Identify a target:
To fight an enemy you must know him. The same goes for a hack: you will have to gather information (as much as possible, for that matter) on the machine the hacker wants to get into; we will call that machine the "target". There are a lot of tools for this. Not all of them will apply to every machine, because their security differs and some tools will be ineffective. I have already covered many of these tools in other sections of this site, so I will not go over them again; I will just give a link to the article. But do not worry, I will give enough information for you to understand and to start experimenting a little.
We are not talking here about lame hacks using BO (Back Orifice) or some other moles and trojans. Here we are dealing with hacking servers, not grandma's PC running Win9x. The risks really start here, but I assume you are aware of them, so let's begin.
In this article I will not give the exact address of the server, as I did for the hack by FTP, because it would again be abused. So the server will be that of the company "assassin" and its DNS address (domain name service) will be http://www.assassin.com/. All the manipulations I explain in this article are carried out under Windows but work just as well (better, I hear from the back of the room?) under Linux; only the commands differ, and I will not explain them here. I will briefly go over the differences between IP addresses, DNS addresses and URLs. Every server has an IP address (well yes, since by definition a server is a computer connected to a network that other computers can see), except when it is not connected. For the precise definition of an IP address I refer you to the article I wrote on that subject. A DNS address is an address like http://... I do not write www because it depends: there are DNS addresses that do not start with www but with something like http://perso.infonie.fr, or ww2, or www3... It is true that www.assassin.com is easier to remember than 167.34.217.65. To obtain a DNS address, the company that owns the server has to pay between 500 and 1000 francs to an organization responsible for assigning addresses, which makes sure that two different servers do not use the same one. Finally, a URL combines the two things above. We speak of a URL to specify that this is the address of a server reached via port 80 (the port used for www, that is, web pages) and not an e-mail address. So when you ask for the URL of a site you generally get the DNS address, but you could very well be given its IP; that changes nothing for you, because if you type the IP of a server instead of its DNS address into Netscape you get the same pages. Provided of course that this server has a website.
Now that this is cleared up, let's get back to the heart of the matter. With a DNS address you cannot do much; we will need the IP address of the server, and for that we will do a ping. Type the following in DOS:
ping -a www.assassin.com and it will give you its IP :-) as well as the quality and speed of the connection, though we do not care much about those, I must say.
Now let's see how many machines there are between us and the assassin server. There are several ways to do this. Either you use a program like Visual Route (paid, last I heard) or NeoTrace or others, or you use a DOS command called tracert. I will not explain how the programs work; it is super easy and they have the advantage of being graphical, but for those who prefer lines of text, here is the option for you. Besides, I will explain it quickly, and even if you are a fan of graphical programs I guess you have nothing against a little general culture:
So you type: tracert url_of_the_server
example: tracert 167.34.217.65 or tracert www.assassin.com (both work)
If you get "host unreachable", either you copied the IP found earlier or the URL incorrectly, or the server is no longer connected.
All the machines between you and the target will be listed with their IP. Note them somewhere, or take a screenshot (Print Screen). The last IP listed will be that of the target. And if the one just before the target has the same first three numbers as the target, the target you are trying to attack is more than likely secured. That's going to be fun. In layman's terms, there is a machine on the LAN (the LAN being the boundary between the internal network and the external network) between the target machine and the Internet which ensures its protection. That is to say, the system administrator has invested in a machine (there may even be several) that serves only for security and nothing else. It is either a firewall, a filtering router, a bastion host, a bunker, a proxy, or some other thing of that kind :-). If no such machine shows up on the LAN when you do the tracert, that does not mean the same kind of protection is not built into the assassin server itself (that is almost always the case, by the way), but generally it is a fairly reliable indicator of the network's level of security.
If you read the article on IP you know that the first three numbers of an IP correspond to a domain and the last number corresponds to a machine on that network. In this example the domain is 167.34.217, since the assassin server's IP is 167.34.217.65, and the machine is at "post" 65. In the vast majority of cases (I would even say all) there are several machines in the same domain, and they must have a "post" number between 0 and 255. Of course there are domains that have more than 256 servers linked together, and in that case they either have several domains connected to the Internet (this is the case of AOL, which has hundreds beginning with 162, 171, 172, ...) or have sub-networks within the domain that are not directly connected to the Internet and use IPs that may already be in use by other servers on the Internet; since they have no direct connection to the Internet, no problem arises. And if they want to connect to the Internet they still do so via a proxy, and therefore take the proxy's IP to get answers back from the Internet or the external network. A proxy is a type of firewall that forwards requests between an internal network and an external network but allows no direct contact between two machines (well yes, security requires it), and if there were direct contact, the subnet machine would have an IP conflict as soon as it got back its original IP. All that complicated? It will be explained in detail in the article on firewalls. Doesn't going through a proxy that changes the IP remind you of something? Yes, spoofing! Life is good, but here it is not us who use it. So chase that from your thoughts or it will confuse you for the rest. For now your IP is not spoofed, but that will come. :-)
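The "same first three numbers" test from the tracert paragraph above, written out as an added example (this is not code from the original article). It parses a constructed Windows tracert output, pulls the IP of each hop, and checks whether the hop just before the target sits in the same /24 as the target, which is what the article treats as a sign of a filtering device in front of the server. The hostnames and addresses in the sample are made up; a network owner can run the same check over a trace to their own server to see what the path reveals.

```python
import ipaddress
import re

# Constructed sample of Windows tracert output (not a real trace); the
# hostnames and addresses are invented for this example.
SAMPLE_TRACERT = """\
Tracing route to www.assassin.com [167.34.217.65]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.0.1
  2    12 ms    11 ms    12 ms  10.20.0.1
  3    25 ms    24 ms    26 ms  gw.example-isp.net [198.51.100.9]
  4    31 ms    30 ms    31 ms  167.34.217.1
  5    33 ms    32 ms    33 ms  www.assassin.com [167.34.217.65]

Trace complete.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def hop_addresses(text):
    """Return the IPv4 address of each hop line, in order.
    Hop lines start with a hop number; the address is the last IPv4 on the
    line (it may sit inside [brackets] after a hostname)."""
    hops = []
    for line in text.splitlines():
        if not re.match(r"\s*\d+\s", line):
            continue  # header, blank or "Trace complete." line
        found = IPV4.findall(line)
        if found:
            hops.append(ipaddress.ip_address(found[-1]))
    return hops


def same_class_c(a, b):
    """The article's 'same first three numbers' test: both addresses
    (strings or ipaddress objects) fall in the same /24."""
    net_a = ipaddress.ip_network(f"{a}/24", strict=False)
    net_b = ipaddress.ip_network(f"{b}/24", strict=False)
    return net_a == net_b


def path_summary(text):
    """Summarise a trace: hop count, target, the hop before it, and whether
    that hop shares the target's /24 (the article's 'protected' indicator)."""
    hops = hop_addresses(text)
    if not hops:
        return {"hop_count": 0}
    target = hops[-1]
    gateway = hops[-2] if len(hops) >= 2 else None
    return {
        "hop_count": len(hops),
        "target": str(target),
        "last_hop_before_target": str(gateway) if gateway is not None else None,
        "gateway_on_target_net": gateway is not None and same_class_c(gateway, target),
        "target_net": str(ipaddress.ip_network(f"{target}/24", strict=False)),
    }


if __name__ == "__main__":
    for key, value in path_summary(SAMPLE_TRACERT).items():
        print(f"{key}: {value}")
```

In the constructed sample, hop 4 (167.34.217.1) is in 167.34.217.0/24 together with the target, so the summary reports gateway_on_target_net as True. The /24 assumption is the article's own simplification: a real network may be split on other boundaries, so treat the result as an indicator, exactly as the text says, not as proof.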
So I said that the assassin server was likely linked to other machines in its network, and to find them there are several methods:
- The first is to take a program called an IP scanner and enter the assassin server's IP into it. It will look for all servers with an IP between 167.34.217.0 and 167.34.217.255, since the target's IP is 167.34.217.65. The complete IP program will be released (hopefully), as you will have noticed.
- The second is to use the wealth of information that exists on most of the world's servers connected to the Internet and is available to everyone. All servers that have a DNS address (and others too, as far as I know) have recorded a certain amount of information, such as the number of computers with access to their server, the size (number of IPs or machines) of their domain... This mine of information is accessible by telnet, which means you will have to run telnet. Several servers provide this kind of info, including Internic (whois.internic.net) and Netcraft (www.netcraft.com), but we will come back to this in detail in another article because the possibilities of this research are quite mind-blowing. For now just know that it exists.
- The third is to do an SMTP EXPN on a machine of the network. If it returns an e-mail address on a different server in the same domain, you are set. I remind you that SMTP is port 25. You connect to it, and under Windows or Linux you type: HELO name_of_the_server, and once it has acknowledged you, you type EXPN ROOT. Of course you need a login; ROOT is the root login of course, but not always, far from it. The root login may even have only user status. Always try EXPN ROOT and see what happens; if it says "unknown login", try the other logins commonly used for root such as sysop, admin, ... and then if that does not work and the server you are attacking has a web page, you can try to find info on the various e-mail addresses on that site. Of course EXPN works not only for root but for any user.
- The fourth is to do an nslookup on a server, but it only works on Linux. To do it: nslookup www.assassin.com (in console mode of course)
- The fifth is dig. Also in console mode on Linux: dig www.assassin.com.
- The last way is to use specific ports such as finger (79) and whois (43), which, when not closed or unusable from a foreign host, are very instructive for finding out which machines and users are connected to this machine, their IPs and their rights. To see which ports are open (such as ftp, telnet, finger, ...) use a port scanner. Of course, for a server that only lets authorized people in, it checks criteria such as login, password, IP, source port, packet protocol, ... With the information we have just collected, it will be possible to use methods to falsify these criteria and circumvent security. But that's for another article...
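The EXPN/VRFY probing described in the third method above leaves a clear trace on the mail server side. As an added example (not from the original article), here is a small detector that reads a constructed SMTP command log, groups EXPN and VRFY lookups per client, and flags a client that either tries several distinct names or probes the admin-style names the text lists (root, sysop, admin, ...). The log format ("timestamp client_ip command") and all addresses are assumptions made up for the example, not any real MTA's format.

```python
import re
from collections import defaultdict

# Constructed SMTP command log for the example (not real traffic).
# Assumed format: "<timestamp> <client_ip> <smtp command line>".
SAMPLE_LOG = """\
2000-03-01T10:00:01 198.51.100.23 HELO mail.example.net
2000-03-01T10:00:02 198.51.100.23 MAIL FROM:<alice@example.net>
2000-03-01T10:00:03 198.51.100.23 RCPT TO:<bob@assassin.com>
2000-03-01T10:05:10 203.0.113.7 HELO probe
2000-03-01T10:05:11 203.0.113.7 EXPN root
2000-03-01T10:05:12 203.0.113.7 EXPN sysop
2000-03-01T10:05:13 203.0.113.7 EXPN admin
2000-03-01T10:05:14 203.0.113.7 VRFY postmaster
2000-03-01T10:09:00 192.0.2.44 HELO relay
2000-03-01T10:09:01 192.0.2.44 VRFY bob
"""

# Names the article says are commonly tried first when guessing the root login.
ADMIN_NAMES = {"root", "sysop", "admin", "administrator", "postmaster"}

# timestamp, client ip, four-letter SMTP verb, rest of the line
LINE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Za-z]{4})\b\s*(.*)$")


def parse_log(text):
    """Yield (timestamp, client_ip, verb, argument) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, ip, verb, arg = m.groups()
            yield ts, ip, verb.upper(), arg.strip()


def find_enumeration(text, threshold=3):
    """Group EXPN/VRFY lookups by client. A client is flagged when it makes at
    least `threshold` distinct lookups, or looks up any admin-style name."""
    lookups = defaultdict(list)
    for _ts, ip, verb, arg in parse_log(text):
        if verb in ("EXPN", "VRFY"):
            lookups[ip].append(arg.lower())

    report = {}
    for ip, names in lookups.items():
        distinct = sorted(set(names))
        admin_hits = [n for n in distinct if n in ADMIN_NAMES]
        reasons = []
        if len(distinct) >= threshold:
            reasons.append(f"{len(distinct)} distinct EXPN/VRFY lookups")
        if admin_hits:
            reasons.append("admin-style names probed: " + ", ".join(admin_hits))
        report[ip] = {"lookups": distinct, "flagged": bool(reasons), "reasons": reasons}
    return report


if __name__ == "__main__":
    for ip, entry in find_enumeration(SAMPLE_LOG).items():
        status = "FLAGGED" if entry["flagged"] else "ok"
        print(f"{ip}: {status} {entry['reasons']}")
```

On the sample, 203.0.113.7 is flagged on both counts while 192.0.2.44 (a single VRFY of an ordinary user) is only listed. The usual mitigation is to switch these verbs off altogether: Sendmail's PrivacyOptions accepts noexpn and novrfy, and Postfix has disable_vrfy_command (it does not implement EXPN at all).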
Now we will try to see which OS is running on the server. It will help us enormously to know which hacking method to use. There are SEVERAL methods for this; unfortunately, most of the ones I know go through Linux. I am not saying Linux or die, but if you are not a Windows expert (a real expert), there are plenty of things you cannot do without the specific program, and such programs (I am talking about hacker programs like SATAN, nmap, ...) are very rare under Windows. You are therefore obliged either to port them from Linux to Windows yourself or to write your own application so that Windows begins to resemble something usable. There are many ways to find out which OS a server runs. Here are several methods:
- The first is FTP. We do as for the hack by FTP, and on connection we will see a line that the server sends us giving the type of OS it uses. This is not an exact science because a lot of servers remove this line or replace it with a false one or an advertising banner (security or commercial :-( ). So under Windows that's all, but if you are on Linux, just type system to get more information about the server's OS.
- The second happens under Linux; it consists of:
playground~> telnet hpux.u-aizu.ac.jp
Trying 163.143.103.12 ...
Connected to hpux.u-aizu.ac.jp.
Escape character is '^]'.
HP-UX hpux B.10.01 A 9000/715 (ttyp2)
login:
(From the American magazine Phrack)
You can see the version of the server's OS (5th line, for those who did not spot it).
- The third method also happens under Linux:
playground> echo 'GET / HTTP/1.0\n' | nc hotbot.com 80 | egrep '^Server:'
Server: Microsoft-IIS/4.0
playground>
(Still taken from the same zine)
- Finally, the last and best method also goes through Linux: it consists of using the TCP packets sent back by a server to find out which server it is. Indeed, most servers have a TCP stack implementation so specific and so different from every other that someone who knows all the versions of every OS in the world, and builds their peculiarities in handling TCP, UDP and even ICMP packets into a program, can say almost with certainty which OS runs on a server. Indeed, when it receives a packet of whatever protocol (TCP or UDP; ICMP is a case apart since it is only used for error packets or for packets sent back as redirects because of an incorrect header), the server slightly alters the TCP packet header in ways that are of no use to normal users and do not touch their data. This alteration is recorded and analyzed. Since each OS alters it differently, its type and version are immediately detected. This program is called nmap and is available at the following address: http://www.insecure.org/nmap.
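Stack fingerprinting of the kind just described works by sending TCP packets whose flag combinations no normal client ever emits (no flags at all, SYN and FIN together, FIN/PSH/URG without ACK, ...) and watching how the stack answers, so from the server side those packets are the thing to look for. The following is an added example, not from the original article or from nmap: it classifies constructed packet records by their flag combination and reports a source that sends several such probes at one host. The packet list and the addresses are made up for the example; in practice the records would come from a packet capture or firewall log.

```python
from collections import defaultdict

# Constructed packet records for the example (not a real capture):
# (source_ip, destination_ip, destination_port, tcp_flags), flags written as
# letters: S=SYN A=ACK F=FIN R=RST P=PSH U=URG.
SAMPLE_PACKETS = [
    ("198.51.100.23", "167.34.217.65", 80, "S"),     # ordinary web client
    ("198.51.100.23", "167.34.217.65", 80, "A"),
    ("203.0.113.7", "167.34.217.65", 80, "S"),       # probing host
    ("203.0.113.7", "167.34.217.65", 80, ""),        # NULL probe
    ("203.0.113.7", "167.34.217.65", 80, "SFPU"),    # SYN+FIN+PSH+URG probe
    ("203.0.113.7", "167.34.217.65", 80, "A"),
    ("203.0.113.7", "167.34.217.65", 31337, "FPU"),  # Xmas probe to closed port
    ("192.0.2.44", "167.34.217.65", 25, "S"),        # mail client, one odd packet
    ("192.0.2.44", "167.34.217.65", 25, "F"),
]


def anomalous_flags(flags):
    """Return a reason string if this TCP flag combination is one a normal
    client never sends, else None. These shapes are what stack-fingerprinting
    and stealth-scan probes rely on to provoke OS-specific replies."""
    f = set(flags.upper())
    if not f:
        return "NULL (no flags set)"
    if "S" in f and "F" in f:
        return "SYN+FIN together"
    if {"F", "P", "U"} <= f and "A" not in f:
        return "FIN+PSH+URG without ACK (Xmas)"
    if "F" in f and "A" not in f and "S" not in f:
        return "FIN without ACK"
    return None


def detect_fingerprinting(packets, min_anomalies=2):
    """Group anomalous packets by (source, destination); a source that sends at
    least `min_anomalies` of them to one host is reported as probing it."""
    seen = defaultdict(list)
    for src, dst, port, flags in packets:
        reason = anomalous_flags(flags)
        if reason:
            seen[(src, dst)].append((port, reason))
    return {
        f"{src}->{dst}": {"anomalies": hits, "probing": len(hits) >= min_anomalies}
        for (src, dst), hits in seen.items()
    }


if __name__ == "__main__":
    for pair, entry in detect_fingerprinting(SAMPLE_PACKETS).items():
        print(pair, "PROBING" if entry["probing"] else "noise", entry["anomalies"])
```

On the sample, 203.0.113.7 produces three distinct anomalies against 167.34.217.65 and is reported as probing, while the single stray FIN from 192.0.2.44 stays below the threshold. A single malformed packet can be a broken stack or a dropped segment, which is why the threshold matters; a firewall in front of the server (the machine the tracert paragraph talks about) can simply drop these combinations so the real stack never answers them.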
Something else that can be used: put an "=" after a cgi-bin; if the server has the flaw it will give you the OS version, kernel, scripts... Generally good, but you need this kind of information before being logged on the machine, and you will only get it if you have read access via http to the cgi-bin. For example, if a server named assassin has a buggy php cgi script you can simply do this: = www.assassin.com/cgi-bin/php.cgi?/
Of course not all the steps above are necessary; it is rare for all of them to be mandatory, but if you cannot get into a server directly, try to get in through a less secure one that it trusts, and that is what knowing which machines it communicates with is for.