Intrusion and penetration involve a great deal of knowledge and technique; it is not something that can be mastered with a stroke or two.
One. Footprinting (casing the target)
This stage gathers basic security-relevant information about the target host and network, mainly:
1. Administrator contact information, telephone and fax numbers;
2. IP address range;
3. DNS servers;
4. Mail servers.
Related search methods:
1. Searching the web.
This establishes target information and prepares for later dictionary attacks and Trojan intrusion. Examine the web page source code for comments and hidden fields, in particular hidden fields inside a FORM tag. For example:
<form action=/poll/poll.asp method=post>
<input Type=hidden Name=vice value=vice>
</FORM>
Such fields can be probed for SQL injection, in preparation for a later intrusion into the database.
Related tools: wget under Unix, Teleport under Windows.
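As an added example (not code from the original article), the following script does the review described above from the site owner's side: it lists the HTML comments and hidden form fields a page exposes, using a constructed sample page modelled on the poll form shown.

```python
# Added example, not from the original article: audit a page's HTML for the two
# things the text says to look for, comments and hidden form fields.
from html.parser import HTMLParser

# Constructed sample page modelled on the poll form shown above.
SAMPLE_HTML = """
<html><body>
<!-- TODO: remove debug field before release -->
<form action=/poll/poll.asp method=post>
<input type=hidden name=vice value=vice>
<input type=hidden name=debug value=1>
<input type=text name=answer>
</form>
</body></html>
"""


class LeakAuditor(HTMLParser):
    """Collect HTML comments and hidden inputs, tagged with the enclosing form's action."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.hidden_fields = []   # (form_action, name, value)
        self._form_action = None

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_action = a.get("action")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden_fields.append((self._form_action, a.get("name"), a.get("value")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit(html):
    """Return the comments and hidden fields found in an HTML document."""
    p = LeakAuditor()
    p.feed(html)
    p.close()
    return {"comments": p.comments, "hidden_fields": p.hidden_fields}
```

Run over a site's own pages, the output shows exactly what a visitor reading the source would see, and is a cheap check before release.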
2. Link search
The server hosting the target site may host other sites with weaknesses that can be exploited, and following links can also reveal implied information.
Search methods:
Through a variety of search engines: Google, http://www.dogpile.com, http://www.hotbot.com
Two. Enumeration
A. Determine the target domain name and related network information.
Search method:
WHOIS query. A WHOIS database query can yield the following information:
1. Registrar: displays the relevant registration information and the associated WHOIS server;
2. Organization: displays all information relevant to a particular organization;
3. Domain name: displays all information related to a particular domain name;
4. Network: displays all information related to a particular network or a single IP address;
5. Point of contact: displays all information related to a particular person.
Web-based lookup: http://www.infobear.com/whois.shtml
Example: output of whois 163.com@whois.internic.net
Registrant:
Netease.com, Inc.
36/f Peace World Plaza, no.362-366
Huan Shi Dong Road
Guangzhou, Guangdong 510060
CN
Domain name:163.com
Administrative contacts, Technical contact:
Netease.com, Inc. nsadmin@corp.netease.com
36/f Peace World Plaza, no.362-366
Huan Shi Dong Road
Guangzhou, Guangdong 510060
CN
+86-20-85525516 Fax: +86-20-85525535
Record expires on 24-jan-2009.
Record created on 15-sep-1997.
Database last updated on 10-feb-2006 03:24:01 EST.
Domain servers in listed order:
ns.nease.net 202.106.185.75
ns3.nease.net 220.181.28.3
B. The ARIN database can be queried for the network address assignment information corresponding to a domain name.
Related search address: http://ws.arin.net/cgi-bin/whois.pl
Use http://whois.apnic.net/apnic-bin/whois2.pl to query an IP address and collect information about its network:
Example: 163.com -> 202.108.9.16
inetnum:      202.108.0.0 - 202.108.255.255
netname:      CNCGROUP-BJ
descr:        CNCGROUP Beijing Province Network
descr:        China Network Communications Group Corporation
descr:        No.156,Fu-Xing-Men-Nei Street,
descr:        Beijing 100031
country:      CN
admin-c:      CH455-AP
tech-c:       SY21-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CNCGROUP-BJ
mnt-routes:   MAINT-CNCGROUP-RR
changed:      hm-changed@apnic.net 20031017
status:       ALLOCATED PORTABLE
changed:      hm-changed@apnic.net 20060124
source:       APNIC

role:         CNCGROUP Hostmaster
e-mail:       abuse@cnc-noc.net
address:      No.156,Fu-Xing-Men-Nei Street,
address:      Beijing,100031,P.R.China
nic-hdl:      CH455-AP
phone:        +86-10-82993155
fax-no:       +86-10-82993102
country:      CN
admin-c:      CH444-AP
tech-c:       CH444-AP
changed:      abuse@cnc-noc.net 20041119
mnt-by:       MAINT-CNCGROUP
source:       APNIC

person:       Sun Ying
address:      Beijing Telecommunication Administration
address:      TaiPingHu DongLi, XiCheng District
address:      Beijing 100031
country:      CN
phone:        +86-10-66198941
fax-no:       +86-10-68511003
e-mail:       suny@publicf.bta.net.cn
nic-hdl:      SY21-AP
mnt-by:       MAINT-CHINANET-BJ
changed:
source:       APNIC
Knowing the target network makes a roundabout penetration possible: look for weak points, get into the target network, and then attack targets from inside.
C. DNS information query
The Domain Name System allows a DNS namespace to be split into multiple zones, each storing the name information of one or more DNS domains.
Zone replication and zone transfer: a zone transfer mechanism is used between DNS servers to synchronize and replicate the data in a zone.
The security issue with zone transfers is not the domain name information being transmitted as such, but whether the transfer is configured correctly, because zone data often contains the names of internal hosts and servers that should not be exposed.
Related tools:
1. Windows: nslookup, SamSpade;
2. Unix: nslookup, dig, host, axfr
How to use under Windows:
C:\>nslookup
Default Server: <destination DNS server>
Address: <IP address of the destination>
> set type=any                          // accept any possible DNS record type
> ls -d 163.com > zone.163.com.txt      // list the records of the target domain; the result is saved in zone.163.com.txt
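As an added example (not from the original article), this script reviews a zone listing of the kind saved in zone.163.com.txt from the administrator's side: it flags the records an unrestricted zone transfer would hand out that point at private address space or carry internal-looking names. The record format and the sample records are constructed; the keyword list is an assumption to adjust per site.

```python
# Added example, not from the original article: what would an open zone
# transfer reveal? Flags private addresses and internal-looking host names.
import ipaddress
import re

# Constructed sample in the "name type data" shape of an nslookup ls -d listing;
# the public addresses reuse the 202.108.9.0 range quoted in the article.
SAMPLE_ZONE = """\
example.com.   SOA   ns1.example.com hostmaster.example.com.
example.com.   NS    ns1.example.com
www            A     202.108.9.16
mail           A     202.108.9.25
intranet       A     10.0.1.5
vpn-gw         A     202.108.9.40
backup-db      A     192.168.20.7
printer        AAAA  fd12:3456::9
"""

# Assumed keyword list: names that suggest an internal role.
INTERNAL_HINTS = re.compile(r"(intranet|vpn|backup|db|dev|test|admin|printer)", re.I)


def parse_zone(text):
    """Yield (name, rtype, data) for each record line, skipping blanks and headers."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")):
            continue
        parts = line.split(None, 2)
        if len(parts) == 3:
            yield parts[0], parts[1].upper(), parts[2]


def find_leaks(text):
    """Return [(name, reason)] for records an open AXFR would expose needlessly."""
    findings = []
    for name, rtype, data in parse_zone(text):
        reasons = []
        if rtype in ("A", "AAAA"):
            try:
                if ipaddress.ip_address(data.split()[0]).is_private:
                    reasons.append("private address " + data)
            except ValueError:
                pass   # malformed address data, leave it to a zone-syntax check
        if INTERNAL_HINTS.search(name):
            reasons.append("internal-looking name")
        findings.extend((name, r) for r in reasons)
    return findings
```

Anything this flags is a reason to either move the record to an internal-only view or restrict transfers to the secondaries that need them.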
D. The network topology and the addresses of network devices are obtained with traceroute.
Related tools:
Windows: tracert supports the ICMP protocol.
Unix: traceroute supports the ICMP and DNS protocols. Because most firewalls already filter ICMP, traceroute under Unix is the better choice; the -p option lets you specify which port to use, and -n suppresses name lookups.
Three. Network scanning
Different networks call for different scanning methods:
1. For an internal network there are many usable options. ICMP is universally available, so broadcasting ICMP packets on the intranet can distinguish Windows from Unix systems. Send an ICMP echo request (type 8); if an echo reply (type 0) comes back, the remote host is alive.
Related tools:
Unix: fping and gping
Windows: Pinger (fast, multi-threaded)
2. For an external network there are also many options, involving many techniques, such as TCP scans and UDP scans.
In fact, I am very reluctant to use scanning tools: they easily make the other side aware that an intrusion is under way. A firewall or intrusion detection system will record our footprints to some degree, and against a diligent administrator the intrusion is likely to end in failure.
But usage depends on preference. When we test the security of a network or host we cannot ignore scanning; security testing is not an intrusion, and comprehensive testing against hacker and worm attacks is necessary. The port scanner recommended here is Nmap, because its mechanisms for avoiding IDS detection, its reassembled TCP three-way handshake, its slow-scan mode and so on are unmatched by other scanners. UDP scans are unreliable for a few reasons:
A UDP scan relies on ICMP Port Unreachable messages: if, after sending a UDP packet to a port of interest on the destination, no ICMP Port Unreachable message comes back, the port is considered open.
Reasons for unreliability:
1. Routers may discard UDP packets;
2. Many UDP services do not respond;
3. Firewalls are generally configured to discard UDP packets (except DNS);
4. A dormant UDP port does not send an ICMP Port Unreachable message.
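The footprints mentioned above are what a firewall or IDS actually records. As an added example (not from the original article), this script runs simple detection logic over constructed firewall log lines in an assumed key=value format and flags the two patterns this section describes: an ICMP echo (type 8) sweep across many hosts from one source, and probes against many TCP ports on one host from one source.

```python
# Added example, not from the original article: parse constructed firewall log
# lines (simplified key=value format, an assumption) and flag scan footprints.
import re
from collections import defaultdict

# Constructed sample: one source pinging many hosts, another probing many ports.
SAMPLE_LOG = """\
2006-02-10T03:24:01 DROP proto=ICMP type=8 src=192.0.2.9 dst=10.0.0.1
2006-02-10T03:24:01 DROP proto=ICMP type=8 src=192.0.2.9 dst=10.0.0.2
2006-02-10T03:24:01 DROP proto=ICMP type=8 src=192.0.2.9 dst=10.0.0.3
2006-02-10T03:24:02 DROP proto=ICMP type=8 src=192.0.2.9 dst=10.0.0.4
2006-02-10T03:24:05 ACCEPT proto=ICMP type=8 src=10.0.0.50 dst=10.0.0.1
2006-02-10T03:25:10 DROP proto=TCP src=198.51.100.7 dst=10.0.0.10 dport=21
2006-02-10T03:25:10 DROP proto=TCP src=198.51.100.7 dst=10.0.0.10 dport=22
2006-02-10T03:25:10 DROP proto=TCP src=198.51.100.7 dst=10.0.0.10 dport=23
2006-02-10T03:25:11 DROP proto=TCP src=198.51.100.7 dst=10.0.0.10 dport=25
2006-02-10T03:25:11 ACCEPT proto=TCP src=10.0.0.50 dst=10.0.0.10 dport=80
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(FIELD.findall(line))


def detect_scans(log_text, sweep_hosts=4, scan_ports=4):
    """Return {src: [alert, ...]} for sources whose traffic looks like a sweep or port scan."""
    echo_targets = defaultdict(set)   # src -> hosts it sent ICMP echo requests (type 8) to
    port_targets = defaultdict(set)   # (src, dst) -> TCP ports it probed on that host
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("proto") == "ICMP" and f.get("type") == "8":
            echo_targets[f["src"]].add(f["dst"])
        elif f.get("proto") == "TCP" and "dport" in f:
            port_targets[(f["src"], f["dst"])].add(f["dport"])
    alerts = defaultdict(list)
    for src, hosts in echo_targets.items():
        if len(hosts) >= sweep_hosts:
            alerts[src].append("ICMP echo sweep of %d hosts" % len(hosts))
    for (src, dst), ports in port_targets.items():
        if len(ports) >= scan_ports:
            alerts[src].append("TCP probe of %d ports on %s" % (len(ports), dst))
    return dict(alerts)
```

The thresholds are deliberately low for the sample; in production they are tuned per network and combined with a time window, since a slow scan of the kind the text attributes to Nmap spreads the same footprints over hours.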
Other scanners are vulnerability scanners, which compile vulnerability information of all kinds into a vulnerability database and probe for hosts that have not patched a given bug. There are also tools that detect one specific vulnerability (script kiddies use them, and so do network security personnel: a double-edged sword).
Here is a detailed description of how the target operating system type is detected:
Telnet banners and TCP/IP stack fingerprints:
1. Many online systems can be telnetted to directly, and most return a welcome banner. The returned packet contains the version number of the service software on that port, which is very unfavorable for the target: if the other side has Telnet open, you can directly obtain the system type and version number, which matters for exploiting system vulnerabilities (for overflows, the RET address and the JMP ESP address differ between system versions and language versions).
2. More and more administrators now understand turning off these banners, and some even provide forged welcome information, so TCP/IP stack fingerprinting is a good way to distinguish between systems.