Windows 2000 security

zhaozj2021-02-08  243

the goal:

I want to see how Windows 2000 security performance, so I decided to try it. Correct

Win2000

Basic attacks should use NT 4.0 to query whether the other party is patching a vulnerability. I think you will be very surprised.

They not only do not repair vulnerabilities, but there are new vulnerabilities. I am a MCSE, so microsoft

I have a beta version. Here is my assessment.

way:

First of all, I need to find some ordinary users who use Win2000, I open IP Scanner, find

About 6000 IP addresses, these IPs are dial-up users for long-term connection, and analyze the use

Win2000 users. Ok, attack begins;

First use the Table 1.1 tool to get the basic information of WIN2000:

NetBIOS

Share Information

Share Name: IPC $

Share Type: DEFAULT PIPE Share

Comment: Remote IPC

Warning - null session can be be establish to //24.?.?.?/ipc $

Share Name: admin $

Share Type: DEFAULT Disk Share

Comment: Remote Admin

Share Name: C $

Share Type: DEFAULT DISK Share

Comment: Default Share

Account Information

Account Name: Administrator

The Administrator Account IS An Administrator, And The Password Was Changed 3

Days ago. This Account Has Been Used 2 Times To Logon. The Default Administrator

Account Has Not Been Renamed. Consider Renaming this Account And Removing Most of

ITS Rights. Use a Different Account as The Admin Accommount.

Comment: Account Upgrade from Windows 95 or Windows 98

User Comment:

Full name: administrator

Account name: GUEST

The Guest Accent Is A Guest, And The Password WAS

Changed 0 days ago. This Account Has Been Used 0 Times To Logon.

Comment: Built-in Account for Guest Access To The Computer / Domain

User Comment:

Full Name:

Account Name: User1

The user1 account is an administrator, and the password WAS

Changed 3 days ago. This Account Has Been Used 22 Times To Logon.

Comment: Account Upgrade from Windows 95 or Windows 98

User Comment:

Full name: User1

Warning Administrator's Password Is Blank

Warning User1's Password Is Blank

I feel strange. The first is that the administrator account and another user (also a supervisor) password is blank. These accounts seem to have been upgraded from Win98 or 95, which caused my curiosity, so

I decided to do an attempt. I upgraded my 98 machine to 2000. This machine

Inside a point-to-point network work group, there is a domain master server in the system. I follow the prompt

Steps, the upgrade process is smooth. After restarting, set the window that sets the new Win2000 account password.

Port, it gives a list of accounts created during the upgrade process, you need to set your password for each user. odd

It's strange. It has a prompt to set up the same password as Win98: [if you don not want to see

This Screen Again Then Just Hit Enter]. I press it to enter, enter Win2000, and I am on the machine

Users set the password empty, this is not safe, I also increased on another Win98 machine.

Level 2000, all created a password empty ADM user.

Now, continue to attack. There may be other vulnerabilities.

I have established a session with these machines and use ADM.

C: /> NET use //24.?.?.?/ipc $ "" / user: administrator

The Command Complated SuccessFully.

I will now connect to this machine as an ADM and can be an inactive drive and like my own drive.

Browse it. The security vulnerability MS upgraded to Win98 upgrade to Win2000 is not paying attention.

I decided to continue to deepen, I hope to find that Win2000 other vulnerabilities I open computer manager

(Photo 1.2), join his machine. I can use my local machine on the remote machine.

increase user.

Photo 1.2

I deeply study computer management, and I found that the disk management is also fragile, so I can remotely.

His drive. I will continue to deepen, pay attention to the Telnet remote login service (Pohot1.3).

Is Microsoft set up this Telnet service when the default installation of Win2000? An ordinary user

Need a Telnet service? This seems to be set in the installation process, it is not started by the default, but it

Set as a LocalSystem login. Curious heart makes me continue to study. I have seen the properties of the service

(Photo.1.4) and find not only I can start the service, but I can automatically start.

Photo 1.4

This service is now started when it starts and is run as a Localsystem. It is definitely Microsoft

Due some things to stop me from entering this machine and execute the command I want to perform. They did it! It is called

NTLM certification and remote login is set only by default NTLM. And only Win2000

Remote login will identify NTLM. What does that mean? This means that if your account and password do not

By confirming, or if you don't confirm that you are in an approved domain, the system will reject your access.

I tested the remote login service on my machine, I launched a remote login service at the console. I

Doubt the key value of TelnetServer in the registry can avoid NTLM. In order to verify me

Doubt, I connect to the registry of the remote machine and put it

HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / TelnetServer / 1.0 key value from 2

To 1, restart the service.

result:

One minute later and I log in to this machine via remote login! ! Now I can completely control

This machine, build user account and format drive, and use this machine to run attack programs

Row attack.

After using some commands, I built a user account of the ADM group and created a hidden.

Run the catalog of the attack, then I ftp to my FTP site and download the program I need to run, and launch the Scheduler service to run my attack program in the morning, and transfer the results with FTP to me, this

There will be no more attention.

Dangerous

Some people may ask, why do Telnet services are dangerous, OK, I will invade you

In Telnet to Whitehouse.gov, replace it with an anti-government page, the server will record you.

IP, then you will have a big problem.

Problem resolution:

Press my opinion, at least to delete the c: /winnt/system32/tlntsvr.exe file, because of ordinary use

This service does not require this service.

references

http://www.compsecurity.net/

solution

If you don't need it, close all shares and add more complicated passwords.

At least you want to delete the C: /Winnt/System32/TLNTSVR.EXE file, because ordinary users do not need this service.

转载请注明原文地址:https://www.9cbs.com/read-1332.html

New Post(0)