Beginner essentials: IPC$ explained in detail (1)

zhaozj, 2021-02-16

I. What is IPC$

IPC$ (Internet Process Connection) is a shared "named pipe" resource. It is opened for inter-process communication and named-pipe access: by supplying a trusted username and password, the two sides set up a secure channel and exchange encrypted data over it, which is how access to the remote computer is obtained. IPC$ was introduced with NT/2000, and it has one notable property: between any two IP addresses only one such connection is allowed at a time. Alongside IPC$, NT/2000 also opens the default shares: every logical drive (C$, D$, E$ ...) and the system directory Winnt or Windows (ADMIN$). Microsoft's intention with all of these was to make administration more convenient, but unintentionally they also lower the system's security.

We often hear people talk about the "IPC$ vulnerability". In fact IPC$ is not a true vulnerability; I think whoever says this must be referring to the 'back door' Microsoft left in its own product: the null session. So what is a null session?

II. What is a null session

Before introducing null sessions, we need to understand how a secure session is established.

In Windows NT 4.0 a challenge-response protocol is used to establish a session with the remote machine. A successfully established session becomes a secure tunnel through which the two parties exchange information. The process goes as follows:

1) The session requester (client) sends a packet to the session receiver (server) asking for a secure tunnel to be established;

2) The server generates a random 64-bit number (the challenge) and sends it back to the client;

3) The client takes this 64-bit number generated by the server, combines it with the password of the account it is trying to establish the session with, and returns the result to the server (the response);

4) After receiving the response, the server hands it to the Local Security Authority (LSA), which verifies the response using the user's correct password and thereby confirms the requester's identity. If the requester's account is a local account on the server, verification is done locally; if it is a domain account, the response is forwarded to the domain controller for verification. When the response to the challenge is correct, an access token is generated and sent to the client. The client then uses this access token to connect to resources on the server until the session is terminated.

The above is a rough outline of how a secure session is established. So what is a null session?

A null session is a session established with the server without credentials (that is, without supplying a username and password). Under the Win2000 access control model, establishing a null session also yields an access token, but because no user information is authenticated while the null session is set up, this token contains no user information, and consequently the session does not allow the system to send encrypted information. This does not mean, however, that the null session's token carries no security identifier (SID), the identifier for users and groups: for a null session the SID assigned by the LSA is S-1-5-7. This is the SID of the null session, and its username is ANONYMOUS LOGON (this username can be seen in the user list, but is not found in the SAM database; it is a built-in system account). The access token contains the following groups:

EVERYONE

NETWORK
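As an added illustration (not code from the original post), the following Python models the four session-setup steps above together with the token a null session receives: the server issues a random 64-bit challenge, the client answers with a value derived from the challenge and its password, an LSA-style check recomputes and compares it, and a request with no credentials instead yields a token holding only S-1-5-7, Everyone and Network. The response computation is an HMAC stand-in rather than the LM/NTLM algorithm, the Authenticated Users group (S-1-5-11), the sample account and the trailing access check are assumptions of this model, and the access check is deliberately minimal; it shows why a resource that grants Everyone is reachable through a null session while one that grants only authenticated users is not.

```python
# Added illustration (not from the original post): a simplified model of the
# challenge/response session setup and of the token a null session receives.
# The response computation is an HMAC stand-in, NOT the real LM/NTLM
# algorithm; SIDs other than S-1-5-7 are well-known Windows SIDs used here
# only to label the token's groups.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

ANONYMOUS_LOGON = "S-1-5-7"       # null-session SID named in the post
EVERYONE = "S-1-1-0"              # well-known SID (group listed in the post)
NETWORK = "S-1-5-2"               # well-known SID (group listed in the post)
AUTHENTICATED_USERS = "S-1-5-11"  # well-known SID; assumption of this model


@dataclass(frozen=True)
class Token:
    """Access token handed back by the server after session setup."""
    user_sid: str
    groups: frozenset
    authenticated: bool


def client_response(password: str, challenge: bytes) -> bytes:
    """Step 3: combine the server's challenge with the account password.
    Keyed-hash stand-in; the real protocol derives the response differently."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class Server:
    """Server side, including the LSA check of step 4."""

    def __init__(self, accounts: dict):
        # accounts: username -> (user SID, password)   (constructed sample data)
        self.accounts = accounts

    def issue_challenge(self) -> bytes:
        # Step 2: a fresh random 64-bit value per session attempt, so a
        # response captured once is useless for any later session.
        return secrets.token_bytes(8)

    def verify(self, username: str, challenge: bytes, response: bytes) -> Optional[Token]:
        # Step 4: recompute the expected response from the stored password
        # and compare in constant time; unknown account or mismatch -> no token.
        entry = self.accounts.get(username)
        if entry is None:
            return None
        user_sid, password = entry
        expected = client_response(password, challenge)
        if not hmac.compare_digest(expected, response):
            return None
        return Token(user_sid, frozenset({EVERYONE, NETWORK, AUTHENTICATED_USERS}), True)

    def null_session_token(self) -> Token:
        # No credentials and no LSA check: the token carries only the
        # anonymous SID and the two groups the post lists.
        return Token(ANONYMOUS_LOGON, frozenset({EVERYONE, NETWORK}), False)


def establish_session(server: Server, username: Optional[str] = None,
                      password: Optional[str] = None) -> Optional[Token]:
    """Run steps 1-4; with no credentials this becomes a null session."""
    if username is None:
        return server.null_session_token()
    challenge = server.issue_challenge()                 # step 2
    response = client_response(password, challenge)      # step 3
    return server.verify(username, challenge, response)  # step 4


def access_allowed(token: Token, allowed_sids: set) -> bool:
    """Minimal access check: any SID in the token matching an allow entry."""
    return token.user_sid in allowed_sids or bool(token.groups & allowed_sids)


if __name__ == "__main__":
    srv = Server({"alice": ("S-1-5-21-1-2-3-1001", "correct horse")})  # constructed
    user = establish_session(srv, "alice", "correct horse")
    anon = establish_session(srv)
    print("authenticated:", user.authenticated, sorted(user.groups))
    print("null session:", anon.user_sid, sorted(anon.groups))
    # A share granting Everyone is reachable through the null session;
    # one granting only Authenticated Users is not.
    print("null session can read Everyone share:", access_allowed(anon, {EVERYONE}))
    print("null session can read auth-only share:", access_allowed(anon, {AUTHENTICATED_USERS}))
```

The point to take from the model is the last two lines: the null session is not rejected, it simply arrives with a token whose only group memberships are Everyone and Network, so any access control entry granted to Everyone is what actually decides what an anonymous caller can reach.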

Please credit the original source when reposting: https://www.9cbs.com/read-14570.html
