Please refer to the source when reprinting.
PopSky's Blog
www.popsky.org
QQ: 396421483
What is Information Collection
Information collection, commonly known as "casing the joint", is the open or covert inspection of the target host, its related facilities and its administrators, carried out to understand the target's security defences; identifying the target host's operating system is one example. It is the prelude to an attack. The information gathered can cover the system, the network, data, user activity and behaviour, and sometimes it must be collected from several key points in the computer network.
There is an old Chinese saying: "Know yourself and know your enemy, and you will never be defeated." A successful hacker not only has to master a large body of computer network and programming techniques, but in some cases also needs a grounding in social engineering. Only by making full use of these skills, together with imagination, can the success rate of an intrusion be raised.
Information collection procedure
Information collection can be divided into two steps:
1. Determine the target:
The targets discussed here generally fall into two kinds. In the first, the attacker has a clear target and motive in advance; in the second, the target is found by random scanning, with no clear intent beforehand, and is chosen only for some incidental reason.
2. Collect specific information:
This can roughly be approached from two directions. First, powerful security detection software is used to probe the target host from many angles, and an effective attack strategy is worked out after analysing the results. Second, social engineering is used to gather pre-intrusion information according to the predetermined goal, which often yields unexpected results; however, this approach is demanding and difficult, and requires a good ability to obtain and process information.
How to counter information collection
1. Modify the TTL value.
We know that hackers can use the Windows ping program to detect the other party's operating system:
C:\Documents and Settings\Administrator>ping 221.195.40.52
Pinging 221.195.40.52 with 32 bytes of data:
Reply from 221.195.40.52: bytes=32 time=84ms TTL=128
Reply from 221.195.40.52: bytes=32 time=126ms TTL=128
Reply from 221.195.40.52: bytes=32 time=75ms TTL=128
Reply from 221.195.40.52: bytes=32 time=79ms TTL=128
In the case above, the TTL value lets us identify the target host as a Windows NT/2K/XP/2003 system, because the default TTL of Windows NT/2K is 128. If the host does not filter ICMP, a single ping is enough to learn which system it runs. We can change this value ourselves to deceive the prober.
We can change it to 255, the value used by UNIX-class systems. Save the following content as a .reg file and double-click it to import it:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DefaultTTL"=dword:000000ff
Note: The hexadecimal value of decimal 255 is FF.
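The following is an added example, not code from the original post, showing what the TTL rule of thumb above actually tells a prober and what changing DefaultTTL does to that picture. It goes one step beyond the article: besides mapping the observed TTL to a platform family, it estimates the hop distance (initial TTL minus observed TTL). The platform table, the post-change sample and the filtered sample are constructed for the example; the first sample is the reply text quoted in the article.

```python
import re
from typing import Dict, List

# Conventional initial TTL values and the platform families that use them by
# default. Constructed for this example: it reflects the rule of thumb the
# article uses (Windows = 128, UNIX-class = 255) plus the common Linux/BSD
# default of 64.
INITIAL_TTLS = {
    64: "Linux/BSD",
    128: "Windows NT/2K/XP/2003",
    255: "UNIX-class (Solaris, AIX) or network device",
}

# Matches both "TTL=128" and the spaced form "TTL = 128" seen in pasted output.
TTL_FIELD = re.compile(r"TTL\s*=\s*(\d+)", re.IGNORECASE)


def extract_ttls(ping_output: str) -> List[int]:
    """Pull every TTL value out of raw ping output."""
    return [int(v) for v in TTL_FIELD.findall(ping_output)]


def guess_initial_ttl(observed: int) -> int:
    """The initial TTL is the smallest conventional value >= the observed one;
    each router on the path decrements the field by one."""
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial
    raise ValueError("TTL above 255 is not a valid IPv4 value")


def fingerprint(ping_output: str) -> Dict[str, object]:
    """Estimate the platform family and hop distance from ping output."""
    ttls = extract_ttls(ping_output)
    if not ttls:
        # No echo replies: ICMP is filtered or the host is down, so the
        # TTL trick yields nothing at all.
        return {"verdict": "no ICMP echo replies (filtered or host down)"}
    observed = ttls[0]
    initial = guess_initial_ttl(observed)
    return {
        "observed_ttl": observed,
        "initial_ttl": initial,
        "hops": initial - observed,
        "verdict": INITIAL_TTLS[initial],
    }


# Sample 1: the reply lines quoted in the article (TTL=128).
PAGE_OUTPUT = """\
Pinging 221.195.40.52 with 32 bytes of data:
Reply from 221.195.40.52: bytes=32 time=84ms TTL=128
Reply from 221.195.40.52: bytes=32 time=126ms TTL=128
"""

# Sample 2 (constructed): the same host after the DefaultTTL=255 .reg file is
# imported, observed from five router hops away.
AFTER_REG_CHANGE = """\
Reply from 221.195.40.52: bytes=32 time=84ms TTL=250
Reply from 221.195.40.52: bytes=32 time=90ms TTL=250
"""

# Sample 3 (constructed): a host that filters ICMP, so nothing can be inferred.
FILTERED = "Request timed out.\nRequest timed out.\n"

if __name__ == "__main__":
    for label, sample in (("page", PAGE_OUTPUT),
                          ("after", AFTER_REG_CHANGE),
                          ("filtered", FILTERED)):
        print(label, fingerprint(sample))
```

Two things worth noticing when running it: the estimate is only a heuristic, so a host whose replies arrive with TTL=60 is classified as Linux/BSD four hops away even if it is really a Windows box with a very long path; and after the registry change the same Windows host scores as "UNIX-class", which is exactly the deception the article aims for. The change alters the story the host tells, not its actual exposure, so it complements filtering ICMP rather than replacing it.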
2. Modify the default Banner information
Intruders can telnet to the host's web port (80 by default) and issue a GET request to learn the server version from the response:
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Sat, 13 Jan 2007 03:17:58 GMT
Content-Type: text/html
Content-Length: 87
<html></html>
The above shows the response from one host. From the line Server: Microsoft-IIS/5.0 we can easily see that the other host is running IIS 5.0 on Windows. Connecting with an FTP client to the target host's FTP port likewise returns the host's FTP information; if the server uses the FTP service that comes with Windows, the returned Banner reveals that it is Microsoft's.
So how can we change the Banner information? First we need to know where the operating system stores it:
The files are in the %systemroot%\system32\inetsrv directory, as follows:
Web: %systemroot%\system32\inetsrv\w3svc.dll
FTP: %systemroot%\system32\inetsrv\ftpsvc.dll
SMTP: %systemroot%\system32\inetsrv\smtpsvc.dll
We can open them in Notepad and search for the Banner keyword we want. For example, for the IIS web service we search for Microsoft-IIS/5.0, change it to whatever we want, and save. (Note: the IIS service must be stopped before the modification.) Another point to note: because of the Windows File Protection mechanism, a modified system file will be restored. Therefore, first delete the file of the same name under the %systemroot%\system32\dllcache directory, and only then modify the file.
In the case of Windows 2003, Windows has removed the returned error message, so there is nothing to modify (w3svc.dll no longer exists on Windows 2003).
If the Telnet service is enabled on your operating system, intruders can also telnet to port 23 to obtain your system version. We can confuse them by modifying its Banner. On Windows 2000 and Windows 2003 the Telnet Banner is stored in %systemroot%\system32\login.cmd; we can open it in Notepad and edit its contents. For example, we can change it to Red Hat Linux release 9.0 Kernel 2.4.18-14 on an i686.
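As an added example (not code from the original post), here is a small audit that checks what the HTTP, FTP and Telnet banners of your own servers give away, and whether each one matches the banner you intended to publish after editing w3svc.dll, ftpsvc.dll or login.cmd. The HTTP response is the one shown in the article; the FTP greeting, the Telnet greeting, the masked "Web" header and the disclosure patterns are constructed for the example, and the Telnet decoy text is the Red Hat string the article suggests.

```python
import re
from typing import Dict, List, Optional

# Patterns that reveal a vendor, product, version or OS. Constructed for this
# example; extend it with whatever your own environment must never expose.
DISCLOSURE_PATTERNS = {
    "vendor": re.compile(r"\b(Microsoft|Red Hat|Debian|Ubuntu)\b", re.IGNORECASE),
    "product": re.compile(r"\b(IIS|Apache|nginx|Telnet Service|FTP Service)\b",
                          re.IGNORECASE),
    "version": re.compile(r"\b\d+\.\d+(\.\d+)?\b"),
    "os": re.compile(r"\b(Windows|Linux|Kernel)\b", re.IGNORECASE),
}


def http_server_header(raw: bytes) -> Optional[str]:
    """Return the Server: header value from a raw HTTP response, or None."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def ftp_greeting(raw: bytes) -> Optional[str]:
    """Return the text of the FTP 220 greeting line, or None."""
    for line in raw.decode("latin-1").splitlines():
        if line.startswith("220"):
            return line[3:].lstrip("- ").strip()
    return None


def disclosures(banner: str) -> List[str]:
    """Names of the disclosure categories the banner matches."""
    return [name for name, pat in DISCLOSURE_PATTERNS.items() if pat.search(banner)]


def audit(service: str, banner: Optional[str],
          expected: Optional[str] = None) -> Dict[str, object]:
    """Summarise what one banner gives away. If `expected` is given (the banner
    you deliberately configured, decoy or not), `ok` means the live banner
    matches it; otherwise `ok` means nothing recognisable is disclosed."""
    if banner is None:
        return {"service": service, "banner": None, "leaks": [], "ok": True}
    leaks = disclosures(banner)
    ok = (banner == expected) if expected is not None else not leaks
    return {"service": service, "banner": banner, "leaks": leaks, "ok": ok}


# The response quoted in the article, as the raw bytes a telnet session shows.
HTTP_BEFORE = (b"HTTP/1.1 400 Bad Request\r\n"
               b"Server: Microsoft-IIS/5.0\r\n"
               b"Date: Sat, 13 Jan 2007 03:17:58 GMT\r\n"
               b"Content-Type: text/html\r\n"
               b"Content-Length: 87\r\n\r\n<html></html>")
# Constructed: the same server after the string in w3svc.dll was replaced.
HTTP_AFTER = HTTP_BEFORE.replace(b"Microsoft-IIS/5.0", b"Web")
# Constructed sample resembling the greeting of the Windows FTP service.
FTP_BEFORE = b"220 Microsoft FTP Service\r\n"
# The decoy text the article suggests placing in login.cmd.
TELNET_DECOY = "Red Hat Linux release 9.0 Kernel 2.4.18-14 on an i686"

if __name__ == "__main__":
    print(audit("http", http_server_header(HTTP_BEFORE)))
    print(audit("http", http_server_header(HTTP_AFTER)))
    print(audit("ftp", ftp_greeting(FTP_BEFORE)))
    print(audit("telnet", TELNET_DECOY, expected=TELNET_DECOY))
```

The decoy case is the instructive one: the Red Hat string still "leaks" a vendor, a version and an OS, because the check cannot tell a true banner from a false one. That is why `audit` takes the banner you meant to publish and reports whether the live service still matches it; if Windows File Protection has silently restored the original DLL, the mismatch shows up here before an outsider notices it.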
The above summarises several common Banner modifications; I hope they serve as a useful starting point. Intrusion and defence have always evolved together, and hackers have many more ways of collecting information about a host. To keep your host secure, you must maintain the security of every part of the system.