// English original: http://fringe.davesource.com/fringe/Hacking/crap/hack_unix.beginners
// Translator's blog: http://cnbird.99blog.com
// Original Chinese article: http://www3.hackbase.com/hacker/tutorial/200412279229.htm
// Author (translator): cnbird, QQ: 550669, http://cnbird.99blog.com

By chance I found an article titled "Hacking Unix". It looked very valuable, so I decided to translate it. I think this article could become a cornerstone for Chinese Unix hackers... well, maybe that is a bit exaggerated, but after you have read it your attitude will definitely change. To say it again: this article is not written for script kiddies, because a script kiddie only looks for a machine with a known vulnerability and then uses a script to break in. OK, let's get going.

5.3.1. Basic port scan

An application service listens on a port until a connection (TCP) or a packet (UDP) arrives. A port scanner works by finding out on which ports an application is listening. This information is valuable because any application may be vulnerable to some kind of attack, and it also gives clues about the purpose of the system: if what looks like a mail server program is running on a remote system, that system is quite possibly the organization's mail server. To identify the services running on a target, one can simply try to connect to every possible port and note which ones are listening. This method is port scanning. Port scanning may look simple (find out which ports are open on a server), but there are many different techniques. In this section I only describe the basic ones: the TCP full connect scan and the half-open (SYN) scan.

5.3.2. Full connect scan

TCP, unlike UDP, is a connection-oriented protocol: a connection has to be established before any communication can take place. The simplest way to do a TCP port scan is therefore to start a connection.
This requires TCP to exchange three packets (the famous three-way handshake). Take a typical connection between hosts A and B:

1. Host A sends a TCP SYN packet to host B.
2. Host B sends a TCP SYN/ACK packet to host A.
3. Host A sends a TCP ACK packet to host B.

The three-way handshake is necessary so that both sides agree on the sequence numbers; both operating systems keep a record of the connection while it is set up. If the three-way handshake completes on some port within the range we probe on the target system, we can be sure that port is open. If the port is not open, the target answers the SYN with a RST packet instead.

In short, the TCP header contains flags that tell the receiver how the packet should be treated. When the SYN flag is set, the packet starts a connection, i.e. it asks the other side to synchronize sequence numbers for a new connection. The RST flag resets the connection (the connection is aborted).
The ACK flag simply acknowledges what the other side sent. Well, I won't go any further; maybe you are not interested. If you are, read the TCP/IP chapter; this site also has a TCP/IP tutorial.

Let's look at a concrete example. Try a TCP full connect scan on your own local system:

$ nmap localhost

Starting nmap ( http://www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1649 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop-3
143/tcp  open  imap
515/tcp  open  printer
993/tcp  open  imaps
5432/tcp open  postgres

Nmap run completed -- 1 IP address (1 host up) scanned in 0.815 seconds
$

This type of port scan creates a connection in exactly the same way a normal program (like your web browser) would.
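As an added example (not part of the original article, and not nmap's code): a minimal TCP full-connect scanner in Python using only the standard library. It starts a throwaway listener on 127.0.0.1 so that everything runs offline; the listener stands in for a daemon and, like a real one, is handed the connection by accept() and can log the scanner's address, which is exactly why a connect() scan shows up in application logs. The port numbers, the SMTP-style banner and the listener itself are constructed for the example.

```python
import errno
import socket
import threading
from typing import Dict, List, Tuple

# Added example, not from the original article. A TCP full-connect
# (connect()) scan: the kernel performs the complete three-way handshake,
# so the listening application is handed the connection by accept().


def connect_scan(host: str, ports: List[int], timeout: float = 1.0,
                 grab_banner: bool = False) -> Dict[int, Tuple[str, bytes]]:
    """Return {port: (state, banner)} with state 'open', 'closed' or 'filtered'.

    connect_ex() returns 0 when the handshake completed (SYN -> SYN/ACK -> ACK),
    ECONNREFUSED when the target answered the SYN with RST (closed port), and
    some other error (typically a timeout) when nothing came back at all,
    which is what a silently dropping firewall looks like from outside.
    """
    results: Dict[int, Tuple[str, bytes]] = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        banner = b""
        try:
            err = s.connect_ex((host, port))
            if err == 0:
                state = "open"
                if grab_banner:          # many daemons greet first (SMTP, SSH, telnet)
                    try:
                        banner = s.recv(256)
                    except OSError:      # includes timeouts: a silent service
                        banner = b""
            elif err == errno.ECONNREFUSED:
                state = "closed"
            else:
                state = "filtered"
        except OSError:                  # timeout or unreachable: treat as filtered
            state = "filtered"
        finally:
            s.close()
        results[port] = (state, banner)
    return results


def start_listener(banner: bytes):
    """Constructed stand-in for a network daemon: accept connections on a random
    loopback port, log the peer address (as a real daemon would) and send a
    greeting banner. Returns (server_socket, port, log, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)                  # lets the accept loop notice stop_event
    port = srv.getsockname()[1]
    log: List[str] = []
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            except OSError:              # listening socket closed
                return
            log.append("connect from %s:%d" % peer)   # what syslog would show
            try:
                conn.sendall(banner)
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port, log, stop


def free_port() -> int:
    """Pick a loopback port nobody listens on, so the kernel answers its SYN with RST."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def run_demo() -> dict:
    """Scan one open and one closed loopback port; return what both sides saw."""
    srv, open_port, log, stop = start_listener(b"220 mail.example.test ESMTP Postfix\r\n")
    closed_port = free_port()
    results = connect_scan("127.0.0.1", [open_port, closed_port],
                           timeout=2.0, grab_banner=True)
    stop.set()
    srv.close()
    return {"open": results[open_port], "closed": results[closed_port], "log": log}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The log entry is the point: the open port's daemon saw the scanner's source address because the handshake completed, while the closed port only produced a kernel RST and no application ever learned of the attempt.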
It is also called a TCP connect() scan, a name you may find more familiar, because connect() is the operating-system call a process uses to establish a connection. The operating system tells us whether the connection succeeded or failed. On the other side, the application service has registered a socket on the port, and once the connection is established the operating system hands it to the application, which carries on from there. This is why the scan is recorded in the application's logs: most daemons log the source address of every accepted connection. I'll leave the rest of TCP/IP aside and move on to another, more stealthy scanning method: the half-open scan.

5.3.3. TCP half-open scan

The TCP half-open scan is also called a "SYN scan" or sometimes a "SYN stealth scan". The port scanner sends a SYN packet and waits until it receives either SYN/ACK or RST; that tells it the state of the port (SYN/ACK means open, RST means closed) and it then moves on to the next port. The connection is never fully established (the scanner never sends the final ACK; its kernel, which knows nothing about the connection, answers the SYN/ACK with a RST), so the application never hears about it and writes nothing to its logs: TCP only notifies the application once a connection is complete. Hence the name "stealth scan". Note that the half-open SYN is still perfectly visible at the network layer: a packet logger, the firewall or an intrusion detection system records it like any other SYN, so "stealth" only means "invisible to the application". Here is an example of a half-open scan (it needs raw sockets, so root):

# nmap -sS 10.0.0.1

Starting nmap ( http://www.insecure.org/nmap/ )
Interesting ports on 10.0.0.1 (10.0.0.1):
(The 1649 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop-3
143/tcp  open  imap
515/tcp  open  printer
993/tcp  open  imaps
5432/tcp open  postgres

Nmap run completed -- 1 IP address (1 host up) scanned in 0.787 seconds
#

Hand-made port scan: there is a very fashionable tool for this called hping (http://www.hping.org). An example:

devil:~# hping -S -p 79 tosca
HPING tosca (eth0 192.168.9.1): S set, 40 headers + 0 data bytes
len=46 ip=192.168.9.1 ttl=64 DF id=2869 sport=79 flags=RA seq=0 win=0 rtt=0.3 ms
len=46 ip=192.168.9.1 ttl=64 DF id=2870 sport=79 flags=RA seq=1 win=0 rtt=0.4 ms

--- tosca hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.4/0.4 ms
devil:~#

As you can see, the replies carry RST and ACK (flags=RA): port 79 on tosca is closed.

Before the next topic: the purpose of writing this article is to analyze Unix intrusion techniques from the hacker's perspective. Why this angle? Because a network administrator has to know the hacker's techniques in order to defend better. So I wrote this for better defense, and because I prefer Unix; I hate that Windows does not open its source code... OK, let's continue, no more chit-chat.

5.3.4. OS detection

There is no simple way to identify a remote operating system. Nmap provides a good and very reliable way of fingerprinting the operating system. The technique uses the small differences in how each operating system (and each version) implements the various network protocols.
Let's try one:

# nmap -P0 -sS -O 192.168.0.1

Starting nmap ( http://www.insecure.org/nmap/ )
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on server (192.168.0.1):
(The 1655 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
21/tcp open  ftp
23/tcp open  telnet
Device type: general purpose
Running (JUST GUESSING) : DEC OpenVMS 7.X (90%), Compaq Tru64 UNIX 5.X (88%)
Aggressive OS guesses: DEC OpenVMS 7.3 (Compaq TCP/IP 5.3) (90%), DEC OpenVMS 7.3 (Alpha) TCP/IP 5.3 (88%), Compaq Tru64 UNIX V5.1 (Rev. 732) (88%), Compaq Tru64 UNIX V5.1A (Rev.
No exact OS matches for host (test conditions non-ideal).

Nmap run completed -- 1 IP address (1 host up) scanned in 284.404 seconds

One tip: for Linux, nmap prints the kernel version, not the distribution and its version, but an experienced person can easily work out the distribution from it. A few commonly used correspondences: kernel 2.2.16 = Red Hat 7.0, kernel 2.4.20 = Red Hat 9. Everyone has their own experience with this; keep in mind that distributions patch and backport heavily, so the kernel version is only a hint. OK, in the case above the guess is OpenVMS, a completely closed system. It is recommended to use -O together with a scan over a range of ports, so that nmap finds at least one open and one closed port (otherwise you get the warning shown above). If the remote system does not respond to ICMP echo (ping), use the -P0 option to turn off the ping probe; otherwise nmap assumes the host is down and skips it. A telnet banner confirms the guess:

$ telnet server
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.

 Welcome to OpenVMS (TM) Alpha Operating System, Version V7.3-2

Username: [SSL NOT AVAILABLE]

The idea of fingerprinting is not new and is used in a variety of tools (although nmap was one of the first public ones), but nmap's huge fingerprint database gives very accurate results. It's time to eat, but today I don't feel like it, so let's keep translating.. Let's go on..

5.4. Dealing with firewalls

This part covers the basic concepts of a firewall; I will introduce several kinds.
I will also show techniques for confirming that a firewall is present and for discovering its rules. Through an Internet connection, users can reach other networks on the Internet. An organization will want to limit this, and in particular will want to restrict what the untrusted Internet can reach on the internal network. A firewall is used at the boundary between two networks to control the traffic between them. Managers define a policy in terms of services: which services users on the internal network need from the outside, which services the outside may reach on the inside, and possibly some restrictions on what the internal network may reach outside. This policy is translated into a rule table, and the firewall holding the rules is placed between the two networks.
Here are a few common firewall types.

5.4.1. Packet filtering firewalls

There are many introductions online, so I won't waste time; let's go straight to the rules. The first rule a (smart) administrator writes looks like this:

Source: anywhere   Destination: anywhere   Protocol: any   Destination port: any   Policy: DENY

Next the administrator works out the exceptions to this basic rule. An organization may run a mail server on its network. My dorm mates have bought me food, so I'll eat first and write more later; before that I'm going to watch some Warcraft videos. I used to play Human, GUSO-style, and I've already hit 38, no bragging; if you have time, come and learn from me ~ .. OK, let's continue. Last time we were talking about the exceptions to the basic rule. An organization may run a mail server on its network. The mail server receives e-mail through an SMTP service; Sendmail and Postfix are simple examples. The administrator knows the SMTP service must be able to receive mail from the Internet, so he defines a new rule (an exception to the first one):

Source: external (Internet)   Destination: internal mailhost   Protocol: TCP   Destination port: 25 (SMTP)   Policy: ACCEPT

Meaning: a connection from any address to the SMTP service (TCP port 25) on the mail server is allowed, in the inbound direction. The administrator also wants to let his users deliver e-mail to mailboxes on any system on the Internet. He does not define rules for the internal network, because those users only need to connect to the internal mail server, not to mail servers outside. So he only needs one more exception, letting the mail server speak SMTP outward:

Source: internal mailhost   Destination: external (Internet)   Protocol: TCP   Destination port: 25   Policy: ACCEPT

Note that these rules describe the initiating direction only. A purely stateless packet filter would also have to let the reply packets of an accepted connection through (for example source port 25 from the mailhost back to the Internet), either with additional rules or, in a stateful filter, by tracking established connections automatically. Next the administrator wants to allow users to retrieve mail from their mailboxes on the mail server with the POP3 protocol.
For the POP protocol the administrator prefers to leave the policy at DENY towards the outside, since the users read their mailboxes from the internal network. Well, I'll write the next part another time; I've been at this for a few hours... rest... 88, I'll be back soon... wait for me........

Part 4: Last time I covered the firewall section, which is harder to understand. If you don't follow it, refer to the TCP/IP protocol part. TCP/IP is the foundation of the foundation and the focus of the focus; I hope everyone studies that material carefully, it will certainly help with the rest. OK, no more rambling. The firewall part was too wordy and I feel people won't be interested, so I won't translate the rest of it; interested friends can get the original. Here comes the practical example. Go.....

John first runs a harmless connectivity test against the web server:

$ ping www.totallysecure.org
PING www.totallysecure.org (123.123.123.123): 56 octets data

--- www.totallysecure.org ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss
$

John knows there must be some device on the path dropping ICMP echo request (ping) packets, although he cannot tell whether it is the web server itself. Next John wants to find out whether some ports are filtered as well. Administrators often filter (silently drop) ports and protocols rather than rejecting them, which makes the host look as if it were offline.
From what we learned earlier, a SYN packet sent to a closed port should come back with a RST/ACK packet; from that we can tell whether there is any filtering. John uses hping to find out:

# hping www.totallysecure.org -S -p 85
HPING www.totallysecure.org (eth0 123.123.123.123): S set, 40 headers + 0 data bytes

--- www.totallysecure.org hping statistic ---
10 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
#

The -S option sets the SYN flag and -p specifies the destination port. No doubt about it: the port is filtered. Now, a single ACK packet sent to a port normally gets a RST reply. A less than perfect firewall may only block the SYN packets (the ones that start a connection). So if we send an ACK packet to port 85 and receive a RST, that shows a rather basic firewall that only drops SYNs:

# hping www.totallysecure.org -A -p 85
HPING www.totallysecure.org (eth0 123.123.123.123): A set, 40 headers + 0 data bytes

--- www.totallysecure.org hping statistic ---
4 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
#

No response, so it is probably filtered properly. Remember that an ACK packet sent to an unfiltered port returns a RST whether the port is open or closed, so an ACK probe never tells you whether a port is open, only whether it is filtered. For now port 85 itself is not important to us; it is just a port we assume is unused. The clue suggests that the host filters all ports and makes exceptions only for the specific ones it needs (like the web server). We can check that 85 is not a standard service:

# grep 85 /etc/services
#

So the unused ports are filtered; the ports that are actually in use obviously cannot be.
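As an added example, not part of the original article and not hping's code: the two hping probes above reduced to code. It builds the TCP segments hping sends (a SYN probe and an ACK probe, with a correct checksum over the IPv4 pseudo-header), parses replies, and turns the presence or absence of each reply into the inference John makes: SYN/ACK or RST to the SYN probe means the port is reachable (open or closed), no reply to the SYN but RST to the ACK means a simple SYN-only filter, and silence to both means a stateful or drop-all filter. Nothing is put on the wire (sending raw segments needs a raw socket and root); the replies in the demo are constructed, using the addresses and ports from the hping runs above plus an assumed source address 192.168.9.2 for the scanner.

```python
import socket
import struct
from typing import Dict, Optional

# Added example, not from the original article. Builds and inspects the
# TCP segments behind the hping -S and -A probes; nothing is sent.

# TCP flag bits (byte 13 of the header)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_FMT = "!HHIIBBHHH"   # sport, dport, seq, ack, data offset, flags, window, checksum, urgent


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int,
              seq: int = 0, ack: int = 0, window: int = 512, data: bytes = b"") -> bytes:
    """A 20-byte TCP header (no options) plus data, with the checksum filled in."""
    hdr = struct.pack(TCP_FMT, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr) + len(data)) + hdr + data)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + data


def parse_tcp(segment: bytes) -> Dict[str, int]:
    sport, dport, seq, ack, off, flags, win, csum, _urg = struct.unpack(TCP_FMT, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hdr_len": (off >> 4) * 4, "flags": flags, "window": win, "checksum": csum}


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Summing the segment including its own checksum field must give zero."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def flag_string(flags: int) -> str:
    """hping-style rendering: 'RA' for RST+ACK, 'SA' for SYN+ACK."""
    names = [(RST, "R"), (SYN, "S"), (ACK, "A"), (FIN, "F"), (PSH, "P"), (URG, "U")]
    return "".join(ch for bit, ch in names if flags & bit)


def classify_syn_reply(reply: Optional[bytes]) -> str:
    """SYN scan logic: SYN/ACK -> open, RST -> closed, no reply -> filtered."""
    if reply is None:
        return "filtered"
    f = parse_tcp(reply)["flags"]
    if f & SYN and f & ACK:
        return "open"
    if f & RST:
        return "closed"
    return "unknown"


def infer_filter(syn_reply: Optional[bytes], ack_reply: Optional[bytes]) -> str:
    """Combine a SYN probe and an ACK probe to the same port, as John does with hping."""
    if syn_reply is not None:
        return "unfiltered, port " + classify_syn_reply(syn_reply)
    if ack_reply is None:
        return "filtered: SYN and ACK both dropped (stateful or drop-all rule)"
    if parse_tcp(ack_reply)["flags"] & RST:
        return "filtered: SYN dropped but ACK answered with RST (stateless SYN-only filter)"
    return "unexpected reply to ACK probe"


def demo() -> Dict[str, str]:
    """Constructed exchanges; 192.168.9.2 is an assumed scanner address."""
    me, tosca, target = "192.168.9.2", "192.168.9.1", "123.123.123.123"
    # Probe to tosca:79 and the RST/ACK it actually answered with (closed port)
    probe = build_tcp(me, tosca, 2048, 79, SYN, seq=0)
    rst_ack = build_tcp(tosca, me, 79, 2048, RST | ACK, seq=0, ack=1)
    # The same probe against an open port would be answered with SYN/ACK
    syn_ack = build_tcp(tosca, me, 79, 2048, SYN | ACK, seq=12345, ack=1)
    # A stateless filter that drops only SYNs still lets the host answer an ACK probe
    rst_to_ack = build_tcp(target, me, 85, 2048, RST, seq=1)
    return {
        "probe_flags": flag_string(parse_tcp(probe)["flags"]),
        "probe_checksum_ok": str(checksum_ok(me, tosca, probe)),
        "tosca_79": flag_string(parse_tcp(rst_ack)["flags"]) + " -> " + classify_syn_reply(rst_ack),
        "open_port": classify_syn_reply(syn_ack),
        "target_85_stateful": infer_filter(None, None),
        "target_85_stateless": infer_filter(None, rst_to_ack),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key + ":", value)
```

The checksum matters if you ever do put such a segment on a raw socket: a target kernel silently discards segments with a bad TCP checksum, which looks exactly like a filtering firewall from the scanner's side.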
John reasons that the administrator's first rule drops any connection to any port, at least from the outside (Internet). If the firewall works correctly, an ordinary backdoor listening on some extra port could not be reached from outside without the firewall rules being changed. There is another way to check whether the firewall filters properly: test it with fragmented packets.
Fragmented packets are normally used to send packets across a network whose maximum transmission unit (MTU) is smaller than the packet. Fragmentation can split even the TCP header itself across several small packets. Some firewalls simply block such incomplete packets and do not wait for reassembly. John runs a simple test with Fyodor's nmap:

# nmap -sS -p85 -f www.totallysecure.org -P0

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on www.totallysecure.org (123.123.123.123):
Port       State       Service
85/tcp     filtered    unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 36 seconds
#

He uses -f to fragment the probes, -P0 to tell nmap not to check first whether the host is alive (when the ping test fails, nmap otherwise assumes the host is down and does nothing), and -sS for a SYN scan. Nmap split the packet into 6 pieces, as a sniffer would show, and the firewall still reported the port as filtered.
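As an added example, not from the original article and not nmap's code: why a packet filter has to treat fragments specially. A constructed 20-byte SYN probe is split into 8-byte IP fragments the way a tiny-fragment probe does, so the TCP flags (byte 13 of the header) do not sit in the first fragment at all. A stateless filter that only inspects the fragment in front of it never sees the SYN and lets it through; the RFC 1858 safeguards (drop a first fragment too short to hold the transport header, drop a fragment with offset 1) or full reassembly close that hole, which is the behaviour John observed when the port still came back as filtered. The probe, the fragment model and both filters are constructed for the example.

```python
import struct
from typing import List, Tuple

# Added example, not from the original article. An IP fragment is modelled as
# (offset in 8-byte units, more-fragments flag, payload): all a filter needs
# from the IP header for this decision.

Fragment = Tuple[int, bool, bytes]
SYN = 0x02
TMIN = 16   # RFC 1858: a first fragment must carry at least this much TCP to include the flags


def fragment(transport: bytes, frag_payload: int = 8) -> List[Fragment]:
    """Split a transport segment into IP fragments of frag_payload bytes
    (a multiple of 8, because the offset field counts 8-byte units)."""
    if frag_payload % 8:
        raise ValueError("fragment payload must be a multiple of 8")
    frags: List[Fragment] = []
    for start in range(0, len(transport), frag_payload):
        chunk = transport[start:start + frag_payload]
        more = start + frag_payload < len(transport)
        frags.append((start // 8, more, chunk))
    return frags


def reassemble(frags: List[Fragment]) -> bytes:
    """In-order reassembly that rejects gaps and overlaps instead of guessing."""
    buf = bytearray()
    for off, _more, payload in sorted(frags, key=lambda f: f[0]):
        if off * 8 != len(buf):
            raise ValueError("gap or overlap at offset %d" % off)
        buf += payload
    return bytes(buf)


def naive_filter(frag: Fragment) -> str:
    """Stateless rule 'drop SYNs to this port' applied to whatever arrives.
    Non-first fragments carry no TCP header, so they pass; a first fragment is
    checked for SYN only if the flags byte is actually present in it."""
    off, _more, payload = frag
    if off == 0 and len(payload) > 13 and payload[13] & SYN:
        return "drop"
    return "pass"


def rfc1858_filter(frag: Fragment) -> str:
    """The same rule plus the RFC 1858 safeguards against tiny and overlapping fragments."""
    off, more, payload = frag
    if off == 0 and more and len(payload) < TMIN:
        return "drop"   # tiny first fragment: the flags cannot be inspected
    if off == 1:
        return "drop"   # could overwrite the flags carried by the first fragment
    if off == 0 and len(payload) > 13 and payload[13] & SYN:
        return "drop"
    return "pass"


def reassembling_filter(frags: List[Fragment]) -> str:
    """Stateful approach: put the datagram back together, then apply the rule."""
    return naive_filter((0, False, reassemble(frags)))


def demo() -> dict:
    # Constructed SYN probe: sport 40000 -> dport 85, seq 1, 20-byte header,
    # no options; the checksum is left zero since it plays no part here.
    syn_probe = struct.pack("!HHIIBBHHH", 40000, 85, 1, 0, 5 << 4, SYN, 512, 0, 0)
    tiny = fragment(syn_probe, 8)   # three fragments: bytes 0-7, 8-15, 16-19
    flags_frag = next(i for i, (off, _m, p) in enumerate(tiny)
                      if off * 8 <= 13 < off * 8 + len(p))
    return {
        "fragments": [(off, more, len(p)) for off, more, p in tiny],
        "flags_in_fragment": flags_frag,
        "whole_naive": naive_filter((0, False, syn_probe)),
        "tiny_naive": [naive_filter(f) for f in tiny],
        "tiny_rfc1858": [rfc1858_filter(f) for f in tiny],
        "tiny_reassembled": reassembling_filter(tiny),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key + ":", value)
```

The unfragmented probe is dropped by the naive rule, but the same probe cut into 8-byte fragments passes it in full; only the RFC 1858 checks or reassembly stop it, and in both cases the scanner sees no reply, i.e. "filtered".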