Analyzing an Attack (Part 1)

Updated at 11:03 on 22/12/2007

Don Parker

This series of articles is built around a vulnerability in a networked system. What it presents is a real attack, starting with reconnaissance, moving through enumeration and the exploitation of a network service, and ending with the strategies used once the service has been exploited. Every one of these steps will be observed at the packet level and then explained in concrete terms. Being able to observe and understand an attack at the packet level is extremely important for both system administrators and network security staff. The output of firewalls, intrusion detection systems (IDS) and other security devices should always be used together with a look at the actual network traffic. If you do not understand what you are seeing at the packet level, all the network security technology you own becomes meaningless.
The tools used to simulate the network attack are:

Nmap
IPEye
Tcpdump
Metasploit Framework
Netcat
SolarWinds TFTP Server
Tftp client
FU Rootkit

Setting the stage
There is a great deal of scanning activity on the Internet today, not to mention the activity of worms and other kinds of malware such as viruses. All of it is merely noise of little consequence to a well-protected network. What we should consider instead is a person who deliberately targets a particular network. This article assumes that the attacker is going after his victim and has already done the prior research, such as finding the victim's IP address and network address ranges. This attacker may also try to harvest information such as the email addresses associated with that network. That kind of information is very important in case the attacker finds no way into the network after scanning, enumerating and probing it. The email addresses he has harvested are very useful for setting up a client-side attack, by enticing users to a website he controls through a link in an email. Those kinds of attack will be covered in later articles.
How it is done
Let us observe what a hacker does when scanning and enumerating the victim's network. The first tool the hacker uses is Nmap. Even though Nmap has quite a few IDS signatures written for it, it is still a very useful and widely used tool.

From the syntax the hacker used (shown in a screenshot in the original article, not reproduced here) we can see that he chose ports 21 and 80, because he has exploits for those services that can be used through the Metasploit Framework. Not only that, but these are two system services and protocols that he understands quite well. It is also clear that he is using a SYN scan, which is the most commonly used type of scan. The reason is that when a TCP service listening on a port receives a SYN packet, it sends back a SYN/ACK packet in reply. The SYN/ACK packet indicates that a service is indeed listening and waiting for connections. The same is not true for UDP, on which services such as DNS rely (DNS also uses TCP, but it uses UDP for most of its transactions).
Nmap's output, gathered from the packets it sent, or more precisely from the packets it received in response to the SYN scan it performed, shows that, on the face of it, FTP and HTTP services are offered. We do not really care about the MAC address, so we will ignore it. Tools such as Nmap are not often wrong, but it is always good practice to verify their information at the packet level to make sure it is accurate. Not only that, but observing the packets that come back lets you gather information about the architecture, services and hosts on the victim's network.
Let's look at the packets
There are a number of programs available today that will mine packets and dig out the information you need, such as the operating system type, architecture information such as x86 or SPARC, and much more. That is beside the point, however: what matters here is understanding what such a program is doing on our behalf. With that in mind, let's look at the packet trace of the Nmap scan and find out what we can about the victim's network.
10:52:59.062500 IP (tos 0x0, ttl 43, id 8853, offset 0, flags [none], proto: ICMP (1), length: 28) 192.168.111.17 > 192.168.111.23: ICMP echo request seq 38214, length 8
0x0000: 4500 001c 2295 0000 2b01 0dd3 c0a8 6f11  E..."...+.....o.
0x0010: c0a8 6f17 0800 315a 315f 9546            ..o...1Z1_.F

10:52:59.078125 IP (tos 0x0, ttl 128, id 396, offset 0, flags [none], proto: ICMP (1), length: 28) 192.168.111.23 > 192.168.111.17: ICMP echo reply seq 38214, length 8
0x0000: 4500 001c 018c 0000 8001 d9db c0a8 6f17  E.............o.
0x0010: c0a8 6f11 0000 395a 315f 9546 0000 0000  ..o...9Z1_.F....
0x0020: 0000 0000 0000 0000 0000 0000 0000       ..............

The two packets above show the sequence with which Nmap begins. What it does is send an ICMP echo request to the victim's network. You will notice that it is not addressed to any port, because ICMP does not use ports; it is handled by the ICMP error-reporting mechanism built into the TCP/IP protocol stack. This ICMP packet is also labelled with a unique number, in this case 38214, so that the TCP/IP stack can check the returning traffic and match it to the ICMP packet it sent earlier. The packet immediately below it is the response from the victim's network, in the form of an ICMP echo reply. It carries the same sequence number, 38214. This is how the hacker knows that there is a computer or a network behind that IP address.

This opening ICMP packet sequence is the reason Nmap has an IDS signature written for it. ICMP host discovery can be disabled in Nmap if you wish. What kind of information can be gleaned from the ICMP echo reply that came back from the victim's network? In truth there is not much here that tells us about the network. There is one thing we can use, though, and it relates to the operating system: the time to live field and the value next to it (ttl 128 in the echo reply above). A value of 128 suggests that this computer is most likely running Microsoft Windows. While the ttl value alone does not answer the operating-system question conclusively, it gives us a baseline for the packets we will look at next.
Conclusion
In this first part we have looked at a scan of a network, aimed at two specific ports, carried out with Nmap. At this point the attacker knows for certain that there is a computer or a network of computers at that IP address. In part 2 of this series we will continue with the rest of the packet-trace investigation and dig out the remaining pieces of information.

Analyzing an Attack (Part 2)

In part one we showed you the information that can be observed in the opening packet sequence sent by Nmap. That sequence starts with an ICMP echo request to determine whether a computer or network is associated with the IP address. In addition, we could guess that the victim's network is built on Windows, based on the ttl value in the ICMP echo reply it sent back. What we should do now is keep looking at the remaining packets in the Nmap scan and find the rest of the information that makes up the victim network's profile.
Continuing
10:52:59.078125 IP (tos 0x0, ttl 49, id 9808, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.111.17.37668 > 192.168.111.23.80: ., cksum 0xfd46 (correct), ack 85042526 win 2048
0x0000: 4500 0028 2650 0000 3106 0407 c0a8 6f11  E..(&P..1.....o.
0x0010: c0a8 6f17 9324 0050 67d1 a55e 0511 a55e  ..o..$.Pg..^...^
0x0020: 5010 0800 fd46 0000                      P....F..

10:52:59.078125 IP (tos 0x0, ttl 128, id 397, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.111.23.80 > 192.168.111.17.37668: R, cksum 0x6813 (correct), 85042526:85042526(0) win 0
0x0000: 4500 0028 018d 0000 8006 d9c9 c0a8 6f17  E..(..........o.
0x0010: c0a8 6f11 0050 9324 0511 a55e 0511 a55e  ..o..P.$...^...^
0x0020: 5004 0000 6813 0000 0000 0000 0000       P...h.........

The two packets above follow the ICMP packets we looked at in part 1. Nmap sends an ACK packet to the victim's IP address, 192.168.111.23, on port 80. As far as profiling information goes, there is not a lot to be had here. All we see is that the ACK packet receives an RST in reply, because the ACK was unexpected: it does not belong to any previously established connection. We do still have a ttl of 128, matching the ttl observed earlier.
10:52:59.296875 IP (tos 0x0, ttl 58, id 45125, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.111.17.37644 > 192.168.111.23.21: S, cksum 0x37ce (correct), 2010644897:2010644897(0) win 3072
0x0000: 4500 0028 b045 0000 3a06 7111 c0a8 6f11  E..(.E..:.q...o.
0x0010: c0a8 6f17 930c 0015 77d8 01a1 0000 0000  ..o.....w.......
0x0020: 5002 0c00 37ce 0000                      P...7...

10:52:59.296875 IP (tos 0x0, ttl 128, id 398, offset 0, flags [DF], proto: TCP (6), length: 44) 192.168.111.23.21 > 192.168.111.17.37644: S, cksum 0x4f58 (correct), 1685290308:1685290308(0) ack 2010644898 win 64240
0x0000: 4500 002c 018e 4000 8006 99c4 c0a8 6f17  E..,..@.......o.
0x0010: c0a8 6f11 0015 930c 6473 7d44 77d8 01a2  ..o.....ds}Dw...
0x0020: 6012 faf0 4f58 0000 0204 05b4 0000       `...OX........

10:52:59.296875 IP (tos 0x0, ttl 128, id 110, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.111.17.37644 > 192.168.111.23.21: R, cksum 0xca50 (correct), 2010644898:2010644898(0) win 0
0x0000: 4500 0028 006e 0000 8006 dae8 c0a8 6f11  E..(.n........o.
0x0010: c0a8 6f17 930c 0015 77d8 01a2 77d8 01a2  ..o.....w...w...
0x0020: 5004 0000 ca50 0000                      P....P..

Following the ACK and RST exchange, we see the first real SYN packet sent from the hacker to the victim's network, evidenced by the S flag in the packet. From this we can infer that a SYN/ACK packet came back from the victim's network on its port 21. The exchange is then terminated by an RST packet sent from the hacker's computer back to the victim's network. These three packets now carry a wealth of profiling information. We again have a ttl of 128 from the victim's computer, but we also have win 64240. Although this value is not on the list, it is indeed a window size I have seen many times before from Win32 (the 32-bit versions of Microsoft Windows such as Win NT, 2K, XP and 2K3). Another distinguishing feature of Windows computers is the predictability of their IP ID numbers. In this case we only have one IP ID value to go on. We need at least one more value before we can confidently say that this computer is running Microsoft Windows. With that in mind, let's look at the remaining packets from the Nmap scan.
10:52:59.312500 IP (tos 0x0, ttl 59, id 54025, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.111.17.37644 > 192.168.111.23.80: S, cksum 0x3393 (correct), 2010644897:2010644897(0) win 4096
0x0000: 4500 0028 d309 0000 3b06 4d4d c0a8 6f11  E..(....;.MM..o.
0x0010: c0a8 6f17 930c 0050 77d8 01a1 0000 0000  ..o....Pw.......
0x0020: 5002 1000 3393 0000                      P...3...

10:52:59.312500 IP (tos 0x0, ttl 128, id 399, offset 0, flags [DF], proto: TCP (6), length: 44) 192.168.111.23.80 > 192.168.111.17.37644: S, cksum 0x7913 (correct), 1685345101:1685345101(0) ack 2010644898 win 64240
0x0000: 4500 002c 018f 4000 8006 99c3 c0a8 6f17  E..,..@.......o.
0x0010: c0a8 6f11 0050 930c 6474 534d 77d8 01a2  ..o..P..dtSMw...
0x0020: 6012 faf0 7913 0000 0204 05b4 0000       `...y.........

10:52:59.312500 IP (tos 0x0, ttl 128, id 111, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.111.17.37644 > 192.168.111.23.80: R, cksum 0xca15 (correct), 2010644898:2010644898(0) win 0
0x0000: 4500 0028 006f 0000 8006 dae7 c0a8 6f11  E..(.o........o.
0x0010: c0a8 6f17 930c 0050 77d8 01a2 77d8 01a2  ..o....Pw...w...
0x0020: 5004 0000 ca15 0000                      P.......

The first piece of information the hacker looks at is whether the IP ID number has increased to 399. The IP ID is indeed 399, as we can see in the middle packet. With this information the hacker is fairly confident that the victim computer he is attacking is Windows NT, 2K, XP or 2K3. Also observed in this packet sequence is that port 80 on the victim's network appears to have a service, evidenced by the SYN/ACK packet. A SYN/ACK is identified by examining the flags field in the TCP header; in this case the flags byte is hex 12 (the 12 in the 6012 word of the hex dump above), or 18 in decimal. That value comes from adding the SYN flag's value of 2 to the ACK flag's value of 16.
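As an added example (not code from the original article), the following Python decodes the raw hex dumps that tcpdump printed for the packets above, from the ICMP echo pair in part 1 through the ACK probe and the two SYN, SYN/ACK, RST exchanges, and pulls out exactly the fields the text reasons about: the ttl, the IP ID progression on the victim's side, the ICMP id/seq pairing, the TCP flags byte (0x12 = SYN 2 + ACK 16) and the window size. The packet bytes are transcribed from the hex columns on this page; the dictionary keys and function names are my own.

```python
import struct

# Raw packet bytes (IP header onward) transcribed from the tcpdump hex dumps
# on this page; tcpdump's trailing Ethernet padding is left out.
PACKETS = {
    "icmp_echo_request": "4500001c 22950000 2b010dd3 c0a86f11 c0a86f17 0800315a 315f9546",
    "icmp_echo_reply":   "4500001c 018c0000 8001d9db c0a86f17 c0a86f11 0000395a 315f9546",
    "ack_probe_80":      "45000028 26500000 31060407 c0a86f11 c0a86f17 93240050 67d1a55e 0511a55e 50100800 fd460000",
    "rst_from_80":       "45000028 018d0000 8006d9c9 c0a86f17 c0a86f11 00509324 0511a55e 0511a55e 50040000 68130000",
    "syn_to_21":         "45000028 b0450000 3a067111 c0a86f11 c0a86f17 930c0015 77d801a1 00000000 50020c00 37ce0000",
    "synack_from_21":    "4500002c 018e4000 800699c4 c0a86f17 c0a86f11 0015930c 64737d44 77d801a2 6012faf0 4f580000 020405b4",
    "rst_to_21":         "45000028 006e0000 8006dae8 c0a86f11 c0a86f17 930c0015 77d801a2 77d801a2 50040000 ca500000",
    "syn_to_80":         "45000028 d3090000 3b064d4d c0a86f11 c0a86f17 930c0050 77d801a1 00000000 50021000 33930000",
    "synack_from_80":    "4500002c 018f4000 800699c3 c0a86f17 c0a86f11 0050930c 6474534d 77d801a2 6012faf0 79130000 020405b4",
    "rst_to_80":         "45000028 006f0000 8006dae7 c0a86f11 c0a86f17 930c0050 77d801a2 77d801a2 50040000 ca150000",
}

# Bit values of the TCP flags; SYN (2) + ACK (16) = 18 = 0x12, as the text notes.
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def parse_ipv4(pkt: bytes):
    """Return the IPv4 header fields the article reads (ttl, id, proto, DF, addresses) and the payload."""
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    hdr = {"ttl": ttl, "id": ident, "proto": proto, "len": total_len,
           "df": bool(frag & 0x4000),
           "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    return hdr, pkt[ihl:total_len]


def parse_icmp(payload: bytes):
    """Echo request/reply header: type, code, identifier and sequence number."""
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", payload[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq}


def parse_tcp(payload: bytes):
    """Fixed 20-byte TCP header; the low six bits of the offset/flags word are the flags."""
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", payload[:20])
    flags = off_flags & 0x3F
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
            "flags": flags, "flag_names": [n for n, bit in TCP_FLAG_BITS if flags & bit]}


def decode(name: str) -> dict:
    """Decode one named packet into a flat dict (IP fields plus icmp_*/tcp_* fields)."""
    ip, payload = parse_ipv4(bytes.fromhex(PACKETS[name]))
    if ip["proto"] == 1:
        ip.update({"icmp_" + k: v for k, v in parse_icmp(payload).items()})
    elif ip["proto"] == 6:
        ip.update({"tcp_" + k: v for k, v in parse_tcp(payload).items()})
    return ip


def victim_ip_ids(victim: str = "192.168.111.23"):
    """IP ID of every packet the victim sent, in capture order (the incrementing-by-one Windows hint)."""
    return [d["id"] for d in (decode(n) for n in PACKETS) if d["src"] == victim]


def echo_pair_matches(req: str, rep: str) -> bool:
    """True when the echo reply carries the same id/seq as the request, which is how the stack pairs them."""
    a, b = decode(req), decode(rep)
    return (a["icmp_type"], b["icmp_type"]) == (8, 0) and \
        (a["icmp_id"], a["icmp_seq"]) == (b["icmp_id"], b["icmp_seq"])


if __name__ == "__main__":
    for name in PACKETS:
        print(name, decode(name))
    print("victim IP IDs:", victim_ip_ids())
```

Running it shows the ttl of 128 on every victim packet, the IP IDs 396, 397, 398, 399 stepping by one, win 64240 with DF set on both SYN/ACKs, and the flags byte decoding to SYN and ACK; the same decoder applied to a live capture is the quickest way to check an Nmap report against the raw packets, as the text recommends.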
Enumeration
Once the hacker knows that both ports 21 and 80 are open for business, he moves on to the enumeration stage. What he needs to know now is what kind of web server is listening for connections. It would be pointless for him to use an Apache exploit against an IIS web server. With that in mind, the attacker opens a cmd.exe session and finds out the server type.
C:\>nc.exe 192.168.111.23 80
GET slslslls
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Mon, 06 Aug 2007 15:11:48 GMT
Content-Type: text/html
Content-Length: 87
The parameter is incorrect.
C:\>

The server type can be seen in the output above. The hacker typed the nc.exe syntax with the victim's IP address and port 80. Once connected, the hacker typed the HTTP GET method followed by some gibberish. This makes the victim's web server send back its system information, because it does not understand the request. In doing so the server naturally enumerates the information the hacker needs. The hacker now knows he is dealing with Microsoft IIS 5.0. Even better for him, he has an exploit for that version.
Conclusion
By scanning the victim's network with Nmap, the hacker obtained a series of important packets. Within those packets, as we have seen, lies all the information the hacker needs to go after vulnerabilities in the architecture, the operating system and the server type. In short, this is how the hacker learns the key facts about the host, its architecture and the services it offers. With that information in hand, the hacker can launch an attack against the victim's web server. In the next part we will show what kinds of attack the hacker can use against the victim in this case.

Analyzing an Attack (Part 3)

Updated at 08:39 on 24/03/2008

Don Parker
In part 2 of this series we gathered all the information required for an attack on the victim's network. With that in mind, let us proceed with an actual attack. This attack involves transferring over several programs that are needed to go deeper once the exploit has succeeded. It would be rather pointless to simply attack a computer and then withdraw, so we will carry out a full attack. Typically, the goal of a dangerous attacker is not just to gain a presence on the network but to maintain it. That means the attacker wants to hide his presence and carry out further actions.

The interesting part
We will now use the Metasploit Framework to carry out the actual attack. This framework is very interesting because it offers many different exploits as well as many options when choosing the payload. You might want a reverse shell, or a VNC inject. The payload often depends on the target in question, the network architecture and your end goal. In this case we will go with a reverse shell. This is usually the approach with the most advantages, especially when the target sits behind a router and cannot be reached directly. For example, you may hit a web server, but it is load balanced. There is no guarantee that you could connect to it with a forward (bind) shell, so you want the compromised computer to create a reverse shell back to you. We will not cover how to use the Metasploit Framework, since that may be presented in another article. We will concentrate instead on things such as the packet level.

This time, instead of presenting each step of the attack with screenshots and excerpts, we will take a different approach: we will recreate the attack with the help of Snort. We will take the binary log of the attack we carried out and parse it through Snort. Ideally it will see everything just as we did; in practice, what we get is a demonstration. The goal is to see whether what happened can be pieced back together accurately. With that in mind, we will use the binary packet log that recorded everything that was done and parse it through Snort with some of its default rules.

Snort output
The syntax used to process the packets with Snort is as follows (the leading dashes on the options were lost in the original copy and are restored here):
C:\snort\bin\snort.exe -r c:\article_binary -dv -c snort.conf -A full

This syntax makes Snort read and parse the binary packet log named article_binary, with the results shown below. We have truncated Snort's output so that each part can be examined in detail.
==============================================================
Snort processed 1345 packets.
==============================================================
Breakdown by protocol:
    TCP: 524        (38.959%)
    UDP: 810        (60.223%)
   ICMP: 11         (0.818%)
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
ETHLOOP: 0          (0.000%)
    IPX: 0          (0.000%)
   FRAG: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
==============================================================
Action Stats:
ALERTS: 63
LOGGED: 63
PASSED: 0

This part is interesting because 63 alerts were triggered by a single attack. We will look at the alert.ids file, which is the file that gives the most detail about what happened. Now, if you recall, the first thing the attacker did was use Nmap to scan the network, and that is what produced the first alert Snort triggered.
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
08/09-15:37:07.296875 192.168.111.17 -> 192.168.111.23
ICMP TTL:54 TOS:0x0 ID:3562 IpLen:20 DgmLen:28
Type:8 Code:0 ID:30208 Seq:54825 ECHO
[Xref => http://www.whitehats.com/info/IDS162]

After that, the attacker used netcat to enumerate the web server and find out what kind of web server it was. This action did not trigger any Snort alert at all. We want to know what happened here, so let's look more carefully at the packet log. After the usual TCP/IP handshake, we see the packet below.
15:04:51.546875 IP (tos 0x0, ttl 128, id 9588, offset 0, flags [DF], proto: TCP (6), length: 51) 192.168.111.17.1347 > 192.168.111.23.80: P, cksum 0x5b06 (correct), 3389462932:3389462943(11) ack 2975555611 win 64240
0x0000: 4500 0033 2574 4000 8006 75d7 c0a8 6f11  E..3%t@...u...o.
0x0010: c0a8 6f17 0543 0050 ca07 1994 b15b 601b  ..o..C.P.....[`.
0x0020: 5018 faf0 5b06 0000 4745 5420 736c 736c  P...[...GET.slsl
0x0030: 736c 0a                                  sl.

There is nothing remarkable in this packet other than the GET request followed by some junk, slslsl. So in practice there was nothing for Snort to act on. This is why it is very difficult to build an effective IDS signature that would fire on this kind of enumeration attempt, and why no such signature exists. The next packet is where the victim's web server enumerates itself.
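The two passages above (the netcat banner grab in part 2 and the observation here that Snort has nothing to match on) both come down to one malformed request line and one revealing response. As an added example, not code from the original article, the following Python shows the checks a web-layer detector or log review can apply instead: it classifies HTTP request lines by whether they are well formed, and inspects a raw response for a Server header that discloses a product version. The request lines are constructed samples (the second is the one typed into netcat on this page); the response is the 400 reply shown on this page with its body abbreviated as in the original; the function names are my own.

```python
import re

# request-line = method SP request-target SP HTTP-version
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Constructed sample request lines; the second is what the netcat session on this page sends.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1",
    "GET slslslls",
    "GET slslslls HTTP/1.0",
    "FOO / HTTP/1.1",
    "HEAD /index.html HTTP/1.0",
]

# The IIS 400 response shown on this page (body abbreviated, as in the original).
SAMPLE_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Mon, 06 Aug 2007 15:11:48 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 87\r\n"
    "\r\n"
    "The parameter is incorrect."
)


def classify_request_line(line: str) -> str:
    """Return 'ok' or a short reason why the request line is malformed."""
    line = line.rstrip("\r\n")
    m = REQUEST_LINE_RE.match(line)
    if m is None:
        # Fewer than three space-separated tokens means the HTTP version is absent,
        # which is exactly the shape of the banner grab above.
        return "missing-version" if len(line.split(" ")) < 3 else "bad-syntax"
    method, target = m.group(1), m.group(2)
    if method not in KNOWN_METHODS:
        return "unknown-method"
    if not (target.startswith("/") or target == "*"):
        return "bad-target"
    return "ok"


def tally(lines):
    """Count request lines per category; anything other than 'ok' deserves a closer look."""
    counts = {}
    for line in lines:
        cat = classify_request_line(line)
        counts[cat] = counts.get(cat, 0) + 1
    return counts


def server_header(raw_response: str):
    """Value of the Server header in a raw HTTP response, or None if there is none."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for field in head.split("\r\n")[1:]:
        name, _, value = field.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def discloses_version(raw_response: str) -> bool:
    """True when the Server header names a product together with a version number."""
    value = server_header(raw_response)
    return bool(value) and re.search(r"/\d", value) is not None


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{line!r:32} -> {classify_request_line(line)}")
    print("Server:", server_header(SAMPLE_RESPONSE), "version disclosed:", discloses_version(SAMPLE_RESPONSE))
```

The request-line check is what a web server or reverse proxy can log and alert on even though a packet-level IDS has no payload pattern to match, and the response check is the one to run against your own servers: a Server header that carries a version is the banner this enumeration step depends on, and removing or generalising it takes that away.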
[**] [1:1248:13] WEB-FRONTPAGE rad fp30reg.dll access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
08/09-15:39:23.000000 192.168.111.17:1454 -> 192.168.111.23:80
TCP TTL:128 TOS:0x0 ID:15851 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7779253A Ack: 0xAA1FBC5B Win: 0xFAF0 TcpLen: 20
[Xref => http://www.microsoft.com/technet/security/bulletin/MS01-035.mspx][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0341][Xref => http://www.securityfocus.com/bid/2906][Xref => http://www.whitehats.com/info/IDS555]
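The alert.ids records quoted above have a fixed layout (a header line with generator, signature id and revision, a classification line, an address line, a protocol line, and optional Xref lines), and with 63 of them in this run an analyst wants them as structured data rather than text. As an added example, not code from the original article, the following Python parses records in that "-A full" layout and summarises them by priority and classification, and pulls out the CVE identifiers referenced. The two records are transcribed from the output on this page; the regular expressions and function names are my own.

```python
import re
from collections import Counter

# The two alert records shown on this page, separated by a blank line as in alert.ids.
SAMPLE_ALERTS = """\
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
08/09-15:37:07.296875 192.168.111.17 -> 192.168.111.23
ICMP TTL:54 TOS:0x0 ID:3562 IpLen:20 DgmLen:28
Type:8 Code:0 ID:30208 Seq:54825 ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:1248:13] WEB-FRONTPAGE rad fp30reg.dll access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
08/09-15:39:23.000000 192.168.111.17:1454 -> 192.168.111.23:80
TCP TTL:128 TOS:0x0 ID:15851 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7779253A Ack: 0xAA1FBC5B Win: 0xFAF0 TcpLen: 20
[Xref => http://www.microsoft.com/technet/security/bulletin/MS01-035.mspx][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0341][Xref => http://www.securityfocus.com/bid/2906][Xref => http://www.whitehats.com/info/IDS555]
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
ADDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?$")
XREF_RE = re.compile(r"\[Xref => (\S+?)\]")


def parse_alerts(text: str):
    """Parse blank-line-separated '-A full' alert records into a list of dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if len(lines) < 4:
            continue
        hdr, cls, addr = HEADER_RE.match(lines[0]), CLASS_RE.search(lines[1]), ADDR_RE.match(lines[2])
        if not (hdr and cls and addr):
            continue  # not a record in the expected layout; skip rather than guess
        proto_fields = lines[3].split()
        ttl = next((int(f[4:]) for f in proto_fields if f.startswith("TTL:")), None)
        records.append({
            "gid": int(hdr.group(1)), "sid": int(hdr.group(2)), "rev": int(hdr.group(3)),
            "msg": hdr.group(4),
            "classification": cls.group(1), "priority": int(cls.group(2)),
            "timestamp": addr.group(1),
            "src": addr.group(2), "sport": int(addr.group(3)) if addr.group(3) else None,
            "dst": addr.group(4), "dport": int(addr.group(5)) if addr.group(5) else None,
            "proto": proto_fields[0], "ttl": ttl,
            "xrefs": XREF_RE.findall(block),
        })
    return records


def summarize(records):
    """Counts by priority and classification, plus the set of attacked hosts."""
    return {
        "by_priority": dict(Counter(r["priority"] for r in records)),
        "by_classification": dict(Counter(r["classification"] for r in records)),
        "targets": sorted({r["dst"] for r in records}),
    }


def cve_refs(records):
    """CVE identifiers named in Xref URLs, so an alert can be tied to its advisory."""
    return sorted({m for r in records for x in r["xrefs"]
                   for m in re.findall(r"name=(\d{4}-\d+)", x)})


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for r in recs:
        print(r["timestamp"], r["sid"], r["msg"], r["src"], "->", r["dst"], r["dport"])
    print(summarize(recs))
    print("CVEs:", cve_refs(recs))
```

Fed the full alert.ids from this run instead of the two sample records, the same parser gives the per-classification breakdown of all 63 alerts and the hosts and ports involved, and the Xref extraction links the FrontPage alert straight to the MS01-035 bulletin and its CVE entry.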

Once the attacker has gained access to the web server, he begins using the TFTP client to transfer four files: nc.exe, ipeye.exe, fu.exe and msdirectx.exe. After these files have been transferred, the attacker uses netcat to send a reverse shell back to his own computer. From there he can drop the other shell, the one obtained from the initial exploit, and do all of the remaining work in the netcat shell. Interestingly, none of the actions the attacker carried out through the reverse shell were logged by Snort. Unconcerned by that, the attacker then used the rootkit he had transferred via TFTP to hide the process information for netcat.
Conclusion
In this third part of the series we saw the attack replayed through Snort. We were able to recreate nearly everything that was done, except for the use of the rootkit. Even though an IDS is a very useful technology and a part of your network defence, it is not always perfect: an IDS can only alert you to traffic it is able to recognise. Bear in mind that we will learn how to build Snort signatures in the final part of this series, and along with that, how to test a signature to verify that it is effective.
Văn Linh (after WindowSecurity)