Below are the general steps of network penetration testing as compiled by the site editor (10 articles in all); we hope they are useful. We also hope you will follow the example of contributor "icandrunk" and submit good articles to this site.
The general steps of a network penetration test are as follows:
1. Reconnaissance. In this phase the tester collects as much information about the target as possible. Reconnaissance takes two forms: active, where the tester probes the target network with tools such as nslookup and dig to determine its IP address ranges; and passive, where information about the company's technology is gathered from newsgroups, job postings and similar sources.
2. Scanning. Most testers use a tool such as nmap to discover open ports and identify the services running on the target hosts. Operating-system fingerprinting also happens in this phase. Scanning includes vulnerability scanning, since exploiting a vulnerability is one of the ways to gain access to a host.
3. Gaining access. Using the information gathered so far, the tester tries to obtain access to the target hosts by testing for vulnerabilities in web applications, databases, the operating system and elsewhere.
4. Maintaining access. Once access has been obtained it must be kept for the rest of the engagement, which means installing a backdoor or trojan so the tester can re-enter the target system repeatedly. Any such implant must be within the agreed scope and removed when the test ends.
5. Covering tracks. Authorization for this must be obtained in advance. If the testers cannot show exactly which log entries they erased, the erased files become a liability problem, so agree with the client beforehand what is to be done at this stage.
In today's networked society each of us is a member of the network, and when you turn on your computer and connect, one day you may find that a stranger in some corner of the earth knows your entire personal file, even your private life. How would you feel? Perhaps you shrug it off, but do not think this is scaremongering. If you live entirely cut off from the network there is nothing to worry about, but if you are one of the network generation you may need to be careful. Let us look at a real example.
Goal: knowing only a person's name (call him Zhang San), find his regular online identities. Precondition: the name is not too common, that is, not shared by too many people; otherwise additional information is needed.
The steps are as follows:
Collecting information
Since only the name is known, we need to find out about his activity online. First log on to www.google.com and www.baidu.com and search for the name; neither returns anything. I expected that, since most ordinary people cannot be found through search engines. So where can more be learned?
Open www.chinaren.com and log in. The alumni directory offers a useful feature, "classmate search". Enter the name and click search: a message says the feature is only available to users with a bound mobile phone. With no alternative, bind a phone and search again. The results come back, as shown in the figure below:
The search has already given us the school he graduated from. Next, open the links to each class in the results. Many classes are now set to private, and visitors cannot read the class message board, but fortunately two classes in the results are public, so their message boards and class address books can be browsed freely. Open Zhang San's entry in the address book: "not a class member, cannot view". Fine: click "join class", and the join goes through without any approval. Now his personal details are visible: his alumni-site account aaa@chinaren.com, his regular e-mail bbb@163.net, and his QQ number 3*******.
Step 1: Getting into the system
1. Scan the target host.
2. Check the open ports and obtain the service software and its versions.
3. Check whether the service software has a vulnerability; if so, use it to get into the system remotely; otherwise go to the next step.
4. Check whether the service software's auxiliary programs (*1) have a vulnerability; if so, use it to get in remotely; otherwise go to the next step.
5. Check whether the service software has weak accounts or passwords; if so, use them to get into the system; otherwise go to the next step.
6. Check whether the service software can be used to obtain valid accounts or passwords; if so, use them to get into the system; otherwise go to the next step.
7. Check whether the service software leaks sensitive system information; if so, check whether it can be used; otherwise go to the next step.
8. Scan the other hosts on the same subnet and repeat the steps above until the target host is reached or the attempt is abandoned.
Step 2: Escalating privileges
1. Check whether the SUID and SGID programs on the target host have vulnerabilities; if so, use them to escalate; otherwise go to the next step.
2. Check whether local services have vulnerabilities; if so, use them to escalate; otherwise go to the next step.
3. Check whether local services have weak accounts or passwords; if so, use them to escalate; otherwise go to the next step.
4. Check whether the permissions on important files are set incorrectly; if so, use that to escalate; otherwise go to the next step.
5. Check the configuration directories (*2) for sensitive information that can be used.
6. Check the user home directories for sensitive information that can be used.
7. Check the temporary-file directories (*3) for exploitable weaknesses.
8. Check other directories (*4) for sensitive information that can be used.
9. Repeat the steps above until root is obtained or the attempt is abandoned.
Step 3: Planting a backdoor
It is best to write your own backdoor program; someone else's program is always easier to detect.
Step 4: Cleaning the logs
It is best to edit the logs by hand rather than deleting them wholesale, and not to use tools written by others.
Notes:
*1 For example, the auxiliary programs of a WWW service include CGI programs.
*2 The directories holding configuration files, such as /etc.
*3 Such as /tmp; the weaknesses here are mainly race conditions.
*4 Such as the WWW directory and data-file directories.
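The local checks in Step 2 (SUID/SGID programs, misconfigured file permissions, world-writable temporary directories) are mechanical enough to script. The Python below is an added example, not part of the original text: it applies those checks to filesystem entries. `walk_tree` reads a real directory tree; `SAMPLE_ENTRIES` is a constructed set of entries standing in for such a walk so the classification can be exercised without scanning a live host. The paths in it are illustrative, not taken from any real system.

```python
import os
import stat
import sys
from typing import Dict, Iterable, List, NamedTuple


class Entry(NamedTuple):
    path: str
    mode: int   # full st_mode, file-type bits included
    uid: int    # owner uid


def walk_tree(root: str) -> Iterable[Entry]:
    """Yield an Entry for every file and directory under root, without following symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            yield Entry(full, st.st_mode, st.st_uid)


def classify(entries: Iterable[Entry]) -> Dict[str, List[str]]:
    """Bucket entries by the Step 2 checks.

    suid_root      : setuid binaries owned by root (candidates for a local exploit)
    sgid           : setgid binaries, any owner
    world_writable : regular files anyone can modify (configs, scripts, cron fragments)
    writable_dirs  : world-writable directories without the sticky bit, where one user can
                     replace another's files: the /tmp-style race-condition setting
    """
    out: Dict[str, List[str]] = {"suid_root": [], "sgid": [], "world_writable": [], "writable_dirs": []}
    for e in entries:
        m = e.mode
        if stat.S_ISREG(m):
            if m & stat.S_ISUID and e.uid == 0:
                out["suid_root"].append(e.path)
            if m & stat.S_ISGID:
                out["sgid"].append(e.path)
            if m & stat.S_IWOTH:
                out["world_writable"].append(e.path)
        elif stat.S_ISDIR(m):
            if m & stat.S_IWOTH and not m & stat.S_ISVTX:
                out["writable_dirs"].append(e.path)
    return out


# Constructed sample standing in for a walk of a host (hypothetical paths, not real data).
SAMPLE_ENTRIES = [
    Entry("/usr/bin/passwd",     stat.S_IFREG | 0o4755, 0),     # expected setuid-root binary
    Entry("/opt/backup/runjob",  stat.S_IFREG | 0o4755, 0),     # third-party setuid root: worth a look
    Entry("/usr/bin/wall",       stat.S_IFREG | 0o2755, 0),     # setgid
    Entry("/etc/cron.d/cleanup", stat.S_IFREG | 0o666,  0),     # world-writable cron fragment
    Entry("/tmp",                stat.S_IFDIR | 0o1777, 0),     # sticky bit set: acceptable
    Entry("/var/spool/uploads",  stat.S_IFDIR | 0o777,  1000),  # world-writable, no sticky bit
    Entry("/home/alice/.bashrc", stat.S_IFREG | 0o644,  1000),  # nothing wrong
]


if __name__ == "__main__":
    # With a path argument, audit a real tree; otherwise show the constructed sample.
    source = walk_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    for bucket, paths in classify(source).items():
        for p in paths:
            print(f"{bucket:15} {p}")
```

The same buckets serve the defender in the detection section later on this page: a setuid-root binary that was not there last week, or a newly world-writable directory, is a finding whichever side you are on.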
/*****************************************************************************/
Now that everyone knows the general steps and thinking of an intruder, let us start on intrusion detection.
Step 1. An intruder who wants to break into a server starts by scanning it and gathering information about it in order to go further. The more information about a system is collected, the easier it is to break in. So when doing intrusion detection it is also worth running a scanner against the system ourselves, collecting the same information, and seeing whether any currently popular vulnerability is present (everything is "popular" these days :).
Step 2. After scanning the server, review and analyse the scan output. If there is a serious vulnerability, patch it (better late than never); if not, move to the next step.
Step 3. If there are no vulnerabilities, scan the system files with an antivirus tool for any backdoors left behind, such as nc.exe or srv.exe. If none are found, move to the next step.
Step 4. After breaking into a machine an intruder usually leaves a backdoor and makes full use of the machine for whatever he wants: scanning the internal network from it to extend the compromise, using it as a stepping stone into machines on other network segments so that the blame falls on this machine's administrator, running 流影 (Liuying) to brute-force mailboxes, and so on.
How do we detect whether the intruder has installed tools or a backdoor on this machine?
Check the ports (I prefer command-line tools; they are more comfortable)
1. fport.exe: shows which program is using each port. Look for illegitimate programs and ports. winshell.exe on 8110? Ugh, a backdoor. net use: who is using this connection to me?
2. netstat -an: shows which ports have connections to external IPs. Port 23 to x.x.x.x? I never opened port 23; how did it get opened?!
3. letmain.exe \\ip -admin -d: lists the members of the local Administrators group; check for anything unusual. Why is there an extra user named "hacker"?? net user id
4. pslist.exe: lists processes, like Task Manager.
5. pskill.exe: kills a process. When Task Manager cannot end a program, use this tool to stop the process.
6. login.exe: lists the users currently logged on to your machine, so that the intruder is not wrecking things while you investigate :(
7. Check the log files. They are huge, so third-party software is needed to analyse them. The logs record the intruder's scans alongside legitimate users' requests.
find "scripts/.." C:\WINNT\system32\LogFiles\W3SVC1\ex010705.log: a decoding vulnerability?? Who is scanning me?
8. Check whether the files under the web directory have changed and whether an ASP or PHP backdoor has been left behind. Check the directory holding the log files:
DOS: dir /a
GUI: set Explorer to show all files and folders
Tip: check the modification dates. I have not updated the site for two months (lazy, I know :), so why are there recently modified files in the web directory?? Odd, isn't it? :)
#######################################
C:\WINNT\system32\LogFiles\W3SVC1>dir
 Volume in drive C is systemServer
 Volume Serial Number is F4EE-CE39

 Directory of C:\WINNT\system32\LogFiles\W3SVC1

2001-07-05  02:43             1,339 ex010704.log
2001-07-05  23:54            52,208 ex010705.log
2001-07-07  22:59                 0 ex010707.log
2001-07-08  22:45                 0 ex010708.log
2001-07-10  08:00               587 ex010709.log
Hm? Strange. Why is there no log file for 2001-07-06?? Suspicious... And the log files for 2001-07-07 and 2001-07-08 are zero bytes; did my site really get no visits for two whole days?? It can't be that bad :( Very odd?!
#######################################
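Two of the checks above lend themselves to a script: looking through the IIS W3C logs for the decoding-style traversal requests (the `scripts/..` search), and looking at the log directory itself for days that are missing or empty. The Python below is an added example, not from the original text. The log lines are constructed to resemble the `scripts/..` hit, the directory entries mirror the listing above, and the traversal patterns are the Unicode (MS00-078) and double-decode (MS01-026) encodings those IIS bugs used.

```python
import re
from datetime import date, timedelta
from typing import Dict, Iterable, Iterator, List, Tuple

# URI fragments used by the IIS Unicode and double-decode traversal attacks of 2000-2001,
# plus the literal string the text searches for.
TRAVERSAL_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"/scripts/\.\.",                   # the pattern the text greps for
    r"\.\./",                           # plain dot-dot traversal
    r"%c0%af", r"%c1%1c", r"%c1%9c",    # overlong UTF-8 encodings of '/' and '\'
    r"%255c", r"%252f",                 # double-encoded '\' and '/'
)]


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line of a W3C extended log, naming columns from #Fields."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        parts = line.split(" ")
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_traversal_hits(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, uri, status) for requests whose URI matches a traversal pattern.
    A 200 on such a request means the server actually ran the command."""
    hits = []
    for row in parse_w3c(lines):
        uri = row.get("cs-uri-stem", "")
        if row.get("cs-uri-query", "-") != "-":
            uri += "?" + row["cs-uri-query"]
        if any(p.search(uri) for p in TRAVERSAL_PATTERNS):
            hits.append((row.get("c-ip", "?"), uri, row.get("sc-status", "?")))
    return hits


# IIS daily log names: exYYMMDD.log; the two-digit year is read as 20YY here.
LOG_NAME = re.compile(r"^ex(\d{2})(\d{2})(\d{2})\.log$", re.IGNORECASE)


def audit_daily_logs(listing: Dict[str, int]) -> Dict[str, List[str]]:
    """listing maps file name -> size in bytes. Returns the dates with no log file between
    the first and last day present, and the dates whose file is empty. Either means the
    server recorded nothing that day, not that nobody visited."""
    by_day: Dict[date, int] = {}
    for name, size in listing.items():
        m = LOG_NAME.match(name)
        if m:
            yy, mm, dd = (int(x) for x in m.groups())
            by_day[date(2000 + yy, mm, dd)] = size
    if not by_day:
        return {"missing": [], "empty": []}
    missing, day = [], min(by_day)
    while day <= max(by_day):
        if day not in by_day:
            missing.append(day.isoformat())
        day += timedelta(days=1)
    empty = [d.isoformat() for d, s in sorted(by_day.items()) if s == 0]
    return {"missing": missing, "empty": empty}


# Constructed log excerpt (not a real server's log); 203.0.113.9 is a documentation address.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-07-05 00:00:14
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-05 00:00:14 10.1.2.3 GET /default.htm - 200
2001-07-05 02:14:07 203.0.113.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2001-07-05 02:14:09 203.0.113.9 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\\ 200
2001-07-05 02:15:30 203.0.113.9 GET /msadc/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2001-07-05 09:30:00 10.1.2.7 GET /images/logo.gif - 200
"""

# Constructed directory listing mirroring the one shown above: name -> size in bytes.
SAMPLE_LISTING = {
    "ex010704.log": 1339, "ex010705.log": 52208,
    "ex010707.log": 0, "ex010708.log": 0, "ex010709.log": 587,
}

if __name__ == "__main__":
    for ip, uri, status in find_traversal_hits(SAMPLE_LOG.splitlines()):
        print(f"{status} {ip} {uri}")
    print(audit_daily_logs(SAMPLE_LISTING))
```

On the sample, the audit reports 2001-07-06 as missing and 07-07 and 07-08 as empty, which is the pattern the listing shows; two of the three traversal requests returned 200, so those commands ran.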
D:\win>dir
 Volume in drive D is New Volume
 Volume Serial Number is 28F8-B814

 Directory of D:\win2000

2001-06-03  17:43    <DIR>          .
2001-06-03  17:43    <DIR>          ..
2001-06-03  17:43    <DIR>          CLIENTS
2001-06-03  17:43    <DIR>          BOOTDISK
2001-06-03  17:43    <DIR>          I386
2001-06-03  17:46    <DIR>          PRINTERS
2001-06-03  17:46    <DIR>          SETUPTXT
2001-06-03  17:46    <DIR>          SUPPORT
2001-06-03  17:46    <DIR>          VALUEADD
2000-01-10  20:00                45 AUTORUN.INF
2000-01-10  20:00           304,624 BOOTFONT.BIN
2000-01-10  20:00                 5 CDROM_IS.5
2000-01-10  20:00                 5 CDROM_NT.5
2000-01-10  20:00            12,354 READ1ST.TXT
2000-01-10  20:00           465,408 README.DOC
2000-01-10  20:00           267,536 SETUP.EXE
2001-06-04  17:37    <DIR>          SP1
2001-06-27  16:03    <DIR>          sp2
2001-07-06  00:05    <DIR>          system
               7 File(s)      1,049,977 bytes
              12 Dir(s)  10,933,551,104 bytes free
The "system" directory: I never modified or installed anything here; since when is there a "system" directory? This folder holds my Windows 2000 installation files. The date is wrong too: 2001-07-06, the very day for which there is no log file. Suspicious...
#######################################
In summary, intrusion detection covers:
1. Detecting attacks over port 80: CGI and IIS program vulnerabilities...
2. Detection based on the security log: a huge workload
3. File-access logging and protection of critical files
4. Process monitoring: backdoors and the like
5. Registry verification: trojans
6. Port monitoring: 21, 23, 3389...
7. Users. I consider this very important, because after getting in an intruder usually adds a user, or enables the Guest account and promotes it to administrator, to make later "work" easier.
An example of IP spoofing to penetrate a network
IP spoofing is extremely difficult; legend has it that only Kevin Mitnick ever pulled it off, and for ordinary people it is out of reach. Under special conditions, however, IP spoofing can be done fairly simply and used for modest ends, such as getting into a system that restricts access by IP address. Take, for example, the case where someone has already penetrated a network.
This article describes the steps a company must go through to promote itself online:
1. Domain registration: to promote yourself online you need a domain that is easy to remember and represents the company's image. A good domain sticks in visitors' minds, which is why many large companies spend huge sums buying short ones.
2. Virtual hosting or a server: the space for the site's content can be chosen according to budget and site type. For a small company's ordinary corporate site, shared virtual hosting is quite sufficient; for a large site with ample funds, a leased server is advisable.
3. Site construction: if you hope to win orders online and get the most from promotion, you need a content-rich site that fully presents your products. Many companies build something very simple with no real content; such sites get few visitors and do nothing for promotion.
4. Corporate e-mail: addresses under your own domain are the main advantage of corporate e-mail. Every time you give out your address you are also promoting your site, making the domain easier to remember and presenting a better corporate image.
5. Website promotion: with the first four steps in place the company is "online", but the web is vast; how do you stand out among hundreds of millions of sites so that potential customers see your products, learn about your company and buy? That is the job of website promotion, which has many methods; the most effective include search-engine optimisation, e-mail marketing, viral marketing and paid search placement. Only when promotion is done properly is the online marketing effort complete; the first four steps are groundwork for it. I will cover the promotion methods in detail later.
Source: www.0532seo.com.cn/WangZhanYouHua/523.htm
By taking the following four steps you can ease the burden of protecting your network. Here are some ways to strengthen your network defences.
Recently Microsoft has been promoting the view that a truly secure network requires attention to five key areas: perimeter defence, network defence, application defence, data defence and host defence. This article discusses network defence as a way to achieve defence in depth.
Microsoft's security philosophy is that you should treat the five areas as separate and defend each independently. That way you make sure each area is properly protected, and if one layer of defence is breached the other four still function and protect your network. For more on improving security in the other areas, see the following articles:
What is network defence?
At first sight the concept of network defence seems too broad and vague, but nothing in this area is superfluous or too general. Network defence deals with the links between networks that join them into one whole. It does not address the external firewall or dial-up connections; those belong to perimeter security. Nor does it cover individual servers or workstations; those belong to host defence. Network defence covers matters such as protocols and routers.
Internal firewalls
Network defence does not include the external firewall, but that does not mean it has nothing to do with firewalls. On the contrary, the first step I recommend is to use internal firewalls wherever possible. An internal firewall is as fundamental to security as an external one; the main difference is that its job is to protect your machines from internal traffic. There are many reasons to use internal firewalls.
First, imagine that an attacker or a virus somehow takes control of your external firewall. It can then talk to the internal network with nothing in the way, and in most cases that means your network is wide open to the outside world. With internal firewalls in place, malicious packets that slip past the external firewall are still blocked.
The other main reason is that many attacks are internal. You may have heard this and assumed internal attacks are unlikely on your network, but I have seen them in the security department of every company I have worked for.
In two places I worked, people in other departments were hackers or had an obsession with administrative rights. They thought probing the network for as much information as possible was cool and worth bragging about. In both places they had no malicious intent (or so they claimed); they just wanted to show their friends they could attack a system. Whatever their motive, they did real harm to network security, and you have to defend your network against such people.
In other places I worked, I saw people install software without authorisation, and that software contained trojans which, once inside, broadcast your information out through specific ports. A firewall has a hard time stopping those malicious packets, because they are already inside the network.
This leads to an interesting observation: most technical people I know have their external firewall block most inbound traffic but place no restrictions on outbound traffic. I recommend treating outbound traffic as carefully as inbound, because you never know when a trojan hiding in your network will start broadcasting your information outward.
An internal firewall can go on any PC or any server. There are good personal firewall products on the market, such as Symantec's Norton Personal Firewall, but since Windows XP ships with a built-in personal firewall you do not necessarily need to spend money on one for your workstations.
To use the Windows XP firewall, right-click My Network Places and choose Properties to open the Network Connections window. Right-click the connection you want to protect and choose Properties, then select the Advanced tab and tick the Internet Connection Firewall option. The Settings button lets you choose which ports to leave open. Although the Windows XP firewall is intended as an Internet firewall, it can also serve as an internal one.
Chinadu's Blog
An article published by the Cisco Security Intelligence Center, original title "Infiltrating a Botnet". For readers' convenience I have translated the title as "渗透一个肉鸡网络" (penetrating a zombie network) :) From a skim, it describes posing as a bot to get onto the server and then learning about the botmaster's dealings. Quite interesting; I imagine those who play with bots fell for this trick long ago.
Overview
Many teams at Cisco are dedicated to security research. One team recently investigated botnets with the goal of improving existing detection methods and discovering the techniques botmasters use to compromise machines. The team’s efforts were rewarded through their protection of an important customer’s network. Their discovery efforts also yielded extraordinary insights into the mind and motives of a botmaster. This paper discusses exploit protection and reports on the interviews the team held with the botmaster they encountered.
Defending a Customer from a Botmaster
Typically, administrators patch vulnerable machines or deploy some sort of intrusion prevention system (IPS) to protect against exploits. Both approaches are effective the majority of the time, but neither approach protects systems against the uneducated user. These approaches may not even protect people who take their machines home if the IPS is network-based. The user who will click and run anything is the greatest threat to any network.
Internet relay chat (IRC) traffic on non-standard ports is a good indicator of malicious activity. Simple botnets often use IRC as a command-and-control framework because the source code is readily available. Joining a chat network is not botnet activity, but it is usually not work-appropriate activity. Cisco offers a service that monitors and manages network-based IPS. By monitoring certain alerts from this data feed, suspicious IRC traffic was easily found.
An Unsuspecting Customer
A Cisco customer was unaware of dozens of compromised machines. A tremendous number of alerts including IRC activity, far larger than anything that could be benign, were occurring on the customer’s network. The traffic from several machines stood out from other systems on the network. There are occasionally oddities in a network, but when a small subset of machines is observed sharing the same odd behavior, researchers should take note.
Figure 1 shows a data feed from a Cisco IPS device.
Figure 1. Monitoring a Cisco IPS Data Feed
Looking at the signature alerts, it was clear that the affected machines had been compromised. The Cisco IPS detected the attack, but unfortunately the customer was not running it inline or connected to the router, so the hits were not blocked. There were several different botnets involved that looked strangely similar. When inspecting the history of the machines, in addition to the IRC traffic, exploitation and reconnaissance attempts were discovered.
None of the traffic was encrypted, indicating that the attackers were either unsophisticated or unconcerned about hiding their tracks. The botmaster occasionally took basic precautions, such as using server and channel passwords, but failed to encrypt the data. Challenge-response exchanges were hidden in normal IRC traffic.
For example, upon connecting to a server, the bot would immediately have to ping “MrB|g” with the key “s3cr3+sq|_|rr3l” or it would be denied access to the server. This challenge-response method was also used by the clients in response to certain RFC 2812 commands, such as a client-to-client protocol version request. Additionally, the bots would respond to non-RFC 2812 commands. It was noted that different botnets seemed to share many of the same commands. This led to the belief that most, if not all, of these clients were based on a common source code. Figure 2 shows the botnet.
Figure 2. Botnet
At this point in the investigation, the team’s largest concern was for the customer. There was an urgent need to determine what the botnet was doing and what information had been compromised. By using the Cisco IPS, a wide range of data about the command-and-control networks was captured. For example, the network was separated into several discrete command-and-control nodes with different IP addresses. Over the course of a few weeks, commands were captured and the network was monitored to see what information the botmaster was targeting. An open source IRC client was set up to emulate an infected machine and join the network. This allowed continuous monitoring without having to leave any compromised machines active.
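The two indicators this section relies on, IRC protocol traffic on ports other than the standard IRC ports and a fixed challenge-response on connect, are what the IPS signature keyed on and what the emulated client had to reproduce. The Python below is an added example, not Cisco's code: it runs that logic over a few constructed flow records. The record layout, the set of "standard" ports, the high port and the sample payloads are assumptions; the nick and key are the ones the text quotes, and the exact shape of the "ping" (a CTCP PING inside a PRIVMSG) is an assumption, since the text does not give the wire format.

```python
import re
from typing import Dict, List, NamedTuple

# Ports where IRC is expected; IRC on anything else is the indicator the text describes.
IRC_STANDARD_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}

# RFC 2812 client-to-server messages: optional ":prefix ", then the command word.
IRC_LINE = re.compile(
    r"^(?::\S+ )?(PASS|NICK|USER|JOIN|PART|PRIVMSG|NOTICE|PING|PONG|MODE|QUIT)\b",
    re.IGNORECASE,
)

# The handshake quoted in the text: on connect the bot must ping "MrB|g" with this key.
C2_NICK = "MrB|g"
C2_KEY = "s3cr3+sq|_|rr3l"


class Flow(NamedTuple):
    src: str      # internal client
    dst: str      # server it connected to
    dport: int    # server port
    payload: str  # first bytes the client sent; cleartext, since this botnet did not encrypt


def irc_messages(payload: str) -> List[str]:
    """Split a stream into IRC messages (CRLF-terminated per RFC 2812; tolerate bare LF)."""
    return [m for m in payload.replace("\r\n", "\n").split("\n") if m]


def score_flow(f: Flow) -> List[str]:
    """Return the reasons a flow looks like bot command-and-control; [] means nothing seen."""
    reasons = []
    msgs = irc_messages(f.payload)
    irc_count = sum(1 for m in msgs if IRC_LINE.match(m))
    # Two or more IRC commands in sequence is the protocol, not coincidence; judge by port.
    if irc_count >= 2 and f.dport not in IRC_STANDARD_PORTS:
        reasons.append(f"IRC protocol on non-standard port {f.dport}")
    # The fixed key identifies this particular botnet whatever port it has moved to.
    if any(C2_KEY in m and C2_NICK in m for m in msgs):
        reasons.append("known C2 challenge-response key in stream")
    # Server passwords are unusual on public IRC networks; low confidence on its own.
    if irc_count and any(m.upper().startswith("PASS ") for m in msgs):
        reasons.append("server password supplied (low confidence)")
    return reasons


def triage(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map each flagged internal host to its reasons. Several hosts showing the same odd
    behaviour is what made the customer's infected machines stand out."""
    return {f.src: r for f in flows if (r := score_flow(f))}


# Constructed flows (documentation addresses; not captured traffic).
SAMPLE_FLOWS = [
    # Employee chatting on a public IRC network, standard port: not bot traffic.
    Flow("10.0.0.21", "198.51.100.7", 6667,
         "NICK alice\r\nUSER alice 0 * :alice\r\nJOIN #lunch\r\n"),
    # Bot joining its C2 server on an arbitrary high port, with the quoted handshake.
    Flow("10.0.0.35", "198.51.100.44", 65500,
         "PASS s3rv3r\r\nNICK [USA|XP|4411]\r\nUSER x 0 * :x\r\n"
         "PRIVMSG MrB|g :\x01PING s3cr3+sq|_|rr3l\x01\r\nJOIN #b0ts k3y\r\n"),
    # Ordinary web request on a non-IRC port: no IRC commands, nothing to flag.
    Flow("10.0.0.40", "198.51.100.80", 80,
         "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

The port check alone would miss a bot that happens to use 6667, and the key check alone would miss a botnet that rotated its key with each server move; taken together they reproduce the two observations the team made.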
The botmaster targeted employees instead of the company itself. This action likely helped the attacker to remain undetected. The botmaster’s mode of attack involved stealing employees’ passwords that were stored in Internet Explorer and then adding a redirect in the hosts file that enabled a man-in-the-middle attack against a bank in Latin America.
Stopping the Bot
Once the extent of the damage was determined, the bot needed to be stopped. The team was able to demonstrate the modification of the hosts file, making the compromise irrefutable. Some of the machines appeared to have been compromised dozens of times. A worm or trojan would compromise the machine and update the hosts file, only to have it corrected by the virus scanner (or other malware).
The correction would prevent the man-in-the-middle attack but the botnet would load normally. This action occurred each time the system booted. Some machines had dozens of entries that showed that the hosts file was corrected repeatedly. It became clear that it was not feasible to clean every infected machine, because in the time it took to alert the company to the problem, the personal information of hundreds of employees could be compromised.
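The hosts-file redirect described above is both the attack's payload and the evidence the team used to prove the compromise, and it is a check any responder can automate: parse the file and report every name that is not a plain loopback alias. The Python below is an added example, not Cisco's code. The sample hosts file is constructed; the bank hostname and the addresses in it are hypothetical.

```python
import ipaddress
from typing import List, NamedTuple, Tuple


class HostsEntry(NamedTuple):
    address: str
    names: List[str]
    line_no: int


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file syntax: 'address name [alias ...]'; '#' starts a comment."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            entries.append(HostsEntry(parts[0], parts[1:], n))
    return entries


def suspicious_entries(entries: List[HostsEntry]) -> List[Tuple[HostsEntry, str]]:
    """Flag every mapping that is not a loopback or unspecified-address entry.

    A stock hosts file only maps localhost-style names to 127.0.0.1, ::1 or 0.0.0.0.
    Anything else overrides DNS for that name on this one machine, which is exactly what
    the bot did to send the bank's hostname to an attacker-controlled server.
    """
    flagged = []
    for e in entries:
        try:
            addr = ipaddress.ip_address(e.address)
        except ValueError:
            flagged.append((e, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        if addr.is_private or addr.is_link_local:
            flagged.append((e, "private address pinned; confirm with the network team"))
        else:
            flagged.append((e, "public address pinned, bypassing DNS: man-in-the-middle pattern"))
    return flagged


# Constructed hosts file (the bank name and addresses are hypothetical).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
10.1.1.5        intranet fileserver      # added by the help desk
1.2.3.4         www.banco-ejemplo.test   # the line a bot adds: bank name pinned to attacker IP
"""

if __name__ == "__main__":
    for entry, reason in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {entry.line_no}: {entry.address} {' '.join(entry.names)} -> {reason}")
```

Run against the real file (C:\WINNT\system32\drivers\etc\hosts on the Windows 2000 hosts in this story), the output is short enough to eyeball; the "public address pinned" lines are the ones to compare against the bank's real DNS records, and a file that keeps reacquiring such a line after cleaning is the reinfection loop the team saw.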
The customer did not have the capability of running Cisco IPS inline, so the firewall was examined. When monitoring the botnet, it became very clear that the IRC servers would update fairly frequently. The IRC servers would move ports, servers, and change passwords, sometimes several times a day. This frequent updating made it extremely hard to block the command-and-control servers.
The team found a visible flaw in the attack: the botmaster had overlooked the update servers. The botmaster had several domain names for the update server that could be broadcast by means of IRC to update the bots before a server change-over. Close inspection revealed that the IP address of the update server always belonged to one of a small group of machines. Blocks were put in place immediately.
When the botmaster issued the next update, only a few of the systems (and none from the customer) followed. The botmaster repeatedly issued the update command to no avail. When the machines were locked down to one IRC server, a single block was sufficient to disable the network.
Had the botnet-client been more robust, it would have been necessary to block backup networks. In this case, the customer was lucky, and the single block was sufficient. The team continued monitoring the network to ensure the systems were unable to reconnect to the network, giving the customer the needed time to reimage all of the compromised machines. It was not a perfect solution, but it stopped the data leakage and prevented the systems from compromising other machines on the network.
Conversations with a Botmaster
With the customer protected, only curiosity remained. The team wondered what type of attacker would go to such complicated lengths but leave such a simple hole in their plan of attack. Did the botmaster have so many networks that it didn't matter if one was blocked? Was the botmaster a script kiddie? For answers, one of the researchers decided to go back to a monitoring box and ask. At this stage the customer was protected and the botmaster was likely away from the keyboard. The researcher sent out an intrepid “hey” and received a response from the botmaster: “?” Thus began what turned into a months-long conversation.
The botmaster, upon realizing that one of his bots was suddenly sentient, appeared to assume that the researcher was a fellow botmaster and that their respective networks had “collided.” The researcher worked to strengthen the botmaster’s assumption. Pretending to be a fellow botmaster, the researcher asked about the server software. Figure 3 shows the initial conversation with the botmaster.
Figure 3. Starting a Conversation
After some inconsequential chat, the researcher asked if the botmaster was using his network for anything interesting. The botmaster readily revealed his master plan: to compromise a few thousand machines and then sell them off in big batches. With careful questions, the researcher learned from the botmaster that the market rate was about US$0.10-$0.25 per machine and that the botmaster had recently sold 10,000 machines for US$800. In attempts to bond with the botmaster, the researcher discussed popular exploits, sharing stories of “pwning,” or gaining control of, dozens of machines at a time.
With a solid background in IPS, the researcher was aware of current trends in vulnerability research but asked in what area the botmaster focused his efforts. The expected answer was a Microsoft vulnerability that worms such as Conficker exploit. The botmaster’s answer, however, was that he mostly focused on instant messaging software. No vulnerability was required to grow his network. Instead, he could spam 10,000 people with a simple “check out this cool software” message and rely on at least a one percent response from the recipients. As an approach, it made sense, because the same process continues to work for spammers as it has worked for years, despite efforts at user education.
After revealing his methodology, the botmaster appeared to suddenly realize that perhaps he had shared too much information with an unknown person. He quizzed the researcher on “old school” (that is, previously well-known) hackers. The researcher responded that he did not know any of the old-school attackers. (When the researcher later did online searches on the old-school attackers, most of them had been apprehended by the Federal Bureau of Investigation.) By saying he did not know any of the attackers that the botmaster named, the researcher established credibility with the botmaster that he was not a law enforcement agent. After this exchange, the botmaster gave the researcher his contact information through Microsoft Network (MSN) so the two could communicate more easily. Figure 4 shows a trust-building session between the researcher and the botmaster.
Figure 4. Building Trust
You Can Find Everything on the Internet
As any good hacker would, the researcher immediately keyed the botmaster’s screen name into Google and found a few posts. The posts led the researcher to additional handles, or usernames, which then led to hundreds of posts by the same author. Under a different handle, the botmaster was the author of an enormous amount of IRC-based botnet software. He was also very well known in the black hat community, where attackers and hackers share information.
Intrigued, the researcher decided to accept the botmaster’s invitation to stay in touch. The researcher created an MSN account and, over the course of several days, multiple MSN conversations were held between the researcher and the botmaster. Topics focused primarily on secrets of the botnet trade and discussions of various software packages. The botmaster confirmed the researcher’s theory that many of the IRC-based botnets stemmed from a single source; however, he declined to provide a copy of the modified version he had adapted. Instead, the botmaster directed the researcher to an online forum that contained a profusion of information regarding botnet activity.
Figures 5 and 6 shows the conversations of the botmaster directing the researcher to the forum.
Figure 5. Directions to a Forum―Part 1
Figure 6. Directions to a Forum―Part 2
One-Stop Botnet Shopping
The forum hosted discussions on all the information that anyone would need to form a botnet, including several detailed how-to guides. The researcher was able to acquire source code for the bot and the server from the forum. The server code was based upon a modified Unreal IRC server. The client code, which would have no legitimate use, was a valuable source for IPS signatures. While all of the command functionality could in principle be rewritten, botmasters capable of doing that would likely not be using the publicly available source code.
Entire sections of the forum were dedicated to the buying and selling of botnet paraphernalia, such as RapidShare file hosting accounts, packers, password lists, bot software, and password stealers. The bot software is advertised much like any other software, listing various features such as “four methods of command and control,” “undetected by virus scanners,” “anti-x (sandbox, debugger, etc.),” “process monitoring,” and so forth. Several bot software authors have followed the Microsoft practice of offering multiple versions of software at tiered pricing levels.
The “For Sale” sections were governed by a very specific set of rules, including a rule that stated that botnet software could not be sold in the forum, likely due to the laws of the country in which the server hosting the forum resides.
The software for creating botnets, including directions and tutorials, was widely available for download or purchase. It was forbidden to sell the software on the forum if the software was publicly available, a rule that seemed to be an attempt to deter botmasters from taking advantage of one another. For concerned bot shoppers, all software was verified by a trusted moderator so that the buyer could trust that they would be receiving the software for which they were paying.
Pretense to Avoid Pwning
The customer who had originally been infected had been clean for months when the researcher decided to seek out the botmaster again to learn more about the botnet community. The researcher was concerned about not revealing any specifics about the customer or himself but needed to establish a level of trust with the botmaster. With these considerations in mind, the researcher decided it was more likely that the botmaster would speak with a journalist than an IPS specialist pretending to be a fellow botmaster.
After re-establishing contact with the botmaster, the researcher promptly “confessed” to being a reporter researching an article on botnets. The researcher explained that he had contacted the botmaster again because he was seeking the most accurate data possible for his article. The researcher expected his virtual disguise would pass the botmaster’s scrutiny because of the widespread disdain by certain groups in the security community of the quality of security reporting.
Within the security community, there is a perception that only a few reporters actually understand the security topics that they cover. Some part of nearly every story is wrong or greatly exaggerated. For example, a recent article in PC World [1] stated that the widely publicized attack on the creator of Metasploit was performed by an unknown attacker who had weaponized Dan Kaminsky’s discovery of a fundamental flaw in DNS [2]. The article contained so many errors that, in addition to a printed retraction, additional reporting was required to correct the published description of the issue [3]. H D Moore, Metasploit’s creator, claimed that the statements attributed to him were completely fabricated [4].
The botmaster had strong opinions on security reporting. He mentioned Conficker in particular as an example of faulty reporting that resulted in exaggerated numbers of affected systems. One antivirus software company [5] had based its publicly reported count of affected machines on a variable in the URI sent from the compromised machines. The variable, known as Q, reported to the botnet’s command-and-control system the number of machines each infected host claimed to have attacked. Counting compromised machines this way was easily distorted by Dynamic Host Configuration Protocol (DHCP) address changes and other effects. A user on the company’s public blog even posted a comment pointing out the possibility of easy manipulation, but the company dismissed the comment and did not correct its reported numbers.
The actual count of affected systems would not be established until weeks later, in a subsequent report by a separate research company [6] that explicitly pointed out that “Q reports the number of machines that each victim claims to have infected. Q may be artificially inflated by reinfections and DHCP effects.” According to the latest report [7], the numbers produced by the initial method were off by a factor of 50.
Figure 7 shows a continuation of the conversation between the researcher and the botmaster.
Figure 7. A Little Anonymous Fame
The researcher assured the botmaster that even if he chose not to be interviewed or answer questions, he could have a little “anonymous fame.” Surprisingly, the botmaster agreed to participate. Recognizing the unusual opportunity, the researcher suggested an audio conference over Tor [8], whose onion routing would make the connection hard to trace. The botmaster reported he did not have a microphone available, but more likely he feared the researcher would try to trace him through the tunneled connection. His reluctance may also have stemmed from unfamiliarity with onion routing. The researcher’s first question was why it would be preferable to sell bots instead of turning them into spam or phishing networks. The botmaster’s answer was that selling bots was a rarity; normally, bots would be used as a network for phishing attacks. When the researcher asked how much money could actually be made from phishing activities, the botmaster was evasive about his most lucrative bot activities, but said “a guy he knew” was able to earn US$5000 to US$10,000 a week solely through phishing activities.
Figures 8 and 9 show conversations about selling bots.
Figure 8. Phish or Sell
Figure 9. Lucrative or Unprofitable?
The researcher offered the botmaster a lighter question, asking what was the strangest thing the botmaster had found on a compromised machine. The botmaster replied he had found inappropriate pictures of a minor and had promptly reported the issue to the authorities.
The researcher asked the botnet owner about his proudest moment as a botmaster. The answer involved the Windows Distributed Component Object Model (DCOM) attack (MS03-026, IAM 11104), which exploited a bug in the DCOM Remote Procedure Call (RPC) interface. The vulnerability existed in all modern versions of Windows at the time and was remarkably easy to exploit. The botmaster said that when he ran the attack, his server was flooded with joins, with each join representing the compromised machine of an unsuspecting user.
The researcher and the botmaster continued to chat, discussing protective measures. New security features in Windows Vista, such as kernel patch protection, prevented his bot from running in Ring0 [9]. Ring0 refers to the processor’s protection-ring model: x86 defines four rings, of which Ring0 is the most privileged, where the kernel resides, and Ring3 the least privileged, where a user’s programs execute. Given this limitation, the botmaster’s bot would not function on Vista.
Figure 10 shows the conversation about Ring0
Figure 10. Protective Measures
Over the course of the conversations, the botmaster revealed that he could never trust anyone 100 percent of the time and that it was necessary for him to be on guard constantly and follow good computing practices. Other botmasters would act on any opportunity to take over his networks, and according to Google-cache hits, they had tried in the past. However, lack of trust is common among botnet owners, and with good reason. In one instance, the botmaster had used a hijacked account to impersonate a law enforcement official and force another botmaster to abandon a 6,000-node network. The botmaster had to remain alert at all times, his firewall blocking nearly all inbound connections, and surfing the Internet via proxy chains [10] to remain anonymous.
The botmaster provided a list of the best and worst sites, all of them built around forums. Forums facilitate the code reuse that is often associated with botnet clients. The botnet community is similar to the open source community, in which more experienced users in the forum help or humiliate new botmasters. According to the botmaster, only 20 percent really understand the code offered through the forums; the rest simply run the code and do their best to follow the help files. He estimated that another three to five percent of botmasters write unique code.
Figure 11 shows a conversation in which the botmaster estimates the percentage of unique coders.
Figure 11. Who Writes Code?
Conclusion
Many people, researchers included, wonder why attackers do not pursue legitimate IT or programming jobs. According to the botmaster, the barriers to legitimate work are a criminal record and a lack of professional education; frequently, both factors prevent attackers from gaining regular employment.
Figure 12 shows the conversation regarding barriers to legitimate occupations.
Figure 12. Why not Get a Real Job?
The researcher asked how attackers experience security companies and services, and whether the botmaster felt pressured by the security companies. His response was that “a few companies catch on very quickly but, for the most part, it is business as usual.”
As the botmaster stated, running a botnet was his business. The criminality of running a botnet was simply a by-product of his primary means of employment. The botmaster’s product is a management interface to a multinode network that can be sold to other customers for a profit. Perceiving himself as a small business owner, the botmaster is not concerned with impacting the functionality of a user’s personal computer or with the possibilities of identity theft or data leakage, but instead with generating income.
Anyone with basic computer experience is able to run a botnet. It is not necessary to understand the code, nor is there a need to understand networking. Both traditional and new media organizations frequently report on the need to patch against the latest threat that exploits a recent vulnerability. Readers rarely hear, however, about the kid who lives in their neighborhood who runs a 10,000-node botnet based on MSN instant message spam. Not all bots are created with equal proficiency. Botmasters are implementing cutting-edge evasion techniques to avoid detection and prevent reverse engineering. It is imperative to keep attackers of both types in mind, professionals and script kiddies, when designing a network’s defenses. To effectively combat the bot economy, the cost of doing business must be raised by educating users and following security best practices. Attackers pursue easy money. Maximum gain with minimal effort is the prime motivator for a botmaster. If the time required to compromise machines increases, attackers will move on to easier targets.
Patching is important, but user education is key. A corporation can deploy the latest security measures but remain vulnerable to data theft, hosting spam servers, or worse. Business users must be educated to comply with safe behavior. If policies are not in place to limit non-business communications, or if users do not understand the importance of leaving random files unopened, there is little point in administrators patching machines.
Using Cisco IPS alerts, the research team was able to identify and disable a botnet. The IRC traffic on non-standard ports was a clear sign of compromised systems. Without Cisco IPS, the customer would have been blind to the botnet activity, and its employees could have had their stored passwords compromised, leading to bank fraud or identity theft. If the customer had been able to run the IPS inline, the compromise would not have occurred. An intrusion detection system also has its place in a network; without the history of previous alerts from a management tool, the remediation for the customer’s systems would not have been possible.
Acknowledgments
Cisco Security Intelligence Operations
Today the Internet has become a battleground that every publisher and author must contend for. Beyond traditional online uses such as book reviews, media interviews, serializations, excerpts and shopping guides, there is now a large body of full-time online promotion staff who take on forum posting, blogging, microblogging, IM mass-messaging and similar work, which is one sign that online promotion is maturing.
After authors and editors have spent dozens or hundreds of days and nights writing, proofreading and typesetting, a new book is born, and at that point its sales become the shared concern of publisher and author. This depends not only on the book's intrinsic quality but also on a sustained promotion strategy.
For online promotion staff, the methods, approaches and tools involved present no insurmountable barriers; beyond reusing existing media relationships, the psychological penetration of the promoted product plays a crucial role.
Take the "A man must have gold content" installment of the online promotion for 《创造奇迹:零起步创财富》 (Creating Miracles: Building Wealth from Zero) as an example. In addition to the usual channels such as book review sharing, book news distribution, excerpts, IM mass-messaging, SNS sharing, E-DM and shopping guides, the planners took a different path: using "a man's gold content" as the entry point, they told the entrepreneurial story of a cute baby, wove social reality into it, and let readers grasp the book's content naturally.
The story originated on an obscure forum called 好天津 and spread through well-known domestic SNS communities such as 开心网 (Kaixin) and 人人网 (Renren), where it was shared and reposted among friends and received an enthusiastic response from many entrepreneurs and would-be entrepreneurs, most of them born in the 1980s. At the same time it was posted on various strong regional forums, on Sina blogs, , , and elsewhere, accumulating more than 100,000 hits on the first day. The reason this promotion drew attention so quickly lies in its successful psychological penetration.
Creating Miracles: Building Wealth from Zero is a comprehensive, systematic guide to starting a business, modeled on the rags-to-riches story of 许敬东 (Xu Jingdong), founder of 金桥 (Jinqiao), the leading domestic second-hand computer chain. Based on these features of the book, the planners started from the "3B" principle (beauty, beast, baby), combined it with the social reality that "women love talent, but value wealth more", and produced a series of image sets featuring a cute baby.
The storyline runs roughly as follows:
A little kid sets his mind on a goal from an early age, studies hard, finds a job without trouble and lives a cramped "snail-dwelling" life; hard as it is, he has a girlfriend to share it with, and they are happy enough.
Years later nothing has changed and his finances have not noticeably improved; at this point his girlfriend attracts the attention and pursuit of a wealthy man, and the kid suffers the painful blow of being dumped by the girlfriend of several years because he was too poor, as she runs off with the rich man.
After painful reflection he resolves to start a business, but that is easier said than done: he tries two projects, both end in failure, and he cannot find the way. At his lowest point he receives guidance from a successful person, adjusts his mindset, adopts a scientific and systematic approach, builds a team, cuts through every obstacle and finally joins the ranks of the successful, with wine, meat and beautiful women throwing themselves at him, living carefree. Under a flurry of questions the kid finally shares his secret, and the frame shows the book's cover (voice-over: to learn the details, read the book and you will understand), giving viewers a certain amount of guidance.
The stark contrast between before and after drives home that "a man must have gold content": not only talent but wealth. If you love her, give her happiness; love cannot be eaten, and love with bread is more practical and secure.
Today the post-80s generation has entered its thirties and is gradually becoming the backbone of society, yet high housing prices and high living costs leave them gasping for breath. Many feel squeezed from both sides: a salary alone cannot possibly meet the need to buy a home in the short term, so many choose to start a business. The simple idea that "there is a method to entrepreneurship" gives the story a solid social foundation.
Although only 1 of the 41 images showed Creating Miracles: Building Wealth from Zero, the effect was quite good: within two days both 当当网 (Dangdang) and 卓越网 (Amazon China) announced the book was out of stock.
From the case above we can briefly summarize how to achieve psychological penetration in online promotion:
1. Book quality: quality must be assured. A good book does not necessarily sell well, but a poor one will certainly not win sustained reader support. This book has sharp language, deep insight and a systematic, practical approach, and is a relatively good work;
2. Clear targeting: concise and well-defined. Although the book suits a fairly broad readership, the planners focused mainly on post-80s readers with relatively rich work experience as the real-life model for the little kid, making it easier to strike a chord;
3. The right platforms: birds of a feather flock together. The promoters chose well-known platforms where the post-80s generation is concentrated, such as 开心 (Kaixin), 人人 (Renren) and 腾讯 (Tencent), for fast and wide dissemination, strengthening the effectiveness of the penetration;
4. Activating interaction: beyond the convenience of one-click reposting, the campaign set up opinion polls and interactive comments so users could instantly see how other users reacted, which helped draw users into participating.
In short, achieving psychological penetration requires careful analysis by the planners and solid groundwork on the social context, user characteristics, media preferences and reading habits; this is the basic guarantee of the psychological penetration that online promotion pursues.
Eight proven steps to draw visitors to your website, and get them to buy.
As an online marketing coach, I am often asked how to set up and run an online business. I tell them: you can follow a series of proven steps to ensure your success. How do I know? I have seen thousands of people build and run online businesses by following exactly the same process.
Step 1: Find a need and fill it.
Most marketers make the mistake of looking for a product first and a market second. But unless people are actively searching for your product online, it will never sell. The trick is to find a common problem that people are trying to solve, and then solve it.
Fortunately, the Internet makes market research easy. Here are some simple steps to help you research your market:
Visit online forums to see what questions people are asking and what problems they are trying to solve.
Identify keywords that many people search for but that few websites compete on.
Check out your potential competitors by visiting their websites and noting what they do to meet the need.
As you do this, use what you learn to develop a product for an existing market, and do it better than your competitors.
Step 2: Write outstanding sales copy.
On your website, your sales copy must do the selling for you. There is a proven formula for writing sales copy that takes visitors through the selling process from the moment they arrive:
Arouse interest with a compelling headline.
Describe the problem your product solves.
Establish why you can be trusted to solve that problem.
Add testimonials from customers who have already used the product.
Talk about the product and how it benefits the user.
Make an offer or a guarantee.
Create urgency.
Ask for the sale.
Throughout your sales copy, focus on how your unique product or service solves people's problems or makes their lives better. Put yourself in the customer's place and ask: what do I get from this product?
Step 3: Design and build your website.
Once you have chosen your market and product and nailed down your selling process, the next step is to build your website.
Remember to keep it simple. Your website is your online storefront, so make it customer-friendly. You have less than 10 seconds to capture a visitor's attention before they leave. Some important tips to keep in mind:
Use a plain sans-serif font such as Arial on a white background.
Make your navigation clear and simple, and keep it consistent across the whole site.
Use graphics, audio or video only if they enhance your message.
Include an opt-in form to collect e-mail addresses.
Step 4: Use search engines to drive targeted customers to your site.
How does a new site grow its traffic? Pay-per-click advertising has two advantages:
Ads appear on search pages immediately.
They let you test different keywords, headlines, prices and selling approaches.
Not only do you get traffic quickly, but once you find your best keywords you can place them in your sales copy and site code, which will help your ranking in organic search results.
Step 5: Build an expert reputation to increase site traffic.
People use the Internet to find information. If you provide valuable information for other sites to use, including a backlink, you will get more traffic and better search engine rankings. Ways to establish yourself as an expert include:
Give away free content such as articles, videos or other useful information, and distribute it through online article directories and social media sites.
Add "send to a friend" links to the valuable content on your website.
Become an active expert in the industry forums and social networking sites where your target market is.
If you use these strategies you will gain new readers. Better still, every site that publishes your content will link back to yours; search engines favor links from relevant sites and will raise your ranking.
Step 6: Use the power of e-mail marketing to stay in touch with visitors and turn them into buyers.
When you create an opt-in form, you are creating the most valuable asset of your online business: permission to e-mail your visitors. Why is e-mail marketing so important?
You give prospects what they want.
You build lifelong relationships with people in your target market.
Response is 100% measurable.
It is cheaper and more effective than print, TV or radio advertising because it is highly targeted.
It can be almost completely automated.
Anyone who visits your site and submits the form is a customer worth trusting. There is no better tool than e-mail for following up these leads effortlessly.
Step 7: Increase your income through back-end sales and upselling.
One of the most important online marketing guidelines is to develop the lifetime value of every customer. If you follow up, at least 36% of people will become repeat customers. Making the first sale to a customer is by far your hardest job, not to mention your most valuable one. Here is how to turn them into repeat customers:
Offer products that complement their original purchase.
Send electronic coupons they will consider redeeming on their next visit.
Offer related products on your "thank you" page.
If you reward loyal customers, they will become even more loyal in return.
Step 8: Launch an affiliate program to maximize your sales and income.
Once your business is up and running, it is time to launch your own affiliate program. Affiliates promote your product at a discount on their own websites, and every time they bring you a buyer, you pay them a commission.
An affiliate program is a simple, low-maintenance way to grow your business. Once your program is launched, all you have to do is share your marketing materials with your affiliates and send them a check when they sell products.
By doing this you do not have to go out and spend money on advertising; your affiliates advertise for you. Better yet, you only pay them when they sell something.
In my more than 10 years in online business, the Internet has changed by the day, but the principles for building and growing an online business have changed little.
If you are just starting out, follow this quick guide step by step. If you have been online for a while, skim through it and see whether there is a step you skipped at the beginning or never tried. With these fundamentals, you cannot go wrong.
[What are the most basic steps to starting an online business]