
📄 ntsec.html

  <b>&lt;Cypher&gt;</b> (command prompt)<br>

  <b>&lt;Cypher&gt;</b> so a malicious hax0r could<br>

  <b>&lt;The_Duke247&gt;</b> lol@hax0r<br>

  <b>&lt;Cypher&gt;</b> execute something by using the following string:<br>

  <b>&lt;Cypher&gt;</b> domain/scripts/yadayadayada.bat?&amp;command1+?&amp;command2+?&amp;..........<br>

  <b>&lt;Cypher&gt;</b> and it will be executed as batch commands<br>

  <font color="#ff0000">*** Cypher sets mode: -m</font><br>

  <b>&lt;Cypher&gt;</b> go go go :)<br>

  <b>&lt;m0ded&gt;</b> hehe<br>

  <b>&lt;Slayer&gt;</b> yeah<br>

  <b>&lt;snider&gt;</b> lol<br>

  <b>&lt;dr3x&gt;</b> It would run in system context (root)?<br>

  <font color="#ff0000">*** Cypher sets mode: +v snider</font><br>

  <b>&lt;m0ded&gt;</b> plx devoice The_Duke when u have +m<br>

  <b>&lt;Slayer&gt;</b> cypher u are the man<br>

  <b>&lt;Cypher&gt;</b> m0ded, fine<br>

  <b>&lt;The_Duke247&gt;</b> whhhy ?<br>

  <b>&lt;m0ded&gt;</b> he keeps talking<br>

  <b>&lt;The_Duke247&gt;</b> what ?<br>

  <b>&lt;Cypher&gt;</b> any questions/comments/corrections/suggestion/yada_yada_yada?<br>

  <b>&lt;Cypher&gt;</b> The_Duke247, nm it now<br>

  <b>&lt;dr3x&gt;</b> Would the batch run with root privs?<br>

  <b>&lt;Cypher&gt;</b> dr3x, it will run with system privs<br>

  <b>&lt;The_Duke247&gt;</b> shouldn't the question be would it run without ?<br>

  <b>&lt;Cypher&gt;</b> no, it wouldn't<br>

  <b>&lt;Cypher&gt;</b> the ? delivers the params<br>

  <b>&lt;dr3x&gt;</b> k<br>

  <b>&lt;m0ded&gt;</b> its something like phf<br>

  <b>&lt;The_Duke247&gt;</b> no, ? was part of my own question<br>

  <font color="#ff0000">*** syfilis84 has joined #bsrf</font><br>

  <b>&lt;The_Duke247&gt;</b> not syntax lol<br>

  <b>&lt;Cypher&gt;</b> but (hate to disappoint ya) it was fixed and patched by Billy :)<br>

  <font color="#ff0000">*** syfilis84 has left #bsrf</font><br>

  <b>&lt;snider&gt;</b> ouch, nice nick.. syfilis<br>

  <b>&lt;Slayer&gt;</b> grr<br>

  <b>&lt;Cypher&gt;</b> let me now explain what exactly happens and why<br>

  <b>&lt;Cypher&gt;</b> (in that issue)<br>

  <b>&lt;Cypher&gt;</b> so it goes like das: /scripts/lalala.bat?&amp;dir+c:\+?&amp;time<br>

  <b>&lt;Noon_Ghunna&gt;</b> cypher u reading some book? :)<br>

  <b>&lt;QX-Mat&gt;</b> hey, keep him away!<br>

  <b>&lt;Cypher&gt;</b> then the following occurs<br>

  <b>&lt;Cypher&gt;</b> Noon_Ghunna, i made notes to myself earlier :)<br>

  <b>&lt;Cypher&gt;</b> i can't remember everything :)<br>

  <b>&lt;QX-Mat&gt;</b> I hear that syfilis.... oh god I had sex ed only last week!<br>

  <b>&lt;Cypher&gt;</b> so<br>

  <b>&lt;The_Duke247&gt;</b> gotta run... my errr bath is overflowing?<br>

  <b>&lt;The_Duke247&gt;</b> :)<br>

  <b>&lt;The_Duke247&gt;</b> ciao boys and girls<br>

  <b>&lt;Cypher&gt;</b> later<br>

  <b>&lt;m0ded&gt;</b> bye<br>

  <b>&lt;m0ded&gt;</b> go on<br>

  <b>&lt;Cypher&gt;</b> i'm continuing<br>

  <font color="#ff0000">*** Cypher sets mode: -v The_Duke247</font><br>

  <font color="#ff0000">*** aragorn has quit IRC (Quit: Leaving)</font><br>

  <font color="#ff0000">*** The_Duke247 has quit IRC (Quit: Leaving)</font><br>

  <b>&lt;Cypher&gt;</b> the first thing is the browser asks u to save the doc or view it with a viewer<br>

