Text: Jianghai (seak@163.net)
Statement:
1. What you are reading is the text version of "A Guide to Security and Maintenance for Individual Network Users". The article has been published in "Gateway to the Network" (网络之门), a supplement to "Computer Applications Digest" (计算机应用文摘). Traditional media wishing to reprint it should contact that magazine and obtain permission first.
2. The author, seak (ID on the HIT Lilac BBS), permits this article to be reproduced on any non-commercial BBS, newsgroup or web site. Altering, abridging or adding to it, copying parts of it, or dressing it up for use in any formal publication is strictly forbidden. Reproductions must be complete.
3. Because the editors at "Computer Applications Digest" revised the article and the author later expanded it again, among other factors, some chapters of this electronic version do not match the published article. The author also reserves the right to expand and revise the article again and to republish it online.
4. This is a popular-science article, written with the abilities of ordinary network users in mind; it has no value for experts in the field. The author has tried to give users an accurate description, but because of limits on the author's time and skill, the author cannot guarantee that the views and remedies discussed here are absolutely correct. Everyone is welcome to discuss any question with me at seak@163.net.
I. How the attack works, in brief
Many net users have had this experience: you are happily chatting with friends in a chat room when the machine suddenly blue-screens and has to be restarted. ISPs' NT servers also come under inexplicable attack from time to time. Even worse, every machine in an Internet cafe or a company can blue-screen and crash almost simultaneously. Very likely these machines were hit by an OOB attack. What is an OOB attack? The attacker exploits a flaw in the way the Windows TCP/IP stack and its NetBIOS-over-TCP/IP component (Microsoft's networking protocol) handle out-of-band (OOB, i.e. TCP urgent) data. All it takes is for someone to send, out-of-band, one small TCP segment over TCP/IP to an open port on some IP address (usually port 139, the NetBIOS session service), and an unprotected, unpatched Win95/NT system crashes on the spot. NT will reboot itself; 95 generally has to be restarted by hand. Some patches let you press ESC to leave the blue screen and keep working, but until you reboot the machine cannot access TCP/IP networks at all.
Besides 139, other ports on which OOB data might be accepted, such as 137, 138 and 113, could also be attacked. Note that out-of-band data is a TCP mechanism (the URG flag and urgent pointer), so only a port on which the machine actually accepts TCP connections is a usable target.
Of course, the instability of the 95 series is notorious, so there is no need to blame every blue screen on OOB. A typical blue screen on a 95 machine hit by an OOB attack reads roughly:
Fatal exception 0E at 0028: in VxD MSTCP(01)+000041AE
This was called from 0028: in VxD NDIS(01)+0000D7C
It should be noted that this type of attack mainly works against unpatched 95 and NT systems and has no effect on 98. According to the latest information, however, someone has already found a flaw in WIN98's TCP/IP protocol stack and released a tool that targets it; reportedly the attack blue-screens 98, and after pressing ESC to return, the machine likewise cannot access TCP/IP resources and must be rebooted. As this article was being finished I received a set of programs in UNIX C; according to the accompanying notes, two of the programs can attack 98, and the mechanism appears to be a DoS (Denial of Service) attack on the 95/98 ICMP protocol and on the IGMP protocol respectively. In my experience, such attacks generally exploit flaws in the target machine's protocol handling by sending a continuous stream of large fragmented packets, forming a packet storm that crashes the target. For lack of time I have not been able to analyse and test them, and can only warn readers that 98 cannot rest easy either.
II. Some typical attack tools
NUKE, WINNUKE and their variants: the OOB attack tools now popular on the net have developed from the original simple ones, which picked one IP and attacked port 139, into tools that can attack a whole IP range, attack continuously, verify the effect of the attack, and probe for and select ports. That is why an entire address block is often found blue-screened at once.
SSPING: SSPING is an effective IP attack tool. Its mechanism is to send a continuous stream of large, fragmented ICMP packets to the target IP; the attacked 95 system tries to reassemble the fragments and crashes in the process.
TEARDROP: Teardrop is another remote attack tool that uses fragmented packets (fragments whose offsets overlap, which the reassembly code mishandles). Its most notable feature is that, besides 95/NT, it can also attack Linux.
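The following is an added example written for this text; it is not code from the article or from any of the tools it names. It is a small offline detector in Python for the two packet shapes described in sections I and II: a TCP segment carrying urgent (OOB) data to port 139, and IP fragments whose byte range overlaps an earlier fragment of the same datagram, as Teardrop sends. The packets it runs over are constructed inline (addresses, the client ports and payloads are made up); on real traffic you would feed it raw IPv4 packets taken from a capture.

```python
"""Offline detector for the two packet shapes the article describes.

Added example, not code from the article or the tools it names.
Rule A: TCP segment with URG set and a non-zero urgent pointer, to port 139
        (the OOB / WinNuke shape).
Rule B: IP fragment whose byte range overlaps a fragment already seen for the
        same (src, dst, id, protocol), the Teardrop shape.
All addresses and payloads below are constructed test data.
"""
import struct
from collections import defaultdict

NETBIOS_SESSION_PORT = 139   # NetBIOS over TCP/IP session service
TCP_URG = 0x20               # URG bit of the TCP flags field
IP_MF = 0x2000               # "more fragments" bit in the flags/offset word
IP_OFFSET_MASK = 0x1FFF      # fragment offset, in 8-byte units


def parse_ipv4(packet):
    """Return the IPv4 header fields the rules need plus the layer-4 payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    return {
        "id": ident,
        "proto": proto,
        "more_fragments": bool(flags_off & IP_MF),
        "frag_offset": (flags_off & IP_OFFSET_MASK) * 8,   # in bytes
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "payload": packet[ihl:total_len],
    }


def is_oob_to_netbios(ip):
    """Rule A. Only the first fragment carries the TCP header, so offset 0 only."""
    if ip["proto"] != 6 or ip["frag_offset"] != 0 or len(ip["payload"]) < 20:
        return False
    _sport, dport, _seq, _ack, off_flags, _win, _csum, urg_ptr = \
        struct.unpack("!HHIIHHHH", ip["payload"][:20])
    flags = off_flags & 0x1FF
    return dport == NETBIOS_SESSION_PORT and bool(flags & TCP_URG) and urg_ptr > 0


class FragmentTracker:
    """Rule B: remember each fragment's [start, end) per datagram, flag overlap."""

    def __init__(self):
        self.seen = defaultdict(list)

    def observe(self, ip):
        if not ip["more_fragments"] and ip["frag_offset"] == 0:
            return False                      # unfragmented datagram
        key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
        start, end = ip["frag_offset"], ip["frag_offset"] + len(ip["payload"])
        overlap = any(start < e and s < end for s, e in self.seen[key])
        self.seen[key].append((start, end))
        return overlap


def scan(packets):
    """Run both rules over raw IPv4 packets; return (index, rule, src, dst) alerts."""
    tracker, alerts = FragmentTracker(), []
    for i, pkt in enumerate(packets):
        ip = parse_ipv4(pkt)
        if is_oob_to_netbios(ip):
            alerts.append((i, "OOB urgent data to tcp/139", ip["src"], ip["dst"]))
        if tracker.observe(ip):
            alerts.append((i, "overlapping IP fragment", ip["src"], ip["dst"]))
    return alerts


# --- constructed test packets (no checksums; never sent on a wire) ----------
def _ip(addr):
    return bytes(int(x) for x in addr.split("."))


def build_ipv4(src, dst, proto, payload, ident=1, more=False, offset=0):
    flags_off = (IP_MF if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, _ip(src), _ip(dst))
    return hdr + payload


def build_tcp(sport, dport, flags, urg_ptr=0, data=b""):
    # data offset 5 (no options) in the top nibble, flags in the low 9 bits
    return struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags,
                       8192, 0, urg_ptr) + data


SAMPLE_PACKETS = [
    # 0: ordinary session-service traffic to 139 (PSH|ACK, no urgent data)
    build_ipv4("10.0.0.5", "10.0.0.9", 6, build_tcp(1025, 139, 0x18, data=b"\x00\x00\x00\x04")),
    # 1: OOB / WinNuke shape: URG set, urgent pointer 3, three bytes of OOB data
    build_ipv4("10.0.0.66", "10.0.0.9", 6, build_tcp(2000, 139, 0x18 | TCP_URG, urg_ptr=3, data=b"Bye")),
    # 2, 3: normal fragment pair, second fragment starts where the first ends
    build_ipv4("10.0.0.5", "10.0.0.9", 17, b"A" * 16, ident=7, more=True, offset=0),
    build_ipv4("10.0.0.5", "10.0.0.9", 17, b"A" * 8, ident=7, more=False, offset=16),
    # 4, 5: Teardrop shape: the second fragment lies inside the first
    build_ipv4("10.0.0.66", "10.0.0.9", 17, b"B" * 36, ident=242, more=True, offset=0),
    build_ipv4("10.0.0.66", "10.0.0.9", 17, b"B" * 4, ident=242, more=False, offset=24),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
```

Run stand-alone it prints two alerts, one for packet 1 (urgent data to tcp/139) and one for packet 5 (the fragment that lands inside an earlier one); the benign session traffic and the well-formed fragment pair produce nothing. Rule A deliberately requires a non-zero urgent pointer rather than the URG bit alone, since a stack may set URG on an ordinary segment; Rule B keys on (src, dst, id, protocol), which is what the receiving stack uses to group fragments.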
III. Defending against OOB attacks
Since Microsoft has not yet responded to the ICMP and IGMP flaws in 98, only defences against the OOB attack can be described here.
(1) Manual defences
WIN3.X
Edit SYSTEM.INI, find the [MSTCP] section, and add the line BSDUrgent=0 beneath it.
Windows 95
Edit the registry with Regedit. Under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP
add a string value named "BSDUrgent" with the data "0".
Then rename VNBT.386 to VNBT.BAK.
This makes 95 shut down its NetBIOS service, but it also costs the machine the
peer-to-peer printing and file-sharing functions of Microsoft Networking.
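As an added example (not from the article), the following Python script checks the two manual settings above on exported configuration text: it parses a Windows 95 REGEDIT4 export (as produced by "regedit /e") and a Windows 3.x SYSTEM.INI, and reports whether BSDUrgent is set to 0 under the MSTCP key. The key path and value name are the ones given above; the file contents are constructed samples, as is the host name in them.

```python
"""Audit of the manual OOB mitigations on exported configuration text.

Added example, not from the article.  It checks a Windows 95 REGEDIT4 export
and a Windows 3.x SYSTEM.INI for BSDUrgent=0 under the MSTCP key.
The file contents at the bottom are constructed samples.
"""

MSTCP_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP"


def parse_sections(text):
    """Parse INI-style text ([section] then name=value) into {section: {name: value}}.

    SYSTEM.INI and a REGEDIT4 export share this shape; the quotes a REGEDIT4
    export puts around names and string values are stripped.  Section and
    value names are lower-cased because registry paths are case-insensitive.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            name, value = (part.strip().strip('"') for part in line.split("=", 1))
            sections[current][name.lower()] = value
    return sections


def audit_win95_registry(reg_export):
    """True when BSDUrgent is the string "0" under the MSTCP VxD key.

    A dword:00000000 entry is reported as not fixed: the documented setting is a
    string value, and this check does not assume the stack accepts other types.
    """
    values = parse_sections(reg_export).get(MSTCP_KEY.lower(), {})
    return values.get("bsdurgent") == "0"


def audit_win3x_system_ini(ini_text):
    """True when the [MSTCP] section of SYSTEM.INI contains BSDUrgent=0."""
    return parse_sections(ini_text).get("mstcp", {}).get("bsdurgent") == "0"


# --- constructed samples ----------------------------------------------------
VULNERABLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP]
"Hostname"="pc1"
"""

PATCHED_EXPORT = VULNERABLE_EXPORT + '"BSDUrgent"="0"\n'

PATCHED_SYSTEM_INI = """[386Enh]
device=*vmcpd

[MSTCP]
BSDUrgent=0
"""

if __name__ == "__main__":
    print("win95 unpatched export fixed?", audit_win95_registry(VULNERABLE_EXPORT))
    print("win95 patched export fixed?  ", audit_win95_registry(PATCHED_EXPORT))
    print("win3.x SYSTEM.INI fixed?     ", audit_win3x_system_ini(PATCHED_SYSTEM_INI))
```

On a fleet (the cafe or office the article mentions) the same functions can be pointed at exports gathered from each machine; the thing to watch for is a well-meaning administrator creating BSDUrgent as a DWORD, which the audit treats as not fixed.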
(2) Vendor patches and installation notes
Win95
Microsoft has quite a few patches related to this bug; please note that they must be installed in the following order.
1. Install the MS DUN 1.2 update and reboot (download MSDUN12.EXE).
2. Install the Winsock update and reboot (download WS2SETUP.EXE).
3. Install the WINSOCK22 patch and reboot (the file is usually named VIPUP20.EXE).
At this point the system is protected against some of the IP attack tools, such as SSPING and TEARDROP.
4. Install the patch file VTCPUP20.EXE and reboot (download VTCPUP20.EXE).
5. Rename VNBT.386 to VNBT.BAK, or fix VNBT (run VNBT.EXE), and reboot.
This protects against WINNUKE and similar tools.
Defending WIN3.X
There seems to be no corresponding patch for WIN3.X; please refer to the manual procedure above.
NT4
1. Install Service Pack 3 or later (download the Chinese-language Service Pack 6).
2. Install the patch for attack tools such as Teardrop 2 (download TEARFIXI.EXE).
NT 3.51
1. Apply the separate patches for NT on x86 and on Alpha, then upgrade to Service Pack 5.
WIN98
No similar vulnerability has been found yet.
------
Patches against the WIN98 IGMP attack: choose the patch that matches your version of 98.
Win98 first edition IGMP patch download
Win98 OEM-2 edition IGMP patch download
(3) "Bulletproof vests" and third-party patches
NOCRASH: NOCRASH is named after an OOB attack tool called CRASH. It appears to be a simple tool that edits the registry to disable NetBIOS; it is fairly effective against the traditional port-139 attack but does not give complete protection, and it prevents the other bulletproof vests from being used. So if getting online is convenient for you, we still recommend downloading Microsoft's own patches, or using NUKENAB.
ANTINUKE: an early add-on program that defends against attacks on port 139 and captures the attacker's IP. Its notable feature is that it strikes back at the attacker, and it makes some of the tools that probe whether port 139 is open overflow; it also works on NT. Its shortcomings: first, it can only listen on one port; second, it also reports Network Neighborhood access to your machine as an attack.
NUKENAB: currently the most complete bulletproof vest. Besides the five ports the program listens on by default, you can specify one more port for it to watch (we usually choose 113), for a total of six. It captures the attacker's IP, and it offers several configurable settings, such as opening and closing ports and the sound played when an attack is detected. Worth special mention: when you find someone intruding on you with hacker tools such as BO or NETBUS, you can have NUKENAB listen on the corresponding open port to discover the intruder's address.