{"id":415,"date":"2017-03-19T21:08:00","date_gmt":"2017-03-19T13:08:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=415"},"modified":"2024-02-17T20:35:00","modified_gmt":"2024-02-17T12:35:00","slug":"system-hacking","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/415","title":{"rendered":"system hacking"},"content":{"rendered":"\n

hacking cycle
1 enumeration
\u5217\u51fauser
2 cracking passwords
\u53d6\u5f97 user\u5bc6\u78bc
3 escalating privileges
\u5f9euser\u5e33\u865f\u63d0\u5347\u5230admin\u6b0a\u9650,\u76ee\u5730\u662f\u53ef\u57f7\u884c\u66f4\u591a\u7a0b\u5f0f
4 executing applications
\u57f7\u884ckeylogging,spyware…\u7b49\u8a18\u9304admin\u4f7f\u7528\u7fd2\u6163,\u4e26\u4fdd\u7559\u6a5f\u5668\u7684\u4f7f\u7528\u6b0a\u7d66\u4e0b\u4e00\u6b21\u9032\u5165\u7cfb\u7d71
5 hidding files
\u5c07\u60e1\u610f\u7a0b\u5f0f\u96b1\u85cf\u8d77\u4f86,ex:\u4f7f\u7528ntfs\u7684ads\u7279\u6027
6 covering tracks
7 steganography<\/p>\n\n\n\n

…………………………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………………………<\/p>\n\n\n\n

escalating privileges<\/h2>\n\n\n\n

\u8a2d\u6b0a\u9650\u5efa\u8b70:<\/strong>
least possible privileges:\u6700\u5c0f\u7684\u6b0a\u9650
just enough privileges:\u525b\u525b\u597d\u6700\u5c0f\u7684\u6b0a\u9650
\u5148\u5c07\u5e33\u865f\u6240\u6709\u6b0a\u9650disable,\u5728\u6839\u64da\u9700\u6c42\u4ee5\u6700\u5c0f\u6b0a\u9650\u7684\u539f\u5247enable<\/p>\n\n\n\n

privilege\u8a2d\u5b9a\u5de5\u5177:
cacls.exe<\/p>\n\n\n\n

\u907f\u514d\u975e\u6cd5escating privileges\u5efa\u8b70:<\/strong>
restricting interactive logons
\u8981\u6c42 user\u4e0d\u80fd\u7528cmd.exe\u5b58\u53d6system programs
auditing success\/failure,\u5305\u62ecaccount logon events,privilege use,system events<\/p>\n\n\n\n

…<\/p>\n\n\n\n

if the attacker has access to a w2k sp1 server<\/strong>
\u53ef\u4f7f\u7528ERunAs2X.exe to escalate his\/her privileges to that of system by using “nc.exe -l -p 50000 -d -e cmd.exe”
ps:this can also be used remotely<\/p>\n\n\n\n

ps:\u7528\u5f31\u9ede\u9032\u53bbwin\u7cfb\u7d71shell\u6642,\u9810\u8a2d\u6b0a\u9650\u662flocalsystem<\/p>\n\n\n\n

if attacker\u5df2\u7d93\u9032\u5165windows system<\/strong>
1 booting to an alternate os:ex:ntfsdos,\u5fae\u8edf\u7684minisystem
2 backup sam from the repair directory:sam\u5099\u4efd\u6a94\u6703\u5b58\u5728%systemroot%repair
3 extract the hashes from the sam:\u4f7f\u7528l0phtrack\u89e3\u958bsam
ps
sam file \u5132\u5b58win nt\/2000\u7684password,username
sam file is located at %systemroot%system32config
\u7576os is running,sam file\u6703\u88ablock<\/p>\n\n\n\n

…<\/p>\n\n\n\n

privilege escalation tool:<\/p>\n\n\n\n

active@password changer<\/strong>
\u53ef\u904b\u4f5c\u5728win xp\/2003\/2000\/nt<\/p>\n\n\n\n

x.exe<\/strong>
\u7279\u8272:\u6a94\u6848\u5c0f,\u4f7f\u7528buffer overflow exploits
\u904b\u4f5c:\u6703\u5efax\u5e33\u865f\u4e26\u653e\u5165administrator group\u4e2d
ps:1 \u57f7\u884c\u6642\u9700\u5728administrator\u6b0a\u9650\u4e0b,2\u9700\u8a2d\u6cd5\u7d66\u6709administrator\u6b0a\u9650\u7684\u5e33\u865f\u57f7\u884c
\u4e00\u822c\u7528\u6cd5:\u5c07\u6b64\u6a94\u653e\u5165\u67d0\u500b\u6a94\u88e1\u9762,\u5728\u7d66\u5225\u4eba\u57f7\u884c<\/p>\n\n\n\n

