Know yourself and know what to do before hacker intrusion

Source: Internet
Author: User

Generally speaking, unless they are a clumsy amateur, a real hacker will spend a lot of time and energy collecting information about the target host before launching an attack: which operating system the other party uses, whether the Administrator account is empty or has a weak password, whether the system has some serious vulnerabilities ...... With this information in hand, the attack is far more likely to succeed. The more mature the hacker, the more time is spent searching for information, collecting it, filtering it and analyzing it ...... This is the most boring but most important job. How do hackers collect such information?

I. Use a clever tool to easily detect the operating system version

X-Scan is a comprehensive scanner program and an indispensable part of the hacker's toolkit; with its help, "hackers" become much more capable. Unlike common attack tools, a scanner can only be used to detect problems, not to attack the target machine directly. By performing the following operations, you can complete operating system detection of a remote computer:

Step 1: First, download the Chinese version of X-Scan from the well-known security website "Security Focus" (http://www.xfocus.net/tools/200507/1057.html#download).

Step 2: After the download is complete and the archive is decompressed, run the graphical interface xscan_gui.exe.


Figure 1

Step 3: Click "Settings" > "Scan parameters". In the dialog box that appears, open the "Detection range" settings panel and enter the IP address of the target computer to be scanned in the "Specify IP range" field.


Figure 2

Step 4: Select the remote operating system option on the "Global settings" > "Scan module" settings page. Here you can see that remote operating system identification is performed by the "SNMP, NETBIOS protocol active identification of the remote operating system type and version" plug-in, as shown in Figure 3.


Figure 3

Step 5: Click "Confirm" to return to the xscan_gui.exe main window, then click "Start scan" and wait patiently for a moment to see the scan results.


Figure 4

Step 6: You can see the "Windows 6th" icon to the right of the scan target listed on the left. This tells us that the computer is running Windows 2003, from which we can infer that it is probably a server. The reason is simple: generally, only Windows XP or Vista is installed on a PC.

II. Use the Ping command to easily obtain network connection and system information

The Ping command is a practical tool for testing network connectivity and packet sending and receiving conditions. It is a detection tool built into the system. The following describes how to use the Ping command and how to determine system information from its output.

Instance 1: Check the local machine

To check whether the NIC driver and the TCP/IP protocol stack of the local machine are working normally, you only need to enter the "Ping 127.0.0.1" command in the "Command Prompt" window. Because the reserved IP address 127.0.0.1 points to the local machine, this command exercises the local NIC driver and protocol stack without involving the network.

Instance 2: Multi-parameter detection

Assume that the "Ping -a -t 202.102.48.141" command is used to test the computer with the IP address 202.102.48.141.


Figure 5

The "-a" parameter in the preceding command resolves the address to a name, showing that the NetBIOS name of the machine is dns.sq.js.cn, and the "-t" parameter keeps sending packets to the machine until interrupted.

Generally, the Ping command returns the following two results:

Result 1: Request timed out.

This indicates that no response packet was returned from the network device, that is, the network path is not working. The reasons for this result are varied. There are several possible causes:

The other party has a firewall and disables ICMP echo.

The other party has shut down.

The IP address of the local machine is incorrectly set or the gateway is incorrectly set.

The network cable is disconnected.

Result 2: Reply from 202.102.*.141: bytes=32 time<1ms TTL=128

This indicates that the network path is working, the packet size used for the test is 32 bytes, and the response time is less than 1 ms. The TTL value deserves a detailed explanation. TTL stands for "Time To Live", the lifetime of a packet in the network. A network administrator can use it to understand the network environment and assist with maintenance work. From the TTL value you can roughly determine the type of operating system used by the peer computer and the number of routers between the local machine and the target host. Examples:

When checking network connectivity, the Ping command sends ICMP packets to a target host (such as the local machine). When an ICMP packet is generated on the local machine, the system initializes a TTL value for it; Windows XP, for example, sets it to "128". The packet is then sent out, and each network routing device that forwards it subtracts "1" from the TTL value until the packet reaches the target host. If the TTL value reaches "0" during forwarding, the router discards the ICMP packet.

Tip: The TTL value is very useful in network applications. You can infer the number of routers between you and the target host from the TTL value in the returned information. Layer-3 routing occurs at the network layer of the OSI reference model.

For example, you can use the TTL value returned by the Ping command to determine the number of routers on the path to the target host whose IP address is 202.102.48.141. Enter the "Ping 202.102.48.141" command at the command prompt; the message "Reply from 202.102.48.141: bytes=32 time=15ms TTL=126" is displayed. The returned TTL value is 126, which is closest to the default TTL value 128 of a Windows NT/2000/XP host, so it can be inferred that the host is probably running Windows NT/2000/XP. Because "128 - 126 = 2", we also know that the packets pass through two routers on the way to the host.

Tip: Different operating systems have different default TTL values. By default, the TTL value of Linux is 64 or 255, the TTL value of Windows NT/2000/XP is 128, that of Windows 98 is 32, and the TTL value of a UNIX host is 255.
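III. Search engines can easily detect website vulnerabilities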
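The TTL inference described above (pick the default TTL nearest above the observed value, then subtract to get the hop count) is easy to automate for network diagnostics. The following script is an added example, not code from the original article; it parses Windows-style ping reply lines, skips timeouts, and applies the article's own default-TTL table. The sample output it consumes is constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Default initial TTL values as given in the article's tip. The 255 entry is
# shared by UNIX hosts and some Linux configurations, so the label is a guess.
DEFAULT_TTLS: Dict[int, str] = {
    32: "Windows 98",
    64: "Linux",
    128: "Windows NT/2000/XP",
    255: "UNIX or Linux",
}

# Matches lines such as: Reply from 202.102.48.141: bytes=32 time=15ms TTL=126
# and the sub-millisecond form: ... time<1ms TTL=128
REPLY_RE = re.compile(
    r"Reply from (?P<ip>[\d.]+): bytes=(?P<bytes>\d+) "
    r"time[<=](?P<time>\d+)ms TTL=(?P<ttl>\d+)"
)


def parse_reply(line: str) -> Optional[dict]:
    """Parse one ping reply line. Returns None for 'Request timed out.' and
    any other line that is not a reply."""
    m = REPLY_RE.search(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "bytes": int(m.group("bytes")),
        "time_ms": int(m.group("time")),
        "ttl": int(m.group("ttl")),
    }


def infer_from_ttl(ttl: int) -> dict:
    """Choose the smallest default TTL that is >= the observed TTL; the
    difference is the number of routers the reply crossed. This is a
    heuristic: an administrator can change the default TTL of a host."""
    if not 0 <= ttl <= 255:
        raise ValueError(f"TTL out of range: {ttl}")
    default = min(d for d in DEFAULT_TTLS if d >= ttl)
    return {
        "default_ttl": default,
        "os_guess": DEFAULT_TTLS[default],
        "hops": default - ttl,
    }


def analyse_ping_output(text: str) -> List[dict]:
    """Run parse_reply over every line of ping output and annotate each reply
    with the OS guess and hop count; timeouts are dropped."""
    results = []
    for line in text.splitlines():
        reply = parse_reply(line)
        if reply is None:
            continue
        reply.update(infer_from_ttl(reply["ttl"]))
        results.append(reply)
    return results


# Constructed sample output mixing the two result types from the article.
SAMPLE_OUTPUT = """\
Pinging 202.102.48.141 with 32 bytes of data:
Reply from 202.102.48.141: bytes=32 time=15ms TTL=126
Request timed out.
Reply from 202.102.48.141: bytes=32 time<1ms TTL=128
Reply from 192.0.2.10: bytes=32 time=40ms TTL=60
"""

if __name__ == "__main__":
    for r in analyse_ping_output(SAMPLE_OUTPUT):
        print(f"{r['ip']}: TTL={r['ttl']} -> {r['os_guess']} "
              f"(default {r['default_ttl']}), {r['hops']} router(s) away")
```

When the observed TTL sits just below a boundary (for example 65), the script attributes it to the 128 family with 63 hops rather than to a 64 host, which is why the article calls this a rough determination; corroborate the guess with other evidence before relying on it.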

Through a search engine, hackers can search for special "keywords" to find websites with vulnerabilities. For example, a dynamic ASP website usually contains a conn.asp file, which stores information such as the path and name of the database file. Obviously, this file is very important, so hackers like to use it as a search keyword, for example:

inurl:/admin + conn.asp

Here, admin is the background management directory, which usually holds all the management files. Of course, you can change it to another directory name, but the directory must actually exist on the website.


Figure 6

After you click the first search result, the page that opens reveals the management structure of the website.


Figure 7

You can even see the database file (with the .mdb suffix) that stores the website content, including the administrator username and password. After you click this file, it is immediately downloaded to the current computer.

After you open the database file with software such as Access 2007, you can obtain all kinds of important information about the website. At this point, the website's management credentials have already been compromised.
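From the defender's side, the pattern just described (a search-engine referral, a request for the include file that names the database, then a download of the .mdb file itself) is visible in ordinary web server logs. The following script is an added example, not part of the original article; it parses combined-format access log lines and flags requests for database files and for conn.asp, noting when the visit arrived via a search-engine query. The log lines are constructed for the example and the IP addresses are documentation ranges.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Reason labels used in findings.
REASON_DB_FILE = "database file served"
REASON_CONN_ASP = "sensitive include file requested"
REASON_SEARCH_REFERER = "arrived via search-engine query"

# File names and suffixes the article identifies as high-value to an attacker.
SENSITIVE_BASENAMES = {"conn.asp"}
DATABASE_SUFFIXES = (".mdb",)

# Apache/IIS-style combined log format (constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SEARCH_ENGINE_HOSTS = ("google.", "bing.", "baidu.")


def classify(entry: dict) -> List[str]:
    """Return the list of reasons a parsed log entry is suspicious (empty if none)."""
    reasons = []
    path = urlparse(entry["path"]).path.lower()
    basename = path.rsplit("/", 1)[-1]
    if path.endswith(DATABASE_SUFFIXES) and entry["status"] == "200":
        reasons.append(REASON_DB_FILE)
    if basename in SENSITIVE_BASENAMES:
        reasons.append(REASON_CONN_ASP)
    ref_host = urlparse(entry["referer"]).netloc.lower()
    if reasons and any(h in ref_host for h in SEARCH_ENGINE_HOSTS):
        reasons.append(REASON_SEARCH_REFERER)
    return reasons


def scan_log(text: str) -> List[dict]:
    """Parse every line and keep only entries with at least one reason."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        entry = m.groupdict()
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "path": entry["path"],
                             "status": entry["status"], "reasons": reasons})
    return findings


def per_source(findings: List[dict]) -> Dict[str, int]:
    """Count flagged requests per client IP so repeat probing stands out."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.asp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /admin/conn.asp HTTP/1.1" 200 312 "http://www.google.com/search?q=inurl%3A%2Fadmin+conn.asp" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /admin/data/site.mdb HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /news.asp?id=3 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:09 +0000] "GET /data/old.mdb HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['path']} [{f['status']}]: {', '.join(f['reasons'])}")
    print(per_source(found))
```

A 200 response for a .mdb file is the finding that matters most, since it means the database left the server; a 404 for the same suffix is only evidence of probing. The lasting fix is to keep database files outside the web root or deny them in the web server's request filtering, so that the search-engine listing leads nowhere.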

Tip: Hackers use many such keywords on www.google.com, for example upload.asp site:tw, inurl:winntsystem32inetsrv, and so on. All of these keywords can serve the same purpose.

IV. Google Hacker detection instances beyond imagination

As the powerful "intrusion" potential of search engines fascinated hackers, a variety of tools that use search engines for hacking tasks emerged. The following uses Google Hacker as an example. To do this, perform the following operations:

Step 1: First download the Google Hacker software.
