Intrusion is getting harder and harder these days. People's security awareness has improved a great deal; even home users know that a firewall and anti-virus software should be at hand, and they no longer put off Microsoft's patch upgrades. So scanning the Internet for weak passwords is now almost hopeless. (That is a very good thing.) But it also makes intrusion harder than ever for us hackers. Through our various methods we usually do not obtain system administrator privileges directly; for example, we often only get the privileges of IUSR_MACHINENAME (by uploading an ASP Trojan, or through some overflows), and that account normally has only the system's default Guest privileges. So how to get Administrator or SYSTEM privileges is becoming more and more important. I have therefore summarized several commonly used ways of escalating privileges. What follows is what I have collected; there is nothing new in it, and it is written for newbies like me. Experts can skim past it, though of course I don't object if you want to review it, and while you are at it, help me check what needs adding or correcting.

1. Social engineering. I think nobody is unfamiliar with social engineering. (If you still don't quite understand the term, I suggest you look up some material on it.) Usually we collect the target's sensitive information through various channels and then analyze it so that the admin's password can be inferred. To give an example: suppose we got the site's password through a database exposure vulnerability and used it to upload a Haiyang Top ASP Trojan. What do you do next? Go digging through the ASP files hoping to find the account and password used to connect to SQL? Wrong! The first thing we should do is type a netstat -an command to look at his ports (and of course check the running services with the NET START command). Once you spot 3389, what are you waiting for?
Fire up your Terminal Services client right away, enter the other side's IP, and type the username and password you got from his website... A few seconds later, hey, you're in? This is because, according to the principles of social engineering, people usually use the same username and password everywhere so that they are easy to remember. So once we have the administrator's password for the website, we effectively have all of his passwords, the system admin password among them. So we can get in through his 3389! Even if he has not opened the 3389 service, we can still try the password on his FTP server. If his FTP server is Serv-U version 5.004 and the account has write permission, we can launch an overflow attack, which gets SYSTEM privileges directly! (There are two ways of escalating privileges with Serv-U; I will talk about them later.) And that's not all: we can also try his account on all the big websites! Maybe you can get into the mailbox he registered and pull out a lot of useful information that will help our later actions. Here is another idea. We know that a website's admin usually sets his own site as IE's default home page for convenient management. We can take advantage of this: plant a web-page Trojan in his home page... then wait for him to open IE... Ha, who would suspect that his own home page would give him a Trojan? In fact there are many ways to use social engineering. For anyone who wants to be a qualified hacker, this is a must. Use your brain and you will succeed.

2. Local overflows.
"Microsoft is really cute." I don't know who first said this, but it isn't wrong: every so often they hand us a few more overflow vulnerabilities. I believe everyone has picked up a few "broilers" (zombie machines) through the recent MS-0011, right? In fact, after we get a shell with Guest privileges we can also use an overflow to escalate. The most commonly used tools are Runas.exe, WinWmiex.exe, PipeUpAdmin and so on; upload and run them and you get Admin privileges. The precondition is that the other side has not yet applied the patch, but Microsoft's vulnerabilities come one after another, and local privilege-escalation exploits for them keep appearing, so everyone should keep an eye on vulnerability information. Maybe the next exploit will be one you wrote. Heh!

3. Using the execute permission of the scripts directory. This is a trick we often use after getting a webshell. The principle is that the scripts directory is IIS's executable directory, and what runs from it has the SYSTEM privileges we dream of. The usual method was to upload IDQ.dll into the Scripts directory under the IIS home directory and then use ISPC.exe to obtain SYSTEM privileges, but that method died with Microsoft's SP3. In fact we can still use this directory: as long as we upload our Trojan into it, say WinShell, and then enter http://targetip/scripts/<Trojan file name>.exe in the browser and wait a while until the progress bar at the bottom shows "Done", we can connect to the port we configured! Mine is the default, 5277, and after connecting we have SYSTEM privileges! From then on you can do whatever you like... heh heh

4. Replacing a system service. This is a trick many hackers never tire of. Because Windows lets you rename the file of a program that is running, we can replace one of his services so that our backdoor or Trojan runs automatically after the next reboot! First, in the shell you obtained, type the Net Start command to see which services he is running.
At this point, if you are familiar with Windows system services, you can quickly see which of them can be used.

C:\WINNT\System32>net start
These Windows services are started:

   COM+ Event System
   Cryptographic Services
   DHCP Client
   Distributed Link Tracking Client
   DNS Client
   Event Log
   Help and Support
   IPSEC Services
   Logical Disk Manager
   Logical Disk Manager Administrative Service
   Network Connections
   Network Location Awareness (NLA)
   Protected Storage
   Remote Procedure Call (RPC)
   Rising Process Communication Center
   Rising Realtime Monitor Service
   Secondary Logon
   Security Accounts Manager
   Shell Hardware Detection
   System Event Notification
   System Restore Service
   Telephony
   Themes
   Upload Manager
   WebClient
   Windows Audio
   Windows Image Acquisition (WIA)
   Windows Management Instrumentation
   Windows Time
   Wireless Zero Configuration
   Workstation

The command completed successfully.
I ran the command on my own machine for this demonstration (so don't everybody go hacking me). Pay attention to the part I marked in red, the two Rising entries: that is the Rising anti-virus I have installed. Rising Process Communication Center runs CCenter.exe and Rising Realtime Monitor Service runs RavMond.exe. These are third-party services, and those are the ones we can use. (I strongly recommend replacing third-party services only; don't mess with system services or the system becomes unstable.) So we search for these two files and find them in the D:\Rising\RAV\ folder. One thing to watch out for: if the file were in the Program Files directory on the system drive, we would need to know whether the other side's disk is formatted as NTFS, because on NTFS that folder is not writable by the Guest account by default, and neither are the Windows directory and the Documents and Settings directory, so we could not replace the file and would have to find another way. (This is another reason I don't recommend replacing system services: their files live in Windows\System32, which is not writable.) But if the disk is FAT32 you don't have to worry, because FAT32 has no permissions at all and every folder is writable. So someone will ask: if it is NTFS, are we out of luck? Of course not. On a default NTFS install, apart from those three folders, all the other folders and partitions grant Everyone full control. (That is to say, even an anonymous IPC$ connection can write to those places!) So as long as the other side's third-party service is not installed in those three folders, we can replace it! I take CCenter.exe and download it to my local machine (via FTP, or by putting it in the IIS home directory and downloading it from there, etc.). Then take your file binder, pick the backdoor you are most comfortable with... heh. Once the bundle is made, upload it: first rename the other side's CCenter.exe to CCentBak.exe, then put your own file in its place as CCenter.exe.
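Here is an added, defender-side check for the condition this trick relies on (it is not code from the original article): a PowerShell audit that lists services whose executable, or the folder holding it, grants write access to Everyone, Users or other broad groups. It assumes Windows PowerShell 5.1 or later run from an elevated prompt; the principal list and the rights mask are my own choices.

```powershell
# Added audit script, not from the original article: flags services whose binary or
# containing folder is writable by broad principals, the weakness the service-replacement
# trick depends on (third-party service outside Program Files / Windows on a partition
# where Everyone has full control). Read-only; assumes PowerShell 5.1+ on Windows, elevated.

$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\ANONYMOUS LOGON', 'BUILTIN\Guests')
# Rights that let a low-privileged user rename or overwrite the file, plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits some ACEs carry instead
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete' -bor 0x40000000 -bor 0x10000000

function Get-ServiceExePath([string]$PathName) {
    # Win32_Service.PathName may be quoted or unquoted and may carry arguments
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split ' ')[0]
}

function Get-BroadWriter([string]$Path) {
    # Returns the first broad principal holding write-class access to $Path, else $null
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -ne 0) { return $rule.IdentityReference.Value }
    }
    return $null
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceExePath $svc.PathName
    if (-not $exe) { continue }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $exe)) { continue }
    $fileWriter = Get-BroadWriter $exe
    $dirWriter  = Get-BroadWriter (Split-Path -Parent $exe)
    if ($fileWriter -or $dirWriter) {
        [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Path = $exe;
                           FileWritableBy = $fileWriter; FolderWritableBy = $dirWriter }
    }
}
$findings | Format-Table -AutoSize
```

A hit in FolderWritableBy matters as much as one in FileWritableBy, since the rename-and-replace step described above only needs write access to the folder.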
After that we just wait for the other machine to restart, and our backdoor runs! Since Windows is unstable, a host usually restarts within a week. (Of course, if you can't wait, you could DDoS the server to force a restart, but I don't approve of that!) Connect to your backdoor then, and it has SYSTEM privileges!

5. Replacing a program the admin uses often. If the other side has no service you can use, you can replace a program the administrator commonly uses, such as QQ, MSN and so on. The replacement method is the same as for a service; when your backdoor starts just depends on your luck.

6. Using autorun.inf or desktop.ini. We have all seen this: you put a disc in the CD drive and a Flash animation pops up automatically. Why? Well, look in the root directory of the CD. Is there an autorun.inf file? Open it in Notepad. Is there a line like: autorun = xxx.exe ? That is the program that just ran automatically. So we can use this to escalate our privileges.
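As an added defender-side counterpart to the autorun.inf trick above and the desktop.ini/Folder.htt variant the article describes next (this is not code from the original article), the following PowerShell script reports autorun.inf launch entries at each fixed drive root, desktop.ini files whose PersistMoniker pulls in a Folder.htt template containing script, and whether AutoRun is disabled machine-wide through the NoDriveTypeAutoRun policy value. It assumes Windows PowerShell 5.1 or later; the standard autorun.inf launch keys it looks for are open= and shellexecute=.

```powershell
# Added detection script, not from the original article: reports the "runs when the admin
# opens it" tricks (autorun.inf at a drive root, desktop.ini web view + Folder.htt with
# script) and checks the AutoRun policy. Read-only; assumes PowerShell 5.1+ on Windows.

function Get-IniValues([string]$Path, [string]$Key) {
    # Every "Key=value" line of an INI-style file (key matched whole, case-insensitive)
    Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_ -match "^\s*$Key\s*=\s*(.+?)\s*$") { $Matches[1] }
    }
}

function Find-FolderAutostart([string[]]$Roots) {
    foreach ($root in $Roots) {
        # autorun.inf launches a program through open= or shellexecute= under [autorun]
        $inf = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            foreach ($key in 'open', 'shellexecute') {
                foreach ($target in @(Get-IniValues $inf $key)) {
                    [pscustomobject]@{ Kind = 'autorun.inf'; File = $inf; Evidence = "$key=$target" }
                }
            }
        }
        # desktop.ini references its web-view template via PersistMoniker=file://...
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -Filter desktop.ini -ErrorAction SilentlyContinue |
            ForEach-Object {
                $ini = $_
                foreach ($moniker in @(Get-IniValues $ini.FullName 'PersistMoniker')) {
                    [pscustomobject]@{ Kind = 'desktop.ini'; File = $ini.FullName; Evidence = "PersistMoniker=$moniker" }
                    $htt = Join-Path $ini.DirectoryName (($moniker -replace '^file://', '') -replace '/', '\')
                    if ((Test-Path -LiteralPath $htt) -and
                        (Select-String -LiteralPath $htt -Pattern '<script|<object' -Quiet)) {
                        [pscustomobject]@{ Kind = 'Folder.htt'; File = $htt; Evidence = 'template contains <script> or <object>' }
                    }
                }
            }
    }
}

function Test-AutoRunDisabled {
    # NoDriveTypeAutoRun = 0xFF under the Explorer policy key turns AutoRun off for every drive type
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($null -ne $val) -and (($val -band 0xFF) -eq 0xFF)
}

# Fixed (DriveType 3) local disks, e.g. "C:\", "D:\"
$roots = (Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3').DeviceID | ForEach-Object { "$_\" }
Find-FolderAutostart $roots | Format-Table -AutoSize
"AutoRun disabled for all drive types: $(Test-AutoRunDisabled)"
```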
First configure a backdoor (I often use WinShell, but of course you don't have to) and upload it to any folder on his D drive. Then take the autorun.inf file from one of your own CDs, change the XXX.exe after Autorun = XXX.exe to the backdoor's file name, upload it to the root of the D drive, and set the read-only, system and hidden attributes on it. Now just wait for the admin to browse the D drive and our backdoor starts! (Of course, this only works if he has not turned AutoRun off.) Then there is desktop.ini. Everyone knows Windows supports customizing folders; this is actually implemented by writing specific files into the folder, DESKTOP.INI and Folder.htt, and we can modify those files to achieve our goal. First create a folder locally (the name doesn't matter), open it, right-click on an empty spot and choose "Customize This Folder" (this doesn't seem to work on XP); a wizard appears. When you finish it, you will see two extra items in that directory, a Folder Setting folder and a Desktop.ini file (if you can't see them, untick "Hide protected operating system files"). Find the folder.htt file in the Folder Setting directory, open it in Notepad, and add the following code anywhere: