Intrusions are getting harder these days. People's security awareness has improved a lot; even individual users know to have a firewall and anti-virus software in place, and they no longer neglect Microsoft's patch updates. So scanning the Internet for weak passwords is now almost hopeless. (Which is a very good thing.)
But this has also made intrusion unprecedentedly difficult for us. Through the usual means we normally cannot obtain system administrator privileges directly; for example, we may only get the privileges of the IUSR_MACHINENAME account (by uploading an ASP trojan, or through certain overflows). That account usually has only the system's default Guest-level permissions, so how to obtain Administrator or SYSTEM privileges is becoming more and more important.
So I have summarized several methods of escalating privileges. What follows is my own compilation; there is nothing new in it, and it is written for rookies like me. The experts can skip it; of course, if you want to review it I don't object, and while you're at it, help me check what should be added or corrected:
1. Social engineering.
I think no one is unfamiliar with social engineering? (If you still don't quite understand the term, I suggest you go and find some relevant material.) Usually we gather sensitive information about the target through various channels and then analyze it, so that the admin's password can be inferred. An example: suppose we obtained the website's password by dumping its database and you have uploaded a "Marine Top" (Haiyang Top) ASP trojan; what do you do next? Go rummaging through his ASP files hoping to spot the SQL connection account and password? Wrong! We should first type a netstat -an command to look at his ports (and of course check his services with the NET START command). Once you find 3389, why hesitate? Grab your terminal client immediately, enter the other side's IP, type in the username and password you got from his website... a few seconds later, hey, you're in? This is because, according to the principles of social engineering, people usually use the same username and password everywhere so they are easy to remember. So once we got the administrator password for the website, we equally obtained all his passwords, including the system admin password. So we can go to his 3389, haha!
Even if he does not have the 3389 service open, we can also try this password on his FTP server. If his FTP server is Serv-U version 5.004 and the account has write permission, then we can launch an overflow attack! With that you can get SYSTEM privileges directly! (The use of Serv-U and the two other ways of escalating privileges with it, I will describe later.)
If that really doesn't work, we can also try the password on his e-mail account! Perhaps you can get into the mailbox he registered with and pull out lots of useful information that can support our later actions.
Here is another idea. We know that a site's administrator usually sets his own homepage as IE's default homepage for convenient management. We can use this: plant a web trojan in his homepage ... then wait for him to open IE ... Hey, he would never imagine that his own homepage would hand him a trojan, would he?
In fact there are many ways to use social engineering; for a qualified hacker this is a must-learn! Use your brain and you will succeed.
2. Local overflow.
"Microsoft is really cute." I don't know who first said this, but it isn't wrong. Every so often it hands us some overflow vulnerability; I believe everyone has picked up a "broiler" (compromised box) through the recent MS-0011, right? In fact, after getting a shell with Guest privileges we can also use an overflow to escalate. The most commonly used tools are Runas.exe, WinWmiex.exe and PipeUpAdmin, among others; upload and execute them and you can get ADMIN privileges. However, this requires that the other side has not yet installed the patch. But Microsoft's vulnerabilities keep coming one after another, and local privilege escalation exploits keep appearing, so everyone should keep an eye on vulnerability information. Maybe the next exploit will be written by you. Haha!
3. Use the execute permission of the scripts directory.
This is also a trick we commonly used before we had webshells. The principle is that the scripts directory is IIS's executable directory, and it runs with the SYSTEM privileges we dream of. The common method was to upload IDQ.dll into the Scripts directory under the IIS home directory and then use ISPC.exe to get SYSTEM privileges, but Microsoft closed that with SP3. In fact we can still use this directory: we only need to upload our trojan into it. I'll take WINSHELL as an example. Then we enter in IE:
http://targetip/scripts/<trojan file name>.exe
Wait a moment; when the progress bar shows "Complete", connect to your port! Mine defaults to 5277, and after connecting you have SYSTEM privileges! What you do at that point is beyond my control ... hehe
4. Replace a system service.
This is a trick that most hacker friends never tire of. Because Windows allows you to overwrite a program that is running, we can replace one of his services so that our backdoor or trojan runs automatically after a restart! First, in the shell you obtained, enter the NET START command to see which services he is running. At this point, if you are familiar with Windows system services, you can quickly see which ones can be used.
C:\Winnt\System32>NET START
The following Windows services have been launched:
COM EVENT SYSTEM
Cryptographic Services
DHCP Client
Distributed Link TRACKING Client
DNS Client
EVENT log
Help and support
IPsec Services
Logical Disk Manager
Logical Disk Manager Administrative Servic
NetWork Connections
NetWork location awareness (NLA)
Protected Storage
REMOTE Procedure Call (RPC)
Rising Process Communication Center
Rising realTIME MONITOR Service
Secondary Logon
Security Accounts Manager
Shell Hardware Detection
System Event Notification
System Restore Service
TELEPHONY
Themes
Upload Manager
WebClient
Windows Audio
Windows Image Acquisition (WIA)
Windows Management Instrumentation
Windows Time
Wireless Zero Configuration
Workstation
The command successfully completed.
I first ran this command on my own machine as a demonstration (don't everyone come and hack me). Note the part I marked in red: that is the Rising anti-virus I have installed. The Rising Process Communication Center service calls CCenter.exe, and the Rising Realtime Monitor Service calls RavMond.exe. These are third-party services, and they can be used. (I strongly recommend replacing third-party services; don't mess with system services, otherwise the system becomes unstable.) So we search for these two files and find them in the D:\Rising\RAV\ folder. Note one point: if the file is in the Program Files directory on the system drive, we need to know whether the other side's hard disk uses the NTFS format. If so, by default that folder is not writable by Guest-level accounts, and neither are the Windows and Documents and Settings directories, so we cannot replace the files and must find another way. (This is also one of the reasons I don't recommend replacing system services: the system service files live in Windows\System32, which is not writable.) But if it is FAT32, don't worry, because FAT32 has no permissions at all and every folder is writable.
So someone will ask: if it is NTFS, are we out of luck?
Of course not. Under the NTFS defaults, apart from those three folders, all the remaining folders and partitions are Everyone: Full Control. (That is to say, even over an anonymous IPC$ connection you can write to those places!) So as long as the other side's third-party service is not installed in those three folders, we can replace it! Let's take CCenter as the example: download it to your local machine (via FTP, by putting it in the IIS home directory and downloading it, etc. ...), then take your file binder and find your favourite backdoor ... hehe. After binding, upload it: first rename the other side's CCenter.exe to CCentBak.exe, then put your own in its place as CCenter.exe. Now just wait for the other machine to restart and our backdoor will run! Since Windows systems are unstable, the host will reboot within a week or so. (Of course, if you can't wait you could DDoS this server to force a restart, but I don't approve of that!) Connect to your backdoor at that point, and it has SYSTEM privileges!
5. Replace a program the admin commonly uses.
If the other side has no service you can use, you can replace a program the administrator uses often, such as QQ, MSN, etc. The replacement method is the same as for services; when your backdoor gets started just depends on your luck.
6. Using autorun.inf or desktop.ini.
We often run into this: a disc is placed in the optical drive and a Flash animation pops up automatically. Why? Look in the root directory of the CD; is there an autorun.inf file? Open it in Notepad; is there a line like autorun=xxx.exe? That is the auto-run program you just saw.
So we can use this to escalate our privileges. First configure a backdoor (I often use Winshell; of course you don't have to use that one) and upload it to any folder on his D: drive. Then take the autorun.inf from your own CD, change the xxx.exe after autorun= to your backdoor's file name, upload it to the root of the D: drive, and set the read-only, system and hidden attributes. OK, now wait for the admin to browse the D: drive and our backdoor will start! (Of course, this only works if he has not disabled autorun.) Next is desktop.ini. Everyone knows Windows supports customized folders; this is actually implemented by writing specific files into the folder: Desktop.ini and Folder.htt. We can use modified versions of these files to achieve our goal.
First, create a folder locally (the name doesn't matter), enter it, right-click on a blank spot and select "Customize This Folder" (this doesn't seem to work on XP), then follow the wizard through to the end. Once finished, you will see two extra items in the directory: a folder named Folder Settings and a Desktop.ini file (if you can't see them, untick "Hide protected operating system files"). Find Folder.htt in the Folder Settings directory, open it in Notepad, and add the following code anywhere:
Object>
Then put your backdoor file into the Folder Settings directory and upload that directory together with Desktop.ini into any directory; then just wait for the administrator to browse that directory and our backdoor runs! (If you are not confident, set up a few more directories.)
7. Serv-U privilege escalation
There are three ways to escalate privileges with Serv-U. The overflow is the first; I mentioned it earlier, so it won't be introduced here. What I want to talk about are the other two.
Method 1: Requirement: full control over the Serv-U installation directory.
Method: Go into the other side's Serv-U directory and look at ServUDaemon.ini, which is Serv-U's configuration file. If the administrator did not choose to write all of Serv-U's configuration to the registry, we can see everything from this file: version, IPs, even the Serv-U user names and passwords! In earlier versions the password was not encrypted, but later it was MD5-hashed, so you cannot get the password directly. But we still have a way: first install Serv-U locally (preferably a newer version), overwrite your own ServUDaemon.ini with the one you downloaded from him, and restart Serv-U, so that all of the configuration is exactly the same as his. Create a new user (which group doesn't matter); what matters is to set his home directory to the other side's system drive and then add the execute permission! This is the most important step. Apply the change and exit. Upload the ServUDaemon.ini you changed to overwrite his file, then wait for his Serv-U to restart and reload the configuration; then we can log in to his FTP. After entering, execute the following commands:
CD Windows
CD System32
Quote Site EXEC NET.EXE User WOFEIWO /ADD
Quote Site EXEC NET.EXE LOCALGROUP Administrators WOFEIWO /ADD
BYE
Then you have a system administrator called WOFEIWO. What are you waiting for? Log in to 3389; don't tell me you don't know how!
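From the defender's side, Method 1 depends on a ServUDaemon.ini account whose home directory sits on the system drive and which carries the execute right. Here is an added example (my own code, not the article's) that parses a constructed excerpt of that file and flags such accounts; the [USER=name|1] / HomeDir= / AccessN=<path>|<flags> layout is how I recall Serv-U 5.x/6.x writing it and is an assumption, as is C: being the system drive.

```python
import re

# Constructed ServUDaemon.ini excerpt (not from the article). The layout is
# Serv-U 5.x/6.x as I recall it and is an assumption: each account is a
# [USER=name|1] section with HomeDir= and AccessN=<path>|<flags>, E = execute.
SAMPLE_INI = r"""[GLOBAL]
Version=5.0.0.4
[USER=webadmin|1]
HomeDir=C:\
Access1=C:\|RWAMELCDP
[USER=ftpuser|1]
HomeDir=D:\ftproot
Access1=D:\ftproot|RWAMLCDP
"""

SYSTEM_DRIVE = "C:\\"  # drive holding %SystemRoot% on the audited host (assumed)
USER_HEADER = re.compile(r"^\[USER=([^|\]]+)", re.I)

def parse_users(ini_text: str) -> dict:
    """Map each account to its home directory and its (path, flags) grants."""
    users: dict = {}
    current = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # section header: a USER section or some other one
            m = USER_HEADER.match(line)
            current = m.group(1) if m else None
            if current:
                users[current] = {"home": "", "access": []}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.lower() == "homedir":
            users[current]["home"] = value
        elif key.lower().startswith("access") and "|" in value:
            path, flags = value.rsplit("|", 1)
            users[current]["access"].append((path, flags.upper()))
    return users

def audit(users: dict) -> list:
    """Flag accounts that can run programs or whose home sits on the system drive."""
    findings = []
    for name, info in users.items():
        if info["home"].lower().startswith(SYSTEM_DRIVE.lower()):
            findings.append(f"{name}: home directory {info['home']} is on the system drive")
        for path, flags in info["access"]:
            if "E" in flags:  # execute right: what makes 'SITE EXEC' usable
                findings.append(f"{name}: execute right granted on {path}")
    return findings
```

Run audit(parse_users(open("ServUDaemon.ini").read())) against a real file; any line it prints is an account that should have the execute right removed or its home moved off the system drive.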
Method 2: Serv-U opens two ports. One is 21, which is FTP; the other is 43958. What is this port? Hey, this is Serv-U's local administration port. But by default it does not accept connections from any IP other than 127.0.0.1. This is where the fpipe.exe file comes in. It is a port forwarder; upload it and run the command:
fpipe -v -l 3333 -r 43958 127.0.0.1
This maps the local listening port (3333 in the command above) to port 43958.
Then install Serv-U locally, create a new server, fill in the other side's IP, use the account LocalAdministrator with the password #1@'Ak#.1k; 0 @p, connect, and you can manage his Serv-U. After that, escalate privileges as in the first method; I won't describe it again.
8. SQL account password leakage.
If the other side has an MSSQL server, we can use an SQL connector tool to add an administrator account, because MSSQL runs with SYSTEM privileges by default.
Requirement: you have obtained the other side's MSSQL administrator password (you can see it in the database connection string in his ASP files), and he has not removed xp_cmdshell.
Method: Using SQLEXEC.exe, fill in the other side's IP in the Host field and the username and password you obtained in the User and Pass fields. Format: Select XP_cmdshell "%s". Then click Connect, and after connecting you can enter whatever CMD command you want in the CMD field.
Phew ... let me stretch. So tired, but I finally finished writing up eight methods. Rant over ... (n more characters omitted here)