Weak Points of "Trust Crisis" Network Security

Source: Internet
Author: User
Tags domain name registration website domain names

Author: Lu Yu Source: IT168

Social Engineering is a harmful means to the psychological traps of the victims, such as deception and injury, through psychological weakness, instinct reaction, curiosity, trust, and greed, in recent years, the method of acquiring its own interests has become a trend of rapid increase or misuse. So what is social engineering? It is not the same as a general deception. Social engineering is especially complicated. Even if you think you are the most vigilant and careful person, it will be compromised by brilliant social engineering techniques.

When we perform security detection on a website that does not have any security vulnerabilities on pure static pages, servers, or website programs, the solution is to intrude into the C-segment server and continue penetration, however, this method is helpless for servers in some independent data centers, so we have introduced social engineering for Security Testing!

Attackers can obtain website-related management information, such as the server password, SQL Database Password, FTP password, website management backend address, and website management password. If you cannot directly obtain the permission information for the Web server and SQL Server, we need to lock the target to the computer permissions of the company's employees and management. Obtain Company staff information and contact information through social engineering (name, phone number, birthday, QQ, email, phone number, etc ). When we get this important information, we are very close to the server permissions!

To help you better understand the security detection process I mentioned, I drew a simple structure:

498) this. style. width = 498; ">
Figure 1

Let's take a look at which human factors may cause security problems:

1. Professional Quality of server management personnel

2. Quality of members in the OA system

3. confidentiality measures of enterprises for confidential data

4. Management and Protection of personnel data transmission media

5. Personnel contact and Operation Review

Next, let's explain in detail how to obtain more information and permissions from those who may cause security problems.

Here I will explain from ease to difficulty one by one. Before carrying out the following specific social engineering penetration, we need to collect certain information, for example:

Website operation company name, address, all contact information, Server IP address segment, server room, IDC room staff information, company staff information (including the company's senior management and Server Management Personnel), domain name, domain name purchase location, domain name Owner information, domain name registration email address

The company and website domain names are well obtained and will not be described in detail here. Here we will focus on how to obtain contact information:

First, the IDC data center personnel information of the server where the website is located:

Through the IP address segment of the preceding collection server, we can directly access the IP address to learn about the server provider. For example, when you access the IP address of the server in the Beijing hichina server room, you will see the advertisement page of The hichina server. Then we can determine the information of the data center. Next we will go to the website of the server provider to find the staff information. The most accessible personnel information is, of course, the website customer service staff. Personnel are classified into pre-sales and after-sales personnel. Generally, pre-sales personnel are pre-sales engineers who have graduated from some specialists. Their computer expertise and security awareness are very weak, however, to obtain server permissions as quickly as possible, it is still necessary to address after-sales customer service. After-sales customer service is divided into GG and MM. GG is of course the server maintenance staff and has direct operation permissions on the server. MM is responsible for answering customer questions and submitting questions to GG. Therefore, to obtain server permissions, we may need to go to social engineering to obtain GG and MM computer permissions. GG with relatively professional knowledge and security awareness, those with weak security awareness, are better at dealing with a lot. As you can imagine, it won't be easy to send any file to the server administrator. Even if it is a Word 0 day. It may also be ruined by the Administrator's computer, which is required to update anti-virus software, and will immediately alert the other party, so the plan will immediately fail. I believe that all the staff in the data center who sent the virus files within one hour will know that it is impossible to make a social engineering scam to anyone in at least one week.

498) this. style. width = 498; ">
Figure 1

Therefore, our first goal should be to contact the after-sales MM. For example, when we contact customer service, we tell the other party that our website is inaccessible, then the other party will open your website to verify whether the website is actually inaccessible. If you can construct a website error-free web horse page (If your web horse is better than 0-day or a popular third-party software vulnerability ), when the customer service MM finds that the website address you submitted is indeed wrong and she cannot handle it for you in time, she will send the address you showed her to the GG responsible for server maintenance, if you are lucky, you may get the computer permission of customer service MM or the computer permission of server administrator GG (if the administrator directly accesses your page on the server, in addition, if your network horse is a system-level vulnerability, you may be able to directly obtain server permissions ).