…………………………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………………………<\/p>\n\n\n\n

executing applications<\/h2>\n\n\n\n

tool
psexec:\u5728ps\u7cfb\u5217tools\u4e2d,\u53ef\u9060\u7aef\u57f7\u884c\u5176\u4ed6\u7a0b\u5f0f
remoexec:\u53ef\u9060\u7aef\u57f7\u884c\u5176\u4ed6\u7a0b\u5f0f,\u5716\u5f62\u5316
ras n map
alchemy remote executor:\u9060\u7aef\u57f7\u884c\u5176\u4ed6\u7a0b\u5f0f
emsa flexinfo pro<\/p>\n\n\n\n

…<\/p>\n\n\n\n

keystroke loggers tool<\/p>\n\n\n\n

software tool<\/strong>
e-mail keylogger:sc-keylog,\u7528\u8907\u88fd\u8cbc\u4e0a\u7684\u8cc7\u6599\u4e5f\u6703\u8a18\u9304,\u53ef\u9060\u7aef\u5b89\u88dd\u6b64\u7a0b\u5f0f,\u53efemail\u56de\u5831
revealer keylogger
handy keylogger
ardamax keylogger
powered keylogger
elite keylogger
quick keylogger
spy-keylogger
perfect keylogger:\u652f\u63f4\u8f03\u591a\u7248\u672c,\u5305\u62ecmac,\u4e5f\u652f\u63f4screenshots
invisible keylogger
actual spy
spytector ftp keylogger:\u91dd\u5c0dftp
iks software keylogger
ghost keylogger:\u7db2\u8def\u9023\u7dda\u6642\u6703\u5373\u6642\u628a\u8cc7\u6599\u56de\u5831<\/p>\n\n\n\n

hard tool<\/strong>
hardware keylogger
keyboard keylogger
usb keylogger
ps:\u5167\u90e8\u4eba\u54e1\u6709\u8f03\u5927\u7684\u6a5f\u6703\u4f7f\u7528<\/p>\n\n\n\n

…<\/p>\n\n\n\n

sypware<\/strong>
\u7528\u4f86\u53d6\u5f97\u4ee5\u4e0b\u8cc7\u6599
keystorkes
email messages
chat
websites visited<\/p>\n\n\n\n

tool<\/strong>
spector: \u8a18\u9304\u4f7f\u7528\u8005\u884c\u70ba
remotespy
spytech spyagent:\u5716\u5f62\u754c\u9762
oo7 spy software
spybuddy: \u8a18\u9304\u7db2\u8def\u884c\u70ba
acespy
keystroke spy
activity monitor
eblaster:\u8a18\u9304\u76f8\u95dc\u884c\u70ba\u6a21\u5f0f
stealth voice recorder:\u53ef\u5b9a\u671f\u9304\u97f3\u4e26email\u56de\u5831
stealth keylogger
stealth website logger
digi-watcher video survillance:\u53ef\u9304\u5f71
desktop spy screen capture program: \u684c\u9762\u5b8c\u6574\u8a18\u9304,\u53efscreenshot,\u4e26\u5b58\u5728\u9060\u7aef
telphone spy:\u8a18\u9304ip phone
print monitor spy tool:\u76e3\u8996\u5370\u8868\u6a5f\u72c0\u614b
stealth email redirector
wiretap professional
flexispy
pc phonehome:\u4e0a\u7dda\u6642\u6703\u56de\u5831ip\u4f4d\u7f6e<\/p>\n\n\n\n

…<\/p>\n\n\n\n

countermeasures tool<\/strong>
anti-keylogger
anvanced antii keylogger
privacykeyboard:\u505a\u5728keyboard\u4e2d\u9593
spy hunter-spyware remover
spy sweeper:detects and removes more traces of spyware including trojans,adware,keyloggers,system monitoring tool
spyware terminator
wincleaner antispyware<\/p>\n\n\n\n

…………………………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………………………<\/p>\n\n\n\n

hiding files<\/strong><\/h2>\n\n\n\n

attrib:\u8a2d\u5b9ahide\u5c6c\u6027
rootkit:\u963b\u64cb\u56de\u5831\u7cfb\u7d71\u9054\u5230\u96b1\u85cf\u6548\u679c
ntfs ads<\/p>\n\n\n\n

