- 1、本文档共85页,可阅读全部内容。
- 2、有哪些信誉好的足球投注网站(book118)网站文档一经付费(服务费),不意味着购买了该文档的版权,仅供个人/单位学习、研究之用,不得用于商业用途,未经授权,严禁复制、发行、汇编、翻译或者网络传播等,侵权必究。
- 3、本站所有内容均由合作方或网友上传,本站不对文档的完整性、权威性及其观点立场正确性做任何保证或承诺!文档内容仅供研究参考,付费前请自行鉴别。如您付费,意味着您自己接受本站规则且自行承担风险,本站不退款、不进行额外附加服务;查看《如何避免下载的几个坑》。如果您已付费下载过本站文档,您可以点击 这里二次下载。
- 4、如文档侵犯商业秘密、侵犯著作权、侵犯人身权等,请点击“版权申诉”(推荐),也可以打举报电话:400-050-0827(电话支持时间:9:00-18:30)。
查看更多
Intrusion Auditing Under Windows NT.ppt
Intrusion Auditing Under Windows NT Catching Greg Hoglund - Part II By JD Glaser jdglaser@ Overview NT Behavior Tools I use New tools I have written Useful techniques My Morning E-Mail Message JD, You’re hosed Greg Race is on Change passwords Assemble a toolkit from burned CD of known good tools Begin looking for damage Initial Assertions Start reading my logs Lots of log activity. Cant verify for certain a time/date/logon range No odd server names - COULD BE FORGED THOUGH Im not running IIS on this box - Cross that off Must have sniffed a password. Common Problem - Strong PDC, Weak local admin passwords Undermines the whole game My Initial Process Read the logs Examine the task list Examine the loaded dlls list Read the logs Look through the registry Read the logs My Second E-Mail Message JD LOL, Your new password is “keepgregout” Greg Trojan Possibility I know he did not sniff this time, nothing went out over the wire because I havent yet accessed any domain resources. Must be a Trojan NetMon Tip Hook up MS NetMon to watch all outgoing traffic of a suspected breached host Be aware that the generated traffic can have forged source address info Check Files Break out the file integrity checker You can use a home-made solution here Use your own baseline records Perl can be used here to great effect Results = Nothing. All files match to originals No new files are detected .EXE Side Note Run file as ~ in temp directory can confuse a tripwire report Why? because you probably arent going to take time to look at these Or you have scripted TW to avoid looking there because of ‘NOISE’ factor TaskMan Showing ~EXE Executing ~.tmp Files ~ Points File Integrity checkers can alter file access times Can Leave wide time stamp trial showing what to avoid This is one method to sidestep automated sweeps Examine RID’s Look at latest RID, none have been added (NT uses them sequentially and never reuses them) You see accounts have been created/deleted Getti
您可能关注的文档
最近下载
- 【部编统编版语文】四下语文 全册教材分析(解析)PPT课件合集.pptx VIP
- 企业主要负责人安全生产履职情况报告.docx VIP
- 企业主要负责人安全生产履职情况报告.pdf VIP
- 产品工时额定标准.pptx
- 学术论文 - 半导体物理第六七章习题答案..pdf VIP
- 新概念英语1-4册(课文版).doc
- 2024年上海高考语文真题文言文(一,二)词句解释与试题解析.docx
- 胸痛PBL护理查房.pptx
- 财务报表分析和证-券估值 ,第五版 答案 Financial Statement Analysis and Security Valuation solution SOLUTIONS_MANUAL ,5e.doc
- 北师大版七年级上册数学第五章《问题解决策略:直观分析》教学课件(新教材).pptx
文档评论(0)