Nmap
IPEye
Tcpdump
Metasploit Framework
Netcat
Tftp client
FU Rootkit
The setup
There is a great deal of scanning activity on the Internet today, and that is without counting the activity of worms and other forms of malware such as viruses. To a well-protected network all of it is just noise. What we should look at is a person who is deliberately targeting a particular network. This article assumes that the attacker has already chosen his victim and has done the preliminary research, such as finding the victim's IP address and network ranges. The attacker may also try to harvest information such as email addresses associated with that network. This kind of information becomes very important if the attacker finds no way into the network after scanning, enumerating and fingerprinting it. The email addresses he has collected are then useful for setting up a client-side attack, by trying to lure users to a website through a link in an email. Those kinds of attacks will be introduced in later articles.
How it is done
We should observe the actions of a hacker as he scans and enumerates the victim network. The first tool the hacker uses is Nmap. Although Nmap has a well-known IDS signature, it is still a very useful and widely used tool.

We can see the syntax used by the hacker in the screenshot shown above. The hacker chose ports 21 and 80 because he has exploits for them that he can use through the Metasploit Framework. Not only that, but these are two system services and protocols he understands quite well. It is also clear that he is using a SYN scan, the most commonly used type of port scan. That is because when a TCP service listening on a port receives a SYN packet, it sends back a SYN/ACK in reply. The SYN/ACK indicates that a service really is listening and waiting for connections. The same does not hold for UDP, which is the transport for services such as DNS (DNS also uses TCP, but it uses UDP for the great majority of its transactions).
The output listed below is what Nmap gathered from the packets it sent, or more precisely from the packets it received as a result of the SYN scan it performed. We can see that, on the face of it, FTP and HTTP services are being offered. We are not really interested in the MAC address, so we will ignore it. Tools like Nmap are not often wrong, but it is still good practice to verify your information at the packet level to be sure of its accuracy. Doing so also lets us observe the reply packets, from which architecture, service and host information about the victim network can be collected.
Let's look at the packets
There are several programs available today that will dissect the packets and extract the information we need, such as the operating system type, architecture information such as x86 or SPARC, and much more. That is not to say it is unimportant to understand what is going on when we let a program do the work for us. With that in mind, let's examine the Nmap packet trace and find out some information about the victim network.
10:52:59.062500 IP (tos 0x0,
proto: ICMP (1), length: 28)
request seq 38214, length 8
0x0000: 4500 001c 2295 0000
0x0010: c0a8 6f17 0800 315a
10:52:59.078125 IP (tos 0x0,
E.............o.
..o...9Z1_.F....
..............
Shown in the two packets above is the opening salvo from Nmap. What it does is send an ICMP echo request to the victim network. You will notice that it is not addressed to any port, because ICMP does not use ports; it is handled by the ICMP error-reporting facility built into the TCP/IP protocol stack. This ICMP packet is also tagged with a unique number, in this case 38214, so that the TCP/IP stack can check the returning traffic and match it to the ICMP packet it sent earlier. The second packet above is the reply from the victim network, in the form of an ICMP echo reply. It also carries the sequence number 38214. From this the hacker knows that there is a computer or a network behind that IP address.
This opening ICMP sequence is the reason Nmap has an IDS signature. The ICMP host discovery option can be disabled in Nmap if desired. What kind of information can be gleaned from the ICMP echo reply returned by the victim network? In truth there is not much here to tell us about the network. What there is can still be used, but it is limited to hints about the operating system. The time-to-live (ttl) field and the value beside it are marked in bold in the packet above. The value 128 suggests that this machine may be running Windows. While the ttl value is not a definitive answer as to the operating system, it will be cross-checked against the subsequent packets that we are about to look at.
Conclusion
In this first part we have looked at a scan of a network targeting two specific ports with Nmap. At this point the attacker knows for certain that a computer or a network resides at that IP address. In part 2 of this series we will finish the analysis of this packet trace and tease out the remaining pieces of information.
In part one we showed you what can be observed while dissecting the packet sequence sent by Nmap. The sequence began with an ICMP echo request to determine whether a computer or network was present at the IP address. In addition, we could guess that the targeted network is Windows-based from the ttl in the ICMP echo reply it sent back. What we should do now is continue observing the remaining packets of the Nmap scan and extract the remaining information that will let us profile the victim network.
Continuing
10:52:59.078125 IP (tos
proto: TCP (6), length:
cksum 0xfd46 (correct),
0x0000: 4500 0028 2650
0x0010: c0a8 6f17 9324
0x0020: 5010 0800 fd46
The two packets above follow the ICMP packets we looked at in part 1. Nmap sends an ACK packet to the victim network's IP, 192.168.111.23, on port 80. In terms of fingerprinting information there is not a lot here. All we see is that the ACK from the attacker receives an RST in reply, because the ACK was unexpected: it did not belong to any previously established connection. We still have a ttl of 128, matching the ttl observed earlier.
10:52:59.296875 IP (tos
proto: TCP (6), length:
cksum 0x37ce (correct),
0x0000: 4500 0028 b045
0x0010: c0a8 6f17 930c
0x0020: 5002 0c00 37ce
10:52:59.296875 IP (tos 0x0, ttl 128, id 398, offset 0, flags [DF], proto:
TCP (6), length: 44) 192.168.111.23.21 > 192.168.111.17.37644: S, cksum
0x4f58 (correct), 1685290308:1685290308(0) ack 2010644898 win 64240
0x0000: 4500 002c 018e 4000 8006 99c4 c0a8 6f17 E..,..@.......o.
0x0010: c0a8 6f11 0015 930c 6473 7d44 77d8 01a2 ..o.....ds}Dw...
0x0020: 6012 faf0 4f58 0000 0204 05b4 0000 `...OX........
10:52:59.296875 IP (tos 0x0, ttl 128, id 110, offset 0, flags [none],
proto: TCP(6), length: 40) 192.168.111.17.37644 > 192.168.111.23.21: R,
cksum 0xca50 (correct), 2010644898:2010644898(0) win 0
0x0000: 4500 0028 006e 0000 8006 dae8 c0a8 6f11 E..(.n........o.
0x0010: c0a8 6f17 930c 0015 77d8 01a2 77d8 01a2 ..o.....w...w...
0x0020: 5004 0000 ca50 0000 P....P..
Following the ACK/RST exchange, we can see the real SYN packet sent from the hacker to the victim network, evidenced by the bold S in the packet. This in turn elicits a SYN/ACK reply from the victim network on its port 21. The exchange is then terminated by an RST sent from the hacker's machine back to the victim network. These three packets hold a wealth of fingerprinting information. We again have a ttl of 128 from the victim machine, but we also have win 64240. Although this value is not in the list, it is a window size I have seen many times before from Win32 (the 32-bit versions of Microsoft Windows such as NT, 2K, XP and 2K3). Another distinguishing trait of Windows machines is the predictability of their IP ID numbers. In this case we have only one IP ID value; we need at least one more before we can say with confidence that this is a Microsoft Windows machine. With that in mind, let's look at the remaining packets from the Nmap scan.
10:52:59.312500 IP (tos
proto: TCP (6), length:
cksum 0x3393 (correct),
0x0000: 4500 0028 d309
0x0010: c0a8 6f17 930c
0x0020: 5002 1000 3393
10:52:59.312500 IP (tos 0x0, ttl 128, id 399, offset 0, flags [DF], proto:
TCP (6), length: 44) 192.168.111.23.80 > 192.168.111.17.37644: S, cksum
The first piece of information the hacker looks at is whether the IP ID has incremented to 399. The IP ID is indeed 399, as we can see in the middle of the packet. With this, the hacker is fairly confident that the victim machine he is attacking is Windows NT, 2K, XP or 2K3. Also visible in this packet sequence is that port 80 on the victim network appears to have a service, evidenced by the SYN/ACK. The SYN/ACK is identified by examining the flags field in the TCP header; in this case the underlined hex value is 12, which is 18 in decimal. That value is arrived at by adding the SYN flag value of 2 to the ACK flag value of 16.
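The fields read off the dumps above by eye (ttl, IP ID, TCP flags, window size) can be decoded programmatically, which is how a defender would check a scan at the packet level rather than trusting a tool's summary. The following Python is an added example and is not part of the original article, of Nmap or of tcpdump. It takes the two complete hex dumps printed above (the SYN/ACK from 192.168.111.23:21 and the RST the scanner answers with), parses the IPv4 and TCP headers, and applies the same reasoning as the text: ttl 128 as a Windows hint, flags 0x12 = SYN|ACK, and whether consecutive IP IDs from the victim increase by one (398 is decoded from the dump; 399 is the value the article reads off the next SYN/ACK). The initial-ttl values other than 128 are a common-default heuristic and are not stated in the article.

```python
"""Decode the tcpdump hex dumps printed in the article and pull out the
fields the text reasons about: ttl, IP ID, TCP flags and window size.

Added example, not part of the original article, Nmap or tcpdump. It uses
the two complete dumps from the page (the SYN/ACK from 192.168.111.23:21
and the RST the scanner answers with); the ASCII columns are omitted.
"""
import struct

SYN_ACK_HEX = (
    "4500 002c 018e 4000 8006 99c4 c0a8 6f17"
    "c0a8 6f11 0015 930c 6473 7d44 77d8 01a2"
    "6012 faf0 4f58 0000 0204 05b4 0000"
)
RST_HEX = (
    "4500 0028 006e 0000 8006 dae8 c0a8 6f11"
    "c0a8 6f17 930c 0015 77d8 01a2 77d8 01a2"
    "5004 0000 ca50 0000"
)

TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

# Common initial ttl values; only 128 -> Windows comes from the article.
INITIAL_TTLS = ((64, "Linux/BSD-like"), (128, "Windows-like"), (255, "Solaris/router-like"))


def parse_ipv4_tcp(hex_dump):
    """Parse the IPv4 and TCP headers of one tcpdump -x dump into a dict."""
    data = bytes.fromhex(hex_dump.replace(" ", ""))
    (ver_ihl, _tos, total_len, ip_id, frag,
     ttl, proto, _cksum) = struct.unpack("!BBHHHBBH", data[:12])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    src = ".".join(str(b) for b in data[12:16])
    dst = ".".join(str(b) for b in data[16:20])
    # Bound the segment by the IP total length: tcpdump shows Ethernet
    # padding after short packets (the trailing 0000 in the SYN/ACK dump).
    tcp = data[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    flags = off_flags & 0x01FF
    return {
        "src": src, "dst": dst, "ip_id": ip_id, "ttl": ttl,
        "df": bool(frag & 0x4000),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags,
        "flag_names": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
        "window": window,
    }


def ttl_hint(ttl):
    """Round an observed ttl up to the nearest common initial value and name
    the OS family usually associated with it (128 -> Windows in the text)."""
    for initial, family in INITIAL_TTLS:
        if ttl <= initial:
            return initial, family
    return None, "unknown"


def ip_ids_look_sequential(ip_ids):
    """True when each IP ID from the same host is exactly one more than the
    previous one, the predictable IP ID behaviour the article uses as a
    second Windows indicator."""
    return len(ip_ids) >= 2 and all(b - a == 1 for a, b in zip(ip_ids, ip_ids[1:]))


if __name__ == "__main__":
    for label, dump in (("SYN/ACK from victim", SYN_ACK_HEX), ("RST from scanner", RST_HEX)):
        p = parse_ipv4_tcp(dump)
        print(f"{label}: {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
              f"id={p['ip_id']} ttl={p['ttl']} flags={'|'.join(p['flag_names'])} win={p['window']}")
    print("ttl hint:", ttl_hint(parse_ipv4_tcp(SYN_ACK_HEX)["ttl"]))
    # 398 is decoded from the dump; 399 is the IP ID the article reads off the next SYN/ACK.
    print("victim IP IDs sequential:", ip_ids_look_sequential([398, 399]))
```

The segment is sliced by the IP total length rather than by the dump length because tcpdump prints the Ethernet padding that follows a 44-byte packet, which would otherwise be mistaken for TCP option bytes.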
Enumeration
Once the hacker knows that both port 21 and port 80 are open for business, he moves on to enumeration. What he needs to know now is what kind of web server is listening for connections. It would make no sense for this hacker to use an Apache exploit against an IIS web server. With that in mind, the attacker opens a cmd.exe session and finds out what kind of server it is.
C:\>nc.exe 192.168.111.23 80
GET slslslls
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Mon, 06 Aug 2007 15:11:48 GMT
Content-Type: text/html
Content-Length: 87
The parameter is incorrect.
C:\>
and has been provided. With this information in hand, the hacker can proceed to attack the victim network's web server. In the next part we will go on to look at what attacks the hacker might use against the users in this scenario.
Snort output
The syntax used to run Snort against the captured packets is as follows:
C:\snort\bin\snort.exe -r c:\article_binary -dv -c snort.conf -A full
In this way the attacker used netcat to enumerate the web server and find out what kind of web server it is. This activity did not trigger a single Snort alert. We also want to understand what happened, so let's take a closer look at the packet log. After the usual TCP/IP handshake, we see the packet below.
15:04:51.546875 IP (tos 0x0, ttl 128, id 9588, offset 0, flags [DF], proto:
TCP (6), length: 51) 192.168.111.17.1347 > 192.168.111.23.80: P, cksum
0x5b06 (correct), 3389462932:3389462943(11) ack 2975555611 win 64240
0x0000: 4500 0033 2574 4000 8006 75d7 c0a8 6f11 E..3%t@...u...o.
0x0010: c0a8 6f17 0543 0050 ca07 1994 b15b 601b ..o..C.P.....[`.
0x0020: 5018 faf0 5b06 0000 4745 5420 736c 736c P...[...GET.slsl
0x0030: 736c 0a sl.
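The payload of the PSH packet above is the hand-typed request "GET slslsl" followed by a bare line feed, which is nothing like the request line a browser produces. A simple shape check on the first line of traffic to port 80 is one way a defender can make such a probe stand out even when a signature set stays quiet, as Snort did here. The following Python is an added example and is not part of the article, of netcat or of Snort; the probe payload is the 11 payload bytes from the dump above, and the other sample requests are constructed for comparison.

```python
"""Sanity-check the first line of a TCP payload against the shape of an
HTTP/1.x request line, so a hand-typed netcat probe like the one in the
article is reported even when a signature-based IDS stays quiet.

Added example, not part of the article, netcat or Snort. The probe payload
comes from the packet dump above; the other samples are constructed.
"""
import re

# Payload bytes of the PSH packet above (the 11 bytes after the TCP header).
PROBE_PAYLOAD = bytes.fromhex("4745 5420 736c 736c 736c 0a".replace(" ", ""))

KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                 b"OPTIONS", b"TRACE", b"CONNECT"}
HTTP_VERSION = re.compile(rb"HTTP/\d\.\d")


def request_line_anomalies(payload):
    """Return the reasons the payload's first line does not look like a
    well-formed HTTP/1.x request line; an empty list means it looks normal."""
    first_line, terminator, _rest = payload.partition(b"\n")
    reasons = []
    if not terminator:
        reasons.append("no line terminator (partial request line)")
    elif not first_line.endswith(b"\r"):
        reasons.append("line ends in bare LF rather than CRLF")
    tokens = first_line.rstrip(b"\r").split(b" ")
    if tokens[0] not in KNOWN_METHODS:
        reasons.append("unknown method %r" % tokens[0])
    if len(tokens) != 3:
        reasons.append("expected 'METHOD TARGET VERSION', got %d token(s)" % len(tokens))
    if len(tokens) >= 2:
        target = tokens[1]
        if not (target.startswith(b"/") or target.startswith(b"http://") or target == b"*"):
            reasons.append("request target %r is not a path or absolute URI" % target)
    if len(tokens) < 3 or not HTTP_VERSION.fullmatch(tokens[2]):
        reasons.append("missing or malformed HTTP version")
    return reasons


# Constructed samples alongside the probe from the article.
SAMPLES = {
    "netcat probe from the article": PROBE_PAYLOAD,
    "ordinary request (constructed)": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "HTTP/0.9-style request (constructed)": b"GET /\r\n",
    "unknown method (constructed)": b"FOO / HTTP/1.1\r\n",
}


def triage(samples=SAMPLES):
    """Map each sample name to its list of anomalies."""
    return {name: request_line_anomalies(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage().items():
        verdict = "ok" if not reasons else "; ".join(reasons)
        print(f"{name}: {verdict}")
```

The check deliberately reports every deviation rather than stopping at the first, so an analyst can tell a benign legacy client (HTTP/0.9 request, two tokens) from an interactive probe (bare LF, bogus target, no version) when reviewing the output.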