myhack58 | Anonymous (佚名) | MYHACK58:62200923973
History: Jul 21, 2009 - 12:00 a.m.

Getting "Broilers": The Inside Story of Exploiting System Vulnerabilities - Vulnerability Warning - Black Bar Safety Net

Anonymous (佚名)
www.myhack58.com

For a long time now, zombie networks made up of large numbers of "broilers" have been a constant threat to the safety of every Internet user. A "broiler" (the Chinese hacker slang for a compromised machine) is a networked computer that an attacker fully controls, and broilers are the main building block of a botnet. So the best way to eliminate the security threat that botnets bring us is to reduce the number of broilers.

And the best way to reduce the number of broilers is for every network user to use whatever means are available to keep their own computer from becoming an attacker's broiler. But to achieve that, which aspects of the computer's security should be strengthened, and with what tools and methods?

The ancient art of war says: "Know the enemy and know yourself." Knowing the enemy means understanding the opponent's situation at every stage: who commands the army, how many troops there are and where they are stationed, and the opponent's usual means of attack. Fully understanding the opponent's usual means of attack tells us which of the things we protect need reinforcement, and which tools and methods are needed to counter each kind of attack. Therefore, the best way to keep your computer from becoming a broiler is to analyse the various means by which attackers obtain broilers, find the reasons a computer becomes one, and from those reasons learn what needs guarding and which security techniques and products solve the problem.

At present an attacker has many ways to obtain broilers; the most common can be summarised as three: exploiting system vulnerabilities, using bundled Trojans and web Trojans, and using social engineering. In this article I describe in detail the first of these, how an attacker uses operating system vulnerabilities to get broilers; the other two methods will be discussed together with you in subsequent articles by the author (writing as Snow Plum Fragrance).

So that this article does not become a training manual for attackers, and to make the concrete process of obtaining a broiler easier to describe, all of the following operations are carried out in a LAN built from virtual machines. In this virtual LAN the host machine runs the Fedora 8 operating system, and the attack target is a virtual machine with a default installation of Windows XP. No security software is installed on this virtual target, no patches have been applied and no security settings have been made; this is purely for ease of demonstration, and no such computer should exist in reality.

Now let us look together at the specific process and method by which an attacker uses operating system vulnerabilities to turn a computer into his broiler.

First step: finding the attack target

For any attacker, the first step of an attack is to find suitable targets and to collect information related to them.

The main task in finding a target is to obtain its IP address. An attacker usually obtains the target's IP address, or the IP address range of the target host, by the following means:

1. If the target is a website, a Whois query on the domain name, or a tool such as Whereisip, gives its IP address; the ping command also resolves a domain name to an IP address; on Windows the trace route command tracert can likewise reveal the target's IP address.

2. If the attacker knows the target's approximate geographic area and the name of the ISP it uses, a search engine will turn up the whole IP address range that ISP can allocate in that area. The attacker can also consult the website of the body responsible for allocating IP addresses in that region, such as www.apnic.net (the site of APNIC, which allocates IP addresses for the Asia-Pacific region), where the allocation tables of China Telecom, China Tietong and China Netcom can be looked up.

3. The attacker can set up a phishing site and trick Internet users into visiting it, thereby obtaining the IP addresses of ordinary users.

4. The attacker can also use instant messaging software such as QQ together with a plug-in such as the Rainbow IP-display plug-in (彩虹显IP), which shows the IP address of any QQ contact he chats with.

5. Nowadays attackers prefer to use social engineering to obtain an organisation's or individual's IP address. IP addresses can also be bought from other hackers.

The means of obtaining the target's IP address listed here are not all that an attacker may use; I only want to point out that an attacker has many ways of reaching that goal. Because I built the experimental environment for this article, the target's IP address, 192.168.1.11, is already known, and the step of finding the target is omitted.

Second step: scanning the attack target

Once the target's IP address or address range is found, the attacker's next job is to scan those addresses with vulnerability scanning software in order to learn which hosts are currently alive, which ports the live hosts have open, and the type and version of operating system they run. This information is very important for the subsequent attack: it lets the attacker decide which live hosts are worth further intrusion and how to proceed.

Scanning the target is usually automated with suitable scanning software. On Linux, attackers often use the network and system scanner Nmap. In the hands of a network or system administrator it is a tool for detecting system weaknesses; in the hands of an attacker it is nothing short of an offensive weapon.

Nmap can quickly identify live hosts and list their open ports and the services associated with those ports, and its OS fingerprinting correctly identifies the target's operating system type even when the target has altered the TTL value of its ICMP responses. With the right scan parameters it can also probe through some firewalls, and it has special options (decoys, packet fragmentation, slow timing) intended to keep the scan out of the target's security device logs so the attacker can avoid being traced. A practitioner should not count on that: a SYN scan still sends a SYN to every probed port, and most modern IDS and host firewalls log it.

Nmap can complete any assigned scan task from the command line, but that requires remembering its many scan parameters; it is not very intuitive, though highly flexible. If the scan task is not complicated, the Nmap graphical front end can be used instead. In this example I use the NmapFE (Nmap Front End) graphical front end, launched from the KDE menu, to complete the scan.

In the "System" submenu of the K menu, find and click NmapFE (Nmap Security Scanner) to start the Nmap graphical front end. Its main interface is shown in Figure 1.

[Figure 1] NmapFE graphical front end, main interface

In the "Target(s)" text box of the NmapFE main interface enter the IP address to be scanned, 192.168.1.11. In the "Scan" tab select "SYN Stealth Scan" from the "Scan Type" drop-down list, then in the "Scanned Ports" drop-down box select "Range Given Below" and enter the port range to be scanned, "7-4000", in the "Range" box beneath it. The other options can be left at their defaults; finally click the "Scan" button in the NmapFE main interface to start the scan.

How long an NmapFE scan takes depends on the size of the IP address range specified; in this example only one host is specified, so the scan completes very quickly. Figure 2 shows the results interface after the scan finishes.

[Figure 2] NmapFE scan results
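The same scan from the command line, plus a small parser for Nmap's grepable (-oG) output so the open-port list can be handed to the next stage without reading it off the GUI. This is an added example and is not code from the original article or from Nmap; the nmap invocation is my reading of the NmapFE settings above (SYN scan, ports 7-4000, OS detection), and the output embedded in sample_gnmap is constructed to mirror the result described in the text, not captured from the author's lab.

```sh
#!/bin/sh
# Added example: command-line equivalent of the NmapFE scan and a parser for
# nmap's grepable output. Not code from the original article.
#
# The scan itself (needs root for -sS and -O; not run here):
#   nmap -sS -O -p 7-4000 -oG target.gnmap 192.168.1.11
#
# -oG writes one tab-separated line per host:
#   Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>//<service>///, ...<TAB>OS: <guess>

# sample_gnmap: constructed -oG output mirroring the result in the article
# (135, 139, 445, 3389 open; OS guessed as XP SP2 / Server 2003). Assumed, not captured.
sample_gnmap() {
    printf '# Nmap 4.20 scan initiated as: nmap -sS -O -p 7-4000 -oG target.gnmap 192.168.1.11\n'
    printf 'Host: 192.168.1.11 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.11 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-term-serv///, 80/closed/tcp//http///\tIgnored State: closed (3989)\tOS: Microsoft Windows XP SP2 or Windows Server 2003\n'
}

# open_ports [FILE]: for every host line that carries a port list, print
# "<ip> <open tcp ports...>", dropping closed/filtered entries. Reads stdin if no FILE.
open_ports() {
    awk -F'\t' '
        /Ports:/ {
            split($1, h, " "); out = h[2]                 # "Host: 192.168.1.11 ()" -> ip
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    n = split(substr($i, 8), p, ", ")      # one entry per port
                    for (j = 1; j <= n; j++) {
                        split(p[j], f, "/")                # port/state/proto/owner/service/rpc/version
                        if (f[2] == "open" && f[3] == "tcp") out = out " " f[1]
                    }
                }
            }
            print out
        }' "$@"
}

# os_guess [FILE]: print "<ip> <OS guess>" for hosts where -O produced a match.
os_guess() {
    awk -F'\t' '
        /OS: / {
            split($1, h, " ")
            for (i = 2; i <= NF; i++) if ($i ~ /^OS: /) print h[2] " " substr($i, 5)
        }' "$@"
}

# Stand-alone demo on the constructed sample:
sample_gnmap | open_ports      # 192.168.1.11 135 139 445 3389
sample_gnmap | os_guess        # 192.168.1.11 Microsoft Windows XP SP2 or Windows Server 2003
```

The two functions take a file name or read standard input, so `nmap ... -oG - 192.168.1.0/24 | open_ports` lists every live host with its open ports in one pass; a defender can run exactly the same pipeline against his own address range and compare the result with the ports he expects to be open.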

From the NmapFE scan results we can clearly see that the target has ports 135, 139, 445 and 3389 open, and that the host is running Windows Server 2003 or Windows XP SP2. For an attacker this information means the target host is worth taking to the next stage of intrusion.

Third step: further weakness scanning of the attack target

Once the attacker has learned the target's system type and open ports with Nmap or similar tools, he knows only that the target can be attacked further; he cannot yet say which specific means to use. What the attacker must do now is concentrate on the target's open ports and find out what kinds of weakness they may expose.

The weakness scan is again done with suitable tool software. On Linux the best way to probe the weaknesses of a given host's ports is the Nessus vulnerability scanner; on Windows, besides Nessus, tools such as X-Scan and SuperScan can be used. Since the host machine in this example runs Fedora 8, I use Nessus for the weakness scan.

Before starting to probe the target for vulnerabilities, the attacker usually first updates the Nessus vulnerability database (its plugins) and then restarts the nessusd daemon. After that the client, NessusClient, is started to begin the vulnerability scan of the target. The main interface of NessusClient after start-up is shown in Figure 3.

[Figure 3] NessusClient main interface

After starting NessusClient, the first thing to do is connect to the Nessus server. In this example, click the "Connect" button at the lower left of the NessusClient main interface, select "localhost" in the connection management interface, and click the "+" button to enter the Edit connection interface. In the "Port" text box there enter 1241, the port the Nessus server listens on; if the Nessus server is behind a firewall, make sure the firewall allows port 1241 through.

Then, in the same screen, enter in the "login" and "password" text boxes the Nessus administrator account and password that were created with the nessus-adduser command. Finally click "save" to return to the NessusClient connection management interface, and click "Connect" there to complete the connection to the Nessus server.

Once NessusClient is connected to the Nessus server, a scan policy must be specified for this scan task. In this example I edit a new scan policy for the weakness scan of host 192.168.1.11. Click the "Edit" button at the lower right of the "select a scan policy" box in the NessusClient main interface to open the edit scan policy interface, shown in Figure 4.

[Figure 4] NessusClient edit scan policy interface

The NessusClient edit scan policy interface has six tabs; in this example I make the following settings in three of them, Policy, Options and Plugin selection:

1. In the "Policy" tab, enter "my policy" in the "Policy name" text box as the name of the scan policy.

2. In the "Options" tab, enter the ports to be scanned in "Port scanner range": 135, 137, 138, 139, 445 and 3389 (or simply 7-4000).

3. In the "Plugin selection" tab, keep only the plugins relevant to the target being scanned, here only those related to Windows systems, so that the weakness scan runs faster.

When done, click "Save" in the edit scan policy interface to save the policy and return to the NessusClient main interface.

In the NessusClient main interface, click the "+" button under the "Scan" list box to open the "Edit target" dialog, and in the "Scan" options there select the single option named "IP Range". Since only one host is to be scanned, enter the same IP address, 192.168.1.11, in both the "Start Address" and "End address" text boxes.

With all of the above settings complete, click the "Scan now" button in the NessusClient main interface to start the weakness scan.

Since the target of the weakness scan is a single host, the scan completes after about a minute and presents the host's weakness report shown in Figure 5.

[Figure 5] Nessus weakness report for the scan target
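The findings read off the report below can also be triaged outside the GUI once the report is exported as a text file in Nessus's NBE format. The following is an added example, not code from the original article or from Nessus: a short awk-based triage over NBE lines. It assumes the NBE layout `results|subnet|host|port|plugin-id|severity|description`, one pipe-separated finding per line, and the lines in sample_nbe are constructed to mirror what the text describes (null-session, Guest and credentialed SMB logons, Remote Desktop on 3389, NetBIOS disclosure on 137, the blank Administrator password found in the next step); the plugin IDs are placeholders, not real Nessus plugin numbers.

```sh
#!/bin/sh
# Added example: triage a Nessus report exported in NBE format. Not code from the
# original article; the NBE layout below is assumed as
#   results|<subnet>|<host>|<port>|<plugin id>|<severity>|<description>
# with severity one of "Security Hole", "Security Warning", "Security Note".

# sample_nbe: constructed findings mirroring the article's report; plugin IDs
# 10001..10005 are placeholders, not real Nessus plugin numbers.
sample_nbe() {
    cat <<'EOF'
results|192.168.1|192.168.1.11|netbios-ns (137/udp)|10001|Security Note|NetBIOS name, workgroup and MAC address obtained from the remote host.
results|192.168.1|192.168.1.11|microsoft-ds (445/tcp)|10002|Security Warning|It was possible to log into the remote host using a NULL session.
results|192.168.1|192.168.1.11|microsoft-ds (445/tcp)|10003|Security Warning|The Guest account is enabled and accepts logons.
results|192.168.1|192.168.1.11|microsoft-ds (445/tcp)|10004|Security Hole|It was possible to log into the remote host as Administrator with an empty password.
results|192.168.1|192.168.1.11|ms-term-serv (3389/tcp)|10005|Security Note|Terminal Services (Remote Desktop) is enabled on this port.
EOF
}

# nbe_findings [FILE]: one line per finding -> "<host> <port> <severity> <plugin id>".
# Reads stdin if no FILE is given.
nbe_findings() {
    awk -F'|' '$1 == "results" { print $3, $4, $6, $5 }' "$@"
}

# nbe_summary [FILE]: per host, count holes/warnings/notes, hosts in order of first appearance.
nbe_summary() {
    awk -F'|' '
        $1 == "results" {
            h = $3
            if (!(h in seen)) { seen[h] = 1; hosts[++n] = h }
            if ($6 == "Security Hole") hole[h]++
            else if ($6 == "Security Warning") warn[h]++
            else note[h]++
        }
        END {
            for (i = 1; i <= n; i++) {
                h = hosts[i]
                printf "%s holes=%d warnings=%d notes=%d\n", h, hole[h], warn[h], note[h]
            }
        }' "$@"
}

# nbe_holes [FILE]: only the "Security Hole" findings, which are what the attacker
# acts on first (and what the defender should patch first) -> "<host> <port> <plugin id>".
nbe_holes() {
    awk -F'|' '$1 == "results" && $6 == "Security Hole" { print $3, $4, $5 }' "$@"
}

# Stand-alone demo on the constructed sample:
sample_nbe | nbe_summary   # 192.168.1.11 holes=1 warnings=2 notes=2
sample_nbe | nbe_holes     # 192.168.1.11 microsoft-ds (445/tcp) 10004
```

Run against a real export (`nbe_summary report.nbe`) the summary gives a per-host ranking of a whole scanned range, and `nbe_holes` is the list an attacker walks in the next step; the same two commands tell a defender which of his own hosts to fix first.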

From the report shown in the figure the attacker learns some important weaknesses. For example, the entries "Null Session", "Guest account" and "Given Credentials" show that the target accepts null-session, Guest and credentialed SMB logons, so the attacker knows that IPC$ null connections are possible, and the finding on port 3389 tells him Remote Desktop is enabled; from port 137 (NetBIOS) he also learns the target's computer name, workgroup name and NIC MAC address. All of these weaknesses are a broiler beckoning warmly to the attacker.

Fourth step: enter and control the target host, then clean up all traces of the intrusion

Now that the attacker knows the target host has the weakness of an open Remote Desktop connection, the next job is to get into the target system through a remote connection, then take control of the host and clear all traces of the intrusion.

A default installation of Windows XP normally has the default administrator account "Administrator". So in this example I try to log in to the target host with this account and an empty password using the tsclient Remote Desktop client, and unexpectedly succeed on the first try. Figure 6 shows the virtual machine as seen through tsclient. Note that a stock Windows XP Professional installation has Remote Desktop switched off and, by default, limits accounts with blank passwords to console logon, so this only works on a machine where those defaults have been loosened. On Windows, the attacker can also use the net use command to establish an IPC$ null connection to a target host with this weakness.

[Figure 6] Logging in to the target host with tsclient

However, when connecting with tsclient, if the account you log on with is the one currently in use on the target system, that user's existing session is logged off as soon as tsclient connects, and the target's user will notice. The better approach is therefore to create a new account with administrator privileges (with net user /add and net localgroup administrators /add; net use itself only maps connections and cannot create accounts) and finish the remaining work through that account, which is also convenient for controlling the broiler later.

Once inside the target system, the attacker can install a Trojan backdoor for subsequent remote control. To know immediately whenever the target comes online, attackers usually install a Trojan with antivirus-evading ("kill-free") and reverse-connection (bounce) capabilities to control the broiler.

When the backdoor for remote control is in place, the attacker also wipes every trace of his operations from the target system so that the target's user notices nothing and no evidence is left behind: for example clearing the system log files, deleting the account he created, and using a tool such as TimeStomp to change the creation times of the files he created.

With that, the task of obtaining a broiler by exploiting a vulnerability in the operating system itself (in this example the long-obsolete Windows XP "3389" weakness) is complete. Even though current Windows versions no longer have this weakness, many new vulnerabilities are still being found. An attacker only needs to follow the websites that publish system and software vulnerabilities daily, then find a suitable exploit tool on the Internet or write his own exploit script, to turn hosts with those vulnerabilities into his broilers.

From this article we should understand that reducing the system's vulnerabilities and the number of open ports is the main line of defence against a host becoming an attacker's broiler. The technique is to use the attacker's own tools (such as Nmap and Nessus) to run the same comprehensive port and vulnerability scans against your own system, step by step as the attacker would, and to fix the weaknesses and vulnerabilities found in good time. Also, avoiding disclosure of the public IP address with which you connect to the Internet helps prevent attacks that begin with scanning. And of course a firewall installed on the system can block most scanning and attack activity coming from the network.