Intrusion and penetration techniques in detail

Source: Internet
Author: User
Tags: sql injection, nslookup

Intrusion and penetration draw on a great deal of knowledge and technique; it is not something that can be done in one or two strokes.

One. Footprinting (casing)

Footprinting gathers the basic security-relevant information about the target host and network, mainly:

1. administrator contact information, telephone and fax numbers;

2. the IP address range;

3. the DNS servers;

4. the mail servers.

Related search methods:

1. Search the web site itself.

Pin down information about the target and prepare for a later dictionary attack or Trojan delivery; read the page source for comments and hidden fields, in particular hidden <input> elements inside FORM tags. For example:

<form action=/poll/poll.asp method=post>

<input Type=hidden Name=vice value=vice>

</FORM>

Hidden fields like this are submitted to the server and frequently end up in server-side database queries, so they are candidate injection points: note them now to prepare for an SQL injection attack on the database later in the intrusion.

Related tools: wget under Unix, Teleport under Windows.
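The following is an added example (not code from the original article) that automates the source-review step above: it walks a saved page with Python's standard html.parser and lists every hidden input together with the form action it belongs to, plus any HTML comments. The sample page is constructed for the demo around the poll form shown above; the /admin/login.asp form and the comment text are invented.

```python
from html.parser import HTMLParser

# Constructed sample page, modelled on the form shown above (not fetched from any real site).
SAMPLE_HTML = """
<html><body>
<!-- TODO: remove debug login before go-live -->
<form action=/poll/poll.asp method=post>
<input Type=hidden Name=vice value=vice>
<input type="text" name="vote">
<input type="hidden" name="pollid" value="17">
</FORM>
<form action="/admin/login.asp" method="post">
<input type="hidden" name="redirect" value="/admin/index.asp">
</form>
</body></html>
"""


class HiddenFieldParser(HTMLParser):
    """Collect HTML comments and hidden <input> fields, grouped by the enclosing form's action."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.hidden = []      # (form_action, name, value)
        self.comments = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lowercases tag and attribute names; values keep their case.
        a = {k: (v if v is not None else "") for k, v in attrs}
        if tag == "form":
            self.current_form = a.get("action", "")
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden.append((self.current_form, a.get("name", ""), a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None

    def handle_comment(self, data):
        self.comments.append(data.strip())


def find_hidden_fields(html):
    """Return (hidden_fields, comments) found in a page's source."""
    p = HiddenFieldParser()
    p.feed(html)
    p.close()
    return p.hidden, p.comments


if __name__ == "__main__":
    fields, comments = find_hidden_fields(SAMPLE_HTML)
    for action, name, value in fields:
        print(f"{action}: {name}={value!r}")
    for c in comments:
        print(f"comment: {c}")
```

Feed it the output of wget or Teleport one file at a time; fields whose values look like identifiers or paths (pollid, redirect) are the ones worth tampering with first.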

2. Link search

The server hosting the target site may host other sites with weaknesses that can be compromised, and following links can turn up implicit information about the target.

Search method:

Through a variety of search engines: Google, http://www.dogpile.com, http://www.hotbot.com



Two. Enumeration

A. Determine the target's domain name and related network information.

Search method:

WHOIS query. A WHOIS database lookup can return the following information:

1. Registrar: the relevant registration information and the responsible WHOIS server;

2. Organisation: all information about a particular organisation;

3. Domain name: all information about a particular domain name;

4. Network: all information about a particular network or a single IP address;

5. Point of contact: all information about a particular person.

Web front end: http://www.infobear.com/whois.shtml

Example: output of whois 163.com@whois.internic.net (with a current command-line client: whois -h whois.internic.net 163.com):

Registrant:

Netease.com, Inc.

36/f Peace World Plaza, no.362-366

Huan Shi Dong Road

Guangzhou, Guangdong 510060

CN



Domain name:163.com

Administrative contacts, Technical contact:

Netease.com, Inc. nsadmin@corp.netease.com

36/f Peace World Plaza, no.362-366

Huan Shi Dong Road

Guangzhou, Guangdong 510060

CN

+86-20-85525516 Fax: +86-20-85525535

Record expires on 24-jan-2009.

Record created on 15-sep-1997.

Database last updated on 10-feb-2006 03:24:01 EST.

Domain servers in listed order:

ns.nease.net 202.106.185.75

ns3.nease.net 220.181.28.3

B. The ARIN database can be used to look up the network address assignments corresponding to a domain name.

Related search address: http://ws.arin.net/cgi-bin/whois.pl

For addresses in the Asia-Pacific region, use http://whois.apnic.net/apnic-bin/whois2.pl to query an IP address and collect information about its network:

Example: 163.com -> 202.108.9.16

inetnum:      202.108.0.0 - 202.108.255.255
netname:      CNCGROUP-BJ
descr:        CNCGROUP Beijing Province Network
descr:        China Network Communications Group Corporation
descr:        No.156,Fu-Xing-Men-Nei Street,
descr:        Beijing 100031
country:      CN
admin-c:      CH455-AP
tech-c:       SY21-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CNCGROUP-BJ
mnt-routes:   MAINT-CNCGROUP-RR
changed:      hm-changed@apnic.net 20031017
status:       ALLOCATED PORTABLE
changed:      hm-changed@apnic.net 20060124
source:       APNIC

role:         CNCGROUP Hostmaster
e-mail:       abuse@cnc-noc.net
address:      No.156,Fu-Xing-Men-Nei Street,
address:      Beijing,100031,P.R.China
nic-hdl:      CH455-AP
phone:        +86-10-82993155
fax-no:       +86-10-82993102
country:      CN
admin-c:      CH444-AP
tech-c:       CH444-AP
changed:      abuse@cnc-noc.net 20041119
mnt-by:       MAINT-CNCGROUP
source:       APNIC

person:       Sun Ying
address:      Beijing Telecommunication Administration
address:      TaiPingHu DongLi, Xicheng District
address:      Beijing 100031
country:      CN
phone:        +86-10-66198941
fax-no:       +86-10-68511003
e-mail:       suny@publicf.bta.net.cn
nic-hdl:      SY21-AP
mnt-by:       MAINT-CHINANET-BJ
changed:
source:       APNIC

Once you know the target's network you can take an indirect route: look for weak points, get into the target network, and then attack the target from inside.

C. DNS information queries

The Domain Name System splits a namespace into zones, each holding the name information for one or more domains.

Zone replication and zone transfer: DNS servers use the zone transfer mechanism (AXFR) to synchronize and replicate zone data between a primary server and its secondaries.

The security problem with zone transfers is not the transfer itself but whether it is correctly restricted. A zone often holds the names and addresses of internal hosts and servers that should not be exposed, and a server that answers AXFR requests from anyone hands that whole list to an attacker.

Related tools:

1. Windows: nslookup, Sam Spade;

2. Unix: nslookup, dig, host, axfr.

Usage under Windows:

C:\>nslookup
Default Server: <target DNS server>
Address: <its IP address>
> set type=any                        // accept any DNS record type
> ls -d 163.com > zone.163.com.txt    // request the whole zone (an AXFR); the result is saved in zone.163.com.txt

ls -d only succeeds if the server allows zone transfers to your address; a correctly configured server refuses, and nslookup reports that it can't list the domain. The dig equivalent on Unix is dig @ns.nease.net 163.com axfr.
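Once a zone dump such as zone.163.com.txt is on disk, the question is what in it should never have been public. The script below is an added example, not part of the original article: it parses "name type rdata" lines of the kind nslookup's ls -d or dig axfr produce, flags A records that point into RFC 1918 private space, and flags hostnames whose first label suggests infrastructure (domain controllers, SQL, backup, VPN). The zone content and the list of suggestive prefixes are constructed for the demo; a real dump may also carry TTLs and class columns that you would strip first.

```python
import ipaddress
import re

# Constructed sample of what an "ls -d" / AXFR dump looks like (invented for this example; not a real zone).
SAMPLE_ZONE = """\
example.com.            NS   ns1.example.com.
example.com.            MX   10 mail.example.com.
www.example.com.        A    203.0.113.10
mail.example.com.       A    203.0.113.25
intranet.example.com.   A    10.1.2.3
dc01.example.com.       A    192.168.10.5
backup-sql.example.com. A    172.16.4.9
vpn.example.com.        A    203.0.113.200
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hostname prefixes that usually denote infrastructure an organisation would not want listed publicly
# (a hand-picked, illustrative list).
INTERNAL_HINTS = ("intranet", "dc", "sql", "backup", "dev", "test", "vpn", "admin")


def parse_zone(text):
    """Turn 'name type rdata' lines into (name, TYPE, rdata) tuples; blank or short lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        records.append((parts[0].rstrip("."), parts[1].upper(), " ".join(parts[2:])))
    return records


def is_rfc1918(addr):
    """True if addr is a valid IPv4 address inside one of the three RFC 1918 private blocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def find_exposures(text):
    """Return (private, suggestive): A records pointing at RFC 1918 space, and names whose
    first label matches an internal-role hint such as dc01 or backup-sql."""
    private, suggestive = [], []
    for name, rtype, rdata in parse_zone(text):
        if rtype == "A" and is_rfc1918(rdata):
            private.append((name, rdata))
        label = name.split(".")[0]
        if any(re.match(rf"{hint}\d*(-|$)", label) for hint in INTERNAL_HINTS):
            suggestive.append(name)
    return private, suggestive


if __name__ == "__main__":
    priv, sugg = find_exposures(SAMPLE_ZONE)
    for name, ip in priv:
        print(f"internal address leaked: {name} -> {ip}")
    for name in sugg:
        print(f"suggestive hostname: {name}")
```

The same script doubles as a defensive check: run it against your own zone before deciding whether the answer to "who may transfer this zone?" is really "anyone".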

D. The topology of the network and the addresses of network devices are obtained with traceroute.

Related tools:

Windows: tracert, which uses ICMP echo probes only.

Unix: traceroute, which sends UDP probes by default and ICMP probes with -I. Because most firewalls already filter ICMP, Unix traceroute is the better choice: the -p option sets the destination UDP port, useful when a firewall lets only certain ports through, and -n suppresses reverse DNS lookups so hops are printed as bare addresses.



Three. Network scanning

Different networks call for different scanning methods:

1. On an internal network many techniques are available. ICMP is present on every host, and broadcasting ICMP on the intranet even helps tell Windows from Unix systems (Windows hosts generally do not answer echo requests sent to the broadcast address, while many Unix hosts do). Send an ICMP echo request (type 8); an echo reply (type 0) indicates the host is alive.

Related tools:

Under Unix: fping and gping

Under Windows: Pinger (fast, multi-threaded).
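To make the type 8 / type 0 exchange concrete, here is an added example (not from the original article) that builds an ICMP echo request byte-for-byte with the RFC 1071 checksum, verifies a reply and decides whether a host is alive the way fping does. The reply in the demo is constructed locally; ping_once actually sends the probe over a raw socket, which needs root or CAP_NET_RAW, and assumes the received buffer starts with the IPv4 header (true on Linux and the BSDs).

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"ping") -> bytes:
    """ICMP echo request: type 8, code 0, checksum, identifier, sequence number, payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes):
    """Return (type, code, ident, seq, payload), or None if the packet is short or fails its checksum."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        return None
    typ, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return typ, code, ident, seq, packet[8:]


def is_alive(reply: bytes, ident: int, seq: int) -> bool:
    """A host counts as alive only on an echo reply (type 0) carrying our identifier and sequence."""
    parsed = parse_icmp(reply)
    return parsed is not None and parsed[0] == ICMP_ECHO_REPLY and parsed[2] == ident and parsed[3] == seq


def fake_reply(request: bytes) -> bytes:
    """Constructed reply, built as a kernel would: same body, type set to 0, checksum recomputed."""
    body = bytearray(request)
    body[0] = ICMP_ECHO_REPLY
    body[2:4] = b"\x00\x00"
    body[2:4] = struct.pack("!H", icmp_checksum(bytes(body)))
    return bytes(body)


def ping_once(host: str, timeout: float = 1.0, ident: int = 0x1234, seq: int = 1) -> bool:
    """Send one echo request on a raw socket (root/CAP_NET_RAW required) and wait for a matching reply.
    Strips the IPv4 header (IHL field) that raw ICMP sockets return in front of the ICMP message."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.getprotobyname("icmp")) as s:
        s.settimeout(timeout)
        s.sendto(build_echo_request(ident, seq), (host, 0))
        try:
            data, _ = s.recvfrom(1024)
        except socket.timeout:
            return False
    ihl = (data[0] & 0x0F) * 4
    return is_alive(data[ihl:], ident, seq)


if __name__ == "__main__":
    req = build_echo_request(0x1234, 1)
    print("request checksum verifies:", icmp_checksum(req) == 0)
    print("constructed reply marks host alive:", is_alive(fake_reply(req), 0x1234, 1))
```

Matching identifier and sequence is what keeps a sweep honest: on a busy network stray echo replies to somebody else's probes would otherwise be counted as live hosts.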

2. Against an external network there are again many techniques, and many principles are involved, such as TCP scans and UDP scans.

Frankly I am reluctant to use scanning tools: they make it easy for the other side to notice that an intrusion is under way, since firewalls and intrusion detection systems will record our footprints to some degree, and against a diligent administrator the intrusion is likely to end in failure.

Whether to use them is a matter of preference. When we test the security of a network or host we cannot ignore them; security testing is not an intrusion, and comprehensive testing against hackers and worms is necessary. The port scanner recommended here is Nmap, because its mechanisms for evading IDS, its half-open (SYN) scanning that never completes the TCP three-way handshake, and its slow-scan timing options are unmatched by other scanners.

UDP scans are unreliable for a few reasons. The scan relies on ICMP port unreachable messages: if, after sending a UDP packet to a port of interest, no ICMP port unreachable message comes back, the port is assumed to be open.

Reasons for unreliability:

1. routers may discard UDP packets;

2. many UDP services do not respond to arbitrary input;

3. firewalls are generally configured to discard UDP (except DNS);

4. a closed UDP port does not always produce an ICMP port unreachable message, because hosts rate-limit ICMP errors, so silence does not prove the port is open.
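The practical consequence is that a UDP scanner must report three things, not two: a UDP answer means open, an ICMP port unreachable means closed, and silence means "open or filtered". The following is an added example, not from the original article, that applies that rule to a constructed probe log and shows why probes have to be retried. The ICMP type 3 codes treated as "filtered" (1, 2, 9, 10, 13) are the ones that come from routers and firewalls rather than the end host; the probe log and port numbers are made up for the demo.

```python
# ICMP type 3 (destination unreachable) codes, RFC 792 / RFC 1122.
ICMP_UNREACH = 3
CODE_PORT_UNREACH = 3
# Codes meaning a router or firewall, not the end host, answered: treat the port as filtered.
FILTERED_CODES = {1, 2, 9, 10, 13}


def classify_udp(udp_reply=None, icmp=None):
    """Classify one UDP probe.
    udp_reply: bytes received from the port, or None; icmp: (type, code) received, or None.
    Returns 'open', 'closed', 'filtered' or the ambiguous 'open|filtered'."""
    if udp_reply is not None:
        return "open"                      # a UDP answer proves a service is listening
    if icmp is not None:
        typ, code = icmp
        if typ == ICMP_UNREACH and code == CODE_PORT_UNREACH:
            return "closed"                # only a port unreachable proves the port closed
        if typ == ICMP_UNREACH and code in FILTERED_CODES:
            return "filtered"              # an intermediate device blocked the probe
    return "open|filtered"                 # silence: open, dropped or rate-limited; unknown


def consolidate(observations):
    """Merge several probes of one port. Any definite answer beats silence, because a closed port
    often stays silent on some probes when the host rate-limits its ICMP errors."""
    states = [classify_udp(*obs) for obs in observations]
    for definite in ("open", "closed", "filtered"):
        if definite in states:
            return definite
    return "open|filtered"


# Constructed probe log: two probes per port, each recorded as (udp_reply, icmp).
SAMPLE_PROBES = {
    53:  [(b"\x12\x34\x81\x80", None), (None, None)],   # DNS answered the first probe
    123: [(None, None), (None, (3, 3))],                 # port unreachable only on the retry
    161: [(None, None), (None, None)],                   # SNMP silent: open with no reply, or dropped
    500: [(None, (3, 13)), (None, None)],                # communication administratively prohibited
}


def scan_report(probes):
    """Map each port to its consolidated state across all of its probes."""
    return {port: consolidate(obs) for port, obs in probes.items()}


if __name__ == "__main__":
    for port, state in scan_report(SAMPLE_PROBES).items():
        print(f"udp/{port}: {state}")
```

Port 123 is the instructive case: after a single probe it would have been reported as open|filtered, and only the retry turned it into a confirmed closed port.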

Other scanners are vulnerability scanners: they compile information on many vulnerabilities into a vulnerability database and probe hosts for known bugs that have not been patched. There are also tools that detect one specific vulnerability; script kiddies use them and so do network security staff, a double-edged sword.

Here in detail is how the type of the target operating system is detected, by telnet (banner) identification and by TCP/IP stack fingerprinting:

1. Many systems online allow a direct telnet connection to a service port, and most return a banner. The returned data contains the version of the service software listening on that port, which is exactly what you need to look up vulnerabilities for that version. If the host runs telnet itself, its banner often gives the system type and version directly, which matters for exploiting system vulnerabilities: for an overflow, the RET address or JMP ESP address differs between system versions and between language editions of the same system.

2. More and more administrators now know to turn banners off, or even to serve forged banners. TCP/IP stack fingerprinting is therefore a good way to distinguish systems: the initial TTL, the TCP window size, the DF bit and the order of TCP options differ from one implementation to another, and unlike a banner they cannot be edited without changing the stack itself.
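As an added example (not from the original article, and far simpler than nmap or p0f), the code below performs a minimal passive stack fingerprint: it parses the IPv4 and TCP headers of a SYN/ACK, recovers the initial TTL by rounding the observed TTL up to a common starting value, reads the DF bit, window size and TCP option order, and matches the tuple against a tiny signature table. The signature values and the two SYN/ACKs are constructed and approximate, chosen only to make the mechanism visible; do not treat them as authoritative for any real OS.

```python
import struct

OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}

# Illustrative signature table: approximate, hand-picked values for this demo only.
# Real fingerprinting databases hold thousands of entries and many more features.
SIGNATURES = [
    {"os": "Linux 2.6/3.x (illustrative)", "ttl": 64, "df": True, "window": 5840,
     "opts": ("MSS", "SACK", "TS", "NOP", "WS")},
    {"os": "Windows XP/2003 (illustrative)", "ttl": 128, "df": True, "window": 65535,
     "opts": ("MSS", "NOP", "NOP", "SACK")},
]


def parse_tcp_options(raw):
    """Return the TCP option kinds in wire order; stops at EOL or at a malformed length."""
    kinds, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            kinds.append("EOL")
            break
        if kind == 1:
            kinds.append("NOP")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            break
        kinds.append(OPTION_NAMES.get(kind, f"OPT{kind}"))
        i += raw[i + 1]
    return tuple(kinds)


def parse_ipv4_tcp(packet):
    """Extract (ttl, df, window, option kinds) from a raw IPv4+TCP packet; ValueError if it is neither."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    ttl, proto = packet[8], packet[9]
    if proto != 6 or len(packet) < ihl + 20:
        raise ValueError("not a TCP packet")
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    return ttl, df, window, parse_tcp_options(tcp[20:data_off])


def guess_initial_ttl(ttl):
    """The TTL we see is the initial value minus the hop count; round up to the nearest common initial."""
    return next((init for init in (32, 64, 128, 255) if ttl <= init), 255)


def fingerprint(packet):
    """Return (matching OS names, observed features) for a SYN/ACK received from the target."""
    ttl, df, window, opts = parse_ipv4_tcp(packet)
    features = (guess_initial_ttl(ttl), df, window, opts)
    matches = [s["os"] for s in SIGNATURES
               if (s["ttl"], s["df"], s["window"], s["opts"]) == features]
    return matches, features


def build_syn_ack(ttl, df, window, options):
    """Construct a SYN/ACK for the demo (checksums left zero; these bytes are parsed, never sent)."""
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([203, 0, 113, 10]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1000, 2001, (tcp_len // 4) << 4, 0x12,
                      window, 0, 0)
    return ip + tcp + options


# Constructed option blobs in the order the two illustrative stacks are assumed to emit them.
LINUX_OPTS = bytes([2, 4, 0x05, 0xB4, 4, 2, 8, 10] + [0] * 8 + [1, 3, 3, 7])
WINDOWS_OPTS = bytes([2, 4, 0x05, 0xB4, 1, 1, 4, 2])

if __name__ == "__main__":
    for pkt in (build_syn_ack(52, True, 5840, LINUX_OPTS),
                build_syn_ack(115, True, 65535, WINDOWS_OPTS)):
        print(fingerprint(pkt))
```

Note that the observed TTLs (52 and 115) are several hops below their initial values, which is exactly why the rounding step is needed before comparing against a table; a forged banner changes none of these fields.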