  <font color="#ff0000">*** head__ has joined #bsrf</font><br>

  <b>&lt;Cypher&gt;</b> then it starts a download session<br>

  <b>&lt;m0ded&gt;</b> downloading what?<br>

  <b>&lt;Cypher&gt;</b> the file<br>

  <b>&lt;Cypher&gt;</b> e.g. &quot;Save or Open&quot;<br>

  <b>&lt;Cypher&gt;</b> u know<br>

  <b>&lt;Cypher&gt;</b> lalalal.bat<br>

  <b>&lt;m0ded&gt;</b> yeah<br>

  <b>&lt;QX-Mat&gt;</b> I can type with my nose! Look. .s<br>

  <b>&lt;Cypher&gt;</b> u click &quot;cancel&quot; but it never terminates cause u used the &quot;time&quot; command :)<br>

  <b>&lt;QX-Mat&gt;</b> h;lkl:<br>

  <b>&lt;snider&gt;</b> hmm, maybe +m would help<br>

  <font color="#ff0000">*** Cypher sets mode: +m</font><br>

  <b>&lt;Cypher&gt;</b> oh, and _nothing_ is logged on the server<br>

  <b>&lt;Cypher&gt;</b> cause it was never terminated<br>

  <b>&lt;Cypher&gt;</b> the only way is to check ALL the security logs<br>

  <b>&lt;Cypher&gt;</b> which is a veeery long thing on a large network<br>

  <b>&lt;Cypher&gt;</b> and we know, that admins hate logs ;-)<br>

  <b>&lt;Cypher&gt;</b> that's their default state of mind<br>

  <b>&lt;Cypher&gt;</b> so, in conclusion, the hax0r (e.g. script kiddie) could execute his malicious code like das<br>

  <font color="#ff0000">*** zzorro has joined #bsrf</font><br>

  <b>&lt;Cypher&gt;</b> and of course there are no *.bat files in the /scripts dir, but windows mapped it<br>

  <font color="#ff0000">*** Rockin_lad has quit IRC (Ping timeout)</font><br>

  <b>&lt;Cypher&gt;</b> so it &quot;gotta&quot; use it :)<br>

  <font color="#ff0000">*** zzorro has left #bsrf</font><br>

  <b>&lt;Cypher&gt;</b> that ends it for this exploit<br>

  <font color="#ff0000">*** Cypher sets mode: -m</font><br>

  <b>&lt;Cypher&gt;</b> q?<br>

  <b>&lt;m0ded&gt;</b> nope<br>

  <b>&lt;snider&gt;</b> yes<br>

  <font color="#ff0000">*** drednought has joined #bsrf</font><br>

  <b>&lt;Cypher&gt;</b> shoot snid<br>

  <b>&lt;snider&gt;</b> is input validation and wrong file permissions all there is to ISS vulns?<br>

  <b>&lt;snider&gt;</b> IIS*<br>

  <b>&lt;Cypher&gt;</b> hey drednought. we're having a lecture here, you're welcome to join in<br>

  <font color="#ff0000">*** zzorro has joined #bsrf</font><br>

  <b>&lt;zzorro&gt;</b> ol&aacute;<br>

  <b>&lt;Cypher&gt;</b> snider, nah, its just plain old stupidity also :)<br>

  <b>&lt;Cypher&gt;</b> hey zzorro<br>

  <b>&lt;zzorro&gt;</b> io<br>

  <b>&lt;zzorro&gt;</b> dd tc?<br>

  <b>&lt;drednought&gt;</b> thanks<br>

  <b>&lt;snider&gt;</b> what about bufferoverflows in IIS?<br>

  <b>&lt;snider&gt;</b> or other stuff alike<br>

  <b>&lt;Cypher&gt;</b> but we don't want that now, do we?<br>

  <b>&lt;Slayer&gt;</b> yes<br>

  <b>&lt;snider&gt;</b> okay<br>

  <b>&lt;Slayer&gt;</b> lol<br>

  <b>&lt;Cypher&gt;</b> next thing on the chapter - FrontPage-Server Extensions-based IIS holes<br>

