Third, what can a null session do?
On NT with the default security settings, a null session lets you list the users and shares on the target host, read shares that grant the Everyone group access, and read a small part of the registry; none of this is of great value on its own. On Windows 2000 it is of even less use, because from Windows 2000 onward only Administrators and Backup Operators may access the registry over the network by default, and doing so is awkward without extra tools. Taken alone, then, this untrusted session is not much use. Seen as part of a complete IPC$ intrusion, however, the null session is an indispensable springboard, because it yields a user list, and a user list is exactly what password-guessing tools need; for an old hand that is already enough. The specific commands that can be used within a null session are as follows:
1. Establish a null session (the target must have IPC$ available)
Command: net use \\IP\ipc$ "" /user:""
Note: the command above contains four spaces: one between net and use, one after use, and one on each side of the empty password "".
2. View the shared resources of the remote host
Command: net view \\IP
Explanation: once the null session is established, this command lists the shares of the remote host. If it has any, you get output similar to the following:
Shared resources at \\*.*.*.*
Share name      Type      Used as      Comment
-------------------------------------------------------------------
NETLOGON        Disk                   Logon server share
SYSVOL          Disk                   Logon server share
The command completed successfully.
3. View the current time of the remote host
Command: net time \\IP
Explanation: this command returns the current time of the remote host.
4. Get the NetBIOS name table from the remote host (requires NBT to be enabled on your own machine)
Command: nbtstat -A IP
Explanation: this command retrieves the remote host's NetBIOS name table, which is often loosely called the NetBIOS user name list because it contains the machine name, the domain or workgroup, and the <03> name of any logged-on user. It returns output like the following:
Node IpAddress: [*.*.*.*] Scope Id: []
NetBIOS Remote Machine Name Table
Name               Type         Status
---------------------------------------------
SERVER         <00>  UNIQUE      Registered
OYAMANISHI-H   <00>  GROUP       Registered
OYAMANISHI-H   <1C>  GROUP       Registered
SERVER         <20>  UNIQUE      Registered
OYAMANISHI-H   <1B>  UNIQUE      Registered
OYAMANISHI-H   <1E>  GROUP       Registered
SERVER         <03>  UNIQUE      Registered
OYAMANISHI-H   <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
INET~Services  <1C>  GROUP       Registered
IS~SERVER......<00>  UNIQUE      Registered
MAC Address = 00-50-8B-9A-2D-37
The hex suffix after each name tells you what the host is: here SERVER <20> means it offers file shares, OYAMANISHI-H <1C> and <1B> mark it as a domain controller and the domain master browser, and INET~Services <1C> together with IS~SERVER <00> show that IIS is installed.
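Reading these suffixes by hand is error-prone, so as an added example (not part of the original article) here is a small Python parser that turns `nbtstat -A` output into a host summary. The sample text is retyped from the table above as the command prints it, and the role labels, the `NbtName` record and the `summarize` logic are my own; the suffix meanings are the standard NetBIOS name assignments.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: the nbtstat -A name table shown above, retyped the way
# nbtstat actually prints it (NetBIOS names are upper case on the wire).
SAMPLE_NBTSTAT = """
       NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SERVER         <00>  UNIQUE      Registered
    OYAMANISHI-H   <00>  GROUP       Registered
    OYAMANISHI-H   <1C>  GROUP       Registered
    SERVER         <20>  UNIQUE      Registered
    OYAMANISHI-H   <1B>  UNIQUE      Registered
    OYAMANISHI-H   <1E>  GROUP       Registered
    SERVER         <03>  UNIQUE      Registered
    OYAMANISHI-H   <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    INET~Services  <1C>  GROUP       Registered
    IS~SERVER......<00>  UNIQUE      Registered

    MAC Address = 00-50-8B-9A-2D-37
"""

# One table row: name, <hex suffix>, UNIQUE|GROUP, status.  The name may run
# straight into the "<" (see __MSBROWSE__), so only optional whitespace is
# allowed before it.
LINE_RE = re.compile(
    r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$",
    re.IGNORECASE,
)


class NbtName(NamedTuple):
    name: str     # NetBIOS name, normalised to upper case
    suffix: str   # two hex digits, e.g. "1C"
    kind: str     # "UNIQUE" or "GROUP"
    status: str   # e.g. "Registered"


def parse_nbtstat(text: str) -> List[NbtName]:
    """Parse the name-table rows of nbtstat -A output; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            entries.append(NbtName(name.upper(), suffix.upper(),
                                   kind.upper(), status.capitalize()))
    return entries


def parse_mac(text: str) -> Optional[str]:
    """Return the MAC address line from nbtstat -A output, if present."""
    m = re.search(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})",
                  text, re.IGNORECASE)
    return m.group(1).upper() if m else None


def summarize(entries: List[NbtName]) -> Dict[str, object]:
    """Decode the suffixes into what an attacker wants to know about the host."""
    info: Dict[str, object] = {"hostname": None, "domain": None,
                               "roles": [], "logged_on_users": []}
    # Pass 1: the host's own name is the UNIQUE <00> entry that is not the
    # IIS marker (IS~<hostname> also uses <00>).
    for e in entries:
        if e.suffix == "00" and e.kind == "UNIQUE" and not e.name.startswith("IS~"):
            info["hostname"] = e.name
            break
    # Pass 2: everything else is decided by (suffix, kind) and a few names.
    for e in entries:
        if e.suffix == "00" and e.kind == "GROUP":
            info["domain"] = e.name
        elif e.suffix == "20" and e.kind == "UNIQUE":
            info["roles"].append("file server (offers shares)")
        elif e.suffix == "1C" and e.kind == "GROUP":
            if e.name == "INET~SERVICES":
                info["roles"].append("IIS (INET~Services)")
            else:
                info["roles"].append(f"domain controller for {e.name}")
        elif e.suffix == "1B" and e.kind == "UNIQUE":
            info["roles"].append(f"domain master browser (PDC) for {e.name}")
        elif e.suffix == "1D" and e.kind == "UNIQUE":
            info["roles"].append("master browser on this subnet")
        elif e.suffix == "03" and e.kind == "UNIQUE" and e.name != info["hostname"]:
            # A <03> name that is not the machine name is a logged-on user
            # registered by the Messenger service.
            info["logged_on_users"].append(e.name)
    return info


if __name__ == "__main__":
    table = parse_nbtstat(SAMPLE_NBTSTAT)
    print(summarize(table))
    print("MAC:", parse_mac(parse_mac and SAMPLE_NBTSTAT))
```

Feed it real output with `nbtstat -A IP > out.txt` and `parse_nbtstat(open("out.txt").read())`; a <03> name that differs from the machine name is the interactive user, which is the detail password guessers care about most.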
The above is what we most often do with a null session. It may look like a lot, but note that establishing an IPC$ connection leaves a record in the event log whether or not it succeeds, provided logon auditing is turned on; the session then shows up as a network logon (logon type 3) by ANONYMOUS LOGON. Now let's look at the ports IPC$ uses.