1. What is a penetration attack:
Simply put, it is used when the target host has no obvious system vulnerability: the attacker takes over another host on the same network segment and uses that host's weaknesses to get at the target.
The core techniques are:
1: Sniffing data in a switched environment,
2: and IP spoofing against Linux / UNIX systems.
2. Attack process:
Scan the target host (determine the system type; is FTP or Telnet open, is SSH in use)
|
Scan the other hosts on the same subnet (find a vulnerability that yields admin; best if 3389 is open)
|
Determine the network topology (find the gateway; determine whether the environment is switched or non-switched)
|
Break into one of the other hosts and install a sniffer suited to that environment
|
Use the sniffed username and password to enter the target ...
|
Leave a back door, clear the footprints ...
3. The whole process of hacking www.xxx.com
1. PING to get the IP (assume the host is named AA); the returned TTL is over 100, so it is most likely NT.
2. Open X-Scan to look at the open ports: not many, but FTP is open, version Serv-U 4.0.
No hole (scanned again with another scanner; the host itself really has no hole).
3. Sweep the same class C segment (one IP range) with X-Scan, focusing on IIS holes (found four or five machines with the IDQ / IDA overflow).
4. Check what ports those four or five machines have open (luckily one of them has 3389 open).
5. Enter the host with 3389 (assume it is named BB) and install CaptureNet (a sniffer that is useful in a non-switched environment); when run, it only receives data addressed to itself and broadcast data, because the network is actually switched.
6. Install Xiaoki's ARPSniffer on BB (http://666w.com/tools/aps.zip); meanwhile tracert from another host to find the gateway (you can also see it in BB's TCP / IP settings).
7. Run ARPSniffer on BB with AA as the target, listening on port 21.
9. Wait a few days, then go to BB and look at ARPSniffer's log file: find the username and password!
10. FTP in (exciting!), good privileges; upload the latest privilege-escalation tool Eruanasx.exe / DLL (and a bat file) to an executable directory and run it ... first add an administrator! (The latest hotfix is not installed.)
11. Then try an IPC connection; it prompts "The command completed successfully" ... haha, finally got admin :)
12. Run PWDUMP3 to get the password hashes of all users on AA, then crack them with LC4 ...
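Steps 6 and 7 above only work because the sniffer on BB has to answer ARP for AA and the gateway, so the IP-to-MAC bindings seen on the segment change and one MAC starts answering for several IPs. The following is an added detector for exactly that signature; it is not part of the original write-up, and the ARP replies, IPs and MACs in it are constructed sample data.

```python
# Added example (not from the original text): flag the binding changes that an
# ARP sniffer placed between a target and its gateway must produce.
from collections import defaultdict

# Constructed sample of ARP replies as (seconds, sender IP, sender MAC).
# 192.0.2.1 plays the gateway, 192.0.2.10 plays AA, 192.0.2.20 plays BB.
SAMPLE_ARP = [
    (0, "192.0.2.1", "00:00:5e:00:53:01"),
    (1, "192.0.2.10", "00:00:5e:00:53:0a"),
    (2, "192.0.2.20", "00:00:5e:00:53:14"),
    (30, "192.0.2.1", "00:00:5e:00:53:14"),   # gateway IP now claims BB's MAC
    (31, "192.0.2.10", "00:00:5e:00:53:14"),  # AA's IP too: both directions poisoned
    (60, "192.0.2.1", "00:00:5e:00:53:01"),   # binding flips back when the tool stops
]

def detect_arp_spoof(events, known=None):
    """Return (time, ip, old_mac, new_mac) for every IP whose MAC binding changes.

    `known` optionally seeds trusted IP->MAC pairs (e.g. the gateway) so that a
    poisoned reply seen first is flagged instead of being trusted."""
    table = {ip: mac.lower() for ip, mac in (known or {}).items()}
    alerts = []
    for t, ip, mac in sorted(events):
        mac = mac.lower()
        prev = table.get(ip)
        if prev is not None and prev != mac:
            alerts.append((t, ip, prev, mac))
        table[ip] = mac
    return alerts

def macs_claiming_multiple_ips(events):
    """One MAC answering for several IPs is the other half of the signature."""
    by_mac = defaultdict(set)
    for _, ip, mac in events:
        by_mac[mac.lower()].add(ip)
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    trusted = {"192.0.2.1": "00:00:5e:00:53:01"}
    for a in detect_arp_spoof(SAMPLE_ARP, known=trusted):
        print("ALERT t=%d %s changed %s -> %s" % a)
    print(macs_claiming_multiple_ips(SAMPLE_ARP))
```

Static ARP entries for the gateway on the hosts you care about, and a switch feature such as dynamic ARP inspection, remove the condition this detector looks for; the detector is still useful because it shows when something on the segment is trying.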