Network intrusion methods and general steps | http://www.cshu.net
www.cshu.net, 2002-9-10, by fog rain village

Network security is, in essence, the security of the information on the network. Broadly speaking, every technology and theory that concerns the confidentiality, integrity, availability, authenticity and controllability of information on a network belongs to the field of network security research. The goal of network security is to guarantee the security of the information in a network system, and that has two aspects: the security of stored information and the security of transmitted information. Storage security refers to the security of information while it is held statically, for example whether it can be accessed without authorization. Transmission security refers to the security of information while it is in transit. Guaranteeing the security of transmitted information raises the following problems:
(1) eavesdropping on information on the network
(2) impersonation of a user's identity
(3) tampering with information on the network
(4) repudiation of information that was sent
(5) replay of information
The commonly used intrusion methods are mainly the following.
1. Password intrusion
Password intrusion means using software to decrypt a password file that has already been obtained. Many hackers make heavy use of programs that bypass or disable password protection to do this work; programs that decrypt or disable password protection are usually called "cracks". Because such software is widely available, breaking into a computer network system has sometimes become quite simple: it generally requires no deep understanding of the system's internal structure, which makes it a good method for beginners.
2. Trojan horse
Anyone who knows the story of the Trojan horse will have no difficulty understanding this method. Its most typical form is a program that helps the hacker carry out some specific action, attached to a legitimate user's normal program, so that the code of the legitimate program is altered. Once the user runs that program, the attached hacker code is activated at the same time, and that code can usually complete the task the hacker assigned to it. Because this intrusion method requires the hacker to have good programming experience, to alter code, and to already hold certain privileges, it is harder to master. But, because of its complexity, the average system administrator has great difficulty discovering it.
3. Network monitoring (sniffing)
This is a very practical intrusion method, but also a very risky one for the hacker; nevertheless, many hackers who have broken into systems use it, taking the risk out of confidence in their own skill.
Communication between network nodes or workstations is carried out through the flow of information. When there is no concentrator (hub) on the network, transmitted data carries no indication of a specific direction, so at that moment every network node or workstation is a potential recipient. It is as if one node says, "Hi! Which of you is the workstation I need to send this information to?" At that moment every connected system has received the information, and once some workstation answers, "Hi! That's me, please send the data," the exchange is completed.
There is a kind of software called a sniffer that can capture passwords and confidential information, and can be used to attack neighbouring networks.
4. E-mail techniques
5. Virus techniques
6. Concealment techniques
Network attacks: general steps and examples
Attack preparation stage
First it must be explained that intruders come from two sources. One is internal personnel who use the opportunities and privileges their jobs give them to obtain privileges they should not have. The other is external personnel, including remote intrusion, intrusion by connecting to a network node, and so on. This article mainly discusses remote attacks.
A network attack is highly systematic work. Its main workflow is: collect information, attack remotely, log in remotely, obtain ordinary user privileges, obtain superuser privileges, leave a back door, erase the logs. The main activities include target analysis, obtaining files, cracking passwords, log elimination and so on; each is introduced separately below.
1. Determining the attack goal
Before carrying out a complete attack, the attacker must first decide what kind of goal the attack is to achieve, that is, what kind of consequence it should have for the other side. The common attack goals are of two kinds: destruction and intrusion. A destructive attack only destroys the target and stops it from working normally, but does not allow the attacker to control the target system at will. The main method for achieving a destructive goal is the denial of service (DoS) attack. The other common goal is to intrude into the target; this kind of attack needs to obtain certain privileges in order to achieve control of the target. This kind of attack is more common than the destructive attack and the threat is also bigger, because once the hacker obtains administrator privileges on the target he can do as he pleases with the server, including destructive attacks. Such attacks generally exploit a vulnerability in the server's operating system, application software or network protocols. Another cause of this kind of attack is password disclosure: the attacker obtains a server user's password by guessing or by exhaustive search, and can then access the server exactly as the genuine administrator would.
2. Collecting information
Apart from deciding the goal, the most important work before an attack is to collect as much information about the target as possible. This information mainly includes the target's operating system type and version, the services the target provides, the type and version of each server program, and related social information.
To attack a machine, one must first determine which operating system it is running, because the vulnerabilities of different operating systems differ greatly and the attack methods are therefore completely different; even different versions of the same operating system have dissimilar vulnerabilities. Determining a server's operating system generally relies on experience; the banner shown by certain services on some servers reveals their operating system. For example, when we connect to a machine by TELNET and it displays
Unix (r) System V Release 4.0
Login:
then from experience one can determine that the operating system on this machine is SunOS 5.5 or 5.5.1. But determining the operating system type this way is unreliable, because some website administrators deliberately change the displayed banner in order to confuse attackers and create a false impression. Other methods that are not very effective include querying the host's DNS information (not very reliable), looking at the machine type and operating system type given when the domain name was registered, obtaining it by social engineering, or querying SNMP on hosts that have it open with the public community.
A relatively more accurate method is to use the TCP/IP stack of the network operating system as a special "fingerprint" to determine the true identity of the system, because different operating systems differ slightly in the implementation details of the low-level network protocols. One can send specially crafted packets to the target remotely and then determine the operating system type from the packets that come back. For example, one sends a FIN packet (or any packet with no ACK or SYN flag) to an open port on the target host and waits for the response; many systems, such as Windows, BSDI, Cisco, HP/UX and IRIX, return a RESET. Or one sends a SYN packet whose TCP header carries an undefined TCP flag: a Linux system's response packet will carry the same flag, while some other systems close the connection when they receive this SYN plus bogus flag packet. One can also try to match the initial sequence number pattern against a template for a specific operating system; this classifies many systems, for example older Unix systems use a 64K increment, while some newer Unix systems use random increments. Another method is to inspect the window size contained in the returned packet; this technique identifies operating systems by their different initial window sizes. There are many tools that implement these techniques; among the best known are NMAP, CHECKOS and QUESO.
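From the defender's side, the probes just described are recognisable by their flag combinations. The following is an added example, not code from the original article: it classifies TCP segments as FIN-only, NULL or SYN-with-bogus-flag probes and reports sources that send several probe types at listening ports. The Segment records and addresses are constructed for illustration; a real deployment would feed them from a packet capture or firewall log.

```python
"""Detect TCP segments whose flag combinations match the stack-fingerprinting
probes described in the article: FIN-only, NULL (no flags) and SYN with an
undefined flag bit. Added example, not from the original article; the Segment
records below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# TCP flag bits in header order (RFC 793, plus the ECN bits of RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


@dataclass
class Segment:
    src: str
    dst: str
    dport: int
    flags: int  # full flags field; bits above CWR are reserved/undefined


def classify_probe(flags: int) -> Optional[str]:
    """Name the probe type for a flag combination, or None if it looks normal."""
    if flags & SYN and flags >> 8:
        # SYN carrying a bit no standard defines: stacks differ in whether
        # they echo it or drop the connection, which is what the probe measures.
        return "syn-bogus-flag"
    if flags == 0:
        return "null"
    if flags & FIN and not flags & (ACK | SYN):
        # Bare FIN to an open port: RFC-conformant stacks stay silent, others
        # answer RST, so the presence of a reply leaks the OS family.
        return "fin-only"
    return None


def find_fingerprint_probes(segments: List[Segment],
                            open_ports: Set[int]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, dport, probe) for anomalous segments aimed at listening
    ports, the case the article's FIN test describes."""
    findings = []
    for seg in segments:
        probe = classify_probe(seg.flags)
        if probe and seg.dport in open_ports:
            findings.append((seg.src, seg.dst, seg.dport, probe))
    return findings


def sources_to_watch(findings, min_probe_types: int = 2) -> List[str]:
    """A source that sends several distinct probe types is running a
    fingerprinting tool rather than emitting one stray malformed packet."""
    by_src: Dict[str, Set[str]] = {}
    for src, _dst, _port, probe in findings:
        by_src.setdefault(src, set()).add(probe)
    return sorted(s for s, kinds in by_src.items() if len(kinds) >= min_probe_types)


# Constructed sample traffic against a host listening on ports 21, 23 and 80.
OPEN_PORTS = {21, 23, 80}
SAMPLE = [
    Segment("198.51.100.7", "192.0.2.10", 23, SYN),            # normal connect
    Segment("198.51.100.7", "192.0.2.10", 23, ACK | PSH),      # normal data
    Segment("198.51.100.9", "192.0.2.10", 80, FIN | ACK),      # normal close
    Segment("203.0.113.5", "192.0.2.10", 23, FIN),             # FIN probe
    Segment("203.0.113.5", "192.0.2.10", 21, 0),               # NULL probe
    Segment("203.0.113.5", "192.0.2.10", 80, SYN | (1 << 8)),  # SYN + bogus bit
    Segment("203.0.113.5", "192.0.2.10", 9999, FIN),           # closed port, ignored
]

if __name__ == "__main__":
    hits = find_fingerprint_probes(SAMPLE, OPEN_PORTS)
    for hit in hits:
        print("probe:", hit)
    print("sources to watch:", sources_to_watch(hits))
```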
It is equally important to learn which services the target provides and the type and version of the daemon for each service, because known vulnerabilities are generally in some particular service. "Providing a service" here refers to what we usually call listening on a port, for example TELNET generally on port 23, FTP on port 21, WWW on port 80 or 8080; but this is only the ordinary case, and a site's administrators may well change the port a service listens on as they wish. The same service can also be provided by different server software on different servers; we call this software the daemon. For example, the FTP service can be provided by many different daemons such as wuftp, proftp and ncftp. Determining the daemon type and version also helps the hacker break into the site through a system vulnerability.
Other information that needs to be obtained about the system is social information related to the computer itself, for example the name and size of the company the site belongs to, the network administrator's habits, telephone number and so on. This information appears to have nothing to do with attacking a site, but in fact many hackers have used exactly this kind of information to break in. For example, some site administrators use their own telephone number as the system password; someone who has that telephone number effectively has the administrator's privileges. Information collection can be done manually or with tools; a tool that performs information collection is called a scanner. The advantage of collecting information with a scanner is speed, and many targets can be scanned at once.
Attack implementation stage
1. Obtaining privileges
After enough information has been collected, the attacker can begin the attack. For a destructive attack it is enough to launch the attack with a tool. For an intrusion attack, one usually has to use the information collected to find a vulnerability in the system and then exploit it to gain certain privileges. Sometimes ordinary user privileges are enough to achieve a goal such as changing the home page, but a complete attack needs to obtain the highest privileges on the system, not only to achieve a particular goal but, more importantly, to prove the attacker's ability; this is what hackers pursue.
The vulnerabilities an attacker can use include not only security flaws in the design of system software but also flaws created by improper configuration. Not long ago the home page of Apache, the most popular web server software on the Internet, was broken into by hackers, and the "Powered by Apache" logo (the feather drawing) on its home page was changed to a "Powered by Microsoft BackOffice" logo; the attacker exploited some improper configuration the administrator had made in the web server and database and thereby obtained the highest privileges.
Naturally, most successful attacks exploit vulnerabilities in system software itself. The main reason such vulnerabilities arise is that the programmers who wrote the software lacked security awareness: when an attacker makes an abnormal request to the software, a buffer overflow or an illegal file access results. Attacks using buffer overflows are the most common; according to statistics, more than 80% of successful attacks obtained illegal privileges through a buffer overflow vulnerability. Buffer overflows are explained in detail in a separate chapter later.
Whether as a hacker or as a network administrator, one needs to know as many system vulnerabilities as possible. The hacker needs them to carry out the attack, while the administrator needs to take different defensive measures for different vulnerabilities. To learn about the newest vulnerabilities, one can search sites such as Rootshell (www.rootshell.com), Packetstorm (packetstorm.securify.com) and SecurityFocus (www.securityfocus.com).
2. Privilege escalation
System vulnerabilities divide into remote vulnerabilities and local vulnerabilities. A remote vulnerability is one that a hacker can use directly from another machine to attack and obtain certain privileges. The threat from this kind is quite large; hackers' attacks generally begin with a remote vulnerability. But the privileges gained through a remote vulnerability are not necessarily the highest; often they are only those of an ordinary user, which frequently is not enough to do what the hacker wants. Then a local vulnerability must be used as well to expand the privileges already obtained, frequently to system administrator privileges.
Only after the highest administrator privileges have been obtained can things like network monitoring and cleaning traces be done. To complete the privilege escalation, one can not only use the privileges already obtained to run a program exploiting a local vulnerability on the system, but also plant deceptive programs such as Trojan horses to steal the administrator's password. This kind of Trojan horse is placed locally to steal the highest privileges and cannot be controlled remotely. For example, a hacker who has already obtained an ordinary user's account and login privileges on a machine may plant a fake su program on that machine. Once the fake su is in place, when a genuine legitimate user logs in, runs su and enters the password, the root password is recorded, and the next time the hacker logs in he can use su to become root.
Attack damage-control work
1. Overview of the logging system
If the attacker leaves the system immediately after completing the attack without doing any damage-control work, his tracks will very quickly be discovered by the system administrator, because all network operating systems generally provide a logging function that records what happens on the system. Therefore, to hide himself, the hacker generally erases the traces he left in the logs. To understand how hackers erase traces, one must first understand the log structure and operation of the common operating systems. Unix log files are usually located in the following places, with slight variations depending on the operating system:
/usr/adm: early versions of Unix.
/var/adm: newer versions use this location.
/var/log: some versions of Solaris, Linux, BSD and FreeBSD use this location.
/etc: most Unix versions put utmp here, some also put wtmp here, and this is also the location of syslog.conf.
The files below may differ depending on which directory you are in:
acct or pacct: records every command used by each user.
access_log: mainly used by servers running the NCSA HTTP server; this log records which sites have connected to your server.
aculog: keeps records of the dial-out modems.
lastlog: records the most recent login and each user's initial destination, and sometimes the last unsuccessful login.
loginlog: records abnormal logins.
messages: records output to the system console; other information is produced by syslog.
security: records attempts to use the UUCP system to enter restricted areas.
sulog: records use of the su command.
utmp: records all users currently logged in to the system; this file changes continuously as users enter and leave the system.
utmpx: an extension of utmp.
wtmp: records user login and logout events.
syslog: the most important log file, obtained through the syslogd daemon.
2. Hiding the trail
After obtaining the highest administrator privileges on the system, the attacker can modify any file on the system (speaking only of conventional Unix systems), including the log files, so the ordinary hacker who wants to hide his trail modifies the logs. The simplest method is certainly to delete the log files, but although this stops the system administrator tracing him by IP address, it also tells the administrator unmistakably that the system has been broken into. Therefore the most commonly used approach is to modify only the parts of the log files that concern oneself. The concrete details of the modification differ by operating system; there are many programs on the net with this function, for example zap, wipe and so on, whose main job is to remove a particular user's information from log files such as utmp, wtmp, lastlog and pacct, so that the user does not appear when the log files are examined with commands such as w, who and last.
An administrator who wants to prevent the logging system being modified by a hacker should take certain measures, for example logging network log information in real time to a printer. But this also has a drawback: once the hacker understands your setup he can continuously write useless information into the log, so that the printer prints without stopping until all the paper is used up. A better way to prevent log modification is to send all log files to a more secure host, that is, to use a loghost. Even this cannot completely eliminate the possibility of log modification, because a hacker who can break into this host may well break into the loghost too.
Modifying the logs alone is not enough, because even the most careful person slips up; even if all the logs have been modified, some traces may still be left behind. For example, back door programs that were installed may be discovered by the administrator after they run. Therefore expert hackers further hide their trail by replacing some system programs. The hacker programs used to replace normal system programs are called rootkits, and can be found on some hacker sites; a common one is LinuxRootKit, which has now reached version 5.0. It can replace a series of important system programs such as ls, ps, netstat and inetd; after ls has been replaced it can hide specified files, so that the administrator cannot see those files with the ls command, thereby hiding the hacker.
3. Back doors
An ordinary hacker does not break into a system only once. To make it easy to enter the system again next time, the hacker leaves a back door; the Trojan horse is the classic example. There are many ways to keep a back door on Unix; several common ones are introduced below for the network administrator's reference in defending against them.
<1> Password-cracking back door
This is the earliest and oldest method used by intruders. It not only gives access to a Unix machine but also creates a back door by cracking passwords: the intruder cracks accounts with weak passwords, and later, even if the administrator has locked the intruder's current account, these new accounts may still be the back door through which he re-enters. In most cases the intruder looks for unused accounts with weak passwords and then changes their passwords to hard ones. When the administrator looks for accounts with weak passwords, he does not find the accounts whose passwords were changed, so it is very difficult for him to decide which accounts to lock.
<2> Rhosts ++ back door
On networked Unix machines, services such as rsh and rlogin use a simple host-based authentication method based on the rhosts file. Users can easily change the settings so that no password is needed to get in. As long as the intruder can write "+ +" into some user's rhosts file, anyone from anywhere can enter that account without a password. The intruder is especially keen on this when the home directory is shared to the outside through NFS. These accounts also become the back door through which the intruder breaks in again. Many people like to use rsh because it usually lacks logging. Many administrators frequently check for "+ +", so the intruder instead sets up the host name and user of another account on the network, which is not so easily discovered.
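Checking only for the literal "+ +" misses the quieter variant the last sentence describes. The following is an added example, not code from the original article: it parses an rhosts-style file and reports wildcard hosts, wildcard users, and any host that is not on an allow-list. TRUSTED_HOSTS and the sample file contents are constructed for illustration.

```python
"""Audit the contents of a .rhosts (or hosts.equiv) file for the "+ +"
wildcard back door and for trusted hosts that are not on an allow-list.
Added example, not from the original article; TRUSTED_HOSTS and the sample
file text are constructed for illustration."""
from typing import List, Tuple

# Assumed allow-list of hosts legitimately permitted to rsh/rlogin in.
TRUSTED_HOSTS = {"build1.example.com", "build2.example.com"}


def parse_rhosts(text: str) -> List[Tuple[str, str]]:
    """Return (host, user) pairs; user is '' when the line names only a host,
    meaning 'the same user name as on this machine'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else ""))
    return entries


def audit_rhosts(text: str, trusted_hosts=TRUSTED_HOSTS) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (host, user, reasons) for every entry granting more than the allow-list permits."""
    findings = []
    for host, user in parse_rhosts(text):
        if host.startswith("-"):
            continue  # a leading '-' denies access; it grants nothing
        reasons = []
        if host == "+" or host.startswith("+@"):
            reasons.append("wildcard host")  # any host, or any host in a netgroup
        elif host not in trusted_hosts:
            reasons.append("host not on allow-list")
        if user == "+":
            reasons.append("wildcard user")  # any user name from that host
        if reasons:
            findings.append((host, user, tuple(reasons)))
    return findings


# Constructed sample .rhosts contents, not taken from a real system.
SAMPLE_RHOSTS = """\
# legitimate entries
build1.example.com
build2.example.com deploy
# classic back door: any user from any host
+ +
# any host, as long as it claims to be alice
+ alice
# any user from a host nobody vetted
ops.example.com +
# a specific host: the quieter variant the article warns about
10.0.0.5 backup
# explicit deny, harmless
-evil.example.com
"""

if __name__ == "__main__":
    for host, user, reasons in audit_rhosts(SAMPLE_RHOSTS):
        print(f"{host!r:24} {user!r:10} {', '.join(reasons)}")
```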
<3> Checksum and timestamp back door
Early on, many intruders replaced binaries with their own Trojan programs. System administrators then relied on timestamps and system checksum programs, such as the Unix sum program, to tell whether a binary had been changed. Intruders developed a new technique for making the timestamps of the Trojan file and the original file the same. It works like this: first set the system clock back to the original file's time, then set the Trojan file's time to the system time; once the Trojan binary and the original are precisely synchronized, the system time can be set back to the present. The sum program is based on a CRC checksum and is very easy to deceive; intruders have designed programs that adjust the Trojan's checksum to match that of the original file. MD5 is recommended by most people; at present nobody can deceive the algorithm MD5 uses.
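The following added example, not code from the original article, shows why the timestamp trick above defeats an mtime comparison but not a hash baseline: it records a baseline for a stand-in "binary" in a temporary directory, replaces the file, restores the original timestamps with utime(), and runs both checks. It uses SHA-256 rather than the MD5 the article recommends, because MD5 collisions have been practical for years.

```python
"""Compare a timestamp-only integrity check with a hash baseline for a
replaced system binary whose mtime has been restored. Added example, not from
the original article; it works on files in a temporary directory, never on
real system binaries, and uses SHA-256 instead of MD5."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[int, str]]  # path -> (mtime in ns, sha256 hex)


def file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: List[str]) -> Baseline:
    """Record mtime and digest while the files are known to be good."""
    return {p: (os.stat(p).st_mtime_ns, file_digest(p)) for p in paths}


def verify(baseline: Baseline, check_hash: bool = True) -> List[Tuple[str, str]]:
    """Return (path, reason) for files that differ from the baseline.
    check_hash=False is the timestamp-only check the article says intruders defeat."""
    findings = []
    for path, (mtime_ns, digest) in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        if os.stat(path).st_mtime_ns != mtime_ns:
            findings.append((path, "mtime changed"))
        if check_hash and file_digest(path) != digest:
            findings.append((path, "content changed"))
    return findings


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Simulate the replace-and-resync-timestamp trick on a stand-in for ls and
    return (timestamp-only findings, hash-baseline findings)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ls")
        with open(path, "wb") as f:
            f.write(b"original ls binary\n")  # constructed stand-in, not a real binary
        baseline = build_baseline([path])
        original = os.stat(path)

        # Replacement written in place, then the timestamps set back to the
        # original values (what touch -r or utime() achieves).
        with open(path, "wb") as f:
            f.write(b"replaced ls binary\n")
        os.utime(path, ns=(original.st_atime_ns, original.st_mtime_ns))

        return verify(baseline, check_hash=False), verify(baseline)


if __name__ == "__main__":
    by_time, by_hash = demo()
    print("timestamp-only check:", by_time or "nothing detected")
    print("hash baseline check:", by_hash)
```

The baseline must itself be stored somewhere the intruder cannot rewrite (read-only media or the loghost), otherwise it can be regenerated after the replacement just as easily as the timestamp.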
<4> Login back door
On Unix, the login program is usually used to perform password verification for users who come in by telnet. The intruder obtains the source code of login.c and modifies it so that, when it compares the entered password with the stored password, it first checks for a back door password. If the user types the back door password, it ignores the password the administrator set and lets you straight in. This allows the intruder to enter any account, even root. Because the back door password is checked before the login is recorded in utmp and wtmp, the intruder can log in and obtain a shell without exposing the account. After administrators noticed this kind of back door, they used the strings command to search the login program for text, and in many cases the back door password was revealed. Intruders then started to encrypt or better hide the password so that strings no longer works. Therefore more administrators now check for this kind of back door with MD5 checksums.
<5> Telnetd back door
When a user telnets to the system, the inetd service listening on the port accepts the connection and hands it to in.telnetd, which runs login. Some intruders know that the administrator will check whether login has been modified, so they modify in.telnetd instead. in.telnetd internally examines some information about the user, for instance what kind of terminal the user is using; a typical terminal setting is xterm or vt100. The intruder can make a back door such that a shell is produced when the terminal is set to "letmein". Intruders who do not want any verification have also made back doors in certain services that produce a shell for connections from a specific source port.
              <6> Service backdoors
              Nearly every network service has at some time been backdoored by an
              intruder: finger, rsh, rexec, rlogin, ftp, even inetd, and so on;
              backdoored versions of them are everywhere. Some are just a shell
              bound to a TCP port, with access granted through a backdoor password.
              These programs sometimes replace a service that is not used, such as
              uucp, or are added to inetd.conf as a new service. The administrator
              should pay close attention to which services are running and verify
              the original service binaries with MD5.
              <7> Cronjob backdoor
              On Unix, cron runs particular programs according to a timetable. The
              intruder can add a backdoor shell program that runs between 1 AM and
              2 AM, so that every night there is an hour in which access can be
              obtained. The intruder may also look through the legitimate programs
              that cron runs frequently and build the backdoor into one of them.
              <8> Library backdoors
              Nearly all Unix systems use shared libraries. Shared libraries let
              many programs reuse the same functions, which reduces code size. Some
              intruders have backdoored functions such as those in crypt.c and
              _crypt.c. A program like login.c calls crypt(); when the backdoor
              password is used, a shell is produced. So even if the administrator
              checks the login program with MD5, the backdoor function is still
              there. Moreover, many administrators never check whether a library
              has been backdoored. The intruder still faces one problem: some
              administrators run MD5 checks over everything. One means around this
              is to backdoor open() and the other file access functions. The
              backdoored functions read the original file but execute the trojaned
              backdoor program, so when MD5 reads these files the checksums are all
              normal, yet when the system runs them the trojaned version executes.
              Even the trojaned library itself can hide from the MD5 check in this
              way. The administrator has one method to find this backdoor: link the
              MD5 check program statically and then run it. A statically linked
              program cannot use the trojaned shared library.
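              As an added example (not code from the original article), the
              following C program models the login backdoor of <4> and the crypt()
              library backdoor of <8> side by side. It uses a constructed stand-in
              for crypt(3) (toy_crypt, a salted FNV-1a hash with no cryptographic
              value) so that it compiles and runs without the real crypt library;
              the backdoor password "letmein" is borrowed from the article's telnetd
              example, the stored hash for the account is constructed, and all
              function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN 19   /* 2 salt chars + 16 hex digits + NUL */

/* Constructed stand-in for crypt(3): two salt characters followed by the
 * FNV-1a hash of salt+key, printed as hex. It has no cryptographic value;
 * it only gives the login logic something to compare, the way crypt() does. */
char *toy_crypt(const char *key, const char *salt, char out[HASH_LEN])
{
    char s[3] = { salt[0], salt[0] ? salt[1] : '\0', '\0' };
    uint64_t h = 14695981039346656037ULL;
    for (const char *p = s; *p; p++)   { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (const char *p = key; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    snprintf(out, HASH_LEN, "%s%016llx", s, (unsigned long long)h);
    return out;
}

/* Honest login: hash what was typed, using the stored entry as the salt,
 * and compare. Real login passes the whole stored hash as the salt argument
 * and crypt() uses only its first two characters; that detail is what the
 * library backdoor below exploits. */
int login_check(const char *typed, const char *stored)
{
    char buf[HASH_LEN];
    return strcmp(toy_crypt(typed, stored, buf), stored) == 0;
}

/* The backdoor password "letmein", stored XOR'd with 0x5a so that running
 * strings(1) over the binary does not reveal it. A plain
 *   #define BACKDOOR "letmein"
 * would sit in .rodata and be found at once. */
static const unsigned char obf_backdoor[] = { 0x36, 0x3f, 0x2e, 0x37, 0x3f, 0x33, 0x34 };

static int typed_is_backdoor(const char *typed)
{
    size_t n = sizeof obf_backdoor;
    if (strlen(typed) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)typed[i] != (obf_backdoor[i] ^ 0x5a)) return 0;
    return 1;
}

/* <4> Login backdoor: the patched login.c tests the backdoor password before
 * the real comparison, i.e. before any utmp/wtmp record would be written. */
int login_check_trojaned(const char *typed, const char *stored)
{
    if (typed_is_backdoor(typed))
        return 1;               /* accepted; no utmp/wtmp entry follows */
    return login_check(typed, stored);
}

/* <8> Library backdoor: crypt() itself is patched. For the backdoor key it
 * returns the salt argument unchanged; because login passes the stored hash
 * as the salt, the comparison in an unmodified login binary succeeds. */
char *trojaned_crypt(const char *key, const char *salt, char out[HASH_LEN])
{
    if (typed_is_backdoor(key)) {
        strncpy(out, salt, HASH_LEN - 1);
        out[HASH_LEN - 1] = '\0';
        return out;
    }
    return toy_crypt(key, salt, out);
}

/* Byte-for-byte the same logic as login_check; only the library differs,
 * so an MD5 of the login binary stays unchanged. */
int login_check_trojaned_lib(const char *typed, const char *stored)
{
    char buf[HASH_LEN];
    return strcmp(trojaned_crypt(typed, stored, buf), stored) == 0;
}

int main(void)
{
    char stored[HASH_LEN];
    toy_crypt("secret", "ab", stored);      /* constructed password-file entry */
    printf("stored hash               : %s\n", stored);
    printf("honest login,   letmein   : %d\n", login_check("letmein", stored));
    printf("patched login,  letmein   : %d\n", login_check_trojaned("letmein", stored));
    printf("patched crypt(), letmein  : %d\n", login_check_trojaned_lib("letmein", stored));
    return 0;
}
```

              The obfuscated password is why the article's "strings" check stops
              working, and the unchanged login_check_trojaned_lib is why an MD5 of
              login alone proves nothing once the shared library is trojaned; the
              static-linking advice in <8> applies to the checker, not to login.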
              <9> Kernel backdoors
              The kernel is the core of Unix. The method used in libraries to hide
              from the MD5 check applies equally at the kernel level, and there not
              even static linking can tell the difference. A well-made kernel
              backdoor is very hard for the administrator to find; fortunately
              kernel backdoor programs are not readily obtained, though everyone
              knows they have in fact spread widely.
              <10> Filesystem backdoors
              The intruder needs to keep their loot or data on the server without
              the administrator discovering it. An intruder's files often include
              exploit scripts and tools, backdoor collections, sniffer logs, copies
              of e-mail, source code, and so on. Sometimes, to keep the
              administrator from noticing such large files, the intruder patches
              "ls", "du" and "fsck" to hide specific directories and files. At a
              very low level, the intruder creates a hole of this kind: a portion of
              the hard disk is carved out in a proprietary format and marked as bad
              sectors, so only the intruder, using special tools, can get at the
              hidden files. For the ordinary administrator it is very hard to
              discover this filesystem "in the bad sectors", but it really exists.
              <11> Boot block backdoors
              In the PC world, many viruses hide in the boot sector, and anti-virus
              software checks whether the boot sector has been changed. Under Unix,
              most administrators have no software that checks the boot block, so
              some intruders keep backdoors in it.
              <12> Hidden process backdoors
              Intruders usually want to hide the programs they run. Such programs
              are generally password crackers and sniffers. There are many ways to
              do this; the more common ones are: when writing the program, have it
              rewrite its own argv[] so that it looks like some other process;
              rename the sniffer program to something like in.syslog and run it
              again, so that when the administrator inspects the running processes
              with "ps" it appears to be a standard service; modify the library
              functions so that "ps" cannot show all processes; or insert the
              backdoor or program into an interrupt driver so that it never appears
              in the process table. One example of a backdoor using this technique
              is amod.tar.gz:
              Http://star.niimm.spb.su/~maillist/bugtraq.1/0777.html 
              The kernel may also be modified to hide processes.
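              An added example (not from the original article) of the first
              technique listed above: a process rewriting its own argv[] so that
              "ps" shows a different name. The in.syslog name is the one the article
              mentions; the function names are assumptions, the sample command line
              in the test is constructed, and the code assumes, as holds for the
              initial process stack on the usual Unix systems, that the argv strings
              sit back to back in one writable region.

```c
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>   /* PR_SET_NAME also rewrites /proc/<pid>/comm on Linux */
#endif

/* Overwrite this process's own argv[] storage. ps(1), w(1) and
 * /proc/<pid>/cmdline read the command line from that region, so afterwards
 * they show fake_name instead of the real command line and its arguments.
 * Assumes the argv strings are contiguous. Returns the number of bytes that
 * were available for the disguise, 0 if there was nothing to overwrite. */
size_t disguise_argv(int argc, char **argv, const char *fake_name)
{
    if (argc < 1 || argv == NULL || argv[0] == NULL || argv[argc - 1] == NULL)
        return 0;
    char *start = argv[0];
    char *end = argv[argc - 1] + strlen(argv[argc - 1]); /* the final NUL */
    size_t room = (size_t)(end - start);
    if (room == 0)
        return 0;

    memset(start, 0, room);              /* wipe the original command line */
    strncpy(start, fake_name, room - 1); /* copy the fake name, keep a NUL */
    for (int i = 1; i < argc; i++)       /* the other argv[] entries now read as "" */
        argv[i] = end;
    return room;
}

/* On Linux, `ps -o comm` and /proc/<pid>/comm come from the task's comm
 * field rather than from argv, so a thorough disguise changes both.
 * Returns 0 on success, -1 where prctl is unavailable. */
int disguise_comm(const char *fake_name)
{
#ifdef __linux__
    return prctl(PR_SET_NAME, (unsigned long)fake_name, 0UL, 0UL, 0UL);
#else
    (void)fake_name;
    return -1;
#endif
}

int main(int argc, char **argv)
{
    disguise_argv(argc, argv, "in.syslog");
    disguise_comm("in.syslog");
    printf("argv[0] now reads \"%s\"; compare `ps -o pid,comm,args` with the\n"
           "real binary behind the pid (on Linux: ls -l /proc/<pid>/exe)\n", argv[0]);
    return 0;
}
```

              The name ps prints comes from argv and the comm field; the executable
              the process was started from does not change, so comparing the ps
              listing with the link target of /proc/<pid>/exe (Linux) or the file
              lsof reports for the pid exposes this disguise, though not the library
              or kernel variants the article lists next.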
              <13> Network traffic backdoors
              The intruder not only wants to hide their traces on the system but
              also to hide their network traffic. These network traffic backdoors
              sometimes let the intruder get access through the firewall. Many
              network backdoor programs let the intruder set up some port number,
              so that access need not go through the ordinary services at all.
              Because this traffic passes over non-standard network ports, the
              administrator may overlook the intruder's trail. Backdoors of this
              kind usually use TCP, UDP and ICMP, but may also use other types of
              packet.
              <14> TCP shell backdoors
              The intruder may set up TCP shell backdoors on high-numbered TCP ports
              that the firewall has not blocked. In many cases they are protected
              with a password, so that an administrator who connects does not
              immediately see that it is shell access. The administrator can use
              the netstat command to examine the current connection state: which
              ports are listening, and where current connections come from and go
              to. These backdoors usually let the intruder get past TCP wrappers.
              They may even be put on the SMTP port, since many firewalls allow
              e-mail through.
              <15> UDP shell backdoors
              Administrators often pay attention to TCP connections and watch them
              for anything odd, but a UDP shell backdoor has no such connection,
              so netstat shows no trace of the intruder's access. Many firewalls
              are set up to allow DNS-like UDP packets through. The intruder often
              puts the UDP shell on this port, and it is allowed through the
              firewall.
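              As an added example covering the netstat check of <14> and the UDP
              case of <15> (not code from the original article), the C program
              below parses constructed `netstat -an` output and flags every socket
              waiting for input whose port is not in a baseline the administrator
              maintains. The baseline, the sample lines and the function names are
              assumptions. It also makes one caveat to <15> concrete: a UDP backdoor
              has no connection entry, but the bound UDP socket itself does still
              show up in `netstat -an` (with no state column), so it can be caught
              the same way as a listening TCP port.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of `netstat -an` output (Linux column layout). The
 * planted backdoors are the TCP shell on 31337, the IPv6 listener on 6667
 * and the UDP shell on 5555; the rest is the expected baseline. */
const char *sample_netstat[] = {
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN",
    "tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN",
    "tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN",
    "tcp        0      0 10.0.0.5:22             10.0.0.9:40122          ESTABLISHED",
    "tcp6       0      0 :::6667                 :::*                    LISTEN",
    "udp        0      0 0.0.0.0:53              0.0.0.0:*",
    "udp        0      0 0.0.0.0:5555            0.0.0.0:*",
    NULL
};

/* Ports the administrator expects to be bound (constructed baseline). */
static const int baseline_tcp[] = { 22, 25 };
static const int baseline_udp[] = { 53 };

static int in_list(int port, const int *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == port) return 1;
    return 0;
}

/* Parse one netstat line. Fills proto ("tcp", "udp", "tcp6", ...) and
 * returns the local port, or -1 if the line is not a socket line (headers,
 * Unix-domain sockets). *waiting is set when the socket sits waiting for
 * input: a TCP socket in LISTEN, or any bound UDP socket, which has no
 * connection state at all. */
int netstat_parse(const char *line, char proto[8], int *waiting)
{
    char local[64], remote[64], state[16] = "";
    int n = sscanf(line, "%7s %*d %*d %63s %63s %15s", proto, local, remote, state);
    if (n < 3) return -1;
    const char *colon = strrchr(local, ':');
    if (colon == NULL) return -1;
    int port = atoi(colon + 1);
    if (strncmp(proto, "tcp", 3) == 0)
        *waiting = strcmp(state, "LISTEN") == 0;
    else if (strncmp(proto, "udp", 3) == 0)
        *waiting = 1;
    else
        *waiting = 0;
    return port;
}

/* Flag every waiting socket whose port is not in the baseline. Writes the
 * ports into out (at most max entries) and returns how many were found. */
int unexpected_listeners(const char **lines, int *out, int max)
{
    int found = 0;
    for (; *lines; lines++) {
        char proto[8];
        int waiting = 0;
        int port = netstat_parse(*lines, proto, &waiting);
        if (port < 0 || !waiting) continue;
        int known = strncmp(proto, "tcp", 3) == 0
            ? in_list(port, baseline_tcp, sizeof baseline_tcp / sizeof *baseline_tcp)
            : in_list(port, baseline_udp, sizeof baseline_udp / sizeof *baseline_udp);
        if (!known && found < max) out[found++] = port;
    }
    return found;
}

int main(void)
{
    int ports[16];
    int n = unexpected_listeners(sample_netstat, ports, 16);
    for (int i = 0; i < n; i++)
        printf("unexpected listener on port %d\n", ports[i]);
    return 0;
}
```

              Run against a live `netstat -an`, the same scan should be repeated
              from another host with a port scanner, because a netstat or shared
              library patched as in <12> can simply omit the backdoor's socket; the
              backdoor on the SMTP port described in <14> is also invisible to this
              check, since port 25 is in the baseline, and only inspecting what
              answers there will tell the two apart.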
              <16> ICMP shell backdoors
              Ping, which sends and receives ICMP packets, is the common means of
              checking whether a machine is alive. Many firewalls allow outsiders
              to ping internal machines. The intruder can put data into the ICMP
              packets of a ping, forming a shell channel between the pinging
              machines. The administrator may perhaps notice a storm of ping
              packets, but unless he examines the data inside the packets the
              intruder will not be exposed.
              <17> Encrypted links
              The administrator may set up a sniffer and try to capture data from
              the access, but once the intruder encrypts the network traffic
              backdoor it is impossible to determine what is being transmitted
              between the two machines.



              Original author: IntRudeRs 
              Origin: IntRudeRs.126.com 