Network penetration ideas

Source: Internet
Author: User
Tags: rfc, net send, nslookup

The following notes give some good ideas for network penetration.

I. Footprinting

Footprinting means gathering basic security-related information about the target host and network, including:

1. Administrator contact information and telephone numbers;

2. IP address range;

3. DNS servers;

4. Email servers.

Related search methods:

1. Web page search

Gather target information in preparation for dictionary attacks and Trojan intrusion. Search the page source for comments and hidden fields, looking for hidden "form" fields. For example:

<form action="/poll.asp" method="post">

<input type="hidden" name="vice" value="vice">

Hidden parameters like these are candidates for SQL injection attacks, which prepare for database intrusion.

Related tools: wget on UNIX and Teleport on Windows.

2. Link search

The server hosting the target website may host other websites with weak points, which allow a roundabout intrusion and may reveal hidden information.

Search methods:

Through a variety of search engines: Google, http://www.dogpile.com and others.

II. Domain and Network Information

A. Determine the target domain name and related network information.

Search method: whois query. A WHOIS database query returns the following kinds of information:

1. Registrar: relevant registration information and the related whois servers;

2. Organization: all information related to a specific organization;

3. Domain name: all information related to a specific domain name;

4. Network: all information related to a specific network or a single IP address;

5. Point of contact: all information related to a specific person.

Search engine site:

Example output of a whois query:

Registrant: , Inc.
36/F Peace World Plaza, No.0000- 366
Huan Shi Dong Road
Guangzhou, Guangdong 510060

Domain Name:

Administrative Contact, Technical Contact: , Inc.
36/F Peace World Plaza, No.0000- 366
Huan Shi Dong Road
Guangzhou, Guangdong 510060
+86-20-85525516  Fax: +86-20-85525535

Record expires on 24-Jan-2009.
Record created on 15-Sep-1997.
Database last updated on 10-Feb-2006 03:24:01 EST.

Domain servers in listed order:
ns.nease.net
ns3.nease.net

B. The ARIN database (or the regional registry responsible for the address, such as APNIC for the Asia-Pacific region) can be used to query the network address allocation corresponding to a domain name.

Related search address:

Querying the IP address collects the related network information. Example (APNIC record):




descr:      CNCGROUP Beijing Province Network
descr:      China Network Communications Group Corporation
descr:      No.156, Fu-Xing-Men-Nei Street,
descr:      Beijing 100031
country:    CN
admin-c:    CH455-AP
tech-c:     SY21-AP
changed:    20031017
status:     ALLOCATED PORTABLE
changed:    20060124
source:     APNIC

role:       CNCGroup Hostmaster
address:    No.156, Fu-Xing-Men-Nei Street,
address:    Beijing, 100031, P.R. China
nic-hdl:    CH455-AP
phone:      +86-10-82993155
fax-no:     +86-10-82993102
country:    CN
admin-c:    CH444-AP
tech-c:     CH444-AP
changed:    20041119
source:     APNIC

person:     Sun Ying
address:    Beijing Telecommunication Administration
address:    Taipinghu Dongli 18, Xicheng District
address:    Beijing 100031
country:    CN
phone:      +86-10-66198941
fax-no:     +86-10-68511003
nic-hdl:    SY21-AP
changed:    19980824
source:     APNIC

Knowing the network on which the target sits, you can probe it loosely, find weak points, enter the target network, and then attack the target.
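Whois and registry (ARIN/APNIC) output, as shown above, is a sequence of blank-line separated objects made of "key: value" attributes, where handles such as admin-c and tech-c point at other objects. As an added example that is not part of the original article, the following Python parses such records and resolves the contact handles of a network object, which is what a responder does when looking up whom to notify for an address range. The record is constructed (documentation range 203.0.113.0/24, placeholder handles EX1-AP and EX2-AP) and the function names are my own.

```python
# Constructed sample in the style of the APNIC record above; all names, handles and numbers are placeholders.
SAMPLE_WHOIS = """\
inetnum:      203.0.113.0 - 203.0.113.255
netname:      EXAMPLE-NET
descr:        Example Telecom, Example Province Network
descr:        No.1 Example Street, Example City
country:      ZZ
admin-c:      EX1-AP
tech-c:       EX2-AP
status:       ALLOCATED PORTABLE
source:       APNIC

role:         Example Hostmaster
address:      No.1 Example Street
address:      Example City
nic-hdl:      EX1-AP
phone:        +00-00-00000000
e-mail:       hostmaster@example.net
source:       APNIC

person:       Example Admin
address:      Example Telecom Administration
nic-hdl:      EX2-AP
phone:        +00-00-11111111
source:       APNIC
"""


def parse_rpsl(text):
    """Split whois output into objects (separated by blank lines) of 'key: value' attributes.
    Every key maps to a list, because descr:, address: and similar attributes repeat."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith(("%", "#")):      # registry comment lines
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue                          # continuation or junk line; ignored in this example
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def network_contacts(objects):
    """For each inetnum object, resolve its admin-c/tech-c handles to the role/person object with that nic-hdl."""
    by_handle = {obj["nic-hdl"][0]: obj for obj in objects if "nic-hdl" in obj}
    contacts = {}
    for net in (obj for obj in objects if "inetnum" in obj):
        for attr in ("admin-c", "tech-c"):
            for handle in net.get(attr, []):
                obj = by_handle.get(handle)
                if obj is None:
                    contacts[handle] = None   # dangling handle: the registry record is incomplete
                    continue
                contacts[handle] = {
                    "name": (obj.get("role") or obj.get("person") or ["?"])[0],
                    "role": attr,
                    "phone": obj.get("phone", [None])[0],
                    "e-mail": obj.get("e-mail", [None])[0],
                }
    return contacts


if __name__ == "__main__":
    for handle, info in network_contacts(parse_rpsl(SAMPLE_WHOIS)).items():
        print(handle, info)
```

Real registry output also carries comment lines starting with "%" and continuation lines; the parser drops both, which is enough for extracting contacts but not for round-tripping a record.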

C. Query DNS information

The domain name system allows a DNS namespace to be divided into multiple zones, each of which separately stores one or more DNS domains.

Zone replication and zone transfer: DNS servers use the zone transfer mechanism to synchronize and copy zone data.

The security issue with zone transfers lies not in the domain name information being transmitted but in whether the server is configured correctly, because some zone data contains the names of internal hosts and servers that should not be disclosed.

Related tools:

1. On Windows: nslookup and SamSpade;

2. On UNIX: nslookup, dig, host, axfr.

Usage on Windows:

C:\> nslookup

Default Server: <the target DNS server>

Address: <its IP address>

> set type=any                      // accept any DNS record type

> ls -d <target domain> > <file>    // list the records of the target domain (a zone transfer) and save the results to a file

D. Obtain the topology of the network and the IP addresses of network devices with traceroute.

Related tools:

On Windows: tracert, which supports only ICMP.

On UNIX: traceroute, which supports ICMP and UDP probes. Because most firewalls filter ICMP, UNIX traceroute is the better choice, and its -p option lets you choose the UDP port yourself.

III. Network Scanning

Different networks call for different scanning methods:

1. On an internal network many methods are available. ICMP is generally enabled, and broadcast ICMP packets on the intranet can distinguish Windows from UNIX hosts (UNIX hosts answer a broadcast echo request, Windows hosts ignore it). Send an ICMP echo request (type 8); if an echo reply (type 0) comes back, the target host is up.

Related tools:

On UNIX: fping and gping.

On Windows: Pinger (fast and multithreaded).

2. For external networks there are also many methods, based on various principles such as TCP scanning and UDP scanning.

In fact, I am reluctant to use scanning tools, because it is easy for the other side to notice that an intrusion is taking place: firewalls and intrusion detection systems will record our footprints to some degree, and if we run into a diligent administrator the intrusion is likely to end in failure.

But it depends on your preferences. :) Sometimes, when we test the security of a network or host, we cannot ignore them. First of all, a security test is not an intrusion; a comprehensive test is meant to defend against hackers and worms. The port scanner recommended here is Nmap, because its IDS-evasion options, its handling of the TCP three-way handshake, its slow-scan mode and so on are unmatched by other scanners. UDP scanning is unreliable, for the following reasons:

A UDP scan relies on ICMP port unreachable messages: after a UDP packet is sent to a port of interest on the target, if no ICMP port unreachable message comes back, the port is assumed to be open.

This is unreliable because:

1. A router may discard the UDP packet;

2. Many UDP services do not respond either;

3. Firewalls are commonly configured to discard UDP packets (except DNS);

4. A dormant UDP port may not send an ICMP port unreachable message at all.

Other scanners are vulnerability scanners. They combine assorted vulnerability information into a vulnerability database and probe for hosts that have not been patched; there are also detection tools for specific vulnerabilities (script kiddies can use them, and so can network security personnel: a double-edged sword :-).

The following describes how to determine the target operating system type.

Telnet banners and TCP/IP stack fingerprints:

1. Many systems on the Internet accept a direct telnet connection, and most return a welcome banner. The banner contains the version number of the service software on that port, which is very valuable for finding vulnerabilities in that version. If telnet is enabled on the peer, you can directly obtain its system type and version number, which matters greatly when exploiting system vulnerabilities (for overflows, the return address, the jmp esp address and so on differ between versions and language editions).

2. More and more administrators now know to disable banners, or even provide forged welcome messages. In that case TCP/IP stack fingerprinting is a good way to tell systems apart.

1. FIN scan

Send a FIN packet to an open port. RFC 793 requires that no response be returned, but the exceptions are MS Windows, BSDI, Cisco, HP/UX, MVS and IRIX, which all return a RST packet.

2. TCP initial sequence number (ISN) sampling

This method identifies systems by the ISN pattern they use when establishing TCP connections, which falls into several classes: the traditional 64K increment (old UNIX), random increments (newer Solaris, IRIX, FreeBSD, Digital UNIX, Cray and others), and truly random (Linux, OpenVMS, newer AIX and others). Windows uses a so-called "time-dependent" model in which the ISN increases by a small fixed amount per short time interval. Some devices use a constant ISN, such as 3Com hubs (0x803) and Apple LaserWriter printers (0xC7001).

3. Don't-fragment bit

Many systems now set the IP "don't fragment" bit in the packets they send, mainly for performance, but not all operating systems do, and even those that do may implement it differently. Therefore the DF bit can help us collect more information about the target OS.

4. TCP initial window

This test simply examines the window size of returned packets. Queso and Nmap track the actual window size. It is a constant in many operating systems; for example, AIX is the only operating system that uses 0x3F25, and the completely rewritten TCP stack of NT 5 uses 0x402E.

5. ACK value

If you send FIN|PSH|URG, most operating systems set the ACK equal to the initial sequence number, whereas Windows and some printers send seq+1. If you send SYN|FIN|PSH|URG to an open port, different Windows versions behave inconsistently: sometimes they return seq, sometimes seq+1, and sometimes a completely random value.

6. ICMP error message rate limiting

Some operating systems limit the rate of various error messages according to RFC 1812. For example, the Linux kernel (defined in net/ipv4/icmp.h) limits generation of destination unreachable messages to 80 per four seconds, with a 1/4 second penalty if the limit is exceeded. The test is to send a burst of packets to some randomly chosen high ports and then count how many unreachable messages come back.

7. ICMP error message quoting

The RFC requires an ICMP error message to quote a small part of the packet that caused it. For port unreachable messages almost all implementations send back only the required IP header + 8 bytes; Solaris sends back a little more, and Linux sends back the most. This is how Linux and Solaris hosts can be told apart.

8. ICMP error message echo integrity

In a port unreachable message the host sends back a small part of the original packet, and some machines alter the protocol headers in what they send back. For example, the IP total length sent back by AIX and BSDI is off by 20 bytes, whereas BSDI, FreeBSD, OpenBSD, ULTRIX and VAXen send it back as is. Some systems (AIX and FreeBSD) return an inconsistent or zero checksum; the same applies to the UDP checksum. Nmap performs nine different tests on ICMP error packets to identify subtle differences between systems.

9. TCP options

TCP options are an optional part of the TCP/IP protocol whose support varies between implementations, which makes them a good way to mine information. The reasons are:

1. They are optional, and not every host implements them;

2. If you set an option in the packet you send and the target host supports it, the target returns the option in its reply;

3. You can set all the options in one test packet.

For example, Nmap sets all of the following in each test packet:

window scale = 10; NOP; maximum segment size = 265; timestamp; end of options

Looking at which options come back in the reply tells you which ones the system supports.

Another, passive, method of operating system identification is to monitor the packets exchanged between systems and determine the target from them. Siphon is used for this test. It works as follows:

Examine four main header fields:

1. TTL: the time-to-live of outbound packets;

2. Window size: the TCP window size;

3. DF: whether the don't-fragment bit is set;

4. TOS: whether the type-of-service field is set.

From this information the target system can be determined, but not with 100% certainty.
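The passive method above is a lookup against a table of known (TTL, window, DF, TOS) combinations, and the "not 100%" caveat comes from partial matches. As an added example that is not part of the original article or of Siphon, the following Python normalizes the observed TTL back to its likely initial value, scores each observation against a signature table, and refuses to name an OS when too few fields agree. The two window values 0x3F25 (AIX) and 0x402E (NT 5) are the ones the article cites; the other signature rows, the observations and the function names are constructed placeholders, not measured fingerprints.

```python
# Signature table keyed by (initial TTL, TCP window, DF bit, TOS): the four fields the article names.
# AIX 0x3F25 and NT 5 / Windows 2000 0x402E are the window values the article cites;
# the remaining rows are illustrative placeholders, not measured signatures.
SIGNATURES = {
    (255, 0x3F25, True, 0): "AIX",
    (128, 0x402E, True, 0): "Windows 2000 (NT 5)",
    (64, 5840, True, 0): "Linux (illustrative)",
    (64, 65535, True, 0): "FreeBSD (illustrative)",
}


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the common initial values (64, 128, 255), since every hop decrements it."""
    for start in (64, 128, 255):
        if observed_ttl <= start:
            return start
    return observed_ttl


def guess_os(ttl, window, df, tos, min_matches=3):
    """Score every signature against the observed fields and return (label, matches, fields_compared).
    Fewer than min_matches agreeing fields yields 'unknown': passive fingerprinting is a guess, not proof."""
    observed = (initial_ttl(ttl), window, bool(df), tos)
    best_label, best_score = "unknown", 0
    for signature, label in SIGNATURES.items():
        score = sum(1 for got, want in zip(observed, signature) if got == want)
        if score > best_score:
            best_label, best_score = label, score
    if best_score < min_matches:
        return "unknown", best_score, len(observed)
    return best_label, best_score, len(observed)


# Constructed observations, as a passive sniffer would extract them from SYN packets it sees.
OBSERVED = [
    {"src": "192.0.2.10", "ttl": 58, "window": 5840, "df": True, "tos": 0},
    {"src": "192.0.2.11", "ttl": 119, "window": 0x402E, "df": True, "tos": 0},
    {"src": "192.0.2.12", "ttl": 58, "window": 4096, "df": False, "tos": 8},
]


def classify_all(observations=OBSERVED):
    """Map each source address to its (label, matches, fields_compared) guess."""
    return {o["src"]: guess_os(o["ttl"], o["window"], o["df"], o["tos"]) for o in observations}


if __name__ == "__main__":
    for src, guess in classify_all().items():
        print(src, guess)
```

The third observation shows why the method is not definitive: it shares only the TTL class with the Linux and FreeBSD rows, so the scorer reports "unknown" rather than picking one of them. A defender running the same logic over their own traffic can use it to spot hosts whose stack does not match the asset inventory.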

IV. Enumeration

Scanning can be taken further to obtain more specific and useful information, such as account information.

1. Windows enumeration

This uses NetBIOS, so first an introduction: NetBIOS sits on top of TCP/IP and defines several TCP and UDP ports.

---- TCP

(1) 139: nbsession, the NetBIOS session service.

For example: net use \\ip\IPC$ "" /user:""

(2) 42: WINS, the Windows Internet Name Service (the UDP port is also 42).

---- UDP

(1) 137: nbname, name queries.

For example, the <03> entries displayed by nbtstat -A ip are either the computer name or a user name.

(2) 138: nbdatagram, the UDP datagram service.

For example: net send /D:domain-name "hello"

User names are obtained through an IPC$ null session and the SID tools. The SID tools are two small programs, user2sid and sid2user: user2sid takes a user or group name and returns its SID, and sid2user takes a SID and returns the user or group name. A SID is created when the user is created and is the equivalent of a UID; Windows checks permissions by SID. A SID is a long string of numbers made of two parts: the first part uniquely identifies a domain, and the last part uniquely identifies a user. That last number is called the RID (relative identifier), and RIDs follow a fixed rule: the built-in Administrator always has RID 500 and the Guest user always has RID 501, while new accounts receive RIDs starting at 1000.

Specific steps:

C:\> net use \\ip\IPC$ "" /user:""

C:\> user2sid \\ip guest          // obtain the first part of the SID

S is the SID prefix; 1 is the revision number; 5 identifies the authority that issued the SID, the NT/2000 authority; 21-1273561945-1580818891-1957994488 uniquely identifies a domain or workgroup, and different users differ only in the final relative identifier. Now query the user name with sid2user:

C:\> sid2user \\ip 5 21 1123561945 1580818891 1957994488 500

Name is Cookie

Domain is Condor

C:\> sid2user \\ip 5 21 1123561945 1580818891 1957994488 1001
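The SID structure described above is also what a defender uses in reverse: because the built-in Administrator keeps RID 500 no matter what it is renamed to, scanning account listings or logs for that RID finds the real administrator account. As an added example that is not part of the original article or of the user2sid/sid2user tools, the following Python splits a SID string into its components and flags well-known RIDs. The account list is constructed (the name "Cookie" for RID 500 follows the sid2user output above), and the function names are my own; RIDs 512 and 513 are the standard Domain Admins and Domain Users group RIDs, which the article does not mention.

```python
WELL_KNOWN_RIDS = {
    500: "Administrator",   # built-in administrator, even if the account has been renamed
    501: "Guest",           # built-in guest
    512: "Domain Admins",   # well-known group RIDs, not mentioned in the article
    513: "Domain Users",
}


def parse_sid(sid):
    """Split 'S-1-5-21-...-RID' into its components; raises ValueError on malformed input."""
    parts = sid.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError("not a SID: " + sid)
    numbers = [int(p) for p in parts[1:]]       # ValueError if any component is not numeric
    return {
        "revision": numbers[0],                 # the leading 1
        "authority": numbers[1],                # 5 = the NT authority
        "domain": "-".join(parts[:-1]),         # everything but the RID identifies the domain or workgroup
        "rid": numbers[-1],
    }


def describe_rid(rid):
    """Classify a RID the way the article describes: 500/501 fixed, <1000 reserved, >=1000 user-created."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid] + " (built-in)"
    if rid < 1000:
        return "reserved built-in principal"
    return "user-created account or group"


def find_builtin_accounts(accounts):
    """Given (name, sid) pairs, return the names that hold the built-in Administrator or Guest RIDs."""
    hits = []
    for name, sid in accounts:
        rid = parse_sid(sid)["rid"]
        if rid in (500, 501):
            hits.append((name, WELL_KNOWN_RIDS[rid]))
    return hits


# Constructed account listing; 'Cookie' mirrors the article's sid2user result for RID 500.
SAMPLE_ACCOUNTS = [
    ("Cookie", "S-1-5-21-1273561945-1580818891-1957994488-500"),
    ("Guest",  "S-1-5-21-1273561945-1580818891-1957994488-501"),
    ("alice",  "S-1-5-21-1273561945-1580818891-1957994488-1001"),
]


if __name__ == "__main__":
    for name, sid in SAMPLE_ACCOUNTS:
        print(name, parse_sid(sid)["rid"], describe_rid(parse_sid(sid)["rid"]))
    print(find_builtin_accounts(SAMPLE_ACCOUNTS))
```

Comparing the "domain" component across SIDs tells you whether two accounts belong to the same domain or workgroup, which is the property the sid2user calls above rely on when only the RID is varied.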

SNMP enumeration: using the default read community string "public", you can obtain information about the system, specifically the interface table, route table and ARP table, TCP table and UDP table, device table and storage table, process table and software table, user table and share table.

SNMP tool: snmputil.exe

For example:

1. Get the number of network interfaces:

C:\> snmputil get localhost public <OID of the interface count>

2. Display the contents of all SNMP variables:

C:\> snmputil walk localhost public .1.3

2. UNIX enumeration

1. $ showmount -e <host>          // requires NFS (port 2049) to be open

2. $ finger @<host>               // likewise rusers

3. $ telnet <host> 25

VRFY root                         // check whether root exists



V. Specific Vulnerability Analysis

After the above analysis of a specific target, we summarize the best intrusion approach, select the intrusion tools, and complete the preparations. Sometimes the timing of the intrusion is also important, because it affects the normal communication of the company's network, and a real malicious event may even occur during your intrusion test. The most directly useful vulnerability, I think, is an overflow, because it directly yields the other side's system privileges and returns a shell just like a local one, at which point you can do anything:

Overflow attacks are classified as follows:

1. Windows and UNIX

In general, a user-supplied parameter exceeds the size of the local variable that stores it in memory, and the program or system does not check the input properly, so the return address of the called function is overwritten. If we overwrite it with an address that redirects to the shellcode we submitted, the shellcode runs and we obtain the target system's privileges.

In addition, format string vulnerabilities occur because user data is passed to a formatting function without filtering, so format directives submitted by the user are interpreted. For example, %n writes the number of characters output so far to a memory location; by constructing input around this vulnerability, the user can write the shellcode address to any location in memory.

2. Common vulnerability types

UNIX has many local vulnerabilities that are easy to exploit. The main types are:

1. Environment spoofing

This generally refers to spoofing the PATH environment variable: if a privileged program executes an external command, we can simply write our own program with that command's name and then modify PATH so that the privileged program finds and executes our program first; our program is a shell. For example:

bash$ cat > ps <<EOF
> #!/bin/sh
> /bin/sh
> EOF

The privileged program is:

bash$ cat > test.c <<EOF
> #include <stdlib.h>
> #include <unistd.h>
>
> int main(void)
> {
>     setuid(0);
>     system("ps -ef");  /* calls an external command without an absolute path: the precondition for PATH spoofing */
>     return 0;
> }
> EOF

The compiled test binary has the "s" (setuid) bit set and is owned by root, because the program "test" has to run privileged commands as root. As a result, the ps we forged is called and yields a shell with root privileges.
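The weakness in test.c is the lookup step: system() hands "ps -ef" to a shell, which searches the caller's PATH. As an added example that is not part of the original article, the following Python reproduces that lookup with shutil.which to show how a writable directory placed first in PATH wins, and pairs it with the hardened pattern a privileged program should use instead: an absolute path, no shell, and an environment built from scratch. The planted "ps" only prints a marker, the directory is a temporary one created by the script, and TRUSTED_PATH and the function names are assumptions of mine.

```python
import os
import shutil
import subprocess
import tempfile

TRUSTED_PATH = "/usr/bin:/bin"   # fixed search path; a privileged program must never inherit PATH from its caller


def resolve_command(command, search_path):
    """Return the file that `command` resolves to under `search_path`, as the shell behind system() would, or None."""
    return shutil.which(command, path=search_path)


def run_privileged_command(argv, trusted_path=TRUSTED_PATH):
    """Hardened replacement for system("ps -ef"): absolute path only, no shell, environment built from scratch."""
    if not os.path.isabs(argv[0]):
        raise ValueError("privileged programs must invoke external commands by absolute path")
    env = {"PATH": trusted_path, "IFS": " \t\n"}   # nothing from the caller's environment survives
    return subprocess.run(argv, env=env, capture_output=True, text=True, check=False)


def demo():
    """Show the resolution step that PATH spoofing abuses, without executing anything privileged."""
    with tempfile.TemporaryDirectory() as workdir:
        planted = os.path.join(workdir, "ps")            # stands in for the attacker's fake 'ps'
        with open(planted, "w") as f:
            f.write("#!/bin/sh\necho planted-ps-ran\n")   # constructed stand-in: it only prints a marker
        os.chmod(planted, 0o755)
        spoofed_path = workdir + os.pathsep + TRUSTED_PATH   # writable directory searched first
        hijacked = resolve_command("ps", spoofed_path)
        trusted = resolve_command("ps", TRUSTED_PATH)
        try:
            run_privileged_command(["ps", "-ef"])         # relative name: refused before anything runs
            rejects_relative = False
        except ValueError:
            rejects_relative = True
        return {
            "hijacked_to_planted": hijacked == planted,
            "trusted_lookup_inside_workdir": trusted is not None and trusted.startswith(workdir),
            "rejects_relative": rejects_relative,
        }


if __name__ == "__main__":
    print(demo())
```

The same rule applies to the C program on the page: replace system("ps -ef") with an execv of "/bin/ps" under a cleared environment (or drop the external command entirely), and the forged ps is never consulted.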

2. Race conditions

This generally refers to a timing race, for example:

fp = fopen("test.log", "w+");

chown("test.log", getuid(), getgid());

The principle is simple. Suppose the program runs with EUID = root and UID = the current user. When test.log is opened, the file's owner is changed to the current user. If, between the open and the chown, the attacker deletes test.log and creates a symbolic link named test.log pointing to /etc/passwd, the owner of /etc/passwd is changed to the current user, who can then change their own UID in the passwd file to 0 and obtain system privileges.
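The two calls above resolve the file name twice, and the symlink swap lands in between. As an added example that is not part of the original article, the following Python contrasts that name-based sequence with the descriptor-based one that closes the window: create the file with O_CREAT|O_EXCL|O_NOFOLLOW so an existing file or link is refused, then use fchown on the open descriptor so no second lookup happens. To show the effect without privileges, the symlink is planted up front and points at a constructed stand-in file rather than /etc/passwd; chown to one's own uid succeeds for an unprivileged user, and the logic is the same for root. Function names are my own.

```python
import os
import tempfile


def create_log_vulnerable(path, uid, gid):
    """The article's sequence: open by name, then chown by name. Each call resolves the name again and follows symlinks."""
    with open(path, "w+"):
        pass
    os.chown(path, uid, gid)        # follows a symlink planted between the two calls
    return os.stat(path).st_ino     # inode that actually received the chown


def create_log_safe(path, uid, gid):
    """Create the file atomically, refusing to follow symlinks or reuse an existing file, then act on the descriptor."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    try:
        os.fchown(fd, uid, gid)     # operates on the open descriptor: no second name lookup
        return os.fstat(fd).st_ino
    finally:
        os.close(fd)


def demo():
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(workdir, "passwd-stand-in")   # constructed stand-in for /etc/passwd
        with open(victim, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        log = os.path.join(workdir, "test.log")
        os.symlink(victim, log)      # the link the attacker plants inside the race window, planted up front here
        vulnerable_inode = create_log_vulnerable(log, uid, gid)
        followed_symlink = vulnerable_inode == os.stat(victim).st_ino
        try:
            create_log_safe(log, uid, gid)
            safe_refused = False
        except OSError:              # EEXIST (or ELOOP): the safe variant will not touch the link's target
            safe_refused = True
        return {"vulnerable_followed_symlink": followed_symlink, "safe_refused_symlink": safe_refused}


if __name__ == "__main__":
    print(demo())
```

Note that the vulnerable variant also truncated the stand-in file when it opened it, which is a second consequence of the same name-based open. The C equivalent is open(2) with the same flags followed by fchown(2).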

3. Overflow and format string vulnerabilities

The data sources that trigger these vulnerabilities are:

1. Command line parameters

2. Environment variables

3. Files read in a specific format

4. Interactive user input

Buffer overflow vulnerabilities are caused by the following functions:

1. strcpy

2. strcat

3. sprintf

4. vsprintf

Format string vulnerabilities are related to the following functions:

1. printf/vprintf

2. fprintf/vfprintf

3. sprintf/vsprintf

4. snprintf/vsnprintf

Use objdump and elfdump to check whether the target binary calls any unsafe functions. You can do black-box testing first and then disassemble to analyze the program's context and execution flow. With strings you can statically search for the environment variables the target reads.
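The two function lists above are exactly what a source audit greps for, with one refinement: the printf family is only dangerous when the format argument is not a string literal. As an added example that is not part of the original article, the following Python scans C source for the article's overflow-prone functions and for printf-family calls whose format argument is a variable, which is the static counterpart of the objdump check described above. The C sample is constructed for the demonstration and the function names are my own.

```python
import re

# Functions the article lists as overflow-prone (no bounds checking).
OVERFLOW_PRONE = {"strcpy", "strcat", "sprintf", "vsprintf"}
# printf-family functions and the 0-based index of their format argument.
FORMAT_ARG_INDEX = {
    "printf": 0, "vprintf": 0,
    "fprintf": 1, "vfprintf": 1,
    "sprintf": 1, "vsprintf": 1,
    "snprintf": 2, "vsnprintf": 2,
}
CALL_RE = re.compile(r"\b(" + "|".join(sorted(OVERFLOW_PRONE | set(FORMAT_ARG_INDEX))) + r")\s*\(")


def split_args(text):
    """Split a C argument list at top-level commas, honouring parentheses and string literals; stops at the closing ')'."""
    args, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(text):
                cur.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == "(":
            depth += 1
            cur.append(ch)
        elif ch == ")":
            if depth == 0:
                break
            depth -= 1
            cur.append(ch)
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur or args:
        args.append("".join(cur).strip())
    return args


def audit_source(source):
    """Return (line_no, function, reason) for every risky call found in C source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("//")[0]            # ignore trailing line comments
        for m in CALL_RE.finditer(code):
            fn = m.group(1)
            args = split_args(code[m.end():])
            if fn in OVERFLOW_PRONE:
                findings.append((lineno, fn, "unbounded copy/format into a buffer"))
            idx = FORMAT_ARG_INDEX.get(fn)
            if idx is not None and idx < len(args) and not args[idx].startswith('"'):
                findings.append((lineno, fn, "format string is not a literal: " + args[idx]))
    return findings


# Constructed C sample containing both safe and unsafe uses.
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>
void greet(const char *name, const char *fmt) {
    char buf[64];
    strcpy(buf, name);                      /* no length check */
    printf(name);                           /* user data used as the format */
    printf("%s\n", buf);                    /* safe: literal format */
    snprintf(buf, sizeof buf, "%s", name);  /* bounded, literal format */
    sprintf(buf, fmt, 1);                   /* unbounded and non-literal format */
    fprintf(stderr, "%s", name);            /* safe */
}
'''


if __name__ == "__main__":
    for finding in audit_source(SAMPLE_C):
        print(finding)
```

The sprintf line is reported twice, once for each property the article lists: it writes without a bound and it takes its format from a variable. Line 7, 8 and 10 are the patterns to rewrite toward.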

VI. Attacking WWW

Currently most intrusion incidents come from attacks on WWW. The reason is mistakes programmers make when writing web scripts, and the consequences of uploading a shell, elevating privileges and penetrating further are serious. Penetration testing mainly involves the following:

1. Search for SQL injection points;

2. Search for specific directories and files, such as upload programs, which are very valuable;

3. Search for the administrator login page and try a dictionary or SQL statements against it;

4. Search for the source code of the web program to mine for vulnerabilities. The main vulnerability types are SQL injection and file vulnerabilities, including directory traversal, error logs saved as script files, and upload vulnerabilities;

5. During code review, do not forget to look for the programmer's logic errors, such as incorrectly written functions;

6. In the end, the root cause of every vulnerability is that user input is not strictly filtered.
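Point 6 is the one worth carrying into the code review: where user input is spliced into a query, the input can change the query's meaning, and the fix is to pass it as a parameter rather than filter it by hand. As an added example that is not part of the original article, the following Python builds an in-memory SQLite table and runs the same lookup both ways, so the reviewer can see the vulnerable query return every row for one probe string while the parameterized query treats that string as a plain value. The table contents, the probe string and the function names are constructed.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for a web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    """User input is spliced into the SQL text, so SQL syntax inside the input changes the query's meaning."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the value travels separately from the SQL text and can only be compared as data."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def demo():
    conn = build_db()
    probe = "x' OR '1'='1"   # constructed probe string of the kind an injection scanner sends
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, probe)),   # the WHERE clause became always-true
        "safe_rows": len(find_user_safe(conn, probe)),               # no user is literally named that
        "normal_lookup": find_user_safe(conn, "bob"),
    }


if __name__ == "__main__":
    print(demo())
```

The same probe string in a web server log is also a useful detection signal: a quote followed by OR in a parameter that should hold a name is exactly what point 1 above goes looking for.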