…<\/p>\n\n\n\n

attrib\u7bc4\u4f8b
ex:
ATTRIB +S +H file
ATTRIB +H C:file<\/p>\n\n\n\n

…<\/p>\n\n\n\n

rootkit<\/strong>
hide processes from the process list, can hide files, registry entries, and intercept keystrokes.
primary objective of a rootkit:It replaces legitimate programs<\/p>\n\n\n\n

\u4e3b\u8981\u662ffile\u3001process\u3001system log\u7684\u96b1\u85cf\u6280\u8853\uff0c\u548cpacket\u3001keylogger\u7684\u6514\u622a\u7aca\u807d\u6280\u8853\u7b49 
Rootkit\u6280\u8853\u901a\u904e\u4fee\u6539\u9019\u4e9b\u8cc7\u6599\u7d50\u69cb\u4f86\u96b1\u85cf\u5176\u5b83\u7a0b\u5f0f\u7684process\u3001file\u3001network communcation\u548c\u5176\u5b83\u76f8\u95dc\u8cc7\u8a0a
ex:
\u4fee\u6539OS\u7684EPROCESS\u9023\u7d50\u4e32\u5217\u7d50\u69cb\u53ef\u96b1\u85cf\u884c\u7a0b
hook\u670d\u52d9\u547c\u53eb\u8868\u53ef\u96b1\u85cf\u6a94\u6848\u548c\u76ee\u9304
hook\u4e2d\u65b7\u63cf\u8ff0\u7b26\u8868\u53ef\u76e3\u807d\u9375\u76e4\u8f38\u5165
ps:
\u5f88\u591a\u6728\u99ac\u90fd\u7528\u9019\u4e9b\u6280\u8853\uff0c\u56e0\u6b64\u6728\u99ac\u4e5f\u53ef\u8996\u70baRootkit\u7684\u4e00\u7a2e
Rootkit\u4e00\u8a5e\u6700\u65e9\u51fa\u73fe\u5728Unix\u4e0a\u3002Attacker\u70ba\u4e86\u53d6\u5f97root\u6b0a\u9650\uff0c\u6216\u6e05\u9664\u5165\u4fb5\u8a18\u9304\uff0c\u6703\u91cd\u65b0compiler\u4e00\u4e9b\u6307\u4ee4\u5de5\u5177\uff0c\u4e5f\u7a31\u70bakit\uff0c\u50cf\u662f\u91cd\u505aps\u3001netstat\u3001passwd\u7b49\u5de5\u5177 
rootkit \u5728unix\u7cfb\u7d71\u8f03\u9ebb\u7169,\u56e0unix\u53ef\u76f4\u63a5\u63dbkernel,\u53ef\u63db\u6210\u542brootkit\u7684kernel,\u96e3\u4ee5\u5075\u6e2c<\/p>\n\n\n\n

rootkit tool<\/strong>
fu
afx
nuclear
vanquish<\/p>\n\n\n\n

rootkit countermeasures<\/strong>
\u5b9a\u671f\u5099\u4efd\u8cc7\u6599
\u5b89\u88dd\u6642\u505a\u8a18\u9304
\u4f7f\u7528patchfinder
\u4f7f\u7528 rootkitrevealer<\/p>\n\n\n\n

rootkit detection tool:<\/strong>
blacklight
rootkitrevealer
malicious software removal tool
PC Hunter
gMER
Rootkit Unhooker
IceSword
Kernel Detective
XueTr<\/p>\n\n\n\n

rootkit detection common function summary for below:<\/strong>
Hidden processes, hidden DLLs, hidden threads, hidden kernel drivers, hidden services, hidden files, and hidden Registry keys
Alternate data stream
Import Address Table (IAT) hooks, Export Address Table (EAT) hooks, and inline hooks
System Service Dispatch Table (SSDT) hooks
Interrupt Descriptor Table (IDT) hooks
Hooked I\/O Request Packet (IRP) routines in kernel drivers
Suspicious modifications of the Master Boot Record (MBR)
Suspicious layered drivers or attached devices
Drivers whose entry points land in suspicious PE sections, such as the .rsrc section. This indicates a rootkit may have patched the driver on disk.
Processes with mismatched section permissions (for example, an executable .rdata section)<\/p>\n\n\n\n

If a rootkit is discovered
you will need to reload from known good media. This typically means performing a complete reinstall<\/p>\n\n\n\n

