Hacker’s Strategies Revealed WEST CHESTER UNIVERSITY Computer Science Department Yuchen Zhou March 22, 2002



Requirements:

• Hardware:

- Two computers

- One hub

- Internet access

• Software:

- Windows 98/2000

- Trojan horse (Glacier 6.0)

- Sniffer (password monitor)

- Port scanner (Fluxay IV)

Case 1: Trojan Horse

• Suppose a Trojan horse (server.exe) has already been installed on computer A.

• One can execute a control program (client.exe) on computer B to control computer A.

Planting a Trojan Horse

• Direct execution of a Trojan horse

• Sent as an e-mail attachment

• Link an icon (as a “bait”) to a Trojan horse

• Guess a user's password and then use remote execution

Hacking Remotely

• Run a client program to control the compromised system remotely

[Screenshot: search dialog with fields for port, delay time, domain, and range (begin from / to); status “Searching...”, then “Victim found”]

All folders and files in computer A. We can copy, rename, run or delete them remotely.

Computer A’s basic information

System information of computer A.

Password-related commands

Control-related commands

Network-related commands

All the passwords in computer A's cache.

Password in cache

Monitoring computer A’s screen

Controlling Computer A’s screen

Other operations you can use to control computer A

• Find/copy/delete files from computer A

• Share a directory

• Kill a process

• Change the registry

• Record the keyboard

• Shut/restart the computer

All commands we can use

Case 2: Sniff a Password

• If computer A transmits data frames to a server machine D over an Ethernet, every computer will receive a copy.

• Only computer D should accept them; the others should discard the data frames.

• However, a sniffer running on machine B or C receives and analyzes them even though B or C is not the destination.

[Screenshot: sniffer window showing the URL computer A is visiting, username, password, computer A’s IP address, log-on time, and the NIC being monitored]

When a password is detected, it is displayed here.

This file is named “webfilter.txt”; “pwmonitor” needs this file to identify the URLs. That is to say, passwords can be sniffed only when the URL computer A is visiting is in this filter file. Because this sniffer was created in China, most of the URLs are located in China, but we can find yahoo.com here.

Case 3: Hack a Server

• Computer A is a server, B is a client

• Scan the ports of computer A

• Guess the password of admin

• After the computer is compromised, a hacker can plant backdoor software on the server and execute it remotely.

[Screenshot: scanner settings showing hosts’ type, username, password, and hosts]

Fluxay is the most popular port scanner used in China these days. It scans all the services (ports) that the servers provide; once it finds a certain service (FTP, telnet...), it will try to find the users and guess the passwords...

[Screenshot: scan dialog with fields Scan from / to, Host type, Guess password, and Display password if found; status “Scanning...”]

Now we have the password.

The Administrator account on computer 144.26.30.40 is “TopTooler” and the password is “toptooler”, so we can establish an IPC connection.

password

Using this command, we can log on to the server as an administrator.

Then copy a Trojan horse to the server

The Trojan horse will be started automatically at 13:50 p.m. on the server.
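Case 3 succeeds because the Administrator password (“toptooler”) is just the account name in lower case. The check below is an added example, not part of the original slides: a password-set filter that rejects passwords derived from the account name. The function names, the substitution table and every sample account except the TopTooler pair are assumptions made for illustration.

```python
import re
import string

# Common substitutions undone before comparing (an assumed, non-exhaustive set).
LEET = str.maketrans("013457@$!", "oleastasi")

def letters(text):
    """Keep only the letters a-z of an already lower-cased string."""
    return re.sub(r"[^a-z]", "", text)

def password_variants(password):
    """Letter-only forms of the password, with and without padding and substitutions."""
    low = password.lower()
    trimmed = low.strip(string.digits + string.punctuation)
    forms = {letters(s) for s in
             (low, trimmed, low.translate(LEET), trimmed.translate(LEET))}
    return forms - {""}

def account_tokens(username):
    """The account name, its separated parts (3+ letters), and their reversals."""
    low = username.lower()
    tokens = {letters(low)} | {p for p in re.split(r"[^a-z]+", low) if len(p) >= 3}
    tokens |= {t[::-1] for t in tokens}
    return tokens - {""}

def derived_from_account(username, password):
    """True if the password is the account name disguised by case, padding,
    character substitution, reversal or doubling."""
    tokens = account_tokens(username)
    return any(v == t or v == t * 2
               for v in password_variants(password) for t in tokens)

def audit(accounts):
    """Return the usernames whose proposed password should be rejected.
    Intended for password-set time, when the plaintext is available."""
    return [user for user, pw in accounts if derived_from_account(user, pw)]

# First pair is the one shown in the slides; the rest are constructed samples.
SAMPLE = [
    ("TopTooler", "toptooler"),
    ("TopTooler", "T0pT00ler!2002"),
    ("backup.svc", "Backup123"),
    ("jsmith", "Vq7#mLz9!pRw"),
]

if __name__ == "__main__":
    for user in audit(SAMPLE):
        print("reject: password derived from account name:", user)
```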