceroute 10.10.10.2


traceroute to (10.10.10.2), 30 hops max, 40 byte packets
1 gate (192.168.10.1) 11.993 ms 10.217 ms 9.023 ms
2 rtr1.bigisp.net (10.10.12.13)37.442 ms 35.183 ms 38.202 ms
3 rtr2.bigisp.net (10.10.12.14) 73.945 ms 36.336 ms 40.146 ms
4 hssitrt.bigisp.net (10.11.31.14) 54.094 ms 66.162 ms 50.873 ms
5 * * *
6 * * *

traceroute traceroute
UDP
UDP 53 DNS traceroute


[bash]$ traceroute -S -p53 10.10.10.2


traceroute to (10.10.10.2), 30 hops max, 40 byte packets
1 gate (192.168.10.1) 10.029 ms 10.027 ms 8.494 ms
2 rtr1.bigisp.net (10.10.12.13) 36.673 ms 39.141 ms 37.872 ms
3 rtr2.bigisp.net (10.10.12.14) 36.739 ms 39.516 ms 37.226 ms
4 hssitrt.bigisp.net (10.11.31.14)47.352 ms 47.363 ms 45.914 ms
5 10.10.10.2 (10.10.10.2) 50.449 ms 56.213 ms 65.627 ms

4
UDP 53

UDP 53 ICMP

IP
traceroute

VisualRoute http://www.visualroute.com NeoTrace http://www.neotrace.com


Trouthttp://www.foundstone.comVisualRoute NeoTrace
WHOIS
Trout traceroute
VisualRoute
traceroute TTL IP
UDP ICMP
IP UDP ICMP
tcptraceroutehttp://michael.toren.net/code
/tcptraceroute Cain & Abelhttp://www.oxid.it TCP

ACL firewall protocal scanning


firewalk 11

network intrusion detection systemNIDSintrusion


prevention systemIPS NIDS


Marty Roesch Snortwww.snort.org


traceroute Rhino9
Humble RotoRouter http://www.usrsback.com/UNIX/loggers/rr.c.tgz
traceroute
ICMP UDP

1.3

shell expect Perl


1 whois ARIN IP
IP
IP DNS
ping

DNS IP
10.10.10.0 IP IP

IP 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (RFC 1918)


IP http://www.ietf.org/rfc/rfc1918.txt

2.1
IP
ping
ping ICMP ECHO 8
ICMP ECHO_REPLY 0
ping
A


ping

10
9
3

ping
ping ICMP Internet Control
Message Protocol ICMP
ICMP TCP
UDP
UNIX Windows ICMP ping
fping http://packetstorm.securify.com/Exploit_Code__Archive/fping.tar.gz UNIX
ping ping
fping
ping fping IP ping
fping stdin IP
fping
IP
192.168.51.1
192.168.51.2
192.168.51.3
...
192.168.51.253
192.168.51.254

-f
[root]$ fping -a -f in.txt
192.168.1.254 is alive
192.168.1.227 is alive
192.168.1.224 is alive
...
192.168.1.3 is alive
192.168.1.2 is alive
192.168.1.1 is alive
192.168.1.190 is alive


fping -a
-d fping -a
shell -d ping
-f fping fping
fping -h Fyodor nmap
http://www.insecure.org/nmap ping
nmap -sP
ping
[root] nmap -sP 192.168.1.0/24
Starting nmap V. 3.70 ( www.insecure.org/nmap/ ) by fyodor@insecure.org
Host (192.168.1.0) seems to be a subnet broadcast address (returned 3 extra pings).
Host (192.168.1.1) appears to be up.
Host (192.168.1.10) appears to be up.
Host (192.168.1.11) appears to be up.
Host (192.168.1.15) appears to be up.
Host (192.168.1.20) appears to be up.
Host (192.168.1.50) appears to be up.
Host (192.168.1.101) appears to be up.
Host (192.168.1.102) appears to be up.
Host (192.168.1.255) seems to be a subnet broadcast address (returned 3 extra pings).
Nmap run completed -- 256 IP addresses (10 hosts up) scanned in 21 seconds

Windows Foundstone http://www.foundstone.com


SuperScan 2-1 ping
fping SuperScan ICMP ECHO
fping SuperScan ping
HTML
ICMP ping RFC 792
ICMP
0 - Echo Reply
3 - Destination Unreachable


2-1 Foundstone SuperScan ping

4 - Source Quench
5 - Redirect
8 - Echo
11 - Time Exceeded
12 - Parameter Problem
13 - Timestamp
14 - Timestamp Reply
15 - Information Request
16 - Information Reply

ICMP
ICMP ICMP


SolarWinds http://www.solarwinds.net Ping Sweep


ping Ping Sweep
0 1 Ping
Sweep 7 C
128K ISDN Frame Relay
ping
IR
Windows ping WS_Ping ProPackwww.ipswitch.com
NetScanToolswww.nwpsw.com
SuperScan Ping Sweep
GUI ping ping

ICMP

ICMP ICMP
ping

ICMP port scanning

IP

Windows SuperScan
SuperScan ICMP TCP/UDP
TCP/UDP
ICMP 2-2


2-2 Foundstone SuperScan


UNIX/Windows nmap
ICMP nmap TCP ping
nmap -PT 80 TCP ping
80 80
demilitarized zoneDMZ
-PT nmap TCP ACK
RST ACK
TCP ping non-stateful Cisco IOS

[root] nmap -sP -PT80 192.168.1.0/24

TCP probe port is 80
Starting nmap V. 3.70
Host (192.168.1.0) appears to be up.
Host (192.168.1.1) appears to be up.
Host shadow (192.168.1.10) appears to be up.
Host (192.168.1.11) appears to be up.
Host (192.168.1.15) appears to be up.
Host (192.168.1.20) appears to be up.
Host (192.168.1.50) appears to be up.
Host (192.168.1.101) appears to be up.
Host (192.168.1.102) appears to be up.
Host (192.168.1.255) appears to be up.
Nmap run completed (10 hosts up) scanned in 5 seconds

ICMP
SMTP 25POP 110IMAP 143AUTH
113
http://www.hping.org hping2 UNIX TCP
ping nmap TCP hping2 UDPTCP
Raw IP hping2

hping2 -p TCP TCP ping


hping2 1 traceroute
TCP UDP ping hping2

[root]# hping2 192.168.0.2 -S -p 80 -f

HPING 192.168.0.2 (eth0 192.168.0.2): S set, 40 data bytes
60 bytes from 192.168.0.2: flags=SA seq=0 ttl=64 id=418 win=5840 time=3.2 ms
60 bytes from 192.168.0.2: flags=SA seq=1 ttl=64 id=420 win=5840 time=2.1 ms
60 bytes from 192.168.0.2: flags=SA seq=2 ttl=64 id=422 win=5840 time=2.0 ms
--- 192.168.0.2 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss

hping2
flags=SA hping2
TCP SYNS TCP ACKAhping2 cN shell -cN hping2
N hping2
ICMP ping
hping2 9 hping2
Simple Nomad icmpenum http://www.nmrc.org/files/sunix/icmpenum-1.1.1.tgz TCP ping UNIX


ICMP
ICMP ECHO ICMP TIME STAMP
REQUEST ICMP INFO SuperScan ICMP ECHO
icmpenum
ICMP
[shadow] icmpenum -i2 -c 192.168.1.0
192.168.1.1 is up
192.168.1.10 is up
192.168.1.11 is up
192.168.1.15 is up
192.168.1.20 is up
192.168.1.103 is up

ICMP TIME STAMP REQUEST C


192.168.1.0 icmpenum

icmpenum -s-p

ICMP
C 255
IP

ping
ping
ping

ping
ping
ping Snortwww.snort.org
IDSintrusion detection system
UNIX ping
ICMP ECHO


Cisco Check
PointMicrosoft McAfee Symantec ISS ICMPTCP
UDP ping ping

Windows ping Genius


/ Genius 3.1
http://www.indiesoft.com Genius ICMP
ECHOping TCP ping 2.1
UNIX ping

Scanlogd   http://www.openwall.com/scanlogd
Courtney   http://packetstormsecurity.org/UNIX/audit/courtney-1.3.tar.Z
Ippl       http://pltplp.net/ippl
Protolog   http://packetstormsecurity.org/UNIX/loggers/protolog-1.0.8.tar.gz

2-1 UNIX ping

ping
ICMP ICMP
ECHO ECHO_REPLY
ICMP
ICMP
ICMP
ICMP ICMP
ECHO_REPLYHOST_UNREACHABLE TIME_EXCEEDED DMZ
access control listACL
ICMP ISP IP
ISP
ICMP
ICMP
ICMP


denial of service
loki
ICMP ECHO loki Phrack Magazine 1997 9 1 7 51 06 http://phrack.org/show.php?p=51&a=6
Tom Ptacek Mike Schiffman Linux pingd
pingd ICMP ECHO ICMP ECHO_REPLY
ICMP ECHO
ICMP pingd
ping Linux pingd
http://packetstormsecurity.org/UNIX/misc/pingd-0.5.1tgz

ICMP

2
9
5

ICMP ping ICMP ECHO


ICMP
UNIX icmpquery http://packetstormsecurity.org/UNIX/scanners/icmpquery.c icmpush http://packetstormsecurity.org/UNIX/scanners/icmpush22.tgz ICMP TIMESTAMP (ICMP 13)

ICMP ADDRESS MASK REQUEST (ICMP 17)


netmask

icmpquery

icmpquery <-query> [-B] [-f fromhost] [-d delay] [-T time] targets
where <query> is one of:
-t : icmp timestamp request (default)
-m : icmp address mask request
The delay is in microseconds to sleep between packets.
targets is a list of hostnames or addresses
-T specifies the number of seconds to wait for a host to respond. The default is 5.
-B specifies 'broadcast' mode. icmpquery will wait for timeout seconds and print all responses.
If you're on a modem, you may wish to use a larger -d and T

icmpquery
[root] icmpquery -t 192.168.1.1
192.168.1.1 : 11:36:19

icmpquery
[root] icmpquery -m 192.168.1.1
192.168.1.1 : 0xFFFFFFE0

ICMP TIMESTAMP NETMASK


icmpquery icmpush
ICMP
ICMP
TIMESTAMPICMP 13 ADDRESS MASKICMP
17 Cisco
ACL ICMP
access-list 101 deny icmp any any 13 ! timestamp request
access-list 101 deny icmp any any 17 ! address mask request

Snort network intrusion detection systemNIDS


Snort
[**] PING-ICMP Timestamp [**]
05/29-12:04:40.535502 192.168.1.10 -> 192.168.1.1
ICMP TTL:255 TOS:0x0 ID:4321
TIMESTAMP REQUEST

2.2
ICMP TCP ping
ICMP


10
9
9

TCP UDP
LISTENING

TCP UDP


2.2.1

Fyodor nmap
Fyodor
TCP
SYNSYN/ACK ACK TCP RFCRequest for Comment
2-3 TCP


TCP

1 SYN
2 SYN/ACK
3 ACK

2-3 1 SYN 2 SYN/ACK 3


ACK
TCP SYN half-open scanning
TCP SYN
SYN/ACK
RST/ACK
RST/ACK
TCP

TCP FIN FIN RFC 793


http://www.ietf.org/rfc/rfc0793.txt
RST UNIX TCP/IP
TCP FINURG PUSH
RFC 793 RST
TCP RFC 793
RST
TCP ACK
ACK
stateful
TCP AIX FreeBSD

TCP TCP windows


TCP RPC UNIX
RPC RPC


UDP UDP
ICMP port unreachable ICMP

UDP

UDP UDP

IP
RSTreset
TCP SYN TCP

2.2.2 TCP UDP


UNIX Windows

strobe
Julian Assange strobe ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/strobe-1.06.tgz TCP
TCP strobe
strobe 1.04

3
strobe TCP
[root] strobe 192.168.1.10
strobe 1.03 (c) 1995 Julian Assange (proff@suburbia.net).
192.168.1.10 echo     7/tcp Echo [95,JBP]
192.168.1.10 discard  9/tcp Discard [94,JBP]
192.168.1.10 sunrpc   111/tcp rpcbind SUN RPC
192.168.1.10 daytime  13/tcp Daytime [93,JBP]
192.168.1.10 chargen  19/tcp ttytst source
192.168.1.10 ftp      21/tcp File Transfer [Control] [96,JBP]
192.168.1.10 exec     512/tcp remote process execution;
192.168.1.10 login    513/tcp remote login a la telnet;
192.168.1.10 cmd      514/tcp shell like exec, but automatic
192.168.1.10 ssh      22/tcp Secure Shell
192.168.1.10 telnet   23/tcp Telnet [112,JBP]
192.168.1.10 smtp     25/tcp Simple Mail Transfer [102,JBP]
192.168.1.10 nfs      2049/tcp networked file system
192.168.1.10 lockd    4045/tcp
192.168.1.10 unknown  32772/tcp unassigned
192.168.1.10 unknown  32773/tcp unassigned
192.168.1.10 unknown  32778/tcp unassigned
192.168.1.10 unknown  32799/tcp unassigned
192.168.1.10 unknown  32804/tcp unassigned

strobe strobe TCP


UDP strobe

udp_scan
udp_scan strobe TCP udp_scan
Dan Farmer Wietse Venema 1995 SATANSecurity
Administrator Tool for Analyzing Networks
SATAN
http://wwdsilx.wwdsi.com SATAN SAINT
UDP udp_scan UDP
udp_scan
IDS
udp_scan 1024
1024
[root] udp_scan 192.168.1.1 1-1024
42:UNKNOWN:
53:UNKNOWN:
123:UNKNOWN:
135:UNKNOWN:

netcat
Hobbit (hobbit@avian.org) netcat nc


nc TCP UDP
nc -v-vv
-z I/Ozero mode I/O-w2
nc TCP UDP
-u
[root] nc -v -z -w2 192.168.1.1 1-140
[192.168.1.1] 139 (?) open
[192.168.1.1] 135 (?) open
[192.168.1.1] 110 (pop-3) open
[192.168.1.1] 106 (?) open
[192.168.1.1] 81 (?) open
[192.168.1.1] 80 (http) open
[192.168.1.1] 79 (finger) open
[192.168.1.1] 53 (domain) open
[192.168.1.1] 42 (?) open
[192.168.1.1] 25 (smtp) open
[192.168.1.1] 21 (ftp) open

[root] nc -u -v -z -w2 192.168.1.1 1-140


[192.168.1.1] 135 (ntportmap) open
[192.168.1.1] 123 (ntp) open
[192.168.1.1] 53 (domain) open
[192.168.1.1] 42 (name) open

Network Mappernmap
UNIX
nmaphttp://www.insecure.org/nmap Fyodor nmap
TCP UDP

[root]# nmap -h
nmap V. 3.70 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
-sT TCP connect() port scan (default)
* -sS TCP SYN stealth port scan (best all-around TCP scan)
* -sU UDP port scan
-sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
-sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
-p <range> ports to scan. Example range: '1-1024,1080,6666,31337'
-F Only scans ports listed in nmap-services
-v Verbose. Its use is recommended. Use twice for greater effect.
-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
-oN/-oM <logfile> Output normal/machine parsable scan logs to <logfile>
-iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
--interactive Go into interactive mode (then press h for help)
[root] nmap -sS 192.168.1.1
Starting nmap V. 3.70 by fyodor@insecure.org
Interesting ports on (192.168.1.11):
(The 1504 ports scanned but not shown below are in state: closed)
Port   State  Protocol  Service
21     open   tcp       ftp
25     open   tcp       smtp
42     open   tcp       nameserver
53     open   tcp       domain
79     open   tcp       finger
80     open   tcp       http
81     open   tcp       hosts2-ns
106    open   tcp       pop3pw
110    open   tcp       pop-3
135    open   tcp       loc-srv
139    open   tcp       netbios-ssn
443    open   tcp       https

nmap nmap
nmap
CIDR Classless Inter-Domain Routing
http://www.ietf.org/rfc/rfc1519.txt RFC 1519
192.168.1.1~ 192.168.1.254 -o
-oN

2
[root]# nmap -sF 192.168.1.0/24 -oN outfile

tab
-oM
-oN-oM

nmap -f TCP
IDS
IP

nmap -D

SYN
-D
[root] nmap -sS 192.168.1.1 -D 10.1.1.1,www.target_web.com,ME -p25,139,443
Starting nmap V. 3.70 by fyodor@insecure.org
Interesting ports on (192.168.1.1):
Port   State  Protocol  Service
25     open   tcp       smtp
443    open   tcp       https

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

nmap

ident ident RFC 1413


http://www.ietf.org/rfc/rfc1413.txt TCP
113 ident
UNIX

[root] nmap -I 192.168.1.10
Starting nmap V. 3.70 by fyodor@insecure.org
Port   State  Protocol  Service  Owner
22     open   tcp       ssh      root
25     open   tcp       smtp     root
80     open   tcp       http     root
110    open   tcp       pop-3    root
113    open   tcp       auth     root
6000   open   tcp       X11      root

Web rootnobody
ident HTTP
root
FTP FTP bounce scanningFTP
Hobbit 1995 Bugtraq
http://www.securityfocus.com/templates/archive.pike?list=1&msg=199507120620.CAA18176@narq.avian.org Hobbit FTP http://www.ietf.org/rfc/rfc0959.txt
RFC 959 FTP FTP
proxyFTP Hobbit
FTP

FTP
nmap -bFTP
/incomingFTP nmap PORT
FTP
FTP

139 135 Windows


NT Windows NT 135 139 139
Windows 95/98
strobe
UNIX portmapper (111), Berkeley R (512~514), NFS (2049), 3277X


UNIX UNIX
Solaris Solaris RPC 3277X
Solaris
TCP UDP
Windows NT 139
4 Windows NT 139

UNIX
RPCNFS
UNIX 5

2.2.3 Windows
UNIX Windows

SuperScan
Foundstone
SuperScanhttp://www.foundstone.com
Windows
SuperScan TCP UDP
2-4
ping TCP UDP


2-4 SuperScan
SuperScan Echo Requests Timestamp Requests
Address Mask Requests Information Requests ICMP

DataData+ICMP
UDP SYN TCP
TCP
UDP Data UDP

UDP
Data+ICMP Data
UDP SuperScan
Data+ICMP UDP
ICMP

SuperScan 4 CPU/
IP
SuperScan 4 Tool 2-5
/IP PingICMP HTTP HEAD
RequestHTTP GET RequestHTTPS GET Request WhoisCRSNIC Whois IPARIN


Whois IPRIPE Whois IP APNIC Whois IP

2-5 SuperScan

WinScan
Prosolve Sean Mathias WinScanhttp://www.prosolve.com
TCP winscan.exescan.exe
C
Mortice Kern Systems http://www.mks.com stringstee tr
Win32 Windows 0~1023
IP
scan.exe -n 192.168.7.0 -s 0 -e 1023 -f | strings | findstr /c:"/tcp" | tr \011\040 : | tr -s : : | tee -ia results.txt

findstr

scan.exe -f

192.168.22.5:nbsession:139/tcp
192.168.22.16:nbsession:139/tcp

192.168.22.32:nbsession:139/tcp

ipEye
Linux nmap
Arne Vidstrom ipEye http://ntsecurity.nu Windows
SYNFIN Xmas Windows
2000 ipEye SYN
TCP 20 nmap
-g
C:\>ipeye.exe 192.168.234.110 -syn -p 1 1023 -sp 20
ipEye 1.1 - (c) 2000, Arne Vidstrom (arne.vidstrom@ntsecurity.nu)
- http://ntsecurity.nu/toolbox/ipeye/
1-52 [closed or reject]
53 [open]
54-87 [closed or reject]
88 [open]
89-134 [closed or reject]
135 [open]
136-138 [closed or reject]
139 [open]
...
636 [open]
637-1023 [closed or reject]
1024-65535 [not scanned]

ACL DNSUDP 53FTP


TCP 20SMTPTCP 25 HTTPTCP 80

IP
NATNetwork Address Translation

WUPS
WUPSWindows UDP Port ScannerWindows UDP Arne
Vidstrom http://ntsecurity.nuWUPS

UDP WUPS


2-6

2-6 WUPS SNMP UDP 161


ScanLine
Windows ScanLine
Foundstone ScanLine
TCP UDP

C:\>sl -t 21,22,23,25 -u 53,137,138 192.168.0.1

ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
Scan of 1 IP started at Fri Nov 22 23:09:34 2002
-----------------------------------------------------------
192.168.0.1
Responded in 0 ms.
1 hop away
Responds with ICMP unreachable: No
TCP ports: 21 23
UDP ports:
-------------------------------------------------------------
Scan finished at Fri Nov 22 23:09:46 2002
1 IP and 7 ports scanned in 0 hours 0 mins 12.07 secs

ScanLine

ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
sl [-?bhijnprsTUvz]
[-cdgmq ]
[-fl LoO <file>]
[-tu [, - ]]
IP[,IP-IP]
-? - Shows this help text
-b - Get port banners
-c - Timeout for TCP and UDP attempts (ms). Default is 4000
-d - Delay between scans (ms). Default is 0
-f - Read IPs from file. Use "stdin" for stdin
-g - Bind to given local port
-h - Hide results for systems with no open ports
-i - For pinging use ICMP Timestamp Requests in addition to Echo
Requests
-j - Don't output "-----..." separator between IPs
-l - Read TCP ports from file
-L - Read UDP ports from file
-m - Bind to given local interface IP
-n - No port scanning - only pinging (unless you use -p)
-o - Output file (overwrite)
-O - Output file (append)
-p - Do not ping hosts before scanning
-q - Timeout for pings (ms). Default is 2000
-r - Resolve IP addresses to hostnames
-s - Output in comma separated format (csv)
-t - TCP port(s) to scan (a comma separated list of ports/ranges)
-T - Use internal list of TCP ports
-u - UDP port(s) to scan (a comma separated list of ports/ranges)
-U - Use internal list of UDP ports
-v - Verbose mode
-z - Randomize IP and port scan order
Example: sl -bht 80,100-200,443 10.0.0.1-200
This example would scan TCP ports 80, 100, 101...200 and 443 on all IP
addresses from 10.0.0.1 to 10.0.1.200 inclusive, grabbing banners
from those ports and hiding hosts that had no open ports.


2.2.4
2-2

Tool        TCP  UDP  Resource
UNIX
strobe      X         ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/strobe-1.06.tgz
tcp_scan    X         http://wwdsilx.wwdsi.com/saint
udp_scan         X    http://wwdsilx.wwdsi.com/saint
nmap        X    X    http://www.insecure.org/nmap
netcat      X    X    http://packetstorm.securify.com/UNIX/utilities/nc110.tgz
Windows
netcat      X    X*   http://www.atstake.com/research/tools/nc11nt.zip
SuperScan   X         http://members.home.com/rkeir/software.html
WinScan     X         http://www.prosolve.com
ipEye       X         http://ntsecurity.nu
WUPS             X    http://ntsecurity.nu
ScanLine    X    X    http://www.foundstone.com
* Windows netcat UDP

2-2

TCP UDP

Snort IDS
Snortwww.snort.org IDS Snort
NIDS
Snort 1.x Snort


[**] spp_portscan: PORTSCAN DETECTED from 192.168.1.10 [**]
05/22-18:48:53.681227
[**] spp_portscan: portscan status from 192.168.1.10: 4 connections across 1 hosts: TCP(0), UDP(4) [**]
05/22-18:49:14.180505
[**] spp_portscan: End of portscan from 192.168.1.10 [**]
05/22-18:49:34.180236

UNIX Solar Designer scanlogd http://www.openwall.com/scanlogd Abacus http://www.psionic.com/abacus Psionic PortSentry

PortSentry
Linux 2.2.x portsentry.conf

# New ipchain support for Linux kernel version 2.102+


KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

PortSentry Solaris UNIX

IP Solar Designer
http://www.openwall.com/scanlogd/P53-13.gz

SYN FIN

Psionic Logcheck http://www.psionic.com/abacus/logcheck/
threshold logging


Lance Spitzner http://www.enteract.com/~lspitz/intrusion.html Firewall-1
alert.sh Firewall-1

Windows Independent Software Genius 2.0


http://www.indiesoft.com Genius 3.2.2
Windows 95/98 Windows NT/2000/2003
TCP Genius

IP DNS

Genius TCP SYN

UNIX
/etc/inetd.conf
UNIX 5
Windows Windows
Windows TCP 139 445
Control Panel | Services |
4 Windows

2.3


TCP UDP


10
8
4

IT

3
FTPtelnetSMTPHTTPPOP

nmap
queso
2.3.1
nmap queso
stack fingerprinting
IP
RFC

nmap
Fyodor Phrack Magazine
http://www.insecure.org/nmap/nmapfingerprinting-article.html

FIN FIN RFC 793

Windows NT/2000/2003 FIN/ACK


SYN TCP TCP


Linux
ISNInitial Sequence Number TCP

DF DF Don't fragment bit TCP/IP


DF

TCP
TCP/IP

ACK IP ACK
1

ICMP
RFC 1812
http://www.ietf.org/rfc/rfc1812.txt ICMP
UDP
UDP

ICMP ICMP
ICMP
ICMP / ICMP
IP IP

TOSType of Service ICMP port


unreachable ICMP TOS
0
Thomas Ptacek Tim Newsham
Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
http://www.clark.net/~roesch/idspaper.html


TCP RFC 793 RFC 1323 http://www.ietf.org/rfc/rfc1323.txt TCP RFC 1323 TCP

TCP

nmap -OICMP

[root] nmap -O 192.168.1.10

Starting nmap V. 3.70 by fyodor@insecure.org
Interesting ports on shadow (192.168.1.10):
Port   State  Protocol  Service
7      open   tcp       echo
9      open   tcp       discard
13     open   tcp       daytime
19     open   tcp       chargen
21     open   tcp       ftp
22     open   tcp       ssh
23     open   tcp       telnet
25     open   tcp       smtp
37     open   tcp       time
111    open   tcp       sunrpc
512    open   tcp       exec
513    open   tcp       login
514    open   tcp       shell
2049   open   tcp       nfs
4045   open   tcp       lockd
TCP Sequence Prediction: Class=random positive increments
Difficulty=26590 (Worthy challenge)
Remote operating system guess: Solaris 2.5, 2.51

nmap -O
nmap

[root]# nmap -p80 -O 10.10.10.10

Starting nmap V. 3.70 by fyodor@insecure.org
Warning: No ports found open on this machine, OS detection will be MUCH less reliable
No ports open for host (10.10.10.10)
Remote OS guesses: Linux 2.0.27 - 2.0.30, Linux 2.0.32-34, Linux 2.0.35-36,
Linux 2.1.24 PowerPC, Linux 2.1.76, Linux 2.1.91 - 2.1.103,
Linux 2.1.122 - 2.1.132; 2.2.0-pre1 - 2.2.2, Linux 2.2.0-pre6 2.2.2-ac5
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

nmap
Linux
nmap nmap-os-fingerprints
nmap

nmap TCP
nmap
Fyodor nmap
queso
http://packetstormsecurity.org/UNIX/scanners/queso-980922.tar.gz queso

80 80
queso 25
[root] queso 10.10.10.20:25
10.10.10.20:25

* Windoze 95/98/NT

nmap queso
SYN

FreeBSD 4.x

TCP_DROP_SYNFIN nmap
SYN+FIN OS
RFC 1644 TCP Extension for Transactions TCP

5
6
4

nmap queso

IDS

2.3.2
TCP/IP

Lance Spitzner
http://project.honeynet.org Marshall Beddoe Chris
Abad siphon
http://packetstormsecurity.org/UNIX/utilities/siphon-v.666.tar.gz

TCP/IP
TTL TTLTime-To-Live
Window size
DF Don't Fragment TCP/IP

siphon
shadow 192.168.1.10
quake192.168.1.11 telnet siphon

[shadow] # telnet 192.168.1.11

Snort telnet
06/04-11:23:48.297976 192.168.1.11:23 -> 192.168.1.10:2295
TCP TTL:255 TOS:0x0 ID:58934 DF
**S***A* Seq: 0xD3B709A4 Ack: 0xBE09B2B7 Win: 0x2798
TCP Options => NOP NOP TS: 9688775 9682347 NOP WS: 0 MSS: 1460

TCP/IP
TTL = 255
Window Size = 0x2798
Don't fragment (DF) = Yes
siphon osprints.conf
[shadow]# grep -i solaris osprints.conf
# Window:TTL:DF:Operating System DF = 1 for ON, 0 for OFF.
2328:255:1:Solaris 2.6 - 2.7
2238:255:1:Solaris 2.6 - 2.7
2400:255:1:Solaris 2.6 - 2.7
2798:255:1:Solaris 2.6 - 2.7
FE88:255:1:Solaris 2.6 - 2.7
87C0:255:1:Solaris 2.6 - 2.7
FAF0:255:0:Solaris 2.6 - 2.7
FFFF:255:1:Solaris 2.6 - 2.7

snort 2798 TTL 255 DF 1 siphon

[crush]# siphon -v -i xl0 -o fingerprint.out

Running on: 'crush' running FreeBSD 4.0-RELEASE on a(n) i386
Using Device: xl0
Host            Port   TTL   DF   Operating System
192.168.1.11    23     255   ON   Solaris 2.6 - 2.7

Solaris 2.6 192.168.1.11
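The Window:TTL:DF lookup that siphon performs against osprints.conf, written out as an added Python example (not siphon's own code). The Snort dump and the osprints.conf excerpt are constructed from the lines above; the hop-tolerant TTL rounding is an assumption added here, not siphon's behaviour.

```python
"""Passive TCP/IP stack fingerprinting in the style of siphon (added example,
not siphon's own code). Matches the Window size, TTL and DF bit of an
observed SYN+ACK against entries in the Window:TTL:DF:OS format of
siphon's osprints.conf; the sample inputs below are constructed."""
import re

# Constructed excerpt in the osprints.conf format shown on the page.
OSPRINTS_SAMPLE = """\
# Window:TTL:DF:Operating System DF = 1 for ON, 0 for OFF.
2328:255:1:Solaris 2.6 - 2.7
2798:255:1:Solaris 2.6 - 2.7
FAF0:255:0:Solaris 2.6 - 2.7
FFFF:255:1:Solaris 2.6 - 2.7
"""

# Constructed Snort ASCII dump of the SYN+ACK sent by 192.168.1.11:23.
SNORT_SAMPLE = """\
06/04-11:23:48.297976 192.168.1.11:23 -> 192.168.1.10:2295
TCP TTL:255 TOS:0x0 ID:58934 DF
**S***A* Seq: 0xD3B709A4 Ack: 0xBE09B2B7 Win: 0x2798
TCP Options => NOP NOP TS: 9688775 9682347 NOP WS: 0 MSS: 1460
"""

# Common initial TTL values; used only by the hop-tolerant match below.
INITIAL_TTLS = (32, 64, 128, 255)


def load_osprints(text):
    """Parse osprints.conf lines into (window, ttl, df, os_name) tuples.
    The window field is hexadecimal; DF is 1 for on and 0 for off."""
    prints = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        win, ttl, df, os_name = line.split(":", 3)
        prints.append((int(win, 16), int(ttl), df == "1", os_name))
    return prints


def parse_snort_synack(text):
    """Extract source, window, TTL and DF from a Snort ASCII packet dump.
    Returns None unless the packet is a SYN+ACK (flags column **S***A*),
    since only the responder's SYN+ACK carries its stack's defaults."""
    hdr = re.search(r"^\S+ (\S+) -> \S+$", text, re.M)
    ip = re.search(r"^TCP TTL:(\d+) TOS:\S+ ID:\d+( DF)?", text, re.M)
    tcp = re.search(r"^\*\*S\*\*\*A\* .*Win: 0x([0-9A-Fa-f]+)", text, re.M)
    if not (hdr and ip and tcp):
        return None
    return {
        "src": hdr.group(1),
        "window": int(tcp.group(1), 16),
        "ttl": int(ip.group(1)),
        "df": ip.group(2) is not None,
    }


def normalize_ttl(ttl):
    """Round an observed TTL up to the next common initial TTL.
    Assumption added here (not siphon's behaviour): every router hop
    decrements TTL, so a remote host's packet arrives below its initial value."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial
    return ttl


def match_os(obs, prints, hop_tolerant=False):
    """Return the sorted OS names whose Window:TTL:DF entry matches obs.
    Exact matching is what siphon does; hop_tolerant=True compares the
    normalized TTL instead, so a host several hops away can still match."""
    ttl = normalize_ttl(obs["ttl"]) if hop_tolerant else obs["ttl"]
    hits = {os_name for win, p_ttl, df, os_name in prints
            if (win, p_ttl, df) == (obs["window"], ttl, obs["df"])}
    return sorted(hits)


if __name__ == "__main__":
    observed = parse_snort_synack(SNORT_SAMPLE)
    print(observed["src"], match_os(observed, load_osprints(OSPRINTS_SAMPLE)))
```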


IP

siphon
nmap

10
9
9

cheops http://www.marko.net/cheops
2-7 pingtraceroute queso

cheops

2-7 cheops
tkined Scotty http://wwwhome.cs.utwente.nl/schoenw/scotty
tkined Tcl
IP tkined

1 tkined Scotty

Scottytkined cheops

2.4
ping TCPUDP ICMP
ping
TCP/UDP

enumeration

web

2 SuperScan
banner

4
5

TCP UDP TCP 25


SMTP UDP 69 TFTP TCP 79 finger
TCP UDP
65,535

NT New
Technology NT Windows NT 3.x
4.x Windows 2000Windows XP Windows Server 2003 NT

DOS/Windows 1.x/3.x/9x/Me DOS

3.1
2

telnet netcat

5
9
1

telnet
telnet
telnet

C:\>telnet www.corleone.com 80
HTTP/1.0 400 Bad Request
Server: Netscape-Commerce/1.12
Your browser sent a non-HTTP compliant message.

HTTP80 SMTP25 FTP21


TCP/IP netcat

Hobbithobbit@atstake.comWeld Pond L0pht


Windows NT Windows NT Windows 2000XP 2003
Server http://www.atstake.com/research/tools/network_utilities netcat
netcat

TCP/IP
C:\>nc -v www.corleone.com 80
www.corleone.com [192.168.45.7] 80 (?) open

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/4.0
Date: Sat, 03 Apr 1999 08:42:40 GMT
Content-Type: text/html
Content-Length: 87
<html><head><title>Error</title></head>
<body>The parameter is incorrect.</body>
</html>

netcat readme
netcat nudge.txt
GET / HTTP/1.0
[root$]nc -nvv -o banners.txt 192.168.202.34 80 < nudge.txt
HTTP/1.0 200 OK
Server: Sun_WebServer/2.0
Date: Sat, 10 Apr 1999 07:42:59 GMT
Content-Type: text/html
Last-Modified: Wed, 07 Apr 1999 15:54:18 GMT
ETag: "370a7fbb-2188-4"
Content-Length: 8584
<HTML>
<HEAD>
<META NAME="keywords" CONTENT="BigCorp, hacking, security">
<META NAME="description" CONTENT="Welcome to BigCorp's Web site. BigCorp is a leading manufacturer of security holes.">
<TITLE>BigCorp Corporate Home Page</TITLE>
</HEAD>
</HTML>

IP netcat -n

Sun WebServer 2.0


nudge.txt:
HEAD / HTTP/1.0 <cr><cr>
QUIT <cr>
HELP <cr>
ECHO <cr><cr>

netcat

netcat

3.2

FTP TCP 21

1
10
1

FTPFile Transfer Protocol

FTP
Web FTP Web
12
FTP

FTP
Windows FTP
FTP anonymous

C:\>ftp ftp.tnrcc.state.tx.us
Connected to www.tnrcc.state.tx.us.
220 www FTP server (Version 1.1.214.4(PHNE_29461) Thu Nov 20 06:40:06 GMT 2003) ready.
User (www.tnrcc.state.tx.us:(none)): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
lost+found
etc
incoming
pub
usr
226 Transfer complete.
ftp: 37 bytes received in 0.00Seconds 37000.00Kbytes/sec.
ftp>

FTP Web
FTP FTP
FTP http://www.bpftp.com
BulletProof FTP http://www.ftp-sites.org FTP

FTP FTP
FTP wu-ftp

FTP
FTP FTP

SMTP TCP 25

5
9
1

Internet
Simple Mail Transfer Protocol SMTP TCP 25
SMTP VRFY
EXPN

telnet SMTP
[root$]telnet 192.168.202.34 25
Trying 192.168.202.34...
Connected to 192.168.202.34.
Escape character is '^]'.
220 mail.bigcorp.com ESMTP Sendmail 8.8.7/8.8.7; 11 Apr 2002
vrfy root
250 root <root@bigcorp.com>
expn adm
250 adm <adm@bigcorp.com>
quit
221 mail.bigcorp.com closing connection

SMTP
SMTP
sendmail http://www.sendmail.org SMTP
8 mail.cf VRFY EXPN

Exchange Server
EXPN VRFY SMTP

DNS TCP 53

5
9
2

1 DNSDomain Name System


DNS
IP Amazon.com DNS
TCP 53 DNS
zone
IP HINFOHost Information Record
1
Microsoft DNS Active DirectoryAD
NT4
AD DNS DNS DNS SRV
RFC 2052 AD Kerberos
LDAPFTP WWW TCP
nslookup ls -d <domainname>
labfarce.org
C:\>nslookup
Default Server: corp-dc.labfarce.org
Address: 192.168.234.110
> ls -d labfarce.org
[[192.168.234.110]]
labfarce.org.    SOA   corp-dc.labfarce.org admin.
labfarce.org.    A     192.168.234.110
labfarce.org.    NS    corp-dc.labfarce.org
. . .
_gc._tcp         SRV   priority=0, weight=100, port=3268, corp-dc.labfarce.org
_kerberos._tcp   SRV   priority=0, weight=100, port=88, corp-dc.labfarce.org
_kpasswd._tcp    SRV   priority=0, weight=100, port=464, corp-dc.labfarce.org
_ldap._tcp       SRV   priority=0, weight=100, port=389, corp-dc.labfarce.org

RFC 2052 SRV


Service.Proto.Name TTL Class SRV Priority Weight Port Target

Global Catalog
_gc._tcp Kerberos _kerberos._tcpLDAP
_ldap._tcp TCP
DNS
DNS
Window NT4 DNS Computer
Management MMCMicrosoft Management Console
forward lookup domain labfarce.org
Properties
\Services and Applications\DNS\[server_name]\Forward Lookup Zones\[zone_name] | Properties

Windows 2000
Allow Zone Transfers
DNS

Windows 2003 Server DNS

TFTP TCP/UDP 69

1
3
7

UNIX/Linux
/etc/passwd 7

passwd TFTPTrivial File Transfer Protocol


UDP 69 TFTP
/etc/passwd
[root$]tftp 192.168.202.34
tftp> connect 192.168.202.34
tftp> get /etc/passwd /tmp/passwd.cracklater
tftp> quit

passwd

TFTP
TFTP
ACL
TFTP
TCP Wrappers /tftpboot
TFTP

FingerTCP/UDP 79

7
10
1

UNIX/Linux finger
Internet Finger

finger
finger 79
[root$]finger -l @target.hackme.com
[target.hackme.com]
Login: root
Name: root
Directory: /root
Shell: /bin/bash
On since Sun Mar 28 11:01 (PST) on tty1
11 minutes idle
(messages off)
On since Sun Mar 28 11:01 (PST) on ttyp0 from :0.0
3 minutes 6 seconds idle
No mail.
Plan:
John Smith
Security Guru
Telnet password is my birthdate.

finger 0@hostname
[root$]finger 0@192.168.202.34
[192.168.202.34]
Line        User    Host(s)     Idle       Location
* 2 vty 0           idle        0          192.168.202.14
  Se0               Sync PPP    00:00:02

finger /etc/passwd
finger

14 home
.plan .project
finger
Finger
finger inetd.conf
killall -HUP inetd 79 finger
TCP Wrappers 7 finger

HTTP TCP 80

5
9
1

web
web Code Red Nimda ida/idq
Internet

telnet netcat HTTP


netcat HTTP TCP 80
web HTTP HEAD
netcat
HEAD

C:\>nc -v www.corleone.com 80
www.corleone.com [192.168.45.7] 80 (?) open
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 08 May 2001 00:52:25 GMT
Connection: Keep-Alive
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGGQGQLAO=IPGFKBKDGDPOOHCOHIKOAKHI; path=/
Cache-control: private

HTTP HEAD
HEAD
SSL netcat SSL
SSL openssl sslproxy
HTML
Blighty Design http://samspade.org/ssw
Sam Spade 3-1 Sam Spade
password

3-1 Sam Spade Crawl Website

HTML Web
12

Web Hacking
Exposed: Web Applications McGraw-Hill/Osborne 2002
http://www.webhackingexposed.com

HTTP
web web
Internet Information
ServicesIISIIS
Microsoft Data Access ComponentsMDACUnicode Internet Printing Protocol
12 IIS Code Red Nimda
IIS IIS

IIS IIS DLL %systemroot%\system32\inetsrv\w3svc.dll Windows 2000
DLL Windows System File ProtectionSFP
SFP
IIS ISAPI SetHeader
Knowledge BaseKB
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q294735 URLScan IIS Lockdown
http://www.microsoft.com/technet/security/tools/locktool.mspx URLScan
ISAPI IIS web
URLScan
Hacking Exposed: Web Applications (McGraw-Hill/Osborne, 2002)

IIS Lockdown Windows Server 2003/IIS 6 IIS


6 IIS Lockdown
IIS 6 URLScan
IIS 6

Microsoft RPC MSRPCTCP 135

7
8
1

Microsoft Windows TCP 135 Remote Procedure Call (RPC) endpoint mapper


Reskit
epdump MSRPC IP
TCP 135
MSRPC
C:\>epdump mail.victim.com
binding is 'ncacn_ip_tcp:mail.victim.com'
int 82ad4280-036b-11cf-972c-00aa006887b0 v2.0
binding 00000000-etc.@ncalrpc:[INETINFO_LPC]
annot ''
int 82ad4280-036b-11cf-972c-00aa006887b0 v2.0
binding 00000000-etc.@ncacn_ip_tcp:216.154.242.126[1051]
annot ''
int 82ad4280-036b-11cf-972c-00aa006887b0 v2.0
binding 00000000-etc.@ncacn_ip_tcp:192.168.10.2[1051]
annot ''
no more entries

IP 216.154.242.126
192.168.1.2 MSRPC IP RFC
1918

ncacn_ip_tcp TCP
ncacn_ip_udp
UDP Jean-Baptiste Marchand Windows
http://www.hsc.fr/ressources/articles/win_net_srv

MSRPC rpcdump Microsoft Reskits


rpcdump
http://www.bindview.com/Support/Razor/Utilitis/Windows/rpctools1.0readme.cfm

MSRPC
MSRPC TCP 135
Microsoft Exchange Server Internet Outlook MAPI
Exchange
Outlook/Exchange TCP 135

TCP 135
IP ACL
HTTPS Microsoft
Outlook Web AccessOWA Outlook OWA Exchange
web HTTPS OWA
[two-factor authentication
mechanisms] Windows Server 2003 Exchange 2003 RPC over
HTTP HTTP RPC OWA
Outlook http://support.microsoft.com/default.aspx?kbid=833401

http://msdn.microsoft.com/library/library/enus/rpc/rpc/rpc_over_http_security.asp
MSRPC RPC
Writing a Secure RPC Client or
Server RPC
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/writing_a_secure_rpc_client_or_server.asp

NBNS UDP 137

7
5
3

NBNS NetBIOS Name Service NetBIOS Microsoft


Windows Windows 2000 NBNS
Internet DNS Windows
NBNS TCP/IP
NBNS Windows
NBNS
NBNS NetBIOS
NBNS NBNS

UDP 137 Windows

net view Windows


net view Windows NT

net view
C:\>net view /domain
Domain
-------------------------------------------------------
CORLEONE
BARZINI_DOMAIN
TATAGGLIA_DOMAIN
BRAZZI

C:\>net view /domain:corleone
Server Name            Remark
-------------------------------------------------------
\\VITO                 Make him an offer he can't refuse
\\MICHAEL              Nothing personal
\\SONNY                Badda bing badda boom
\\FREDO                I'm smart
\\CONNIE               Don't forget the cannoli

net view NBNS


NBNS TCP/IP net view Windows

DHCP

Ping 2 IP
NetBIOS IP NetBIOS
\\192.168.202.5 \\server_name
#PRE%systemroot%\system32\drivers\etc\LMHOSTS
nbtstat -R
NetBIOS NetBIOS
LMHOSTS IP

Windows
Windows Windows Resource Kit
RK Reskit nltest RK

net view Windows

C:\>nltest /dclist:corleone
List of DCs in Domain corleone
\\VITO (PDC)
\\MICHAEL
\\SONNY
The command completed successfully

Reskit Netdom Windows


BDC
netviewx
Jesper Lauritsen netviewx http://www.ibt.ku.dk/jesper/NTtools
net view
netviewx NT Remote Access ServiceRAS
-D -T

C:\>netviewx -D CORLEONE -T dialin_server
VITO,4,0,500,nt%workstation%server%domain_ctrl%time_source%dialin_server%backup_browser%master_browser," Make him an offer he can't refuse "

%
Netviewx
nbtstat nbtscan NetBIOS
Nbtstat
NetBIOS
C:\>nbtstat -A 192.168.202.33
NetBIOS Remote Machine Name Table
   Name                Type         Status
---------------------------------------------
SERVR9          <00>  UNIQUE      Registered
SERVR9          <20>  UNIQUE      Registered
9DOMAN          <00>  GROUP       Registered
9DOMAN          <1E>  GROUP       Registered
SERVR9          <03>  UNIQUE      Registered
INet~Services   <1C>  GROUP       Registered
IS~SERVR9...... <00>  UNIQUE      Registered
9DOMAN          <1D>  UNIQUE      Registered
..__MSBROWSE__. <01>  GROUP       Registered
ADMINISTRATOR   <03>  UNIQUE      Registered

MAC Address = 00-A0-CC-57-8C-8A

nbtstat SERVR9
9DOMAN ADMINISTRATOR INet~Services MAC (Media Access Control)
NetBIOS service code 3-1
NetBIOS
NetBIOS

NetBIOS code            Resource
<computer name>[00]     Workstation Service
<domain name>[00]       Domain Name
<computer name>[03]     Messenger Service (messages sent to this computer)
<user name>[03]         Messenger Service (messages sent to this user)
<computer name>[20]     Server Service
<domain name>[1D]       Master Browser
<domain name>[1E]       Browser Service Elections
<domain name>[1B]       Domain Master Browser
3-1 NetBIOS
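An added Python decoder (not code from the book or from nbtstat) that maps each entry of an nbtstat -A name table to the Table 3-1 service codes, so a defender can read off what a host advertises over UDP 137. The name table below is constructed from the SERVR9 output above; codes that Table 3-1 does not list are reported as unknown rather than guessed.

```python
"""Decoder for the NetBIOS name table returned by nbtstat -A (added example,
not from the book or from nbtstat). Each <name><code> entry is labelled with
the service from Table 3-1; the sample table below is constructed."""
import re

# Constructed nbtstat -A output for 192.168.202.33.
NBTSTAT_SAMPLE = """\
NetBIOS Remote Machine Name Table
   Name                Type         Status
---------------------------------------------
SERVR9          <00>  UNIQUE      Registered
SERVR9          <20>  UNIQUE      Registered
9DOMAN          <00>  GROUP       Registered
9DOMAN          <1E>  GROUP       Registered
SERVR9          <03>  UNIQUE      Registered
INet~Services   <1C>  GROUP       Registered
IS~SERVR9...... <00>  UNIQUE      Registered
9DOMAN          <1D>  UNIQUE      Registered
..__MSBROWSE__. <01>  GROUP       Registered

MAC Address = 00-A0-CC-57-8C-8A
"""
# The logged-on user entry, appended separately so the sample stays readable.
NBTSTAT_SAMPLE = NBTSTAT_SAMPLE.replace(
    "\nMAC Address", "ADMINISTRATOR   <03>  UNIQUE      Registered\n\nMAC Address")

ENTRY_RE = re.compile(r"^\s*(.+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)
MAC_RE = re.compile(r"^MAC Address = ([0-9A-Fa-f-]{17})", re.M)

# Table 3-1 service codes, keyed by (suffix, name type).
SERVICE_CODES = {
    ("00", "UNIQUE"): "Workstation Service",
    ("00", "GROUP"): "Domain Name",
    ("03", "UNIQUE"): "Messenger Service",
    ("20", "UNIQUE"): "Server Service",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
    ("1B", "UNIQUE"): "Domain Master Browser",
}


def parse_name_table(text):
    """Return (entries, mac); entries are (name, suffix, type, status) tuples."""
    entries = [(m.group(1), m.group(2).upper(), m.group(3), m.group(4))
               for m in ENTRY_RE.finditer(text)]
    mac = MAC_RE.search(text)
    return entries, (mac.group(1).upper() if mac else None)


def summarize_host(text):
    """Turn a raw name table into what the host exposes: computer name,
    domain/workgroup, logged-on users, advertised roles and MAC address.
    Codes outside Table 3-1 (and other names under 00/03/20) go to 'unknown'."""
    entries, mac = parse_name_table(text)
    registered = [e for e in entries if e[3] == "Registered"]
    # The first UNIQUE <00> entry is the computer name itself.
    computer = next((n for n, s, t, _ in registered
                     if (s, t) == ("00", "UNIQUE")), None)
    summary = {"computer": computer, "domain": None, "users": [],
               "roles": [], "unknown": [], "mac": mac}
    for name, suffix, ntype, _ in registered:
        service = SERVICE_CODES.get((suffix, ntype))
        if service is None:
            summary["unknown"].append((name, suffix))
        elif (suffix, ntype) == ("00", "GROUP"):
            summary["domain"] = name
        elif suffix == "03" and name != computer:
            summary["users"].append(name)              # <user name>[03]
        elif suffix in ("00", "20") and name != computer:
            summary["unknown"].append((name, suffix))  # e.g. IS~SERVR9 <00>
        else:
            summary["roles"].append(service)
    return summary


if __name__ == "__main__":
    for key, value in summarize_host(NBTSTAT_SAMPLE).items():
        print(f"{key:9} {value}")
```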

nbtstat Alla
Bezroutchko nbtscan

http://www.inetcat.org/software/nbtscan.html Nbtscan


nbtstat
C:\>nbtscan 192.168.234.0/24
Doing NBT name scan for addresses from 192.168.234.0/24
IP address        NetBIOS Name   Server     User      MAC address
----------------------------------------------------------------------
192.168.234.36    WORKSTN12      <server>   RSMITH    00-00-86-16-47-d6
192.168.234.110   CORP-DC        <server>   CORP-DC   00-c0-4f-86-80-05
192.168.234.112   WORKSTN15      <server>   ADMIN     00-80-c7-0f-a5-6d
192.168.234.200   SERVR9         <server>   ADMIN     00-a0-cc-57-8c-8a

nbtscan Windows
C
NBNS
UDP 137 NBNSNetBIOS Name
ServiceNetBIOS UDP 137

NetBIOS Alerter
Messenger Windows Services
Windows 2000 TCP/IP
NetBIOS NBNS

UDP 137 Windows


NBNS

NetBIOS TCP 139

8
10
8

Windows NT
Windows null session/anonymous connection

Windows
Server Message BlockSMBFile
and Print SharingLinux SMB Samba
API SMB Windows

SMB Windows
SMB
SMB null session
C:\> net use \\192.168.202.33\IPC$ "" /u:""

net use
" "/u : " "
IP 192.168.202.33 IPC$

Red Buttonnull session connections anonymous logon

SMB TCP 139 NetBIOS TCP 445


TCP/IP SMBDirect Host
TCP 445

Windows null session


Windows
net view
C:\>net view \\vito
Shared resources at \\192.168.7.45
VITO
Share name    Type   Used as   Comment
----------------------------------------------------------
NETLOGON      Disk             Logon server share
Test          Disk             Public access
The command completed successfully.

Resource Kit rmtshare srvcheck srvinfo rmtshare net view srvcheck

srvinfo -s
Windows DumpSec
DumpAcl 3-2
Somarsoft http://www.somarsoft.com NT
DumpSec
3-2
DumpSec

3-2 DumpSec

NetBIOS Legion
Internet

Legion C 2.1

Windows 4 5
Windows NetBIOS Auditing ToolNAT Andrew
Tridgell NAT Hacking Exposed
http://www.osborne.com/he5 Rhino9 Security Team Neon Surge
Chameleon NAT 3-3 NAT

3-3 NetBIOS Auditing ToolNAT

NT Windows
NT

Windows
HKLM\System\CurrentControlSet\Control\SecurePipeServer\Winreg\AllowedPaths
HKLM\Software\Microsoft\Windows NT\CurrentVersion
RK regdmp
Somarsoft DumpSecRegdmp

Windows
NetBus 5 14
C:\>regdmp -m \\192.168.202.33 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemTray = SysTray.Exe
BrowserWebCheck = loadwc.exe

DumpSec regdmp 3-4 Dump


Services Win32

3-4 DumpSec

nltest NetBIOS Name Service


nltest /server:<server_name>
/trusted_domains Windows

Windows
DumpSec
NT
DumpSecDumpSec

C:\>dumpsec /computer=\\192.168.202.33 /rpt=usersonly /saveas=tsv /outfile=c:\temp\users.txt
C:\>cat c:\temp\users.txt
4/3/99 8:15 PM - Somarsoft DumpSec - \\192.168.202.33
UserName     FullName             Comment
barzini      Enrico Barzini       Rival mob chieftain
godfather    Vito Corleone        Capo
godzilla     Administrator        Built-in account for administering the domain
Guest                             Built-in account for guest access
lucca        Lucca Brazzi         Hit man
mike         Michael Corleone     Son of Godfather

DumpSec GUI

Comments
Windows sid2user user2sid Evgenii Rudnyi
http://www.chem.msu.su:8080/~rudnyi/NT/sid.txt
NT SIDSID
NT SID SID
Mark Russinovich http://www.win2000mag.com/Articles/Index.cfm?ArticleID=3143 user2sid SID SID

C:\>user2sid \\192.168.202.33 "domain users"
S-1-5-21-8915387-1645822062-1819828000-513
Number of subauthorities is 5
Domain is WINDOWSNT
Length of SID in memory is 28 bytes
Type of SID is SidTypeGroup

SID S-1
RID Windows
Administrator GuestAdministrator RID 500 Guest
RID 501 sid2user SID 500
RID
C:\>sid2user \\192.168.2.33 5 21 8915387 1645822062 1819828000 500
Name is godzilla
Domain is WINDOWSNT
Type of SID is SidTypeUser

S-1 NT
RID 1000 RID
100110021003 RID NT

SID

RestrictAnonymous 1 139 445


Sid2user/user2sid

user2sid/sid2user
user2sid
SIDNT 1000 RID NT
shell FOR sid2user
50
C:\>for /L %i IN (1000,1,1050) DO sid2user \\acmepdc1 5 21 1915163094 1258472701 648912389 %i >> users.txt
C:\>cat users.txt
Name is IUSR_ACMEPDC1
Domain is ACME
Type of SID is SidTypeUser
Name is MTS Trusted Impersonators
Domain is ACME
Type of SID is SidTypeAlias
. . .

NT shellPerlVBScript
139 445
RestrictAnonymous 1

UserDump TCP 445


SID

BindView Razor enum SMB


http://www.bindview.com/support/Razor/utilities

C:\>enum

usage: enum [switches] [hostname|ip]
-U: get userlist
-M: get machine list
-N: get namelist dump (different from -U|-M)
-S: get sharelist
-P: get password policy information
-G: get group and member list
-L: get LSA policy information
-D: dictionary crack, needs -u and -f
-d: be detailed, applies to -U and -S
-c: don't cancel sessions
-u: specify username to use (default "")
-p: specify password to use (default "")
-f: specify dictfile to use (wants -D)

enum -P
-D-u-f
enum
C:\>enum -U -d -P -L -c 172.16.41.10
server: 172.16.41.10
setting up session... success.
password policy:
min length: none
. . .
lockout threshold: none
opening lsa policy... success.
names:
netbios: LABFARCE.COM
domain: LABFARCE.COM
. . .
trusted domains:
SYSOPS
PDC: CORP-DC
netlogon done by a PDC server
getting user list (pass 1, index 0)... success, got 11.
Administrator (Built-in account for administering the computer/domain)
attributes:
chris attributes:
Guest (Built-in account for guest access to the computer/domain)
attributes: disabled
. . .
keith attributes:
Michelle attributes:
. . .

enum -D -u <username> -f < dictfile>


Nete enum Cult of the Dead Cow Sir
Dystic /O
nete nete

C:\>nete
NetE v.96 Questions, comments, etc. to sirdystic@cultdeadcow.com
Usage: NetE [Options] \\MachinenameOrIP
Options:
/0 - All NULL session operations
/A - All operations
/B - Get PDC name
/C - Connections
/D - Date and time
/E - Exports
/F - Files
/G - Groups
/I - Statistics
/J - Scheduled jobs
/K - Disks
/L - Local groups
/M - Machines
/N - Message names
/Q - Platform specific info
/P - Printer ports and info
/R - Replicated directories
/S - Sessions
/T - Transports
/U - Users
/V - Services
/W - RAS ports
/X - Uses
/Y - Remote registry trees
/Z - Trusted domains

NT getmac
MAC
RestrictAnonymous 1getmac
Reskit usrstat showgrps local global

Arne Vidstrom Winfo http://www.ntsecurity.nu


-n
Next Generation Security Software Ltd. NGSS David Litchfield
Nbtdump
HTML Nbtdump http://www.atstake.com/research/tools/info_gathering
SMB
Windows 2000 TCP 139 445
TCP UDP 139 445
NT 3~4.x SMB Network Control Panel
Bindings WINS ClientTCP/IP
NT 4 Service Pack 3 SMB
SMB
RestrictAnonymous

1. regedt32 HKLM\SYSTEM\CurrentControlSet\Control\LSA
2. Edit | Add Value
   Value Name: RestrictAnonymous
   Data Type:  REG_DWORD
   Value:      1 (Windows 2000: 2)

3.
Windows 2000
MMC Security Policies
RestrictAnonymous NT 4
Organizational Unit
Windows 2000 Active Directory

Group Policy 5
RestrictAnonymous 1

RestrictAnonymous 1

Windows 2000 CIFS/SMB


Additional Restrictions For Anonymous Connections No Access Without Explicit
Anonymous Permissions Windows 2000
RestrictAnonymous 2

RestrictAnonymous 2 Everyone

C:\>net use \\mgmgrand\ipc$ "" /u:""
System error 5 has occurred.
Access is denied.

/ Windows
Windows 2000 dsclient
Windows 95 Microsoft
Q246261

RestrictAnonymous=1
RestrictAnonymous NetUserGetInfo
API Level 3 RestrictAnonymous = 1
RestrictAnonymous 1http://www.HammerofGod.com/download.htm UserInfo
Windows 2000 RestrictAnonymous
2 UserInfo
RestrictAnonymous=1 Administrator
C:\>userinfo \\victom.com Administrator
UserInfo v1.5 - thor@HammerofGod.com
Querying Controller \\mgmgrand
USER INFO
Username:        Administrator
Full Name:
Comment:         Built-in account for administering the computer/domain
User Comment:
User ID:         500
Primary Grp:     513
Privs:           Admin Privs
OperatorPrivs:   No explicit OP Privs
SYSTEM FLAGS (Flag dword is 66049)
User's pwd never expires.
MISC INFO
Password age:    Mon Apr 09 01:41:34 2001
LastLogon:       Mon Apr 23 09:27:42 2001
LastLogoff:      Thu Jan 01 00:00:00 1970
Acct Expires:    Never
Max Storage:     Unlimited
Workstations:
UnitsperWeek:    168
Bad pw Count:    0
Num logons:      5
Country code:    0
Code page:       0
Profile:
ScriptPath:
Homedir drive:
Home Dir:
PasswordExp:     0
Logon hours at controller, GMT:
Hours      12345678901N12345678901M
Sunday     111111111111111111111111
Monday     111111111111111111111111
Tuesday    111111111111111111111111
Wednesday  111111111111111111111111
Thursday   111111111111111111111111
Friday     111111111111111111111111
Saturday   111111111111111111111111
Get hammered at HammerofGod.com!

HammerofGod.com UserDump
SID RID UserDump
RID 1001 SID UserDump
RID 500 RID 1001
MaxQueries 0 SID 500 1001
UserDump
C:\>userdump \\mgmgrand guest 10
UserDump v1.11 - thor@HammerofGod.com
Querying Controller \\mgmgrand
USER INFO
Username:        Administrator
Full Name:
Comment:         Built-in account for administering the computer/domain
User Comment:
User ID:         500
Primary Grp:     513
Privs:           Admin Privs
OperatorPrivs:   No explicit OP Privs
[snip]
LookupAccountSid failed: 1007 does not exist...
LookupAccountSid failed: 1008 does not exist...
LookupAccountSid failed: 1009 does not exist...
Get hammered at HammerofGod.com!

http://www.securityfriday.com Urity GetAcct


GetAcct
Administrator Guest GetAcct

RestrictAnonymous 1

Windows XP/Server 2003 RestrictAnonymous


Windows 2000 RestrictAnonymous 2
IPC$ Windows 2000
Windows 95 dsclient
Microsoft Q246261 Windows XP/Server 2003
RestrictAnonymous
Security Policy Security Options No Access
Without Explicit Anonymous Permissions Windows 2000 RestrictAnonymous
2 XP/.NET Server 2003 Security Options
Network Access : 3-2
XP/Server 2003
3-2 Windows XP/Server 2003

Windows 2000 RestrictAnonymous = 2

Microsoft
3-2 Windows XP/Server 2003 Network access settings and their Windows 2000 RestrictAnonymous equivalents

Setting (XP/Server 2003 Security Options)                                      Recommended   Windows 2000 equivalent / notes
Network access: Allow anonymous SID/Name translation                           Disabled      blocks user2sid
Network access: Do not allow anonymous enumeration of SAM accounts             Enabled       RestrictAnonymous = 1
Network access: Do not allow anonymous enumeration of SAM accounts and shares  Enabled       RestrictAnonymous = 1
Network access: Let Everyone permissions apply to anonymous users              Disabled      RestrictAnonymous = 2
Network access: Named pipes that can be accessed anonymously                                 SQL\QUERY, EPMAPPER (SQL, MSRPC)
Network access: Remotely accessible Registry paths
Network access: Shares that can be accessed anonymously                                      COMCFG, DFS$

3-2 Windows XP/Server 2003 Windows 2000

SecurityFriday.com Urity 2004 8


Windows XP SP2 \pipe\browser
lanmanserver lanmanworkstation
NetSessionEnum NetrWkstaUserEnum MSRPC

Windows Server 2003

Windows XP/.NET Server


Security Policy
HKLM\System\CurrentControlSet\Control
\SecurePipeServer\Winreg
Windows NT
AllowedPaths
Winreg
Q153183http://search.support.microsoft.com
DumpSec

SNMP UDP 161

9
3

Simple Network Management ProtocolSNMP

Security Not My
Problem
SNMP /
SNMP SNMP
SNMP
public SNMP
SNMP
Management Information Base MIB MIB
Microsoft MIB Windows
TCP 139 445 SMB NT
SNMP public
RK SNMP snmputil SNMP
Windows
C:\>snmputil walk 192.168.202.33 public .1.3.6.1.4.1.77.1.2.25
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116
Value    = OCTET STRING - Guest
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.65.100.109.105.110.105.115.116.114.97.116.111.114
Value    = OCTET STRING - Administrator
End of MIB subtree.

snmputil .1.3.6.1.4.1.77.1.2.25 OID
Microsoft Microsoft MIB MIB
.1.3.6.1.4.1.77

MIB
SNMP MIB
.iso.org.dod.internet.private.enterprises.lanmanager.lanmgr2

.server.svSvcTable.svSvcEntry.svSvcName

.server.svShareTable.svShareEntry.svShareName

.server.svShareTable.svShareEntry.svSharePath

.server.svShareTable.svShareEntry.svShareComment

.server.svUserTable.svUserEntry.svUserName

.domain.domPrimaryDomain

UNIX/Linux snmpget SNMP


[root]# snmpget 192.168.1.60 public system.sysName.0
system.sysName.0 = wave

snmpget snmpwalk MIB


[root]# snmpwalk 192.168.1.60 public
system.sysDescr.0 = Linux wave 2.4.3-20mdk #1 Sun Apr 15 2001 i686
system.sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.linux
system.sysUpTime.0 = Timeticks: (25701) 0:04:17.01
system.sysContact.0 = Root <root@localhost> (configure /etc/snmp/snmp.conf)
system.sysName.0 = wave
system.sysLocation.0 = Unknown (configure /etc/snmp/snmp.conf)
system.sysORLastChange.0 = Timeticks: (0)
[output truncated for brevity]

SNMP
UNIX

Linux

Linux

2.4.3

Mandrakemdk

Intel 686

private

http://www.solarwinds.net

SNMP IP Network Browser 3-5


SNMP

3-5 SolarWinds IP Network Browser


SNMP
public

SNMP
SNMP
agent

SNMP
SNMP agent SNMP
"public""private" SNMP
SNMP
TCP UDP 161 SNMP GET/SET IP
SNMP agentMicrosoft SNMP agent IP
SNMP IP
SNMP V3 RFC 2571~2575SNMP V3 V1
V2 V3
V1
Windows NT
SNMP Microsoft MIB regedt32
HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
Security | Permissions
HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents
LANManagerMIB2Agent
1 2 1
2 2 1

SNMP
SNMP http://www.rfc-editor.org SNMP
RFC

BGP TCP 179

2
6
2

Border Gateway ProtocolBGP Internet


IP BGP
Internet
BGP

BGP
BGP
1. ASN Autonomous System Number
2. ASN AS
BGP IP ASN ASN 16
ARIN ASN IP
ASN

ASN ARIN whois 3-6

3-6 ASN KPEASN 16394AS KPENY-AS


IP
AS ASN telnet
AS 16394 ASN

route-views.routeviews.org AAA
rviews http://www.routeviews.org/aaa.html

C:\>telnet route-views.oregon-ix.net
User Access Verification
Username: rviews
route-views.oregon-ix.net>show ip bgp 63.79.158.1
BGP routing table entry for 63.79.158.0/24, version 7215687
Paths: (29 available, best #14)
Not advertised to any peer
8918 701 16394 16394
212.4.193.253 from 212.4.193.253 (212.4.193.253)
Origin IGP, localpref 100, valid, external

Not advertised to any peer AS


ASN 16394
route-views.oregon-ix.net>show ip bgp regexp _16394$
BGP table version is 8281239, local router ID is 198.32.162.100
Status codes: s suppressed, d damped, h history, * valid, > best, i internal
Origin codes: i - IGP, e - EGP, ? incomplete
   Network           Next Hop            Metric LocPrf Weight Path
*  63.79.158.0/24    212.4.193.253                           0 8918 701 16394 16394

_$
AS AS

63.79.158.0/24 KPE

BGP
ARIN ASN ASN
BGP ASN ARIN ASN

BGP
BGP
BGP ARIN
ASN BGP BGP

Windows LDAP TCP/UDP 389 3268

2
2
5

NT Windows 2000
Lightweight Directory Access ProtocolMicrosoft
Active DirectoryAD AD
Windows
Support Tools CD Support\Tools
LDAP Active Directory Administration Tool (ldp.exe)
AD
1999 Windows 2000 Release Candidates
ldp Windows 2000 DC LDAP
LDAP
NetBIOS
LDAP
ldp
Windows 2000 bigdc.labfarce.orgDC=labfarce,
DC=org BIGDC Guest guest

1. ldp Connection | Connect |


IP DNS LDAP 389
AD Global Catalog port3268 389

2. Guest Connections | Bind


Domain Guest

3. LDAP View | Tree dc=labfarce, dc=org

4.
5. CN=Users CN=Builtin
Users 3-7

3-7 Active Directory Administration Tool ldp.exe

guest NT 4 Remote
Access Service SQL Server AD Windows 2000

dcpromo
3-8 LDAP

3-8 Active Directory Installation Wizarddcpromo

389 3268

Windows
Pre-Windows 2000 Compatible Access Pre-Windows Compatible
Access 3-3

User
Group

User
Group

3-3 Pre-Windows 2000 Compatible Access Group User

3-8 Permissions Compatible with Pre-Windows


2000 Server Windows 2000 Windows
Everyone Pre-Windows 2000 Compatible Access
Everyone Everyone Pre-Windows 2000
Compatible Access Windows 2000
Everyone

net localgroup "Pre-Windows 2000 Compatible Access" everyone /add


Q240855http://search.support.microsoft.com
Pre-Windows 2000 Compatible Access
NetBIOS enum
Windows 2000 Advanced Server enum
Everyone Pre-Windows 2000 Compatible Access
C:\>enum -U corp-dc
server: corp-dc
setting up session... success.
getting user list (pass 1, index 0)... success, got 7.
Administrator Guest IUSR_CORP-DC IWAM_CORP-DC krbtgt
NetShowServices TsInternetUser
cleaning up... success.

Compatible Everyone
enum
C:\>enum -U corp-dc
server: corp-dc
setting up session... success.
getting user list (pass 1, index 0)... fail
return 5, Access is denied.
cleaning up... success.

NT4
RASRouting and Remote
Access ServiceRRAS SQL

Novell NetWare TCP 524 IPX

7
6
1

Microsoft Windows Novell NetWare


Novell
NDSNovell NetWare 3.x 4.x Bindery Context
Attach

NetWare
Novell NDS
Windows
Novell NDS 3-9
NetWare IPX TCP/IP NetWare
IPX IP TCP 524 NetWare 5
NetWare Core ProtocolNCPTCP 524 NDS
Novell NDS

3-9 Windows Novell NDS


Novell Client32
Novell NetWare Services NetWare
Connections NetWare
attachments

NDS
3-10

3-10 Novell NetWare Connections NDS

7
On-Site Admin Novell
Novell On-Site Admin
On-Site
Novell 3-11
On-Site Admin

3-11 Novell Novell On-Site Admin


On-Site Admin Analyze 3-12
Analyze On-Site Admin Analyze

3-12 On-Site Admin

Novell On-Site Admin NDS Client32


NetWare 4.x
NDS 3-13

3-13 On-Site Admin NDS


Razor 2000 11 NetWare 5.0 5.1
Novell NDS Service Announcement ProtocolSAP
Novell Razor
Windows Razor NCPQuery
TCP 524 http://www.bindview.com/support/Razor/Utilities
6
NetWare
IPX Internet
TCP 524 IPX
NDS inheritance rights filterIRF
NDS NDS
Razor NetWare 5.x NDS [Public]

Browse NDS

http://support.novell.com

UNIX RPC TCP/UDP 111 32771

7
10
1

Remote Procedure CallRPCRPC portmapper


rpcbind RPC RPC
RPC
rpcinfo RPC finger
111 rpcbind 32771 Sun portmapper rpcinfo

[root$]rpcinfo -p 192.168.202.34
   program vers proto   port
    100000    2   tcp    111  rpcbind
    100002    3   udp    712  rusersd
    100011    2   udp    754  rquotad
    100005    1   udp    635  mountd
    100003    2   udp   2049  nfs
    100004    2   tcp    778  ypserv

rusersd NFS NIS ypserv NIS


rusers showmount -e pscan -n
pscan -r

rpcinfo Windows NT rpcdump


Next Generation Security Software Ltd. David Litchfield
http://www.atstake.com/research/tools/info_gathering rpcdump
rpcinfo -p
C:\>rpcdump 192.168.202.105
Program no.   Name         Version   Protocol   Port
(100000)      portmapper   4         TCP        111
(100000)      portmapper   3         TCP        222
(100001)      rstatd       2         UDP        32774
(100021)      nlockmgr     1         UDP        4045

RPC Sun UNIX Solaris 32771


portmapper 111 32771 rpcinfo
Solaris
RPC nmap 7
rpcinfo RPC 192.168.202.34
ToolTalk DatabaseTTDB
[root$] rpcinfo -n 32776 -t 192.168.202.34 100083

100083 RPC TTDB


nmap 100083-sR

[root$]nmap -sS -sR 192.168.1.10

Starting nmap V. 2.53 by fyodor@insecure.org (www.insecure.org/nmap/)
Interesting ports on (192.168.1.10):
(The 1495 ports scanned but not shown below are in state: closed)
Port        State   Service (RPC)
23/tcp      open    telnet
4045/tcp    open    lockd (nlockmgr V1-4)
6000/tcp    open    X11
32771/tcp   open    sometimes-rpc5 (status V1)
32772/tcp   open    sometimes-rpc7 (rusersd V2-3)
32773/tcp   open    sometimes-rpc9 (cachefsd V1)
32774/tcp   open    sometimes-rpc11 (dmispd V1)
32775/tcp   open    sometimes-rpc13 (snmpXdmid V1)
32776/tcp   open    sometimes-rpc15 (tttdbservd V1)
Nmap run completed -- 1 IP address (1 host up) scanned in 43 seconds

RPC
RPC
RPC RPC
Sun Secure RPC 111
32771rpcbind RPC
UNIX/Linux

rwhoUDP 513 rusersRPC 100002

3
8
1

rusers rwho finger rwho


rwhod rwho
[root$]rwho 192.168.202.34
root      localhost:ttyp0           Apr 11 09:21
jack      beanstalk:ttyp1           Apr 10 15:01
jimbo     192.168.202.77:ttyp2      Apr 10 17:40

rusers -l rwho
rpc.rusersd RPC
Sun RPC portmapper
TCP/UDP 111 TCP/UDP 32771 rusers
UNIX
[root$]rusers -l 192.168.202.34
root      192.168.202.34:tty1     Apr 10 18:58    :51
root      192.168.202.34:ttyp0    Apr 10 18:59    :02 (:0.0)

rwho rusers
finger inetd
/etc/init.d/ /etc/rc*.d rpc.rwhod rpc.rusersd
#

NIS RPC 100004

3
8
1

UNIX Network Information SystemNIS

NIS NIS RPC


NIS NIS
passwd NIS NIS pscan
-n Pluvius Internet

NIS
NIS DNS

NIS+ RPC /var/yp/securenets


TCP Wrappers
ypserv NIS root

SQL Resolution Service UDP 1434

5
8
2

Microsoft SQL Server TCP 1433 SQL Server


2000 SQL Server
SQL Server TCP/IP
1433 TCP SQL
Server Resolution Service
RPC SQL Server SQL
Server 2000 SQL Server Resolution Service UDP 1434

SQL Server Resolution Service SQL SQL


Server 2000 SQL Server
sqlsecurity.com Chip Andrews
SQLPing UDP 1434
Microsoft SQLPingChip
IP SQL Server
3-14 SQLPing 2.2
IP UDP 1434 SQL
Server sa/null password

3-14 SQLPing SQL Server


UDP 1434 SQL
David Litchfield 2002

http://www.nextgenss.com/advisories/mssql-udp.txt

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
SQL
Chip Andrews http://www.sqlsecurity.com
SQLPing

Chip Server Network Utility


SQL Server local.
Server Network Utility TCP/IP netlib
hide server netlibChip
SQL TCP 32433

NFS TCP/UDP 2049

7
10
1

UNIX showmount NFS


2049 NFS
showmount
[root$]showmount -e 192.168.202.34
export list for 192.168.202.34:
/pub     (everyone)
/var     (everyone)
/usr     user

-e NFS
NFS
NFS
/
NFS 2049 Showmount
NFS UNIX/Linux Samba
SMB SMBServer
Message Block Windows Samba http://www.samba.org
Linux Samba /etc/smb.conf

3.3

Windows NT SMB

TCP 139 445 RestrictAnonymous Windows


XP/Server 2003 Network Access NT
Windows
LDAP DNSNovell NetWare

SNMP SNMP
SNMP agentpublic

Finger rpcbind

finger RPC TCP Wrappers


WEB

Hacking Exposed: Web Applications (McGraw-Hill/Osborne, 2002)


http://www.linux-sec.net/Audit/nmap.test.gwif.html C nmap
TCP/UDP http://www.iana.org/assignments/port-numbers