A document for beginner hackers: is anyone willing to translate it?

jackkcg (Deputy Site Admin, registered 2002-03-23)

A document for beginner hackers (version 1.2)

A few days ago on PacketStorm I saw a FAQ for beginners written by Marcus Andersson (Mah-Kahn). After reading it I thought it was quite useful as a reference, so I wrote an email to Mah-Kahn asking for permission to repost it. He wrote back and agreed; the contents of the mail are below.

This FAQ covers many of the questions people ask all the time. Here is the table of contents:

Chapter 1 - General questions
1.1 How do I hack a [put whatever here] system?
1.2 Where can I find some "K3wl pHil3z" on hacking?
1.3 How do I hack Hotmail/Yahoo mail/whatever? ← Hotmail/Yahoo mail users, take note
1.4 Will you crack this machine/password/account for me?

Chapter 2 - TCP/IP questions
2.1 How do I spoof my IP-address?
2.2 How do I hide my IP-address? ← hiding your IP through a proxy; I have written about this in many articles
2.3 How do I trace someone on the Internet? ← tracing
2.4 How do I get a DoS through a (personal) firewall?
2.5 Is there a legitimate use for DoS? Ever?
2.6 How do I sniff all the traffic going to a certain host?
2.7 Why can't I sniff in a switched environment?
2.8 How do I find firewalls? ← firewalls
2.9 What is a firewall/personal firewall/routing filter?

Chapter 3 - Unix questions
3.1 Where do I get a (free) shell-account?
3.2 How do I get root without having a compiler?
3.3 How do I upload a file to UNIX, not having mail or FTP?
3.4 What are the security issues with core dumps?

Chapter 4 - Windows questions
4.1 How do I upload a file to a box without them noticing?
4.1.1 How do I hide an .exe in a .jpg? ← "Trojan horse"
4.2 How do I hack with Windows?
4.3 How do I secure my Windows system?
4.4 How do I stop my Windows system from being nuked?

Chapter 5 - Programming questions
5.1 How do I run a .c exploit? ← stop asking me how to run a .c file
5.2 What is a buffer-overrun? ← "buffer overflow"

Appendix
1) Sources/Resources

Version 1.2 adds the following:
Updated 1.2 - Installing Ghostscript is fairly easy...
Q&A 1.5 - What is PGP
Updated Appendix 1 with some books on cryptology
Appendix 2 - Sniffing in switched networks

Mah-Kahn's condition for reposting is that the document be kept intact, so I have posted it in full, word for word, without adding any notes or commentary. Sorry, I forgot to ask him about translation... and I probably won't have time to translate it myself any time soon. If anyone is willing to do the work, you can email him and ask whether a translation is allowed.

--------------------------------------------------------------------------------

The somewhat unofficial Packetstorm Newbie-Forum FAQ
Born on the 8th of August 2000
Version 1.2
Mackan@rpcs.pp.se

(Text editor: Pico - window size set to 75 cols, and then the text was copied and pasted to the window. Hence the ugly layout. You get what you pay for ;-)

Latest update: 20th of December 2000
Updated 1.2 - Installing Ghostscript is fairly easy...
Q&A 1.5 - What is PGP
Updated Appendix 1 with some books on cryptology
Appendix 2 - Sniffing in switched networks

Contributors (in alphabetical order): Doxavg (almost everything in chapter 3), Marcus Andersson (chapters 1, 2, 3 and 5), Occam (updates), Richard Glover "Secular" (everything in chapter 4, updates), Trevlig (almost everything in chapter 5, updates).

Editor: Marcus Andersson (Mah-Kahn)

Status of this memo: This document has no official seal of approval of any kind. It's just a "whitepaper", basically.

DISCLAIMER: As with any good information - it can be used whatever colour you might have on your hat. If it's white - great! I guess we're "scene buddies" and might bump into each other sooner or later. Is it black - well, shame on you! Hope you get caught! Hope that you will tell me how you did it before, though, so that I might benefit from it and fix my systems. Nobody at Packetstorm, nor any of the participants in the forums, has ever encouraged, or will ever encourage, illegal or immoral behaviour, unless they are VERY stupid. Go figure.

NOTE: The editor would like to thank all contributors to this FAQ. You have generously given of your time on this document, because you saw some usefulness in it. I hope you are right. At least, I give you my standing ovation.

If you would like to contribute to this FAQ by adding questions, adding answers, fixing errors/spelling/grammar, please contact the editor at mackan@rpcs.pp.se. If your mail doesn't get answered right away, it's not because I ignore you, but rather it signifies that I'm working on it. If you have heard nothing in a week, it's because I'm out of town and can't read the mail. DON'T mail again. Your mail WILL be answered, eventually. Patience is a virtue.

If I get any more "Can you teach me how to hack?" questions of ANY kind in my mail, I'll scream. At you.

ABOUT POSTING TO THE FORUMS:

[Secular holds the pen]

A brief note about posting to the Packetstorm forums (or, as Mah-Kahn prefers, the Packetstorm fora): We really are here to help. No, we're not a bunch of crazed psycho sysadmins out to flame your head off. We want you to have the best learning experience possible. Sometimes that means that before you ask a question, you should do the research yourself. Make sure first that you're asking your question in the correct forum. Second, make sure your question hasn't already been answered here, or in one of the earlier postings. Third, RTFM (Read The Friggin' Manual, for those of you unfamiliar with the jargon.) Make certain you've read through your paper documentation, or the online documentation for your products. Do your homework. Go to the library. Take the time to learn it on your own, and then if you have questions on what you're learning, ask for help. If you've done all of this, and you've formed your question into a detailed, specific, well-worded, well-documented posting, we can more easily help you help yourself. Doing the leg work, learning your part, and helping to spread the information that wants to be free is what hacking is REALLY all about. Hackers aren't what the media says. A hacker, in the true sense of the word, is one who is capable of creating wonderful new things with very little to work with. We're trying to be real hackers. We're trying to help make the flow of information a little easier. We hope you are too.

[Mah-Kahn holds the pen]

If you are a newbie, having asked a question, and having been pointed to this document, don't take it as a personal insult. The reason is that the same questions have been asked over and over and over again, and that the same answers have been given in every possible form known to man. Nobody wants to start a fight. Nobody wants to hurt your feelings. If somebody did it anyway, unintentionally, swallow your pride, read the FAQ, learn something new, and get on with your life. The questions in this FAQ may have appeared in other forums than the Newbie forum, but are still referred to as frequently asked Newbie questions in those forums.

--- --- ---

Chapter 1 - General questions
1.1 How do I hack a [put whatever here] system?
1.2 Where can I find some "K3wl pHil3z" on hacking?
1.3 How do I hack Hotmail/Yahoo mail/whatever?
1.4 Will you crack this machine/password/account for me?
1.5 What is PGP and how does it work?

Chapter 2 - TCP/IP questions
2.1 How do I spoof my IP-address?
2.2 How do I hide my IP-address?
2.3 How do I trace someone on the Internet?
2.4 How do I get a DoS through a (personal) firewall?
2.5 Is there a legitimate use for DoS? Ever?
2.6 How do I sniff all the traffic going to a certain host?
2.7 Why can't I sniff in a switched environment?
2.8 How do I find firewalls?
2.9 What is a firewall/personal firewall/routing filter?

Chapter 3 - Unix questions
3.1 Where do I get a (free) shell-account?
3.2 How do I get root without having a compiler?
3.3 How do I upload a file to a UNIX, not having mail or FTP?
3.4 What are the security issues with core dumps?

Chapter 4 - Windows questions
4.1 How do I upload a file to a box without them noticing?
4.1.1 How do I hide an .exe in a .jpg?
4.2 How do I hack with Windows?
4.3 How do I secure my Windows system?
4.4 How do I stop my Windows system from being nuked?

Chapter 5 - Programming questions
5.1 How do I run a .c exploit?
5.2 What is a buffer-overrun?

Appendix
1) Sources/Resources
2) How do I sniff in a switched environment?

--- --- ---

Chapter 1 - General questions
-----------------------------

1.1 How do I hack a [put whatever here] system?

We will not help you crack a system's security.

If you really want to learn how to break a system's security, you must start from the bottom and learn as much as you can about the system from the inside out, and the necessary respect which goes along with it. NO text file will teach you how to hack. Ever.

If you want to read a reasonably good and all-around FAQ on cracking systems' security, read the alt.2600/#hack FAQ, which is found at http://www.linuxsavvy.com/staff/jgotts/underground/hack-faq.html (Oh, and I recommend that you download the ASCII version, which is more readable, in my personal opinion.)

1.2 Where can I find some "K3wl pHil3z" on hacking?

Well, if you know NOTHING, go to the FAQ above. If you want to learn some "heavier stuff", go to http://phrack.infonexus.com and read. You would probably want to use their search function, though, since reading through stone-age hacking material (written in the eighties) will eventually make your eyes bleed otherwise.

Now, these guys know what they are doing, so DON'T go there and ask silly questions, or they WILL flame your head off.

Oh, and while you're at it, check out the "papers" section of http://packetstorm.securify.com

Make sure you have a viewer capable of opening PostScript files. Many of the papers on Packetstorm are in PostScript 3 format. Ghostscript is a good viewer, in my opinion, and it's ported to Windows too. It is even quite easy to install nowadays...

1.3 How do I hack Hotmail/Yahoo mail/whatever?

Now, first of all, that would be a BAD idea, since it would land you in jail. Don't do it. If you ask just out of curiosity, there are several ways to do this, as history has proved. A very lame way is to plug a wordlist into some automated script (a three-liner with netcat) and go to town, while your script tries every word in the list... This is basically how they "hack" in the movies, and if the password is generated correctly, the chances of succeeding at such a task are really low. Oh, and even if you struck gold and actually got in, you would still be logged, because of all the incorrect login attempts. You WILL get spotted.

Another (better) way of doing it would probably be to send a malformed HTML post to the victim, and include some sort of hostile script (JavaScript and VBScript come to mind). However, a lot of these bugs have already been found, so don't try to just download something from the net and expect it to work.

You WOULD have to find a way to include the script without the HTML parser of the mail system figuring it out... I'll leave that as an exercise for the imaginative reader, but historical evidence shows methods of using malformed image tags, including control characters in the middle of the JavaScript tag, malformed gopher tags, etc.

1.4 Will you crack this machine/password/account/whatever for me?

Short answer: No.

Long answer: No way.

1.5 What is PGP and how does it work?

PGP is a de facto standard for encrypting e-mail. The acronym stands for "Pretty Good Privacy", but PGP also adds authentication and key management to this. The "standard" is described in detail in RFC 2440 (OpenPGP), and that document is based on the older RFC 1991.

Some historical trivia:

RFC 1991 is about PGP 2.6.x clients (which used IDEA and RSA). However, it mentions "PGP 3" clients. When these clients finally saw the light of day, they had been renamed "PGP 5.x", so PGP 5.x clients are the first "PGP 3"-compliant ones. Clear? No.

The standard is PGP 3 - the name of the product supporting the standard is PGP 5. Now - OpenPGP is based on the PGP 5.x clients. Just so you know...

--- --- ---

Chapter 2 - TCP/IP questions
----------------------------

2.1 How do I spoof my IP-address?

There is no easy (point-and-clickable) way to do this. Sorry. There are no such things as "IP spoofers", or everyone would be using them. In order to make a full, spoofed IP connection, you would actually have to learn some of the inner workings of TCP/IP. I will make a brief summary here, but if you don't get it, check out http://phrack.infonexus.com/search.phtml?view&article=p48-14 until you do.

It is nothing you do as a newbie, anyway. IF you want to learn, look below.

In a TCP/IP connection, the first thing that happens is the "TCP handshake". This is a three-step initial setup that has to be made before any data can be sent.

1) A sends B a SYN packet (SYNchronize)
2) B sends A a SYN/ACK (ACKnowledge the SYN, and send his own SYN values)
3) A sends B an ACK (ACKnowledge B's request for synchronisation)

Now, if you want to "spoof" a connection, masquerading as someone else, you might think that all there is to it is to send the packets with this "someone's" IP-address. This is wrong, because the Internet is built in such a way that the packets FROM B would ALWAYS go to A, and A would simply reset the connection, not knowing why B sends his SYN/ACK packet.

So, what you want to do is to make sure that A can't answer (thus resetting) the packets from B. This is done through a DoS attack of some sort (SYN flooding was popular with real hackers, because that method would make it possible to "undo" the attack later on, by sending RSTs for those packets, thus getting A back in service.)

Now, in order to really impersonate A, you must realize that B will still send his packets to the real A, so you won't see them. This is a problem, since you won't get the SYN/ACK from B, and thus can't synchronize the sequence numbers of the packets. This means that you have to guess the sequence number (and the payload) of every single packet that might come as a response to your packets. Doing this against machines with poor IP stacks (like Windows boxes) is doable, but on REAL implementations of TCP/IP stacks (such as Linux, which actually follows the RFC) the numbers are quite unpredictable (random), which makes these attacks useless.

Now, all this is theory... If you WOULD like to do it in practice, learn TCP/IP, a lot. You would probably be helped if you could, for instance, manipulate the routing so that the real packets from B to A pass through a network where you can capture them. In that case you would JUST have to send your packets fast enough for B's IP stack not to time out.

As you can see, this is fairly esoteric stuff. Don't go there. Oh, and you will need a program to manipulate the raw IP packets as well.

[Defense]

There are several ways to defend against these types of attacks.

1) The first one is of course to make it pointless to even try it, so - get rid of all trust relationships to other hosts (hosts.equiv, .rhosts, etc.)

2) If that can't be done, exchange the services for equivalents that use cryptographic authentication of both ends before sending any packets over the connection. This way an attacker would need to get hold of the crypto key somehow, in order to impersonate the machine. A good substitute for rsh and rlogin would be ssh, for example.

3) If you can't get rid of ALL trust relationships between hosts, at least place the machines that need to trust each other on the same subnet, disable the services at the border router AND apply filtering rules to make sure that a packet with an "inside" address gets dropped if it comes in on the "outer" interface (i.e. a "spoofing filter").

2.2 How do I hide my IP-address?

Well, not being able to spoof the address (see above), you might still
want to hide it. This is fairly doable by using proxies. A proxy is a machine that forwards queries for you. If you can get a proxy to forward an illegitimate query to the victim host, it will be the proxy's, not your, IP-address showing up in the logs...

Example, the light side (web proxy):

If you have configured your web browser to use a web proxy, and you type in a URL, the proxy will first see if it has a copy of the document locally stored (cached) and if so, forward it to you, thus serving the request faster and reducing the use of bandwidth on the Net. If it does NOT have a copy of the document locally stored, it will forward your query to the intended web server, then forward the answer back to you, and store a copy of it locally.

Example, the dark side (web proxy):

Now, an 3viL H4x0r wants to try to portscan through the proxy. This cannot be done with ordinary portscanners, since what is forwarded are not your IP packets, but the QUERY (data in the payload). So what the imaginative mind does is that s/he connects to server:port through the web client, and then waits for a while before hitting the "stop" button. On the screen s/he will then see the banner of the service on the port.

You could probably not scan low ports (<1023) in this way, but there are fun services on high ports as well. All kinds of (exploitable...) RPC services, for example, as well as listening NFS daemons, RADIUS servers, SOCKS servers, and others.

Now, you could also (usually) chain web proxies by typing (in the client) proxy1:Pport:proxy2:Pport:proxy3:Pport:victim:Sport, where Pport is the port of the listening proxy server (usually 8080 or thereabouts) and Sport is the port you want to scan on the victim.

2.3 How do I trace someone on the Internet?

Now this is a real classic, with no real answer.

First, you can never trace the connection farther than to the IP-address in use. This means that you CAN NOT get the actual user's name, address, phone number or some such. YOU can't. Their ISP can, though, and if you provide them with adequate logs (proving their misdeed, the time of the incident and the IP-address in question) they will deal with it according to their Acceptable Use Policy (AUP). Usually the culprit will lose his/her account, or at least will be given a slap on the wrist. Adequate standard addresses are abuse@ispname, security@ispname, postmaster@ispname, and root@ispname.

Second, you have to actually get the IP-address involved. If the problem is a DoS attack, they are almost always using some fake IP-address, so you will not be able to trace those. Get some sort of protection instead, like a "personal firewall". If the problem is foul language in a chat, most ISPs are not very interested. Sorry. If the problem is a threatening e-mail, look where it comes from, by looking at the mail headers bottom-up (from the last To: line). The originating host will be the first one (reading "backwards", that is). If you want to see where a connection (such as an ongoing portscan, a trojan such as Back Orifice or some such) goes to, go to a DOS window and do a netstat -an (the same for UNIX).

Third, when you have found the IP-address - DON'T DoS them, or approach them at all. Just report them to their ISP and let them do the work. Don't get into fights.

2.4 How do I get a DoS through a (personal) firewall?

Don't. You'll be hated.

There WAS a posting asking this question, and basically, this FAQ is a spin-off of that posting... The only short answer to the question is: learn TCP/IP, and how and why firewalls work. After that, making a DoS attack should be fairly obvious, as would the fact of why you wouldn't want to do it.

Get the message: DoS is lame.

2.5 Is there a legitimate use for DoS? Ever?

The simple answer is "no", because what the person asking the question wants to know is generally if there is ever a moral reason to DoS someone. And there is not. Not even if they do it to you. Not even if you (think you have) hunted them down. Not ever.

The ONLY practical, and therefore legitimate, use for DoS would be during a professional penetration audit, when the customer has ordered a stress test of the machines OR the "Red Team"/"Tiger Team" would like to, for a moment, disable an ident daemon, a syslog daemon, or a host running some sort of NIDS.

2.6 How do I sniff all traffic going to a certain host?

You can't, if you are not on the same network as that host. This
means you would typically have to be in the same building as the host you want to "sniff". Even if you manage to get to the building, you are still out of luck if you try to sniff on a switched network (which most networks are today).

If you start your sniffer on another network, you would only be able to see all traffic from that network segment to the host. Most probably, only your own packets, since the network YOU are sitting on (most usually an ISP) is switched too.

Defense: Fairly obvious - implement a switched network environment. OK, it's quite expensive, but the payoff in increased security and better network performance is huge. How much do you value your time?

If you don't have the cash to immediately implement a switched environment, at least try to implement cryptographic countermeasures against this attack, such as ssh and other tunneling protocols.

2.7 Why can't I sniff in a switched environment?

Now, this demands some fairly thorough explanation of how Ethernet works, but to put it simply: What a switch does is to break up the addressable message bus of the Ethernet into sub-buses, typically with one host per port. A sniffer sees the same segment (part of the addressable bus) that it is connected to (see above). If you just have one host per segment, that's all it's going to see.

The reason for this was originally not to implement security, but to divide large networks into smaller pieces, in order to prevent packet collisions on the message bus.

ADD-ON-Extra-kewl-hacker-knowledge:

Now, the above is not entirely true. One actually CAN sniff in a switched environment, though it's not really easily done by a newbie... It requires some knowledge about the inner workings of ARP and the (ab)use of ARP caches. For a thorough explanation, check out appendix 2.

Defense: Using cryptographic countermeasures.

2.8 How do I find firewalls?

This question assumes that you want to hack a host and that you want to know if there is a firewall securing it. Now, this is not an easy question to answer, since not all firewalls work the same way, but let me give you some general (and quite compressed) info on the subject.

First, try to traceroute, from a UNIX machine, to the machine you want to check. If the traceroute dies (hangs on the same router hop forever...), it's probably because of a firewall. You could actually see if it is, by first seeing if a traceroute with ICMP packets (such as a Windows tracert) goes through. If it does, it's definitely a firewall, or at least a filter of some sort. If it still does not get through, there MIGHT be a firewall OR the router is down for some unknown reason.

In that case, you try with a sort of special traceroute... Now, if your traceroute dies because of a filter, it's because the probes are coming from a port that the filter doesn't like. What you do then is that you try to mask your probes as something legitimate, like DNS packets.

Now, the port number is incremented for each probe, and for each router hop traceroute sends out 3 probes. What you want to achieve is for the port number to reach 53 exactly at the filter, so it thinks that the packets are DNS packets. The formula is:

(target_port - (number_of_hops * num_of_probes)) - 1

So, let's say our traceroute died at the 8th router hop; you would have to do a (53 - (8 * 3)) - 1 = 28

traceroute -p28 targethost

Now, if the probe gets through, you can, again, be certain that there is a filter, and not just a broken router. You will just see ONE router hop behind the filter, though. However, if the traffic STILL dies, it MIGHT still be a firewall there, OR the route is just broken.

Now, in order to keep this answer short (I could fill a whole FAQ with info about testing firewalls) I'll just cut to the chase.

Try to fingerprint the machine where the traceroute dies, with nmap. Nmap will probably tell you whether or not it is a router. If it's not, it's a firewall. Note though, that EVEN if it is a router, it might still be a filtering router. Read the nmap documentation on scanning types at http://www.insecure.org/nmap/nmap_manpage.html

Defense: Oh, the joys of configuring firewalls...

One thing that you would want to do is to configure your firewall to actually send RSTs instead of just dropping the packets to filtered ports. This would make it REALLY hard to see from the outside.

If this can't be done, your firewall WILL be spotted, and you have to make a trade-off about what is better security-wise: To keep, for example, traceroutes open through the firewall, in order to keep it hidden (so that an attacker "stumbles" into it if they attack your net), thereby making it possible for an attacker to draw quite detailed maps of your network environment? By closing traceroutes, on the other hand, your firewall will be visible to the outside, thus flagging to a potential attacker that s/he should be cautious, and thereby you might miss the REAL attack, since the attacker carries it out more "silently".

Best practice suggests that you tighten the filters so that it IS obvious that you have a firewall, but also set the firewall to be as paranoid as possible about what it lets out. This is a VERY big topic, not to be covered in this FAQ.

2.9 What is a firewall/personal firewall/routing filter?

Now, this is a BIG question in the business today, so I'll just give
you some quite clear distinctions, not focusing too much on the border cases.

[Packet filtering routers]

The first distinction to make is between a packet-filtering router and a firewall. In the spirit of selling as many routers as possible, a lot of router vendors focusing on the home-use market try to sell ISDN and cable routers with "firewalling capabilities". This is sell-speak. Don't buy it.

What it usually means is that the router is able to check every packet's source address, source port, destination address and destination port, and decide if the packet should be forwarded or dropped. End of story. That's what it does.

Now, the cautious home user would of course set up the filter to let through any traffic from source address "any", port 20, 21, 80 in order to use ftp and web. (Of course you would actually open up a LOT of ports in order to get mail, dns, news, etc. to work, but that's beyond the scope of this FAQ.)

That would mean that an attacker could, if he was root on a UNIX machine (his own Linux box, for example), get ANY traffic through the filter, if s/he just binds to an "open" port locally. The router filter does not check whether the traffic coming from, say, port 80 is REALLY web traffic, it just assumes it is, and lets it through.

Now, if you are a REALLY lucky router owner, the vendor has actually put some thought into this problem, and has a feature in the router called an "established" filter. This would mean that the router checks whether the connection was established from YOUR side or the outside. Basically, it makes it impossible to just start any traffic from the outside and bind it to an open port, as described earlier. The router keeps track of whether you have started the connection or not.

There is nothing magic about this, really. What the router does, in this case, is to see if the packets have the ACK flag set. If a packet has the ACK flag set, it just draws the conclusion that the initial SYN packet was sent from the inside. If an ordinary SYN packet is sent from the outside, it's just dropped. (To learn more about the TCP handshake, check out 2.1 in this FAQ, "How do I spoof my IP-address?")

A quite obvious thing that you could do, as an attacker, if this is the case, is that you could send any packets with the ACK flag set through the filter. This wouldn't give you a full connection, but you CAN portscan through the filter, and maybe find something interesting. Again, your best friend is http://www.insecure.org/nmap/nmap_manpage.html

So much for "firewalling capabilities".

[Firewalls]

Now, what a real firewall does, in addition to the above, is that it also "understands" the protocols involved, and not just the port numbers. There are basically two philosophies on how to implement such an "understanding" - stateful packet inspection, and application-level proxying. Now, this sounds like gibberish to most people, but let me just explain it VERY briefly.

Stateful packet inspection means that the firewall checks every packet that travels through it, but it can check for more things than just port numbers, IP-addresses and whether the ACK flag is set. It can, for example, build up a table of ongoing connections made from the inside, and then keep track of them as long as they live. This means that it won't (typically) let through a packet just because the ACK flag is set. It can also, if an IP packet is fragmented, await all fragments, reassemble the packet and THEN decide whether or not it shall route it to its destination. Go figure. The most useful feature is, however, that it can actually look at the payload of the packets, and thereby "understand" at least some of the more obvious attacks on the data stream.

Application-level proxying is briefly discussed in 2.2 "How do I hide my IP-address?". In that particular example we used an HTTP proxy. Now, in a proxying firewall, the clients send ALL their requests (not just HTTP) to the outside world through proxies. This way we don't have to worry about the packet filter just to make the application work, because what's forwarded to the outside (and to inside servers) are just the REQUESTS, not the real CONNECTIONS.

Now, in real life, almost all commercial firewalls implement both of these techniques to some extent, but different firewalls have different underlying architectures. Is it mainly an application-level proxy with packet-filtering capabilities, or is it the other way around?

[Personal firewalls]

Now, to confuse things even more, the software industry has jumped on the firewall craze, and is trying to sell packet-filtering software, sometimes with some proxied services, as "personal firewalls".

The biggest differences between these and "real" firewalls are that 1) real firewalls are run on machines reconfigured and "hardened" from the kernel and up, and don't just run as an application on the machine, 2) they have more features and better logging (often fewer false positives) and 3) they can protect a whole network with several hosts (a personal firewall often just protects the machine it's running on).

For a better understanding of firewalls and their capabilities, consult the books referred to in Appendix 1 - sources and resources. Look for the subject "TCP/IP".

--- --- ---

Chapter 3 - Unix questions
--------------------------

3.1 How do I get a (free) shell-account?

There are many "free shell account" services in existence, but most strictly limit activities. Many, for example, will not allow you to telnet, ftp, or http out, or compile programs. Most decent shell services will require a fee.

For those still interested in free shell accounts, a list of free shell providers resides at: http://www.dmoz.org/Computers/Internet/Commercial_Services/Access_Providers/UNIX_Shell_Providers/Free_Shells/

3.2 How do I hack root without having a compiler?

This is basically the same question as "How do I hack without only using pre-made scripts?". In questions 1.1 and 1.2 you are pointed to some resources, but there are many more ways, which you will only learn if you really have to secure a UNIX box (in which case you would benefit greatly from reading "Practical Unix and Internet Security". Check out the details in Appendix 1). I will only summarize some basic fundamentals here.

First of all, you have to have at least SOME sort of account on the machine...

* See the file permissions on .login files, .forward files, scripts started by cron, any files referred to in any file in /etc and so forth. If you can write to any of those files, write a simple shell script that drops a SUID/SGID shell somewhere...
(cp /path/to/ks

------
Haha & Bingxian's two greatest skills: not knowing this one, and not knowing that one either. Hahaha, great. Delphi K.Top: "K.Top" breaks into two parts. "Top" means cutting edge; we hope this forum can offer cutting-edge Delphi knowledge. "K." stands for Knowledge, which is the site's motto: Open our mind
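The blind spoofing attack that section 2.1 of the FAQ describes, as an added example that is not part of the FAQ or of any tool it mentions: an in-memory model of host B's TCP handshake, with a 4.2BSD-style fixed-step initial sequence number (a constant step of 64000 per connection is assumed; the clock-driven part of the real generator is left out) beside a stack that picks each ISN at random. The addresses, the payload and the `Server` class are constructed for the example. With the predictable stack the attacker completes the handshake as the trusted host without ever seeing B's SYN/ACK; with random ISNs the same guess fails, which is the defence the FAQ credits to stacks that follow the RFC.

```python
# Added example, not the FAQ's code: the blind IP-spoofing attack from 2.1
# modelled in memory. Nothing is sent on the wire; all addresses are constructed.
import itertools
import random

TRUSTED = "10.0.0.5"        # host A, which B trusts (rsh-style .rhosts trust)
ATTACKER = "198.51.100.9"   # the attacker's own address
SERVER = "10.0.0.1"         # host B
MASK32 = 0xFFFFFFFF


class Packet:
    def __init__(self, src, dst, flags, seq=0, ack=0, payload=b""):
        self.src, self.dst, self.flags = src, dst, frozenset(flags)
        self.seq, self.ack, self.payload = seq, ack, payload


class Server:
    """Host B: completes the three-way handshake and then executes the payload,
    but only when the peer address is the trusted host."""

    def __init__(self, next_isn):
        self.next_isn = next_isn    # callable producing B's next ISN
        self.half_open = {}         # client address -> ISN B chose for it
        self.executed = []          # payloads accepted from the trusted host

    def receive(self, pkt):
        """Process one inbound packet; return the reply B puts on the wire.
        The reply is addressed to pkt.src, which is why a spoofing attacker
        never sees it."""
        if pkt.flags == {"SYN"}:
            isn = self.next_isn()
            self.half_open[pkt.src] = isn
            return Packet(SERVER, pkt.src, {"SYN", "ACK"}, seq=isn, ack=pkt.seq + 1)
        if pkt.flags == {"ACK"} and pkt.src in self.half_open:
            expected = (self.half_open.pop(pkt.src) + 1) & MASK32
            if pkt.ack == expected and pkt.src == TRUSTED:
                self.executed.append(pkt.payload)
        return None   # wrong ack number or unknown peer: silently dropped


def fixed_step_isn(step=64_000):
    """The 'poor IP stack': an ISN that grows by a constant per connection
    (assumed step; the 4.2BSD clock component is omitted from this model)."""
    counter = itertools.count(start=1_000_000, step=step)
    return lambda: next(counter) & MASK32


def random_isn(seed=1):
    """A stack that picks every ISN at random (seeded only so that the
    example is reproducible)."""
    rng = random.Random(seed)
    return lambda: rng.getrandbits(32)


def blind_spoof(server, assumed_step=64_000):
    """The attacker's side of 2.1. Host A is assumed to be SYN-flooded, so its
    RST never reaches B: we simply never deliver B's SYN/ACK to anyone."""
    # 1. Legitimate connection from the attacker's own address to sample the ISN.
    sample = server.receive(Packet(ATTACKER, SERVER, {"SYN"}, seq=7))
    # 2. Spoofed SYN as A. B's SYN/ACK goes to the real A; the attacker never sees it.
    server.receive(Packet(TRUSTED, SERVER, {"SYN"}, seq=4242))
    # 3. Guess the ISN B used for "A" and finish the handshake blind, with payload.
    guess = (sample.seq + assumed_step) & MASK32
    server.receive(Packet(TRUSTED, SERVER, {"ACK"}, seq=4243,
                          ack=(guess + 1) & MASK32,
                          payload=b"echo + + >> ~/.rhosts"))
    return list(server.executed)


if __name__ == "__main__":
    print("fixed-step ISN:", blind_spoof(Server(fixed_step_isn())))
    print("random ISN:    ", blind_spoof(Server(random_isn())))
```

The first call returns the injected command, the second returns an empty list: the only difference between the two runs is the ISN generator, which is the whole point of the defence.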
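The three kinds of "firewalling" from section 2.9 and the spoofing filter from 2.1 (defence 3), as an added example that is not from the FAQ: each filter is a small function over constructed packets, so the ACK-flagged probe that passes an "established" filter and the attacker bound to port 80 who passes a static filter can be seen side by side with the stateful table that drops both. The subnet prefix, addresses, ports and traffic list are all constructed.

```python
# Added example, not the FAQ's code: the packet filters of 2.9 and the
# anti-spoofing rule of 2.1 as pure functions over an in-memory packet list.
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."    # constructed: our subnet, behind the router


@dataclass(frozen=True)
class Pkt:
    iface: str          # "inside" or "outside": interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

    @staticmethod
    def make(iface, src, sport, dst, dport, *flags):
        return Pkt(iface, src, sport, dst, dport, frozenset(flags))


def spoofing_filter(pkt):
    """2.1, defence 3: an 'inside' source address arriving on the outer
    interface is dropped."""
    return not (pkt.iface == "outside" and pkt.src.startswith(INSIDE_PREFIX))


ALLOWED_SPORTS = {20, 21, 80}   # the FAQ's home-user rule: any source, port 20/21/80


def static_filter(pkt):
    """2.9 [Packet filtering routers]: looks only at addresses and ports."""
    return pkt.iface == "inside" or pkt.sport in ALLOWED_SPORTS


def established_filter(pkt):
    """The router's 'established' feature: from outside, only ACK-flagged
    packets are forwarded, on the assumption that the SYN came from inside."""
    return pkt.iface == "inside" or "ACK" in pkt.flags


class StatefulFilter:
    """2.9 [Firewalls]: remembers SYNs that left through the inside interface
    and admits only packets belonging to one of those connections."""

    def __init__(self):
        self.table = set()

    def __call__(self, pkt):
        if pkt.iface == "inside":
            if pkt.flags == {"SYN"}:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


# Constructed traffic, in arrival order.
TRAFFIC = [
    # 0: an inside host opens a web connection
    Pkt.make("inside", "10.0.0.5", 51000, "203.0.113.10", 80, "SYN"),
    # 1: the legitimate reply from that web server
    Pkt.make("outside", "203.0.113.10", 80, "10.0.0.5", 51000, "SYN", "ACK"),
    # 2: attacker bound to port 80 on his own box opens telnet inbound
    Pkt.make("outside", "203.0.113.66", 80, "10.0.0.5", 23, "SYN"),
    # 3: nmap-style ACK probe from port 80 with no connection behind it
    Pkt.make("outside", "203.0.113.66", 80, "10.0.0.5", 445, "ACK"),
    # 4: spoofed inside address on the outer interface, aimed at rsh (514)
    Pkt.make("outside", "10.0.0.7", 20, "10.0.0.5", 514, "SYN"),
]


def verdicts():
    """For each filter, the forward/drop decision per packet in TRAFFIC."""
    filters = {
        "static": static_filter,
        "established": established_filter,
        "stateful": StatefulFilter(),    # fresh connection table per run
        "anti-spoof": spoofing_filter,
    }
    return {name: [f(p) for p in TRAFFIC] for name, f in filters.items()}


if __name__ == "__main__":
    for name, decisions in verdicts().items():
        print(f"{name:12s}", ["pass" if d else "DROP" for d in decisions])
```

Reading the table: the static filter forwards everything here, including the spoofed packet; the "established" filter stops the inbound SYN but lets the ACK probe through, which is exactly the port-scanning loophole the FAQ describes; only the stateful table drops both, and only the anti-spoofing rule catches packet 4.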
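Reading a threatening mail's Received: headers bottom-up, as section 2.3 describes, as an added example that is not the FAQ's: the message, hostnames and addresses are constructed (documentation ranges only), and `abuse_contacts` simply builds the FAQ's four standard report addresses from the host's domain. One caveat the FAQ does not spell out: a sender can forge Received: lines below the first one added by a relay you trust, so walk the chain outward from your own server and stop trusting it at the first hop you cannot vouch for.

```python
# Added example, not the FAQ's code: find the originating host of a mail by
# walking its Received: headers oldest-first. The message below is constructed.
import email
import re

SAMPLE = b"""Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.victim.example (Postfix) with ESMTP id 1A2B3C
\tfor <target@victim.example>; Wed, 20 Dec 2000 10:05:12 +0100
Received: from relay.isp.example (relay.isp.example [198.51.100.25])
\tby mx.example.net with ESMTP id 9Z8Y7X; Wed, 20 Dec 2000 10:05:01 +0100
Received: from dialup-77.isp.example (dialup-77.isp.example [203.0.113.77])
\tby relay.isp.example with SMTP id 4D5E6F; Wed, 20 Dec 2000 10:04:40 +0100
From: "nobody" <nobody@free.example>
To: target@victim.example
Subject: you will be sorry
Date: Wed, 20 Dec 2000 10:04:30 +0100

Threatening text goes here.
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Return the Received: hops oldest-first. Every relay prepends its own
    header, so the bottom one in the message is where the mail entered."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        frm, by, ip = FROM_RE.search(text), BY_RE.search(text), IP_RE.search(text)
        hops.append({
            "from": frm.group(1) if frm else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
        })
    hops.reverse()
    return hops


def originating_host(raw):
    """(ip, hostname) of the first hop in the chain."""
    first = received_chain(raw)[0]
    return first["ip"], first["from"]


def abuse_contacts(hostname):
    """The FAQ's standard report addresses for the host's domain. Taking the
    last two labels as the domain is a simplification (wrong for co.uk-style
    domains); check whois for the real abuse contact."""
    domain = ".".join(hostname.split(".")[-2:])
    return [f"{user}@{domain}" for user in ("abuse", "security", "postmaster", "root")]


if __name__ == "__main__":
    for hop in received_chain(SAMPLE):
        print(f"{hop['from']:28s} [{hop['ip']}]  ->  {hop['by']}")
    ip, host = originating_host(SAMPLE)
    print("origin:", ip, host, abuse_contacts(host))
```

The chain prints in the order the mail actually travelled, the opposite of the order in the headers, which is the "reading backwards" the FAQ means.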
Kuang Cheng (regular member, registered 2002-03-16)
jackkcg (Deputy Site Admin, registered 2002-03-23)

Very sorry. At the time I only saved the article to a file, and because my hard disk got soaked in water I can no longer find where the link to the original was. As for the original author of this article, this URL also seems to be dead now: http://packetstorm.securify.com

The Microsoft part can still be reached: http://support.microsoft.com
http://www.linuxsavvy.com/staff/jgotts/underground/hack-faq.html
http://www.mindview.net
http://www.insecure.org/nmap/nmap_manpage.html
http://www.tuxedo.org/~esr/jargon/jargon.html
http://hp.vector.co.jp/authors/VA002416/teraterm.html

But this article has been sitting here for quite some time and nobody has translated it; probably only people with fairly good English can follow it. Some of its content is probably better understood by network administrators. It has been here this long, and for an obscure article like this I imagine very few people are interested.
zhaohahatw (regular member, registered 2004-02-11)

yhchu (regular member, registered 2004-01-28)