  <b>&lt;snider&gt;</b> wee<br>

  <b>&lt;snider&gt;</b> :)<br>

  <b>&lt;Cypher&gt;</b> Frontpage is one hell of a program when it comes to security.... ;-)<br>

  <b>&lt;head__&gt;</b> Cypher: sure is true ;)<br>

  <b>&lt;Cypher&gt;</b> it has something like ZERO security features<br>

  <b>&lt;Cypher&gt;</b> not to mention, its a lousy editor :)<br>

  <b>&lt;m0ded&gt;</b> yup<br>

  <b>&lt;snider&gt;</b> and Frontpage-server is also an IIS webserver app?<br>

  <b>&lt;Noon_Ghunna&gt;</b> Frontpage is one hell of a program when it comes to security &lt;--- and web page making too :)<br>

  <b>&lt;Cypher&gt;</b> its a server extension<br>

  <b>&lt;Cypher&gt;</b> <b>[Cypher]</b> not to mention, its a lousy editor :)<br>

  <font color="#ff0000">*** zzorro has quit IRC (Quit: Leaving)</font><br>

  <b>&lt;Cypher&gt;</b> FP has caused many problems to IIS<br>

  <font color="#ff0000">*** Rockin_lad has joined #bsrf</font><br>

  <b>&lt;Noon_Ghunna&gt;</b> Cypher! is FP a webserver too?<br>

  <b>&lt;m0ded&gt;</b> yeah<br>

  <b>&lt;Cypher&gt;</b> no, an extension (add-on)<br>

  <b>&lt;m0ded&gt;</b> no<br>

  <b>&lt;snider&gt;</b> no, he just said that<br>

  <b>&lt;m0ded&gt;</b> heh<br>

  <b>&lt;Cypher&gt;</b> lol@m0ded<br>

  <b>&lt;QX-Mat&gt;</b> FP Exploits..... we gonna be here for ever!<br>

  <b>&lt;snider&gt;</b> cypher, please go on :)'<br>

  <b>&lt;Cypher&gt;</b> FP &quot;throws&quot; all kind of dirs to your web, in the form of: _vti_xxx<br>

  <b>&lt;drednought&gt;</b> are you talking about local security problems or remote?<br>

  <b>&lt;Cypher&gt;</b> QX-Mat, just the basics<br>

  <b>&lt;Cypher&gt;</b> remote<br>

  <b>&lt;QX-Mat&gt;</b> ah<br>

  <b>&lt;Cypher&gt;</b> (now)<br>

  <b>&lt;Cypher&gt;</b> FP sometimes gets so stupid it actually _shows_ you its _own_ password file... imagine that....<br>

  <b>&lt;snider&gt;</b> passwords to do what=<br>

  <b>&lt;zar&gt;</b> Did i make it for the lecture??????<br>

  <b>&lt;snider&gt;</b> ?<br>

  <b>&lt;Rockin_lad&gt;</b> hey zar , wuz up ?<br>

  <b>&lt;Cypher&gt;</b> for example, if directory browsing is allowed, and proper permission not set (not NTFS for example)<br>

  <b>&lt;zar&gt;</b> just woke up :)<br>

  <b>&lt;Cypher&gt;</b> the user could get the file list of the dir<br>

  <b>&lt;Cypher&gt;</b> a known password file: domain/_vti_pvt/service.pwd<br>

  <b>&lt;Cypher&gt;</b> it is encrypted of course<br>

  <font color="#ff0000">*** QX-Mat is now known as QX</font><br>

  <b>&lt;zar&gt;</b> @#$%ing daylight savings time<br>

  <b>&lt;Cypher&gt;</b> (FP is not _that_ dumb)<br>

  <b>&lt;Cypher&gt;</b> but with standard DES<br>

  <b>&lt;snider&gt;</b> hehe<br>

  <b>&lt;snider&gt;</b> what are the passwords used for?<br>

  <b>&lt;Cypher&gt;</b> which will make no prob usually<br>

  <b>&lt;Cypher&gt;</b> snider, u don't know what to do with passwords?? man..... :-)<br>

  <font color="#ff0000">*** han has joined #bsrf</font><br>

  <b>&lt;QX&gt;</b> the passwords are created using the crypt() command<br>

  <b>&lt;snider&gt;</b> no i mean, are they access passwords for the NT system?<br>

