Hacker/Intruder 入侵簡介

博二888311 李鎮宇

Outline Introduction Unix Password decryption Buffer Overflow Attack Trojan horse/Horse Conclusion

Introduction Oversight( 人為疏忽 )

Password decryption. (Unix/Win) System vulnerability ( 系統漏洞 )

Buffer Overflow Attack( 緩衝區溢位 ) (IIS vulnerability)

Inveiglement( 誘騙 ) Trojan horse( 木馬 )

Unix Password decryption Get password file.

/etc/passwd or passwd.OLD sirhack:89fGc%^7&a:100:100:Sir Hackalot:/usr/sirhack:/bin/sh username:password:UserID:GroupID:description(or real name):hom

edir:shell

DES one-way encryption

PasswordDES

EncryptionCipherpassword

KeepInSystem

Unix Password decryption

UNIX 密碼欄位使用 8 個字元，而可輸入字元有 95 個，所以暴力法就需要：

(95^8+95^7+95^6+95^7+95^6+.....+95^1) =6.70478095451712e+15 （次）

CipherPassword(CP)

DictionaryDES

Encryption

CipherPassword(CP’)

Matching

Buffer Overflow Attack Control the EIP value cause of Buffer

Overflow.

Calculate the predict program counter to feed EIP.

Buffer Overflow -> EIP value miss load. Program Counter jump to new address

and keep running.

Buffer Overflow Attack #include <windows.h>

#include <stdio.h> void overflow(char *s,int size) {

char buffer[80]; s[size]=0;

strcpy(buffer,s); }

int main ( ) {

FILE *file; char buf [300]; LoadLibrary( "msvcrt.dll" ); file = fopen("bo.txt.code","rb"); if( file!=NULL ) { fread(buf,sizeof(char),255,file);

overflow(buf,255); fclose(file); } }

Buffer Overflow Attack

Buffer Overflow Attack

Buffer Overflow Attack

Buffer Overflow Attack

Buffer Overflow Attack Winamp 2.62\2.64

程式在處理 M3U 清單裡面的“ #EXTINF:” 欄位 . #EXTM3U

#EXTINF:AAAAAAAAA....AAAAAAAAA<cr><lf> >280 個 A

<A HREF="ATTACK.M3U"><BGSOUND SRC="ATTACK.M3U"><EMBED SRC="ATTACK.M3U">

Outlook Express Field value.

IIS printer Printer name.

Trojan horse/Horse What is Horse

Client/server program System control/monitor Remote access Hide/slink

ServerClient

IntruderIntruder

VictimVictimPort

Trojan horse/Horse How Horse hide/Slink.

Form.Visible=False, Form.ShowInTaskBar=False,

Public Declare Function RegisterServiceProcess Lib "kernel32“() As Long

Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long

Registry, win.ini, system.ini

Port

Driver, DLL and ICMP.

Trojan horse/Horse How system EARN a Horse.

Attach files. Attach files Web trick/trap 221(Two To One)combine one normal program and

one horse. un-authorization/share usage.

un-authorization usage share usage

Attack BOA IIS vulnerability

Trojan horse/Horse ICMP Horse(without port) (Internet Control Message Protocol) Ping…

InvaderInvader

VictimVictim

Ping

Conclusion Known one bully ignorant one