How several recent hacker tools are used - vulnerability warning - the black bar safety net

ID MYHACK58:6220054868
Type myhack58
Reporter Anonymous
Modified 2005-11-26T00:00:00


This article mainly introduces some of the tools hackers use to attack networks. By understanding how these hacking tools are used, the reader can better protect their network security.

Imagine the following scenario. At 3:45 the phone rings and wakes you up. You go online to respond to the call, only to find that the network has been cut off: you have been “hacked”. Moreover, this hacker is a master, because a number of servers have stopped working and his Trojan horse backdoors are everywhere. God knows what else he did! What gives you a headache is that when you check your e-mail, many companies are asking why you attacked their networks. Apparently the hacker used your host to attack other systems.

To help you better prevent such attacks, this article describes popular hacker tools and effective prevention techniques that you can use to protect your network security.

Special note

This article does not teach you how to attack other people's systems; it objectively describes real-world attacks and provides you with protection against them.

Because these tools are available for free download online and may damage your system, the author's discussion of a particular tool does not mean that he endorses it or recommends that you use it. A reminder from the author: when using these tools you must be very careful, and you must understand what their source does.

Tool one: Password Crackers

Password crackers have become a mainstream hacker tool because of their widespread use. A password cracking attack has two steps. First, the attacker reads the encrypted password file from the target computer; most systems, including Windows NT and UNIX, store passwords in encrypted form in the file system and use them to authenticate the user at login. Second, the attacker uses a dictionary as an auxiliary tool and starts trying to crack the passwords with the password cracker: each dictionary entry is encrypted and then compared with the stored value. If the two encrypted passwords match, the hacker knows the password; if they do not match, the tool repeats the work until the last entry in the dictionary. Sometimes hackers even try every combination of letters. With this method, the speed of cracking depends on how fast the tool can encrypt and compare.

Tool two: L0phtCrack

L0phtCrack was written by the hacker group L0pht Heavy Industries and released in 1997. It was first distributed as shareware. It is specifically designed to crack Windows NT passwords. The tool is powerful and very easy to use; a beginner needs only a few mouse clicks to crack passwords. L0phtCrack 2.5, released in January 1999, optimized the DES cipher code, making the software about 450 percent faster than the older version. Allegedly, a 450 MHz Pentium II can crack all alphanumeric passwords within a day.

L0phtCrack obtains the encrypted password file through a variety of channels. As long as the hacker runs a program containing L0phtCrack on the machine, or copies a program from a Windows NT administrator's backup floppy, he can obtain the Windows NT system's SAM database. The GUI of the latest L0phtCrack version can also capture encrypted Windows passwords from the network. When you log on to an NT domain, your password is sent over the network in hashed form, and L0phtCrack's built-in sniffer easily captures the encrypted value and cracks it.

Because this tool is also very useful to IT practitioners, a registration fee has been charged since L0phtCrack 2.0. The latest version offers a 15-day free trial, after which it costs 100 US dollars. There are also several other cracking programs to choose from; some charge a fee and some are free software.

L0phtCrack prevention

The best defense against password cracking attacks is to enforce a strong password policy. For example, require users to choose passwords that are hard to guess: a password should be at least 8 characters long and include digits, letters and special characters (such as !@#$%), and should not contain dictionary words. To further ensure safety, some password-setting tools automatically help users create complex passwords.

In addition, you should regularly use password cracking tools to check whether the company's passwords are secure. Of course, only security officers or personnel authorized by them may use such tools, and written approval must be given. At the same time, you should decide in advance how to handle a user whose password turns out to be crackable: send him an e-mail, or visit him in person and explain your password policy. These issues should be fully considered when planning a password assessment.
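The two defensive checks described above, as an added example that is not part of the original article: a policy check applying the article's rules (at least 8 characters, digits, letters and special characters, no dictionary word) and an authorized audit that hashes each dictionary entry and compares it with stored hashes to find which users need to be contacted. The dictionary, the SHA-256 stand-in for the system's password encryption and the two sample accounts are constructed for the example.

```python
import hashlib
import string

# Constructed example word list; a real audit would use a full dictionary.
DICTIONARY = ["password", "letmein", "welcome", "dragon", "qwerty"]

SPECIAL = set("!@#$%^&*()-_=+[]{};:,.<>?/")


def policy_violations(password, dictionary=DICTIONARY):
    """Return the list of policy rules a candidate password breaks.

    Rules follow the article: at least 8 characters, must contain digits,
    letters and special characters, and must not be a dictionary word.
    The dictionary check is case-insensitive and strips leading/trailing
    digits and punctuation, so 'Password1!' is still caught.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    core = password.lower().strip(string.digits + "".join(SPECIAL))
    if core in {w.lower() for w in dictionary}:
        problems.append("based on a dictionary word")
    return problems


def sha256hex(text):
    # Constructed stand-in for the system's real password encryption.
    return hashlib.sha256(text.encode()).hexdigest()


def audit_hashes(stored, dictionary=DICTIONARY):
    """Authorized audit of stored password hashes, the check the article
    recommends security officers run on their own company.

    Each dictionary word is hashed once and looked up against every stored
    hash; the usernames whose password is a dictionary word are returned so
    they can be notified. `stored` maps username -> hex hash.
    """
    known = {sha256hex(word) for word in dictionary}
    return sorted(user for user, h in stored.items() if h in known)


# Constructed sample: two accounts, one protected by a dictionary word.
SAMPLE_STORED = {"alice": sha256hex("letmein"), "bob": sha256hex("Tr0ub4dor&3")}

if __name__ == "__main__":
    for pw in ["Ab1!", "Password1!", "Tr0ub4dor&3"]:
        print(pw, "->", policy_violations(pw) or "ok")
    print("users to notify:", audit_hashes(SAMPLE_STORED))
```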

Tool three: War Dialers

Many companies rely on firewalls for security. However, this robust line of defense only seals the front door of the network, while unregistered internal modems open a “back door” for intruders. War dialers can quickly find these modems, and the hacker then breaks into the network. This is why they have become a very popular tool among intruders.

War dialers became famous through the movie “War Games”. The principle is very simple: dial phone numbers sequentially or at random, listening for the familiar answer tone of a modem. Once a war dialer finds a batch of answering modems, the hacker dials into the network and continues looking for unprotected logins or easily guessed passwords on the internal systems. The preferred target of war dialers is PC remote management software with “no password”. Such software is usually installed by end users for remote access to internal company systems. These PC remote control programs are extremely fragile when used on an insecure modem.

THC-Scan is short for The Hacker's Choice (THC) Scanner. This war dialer was written by “van Hauser” and its functionality is very complete. THC-Scan 2.0 was released at Christmas 1998. THC-Scan is used much like ToneLoc (written by “Minor Threat” and “Mucho Maas”). Unlike ordinary war dialers, THC-Scan can automatically detect modem speed, data bits, parity bit and stop bits. It also attempts to determine the operating system of the computer it finds. Moreover, THC-Scan can detect when a line gives a dial tone, which lets a hacker place free calls through your PBX.

War Dialers prevention

Of course, the most effective preventive measure is to use modems securely. Remove unused modems, and require users to register with the IT department before using a modem. For registered modems that are used only for outbound calls, adjust the company PBX permissions to allow only outbound dialing. Each company should have a strict policy covering modem registration and PBX control. Since easy-to-use, inexpensive digital modems are available at retail, users can be required to install modems only on the PBX's digital lines.

In addition, you should regularly run penetration tests to find unauthorized modems on the telephone exchange. Choose a good tool to look for modems connected to the network. Modems that are found but not registered should be either removed or registered.

Tool four: Net Cat

Net Cat is a versatile TCP and UDP connection tool. It was written for UNIX by “The Hobbit” in 1995 and released in 1997. It is a very useful tool for system managers and network debugging personnel; of course, it is also a powerful tool for attacking networks.

Net Cat has many features and is known as the hacker's “Swiss army knife”. Combined with a powerful UNIX scripting language, Net Cat becomes a basic building block for constructing network tools. The basic Net Cat program can run in two modes: listen and client. In listen mode, Net Cat is a server process waiting for connections on the specified TCP or UDP port. In client mode, Net Cat can connect to any port the user specifies.

With Net Cat listening on one system and running as a client on another, many attacks can be launched. It can provide a backdoor login on any port, such as UDP port 53. Analysed at the packet level, such a login looks like a series of DNS queries and replies, but it is actually a backdoor login. When both systems run in both modes at the same time, Net Cat provides a fast, simple file transfer mechanism on any port.

Net Cat can also send source-routed packets. Running in client mode, it is a UDP and TCP port scanner, and when it finds open ports on a system, Net Cat easily connects to them.

The NT version of Net Cat has a unique feature: it can bind itself in front of the current process on a port. This feature can be used very effectively to launch attacks against a server or Web server. The connection may also be broken by a denial-of-service (DoS) attack. Sometimes hackers place their own specially written program in front of the legitimate server process to harvest sensitive data, passwords, bank account numbers and so on.

Net Cat prevention

The best way to prevent Net Cat attacks is the “principle of least privilege” (abbreviated POLP). That is, do not let unneeded ports through the firewall; allow only the ports you permit, and only to the specified hosts. For example, for DNS queries through the firewall, open only UDP port 53, which this service needs, and usually only to an internal DNS server that forwards the queries to the Internet. This denies an attacker the opportunity to deliver Net Cat packets to any host on your internal network.

For systems that may be accessed from outside, preventing Net Cat attacks requires knowing which processes are running on these machines and carefully investigating unusual ones, because they may be backdoor listeners. You must periodically check the ports to find out whether a listener has been planted on your machine.
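The periodic listener check described above, as an added example that is not part of the original article: it parses `netstat -an`-style output and reports every bound port that is not on the allowlist for the host's role, which is how a Net Cat listener on an unexpected port (here a UDP 53 listener on a Web server, the DNS-lookalike backdoor the article describes) stands out. The role allowlists and the sample netstat output are constructed for the example.

```python
# Expected listeners per host role (constructed example policy). Anything
# else is reported for investigation as a possible backdoor listener.
ALLOWED = {
    "web": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "dns": {("tcp", 22), ("tcp", 53), ("udp", 53)},
}

# Constructed sample in the style of `netstat -an` on a UNIX host. Note the
# UDP 53 socket: on a DNS server it is normal, on a Web server it is not.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             192.0.2.7:51312         ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
"""


def parse_listeners(text):
    """Return the set of (proto, port) pairs that are bound and listening.

    TCP sockets count only in LISTEN state (established connections are
    clients or accepted sessions, not listeners). UDP is connectionless, so
    any bound UDP socket with a wildcard foreign address is a listener.
    """
    listeners = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue                      # header or unrelated line
        proto, local, foreign = parts[0], parts[3], parts[4]
        port = int(local.rsplit(":", 1)[1])
        if proto == "tcp" and (len(parts) < 6 or parts[5] != "LISTEN"):
            continue
        if proto == "udp" and not foreign.endswith(":*"):
            continue
        listeners.add((proto, port))
    return listeners


def unexpected_listeners(text, role):
    """Listeners present on the host that its role does not explain."""
    return sorted(parse_listeners(text) - ALLOWED[role])


if __name__ == "__main__":
    for role in ("web", "dns"):
        print(role, "->", unexpected_listeners(SAMPLE_NETSTAT, role))
```

On a live host, feed the function the real output of `netstat -an` and keep the allowlist under change control so that a newly appearing port has to be explained.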

To prevent replay attacks, all applications should cover every message, including Web cookies, forms and raw data, with a timestamp and a sequence number. The timestamp and sequence number of every message should be protected by a cryptographic integrity check, to ensure that they have not been modified or replayed.
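The replay protection described above, as an added example that is not part of the original article: each message carries a timestamp and a per-sender sequence number, both covered by an HMAC-SHA256 tag, and the receiver rejects messages whose tag fails, whose timestamp is outside the allowed skew, or whose sequence number has already been seen. The `ReplayGuard` class, the shared key and the clock values are constructed for the example.

```python
import hashlib
import hmac
import json
import time


class ReplayGuard:
    """Receiver-side freshness and integrity check for application messages.

    The timestamp and sequence number are inside the MAC'd data, so an
    attacker who captures a message cannot adjust them to make an old
    message look new; the only option is to replay it unchanged, and the
    sequence-number check catches that.
    """

    def __init__(self, key, max_skew=30):
        self.key = key                    # shared secret (constructed for demo)
        self.max_skew = max_skew          # seconds of clock drift tolerated
        self.last_seq = {}                # sender -> highest seq accepted

    def _tag(self, sender, seq, ts, body):
        # Canonical encoding so both sides MAC exactly the same bytes.
        msg = json.dumps([sender, seq, ts, body], separators=(",", ":")).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def seal(self, sender, seq, body, now=None):
        """Sender side: attach timestamp, sequence number and integrity tag."""
        ts = int(now if now is not None else time.time())
        return {"sender": sender, "seq": seq, "ts": ts, "body": body,
                "tag": self._tag(sender, seq, ts, body)}

    def accept(self, m, now=None):
        """Return (accepted, reason). The tag is verified first so that the
        freshness checks only ever run on authentic messages."""
        now = now if now is not None else time.time()
        expected = self._tag(m["sender"], m["seq"], m["ts"], m["body"])
        if not hmac.compare_digest(expected, m["tag"]):
            return False, "bad integrity tag"
        if abs(now - m["ts"]) > self.max_skew:
            return False, "stale timestamp"
        if m["seq"] <= self.last_seq.get(m["sender"], -1):
            return False, "replayed sequence number"
        self.last_seq[m["sender"]] = m["seq"]
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard(b"demo-shared-key")
    msg = guard.seal("alice", 1, "transfer 10", now=1000)
    print(guard.accept(msg, now=1005))     # accepted the first time
    print(guard.accept(msg, now=1006))     # same message again: replay
```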

Tool five: Session Hijacking

Many applications that use command-line logins are insecure, especially telnet, rsh, rlogin and FTP; all of them are targets for hackers. Any hacker on the network path between the client and the server can use a session hijacking tool to take over the session.

When a legitimate user is logged into a command-line session, a hacker can locate this session and immediately take it over on the user's behalf, disconnecting the client. The hacker then has complete control of this login and becomes the legitimate user, while the real user simply thinks the network has failed and drops the session.

The hacking community has many such tools. The latest is Hunt, written by “Kra” in November 1998, as well as Juggernaut, written by “daemon9”; both provide basic session hijacking features.

Session Hijacking prevention

For sensitive communication sessions, such as the remote management of firewalls, PKI or other key components, choosing a tool that authenticates cryptographically and encrypts the entire session is a good choice. Secure Shell (SSH) provides these functions. VPN products also provide authentication and session encryption. A hacker without the SSH or VPN key cannot carry out session attacks.

Happy ending

Let us look back at the attack scenario described at the beginning of this article, three months ago.

When you investigate this attack, you find that the intruder used war dialing to find an unprotected modem belonging to one of your users. He then took over that system, scanned the entire network, and installed backdoors on machines in the internal network. When the hacker observed a system administrator logging into the public Web server, he took over the server and used it to attack other Internet sites.

After this incident, your organization began to pay attention to the importance of security and prevention. Management authorized you to implement password and modem policies, began regular war dialing and password cracking tests, and installed automated monitoring and early-warning systems.

After implementing these new policies, the company's network security has greatly improved. You understand that only careful study and implementation of prevention strategies can keep you safe from attack. Even if problems arise in the future, you will detect them quickly and take measures immediately.

Hopefully, with this knowledge, you can sleep well at night!

Back Orifice description

Once a hacker has found a modem and successfully cracked a password, what does he do? Usually he installs backdoors inside the system so that he can return later. Back Orifice, or BO, is a powerful backdoor creation tool that can easily bring a huge network system to a standstill.

Back Orifice was released by the hacker group Cult of the Dead Cow (cDc) in August 1998. BO consists of a server portion and a client portion. The server portion is installed on the victim's Windows 95 machine, and the client portion runs on the hacker's system. The main purpose of installing BO is to remotely invade and control the attacked Win95 system over the network, so that the compromised machine does the hacker's bidding.

BO is multi-functional and its code is concise. The BO server is only 121KB and installs quickly. The BO client communicates with the server using UDP packets; it can be configured to use any port on the system, and the default is UDP 31337, from the hacker slang “Elite”.

BO has many features:

·Hackers have full control of the file system and can move, edit, delete and copy programs on the compromised machine.

·It can capture any keystroke the user types. This is what makes BO so lethal: when the victim types a password or a public-key passphrase, BO faithfully records it to a file for the attacker to collect later.

·Hackers can run any process on the infected machine, and these processes can listen on any port.

·BO tries to hide itself and does not appear in the task list.

·The BO server comes with a Web server, so hackers can use a browser to access the victim machine.

·Other hackers extend BO's functions with so-called BO Unified Tool Transport plug-ins (“BUTT plugs”). Plug-ins have been released that claim to be able to activate BO by e-mail or IRC, so that as the tool spreads across the network it can find new targets.

·A working BO sniffer plug-in has also been written.

BO is very easy to install: running a single simple program installs all BO components quickly. BO spreads in many forms; sometimes the intruder gets the installation program executed without the victim's knowledge, through an e-mail attachment or a Web site.

Wrappers are BO-related tools that merge BO with a harmless program. For example, BO is combined with some important software such as a word processor, or with a simple game popular on the network: the hacker attaches BO to game.exe, and the resulting file is e-mailed to the user with a fake notice that it is a software upgrade. When the user runs the “upgrade”, the tool first installs BO and then runs the combined application. The user only sees the game running and has no idea of having become a BO victim. Finally, such tools can also be installed from the Web through unsigned Java applets or ActiveX controls.


Although BO tries to hide itself and does not appear in the task list, it is still very easy to find. To detect BO manually, look in the c:\windows\system directory for a 122KB .exe file and compare its name with the Default value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices in the Windows Registry. If the two match, BO is present on the system. (Note that the file name and the key value are configurable by the attacker, but the default is “ .exe”, a space followed by .exe.) Finally, if BO is present, a file called “windll.dll” may be found in the c:\windows\system directory.

Although manual analysis is useful for a small number of machines, large-scale scanning requires anti-virus products. Several anti-virus vendors have added BO detection to the latest versions of their products. As of press time, BO only compromises Windows 95. However, the BO client portion can also do its work on Windows and UNIX, so do not sit back and relax just because you use NT. Note that NetBus, written by Carl-Fredrik Neikter, targets NT servers and has the same functions as BO. NetBus 2.0 was released in January 1999.

Other attack tools


Attackers use root exploits to turn an ordinary UNIX account into superuser access and take over the machine. There are countless ways on a UNIX system for an attacker to escalate his privileges.

Root exploits prevention

Security practitioners and system administrators should follow Carnegie Mellon's CERT advisories and the Bugtraq mailing list (subscribe: listserve@net) and pay close attention to new exploits. When a new attack breaks out, the affected machines should be quickly and systematically tested and the vendor's patches installed. Publicly accessible Web servers, DNS systems, firewalls and so on should run host-based security monitoring software to detect users who obtain root.

Denial-of-service (DoS) attacks

This type of attack makes a system chaotic or slow until it can no longer be used. In the past two years hackers have used this kind of attack a great deal, against targets including operating systems, routers and even laser printers, with all kinds of attack software such as Ping of Death, Land, Smurf, Bonk, Boink and Latierra. These attacks may not seem so ferocious, but companies often suffer system failures, idle employees and aborted transactions as a result, and end up paying a heavy price.

Denial-of-service prevention

Likewise, paying close attention to the latest attacks and promptly installing system patches remains the best defense against DoS attacks. You can also place anti-spoofing filters on the external router, or configure the internal network routers to withstand DoS attacks.

Remote Explorer

Remote Explorer is an NT virus with very strong destructive power. On NT systems it disguises itself as a service. When the administrator logs on, the virus automatically spreads to all NT machines in the domain. On affected systems, Remote Explorer randomly encrypts files and denies legitimate access.

Remote Explorer prevention

Strict anti-virus measures and an effective virus prevention tool can prevent Remote Explorer attacks.

Note: the tools described above are presented so that everyone understands how they affect us; only by understanding these tools can we better protect our network security. No one may use the above tools for illegal purposes.