If you are not so lucky or do not have a good no-kill network horse, you dare not try it like this, then you can choose to conduct another kind of social engineering intrusion on customer service personnel-trick the other party into accepting and running your files (such as Word, Excel, PDF, RAR, and even EXE files ), so how can we trick the recipient into accepting and running your files? The following is a brief introduction:

There are simple ways and difficulties for customer service personnel to run your files, the simple method is to send a Word document and falsely claim that this document is a domain name change form. (Of course, you must first contact the other party and ask the other party to send you a form, I want to transfer the domain name I bought elsewhere to them for renewal. I tried it here. The other party will definitely send you a form asking you to fill it out, that is, the domain name transfer application form. After receiving this form, pretend to be filled in for a period of time. Do not take it too long! If the form you entered in the morning is sent to her only in the afternoon, then MM may not remember that the form was sent to you, so that it will not run without fear .) In this way, you can get the permissions of the MM computer and get a lot of useful information from her computer-for example: MM's QQ account password, IDC website's background account password, company's internal FTP password (if you have the upload permission, of course, the best, in this way, you can bind some Trojans to the company's internal resources. This method also applies to the company's internal group, which also has a great opportunity to obtain the permissions of other people inside the company) other company member information (Email, phone or QQ ...... Then you can use the information and permissions collected here to further expand the Intranet control over the IDC.

For example, you can perform Intranet ing. Map your machine to the Intranet of the other company, and then scan the Internet bot. If you are lucky, you can directly obtain the computer permission of the server administrator or the computer permission of the company's management. We have already said this before. If you can get the computer permissions of the above two types of people, you are very close to the server password and permissions.

You can also steal the GG contact from mm qq during off-duty hours when the monk is on duty in the server room, spoofing your virus files or opening websites with viruses (GG duty schedule can be found from the company's intranet ), then, how can I use the identity of MM to make GG point your files with viruses? Here we will look at your experience and technology of social engineering intrusion. Here I provide a concentrated idea:

1: pretend to send photos (lie to me that I recently went out to play, because there are too many files, so we compress the package, and the compressed file is a drug-infected file)

2: Send Offiece documents (fake novels, company documents, customer requirements, etc ......)

3)

4 :......

In addition, if you get the company's website's background management password (customer service usually has a certain background permission, even if it is a small permission, as long as it is a background, it may also expose a lot of important information. For example, the Html editor that exposes the page for publishing background news announcements is an eWebEditor or FckEditor with vulnerabilities... Once upon a time, a general administrator of a website program has the permission to edit database connection parameters and website materials, these parameters and materials happen to be stored in an entity's website Program (that is, you can write files), so that we can manually construct a one-sentence Trojan to obtain the company's Web server permissions ). If you can obtain the Web server permissions, you can easily obtain customer information from a server, that is, our target user's website Ftp password, domain name management password, server management password and other useful information. In this way, even if we cannot improve server permissions and perform Intranet sniffing in the IDC, we can successfully win the target site.

Similarly, if a social worker from MM or GG fails, you can try another way, that is, the person who has the final permission to the server mentioned above-the company's management.

Imagine if your boss sends a company email to you. Or, on MSN or QQ, tell you that his background password has been forgotten, or the target site's leader entrusts him to ask you to add an FTP account or system account to the service. Do you dare to say No? O (distinct _ distinct) o... After understanding this simple truth, we have a goal for further penetration. Find as much leadership information as possible from company staff information collected by MM computers, company intranets, or other means. Use these materials to break into social engineering, or crack their QQ, Msn, or mailbox.

Here, we will also provide a way to get the company's staff mailbox: one is the information obtained through the Intranet, and the other is scanned by the company's website path. Sometimes we can find some internal corporate forums that are not open to the outside world. You can obtain the management's ID and email address from the company's forum, if you are lucky, you can directly obtain the company's website permissions or database through the vulnerability in this internal forum (the database stores important information such as the common network name ID, password, email address, and birthday of all employees of the company)

(498) this. style. wid

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.