
SYSTEM HACKING LAB EXERCISES

LAB 1: FOOTPRINTING
This is the technique a hacker uses to gather information about a business, an individual or an organisation. A great deal of information about a target can be discovered with it. For example, in the first exercise we apply this technique to look up information about a domain (for example www.tvetnam.com) and to see whose contact email is registered for that domain; in the second exercise we collect a list of email addresses for a given keyword, a method that is also useful for businesses that want to run email marketing campaigns. In this phase the hacker tries to gather as much information as possible about the business (through internet channels and the phone) and about individuals (through email and their activity on the Internet); if this step is done well, the hacker can determine which of our weak points to attack. For example, to attack the domain www.tvetnam.com the hacker must first find out which email address owns the domain, then try to obtain that email account's password by attacking the mail server or sniffing the internal network, and finally take over the domain through the owner's email.
Step 1: Finding information about the domain
Go to www.whois.net to look up information and enter the domain you want to investigate.
You then receive information like the following:
Besides looking up domain information as above, we can use Reverse IP domain lookup utilities to see how many hosts share the same IP as ours. Use the following link for this utility:
http://www.domaintools.com/reverse-ip/
This information is very valuable to a hacker, because based on the list of sites sharing the same server, the hacker can go through the vulnerable websites in that list, attack the server, and from there control every website hosted on it.
Step 2: Finding email information
In this exercise we use the program "1st email address spider" to look up information about email addresses. A hacker can use this program to collect more information about mail accounts, or to filter out different groups of email addresses; however, you can also use this tool to collect information for marketing purposes, for example when you need the email addresses ending in @vnn.vn or @hcm.vnn.vn to market a product.
You can configure which website is used to harvest the information, for example google.com for the search. Then type the keyword vnn.vn into the keyword field.
After that we obtain a list of email addresses with this program.
LAB 2: SCANNING
Scanning, also called network scanning, is an indispensable step in a hacker's attack on a network. If this step is done well, the hacker will quickly find vulnerabilities in the system, for example the Windows RPC vulnerability or vulnerabilities in web server software such as Apache. From these vulnerabilities the hacker can use malicious code (taken from websites) to attack the system and, at a minimum, obtain a shell.
There are many kinds of scanning software, including commercial products such as Retina and GFI and free ones such as Nmap and Nessus. Commercial editions can usually update their vulnerability databases from the internet and can therefore detect newer vulnerabilities. Scanning software helps administrators find the vulnerabilities in their systems and also suggests fixes, such as applying service packs and patches or using more appropriate policies.
Step 1: Using Nmap
Before doing this exercise, students should review the theory material on nmap's options. We can use the program on the CEH v5 CD or download the latest version from the website www.insecure.org. Nmap has two editions, one for Windows and one for Linux; in the Nmap exercise we use the Windows edition.
To do this exercise, students should use VMware and boot several different operating systems such as Win XP SP2, Win 2003 SP1, Linux Fedora Core, Win 2000 SP4, etc.
First we use Nmap to probe which hosts in the subnet are up and which ports those hosts have open. Run nmap -h to review Nmap's options, then run nmap -sS 10.100.100.1-20. The result is as follows:
C:\Documents and Settings\longdt>nmap -sS 10.100.100.1-20
Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-02 10:27 Pacific Standard Time
Interesting ports on 10.100.100.1:
Not shown: 1695 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
MAC Address: 00:0C:29:09:1D:10 (VMware)
Interesting ports on 10.100.100.6:
Not shown: 1678 closed ports
PORT     STATE SERVICE
7/tcp    open  echo
9/tcp    open  discard
13/tcp   open  daytime
17/tcp   open  qotd
19/tcp   open  chargen
23/tcp   open  telnet
42/tcp   open  nameserver
53/tcp   open  domain
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1030/tcp open  iad1
2105/tcp open  eklogin
3389/tcp open  ms-term-serv
8080/tcp open  http-proxy
MAC Address: 00:0C:29:59:97:02 (VMware)
Interesting ports on 10.100.100.7:
Not shown: 1693 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:0C:29:95:09:03 (VMware)
Interesting ports on 10.100.100.11:
Not shown: 1695 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:06:21:31 (VMware)
Skipping SYN Stealth Scan against 10.100.100.13 because Windows does not support scanning your own machine (localhost) this way.
All 0 scanned ports on 10.100.100.13 are
Interesting ports on 10.100.100.16:
Not shown: 1689 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
MAC Address: 00:0C:29:D6:73:6D (VMware)
Interesting ports on 10.100.100.20:
Not shown: 1693 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
1000/tcp open  cadlock
5101/tcp open  admdog
MAC Address: 00:15:C5:65:13:85 (Dell)
Nmap finished: 20 IP addresses (7 hosts up) scanned in 21.515 seconds
The network contains several hosts: VMware virtual machines and one Dell machine. The next step is to look for OS information about these hosts with the command nmap -O ip address.
C:\Documents and Settings\longdt>nmap -vv -O 10.100.100.7
(see detailed Nmap output)
Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-02 10:46 Pacific Standard Time
Initiating ARP Ping Scan at 10:46
Scanning 10.100.100.7 [1 port]
Completed ARP Ping Scan at 10:46, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:46
Completed Parallel DNS resolution of 1 host. at 10:46, 0.01s elapsed
Initiating SYN Stealth Scan at 10:46
Scanning 10.100.100.7 [1697 ports]
Discovered open port 1025/tcp on 10.100.100.7
Discovered open port 445/tcp on 10.100.100.7
Discovered open port 135/tcp on 10.100.100.7
Discovered open port 139/tcp on 10.100.100.7
Completed SYN Stealth Scan at 10:46, 1.56s elapsed (1697 total ports)
Initiating OS detection (try #1) against 10.100.100.7
Host 10.100.100.7 appears to be up ... good.
Interesting ports on 10.100.100.7:
Not shown: 1693 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:0C:29:95:09:03 (VMware)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows 2003 Server SP1
OS fingerprint:
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IPID Sequence Generation: Incremental
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 3.20 seconds
Raw packets sent: 1767 (78.60KB) | Rcvd: 171 (79.328KB)
The fingerprints can be viewed in C:\Program Files\Nmap\nmap-os-fingerprints.
Continue with the remaining machines.
C:\Documents and Settings\longdt>nmap -O 10.100.100.1
Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-02 10:54 Pacific Standard Time
Interesting ports on 10.100.100.1:
Not shown: 1695 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
MAC Address: 00:0C:29:09:1D:10 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.12 (x86)
Uptime: 0.056 days (since Thu Aug 02 09:34:08 2007)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 2.781 seconds
However, there are some hosts Nmap cannot identify, as in the following:
C:\Documents and Settings\longdt>nmap -O 10.100.100.16
Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-02 10:55 Pacific Standard Time
Interesting ports on 10.100.100.16:
Not shown: 1689 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
MAC Address: 00:0C:29:D6:73:6D (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://insecure.org/nmap/submit/ ).
TCP/IP fingerprint:
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 12.85 seconds
Still, we can recognise that this is a server running SQL and web services. Now we use the command nmap -p 80 -sV 10.100.100.16 to determine the HTTP server version.
C:\Documents and Settings\longdt>nmap -p 80 -sV 10.100.100.16
Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-02 11:01 Pacific Standard Time
Interesting ports on 10.100.100.16:
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS webserver 5.0
MAC Address: 00:0C:29:D6:73:6D (VMware)
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 6.750 seconds
So we can guess that most of the hosts are Windows 2000 Server. Beyond the exercise above, we can also use Nmap's trace option, save the output to a log file, etc.
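As an added defender-side example (not part of the lab), the following Python script parses Nmap normal output in the layout shown in the scans above and flags, per host, the legacy "small services" and the RPC/SMB exposure that the rest of this lab goes on to exploit, so an administrator can decide what to shut down or firewall first. The sample excerpt and the two watch-lists are constructed assumptions, not the lab's own capture.

```python
import re
# Constructed excerpt in the layout of the Nmap 4.20 output in this lab (not the lab's capture).
SAMPLE = """\
Interesting ports on 10.100.100.1:
Not shown: 1695 closed ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:09:1D:10 (VMware)
Interesting ports on 10.100.100.6:
PORT STATE SERVICE
7/tcp open echo
19/tcp open chargen
23/tcp open telnet
135/tcp open msrpc
445/tcp open microsoft-ds
MAC Address: 00:0C:29:59:97:02 (VMware)
Nmap finished: 20 IP addresses (2 hosts up) scanned in 21.515 seconds
"""

# Illustrative watch-lists (assumption): TCP "small services" and telnet are cleartext or
# amplification risks; reachable RPC/SMB is the Windows exposure the lab's Retina report targets.
LEGACY = {"echo", "discard", "daytime", "qotd", "chargen", "telnet"}
WINDOWS_RPC_SMB = {"msrpc", "netbios-ssn", "microsoft-ds"}
HOST_RE = re.compile(r"^Interesting ports on (\S+):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text):
    """Map each scanned IP to {(port, proto): service} for its open ports only."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = hosts.setdefault(m.group(1), {})   # one dict per host block
        elif cur is not None and (m := PORT_RE.match(line)):
            port, proto, state, service = m.groups()
            if state == "open":                      # ignore closed/filtered rows
                cur[(int(port), proto)] = service
    return hosts

def triage(hosts):
    """Per host, the exposures an administrator should review first (may be empty)."""
    report = {}
    for ip, ports in hosts.items():
        services = set(ports.values())
        issues = []
        for label, watch in (("legacy", LEGACY), ("rpc/smb", WINDOWS_RPC_SMB)):
            if hit := sorted(services & watch):
                issues.append(f"{label}: {','.join(hit)}")
        report[ip] = issues
    return report
```

Running `triage(parse_nmap(SAMPLE))` on the real scan output above would list the .6 host first, since it exposes both the small services and RPC/SMB.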
Step 2: Discovering vulnerabilities
We use the Retina program to discover vulnerabilities and then attack with the Metasploit framework. eEye's Retina is a commercial product (like GFI, Shadow, etc.) that updates its vulnerability database regularly and helps system administrators come up with remediation.
Now we use Retina to scan the Win 2003 SP0 machine (10.100.100.6) for vulnerabilities.
Report from Retina:
TOP 20 VULNERABILITIES
The report lists the top 20 vulnerabilities found on the network:
Rank  Vulnerability Name                                  Count
1.    echo service                                        1
2.    ASN.1 Vulnerability Could Allow Code Execution      1
3.    Windows Cumulative Patch 835732 Remote              1
4.    Null Session                                        1
5.    No Remote Registry Access Available                 1
6.    telnet service                                      1
7.    DCOM Enabled                                        1
8.    Windows RPC Cumulative Patch 828741 Remote          1
9.    Windows RPC DCOM interface buffer overflow          1
10.   Windows RPC DCOM multiple vulnerabilities           1
11.   Apache 1.3.27 0x1A Character Logging DoS            1
12.   Apache 1.3.27 HTDigest Command Execution            1
13.   Apache mod_alias and mod_rewrite Buffer Overflow    1
14.   ApacheBench multiple buffer overflows               1
15.   HTTP TRACE method supported                         1

TOP 20 OPERATING SYSTEMS
The following is an overview of the top 20 operating systems on your network.
Rank  Operating System Name   Count
1.    Windows Server 2003     1

TOP 20 OPEN PORTS
The following is an overview of the top 20 open ports on your network.
Rank  Port Number  Description                                                 Count
1.    TCP: 7       ECHO - Echo                                                 1
2.    TCP: 9       DISCARD - Discard                                           1
3.    TCP: 13      DAYTIME - Daytime                                           1
4.    TCP: 17      QOTD - Quote of the Day                                     1
5.    TCP: 19      CHARGEN - Character Generator                               1
6.    TCP: 23      TELNET - Telnet                                             1
7.    TCP: 42      NAMESERVER / WINS - Host Name Server                        1
8.    TCP: 53      DOMAIN - Domain Name Server                                 1
9.    TCP: 80      WWW-HTTP - HTTP                                             1
10.   TCP: 135     RPC-LOCATOR - RPC (Remote Procedure Call) Location Service  1
11.   TCP: 139     NETBIOS-SSN - NETBIOS                                       1
12.   TCP: 445     MICROSOFT-DS - Microsoft-DS                                 1
13.   TCP: 1025    LISTEN - listen                                             1
14.   TCP: 1026    NTERM - nterm                                               1
15.   TCP: 1030    IAD1 - BBN IAD                                              1
16.   TCP: 2103    ZEPHYR-CLT - Zephyr Serv-HM Connection                      1
17.   TCP: 2105    EKLOGIN - Kerberos (v4) Encrypted RLogin                    1
18.   TCP: 3389    MS RDP (Remote Desktop Protocol) / Terminal Services        1
19.   TCP: 8080    Generic - Shared service port                               1
20.   UDP: 7       ECHO - Echo                                                 1

We have thus identified the operating system of the host 10.100.100.6, the ports it has open and its vulnerabilities. This is the information a system administrator needs in order to identify and patch them.
From the Top 20 vulnerabilities we will exploit the 10th, RPC DCOM, with the Metasploit framework (CEH v5 CD). These vulnerabilities can be checked on eEye's own site or on securityfocus.com and microsoft.com.
We use Metasploit's console interface to find the module matching the bug Retina has just found.
We can see the msrpc_dcom_ms03_026.pm exploit listed in Metasploit's exploit section. Now we can exploit this vulnerability.
After the exploit we have a shell on the Win 2003 machine, and can now upload a backdoor or collect the information we need from it (this topic is covered in later chapters).
Conclusion: Scanning software is very important to a hacker for discovering a system's vulnerabilities; once they are identified, the hacker can use an existing framework or code available on the Internet to take control of the target machine. However, it is also a valuable tool for system administrators: it lets them re-assess the security level of their own systems and continuously check for new bugs.