…<\/p>\n\n\n\n

ADS(alternate data streaming)<\/strong>
\u4f5c\u7528\u5728NTFS\u683c\u5f0f\u4e0a
\u53efhide file
\u5c07a\u6a94\u6848\u9644\u52a0\u5728b\u6a94\u6848\u4e0a,\u800c\u4e14b\u6a94\u6848\u5927\u5c0f\u4e0d\u8b8a<\/p>\n\n\n\n

how to create ntfs steam<\/strong>
1 to move the contents of trojan.exe to readme.txt
ex:type c:trojan.exe > c:readme.txt:trojan.exe
2 to execute the trojan.exe inside readme.txt
ex:start c:readme.txt:trojan.exe
3 extract the trojan.exe from readme.txt
ex:cat c:readme.txt:trojan.exe > trojan.exe<\/p>\n\n\n\n

\u907f\u514dads countermeasures<\/strong>
\u4e0d\u4f7f\u7528ntfs,\u4f7f\u7528fat<\/p>\n\n\n\n

ntfs stream detectors tool:
ads spy
ads tools<\/p>\n\n\n\n

usb dumper:hacking tool<\/p>\n\n\n\n

…………………………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………………………<\/p>\n\n\n\n

steganography<\/strong><\/h2>\n\n\n\n

hiding of a secret message within an ordinary message and the extration of it at its destination
\u901a\u5e38\u96b1\u85cf\u5728\u5716\u7247\u4e2d<\/p>\n\n\n\n

steganography tool:<\/strong>
\u7279\u7570\u6027\u9ad8,\u96b1\u85cf\u8cc7\u6599\u7684\u5de5\u5177\u53ea\u6709\u8a72\u5de5\u5177\u53ef\u89e3
merge streams: \u5c07\u6587\u5b57\u8207\u53e6\u5916\u4e00\u500b\u6a94\u6848\u5408\u5728\u4e00\u8d77,\u53ea\u80fd\u5408\u4f75word\u548cexcel
invisible folders:\u9078\u64c7\u67d0\u4e00\u500b\u6a94\u6848\u96b1\u85cf
invisible secrets:hide file\u548cunhide file,\u4ee5\u53ca\u5176\u4ed6\u529f\u80fd
image hide
stealth files
steganography
masker steganography tool
hermetic stego
dcpp
camera\/shy:\u85cf\u5728gif
www.spammimic.com:online\u5de5\u5177,\u96b1\u85cf\u6587\u5b57
mp3stego: \u5229\u7528\u97f3\u6a02\u683c\u5f0f
snow.exe:hide the data on the cd’s and usb flash drivers
fortknox
blindside
s-tools
steghide
steganos
pretty good envelop
gifshuffle
jphide,jpseek
wbstego
outguess
data stash
hydan
cloak
steganote
stegomagic
steganos security suite
sams big play maker
video steganography:\u5c07\u8cc7\u6599\u653e\u5165\u5f71\u50cf<\/p>\n\n\n\n

detect steganography<\/strong>
steganalysis tools
stegdetect:\u5075\u6e2c\u85cf\u5728\u5716\u7247\u4e2d\u7684\u96b1\u85cf\u8cc7\u6599
sids(stego intrusion detection system)
high level view
stego watch-steg
stegspy<\/p>\n\n\n\n

…………………………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………………………<\/p>\n\n\n\n

covering tracks<\/strong>
disabling auditing
ex:auditpol
clearing event log
ex:dumpel<\/p>\n\n\n\n

windows log<\/strong>
\u5b89\u5168\u65e5\u8a8c:%winsystem%\\system32\\config\\Secevent.evt
ps:brute force log\u6703\u5728secevent.evt\u51fa\u73fe
\u61c9\u7528\u7a0b\u5f0f\u65e5\u8a8c:%winsystem%\\system32\\config\\AppEvent.evt
\u7cfb\u7d71\u65e5\u8a8c:%winsystem%\\system32\\config\\SysEvent.evt<\/p>\n\n\n\n

tool<\/strong>
elsave.exe:\u53ef\u6e05 log\u6a94\u6848
winzapper
evidence eliminator:\u91dd\u5c0d\u6b77\u53f2\u8a18\u9304\u505a\u6e05\u9664,\u53ef\u505a\u975e\u5e38\u5b8c\u6574\u7684format
traceless:\u91dd\u5c0d\u7db2\u9801\u700f\u89bd\u8a18\u9304
tracks eraser pro
armor tools
zerotrack<\/p>\n","protected":false},"excerpt":{"rendered":"

hacking cycle1 enumeration\u5217\u51faus …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[39],"tags":[],"class_list":["post-415","post","type-post","status-publish","format-standard","hentry","category-concept"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/415","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=415"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/415\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=415"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=415"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=415"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}