Security against hacking: Lesson II "Scanning"

Discussion in 'IT Support' started by le3fou, 18 March 2006.

  1. le3fou (Visitor)

    In Lesson I we learned a set of concepts: what a hacker is, a cracker, footprinting, traceroute, nslookup, ARIN, "passive" and "active" reconnaissance, whois, TTL "time to live", ping "which uses the ICMP protocol"... etc.
    All of that falls within the scope of gathering information about the person who is the victim of the hacking: "Reconnaissance". If you haven't read that lesson yet, go read it first, then come back and read this one.

    After you have gathered information about the person you are going to attack comes the "Scanning" phase, or as I call it "finding the weaknesses in the victim's system, finding which ports are open, the windows that are easy to get in through, the services they are running, etc."

    Ready? Let's go, in God's name.

    Scanning has many, many techniques. We start with "finding out which systems or computers are up and running on the network we are targeting", i.e. "detecting live systems on target networks".

    Tools:
    War dialers
    Ping utilities

    So let's start with war dialers: as the name tells you, here you use programs that detect modems that have an opening, or take one phone number and through it identify the modem in use, in order to gain access to the system. Is that clear? Tools include:

    THC-scan: download here http://www.thc.org/releases.php
    Toneloc: download here http://www.canaudit.com/software.html
    TBA etc

    Ping, which is the second way of detecting live systems on the networks: ping sends an ICMP echo request and waits for an ICMP echo reply. For example, if you go to MS-DOS and do ping 64.85.127.16 and an ICMP reply comes back, that means the person who has this IP exists and is present on the internet. If the answer is negative, that means this person is not connected. So if you want to know, for example, how many computers are connected in some school, you ping the network IP.
    Now you will ask me what the difference is between a network IP and a computer IP. A network IP is for example 121.17.0.0; this network IP is class B, which a school, say, bought from an ISP "internet service provider" such as Maroc Telecom, and divided among the computers it has in its departments, its offices... So for example I would have 129.17.15.1, you would have 121.17.15.32 and someone else 121.17.25.4; in short, anything between 121.17.0-255.0-255... So instead of pinging each computer one by one, you would have to ping 65,000 hosts on each of 16,000 networks... and look at how much time that would take you... The solution is: Pinger, WS_Ping ProPack, NetScan Tools, HPing, icmpenum. If you want to go deeper into IP classes, class A, B, C, D, E, broadcasting, subnetting, supersubnetting, subnet masks... etc., we will open another topic about it... and God willing you will understand it well.. and here is a link if you want to understand more http://www.webopedia.com/TERM/I/IP_address.html

    The other software, if you want to download them, here they are:
    WS_PingProPack (www.ipswitch.com)
    NetScan Tools (www.nwpsw.com)
    Hping (http://www.hping.org/download.html)
    icmpenum (www.nmrc.org/files/sunix/icmpenum-1.1.1.tgz)

    Ping Sweep Detection Utilities include:

    Network based IDS (www.snort.org)
    Genius (www.indiesoft.com)
    BlackICE (www.networkice.com)
    Scanlogd (www.openwall.com/scanlogd)

    After you know who is connected, what is left to find out? The services those connected people are running :)
    And listening in or eavesdropping on these running hosts. That way you will find out the operating systems they run, the open ports "like saying the doors that are open for you to get in", and you will find out the protocols and the hosts that are blocked..etc...


    So you do "port scanning" on them.

    Before you learn how to do port scanning, you need to know how TCP "Transmission Control Protocol" works, and what we call the "TCP 3-way handshake". If you want the connection between your computer and a server to work, you have to establish the connection between the two, so first you send a "SYN request to the server": you tell the server hey, I want to make a connection with you.
    2- The server replies to you with "SYN/ACK", which means: hey, "ACK" which comes from acknowledgement, "I recognized you", and "SYN" is the message back saying it is ready to make a connection with you.
    3- The client replies with ACK, telling the server: OK, in God's name.

    Now let's get back to port scanning, but go drink a glass of water or a coffee and come back so your head stays with us :)

    So to get past your victim, do what a thief does: look at which doors are open, or windows, or whatever; that is, you do port scanning.

    Techniques:
    Vanilla
    Strobe
    Stealth
    FTP Bounce
    Fragmented Packets
    Sweep and UDP Scans

    Tools:
    Ipeye
    IpsecSCAN
    Netscan tools pro 2003
    SuperScan
    NMap "this one is very good"

    The links are available; whoever cannot find them on Google, say so and I will get them for you.

    Now if you want to know which operating system your victim runs, you do "active stack fingerprinting" on them, which works by scanning the target host "the victim's computer". "Passive stack fingerprinting" is also for finding out which operating system the victim runs, but it works by capturing the victim host's packets and studying them to find out which OS it runs... Why do we need to know which operating system our victim runs? Because each OS has its own characteristics, so Windows XP is not Windows NT, is not Linux, is not BSD..etc

    And here I advise you to work with active fingerprinting, which is more accurate, or as I say "more precise and correct", than passive fingerprinting.

    Tools:
    Cheops
    Sockschain "lets you work through SOCKS or HTTP proxies to hide your IP address."
    Proxy server "which is a network computer you connect through", so you hide behind someone else. These proxies are good against ads and hackers, you can connect many computers with one IP address, and it can also work for you as a firewall. Oh yes.
    Anonymizers are services that let you surf the web without being known... that way you ensure your privacy. And then let the cookies try to do something.

    Breaching the firewall using httptunnel, http://www.nocrew.org/software/httptunnel.html
    HTTPORT lets you break through the HTTP proxy that blocks you from the internet :) that way you can get in and use all these programs: email, mIRC, ICQ, news, ftp, AIM, or any SOCKS-capable software, from behind an HTTP proxy.

    We have reached the end of this lesson, and I hope you have learned a lot. In the next session we will deal with NETBIOS, Windows 2000 DNS information, CIFS/SMB, Active Directory..

    Your comments are welcome, and I am ready to answer any question related to what we covered here. Peace be upon you and God's mercy.
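    The two scan types this lesson describes (ICMP ping sweeps and TCP SYN port scans) seen from the defender's side, as an added example that is not part of the original post: a small detector in the spirit of the Scanlogd-style "ping sweep detection utilities" listed above, run over constructed tcpdump-like summary lines. The line format, the sample addresses and the thresholds are assumptions of this example; the handshake tracker follows the SYN, SYN/ACK, ACK steps explained in the lesson.

```python
"""Toy scan detector for the ping sweeps and SYN port scans in this lesson.
Added example, not from the original post; the tcpdump-style summary format
below is an assumption of this example:
    <ts> <proto> <src>[:<port>] > <dst>[:<port>] <flags|icmp-type>
"""
from collections import defaultdict

# Constructed sample traffic (no real network captured): an ICMP sweep from
# 10.0.0.9, a SYN scan of five ports from 10.0.0.7 where only port 22
# completes the handshake, and one normal connection from 10.0.0.5.
SAMPLE_LINES = """\
1.000 ICMP 10.0.0.9 > 121.17.15.1 echo-request
1.001 ICMP 10.0.0.9 > 121.17.15.2 echo-request
1.002 ICMP 10.0.0.9 > 121.17.15.3 echo-request
1.003 ICMP 10.0.0.9 > 121.17.15.4 echo-request
2.000 TCP 10.0.0.7:40001 > 121.17.15.32:21 S
2.001 TCP 10.0.0.7:40002 > 121.17.15.32:22 S
2.002 TCP 121.17.15.32:22 > 10.0.0.7:40002 SA
2.003 TCP 10.0.0.7:40002 > 121.17.15.32:22 A
2.004 TCP 10.0.0.7:40003 > 121.17.15.32:23 S
2.005 TCP 10.0.0.7:40004 > 121.17.15.32:25 S
2.006 TCP 10.0.0.7:40005 > 121.17.15.32:80 S
3.000 TCP 10.0.0.5:51000 > 121.17.15.32:80 S
3.001 TCP 121.17.15.32:80 > 10.0.0.5:51000 SA
3.002 TCP 10.0.0.5:51000 > 121.17.15.32:80 A
"""

def _split_addr(addr):
    host, _, port = addr.partition(":")
    return host, (int(port) if port else None)

def parse_line(line):
    """Parse one summary line into a dict (hosts, ports, flags or ICMP type)."""
    ts, proto, src, _arrow, dst, info = line.split()
    src_ip, sport = _split_addr(src)
    dst_ip, dport = _split_addr(dst)
    return {"ts": float(ts), "proto": proto, "src": src_ip, "sport": sport,
            "dst": dst_ip, "dport": dport, "info": info}

def detect_scans(lines, sweep_threshold=4, port_threshold=5):
    """Flag sources that ping many hosts (sweep) or SYN many ports of one host (scan)."""
    echo_targets = defaultdict(set)   # src -> hosts it sent echo-request to
    syn_ports = defaultdict(set)      # (src, dst) -> dst ports that saw a SYN
    for line in lines.strip().splitlines():
        p = parse_line(line)
        if p["proto"] == "ICMP" and p["info"] == "echo-request":
            echo_targets[p["src"]].add(p["dst"])
        elif p["proto"] == "TCP" and p["info"] == "S":
            syn_ports[(p["src"], p["dst"])].add(p["dport"])
    sweeps = {s: sorted(h) for s, h in echo_targets.items() if len(h) >= sweep_threshold}
    scans = {k: sorted(v) for k, v in syn_ports.items() if len(v) >= port_threshold}
    return {"ping_sweeps": sweeps, "port_scans": scans}

def handshake_states(lines):
    """Follow each connection through SYN -> SYN-ACK -> ESTABLISHED; a scan leaves most at SYN."""
    states = {}   # (client, client_port, server, server_port) -> last step reached
    for line in lines.strip().splitlines():
        p = parse_line(line)
        if p["proto"] != "TCP":
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["info"] == "S":
            states[fwd] = "SYN"
        elif p["info"] == "SA" and states.get(rev) == "SYN":
            states[rev] = "SYN-ACK"
        elif p["info"] == "A" and states.get(fwd) == "SYN-ACK":
            states[fwd] = "ESTABLISHED"
    return states
```

    Against the sample, `detect_scans` reports 10.0.0.9 as a ping sweep and 10.0.0.7 as a port scan of 121.17.15.32, while `handshake_states` shows four of the scanner's five connections stuck at SYN and the ordinary client's connection established.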
     
  2. rosée du matin (Addict)

    Re: Security against hacking: Lesson II "Scanning"

    Hello, Mr. le3fou

    I have started reading this, even though I am illiterate in IT, but I'll try to follow your course.
    Anyway, I have 2 questions, about IP addresses and firewalls..

    First: here, Menara has dynamic IPs, which means, if every time I switch off my computer I remove or unplug the connection cables, in this case, can no one access my computer, i.e. will no "reconnaissance" happen to me?

    Second: regarding breaching the firewall, are there solutions to strengthen this firewall so that nobody at all can breach it?

    Thanks
     
  3. le3fou (Visitor)


    Hackers can only attack your computer if you're online, but remember, sometimes if they succeed in gaining access to your computer, they can leave a back door or a rootkit through which they can have access the next time you get connected... So the answer to your question is: worry only when you're connected online; if you are not connected then you are fine. That's why security officials recommend that you not leave your computer online unattended. You don't have to unplug the wires in order to stay offline; you can just disconnect yourself while you're away.

    DHCP or dynamic IP addressing is something Menara offers to its customers through their router configuration, and if you want to know how this is done, we can start another subject about DHCP.

    The answer to your question about firewalls:
    First, a firewall can be software: for example, Microsoft SP2 has a firewall embedded in this pack and it's well known for its great efficiency. As long as you have it enabled on your computer, there is nothing to worry about. Other well-known firewall software are ZoneAlarm, McAfee Firewall and Norton Firewall. You should always have them enabled on your PC in order to stay safe.

    Second, a firewall can be hardware: I worked with Cisco PIX firewalls, and they are pretty hard to configure, for instance using a DMZ and access lists "implicit, explicit". That's another subject you can remind me to tutor about, and I will be glad to go through it or just skim it to give you a clue about it.

    Finally, you can use some IDS "intrusion detection systems" such as Snort, or Ethereal, to detect any intrusion by hackers. These programs detect an intrusion, send it to the log file, and you can connect the log to a MySQL database which sends alarms to the security officials that there are attempts to bring the firewall down. That's also another subject: how to connect, for example, Snort with a MySQL database. And if anyone is interested in knowing the basics of MySQL, I will be glad to go through it.

    Let me know if this actually answers your questions. I welcome any more questions. If you can't understand my English, let me know and I will try to explain things in Arabic in the future. Thanks for your participation. Good luck everyone.
     
  4. YSF (Khasser)


    Explain it in Arabic, may God protect you; your brother is illiterate in English, professor :)
     
  5. aflam (Visitor)


    God bless you all
     
  6. rosée du matin (Addict)


    Thanks really for answering my questions.. Well, now I have more questions to ask

    First: where do hackers leave their traces (rootkit), so I can look for them??
    Second: I'm using Avast Antivirus, isn't it enough? Should I change it?
    Third: Can you please give us more explanation about those IDS???

    Thanks again
     
  7. le3fou (Visitor)


    It's nice to see more people interested in information systems, especially in this topic of hacking.
    Well, to explain to you what a rootkit is: it's a file or program written in Linux or Unix, and has some malicious code that can track your navigation and hack your system each time your system boots up. As many people know, Windows operating systems are not aware of many Linux and Unix files; sometimes they can't read them, can't recognize them or can't tell what they are, and neither can the antivirus. Therefore, when you run your antivirus, or the anti-spyware and adware, they sometimes can't find the rootkit among the files on the NTFS because they have no idea what that file is. Rootkits are able to intercept data from terminals, network connections, and the keyboard. Thus, you need to have a rootkit killer, or a rootkit sweeper.

    Here is a recommended software for this purpose: http://www.download.com/1200-2018-5146245.html

    I hope this explains to you what a rootkit is.

    As far as IDS are concerned, it's an intrusion detection system: it can be software or hardware. Software can be something such as Snort, which you can download from www.snort.org, and it's free, but it takes a while to configure. Others include: Prevx Home, SnoopNetCop Standard, AIDE (Advanced Intrusion Detection Environment) ...etc

    IDS are tools and utilities to monitor your network for suspicious or malicious activity. Imagine you have an enterprise and you're responsible for its network security; what you have to do is put an IDS before a firewall and sometimes behind a firewall. How does this work? Think of someone who wants to get into your house to steal something: what he does is try to open your front door sneakily; what you do is get out of your bed and lock the door from the inside, right? And then you call the police and report the incident. The same thing happens with a network: when a hacker tries to hack a network or computers in a network, the IDS detects the intrusion attempts and sends them to the log file. The firewall recognizes the attempts and denies access to the hacker. If the hacker is adept enough to get through the firewall, the second IDS behind the firewall detects a successful intrusion attempt by the hacker and then sends logs to the security officials, warning them of someone inside their network. Of course the computers are located in the DMZ area, and other security configuration is put on the routers and switches and also on the computers themselves.

    Hope this gives you a thorough idea about IDS.

    You asked me about Avast antivirus; actually, I use McAfee, and Kaspersky is also a good antivirus software, but I will look it up and get back to you on that.

    Take care, and you're welcome to ask any further questions. The next topic coming up about hacking is enumeration. Stick with us.
     
  8. BillGates (Citizen)


    That's not true... you cannot run any Unix or Linux application on Windows; the binary structure is not the same... And the reason antiviruses don't recognize them is simply that they do not act as a virus; this has nothing to do with Unix or Linux... A nice rootkit revealer can be downloaded from here: http://www.sysinternals.com/Files/RootkitRevealer.zip
    What a rootkit does is give the author access to your computer after opening a backdoor on your system... The author will then be notified and given your IP, and he will have full access to your system.... Usually they are installed as a Windows service, which makes them hard to detect.....
     
  9. le3fou (Visitor)


    You probably did not understand what I wanted to say: "it's a file or program written in Linux or Unix, and has some malicious code that can track your navigation and hack your system each time your system boots up. As many people know, Windows operating systems are not aware of many Linux and Unix files; sometimes they can't read them, can't recognize them or can't tell what they are, and neither can the antivirus."

    And you said "you cannot run any Unix or Linux application on Windows, the binary structure is not the same"; that's true, but you can use some Win emulators for this purpose.

    Please read what I wrote carefully, because we can't argue about something we both agree on.
     
  10. BillGates (Citizen)


    Use a Win emulator to do what?? To develop a Win rootkit?? Or to run it??
    The only Unix or Linux files that Windows does not read are the binary executables!!! For everything else there is a Windows application that can read it, be it a graphic file, audio, archive or whatever it is!!

    You are associating hacking with Unix; that's what most people do... but I didn't see any Unix application among the links you gave!!

    Now talking about rootkits... you said "it's a file or program written in Linux or Unix, and has some malicious code that can track your navigation and hack your system each time your system boots up"; it cannot be any file, it has to be a program or DLL... As far as I know Unix does not use DLLs..... "can track your navigation": a rootkit does not track your navigation; that's called spyware.....

    My point was not to argue with you, just to clarify what you said... and sorry if you didn't like my comments.
     
  11. le3fou (Visitor)


    I welcome your comments, BillGates; that's how we can learn and that's how we can clarify things well in our minds.

    Well, Win emulators are used in Linux or Unix to read some of the files that these two operating systems can't recognize, such as file.doc. "For everything else there is a Windows application that can read it, be it a graphic file, audio, archive or whatever it is!!" Yes, exactly, because we use a Win emulator such as Wine.


    In my explanation about rootkits, I was talking about rootkits in Windows, and I said that most rootkits in Windows are written in Linux or Unix, ok? "A rootkit is software which alters the way the operating system works. The purpose of this is to hide files, folders and processes while they are running on the system. They were used in the old days, long before Windows was created, to take over UNIX computers. With a good rootkit, you can hide any piece of software from all but the most determined search. Today, they are used frequently by trojans, spyware and viruses."

    By the way, Unix uses DLL files. And I didn't associate Unix with hacking; all I said is that Windows rootkits can be written inside Unix or Linux with certain extensions; they can be programs or files. And a DLL is a file.

    I said "track your navigation" because a rootkit can hide a spyware or a file that works as a spy on your computer, and the tracking can begin. Hopefully we're on the same track; if not, I would be glad to discuss this further, do some research on it, and come up with good stuff. Sounds good?
     
  12. BillGates (Citizen)


    We're talking about the same thing... and here is a more detailed explanation of rootkits:
    What is a Rootkit?
    The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

    Persistent Rootkits
    A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contains code that must be executed automatically at each system start or when a user logs in, it must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.

    Memory-Based Rootkits
    Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

    User-mode Rootkits
    There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.

    The Windows native API serves as the interface between user-mode clients and kernel-mode services and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the Native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.

    Kernel-mode Rootkits
    Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.
     
  13. le3fou (Visitor)


    Thanks for the extra explanation. Waiting for more of your comments in the next lesson, "enumeration" (working on it right now).
     
  14. BillGates (Citizen)


    Cool!!
    it's gonna be great ;-)
     
  15. RedEye - أبو عبدالرحمن - Staff member


    Guys, calm down. First, thanks to brother le3fou for his efforts.
    Second, I and a large group of the brothers were educated in German "shrinbakh shrnbakh zeeer",
    and you, brother, are writing this in Eeenglish.
    So it would be nice if you could at least explain this a bit in French, so that the benefit is wider and reaches a larger number of people. Many thanks :)
     
  16. le3fou (Visitor)


    Brother, I wouldn't mind doing this lesson in all languages, but I said let's do it in Darija so that it's easy for everyone to understand... I didn't study this in French, but in English; if any of the brothers wants to volunteer and translate, we'd be grateful to him; otherwise tell us what you didn't understand and we'll answer you.... By the way, there are translation sites like www.systransoft.com that will help you.

    And this is what I could do, brother; here we are doing it.
     
  17. RedEye - أبو عبدالرحمن - Staff member


    Actually, no, it's not for me; you could even write it in Martian, I'm in the IT field. It's for the other members who want to understand so they know how to protect themselves, and I swear, brother, if I didn't have a thousand things to do, I would have taken the time and translated it :)
     
