ADSL Intrusion Prevention

Source: Internet
Author: User

With the rapid development of ADSL networks around the world, permanent connectivity is no longer a distant dream, but we must understand that a permanent connection to the Internet also means that the likelihood of being attacked rises greatly. Knowing the enemy is the first step to winning, so let us look at how hackers break into ADSL users' machines and how to guard against it.

Methods used to hack ADSL users

In many places ADSL is billed monthly, so a hacker can spend a long time on port and vulnerability scanning, brute-force the password online, or run a sniffer and simply wait for the victim's user name and password to be delivered to the doorstep automatically.

A successful network attack generally follows several steps. The first step is to collect information about the target: to analyze the target thoroughly, as much useful information as possible must be gathered so that a list of the target's vulnerabilities can finally be drawn up. The results of the analysis include the operating system type and version, the open services and their versions, the network topology, the network equipment and the firewall.

Hacker scans mainly use TCP/IP stack fingerprinting. The main implementation techniques are:

1. TCP ISN sampling: look for a pattern in the initial sequence numbers chosen by the target and match it against the pattern of a specific operating system.

2. FIN probe: send a FIN packet (or any packet without the ACK or SYN flag) to an open port on the target and wait for a response. Many systems reply with a reset (RST flag).

3. Bogus flag: send a SYN packet whose TCP header carries an undefined TCP flag; some operating systems can be told apart by how they respond to that flag.

4. TCP initial window: simply check the window size in the returned packet; the size can be used to identify each operating system.
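As an added example that is not code from the original article, the following PowerShell parses constructed Windows Firewall log lines and flags the FIN probes of technique 2 (FIN set, ACK and SYN clear), grouped by source address. The field order follows the pfirewall.log W3C format (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, ...); the addresses and lines are constructed sample data.

```powershell
# Added example, not from the original article. Sample log lines are constructed;
# the column layout follows the Windows Firewall pfirewall.log format.
$SampleLog = @"
2024-05-01 10:00:01 DROP TCP 203.0.113.9 192.0.2.10 40001 445 40 F - - - - - - - RECEIVE
2024-05-01 10:00:01 DROP TCP 203.0.113.9 192.0.2.10 40002 139 40 F - - - - - - - RECEIVE
2024-05-01 10:00:02 DROP TCP 203.0.113.9 192.0.2.10 40003 80 40 S - - - - - - - RECEIVE
2024-05-01 10:00:05 ALLOW TCP 198.51.100.4 192.0.2.10 51515 443 52 S - - - - - - - RECEIVE
2024-05-01 10:00:06 ALLOW TCP 198.51.100.4 192.0.2.10 51515 443 40 FA - - - - - - - RECEIVE
"@

function Find-FinProbes {
    param([string[]]$Lines)
    $probes = foreach ($line in $Lines) {
        # Skip the "#Fields:" header and blank lines of a real log file
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 10 -or $f[3] -ne 'TCP') { continue }
        $flags = $f[9]
        # A FIN probe carries FIN with neither ACK nor SYN; a normal connection
        # teardown always carries ACK together with FIN (the "FA" line above).
        $isFinProbe = ($flags -match 'F') -and ($flags -notmatch 'A') -and ($flags -notmatch 'S')
        if ($isFinProbe) {
            [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Source = $f[4]; DstPort = $f[7]; Flags = $flags }
        }
    }
    # Group by source so one host probing many ports shows up as a single finding
    $probes | Group-Object Source | ForEach-Object {
        [pscustomobject]@{
            Source = $_.Name
            Probes = $_.Count
            Ports  = ($_.Group.DstPort | Sort-Object -Unique) -join ','
        }
    }
}

# On the constructed sample this reports 203.0.113.9 with 2 probes against ports 139,445
Find-FinProbes -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

To run it against a real log, replace the constructed lines with `Get-Content $env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log`.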

Although there are many scanning techniques, the principle is very simple. Here is a brief introduction to the scanning tool Nmap (Network Mapper). It is known as the best scanner available today: powerful, versatile, supports many platforms, flexible, easy to use, highly portable, leaves very few traces, and can scan not only TCP/UDP ports but also scan and probe large networks.

Note that some real-looking domain names are used here to make the scanning behavior more concrete. Substitute the names or addresses of your own network. You had better scan only after you have obtained permission, otherwise you will have to bear the consequences.

nmap -v target.example.com

This command scans all reserved TCP ports on target.example.com; -v enables verbose mode.

nmap -sS -O target.example.com/24

This command starts a SYN half-open scan against the class C subnet in which target.example.com resides and also tries to determine which operating system is running on each target. It requires administrator privileges because half-open scanning and OS detection are used.

The second step of the attack is to establish a connection to the other machine in order to find login information. Now assume that scanning shows the other machine has IPC$ enabled. IPC$ is the share that exposes named pipes; it is important for communication between programs and is used when managing a computer remotely or viewing its shared resources. Through IPC$, a hacker can establish a null connection (without a user name and password) and use it to obtain the user list of the other side.

The third step is to log in with a suitable tool. Open a command prompt and type: net use \\222.222.222.222\ipc$ "123456" /user:Administrator

Here we assume that the administrator password is 123456. If you do not know the administrator password, you would need other password-cracking tools to help. After logging in, everything is under the hacker's control.


Prevention methods

Because ADSL users are generally online for a long time, their awareness of security protection must be strengthened. Many are online more than 10 hours a day, some even leave the machine running overnight, and some turn their own machine into a Web or FTP server for others to visit. Routine preventive work can generally be divided into the following steps.

Step one, be sure to disable the Guest account. Many intrusions go through this account to further obtain the administrator password or privileges. If you do not want to hand your computer to others as a toy, disable it. Open Control Panel, double-click Users and Passwords, and select the Advanced tab (Figure 1). Click the Advanced button to bring up the Local Users and Groups window (Figure 2). Right-click the Guest account, select Properties, and on the General page check "Account is disabled" (Figure 3).


Step two, stop the shares. When Windows 2000 is installed, several hidden shares are created. Click Start → Run → cmd and type "net share" at the command line to view them (Figure 4). There are many articles on the Internet about IPC intrusion, all of which rely on these default shares. To disable them, open Administrative Tools → Computer Management → Shared Folders → Shares, right-click the shared folder in question and click "Stop Sharing".


Step three, turn off unnecessary services, such as Terminal Services, IIS (if you do not use your own machine as a Web server), RAS (Remote Access Service) and so on. The very annoying Messenger service should also be turned off, otherwise the message service will keep delivering online ads. Open Administrative Tools → Computer Management → Services and Applications → Services, and stop whatever you see that is useless.

Step four, prohibit null connections. By default any user can connect to the server through a null connection, enumerate the accounts and guess passwords. Null connections must be prohibited, by one of the following two methods:

(1) Modify the registry:

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, set the DWORD value RestrictAnonymous to 1.

(2) Modify the Windows 2000 local security policy:

In Local Security Policy → Local Policies → Security Options, set "Additional restrictions for anonymous connections" (RestrictAnonymous) to "Do not allow enumeration of SAM accounts and shares".

Step five, if the Web service is running, the IIS service also needs to be configured securely:

(1) Change the Web service home directory. Right-click Default Web Site → Properties → Home Directory → Local Path, and point the local path to a different directory.

(2) Delete the Inetpub directory that was installed by default.

(3) Delete the following virtual directories: _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin, MSADC.

(4) Remove unnecessary IIS extension mappings. Right-click Default Web Site → Properties → Home Directory → Configuration, open the application mappings window and remove the mappings that are not needed. If no other mappings are required, keep only .asp and .asa.

(5) Back up the IIS configuration. Use the backup feature of IIS to save the complete configured IIS setup, so that the hardened configuration can be restored at any time.
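As an added example that is not part of the original article, this PowerShell audit checks the state of steps one to four on a modern Windows host. It assumes PowerShell 5.1 or later with the LocalAccounts and SmbShare modules, run from an elevated prompt; the Windows 2000 GUI paths above have no direct equivalent here, and the service names are the usual Windows service names for the services the steps mention.

```powershell
# Added example, not from the original article. Assumes PowerShell 5.1+ on a modern
# Windows host with the LocalAccounts and SmbShare modules, run elevated.
function Test-NullSessionHardening {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Step one: the built-in Guest account (RID 501, name may be localized) must be disabled
    $guest = Get-LocalUser | Where-Object { "$($_.SID)" -like 'S-1-5-21-*-501' }
    if ($null -eq $guest) { Add-Finding 'Guest account disabled' $true 'account not present' }
    else { Add-Finding 'Guest account disabled' (-not $guest.Enabled) "Enabled=$($guest.Enabled)" }

    # Step two: hidden default shares (C$, ADMIN$, ...) other than IPC$ still exposed?
    $hidden = @(Get-SmbShare | Where-Object { $_.Name -like '*$' -and $_.Name -ne 'IPC$' })
    Add-Finding 'No hidden drive/admin shares' ($hidden.Count -eq 0) (($hidden | ForEach-Object Name) -join ',')

    # Step three: services the article says to turn off (Terminal Services, IIS, RAS, Messenger)
    foreach ($svc in 'TermService', 'W3SVC', 'RasMan', 'Messenger') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($null -eq $s) { Add-Finding "Service $svc absent" $true 'not installed'; continue }
        Add-Finding "Service $svc stopped" ($s.Status -ne 'Running') "Status=$($s.Status), StartType=$($s.StartType)"
    }

    # Step four: RestrictAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    # (a missing value is read as 0, i.e. null sessions still allowed)
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ra = [int]$lsa.RestrictAnonymous
    Add-Finding 'RestrictAnonymous >= 1' ($ra -ge 1) "RestrictAnonymous=$ra"

    return $findings
}

Test-NullSessionHardening | Format-Table -AutoSize
```

Note that the hidden drive and admin shares stopped in Computer Management are recreated at the next boot unless the DWORD AutoShareWks (workstations) or AutoShareServer (servers) under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters is set to 0, so the audit is worth repeating after a restart.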

Do not assume that this is all that is needed: nobody knows how many bugs Microsoft's operating systems contain, so be sure to apply Microsoft's patches.

Finally, we recommend choosing a practical firewall, for example BlackICE from Network ICE Corporation. Its installation and operation are very simple: even someone unfamiliar with network security can detect most types of hacker attacks with the default configuration. Experienced users can also choose "Advanced Firewall Settings" under "Tools" to accept or reject traffic from specific IP addresses or on specific UDP ports, for targeted defensive effect.
