Hacker/Intruder: Introduction to Intrusion
Second-year PhD student 888311, 李鎮宇
Outline: Introduction; Unix password decryption; Buffer overflow attack; Trojan horse; Conclusion
Introduction
Oversight (human error): password decryption (Unix/Win)
System vulnerability: buffer overflow attack (IIS vulnerability)
Inveiglement (deception): Trojan horse
Unix Password decryption
Get the password file: /etc/passwd or passwd.OLD
Example entry: sirhack:89fGc%^7&a:100:100:Sir Hackalot:/usr/sirhack:/bin/sh
Fields: username:password:UserID:GroupID:description (or real name):homedir:shell
DES one-way encryption: Password -> DES Encryption -> Cipher password -> kept in the system
Unix Password decryption
The UNIX password field holds 8 characters and 95 different characters can be typed, so a brute-force search needs:
(95^8 + 95^7 + 95^6 + ... + 95^1) = 6.70478095451712e+15 (attempts)
Dictionary attack: Dictionary -> DES Encryption -> Cipher password (CP') -> Matching against the stored Cipher password (CP)
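As an added example (not from the slides), the arithmetic above and the dictionary-matching loop in Python: it parses passwd records into the seven fields listed earlier, counts the brute-force candidate space for 95 characters and lengths 1..8, and audits constructed sample accounts against a small wordlist. The DES crypt() step is replaced by a SHA-256 stand-in (an assumption, so the code runs offline on any interpreter); the accounts and wordlist are constructed, not real.

```python
import hashlib
from typing import Dict, Iterable, List, Optional

PRINTABLE_CHARS = 95   # typable characters per position, as in the slide
FIELD_LENGTH = 8       # classic Unix password field length

def brute_force_space(alphabet: int = PRINTABLE_CHARS, max_len: int = FIELD_LENGTH) -> int:
    """Candidates for every length 1..max_len: 95^8 + 95^7 + ... + 95^1."""
    return sum(alphabet ** n for n in range(1, max_len + 1))

PASSWD_FIELDS = ["username", "password", "uid", "gid", "description", "homedir", "shell"]

def parse_passwd_line(line: str) -> Dict[str, str]:
    """Split one /etc/passwd record into its seven colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(PASSWD_FIELDS):
        raise ValueError(f"expected {len(PASSWD_FIELDS)} fields: {line!r}")
    return dict(zip(PASSWD_FIELDS, fields))

def one_way_hash(salt: str, password: str) -> str:
    """Stand-in for crypt(3)'s salted DES one-way function (assumption: salt +
    SHA-256(salt || password) so the example runs offline on any interpreter)."""
    return salt + hashlib.sha256((salt + password).encode()).hexdigest()

def dictionary_audit(entry: Dict[str, str], wordlist: Iterable[str]) -> Optional[str]:
    """Hash each candidate word the way the system did (same salt) and compare
    it with the stored cipher password CP; return the word if CP' == CP."""
    stored = entry["password"]
    salt = stored[:2]                       # the first two characters are the salt
    for word in wordlist:
        if one_way_hash(salt, word) == stored:
            return word
    return None

# Constructed sample records (not real accounts): the slide's example user with a
# wordlist password, and a second user whose password is not in the wordlist.
SAMPLE_PASSWD = [
    "sirhack:" + one_way_hash("89", "hackalot") + ":100:100:Sir Hackalot:/usr/sirhack:/bin/sh",
    "alice:" + one_way_hash("Q7", "Tr0ub4dor&3") + ":101:101:Alice:/usr/alice:/bin/sh",
]
SAMPLE_WORDLIST = ["password", "letmein", "hackalot", "qwerty"]

def audit_all(lines: Iterable[str], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Map each username to the dictionary word that reproduces its CP, or None."""
    return {e["username"]: dictionary_audit(e, wordlist)
            for e in map(parse_passwd_line, lines)}

if __name__ == "__main__":
    print(f"brute-force candidates: {brute_force_space():.14e}")   # 6.70478095451712e+15
    print(audit_all(SAMPLE_PASSWD, SAMPLE_WORDLIST))
```

The audit shows why a one-way hash alone does not protect a dictionary word: the salt only forces the attacker to recompute per account, it does not hide a weak password.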
Buffer Overflow Attack
Control the EIP value by means of a buffer overflow.
Calculate the predicted program counter value to feed into EIP.
Buffer overflow -> EIP is loaded with the wrong value; the program counter jumps to the new address and execution continues there.
Buffer Overflow Attack (deliberately vulnerable demonstration program: it reads bo.txt.code and copies 255 bytes into an 80-byte stack buffer)

#include <windows.h>
#include <stdio.h>
#include <string.h>   /* strcpy */

/* Vulnerable on purpose: strcpy() never checks that s fits in the 80-byte buffer. */
void overflow(char *s, int size) {
    char buffer[80];
    s[size] = 0;          /* NUL-terminate the input after size bytes */
    strcpy(buffer, s);    /* overflows buffer (and the saved EIP) when size > 79 */
}

int main(void) {
    FILE *file;
    char buf[300];
    LoadLibrary("msvcrt.dll");
    file = fopen("bo.txt.code", "rb");
    if (file != NULL) {
        fread(buf, sizeof(char), 255, file);   /* up to 255 attacker-controlled bytes */
        overflow(buf, 255);
        fclose(file);
    }
    return 0;
}
Buffer Overflow Attack: Winamp 2.62/2.64
The program overflows while handling the "#EXTINF:" field of an M3U playlist:
#EXTM3U
#EXTINF:AAAAAAAAA....AAAAAAAAA<cr><lf>   (more than 280 A's)
HTML references to the playlist: <A HREF="ATTACK.M3U"><BGSOUND SRC="ATTACK.M3U"><EMBED SRC="ATTACK.M3U">
Other examples: Outlook Express (a field value), IIS printer (the printer name).
Trojan horse: What is a Horse?
A client/server program used for system control/monitoring and remote access, built to hide (slink).
Diagram: Intruder (client) <-> Victim (server, listening on a port)
Trojan horse: How a Horse hides (slinks)
Invisible window: Form.Visible = False, Form.ShowInTaskBar = False
Hidden from the task list (Windows 9x API):
Public Declare Function RegisterServiceProcess Lib "kernel32" (ByVal dwProcessId As Long, ByVal dwType As Long) As Long
Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Auto-start locations: Registry, win.ini, system.ini
Listening port
Driver, DLL and ICMP
Trojan horse: How a system ends up with a Horse
Attached files
Web trick/trap
221 (Two To One): one normal program combined with one horse
Unauthorized use / shared usage
Attack: buffer overflow attack (BOA), IIS vulnerability
Trojan horse: ICMP Horse (without a port)
Uses the Internet Control Message Protocol (Ping...) instead of a listening port.
Diagram: Invader <-> Victim via Ping
Conclusion: the one who knows bullies the one who does not.