  <b>&lt;QX&gt;</b> no<br>

  <b>&lt;Cypher&gt;</b> no<br>

  <b>&lt;Cypher&gt;</b> web ones<br>

  <b>&lt;Cypher&gt;</b> another exploit (in case u find anony ftp writable and fp extensions, of course)<br>

  <b>&lt;Cypher&gt;</b> u could upload a file to the _vti_bin dir<br>

  <b>&lt;QX&gt;</b> cos it's public!<br>

  <b>&lt;Cypher&gt;</b> and issue the following: domain/_vti_bin/your_file<br>

  <b>&lt;snider&gt;</b> im still baffled about this &quot;web passwords&quot; thing..<br>

  <b>&lt;Cypher&gt;</b> and the server will be glad to execute your malicious file :)<br>

  <font color="#ff0000">*** han has quit IRC (Quit: Leaving)</font><br>

  <b>&lt;Rockin_lad&gt;</b> wow, what a bug, unfortunately I'm still learnin ASP<br>

  <b>&lt;m0ded&gt;</b> Cypher the dir _vti_bin always exist through ftp?<br>

  <b>&lt;Rockin_lad&gt;</b> :)<br>

  <b>&lt;Cypher&gt;</b> snider, FP extensions have a password protection system for your web (FP is also a web manager)<br>

  <b>&lt;QX&gt;</b> mkfs_dos....<br>

  <b>&lt;dr3x&gt;</b> what kind of files can be executed in _vti_bin?<br>

  <b>&lt;Cypher&gt;</b> m0ded, depends on the permissions<br>

  <b>&lt;Cypher&gt;</b> we are not talking on how to get it ther<br>

  <b>&lt;Cypher&gt;</b> e<br>

  <b>&lt;Cypher&gt;</b> i'm saying that it'll be executed<br>

  <b>&lt;snider&gt;</b> okay, and by web manager you mean that you can upload through it?<br>

  <b>&lt;Cypher&gt;</b> dr3x, executable ones :)<br>

  <b>&lt;QX&gt;</b> Simple mime post<br>

  <b>&lt;Cypher&gt;</b> snider, it manages your site. the permissions, uploads, safety, passwords (e.g. permissions), etc.<br>

  <b>&lt;Cypher&gt;</b> when u have the password<br>

  <b>&lt;m0ded&gt;</b> u can deface it<br>

  <b>&lt;Cypher&gt;</b> u just go to your local (argh)<br>

  <b>&lt;Cypher&gt;</b> copy of FP<br>

  <b>&lt;Cypher&gt;</b> and logon<br>

  <b>&lt;Cypher&gt;</b> to the remote site<br>

  <font color="#ff0000">*** SteeLe has joined #bsrf</font><br>

  <b>&lt;QX&gt;</b> SAVE THIS MAN: http://www.elfqrin.com/elfcam.jpg<br>

  <b>&lt;m0ded&gt;</b> hehe<br>

  <b>&lt;snider&gt;</b> ahh i see..<br>

  <b>&lt;Cypher&gt;</b> hey SteeLe<br>

  <b>&lt;Cypher&gt;</b> you're a bit late for the lecture<br>

  <b>&lt;SteeLe&gt;</b> hi<br>

  <b>&lt;SteeLe&gt;</b> what lecture?<br>

  <b>&lt;Cypher&gt;</b> but no biggy, just two hours :)<br>

  <b>&lt;m0ded&gt;</b> heh<br>

  <b>&lt;m0ded&gt;</b> NT Security<br>

  <b>&lt;zar&gt;</b> lol<br>

  <b>&lt;SteeLe&gt;</b> aaahh the NT Security lecture<br>

  <b>&lt;SteeLe&gt;</b> I just remembered about it<br>

  <b>&lt;m0ded&gt;</b> yeah, remember?<br>

  <b>&lt;m0ded&gt;</b> ;p<br>

  <font color="#ff0000">*** SteeLe has quit IRC (Quit: 7th Sphere v3.0 &copy; 1997 7th Sphere Enterprises)</font><br>

  <b>&lt;Cypher&gt;</b> hehe<br>

  <b>&lt;Cypher&gt;</b> he went to his time machine :)<br>

  <b>&lt;m0ded&gt;</b> he left us<br>

  <font color="#ff0000">*** Megram has joined #bsrf</font><br>

  <b>&lt;m0ded&gt;</b> go on Cypher<br>

  <b>&lt;Cypher&gt;</b> i wanted to have a little war game at the end, but unfortunately i had
