
[Discussion] Catching the hacker: computer forensics

[This post was last edited by 黑色海岸线 on 2004/12/15 10:16am, edit 1]

   First, the scan report for one computer is as follows:
Address: 192.168.1.249
This is the IP (Internet Protocol) address of the machine, a single machine might have multiple IP adresses associated with it.  
Host name: WALL
This is the domain name of the machine. There can be multiple domain names assigned to a single IP (Internet Protocol) address or one domain name assigned to multiple IP addresses.  
Average Ping Response: 0 ms
Time To Live: 128
Report Date: 2004-12-01
This is the date and time the scanner started to perform the auditing process. The date and time is reported off the machine local time zone.  
Audits 4 - 3

NetBIOS: Null Session
Description A Null session is sending a null for the user name and password when establishing a connection to the ipc$ (Inter Process Communication) pipe. If a remote attacker is able to establish a null session they can gain lists of user names, shares, etc...
Risk Level: High
How To Fix: Add the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA Name: RestrictAnonymous Type: REG_DWORD Value: 1.
CVE GENERIC-MAP-NOMATCH
BugtraqID: 494
Accounts: Administrator - Password Does Not Expire
Description If a users password does not expire you allow a remote attacker endless amount of time to try to figure out your users password. It is recommended that you make all users passwords expire unless the user account is used for a system service.
Risk Level: Medium
How To Fix: Remove the password never expires option from the user account.
1. Open User Manager.
2. Select the user from the list.
3. Select Properties from the User menu.
4. Uncheck "Password Never Expires."
5. Click "Ok".
CVE CAN-1999-0535
Accounts: Guest - User Never Logged On
Description It is suggested that you review this user account. If it is not needed or was not created by an administrator of your network, it is suggested that you disable or delete it.
Risk Level: Information
How To Fix: To delete the account:
1. Open User Manager
2. Select the account to delete
3. Press the "Delete" key
4. Click "Ok"
To Disable the account:
1. Open User Manager
2. Select the account to disable
3. Select Properties from the User menu
4. Check "Account Disabled"
5. Click "Ok"
CVE GENERIC-MAP-NOMATCH
Accounts: Guest - Password Does Not Expire
Description If a users password does not expire you allow a remote attacker endless amount of time to try to figure out your users password. It is recommended that you make all users passwords expire unless the user account is used for a system service.
Risk Level: Medium
How To Fix: Remove the password never expires option from the user account.
1. Open User Manager.
2. Select the user from the list.
3. Select Properties from the User menu.
4. Uncheck "Password Never Expires."
5. Click "Ok".
CVE CAN-1999-0535
Machine 4 - 4
Date and Time 12/14/2004 2:17
Name WALL
Workgroup DEVP-DOMAIN
OSName Windows NT
OSVersion 5.0
Shares 4 - 5
IPC$: 远程 IPC
Type IPC
Description This is a default share created when the server first boots. Responsible for Inter Process Communications.  
D$: 默认共享
Type DISKTREE
Description This is a default share created when the server first boots. It is a mapping to the root of your D drive.  
tools
Type DISKTREE
ADMIN$: 远程管理
Type DISKTREE
Description Default Administration share. The admin$ share is a mapping to \winnt\system32. An attacker could use access to this share to remotely run l0pht crack against your server to find out your passwords.  
C$: 默认共享
Type DISKTREE
Description This is a default share created when the server first boots. It is a mapping to the root of your C drive.  

Users 4 - 6

Administrator: 管理计算机(域)的内置帐户
User: Administrator
Logon Server: \\*
Number of Logons: 252
Privilege: Administrator
Password expired: no
RID: 500
Bad PW Count: 0
Country Code: 0
Guest: 供来宾访问计算机或访问域的内置帐户
User: Guest
Account Disabled: True
Logon Server: \\*
Number of Logons: 104
Privilege: Guest
Password expired: no
RID: 501
Bad PW Count: 4
Country Code: 0
Ports 4 - 7

21: FTP - File Transfer Protocol [Control]
Found Audits 0
80: WWW-HTTP - World Wide Web HTTP (Hyper Text Transfer Protocol)
Found Audits 0
81: HOSTS2-NS - HOSTS2 Name Server
Found Audits 0
82: XFER - XFER Utility
Found Audits 0
83: MIT-ML-DEV - MIT ML Device
Found Audits 0
119: NNTP - Network News Transfer Protocol
Found Audits 0
135: RPC-LOCATOR - RPC (Remote Procedure Call) Location Service
Found Audits 0
137: NETBIOS-NS - NETBIOS Name Service
Found Audits 0
138: NETBIOS-DGM - NETBIOS Datagram Service
Found Audits 0
139: NETBIOS-SSN - NETBIOS Session Service
Reply Banner in Request ?
Found Audits 0
445: MICROSOFT-DS - Microsoft-DS
Found Audits 0
500: ISAKMP -
Found Audits 0
1025: LISTEN - listen
Found Audits 0
1026: NTERM - nterm
Found Audits 0
1080: SOCKS - Socks
Found Audits 0
5190: AOL - America-Online
Found Audits 0
8080: Generic - Shared service port
Found Audits 0
8088: Generic - Shared service port
Found Audits 0
9010: SERVICE
Found Audits 0
--------------------------------------------------------------------------------

Over a long period we have noticed traces of the computer's desktop being tampered with. Note that this is not modification done from cmd, but modification through interactive use of the desktop. Let's discuss how the hacker carried out the intrusion.
2. How do we capture evidence of the other side's intrusion?
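The discrepancy the thread keeps returning to is that the scanner lists ports 21 and 80 as open while netstat on the host shows nothing listening there. As an added example (not from the thread or the scanner's vendor), the Python below reconciles the two views: it parses port lines in the report's own layout and a netstat -an listing, both constructed here as sample input, and returns the ports that only one side shows. A port the scanner sees but the host does not listen on points to something in between (a proxy, a honeypot, or a scanner artefact) rather than a service on the host.

```python
import re

# Constructed excerpt in the scan report's "Ports" layout (port: name, then a
# "Found Audits" line). Assumed: a line starting "<number>:" is an open port.
SCAN_REPORT = """\
21: FTP - File Transfer Protocol [Control]
Found Audits 0
80: WWW-HTTP - World Wide Web HTTP (Hyper Text Transfer Protocol)
Found Audits 0
139: NETBIOS-SSN - NETBIOS Session Service
Found Audits 0
445: MICROSOFT-DS - Microsoft-DS
Found Audits 0
"""

# Constructed "netstat -an" output in the column layout Windows 2000 prints.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.249:139      0.0.0.0:0              LISTENING
  TCP    192.168.1.249:139      192.168.1.2:1034       ESTABLISHED
"""

PORT_LINE = re.compile(r"^(\d+):\s*(\S+)", re.M)
LISTEN_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.M)

def scanner_ports(report):
    """Port number -> service label for every port the scanner listed."""
    return {int(m.group(1)): m.group(2) for m in PORT_LINE.finditer(report)}

def listening_ports(netstat):
    """TCP ports the host itself reports in the LISTENING state."""
    return {int(m.group(1)) for m in LISTEN_LINE.finditer(netstat)}

def reconcile(report, netstat):
    """Return ({phantom port: label}, [unreported listening ports]);
    phantom = scanner saw it open but the host does not listen on it."""
    seen, local = scanner_ports(report), listening_ports(netstat)
    phantom = {p: seen[p] for p in sorted(set(seen) - local)}
    return phantom, sorted(local - set(seen))

if __name__ == "__main__":
    phantom, unreported = reconcile(SCAN_REPORT, NETSTAT_OUTPUT)
    for port, label in phantom.items():
        print(f"scanner saw {port} ({label}) open; host is not listening on it")
    print("listening but not reported by scanner:", unreported)
```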


Note: this computer has no IIS, PWS or other web publishing component installed, and no FTP software either!


To state it again: netstat/an on the compromised computer shows no port 21 or 80 listening.



   I don't understand what you mean?



   It looks like ipc$ was open; my guess is the intruder brute-forced the administrator account's password,
   then was able to map host WALL's drives and tampered with things in the administrator's desktop folder.

   As the scan report above says, no service we could currently find useful is open. But the admin account could be guessed, and a null session can be established.
   The guest account is not activated.
   That seems to be about it.
   My English is pretty bad; I can't read it very clearly.


Why can't I understand any of this...
Please give me lots of pointers in future, masters...


[This post was last edited by damnyou on 2004/12/15 08:31pm, edit 2]

   As for forensics, let me try to list a few points.
   1. Since the desktop shows traces of tampering, you should be able to check the last-modified dates of the files that were touched.
   2. Since there is nothing that could be used for remote administration, we can consider that it was a local, physical login.
   Since guest is not activated, look at the admin logon times (Event Viewer --> Security --> logon auditing), combine that with point 1, and see who had the opportunity to reach the host during that period. In fact, once it is physical access to the host, everyone can think of many forensic approaches: management and use of the server-room keys (cards, combination locks) (too many specifics to list), surveillance video, checking the keyboard or monitor (if there is one) for the intruder's fingerprints (dandruff, saliva, secretions sprayed onto the monitor and keyboard while breathing, ^_^ and so on).
   3. If there is a firewall (the scan report mentions a ping response of 0 ms, so there should be one) and it has complete logging, check the logs. If the intruder really guessed the account through a null session, the logs should contain a large number of port 139 connections. From these we can get the intruder's IP, or rather the IP of the jump host.
   4. The compromised host usually still holds the intruder's tools, such as backdoors or attack programs prepared for intruding into other hosts next time. These programs may have been modified to avoid detection by antivirus software, or may even have been written by the intruder. By examining or disassembling them carefully we can find information linked to the intruder, such as the program's author, contact details left in the program, certain strings, and so on.
   5. Perhaps the intruder, after logging on to the target host, connected to the internet through it (obviously), so we can check the IE cache to see which URLs, FTP sites, BBSes and so on were visited during the intrusion period; for example, the cookies in the IE cache can reveal the BBS the intruder frequents and even his ID on that BBS. Also, sometimes the intruder needs to download tools or other things from elsewhere on the network onto the compromised host, perhaps via FTP, TFTP, etc. If the firewall also logged outbound connections, we can see by what route the tools left on the host arrived, and tracing it back to the intruder's own machine or jump host is not impossible.
  6. A slightly more experienced intruder will usually delete logs related to himself after the intrusion. Sometimes this actually gives us information, for example logs for a certain period being incomplete and showing signs of manual modification.
  7. Search for backdoors that have been installed. Monitor these backdoor programs (with a sniffer?) and check the connecting IPs and the data sent.
....
   That is all I can think of for now.


Useful information: the attacker did not plant a trojan, only a small program.
There is no firewall; this is the scan result from connecting two machines directly to each other.
The attacker did not use a proxy program.
When I say the desktop was tampered with, I don't mean that some file was used,
but that a program was running on the desktop and its window was moved or closed.


Heh, interesting. Let me join in.
Note: this computer has no IIS, PWS or other web publishing component installed, and no FTP software either!
Comparing that with the port information, if the components and software mentioned are not there, then we should consider whether this is a honeypot. ^_^
To state it again: netstat/an on the compromised computer shows no port 21 or 80 listening.
Can it be confirmed now?


Guest - User Never Logged On
Here it has logged on
Account Disabled: True
Here it is disabled
Isn't that strange?


Good stuff.


Did you even understand it, poster above? What do you mean "good stuff"? Haha
Description If a users password does not expire you allow a remote attacker endless amount of time to try to figure out your users password.
